mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-17 04:18:06 +00:00
fix #736 (ty b1gr3db)
This commit is contained in:
Andrea Fioraldi
@ -1 +1 @@
|
|||||||
47722f64e4
|
9a258d5b7a
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@ -174,7 +174,9 @@ char *fgets(char *s, int size, FILE *stream) {
|
|||||||
|
|
||||||
QASAN_DEBUG("%14p: fgets(%p, %d, %p)\n", rtv, s, size, stream);
|
QASAN_DEBUG("%14p: fgets(%p, %d, %p)\n", rtv, s, size, stream);
|
||||||
QASAN_STORE(s, size);
|
QASAN_STORE(s, size);
|
||||||
|
#ifndef __ANDROID__
|
||||||
QASAN_LOAD(stream, sizeof(FILE));
|
QASAN_LOAD(stream, sizeof(FILE));
|
||||||
|
#endif
|
||||||
char *r = __lq_libc_fgets(s, size, stream);
|
char *r = __lq_libc_fgets(s, size, stream);
|
||||||
QASAN_DEBUG("\t\t = %p\n", r);
|
QASAN_DEBUG("\t\t = %p\n", r);
|
||||||
|
|
||||||
|
|||||||
@ -72,7 +72,7 @@ void __libqasan_print_maps(void) {
|
|||||||
|
|
||||||
QASAN_LOG("QEMU-AddressSanitizer (v%s)\n", QASAN_VERSTR);
|
QASAN_LOG("QEMU-AddressSanitizer (v%s)\n", QASAN_VERSTR);
|
||||||
QASAN_LOG(
|
QASAN_LOG(
|
||||||
"Copyright (C) 2019-2020 Andrea Fioraldi <andreafioraldi@gmail.com>\n");
|
"Copyright (C) 2019-2021 Andrea Fioraldi <andreafioraldi@gmail.com>\n");
|
||||||
QASAN_LOG("\n");
|
QASAN_LOG("\n");
|
||||||
|
|
||||||
if (__qasan_log) __libqasan_print_maps();
|
if (__qasan_log) __libqasan_print_maps();
|
||||||
|
|||||||
@ -51,9 +51,9 @@ typedef struct {
|
|||||||
struct chunk_begin {
|
struct chunk_begin {
|
||||||
|
|
||||||
size_t requested_size;
|
size_t requested_size;
|
||||||
void* aligned_orig; // NULL if not aligned
|
void * aligned_orig; // NULL if not aligned
|
||||||
struct chunk_begin* next;
|
struct chunk_begin *next;
|
||||||
struct chunk_begin* prev;
|
struct chunk_begin *prev;
|
||||||
char redzone[REDZONE_SIZE];
|
char redzone[REDZONE_SIZE];
|
||||||
|
|
||||||
};
|
};
|
||||||
@ -68,45 +68,45 @@ struct chunk_struct {
|
|||||||
|
|
||||||
#ifdef __GLIBC__
|
#ifdef __GLIBC__
|
||||||
|
|
||||||
void* (*__lq_libc_malloc)(size_t);
|
void *(*__lq_libc_malloc)(size_t);
|
||||||
void (*__lq_libc_free)(void*);
|
void (*__lq_libc_free)(void *);
|
||||||
#define backend_malloc __lq_libc_malloc
|
#define backend_malloc __lq_libc_malloc
|
||||||
#define backend_free __lq_libc_free
|
#define backend_free __lq_libc_free
|
||||||
|
|
||||||
#define TMP_ZONE_SIZE 4096
|
#define TMP_ZONE_SIZE 4096
|
||||||
static int __tmp_alloc_zone_idx;
|
static int __tmp_alloc_zone_idx;
|
||||||
static unsigned char __tmp_alloc_zone[TMP_ZONE_SIZE];
|
static unsigned char __tmp_alloc_zone[TMP_ZONE_SIZE];
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
// From dlmalloc.c
|
// From dlmalloc.c
|
||||||
void* dlmalloc(size_t);
|
void * dlmalloc(size_t);
|
||||||
void dlfree(void*);
|
void dlfree(void *);
|
||||||
#define backend_malloc dlmalloc
|
#define backend_malloc dlmalloc
|
||||||
#define backend_free dlfree
|
#define backend_free dlfree
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int __libqasan_malloc_initialized;
|
int __libqasan_malloc_initialized;
|
||||||
|
|
||||||
static struct chunk_begin* quarantine_top;
|
static struct chunk_begin *quarantine_top;
|
||||||
static struct chunk_begin* quarantine_end;
|
static struct chunk_begin *quarantine_end;
|
||||||
static size_t quarantine_bytes;
|
static size_t quarantine_bytes;
|
||||||
|
|
||||||
#ifdef __BIONIC__
|
#ifdef __BIONIC__
|
||||||
static pthread_mutex_t quarantine_lock;
|
static pthread_mutex_t quarantine_lock;
|
||||||
#define LOCK_TRY pthread_mutex_trylock
|
#define LOCK_TRY pthread_mutex_trylock
|
||||||
#define LOCK_INIT pthread_mutex_init
|
#define LOCK_INIT pthread_mutex_init
|
||||||
#define LOCK_UNLOCK pthread_mutex_unlock
|
#define LOCK_UNLOCK pthread_mutex_unlock
|
||||||
#else
|
#else
|
||||||
static pthread_spinlock_t quarantine_lock;
|
static pthread_spinlock_t quarantine_lock;
|
||||||
#define LOCK_TRY pthread_spin_trylock
|
#define LOCK_TRY pthread_spin_trylock
|
||||||
#define LOCK_INIT pthread_spin_init
|
#define LOCK_INIT pthread_spin_init
|
||||||
#define LOCK_UNLOCK pthread_spin_unlock
|
#define LOCK_UNLOCK pthread_spin_unlock
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
// need qasan disabled
|
// need qasan disabled
|
||||||
static int quanratine_push(struct chunk_begin* ck) {
|
static int quanratine_push(struct chunk_begin *ck) {
|
||||||
|
|
||||||
if (ck->requested_size >= QUARANTINE_MAX_BYTES) return 0;
|
if (ck->requested_size >= QUARANTINE_MAX_BYTES) return 0;
|
||||||
|
|
||||||
@ -114,7 +114,7 @@ static int quanratine_push(struct chunk_begin* ck) {
|
|||||||
|
|
||||||
while (ck->requested_size + quarantine_bytes >= QUARANTINE_MAX_BYTES) {
|
while (ck->requested_size + quarantine_bytes >= QUARANTINE_MAX_BYTES) {
|
||||||
|
|
||||||
struct chunk_begin* tmp = quarantine_end;
|
struct chunk_begin *tmp = quarantine_end;
|
||||||
quarantine_end = tmp->prev;
|
quarantine_end = tmp->prev;
|
||||||
|
|
||||||
quarantine_bytes -= tmp->requested_size;
|
quarantine_bytes -= tmp->requested_size;
|
||||||
@ -154,23 +154,23 @@ void __libqasan_init_malloc(void) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t __libqasan_malloc_usable_size(void* ptr) {
|
size_t __libqasan_malloc_usable_size(void *ptr) {
|
||||||
|
|
||||||
char* p = ptr;
|
char *p = ptr;
|
||||||
p -= sizeof(struct chunk_begin);
|
p -= sizeof(struct chunk_begin);
|
||||||
|
|
||||||
return ((struct chunk_begin*)p)->requested_size;
|
return ((struct chunk_begin *)p)->requested_size;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void* __libqasan_malloc(size_t size) {
|
void *__libqasan_malloc(size_t size) {
|
||||||
|
|
||||||
if (!__libqasan_malloc_initialized) {
|
if (!__libqasan_malloc_initialized) {
|
||||||
|
|
||||||
__libqasan_init_malloc();
|
__libqasan_init_malloc();
|
||||||
|
|
||||||
#ifdef __GLIBC__
|
#ifdef __GLIBC__
|
||||||
void* r = &__tmp_alloc_zone[__tmp_alloc_zone_idx];
|
void *r = &__tmp_alloc_zone[__tmp_alloc_zone_idx];
|
||||||
|
|
||||||
if (size & (ALLOC_ALIGN_SIZE - 1))
|
if (size & (ALLOC_ALIGN_SIZE - 1))
|
||||||
__tmp_alloc_zone_idx +=
|
__tmp_alloc_zone_idx +=
|
||||||
@ -185,7 +185,7 @@ void* __libqasan_malloc(size_t size) {
|
|||||||
|
|
||||||
int state = QASAN_SWAP(QASAN_DISABLED); // disable qasan for this thread
|
int state = QASAN_SWAP(QASAN_DISABLED); // disable qasan for this thread
|
||||||
|
|
||||||
struct chunk_begin* p = backend_malloc(sizeof(struct chunk_struct) + size);
|
struct chunk_begin *p = backend_malloc(sizeof(struct chunk_struct) + size);
|
||||||
|
|
||||||
QASAN_SWAP(state);
|
QASAN_SWAP(state);
|
||||||
|
|
||||||
@ -197,14 +197,14 @@ void* __libqasan_malloc(size_t size) {
|
|||||||
p->aligned_orig = NULL;
|
p->aligned_orig = NULL;
|
||||||
p->next = p->prev = NULL;
|
p->next = p->prev = NULL;
|
||||||
|
|
||||||
QASAN_ALLOC(&p[1], (char*)&p[1] + size);
|
QASAN_ALLOC(&p[1], (char *)&p[1] + size);
|
||||||
QASAN_POISON(p->redzone, REDZONE_SIZE, ASAN_HEAP_LEFT_RZ);
|
QASAN_POISON(p->redzone, REDZONE_SIZE, ASAN_HEAP_LEFT_RZ);
|
||||||
if (size & (ALLOC_ALIGN_SIZE - 1))
|
if (size & (ALLOC_ALIGN_SIZE - 1))
|
||||||
QASAN_POISON((char*)&p[1] + size,
|
QASAN_POISON((char *)&p[1] + size,
|
||||||
(size & ~(ALLOC_ALIGN_SIZE - 1)) + 8 - size + REDZONE_SIZE,
|
(size & ~(ALLOC_ALIGN_SIZE - 1)) + 8 - size + REDZONE_SIZE,
|
||||||
ASAN_HEAP_RIGHT_RZ);
|
ASAN_HEAP_RIGHT_RZ);
|
||||||
else
|
else
|
||||||
QASAN_POISON((char*)&p[1] + size, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
|
QASAN_POISON((char *)&p[1] + size, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
|
||||||
|
|
||||||
__builtin_memset(&p[1], 0xff, size);
|
__builtin_memset(&p[1], 0xff, size);
|
||||||
|
|
||||||
@ -212,17 +212,17 @@ void* __libqasan_malloc(size_t size) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void __libqasan_free(void* ptr) {
|
void __libqasan_free(void *ptr) {
|
||||||
|
|
||||||
if (!ptr) return;
|
if (!ptr) return;
|
||||||
|
|
||||||
#ifdef __GLIBC__
|
#ifdef __GLIBC__
|
||||||
if (ptr >= (void*)__tmp_alloc_zone &&
|
if (ptr >= (void *)__tmp_alloc_zone &&
|
||||||
ptr < ((void*)__tmp_alloc_zone + TMP_ZONE_SIZE))
|
ptr < ((void *)__tmp_alloc_zone + TMP_ZONE_SIZE))
|
||||||
return;
|
return;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
struct chunk_begin* p = ptr;
|
struct chunk_begin *p = ptr;
|
||||||
p -= 1;
|
p -= 1;
|
||||||
|
|
||||||
size_t n = p->requested_size;
|
size_t n = p->requested_size;
|
||||||
@ -249,21 +249,22 @@ void __libqasan_free(void* ptr) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void* __libqasan_calloc(size_t nmemb, size_t size) {
|
void *__libqasan_calloc(size_t nmemb, size_t size) {
|
||||||
|
|
||||||
size *= nmemb;
|
size *= nmemb;
|
||||||
|
|
||||||
#ifdef __GLIBC__
|
#ifdef __GLIBC__
|
||||||
if (!__libqasan_malloc_initialized) {
|
if (!__libqasan_malloc_initialized) {
|
||||||
|
|
||||||
void* r = &__tmp_alloc_zone[__tmp_alloc_zone_idx];
|
void *r = &__tmp_alloc_zone[__tmp_alloc_zone_idx];
|
||||||
__tmp_alloc_zone_idx += size;
|
__tmp_alloc_zone_idx += size;
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
char* p = __libqasan_malloc(size);
|
char *p = __libqasan_malloc(size);
|
||||||
if (!p) return NULL;
|
if (!p) return NULL;
|
||||||
|
|
||||||
__builtin_memset(p, 0, size);
|
__builtin_memset(p, 0, size);
|
||||||
@ -272,14 +273,14 @@ void* __libqasan_calloc(size_t nmemb, size_t size) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void* __libqasan_realloc(void* ptr, size_t size) {
|
void *__libqasan_realloc(void *ptr, size_t size) {
|
||||||
|
|
||||||
char* p = __libqasan_malloc(size);
|
char *p = __libqasan_malloc(size);
|
||||||
if (!p) return NULL;
|
if (!p) return NULL;
|
||||||
|
|
||||||
if (!ptr) return p;
|
if (!ptr) return p;
|
||||||
|
|
||||||
size_t n = ((struct chunk_begin*)ptr)[-1].requested_size;
|
size_t n = ((struct chunk_begin *)ptr)[-1].requested_size;
|
||||||
if (size < n) n = size;
|
if (size < n) n = size;
|
||||||
|
|
||||||
__builtin_memcpy(p, ptr, n);
|
__builtin_memcpy(p, ptr, n);
|
||||||
@ -289,9 +290,9 @@ void* __libqasan_realloc(void* ptr, size_t size) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int __libqasan_posix_memalign(void** ptr, size_t align, size_t len) {
|
int __libqasan_posix_memalign(void **ptr, size_t align, size_t len) {
|
||||||
|
|
||||||
if ((align % 2) || (align % sizeof(void*))) return EINVAL;
|
if ((align % 2) || (align % sizeof(void *))) return EINVAL;
|
||||||
if (len == 0) {
|
if (len == 0) {
|
||||||
|
|
||||||
*ptr = NULL;
|
*ptr = NULL;
|
||||||
@ -305,7 +306,7 @@ int __libqasan_posix_memalign(void** ptr, size_t align, size_t len) {
|
|||||||
|
|
||||||
int state = QASAN_SWAP(QASAN_DISABLED); // disable qasan for this thread
|
int state = QASAN_SWAP(QASAN_DISABLED); // disable qasan for this thread
|
||||||
|
|
||||||
char* orig = backend_malloc(sizeof(struct chunk_struct) + size);
|
char *orig = backend_malloc(sizeof(struct chunk_struct) + size);
|
||||||
|
|
||||||
QASAN_SWAP(state);
|
QASAN_SWAP(state);
|
||||||
|
|
||||||
@ -313,10 +314,10 @@ int __libqasan_posix_memalign(void** ptr, size_t align, size_t len) {
|
|||||||
|
|
||||||
QASAN_UNPOISON(orig, sizeof(struct chunk_struct) + size);
|
QASAN_UNPOISON(orig, sizeof(struct chunk_struct) + size);
|
||||||
|
|
||||||
char* data = orig + sizeof(struct chunk_begin);
|
char *data = orig + sizeof(struct chunk_begin);
|
||||||
data += align - ((uintptr_t)data % align);
|
data += align - ((uintptr_t)data % align);
|
||||||
|
|
||||||
struct chunk_begin* p = (struct chunk_begin*)data - 1;
|
struct chunk_begin *p = (struct chunk_begin *)data - 1;
|
||||||
|
|
||||||
p->requested_size = len;
|
p->requested_size = len;
|
||||||
p->aligned_orig = orig;
|
p->aligned_orig = orig;
|
||||||
@ -339,9 +340,9 @@ int __libqasan_posix_memalign(void** ptr, size_t align, size_t len) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void* __libqasan_memalign(size_t align, size_t len) {
|
void *__libqasan_memalign(size_t align, size_t len) {
|
||||||
|
|
||||||
void* ret = NULL;
|
void *ret = NULL;
|
||||||
|
|
||||||
__libqasan_posix_memalign(&ret, align, len);
|
__libqasan_posix_memalign(&ret, align, len);
|
||||||
|
|
||||||
@ -349,9 +350,9 @@ void* __libqasan_memalign(size_t align, size_t len) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void* __libqasan_aligned_alloc(size_t align, size_t len) {
|
void *__libqasan_aligned_alloc(size_t align, size_t len) {
|
||||||
|
|
||||||
void* ret = NULL;
|
void *ret = NULL;
|
||||||
|
|
||||||
if ((len % align)) return NULL;
|
if ((len % align)) return NULL;
|
||||||
|
|
||||||
|
|||||||
@ -271,7 +271,7 @@ void *__libqasan_memmem(const void *haystack, size_t haystack_len,
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
} while (++h <= end);
|
} while (h++ <= end);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
|||||||
Submodule qemu_mode/qemuafl updated: 47722f64e4...9a258d5b7a
@ -1303,7 +1303,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* CMPLOG_SOLVE_ARITHMETIC */
|
#endif /* CMPLOG_SOLVE_ARITHMETIC */
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
@ -2670,3 +2670,4 @@ exit_its:
|
|||||||
return r;
|
return r;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user