-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathqemu-system-aarch64-afl
executable file
·102 lines (88 loc) · 3.18 KB
/
qemu-system-aarch64-afl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#!/usr/bin/env bash
# Disable core dumps
# You can activate core dumps, but this will fill your disk with core dumps in
# optee/arm-trusted-firmware/build/qemu/release
ulimit -c 0
# Increase virtual memory limit
#ulimit -Sv $[2047 << 10]
BASE_PATH=$(dirname "$(readlink -f "$0")")
UUID=$(uuidgen)
KERNEL="$BASE_PATH/linux/arch/arm64/boot/Image"
ROOTFS="$BASE_PATH/gen_rootfs/filesystem.cpio.gz"
TZBIOS="$BASE_PATH/arm-trusted-firmware/build/qemu/release/bl1.bin"
TASK_BIN="$BASE_PATH/task/qemu-$UUID/bin"
TASK_LOG="$BASE_PATH/task/qemu-$UUID/log"
NPORT=540${FUZZ_ID:-01}
SPORT=541${FUZZ_ID:-01}
function run_qemu {
cd "$BASE_PATH/arm-trusted-firmware/build/qemu/release"
"$BASE_PATH/qemu/aarch64-softmmu/qemu-system-aarch64" \
-nographic \
-serial telnet:127.0.0.1:$NPORT,server \
-serial telnet:127.0.0.1:$SPORT,server \
-machine virt,secure=on \
-cpu cortex-a57 \
-m 1057 \
-bios "$TZBIOS" \
-semihosting-config enable,target=native \
-d unimp \
-initrd "$ROOTFS" \
-kernel "$KERNEL" -no-acpi \
-append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2' \
-fsdev local,id=fsdev0,path="$BASE_PATH",security_model=none \
-device virtio-9p-device,fsdev=fsdev0,mount_tag=host \
-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
"$@"
}
# ncwait_command PORT LOGFILE
function ncwait_command {
echo "source scripts/ncwait.sh; ncwait_log \"$1\" \"$2\""
}
# xterm_log TITLE PORT LOGFILE
function xterm_log {
xterm -title "$1" -e 'bash' -c "$(ncwait_command "$2" "$3")" &
}
# xfce4-terminal_log TITLE PORT LOGFILE
function xfce4-terminal_log {
xfce4-terminal --title "$1" -e "bash -c \"$(ncwait_command "$2" "$3")\"" &
}
# screen_log SCREENNAME PORT LOGFILE
function screen_log {
screen -dmS "$1" -d -m
screen -S "$1" -X stuff "$(ncwait_command "$2" "$3")\n"
}
# term_log TITLE PORT LOGFILE
function term_log {
case "$QEMU_TERMINAL" in
"screen") screen_log "$1" "$2" "$3" ;;
"xfce4-terminal") xfce4-terminal_log "$1" "$2" "$3" ;;
*) xterm_log "$1" "$2" "$3";;
esac
}
# secure_world LOGFILE
function secure_world {
term_log "$FUZZ_ID-secure-world-$UUID" "$SPORT" "$1"
}
function normal_world {
term_log "$FUZZ_ID-normal-world-$UUID" "$NPORT" "$1"
}
function task_backup {
mkdir -p "$TASK_BIN"
cp "$KERNEL" "$TASK_BIN"
cp "$ROOTFS" "$TASK_BIN"
cp "$TZBIOS" "$TASK_BIN"
repo info > "$TASK_BIN/repo-info.txt"
repo diff > "$TASK_BIN/repo-diff.txt"
repo status > "$TASK_BIN/repo-status.txt"
}
if [ "$TASK_BACKUP" == "y" ]; then
task_backup
fi
log_path="$AFL_OUTPUT_PATH/"
if [[ -z "$AFL_OUTPUT_PATH" ]]; then
log_path="$TASK_LOG/$UUID."
mkdir -p "$TASK_LOG"
fi
secure_world "${log_path}secure.log" &
normal_world "${log_path}normal.log" &
run_qemu "$@" 2>&1 > "${log_path}qemu.log"