adding ctor function skipping in LTO fixed map mode

This commit is contained in:
van Hauser
2020-08-11 02:05:39 +02:00
parent 432638404f
commit 50e76fce12
3 changed files with 90 additions and 39 deletions


@ -30,6 +30,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
reporting) reporting)
- LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
for a fixed map address (eg. 0x10000) for a fixed map address (eg. 0x10000)
- LTO: skipping ctors and ifuncs in fix map address instrumentation
- LTO: autodictionary mode is a default - LTO: autodictionary mode is a default
- LTO: instrim instrumentation disabled, only classic support used - LTO: instrim instrumentation disabled, only classic support used
as it is always better as it is always better


@ -218,43 +218,43 @@
/* Die with a verbose non-OS fatal error message. */ /* Die with a verbose non-OS fatal error message. */
#define FATAL(x...) \ #define FATAL(x...) \
do { \ do { \
\ \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \ "\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \ SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, __LINE__); \ __FILE__, __LINE__); \
exit(1); \ exit(1); \
\ \
} while (0) } while (0)
/* Die by calling abort() to provide a core dump. */ /* Die by calling abort() to provide a core dump. */
#define ABORT(x...) \ #define ABORT(x...) \
do { \ do { \
\ \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \ "\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, __LINE__); \ __FILE__, __LINE__); \
abort(); \ abort(); \
\ \
} while (0) } while (0)
/* Die while also including the output of perror(). */ /* Die while also including the output of perror(). */
#define PFATAL(x...) \ #define PFATAL(x...) \
do { \ do { \
\ \
fflush(stdout); \ fflush(stdout); \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] SYSTEM ERROR : " cRST x); \ "\n[-] SYSTEM ERROR : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \
__FILE__, __LINE__); \ __FILE__, __LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
exit(1); \ exit(1); \
\ \
} while (0) } while (0)
/* Die with FATAL() or PFATAL() depending on the value of res (used to /* Die with FATAL() or PFATAL() depending on the value of res (used to


@ -224,22 +224,70 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (map_addr) { if (map_addr) {
for (GlobalIFunc &IF : M.ifuncs()) { for (GlobalIFunc &IF : M.ifuncs()) {
StringRef ifunc_name = IF.getName(); StringRef ifunc_name = IF.getName();
Constant *r = IF.getResolver(); Constant *r = IF.getResolver();
StringRef r_name = cast<Function>(r->getOperand(0))->getName(); StringRef r_name = cast<Function>(r->getOperand(0))->getName();
if (!be_quiet) if (!be_quiet)
fprintf(stderr, "Found an ifunc with name %s that points to resolver function %s, we cannot instrument this, putting it into a block list.\n", fprintf(stderr,
"Warning: Found an ifunc with name %s that points to resolver "
"function %s, we cannot instrument this, putting it into a "
"block list.\n",
ifunc_name.str().c_str(), r_name.str().c_str()); ifunc_name.str().c_str(), r_name.str().c_str());
module_block_list.push_back(r_name.str()); module_block_list.push_back(r_name.str());
} }
// next up: ctors run before __afl_init() GlobalVariable *GV = M.getNamedGlobal("llvm.global_ctors");
if (GV && !GV->isDeclaration() && !GV->hasLocalLinkage()) {
// TODO
ConstantArray *InitList = dyn_cast<ConstantArray>(GV->getInitializer());
if (InitList) {
for (unsigned i = 0, e = InitList->getNumOperands(); i != e; ++i) {
if (ConstantStruct *CS =
dyn_cast<ConstantStruct>(InitList->getOperand(i))) {
if (CS->getNumOperands() >= 2) {
if (CS->getOperand(1)->isNullValue())
break; // Found a null terminator, stop here.
ConstantInt *CI = dyn_cast<ConstantInt>(CS->getOperand(0));
int Priority = CI ? CI->getSExtValue() : 0;
Constant *FP = CS->getOperand(1);
if (ConstantExpr *CE = dyn_cast<ConstantExpr>(FP))
if (CE->isCast()) FP = CE->getOperand(0);
if (Function *F = dyn_cast<Function>(FP)) {
if (!F->isDeclaration() &&
strncmp(F->getName().str().c_str(), "__afl", 5) != 0 &&
Priority <= 5) {
if (!be_quiet)
fprintf(stderr,
"Warning: Found constructor function %s with prio "
"%u, we cannot instrument this, putting it into a "
"block list.\n",
F->getName().str().c_str(), Priority);
module_block_list.push_back(F->getName().str());
}
}
}
}
}
}
}
} }
@ -260,21 +308,23 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (isIgnoreFunction(&F)) continue; if (isIgnoreFunction(&F)) continue;
if (module_block_list.size()) { if (module_block_list.size()) {
for (auto bname : module_block_list) { for (auto bname : module_block_list) {
std::string fname = F.getName().str(); std::string fname = F.getName().str();
if (fname.compare(bname) == 0) { if (fname.compare(bname) == 0) {
if (!be_quiet) if (!be_quiet)
WARNF("Skipping instrumentation of ifunc resolver function %s", WARNF(
fname.c_str()); "Skipping instrumentation of dangerous early running function "
"%s",
fname.c_str());
} }
} }
} }
// the instrument file list check // the instrument file list check
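Review bot: In the block-list check of the second hunk, a match on `fname.compare(bname) == 0` only prints "Skipping instrumentation of dangerous early running function" and then falls through to the instrumentation that follows; nothing in the hunk actually skips the function, so a ctor with priority <= 5 (or an ifunc resolver) collected by the first hunk would still be instrumented and would still hit the unmapped fixed map address when it runs before __afl_init. The enclosing for-loop over M and runOnModule itself both start before the hunk, so if the skip is enforced further down I cannot see it here; if it is not, the match needs to `continue` the outer loop, which a bare `continue` inside the inner `for (auto bname : ...)` would not do. A flag-based lookup does this without a labelled loop (see below). Separately, even once the skip works, the block list only covers the constructor function itself: any instrumented callee of such a ctor would presumably still write to the fixed map before it is mapped, which is worth a comment on the list or a follow-up that walks the ctor's callees.
```cpp
    if (isIgnoreFunction(&F)) continue;

    // Early-running functions (ctors with prio <= 5, ifunc resolvers) must
    // not be instrumented in fixed-map mode: the map is not mapped yet.
    bool blocked = false;
    for (const auto &bname : module_block_list) {
      if (F.getName().str() == bname) { blocked = true; break; }
    }
    if (blocked) {
      if (!be_quiet)
        WARNF("Skipping instrumentation of dangerous early running function %s",
              F.getName().str().c_str());
      continue;
    }

    // … unchanged: the instrument file list check …
```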