add AFL_USE_TSAN

2025-06-16 11:58:08 +00:00 · 2021-11-04 15:53:17 +01:00
parent 5e0e385e62
commit 6ce3d7fede
20 changed files with 106 additions and 59 deletions
--- a/TODO.md
+++ b/TODO.md
@ -2,6 +2,7 @@

 ## TODO

+ - AFL_USE_TSAN to docs/env_variables.md after work over
 - screen update during input2stage
 - better autodetection of shifting runtime timeout values
 - Update afl->pending_not_fuzzed for MOpt
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -26,7 +26,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
  - Prevent accidently killing non-afl/fuzz services when aborting
    afl-showmap and other tools.
  - afl-cc:
+    - support llvm IR select instrumentation for default PCGUARD and LTO
    - fix for shared linking on MacOS
+    - added AFL_USE_TSAN thread sanitizer support
    - llvm and LTO mode modified to work with new llvm 14-dev (again)
  - added the very good grammar mutator "GramaTron" to the
    custom_mutators
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@ -149,6 +149,8 @@ The following sanitizers have built-in support in AFL++:
    vulnerabilities - which is however one of the most important and dangerous
    C++ memory corruption classes!
    Enabled with `export AFL_USE_CFISAN=1` before compiling.
+  * TSAN = Thread SANitizer, finds thread race conditions.
+    Enabled with `export AFL_USE_TSAN=1` before compiling.
  * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really
    a security issue, but for developers this can be very valuable.
    Note that unlike the other sanitizers above this needs
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@ -347,8 +347,8 @@ void instrument_init(void) {
 #else
    tid = syscall(SYS_gettid);
 #endif
-    instrument_hash_seed = g_get_monotonic_time() ^
-                           (((guint64)getpid()) << 32) ^ tid;
+    instrument_hash_seed =
+        g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ tid;

  }

--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@ -23,7 +23,9 @@ void instrument_coverage_optimize(const cs_insn *   instr,
 }

 void instrument_coverage_optimize_init(void) {
+
  WARNF("Optimized coverage not supported on this architecture");
+
 }

 void instrument_flush(GumStalkerOutput *output) {
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@ -96,6 +96,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,
 }

 void instrument_coverage_optimize_init(void) {
+
 }

 void instrument_flush(GumStalkerOutput *output) {
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@ -53,15 +53,12 @@ typedef struct {
  //    0x7ffff6cfb08b:      pushf
  //    0x7ffff6cfb08c:      push   rsi
  //    0x7ffff6cfb08d:      mov    rsi,0x228
-  //    0x7ffff6cfb094:      xchg   QWORD PTR [rip+0x3136a5],rsi        # 0x7ffff700e740
-  //    0x7ffff6cfb09b:      xor    rsi,0x451
-  //    0x7ffff6cfb0a2:      add    BYTE PTR [rsi+0x10000],0x1
-  //    0x7ffff6cfb0a9:      adc    BYTE PTR [rsi+0x10000],0x0
-  //    0x7ffff6cfb0b0:      pop    rsi
-  //    0x7ffff6cfb0b1:      popf
+  //    0x7ffff6cfb094:      xchg   QWORD PTR [rip+0x3136a5],rsi        #
+  //    0x7ffff700e740 0x7ffff6cfb09b:      xor    rsi,0x451 0x7ffff6cfb0a2: add
+  //    BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9:      adc    BYTE PTR
+  //    [rsi+0x10000],0x0 0x7ffff6cfb0b0:      pop    rsi 0x7ffff6cfb0b1: popf
  //    0x7ffff6cfb0b2:      lea    rsp,[rsp+0x80]

-
  uint8_t lea_rsp_rsp_sub_rz[5];
  uint8_t push_fq;
  uint8_t push_rsi;
@ -166,8 +163,17 @@ static void instrument_coverage_optimize_map_mmap(char *   shm_file_path,
  #else
  shm_fd = open("/dev/ashmem", O_RDWR);
  if (shm_fd == -1) { FATAL("open() failed\n"); }
-  if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); }
-  if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); }
+  if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) {
+
+    FATAL("ioctl(ASHMEM_SET_NAME) failed");
+
+  }
+
+  if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) {
+
+    FATAL("ioctl(ASHMEM_SET_SIZE) failed");
+
+  }

  #endif

--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@ -84,6 +84,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,
 }

 void instrument_coverage_optimize_init(void) {
+
 }

 void instrument_flush(GumStalkerOutput *output) {
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@ -135,6 +135,7 @@ static void afl_print_cmdline(void) {
    OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]);

  }
+
 #endif

 }
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@ -44,8 +44,8 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self,
      sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size;
  if (sizeof(gsize) + size > remaining) { return; }

-  gsize *dst_backpatch_size = (gsize *)
-      &prefetch_data->backpatch_data[prefetch_data->backpatch_size];
+  gsize *dst_backpatch_size =
+      (gsize *)&prefetch_data->backpatch_data[prefetch_data->backpatch_size];
  *dst_backpatch_size = size;
  prefetch_data->backpatch_size += sizeof(gsize);

--- a/frida_mode/src/seccomp/seccomp_callback.c
+++ b/frida_mode/src/seccomp/seccomp_callback.c
@ -22,6 +22,7 @@ static void seccomp_callback_filter(struct seccomp_notif *     req,
  #if UINTPTR_MAX == 0xffffffff
    seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]);
  #endif
+
  }

  seccomp_print(
@ -68,6 +69,7 @@ static void seccomp_callback_filter(struct seccomp_notif *     req,
    seccomp_print("\%3d. %s\n", i++, (char *)framep);

  }
+
  #endif

  resp->error = 0;
--- a/include/envs.h
+++ b/include/envs.h
@ -203,6 +203,7 @@ static char *afl_environment_variables[] = {
    "AFL_USE_MSAN",
    "AFL_USE_TRACE_PC",
    "AFL_USE_UBSAN",
+    "AFL_USE_TSAN",
    "AFL_USE_CFISAN",
    "AFL_USE_LSAN",
    "AFL_WINE_PATH",
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@ -1142,10 +1142,11 @@ bool ModuleSanitizerCoverage::instrumentModule(
    else {

      char modeline[100];
-      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
+      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
               getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
               getenv("AFL_USE_ASAN") ? ", ASAN" : "",
               getenv("AFL_USE_MSAN") ? ", MSAN" : "",
+               getenv("AFL_USE_TSAN") ? ", TSAN" : "",
               getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
               getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
      OKF("Instrumented %u locations (%u selects) without collisions (%llu "
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@ -547,10 +547,11 @@ bool ModuleSanitizerCoverage::instrumentModule(
    else {

      char modeline[100];
-      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
+      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
               getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
               getenv("AFL_USE_ASAN") ? ", ASAN" : "",
               getenv("AFL_USE_MSAN") ? ", MSAN" : "",
+               getenv("AFL_USE_TSAN") ? ", TSAN" : "",
               getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
               getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
      OKF("Instrumented %u locations with no collisions (%s mode) of which are "
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@ -956,11 +956,12 @@ bool AFLCoverage::runOnModule(Module &M) {
    else {

      char modeline[100];
-      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
+      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
               getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
               getenv("AFL_USE_ASAN") ? ", ASAN" : "",
               getenv("AFL_USE_MSAN") ? ", MSAN" : "",
               getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
+               getenv("AFL_USE_TSAN") ? ", TSAN" : "",
               getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
      OKF("Instrumented %d locations (%s mode, ratio %u%%).", inst_blocks,
          modeline, inst_ratio);
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@ -235,7 +235,12 @@ int strcmp(const char *str1, const char *str2) {

 int strncmp(const char *str1, const char *str2, size_t len) {

-  if (unlikely(!__libc_strncmp)) { __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); }
+  if (unlikely(!__libc_strncmp)) {
+
+    __libc_strncmp = dlsym(RTLD_NEXT, "strncmp");
+
+  }
+
  void *retaddr = __builtin_return_address(0);

  if (__compcov_is_in_bound(retaddr) &&
@ -265,7 +270,12 @@ int strncmp(const char *str1, const char *str2, size_t len) {

 int strcasecmp(const char *str1, const char *str2) {

-  if (unlikely(!__libc_strcasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); }
+  if (unlikely(!__libc_strcasecmp)) {
+
+    __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp");
+
+  }
+
  void *retaddr = __builtin_return_address(0);

  if (__compcov_is_in_bound(retaddr) &&
@ -296,7 +306,12 @@ int strcasecmp(const char *str1, const char *str2) {

 int strncasecmp(const char *str1, const char *str2, size_t len) {

-  if (unlikely(!__libc_strncasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); }
+  if (unlikely(!__libc_strncasecmp)) {
+
+    __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp");
+
+  }
+
  void *retaddr = __builtin_return_address(0);

  if (__compcov_is_in_bound(retaddr) &&
--- a/src/afl-as.c
+++ b/src/afl-as.c
@ -521,6 +521,7 @@ static void add_instrumentation(void) {
               getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
               getenv("AFL_USE_ASAN") ? ", ASAN" : "",
               getenv("AFL_USE_MSAN") ? ", MSAN" : "",
+               getenv("AFL_USE_TSAN") ? ", TSAN" : "",
               getenv("AFL_USE_UBSAN") ? ", UBSAN" : "",
               getenv("AFL_USE_LSAN") ? ", LSAN" : "");

--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@ -857,6 +857,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
    cc_params[cc_par_cnt++] = "-fsanitize=undefined";
    cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
    cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
+    cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer";
+
+  }
+
+  if (getenv("AFL_USE_TSAN")) {
+
+    cc_params[cc_par_cnt++] = "-fsanitize=thread";
+    cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer";

  }

@ -1814,6 +1822,7 @@ int main(int argc, char **argv, char **envp) {
          "  AFL_USE_CFISAN: activate control flow sanitizer\n"
          "  AFL_USE_MSAN: activate memory sanitizer\n"
          "  AFL_USE_UBSAN: activate undefined behaviour sanitizer\n"
+          "  AFL_USE_TSAN: activate thread sanitizer\n"
          "  AFL_USE_LSAN: activate leak-checker sanitizer\n");

      if (have_gcc_plugin)
--- a/utils/aflpp_driver/aflpp_qemu_driver.c
+++ b/utils/aflpp_driver/aflpp_qemu_driver.c
@ -22,7 +22,7 @@ int main(int argc, char **argv) {
  if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
  // Do any other expensive one-time initialization here.

-  if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) {
+  if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) {

    afl_qemu_driver_stdin_input();