def goN(self, status): if status != 0: self.lgr.debug('afl goN after crash. Call getMsg') ''' Only applies to multi-packet UDP fu ''' self.current_packet = 1 ''' If just starting, get data from afl, otherwise, was read from stopHap. ''' if self.stop_hap is None: self.in_data = self.getMsg() if self.in_data is None: self.lgr.error('Got None from afl') return self.orig_data_length = len(self.in_data) self.orig_in_data = self.in_data cli.quiet_run_command('restore-snapshot name=origin') #self.lgr.debug('got %d of data from afl iteration %d' % (len(self.in_data), self.iteration)) if status != 0: self.lgr.debug( 'afl goN after crash. restored snapshot after getting %d bytes from afl' % len(self.in_data)) current_length = len(self.in_data) self.afl_packet_count = self.packet_count if self.url_header is None and self.packet_count > 1 and current_length < ( self.pad_to_size * (self.packet_count - 1)): self.lgr.debug( 'afl packet count of %d and size of %d, but only %d bytes from AFL. Cannot do it.' % (self.packet_count, self.pad_to_size, current_length)) self.afl_packet_count = (current_length / self.pad_to_size) + 1 self.lgr.debug('afl packet count now %d' % self.afl_packet_count) self.addr, max_len = self.dataWatch.firstBufferAddress() if self.addr is None: self.lgr.error('AFL, no firstBufferAddress found') return ''' clear the bit_trace ''' self.coverage.doCoverage() #self.lgr.debug('afl, did coverage, cycle: 0x%x' % self.cpu.cycles) if self.stop_hap is None: self.stop_hap = SIM_hap_add_callback("Core_Simulation_Stopped", self.stopHap, None) if status != 0: self.lgr.debug( 'afl goN call continue, cpu cycle was 0x%x context %s' % (self.cpu.cycles, self.cpu.current_context)) self.coverage.watchExits() self.writeData() cli.quiet_run_command('c')
def setup_xchg(): global atomic_breakpoints lockbrk = create_userspace_breakpoint() cli.quiet_run_command('set-pattern %d "0xf0" "0xff"' % lockbrk) atomic_breakpoints.append(lockbrk) for instr in [ "xadd", "xchg", "cmpxchg" ]: brk = create_userspace_breakpoint() cli.quiet_run_command('set-prefix %d "%s"' % (brk, instr)) atomic_breakpoints.append(brk) for brk in atomic_breakpoints: cs410_dispatch.breakpoint_handlers[brk] = xchg_handle_breakpoints
def setup_xchg(): global atomic_breakpoints lockbrk = create_userspace_breakpoint() cli.quiet_run_command('set-pattern %d "0xf0" "0xff"' % lockbrk) atomic_breakpoints.append(lockbrk) for instr in ["xadd", "xchg", "cmpxchg"]: brk = create_userspace_breakpoint() cli.quiet_run_command('set-prefix %d "%s"' % (brk, instr)) atomic_breakpoints.append(brk) for brk in atomic_breakpoints: cs410_dispatch.breakpoint_handlers[brk] = xchg_handle_breakpoints
def goAlone(self, dumb): if self.index < len(self.afl_list): cli.quiet_run_command('save-snapshot name = origin') full = os.path.join(self.afl_dir, self.afl_list[self.index]) with open(full) as fh: data = bytearray(fh.read()) self.addr, max_len = self.dataWatch.firstBufferAddress() self.mem_utils.writeString(self.cpu, self.addr, data) self.lgr.debug('playAFL goAlone file %s continue' % self.afl_list[self.index]) self.backstop.setFutureCycleAlone(self.backstop_cycles) self.index += 1 SIM_run_command('c') else: self.coverage.saveCoverage() print('Played %d sessions' % len(self.afl_list))
def __init__(self, top, cpu, backstop, coverage, mem_utils, dataWatch, target, lgr): self.top = top self.backstop = backstop self.coverage = coverage self.mem_utils = mem_utils self.dataWatch = dataWatch self.cpu = cpu self.lgr = lgr afl_output = os.getenv('AFL_OUTPUT') if afl_output is None: afl_output = os.path.join(os.getenv('HOME'), 'SEED', 'afl', 'afl-output') self.afl_dir = os.path.join(afl_output, target, 'queue') self.afl_list = [ f for f in os.listdir(self.afl_dir) if os.path.isfile(os.path.join(self.afl_dir, f)) ] self.index = 0 self.stop_hap = None self.addr = None self.backstop_cycles = 100000 self.pid = self.top.getPID() cli.quiet_run_command('disable-reverse-execution') cli.quiet_run_command('enable-unsupported-feature internals') cli.quiet_run_command('save-snapshot name = origin') self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False) self.coverage.enableCoverage(self.pid, backstop=self.backstop, backstop_cycles=self.backstop_cycles, afl=False) self.coverage.doCoverage(force_default_context=True)
def finishInit(self): self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False) self.coverage.enableCoverage(self.pid, backstop=self.backstop, backstop_cycles=self.backstop_cycles, afl=True) cli.quiet_run_command('disable-reverse-execution') cli.quiet_run_command('enable-unsupported-feature internals') cli.quiet_run_command('save-snapshot name = origin') self.synchAFL()
def go(self): self.lgr.debug('replayAFL go') retval = False afl_file = aflPath.getAFLPath(self.target, self.index, self.instance) if afl_file is not None: retval = True print('Replaying %s' % afl_file) if retval: #driver = threading.Thread(target=feedDriver, args=(self.ip, self.port, self.header, self.lgr, )) #self.lgr.debug('start thread') #SIM_run_alone(self.startAlone, driver) shutil.copyfile(afl_file, '/tmp/sendudp') dumb, forwarding = cli.quiet_run_command('list-port-forwarding-setup') ssh_port = None for line in forwarding.splitlines(): if line.strip().endswith(':22'): ssh_port = line.split()[3] break if ssh_port is None: self.lgr.error('No forwarding port found for ssh port 21') return script_file = os.path.join(self.resim_dir, 'simics', 'monitorCore', 'sendDriver.sh') cmd = '%s %s %s %s %s %s &' % (script_file, ssh_port, self.client_path, self.ip, self.port, self.header) #result=os.system(cmd) self.send_driver = subprocess.Popen(shlex.split(cmd), stdin=subprocess.PIPE, stdout=subprocess.PIPE,stderr=subprocess.PIPE) self.lgr.debug('ReplayAFL tmpdriver cmd: %s ' % (cmd)) self.lgr.debug('replay for fd %d' % self.targetFD) if self.trace: self.top.noReverse() self.top.traceAll() SIM_run_command('c') else: if not self.tcp: if self.cover: self.top.enableCoverage() self.top.trackIO(self.targetFD, reset=True, callback=self.killDriver) else: ''' Run to accept to get the new FD and then do trackIO from the doTrack callback''' self.top.noReverse() self.lgr.debug('replayAFL run to accept') f1 = stopFunction.StopFunction(self.doTrack, [], nest=False) flist = [f1] self.top.runToAccept(self.targetFD, flist=flist) return retval
def make_new_symtable(sname, fname, cr3): fpath = user_prog_path+fname if not os.path.isfile(fpath) or '/' in fname: cs410_utils.log('410-warning', 'Unable to load user symbols for "%s"' % fname) del user_process_registry[cr3] return try: cli.quiet_run_command('new-symtable %s' % sname) cli.quiet_run_command('%s.load-symbols "%s"' % (sname, kern_path)) cli.quiet_run_command('%s.load-symbols "%s"' % (sname, fpath)) cli.quiet_run_command('%s.source-path "%s/;%s/;%s/"' % (sname, working_dir, user_src_path, test_src_path)) except: cs410_utils.log('410-warning', 'Unable to load user symbols for "%s"' % fname) del user_process_registry[cr3]
def aflInitCallback(self): self.lgr.debug('afl aflInitCallback') ''' Now in target process''' self.coverage = self.top.getCoverage() self.pid = self.top.getPID() self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False) self.coverage.enableCoverage(self.pid, backstop=self.backstop, backstop_cycles=self.backstop_cycles, afl=True) self.coverage.doCoverage() cmd = 'skip-to bookmark = bookmark0' cli.quiet_run_command(cmd) cli.quiet_run_command('disable-reverse-execution') cli.quiet_run_command('enable-unsupported-feature internals') cli.quiet_run_command('save-snapshot name = origin') self.synchAFL() self.lgr.debug('afl done init, num packets is %d stop_on_read is %r' % (self.packet_count, self.stop_on_read)) self.fault_hap = None self.top.noWatchSysEnter() self.goN(0)
def skipToTest(cpu, cycle, lgr): while SIM_simics_is_running(): lgr.error('skipToTest but simics running') time.sleep(1) retval = True cli.quiet_run_command('pselect %s' % cpu.name) cmd = 'skip-to cycle = %d ' % cycle cli.quiet_run_command(cmd) now = cpu.cycles if now != cycle: lgr.error('skipToTest failed wanted 0x%x got 0x%x' % (cycle, now)) time.sleep(1) cli.quiet_run_command(cmd) now = cpu.cycles if now != cycle: lgr.error('skipToTest failed again wanted 0x%x got 0x%x' % (cycle, now)) retval = False return retval
def switch_symtable(cr3): if user_process_registry.has_key(cr3): cli.quiet_run_command("cell0_context.symtable %s" % user_process_registry[cr3]) else: cli.quiet_run_command("cell0_context.symtable deflsym")
def enablebps(bp): cli.quiet_run_command("enable %d" % bp)
def go(self, no_go_receive=False): ''' Go to the first data receive watch mark (or the origin if the watch mark does not exist), which we assume follows a read, recv, etc. Then write the dfile content into memory, e.g., starting at R1 of a ARM recv. Adjust the returned length, e.g., R0 to match the length of the dfile. Finally, run trackIO on the given file descriptor. Assumes we are stopped. If "stay", then just inject and don't run. ''' if self.addr is None: return if self.callback is None: if self.save_json is not None: self.callback = self.saveJson self.lgr.debug('injectIO set callback to %s' % str(self.callback)) else: self.callback = self.top.stopTrackIO if not os.path.isfile(self.dfile): print('File not found at %s\n\n' % self.dfile) return #with open(self.dfile) as fh: # self.in_data = fh.read() with open(self.dfile, 'rb') as fh: if sys.version_info[0] == 2: self.in_data = bytearray(fh.read()) else: self.in_data = fh.read() self.lgr.debug('write data total size %d file %s' % (len(self.in_data), self.dfile)) ''' Got to origin/recv location unless not yet debugging, or unless modifying kernel buffer ''' if self.target is None and not no_go_receive and not self.mem_utils.isKernel(self.addr): self.dataWatch.goToRecvMark() lenreg = None lenreg2 = None if self.cpu.architecture == 'arm': ''' **SEEMS WRONG, what was observed? **length register, seems to acutally be R7, at least that is what libc uses and reports (as R0 by the time the invoker sees it. So, we'll set both for alternate libc implementations? ''' lenreg = 'r0' #lenreg2 = 'r7' else: lenreg = 'eax' if self.orig_buffer is not None: ''' restore receive buffer to original condition in case injected data is smaller than original and poor code references data past the end of what is received. ''' self.mem_utils.writeString(self.cpu, self.addr, self.orig_buffer) self.lgr.debug('injectIO restored %d bytes to original buffer at 0x%x' % (len(self.orig_buffer), self.addr)) if self.target is None and not self.trace_all: ''' Set Debug before write to use RESim context on the callHap ''' ''' We assume we are in user space in the target process and thus will not move.''' self.top.stopDebug() self.top.debugPidGroup(self.pid) self.top.watchPageFaults() if self.no_rop: self.lgr.debug('injectIO stop ROP') self.top.watchROP(watching=False) self.bookmarks = self.top.getBookmarksInstance() force_default_context = False if self.bookmarks is None: force_default_context = True self.write_data = writeData.WriteData(self.top, self.cpu, self.in_data, self.packet_count, self.mem_utils, self.backstop, self.snap_name, self.lgr, udp_header=self.udp_header, pad_to_size=self.pad_to_size, backstop_cycles=self.backstop_cycles, stop_on_read=self.stop_on_read, force_default_context=force_default_context, write_callback=self.writeCallback, limit_one=self.limit_one, dataWatch=self.dataWatch) #bytes_wrote = self.writeData() bytes_wrote = self.write_data.write() if bytes_wrote is None: self.lgr.error('got None for bytes_wrote in injectIO') return eip = self.top.getEIP(self.cpu) if self.target is None: self.dataWatch.clearWatchMarks() self.dataWatch.clearWatches() if self.coverage: self.lgr.debug('injectIO enabled coverage') self.top.enableCoverage(backstop_cycles=self.backstop_cycles) self.lgr.debug('injectIO ip: 0x%x did write %d bytes to addr 0x%x cycle: 0x%x Now clear watches' % (eip, bytes_wrote, self.addr, self.cpu.cycles)) if not self.stay: if not self.trace_all: self.lgr.debug('injectIO not traceall, about to set origin, eip: 0x%x cycles: 0x%x' % (eip, self.cpu.cycles)) self.bookmarks.setOrigin(self.cpu) cli.quiet_run_command('disable-reverse-execution') cli.quiet_run_command('enable-reverse-execution') eip = self.top.getEIP(self.cpu) self.lgr.debug('injectIO back from cmds eip: 0x%x cycles: 0x%x' % (eip, self.cpu.cycles)) #self.dataWatch.setRange(self.addr, bytes_wrote, 'injectIO', back_stop=False, recv_addr=self.addr, max_len = self.max_len) ''' per trackIO, look at entire buffer for ref to old data ''' if not self.mem_utils.isKernel(self.addr): self.dataWatch.setRange(self.addr, bytes_wrote, 'injectIO', back_stop=False, recv_addr=self.addr, max_len = self.max_len) ''' special case''' if self.max_len == 1: self.addr += 1 if self.addr_addr is not None: self.dataWatch.setRange(self.addr_addr, self.addr_size, 'injectIO-addr') if not self.no_rop: self.top.watchROP() else: self.top.traceAll() use_backstop=True if self.stop_on_read: use_backstop = False if self.trace_all: self.lgr.debug('injectIO trace_all requested. Context is %s' % self.cpu.current_context) cli.quiet_run_command('c') elif not self.mem_utils.isKernel(self.addr): print('retracking IO') self.lgr.debug('retracking IO callback: %s' % str(self.callback)) self.top.retrack(clear=self.clear_retrack, callback=self.callback, use_backstop=use_backstop) else: ''' Injected into kernel buffer ''' self.top.stopTrackIO() self.dataWatch.clearWatches() self.dataWatch.setCallback(self.callback) self.context_manager.watchTasks() self.top.runToIO(self.fd, linger=True, break_simulation=False) else: ''' target is not current process. go to target then callback to injectCalback''' self.lgr.debug('injectIO debug to %s' % self.target) self.top.resetOrigin() ''' watch for death of this process as well ''' self.context_manager.stopWatchTasks() self.context_manager.watchGroupExits() self.top.watchPageFaults() #self.context_manager.setExitCallback(self.recordExit) self.top.debugProc(self.target, final_fun=self.injectCallback)
str = working_dir + "/" + str # print " And I'm guessing this means I should look in '%s'" % str if (os.path.isfile(str)): # Load all subsequent symbol tables with this source as well kern_path = str # I'm pretty sure this is unnecessary; it's not like the kernel symbol table is # going to change in flight, and even if it does, it's not like we need to keep # both of them around. Let's reuse deflsym and avoid the assertion failure we # get from calling new-symtable at runtime. # usersym = "usersym%d" % cs410_dispatch.kernel_up usersym = "deflsym" cli.quiet_run_command( "%s.source-path \"%s/;%s;%s\"" % (usersym, working_dir, user_src_path, test_src_path)) cli.quiet_run_command("%s.load-symbols %s" % (usersym, str)) cli.quiet_run_command("cell0_context.symtable %s" % usersym) else: print "No such kernel image: '%s'; symbolic debugging won't work." % str # print " !!> Cannot find that file; ignoring simulation request." # print " !!> This probably means that symbolic debugging will not work." # print " !!> Note that we are running loader callbacks anyway!" # print " !!> Please contact a TA." error = 1 for x in boot_callbacks: x(cpu, cs410_dispatch.kernel_up, error) cs410_dispatch.add_simcall(booted)
def __init__(self, top, cpu, cell_name, coverage, backstop, mem_utils, dataWatch, snap_name, context_manager, page_faults, lgr, packet_count=1, stop_on_read=False, fname=None, linear=False, target=None, create_dead_zone=False, port=8765, one_done=False): pad_env = os.getenv('AFL_PAD') self.lgr = lgr if pad_env is not None: try: self.pad_to_size = int(pad_env) except: self.lgr.error('Bad AFL_PAD value %s' % pad_env) return else: self.pad_to_size = 0 self.udp_header = os.getenv('AFL_UDP_HEADER') if packet_count > 1 and not (self.udp_header is not None or self.pad_to_size > 0): self.lgr.error( 'Multi-packet requested but no pad or UDP header has been given in env variables' ) return self.filter_module = None self.packet_filter = os.getenv('AFL_PACKET_FILTER') if self.packet_filter is not None: file_path = './%s.py' % self.packet_filter abs_path = os.path.abspath(file_path) if os.path.isfile(abs_path): self.filter_module = imp.load_source(self.packet_filter, abs_path) self.lgr.debug('afl using AFL_PACKET_FILTER %s' % self.packet_filter) else: self.lgr.error('failed to find filter at %s' % self.packet_filter) return ''' module_name = self.packet_filter spec = importlib.util.spec_from_file_location(module_name, file_path) filter_module = importlib.util.module_from_spec(spec) spec.loader.exec_module(flter_module) ''' self.pad_char = chr(0) self.cpu = cpu self.cell_name = cell_name self.top = top self.mem_utils = mem_utils self.stop_on_read = stop_on_read self.dataWatch = dataWatch self.coverage = coverage self.context_manager = context_manager self.linear = linear # For multi-packet UDP. afl_packet_count may be adjusted less than given packet count. self.packet_count = packet_count self.afl_packet_count = None self.current_packet = 0 self.backstop = backstop self.stop_hap = None self.call_break = None self.call_hap = None self.in_data = None self.orig_in_data = None self.orig_data_length = 0 self.write_data = None self.target = target self.create_dead_zone = create_dead_zone self.backstop.setCallback(self.whenDone) self.port = port self.one_done = one_done self.page_faults = page_faults sor = os.getenv('STOP_ON_READ') if sor is not None and sor.lower() == 'true': self.stop_on_read = True # TBD why are sor and backstop mutually exclusive? if stop_on_read: self.backstop_cycles = 0 else: if os.getenv('BACK_STOP_CYCLES') is not None: self.backstop_cycles = int(os.getenv('BACK_STOP_CYCLES')) self.lgr.debug('afl BACK_STOP_CYCLES is %d' % self.backstop_cycles) else: self.lgr.warning( 'no BACK_STOP_CYCLES defined, using default of 100000') self.backstop_cycles = 100000 self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) self.sock.settimeout(2) self.server_address = ('localhost', self.port) self.iteration = 1 self.pid = self.top.getPID() self.total_hits = 0 self.bad_trick = False self.trace_snap1 = None self.empty_trace_bits = None if self.cpu.architecture == 'arm': lenreg = 'r0' else: lenreg = 'eax' self.len_reg_num = self.cpu.iface.int_register.get_number(lenreg) self.pc_reg = self.cpu.iface.int_register.get_number('pc') self.addr = None self.orig_buffer = None hang_cycles = 90000000 hang = os.getenv('HANG_CYCLES') if hang is not None: hang_cycles = int(hang) self.backstop.setHangCallback(self.coverage.recordHang, hang_cycles) self.lgr.debug('AFL init from snap %s' % snap_name) self.snap_name = snap_name self.loadPickle(snap_name) if target is None: self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False) if self.orig_buffer is not None: self.lgr.debug('restored %d bytes 0x%x context %s' % (len( self.orig_buffer), self.addr, self.cpu.current_context)) self.mem_utils.writeString(self.cpu, self.addr, self.orig_buffer) self.coverage.enableCoverage( self.pid, backstop=self.backstop, backstop_cycles=self.backstop_cycles, afl=True, fname=fname, linear=linear, create_dead_zone=self.create_dead_zone) cli.quiet_run_command('disable-reverse-execution') cli.quiet_run_command('enable-unsupported-feature internals') cli.quiet_run_command('save-snapshot name = origin') self.coverage.doCoverage() self.synchAFL() self.lgr.debug( 'afl done init, num packets is %d stop_on_read is %r' % (self.packet_count, self.stop_on_read)) self.fault_hap = None #tracemalloc.start() # hack around Simics model bug #self.fixFaults() else: self.lgr.debug('afl use target %s, call debug' % target) ''' need a bookmark to get back to here after setting up debug process ''' self.top.resetOrigin() self.top.debugProc(target, self.aflInitCallback)
def break_exception_18_present(): ret, cmdout = cli.quiet_run_command("break-exception -list", output_mode = output_modes.unformatted_text) return " 18 " in cmdout
def goAlone(self, clear_hits): self.current_packet = 1 self.index += 1 done = False if self.target != 'oneplay': ''' skip files if already have coverage ''' while not done and self.index < len(self.afl_list): fname = self.getHitsPath(self.index) if not os.path.isfile(fname): done = True else: hits_json = json.load(open(fname)) for hit in hits_json: hit = int(hit) if hit not in self.all_hits: self.all_hits.append(hit) self.index += 1 if self.index < len(self.afl_list): cli.quiet_run_command('restore-snapshot name = origin') if self.coverage is not None: if clear_hits: self.coverage.stopCover() self.coverage.doCoverage(no_merge=True, physical=self.physical) if self.orig_buffer is not None: #self.lgr.debug('playAFL restored %d bytes to original buffer at 0x%x' % (len(self.orig_buffer), self.addr)) self.mem_utils.writeString(self.cpu, self.addr, self.orig_buffer) full = os.path.join(self.afl_dir, self.afl_list[self.index]) with open(full, 'rb') as fh: if sys.version_info[0] == 2: self.in_data = bytearray(fh.read()) else: self.in_data = fh.read() self.lgr.debug( 'playAFL goAlone loaded %d bytes from file session %d of %d' % (len(self.in_data), self.index, len(self.afl_list))) self.afl_packet_count = self.packet_count if self.orig_buffer is not None: ''' restore receive buffer to original condition in case injected data is smaller than original and poor code references data past the end of what is received. ''' self.mem_utils.writeString(self.cpu, self.addr, self.orig_buffer) self.lgr.debug( 'playAFL restored %d bytes to original buffer at 0x%x' % (len(self.orig_buffer), self.addr)) #self.top.restoreRESimContext() #self.context_manager.restoreDebugContext() self.write_data = writeData.WriteData( self.top, self.cpu, self.in_data, self.afl_packet_count, self.mem_utils, self.backstop, self.snap_name, self.lgr, udp_header=self.udp_header, pad_to_size=self.pad_to_size, backstop_cycles=self.backstop_cycles, force_default_context=True, stop_on_read=self.stop_on_read) eip = self.top.getEIP(self.cpu) count = self.write_data.write() self.lgr.debug( 'playAFL goAlone ip: 0x%x wrote %d bytes from file %s continue from cycle 0x%x %d cpu context: %s' % (eip, count, self.afl_list[self.index], self.cpu.cycles, self.cpu.cycles, str(self.cpu.current_context))) self.backstop.setFutureCycle(self.backstop_cycles, now=True) if self.afl_mode: self.coverage.watchExits() elif self.coverage is not None: self.coverage.watchExits(callback=self.reportExit) else: self.context_manager.watchGroupExits() self.context_manager.setExitCallback(self.reportExit) SIM_run_command('c') else: ''' did all sessions ''' if self.coverage is not None and self.findbb is None and not self.afl_mode: hits = self.coverage.getHitCount() self.lgr.debug('All sessions done, save %d all_hits as %s' % (len(self.all_hits), self.target)) hits_path = self.coverage.getHitsPath() s = json.dumps(self.all_hits) save_name = '%s.%s.hits' % (hits_path, self.target) try: os.makedirs(os.path.dirname(hits_path)) except: pass with open(save_name, 'w') as fh: fh.write(s) fh.flush() print('%d Hits file written to %s' % (len(self.all_hits), save_name)) self.delStopHap(None) if self.findbb is not None: for f, n in sorted(self.bnt_list): print('%-30s packet %d' % (f, n)) print('Found %d sessions that hit address 0x%x' % (len(self.bnt_list), self.findbb)) print('Played %d sessions' % len(self.afl_list)) cli.quiet_run_command('restore-snapshot name = origin') if len(self.exit_list) > 0: print('%d Sessions that called exit:' % len(self.exit_list)) for exit in sorted(self.exit_list): print(exit) print('\n\n Sessions that did not exit:') for item in sorted(self.afl_list): if item not in self.exit_list: print(item)
def goN(self, status): if status != 0: self.lgr.debug('afl goN after crash. Call getMsg') ''' Only applies to multi-packet UDP fu ''' self.current_packet = 0 self.bad_trick = False ''' If just starting, get data from afl, otherwise, was read from stopHap. ''' if self.stop_hap is None: self.in_data = self.getMsg() if self.in_data is None: self.lgr.error('Got None from afl') return self.orig_data_length = len(self.in_data) self.orig_in_data = self.in_data cli.quiet_run_command('restore-snapshot name=origin') #self.top.restoreRESimContext() #self.lgr.debug('got %d of data from afl iteration %d' % (len(self.in_data), self.iteration)) if status != 0: self.lgr.debug( 'afl goN after crash. restored snapshot after getting %d bytes from afl' % len(self.in_data)) current_length = len(self.in_data) self.afl_packet_count = self.packet_count if self.udp_header is None and self.packet_count > 1 and current_length < ( self.pad_to_size * (self.packet_count - 1)): self.lgr.debug( 'afl packet count of %d and size of %d, but only %d bytes from AFL. Cannot do it.' % (self.packet_count, self.pad_to_size, current_length)) self.afl_packet_count = (current_length / self.pad_to_size) + 1 self.lgr.debug('afl packet count now %d' % self.afl_packet_count) if self.addr is None: self.addr, max_len = self.dataWatch.firstBufferAddress() if self.addr is None: self.lgr.error('AFL, no firstBufferAddress found') return if self.create_dead_zone: self.lgr.debug('afl goN dead zone iteration %d' % self.iteration) ''' clear the bit_trace ''' #self.lgr.debug('afl goN call doCoverage') if self.linear: #self.lgr.debug('afl, linear use context manager to watch tasks') self.context_manager.restoreDebugContext() self.context_manager.watchTasks() self.coverage.doCoverage() #self.lgr.debug('afl, did coverage, cycle: 0x%x' % self.cpu.cycles) if self.stop_hap is None: #self.lgr.debug('afl added stop hap') self.stop_hap = SIM_hap_add_callback("Core_Simulation_Stopped", self.stopHap, None) if status != 0: self.lgr.debug( 'afl goN call continue, cpu cycle was 0x%x context %s' % (self.cpu.cycles, self.cpu.current_context)) self.coverage.watchExits(pid=self.pid) if self.write_data is None: self.write_data = writeData.WriteData( self.top, self.cpu, self.in_data, self.afl_packet_count, self.mem_utils, self.backstop, self.snap_name, self.lgr, udp_header=self.udp_header, pad_to_size=self.pad_to_size, filter=self.filter_module, backstop_cycles=self.backstop_cycles, force_default_context=True, stop_on_read=self.stop_on_read) else: self.write_data.reset(self.in_data, self.afl_packet_count, self.addr) self.write_data.write() self.page_faults.watchPageFaults() #self.lgr.debug('afl goN context %s' % self.cpu.current_context) cli.quiet_run_command('c')
raise cs410_utils.try_loadm('410-core', 'cs410_dispatch') cs410_utils.try_loadm('410-core', 'cs410_boot_assist') cs410_utils.try_loadm('410-core', 'cs410_next') cs410_utils.try_loadm('410-core', 'cs410_core_haps') cs410_utils.try_loadm('410-core', 'cs410_osdev') print "Done." # # Set up source directories and the boot device. # from cs410_utils import working_dir, user_src_path, test_src_path, kern_path, img_path cli.quiet_run_command("flp0.insert-floppy A " + img_path) cli.quiet_run_command("system_cmp0.cmos-boot-dev A") (y, m, d, h, min, s, wd, yd, dst) = time.localtime(time.time()) cli.quiet_run_command("rtc0.set-date-time %d %d %d %d %d %d" % (y, m, d, h, min, s)) # The world has been put in order. But that might be way too boring. # So glance around and try to load some other files. loaded_mods = [] print "410: Staff modules...", for fname in glob.glob("./410mods-dynamic-*.py"): cs410_utils.try_loadm('410-dyn', fname[2:-3]) # Grab the part after 410mods-dynamic-* and put it in the list. loaded_mods.append(fname[18:-3]) print "Done."
def __init__(self, top, cpu, cell_name, backstop, coverage, mem_utils, dataWatch, target, snap_name, context_manager, cfg_file, lgr, packet_count=1, stop_on_read=False, linear=False, create_dead_zone=False, afl_mode=False, crashes=False): self.top = top self.backstop = backstop self.coverage = coverage self.mem_utils = mem_utils self.dataWatch = dataWatch self.snap_name = snap_name self.cpu = cpu self.context_manager = context_manager self.cell_name = cell_name self.lgr = lgr self.afl_mode = afl_mode self.findbb = None self.write_data = None self.orig_buffer = None self.return_ip = None self.cfg_file = cfg_file self.target = target self.afl_dir = aflPath.getAFLOutput() self.all_hits = [] pad_env = os.getenv('AFL_PAD') if pad_env is not None: try: self.pad_to_size = int(pad_env) except: self.lgr.error('Bad AFL_PAD value %s' % pad_env) return else: self.pad_to_size = 0 self.stop_on_read = stop_on_read if not self.stop_on_read: sor = os.getenv('STOP_ON_READ') if sor is not None and sor.lower() == 'true': self.stop_on_read = True self.udp_header = os.getenv('AFL_UDP_HEADER') if packet_count > 1 and not (self.udp_header is not None or self.pad_to_size > 0): self.lgr.error( 'Multi-packet requested but no pad or UDP header has been given in env variables' ) return None if os.path.isfile(target): ''' single file to play ''' self.target = 'oneplay' relative = target[(len(self.afl_dir) + 1):] self.afl_list = [relative] self.lgr.debug( 'playAFL, single file, path relative to afl_dir is %s' % relative) else: if not crashes: self.afl_list = aflPath.getTargetQueue(target, get_all=True) else: self.afl_list = aflPath.getTargetCrashes(target) print('Playing %d sessions. Please wait until that is reported.' % len(self.afl_list)) self.lgr.debug('playAFL afl list has %d items' % len(self.afl_list)) self.index = -1 self.stop_hap = None self.call_hap = None self.call_break = None self.addr = None self.in_data = None #self.backstop_cycles = 100000 self.backstop_cycles = 900000 bsc = os.getenv('BACK_STOP_CYCLES') if bsc is not None: self.backstop_cycles = int(bsc) self.packet_count = packet_count self.afl_packet_count = None self.current_packet = 0 self.call_ip = None self.hit_total = 0 ''' replay file names that hit the given bb ''' self.bnt_list = [] self.pid = self.top.getPID() self.stop_on_break = False self.exit_list = [] if self.cpu.architecture == 'arm': lenreg = 'r0' else: lenreg = 'eax' self.len_reg_num = self.cpu.iface.int_register.get_number(lenreg) self.snap_name = snap_name if not self.loadPickle(snap_name): print('No AFL data stored for checkpoint %s, cannot play AFL.' % snap_name) return None cli.quiet_run_command('disable-reverse-execution') cli.quiet_run_command('enable-unsupported-feature internals') cli.quiet_run_command('save-snapshot name = origin') self.top.removeDebugBreaks(keep_watching=False, keep_coverage=False) self.physical = False if self.coverage is not None: self.coverage.enableCoverage(self.pid, backstop=self.backstop, backstop_cycles=self.backstop_cycles, afl=afl_mode, linear=linear, create_dead_zone=create_dead_zone) self.physical = True if linear: self.physical = False self.lgr.debug( 'afl, linear use context manager to watch tasks') self.context_manager.restoreDebugContext() self.context_manager.watchTasks() self.coverage.doCoverage(no_merge=True, physical=self.physical) full_path = self.coverage.getFullPath() full_path = os.path.abspath(full_path) hits_path = self.coverage.getHitsPath() + '.prog' parent = os.path.dirname(os.path.abspath(hits_path)) print('parent is %s' % parent) try: os.makedirs(parent) except: pass with open(hits_path, 'w') as fh: fh.write(full_path + '\n') fh.write(self.cfg_file + '\n') #print('full_path is %s, wrote that to %s' % (full_path, hits_path)) #self.backstop.setCallback(self.whenDone) hang_cycles = 90000000 hang = os.getenv('HANG_CYCLES') if hang is not None: hang_cycles = int(hang) self.backstop.setHangCallback(self.hangCallback, hang_cycles)
raise cs410_utils.try_loadm('410-core', 'cs410_dispatch') cs410_utils.try_loadm('410-core', 'cs410_boot_assist') cs410_utils.try_loadm('410-core', 'cs410_next') cs410_utils.try_loadm('410-core', 'cs410_core_haps') cs410_utils.try_loadm('410-core', 'cs410_osdev') print "Done." # # Set up source directories and the boot device. # from cs410_utils import working_dir, user_src_path, test_src_path, kern_path, img_path cli.quiet_run_command("system.motherboard.sio.flp.insert-floppy A " + img_path) cli.quiet_run_command("system.motherboard.cmos-boot-dev A") (y, m, d, h, min, s, wd, yd, dst) = time.localtime(time.time()) cli.quiet_run_command("system.motherboard.southbridge.rtc.set-date-time %d %d %d %d %d %d" % (y, m, d, h, min, s)) # The world has been put in order. But that might be way too boring. # So glance around and try to load some other files. loaded_mods = [] print "410: Staff modules...", for fname in glob.glob("./410mods-dynamic-*.py"): cs410_utils.try_loadm('410-dyn', fname[2:-3]) # Grab the part after 410mods-dynamic-* and put it in the list. loaded_mods.append(fname[18:-3]) print "Done."
def goToDebugBookmark(self, mark): if type(mark) == int: self.lgr.debug('goToDebugBookmark skip to debug bookmark: %d' % mark) marks = self.getSorted() i = 0 for the_mark in marks: i += 1 if i == mark: self.goToDebugBookmark(the_mark) return self.lgr.debug('goToDebugBookmark skip to debug bookmark: %s' % mark) if mark not in self.__bookmarks: self.lgr.error( 'goToDebugBookmark could not find cycle for mark %s' % mark) return sys.stderr = open('err.txt', 'w') dum, cpu = self.context_mgr.getDebugPid() self.context_mgr.clearExitBreaksAlone(None) start_cycle = self.getCycle('_start+1') done = False if self.top.SIMICS_BUG: while not done: SIM_run_command('pselect %s' % cpu.name) SIM_run_command('skip-to cycle = 0x%x' % start_cycle) cycles = SIM_cycle_count(cpu) self.lgr.debug( 'goToDebugBookmark, did skip to start at cycle %x, expected %x ' % (cycles, start_cycle)) cycle = self.__bookmarks[mark].cycles self.lgr.debug("goToDebugBookmark, pslect then skip to 0x%x" % cycle) SIM_run_command('pselect %s' % cpu.name) SIM_run_command('skip-to cycle=%d' % cycle) eip = self.top.getEIP(cpu) current = SIM_cycle_count(cpu) step = SIM_step_count(cpu) self.lgr.debug( 'goToDebugBookmark skipped to cycle %x step: %x eip: %x, wanted cycle: %x step: %x eip: %x' % (current, step, eip, cycle, self.__bookmarks[mark].steps, self.__bookmarks[mark].eip)) if current != cycle or eip != self.__bookmarks[mark].eip: self.lgr.error( 'goToDebugBookmark, simicsError skipped to cycle %x eip: %x, BUT WE wanted %x eip: 0x%x' % (current, eip, cycle, self.__bookmarks[mark].eip)) ''' play simics ping pong until cycles match eip ''' else: done = True else: cycle = self.__bookmarks[mark].cycles #self.lgr.debug("goToDebugBookmark, pslect then skip to 0x%x" % cycle) cli.quiet_run_command('pselect %s' % cpu.name) try: cli.quiet_run_command('skip-to cycle=%d' % cycle) except: print('reverse disabled') return 'reverse disabled' eip = self.top.getEIP(cpu) current = SIM_cycle_count(cpu) step = SIM_step_count(cpu) #if cycle is not None and self.__bookmarks[mark].steps is not None: # self.lgr.debug('goToDebugBookmark skipped to cycle %x step: %x eip: %x, wanted cycle: %x step: %x eip: %x' % (current, step, eip, cycle, self.__bookmarks[mark].steps, self.__bookmarks[mark].eip)) if current != cycle or eip != self.__bookmarks[mark].eip: self.lgr.error( 'goToDebugBookmark, simicsError skipped to cycle %x eip: %x, BUT WE wanted %x eip: 0x%x' % (current, eip, cycle, self.__bookmarks[mark].eip)) self.context_mgr.setExitBreaks() self.context_mgr.resetBackStop() self.top.gdbMailbox('0x%x' % eip) #self.lgr.debug('goToDebugBookmark set mbox to %x' % eip) return self.__mark_msg[mark]
str = working_dir + "/" + str # print " And I'm guessing this means I should look in '%s'" % str if (os.path.isfile(str)): # Load all subsequent symbol tables with this source as well kern_path = str # I'm pretty sure this is unnecessary; it's not like the kernel symbol table is # going to change in flight, and even if it does, it's not like we need to keep # both of them around. Let's reuse deflsym and avoid the assertion failure we # get from calling new-symtable at runtime. # usersym = "usersym%d" % cs410_dispatch.kernel_up usersym = "deflsym" cli.quiet_run_command("%s.source-path \"%s/;%s;%s\"" % (usersym, working_dir, user_src_path, test_src_path)) cli.quiet_run_command("%s.load-symbols %s" % (usersym, str)) cli.quiet_run_command("cell0_context.symtable %s" % usersym) else: print "No such kernel image: '%s'; symbolic debugging won't work." % str # print " !!> Cannot find that file; ignoring simulation request." # print " !!> This probably means that symbolic debugging will not work." # print " !!> Note that we are running loader callbacks anyway!" # print " !!> Please contact a TA." error = 1 for x in boot_callbacks: x(cpu, cs410_dispatch.kernel_up, error) cs410_dispatch.add_simcall(booted)
def disablebps(bp): cli.quiet_run_command("disable %d" % bp)