From 38d74f0ad56a74cfed1eec04a8a46b4f8e4ec824 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 28 Oct 2019 20:48:45 +0100 Subject: second forgotten place, we need to filter out float vector types --- llvm_mode/split-compares-pass.so.cc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'llvm_mode') diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 06bdeb60..60420f77 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -118,6 +118,8 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { /* this is probably not needed but we do it anyway */ if (TyOp0 != TyOp1) { continue; } + if (TyOp0->isArrayTy() || TyOp0->isVectorTy()) { continue; } + fcomps.push_back(selectcmpInst); } -- cgit 1.4.1 From c87210820c1566c74bf08ab4345679598cabd71b Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 29 Oct 2019 15:06:20 +0000 Subject: libtokencap update proposal - bcmp interception. - FreeBSD using default argument to get current pid for the mapping data gathering, getpid seems to cause some issues under certain conditions (getenv call). --- libtokencap/libtokencap.so.c | 28 ++++++++++++++++++++++++---- llvm_mode/afl-clang-fast.c | 3 +++ src/afl-gcc.c | 1 + 3 files changed, 28 insertions(+), 4 deletions(-) (limited to 'llvm_mode') diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 7e55963c..2fe9ae63 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -115,7 +115,7 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ #if defined __FreeBSD__ - int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, getpid()}; + int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, -1}; #elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, getpid()}; #elif defined __NetBSD__ 
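Review bot: The new `if (TyOp0->isArrayTy() || TyOp0->isVectorTy()) { continue; }` in simplifyCompares carries no comment saying why aggregate and vector operand types are skipped; the subject line is the only hint that the split logic further down handles scalar floats only. Testing TyOp0 alone is enough here because the preceding `if (TyOp0 != TyOp1) { continue; }` already guarantees both operand types are identical. Suggest `/* only scalar fcmp are split below; vector/array compares are left untouched */` above the new line, worded as a presumption since the splitting code itself is outside this hunk. simplifyCompares continues past the hunk.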
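Review bot: The FreeBSD `mib[]` initialiser in __tokencap_load_mappings now ends in the bare literal `-1` while the OpenBSD and NetBSD branches beside it still call getpid(), and nothing in the hunk says what -1 denotes. Whether kern.proc.vmmap accepts -1 as "the calling process" is not visible here and should be confirmed against the FreeBSD sysctl documentation; if it does not, the mapping table presumably stays empty and every later read-only check silently fails rather than erroring. Suggest `/* -1 == current process; getpid() is avoided because this can run from the getenv() path */` on that line, which records the rationale from the commit message. __tokencap_load_mappings continues on the next physical line.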
@@ -134,9 +134,7 @@ static void __tokencap_load_mappings(void) { #endif buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); - if (!buf) { - return; - } + if (buf == MAP_FAILED) return; if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) { @@ -354,6 +352,28 @@ int memcmp(const void* mem1, const void* mem2, size_t len) { } +#undef bcmp + +int bcmp(const void* mem1, const void* mem2, size_t len) { + + if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); + if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); + + const char *strmem1 = (const char *)mem1; + const char *strmem2 = (const char *)mem2; + + while (len--) { + + int diff = *strmem1 ^ *strmem2; + if (diff != 0) return 1; + strmem1++; + strmem2++; + + } + + return 0; +} + #undef strstr char* strstr(const char* haystack, const char* needle) { diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index a7f6acdc..1acf8856 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -273,6 +273,9 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-bcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; } diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 740442dc..e0706a5f 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -320,6 +320,7 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-bcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; -- cgit 1.4.1 From 16953b5cfa040c886d0edfbf2f4da478c3e6014d Mon Sep 17 00:00:00 2001 
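Review bot: The new bcmp interceptor in libtokencap.so.c has no comment on why it exists, and the reason is not obvious from the code: compilers rewrite `memcmp(a, b, n) == 0` into a bcmp call, so without this interposer (and the `-fno-builtin-bcmp` flag the afl-clang-fast.c and afl-gcc.c hunks add) equality compares would bypass token capture entirely. Suggest `/* gcc/clang lower memcmp(a,b,n)==0 to bcmp, so bcmp needs the same dump hooks as memcmp */` above `#undef bcmp`. In __tokencap_load_mappings the `buf == MAP_FAILED` test is the correct check, but the `sysctl(...) == -1` branch that follows is cut off by the hunk; confirm it munmap()s buf before returning, otherwise the anonymous mapping leaks on that path.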
From: David Carlier Date: Wed, 30 Oct 2019 17:04:43 +0000 Subject: LLVM mode passing the full path of the LLVM config bindir. On FreeBSD the system compiler does not have llvm-config however system packages provides several version of the LLVM toolchain thus forcing to pass AFL_CC/AFL_CXX to make it work fully. --- llvm_mode/Makefile | 2 +- llvm_mode/afl-clang-fast.c | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index 7cfbe92d..033babac 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -52,7 +52,7 @@ endif CFLAGS ?= -O3 -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I ../include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ - -DVERSION=\"$(VERSION)\" + -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" ifdef AFL_TRACE_PC CFLAGS += -DUSE_TRACE_PC=1 endif diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 1acf8856..e92fb76f 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -32,11 +32,13 @@ #include #include #include +#include #include static u8* obj_path; /* Path to runtime libraries */ static u8** cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ +static u8 llvm_fullpath[PATH_MAX]; /* Try to find the runtime libraries. If that fails, abort. */ @@ -117,12 +119,14 @@ static void edit_params(u32 argc, char** argv) { if (!strcmp(name, "afl-clang-fast++")) { u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; + snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath; } else { u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; + snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); + cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath; } -- cgit 1.4.1 
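Review bot: With `LLVM_BINDIR` expanding to an empty string (the Makefile hunk passes `$(LLVM_BINDIR)` through -D and its definition is outside this view), `snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR)` in edit_params yields the absolute path "/clang++", so a build without llvm-config would try to exec a compiler at the filesystem root instead of the PATH lookup the removed `(u8*)"clang++"` relied on; the follow-up commit 070ccae4 on this page adds a length guard for exactly this case. The added `#include` has lost its header name in this rendering; `PATH_MAX` for the new `llvm_fullpath` buffer comes from <limits.h>, so confirm that is the header being added. edit_params continues outside the hunk.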
From 070ccae4dd04c5315bf1daba8ee35202b4f30264 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 31 Oct 2019 09:25:43 +0000 Subject: Little tweaks --- llvm_mode/afl-clang-fast.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index e92fb76f..b2243492 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -38,7 +38,7 @@ static u8* obj_path; /* Path to runtime libraries */ static u8** cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ -static u8 llvm_fullpath[PATH_MAX]; +static u8 llvm_fullpath[PATH_MAX]; /* Try to find the runtime libraries. If that fails, abort. */ @@ -106,6 +106,7 @@ static void find_obj(u8* argv0) { static void edit_params(u32 argc, char** argv) { u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0; + u8 has_llvm_config = 0; u8* name; cc_params = ck_alloc((argc + 128) * sizeof(u8*)); @@ -116,16 +117,20 @@ static void edit_params(u32 argc, char** argv) { else ++name; + has_llvm_config = (strlen(LLVM_BINDIR) > 0); + if (!strcmp(name, "afl-clang-fast++")) { u8* alt_cxx = getenv("AFL_CXX"); - snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR); + if (has_llvm_config) snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR); + else sprintf(llvm_fullpath, "clang++"); cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath; } else { u8* alt_cc = getenv("AFL_CC"); - snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); + if (has_llvm_config) snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); + else sprintf(llvm_fullpath, "clang"); cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath; } -- cgit 1.4.1 From 7fdc7e01a5889fba365b8b841ba19602e26b5bd7 Mon Sep 17 00:00:00 2001 
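Review bot: The fallback branches `else sprintf(llvm_fullpath, "clang++");` and `else sprintf(llvm_fullpath, "clang");` in edit_params use unbounded sprintf right next to the bounded snprintf they pair with; the literals cannot overflow PATH_MAX today, but mixing the two invites a later edit to grow the string without a bound. Each pair collapses to a single bounded call, e.g. `snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s%s", has_llvm_config ? LLVM_BINDIR "/" : "", "clang++");` (LLVM_BINDIR arrives as a string literal via -D, so adjacent-literal concatenation is valid). `has_llvm_config = (strlen(LLVM_BINDIR) > 0);` evaluates a literal at run time and the name overstates what is tested — the bindir is non-empty, not that llvm-config was found; `LLVM_BINDIR[0] != '\0'` says the same more plainly. edit_params continues outside the hunk.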
From: David Carlier Date: Thu, 31 Oct 2019 11:39:08 +0000 Subject: Fix some silent warnings and put some var to some usage... --- llvm_mode/LLVMInsTrim.so.cc | 15 +++++++++------ llvm_mode/afl-llvm-pass.so.cc | 2 ++ llvm_mode/compare-transform-pass.so.cc | 4 ++++ 3 files changed, 15 insertions(+), 6 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 4b5597e2..89738812 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -158,6 +158,7 @@ struct InsTrim : public ModulePass { bool instrumentBlock = false; DebugLoc Loc; StringRef instFilename; + unsigned int instLine = 0; for (auto &BB : F) { @@ -171,7 +172,7 @@ struct InsTrim : public ModulePass { DILocation *cDILoc = dyn_cast(Loc.getAsMDNode()); - unsigned int instLine = cDILoc->getLine(); + instLine = cDILoc->getLine(); instFilename = cDILoc->getFilename(); if (instFilename.str().empty()) { @@ -217,11 +218,13 @@ struct InsTrim : public ModulePass { * not whitelisted, so we skip instrumentation. */ if (!instrumentBlock) { - if (!instFilename.str().empty()) - SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s ...\n", - instFilename.str().c_str()); - else - SAYF(cYEL "[!] " cBRI "No filename information found, skipping it"); + if (!be_quiet) { + if (!instFilename.str().empty()) + SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s line %u...\n", + instFilename.str().c_str(), instLine); + else + SAYF(cYEL "[!] " cBRI "No filename information found, skipping it"); + } continue; } diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index e094a0b2..0c68136b 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -190,6 +190,8 @@ bool AFLCoverage::runOnModule(Module &M) { } + (void)instLine; + /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { 
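Review bot: In the LLVMInsTrim.so.cc hunk at -171, `instLine = cDILoc->getLine();` still dereferences `cDILoc` immediately after the dyn_cast on the preceding line, which returns null when the node is not a DILocation (the template argument is lost in this rendering); since the commit rewrites this line, it is the place to add `if (!cDILoc) continue;` ahead of the getLine/getFilename calls. In the hunk at -217 the second message `"No filename information found, skipping it"` lacks the trailing `\n` its sibling carries, so consecutive skip notices run together on one terminal line. The new `be_quiet` gate is declared outside this hunk; confirm it is the same flag the other passes honour. The enclosing function in struct InsTrim starts and ends outside these hunks.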
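Review bot: In afl-llvm-pass.so.cc the added `(void)instLine;` silences the unused-variable warning rather than resolving it, which leaves a value that is computed and never read in AFLCoverage::runOnModule. Either drop the variable, or report it in the skip diagnostic the way the LLVMInsTrim.so.cc hunk in this same commit does with `line %u`, so the two passes stay consistent. The surrounding function is outside the hunk, so where instLine is assigned cannot be checked from here.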
diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index e1b6e671..0ccce875 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -234,6 +234,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, ConstantInt *ilen = dyn_cast(op2); sizedLen = ilen->getZExtValue(); + } else { + + sizedLen = 0; + } if (HasStr1) { -- cgit 1.4.1
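Review bot: The new `else { sizedLen = 0; }` in transformCmps gives the non-constant-length case the same value as a genuine zero-length compare, so any later `sizedLen == 0` or `!sizedLen` test cannot distinguish "length unknown" from "compare zero bytes"; the condition selecting this branch and every consumer of sizedLen are outside the hunk, so confirm they treat 0 as "not a sized compare". A comment such as `/* 0 == length not a compile-time constant */` on the new line would at least make the intent explicit. The context lines directly above dereference `ilen` straight after its dyn_cast (template argument lost in this rendering); if the enclosing if does not already test for a ConstantInt, a null check belongs there too, though that condition lies outside the hunk.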