wrap emu memory lookup

This commit is contained in:
Alwin Berger 2022-01-21 20:09:36 +01:00
parent 45bdab5000
commit e0f197424c
2 changed files with 121 additions and 133 deletions


@ -1,43 +1,26 @@
// Manual Types
use libafl_qemu::Emulator;
pub type xLIST_ITEM_ptr = ::std::os::raw::c_uint;
pub type xLIST_ptr = ::std::os::raw::c_uint;
pub type ListItem_t_ptr = ::std::os::raw::c_uint;
pub type StackType_t_ptr = ::std::os::raw::c_uint;
pub type char_ptr = ::std::os::raw::c_uint;
pub type void_ptr = ::std::os::raw::c_uint;
pub type TCB_t_ptr = ::std::os::raw::c_uint;
/* automatically generated by rust-bindgen 0.59.2 */
use std::ops::Deref;
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct __uint8_t(pub ::std::os::raw::c_uchar);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct __uint16_t(pub ::std::os::raw::c_ushort);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct __uint32_t(pub ::std::os::raw::c_uint);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct StackType_t(pub u32);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct StackType_t_ptr(pub u32);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct UBaseType_t(pub ::std::os::raw::c_uint);
#[repr(transparent)]
#[derive(Debug, Copy, Clone, Default)]
pub struct TickType_t(pub u32);
#[repr(transparent)]
#[derive(Debug, Copy, Clone, Default)]
pub struct void_ptr(pub ::std::os::raw::c_uint);
#[repr(transparent)]
#[derive(Debug, Copy, Clone, Default)]
pub struct xLIST_ptr(pub ::std::os::raw::c_uint);
#[repr(transparent)]
#[derive(Debug, Copy, Clone, Default)]
pub struct xLIST_ITEM_ptr(pub ::std::os::raw::c_uint);
pub type __uint8_t = ::std::os::raw::c_uchar;
pub type __uint16_t = ::std::os::raw::c_ushort;
pub type __uint32_t = ::std::os::raw::c_uint;
pub type StackType_t = u32;
pub type UBaseType_t = ::std::os::raw::c_uint;
pub type TickType_t = u32;
#[repr(C)]
#[derive(Debug, Copy, Clone, Default)]
#[derive(Debug, Copy, Clone)]
pub struct xLIST_ITEM {
pub xItemValue: TickType_t,
pub pxNext: xLIST_ITEM_ptr,
@ -49,12 +32,12 @@ pub struct xLIST_ITEM {
fn bindgen_test_layout_xLIST_ITEM() {
assert_eq!(
::std::mem::size_of::<xLIST_ITEM>(),
20usize,
40usize,
concat!("Size of: ", stringify!(xLIST_ITEM))
);
assert_eq!(
::std::mem::align_of::<xLIST_ITEM>(),
4usize,
8usize,
concat!("Alignment of ", stringify!(xLIST_ITEM))
);
assert_eq!(
@ -69,7 +52,7 @@ fn bindgen_test_layout_xLIST_ITEM() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xLIST_ITEM>())).pxNext as *const _ as usize },
4usize,
8usize,
concat!(
"Offset of field: ",
stringify!(xLIST_ITEM),
@ -79,7 +62,7 @@ fn bindgen_test_layout_xLIST_ITEM() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xLIST_ITEM>())).pxPrevious as *const _ as usize },
8usize,
16usize,
concat!(
"Offset of field: ",
stringify!(xLIST_ITEM),
@ -89,7 +72,7 @@ fn bindgen_test_layout_xLIST_ITEM() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xLIST_ITEM>())).pvOwner as *const _ as usize },
12usize,
24usize,
concat!(
"Offset of field: ",
stringify!(xLIST_ITEM),
@ -99,7 +82,7 @@ fn bindgen_test_layout_xLIST_ITEM() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xLIST_ITEM>())).pvContainer as *const _ as usize },
16usize,
32usize,
concat!(
"Offset of field: ",
stringify!(xLIST_ITEM),
@ -108,9 +91,7 @@ fn bindgen_test_layout_xLIST_ITEM() {
)
);
}
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct ListItem_t(pub xLIST_ITEM);
pub type ListItem_t = xLIST_ITEM;
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct xMINI_LIST_ITEM {
@ -122,12 +103,12 @@ pub struct xMINI_LIST_ITEM {
fn bindgen_test_layout_xMINI_LIST_ITEM() {
assert_eq!(
::std::mem::size_of::<xMINI_LIST_ITEM>(),
12usize,
24usize,
concat!("Size of: ", stringify!(xMINI_LIST_ITEM))
);
assert_eq!(
::std::mem::align_of::<xMINI_LIST_ITEM>(),
4usize,
8usize,
concat!("Alignment of ", stringify!(xMINI_LIST_ITEM))
);
assert_eq!(
@ -142,7 +123,7 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xMINI_LIST_ITEM>())).pxNext as *const _ as usize },
4usize,
8usize,
concat!(
"Offset of field: ",
stringify!(xMINI_LIST_ITEM),
@ -152,7 +133,7 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xMINI_LIST_ITEM>())).pxPrevious as *const _ as usize },
8usize,
16usize,
concat!(
"Offset of field: ",
stringify!(xMINI_LIST_ITEM),
@ -161,26 +142,24 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() {
)
);
}
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct MiniListItem_t(pub xMINI_LIST_ITEM);
pub type MiniListItem_t = xMINI_LIST_ITEM;
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct xLIST {
pub uxNumberOfItems: UBaseType_t,
pub pxIndex: xLIST_ITEM_ptr,
pub pxIndex: ListItem_t_ptr,
pub xListEnd: MiniListItem_t,
}
#[test]
fn bindgen_test_layout_xLIST() {
assert_eq!(
::std::mem::size_of::<xLIST>(),
20usize,
40usize,
concat!("Size of: ", stringify!(xLIST))
);
assert_eq!(
::std::mem::align_of::<xLIST>(),
4usize,
8usize,
concat!("Alignment of ", stringify!(xLIST))
);
assert_eq!(
@ -195,7 +174,7 @@ fn bindgen_test_layout_xLIST() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xLIST>())).pxIndex as *const _ as usize },
4usize,
8usize,
concat!(
"Offset of field: ",
stringify!(xLIST),
@ -205,7 +184,7 @@ fn bindgen_test_layout_xLIST() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xLIST>())).xListEnd as *const _ as usize },
8usize,
16usize,
concat!(
"Offset of field: ",
stringify!(xLIST),
@ -214,12 +193,8 @@ fn bindgen_test_layout_xLIST() {
)
);
}
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct List_t(pub xLIST);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct TaskHandle_t(pub *mut tskTaskControlBlock);
pub type List_t = xLIST;
pub type TaskHandle_t = *mut tskTaskControlBlock;
pub const eTaskState_eRunning: eTaskState = 0;
pub const eTaskState_eReady: eTaskState = 1;
pub const eTaskState_eBlocked: eTaskState = 2;
@ -231,7 +206,7 @@ pub type eTaskState = ::std::os::raw::c_uint;
#[derive(Debug, Copy, Clone)]
pub struct xTASK_STATUS {
pub xHandle: TaskHandle_t,
pub pcTaskName: u32,
pub pcTaskName: char_ptr,
pub xTaskNumber: UBaseType_t,
pub eCurrentState: eTaskState,
pub uxCurrentPriority: UBaseType_t,
@ -244,12 +219,12 @@ pub struct xTASK_STATUS {
fn bindgen_test_layout_xTASK_STATUS() {
assert_eq!(
::std::mem::size_of::<xTASK_STATUS>(),
36usize,
72usize,
concat!("Size of: ", stringify!(xTASK_STATUS))
);
assert_eq!(
::std::mem::align_of::<xTASK_STATUS>(),
4usize,
8usize,
concat!("Alignment of ", stringify!(xTASK_STATUS))
);
assert_eq!(
@ -264,7 +239,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).pcTaskName as *const _ as usize },
4usize,
8usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -274,7 +249,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).xTaskNumber as *const _ as usize },
8usize,
16usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -284,7 +259,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).eCurrentState as *const _ as usize },
12usize,
24usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -294,7 +269,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).uxCurrentPriority as *const _ as usize },
16usize,
32usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -304,7 +279,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).uxBasePriority as *const _ as usize },
20usize,
40usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -314,7 +289,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).ulRunTimeCounter as *const _ as usize },
24usize,
48usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -324,7 +299,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<xTASK_STATUS>())).pxStackBase as *const _ as usize },
28usize,
56usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -336,7 +311,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
unsafe {
&(*(::std::ptr::null::<xTASK_STATUS>())).usStackHighWaterMark as *const _ as usize
},
32usize,
64usize,
concat!(
"Offset of field: ",
stringify!(xTASK_STATUS),
@ -345,9 +320,7 @@ fn bindgen_test_layout_xTASK_STATUS() {
)
);
}
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct TaskStatus_t(pub xTASK_STATUS);
pub type TaskStatus_t = xTASK_STATUS;
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct tskTaskControlBlock {
@ -368,12 +341,12 @@ pub struct tskTaskControlBlock {
fn bindgen_test_layout_tskTaskControlBlock() {
assert_eq!(
::std::mem::size_of::<tskTaskControlBlock>(),
80usize,
152usize,
concat!("Size of: ", stringify!(tskTaskControlBlock))
);
assert_eq!(
::std::mem::align_of::<tskTaskControlBlock>(),
4usize,
8usize,
concat!("Alignment of ", stringify!(tskTaskControlBlock))
);
assert_eq!(
@ -392,7 +365,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).xStateListItem as *const _ as usize
},
4usize,
8usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -404,7 +377,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).xEventListItem as *const _ as usize
},
24usize,
48usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -414,7 +387,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<tskTaskControlBlock>())).uxPriority as *const _ as usize },
44usize,
88usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -424,7 +397,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<tskTaskControlBlock>())).pxStack as *const _ as usize },
48usize,
96usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -434,7 +407,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
);
assert_eq!(
unsafe { &(*(::std::ptr::null::<tskTaskControlBlock>())).pcTaskName as *const _ as usize },
52usize,
104usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -446,7 +419,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).uxBasePriority as *const _ as usize
},
64usize,
120usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -458,7 +431,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).uxMutexesHeld as *const _ as usize
},
68usize,
128usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -470,7 +443,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).ulNotifiedValue as *const _ as usize
},
72usize,
136usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -482,7 +455,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).ucNotifyState as *const _ as usize
},
76usize,
144usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -495,7 +468,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
&(*(::std::ptr::null::<tskTaskControlBlock>())).ucStaticallyAllocated as *const _
as usize
},
77usize,
145usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -507,7 +480,7 @@ fn bindgen_test_layout_tskTaskControlBlock() {
unsafe {
&(*(::std::ptr::null::<tskTaskControlBlock>())).ucDelayAborted as *const _ as usize
},
78usize,
146usize,
concat!(
"Offset of field: ",
stringify!(tskTaskControlBlock),
@ -516,9 +489,49 @@ fn bindgen_test_layout_tskTaskControlBlock() {
)
);
}
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct tskTCB(pub tskTaskControlBlock);
#[repr(transparent)]
#[derive(Debug, Copy, Clone)]
pub struct TCB_t(pub tskTCB);
pub type tskTCB = tskTaskControlBlock;
pub type TCB_t = tskTCB;
pub trait emu_lookup {
fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> Self;
}
impl emu_lookup for xLIST_ITEM {
fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> xLIST_ITEM {
let mut tmp : [u8; std::mem::size_of::<xLIST_ITEM>()] = [0u8; std::mem::size_of::<xLIST_ITEM>()];
unsafe {
emu.read_mem(addr.into(), &mut tmp);
std::mem::transmute::<[u8; std::mem::size_of::<xLIST_ITEM>()], xLIST_ITEM>(tmp)
}
}
}
impl emu_lookup for TCB_t {
fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> TCB_t {
let mut tmp : [u8; std::mem::size_of::<TCB_t>()] = [0u8; std::mem::size_of::<TCB_t>()];
unsafe {
emu.read_mem(addr.into(), &mut tmp);
std::mem::transmute::<[u8; std::mem::size_of::<TCB_t>()], TCB_t>(tmp)
}
}
}
impl emu_lookup for void_ptr {
fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> void_ptr {
let mut tmp : [u8; std::mem::size_of::<void_ptr>()] = [0u8; std::mem::size_of::<void_ptr>()];
unsafe {
emu.read_mem(addr.into(), &mut tmp);
std::mem::transmute::<[u8; std::mem::size_of::<void_ptr>()], void_ptr>(tmp)
}
}
}
impl emu_lookup for List_t {
fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> List_t {
let mut tmp : [u8; std::mem::size_of::<List_t>()] = [0u8; std::mem::size_of::<List_t>()];
unsafe {
emu.read_mem(addr.into(), &mut tmp);
std::mem::transmute::<[u8; std::mem::size_of::<List_t>()], List_t>(tmp)
}
}
}
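Review bot: The four `emu_lookup` impls `transmute` whatever bytes the target holds at `addr` straight into a host struct, and nothing in the code records why that is sound: it only works because `xLIST_ITEM`, `TCB_t`, `void_ptr` and `List_t` are `repr(C)` with integer-only fields (every bit pattern valid), so each `unsafe` block should carry a `// SAFETY:` comment stating exactly that. That precondition already fails for `xTASK_STATUS`: `TaskHandle_t` is still a host `*mut tskTaskControlBlock` while every other guest pointer became a `c_uint` alias, so looking it up this way would forge a host pointer from guest bytes — it should become `pub type TaskHandle_t = TCB_t_ptr;` before any impl is added for it. The bytes are produced by the fuzzed target, so pointer-valued fields (`pxNext`, `pvOwner`, `pxStack`, …) are untrusted guest addresses that callers must bounds-check before feeding them to another `lookup`, and since `read_mem` as called here reports no failure, a bad `addr` silently yields an all-zero struct. The impls are verbatim copies, so the invariant is better kept in one generic helper plus a macro:
```rust
pub trait emu_lookup {
    fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> Self;
}

/// Copy `size_of::<T>()` bytes at guest address `addr` into a `T`.
///
/// # Safety
/// `T` must be a `#[repr(C)]` type whose fields are all plain integers (every bit
/// pattern valid) and whose layout matches the guest struct, not the host one — any
/// host-pointer field (e.g. `TaskHandle_t`) makes this unsound. The bytes are
/// attacker-controlled; pointer-valued fields are untrusted guest addresses.
unsafe fn read_guest_struct<T: Copy>(emu: &Emulator, addr: ::std::os::raw::c_uint) -> T {
    let mut slot = std::mem::MaybeUninit::<T>::zeroed();
    let bytes = std::slice::from_raw_parts_mut(slot.as_mut_ptr().cast::<u8>(), std::mem::size_of::<T>());
    emu.read_mem(addr.into(), bytes);
    slot.assume_init()
}

macro_rules! impl_emu_lookup {
    ($($t:ty),* $(,)?) => {$(
        impl emu_lookup for $t {
            fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> $t {
                // SAFETY: the type is repr(C) with integer-only fields; see read_guest_struct.
                unsafe { read_guest_struct::<$t>(emu, addr) }
            }
        }
    )*};
}
impl_emu_lookup!(xLIST_ITEM, TCB_t, void_ptr, List_t);
```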


@ -203,11 +203,11 @@ fn fuzz(
.expect("Symbol pxCurrentTCBC not found");
// let curr_tcb_pointer = virt2phys(curr_tcb_pointer,&elf.goblin());
println!("TCB pointer at {:#x}", curr_tcb_pointer);
// let task_queue_addr = elf
// .resolve_symbol("pxReadyTasksLists", 0)
// .expect("Symbol pxReadyTasksLists not found");
// // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
// println!("Task Queue at {:#x}", task_queue_addr);
let task_queue_addr = elf
.resolve_symbol("pxReadyTasksLists", 0)
.expect("Symbol pxReadyTasksLists not found");
// let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
println!("Task Queue at {:#x}", task_queue_addr);
@ -269,42 +269,17 @@ fn fuzz(
}
unsafe {
// let mut addr_buf : [u8; 4] = [0u8; 4];
// emu.read_mem(test_length_ptr,&mut addr_buf);
// println!("current len: {}",u32::from_le_bytes(addr_buf));
//==end test
emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
emu.write_mem(input_addr,buf);
//== next test
// emu.read_mem(test_length_ptr,&mut addr_buf);
// println!("new len: {}, expected: {}",u32::from_le_bytes(addr_buf),len);
// println!("{:#?}",edges_copy);
emu.run();
// println!("{:#?}",edges_copy);
// let mut buf_struct : [u8; 5*std::mem::size_of::<freertos::List_t>()] = [1u8; 5*std::mem::size_of::<freertos::List_t>()];
// emu.read_mem(task_queue_addr, &mut buf_struct);
// let mut prio_lists : Vec<freertos::List_t> = Vec::new();
// for i in 0..5 {
// let mut tmp : [u8; std::mem::size_of::<freertos::List_t>()] = [0u8; std::mem::size_of::<freertos::List_t>()];
// emu.read_mem(task_queue_addr+i*40, &mut tmp);
// let list_struct = std::mem::transmute::<[u8; std::mem::size_of::<freertos::List_t>()], freertos::List_t>(tmp);
// prio_lists.push(list_struct);
// }
// println!("Raw Buffer: {:?}",buf_struct);
// println!("Lists: {:?}",prio_lists);
//====== experiment inspecting the current tcb
let mut curr_tcb_addr : [u8; 4] = [1u8; 4];
emu.read_mem(curr_tcb_pointer,&mut curr_tcb_addr);
let curr_tcb_addr = u32::from_le_bytes(curr_tcb_addr);
println!("tcb addr: {:x}",curr_tcb_addr);
let mut tmp : [u8; std::mem::size_of::<freertos::TCB_t>()] = [1u8; std::mem::size_of::<freertos::TCB_t>()];
emu.read_mem(curr_tcb_addr.into(), &mut tmp);
println!("Raw TCB: {:?}",tmp);
let tcb = std::mem::transmute::<[u8; std::mem::size_of::<freertos::TCB_t>()], freertos::TCB_t>(tmp);
println!("TCB: {:?}",tcb);
let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(&emu, curr_tcb_pointer.try_into().unwrap());
println!("Current TCB addr: {:x}",curr_tcb_addr);
let current_tcb : freertos::TCB_t = freertos::emu_lookup::lookup(&emu,curr_tcb_addr);
println!("Current TCB: {:?}",current_tcb);
let ready_queue : freertos::List_t = freertos::emu_lookup::lookup(&emu,task_queue_addr.try_into().unwrap());
println!("Ready Queue: {:?}",ready_queue);
}
ExitKind::Ok