SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix capture in api calls

Browse Source
This commit is contained in:
Alwin Berger 2024-03-27 15:24:44 +01:00
parent 7e79f4051d
commit 730fbcf6d4
3 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fuzzers/FRET/benchmark/target_symbols.csv
View File

@ -22,4 +22,5 @@ watersv2_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
micro_int,main_int,FUZZ_INPUT,16,trigger_Qemu_break
micro_longint,main_micro_longint,FUZZ_INPUT,16,trigger_Qemu_break
minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
gen3,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break

1 kernel main_function input_symbol input_size return_function
22 micro_branchless main_branchless FUZZ_INPUT 4 trigger_Qemu_break
23 micro_int main_int FUZZ_INPUT 16 trigger_Qemu_break
24 micro_longint main_micro_longint FUZZ_INPUT 16 trigger_Qemu_break
25 minimal main_minimal FUZZ_INPUT 4096 trigger_Qemu_break
26 gen3 main_minimal FUZZ_INPUT 4096 trigger_Qemu_break

8
fuzzers/FRET/src/systemstate/helpers.rs
View File

@ -235,7 +235,7 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
}
},
Some(dest) => {
if let Some(src) = edge.0 { // Bot set, can be API Call/Ret
if let Some(src) = edge.0 { // Both set, can be API Call/Ret
if let Some(s) = h.api_fn_addrs.get(&src) { // API End
systemstate.capture_point=(CaptureEvent::APIEnd, s);
} else if let Some(s) = h.api_fn_addrs.get(&dest) { // API Call
@ -282,9 +282,9 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
let critical : void_ptr = freertos::emu_lookup::lookup(emulator, h.critical_addr);
let suspended : void_ptr = freertos::emu_lookup::lookup(emulator, h.scheduler_lock_addr);
systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
// During ISRs it is only safe to extract structs if they are not currently being modified
if (systemstate.capture_point.0==CaptureEvent::ISRStart || systemstate.capture_point.0==CaptureEvent::ISREnd) && critical == 0 && suspended == 0 {
systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
if (systemstate.capture_point.0==CaptureEvent::APIStart || systemstate.capture_point.0==CaptureEvent::APIEnd) || (critical == 0 && suspended == 0) {
// Extract delay list
let mut target : GuestAddr = h.delay_queue;
target = freertos::emu_lookup::lookup(emulator, target);
@ -371,7 +371,7 @@ where
if h.app_range.contains(&src) && !h.app_range.contains(&dest) {
if let Some(_) = in_any_range(&h.api_fn_ranges,dest) {
// println!("New jmp {:x} {:x}", src, dest);
// println!("API Call Edge");
// println!("API Call Edge {:x} {:x}", src, dest);
return Some(1);
}
} else if !h.app_range.contains(&src) && dest == 0 {

12
fuzzers/FRET/src/systemstate/observers.rs
View File

@ -173,6 +173,8 @@ fn refine_system_states(input: &mut Vec<RawFreeRTOSSystemState>) -> Vec<RefinedF
fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<RefinedFreeRTOSSystemState> {
// remove subsequent pairs of equal states where an ISRStart follows an ISREnd
let mut ret : Vec<RefinedFreeRTOSSystemState> = Vec::new();
ret.push(trace[0].clone());
let mut i = 1;
while i < trace.len() - 1 {
if trace[i] == trace[i + 1] &&
@ -181,13 +183,13 @@ fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<Refined
trace[i].capture_point.1 == trace[i + 1].capture_point.1
{
// extend the end of the last ABB until the end of the next one
trace[i-1].end_tick = trace[i+1].end_tick;
trace.remove(i + 1);
trace.remove(i);
ret.last_mut().unwrap().end_tick = trace[i+1].end_tick;
i+=2;
} else {
ret.push(trace[i].clone());
i+=1;
}
}
trace
ret
}