authorAkira Moroo <retrage01@gmail.com>2021-06-22 05:34:20 +0000
committerAkira Moroo <retrage01@gmail.com>2021-11-11 09:52:21 +0000
commit9100f3c416707d926fc100d4441cf32bb1da6dd6 (patch)
treebd0d24e3919acd56c48cda64f5266f5fb99585ef /src
parent26238516804a45636f8c675d492b048c32b82d31 (diff)
Add initial CoreSight mode support
The original code is: https://github.com/RICSecLab/AFLplusplus-cs/tree/retrage/coresight-mode-pr Signed-off-by: Akira Moroo <retrage01@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/afl-analyze.c18
-rw-r--r--src/afl-common.c29
-rw-r--r--src/afl-fuzz-init.c5
-rw-r--r--src/afl-fuzz-stats.c9
-rw-r--r--src/afl-fuzz.c28
-rw-r--r--src/afl-showmap.c22
-rw-r--r--src/afl-tmin.c16
7 files changed, 113 insertions, 14 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index d52a6d6e..c8b82428 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -77,6 +77,7 @@ static volatile u8 stop_soon; /* Ctrl-C pressed? */
static u8 *target_path;
static u8 frida_mode;
static u8 qemu_mode;
+static u8 cs_mode;
static u32 map_size = MAP_SIZE;
static afl_forkserver_t fsrv = {0}; /* The forkserver */
@@ -790,6 +791,8 @@ static void set_up_environment(char **argv) {
} else {
+ /* CoreSight mode uses the default behavior. */
+
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
@@ -845,6 +848,7 @@ static void usage(u8 *argv0) {
" -f file - input file read by the tested program (stdin)\n"
" -t msec - timeout for each run (%u ms)\n"
" -m megs - memory limit for child process (%u MB)\n"
+ " -A - use binary-only instrumentation (CoreSight mode)\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
@@ -890,7 +894,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl_fsrv_init(&fsrv);
- while ((opt = getopt(argc, argv, "+i:f:m:t:eOQUWh")) > 0) {
+ while ((opt = getopt(argc, argv, "+i:f:m:t:eAOQUWh")) > 0) {
switch (opt) {
@@ -989,6 +993,14 @@ int main(int argc, char **argv_orig, char **envp) {
break;
+ case 'A': /* CoreSight mode */
+
+ if (cs_mode) { FATAL("Multiple -A options not supported"); }
+
+ cs_mode = 1;
+ fsrv.cs_mode = cs_mode;
+ break;
+
case 'O': /* FRIDA mode */
if (frida_mode) { FATAL("Multiple -O options not supported"); }
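Review bot: Nothing rejects `-A` combined with `-Q` or `-O`, and the argv selection later in main is an else-if chain, so if a QEMU or FRIDA branch precedes the new `else if (cs_mode)` branch (that part of main is outside the hunk) the earlier mode wins silently while `cs_mode` still makes check_binary skip its instrumentation checks. A guard next to the existing multiple-option check would close this, e.g. `if (cs_mode && (qemu_mode || frida_mode)) { FATAL("-A is mutually exclusive with -Q and -O"); }`. The same gap exists in the `case 'A'` hunks of afl-fuzz.c and afl-tmin.c and the `case 'P'` hunk of afl-showmap.c; afl-fuzz.c already uses this pattern for `-n`.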
@@ -1080,6 +1092,10 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ } else if (cs_mode) {
+
+ use_argv = get_cs_argv(argv[0], &target_path, argc - optind, argv + optind);
+
} else {
use_argv = argv + optind;
diff --git a/src/afl-common.c b/src/afl-common.c
index ec3b2f3f..6c2d0753 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -204,6 +204,35 @@ void argv_cpy_free(char **argv) {
}
+/* Rewrite argv for CoreSight process tracer. */
+
+char **get_cs_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
+
+ if (unlikely(getenv("AFL_CS_CUSTOM_BIN"))) {
+
+ WARNF(
+ "AFL_CS_CUSTOM_BIN is enabled. "
+ "You must run your target under afl-cs-proxy on your own!");
+ return argv;
+
+ }
+
+ char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
+ if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
+
+ memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1));
+ new_argv[argc + 3] = NULL;
+
+ new_argv[2] = *target_path_p;
+ new_argv[1] = "--";
+
+ /* Now we need to actually find the cs-proxy binary to put in argv[0]. */
+
+ *target_path_p = new_argv[0] = find_afl_binary(own_loc, "afl-cs-proxy");
+ return new_argv;
+
+}
+
/* Rewrite argv for QEMU. */
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
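Review bot: `memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1))` computes its length in signed arithmetic: with argc == 0 the product is -8, which converts to a huge size_t and overruns new_argv (and `&argv[1]` is already past the array). The callers in this commit pass `argc - optind`, which is presumably positive after each tool's usage check, but the function should not depend on that; guard with `if (argc < 1) { FATAL("No target binary specified"); }` and size the copy as `sizeof(char *) * (size_t)(argc - 1)`. The `if (unlikely(!new_argv))` branch also looks unreachable if ck_alloc aborts on failure as it does elsewhere in AFL++, and its message "Illegal amount of arguments specified" does not describe an allocation failure. The header comment would be more useful if it recorded that `*target_path_p` is replaced by the afl-cs-proxy path and the original target path becomes `new_argv[2]`.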
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 9262d718..e5a4d3d1 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2645,6 +2645,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
(afl->fsrv.qemu_mode && getenv("AFL_QEMU_CUSTOM_BIN")) ||
+ (afl->fsrv.cs_mode && getenv("AFL_CS_CUSTOM_BIN")) ||
afl->non_instrumented_mode) {
return;
@@ -2721,7 +2722,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
#endif /* ^!__APPLE__ */
if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode &&
- !afl->non_instrumented_mode &&
+ !afl->fsrv.cs_mode && !afl->non_instrumented_mode &&
!memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST
@@ -2752,7 +2753,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
- if ((afl->fsrv.qemu_mode || afl->fsrv.frida_mode) &&
+ if ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode) &&
memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 808bf258..426580d2 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -285,7 +285,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
"afl_banner : %s\n"
"afl_version : " VERSION
"\n"
- "target_mode : %s%s%s%s%s%s%s%s%s\n"
+ "target_mode : %s%s%s%s%s%s%s%s%s%s\n"
"command_line : %s\n",
(afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000,
(afl->prev_run_time + cur_time - afl->start_time) / 1000,
@@ -321,12 +321,13 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
afl->q_testcase_cache_count, afl->q_testcase_evictions,
afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
afl->fsrv.qemu_mode ? "qemu " : "",
+ afl->fsrv.cs_mode ? "coresight" : "",
afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
afl->persistent_mode ? "persistent " : "",
afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "",
- (afl->unicorn_mode || afl->fsrv.qemu_mode ||
+ (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode ||
afl->non_instrumented_mode || afl->no_forkserver ||
afl->crash_mode || afl->persistent_mode || afl->deferred_mode)
? ""
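Review bot: `afl->fsrv.cs_mode ? "coresight" : ""` lacks the trailing space carried by the sibling tokens (`"qemu "`, `"no_fsrv "`, `"crash "`), so a CoreSight run with no_forkserver or crash_mode set writes `target_mode : coresightno_fsrv ` into the stats file, which breaks any consumer that splits that field on whitespace. Change it to `afl->fsrv.cs_mode ? "coresight " : ""` to match the others.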
@@ -1238,7 +1239,9 @@ void show_init_stats(afl_state_t *afl) {
// SAYF("\n");
- if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) {
+ if (avg_us > ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->unicorn_mode)
+ ? 50000
+ : 10000)) {
WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.md.",
doc_path);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index c08b8fbb..99eebfaa 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -113,6 +113,7 @@ static void usage(u8 *argv0, int more_help) {
"maximum.\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
+ " -A - use binary-only instrumentation (CoreSight mode)\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
@@ -434,7 +435,8 @@ int main(int argc, char **argv_orig, char **envp) {
while ((opt = getopt(
argc, argv,
- "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > 0) {
+ "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) >
+ 0) {
switch (opt) {
@@ -825,6 +827,13 @@ int main(int argc, char **argv_orig, char **envp) {
afl->use_banner = optarg;
break;
+ case 'A': /* CoreSight mode */
+
+ if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); }
+ afl->fsrv.cs_mode = 1;
+
+ break;
+
case 'O': /* FRIDA mode */
if (afl->fsrv.frida_mode) {
@@ -1212,6 +1221,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); }
if (afl->fsrv.frida_mode) { FATAL("-O and -n are mutually exclusive"); }
if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); }
+ if (afl->fsrv.cs_mode) { FATAL("-A and -n are mutually exclusive"); }
if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); }
}
@@ -1458,6 +1468,8 @@ int main(int argc, char **argv_orig, char **envp) {
} else {
+ /* CoreSight mode uses the default behavior. */
+
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
@@ -1651,7 +1663,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
- if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode &&
+ if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode &&
!afl->non_instrumented_mode) {
check_binary(afl, afl->cmplog_binary);
@@ -1697,6 +1709,11 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ } else if (afl->fsrv.cs_mode) {
+
+ use_argv = get_cs_argv(argv[0], &afl->fsrv.target_path, argc - optind,
+ argv + optind);
+
} else {
use_argv = argv + optind;
@@ -1704,7 +1721,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (afl->non_instrumented_mode || afl->fsrv.qemu_mode ||
- afl->fsrv.frida_mode || afl->unicorn_mode) {
+ afl->fsrv.frida_mode || afl->fsrv.cs_mode || afl->unicorn_mode) {
map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE;
afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size);
@@ -1724,7 +1741,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
- !afl->unicorn_mode && !afl->fsrv.frida_mode &&
+ !afl->unicorn_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode &&
!afl->afl_env.afl_skip_bin_check) {
if (map_size <= DEFAULT_SHMEM_SIZE) {
@@ -1777,6 +1794,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv);
// TODO: this is semi-nice
afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits;
+ afl->cmplog_fsrv.cs_mode = afl->fsrv.cs_mode;
afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode;
afl->cmplog_fsrv.frida_mode = afl->fsrv.frida_mode;
afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
@@ -1785,7 +1803,7 @@ int main(int argc, char **argv_orig, char **envp) {
if ((map_size <= DEFAULT_SHMEM_SIZE ||
afl->cmplog_fsrv.map_size < map_size) &&
!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
- !afl->fsrv.frida_mode && !afl->unicorn_mode &&
+ !afl->fsrv.frida_mode && !afl->unicorn_mode && !afl->fsrv.cs_mode &&
!afl->afl_env.afl_skip_bin_check) {
afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE);
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 6c06c476..daaed767 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -690,6 +690,8 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) {
} else {
+ /* CoreSight mode uses the default behavior. */
+
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
@@ -843,6 +845,7 @@ static void usage(u8 *argv0) {
" -t msec - timeout for each run (none)\n"
" -m megs - memory limit for child process (%u MB)\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
+ " -P - use binary-only instrumentation (CoreSight mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use Unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine mode)\n"
@@ -917,7 +920,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (getenv("AFL_QUIET") != NULL) { be_quiet = true; }
- while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOQUWbcrsh")) > 0) {
+ while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOPQUWbcrsh")) > 0) {
switch (opt) {
@@ -1060,6 +1063,15 @@ int main(int argc, char **argv_orig, char **envp) {
break;
+ /* FIXME: We want to use -P for consistency, but it is already unsed for
+ * undocumenetd feature "Another afl-cmin specific feature." */
+ case 'P': /* CoreSight mode */
+
+ if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); }
+
+ fsrv->cs_mode = true;
+ break;
+
case 'Q':
if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); }
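Review bot: The FIXME comment above `case 'P'` has two typos, `unsed` → `unused` and `undocumenetd` → `undocumented`; since it is the only place explaining why afl-showmap deviates from the `-A` flag the other tools use, it is worth getting right. Also `fsrv->cs_mode = true;` differs from the `= 1` written in the afl-analyze, afl-fuzz and afl-tmin hunks for the same field; one form should be used throughout.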
@@ -1124,6 +1136,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ if (fsrv->cs_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT; }
if (fsrv->qemu_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; }
if (unicorn_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; }
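Review bot: `if (fsrv->cs_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT; }` is presumably a no-op, since afl_fsrv_init appears to initialise mem_limit to MEM_LIMIT already (that initialisation is outside the hunk), and neither the afl-fuzz nor the afl-tmin hunks add a counterpart. If a CoreSight-specific default is intended, a named constant in the style of MEM_LIMIT_QEMU on the next line would make that explicit; otherwise the line can be dropped.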
@@ -1204,6 +1217,11 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ } else if (fsrv->cs_mode) {
+
+ use_argv =
+ get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind);
+
} else {
use_argv = argv + optind;
@@ -1230,7 +1248,7 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz_len = (u32 *)map;
fsrv->shmem_fuzz = map + sizeof(u32);
- if (!fsrv->qemu_mode && !unicorn_mode) {
+ if (!fsrv->cs_mode && !fsrv->qemu_mode && !unicorn_mode) {
u32 save_be_quiet = be_quiet;
be_quiet = !debug;
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 3f6f14f9..212b6251 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -808,6 +808,8 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) {
} else {
+ /* CoreSight mode uses the default behavior. */
+
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
@@ -921,7 +923,7 @@ int main(int argc, char **argv_orig, char **envp) {
SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n");
- while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeOQUWHh")) > 0) {
+ while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeAOQUWHh")) > 0) {
switch (opt) {
@@ -1033,6 +1035,13 @@ int main(int argc, char **argv_orig, char **envp) {
break;
+ case 'A': /* CoreSight mode */
+
+ if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); }
+
+ fsrv->cs_mode = 1;
+ break;
+
case 'O': /* FRIDA mode */
if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
@@ -1152,6 +1161,11 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ } else if (fsrv->cs_mode) {
+
+ use_argv =
+ get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind);
+
} else {
use_argv = argv + optind;