-
Notifications
You must be signed in to change notification settings - Fork 60
/
Copy pathrunFuzz
executable file
·50 lines (41 loc) · 1.18 KB
/
runFuzz
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/bin/sh
#
# usage: ./runFuzz [-C] [-M n | -S n] xtraargs..
# -C continue existing fuzz run
# -M n and -S n for master/slave. n must be unique
# xtraargs are passed to qemu
#
# choose kernel with K=name env variable, ie K=linux34 for linux34/bzImage
#
AFL=${TAFL:-../TriforceAFL}
KERN=${K:-kern}
# hokey arg parsing, sorry!
if [ "x$1" = "x-C" ] ; then # continue
INP="-"
shift
else
INP=inputs
fi
if [ "x$1" = "x-M" -o "x$1" = "x-S" ] ; then # master/slave args
FARGS="$1 $2"
shift; shift
else
echo "specify -M n or -S n please"
exit 1
fi
# find our kernel and it's parameters
getSym() { (grep " $1\$" $KERN/kallsyms|| echo 0 0)|cut -d' ' -f1; }
PANIC=`getSym panic`
LOGSTORE=`getSym log_store`
# make a rootfs image
make inputs fuzzRoot.cpio.gz || exit 1
# run fuzzer and qemu-system
export AFL_SKIP_CRASHES=1
$AFL/afl-fuzz $FARGS -t 500+ -i $INP -o outputs -QQ -- \
$AFL/afl-qemu-system-trace \
-L $AFL/qemu_mode/qemu/pc-bios \
-kernel $KERN/bzImage -initrd ./fuzzRoot.cpio.gz \
-m 64M -nographic -append "console=ttyS0" \
-aflPanicAddr "$PANIC" \
-aflDmesgAddr "$LOGSTORE" \
-aflFile @@