diff options
| author | van Hauser <vh@thc.org> | 2020-08-14 11:40:26 +0200 |
|---|---|---|
| committer | van Hauser <vh@thc.org> | 2020-08-14 11:40:26 +0200 |
| commit | 9ff9ff2ad2a8b4f66a64f47a3252d13803774cd2 (patch) | |
| tree | f023d2799ab0934549183907fc0ecb7513dd2c24 | |
| parent | d86b13384fd8aed10a19e2f517d7315a358bc1f5 (diff) | |
| download | afl++-9ff9ff2ad2a8b4f66a64f47a3252d13803774cd2.tar.gz | |
more secure way to work with a dynamic map
| -rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 206a9878..5479c3da 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -54,8 +54,6 @@ Basically, we need to make sure that the forkserver is initialized after the LLVM-generated runtime initialization pass, not before. */ -#define CONST_PRIO 5 - #ifndef MAP_FIXED_NOREPLACE #ifdef MAP_EXCL #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED @@ -74,12 +72,12 @@ run. It will end up as .comm, so it shouldn't be too wasteful. */ #if MAP_SIZE <= 65536 - #define MAP_INITIAL_SIZE 512000 + #define MAP_INITIAL_SIZE 256000 #else #define MAP_INITIAL_SIZE MAP_SIZE #endif -u8 __afl_area_initial[MAP_INITIAL_SIZE]; +u8 __afl_area_initial[MAP_INITIAL_SIZE]; u8 * __afl_area_ptr = __afl_area_initial; u8 * __afl_dictionary; u8 * __afl_fuzz_ptr; @@ -186,12 +184,21 @@ static void __afl_map_shm_fuzz() { static void __afl_map_shm(void) { // we we are not running in afl ensure the map exists - if (!__afl_area_ptr) __afl_area_ptr = __afl_area_initial; + if (!__afl_area_ptr) { __afl_area_ptr = __afl_area_initial; } char *id_str = getenv(SHM_ENV_VAR); if (__afl_final_loc) { + if (__afl_area_ptr && __afl_final_loc && + __afl_final_loc > MAP_INITIAL_SIZE && + __afl_area_ptr != __afl_area_initial) { + + munmap(__afl_area_ptr, __afl_final_loc); + __afl_area_ptr = __afl_area_initial; + + } + if (__afl_final_loc % 8) __afl_final_loc = (((__afl_final_loc + 7) >> 3) << 3); @@ -889,6 +896,24 @@ __attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) { } +/* preset __afl_area_ptr */ + +__attribute__((constructor(0))) void __afl_auto_first(void) { + + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; + u8 *ptr; + + if (__afl_final_loc > MAP_INITIAL_SIZE) { + + ptr = (u8 *)mmap(NULL, __afl_final_loc, PROT_READ | PROT_WRITE, MAP_PRIVATE, + -1, 0); + + if (ptr && (ssize_t)ptr != -1) { __afl_area_ptr = ptr; } + + } + +} + /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard. It remains non-operational in the traditional, plugin-backed LLVM mode. For more info about 'trace-pc-guard', see llvm_mode/README.md. |