From 396de6fc9c49e6865b3130489ed39c7ea47540d1 Mon Sep 17 00:00:00 2001 From: Marc Poulhiès Date: Thu, 3 Mar 2022 13:05:17 +0100 Subject: Fix GCC plugin crash when using deny/allow list The provided function declaration F may not have valid location information. Return an empty string in this case as the two callers are already using this convention to filter out functions from being instrumented when deny/allow list are used. --- instrumentation/afl-gcc-pass.so.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'instrumentation') diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 734fa170..bb5483fc 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -714,9 +714,11 @@ struct afl_pass : gimple_opt_pass { } + /* Returns the source file name attached to the function declaration F. If + there is no source location information, returns an empty string. */ std::string getSourceName(function *F) { - return DECL_SOURCE_FILE(F->decl); + return DECL_SOURCE_FILE(F->decl) ? DECL_SOURCE_FILE(F->decl) : ""; } -- cgit 1.4.1 From b1da7500b2ef915887322d4a1903fe981d49acb5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:06:13 +0200 Subject: fix msg --- instrumentation/cmplog-instructions-pass.cc | 79 +++++++++++++++++++++++++++-- instrumentation/cmplog-routines-pass.cc | 2 + src/afl-fuzz.c | 2 +- 3 files changed, 79 insertions(+), 4 deletions(-) (limited to 'instrumentation') diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 4d37bcb2..e21289b4 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
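Review bot: The new return line of getSourceName expands `DECL_SOURCE_FILE(F->decl)` twice, once for the null test and once for the value; the macro presumably performs a location lookup each time, so bind it once: `const char *file = DECL_SOURCE_FILE(F->decl);` followed by `return file ? std::string(file) : std::string();`, which also makes the null guard visibly separate from the value returned. The added comment is accurate but could state the consequence the commit message gives, e.g. `/* ... Callers treat the empty string as "no location" and skip the function when an allow/deny list is active. */`, since a silently skipped function is the practitioner-visible effect. getSourceName is a member of struct afl_pass, whose definition starts and ends outside this hunk.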
@@ -32,9 +32,15 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 + #include "llvm/Pass.h" + #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" + #include "llvm/Analysis/EHPersonalities.h" + #include "llvm/Analysis/PostDominators.h" + #include "llvm/Analysis/LoopInfo.h" + #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -64,7 +70,10 @@ using namespace llvm; namespace { +using LoopInfoCallback = function_ref; + #if LLVM_MAJOR >= 11 /* use new pass manager */ + class CmpLogInstructions : public PassInfoMixin { public: @@ -88,6 +97,7 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ + PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; @@ -106,7 +116,8 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); + unsigned int instrumented = 0; }; @@ -153,7 +164,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M) { +bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { std::vector icomps; LLVMContext & C = M.getContext(); 
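Review bot: The include hunk adds `EHPersonalities.h`, `PostDominators.h` and `LoopPass.h` under `LLVM_MAJOR >= 11`, yet nothing in the visible hunks of this commit uses those headers; the only analysis actually referenced is LoopInfo (through the `LoopInfoCallback` alias here and the `LoopAnalysis` result requested later in this commit), so the other three should be dropped rather than left for a later clean-up. The `using LoopInfoCallback = function_ref...;` alias is declared outside the `#if LLVM_MAJOR >= 11` guard while `llvm/Analysis/LoopInfo.h` is included only inside it, so the legacy-PM build depends on `LoopInfo` arriving via a transitive include; either include `LoopInfo.h` unconditionally or move the alias (and the new `hookInstrs` parameter) under the same guard. The template argument of `function_ref` appears to have been lost in the rendering of this page, so the callback's exact signature cannot be checked here.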
@@ -290,14 +301,62 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (!isInInstrumentList(&F, MNAME)) continue; + std::vector lcomps; + const LoopInfo * LI = LCallback(F); +#if 0 + for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; + BasicBlock *In, *Out; + bool ok = false ; L->getIncomingAndBackEdge(In, Out); + if (ok) { + + BasicBlock *decisionBB = In->getSingleSuccessor(); + + if (decisionBB) { + + /* + std::string errMsg1; + raw_string_ostream os1(errMsg1); + In->print(os1); + fprintf(stderr, "In: %s\n", os1.str().c_str()); + std::string errMsg2; + raw_string_ostream os2(errMsg2); + Out->print(os2); + fprintf(stderr, "Out: %s\n", os2.str().c_str()); + std::string errMsg3; + raw_string_ostream os3(errMsg3); + decisionBB->print(os3); + fprintf(stderr, "Dec: %s\n", os3.str().c_str()); + */ + lcomps.push_back(decisionBB); + + } + + } + } +#endif + + + // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), + // lcomps.size()); + for (auto &BB : F) { + if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { + + fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); + + continue; + + } + for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); + fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } @@ -644,6 +703,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { break; } + + ++instrumented; } @@ -657,6 +718,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } } + + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) return true; 
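Review bot: The added `fprintf(stderr, "Found icomp %p in %p\n", ...)` inside the per-instruction loop, and `fprintf(stderr, "instrumented: %u (%zu)\n", ...)` at the end of hookInstrs, print unconditionally for every module compiled, bypassing the `be_quiet` flag this pass sets from AFL_QUIET; if the counters are worth keeping, gate them, e.g. `if (!be_quiet) fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size());`, and drop the per-instruction line entirely. `LI` is obtained from `LCallback(F)` for every function but is only read inside the `#if 0` block, so the loop analysis is computed and then discarded and the variable draws an unused-variable warning. The `#if 0` block itself should not land in this form: `ok` is initialised to false and never set, so `decisionBB` could never be recorded even if the block were enabled, `lcomps` is always empty and the `std::find` per basic block is dead work. hookInstrs begins and ends outside this hunk.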
@@ -678,9 +741,19 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - hookInstrs(M); + + auto &FAM = MAM.getResult(M).getManager(); + auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { + + return &FAM.getResult(F); + + }; + + hookInstrs(M, LoopCallback); verifyModule(M); + fprintf(stderr, "done cmplog-instructions-pass\n"); + #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 8205cfb0..708a94bc 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,6 +761,8 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); + fprintf(stderr, "done cmplog-routines-pass\n"); + #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92243fbb..c5ab364a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) { } - OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length, + OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length, afl->max_length); u32 min_alloc = MAX(64U, afl->min_length); afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc); -- cgit 1.4.1 From 1d00bde6c508ed86366e4a7d3730e6d1203bcb60 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:11:19 +0200 Subject: code format --- custom_mutators/symcc/README.md | 5 ++++- frida_mode/src/instrument/instrument_arm64.c | 4 ++-- frida_mode/src/instrument/instrument_x64.c | 3 ++- instrumentation/cmplog-instructions-pass.cc | 10 ++++++---- utils/libdislocator/libdislocator.so.c | 9 +++++---- 5 files changed, 19 insertions(+), 12 deletions(-) (limited to 'instrumentation') 
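Review bot: The new lines `auto &FAM = MAM.getResult(...)...` reference `MAM`, which the class hunk of this commit declares only for the new-PM `run(Module &M, ModuleAnalysisManager &MAM)`; git labels this hunk with the legacy `bool CmpLogInstructions::runOnModule(Module &M)` and the body ends with `#if LLVM_MAJOR >= 11 return PreservedAnalyses::all(); #else`, which suggests one body is shared by both entry points via `#if`, in which case the LLVM < 11 build fails with `MAM` undeclared. The callback construction should sit under `#if LLVM_MAJOR >= 11`, with the legacy path keeping `hookInstrs(M);` (or passing a callback that returns nullptr). The added `fprintf(stderr, "done cmplog-instructions-pass\n")`, and the matching one in cmplog-routines-pass.cc, print unconditionally although `be_quiet` is set two lines earlier from AFL_QUIET; wrap them as `if (!be_quiet) fprintf(stderr, "done cmplog-instructions-pass\n");` or remove them. The function's opening lines are outside this hunk.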
diff --git a/custom_mutators/symcc/README.md b/custom_mutators/symcc/README.md index 337362ae..364a348e 100644 --- a/custom_mutators/symcc/README.md +++ b/custom_mutators/symcc/README.md @@ -1,6 +1,9 @@ # custum mutator: symcc -This uses the excellent symcc to find new paths into the target. +This uses the symcc to find new paths into the target. + +Note that this is a just a proof of concept example! It is better to use +the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this. To use this custom mutator follow the steps in the symcc repository [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index e6251cb4..2bc8f8aa 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -18,8 +18,8 @@ #if defined(__aarch64__) -gboolean instrument_cache_enabled = FALSE; -gsize instrument_cache_size = 0; +gboolean instrument_cache_enabled = FALSE; +gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; __attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index d54c8353..f02c971e 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; - /* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ + /* guint64 area_offset = + * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ if (instrument_previous_pc_addr == NULL) { GumAddressSpec spec = {.near_address = cw->code, diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index e21289b4..85d48835 100644 
--- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -116,7 +116,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); unsigned int instrumented = 0; }; @@ -305,6 +305,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { const LoopInfo * LI = LCallback(F); #if 0 for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; BasicBlock *In, *Out; bool ok = false ; L->getIncomingAndBackEdge(In, Out); @@ -333,9 +334,10 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } + } -#endif +#endif // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), // lcomps.size()); @@ -703,7 +705,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { break; } - + ++instrumented; } @@ -718,7 +720,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } - + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 72fafa4b..bd08a678 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -257,16 +257,17 @@ static void *__dislocator_alloc(size_t len) { } #if defined(USENAMEDPAGE) -#if defined(__linux__) + #if defined(__linux__) // in the /proc//maps file, the anonymous page appears as // `- ---p 00000000 00:00 0 [anon:libdislocator]` - if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, - (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, + (unsigned long)"libdislocator") < 0) { DEBUGF("prctl() failed"); } -#endif + + #endif #endif /* Set PROT_NONE on the last page. */ -- cgit 1.4.1 
From 4f42ecd8150f9b72e0fef37292572b7ad3ef6870 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:16:10 +0200 Subject: remove WIP code --- custom_mutators/grammar_mutator/grammar_mutator | 2 +- instrumentation/cmplog-instructions-pass.cc | 81 +------------------------ instrumentation/cmplog-routines-pass.cc | 2 - unicorn_mode/unicornafl | 2 +- 4 files changed, 5 insertions(+), 82 deletions(-) (limited to 'instrumentation') diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index ff4e5a26..cbe5e327 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 +Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 85d48835..4d37bcb2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -32,15 +32,9 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 - #include "llvm/Pass.h" - #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" - #include "llvm/Analysis/EHPersonalities.h" - #include "llvm/Analysis/PostDominators.h" - #include "llvm/Analysis/LoopInfo.h" - #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -70,10 +64,7 @@ using namespace llvm; namespace { -using LoopInfoCallback = function_ref; - #if LLVM_MAJOR >= 11 /* use new pass manager */ - class CmpLogInstructions : public PassInfoMixin { public: 
@@ -97,7 +88,6 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ - PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; @@ -116,8 +106,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); - unsigned int instrumented = 0; + bool hookInstrs(Module &M); }; @@ -164,7 +153,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { +bool CmpLogInstructions::hookInstrs(Module &M) { std::vector icomps; LLVMContext & C = M.getContext(); 
@@ -301,64 +290,14 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { if (!isInInstrumentList(&F, MNAME)) continue; - std::vector lcomps; - const LoopInfo * LI = LCallback(F); -#if 0 - for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { - - Loop * L = *I; - BasicBlock *In, *Out; - bool ok = false ; L->getIncomingAndBackEdge(In, Out); - if (ok) { - - BasicBlock *decisionBB = In->getSingleSuccessor(); - - if (decisionBB) { - - /* - std::string errMsg1; - raw_string_ostream os1(errMsg1); - In->print(os1); - fprintf(stderr, "In: %s\n", os1.str().c_str()); - std::string errMsg2; - raw_string_ostream os2(errMsg2); - Out->print(os2); - fprintf(stderr, "Out: %s\n", os2.str().c_str()); - std::string errMsg3; - raw_string_ostream os3(errMsg3); - decisionBB->print(os3); - fprintf(stderr, "Dec: %s\n", os3.str().c_str()); - */ - lcomps.push_back(decisionBB); - - } - - } - - } - -#endif - - // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), - // lcomps.size()); - for (auto &BB : F) { - if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { - - fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); - - continue; - - } - for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); - fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } @@ -706,8 +645,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - ++instrumented; - } /* else fprintf(stderr, "skipped\n"); */ @@ -721,8 +658,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); - if (icomps.size()) return true; else 
@@ -743,19 +678,9 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - - auto &FAM = MAM.getResult(M).getManager(); - auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { - - return &FAM.getResult(F); - - }; - - hookInstrs(M, LoopCallback); + hookInstrs(M); verifyModule(M); - fprintf(stderr, "done cmplog-instructions-pass\n"); - #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 708a94bc..8205cfb0 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,8 +761,6 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); - fprintf(stderr, "done cmplog-routines-pass\n"); - #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e -- cgit 1.4.1