From e0f197424c2bd7e63265f6aa6f3ffe9865a3eb93 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Fri, 21 Jan 2022 20:09:36 +0100
Subject: [PATCH] wrap emu memory lookup

---
 fuzzers/wcet_qemu_sys/src/freertos.rs | 207 ++++++++++++++------------
 fuzzers/wcet_qemu_sys/src/showmap.rs | 47 ++----
 2 files changed, 121 insertions(+), 133 deletions(-)

diff --git a/fuzzers/wcet_qemu_sys/src/freertos.rs b/fuzzers/wcet_qemu_sys/src/freertos.rs
index 53e290a7d2..56c0dc4168 100644
--- a/fuzzers/wcet_qemu_sys/src/freertos.rs
+++ b/fuzzers/wcet_qemu_sys/src/freertos.rs
@@ -1,43 +1,26 @@ +// Manual Types +use libafl_qemu::Emulator; + +pub type xLIST_ITEM_ptr = ::std::os::raw::c_uint; +pub type xLIST_ptr = ::std::os::raw::c_uint; +pub type ListItem_t_ptr = ::std::os::raw::c_uint; +pub type StackType_t_ptr = ::std::os::raw::c_uint; +pub type char_ptr = ::std::os::raw::c_uint; +pub type void_ptr = ::std::os::raw::c_uint; +pub type TCB_t_ptr = ::std::os::raw::c_uint; + + + /* automatically generated by rust-bindgen 0.59.2 */ -use std::ops::Deref; - -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct __uint8_t(pub ::std::os::raw::c_uchar); -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct __uint16_t(pub ::std::os::raw::c_ushort); -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct __uint32_t(pub ::std::os::raw::c_uint); -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct StackType_t(pub u32); -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct StackType_t_ptr(pub u32); -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct UBaseType_t(pub ::std::os::raw::c_uint); -#[repr(transparent)] -#[derive(Debug, Copy, Clone, Default)] -pub struct TickType_t(pub u32); - -#[repr(transparent)] -#[derive(Debug, Copy, Clone, Default)] -pub struct void_ptr(pub ::std::os::raw::c_uint); - -#[repr(transparent)] -#[derive(Debug, Copy, Clone, Default)] -pub struct xLIST_ptr(pub ::std::os::raw::c_uint); - -#[repr(transparent)] -#[derive(Debug, Copy, Clone, Default)] -pub struct xLIST_ITEM_ptr(pub ::std::os::raw::c_uint); - +pub type __uint8_t = ::std::os::raw::c_uchar; +pub type __uint16_t = ::std::os::raw::c_ushort; +pub type __uint32_t = ::std::os::raw::c_uint; +pub type StackType_t = u32; +pub type UBaseType_t = ::std::os::raw::c_uint; +pub type TickType_t = u32; #[repr(C)] -#[derive(Debug, Copy, Clone, Default)] +#[derive(Debug, Copy, Clone)] pub struct xLIST_ITEM { pub xItemValue: TickType_t, pub pxNext: xLIST_ITEM_ptr, 
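Review bot: The hand-written block at the top of this hunk (`use libafl_qemu::Emulator;` and the seven `*_ptr = ::std::os::raw::c_uint` aliases) sits above the `/* automatically generated by rust-bindgen 0.59.2 */` banner with nothing saying it must survive a regeneration, and because these are plain aliases rather than the `#[repr(transparent)]` newtypes they replace, `void_ptr`, `xLIST_ptr` and `TCB_t_ptr` are now the same `u32` to the compiler, so a list address can be handed to a TCB lookup without any error. I would keep the aliases but state the contract in the comment: `// Manual types, NOT generated: guest pointers are 32-bit and are kept as c_uint guest addresses; re-add after re-running bindgen.` If the distinction matters, a newtype such as `#[repr(transparent)] pub struct TCB_t_ptr(pub ::std::os::raw::c_uint);` keeps the same layout and restores it. That the guest is 32-bit is inferred from the `[u8; 4]` / `u32::from_le_bytes` reads this commit removes in showmap.rs, so confirm the target before wording the comment.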
@@ -49,12 +32,12 @@ pub struct xLIST_ITEM { fn bindgen_test_layout_xLIST_ITEM() { assert_eq!( ::std::mem::size_of::(), - 20usize, + 40usize, concat!("Size of: ", stringify!(xLIST_ITEM)) ); assert_eq!( ::std::mem::align_of::(), - 4usize, + 8usize, concat!("Alignment of ", stringify!(xLIST_ITEM)) ); assert_eq!( @@ -69,7 +52,7 @@ fn bindgen_test_layout_xLIST_ITEM() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxNext as *const _ as usize }, - 4usize, + 8usize, concat!( "Offset of field: ", stringify!(xLIST_ITEM), @@ -79,7 +62,7 @@ fn bindgen_test_layout_xLIST_ITEM() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxPrevious as *const _ as usize }, - 8usize, + 16usize, concat!( "Offset of field: ", stringify!(xLIST_ITEM), @@ -89,7 +72,7 @@ fn bindgen_test_layout_xLIST_ITEM() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pvOwner as *const _ as usize }, - 12usize, + 24usize, concat!( "Offset of field: ", stringify!(xLIST_ITEM), @@ -99,7 +82,7 @@ fn bindgen_test_layout_xLIST_ITEM() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pvContainer as *const _ as usize }, - 16usize, + 32usize, concat!( "Offset of field: ", stringify!(xLIST_ITEM), @@ -108,9 +91,7 @@ fn bindgen_test_layout_xLIST_ITEM() { ) ); } -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct ListItem_t(pub xLIST_ITEM); +pub type ListItem_t = xLIST_ITEM; #[repr(C)] #[derive(Debug, Copy, Clone)] pub struct xMINI_LIST_ITEM { @@ -122,12 +103,12 @@ pub struct xMINI_LIST_ITEM { fn bindgen_test_layout_xMINI_LIST_ITEM() { assert_eq!( ::std::mem::size_of::(), - 12usize, + 24usize, concat!("Size of: ", stringify!(xMINI_LIST_ITEM)) ); assert_eq!( ::std::mem::align_of::(), - 4usize, + 8usize, concat!("Alignment of ", stringify!(xMINI_LIST_ITEM)) ); assert_eq!( @@ -142,7 +123,7 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxNext as *const _ as usize }, - 4usize, + 8usize, concat!( "Offset of field: ", stringify!(xMINI_LIST_ITEM), 
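Review bot: The layout test in the first hunk here now asserts `40usize` / `8usize` for `xLIST_ITEM`, but with this commit's typedefs every visible field of that struct (`TickType_t = u32`, `xLIST_ITEM_ptr`/`void_ptr`/`xLIST_ptr = c_uint`) is four bytes and the old offsets (4-byte strides, size 20) show the remaining ones are too, so `size_of::<xLIST_ITEM>()` is 20 with alignment 4 and this assertion fails under `cargo test`. The new sizes and offsets look like bindgen output from a 64-bit host run where these fields were real pointers, which is not the layout the `lookup` reads in this file depend on; the previous `20usize,` / `4usize,` were the right values for the 32-bit pointer aliases. The same doubling appears in the xMINI_LIST_ITEM and xLIST assertions further down this line. I would either regenerate with a 32-bit target so the tests match the hand-edited types, or restore the old literals, because as committed these tests document a layout the code does not have.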
@@ -152,7 +133,7 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxPrevious as *const _ as usize }, - 8usize, + 16usize, concat!( "Offset of field: ", stringify!(xMINI_LIST_ITEM), @@ -161,26 +142,24 @@ fn bindgen_test_layout_xMINI_LIST_ITEM() { ) ); } -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct MiniListItem_t(pub xMINI_LIST_ITEM); +pub type MiniListItem_t = xMINI_LIST_ITEM; #[repr(C)] #[derive(Debug, Copy, Clone)] pub struct xLIST { pub uxNumberOfItems: UBaseType_t, - pub pxIndex: xLIST_ITEM_ptr, + pub pxIndex: ListItem_t_ptr, pub xListEnd: MiniListItem_t, } #[test] fn bindgen_test_layout_xLIST() { assert_eq!( ::std::mem::size_of::(), - 20usize, + 40usize, concat!("Size of: ", stringify!(xLIST)) ); assert_eq!( ::std::mem::align_of::(), - 4usize, + 8usize, concat!("Alignment of ", stringify!(xLIST)) ); assert_eq!( @@ -195,7 +174,7 @@ fn bindgen_test_layout_xLIST() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxIndex as *const _ as usize }, - 4usize, + 8usize, concat!( "Offset of field: ", stringify!(xLIST), @@ -205,7 +184,7 @@ fn bindgen_test_layout_xLIST() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).xListEnd as *const _ as usize }, - 8usize, + 16usize, concat!( "Offset of field: ", stringify!(xLIST), @@ -214,12 +193,8 @@ fn bindgen_test_layout_xLIST() { ) ); } -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct List_t(pub xLIST); -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct TaskHandle_t(pub *mut tskTaskControlBlock); +pub type List_t = xLIST; +pub type TaskHandle_t = *mut tskTaskControlBlock; pub const eTaskState_eRunning: eTaskState = 0; pub const eTaskState_eReady: eTaskState = 1; pub const eTaskState_eBlocked: eTaskState = 2; 
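Review bot: `pub type TaskHandle_t = *mut tskTaskControlBlock;` in the last hunk on this line is a host-width raw pointer, while every other FreeRTOS pointer in this commit was converted to a `c_uint` guest address, and the `TCB_t_ptr` alias added at the top of the file is not used anywhere visible. A FreeRTOS task handle is, as far as I know, just a pointer to the TCB, so the consistent definition is `pub type TaskHandle_t = TCB_t_ptr;`. As written, any struct holding a handle (xTASK_STATUS in the next hunk) takes the host pointer width and can no longer be read from guest memory with the byte-copy the other types use, and dereferencing such a value on the host would be a wild pointer into the fuzzer process rather than into the guest, which is the stronger reason to keep it as an integer.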
@@ -231,7 +206,7 @@ pub type eTaskState = ::std::os::raw::c_uint; #[derive(Debug, Copy, Clone)] pub struct xTASK_STATUS { pub xHandle: TaskHandle_t, - pub pcTaskName: u32, + pub pcTaskName: char_ptr, pub xTaskNumber: UBaseType_t, pub eCurrentState: eTaskState, pub uxCurrentPriority: UBaseType_t, @@ -244,12 +219,12 @@ pub struct xTASK_STATUS { fn bindgen_test_layout_xTASK_STATUS() { assert_eq!( ::std::mem::size_of::(), - 36usize, + 72usize, concat!("Size of: ", stringify!(xTASK_STATUS)) ); assert_eq!( ::std::mem::align_of::(), - 4usize, + 8usize, concat!("Alignment of ", stringify!(xTASK_STATUS)) ); assert_eq!( @@ -264,7 +239,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pcTaskName as *const _ as usize }, - 4usize, + 8usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -274,7 +249,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).xTaskNumber as *const _ as usize }, - 8usize, + 16usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -284,7 +259,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).eCurrentState as *const _ as usize }, - 12usize, + 24usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -294,7 +269,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).uxCurrentPriority as *const _ as usize }, - 16usize, + 32usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -304,7 +279,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).uxBasePriority as *const _ as usize }, - 20usize, + 40usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -314,7 +289,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).ulRunTimeCounter as *const _ as usize }, - 24usize, + 48usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), 
@@ -324,7 +299,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxStackBase as *const _ as usize }, - 28usize, + 56usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -336,7 +311,7 @@ fn bindgen_test_layout_xTASK_STATUS() { unsafe { &(*(::std::ptr::null::())).usStackHighWaterMark as *const _ as usize }, - 32usize, + 64usize, concat!( "Offset of field: ", stringify!(xTASK_STATUS), @@ -345,9 +320,7 @@ fn bindgen_test_layout_xTASK_STATUS() { ) ); } -#[repr(transparent)] -#[derive(Debug, Copy, Clone)] -pub struct TaskStatus_t(pub xTASK_STATUS); +pub type TaskStatus_t = xTASK_STATUS; #[repr(C)] #[derive(Debug, Copy, Clone)] pub struct tskTaskControlBlock { @@ -368,12 +341,12 @@ pub struct tskTaskControlBlock { fn bindgen_test_layout_tskTaskControlBlock() { assert_eq!( ::std::mem::size_of::(), - 80usize, + 152usize, concat!("Size of: ", stringify!(tskTaskControlBlock)) ); assert_eq!( ::std::mem::align_of::(), - 4usize, + 8usize, concat!("Alignment of ", stringify!(tskTaskControlBlock)) ); assert_eq!( @@ -392,7 +365,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).xStateListItem as *const _ as usize }, - 4usize, + 8usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -404,7 +377,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).xEventListItem as *const _ as usize }, - 24usize, + 48usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -414,7 +387,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).uxPriority as *const _ as usize }, - 44usize, + 88usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -424,7 +397,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pxStack as *const _ as usize }, - 48usize, + 96usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), 
@@ -434,7 +407,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { ); assert_eq!( unsafe { &(*(::std::ptr::null::())).pcTaskName as *const _ as usize }, - 52usize, + 104usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -446,7 +419,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).uxBasePriority as *const _ as usize }, - 64usize, + 120usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -458,7 +431,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).uxMutexesHeld as *const _ as usize }, - 68usize, + 128usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -470,7 +443,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).ulNotifiedValue as *const _ as usize }, - 72usize, + 136usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -482,7 +455,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).ucNotifyState as *const _ as usize }, - 76usize, + 144usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -495,7 +468,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { &(*(::std::ptr::null::())).ucStaticallyAllocated as *const _ as usize }, - 77usize, + 145usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), @@ -507,7 +480,7 @@ fn bindgen_test_layout_tskTaskControlBlock() { unsafe { &(*(::std::ptr::null::())).ucDelayAborted as *const _ as usize }, - 78usize, + 146usize, concat!( "Offset of field: ", stringify!(tskTaskControlBlock), 
@@ -516,9 +489,49 @@ fn bindgen_test_layout_tskTaskControlBlock() {
 )
 );
 }
-#[repr(transparent)]
-#[derive(Debug, Copy, Clone)]
-pub struct tskTCB(pub tskTaskControlBlock);
-#[repr(transparent)]
-#[derive(Debug, Copy, Clone)]
-pub struct TCB_t(pub tskTCB);
+pub type tskTCB = tskTaskControlBlock;
+pub type TCB_t = tskTCB;
+
+pub trait emu_lookup {
+ fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> Self;
+}
+
+impl emu_lookup for xLIST_ITEM {
+ fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> xLIST_ITEM {
+ let mut tmp : [u8; std::mem::size_of::()] = [0u8; std::mem::size_of::()];
+ unsafe {
+ emu.read_mem(addr.into(), &mut tmp);
+ std::mem::transmute::<[u8; std::mem::size_of::()], xLIST_ITEM>(tmp)
+ }
+ }
+}
+
+impl emu_lookup for TCB_t {
+ fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> TCB_t {
+ let mut tmp : [u8; std::mem::size_of::()] = [0u8; std::mem::size_of::()];
+ unsafe {
+ emu.read_mem(addr.into(), &mut tmp);
+ std::mem::transmute::<[u8; std::mem::size_of::()], TCB_t>(tmp)
+ }
+ }
+}
+
+impl emu_lookup for void_ptr {
+ fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> void_ptr {
+ let mut tmp : [u8; std::mem::size_of::()] = [0u8; std::mem::size_of::()];
+ unsafe {
+ emu.read_mem(addr.into(), &mut tmp);
+ std::mem::transmute::<[u8; std::mem::size_of::()], void_ptr>(tmp)
+ }
+ }
+}
+
+impl emu_lookup for List_t {
+ fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> List_t {
+ let mut tmp : [u8; std::mem::size_of::()] = [0u8; std::mem::size_of::()];
+ unsafe {
+ emu.read_mem(addr.into(), &mut tmp);
+ std::mem::transmute::<[u8; std::mem::size_of::()], List_t>(tmp)
+ }
+ }
+}
\ No newline at end of file
diff --git a/fuzzers/wcet_qemu_sys/src/showmap.rs b/fuzzers/wcet_qemu_sys/src/showmap.rs
index ad34f75bc8..6f481ae659 100644
--- a/fuzzers/wcet_qemu_sys/src/showmap.rs
+++ b/fuzzers/wcet_qemu_sys/src/showmap.rs
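Review bot: `emu_lookup::lookup` dereferences whatever guest address it is given with no validation and no way to report failure: `addr` is a value read out of guest memory (showmap.rs chains `pxCurrentTCB` -> `TCB_t` through it after `emu.run()`), so an input that corrupts that pointer — the very thing a fuzzer is hunting — sends a bogus address into `read_mem`, and because `tmp` is pre-zeroed a read that fails or comes back short yields a `TCB_t` of zeros indistinguishable from real data. The four impls are also byte-for-byte copies, and none of the `unsafe` blocks carries the `// SAFETY:` line explaining why the transmute is sound (all fields of these `#[repr(C)]` structs are integers, so every bit pattern is valid — worth writing down, since it silently stops holding if a `bool` or enum field ever appears). I would replace the copies with one generic helper that checks the address against the guest RAM window the caller knows and returns `Option`, as sketched below, and turn the four impls into one-line calls on it. Whether `read_mem` panics, aborts or zero-fills on an unmapped guest address is not visible here and should be confirmed in libafl_qemu before the zero-fill assumption is relied on.

```rust
/// Copy a plain-data guest struct out of emulator memory.
///
/// Returns `None` when `[addr, addr + size_of::<T>())` is not inside `ram`,
/// so a corrupted guest pointer is reported instead of being read as zeros.
///
/// # Safety
/// `T` must be a `#[repr(C)]` type for which every bit pattern is a valid
/// value (integer and raw-pointer fields only; no `bool`, enum or reference).
pub unsafe fn lookup_checked<T: Copy>(
    emu: &Emulator,
    addr: ::std::os::raw::c_uint,
    ram: std::ops::Range<u64>,
) -> Option<T> {
    let size = std::mem::size_of::<T>();
    let start = u64::from(addr);
    let end = start.checked_add(size as u64)?;
    if start < ram.start || end > ram.end {
        return None;
    }
    let mut out = std::mem::MaybeUninit::<T>::uninit();
    // SAFETY: `out` is exactly `size` writable bytes; the caller guarantees T is
    // plain data, and we rely on read_mem filling the whole buffer (verify this
    // against libafl_qemu before trusting assume_init).
    let bytes = std::slice::from_raw_parts_mut(out.as_mut_ptr() as *mut u8, size);
    emu.read_mem(addr.into(), bytes);
    Some(out.assume_init())
}
```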
@@ -203,11 +203,11 @@ fn fuzz(
 .expect("Symbol pxCurrentTCBC not found");
 // let curr_tcb_pointer = virt2phys(curr_tcb_pointer,&elf.goblin());
 println!("TCB pointer at {:#x}", curr_tcb_pointer);
- // let task_queue_addr = elf
- // .resolve_symbol("pxReadyTasksLists", 0)
- // .expect("Symbol pxReadyTasksLists not found");
- // // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
- // println!("Task Queue at {:#x}", task_queue_addr);
+ let task_queue_addr = elf
+ .resolve_symbol("pxReadyTasksLists", 0)
+ .expect("Symbol pxReadyTasksLists not found");
+ // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
+ println!("Task Queue at {:#x}", task_queue_addr);
@@ -269,42 +269,17 @@ fn fuzz(
 }
 unsafe {
- // let mut addr_buf : [u8; 4] = [0u8; 4];
- // emu.read_mem(test_length_ptr,&mut addr_buf);
- // println!("current len: {}",u32::from_le_bytes(addr_buf));
- //==end test
 emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
 emu.write_mem(input_addr,buf);
- //== next test
- // emu.read_mem(test_length_ptr,&mut addr_buf);
- // println!("new len: {}, expected: {}",u32::from_le_bytes(addr_buf),len);
- // println!("{:#?}",edges_copy);
 emu.run();
- // println!("{:#?}",edges_copy);
- // let mut buf_struct : [u8; 5*std::mem::size_of::()] = [1u8; 5*std::mem::size_of::()];
- // emu.read_mem(task_queue_addr, &mut buf_struct);
- // let mut prio_lists : Vec = Vec::new();
- // for i in 0..5 {
- // let mut tmp : [u8; std::mem::size_of::()] = [0u8; std::mem::size_of::()];
- // emu.read_mem(task_queue_addr+i*40, &mut tmp);
- // let list_struct = std::mem::transmute::<[u8; std::mem::size_of::()], freertos::List_t>(tmp);
- // prio_lists.push(list_struct);
- // }
- // println!("Raw Buffer: {:?}",buf_struct);
- // println!("Lists: {:?}",prio_lists);
 //====== experiment inspecting the current tcb
- let mut curr_tcb_addr : [u8; 4] = [1u8; 4];
- emu.read_mem(curr_tcb_pointer,&mut curr_tcb_addr);
- let curr_tcb_addr = u32::from_le_bytes(curr_tcb_addr);
- println!("tcb addr: {:x}",curr_tcb_addr);
-
- let mut tmp : [u8; std::mem::size_of::()] = [1u8; std::mem::size_of::()];
- emu.read_mem(curr_tcb_addr.into(), &mut tmp);
- println!("Raw TCB: {:?}",tmp);
- let tcb = std::mem::transmute::<[u8; std::mem::size_of::()], freertos::TCB_t>(tmp);
- println!("TCB: {:?}",tcb);
-
+ let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(&emu, curr_tcb_pointer.try_into().unwrap());
+ println!("Current TCB addr: {:x}",curr_tcb_addr);
+ let current_tcb : freertos::TCB_t = freertos::emu_lookup::lookup(&emu,curr_tcb_addr);
+ println!("Current TCB: {:?}",current_tcb);
+ let ready_queue : freertos::List_t =
freertos::emu_lookup::lookup(&emu,task_queue_addr.try_into().unwrap());
+ println!("Ready Queue: {:?}",ready_queue);
 }
 ExitKind::Ok
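Review bot: The three `lookup` calls added at the end of this hunk trust guest state unconditionally: `curr_tcb_addr` is whatever the guest left in `pxCurrentTCB` after `emu.run()`, and it is fed straight back into `lookup` for a much larger `TCB_t` read with no check that it is non-null or inside guest RAM, so before the scheduler has started, or after an input has trampled that pointer, a garbage read is printed as a valid `Current TCB: ...`. The two `.try_into().unwrap()` calls narrow ELF symbol addresses to the 32-bit guest width and panic without saying why if they do not fit; `u32::try_from(curr_tcb_pointer).expect("pxCurrentTCB address does not fit the 32-bit guest")` at least names the assumption. Note also that `pxReadyTasksLists` is an array of lists in FreeRTOS (the loop this hunk removes walked five of them), so `ready_queue` is only the first priority's list; if all ready tasks are wanted, that loop should return on top of `lookup`. The enclosing `fuzz` function starts before and continues after this hunk.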