authorvanhauser-thc <vh@thc.org>2021-07-30 08:33:18 +0200
committervanhauser-thc <vh@thc.org>2021-07-30 08:33:18 +0200
commitc3fbf5dca309e80e91f9bee9ff6d13f6aa240427 (patch)
treedf62913972211fbafe36ab5acd71340111a640d7
parentbcdb69289f4a5304b1aee641d5f5a32437b91729 (diff)
downloadafl++-c3fbf5dca309e80e91f9bee9ff6d13f6aa240427.tar.gz
add more string functions for dictionary features
-rw-r--r--docs/Changelog.md1
-rw-r--r--instrumentation/SanitizerCoverageLTO.so.cc39
-rw-r--r--instrumentation/afl-llvm-dict2file.so.cc55
-rw-r--r--instrumentation/afl-llvm-lto-instrumentation.so.cc38
-rw-r--r--instrumentation/compare-transform-pass.so.cc39
-rw-r--r--test/test-compcov.c2
6 files changed, 150 insertions, 24 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index e51a94b5..10d25754 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,6 +16,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- added afl-persistent-config script to set perform permanent system
configuration settings for fuzzing, for Linux and Macos.
thanks to jhertz!
+ - added xml, curl and exotic string functions to llvm dictionary features
- removed utils/afl_frida because frida_mode/ is now so much better
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 91b81910..e06f8b93 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -626,12 +626,41 @@ bool ModuleSanitizerCoverage::instrumentModule(
if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
std::string FuncName = Callee->getName().str();
- isStrcmp &= !FuncName.compare("strcmp");
+
+ isStrcmp &= (!FuncName.compare("strcmp") ||
+ !FuncName.compare("xmlStrcmp") ||
+ !FuncName.compare("xmlStrEqual") ||
+ !FuncName.compare("g_strcmp0") ||
+ !FuncName.compare("curl_strequal") ||
+ !FuncName.compare("strcsequal"));
isMemcmp &=
- (!FuncName.compare("memcmp") || !FuncName.compare("bcmp"));
- isStrncmp &= !FuncName.compare("strncmp");
- isStrcasecmp &= !FuncName.compare("strcasecmp");
- isStrncasecmp &= !FuncName.compare("strncasecmp");
+ (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
+ !FuncName.compare("CRYPTO_memcmp") ||
+ !FuncName.compare("OPENSSL_memcmp") ||
+ !FuncName.compare("memcmp_const_time") ||
+ !FuncName.compare("memcmpct"));
+ isStrncmp &= (!FuncName.compare("strncmp") ||
+ !FuncName.compare("xmlStrncmp") ||
+ !FuncName.compare("curl_strnequal"));
+ isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
+ !FuncName.compare("stricmp") ||
+ !FuncName.compare("ap_cstr_casecmp") ||
+ !FuncName.compare("OPENSSL_strcasecmp") ||
+ !FuncName.compare("xmlStrcasecmp") ||
+ !FuncName.compare("g_strcasecmp") ||
+ !FuncName.compare("g_ascii_strcasecmp") ||
+ !FuncName.compare("Curl_strcasecompare") ||
+ !FuncName.compare("Curl_safe_strcasecompare") ||
+ !FuncName.compare("cmsstrcasecmp"));
+ isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
+ !FuncName.compare("strnicmp") ||
+ !FuncName.compare("ap_cstr_casecmpn") ||
+ !FuncName.compare("OPENSSL_strncasecmp") ||
+ !FuncName.compare("xmlStrncasecmp") ||
+ !FuncName.compare("g_ascii_strncasecmp") ||
+ !FuncName.compare("Curl_strncasecompare") ||
+ !FuncName.compare("g_strncasecmp"));
+
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
isStdString &=
((FuncName.find("basic_string") != std::string::npos &&
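Review bot: The five expanded name lists in this hunk are duplicated verbatim in afl-llvm-lto-instrumentation.so.cc, afl-llvm-dict2file.so.cc and compare-transform-pass.so.cc in the same commit, and the `!FuncName.compare(...)` chains (up to ten terms for `isStrcasecmp`) are hard to audit by eye and will drift the next time a name is added to one pass but not the others. A small file-scope helper taking the candidate names as a list keeps each category on one or two lines and makes the lists diffable against the other passes; sharing one table across the four passes would be better still, but that is a larger change. instrumentModule continues outside the hunk.
```cpp
// file-scope helper: true when Name equals one of Names
static bool isOneOf(const std::string &Name,
                    std::initializer_list<const char *> Names) {
  for (const char *N : Names)
    if (Name == N) return true;
  return false;
}
// … unchanged: Callee / calling-convention checks …
std::string FuncName = Callee->getName().str();
isStrcmp &= isOneOf(FuncName, {"strcmp", "xmlStrcmp", "xmlStrEqual",
                               "g_strcmp0", "curl_strequal", "strcsequal"});
isMemcmp &= isOneOf(FuncName, {"memcmp", "bcmp", "CRYPTO_memcmp",
                               "OPENSSL_memcmp", "memcmp_const_time",
                               "memcmpct"});
// … same shape for isStrncmp / isStrcasecmp / isStrncasecmp …
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
```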
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index 9daa75a8..4622e488 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -288,6 +288,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
bool isStrncasecmp = true;
bool isIntMemcpy = true;
bool isStdString = true;
+ bool isStrstr = true;
bool addedNull = false;
size_t optLen = 0;
@@ -295,12 +296,46 @@ bool AFLdict2filePass::runOnModule(Module &M) {
if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
std::string FuncName = Callee->getName().str();
- isStrcmp &= !FuncName.compare("strcmp");
+ isStrcmp &=
+ (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") ||
+ !FuncName.compare("xmlStrEqual") ||
+ !FuncName.compare("g_strcmp0") ||
+ !FuncName.compare("curl_strequal") ||
+ !FuncName.compare("strcsequal"));
isMemcmp &=
- (!FuncName.compare("memcmp") || !FuncName.compare("bcmp"));
- isStrncmp &= !FuncName.compare("strncmp");
- isStrcasecmp &= !FuncName.compare("strcasecmp");
- isStrncasecmp &= !FuncName.compare("strncasecmp");
+ (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
+ !FuncName.compare("CRYPTO_memcmp") ||
+ !FuncName.compare("OPENSSL_memcmp") ||
+ !FuncName.compare("memcmp_const_time") ||
+ !FuncName.compare("memcmpct"));
+ isStrncmp &= (!FuncName.compare("strncmp") ||
+ !FuncName.compare("xmlStrncmp") ||
+ !FuncName.compare("curl_strnequal"));
+ isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
+ !FuncName.compare("stricmp") ||
+ !FuncName.compare("ap_cstr_casecmp") ||
+ !FuncName.compare("OPENSSL_strcasecmp") ||
+ !FuncName.compare("xmlStrcasecmp") ||
+ !FuncName.compare("g_strcasecmp") ||
+ !FuncName.compare("g_ascii_strcasecmp") ||
+ !FuncName.compare("Curl_strcasecompare") ||
+ !FuncName.compare("Curl_safe_strcasecompare") ||
+ !FuncName.compare("cmsstrcasecmp"));
+ isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
+ !FuncName.compare("strnicmp") ||
+ !FuncName.compare("ap_cstr_casecmpn") ||
+ !FuncName.compare("OPENSSL_strncasecmp") ||
+ !FuncName.compare("xmlStrncasecmp") ||
+ !FuncName.compare("g_ascii_strncasecmp") ||
+ !FuncName.compare("Curl_strncasecompare") ||
+ !FuncName.compare("g_strncasecmp"));
+ isStrstr &= (!FuncName.compare("strstr") ||
+ !FuncName.compare("g_strstr_len") ||
+ !FuncName.compare("ap_strcasestr") ||
+ !FuncName.compare("xmlStrstr") ||
+ !FuncName.compare("xmlStrcasestr") ||
+ !FuncName.compare("g_str_has_prefix") ||
+ !FuncName.compare("g_str_has_suffix"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
isStdString &= ((FuncName.find("basic_string") != std::string::npos &&
FuncName.find("compare") != std::string::npos) ||
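Review bot: `g_strstr_len` in the new `isStrstr` list can never be collected: GLib declares it with three parameters (haystack, haystack_len, needle), while the `isStrstr` prototype check this commit adds further down in runOnModule requires `FT->getNumParams() == 2` with two identical `i8*` parameters, so `isStrstr` is cleared again for every call to it. Either drop the name from the list or give it its own arity check that reads the needle from the third parameter. The other six `isStrstr` names are two-pointer functions and pass the check as written. runOnModule continues outside the hunk.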
@@ -308,13 +343,17 @@ bool AFLdict2filePass::runOnModule(Module &M) {
FuncName.find("find") != std::string::npos));
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&
- !isStrncasecmp && !isIntMemcpy && !isStdString)
+ !isStrncasecmp && !isIntMemcpy && !isStdString && !isStrstr)
continue;
/* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp function
* prototype */
FunctionType *FT = Callee->getFunctionType();
+ isStrstr &=
+ FT->getNumParams() == 2 &&
+ FT->getParamType(0) == FT->getParamType(1) &&
+ FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
isStrcmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
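Review bot: The comment above the prototype checks still reads `/* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp function prototype */` although the new `isStrstr` check now lives under it; update it to `/* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp/strstr function prototype */`. The `isStrstr` check also differs from the `isStrcmp` one right below it in not constraining the return type, which looks intentional (`strstr` returns a pointer while `g_str_has_prefix` returns an int-like value), so a one-line comment such as `// no return-type check: strstr returns char *, g_str_has_* return gboolean` would stop a later reader from "fixing" it. runOnModule continues outside the hunk.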
@@ -345,7 +384,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
FT->getParamType(1)->isPointerTy();
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&
- !isStrncasecmp && !isIntMemcpy && !isStdString)
+ !isStrncasecmp && !isIntMemcpy && !isStdString && !isStrstr)
continue;
/* is a str{n,}{case,}cmp/memcmp, check if we have
@@ -359,7 +398,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
bool HasStr1;
getConstantStringInfo(Str1P, TmpStr);
- if (TmpStr.empty()) {
+ if (isStrstr || TmpStr.empty()) {
HasStr1 = false;
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index 263d947d..e300044c 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -393,12 +393,40 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
std::string FuncName = Callee->getName().str();
- isStrcmp &= !FuncName.compare("strcmp");
+
+ isStrcmp &= (!FuncName.compare("strcmp") ||
+ !FuncName.compare("xmlStrcmp") ||
+ !FuncName.compare("xmlStrEqual") ||
+ !FuncName.compare("g_strcmp0") ||
+ !FuncName.compare("curl_strequal") ||
+ !FuncName.compare("strcsequal"));
isMemcmp &=
- (!FuncName.compare("memcmp") || !FuncName.compare("bcmp"));
- isStrncmp &= !FuncName.compare("strncmp");
- isStrcasecmp &= !FuncName.compare("strcasecmp");
- isStrncasecmp &= !FuncName.compare("strncasecmp");
+ (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
+ !FuncName.compare("CRYPTO_memcmp") ||
+ !FuncName.compare("OPENSSL_memcmp") ||
+ !FuncName.compare("memcmp_const_time") ||
+ !FuncName.compare("memcmpct"));
+ isStrncmp &= (!FuncName.compare("strncmp") ||
+ !FuncName.compare("xmlStrncmp") ||
+ !FuncName.compare("curl_strnequal"));
+ isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
+ !FuncName.compare("stricmp") ||
+ !FuncName.compare("ap_cstr_casecmp") ||
+ !FuncName.compare("OPENSSL_strcasecmp") ||
+ !FuncName.compare("xmlStrcasecmp") ||
+ !FuncName.compare("g_strcasecmp") ||
+ !FuncName.compare("g_ascii_strcasecmp") ||
+ !FuncName.compare("Curl_strcasecompare") ||
+ !FuncName.compare("Curl_safe_strcasecompare") ||
+ !FuncName.compare("cmsstrcasecmp"));
+ isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
+ !FuncName.compare("strnicmp") ||
+ !FuncName.compare("ap_cstr_casecmpn") ||
+ !FuncName.compare("OPENSSL_strncasecmp") ||
+ !FuncName.compare("xmlStrncasecmp") ||
+ !FuncName.compare("g_ascii_strncasecmp") ||
+ !FuncName.compare("Curl_strncasecompare") ||
+ !FuncName.compare("g_strncasecmp"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
isStdString &=
((FuncName.find("basic_string") != std::string::npos &&
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index f5dd4a53..288e8282 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -151,12 +151,39 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
if (!Callee) continue;
if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
StringRef FuncName = Callee->getName();
- isStrcmp &= !FuncName.compare(StringRef("strcmp"));
- isMemcmp &= (!FuncName.compare(StringRef("memcmp")) ||
- !FuncName.compare(StringRef("bcmp")));
- isStrncmp &= !FuncName.compare(StringRef("strncmp"));
- isStrcasecmp &= !FuncName.compare(StringRef("strcasecmp"));
- isStrncasecmp &= !FuncName.compare(StringRef("strncasecmp"));
+ isStrcmp &=
+ (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") ||
+ !FuncName.compare("xmlStrEqual") ||
+ !FuncName.compare("g_strcmp0") ||
+ !FuncName.compare("curl_strequal") ||
+ !FuncName.compare("strcsequal"));
+ isMemcmp &=
+ (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
+ !FuncName.compare("CRYPTO_memcmp") ||
+ !FuncName.compare("OPENSSL_memcmp") ||
+ !FuncName.compare("memcmp_const_time") ||
+ !FuncName.compare("memcmpct"));
+ isStrncmp &= (!FuncName.compare("strncmp") ||
+ !FuncName.compare("xmlStrncmp") ||
+ !FuncName.compare("curl_strnequal"));
+ isStrcasecmp &= (!FuncName.compare("strcasecmp") ||
+ !FuncName.compare("stricmp") ||
+ !FuncName.compare("ap_cstr_casecmp") ||
+ !FuncName.compare("OPENSSL_strcasecmp") ||
+ !FuncName.compare("xmlStrcasecmp") ||
+ !FuncName.compare("g_strcasecmp") ||
+ !FuncName.compare("g_ascii_strcasecmp") ||
+ !FuncName.compare("Curl_strcasecompare") ||
+ !FuncName.compare("Curl_safe_strcasecompare") ||
+ !FuncName.compare("cmsstrcasecmp"));
+ isStrncasecmp &= (!FuncName.compare("strncasecmp") ||
+ !FuncName.compare("strnicmp") ||
+ !FuncName.compare("ap_cstr_casecmpn") ||
+ !FuncName.compare("OPENSSL_strncasecmp") ||
+ !FuncName.compare("xmlStrncasecmp") ||
+ !FuncName.compare("g_ascii_strncasecmp") ||
+ !FuncName.compare("Curl_strncasecompare") ||
+ !FuncName.compare("g_strncasecmp"));
isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64");
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&
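Review bot: Several names now accepted by `isStrcmp`, `isStrncmp` and `isStrcasecmp` are equality predicates, not strcmp-style comparators: `xmlStrEqual`, `curl_strequal`, `curl_strnequal`, `Curl_strcasecompare`, `Curl_safe_strcasecompare` and `Curl_strncasecompare` return non-zero when the strings match, whereas `strcmp` returns 0 on a match. Unlike the three dictionary passes in this commit, which only harvest the constant operand, this pass replaces the matched call with an inline comparison (the rewrite is below the hunk, outside view), so if that rewrite keeps strcmp's zero-on-equal result the instrumented program will take the opposite branch at every such call site. The predicate-style names need their result inverted where it is materialised (e.g. a `bool success_is_one` recorded alongside `isStrcmp` for those names) or should be left out of this pass's lists. transformCmps continues outside the hunk.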
diff --git a/test/test-compcov.c b/test/test-compcov.c
index 4959c39c..ae63ca45 100644
--- a/test/test-compcov.c
+++ b/test/test-compcov.c
@@ -29,6 +29,8 @@ int main(int argc, char **argv) {
printf("your string was APRI\n");
else if (strcasecmp(input, "Kiwi") == 0)
printf("your string was Kiwi\n");
+ else if (strstr(input, "tsala") == 0)
+ printf("your string is a fruit salad\n");
else if (strncasecmp(input, "avocado", 9) == 0)
printf("your string was avocado\n");
else if (strncasecmp(input, "Grapes", argc > 2 ? atoi(argv[2]) : 3) == 0)
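Review bot: The first added line, `else if (strstr(input, "tsala") == 0)`, is inverted: strstr returns NULL when the needle is absent, so this branch prints "fruit salad" for every input that does not contain "tsala" and makes the avocado and Grapes branches below unreachable for those inputs. The intended test is `else if (strstr(input, "tsala") != NULL)`, which also matches the strcasecmp/strncasecmp style of the neighbouring branches. main continues outside the hunk.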