mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-12 10:08:07 +00:00
602eceed8b
* Output afl-clang-fast stuffs only if necessary (#1912)
* afl-cc header
* afl-cc common declarations
- Add afl-cc-state.c
- Strip includes, find_object, debug/be_quiet/have_*/callname setting from afl-cc.c
- Use debugf_args in main
- Modify execvp stuffs to fit new aflcc struct
* afl-cc show usage
* afl-cc mode selecting
1. compiler_mode by callname in argv[0]
2. compiler_mode by env "AFL_CC_COMPILER"
3. compiler_mode/instrument_mode by command line options "--afl-..."
4. instrument_mode/compiler_mode by various env vars including "AFL_LLVM_INSTRUMENT"
5. final checking steps
6. print "... - mode: %s-%s\n"
7. determine real argv[0] according to compiler_mode
* afl-cc macro defs
* afl-cc linking behaviors
* afl-cc fsanitize behaviors
* afl-cc misc
* afl-cc body update
* afl-cc all-in-one
formated with custom-format.py
* nits
---------
Co-authored-by: vanhauser-thc <vh@thc.org>
* changelog
* update grammar mutator
* lto llvm 12+
* docs(custom_mutators): fix missing ':' (#1953)
* Fix broken LTO mode and response file support (#1948)
* Strip `-Wl,-no-undefined` during compilation (#1952)
Make the compiler wrapper stripping `-Wl,-no-undefined` in addition to `-Wl,--no-undefined`.
Both versions of the flag are accepted by clang and, therefore, used by building systems in the wild (e.g., samba will not build without this fix).
* Remove dead code in write_to_testcase (#1955)
The custom_mutators_count check in if case is duplicate with if condition.
The else case is custom_mutators_count == 0, neither custom_mutator_list iteration nor sent check needed.
Signed-off-by: Xeonacid <h.dwwwwww@gmail.com>
* update qemuafl
* WIP: Add ability to generate drcov trace using QEMU backend (#1956)
* Document new drcov QEMU plugin
* Add link to lightkeeper for QEMU drcov file loading
---------
Co-authored-by: Jean-Romain Garnier <jean-romain.garnier@airbus.com>
* code format
* changelog
* sleep on uid != 0 afl-system-config
* fix segv about skip_next, warn on unsupported cases of linking options (#1958)
* todos
* ensure afl-cc only allows available compiler modes
* update grammar mutator
* disable aslr on apple
* fix for arm64
* help selective instrumentation
* typos
* macos
* add compiler test script
* apple fixes
* bump nyx submodules (#1963)
* fix docs
* update changelog
* update grammar mutator
* improve compiler test script
* gcc asan workaround (#1966)
* fix github merge fuckup
* fix
* Fix afl-cc (#1968)
- Check if too many cmdline params here, each time before insert a new param.
- Check if it is "-fsanitize=..." before we do sth.
- Remove improper param_st transfer.
* Avoid adding llvmnative instrumentation when linking rust sanitizer runtime (#1969)
* Dynamic instrumentation filtering for LLVM native (#1971)
* Add two dynamic instrumentation filter methods to runtime
* Always use pc-table with native pcguard
* Add make_symbol_list.py and README
* changelog
* todos
* new forkserver check
* fix
* nyx test for CI
* improve nyx docs
* Fixes to afl-cc and documentation (#1974)
* Always compile with -ldl when building for CODE_COVERAGE
When building with CODE_COVERAGE, the afl runtime contains code that
calls `dladdr` which requires -ldl. Under most circumstances, clang
already adds this (e.g. when building with pc-table), but there are some
circumstances where it isn't added automatically.
* Add visibility declaration to __afl_connected
When building with hidden visibility, the use of __AFL_LOOP inside such
code can cause linker errors due to __afl_connected being declared
"hidden".
* Update docs to clarify that CODE_COVERAGE=1 is required for dynamic_covfilter
* nits
* nyx build script updates
* test error output
* debug ci
* debug ci
* Improve afl-cc (#1975)
* update response file support
- full support of rsp file
- fix some segv issues
* Improve afl-cc
- remove dead code about allow/denylist options of sancov
- missing `if (!aflcc->have_msan)`
- add docs for each function
- typo
* enable nyx
* debug ci
* debug ci
* debug ci
* debug ci
* debug ci
* debug ci
* debug ci
* debug ci
* fix ci
* clean test script
* NO_NYX
* NO_NYX
* fix ci
* debug ci
* fix ci
* finalize ci fix
* Enhancement on Deterministic stage (#1972)
* fuzzer: init commit based on aflpp 60dc37a8cf
* fuzzers: adding the skip variables and initialize
* log: profile the det/havoc finding
* log: add profile log output
* fuzzers: sperate log/skipdet module
* fuzzers: add quick eff_map calc
* fuzzers: add skip_eff_map in fuzz_one
* fuzzers: mark whole input space in eff_map
* fuzzers: add undet bit threshold to skip some seeds
* fuzzers: fix one byte overflow
* fuzzers: fix overflow
* fix code format
* add havoc only again
* code format
* remove log to INTROSPECTION, rename skipdet module
* rename skipdet module
* remove log to stats
* clean redundant code
* code format
* remove redundant code format check
* remove redundant doc
* remove redundant objects
* clean files
* change -d to default skipdet
* disable deterministic when using CUSTOM_MUTATOR
* revert fix
* final touches for skipdet
* remove unused var
* remove redundant eff struct (#1977)
* update QEMU-Nyx submodule (#1978)
* update QEMU-Nyx submodule (#1980)
* Fix type in AFL_NOOPT env variable in afl-cc help message (#1982)
* nits
* 2024 v4.10c release
* fixes
---------
Signed-off-by: Xeonacid <h.dwwwwww@gmail.com>
Co-authored-by: Sonic <50692172+SonicStark@users.noreply.github.com>
Co-authored-by: Xeonacid <h.dwwwwww@gmail.com>
Co-authored-by: Nils Bars <nils.bars@rub.de>
Co-authored-by: Jean-Romain Garnier <7504819+JRomainG@users.noreply.github.com>
Co-authored-by: Jean-Romain Garnier <jean-romain.garnier@airbus.com>
Co-authored-by: Sergej Schumilo <sergej@schumilo.de>
Co-authored-by: Christian Holler (:decoder) <choller@mozilla.com>
Co-authored-by: Han Zheng <35988108+kdsjZh@users.noreply.github.com>
Co-authored-by: Khaled Yakdan <yakdan@code-intelligence.com>
244 lines
5.5 KiB
C
244 lines
5.5 KiB
C
/*******************************************************************************
|
|
Copyright (c) 2019-2024, Andrea Fioraldi
|
|
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions are met:
|
|
|
|
1. Redistributions of source code must retain the above copyright notice, this
|
|
list of conditions and the following disclaimer.
|
|
2. Redistributions in binary form must reproduce the above copyright notice,
|
|
this list of conditions and the following disclaimer in the documentation
|
|
and/or other materials provided with the distribution.
|
|
|
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
|
|
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*******************************************************************************/
|
|
|
|
#include "libqasan.h"
|
|
#include <sys/mman.h>
|
|
|
|
#ifdef __x86_64__
|
|
|
|
uint8_t *__libqasan_patch_jump(uint8_t *addr, uint8_t *dest) {
|
|
|
|
// mov rax, dest
|
|
addr[0] = 0x48;
|
|
addr[1] = 0xb8;
|
|
*(uint8_t **)&addr[2] = dest;
|
|
|
|
// jmp rax
|
|
addr[10] = 0xff;
|
|
addr[11] = 0xe0;
|
|
|
|
return &addr[12];
|
|
|
|
}
|
|
|
|
#elif __i386__
|
|
|
|
uint8_t *__libqasan_patch_jump(uint8_t *addr, uint8_t *dest) {
|
|
|
|
// mov eax, dest
|
|
addr[0] = 0xb8;
|
|
*(uint8_t **)&addr[1] = dest;
|
|
|
|
// jmp eax
|
|
addr[5] = 0xff;
|
|
addr[6] = 0xe0;
|
|
|
|
return &addr[7];
|
|
|
|
}
|
|
|
|
#elif __arm__
|
|
|
|
// in ARM, r12 is a scratch register used by the linker to jump,
|
|
// so let's use it in our stub
|
|
|
|
uint8_t *__libqasan_patch_jump(uint8_t *addr, uint8_t *dest) {
|
|
|
|
// ldr r12, OFF
|
|
addr[0] = 0x0;
|
|
addr[1] = 0xc0;
|
|
addr[2] = 0x9f;
|
|
addr[3] = 0xe5;
|
|
|
|
// add pc, pc, r12
|
|
addr[4] = 0xc;
|
|
addr[5] = 0xf0;
|
|
addr[6] = 0x8f;
|
|
addr[7] = 0xe0;
|
|
|
|
// OFF: .word dest
|
|
*(uint32_t *)&addr[8] = (uint32_t)dest;
|
|
|
|
return &addr[12];
|
|
|
|
}
|
|
|
|
#elif __aarch64__
|
|
|
|
// in ARM64, x16 is a scratch register used by the linker to jump,
|
|
// so let's use it in our stub
|
|
|
|
uint8_t *__libqasan_patch_jump(uint8_t *addr, uint8_t *dest) {
|
|
|
|
// ldr x16, OFF
|
|
addr[0] = 0x50;
|
|
addr[1] = 0x0;
|
|
addr[2] = 0x0;
|
|
addr[3] = 0x58;
|
|
|
|
// br x16
|
|
addr[4] = 0x0;
|
|
addr[5] = 0x2;
|
|
addr[6] = 0x1f;
|
|
addr[7] = 0xd6;
|
|
|
|
// OFF: .dword dest
|
|
*(uint64_t *)&addr[8] = (uint64_t)dest;
|
|
|
|
return &addr[16];
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
#define CANNOT_HOTPATCH
|
|
|
|
#endif
|
|
|
|
#ifdef CANNOT_HOTPATCH
|
|
|
|
void __libqasan_hotpatch(void) {
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static void *libc_start, *libc_end;
|
|
int libc_perms;
|
|
|
|
static void find_libc(void) {
|
|
|
|
FILE *fp;
|
|
char *line = NULL;
|
|
size_t len = 0;
|
|
ssize_t read;
|
|
|
|
fp = fopen("/proc/self/maps", "r");
|
|
if (fp == NULL) return;
|
|
|
|
while ((read = getline(&line, &len, fp)) != -1) {
|
|
|
|
int fields, dev_maj, dev_min, inode;
|
|
uint64_t min, max, offset;
|
|
char flag_r, flag_w, flag_x, flag_p;
|
|
char path[512] = "";
|
|
fields = sscanf(line,
|
|
"%" PRIx64 "-%" PRIx64 " %c%c%c%c %" PRIx64
|
|
" %x:%x %d"
|
|
" %511s",
|
|
&min, &max, &flag_r, &flag_w, &flag_x, &flag_p, &offset,
|
|
&dev_maj, &dev_min, &inode, path);
|
|
|
|
if ((fields < 10) || (fields > 11)) continue;
|
|
|
|
if (flag_x == 'x' && (__libqasan_strstr(path, "/libc.so") ||
|
|
__libqasan_strstr(path, "/libc-"))) {
|
|
|
|
libc_start = (void *)min;
|
|
libc_end = (void *)max;
|
|
|
|
libc_perms = PROT_EXEC;
|
|
if (flag_w == 'w') libc_perms |= PROT_WRITE;
|
|
if (flag_r == 'r') libc_perms |= PROT_READ;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
free(line);
|
|
fclose(fp);
|
|
|
|
}
|
|
|
|
/* Why this shit? https://twitter.com/andreafioraldi/status/1227635146452541441
|
|
Unfortunatly, symbol override with LD_PRELOAD is not enough to prevent libc
|
|
code to call this optimized XMM-based routines.
|
|
We patch them at runtime to call our unoptimized version of the same routine.
|
|
*/
|
|
|
|
void __libqasan_hotpatch(void) {
|
|
|
|
find_libc();
|
|
|
|
if (!libc_start) return;
|
|
|
|
if (mprotect(libc_start, libc_end - libc_start,
|
|
PROT_READ | PROT_WRITE | PROT_EXEC) < 0)
|
|
return;
|
|
|
|
void *libc = dlopen("libc.so.6", RTLD_LAZY);
|
|
|
|
#define HOTPATCH(fn) \
|
|
uint8_t *p_##fn = (uint8_t *)dlsym(libc, #fn); \
|
|
if (p_##fn) __libqasan_patch_jump(p_##fn, (uint8_t *)&(fn));
|
|
|
|
HOTPATCH(memcmp)
|
|
HOTPATCH(memmove)
|
|
|
|
uint8_t *p_memcpy = (uint8_t *)dlsym(libc, "memcpy");
|
|
// fuck you libc
|
|
if (p_memcpy && p_memmove != p_memcpy)
|
|
__libqasan_patch_jump(p_memcpy, (uint8_t *)&memcpy);
|
|
|
|
HOTPATCH(memchr)
|
|
HOTPATCH(memrchr)
|
|
HOTPATCH(memmem)
|
|
#ifndef __BIONIC__
|
|
HOTPATCH(bzero)
|
|
HOTPATCH(explicit_bzero)
|
|
HOTPATCH(mempcpy)
|
|
HOTPATCH(bcmp)
|
|
#endif
|
|
|
|
HOTPATCH(strchr)
|
|
HOTPATCH(strrchr)
|
|
HOTPATCH(strcasecmp)
|
|
HOTPATCH(strncasecmp)
|
|
HOTPATCH(strcat)
|
|
HOTPATCH(strcmp)
|
|
HOTPATCH(strncmp)
|
|
HOTPATCH(strcpy)
|
|
HOTPATCH(strncpy)
|
|
HOTPATCH(stpcpy)
|
|
HOTPATCH(strdup)
|
|
HOTPATCH(strlen)
|
|
HOTPATCH(strnlen)
|
|
HOTPATCH(strstr)
|
|
HOTPATCH(strcasestr)
|
|
HOTPATCH(wcslen)
|
|
HOTPATCH(wcscpy)
|
|
HOTPATCH(wcscmp)
|
|
|
|
#undef HOTPATCH
|
|
|
|
mprotect(libc_start, libc_end - libc_start, libc_perms);
|
|
|
|
}
|
|
|
|
#endif
|
|
|