Diffstat (limited to 'llvm_mode')
-rw-r--r--llvm_mode/README.lto.md3
-rw-r--r--llvm_mode/afl-llvm-lto-instrumentation.so.cc45
-rw-r--r--llvm_mode/afl-llvm-rt.o.c4
3 files changed, 32 insertions, 20 deletions
diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md
index 48d0e36c..9fc444df 100644
--- a/llvm_mode/README.lto.md
+++ b/llvm_mode/README.lto.md
@@ -50,7 +50,8 @@ Example build output from a libtiff build:
 libtool: link: afl-clang-lto -g -O2 -Wall -W -o thumbnail thumbnail.o  ../libtiff/.libs/libtiff.a ../port/.libs/libport.a -llzma -ljbig -ljpeg -lz -lm
 afl-clang-lto++2.63d by Marc "vanHauser" Heuse <mh@mh-sec.de> in mode LTO
 afl-llvm-lto++2.63d by Marc "vanHauser" Heuse <mh@mh-sec.de>
-[+] Instrumented 11836 locations with no collisions (on average 1007 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode).
+AUTODICTIONARY: 11 strings found
+[+] Instrumented 12071 locations with no collisions (on average 1046 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode).
 ```
 
 ## Building llvm 11
diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
index 28f6bf9e..5cdf0b70 100644
--- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc
+++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
@@ -468,15 +468,13 @@ bool AFLLTOPass::runOnModule(Module &M) {
       TmpConstStr.append("\0", 1);
       ConstStr = StringRef(TmpConstStr);
 
-      if (isSizedcmp && constLen > sizedLen) { constLen = sizedLen; }
+      if (isSizedcmp && constLen > sizedLen) constLen = sizedLen;
 
-      /*
-            if (!be_quiet)
-              errs() << callInst->getCalledFunction()->getName() << ": len "
-                     << constLen << ": " << ConstStr << "\n";
-      */
+      if (debug)
+        errs() << callInst->getCalledFunction()->getName() << ": len "
+               << constLen << ": " << ConstStr << "\n";
 
-      if (constLen && constLen < MAX_DICT_FILE)
+      if (constLen >= MIN_AUTO_EXTRA && constLen <= MAX_DICT_FILE)
         dictionary.push_back(ConstStr.str().substr(0, constLen));
 
     }
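Review bot: The upper bound on L47 now admits constLen == MAX_DICT_FILE, while the token length is later stored in a single byte (`ptr[offset++] = (uint8_t)token.length();` in the dictionary write loop), so the inclusive bound is only safe if MAX_DICT_FILE is at most 255; a `static_assert(MAX_DICT_FILE <= 255, "dictionary token length must fit in one byte");` next to the check would pin that assumption. The new debug output on L42-L44 prints ConstStr raw, which includes the NUL appended on L31 and any non-printable bytes of the constant, so `ConstStr.substr(0, constLen)` would at least print what is actually stored. runOnModule begins and ends outside this hunk.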
@@ -514,14 +512,22 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
     if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL) {
 
-      GlobalVariable *AFLFinalLoc = new GlobalVariable(
-          M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc",
-          0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
-      ConstantInt *const_loc =
-          ConstantInt::get(Int32Ty, (((afl_global_id + 8) >> 3) << 3));
-      StoreInst *StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc);
-      StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"),
-                                 MDNode::get(C, None));
+      uint32_t write_loc = afl_global_id;
+
+      if (afl_global_id % 8) write_loc = (((afl_global_id + 8) >> 3) << 3);
+
+      if (write_loc <= MAP_SIZE && write_loc <= 0x800000) {
+
+        GlobalVariable *AFLFinalLoc = new GlobalVariable(
+            M, Int32Ty, true, GlobalValue::ExternalLinkage, 0,
+            "__afl_final_loc", 0, GlobalVariable::GeneralDynamicTLSModel, 0,
+            false);
+        ConstantInt *const_loc = ConstantInt::get(Int32Ty, write_loc);
+        StoreInst *  StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc);
+        StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"),
+                                   MDNode::get(C, None));
+
+      }
 
     }
 
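Review bot: When write_loc exceeds MAP_SIZE or 0x800000 the `__afl_final_loc` global is silently not emitted (L67-L78), so the binary runs with whatever map size the runtime defaults to while the pass still reports a successful instrumentation count; an `else` branch such as `else if (!be_quiet) errs() << "WARNING: " << write_loc << " locations exceed the supported map size, __afl_final_loc not written\n";` would make the degraded state visible. The literal 0x800000 is the same bound this commit applies to map_size in afl-llvm-rt.o.c; a shared named constant would keep the pass and the runtime from drifting apart. runOnModule begins and ends outside this hunk.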
@@ -537,7 +543,9 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
       }
 
-      if (!be_quiet) printf("AUTODICTIONARY: %lu strings found\n", count);
+      if (!be_quiet)
+        printf("AUTODICTIONARY: %lu string%s found\n", count,
+               count == 1 ? "" : "s");
 
       if (count) {
 
@@ -549,13 +557,16 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
         }
 
+        count = 0;
+
         for (auto token : dictionary) {
 
-          if (offset + token.length() < 0xfffff0) {
+          if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) {
 
             ptr[offset++] = (uint8_t)token.length();
             memcpy(ptr + offset, token.c_str(), token.length());
             offset += token.length();
+            count++;
 
           }
 
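Review bot: Tokens skipped because `count` reached MAX_AUTO_EXTRAS or the buffer bound on L102 are dropped silently, while the "AUTODICTIONARY: ... found" message printed before the reset on L97 reported the full total, so the number the user sees may not match what the binary carries. Reporting the written count after the loop when it differs, e.g. `if (!be_quiet && count < dictionary.size()) printf("AUTODICTIONARY: %lu of %zu strings written\n", count, dictionary.size());` (assuming count keeps the type already used with `%lu` on L88), closes that gap. The enclosing loop and the allocation of ptr lie outside this hunk.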
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index cbc4648d..3ad9eab4 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -208,7 +208,7 @@ static void __afl_start_snapshots(void) {
      assume we're not running in forkserver mode and just execute program. */
 
   status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT);
-  if (map_size <= 0x1000000)
+  if (map_size <= 0x800000)
     status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE);
   if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT;
   memcpy(tmp, &status, 4);
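Review bot: The bound on L120, and the identical one on L129 in the next hunk, is a bare literal that changed from 0x1000000 to 0x800000 with no comment saying what it derives from — presumably the largest value FS_OPT_SET_MAPSIZE can encode in the status word, but that is not visible here. Since the same value also gates the `__afl_final_loc` write in afl-llvm-lto-instrumentation.so.cc in this commit, a single named constant in the shared configuration header, with a comment such as `/* largest map size the forkserver status word can carry; keep in sync with the LTO pass */`, would keep the three sites consistent. Both enclosing functions begin and end outside their hunks.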
@@ -373,7 +373,7 @@ static void __afl_start_forkserver(void) {
 
   void (*old_sigchld_handler)(int) = 0;  // = signal(SIGCHLD, SIG_DFL);
 
-  if (map_size <= 0x1000000)
+  if (map_size <= 0x800000)
     status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE);
   if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT;
   if (status) status |= (FS_OPT_ENABLED);