1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (c) 2011 The Chromium OS Authors.
27 #include <sys/types.h>
28 #include <linux/compiler_attributes.h>
29 #include <linux/types.h>
31 #include <asm/fuzzing_engine.h>
32 #include <asm/getopt.h>
34 #include <asm/sections.h>
35 #include <asm/state.h>
39 /* Environment variable for time offset */
40 #define ENV_TIME_OFFSET "UBOOT_SB_TIME_OFFSET"
42 /* Operating System Interface */
45 size_t length; /* number of bytes in the block */
48 ssize_t os_read(int fd, void *buf, size_t count)
50 return read(fd, buf, count);
53 ssize_t os_write(int fd, const void *buf, size_t count)
55 return write(fd, buf, count);
58 int os_printf(const char *fmt, ...)
64 i = vfprintf(stdout, fmt, args);
70 off_t os_lseek(int fd, off_t offset, int whence)
72 if (whence == OS_SEEK_SET)
74 else if (whence == OS_SEEK_CUR)
76 else if (whence == OS_SEEK_END)
80 return lseek(fd, offset, whence);
83 int os_open(const char *pathname, int os_flags)
87 switch (os_flags & OS_O_MASK) {
102 if (os_flags & OS_O_CREAT)
104 if (os_flags & OS_O_TRUNC)
107 * During a cold reset execv() is used to relaunch the U-Boot binary.
108 * We must ensure that all files are closed in this case.
112 return open(pathname, flags, 0777);
117 /* Do not close the console input */
123 int os_unlink(const char *pathname)
125 return unlink(pathname);
128 void os_exit(int exit_code)
133 unsigned int os_alarm(unsigned int seconds)
135 return alarm(seconds);
138 void os_set_alarm_handler(void (*handler)(int))
142 signal(SIGALRM, handler);
145 void os_raise_sigalrm(void)
150 int os_write_file(const char *fname, const void *buf, int size)
154 fd = os_open(fname, OS_O_WRONLY | OS_O_CREAT | OS_O_TRUNC);
156 printf("Cannot open file '%s'\n", fname);
159 if (os_write(fd, buf, size) != size) {
160 printf("Cannot write to file '%s'\n", fname);
169 off_t os_filesize(int fd)
173 size = os_lseek(fd, 0, OS_SEEK_END);
176 if (os_lseek(fd, 0, OS_SEEK_SET) < 0)
/*
 * os_read_file() - read a whole host file into an os_malloc()'d buffer
 *
 * Ownership of *bufp passes to the caller, who must release it with
 * os_free() (it is an os_malloc() mapping, not a libc malloc() block).
 * The size comes from os_filesize() (off_t) and is stored through an int
 * pointer; the narrowing itself is not visible here, so a file above INT_MAX
 * deserves an explicit range check before the os_malloc()/os_read() calls.
 *
 * @fname: file to read
 * @bufp: out: buffer holding the file contents
 * @sizep: out: number of bytes read
 * Return: 0 on success, negative on error (exact codes not shown here)
 */
182 int os_read_file(const char *fname, void **bufp, int *sizep)
188 fd = os_open(fname, OS_O_RDONLY);
190 printf("Cannot open file '%s'\n", fname);
193 size = os_filesize(fd);
195 printf("Cannot get file size of '%s'\n", fname);
199 *bufp = os_malloc(size);
201 printf("Not enough memory to read file '%s'\n", fname);
/* One read() for the whole file; anything short of the full size is a failure */
205 if (os_read(fd, *bufp, size) != size) {
206 printf("Cannot read from file '%s'\n", fname);
/*
 * os_map_file() - mmap a whole host file, shared and writable
 *
 * The mapping is PROT_READ|PROT_WRITE with MAP_SHARED, so stores through
 * *bufp are written back to the file. On Linux that combination is refused
 * (EACCES) unless the descriptor was opened read/write, so @os_flags must
 * allow writing. An empty file cannot be mapped (mmap() rejects length 0).
 * The SIZE_MAX check keeps the size_t passed to mmap() honest, but *sizep is
 * an int: how the off_t size is narrowed into it is not visible here, so a
 * file above INT_MAX would need its own check before that store.
 *
 * @pathname: file to map
 * @os_flags: OS_O_* flags handed to os_open()
 * @bufp: out: start of the mapping
 * @sizep: out: size of the file in bytes
 * Return: 0 on success, negative on error (exact codes not shown here)
 */
218 int os_map_file(const char *pathname, int os_flags, void **bufp, int *sizep)
224 ifd = os_open(pathname, os_flags);
226 printf("Cannot open file '%s'\n", pathname);
229 size = os_filesize(ifd);
231 printf("Cannot get file size of '%s'\n", pathname);
/* Guard the off_t -> size_t conversion for mmap()'s length argument */
234 if ((unsigned long long)size > (unsigned long long)SIZE_MAX) {
235 printf("File '%s' too large to map\n", pathname);
239 ptr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_SHARED, ifd, 0);
240 if (ptr == MAP_FAILED) {
241 printf("Can't map file '%s': %s\n", pathname, strerror(errno));
/*
 * os_unmap() - release a mapping made by os_map_file()
 *
 * @buf: start of the mapping
 * @size: length in bytes ("%x" in the message prints this int as unsigned
 *	hex without a 0x prefix; "%d" would match the parameter type)
 * Return: 0 on success, non-zero on munmap() failure (value not shown here)
 */
251 int os_unmap(void *buf, int size)
253 if (munmap(buf, size)) {
254 printf("Can't unmap %p %x\n", buf, size);
261 /* Restore tty state when we exit */
/* Terminal attributes captured by os_tty_raw() before switching to raw mode */
262 static struct termios orig_term;
/* Presumably set once os_tty_raw() has changed the terminal — its uses are not shown here */
263 static bool term_setup;
/* True when os_tty_raw() itself set O_NONBLOCK, so the restore should clear it */
264 static bool term_nonblock;
/*
 * os_fd_restore() - put the terminal back the way os_tty_raw() found it
 *
 * Registered with atexit() by os_tty_raw(). Both the termios restore and the
 * O_NONBLOCK clear operate on fd 0 (stdin), whereas os_tty_raw() saved the
 * attributes of whatever fd it was given.
 * NOTE(review): this only round-trips correctly when os_tty_raw() was called
 * with fd 0 — confirm against callers, or record the fd alongside orig_term.
 * Return values are ignored; at exit there is nothing left to do on failure.
 */
266 void os_fd_restore(void)
271 tcsetattr(0, TCSANOW, &orig_term);
273 flags = fcntl(0, F_GETFL, 0);
274 fcntl(0, F_SETFL, flags & ~O_NONBLOCK);
280 static void os_sigint_handler(int sig)
283 signal(SIGINT, SIG_DFL);
/*
 * os_signal_handler() - SA_SIGINFO handler for SIGILL/SIGBUS/SIGSEGV
 *
 * Extracts the program counter from the ucontext on x86_64, arm64 and
 * RISC-V and passes it, with the signal number, to os_signal_action(). On
 * other architectures it reports the limitation through os_write() — a raw
 * write(2), the async-signal-safe choice — and presumably passes a PC of 0
 * (that line is not shown here).
 *
 * NOTE(review): if msg is declared as a char array (its declaration line is
 * not shown), sizeof(msg) includes the terminating NUL, so one extra 0 byte
 * reaches stdout; `sizeof(msg) - 1` would avoid that.
 * NOTE(review): os_signal_action() runs in signal context and therefore must
 * itself be async-signal-safe — confirm.
 *
 * @sig: signal number delivered
 * @info: siginfo (unused in the lines shown)
 * @con: ucontext_t of the interrupted code
 */
287 static void os_signal_handler(int sig, siginfo_t *info, void *con)
289 ucontext_t __maybe_unused *context = con;
292 #if defined(__x86_64__)
293 pc = context->uc_mcontext.gregs[REG_RIP];
294 #elif defined(__aarch64__)
295 pc = context->uc_mcontext.pc;
296 #elif defined(__riscv)
297 pc = context->uc_mcontext.__gregs[REG_PC];
300 "\nUnsupported architecture, cannot read program counter\n";
302 os_write(1, msg, sizeof(msg));
306 os_signal_action(sig, pc);
/*
 * os_setup_signal_handlers() - route SIGILL/SIGBUS/SIGSEGV to os_signal_handler()
 *
 * SA_SIGINFO is requested so the handler receives the ucontext it reads the
 * faulting PC from. Only sa_sigaction, sa_mask and sa_flags are assigned and
 * no memset()/zero-initialiser is visible before them, so any other member
 * (e.g. sa_restorer on glibc) would hold stack garbage;
 * `struct sigaction act = { 0 };` is the safer declaration.
 * NOTE(review): no SA_ONSTACK/sigaltstack() is set up, so a SIGSEGV caused by
 * stack exhaustion cannot run this handler.
 *
 * Return: 0 on success, non-zero (presumably -1, not shown) if any
 *	sigaction() call fails
 */
309 int os_setup_signal_handlers(void)
311 struct sigaction act;
313 act.sa_sigaction = os_signal_handler;
314 sigemptyset(&act.sa_mask);
315 act.sa_flags = SA_SIGINFO;
316 if (sigaction(SIGILL, &act, NULL) ||
317 sigaction(SIGBUS, &act, NULL) ||
318 sigaction(SIGSEGV, &act, NULL))
323 /* Put tty into raw mode so <tab> and <ctrl+c> work */
324 void os_tty_raw(int fd, bool allow_sigs)
332 /* If not a tty, don't complain */
333 if (tcgetattr(fd, &orig_term))
337 term.c_iflag = IGNBRK | IGNPAR;
338 term.c_oflag = OPOST | ONLCR;
339 term.c_cflag = CS8 | CREAD | CLOCAL;
340 term.c_lflag = allow_sigs ? ISIG : 0;
341 if (tcsetattr(fd, TCSANOW, &term))
344 flags = fcntl(fd, F_GETFL, 0);
345 if (!(flags & O_NONBLOCK)) {
346 if (fcntl(fd, F_SETFL, flags | O_NONBLOCK))
348 term_nonblock = true;
352 atexit(os_fd_restore);
353 signal(SIGINT, os_sigint_handler);
357 * Provide our own malloc so we don't use space in the sandbox ram_buf for
358 * allocations that are internal to sandbox, or need to be done before U-Boot's
/*
 * os_malloc() - allocate @length bytes from the host with mmap()
 *
 * Layout: one leading page holds struct os_mem_hdr (only hdr->length is set
 * here); the pointer handed back is one page past the mapping start, so
 * os_free()/os_realloc() recover the header with "ptr - page_size".
 * The 0x10000000 address is a plain hint (no MAP_FIXED), so the kernel may
 * place the mapping elsewhere.
 *
 * NOTE(review): the mapping is PROT_READ|PROT_WRITE|PROT_EXEC, i.e. writable
 * and executable at once. Nothing visible here executes from this memory; if
 * no caller needs that, dropping PROT_EXEC restores W^X for sandbox-internal
 * allocations — confirm against callers before changing.
 * NOTE(review): "length + page_size" is not checked for size_t wrap-around;
 * an absurdly large @length would wrap to a tiny mapping. os_read_file()
 * derives its @length from a file size, so confirm that path is bounded.
 *
 * @length: number of bytes requested
 * Return: pointer to @length usable bytes, or presumably NULL when mmap()
 *	fails (the failure line is not shown here; callers such as
 *	os_parse_args() test the result against NULL)
 */
361 void *os_malloc(size_t length)
363 int page_size = getpagesize();
364 struct os_mem_hdr *hdr;
369 * Use an address that is hopefully available to us so that pointers
370 * to this memory are fairly obvious. If we end up with a different
371 * address, that's fine too.
373 hdr = mmap((void *)0x10000000, length + page_size,
374 PROT_READ | PROT_WRITE | PROT_EXEC,
375 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
376 if (hdr == MAP_FAILED)
/* Record the user-visible size in the header page for os_free()/os_realloc() */
378 hdr->length = length;
/* Arithmetic on void * is a GNU extension (byte granularity); fine for GCC/Clang */
380 return (void *)hdr + page_size;
383 void os_free(void *ptr)
385 int page_size = getpagesize();
386 struct os_mem_hdr *hdr;
389 hdr = ptr - page_size;
390 munmap(hdr, hdr->length + page_size);
394 /* These macros are from kernel.h but not accessible in this file */
395 #define ALIGN(x, a) __ALIGN_MASK((x), (typeof(x))(a) - 1)
396 #define __ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask))
399 * Provide our own realloc to go with os_malloc(), so that growing buffers
400 * internal to sandbox does not consume ram_buf space either. @ptr must come
 * from os_malloc()/os_realloc(): its header lives at "ptr - page_size".
 *
 * NOTE(review): os_malloc() can fail (see its MAP_FAILED check), yet the grow
 * path below passes its result straight to memcpy() without testing it, so a
 * NULL new_ptr would be dereferenced. Check new_ptr and return NULL — leaving
 * @ptr intact — before copying.
 * NOTE(review): on the "fits in the same pages" path the block is returned as
 * is; whether hdr->length is updated to @length there is not visible. If it
 * is not, a later grow copies only the stale, smaller hdr->length bytes and
 * silently drops whatever the caller wrote beyond it — set
 * `hdr->length = length;` before returning @ptr.
 *
 * @ptr: block to resize, or NULL (then behaves like os_malloc())
 * @length: new size in bytes; 0 frees @ptr
 * Return: resized block (may be @ptr itself when no extra page is needed)
403 void *os_realloc(void *ptr, size_t length)
405 int page_size = getpagesize();
406 struct os_mem_hdr *hdr;
409 /* Reallocating a NULL pointer is just an alloc */
411 return os_malloc(length);
413 /* Changing a length to 0 is just a free */
420 * If the new size is the same number of pages as the old, nothing to
421 * do. There isn't much point in shrinking things
/* void-pointer arithmetic (GNU extension): step back over the header page */
423 hdr = ptr - page_size;
424 if (ALIGN(length, page_size) <= ALIGN(hdr->length, page_size))
427 /* We have to grow it, so allocate something new */
428 new_ptr = os_malloc(length);
/* Copies the old payload; the old block is presumably released afterwards (not shown) */
429 memcpy(new_ptr, ptr, hdr->length);
435 void os_usleep(unsigned long usec)
440 uint64_t __attribute__((no_instrument_function)) os_get_nsec(void)
442 #if defined(CLOCK_MONOTONIC) && defined(_POSIX_MONOTONIC_CLOCK)
444 if (EINVAL == clock_gettime(CLOCK_MONOTONIC, &tp)) {
447 gettimeofday(&tv, NULL);
448 tp.tv_sec = tv.tv_sec;
449 tp.tv_nsec = tv.tv_usec * 1000;
451 return tp.tv_sec * 1000000000ULL + tp.tv_nsec;
454 gettimeofday(&tv, NULL);
455 return tv.tv_sec * 1000000000ULL + tv.tv_usec * 1000;
459 static char *short_opts;
460 static struct option *long_opts;
462 int os_parse_args(struct sandbox_state *state, int argc, char *argv[])
464 struct sandbox_cmdline_option **sb_opt =
465 __u_boot_sandbox_option_start();
466 size_t num_options = __u_boot_sandbox_option_count();
469 int hidden_short_opt;
474 if (short_opts || long_opts)
480 /* dynamically construct the arguments to the system getopt_long */
481 short_opts = os_malloc(sizeof(*short_opts) * num_options * 2 + 1);
482 long_opts = os_malloc(sizeof(*long_opts) * (num_options + 1));
483 if (!short_opts || !long_opts)
487 * getopt_long requires "val" to be unique (since that is what the
488 * func returns), so generate unique values automatically for flags
489 * that don't have a short option. pick 0x100 as that is above the
490 * single byte range (where ASCII/ISO-XXXX-X charsets live).
492 hidden_short_opt = 0x100;
494 for (i = 0; i < num_options; ++i) {
495 long_opts[i].name = sb_opt[i]->flag;
496 long_opts[i].has_arg = sb_opt[i]->has_arg ?
497 required_argument : no_argument;
498 long_opts[i].flag = NULL;
500 if (sb_opt[i]->flag_short) {
501 short_opts[si++] = long_opts[i].val = sb_opt[i]->flag_short;
502 if (long_opts[i].has_arg == required_argument)
503 short_opts[si++] = ':';
505 long_opts[i].val = sb_opt[i]->flag_short = hidden_short_opt++;
507 short_opts[si] = '\0';
509 /* we need to handle output ourselves since u-boot provides printf */
512 memset(&long_opts[num_options], '\0', sizeof(*long_opts));
514 * walk all of the options the user gave us on the command line,
515 * figure out what u-boot option structure they belong to (via
516 * the unique short val key), and call the appropriate callback.
518 while ((c = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) {
519 for (i = 0; i < num_options; ++i) {
520 if (sb_opt[i]->flag_short == c) {
521 if (sb_opt[i]->callback(state, optarg)) {
522 state->parse_err = sb_opt[i]->flag;
528 if (i == num_options) {
530 * store the faulting flag for later display. we have to
531 * store the flag itself as the getopt parsing itself is
532 * tricky: need to handle the following flags (assume all
533 * of the below are unknown):
534 * -a optopt='a' optind=<next>
535 * -abbbb optopt='a' optind=<this>
536 * -aaaaa optopt='a' optind=<this>
537 * --a optopt=0 optind=<this>
538 * as you can see, it is impossible to determine the exact
539 * faulting flag without doing the parsing ourselves, so
540 * we just report the specific flag that failed.
543 static char parse_err[3] = { '-', 0, '\0', };
544 parse_err[1] = optopt;
545 state->parse_err = parse_err;
547 state->parse_err = argv[optind - 1];
555 void os_dirent_free(struct os_dirent_node *node)
557 struct os_dirent_node *next;
566 int os_dirent_ls(const char *dirname, struct os_dirent_node **headp)
568 struct dirent *entry;
569 struct os_dirent_node *head, *node, *next;
579 dir = opendir(dirname);
583 /* Create a buffer upfront, with typically sufficient size */
584 dirlen = strlen(dirname) + 2;
586 fname = os_malloc(len);
592 for (node = head = NULL;; node = next) {
594 entry = readdir(dir);
599 next = os_malloc(sizeof(*node) + strlen(entry->d_name) + 1);
601 os_dirent_free(head);
605 if (dirlen + strlen(entry->d_name) > len) {
606 len = dirlen + strlen(entry->d_name);
608 fname = os_realloc(fname, len);
612 os_dirent_free(head);
618 strcpy(next->name, entry->d_name);
619 switch (entry->d_type) {
621 next->type = OS_FILET_REG;
624 next->type = OS_FILET_DIR;
627 next->type = OS_FILET_LNK;
630 next->type = OS_FILET_UNKNOWN;
633 snprintf(fname, len, "%s/%s", dirname, next->name);
634 if (!stat(fname, &buf))
635 next->size = buf.st_size;
649 const char *os_dirent_typename[OS_FILET_COUNT] = {
656 const char *os_dirent_get_typename(enum os_dirent_t type)
658 if (type >= OS_FILET_REG && type < OS_FILET_COUNT)
659 return os_dirent_typename[type];
661 return os_dirent_typename[OS_FILET_UNKNOWN];
665 * For compatibility reasons avoid loff_t here.
666 * U-Boot defines loff_t as long long.
667 * But /usr/include/linux/types.h may not define it at all.
668 * Alpine Linux being one example.
670 int os_get_filesize(const char *fname, long long *size)
675 ret = stat(fname, &buf);
687 void os_puts(const char *str)
/*
 * os_write_ram_buf() - dump the sandbox RAM buffer to a host file
 *
 * Writes state->ram_size bytes from state->ram_buf in a single write(); a
 * short write is treated as failure. The file is opened without O_TRUNC: if
 * @fname already exists and is larger than ram_size, the old tail survives,
 * and os_read_ram_buf() will later reject the file because its size no longer
 * matches ram_size. Adding O_TRUNC makes rewriting an existing dump reliable.
 * The 0777 mode (masked by umask) mirrors os_open(); a RAM image needs no
 * execute bits, so 0666 would be the tighter choice.
 *
 * @fname: path of the file to create or overwrite
 * Return: 0 on success, non-zero on failure (exact codes not shown here)
 */
698 int os_write_ram_buf(const char *fname)
700 struct sandbox_state *state = state_get_current();
703 fd = open(fname, O_CREAT | O_WRONLY, 0777);
/* One write() for the whole buffer; anything less than ram_size is an error */
706 ret = write(fd, state->ram_buf, state->ram_size);
708 if (ret != state->ram_size)
714 int os_read_ram_buf(const char *fname)
716 struct sandbox_state *state = state_get_current();
720 ret = os_get_filesize(fname, &size);
723 if (size != state->ram_size)
725 fd = open(fname, O_RDONLY);
729 ret = read(fd, state->ram_buf, state->ram_size);
731 if (ret != state->ram_size)
/*
 * make_exec() - write @data to a fresh temporary file and make it executable
 *
 * The caller's @fname buffer receives the generated path; it must hold at
 * least the 24 bytes of the template below (23 characters plus NUL). The
 * XXXXXX part is presumably filled in by mkstemp() on a line not shown here
 * (os_jump_to_file() uses the same pattern for its memory file).
 *
 * NOTE(review): the write() check only catches an error return. A short
 * write (ret >= 0 but < @size) is accepted, leaving a truncated image that is
 * then chmod'd executable and handed to execv() by os_jump_to_image().
 * Compare against the length instead: `if (write(fd, data, size) != size)`.
 * NOTE(review): chmod 0777 also grants write access to everyone (modulo
 * umask) on a file in the shared /tmp that is about to be executed; 0700 is
 * enough for the relaunch and closes that window.
 *
 * @fname: out: buffer receiving the temporary file's path
 * @data: image bytes to write
 * @size: number of bytes in @data
 * Return: 0 on success, negative on error (exact codes not shown here)
 */
737 static int make_exec(char *fname, const void *data, int size)
741 strcpy(fname, "/tmp/u-boot.jump.XXXXXX");
745 if (write(fd, data, size) < 0)
748 if (chmod(fname, 0777))
755 * add_args() - Allocate a new argv with the given args
757 * This is used to create a new argv array with all the old arguments and some
758 * new ones that are passed in
760 * @argvp: Returns newly allocated args list
761 * @add_args: Arguments to add, each a string
762 * @count: Number of arguments in @add_args
763 * Return: 0 if OK, -ENOMEM if out of memory
765 static int add_args(char ***argvp, char *add_args[], int count)
770 for (argc = 0; (*argvp)[argc]; argc++)
773 argv = os_malloc((argc + count + 1) * sizeof(char *));
775 printf("Out of memory for %d argv\n", count);
778 for (ap = *argvp, argc = 0; *ap; ap++) {
781 /* Drop args that we don't want to propagate */
782 if (*arg == '-' && strlen(arg) == 2) {
789 } else if (!strcmp(arg, "--rm_memory")) {
795 memcpy(argv + argc, add_args, count * sizeof(char *));
796 argv[argc + count] = NULL;
803 * os_jump_to_file() - Jump to a new program
805 * This saves the memory buffer, sets up arguments to the new process, then
808 * @fname: Filename to exec
 * @delete_it: true to unlink() @fname after a failed execv(); false leaves
 *	the file in place (os_spl_to_uboot() passes false)
809 * Return: does not return on success, any return value is an error
 *
 * NOTE(review): argv produced by add_args() is an os_malloc() allocation; on
 * the failure path below (execv() returned) it is not released in the lines
 * visible here — harmless for a one-shot relaunch, worth fixing if retried.
 * NOTE(review): mem_fname is created by mkstemp() (mode 0600) and then
 * re-opened by os_write_ram_buf(); the descriptor from mkstemp() should be
 * closed (not visible here) so the relaunched process does not inherit it.
 * mem_fname must hold at least 23 bytes (22-character template plus NUL).
811 static int os_jump_to_file(const char *fname, bool delete_it)
813 struct sandbox_state *state = state_get_current();
817 char **argv = state->argv;
/* Temporary file holding the RAM image handed to the new process via "-m" */
823 strcpy(mem_fname, "/tmp/u-boot.mem.XXXXXX");
824 fd = mkstemp(mem_fname);
828 err = os_write_ram_buf(mem_fname);
/* Up to five entries are stored here; extra_args' declaration (not shown) must allow that */
836 extra_args[argc++] = "-j";
837 extra_args[argc++] = (char *)fname;
839 extra_args[argc++] = "-m";
840 extra_args[argc++] = mem_fname;
/* Ask the next stage to delete the RAM dump once it has read it */
841 if (state->ram_buf_rm)
842 extra_args[argc++] = "--rm_memory";
/* Append the extras to a copy of the current argv (add_args() drops some flags) */
843 err = add_args(&argv, extra_args, argc);
846 argv[0] = (char *)fname;
849 for (i = 0; argv[i]; i++)
850 printf("%d %s\n", i, argv[i]);
/* Replaces this process image; only returns on failure */
856 err = execv(fname, argv);
859 perror("Unable to run image");
860 printf("Image filename '%s'\n", fname);
/* Remove the image we could not exec (presumably guarded by delete_it, not shown) */
865 return unlink(fname);
870 int os_jump_to_image(const void *dest, int size)
875 err = make_exec(fname, dest, size);
879 return os_jump_to_file(fname, true);
/*
 * os_find_u_boot() - locate the next-stage U-Boot binary next to this one
 *
 * Derives a candidate path from argv[0]: first by swapping the 4-character
 * "-xxx" suffix (e.g. "-tpl" -> "-spl", or dropping it for plain "u-boot"),
 * then, if that does not open, by swapping the "/xxx/" directory component.
 * Only the initial strcpy() of progname is bounded by the @maxlen check; the
 * later in-place edits rely on the replacement never being longer than what
 * it replaces (3-letter stage names in the examples). A longer @next_prefix
 * would overrun @fname — confirm the accepted prefixes at the callers.
 *
 * NOTE(review): both os_open() calls pass the host O_RDONLY, whereas
 * os_open() switches on OS_O_* flags (os_read_file() passes OS_O_RDONLY).
 * This only works while both constants are 0; OS_O_RDONLY is the consistent
 * spelling.
 * NOTE(review): the final strcpy() copies between overlapping regions, which
 * strcpy() does not permit (undefined behaviour); use
 * `memmove(p, p + 1 + strlen(cur_prefix), strlen(p + 1 + strlen(cur_prefix)) + 1);`.
 *
 * @fname: out: buffer of @maxlen bytes receiving the path found
 * @maxlen: size of @fname
 * @use_img: not referenced in the lines shown here
 * @cur_prefix: stage name of the running binary (e.g. "tpl")
 * @next_prefix: stage name to look for (e.g. "spl"), or "" for u-boot proper
 * Return: 0 when a candidate could be opened, negative otherwise (not shown)
 */
882 int os_find_u_boot(char *fname, int maxlen, bool use_img,
883 const char *cur_prefix, const char *next_prefix)
885 struct sandbox_state *state = state_get_current();
886 const char *progname = state->argv[0];
887 int len = strlen(progname);
/* Need room for progname plus NUL, and at least a 4-character suffix to edit */
893 if (len >= maxlen || len < 4)
896 strcpy(fname, progname);
897 suffix = fname + len - 4;
899 /* Change the existing suffix to the new one */
/* Overwrites the characters after '-'; stays in bounds only while strlen(next_prefix) <= 3 */
904 strcpy(suffix + 1, next_prefix); /* e.g. "-tpl" to "-spl" */
906 *suffix = '\0'; /* e.g. "-spl" to "" */
907 fd = os_open(fname, O_RDONLY);
914 * We didn't find it, so try looking for 'u-boot-xxx' in the xxx/
915 * directory. Replace the old dirname with the new one.
917 snprintf(subdir, sizeof(subdir), "/%s/", cur_prefix);
918 p = strstr(fname, subdir);
921 /* e.g. ".../tpl/u-boot-spl" to ".../spl/u-boot-spl" */
/* In-place overwrite: assumes strlen(next_prefix) == strlen(cur_prefix) */
922 memcpy(p + 1, next_prefix, strlen(next_prefix));
924 /* e.g. ".../spl/u-boot" to ".../u-boot" */
/* Collapses "/cur_prefix/" to "/" — overlapping copy, see note above */
925 strcpy(p, p + 1 + strlen(cur_prefix));
929 fd = os_open(fname, O_RDONLY);
/*
 * os_spl_to_uboot() - relaunch the sandbox as the next stage in @fname
 *
 * Sets state->ram_buf_rm so that os_jump_to_file() appends "--rm_memory",
 * telling the new process to delete the RAM dump once it has read it, then
 * execs @fname without deleting it (delete_it = false).
 *
 * @fname: path of the binary to exec
 * Return: only on failure; the value comes from os_jump_to_file()
 */
939 int os_spl_to_uboot(const char *fname)
941 struct sandbox_state *state = state_get_current();
943 /* U-Boot will delete the RAM buffer file after reading it: "--rm_memory" */
944 state->ram_buf_rm = true;
946 return os_jump_to_file(fname, false);
949 long os_get_time_offset(void)
953 offset = getenv(ENV_TIME_OFFSET);
955 return strtol(offset, NULL, 0);
959 void os_set_time_offset(long offset)
964 snprintf(buf, sizeof(buf), "%ld", offset);
965 ret = setenv(ENV_TIME_OFFSET, buf, true);
967 printf("Could not set environment variable %s\n",
971 void os_localtime(struct rtc_time *rt)
973 time_t t = time(NULL);
977 rt->tm_sec = tm->tm_sec;
978 rt->tm_min = tm->tm_min;
979 rt->tm_hour = tm->tm_hour;
980 rt->tm_mday = tm->tm_mday;
981 rt->tm_mon = tm->tm_mon + 1;
982 rt->tm_year = tm->tm_year + 1900;
983 rt->tm_wday = tm->tm_wday;
984 rt->tm_yday = tm->tm_yday;
985 rt->tm_isdst = tm->tm_isdst;
993 int os_mprotect_allow(void *start, size_t len)
995 int page_size = getpagesize();
997 /* Move start to the start of a page, len to the end */
998 start = (void *)(((ulong)start) & ~(page_size - 1));
999 len = (len + page_size * 2) & ~(page_size - 1);
1001 return mprotect(start, len, PROT_READ | PROT_WRITE);
1004 void *os_find_text_base(void)
1012 * This code assumes that the first line of /proc/self/maps holds
1013 * information about the text, for example:
1015 * 5622d9907000-5622d9a55000 r-xp 00000000 08:01 15067168 u-boot
1017 * The first hex value is assumed to be the address.
1019 * This is tested in Linux 4.15.
1021 fd = open("/proc/self/maps", O_RDONLY);
1024 len = read(fd, line, sizeof(line));
1026 char *end = memchr(line, '-', len);
1032 if (sscanf(line, "%zx", &addr) == 1)
1033 base = (void *)addr;
1042 * os_unblock_signals() - unblock all signals
1044 * If we are relaunching the sandbox in a signal handler, we have to unblock
1045 * the respective signal before calling execv(). See signal(7) man-page.
1047 static void os_unblock_signals(void)
1052 sigprocmask(SIG_UNBLOCK, &sigs, NULL);
1055 void os_relaunch(char *argv[])
1057 os_unblock_signals();
1059 execv(argv[0], argv);
1065 static void *fuzzer_thread(void * ptr)
1068 char *argv[5] = {"./u-boot", "-T", "-c", cmd, NULL};
1069 const char *fuzz_test;
1071 /* Find which test to run from an environment variable. */
1072 fuzz_test = getenv("UBOOT_SB_FUZZ_TEST");
1076 snprintf(cmd, sizeof(cmd), "fuzz %s", fuzz_test);
1078 sandbox_main(4, argv);
1083 static bool fuzzer_initialized = false;
1084 static pthread_mutex_t fuzzer_mutex = PTHREAD_MUTEX_INITIALIZER;
1085 static pthread_cond_t fuzzer_cond = PTHREAD_COND_INITIALIZER;
1086 static const uint8_t *fuzzer_data;
1087 static size_t fuzzer_size;
/*
 * sandbox_fuzzing_engine_get_input() - fetch the next fuzz input
 *
 * Runs on the sandbox thread. Signals the fuzzer thread parked in
 * LLVMFuzzerTestOneInput() that the previous input is finished with, then
 * waits on the same condition variable for the next one and copies the
 * shared fuzzer_data/fuzzer_size out while holding the mutex.
 *
 * NOTE(review): pthread_cond_wait() is not wrapped in a predicate loop. POSIX
 * allows spurious wakeups, and both directions of the hand-off share one
 * condition variable, so a wakeup that is not the "new input ready" event
 * returns the previous fuzzer_data/fuzzer_size. A flag or generation counter
 * checked in `while (!ready) pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);`
 * makes this robust.
 * fuzzer_initialized is read without the mutex; the write precedes the
 * pthread_create() of this thread in LLVMFuzzerTestOneInput(), which orders
 * it, but any later writer would need the lock.
 *
 * @data: out: pointer to the current input (owned by the fuzzer, valid until
 *	the next call)
 * @size: out: number of bytes in @data
 * Return: presumably 0 on success; the early-return value is not shown here
 */
1089 int sandbox_fuzzing_engine_get_input(const uint8_t **data, size_t *size)
1091 if (!fuzzer_initialized)
1094 /* Tell the main thread we need new inputs then wait for them. */
1095 pthread_mutex_lock(&fuzzer_mutex);
1096 pthread_cond_signal(&fuzzer_cond);
1097 pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);
1098 *data = fuzzer_data;
1099 *size = fuzzer_size;
1100 pthread_mutex_unlock(&fuzzer_mutex);
/*
 * LLVMFuzzerTestOneInput() - libFuzzer entry point, one input per call
 *
 * The first call starts the sandbox on a separate thread (fuzzer_thread) and
 * waits until it asks for input; every call then publishes @data/@size (on
 * lines not shown here) and blocks until the sandbox thread signals that it
 * is done with them. That final wait matters: libFuzzer only guarantees
 * @data for the duration of this call, so returning earlier would hand the
 * sandbox a dangling buffer.
 *
 * NOTE(review): the pthread_cond_wait() calls here and in
 * sandbox_fuzzing_engine_get_input() lack a predicate loop; a spurious
 * wakeup lets this function return while the sandbox thread is still using
 * @data. Pair each wait with a state flag checked in a while loop.
 * NOTE(review): if pthread_create() fails the mutex is still held; make sure
 * the error path (not shown) unlocks before returning.
 *
 * @data: input bytes provided by libFuzzer
 * @size: length of @data
 * Return: 0 as libFuzzer expects; the pthread_create() failure value is not
 *	visible here
 */
1104 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
/* Sandbox thread handle; created once on the first call */
1106 static pthread_t tid;
1108 pthread_mutex_lock(&fuzzer_mutex);
1110 /* Initialize the sandbox on another thread. */
1111 if (!fuzzer_initialized) {
1112 fuzzer_initialized = true;
1113 if (pthread_create(&tid, NULL, fuzzer_thread, NULL))
/* Block until the sandbox thread reaches its first input request */
1115 pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);
1118 /* Hand over the input. */
1121 pthread_cond_signal(&fuzzer_cond);
1123 /* Wait for the inputs to be finished with. */
1124 pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);
1125 pthread_mutex_unlock(&fuzzer_mutex);
1130 int main(int argc, char *argv[])
1132 return sandbox_main(argc, argv);