SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

switch to native breakpoints

Browse Source
This commit is contained in:
Alwin Berger 2023-03-13 12:19:24 +01:00
parent 57fc441118
commit d118eeacbd
3 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fuzzers/FRET/src/fuzzer.rs
View File

@ -33,6 +33,7 @@ use libafl::{
use libafl_qemu::{ use libafl_qemu::{
edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor, edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr, QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr,
emu::libafl_qemu_set_native_breakpoint, emu::libafl_qemu_remove_native_breakpoint,
}; };
use rand::{SeedableRng, StdRng, Rng}; use rand::{SeedableRng, StdRng, Rng};
use crate::{ use crate::{
@ -167,14 +168,14 @@ pub fn fuzz() {
let emu = Emulator::new(&args, &env); let emu = Emulator::new(&args, &env);
if let Some(main_addr) = main_addr { if let Some(main_addr) = main_addr {
emu.set_breakpoint(main_addr);
unsafe { unsafe {
libafl_qemu_set_native_breakpoint(main_addr);
emu.run(); emu.run();
libafl_qemu_remove_native_breakpoint(main_addr);
} }
emu.remove_breakpoint(main_addr);
} }
emu.set_breakpoint(breakpoint); // BREAKPOINT unsafe { libafl_qemu_set_native_breakpoint(breakpoint); }// BREAKPOINT
// The wrapped harness function, calling out to the LLVM-style harness // The wrapped harness function, calling out to the LLVM-style harness
let mut harness = |input: &BytesInput| { let mut harness = |input: &BytesInput| {
@ -276,7 +277,7 @@ pub fn fuzz() {
let mut state = state.unwrap_or_else(|| { let mut state = state.unwrap_or_else(|| {
StdState::new( StdState::new(
// RNG // RNG
StdRand::with_seed(RNG_SEED), unsafe {StdRand::with_seed(RNG_SEED) },
// Corpus that will be evolved, we keep it in memory for performance // Corpus that will be evolved, we keep it in memory for performance
InMemoryCorpus::new(), InMemoryCorpus::new(),
// Corpus in which we store solutions (crashes in this example), // Corpus in which we store solutions (crashes in this example),
@ -492,7 +493,7 @@ pub fn fuzz() {
let emu = Emulator::new(&args, &env); let emu = Emulator::new(&args, &env);
if let Some(main_addr) = main_addr { if let Some(main_addr) = main_addr {
emu.set_breakpoint(main_addr); unsafe { libafl_qemu_set_native_breakpoint(main_addr); }// BREAKPOINT
} }
unsafe { unsafe {
emu.run(); emu.run();

2
fuzzers/FRET/src/systemstate/helpers.rs
View File

@ -93,7 +93,7 @@ fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
let mut systemstate = RawFreeRTOSSystemState::default(); let mut systemstate = RawFreeRTOSSystemState::default();
unsafe { unsafe {
// TODO: investigate why can_do_io is not set sometimes, as this is just a workaround // TODO: investigate why can_do_io is not set sometimes, as this is just a workaround
let c = emulator.current_cpu().unwrap(); let c = emulator.cpu_from_index(0);
let can_do_io = (*c.raw_ptr()).can_do_io; let can_do_io = (*c.raw_ptr()).can_do_io;
(*c.raw_ptr()).can_do_io = 1; (*c.raw_ptr()).can_do_io = 1;
systemstate.qemu_tick = emu::icount_get_raw(); systemstate.qemu_tick = emu::icount_get_raw();

3
libafl_qemu/src/emu.rs
View File

@ -314,6 +314,9 @@ extern "C" {
fn libafl_qemu_set_breakpoint(addr: u64) -> i32; fn libafl_qemu_set_breakpoint(addr: u64) -> i32;
fn libafl_qemu_remove_breakpoint(addr: u64) -> i32; fn libafl_qemu_remove_breakpoint(addr: u64) -> i32;
pub fn libafl_qemu_set_native_breakpoint(addr: u32);
pub fn libafl_qemu_remove_native_breakpoint(addr: u32);
fn libafl_flush_jit(); fn libafl_flush_jit();
fn libafl_qemu_trigger_breakpoint(cpu: CPUStatePtr); fn libafl_qemu_trigger_breakpoint(cpu: CPUStatePtr);