def goN(self, status):
if status != 0:
self.lgr.debug('afl goN after crash. Call getMsg')
''' Only applies to multi-packet UDP fu '''
self.current_packet = 1
''' If just starting, get data from afl, otherwise, was read from stopHap. '''
if self.stop_hap is None:
self.in_data = self.getMsg()
if self.in_data is None:
self.lgr.error('Got None from afl')
return
self.orig_data_length = len(self.in_data)
self.orig_in_data = self.in_data
cli.quiet_run_command('restore-snapshot name=origin')
#self.lgr.debug('got %d of data from afl iteration %d' % (len(self.in_data), self.iteration))
if status != 0:
self.lgr.debug(
'afl goN after crash. restored snapshot after getting %d bytes from afl'
% len(self.in_data))
current_length = len(self.in_data)
self.afl_packet_count = self.packet_count
if self.url_header is None and self.packet_count > 1 and current_length < (
self.pad_to_size * (self.packet_count - 1)):
self.lgr.debug(
'afl packet count of %d and size of %d, but only %d bytes from AFL. Cannot do it.'
% (self.packet_count, self.pad_to_size, current_length))
self.afl_packet_count = (current_length / self.pad_to_size) + 1
self.lgr.debug('afl packet count now %d' % self.afl_packet_count)
self.addr, max_len = self.dataWatch.firstBufferAddress()
if self.addr is None:
self.lgr.error('AFL, no firstBufferAddress found')
return
''' clear the bit_trace '''
self.coverage.doCoverage()
#self.lgr.debug('afl, did coverage, cycle: 0x%x' % self.cpu.cycles)
if self.stop_hap is None:
self.stop_hap = SIM_hap_add_callback("Core_Simulation_Stopped",
self.stopHap, None)
if status != 0:
self.lgr.debug(
'afl goN call continue, cpu cycle was 0x%x context %s' %
(self.cpu.cycles, self.cpu.current_context))
self.coverage.watchExits()
self.writeData()
cli.quiet_run_command('c')
def setup_xchg():
global atomic_breakpoints
lockbrk = create_userspace_breakpoint()
cli.quiet_run_command('set-pattern %d "0xf0" "0xff"' % lockbrk)
atomic_breakpoints.append(lockbrk)
for instr in [ "xadd", "xchg", "cmpxchg" ]:
brk = create_userspace_breakpoint()
cli.quiet_run_command('set-prefix %d "%s"' % (brk, instr))
atomic_breakpoints.append(brk)
for brk in atomic_breakpoints:
cs410_dispatch.breakpoint_handlers[brk] = xchg_handle_breakpoints
def setup_xchg():
global atomic_breakpoints
lockbrk = create_userspace_breakpoint()
cli.quiet_run_command('set-pattern %d "0xf0" "0xff"' % lockbrk)
atomic_breakpoints.append(lockbrk)
for instr in ["xadd", "xchg", "cmpxchg"]:
brk = create_userspace_breakpoint()
cli.quiet_run_command('set-prefix %d "%s"' % (brk, instr))
atomic_breakpoints.append(brk)
for brk in atomic_breakpoints:
cs410_dispatch.breakpoint_handlers[brk] = xchg_handle_breakpoints
def goAlone(self, dumb):
if self.index < len(self.afl_list):
cli.quiet_run_command('save-snapshot name = origin')
full = os.path.join(self.afl_dir, self.afl_list[self.index])
with open(full) as fh:
data = bytearray(fh.read())
self.addr, max_len = self.dataWatch.firstBufferAddress()
self.mem_utils.writeString(self.cpu, self.addr, data)
self.lgr.debug('playAFL goAlone file %s continue' %
self.afl_list[self.index])
self.backstop.setFutureCycleAlone(self.backstop_cycles)
self.index += 1
SIM_run_command('c')
else:
self.coverage.saveCoverage()
print('Played %d sessions' % len(self.afl_list))
def __init__(self, top, cpu, backstop, coverage, mem_utils, dataWatch,
target, lgr):
self.top = top
self.backstop = backstop
self.coverage = coverage
self.mem_utils = mem_utils
self.dataWatch = dataWatch
self.cpu = cpu
self.lgr = lgr
afl_output = os.getenv('AFL_OUTPUT')
if afl_output is None:
afl_output = os.path.join(os.getenv('HOME'), 'SEED', 'afl',
'afl-output')
self.afl_dir = os.path.join(afl_output, target, 'queue')
self.afl_list = [
f for f in os.listdir(self.afl_dir)
if os.path.isfile(os.path.join(self.afl_dir, f))
]
self.index = 0
self.stop_hap = None
self.addr = None
self.backstop_cycles = 100000
self.pid = self.top.getPID()
cli.quiet_run_command('disable-reverse-execution')
cli.quiet_run_command('enable-unsupported-feature internals')
cli.quiet_run_command('save-snapshot name = origin')
self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False)
self.coverage.enableCoverage(self.pid,
backstop=self.backstop,
backstop_cycles=self.backstop_cycles,
afl=False)
self.coverage.doCoverage(force_default_context=True)
def finishInit(self):
self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False)
self.coverage.enableCoverage(self.pid,
backstop=self.backstop,
backstop_cycles=self.backstop_cycles,
afl=True)
cli.quiet_run_command('disable-reverse-execution')
cli.quiet_run_command('enable-unsupported-feature internals')
cli.quiet_run_command('save-snapshot name = origin')
self.synchAFL()
def go(self):
self.lgr.debug('replayAFL go')
retval = False
afl_file = aflPath.getAFLPath(self.target, self.index, self.instance)
if afl_file is not None:
retval = True
print('Replaying %s' % afl_file)
if retval:
#driver = threading.Thread(target=feedDriver, args=(self.ip, self.port, self.header, self.lgr, ))
#self.lgr.debug('start thread')
#SIM_run_alone(self.startAlone, driver)
shutil.copyfile(afl_file, '/tmp/sendudp')
dumb, forwarding = cli.quiet_run_command('list-port-forwarding-setup')
ssh_port = None
for line in forwarding.splitlines():
if line.strip().endswith(':22'):
ssh_port = line.split()[3]
break
if ssh_port is None:
self.lgr.error('No forwarding port found for ssh port 21')
return
script_file = os.path.join(self.resim_dir, 'simics', 'monitorCore', 'sendDriver.sh')
cmd = '%s %s %s %s %s %s &' % (script_file, ssh_port, self.client_path, self.ip, self.port, self.header)
#result=os.system(cmd)
self.send_driver = subprocess.Popen(shlex.split(cmd), stdin=subprocess.PIPE, stdout=subprocess.PIPE,stderr=subprocess.PIPE)
self.lgr.debug('ReplayAFL tmpdriver cmd: %s ' % (cmd))
self.lgr.debug('replay for fd %d' % self.targetFD)
if self.trace:
self.top.noReverse()
self.top.traceAll()
SIM_run_command('c')
else:
if not self.tcp:
if self.cover:
self.top.enableCoverage()
self.top.trackIO(self.targetFD, reset=True, callback=self.killDriver)
else:
''' Run to accept to get the new FD and then do trackIO from the doTrack callback'''
self.top.noReverse()
self.lgr.debug('replayAFL run to accept')
f1 = stopFunction.StopFunction(self.doTrack, [], nest=False)
flist = [f1]
self.top.runToAccept(self.targetFD, flist=flist)
return retval
def make_new_symtable(sname, fname, cr3):
fpath = user_prog_path+fname
if not os.path.isfile(fpath) or '/' in fname:
cs410_utils.log('410-warning',
'Unable to load user symbols for "%s"' % fname)
del user_process_registry[cr3]
return
try:
cli.quiet_run_command('new-symtable %s' % sname)
cli.quiet_run_command('%s.load-symbols "%s"' % (sname, kern_path))
cli.quiet_run_command('%s.load-symbols "%s"' % (sname, fpath))
cli.quiet_run_command('%s.source-path "%s/;%s/;%s/"' %
(sname, working_dir, user_src_path, test_src_path))
except:
cs410_utils.log('410-warning',
'Unable to load user symbols for "%s"' % fname)
del user_process_registry[cr3]
def make_new_symtable(sname, fname, cr3):
fpath = user_prog_path+fname
if not os.path.isfile(fpath) or '/' in fname:
cs410_utils.log('410-warning',
'Unable to load user symbols for "%s"' % fname)
del user_process_registry[cr3]
return
try:
cli.quiet_run_command('new-symtable %s' % sname)
cli.quiet_run_command('%s.load-symbols "%s"' % (sname, kern_path))
cli.quiet_run_command('%s.load-symbols "%s"' % (sname, fpath))
cli.quiet_run_command('%s.source-path "%s/;%s/;%s/"' %
(sname, working_dir, user_src_path, test_src_path))
except:
cs410_utils.log('410-warning',
'Unable to load user symbols for "%s"' % fname)
del user_process_registry[cr3]
def aflInitCallback(self):
self.lgr.debug('afl aflInitCallback')
''' Now in target process'''
self.coverage = self.top.getCoverage()
self.pid = self.top.getPID()
self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False)
self.coverage.enableCoverage(self.pid,
backstop=self.backstop,
backstop_cycles=self.backstop_cycles,
afl=True)
self.coverage.doCoverage()
cmd = 'skip-to bookmark = bookmark0'
cli.quiet_run_command(cmd)
cli.quiet_run_command('disable-reverse-execution')
cli.quiet_run_command('enable-unsupported-feature internals')
cli.quiet_run_command('save-snapshot name = origin')
self.synchAFL()
self.lgr.debug('afl done init, num packets is %d stop_on_read is %r' %
(self.packet_count, self.stop_on_read))
self.fault_hap = None
self.top.noWatchSysEnter()
self.goN(0)
def skipToTest(cpu, cycle, lgr):
while SIM_simics_is_running():
lgr.error('skipToTest but simics running')
time.sleep(1)
retval = True
cli.quiet_run_command('pselect %s' % cpu.name)
cmd = 'skip-to cycle = %d ' % cycle
cli.quiet_run_command(cmd)
now = cpu.cycles
if now != cycle:
lgr.error('skipToTest failed wanted 0x%x got 0x%x' % (cycle, now))
time.sleep(1)
cli.quiet_run_command(cmd)
now = cpu.cycles
if now != cycle:
lgr.error('skipToTest failed again wanted 0x%x got 0x%x' %
(cycle, now))
retval = False
return retval
def switch_symtable(cr3):
if user_process_registry.has_key(cr3):
cli.quiet_run_command("cell0_context.symtable %s" %
user_process_registry[cr3])
else:
cli.quiet_run_command("cell0_context.symtable deflsym")
def enablebps(bp):
cli.quiet_run_command("enable %d" % bp)
def go(self, no_go_receive=False):
''' Go to the first data receive watch mark (or the origin if the watch mark does not exist),
which we assume follows a read, recv, etc. Then write the dfile content into
memory, e.g., starting at R1 of a ARM recv. Adjust the returned length, e.g., R0
to match the length of the dfile. Finally, run trackIO on the given file descriptor.
Assumes we are stopped.
If "stay", then just inject and don't run.
'''
if self.addr is None:
return
if self.callback is None:
if self.save_json is not None:
self.callback = self.saveJson
self.lgr.debug('injectIO set callback to %s' % str(self.callback))
else:
self.callback = self.top.stopTrackIO
if not os.path.isfile(self.dfile):
print('File not found at %s\n\n' % self.dfile)
return
#with open(self.dfile) as fh:
# self.in_data = fh.read()
with open(self.dfile, 'rb') as fh:
if sys.version_info[0] == 2:
self.in_data = bytearray(fh.read())
else:
self.in_data = fh.read()
self.lgr.debug('write data total size %d file %s' % (len(self.in_data), self.dfile))
''' Got to origin/recv location unless not yet debugging, or unless modifying kernel buffer '''
if self.target is None and not no_go_receive and not self.mem_utils.isKernel(self.addr):
self.dataWatch.goToRecvMark()
lenreg = None
lenreg2 = None
if self.cpu.architecture == 'arm':
''' **SEEMS WRONG, what was observed? **length register, seems to acutally be R7, at least that is what libc uses and reports (as R0 by the time
the invoker sees it. So, we'll set both for alternate libc implementations? '''
lenreg = 'r0'
#lenreg2 = 'r7'
else:
lenreg = 'eax'
if self.orig_buffer is not None:
''' restore receive buffer to original condition in case injected data is smaller than original and poor code
references data past the end of what is received. '''
self.mem_utils.writeString(self.cpu, self.addr, self.orig_buffer)
self.lgr.debug('injectIO restored %d bytes to original buffer at 0x%x' % (len(self.orig_buffer), self.addr))
if self.target is None and not self.trace_all:
''' Set Debug before write to use RESim context on the callHap '''
''' We assume we are in user space in the target process and thus will not move.'''
self.top.stopDebug()
self.top.debugPidGroup(self.pid)
self.top.watchPageFaults()
if self.no_rop:
self.lgr.debug('injectIO stop ROP')
self.top.watchROP(watching=False)
self.bookmarks = self.top.getBookmarksInstance()
force_default_context = False
if self.bookmarks is None:
force_default_context = True
self.write_data = writeData.WriteData(self.top, self.cpu, self.in_data, self.packet_count,
self.mem_utils, self.backstop, self.snap_name, self.lgr, udp_header=self.udp_header,
pad_to_size=self.pad_to_size, backstop_cycles=self.backstop_cycles, stop_on_read=self.stop_on_read, force_default_context=force_default_context,
write_callback=self.writeCallback, limit_one=self.limit_one, dataWatch=self.dataWatch)
#bytes_wrote = self.writeData()
bytes_wrote = self.write_data.write()
if bytes_wrote is None:
self.lgr.error('got None for bytes_wrote in injectIO')
return
eip = self.top.getEIP(self.cpu)
if self.target is None:
self.dataWatch.clearWatchMarks()
self.dataWatch.clearWatches()
if self.coverage:
self.lgr.debug('injectIO enabled coverage')
self.top.enableCoverage(backstop_cycles=self.backstop_cycles)
self.lgr.debug('injectIO ip: 0x%x did write %d bytes to addr 0x%x cycle: 0x%x Now clear watches' % (eip, bytes_wrote, self.addr, self.cpu.cycles))
if not self.stay:
if not self.trace_all:
self.lgr.debug('injectIO not traceall, about to set origin, eip: 0x%x cycles: 0x%x' % (eip, self.cpu.cycles))
self.bookmarks.setOrigin(self.cpu)
cli.quiet_run_command('disable-reverse-execution')
cli.quiet_run_command('enable-reverse-execution')
eip = self.top.getEIP(self.cpu)
self.lgr.debug('injectIO back from cmds eip: 0x%x cycles: 0x%x' % (eip, self.cpu.cycles))
#self.dataWatch.setRange(self.addr, bytes_wrote, 'injectIO', back_stop=False, recv_addr=self.addr, max_len = self.max_len)
''' per trackIO, look at entire buffer for ref to old data '''
if not self.mem_utils.isKernel(self.addr):
self.dataWatch.setRange(self.addr, bytes_wrote, 'injectIO', back_stop=False, recv_addr=self.addr, max_len = self.max_len)
''' special case'''
if self.max_len == 1:
self.addr += 1
if self.addr_addr is not None:
self.dataWatch.setRange(self.addr_addr, self.addr_size, 'injectIO-addr')
if not self.no_rop:
self.top.watchROP()
else:
self.top.traceAll()
use_backstop=True
if self.stop_on_read:
use_backstop = False
if self.trace_all:
self.lgr.debug('injectIO trace_all requested. Context is %s' % self.cpu.current_context)
cli.quiet_run_command('c')
elif not self.mem_utils.isKernel(self.addr):
print('retracking IO')
self.lgr.debug('retracking IO callback: %s' % str(self.callback))
self.top.retrack(clear=self.clear_retrack, callback=self.callback, use_backstop=use_backstop)
else:
''' Injected into kernel buffer '''
self.top.stopTrackIO()
self.dataWatch.clearWatches()
self.dataWatch.setCallback(self.callback)
self.context_manager.watchTasks()
self.top.runToIO(self.fd, linger=True, break_simulation=False)
else:
''' target is not current process. go to target then callback to injectCalback'''
self.lgr.debug('injectIO debug to %s' % self.target)
self.top.resetOrigin()
''' watch for death of this process as well '''
self.context_manager.stopWatchTasks()
self.context_manager.watchGroupExits()
self.top.watchPageFaults()
#self.context_manager.setExitCallback(self.recordExit)
self.top.debugProc(self.target, final_fun=self.injectCallback)
str = working_dir + "/" + str
# print " And I'm guessing this means I should look in '%s'" % str
if (os.path.isfile(str)):
# Load all subsequent symbol tables with this source as well
kern_path = str
# I'm pretty sure this is unnecessary; it's not like the kernel symbol table is
# going to change in flight, and even if it does, it's not like we need to keep
# both of them around. Let's reuse deflsym and avoid the assertion failure we
# get from calling new-symtable at runtime.
# usersym = "usersym%d" % cs410_dispatch.kernel_up
usersym = "deflsym"
cli.quiet_run_command(
"%s.source-path \"%s/;%s;%s\"" %
(usersym, working_dir, user_src_path, test_src_path))
cli.quiet_run_command("%s.load-symbols %s" % (usersym, str))
cli.quiet_run_command("cell0_context.symtable %s" % usersym)
else:
print "No such kernel image: '%s'; symbolic debugging won't work." % str
# print " !!> Cannot find that file; ignoring simulation request."
# print " !!> This probably means that symbolic debugging will not work."
# print " !!> Note that we are running loader callbacks anyway!"
# print " !!> Please contact a TA."
error = 1
for x in boot_callbacks:
x(cpu, cs410_dispatch.kernel_up, error)
cs410_dispatch.add_simcall(booted)
def __init__(self,
top,
cpu,
cell_name,
coverage,
backstop,
mem_utils,
dataWatch,
snap_name,
context_manager,
page_faults,
lgr,
packet_count=1,
stop_on_read=False,
fname=None,
linear=False,
target=None,
create_dead_zone=False,
port=8765,
one_done=False):
pad_env = os.getenv('AFL_PAD')
self.lgr = lgr
if pad_env is not None:
try:
self.pad_to_size = int(pad_env)
except:
self.lgr.error('Bad AFL_PAD value %s' % pad_env)
return
else:
self.pad_to_size = 0
self.udp_header = os.getenv('AFL_UDP_HEADER')
if packet_count > 1 and not (self.udp_header is not None
or self.pad_to_size > 0):
self.lgr.error(
'Multi-packet requested but no pad or UDP header has been given in env variables'
)
return
self.filter_module = None
self.packet_filter = os.getenv('AFL_PACKET_FILTER')
if self.packet_filter is not None:
file_path = './%s.py' % self.packet_filter
abs_path = os.path.abspath(file_path)
if os.path.isfile(abs_path):
self.filter_module = imp.load_source(self.packet_filter,
abs_path)
self.lgr.debug('afl using AFL_PACKET_FILTER %s' %
self.packet_filter)
else:
self.lgr.error('failed to find filter at %s' %
self.packet_filter)
return
'''
module_name = self.packet_filter
spec = importlib.util.spec_from_file_location(module_name, file_path)
filter_module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(flter_module)
'''
self.pad_char = chr(0)
self.cpu = cpu
self.cell_name = cell_name
self.top = top
self.mem_utils = mem_utils
self.stop_on_read = stop_on_read
self.dataWatch = dataWatch
self.coverage = coverage
self.context_manager = context_manager
self.linear = linear
# For multi-packet UDP. afl_packet_count may be adjusted less than given packet count.
self.packet_count = packet_count
self.afl_packet_count = None
self.current_packet = 0
self.backstop = backstop
self.stop_hap = None
self.call_break = None
self.call_hap = None
self.in_data = None
self.orig_in_data = None
self.orig_data_length = 0
self.write_data = None
self.target = target
self.create_dead_zone = create_dead_zone
self.backstop.setCallback(self.whenDone)
self.port = port
self.one_done = one_done
self.page_faults = page_faults
sor = os.getenv('STOP_ON_READ')
if sor is not None and sor.lower() == 'true':
self.stop_on_read = True
# TBD why are sor and backstop mutually exclusive?
if stop_on_read:
self.backstop_cycles = 0
else:
if os.getenv('BACK_STOP_CYCLES') is not None:
self.backstop_cycles = int(os.getenv('BACK_STOP_CYCLES'))
self.lgr.debug('afl BACK_STOP_CYCLES is %d' %
self.backstop_cycles)
else:
self.lgr.warning(
'no BACK_STOP_CYCLES defined, using default of 100000')
self.backstop_cycles = 100000
self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.sock.settimeout(2)
self.server_address = ('localhost', self.port)
self.iteration = 1
self.pid = self.top.getPID()
self.total_hits = 0
self.bad_trick = False
self.trace_snap1 = None
self.empty_trace_bits = None
if self.cpu.architecture == 'arm':
lenreg = 'r0'
else:
lenreg = 'eax'
self.len_reg_num = self.cpu.iface.int_register.get_number(lenreg)
self.pc_reg = self.cpu.iface.int_register.get_number('pc')
self.addr = None
self.orig_buffer = None
hang_cycles = 90000000
hang = os.getenv('HANG_CYCLES')
if hang is not None:
hang_cycles = int(hang)
self.backstop.setHangCallback(self.coverage.recordHang, hang_cycles)
self.lgr.debug('AFL init from snap %s' % snap_name)
self.snap_name = snap_name
self.loadPickle(snap_name)
if target is None:
self.top.removeDebugBreaks(keep_watching=False,
keep_coverage=False)
if self.orig_buffer is not None:
self.lgr.debug('restored %d bytes 0x%x context %s' % (len(
self.orig_buffer), self.addr, self.cpu.current_context))
self.mem_utils.writeString(self.cpu, self.addr,
self.orig_buffer)
self.coverage.enableCoverage(
self.pid,
backstop=self.backstop,
backstop_cycles=self.backstop_cycles,
afl=True,
fname=fname,
linear=linear,
create_dead_zone=self.create_dead_zone)
cli.quiet_run_command('disable-reverse-execution')
cli.quiet_run_command('enable-unsupported-feature internals')
cli.quiet_run_command('save-snapshot name = origin')
self.coverage.doCoverage()
self.synchAFL()
self.lgr.debug(
'afl done init, num packets is %d stop_on_read is %r' %
(self.packet_count, self.stop_on_read))
self.fault_hap = None
#tracemalloc.start()
# hack around Simics model bug
#self.fixFaults()
else:
self.lgr.debug('afl use target %s, call debug' % target)
''' need a bookmark to get back to here after setting up debug process '''
self.top.resetOrigin()
self.top.debugProc(target, self.aflInitCallback)
def break_exception_18_present():
ret, cmdout = cli.quiet_run_command("break-exception -list",
output_mode = output_modes.unformatted_text)
return " 18 " in cmdout
def goAlone(self, clear_hits):
self.current_packet = 1
self.index += 1
done = False
if self.target != 'oneplay':
''' skip files if already have coverage '''
while not done and self.index < len(self.afl_list):
fname = self.getHitsPath(self.index)
if not os.path.isfile(fname):
done = True
else:
hits_json = json.load(open(fname))
for hit in hits_json:
hit = int(hit)
if hit not in self.all_hits:
self.all_hits.append(hit)
self.index += 1
if self.index < len(self.afl_list):
cli.quiet_run_command('restore-snapshot name = origin')
if self.coverage is not None:
if clear_hits:
self.coverage.stopCover()
self.coverage.doCoverage(no_merge=True,
physical=self.physical)
if self.orig_buffer is not None:
#self.lgr.debug('playAFL restored %d bytes to original buffer at 0x%x' % (len(self.orig_buffer), self.addr))
self.mem_utils.writeString(self.cpu, self.addr,
self.orig_buffer)
full = os.path.join(self.afl_dir, self.afl_list[self.index])
with open(full, 'rb') as fh:
if sys.version_info[0] == 2:
self.in_data = bytearray(fh.read())
else:
self.in_data = fh.read()
self.lgr.debug(
'playAFL goAlone loaded %d bytes from file session %d of %d' %
(len(self.in_data), self.index, len(self.afl_list)))
self.afl_packet_count = self.packet_count
if self.orig_buffer is not None:
''' restore receive buffer to original condition in case injected data is smaller than original and poor code
references data past the end of what is received. '''
self.mem_utils.writeString(self.cpu, self.addr,
self.orig_buffer)
self.lgr.debug(
'playAFL restored %d bytes to original buffer at 0x%x' %
(len(self.orig_buffer), self.addr))
#self.top.restoreRESimContext()
#self.context_manager.restoreDebugContext()
self.write_data = writeData.WriteData(
self.top,
self.cpu,
self.in_data,
self.afl_packet_count,
self.mem_utils,
self.backstop,
self.snap_name,
self.lgr,
udp_header=self.udp_header,
pad_to_size=self.pad_to_size,
backstop_cycles=self.backstop_cycles,
force_default_context=True,
stop_on_read=self.stop_on_read)
eip = self.top.getEIP(self.cpu)
count = self.write_data.write()
self.lgr.debug(
'playAFL goAlone ip: 0x%x wrote %d bytes from file %s continue from cycle 0x%x %d cpu context: %s'
% (eip, count, self.afl_list[self.index], self.cpu.cycles,
self.cpu.cycles, str(self.cpu.current_context)))
self.backstop.setFutureCycle(self.backstop_cycles, now=True)
if self.afl_mode:
self.coverage.watchExits()
elif self.coverage is not None:
self.coverage.watchExits(callback=self.reportExit)
else:
self.context_manager.watchGroupExits()
self.context_manager.setExitCallback(self.reportExit)
SIM_run_command('c')
else:
''' did all sessions '''
if self.coverage is not None and self.findbb is None and not self.afl_mode:
hits = self.coverage.getHitCount()
self.lgr.debug('All sessions done, save %d all_hits as %s' %
(len(self.all_hits), self.target))
hits_path = self.coverage.getHitsPath()
s = json.dumps(self.all_hits)
save_name = '%s.%s.hits' % (hits_path, self.target)
try:
os.makedirs(os.path.dirname(hits_path))
except:
pass
with open(save_name, 'w') as fh:
fh.write(s)
fh.flush()
print('%d Hits file written to %s' %
(len(self.all_hits), save_name))
self.delStopHap(None)
if self.findbb is not None:
for f, n in sorted(self.bnt_list):
print('%-30s packet %d' % (f, n))
print('Found %d sessions that hit address 0x%x' %
(len(self.bnt_list), self.findbb))
print('Played %d sessions' % len(self.afl_list))
cli.quiet_run_command('restore-snapshot name = origin')
if len(self.exit_list) > 0:
print('%d Sessions that called exit:' % len(self.exit_list))
for exit in sorted(self.exit_list):
print(exit)
print('\n\n Sessions that did not exit:')
for item in sorted(self.afl_list):
if item not in self.exit_list:
print(item)
def goN(self, status):
if status != 0:
self.lgr.debug('afl goN after crash. Call getMsg')
''' Only applies to multi-packet UDP fu '''
self.current_packet = 0
self.bad_trick = False
''' If just starting, get data from afl, otherwise, was read from stopHap. '''
if self.stop_hap is None:
self.in_data = self.getMsg()
if self.in_data is None:
self.lgr.error('Got None from afl')
return
self.orig_data_length = len(self.in_data)
self.orig_in_data = self.in_data
cli.quiet_run_command('restore-snapshot name=origin')
#self.top.restoreRESimContext()
#self.lgr.debug('got %d of data from afl iteration %d' % (len(self.in_data), self.iteration))
if status != 0:
self.lgr.debug(
'afl goN after crash. restored snapshot after getting %d bytes from afl'
% len(self.in_data))
current_length = len(self.in_data)
self.afl_packet_count = self.packet_count
if self.udp_header is None and self.packet_count > 1 and current_length < (
self.pad_to_size * (self.packet_count - 1)):
self.lgr.debug(
'afl packet count of %d and size of %d, but only %d bytes from AFL. Cannot do it.'
% (self.packet_count, self.pad_to_size, current_length))
self.afl_packet_count = (current_length / self.pad_to_size) + 1
self.lgr.debug('afl packet count now %d' % self.afl_packet_count)
if self.addr is None:
self.addr, max_len = self.dataWatch.firstBufferAddress()
if self.addr is None:
self.lgr.error('AFL, no firstBufferAddress found')
return
if self.create_dead_zone:
self.lgr.debug('afl goN dead zone iteration %d' % self.iteration)
''' clear the bit_trace '''
#self.lgr.debug('afl goN call doCoverage')
if self.linear:
#self.lgr.debug('afl, linear use context manager to watch tasks')
self.context_manager.restoreDebugContext()
self.context_manager.watchTasks()
self.coverage.doCoverage()
#self.lgr.debug('afl, did coverage, cycle: 0x%x' % self.cpu.cycles)
if self.stop_hap is None:
#self.lgr.debug('afl added stop hap')
self.stop_hap = SIM_hap_add_callback("Core_Simulation_Stopped",
self.stopHap, None)
if status != 0:
self.lgr.debug(
'afl goN call continue, cpu cycle was 0x%x context %s' %
(self.cpu.cycles, self.cpu.current_context))
self.coverage.watchExits(pid=self.pid)
if self.write_data is None:
self.write_data = writeData.WriteData(
self.top,
self.cpu,
self.in_data,
self.afl_packet_count,
self.mem_utils,
self.backstop,
self.snap_name,
self.lgr,
udp_header=self.udp_header,
pad_to_size=self.pad_to_size,
filter=self.filter_module,
backstop_cycles=self.backstop_cycles,
force_default_context=True,
stop_on_read=self.stop_on_read)
else:
self.write_data.reset(self.in_data, self.afl_packet_count,
self.addr)
self.write_data.write()
self.page_faults.watchPageFaults()
#self.lgr.debug('afl goN context %s' % self.cpu.current_context)
cli.quiet_run_command('c')
raise
cs410_utils.try_loadm('410-core', 'cs410_dispatch')
cs410_utils.try_loadm('410-core', 'cs410_boot_assist')
cs410_utils.try_loadm('410-core', 'cs410_next')
cs410_utils.try_loadm('410-core', 'cs410_core_haps')
cs410_utils.try_loadm('410-core', 'cs410_osdev')
print "Done."
#
# Set up source directories and the boot device.
#
from cs410_utils import working_dir, user_src_path, test_src_path, kern_path, img_path
cli.quiet_run_command("flp0.insert-floppy A " + img_path)
cli.quiet_run_command("system_cmp0.cmos-boot-dev A")
(y, m, d, h, min, s, wd, yd, dst) = time.localtime(time.time())
cli.quiet_run_command("rtc0.set-date-time %d %d %d %d %d %d" % (y, m, d, h, min, s))
# The world has been put in order. But that might be way too boring.
# So glance around and try to load some other files.
loaded_mods = []
print "410: Staff modules...",
for fname in glob.glob("./410mods-dynamic-*.py"):
cs410_utils.try_loadm('410-dyn', fname[2:-3])
# Grab the part after 410mods-dynamic-* and put it in the list.
loaded_mods.append(fname[18:-3])
print "Done."
def __init__(self,
top,
cpu,
cell_name,
backstop,
coverage,
mem_utils,
dataWatch,
target,
snap_name,
context_manager,
cfg_file,
lgr,
packet_count=1,
stop_on_read=False,
linear=False,
create_dead_zone=False,
afl_mode=False,
crashes=False):
self.top = top
self.backstop = backstop
self.coverage = coverage
self.mem_utils = mem_utils
self.dataWatch = dataWatch
self.snap_name = snap_name
self.cpu = cpu
self.context_manager = context_manager
self.cell_name = cell_name
self.lgr = lgr
self.afl_mode = afl_mode
self.findbb = None
self.write_data = None
self.orig_buffer = None
self.return_ip = None
self.cfg_file = cfg_file
self.target = target
self.afl_dir = aflPath.getAFLOutput()
self.all_hits = []
pad_env = os.getenv('AFL_PAD')
if pad_env is not None:
try:
self.pad_to_size = int(pad_env)
except:
self.lgr.error('Bad AFL_PAD value %s' % pad_env)
return
else:
self.pad_to_size = 0
self.stop_on_read = stop_on_read
if not self.stop_on_read:
sor = os.getenv('STOP_ON_READ')
if sor is not None and sor.lower() == 'true':
self.stop_on_read = True
self.udp_header = os.getenv('AFL_UDP_HEADER')
if packet_count > 1 and not (self.udp_header is not None
or self.pad_to_size > 0):
self.lgr.error(
'Multi-packet requested but no pad or UDP header has been given in env variables'
)
return None
if os.path.isfile(target):
''' single file to play '''
self.target = 'oneplay'
relative = target[(len(self.afl_dir) + 1):]
self.afl_list = [relative]
self.lgr.debug(
'playAFL, single file, path relative to afl_dir is %s' %
relative)
else:
if not crashes:
self.afl_list = aflPath.getTargetQueue(target, get_all=True)
else:
self.afl_list = aflPath.getTargetCrashes(target)
print('Playing %d sessions. Please wait until that is reported.' %
len(self.afl_list))
self.lgr.debug('playAFL afl list has %d items' % len(self.afl_list))
self.index = -1
self.stop_hap = None
self.call_hap = None
self.call_break = None
self.addr = None
self.in_data = None
#self.backstop_cycles = 100000
self.backstop_cycles = 900000
bsc = os.getenv('BACK_STOP_CYCLES')
if bsc is not None:
self.backstop_cycles = int(bsc)
self.packet_count = packet_count
self.afl_packet_count = None
self.current_packet = 0
self.call_ip = None
self.hit_total = 0
''' replay file names that hit the given bb '''
self.bnt_list = []
self.pid = self.top.getPID()
self.stop_on_break = False
self.exit_list = []
if self.cpu.architecture == 'arm':
lenreg = 'r0'
else:
lenreg = 'eax'
self.len_reg_num = self.cpu.iface.int_register.get_number(lenreg)
self.snap_name = snap_name
if not self.loadPickle(snap_name):
print('No AFL data stored for checkpoint %s, cannot play AFL.' %
snap_name)
return None
cli.quiet_run_command('disable-reverse-execution')
cli.quiet_run_command('enable-unsupported-feature internals')
cli.quiet_run_command('save-snapshot name = origin')
self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False)
self.physical = False
if self.coverage is not None:
self.coverage.enableCoverage(self.pid,
backstop=self.backstop,
backstop_cycles=self.backstop_cycles,
afl=afl_mode,
linear=linear,
create_dead_zone=create_dead_zone)
self.physical = True
if linear:
self.physical = False
self.lgr.debug(
'afl, linear use context manager to watch tasks')
self.context_manager.restoreDebugContext()
self.context_manager.watchTasks()
self.coverage.doCoverage(no_merge=True, physical=self.physical)
full_path = self.coverage.getFullPath()
full_path = os.path.abspath(full_path)
hits_path = self.coverage.getHitsPath() + '.prog'
parent = os.path.dirname(os.path.abspath(hits_path))
print('parent is %s' % parent)
try:
os.makedirs(parent)
except:
pass
with open(hits_path, 'w') as fh:
fh.write(full_path + '\n')
fh.write(self.cfg_file + '\n')
#print('full_path is %s, wrote that to %s' % (full_path, hits_path))
#self.backstop.setCallback(self.whenDone)
hang_cycles = 90000000
hang = os.getenv('HANG_CYCLES')
if hang is not None:
hang_cycles = int(hang)
self.backstop.setHangCallback(self.hangCallback, hang_cycles)
raise
cs410_utils.try_loadm('410-core', 'cs410_dispatch')
cs410_utils.try_loadm('410-core', 'cs410_boot_assist')
cs410_utils.try_loadm('410-core', 'cs410_next')
cs410_utils.try_loadm('410-core', 'cs410_core_haps')
cs410_utils.try_loadm('410-core', 'cs410_osdev')
print "Done."
#
# Set up source directories and the boot device.
#
from cs410_utils import working_dir, user_src_path, test_src_path, kern_path, img_path
cli.quiet_run_command("system.motherboard.sio.flp.insert-floppy A " + img_path)
cli.quiet_run_command("system.motherboard.cmos-boot-dev A")
(y, m, d, h, min, s, wd, yd, dst) = time.localtime(time.time())
cli.quiet_run_command("system.motherboard.southbridge.rtc.set-date-time %d %d %d %d %d %d" % (y, m, d, h, min, s))
# The world has been put in order. But that might be way too boring.
# So glance around and try to load some other files.
loaded_mods = []
print "410: Staff modules...",
for fname in glob.glob("./410mods-dynamic-*.py"):
cs410_utils.try_loadm('410-dyn', fname[2:-3])
# Grab the part after 410mods-dynamic-* and put it in the list.
loaded_mods.append(fname[18:-3])
print "Done."
def goToDebugBookmark(self, mark):
if type(mark) == int:
self.lgr.debug('goToDebugBookmark skip to debug bookmark: %d' %
mark)
marks = self.getSorted()
i = 0
for the_mark in marks:
i += 1
if i == mark:
self.goToDebugBookmark(the_mark)
return
self.lgr.debug('goToDebugBookmark skip to debug bookmark: %s' % mark)
if mark not in self.__bookmarks:
self.lgr.error(
'goToDebugBookmark could not find cycle for mark %s' % mark)
return
sys.stderr = open('err.txt', 'w')
dum, cpu = self.context_mgr.getDebugPid()
self.context_mgr.clearExitBreaksAlone(None)
start_cycle = self.getCycle('_start+1')
done = False
if self.top.SIMICS_BUG:
while not done:
SIM_run_command('pselect %s' % cpu.name)
SIM_run_command('skip-to cycle = 0x%x' % start_cycle)
cycles = SIM_cycle_count(cpu)
self.lgr.debug(
'goToDebugBookmark, did skip to start at cycle %x, expected %x '
% (cycles, start_cycle))
cycle = self.__bookmarks[mark].cycles
self.lgr.debug("goToDebugBookmark, pslect then skip to 0x%x" %
cycle)
SIM_run_command('pselect %s' % cpu.name)
SIM_run_command('skip-to cycle=%d' % cycle)
eip = self.top.getEIP(cpu)
current = SIM_cycle_count(cpu)
step = SIM_step_count(cpu)
self.lgr.debug(
'goToDebugBookmark skipped to cycle %x step: %x eip: %x, wanted cycle: %x step: %x eip: %x'
% (current, step, eip, cycle, self.__bookmarks[mark].steps,
self.__bookmarks[mark].eip))
if current != cycle or eip != self.__bookmarks[mark].eip:
self.lgr.error(
'goToDebugBookmark, simicsError skipped to cycle %x eip: %x, BUT WE wanted %x eip: 0x%x'
% (current, eip, cycle, self.__bookmarks[mark].eip))
''' play simics ping pong until cycles match eip '''
else:
done = True
else:
cycle = self.__bookmarks[mark].cycles
#self.lgr.debug("goToDebugBookmark, pslect then skip to 0x%x" % cycle)
cli.quiet_run_command('pselect %s' % cpu.name)
try:
cli.quiet_run_command('skip-to cycle=%d' % cycle)
except:
print('reverse disabled')
return 'reverse disabled'
eip = self.top.getEIP(cpu)
current = SIM_cycle_count(cpu)
step = SIM_step_count(cpu)
#if cycle is not None and self.__bookmarks[mark].steps is not None:
# self.lgr.debug('goToDebugBookmark skipped to cycle %x step: %x eip: %x, wanted cycle: %x step: %x eip: %x' % (current, step, eip, cycle, self.__bookmarks[mark].steps, self.__bookmarks[mark].eip))
if current != cycle or eip != self.__bookmarks[mark].eip:
self.lgr.error(
'goToDebugBookmark, simicsError skipped to cycle %x eip: %x, BUT WE wanted %x eip: 0x%x'
% (current, eip, cycle, self.__bookmarks[mark].eip))
self.context_mgr.setExitBreaks()
self.context_mgr.resetBackStop()
self.top.gdbMailbox('0x%x' % eip)
#self.lgr.debug('goToDebugBookmark set mbox to %x' % eip)
return self.__mark_msg[mark]
str = working_dir + "/" + str
# print " And I'm guessing this means I should look in '%s'" % str
if (os.path.isfile(str)):
# Load all subsequent symbol tables with this source as well
kern_path = str
# I'm pretty sure this is unnecessary; it's not like the kernel symbol table is
# going to change in flight, and even if it does, it's not like we need to keep
# both of them around. Let's reuse deflsym and avoid the assertion failure we
# get from calling new-symtable at runtime.
# usersym = "usersym%d" % cs410_dispatch.kernel_up
usersym = "deflsym"
cli.quiet_run_command("%s.source-path \"%s/;%s;%s\"" %
(usersym, working_dir, user_src_path, test_src_path))
cli.quiet_run_command("%s.load-symbols %s" % (usersym, str))
cli.quiet_run_command("cell0_context.symtable %s" % usersym)
else:
print "No such kernel image: '%s'; symbolic debugging won't work." % str
# print " !!> Cannot find that file; ignoring simulation request."
# print " !!> This probably means that symbolic debugging will not work."
# print " !!> Note that we are running loader callbacks anyway!"
# print " !!> Please contact a TA."
error = 1
for x in boot_callbacks:
x(cpu, cs410_dispatch.kernel_up, error)
cs410_dispatch.add_simcall(booted)
def enablebps(bp):
cli.quiet_run_command("enable %d" % bp)
def disablebps(bp):
cli.quiet_run_command("disable %d" % bp)
def disablebps(bp):
cli.quiet_run_command("disable %d" % bp)
def switch_symtable(cr3):
if user_process_registry.has_key(cr3):
cli.quiet_run_command("cell0_context.symtable %s" %
user_process_registry[cr3])
else:
cli.quiet_run_command("cell0_context.symtable deflsym")
