From 6b40189045645938098772260ecda1c0bcbf6467 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Thu, 12 Sep 2019 12:34:53 +0200
Subject: first version of persistent QEMU
---
 qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 27 +++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
(limited to 'qemu_mode/patches/afl-qemu-cpu-translate-inl.h')
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index 3d3c1b6b..878518a7 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -35,15 +35,6 @@
 #include "tcg.h"
 #include "tcg-op.h"
-/* Declared in afl-qemu-cpu-inl.h */
-extern unsigned char *afl_area_ptr;
-extern unsigned int afl_inst_rms;
-extern abi_ulong afl_start_code, afl_end_code;
-extern u8 afl_compcov_level;
-void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc,
- TCGv_i64 arg1, TCGv_i64 arg2);
 static void afl_compcov_log_16(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) {
@@ -137,3 +128,21 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
 }
+#define AFL_QEMU_TARGET_i386_SNIPPET \
+ if (is_persistent) { \
+ \
+ if (s->pc == afl_persistent_addr) { \
+ \
+ fprintf(stderr, " IN TRANSLATING %p!\n", s->pc); \
+ tcg_gen_afl_call0(&afl_persistent_loop); \
+ \
+ } else if (s->pc == afl_persistent_ret_addr) { \
+ \
+ fprintf(stderr, " IN TRANSLATING RET %p!\n", s->pc); \
+ gen_jmp_im(s, afl_persistent_addr); \
+ gen_eob(s); \
+ \
+ } \
+ \
+ }
+
-- cgit 1.4.1
From 95b641198e512bdaf3f8c142d5f6d58495d527a8 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Thu, 12 Sep 2019 13:02:21 +0200
Subject: remove debug print
---
 qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 2 --
 1 file changed, 2 deletions(-)
(limited to 'qemu_mode/patches/afl-qemu-cpu-translate-inl.h')
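Review bot: AFL_QEMU_TARGET_i386_SNIPPET is introduced without a comment saying where it is meant to be expanded or what it assumes about `s`; from the gen_jmp_im(s, …) and gen_eob(s) calls it appears to target the i386 translator with `s` as the DisasContext, but a reader of this header cannot confirm that. Suggest a comment above the #define along the lines of `/* Expanded by the i386 translator before each instruction (expects DisasContext *s): at afl_persistent_addr emit a helper call to afl_persistent_loop(); at afl_persistent_ret_addr emit a jump back to afl_persistent_addr and end the TB. */`. The two trace lines pass the integer `s->pc` to `%p`, which expects a pointer; the following commit on this page drops them, so only the comment is needed here.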
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index 878518a7..fe1b26b8 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -133,12 +133,10 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
 \
 if (s->pc == afl_persistent_addr) { \
 \
- fprintf(stderr, " IN TRANSLATING %p!\n", s->pc); \
 tcg_gen_afl_call0(&afl_persistent_loop); \
 \
 } else if (s->pc == afl_persistent_ret_addr) { \
 \
- fprintf(stderr, " IN TRANSLATING RET %p!\n", s->pc); \
 gen_jmp_im(s, afl_persistent_addr); \
 gen_eob(s); \
 \
-- cgit 1.4.1
From 75d28813023c00144675eae7b75f4138ae9f317e Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Thu, 12 Sep 2019 16:57:17 +0200
Subject: ret addr patching
---
 include/alloc-inl.h | 34 ++++-----------------
 qemu_mode/libcompcov/compcovtest | Bin 0 -> 8624 bytes
 qemu_mode/patches/afl-qemu-common.h | 1 +
 qemu_mode/patches/afl-qemu-cpu-inl.h | 9 ++++--
 qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 39 ++++++++++++++++---------
 5 files changed, 37 insertions(+), 46 deletions(-)
 create mode 100755 qemu_mode/libcompcov/compcovtest
(limited to 'qemu_mode/patches/afl-qemu-cpu-translate-inl.h')
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index 814d8511..b0815ab1 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -106,44 +106,20 @@ \ } while (0) -/* -#define CHECK_PTR(_p) do { \ - \ - \ - \ - \ - \ +/* #define CHECK_PTR(_p) do { \ if (_p) { \ - \ - \ - \ - \ - \ if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ - \ - \ - \ - \ - \ if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ ABORT("Use after free."); \ else ABORT("Corrupted head alloc canary."); \ - \ + } \ - \ - \ - \ - \ + if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ ABORT("Corrupted tail alloc canary."); \ - \ + } \ - \ - \ - \ - \ - \ - \ + } while (0) */ 
diff --git a/qemu_mode/libcompcov/compcovtest b/qemu_mode/libcompcov/compcovtest
new file mode 100755
index 00000000..0bb68d60
Binary files /dev/null and b/qemu_mode/libcompcov/compcovtest differ
diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h
index f05dc05b..053585a7 100644
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@@ -57,6 +57,7 @@ extern abi_ulong afl_persistent_ret_addr;
 extern u8 afl_compcov_level;
 extern unsigned char afl_fork_child;
 extern unsigned char is_persistent;
+extern target_long persistent_stack_offset;
 extern __thread abi_ulong afl_prev_loc;
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 826167eb..2e685d8d 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -86,6 +86,7 @@ static int forkserver_installed = 0;
 unsigned char afl_fork_child;
 unsigned int afl_forksrv_pid;
 unsigned char is_persistent;
+target_long persistent_stack_offset;
 /* Instrumentation ratio: */
@@ -200,9 +201,10 @@ static void afl_setup(void) {
 if (is_persistent) {
 afl_persistent_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_ADDR"), NULL, 16);
- if (getenv("AFL_QEMU_PERSISTENT_RET") == NULL) exit(1);
- afl_persistent_ret_addr =
- strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16);
+ if (getenv("AFL_QEMU_PERSISTENT_RET"))
+ afl_persistent_ret_addr =
+ strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16);
+ /* If AFL_QEMU_PERSISTENT_RET is not specified patch the return addr */
 }
@@ -345,6 +347,7 @@ void afl_persistent_loop() {
 cycle_cnt = afl_persistent_cnt;
 first_pass = 0;
+ persistent_stack_offset = TARGET_LONG_BITS / 8;
 return;
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index fe1b26b8..cd5c21aa 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
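Review bot: The new AFL_QEMU_PERSISTENT_RET handling in afl_setup() accepts any string: strtoll() is called with a NULL end pointer, so a stray character or a non-hex value silently yields 0, and 0 is exactly the value the translate snippet in this commit treats as "patch the return address" mode, so a mistyped variable switches modes instead of failing. Read the variable once and reject leftover characters, as below; the trailing comment would also read better above the `if`, since it explains the branch that is not taken. afl_setup() begins and ends outside this hunk.
```c
    /* If AFL_QEMU_PERSISTENT_RET is not specified patch the return addr */
    const char *ret_env = getenv("AFL_QEMU_PERSISTENT_RET");
    if (ret_env) {
      char *end = NULL;
      afl_persistent_ret_addr = strtoll(ret_env, &end, 16);
      if (end == ret_env || *end != '\0') {
        fprintf(stderr, "AFL_QEMU_PERSISTENT_RET is not a hex address\n");
        exit(1);
      }
    }
```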
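Review bot: `persistent_stack_offset = TARGET_LONG_BITS / 8;` is set only on the first pass and the line does not say why that ordering matters: as far as the translate snippet in this commit shows, the entry block subtracts persistent_stack_offset from ESP, stores afl_persistent_addr at [ESP] and only then calls afl_persistent_loop(), so on the first pass the offset is still 0 and the caller's live return slot is overwritten in place, while every later pass (entered through a `ret` that already popped that slot) must push one slot back. A why-comment on the new line would spare the next reader that derivation: `/* 0 until now: the first pass overwrote the caller's return slot in place; from the next pass on the entry block re-pushes one slot, since ret popped it */`. afl_persistent_loop() starts before this hunk and continues after it.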
@@ -128,19 +128,30 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
 }
-#define AFL_QEMU_TARGET_i386_SNIPPET \
- if (is_persistent) { \
- \
- if (s->pc == afl_persistent_addr) { \
- \
- tcg_gen_afl_call0(&afl_persistent_loop); \
- \
- } else if (s->pc == afl_persistent_ret_addr) { \
- \
- gen_jmp_im(s, afl_persistent_addr); \
- gen_eob(s); \
- \
- } \
- \
+#define AFL_QEMU_TARGET_i386_SNIPPET \
+ if (is_persistent) { \
+ \
+ if (s->pc == afl_persistent_addr) { \
+ \
+ if (afl_persistent_ret_addr == 0) { \
+ \
+ TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \
+ TCGv stack_off = tcg_temp_new(); \
+ tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); \
+ tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); \
+ tcg_temp_free(stack_off); \
+ \
+ } \
+ TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
+ tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0); \
+ tcg_gen_afl_call0(&afl_persistent_loop); \
+ \
+ } else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \
+ \
+ gen_jmp_im(s, afl_persistent_addr); \
+ gen_eob(s); \
+ \
+ } \
+ \
 }
-- cgit 1.4.1
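Review bot: `tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0)` writes the return address with the host-pointer store (the form used for cpu_env fields) using a guest register as the base, and `paddr` is a TCGv_ptr built from a guest address; a write to the guest stack should go through the guest-memory path, `tcg_gen_qemu_st_tl` with the translator's mem_index, so that guest_base and the guest word size are honoured, and the value should be a `TCGv` made with `tcg_const_tl`. The constants `stack_off_ptr` and `paddr` are also never released with `tcg_temp_free_ptr`/`tcg_temp_free`, unlike `stack_off` two lines above. `MO_LEQ` below assumes a 64-bit guest; a 32-bit i386 guest needs the 32-bit memop, so the width should follow the target rather than be hard-coded. The first-pass behaviour (persistent_stack_offset is still 0 until afl_persistent_loop() runs, so the first entry overwrites the live return slot in place) deserves a comment on the `if (afl_persistent_ret_addr == 0)` block.
```c
      /* … unchanged: if (is_persistent) / if (s->pc == afl_persistent_addr) … */ \
      if (afl_persistent_ret_addr == 0) {                                   \
        /* offset is 0 on the first pass (slot overwritten in place), one   \
           word afterwards (ret already popped it) */                        \
        TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset);   \
        TCGv stack_off = tcg_temp_new();                                    \
        tcg_gen_ld_tl(stack_off, stack_off_ptr, 0);                         \
        tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off);        \
        tcg_temp_free(stack_off);                                           \
        tcg_temp_free_ptr(stack_off_ptr);                                   \
      }                                                                     \
      /* guest-memory store: honours guest_base; use the 32-bit memop on a  \
         32-bit guest */                                                     \
      TCGv paddr = tcg_const_tl(afl_persistent_addr);                       \
      tcg_gen_qemu_st_tl(paddr, cpu_regs[R_ESP], s->mem_index, MO_LEQ);     \
      tcg_temp_free(paddr);                                                 \
      tcg_gen_afl_call0(&afl_persistent_loop);                              \
      /* … unchanged: else-if afl_persistent_ret_addr branch … */            \
```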