'RISC-V fuzzing emulation

I am new to this but I need to emulate RISC-V using qemu. As a start for my fuzzing project, how can I do give qemu an instruction set and get the changes in the registries as an output.

qemuriscvfuzzing


Solution 1:[1]

I probably understand your question. Because I don't have a riscv-related environment here, I can only provide a solution. For example, in riscv, we design a function to get the values of all registers, relying on qemu's plugin module (such as qemu_plugin_register_vcpu_insn_exec_cb()).

plugin_test.c

#include <inttypes.h>
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <glib.h>

#include <qemu-plugin.h>

QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION;

#define CPU_SIZE 32
static int cpu_num;
static int cpu_value[CPU_SIZE]={0};

static void vcpu_insn_exec_before(unsigned int cpu_index, void *)
{
    for (size_t i = 0; i < cpu_num; i++)
    {
        /* code */
        for (size_t j = 0; j < CPU_SIZE; i++)
        {
            
            if(cpu_value[j] != get_cpu_register(i,j)) {
                // The value of cpu has changed
                ...
            } else {
                // The value of cpu has not changed
                ...
            }
        }
        
    }
}

static void vcpu_tb_trans(qemu_plugin_id_t id, struct qemu_plugin_tb *tb)
{
    size_t n = qemu_plugin_tb_n_insns(tb);
    size_t i;

    for (i = 0; i < n; i++) {
        struct qemu_plugin_insn *insn = qemu_plugin_tb_get_insn(tb, i);
        qemu_plugin_register_vcpu_insn_exec_cb(
                insn, vcpu_insn_exec_before, QEMU_PLUGIN_CB_NO_REGS,void *);
    }
}

static void plugin_exit(qemu_plugin_id_t id, void *p)
{
}

QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id,
                                           const qemu_info_t *info,
                                           int argc, char **argv)
{
    if(info->system_emulation) {
        cpu_num = info->system.smp_vcpus;
    } else {
        cpu_num = 1;
    }
    
    qemu_plugin_register_vcpu_tb_trans_cb(id, vcpu_tb_trans);
    qemu_plugin_register_atexit_cb(id, plugin_exit, NULL);
    return 0;
}

api-ext.c

void *qemu_get_cpu(int index);

static uint32_t get_cpu_register(unsigned int cpu_index, unsigned int reg) {
    uint8_t* cpu = qemu_get_cpu(cpu_index);
    return *(uint32_t*)(cpu + 33488 + 5424 + reg * 4);
}

It should be noted that the content in api-ext.c is obtained from others. This is the function used to obtain the value of arm cpu. You need to check the source code or documentation for riscv.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions

Android avd emulator - how to save "Do you want to save the current state for the next quick boot?" in config.ini file

How to emulate TrustZone in QEMU?

qemu-system-i386: Error loading uncompressed kernel without PVH ELF Note

Run a native X86 binary from inside an ARM chroot

Permission denied for virtual disk

How do we emulate virtual CAN devices from host to Android emulator?

Does QEMU emulate enough features for vfio to work in the guest?

Qemu STM32 Emulation

Can't SSH into RancherOS which is installed in iohyve in FreeNAS within a virtual machine

EVE-NG QEMU based nodes are not starting

error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Connection refused

Weird Problem Trying to compile Android Emulator

How does QEMU risc-v put FDT address in register a1?

Can we Install qemu on Poxmox ? if yes how?

virt-install aarch64 vm on amd64 host failed