本文指导如何修改build_qemu_support.sh脚本以使用QEMU2.10.0,包括解决libtool和python缺失问题,以及应用memfd_create和syscall.diff补丁以适应系统需求。过程中涉及到了apt安装包、代码补丁的编辑和编译过程的修复。
找到build_qemu_support.sh文件,双击点开,找到
修改QEMU_URL为以下内容, 确保qemu2.10.0版本能正常下载。或手动下载放至build_qemu_support.sh同级目录下。
QEMU_URL="https://download.qemu.org/qemu-${VERSION}.tar.xz"
运行build_qemu_support.sh(这里修改为自己的afl安装路径)
/path/to/afl/qemu_mode/build_qemu_support.sh
根据提示安装缺少的库
- 报错
libtool not found, please install first。
需要装两个
sudo apt install libtool
sudo apt install libtool-bin
- 报错
python not found, please install first。
/usr/bin目录中找不到python,所以报错。直接把安装好的python2复制一份并重命名为python
cd /usr/bin/
sudo cp python2.7 python
- 报错error: static declaration of ‘memfd_create’ follows non-static declaration
在/path/to/afl/qemu_mode/patches目录下新建 memfd_create.diff 文件,添加以下内容:
diff -ru qemu-2.10.0-clean/util/memfd.c qemu-2.10.0/util/memfd.c
--- qemu-2.10.0-clean/util/memfd.c 2018-11-20 18:11:00.170271506 +0100
+++ qemu-2.10.0/util/memfd.c 2018-11-20 18:11:13.398423613 +0100
@@ -37,7 +37,7 @@
#include <sys/syscall.h>
#include <asm/unistd.h>
-static int memfd_create(const char *name, unsigned int flags)
+int memfd_create(const char *name, unsigned int flags)
{
#ifdef __NR_memfd_create
return syscall(__NR_memfd_create, name, flags);
在build_qemu_support.sh文件这里
patch -p1 <../patches/elfload.diff || exit 1
patch -p1 <../patches/cpu-exec.diff || exit 1
patch -p1 <../patches/syscall.diff || exit 1
下方添加一行
patch -p1 <../patches/memfd_create.diff || exit 1
- 报错 error: static declaration of ‘gettid’ follows non-static declaration
修改同目录下 syscall.diff 文件,将原先文件内容全部删除,添加以下内容
--- qemu-2.10.0-rc3-clean/linux-user/syscall.c 2017-08-15 11:39:41.000000000 -0700
+++ qemu-2.10.0-rc3/linux-user/syscall.c 2017-08-22 14:34:03.193088186 -0700
@@ -34,6 +34,7 @@
#include <sys/resource.h>
#include <sys/swap.h>
#include <linux/capability.h>
+#include <linux/sockios.h> // https://lkml.org/lkml/2019/6/3/988
#include <sched.h>
#include <sys/timex.h>
#ifdef __ia64__
@@ -116,6 +117,8 @@ int __clone2(int (*fn)(void *), void *ch
#include "qemu.h"
+extern unsigned int afl_forksrv_pid;
+
#ifndef CLONE_IO
#define CLONE_IO 0x80000000 /* Clone io context */
#endif
@@ -256,7 +259,9 @@ static type name (type1 arg1,type2 arg2,
#endif
#ifdef __NR_gettid
-_syscall0(int, gettid)
+// taken from https://patchwork.kernel.org/patch/10862231/
+#define __NR_sys_gettid __NR_gettid
+_syscall0(int, sys_gettid)
#else
/* This is a replacement for the host gettid() and must return a host
errno. */
@@ -6219,7 +6224,8 @@ static void *clone_func(void *arg)
cpu = ENV_GET_CPU(env);
thread_cpu = cpu;
ts = (TaskState *)cpu->opaque;
- info->tid = gettid();
+ // taken from https://patchwork.kernel.org/patch/10862231/
+ info->tid = sys_gettid();
task_settid(ts);
if (info->child_tidptr)
put_user_u32(info->tid, info->child_tidptr);
@@ -6363,9 +6369,11 @@ static int do_fork(CPUArchState *env, un
mapping. We can't repeat the spinlock hack used above because
the child process gets its own copy of the lock. */
if (flags & CLONE_CHILD_SETTID)
- put_user_u32(gettid(), child_tidptr);
+ // taken from https://patchwork.kernel.org/patch/10862231/
+ put_user_u32(sys_gettid(), child_tidptr);
if (flags & CLONE_PARENT_SETTID)
- put_user_u32(gettid(), parent_tidptr);
+ // taken from https://patchwork.kernel.org/patch/10862231/
+ put_user_u32(sys_gettid(), parent_tidptr);
ts = (TaskState *)cpu->opaque;
if (flags & CLONE_SETTLS)
cpu_set_tls (env, newtls);
@@ -11402,7 +11410,8 @@ abi_long do_syscall(void *cpu_env, int n
break;
#endif
case TARGET_NR_gettid:
- ret = get_errno(gettid());
+ // taken from https://patchwork.kernel.org/patch/10862231/
+ ret = get_errno(sys_gettid());
break;
#ifdef TARGET_NR_readahead
case TARGET_NR_readahead:
再次运行,编译成功,出现以下内容
2024.1.28
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
