Fix various QEMU bugs (#2475)

* Update LibAFL QEMU to the latest version (V9.0.2 update, important bug fixes, ... - check the dedicated repo for more info)
* fix bug in hook execution, causing first execution hooks to be run multiple times.

Author: rmalmain

.dockerignore

@@ -1,4 +1,5 @@
-target
+**/target
+**/.git
 Cargo.lock
 
 *.o

fuzzers/qemu/qemu_launcher/Cargo.toml

@@ -48,13 +48,13 @@ vergen = { version = "8.2", features = [
 
 [dependencies]
 clap = { version = "4.3", features = ["derive", "string"] }
-libafl = { path = "../../../libafl/" }
-libafl_bolts = { path = "../../../libafl_bolts/", features = [
+libafl = { path = "../../../libafl" }
+libafl_bolts = { path = "../../../libafl_bolts", features = [
   "errors_backtrace",
 ] }
-libafl_qemu = { path = "../../../libafl_qemu/", features = ["usermode"] }
+libafl_qemu = { path = "../../../libafl_qemu", features = ["usermode"] }
 log = { version = "0.4.20" }
 nix = { version = "0.29", features = ["fs"] }
 rangemap = { version = "1.3" }
 readonly = { version = "0.2.10" }
-typed-builder = { version = "0.18" }
+typed-builder = { version = "0.19" }

libafl_qemu/Cargo.toml

@@ -125,7 +125,7 @@ serde_yaml = { version = "0.9", optional = true } # For parsing the injections y
 toml = { version = "0.8.13", optional = true } # For parsing the injections toml file
 pyo3 = { version = "0.22", optional = true, features = ["multiple-pymethods"] }
 bytes-utils = "0.1"
-typed-builder = "0.18"
+typed-builder = "0.19"
 memmap2 = "0.9"
 # Document all features of this crate (for `cargo doc`)
 document-features = { version = "0.2", optional = true }

libafl_qemu/libafl_qemu_build/src/build.rs

@@ -11,7 +11,7 @@ use crate::cargo_add_rpath;
 
 pub const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 pub const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-pub const QEMU_REVISION: &str = "4cafaa9a087dae6674b0fdc11ba34d3e6a8364d2";
+pub const QEMU_REVISION: &str = "24abc2a717226bedc047167f639aef0edc9ce92d";
 
 #[allow(clippy::module_name_repetitions)]
 pub struct BuildResult {

libafl_qemu/src/emu/mod.rs

@@ -477,6 +477,7 @@ where
     breakpoints_by_id: RefCell<HashMap<BreakpointId, BreakpointMutRef<CM, EH, ET, S>>>,
     #[builder(setter(transform = |args: &[String], env: &[(String, String)]| Qemu::init(args, env).unwrap()))]
     qemu: Qemu,
+    first_exec: bool,
     _phantom: PhantomData<(ET, S)>,
 }
 
@@ -513,6 +514,7 @@ where
             exit_handler: RefCell::new(exit_handler),
             breakpoints_by_addr: RefCell::new(HashMap::new()),
             breakpoints_by_id: RefCell::new(HashMap::new()),
+            first_exec: true,
             _phantom: PhantomData,
             qemu,
         })
@@ -678,7 +680,10 @@ where
     }
 
     pub fn first_exec_all(&mut self) {
-        self.modules.first_exec_all();
+        if self.first_exec {
+            self.modules.first_exec_all();
+            self.first_exec = false;
+        }
     }
 
     pub fn pre_exec_all(&mut self, input: &S::Input) {

libafl_qemu/src/modules/edges.rs

@@ -162,7 +162,7 @@ where
         ET: EmulatorModuleTuple<S>,
     {
         if self.use_hitcounts {
-            // hooks.edges(
+            // emulator_modules.edges(
             //     Hook::Function(gen_unique_edge_ids::<ET, S>),
             //     Hook::Raw(trace_edge_hitcount),
             // );
@@ -175,7 +175,7 @@ where
                 );
             }
         } else {
-            // hooks.edges(
+            // emulator_modules.edges(
             //     Hook::Function(gen_unique_edge_ids::<ET, S>),
             //     Hook::Raw(trace_edge_single),
             // );