authorAndrea Fioraldi <andreafioraldi@gmail.com>2020-02-07 20:44:36 +0100
committerAndrea Fioraldi <andreafioraldi@gmail.com>2020-02-07 20:44:36 +0100
commitaa2cb66ea23884eb03cb0220dcfafbdd7343f54d (patch)
tree94567a29d95d97000d4b420407ef58eb9a418b32 /qemu_mode
parent420b1aa85934b59ccf0b58fb9b2740418a379241 (diff)
downloadafl++-aa2cb66ea23884eb03cb0220dcfafbdd7343f54d.tar.gz
code format
Diffstat (limited to 'qemu_mode')
-rw-r--r--qemu_mode/patches/afl-qemu-common.h4
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-inl.h43
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-translate-inl.h98
3 files changed, 77 insertions, 68 deletions
diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h
index de6c7b73..da3d563e 100644
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@@ -59,7 +59,7 @@
#define INC_AFL_AREA(loc) afl_area_ptr[loc]++
#endif
-typedef void (*afl_persistent_hook_fn)(uint64_t* regs, uint64_t guest_base);
+typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base);
/* Declared in afl-qemu-cpu-inl.h */
@@ -81,7 +81,7 @@ extern afl_persistent_hook_fn afl_persistent_hook_ptr;
extern __thread abi_ulong afl_prev_loc;
-extern struct cmp_map* __afl_cmp_map;
+extern struct cmp_map *__afl_cmp_map;
extern __thread u32 __afl_cmp_counter;
void afl_debug_dump_saved_regs();
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 7ef54d78..5e155c74 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -82,7 +82,7 @@ u8 afl_compcov_level;
__thread abi_ulong afl_prev_loc;
-struct cmp_map* __afl_cmp_map;
+struct cmp_map *__afl_cmp_map;
__thread u32 __afl_cmp_counter;
/* Set in the child process in forkserver mode: */
@@ -187,9 +187,9 @@ static void afl_setup(void) {
if (inst_r) afl_area_ptr[0] = 1;
}
-
- if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) { // CmpLog forkserver
-
+
+ if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) { // CmpLog forkserver
+
id_str = getenv(CMPLOG_SHM_ENV_VAR);
if (id_str) {
@@ -198,10 +198,10 @@ static void afl_setup(void) {
__afl_cmp_map = shmat(shm_id, NULL, 0);
- if (__afl_cmp_map == (void*)-1) exit(1);
+ if (__afl_cmp_map == (void *)-1) exit(1);
}
-
+
}
if (getenv("AFL_INST_LIBS")) {
@@ -247,32 +247,42 @@ static void afl_setup(void) {
if (getenv("AFL_QEMU_PERSISTENT_GPR")) persistent_save_gpr = 1;
if (getenv("AFL_QEMU_PERSISTENT_HOOK")) {
-
+
#ifdef AFL_QEMU_STATIC_BUILD
- fprintf(stderr, "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when afl-qemu-trace is static\n");
+ fprintf(stderr,
+ "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when "
+ "afl-qemu-trace is static\n");
exit(1);
#else
-
+
persistent_save_gpr = 1;
-
- void* plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW);
+
+ void *plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW);
if (!plib) {
- fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"));
+
+ fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n",
+ getenv("AFL_QEMU_PERSISTENT_HOOK"));
exit(1);
+
}
-
+
afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook");
if (!afl_persistent_hook_ptr) {
- fprintf(stderr, "[AFL] ERROR: failed to find the function \"afl_persistent_hook\" in %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"));
+
+ fprintf(stderr,
+ "[AFL] ERROR: failed to find the function "
+ "\"afl_persistent_hook\" in %s\n",
+ getenv("AFL_QEMU_PERSISTENT_HOOK"));
exit(1);
+
}
#endif
}
-
+
if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"))
persisent_retaddr_offset =
strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0);
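Review bot: The AFL_QEMU_PERSISTENT_RETADDR_OFFSET value at the end of the hunk is parsed with `strtoll(getenv(...), NULL, 0)` and neither the end pointer nor errno is checked, so a mistyped value silently becomes 0 and an out-of-range one is clamped to LLONG_MAX/LLONG_MIN without any diagnostic; this predates the commit, but the reflowed lines just above it show the convention this file uses for bad configuration (print an `[AFL] ERROR:` line and `exit(1)` for an invalid AFL_QEMU_PERSISTENT_HOOK), and the offset should get the same treatment. The change below needs `errno`/`ERANGE` from `<errno.h>`, which I cannot confirm is already included from this hunk. The enclosing afl_setup() starts before the hunk.
```c
  if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) {
    const char *off = getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET");
    char *end = NULL;
    errno = 0;
    persisent_retaddr_offset = strtoll(off, &end, 0);
    if (end == off || *end != '\0' || errno == ERANGE) {
      fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_RETADDR_OFFSET=%s\n", off);
      exit(1);
    }
  }
```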
@@ -402,9 +412,12 @@ static void afl_forkserver(CPUState *cpu) {
if (WIFSTOPPED(status))
child_stopped = 1;
else if (unlikely(first_run && is_persistent)) {
+
fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n");
exit(12); // Persistent is wrong
+
}
+
first_run = 0;
if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index d081060f..3c230c30 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -153,17 +153,15 @@ static void afl_cmplog_64(target_ulong cur_loc, target_ulong arg1,
}
-
static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
TCGMemOp ot, int is_imm) {
void *func;
- if (cur_loc > afl_end_code || cur_loc < afl_start_code)
- return;
+ if (cur_loc > afl_end_code || cur_loc < afl_start_code) return;
if (__afl_cmp_map) {
-
+
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= CMP_MAP_W - 1;
@@ -177,16 +175,16 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
}
tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2);
-
+
} else if (afl_compcov_level) {
-
+
if (!is_imm && afl_compcov_level < 2) return;
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= MAP_SIZE - 7;
if (cur_loc >= afl_inst_rms) return;
-
+
switch (ot) {
case MO_64: func = &afl_compcov_log_64; break;
@@ -197,7 +195,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
}
tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2);
-
+
}
}
@@ -254,62 +252,60 @@ static void log_x86_sp_content(void) {
}*/
-
static void callback_to_persistent_hook(void) {
afl_persistent_hook_ptr(persistent_saved_gpr, guest_base);
-
+
}
-static void i386_restore_state_for_persistent(TCGv* cpu_regs) {
-
- if (persistent_save_gpr) {
-
- int i;
- TCGv_ptr gpr_sv;
-
- TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass);
- TCGv first_pass = tcg_temp_local_new();
- TCGv one = tcg_const_tl(1);
- tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0);
-
- TCGLabel *lbl_restore_gpr = gen_new_label();
- tcg_gen_brcond_tl(TCG_COND_NE, first_pass, one, lbl_restore_gpr);
-
+static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
+
+ if (persistent_save_gpr) {
+
+ int i;
+ TCGv_ptr gpr_sv;
+
+ TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass);
+ TCGv first_pass = tcg_temp_local_new();
+ TCGv one = tcg_const_tl(1);
+ tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0);
+
+ TCGLabel *lbl_restore_gpr = gen_new_label();
+ tcg_gen_brcond_tl(TCG_COND_NE, first_pass, one, lbl_restore_gpr);
+
// save GRP registers
- for (i = 0; i < CPU_NB_REGS; ++i) {
-
- gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);
- tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0);
-
+ for (i = 0; i < CPU_NB_REGS; ++i) {
+
+ gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);
+ tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0);
+
}
gen_set_label(lbl_restore_gpr);
-
+
tcg_gen_afl_call0(&afl_persistent_loop);
-
- if (afl_persistent_hook_ptr)
- tcg_gen_afl_call0(callback_to_persistent_hook);
-
- // restore GRP registers
- for (i = 0; i < CPU_NB_REGS; ++i) {
-
- gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);
- tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0);
-
+
+ if (afl_persistent_hook_ptr) tcg_gen_afl_call0(callback_to_persistent_hook);
+
+ // restore GRP registers
+ for (i = 0; i < CPU_NB_REGS; ++i) {
+
+ gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);
+ tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0);
+
}
-
- tcg_temp_free(first_pass);
-
+
+ tcg_temp_free(first_pass);
+
} else if (afl_persistent_ret_addr == 0) {
-
+
TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset);
- TCGv stack_off = tcg_temp_new();
- tcg_gen_ld_tl(stack_off, stack_off_ptr, 0);
- tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off);
- tcg_temp_free(stack_off);
-
- }
+ TCGv stack_off = tcg_temp_new();
+ tcg_gen_ld_tl(stack_off, stack_off_ptr, 0);
+ tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off);
+ tcg_temp_free(stack_off);
+
+ }
}