Diffstat (limited to 'instrumentation')
-rw-r--r--instrumentation/README.cmplog.md5
-rw-r--r--instrumentation/SanitizerCoverageLTO.so.cc3
-rw-r--r--instrumentation/SanitizerCoveragePCGUARD.so.cc1
-rw-r--r--instrumentation/compare-transform-pass.so.cc54
4 files changed, 48 insertions, 15 deletions
diff --git a/instrumentation/README.cmplog.md b/instrumentation/README.cmplog.md
index a2caca4f..8a9fd372 100644
--- a/instrumentation/README.cmplog.md
+++ b/instrumentation/README.cmplog.md
@@ -4,9 +4,8 @@ The CmpLog instrumentation enables logging of comparison operands in a shared
 memory.
 
 These values can be used by various mutators built on top of it. At the moment,
-we support the RedQueen mutator (input-2-state instructions only), for details
-see
-[the RedQueen paper](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf).
+we support the Redqueen mutator (input-2-state instructions only), for details
+see [the Redqueen paper](https://github.com/RUB-SysSec/redqueen).
 
 ## Build
 
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 597a24b1..6a4a071f 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1275,7 +1275,7 @@ void ModuleSanitizerCoverage::instrumentFunction(
   const DominatorTree *    DT = DTCallback(F);
   const PostDominatorTree *PDT = PDTCallback(F);
   bool                     IsLeafFunc = true;
-  uint32_t                 skip_next = 0, local_selects = 0;
+  uint32_t                 skip_next = 0;
 
   for (auto &BB : F) {
 
@@ -1385,7 +1385,6 @@ void ModuleSanitizerCoverage::instrumentFunction(
 
         }
 
-        local_selects++;
         uint32_t vector_cur = 0;
         /* Load SHM pointer */
         LoadInst *MapPtr =
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index c422d858..e4ffeb50 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -1054,7 +1054,6 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function &             F,
 
         }
 
-        local_selects++;
         uint32_t vector_cur = 0;
 
         /* Load SHM pointer */
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 3f6a6763..c3a4ee34 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -383,17 +383,56 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
     bool        isMemcmp = false;
     bool        isSizedcmp = false;
     bool        isCaseInsensitive = false;
+    bool        needs_null = false;
     Function *  Callee = callInst->getCalledFunction();
     if (Callee) {
 
-      isMemcmp = Callee->getName().compare("memcmp") == 0;
-      isSizedcmp = isMemcmp || Callee->getName().compare("strncmp") == 0 ||
-                   Callee->getName().compare("strncasecmp") == 0;
-      isCaseInsensitive = Callee->getName().compare("strcasecmp") == 0 ||
-                          Callee->getName().compare("strncasecmp") == 0;
+      if (!Callee->getName().compare("memcmp") ||
+          !Callee->getName().compare("bcmp") ||
+          !Callee->getName().compare("CRYPTO_memcmp") ||
+          !Callee->getName().compare("OPENSSL_memcmp") ||
+          !Callee->getName().compare("memcmp_const_time") ||
+          !Callee->getName().compare("memcmpct") ||
+          !Callee->getName().compare("llvm.memcpy.p0i8.p0i8.i64"))
+        isMemcmp = true;
+
+      if (isMemcmp || !Callee->getName().compare("strncmp") ||
+          !Callee->getName().compare("xmlStrncmp") ||
+          !Callee->getName().compare("curl_strnequal") ||
+          !Callee->getName().compare("strncasecmp") ||
+          !Callee->getName().compare("strnicmp") ||
+          !Callee->getName().compare("ap_cstr_casecmpn") ||
+          !Callee->getName().compare("OPENSSL_strncasecmp") ||
+          !Callee->getName().compare("xmlStrncasecmp") ||
+          !Callee->getName().compare("g_ascii_strncasecmp") ||
+          !Callee->getName().compare("Curl_strncasecompare") ||
+          !Callee->getName().compare("g_strncasecmp"))
+        isSizedcmp = true;
+
+      if (!Callee->getName().compare("strcasecmp") ||
+          !Callee->getName().compare("stricmp") ||
+          !Callee->getName().compare("ap_cstr_casecmp") ||
+          !Callee->getName().compare("OPENSSL_strcasecmp") ||
+          !Callee->getName().compare("xmlStrcasecmp") ||
+          !Callee->getName().compare("g_strcasecmp") ||
+          !Callee->getName().compare("g_ascii_strcasecmp") ||
+          !Callee->getName().compare("Curl_strcasecompare") ||
+          !Callee->getName().compare("Curl_safe_strcasecompare") ||
+          !Callee->getName().compare("cmsstrcasecmp") ||
+          !Callee->getName().compare("strncasecmp") ||
+          !Callee->getName().compare("strnicmp") ||
+          !Callee->getName().compare("ap_cstr_casecmpn") ||
+          !Callee->getName().compare("OPENSSL_strncasecmp") ||
+          !Callee->getName().compare("xmlStrncasecmp") ||
+          !Callee->getName().compare("g_ascii_strncasecmp") ||
+          !Callee->getName().compare("Curl_strncasecompare") ||
+          !Callee->getName().compare("g_strncasecmp"))
+        isCaseInsensitive = true;
 
     }
 
+    if (!isSizedcmp) needs_null = true;
+
     Value *sizedValue = isSizedcmp ? callInst->getArgOperand(2) : NULL;
     bool   isConstSized = sizedValue && isa<ConstantInt>(sizedValue);
 
@@ -447,17 +486,14 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 
     // the following is in general OK, but strncmp is sometimes used in binary
     // data structures and this can result in crashes :( so it is commented out
-    /*
 
     // add null termination character implicit in c strings
-    if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1]) {
+    if (needs_null && TmpConstStr[TmpConstStr.length() - 1] != 0) {
 
       TmpConstStr.append("\0", 1);
 
     }
 
-    */
-
     // in the unusual case the const str has embedded null
     // characters, the string comparison functions should terminate
     // at the first null
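Review bot: The comment kept above the re-enabled block still says the code "is commented out", which is no longer true once the `/*` and `*/` are removed; it should describe the new rule instead, e.g. `// strncmp/memcmp are sometimes used on binary data, so the implicit NUL terminator is appended only for unsized (C string) compares`. The re-enabled condition indexes `TmpConstStr[TmpConstStr.length() - 1]`, which wraps to an out-of-range index when the string is empty; if nothing earlier in transformCmps guarantees a non-empty constant, guard it as `if (needs_null && !TmpConstStr.empty() && TmpConstStr[TmpConstStr.length() - 1] != 0) {`. transformCmps begins before this hunk, so whether such a guarantee exists cannot be confirmed from the diff.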