alwin.berger/FRET-qemu
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: alwin.berger:wcet_system
Branches Tags
alwin.berger:wcet_system
alwin.berger:fret_153
alwin.berger:fret_141
alwin.berger:fret_update_130
alwin.berger:standalone_icount_measure
alwin.berger:fret_update_112
alwin.berger:fret_update_111
alwin.berger:fret_v3
alwin.berger:fret_v2
alwin.berger:v6.1.1-libafl-backport
alwin.berger:6.1.1-instument
alwin.berger:6.2.0-instrum
alwin.berger:old_master_fix_insns
alwin.berger:eval_24-11-11
alwin.berger:working_0.10.1_port
alwin.berger:submitted
..
compare: alwin.berger:6.1.1-instument
Branches Tags
alwin.berger:fret_153
alwin.berger:fret_141
alwin.berger:fret_update_130
alwin.berger:standalone_icount_measure
alwin.berger:fret_update_112
alwin.berger:fret_update_111
alwin.berger:fret_v3
alwin.berger:fret_v2
alwin.berger:wcet_system
alwin.berger:v6.1.1-libafl-backport
alwin.berger:6.1.1-instument
alwin.berger:6.2.0-instrum
alwin.berger:old_master_fix_insns
alwin.berger:eval_24-11-11
alwin.berger:working_0.10.1_port
alwin.berger:submitted

7 Commits
wcet_syste ... 6.1.1-inst

Author SHA1 Message Date
Alwin Berger
5288d4210f return success from snapshots 2022-01-03 23:39:05 +01:00
Alwin Berger
9658746a0c port libafl instrumentation 2022-01-03 16:36:09 +01:00
Alwin Berger
11e5d5be6a add physical memory access 2022-01-03 00:13:33 +01:00
Alwin Berger
18a87dfe40 config, renaming, no flush on load 2022-01-02 18:44:48 +01:00
Alwin Berger
1576aa029a build as shared lib 2022-01-01 20:59:57 +01:00
Alwin Berger
ae0e744998 demo break+snapshot workflow 2021-12-28 22:14:13 +01:00
Alwin Berger
c26a334f7a Nix boilerplate 2021-12-28 13:11:57 +01:00
27 changed files with 40 additions and 811 deletions
Show Stats Expand all files Collapse all files

1
.envrc Normal file
View File

@ -0,0 +1 @@
use_nix shell.nix

5
.gitignore vendored
View File

@ -15,6 +15,7 @@ GTAGS
*.depend_raw
*.swp
*.patch
.ccls*
.direnv
.vscode
.cache
*.axf
*.qcow2

72
3k.c
View File

@ -1,72 +0,0 @@
#include <stdio.h>
#include <stdint.h>
void libafl_qemu_main_loop( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_set_breakpoint( unsigned long int );
void libafl_qemu_remove_native_breakpoint( unsigned long int );
void libafl_qemu_set_native_breakpoint( unsigned long int );
void libafl_snapshot_save( const char* );
void libafl_snapshot_load( const char* );
void libafl_phys_read(uint32_t, uint8_t*, int);
void libafl_phys_write(uint32_t, uint8_t*, int);
int64_t icount_to_ns(int64_t icount);
int64_t libafl_get_clock( void );
int main(int argc, char **argv, char **envp)
{
unsigned char buf[32] = "_`abcdefghijklmnopqrstuvwxyz{|}~";
unsigned char buf2[32] = "0";
unsigned char buf3[32] = "z";
unsigned char buf4[32] = "a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
unsigned char buf5[32] = "b!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
libafl_qemu_sys_init(argc, argv, envp);
int pheader = 0x00006a4c;
// libafl_phys_read(0x20000110-0x20000100+pheader, buf,32);
// printf("FUZZ_INPUT[0]: %c\n", buf[0]);
// Start pre-run
libafl_qemu_set_native_breakpoint(0x4ce2);//send 217028
libafl_qemu_main_loop();
libafl_qemu_remove_native_breakpoint(0x4ce2);
// End pre-run
libafl_snapshot_save("Start");
libafl_qemu_set_native_breakpoint(0x4be0);
int64_t tmp = libafl_get_clock();
printf("snapshot icount: %ld, %ldns\n",tmp,icount_to_ns(tmp));
libafl_snapshot_load("Start");
tmp = libafl_get_clock();
printf("snapshot icount after load: %ld, %ldns\n",tmp,icount_to_ns(tmp));
libafl_phys_write(0x20000110-0x20000100+pheader, buf,32);
libafl_qemu_main_loop();
printf("%ld für %s\n",libafl_get_clock(),buf);
libafl_snapshot_load("Start");
libafl_phys_write(0x20000110-0x20000100+pheader, buf2,32);
libafl_qemu_main_loop();
printf("%ld für %s\n",libafl_get_clock(),buf2);
libafl_snapshot_load("Start");
libafl_phys_write(0x20000110-0x20000100+pheader, buf3,32);
libafl_qemu_main_loop();
printf("%ld für %s\n",libafl_get_clock(),buf3);
libafl_snapshot_load("Start");
/*int counter = 3000;
do {
libafl_phys_write(0x20000110-0x20000100+pheader, buf,32);
libafl_qemu_main_loop();
int64_t tmp = libafl_get_clock();
printf("%ld, %ldns\n",tmp,icount_to_ns(tmp));
libafl_snapshot_load("Start");
// puts("Reload has occured");
counter--;
} while (counter);*/
libafl_qemu_cleanup();
return 0;
}

13
README.md
View File

@ -1,13 +0,0 @@
# QEMU LibAFL Bridge
This is a patched QEMU that exposes an interface for LibAFL-based fuzzers.
This raw interface is used in `libafl_qemu` that expose a more Rusty API.
#### License
<sup>
This project extends the QEMU emulator, and our contributions to previously existing files adopt those files' respective licenses; the files that we have added are made available under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.
</sup>
<br>

19
accel/tcg/cpu-exec.c
View File

@ -626,18 +626,6 @@ static inline void cpu_handle_debug_exception(CPUState *cpu)
static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
{
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
if (cpu->exception_index == EXCP_LIBAFL_BP) {
*ret = cpu->exception_index;
cpu->exception_index = -1;
return true;
}
//// --- End LibAFL code ---
if (cpu->exception_index < 0) {
#ifndef CONFIG_USER_ONLY
if (replay_has_exception()
@ -868,7 +856,6 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags);
void libafl_exec_edge_one_off(target_ulong src_block, target_ulong dst_block);
//// --- End LibAFL code ---
@ -971,12 +958,6 @@ int cpu_exec(CPUState *cpu)
*/
qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
}
//// --- Begin LibAFL code ---
// This will save an edge (0,pc) after interrupts
// if (!last_tb) {
// libafl_exec_edge_one_off(0, tb->pc);
// }
//// --- End LibAFL code ---
#ifndef CONFIG_USER_ONLY
/*

13
accel/tcg/tcg-runtime.c
View File

@ -31,19 +31,6 @@
#include "exec/log.h"
#include "tcg/tcg.h"
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
void HELPER(libafl_qemu_handle_breakpoint)(CPUArchState *env)
{
CPUState* cpu = env_cpu(env);
cpu->exception_index = EXCP_LIBAFL_BP;
cpu_loop_exit(cpu);
}
//// --- End LibAFL code ---
/* 32-bit helpers */
int32_t HELPER(div_i32)(int32_t arg1, int32_t arg2)

6
accel/tcg/tcg-runtime.h
View File

@ -285,9 +285,3 @@ DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
DEF_HELPER_FLAGS_5(gvec_bitsel, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
//// --- Begin LibAFL code ---
DEF_HELPER_FLAGS_1(libafl_qemu_handle_breakpoint, TCG_CALL_NO_RWG, void, env)
//// --- End LibAFL code ---

47
accel/tcg/translate-all.c
View File

@ -68,8 +68,6 @@
#include "exec/helper-head.h"
void libafl_helper_table_add(TCGHelperInfo* info);
void libafl_gen_jmp(target_ulong src, target_ulong dst);
void libafl_exec_edge_one_off(target_ulong src_block, target_ulong dst_block);
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags);
@ -81,8 +79,6 @@ void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
void (*libafl_exec_edge_hook)(uint64_t id);
uint64_t (*libafl_gen_edge_hook)(uint64_t src, uint64_t dst);
void (*libafl_exec_jmp_hook)(uint64_t src, uint64_t dst, uint64_t id);
uint64_t (*libafl_gen_jmp_hook)(uint64_t src, uint64_t dst);
static TCGHelperInfo libafl_exec_edge_hook_info = {
.func = NULL, .name = "libafl_exec_edge_hook", \
@ -91,13 +87,6 @@ static TCGHelperInfo libafl_exec_edge_hook_info = {
};
static int exec_edge_hook_added = 0;
static TCGHelperInfo libafl_exec_jmp_hook_info = {
.func = NULL, .name = "libafl_exec_jmp_hook", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i64, 3)
};
static int exec_jmp_hook_added = 0;
void (*libafl_exec_block_hook)(uint64_t id);
uint64_t (*libafl_gen_block_hook)(uint64_t pc);
@ -1781,40 +1770,6 @@ tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
}
//// --- Begin LibAFL code ---
void libafl_exec_edge_one_off(target_ulong src_block, target_ulong dst_block)
{
uint32_t libafl_id = 0;
if (libafl_gen_edge_hook)
libafl_id = libafl_gen_edge_hook((uint64_t)src_block, (uint64_t)dst_block);
if (!libafl_exec_edge_hook || libafl_id == (uint32_t)-1)
return;
if (!exec_edge_hook_added) {
exec_edge_hook_added = 1;
libafl_exec_edge_hook_info.func = libafl_exec_edge_hook;
libafl_helper_table_add(&libafl_exec_edge_hook_info);
}
libafl_exec_edge_hook(libafl_id);
}
void libafl_gen_jmp(target_ulong src, target_ulong dst)
{
uint32_t libafl_id = 0;
if (libafl_gen_jmp_hook)
libafl_id = libafl_gen_jmp_hook((uint64_t)src, (uint64_t)dst);
if (!libafl_exec_jmp_hook || libafl_id == (uint32_t)-1)
return;
if (!exec_jmp_hook_added) {
exec_jmp_hook_added = 1;
libafl_exec_jmp_hook_info.func = libafl_exec_jmp_hook;
libafl_helper_table_add(&libafl_exec_jmp_hook_info);
}
TCGv_i64 tmp0 = tcg_const_i64(src);
TCGv_i64 tmp1 = tcg_const_i64(dst);
TCGv_i64 tmp2 = tcg_const_i64(libafl_id);
TCGTemp *tmp3[3] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1), tcgv_i64_temp(tmp2) };
tcg_gen_callN(libafl_exec_jmp_hook, NULL, 3, tmp3);
tcg_temp_free_i64(tmp0);
}
/* Called with mmap_lock held for user mode emulation. */
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
@ -1860,7 +1815,6 @@ TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
tb->flags = flags;
tb->cflags = cflags;
tb->trace_vcpu_dstate = *cpu->trace_dstate;
tb->icount = 0;
tcg_ctx->tb_cflags = 0;
tcg_func_start(tcg_ctx);
@ -1981,7 +1935,6 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
tb->flags = flags;
tb->cflags = cflags;
tb->trace_vcpu_dstate = *cpu->trace_dstate;
tb->icount = 0;
tcg_ctx->tb_cflags = cflags;
tb_overflow:

15
accel/tcg/translator.c
View File

@ -22,13 +22,6 @@
#include "tcg/tcg-internal.h"
struct libafl_breakpoint {
target_ulong addr;
struct libafl_breakpoint* next;
};
extern struct libafl_breakpoint* libafl_qemu_breakpoints;
struct libafl_hook {
target_ulong addr;
void (*callback)(uint64_t);
@ -115,14 +108,6 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
hk = hk->next;
}
struct libafl_breakpoint* bp = libafl_qemu_breakpoints;
while (bp) {
if (bp->addr == db->pc_next) {
gen_helper_libafl_qemu_handle_breakpoint(cpu_env);
}
bp = bp->next;
}
//// --- End LibAFL code ---
/* Disassemble one instruction. The translate_insn hook should

54
cpu.c
View File

@ -46,13 +46,6 @@
#include "tcg/tcg-internal.h"
#include "exec/helper-head.h"
struct libafl_breakpoint {
target_ulong addr;
struct libafl_breakpoint* next;
};
struct libafl_breakpoint* libafl_qemu_breakpoints = NULL;
struct libafl_hook {
target_ulong addr;
void (*callback)(uint64_t);
@ -72,8 +65,6 @@ static GByteArray *libafl_qemu_mem_buf = NULL;
int libafl_qemu_write_reg(int reg, uint8_t* val);
int libafl_qemu_read_reg(int reg, uint8_t* val);
int libafl_qemu_num_regs(void);
int libafl_qemu_set_breakpoint(uint64_t addr);
int libafl_qemu_remove_breakpoint(uint64_t addr);
int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value);
int libafl_qemu_remove_hook(uint64_t addr);
@ -136,44 +127,6 @@ int libafl_qemu_num_regs(void)
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc);
int libafl_qemu_set_breakpoint(uint64_t addr)
{
CPUState *cpu;
target_ulong pc = (target_ulong) addr;
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
struct libafl_breakpoint* bp = malloc(sizeof(struct libafl_breakpoint));
bp->addr = pc;
bp->next = libafl_qemu_breakpoints;
libafl_qemu_breakpoints = bp;
return 1;
}
int libafl_qemu_remove_breakpoint(uint64_t addr)
{
CPUState *cpu;
int r = 0;
target_ulong pc = (target_ulong) addr;
struct libafl_breakpoint** bp = &libafl_qemu_breakpoints;
while (*bp) {
if ((*bp)->addr == pc) {
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
*bp = (*bp)->next;
r = 1;
} else {
bp = &(*bp)->next;
}
}
return r;
}
int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value)
{
CPUState *cpu;
@ -239,12 +192,7 @@ static int cpu_common_post_load(void *opaque, int version_id)
* memory we've translated code from. So we must flush all TBs,
* which will now be stale.
*/
/* Begin LibAFL instrumentation */
// Do not flush old tbs on loadvm, when fuzzing in system-mode
#if !defined(CONFIG_USER_ONLY) && defined(AS_SHARED_LIB)
tb_flush(cpu);
#endif
/* End LibAFL instrumentation */
// tb_flush(cpu);
return 0;
}

22
hw/intc/armv7m_nvic.c
View File

@ -2999,25 +2999,3 @@ static void armv7m_nvic_register_types(void)
}
type_init(armv7m_nvic_register_types)
/* Begin LibAFL instrumentation */
#include "qemu/main-loop.h"
void libafl_send_irq(int irqn);
void libafl_send_irq(int irqn) {
bool haslock = qemu_mutex_iothread_locked();
if (!haslock) {
qemu_mutex_lock_iothread();
}
CPUState *cpu;
CPU_FOREACH(cpu) {
CPUARMState* env = cpu->env_ptr;
NVICState* nvic = env->nvic;
// set_irq_level(nvic, irqn, 1);
// set_irq_level(nvic, irqn, 0);
armv7m_nvic_set_pending(nvic, irqn+16, false);
}
if (!haslock) {
qemu_mutex_unlock_iothread();
}
}
/* End LibAFL instrumentation */

26
hw/timer/armv7m_systick.c
View File

@ -38,6 +38,7 @@ static inline int64_t systick_scale(SysTickState *s)
return 1000;
}
}
static void systick_timer_tick(void *opaque)
{
SysTickState *s = (SysTickState *)opaque;
@ -247,28 +248,3 @@ static void armv7m_systick_register_types(void)
}
type_init(armv7m_systick_register_types)
/* Begin LibAFL instrumentation */
extern void libafl_send_irq(int irqn);
volatile unsigned int libafl_int_offset = 0;
static ptimer_state* mytimer;
/* This can be moved to a helper function later */
static void libafl_timed_int_hook(void*);
static void libafl_timed_int_hook(void* arg)
{
libafl_send_irq(0);
}
void libafl_start_int_timer( void );
void libafl_start_int_timer( void ) {
if (libafl_int_offset==0) {return;}
if (!mytimer) {
mytimer = ptimer_init(&libafl_timed_int_hook, NULL, 0);
}
ptimer_transaction_begin(mytimer);
ptimer_stop(mytimer);
ptimer_set_period(mytimer, libafl_int_offset);
ptimer_set_count(mytimer, 8);
ptimer_run(mytimer, 1);
ptimer_transaction_commit(mytimer);
}
/* End LibAFL instrumentation */

10
linux-user/aarch64/cpu_loop.c
View File

@ -88,16 +88,6 @@ void cpu_loop(CPUARMState *env)
process_queued_cpu_work(cs);
switch (trapnr) {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
case EXCP_LIBAFL_BP:
return;
//// --- End LibAFL code ---
case EXCP_SWI:
ret = do_syscall(env,
env->xregs[8],

10
linux-user/arm/cpu_loop.c
View File

@ -298,16 +298,6 @@ void cpu_loop(CPUARMState *env)
process_queued_cpu_work(cs);
switch(trapnr) {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
case EXCP_LIBAFL_BP:
return;
//// --- End LibAFL code ---
case EXCP_UDEF:
case EXCP_NOCP:
case EXCP_INVSTATE:

10
linux-user/i386/cpu_loop.c
View File

@ -209,16 +209,6 @@ void cpu_loop(CPUX86State *env)
process_queued_cpu_work(cs);
switch(trapnr) {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
case EXCP_LIBAFL_BP:
return;
//// --- End LibAFL code ---
case 0x80:
/* linux syscall from int $0x80 */
ret = do_syscall(env,

64
linux-user/main.c
View File

@ -582,16 +582,6 @@ static int parse_args(int argc, char **argv)
r++;
}
if (!strncmp(r, "libafl", 6)) {
if (optind >= argc) {
(void) fprintf(stderr,
"qemu: missing argument for option '%s'\n", r);
exit(EXIT_FAILURE);
}
optind++;
continue;
}
for (arginfo = arg_table; arginfo->handle_opt != NULL; arginfo++) {
if (!strcmp(r, arginfo->argv)) {
if (arginfo->has_arg) {
@ -621,51 +611,16 @@ static int parse_args(int argc, char **argv)
exit(EXIT_FAILURE);
}
exec_path = strdup(argv[optind]);
exec_path = argv[optind];
return optind;
}
//// --- Begin LibAFL code ---
uint64_t libafl_load_addr(void);
int libafl_qemu_main(void);
int libafl_qemu_run(void);
extern __thread CPUArchState *libafl_qemu_env;
struct image_info libafl_image_info;
struct linux_binprm bprm;
uint64_t libafl_load_addr(void) {
return libafl_image_info.load_addr;
}
__attribute__((weak)) int libafl_qemu_main(void)
{
libafl_qemu_run();
return 0;
}
int libafl_qemu_run(void)
{
cpu_loop(libafl_qemu_env);
return 1;
}
//// --- End LibAFL code ---
#ifdef AS_LIB
int qemu_user_init(int argc, char **argv, char **envp);
int qemu_user_init(int argc, char **argv, char **envp)
#else
int main(int argc, char **argv, char **envp)
#endif
{
struct target_pt_regs regs1, *regs = &regs1;
//struct image_info info1, *info = &info1;
struct image_info *info = &libafl_image_info;
// struct linux_binprm bprm;
struct image_info info1, *info = &info1;
struct linux_binprm bprm;
TaskState *ts;
CPUArchState *env;
CPUState *cpu;
@ -927,18 +882,7 @@ int main(int argc, char **argv, char **envp)
}
gdb_handlesig(cpu, 0);
}
// cpu_loop(env);
//// --- Begin LibAFL code ---
libafl_qemu_env = env;
#ifndef AS_LIB
return libafl_qemu_main();
#endif
//// --- End LibAFL code ---
cpu_loop(env);
/* never exits */
return 0;
}

115
linux-user/syscall.c
View File

@ -756,23 +756,6 @@ void target_set_brk(abi_ulong new_brk)
brk_page = HOST_PAGE_ALIGN(target_brk);
}
//// --- Begin LibAFL code ---
uint64_t libafl_get_brk(void);
uint64_t libafl_set_brk(uint64_t new_brk);
uint64_t libafl_get_brk(void) {
return (uint64_t)target_brk;
}
uint64_t libafl_set_brk(uint64_t new_brk) {
uint64_t old_brk = (uint64_t)target_brk;
target_brk = (abi_ulong)new_brk;
return old_brk;
}
//// --- End LibAFL code ---
//#define DEBUGF_BRK(message, args...) do { fprintf(stderr, (message), ## args); } while (0)
#define DEBUGF_BRK(message, args...)
@ -13132,67 +13115,6 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
return ret;
}
//// --- Begin LibAFL code ---
struct libafl_mapinfo {
uint64_t start, end;
uint64_t offset;
const char* path;
int flags, is_priv;
};
GSList * libafl_maps_next(GSList *map_info, struct libafl_mapinfo* ret);
GSList * libafl_maps_next(GSList *map_info, struct libafl_mapinfo* ret) {
if (!map_info || !ret)
return NULL;
GSList *s = g_slist_next(map_info);
if (!s)
return NULL;
MapInfo *e = (MapInfo *) s->data;
if (h2g_valid(e->start)) {
unsigned long min = e->start;
unsigned long max = e->end;
int flags = page_get_flags(h2g(min));
max = h2g_valid(max - 1) ?
max : (uintptr_t) g2h_untagged(GUEST_ADDR_MAX) + 1;
if (page_check_range(h2g(min), max - min, flags) == -1) {
return libafl_maps_next(s, ret);
}
int libafl_flags = 0;
if (flags & PAGE_READ) libafl_flags |= PROT_READ;
if (flags & PAGE_WRITE_ORG) libafl_flags |= PROT_WRITE;
if (flags & PAGE_EXEC) libafl_flags |= PROT_EXEC;
ret->start = (uint64_t)min;
ret->end = (uint64_t)max;
ret->offset = (uint64_t)e->offset;
ret->path = e->path;
ret->flags = libafl_flags;
ret->is_priv = e->is_priv;
return s;
} else {
return libafl_maps_next(s, ret);
}
}
struct syshook_ret {
uint64_t retval;
bool skip_syscall;
};
struct syshook_ret (*libafl_pre_syscall_hook)(int, uint64_t, uint64_t, uint64_t,
uint64_t, uint64_t, uint64_t,
uint64_t, uint64_t);
uint64_t (*libafl_post_syscall_hook)(uint64_t, int, uint64_t, uint64_t,
uint64_t, uint64_t, uint64_t, uint64_t,
uint64_t, uint64_t);
//// --- End LibAFL code ---
abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
abi_long arg2, abi_long arg3, abi_long arg4,
abi_long arg5, abi_long arg6, abi_long arg7,
@ -13222,46 +13144,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
print_syscall(cpu_env, num, arg1, arg2, arg3, arg4, arg5, arg6);
}
//// --- Begin LibAFL code ---
if (libafl_pre_syscall_hook) {
struct syshook_ret hook_ret = libafl_pre_syscall_hook(num,
(uint64_t)arg1,
(uint64_t)arg2,
(uint64_t)arg3,
(uint64_t)arg4,
(uint64_t)arg5,
(uint64_t)arg6,
(uint64_t)arg7,
(uint64_t)arg8);
if (hook_ret.skip_syscall) {
ret = (abi_ulong)hook_ret.retval;
goto after_syscall;
}
}
//// --- End LibAFL code ---
ret = do_syscall1(cpu_env, num, arg1, arg2, arg3, arg4,
arg5, arg6, arg7, arg8);
//// --- Begin LibAFL code ---
if (libafl_post_syscall_hook) {
ret = (abi_ulong)libafl_post_syscall_hook((uint64_t)ret, num,
(uint64_t)arg1,
(uint64_t)arg2,
(uint64_t)arg3,
(uint64_t)arg4,
(uint64_t)arg5,
(uint64_t)arg6,
(uint64_t)arg7,
(uint64_t)arg8);
}
after_syscall:
//// --- End LibAFL code ---
if (unlikely(qemu_loglevel_mask(LOG_STRACE))) {
print_syscall_ret(cpu_env, num, ret, arg1, arg2,
arg3, arg4, arg5, arg6);

69
myconfigureunshared.sh
View File

@ -1,69 +0,0 @@
#!/bin/sh
cd "$(dirname "$0")"
mkdir -p build
cd build
../configure --target-list=arm-linux-user,arm-softmmu \
--audio-drv-list= \
--disable-blobs \
--disable-bochs \
--disable-brlapi \
--disable-bsd-user \
--disable-bzip2 \
--disable-cap-ng \
--disable-cloop \
--disable-curl \
--disable-curses \
--disable-dmg \
--enable-fdt \
--disable-gcrypt \
--disable-glusterfs \
--disable-gnutls \
--disable-gtk \
--disable-guest-agent \
--disable-iconv \
--disable-libiscsi \
--disable-libnfs \
--disable-libssh \
--disable-libusb \
--disable-linux-aio \
--disable-live-block-migration \
--disable-lzo \
--disable-nettle \
--disable-numa \
--disable-opengl \
--disable-parallels \
--disable-plugins \
--disable-qcow1 \
--disable-qed \
--disable-rbd \
--disable-rdma \
--disable-replication \
--disable-sdl \
--disable-seccomp \
--disable-smartcard \
--disable-snappy \
--disable-spice \
--enable-system \
--disable-tools \
--disable-tpm \
--disable-usb-redir \
--disable-vde \
--disable-vdi \
--disable-vhost-crypto \
--disable-vhost-kernel \
--disable-vhost-net \
--disable-vhost-scsi \
--disable-vhost-user \
--disable-vhost-vdpa \
--disable-vhost-vsock \
--disable-virglrenderer \
--disable-virtfs \
--disable-vnc \
--disable-vnc-jpeg \
--disable-vnc-png \
--disable-vnc-sasl \
--disable-vte \
--disable-vvfat \
--disable-xen \
--disable-xen-pci-passthrough \
--disable-xfsctl

31
mytest.c
View File

@ -1,31 +0,0 @@
#include <stdio.h>
#include <stdint.h>
void libafl_qemu_main_loop( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_set_breakpoint( unsigned long int );
void libafl_qemu_remove_native_breakpoint( unsigned long int );
void libafl_qemu_set_native_breakpoint( unsigned long int );
void libafl_snapshot_save( const char* );
void libafl_snapshot_load( const char* );
int64_t libafl_get_clock( void );
int main(int argc, char **argv, char **envp)
{
libafl_qemu_sys_init(argc, argv, envp);
libafl_qemu_set_native_breakpoint(0x4c60);//send 217028
libafl_qemu_main_loop();
libafl_qemu_remove_native_breakpoint(0x4c60);
libafl_qemu_set_native_breakpoint(0x00004f5c);
libafl_snapshot_save("Start");
printf("Snap start icount: %lu\n",libafl_get_clock());
libafl_qemu_main_loop();
printf("tr1 icount: %lu\n",libafl_get_clock());
libafl_snapshot_load("Start");
libafl_qemu_main_loop();
printf("tr2 icount: %lu\n",libafl_get_clock());
libafl_qemu_cleanup();
return 0;
}

12
myteststarter.sh
View File

@ -1,12 +0,0 @@
#!/bin/sh
if [ ! -f dummy.qcow2 ]; then
qemu-img create -f qcow2 dummy.qcow2 32M
fi
export LD_LIBRARY_PATH=./build
build/qemu-system-arm -machine mps2-an385 -monitor null -semihosting \
--semihosting-config enable=on,target=native \
-kernel $1 \
-serial stdio -nographic \
-snapshot -drive if=none,format=qcow2,file=dummy.qcow2 \
-icount shift=3,align=off,sleep=off \
-S

17
shell.nix Normal file
View File

@ -0,0 +1,17 @@
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
stdenv.mkDerivation {
name = "tccboot-1";
hardeningDisable = [ "all" ];
src = ./.;
buildInputs = [
glib
python3
pkg-config
ninja
meson
pixman
gcc-arm-embedded
];
}

79
softmmu/main.c
View File

@ -46,40 +46,29 @@ int main(int argc, char **argv)
/* Begin LibAFL instrumentation */
#include "sysemu/runstate.h"
#include "sysemu/cpu-timers.h"
#include "migration/snapshot.h"
#include "hw/core/cpu.h"
#include "qapi/error.h"
#include "exec/memory.h"
void libafl_qemu_main_loop( void );
void libafl_qemu_run( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp) { qemu_init(argc, argv, envp); }
void libafl_qemu_cleanup( void ) { qemu_cleanup(); }
void libafl_qemu_set_native_breakpoint( vaddr );
void libafl_qemu_remove_native_breakpoint( vaddr );
void libafl_qemu_set_breakpoint( vaddr );
int libafl_snapshot_save( const char* );
int libafl_snapshot_load( const char* );
void libafl_phys_read(vaddr, uint8_t*, int);
void libafl_phys_write(vaddr, uint8_t*, int);
int64_t libafl_get_clock( void );
#ifdef TARGET_ARM
extern void libafl_start_int_timer(void);
#endif
void libafl_qemu_main_loop( void )
{
#ifdef TARGET_ARM
libafl_start_int_timer();
#endif
vm_start();
qemu_main_loop();
}
void libafl_qemu_run( void ) { libafl_qemu_main_loop(); }
void libafl_qemu_set_native_breakpoint(vaddr pc)
void libafl_qemu_set_breakpoint(vaddr pc)
{
CPUState *cpu;
CPU_FOREACH(cpu) {
@ -87,14 +76,6 @@ void libafl_qemu_set_native_breakpoint(vaddr pc)
}
}
void libafl_qemu_remove_native_breakpoint(vaddr pc)
{
CPUState *cpu;
CPU_FOREACH(cpu) {
cpu_breakpoint_remove(cpu, pc, BP_GDB);
}
}
int libafl_snapshot_save( const char* name )
{
Error *err = NULL;
@ -118,65 +99,29 @@ void libafl_phys_write(vaddr addr, uint8_t* buf, int len)
cpu_physical_memory_write(addr, buf, len);
}
int64_t libafl_get_clock( void )
{
return icount_get_raw();
}
#ifndef AS_SHARED_LIB
#ifdef TARGET_ARM
extern unsigned int libafl_int_offset;
#endif
int main(int argc, char **argv, char **envp)
{
qemu_init(argc, argv, envp);
qemu_main_loop();
qemu_cleanup();
//LIBAFL Instrumentation Demo
/*
// unsigned char buf[32] = "_`abcdefghijklmnopqrstuvwxyz{|}~";
#ifdef TARGET_ARM
libafl_int_offset = 375000;
#endif
// unsigned char buf[32] = "\x02\x9b\x02\x9b\x02\x9b\x02\x9b"; // 0xFA71 x 4
unsigned char buf[32] = "\x05\x29\x07\x1f\x0b\x17\x01\x17"; // 5*73 7*59 11*43
unsigned char len = 8;
// qemu_init(argc, argv, envp);
// qemu_main_loop();
// qemu_cleanup();
// 2000010c
unsigned char buf[4096] = {3};
libafl_qemu_sys_init(argc, argv, envp);
int pheader = 0x5be4;
libafl_phys_write(0x20000110-0x20000100+pheader, buf,32);
libafl_phys_read(0x20000110-0x20000100+pheader, buf,32);
libafl_phys_write(0x20000108-0x20000100+pheader, &len,1);
libafl_phys_write(0x00006de4+0xc, buf,1);
libafl_phys_read(0x00006de4+0xc, buf,1);
printf("FUZZ_INPUT[0]: %x\n", buf[0]);
libafl_qemu_set_native_breakpoint(0xae);
libafl_qemu_set_breakpoint(0x00004f5c);
libafl_snapshot_save("Start");
int counter = 3;
do {
libafl_qemu_main_loop();
libafl_snapshot_load("Start");
puts("Reload has occured");
counter--;
} while (runstate_check(RUN_STATE_DEBUG) && counter);
} while (runstate_check(RUN_STATE_DEBUG));
libafl_qemu_cleanup();
*/
/*
// Clock comparison
unsigned char ex1[32] = "_`abcdefghijklmnopqrstuvwxyz{|}~";
// unsigned char ex1[32] = "a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
unsigned char ex2[32] = "a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!";
libafl_qemu_sys_init(argc, argv, envp);
libafl_qemu_set_native_breakpoint(0x4be0);
libafl_snapshot_save("Start");
libafl_phys_write(0x20000110-0x20000100+0x00006ae4, ex1,32);
libafl_qemu_main_loop();
printf("Post ex1: %ld\n",libafl_get_clock());
libafl_snapshot_load("Start");
libafl_phys_write(0x20000110-0x20000100+0x00006ae4, ex2,32);
libafl_qemu_main_loop();
printf("Post ex2: %ld\n",libafl_get_clock());
*/
return 0;
}
#endif
/* End LibAFL instrumentation */
/* End LibAFL instrumentation */

2
starter.sh
View File

@ -7,4 +7,4 @@ build/qemu-system-arm -machine mps2-an385 -monitor null -semihosting \
-kernel $1 \
-serial stdio -nographic \
-snapshot -drive if=none,format=qcow2,file=dummy.qcow2 \
-icount shift=auto,align=off,sleep=off
-S

36
target/arm/translate-a64.c
View File

@ -4186,12 +4186,6 @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
tcg_gen_movi_i64(cpu_reg(s, rd), base + offset);
}
//// --- Begin LibAFL code ---
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
//// --- End LibAFL code ---
/*
* Add/subtract (immediate)
*
@ -4223,16 +4217,6 @@ static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
imm <<= 12;
}
//// --- Begin LibAFL code ---
if (rd == 31 && sub_op) { // cmp xX, imm
TCGv_i64 tcg_imm = tcg_const_i64(imm);
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_imm, is_64bit ? MO_64 : MO_32);
tcg_temp_free_i64(tcg_imm);
}
//// --- End LibAFL code ---
tcg_result = tcg_temp_new_i64();
if (!setflags) {
if (sub_op) {
@ -4895,13 +4879,6 @@ static void disas_add_sub_ext_reg(DisasContext *s, uint32_t insn)
tcg_rm = read_cpu_reg(s, rm, sf);
ext_and_shift_reg(tcg_rm, tcg_rm, option, imm3);
//// --- Begin LibAFL code ---
if (rd == 31 && sub_op) // cmp xX, xY
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_rm, sf ? MO_64 : MO_32);
//// --- End LibAFL code ---
tcg_result = tcg_temp_new_i64();
if (!setflags) {
@ -4966,13 +4943,6 @@ static void disas_add_sub_reg(DisasContext *s, uint32_t insn)
shift_reg_imm(tcg_rm, tcg_rm, sf, shift_type, imm6);
//// --- Begin LibAFL code ---
if (rd == 31 && sub_op) // cmp xX, xY
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_rm, sf ? MO_64 : MO_32);
//// --- End LibAFL code ---
tcg_result = tcg_temp_new_i64();
if (!setflags) {
@ -5255,12 +5225,6 @@ static void disas_cc(DisasContext *s, uint32_t insn)
}
tcg_rn = cpu_reg(s, rn);
//// --- Begin LibAFL code ---
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_y, sf ? MO_64 : MO_32);
//// --- End LibAFL code ---
/* Set the flags for the new comparison. */
tcg_tmp = tcg_temp_new_i64();
if (op) {

48
target/arm/translate.c
View File

@ -2615,14 +2615,8 @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
}
}
//// --- Begin LibAFL code ---
void libafl_gen_jmp(target_ulong src, target_ulong dst); // see translate-all.c
//// --- End LibAFL code ---
static inline void gen_jmp(DisasContext *s, uint32_t dest)
{
//// --- Begin LibAFL code ---
libafl_gen_jmp(s->pc_curr,dest);
//// --- End LibAFL code ---
gen_jmp_tb(s, dest, 0);
}
@ -5430,12 +5424,6 @@ static bool store_reg_kind(DisasContext *s, int rd,
g_assert_not_reached();
}
//// --- Begin LibAFL code ---
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
//// --- End LibAFL code ---
/*
* Data Processing (register)
*
@ -5452,24 +5440,6 @@ static bool op_s_rrr_shi(DisasContext *s, arg_s_rrr_shi *a,
gen_arm_shift_im(tmp2, a->shty, a->shim, logic_cc);
tmp1 = load_reg(s, a->rn);
//// --- Begin LibAFL code ---
if (gen == gen_sub_CC || /*gen == gen_add_CC ||*/ gen == gen_rsb_CC) {
#ifdef TARGET_AARCH64
TCGv tmp1_64 = tcg_temp_new();
TCGv tmp2_64 = tcg_temp_new();
tcg_gen_extu_i32_i64(tmp1_64, tmp1);
tcg_gen_extu_i32_i64(tmp2_64, tmp2);
libafl_gen_cmp(s->pc_curr, tmp1_64, tmp2_64, MO_32);
tcg_temp_free(tmp1_64);
tcg_temp_free(tmp2_64);
#else
libafl_gen_cmp(s->pc_curr, tmp1, tmp2, MO_32);
#endif
}
//// --- End LibAFL code ---
gen(tmp1, tmp1, tmp2);
tcg_temp_free_i32(tmp2);
@ -5562,24 +5532,6 @@ static bool op_s_rri_rot(DisasContext *s, arg_s_rri_rot *a,
tmp2 = tcg_const_i32(imm);
tmp1 = load_reg(s, a->rn);
//// --- Begin LibAFL code ---
if (gen == gen_sub_CC || /*gen == gen_add_CC ||*/ gen == gen_rsb_CC) {
#ifdef TARGET_AARCH64
TCGv tmp1_64 = tcg_temp_new();
TCGv tmp2_64 = tcg_temp_new();
tcg_gen_extu_i32_i64(tmp1_64, tmp1);
tcg_gen_extu_i32_i64(tmp2_64, tmp2);
libafl_gen_cmp(s->pc_curr, tmp1_64, tmp2_64, MO_32);
tcg_temp_free(tmp1_64);
tcg_temp_free(tmp2_64);
#else
libafl_gen_cmp(s->pc_curr, tmp1, tmp2, MO_32);
#endif
}
//// --- End LibAFL code ---
gen(tmp1, tmp1, tmp2);
tcg_temp_free_i32(tmp2);

20
target/i386/tcg/translate.c
View File

@ -32,12 +32,6 @@
#include "exec/log.h"
//// --- Begin LibAFL code ---
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
//// --- End LibAFL code ---
#define PREFIX_REPZ 0x01
#define PREFIX_REPNZ 0x02
#define PREFIX_LOCK 0x04
@ -1451,13 +1445,6 @@ static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1);
} else {
tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
//// --- Begin LibAFL code ---
libafl_gen_cmp(s1->pc, s1->T0, s1->T1, ot);
//// --- End LibAFL code ---
tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
gen_op_st_rm_T0_A0(s1, ot, d);
}
@ -1501,13 +1488,6 @@ static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
case OP_CMPL:
tcg_gen_mov_tl(cpu_cc_src, s1->T1);
tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
//// --- Begin LibAFL code ---
libafl_gen_cmp(s1->pc, s1->T0, s1->T1, ot);
//// --- End LibAFL code ---
tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1);
set_cc_op(s1, CC_OP_SUBB + ot);
break;

35
tcg/tcg-op.c
View File

@ -2860,13 +2860,6 @@ static inline void plugin_gen_mem_callbacks(TCGv vaddr, uint16_t info)
#endif
}
//// --- Begin LibAFL code ---
void libafl_gen_read(TCGv addr, MemOp ot);
void libafl_gen_write(TCGv addr, MemOp ot);
//// --- End LibAFL code ---
void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
{
MemOp orig_memop;
@ -2886,13 +2879,6 @@ void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
}
addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_read(addr, memop);
//// --- End LibAFL code ---
gen_ldst_i32(INDEX_op_qemu_ld_i32, val, addr, memop, idx);
plugin_gen_mem_callbacks(addr, info);
@ -2938,13 +2924,6 @@ void tcg_gen_qemu_st_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
}
addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_write(addr, memop);
//// --- End LibAFL code ---
if (TCG_TARGET_HAS_qemu_st8_i32 && (memop & MO_SIZE) == MO_8) {
gen_ldst_i32(INDEX_op_qemu_st8_i32, val, addr, memop, idx);
} else {
@ -2987,13 +2966,6 @@ void tcg_gen_qemu_ld_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
}
addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_read(addr, memop);
//// --- End LibAFL code ---
gen_ldst_i64(INDEX_op_qemu_ld_i64, val, addr, memop, idx);
plugin_gen_mem_callbacks(addr, info);
@ -3052,13 +3024,6 @@ void tcg_gen_qemu_st_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
}
addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_write(addr, memop);
//// --- End LibAFL code ---
gen_ldst_i64(INDEX_op_qemu_st_i64, val, addr, memop, idx);
plugin_gen_mem_callbacks(addr, info);