authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-11-11 14:36:06 +0100
committerGitHub <noreply@github.com>2019-11-11 14:36:06 +0100
commit659db7e421b47da4b04110a141d9c20307f74ecc (patch)
tree18f9c38cc5270adcf445a62b974712cead4a01c4 /libtokencap
parentcd84339bccc104a51a5da614a9f82cc4ae615cce (diff)
parent01d55372441960c435af8f3bd6b61d1302042728 (diff)
downloadafl++-659db7e421b47da4b04110a141d9c20307f74ecc.tar.gz
Merge branch 'master' into radamsa
Diffstat (limited to 'libtokencap')
-rw-r--r--libtokencap/Makefile16
-rw-r--r--libtokencap/README.tokencap.md (renamed from libtokencap/README.md)13
-rw-r--r--libtokencap/libtokencap.so.c180
3 files changed, 185 insertions, 24 deletions
diff --git a/libtokencap/Makefile b/libtokencap/Makefile
index 3fd01b2c..6e1319d8 100644
--- a/libtokencap/Makefile
+++ b/libtokencap/Makefile
@@ -2,7 +2,7 @@
 # american fuzzy lop - libtokencap
 # --------------------------------
 #
-# Written by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
@@ -24,6 +24,18 @@ CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
 ifeq "$(shell uname)" "Linux"
   TARGETS = libtokencap.so
 endif
+ifeq "$(shell uname)" "Darwin"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "FreeBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "OpenBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "NetBSD"
+  TARGETS = libtokencap.so
+endif
 all: $(TARGETS)
 
 libtokencap.so: libtokencap.so.c ../config.h
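Review bot: The five `ifeq "$(shell uname)" ...` blocks added here all assign the same `TARGETS = libtokencap.so`, so each new platform means copying another three lines and `uname` is invoked five times per make run. A single membership test keeps the list in one place: `ifneq (,$(filter Linux Darwin FreeBSD OpenBSD NetBSD,$(shell uname)))` / `  TARGETS = libtokencap.so` / `endif`. Behaviour is the same on every listed OS and the list now matches the `#if` guard in libtokencap.so.c in one obvious spot.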
@@ -37,5 +49,5 @@ clean:
 
 install: all
 	install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH)
-	install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH)
+	install -m 644 README.tokencap.md $${DESTDIR}$(HELPER_PATH)
 
diff --git a/libtokencap/README.md b/libtokencap/README.tokencap.md
index baf69da1..8aae38bf 100644
--- a/libtokencap/README.md
+++ b/libtokencap/README.tokencap.md
@@ -2,7 +2,7 @@
 
   (See ../docs/README for the general instruction manual.)
 
-This Linux-only companion library allows you to instrument `strcmp()`, `memcmp()`,
+This companion library allows you to instrument `strcmp()`, `memcmp()`,
 and related functions to automatically extract syntax tokens passed to any of
 these libcalls. The resulting list of tokens may be then given as a starting
 dictionary to afl-fuzz (the -x option) to improve coverage on subsequent
@@ -55,9 +55,10 @@ If you don't get any results, the target library is probably not using strcmp()
 and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or
 the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect.
 
-PS. The library is Linux-only because there is probably no particularly portable
-and non-invasive way to distinguish between read-only and read-write memory
-mappings. The `__tokencap_load_mappings()` function is the only thing that would
-need to be changed for other OSes. Porting to platforms with /proc/<pid>/maps
-(e.g., FreeBSD) should be trivial.
+Portability hints: There is probably no particularly portable and non-invasive
+way to distinguish between read-only and read-write memory mappings.
+The `__tokencap_load_mappings()` function is the only thing that would
+need to be changed for other OSes.
+
+Current supported OSes are: Linux, Darwin, FreeBSD (thanks to @devnexen)
 
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index 17b6190c..467be05b 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -3,7 +3,7 @@
    american fuzzy lop - extract tokens passed to strcmp / memcmp
    -------------------------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2016 Google Inc. All rights reserved.
 
@@ -15,20 +15,32 @@
 
    This Linux-only companion library allows you to instrument strcmp(),
    memcmp(), and related functions to automatically extract tokens.
-   See README.tokencap for more info.
+   See README.tokencap.md for more info.
 
  */
 
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 #include "../types.h"
 #include "../config.h"
 
-#ifndef __linux__
-#error "Sorry, this library is Linux-specific for now!"
-#endif                                                        /* !__linux__ */
+#if !defined __linux__  && !defined __APPLE__  && !defined __FreeBSD__ && !defined __OpenBSD__ && !defined __NetBSD__
+# error "Sorry, this library is unsupported in this platform for now!"
+#endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && !__NetBSD__*/
+
+#if defined __APPLE__
+# include <mach/vm_map.h>
+# include <mach/mach_init.h>
+#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
+# include <sys/types.h>
+# include <sys/sysctl.h>
+# include <sys/user.h>
+# include <sys/mman.h>
+#endif
 
 /* Mapping data and such */
 
@@ -38,7 +50,8 @@ static struct mapping { void *st, *en; } __tokencap_ro[MAX_MAPPINGS];
 
 static u32   __tokencap_ro_cnt;
 static u8    __tokencap_ro_loaded;
-static FILE* __tokencap_out_file;
+static int __tokencap_out_file = -1;
+static pid_t __tokencap_pid = -1;
 
 /* Identify read-only regions in memory. Only parameters that fall into these
    ranges are worth dumping when passed to strcmp() and so on. Read-write
@@ -46,6 +59,8 @@ static FILE* __tokencap_out_file;
 
 static void __tokencap_load_mappings(void) {
 
+#if defined __linux__
+
   u8    buf[MAX_LINE];
   FILE* f = fopen("/proc/self/maps", "r");
 
@@ -70,6 +85,106 @@ static void __tokencap_load_mappings(void) {
 
   fclose(f);
 
+#elif defined __APPLE__
+
+  struct vm_region_submap_info_64 region;
+  mach_msg_type_number_t cnt = VM_REGION_SUBMAP_INFO_COUNT_64;
+  vm_address_t base = 0;
+  vm_size_t size = 0;
+  natural_t depth = 0;
+
+  __tokencap_ro_loaded = 1;
+
+  while (1) {
+
+    if (vm_region_recurse_64(mach_task_self(), &base, &size, &depth,
+       (vm_region_info_64_t)&region, &cnt) != KERN_SUCCESS) break;
+
+    if (region.is_submap) {
+       depth++;
+    } else {
+       /* We only care of main map addresses and the read only kinds */
+       if ((region.protection & VM_PROT_READ) && !(region.protection & VM_PROT_WRITE)) {
+          __tokencap_ro[__tokencap_ro_cnt].st = (void *)base;
+          __tokencap_ro[__tokencap_ro_cnt].en = (void *)(base + size);
+
+	  if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
+       }
+    }
+  }
+
+#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
+
+#if defined __FreeBSD__
+  int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid};
+#elif defined __OpenBSD__
+  int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid};
+#elif defined __NetBSD__
+  int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)};
+#endif
+  char *buf, *low, *high;
+  size_t miblen = sizeof(mib)/sizeof(mib[0]);
+  size_t len;
+
+  if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return;
+
+#if defined __FreeBSD__ || defined __NetBSD__
+  len = len * 4 / 3;
+#elif defined __OpenBSD__
+  len -= len % sizeof(struct kinfo_vmentry);
+#endif
+
+  buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
+  if (buf == MAP_FAILED) return;
+
+  if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {
+
+     munmap(buf, len);
+     return;
+
+  }
+
+  low = buf;
+  high = low + len;
+
+  __tokencap_ro_loaded = 1;
+
+  while (low < high) {
+     struct kinfo_vmentry *region = (struct kinfo_vmentry *)low;
+
+#if defined __FreeBSD__ || defined __NetBSD__
+
+#if defined __FreeBSD__
+     size_t size = region->kve_structsize;
+
+     if (size == 0) break;
+#elif defined __NetBSD__
+     size_t size = sizeof (*region);
+#endif
+
+     /* We go through the whole mapping of the process and track read-only addresses */
+     if ((region->kve_protection & KVME_PROT_READ) &&
+	 !(region->kve_protection & KVME_PROT_WRITE)) {
+
+#elif defined __OpenBSD__
+
+     size_t size = sizeof (*region);
+
+     /* We go through the whole mapping of the process and track read-only addresses */
+     if ((region->kve_protection & KVE_PROT_READ) &&
+	 !(region->kve_protection & KVE_PROT_WRITE)) {
+#endif
+          __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start;
+          __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end;
+
+	  if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
+     }
+
+     low += size;
+  }
+
+  munmap(buf, len);
+#endif
 }
 
 /* Check an address against the list of read-only mappings. */
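Review bot: In the `__APPLE__` branch the `while (1)` loop never advances `base` after a non-submap region is handled, and `vm_region_recurse_64()` returns the address of the region it found in `base` rather than the address after it; as far as I can tell from the call, every iteration after the first will therefore report the same region again until `__tokencap_ro_cnt` hits `MAX_MAPPINGS` (or forever, if that region is not read-only). Adding `base += size;` at the end of the `else` branch walks the map as intended; `cnt` is an in/out parameter too, so resetting it to `VM_REGION_SUBMAP_INFO_COUNT_64` at the top of each iteration is safer than letting the previous call's output feed the next one. On the BSD side, `region->kve_structsize` (FreeBSD) is read through a cast of `low` before anything checks that a whole header still fits below `high`; a guard like `if ((size_t)(high - low) < sizeof *region) break;` at the top of the loop, and `if (low + size > high) break;` after computing `size`, keeps a truncated sysctl result from being read past the mapped buffer. The enclosing `__tokencap_load_mappings()` starts in an earlier hunk.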
@@ -96,7 +211,7 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
   u32 i;
   u32 pos = 0;
 
-  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
+  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || __tokencap_out_file == -1)
     return;
 
   for (i = 0; i < len; i++) {
@@ -122,7 +237,9 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
 
   buf[pos] = 0;
 
-  fprintf(__tokencap_out_file, "\"%s\"\n", buf);
+  int wrt_ok = (  1 == write(__tokencap_out_file, "\"", 1));
+  wrt_ok    &= (pos == write(__tokencap_out_file, buf, pos));
+  wrt_ok    &= (2   == write(__tokencap_out_file, "\"\n", 2));
 
 }
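Review bot: `wrt_ok` is computed from the three `write()` results but never read, so a short or failed write is silently dropped and `-Wall` (already in CFLAGS) will warn about a set-but-unused variable; either act on it or do not compute it. Replacing the single buffered `fprintf()` with three separate `write()` calls also means the opening quote, the token and the closing `"\n` are three independent appends: if more than one process (e.g. forked fuzz targets sharing the inherited `O_APPEND` descriptor) dumps at the same time, the pieces can interleave and corrupt the dictionary. I would assemble the quoted line into one buffer and issue a single `write()`, checking its return value; `buf` is declared outside this hunk so I cannot quote the exact sizing, but it needs room for the two quotes and the newline beyond `pos`. Comparing `pos` (a `u32`) with the `ssize_t` returned by `write()` is also a signed/unsigned comparison worth making explicit.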
 
@@ -138,7 +255,7 @@ int strcmp(const char* str1, const char* str2) {
 
   while (1) {
 
-    unsigned char c1 = *str1, c2 = *str2;
+    const unsigned char c1 = *str1, c2 = *str2;
 
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
     if (!c1) return 0;
@@ -180,7 +297,7 @@ int strcasecmp(const char* str1, const char* str2) {
 
   while (1) {
 
-    unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+    const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
 
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
     if (!c1) return 0;
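Review bot: `tolower(*str1)` passes a plain `char` to a `<ctype.h>` function; on platforms where `char` is signed, any byte above 0x7F becomes a negative argument, which is undefined behaviour for `tolower()` and a classic source of table-lookup crashes in exactly the non-ASCII inputs a fuzzer produces. The same pattern is in the `strncasecmp` hunk below. Cast first: `const unsigned char c1 = tolower((unsigned char)*str1), c2 = tolower((unsigned char)*str2);`. The enclosing `strcasecmp()` body starts and ends outside this hunk.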
@@ -200,7 +317,7 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
 
   while (len--) {
 
-    unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+    const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
 
     if (!c1) return 0;
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
@@ -220,12 +337,15 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
   if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
   if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
 
+  const char *strmem1 = (const char *)mem1;
+  const char *strmem2 = (const char *)mem2;
+
   while (len--) {
 
-    unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
+    const unsigned char c1 = *strmem1, c2 = *strmem2;
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
-    mem1++;
-    mem2++;
+    strmem1++;
+    strmem2++;
 
   }
 
@@ -233,6 +353,28 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
 
 }
 
+#undef bcmp
+
+int bcmp(const void* mem1, const void* mem2, size_t len) {
+
+  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
+  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
+
+  const char *strmem1 = (const char *)mem1;
+  const char *strmem2 = (const char *)mem2;
+
+  while (len--) {
+
+    int diff = *strmem1 ^ *strmem2;
+    if (diff != 0) return 1;
+    strmem1++;
+    strmem2++;
+
+  }
+
+  return 0;
+}
+
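Review bot: The new `bcmp()` repeats the whole `memcmp()` body (both dump calls, the pointer casts and the byte loop) only to collapse the result to 0/1; `return memcmp(mem1, mem2, len) != 0;` would keep the token capture and the comparison in one place, since the interposed `memcmp` above is the one that gets called. If the duplication is deliberate (to keep `bcmp` independent of whether `memcmp` is also replaced), a short comment saying so, e.g. `/* kept separate from memcmp() so each hook works on its own */`, would stop the next reader from folding them. The `int diff = *strmem1 ^ *strmem2;` form is fine, but a comment that `bcmp` only needs equality, not ordering, explains why it differs from the loop in `memcmp`.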
 #undef strstr
 
 char* strstr(const char* haystack, const char* needle) {
@@ -288,8 +430,14 @@ char* strcasestr(const char* haystack, const char* needle) {
 __attribute__((constructor)) void __tokencap_init(void) {
 
   u8* fn = getenv("AFL_TOKEN_FILE");
-  if (fn) __tokencap_out_file = fopen(fn, "a");
-  if (!__tokencap_out_file) __tokencap_out_file = stderr;
+  if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655);
+  if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
+  __tokencap_pid = getpid();
+
+}
 
+/* closing as best as we can the tokens file */
+__attribute__((destructor)) void __tokencap_shutdown(void) {
+  if (__tokencap_out_file != STDERR_FILENO) close(__tokencap_out_file);
 }
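Review bot: The `open()` call in `__tokencap_init()` creates the token file with mode `0655`, which sets the execute bit for group and others on a plain text dictionary; this looks like a typo for `0644`, and the descriptor is only ever written so `O_WRONLY` is the honest flag: `if (fn) __tokencap_out_file = open(fn, O_WRONLY | O_CREAT | O_APPEND, 0644);`. `__tokencap_pid` is captured once in the constructor; if the target later calls `fork()` (as fuzzing harnesses commonly do) the child keeps the parent's pid, and the BSD `sysctl` path in `__tokencap_load_mappings()` would then walk the parent's map — presumably harmless right after fork, but worth a comment or a `getpid()` at load time rather than at init. The destructor's comment would read better as `/* Close the token file if we opened one (stderr is left alone). */`.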