diff options
Diffstat (limited to 'instrumentation')
| -rw-r--r-- | instrumentation/README.laf-intel.md | 5 | ||||
| -rw-r--r-- | instrumentation/README.llvm.md | 2 | ||||
| -rw-r--r-- | instrumentation/SanitizerCoverageLTO.so.cc | 36 | ||||
| -rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-dict2file.so.cc | 24 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-lto-instrumentation.so.cc | 24 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-lto-instrumentlist.so.cc | 7 | ||||
| -rw-r--r-- | instrumentation/split-compares-pass.so.cc | 10 |
8 files changed, 54 insertions, 56 deletions
diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md index 229807e8..789055ed 100644 --- a/instrumentation/README.laf-intel.md +++ b/instrumentation/README.laf-intel.md @@ -3,9 +3,8 @@ ## Introduction This originally is the work of an individual nicknamed laf-intel. -His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations] -(https://lafintel.wordpress.com/) and gitlab repo [laf-llvm-pass] -(https://gitlab.com/laf-intel/laf-llvm-pass/) +His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations](https://lafintel.wordpress.com/) +and gitlab repo [laf-llvm-pass](https://gitlab.com/laf-intel/laf-llvm-pass/) describe some code transformations that help AFL++ to enter conditional blocks, where conditions consist of comparisons of large values. diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 6e210a7c..5b1e60cc 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -2,7 +2,7 @@ (See [../README.md](../README.md) for the general instruction manual.) - (See [README.gcc_plugin.md](../README.gcc_plugin.md) for the GCC-based instrumentation.) + (See [README.gcc_plugin.md](README.gcc_plugin.md) for the GCC-based instrumentation.) ## 1) Introduction diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index e06f8b93..d90fa867 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -250,7 +250,7 @@ class ModuleSanitizerCoverage { Module * Mo = NULL; GlobalVariable * AFLMapPtr = NULL; Value * MapPtrFixed = NULL; - FILE * documentFile = NULL; + std::ofstream dFile; size_t found = 0; // afl++ END @@ -446,8 +446,8 @@ bool ModuleSanitizerCoverage::instrumentModule( if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) { - if ((documentFile = fopen(ptr, "a")) == NULL) - WARNF("Cannot access document file %s", ptr); + dFile.open(ptr, std::ofstream::out | std::ofstream::app); + if (dFile.is_open()) WARNF("Cannot access document file %s", ptr); } @@ -1003,12 +1003,7 @@ bool ModuleSanitizerCoverage::instrumentModule( instrumentFunction(F, DTCallback, PDTCallback); // afl++ START - if (documentFile) { - - fclose(documentFile); - documentFile = NULL; - - } + if (dFile.is_open()) dFile.close(); if (!getenv("AFL_LLVM_LTO_DONTWRITEID") || dictionary.size() || map_addr) { @@ -1069,7 +1064,6 @@ bool ModuleSanitizerCoverage::instrumentModule( if (dictionary.size()) { size_t memlen = 0, count = 0, offset = 0; - char * ptr; // sort and unique the dictionary std::sort(dictionary.begin(), dictionary.end()); @@ -1089,13 +1083,7 @@ bool ModuleSanitizerCoverage::instrumentModule( if (count) { - if ((ptr = (char *)malloc(memlen + count)) == NULL) { - - fprintf(stderr, "Error: malloc for %lu bytes failed!\n", - memlen + count); - exit(-1); - - } + auto ptrhld = std::unique_ptr<char[]>(new char[memlen + count]); count = 0; @@ -1103,8 +1091,8 @@ bool ModuleSanitizerCoverage::instrumentModule( if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) { - ptr[offset++] = (uint8_t)token.length(); - memcpy(ptr + offset, token.c_str(), token.length()); + ptrhld.get()[offset++] = (uint8_t)token.length(); + memcpy(ptrhld.get() + offset, token.c_str(), token.length()); offset += token.length(); count++; @@ -1124,10 +1112,10 @@ bool ModuleSanitizerCoverage::instrumentModule( GlobalVariable *AFLInternalDictionary = new GlobalVariable( M, ArrayTy, true, GlobalValue::ExternalLinkage, ConstantDataArray::get(Ctx, - *(new ArrayRef<char>((char *)ptr, offset))), + *(new ArrayRef<char>(ptrhld.get(), offset))), "__afl_internal_dictionary"); AFLInternalDictionary->setInitializer(ConstantDataArray::get( - Ctx, *(new ArrayRef<char>((char *)ptr, offset)))); + Ctx, *(new ArrayRef<char>(ptrhld.get(), offset)))); AFLInternalDictionary->setConstant(true); GlobalVariable *AFLDictionary = new GlobalVariable( @@ -1509,12 +1497,12 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, // afl++ START ++afl_global_id; - if (documentFile) { + if (dFile.is_open()) { unsigned long long int moduleID = (((unsigned long long int)(rand() & 0xffffffff)) << 32) | getpid(); - fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n", moduleID, - F.getName().str().c_str(), afl_global_id); + dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() + << " edgeID=" << afl_global_id << "\n"; } diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 48ad2d02..013492f9 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -881,8 +881,6 @@ void ModuleSanitizerCoverage::InjectCoverageForIndirectCalls( Function &F, ArrayRef<Instruction *> IndirCalls) { if (IndirCalls.empty()) return; - assert(Options.TracePC || Options.TracePCGuard || - Options.Inline8bitCounters /*|| Options.InlineBoolFlag*/); for (auto I : IndirCalls) { IRBuilder<> IRB(I); diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index 4622e488..0a3e74b9 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -66,6 +66,9 @@ namespace { class AFLdict2filePass : public ModulePass { + std::ofstream of; + void dict2file(u8 *, u32); + public: static char ID; @@ -81,7 +84,7 @@ class AFLdict2filePass : public ModulePass { } // namespace -void dict2file(int fd, u8 *mem, u32 len) { +void AFLdict2filePass::dict2file(u8 *mem, u32 len) { u32 i, j, binary = 0; char line[MAX_AUTO_EXTRA * 8], tmp[8]; @@ -113,9 +116,8 @@ void dict2file(int fd, u8 *mem, u32 len) { line[j] = 0; strcat(line, "\"\n"); - if (write(fd, line, strlen(line)) <= 0) - PFATAL("Could not write to dictionary file"); - fsync(fd); + of << line; + of.flush(); if (!be_quiet) fprintf(stderr, "Found dictionary token: %s", line); @@ -125,7 +127,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { DenseMap<Value *, std::string *> valueMap; char * ptr; - int fd, found = 0; + int found = 0; /* Show a banner */ setvbuf(stdout, NULL, _IONBF, 0); @@ -146,8 +148,8 @@ bool AFLdict2filePass::runOnModule(Module &M) { if (!ptr || *ptr != '/') FATAL("AFL_LLVM_DICT2FILE is not set to an absolute path: %s", ptr); - if ((fd = open(ptr, O_WRONLY | O_APPEND | O_CREAT | O_DSYNC, 0644)) < 0) - PFATAL("Could not open/create %s.", ptr); + of.open(ptr, std::ofstream::out | std::ofstream::app); + if (!of.is_open()) PFATAL("Could not open/create %s.", ptr); /* Instrument all the things! */ @@ -264,11 +266,11 @@ bool AFLdict2filePass::runOnModule(Module &M) { } - dict2file(fd, (u8 *)&val, len); + dict2file((u8 *)&val, len); found++; if (val2) { - dict2file(fd, (u8 *)&val2, len); + dict2file((u8 *)&val2, len); found++; } @@ -630,7 +632,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { ptr = (char *)thestring.c_str(); - dict2file(fd, (u8 *)ptr, optLen); + dict2file((u8 *)ptr, optLen); found++; } @@ -641,7 +643,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { } - close(fd); + of.close(); /* Say something nice. */ diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index 4a5738de..c2f61d34 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -108,8 +108,8 @@ bool AFLLTOPass::runOnModule(Module &M) { // std::vector<CallInst *> calls; DenseMap<Value *, std::string *> valueMap; std::vector<BasicBlock *> BlockList; + std::ofstream dFile; char * ptr; - FILE * documentFile = NULL; size_t found = 0; srand((unsigned int)time(NULL)); @@ -137,8 +137,8 @@ bool AFLLTOPass::runOnModule(Module &M) { if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) { - if ((documentFile = fopen(ptr, "a")) == NULL) - WARNF("Cannot access document file %s", ptr); + dFile.open(ptr, std::ofstream::out | std::ofstream::app); + if (!dFile.is_open()) WARNF("Cannot access document file %s", ptr); } @@ -243,8 +243,14 @@ bool AFLLTOPass::runOnModule(Module &M) { // the instrument file list check AttributeList Attrs = F.getAttributes(); +#if LLVM_VERSION_MAJOR < 14 if (Attrs.hasAttribute(-1, StringRef("skipinstrument"))) { +#else + if (Attrs.hasFnAttr(StringRef("skipinstrument"))) { + +#endif + if (debug) fprintf(stderr, "DEBUG: Function %s is not in a source file that was specified " @@ -845,10 +851,11 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (documentFile) { + if (dFile.is_open()) { - fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n", - moduleID, F.getName().str().c_str(), afl_global_id); + dFile << "ModuleID=" << moduleID + << " Function=" << F.getName().str() + << " edgeID=" << afl_global_id << "\n"; } @@ -920,8 +927,7 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (documentFile) fclose(documentFile); - documentFile = NULL; + if (dFile.is_open()) dFile.close(); // save highest location ID to global variable // do this after each function to fail faster @@ -1016,7 +1022,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (count) { - auto ptrhld = std::unique_ptr<char []>(new char[memlen + count]); + auto ptrhld = std::unique_ptr<char[]>(new char[memlen + count]); count = 0; diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index 416dbb88..ee2e5dd3 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -116,10 +116,15 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { auto & Ctx = F.getContext(); AttributeList Attrs = F.getAttributes(); - AttrBuilder NewAttrs; +#if LLVM_VERSION_MAJOR < 14 + AttrBuilder NewAttrs; NewAttrs.addAttribute("skipinstrument"); F.setAttributes( Attrs.addAttributes(Ctx, AttributeList::FunctionIndex, NewAttrs)); +#else + AttributeList NewAttrs = Attrs.addFnAttribute(Ctx, "skipinstrument"); + F.setAttributes(NewAttrs); +#endif } diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index 13f45b69..e63be98c 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -578,16 +578,16 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M, /* dependent on the cmp of the high parts go to the end or go on with * the comparison */ - auto term = bb->getTerminator(); - BranchInst *br = nullptr; + auto term = bb->getTerminator(); + if (pred == CmpInst::ICMP_EQ) { - br = BranchInst::Create(cmp_low_bb, end_bb, icmp_high, bb); + BranchInst::Create(cmp_low_bb, end_bb, icmp_high, bb); } else { - /* CmpInst::ICMP_NE */ - br = BranchInst::Create(end_bb, cmp_low_bb, icmp_high, bb); + // CmpInst::ICMP_NE + BranchInst::Create(end_bb, cmp_low_bb, icmp_high, bb); } |