fix PCGUARD, build aflpp_driver with fPIC

docs/Changelog.md

@@ -32,10 +32,13 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
       afl++ ignores these and uses them for splicing instead.
   - afl-cc:
     - We do not support llvm versions prior 6.0 anymore
+    - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
     - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
     - Removed InsTrim instrumentation as it is not as good as PCGUARD
     - Removed automatic linking with -lc++ for LTO mode
-  - utils/aflpp_driver/aflpp_qemu_driver_hook fixed to work with qemu mode
+  - utils/aflpp_driver:
+    - aflpp_qemu_driver_hook fixed to work with qemu_mode
+    - aflpp_driver now compiled with -fPIC
   - add -d (add dead fuzzer stats) to afl-whatsup
 
 ### Version ++3.12c (release)

instrumentation/SanitizerCoverageLTO.so.cc

@@ -60,15 +60,14 @@ using namespace llvm;
 
 #define DEBUG_TYPE "sancov"
 
-static const char *const SanCovTracePCIndirName =
+const char SanCovTracePCIndirName[] = "__sanitizer_cov_trace_pc_indir";
-    "__sanitizer_cov_trace_pc_indir";
+const char SanCovTracePCName[] = "__sanitizer_cov_trace_pc";
-static const char *const SanCovTracePCName = "__sanitizer_cov_trace_pc";
+// const char SanCovTracePCGuardName =
-// static const char *const SanCovTracePCGuardName =
 //    "__sanitizer_cov_trace_pc_guard";
-static const char *const SanCovGuardsSectionName = "sancov_guards";
+const char SanCovGuardsSectionName[] = "sancov_guards";
-static const char *const SanCovCountersSectionName = "sancov_cntrs";
+const char SanCovCountersSectionName[] = "sancov_cntrs";
-static const char *const SanCovBoolFlagSectionName = "sancov_bools";
+const char SanCovBoolFlagSectionName[] = "sancov_bools";
-static const char *const SanCovPCsSectionName = "sancov_pcs";
+const char SanCovPCsSectionName[] = "sancov_pcs";
 
 static cl::opt<int> ClCoverageLevel(
     "lto-coverage-level",

instrumentation/SanitizerCoveragePCGUARD.so.cc

@@ -52,49 +52,39 @@ using namespace llvm;
 
 #define DEBUG_TYPE "sancov"
 
-static const char *const SanCovTracePCIndirName =
+const char SanCovTracePCIndirName[] = "__sanitizer_cov_trace_pc_indir";
-    "__sanitizer_cov_trace_pc_indir";
+const char SanCovTracePCName[] = "__sanitizer_cov_trace_pc";
-static const char *const SanCovTracePCName = "__sanitizer_cov_trace_pc";
+const char SanCovTraceCmp1[] = "__sanitizer_cov_trace_cmp1";
-static const char *const SanCovTraceCmp1 = "__sanitizer_cov_trace_cmp1";
+const char SanCovTraceCmp2[] = "__sanitizer_cov_trace_cmp2";
-static const char *const SanCovTraceCmp2 = "__sanitizer_cov_trace_cmp2";
+const char SanCovTraceCmp4[] = "__sanitizer_cov_trace_cmp4";
-static const char *const SanCovTraceCmp4 = "__sanitizer_cov_trace_cmp4";
+const char SanCovTraceCmp8[] = "__sanitizer_cov_trace_cmp8";
-static const char *const SanCovTraceCmp8 = "__sanitizer_cov_trace_cmp8";
+const char SanCovTraceConstCmp1[] = "__sanitizer_cov_trace_const_cmp1";
-static const char *const SanCovTraceConstCmp1 =
+const char SanCovTraceConstCmp2[] = "__sanitizer_cov_trace_const_cmp2";
-    "__sanitizer_cov_trace_const_cmp1";
+const char SanCovTraceConstCmp4[] = "__sanitizer_cov_trace_const_cmp4";
-static const char *const SanCovTraceConstCmp2 =
+const char SanCovTraceConstCmp8[] = "__sanitizer_cov_trace_const_cmp8";
-    "__sanitizer_cov_trace_const_cmp2";
+const char SanCovTraceDiv4[] = "__sanitizer_cov_trace_div4";
-static const char *const SanCovTraceConstCmp4 =
+const char SanCovTraceDiv8[] = "__sanitizer_cov_trace_div8";
-    "__sanitizer_cov_trace_const_cmp4";
+const char SanCovTraceGep[] = "__sanitizer_cov_trace_gep";
-static const char *const SanCovTraceConstCmp8 =
+const char SanCovTraceSwitchName[] = "__sanitizer_cov_trace_switch";
-    "__sanitizer_cov_trace_const_cmp8";
+const char SanCovModuleCtorTracePcGuardName[] =
-static const char *const SanCovTraceDiv4 = "__sanitizer_cov_trace_div4";
-static const char *const SanCovTraceDiv8 = "__sanitizer_cov_trace_div8";
-static const char *const SanCovTraceGep = "__sanitizer_cov_trace_gep";
-static const char *const SanCovTraceSwitchName = "__sanitizer_cov_trace_switch";
-static const char *const SanCovModuleCtorTracePcGuardName =
     "sancov.module_ctor_trace_pc_guard";
-static const char *const SanCovModuleCtor8bitCountersName =
+const char SanCovModuleCtor8bitCountersName[] =
     "sancov.module_ctor_8bit_counters";
-static const char *const SanCovModuleCtorBoolFlagName =
+const char SanCovModuleCtorBoolFlagName[] = "sancov.module_ctor_bool_flag";
-    "sancov.module_ctor_bool_flag";
 static const uint64_t SanCtorAndDtorPriority = 2;
 
-static const char *const SanCovTracePCGuardName =
+const char SanCovTracePCGuardName[] = "__sanitizer_cov_trace_pc_guard";
-    "__sanitizer_cov_trace_pc_guard";
+const char SanCovTracePCGuardInitName[] = "__sanitizer_cov_trace_pc_guard_init";
-static const char *const SanCovTracePCGuardInitName =
+const char SanCov8bitCountersInitName[] = "__sanitizer_cov_8bit_counters_init";
-    "__sanitizer_cov_trace_pc_guard_init";
+const char SanCovBoolFlagInitName[] = "__sanitizer_cov_bool_flag_init";
-static const char *const SanCov8bitCountersInitName =
+const char SanCovPCsInitName[] = "__sanitizer_cov_pcs_init";
-    "__sanitizer_cov_8bit_counters_init";
-static const char *const SanCovBoolFlagInitName =
-    "__sanitizer_cov_bool_flag_init";
-static const char *const SanCovPCsInitName = "__sanitizer_cov_pcs_init";
 
-static const char *const SanCovGuardsSectionName = "sancov_guards";
+const char SanCovGuardsSectionName[] = "sancov_guards";
-static const char *const SanCovCountersSectionName = "sancov_cntrs";
+const char SanCovCountersSectionName[] = "sancov_cntrs";
-static const char *const SanCovBoolFlagSectionName = "sancov_bools";
+const char SanCovBoolFlagSectionName[] = "sancov_bools";
-static const char *const SanCovPCsSectionName = "sancov_pcs";
+const char SanCovPCsSectionName[] = "sancov_pcs";
 
-static const char *const SanCovLowestStackName = "__sancov_lowest_stack";
+const char SanCovLowestStackName[] = "__sancov_lowest_stack";
 
 static char *skip_nozero;
 
@@ -320,12 +310,12 @@ std::pair<Value *, Value *> ModuleSanitizerCoverage::CreateSecStartEnd(
     Module &M, const char *Section, Type *Ty) {
 
   GlobalVariable *SecStart = new GlobalVariable(
-      M, Ty->getPointerElementType(), false, GlobalVariable::ExternalLinkage,
+      M, Ty->getPointerElementType(), false,
-      nullptr, getSectionStart(Section));
+      GlobalVariable::ExternalWeakLinkage, nullptr, getSectionStart(Section));
   SecStart->setVisibility(GlobalValue::HiddenVisibility);
   GlobalVariable *SecEnd = new GlobalVariable(
-      M, Ty->getPointerElementType(), false, GlobalVariable::ExternalLinkage,
+      M, Ty->getPointerElementType(), false,
-      nullptr, getSectionEnd(Section));
+      GlobalVariable::ExternalWeakLinkage, nullptr, getSectionEnd(Section));
   SecEnd->setVisibility(GlobalValue::HiddenVisibility);
   IRBuilder<> IRB(M.getContext());
   if (!TargetTriple.isOSBinFormatCOFF())
@@ -573,7 +563,7 @@ bool ModuleSanitizerCoverage::instrumentModule(
 }
 
 // True if block has successors and it dominates all of them.
-static bool isFullDominator(const BasicBlock *BB, const DominatorTree *DT) {
+bool isFullDominator(const BasicBlock *BB, const DominatorTree *DT) {
 
   if (succ_begin(BB) == succ_end(BB)) return false;
 
@@ -588,8 +578,7 @@ static bool isFullDominator(const BasicBlock *BB, const DominatorTree *DT) {
 }
 
 // True if block has predecessors and it postdominates all of them.
-static bool isFullPostDominator(const BasicBlock *       BB,
+bool isFullPostDominator(const BasicBlock *BB, const PostDominatorTree *PDT) {
-                                const PostDominatorTree *PDT) {
 
   if (pred_begin(BB) == pred_end(BB)) return false;
 
@@ -603,7 +592,7 @@ static bool isFullPostDominator(const BasicBlock *       BB,
 
 }
 
-static bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
+bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
                            const DominatorTree *           DT,
                            const PostDominatorTree *       PDT,
                            const SanitizerCoverageOptions &Options) {
@@ -636,8 +625,7 @@ static bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
 // A twist here is that we treat From->To as a backedge if
 //   * To dominates From or
 //   * To->UniqueSuccessor dominates From
-static bool IsBackEdge(BasicBlock *From, BasicBlock *To,
+bool IsBackEdge(BasicBlock *From, BasicBlock *To, const DominatorTree *DT) {
-                       const DominatorTree *DT) {
 
   if (DT->dominates(To, From)) return true;
   if (auto Next = To->getUniqueSuccessor())
@@ -651,7 +639,7 @@ static bool IsBackEdge(BasicBlock *From, BasicBlock *To,
 //
 // Note that Cmp pruning is controlled by the same flag as the
 // BB pruning.
-static bool IsInterestingCmp(ICmpInst *CMP, const DominatorTree *DT,
+bool IsInterestingCmp(ICmpInst *CMP, const DominatorTree *DT,
                       const SanitizerCoverageOptions &Options) {
 
   if (!Options.NoPrune)
@@ -1046,7 +1034,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
 
   if (IsEntryBB) {
 
-    // Keep static allocas and llvm.localescape calls in the entry block.  Even
+    // Keep allocas and llvm.localescape calls in the entry block.  Even
     // if we aren't splitting the block, it's nice for allocas to be before
     // calls.
     IP = PrepareToSplitEntryBlock(BB, IP);
@@ -1221,7 +1209,7 @@ ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
 
 }
 
-static void registerPCGUARDPass(const PassManagerBuilder &,
+void registerPCGUARDPass(const PassManagerBuilder &,
                          legacy::PassManagerBase &PM) {
 
   auto p = new ModuleSanitizerCoverageLegacyPass();
@@ -1229,9 +1217,9 @@ static void registerPCGUARDPass(const PassManagerBuilder &,
 
 }
 
-static RegisterStandardPasses RegisterCompTransPass(
+RegisterStandardPasses RegisterCompTransPass(
     PassManagerBuilder::EP_OptimizerLast, registerPCGUARDPass);
 
-static RegisterStandardPasses RegisterCompTransPass0(
+RegisterStandardPasses RegisterCompTransPass0(
     PassManagerBuilder::EP_EnabledOnOptLevel0, registerPCGUARDPass);
 

utils/afl_proxy/afl-proxy.c

@@ -70,12 +70,18 @@ static void __afl_map_shm(void) {
   char *id_str = getenv(SHM_ENV_VAR);
   char *ptr;
 
+
+  /* NOTE TODO BUG FIXME: if you want to supply a variable sized map then
+     uncomment the following: */
+
+  /*
   if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) {
 
     u32 val = atoi(ptr);
     if (val > 0) __afl_map_size = val;
 
   }
+  */
 
   if (__afl_map_size > MAP_SIZE) {
 

utils/aflpp_driver/GNUmakefile

@@ -7,7 +7,7 @@ ifneq "" "$(LLVM_BINDIR)"
   LLVM_BINDIR := $(LLVM_BINDIR)/
 endif
 
-CFLAGS := -O3 -funroll-loops -g
+CFLAGS := -O3 -funroll-loops -g -fPIC
 
 all:	libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so
 
@@ -36,7 +36,7 @@ aflpp_qemu_driver_hook.so:	aflpp_qemu_driver_hook.o
 	-$(LLVM_BINDIR)clang -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so
 
 aflpp_qemu_driver_hook.o:	aflpp_qemu_driver_hook.c
-	-$(LLVM_BINDIR)clang -fPIC $(CFLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c
+	-$(LLVM_BINDIR)clang $(CFLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c
 
 test:	debug
 	#clang -S -emit-llvm -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -funroll-loops -o aflpp_driver_test.ll aflpp_driver_test.c