adding ctor function skipping in LTO fixed map mode

van Hauser
2020-08-11 02:05:39 +02:00
parent 432638404f
commit 50e76fce12
3 changed files with 90 additions and 39 deletions


@ -30,6 +30,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
reporting) reporting)
- LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
for a fixed map address (eg. 0x10000) for a fixed map address (eg. 0x10000)
- LTO: skipping ctors and ifuncs in fix map address instrumentation
- LTO: autodictionary mode is a default - LTO: autodictionary mode is a default
- LTO: instrim instrumentation disabled, only classic support used - LTO: instrim instrumentation disabled, only classic support used
as it is always better as it is always better


@ -229,17 +229,65 @@ bool AFLLTOPass::runOnModule(Module &M) {
Constant *r = IF.getResolver(); Constant *r = IF.getResolver();
StringRef r_name = cast<Function>(r->getOperand(0))->getName(); StringRef r_name = cast<Function>(r->getOperand(0))->getName();
if (!be_quiet) if (!be_quiet)
fprintf(stderr, "Found an ifunc with name %s that points to resolver function %s, we cannot instrument this, putting it into a block list.\n", fprintf(stderr,
"Warning: Found an ifunc with name %s that points to resolver "
"function %s, we cannot instrument this, putting it into a "
"block list.\n",
ifunc_name.str().c_str(), r_name.str().c_str()); ifunc_name.str().c_str(), r_name.str().c_str());
module_block_list.push_back(r_name.str()); module_block_list.push_back(r_name.str());
} }
// next up: ctors run before __afl_init() GlobalVariable *GV = M.getNamedGlobal("llvm.global_ctors");
if (GV && !GV->isDeclaration() && !GV->hasLocalLinkage()) {
// TODO ConstantArray *InitList = dyn_cast<ConstantArray>(GV->getInitializer());
if (InitList) {
for (unsigned i = 0, e = InitList->getNumOperands(); i != e; ++i) {
if (ConstantStruct *CS =
dyn_cast<ConstantStruct>(InitList->getOperand(i))) {
if (CS->getNumOperands() >= 2) {
if (CS->getOperand(1)->isNullValue())
break; // Found a null terminator, stop here.
ConstantInt *CI = dyn_cast<ConstantInt>(CS->getOperand(0));
int Priority = CI ? CI->getSExtValue() : 0;
Constant *FP = CS->getOperand(1);
if (ConstantExpr *CE = dyn_cast<ConstantExpr>(FP))
if (CE->isCast()) FP = CE->getOperand(0);
if (Function *F = dyn_cast<Function>(FP)) {
if (!F->isDeclaration() &&
strncmp(F->getName().str().c_str(), "__afl", 5) != 0 &&
Priority <= 5) {
if (!be_quiet)
fprintf(stderr,
"Warning: Found constructor function %s with prio "
"%u, we cannot instrument this, putting it into a "
"block list.\n",
F->getName().str().c_str(), Priority);
module_block_list.push_back(F->getName().str());
}
}
}
}
}
}
}
} }
@ -268,7 +316,9 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (fname.compare(bname) == 0) { if (fname.compare(bname) == 0) {
if (!be_quiet) if (!be_quiet)
WARNF("Skipping instrumentation of ifunc resolver function %s", WARNF(
"Skipping instrumentation of dangerous early running function "
"%s",
fname.c_str()); fname.c_str());
} }
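Review bot: The new ctor warning in the llvm.global_ctors loop prints `Priority` with `%u` although `Priority` is declared `int` (narrowed from `CI->getSExtValue()`), a format-type mismatch that -Wformat flags and that misprints negative or large values; change the fragment to `"%u, we cannot instrument this, putting it into a "` → `"%d, we cannot instrument this, putting it into a "`. The cutoff `Priority <= 5` is a bare literal: presumably it mirrors the constructor priority of the runtime's own AFL init constructor so that only ctors able to run before the map is set up are block-listed, but nothing in the hunk says so, and a named constant with a one-line comment tying it to that priority would keep the two from drifting apart when the runtime changes. The prefix test `strncmp(F->getName().str().c_str(), "__afl", 5) != 0` can be written as `!F->getName().startswith("__afl")`, which avoids the temporary std::string and the hard-coded length. runOnModule begins before this hunk and continues past the second hunk.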