add interrupts

2022-04-19 23:43:58 +02:00 · 2022-04-19 23:43:58 +02:00 · 6551fc31f4
commit 6551fc31f4
parent 5c4238e0ee
4 changed files with 43 additions and 2 deletions
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.

+use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use wcet_qemu_sys::sysstate::graph::RandGraphSnippetMutator;
 use wcet_qemu_sys::sysstate::graph::GraphMaximizerCorpusScheduler;
 use wcet_qemu_sys::sysstate::graph::SysMapFeedback;
@ -415,12 +416,21 @@ fn fuzz(
        let target = input.target_bytes();
        let mut buf = target.as_slice();
        let mut len = buf.len();
-        if len > 32 {
+        let mut int_tick : Option<u64> = None;
+        if len > 4 {
+            let mut t : [u8; 4] = [0,0,0,0];    // 4 extra bytes determine the tick to execute an interrupt
+            t.copy_from_slice(&buf[0..4]);
+            int_tick = Some(u32::from_le_bytes(t) as u64);
+            buf = &buf[4..];
+            len = buf.len();
+        }
+        if len >= 32 {
            buf = &buf[0..32];
            len = 32;
        }

        unsafe {
+            INTR_OFFSET = int_tick;
            emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
            emu.write_mem(input_addr,buf);

--- a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.

+use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use std::io::Read;
 use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
 use wcet_qemu_sys::sysstate::feedbacks::DumpSystraceFeedback;
@ -337,12 +338,21 @@ fn fuzz(
        let target = input.target_bytes();
        let mut buf = target.as_slice();
        let mut len = buf.len();
-        if len > 32 {
+        let mut int_tick : Option<u64> = None;
+        if len > 4 {
+            let mut t : [u8; 4] = [0,0,0,0];    // 4 extra bytes determine the tick to execute an interrupt
+            t.copy_from_slice(&buf[0..4]);
+            int_tick = Some(u32::from_le_bytes(t) as u64);
+            buf = &buf[4..];
+            len = buf.len();
+        }
+        if len >= 32 {
            buf = &buf[0..32];
            len = 32;
        }

        unsafe {
+            INTR_OFFSET = int_tick;
            emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
            emu.write_mem(input_addr,buf);

--- a/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
@ -17,6 +17,8 @@ use libafl_qemu::{

 //============================= Struct definitions

+pub static mut INTR_OFFSET : Option<u64> = None;
+pub static mut INTR_DONE : bool = true;

 //============================= Qemu Helper

@ -88,6 +90,21 @@ where
    I: Input,
    QT: QemuHelperTuple<I, S>,
 {
+    unsafe {
+        match INTR_OFFSET {
+            None => (),
+            Some(off) => {
+                if emulator.get_ticks() > off {
+                    if !INTR_DONE {
+                        libafl_qemu::emu::libafl_send_irq(0);
+                        INTR_DONE = true;
+                    }
+                } else {
+                    INTR_DONE = false;
+                }
+            },
+        }
+    }
    let h = helpers.match_first_type::<QemuSystemStateHelper>().expect("QemuSystemHelper not found in helper tupel");
    if !h.must_instrument(pc) {
        return;
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@ -218,6 +218,10 @@ extern "C" {

    fn libafl_maps_next(map_info: *const c_void, ret: *mut MapInfo) -> *const c_void;

+    #[cfg(feature = "systemmode")]
+    #[cfg(feature = "arm")]
+    pub fn libafl_send_irq(irqn: u32);
+
    static exec_path: *const u8;
    static guest_base: usize;