input length and read input pointer

2022-12-23 15:32:20 +01:00 · 2022-12-23 15:32:20 +01:00 · decae09931
commit decae09931
parent b812e994a6
3 changed files with 21 additions and 6 deletions
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@ -81,6 +81,14 @@ pub fn fuzz() {
    let input_addr = virt2phys(input_addr,&elf) as GuestPhysAddr;
    println!("FUZZ_INPUT @ {:#x}", input_addr);

+    let test_length_ptr = elf
+        .resolve_symbol("FUZZ_LENGTH", 0);
+    let test_length_ptr = Option::map_or(test_length_ptr, None, |x| Some(virt2phys(x,&elf) as u32));
+
+    let input_counter_ptr = elf
+        .resolve_symbol(&env::var("FUZZ_POINTER").unwrap_or_else(|_| "FUZZ_POINTER".to_owned()), 0);
+    let input_counter_ptr = Option::map_or(input_counter_ptr, None, |x| Some(virt2phys(x,&elf) as u32));
+
    let main_addr = elf
        .resolve_symbol(&env::var("FUZZ_MAIN").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()), 0)
        .expect("Symbol main not found");
@ -145,6 +153,9 @@ pub fn fuzz() {
                }

                emu.write_phys_mem(input_addr, buf);
+                if let Some(s) = test_length_ptr {
+                    emu.write_phys_mem(s as u64, &len.to_le_bytes())
+                }

                emu.run();

@ -211,7 +222,7 @@ pub fn fuzz() {
        let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
        let mut hooks = QemuHooks::new(&emu,
            tuple_list!(QemuEdgeCoverageHelper::default(),QemuStateRestoreHelper::new(),
-        QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,0,app_range)));
+        QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range)));

        // Create a QEMU in-process executor
        let executor = QemuExecutor::new(
--- a/fuzzers/FRET/src/systemstate/feedbacks.rs
+++ b/fuzzers/FRET/src/systemstate/feedbacks.rs
@ -238,12 +238,13 @@ where
    {
        let observer = observers.match_name::<QemuSystemStateObserver>("systemstate")
            .expect("QemusystemstateObserver not found");
+        let names : Vec<String> = observer.last_run.iter().map(|x| x.current_task.task_name.clone()).collect();
        match &self.dumpfile {
            Some(s) => {
                    std::fs::write(s,ron::to_string(&observer.last_run).expect("Error serializing hashmap")).expect("Can not dump to file");
                    self.dumpfile = None
                },
-            None => if !self.dump_metadata {println!("{:?}",observer.last_run);}
+            None => if !self.dump_metadata {println!("{:?}\n{:?}",observer.last_run,names);}
        };
        if self.dump_metadata {self.last_trace=Some(observer.last_run.clone());}
        Ok(!self.dump_metadata)
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@ -36,7 +36,7 @@ pub struct QemuSystemStateHelper {
    kerneladdr: u32,
    tcb_addr: u32,
    ready_queues: u32,
-    input_counter: u32,
+    input_counter: Option<u32>,
    app_range: Range<u32>,
 }

@ -46,7 +46,7 @@ impl QemuSystemStateHelper {
        kerneladdr: u32,
        tcb_addr: u32,
        ready_queues: u32,
-        input_counter: u32,
+        input_counter: Option<u32>,
        app_range: Range<u32>,
    ) -> Self {
        QemuSystemStateHelper {
@ -94,7 +94,10 @@ where
        (*c.raw_ptr()).can_do_io = can_do_io;
    }
    let mut buf : [u8; 4] = [0,0,0,0];
-    // unsafe { emulator.read_mem(h.input_counter.into(), &mut buf) };
+    match h.input_counter {
+        Some(s) => unsafe { emulator.read_mem(s, &mut buf); },
+        None => (),
+    };
    systemstate.input_counter = u32::from_le_bytes(buf);

    let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(emulator, h.tcb_addr);