diff options
Diffstat (limited to 'llvm_mode')
-rw-r--r-- | llvm_mode/README.lto.md | 3 | ||||
-rw-r--r-- | llvm_mode/afl-llvm-lto-instrumentation.so.cc | 45 | ||||
-rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 4 |
3 files changed, 32 insertions, 20 deletions
diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 48d0e36c..9fc444df 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -50,7 +50,8 @@ Example build output from a libtiff build: libtool: link: afl-clang-lto -g -O2 -Wall -W -o thumbnail thumbnail.o ../libtiff/.libs/libtiff.a ../port/.libs/libport.a -llzma -ljbig -ljpeg -lz -lm afl-clang-lto++2.63d by Marc "vanHauser" Heuse <mh@mh-sec.de> in mode LTO afl-llvm-lto++2.63d by Marc "vanHauser" Heuse <mh@mh-sec.de> -[+] Instrumented 11836 locations with no collisions (on average 1007 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). +AUTODICTIONARY: 11 strings found +[+] Instrumented 12071 locations with no collisions (on average 1046 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). ``` ## Building llvm 11 diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 28f6bf9e..5cdf0b70 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -468,15 +468,13 @@ bool AFLLTOPass::runOnModule(Module &M) { TmpConstStr.append("\0", 1); ConstStr = StringRef(TmpConstStr); - if (isSizedcmp && constLen > sizedLen) { constLen = sizedLen; } + if (isSizedcmp && constLen > sizedLen) constLen = sizedLen; - /* - if (!be_quiet) - errs() << callInst->getCalledFunction()->getName() << ": len " - << constLen << ": " << ConstStr << "\n"; - */ + if (debug) + errs() << callInst->getCalledFunction()->getName() << ": len " + << constLen << ": " << ConstStr << "\n"; - if (constLen && constLen < MAX_DICT_FILE) + if (constLen >= MIN_AUTO_EXTRA && constLen <= MAX_DICT_FILE) dictionary.push_back(ConstStr.str().substr(0, constLen)); } @@ -514,14 +512,22 @@ bool AFLLTOPass::runOnModule(Module &M) { if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL) { - GlobalVariable *AFLFinalLoc = new GlobalVariable( - M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc", - 0, GlobalVariable::GeneralDynamicTLSModel, 0, false); - ConstantInt *const_loc = - ConstantInt::get(Int32Ty, (((afl_global_id + 8) >> 3) << 3)); - StoreInst *StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); - StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(C, None)); + uint32_t write_loc = afl_global_id; + + if (afl_global_id % 8) write_loc = (((afl_global_id + 8) >> 3) << 3); + + if (write_loc <= MAP_SIZE && write_loc <= 0x800000) { + + GlobalVariable *AFLFinalLoc = new GlobalVariable( + M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, + "__afl_final_loc", 0, GlobalVariable::GeneralDynamicTLSModel, 0, + false); + ConstantInt *const_loc = ConstantInt::get(Int32Ty, write_loc); + StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } } @@ -537,7 +543,9 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (!be_quiet) printf("AUTODICTIONARY: %lu strings found\n", count); + if (!be_quiet) + printf("AUTODICTIONARY: %lu string%s found\n", count, + count == 1 ? "" : "s"); if (count) { @@ -549,13 +557,16 @@ bool AFLLTOPass::runOnModule(Module &M) { } + count = 0; + for (auto token : dictionary) { - if (offset + token.length() < 0xfffff0) { + if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) { ptr[offset++] = (uint8_t)token.length(); memcpy(ptr + offset, token.c_str(), token.length()); offset += token.length(); + count++; } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index cbc4648d..3ad9eab4 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -208,7 +208,7 @@ static void __afl_start_snapshots(void) { assume we're not running in forkserver mode and just execute program. */ status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT); - if (map_size <= 0x1000000) + if (map_size <= 0x800000) status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; memcpy(tmp, &status, 4); @@ -373,7 +373,7 @@ static void __afl_start_forkserver(void) { void (*old_sigchld_handler)(int) = 0; // = signal(SIGCHLD, SIG_DFL); - if (map_size <= 0x1000000) + if (map_size <= 0x800000) status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; if (status) status |= (FS_OPT_ENABLED); |