From 12bcf3bea093ed733904d3993bbdba0c2572a497 Mon Sep 17 00:00:00 2001 From: Catena cyber <35799796+catenacyber@users.noreply.github.com> Date: Tue, 11 Sep 2018 06:49:32 +0200 Subject: [PATCH] Fuzz builds ok (#1007) * Fuzzing M68K without abort * UC_MODE_32 is not ok with sparc use UC_MODE_SPARC32|UC_MODE_BIG_ENDIAN instead * Temporary removing leaking on start targets * Do not abort for m68K undef instructions --- qemu/target-m68k/translate.c | 3 -- tests/fuzz/fuzz_emu_arm_thumbbe.c | 56 ------------------------------- tests/fuzz/fuzz_emu_sparc_32.c | 56 ------------------------------- tests/fuzz/fuzz_emu_sparc_64be.c | 56 ------------------------------- tests/fuzz/gentargets.sh | 5 ++- tests/regress/memleak_sparc.c | 2 +- 6 files changed, 3 insertions(+), 175 deletions(-) delete mode 100644 tests/fuzz/fuzz_emu_arm_thumbbe.c delete mode 100644 tests/fuzz/fuzz_emu_sparc_32.c delete mode 100644 tests/fuzz/fuzz_emu_sparc_64be.c diff --git a/qemu/target-m68k/translate.c b/qemu/target-m68k/translate.c index 30f58d4b..837b9566 100644 --- a/qemu/target-m68k/translate.c +++ b/qemu/target-m68k/translate.c @@ -888,10 +888,7 @@ DISAS_INSN(undef_fpu) DISAS_INSN(undef) { - M68kCPU *cpu = m68k_env_get_cpu(env); - gen_exception(s, s->pc - 2, EXCP_UNSUPPORTED); - cpu_abort(CPU(cpu), "Illegal instruction: %04x @ %08x", insn, s->pc - 2); } DISAS_INSN(mulw) diff --git a/tests/fuzz/fuzz_emu_arm_thumbbe.c b/tests/fuzz/fuzz_emu_arm_thumbbe.c deleted file mode 100644 index 94fac450..00000000 --- a/tests/fuzz/fuzz_emu_arm_thumbbe.c +++ /dev/null @@ -1,56 +0,0 @@ -#include - - -// memory address where emulation starts -#define ADDRESS 0x1000000 - -uc_engine *uc; -int initialized = 0; -FILE * outfile = NULL; - - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - uc_err err; - - if (initialized == 0) { - if (outfile == NULL) { - // we compute the output - outfile = fopen("/dev/null", "w"); - if (outfile == NULL) { - printf("failed opening /dev/null\n"); - abort(); - return 0; - } - } - - initialized = 1; - } - - // Not global as we must reset this structure - // Initialize emulator in supplied mode - err = uc_open(UC_ARCH_ARM, UC_MODE_THUMB + UC_MODE_BIG_ENDIAN, &uc); - if (err != UC_ERR_OK) { - printf("Failed on uc_open() with error returned: %u\n", err); - abort(); - } - - // map 4MB memory for this emulation - uc_mem_map(uc, ADDRESS, 4 * 1024 * 1024, UC_PROT_ALL); - - // write machine code to be emulated to memory - if (uc_mem_write(uc, ADDRESS, Data, Size)) { - printf("Failed to write emulation code to memory, quit!\n"); - abort(); - } - - // emulate code in infinite time & 4096 instructions - // avoid timeouts with infinite loops - err=uc_emu_start(uc, ADDRESS, ADDRESS + Size, 0, 0x1000); - if (err) { - fprintf(outfile, "Failed on uc_emu_start() with error returned %u: %s\n", err, uc_strerror(err)); - } - - uc_close(uc); - - return 0; -} diff --git a/tests/fuzz/fuzz_emu_sparc_32.c b/tests/fuzz/fuzz_emu_sparc_32.c deleted file mode 100644 index 0e3e20ed..00000000 --- a/tests/fuzz/fuzz_emu_sparc_32.c +++ /dev/null @@ -1,56 +0,0 @@ -#include - - -// memory address where emulation starts -#define ADDRESS 0x1000000 - -uc_engine *uc; -int initialized = 0; -FILE * outfile = NULL; - - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - uc_err err; - - if (initialized == 0) { - if (outfile == NULL) { - // we compute the output - outfile = fopen("/dev/null", "w"); - if (outfile == NULL) { - printf("failed opening /dev/null\n"); - abort(); - return 0; - } - } - - initialized = 1; - } - - // Not global as we must reset this structure - // Initialize emulator in supplied mode - err = uc_open(UC_ARCH_SPARC, UC_MODE_32, &uc); - if (err != UC_ERR_OK) { - printf("Failed on uc_open() with error returned: %u\n", err); - abort(); - } - - // map 4MB memory for this emulation - uc_mem_map(uc, ADDRESS, 4 * 1024 * 1024, UC_PROT_ALL); - - // write machine code to be emulated to memory - if (uc_mem_write(uc, ADDRESS, Data, Size)) { - printf("Failed to write emulation code to memory, quit!\n"); - abort(); - } - - // emulate code in infinite time & 4096 instructions - // avoid timeouts with infinite loops - err=uc_emu_start(uc, ADDRESS, ADDRESS + Size, 0, 0x1000); - if (err) { - fprintf(outfile, "Failed on uc_emu_start() with error returned %u: %s\n", err, uc_strerror(err)); - } - - uc_close(uc); - - return 0; -} diff --git a/tests/fuzz/fuzz_emu_sparc_64be.c b/tests/fuzz/fuzz_emu_sparc_64be.c deleted file mode 100644 index fda4d8b5..00000000 --- a/tests/fuzz/fuzz_emu_sparc_64be.c +++ /dev/null @@ -1,56 +0,0 @@ -#include - - -// memory address where emulation starts -#define ADDRESS 0x1000000 - -uc_engine *uc; -int initialized = 0; -FILE * outfile = NULL; - - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - uc_err err; - - if (initialized == 0) { - if (outfile == NULL) { - // we compute the output - outfile = fopen("/dev/null", "w"); - if (outfile == NULL) { - printf("failed opening /dev/null\n"); - abort(); - return 0; - } - } - - initialized = 1; - } - - // Not global as we must reset this structure - // Initialize emulator in supplied mode - err = uc_open(UC_ARCH_SPARC, UC_MODE_SPARC64|UC_MODE_BIG_ENDIAN, &uc); - if (err != UC_ERR_OK) { - printf("Failed on uc_open() with error returned: %u\n", err); - abort(); - } - - // map 4MB memory for this emulation - uc_mem_map(uc, ADDRESS, 4 * 1024 * 1024, UC_PROT_ALL); - - // write machine code to be emulated to memory - if (uc_mem_write(uc, ADDRESS, Data, Size)) { - printf("Failed to write emulation code to memory, quit!\n"); - abort(); - } - - // emulate code in infinite time & 4096 instructions - // avoid timeouts with infinite loops - err=uc_emu_start(uc, ADDRESS, ADDRESS + Size, 0, 0x1000); - if (err) { - fprintf(outfile, "Failed on uc_emu_start() with error returned %u: %s\n", err, uc_strerror(err)); - } - - uc_close(uc); - - return 0; -} diff --git a/tests/fuzz/gentargets.sh b/tests/fuzz/gentargets.sh index f7fb1f89..92385051 100644 --- a/tests/fuzz/gentargets.sh +++ b/tests/fuzz/gentargets.sh @@ -4,9 +4,8 @@ sed 's/UC_MODE_32/UC_MODE_64/' fuzz_emu_x86_32.c > fuzz_emu_x86_64.c sed 's/UC_MODE_32/UC_MODE_16/' fuzz_emu_x86_32.c > fuzz_emu_x86_16.c -sed 's/UC_ARCH_X86/UC_ARCH_SPARC/' fuzz_emu_x86_32.c > fuzz_emu_sparc_32.c sed 's/UC_ARCH_X86/UC_ARCH_SPARC/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_SPARC32|UC_MODE_BIG_ENDIAN/' > fuzz_emu_sparc_32be.c -sed 's/UC_ARCH_X86/UC_ARCH_SPARC/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_SPARC64|UC_MODE_BIG_ENDIAN/' > fuzz_emu_sparc_64be.c +#sed 's/UC_ARCH_X86/UC_ARCH_SPARC/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_SPARC64|UC_MODE_BIG_ENDIAN/' > fuzz_emu_sparc_64be.c sed 's/UC_ARCH_X86/UC_ARCH_M68K/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_BIG_ENDIAN/' > fuzz_emu_m68k_be.c @@ -19,4 +18,4 @@ sed 's/UC_ARCH_X86/UC_ARCH_ARM64/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE sed 's/UC_ARCH_X86/UC_ARCH_ARM/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_ARM/' > fuzz_emu_arm_arm.c sed 's/UC_ARCH_X86/UC_ARCH_ARM/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_THUMB/' > fuzz_emu_arm_thumb.c sed 's/UC_ARCH_X86/UC_ARCH_ARM/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_ARM + UC_MODE_BIG_ENDIAN/' > fuzz_emu_arm_armbe.c -sed 's/UC_ARCH_X86/UC_ARCH_ARM/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_THUMB + UC_MODE_BIG_ENDIAN/' > fuzz_emu_arm_thumbbe.c +#sed 's/UC_ARCH_X86/UC_ARCH_ARM/' fuzz_emu_x86_32.c | sed 's/UC_MODE_32/UC_MODE_THUMB + UC_MODE_BIG_ENDIAN/' > fuzz_emu_arm_thumbbe.c diff --git a/tests/regress/memleak_sparc.c b/tests/regress/memleak_sparc.c index 049ebda5..b3dd81e7 100644 --- a/tests/regress/memleak_sparc.c +++ b/tests/regress/memleak_sparc.c @@ -55,7 +55,7 @@ static void test_sparc(void) printf("Emulate SPARC code\n"); // Initialize emulator in Sparc mode - err = uc_open(UC_ARCH_SPARC, UC_MODE_32, &uc); + err = uc_open(UC_ARCH_SPARC, UC_MODE_SPARC32|UC_MODE_BIG_ENDIAN, &uc); if (err) { printf("Failed on uc_open() with error returned: %u (%s)\n", err, uc_strerror(err));