Diffstat (limited to 'qemu_mode/libqasan')
-rw-r--r--qemu_mode/libqasan/README.md23
-rw-r--r--qemu_mode/libqasan/dlmalloc.c25
-rw-r--r--qemu_mode/libqasan/hooks.c2
-rw-r--r--qemu_mode/libqasan/libqasan.c2
-rw-r--r--qemu_mode/libqasan/string.c2
5 files changed, 45 insertions, 9 deletions
diff --git a/qemu_mode/libqasan/README.md b/qemu_mode/libqasan/README.md
index 83fb2442..4a241233 100644
--- a/qemu_mode/libqasan/README.md
+++ b/qemu_mode/libqasan/README.md
@@ -4,16 +4,25 @@ This library is the injected runtime used by QEMU AddressSanitizer (QASan).
 
 The original repository is [here](https://github.com/andreafioraldi/qasan).
 
-The version embedded in qemuafl is an updated version of just the usermode part and this runtime is injected via LD_PRELOAD (so works just for dynamically linked binaries).
+The version embedded in qemuafl is an updated version of just the usermode part
+and this runtime is injected via LD_PRELOAD (so works just for dynamically
+linked binaries).
 
-The usage is super simple, just set the env var `AFL_USE_QASAN=1` when fuzzing in qemu mode (-Q). afl-fuzz will automatically set AFL_PRELOAD to load this library and enable the QASan instrumentation in afl-qemu-trace.
+The usage is super simple, just set the env var `AFL_USE_QASAN=1` when fuzzing
+in qemu mode (-Q). afl-fuzz will automatically set AFL_PRELOAD to load this
+library and enable the QASan instrumentation in afl-qemu-trace.
 
-For debugging purposes, we still suggest to run the original QASan as the stacktrace support for ARM (just a debug feature, it does not affect the bug finding capabilities during fuzzing) is WIP.
+For debugging purposes, we still suggest to run the original QASan as the
+stacktrace support for ARM (just a debug feature, it does not affect the bug
+finding capabilities during fuzzing) is WIP.
 
-### When I should use QASan?
+### When should I use QASan?
 
-If your target binary is PIC x86_64, you should also give a try to [retrowrite](https://github.com/HexHive/retrowrite) for static rewriting.
+If your target binary is PIC x86_64, you should also give a try to
+[retrowrite](https://github.com/HexHive/retrowrite) for static rewriting.
 
-If it fails, or if your binary is for another architecture, or you want to use persistent and snapshot mode, AFL++ QASan mode is what you want/have to use.
+If it fails, or if your binary is for another architecture, or you want to use
+persistent and snapshot mode, AFL++ QASan mode is what you want/have to use.
 
-Note that the overhead of libdislocator when combined with QEMU mode is much lower but it can catch less bugs. This is a short blanket, take your choice.
+Note that the overhead of libdislocator when combined with QEMU mode is much
+lower but it can catch less bugs. This is a short blanket, take your choice.
diff --git a/qemu_mode/libqasan/dlmalloc.c b/qemu_mode/libqasan/dlmalloc.c
index 71cafd9d..74b05e15 100644
--- a/qemu_mode/libqasan/dlmalloc.c
+++ b/qemu_mode/libqasan/dlmalloc.c
@@ -3916,6 +3916,11 @@ static void internal_malloc_stats(mstate m) {
           clear_smallmap(M, I);                                 \
                                                                 \
         } else if (RTCHECK(B == smallbin_at(M, I) ||            \
+<<<<<<< HEAD
+=======
+                                                                \
+                                                                \
+>>>>>>> e3a5c31307f323452dc4b5288e0d19a02b596a33
                            (ok_address(M, B) && B->fd == P))) { \
                                                                 \
           F->bk = B;                                            \
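Review bot: The five added lines are unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e3a5c31307f323452dc4b5288e0d19a02b596a33`) dropped into a backslash-continued macro body, and since the `<<<<<<< HEAD` line carries no trailing backslash the macro definition ends there, leaving the remaining continuation lines as stray tokens at file scope. The hunks at `@@ -4126`, `@@ -4141` and `@@ -4152` (twice) add the same markers. Both sides of each conflict are whitespace only, so the fix is to delete the three marker lines and the two blank continuation lines in every hunk and let the macro read as it did before the merge. These appear to be the small/large chunk unlinking macros (the `CORRUPTION_ERROR_ACTION` paths), so the rest of the definition should be diffed against upstream dlmalloc once the markers are gone; the enclosing macro starts and ends outside each hunk.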
@@ -4126,6 +4131,11 @@ static void internal_malloc_stats(mstate m) {
             XP->child[1] = R;                                        \
                                                                      \
         } else                                                       \
+<<<<<<< HEAD
+=======
+                                                                     \
+                                                                     \
+>>>>>>> e3a5c31307f323452dc4b5288e0d19a02b596a33
           CORRUPTION_ERROR_ACTION(M);                                \
         if (R != 0) {                                                \
                                                                      \
@@ -4141,6 +4151,11 @@ static void internal_malloc_stats(mstate m) {
                 C0->parent = R;                                      \
                                                                      \
               } else                                                 \
+<<<<<<< HEAD
+=======
+                                                                     \
+                                                                     \
+>>>>>>> e3a5c31307f323452dc4b5288e0d19a02b596a33
                 CORRUPTION_ERROR_ACTION(M);                          \
                                                                      \
             }                                                        \
@@ -4152,11 +4167,21 @@ static void internal_malloc_stats(mstate m) {
                 C1->parent = R;                                      \
                                                                      \
               } else                                                 \
+<<<<<<< HEAD
+=======
+                                                                     \
+                                                                     \
+>>>>>>> e3a5c31307f323452dc4b5288e0d19a02b596a33
                 CORRUPTION_ERROR_ACTION(M);                          \
                                                                      \
             }                                                        \
                                                                      \
           } else                                                     \
+<<<<<<< HEAD
+=======
+                                                                     \
+                                                                     \
+>>>>>>> e3a5c31307f323452dc4b5288e0d19a02b596a33
             CORRUPTION_ERROR_ACTION(M);                              \
                                                                      \
         }                                                            \
diff --git a/qemu_mode/libqasan/hooks.c b/qemu_mode/libqasan/hooks.c
index 3bb4cc42..405dddae 100644
--- a/qemu_mode/libqasan/hooks.c
+++ b/qemu_mode/libqasan/hooks.c
@@ -174,7 +174,9 @@ char *fgets(char *s, int size, FILE *stream) {
 
   QASAN_DEBUG("%14p: fgets(%p, %d, %p)\n", rtv, s, size, stream);
   QASAN_STORE(s, size);
+#ifndef __ANDROID__
   QASAN_LOAD(stream, sizeof(FILE));
+#endif
   char *r = __lq_libc_fgets(s, size, stream);
   QASAN_DEBUG("\t\t = %p\n", r);
 
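Review bot: The new `#ifndef __ANDROID__` guard around `QASAN_LOAD(stream, sizeof(FILE))` carries no comment explaining why the stream check is skipped on that platform; presumably `sizeof(FILE)` does not compile against bionic, where `FILE` is an incomplete type, but a reader cannot tell that from the hunk. I would put `/* bionic declares FILE as an opaque type, so sizeof(FILE) is not available on Android */` directly above the `#ifndef`. It is also worth stating in the comment that on Android the stream pointer is therefore passed to `__lq_libc_fgets` without any QASan validation, so a bad `stream` argument is reported by libc rather than by the sanitizer. If other stdio hooks in this file perform the same `QASAN_LOAD(stream, sizeof(FILE))` they need the same guard; fgets starts outside the hunk.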
diff --git a/qemu_mode/libqasan/libqasan.c b/qemu_mode/libqasan/libqasan.c
index 11b50270..9fc4ef7a 100644
--- a/qemu_mode/libqasan/libqasan.c
+++ b/qemu_mode/libqasan/libqasan.c
@@ -72,7 +72,7 @@ void __libqasan_print_maps(void) {
 
   QASAN_LOG("QEMU-AddressSanitizer (v%s)\n", QASAN_VERSTR);
   QASAN_LOG(
-      "Copyright (C) 2019-2020 Andrea Fioraldi <andreafioraldi@gmail.com>\n");
+      "Copyright (C) 2019-2021 Andrea Fioraldi <andreafioraldi@gmail.com>\n");
   QASAN_LOG("\n");
 
   if (__qasan_log) __libqasan_print_maps();
diff --git a/qemu_mode/libqasan/string.c b/qemu_mode/libqasan/string.c
index 4be01279..c850463b 100644
--- a/qemu_mode/libqasan/string.c
+++ b/qemu_mode/libqasan/string.c
@@ -271,7 +271,7 @@ void *__libqasan_memmem(const void *haystack, size_t haystack_len,
 
     }
 
-  } while (++h <= end);
+  } while (h++ <= end);
 
   return 0;
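Review bot: Switching the loop condition from `++h <= end` to `h++ <= end` lets the body run one extra time with `h == end + 1`: the old test stopped as soon as the incremented pointer passed `end`, the new one compares the pre-increment pointer and then advances past it. If `end` is the last valid start position for the needle (haystack plus `haystack_len - needle_len`, which is how the rest of this function appears to be written, though the definition is outside the hunk), that final iteration reads `needle_len` bytes starting one past the last in-bounds candidate, i.e. past the end of `haystack`, and may return a match that straddles the buffer. `} while (h++ < end);` covers exactly the same positions as the original `++h <= end` while keeping the post-increment form; if the intent was instead that the original skipped the last candidate, the fix belongs in how `end` is computed rather than in the comparison. `__libqasan_memmem` starts outside the hunk.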