From 029e039cbcbf9e30f35eb255162679b8d609d25d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 21 May 2023 17:49:14 +0200 Subject: code format --- frida_mode/src/lib/lib_apple.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/lib/lib_apple.c b/frida_mode/src/lib/lib_apple.c index 634e0e30..d29d0303 100644 --- a/frida_mode/src/lib/lib_apple.c +++ b/frida_mode/src/lib/lib_apple.c @@ -17,8 +17,8 @@ static gboolean lib_get_main_module(const GumModuleDetails *details, GumDarwinModule **ret = (GumDarwinModule **)user_data; GumDarwinModule *module = gum_darwin_module_new_from_memory( - details->path, mach_task_self(), details->range->base_address, - GUM_DARWIN_MODULE_FLAGS_NONE, NULL); + details->path, mach_task_self(), details->range->base_address, + GUM_DARWIN_MODULE_FLAGS_NONE, NULL); FVERBOSE("Found main module: %s", module->name); -- cgit 1.4.1 From e596c9856b636d6c227115655aa74f316d8f27ca Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 31 May 2023 19:15:18 +0100 Subject: Support for instrumentation more than GB away from data structures --- frida_mode/src/instrument/instrument_arm64.c | 231 ++++++++++++++++++++++----- frida_mode/test/testinstr/GNUmakefile | 5 + 2 files changed, 198 insertions(+), 38 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 4372861d..131eb4c5 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c 
@@ -76,6 +76,45 @@ typedef struct { } afl_log_code_asm_t; +typedef struct { + + uint32_t b_imm8; /* br #XX (end) */ + + uint32_t restoration_prolog; /* ldp x16, x17, [sp], #0x90 */ + + uint32_t stp_x0_x1; /* stp x0, x1, [sp, #-0xa0] */ + + uint32_t ldr_x0_p_prev_loc_1; /* ldr x0, #0xXXXX */ + uint32_t ldr_x1_ptr_x0; /* ldr x1, [x0] */ + + uint32_t ldr_x0_p_area_offset; /* ldr x0, #0xXXXX */ + uint32_t eor_x0_x1_x0; /* eor x0, x1, x0 */ + uint32_t ldr_x1_p_area_ptr; /* ldr x1, #0xXXXX */ + uint32_t add_x0_x1_x0; /* add x0, x1, x0 */ + + uint32_t ldrb_w1_x0; /* ldrb w1, [x0] */ + uint32_t add_w1_w1_1; /* add w1, w1, #1 */ + uint32_t add_w1_w1_w1_lsr_8; /* add x1, x1, x1, lsr #8 */ + + uint32_t strb_w1_ptr_x0; /* strb w1, [x0] */ + + uint32_t ldr_x0_p_prev_loc_2; /* ldr x0, #0xXXXX */ + uint32_t ldr_x1_p_area_offset_ror; /* ldr x1, #0xXXXX */ + uint32_t str_x1_ptr_x0; /* str x1, [x0] */ + + uint32_t ldp_x0_x1; /* ldp x0, x1, [sp, #-0xa0] */ + + uint32_t b_end; /* skip the data */ + + uint64_t area_ptr; + uint64_t prev_loc_ptr; + uint64_t area_offset; + uint64_t area_offset_ror; + + uint8_t end[0]; + +} afl_log_code_asm_long_t; + #pragma pack(pop) typedef union { @@ -85,6 +124,13 @@ typedef union { } afl_log_code; +typedef union { + + afl_log_code_asm_long_t code; + uint8_t bytes[0]; + +} afl_log_code_long; + static const afl_log_code_asm_t template = { 
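Review bot: Two of the new field annotations in `afl_log_code_asm_long_t` disagree with what they describe: `b_imm8` is commented `br #XX (end)` although the 0x1400001a placed in it by `template_long` is an unconditional `b` (a `br` takes a register), and `add_w1_w1_w1_lsr_8` is named for `w1` while its comment and encoding (0x8b412021, the 64-bit form) are `add x1, x1, x1, lsr #8`. Since the field names are the only documentation of what this hand-encoded block does, I'd rename the field to `add_x1_x1_x1_lsr_8` and change the comment to `/* b #XX (end) */`. The `uint8_t end[0]` zero-length array matches the existing `bytes[0]` usage in the union below, so it is consistent with the file even though it is a GNU extension rather than a C99 flexible array member.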
@@ -119,6 +165,46 @@ static const afl_log_code_asm_t template = ; +static const afl_log_code_asm_long_t template_long = + {.b_imm8 = 0x1400001a, + + .restoration_prolog = 0xa8c947f0, /* ldp x16, x17, [sp], #0x90 */ + + .stp_x0_x1 = 0xa93607e0, /* stp x0, x1, [sp, #-0xa0] */ + + .ldr_x0_p_prev_loc_1 = 0x58000220, /* ldr x0, #0xXXXX */ + .ldr_x1_ptr_x0 = 0xf9400001, /* ldr x1, [x0] */ + + .ldr_x0_p_area_offset = 0x58000220, /* ldr x0, #0xXXXX */ + .eor_x0_x1_x0 = 0xca000020, /* eor x0, x1, x0 */ + .ldr_x1_p_area_ptr = 0x58000161, /* ldr x1, #0xXXXX */ + .add_x0_x1_x0 = 0x8b000020, /* add x0, x1, x0 */ + + .ldrb_w1_x0 = 0x39400001, /* ldrb w1, [x0] */ + .add_w1_w1_1 = 0x11000421, /* add w1, w1, #1 */ + .add_w1_w1_w1_lsr_8 = 0x8b412021, /* add x1, x1, x1, lsr #8 */ + + .strb_w1_ptr_x0 = 0x39000001, /* strb w1, [x0] */ + + .ldr_x0_p_prev_loc_2 = 0x580000e0, /* ldr x0, #0xXXXX */ + .ldr_x1_p_area_offset_ror = 0x58000141, /* ldr x1, #0xXXXX */ + .str_x1_ptr_x0 = 0xf9000001, /* str x1, [x0] */ + + .ldp_x0_x1 = 0xa97607e0, /* ldp x0, x1, [sp, #-0xa0] */ + + .b_end = 0x14000009, /* skip the data */ + + .area_ptr = 0x0, + .prev_loc_ptr = 0x0, + .area_offset = 0x0, + .area_offset_ror = 0x0, + + .end = {} + +} + +; + gboolean instrument_is_coverage_optimize_supported(void) { return true; @@ -266,16 +352,22 @@ static gboolean instrument_coverage_in_range(gssize offset) { } -static void instrument_patch_ardp(guint32 *patch, GumAddress insn, +static bool instrument_patch_ardp(guint32 *patch, GumAddress insn, GumAddress target) { - if (!PAGE_ALIGNED(target)) { FATAL("Target not page aligned"); } + if (!PAGE_ALIGNED(target)) { + + FWARNF("Target not page aligned"); + return false; + + } gssize distance = target - (GUM_ADDRESS(insn) & PAGE_MASK); if (!instrument_coverage_in_range(distance)) { - FATAL("Patch out of range 0x%016lX->0x%016lX = 0x%016lX", insn, target, - distance); + FVERBOSE("Patch out of range 0x%016lX->0x%016lX = 0x%016lX", insn, target, + distance); + return false; } 
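Review bot: The literal-load and branch immediates in `template_long` hard-code distances to the trailing data words (for instance `ldr_x0_p_prev_loc_1` = 0x58000220 is a PC-relative load of +0x44, and `b_imm8` = 0x1400001a and `b_end` = 0x14000009 both land on `end`), and by my count they only line up because the struct is exactly 18 instruction words followed by four 8-byte slots. Nothing checks that at compile time, so inserting or reordering a field in `afl_log_code_asm_long_t` would silently produce instrumentation that loads the wrong word. I'd pin the layout next to the template with `G_STATIC_ASSERT(offsetof(afl_log_code_asm_long_t, area_ptr) == 18 * sizeof(uint32_t));` and `G_STATIC_ASSERT(offsetof(afl_log_code_asm_long_t, end) == 0x1a * sizeof(uint32_t));`, which documents the dependency as well as enforcing it. In the `instrument_patch_ardp` hunk on the same line the two failure paths log at different levels (`FWARNF` versus `FVERBOSE`); since the caller now silently falls back to the long form, the alignment failure could probably be demoted to `FVERBOSE` too.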
@@ -283,6 +375,95 @@ static void instrument_patch_ardp(guint32 *patch, GumAddress insn, guint32 imm_high = ((distance >> 14) & 0x7FFFF) << 5; *patch |= imm_low; *patch |= imm_high; + return true; + +} + +bool instrument_write_inline(GumArm64Writer *cw, GumAddress code_addr, + guint64 area_offset, gsize area_offset_ror) { + + afl_log_code code = {0}; + code.code = template; + + /* + * Given our map is allocated on a 64KB boundary and our map is a multiple of + * 64KB in size, then it should also end on a 64 KB boundary. It is followed + * by our previous_pc, so this too should be 64KB aligned. + */ + g_assert(PAGE_ALIGNED(instrument_previous_pc_addr)); + g_assert(PAGE_ALIGNED(__afl_area_ptr)); + + if (!instrument_patch_ardp( + &code.code.adrp_x0_prev_loc1, + code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc1), + GUM_ADDRESS(instrument_previous_pc_addr))) { + + return false; + + } + + code.code.mov_x0_curr_loc |= area_offset << 5; + + if (!instrument_patch_ardp( + &code.code.adrp_x1_area_ptr, + code_addr + offsetof(afl_log_code, code.adrp_x1_area_ptr), + GUM_ADDRESS(__afl_area_ptr))) { + + return false; + + } + + if (!instrument_patch_ardp( + &code.code.adrp_x0_prev_loc2, + code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc2), + GUM_ADDRESS(instrument_previous_pc_addr))) { + + return false; + + } + + code.code.mov_x1_curr_loc_shr_1 |= (area_offset_ror << 5); + + if (instrument_suppress) { + + gum_arm64_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + + } else { + + size_t offset = offsetof(afl_log_code, code.stp_x0_x1); + gum_arm64_writer_put_bytes(cw, &code.bytes[offset], + sizeof(afl_log_code) - offset); + + } + + return true; + +} + +bool instrument_write_inline_long(GumArm64Writer *cw, GumAddress code_addr, + guint64 area_offset, gsize area_offset_ror) { + + afl_log_code_long code = {0}; + code.code = template_long; + + code.code.area_ptr = GUM_ADDRESS(__afl_area_ptr); + code.code.prev_loc_ptr = GUM_ADDRESS(instrument_previous_pc_addr); + 
code.code.area_offset = area_offset; + code.code.area_offset_ror = GUM_ADDRESS(area_offset_ror); + + if (instrument_suppress) { + + gum_arm64_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code_long)); + + } else { + + size_t offset = offsetof(afl_log_code_long, code.stp_x0_x1); + gum_arm64_writer_put_bytes(cw, &code.bytes[offset], + sizeof(afl_log_code_long) - offset); + + } + + return true; } @@ -312,6 +493,8 @@ void instrument_coverage_optimize(const cs_insn *instr, } // gum_arm64_writer_put_brk_imm(cw, 0x0); + // uint32_t jmp_dot = 0x14000000; + // gum_arm64_writer_put_bytes(cw, (guint8 *)&jmp_dot, sizeof(jmp_dot)); if (instrument_suppress) { instrument_coverage_suppress_init(); } 
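Review bot: `instrument_write_inline` ORs `area_offset << 5` and `area_offset_ror << 5` straight into the 32-bit `mov_x0_curr_loc` and `mov_x1_curr_loc_shr_1` words without checking that either value fits the 16-bit immediate field those shifts address; `area_offset` is a `guint64` and `area_offset_ror` a `gsize`, so with a map larger than 64K either can carry bits above bit 15 that would land in the opcode rather than the operand. Since a `false` return already makes the caller fall back to `instrument_write_inline_long`, the cheap fix is to bail before patching: `if (area_offset > UINT16_MAX || area_offset_ror > UINT16_MAX) { return false; }` (assuming both fields are the `movz` form the `<< 5` implies — confirm against the short template, which is outside this hunk). In `instrument_write_inline_long` the `code_addr` parameter is unused; either drop it or mark it with the project's `UNUSED_PARAMETER` macro so `-Wunused-parameter` stays clean. `instrument_patch_ardp` begins outside this hunk.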
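Review bot: The hunk in `instrument_coverage_optimize` adds two more commented-out debugging lines (`// uint32_t jmp_dot = 0x14000000;` and the `gum_arm64_writer_put_bytes` call) next to the existing `// gum_arm64_writer_put_brk_imm(cw, 0x0);`. Commented-out code rots silently; if emitting a `b .` self-loop is a useful aid for attaching a debugger to generated code, gate it behind a macro or a verbose-mode flag with a one-line comment saying why, otherwise drop it before merging.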
@@ -343,47 +526,19 @@ void instrument_coverage_optimize(const cs_insn *instr, } - code.code = template; - - /* - * Given our map is allocated on a 64KB boundary and our map is a multiple of - * 64KB in size, then it should also end on a 64 KB boundary. It is followed - * by our previous_pc, so this too should be 64KB aligned. - */ - g_assert(PAGE_ALIGNED(instrument_previous_pc_addr)); - g_assert(PAGE_ALIGNED(__afl_area_ptr)); - - instrument_patch_ardp( - &code.code.adrp_x0_prev_loc1, - code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc1), - GUM_ADDRESS(instrument_previous_pc_addr)); - - code.code.mov_x0_curr_loc |= area_offset << 5; - - instrument_patch_ardp( - &code.code.adrp_x1_area_ptr, - code_addr + offsetof(afl_log_code, code.adrp_x1_area_ptr), - GUM_ADDRESS(__afl_area_ptr)); - map_size_pow2 = util_log2(__afl_map_size); area_offset_ror = util_rotate(area_offset, 1, map_size_pow2); - instrument_patch_ardp( - &code.code.adrp_x0_prev_loc2, - code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc2), - GUM_ADDRESS(instrument_previous_pc_addr)); - - code.code.mov_x1_curr_loc_shr_1 |= (area_offset_ror << 5); + code.code = template; - if (instrument_suppress) { + if (!instrument_write_inline(cw, code_addr, area_offset, area_offset_ror)) { - gum_arm64_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + if (!instrument_write_inline_long(cw, code_addr, area_offset, + area_offset_ror)) { - } else { + FATAL("Failed to write inline instrumentation"); - size_t offset = offsetof(afl_log_code, code.stp_x0_x1); - gum_arm64_writer_put_bytes(cw, &code.bytes[offset], - sizeof(afl_log_code) - offset); + } } diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile index ebc0b2dc..46d9b85f 100644 --- a/frida_mode/test/testinstr/GNUmakefile +++ b/frida_mode/test/testinstr/GNUmakefile 
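Review bot: The re-added `code.code = template;` in `instrument_coverage_optimize` is now dead: both `instrument_write_inline` and `instrument_write_inline_long` build their own `afl_log_code` / `afl_log_code_long` locals, and the function's `code` variable is never passed to them or written to `cw`. Drop that line and, if nothing else in the function reads it, the `code` declaration as well (it sits above this hunk, so I can't see whether it has other uses). Note also that on arm64 `instrument_write_inline_long` always returns `true`, so the inner `FATAL("Failed to write inline instrumentation")` is currently unreachable — fine as a guard, but worth a short comment saying it is defensive.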
@@ -67,3 +67,8 @@ debug: --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ --ex 'set disassembly-flavor intel' \ --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + +lldb: + lldb \ + -O 'settings set target.env-vars DYLD_INSERT_LIBRARIES=$(ROOT)afl-frida-trace.so' \ + -- $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- cgit 1.4.1 From 06e1c64745ed37bd826ff6f2c1a42340684998dc Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 31 May 2023 17:34:36 +0100 Subject: Changes to support defered start --- frida_mode/include/entry.h | 2 -- frida_mode/src/entry.c | 26 +-------------------- frida_mode/src/instrument/instrument.c | 1 - frida_mode/src/main.c | 41 +++++++++++++++++++++++++++++----- 4 files changed, 37 insertions(+), 33 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h index edc41467..949fab71 100644 --- a/frida_mode/include/entry.h +++ b/frida_mode/include/entry.h @@ -14,8 +14,6 @@ void entry_init(void); void entry_start(void); -void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output); - void entry_on_fork(void); #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 05af7ebb..fc49b4d7 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -78,31 +78,7 @@ void entry_init(void) { void entry_start(void) { - if (persistent_start == 0) { - - ranges_exclude(); - stalker_trust(); - - } - - if (entry_point == 0) { entry_launch(); } - -} - -static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) { - - UNUSED_PARAMETER(cpu_context); - UNUSED_PARAMETER(user_data); - entry_compiled = TRUE; - entry_launch(); - -} - -void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { - - UNUSED_PARAMETER(output); FVERBOSE("AFL_ENTRYPOINT reached"); - if (persistent_start == 0) { ranges_exclude(); 
@@ -110,7 +86,7 @@ void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { } - gum_stalker_iterator_put_callout(iterator, entry_callout, NULL, NULL); + entry_launch(); } diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index a6aac666..db73d845 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -169,7 +169,6 @@ static void instrument_basic_block(GumStalkerIterator *iterator, if (unlikely(begin)) { instrument_debug_start(instr->address, output); } - if (instr->address == entry_point) { entry_prologue(iterator, output); } if (instr->address == persistent_start) { persistent_prologue(output); } if (instr->address == persistent_ret) { persistent_epilogue(output); } diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c8c50b37..f11c4b25 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -197,7 +197,7 @@ static void afl_print_env(void) { } -__attribute__((visibility("default"))) void afl_frida_start(void) { +void afl_frida_config(void) { FOKF(cRED "**********************"); FOKF(cRED "* " cYEL "******************" cRED " *"); @@ -225,9 +225,7 @@ __attribute__((visibility("default"))) void afl_frida_start(void) { js_start(); - /* Initialize */ output_init(); - embedded_init(); entry_init(); instrument_init(); 
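Review bot: `entry_start` now logs `FVERBOSE("AFL_ENTRYPOINT reached")` unconditionally, but after this commit it is also the path taken when no entry point is configured (`afl_frida_run` calls it directly when `entry_point == 0` in main.c), so the message is misleading in that mode; guard it with `if (entry_point != 0) { FVERBOSE("AFL_ENTRYPOINT reached"); }` or reword it. The removed `entry_callout` was also the only visible place that set `entry_compiled = TRUE`; if that flag still has readers elsewhere (outside these hunks), nothing sets it any more. The tail of `entry_start` continues outside the hunk.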
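Review bot: `embedded_init()` is deleted from the initialization sequence in the `@@ -225` hunk of main.c and is not re-added in any other hunk of this commit (the diffstat lists only entry.h, entry.c, instrument.c and main.c), and the deferred-start commit message does not explain it. If it was intentionally retired, say so in the message and remove the now-unused definition in the same change; if not, the call belongs in `afl_frida_config`. I can't see the rest of the file, so this may already be handled elsewhere.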
@@ -240,12 +238,35 @@ __attribute__((visibility("default"))) void afl_frida_start(void) { ranges_init(); stats_init(); - /* Start */ +} + +void afl_frida_run(void) { + stalker_start(); entry_start(); } +__attribute__((visibility("default"))) void afl_frida_start(void) { + + afl_frida_config(); + afl_frida_run(); + +} + +typedef void *(*entry_func_t)(size_t a1, size_t a2, size_t a3, size_t a4, + size_t a5, size_t a6); + +static void *on_entry(size_t a1, size_t a2, size_t a3, size_t a4, size_t a5, + size_t a6) { + + intercept_unhook(GSIZE_TO_POINTER(entry_point)); + afl_frida_run(); + entry_func_t entry = (entry_func_t)entry_point; + return entry(a1, a2, a3, a4, a5, a6); + +} + static int on_main(int argc, char **argv, char **envp) { int ret; @@ -254,7 +275,17 @@ static int on_main(int argc, char **argv, char **envp) { intercept_unhook_self(); - afl_frida_start(); + afl_frida_config(); + + if (entry_point == 0) { + + afl_frida_run(); + + } else { + + intercept_hook(GSIZE_TO_POINTER(entry_point), on_entry, NULL); + + } if (js_main_hook != NULL) { -- cgit 1.4.1 From 9926f070822c35c312b5051ce0be0a40a471f253 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 22 Jun 2023 17:36:02 +0100 Subject: Support for long form instrumentation on x64 --- frida_mode/src/instrument/instrument_x64.c | 289 ++++++++++++++++++++++++----- 1 file changed, 242 insertions(+), 47 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 8338f8e7..3983c3ba 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -58,6 +58,7 @@ typedef union { } jcc_insn; static GHashTable *coverage_blocks = NULL; +static GHashTable *coverage_blocks_long = NULL; gboolean instrument_is_coverage_optimize_supported(void) { 
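Review bot: `on_entry` forwards the original entry point's arguments through a fixed signature of six `size_t` parameters returning `void *`, which only preserves arguments passed in the integer/pointer registers and assumes an integer-class return; if the configured entry point takes floating-point, struct-by-value or stack-passed arguments they are not forwarded. That may be an acceptable restriction, but it deserves a comment above `entry_func_t` such as `/* Trampoline assumes an entry point with at most six integer-class arguments and an integer/pointer return */` so users choosing AFL_ENTRYPOINT know the constraint. Separately, `afl_frida_config` and `afl_frida_run` are only called from this file (as far as visible) yet are not `static`, unlike `on_entry` and `on_main`; without `-fvisibility=hidden` they become exported symbols of the injected library.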
@@ -127,6 +128,64 @@ typedef struct { } afl_log_code_asm_t; +typedef struct { + + // cur_location = (block_address >> 4) ^ (block_address << 8); + // shared_mem[cur_location ^ prev_location]++; + // prev_location = cur_location >> 1; + + // mov QWORD PTR [rsp-0x88],rax + // lahf + // mov QWORD PTR [rsp-0x90],rax + // mov QWORD PTR [rsp-0x98],rbx + + // mov rax, 0xXXXXXXXXXXXXXXXXX /* p_prev_loc */ + // mov eax, dword ptr [rax] /* prev_loc */ + // xor eax,0x3f77 /* cur_loc */ + + // mov rbx, 0xXXXXXXXXXXXXXXXXX /* map */ + // add rax,rbx + + // mov bl,BYTE PTR [rax] + // add bl,0x1 + // adc bl,0x0 + // mov BYTE PTR [rax],bl + + // mov rax, 0xXXXXXXXXXXXXXXXXX /* p_prev_loc */ + // mov dword ptr [rax], 0xXXXXXXXXX /* prev_loc */ + + // mov rbx,QWORD PTR [rsp-0x98] + // mov rax,QWORD PTR [rsp-0x90] + // sahf + // mov rax,QWORD PTR [rsp-0x88] + + uint8_t mov_rax_rsp_88[8]; + uint8_t lahf; + uint8_t mov_rax_rsp_90[8]; + uint8_t mov_rbx_rsp_98[8]; + + uint8_t mov_rax_prev_loc_ptr1[10]; + uint8_t mov_eax_prev_loc[2]; + uint8_t xor_eax_curr_loc[5]; + + uint8_t mov_rbx_map_ptr[10]; + uint8_t add_rax_rbx[3]; + + uint8_t mov_rbx_ptr_rax[2]; + uint8_t add_bl_1[3]; + uint8_t adc_bl_0[3]; + uint8_t mov_ptr_rax_rbx[2]; + + uint8_t mov_rax_prev_loc_ptr2[10]; + uint8_t mov_prev_loc_curr_loc_shr1[6]; + + uint8_t mov_rsp_98_rbx[8]; + uint8_t mov_rsp_90_rax[8]; + uint8_t sahf; + uint8_t mov_rsp_88_rax[8]; + +} afl_log_code_asm_long_t; + #pragma pack(pop) static const afl_log_code_asm_t template = 
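Review bot: `afl_log_code_asm_long_t` carries a field-by-field instruction listing but nothing says why a second template exists or when it is chosen, which is the first thing a reader of this file needs. From the rest of the commit, the short form patches rip-relative displacements (the `instrument_coverage_in_range` checks in `instrument_write_inline`) while this one loads `instrument_previous_pc_addr` and `__afl_area_ptr` as absolute 64-bit immediates (`mov_rax_prev_loc_ptr1`, `mov_rbx_map_ptr`), so a header comment such as `/* Long-form variant: absolute 64-bit immediates instead of rip-relative addressing, used when the map or prev_loc lies outside rip+/-2GB of the generated code and instrument_write_inline's range checks fail. */` would capture it.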
@@ -158,6 +217,41 @@ static const afl_log_code_asm_t template = ; +static const afl_log_code_asm_long_t template_long = + { + + .mov_rax_rsp_88 = {0x48, 0x89, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + .lahf = 0x9f, + .mov_rax_rsp_90 = {0x48, 0x89, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .mov_rbx_rsp_98 = {0x48, 0x89, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, + + .mov_rax_prev_loc_ptr1 = {0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF}, + .mov_eax_prev_loc = {0x8b, 0x00}, + .xor_eax_curr_loc = {0x35}, + + .mov_rbx_map_ptr = {0x48, 0xBB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF}, + .add_rax_rbx = {0x48, 0x01, 0xd8}, + + .mov_rbx_ptr_rax = {0x8a, 0x18}, + .add_bl_1 = {0x80, 0xc3, 0x01}, + .adc_bl_0 = {0x80, 0xd3, 0x00}, + .mov_ptr_rax_rbx = {0x88, 0x18}, + + .mov_rax_prev_loc_ptr2 = {0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF}, + .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, + + .mov_rsp_98_rbx = {0x48, 0x8B, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, + .mov_rsp_90_rax = {0x48, 0x8B, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .sahf = 0x9e, + .mov_rsp_88_rax = {0x48, 0x8B, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + +} + +; + typedef union { afl_log_code_asm_t code; @@ -165,6 +259,13 @@ typedef union { } afl_log_code; +typedef union { + + afl_log_code_asm_long_t code; + uint8_t bytes[0]; + +} afl_log_code_long; + void instrument_coverage_optimize_init(void) { FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr); 
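Review bot: The placeholder bytes in `template_long` are inconsistent: the imm64 fields and `mov_prev_loc_curr_loc_shr1` use `0xFF` fill, while `xor_eax_curr_loc = {0x35}` leaves its four immediate bytes as implicit zeros. All of them are overwritten by `instrument_write_inline_long`, so this is cosmetic, but using the same `0xFF` fill for `xor_eax_curr_loc` (or a one-line comment that every placeholder is patched) makes it obvious that no field is meant to carry a real default. A `G_STATIC_ASSERT(sizeof(afl_log_code_asm_long_t) == 106);` next to the template (106 is my count of the packed array lengths) would also catch an accidental edit to one of the hand-counted sizes, since `instrument_coverage_switch_insn` skips exactly `sizeof(afl_log_code_long)` bytes.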
@@ -182,16 +283,19 @@ static void instrument_coverage_switch_insn(GumStalkerObserver *self, cs_x86 *x86; cs_x86_op *op; + bool is_short = false; + bool is_long = false; + if (from_insn == NULL) { return; } x86 = &from_insn->detail->x86; op = x86->operands; - if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { - - return; + is_short = g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target)); + is_long = + g_hash_table_contains(coverage_blocks_long, GSIZE_TO_POINTER(*target)); - } + if (!is_short && !is_long) { return; } switch (from_insn->id) { @@ -212,15 +316,41 @@ static void instrument_coverage_switch_insn(GumStalkerObserver *self, break; case X86_INS_RET: - instrument_cache_insert(start_address, - (guint8 *)*target + sizeof(afl_log_code)); + if (is_short) { + + instrument_cache_insert(start_address, + (guint8 *)*target + sizeof(afl_log_code)); + + } else if (is_long) { + + instrument_cache_insert(start_address, + (guint8 *)*target + sizeof(afl_log_code_long)); + + } else { + + FATAL("Something has gone wrong here!"); + + } + break; default: return; } - *target = (guint8 *)*target + sizeof(afl_log_code); + if (is_short) { + + *target = (guint8 *)*target + sizeof(afl_log_code); + + } else if (is_long) { + + *target = (guint8 *)*target + sizeof(afl_log_code_long); + + } else { + + FATAL("Something has gone wrong here!"); + + } } 
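Review bot: In `instrument_coverage_switch_insn` the `if (is_short) … else if (is_long) … else FATAL` ladder is duplicated for the `X86_INS_RET` cache insert and for the final `*target` adjustment, and both `else` arms are unreachable because `if (!is_short && !is_long) { return; }` already ran. Compute the skip once right after that early return, `gsize skip = is_short ? sizeof(afl_log_code) : sizeof(afl_log_code_long);`, then use `instrument_cache_insert(start_address, (guint8 *)*target + skip);` and `*target = (guint8 *)*target + skip;`. If a block could ever sit in both tables, `is_short` winning is the current behaviour too, so nothing changes there. The function's start and the rest of the `switch` are outside the hunk.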
@@ -270,22 +400,22 @@ static void instrument_coverage_suppress_init(void) { } + coverage_blocks_long = g_hash_table_new(g_direct_hash, g_direct_equal); + if (coverage_blocks_long == NULL) { + + FATAL("Failed to g_hash_table_new, errno: %d", errno); + + } + } -static void instrument_coverage_write(GumAddress address, - GumStalkerOutput *output) { +bool instrument_write_inline(GumX86Writer *cw, GumAddress code_addr, + guint32 area_offset, guint32 area_offset_ror) { - afl_log_code code = {0}; - GumX86Writer *cw = output->writer.x86; - guint64 area_offset = instrument_get_offset_hash(address); - gsize map_size_pow2; - gsize area_offset_ror; - GumAddress code_addr = cw->pc; + afl_log_code code = {0}; code.code = template; - /* mov_prev_loc_curr_loc_shr1 */ - gssize prev_loc_value = GPOINTER_TO_SIZE(instrument_previous_pc_addr) - (code_addr + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + @@ -294,11 +424,7 @@ static void instrument_coverage_write(GumAddress address, offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(gint) - sizeof(guint32); - if (!instrument_coverage_in_range(prev_loc_value)) { - - FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value); - - } + if (!instrument_coverage_in_range(prev_loc_value)) { return false; } *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value; @@ -311,11 +437,7 @@ static void instrument_coverage_write(GumAddress address, gssize prev_loc_value_offset2 = offsetof(afl_log_code, code.mov_eax_prev_loc) + sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); - if (!instrument_coverage_in_range(prev_loc_value)) { - - FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value2); - - } + if (!instrument_coverage_in_range(prev_loc_value)) { return false; } *((gint *)&code.bytes[prev_loc_value_offset2]) = (gint)prev_loc_value2; 
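Review bot: In the third hunk on this line (`@@ -311`), the range check guarding the second displacement still tests `prev_loc_value` while the value written on the next line is `prev_loc_value2`; the removed `FATAL` had the same mismatch (it printed `prev_loc_value2`), so the commit rewrites the line without fixing it and an out-of-range second displacement is never caught. It should read `if (!instrument_coverage_in_range(prev_loc_value2)) { return false; }`. `prev_loc_value2` is computed between the visible hunks, so I can't see its derivation, but the asymmetry with the first check is clear from what is shown.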
@@ -338,12 +460,7 @@ static void instrument_coverage_write(GumAddress address, (code_addr + offsetof(afl_log_code, code.lea_rbx_area_ptr) + sizeof(code.code.lea_rbx_area_ptr))); - if (!instrument_coverage_in_range(lea_rbx_area_ptr_value)) { - - FATAL("Patch out of range (lea_rbx_area_ptr_value): 0x%016lX", - lea_rbx_area_ptr_value); - - } + if (!instrument_coverage_in_range(lea_rbx_area_ptr_value)) { return false; } *((guint32 *)&code.bytes[lea_rbx_area_ptr_offset]) = lea_rbx_area_ptr_value; 
@@ -353,12 +470,100 @@ static void instrument_coverage_write(GumAddress address, offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(guint32); - map_size_pow2 = util_log2(__afl_map_size); - area_offset_ror = util_rotate(area_offset, 1, map_size_pow2); - *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); + if (instrument_suppress) { + + if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } + + } + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + return true; + +} + +bool instrument_write_inline_long(GumX86Writer *cw, guint32 area_offset, + guint32 area_offset_ror) { + + afl_log_code_long code = {0}; + code.code = template_long; + + /* mov_rax_prev_loc_ptr1 */ + gssize mov_rax_prev_loc_ptr1_offset = + offsetof(afl_log_code_long, code.mov_rax_prev_loc_ptr1) + + sizeof(code.code.mov_rax_prev_loc_ptr1) - sizeof(gsize); + *((gsize *)&code.bytes[mov_rax_prev_loc_ptr1_offset]) = + GPOINTER_TO_SIZE(instrument_previous_pc_addr); + + /* xor_eax_curr_loc */ + gssize xor_eax_curr_loc_offset = + offsetof(afl_log_code_long, code.xor_eax_curr_loc) + + sizeof(code.code.xor_eax_curr_loc) - sizeof(guint32); + *((guint32 *)&code.bytes[xor_eax_curr_loc_offset]) = area_offset; + + /* mov_rbx_map_ptr */ + gsize mov_rbx_map_ptr_offset = + offsetof(afl_log_code_long, code.mov_rbx_map_ptr) + + sizeof(code.code.mov_rbx_map_ptr) - sizeof(gsize); + *((gsize *)&code.bytes[mov_rbx_map_ptr_offset]) = + GPOINTER_TO_SIZE(__afl_area_ptr); + + /* mov_rax_prev_loc_ptr2 */ + gssize mov_rax_prev_loc_ptr2_offset = + offsetof(afl_log_code_long, code.mov_rax_prev_loc_ptr2) + + sizeof(code.code.mov_rax_prev_loc_ptr2) - sizeof(gsize); + *((gsize *)&code.bytes[mov_rax_prev_loc_ptr2_offset]) = + GPOINTER_TO_SIZE(instrument_previous_pc_addr); + + /* mov_prev_loc_curr_loc_shr1 */ + gssize mov_prev_loc_curr_loc_shr1_offset = + 
offsetof(afl_log_code_long, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(guint32); + *((guint32 *)&code.bytes[mov_prev_loc_curr_loc_shr1_offset]) = + (guint32)(area_offset_ror); + + if (instrument_suppress) { + + if (!g_hash_table_add(coverage_blocks_long, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } + + } + + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code_long)); + return true; + +} + +static void instrument_coverage_write(GumAddress address, + GumStalkerOutput *output) { + + GumX86Writer *cw = output->writer.x86; + guint64 area_offset = (guint32)instrument_get_offset_hash(address); + gsize map_size_pow2; + guint32 area_offset_ror; + GumAddress code_addr = cw->pc; + + map_size_pow2 = util_log2(__afl_map_size); + area_offset_ror = (guint32)util_rotate(instrument_get_offset_hash(address), 1, + map_size_pow2); + + if (!instrument_write_inline(cw, code_addr, area_offset, area_offset_ror)) { + + if (!instrument_write_inline_long(cw, area_offset, area_offset_ror)) { + + FATAL("Failed to write inline instrumentation"); + + } + + } } @@ -380,17 +585,7 @@ void instrument_coverage_optimize(const cs_insn *instr, } - if (instrument_suppress) { - - instrument_coverage_suppress_init(); - - if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { - - FATAL("Failed - g_hash_table_add"); - - } - - } + if (instrument_suppress) { instrument_coverage_suppress_init(); } instrument_coverage_write(GUM_ADDRESS(instr->address), output); -- cgit 1.4.1 From a560e42a4d4a41ca132cbc3d7d06c567c1f992a8 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 10 Jul 2023 07:31:19 +0100 Subject: Increase dummy map size --- frida_mode/src/instrument/instrument_arm32.c | 2 +- frida_mode/src/instrument/instrument_arm64.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'frida_mode/src') 
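Review bot: The new `instrument_coverage_write` calls `instrument_get_offset_hash(address)` twice and narrows the result differently each time — `area_offset` is `(guint32)` of the hash but declared `guint64`, while `area_offset_ror` rotates the untruncated value before its own `(guint32)` cast — and then passes both to `guint32` parameters. Compute it once and keep the widths honest: `guint64 hash = instrument_get_offset_hash(address);`, `guint32 area_offset = (guint32)hash;`, `guint32 area_offset_ror = (guint32)util_rotate(hash, 1, map_size_pow2);` (assuming the hash is deterministic, which its name implies; if it has side effects the double call is a bigger problem). The `*((gsize *)&code.bytes[...]) = …` stores in `instrument_write_inline_long` are unaligned type-punned writes; `memcpy(&code.bytes[off], &value, sizeof value)` is the standard-conforming form and compiles to the same store on x86-64, although the short-form code already uses the same idiom so this is consistency rather than a regression.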
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 51f78a35..2e123247 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -15,7 +15,7 @@ static GHashTable *coverage_blocks = NULL; extern __thread guint64 instrument_previous_pc; -__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; +__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[2UL << 20]; #pragma pack(push, 1) typedef struct { diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 131eb4c5..a8d30dc1 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -22,7 +22,7 @@ gboolean instrument_cache_enabled = FALSE; gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; -__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; +__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[2UL << 20]; #pragma pack(push, 1) typedef struct { -- cgit 1.4.1 From 127c345161769c513275fed9d64de12536ee979d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jul 2023 14:26:26 +0200 Subject: nts --- frida_mode/src/instrument/instrument_arm32.c | 2 +- frida_mode/src/instrument/instrument_arm64.c | 2 +- include/config.h | 8 ++++++++ instrumentation/SanitizerCoveragePCGUARD.so.cc | 1 + instrumentation/afl-compiler-rt.o.c | 6 ------ 5 files changed, 11 insertions(+), 8 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 2e123247..c1e3f187 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c 
@@ -15,7 +15,7 @@ static GHashTable *coverage_blocks = NULL; extern __thread guint64 instrument_previous_pc; -__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[2UL << 20]; +__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_INITIAL_SIZE]; #pragma pack(push, 1) typedef struct { diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index a8d30dc1..2256f941 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -22,7 +22,7 @@ gboolean instrument_cache_enabled = FALSE; gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; -__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[2UL << 20]; +__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_INITIAL_SIZE]; #pragma pack(push, 1) typedef struct { diff --git a/include/config.h b/include/config.h index 8585041e..16f4b613 100644 --- a/include/config.h +++ b/include/config.h @@ -446,7 +446,15 @@ after changing this - otherwise, SEGVs may ensue. */ #define MAP_SIZE_POW2 16 + +/* Do not change this unless you really know what you are doing. */ + #define MAP_SIZE (1U << MAP_SIZE_POW2) +#if MAP_SIZE <= 65536 + #define MAP_INITIAL_SIZE (2 << 20) // = 2097152 +#else + #define MAP_INITIAL_SIZE MAP_SIZE +#endif /* Maximum allocator request size (keep well under INT_MAX): */ diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 7d614f43..98c5973c 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -227,6 +227,7 @@ llvmGetPassPluginInfo() { PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M, ModuleAnalysisManager &MAM) { + ModuleSanitizerCoverageAFL ModuleSancov(Options); auto &FAM = MAM.getResult(M).getManager(); auto DTCallback = [&FAM](Function &F) -> const DominatorTree *{ 
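Review bot: `MAP_INITIAL_SIZE` moves into config.h without any explanation, while the only description of what it sizes (the comment about instrumentation output before `__afl_map_shm()` runs, visible as context in the afl-compiler-rt.o.c hunk on the next line) stays in that file; a reader of config.h now sees a bare `#if` with a magic 2 MiB, and the frida_mode dummy maps in the two arm hunks depend on the same macro. Add a short comment above the new `#if MAP_SIZE <= 65536` block, e.g. `/* Size of the static map used before the shared map is attached (and of frida_mode's dummy area): 2 MiB, or MAP_SIZE when that is larger. */`, and consider `(2U << 20)` to match the unsigned `MAP_SIZE` definition just above it.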
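Review bot: The added `ModuleSanitizerCoverageAFL ModuleSancov(Options);` constructs a second pass object inside `run()`; whether it is used depends on lines below the hunk that I can't see, so if `run()` still invokes `instrumentModule` on `this` the local is dead and the copy of `Options` is wasted, and if it is used instead of `this` a one-line comment saying why a fresh instance is needed (e.g. to start from clean per-module state) would help the next reader. The commit message `nts` gives no hint, and this file is unrelated to the frida_mode change bundled with it, so I'd split it into its own commit.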
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 3f8b519b..dd9aae77 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -87,12 +87,6 @@ is used for instrumentation output before __afl_map_shm() has a chance to run. It will end up as .comm, so it shouldn't be too wasteful. */ -#if MAP_SIZE <= 65536 - #define MAP_INITIAL_SIZE 2097152 -#else - #define MAP_INITIAL_SIZE MAP_SIZE -#endif - #if defined(__HAIKU__) extern ssize_t _kern_write(int fd, off_t pos, const void *buffer, size_t bufferSize); -- cgit 1.4.1 From d6e7740ad6bab0f5a0d34a96561d80ccbafd6073 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 30 Aug 2023 17:17:55 +0100 Subject: Don't corrupt instruction if map offset is too large --- frida_mode/src/instrument/instrument_arm64.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 2256f941..a0c66697 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -402,6 +402,18 @@ bool instrument_write_inline(GumArm64Writer *cw, GumAddress code_addr, } + /* + * The mov instruction supports up to a 16-bit offset. If our offset is out of + * range, then it can end up clobbering the op-code portion of the instruction + * rather than just the operands. So return false and fall back to the + * alternative instrumentation. + */ + if (area_offset > UINT16_MAX) { + + return false; + + } + code.code.mov_x0_curr_loc |= area_offset << 5; if (!instrument_patch_ardp( -- cgit 1.4.1 From 3bae404733e27b3ec7769ad6d5d997dcd9ec6fa3 Mon Sep 17 00:00:00 2001 
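Review bot: The new `UINT16_MAX` guard covers `area_offset` but not `area_offset_ror`, which is ORed into `mov_x1_curr_loc_shr_1` with the same `<< 5` a few lines further down (outside this hunk) and can exceed 16 bits even when `area_offset` does not: a rotate-right-by-one within `map_size_pow2` bits moves bit 0 up to bit `map_size_pow2 - 1`, which is above bit 15 for any map larger than 64K (assuming `util_rotate` works within that width, as its arguments suggest). Add the same check before that patch, `if (area_offset_ror > UINT16_MAX) { return false; }`, so the long form is used in that case too, and make the comment say `The mov instructions support a 16-bit immediate` so it covers both sites. `instrument_write_inline` begins and ends outside the hunk.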
From: vanhauser-thc Date: Sun, 3 Sep 2023 11:25:03 +0200 Subject: code format --- frida_mode/src/instrument/instrument_arm64.c | 14 +++++--------- utils/afl_untracer/afl-untracer.c | 29 +++++++++++++++------------- 2 files changed, 21 insertions(+), 22 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index a0c66697..1147275f 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -402,17 +402,13 @@ bool instrument_write_inline(GumArm64Writer *cw, GumAddress code_addr, } - /* - * The mov instruction supports up to a 16-bit offset. If our offset is out of - * range, then it can end up clobbering the op-code portion of the instruction - * rather than just the operands. So return false and fall back to the + /* + * The mov instruction supports up to a 16-bit offset. If our offset is out of + * range, then it can end up clobbering the op-code portion of the instruction + * rather than just the operands. So return false and fall back to the * alternative instrumentation. */ - if (area_offset > UINT16_MAX) { - - return false; - - } + if (area_offset > UINT16_MAX) { return false; } code.code.mov_x0_curr_loc |= area_offset << 5; diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c index 5a67b996..0e3f8a45 100644 --- a/utils/afl_untracer/afl-untracer.c +++ b/utils/afl_untracer/afl-untracer.c @@ -54,7 +54,7 @@ #include #if !defined(__HAIKU__) -#include + #include #endif #include #include 
@@ -236,28 +236,31 @@ void read_library_information(void) {
 start += size;
 }
+
 #elif defined(__HAIKU__)
 image_info ii;
- int32 c = 0;
+ int32 c = 0;
 while (get_next_image_info(0, &c, &ii) == B_OK) {
- liblist[liblist_cnt].name = (u8 *)strdup(ii.name);
- liblist[liblist_cnt].addr_start = (u64)ii.text;
- liblist[liblist_cnt].addr_end = (u64)((char *)ii.text + ii.text_size);
+ liblist[liblist_cnt].name = (u8 *)strdup(ii.name);
+ liblist[liblist_cnt].addr_start = (u64)ii.text;
+ liblist[liblist_cnt].addr_end = (u64)((char *)ii.text + ii.text_size);
- if (debug) {
+ if (debug) {
- fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name,
- (unsigned long)(liblist[liblist_cnt].addr_end -
- liblist[liblist_cnt].addr_start),
- (unsigned long)liblist[liblist_cnt].addr_start,
- (unsigned long)(liblist[liblist_cnt].addr_end - 1));
+ fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name,
+ (unsigned long)(liblist[liblist_cnt].addr_end -
+ liblist[liblist_cnt].addr_start),
+ (unsigned long)liblist[liblist_cnt].addr_start,
+ (unsigned long)(liblist[liblist_cnt].addr_end - 1));
- }
+ }
+
+ liblist_cnt++;
- liblist_cnt++;
 }
+
 #endif
 }
-- cgit 1.4.1
From b679e155ca0ef898fc8f758b3714a2ab347c9685 Mon Sep 17 00:00:00 2001
From: Joey Jiao
Date: Tue, 25 Jul 2023 15:24:34 +0800
Subject: frida_mode: fix oob when copying details
Change-Id: I6a19792ee9e174720242602cec4a79134f6218de
---
 frida_mode/src/lib/lib.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'frida_mode/src')
diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c
index d563b69b..7fac755a 100644
--- a/frida_mode/src/lib/lib.c
+++ b/frida_mode/src/lib/lib.c
@@ -44,8 +44,10 @@ static gboolean lib_find_exe(const GumModuleDetails *details,
 lib_details_t *lib_details = (lib_details_t *)user_data;
- memcpy(lib_details->name, details->name, PATH_MAX);
- memcpy(lib_details->path, details->path, PATH_MAX);
+ strncpy(lib_details->name, details->name, PATH_MAX);
+ strncpy(lib_details->path, details->path, PATH_MAX);
+ lib_details->name[PATH_MAX] = '\0';
+ lib_details->path[PATH_MAX] = '\0';
 lib_details->base_address = details->range->base_address;
 lib_details->size = details->range->size;
 return FALSE;
-- cgit 1.4.1
From f3d2127fd815bed2ec9dfab981123898d11cea65 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 6 Nov 2023 10:13:59 +0100
Subject: clang-format 16->17
---
 .custom-format.py | 2 +-
 frida_mode/src/main.c | 8 +++---
 include/afl-mutations.h | 2 +-
 include/xxhash.h | 30 +++++++++++------------
 instrumentation/cmplog-instructions-pass.cc | 2 +-
 instrumentation/cmplog-routines-pass.cc | 2 +-
 instrumentation/cmplog-switches-pass.cc | 2 +-
 instrumentation/split-switches-pass.so.cc | 2 +-
 qemu_mode/libqasan/dlmalloc.c | 38 ++++++++++++++---------------
 qemu_mode/libqasan/malloc.c | 4 +--
 src/afl-fuzz-one.c | 30 +++++++++++------------
 src/afl-fuzz-redqueen.c | 2 +-
 utils/libtokencap/libtokencap.so.c | 6 ++---
 13 files changed, 65 insertions(+), 65 deletions(-)
(limited to 'frida_mode/src')
diff --git a/.custom-format.py b/.custom-format.py
index 3521c05d..c8075ace 100755
--- a/.custom-format.py
+++ b/.custom-format.py
@@ -24,7 +24,7 @@ import importlib.metadata
 # string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use
-CURRENT_LLVM = os.getenv('LLVM_VERSION', 16)
+CURRENT_LLVM = os.getenv('LLVM_VERSION', 17)
 CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "")
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index f11c4b25..bd7b1351 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
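Review bot: The terminator stores `lib_details->name[PATH_MAX] = '\0'` and `lib_details->path[PATH_MAX] = '\0'` index one element past a PATH_MAX-sized array, so the fix only holds if both members of `lib_details_t` are declared with PATH_MAX + 1 bytes; the struct is not in the hunk, and if they are exactly PATH_MAX this is still a one-byte out-of-bounds write, just moved to the end. `snprintf(lib_details->name, sizeof lib_details->name, "%s", details->name);` (and the same for `path`) always terminates inside whatever size the array actually has and also avoids strncpy zero-filling the rest of the buffer on every module callback. lib_find_exe begins in the hunk header and its body continues outside the hunk.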
@@ -49,10 +49,10 @@ extern void __libc_init(void *raw_args, void (*onexit)(void) __unused, int (*slingshot)(int, char **, char **), structors_array_t const *const structors); #else -extern int __libc_start_main(int (*main)(int, char **, char **), int argc, - char **ubp_av, void (*init)(void), - void (*fini)(void), void (*rtld_fini)(void), - void(*stack_end)); +extern int __libc_start_main(int (*main)(int, char **, char **), int argc, + char **ubp_av, void (*init)(void), + void (*fini)(void), void (*rtld_fini)(void), + void(*stack_end)); #endif typedef int (*main_fn_t)(int argc, char **argv, char **envp); diff --git a/include/afl-mutations.h b/include/afl-mutations.h index 98ba6fcf..d709b90d 100644 --- a/include/afl-mutations.h +++ b/include/afl-mutations.h @@ -1854,7 +1854,7 @@ inline u32 afl_mutate(afl_state_t *afl, u8 *buf, u32 len, u32 steps, for (u32 step = 0; step < steps; ++step) { - retry_havoc_step : { + retry_havoc_step: { u32 r = rand_below(afl, MUT_STRATEGY_ARRAY_SIZE), item; diff --git a/include/xxhash.h b/include/xxhash.h index 7bc0a14e..a8bd6f27 100644 --- a/include/xxhash.h +++ b/include/xxhash.h @@ -365,7 +365,7 @@ typedef uint32_t XXH32_hash_t; (defined(__cplusplus) || \ (defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) /* C99 */)) #include -typedef uint32_t XXH32_hash_t; +typedef uint32_t XXH32_hash_t; #else #include @@ -1082,7 +1082,7 @@ struct XXH64_state_s { #include #define XXH_ALIGN(n) alignas(n) #elif defined(__cplusplus) && (__cplusplus >= 201103L) /* >= C++11 */ - /* In C++ alignas() is a keyword */ + /* In C++ alignas() is a keyword */ #define XXH_ALIGN(n) alignas(n) #elif defined(__GNUC__) #define XXH_ALIGN(n) __attribute__((aligned(n))) 
@@ -3031,8 +3031,8 @@ XXH64_hashFromCanonical(const XXH64_canonical_t *src) { __STDC_VERSION__ >= 199901L /* >= C99 */ #define XXH_RESTRICT restrict #else - /* Note: it might be useful to define __restrict or __restrict__ for - * some C++ compilers */ + /* Note: it might be useful to define __restrict or __restrict__ for + * some C++ compilers */ #define XXH_RESTRICT /* disable */ #endif @@ -3492,8 +3492,8 @@ XXH_FORCE_INLINE xxh_u64x2 XXH_vec_loadu(const void *ptr) { #define XXH_vec_mulo vec_mulo #define XXH_vec_mule vec_mule #elif defined(__clang__) && XXH_HAS_BUILTIN(__builtin_altivec_vmuleuw) - /* Clang has a better way to control this, we can just use the builtin - * which doesn't swap. */ + /* Clang has a better way to control this, we can just use the builtin + * which doesn't swap. */ #define XXH_vec_mulo __builtin_altivec_vmulouw #define XXH_vec_mule __builtin_altivec_vmuleuw #else @@ -3604,15 +3604,15 @@ XXH_FORCE_INLINE xxh_u64 XXH_mult32to64(xxh_u64 x, xxh_u64 y) { #include #define XXH_mult32to64(x, y) __emulu((unsigned)(x), (unsigned)(y)) #else - /* - * Downcast + upcast is usually better than masking on older compilers - * like GCC 4.2 (especially 32-bit ones), all without affecting newer - * compilers. - * - * The other method, (x & 0xFFFFFFFF) * (y & 0xFFFFFFFF), will AND both - * operands and perform a full 64x64 multiply -- entirely redundant on - * 32-bit. - */ + /* + * Downcast + upcast is usually better than masking on older compilers + * like GCC 4.2 (especially 32-bit ones), all without affecting newer + * compilers. + * + * The other method, (x & 0xFFFFFFFF) * (y & 0xFFFFFFFF), will AND both + * operands and perform a full 64x64 multiply -- entirely redundant on + * 32-bit. + */ #define XXH_mult32to64(x, y) \ ((xxh_u64)(xxh_u32)(x) * (xxh_u64)(xxh_u32)(y)) #endif diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index bca1f927..9cd1dc59 100644 
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -90,7 +90,7 @@ class CmpLogInstructions : public ModulePass {
 #if LLVM_MAJOR >= 11 /* use new pass manager */
 PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
 #else
- bool runOnModule(Module &M) override;
+ bool runOnModule(Module &M) override;
 #if LLVM_VERSION_MAJOR >= 4
 StringRef getPassName() const override {
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index c3fbed8d..54e9ddf3 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -85,7 +85,7 @@ class CmpLogRoutines : public ModulePass {
 #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
 PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
 #else
- bool runOnModule(Module &M) override;
+ bool runOnModule(Module &M) override;
 #if LLVM_VERSION_MAJOR >= 4
 StringRef getPassName() const override {
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index 38de669d..01da6da7 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -85,7 +85,7 @@ class CmplogSwitches : public ModulePass {
 #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
 PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
 #else
- bool runOnModule(Module &M) override;
+ bool runOnModule(Module &M) override;
 #if LLVM_VERSION_MAJOR < 4
 const char *getPassName() const override {
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index dcd89652..e3dfea0d 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -84,7 +84,7 @@ class SplitSwitchesTransform : public ModulePass { #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else - bool runOnModule(Module &M) override; + bool runOnModule(Module &M) override; #if LLVM_VERSION_MAJOR >= 4 StringRef getPassName() const override { diff --git a/qemu_mode/libqasan/dlmalloc.c b/qemu_mode/libqasan/dlmalloc.c index b459eb7b..1919ae26 100644 --- a/qemu_mode/libqasan/dlmalloc.c +++ b/qemu_mode/libqasan/dlmalloc.c @@ -771,8 +771,8 @@ MAX_RELEASE_CHECK_RATE default: 4095 unless not HAVE_MMAP #include "/usr/include/malloc.h" #else /* HAVE_USR_INCLUDE_MALLOC_H */ #ifndef STRUCT_MALLINFO_DECLARED - /* HP-UX (and others?) redefines mallinfo unless _STRUCT_MALLINFO is - * defined */ + /* HP-UX (and others?) redefines mallinfo unless _STRUCT_MALLINFO is + * defined */ #define _STRUCT_MALLINFO #define STRUCT_MALLINFO_DECLARED 1 struct mallinfo { @@ -1660,10 +1660,10 @@ extern size_t getpagesize(); #define is_aligned(A) (((size_t)((A)) & (CHUNK_ALIGN_MASK)) == 0) /* the number of bytes to offset an address to align it */ - #define align_offset(A) \ - ((((size_t)(A)&CHUNK_ALIGN_MASK) == 0) \ - ? 0 \ - : ((MALLOC_ALIGNMENT - ((size_t)(A)&CHUNK_ALIGN_MASK)) & \ + #define align_offset(A) \ + ((((size_t)(A) & CHUNK_ALIGN_MASK) == 0) \ + ? 0 \ + : ((MALLOC_ALIGNMENT - ((size_t)(A) & CHUNK_ALIGN_MASK)) & \ CHUNK_ALIGN_MASK)) /* -------------------------- MMAP preliminaries ------------------------- */ 
@@ -1715,10 +1715,10 @@ static FORCEINLINE int unixmunmap(void *ptr, size_t size) { #define MUNMAP_DEFAULT(a, s) unixmunmap((a), (s)) #else /* MAP_ANONYMOUS */ - /* - Nearly all versions of mmap support MAP_ANONYMOUS, so the following - is unlikely to be needed, but is supplied just in case. - */ + /* + Nearly all versions of mmap support MAP_ANONYMOUS, so the following + is unlikely to be needed, but is supplied just in case. + */ #define MMAP_FLAGS (MAP_PRIVATE) static int dev_zero_fd = -1; /* Cached file descriptor for /dev/zero. */ #define MMAP_DEFAULT(s) \ @@ -1965,7 +1965,7 @@ static FORCEINLINE void x86_clear_lock(int *sl) { #endif /* ... gcc spins locks ... */ - /* How to yield for a spin lock */ + /* How to yield for a spin lock */ #define SPINS_PER_YIELD 63 #if defined(_MSC_VER) #define SLEEP_EX_DURATION 50 /* delay for yield/sleep */ @@ -2008,11 +2008,11 @@ static MLOCK_T malloc_global_mutex = 0; #define CURRENT_THREAD GetCurrentThreadId() #define EQ_OWNER(X, Y) ((X) == (Y)) #else - /* - Note: the following assume that pthread_t is a type that can be - initialized to (casted) zero. If this is not the case, you will need - to somehow redefine these or not use spin locks. - */ + /* + Note: the following assume that pthread_t is a type that can be + initialized to (casted) zero. If this is not the case, you will need + to somehow redefine these or not use spin locks. + */ #define THREAD_ID_T pthread_t #define CURRENT_THREAD pthread_self() #define EQ_OWNER(X, Y) pthread_equal(X, Y) @@ -2169,7 +2169,7 @@ static int pthread_init_lock(MLOCK_T *lk) { #endif /* ... lock types ... */ - /* Common code for all lock types */ + /* Common code for all lock types */ #define USE_LOCK_BIT (2U) #ifndef ACQUIRE_MALLOC_GLOBAL_LOCK 
@@ -3077,7 +3077,7 @@ static size_t traverse_and_check(mstate m); /* The size of the smallest chunk held in bin with index i */ #define minsize_for_tree_index(i) \ ((SIZE_T_ONE << (((i) >> 1) + TREEBIN_SHIFT)) | \ - (((size_t)((i)&SIZE_T_ONE)) << (((i) >> 1) + TREEBIN_SHIFT - 1))) + (((size_t)((i) & SIZE_T_ONE)) << (((i) >> 1) + TREEBIN_SHIFT - 1))) /* ------------------------ Operations on bin maps ----------------------- */ @@ -3245,7 +3245,7 @@ static size_t traverse_and_check(mstate m); #else /* FOOTERS */ - /* Set foot of inuse chunk to be xor of mstate and seed */ + /* Set foot of inuse chunk to be xor of mstate and seed */ #define mark_inuse_foot(M, p, s) \ (((mchunkptr)((char *)(p) + (s)))->prev_foot = \ ((size_t)(M) ^ mparams.magic)) diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c index d2db3856..4448f480 100644 --- a/qemu_mode/libqasan/malloc.c +++ b/qemu_mode/libqasan/malloc.c @@ -80,8 +80,8 @@ static unsigned char __tmp_alloc_zone[TMP_ZONE_SIZE]; #else // From dlmalloc.c -void *dlmalloc(size_t); -void dlfree(void *); +void *dlmalloc(size_t); +void dlfree(void *); #define backend_malloc dlmalloc #define backend_free dlfree diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 2003be1f..b2306996 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -577,13 +577,13 @@ u8 fuzz_one_original(afl_state_t *afl) { * SIMPLE BITFLIP (+dictionary construction) * *********************************************/ -#define FLIP_BIT(_ar, _b) \ - do { \ - \ - u8 *_arf = (u8 *)(_ar); \ - u32 _bf = (_b); \ - _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ - \ +#define FLIP_BIT(_ar, _b) \ + do { \ + \ + u8 *_arf = (u8 *)(_ar); \ + u32 _bf = (_b); \ + _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ + \ } while (0) /* Single walking bit. */ @@ -2216,7 +2216,7 @@ havoc_stage: } - retry_havoc_step : { + retry_havoc_step: { u32 r = rand_below(afl, rand_max), item; 
@@ -3703,13 +3703,13 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { * SIMPLE BITFLIP (+dictionary construction) * *********************************************/ -#define FLIP_BIT(_ar, _b) \ - do { \ - \ - u8 *_arf = (u8 *)(_ar); \ - u32 _bf = (_b); \ - _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ - \ +#define FLIP_BIT(_ar, _b) \ + do { \ + \ + u8 *_arf = (u8 *)(_ar); \ + u32 _bf = (_b); \ + _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ + \ } while (0) /* Single walking bit. */ diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 43b5c8bd..86e7f1cf 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1828,7 +1828,7 @@ static void try_to_add_to_dictN(afl_state_t *afl, u128 v, u8 size) { for (k = 0; k < size; ++k) { #else - u32 off = 16 - size; + u32 off = 16 - size; for (k = 16 - size; k < 16; ++k) { #endif diff --git a/utils/libtokencap/libtokencap.so.c b/utils/libtokencap/libtokencap.so.c index b21f3068..f4024799 100644 --- a/utils/libtokencap/libtokencap.so.c +++ b/utils/libtokencap/libtokencap.so.c @@ -55,7 +55,7 @@ #elif defined __HAIKU__ #include #elif defined __sun - /* For map addresses the old struct is enough */ +/* For map addresses the old struct is enough */ #include #include #endif @@ -168,7 +168,7 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ #if defined __FreeBSD__ - int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; + int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; #elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid}; #elif defined __NetBSD__ @@ -209,7 +209,7 @@ static void __tokencap_load_mappings(void) { #if defined __FreeBSD__ || defined __NetBSD__ #if defined __FreeBSD__ - size_t size = region->kve_structsize; + size_t size = region->kve_structsize; if (size == 0) break; #elif defined __NetBSD__ -- cgit 1.4.1 
From 86d76b52acb945c662ba6d2f8ff44cf036a12161 Mon Sep 17 00:00:00 2001 From: Bet4 <0xbet4@gmail.com> Date: Thu, 21 Dec 2023 23:48:43 +0800 Subject: Improve binary-only related docs --- docs/fuzzing_binary-only_targets.md | 8 +------- frida_mode/src/main.c | 4 ++-- frida_mode/src/ranges.c | 2 +- 3 files changed, 4 insertions(+), 10 deletions(-) (limited to 'frida_mode/src') diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 9d9d6bb6..a151bce4 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -94,8 +94,7 @@ For more information, see In FRIDA mode, you can fuzz binary-only targets as easily as with QEMU mode. FRIDA mode is most of the times slightly faster than QEMU mode. It is also -newer, lacks COMPCOV, and has the advantage that it works on MacOS (both intel -and M1). +newer, and has the advantage that it works on MacOS (both intel and M1). To build FRIDA mode: @@ -113,10 +112,6 @@ The mode is approximately 2-5x slower than compile-time instrumentation, and is less conducive to parallelization. But for binary-only fuzzing, it gives a huge speed improvement if it is possible to use. -If you want to fuzz a binary-only library, then you can fuzz it with frida-gum -via frida_mode/. You will have to write a harness to call the target function in -the library, use afl-frida.c as a template. - You can also perform remote fuzzing with frida, e.g., if you want to fuzz on iPhone or Android devices, for this you can use [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) as @@ -302,7 +297,6 @@ some are very hard to set up... * S2E: [https://github.com/S2E](https://github.com/S2E) * TinyInst: [https://github.com/googleprojectzero/TinyInst](https://github.com/googleprojectzero/TinyInst) - (Mac/Windows only) * ... please send me any missing that are good ## Closing words diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index bd7b1351..9daf067b 100644 
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -166,7 +166,7 @@ static void afl_print_env(void) {
 if (fd < 0) {
- FWARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno);
+ FWARNF("Failed to open /proc/self/environ, errno: (%d)", errno);
 return;
 }
@@ -174,7 +174,7 @@ static void afl_print_env(void) {
 ssize_t bytes_read = read(fd, buffer, PROC_MAX - 1);
 if (bytes_read < 0) {
- FFATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno);
+ FFATAL("Failed to read /proc/self/environ, errno: (%d)", errno);
 }
diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c
index e9fc3b4e..269ba59b 100644
--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@@ -653,7 +653,7 @@ void ranges_init(void) {
 /*
 * After step 4 we have the total ranges to be instrumented, we now subtract
 * that either from the original ranges of the modules or from the whole
- * memory if AFL_INST_NO_DYNAMIC_LOAD to configure the stalker.
+ * memory if AFL_FRIDA_INST_NO_DYNAMIC_LOAD to configure the stalker.
 */
 if (ranges_inst_dynamic_load) {
-- cgit 1.4.1
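Review bot: In the second afl_print_env hunk a failed `read()` is `FFATAL` while the failed `open()` a few lines above is only `FWARNF` followed by `return`, so the corrected messages now describe two different outcomes for the same diagnostic file; since this function only prints the environment, changing the read branch to `FWARNF("Failed to read /proc/self/environ, errno: (%d)", errno);` plus a `return` (closing `fd` first) would match the open path and stop a transient read error from aborting the run. The read is also a single `read(fd, buffer, PROC_MAX - 1)` with no loop, so an environment larger than the buffer would appear silently truncated in the printout; the buffer declaration and the rest of the function are outside the hunk, so this is inferred. The ranges.c hunk in this commit is a comment-only fix and needs no change.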