SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix liabfl_qemu example

Browse Source 
Use GuestAddr and physical memory access
This commit is contained in:
Alwin Berger 2022-11-15 09:27:56 +01:00
parent 7fc994ee1e
commit 5ef91d2524
2 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fuzzers/qemu_systemmode/README.md
View File

@ -21,6 +21,6 @@ Create on and then run the fuzzer:
# create an image # create an image
qemu-img create -f qcow2 dummy.qcow2 32M qemu-img create -f qcow2 dummy.qcow2 32M
# run the fuzzer # run the fuzzer
KERNEL=./example/example.elf target/release/qemu_launcher -icount shift=auto,align=off,sleep=off -machine mps2-an385 -monitor null -kernel ./example/example.elf -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S KERNEL=./example/example.elf target/release/qemu_systemmode -icount shift=auto,align=off,sleep=off -machine mps2-an385 -monitor null -kernel ./example/example.elf -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S
``` ```
Currently the ``KERNEL`` variable is needed because the fuzzer does not parse QEMUs arguments to find the binary. Currently the ``KERNEL`` variable is needed because the fuzzer does not parse QEMUs arguments to find the binary.

14
fuzzers/qemu_systemmode/src/fuzzer.rs
View File

@ -36,20 +36,20 @@ use libafl_qemu::{
edges::QemuEdgeCoverageHelper, edges::QemuEdgeCoverageHelper,
elf::EasyElf, elf::EasyElf,
emu::Emulator, emu::Emulator,
GuestAddr,
//snapshot::QemuSnapshotHelper, //snapshot::QemuSnapshotHelper,
QemuExecutor, QemuExecutor,
QemuHooks, QemuHooks,
Regs, Regs,
}; };
fn virt2phys(vaddr: u32, tab: &EasyElf) -> u32 { /// Read ELF program headers to resolve physical load addresses.
fn virt2phys(vaddr: GuestAddr, tab: &EasyElf) -> GuestAddr {
let ret; let ret;
for i in &tab.goblin().program_headers { for i in &tab.goblin().program_headers {
if i.vm_range() if i.vm_range().contains(&vaddr.try_into().unwrap()) {
.contains(&vaddr.try_into().expect("Can not cast u64 to usize")) ret = vaddr - TryInto::<GuestAddr>::try_into(i.p_vaddr).unwrap()
{ + TryInto::<GuestAddr>::try_into(i.p_paddr).unwrap();
ret = vaddr - TryInto::<u32>::try_into(i.p_vaddr).unwrap()
+ TryInto::<u32>::try_into(i.p_paddr).unwrap();
return ret - (ret % 2); return ret - (ret % 2);
} }
} }
@ -113,7 +113,7 @@ pub fn fuzz() {
// len = MAX_INPUT_SIZE; // len = MAX_INPUT_SIZE;
} }
emu.write_mem(input_addr, buf); emu.write_phys_mem(input_addr, buf);
emu.run(); emu.run();