-rw-r--r-- | docs/Changelog.md | 4 | ||||
-rw-r--r-- | frida_mode/src/lib/lib.c | 6 | ||||
-rw-r--r-- | instrumentation/compare-transform-pass.so.cc | 24 | ||||
-rw-r--r-- | src/afl-cc.c | 2 | ||||
-rw-r--r-- | src/afl-forkserver.c | 1 | ||||
-rw-r--r-- | src/afl-fuzz-queue.c | 6 | ||||
-rw-r--r-- | utils/afl_untracer/Makefile | 7 | ||||
-rw-r--r-- | utils/afl_untracer/afl-untracer.c | 34 |
8 files changed, 74 insertions, 10 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 87c01f21..bccc6748 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -14,6 +14,10 @@
 - now also shows coverage reached
 - option -m shows only very relevant stats
 - option -n will not use color in the output
+ - instrumentation:
+ - fix for a few string compare transform functions for LAF
+ - frida_mode:
+ - fixes support for large map offsets
 - added benchmark/benchmark.sh if you want to see how good your fuzzing speed is in comparison to other setups.
diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c
index d563b69b..7fac755a 100644
--- a/frida_mode/src/lib/lib.c
+++ b/frida_mode/src/lib/lib.c
@@ -44,8 +44,10 @@ static gboolean lib_find_exe(const GumModuleDetails *details,
 lib_details_t *lib_details = (lib_details_t *)user_data;
- memcpy(lib_details->name, details->name, PATH_MAX);
- memcpy(lib_details->path, details->path, PATH_MAX);
+ strncpy(lib_details->name, details->name, PATH_MAX);
+ strncpy(lib_details->path, details->path, PATH_MAX);
+ lib_details->name[PATH_MAX] = '\0';
+ lib_details->path[PATH_MAX] = '\0';
 lib_details->base_address = details->range->base_address;
 lib_details->size = details->range->size;
 return FALSE;
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 5dd705cf..5a5415d7 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -169,6 +169,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 DenseMap<Value *, std::string *> valueMap;
 std::vector<CallInst *> calls;
 LLVMContext &C = M.getContext();
+ IntegerType *Int1Ty = IntegerType::getInt1Ty(C);
 IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
 IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
 IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
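Review bot: The terminator stores `lib_details->name[PATH_MAX] = '\0'` and `lib_details->path[PATH_MAX] = '\0'` index one past a PATH_MAX-sized array, so they are only in bounds if lib_details_t declares both fields with at least PATH_MAX + 1 bytes; the struct is not in the hunk, and if the fields are `char name[PATH_MAX]` this is a one-byte overflow of the object that owns them. Tying the bound to the field removes the dependency on that declaration: `strncpy(lib_details->name, details->name, sizeof(lib_details->name) - 1); lib_details->name[sizeof(lib_details->name) - 1] = '\0';` and the same pair for path. strncpy also NUL-pads the whole destination after a short source, which is harmless but means PATH_MAX writes per field; `snprintf(lib_details->name, sizeof(lib_details->name), "%s", details->name)` copies and terminates in one step without the padding. lib_find_exe's signature is on the hunk header and the rest of its body lies outside the hunk.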
@@ -227,9 +228,9 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 isStrcmp &= (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") || !FuncName.compare("xmlStrEqual") ||
- !FuncName.compare("g_strcmp0") ||
 !FuncName.compare("curl_strequal") ||
- !FuncName.compare("strcsequal"));
+ !FuncName.compare("strcsequal") ||
+ !FuncName.compare("g_strcmp0"));
 isMemcmp &= (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") || !FuncName.compare("CRYPTO_memcmp") ||
@@ -237,8 +238,8 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 !FuncName.compare("memcmp_const_time") || !FuncName.compare("memcmpct"));
 isStrncmp &= (!FuncName.compare("strncmp") ||
- !FuncName.compare("xmlStrncmp") ||
- !FuncName.compare("curl_strnequal"));
+ !FuncName.compare("curl_strnequal") ||
+ !FuncName.compare("xmlStrncmp"));
 isStrcasecmp &= (!FuncName.compare("strcasecmp") || !FuncName.compare("stricmp") || !FuncName.compare("ap_cstr_casecmp") ||
@@ -457,6 +458,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 bool isSizedcmp = false;
 bool isCaseInsensitive = false;
 bool needs_null = false;
+ bool success_is_one = false;
 Function *Callee = callInst->getCalledFunction();
 if (Callee) {
@@ -503,6 +505,12 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 !Callee->getName().compare("g_strncasecmp")) isCaseInsensitive = true;
+ if (!Callee->getName().compare("xmlStrEqual") ||
+ !Callee->getName().compare("curl_strequal") ||
+ !Callee->getName().compare("strcsequal") ||
+ !Callee->getName().compare("curl_strnequal"))
+ success_is_one = true;
+ }
 if (!isSizedcmp) needs_null = true;
@@ -667,6 +675,14 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 else isub = cur_cmp_IRB.CreateSub(load, ConstantInt::get(Int8Ty, c));
+ if (success_is_one && i == unrollLen - 1) {
+
+ Value *isubsub = cur_cmp_IRB.CreateTrunc(isub, Int1Ty);
+ isub = cur_cmp_IRB.CreateSelect(isubsub, ConstantInt::get(Int8Ty, 0),
+ ConstantInt::get(Int8Ty, 1));
+
+ }
+
 Value *sext = cur_cmp_IRB.CreateSExt(isub, Int32Ty);
 PN->addIncoming(sext, cur_cmp_bb);
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 86b81459..12707007 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -317,7 +317,7 @@ void parse_fsanitize(char *string) {
 char *p, *ptr = string + strlen("-fsanitize=");
 char *new = malloc(strlen(string) + 1);
- char *tmp = malloc(strlen(ptr));
+ char *tmp = malloc(strlen(ptr) + 1);
 u32 count = 0, len, ende = 0;
 if (!new || !tmp) { FATAL("could not acquire memory"); }
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 9da096f7..07f5a1a9 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -272,6 +272,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
 fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode;
 fsrv_to->crash_exitcode = from->crash_exitcode;
 fsrv_to->child_kill_signal = from->child_kill_signal;
+ fsrv_to->fsrv_kill_signal = from->fsrv_kill_signal;
 fsrv_to->debug = from->debug;
 // These are forkserver specific.
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 2b102879..91120e10 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -737,7 +737,11 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
 u64 top_rated_fav_factor;
 u64 top_rated_fuzz_p2;
- if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
+ if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
+
+ top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
+
+ } else if (unlikely(afl->schedule == RARE)) {
 top_rated_fuzz_p2 = next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
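Review bot: `cur_cmp_IRB.CreateTrunc(isub, Int1Ty)` keeps only bit 0 of the byte difference, so a final byte that differs by an even amount (for example 'a' against 'c', isub == 2) truncates to 0 and the select produces 1, which the `*Equal`-style callees that success_is_one marks report as a match. The test that matches the intent is an explicit zero compare: `Value *is_eq = cur_cmp_IRB.CreateICmpEQ(isub, ConstantInt::get(Int8Ty, 0));` followed by `isub = cur_cmp_IRB.CreateSelect(is_eq, ConstantInt::get(Int8Ty, 1), ConstantInt::get(Int8Ty, 0));`. The conversion is also applied only on the last unrolled byte; if an earlier mismatching byte reaches the PHI through `PN->addIncoming(sext, cur_cmp_bb)` carrying its nonzero difference, as the unchanged lines suggest, that path still yields a nonzero result that callers of these functions read as success, so the branch logic outside the hunk needs the same treatment or a separate check. A one-line comment above the block naming the convention being emulated, such as `// xmlStrEqual & co. return 1 on match and 0 otherwise, unlike strcmp`, would make the special case self-explanatory. The enclosing unroll loop and transformCmps itself start and end outside the hunk.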
diff --git a/utils/afl_untracer/Makefile b/utils/afl_untracer/Makefile
index 14a09b41..264aebe5 100644
--- a/utils/afl_untracer/Makefile
+++ b/utils/afl_untracer/Makefile
@@ -3,11 +3,16 @@ ifdef DEBUG
 else
 OPT=-O3
 endif
+SYS = $(shell uname -s)
+DL =
+ifeq "$(SYS)" "Linux"
+ DL = -ldl
+endif
 all: afl-untracer libtestinstr.so
 afl-untracer: afl-untracer.c
- $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl
+ $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c $(DL)
 libtestinstr.so: libtestinstr.c
 $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c
diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c
index e1038212..0e3f8a45 100644
--- a/utils/afl_untracer/afl-untracer.c
+++ b/utils/afl_untracer/afl-untracer.c
@@ -53,7 +53,9 @@
 #include <pthread.h>
 #include <sys/mman.h>
-#include <sys/shm.h>
+#if !defined(__HAIKU__)
+ #include <sys/shm.h>
+#endif
 #include <sys/wait.h>
 #include <sys/types.h>
@@ -66,6 +68,9 @@
 #include <sys/sysctl.h>
 #include <sys/user.h>
 #include <sys/procctl.h>
+#elif defined(__HAIKU__)
+ #include <kernel/OS.h>
+ #include <kernel/image.h>
 #else
 #error "Unsupported platform"
 #endif
@@ -232,6 +237,30 @@ void read_library_information(void) {
 }
+#elif defined(__HAIKU__)
+ image_info ii;
+ int32 c = 0;
+
+ while (get_next_image_info(0, &c, &ii) == B_OK) {
+
+ liblist[liblist_cnt].name = (u8 *)strdup(ii.name);
+ liblist[liblist_cnt].addr_start = (u64)ii.text;
+ liblist[liblist_cnt].addr_end = (u64)((char *)ii.text + ii.text_size);
+
+ if (debug) {
+
+ fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name,
+ (unsigned long)(liblist[liblist_cnt].addr_end -
+ liblist[liblist_cnt].addr_start),
+ (unsigned long)liblist[liblist_cnt].addr_start,
+ (unsigned long)(liblist[liblist_cnt].addr_end - 1));
+
+ }
+
+ liblist_cnt++;
+
+ }
+
 #endif
 }
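Review bot: The Haiku loop in read_library_information writes `liblist[liblist_cnt]` and increments liblist_cnt for every image get_next_image_info() reports, without comparing liblist_cnt against the capacity of liblist, which is declared outside the hunk; a process with more loaded images than the array holds writes past its end. A guard before the first store, `if (liblist_cnt >= LIBLIST_MAX) break;` where LIBLIST_MAX stands for whatever constant sizes liblist, keeps this branch within the same bound the other platform branches should be observing. `strdup(ii.name)` can return NULL and the result is stored unchecked, so a later `%s` print or name comparison on that entry would dereference it; failing early with `if (!liblist[liblist_cnt].name) FATAL("strdup");` is the cheaper failure. The `%lx` conversions match the `(unsigned long)` casts, so the debug print itself is fine. The function's opening lines and the other platform branches are outside the hunk.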
@@ -655,6 +684,9 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) {
 #elif defined(__FreeBSD__) && defined(__LP64__)
 ctx->uc_mcontext.mc_rip -= 1;
 addr = ctx->uc_mcontext.mc_rip;
+#elif defined(__HAIKU__) && defined(__x86_64__)
+ ctx->uc_mcontext.rip -= 1;
+ addr = ctx->uc_mcontext.rip;
 #else
 #error "Unsupported platform"
 #endif |