AFL_ALIGNED_ALLOC in libdislocator

2025-06-14 11:08:06 +00:00 · 2020-02-01 19:12:26 +01:00
parent 86a25e64cd
commit 4384008f81
12 changed files with 93 additions and 51 deletions
--- a/libdislocator/libdislocator.so.c
+++ b/libdislocator/libdislocator.so.c
@ -62,6 +62,8 @@
 #include "config.h"
 #include "types.h"

+#define ALLOC_ALIGN_SIZE (sizeof(void*))
+
 #ifndef PAGE_SIZE
 #define PAGE_SIZE 4096
 #endif                                                        /* !PAGE_SIZE */
@ -114,6 +116,8 @@
 #define ALLOC_CANARY 0xAACCAACC
 #define ALLOC_CLOBBER 0xCC

+#define TAIL_ALLOC_CANARY 0xAC
+
 #define PTR_C(_p) (((u32*)(_p))[-1])
 #define PTR_L(_p) (((u32*)(_p))[-2])

@ -122,7 +126,8 @@
 static u32 max_mem = MAX_ALLOC;         /* Max heap usage to permit         */
 static u8  alloc_verbose,               /* Additional debug messages        */
    hard_fail,                          /* abort() when max_mem exceeded?   */
-    no_calloc_over;                     /* abort() on calloc() overflows?   */
+    no_calloc_over,                     /* abort() on calloc() overflows?   */
+    align_allocations;                  /* Force alignment to sizeof(void*) */

 #if defined __OpenBSD__ || defined __APPLE__
 #define __thread
@ -140,7 +145,7 @@ static u32          alloc_canary;

 static void* __dislocator_alloc(size_t len) {

-  void*  ret;
+  u8*    ret;
  size_t tlen;
  int    flags, fd, sp;

@ -154,11 +159,17 @@ static void* __dislocator_alloc(size_t len) {

  }

-  tlen = (1 + PG_COUNT(len + 8)) * PAGE_SIZE;
+  size_t rlen;
+  if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1)))
+    rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
+  else
+    rlen = len;
+
+  tlen = (1 + PG_COUNT(rlen + 8)) * PAGE_SIZE;
  flags = MAP_PRIVATE | MAP_ANONYMOUS;
  fd = -1;
 #if defined(USEHUGEPAGE)
-  sp = (len >= SUPER_PAGE_SIZE && !(len % SUPER_PAGE_SIZE));
+  sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE));

 #if defined(__APPLE__)
  if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB;
@ -174,7 +185,7 @@ static void* __dislocator_alloc(size_t len) {
  /* We will also store buffer length and a canary below the actual buffer, so
     let's add 8 bytes for that. */

-  ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+  ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
 #if defined(USEHUGEPAGE)
  /* We try one more time with regular call */
  if (ret == MAP_FAILED) {
@ -186,7 +197,7 @@ static void* __dislocator_alloc(size_t len) {
 #elif defined(__FreeBSD__)
    flags &= -MAP_ALIGNED_SUPER;
 #endif
-    ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+    ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);

  }

@ -204,13 +215,13 @@ static void* __dislocator_alloc(size_t len) {

  /* Set PROT_NONE on the last page. */

-  if (mprotect(ret + PG_COUNT(len + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
+  if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
    FATAL("mprotect() failed when allocating memory");

  /* Offset the return pointer so that it's right-aligned to the page
     boundary. */

-  ret += PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
+  ret += PAGE_SIZE * PG_COUNT(rlen + 8) - rlen - 8;

  /* Store allocation metadata. */

@ -221,6 +232,14 @@ static void* __dislocator_alloc(size_t len) {

  total_mem += len;

+  if (rlen != len) {
+
+    size_t i;
+    for (i = len; i < rlen; ++i)
+      ret[i] = TAIL_ALLOC_CANARY;
+
+  }
+
  return ret;

 }
@ -299,6 +318,16 @@ void free(void* ptr) {

  total_mem -= len;

+  if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) {
+
+    u8*    ptr_ = ptr;
+    size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
+    for (; len < rlen; ++len)
+      if (ptr_[len] != TAIL_ALLOC_CANARY)
+        FATAL("bad tail allocator canary on free()");
+
+  }
+
  /* Protect everything. Note that the extra page at the end is already
     set as PROT_NONE, so we don't need to touch that. */

@ -323,6 +352,7 @@ void* realloc(void* ptr, size_t len) {
  if (ret && ptr) {

    if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()");
+    // Here the tail canary check is delayed to free()

    memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
    free(ptr);
@ -441,6 +471,7 @@ __attribute__((constructor)) void __dislocator_init(void) {
  alloc_verbose = !!getenv("AFL_LD_VERBOSE");
  hard_fail = !!getenv("AFL_LD_HARD_FAIL");
  no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
+  align_allocations = !!getenv("AFL_ALIGNED_ALLOC");

 }

--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@ -224,7 +224,8 @@ static void edit_params(u32 argc, char** argv) {
      cc_params[cc_par_cnt++] = "-load";
      cc_params[cc_par_cnt++] = "-Xclang";
      if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL)
-      cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
+        cc_params[cc_par_cnt++] =
+            alloc_printf("%s/libLLVMInsTrim.so", obj_path);
      else
        cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);

@ -401,16 +402,19 @@ static void edit_params(u32 argc, char** argv) {

      case 0:
        if (cmplog_mode)
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-cmplog-rt.o", obj_path);
        else
          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path);
        break;

      case 32:
        if (cmplog_mode)
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt-32.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-cmplog-rt-32.o", obj_path);
        else
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-32.o", obj_path);

        if (access(cc_params[cc_par_cnt - 1], R_OK))
          FATAL("-m32 is not supported by your compiler");
@ -419,9 +423,11 @@ static void edit_params(u32 argc, char** argv) {

      case 64:
        if (cmplog_mode)
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt-64.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-cmplog-rt-64.o", obj_path);
        else
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-64.o", obj_path);

        if (access(cc_params[cc_par_cnt - 1], R_OK))
          FATAL("-m64 is not supported by your compiler");
@ -496,8 +502,7 @@ int main(int argc, char** argv) {
  }

  cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG");
-  if (cmplog_mode)
-    printf("CmpLog mode by <andreafioraldi@gmail.com>\n");
+  if (cmplog_mode) printf("CmpLog mode by <andreafioraldi@gmail.com>\n");

 #ifndef __ANDROID__
  find_obj(argv[0]);
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@ -350,8 +350,10 @@ static void afl_forkserver(CPUState *cpu) {
       a successful run. In this case, we want to wake it up without forking
       again. */

-    if (WIFSTOPPED(status)) child_stopped = 1;
-    else if(unlikely(first_run && is_persistent)) exit(12); // Persistent is wrong
+    if (WIFSTOPPED(status))
+      child_stopped = 1;
+    else if (unlikely(first_run && is_persistent))
+      exit(12);  // Persistent is wrong
    first_run = 0;

    if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
--- a/src/afl-fuzz-cmplog.c
+++ b/src/afl-fuzz-cmplog.c
@ -633,3 +633,4 @@ u8 common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len) {
  return 0;

 }
+
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -247,6 +247,7 @@ void bind_to_free_cpu(void) {
      ;

  }
+
 #elif defined(__NetBSD__)
 if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) {

--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@ -371,3 +371,4 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
  return 0;

 }
+
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@ -599,7 +599,8 @@ void show_stats(void) {
  if (cmplog_mode) {

    sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_PYTHON]),
-            DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
+            DI(stage_cycles[STAGE_PYTHON]),
+            DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
            DI(stage_cycles[STAGE_CUSTOM_MUTATOR]),
            DI(stage_finds[STAGE_COLORIZATION]),
            DI(stage_cycles[STAGE_COLORIZATION]), DI(stage_finds[STAGE_ITS]),
@ -611,7 +612,8 @@ void show_stats(void) {
  } else {

    sprintf(tmp, "%s/%s, %s/%s", DI(stage_finds[STAGE_PYTHON]),
-            DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
+            DI(stage_cycles[STAGE_PYTHON]),
+            DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
            DI(stage_cycles[STAGE_CUSTOM_MUTATOR]));

    SAYF(bV bSTOP "   py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -867,8 +867,7 @@ int main(int argc, char** argv) {

  if (!out_file) setup_stdio_file();

-  if (cmplog_binary)
-    check_binary(cmplog_binary);
+  if (cmplog_binary) check_binary(cmplog_binary);
  check_binary(argv[optind]);

  start_time = get_cur_time();