From 942f8d0ec9bed45c9038112aef7cd9b8a05f6f30 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 28 Oct 2019 11:01:37 +0000
Subject: Fix proposal for libtokencap
Avoiding fopen API seems buggy on NetBSD.
---
 libtokencap/Makefile | 3 +++
 libtokencap/libtokencap.so.c | 18 +++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
(limited to 'libtokencap')
diff --git a/libtokencap/Makefile b/libtokencap/Makefile
index 441412c7..df2426ed 100644
--- a/libtokencap/Makefile
+++ b/libtokencap/Makefile
@@ -33,6 +33,9 @@ endif
 ifeq "$(shell uname)" "OpenBSD"
 TARGETS = libtokencap.so
 endif
+ifeq "$(shell uname)" "NetBSD"
+ TARGETS = libtokencap.so
+endif
 all: $(TARGETS)
 libtokencap.so: libtokencap.so.c ../config.h
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index 7ed231fe..e1977127 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -23,6 +23,7 @@
 #include
 #include
 #include
+#include
 #include "../types.h"
 #include "../config.h"
@@ -49,7 +50,7 @@ static struct mapping {
 void *st, *en;
 } __tokencap_ro[MAX_MAPPINGS];
 static u32 __tokencap_ro_cnt;
 static u8 __tokencap_ro_loaded;
-static FILE* __tokencap_out_file;
+static int __tokencap_out_file = -1;
 /* Identify read-only regions in memory. Only parameters that fall into these ranges are worth dumping when passed to strcmp() and so on. Read-write
@@ -211,7 +212,7 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
 u32 i;
 u32 pos = 0;
- if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
+ if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || __tokencap_out_file == -1)
 return;
 for (i = 0; i < len; i++) {
@@ -237,7 +238,9 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
 buf[pos] = 0;
- fprintf(__tokencap_out_file, "\"%s\"\n", buf);
+ write(__tokencap_out_file, "\"", 1);
+ write(__tokencap_out_file, buf, pos);
+ write(__tokencap_out_file, "\"\n", 2);
 }
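Review bot: In the -237 hunk the token line is now emitted as three separate write() calls whose return values are discarded, so a short or failed write drops or truncates a token silently, and because the descriptor is opened with O_APPEND (see the -403 hunk below) another writer to the same file — presumably other forked instances of the instrumented target — can land between the three calls and split the quoted line. Emitting the whole line in one call keeps each token intact without sizing a second buffer: `struct iovec iov[3] = {{"\"", 1}, {buf, pos}, {"\"\n", 2}};` followed by `if (writev(__tokencap_out_file, iov, 3) < 0) return; /* best effort, as before */` (needs <sys/uio.h> in the include block, whose header names this rendering has lost). __tokencap_dump's body begins outside the hunk.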
@@ -403,8 +406,13 @@ char* strcasestr(const char* haystack, const char* needle) {
 __attribute__((constructor)) void __tokencap_init(void) {
 u8* fn = getenv("AFL_TOKEN_FILE");
- if (fn) __tokencap_out_file = fopen(fn, "a");
- if (!__tokencap_out_file) __tokencap_out_file = stderr;
+ if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655);
+ if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
 }
+/* closing as best as we can the tokens file */
+__attribute__((destructor)) void __tokencap_shutdown(void) {
+ if (__tokencap_out_file != STDERR_FILENO) close(__tokencap_out_file);
+}
+
-- cgit 1.4.1
From 25443918c4ab15c4c1f9ba0861f5d48daa29a412 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Mon, 28 Oct 2019 16:45:30 +0100
Subject: silence some compiler warnings
---
 libtokencap/libtokencap.so.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'libtokencap')
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index e1977127..820f5bc4 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -238,9 +238,9 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
 buf[pos] = 0;
- write(__tokencap_out_file, "\"", 1);
- write(__tokencap_out_file, buf, pos);
- write(__tokencap_out_file, "\"\n", 2);
+ int wrt_ok = ( 1 == write(__tokencap_out_file, "\"", 1));
+ wrt_ok &= (pos == write(__tokencap_out_file, buf, pos));
+ wrt_ok &= (2 == write(__tokencap_out_file, "\"\n", 2));
 }
-- cgit 1.4.1
From df5c7eef39ac20497d5b372033874c70bb7a47e9 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Tue, 29 Oct 2019 10:49:16 +0000
Subject: libtokencap, respect constness
also considering pointer arithmetic is non C standard, some compilers might not have GNU extensions.
---
 libtokencap/libtokencap.so.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
(limited to 'libtokencap')
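Review bot: The mode passed to open() in the -403 hunk, `0655`, sets the execute bit for group and others on the token log (rw-r-xr-x), which reads like a typo for `0644`; O_RDWR is also wider than the descriptor's only use, so `if (fn) __tokencap_out_file = open(fn, O_WRONLY | O_CREAT | O_APPEND, 0644);`. In the new __tokencap_shutdown the closed descriptor number stays in __tokencap_out_file, so an intercepted compare that runs after this destructor (another library's destructor or an atexit handler) still passes __tokencap_dump's `== -1` check and writes to whatever has reused that number; follow the close() with `__tokencap_out_file = -1;`. The comment above the destructor should say what "as best as we can" covers — on the visible code it is only closing the fd, with stderr deliberately left open.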
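Review bot: `wrt_ok` in the -238 hunk is assigned three times and never read, so this swaps the unused-result warning for an unused-but-set-variable one and write failures are still ignored; the comparison form is the right shape (a bare `(void)` cast would not silence glibc's warn_unused_result), it just needs a consumer. If the dump is best effort, make that explicit and stop retrying a broken descriptor, e.g. after the third write `if (!wrt_ok) __tokencap_out_file = -1; /* best effort: give up on a failed log */`. `pos == write(...)` compares a u32 with a ssize_t, which only reports failure correctly because a -1 result can never equal a token length; a `(ssize_t)pos` cast makes that intent visible. __tokencap_dump's body begins outside the hunk.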
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index 820f5bc4..7e55963c 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -256,7 +256,7 @@ int strcmp(const char* str1, const char* str2) {
 while (1) {
- unsigned char c1 = *str1, c2 = *str2;
+ const unsigned char c1 = *str1, c2 = *str2;
 if (c1 != c2) return (c1 > c2) ? 1 : -1;
 if (!c1) return 0;
@@ -298,7 +298,7 @@ int strcasecmp(const char* str1, const char* str2) {
 while (1) {
- unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+ const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
 if (c1 != c2) return (c1 > c2) ? 1 : -1;
 if (!c1) return 0;
@@ -318,7 +318,7 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
 while (len--) {
- unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+ const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
 if (!c1) return 0;
 if (c1 != c2) return (c1 > c2) ? 1 : -1;
@@ -338,12 +338,15 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
 if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
 if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
+ const char *strmem1 = (const char *)mem1;
+ const char *strmem2 = (const char *)mem2;
+
 while (len--) {
- unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
+ const unsigned char c1 = *strmem1, c2 = *strmem2;
 if (c1 != c2) return (c1 > c2) ? 1 : -1;
- mem1++;
- mem2++;
+ strmem1++;
+ strmem2++;
 }
-- cgit 1.4.1
From c87210820c1566c74bf08ab4345679598cabd71b Mon Sep 17 00:00:00 2001
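Review bot: In the -298 and -318 hunks the new lines still hand a plain `char` to tolower(); where char is signed, any byte above 0x7f becomes a negative argument, which is undefined behaviour for the <ctype.h> functions (only EOF and unsigned char values are permitted), and adding const does not change that. Use `const unsigned char c1 = tolower((unsigned char)*str1), c2 = tolower((unsigned char)*str2);` in both places; the memcmp hunk is fine because the bytes are stored straight into an unsigned char. Pre-existing but visible in the -318 hunk's context: strncasecmp tests `!c1` before `c1 != c2`, so when str1 ends first it returns 0 (equal) instead of a negative result, whereas strcasecmp above orders the two checks correctly — swapping them here fixes it. All four function bodies continue outside their hunks.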
From: David Carlier
Date: Tue, 29 Oct 2019 15:06:20 +0000
Subject: libtokencap update proposal
- bcmp interception.
- FreeBSD using default argument to get current pid for the mapping data gathering, getpid seems to cause some issues under certain conditions (getenv call).
---
 libtokencap/libtokencap.so.c | 28 ++++++++++++++++++++++++----
 llvm_mode/afl-clang-fast.c | 3 +++
 src/afl-gcc.c | 1 +
 3 files changed, 28 insertions(+), 4 deletions(-)
(limited to 'libtokencap')
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index 7e55963c..2fe9ae63 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -115,7 +115,7 @@ static void __tokencap_load_mappings(void) {
 #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
 #if defined __FreeBSD__
- int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, getpid()};
+ int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, -1};
 #elif defined __OpenBSD__
 int mib[] = {CTL_KERN, KERN_PROC_VMMAP, getpid()};
 #elif defined __NetBSD__
@@ -134,9 +134,7 @@ static void __tokencap_load_mappings(void) {
 #endif
 buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
- if (!buf) {
- return;
- }
+ if (buf == MAP_FAILED) return;
 if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {
@@ -354,6 +352,28 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
 }
+#undef bcmp
+
+int bcmp(const void* mem1, const void* mem2, size_t len) {
+
+ if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
+ if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
+
+ const char *strmem1 = (const char *)mem1;
+ const char *strmem2 = (const char *)mem2;
+
+ while (len--) {
+
+ int diff = *strmem1 ^ *strmem2;
+ if (diff != 0) return 1;
+ strmem1++;
+ strmem2++;
+
+ }
+
+ return 0;
+}
+
 #undef strstr
 char* strstr(const char* haystack, const char* needle) {
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index a7f6acdc..1acf8856 100644
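Review bot: The FreeBSD branch of the -115 hunk now hard-codes -1 as the pid element of mib with nothing in the code saying why; the commit message explains that getpid() misbehaved in this constructor, and that reasoning belongs beside the line, e.g. `/* -1: current process (assumed kernel default); getpid() caused problems here, see commit */`, with the "current process" part confirmed against the sysctl documentation. The OpenBSD and NetBSD branches in the same hunk still call getpid(), so either they are unaffected or they were missed — worth stating which. In the -354 hunk bcmp repeats memcmp's dump-then-scan loop and differs only in its return value, so `return memcmp(mem1, mem2, len) != 0;` would keep the interception logic in one place, provided that call binds to the interposer defined above and not to a compiler builtin (the -fno-builtin flags in this commit apply to the fuzzed target, so the library's own build flags would need checking). __tokencap_load_mappings continues outside both of its hunks.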
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -273,6 +273,9 @@ static void edit_params(u32 argc, char** argv) {
 cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
 cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
 cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+ cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
+ cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
+ cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
 }
diff --git a/src/afl-gcc.c b/src/afl-gcc.c
index 740442dc..e0706a5f 100644
--- a/src/afl-gcc.c
+++ b/src/afl-gcc.c
@@ -320,6 +320,7 @@ static void edit_params(u32 argc, char** argv) {
 cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
 cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
 cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+ cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
 cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
 cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
-- cgit 1.4.1
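Review bot: The -fno-builtin list in afl-clang-fast.c's edit_params is a hand-maintained copy of the one in afl-gcc.c and the two had already drifted — afl-gcc.c carried -fno-builtin-strstr and -fno-builtin-strcasestr before this commit while afl-clang-fast.c only gains them now — and every new libtokencap interposer (bcmp here) must be added in both places. A shared table of the intercepted function names, looped over by both wrappers to build the `-fno-builtin-` flags, would keep them in step; failing that, a comment by each list, `/* keep in sync with src/afl-gcc.c and libtokencap/libtokencap.so.c */`, at least tells the next author where to look. edit_params continues outside both hunks.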