one byte cmp in cmplog

2025-06-17 04:18:06 +00:00 · 2020-04-14 13:02:49 +02:00
parent 92aaaef381
commit 0d0338012b
5 changed files with 80 additions and 41 deletions
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@ -651,13 +651,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
 ///// CmpLog instrumentation
-void __cmplog_ins_hook1(uint8_t Arg1, uint8_t Arg2) {
+void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) {
  return;
 }
 void __cmplog_ins_hook2(uint16_t Arg1, uint16_t Arg2) {
  if (!__afl_cmp_map) return;
@ -672,16 +666,35 @@ void __cmplog_ins_hook2(uint16_t Arg1, uint16_t Arg2) {
  // if (!__afl_cmp_map->headers[k].cnt)
  //  __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++;
-  __afl_cmp_map->headers[k].shape = 1;
+  __afl_cmp_map->headers[k].shape = 0;
  //__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  hits &= CMP_MAP_H - 1;
-  __afl_cmp_map->log[k][hits].v0 = Arg1;
+  __afl_cmp_map->log[k][hits].v0 = arg1;
-  __afl_cmp_map->log[k][hits].v1 = Arg2;
+  __afl_cmp_map->log[k][hits].v1 = arg2;
 }
 void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) {
  if (!__afl_cmp_map) return;
  uintptr_t k = (uintptr_t)__builtin_return_address(0);
  k = (k >> 4) ^ (k << 8);
  k &= CMP_MAP_W - 1;
  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  u32 hits = __afl_cmp_map->headers[k].hits;
  __afl_cmp_map->headers[k].hits = hits + 1;
  __afl_cmp_map->headers[k].shape = 1;
  hits &= CMP_MAP_H - 1;
  __afl_cmp_map->log[k][hits].v0 = arg1;
  __afl_cmp_map->log[k][hits].v1 = arg2;
 }
-void __cmplog_ins_hook4(uint32_t Arg1, uint32_t Arg2) {
+void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) {
  if (!__afl_cmp_map) return;
@ -697,12 +710,12 @@ void __cmplog_ins_hook4(uint32_t Arg1, uint32_t Arg2) {
  __afl_cmp_map->headers[k].shape = 3;
  hits &= CMP_MAP_H - 1;
-  __afl_cmp_map->log[k][hits].v0 = Arg1;
+  __afl_cmp_map->log[k][hits].v0 = arg1;
-  __afl_cmp_map->log[k][hits].v1 = Arg2;
+  __afl_cmp_map->log[k][hits].v1 = arg2;
 }
-void __cmplog_ins_hook8(uint64_t Arg1, uint64_t Arg2) {
+void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) {
  if (!__afl_cmp_map) return;
@ -718,8 +731,8 @@ void __cmplog_ins_hook8(uint64_t Arg1, uint64_t Arg2) {
  __afl_cmp_map->headers[k].shape = 7;
  hits &= CMP_MAP_H - 1;
-  __afl_cmp_map->log[k][hits].v0 = Arg1;
+  __afl_cmp_map->log[k][hits].v0 = arg1;
-  __afl_cmp_map->log[k][hits].v1 = Arg2;
+  __afl_cmp_map->log[k][hits].v1 = arg2;
 }
@ -734,28 +747,28 @@ void __cmplog_ins_hook8(uint64_t Arg1, uint64_t Arg2) {
 #pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4
 #pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8
 #else
-void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2)
+void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2)
    __attribute__((alias("__cmplog_ins_hook1")));
-void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2)
+void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2)
    __attribute__((alias("__cmplog_ins_hook2")));
-void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2)
+void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
    __attribute__((alias("__cmplog_ins_hook4")));
-void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2)
+void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
    __attribute__((alias("__cmplog_ins_hook8")));
-void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2)
+void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2)
    __attribute__((alias("__cmplog_ins_hook1")));
-void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2)
+void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2)
    __attribute__((alias("__cmplog_ins_hook2")));
-void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2)
+void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2)
    __attribute__((alias("__cmplog_ins_hook4")));
-void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2)
+void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2)
    __attribute__((alias("__cmplog_ins_hook8")));
 #endif                                                /* defined(__APPLE__) */
-void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
+void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
-  for (uint64_t i = 0; i < Cases[0]; i++) {
+  for (uint64_t i = 0; i < cases[0]; i++) {
    uintptr_t k = (uintptr_t)__builtin_return_address(0) + i;
    k = (k >> 4) ^ (k << 8);
@ -769,8 +782,8 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
    __afl_cmp_map->headers[k].shape = 7;
    hits &= CMP_MAP_H - 1;
-    __afl_cmp_map->log[k][hits].v0 = Val;
+    __afl_cmp_map->log[k][hits].v0 = val;
-    __afl_cmp_map->log[k][hits].v1 = Cases[i + 2];
+    __afl_cmp_map->log[k][hits].v1 = cases[i + 2];
  }
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@ -53,11 +53,12 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
    TCGv cur_loc_v = tcg_const_tl(cur_loc);
-    switch (ot) {
+    switch (ot & MO_SIZE) {
      case MO_64: gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2); break;
      case MO_32: gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2); break;
      case MO_16: gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2); break;
      case MO_8: gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2); break;
      default: break;
    }
@ -75,7 +76,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
    if (cur_loc >= afl_inst_rms) return;
-    switch (ot) {
+    switch (ot & MO_SIZE) {
      case MO_64: gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2); break;
      case MO_32: gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2); break;
--- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
+++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
@ -107,18 +107,39 @@ void HELPER(afl_compcov_64)(target_ulong cur_loc, target_ulong arg1,
 }
 void HELPER(afl_cmplog_8)(target_ulong cur_loc, target_ulong arg1,
                           target_ulong arg2) {
  register uintptr_t k = (uintptr_t)cur_loc;
  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  u32 hits = __afl_cmp_map->headers[k].hits;
  __afl_cmp_map->headers[k].hits = hits + 1;
  // if (!__afl_cmp_map->headers[k].cnt)
  //  __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++;
  __afl_cmp_map->headers[k].shape = 0;
  hits &= CMP_MAP_H - 1;
  __afl_cmp_map->log[k][hits].v0 = arg1;
  __afl_cmp_map->log[k][hits].v1 = arg2;
 }
 void HELPER(afl_cmplog_16)(target_ulong cur_loc, target_ulong arg1,
                           target_ulong arg2) {
  register uintptr_t k = (uintptr_t)cur_loc;
  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  u32 hits = __afl_cmp_map->headers[k].hits;
  __afl_cmp_map->headers[k].hits = hits + 1;
  // if (!__afl_cmp_map->headers[k].cnt)
  //  __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++;
  __afl_cmp_map->headers[k].shape = 1;
  //__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  hits &= CMP_MAP_H - 1;
  __afl_cmp_map->log[k][hits].v0 = arg1;
@ -131,6 +152,8 @@ void HELPER(afl_cmplog_32)(target_ulong cur_loc, target_ulong arg1,
  register uintptr_t k = (uintptr_t)cur_loc;
  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  u32 hits = __afl_cmp_map->headers[k].hits;
  __afl_cmp_map->headers[k].hits = hits + 1;
@ -147,6 +170,8 @@ void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1,
  register uintptr_t k = (uintptr_t)cur_loc;
  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
  u32 hits = __afl_cmp_map->headers[k].hits;
  __afl_cmp_map->headers[k].hits = hits + 1;
--- a/qemu_mode/patches/tcg-runtime-head.diff
+++ b/qemu_mode/patches/tcg-runtime-head.diff
@ -2,7 +2,7 @@ diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h
 index 1bd39d13..81ef3973 100644
 --- a/accel/tcg/tcg-runtime.h
 +++ b/accel/tcg/tcg-runtime.h
-@@ -260,3 +260,13 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+@@ -260,3 +260,14 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
@ -12,6 +12,7 @@ index 1bd39d13..81ef3973 100644
 +DEF_HELPER_FLAGS_3(afl_compcov_16, TCG_CALL_NO_RWG, void, tl, tl, tl)
 +DEF_HELPER_FLAGS_3(afl_compcov_32, TCG_CALL_NO_RWG, void, tl, tl, tl)
 +DEF_HELPER_FLAGS_3(afl_compcov_64, TCG_CALL_NO_RWG, void, tl, tl, tl)
 +DEF_HELPER_FLAGS_3(afl_cmplog_8, TCG_CALL_NO_RWG, void, tl, tl, tl)
 +DEF_HELPER_FLAGS_3(afl_cmplog_16, TCG_CALL_NO_RWG, void, tl, tl, tl)
 +DEF_HELPER_FLAGS_3(afl_cmplog_32, TCG_CALL_NO_RWG, void, tl, tl, tl)
 +DEF_HELPER_FLAGS_3(afl_cmplog_64, TCG_CALL_NO_RWG, void, tl, tl, tl)
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@ -242,11 +242,11 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
  u64 *buf_64 = (u64 *)&buf[idx];
  u32 *buf_32 = (u32 *)&buf[idx];
  u16 *buf_16 = (u16 *)&buf[idx];
-  // u8*  buf_8  = &buf[idx];
+  u8*  buf_8  = &buf[idx];
  u64 *o_buf_64 = (u64 *)&orig_buf[idx];
  u32 *o_buf_32 = (u32 *)&orig_buf[idx];
  u16 *o_buf_16 = (u16 *)&orig_buf[idx];
-  // u8*  o_buf_8  = &orig_buf[idx];
+  u8*  o_buf_8  = &orig_buf[idx];
  u32 its_len = len - idx;
  *status = 0;
@ -310,18 +310,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
  }
-  /*if (SHAPE_BYTES(h->shape) == 1 || *status == 2) {
+  if (SHAPE_BYTES(h->shape) == 1 || *status == 2) {
-    if (its_len >= 2 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) {
+    if (its_len >= 1 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) {
      *buf_8 = (u8)repl;
-      if (unlikely(its_fuzz(afl, buf, len, status)))
+      if (unlikely(its_fuzz(afl, buf, len, status))) return 1;
-        return 1;
+      *buf_8 = (u8)pattern;
      *buf_16 = (u16)pattern;
    }
-  }*/
+  }
  return 0;