Diffstat (limited to 'llvm_mode')
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 10 | ||||
-rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 25 | ||||
-rw-r--r-- | llvm_mode/cmplog-routines-pass.cc | 38 |
3 files changed, 36 insertions, 37 deletions
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 683b6bee..fe987157 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -202,13 +202,13 @@ static void edit_params(u32 argc, char** argv) {
 if (cmplog_mode) {
 cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard,trace-cmp";
-
+
 cc_params[cc_par_cnt++] = "-Xclang";
 cc_params[cc_par_cnt++] = "-load";
 cc_params[cc_par_cnt++] = "-Xclang";
 cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-routines-pass.so", obj_path);
-
+
 cc_params[cc_par_cnt++] = "-fno-inline";
 } else {
@@ -423,8 +423,7 @@ static void edit_params(u32 argc, char** argv) {
 break;
 case 32:
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
+ cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
 if (access(cc_params[cc_par_cnt - 1], R_OK))
 FATAL("-m32 is not supported by your compiler");
@@ -432,8 +431,7 @@ static void edit_params(u32 argc, char** argv) {
 break;
 case 64:
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
+ cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
 if (access(cc_params[cc_par_cnt - 1], R_OK))
 FATAL("-m64 is not supported by your compiler");
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index d776462c..5d6e30f5 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -370,7 +370,7 @@ void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) {
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (k >> 4) ^ (k << 8);
 k &= CMP_MAP_W - 1;
-
+
 __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
 u32 hits = __afl_cmp_map->headers[k].hits;
@@ -394,7 +394,7 @@ void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) {
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (k >> 4) ^ (k << 8);
 k &= CMP_MAP_W - 1;
-
+
 __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
 u32 hits = __afl_cmp_map->headers[k].hits;
@@ -415,7 +415,7 @@ void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) {
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (k >> 4) ^ (k << 8);
 k &= CMP_MAP_W - 1;
-
+
 __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
 u32 hits = __afl_cmp_map->headers[k].hits;
@@ -473,21 +473,19 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) {
 // to avoid to call it on .text addresses
 static int area_is_mapped(void* ptr, size_t len) {
- char * p = ptr;
- char * page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) -1));
+ char* p = ptr;
+ char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
 int r = msync(page, (p - page) + len, MS_ASYNC);
- if (r < 0)
- return errno != ENOMEM;
+ if (r < 0) return errno != ENOMEM;
 return 1;
 }
 void __cmplog_rtn_hook(void* ptr1, void* ptr2) {
- if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32))
- return;
-
+ if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return;
+
 uintptr_t k = (uintptr_t)__builtin_return_address(0);
 k = (k >> 4) ^ (k << 8);
 k &= CMP_MAP_W - 1;
@@ -500,7 +498,10 @@ void __cmplog_rtn_hook(void* ptr1, void* ptr2) {
 __afl_cmp_map->headers[k].shape = 31;
 hits &= CMP_MAP_RTN_H - 1;
- __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0, ptr1, 32);
- __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1, ptr2, 32);
+ __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0,
+ ptr1, 32);
+ __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1,
+ ptr2, 32);
 }
+
diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc
index e7125f9f..b24aaa4e 100644
--- a/llvm_mode/cmplog-routines-pass.cc
+++ b/llvm_mode/cmplog-routines-pass.cc
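Review bot: `area_is_mapped()` in the -473 hunk treats every msync() failure other than ENOMEM as "mapped" (`return errno != ENOMEM`), so any other error lets `__cmplog_rtn_hook()` go on to copy 32 bytes from a pointer whose readability was never established, and the check-then-copy is in any case a race against concurrent unmapping in a threaded target. The copies in the -500 hunk read a fixed 32 bytes from `ptr1`/`ptr2` regardless of the real object size, so a short string is over-read past its terminator whenever the following bytes are still mapped; that follows from the routine heuristic in cmplog-routines-pass.cc rather than from this hunk, but the assumption deserves a comment here. I would add above `area_is_mapped` something like `/* Best-effort probe: only ENOMEM from msync() proves the range is unmapped; any other error is treated as readable, and the answer may be stale by the time the caller copies. */`. `__cmplog_rtn_hook` starts in this hunk but its body continues past it into the -500 hunk.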
@@ -107,15 +107,16 @@ bool CmpLogRoutines::hookRtns(Module &M) {
 std::vector<CallInst *> calls;
 LLVMContext & C = M.getContext();
- Type * VoidTy = Type::getVoidTy(C);
- PointerType * VoidPtrTy = PointerType::get(VoidTy, 0);
+ Type * VoidTy = Type::getVoidTy(C);
+ PointerType *VoidPtrTy = PointerType::get(VoidTy, 0);
 #if LLVM_VERSION_MAJOR < 9
 Constant *
 #else
 FunctionCallee
 #endif
- c = M.getOrInsertFunction("__cmplog_rtn_hook", VoidTy, VoidPtrTy, VoidPtrTy
+ c = M.getOrInsertFunction("__cmplog_rtn_hook", VoidTy, VoidPtrTy,
+ VoidPtrTy
 #if LLVM_VERSION_MAJOR < 5
 , NULL
@@ -255,14 +256,13 @@ bool CmpLogRoutines::hookRtns(Module &M) {
 FunctionType *FT = Callee->getFunctionType();
- bool isPtrRtn =
- FT->getNumParams() >= 2 && !FT->getReturnType()->isVoidTy() &&
- FT->getParamType(0) == FT->getParamType(1) &&
- FT->getParamType(0)->isPointerTy();
-
- if (!isPtrRtn)
- continue;
-
+ bool isPtrRtn = FT->getNumParams() >= 2 &&
+ !FT->getReturnType()->isVoidTy() &&
+ FT->getParamType(0) == FT->getParamType(1) &&
+ FT->getParamType(0)->isPointerTy();
+
+ if (!isPtrRtn) continue;
+
 calls.push_back(callInst);
 }
@@ -278,16 +278,15 @@ bool CmpLogRoutines::hookRtns(Module &M) {
 for (auto &callInst : calls) {
- Value *v1P = callInst->getArgOperand(0),
- *v2P = callInst->getArgOperand(1);
-
+ Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1);
+
 IRBuilder<> IRB(callInst->getParent());
 IRB.SetInsertPoint(callInst);
-
- std::vector<Value*> args;
+
+ std::vector<Value *> args;
 args.push_back(v1P);
 args.push_back(v2P);
-
+
 IRB.CreateCall(cmplogHookFn, args, "tmp");
 // errs() << callInst->getCalledFunction()->getName() << "\n";
@@ -301,7 +300,8 @@ bool CmpLogRoutines::hookRtns(Module &M) {
 bool CmpLogRoutines::runOnModule(Module &M) {
 if (getenv("AFL_QUIET") == NULL)
- llvm::errs() << "Running cmplog-routines-pass by andreafioraldi@gmail.com\n";
+ llvm::errs()
+ << "Running cmplog-routines-pass by andreafioraldi@gmail.com\n";
 hookRtns(M);
 verifyModule(M);
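Review bot: The `isPtrRtn` filter in the -255 hunk selects any call whose first two parameters share a pointer type and whose return is non-void, which matches far more than the strcmp/memcmp family it is presumably meant for, and every such call then routes two arbitrary pointers into `__cmplog_rtn_hook`, which the runtime side reads 32 bytes from each. That is the reason the runtime needs its mapped-page probe, and the assumption should be stated where it is made: I would add above `bool isPtrRtn` the comment `// Heuristic: any fn(ptr, ptr, ...) returning non-void is treated as a comparison routine; the hook copies 32 bytes from each pointer, so both must be readable.` The enclosing loop and `hookRtns` start and end outside this hunk.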
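Review bot: `IRB.CreateCall(cmplogHookFn, args, "tmp")` in the -278 hunk attaches a name to the result of a call to a void function; as far as I recall LLVM's `Value::setName` asserts on void-typed values, so this only stays silent in builds that discard value names or have assertions disabled. Dropping the name, `IRB.CreateCall(cmplogHookFn, args);`, removes the dependency on the host LLVM configuration. The `for (auto &callInst : calls)` loop ends outside this hunk.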
@@ -310,7 +310,7 @@ bool CmpLogRoutines::runOnModule(Module &M) {
 }
 static void registerCmpLogRoutinesPass(const PassManagerBuilder &,
- legacy::PassManagerBase &PM) {
+ legacy::PassManagerBase &PM) {
 auto p = new CmpLogRoutines();
 PM.add(p);
 |