diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-03-06 16:43:18 +0100 |
|---|---|---|
| committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-03-06 16:43:18 +0100 |
| commit | 1d4a3c87f5473c218e047a9ff949bcbc3460763e (patch) | |
| tree | ddd8f0116b25d23647eb2877934923ee37b9e607 /qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | |
| parent | 6e8f249b20622f2a3cd230a25252b563fbb65a49 (diff) | |
| download | afl++-1d4a3c87f5473c218e047a9ff949bcbc3460763e.tar.gz | |
cmplog routines instrumentation for qemu mode on x86
Diffstat (limited to 'qemu_mode/patches/afl-qemu-tcg-runtime-inl.h')
| -rw-r--r-- | qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h index 2bb0ac9e..9cdba901 100644 --- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h @@ -158,3 +158,62 @@ void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1, } +#include <sys/mman.h> + +static int area_is_mapped(void* ptr, size_t len) { + + char* p = ptr; + char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1)); + + int r = msync(page, (p - page) + len, MS_ASYNC); + if (r < 0) return errno != ENOMEM; + return 1; + +} + +void HELPER(afl_cmplog_rtn)(CPUX86State *env) { + +#if defined(TARGET_X86_64) + + void* ptr1 = g2h(env->regs[R_EDI]); + void* ptr2 = g2h(env->regs[R_ESI]); + +#elif defined(TARGET_I386) + + target_ulong* stack = g2h(env->regs[R_ESP]); + + if (!area_is_mapped(stack, sizeof(target_ulong)*2)) return; + + // when this hook is executed, the retaddr is not on stack yet + void* ptr1 = g2h(stack[0]); + void* ptr2 = g2h(stack[1]); + +#else + + // dumb code to make it compile + void* ptr1 = NULL; + void* ptr2 = NULL; + return; + +#endif + + if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return; + + uintptr_t k = (uintptr_t)env->eip; + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 31; + + hits &= CMP_MAP_RTN_H - 1; + __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0, + ptr1, 32); + __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1, + ptr2, 32); + +} |