authorhexcoder- <heiko@hexco.de>2020-02-19 02:13:50 +0100
committerhexcoder- <heiko@hexco.de>2020-02-19 02:13:50 +0100
commit3beee6da772f88f1bd7987b4b2e7c56a53ec3270 (patch)
tree2e9cbb09322c058bd2d48831062bc3cec298663d /qemu_mode
parent16a7e4ae681c45aadbba15bd32e7e1b5aeba2226 (diff)
parentdef4ad645c0ab450f8502e16117ecc50dcc2f41a (diff)
Merge branch 'master' of https://github.com/vanhauser-thc/AFLplusplus
Diffstat (limited to 'qemu_mode')
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-translate-inl.h118
-rw-r--r--qemu_mode/patches/afl-qemu-tcg-runtime-inl.h160
-rw-r--r--qemu_mode/patches/tcg-runtime.diff20
3 files changed, 163 insertions, 135 deletions
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index eefe62b2..04cf2e66 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -41,124 +41,6 @@
 #define _DEFAULT_MO MO_32
 #endif
 
-void HELPER(afl_compcov_16)(target_ulong cur_loc, target_ulong arg1,
-                            target_ulong arg2) {
-
-  register uintptr_t idx = cur_loc;
-
-  if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }
-
-}
-
-void HELPER(afl_compcov_32)(target_ulong cur_loc, target_ulong arg1,
-                            target_ulong arg2) {
-
-  register uintptr_t idx = cur_loc;
-
-  if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) {
-
-    INC_AFL_AREA(idx + 2);
-    if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) {
-
-      INC_AFL_AREA(idx + 1);
-      if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }
-
-    }
-
-  }
-
-}
-
-void HELPER(afl_compcov_64)(target_ulong cur_loc, target_ulong arg1,
-                            target_ulong arg2) {
-
-  register uintptr_t idx = cur_loc;
-
-  if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) {
-
-    INC_AFL_AREA(idx + 6);
-    if ((arg1 & 0xff000000000000) == (arg2 & 0xff000000000000)) {
-
-      INC_AFL_AREA(idx + 5);
-      if ((arg1 & 0xff0000000000) == (arg2 & 0xff0000000000)) {
-
-        INC_AFL_AREA(idx + 4);
-        if ((arg1 & 0xff00000000) == (arg2 & 0xff00000000)) {
-
-          INC_AFL_AREA(idx + 3);
-          if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) {
-
-            INC_AFL_AREA(idx + 2);
-            if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) {
-
-              INC_AFL_AREA(idx + 1);
-              if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }
-
-            }
-
-          }
-
-        }
-
-      }
-
-    }
-
-  }
-
-}
-
-void HELPER(afl_cmplog_16)(target_ulong cur_loc, target_ulong arg1,
-                           target_ulong arg2) {
-
-  register uintptr_t k = (uintptr_t)cur_loc;
-
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
-  // if (!__afl_cmp_map->headers[k].cnt)
-  //  __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++;
-
-  __afl_cmp_map->headers[k].shape = 1;
-  //__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
-
-  hits &= CMP_MAP_H - 1;
-  __afl_cmp_map->log[k][hits].v0 = arg1;
-  __afl_cmp_map->log[k][hits].v1 = arg2;
-
-}
-
-void HELPER(afl_cmplog_32)(target_ulong cur_loc, target_ulong arg1,
-                           target_ulong arg2) {
-
-  register uintptr_t k = (uintptr_t)cur_loc;
-
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
-
-  __afl_cmp_map->headers[k].shape = 3;
-
-  hits &= CMP_MAP_H - 1;
-  __afl_cmp_map->log[k][hits].v0 = arg1;
-  __afl_cmp_map->log[k][hits].v1 = arg2;
-
-}
-
-void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1,
-                           target_ulong arg2) {
-
-  register uintptr_t k = (uintptr_t)cur_loc;
-
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
-
-  __afl_cmp_map->headers[k].shape = 7;
-
-  hits &= CMP_MAP_H - 1;
-  __afl_cmp_map->log[k][hits].v0 = arg1;
-  __afl_cmp_map->log[k][hits].v1 = arg2;
-
-}
-
 static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
                             TCGMemOp ot, int is_imm) {
 
diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
new file mode 100644
index 00000000..6339d41c
--- /dev/null
+++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
@@ -0,0 +1,160 @@
+/*
+   american fuzzy lop++ - high-performance binary-only instrumentation
+   -------------------------------------------------------------------
+
+   Originally written by Andrew Griffiths <agriffiths@google.com> and
+                         Michal Zalewski
+
+   TCG instrumentation and block chaining support by Andrea Biondo
+                                      <andrea.biondo965@gmail.com>
+
+   QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero
+   counters by Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This code is a shim patched into the separately-distributed source
+   code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality
+   to implement AFL-style instrumentation and to take care of the remaining
+   parts of the AFL fork server logic.
+
+   The resulting QEMU binary is essentially a standalone instrumentation
+   tool; for an example of how to leverage it for other purposes, you can
+   have a look at afl-showmap.c.
+
+ */
+
+#include "afl-qemu-common.h"
+#include "tcg.h"
+
+void HELPER(afl_entry_routine)(CPUArchState *env) {
+  
+  afl_forkserver(ENV_GET_CPU(env));
+  
+}
+
+void HELPER(afl_compcov_16)(target_ulong cur_loc, target_ulong arg1,
+                            target_ulong arg2) {
+
+  register uintptr_t idx = cur_loc;
+
+  if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }
+
+}
+
+void HELPER(afl_compcov_32)(target_ulong cur_loc, target_ulong arg1,
+                            target_ulong arg2) {
+
+  register uintptr_t idx = cur_loc;
+
+  if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) {
+
+    INC_AFL_AREA(idx + 2);
+    if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) {
+
+      INC_AFL_AREA(idx + 1);
+      if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }
+
+    }
+
+  }
+
+}
+
+void HELPER(afl_compcov_64)(target_ulong cur_loc, target_ulong arg1,
+                            target_ulong arg2) {
+
+  register uintptr_t idx = cur_loc;
+
+  if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) {
+
+    INC_AFL_AREA(idx + 6);
+    if ((arg1 & 0xff000000000000) == (arg2 & 0xff000000000000)) {
+
+      INC_AFL_AREA(idx + 5);
+      if ((arg1 & 0xff0000000000) == (arg2 & 0xff0000000000)) {
+
+        INC_AFL_AREA(idx + 4);
+        if ((arg1 & 0xff00000000) == (arg2 & 0xff00000000)) {
+
+          INC_AFL_AREA(idx + 3);
+          if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) {
+
+            INC_AFL_AREA(idx + 2);
+            if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) {
+
+              INC_AFL_AREA(idx + 1);
+              if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }
+
+            }
+
+          }
+
+        }
+
+      }
+
+    }
+
+  }
+
+}
+
+void HELPER(afl_cmplog_16)(target_ulong cur_loc, target_ulong arg1,
+                           target_ulong arg2) {
+
+  register uintptr_t k = (uintptr_t)cur_loc;
+
+  u32 hits = __afl_cmp_map->headers[k].hits;
+  __afl_cmp_map->headers[k].hits = hits + 1;
+  // if (!__afl_cmp_map->headers[k].cnt)
+  //  __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++;
+
+  __afl_cmp_map->headers[k].shape = 1;
+  //__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+
+  hits &= CMP_MAP_H - 1;
+  __afl_cmp_map->log[k][hits].v0 = arg1;
+  __afl_cmp_map->log[k][hits].v1 = arg2;
+
+}
+
+void HELPER(afl_cmplog_32)(target_ulong cur_loc, target_ulong arg1,
+                           target_ulong arg2) {
+
+  register uintptr_t k = (uintptr_t)cur_loc;
+
+  u32 hits = __afl_cmp_map->headers[k].hits;
+  __afl_cmp_map->headers[k].hits = hits + 1;
+
+  __afl_cmp_map->headers[k].shape = 3;
+
+  hits &= CMP_MAP_H - 1;
+  __afl_cmp_map->log[k][hits].v0 = arg1;
+  __afl_cmp_map->log[k][hits].v1 = arg2;
+
+}
+
+void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1,
+                           target_ulong arg2) {
+
+  register uintptr_t k = (uintptr_t)cur_loc;
+
+  u32 hits = __afl_cmp_map->headers[k].hits;
+  __afl_cmp_map->headers[k].hits = hits + 1;
+
+  __afl_cmp_map->headers[k].shape = 7;
+
+  hits &= CMP_MAP_H - 1;
+  __afl_cmp_map->log[k][hits].v0 = arg1;
+  __afl_cmp_map->log[k][hits].v1 = arg2;
+
+}
+
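Review bot: The three `afl_cmplog_*` helpers (afl_cmplog_16 onward in this hunk) index `__afl_cmp_map->headers[k]` and `__afl_cmp_map->log[k]` with `k` taken straight from `cur_loc`, and nothing in this file bounds it; the translator-side caller lives in afl-qemu-cpu-translate-inl.h, so if it does not already mask `cur_loc` to the header count, a large value is an out-of-bounds write into the shared cmplog map. The `hits &= CMP_MAP_H - 1` ring index is only correct when `CMP_MAP_H` is a power of two, which is worth stating next to the expression. The three bodies are otherwise identical except for the `shape` value (1, 3, 7), so a single `static inline` recorder removes the triplication and gives one place for the bound/mask comment; the stale commented-out `cnt`/`type` lines in afl_cmplog_16 should be dropped or turned into an explicit TODO.
```c
/* Shared body of the afl_cmplog_* helpers: records one operand pair for the
   comparison at cur_loc, ring-buffered over CMP_MAP_H entries.
   NOTE(review): assumes CMP_MAP_H is a power of two and that the caller has
   already masked cur_loc to the headers[] range — confirm in the translator. */
static inline void afl_cmplog_record(target_ulong cur_loc, u32 shape,
                                     target_ulong arg1, target_ulong arg2) {

  uintptr_t k = (uintptr_t)cur_loc;
  u32       hits = __afl_cmp_map->headers[k].hits;

  __afl_cmp_map->headers[k].hits = hits + 1;
  __afl_cmp_map->headers[k].shape = shape;

  hits &= CMP_MAP_H - 1;
  __afl_cmp_map->log[k][hits].v0 = arg1;
  __afl_cmp_map->log[k][hits].v1 = arg2;

}

void HELPER(afl_cmplog_16)(target_ulong cur_loc, target_ulong arg1,
                           target_ulong arg2) {

  afl_cmplog_record(cur_loc, 1, arg1, arg2);

}
/* … unchanged: afl_cmplog_32 / afl_cmplog_64 call afl_cmplog_record with shape 3 / 7 … */
```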
diff --git a/qemu_mode/patches/tcg-runtime.diff b/qemu_mode/patches/tcg-runtime.diff
index 54a62ba8..15456320 100644
--- a/qemu_mode/patches/tcg-runtime.diff
+++ b/qemu_mode/patches/tcg-runtime.diff
@@ -1,24 +1,10 @@
 diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c
-index d0d44844..46154af1 100644
+index d0d44844..009ef15a 100644
 --- a/accel/tcg/tcg-runtime.c
 +++ b/accel/tcg/tcg-runtime.c
-@@ -31,6 +31,8 @@
- #include "disas/disas.h"
- #include "exec/log.h"
- 
-+#include "../../../patches/afl-qemu-common.h"
-+
- /* 32-bit helpers */
- 
- int32_t HELPER(div_i32)(int32_t arg1, int32_t arg2)
-@@ -167,3 +169,10 @@ void HELPER(exit_atomic)(CPUArchState *env)
+@@ -167,3 +167,5 @@ void HELPER(exit_atomic)(CPUArchState *env)
  {
      cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC());
  }
 +
-+
-+void HELPER(afl_entry_routine)(CPUArchState *env) {
-+  
-+  afl_forkserver(ENV_GET_CPU(env));
-+  
-+}
++#include "../../../patches/afl-qemu-tcg-runtime-inl.h"