diff options
Diffstat (limited to 'qemu_mode/patches')
| -rw-r--r-- | qemu_mode/patches/afl-qemu-common.h | 52 | ||||
| -rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 16 | ||||
| -rw-r--r-- | qemu_mode/patches/afl-qemu-translate-inl.h | 14 | 
3 files changed, 55 insertions, 27 deletions
| diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h new file mode 100644 index 00000000..8013800d --- /dev/null +++ b/qemu_mode/patches/afl-qemu-common.h @@ -0,0 +1,52 @@ +/* + american fuzzy lop - high-performance binary-only instrumentation + ----------------------------------------------------------------- + + Written by Andrew Griffiths <agriffiths@google.com> and + Michal Zalewski <lcamtuf@google.com> + + Idea & design very much by Andrew Griffiths. + + TCG instrumentation and block chaining support by Andrea Biondo + <andrea.biondo965@gmail.com> + + QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi + <andreafioraldi@gmail.com> + + Copyright 2015, 2016, 2017 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This code is a shim patched into the separately-distributed source + code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality + to implement AFL-style instrumentation and to take care of the remaining + parts of the AFL fork server logic. + + The resulting QEMU binary is essentially a standalone instrumentation + tool; for an example of how to leverage it for other purposes, you can + have a look at afl-showmap.c. + + */ + +#include "../../config.h" + +/* NeverZero */ + +#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) +# define INC_AFL_AREA(loc) \ + asm volatile ( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r" (afl_area_ptr), "r" (loc) \ + : "memory", "eax" \ + ) +#else +# define INC_AFL_AREA(loc) \ + afl_area_ptr[loc]++ +#endif + diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index e91e9ffa..fc78e652 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -32,7 +32,7 @@ */ -#include "../../config.h" +#include "afl-qemu-common.h" #include "tcg.h" #include "tcg-op.h" @@ -45,20 +45,6 @@ extern u8 afl_compcov_level; void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2); -#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -# define INC_AFL_AREA(loc) \ - asm volatile ( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r" (afl_area_ptr), "r" (loc) \ - : "memory", "eax" \ - ) -#else -# define INC_AFL_AREA(loc) \ - afl_area_ptr[loc]++ -#endif - static void afl_compcov_log_16(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { diff --git a/qemu_mode/patches/afl-qemu-translate-inl.h b/qemu_mode/patches/afl-qemu-translate-inl.h index a33e17b7..d63c5167 100644 --- a/qemu_mode/patches/afl-qemu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-translate-inl.h @@ -32,7 +32,7 @@ */ -#include "../../config.h" +#include "afl-qemu-common.h" #include "tcg-op.h" /* Declared in afl-qemu-cpu-inl.h */ @@ -48,17 +48,7 @@ void afl_maybe_log(target_ulong cur_loc) { register uintptr_t afl_idx = cur_loc ^ prev_loc; -#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) - asm volatile ( - "incb (%0, %1, 1)\n" - "adcb $0, (%0, %1, 1)\n" - : /* no out */ - : "r" (afl_area_ptr), "r" (afl_idx) - : "memory", "eax" - ); -#else - afl_area_ptr[afl_idx]++; -#endif + INC_AFL_AREA(afl_idx); prev_loc = cur_loc >> 1; | 
