From 9d03763d942c19ac9c6cbe7d6a3f3cecba65abad Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 1 May 2020 00:57:20 +0200
Subject: at some point we have to do a rewrite of llvm_mode/GNUmakefile

---
 llvm_mode/afl-llvm-rt.o.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'llvm_mode/afl-llvm-rt.o.c')

diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 8867ae36..722ca421 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -152,7 +152,7 @@ static void __afl_map_shm(void) {
 if (getenv("AFL_DEBUG"))
 fprintf(stderr,
- "DEBUG: id_str %s, __afl_map_addr 0x%x, MAP_SIZE %u, "
+ "DEBUG: id_str %s, __afl_map_addr 0x%lx, MAP_SIZE %u, "
 "__afl_final_loc %u, max_size_forkserver %u/0x%x\n",
 id_str == NULL ? "" : id_str, __afl_map_addr, MAP_SIZE, __afl_final_loc, FS_OPT_MAX_MAPSIZE, FS_OPT_MAX_MAPSIZE);
-- 
cgit 1.4.1

From 6e45e55d82eeed2075579a530f5aeea8d00af55b Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Tue, 5 May 2020 10:38:44 +0200
Subject: fix crash in AFL_LLVM_LAF_TRANSFORM_COMPARES

---
 docs/Changelog.md | 1 +
 llvm_mode/afl-llvm-rt.o.c | 15 ++++++---------
 llvm_mode/compare-transform-pass.so.cc | 12 ++++++++----
 test/test.sh | 2 +-
 4 files changed, 16 insertions(+), 14 deletions(-)
(limited to 'llvm_mode/afl-llvm-rt.o.c')

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8c0624b6..ac68e8ff 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -21,6 +21,7 @@ sending a mail to .
 fuzzing speed
 - fixes to LTO mode if instrumented edges > MAP_SIZE
 - CTX and NGRAM can now be used together
+ - AFL_LLVM_LAF_TRANSFORM_COMPARES would sometimes crash, fixed
 - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter implmentation. For targets with little or no loops or heavy called functions. Gives a small performance boost.
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 722ca421..56038f7a 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -67,22 +67,19 @@
 u8 __afl_area_initial[MAP_SIZE];
 u8 *__afl_area_ptr = __afl_area_initial;
 u8 *__afl_dictionary;
+u32 __afl_final_loc;
+u32 __afl_map_size = MAP_SIZE;
+u32 __afl_dictionary_len;
+u64 __afl_map_addr;
+
 #ifdef __ANDROID__
 PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
-u32 __afl_final_loc;
 u32 __afl_prev_ctx;
 u32 __afl_cmp_counter;
-u32 __afl_dictionary_len;
-u32 __afl_map_size = MAP_SIZE;
-u64 __afl_map_addr;
 #else
 __thread PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
-__thread u32 __afl_final_loc;
 __thread u32 __afl_prev_ctx;
 __thread u32 __afl_cmp_counter;
-__thread u32 __afl_dictionary_len;
-__thread u32 __afl_map_size = MAP_SIZE;
-__thread u64 __afl_map_addr;
 #endif
 struct cmp_map *__afl_cmp_map;
@@ -152,7 +149,7 @@ static void __afl_map_shm(void) {
 if (getenv("AFL_DEBUG"))
 fprintf(stderr,
- "DEBUG: id_str %s, __afl_map_addr 0x%lx, MAP_SIZE %u, "
+ "DEBUG: id_str %s, __afl_map_addr 0x%llx, MAP_SIZE %u, "
 "__afl_final_loc %u, max_size_forkserver %u/0x%x\n",
 id_str == NULL ? "" : id_str, __afl_map_addr, MAP_SIZE, __afl_final_loc, FS_OPT_MAX_MAPSIZE, FS_OPT_MAX_MAPSIZE);
diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc
index c871c1c4..9cf4169e 100644
--- a/llvm_mode/compare-transform-pass.so.cc
+++ b/llvm_mode/compare-transform-pass.so.cc
@@ -386,13 +386,13 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 TmpConstStr = Str1.str();
 VarStr = Str2P;
- constLen = isMemcmp ? sizedLen : GetStringLength(Str1P);
+ constLen = isMemcmp ? sizedLen : TmpConstStr.length();
 } else {
 TmpConstStr = Str2.str();
 VarStr = Str1P;
- constLen = isMemcmp ? sizedLen : GetStringLength(Str2P);
+ constLen = isMemcmp ? sizedLen : TmpConstStr.length();
 }
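Review bot: Moving `__afl_final_loc`, `__afl_map_size`, `__afl_dictionary_len` and `__afl_map_addr` out of the `__thread` block in the -67 hunk changes them from per-thread to process-wide state, and neither the hunk nor the commit message (which only names the LAF compare crash) records why. A one-line comment above the four new declarations would keep the next reader from "fixing" them back, e.g. `/* process-wide, not TLS: written once while the shm map is set up and only read afterwards; as __thread copies they were unset in threads created later */`. Whether these are really written only during startup is not visible in this hunk, so that part of the comment needs confirming against `__afl_map_shm` and the forkserver code before it is committed.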
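Review bot: The `%llx` in the -149 hunk assumes `u64` is `unsigned long long`; if the typedef resolves to `uint64_t`, which is `unsigned long` on LP64 targets, the format still mismatches the argument and `-Wformat` warns, just as the earlier `%lx` in this page's first commit did. The portable spelling is `"DEBUG: id_str %s, __afl_map_addr 0x%" PRIx64 ", MAP_SIZE %u, "` with `<inttypes.h>` included, or a cast of `__afl_map_addr` to `(unsigned long long)` at the call. The definition of `u64` is not on this page, so the mismatch on non-x86-64 targets is inferred. `__afl_map_shm` starts and ends outside the hunk.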
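Review bot: In the -386 hunk `constLen` now counts `TmpConstStr.length()` instead of `GetStringLength(...)`, and the two do not count the same thing: LLVM's `GetStringLength` returns the length including the terminator, whereas whether `Str1.str()`/`Str2.str()` carry the NUL depends on how they were extracted, which is outside the hunk. Since the clamps that follow (in the -401 hunk) append a NUL and then compare against `TmpConstStr.length()`, the convention should be pinned with a comment on both assignments, e.g. `// byte count of the extracted constant, terminator not included; the NUL is appended and counted below`. `transformCmps` starts and ends outside the hunk.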
@@ -401,8 +401,12 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 * runtime bounds checking, which makes debugging easier) */
 TmpConstStr.append("\0", 1);
 ConstStr = StringRef(TmpConstStr);
-
- if (isSizedcmp && constLen > sizedLen) { constLen = sizedLen; }
+ // fprintf(stderr, "issized: %d, const > sized ? %u > %u\n", isSizedcmp,
+ // constLen, sizedLen);
+ if (isSizedcmp && constLen > sizedLen && sizedLen) constLen = sizedLen;
+ if (constLen > TmpConstStr.length()) constLen = TmpConstStr.length();
+ if (!constLen) constLen = TmpConstStr.length();
+ if (!constLen) continue;
 if (!be_quiet)
 errs() << callInst->getCalledFunction()->getName() << ": len " << constLen
diff --git a/test/test.sh b/test/test.sh
index e950e3de..90633a9f 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -81,7 +81,7 @@ test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && {
 } || {
 AFL_GCC=afl-gcc
 }
-command -v gcc || AFL_GCC=afl-clang
+command -v gcc >/dev/null 2>&1 || AFL_GCC=afl-clang
 SYS=`uname -m`
-- 
cgit 1.4.1
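Review bot: The new `if (!constLen) continue;` can never fire: `TmpConstStr.append("\0", 1)` runs a few lines earlier, so `TmpConstStr.length()` is at least 1 and the preceding `if (!constLen) constLen = TmpConstStr.length();` always leaves `constLen` non-zero, which makes the guard dead rather than a safety net. The zero case that is actually reachable is a sized compare with a constant length of 0 (`&& sizedLen` deliberately skips the clamp for it); the fallback then instruments the whole constant including the appended NUL, i.e. bytes the original `memcmp`/`strncmp` never examined, although whether the generated compare chain really follows `constLen` that far is not visible here. If that is intended it needs a comment saying so; otherwise `if (isSizedcmp && !sizedLen) continue;` placed before the fallbacks leaves a zero-length compare untransformed, which is always semantics-preserving. The commented-out `fprintf` debug lines should be dropped or routed through the existing `be_quiet` output. `transformCmps` starts and ends outside the hunk.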