From 9933a6f3ab6c5b02c9f108dded6eb93ed59d2941 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 7 Apr 2022 10:21:44 +0200
Subject: update grammar mutator
---
 custom_mutators/grammar_mutator/GRAMMAR_VERSION | 2 +-
 custom_mutators/grammar_mutator/grammar_mutator | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'custom_mutators')
diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
index 93f9321c..2568c6a5 100644
--- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION
+++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
@@ -1 +1 @@
-cbe5e32
+ff4e5a2
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator
index cbe5e327..ff4e5a26 160000
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
@@ -1 +1 @@
-Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff
+Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09
-- 
cgit 1.4.1
From 1d00bde6c508ed86366e4a7d3730e6d1203bcb60 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 18 Apr 2022 13:11:19 +0200
Subject: code format
---
 custom_mutators/symcc/README.md | 5 ++++-
 frida_mode/src/instrument/instrument_arm64.c | 4 ++--
 frida_mode/src/instrument/instrument_x64.c | 3 ++-
 instrumentation/cmplog-instructions-pass.cc | 10 ++++++----
 utils/libdislocator/libdislocator.so.c | 9 +++++----
 5 files changed, 19 insertions(+), 12 deletions(-)
(limited to 'custom_mutators')
diff --git a/custom_mutators/symcc/README.md b/custom_mutators/symcc/README.md
index 337362ae..364a348e 100644
--- a/custom_mutators/symcc/README.md
+++ b/custom_mutators/symcc/README.md
@@ -1,6 +1,9 @@ # custum mutator: symcc -This uses the excellent symcc to find new paths into the target. +This uses the symcc to find new paths into the target. + +Note that this is a just a proof of concept example! It is better to use +the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this. To use this custom mutator follow the steps in the symcc repository [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index e6251cb4..2bc8f8aa 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -18,8 +18,8 @@ #if defined(__aarch64__) -gboolean instrument_cache_enabled = FALSE; -gsize instrument_cache_size = 0; +gboolean instrument_cache_enabled = FALSE; +gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; __attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index d54c8353..f02c971e 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; - /* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ + /* guint64 area_offset = + * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ if (instrument_previous_pc_addr == NULL) { GumAddressSpec spec = {.near_address = cw->code, diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index e21289b4..85d48835 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
@@ -116,7 +116,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); unsigned int instrumented = 0; }; @@ -305,6 +305,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { const LoopInfo * LI = LCallback(F); #if 0 for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; BasicBlock *In, *Out; bool ok = false ; L->getIncomingAndBackEdge(In, Out); @@ -333,9 +334,10 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } + } -#endif +#endif // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), // lcomps.size()); @@ -703,7 +705,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { break; } - + ++instrumented; } @@ -718,7 +720,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } - + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 72fafa4b..bd08a678 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -257,16 +257,17 @@ static void *__dislocator_alloc(size_t len) { } #if defined(USENAMEDPAGE) -#if defined(__linux__) + #if defined(__linux__) // in the /proc//maps file, the anonymous page appears as // `- ---p 00000000 00:00 0 [anon:libdislocator]` - if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, - (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, + (unsigned long)"libdislocator") < 0) { DEBUGF("prctl() failed"); } -#endif + + #endif #endif /* Set PROT_NONE on the last page. */ -- cgit 1.4.1 From 4f42ecd8150f9b72e0fef37292572b7ad3ef6870 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Mon, 18 Apr 2022 13:16:10 +0200 Subject: remove WIP code --- custom_mutators/grammar_mutator/grammar_mutator | 2 +- instrumentation/cmplog-instructions-pass.cc | 81 +------------------------ instrumentation/cmplog-routines-pass.cc | 2 - unicorn_mode/unicornafl | 2 +- 4 files changed, 5 insertions(+), 82 deletions(-) (limited to 'custom_mutators') diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index ff4e5a26..cbe5e327 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 +Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 85d48835..4d37bcb2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -32,15 +32,9 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 - #include "llvm/Pass.h" - #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" - #include "llvm/Analysis/EHPersonalities.h" - #include "llvm/Analysis/PostDominators.h" - #include "llvm/Analysis/LoopInfo.h" - #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -70,10 +64,7 @@ using namespace llvm; namespace { -using LoopInfoCallback = function_ref; - #if LLVM_MAJOR >= 11 /* use new pass manager */ - class CmpLogInstructions : public PassInfoMixin { public: @@ -97,7 +88,6 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ - PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; 
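Review bot: The grammar_mutator submodule pointer is moved back from ff4e5a2 to cbe5e32 in a commit titled "remove WIP code", while `custom_mutators/grammar_mutator/GRAMMAR_VERSION` (bumped to `ff4e5a2` two commits earlier in this series) is left untouched, so the recorded version and the actual pinned checkout now disagree. The unicornafl pointer is likewise flipped from a44fa944 to d4915053 in the same commit, and both pointers are flipped back in the following commit, which looks like a dirty working tree being committed rather than an intended pin change. These submodule pointers are the only thing pinning those third-party components, so an accidental move should be reverted explicitly or called out in the commit message; staging the specific paths with `git add <file>` instead of `git commit -a` avoids picking them up.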
@@ -116,8 +106,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); - unsigned int instrumented = 0; + bool hookInstrs(Module &M); }; @@ -164,7 +153,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { +bool CmpLogInstructions::hookInstrs(Module &M) { std::vector icomps; LLVMContext & C = M.getContext(); @@ -301,64 +290,14 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { if (!isInInstrumentList(&F, MNAME)) continue; - std::vector lcomps; - const LoopInfo * LI = LCallback(F); -#if 0 - for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { - - Loop * L = *I; - BasicBlock *In, *Out; - bool ok = false ; L->getIncomingAndBackEdge(In, Out); - if (ok) { - - BasicBlock *decisionBB = In->getSingleSuccessor(); - - if (decisionBB) { - - /* - std::string errMsg1; - raw_string_ostream os1(errMsg1); - In->print(os1); - fprintf(stderr, "In: %s\n", os1.str().c_str()); - std::string errMsg2; - raw_string_ostream os2(errMsg2); - Out->print(os2); - fprintf(stderr, "Out: %s\n", os2.str().c_str()); - std::string errMsg3; - raw_string_ostream os3(errMsg3); - decisionBB->print(os3); - fprintf(stderr, "Dec: %s\n", os3.str().c_str()); - */ - lcomps.push_back(decisionBB); - - } - - } - - } - -#endif - - // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), - // lcomps.size()); - for (auto &BB : F) { - if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { - - fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); - - continue; - - } - for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); - fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } 
@@ -706,8 +645,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - ++instrumented; - } /* else fprintf(stderr, "skipped\n"); */ @@ -721,8 +658,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); - if (icomps.size()) return true; else @@ -743,19 +678,9 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - - auto &FAM = MAM.getResult(M).getManager(); - auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { - - return &FAM.getResult(F); - - }; - - hookInstrs(M, LoopCallback); + hookInstrs(M); verifyModule(M); - fprintf(stderr, "done cmplog-instructions-pass\n"); - #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 708a94bc..8205cfb0 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,8 +761,6 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); - fprintf(stderr, "done cmplog-routines-pass\n"); - #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e -- cgit 1.4.1 From 7f26d133458f5034499f40129e9a5517cee21cce Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Fri, 22 Apr 2022 10:28:14 +0200 Subject: try repeating write --- GNUmakefile | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- include/debug.h | 47 +++++++++++++++++-------- unicorn_mode/unicornafl | 2 +- 4 files changed, 36 insertions(+), 17 deletions(-) (limited to 'custom_mutators') diff --git a/GNUmakefile b/GNUmakefile index ec81cbac..8b09c51a 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -145,7 +145,7 @@ else CFLAGS ?= -O2 $(CFLAGS_OPT) # -funroll-loops is slower on modern compilers endif -override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \ +override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith \ -fPIC -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" # -fstack-protector diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index cbe5e327..ff4e5a26 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff +Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 diff --git a/include/debug.h b/include/debug.h index 31ebd0f2..e2ee16a8 100644 --- a/include/debug.h +++ b/include/debug.h 
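Review bot: Flipping `-Wpointer-arith` to `-Wno-pointer-arith` silences the warning for the entire tree rather than at the one site that trips it; the ck_write rewrite in include/debug.h in this same commit does `(buf) + _off` on a pointer that callers can pass as `void *`, which is what the flag now hides. Casting at that one site keeps the warning enabled for everything else: `s32 _res = write(_fd, (const char *)(buf) + _off, _len);` (or the project's `u8` if types.h is in scope in debug.h — I cannot see its includes from here). Arithmetic on `void *` is a GNU extension, so the local cast also keeps the header portable to compilers that reject it, whereas the makefile change only stops gcc/clang from telling you about it.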
@@ -355,20 +355,39 @@ static inline const char *colorfilter(const char *x) { /* Error-checking versions of read() and write() that call RPFATAL() as appropriate. */ -#define ck_write(fd, buf, len, fn) \ - do { \ - \ - int _fd = (fd); \ - \ - s32 _len = (s32)(len); \ - s32 _res = write(_fd, (buf), _len); \ - if (_res != _len) { \ - \ - RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \ - _res, _len); \ - \ - } \ - \ +#define ck_write(fd, buf, len, fn) \ + do { \ + \ + if (len <= 0) break; \ + int _fd = (fd); \ + s32 _written = 0, _off = 0, _len = (s32)(len); \ + \ + do { \ + \ + s32 _res = write(_fd, (buf) + _off, _len); \ + if (_res != _len && (_res > 0 && _written + _res != _len)) { \ + \ + if (_res > 0) { \ + \ + _written += _res; \ + _len -= _res; \ + _off += _res; \ + \ + } else { \ + \ + RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \ + _res, _len); \ + \ + } \ + \ + } else { \ + \ + break; \ + \ + } \ + \ + } while (1); \ + \ } while (0) #define ck_read(fd, buf, len, fn) \ diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index d4915053..a44fa944 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e +Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 -- cgit 1.4.1
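Review bot: The new ck_write loop never reaches its RPFATAL branch and can stop early on a partial write: the guard `if (_res != _len && (_res > 0 && _written + _res != _len))` admits only `_res > 0`, so a failed or zero-length write() (-1 on EINTR, EPIPE, ENOSPC, ...) takes the `else { break; }` and is silently treated as success, contradicting the comment above the macro that these versions call RPFATAL. Inside the branch the cumulative `_written + _res` is compared against the already-decremented remaining `_len`, so len=10 with write() returning 4 and then 2 exits after 6 bytes with no error. Tracking only the offset, retrying while bytes remain, and fataling on any non-positive result fixes both; if errno.h is in scope in debug.h, an `errno == EINTR` retry could be added before the fatal. The rewrite below also casts `buf` before the offset arithmetic, which is the `void *` arithmetic that the `-Wno-pointer-arith` change to GNUmakefile in this same commit silences.
```c
#define ck_write(fd, buf, len, fn)                                            \
  do {                                                                        \
                                                                              \
    if ((len) <= 0) break;                                                    \
    int _fd = (fd);                                                           \
    s32 _len = (s32)(len), _off = 0;                                          \
                                                                              \
    /* resume partial writes; any error or zero-length write() is fatal */    \
    while (_off < _len) {                                                     \
                                                                              \
      s32 _res = write(_fd, (const char *)(buf) + _off, _len - _off);         \
      if (_res <= 0) {                                                        \
                                                                              \
        RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd,   \
                _off, _len);                                                  \
                                                                              \
      }                                                                       \
                                                                              \
      _off += _res;                                                           \
                                                                              \
    }                                                                         \
                                                                              \
  } while (0)
```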