better handling of -fsanitize=..,...,.. lists

2025-06-17 20:28:08 +00:00 · 2022-08-14 14:40:26 +02:00
parent 1a3b463c4c
commit 4e98071385
2 changed files with 98 additions and 13 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -14,6 +14,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
    - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
      of calibrating all initial seeds first. Good for large queues
      and long execution times, especially in CIs.
+  - afl-cc:
+    - better handling of -fsanitize=..,...,.. lists
  - qemu_mode:
    - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
      edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@ -51,7 +51,7 @@ static u32  cc_par_cnt = 1;            /* Param count, including argv0      */
 static u8   clang_mode;                /* Invoked as afl-clang*?            */
 static u8   llvm_fullpath[PATH_MAX];
 static u8   instrument_mode, instrument_opt_mode, ngram_size, ctx_k, lto_mode;
-static u8   compiler_mode, plusplus_mode, have_instr_env = 0;
+static u8   compiler_mode, plusplus_mode, have_instr_env = 0, need_aflpplib = 0;
 static u8   have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0;
 static u8  *lto_flag = AFL_CLANG_FLTO, *argvnull;
 static u8   debug;
@ -310,6 +310,69 @@ static u8 *find_object(u8 *obj, u8 *argv0) {

 }

+void parse_fsanitize(char *string) {
+
+  char *p, *ptr = string + strlen("-fsanitize=");
+  char *new = malloc(strlen(string) + 1);
+  char *tmp = malloc(strlen(ptr));
+  u32   count = 0, len, ende = 0;
+  strcpy(new, "-fsanitize=");
+
+  do {
+
+    p = strchr(ptr, ',');
+    if (!p) {
+
+      p = ptr + strlen(ptr) + 1;
+      ende = 1;
+
+    }
+
+    len = p - ptr;
+    if (len) {
+
+      strncpy(tmp, ptr, len);
+      tmp[len] = 0;
+      // fprintf(stderr, "Found: %s\n", tmp);
+      ptr += len + 1;
+      if (*tmp) {
+
+        u32 copy = 1;
+        if (!strcmp(tmp, "fuzzer")) {
+
+          need_aflpplib = 1;
+          copy = 0;
+
+        } else if (!strncmp(tmp, "fuzzer", 6)) {
+
+          copy = 0;
+
+        }
+
+        if (copy) {
+
+          if (count) { strcat(new, ","); }
+          strcat(new, tmp);
+          ++count;
+
+        }
+
+      }
+
+    } else {
+
+      ptr++;                                    /*fprintf(stderr, "NO!\n"); */
+
+    }
+
+  } while (!ende);
+
+  strcpy(string, new);
+  // fprintf(stderr, "string: %s\n", string);
+  // fprintf(stderr, "new: %s\n", new);
+
+}
+
 /* Copy argv to cc_params, making the necessary edits. */

 static void edit_params(u32 argc, char **argv, char **envp) {
@ -779,20 +842,35 @@ static void edit_params(u32 argc, char **argv, char **envp) {

    }

-    if ((!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) ||
-         !strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) &&
-        (strncmp(cur, "sanitize-coverage-allow",
-                 strlen("sanitize-coverage-allow")) &&
-         strncmp(cur, "sanitize-coverage-deny",
-                 strlen("sanitize-coverage-deny")) &&
-         instrument_mode != INSTRUMENT_LLVMNATIVE)) {
+    if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) {
+
+      have_instr_list = 1;
+
+    }
+
+    if (!strncmp(cur, "-fsanitize=", strlen("-fsanitize=")) &&
+        strchr(cur, ',')) {
+
+      parse_fsanitize(cur);
+      if (!cur || strlen(cur) <= strlen("-fsanitize=")) { continue; }
+
+    } else if ((!strncmp(cur, "-fsanitize=fuzzer-",
+
+                         strlen("-fsanitize=fuzzer-")) ||
+                !strncmp(cur, "-fsanitize-coverage",
+                         strlen("-fsanitize-coverage"))) &&
+               (strncmp(cur, "sanitize-coverage-allow",
+                        strlen("sanitize-coverage-allow")) &&
+                strncmp(cur, "sanitize-coverage-deny",
+                        strlen("sanitize-coverage-deny")) &&
+                instrument_mode != INSTRUMENT_LLVMNATIVE)) {

      if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); }
      continue;

    }

-    if (!strcmp(cur, "-fsanitize=fuzzer")) {
+    if (need_aflpplib || !strcmp(cur, "-fsanitize=fuzzer")) {

      u8 *afllib = find_object("libAFLDriver.a", argv[0]);

@ -823,7 +901,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {

      }

-      continue;
+      if (need_aflpplib) {
+
+        need_aflpplib = 0;
+
+      } else {
+
+        continue;
+
+      }

    }

@ -831,9 +917,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
    if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
    if (!strcmp(cur, "-m64")) bit_mode = 64;

-    if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
-      have_instr_list = 1;
-
    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
      asan_set = 1;