Update QEMU test scripts

tests/qemu-tests/download_images.sh

@@ -2,7 +2,8 @@
 
 set -o errexit
 
-OUT_DIR=images
+CWD=$(dirname -- "$0")
+OUT_DIR="${CWD}/images"
 URL="https://github.com/gsingh93/linux-exploit-dev-env/releases/latest/download"
 
 mkdir -p "${OUT_DIR}"

tests/qemu-tests/gdb.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+ARCH="$1"
+KERNEL_TYPE="$2"
+
+CWD=$(dirname -- "$0")
+IMAGE_DIR="${CWD}/images"
+
+if [[ -z "$ARCH" || -z "$KERNEL_TYPE" ]]; then
+    echo "usage: $0 ARCH [ack | linux]"
+    exit 1
+fi
+
+ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
+if [[ $ptrace_scope -ne 0 && $(id -u) -ne 0 ]]; then
+    cat << EOF
+WARNING: You are not running as root and ptrace_scope is not set to zero. If you
+run into issues when using pwndbg or gdb-pt-dump, rerun this script as root, or
+alternatively run the following command:
+
+    echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
+
+EOF
+fi
+
+if [[ $ARCH == "arm64" ]]; then
+    GDB=gdb-multiarch
+else
+    GDB=gdb
+fi
+
+VMLINUX="${IMAGE_DIR}/vmlinux-${KERNEL_TYPE}-${ARCH}"
+
+exec "${GDB}" -q \
+    -ex "file ${VMLINUX}" \
+    -ex "target remote :1234" \
+    -ex "source ${CWD}/tests/test_qemu_system.py" \
+    -ex "quit" \
+    "$@"

tests/qemu-tests/run_qemu_system.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+ARCH="$1"
+KERNEL_TYPE="${2:-linux}"
+
+CWD=$(dirname -- "$0")
+IMAGE_DIR="${CWD}/images"
+
+if [ -z "$ARCH" ]; then
+    echo "usage: $0 ARCH [ack | linux]"
+    exit 1
+fi
+
+if [[ "${ARCH}" != @(x86_64|arm64|aarch64) ]]; then
+    echo "Invalid arch ${ARCH}"
+    exit 1
+fi
+
+if [[ "${KERNEL_TYPE}" != @(ack|linux) ]]; then
+    echo "Invalid kernel type ${KERNEL_TYPE}"
+    exit 1
+fi
+
+if [[ "${ARCH}" == @(arm64|aarch64) ]]; then
+    ARCH=arm64
+    QEMU_BIN=qemu-system-aarch64
+    KERNEL="${IMAGE_DIR}/Image-${KERNEL_TYPE}-arm64"
+    ROOTFS="${IMAGE_DIR}/rootfs-arm64.img"
+
+    QEMU_ARGS=(
+        -cpu max
+        -machine virt
+        -append "console=ttyAMA0 root=/dev/vda nokaslr"
+    )
+elif [ "$ARCH" == "x86_64" ]; then
+    QEMU_BIN=qemu-system-x86_64
+    KERNEL="${IMAGE_DIR}/bzImage-${KERNEL_TYPE}-x86_64"
+    ROOTFS="${IMAGE_DIR}/rootfs-x86_64.img"
+
+    QEMU_ARGS=(
+        -append "8250.nr_uarts=1 console=ttyS0 root=/dev/vda nokaslr"
+    )
+fi
+
+QEMU_ARGS+=(
+    -kernel $KERNEL
+    -nographic
+    -drive file=$ROOTFS,if=virtio,format=qcow2
+    -S -s
+)
+
+echo "Waiting for GDB to attach (use 'ctrl-a x' to quit)"
+
+$QEMU_BIN "${QEMU_ARGS[@]}"

tests/qemu-tests/test_qemu_system.sh

@@ -1,49 +0,0 @@
-#!/bin/bash
-
-ARCH="$1"
-
-if [ -z "$ARCH" ]; then
-    echo "usage: $0 ARCH"
-    exit 1
-fi
-
-if [ "$ACK" == 1 ]; then
-    KERNEL_TYPE=ack
-else
-    KERNEL_TYPE=linux
-fi
-
-if [ "$ARCH" == arm64 ] || [ "$ARCH" == aarch64 ]; then
-    QEMU_BIN=qemu-system-aarch64
-    KERNEL=Image-${KERNEL_TYPE}-arm64
-    ROOTFS=rootfs-arm64.img
-
-    QEMU_ARGS=(
-        -cpu cortex-a53
-        -machine virt
-        -append "console=ttyAMA0 root=/dev/vda nokaslr"
-    )
-elif [ "$ARCH" == "x86_64" ]; then
-    QEMU_BIN=qemu-system-x86_64
-    KERNEL=bzImage-${KERNEL_TYPE}-x86_64
-    ROOTFS=rootfs-x86_64.img
-
-    QEMU_ARGS=(
-        -accel kvm
-        -append "8250.nr_uarts=1 console=ttyS0 root=/dev/vda nokaslr"
-    )
-else
-    echo "No arch specified"
-    exit 1
-fi
-
-tmux splitw -h -p 60 gdb-multiarch -ex "target remote :1234" -ex continue
-
-QEMU_ARGS+=(
-    -kernel $KERNEL
-    -nographic
-    -drive file=$ROOTFS,if=virtio,format=qcow2
-    -S -s
-)
-
-$QEMU_BIN "${QEMU_ARGS[@]}"

tests/qemu-tests/tests.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+CWD=$(dirname -- "$0")
+
+set -x
+
+for kernel_type in linux ack; do
+    for arch in x86_64 arm64; do
+        tmux splitw -h "${CWD}/run_qemu_system.sh" $arch $kernel_type
+        pane_id=$(tmux display-message -p "#{pane_id}")
+
+        "${CWD}/gdb.sh" $arch $kernel_type
+        exit_code=$?
+
+        tmux send-keys -t $pane_id ^A x
+        if [ $exit_code -ne 0 ]; then
+            exit $exit_code
+        fi
+    done
+done

tests/qemu-tests/tests/test_qemu_system.py

@@ -0,0 +1,15 @@
+import traceback
+
+import gdb
+
+import pwndbg
+import pwndbg.commands.kconfig
+
+gdb.execute("break start_kernel")
+gdb.execute("continue")
+
+try:
+    pwndbg.commands.kconfig.kconfig()
+except Exception:
+    traceback.print_exc()
+    exit(1)