From 380051868a7531830d94d312f0f11b0e19e3284f Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 10 Sep 2020 15:26:46 +0200
Subject: add libfuzzer custom mutator, minor enhancements and fixes
---
 .../libfuzzer/FuzzerExtFunctionsDlsym.cpp | 60 ++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
(limited to 'custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp')
diff --git a/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp b/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
new file mode 100644
index 00000000..8009b237
--- /dev/null
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
@@ -0,0 +1,60 @@
+//===- FuzzerExtFunctionsDlsym.cpp - Interface to external functions ------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Implementation for operating systems that support dlsym(). We only use it on
+// Apple platforms for now. We don't use this approach on Linux because it
+// requires that clients of LibFuzzer pass ``--export-dynamic`` to the linker.
+// That is a complication we don't wish to expose to clients right now.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_APPLE
+
+  #include "FuzzerExtFunctions.h"
+  #include "FuzzerIO.h"
+  #include 
+
+using namespace fuzzer;
+
+template 
+static T GetFnPtr(const char *FnName, bool WarnIfMissing) {
+
+  dlerror(); // Clear any previous errors.
+  void *Fn = dlsym(RTLD_DEFAULT, FnName);
+  if (Fn == nullptr) {
+
+    if (WarnIfMissing) {
+
+      const char *ErrorMsg = dlerror();
+      Printf("WARNING: Failed to find function \"%s\".", FnName);
+      if (ErrorMsg) Printf(" Reason %s.", ErrorMsg);
+      Printf("\n");
+
+    }
+
+  }
+
+  return reinterpret_cast(Fn);
+
+}
+
+namespace fuzzer {
+
+ExternalFunctions::ExternalFunctions() {
+\
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
+    this->NAME = GetFnPtr(#NAME, WARN)
+
+  #include "FuzzerExtFunctions.def"
+
+  #undef EXT_FUNC
+
+}
+
+} // namespace fuzzer
+
+#endif // LIBFUZZER_APPLE
+
-- 
cgit 1.4.1
From 862b6d0382a132cc5338cfdcdc2c30c2cd8d578b Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 11 Sep 2020 08:56:28 +0200
Subject: fix for afl-compiler-rt to only send dictionary data if there is some
---
 custom_mutators/libfuzzer/FuzzerDriver.cpp | 2 +-
 .../libfuzzer/FuzzerExtFunctionsDlsym.cpp | 4 ++--
 .../libfuzzer/FuzzerExtFunctionsWeak.cpp | 7 +++----
 .../libfuzzer/FuzzerExtFunctionsWindows.cpp | 23 +++++++++++-----------
 instrumentation/afl-compiler-rt.o.c | 6 ++++--
 5 files changed, 22 insertions(+), 20 deletions(-)
(limited to 'custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp')
diff --git a/custom_mutators/libfuzzer/FuzzerDriver.cpp b/custom_mutators/libfuzzer/FuzzerDriver.cpp
index 9a0a32b0..6468a02e 100644
--- a/custom_mutators/libfuzzer/FuzzerDriver.cpp
+++ b/custom_mutators/libfuzzer/FuzzerDriver.cpp
@@ -77,7 +77,7 @@ struct {
 } Flags;
 
 static const FlagDescription FlagDescriptions[]{
-\
+
   #define FUZZER_DEPRECATED_FLAG(Name) \
     {#Name, "Deprecated; don't use", 0, nullptr, nullptr, nullptr},
   #define FUZZER_FLAG_INT(Name, Default, Description) \
diff --git a/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp b/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
index 8009b237..4a4d58fc 100644
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
@@ -45,8 +45,8 @@ namespace fuzzer {
 
 ExternalFunctions::ExternalFunctions() {
 \
-  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
-    this->NAME = GetFnPtr(#NAME, WARN)
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) this->NAME =
+      GetFnPtr < decltype(ExternalFunctions::NAME)>(#NAME, WARN)
 
   #include "FuzzerExtFunctions.def"
 
diff --git a/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp b/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
index c7a1d05e..bbd8f3ba 100644
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
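Review bot: The rewritten `EXT_FUNC` in the FuzzerExtFunctionsDlsym.cpp hunk loses its line continuation: the removed definition ended in `\`, the added one ends at `this->NAME =`, so the following added line `GetFnPtr < decltype(ExternalFunctions::NAME)>(#NAME, WARN)` is no longer macro body but a bare statement in the constructor, and each `EXT_FUNC(...)` expanded from FuzzerExtFunctions.def becomes `this->NAME = ;`. The same dropped continuation appears in the FuzzerExtFunctionsWeak.cpp hunk (`this->NAME = ::NAME;` followed by an orphaned `CheckFnPtr(...)` call) and in both FuzzerExtFunctionsWindows.cpp hunks, where `#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)` now expands to nothing and the stub `RETURN_TYPE NAME##Def FUNC_SIG { ... }` that follows is compiled outside any macro. This looks like a formatter rewrapping multi-line macros; each wrapped line needs its trailing backslash restored, e.g. `#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \` / `  this->NAME = GetFnPtr < decltype(ExternalFunctions::NAME)>(#NAME, WARN)`. The `ExternalFunctions()` constructor edited in these hunks closes outside each hunk, and since the Weak variant appears to be the non-Apple, non-Windows path, the libfuzzer custom mutator presumably no longer builds on Linux after this commit — worth confirming with a build before merge.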
@@ -46,10 +46,9 @@ namespace fuzzer {
 
 ExternalFunctions::ExternalFunctions() {
 \
-  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
-    this->NAME = ::NAME; \
-    CheckFnPtr(reinterpret_cast(reinterpret_cast(::NAME)), \
-               #NAME, WARN);
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) this->NAME = ::NAME;
+  CheckFnPtr(reinterpret_cast(reinterpret_cast(::NAME)),
+             #NAME, WARN);
 
   #include "FuzzerExtFunctions.def"
 
diff --git a/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp b/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
index a727220a..d79421cd 100644
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
@@ -45,15 +45,16 @@ using namespace fuzzer;
 #endif // LIBFUZZER_MSVC
 
 extern "C" {
-\
-  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
-    RETURN_TYPE NAME##Def FUNC_SIG { \
-      \
-      Printf("ERROR: Function \"%s\" not defined.\n", #NAME); \
-      exit(1); \
-      \
-    } \
-    EXTERNAL_FUNC(NAME, NAME##Def) RETURN_TYPE NAME FUNC_SIG
+
+#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)
+  RETURN_TYPE NAME##Def FUNC_SIG {
+
+    Printf("ERROR: Function \"%s\" not defined.\n", #NAME);
+    exit(1);
+
+  }
+
+EXTERNAL_FUNC(NAME, NAME##Def) RETURN_TYPE NAME FUNC_SIG
 
   #include "FuzzerExtFunctions.def"
 
@@ -80,8 +81,8 @@ namespace fuzzer {
 
 ExternalFunctions::ExternalFunctions() {
 \
-  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
-    this->NAME = GetFnPtr(::NAME, ::NAME##Def, #NAME, WARN);
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) this->NAME =
+      GetFnPtr < decltype(::NAME)>(::NAME, ::NAME##Def, #NAME, WARN);
 
   #include "FuzzerExtFunctions.def"
 
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 0e8b97a2..209cc726 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -469,7 +469,8 @@ static void __afl_start_snapshots(void) {
   }
 
   if ((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) ==
-      (FS_OPT_ENABLED | FS_OPT_AUTODICT)) {
+          (FS_OPT_ENABLED | FS_OPT_AUTODICT) &&
+      __afl_dictionary_len && __afl_dictionary) {
 
     // great lets pass the dictionary through the forkserver FD
     u32 len = __afl_dictionary_len, offset = 0;
@@ -681,7 +682,8 @@ static void __afl_start_forkserver(void) {
   }
 
   if ((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) ==
-      (FS_OPT_ENABLED | FS_OPT_AUTODICT)) {
+          (FS_OPT_ENABLED | FS_OPT_AUTODICT) &&
+      __afl_dictionary_len && __afl_dictionary) {
 
     // great lets pass the dictionary through the forkserver FD
     u32 len = __afl_dictionary_len, offset = 0;
-- 
cgit 1.4.1
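Review bot: The new `__afl_dictionary_len && __afl_dictionary` guard changes what the target does after the parent has already replied with `FS_OPT_ENABLED | FS_OPT_AUTODICT`; whether the earlier status word that advertised AUTODICT to the parent is computed from the same condition is not visible in this hunk, and if it is not, the parent may now wait for a dictionary length that the target never writes. The check is also pasted verbatim into both `__afl_start_snapshots` and `__afl_start_forkserver`, so the two are easy to let drift — a shared predicate, or at least a comment such as `/* must match the condition that set FS_OPT_AUTODICT in the status word sent above */`, would keep them in lock-step. As a readability point, the wrapped `==` / `&&` mix on the added lines would be clearer with the comparison parenthesized: `if (((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) == (FS_OPT_ENABLED | FS_OPT_AUTODICT)) && __afl_dictionary_len && __afl_dictionary) {`. Both enclosing functions start and end outside their hunks.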