From e1384b5086e918350426cd0ece7dbe9c451f771f Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 18 Mar 2021 09:11:00 +0000 Subject: Add support for FRIDA mode --- frida_mode/src/instrument.c | 265 +++++++++++++++++++++++++++++ frida_mode/src/interceptor.c | 16 ++ frida_mode/src/main.c | 149 ++++++++++++++++ frida_mode/src/prefetch.c | 121 +++++++++++++ frida_mode/src/ranges.c | 395 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 946 insertions(+) create mode 100644 frida_mode/src/instrument.c create mode 100644 frida_mode/src/interceptor.c create mode 100644 frida_mode/src/main.c create mode 100644 frida_mode/src/prefetch.c create mode 100644 frida_mode/src/ranges.c (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument.c b/frida_mode/src/instrument.c new file mode 100644 index 00000000..042fdab8 --- /dev/null +++ b/frida_mode/src/instrument.c @@ -0,0 +1,265 @@ +#include "frida-gum.h" +#include "config.h" +#include "debug.h" +#include "prefetch.h" +#include "ranges.h" +#include "unistd.h" + +extern uint8_t *__afl_area_ptr; +extern u32 __afl_map_size; + +uint64_t __thread previous_pc = 0; +GumAddress current_log_impl = GUM_ADDRESS(0); + +static gboolean tracing = false; +static gboolean optimize = false; +static gboolean strict = false; + +#if defined(__x86_64__) +static const guint8 afl_log_code[] = { + + 0x9c, /* pushfq */ + 0x50, /* push rax */ + 0x51, /* push rcx */ + 0x52, /* push rdx */ + + 0x48, 0x8d, 0x05, 0x27, + 0x00, 0x00, 0x00, /* lea rax, sym._afl_area_ptr_ptr */ + 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ + 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ + 0x48, 0x8d, 0x0d, 0x22, + 0x00, 0x00, 0x00, /* lea rcx, sym.previous_pc */ + 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */ + 0x48, 0x8b, 0x12, /* mov rdx, qword [rdx] */ + 0x48, 0x31, 0xfa, /* xor rdx, rdi */ + 0xfe, 0x04, 0x10, /* inc byte [rax + rdx] */ + 0x48, 0xd1, 0xef, /* shr rdi, 1 */ + 0x48, 0x8b, 0x01, /* mov rax, qword [rcx] */ + 0x48, 0x89, 0x38, /* mov qword [rax], rdi */ + + 0x5a, /* pop rdx */ + 0x59, /* pop rcx */ + 0x58, /* pop rax */ + 0x9d, /* popfq */ + + 0xc3, /* ret */ + + /* Read-only data goes here: */ + /* uint8_t** afl_area_ptr_ptr */ + /* uint64_t* afl_prev_loc_ptr */ + +}; + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumX86Writer *cw = output->writer.x86; + + if (current_log_impl == 0 || + !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || + !gum_x86_writer_can_branch_directly_between(cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_x86_writer_put_jmp_near_label(cw, after_log_impl); + + current_log_impl = cw->pc; + gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + + uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; + uint64_t *afl_prev_loc_ptr = &previous_pc; + gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, + sizeof(afl_area_ptr_ptr)); + gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, + sizeof(afl_prev_loc_ptr)); + + gum_x86_writer_put_label(cw, after_log_impl); + + } + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -GUM_RED_ZONE_SIZE); + gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset); + gum_x86_writer_put_call_address(cw, current_log_impl); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + GUM_RED_ZONE_SIZE); + +} + +#elif defined(__aarch64__) +static const guint8 afl_log_code[] = { + + // __afl_area_ptr[current_pc ^ previous_pc]++; + // previous_pc = current_pc >> 1; + 0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]! + 0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]! + + // x0 = current_pc + 0xc1, 0x01, 0x00, 0x58, // ldr x1, #0x38, =&__afl_area_ptr + 0x21, 0x00, 0x40, 0xf9, // ldr x1, [x1] (=__afl_area_ptr) + + 0xc2, 0x01, 0x00, 0x58, // ldr x2, #0x38, =&previous_pc + 0x42, 0x00, 0x40, 0xf9, // ldr x2, [x2] (=previous_pc) + + // __afl_area_ptr[current_pc ^ previous_pc]++; + 0x42, 0x00, 0x00, 0xca, // eor x2, x2, x0 + 0x23, 0x68, 0x62, 0xf8, // ldr x3, [x1, x2] + 0x63, 0x04, 0x00, 0x91, // add x3, x3, #1 + 0x23, 0x68, 0x22, 0xf8, // str x3, [x1, x2] + + // previous_pc = current_pc >> 1; + 0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1 + 0xe2, 0x00, 0x00, 0x58, // ldr x2, #0x1c, =&previous_pc + 0x40, 0x00, 0x00, 0xf9, // str x0, [x2] + + 0xE3, 0x13, 0xc1, 0xA8, // ldp x3, x4, [sp], #0x10 + 0xE1, 0x0B, 0xc1, 0xA8, // ldp x1, x2, [sp], #0x10 + 0xC0, 0x03, 0x5F, 0xD6, // ret + + // &afl_area_ptr_ptr + // &afl_prev_loc_ptr + +}; + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumArm64Writer *cw = output->writer.arm64; + + if (current_log_impl == 0 || + !gum_arm64_writer_can_branch_directly_between(cw, cw->pc, + current_log_impl) || + !gum_arm64_writer_can_branch_directly_between(cw, cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_arm64_writer_put_b_label(cw, after_log_impl); + + current_log_impl = cw->pc; + gum_arm64_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + + uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; + uint64_t *afl_prev_loc_ptr = &previous_pc; + gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, + sizeof(afl_area_ptr_ptr)); + gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, + sizeof(afl_prev_loc_ptr)); + + gum_arm64_writer_put_label(cw, after_log_impl); + + } + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + gum_arm64_writer_put_ldr_reg_u64(cw, ARM64_REG_X0, area_offset); + gum_arm64_writer_put_bl_imm(cw, current_log_impl); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); + +} + +#endif + +static void on_basic_block(GumCpuContext *context, gpointer user_data) { + + /* Avoid stack operations in potentially performance critical code */ + static char buffer[200]; + int len; + guint64 current_pc = (guint64)user_data; + if (tracing) { + + /* Avoid any functions which may cause an allocation since the target app + * may already be running inside malloc and it isn't designed to be + * re-entrant on a single thread */ + len = snprintf(buffer, sizeof(buffer), + "current_pc: 0x%016" G_GINT64_MODIFIER + "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n", + current_pc, previous_pc); + + write(STDOUT_FILENO, buffer, len + 1); + + } + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + __afl_area_ptr[current_pc ^ previous_pc]++; + previous_pc = current_pc >> 1; + +} + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data) { + + const cs_insn *instr; + gboolean begin = TRUE; + while (gum_stalker_iterator_next(iterator, &instr)) { + + if (begin) { + + prefetch_write((void *)instr->address); + if (!strict || !range_is_excluded((void *)instr->address)) { + + if (optimize) { + + instrument_coverage_optimize(instr, output); + + } else { + + gum_stalker_iterator_put_callout(iterator, on_basic_block, + (gpointer)instr->address, NULL); + + } + + } + + begin = FALSE; + + } + + gum_stalker_iterator_keep(iterator); + + } + +} + +void instrument_init() { + + optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); + tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); + strict = (getenv("AFL_FRIDA_INST_STRICT") != NULL); + +#if !defined(__x86_64__) && !defined(__aarch64__) + optimize = false; +#endif + + OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' '); + OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' '); + OKF("Instrumentation - strict [%c]", strict ? 'X' : ' '); + + if (tracing && optimize) { + + FATAL("AFL_FRIDA_INST_OPTIMIZE and AFL_FRIDA_INST_TRACE are incompatible"); + + } + + if (__afl_map_size != 0x10000) { + + FATAL("Bad map size: 0x%08x", __afl_map_size); + + } + +} + diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c new file mode 100644 index 00000000..ba05a80a --- /dev/null +++ b/frida_mode/src/interceptor.c @@ -0,0 +1,16 @@ +#include "frida-gum.h" +#include "debug.h" + +#include "interceptor.h" + +void intercept(void *address, gpointer replacement, gpointer user_data) { + + GumInterceptor *interceptor = gum_interceptor_obtain(); + gum_interceptor_begin_transaction(interceptor); + GumReplaceReturn ret = + gum_interceptor_replace(interceptor, address, replacement, user_data); + if (ret != GUM_ATTACH_OK) { FATAL("gum_interceptor_attach: %d", ret); } + gum_interceptor_end_transaction(interceptor); + +} + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c new file mode 100644 index 00000000..444c9583 --- /dev/null +++ b/frida_mode/src/main.c @@ -0,0 +1,149 @@ +#include +#include + +#ifdef __APPLE__ + #include + #include +#else + #include + #include +#endif + +#include "frida-gum.h" +#include "config.h" +#include "debug.h" + +#include "interceptor.h" +#include "instrument.h" +#include "prefetch.h" +#include "ranges.h" + +#ifdef __APPLE__ +extern mach_port_t mach_task_self(); +extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); +#else +extern int __libc_start_main(int *(main)(int, char **, char **), int argc, + char **ubp_av, void (*init)(void), + void (*fini)(void), void (*rtld_fini)(void), + void(*stack_end)); +#endif + +typedef int *(*main_fn_t)(int argc, char **argv, char **envp); + +static main_fn_t main_fn = NULL; +static GumStalker * stalker = NULL; +static GumMemoryRange code_range = {0}; + +extern void __afl_manual_init(); +extern __thread uint64_t previous_pc; + +static int on_fork() { + + prefetch_read(stalker); + return fork(); + +} + +#ifdef __APPLE__ +static void on_main_os(int argc, char **argv, char **envp) { + +} + +#else +static void on_main_os(int argc, char **argv, char **envp) { + + /* Personality doesn't affect the current process, it only takes effect on + * evec */ + int persona = personality(ADDR_NO_RANDOMIZE); + if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } + + GumInterceptor *interceptor = gum_interceptor_obtain(); + + gum_interceptor_begin_transaction(interceptor); + gum_interceptor_revert(interceptor, __libc_start_main); + gum_interceptor_end_transaction(interceptor); + gum_interceptor_flush(interceptor); + +} + +#endif + +static int *on_main(int argc, char **argv, char **envp) { + + on_main_os(argc, argv, envp); + + stalker = gum_stalker_new(); + if (stalker == NULL) { FATAL("Failed to initialize stalker"); } + + gum_stalker_set_trust_threshold(stalker, 0); + + GumStalkerTransformer *transformer = + gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + + instrument_init(); + prefetch_init(); + ranges_init(stalker); + + intercept(fork, on_fork, stalker); + + gum_stalker_follow_me(stalker, transformer, NULL); + gum_stalker_deactivate(stalker); + + __afl_manual_init(); + + /* Child here */ + previous_pc = 0; + prefetch_start(stalker); + main_fn(argc, argv, envp); + _exit(0); + +} + +#ifdef __APPLE__ +static void intercept_main() { + + mach_port_t task = mach_task_self(); + OKF("Task Id: %u", task); + GumAddress entry = gum_darwin_find_entrypoint(task); + OKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); + void *main = GSIZE_TO_POINTER(entry); + main_fn = main; + intercept(main, on_main, NULL); + +} + +#else +static int on_libc_start_main(int *(main)(int, char **, char **), int argc, + char **ubp_av, void (*init)(void), + void (*fini)(void), void (*rtld_fini)(void), + void(*stack_end)) { + + main_fn = main; + intercept(main, on_main, NULL); + return __libc_start_main(main, argc, ubp_av, init, fini, rtld_fini, + stack_end); + +} + +static void intercept_main() { + + intercept(__libc_start_main, on_libc_start_main, NULL); + +} + +#endif + +__attribute__((constructor)) static void init() { + + gum_init_embedded(); + if (!gum_stalker_is_supported()) { + + gum_deinit_embedded(); + FATAL("Failed to initialize embedded"); + + } + + intercept_main(); + +} + diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c new file mode 100644 index 00000000..64633c1c --- /dev/null +++ b/frida_mode/src/prefetch.c @@ -0,0 +1,121 @@ +#include +#include +#include + +#include "frida-gum.h" +#include "prefetch.h" +#include "debug.h" + +#define TRUST 0 +#define PREFETCH_SIZE 65536 +#define PREFETCH_ENTRIES ((PREFETCH_SIZE - sizeof(size_t)) / sizeof(void *)) + +typedef struct { + + size_t count; + void * entry[PREFETCH_ENTRIES]; + +} prefetch_data_t; + +static prefetch_data_t *prefetch_data = NULL; + +static int prefetch_shm_id = -1; + +/* + * We do this from the transformer since we need one anyway for coverage, this + * saves the need to use an event sink. + */ +void prefetch_write(void *addr) { + + /* Bail if we aren't initialized */ + if (prefetch_data == NULL) return; + + /* + * Our shared memory IPC is large enough for about 1000 entries, we can fine + * tune this if we need to. But if we have more new blocks that this in a + * single run then we ignore them and we'll pick them up next time. + */ + if (prefetch_data->count >= PREFETCH_ENTRIES) return; + + /* + * Write the block address to the SHM IPC and increment the number of entries. + */ + + prefetch_data->entry[prefetch_data->count] = addr; + prefetch_data->count++; + +} + +/* + * Read the IPC region one block at the time and prefetch it + */ +void prefetch_read(GumStalker *stalker) { + + if (prefetch_data == NULL) return; + + for (size_t i = 0; i < prefetch_data->count; i++) { + + void *addr = prefetch_data->entry[i]; + gum_stalker_prefetch(stalker, addr, 1); + + } + + /* + * Reset the entry count to indicate we have finished with it and it can be + * refilled by the child. + */ + prefetch_data->count = 0; + +} + +void prefetch_init() { + + g_assert_cmpint(sizeof(prefetch_data_t), ==, PREFETCH_SIZE); + gboolean prefetch = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL); + + OKF("Instrumentation - prefetch [%c]", prefetch ? 'X' : ' '); + + if (!prefetch) { return; } + /* + * Make our shared memory, we can attach before we fork, just like AFL does + * with the coverage bitmap region and fork will take care of ensuring both + * the parent and child see the same consistent memory region. + */ + prefetch_shm_id = + shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600); + if (prefetch_shm_id < 0) { + + FATAL("prefetch_shm_id < 0 - errno: %d\n", errno); + + } + + prefetch_data = shmat(prefetch_shm_id, NULL, 0); + g_assert(prefetch_data != MAP_FAILED); + + /* + * Configure the shared memory region to be removed once the process dies. + */ + if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { + + FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + + } + + /* Clear it, not sure it's necessary, just seems like good practice */ + memset(prefetch_data, '\0', sizeof(prefetch_data_t)); + +} + +__attribute__((noinline)) static void prefetch_activation() { + + asm volatile(""); + +} + +void prefetch_start(GumStalker *stalker) { + + gum_stalker_activate(stalker, prefetch_activation); + prefetch_activation(); + +} + diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c new file mode 100644 index 00000000..fc14710f --- /dev/null +++ b/frida_mode/src/ranges.c @@ -0,0 +1,395 @@ +// 0x123-0x321 +// module.so + +#include "ranges.h" +#include "debug.h" + +#define MAX_RANGES 20 + +typedef struct { + + gchar * suffix; + GumMemoryRange *range; + gboolean done; + +} convert_name_ctx_t; + +typedef struct { + + GumStalker *stalker; + GArray * array; + +} include_range_ctx_t; + +GArray * ranges = NULL; +gboolean exclude_ranges = false; + +static void convert_address_token(gchar *token, GumMemoryRange *range) { + + gchar **tokens; + int token_count; + tokens = g_strsplit(token, "-", 2); + for (token_count = 0; tokens[token_count] != NULL; token_count++) + ; + + if (token_count != 2) { + + FATAL("Invalid range (should have two addresses seperated by a '-'): %s\n", + token); + + } + + gchar *from_str = tokens[0]; + gchar *to_str = tokens[1]; + + if (!g_str_has_prefix(from_str, "0x")) { + + FATAL("Invalid range: %s - Start address should have 0x prefix: %s\n", + token, from_str); + + } + + if (!g_str_has_prefix(to_str, "0x")) { + + FATAL("Invalid range: %s - End address should have 0x prefix: %s\n", token, + to_str); + + } + + from_str = &from_str[2]; + to_str = &to_str[2]; + + for (char *c = from_str; *c != '\0'; c++) { + + if (!g_ascii_isxdigit(*c)) { + + FATAL("Invalid range: %s - Start address not formed of hex digits: %s\n", + token, from_str); + + } + + } + + for (char *c = to_str; *c != '\0'; c++) { + + if (!g_ascii_isxdigit(*c)) { + + FATAL("Invalid range: %s - End address not formed of hex digits: %s\n", + token, to_str); + + } + + } + + guint64 from = g_ascii_strtoull(from_str, NULL, 16); + if (from == 0) { + + FATAL("Invalid range: %s - Start failed hex conversion: %s\n", token, + from_str); + + } + + guint64 to = g_ascii_strtoull(to_str, NULL, 16); + if (to == 0) { + + FATAL("Invalid range: %s - End failed hex conversion: %s\n", token, to_str); + + } + + if (from >= to) { + + FATAL("Invalid range: %s - Start (0x%016" G_GINT64_MODIFIER + "x) must be less than end " + "(0x%016" G_GINT64_MODIFIER "x)\n", + token, from, to); + + } + + range->base_address = from; + range->size = to - from; + + g_strfreev(tokens); + +} + +static gboolean convert_name_token_for_module(const GumModuleDetails *details, + gpointer user_data) { + + convert_name_ctx_t *ctx = (convert_name_ctx_t *)user_data; + if (details->path == NULL) { return true; }; + + if (!g_str_has_suffix(details->path, ctx->suffix)) { return true; }; + + OKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x %s", + ctx->suffix, details->range->base_address, + details->range->base_address + details->range->size, details->path); + + *ctx->range = *details->range; + ctx->done = true; + return false; + +} + +static void convert_name_token(gchar *token, GumMemoryRange *range) { + + gchar * suffix = g_strconcat("/", token, NULL); + convert_name_ctx_t ctx = {.suffix = suffix, .range = range, .done = false}; + + gum_process_enumerate_modules(convert_name_token_for_module, &ctx); + if (!ctx.done) { FATAL("Failed to resolve module: %s\n", token); } + g_free(suffix); + +} + +static void convert_token(gchar *token, GumMemoryRange *range) { + + if (g_strrstr(token, "-")) { + + convert_address_token(token, range); + + } else { + + convert_name_token(token, range); + + } + + OKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x\n", + token, range->base_address, range->base_address + range->size); + +} + +static gboolean include_ranges(const GumRangeDetails *details, + gpointer user_data) { + + include_range_ctx_t *ctx = (include_range_ctx_t *)user_data; + GArray * array = (GArray *)ctx->array; + GumAddress base = details->range->base_address; + GumAddress limit = details->range->base_address + details->range->size; + + OKF("Range for inclusion 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + base, limit); + + for (int i = 0; i < array->len; i++) { + + GumMemoryRange *range = &g_array_index(array, GumMemoryRange, i); + GumAddress range_base = range->base_address; + GumAddress range_limit = range->base_address + range->size; + + /* Before the region */ + if (range_limit < base) { continue; } + + /* After the region */ + if (range_base > limit) { + + GumMemoryRange exclude = {.base_address = base, .size = limit - base}; + OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER + "x", + base, limit); + gum_stalker_exclude(ctx->stalker, &exclude); + return true; + + } + + /* Overlap the start of the region */ + if (range_base < base) { + + /* Range contains the region */ + if (range_limit > limit) { + + return true; + + } else { + + base = range_limit; + continue; + + } + + /* Overlap the end of the region */ + + } else { + + GumMemoryRange exclude = {.base_address = base, + .size = range_base - base}; + OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER + "x", + base, range_base); + gum_stalker_exclude(ctx->stalker, &exclude); + /* Extend past the end of the region */ + if (range_limit >= limit) { + + return true; + + /* Contained within the region */ + + } else { + + base = range_limit; + continue; + + } + + } + + } + + GumMemoryRange exclude = {.base_address = base, .size = limit - base}; + OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", + base, limit); + gum_stalker_exclude(ctx->stalker, &exclude); + return true; + +} + +gint range_sort(gconstpointer a, gconstpointer b) { + + return ((GumMemoryRange *)a)->base_address - + ((GumMemoryRange *)b)->base_address; + +} + +static gboolean print_ranges(const GumRangeDetails *details, + gpointer user_data) { + + if (details->file == NULL) { + + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X", + details->range->base_address, + details->range->base_address + details->range->size); + + } else { + + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %s(0x%016" G_GINT64_MODIFIER "x)", + details->range->base_address, + details->range->base_address + details->range->size, + details->file->path, details->file->offset); + + } + + return true; + +} + +void ranges_init(GumStalker *stalker) { + + char * showmaps; + char * include; + char * exclude; + char * list; + gchar ** tokens; + int token_count; + GumMemoryRange range; + + int i; + + showmaps = getenv("AFL_FRIDA_DEBUG_MAPS"); + include = getenv("AFL_FRIDA_INST_RANGES"); + exclude = getenv("AFL_FRIDA_EXCLUDE_RANGES"); + + if (showmaps) { + + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges, NULL); + + } + + if (include != NULL && exclude != NULL) { + + FATAL( + "Cannot specifify both AFL_FRIDA_INST_RANGES and " + "AFL_FRIDA_EXCLUDE_RANGES"); + + } + + if (include == NULL && exclude == NULL) { return; } + + list = include == NULL ? exclude : include; + exclude_ranges = include == NULL ? true : false; + + tokens = g_strsplit(list, ",", MAX_RANGES); + + for (token_count = 0; tokens[token_count] != NULL; token_count++) + ; + + ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), token_count); + + for (i = 0; i < token_count; i++) { + + convert_token(tokens[i], &range); + g_array_append_val(ranges, range); + + } + + g_array_sort(ranges, range_sort); + + /* Check for overlaps */ + for (i = 1; i < token_count; i++) { + + GumMemoryRange *prev = &g_array_index(ranges, GumMemoryRange, i - 1); + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress prev_limit = prev->base_address + prev->size; + GumAddress curr_limit = curr->base_address + curr->size; + if (prev_limit > curr->base_address) { + + FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + prev->base_address, prev_limit, curr->base_address, curr_limit); + + } + + } + + for (i = 0; i < token_count; i++) { + + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress curr_limit = curr->base_address + curr->size; + OKF("Range %3d - 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", + i, curr->base_address, curr_limit); + + } + + if (include == NULL) { + + for (i = 0; i < token_count; i++) { + + gum_stalker_exclude(stalker, &g_array_index(ranges, GumMemoryRange, i)); + + } + + } else { + + include_range_ctx_t ctx = {.stalker = stalker, .array = ranges}; + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, include_ranges, &ctx); + + } + + g_strfreev(tokens); + +} + +gboolean range_is_excluded(gpointer address) { + + int i; + GumAddress test = GUM_ADDRESS(address); + + if (ranges == NULL) { return false; } + + for (i = 0; i < ranges->len; i++) { + + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress curr_limit = curr->base_address + curr->size; + + if (test < curr->base_address) { return !exclude_ranges; } + + if (test < curr_limit) { return exclude_ranges; } + + } + + return !exclude_ranges; + +} + -- cgit 1.4.1 From c169cb3911b33fbc3974005788ade1c9218ade98 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 25 Mar 2021 20:10:09 +0100 Subject: integrate frida_mode, code-format --- GNUmakefile | 3 +++ docs/Changelog.md | 2 ++ docs/env_variables.md | 5 +++-- frida_mode/Makefile | 32 +++++++++++++++----------------- frida_mode/inc/instrument.h | 7 ------- frida_mode/inc/interceptor.h | 4 ---- frida_mode/inc/prefetch.h | 5 ----- frida_mode/inc/ranges.h | 6 ------ frida_mode/include/instrument.h | 7 +++++++ frida_mode/include/interceptor.h | 4 ++++ frida_mode/include/prefetch.h | 5 +++++ frida_mode/include/ranges.h | 6 ++++++ frida_mode/src/main.c | 8 ++++---- include/forkserver.h | 2 +- qemu_mode/qemuafl | 2 +- src/afl-cc.c | 18 ++++++++++++------ src/afl-common.c | 11 ++++++++++- src/afl-ld-lto.c | 15 +++++++++------ 18 files changed, 82 insertions(+), 60 deletions(-) delete mode 100644 frida_mode/inc/instrument.h delete mode 100644 frida_mode/inc/interceptor.h delete mode 100644 frida_mode/inc/prefetch.h delete mode 100644 frida_mode/inc/ranges.h create mode 100644 frida_mode/include/instrument.h create mode 100644 frida_mode/include/interceptor.h create mode 100644 frida_mode/include/prefetch.h create mode 100644 frida_mode/include/ranges.h (limited to 'frida_mode/src') diff --git a/GNUmakefile b/GNUmakefile index ac8fe796..963004bd 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -593,6 +593,7 @@ distrib: all $(MAKE) -C utils/afl_network_proxy $(MAKE) -C utils/socket_fuzzing $(MAKE) -C utils/argv_fuzzing + -$(MAKE) -C frida_mode -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -603,6 +604,7 @@ binary-only: test_shm test_python ready $(PROGS) $(MAKE) -C utils/afl_network_proxy $(MAKE) -C utils/socket_fuzzing $(MAKE) -C utils/argv_fuzzing + -$(MAKE) -C frida_mode -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -648,6 +650,7 @@ install: all $(MANPAGES) @if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi @if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi @if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi + @if [ -f afl-frida-trace.so ]; then install -m 755 afl-frida-trace.so $${DESTDIR}$(HELPER_PATH); fi @if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi @if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi @if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi diff --git a/docs/Changelog.md b/docs/Changelog.md index 730791da..6ae42b04 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,8 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.13a (development) + - frida_mode - new mode that uses frida to fuzz binary-only targets, + thanks to @WorksButNotTested! - afl-fuzz: - added patch by @realmadsci to support @@ as part of command line options, e.g. `afl-fuzz ... -- ./target --infile=@@` diff --git a/docs/env_variables.md b/docs/env_variables.md index 572fad01..899b36cc 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -372,7 +372,8 @@ checks or alter some of the more exotic semantics of the tool: may complain of high load prematurely, especially on systems with low core counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`. - - In QEMU mode (-Q), `AFL_PATH` will be searched for afl-qemu-trace. + - In QEMU mode (-Q), Unicorn mode (-U) and Frida mode (-O), `AFL_PATH` will + be searched for afl-qemu-trace. - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip prepending `afl-qemu-trace` to your command line. Use this if you wish to use a @@ -605,7 +606,7 @@ optimal values if not already present in the environment: override this by setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. - - By default, `ASAN_OPTIONS` are set to: + - By default, `ASAN_OPTIONS` are set to (among others): ``` abort_on_error=1 detect_leaks=0 diff --git a/frida_mode/Makefile b/frida_mode/Makefile index efae5ebf..822f1c6a 100644 --- a/frida_mode/Makefile +++ b/frida_mode/Makefile @@ -1,41 +1,39 @@ PWD:=$(shell pwd)/ -INC_DIR:=$(PWD)inc/ +INC_DIR:=$(PWD)include/ SRC_DIR:=$(PWD)src/ INCLUDES:=$(wildcard $(INC_DIR)*.h) SOURCES:=$(wildcard $(SRC_DIR)*.c) BUILD_DIR:=$(PWD)build/ -CFLAGS:= $(CFLAGS) \ - -fPIC \ - -D_GNU_SOURCE +CFLAGS+=-fPIC -D_GNU_SOURCE FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(FRIDA_BUILD_DIR)afl-frida-trace.so ARCH=$(shell uname -m) ifeq "$(ARCH)" "aarch64" -ARCH:=arm64 -TESTINSTR_BASE:=0x0000aaaaaaaaa000 + ARCH:=arm64 + TESTINSTR_BASE:=0x0000aaaaaaaaa000 endif ifeq "$(ARCH)" "x86_64" -TESTINSTR_BASE:=0x0000555555554000 + TESTINSTR_BASE:=0x0000555555554000 endif ifeq "$(shell uname)" "Darwin" -OS:=macos -AFL_FRIDA_INST_RANGES=0x0000000000001000-0xFFFFFFFFFFFFFFFF -CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations -TEST_LDFLAGS:=-undefined dynamic_lookup + OS:=macos + AFL_FRIDA_INST_RANGES=0x0000000000001000-0xFFFFFFFFFFFFFFFF + CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations + TEST_LDFLAGS:=-undefined dynamic_lookup endif ifeq "$(shell uname)" "Linux" -OS:=linux -AFL_FRIDA_INST_RANGES=$(shell $(PWD)test/testinstr.py -f $(BUILD_DIR)testinstr -s .testinstr -b $(TESTINSTR_BASE)) -CFLAGS:=$(CFLAGS) -Wno-prio-ctor-dtor -TEST_LDFLAGS:= + OS:=linux + AFL_FRIDA_INST_RANGES=$(shell $(PWD)test/testinstr.py -f $(BUILD_DIR)testinstr -s .testinstr -b $(TESTINSTR_BASE)) + CFLAGS:=$(CFLAGS) -Wno-prio-ctor-dtor + TEST_LDFLAGS:= endif ifndef OS -$(error "Operating system unsupported") + $(error "Operating system unsupported") endif VERSION=14.2.13 @@ -347,4 +345,4 @@ cmin_bash_frida: $(TEST_BIN) -i $(TEST_DATA_DIR) \ -o $(FRIDA_OUT) \ -- \ - $(TEST_BIN) @@ \ No newline at end of file + $(TEST_BIN) @@ diff --git a/frida_mode/inc/instrument.h b/frida_mode/inc/instrument.h deleted file mode 100644 index ff71bed4..00000000 --- a/frida_mode/inc/instrument.h +++ /dev/null @@ -1,7 +0,0 @@ -#include "frida-gum.h" - -void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, - gpointer user_data); - -void instrument_init(); - diff --git a/frida_mode/inc/interceptor.h b/frida_mode/inc/interceptor.h deleted file mode 100644 index 5ed3cf49..00000000 --- a/frida_mode/inc/interceptor.h +++ /dev/null @@ -1,4 +0,0 @@ -#include "frida-gum.h" - -void intercept(void *address, gpointer replacement, gpointer user_data); - diff --git a/frida_mode/inc/prefetch.h b/frida_mode/inc/prefetch.h deleted file mode 100644 index b7f25a97..00000000 --- a/frida_mode/inc/prefetch.h +++ /dev/null @@ -1,5 +0,0 @@ -void prefetch_init(); -void prefetch_start(GumStalker *stalker); -void prefetch_write(void *addr); -void prefetch_read(GumStalker *stalker); - diff --git a/frida_mode/inc/ranges.h b/frida_mode/inc/ranges.h deleted file mode 100644 index b9394dbc..00000000 --- a/frida_mode/inc/ranges.h +++ /dev/null @@ -1,6 +0,0 @@ -#include "frida-gum.h" - -void ranges_init(GumStalker *stalker); - -gboolean range_is_excluded(gpointer address); - diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h new file mode 100644 index 00000000..ff71bed4 --- /dev/null +++ b/frida_mode/include/instrument.h @@ -0,0 +1,7 @@ +#include "frida-gum.h" + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); + +void instrument_init(); + diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h new file mode 100644 index 00000000..5ed3cf49 --- /dev/null +++ b/frida_mode/include/interceptor.h @@ -0,0 +1,4 @@ +#include "frida-gum.h" + +void intercept(void *address, gpointer replacement, gpointer user_data); + diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h new file mode 100644 index 00000000..b7f25a97 --- /dev/null +++ b/frida_mode/include/prefetch.h @@ -0,0 +1,5 @@ +void prefetch_init(); +void prefetch_start(GumStalker *stalker); +void prefetch_write(void *addr); +void prefetch_read(GumStalker *stalker); + diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h new file mode 100644 index 00000000..b9394dbc --- /dev/null +++ b/frida_mode/include/ranges.h @@ -0,0 +1,6 @@ +#include "frida-gum.h" + +void ranges_init(GumStalker *stalker); + +gboolean range_is_excluded(gpointer address); + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 444c9583..7505c2f9 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -22,10 +22,10 @@ extern mach_port_t mach_task_self(); extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); #else -extern int __libc_start_main(int *(main)(int, char **, char **), int argc, - char **ubp_av, void (*init)(void), - void (*fini)(void), void (*rtld_fini)(void), - void(*stack_end)); +extern int __libc_start_main(int *(main)(int, char **, char **), int argc, + char **ubp_av, void (*init)(void), + void (*fini)(void), void (*rtld_fini)(void), + void(*stack_end)); #endif typedef int *(*main_fn_t)(int argc, char **argv, char **envp); diff --git a/include/forkserver.h b/include/forkserver.h index cc759545..48db94c7 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -77,7 +77,7 @@ typedef struct afl_forkserver { bool qemu_mode; /* if running in qemu mode or not */ - bool frida_mode; /* if running in frida mode or not */ + bool frida_mode; /* if running in frida mode or not */ bool use_stdin; /* use stdin for sending data */ diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 0fb212da..ddc4a974 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit 0fb212daab492411b3e323bc18a3074c1aecfd37 +Subproject commit ddc4a9748d59857753fb33c30a356f354595f36d diff --git a/src/afl-cc.c b/src/afl-cc.c index d134f013..1b4edbb9 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -638,8 +638,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = - alloc_printf("%s/afl-llvm-pass.so", obj_path); + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); } @@ -1247,7 +1246,9 @@ int main(int argc, char **argv, char **envp) { strcasecmp(ptr, "CFG") == 0) { - FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n"); + FATAL( + "InsTrim instrumentation was removed. Use a modern LLVM and " + "PCGUARD (default in afl-cc).\n"); } else if (strcasecmp(ptr, "AFL") == 0 || @@ -1313,7 +1314,9 @@ int main(int argc, char **argv, char **envp) { if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") || getenv("INSTRIM_LIB")) { - FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n"); + FATAL( + "InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD " + "(default in afl-cc).\n"); } @@ -1400,7 +1403,9 @@ int main(int argc, char **argv, char **envp) { if (strncasecmp(ptr2, "cfg", strlen("cfg")) == 0 || strncasecmp(ptr2, "instrim", strlen("instrim")) == 0) { - FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n"); + FATAL( + "InsTrim instrumentation was removed. Use a modern LLVM and " + "PCGUARD (default in afl-cc).\n"); } @@ -1765,7 +1770,8 @@ int main(int argc, char **argv, char **envp) { " AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen " "mutator)\n" " AFL_LLVM_INSTRUMENT: set instrumentation mode:\n" - " CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 ..-16\n" + " CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 " + "..-16\n" " You can also use the old environment variables instead:\n" " AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n" " AFL_LLVM_CALLER: use single context sensitive coverage (for " diff --git a/src/afl-common.c b/src/afl-common.c index 087aa113..0fb1462e 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -336,7 +336,16 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname) { } - target_path = alloc_printf("%s/%s", BIN_PATH, fname); + if (perm == X_OK) { + + target_path = alloc_printf("%s/%s", BIN_PATH, fname); + + } else { + + target_path = alloc_printf("%s/%s", AFL_PATH, fname); + + } + if (!access(target_path, perm)) { return target_path; diff --git a/src/afl-ld-lto.c b/src/afl-ld-lto.c index 8928ddc9..d0113af9 100644 --- a/src/afl-ld-lto.c +++ b/src/afl-ld-lto.c @@ -73,7 +73,8 @@ static u32 ld_param_cnt = 1; /* Number of params to 'ld' */ so we exploit this property to keep the code "simple". */ static void edit_params(int argc, char **argv) { - u32 i, gold_pos = 0, gold_present = 0, rt_present = 0, rt_lto_present = 0, inst_present = 0; + u32 i, gold_pos = 0, gold_present = 0, rt_present = 0, rt_lto_present = 0, + inst_present = 0; char *ptr; ld_params = ck_alloc(4096 * sizeof(u8 *)); @@ -185,10 +186,12 @@ static void edit_params(int argc, char **argv) { } - if (getenv("AFL_LLVM_INSTRIM") || + if (getenv("AFL_LLVM_INSTRIM") || ((ptr = getenv("AFL_LLVM_INSTRUMENT")) && - (strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0))) - FATAL("InsTrim was removed because it is not effective. Use a modern LLVM and PCGUARD (which is the default in afl-cc).\n"); + (strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0))) + FATAL( + "InsTrim was removed because it is not effective. Use a modern LLVM " + "and PCGUARD (which is the default in afl-cc).\n"); if (debug) DEBUGF( @@ -228,8 +231,8 @@ static void edit_params(int argc, char **argv) { if (!inst_present) { - ld_params[ld_param_cnt++] = alloc_printf( - "-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", afl_path); + ld_params[ld_param_cnt++] = alloc_printf( + "-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", afl_path); } -- cgit 1.4.1 From 950648c513d031b5c829565255a7c157a33ba7c3 Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 16 Apr 2021 07:06:37 +0100 Subject: Changes following code review --- frida_mode/src/instrument.c | 8 +++++++- frida_mode/src/ranges.c | 3 +-- frida_mode/test/testinstr.c | 7 +++++++ 3 files changed, 15 insertions(+), 3 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument.c b/frida_mode/src/instrument.c index 042fdab8..22910062 100644 --- a/frida_mode/src/instrument.c +++ b/frida_mode/src/instrument.c @@ -174,7 +174,13 @@ void instrument_coverage_optimize(const cs_insn * instr, static void on_basic_block(GumCpuContext *context, gpointer user_data) { - /* Avoid stack operations in potentially performance critical code */ + /* + * This function is performance critical as it is called to instrument every + * basic block. By moving our print buffer to a global, we avoid it affecting + * the critical path with additional stack adjustments if tracing is not + * enabled. If tracing is enabled, then we're printing a load of diagnostic + * information so this overhead is unlikely to be noticeable. + */ static char buffer[200]; int len; guint64 current_pc = (guint64)user_data; diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index fc14710f..49ef5a62 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -29,8 +29,7 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { gchar **tokens; int token_count; tokens = g_strsplit(token, "-", 2); - for (token_count = 0; tokens[token_count] != NULL; token_count++) - ; + for (token_count = 0; tokens[token_count] != NULL; token_count++) {} if (token_count != 2) { diff --git a/frida_mode/test/testinstr.c b/frida_mode/test/testinstr.c index 2c3d5144..37d47f91 100644 --- a/frida_mode/test/testinstr.c +++ b/frida_mode/test/testinstr.c @@ -78,6 +78,13 @@ int main(int argc, char **argv) { } buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + n_read = read(fd, buf, len); if (n_read != len) { -- cgit 1.4.1