mirror/uvm32
1
Fork 0
mirror of https://github.com/ringtailsoftware/uvm32.git synced 2026-06-05 22:43:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix issues with unaligned memory bus rd/wr. Improve fuzzing.

Browse source
This commit is contained in:
Toby Jaffey 2025-12-14 18:35:00 +00:00
parent 5fb03b7d66
commit e5fd17aff6
5 changed files with 70 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/fuzz/Makefile
View file

@ -1,6 +1,6 @@
TOPDIR=../..
all:
afl-clang-fast -g3 -fsanitize=address,undefined -Wall -DUVM32_MEMORY_SIZE=8388608 -I${TOPDIR}/uvm32 -I${TOPDIR}/common -o host-fuzz ${TOPDIR}/uvm32/uvm32.c fuzz.c
afl-clang-fast -g3 -fsanitize=address,undefined -Wall -DUVM32_MEMORY_SIZE=4096 -I${TOPDIR}/uvm32 -I${TOPDIR}/common -o host-fuzz ${TOPDIR}/uvm32/uvm32.c fuzz.c
afl-fuzz -i${TOPDIR}/precompiled -oo ./host-fuzz
clean:

17
hosts/fuzz/fuzz.c
View file

@ -9,14 +9,19 @@ __AFL_FUZZ_INIT();
int main(int argc, char *argv[]) {
__AFL_INIT();
uvm32_state_t vmst;
uvm32_evt_t evt;
uvm32_init(&vmst);
unsigned char *rom = __AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(10000)) {
uvm32_load(&vmst, rom, __AFL_FUZZ_TESTCASE_LEN);
uvm32_run(&vmst, &evt, 1000);
uvm32_state_t *vmst = malloc(sizeof(uvm32_state_t));
while (__AFL_LOOP(100000)) {
memset(vmst, 0x00, sizeof(uvm32_state_t));
uvm32_init(vmst);
unsigned char *rom = __AFL_FUZZ_TESTCASE_BUF;
uvm32_load(vmst, rom, __AFL_FUZZ_TESTCASE_LEN);
memset(&evt, 0x00, sizeof(evt));
for (int i=0;i<10;i++) {
uvm32_run(vmst, &evt, 1000);
}
}
return 0;

BIN
precompiled/self.bin
View file

Binary file not shown.

49
uvm32/uvm32.c
View file

@ -254,6 +254,7 @@ uint32_t uvm32_run(uvm32_state_t *vmst, uvm32_evt_t *evt, uint32_t instr_meter)
while(vmst->_status == UVM32_STATUS_RUNNING && instr_meter > 0) {
uint64_t elapsedUs = 1;
uint32_t ret;
ret = MiniRV32IMAStep(vmst, &vmst->_core, vmst->_memory, elapsedUs, 1);
instr_meter--;
@ -420,22 +421,22 @@ uint32_t _uvm32_extramLoad(void *userdata, uint32_t addr, uint32_t accessTyp) {
// Any other value will have caused UVM32_ERR_INTERNAL_CORE
switch(accessTyp) {
case 0:
return ((int8_t *)vmst->_extram)[addr];
return _uvm32_load1s(vmst->_extram, addr);
break;
case 1:
return ((int16_t *)vmst->_extram)[addr/2];
return _uvm32_load2s(vmst->_extram, addr);
break;
case 2:
return ((uint32_t *)vmst->_extram)[addr / 4];
return _uvm32_load4(vmst->_extram, addr);
break;
case 5:
return ((uint16_t *)vmst->_extram)[addr/2];
return _uvm32_load2(vmst->_extram, addr);
break;
// have a default case to keep coverage check happy
// no other values are possible here
default: // fall through
case 4:
return ((uint8_t *)vmst->_extram)[addr];
return _uvm32_load1(vmst->_extram, addr);
break;
}
@ -454,15 +455,15 @@ uint32_t _uvm32_extramStore(void *userdata, uint32_t addr, uint32_t val, uint32_
if (addr < vmst->_extramLen) {
switch(accessTyp) {
case 1:
((uint16_t *)vmst->_extram)[addr/2] = val;
_uvm32_store2(vmst->_extram, addr, val);
break;
case 2:
((uint32_t *)vmst->_extram)[addr/4] = val;
_uvm32_store4(vmst->_extram, addr, val);
break;
// no other values are valid here and will be stopped above
default: // fall through
case 0:
((uint8_t *)vmst->_extram)[addr] = val;
_uvm32_store1(vmst->_extram, addr, val);
break;
}
vmst->_extramDirty = true;
@ -490,3 +491,35 @@ uint32_t uvm32_getProgramCounter(const uvm32_state_t *vmst) {
return vmst->_core.pc;
}
// Access of memory bus in alignment safe way
void _uvm32_store4(void *p, uint32_t off, uint32_t val) {
UVM32_MEMCPY((uint8_t *)p + off, &val, 4);
}
void _uvm32_store2(void *p, uint32_t off, uint16_t val) {
UVM32_MEMCPY((uint8_t *)p + off, &val, 2);
}
void _uvm32_store1(void *p, uint32_t off, uint8_t val) {
((uint8_t *)p)[off] = val;
}
uint32_t _uvm32_load4(void *p, uint32_t off) {
uint32_t v;
UVM32_MEMCPY(&v, (uint8_t *)p + off, 4);
return v;
}
uint16_t _uvm32_load2(void *p, uint32_t off) {
uint16_t v;
UVM32_MEMCPY(&v, (uint8_t *)p + off, 2);
return v;
}
uint8_t _uvm32_load1(void *p, uint32_t off) {
return ((uint8_t *)p)[off];
}
int16_t _uvm32_load2s(void *p, uint32_t off) {
int16_t v;
UVM32_MEMCPY(&v, (uint8_t *)p + off, 2);
return v;
}
int8_t _uvm32_load1s(void *p, uint32_t off) {
return ((int8_t *)p)[off];
}

17
uvm32/uvm32.h
View file

@ -51,6 +51,23 @@ uint32_t _uvm32_extramLoad(void *userdata, uint32_t addr, uint32_t accessTyp);
uint32_t _uvm32_extramStore(void *userdata, uint32_t addr, uint32_t val, uint32_t accessTyp);
#define MINIRV32_HANDLE_MEM_LOAD_CONTROL( addy, rval ) rval = _uvm32_extramLoad(userdata, addy, ( ir >> 12 ) & 0x7);
#define MINIRV32_HANDLE_MEM_STORE_CONTROL( addy, val ) if( _uvm32_extramStore(userdata, addy, val, ( ir >> 12 ) & 0x7) ) return val;
void _uvm32_store4(void *p, uint32_t off, uint32_t val);
void _uvm32_store2(void *p, uint32_t off, uint16_t val);
void _uvm32_store1(void *p, uint32_t off, uint8_t val);
uint32_t _uvm32_load4(void *p, uint32_t off);
uint16_t _uvm32_load2(void *p, uint32_t off);
uint8_t _uvm32_load1(void *p, uint32_t off);
int16_t _uvm32_load2s(void *p, uint32_t off);
int8_t _uvm32_load1s(void *p, uint32_t off);
#define MINIRV32_CUSTOM_MEMORY_BUS
#define MINIRV32_STORE4( ofs, val ) _uvm32_store4(image, ofs, val)
#define MINIRV32_STORE2( ofs, val ) _uvm32_store2(image, ofs, val)
#define MINIRV32_STORE1( ofs, val ) _uvm32_store1(image, ofs, val)
#define MINIRV32_LOAD4( ofs ) _uvm32_load4(image, ofs)
#define MINIRV32_LOAD2( ofs ) _uvm32_load2(image, ofs)
#define MINIRV32_LOAD1( ofs ) _uvm32_load1(image, ofs)
#define MINIRV32_LOAD2_SIGNED( ofs ) _uvm32_load2s(image, ofs)
#define MINIRV32_LOAD1_SIGNED( ofs ) _uvm32_load1s(image, ofs)
#ifndef MINIRV32_IMPLEMENTATION
#define MINIRV32_STEPPROTO
#endif