From 580401591f36b0f6f7ba3ee08c867e12415e5cc5 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 9 Oct 2021 17:23:32 +0100
Subject: LLVM passes making slightly more C++

---
 instrumentation/SanitizerCoverageLTO.so.cc | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

(limited to 'instrumentation/SanitizerCoverageLTO.so.cc')

diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index e06f8b93..eb0f06b2 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -250,7 +250,7 @@ class ModuleSanitizerCoverage {
 Module * Mo = NULL;
 GlobalVariable * AFLMapPtr = NULL;
 Value * MapPtrFixed = NULL;
- FILE * documentFile = NULL;
+ std::ofstream dFile;
 size_t found = 0;
 // afl++ END
@@ -446,7 +446,8 @@ bool ModuleSanitizerCoverage::instrumentModule(
 if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) {
- if ((documentFile = fopen(ptr, "a")) == NULL)
+ dFile.open(ptr, std::ofstream::out | std::ofstream::app);
+ if (dFile.is_open())
 WARNF("Cannot access document file %s", ptr);
 }
@@ -1003,12 +1004,7 @@ bool ModuleSanitizerCoverage::instrumentModule(
 instrumentFunction(F, DTCallback, PDTCallback);
 // afl++ START
- if (documentFile) {
- fclose(documentFile);
- documentFile = NULL;
- }
+ if (dFile.is_open()) dFile.close();
 if (!getenv("AFL_LLVM_LTO_DONTWRITEID") || dictionary.size() || map_addr) {
@@ -1509,12 +1505,11 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
 // afl++ START
 ++afl_global_id;
- if (documentFile) {
+ if (dFile.is_open()) {
 unsigned long long int moduleID = (((unsigned long long int)(rand() & 0xffffffff)) << 32) | getpid();
- fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n", moduleID,
- F.getName().str().c_str(), afl_global_id);
+ dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() << " edgeID=" << afl_global_id << "\n";
 }
-- cgit 1.4.1
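Review bot: The condition added in the @@ -446 hunk is inverted: `if (dFile.is_open()) WARNF("Cannot access document file %s", ptr);` warns when the open succeeded and stays silent when it failed, the opposite of the `fopen(...) == NULL` test it replaces, so a bad AFL_LLVM_DOCUMENT_IDS path is never reported and the edge-id log is silently lost. It should be `if (!dFile.is_open()) WARNF("Cannot access document file %s", ptr);`, which is also the form used by afl-llvm-dict2file.so.cc (`!of.is_open()`) and afl-llvm-lto-instrumentation.so.cc later on this page. The reformat in commit bb8a4d71 touches the same line and keeps the inverted test. instrumentModule continues outside the hunk.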
From 65afe5addc7d5bd741a5283eeba4813849e99836 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 9 Oct 2021 18:31:12 +0100 Subject: LLVM coverage making it more C++ too. --- instrumentation/SanitizerCoverageLTO.so.cc | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index eb0f06b2..960eb783 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1065,7 +1065,6 @@ bool ModuleSanitizerCoverage::instrumentModule( if (dictionary.size()) { size_t memlen = 0, count = 0, offset = 0; - char * ptr; // sort and unique the dictionary std::sort(dictionary.begin(), dictionary.end()); @@ -1085,13 +1084,7 @@ bool ModuleSanitizerCoverage::instrumentModule( if (count) { - if ((ptr = (char *)malloc(memlen + count)) == NULL) { - - fprintf(stderr, "Error: malloc for %lu bytes failed!\n", - memlen + count); - exit(-1); - - } + auto ptrhld = std::unique_ptr(new char[memlen + count]); count = 0; @@ -1099,8 +1092,8 @@ bool ModuleSanitizerCoverage::instrumentModule( if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) { - ptr[offset++] = (uint8_t)token.length(); - memcpy(ptr + offset, token.c_str(), token.length()); + ptrhld.get()[offset++] = (uint8_t)token.length(); + memcpy(ptrhld.get() + offset, token.c_str(), token.length()); offset += token.length(); count++; 
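Review bot: In the @@ -1085 hunk the explicit malloc-failure diagnostic is replaced by a bare `new char[memlen + count]`, so an allocation failure now surfaces as an uncaught std::bad_alloc (or std::terminate if the plugin is built without exceptions) instead of the previous message and exit; if that is acceptable it deserves a one-line comment. A `std::vector<char> buf(memlen + count);` would keep the RAII intent, zero-initialise the buffer and let the @@ -1099 hunk write `buf[offset++] = (uint8_t)token.length(); memcpy(buf.data() + offset, token.c_str(), token.length());` without the `ptrhld.get()[...]` indirection (`ptrhld[offset++]` also works for an array unique_ptr). The page rendering appears to have dropped the template argument of `std::unique_ptr(...)`; if it is `<char[]>` the delete[] pairing is correct, a plain `<char>` would not be. The enclosing `if (count)` block and instrumentModule continue outside these hunks.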
@@ -1120,10 +1113,10 @@ bool ModuleSanitizerCoverage::instrumentModule( GlobalVariable *AFLInternalDictionary = new GlobalVariable( M, ArrayTy, true, GlobalValue::ExternalLinkage, ConstantDataArray::get(Ctx, - *(new ArrayRef((char *)ptr, offset))), + *(new ArrayRef(ptrhld.get(), offset))), "__afl_internal_dictionary"); AFLInternalDictionary->setInitializer(ConstantDataArray::get( - Ctx, *(new ArrayRef((char *)ptr, offset)))); + Ctx, *(new ArrayRef(ptrhld.get(), offset)))); AFLInternalDictionary->setConstant(true); GlobalVariable *AFLDictionary = new GlobalVariable( -- cgit 1.4.1 From bb8a4d71da8f2b748a78ccc4416df6bffb393d80 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 20:53:54 +0200 Subject: format and remove warning --- instrumentation/SanitizerCoverageLTO.so.cc | 8 ++++---- instrumentation/afl-llvm-dict2file.so.cc | 7 ++++--- instrumentation/afl-llvm-lto-instrumentation.so.cc | 11 +++++++---- instrumentation/afl-llvm-lto-instrumentlist.so.cc | 2 +- instrumentation/split-compares-pass.so.cc | 10 +++++----- 5 files changed, 21 insertions(+), 17 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 960eb783..d90fa867 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -447,8 +447,7 @@ bool ModuleSanitizerCoverage::instrumentModule( if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) { dFile.open(ptr, std::ofstream::out | std::ofstream::app); - if (dFile.is_open()) - WARNF("Cannot access document file %s", ptr); + if (dFile.is_open()) WARNF("Cannot access document file %s", ptr); } @@ -1084,7 +1083,7 @@ bool ModuleSanitizerCoverage::instrumentModule( if (count) { - auto ptrhld = std::unique_ptr(new char[memlen + count]); + auto ptrhld = std::unique_ptr(new char[memlen + count]); count = 0; 
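Review bot: Both changed lines of the @@ -1120 hunk still build the view with `*(new ArrayRef(ptrhld.get(), offset))`, which heap-allocates an ArrayRef that is dereferenced and never deleted, twice per module. `ConstantDataArray::get` only needs a temporary, so `ConstantDataArray::get(Ctx, ArrayRef<char>(ptrhld.get(), offset))` on both lines removes the leak along with the pointer cast the commit already dropped. The same constant is computed twice (constructor argument and `setInitializer`); one `auto *Init = ConstantDataArray::get(...)` used in both places would make that duplication explicit. The `if (count)` block that owns ptrhld starts outside the hunk.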
@@ -1502,7 +1501,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, unsigned long long int moduleID = (((unsigned long long int)(rand() & 0xffffffff)) << 32) | getpid(); - dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() << " edgeID=" << afl_global_id << "\n"; + dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() + << " edgeID=" << afl_global_id << "\n"; } diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index c4ad1783..0a3e74b9 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -65,8 +65,10 @@ using namespace llvm; namespace { class AFLdict2filePass : public ModulePass { + std::ofstream of; - void dict2file(u8 *, u32); + void dict2file(u8 *, u32); + public: static char ID; @@ -147,8 +149,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { FATAL("AFL_LLVM_DICT2FILE is not set to an absolute path: %s", ptr); of.open(ptr, std::ofstream::out | std::ofstream::app); - if (!of.is_open()) - PFATAL("Could not open/create %s.", ptr); + if (!of.is_open()) PFATAL("Could not open/create %s.", ptr); /* Instrument all the things! */ diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index 4eb8424f..c2f61d34 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -138,8 +138,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) { dFile.open(ptr, std::ofstream::out | std::ofstream::app); - if (!dFile.is_open()) - WARNF("Cannot access document file %s", ptr); + if (!dFile.is_open()) WARNF("Cannot access document file %s", ptr); } 
@@ -246,8 +245,10 @@ bool AFLLTOPass::runOnModule(Module &M) { AttributeList Attrs = F.getAttributes(); #if LLVM_VERSION_MAJOR < 14 if (Attrs.hasAttribute(-1, StringRef("skipinstrument"))) { + #else if (Attrs.hasFnAttr(StringRef("skipinstrument"))) { + #endif if (debug) @@ -852,7 +853,9 @@ bool AFLLTOPass::runOnModule(Module &M) { if (dFile.is_open()) { - dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() << " edgeID=" << afl_global_id << "\n"; + dFile << "ModuleID=" << moduleID + << " Function=" << F.getName().str() + << " edgeID=" << afl_global_id << "\n"; } @@ -1019,7 +1022,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (count) { - auto ptrhld = std::unique_ptr(new char[memlen + count]); + auto ptrhld = std::unique_ptr(new char[memlen + count]); count = 0; diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index 0ec0e427..ee2e5dd3 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -117,7 +117,7 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { auto & Ctx = F.getContext(); AttributeList Attrs = F.getAttributes(); #if LLVM_VERSION_MAJOR < 14 - AttrBuilder NewAttrs; + AttrBuilder NewAttrs; NewAttrs.addAttribute("skipinstrument"); F.setAttributes( Attrs.addAttributes(Ctx, AttributeList::FunctionIndex, NewAttrs)); diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index 13f45b69..e63be98c 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc 
@@ -578,16 +578,16 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M, /* dependent on the cmp of the high parts go to the end or go on with * the comparison */ - auto term = bb->getTerminator(); - BranchInst *br = nullptr; + auto term = bb->getTerminator(); + if (pred == CmpInst::ICMP_EQ) { - br = BranchInst::Create(cmp_low_bb, end_bb, icmp_high, bb); + BranchInst::Create(cmp_low_bb, end_bb, icmp_high, bb); } else { - /* CmpInst::ICMP_NE */ - br = BranchInst::Create(end_bb, cmp_low_bb, icmp_high, bb); + // CmpInst::ICMP_NE + BranchInst::Create(end_bb, cmp_low_bb, icmp_high, bb); } -- cgit 1.4.1 From 45b8e057934b5f565013f29f4f461aaca051a56d Mon Sep 17 00:00:00 2001 From: Kuang-che Wu Date: Sat, 30 Oct 2021 22:27:49 +0800 Subject: fix off by one bug of PCGUARD instrumentation fix bug #1120 --- instrumentation/SanitizerCoverageLTO.so.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index d90fa867..7a3d8c4d 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1049,7 +1049,7 @@ bool ModuleSanitizerCoverage::instrumentModule( uint32_t write_loc = afl_global_id; - if (afl_global_id % 8) write_loc = (((afl_global_id + 8) >> 3) << 3); + write_loc = (((afl_global_id + 8) >> 3) << 3); GlobalVariable *AFLFinalLoc = new GlobalVariable(M, Int32Tyi, true, GlobalValue::ExternalLinkage, 0, -- cgit 1.4.1 From 682e1d835cac4c33f93d3709c98e5e8489f0ec7e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 2 Nov 2021 19:20:18 +0100 Subject: select support for LTO --- instrumentation/SanitizerCoverageLTO.so.cc | 140 ++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 3 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') 
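Review bot: The new `write_loc = (((afl_global_id + 8) >> 3) << 3);` in the @@ -1049 hunk is right but reads like an ordinary round-up, and the tempting simplification `(afl_global_id + 7) & ~7` would bring the bug back when afl_global_id is already a multiple of 8, because the value must be strictly greater than the last assigned edge id (presumably the off-by-one the commit message refers to). Suggest documenting it, e.g. `// next multiple of 8 strictly above afl_global_id: the id itself is still a live map index`, and folding the now-dead initialiser on the previous line into `uint32_t write_loc = ((afl_global_id + 8) >> 3) << 3;`. instrumentModule continues on both sides of the hunk.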
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 7a3d8c4d..bc4df34e 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -235,6 +235,8 @@ class ModuleSanitizerCoverage { uint32_t autodictionary = 1; uint32_t inst = 0; uint32_t afl_global_id = 0; + uint32_t unhandled = 0; + uint32_t select_cnt = 0; uint64_t map_addr = 0; const char * skip_nozero = NULL; const char * use_threadsafe_counters = nullptr; @@ -1150,9 +1152,9 @@ bool ModuleSanitizerCoverage::instrumentModule( getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); - OKF("Instrumented %u locations with no collisions (on average %llu " - "collisions would be in afl-gcc/vanilla AFL) (%s mode).", - inst, calculateCollisions(inst), modeline); + OKF("Instrumented %u locations (%u selects) without collisions (%llu " + "collisions have been avoided) (%s mode).", + inst, select_cnt, calculateCollisions(inst), modeline); } @@ -1274,6 +1276,7 @@ void ModuleSanitizerCoverage::instrumentFunction( const DominatorTree * DT = DTCallback(F); const PostDominatorTree *PDT = PDTCallback(F); bool IsLeafFunc = true; + uint32_t skip_next = 0, local_selects = 0; for (auto &BB : F) { 
@@ -1291,6 +1294,137 @@ void ModuleSanitizerCoverage::instrumentFunction( Value *val = ConstantInt::get(Int32Ty, ++afl_global_id); callInst->setOperand(1, val); + ++inst; + + } + + SelectInst *selectInst = nullptr; + + if (!skip_next && (selectInst = dyn_cast(&IN))) { + + uint32_t vector_cnt = 0; + Value * condition = selectInst->getCondition(); + Value * result; + auto t = condition->getType(); + IRBuilder<> IRB(selectInst->getNextNode()); + + ++select_cnt; + + if (t->getTypeID() == llvm::Type::IntegerTyID) { + + Value *val1 = ConstantInt::get(Int32Ty, ++afl_global_id); + Value *val2 = ConstantInt::get(Int32Ty, ++afl_global_id); + result = IRB.CreateSelect(condition, val1, val2); + inst += 2; + + } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + + FixedVectorType *tt = dyn_cast(t); + if (tt) { + + uint32_t elements = tt->getElementCount().getFixedValue(); + vector_cnt = elements; + inst += vector_cnt * 2; + if (elements) { + + FixedVectorType *GuardPtr1 = + FixedVectorType::get(Int32Ty, elements); + FixedVectorType *GuardPtr2 = + FixedVectorType::get(Int32Ty, elements); + Value *x, *y; + + Value *val1 = ConstantInt::get(Int32Ty, ++afl_global_id); + Value *val2 = ConstantInt::get(Int32Ty, ++afl_global_id); + x = IRB.CreateInsertElement(GuardPtr1, val1, (uint64_t)0); + y = IRB.CreateInsertElement(GuardPtr2, val2, (uint64_t)0); + + for (uint64_t i = 1; i < elements; i++) { + + val1 = ConstantInt::get(Int32Ty, ++afl_global_id); + val2 = ConstantInt::get(Int32Ty, ++afl_global_id); + x = IRB.CreateInsertElement(GuardPtr1, val1, i); + y = IRB.CreateInsertElement(GuardPtr2, val2, i); + + } + + /* + std::string errMsg; + raw_string_ostream os(errMsg); + x->print(os); + fprintf(stderr, "X: %s\n", os.str().c_str()); + */ + result = IRB.CreateSelect(condition, x, y); + + } + + } + + } else { + + unhandled++; + continue; + + } + + local_selects++; + uint32_t vector_cur = 0; + /* Load SHM pointer */ + LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + + while (1) { + + 
/* Get CurLoc */ + Value *MapPtrIdx = nullptr; + + /* Load counter for CurLoc */ + if (!vector_cnt) { + + MapPtrIdx = IRB.CreateGEP(MapPtr, result); + + } else { + + auto element = IRB.CreateExtractElement(result, vector_cur++); + MapPtrIdx = IRB.CreateGEP(MapPtr, element); + + } + + if (use_threadsafe_counters) { + + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, +#if LLVM_VERSION_MAJOR >= 13 + llvm::MaybeAlign(1), +#endif + llvm::AtomicOrdering::Monotonic); + + } else { + + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + + /* Update bitmap */ + + Value *Incr = IRB.CreateAdd(Counter, One); + + if (skip_nozero == NULL) { + + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); + + } + + IRB.CreateStore(Incr, MapPtrIdx); + + } + + if (!vector_cnt || vector_cnt == vector_cur) { break; } + + } + + skip_next = 1; + + } else { + + skip_next = 0; } -- cgit 1.4.1 From ce41f881a0109ada6b550d96766d52e692a0e0f4 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 2 Nov 2021 19:53:15 +0100 Subject: nosan --- instrumentation/SanitizerCoverageLTO.so.cc | 27 ++++++++++++-------------- instrumentation/SanitizerCoveragePCGUARD.so.cc | 15 ++++++++++++-- 2 files changed, 25 insertions(+), 17 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index bc4df34e..b3a6ba45 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
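Review bot: In the FixedVectorType branch of the @@ -1291 hunk the loop body `x = IRB.CreateInsertElement(GuardPtr1, val1, i);` inserts lane i into a fresh vector of type GuardPtr1 on every iteration instead of into the vector built so far, so when the loop exits only the last lane of x and y carries an id and the lanes set earlier (including lane 0 from before the loop) are discarded. Separately, `Value *result;` is never assigned when `dyn_cast` yields a null `tt` or when `elements` is 0, yet control falls through to `local_selects++` and the GEP loop that reads it. Initialise `result` to nullptr, insert into `x`/`y` inside the loop, and treat a null result as unhandled before the map-update loop; the fence shows the affected lines. instrumentFunction starts before the hunk, and the lane behaviour is inferred from the visible calls, so confirm it against an IR dump of a vector select.
```cpp
      Value *result = nullptr;
      // … unchanged: select_cnt, integer branch, GuardPtr1/GuardPtr2 setup …
          for (uint64_t i = 1; i < elements; i++) {
            val1 = ConstantInt::get(Int32Ty, ++afl_global_id);
            val2 = ConstantInt::get(Int32Ty, ++afl_global_id);
            x = IRB.CreateInsertElement(x, val1, i);
            y = IRB.CreateInsertElement(y, val2, i);
          }
      // … unchanged: result = IRB.CreateSelect(condition, x, y), else/unhandled branch …
      if (!result) {
        unhandled++;
        continue;
      }
      local_selects++;
      // … unchanged: map update loop …
```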
@@ -1042,8 +1042,7 @@ bool ModuleSanitizerCoverage::instrumentModule( M, Int64Tyi, true, GlobalValue::ExternalLinkage, 0, "__afl_map_addr"); ConstantInt *MapAddr = ConstantInt::get(Int64Tyi, map_addr); StoreInst * StoreMapAddr = IRB.CreateStore(MapAddr, AFLMapAddrFixed); - StoreMapAddr->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreMapAddr); } @@ -1058,8 +1057,7 @@ bool ModuleSanitizerCoverage::instrumentModule( "__afl_final_loc"); ConstantInt *const_loc = ConstantInt::get(Int32Tyi, write_loc); StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); - StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreFinalLoc); } @@ -1107,8 +1105,7 @@ bool ModuleSanitizerCoverage::instrumentModule( 0, "__afl_dictionary_len"); ConstantInt *const_len = ConstantInt::get(Int32Tyi, offset); StoreInst *StoreDictLen = IRB.CreateStore(const_len, AFLDictionaryLen); - StoreDictLen->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreDictLen); ArrayType *ArrayTy = ArrayType::get(IntegerType::get(Ctx, 8), offset); GlobalVariable *AFLInternalDictionary = new GlobalVariable( @@ -1128,8 +1125,7 @@ bool ModuleSanitizerCoverage::instrumentModule( Value *AFLDictPtr = IRB.CreatePointerCast(AFLDictOff, PointerType::get(Int8Tyi, 0)); StoreInst *StoreDict = IRB.CreateStore(AFLDictPtr, AFLDictionary); - StoreDict->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreDict); } @@ -1370,6 +1366,7 @@ void ModuleSanitizerCoverage::instrumentFunction( uint32_t vector_cur = 0; /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); while (1) { 
@@ -1399,6 +1396,7 @@ void ModuleSanitizerCoverage::instrumentFunction( } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1412,7 +1410,8 @@ void ModuleSanitizerCoverage::instrumentFunction( } - IRB.CreateStore(Incr, MapPtrIdx); + auto nosan = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(nosan); } @@ -1655,8 +1654,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); - MapPtr->setMetadata(Mo->getMDKindID("nosanitize"), - MDNode::get(*Ct, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); } @@ -1673,8 +1671,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setMetadata(Mo->getMDKindID("nosanitize"), - MDNode::get(*Ct, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); Value *Incr = IRB.CreateAdd(Counter, One); @@ -1686,8 +1683,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } - IRB.CreateStore(Incr, MapPtrIdx) - ->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None)); + auto nosan = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(nosan); } diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index e8239483..70af2ee2 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -912,6 +912,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, Int32PtrTy); LoadInst *Idx = IRB.CreateLoad(GuardPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Idx); callInst->setOperand(1, Idx); 
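Review bot: The helper is applied only on the plain load/store path: the `CreateAtomicRMW` in the `use_threadsafe_counters` branch just above the @@ -1399 hunk, and its counterpart above @@ -1673 in InjectCoverageAtBlock, get no nosanitize metadata in this commit, and neither does the same branch in the SanitizerCoveragePCGUARD.so.cc hunks below. If a sanitizer that instruments atomics is enabled (the AFL_USE_TSAN commit later on this page), the map increment itself would presumably be instrumented or reported as a race on the shared map. Suggest `auto *rmw = IRB.CreateAtomicRMW(...);` followed by `ModuleSanitizerCoverage::SetNoSanitizeMetadata(rmw);` in each of those branches. Both enclosing functions extend beyond the hunks.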
@@ -1026,6 +1027,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* std::string errMsg; @@ -1044,6 +1046,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (!vector_cnt) { CurLoc = IRB.CreateLoad(result); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); } else { @@ -1051,6 +1054,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, auto element = IRB.CreateExtractElement(result, vector_cur++); auto elementptr = IRB.CreateIntToPtr(element, Int32PtrTy); auto elementld = IRB.CreateLoad(elementptr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(elementld); MapPtrIdx = IRB.CreateGEP(MapPtr, elementld); } @@ -1066,6 +1070,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1079,7 +1084,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - IRB.CreateStore(Incr, MapPtrIdx); + StoreInst *StoreCtx = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreCtx); } @@ -1309,10 +1315,12 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, Int32PtrTy); LoadInst *CurLoc = IRB.CreateLoad(GuardPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* Load counter for CurLoc */ @@ -1329,6 +1337,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); + /* Update bitmap */ Value *Incr = IRB.CreateAdd(Counter, One); 
@@ -1341,7 +1351,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } - IRB.CreateStore(Incr, MapPtrIdx); + StoreInst *StoreCtx = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreCtx); } -- cgit 1.4.1 From ccded9fc5cfead1b88104484c4acde12e81e0afe Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Nov 2021 12:49:54 +0100 Subject: vectorized coverage only possible for llvm 14 :( --- instrumentation/SanitizerCoverageLTO.so.cc | 10 ++++++++-- instrumentation/SanitizerCoveragePCGUARD.so.cc | 17 +++++++++++++++-- instrumentation/cmplog-instructions-pass.cc | 1 - 3 files changed, 23 insertions(+), 5 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index b3a6ba45..fbbe24a2 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1313,7 +1313,10 @@ void ModuleSanitizerCoverage::instrumentFunction( result = IRB.CreateSelect(condition, val1, val2); inst += 2; - } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + } + +#if LLVM_VERSION_MAJOR > 13 + else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -1355,7 +1358,10 @@ void ModuleSanitizerCoverage::instrumentFunction( } - } else { + } else + +#endif + { unhandled++; continue; diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 70af2ee2..10c9430e 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc 
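Review bot: For LLVM_VERSION_MAJOR <= 13 the text left by the @@ -1313 and @@ -1355 hunks after preprocessing is `if (integer) { ... } { unhandled++; continue; }` — the `else` sits inside the `#if`, so the trailing block runs unconditionally and every select, integer ones included, is abandoned after its `CreateSelect` has already been emitted, leaving an unused select in the IR and two ids consumed. Keep `} else` outside the guard and put only the vector `if` inside it, as the PCGUARD hunk of this same commit and the follow-up commit 7a7630ae on this page do. The threshold also differs between this file (`> 13`) and the `LLVM_MAJOR > 11` used in the PCGUARD and cmplog files in that follow-up; one value, with a comment naming the API that requires it, would avoid the drift. instrumentFunction continues outside the hunks.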
@@ -895,6 +895,12 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, CallInst *callInst = nullptr; + /* + std::string errMsg; + raw_string_ostream os(errMsg); + IN.print(os); + fprintf(stderr, "X: %s\n", os.str().c_str()); + */ if ((callInst = dyn_cast(&IN))) { Function *Callee = callInst->getCalledFunction(); @@ -948,7 +954,10 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, result = IRB.CreateSelect(condition, GuardPtr1, GuardPtr2); - } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + } else + +#if LLVM_VERSION_MAJOR > 13 + if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -1015,9 +1024,13 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - } else { + } else + +#endif + { unhandled++; + continue; } diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 86e206f1..cb149e9a 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -377,7 +377,6 @@ bool CmpLogInstructions::hookInstrs(Module &M) { vector_cnt = tt->getElementCount().getFixedValue(); ty1 = ty0 = tt->getElementType(); - fprintf(stderr, "vec %u\n", vector_cnt); } -- cgit 1.4.1 From 7a7630ae91c87e000b40f63c592fad9e09ad45d3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Nov 2021 13:18:02 +0100 Subject: support llvm >= 11 --- instrumentation/SanitizerCoverageLTO.so.cc | 18 ++++++++++-------- instrumentation/SanitizerCoveragePCGUARD.so.cc | 7 ++++++- instrumentation/cmplog-instructions-pass.cc | 11 ++++++++++- 3 files changed, 26 insertions(+), 10 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index fbbe24a2..ee8c317e 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
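Review bot: The @@ -895 hunk commits a commented-out `IN.print(os); fprintf(stderr, "X: %s\n", ...)` debug block, and the LTO hunk @@ -1296 of the next commit on this page adds the same block while removing an older one. Dead diagnostic code like this drifts out of sync with the surrounding variables; either drop it or make it a live `if (debug) { ... }` branch so it compiles and stays usable. InjectCoverage continues outside the hunk.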
@@ -1296,6 +1296,12 @@ void ModuleSanitizerCoverage::instrumentFunction( SelectInst *selectInst = nullptr; + /* + std::string errMsg; + raw_string_ostream os(errMsg); + IN.print(os); + fprintf(stderr, "X(%u): %s\n", skip_next, os.str().c_str()); + */ if (!skip_next && (selectInst = dyn_cast(&IN))) { uint32_t vector_cnt = 0; @@ -1311,12 +1317,13 @@ void ModuleSanitizerCoverage::instrumentFunction( Value *val1 = ConstantInt::get(Int32Ty, ++afl_global_id); Value *val2 = ConstantInt::get(Int32Ty, ++afl_global_id); result = IRB.CreateSelect(condition, val1, val2); + skip_next = 1; inst += 2; - } + } else #if LLVM_VERSION_MAJOR > 13 - else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -1346,13 +1353,8 @@ void ModuleSanitizerCoverage::instrumentFunction( } - /* - std::string errMsg; - raw_string_ostream os(errMsg); - x->print(os); - fprintf(stderr, "X: %s\n", os.str().c_str()); - */ result = IRB.CreateSelect(condition, x, y); + skip_next = 1; } diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 10c9430e..be3f4f49 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -865,7 +865,10 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, cnt_sel++; cnt_sel_inc += 2; - } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + } + +#if LLVM__MAJOR > 11 + else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -877,6 +880,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } +#endif + } } diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index cb149e9a..01a8a637 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
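Review bot: `#if LLVM__MAJOR > 11` in the SanitizerCoveragePCGUARD.so.cc @@ -865 hunk has a doubled underscore; an undefined identifier evaluates to 0 in `#if`, so the FixedVectorType branch is compiled out on every LLVM version without any diagnostic, which contradicts the commit's intent. It should be `#if LLVM_MAJOR > 11` to match the cmplog hunks in this commit, while SanitizerCoverageLTO.so.cc in the same commit still guards the identical code with `#if LLVM_VERSION_MAJOR > 13` — the spellings and thresholds should be reconciled in one place. Building with `-Wundef` would have flagged this. InjectCoverage continues outside the hunk.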
@@ -338,8 +338,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } +#if LLVM_MAJOR > 11 vector_cnt = tt->getElementCount().getFixedValue(); ty0 = tt->getElementType(); +#endif } @@ -357,9 +359,11 @@ bool CmpLogInstructions::hookInstrs(Module &M) { max_size = 80; else if (ty0->isFP128Ty() || ty0->isPPC_FP128Ty()) max_size = 128; +#if LLVM_MAJOR > 11 else if (ty0->getTypeID() != llvm::Type::PointerTyID && !be_quiet) fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u!\n", ty0->getTypeID()); +#endif attr += 8; @@ -367,6 +371,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (ty0->isVectorTy()) { +#if LLVM_MAJOR > 11 VectorType *tt = dyn_cast(ty0); if (!tt) { @@ -377,6 +382,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { vector_cnt = tt->getElementCount().getFixedValue(); ty1 = ty0 = tt->getElementType(); +#endif } @@ -391,13 +397,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } else { +#if LLVM_MAJOR > 11 if (ty0->getTypeID() != llvm::Type::PointerTyID && !be_quiet) { - fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u!\n", + fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u\n", ty0->getTypeID()); } +#endif + } } -- cgit 1.4.1 From 6ce3d7fede6b32b522b6cc4403f7c0101cf4a4bc Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Thu, 4 Nov 2021 15:53:17 +0100 Subject: add AFL_USE_TSAN --- TODO.md | 1 + docs/Changelog.md | 2 + docs/fuzzing_expert.md | 2 + frida_mode/src/instrument/instrument.c | 4 +- frida_mode/src/instrument/instrument_arm32.c | 2 + frida_mode/src/instrument/instrument_arm64.c | 1 + frida_mode/src/instrument/instrument_x64.c | 54 ++++++++++++++------------ frida_mode/src/instrument/instrument_x86.c | 1 + frida_mode/src/main.c | 7 ++-- frida_mode/src/prefetch.c | 6 +-- frida_mode/src/seccomp/seccomp_callback.c | 32 ++++++++------- frida_mode/src/seccomp/seccomp_filter.c | 6 +-- include/envs.h | 1 + instrumentation/SanitizerCoverageLTO.so.cc | 3 +- instrumentation/SanitizerCoveragePCGUARD.so.cc | 3 +- instrumentation/afl-llvm-pass.so.cc | 3 +- qemu_mode/libcompcov/libcompcov.so.c | 25 +++++++++--- src/afl-as.c | 1 + src/afl-cc.c | 9 +++++ utils/aflpp_driver/aflpp_qemu_driver.c | 2 +- 20 files changed, 106 insertions(+), 59 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/TODO.md b/TODO.md index 1d4270b4..30676312 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ ## TODO + - AFL_USE_TSAN to docs/env_variables.md after work over - screen update during input2stage - better autodetection of shifting runtime timeout values - Update afl->pending_not_fuzzed for MOpt diff --git a/docs/Changelog.md b/docs/Changelog.md index 04b2fb2e..cfeb8cc1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,7 +26,9 @@ sending a mail to . - Prevent accidently killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: + - support llvm IR select instrumentation for default PCGUARD and LTO - fix for shared linking on MacOS + - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again) - added the very good grammar mutator "GramaTron" to the custom_mutators diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 96193f88..44ebade4 100644 
--- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -149,6 +149,8 @@ The following sanitizers have built-in support in AFL++: vulnerabilities - which is however one of the most important and dangerous C++ memory corruption classes! Enabled with `export AFL_USE_CFISAN=1` before compiling. + * TSAN = Thread SANitizer, finds thread race conditions. + Enabled with `export AFL_USE_TSAN=1` before compiling. * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really a security issue, but for developers this can be very valuable. Note that unlike the other sanitizers above this needs diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 81d85aa1..eeebe545 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -347,8 +347,8 @@ void instrument_init(void) { #else tid = syscall(SYS_gettid); #endif - instrument_hash_seed = g_get_monotonic_time() ^ - (((guint64)getpid()) << 32) ^ tid; + instrument_hash_seed = + g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ tid; } diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 4b0a648e..395d56c1 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -23,7 +23,9 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + WARNF("Optimized coverage not supported on this architecture"); + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 80d1d845..358e8e6b 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -96,6 +96,7 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + } void instrument_flush(GumStalkerOutput *output) { 
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index a7eb650a..19ec81b2 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -4,12 +4,12 @@ #include #if defined(__linux__) -#if !defined(__ANDROID__) -#include -#include -#else -#include -#endif + #if !defined(__ANDROID__) + #include + #include + #else + #include + #endif #endif #include "frida-gumjs.h" @@ -22,13 +22,13 @@ #if defined(__x86_64__) -#ifndef MAP_FIXED_NOREPLACE - #ifdef MAP_EXCL - #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED - #else - #define MAP_FIXED_NOREPLACE MAP_FIXED + #ifndef MAP_FIXED_NOREPLACE + #ifdef MAP_EXCL + #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED + #else + #define MAP_FIXED_NOREPLACE MAP_FIXED + #endif #endif -#endif gboolean instrument_is_coverage_optimize_supported(void) { @@ -53,15 +53,12 @@ typedef struct { // 0x7ffff6cfb08b: pushf // 0x7ffff6cfb08c: push rsi // 0x7ffff6cfb08d: mov rsi,0x228 - // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740 - // 0x7ffff6cfb09b: xor rsi,0x451 - // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1 - // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0 - // 0x7ffff6cfb0b0: pop rsi - // 0x7ffff6cfb0b1: popf + // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # + // 0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add + // BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9: adc BYTE PTR + // [rsi+0x10000],0x0 0x7ffff6cfb0b0: pop rsi 0x7ffff6cfb0b1: popf // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80] - uint8_t lea_rsp_rsp_sub_rz[5]; uint8_t push_fq; uint8_t push_rsi; 
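Review bot: The re-indented `#define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED` in the @@ -22 hunk is still an unparenthesised expression macro; it happens to compose correctly in the `MAP_FIXED_NOREPLACE | MAP_SHARED` use further down, but any `&`/`==` context would mis-parse it. Suggest `#define MAP_FIXED_NOREPLACE (MAP_EXCL | MAP_FIXED)`, plus a comment on the last fallback noting that plain `MAP_FIXED` silently replaces whatever is already mapped at `address` instead of failing, so on such platforms the shared map can overlay an existing mapping.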
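Review bot: The comment reflow in the @@ -53 hunk damages the disassembly listing: `xchg QWORD PTR [rip+0x3136a5],rsi #` now runs on into `0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add` and so on, so the one-instruction-per-line table that the struct fields below mirror is no longer readable. Restore the one-line-per-instruction layout and wrap the block in `// clang-format off` / `// clang-format on` so the formatter leaves it alone next time.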
@@ -160,16 +157,25 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path, __afl_area_ptr = NULL; -#if !defined(__ANDROID__) + #if !defined(__ANDROID__) shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION); if (shm_fd == -1) { FATAL("shm_open() failed\n"); } -#else + #else shm_fd = open("/dev/ashmem", O_RDWR); if (shm_fd == -1) { FATAL("open() failed\n"); } - if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); } - if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); } + if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { -#endif + FATAL("ioctl(ASHMEM_SET_NAME) failed"); + + } + + if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { + + FATAL("ioctl(ASHMEM_SET_SIZE) failed"); + + } + + #endif __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 1ff5c920..f90c01c2 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -84,6 +84,7 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c8183d8f..3599143b 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -126,15 +126,16 @@ static void afl_print_cmdline(void) { g_free(fname); g_free(buffer); #elif defined(__APPLE__) - int idx; + int idx; char **argv = *_NSGetArgv(); - int nargv = *_NSGetArgc(); + int nargv = *_NSGetArgc(); - for (idx = 0; idx < nargv; idx ++) { + for (idx = 0; idx < nargv; idx++) { OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); } + #endif } diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index c30ca65c..1ddbd5ed 100644 
--- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -44,8 +44,8 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self, sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size; if (sizeof(gsize) + size > remaining) { return; } - gsize *dst_backpatch_size = (gsize *) - &prefetch_data->backpatch_data[prefetch_data->backpatch_size]; + gsize *dst_backpatch_size = + (gsize *)&prefetch_data->backpatch_data[prefetch_data->backpatch_size]; *dst_backpatch_size = size; prefetch_data->backpatch_size += sizeof(gsize); @@ -117,7 +117,7 @@ static void prefetch_read_patches(void) { remaining = prefetch_data->backpatch_size - offset) { gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset]; - gsize size = *src_backpatch_data; + gsize size = *src_backpatch_data; offset += sizeof(gsize); if (prefetch_data->backpatch_size - offset < size) { diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index 4232d842..ac0fb8bb 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,8 +1,8 @@ #if defined(__linux__) && !defined(__ANDROID__) -#if !defined(__MUSL__) - #include -#endif + #if !defined(__MUSL__) + #include + #endif #include #include "seccomp.h" @@ -16,12 +16,13 @@ static void seccomp_callback_filter(struct seccomp_notif * req, GumDebugSymbolDetails details = {0}; if (req->data.nr == SYS_OPENAT) { -#if UINTPTR_MAX == 0xffffffffffffffffu + #if UINTPTR_MAX == 0xffffffffffffffffu seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]); -#endif -#if UINTPTR_MAX == 0xffffffff + #endif + #if UINTPTR_MAX == 0xffffffff seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]); -#endif + #endif + } seccomp_print( 
@@ -31,7 +32,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, req->data.args[0], req->data.args[1], req->data.args[2], req->data.args[3], req->data.args[4], req->data.args[5]); -#if !defined(__MUSL__) + #if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); if (syms == NULL) { FATAL("Failed to get symbols"); } @@ -52,23 +53,24 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); -#else + #else void **syms = (void **)__builtin_frame_address(0); - void *framep = __builtin_frame_address(1); - int i = 0; + void * framep = __builtin_frame_address(1); + int i = 0; syms = framep; while (syms) { - - framep = *syms; + + framep = *syms; syms = framep; if (!syms) break; - seccomp_print("\%3d. %s\n", i ++, (char *)framep); + seccomp_print("\%3d. %s\n", i++, (char *)framep); } -#endif + + #endif resp->error = 0; resp->val = 0; diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 7ee5ead1..0dcc4cbb 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -2,9 +2,9 @@ #include #include -#if !defined(__MUSL__) - #include -#endif + #if !defined(__MUSL__) + #include + #endif #include #include #include diff --git a/include/envs.h b/include/envs.h index 61267a0d..25d05539 100644 --- a/include/envs.h +++ b/include/envs.h @@ -203,6 +203,7 @@ static char *afl_environment_variables[] = { "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", + "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_USE_LSAN", "AFL_WINE_PATH", diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index ee8c317e..4e25221a 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
@@ -1142,10 +1142,11 @@ bool ModuleSanitizerCoverage::instrumentModule( else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations (%u selects) without collisions (%llu " diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index be3f4f49..76bb2448 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -547,10 +547,11 @@ bool ModuleSanitizerCoverage::instrumentModule( else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations with no collisions (%s mode) of which are " diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index ecf28f31..9b7e625e 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc 
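Review bot: The new `", TSAN"` field is placed after MSAN in this modeline, in SanitizerCoveragePCGUARD.so.cc @@ -547 and in src/afl-as.c @@ -521, but after CFISAN in afl-llvm-pass.so.cc @@ -956, so the reported sanitizer list comes out in a different order depending on which instrumentation mode was used. Pick one position and apply it in all four places. `char modeline[100]` still has room for the sixth `%s`: the longest possible output with every sanitizer enabled is well under 100 bytes. The enclosing else-branch continues outside the hunk.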
@@ -956,11 +956,12 @@ bool AFLCoverage::runOnModule(Module &M) { else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %d locations (%s mode, ratio %u%%).", inst_blocks, modeline, inst_ratio); diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index 24867cda..eba3d80a 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -42,10 +42,10 @@ #endif /* !__linux__ */ #ifndef likely -# define likely(x) __builtin_expect((!!(x)),1) + #define likely(x) __builtin_expect((!!(x)), 1) #endif #ifndef unlikely -# define unlikely(x) __builtin_expect((!!(x)),0) + #define unlikely(x) __builtin_expect((!!(x)), 0) #endif /* Change this value to tune the compare coverage */ @@ -235,7 +235,12 @@ int strcmp(const char *str1, const char *str2) { int strncmp(const char *str1, const char *str2, size_t len) { - if (unlikely(!__libc_strncmp)) { __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); } + if (unlikely(!__libc_strncmp)) { + + __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && @@ -265,7 +270,12 @@ int strncmp(const char *str1, const char *str2, size_t len) { int strcasecmp(const char *str1, const char *str2) { - if (unlikely(!__libc_strcasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); } + if (unlikely(!__libc_strcasecmp)) { + + __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && 
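Review bot: In the strcasecmp hunk (@@ -265) the guard tests `__libc_strcasecmp` but the body assigns `__libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp");`, so `__libc_strcasecmp` is never populated and `__libc_strncasecmp` is overwritten with the wrong libc symbol; the commit reformats the statement without fixing it. The line should read `__libc_strcasecmp = dlsym(RTLD_NEXT, "strcasecmp");`. The same lazy-resolution pattern in the strncmp (@@ -235) and strncasecmp (@@ -296) hunks never checks the `dlsym()` result, so a failed lookup leaves the pointer NULL for the forwarding call that presumably follows outside the hunk; failing loudly on NULL would be safer than a later null dereference. The bodies of all three wrappers continue outside their hunks.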
@@ -296,7 +306,12 @@ int strcasecmp(const char *str1, const char *str2) { int strncasecmp(const char *str1, const char *str2, size_t len) { - if (unlikely(!__libc_strncasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); } + if (unlikely(!__libc_strncasecmp)) { + + __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && diff --git a/src/afl-as.c b/src/afl-as.c index 7119d630..774340ac 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -521,6 +521,7 @@ static void add_instrumentation(void) { getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : "", getenv("AFL_USE_LSAN") ? ", LSAN" : ""); diff --git a/src/afl-cc.c b/src/afl-cc.c index e7f08aac..3837459b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -857,6 +857,14 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=undefined"; cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; + + } + + if (getenv("AFL_USE_TSAN")) { + + cc_params[cc_par_cnt++] = "-fsanitize=thread"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; } @@ -1814,6 +1822,7 @@ int main(int argc, char **argv, char **envp) { " AFL_USE_CFISAN: activate control flow sanitizer\n" " AFL_USE_MSAN: activate memory sanitizer\n" " AFL_USE_UBSAN: activate undefined behaviour sanitizer\n" + " AFL_USE_TSAN: activate thread sanitizer\n" " AFL_USE_LSAN: activate leak-checker sanitizer\n"); if (have_gcc_plugin) diff --git a/utils/aflpp_driver/aflpp_qemu_driver.c b/utils/aflpp_driver/aflpp_qemu_driver.c index 99a4c9a8..e47df1e6 100644 --- a/utils/aflpp_driver/aflpp_qemu_driver.c +++ b/utils/aflpp_driver/aflpp_qemu_driver.c 
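Review bot: The new `AFL_USE_TSAN` block in the afl-cc.c hunk (@@ -857) appends `-fsanitize=thread` without any mutual-exclusion check against `AFL_USE_ASAN` and `AFL_USE_MSAN`, although clang and gcc reject combining thread sanitizer with address or memory sanitizer; if `edit_params` already rejects ASAN together with MSAN (that code is outside the hunk), TSAN belongs in the same check so the user gets AFL's own error instead of a compiler diagnostic late in the build. The hunk also adds `-fno-omit-frame-pointer` to the UBSAN block, which is unrelated to TSAN and deserves its own line in the description. The function continues outside the hunk.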
@@ -22,7 +22,7 @@ int main(int argc, char **argv) { if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) { + if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) { afl_qemu_driver_stdin_input(); -- cgit 1.4.1 From 11f89ab785f0b74c0862c46406f81007ac5cf3ba Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 23 Nov 2021 19:34:21 +0100 Subject: do not add zero byte on string compares with len --- instrumentation/SanitizerCoverageLTO.so.cc | 11 +++++++---- instrumentation/afl-llvm-dict2file.so.cc | 19 ++++++++++++++----- instrumentation/compare-transform-pass.so.cc | 1 + instrumentation/split-switches-pass.so.cc | 4 ++-- 4 files changed, 24 insertions(+), 11 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 4e25221a..dbe4672c 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -922,13 +922,16 @@ bool ModuleSanitizerCoverage::instrumentModule( // was not already added if (!isMemcmp) { - if (addedNull == false && thestring[optLen - 1] != '\0') { + /* + if (addedNull == false && thestring[optLen - 1] != + '\0') { - thestring.append("\0", 1); // add null byte - optLen++; + thestring.append("\0", 1); // add null byte + optLen++; - } + } + */ if (!isStdString) { // ensure we do not have garbage diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index 7c04c0c5..d4f36b2c 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc 
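Review bot: `AFL_FRIDA_DRIVER_NO_HOOK` is read here via `getenv`, but the include/envs.h hunk in this commit adds only `"AFL_USE_TSAN"` to `afl_environment_variables[]`; if the new name is not already in that list (not visible here), the environment-variable sanity check will report it as unknown. Add `"AFL_FRIDA_DRIVER_NO_HOOK",` to the list in the same commit. Since the file is still named aflpp_qemu_driver.c, a comment such as `// this driver is also built for FRIDA mode, hence the second variable` above the check would explain the second name. `main` continues outside the hunk.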
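Review bot: The null-byte append in the SanitizerCoverageLTO.so.cc hunk (@@ -922) is disabled by wrapping it in `/* ... */` rather than deleting it, and afl-llvm-dict2file.so.cc @@ -603 does the same; code left in a comment block tends to outlive its reason. Delete it and record the reason from the commit subject instead, e.g. `// length-bounded compares (strncmp/memcmp) must not get a trailing NUL appended`. With the append gone, `addedNull` (set outside the hunk) has no remaining reader in this branch; commit 90d7931 further down the page removes it. The enclosing loop body continues outside the hunk.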
@@ -603,18 +603,27 @@ bool AFLdict2filePass::runOnModule(Module &M) { // was not already added if (!isMemcmp) { - if (addedNull == false && thestring[optLen - 1] != '\0') { + /* + if (addedNull == false && thestring[optLen - 1] != '\0') + { - thestring.append("\0", 1); // add null byte - optLen++; + thestring.append("\0", 1); // add null byte + optLen++; - } + } + + */ if (!isStdString) { // ensure we do not have garbage size_t offset = thestring.find('\0', 0); - if (offset + 1 < optLen) optLen = offset + 1; + if (offset && offset < opLen && offset + 1 < optLen) { + + optLen = offset + 1; + + } + thestring = thestring.substr(0, optLen); } diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index b05da71c..5db9c409 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc @@ -442,6 +442,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, bool isSizedcmp = false; bool isCaseInsensitive = false; Function * Callee = callInst->getCalledFunction(); + if (Callee) { isMemcmp = Callee->getName().compare("memcmp") == 0; diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc index 7bff2789..e0a96ac9 100644 --- a/instrumentation/split-switches-pass.so.cc +++ b/instrumentation/split-switches-pass.so.cc @@ -507,9 +507,9 @@ bool SplitSwitchesTransform::runOnModule(Module &M) { #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ /* if (modified) { - + PA.abandon(); - + }*/ return PA; -- cgit 1.4.1 From 90d7931af6398cf632b5bf2371e3cb6c35286e70 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 23 Nov 2021 19:37:27 +0100 Subject: fixes --- instrumentation/SanitizerCoverageLTO.so.cc | 4 +--- instrumentation/afl-llvm-dict2file.so.cc | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') 
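Review bot: `offset < opLen` in the new guard references `opLen`, which is not a declared name in this function (the variable is `optLen`), so the hunk does not compile as committed; commit 90d7931 further down the page corrects it. The leading `offset &&` term also means a literal whose first byte is NUL is never trimmed, so all `optLen` bytes after that NUL reach the dictionary; if that is intended, a comment such as `// offset 0 would yield an empty token; keep the literal as-is` would make it explicit. The enclosing loop continues outside the hunk.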
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index dbe4672c..7710e262 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -621,7 +621,6 @@ bool ModuleSanitizerCoverage::instrumentModule( bool isStrncasecmp = true; bool isIntMemcpy = true; bool isStdString = true; - bool addedNull = false; size_t optLen = 0; Function *Callee = callInst->getCalledFunction(); @@ -801,7 +800,6 @@ bool ModuleSanitizerCoverage::instrumentModule( if (literalLength + 1 == optLength) { Str2.append("\0", 1); // add null byte - // addedNull = true; } @@ -909,8 +907,8 @@ bool ModuleSanitizerCoverage::instrumentModule( if (optLen < 2) { continue; } if (literalLength + 1 == optLen) { // add null byte + thestring.append("\0", 1); - addedNull = true; } diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index d4f36b2c..2ffa8fbb 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -291,7 +291,6 @@ bool AFLdict2filePass::runOnModule(Module &M) { bool isIntMemcpy = true; bool isStdString = true; bool isStrstr = true; - bool addedNull = false; size_t optLen = 0; Function *Callee = callInst->getCalledFunction(); @@ -591,7 +590,6 @@ bool AFLdict2filePass::runOnModule(Module &M) { if (optLen < 2) { continue; } if (literalLength + 1 == optLen) { // add null byte thestring.append("\0", 1); - addedNull = true; } @@ -618,7 +616,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { // ensure we do not have garbage size_t offset = thestring.find('\0', 0); - if (offset && offset < opLen && offset + 1 < optLen) { + if (offset && offset < optLen && offset + 1 < optLen) { optLen = offset + 1; -- cgit 1.4.1 From 8c4435e7ef6cad7a0d475603469e98c09d32f504 Mon Sep 17 00:00:00 2001 
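Review bot: In the corrected guard of the afl-llvm-dict2file.so.cc hunk (@@ -618), `offset < optLen` is the term that rejects `std::string::npos`: its `+ 1` wraps to 0, so `offset + 1 < optLen` alone would accept a literal with no NUL and set `optLen` to 0. That is easy to misread as a redundant comparison, so it warrants a comment, e.g. `// offset == npos wraps in offset + 1; the middle test rejects it`. Testing `offset != std::string::npos` explicitly, as the LTO pass does in commit 8c4435e, would say the same thing in code. The enclosing loop continues outside the hunk.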
From: vanhauser-thc Date: Tue, 23 Nov 2021 21:07:50 +0100 Subject: fix for llvm < 11 --- instrumentation/SanitizerCoverageLTO.so.cc | 3 ++- instrumentation/compare-transform-pass.so.cc | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 7710e262..37726607 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -930,7 +930,8 @@ bool ModuleSanitizerCoverage::instrumentModule( } */ - if (!isStdString) { + if (!isStdString && + thestring.find('\0', 0) != std::string::npos) { // ensure we do not have garbage size_t offset = thestring.find('\0', 0); diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index 5db9c409..2eb3d77b 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc @@ -519,7 +519,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, // in the unusual case the const str has embedded null // characters, the string comparison functions should terminate // at the first null - if (!isMemcmp) { + if (!isMemcmp && TmpConstStr.find('\0') != std::string::npos) { TmpConstStr.assign(TmpConstStr, 0, TmpConstStr.find('\0') + 1); -- cgit 1.4.1 From 22827e807035a50394bac6a37406b19109fc655f Mon Sep 17 00:00:00 2001 
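Review bot: `thestring.find('\0', 0)` is evaluated in the new condition of the SanitizerCoverageLTO.so.cc hunk (@@ -930) and then again on the next visible line to set `offset`; the compare-transform-pass.so.cc hunk (@@ -519) likewise calls `TmpConstStr.find('\0')` twice. Compute it once: `const size_t nul = thestring.find('\0', 0);` followed by `if (!isStdString && nul != std::string::npos) {`, and use `nul` as the offset, which also makes the npos handling explicit instead of relying on the guard further down. The subject "fix for llvm < 11" does not describe this change, which concerns embedded-NUL handling on every LLVM version. Both enclosing loops continue outside their hunks.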
From: vanhauser-thc Date: Wed, 1 Dec 2021 11:38:55 +0100 Subject: unify LLVM_VERSION_... usage --- instrumentation/SanitizerCoverageLTO.so.cc | 10 +-- instrumentation/SanitizerCoveragePCGUARD.so.cc | 24 ++--- instrumentation/afl-llvm-common.cc | 2 +- instrumentation/afl-llvm-lto-instrumentlist.so.cc | 8 +- instrumentation/afl-llvm-pass.so.cc | 30 ++----- instrumentation/cmplog-instructions-pass.cc | 82 ++++++++--------- instrumentation/cmplog-routines-pass.cc | 104 +++++++++++----------- instrumentation/cmplog-switches-pass.cc | 50 +++++------ instrumentation/compare-transform-pass.so.cc | 32 +++---- instrumentation/split-compares-pass.so.cc | 6 +- instrumentation/split-switches-pass.so.cc | 8 +- src/afl-cc.c | 24 ++--- 12 files changed, 183 insertions(+), 197 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 37726607..bff85a0a 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1325,7 +1325,7 @@ void ModuleSanitizerCoverage::instrumentFunction( } else -#if LLVM_VERSION_MAJOR > 13 +#if LLVM_VERSION_MAJOR >= 14 if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); @@ -1468,7 +1468,7 @@ GlobalVariable *ModuleSanitizerCoverage::CreateFunctionLocalArrayInSection( *CurModule, ArrayTy, false, GlobalVariable::PrivateLinkage, Constant::getNullValue(ArrayTy), "__sancov_gen_"); -#if LLVM_VERSION_MAJOR > 12 +#if LLVM_VERSION_MAJOR >= 13 if (TargetTriple.supportsCOMDAT() && (TargetTriple.isOSBinFormatELF() || !F.isInterposable())) if (auto Comdat = getOrCreateFunctionComdat(F, TargetTriple)) 
@@ -1628,10 +1628,10 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, if (Options.TracePC) { IRB.CreateCall(SanCovTracePC) -#if LLVM_VERSION_MAJOR < 12 - ->cannotMerge(); // gets the PC using GET_CALLER_PC. -#else +#if LLVM_VERSION_MAJOR >= 12 ->setCannotMerge(); // gets the PC using GET_CALLER_PC. +#else + ->cannotMerge(); // gets the PC using GET_CALLER_PC. #endif } diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 76bb2448..3574b0e4 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -36,7 +36,8 @@ #include "llvm/Support/CommandLine.h" #include "llvm/Support/Debug.h" #include "llvm/Support/SpecialCaseList.h" -#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) +#if LLVM_VERSION_MAJOR >= 11 || \ + (LLVM_VERSION_MAJOR == 10 && LLVM_VERSION_MINOR >= 1) #include "llvm/Support/VirtualFileSystem.h" #endif #include "llvm/Support/raw_ostream.h" @@ -127,7 +128,7 @@ class ModuleSanitizerCoverage { public: ModuleSanitizerCoverage( const SanitizerCoverageOptions &Options = SanitizerCoverageOptions() -#if LLVM_MAJOR > 10 +#if (LLVM_VERSION_MAJOR >= 11) , const SpecialCaseList *Allowlist = nullptr, const SpecialCaseList *Blocklist = nullptr @@ -215,7 +216,7 @@ class ModuleSanitizerCoverageLegacyPass : public ModulePass { public: ModuleSanitizerCoverageLegacyPass( const SanitizerCoverageOptions &Options = SanitizerCoverageOptions() -#if LLVM_VERSION_MAJOR > 10 +#if LLVM_VERSION_MAJOR >= 11 , const std::vector &AllowlistFiles = std::vector(), @@ -233,7 +234,7 @@ class ModuleSanitizerCoverageLegacyPass : public ModulePass { bool runOnModule(Module &M) override { ModuleSanitizerCoverage ModuleSancov(Options -#if LLVM_MAJOR > 10 +#if (LLVM_VERSION_MAJOR >= 11) , Allowlist.get(), Blocklist.get() #endif 
@@ -283,7 +284,7 @@ PreservedAnalyses ModuleSanitizerCoveragePass::run(Module & M, ModuleAnalysisManager &MAM) { ModuleSanitizerCoverage ModuleSancov(Options -#if LLVM_MAJOR > 10 +#if (LLVM_VERSION_MAJOR >= 11) , Allowlist.get(), Blocklist.get() #endif @@ -749,7 +750,7 @@ GlobalVariable *ModuleSanitizerCoverage::CreateFunctionLocalArrayInSection( *CurModule, ArrayTy, false, GlobalVariable::PrivateLinkage, Constant::getNullValue(ArrayTy), "__sancov_gen_"); -#if LLVM_VERSION_MAJOR > 12 +#if LLVM_VERSION_MAJOR >= 13 if (TargetTriple.supportsCOMDAT() && (TargetTriple.isOSBinFormatELF() || !F.isInterposable())) if (auto Comdat = getOrCreateFunctionComdat(F, TargetTriple)) @@ -762,7 +763,8 @@ GlobalVariable *ModuleSanitizerCoverage::CreateFunctionLocalArrayInSection( #endif Array->setSection(getSectionName(Section)); -#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) +#if (LLVM_VERSION_MAJOR >= 11) || \ + (LLVM_VERSION_MAJOR == 10 && LLVM_VERSION_MINOR >= 1) Array->setAlignment(Align(DL->getTypeStoreSize(Ty).getFixedSize())); #else Array->setAlignment(Align(4)); // cheating @@ -868,7 +870,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } -#if LLVM__MAJOR > 11 +#if (LLVM_VERSION_MAJOR >= 12) else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); @@ -962,7 +964,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } else -#if LLVM_VERSION_MAJOR > 13 +#if LLVM_VERSION_MAJOR >= 14 if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); @@ -1484,7 +1486,7 @@ INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov", ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass( const SanitizerCoverageOptions &Options -#if LLVM_MAJOR > 10 +#if (LLVM_VERSION_MAJOR >= 11) , const std::vector &AllowlistFiles, const std::vector &BlocklistFiles 
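Review bot: Replacing `#if LLVM__MAJOR > 11` with `#if (LLVM_VERSION_MAJOR >= 12)` in the @@ -868 hunk is not a pure renaming: the old name with its double underscore was never defined, so the `else if (t->getTypeID() == llvm::Type::FixedVectorTyID)` branch in `InjectCoverage` was dead code on every LLVM version, and this commit compiles and enables it for the first time on LLVM 12 and later. That branch should be built and exercised on a LLVM 12+ toolchain before merging, and the behaviour change named in the description rather than folded into "unify usage". A comment such as `// previously guarded by a misspelled macro and therefore never compiled` would spare the next reader the archaeology. The function continues outside the hunk.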
@@ -1492,7 +1494,7 @@ ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass( ) { return new ModuleSanitizerCoverageLegacyPass(Options -#if LLVM_MAJOR > 10 +#if (LLVM_VERSION_MAJOR >= 11) , AllowlistFiles, BlocklistFiles #endif diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc index 3239ea91..e5e367a7 100644 --- a/instrumentation/afl-llvm-common.cc +++ b/instrumentation/afl-llvm-common.cc @@ -281,7 +281,7 @@ void scanForDangerousFunctions(llvm::Module *M) { if (!M) return; -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 9) for (GlobalIFunc &IF : M->ifuncs()) { diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index cf26f912..906af879 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -116,14 +116,14 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { auto & Ctx = F.getContext(); AttributeList Attrs = F.getAttributes(); -#if LLVM_VERSION_MAJOR < 14 +#if LLVM_VERSION_MAJOR >= 14 + AttributeList NewAttrs = Attrs.addFnAttribute(Ctx, "skipinstrument"); + F.setAttributes(NewAttrs); +#else AttrBuilder NewAttrs; NewAttrs.addAttribute("skipinstrument"); F.setAttributes( Attrs.addAttributes(Ctx, AttributeList::FunctionIndex, NewAttrs)); -#else - AttributeList NewAttrs = Attrs.addFnAttribute(Ctx, "skipinstrument"); - F.setAttributes(NewAttrs); #endif } diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 21ce0cf9..8e22fde8 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc 
@@ -52,7 +52,7 @@ typedef long double max_align_t; #include "llvm/Support/MathExtras.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/DebugInfo.h" #include "llvm/IR/CFG.h" @@ -114,7 +114,7 @@ uint64_t PowerOf2Ceil(unsigned in) { #endif /* #if LLVM_VERSION_STRING >= "4.0.1" */ -#if LLVM_VERSION_MAJOR > 4 || \ +#if LLVM_VERSION_MAJOR >= 5 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif @@ -662,22 +662,7 @@ bool AFLCoverage::runOnModule(Module &M) { /* Update bitmap */ if (use_threadsafe_counters) { /* Atomic */ - /* - #if LLVM_VERSION_MAJOR < 9 - if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug - in llvm - // is then fixed - #else - if (!skip_nozero) { - - #endif - // register MapPtrIdx in a todo list - todo.push_back(MapPtrIdx); - - } else { - - */ + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 llvm::MaybeAlign(1), @@ -696,13 +681,12 @@ bool AFLCoverage::runOnModule(Module &M) { Value *Incr = IRB.CreateAdd(Counter, One); -#if LLVM_VERSION_MAJOR < 9 - if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug in llvm - // is then fixed -#else +#if LLVM_VERSION_MAJOR >= 9 if (!skip_nozero) { +#else + if (neverZero_counters_str != NULL) { + #endif /* hexcoder: Realize a counter that skips zero during overflow. * Once this counter reaches its maximum value, it next increments to diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index a7b7aac8..07f80b2c 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
@@ -37,7 +37,7 @@ #include "llvm/Pass.h" #include "llvm/Analysis/ValueTracking.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" @@ -66,11 +66,11 @@ class CmpLogInstructions : public ModulePass { bool runOnModule(Module &M) override; -#if LLVM_VERSION_MAJOR < 4 - const char *getPassName() const override { +#if LLVM_VERSION_MAJOR >= 4 + StringRef getPassName() const override { #else - StringRef getPassName() const override { + const char *getPassName() const override { #endif return "cmplog instructions"; @@ -113,10 +113,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IntegerType *Int64Ty = IntegerType::getInt64Ty(C); IntegerType *Int128Ty = IntegerType::getInt128Ty(C); -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty, Int8Ty @@ -125,16 +125,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns1 = cast(c1); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns1 = c1; +#else + Function *cmplogHookIns1 = cast(c1); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty, Int8Ty @@ -143,16 +143,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns2 = cast(c2); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns2 = c2; +#else + Function *cmplogHookIns2 = cast(c2); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty, Int8Ty 
@@ -161,16 +161,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns4 = cast(c4); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns4 = c4; +#else + Function *cmplogHookIns4 = cast(c4); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty, Int8Ty @@ -179,16 +179,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns8 = cast(c8); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns8 = c8; +#else + Function *cmplogHookIns8 = cast(c8); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c16 = M.getOrInsertFunction("__cmplog_ins_hook16", VoidTy, Int128Ty, Int128Ty, Int8Ty @@ -203,10 +203,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { FunctionCallee cmplogHookIns16 = c16; #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif cN = M.getOrInsertFunction("__cmplog_ins_hookN", VoidTy, Int128Ty, Int128Ty, Int8Ty, Int8Ty @@ -215,10 +215,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookInsN = cast(cN); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookInsN = cN; +#else + Function *cmplogHookInsN = cast(cN); #endif GlobalVariable *AFLCmplogPtr = M.getNamedGlobal("__afl_cmp_map"); @@ -338,7 +338,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } -#if LLVM_MAJOR > 11 +#if (LLVM_VERSION_MAJOR >= 12) vector_cnt = tt->getElementCount().getKnownMinValue(); ty0 = tt->getElementType(); #endif 
@@ -359,7 +359,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { max_size = 80; else if (ty0->isFP128Ty() || ty0->isPPC_FP128Ty()) max_size = 128; -#if LLVM_MAJOR > 11 +#if (LLVM_VERSION_MAJOR >= 12) else if (ty0->getTypeID() != llvm::Type::PointerTyID && !be_quiet) fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u!\n", ty0->getTypeID()); @@ -371,7 +371,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (ty0->isVectorTy()) { -#if LLVM_MAJOR > 11 +#if (LLVM_VERSION_MAJOR >= 12) VectorType *tt = dyn_cast(ty0); if (!tt) { @@ -397,7 +397,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } else { -#if LLVM_MAJOR > 11 +#if (LLVM_VERSION_MAJOR >= 12) if (ty0->getTypeID() != llvm::Type::PointerTyID && !be_quiet) { fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u\n", diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index fb514edc..0565875e 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -36,7 +36,7 @@ #include "llvm/Pass.h" #include "llvm/Analysis/ValueTracking.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" @@ -65,11 +65,11 @@ class CmpLogRoutines : public ModulePass { bool runOnModule(Module &M) override; -#if LLVM_VERSION_MAJOR < 4 - const char *getPassName() const override { +#if LLVM_VERSION_MAJOR >= 4 + StringRef getPassName() const override { #else - StringRef getPassName() const override { + const char *getPassName() const override { #endif return "cmplog routines"; 
@@ -97,10 +97,10 @@ bool CmpLogRoutines::hookRtns(Module &M) { IntegerType *Int64Ty = IntegerType::getInt64Ty(C); PointerType *i8PtrTy = PointerType::get(Int8Ty, 0); -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c = M.getOrInsertFunction("__cmplog_rtn_hook", VoidTy, i8PtrTy, i8PtrTy #if LLVM_VERSION_MAJOR < 5 @@ -108,16 +108,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookFn = cast(c); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookFn = c; +#else + Function *cmplogHookFn = cast(c); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c1 = M.getOrInsertFunction("__cmplog_rtn_llvm_stdstring_stdstring", VoidTy, i8PtrTy, i8PtrTy @@ -126,16 +126,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogLlvmStdStd = cast(c1); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogLlvmStdStd = c1; +#else + Function *cmplogLlvmStdStd = cast(c1); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c2 = M.getOrInsertFunction("__cmplog_rtn_llvm_stdstring_cstring", VoidTy, i8PtrTy, i8PtrTy @@ -144,16 +144,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogLlvmStdC = cast(c2); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogLlvmStdC = c2; +#else + Function *cmplogLlvmStdC = cast(c2); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c3 = M.getOrInsertFunction("__cmplog_rtn_gcc_stdstring_stdstring", VoidTy, i8PtrTy, i8PtrTy 
@@ -162,16 +162,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogGccStdStd = cast(c3); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogGccStdStd = c3; +#else + Function *cmplogGccStdStd = cast(c3); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c4 = M.getOrInsertFunction("__cmplog_rtn_gcc_stdstring_cstring", VoidTy, i8PtrTy, i8PtrTy @@ -180,16 +180,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogGccStdC = cast(c4); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogGccStdC = c4; +#else + Function *cmplogGccStdC = cast(c4); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c5 = M.getOrInsertFunction("__cmplog_rtn_hook_n", VoidTy, i8PtrTy, i8PtrTy, Int64Ty @@ -198,16 +198,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookFnN = cast(c5); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookFnN = c5; +#else + Function *cmplogHookFnN = cast(c5); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c6 = M.getOrInsertFunction("__cmplog_rtn_hook_strn", VoidTy, i8PtrTy, i8PtrTy, Int64Ty @@ -216,16 +216,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookFnStrN = cast(c6); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookFnStrN = c6; +#else + Function *cmplogHookFnStrN = cast(c6); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c7 = M.getOrInsertFunction("__cmplog_rtn_hook_str", VoidTy, i8PtrTy, i8PtrTy 
@@ -234,10 +234,10 @@ bool CmpLogRoutines::hookRtns(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookFnStr = cast(c7); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookFnStr = c7; +#else + Function *cmplogHookFnStr = cast(c7); #endif GlobalVariable *AFLCmplogPtr = M.getNamedGlobal("__afl_cmp_map"); diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc index aa719013..bcd5f8bd 100644 --- a/instrumentation/cmplog-switches-pass.cc +++ b/instrumentation/cmplog-switches-pass.cc @@ -37,7 +37,7 @@ #include "llvm/Pass.h" #include "llvm/Analysis/ValueTracking.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" @@ -112,10 +112,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IntegerType *Int32Ty = IntegerType::getInt32Ty(C); IntegerType *Int64Ty = IntegerType::getInt64Ty(C); -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty, Int8Ty @@ -124,16 +124,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns1 = cast(c1); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns1 = c1; +#else + Function *cmplogHookIns1 = cast(c1); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty, Int8Ty 
@@ -142,16 +142,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns2 = cast(c2); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns2 = c2; +#else + Function *cmplogHookIns2 = cast(c2); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty, Int8Ty @@ -160,16 +160,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns4 = cast(c4); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns4 = c4; +#else + Function *cmplogHookIns4 = cast(c4); #endif -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty, Int8Ty @@ -178,10 +178,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - Function *cmplogHookIns8 = cast(c8); -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee cmplogHookIns8 = c8; +#else + Function *cmplogHookIns8 = cast(c8); #endif GlobalVariable *AFLCmplogPtr = M.getNamedGlobal("__afl_cmp_map"); diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index 1ec2bbfe..ef3bd66b 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc @@ -35,7 +35,7 @@ #include "llvm/Pass.h" #include "llvm/Analysis/ValueTracking.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" 
@@ -64,11 +64,11 @@ class CompareTransform : public ModulePass { bool runOnModule(Module &M) override; -#if LLVM_VERSION_MAJOR < 4 - const char *getPassName() const override { +#if LLVM_VERSION_MAJOR >= 4 + StringRef getPassName() const override { #else - StringRef getPassName() const override { + const char *getPassName() const override { #endif return "transforms compare functions"; @@ -100,17 +100,17 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, IntegerType * Int32Ty = IntegerType::getInt32Ty(C); IntegerType * Int64Ty = IntegerType::getInt64Ty(C); -#if LLVM_VERSION_MAJOR < 9 - Function *tolowerFn; -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee tolowerFn; +#else + Function * tolowerFn; #endif { -#if LLVM_VERSION_MAJOR < 9 - Constant * -#else +#if LLVM_VERSION_MAJOR >= 9 FunctionCallee +#else + Constant * #endif c = M.getOrInsertFunction("tolower", Int32Ty, Int32Ty #if LLVM_VERSION_MAJOR < 5 @@ -118,10 +118,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, NULL #endif ); -#if LLVM_VERSION_MAJOR < 9 - tolowerFn = cast(c); -#else +#if LLVM_VERSION_MAJOR >= 9 tolowerFn = c; +#else + tolowerFn = cast(c); #endif } @@ -496,10 +496,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, PHINode *PN = PHINode::Create( Int32Ty, (next_lenchk_bb ? 2 : 1) * unrollLen + 1, "cmp_phi"); -#if LLVM_VERSION_MAJOR < 8 - TerminatorInst *term = bb->getTerminator(); -#else +#if LLVM_VERSION_MAJOR >= 8 Instruction *term = bb->getTerminator(); +#else + TerminatorInst *term = bb->getTerminator(); #endif BranchInst::Create(next_lenchk_bb ? next_lenchk_bb : next_cmp_bb, bb); term->eraseFromParent(); diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index d1254e40..95485be9 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc 
@@ -34,7 +34,7 @@ #include "llvm/IR/Module.h" #include "llvm/IR/IRBuilder.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" @@ -796,7 +796,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { LLVMContext &C = M.getContext(); -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7) const DataLayout &dl = M.getDataLayout(); @@ -1398,7 +1398,7 @@ bool SplitComparesTransform::runOnModule(Module &M) { bool brokenDebug = false; if (verifyModule(M, &errs() -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 9) , &brokenDebug // 9th May 2016 diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc index 1e32a31d..c0fa7c9c 100644 --- a/instrumentation/split-switches-pass.so.cc +++ b/instrumentation/split-switches-pass.so.cc @@ -37,7 +37,7 @@ #include "llvm/Analysis/ValueTracking.h" #include "llvm/IR/IRBuilder.h" -#if LLVM_VERSION_MAJOR > 3 || \ +#if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" @@ -369,10 +369,10 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) { CaseVector Cases; for (SwitchInst::CaseIt i = SI->case_begin(), e = SI->case_end(); i != e; ++i) -#if LLVM_VERSION_MAJOR < 5 - Cases.push_back(CaseExpr(i.getCaseValue(), i.getCaseSuccessor())); -#else +#if LLVM_VERSION_MAJOR >= 5 Cases.push_back(CaseExpr(i->getCaseValue(), i->getCaseSuccessor())); +#else + Cases.push_back(CaseExpr(i.getCaseValue(), i.getCaseSuccessor())); #endif /* bugfix thanks to pbst * round up bytesChecked (in case getBitWidth() % 8 != 0) */ diff --git a/src/afl-cc.c b/src/afl-cc.c index 9c6e9b3e..6bdb9572 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
@@ -574,7 +574,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (instrument_mode == INSTRUMENT_PCGUARD) { -#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) +#if LLVM_MAJOR >= 11 || (LLVM_MAJOR == 10 && LLVM_MINOR >= 1) #if defined __ANDROID__ || ANDROID cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; instrument_mode = INSTRUMENT_LLVMNATIVE; @@ -1167,7 +1167,7 @@ int main(int argc, char **argv, char **envp) { } -#if (LLVM_MAJOR > 2) +#if (LLVM_MAJOR >= 3) if ((ptr = find_object("SanitizerCoverageLTO.so", argv[0])) != NULL) { @@ -1196,7 +1196,7 @@ int main(int argc, char **argv, char **envp) { } -#if (LLVM_MAJOR > 2) +#if (LLVM_MAJOR >= 3) if (strncmp(callname, "afl-clang-fast", 14) == 0) { @@ -1724,8 +1724,8 @@ int main(int argc, char **argv, char **envp) { compiler_mode == LTO ? " [SELECTED]" : "", have_llvm ? "AVAILABLE" : "unavailable!", compiler_mode == LLVM ? " [SELECTED]" : "", - LLVM_MAJOR > 6 ? "DEFAULT" : " ", - LLVM_MAJOR > 6 ? " " : "DEFAULT", + LLVM_MAJOR >= 7 ? "DEFAULT" : " ", + LLVM_MAJOR >= 7 ? " " : "DEFAULT", have_gcc_plugin ? "AVAILABLE" : "unavailable!", compiler_mode == GCC_PLUGIN ? " [SELECTED]" : "", have_gcc ? "AVAILABLE" : "unavailable!", @@ -1826,12 +1826,12 @@ int main(int argc, char **argv, char **envp) { " AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by " "filename\n"); -#if LLVM_MAJOR < 9 +#if LLVM_MAJOR >= 9 #define COUNTER_BEHAVIOUR \ - " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" + " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" #else #define COUNTER_BEHAVIOUR \ - " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" + " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" #endif if (have_llvm) SAYF( 
@@ -1905,7 +1905,7 @@ int main(int argc, char **argv, char **envp) { "consult the README.md, especially section 3.1 about instrumenting " "targets.\n\n"); -#if (LLVM_MAJOR > 2) +#if (LLVM_MAJOR >= 3) if (have_lto) SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO); if (have_llvm) @@ -1967,9 +1967,7 @@ int main(int argc, char **argv, char **envp) { if (instrument_mode == 0 && compiler_mode < GCC_PLUGIN) { -#if LLVM_MAJOR <= 6 - instrument_mode = INSTRUMENT_AFL; -#else +#if LLVM_MAJOR >= 7 #if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1) if (have_instr_env) { @@ -1984,6 +1982,8 @@ int main(int argc, char **argv, char **envp) { #endif instrument_mode = INSTRUMENT_PCGUARD; +#else + instrument_mode = INSTRUMENT_AFL; #endif } -- cgit 1.4.1 From fc094dee13060fd84e89764a9526c11a55072e4d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 3 Dec 2021 11:35:30 +0100 Subject: change dlopen solution --- docs/Changelog.md | 7 ++++++- docs/best_practices.md | 21 +++++++++++++++++++++ instrumentation/SanitizerCoverageLTO.so.cc | 12 ++++++++++++ instrumentation/SanitizerCoveragePCGUARD.so.cc | 12 ++++++++++++ instrumentation/afl-compiler-rt.o.c | 15 ++++++++------- test/test-dlopen.c | 20 ++++++++++++++++++-- 6 files changed, 77 insertions(+), 10 deletions(-) (limited to 'instrumentation/SanitizerCoverageLTO.so.cc') diff --git a/docs/Changelog.md b/docs/Changelog.md index 103f9f63..be5cac43 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -9,9 +9,14 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) - - documentation restructuring, made possible by Google Season of Docs :) + - documentation restructuring, made possible by Google Season of Docs - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! + - if instrumented libaries are dlopen()'ed after the forkserver you + will now see crashes. before you would have colliding coverage. + we changed this to force fixing a broken setup rather then allowing + ineffective fuzzing. + See docs/best_practices.md how to fix such setups. - afl-fuzz: - cmplog binaries will need to be recompiled for this version (it is better!) diff --git a/docs/best_practices.md b/docs/best_practices.md index 979849f4..18096851 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md @@ -5,6 +5,7 @@ ### Targets * [Fuzzing a target with source code available](#fuzzing-a-target-with-source-code-available) +* [Fuzzing a target with dlopen() instrumented libraries](#fuzzing-a-target-with-dlopen-instrumented-libraries) * [Fuzzing a binary-only target](#fuzzing-a-binary-only-target) * [Fuzzing a GUI program](#fuzzing-a-gui-program) * [Fuzzing a network service](#fuzzing-a-network-service) 
@@ -20,6 +21,26 @@ To learn how to fuzz a target if source code is available, see [fuzzing_in_depth.md](fuzzing_in_depth.md). +### Fuzzing a target with dlopen instrumented libraries + +If a source code based fuzzing target loads instrumented libraries with +dlopen() after the forkserver has been activated and non-colliding coverage +instrumentation is used (PCGUARD (which is the default), or LTO), then this +an issue, because this would enlarge the coverage map, but afl-fuzz doesn't +know about it. + +The solution is to use `AFL_PRELOAD` for all dlopen()'ed libraries to +ensure that all coverage targets are present on startup in the target, +even if accessed only later with dlopen(). + +For PCGUARD instrumentation `abort()` is called if this is detected, for LTO +there will either be no coverage for the instrumented dlopen()'ed libraries or +you will see lots of crashes in the UI. + +Note that this is not an issue if you use the inferiour `afl-gcc-fast`, +`afl-gcc` or`AFL_LLVM_INSTRUMENT=CLASSIC/NGRAM/CTX afl-clang-fast` +instrumentation. + ### Fuzzing a binary-only target For a comprehensive guide, see diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index bff85a0a..8d7f0c80 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
@@ -1289,6 +1289,18 @@ void ModuleSanitizerCoverage::instrumentFunction( if (!Callee) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue; StringRef FuncName = Callee->getName(); + if (!FuncName.compare(StringRef("dlopen")) || + !FuncName.compare(StringRef("_dlopen"))) { + + fprintf(stderr, + "WARNING: dlopen() detected. To have coverage for a library " + "that your target dlopen()'s this must either happen before " + "__AFL_INIT() or you must use AFL_PRELOAD to preload all " + "dlopen()'ed libraries!\n"); + continue; + + } + if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue; Value *val = ConstantInt::get(Int32Ty, ++afl_global_id); diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 3574b0e4..92450781 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -851,6 +851,18 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (!Callee) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue; StringRef FuncName = Callee->getName(); + if (!FuncName.compare(StringRef("dlopen")) || + !FuncName.compare(StringRef("_dlopen"))) { + + fprintf(stderr, + "WARNING: dlopen() detected. To have coverage for a library " + "that your target dlopen()'s this must either happen before " + "__AFL_INIT() or you must use AFL_PRELOAD to preload all " + "dlopen()'ed libraries!\n"); + continue; + + } + if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue; cnt_cov++; diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 65dafb8c..20f325f3 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c 
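Review bot: The new dlopen check in the LTO hunk (and the identical one in the PCGUARD hunk on this line) only fires for direct calls whose callee is literally named `dlopen` or `_dlopen`; a call through a function pointer is skipped by the preceding `if (!Callee) continue;`, and `dlmopen` is not matched at all, so the warning is best-effort and the runtime check in afl-compiler-rt remains the real safety net — a comment such as `// best-effort: direct calls by name only; the runtime check in afl-compiler-rt is authoritative` would keep the next reader from treating it as complete. The `fprintf` also runs once per call site per module with no once-flag or quiet switch, so a target with many dlopen sites repeats the same multi-line warning throughout the build; a function-local `static bool warned = false;` guard around the `fprintf` would keep the signal without the noise. `FuncName == "dlopen"` reads more directly than `!FuncName.compare(StringRef("dlopen"))` and is the usual way to compare a `StringRef`. instrumentFunction starts and ends outside the hunk.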
@@ -1418,16 +1418,14 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { if (start == stop || *start) return; // If a dlopen of an instrumented library happens after the forkserver then - // we have a problem. - // Should we abort()? This way a user would/could find out. - // Currently we just do not instrument that lib, which is invisible. + // we have a problem as we cannot increase the coverage map anymore. if (__afl_already_initialized_forkserver) { fprintf(stderr, - "[-] ERROR: forkserver is already up, but an instrumented dlopen() " - "library loaded afterwards. You must LD_PRELOAD such libraries to " - "be able to fuzz them.\n"); - return; // or should be abort()? + "[-] FATAL: forkserver is already up, but an instrumented dlopen() " + "library loaded afterwards. You must AFL_PRELOAD such libraries to " + "be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.\n"); + abort(); } @@ -1443,6 +1441,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { /* instrumented code is loaded *after* our forkserver is up. this is a problem. We cannot prevent collisions then :( */ + /* if (__afl_already_initialized_forkserver && __afl_final_loc + 1 + stop - start > __afl_map_size) { @@ -1475,6 +1474,8 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { } + */ + /* Make sure that the first element in the range is always set - we use that to avoid duplicate calls (which can happen as an artifact of the underlying implementation in LLVM). */ diff --git a/test/test-dlopen.c b/test/test-dlopen.c index d08d9092..b81bab13 100644 --- a/test/test-dlopen.c +++ b/test/test-dlopen.c @@ -5,7 +5,13 @@ int main(int argc, char **argv) { - if (!getenv("TEST_DLOPEN_TARGET")) return 1; + if (!getenv("TEST_DLOPEN_TARGET")) { + + fprintf(stderr, "Error: TEST_DLOPEN_TARGET not set!\n"); + return 1; + + } + void *lib = dlopen(getenv("TEST_DLOPEN_TARGET"), RTLD_LAZY); if (!lib) { 
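Review bot: The `abort()` that replaces the `return` in `__sanitizer_cov_trace_pc_guard_init` is preceded by a FATAL message on stderr, but when the target runs under afl-fuzz the child's stderr is normally discarded unless `AFL_DEBUG_CHILD` is set, so what the user actually sees is a stream of SIGABRT crashes with no explanation; the best_practices hunk above says "you will see lots of crashes" but neither it nor the message points at `AFL_DEBUG_CHILD` as the way to surface the reason. Appending `" (run with AFL_DEBUG_CHILD=1 to see this message)"` to the string, or a sentence to that effect in docs/best_practices.md, closes that gap. The function's signature is outside the hunk; the `if (start == stop || *start) return;` early-out above the check means the abort is reached only for a not-yet-initialised guard range, which is presumably the intended once-per-loaded-library behaviour.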
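Review bot: The `@@ -1443` and `@@ -1475` hunks disable the old collision-handling block by wrapping it in `/* ... */` instead of deleting it; with the `abort()` now taken earlier in the same function whenever `__afl_already_initialized_forkserver` is set, that block is unreachable dead code that every future maintainer still has to read and keep syntactically alive. Git history preserves it, so the usual preference is to delete it outright, or at least use `#if 0` / `#endif`, which unlike a block comment does not break if the disabled code itself contains `*/` (the full span between the two hunks is not visible here). If it is kept on purpose as a reference, a one-line comment such as `/* unreachable since the abort() above; kept for reference only */` should say so.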
@@ -15,8 +21,18 @@ int main(int argc, char **argv) { } int (*func)(int, char **) = dlsym(lib, "main_exported"); - if (!func) return 3; + if (!func) { + + fprintf(stderr, "Error: main_exported not found!\n"); + return 3; + + } + + // must use deferred forkserver as otherwise afl++ instrumentation aborts + // because all dlopen() of instrumented libs must be before the forkserver + __AFL_INIT(); + fprintf(stderr, "Running main_exported\n"); return func(argc, argv); } -- cgit 1.4.1
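Review bot: `__AFL_INIT();` is inserted unconditionally, but that macro is only provided by the afl++ compiler wrappers, so test-dlopen.c now fails to compile with a plain cc, which matters for a test program the runtime message above expects people to also run "outside of afl-fuzz". The documented guard is `#ifdef __AFL_HAVE_MANUAL_CONTROL` / `__AFL_INIT();` / `#endif`, which keeps the deferred-forkserver behaviour under instrumentation and compiles to nothing elsewhere. The comment explaining why the call must come after `dlopen` is useful and should stay attached to it.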