#ifndef FUZZC_H
#define FUZZC_H
/*
 * Backend-independent interface of the fuzzer: address types, per-backend
 * hooks (control, breakpoints, dbg, init, instrument, mem, regs, ept/s2pt)
 * and the entry points of the core .cc files that the backends call back into.
 *
 * Note that the extern "C" linkage block is opened only when HP_BACKEND_QEMU
 * is defined. Under other backends (HP_BACKEND_BOCHS is referenced further
 * down) these declarations take the default linkage of the including
 * translation unit, so C and C++ users of this header see different linkage
 * depending on the backend.
 */
#if defined(HP_BACKEND_QEMU)
#ifdef __cplusplus
extern "C" {
#endif
#endif
/*
 * Backend-specific includes and toolchain prefix.
 * x86-64 builds pull in the Bochs CPU/memory headers; AArch64 builds only
 * need <libgen.h> here. NM_PREFIX is presumably prepended to a binutils
 * tool name (e.g. "nm") when resolving symbols — confirm against its users.
 */
#if defined(HP_X86_64)
#include "bochs.h"
#include "cpu/cpu.h"
#include "memory/memory-bochs.h"
#define NM_PREFIX ""
#elif defined(HP_AARCH64)
#include <libgen.h>
#define NM_PREFIX "aarch64-linux-gnu-"
#endif
/*
 * Guest address and instruction types, abstracted over the backend.
 *  - hp_address:      guest virtual (linear) address
 *  - hp_phy_address:  guest physical address
 *  - hp_instruction:  backend instruction object; on AArch64 this is void,
 *                     so fuzz_after_execution() receives only an opaque
 *                     pointer there.
 * On x86-64 these alias the Bochs types; on AArch64 they are plain uint64_t.
 * Neither branch is taken if no HP_* architecture macro is defined, in which
 * case every declaration below that uses these names fails to compile.
 */
#if defined(HP_X86_64)
typedef bx_address hp_address;
typedef bx_phy_address hp_phy_address;
typedef bxInstruction_c hp_instruction;
#elif defined(HP_AARCH64)
typedef uint64_t hp_address;
typedef uint64_t hp_phy_address;
typedef void hp_instruction;
#endif
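// backends/xxx/control
/*
 * Execution control of the fuzzed vCPU ("cpu0"), implemented per backend.
 * The fuzztrace and fuzz_executing_input flags are plain get/set pairs; what
 * the backend does with them is not visible from this header.
 *
 * All no-argument functions are declared with (void): in C an empty
 * parameter list is not a prototype, so calls would go unchecked.
 */
bool cpu0_get_fuzztrace(void);
void cpu0_set_fuzztrace(bool fuzztrace);
bool cpu0_get_fuzz_executing_input(void);
void cpu0_set_fuzz_executing_input(bool fuzzing);
void cpu0_run_loop(void);
void cpu0_run_loop_and_ret(void);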
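// backends/xxx/breakpoints
/*
 * Install the breakpoint set for the named guest OS (Linux or seL4); the
 * caller picks which one applies. Declared with (void) so the C build gets
 * real prototypes instead of unchecked empty parameter lists.
 */
void apply_breakpoints_linux(void);
void apply_breakpoints_seL4(void);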
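// backends/xxx/dbg
/*
 * GDB stub support. (void) prototypes so the C build type-checks the calls.
 */
void icp_init_gdb(void);
bool is_gdbstub_enabled(void);
void hp_gdbstub_debug_loop(void);
#if defined(HP_BACKEND_BOCHS)
/*
 * Bochs-only memory access check used by the gdb stub.
 * @param cpu  CPU index
 * @param lin  linear (virtual) address of the access
 * @param len  length of the access in bytes
 * @param rw   read/write selector — encoding not visible here, see the
 *             Bochs backend
 * @return     meaning of the int result is defined by the Bochs backend
 */
int bx_gdbstub_mem_check(unsigned cpu, uint64_t lin, unsigned len, unsigned rw);
#endif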
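// backends/xxx/init
/* One-time backend initialization; (void) so the C build gets a prototype. */
void icp_init_backend(void);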
// backends/xxx/instrument
/*
 * AArch64-only instrumentation callbacks (there is no x86-64 counterpart in
 * this header).
 *  - write_pcs_execution: presumably records the executed pc and the previous
 *    one (pc_last) — confirm against the QEMU backend.
 *  - qemu_ctrl_flow_insn: invoked for a control-flow instruction at branch_pc
 *    that transfers to new_pc.
 */
#if defined(HP_AARCH64)
void write_pcs_execution(uint64_t pc, uint64_t pc_last);
void qemu_ctrl_flow_insn(uint64_t branch_pc, uint64_t new_pc);
#endif
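// backends/xxx/mem
/*
 * Guest memory access, snapshot/dirty tracking and translation helpers.
 * The no-argument functions are declared with (void) so the C build gets
 * real prototypes.
 */

/*
 * Backend hook for every guest memory access.
 * NOTE(review): the first parameter is named `phy` but typed hp_address (the
 * virtual-address type used by cpu0_read_virtual below) — confirm which
 * address space the backend actually passes.
 * @param len      access length in bytes
 * @param memtype  backend-specific memory type code
 * @param rw       read/write selector (encoding defined by the backend)
 * @param data     pointer to the accessed bytes
 */
void fuzz_hook_memory_access(hp_address phy, unsigned len,
unsigned memtype, unsigned rw, void* data);
void fuzz_clear_dirty(void);
void fuzz_watch_memory_inc(void);
void fuzz_reset_memory(void);
/* Load the initial guest memory image from `filename`. */
void icp_init_mem(const char* filename);
/*
 * Virtual-address read/write of `size` bytes at `start` through cpu0's
 * translation. `data` is only read by the write variant but is not declared
 * const (unlike cpu_physical_memory_write_fastpath below); tightening it here
 * would require matching changes to the definitions.
 */
void cpu0_read_virtual(hp_address start, size_t size, void *data);
void cpu0_write_virtual(hp_address start, size_t size, void *data);
/*
 * Fetch the instruction bytes at `pc` into instr_buf; returns false if the
 * fetch fails. NOTE(review): there is no length parameter, so the caller
 * must size instr_buf to whatever the backend writes — confirm the required
 * size against the implementation. Also note pc is size_t here while every
 * other pc in this header is uint64_t/hp_address.
 */
bool cpu0_read_instr_buf(size_t pc, uint8_t *instr_buf);
/* Translate a guest virtual address to a guest physical address. */
hp_phy_address cpu0_virt2phy(hp_address start);
/* Page-granular physical read/write of `len` bytes at `addr`. */
void cpu0_mem_read_physical_page(hp_phy_address addr, size_t len, void *buf);
void cpu0_mem_write_physical_page(hp_phy_address addr, size_t len, void *buf);
void cpu0_tlb_flush(void);
/* Direct physical memory access by raw 64-bit address. */
void cpu_physical_memory_read_fastpath(uint64_t addr, void* dest, size_t len);
void cpu_physical_memory_write_fastpath(uint64_t addr, const void* src, size_t len);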
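// backends/xxx/regs
/*
 * Register access for cpu0, plus architecture-specific state needed to
 * synthesize hypervisor traps. No-argument functions are declared with
 * (void) so the C build gets real prototypes.
 */
#if defined(HP_X86_64)
/* Current VMCS pointer (x86-64 only). */
uint64_t cpu0_get_vmcsptr(void);
#endif
/* Load the initial register state from `filename`. */
void icp_init_regs(const char* filename);
void dump_regs(void);
/* Program counter; the parameter is named rip but is used on both arches. */
uint64_t cpu0_get_pc(void);
void cpu0_set_pc(uint64_t rip);
void cpu0_invalidate_prefetch(void);
size_t init_random_register_data_len(void);
/* True when cpu0 is at user privilege level. */
bool cpu0_get_user_pl(void);
/* Presumably snapshot/restore of the full cpu0 state — confirm in backend. */
void save_cpu(void);
void restore_cpu(void);
/* General-purpose register file access by index (encoding is backend-defined). */
void cpu0_set_general_purpose_reg64(unsigned reg, uint64_t value);
uint64_t cpu0_get_general_purpose_reg64(unsigned reg);
#if defined(HP_AARCH64)
/*
 * Set up the EL2 syndrome/fault registers so the guest hypervisor sees a
 * synthetic HVC or data-abort trap. sas/srt presumably map to the ISS.SAS
 * (access size) and ISS.SRT (target register) fields of the ESR_EL2
 * data-abort syndrome — confirm against the implementation.
 */
void aarch64_set_esr_el2_for_hvc(void);
void aarch64_set_esr_el2_for_data_abort(int sas, int srt, int write_or_read);
void aarch64_set_far_el2(uint64_t far);
uint64_t aarch64_get_far_el2(void);
void aarch64_set_hpfar_el2(uint64_t addr);
uint64_t aarch64_get_hpfar_el2(void);
#endif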
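// backends/xxx/ept/s2pt
/*
 * Second-level address translation bookkeeping: EPT on x86-64, stage-2 page
 * tables (s2pt) on AArch64. No-argument functions are declared with (void)
 * so the C build gets real prototypes.
 */
void mark_page_not_guest(hp_phy_address addr, int level);
/* Mark a range [paddr, paddr+len) as an L2 guest page / L2 guest page table. */
void mark_l2_guest_page(uint64_t paddr, uint64_t len, uint64_t addr);
void mark_l2_guest_pagetable(uint64_t paddr, uint64_t len, uint8_t level);
/*
 * Guest-physical / guest-virtual to host-physical translation.
 * NOTE(review): the two use different conventions — gpa2hpa returns an int
 * (meaning defined by the backend) and also reports the translation level,
 * while gva2hpa returns a bool; callers must not treat them alike.
 */
int gpa2hpa(hp_phy_address guest_paddr, hp_phy_address *phy, int *translation_level);
bool gva2hpa(hp_address laddr, hp_phy_address *phy);
#if defined(HP_X86_64)
void ept_locate_pc(void);
void ept_mark_page_table(void);
#elif defined(HP_AARCH64)
void s2pt_locate_pc(void);
void s2pt_mark_page_table(void);
#endif
/* True if the physical frame at `addr` belongs to the guest. */
bool frame_is_guest(hp_phy_address addr);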
// fuzz.cc
/*
 * Callback for DMA reads of `len` bytes at guest-physical `addr`; `data`
 * points at the buffer involved. Whether the fuzzer fills or inspects it is
 * not visible here — see fuzz.cc.
 */
void fuzz_dma_read_cb(hp_phy_address addr, unsigned len, void* data);
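// main.cc
/*
 * Entry points the backends call back into the fuzzer core. The stop
 * functions end the current emulation run; `type` of fuzz_emu_stop_crash is
 * a caller-supplied crash classification string. No-argument functions are
 * declared with (void) so the C build gets real prototypes.
 */
void fuzz_emu_stop_normal(void);
void fuzz_emu_stop_unhealthy(void);
void fuzz_emu_stop_crash(const char *type);
/* Exception delivered to the guest: vector number and its error code. */
void fuzz_hook_exception(unsigned vector, unsigned error_code);
void fuzz_hook_hlt(void);
void fuzz_interrupt(unsigned cpu, unsigned vector);
/* Per-instruction hooks; `i` is an opaque pointer on AArch64 (hp_instruction is void there). */
void fuzz_after_execution(hp_instruction *i);
void fuzz_before_execution(uint64_t icount);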
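// cov.cc
/*
 * Coverage and call-stack tracking. No-argument functions are declared with
 * (void) so the C build gets real prototypes.
 */
void print_stacktrace(void);
/* Record a control-flow edge prev_rip -> new_rip in the coverage map. */
void add_edge(uint64_t prev_rip, uint64_t new_rip);
// sysret (x86) -> eret (AARCH64)
/* Status word tracking the last return-to-user transition; encoding is
 * defined in cov.cc. */
uint32_t get_sysret_status(void);
void reset_sysret_status(void);
void set_sysret_status(uint32_t new_status);
/* Shadow call stack maintained from branch events. */
void add_stacktrace(hp_address branch_rip, hp_address new_rip);
void pop_stacktrace(void);
bool empty_stacktrace(void);
void fuzz_stacktrace(void);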
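// feedback.cc
/*
 * Feedback hooks. The architecture-specific hook fires on the transition into
 * the nested guest (VMLAUNCH on x86-64) or back into the EL1 kernel (AArch64).
 * Declared with (void) so the C build gets a real prototype.
 */
#if defined(HP_X86_64)
bool fuzz_hook_vmlaunch(void);
#elif defined(HP_AARCH64)
bool fuzz_hook_back_to_el1_kernel(void);
#endif
/*
 * Comparison hook with both operands; `size` is presumably the operand
 * width (units not visible here — confirm in feedback.cc).
 */
void fuzz_hook_cmp(uint64_t op1, uint64_t op2, size_t size);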
// slat.cc
/*
 * x raised to the power y in 64-bit unsigned arithmetic. Overflow behaviour
 * (presumably wrap-around modulo 2^64) is decided by the definition in
 * slat.cc — confirm before relying on large results.
 */
uint64_t pow64(uint64_t x, uint64_t y);
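// hmem.cc
/* Highest tracked guest-physical address; bitmaps below are sized by it. */
extern size_t maxaddr;
extern uint8_t* is_l2_page_bitmap; /* Page is in L2 */
/* Presumably: page holds an L2 page table (the original comment duplicated
 * the line above) — confirm against hmem.cc. */
extern uint8_t* is_l2_pagetable_bitmap;
void fuzz_mark_l2_guest_page(uint64_t paddr, uint64_t len);
/* Declared with (void) so the C build gets a real prototype. */
void fuzz_reset_watched_pages(void);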
// sym2addr_linux.cc
/*
 * Symbol <-> address lookup record shared by addr_to_sym()/sym_to_addr().
 * Which fields are inputs and which are outputs depends on the direction of
 * the lookup; see sym2addr_linux.cc. The string members are not owned by
 * this struct (they are const char*, nothing here frees them).
 */
typedef struct addr_bin_name {
size_t addr;        /* address of the symbol (plus off, presumably) */
const char *bin;    /* binary/module the symbol belongs to */
const char *name;   /* symbol name */
int off;            /* offset from the symbol start — sign convention not visible here */
} addr_bin_name;
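/*
 * Resolve an address to a symbol, or a symbol to an address, in place.
 * Returns false when the lookup fails. The parameter is named `entry` rather
 * than `addr_bin_name`, which shadowed the typedef of the same name in the
 * original prototypes (legal, but trips -Wshadow and misleads readers).
 * Prototype parameter names are not part of the ABI, so callers are unaffected.
 */
bool addr_to_sym(addr_bin_name *entry);
bool sym_to_addr(addr_bin_name *entry);
/* Convenience lookup of `name` within `bin`; return convention on failure is
 * defined in sym2addr_linux.cc. */
uint64_t sym_to_addr2(const char *bin, const char *name);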
/* Close the extern "C" block opened for HP_BACKEND_QEMU at the top, then the
 * FUZZC_H include guard. */
#if defined(HP_BACKEND_QEMU)
#ifdef __cplusplus
}
#endif
#endif
#endif