SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

generalize system state hook

Browse Source
This commit is contained in:
Alwin Berger 2022-01-26 23:14:38 +01:00
parent 44a32398d9
commit 8676342776
3 changed files with 54 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
fuzzers/wcet_qemu_sys/src/freertos.rs
View File

@ -145,7 +145,7 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() {
} }
pub type MiniListItem_t = xMINI_LIST_ITEM; pub type MiniListItem_t = xMINI_LIST_ITEM;
#[repr(C)] #[repr(C)]
#[derive(Debug, Copy, Clone, Default)] #[derive(Debug, Copy, Clone, Default, Serialize, Deserialize)]
pub struct xLIST { pub struct xLIST {
pub uxNumberOfItems: UBaseType_t, pub uxNumberOfItems: UBaseType_t,
pub pxIndex: ListItem_t_ptr, pub pxIndex: ListItem_t_ptr,
@ -535,4 +535,10 @@ impl emu_lookup for List_t {
std::mem::transmute::<[u8; std::mem::size_of::<List_t>()], List_t>(tmp) std::mem::transmute::<[u8; std::mem::size_of::<List_t>()], List_t>(tmp)
} }
} }
}
#[derive(Debug, Copy, Clone, Serialize, Deserialize)]
pub enum rtos_struct {
TCB_struct(TCB_t),
List_struct(List_t),
} }

23
fuzzers/wcet_qemu_sys/src/showmap.rs
View File

@ -1,5 +1,6 @@
//! A singlethreaded QEMU fuzzer that can auto-restart. //! A singlethreaded QEMU fuzzer that can auto-restart.
use libafl_qemu::QemuInstrumentationFilter;
use crate::system_trace::QemuSystemStateHelper; use crate::system_trace::QemuSystemStateHelper;
use libafl::feedbacks::CrashFeedback; use libafl::feedbacks::CrashFeedback;
use std::path::Path; use std::path::Path;
@ -209,21 +210,21 @@ fn fuzz(
.expect("Symbol pxReadyTasksLists not found"); .expect("Symbol pxReadyTasksLists not found");
// let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin()); // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
println!("Task Queue at {:#x}", task_queue_addr); println!("Task Queue at {:#x}", task_queue_addr);
let shv = elf let systick_handler = elf
.resolve_symbol("xPortSysTickHandler", 0) .resolve_symbol("xPortSysTickHandler", 0)
.expect("Symbol xPortSysTickHandler not found"); .expect("Symbol xPortSysTickHandler not found");
let shv = virt2phys(shv,&elf.goblin()); let systick_handler = virt2phys(systick_handler,&elf.goblin());
println!("SysTick at {:#x}", shv); println!("SysTick at {:#x}", systick_handler);
let shv = elf let svc_handle = elf
.resolve_symbol("vPortSVCHandler", 0) .resolve_symbol("vPortSVCHandler", 0)
.expect("Symbol vPortSVCHandler not found"); .expect("Symbol vPortSVCHandler not found");
let shv = virt2phys(shv,&elf.goblin()); let svc_handle = virt2phys(svc_handle,&elf.goblin());
println!("SVChandle at {:#x}", shv); println!("SVChandle at {:#x}", svc_handle);
let shv = elf let svh = elf
.resolve_symbol("xPortPendSVHandler", 0) .resolve_symbol("xPortPendSVHandler", 0)
.expect("Symbol xPortPendSVHandler not found"); .expect("Symbol xPortPendSVHandler not found");
let shv = virt2phys(shv,&elf.goblin()); let svh = virt2phys(svh,&elf.goblin());
println!("PendHandle at {:#x}", shv); println!("PendHandle at {:#x}", svh);
@ -300,6 +301,8 @@ fn fuzz(
ExitKind::Ok ExitKind::Ok
}; };
//======= Set System-State watchpoints
let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1]);
//======= Construct the executor, including the Helpers. The edges_observer still contains the ref to EDGES_MAP //======= Construct the executor, including the Helpers. The edges_observer still contains the ref to EDGES_MAP
let mut executor = QemuExecutor::new( let mut executor = QemuExecutor::new(
@ -310,7 +313,7 @@ fn fuzz(
// QemuCmpLogHelper::new(), // QemuCmpLogHelper::new(),
// QemuAsanHelper::new(), // QemuAsanHelper::new(),
QemuSysSnapshotHelper::new(), QemuSysSnapshotHelper::new(),
QemuSystemStateHelper::new() QemuSystemStateHelper::with_instrumentation_filter(system_state_filter,curr_tcb_pointer.try_into().unwrap(),task_queue_addr.try_into().unwrap())
), ),
tuple_list!(edges_observer), tuple_list!(edges_observer),
&mut fuzzer, &mut fuzzer,

70
fuzzers/wcet_qemu_sys/src/system_trace.rs
View File

@ -1,3 +1,4 @@
use crate::freertos::rtos_struct::*;
use crate::freertos; use crate::freertos;
use hashbrown::HashMap; use hashbrown::HashMap;
use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata}; use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
@ -11,18 +12,14 @@ use libafl_qemu::{
#[derive(Debug, Default, Serialize, Deserialize)] #[derive(Debug, Default, Serialize, Deserialize)]
pub struct QemuSystemStateMetadata { pub struct QemuSystemStateMetadata {
pub tcbs: Vec<freertos::TCB_t>, pub rtos_states: Vec<(freertos::TCB_t,HashMap<u32,freertos::rtos_struct>)>,
// pub map: HashMap<u64, u64>,
// pub current_id: u64,
} }
impl QemuSystemStateMetadata { impl QemuSystemStateMetadata {
#[must_use] #[must_use]
pub fn new() -> Self { pub fn new() -> Self {
Self { Self {
tcbs: Vec::new(), rtos_states: Vec::new(),
// map: HashMap::new(),
// current_id: 0,
} }
} }
} }
@ -32,19 +29,23 @@ libafl::impl_serdeany!(QemuSystemStateMetadata);
#[derive(Debug)] #[derive(Debug)]
pub struct QemuSystemStateHelper { pub struct QemuSystemStateHelper {
filter: QemuInstrumentationFilter, filter: QemuInstrumentationFilter,
tcb_addr: u32,
ready_queues: u32,
} }
impl QemuSystemStateHelper { impl QemuSystemStateHelper {
#[must_use] #[must_use]
pub fn new() -> Self { pub fn new(tcb_addr: u32, ready_queues: u32) -> Self {
Self { Self {
filter: QemuInstrumentationFilter::None, filter: QemuInstrumentationFilter::None,
tcb_addr: tcb_addr,
ready_queues: ready_queues,
} }
} }
#[must_use] #[must_use]
pub fn with_instrumentation_filter(filter: QemuInstrumentationFilter) -> Self { pub fn with_instrumentation_filter(filter: QemuInstrumentationFilter, tcb_addr: u32, ready_queues: u32) -> Self {
Self { filter } Self { filter, tcb_addr, ready_queues}
} }
#[must_use] #[must_use]
@ -53,12 +54,6 @@ impl QemuSystemStateHelper {
} }
} }
impl Default for QemuSystemStateHelper {
fn default() -> Self {
Self::new()
}
}
impl<I, S> QemuHelper<I, S> for QemuSystemStateHelper impl<I, S> QemuHelper<I, S> for QemuSystemStateHelper
where where
I: Input, I: Input,
@ -85,26 +80,29 @@ where
I: Input, I: Input,
QT: QemuHelperTuple<I, S>, QT: QemuHelperTuple<I, S>,
{ {
// if pc == 0x2e8 { //vPortSVCHandler let h = helpers.match_first_type::<QemuSystemStateHelper>().expect("QemuSystemHelper not found in helper tupel");
// if pc == 0x3c4 { //SystemTick if !h.must_instrument(pc) {
if pc == 0x37c { //xPortPendSVHandler return;
if let Some(h) = helpers.match_first_type::<QemuSystemStateHelper>() {
if !h.must_instrument(pc) {
return;
}
}
if state.metadata().get::<QemuSystemStateMetadata>().is_none() {
state.add_metadata(QemuSystemStateMetadata::new());
}
let meta = state
.metadata_mut()
.get_mut::<QemuSystemStateMetadata>()
.unwrap();
let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(emulator, 0x20006ff0.try_into().unwrap());
// println!("Current TCB addr: {:x}",curr_tcb_addr);
let current_tcb : freertos::TCB_t = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
println!("{}", std::str::from_utf8(&current_tcb.pcTaskName).unwrap());
meta.tcbs.push(current_tcb);
let id = meta.tcbs.len();
} }
if state.metadata().get::<QemuSystemStateMetadata>().is_none() {
state.add_metadata(QemuSystemStateMetadata::new());
}
let meta = state
.metadata_mut()
.get_mut::<QemuSystemStateMetadata>()
.unwrap();
let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(emulator, h.tcb_addr);
// println!("Current TCB addr: {:x}",curr_tcb_addr);
let current_tcb : freertos::TCB_t = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
println!("{:?}",current_tcb);
println!("{}", std::str::from_utf8(&current_tcb.pcTaskName).unwrap());
let mut result_tup : (freertos::TCB_t,HashMap<u32,freertos::rtos_struct>) = (current_tcb, HashMap::with_capacity(5));
for i in 0..4 {
let target : u32= (std::mem::size_of::<freertos::List_t>()*i).try_into().unwrap();
let ready_list : freertos::List_t = freertos::emu_lookup::lookup(emulator, h.ready_queues+target);
let a : freertos::rtos_struct = List_struct(ready_list);
// println!("{:?}",ready_list);
// println!("Prio: {} Number: {} first {:x}",i,ready_list.uxNumberOfItems, ready_list.pxIndex);
}
meta.rtos_states.push(result_tup);
} }