From decae09931c9bcaac2cdba7a3b288a74d90518f7 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Fri, 23 Dec 2022 15:32:20 +0100
Subject: [PATCH] input length and read input pointer

---
 fuzzers/FRET/src/fuzzer.rs | 15 +++++++++++++--
 fuzzers/FRET/src/systemstate/feedbacks.rs | 3 ++-
 fuzzers/FRET/src/systemstate/helpers.rs | 9 ++++++---
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index 2e21fbc042..45b1b00929 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -77,10 +77,18 @@ pub fn fuzz() {
 &env::var("FUZZ_INPUT").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()),
 0,
 )
- .expect("Symbol or env FUZZ_INPUT not found") ;
+ .expect("Symbol or env FUZZ_INPUT not found");
 let input_addr = virt2phys(input_addr,&elf) as GuestPhysAddr;
 println!("FUZZ_INPUT @ {:#x}", input_addr);
+ let test_length_ptr = elf
+ .resolve_symbol("FUZZ_LENGTH", 0);
+ let test_length_ptr = Option::map_or(test_length_ptr, None, |x| Some(virt2phys(x,&elf) as u32));
+
+ let input_counter_ptr = elf
+ .resolve_symbol(&env::var("FUZZ_POINTER").unwrap_or_else(|_| "FUZZ_POINTER".to_owned()), 0);
+ let input_counter_ptr = Option::map_or(input_counter_ptr, None, |x| Some(virt2phys(x,&elf) as u32));
+ + let main_addr = elf .resolve_symbol(&env::var("FUZZ_MAIN").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()), 0) .expect("Symbol main not found");
@@ -145,6 +153,9 @@ pub fn fuzz() {
 }
 emu.write_phys_mem(input_addr, buf);
+ if let Some(s) = test_length_ptr {
+ emu.write_phys_mem(s as u64, &len.to_le_bytes())
+ }
 emu.run();
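Review bot: `Option::map_or(test_length_ptr, None, |x| Some(virt2phys(x,&elf) as u32))` (and its twin for `input_counter_ptr`) is `Option::map` written out by hand, and the `as u32` inside it silently truncates the physical address that the `input_addr` line just above deliberately keeps as a full `GuestPhysAddr`; on a 32-bit guest the cast is presumably a no-op, but if `virt2phys` ever yields a wider value the length would be written, and the pointer read, at a wrong guest address with no error. I would make the narrowing explicit: `let test_length_ptr = elf.resolve_symbol("FUZZ_LENGTH", 0).map(|x| u32::try_from(virt2phys(x,&elf)).expect("FUZZ_LENGTH address does not fit a 32-bit guest address"));`, with the same shape for `input_counter_ptr`. Since the helper side of this patch reads exactly four bytes back through such a pointer, whatever is later written through `test_length_ptr` must also be a fixed-width `u32` — if `len` is a `usize`, `len.to_le_bytes()` writes eight bytes on a 64-bit host and clobbers whatever the firmware places after `FUZZ_LENGTH`, so convert it with `u32::try_from(len)` first. Because these two symbols are optional while a missing `FUZZ_INPUT` is fatal, a comment above each such as `// Optional: None disables writing the input length / reading the input pointer` would save the next reader a trip to helpers.rs. Unrelated to this change but visible as context: `FUZZ_MAIN` falls back to the literal `"FUZZ_INPUT"`, which looks like a copy-paste slip rather than an intended default.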
@@ -211,7 +222,7 @@ pub fn fuzz() {
 let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
 let mut hooks = QemuHooks::new(&emu, tuple_list!(QemuEdgeCoverageHelper::default(),QemuStateRestoreHelper::new(),
- QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,0,app_range)));
+ QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range)));
 // Create a QEMU in-process executor
 let executor = QemuExecutor::new(
diff --git a/fuzzers/FRET/src/systemstate/feedbacks.rs b/fuzzers/FRET/src/systemstate/feedbacks.rs
index b64ee90000..eeb8790c53 100644
--- a/fuzzers/FRET/src/systemstate/feedbacks.rs
+++ b/fuzzers/FRET/src/systemstate/feedbacks.rs
@@ -238,12 +239,13 @@ where
 {
 let observer = observers.match_name::("systemstate")
 .expect("QemusystemstateObserver not found");
+ let names : Vec = observer.last_run.iter().map(|x| x.current_task.task_name.clone()).collect();
 match &self.dumpfile {
 Some(s) => {
 std::fs::write(s,ron::to_string(&observer.last_run).expect("Error serializing hashmap")).expect("Can not dump to file");
 self.dumpfile = None
 },
- None => if !self.dump_metadata {println!("{:?}",observer.last_run);}
+ None => if !self.dump_metadata {println!("{:?}\n{:?}",observer.last_run,names);}
 };
 if self.dump_metadata {self.last_trace=Some(observer.last_run.clone());}
 Ok(!self.dump_metadata)
diff --git a/fuzzers/FRET/src/systemstate/helpers.rs b/fuzzers/FRET/src/systemstate/helpers.rs
index e749592c10..5d5605d920 100644
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@@ -36,7 +36,7 @@ pub struct QemuSystemStateHelper {
 kerneladdr: u32,
 tcb_addr: u32,
 ready_queues: u32,
- input_counter: u32,
+ input_counter: Option,
 app_range: Range,
 }
@@ -46,7 +46,7 @@ impl QemuSystemStateHelper {
 kerneladdr: u32,
 tcb_addr: u32,
 ready_queues: u32,
- input_counter: u32,
+ input_counter: Option,
 app_range: Range,
 ) -> Self {
 QemuSystemStateHelper {
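Review bot: `names` is collected — cloning every `task_name` in `observer.last_run` — on every invocation of this feedback, but it is only read in the `None => if !self.dump_metadata` arm, so with a dump file pending or `dump_metadata` set the allocation is pure overhead on a per-execution path. Build it only where it is printed and borrow rather than clone, e.g. `None => if !self.dump_metadata { let names: Vec<&str> = observer.last_run.iter().map(|x| x.current_task.task_name.as_str()).collect(); println!("{:?}\n{:?}", observer.last_run, names); }` (assuming `task_name` is a `String`; `&x.current_task.task_name` works for any `Debug` type). The generic argument of `Vec` on the added line appears to have been lost in this rendering of the patch, so confirm the real source spells out the element type. The enclosing function's signature and `where` clause begin above this hunk.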
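Review bot: `input_counter` is the only field in this hunk that becomes optional (`Option<u32>`, the type argument being dropped in this rendering) and nothing says what `None` means, so a reader of `QemuSystemStateHelper` cannot tell whether it is an error state or a deliberate feature switch. I would document it on the field: `/// Guest address of the FUZZ_POINTER symbol; None when the firmware does not export it, in which case no input-pointer read is performed.` Judging from the read side in this same patch, `systemstate.input_counter` then stays at 0, which is indistinguishable from a genuine counter value of zero — if anything ever branches on it, consider making that recorded field an `Option` too. The struct definition begins above the hunk.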
@@ -94,7 +94,10 @@ where
 (*c.raw_ptr()).can_do_io = can_do_io;
 }
 let mut buf : [u8; 4] = [0,0,0,0];
- // unsafe { emulator.read_mem(h.input_counter.into(), &mut buf) };
+ match h.input_counter {
+ Some(s) => unsafe { emulator.read_mem(s, &mut buf); },
+ None => (),
+ };
 systemstate.input_counter = u32::from_le_bytes(buf);
 let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(emulator, h.tcb_addr);