SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

prepare multiple interrupt sources

Browse Source
This commit is contained in:
Alwin Berger 2024-09-06 08:38:30 +02:00
parent ee737b9eb8
commit 288abeb6bf
3 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fuzzers/FRET/src/fuzzer.rs
View File

@ -41,6 +41,7 @@ pub static mut RNG_SEED: u64 = 1;
pub const FIRST_INT : u32 = 200000; pub const FIRST_INT : u32 = 200000;
pub const MAX_NUM_INTERRUPT: usize = 128; pub const MAX_NUM_INTERRUPT: usize = 128;
pub const NUM_INTERRUPT_SOURCES: usize = 6; // Keep in sync with qemu-libafl-bridge/hw/timer/armv7m_systick.c:319 and FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/init/startup.c:216
pub const DO_NUM_INTERRUPT: usize = 128; pub const DO_NUM_INTERRUPT: usize = 128;
pub static mut MAX_INPUT_SIZE: usize = 32; pub static mut MAX_INPUT_SIZE: usize = 32;
@ -70,8 +71,8 @@ return api_addreses;
#[allow(unused)] #[allow(unused)]
extern "C" { extern "C" {
static mut libafl_interrupt_offsets : [u32; MAX_NUM_INTERRUPT]; static mut libafl_interrupt_offsets : [[u32; MAX_NUM_INTERRUPT]; NUM_INTERRUPT_SOURCES];
static mut libafl_num_interrupts : usize; static mut libafl_num_interrupts : [usize; NUM_INTERRUPT_SOURCES];
} }
@ -229,7 +230,7 @@ let breakpoint = elf
.expect("Symbol or env BREAKPOINT not found"); .expect("Symbol or env BREAKPOINT not found");
println!("Breakpoint address = {:#x}", breakpoint); println!("Breakpoint address = {:#x}", breakpoint);
unsafe { unsafe {
libafl_num_interrupts = 0; libafl_num_interrupts = [0; NUM_INTERRUPT_SOURCES];
} }
if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") { if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") {
@ -332,8 +333,8 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
{ {
let time_bytes = input.parts_by_name("interrupts").next().map(|x| x.1.bytes()).unwrap_or(&[0u8; MAX_NUM_INTERRUPT*4]); let time_bytes = input.parts_by_name("interrupts").next().map(|x| x.1.bytes()).unwrap_or(&[0u8; MAX_NUM_INTERRUPT*4]);
let t = input_bytes_to_interrupt_times(time_bytes); let t = input_bytes_to_interrupt_times(time_bytes);
for i in 0..t.len() {libafl_interrupt_offsets[i]=t[i];} for i in 0..t.len() {libafl_interrupt_offsets[0][i]=t[i];}
libafl_num_interrupts=t.len(); libafl_num_interrupts[0]=t.len();
// println!("Load: {:?}", libafl_interrupt_offsets[0..libafl_num_interrupts].to_vec()); // println!("Load: {:?}", libafl_interrupt_offsets[0..libafl_num_interrupts].to_vec());
} }

5
fuzzers/FRET/src/systemstate/helpers.rs
View File

@ -29,7 +29,10 @@ use super::CaptureEvent;
pub const ISR_SYMBOLS : &'static [&'static str] = &[ pub const ISR_SYMBOLS : &'static [&'static str] = &[
// ISRs // ISRs
"Reset_Handler","Default_Handler","Default_Handler2","Default_Handler3","Default_Handler4","Default_Handler5","Default_Handler6","vPortSVCHandler","xPortPendSVHandler","xPortSysTickHandler","isr_starter" "Reset_Handler","Default_Handler","Default_Handler2","Default_Handler3","Default_Handler4","Default_Handler5","Default_Handler6","vPortSVCHandler","xPortPendSVHandler","xPortSysTickHandler","ISR_0_Handler", "ISR_1_Handler", "ISR_2_Handler", "ISR_3_Handler", "ISR_4_Handler", "ISR_5_Handler", "ISR_6_Handler", "ISR_7_Handler", "ISR_8_Handler", "ISR_9_Handler", "ISR_10_Handler", "ISR_11_Handler", "ISR_12_Handler", "ISR_13_Handler"
];
pub const USR_ISR_SYMBOLS : &'static [&'static str] = &[
"ISR_0_Handler", "ISR_1_Handler", "ISR_2_Handler", "ISR_3_Handler", "ISR_4_Handler", "ISR_5_Handler", "ISR_6_Handler", "ISR_7_Handler", "ISR_8_Handler", "ISR_9_Handler", "ISR_10_Handler", "ISR_11_Handler", "ISR_12_Handler", "ISR_13_Handler"
]; ];
/// Read ELF program headers to resolve physical load addresses. /// Read ELF program headers to resolve physical load addresses.

7
fuzzers/FRET/src/systemstate/observers.rs
View File

@ -16,6 +16,7 @@ use std::cell::RefCell;
use std::collections::VecDeque; use std::collections::VecDeque;
use std::borrow::Cow; use std::borrow::Cow;
use super::helpers::USR_ISR_SYMBOLS;
use super::{ AtomicBasicBlock, ExecInterval}; use super::{ AtomicBasicBlock, ExecInterval};
use super::{ use super::{
CURRENT_SYSTEMSTATE_VEC, CURRENT_SYSTEMSTATE_VEC,
@ -233,7 +234,7 @@ fn get_releases(trace: &Vec<ExecInterval>, states: &HashMap<u64, ReducedFreeRTOS
}); });
continue; continue;
} }
if i.start_capture.0 == CaptureEvent::ISRStart && ( i.start_capture.1 == "xPortSysTickHandler" || i.start_capture.1 == "isr_starter" ) { if i.start_capture.0 == CaptureEvent::ISRStart && ( i.start_capture.1 == "xPortSysTickHandler" || USR_ISR_SYMBOLS.contains(&i.start_capture.1.as_str()) ) {
// detect race-conditions, get start adn end state from the nearest valid intervals // detect race-conditions, get start adn end state from the nearest valid intervals
if states.get(&i.start_state).map(|x| x.read_invalid).unwrap_or(true) { if states.get(&i.start_state).map(|x| x.read_invalid).unwrap_or(true) {
let mut start_index=None; let mut start_index=None;
@ -411,7 +412,7 @@ fn states2intervals(trace: Vec<ReducedFreeRTOSSystemState>, meta: Vec<(u64, Capt
}, },
CaptureEvent::ISRStart => { CaptureEvent::ISRStart => {
// special case for isrs which do not capture their end // special case for isrs which do not capture their end
// if meta[i].2 == "isr_starter" { // if meta[i].2 == "ISR_0_Handler" {
// &2 // &2
// } else { // } else {
// regular case // regular case
@ -564,7 +565,7 @@ fn add_abb_info(trace: &mut Vec<ExecInterval>, table: &HashMap<u64, ReducedFreeR
// for i in meta.iter_mut() { // for i in meta.iter_mut() {
// if i.1 == CaptureEvent::APIStart && i.2.ends_with("FromISR") { // if i.1 == CaptureEvent::APIStart && i.2.ends_with("FromISR") {
// i.1 = CaptureEvent::ISREnd; // i.1 = CaptureEvent::ISREnd;
// i.2 = "isr_starter".to_string(); // i.2 = "ISR_0_Handler".to_string();
// } // }
// } // }
// } // }