SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix liabfl_qemu example

Browse Source 
Use GuestAddr and physical memory access
This commit is contained in:
Alwin Berger 2022-11-15 09:27:56 +01:00
parent 7fc994ee1e
commit 5ef91d2524
2 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fuzzers/qemu_systemmode/README.md
View File

@ -21,6 +21,6 @@ Create on and then run the fuzzer:
# create an image
qemu-img create -f qcow2 dummy.qcow2 32M
# run the fuzzer
KERNEL=./example/example.elf target/release/qemu_launcher -icount shift=auto,align=off,sleep=off -machine mps2-an385 -monitor null -kernel ./example/example.elf -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S
KERNEL=./example/example.elf target/release/qemu_systemmode -icount shift=auto,align=off,sleep=off -machine mps2-an385 -monitor null -kernel ./example/example.elf -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S
```
Currently the ``KERNEL`` variable is needed because the fuzzer does not parse QEMUs arguments to find the binary.

14
fuzzers/qemu_systemmode/src/fuzzer.rs
View File

@ -36,20 +36,20 @@ use libafl_qemu::{
edges::QemuEdgeCoverageHelper,
elf::EasyElf,
emu::Emulator,
GuestAddr,
//snapshot::QemuSnapshotHelper,
QemuExecutor,
QemuHooks,
Regs,
};
fn virt2phys(vaddr: u32, tab: &EasyElf) -> u32 {
/// Read ELF program headers to resolve physical load addresses.
fn virt2phys(vaddr: GuestAddr, tab: &EasyElf) -> GuestAddr {
let ret;
for i in &tab.goblin().program_headers {
if i.vm_range()
.contains(&vaddr.try_into().expect("Can not cast u64 to usize"))
{
ret = vaddr - TryInto::<u32>::try_into(i.p_vaddr).unwrap()
+ TryInto::<u32>::try_into(i.p_paddr).unwrap();
if i.vm_range().contains(&vaddr.try_into().unwrap()) {
ret = vaddr - TryInto::<GuestAddr>::try_into(i.p_vaddr).unwrap()
+ TryInto::<GuestAddr>::try_into(i.p_paddr).unwrap();
return ret - (ret % 2);
}
}
@ -113,7 +113,7 @@ pub fn fuzz() {
// len = MAX_INPUT_SIZE;
}
emu.write_mem(input_addr, buf);
emu.write_phys_mem(input_addr, buf);
emu.run();