add last api callsite to system state
This commit is contained in:
parent
7595d25192
commit
c748fecbe2
@ -103,6 +103,13 @@ pub fn fuzz() {
|
|||||||
// let svh = elf
|
// let svh = elf
|
||||||
// .resolve_symbol("vPortEnterCritical", 0)
|
// .resolve_symbol("vPortEnterCritical", 0)
|
||||||
// .expect("Symbol vPortEnterCritical not found");
|
// .expect("Symbol vPortEnterCritical not found");
|
||||||
|
let app_start = elf
|
||||||
|
.resolve_symbol("__APP_CODE_START__", 0)
|
||||||
|
.expect("Symbol __APP_CODE_START__ not found");
|
||||||
|
let app_end = elf
|
||||||
|
.resolve_symbol("__APP_CODE_END__", 0)
|
||||||
|
.expect("Symbol __APP_CODE_END__ not found");
|
||||||
|
let app_range = app_start..app_end;
|
||||||
|
|
||||||
let breakpoint = elf
|
let breakpoint = elf
|
||||||
.resolve_symbol(
|
.resolve_symbol(
|
||||||
@ -204,7 +211,7 @@ pub fn fuzz() {
|
|||||||
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
|
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
|
||||||
let mut hooks = QemuHooks::new(&emu,
|
let mut hooks = QemuHooks::new(&emu,
|
||||||
tuple_list!(QemuEdgeCoverageHelper::default(),QemuStateRestoreHelper::new(),
|
tuple_list!(QemuEdgeCoverageHelper::default(),QemuStateRestoreHelper::new(),
|
||||||
QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,0)));
|
QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,0,app_range)));
|
||||||
|
|
||||||
// Create a QEMU in-process executor
|
// Create a QEMU in-process executor
|
||||||
let executor = QemuExecutor::new(
|
let executor = QemuExecutor::new(
|
||||||
|
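Review bot: `app_range = app_start..app_end` is built without checking that `__APP_CODE_START__` resolves below `__APP_CODE_END__`; if the two symbols come out in the wrong order the half-open range is empty and the new application-to-kernel jump hook silently never fires, so I would add `assert!(app_start < app_end, "__APP_CODE_START__ must precede __APP_CODE_END__");` right after the two `expect`s. It is also worth confirming whether `__APP_CODE_END__` is exclusive (one past the last byte), as `Range::contains` requires, or inclusive as linker end symbols sometimes are — in the inclusive case a jump from the final instruction of the app region would be missed. `fuzz()` starts and ends outside these hunks.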
@ -1,4 +1,6 @@
|
|||||||
|
use std::cell::UnsafeCell;
|
||||||
use std::io::Write;
|
use std::io::Write;
|
||||||
|
use std::ops::Range;
|
||||||
use libafl::prelude::UsesInput;
|
use libafl::prelude::UsesInput;
|
||||||
use libafl_qemu::GuestAddr;
|
use libafl_qemu::GuestAddr;
|
||||||
use libafl_qemu::QemuHooks;
|
use libafl_qemu::QemuHooks;
|
||||||
@ -35,6 +37,7 @@ pub struct QemuSystemStateHelper {
|
|||||||
tcb_addr: u32,
|
tcb_addr: u32,
|
||||||
ready_queues: u32,
|
ready_queues: u32,
|
||||||
input_counter: u32,
|
input_counter: u32,
|
||||||
|
app_range: Range<u32>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl QemuSystemStateHelper {
|
impl QemuSystemStateHelper {
|
||||||
@ -44,12 +47,14 @@ impl QemuSystemStateHelper {
|
|||||||
tcb_addr: u32,
|
tcb_addr: u32,
|
||||||
ready_queues: u32,
|
ready_queues: u32,
|
||||||
input_counter: u32,
|
input_counter: u32,
|
||||||
|
app_range: Range<u32>,
|
||||||
) -> Self {
|
) -> Self {
|
||||||
QemuSystemStateHelper {
|
QemuSystemStateHelper {
|
||||||
kerneladdr,
|
kerneladdr,
|
||||||
tcb_addr: tcb_addr,
|
tcb_addr: tcb_addr,
|
||||||
ready_queues: ready_queues,
|
ready_queues: ready_queues,
|
||||||
input_counter: input_counter,
|
input_counter: input_counter,
|
||||||
|
app_range,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -62,7 +67,8 @@ where
|
|||||||
where
|
where
|
||||||
QT: QemuHelperTuple<S>,
|
QT: QemuHelperTuple<S>,
|
||||||
{
|
{
|
||||||
_hooks.instruction(self.kerneladdr, exec_syscall_hook::<QT, S>, false)
|
_hooks.instruction(self.kerneladdr, exec_syscall_hook::<QT, S>, false);
|
||||||
|
_hooks.jmps(Some(gen_jmp_is_syscall::<QT, S>), Some(trace_api_call::<QT, S>));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -97,14 +103,16 @@ where
|
|||||||
};
|
};
|
||||||
systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
|
systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
|
||||||
|
|
||||||
// unsafe {
|
unsafe {
|
||||||
// match SAVED_JUMP.take() {
|
LAST_API_CALL.with(|x|
|
||||||
// Some(s) => {
|
match *x.get() {
|
||||||
// systemstate.last_pc = Some(s.0);
|
Some(s) => {
|
||||||
// },
|
systemstate.last_pc = Some(s.0 as u64);
|
||||||
// None => (),
|
},
|
||||||
// }
|
None => (),
|
||||||
// }
|
}
|
||||||
|
);
|
||||||
|
}
|
||||||
// println!("{:?}",std::str::from_utf8(¤t_tcb.pcTaskName));
|
// println!("{:?}",std::str::from_utf8(¤t_tcb.pcTaskName));
|
||||||
|
|
||||||
for i in 0..NUM_PRIOS {
|
for i in 0..NUM_PRIOS {
|
||||||
@ -138,4 +146,41 @@ where
|
|||||||
}
|
}
|
||||||
|
|
||||||
unsafe { CURRENT_SYSTEMSTATE_VEC.push(systemstate); }
|
unsafe { CURRENT_SYSTEMSTATE_VEC.push(systemstate); }
|
||||||
|
}
|
||||||
|
|
||||||
|
thread_local!(static LAST_API_CALL : UnsafeCell<Option<(GuestAddr,GuestAddr)>> = UnsafeCell::new(None));
|
||||||
|
|
||||||
|
pub fn gen_jmp_is_syscall<QT, S>(
|
||||||
|
hooks: &mut QemuHooks<'_, QT, S>,
|
||||||
|
_state: Option<&mut S>,
|
||||||
|
src: GuestAddr,
|
||||||
|
dest: GuestAddr,
|
||||||
|
) -> Option<u64>
|
||||||
|
where
|
||||||
|
S: UsesInput,
|
||||||
|
QT: QemuHelperTuple<S>,
|
||||||
|
{
|
||||||
|
if let Some(h) = hooks.helpers().match_first_type::<QemuSystemStateHelper>() {
|
||||||
|
if h.app_range.contains(&src) && !h.app_range.contains(&dest) {
|
||||||
|
// println!("New jmp {:x} {:x}", src, dest);
|
||||||
|
return Some(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn trace_api_call<QT, S>(
|
||||||
|
_hooks: &mut QemuHooks<'_, QT, S>,
|
||||||
|
_state: Option<&mut S>,
|
||||||
|
src: GuestAddr, dest: GuestAddr, id: u64
|
||||||
|
)
|
||||||
|
where
|
||||||
|
S: UsesInput,
|
||||||
|
QT: QemuHelperTuple<S>,
|
||||||
|
{
|
||||||
|
unsafe {
|
||||||
|
let p = LAST_API_CALL.with(|x| x.get());
|
||||||
|
*p = Some((src,dest));
|
||||||
|
// print!("*");
|
||||||
|
}
|
||||||
}
|
}
|
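Review bot: `LAST_API_CALL` is set in `trace_api_call` and read in the syscall hook but never cleared, so after a restore the first snapshot of the next input can still report the previous input's last application-to-kernel jump as `last_pc` — presumably `QemuStateRestoreHelper` restores guest state only, not this host-side thread-local; confirm, and clear it wherever the run is reset (or take it on read if one-shot semantics are intended). Separately, both new `unsafe` blocks are avoidable: the stored tuple is `Copy`, so `Cell<Option<(GuestAddr, GuestAddr)>>` gives the same single-thread interior mutability safely, and the raw pointer `p` in `trace_api_call` would no longer escape the `with` closure. That rewrite needs `use std::cell::Cell;` in place of `UnsafeCell`. The `exec_syscall_hook` body begins before the `-97,14 +103,16` hunk.
```rust
thread_local!(static LAST_API_CALL: Cell<Option<(GuestAddr, GuestAddr)>> = Cell::new(None));

// … unchanged: exec_syscall_hook up to the current_tcb lookup …
    // Source of the most recent app->kernel jump, if any was recorded.
    if let Some((src, _dest)) = LAST_API_CALL.with(|x| x.get()) {
        systemstate.last_pc = Some(src as u64);
    }

// … unchanged: gen_jmp_is_syscall …

// trace_api_call body:
    LAST_API_CALL.with(|x| x.set(Some((src, dest))));
```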