alwin.berger/FRET-qemu
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: alwin.berger:v6.1.1-libafl-backport
Branches Tags
alwin.berger:wcet_system
alwin.berger:fret_153
alwin.berger:fret_141
alwin.berger:fret_update_130
alwin.berger:standalone_icount_measure
alwin.berger:fret_update_112
alwin.berger:fret_update_111
alwin.berger:fret_v3
alwin.berger:fret_v2
alwin.berger:v6.1.1-libafl-backport
alwin.berger:6.1.1-instument
alwin.berger:6.2.0-instrum
alwin.berger:old_master_fix_insns
alwin.berger:eval_24-11-11
alwin.berger:working_0.10.1_port
alwin.berger:submitted
..
compare: alwin.berger:wcet_system
Branches Tags
alwin.berger:fret_153
alwin.berger:fret_141
alwin.berger:fret_update_130
alwin.berger:standalone_icount_measure
alwin.berger:fret_update_112
alwin.berger:fret_update_111
alwin.berger:fret_v3
alwin.berger:fret_v2
alwin.berger:wcet_system
alwin.berger:v6.1.1-libafl-backport
alwin.berger:6.1.1-instument
alwin.berger:6.2.0-instrum
alwin.berger:old_master_fix_insns
alwin.berger:eval_24-11-11
alwin.berger:working_0.10.1_port
alwin.berger:submitted

19 Commits
v6.1.1-lib ... wcet_syste

Author SHA1 Message Date
Alwin Berger
85e0a3f630 fix comment 2022-09-07 21:29:56 +02:00
Alwin Berger
ab54074925 TESTING: add some code for instrumentation tests 2022-07-10 16:21:02 +02:00
Alwin Berger
f5b92c8907 new example in main 2022-07-10 16:18:46 +02:00
Alwin Berger
f438967783 extend libafl_exec_jmp_hook 2022-05-26 23:57:34 +02:00
Alwin Berger
3493dfa219 start interrupt timer on start 2022-05-04 22:58:30 +02:00
Alwin Berger
a5a49c3292 add hard-coded libafl_exec_systick_hook 2022-04-26 00:29:18 +02:00
Alwin Berger
8a379ba198 add libafl_send_irq 2022-04-19 23:44:36 +02:00
Alwin Berger
6ffc2bbe4f bugfix 2022-04-18 13:46:21 +02:00
Alwin Berger
0cf10fb0ff add jmp instrumentation 2022-04-11 22:56:11 +02:00
Alwin Berger
404cb91655 use libafl_gen_jmp 2022-04-08 00:54:21 +02:00
Alwin Berger
ff823f26ff save edges after interrupts 2022-04-06 21:16:15 +02:00
Alwin Berger
80af255c2e add native remove breakpoint 2022-02-06 20:50:16 +01:00
Alwin Berger
e62b0072ea switch to icount_get_raw 2022-02-01 15:00:06 +01:00
Alwin Berger
6ec50ee9c3 add libafl_get_clock 2022-01-31 19:42:07 +01:00
Alwin Berger
88a0358a4e ignore binaries 2022-01-28 12:22:43 +01:00
Alwin Berger
78dac2f524 add starters 2022-01-28 10:34:05 +01:00
Alwin Berger
9caef2e60f Fix tb->icount > TCG_MAX_INSNS for edges 
Aparently tcg_tb_alloc does not return a 0ed field,
which can cause icount to appear to have a value above the
maximum allowed number of instructions per tb.
 2022-01-15 23:33:33 +01:00
Alwin Berger
b781a3ebce EXPERIMENT: don't flush tbs on loadvm 
This should speed up fuzzing somewhat, but could also create
use-after-free bugs.
 2022-01-09 22:44:41 +01:00
Alwin Berger
5a1cf4d873 Add softmmu instumentation 
Break up the control flow from softmmu/main.c:main to be called as a
library.
For now use gdb style breakpoints and native snapshots.
This keeps compatability with user-mode code.
 2022-01-09 22:30:34 +01:00
16 changed files with 515 additions and 2 deletions
Show Stats Expand all files Collapse all files

3
.gitignore vendored
View File

@ -15,3 +15,6 @@ GTAGS
*.depend_raw *.depend_raw
*.swp *.swp
*.patch *.patch
.cache
*.axf
*.qcow2

72
3k.c Normal file
View File

@ -0,0 +1,72 @@
#include <stdio.h>
#include <stdint.h>
void libafl_qemu_main_loop( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_set_breakpoint( unsigned long int );
void libafl_qemu_remove_native_breakpoint( unsigned long int );
void libafl_qemu_set_native_breakpoint( unsigned long int );
void libafl_snapshot_save( const char* );
void libafl_snapshot_load( const char* );
void libafl_phys_read(uint32_t, uint8_t*, int);
void libafl_phys_write(uint32_t, uint8_t*, int);
int64_t icount_to_ns(int64_t icount);
int64_t libafl_get_clock( void );
int main(int argc, char **argv, char **envp)
{
unsigned char buf[32] = "_`abcdefghijklmnopqrstuvwxyz{|}~";
unsigned char buf2[32] = "0";
unsigned char buf3[32] = "z";
unsigned char buf4[32] = "a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
unsigned char buf5[32] = "b!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
libafl_qemu_sys_init(argc, argv, envp);
int pheader = 0x00006a4c;
// libafl_phys_read(0x20000110-0x20000100+pheader, buf,32);
// printf("FUZZ_INPUT[0]: %c\n", buf[0]);
// Start pre-run
libafl_qemu_set_native_breakpoint(0x4ce2);//send 217028
libafl_qemu_main_loop();
libafl_qemu_remove_native_breakpoint(0x4ce2);
// End pre-run
libafl_snapshot_save("Start");
libafl_qemu_set_native_breakpoint(0x4be0);
int64_t tmp = libafl_get_clock();
printf("snapshot icount: %ld, %ldns\n",tmp,icount_to_ns(tmp));
libafl_snapshot_load("Start");
tmp = libafl_get_clock();
printf("snapshot icount after load: %ld, %ldns\n",tmp,icount_to_ns(tmp));
libafl_phys_write(0x20000110-0x20000100+pheader, buf,32);
libafl_qemu_main_loop();
printf("%ld für %s\n",libafl_get_clock(),buf);
libafl_snapshot_load("Start");
libafl_phys_write(0x20000110-0x20000100+pheader, buf2,32);
libafl_qemu_main_loop();
printf("%ld für %s\n",libafl_get_clock(),buf2);
libafl_snapshot_load("Start");
libafl_phys_write(0x20000110-0x20000100+pheader, buf3,32);
libafl_qemu_main_loop();
printf("%ld für %s\n",libafl_get_clock(),buf3);
libafl_snapshot_load("Start");
/*int counter = 3000;
do {
libafl_phys_write(0x20000110-0x20000100+pheader, buf,32);
libafl_qemu_main_loop();
int64_t tmp = libafl_get_clock();
printf("%ld, %ldns\n",tmp,icount_to_ns(tmp));
libafl_snapshot_load("Start");
// puts("Reload has occured");
counter--;
} while (counter);*/
libafl_qemu_cleanup();
return 0;
}

7
accel/tcg/cpu-exec.c
View File

@ -868,6 +868,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base, target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags); uint32_t flags, int cflags);
void libafl_exec_edge_one_off(target_ulong src_block, target_ulong dst_block);
//// --- End LibAFL code --- //// --- End LibAFL code ---
@ -970,6 +971,12 @@ int cpu_exec(CPUState *cpu)
*/ */
qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb); qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
} }
//// --- Begin LibAFL code ---
// This will save an edge (0,pc) after interrupts
// if (!last_tb) {
// libafl_exec_edge_one_off(0, tb->pc);
// }
//// --- End LibAFL code ---
#ifndef CONFIG_USER_ONLY #ifndef CONFIG_USER_ONLY
/* /*

47
accel/tcg/translate-all.c
View File

@ -68,6 +68,8 @@
#include "exec/helper-head.h" #include "exec/helper-head.h"
void libafl_helper_table_add(TCGHelperInfo* info); void libafl_helper_table_add(TCGHelperInfo* info);
void libafl_gen_jmp(target_ulong src, target_ulong dst);
void libafl_exec_edge_one_off(target_ulong src_block, target_ulong dst_block);
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base, target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags); uint32_t flags, int cflags);
@ -79,6 +81,8 @@ void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
void (*libafl_exec_edge_hook)(uint64_t id); void (*libafl_exec_edge_hook)(uint64_t id);
uint64_t (*libafl_gen_edge_hook)(uint64_t src, uint64_t dst); uint64_t (*libafl_gen_edge_hook)(uint64_t src, uint64_t dst);
void (*libafl_exec_jmp_hook)(uint64_t src, uint64_t dst, uint64_t id);
uint64_t (*libafl_gen_jmp_hook)(uint64_t src, uint64_t dst);
static TCGHelperInfo libafl_exec_edge_hook_info = { static TCGHelperInfo libafl_exec_edge_hook_info = {
.func = NULL, .name = "libafl_exec_edge_hook", \ .func = NULL, .name = "libafl_exec_edge_hook", \
@ -87,6 +91,13 @@ static TCGHelperInfo libafl_exec_edge_hook_info = {
}; };
static int exec_edge_hook_added = 0; static int exec_edge_hook_added = 0;
static TCGHelperInfo libafl_exec_jmp_hook_info = {
.func = NULL, .name = "libafl_exec_jmp_hook", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i64, 3)
};
static int exec_jmp_hook_added = 0;
void (*libafl_exec_block_hook)(uint64_t id); void (*libafl_exec_block_hook)(uint64_t id);
uint64_t (*libafl_gen_block_hook)(uint64_t pc); uint64_t (*libafl_gen_block_hook)(uint64_t pc);
@ -1770,6 +1781,40 @@ tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
} }
//// --- Begin LibAFL code --- //// --- Begin LibAFL code ---
void libafl_exec_edge_one_off(target_ulong src_block, target_ulong dst_block)
{
uint32_t libafl_id = 0;
if (libafl_gen_edge_hook)
libafl_id = libafl_gen_edge_hook((uint64_t)src_block, (uint64_t)dst_block);
if (!libafl_exec_edge_hook || libafl_id == (uint32_t)-1)
return;
if (!exec_edge_hook_added) {
exec_edge_hook_added = 1;
libafl_exec_edge_hook_info.func = libafl_exec_edge_hook;
libafl_helper_table_add(&libafl_exec_edge_hook_info);
}
libafl_exec_edge_hook(libafl_id);
}
void libafl_gen_jmp(target_ulong src, target_ulong dst)
{
uint32_t libafl_id = 0;
if (libafl_gen_jmp_hook)
libafl_id = libafl_gen_jmp_hook((uint64_t)src, (uint64_t)dst);
if (!libafl_exec_jmp_hook || libafl_id == (uint32_t)-1)
return;
if (!exec_jmp_hook_added) {
exec_jmp_hook_added = 1;
libafl_exec_jmp_hook_info.func = libafl_exec_jmp_hook;
libafl_helper_table_add(&libafl_exec_jmp_hook_info);
}
TCGv_i64 tmp0 = tcg_const_i64(src);
TCGv_i64 tmp1 = tcg_const_i64(dst);
TCGv_i64 tmp2 = tcg_const_i64(libafl_id);
TCGTemp *tmp3[3] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1), tcgv_i64_temp(tmp2) };
tcg_gen_callN(libafl_exec_jmp_hook, NULL, 3, tmp3);
tcg_temp_free_i64(tmp0);
}
/* Called with mmap_lock held for user mode emulation. */ /* Called with mmap_lock held for user mode emulation. */
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
@ -1815,6 +1860,7 @@ TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
tb->flags = flags; tb->flags = flags;
tb->cflags = cflags; tb->cflags = cflags;
tb->trace_vcpu_dstate = *cpu->trace_dstate; tb->trace_vcpu_dstate = *cpu->trace_dstate;
tb->icount = 0;
tcg_ctx->tb_cflags = 0; tcg_ctx->tb_cflags = 0;
tcg_func_start(tcg_ctx); tcg_func_start(tcg_ctx);
@ -1935,6 +1981,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
tb->flags = flags; tb->flags = flags;
tb->cflags = cflags; tb->cflags = cflags;
tb->trace_vcpu_dstate = *cpu->trace_dstate; tb->trace_vcpu_dstate = *cpu->trace_dstate;
tb->icount = 0;
tcg_ctx->tb_cflags = cflags; tcg_ctx->tb_cflags = cflags;
tb_overflow: tb_overflow:

5
cpu.c
View File

@ -239,7 +239,12 @@ static int cpu_common_post_load(void *opaque, int version_id)
* memory we've translated code from. So we must flush all TBs, * memory we've translated code from. So we must flush all TBs,
* which will now be stale. * which will now be stale.
*/ */
/* Begin LibAFL instrumentation */
// Do not flush old tbs on loadvm, when fuzzing in system-mode
#if !defined(CONFIG_USER_ONLY) && defined(AS_SHARED_LIB)
tb_flush(cpu); tb_flush(cpu);
#endif
/* End LibAFL instrumentation */
return 0; return 0;
} }

22
hw/intc/armv7m_nvic.c
View File

@ -2999,3 +2999,25 @@ static void armv7m_nvic_register_types(void)
} }
type_init(armv7m_nvic_register_types) type_init(armv7m_nvic_register_types)
/* Begin LibAFL instrumentation */
#include "qemu/main-loop.h"
void libafl_send_irq(int irqn);
void libafl_send_irq(int irqn) {
bool haslock = qemu_mutex_iothread_locked();
if (!haslock) {
qemu_mutex_lock_iothread();
}
CPUState *cpu;
CPU_FOREACH(cpu) {
CPUARMState* env = cpu->env_ptr;
NVICState* nvic = env->nvic;
// set_irq_level(nvic, irqn, 1);
// set_irq_level(nvic, irqn, 0);
armv7m_nvic_set_pending(nvic, irqn+16, false);
}
if (!haslock) {
qemu_mutex_unlock_iothread();
}
}
/* End LibAFL instrumentation */

26
hw/timer/armv7m_systick.c
View File

@ -38,7 +38,6 @@ static inline int64_t systick_scale(SysTickState *s)
return 1000; return 1000;
} }
} }
static void systick_timer_tick(void *opaque) static void systick_timer_tick(void *opaque)
{ {
SysTickState *s = (SysTickState *)opaque; SysTickState *s = (SysTickState *)opaque;
@ -248,3 +247,28 @@ static void armv7m_systick_register_types(void)
} }
type_init(armv7m_systick_register_types) type_init(armv7m_systick_register_types)
/* Begin LibAFL instrumentation */
extern void libafl_send_irq(int irqn);
volatile unsigned int libafl_int_offset = 0;
static ptimer_state* mytimer;
/* This can be moved to a helper function later */
static void libafl_timed_int_hook(void*);
static void libafl_timed_int_hook(void* arg)
{
libafl_send_irq(0);
}
void libafl_start_int_timer( void );
void libafl_start_int_timer( void ) {
if (libafl_int_offset==0) {return;}
if (!mytimer) {
mytimer = ptimer_init(&libafl_timed_int_hook, NULL, 0);
}
ptimer_transaction_begin(mytimer);
ptimer_stop(mytimer);
ptimer_set_period(mytimer, libafl_int_offset);
ptimer_set_count(mytimer, 8);
ptimer_run(mytimer, 1);
ptimer_transaction_commit(mytimer);
}
/* End LibAFL instrumentation */

70
myconfigure.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/sh
cd "$(dirname "$0")"
mkdir -p build
cd build
../configure --target-list=arm-linux-user,arm-softmmu,x86_64-linux-user,x86_64-softmmu \
--audio-drv-list= \
--disable-blobs \
--disable-bochs \
--disable-brlapi \
--disable-bsd-user \
--disable-bzip2 \
--disable-cap-ng \
--disable-cloop \
--disable-curl \
--disable-curses \
--disable-dmg \
--enable-fdt \
--disable-gcrypt \
--disable-glusterfs \
--disable-gnutls \
--disable-gtk \
--disable-guest-agent \
--disable-iconv \
--disable-libiscsi \
--disable-libnfs \
--disable-libssh \
--disable-libusb \
--disable-linux-aio \
--disable-live-block-migration \
--disable-lzo \
--disable-nettle \
--disable-numa \
--disable-opengl \
--disable-parallels \
--disable-plugins \
--disable-qcow1 \
--disable-qed \
--disable-rbd \
--disable-rdma \
--disable-replication \
--disable-sdl \
--disable-seccomp \
--disable-smartcard \
--disable-snappy \
--disable-spice \
--enable-system \
--disable-tools \
--disable-tpm \
--disable-usb-redir \
--disable-vde \
--disable-vdi \
--disable-vhost-crypto \
--disable-vhost-kernel \
--disable-vhost-net \
--disable-vhost-scsi \
--disable-vhost-user \
--disable-vhost-vdpa \
--disable-vhost-vsock \
--disable-virglrenderer \
--disable-virtfs \
--disable-vnc \
--disable-vnc-jpeg \
--disable-vnc-png \
--disable-vnc-sasl \
--disable-vte \
--disable-vvfat \
--disable-xen \
--disable-xen-pci-passthrough \
--disable-xfsctl \
--as-shared-lib

69
myconfigureunshared.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/sh
cd "$(dirname "$0")"
mkdir -p build
cd build
../configure --target-list=arm-linux-user,arm-softmmu \
--audio-drv-list= \
--disable-blobs \
--disable-bochs \
--disable-brlapi \
--disable-bsd-user \
--disable-bzip2 \
--disable-cap-ng \
--disable-cloop \
--disable-curl \
--disable-curses \
--disable-dmg \
--enable-fdt \
--disable-gcrypt \
--disable-glusterfs \
--disable-gnutls \
--disable-gtk \
--disable-guest-agent \
--disable-iconv \
--disable-libiscsi \
--disable-libnfs \
--disable-libssh \
--disable-libusb \
--disable-linux-aio \
--disable-live-block-migration \
--disable-lzo \
--disable-nettle \
--disable-numa \
--disable-opengl \
--disable-parallels \
--disable-plugins \
--disable-qcow1 \
--disable-qed \
--disable-rbd \
--disable-rdma \
--disable-replication \
--disable-sdl \
--disable-seccomp \
--disable-smartcard \
--disable-snappy \
--disable-spice \
--enable-system \
--disable-tools \
--disable-tpm \
--disable-usb-redir \
--disable-vde \
--disable-vdi \
--disable-vhost-crypto \
--disable-vhost-kernel \
--disable-vhost-net \
--disable-vhost-scsi \
--disable-vhost-user \
--disable-vhost-vdpa \
--disable-vhost-vsock \
--disable-virglrenderer \
--disable-virtfs \
--disable-vnc \
--disable-vnc-jpeg \
--disable-vnc-png \
--disable-vnc-sasl \
--disable-vte \
--disable-vvfat \
--disable-xen \
--disable-xen-pci-passthrough \
--disable-xfsctl

31
mytest.c Normal file
View File

@ -0,0 +1,31 @@
#include <stdio.h>
#include <stdint.h>
void libafl_qemu_main_loop( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_set_breakpoint( unsigned long int );
void libafl_qemu_remove_native_breakpoint( unsigned long int );
void libafl_qemu_set_native_breakpoint( unsigned long int );
void libafl_snapshot_save( const char* );
void libafl_snapshot_load( const char* );
int64_t libafl_get_clock( void );
int main(int argc, char **argv, char **envp)
{
libafl_qemu_sys_init(argc, argv, envp);
libafl_qemu_set_native_breakpoint(0x4c60);//send 217028
libafl_qemu_main_loop();
libafl_qemu_remove_native_breakpoint(0x4c60);
libafl_qemu_set_native_breakpoint(0x00004f5c);
libafl_snapshot_save("Start");
printf("Snap start icount: %lu\n",libafl_get_clock());
libafl_qemu_main_loop();
printf("tr1 icount: %lu\n",libafl_get_clock());
libafl_snapshot_load("Start");
libafl_qemu_main_loop();
printf("tr2 icount: %lu\n",libafl_get_clock());
libafl_qemu_cleanup();
return 0;
}

12
myteststarter.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/sh
if [ ! -f dummy.qcow2 ]; then
qemu-img create -f qcow2 dummy.qcow2 32M
fi
export LD_LIBRARY_PATH=./build
build/qemu-system-arm -machine mps2-an385 -monitor null -semihosting \
--semihosting-config enable=on,target=native \
-kernel $1 \
-serial stdio -nographic \
-snapshot -drive if=none,format=qcow2,file=dummy.qcow2 \
-icount shift=3,align=off,sleep=off \
-S

5
softmmu/cpus.c
View File

@ -305,7 +305,10 @@ void cpu_handle_guest_debug(CPUState *cpu)
cpu_single_step(cpu, 0); cpu_single_step(cpu, 0);
} }
} else { } else {
gdb_set_stop_cpu(cpu); /* Begin LibAFL changes */
// With LibAFL Breakpoints there is no gdb attached.
// gdb_set_stop_cpu(cpu);
/* End LibAFL changes */
qemu_system_debug_request(); qemu_system_debug_request();
cpu->stopped = true; cpu->stopped = true;
} }

128
softmmu/main.c
View File

@ -44,11 +44,139 @@ int main(int argc, char **argv)
#define main qemu_main #define main qemu_main
#endif /* CONFIG_COCOA */ #endif /* CONFIG_COCOA */
/* Begin LibAFL instrumentation */
#include "sysemu/runstate.h"
#include "sysemu/cpu-timers.h"
#include "migration/snapshot.h"
#include "hw/core/cpu.h"
#include "qapi/error.h"
#include "exec/memory.h"
void libafl_qemu_main_loop( void );
void libafl_qemu_run( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp) { qemu_init(argc, argv, envp); }
void libafl_qemu_cleanup( void ) { qemu_cleanup(); }
void libafl_qemu_set_native_breakpoint( vaddr );
void libafl_qemu_remove_native_breakpoint( vaddr );
int libafl_snapshot_save( const char* );
int libafl_snapshot_load( const char* );
void libafl_phys_read(vaddr, uint8_t*, int);
void libafl_phys_write(vaddr, uint8_t*, int);
int64_t libafl_get_clock( void );
#ifdef TARGET_ARM
extern void libafl_start_int_timer(void);
#endif
void libafl_qemu_main_loop( void )
{
#ifdef TARGET_ARM
libafl_start_int_timer();
#endif
vm_start();
qemu_main_loop();
}
void libafl_qemu_run( void ) { libafl_qemu_main_loop(); }
void libafl_qemu_set_native_breakpoint(vaddr pc)
{
CPUState *cpu;
CPU_FOREACH(cpu) {
cpu_breakpoint_insert(cpu, pc, BP_GDB, NULL);
}
}
void libafl_qemu_remove_native_breakpoint(vaddr pc)
{
CPUState *cpu;
CPU_FOREACH(cpu) {
cpu_breakpoint_remove(cpu, pc, BP_GDB);
}
}
int libafl_snapshot_save( const char* name )
{
Error *err = NULL;
save_snapshot(name, true, NULL, false, NULL, &err);
return err == 0;
}
int libafl_snapshot_load( const char* name )
{
Error *err = NULL;
load_snapshot(name, NULL, false, NULL, &err);
return err == 0;
}
void libafl_phys_read(vaddr addr, uint8_t* buf, int len)
{
cpu_physical_memory_read(addr, buf, len);
}
void libafl_phys_write(vaddr addr, uint8_t* buf, int len)
{
cpu_physical_memory_write(addr, buf, len);
}
int64_t libafl_get_clock( void )
{
return icount_get_raw();
}
#ifndef AS_SHARED_LIB
#ifdef TARGET_ARM
extern unsigned int libafl_int_offset;
#endif
int main(int argc, char **argv, char **envp) int main(int argc, char **argv, char **envp)
{ {
qemu_init(argc, argv, envp); qemu_init(argc, argv, envp);
qemu_main_loop(); qemu_main_loop();
qemu_cleanup(); qemu_cleanup();
//LIBAFL Instrumentation Demo
/*
// unsigned char buf[32] = "_`abcdefghijklmnopqrstuvwxyz{|}~";
#ifdef TARGET_ARM
libafl_int_offset = 375000;
#endif
// unsigned char buf[32] = "\x02\x9b\x02\x9b\x02\x9b\x02\x9b"; // 0xFA71 x 4
unsigned char buf[32] = "\x05\x29\x07\x1f\x0b\x17\x01\x17"; // 5*73 7*59 11*43
unsigned char len = 8;
libafl_qemu_sys_init(argc, argv, envp);
int pheader = 0x5be4;
libafl_phys_write(0x20000110-0x20000100+pheader, buf,32);
libafl_phys_read(0x20000110-0x20000100+pheader, buf,32);
libafl_phys_write(0x20000108-0x20000100+pheader, &len,1);
printf("FUZZ_INPUT[0]: %x\n", buf[0]);
libafl_qemu_set_native_breakpoint(0xae);
libafl_snapshot_save("Start");
int counter = 3;
do {
libafl_qemu_main_loop();
libafl_snapshot_load("Start");
puts("Reload has occured");
counter--;
} while (runstate_check(RUN_STATE_DEBUG) && counter);
libafl_qemu_cleanup();
*/
/*
// Clock comparison
unsigned char ex1[32] = "_`abcdefghijklmnopqrstuvwxyz{|}~";
// unsigned char ex1[32] = "a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
unsigned char ex2[32] = "a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
libafl_qemu_sys_init(argc, argv, envp);
libafl_qemu_set_native_breakpoint(0x4be0);
libafl_snapshot_save("Start");
libafl_phys_write(0x20000110-0x20000100+0x00006ae4, ex1,32);
libafl_qemu_main_loop();
printf("Post ex1: %ld\n",libafl_get_clock());
libafl_snapshot_load("Start");
libafl_phys_write(0x20000110-0x20000100+0x00006ae4, ex2,32);
libafl_qemu_main_loop();
printf("Post ex2: %ld\n",libafl_get_clock());
*/
return 0; return 0;
} }
#endif
/* End LibAFL instrumentation */

4
softmmu/runstate.c
View File

@ -668,6 +668,10 @@ static bool main_loop_should_exit(void)
if (qemu_debug_requested()) { if (qemu_debug_requested()) {
vm_stop(RUN_STATE_DEBUG); vm_stop(RUN_STATE_DEBUG);
/* Begin LibAFL instrumentation */
// main loop will exit back to fuzzer
return true;
/* End LibAFL instrumentation */
} }
if (qemu_suspend_requested()) { if (qemu_suspend_requested()) {
qemu_system_suspend(); qemu_system_suspend();

10
starter.sh Executable file
View File

@ -0,0 +1,10 @@
#!/bin/sh
if [ ! -f dummy.qcow2 ]; then
qemu-img create -f qcow2 dummy.qcow2 32M
fi
build/qemu-system-arm -machine mps2-an385 -monitor null -semihosting \
--semihosting-config enable=on,target=native \
-kernel $1 \
-serial stdio -nographic \
-snapshot -drive if=none,format=qcow2,file=dummy.qcow2 \
-icount shift=auto,align=off,sleep=off

6
target/arm/translate.c
View File

@ -2615,8 +2615,14 @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
} }
} }
//// --- Begin LibAFL code ---
void libafl_gen_jmp(target_ulong src, target_ulong dst); // see translate-all.c
//// --- End LibAFL code ---
static inline void gen_jmp(DisasContext *s, uint32_t dest) static inline void gen_jmp(DisasContext *s, uint32_t dest)
{ {
//// --- Begin LibAFL code ---
libafl_gen_jmp(s->pc_curr,dest);
//// --- End LibAFL code ---
gen_jmp_tb(s, dest, 0); gen_jmp_tb(s, dest, 0);
} }