This repository demonstrates an issue with libafl_qemu crashing after the target experiences a segfault.
Assuming the supplied devcontainer is used, demonstrating the issue should be as simple as running:
make
However, if the target is built outside of the devcontainer, the entrypoint and exitpoint parameters in the Makefile may need to be altered, because a different compiler will lay out main differently.
These values are intended to be the address of the call to process_image and the address of the instruction immediately after it, e.g. 0x11dc and 0x11e1:
$ objdump -M intel -d targets/vuln_prog_slowinit | grep "main>:" -A40
0000000000001180 <main>:
1180: f3 0f 1e fa endbr64
1184: 55 push rbp
1185: 53 push rbx
...
11d9: 48 89 ef mov rdi,rbp
11dc: e8 2f 01 00 00 call 1310 <process_image>
11e1: 48 8b 44 24 18 mov rax,QWORD PTR [rsp+0x18]
11e6: 64 48 2b 04 25 28 00 sub rax,QWORD PTR fs:0x28
11ed: 00 00
...
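To locate these two addresses automatically when a different compiler shifts the layout of main, the following helper (added here, not part of this repository) parses objdump's Intel-syntax listing, finds the call to process_image and returns that address together with the address of the instruction that follows it. The sample listing embedded below is constructed from the excerpt above.

```python
import re
import sys

# One objdump instruction line: "<addr>:  <opcode bytes>  <mnemonic> [operands]".
# Lines that carry only trailing opcode bytes (e.g. "11ed:  00 00") have no
# mnemonic and are skipped, as are "..." elisions and symbol headers.
_INSN_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+(?P<bytes>(?:[0-9a-f]{2}\s+)+)"
    r"\s*(?P<mnem>[a-z][\w.]*)(?:\s+(?P<ops>.*))?$"
)

# Constructed sample, copied from the listing shown above (tabs replaced by spaces).
SAMPLE_LISTING = """\
0000000000001180 <main>:
    1180:  f3 0f 1e fa             endbr64
    1184:  55                      push   rbp
    11d9:  48 89 ef                mov    rdi,rbp
    11dc:  e8 2f 01 00 00          call   1310 <process_image>
    11e1:  48 8b 44 24 18          mov    rax,QWORD PTR [rsp+0x18]
    11e6:  64 48 2b 04 25 28 00    sub    rax,QWORD PTR fs:0x28
    11ed:  00 00
"""


def parse_objdump(text):
    """Return [(addr, mnemonic, operands)] for every real instruction line."""
    insns = []
    for line in text.splitlines():
        m = _INSN_RE.match(line)
        if m:
            ops = (m.group("ops") or "").strip()
            insns.append((int(m.group("addr"), 16), m.group("mnem"), ops))
    return insns


def find_hook_addresses(text, callee="process_image"):
    """Return (entrypoint, exitpoint): the call to `callee` and the next instruction.

    Returns None if no such call exists or nothing follows it in the listing.
    """
    insns = parse_objdump(text)
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops.endswith("<%s>" % callee):
            return (addr, insns[i + 1][0]) if i + 1 < len(insns) else None
    return None


if __name__ == "__main__":
    # Usage: objdump -M intel -d targets/vuln_prog_slowinit | python3 find_hooks.py
    hooks = find_hook_addresses(sys.stdin.read())
    print("entrypoint=0x%x exitpoint=0x%x" % hooks if hooks else "call not found")
```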
The fuzzing campaign quickly ends after a segfault in the target. Sometimes another kind of crash occurs that does not cause the campaign to terminate, but a segfault always causes the fuzzing process to end.