AFL_ALIGNED_ALLOC in libdislocator

libdislocator/libdislocator.so.c

@@ -62,6 +62,8 @@
 #include "config.h"
 #include "types.h"
 
+#define ALLOC_ALIGN_SIZE (sizeof(void*))
+
 #ifndef PAGE_SIZE
 #define PAGE_SIZE 4096
 #endif                                                        /* !PAGE_SIZE */
@@ -114,6 +116,8 @@
 #define ALLOC_CANARY 0xAACCAACC
 #define ALLOC_CLOBBER 0xCC
 
+#define TAIL_ALLOC_CANARY 0xAC
+
 #define PTR_C(_p) (((u32*)(_p))[-1])
 #define PTR_L(_p) (((u32*)(_p))[-2])
 
@@ -122,7 +126,8 @@
 static u32 max_mem = MAX_ALLOC;         /* Max heap usage to permit         */
 static u8  alloc_verbose,               /* Additional debug messages        */
     hard_fail,                          /* abort() when max_mem exceeded?   */
-    no_calloc_over;                     /* abort() on calloc() overflows?   */
+    no_calloc_over,                     /* abort() on calloc() overflows?   */
+    align_allocations;                  /* Force alignment to sizeof(void*) */
 
 #if defined __OpenBSD__ || defined __APPLE__
 #define __thread
@@ -140,7 +145,7 @@ static u32          alloc_canary;
 
 static void* __dislocator_alloc(size_t len) {
 
-  void*  ret;
+  u8*    ret;
   size_t tlen;
   int    flags, fd, sp;
 
@@ -154,11 +159,17 @@ static void* __dislocator_alloc(size_t len) {
 
   }
 
-  tlen = (1 + PG_COUNT(len + 8)) * PAGE_SIZE;
+  size_t rlen;
+  if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1)))
+    rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
+  else
+    rlen = len;
+
+  tlen = (1 + PG_COUNT(rlen + 8)) * PAGE_SIZE;
   flags = MAP_PRIVATE | MAP_ANONYMOUS;
   fd = -1;
 #if defined(USEHUGEPAGE)
-  sp = (len >= SUPER_PAGE_SIZE && !(len % SUPER_PAGE_SIZE));
+  sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE));
 
 #if defined(__APPLE__)
   if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB;
@@ -174,7 +185,7 @@ static void* __dislocator_alloc(size_t len) {
   /* We will also store buffer length and a canary below the actual buffer, so
      let's add 8 bytes for that. */
 
-  ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+  ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
 #if defined(USEHUGEPAGE)
   /* We try one more time with regular call */
   if (ret == MAP_FAILED) {
@@ -186,7 +197,7 @@ static void* __dislocator_alloc(size_t len) {
 #elif defined(__FreeBSD__)
     flags &= -MAP_ALIGNED_SUPER;
 #endif
-    ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+    ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
 
   }
 
@@ -204,13 +215,13 @@ static void* __dislocator_alloc(size_t len) {
 
   /* Set PROT_NONE on the last page. */
 
-  if (mprotect(ret + PG_COUNT(len + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
+  if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
     FATAL("mprotect() failed when allocating memory");
 
   /* Offset the return pointer so that it's right-aligned to the page
      boundary. */
 
-  ret += PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
+  ret += PAGE_SIZE * PG_COUNT(rlen + 8) - rlen - 8;
 
   /* Store allocation metadata. */
 
@@ -221,6 +232,14 @@ static void* __dislocator_alloc(size_t len) {
 
   total_mem += len;
 
+  if (rlen != len) {
+
+    size_t i;
+    for (i = len; i < rlen; ++i)
+      ret[i] = TAIL_ALLOC_CANARY;
+
+  }
+
   return ret;
 
 }
@@ -299,6 +318,16 @@ void free(void* ptr) {
 
   total_mem -= len;
 
+  if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) {
+
+    u8*    ptr_ = ptr;
+    size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
+    for (; len < rlen; ++len)
+      if (ptr_[len] != TAIL_ALLOC_CANARY)
+        FATAL("bad tail allocator canary on free()");
+
+  }
+
   /* Protect everything. Note that the extra page at the end is already
      set as PROT_NONE, so we don't need to touch that. */
 
@@ -323,6 +352,7 @@ void* realloc(void* ptr, size_t len) {
   if (ret && ptr) {
 
     if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()");
+    // Here the tail canary check is delayed to free()
 
     memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
     free(ptr);
@@ -441,6 +471,7 @@ __attribute__((constructor)) void __dislocator_init(void) {
   alloc_verbose = !!getenv("AFL_LD_VERBOSE");
   hard_fail = !!getenv("AFL_LD_HARD_FAIL");
   no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
+  align_allocations = !!getenv("AFL_ALIGNED_ALLOC");
 
 }
 

llvm_mode/afl-clang-fast.c

@@ -224,7 +224,8 @@ static void edit_params(u32 argc, char** argv) {
       cc_params[cc_par_cnt++] = "-load";
       cc_params[cc_par_cnt++] = "-Xclang";
       if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL)
-      cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
+        cc_params[cc_par_cnt++] =
+            alloc_printf("%s/libLLVMInsTrim.so", obj_path);
       else
         cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
 
@@ -401,16 +402,19 @@ static void edit_params(u32 argc, char** argv) {
 
       case 0:
         if (cmplog_mode)
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-cmplog-rt.o", obj_path);
         else
           cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path);
         break;
 
       case 32:
         if (cmplog_mode)
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt-32.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-cmplog-rt-32.o", obj_path);
         else
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
 
         if (access(cc_params[cc_par_cnt - 1], R_OK))
           FATAL("-m32 is not supported by your compiler");
@@ -419,9 +423,11 @@ static void edit_params(u32 argc, char** argv) {
 
       case 64:
         if (cmplog_mode)
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt-64.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-cmplog-rt-64.o", obj_path);
         else
-          cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
 
         if (access(cc_params[cc_par_cnt - 1], R_OK))
           FATAL("-m64 is not supported by your compiler");
@@ -496,8 +502,7 @@ int main(int argc, char** argv) {
   }
 
   cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG");
-  if (cmplog_mode)
-    printf("CmpLog mode by <andreafioraldi@gmail.com>\n");
+  if (cmplog_mode) printf("CmpLog mode by <andreafioraldi@gmail.com>\n");
 
 #ifndef __ANDROID__
   find_obj(argv[0]);

qemu_mode/patches/afl-qemu-cpu-inl.h

@@ -350,8 +350,10 @@ static void afl_forkserver(CPUState *cpu) {
        a successful run. In this case, we want to wake it up without forking
        again. */
 
-    if (WIFSTOPPED(status)) child_stopped = 1;
-    else if(unlikely(first_run && is_persistent)) exit(12); // Persistent is wrong
+    if (WIFSTOPPED(status))
+      child_stopped = 1;
+    else if (unlikely(first_run && is_persistent))
+      exit(12);  // Persistent is wrong
     first_run = 0;
 
     if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);

src/afl-fuzz-cmplog.c

@@ -633,3 +633,4 @@ u8 common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len) {
   return 0;
 
 }
+

src/afl-fuzz-globals.c

@@ -251,7 +251,7 @@ u32                a_extras_cnt;        /* Total number of tokens available */
 
 u8 *(*post_handler)(u8 *buf, u32 *len);
 
-u8* cmplog_binary;
+u8 *cmplog_binary;
 s32 cmplog_forksrv_pid;
 
 /* hooks for the custom mutator function */

src/afl-fuzz-init.c

@@ -247,6 +247,7 @@ void bind_to_free_cpu(void) {
       ;
 
   }
+
 #elif defined(__NetBSD__)
 if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) {
 

src/afl-fuzz-redqueen.c

@@ -371,3 +371,4 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
   return 0;
 
 }
+

src/afl-fuzz-stats.c

@@ -599,7 +599,8 @@ void show_stats(void) {
   if (cmplog_mode) {
 
     sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_PYTHON]),
-            DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
+            DI(stage_cycles[STAGE_PYTHON]),
+            DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
             DI(stage_cycles[STAGE_CUSTOM_MUTATOR]),
             DI(stage_finds[STAGE_COLORIZATION]),
             DI(stage_cycles[STAGE_COLORIZATION]), DI(stage_finds[STAGE_ITS]),
@@ -611,7 +612,8 @@ void show_stats(void) {
   } else {
 
     sprintf(tmp, "%s/%s, %s/%s", DI(stage_finds[STAGE_PYTHON]),
-            DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
+            DI(stage_cycles[STAGE_PYTHON]),
+            DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
             DI(stage_cycles[STAGE_CUSTOM_MUTATOR]));
 
     SAYF(bV bSTOP "   py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",

src/afl-fuzz.c

@@ -867,8 +867,7 @@ int main(int argc, char** argv) {
 
   if (!out_file) setup_stdio_file();
 
-  if (cmplog_binary)
-    check_binary(cmplog_binary);
+  if (cmplog_binary) check_binary(cmplog_binary);
   check_binary(argv[optind]);
 
   start_time = get_cur_time();

src/afl-sharedmem.c

@@ -149,7 +149,7 @@ void setup_shm(unsigned char dumb_mode) {
   if (!trace_bits) PFATAL("mmap() failed");
 
 #else
-  u8* shm_str;
+  u8 *shm_str;
 
   shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);