void handle_misaligned_load(trapframe *tf) { printk(BIOS_DEBUG, "Trapframe ptr: %p\n", tf); uintptr_t faultingInstructionAddr = tf->epc; insn_t faultingInstruction = fetch_instruction(faultingInstructionAddr); printk(BIOS_DEBUG, "Faulting instruction: 0x%x\n", faultingInstruction); insn_t widthMask = 0x7000; insn_t memWidth = (faultingInstruction & widthMask) >> 12; insn_t destMask = 0xF80; insn_t destRegister = (faultingInstruction & destMask) >> 7; printk(BIOS_DEBUG, "Width: 0x%x\n", memWidth); if (memWidth == 3) { // load double, handle the issue void* badAddress = (void*) tf->badvaddr; uint64_t value = 0; for (int i = 0; i < 8; i++) { value <<= 8; value += mprv_read_u8(badAddress+i); } tf->gpr[destRegister] = value; } else { // panic, this should not have happened die("Code should not reach this path, misaligned on a non-64 bit store/load\n"); } // return to where we came from write_csr(mepc, read_csr(mepc) + 4); asm volatile("j machine_call_return"); }
static int exec_1() { // fetch stage //it should return -1 to terminate a cycle stage_context[1] = stage_context[0]; ///move the data to next stage stage_context[0].pc = PC; stage_context[0].ins = allocate_ins_buffer(); stage_context[0].decoded = NULL; // no decoded information if(fetch_instruction(PC,ins_buffer[stage_context[0].ins])==-1) {///error in fetching -- turn it into a nop free_ins_buffer(stage_context[0].ins); stage_context[0].ins = -1; return -1; } ++PC; return -1; }
void handle_misaligned_store(trapframe *tf) { printk(BIOS_DEBUG, "Trapframe ptr: %p\n", tf); uintptr_t faultingInstructionAddr = tf->epc; insn_t faultingInstruction = fetch_instruction(faultingInstructionAddr); printk(BIOS_DEBUG, "Faulting instruction: 0x%x\n", faultingInstruction); insn_t widthMask = 0x7000; insn_t memWidth = (faultingInstruction & widthMask) >> 12; insn_t srcMask = 0x1F00000; insn_t srcRegister = (faultingInstruction & srcMask) >> 20; printk(BIOS_DEBUG, "Width: 0x%x\n", memWidth); if (memWidth == 3) { // store double, handle the issue void* badAddress = (void*) tf->badvaddr; uint64_t value = tf->gpr[srcRegister]; for (int i = 0; i < 8; i++) { mprv_write_u8(badAddress+i, value); value >>= 8; } } else {
int cycle(ARMSIM_CTX *ctx){ as_log(ctx, "Entering cycle\n",0); if(ctx->irq != 0 && can_irq(ctx->registers)){ unsigned int irq_ret = get_effective_pc(ctx) + 4; if(ctx->log_hook_defined != 0){ as_log(ctx, "----------------------------------------------------------------------------------------", 0); char * string1 = (char*)malloc(sizeof(char)*LOG_STRING_LENGTH); sprintf(string1, "!!!! IRQ: ePC=%#010x, tPC=%#010x !!!!", get_effective_pc(ctx), get_register(ctx->registers, AR_r15)); as_log(ctx, string1, 0); free(string1); char * string2 = (char*)malloc(sizeof(char)*LOG_STRING_LENGTH); char * instruction_string = instruction_to_string(master_decode(irq_ret - 4, get_word_from_memory(ctx, irq_ret - 4))); sprintf(string2, "???? Effective IRQ return: %s ????", instruction_string); as_log(ctx, string2, 0); free(string2); } set_mode(ctx->registers, AM_IRQ); set_cpsr(ctx->registers, get_cpsr(ctx->registers) | 0xC0); set_register(ctx->registers, AR_r14, irq_ret); branch_cpu(ctx, 0x00000018); ctx->irq = 0; } ctx-> per = as_execute_instruction(ctx, ctx->pdr); ctx->pdr = as_decode_instruction(ctx, ctx->pfr_address, ctx->pfr_instruction); ARM_ADDRESS * address = (ARM_ADDRESS*)malloc(sizeof(ARM_ADDRESS)); ctx->pfr_instruction = fetch_instruction(ctx, address); ctx->pfr_address = *address; free(address); if(ctx->per != 0) { ctx->steps += 1; if (ctx->trace_hook_defined != 0) { cpu_trace(ctx, ctx->per); } } as_log(ctx, "Leaving cycle\n",0); return (ctx->per != 0); }
inline void cosmac_device::run() { output_state_code(); switch (m_state) { case COSMAC_STATE_0_FETCH: fetch_instruction(); break; case COSMAC_STATE_1_RESET: reset(); debug(); break; case COSMAC_STATE_1_INIT: initialize(); debug(); break; case COSMAC_STATE_1_EXECUTE: sample_ef_lines(); execute_instruction(); debug(); break; case COSMAC_STATE_2_DMA_IN: dma_input(); break; case COSMAC_STATE_2_DMA_OUT: dma_output(); break; case COSMAC_STATE_3_INT: interrupt(); debug(); break; } }
int main(int argc, char* argv[]) { Registers registers; Decoder decoder; Reader reader; int memory[1001]; init_values(®isters, memory); read_lines(&reader, argv[1]); while(registers.regs[eip] != 0) { char* line; line = fetch_instruction(®isters, &reader); parse(®isters, &decoder, line, memory); parse_operand(®isters, &decoder, memory); printf(" eip: %*i", 3, registers.regs[eip]); printf(" eax: %*i", 3, registers.regs[eax]); printf(" ebp: %*i", 3, registers.regs[ebp]); printf(" esp: %i\n", registers.regs[esp]); } // while () return 0; } // main()
/*---------------------------------------------------------------------------* * NAME: fuzz_engine * DESC: fetch and parse each ad instructions *---------------------------------------------------------------------------*/ unsigned int fuzz_engine(config *conf) { int result; int error_occured = 0; /* debug */ debug(1, "<-----------------------[enter]\n"); /* if mode file, open the debugger file */ if (conf->type == 2) { if(create_debugger_file(conf)) return -1; } do { /* parse all the file */ while (conf->adc->offset < conf->adc->size) { /* fetch the instruction */ if (fetch_instruction(conf)) return -200; } /* compute the lengths */ update_length(conf); /* compute the hash values */ update_hash(conf); /* send the start message to the debugger. i.e. the fuzzer cannot speak with the debugger anymore, only the debugger send messages to the fuzzer */ if ((conf->dbg_mode) && (!conf->ring_zero)) if (dbg_send_msg(conf, INET_START_A_MSG, 0 , NULL, 0)) return -1; /* start the fuzzing */ result = start_fuzz(conf); if (result == -1) error_occured = 1; /* free the (big) fuzz buffer */ if (conf->buf_fuzz) { free(conf->buf_fuzz); conf->buf_fuzz = NULL; } /* free the blocks */ free_block(conf); /* free the lengths */ free_length(conf); /* free the hashes */ free_hash(conf); /* free the chronos */ free_chrono(conf); /* reset the offset */ conf->adc->offset = conf->adc->start; /* add a value to the fuzz counter */ conf->fuzz_file_id++; /* we close the debugger file */ if ((conf->type == 2) && (!conf->ring_zero)) { if(fclose(conf->fuzz_file_dbg)) { error_("error closing the debugger file.\n"); perror(""); error_("QUITTING!\n"); return -1; } } /* we are no more in the ring zero mode */ conf->ring_zero = 1; } while (!fuzz_finished(conf) && (error_occured == 0)); /* free the fuzz */ if (conf->fuzz) { struct struct_fuzz *fuzz; struct struct_fuzz *fuzz_to_free; fuzz = conf->fuzz; while (fuzz) { fuzz_to_free = fuzz; fuzz = fuzz->next; /* before freeing fuzz, free source */ if (fuzz_to_free->source) { struct struct_source *source; struct struct_source *source_to_free; source = fuzz_to_free->source; /* free the filename first */ while(source) { source_to_free = source; source = source->next; debug(3, "free source: %d filename: \"%s\"\n", source_to_free->id, source_to_free->filename); if (source_to_free->filename) free(source_to_free->filename); free(source_to_free); } } debug(3, "free fuzz[%d]\n", fuzz_to_free->id); free(fuzz_to_free); } conf->fuzz = NULL; } /* debug */ debug(1, "<-----------------------[quit]\n"); /* return value */ return 0; }