ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-18 20:48:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

ret addr patching

Browse Source
This commit is contained in:
Andrea Fioraldi
2019-09-12 16:57:17 +02:00
parent 95b641198e
commit 75d2881302
5 changed files with 37 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
include/alloc-inl.h
View File

@ -106,44 +106,20 @@
\
} while (0)
/*
#define CHECK_PTR(_p) do { \
\
\
\
\
\
/* #define CHECK_PTR(_p) do { \
if (_p) { \
\
\
\
\
\
if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
\
\
\
\
\
if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
ABORT("Use after free."); \
else ABORT("Corrupted head alloc canary."); \
\
} \
\
\
\
\
if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
ABORT("Corrupted tail alloc canary."); \
\
} \
\
\
\
\
\
\
} while (0)
*/

BIN
qemu_mode/libcompcov/compcovtest Executable file
View File

Binary file not shown.

1
qemu_mode/patches/afl-qemu-common.h
View File

@ -57,6 +57,7 @@ extern abi_ulong afl_persistent_ret_addr;
extern u8 afl_compcov_level;
extern unsigned char afl_fork_child;
extern unsigned char is_persistent;
extern target_long persistent_stack_offset;
extern __thread abi_ulong afl_prev_loc;

9
qemu_mode/patches/afl-qemu-cpu-inl.h
View File

@ -86,6 +86,7 @@ static int forkserver_installed = 0;
unsigned char afl_fork_child;
unsigned int afl_forksrv_pid;
unsigned char is_persistent;
target_long persistent_stack_offset;
/* Instrumentation ratio: */
@ -200,9 +201,10 @@ static void afl_setup(void) {
if (is_persistent) {
afl_persistent_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_ADDR"), NULL, 16);
if (getenv("AFL_QEMU_PERSISTENT_RET") == NULL) exit(1);
afl_persistent_ret_addr =
strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16);
if (getenv("AFL_QEMU_PERSISTENT_RET"))
afl_persistent_ret_addr =
strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16);
/* If AFL_QEMU_PERSISTENT_RET is not specified patch the return addr */
}
@ -345,6 +347,7 @@ void afl_persistent_loop() {
cycle_cnt = afl_persistent_cnt;
first_pass = 0;
persistent_stack_offset = TARGET_LONG_BITS / 8;
return;

39
qemu_mode/patches/afl-qemu-cpu-translate-inl.h
View File

@ -128,19 +128,30 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
}
#define AFL_QEMU_TARGET_i386_SNIPPET \
if (is_persistent) { \
\
if (s->pc == afl_persistent_addr) { \
\
tcg_gen_afl_call0(&afl_persistent_loop); \
\
} else if (s->pc == afl_persistent_ret_addr) { \
\
gen_jmp_im(s, afl_persistent_addr); \
gen_eob(s); \
\
} \
\
#define AFL_QEMU_TARGET_i386_SNIPPET \
if (is_persistent) { \
\
if (s->pc == afl_persistent_addr) { \
\
if (afl_persistent_ret_addr == 0) { \
\
TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \
TCGv stack_off = tcg_temp_new(); \
tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); \
tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); \
tcg_temp_free(stack_off); \
\
} \
TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0); \
tcg_gen_afl_call0(&afl_persistent_loop); \
\
} else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \
\
gen_jmp_im(s, afl_persistent_addr); \
gen_eob(s); \
\
} \
\
}