From a1c9c497d5e0659e94a25f8cb399f4d111643606 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 15:37:49 +0200 Subject: aarch64 support for afl-untracer --- examples/afl_untracer/afl-untracer.c | 67 ++++++++++++++++++++++++++++++++---- 1 file changed, 60 insertions(+), 7 deletions(-) (limited to 'examples/afl_untracer/afl-untracer.c') diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index d319b530..ed1a8239 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -156,7 +156,7 @@ void read_library_information() { liblist[liblist_cnt].addr_end = strtoull(m, NULL, 16); if (debug) fprintf( - stderr, "%s:%x (%lx-%lx)\n", liblist[liblist_cnt].name, + stderr, "%s:%llx (%llx-%llx)\n", liblist[liblist_cnt].name, liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start, liblist[liblist_cnt].addr_start, liblist[liblist_cnt].addr_end - 1); @@ -276,6 +276,17 @@ library_list_t *find_library(char *name) { } +/* for having an easy breakpoint after load the shared library */ +// this seems to work for clang too. nice :) requires gcc 4.4+ +#pragma GCC push_options +#pragma GCC optimize ("O0") +void breakpoint() { + + if (debug) fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n"); + +} +#pragma GCC pop_options + /* Error reporting to forkserver controller */ void send_forkserver_error(int error) { @@ -433,10 +444,17 @@ static void __afl_end_testcase(int status) { } +#ifdef __aarch64__ +#define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) +#else #define SHADOW(addr) \ ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ MEMORY_MAP_DECREMENT - \ ((uintptr_t)addr & 0x3) * 0x10000000000)) +#endif void setup_trap_instrumentation() { @@ -453,7 +471,11 @@ void setup_trap_instrumentation() { if (!patches) FATAL("Couldn't open AFL_UNTRACER_FILE file %s", filename); // Index into the coverage bitmap for the current trap instruction. - int bitmap_index = 0; +#ifdef __aarch64__ + uint64_t bitmap_index = 0; +#else + uint32_t bitmap_index = 0; +#endif while ((nread = getline(&line, &len, patches)) != -1) { @@ -486,7 +508,11 @@ void setup_trap_instrumentation() { FATAL("Failed to mprotect library %s writable", line); // Create shadow memory. +#ifdef __aarch64__ + for (int i = 0; i < 8; i++) { +#else for (int i = 0; i < 4; i++) { +#endif void *shadow_addr = SHADOW(lib_addr + i); void *shadow = mmap(shadow_addr, lib_size, PROT_READ | PROT_WRITE, @@ -513,12 +539,17 @@ void setup_trap_instrumentation() { if (bitmap_index >= __afl_map_size) FATAL("Too many basic blocks to instrument"); - uint32_t *shadow = SHADOW(lib_addr + offset); +#ifdef __arch64__ + uint64_t +#else + uint32_t +#endif + *shadow = SHADOW(lib_addr + offset); if (*shadow != 0) continue; // skip duplicates // Make lookup entry in shadow memory. -#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__)) +#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || defined(__i386__)) // this is for Intel x64 @@ -531,10 +562,24 @@ void setup_trap_instrumentation() { lib_addr, offset, lib_addr + offset, orig_byte, shadow, bitmap_index, *shadow); +#elif defined(__aarch64__) + + // this is for aarch64 + + uint32_t *patch_bytes = (uint32_t*)(lib_addr + offset); + uint32_t orig_bytes = *patch_bytes; + *shadow = (bitmap_index << 32) | orig_bytes; + *patch_bytes = 0xd4200000; // replace instruction with debug trap + if (debug) + fprintf(stderr, + "Patch entry: %p[%x] = %p = %02x -> SHADOW(%p) #%d -> %016x\n", + lib_addr, offset, lib_addr + offset, orig_bytes, shadow, + bitmap_index, *shadow); + #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -#error "non x86_64 not supported yet" +#error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -573,8 +618,15 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) - ctx->uc_mcontext.gregs[REG_RIP] -= 1; - addr = ctx->uc_mcontext.gregs[REG_RIP]; +#if defined(__x86_64__) || defined(__i386__) + ctx->uc_mcontext.mc_rip -= 1; + addr = ctx->uc_mcontext.mc_rip; +#elif defined(__aarch64__) + ctx->uc_mcontext.pc -= 4; + addr = ctx->uc_mcontext.pc; +#else +#error "Unsupported processor" +#endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; @@ -642,6 +694,7 @@ int main(int argc, char *argv[]) { // END STEP 2 /* setup instrumentation, shared memory and forkserver */ + breakpoint(); read_library_information(); setup_trap_instrumentation(); __afl_map_shm(); -- cgit 1.4.1 From e910882e320f33f4413ba9c2dff537f885276bb5 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 15:43:39 +0200 Subject: fix untracer --- examples/afl_untracer/afl-untracer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/afl_untracer/afl-untracer.c') diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index ed1a8239..99f06f36 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -619,8 +619,8 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) #if defined(__x86_64__) || defined(__i386__) - ctx->uc_mcontext.mc_rip -= 1; - addr = ctx->uc_mcontext.mc_rip; + ctx->uc_mcontext.gregs[REG_RIP] -= 1; + addr = ctx->uc_mcontext.gregs[REG_RIP]; #elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -- cgit 1.4.1 From 140053502bd5ce162ab7e6bfbb151494381d704c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 May 2020 08:08:20 +0200 Subject: import transform fix into autodict, code-format --- examples/afl_untracer/afl-untracer.c | 40 +++++++++++++++------------- llvm_mode/afl-clang-fast.c | 6 +++-- llvm_mode/afl-llvm-lto-instrim.so.cc | 24 +++++++++++------ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 24 +++++++++++------ 4 files changed, 58 insertions(+), 36 deletions(-) (limited to 'examples/afl_untracer/afl-untracer.c') diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 99f06f36..5dbc71bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -279,12 +279,13 @@ library_list_t *find_library(char *name) { /* for having an easy breakpoint after load the shared library */ // this seems to work for clang too. nice :) requires gcc 4.4+ #pragma GCC push_options -#pragma GCC optimize ("O0") -void breakpoint() { +#pragma GCC optimize("O0") +void breakpoint() { if (debug) fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n"); } + #pragma GCC pop_options /* Error reporting to forkserver controller */ @@ -470,7 +471,7 @@ void setup_trap_instrumentation() { FILE *patches = fopen(filename, "r"); if (!patches) FATAL("Couldn't open AFL_UNTRACER_FILE file %s", filename); - // Index into the coverage bitmap for the current trap instruction. + // Index into the coverage bitmap for the current trap instruction. #ifdef __aarch64__ uint64_t bitmap_index = 0; #else @@ -507,11 +508,13 @@ void setup_trap_instrumentation() { PROT_READ | PROT_WRITE | PROT_EXEC) != 0) FATAL("Failed to mprotect library %s writable", line); - // Create shadow memory. + // Create shadow memory. #ifdef __aarch64__ for (int i = 0; i < 8; i++) { + #else for (int i = 0; i < 4; i++) { + #endif void *shadow_addr = SHADOW(lib_addr + i); @@ -540,16 +543,17 @@ void setup_trap_instrumentation() { FATAL("Too many basic blocks to instrument"); #ifdef __arch64__ - uint64_t + uint64_t #else - uint32_t + uint32_t #endif - *shadow = SHADOW(lib_addr + offset); + *shadow = SHADOW(lib_addr + offset); if (*shadow != 0) continue; // skip duplicates // Make lookup entry in shadow memory. -#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || defined(__i386__)) +#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || \ + defined(__i386__)) // this is for Intel x64 @@ -566,10 +570,10 @@ void setup_trap_instrumentation() { // this is for aarch64 - uint32_t *patch_bytes = (uint32_t*)(lib_addr + offset); - uint32_t orig_bytes = *patch_bytes; + uint32_t *patch_bytes = (uint32_t *)(lib_addr + offset); + uint32_t orig_bytes = *patch_bytes; *shadow = (bitmap_index << 32) | orig_bytes; - *patch_bytes = 0xd4200000; // replace instruction with debug trap + *patch_bytes = 0xd4200000; // replace instruction with debug trap if (debug) fprintf(stderr, "Patch entry: %p[%x] = %p = %02x -> SHADOW(%p) #%d -> %016x\n", @@ -577,14 +581,14 @@ void setup_trap_instrumentation() { bitmap_index, *shadow); #else - // this will be ARM and AARCH64 - // for ARM we will need to identify if the code is in thumb or ARM + // this will be ARM and AARCH64 + // for ARM we will need to identify if the code is in thumb or ARM #error "non x86_64/aarch64 not supported yet" - //__arm__: - // linux thumb: 0xde01 - // linux arm: 0xe7f001f0 - //__aarch64__: - // linux aarch64: 0xd4200000 + //__arm__: + // linux thumb: 0xde01 + // linux arm: 0xe7f001f0 + //__aarch64__: + // linux aarch64: 0xd4200000 #endif bitmap_index++; diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 1f3463eb..42b02bdd 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -716,9 +716,11 @@ int main(int argc, char **argv, char **envp) { } } - + if (instrument_opt_mode && lto_mode) - FATAL("CTX and NGRAM can not be used in LTO mode (and would make LTO useless)"); + FATAL( + "CTX and NGRAM can not be used in LTO mode (and would make LTO " + "useless)"); if (!instrument_opt_mode) { diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 9fd3e3ec..f862e091 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -346,11 +346,15 @@ struct InsTrimLTO : public ModulePass { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = dyn_cast( - Var->getInitializer())) { + if (Var->hasInitializer()) { - HasStr2 = true; - Str2 = Array->getAsString().str(); + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr2 = true; + Str2 = Array->getAsString().str(); + + } } @@ -419,11 +423,15 @@ struct InsTrimLTO : public ModulePass { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = dyn_cast( - Var->getInitializer())) { + if (Var->hasInitializer()) { + + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr1 = true; + Str1 = Array->getAsString().str(); - HasStr1 = true; - Str1 = Array->getAsString().str(); + } } diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 79081d37..0e353fdf 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -326,11 +326,15 @@ bool AFLLTOPass::runOnModule(Module &M) { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = - dyn_cast(Var->getInitializer())) { + if (Var->hasInitializer()) { - HasStr2 = true; - Str2 = Array->getAsString().str(); + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr2 = true; + Str2 = Array->getAsString().str(); + + } } @@ -398,11 +402,15 @@ bool AFLLTOPass::runOnModule(Module &M) { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = - dyn_cast(Var->getInitializer())) { + if (Var->hasInitializer()) { + + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr1 = true; + Str1 = Array->getAsString().str(); - HasStr1 = true; - Str1 = Array->getAsString().str(); + } } -- cgit 1.4.1