Diffstat (limited to 'qemu_mode/patches')
-rw-r--r-- | qemu_mode/patches/afl-qemu-common.h | 51 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-inl.h | 26 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 52 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-tcg-inl.h | 15 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-translate-inl.h | 24 | ||||
-rw-r--r-- | qemu_mode/patches/i386-translate.diff | 6 |
6 files changed, 116 insertions, 58 deletions
diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h
new file mode 100644
index 00000000..c475cb58
--- /dev/null
+++ b/qemu_mode/patches/afl-qemu-common.h
@@ -0,0 +1,51 @@
+/*
+ american fuzzy lop++ - high-performance binary-only instrumentation
+ -------------------------------------------------------------------
+
+ Originally written by Andrew Griffiths <agriffiths@google.com> and
+ Michal Zalewski <lcamtuf@google.com>
+
+ TCG instrumentation and block chaining support by Andrea Biondo
+ <andrea.biondo965@gmail.com>
+
+ QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
+ counters by Andrea Fioraldi <andreafioraldi@gmail.com>
+
+ Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
+ Copyright 2019 AFLplusplus Project. All rights reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at:
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ This code is a shim patched into the separately-distributed source
+ code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality
+ to implement AFL-style instrumentation and to take care of the remaining
+ parts of the AFL fork server logic.
+
+ The resulting QEMU binary is essentially a standalone instrumentation
+ tool; for an example of how to leverage it for other purposes, you can
+ have a look at afl-showmap.c.
+
+ */
+
+#include "../../config.h"
+
+/* NeverZero */
+
+#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
+# define INC_AFL_AREA(loc) \
+ asm volatile ( \
+ "incb (%0, %1, 1)\n" \
+ "adcb $0, (%0, %1, 1)\n" \
+ : /* no out */ \
+ : "r" (afl_area_ptr), "r" (loc) \
+ : "memory", "eax" \
+ )
+#else
+# define INC_AFL_AREA(loc) \
+ afl_area_ptr[loc]++
+#endif
+
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 86203a5b..4ad31b60 100644
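Review bot: `INC_AFL_AREA` pairs `incb` with `adcb $0`, but INC does not modify CF, so the carry the second instruction adds is whatever the surrounding code left in CF rather than the overflow of the counter; a 255→0 wrap is therefore not turned into 1, and a stale carry from unrelated code produces an extra increment. `addb $1, (%0, %1, 1)\n` does set CF and gives the intended never-zero behaviour; the `"eax"` clobber can go at the same time, since neither instruction writes a register. The header also has no include guard and refers to `afl_area_ptr` without declaring it, so it relies on every includer declaring that symbol first; a line such as `/* includer must declare: extern unsigned char *afl_area_ptr; */` above the macro would make that contract visible.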
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -1,19 +1,18 @@ /* - american fuzzy lop - high-performance binary-only instrumentation - ----------------------------------------------------------------- + american fuzzy lop++ - high-performance binary-only instrumentation + ------------------------------------------------------------------- - Written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> - - Idea & design very much by Andrew Griffiths. + Originally written by Andrew Griffiths <agriffiths@google.com> and + Michal Zalewski <lcamtuf@google.com> TCG instrumentation and block chaining support by Andrea Biondo <andrea.biondo965@gmail.com> - QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi - <andreafioraldi@gmail.com> + QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero + counters by Andrea Fioraldi <andreafioraldi@gmail.com> Copyright 2015, 2016, 2017 Google Inc. All rights reserved. + Copyright 2019 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -66,7 +65,7 @@ abi_ulong afl_entry_point, /* ELF entry point (_start) */ afl_start_code, /* .text start pointer */ afl_end_code; /* .text end pointer */ -u8 afl_enable_compcov; +u8 afl_compcov_level; /* Set in the child process in forkserver mode: */ @@ -159,9 +158,14 @@ static void afl_setup(void) { } + /* Maintain for compatibility */ if (getenv("AFL_QEMU_COMPCOV")) { - afl_enable_compcov = 1; + afl_compcov_level = 1; + } + if (getenv("AFL_COMPCOV_LEVEL")) { + + afl_compcov_level = atoi(getenv("AFL_COMPCOV_LEVEL")); } /* pthread_atfork() seems somewhat broken in util/rcu.c, and I'm 
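Review bot: `afl_compcov_level = atoi(getenv("AFL_COMPCOV_LEVEL"));` accepts any string: a non-numeric value yields 0 and silently disables CompareCoverage even when `AFL_QEMU_COMPCOV` was set just above, and because `afl_compcov_level` is a `u8` a negative or large value wraps to an unintended level. Parse it with `strtol` and reject leftovers and out-of-range values, e.g. `char *end; long lvl = strtol(getenv("AFL_COMPCOV_LEVEL"), &end, 10);` followed by `if (*end || lvl < 1 || lvl > 2) { /* reject bad AFL_COMPCOV_LEVEL */ }` before the assignment; 1 and 2 are the levels `afl_gen_compcov` distinguishes in this commit, so widen the bound if more are defined. afl_setup begins before this hunk.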
@@ -327,7 +331,7 @@ static void afl_wait_tsl(CPUState *cpu, int fd) { if (is_valid_addr(t.tb.pc)) { mmap_lock(); - tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, 0); + tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask); mmap_unlock(); } else { diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 0ca89c98..09ecb9d2 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -1,19 +1,18 @@ /* - american fuzzy lop - high-performance binary-only instrumentation - ----------------------------------------------------------------- + american fuzzy lop++ - high-performance binary-only instrumentation + ------------------------------------------------------------------- - Written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> - - Idea & design very much by Andrew Griffiths. + Originally written by Andrew Griffiths <agriffiths@google.com> and + Michal Zalewski <lcamtuf@google.com> TCG instrumentation and block chaining support by Andrea Biondo <andrea.biondo965@gmail.com> - - QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi - <andreafioraldi@gmail.com> + + QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero + counters by Andrea Fioraldi <andreafioraldi@gmail.com> Copyright 2015, 2016, 2017 Google Inc. All rights reserved. + Copyright 2019 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -32,7 +31,7 @@ */ -#include "../../config.h" +#include "afl-qemu-common.h" #include "tcg.h" #include "tcg-op.h" 
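Review bot: `t.tb.cf_mask` now flows from the translation request straight into `tb_gen_code`, replacing the constant 0, while only `t.tb.pc` is validated by `is_valid_addr`, and nothing in the hunk says why the requester's cflags are needed. If the reason is that cflags are part of the TB lookup key, so a block generated with 0 would never match the requester's lookup, a comment such as `/* cf_mask must match the requester's: cflags are part of the TB lookup key */` on that line would record it. The code that fills and sends the struct is outside this hunk, so I could not confirm the new field is populated on every path; afl_wait_tsl itself starts and ends outside the hunk.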
@@ -40,7 +39,7 @@ extern unsigned char *afl_area_ptr; extern unsigned int afl_inst_rms; extern abi_ulong afl_start_code, afl_end_code; -extern u8 afl_enable_compcov; +extern u8 afl_compcov_level; void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2); @@ -49,7 +48,7 @@ static void afl_compcov_log_16(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { if ((arg1 & 0xff) == (arg2 & 0xff)) { - afl_area_ptr[cur_loc]++; + INC_AFL_AREA(cur_loc); } } @@ -57,11 +56,11 @@ static void afl_compcov_log_32(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { if ((arg1 & 0xff) == (arg2 & 0xff)) { - afl_area_ptr[cur_loc]++; + INC_AFL_AREA(cur_loc); if ((arg1 & 0xffff) == (arg2 & 0xffff)) { - afl_area_ptr[cur_loc +1]++; + INC_AFL_AREA(cur_loc +1); if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { - afl_area_ptr[cur_loc +2]++; + INC_AFL_AREA(cur_loc +2); } } } @@ -71,19 +70,19 @@ static void afl_compcov_log_64(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { if ((arg1 & 0xff) == (arg2 & 0xff)) { - afl_area_ptr[cur_loc]++; + INC_AFL_AREA(cur_loc); if ((arg1 & 0xffff) == (arg2 & 0xffff)) { - afl_area_ptr[cur_loc +1]++; + INC_AFL_AREA(cur_loc +1); if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { - afl_area_ptr[cur_loc +2]++; + INC_AFL_AREA(cur_loc +2); if ((arg1 & 0xffffffff) == (arg2 & 0xffffffff)) { - afl_area_ptr[cur_loc +3]++; + INC_AFL_AREA(cur_loc +3); if ((arg1 & 0xffffffffff) == (arg2 & 0xffffffffff)) { - afl_area_ptr[cur_loc +4]++; + INC_AFL_AREA(cur_loc +4); if ((arg1 & 0xffffffffffff) == (arg2 & 0xffffffffffff)) { - afl_area_ptr[cur_loc +5]++; + INC_AFL_AREA(cur_loc +5); if ((arg1 & 0xffffffffffffff) == (arg2 & 0xffffffffffffff)) { - afl_area_ptr[cur_loc +6]++; + INC_AFL_AREA(cur_loc +6); } } } 
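Review bot: `afl_compcov_log_16`, `_32` and `_64` are three copies of the same byte-by-byte cascade differing only in depth (1, 3 and 7 entries), and the new `INC_AFL_AREA(cur_loc +1)` lines carry that duplication forward; a single loop-based helper taking the operand width would make the entry count explicit and reduce the three to one-line wrappers, so the function pointers handed to `tcg_gen_afl_compcov_log_call` stay as they are. The sketch below keeps the masks and entry order of the originals: entry i is hit only when bytes 0..i of both operands match, and the top byte is never checked, exactly as now. `afl_compcov_log_64` continues past the end of the hunk.
```c
/* Hit map entry cur_loc + i when the low i+1 bytes of arg1 and arg2 match,
   for i in 0 .. nbytes-2; the top byte is never checked, as before. */
static void afl_compcov_log(target_ulong cur_loc, target_ulong arg1,
                            target_ulong arg2, unsigned nbytes) {

  target_ulong mask = 0;

  for (unsigned i = 0; i + 1 < nbytes; i++) {

    mask = (mask << 8) | 0xff;
    if ((arg1 & mask) != (arg2 & mask)) break;
    INC_AFL_AREA(cur_loc + i);

  }

}

static void afl_compcov_log_16(target_ulong cur_loc, target_ulong arg1,
                               target_ulong arg2) {

  afl_compcov_log(cur_loc, arg1, arg2, 2);

}

/* … unchanged in shape: afl_compcov_log_32 (nbytes 4) and afl_compcov_log_64 (nbytes 8) … */
```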
@@ -95,11 +94,14 @@ static void afl_compcov_log_64(target_ulong cur_loc, target_ulong arg1, static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, - TCGMemOp ot) { + TCGMemOp ot, int is_imm) { void *func; - if (!afl_enable_compcov || cur_loc > afl_end_code || cur_loc < afl_start_code) + if (!afl_compcov_level || cur_loc > afl_end_code || cur_loc < afl_start_code) + return; + + if (!is_imm && afl_compcov_level < 2) return; switch (ot) { @@ -117,7 +119,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, } cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); - cur_loc &= MAP_SIZE - 1; + cur_loc &= MAP_SIZE - 7; if (cur_loc >= afl_inst_rms) return; diff --git a/qemu_mode/patches/afl-qemu-tcg-inl.h b/qemu_mode/patches/afl-qemu-tcg-inl.h index ff90d1b9..a9c53b8c 100644 --- a/qemu_mode/patches/afl-qemu-tcg-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-inl.h 
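Review bot: `cur_loc &= MAP_SIZE - 7;` reads as a bound but is a bit mask: assuming MAP_SIZE is a power of two, as the `MAP_SIZE - 1` it replaces already assumed, it clears bits 1 and 2, which happens to cap the value at MAP_SIZE-7 so that `cur_loc + 6` (the last entry `afl_compcov_log_64` touches) stays inside the map, while restricting base locations to those with bits 1-2 clear. It works only because of that power-of-two property and deserves a comment, e.g. `/* bit mask, not a bound: bits 1-2 stay clear so cur_loc + 6 is still < MAP_SIZE */`. The new `is_imm` parameter is undocumented; `/* is_imm: one operand is an immediate; level 1 instruments only these */` beside the signature would state the contract the added `afl_compcov_level < 2` check relies on. The switch body of afl_gen_compcov lies between the two hunks.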
@@ -1,19 +1,18 @@ /* - american fuzzy lop - high-performance binary-only instrumentation - ----------------------------------------------------------------- + american fuzzy lop++ - high-performance binary-only instrumentation + ------------------------------------------------------------------- - Written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> - - Idea & design very much by Andrew Griffiths. + Originally written by Andrew Griffiths <agriffiths@google.com> and + Michal Zalewski <lcamtuf@google.com> TCG instrumentation and block chaining support by Andrea Biondo <andrea.biondo965@gmail.com> - QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi - <andreafioraldi@gmail.com> + QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero + counters by Andrea Fioraldi <andreafioraldi@gmail.com> Copyright 2015, 2016, 2017 Google Inc. All rights reserved. + Copyright 2019 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/qemu_mode/patches/afl-qemu-translate-inl.h b/qemu_mode/patches/afl-qemu-translate-inl.h index bfb2897e..ffe43dba 100644 --- a/qemu_mode/patches/afl-qemu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-translate-inl.h 
@@ -1,19 +1,18 @@ /* - american fuzzy lop - high-performance binary-only instrumentation - ----------------------------------------------------------------- + american fuzzy lop++ - high-performance binary-only instrumentation + ------------------------------------------------------------------- - Written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> - - Idea & design very much by Andrew Griffiths. + Originally written by Andrew Griffiths <agriffiths@google.com> and + Michal Zalewski <lcamtuf@google.com> TCG instrumentation and block chaining support by Andrea Biondo <andrea.biondo965@gmail.com> - QEMU 3.1.0 port, TCG thread-safety and CompareCoverage by Andrea Fioraldi - <andreafioraldi@gmail.com> + QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero + counters by Andrea Fioraldi <andreafioraldi@gmail.com> Copyright 2015, 2016, 2017 Google Inc. All rights reserved. + Copyright 2019 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -32,7 +31,7 @@ */ -#include "../../config.h" +#include "afl-qemu-common.h" #include "tcg-op.h" /* Declared in afl-qemu-cpu-inl.h */ @@ -42,11 +41,14 @@ extern abi_ulong afl_start_code, afl_end_code; void tcg_gen_afl_maybe_log_call(target_ulong cur_loc); -void afl_maybe_log(target_ulong cur_loc) { +void afl_maybe_log(target_ulong cur_loc) { static __thread abi_ulong prev_loc; - afl_area_ptr[cur_loc ^ prev_loc]++; + register uintptr_t afl_idx = cur_loc ^ prev_loc; + + INC_AFL_AREA(afl_idx); + prev_loc = cur_loc >> 1; } diff --git a/qemu_mode/patches/i386-translate.diff b/qemu_mode/patches/i386-translate.diff index 0bc48828..239b2404 100644 --- a/qemu_mode/patches/i386-translate.diff +++ b/qemu_mode/patches/i386-translate.diff 
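Review bot: `register uintptr_t afl_idx = cur_loc ^ prev_loc;` — `register` has no effect on current compilers and can be dropped; the choice of `uintptr_t` for a map index is what needs explaining, since both operands are `target_ulong`/`abi_ulong`. If it is there so that the `"r" (loc)` operand of `INC_AFL_AREA` is a single host-word register (those types may be wider than the host word on 32-bit hosts), a comment such as `/* host-word sized so INC_AFL_AREA gets a single "r" operand */` would keep the next reader from changing it back. Whether `cur_loc` is already reduced to the map size before the call is decided by the caller, outside this hunk.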
@@ -15,11 +15,11 @@ index 0dd5fbe4..b95d341e 100644 tcg_gen_atomic_fetch_add_tl(s1->cc_srcT, s1->A0, s1->T0, s1->mem_index, ot | MO_LE); tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1); -+ afl_gen_compcov(s1->pc, s1->cc_srcT, s1->T1, ot); ++ afl_gen_compcov(s1->pc, s1->cc_srcT, s1->T1, ot, d == OR_EAX); } else { tcg_gen_mov_tl(s1->cc_srcT, s1->T0); tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1); -+ afl_gen_compcov(s1->pc, s1->T0, s1->T1, ot); ++ afl_gen_compcov(s1->pc, s1->T0, s1->T1, ot, d == OR_EAX); gen_op_st_rm_T0_A0(s1, ot, d); } gen_op_update2_cc(s1); @@ -27,7 +27,7 @@ index 0dd5fbe4..b95d341e 100644 tcg_gen_mov_tl(cpu_cc_src, s1->T1); tcg_gen_mov_tl(s1->cc_srcT, s1->T0); tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1); -+ afl_gen_compcov(s1->pc, s1->T0, s1->T1, ot); ++ afl_gen_compcov(s1->pc, s1->T0, s1->T1, ot, d == OR_EAX); set_cc_op(s1, CC_OP_SUBB + ot); break; } |
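Review bot: `d == OR_EAX` is passed as `is_imm`, but `d` is the destination operand of gen_op, not an operand kind; if I read QEMU's translate.c callers correctly it is also `OR_EAX` for register-register compares whose destination is EAX and is not `OR_EAX` for the GRP1 immediate forms against other registers, so level 1 would instrument `cmp %ebx,%eax` and skip `cmp $imm,%ebx`. Whether an operand is an immediate is known at the decode sites that call gen_op, so the flag should be derived there and passed in rather than inferred from the destination; at minimum a comment stating that `d == OR_EAX` only approximates the accumulator/immediate short form should accompany all three call sites. The three lines sit in what looks like gen_op's CMP case, whose start and end are outside this hunk.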