Librasan (#3023)

* Fixes to main

* Add librasan

* Party like it's 2024

* Fix snapshot module to work with guest asan

* Fix guest_asan module

* Fixes to runner

* Fix linking issues using a REL

* Fix qemu_launcher

* Change modify_mapping to a method

* Fix gasan_test

* Remove debug from Justfile

* Optimize release build of librasan

* Set ulimit for qasan and gasan tests

* Tidy up symbol renaming

* Add missing symbols for PPC

* Change to support rustix 1.0.0

* Canonicalize the CUSTOM_ASAN_PATH

* Review changes

* Restructure backends

* release_max_level_info

* More review changes

* Clippy fixes

* Changes to reduce the burden on the CI

* Fix macos clippy

---------

Co-authored-by: Your Name <[email protected]>

Author: 2 people

.github/workflows/build_and_test.yml

@@ -62,10 +62,10 @@ jobs:
         if: runner.os == 'MacOS'
         run: cd docs && mdbook test -L ../target/debug/deps $(python3-config --ldflags | cut -d ' ' -f1)
       - name: Run tests (Windows)
-        if: runner.os == 'Windows' 
+        if: runner.os == 'Windows'
         run: cargo test -- --test-threads 1
       - name: Run tests (Linux)
-        if: runner.os != 'Windows' 
+        if: runner.os != 'Windows'
         run: cargo test -- --test-threads 1
       - name: Test libafl no_std
         run: cd libafl && cargo test --no-default-features
@@ -404,6 +404,43 @@ jobs:
         shell: bash
         run: ARCH=${{ matrix.arch }} RUN_ON_CI=1 LLVM_CONFIG=llvm-config-${{env.MAIN_LLVM_VERSION}} ./scripts/test_fuzzer.sh ${{ matrix.fuzzer }}
 
+  librasan-build:
+      runs-on: ubuntu-24.04
+      needs:
+        - changes
+      if: ${{ needs.changes.outputs.qemu == 'true' }}
+      steps:
+        - uses: actions/checkout@v4
+        - uses: ./.github/workflows/librasan-prepare
+        - name: Build
+          if: runner.os == 'Linux'
+          shell: bash
+          run: |
+            RUN_ON_CI=1 \
+            LLVM_CONFIG=llvm-config-${{env.MAIN_LLVM_VERSION}} \
+            just \
+              -f ./libafl_qemu/librasan/Justfile \
+              build_everything_dev \
+              build_x86_64_release
+
+  librasan-test:
+      runs-on: ubuntu-24.04
+      needs:
+        - changes
+      if: ${{ needs.changes.outputs.qemu == 'true' }}
+      steps:
+        - uses: actions/checkout@v4
+        - uses: ./.github/workflows/librasan-prepare
+        - name: Build
+          if: runner.os == 'Linux'
+          shell: bash
+          run: |
+            RUN_ON_CI=1 \
+            LLVM_CONFIG=llvm-config-${{env.MAIN_LLVM_VERSION}} \
+            just \
+              -f ./libafl_qemu/librasan/Justfile \
+              test_everything
+
   fuzzers-qemu-system:
     needs:
       - changes

.github/workflows/librasan-prepare/action.yml

@@ -0,0 +1,73 @@
+name: Setup QEMU librasan environment
+description: Sets up the QEMU librasan environment
+runs:
+  using: composite
+  steps:
+    - name: Enable i386
+      shell: bash
+      run: sudo dpkg --add-architecture i386
+    - name: Install QEMU deps
+      shell: bash
+      run: |
+        sudo apt-get update && \
+        DEBIAN_FRONTEND=noninteractive \
+          sudo apt-get install -y \
+          build-essential \
+          clang-18 \
+          clang++-18 \
+          cmake \
+          curl \
+          g++-aarch64-linux-gnu \
+          g++-arm-linux-gnueabi \
+          g++-i686-linux-gnu \
+          g++-mipsel-linux-gnu \
+          g++-powerpc-linux-gnu \
+          gcc-aarch64-linux-gnu \
+          gcc-arm-linux-gnueabi \
+          gcc-i686-linux-gnu \
+          gcc-mipsel-linux-gnu \
+          gcc-powerpc-linux-gnu \
+          gdb \
+          gdb-multiarch \
+          git \
+          gnupg \
+          libc6-dev:i386 \
+          libclang-dev \
+          libgcc-13-dev:i386 \
+          libglib2.0-dev \
+          lsb-release \
+          ninja-build \
+          python3 \
+          python3-pip \
+          python3-venv \
+          qemu-user \
+          software-properties-common \
+          wget
+    - uses: dtolnay/rust-toolchain@nightly
+    - name: install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: 1.39.0
+    - name: Install cargo-binstall
+      shell: bash
+      run: |
+        curl -L --proto '=https' --tlsv1.2 -sSf \
+          https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | \
+            bash
+    - name: Install nextest
+      shell: bash
+      run: |
+        cargo binstall --no-confirm cargo-nextest
+    - name: Install Rust Targets
+      shell: bash
+      run: |
+        rustup target add armv7-unknown-linux-gnueabi && \
+        rustup target add aarch64-unknown-linux-gnu && \
+        rustup target add i686-unknown-linux-gnu && \
+        rustup target add powerpc-unknown-linux-gnu
+    - uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+    - uses: Swatinem/rust-cache@v2
+      with: { shared-key: "${{ runner.os }}-shared-fuzzer-cache" }

.github/workflows/ubuntu-prepare/action.yml

@@ -7,6 +7,10 @@ runs:
       shell: bash
       run: sudo apt-get update && sudo apt-get install -y curl lsb-release wget software-properties-common gnupg ninja-build shellcheck pax-utils nasm libsqlite3-dev libc6-dev libgtk-3-dev gcc g++ gcc-arm-none-eabi gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev libz3-dev build-essential cmake
     - uses: dtolnay/rust-toolchain@stable
+    - name: install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: 1.39.0
     - name: Add stable clippy
       shell: bash
       run: rustup toolchain install stable --component clippy --allow-downgrade

Cargo.toml

@@ -96,6 +96,7 @@ cmake = "0.1.51"
 document-features = "0.2.10"
 fastbloom = { version = "0.9.0", default-features = false }
 hashbrown = { version = "0.14.5", default-features = false } # A faster hashmap, nostd compatible
+just = "1.40.0"
 libc = "0.2.159" # For (*nix) libc
 libipt = "0.3.0"
 log = "0.4.22"

fuzzers/binary_only/qemu_launcher/Cargo.toml

@@ -47,7 +47,10 @@ libafl = { path = "../../../libafl", features = ["tui_monitor"] }
 libafl_bolts = { path = "../../../libafl_bolts", features = [
   "errors_backtrace",
 ] }
-libafl_qemu = { path = "../../../libafl_qemu", features = ["usermode"] }
+libafl_qemu = { path = "../../../libafl_qemu", features = [
+  "usermode",
+  "rasan",
+] }
 libafl_targets = { path = "../../../libafl_targets" }
 log = { version = "0.4.22", features = ["release_max_level_info"] }
 nix = { version = "0.29.0", features = ["fs"] }

fuzzers/binary_only/qemu_launcher/Justfile

@@ -31,6 +31,10 @@ harness: libpng
 
 [unix]
 run: harness build
+    #!/bin/bash
+
+    source {{ DOTENV }}
+    CUSTOM_QASAN_PATH={{ BUILD_DIR }}/$CROSS_TARGET/{{ PROFILE_DIR }}/libqasan.so \
     {{ FUZZER }} \
         --input ./corpus \
         --output {{ TARGET_DIR }}/output/ \
@@ -56,7 +60,12 @@ test_inner: harness build
 
     # complie again with simple mgr
     cargo build --profile={{PROFILE}} --features="simplemgr,{{ARCH}}" --target-dir={{ TARGET_DIR }} || exit 1
-    ./tests/qasan/test.sh || exit 1
+
+    export CUSTOM_QASAN_PATH={{ BUILD_DIR }}/$CROSS_TARGET/{{ PROFILE_DIR }}/libqasan.so
+    ./tests/qasan/qasan_test.sh || exit 1
+
+    export CUSTOM_GASAN_PATH={{ BUILD_DIR }}/$CROSS_TARGET/{{ PROFILE_DIR }}/libgasan.so
+    ./tests/qasan/gasan_test.sh || exit 1
 
 [unix]
 test:
@@ -72,6 +81,10 @@ single: harness build
         {{ HARNESS }}
 
 asan: harness build
+    #!/bin/bash
+
+    source {{ DOTENV }}
+    CUSTOM_QASAN_PATH={{ BUILD_DIR }}/$CROSS_TARGET/{{ PROFILE_DIR }}/libqasan.so \
     {{ FUZZER }} \
         --input ./corpus \
         --output {{ TARGET_DIR }}/output/ \
@@ -82,6 +95,10 @@ asan: harness build
         {{ HARNESS }}
 
 asan_guest: harness build
+    #!/bin/bash
+
+    source {{ DOTENV }}
+    CUSTOM_GASAN_PATH={{ BUILD_DIR }}/$CROSS_TARGET/{{ PROFILE_DIR }}/libgasan.so \
     {{ FUZZER }} \
         --input ./corpus \
         --output {{ TARGET_DIR }}/output/ \
@@ -93,4 +110,4 @@ asan_guest: harness build
 
 [unix]
 clean:
-    cargo clean
+    cargo clean

fuzzers/binary_only/qemu_launcher/src/client.rs

@@ -126,6 +126,16 @@ impl Client<'_> {
                         unsafe { AsanModule::builder().env(&env).asan_report().build() }
                     );
 
+                    instance_builder.build().run(args, modules, state)
+                } else if is_asan_guest {
+                    let modules = tuple_list!(
+                        DrCovModule::builder()
+                            .filename(drcov.clone())
+                            .full_trace(true)
+                            .build(),
+                        AsanGuestModule::default(&env),
+                    );
+
                     instance_builder.build().run(args, modules, state)
                 } else {
                     let modules = tuple_list!(DrCovModule::builder()
@@ -139,6 +149,10 @@ impl Client<'_> {
                 let modules =
                     tuple_list!(unsafe { AsanModule::builder().env(&env).asan_report().build() });
 
+                instance_builder.build().run(args, modules, state)
+            } else if is_asan_guest {
+                let modules = tuple_list!(AsanGuestModule::default(&env));
+
                 instance_builder.build().run(args, modules, state)
             } else {
                 let modules = tuple_list!();

fuzzers/binary_only/qemu_launcher/src/fuzzer.rs

@@ -8,9 +8,9 @@ use clap::Parser;
 #[cfg(feature = "simplemgr")]
 use libafl::events::SimpleEventManager;
 #[cfg(not(feature = "simplemgr"))]
-use libafl::events::{EventConfig, Launcher, MonitorTypedEventManager};
+use libafl::events::{EventConfig, Launcher, LlmpEventManagerBuilder, MonitorTypedEventManager};
 use libafl::{
-    events::{ClientDescription, LlmpEventManagerBuilder},
+    events::ClientDescription,
     monitors::{tui::TuiMonitor, Monitor, MultiMonitor},
     Error,
 };

fuzzers/binary_only/qemu_launcher/src/instance.rs

@@ -44,7 +44,8 @@ use libafl_qemu::{
         cmplog::CmpLogObserver,
         edges::EdgeCoverageFullVariant,
         utils::filters::{HasAddressFilter, NopPageFilter, StdAddressFilter},
-        EdgeCoverageModule, EmulatorModuleTuple, SnapshotModule, StdEdgeCoverageModule,
+        AsanGuestModule, EdgeCoverageModule, EmulatorModuleTuple, SnapshotModule,
+        StdEdgeCoverageModule,
     },
     Emulator, GuestAddr, Qemu, QemuExecutor,
 };
@@ -153,7 +154,7 @@ impl<M: Monitor> Instance<'_, M> {
             .map_observer(edges_observer.as_mut())
             .build()?;
 
-        let mut snapshot_module = SnapshotModule::new();
+        let mut snapshot_module = SnapshotModule::with_filters(AsanGuestModule::snapshot_filters());
 
         /*
          * Since the generics for the modules are already excessive when taking

fuzzers/binary_only/qemu_launcher/tests/qasan/.gitignore

@@ -0,0 +1 @@
+/qasan

fuzzers/binary_only/qemu_launcher/tests/qasan/gasan_test.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+if [[ ! -x "$QEMU_LAUNCHER" ]]; then
+  echo "env variable QEMU_LAUNCHER does not point to a valid executable"
+  echo "QEMU_LAUNCHER should point to qemu_launcher"
+  exit 1
+fi
+
+cd "$SCRIPT_DIR"
+make
+
+tests=(
+  "overflow"
+  "underflow"
+  "double_free"
+  "memset"
+  "uaf"
+  "test_limits"
+)
+
+tests_expected=(
+  "Segmentation fault"
+  "Segmentation fault"
+  "Panic!"
+  "Panic!"
+  "Segmentation fault"
+  "Test-Limits - No Error"
+)
+
+tests_not_expected=(
+  "dummy"
+  "dummy"
+  "dummy"
+  "dummy"
+  "dummy"
+  "Context:"
+)
+
+# We don't want any core dumps. They can potentially be quite large
+ulimit -c 0
+
+for i in "${!tests[@]}"
+do
+  test="${tests[i]}"
+  expected="${tests_expected[i]}"
+  not_expected="${tests_not_expected[i]}"
+
+  echo "Running $test detection test..."
+  OUT=$("$QEMU_LAUNCHER" \
+    -r "inputs/$test.txt" \
+    --input dummy \
+    --output out \
+    --asan-guest-cores 0 \
+    --cores 0 \
+    -- qasan 2>&1 | tr -d '\0')
+
+  echo "$OUT"
+
+  if ! echo "$OUT" | grep -q "$expected"; then
+    echo "ERROR: Expected: $expected."
+    echo "Output is:"
+    echo "$OUT"
+    exit 1
+  elif echo "$OUT" | grep -q "$not_expected"; then
+    echo "ERROR: Did not expect: $not_expected."
+    echo "Output is:"
+    echo "$OUT"
+    exit 1
+  else
+    echo "OK."
+  fi
+done

fuzzers/binary_only/qemu_launcher/tests/qasan/qasan.c

@@ -71,13 +71,7 @@ int main(int argc, char **argv) {
 
   char input = '\0';
 
-  // if (read(STDIN_FILENO, &input, 1) < 0) {
-
-  //   LOG("Failed to read stdin\n");
-  //   return 1;
-
-  // }
-
+  if (argc > 1) { input = argv[1][0]; }
   LLVMFuzzerTestOneInput(&input, 1);
 
   LOG("DONE\n");

fuzzers/binary_only/qemu_launcher/tests/qasan/test.sh renamed to fuzzers/binary_only/qemu_launcher/tests/qasan/qasan_test.sh

@@ -22,11 +22,11 @@ tests=(
 )
 
 tests_expected=(
-  "is 0 bytes to the right of the 10-byte chunk"
-  "is 1 bytes to the left of the 10-byte chunk"
-  "is 0 bytes inside the 10-byte chunk"
-  "Invalid 11 bytes write at"
-  "is 0 bytes inside the 10-byte chunk"
+  "AddressSanitizer Error"
+  "AddressSanitizer Error"
+  "Panic!"
+  "AddressSanitizer Error"
+  "AddressSanitizer Error"
   "Test-Limits - No Error"
 )
 
@@ -39,6 +39,9 @@ tests_not_expected=(
   "Context:"
 )
 
+# We don't want any core dumps. They can potentially be quite large
+ulimit -c 0
+
 for i in "${!tests[@]}"
 do
   test="${tests[i]}"