Make shellphish-afl compile on Ubuntu 20.04

patches/build_qemu.diff

@@ -1,5 +1,5 @@
---- qemu_mode/build_qemu_support.sh 	2019-01-26 15:02:56.276349827 -0700
-+++ /qemu_mode/build_qemu_support.sh	2019-01-26 15:48:59.953197930 -0700
+--- qemu_mode/build_qemu_support.sh
++++ qemu_mode/build_qemu_support.sh
 @@ -22,6 +22,10 @@
  # will be written to ../afl-qemu-trace.
  #
@@ -11,7 +11,7 @@
 
  VERSION="2.10.0"
  QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz"
-@@ -115,15 +119,11 @@
+@@ -115,15 +119,11 @@ echo "[*] Uncompressing archive (this will take a while)..."
  rm -rf "qemu-${VERSION}" || exit 1
  tar xf "$ARCHIVE" || exit 1
 
@@ -28,48 +28,69 @@
  cd qemu-$VERSION || exit 1
 
  echo "[*] Applying patches..."
-@@ -132,26 +132,40 @@
+@@ -132,26 +132,61 @@ patch -p1 <../patches/elfload.diff || exit 1
  patch -p1 <../patches/cpu-exec.diff || exit 1
  patch -p1 <../patches/syscall.diff || exit 1
 
-+if [ "`lsb_release -a 2>/dev/null | grep Release | awk '{print $2}'`" = 18.04 ]; then
++# some patches are needed for Ubuntu 20.04 but not for Ubuntu 18.04
++# (I have not tested other distributions)
++apply_patch_18_04=0
++apply_patches_above_18_04=0
++if [ `lsb_release -a 2>/dev/null | grep 'Distributor ID' | awk '{print $3}'` = Ubuntu ]; then
++    if [ `lsb_release -a 2>/dev/null | grep 'Release' | awk '{print $2}' | tr -d .` -ge 1804 ]; then
++        apply_patch_18_04=1
++    fi
++    if [ `lsb_release -a 2>/dev/null | grep 'Release' | awk '{print $2}' | tr -d .` -gt 1804 ]; then
++        apply_patches_above_18_04=1
++    fi
++else
++    apply_patch_18_04=1
++    apply_patches_above_18_04=1
++fi
++
++if [ $apply_patch_18_04 -eq 1 ]; then
 +    patch -p1 <../patches/memfd.diff
 +fi
++if [ $apply_patches_above_18_04 -eq 1 ]; then
++    patch -p1 <../patches/gettid.diff
++    patch -p1 <../patches/syscall_sockios.diff
++    patch -p1 <../patches/stime.diff
++fi
 +
  echo "[+] Patching done."
 
 -# --enable-pie seems to give a couple of exec's a second performance
 -# improvement, much to my surprise. Not sure how universal this is..
 +CPU_TARGETS=$@
-+
-+for CPU_TARGET in $CPU_TARGETS; do
-+
-+    # --enable-pie seems to give a couple of exec's a second performance
-+    # improvement, much to my surprise. Not sure how universal this is..
 
 -CFLAGS="-O3 -ggdb" ./configure --disable-system \
 -  --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
 -  --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1
-+    CFLAGS="-O3 -ggdb" ./configure --disable-system --python=`which python2` \
-+      --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
-+      --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1
++for CPU_TARGET in $CPU_TARGETS; do
 
 -echo "[+] Configuration complete."
-+    echo "[+] Configuration complete."
++    # --enable-pie seems to give a couple of exec's a second performance
++    # improvement, much to my surprise. Not sure how universal this is..
 
 -echo "[*] Attempting to build QEMU (fingers crossed!)..."
-+    echo "[*] Attempting to build QEMU (fingers crossed!)..."
++    CFLAGS="-O3 -ggdb" ./configure --disable-system --python=`which python2` \
++      --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
++      --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1
 
 -make || exit 1
-+    make || exit 1
++    echo "[+] Configuration complete."
 
 -echo "[+] Build process successful!"
-+    echo "[+] Build process successful!"
++    echo "[*] Attempting to build QEMU (fingers crossed!)..."
 
 -echo "[*] Copying binary..."
-+    echo "[*] Copying binary..."
++    make || exit 1
 
 -cp -f "${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1
++    echo "[+] Build process successful!"
++
++    echo "[*] Copying binary..."
++
 +    cp -f "${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1
 +
 +    mkdir -p ../../tracers/$CPU_TARGET
@@ -80,7 +101,7 @@
 
  cd ..
  ls -l ../afl-qemu-trace || exit 1
-@@ -166,29 +180,29 @@
+@@ -166,29 +201,29 @@ if [ "$ORIG_CPU_TARGET" = "" ]; then
 
    make >/dev/null || exit 1
 

patches/gettid.diff

@@ -0,0 +1,47 @@
+--- qemu-2.10.0/linux-user/syscall.c
++++ qemu-2.10.0/linux-user/syscall.c
+@@ -259,11 +259,12 @@ static type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5,	\
+ #endif
+
+ #ifdef __NR_gettid
++#define __NR_sys_gettid __NR_gettid
+-_syscall0(int, gettid)
++_syscall0(int, sys_gettid)
+ #else
+ /* This is a replacement for the host gettid() and must return a host
+    errno. */
+-static int gettid(void) {
++static int sys_gettid(void) {
+     return -ENOSYS;
+ }
+ #endif
+@@ -6222,7 +6222,7 @@ static void *clone_func(void *arg)
+     cpu = ENV_GET_CPU(env);
+     thread_cpu = cpu;
+     ts = (TaskState *)cpu->opaque;
+-    info->tid = gettid();
++    info->tid = sys_gettid();
+     task_settid(ts);
+     if (info->child_tidptr)
+         put_user_u32(info->tid, info->child_tidptr);
+@@ -6366,9 +6366,9 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp,
+                mapping.  We can't repeat the spinlock hack used above because
+                the child process gets its own copy of the lock.  */
+             if (flags & CLONE_CHILD_SETTID)
+-                put_user_u32(gettid(), child_tidptr);
++                put_user_u32(sys_gettid(), child_tidptr);
+             if (flags & CLONE_PARENT_SETTID)
+-                put_user_u32(gettid(), parent_tidptr);
++                put_user_u32(sys_gettid(), parent_tidptr);
+             ts = (TaskState *)cpu->opaque;
+             if (flags & CLONE_SETTLS)
+                 cpu_set_tls (env, newtls);
+@@ -11405,7 +11405,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
+         break;
+ #endif
+     case TARGET_NR_gettid:
+-        ret = get_errno(gettid());
++        ret = get_errno(sys_gettid());
+         break;
+ #ifdef TARGET_NR_readahead
+     case TARGET_NR_readahead:

patches/stime.diff

@@ -0,0 +1,17 @@
+--- qemu-2.10.0/linux-user/syscall.c
++++ qemu-2.10.0/linux-user/syscall.c
+@@ -8157,10 +8157,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
+ #ifdef TARGET_NR_stime /* not on alpha */
+     case TARGET_NR_stime:
+         {
+-            time_t host_time;
+-            if (get_user_sal(host_time, arg1))
++            struct timespec ts;
++            ts.tv_nsec = 0;
++            if (get_user_sal(ts.tv_sec, arg1))
+                 goto efault;
+-            ret = get_errno(stime(&host_time));
++            ret = get_errno(clock_settime(CLOCK_REALTIME, &ts));
+         }
+         break;
+ #endif

patches/syscall_sockios.diff

@@ -0,0 +1,10 @@
+--- qemu-2.10.0/linux-user/syscall.c
++++ qemu-2.10.0/linux-user/syscall.c
+@@ -41,6 +41,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
+              size_t stack_size, int flags, void *arg, ...);
+ #endif
+ #include <sys/socket.h>
++#include <linux/sockios.h>
+ #include <sys/un.h>
+ #include <sys/uio.h>
+ #include <poll.h>

setup.py

@@ -13,7 +13,7 @@
 AFL_CGC_INSTALL_PATH = os.path.join("bin", "afl-cgc")
 AFL_MULTI_CGC_INSTALL_PATH = os.path.join("bin", "afl-multi-cgc")
 SUPPORTED_ARCHES = ["aarch64", "x86_64", "i386", "arm", "ppc", "ppc64", "mips", "mipsel", "mips64"]
-QEMU_PATCH = "patches/memfd.diff"
+QEMU_PATCHES = ["patches/memfd.diff", "patches/gettid.diff", "patches/syscall_sockios.diff", "patches/stime.diff"]
 MULTIARCH_LIBRARY_PATH = os.path.join("bin", "fuzzer-libs")
 AFL_QEMU_MODE_PATCH = AFL_UNIX_INSTALL_PATH+"/qemu_mode/patches/"
 AFL_UNIX_FUZZ = os.path.join(AFL_UNIX_INSTALL_PATH)
@@ -35,9 +35,9 @@ def _setup_other_arch():
         if subprocess.call(['cp',AFL_UNIX_GEN, AFL_UNIX_INSTALL_PATH]) != 0:
             raise LibError("Build file doesn't exist")
 
-        # patch for qemu to work with ubuntu 18.04 and above
-        if subprocess.check_call(['cp',QEMU_PATCH,AFL_QEMU_MODE_PATCH]) != 0:
-            raise LibError('Patch to work Qemu with Ubuntu 18 not found')
+        # patches for QEMU to work with ubuntu 18.04 and above
+        if subprocess.check_call(['cp'] + QEMU_PATCHES + [AFL_QEMU_MODE_PATCH]) != 0:
+            raise LibError('Patches to make QEMU work with Ubuntu 18.04 and above not found')
 
         if subprocess.check_call(['./build.sh'] + SUPPORTED_ARCHES, cwd=AFL_UNIX_INSTALL_PATH) != 0:
             raise LibError("Unable to build afl-other-arch")