Issues with setting up Fuzzing on a custom Firmware #24
Description
Firmware Preparation
I'm trying to fuzz a NuttX-based firmware for the board STM32F429I-Discovery. For that, I added the aflCall code to the board startup file as P2IM expects and compiled the firmware with the toolchain mentioned in the repository.
# P2IM - fuzzing configuration template
# ------------------------------------------------------
# Copyright (C) 2018-2020 RiS3 Lab
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
# http://www.apache.org/licenses/LICENSE-2.0
# Please change configurations that are enclosed in "< >".
# Please use absolute path in this file.
[DEFAULT] # used only by fuzz.py
# <repo_path> is the path of root directory of P2IM git repo
base = /home/ritvik
# <firmware_name> can be arbitrary string you want. It doesn't need to be the firmware binary name
program = nucleo-f429zi_nsh
# Each firmware may be fuzzed multiple times. So it's better to number each fuzzer run
run = 1
# working directory of fuzzing
working_dir = %(base)s/fuzzing/%(program)s/%(run)s
[afl] # used only by fuzz.py
bin = %(base)s/afl/afl-fuzz
timeout = 150+
input = %(working_dir)s/inputs
output = %(working_dir)s/outputs
[cov] # used only by cov.py
#count_hang = False
count_hang = True
bbl_cov_read_sz = 20000000
# 1 second
timeout = 1
[qemu]
bin = qemu-system-gnuarmeclipse
log = unimp,guest_errors,int
#log = unimp,guest_errors,exec,int -D qemu.log
[program]
# the board/mcu supported by QEMU is listed as comments below
board = STM32F429I-Discovery
mcu = STM32F429ZI
#board = NUCLEO-F103RB
#mcu = STM32F103RB
#board = Arduino-Due
#mcu = SAM3X8E
#board = FRDM-K64F
#mcu = MK64FN1M0VLL12
# <firmware_elf_file_name> has to be name of firmware elf file
img = %(working_dir)s/nuttx
[model]
retry_num = 3
peri_addr_range = 512
# arm-none-eabi-objdump is part of GNU Arm Embedded Toolchain you downloaded while setting up P2IM environment.
# For example, <path_of_arm-none-eabi-objdump> on my machine is /home/bo/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump
objdump = /usr/bin/arm-none-eabi-objdump
# config below are only used by fuzz.py
bin = %(base)s/model_instantiation/me.py
log_file = %(working_dir)s/me.log

This is my fuzz.cfg file with firmware ELFs in the intended paths.
Fuzzing
After ensuring that the random seed provided in the repository is present in the correct inputs folder, I ran the following commands to start fuzzing -
cp ./fuzzing/nucleo-f429zi_nsh/1/fuzz.cfg .
./model_instantiation/fuzz.py -c fuzz.cfg

The firmware was able to be processed by QEMU, but AFL immediately bails out with the following logs -
./model_instantiation/fuzz.py -c fuzz.cfg
Change working dir to: /home/ritvik/fuzzing/nucleo-f429zi_nsh/1
CWD: /home/ritvik/fuzzing/nucleo-f429zi_nsh/1
try our best to extract model w/o input
cmd_me0: /home/ritvik/model_instantiation/me.py -c /home/ritvik/fuzz.cfg --run-num 0 --print-to-file
Change working dir to: 0/
CWD: /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0
Redirect stdout to file named stdout
extract model for each seed input
0.seed.1
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/ritvik/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/inputs/seed -board STM32F429I-Discovery -mcu STM32F429ZI -image /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/nuttx -pm-stage 3 -model-input /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0/peripheral_model.json -me-bin /home/ritvik/model_instantiation/me.py -me-config /home/ritvik/fuzz.cfg
There is aup, run ME
cmd_me: /home/ritvik/model_instantiation/me.py -c /home/ritvik/fuzz.cfg --run-num 0.seed.1 --print-to-file --run-from-forkserver --afl-file /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/inputs/seed --model-if /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0/peripheral_model.json
Change working dir to: 0.seed.1/
CWD: /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0.seed.1
Redirect stdout to file named stdout
0.seed.2
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/ritvik/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/inputs/seed -board STM32F429I-Discovery -mcu STM32F429ZI -image /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/nuttx -pm-stage 3 -model-input /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0.seed.1/peripheral_model.json -me-bin /home/ritvik/model_instantiation/me.py -me-config /home/ritvik/fuzz.cfg
qemu hangs(pid: 89974). seed input should not hang!
No aup, don't run ME
launch fuzzer
cmd_afl: /home/ritvik/afl/afl-fuzz -i /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/inputs -o /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/outputs -t 150+ -QQ -a /home/ritvik/model_instantiation/me.py -b /home/ritvik/fuzz.cfg -c /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0.seed.1/peripheral_model.json -T nucleo-f429zi_nsh_1 -d /home/ritvik/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board STM32F429I-Discovery -mcu STM32F429ZI -image /home/ritvik/fuzzing/nucleo-f429zi_nsh/1/nuttx -pm-stage 3 -aflFile @@
afl-fuzz 2.06b by <lcamtuf@google.com>
[+] You have 64 CPU cores and 1 runnable tasks (utilization: 2%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/home/ritvik/fuzzing/nucleo-f429zi_nsh/1/inputs'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:seed'...
[!] WARNING: Test case results in a hang (skipping)
[-] PROGRAM ABORT : All test cases time out, giving up!
Location : perform_dry_run(), afl-fuzz.c:2812
Upon debugging with the provided instructions, using the following commands -
cd /home/ritvik/fuzzing/nucleo-f429zi_nsh/1
./run_fw.py 0 ./inputs/seed
['/home/ritvik/qemu/precompiled_bin/qemu-system-gnuarmeclipse', '-nographic', '-board', 'STM32F429I-Discovery', '-mcu', 'STM32F429ZI', '-image', '/home/ritvik/fuzzing/nucleo-f429zi_nsh/1/nuttx', '-pm-stage', '3', '-aflFile', './inputs/seed', '-model-input', '/home/ritvik/fuzzing/nucleo-f429zi_nsh/1/0/peripheral_model.json']
(process:85200): GLib-WARNING **: /Host/Work/qemu/glib-2.51.0/glib/gmem.c:483: custom memory allocation vtable not supported
[0, 0] 1-th(total 1-th) unassigned mem_r *0x0
[0, 0] 2-th(total 2-th) unassigned mem_r *0x4
QEMU 2.3.50 monitor - type 'help' for more information
(qemu) QEMU 2.3.50 monitor - type 'help' for more information
(qemu) start up afl forkserver!
[8000254, 80002ae] 1-th(total 3-th) pm_r *0x40023800 gets 0x0, remains CR+SR
[8000254, 80002ae] 1-th(total 1-th) pm_w *0x40023800 = 0x1, remains CR+SR
[8000254, 80002ae] 2-th(total 2-th) pm_w *0x40023808 = 0x0, remains CR+SR
[8000254, 80002ae] 2-th(total 4-th) pm_r *0x40023800 gets 0x1, remains CR+SR
[8000254, 80002ae] 3-th(total 3-th) pm_w *0x40023800 = 0x1, remains CR+SR
[8000254, 80002ae] 4-th(total 4-th) pm_w *0x40023804 = 0x24003010, remains DR
[8000254, 80002ae] 3-th(total 5-th) pm_r *0x40023800 gets 0x1, remains CR+SR
[8000254, 80002ae] 5-th(total 5-th) pm_w *0x40023800 = 0x1, remains CR+SR
[8000254, 80002ae] 6-th(total 6-th) pm_w *0x4002380c = 0x0, remains DR
[800034c, 8000368] 4-th(total 6-th) pm_r *0x40023800 gets 0x1, remains CR+SR
[800034c, 8000368] 7-th(total 7-th) pm_w *0x40023800 = 0x10001, remains CR+SR
[8000368, 8000374] 5-th(total 7-th) pm_r *0x40023800 gets 0x20000, remains CR+SR
[800038a, 8000400] 6-th(total 8-th) pm_r *0x40023840 gets 0x0, remains CR
[800038a, 8000400] 8-th(total 8-th) pm_w *0x40023840 = 0x10000000, remains CR
[800038a, 8000400] 7-th(total 9-th) pm_r *0x40007000 gets 0x0, remains CR
[800038a, 8000400] 9-th(total 9-th) pm_w *0x40007000 = 0xc000, remains CR
[800038a, 8000400] 8-th(total 10-th) pm_r *0x40023808 gets 0x0, remains CR+SR
[800038a, 8000400] 10-th(total 10-th) pm_w *0x40023808 = 0x0, remains CR+SR
[800038a, 8000400] 9-th(total 11-th) pm_r *0x40023808 gets 0x0, remains CR+SR
[800038a, 8000400] 11-th(total 11-th) pm_w *0x40023808 = 0x8000, remains CR+SR
[800038a, 8000400] 10-th(total 12-th) pm_r *0x40023808 gets 0x8000, remains CR+SR
[8000400, 8000432] 12-th(total 12-th) pm_w *0x40023808 = 0x9400, remains CR+SR
[8000400, 8000432] 13-th(total 13-th) pm_w *0x40023804 = 0x7405408, remains DR
[8000400, 8000432] 11-th(total 13-th) pm_r *0x40023800 gets 0x10001, remains CR+SR
[8000400, 8000432] 14-th(total 14-th) pm_w *0x40023800 = 0x1010001, remains CR+SR
[8000400, 8000432] 12-th(total 14-th) pm_r *0x40023800 gets 0x1010001, remains CR+SR
[8000426, 8000432] 13-th(total 15-th) pm_r *0x40023800 gets 0x2000000, remains CR+SR
[8000432, 8000468] 15-th(total 15-th) pm_w *0x40023c00 = 0x605, remains DR
[8000432, 8000468] 14-th(total 16-th) pm_r *0x40023808 gets 0x9400, remains CR+SR
[8000432, 8000468] 16-th(total 16-th) pm_w *0x40023808 = 0x9402, remains CR+SR
[8000432, 8000468] 15-th(total 17-th) pm_r *0x40023808 gets 0x9402, remains CR+SR
[800045c, 8000468] 16-th(total 18-th) pm_r *0x40023808 gets 0x8, remains CR+SR
[80002c4, 80002e4] 17-th(total 19-th) pm_r *0x40023830 gets 0x0, remains CR
[80002c4, 80002e4] 17-th(total 17-th) pm_w *0x40023830 = 0x1ff, remains CR
[80002e8, 80002fc] 18-th(total 20-th) pm_r *0x40023834 gets 0x0, remains CR
[80002e8, 80002fc] 18-th(total 18-th) pm_w *0x40023834 = 0x0, remains CR
[8000304, 8000328] 19-th(total 21-th) pm_r *0x40023840 gets 0x10000000, remains CR
[8000304, 8000328] 19-th(total 19-th) pm_w *0x40023840 = 0x10040000, remains CR
[800032c, 8000348] 20-th(total 22-th) pm_r *0x40023844 gets 0x0, remains CR
[800032c, 8000348] 20-th(total 20-th) pm_w *0x40023844 = 0x4000, remains CR
[8001230, 800126a] 21-th(total 23-th) pm_r *0x40023840 gets 0x10040000, remains CR
[8001230, 800126a] 21-th(total 21-th) pm_w *0x40023840 = 0x10040000, remains CR
[800058e, 800060c] 22-th(total 24-th) pm_r *0x40020c24 gets 0x0, remains CR
[800058e, 800060c] 22-th(total 22-th) pm_w *0x40020c24 = 0x7, remains CR
[800058e, 800060c] 23-th(total 25-th) pm_r *0x40020c00 gets 0x0, remains CR
[800058e, 800060c] 23-th(total 23-th) pm_w *0x40020c00 = 0x20000, remains CR
[800062c, 8000668] 24-th(total 26-th) pm_r *0x40020c0c gets 0x0, remains CR
[800062c, 8000668] 24-th(total 24-th) pm_w *0x40020c0c = 0x10000, remains CR
[80006fe, 800074c] 25-th(total 27-th) pm_r *0x40020c08 gets 0x0, remains CR
[80006fe, 800074c] 25-th(total 25-th) pm_w *0x40020c08 = 0x30000, remains CR
[80006fe, 800074c] 26-th(total 28-th) pm_r *0x40020c04 gets 0x0, remains CR
[800076c, 8000786] 26-th(total 26-th) pm_w *0x40020c04 = 0x0, remains CR
[800058e, 800060c] 27-th(total 29-th) pm_r *0x40020c24 gets 0x7, remains CR
[800058e, 800060c] 27-th(total 27-th) pm_w *0x40020c24 = 0x77, remains CR
[800058e, 800060c] 28-th(total 30-th) pm_r *0x40020c00 gets 0x20000, remains CR
[800058e, 800060c] 28-th(total 28-th) pm_w *0x40020c00 = 0xa0000, remains CR
[800062c, 8000668] 29-th(total 31-th) pm_r *0x40020c0c gets 0x10000, remains CR
[800062c, 8000668] 29-th(total 29-th) pm_w *0x40020c0c = 0x50000, remains CR
[80006fe, 800074c] 30-th(total 32-th) pm_r *0x40020c08 gets 0x30000, remains CR
[80006fe, 800074c] 30-th(total 30-th) pm_w *0x40020c08 = 0xf0000, remains CR
[80006fe, 800074c] 31-th(total 33-th) pm_r *0x40020c04 gets 0x0, remains CR
[800076c, 8000786] 31-th(total 31-th) pm_w *0x40020c04 = 0x0, remains CR
[80008b8, 8000938] 32-th(total 34-th) pm_r *0x4000480c gets 0x0, remains CR
[80008b8, 8000938] 32-th(total 32-th) pm_w *0x4000480c = 0x0, remains CR
[80008b8, 8000938] 33-th(total 35-th) pm_r *0x40004810 gets 0x0, remains CR
[80008b8, 8000938] 33-th(total 33-th) pm_w *0x40004810 = 0x0, remains CR
[80008b8, 8000938] 34-th(total 36-th) pm_r *0x4000480c gets 0x0, remains CR
[80008b8, 8000938] 34-th(total 34-th) pm_w *0x4000480c = 0x0, remains CR
[80008b8, 8000938] 35-th(total 37-th) pm_r *0x40004814 gets 0x0, remains CR
[80008b8, 8000938] 35-th(total 35-th) pm_w *0x40004814 = 0x0, remains CR
[80008b8, 8000938] 36-th(total 36-th) pm_w *0x40004808 = 0x16d, remains DR
[80008b8, 8000938] 36-th(total 38-th) pm_r *0x4000480c gets 0x0, remains CR
[80008b8, 8000938] 37-th(total 37-th) pm_w *0x4000480c = 0x200c, remains CR
[8000954, 800096c] 37-th(total 39-th) pm_r *0x4000480c gets 0x200c, remains CR
[800096c, 800098a] 38-th(total 38-th) pm_w *0x4000480c = 0x200c, remains CR
[8000954, 800096c] 38-th(total 40-th) pm_r *0x40004814 gets 0x0, remains CR
[800096c, 800098a] 39-th(total 39-th) pm_w *0x40004814 = 0x0, remains CR
[8001230, 800126a] 39-th(total 41-th) pm_r *0x40023840 gets 0x10040000, remains CR
[8001230, 800126a] 40-th(total 40-th) pm_w *0x40023840 = 0x10040000, remains CR
[800058e, 800060c] 40-th(total 42-th) pm_r *0x40020c24 gets 0x77, remains CR
[800058e, 800060c] 41-th(total 41-th) pm_w *0x40020c24 = 0x77, remains CR
[800058e, 800060c] 41-th(total 43-th) pm_r *0x40020c00 gets 0xa0000, remains CR
[800058e, 800060c] 42-th(total 42-th) pm_w *0x40020c00 = 0xa0000, remains CR
[800062c, 8000668] 42-th(total 44-th) pm_r *0x40020c0c gets 0x50000, remains CR
[800062c, 8000668] 43-th(total 43-th) pm_w *0x40020c0c = 0x50000, remains CR
[80006fe, 800074c] 43-th(total 45-th) pm_r *0x40020c08 gets 0xf0000, remains CR
[80006fe, 800074c] 44-th(total 44-th) pm_w *0x40020c08 = 0xf0000, remains CR
[80006fe, 800074c] 44-th(total 46-th) pm_r *0x40020c04 gets 0x0, remains CR
[800076c, 8000786] 45-th(total 45-th) pm_w *0x40020c04 = 0x0, remains CR
[800058e, 800060c] 45-th(total 47-th) pm_r *0x40020c24 gets 0x77, remains CR
[800058e, 800060c] 46-th(total 46-th) pm_w *0x40020c24 = 0x77, remains CR
[800058e, 800060c] 46-th(total 48-th) pm_r *0x40020c00 gets 0xa0000, remains CR
[800058e, 800060c] 47-th(total 47-th) pm_w *0x40020c00 = 0xa0000, remains CR
[800062c, 8000668] 47-th(total 49-th) pm_r *0x40020c0c gets 0x50000, remains CR
[800062c, 8000668] 48-th(total 48-th) pm_w *0x40020c0c = 0x50000, remains CR
[80006fe, 800074c] 48-th(total 50-th) pm_r *0x40020c08 gets 0xf0000, remains CR
[80006fe, 800074c] 49-th(total 49-th) pm_w *0x40020c08 = 0xf0000, remains CR
[80006fe, 800074c] 49-th(total 51-th) pm_r *0x40020c04 gets 0x0, remains CR
[800076c, 8000786] 50-th(total 50-th) pm_w *0x40020c04 = 0x0, remains CR
[8000954, 800096c] 50-th(total 52-th) pm_r *0x40004810 gets 0x0, remains CR
[800096c, 800098a] 51-th(total 51-th) pm_w *0x40004810 = 0x0, remains CR
[8000954, 800096c] 51-th(total 53-th) pm_r *0x4000480c gets 0x200c, remains CR
[800096c, 800098a] 52-th(total 52-th) pm_w *0x4000480c = 0x2000, remains CR
[8000954, 800096c] 52-th(total 54-th) pm_r *0x40004814 gets 0x0, remains CR
[800096c, 800098a] 53-th(total 53-th) pm_w *0x40004814 = 0x0, remains CR
[8000954, 800096c] 53-th(total 55-th) pm_r *0x4000480c gets 0x2000, remains CR
[800096c, 800098a] 54-th(total 54-th) pm_w *0x4000480c = 0x2000, remains CR
[800096c, 800098a] 55-th(total 55-th) pm_w *0x40004808 = 0x16d, remains DR
[800096c, 800098a] 56-th(total 56-th) pm_w *0x4000480c = 0x2000, remains CR
[8000954, 800096c] 54-th(total 56-th) pm_r *0x40004810 gets 0x0, remains CR
[800096c, 800098a] 57-th(total 57-th) pm_w *0x40004810 = 0x0, remains CR
[8000954, 800096c] 55-th(total 57-th) pm_r *0x40004814 gets 0x0, remains CR
[800096c, 800098a] 58-th(total 58-th) pm_w *0x40004814 = 0x0, remains CR
[8000954, 800096c] 56-th(total 58-th) pm_r *0x4000480c gets 0x2000, remains CR
[800096c, 800098a] 59-th(total 59-th) pm_w *0x4000480c = 0x200c, remains CR
[8000850, 800086c] 60-th(total 60-th) pm_w *0x40020418 = 0x10000, remains DR
[80005d2, 800060c] 57-th(total 59-th) pm_r *0x40020400 gets 0x0, remains CR
[80005d2, 800060c] 61-th(total 61-th) pm_w *0x40020400 = 0x1, remains CR
[800062c, 8000668] 58-th(total 60-th) pm_r *0x4002040c gets 0x0, remains CR
[800062c, 8000668] 62-th(total 62-th) pm_w *0x4002040c = 0x0, remains CR
[8000682, 80006c2] 59-th(total 61-th) pm_r *0x40020420 gets 0x0, remains CR
[8000682, 80006c2] 63-th(total 63-th) pm_w *0x40020420 = 0x0, remains CR
[80006fe, 800074c] 60-th(total 62-th) pm_r *0x40020408 gets 0x0, remains CR
[80006fe, 800074c] 64-th(total 64-th) pm_w *0x40020408 = 0x2, remains CR
[80006fe, 800074c] 61-th(total 63-th) pm_r *0x40020404 gets 0x0, remains CR
[800076c, 8000786] 65-th(total 65-th) pm_w *0x40020404 = 0x0, remains CR
[8000850, 800086c] 66-th(total 66-th) pm_w *0x40020418 = 0x800000, remains DR
[80005d2, 800060c] 62-th(total 64-th) pm_r *0x40020400 gets 0x1, remains CR
[80005d2, 800060c] 67-th(total 67-th) pm_w *0x40020400 = 0x4001, remains CR
[800062c, 8000668] 63-th(total 65-th) pm_r *0x4002040c gets 0x0, remains CR
[800062c, 8000668] 68-th(total 68-th) pm_w *0x4002040c = 0x0, remains CR
[8000682, 80006c2] 64-th(total 66-th) pm_r *0x40020420 gets 0x0, remains CR
[8000682, 80006c2] 69-th(total 69-th) pm_w *0x40020420 = 0x0, remains CR
[80006fe, 800074c] 65-th(total 67-th) pm_r *0x40020408 gets 0x2, remains CR
[80006fe, 800074c] 70-th(total 70-th) pm_w *0x40020408 = 0x8002, remains CR
[80006fe, 800074c] 66-th(total 68-th) pm_r *0x40020404 gets 0x0, remains CR
[800076c, 8000786] 71-th(total 71-th) pm_w *0x40020404 = 0x0, remains CR
[8000850, 800086c] 72-th(total 72-th) pm_w *0x40020418 = 0x40000000, remains DR
[80005d2, 800060c] 67-th(total 69-th) pm_r *0x40020400 gets 0x4001, remains CR
[80005d2, 800060c] 73-th(total 73-th) pm_w *0x40020400 = 0x10004001, remains CR
[800062c, 8000668] 68-th(total 70-th) pm_r *0x4002040c gets 0x0, remains CR
[800062c, 8000668] 74-th(total 74-th) pm_w *0x4002040c = 0x0, remains CR
[8000678, 80006c2] 69-th(total 71-th) pm_r *0x40020424 gets 0x0, remains CR
[8000678, 80006c2] 75-th(total 75-th) pm_w *0x40020424 = 0x0, remains CR
[80006fe, 800074c] 70-th(total 72-th) pm_r *0x40020408 gets 0x8002, remains CR
[80006fe, 800074c] 76-th(total 76-th) pm_w *0x40020408 = 0x20008002, remains CR
[80006fe, 800074c] 71-th(total 73-th) pm_r *0x40020404 gets 0x0, remains CR
[800076c, 8000786] 77-th(total 77-th) pm_w *0x40020404 = 0x0, remains CR
[800085c, 800086c] 78-th(total 78-th) pm_w *0x40020418 = 0x80, remains DR
[8000850, 800086c] 79-th(total 79-th) pm_w *0x40020418 = 0x800000, remains DR
[800085c, 800086c] 80-th(total 80-th) pm_w *0x40020418 = 0x1, remains DR
[8000954, 800096c] 72-th(total 74-th) pm_r *0x4000480c gets 0x200c, remains CR
[800096c, 800098a] 81-th(total 81-th) pm_w *0x4000480c = 0x202c, remains CR
[8000954, 800096c] 73-th(total 75-th) pm_r *0x40004814 gets 0x0, remains CR
[800096c, 800098a] 82-th(total 82-th) pm_w *0x40004814 = 0x0, remains CR
[8000954, 800096c] 74-th(total 76-th) pm_r *0x40004800 gets 0x0, remains SR
doneWork(65) is invoked!
I observed that the input did not hang. This behaviour was also reproducible with other seeds (such as my own cfg or a random seed).
Just to make sure that I have set up my firmware in the intended way, here is the startup code's assembly with a call to startForkServer -
gdb-multiarch ./nuttx
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./nuttx...done.
gdb-peda$ set architecture arm
The target architecture is assumed to be arm
gdb-peda$ info files
Symbols from "/home/ritvik/fuzzing/nucleo-f429zi_nsh/1/nuttx".
Local exec file:
`/home/ritvik/fuzzing/nucleo-f429zi_nsh/1/nuttx', file type elf32-littlearm.
Entry point: 0x80001e0
0x08000000 - 0x08021c63 is .text
0x08021c64 - 0x08021c6c is .ARM.exidx
0x20000000 - 0x20000388 is .data
0x20000390 - 0x20001674 is .bss
gdb-peda$ x/i 0x80001e0
0x80001e0 <__start>: push {lr}
gdb-peda$
0x80001e2 <__start+2>: sub sp, #12
gdb-peda$
0x80001e4 <__start+4>: movs r0, #0
gdb-peda$
0x80001e6 <__start+6>: bl 0x80001b4 <startForkserver>
gdb-peda$
0x80001ea <__start+10>: bl 0x80004aa <stm32_clockconfig>

I'm unsure why AFL is hanging; maybe I'm missing some trivial configuration setup. If so, I would appreciate some pointers in this regard.
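As an added example (not part of this issue or of P2IM's own code), a small parser for the run_fw.py trace format posted above: it turns the pm_r/pm_w lines into read/write counts per peripheral block, lists the registers whose category the model still reports as ambiguous in the remains field, and records whether the run reached doneWork(), which is the first thing to check when AFL flags a seed as hanging. The 0x400-byte peripheral spacing is an assumption about the STM32 memory map, and the sample lines are excerpted from the trace above.

```python
import re
from collections import Counter, defaultdict, namedtuple

# pm_r/pm_w lines: [pc_lo, pc_hi] n-th(total m-th) op *0xADDR gets|= 0xVAL, remains CATS
ACCESS_RE = re.compile(
    r"^\[(?P<pc_lo>[0-9a-f]+), (?P<pc_hi>[0-9a-f]+)\] "
    r"(?P<n>\d+)-th\(total (?P<total>\d+)-th\) "
    r"(?P<op>pm_[rw]) \*0x(?P<addr>[0-9a-f]+) (?:gets|=) 0x(?P<val>[0-9a-f]+), "
    r"remains (?P<cats>[A-Z+]+)$"
)
# Accesses QEMU could not map to any peripheral ("unassigned mem_r *0x0" lines)
UNASSIGNED_RE = re.compile(
    r"^\[[0-9a-f]+, [0-9a-f]+\] \d+-th\(total \d+-th\) unassigned "
    r"(?P<op>mem_[rw]) \*0x(?P<addr>[0-9a-f]+)$"
)
DONE_RE = re.compile(r"^doneWork\((?P<code>\d+)\) is invoked!$")
PERIPH_BLOCK = 0x400  # assumption: STM32 peripheral instances sit on 0x400-byte boundaries

# op is "pm_r"/"pm_w"; cats is the "remains" field split on "+", e.g. ("CR", "SR")
Access = namedtuple("Access", "pc_lo pc_hi op addr value cats")

def parse_trace(lines):
    """Split a run_fw.py trace into peripheral accesses, unassigned accesses and exit code."""
    accesses, unassigned, exit_code = [], [], None
    for line in map(str.strip, lines):
        if m := ACCESS_RE.match(line):
            accesses.append(Access(int(m["pc_lo"], 16), int(m["pc_hi"], 16), m["op"],
                                   int(m["addr"], 16), int(m["val"], 16),
                                   tuple(m["cats"].split("+"))))
        elif m := UNASSIGNED_RE.match(line):
            unassigned.append((m["op"], int(m["addr"], 16)))
        elif m := DONE_RE.match(line):
            exit_code = int(m["code"])
    return accesses, unassigned, exit_code

def accesses_per_peripheral(accesses):
    """Read/write counts per peripheral block, to see which devices the seed exercised."""
    per_block = defaultdict(Counter)
    for a in accesses:
        per_block[a.addr & ~(PERIPH_BLOCK - 1)][a.op] += 1
    return dict(per_block)

def summarize(lines):
    """Facts worth checking first when a seed is flagged as hanging."""
    accesses, unassigned, exit_code = parse_trace(lines)
    last_cats = {a.addr: a.cats for a in accesses}  # last "remains" seen per register
    return {
        "exit_code": exit_code,  # None means no doneWork() line: the run hung or crashed
        "unassigned": unassigned,
        "last_addr": accesses[-1].addr if accesses else None,
        "unresolved": {k: v for k, v in last_cats.items() if len(v) > 1},
        "per_peripheral": accesses_per_peripheral(accesses),
    }

# Constructed sample: lines excerpted from the trace posted in the issue above.
SAMPLE_TRACE = [
    "[0, 0] 1-th(total 1-th) unassigned mem_r *0x0",
    "[8000254, 80002ae] 1-th(total 3-th) pm_r *0x40023800 gets 0x0, remains CR+SR",
    "[8000254, 80002ae] 1-th(total 1-th) pm_w *0x40023800 = 0x1, remains CR+SR",
    "[8000254, 80002ae] 4-th(total 4-th) pm_w *0x40023804 = 0x24003010, remains DR",
    "[800058e, 800060c] 22-th(total 24-th) pm_r *0x40020c24 gets 0x0, remains CR",
    "[8000954, 800096c] 74-th(total 76-th) pm_r *0x40004800 gets 0x0, remains SR",
    "doneWork(65) is invoked!",
]
```

Run summarize() over the stdout of run_fw.py for the flagged seed; a missing exit_code or a last_addr stuck on one register narrows down where the firmware stopped making progress.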