support AFL_LLVM_INSTRUMENT env for our own PCGUARD

This commit is contained in:
van Hauser
2020-11-16 10:59:09 +01:00
parent 7000f2a2cf
commit 1cc637a0a0
5 changed files with 116 additions and 63 deletions

View File

@ -37,24 +37,27 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- added NO_SPLICING compile option and makefile define - added NO_SPLICING compile option and makefile define
- added INTROSPECTION make target that writes all mutations to - added INTROSPECTION make target that writes all mutations to
out/NAME/introspection.txt out/NAME/introspection.txt
- added INTROSPECTION support for custom modules
- print special compile time options used in help output - print special compile time options used in help output
- somewhere we broke -n dumb fuzzing, fixed
- instrumentation - instrumentation
- We received an enhanced gcc_plugin module from AdaCore, thank you - We received an enhanced gcc_plugin module from AdaCore, thank you
very much!! very much!!
- not overriding -Ox or -fno-unroll-loops anymore - not overriding -Ox or -fno-unroll-loops anymore
- we now have our own trace-pc-guard implementation. It is the same as - we now have our own trace-pc-guard implementation. It is the same as
-fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
and b) works from llvm 10+ on :) and b) works from llvm 10.0.1 + onwards :)
- new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
-x dictionary of string comparisons found during compilation -x dictionary of string comparisons found during compilation
- LTO autodict now also collects interesting cmp comparisons, - LTO autodict now also collects interesting cmp comparisons,
std::string compare + find + ==, bcmp std::string compare + find + ==, bcmp
- fix crash in dict2file for integers > 64 bit - fix crash in dict2file for integers > 64 bit
- custom mutators
- added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
- added a new custom mutator: libfuzzer that integrates libfuzzer mutations
- Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
- added INTROSPECTION support for custom modules
- python fuzz function was not optional, fixed
- unicornafl synced with upstream (arm64 fix, better rust bindings) - unicornafl synced with upstream (arm64 fix, better rust bindings)
- added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
- added a new custom mutator: libfuzzer that integrates libfuzzer mutations
- Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
### Version ++2.68c (release) ### Version ++2.68c (release)

View File

@ -544,7 +544,9 @@ bool ModuleSanitizerCoverage::instrumentModule(
be_quiet = 1; be_quiet = 1;
skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
// scanForDangerousFunctions(&M);
initInstrumentList();
scanForDangerousFunctions(&M);
if (debug) { if (debug) {
@ -819,6 +821,8 @@ void ModuleSanitizerCoverage::instrumentFunction(
Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) { Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
if (F.empty()) return; if (F.empty()) return;
if (!isInInstrumentList(&F)) return;
if (F.getName().find(".module_ctor") != std::string::npos) if (F.getName().find(".module_ctor") != std::string::npos)
return; // Should not instrument sanitizer init functions. return; // Should not instrument sanitizer init functions.
if (F.getName().startswith("__sanitizer_")) if (F.getName().startswith("__sanitizer_"))
@ -1315,6 +1319,7 @@ std::string ModuleSanitizerCoverage::getSectionEnd(
} }
char ModuleSanitizerCoverageLegacyPass::ID = 0; char ModuleSanitizerCoverageLegacyPass::ID = 0;
INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov", INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov",
"Pass for instrumenting coverage on functions", false, "Pass for instrumenting coverage on functions", false,
false) false)
@ -1323,6 +1328,7 @@ INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass)
INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov", INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov",
"Pass for instrumenting coverage on functions", false, "Pass for instrumenting coverage on functions", false,
false) false)
ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass( ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
const SanitizerCoverageOptions &Options, const SanitizerCoverageOptions &Options,
const std::vector<std::string> &AllowlistFiles, const std::vector<std::string> &AllowlistFiles,

View File

@ -49,14 +49,14 @@ static u8 * obj_path; /* Path to runtime libraries */
static u8 **cc_params; /* Parameters passed to the real CC */ static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 llvm_fullpath[PATH_MAX]; static u8 llvm_fullpath[PATH_MAX];
static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode, static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode;
compiler_mode, plusplus_mode; static u8 compiler_mode, plusplus_mode, have_instr_env = 0;
static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto; static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0;
static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull; static u8 * lto_flag = AFL_CLANG_FLTO, *argvnull;
static u8 debug; static u8 debug;
static u8 cwd[4096]; static u8 cwd[4096];
static u8 cmplog_mode; static u8 cmplog_mode;
u8 use_stdin; /* dummy */ u8 use_stdin; /* dummy */
// static u8 *march_opt = CFLAGS_OPT; // static u8 *march_opt = CFLAGS_OPT;
enum { enum {
@ -354,19 +354,13 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (lto_mode && plusplus_mode) if (lto_mode && plusplus_mode)
cc_params[cc_par_cnt++] = "-lc++"; // needed by fuzzbench, early cc_params[cc_par_cnt++] = "-lc++"; // needed by fuzzbench, early
if (lto_mode) { if (lto_mode && have_instr_env) {
if (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || cc_params[cc_par_cnt++] = "-Xclang";
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") || cc_params[cc_par_cnt++] = "-load";
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) { cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
cc_params[cc_par_cnt++] = "-Xclang"; alloc_printf("%s/afl-llvm-lto-instrumentlist.so", obj_path);
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-lto-instrumentlist.so", obj_path);
}
} }
@ -508,11 +502,25 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (instrument_mode == INSTRUMENT_PCGUARD) { if (instrument_mode == INSTRUMENT_PCGUARD) {
#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) #if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
cc_params[cc_par_cnt++] = "-Xclang"; if (have_instr_list) {
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang"; if (!be_quiet)
cc_params[cc_par_cnt++] = SAYF(
alloc_printf("%s/SanitizerCoveragePCGUARD.so", obj_path); "Using unoptimized trace-pc-guard, due usage of "
"-fsanitize-coverage-allow/denylist, you can use "
"AFL_LLVM_ALLOWLIST/AFL_LLMV_DENYLIST instead.\n");
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
} else {
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/SanitizerCoveragePCGUARD.so", obj_path);
}
#else #else
#if LLVM_MAJOR >= 4 #if LLVM_MAJOR >= 4
if (!be_quiet) if (!be_quiet)
@ -590,6 +598,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32; if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
if (!strcmp(cur, "-m64")) bit_mode = 64; if (!strcmp(cur, "-m64")) bit_mode = 64;
if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
have_instr_list = 1;
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
asan_set = 1; asan_set = 1;
@ -856,6 +867,14 @@ int main(int argc, char **argv, char **envp) {
be_quiet = 1; be_quiet = 1;
if (getenv("AFL_LLVM_INSTRUMENT_FILE") || getenv("AFL_LLVM_WHITELIST") ||
getenv("AFL_LLVM_ALLOWLIST") || getenv("AFL_LLVM_DENYLIST") ||
getenv("AFL_LLVM_BLOCKLIST")) {
have_instr_env = 1;
}
if ((ptr = strrchr(callname, '/')) != NULL) callname = ptr + 1; if ((ptr = strrchr(callname, '/')) != NULL) callname = ptr + 1;
argvnull = (u8 *)argv[0]; argvnull = (u8 *)argv[0];
check_environment_vars(envp); check_environment_vars(envp);
@ -1015,14 +1034,14 @@ int main(int argc, char **argv, char **envp) {
} }
if ((getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || if (have_instr_env && getenv("AFL_DONT_OPTIMIZE")) {
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") ||
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) &&
getenv("AFL_DONT_OPTIMIZE"))
WARNF( WARNF(
"AFL_LLVM_ALLOWLIST/DENYLIST and AFL_DONT_OPTIMIZE cannot be combined " "AFL_LLVM_ALLOWLIST/DENYLIST and AFL_DONT_OPTIMIZE cannot be combined "
"for file matching, only function matching!"); "for file matching, only function matching!");
}
if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") || if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") ||
getenv("INSTRIM_LIB")) { getenv("INSTRIM_LIB")) {
@ -1426,22 +1445,20 @@ int main(int argc, char **argv, char **envp) {
#if LLVM_MAJOR <= 6 #if LLVM_MAJOR <= 6
instrument_mode = INSTRUMENT_AFL; instrument_mode = INSTRUMENT_AFL;
#else #else
if (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || #if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") || if (have_instr_env) {
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) {
instrument_mode = INSTRUMENT_AFL; instrument_mode = INSTRUMENT_AFL;
WARNF( if (!be_quiet)
"switching to classic instrumentation because " WARNF(
"AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD. Use " "Switching to classic instrumentation because "
"-fsanitize-coverage-allowlist=allowlist.txt or " "AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD < 10.0.1.");
"-fsanitize-coverage-blocklist=denylist.txt if you want to use "
"PCGUARD. Requires llvm 12+. See https://clang.llvm.org/docs/ "
"SanitizerCoverage.html#partially-disabling-instrumentation");
} else } else
#endif
instrument_mode = INSTRUMENT_PCGUARD; instrument_mode = INSTRUMENT_PCGUARD;
#endif #endif
} }
@ -1487,18 +1504,16 @@ int main(int argc, char **argv, char **envp) {
"AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set " "AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set "
"together"); "together");
if (instrument_mode == INSTRUMENT_PCGUARD && #if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)
(getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || if (instrument_mode == INSTRUMENT_PCGUARD && have_instr_env) {
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") ||
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")))
FATAL( FATAL(
"Instrumentation type PCGUARD does not support " "Instrumentation type PCGUARD does not support "
"AFL_LLVM_ALLOWLIST/DENYLIST! Use " "AFL_LLVM_ALLOWLIST/DENYLIST! Use LLVM 10.0.1+ instead.");
"-fsanitize-coverage-allowlist=allowlist.txt or "
"-fsanitize-coverage-blocklist=denylist.txt instead (requires llvm " }
"12+), see "
"https://clang.llvm.org/docs/" #endif
"SanitizerCoverage.html#partially-disabling-instrumentation");
u8 *ptr2; u8 *ptr2;

View File

@ -2497,7 +2497,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
} }
if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || afl->non_instrumented_mode) { if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
afl->non_instrumented_mode) {
return; return;

View File

@ -435,11 +435,23 @@ int main(int argc, char **argv_orig, char **envp) {
u8 *c; u8 *c;
if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode"); } if (afl->non_instrumented_mode) {
FATAL("-M is not supported in non-instrumented mode");
}
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
/* sanity check for argument: should not begin with '-' (possible option) */ /* sanity check for argument: should not begin with '-' (possible
if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } * option) */
if (optarg && *optarg == '-') {
FATAL(
"argument for -M started with a dash '-', which is used for "
"options");
}
afl->sync_id = ck_strdup(optarg); afl->sync_id = ck_strdup(optarg);
afl->skip_deterministic = 0; // force deterministic fuzzing afl->skip_deterministic = 0; // force deterministic fuzzing
@ -469,11 +481,23 @@ int main(int argc, char **argv_orig, char **envp) {
case 'S': /* secondary sync id */ case 'S': /* secondary sync id */
if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode"); } if (afl->non_instrumented_mode) {
FATAL("-S is not supported in non-instrumented mode");
}
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
/* sanity check for argument: should not begin with '-' (possible option) */ /* sanity check for argument: should not begin with '-' (possible
if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } * option) */
if (optarg && *optarg == '-') {
FATAL(
"argument for -M started with a dash '-', which is used for "
"options");
}
afl->sync_id = ck_strdup(optarg); afl->sync_id = ck_strdup(optarg);
afl->is_secondary_node = 1; afl->is_secondary_node = 1;
@ -1354,7 +1378,11 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); } if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) {
check_binary(afl, afl->cmplog_binary);
}
} }