authorvan Hauser <vh@thc.org>2020-08-16 13:29:24 +0200
committervan Hauser <vh@thc.org>2020-08-16 13:29:24 +0200
commit1d56de6c1d24e6ed24bf7193df18110da753c6b2 (patch)
treebc72fbf527e2dfc0260de25b1caad0c3319ce5df
parent266b51a842ccb001a4a9babab5fc8650e36f94ce (diff)
downloadafl++-1d56de6c1d24e6ed24bf7193df18110da753c6b2.tar.gz
fix lto autodict for long strings
-rw-r--r--docs/Changelog.md1
-rw-r--r--llvm_mode/afl-llvm-lto-instrumentation.so.cc33
-rw-r--r--llvm_mode/afl-llvm-rt.o.c5
3 files changed, 25 insertions, 14 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index ead4ff26..55b0c7dd 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -37,6 +37,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
for a fixed map address (eg. 0x10000)
- LTO: improved stability for persistent mode, no other instrumentation
has that advantage
+ - LTO: fixed autodict for long strings
- LTO: laf-intel and redqueen/cmplog are now applied at link time
to prevent llvm optimizing away the splits
- LTO: autodictionary mode is a default
diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
index 2b99d4c6..5320df09 100644
--- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc
+++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
@@ -291,14 +291,14 @@ bool AFLLTOPass::runOnModule(Module &M) {
if ((callInst = dyn_cast<CallInst>(&IN))) {
- bool isStrcmp = true;
- bool isMemcmp = true;
- bool isStrncmp = true;
- bool isStrcasecmp = true;
- bool isStrncasecmp = true;
- bool isIntMemcpy = true;
- bool addedNull = false;
- uint8_t optLen = 0;
+ bool isStrcmp = true;
+ bool isMemcmp = true;
+ bool isStrncmp = true;
+ bool isStrcasecmp = true;
+ bool isStrncasecmp = true;
+ bool isIntMemcpy = true;
+ bool addedNull = false;
+ size_t optLen = 0;
Function *Callee = callInst->getCalledFunction();
if (!Callee) continue;
@@ -546,17 +546,26 @@ bool AFLLTOPass::runOnModule(Module &M) {
// add null byte if this is a string compare function and a null
// was not already added
- if (addedNull == false && !isMemcmp) {
+ if (!isMemcmp) {
- thestring.append("\0", 1); // add null byte
- optLen++;
+ if (addedNull == false) {
+
+ thestring.append("\0", 1); // add null byte
+ optLen++;
+
+ }
+
+ // ensure we do not have garbage
+ size_t offset = thestring.find('\0', 0);
+ if (offset + 1 < optLen) optLen = offset + 1;
+ thestring = thestring.substr(0, optLen);
}
if (!be_quiet) {
std::string outstring;
- fprintf(stderr, "%s: length %u/%u \"", FuncName.c_str(), optLen,
+ fprintf(stderr, "%s: length %zu/%zu \"", FuncName.c_str(), optLen,
(unsigned int)thestring.length());
for (uint8_t i = 0; i < thestring.length(); i++) {
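Review bot: The fprintf at the end of the hunk now uses `%zu` for both values but still passes `(unsigned int)thestring.length()` as the second argument, which no longer matches the conversion and is undefined behaviour (on LP64 targets a 64-bit value is read where a 32-bit one was pushed). Drop the cast so the call reads `fprintf(stderr, "%s: length %zu/%zu \"", FuncName.c_str(), optLen, thestring.length());`, since `length()` already returns `size_t`. The garbage trim also relies on a null byte being present in `thestring` whenever `addedNull` is already true; should that ever not hold, `find` returns `npos`, `offset + 1` wraps to 0 and `optLen` collapses to 0, silently discarding the entry, so `if (offset != std::string::npos && offset + 1 < optLen) optLen = offset + 1;` would keep the intent without that edge. Because `optLen` can now exceed 255, the `uint8_t i` counter on the last visible line would never terminate for a `thestring` of 256 bytes or more, if strings that long can reach this point. runOnModule continues outside the hunk.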
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index e5ff7b19..d00fd26f 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -329,8 +329,9 @@ static void __afl_map_shm(void) {
__afl_area_ptr[0] = 1;
- } else if (__afl_map_addr &&
- (!__afl_area_ptr || __afl_area_ptr == __afl_area_initial)) {
+ } else if ((!__afl_area_ptr || __afl_area_ptr == __afl_area_initial) &&
+
+ __afl_map_addr) {
__afl_area_ptr =
mmap((void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE,