author | David Carlier <devnexen@gmail.com> | 2022-04-15 17:34:19 +0100 |
---|---|---|
committer | David Carlier <devnexen@gmail.com> | 2022-04-15 17:34:19 +0100 |
commit | 6e790552fe7a1f34e584160ceef051b6f66b7ce4 (patch) | |
tree | 11777a725d854e372ac7eac8e95140ca91c991c8 | |
parent | 5d4b0938d5c3ddad18c85c1f2a4c516d46bbf243 (diff) | |
download | afl++-6e790552fe7a1f34e584160ceef051b6f66b7ce4.tar.gz |
libdislocator, new option to name an anonymous address range.
For performance matters though, it is disabled by default.
m--------- | unicorn_mode/unicornafl | 0 | ||||
-rw-r--r-- | utils/libdislocator/Makefile | 3 | ||||
-rw-r--r-- | utils/libdislocator/README.md | 5 | ||||
-rw-r--r-- | utils/libdislocator/libdislocator.so.c | 18 |
4 files changed, 24 insertions, 2 deletions
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject d4915053d477dd827b3fe4b494173d3fbf9f456
+Subproject a44fa94488d01aba60401ccf81f8bebcce685bf
diff --git a/utils/libdislocator/Makefile b/utils/libdislocator/Makefile
index f0b4bb72..6bfb79ec 100644
--- a/utils/libdislocator/Makefile
+++ b/utils/libdislocator/Makefile
@@ -19,9 +19,10 @@ HELPER_PATH = $(PREFIX)/lib/afl
 VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2)
 CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2
-override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
+CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
 CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE)
+CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE)
 CFLAGS += $(CFLAGS_ADD)
 all: libdislocator.so
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index 68ac9143..e4934b5d 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -29,6 +29,9 @@ heap-related security bugs in several ways:
 - Optionally, in platforms supporting it, huge pages can be used by passing
 `USEHUGEPAGE=1` to make.
+ - Optionally, in platforms supporting it, `named` pages can be used by passing
+ `USENAMEDPAGE=1` to make.
+
 - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`.
 In this case, a tail canary is inserted in the padding bytes at the end of
 the allocated zone. This reduce the ability of libdislocator to detect
@@ -64,4 +67,4 @@ require AFL-instrumented binaries to work.
 Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or
 DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
 dynamically linked. Otherwise, attempting to use the library will have no
-effect.
\ No newline at end of file
+effect.
diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c
index 103da9d5..72fafa4b 100644
--- a/utils/libdislocator/libdislocator.so.c
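Review bot: Dropping `override` from the `-I ../../include/` line means a CFLAGS passed on the make command line (`make CFLAGS=...`) now replaces it entirely, so such a build loses the include path through which `config.h` is found as well as the `-DUSEHUGEPAGE`/`-DUSENAMEDPAGE` defines appended via `CFLAGS_ADD`. The likely motive is that GNU make ignores a plain `CFLAGS += $(CFLAGS_ADD)` once the variable has been set with `override`, so the feature defines presumably never reached the compiler before; the change that keeps both behaviours is to mark the append as override too: `override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` and `override CFLAGS += $(CFLAGS_ADD)`. The new `CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE)` line itself mirrors the existing USEHUGEPAGE substitution and reads fine.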
+++ b/utils/libdislocator/libdislocator.so.c
@@ -39,6 +39,7 @@
 #if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__)
 #include <unistd.h>
+ #include <sys/prctl.h>
 #ifdef __linux__
 #include <sys/syscall.h>
 #include <malloc.h>
@@ -66,6 +67,10 @@
 } while (0)
 #endif
+ #ifndef PR_SET_VMA
+ #define PR_SET_VMA 0x53564d41
+ #define PR_SET_VMA_ANON_NAME 0
+ #endif
 #endif
 #include "config.h"
@@ -251,6 +256,19 @@ static void *__dislocator_alloc(size_t len) {
 }
+#if defined(USENAMEDPAGE)
+#if defined(__linux__)
+ // in the /proc/<pid>/maps file, the anonymous page appears as
+ // `<start>-<end> ---p 00000000 00:00 0 [anon:libdislocator]`
+ if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME,
+ (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) {
+ DEBUGF("prctl() failed");
+ }
+#endif
+#endif
+
 /* Set PROT_NONE on the last page. */
 if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
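Review bot: `#include <sys/prctl.h>` is added inside the `#if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__)` block, so Haiku builds now pull in a header that is only needed by the `__linux__`-guarded `prctl()` call in the third hunk; moving the include one line down, under the existing `#ifdef __linux__`, keeps the Haiku build unaffected. The `#ifndef PR_SET_VMA` fallback in the second hunk sits at the same level and could move under that `#ifdef __linux__` for the same reason, since those constants only have meaning for the Linux prctl. When the running kernel does not support anonymous-VMA naming the call will presumably fail on every allocation, so the `DEBUGF("prctl() failed")` in the third hunk fires once per allocation whenever `USENAMEDPAGE` is on; a comment next to it such as `// PR_SET_VMA_ANON_NAME needs kernel support; failure is non-fatal` would make that expected noise explicit. The body of `__dislocator_alloc` in that hunk continues outside this chunk.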