From e04b65afd0464b9f73f32d47650cc0c23e623bd3 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 28 Jan 2024 14:20:11 +0100
Subject: [PATCH] restict len
---
 instrumentation/afl-compiler-rt.o.c | 69 ++++++++++++++++++-----------
 nyx_mode/QEMU-Nyx | 2 +-
 nyx_mode/libnyx | 2 +-
 qemu_mode/qemuafl | 2 +-
 unicorn_mode/unicornafl | 2 +-
 5 files changed, 47 insertions(+), 30 deletions(-)
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index e9dcb663..6197f621 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -111,6 +111,8 @@ u32 __afl_dictionary_len;
 u64 __afl_map_addr;
 u32 __afl_first_final_loc;
+static u8 __afl_cmplog_max_len = 16;
+
 #ifdef __AFL_CODE_COVERAGE
 typedef struct afl_module_info_t afl_module_info_t;
@@ -1929,7 +1931,8 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
 /*
- if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
+ if (likely(!__afl_cmp_map)) return;
+ if (unlikely(arg1 == arg2)) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
@@ -1961,7 +1964,8 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
 void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) {
- if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
+ if (likely(!__afl_cmp_map)) return;
+ if (unlikely(arg1 == arg2)) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
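Review bot: `__afl_cmplog_max_len` is introduced as a hard-coded `static u8` of 16 with no comment on what it bounds or why 16, yet every hook in this patch compares a differently-defined quantity against it: `__cmplog_ins_hookN` compares `size`, `__cmplog_ins_hook16` the literal 16, and the rtn hooks a byte count that in `__cmplog_rtn_hook_str` includes the terminator. I would add above the declaration `/* Upper bound, in bytes, on the operand length a cmplog hook records; longer compares are dropped. */` so the unit is fixed in one place. Nothing in this patch assigns the variable, so the comment should also say whether it is meant to remain a compile-time constant.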
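Review bot: The two new checks in `__cmplog_ins_hook1` sit directly after a `/*` context line, which suggests this part of the body is inside a block comment; if so, the edit only changes commented-out text and hook1 still records nothing, which is consistent with the 1-byte sanitizer callbacks being disabled further down in this patch. Either apply the change to live code or state the intent next to the comment, e.g. `/* 1-byte compares are not recorded by cmplog; kept for reference only */`. The rest of hook1, including the closing of that comment, is outside the hunk, so I cannot confirm from here.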
@@ -1999,7 +2003,8 @@ void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr) {
 // fprintf(stderr, "hook4 arg0=%x arg1=%x attr=%u\n", arg1, arg2, attr);
- if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
+ if (likely(!__afl_cmp_map)) return;
+ if (unlikely(arg1 == arg2)) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
@@ -2037,7 +2042,8 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr) {
 // fprintf(stderr, "hook8 arg0=%lx arg1=%lx attr=%u\n", arg1, arg2, attr);
- if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
+ if (likely(!__afl_cmp_map)) return;
+ if (unlikely(arg1 == arg2)) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
@@ -2080,7 +2086,8 @@ void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr,
 // (u64)(arg1 >> 64), (u64)arg1, (u64)(arg2 >> 64), (u64)arg2, size + 1,
 // attr);
- if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
+ if (likely(!__afl_cmp_map)) return;
+ if (unlikely(arg1 == arg2 || size > __afl_cmplog_max_len)) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
@@ -2124,6 +2131,7 @@ void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr,
 void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) {
 if (likely(!__afl_cmp_map)) return;
+ if (16 > __afl_cmplog_max_len) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
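Review bot: The new `size > __afl_cmplog_max_len` test in `__cmplog_ins_hookN` compares `size` as-is, while the commented-out fprintf two lines above prints `size + 1`, which suggests `size` is the operand length minus one; if that is right, this hook still admits a 17-byte operand whereas `__cmplog_ins_hook16` in the next hunk rejects with `16 > __afl_cmplog_max_len`, so the two cut-offs disagree by one. Confirm the unit of `size` and express both checks the same way, e.g. `if (unlikely(arg1 == arg2 || size + 1 > __afl_cmplog_max_len)) return;` with a comment `/* size is bytes - 1 */` if so. The hookN signature (where `size` is declared) and the rest of its body lie outside the hunk.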
@@ -2161,18 +2169,21 @@ void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) {
 #endif
+/*
 void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
- //__cmplog_ins_hook1(arg1, arg2, 0);
+ __cmplog_ins_hook1(arg1, arg2, 0);
 }
 void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) {
- //__cmplog_ins_hook1(arg1, arg2, 0);
+ __cmplog_ins_hook1(arg1, arg2, 0);
 }
+*/
+
 void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
 __cmplog_ins_hook2(arg1, arg2, 0);
@@ -2317,14 +2328,14 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) {
 // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len);
 if (likely(!__afl_cmp_map)) return;
- if (unlikely(!len)) return;
+ if (unlikely(!len || len > __afl_cmplog_max_len)) return;
 int len0 = MIN(len, 31 + _CMPLOG_EXTRA);
 int len1 = strnlen(ptr1, len0);
 if (len1 < 31 + _CMPLOG_EXTRA) len1 = area_is_valid(ptr1, len1 + 1);
 int len2 = strnlen(ptr2, len0);
 if (len2 < 31 + _CMPLOG_EXTRA) len2 = area_is_valid(ptr2, len2 + 1);
 int l = MAX(len1, len2);
- if (l < 2) return;
+ if (l < 2 || l > __afl_cmplog_max_len) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
@@ -2370,7 +2381,7 @@ void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
 int len1 = strnlen(ptr1, 30) + 1;
 int len2 = strnlen(ptr2, 30) + 1;
 int l = MAX(len1, len2);
- if (l < 3) return;
+ if (l < 2 || l > __afl_cmplog_max_len) return;
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
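Review bot: Wrapping `__sanitizer_cov_trace_cmp1` and `__sanitizer_cov_trace_const_cmp1` in `/* */` removes their definitions from the runtime, whereas the old code kept them as empty stubs; any object built with `-fsanitize-coverage=trace-cmp` that contains a 1-byte compare would then fail to link against this runtime unless those symbols are provided elsewhere, which I cannot see from here. Keeping the stub bodies and disabling only the call preserves the link contract: `void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) { (void)arg1; (void)arg2; }` and the same for the const variant, with a one-line comment saying that 1-byte compares are deliberately not logged.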
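Review bot: The added `len > __afl_cmplog_max_len` in the first guard of `__cmplog_rtn_hook_strn` rejects on the caller's bound `len` (the `n` of a strncmp-style call) rather than on the string data; a call such as `strncmp(buf, "abc", 64)` is dropped at that line even though the compared strings are three bytes and would pass the later `l > __afl_cmplog_max_len` check. Since the check on `l` already bounds what is recorded, the first guard can stay `if (unlikely(!len)) return;`, or the reason for bounding on `len` needs a comment next to it. The body of the function continues outside the hunk.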
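Review bot: In `__cmplog_rtn_hook_str` the lower threshold changes from `l < 3` to `l < 2` with nothing in the commit explaining it, and `l` here is built from `strnlen(...) + 1` (terminator counted) while the `l` compared in `__cmplog_rtn_hook_strn` in the previous hunk is not, so `__afl_cmplog_max_len` admits 15 characters here and 16 there. Either compare `l - 1 > __afl_cmplog_max_len` here or state the unit at the check: `/* l counts the NUL terminator */`. The function continues past the hunk.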
@@ -2410,26 +2421,30 @@ void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
 /* hook function for all other func(ptr, ptr, ...) variants */
 void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
- fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
+ // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
- u32 i;
+ if (likely(!__afl_cmp_map)) return;
 if (area_is_valid(ptr1, 31 + _CMPLOG_EXTRA) <= 0 || area_is_valid(ptr2, 31 + _CMPLOG_EXTRA) <= 0) return;
- fprintf(stderr, "rtn arg0=");
- for (i = 0; i < 32; i++)
- fprintf(stderr, "%02x", ptr1[i]);
- fprintf(stderr, " arg1=");
- for (i = 0; i < 32; i++)
- fprintf(stderr, "%02x", ptr2[i]);
- fprintf(stderr, "\n");
- if (likely(!__afl_cmp_map)) return;
+ /*
+ u32 i;
+ fprintf(stderr, "rtn arg0=");
+ for (i = 0; i < 32; i++)
+ fprintf(stderr, "%02x", ptr1[i]);
+ fprintf(stderr, " arg1=");
+ for (i = 0; i < 32; i++)
+ fprintf(stderr, "%02x", ptr2[i]);
+ fprintf(stderr, "\n");
+ */
+
 int l1, l2;
 if ((l1 = area_is_valid(ptr1, 31 + _CMPLOG_EXTRA)) <= 0 || (l2 = area_is_valid(ptr2, 31 + _CMPLOG_EXTRA)) <= 0) return;
 int len = MIN(31 + _CMPLOG_EXTRA, MIN(l1, l2));
+ if (likely(len > __afl_cmplog_max_len)) return;
 // fprintf(stderr, "RTN2 %u\n", len);
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
@@ -2464,7 +2479,7 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
 __builtin_memcpy(cmpfn[hits].v0, ptr1, len);
 __builtin_memcpy(cmpfn[hits].v1, ptr2, len);
- fprintf(stderr, "RTN3 len %u\n", len);
+ // fprintf(stderr, "RTN3 len %u\n", len);
 }
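Review bot: `len` in `__cmplog_rtn_hook` comes from `area_is_valid`, which by its use in `MIN(l1, l2)` looks like the readable length of each region rather than the number of bytes the intercepted function compares; the new `if (likely(len > __afl_cmplog_max_len)) return;` therefore drops every call whose operands sit in a buffer with more than 16 readable bytes, which I would expect to be the common case for heap and stack buffers. If the goal is to bound what is copied into `cmpfn[hits].v0`/`v1` in the second hunk, clamp instead of reject: `if (len > __afl_cmplog_max_len) len = __afl_cmplog_max_len;`. The first `area_is_valid` pair at the top of the function is now a duplicate of the `l1`/`l2` pair below it and can be removed. The function continues past this hunk.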
@@ -2473,12 +2488,16 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
 information and pass it on to the standard binary rtn hook */
 void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) {
- fprintf(stderr, "__cmplog_rtn_hook_n %llu, %p %p\n", len, ptr1, ptr2);
+ // fprintf(stderr, "__cmplog_rtn_hook_n %llu, %p %p\n", len, ptr1, ptr2);
+ if (likely(!__afl_cmp_map)) return;
+ if (likely(len > __afl_cmplog_max_len)) return;
- u32 i;
 if (area_is_valid(ptr1, 31 + _CMPLOG_EXTRA) <= 0 || area_is_valid(ptr2, 31 + _CMPLOG_EXTRA) <= 0) return;
+
+ /*
+ u32 i;
 fprintf(stderr, "rtn_n len=%llu arg0=", len);
 for (i = 0; i < len; i++) fprintf(stderr, "%02x", ptr1[i]);
@@ -2486,14 +2505,12 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) {
 for (i = 0; i < len; i++) fprintf(stderr, "%02x", ptr2[i]);
 fprintf(stderr, "\n");
+ */
 //(void)(len);
 __cmplog_rtn_hook(ptr1, ptr2);
 #if 0
- /*
- */
- // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len);
 if (likely(!__afl_cmp_map)) return;
 if (unlikely(!len)) return;
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
index 02a6f2ae..92ed7cef 160000
--- a/nyx_mode/QEMU-Nyx
+++ b/nyx_mode/QEMU-Nyx
@@ -1 +1 @@
-Subproject commit 02a6f2aed360cfe76bb3d788dafe517c350d74e5
+Subproject commit 92ed7cefc1bd043a1230ca74b263b484825c2655
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx
index 512058a6..8291ef4c 160000
--- a/nyx_mode/libnyx
+++ b/nyx_mode/libnyx
@@ -1 +1 @@
-Subproject commit 512058a68d58b1a90a4e3971b526a955559735bf
+Subproject commit 8291ef4cb4f1d4bfe3026fe198167fd5c98e3a15
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index e63c9af1..a1321713 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit e63c9af1937c13163cd1bc8bc276101441cbe70a
+Subproject commit a1321713c7502c152dd7527555e0f8a800d55225
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 63aab0f7..f2cede37 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
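Review bot: `__cmplog_rtn_hook_n` now rejects on `len > __afl_cmplog_max_len` but still forwards only `ptr1, ptr2` to `__cmplog_rtn_hook` (the `//(void)(len);` and the call are in the second hunk), and that hook re-derives its own length from `area_is_valid`; the caller's real compare length is validated and then discarded, and `len == 0` is not rejected at all since the `!len` check sits inside `#if 0`. Passing `len` through so the rtn hook copies at most that many bytes would make the bound apply to what was actually compared rather than to how much memory is readable, and the dead `#if 0` tail is worth deleting rather than trimming. The function continues beyond both hunks.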
@@ -1 +1 @@
-Subproject commit 63aab0f752ba1d40a1c4de6988a78cd1e6dcc1c7
+Subproject commit f2cede37a75bbd4a9b9438f0277727b5d4620572