ret addr patching

This commit is contained in:
Andrea Fioraldi
2019-09-12 16:57:17 +02:00
parent 95b641198e
commit 75d2881302
5 changed files with 37 additions and 46 deletions


@ -106,44 +106,20 @@
\ \
} while (0) } while (0)
/* /* #define CHECK_PTR(_p) do { \
#define CHECK_PTR(_p) do { \
\
\
\
\
\
if (_p) { \ if (_p) { \
\
\
\
\
\
if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
\
\
\
\
\
if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
ABORT("Use after free."); \ ABORT("Use after free."); \
else ABORT("Corrupted head alloc canary."); \ else ABORT("Corrupted head alloc canary."); \
\
} \ } \
\
\
\
\
if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
ABORT("Corrupted tail alloc canary."); \ ABORT("Corrupted tail alloc canary."); \
\
} \ } \
\
\
\
\
\
\
} while (0) } while (0)
*/ */

qemu_mode/libcompcov/compcovtest Executable file



@ -57,6 +57,7 @@ extern abi_ulong afl_persistent_ret_addr;
extern u8 afl_compcov_level; extern u8 afl_compcov_level;
extern unsigned char afl_fork_child; extern unsigned char afl_fork_child;
extern unsigned char is_persistent; extern unsigned char is_persistent;
extern target_long persistent_stack_offset;
extern __thread abi_ulong afl_prev_loc; extern __thread abi_ulong afl_prev_loc;


@ -86,6 +86,7 @@ static int forkserver_installed = 0;
unsigned char afl_fork_child; unsigned char afl_fork_child;
unsigned int afl_forksrv_pid; unsigned int afl_forksrv_pid;
unsigned char is_persistent; unsigned char is_persistent;
target_long persistent_stack_offset;
/* Instrumentation ratio: */ /* Instrumentation ratio: */
@ -200,9 +201,10 @@ static void afl_setup(void) {
if (is_persistent) { if (is_persistent) {
afl_persistent_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_ADDR"), NULL, 16); afl_persistent_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_ADDR"), NULL, 16);
if (getenv("AFL_QEMU_PERSISTENT_RET") == NULL) exit(1); if (getenv("AFL_QEMU_PERSISTENT_RET"))
afl_persistent_ret_addr = afl_persistent_ret_addr =
strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16); strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16);
/* If AFL_QEMU_PERSISTENT_RET is not specified patch the return addr */
} }
@ -345,6 +347,7 @@ void afl_persistent_loop() {
cycle_cnt = afl_persistent_cnt; cycle_cnt = afl_persistent_cnt;
first_pass = 0; first_pass = 0;
persistent_stack_offset = TARGET_LONG_BITS / 8;
return; return;
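Review bot: In the afl_setup hunk the rewritten `if (getenv("AFL_QEMU_PERSISTENT_RET"))` branch still parses with `strtoll(..., NULL, 16)`, so a malformed or empty value silently becomes 0, and 0 is exactly the sentinel the translate-side snippet now uses to mean "no return address given, patch the stack instead"; a typo in the variable therefore changes the persistent-mode mechanism rather than failing loudly as the old `exit(1)` did. Parse with an end pointer and reject leftovers: `char *end = NULL; afl_persistent_ret_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), &end, 16); if (!end || *end) exit(1);`, and brace the two-line body so the intent survives later edits. The unchecked `getenv("AFL_QEMU_PERSISTENT_ADDR")` on the context line above has the same NULL-to-strtoll hazard but predates this commit. afl_setup and afl_persistent_loop both start outside their hunks; the `persistent_stack_offset = TARGET_LONG_BITS / 8;` assignment in the second hunk would read better with a comment stating it is the size of the return slot that `ret` popped and that the snippet must re-reserve on re-entry, which appears to be its purpose.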


@ -128,19 +128,30 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
} }
#define AFL_QEMU_TARGET_i386_SNIPPET \ #define AFL_QEMU_TARGET_i386_SNIPPET \
if (is_persistent) { \ if (is_persistent) { \
\ \
if (s->pc == afl_persistent_addr) { \ if (s->pc == afl_persistent_addr) { \
\ \
tcg_gen_afl_call0(&afl_persistent_loop); \ if (afl_persistent_ret_addr == 0) { \
\ \
} else if (s->pc == afl_persistent_ret_addr) { \ TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \
\ TCGv stack_off = tcg_temp_new(); \
gen_jmp_im(s, afl_persistent_addr); \ tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); \
gen_eob(s); \ tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); \
\ tcg_temp_free(stack_off); \
} \ \
\ } \
TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0); \
tcg_gen_afl_call0(&afl_persistent_loop); \
\
} else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \
\
gen_jmp_im(s, afl_persistent_addr); \
gen_eob(s); \
\
} \
\
} }
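Review bot: The new snippet allocates `stack_off_ptr` with `tcg_const_ptr` and `paddr` with `tcg_const_ptr` but frees only `stack_off`; both constants appear to be leaked TCG temporaries, which QEMU debug builds report per translated block. Add `tcg_temp_free_ptr(stack_off_ptr);` right after the `tcg_gen_ld_tl`, and free `paddr` after the `tcg_gen_st_tl`. Passing a `TCGv_ptr` as the value operand of `tcg_gen_st_tl` also looks like a type mismatch on targets where the pointer width differs from `target_long` — `TCGv paddr = tcg_const_tl(afl_persistent_addr);` with `tcg_temp_free(paddr);` is presumably the intended form; please confirm against the i386 target's `TCGv` definition. A short comment above the `afl_persistent_ret_addr == 0` branch saying that on re-entry via `ret` the return slot was popped and `persistent_stack_offset` re-reserves it before the slot is overwritten with `afl_persistent_addr` would make the stack arithmetic reviewable without reading afl_persistent_loop.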