libradamsa dlopen

2025-06-08 16:21:32 +00:00 · 2019-11-11 14:32:50 +01:00 · 2019-11-11 14:32:50 +01:00 · cd84339bcc
commit cd84339bcc
parent 66791a5dad
6 changed files with 86 additions and 18 deletions
--- a/17
+++ b/17
@ -34,7 +34,7 @@ MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)

 CFLAGS     ?= -O3 -funroll-loops
 CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-	      -I include/ -I src/third_party/libradamsa/ \
+	      -I include/ \
 	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
 	      -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function

@ -184,11 +184,14 @@ src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
 src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
 	$(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o

-src/third_party/libradamsa/libradamsa.a : src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
+radamsa: src/third_party/libradamsa/libradamsa.so
+	cp src/third_party/libradamsa/libradamsa.so .
+
+src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
 	$(MAKE) -C src/third_party/libradamsa/

-afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
+afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)

 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
@ -204,8 +207,8 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86


 # document all mutations and only do one run (use with only one input file!)
-document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)


 code-format:
@ -253,7 +256,7 @@ all_done: test_build
 .NOTPARALLEL: clean

 clean:
-	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
+	rm -f $(PROGS) libradamsa.so afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
 	rm -rf out_dir qemu_mode/qemu-3.1.1 unicorn_mode/unicorn *.dSYM */*.dSYM
 	-$(MAKE) -C llvm_mode clean
 	$(MAKE) -C libdislocator clean
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -286,6 +286,7 @@ extern u8 schedule;                     /* Power schedule (default: EXPLORE)*/
 extern u8 havoc_max_mult;

 extern u8 use_radamsa;
+extern size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);

 extern u8 skip_deterministic,           /* Skip deterministic stages?       */
    force_deterministic,                /* Force deterministic stages?      */
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@ -96,6 +96,7 @@ u8 schedule = EXPLORE;                  /* Power schedule (default: EXPLORE)*/
 u8 havoc_max_mult = HAVOC_MAX_MULT;

 u8 use_radamsa;
+size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);

 u8 skip_deterministic,                  /* Skip deterministic stages?       */
    force_deterministic,                /* Force deterministic stages?      */
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@ -24,9 +24,6 @@
 */

 #include "afl-fuzz.h"
-#include "radamsa.h"
-
-#define RADAMSA_CHANCE 24

 /* MOpt */

@ -2285,7 +2282,7 @@ retry_splicing:

 radamsa_stage:

-  if (!use_radamsa)
+  if (!use_radamsa || !radamsa_mutate_ptr)
    goto abandon_entry;
  
  stage_name = "radamsa";
@ -2305,7 +2302,7 @@ radamsa_stage:
  u8 *tmp_buf;

  for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
-  u32 new_len = radamsa_mutate(save_buf, len, new_buf, max_len, get_rand_seed());
+  u32 new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed());

    if (new_len) {
     
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -24,7 +24,58 @@
 */

 #include "afl-fuzz.h"
-#include "radamsa.h"
+
+static u8* get_libradamsa_path(u8* own_loc) {
+
+  u8 *tmp, *cp, *rsl, *own_copy;
+  
+  tmp = getenv("AFL_PATH");
+
+  if (tmp) {
+
+    cp = alloc_printf("%s/libradamsa.so", tmp);
+
+    if (access(cp, X_OK)) FATAL("Unable to find '%s'", cp);
+
+    return cp;
+
+  }
+
+  own_copy = ck_strdup(own_loc);
+  rsl = strrchr(own_copy, '/');
+
+  if (rsl) {
+
+    *rsl = 0;
+
+    cp = alloc_printf("%s/libradamsa.so", own_copy);
+    ck_free(own_copy);
+
+    if (!access(cp, X_OK))
+      return cp;
+
+  } else
+
+    ck_free(own_copy);
+
+  if (!access(BIN_PATH "/libradamsa.so", X_OK)) {
+
+    return ck_strdup(BIN_PATH "/libradamsa.so");
+
+  }
+
+  SAYF("\n" cLRD "[-] " cRST
+       "Oops, unable to find the 'libradamsa.so' binary. The binary must be "
+       "built\n"
+       "    separately using 'make radamsa'."
+       "If you\n"
+       "    already have the binary installed, you may need to specify "
+       "AFL_PATH in the\n"
+       "    environment.\n");
+
+  FATAL("Failed to locate 'libradamsa.so'.");
+
+}

 /* Display usage hints. */

@ -545,9 +596,21 @@ int main(int argc, char** argv) {
  if (use_radamsa) {
  
    OKF("Using Radamsa add-on");
-    /* randamsa_init installs some signal hadlers, call it firstly so that
-     AFL++ can then replace those signal handlers */
-    radamsa_init();
+    
+    u8* libradamsa_path = get_libradamsa_path(argv[0]);
+    void* handle = dlopen(libradamsa_path, RTLD_NOW);
+    ck_free(libradamsa_path);
+    
+    if (!handle) FATAL("Failed to dlopen() libradamsa");
+
+    void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init");
+    radamsa_mutate_ptr = dlsym(handle, "radamsa_mutate");
+
+    if (!radamsa_init_ptr || !radamsa_mutate_ptr) FATAL("Failed to dlsym() libradamsa");
+
+    /* randamsa_init installs some signal hadlers, call it before setup_signal_handlers
+       so that AFL++ can then replace those signal handlers */
+    radamsa_init_ptr();

  }
  
--- a/src/third_party/libradamsa/Makefile
+++ b/src/third_party/libradamsa/Makefile
@ -1,6 +1,9 @@
 CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))

-all: libradamsa.a
+all: libradamsa.so
+
+libradamsa.so: libradamsa.a
+	$(CC) -shared libradamsa.a -o libradamsa.so

 libradamsa.a: libradamsa.c radamsa.h
 	@echo " ***************************************************************"
@ -14,4 +17,4 @@ test: libradamsa.a libradamsa-test.c
 	rm /tmp/libradamsa-*.fuzz

 clean:
-	rm -f libradamsa.a libradamsa-test
+	rm -f libradamsa.a libradamsa.so libradamsa-test