void handle_misaligned_load(trapframe *tf) {
printk(BIOS_DEBUG, "Trapframe ptr: %p\n", tf);
uintptr_t faultingInstructionAddr = tf->epc;
insn_t faultingInstruction = fetch_instruction(faultingInstructionAddr);
printk(BIOS_DEBUG, "Faulting instruction: 0x%x\n", faultingInstruction);
insn_t widthMask = 0x7000;
insn_t memWidth = (faultingInstruction & widthMask) >> 12;
insn_t destMask = 0xF80;
insn_t destRegister = (faultingInstruction & destMask) >> 7;
printk(BIOS_DEBUG, "Width: 0x%x\n", memWidth);
if (memWidth == 3) {
// load double, handle the issue
void* badAddress = (void*) tf->badvaddr;
uint64_t value = 0;
for (int i = 0; i < 8; i++) {
value <<= 8;
value += mprv_read_u8(badAddress+i);
}
tf->gpr[destRegister] = value;
} else {
// panic, this should not have happened
die("Code should not reach this path, misaligned on a non-64 bit store/load\n");
}
// return to where we came from
write_csr(mepc, read_csr(mepc) + 4);
asm volatile("j machine_call_return");
}
static int exec_1()
{ // fetch stage
//it should return -1 to terminate a cycle
stage_context[1] = stage_context[0]; ///move the data to next stage
stage_context[0].pc = PC;
stage_context[0].ins = allocate_ins_buffer();
stage_context[0].decoded = NULL; // no decoded information
if(fetch_instruction(PC,ins_buffer[stage_context[0].ins])==-1)
{///error in fetching -- turn it into a nop
free_ins_buffer(stage_context[0].ins);
stage_context[0].ins = -1;
return -1;
}
++PC;
return -1;
}
void handle_misaligned_store(trapframe *tf) {
printk(BIOS_DEBUG, "Trapframe ptr: %p\n", tf);
uintptr_t faultingInstructionAddr = tf->epc;
insn_t faultingInstruction = fetch_instruction(faultingInstructionAddr);
printk(BIOS_DEBUG, "Faulting instruction: 0x%x\n", faultingInstruction);
insn_t widthMask = 0x7000;
insn_t memWidth = (faultingInstruction & widthMask) >> 12;
insn_t srcMask = 0x1F00000;
insn_t srcRegister = (faultingInstruction & srcMask) >> 20;
printk(BIOS_DEBUG, "Width: 0x%x\n", memWidth);
if (memWidth == 3) {
// store double, handle the issue
void* badAddress = (void*) tf->badvaddr;
uint64_t value = tf->gpr[srcRegister];
for (int i = 0; i < 8; i++) {
mprv_write_u8(badAddress+i, value);
value >>= 8;
}
} else {
int cycle(ARMSIM_CTX *ctx){
as_log(ctx, "Entering cycle\n",0);
if(ctx->irq != 0 && can_irq(ctx->registers)){
unsigned int irq_ret = get_effective_pc(ctx) + 4;
if(ctx->log_hook_defined != 0){
as_log(ctx, "----------------------------------------------------------------------------------------", 0);
char * string1 = (char*)malloc(sizeof(char)*LOG_STRING_LENGTH);
sprintf(string1, "!!!! IRQ: ePC=%#010x, tPC=%#010x !!!!", get_effective_pc(ctx), get_register(ctx->registers, AR_r15));
as_log(ctx, string1, 0);
free(string1);
char * string2 = (char*)malloc(sizeof(char)*LOG_STRING_LENGTH);
char * instruction_string = instruction_to_string(master_decode(irq_ret - 4, get_word_from_memory(ctx, irq_ret - 4)));
sprintf(string2, "???? Effective IRQ return: %s ????", instruction_string);
as_log(ctx, string2, 0);
free(string2);
}
set_mode(ctx->registers, AM_IRQ);
set_cpsr(ctx->registers, get_cpsr(ctx->registers) | 0xC0);
set_register(ctx->registers, AR_r14, irq_ret);
branch_cpu(ctx, 0x00000018);
ctx->irq = 0;
}
ctx-> per = as_execute_instruction(ctx, ctx->pdr);
ctx->pdr = as_decode_instruction(ctx, ctx->pfr_address, ctx->pfr_instruction);
ARM_ADDRESS * address = (ARM_ADDRESS*)malloc(sizeof(ARM_ADDRESS));
ctx->pfr_instruction = fetch_instruction(ctx, address);
ctx->pfr_address = *address;
free(address);
if(ctx->per != 0) {
ctx->steps += 1;
if (ctx->trace_hook_defined != 0) {
cpu_trace(ctx, ctx->per);
}
}
as_log(ctx, "Leaving cycle\n",0);
return (ctx->per != 0);
}
inline void cosmac_device::run()
{
output_state_code();
switch (m_state)
{
case COSMAC_STATE_0_FETCH:
fetch_instruction();
break;
case COSMAC_STATE_1_RESET:
reset();
debug();
break;
case COSMAC_STATE_1_INIT:
initialize();
debug();
break;
case COSMAC_STATE_1_EXECUTE:
sample_ef_lines();
execute_instruction();
debug();
break;
case COSMAC_STATE_2_DMA_IN:
dma_input();
break;
case COSMAC_STATE_2_DMA_OUT:
dma_output();
break;
case COSMAC_STATE_3_INT:
interrupt();
debug();
break;
}
}
int main(int argc, char* argv[])
{
Registers registers;
Decoder decoder;
Reader reader;
int memory[1001];
init_values(®isters, memory);
read_lines(&reader, argv[1]);
while(registers.regs[eip] != 0)
{
char* line;
line = fetch_instruction(®isters, &reader);
parse(®isters, &decoder, line, memory);
parse_operand(®isters, &decoder, memory);
printf(" eip: %*i", 3, registers.regs[eip]);
printf(" eax: %*i", 3, registers.regs[eax]);
printf(" ebp: %*i", 3, registers.regs[ebp]);
printf(" esp: %i\n", registers.regs[esp]);
} // while ()
return 0;
} // main()
/*---------------------------------------------------------------------------*
* NAME: fuzz_engine
* DESC: fetch and parse each ad instructions
*---------------------------------------------------------------------------*/
unsigned int fuzz_engine(config *conf) {
int result;
int error_occured = 0;
/* debug */
debug(1, "<-----------------------[enter]\n");
/* if mode file, open the debugger file */
if (conf->type == 2) {
if(create_debugger_file(conf)) return -1;
}
do {
/* parse all the file */
while (conf->adc->offset < conf->adc->size) {
/* fetch the instruction */
if (fetch_instruction(conf)) return -200;
}
/* compute the lengths */
update_length(conf);
/* compute the hash values */
update_hash(conf);
/* send the start message to the debugger. i.e. the fuzzer cannot speak
with the debugger anymore, only the debugger send messages to the fuzzer */
if ((conf->dbg_mode) && (!conf->ring_zero))
if (dbg_send_msg(conf, INET_START_A_MSG, 0 , NULL, 0)) return -1;
/* start the fuzzing */
result = start_fuzz(conf);
if (result == -1)
error_occured = 1;
/* free the (big) fuzz buffer */
if (conf->buf_fuzz) {
free(conf->buf_fuzz);
conf->buf_fuzz = NULL;
}
/* free the blocks */
free_block(conf);
/* free the lengths */
free_length(conf);
/* free the hashes */
free_hash(conf);
/* free the chronos */
free_chrono(conf);
/* reset the offset */
conf->adc->offset = conf->adc->start;
/* add a value to the fuzz counter */
conf->fuzz_file_id++;
/* we close the debugger file */
if ((conf->type == 2) && (!conf->ring_zero)) {
if(fclose(conf->fuzz_file_dbg)) {
error_("error closing the debugger file.\n");
perror("");
error_("QUITTING!\n");
return -1;
}
}
/* we are no more in the ring zero mode */
conf->ring_zero = 1;
} while (!fuzz_finished(conf) && (error_occured == 0));
/* free the fuzz */
if (conf->fuzz) {
struct struct_fuzz *fuzz;
struct struct_fuzz *fuzz_to_free;
fuzz = conf->fuzz;
while (fuzz) {
fuzz_to_free = fuzz;
fuzz = fuzz->next;
/* before freeing fuzz, free source */
if (fuzz_to_free->source) {
struct struct_source *source;
struct struct_source *source_to_free;
source = fuzz_to_free->source;
/* free the filename first */
while(source) {
source_to_free = source;
source = source->next;
debug(3, "free source: %d filename: \"%s\"\n", source_to_free->id, source_to_free->filename);
if (source_to_free->filename) free(source_to_free->filename);
free(source_to_free);
}
}
debug(3, "free fuzz[%d]\n", fuzz_to_free->id);
free(fuzz_to_free);
}
conf->fuzz = NULL;
}
/* debug */
debug(1, "<-----------------------[quit]\n");
/* return value */
return 0;
}
