Fuzzing Xen with KF/x

gistfile1.txt

root@t2:/shared/xtf# make
root@t2:/shared/xtf# cd tests/kfx
root@t2:/shared/xtf/tests/kfx# xl create -p xen.cfg
Parsing config from xen.cfg
root@t2:/shared/xtf/tests/kfx# xl list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  8192     8     r-----  210894.3
test-pv64-xen-kfx                           71  1024     1     --p---       0.0
root@t2:/shared/xtf/tests/kfx# /shared/kernel-fuzzer-for-xen-project/kfx --setup --domain test-pv64-xen-kfx -c
Init vmi, init_events: 1 init_paging 0 domain test-pv64-xen-kfx domid 0 json (null)
Waiting for harness start (cpuid with leaf 0x13371337)
Got start cpuid callback with leaf: 0x13371337 subleaf: 0x90
Target buffer & size: 0x109980 144
Parent is ready
root@t2:/shared/xtf/tests/kfx# mkdir input
root@t2:/shared/xtf/tests/kfx# mkdir output
root@t2:/shared/xtf/tests/kfx# /shared/kernel-fuzzer-for-xen-project/rwmem --domid 71 --read 0x109980 --limit 144 --file input/seed
Init vmi, init_events: 0 init_paging 1 domain (null) domid 71 json (null)
Read operation success: 144 bytes from 0x109980
root@t2:/shared/xtf/tests/kfx# cat /shared/xen/xen/xen-syms.map | grep handle_exception
0xffff82d04039c948 T handle_exception
root@t2:/shared/xtf/tests/kfx# cat /shared/xen/xen/xen-syms.map | grep handle_ist_exception
0xffff82d04039cd9a t x86_64/entry.S#handle_ist_exception
root@t2:/shared/xtf/tests/kfx# cat /shared/xen/xen/xen-syms.map | grep fatal_trap
0xffff82d0403533a6 T fatal_trap
root@t2:/shared/xtf/tests/kfx# /shared/kernel-fuzzer-for-xen-project/AFLplusplus/afl-fuzz -i input -o output -- /shared/kernel-fuzzer-for-xen-project/kfx --domain test-pv64-xen-kfx --address 0x109980 --input @@ --input-limit 144 --sink-vaddr 0xffff82d0403533a6  --sink-vaddr 0xffff82d04039cd9a  --sink-vaddr 0xffff82d04039c948 --ptcov