Intel PT minor fixes and improvements (AFLplusplus#2749)

* Fix build target Create target directory if doesn't exist * Remove filter on speculatively exec blocks since also committed blocks can have this flag * Add current ip_filters getter * Fix possibile infinite loop in trace decode * Add comment about target_path
riesentoaster · Dec 11, 2024 · 6022d95 · 6022d95
1 parent 622e89e
commit 6022d95
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 10 deletions.
diff --git a/fuzzers/binary_only/intel_pt_command_executor/Makefile.toml b/fuzzers/binary_only/intel_pt_command_executor/Makefile.toml
@@ -1,17 +1,23 @@
+[env]
+TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
+
 [env.development]
 PROFILE_DIR = "debug"
 
 [env.release]
 PROFILE_DIR = "release"
 
+[tasks.target_dir]
+condition = { files_not_exist = ["${TARGET_DIR}"] }
+script_runner = "@shell"
+script = '''
+mkdir -p ${TARGET_DIR}
+'''
+
 [tasks.build_target]
+dependencies = ["target_dir"]
 command = "rustc"
-args = [
-  "src/target_program.rs",
-  "--out-dir",
-  "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${PROFILE_DIR}",
-  "-O",
-]
+args = ["src/target_program.rs", "--out-dir", "${TARGET_DIR}", "-O"]
 
 [tasks.build_fuzzer]
 command = "cargo"

diff --git a/fuzzers/binary_only/intel_pt_command_executor/src/main.rs b/fuzzers/binary_only/intel_pt_command_executor/src/main.rs
@@ -36,7 +36,10 @@ pub fn main() {
     // Enable logging
     env_logger::init();
 
+    // path of the program we want to fuzz
     let target_path = PathBuf::from(env::args().next().unwrap())
+        .parent()
+        .unwrap()
         .parent()
         .unwrap()
         .join("target_program");

diff --git a/libafl_intelpt/src/lib.rs b/libafl_intelpt/src/lib.rs
@@ -179,6 +179,12 @@ impl IntelPT {
         }
     }
 
+    /// Get the current IP filters configuration
+    #[must_use]
+    pub fn ip_filters(&self) -> Vec<RangeInclusive<usize>> {
+        self.ip_filters.clone()
+    }
+
     fn ip_filters_to_addr_filter(&self) -> AddrFilter {
         let mut builder = AddrFilterBuilder::new();
         let mut iter = self
@@ -400,24 +406,26 @@ impl IntelPT {
                     *status = s;
                     let offset = decoder.offset().map_err(error_from_pt_error)?;
 
-                    if b.ninsn() > 0 && !b.speculative() && skip < offset {
+                    if b.ninsn() > 0 && skip < offset {
                         let id = hash_me(*previous_block_end_ip) ^ hash_me(b.ip());
                         // SAFETY: the index is < map.len() since the modulo operation is applied
                         let map_loc = unsafe { map.get_unchecked_mut(id as usize % map.len()) };
                         *map_loc = (*map_loc).saturating_add(&1u8.into());
 
                         *previous_block_end_ip = b.end_ip();
                     }
+
+                    if status.eos() {
+                        break 'block;
+                    }
                 }
                 Err(e) => {
                     if e.code() != PtErrorCode::Eos {
                         log::trace!("PT error in block next {e:?}");
                     }
+                    break 'block;
                 }
             }
-            if status.eos() {
-                break 'block;
-            }
         }
         Ok(())
     }