Merge pull request #1404 from AFLplusplus/dev

push to stable
author: van Hauser <vh@thc.org> 2022-05-16 12:34:38 +0200
committer: GitHub <noreply@github.com> 2022-05-16 12:34:38 +0200
commit: a2eb1f14126cffd046c44d5e87e945ed2699cec5 (patch)
tree: 2eecf55a92eec04e67aa3a9d9bec8e5f50659de6 /frida_mode/src
parent: c7bb0a9638a8929a5b664f16032c23a55a84be70 (diff)
parent: c08eeb95ca78625cf3f8a96bd04320c57c50d0f1 (diff)
download: afl++-a2eb1f14126cffd046c44d5e87e945ed2699cec5.tar.gz
6 files changed, 114 insertions, 5 deletions
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index 2bc8f8aa..fab9eee2 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -157,11 +157,13 @@ static gboolean instrument_is_deterministic(const cs_insn *from_insn) {
 }
 
 static void instrument_coverage_switch(GumStalkerObserver *self,
+                                       gpointer            from_address,
                                        gpointer            start_address,
                                        const cs_insn *     from_insn,
                                        gpointer *          target) {
 
   UNUSED_PARAMETER(self);
+  UNUSED_PARAMETER(from_address);
   UNUSED_PARAMETER(start_address);
 
   gsize fixup_offset;
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index f02c971e..a764b054 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -172,12 +172,13 @@ void instrument_coverage_optimize_init(void) {
 }
 
 static void instrument_coverage_switch(GumStalkerObserver *self,
+                                       gpointer            from_address,
                                        gpointer            start_address,
                                        const cs_insn *     from_insn,
                                        gpointer *          target) {
 
   UNUSED_PARAMETER(self);
-  UNUSED_PARAMETER(start_address);
+  UNUSED_PARAMETER(from_address);
 
   cs_x86 *   x86;
   cs_x86_op *op;
diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c
index 6a899248..1baa98ca 100644
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@@ -84,11 +84,13 @@ gboolean instrument_is_coverage_optimize_supported(void) {
 }
 
 static void instrument_coverage_switch(GumStalkerObserver *self,
+                                       gpointer            from_address,
                                        gpointer            start_address,
                                        const cs_insn *     from_insn,
                                        gpointer *          target) {
 
   UNUSED_PARAMETER(self);
+  UNUSED_PARAMETER(from_address);
   UNUSED_PARAMETER(start_address);
 
   cs_x86 *   x86;
diff --git a/frida_mode/src/module.c b/frida_mode/src/module.c
index 65b394cd..60e69fec 100644
--- a/frida_mode/src/module.c
+++ b/frida_mode/src/module.c
@@ -42,7 +42,7 @@ gboolean found_range(const GumRangeDetails *details, gpointer user_data) {
 
 }
 
-#if defined(__linux__)
+#if defined(__linux__) && !defined(__ANDROID__)
 static int on_dlclose(void *handle) {
 
   GArray *         ranges = NULL;
@@ -95,7 +95,7 @@ void module_init(void) {
 
   FOKF(cBLU "Module" cRST " - " cYEL " [%c]", handle_dlclose ? 'X' : ' ');
 
-#if defined(__linux__)
+#if defined(__linux__) && !defined(__ANDROID__)
   if (!handle_dlclose) { return; }
 
   page_size = gum_query_page_size();
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c
index fa0288cc..59bfecc2 100644
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@@ -32,6 +32,8 @@ gboolean prefetch_backpatch = TRUE;
 static prefetch_data_t *prefetch_data = NULL;
 static int              prefetch_shm_id = -1;
 
+static GHashTable *cant_prefetch = NULL;
+
 static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self,
                                                const GumBackpatch *backpatch,
                                                gsize               size) {
@@ -40,6 +42,18 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self,
   if (!entry_run) { return; }
   gsize remaining =
       sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size;
+
+  gpointer from = gum_stalker_backpatch_get_from(backpatch);
+  gpointer to = gum_stalker_backpatch_get_to(backpatch);
+
+  /* Stop reporting patches which can't be prefetched */
+  if (g_hash_table_contains(cant_prefetch, GSIZE_TO_POINTER(from)) ||
+      g_hash_table_contains(cant_prefetch, GSIZE_TO_POINTER(to))) {
+
+    return;
+
+  }
+
   if (sizeof(gsize) + size > remaining) { return; }
 
   gsize *dst_backpatch_size =
@@ -68,6 +82,9 @@ void prefetch_write(void *addr) {
   /* Bail if we aren't initialized */
   if (prefetch_data == NULL) return;
 
+  /* Stop reporting blocks which can't be prefetched */
+  if (g_hash_table_contains(cant_prefetch, GSIZE_TO_POINTER(addr))) { return; }
+
   /*
    * Our shared memory IPC is large enough for about 1000 entries, we can fine
    * tune this if we need to. But if we have more new blocks that this in a
@@ -84,6 +101,38 @@ void prefetch_write(void *addr) {
 
 }
 
+typedef struct {
+
+  GumAddress address;
+  gboolean   executable;
+
+} check_executable_t;
+
+static gboolean prefetch_find_executable(const GumRangeDetails *details,
+                                         gpointer               user_data) {
+
+  check_executable_t *ctx = (check_executable_t *)user_data;
+  if (GUM_MEMORY_RANGE_INCLUDES(details->range, ctx->address)) {
+
+    ctx->executable = TRUE;
+    return FALSE;
+
+  }
+
+  return TRUE;
+
+}
+
+static gboolean prefetch_is_executable(void *address) {
+
+  check_executable_t ctx = {.address = GUM_ADDRESS(address),
+                            .executable = FALSE};
+  gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, prefetch_find_executable,
+                               &ctx);
+  return ctx.executable;
+
+}
+
 static void prefetch_read_blocks(void) {
 
   GumStalker *stalker = stalker_get();
@@ -92,7 +141,24 @@ static void prefetch_read_blocks(void) {
   for (size_t i = 0; i < prefetch_data->count; i++) {
 
     void *addr = prefetch_data->entry[i];
-    gum_stalker_prefetch(stalker, addr, 1);
+
+    if (prefetch_is_executable(addr)) {
+
+      gum_stalker_prefetch(stalker, addr, 1);
+
+    } else {
+
+      /*
+       * If our child process creates a new executable mapping, e.g. by
+       * dynamically loading a new DSO, then this won't appear in our parent
+       * process' memory map and hence we can't prefetch it. Add it to a
+       * hashtable which the child will inherit on the next fork to prevent the
+       * child from keep reporting it and exhausting the shared memory buffers
+       * used to pass new blocks from the child back to the parent.
+       */
+      g_hash_table_add(cant_prefetch, GSIZE_TO_POINTER(addr));
+
+    }
 
   }
 
@@ -125,7 +191,36 @@ static void prefetch_read_patches(void) {
     }
 
     backpatch = (GumBackpatch *)&prefetch_data->backpatch_data[offset];
-    gum_stalker_prefetch_backpatch(stalker, backpatch);
+
+    gpointer from = gum_stalker_backpatch_get_from(backpatch);
+    gpointer to = gum_stalker_backpatch_get_to(backpatch);
+
+    /*
+     * If our child process creates a new executable mapping, e.g. by
+     * dynamically loading a new DSO, then this won't appear in our parent
+     * process' memory map and hence we can't prefetch it. Add it to a
+     * hashtable which the child will inherit on the next fork to prevent the
+     * child from keep reporting it and exhausting the shared memory buffers
+     * used to pass new blocks from the child back to the parent.
+     */
+    if (!prefetch_is_executable(from)) {
+
+      g_hash_table_add(cant_prefetch, GSIZE_TO_POINTER(from));
+
+    }
+
+    if (!prefetch_is_executable(to)) {
+
+      g_hash_table_add(cant_prefetch, GSIZE_TO_POINTER(to));
+
+    }
+
+    if (prefetch_is_executable(from) && prefetch_is_executable(to)) {
+
+      gum_stalker_prefetch_backpatch(stalker, backpatch);
+
+    }
+
     offset += size;
 
   }
@@ -215,6 +310,13 @@ void prefetch_init(void) {
 
   prefetch_hook_fork();
 
+  cant_prefetch = g_hash_table_new(g_direct_hash, g_direct_equal);
+  if (cant_prefetch == NULL) {
+
+    FFATAL("Failed to g_hash_table_new, errno: %d", errno);
+
+  }
+
   if (!prefetch_backpatch) { return; }
 
   GumStalkerObserver *         observer = stalker_get_observer();
diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c
index 80e4e707..ddc17b81 100644
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@@ -131,6 +131,8 @@ void stalker_init(void) {
 
   }
 
+  gum_stalker_activate_experimental_unwind_support();
+
 #if defined(__x86_64__) || defined(__i386__)
   stalker = g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries,
                          "adjacent-blocks", stalker_adjacent_blocks, NULL);
author	van Hauser <vh@thc.org>	2022-05-16 12:34:38 +0200
committer	GitHub <noreply@github.com>	2022-05-16 12:34:38 +0200
commit	a2eb1f14126cffd046c44d5e87e945ed2699cec5 (patch)
tree	2eecf55a92eec04e67aa3a9d9bec8e5f50659de6 /frida_mode/src
parent	c7bb0a9638a8929a5b664f16032c23a55a84be70 (diff)
parent	c08eeb95ca78625cf3f8a96bd04320c57c50d0f1 (diff)
download	afl++-a2eb1f14126cffd046c44d5e87e945ed2699cec5.tar.gz