From 6551fc31f4ce2e888169598a60ea98e200d2c691 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Tue, 19 Apr 2022 23:43:58 +0200
Subject: [PATCH] add interrupts
---
 fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs | 12 +++++++++++-
 fuzzers/wcet_qemu_sys/src/bin/showmap.rs | 12 +++++++++++-
 fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs | 17 +++++++++++++++++
 libafl_qemu/src/emu.rs | 4 ++++
 4 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
index c67d2db867..76af11c4b4 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.
+use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use wcet_qemu_sys::sysstate::graph::RandGraphSnippetMutator;
 use wcet_qemu_sys::sysstate::graph::GraphMaximizerCorpusScheduler;
 use wcet_qemu_sys::sysstate::graph::SysMapFeedback;
@@ -415,12 +416,21 @@ fn fuzz(
 let target = input.target_bytes();
 let mut buf = target.as_slice();
 let mut len = buf.len();
- if len > 32 {
+ let mut int_tick : Option = None;
+ if len > 4 {
+ let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
+ t.copy_from_slice(&buf[0..4]);
+ int_tick = Some(u32::from_le_bytes(t) as u64);
+ buf = &buf[4..];
+ len = buf.len();
+ }
+ if len >= 32 {
 buf = &buf[0..32];
 len = 32;
 }
 unsafe {
+ INTR_OFFSET = int_tick;
 emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
 emu.write_mem(input_addr,buf);
diff --git a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
index 0888b33cee..5588aa46d4 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
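Review bot: The tick prefix is consumed only when `len > 4`, so a four-byte input reaches the target as a four-byte payload with no interrupt while a five-byte input becomes a tick plus a one-byte payload; `if len >= 4 {` makes the wire format unambiguous (tick first, payload may be empty), and the same boundary sits in the identical hunk in `showmap.rs`, which has to agree with the fuzzer byte for byte or the map it shows belongs to a different execution than the one fuzzed. Because the parsing is duplicated verbatim in both binaries, I would hoist it into `sysstate::helpers` next to `INTR_OFFSET` as one function (e.g. `fn split_intr_tick(buf: &[u8]) -> (Option<u64>, &[u8])`) so the input layout has a single definition. The scratch array is also avoidable: `let (tick, rest) = buf.split_at(4);` then `int_tick = Some(u64::from(u32::from_le_bytes(tick.try_into().expect("split_at(4) yields 4 bytes"))));` and `buf = rest;`, which also replaces the truncation-looking `as u64` with a lossless `u64::from` (`TryInto` is in the 2021 prelude; an older edition needs `use std::convert::TryInto;`). `fuzz` continues outside this hunk.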
@@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.
+use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use std::io::Read;
 use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
 use wcet_qemu_sys::sysstate::feedbacks::DumpSystraceFeedback;
@@ -337,12 +338,21 @@ fn fuzz(
 let target = input.target_bytes();
 let mut buf = target.as_slice();
 let mut len = buf.len();
- if len > 32 {
+ let mut int_tick : Option = None;
+ if len > 4 {
+ let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
+ t.copy_from_slice(&buf[0..4]);
+ int_tick = Some(u32::from_le_bytes(t) as u64);
+ buf = &buf[4..];
+ len = buf.len();
+ }
+ if len >= 32 {
 buf = &buf[0..32];
 len = 32;
 }
 unsafe {
+ INTR_OFFSET = int_tick;
 emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
 emu.write_mem(input_addr,buf);
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs b/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
index 4650d52fb0..030c25a830 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
@@ -17,6 +17,8 @@ use libafl_qemu::{
 //============================= Struct definitions
+pub static mut INTR_OFFSET : Option = None;
+pub static mut INTR_DONE : bool = true;
 //============================= Qemu Helper
@@ -88,6 +90,21 @@ where
 I: Input,
 QT: QemuHelperTuple,
 {
+ unsafe {
+ match INTR_OFFSET {
+ None => (),
+ Some(off) => {
+ if emulator.get_ticks() > off {
+ if !INTR_DONE {
+ libafl_qemu::emu::libafl_send_irq(0);
+ INTR_DONE = true;
+ }
+ } else {
+ INTR_DONE = false;
+ }
+ },
+ }
+ }
 let h = helpers.match_first_type::().expect("QemuSystemHelper not found in helper tupel");
 if !h.must_instrument(pc) {
 return;
diff --git a/libafl_qemu/src/emu.rs b/libafl_qemu/src/emu.rs
index 1a2387b68b..7740a0903d 100644
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
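Review bot: `INTR_OFFSET` and `INTR_DONE` are added as undocumented `pub static mut` globals, so a reader of `helpers.rs` cannot tell that the fuzzer binaries rewrite `INTR_OFFSET` before every execution or that `INTR_DONE` is a fire-once latch owned by the hook further down. I would document them as `/// Tick count after which the hook raises IRQ 0 for the current input; `None` disables the interrupt. Written by the fuzzer before each run.` and `/// Latch ensuring the IRQ is raised at most once per armed `INTR_OFFSET`; cleared by the hook while the tick count is still below the offset.` Both are read and written from `unsafe` blocks with no synchronization, so a comment stating the single-thread assumption the binaries make (`//! A singlethreaded QEMU fuzzer`) belongs here too, or `INTR_DONE` can simply become an `AtomicBool`, which costs nothing on this path and removes one `static mut`.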
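Review bot: The IRQ is never sent unless the hook first runs with `emulator.get_ticks() <= off`, because `INTR_DONE` starts out `true` and is only cleared in the `else` branch; an offset that is already below the tick count at the first instrumented pc silently skips the interrupt, and nothing re-arms the latch when the fuzzer writes a new `INTR_OFFSET`, so the latch state left by the previous input carries over. I cannot tell from this hunk whether `get_ticks()` is reset when the snapshot is restored; if it is not, the offset taken from the input should be compared against a per-run baseline rather than the absolute counter. A self-contained alternative is to fire on the first hook call past the offset and disarm by clearing `INTR_OFFSET` itself, which makes `INTR_DONE` unnecessary and reads more naturally than the `match` with a `None => ()` arm. The enclosing hook function's signature starts above this hunk.
```rust
    unsafe {
        // Fire at most once per armed offset; the fuzzer re-arms INTR_OFFSET before every run.
        if let Some(off) = INTR_OFFSET {
            if emulator.get_ticks() > off {
                libafl_qemu::emu::libafl_send_irq(0);
                INTR_OFFSET = None;
            }
        }
    }
    // … unchanged: helper lookup and must_instrument check …
```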
@@ -218,6 +218,10 @@ extern "C" {
 fn libafl_maps_next(map_info: *const c_void, ret: *mut MapInfo) -> *const c_void;
+ #[cfg(feature = "systemmode")]
+ #[cfg(feature = "arm")]
+ pub fn libafl_send_irq(irqn: u32);
+
 static exec_path: *const u8;
 static guest_base: usize;
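Review bot: `libafl_send_irq` is declared only under `#[cfg(feature = "systemmode")]` plus `#[cfg(feature = "arm")]`, but the call added in `helpers.rs` (`libafl_qemu::emu::libafl_send_irq(0)`) carries no matching gate, so a build of `wcet_qemu_sys` that does not enable both features on `libafl_qemu` fails to resolve the symbol; I cannot see the fuzzer's Cargo.toml in this patch, so either the features are guaranteed there or the call site needs the same `cfg`. The two attributes express one condition and are clearer as `#[cfg(all(feature = "systemmode", feature = "arm"))]`. The declaration also deserves a doc comment; based on how the fuzzer uses it, something like `/// Injects interrupt `irqn` into the guest CPU (system-mode ARM builds only); provided by the patched QEMU.` — confirm the semantics against the C side before committing to that wording.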