ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 18:18:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

add more string functions for dictionary features

Browse Source
This commit is contained in:
vanhauser-thc
2021-07-30 08:33:18 +02:00
parent bcdb69289f
commit c3fbf5dca3
6 changed files with 150 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/Changelog.md
View File

@ -16,6 +16,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- added afl-persistent-config script to set perform permanent system - added afl-persistent-config script to set perform permanent system
configuration settings for fuzzing, for Linux and Macos. configuration settings for fuzzing, for Linux and Macos.
thanks to jhertz! thanks to jhertz!
- added xml, curl and exotic string functions to llvm dictionary features
- removed utils/afl_frida because frida_mode/ is now so much better - removed utils/afl_frida because frida_mode/ is now so much better

39
instrumentation/SanitizerCoverageLTO.so.cc
View File

@ -626,12 +626,41 @@ bool ModuleSanitizerCoverage::instrumentModule(
if (!Callee) continue; if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
std::string FuncName = Callee->getName().str(); std::string FuncName = Callee->getName().str();
isStrcmp &= !FuncName.compare("strcmp");
isStrcmp &= (!FuncName.compare("strcmp") ||
!FuncName.compare("xmlStrcmp") ||
!FuncName.compare("xmlStrEqual") ||
!FuncName.compare("g_strcmp0") ||
!FuncName.compare("curl_strequal") ||
!FuncName.compare("strcsequal"));
isMemcmp &= isMemcmp &=
(!FuncName.compare("memcmp") || !FuncName.compare("bcmp")); (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
isStrncmp &= !FuncName.compare("strncmp"); !FuncName.compare("CRYPTO_memcmp") ||
isStrcasecmp &= !FuncName.compare("strcasecmp"); !FuncName.compare("OPENSSL_memcmp") ||
isStrncasecmp &= !FuncName.compare("strncasecmp"); !FuncName.compare("memcmp_const_time") ||
!FuncName.compare("memcmpct"));
isStrncmp &= (!FuncName.compare("strncmp") ||
!FuncName.compare("xmlStrncmp") ||
!FuncName.compare("curl_strnequal"));
isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
!FuncName.compare("stricmp") ||
!FuncName.compare("ap_cstr_casecmp") ||
!FuncName.compare("OPENSSL_strcasecmp") ||
!FuncName.compare("xmlStrcasecmp") ||
!FuncName.compare("g_strcasecmp") ||
!FuncName.compare("g_ascii_strcasecmp") ||
!FuncName.compare("Curl_strcasecompare") ||
!FuncName.compare("Curl_safe_strcasecompare") ||
!FuncName.compare("cmsstrcasecmp"));
isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
!FuncName.compare("strnicmp") ||
!FuncName.compare("ap_cstr_casecmpn") ||
!FuncName.compare("OPENSSL_strncasecmp") ||
!FuncName.compare("xmlStrncasecmp") ||
!FuncName.compare("g_ascii_strncasecmp") ||
!FuncName.compare("Curl_strncasecompare") ||
!FuncName.compare("g_strncasecmp"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
isStdString &= isStdString &=
((FuncName.find("basic_string") != std::string::npos && ((FuncName.find("basic_string") != std::string::npos &&

55
instrumentation/afl-llvm-dict2file.so.cc
View File

@ -288,6 +288,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
bool isStrncasecmp = true; bool isStrncasecmp = true;
bool isIntMemcpy = true; bool isIntMemcpy = true;
bool isStdString = true; bool isStdString = true;
bool isStrstr = true;
bool addedNull = false; bool addedNull = false;
size_t optLen = 0; size_t optLen = 0;
@ -295,12 +296,46 @@ bool AFLdict2filePass::runOnModule(Module &M) {
if (!Callee) continue; if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
std::string FuncName = Callee->getName().str(); std::string FuncName = Callee->getName().str();
isStrcmp &= !FuncName.compare("strcmp"); isStrcmp &=
(!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") ||
!FuncName.compare("xmlStrEqual") ||
!FuncName.compare("g_strcmp0") ||
!FuncName.compare("curl_strequal") ||
!FuncName.compare("strcsequal"));
isMemcmp &= isMemcmp &=
(!FuncName.compare("memcmp") || !FuncName.compare("bcmp")); (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
isStrncmp &= !FuncName.compare("strncmp"); !FuncName.compare("CRYPTO_memcmp") ||
isStrcasecmp &= !FuncName.compare("strcasecmp"); !FuncName.compare("OPENSSL_memcmp") ||
isStrncasecmp &= !FuncName.compare("strncasecmp"); !FuncName.compare("memcmp_const_time") ||
!FuncName.compare("memcmpct"));
isStrncmp &= (!FuncName.compare("strncmp") ||
!FuncName.compare("xmlStrncmp") ||
!FuncName.compare("curl_strnequal"));
isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
!FuncName.compare("stricmp") ||
!FuncName.compare("ap_cstr_casecmp") ||
!FuncName.compare("OPENSSL_strcasecmp") ||
!FuncName.compare("xmlStrcasecmp") ||
!FuncName.compare("g_strcasecmp") ||
!FuncName.compare("g_ascii_strcasecmp") ||
!FuncName.compare("Curl_strcasecompare") ||
!FuncName.compare("Curl_safe_strcasecompare") ||
!FuncName.compare("cmsstrcasecmp"));
isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
!FuncName.compare("strnicmp") ||
!FuncName.compare("ap_cstr_casecmpn") ||
!FuncName.compare("OPENSSL_strncasecmp") ||
!FuncName.compare("xmlStrncasecmp") ||
!FuncName.compare("g_ascii_strncasecmp") ||
!FuncName.compare("Curl_strncasecompare") ||
!FuncName.compare("g_strncasecmp"));
isStrstr &= (!FuncName.compare("strstr") ||
!FuncName.compare("g_strstr_len") ||
!FuncName.compare("ap_strcasestr") ||
!FuncName.compare("xmlStrstr") ||
!FuncName.compare("xmlStrcasestr") ||
!FuncName.compare("g_str_has_prefix") ||
!FuncName.compare("g_str_has_suffix"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
isStdString &= ((FuncName.find("basic_string") != std::string::npos && isStdString &= ((FuncName.find("basic_string") != std::string::npos &&
FuncName.find("compare") != std::string::npos) || FuncName.find("compare") != std::string::npos) ||
@ -308,13 +343,17 @@ bool AFLdict2filePass::runOnModule(Module &M) {
FuncName.find("find") != std::string::npos)); FuncName.find("find") != std::string::npos));
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&
!isStrncasecmp && !isIntMemcpy && !isStdString) !isStrncasecmp && !isIntMemcpy && !isStdString && !isStrstr)
continue; continue;
/* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp function /* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp function
* prototype */ * prototype */
FunctionType *FT = Callee->getFunctionType(); FunctionType *FT = Callee->getFunctionType();
isStrstr &=
FT->getNumParams() == 2 &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
isStrcmp &= isStrcmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) && FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) && FT->getParamType(0) == FT->getParamType(1) &&
@ -345,7 +384,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
FT->getParamType(1)->isPointerTy(); FT->getParamType(1)->isPointerTy();
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&
!isStrncasecmp && !isIntMemcpy && !isStdString) !isStrncasecmp && !isIntMemcpy && !isStdString && !isStrstr)
continue; continue;
/* is a str{n,}{case,}cmp/memcmp, check if we have /* is a str{n,}{case,}cmp/memcmp, check if we have
@ -359,7 +398,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
bool HasStr1; bool HasStr1;
getConstantStringInfo(Str1P, TmpStr); getConstantStringInfo(Str1P, TmpStr);
if (TmpStr.empty()) { if (isStrstr || TmpStr.empty()) {
HasStr1 = false; HasStr1 = false;

38
instrumentation/afl-llvm-lto-instrumentation.so.cc
View File

@ -393,12 +393,40 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (!Callee) continue; if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
std::string FuncName = Callee->getName().str(); std::string FuncName = Callee->getName().str();
isStrcmp &= !FuncName.compare("strcmp");
isStrcmp &= (!FuncName.compare("strcmp") ||
!FuncName.compare("xmlStrcmp") ||
!FuncName.compare("xmlStrEqual") ||
!FuncName.compare("g_strcmp0") ||
!FuncName.compare("curl_strequal") ||
!FuncName.compare("strcsequal"));
isMemcmp &= isMemcmp &=
(!FuncName.compare("memcmp") || !FuncName.compare("bcmp")); (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
isStrncmp &= !FuncName.compare("strncmp"); !FuncName.compare("CRYPTO_memcmp") ||
isStrcasecmp &= !FuncName.compare("strcasecmp"); !FuncName.compare("OPENSSL_memcmp") ||
isStrncasecmp &= !FuncName.compare("strncasecmp"); !FuncName.compare("memcmp_const_time") ||
!FuncName.compare("memcmpct"));
isStrncmp &= (!FuncName.compare("strncmp") ||
!FuncName.compare("xmlStrncmp") ||
!FuncName.compare("curl_strnequal"));
isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
!FuncName.compare("stricmp") ||
!FuncName.compare("ap_cstr_casecmp") ||
!FuncName.compare("OPENSSL_strcasecmp") ||
!FuncName.compare("xmlStrcasecmp") ||
!FuncName.compare("g_strcasecmp") ||
!FuncName.compare("g_ascii_strcasecmp") ||
!FuncName.compare("Curl_strcasecompare") ||
!FuncName.compare("Curl_safe_strcasecompare") ||
!FuncName.compare("cmsstrcasecmp"));
isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
!FuncName.compare("strnicmp") ||
!FuncName.compare("ap_cstr_casecmpn") ||
!FuncName.compare("OPENSSL_strncasecmp") ||
!FuncName.compare("xmlStrncasecmp") ||
!FuncName.compare("g_ascii_strncasecmp") ||
!FuncName.compare("Curl_strncasecompare") ||
!FuncName.compare("g_strncasecmp"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
isStdString &= isStdString &=
((FuncName.find("basic_string") != std::string::npos && ((FuncName.find("basic_string") != std::string::npos &&

39
instrumentation/compare-transform-pass.so.cc
View File

@ -151,12 +151,39 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
if (!Callee) continue; if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
StringRef FuncName = Callee->getName(); StringRef FuncName = Callee->getName();
isStrcmp &= !FuncName.compare(StringRef("strcmp")); isStrcmp &=
isMemcmp &= (!FuncName.compare(StringRef("memcmp")) || (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") ||
!FuncName.compare(StringRef("bcmp"))); !FuncName.compare("xmlStrEqual") ||
isStrncmp &= !FuncName.compare(StringRef("strncmp")); !FuncName.compare("g_strcmp0") ||
isStrcasecmp &= !FuncName.compare(StringRef("strcasecmp")); !FuncName.compare("curl_strequal") ||
isStrncasecmp &= !FuncName.compare(StringRef("strncasecmp")); !FuncName.compare("strcsequal"));
isMemcmp &=
(!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
!FuncName.compare("CRYPTO_memcmp") ||
!FuncName.compare("OPENSSL_memcmp") ||
!FuncName.compare("memcmp_const_time") ||
!FuncName.compare("memcmpct"));
isStrncmp &= (!FuncName.compare("strncmp") ||
!FuncName.compare("xmlStrncmp") ||
!FuncName.compare("curl_strnequal"));
isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
!FuncName.compare("stricmp") ||
!FuncName.compare("ap_cstr_casecmp") ||
!FuncName.compare("OPENSSL_strcasecmp") ||
!FuncName.compare("xmlStrcasecmp") ||
!FuncName.compare("g_strcasecmp") ||
!FuncName.compare("g_ascii_strcasecmp") ||
!FuncName.compare("Curl_strcasecompare") ||
!FuncName.compare("Curl_safe_strcasecompare") ||
!FuncName.compare("cmsstrcasecmp"));
isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
!FuncName.compare("strnicmp") ||
!FuncName.compare("ap_cstr_casecmpn") ||
!FuncName.compare("OPENSSL_strncasecmp") ||
!FuncName.compare("xmlStrncasecmp") ||
!FuncName.compare("g_ascii_strncasecmp") ||
!FuncName.compare("Curl_strncasecompare") ||
!FuncName.compare("g_strncasecmp"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&

2
test/test-compcov.c
View File

@ -29,6 +29,8 @@ int main(int argc, char **argv) {
printf("your string was APRI\n"); printf("your string was APRI\n");
else if (strcasecmp(input, "Kiwi") == 0) else if (strcasecmp(input, "Kiwi") == 0)
printf("your string was Kiwi\n"); printf("your string was Kiwi\n");
else if (strstr(input, "tsala") == 0)
printf("your string is a fruit salad\n");
else if (strncasecmp(input, "avocado", 9) == 0) else if (strncasecmp(input, "avocado", 9) == 0)
printf("your string was avocado\n"); printf("your string was avocado\n");
else if (strncasecmp(input, "Grapes", argc > 2 ? atoi(argv[2]) : 3) == 0) else if (strncasecmp(input, "Grapes", argc > 2 ? atoi(argv[2]) : 3) == 0)