ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-08 16:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
AFLplusplus/unicorn_mode/patches/patches.diff
Dominik Maier 00dc8a0ad5 Added AFL-Unicorn mode
2019-07-25 02:26:51 +02:00

108 lines
3.5 KiB
Diff
Raw Blame History

diff --git a/Makefile b/Makefile
index 7d73782..fb3ccfd 100644
--- a/Makefile
+++ b/Makefile
@@ -88,6 +88,10 @@ AR = llvm-ar
LDFLAGS := -fsanitize=address ${LDFLAGS}
endif
+ifeq ($(UNICORN_AFL),yes)
+UNICORN_CFLAGS += -DUNICORN_AFL
+endif
+
ifeq ($(CROSS),)
CC ?= cc
AR ?= ar
diff --git a/config.mk b/config.mk
index c3621fb..c7b4f7e 100644
--- a/config.mk
+++ b/config.mk
@@ -8,7 +8,7 @@
# Compile with debug info when you want to debug code.
# Change this to 'no' for release edition.
-UNICORN_DEBUG ?= yes
+UNICORN_DEBUG ?= no
################################################################################
# Specify which archs you want to compile in. By default, we build all archs.
@@ -28,3 +28,9 @@ UNICORN_STATIC ?= yes
# a shared library.
UNICORN_SHARED ?= yes
+
+
+################################################################################
+# Changing 'UNICORN_AFLL = yes' to 'UNICORN_AFL = no' disables AFL instrumentation
+
+UNICORN_AFL ?= yes
diff --git a/qemu/cpu-exec.c b/qemu/cpu-exec.c
index 7755adf..8114b70 100644
--- a/qemu/cpu-exec.c
+++ b/qemu/cpu-exec.c
@@ -24,6 +24,11 @@
#include "uc_priv.h"
+#if defined(UNICORN_AFL)
+#include "../afl-unicorn-cpu-inl.h"
+static int afl_first_instr = 0;
+#endif
+
static tcg_target_ulong cpu_tb_exec(CPUState *cpu, uint8_t *tb_ptr);
static TranslationBlock *tb_find_slow(CPUArchState *env, target_ulong pc,
target_ulong cs_base, uint64_t flags);
@@ -231,6 +236,10 @@ int cpu_exec(struct uc_struct *uc, CPUArchState *env) // qq
next_tb & TB_EXIT_MASK, tb);
}
+#if defined(UNICORN_AFL)
+ AFL_UNICORN_CPU_SNIPPET2;
+#endif
+
/* cpu_interrupt might be called while translating the
TB, but before it is linked into a potentially
infinite loop and becomes env->current_tb. Avoid
@@ -369,6 +378,11 @@ static TranslationBlock *tb_find_slow(CPUArchState *env, target_ulong pc,
not_found:
/* if no translated code available, then translate it now */
tb = tb_gen_code(cpu, pc, cs_base, (int)flags, 0); // qq
+
+#if defined(UNICORN_AFL)
+ /* There seems to be no chaining in unicorn ever? :( */
+ AFL_UNICORN_CPU_SNIPPET1;
+#endif
found:
/* Move the last found TB to the head of the list */
diff --git a/qemu/translate-all.c b/qemu/translate-all.c
index 1a96c34..7ef4878 100644
--- a/qemu/translate-all.c
+++ b/qemu/translate-all.c
@@ -403,11 +403,25 @@ static PageDesc *page_find_alloc(struct uc_struct *uc, tb_page_addr_t index, int
#if defined(CONFIG_USER_ONLY)
/* We can't use g_malloc because it may recurse into a locked mutex. */
+#if defined(UNICORN_AFL)
+ /* This was added by unicorn-afl to bail out semi-gracefully if out of memory. */
+# define ALLOC(P, SIZE) \
+ do { \
+ void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
+ if (_tmp == (void*)-1) { \
+ qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \
+ exit(1); \
+ } \
+ (P) = _tmp; \
+ } while (0)
+#else /* !UNICORN_AFL */
# define ALLOC(P, SIZE) \
do { \
P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
} while (0)
+#endif /* UNICORN_AFL */
#else
# define ALLOC(P, SIZE) \
do { P = g_malloc0(SIZE); } while (0)
Reference in New Issue View Git Blame Copy Permalink