From 281cd47c154e7cd642e76482f5f07e9f1584c561 Mon Sep 17 00:00:00 2001
From: realmadsci <71108352+realmadsci@users.noreply.github.com>
Date: Fri, 12 Mar 2021 14:46:49 -0500
Subject: libqasan: Add checks for read() and write()

---
 qemu_mode/libqasan/hooks.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'qemu_mode')

diff --git a/qemu_mode/libqasan/hooks.c b/qemu_mode/libqasan/hooks.c
index 9c406c74..0e6c3e08 100644
--- a/qemu_mode/libqasan/hooks.c
+++ b/qemu_mode/libqasan/hooks.c
@@ -51,6 +51,7 @@ ssize_t write(int fd, const void *buf, size_t count) {
 void *rtv = __builtin_return_address(0);
 QASAN_DEBUG("%14p: write(%d, %p, %zu)\n", rtv, fd, buf, count);
+ QASAN_LOAD(buf, count);
 ssize_t r = __lq_libc_write(fd, buf, count);
 QASAN_DEBUG("\t\t = %zd\n", r);
@@ -63,6 +64,7 @@ ssize_t read(int fd, void *buf, size_t count) {
 void *rtv = __builtin_return_address(0);
 QASAN_DEBUG("%14p: read(%d, %p, %zu)\n", rtv, fd, buf, count);
+ QASAN_STORE(buf, count);
 ssize_t r = __lq_libc_read(fd, buf, count);
 QASAN_DEBUG("\t\t = %zd\n", r);
-- cgit 1.4.1
From 96574854b34b42650190648014c7ca673cfd31ce Mon Sep 17 00:00:00 2001
From: realmadsci <71108352+realmadsci@users.noreply.github.com>
Date: Thu, 4 Mar 2021 13:33:06 -0500
Subject: libqasan/malloc: Additional pointer checks

Add checks to free() and malloc_usable_size() to verify (sort of) that the pointers are actually pointing at valid allocated memory before dereferencing them and using the chunk_begin struct info. This will catch use-after-free and wildly bad pointers a little bit earlier.
---
 qemu_mode/libqasan/malloc.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'qemu_mode')

diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c
index 5a2d2a0c..6fe6fc8c 100644
--- a/qemu_mode/libqasan/malloc.c
+++ b/qemu_mode/libqasan/malloc.c
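Review bot: The added `QASAN_LOAD(buf, count)` in write() and `QASAN_STORE(buf, count)` in read() validate the whole caller-supplied `count` before the real call, which is stricter than the sanitizer_common interceptors that, as far as I recall, check only the transferred length (`res`) after the call; a program that deliberately passes an oversized `count` and relies on a short read into a smaller buffer is reported here but not under native ASan. That is defensible — POSIX requires the buffer to hold `count` bytes, and checking before the syscall reports the bad pointer before the kernel writes through it — but the choice should be recorded in the code, e.g. `// whole count checked up front: a bad buffer is reported before the kernel touches it`. The same point applies to both hooks.c hunks; write() and read() begin and end outside their hunks.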
@@ -159,6 +159,9 @@ size_t __libqasan_malloc_usable_size(void *ptr) {
 char *p = ptr;
 p -= sizeof(struct chunk_begin);
+ // Validate that the chunk marker is readable (a crude check
+ // to verify that ptr is a valid malloc region before we dereference it)
+ QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
 return ((struct chunk_begin *)p)->requested_size;
 }
@@ -225,6 +228,9 @@ void __libqasan_free(void *ptr) {
 struct chunk_begin *p = ptr;
 p -= 1;
+ // Validate that the chunk marker is readable (a crude check
+ // to verify that ptr is a valid malloc region before we dereference it)
+ QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
 size_t n = p->requested_size;
 QASAN_STORE(ptr, n);
-- cgit 1.4.1
From 4e567d3f5d22ae14bffc17cc8d475959d5fcfc21 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Tue, 16 Mar 2021 15:38:45 +0100
Subject: update qemuafl

---
 qemu_mode/QEMUAFL_VERSION | 2 +-
 qemu_mode/qemuafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'qemu_mode')

diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index a7f25da3..68290650 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-d1ca56b84e
+0fb212daab
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index d1ca56b8..0fb212da 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit d1ca56b84e78f821406eef28d836918edfc8d610
+Subproject commit 0fb212daab492411b3e323bc18a3074c1aecfd37
-- cgit 1.4.1
From f5420e737a1ed1dbeb81783836d0449c06aa0fcc Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 16 Mar 2021 16:15:29 +0100
Subject: rtn fix

---
 docs/Changelog.md | 2 +-
 instrumentation/afl-compiler-rt.o.c | 23 ++++++++++++-----------
 qemu_mode/qemuafl | 2 +-
 3 files changed, 14 insertions(+), 13 deletions(-)
(limited to 'qemu_mode')

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8222f942..9aea3638 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
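Review bot: The probe length `sizeof(struct chunk_begin) - REDZONE_SIZE` in both added `QASAN_LOAD` calls silently encodes the assumption that the redzone is the trailing member of `struct chunk_begin` and is exactly `REDZONE_SIZE` bytes; if the struct is ever reordered or padded, the check either stops short of the header fields or reads into the poisoned redzone and reports a false positive. Expressing it as `offsetof` of the redzone member, or as a named constant (say `CHUNK_HDR_SIZE`) backed by a `_Static_assert` against the struct layout, documents the intent and removes the duplication between `__libqasan_malloc_usable_size` and `__libqasan_free`, whose identical two-line comment is repeated verbatim in both hunks. Whether a freed chunk actually trips this check — the commit message promises earlier use-after-free detection — depends on the header region being poisoned on free, which these hunks do not show, so a double-free test case is worth adding. Both functions begin before their hunk, and `__libqasan_free` also continues past it.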
@@ -9,7 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to .
 ### Version ++3.12a (dev)
- - ...
+ - fix cmplog rtn (rare crash and not being able to gather ptr data)
 ### Version ++3.11c (release)
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 50b4e2c5..892118fb 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1734,25 +1734,26 @@ static int area_is_valid(void *ptr, size_t len) {
 long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len);
- if (unlikely(r <= 0 || r > len)) { // fail - maybe hitting asan boundary?
+ if (r <= 0 || r > len) return 0;
- char *p = (char *)ptr;
- long page_size = sysconf(_SC_PAGE_SIZE);
- char *page = (char *)((uintptr_t)p & ~(page_size - 1)) + page_size;
- if (page >= p + len) { return 0; } // no isnt, return fail
- len = page - p - len;
- r = syscall(SYS_write, __afl_dummy_fd[1], page, len);
+ // even if the write succeed this can be a false positive if we cross
+ // a page boundary. who knows why.
- }
+ char *p = (char *)ptr;
+ long page_size = sysconf(_SC_PAGE_SIZE);
+ char *page = (char *)((uintptr_t)p & ~(page_size - 1)) + page_size;
- // partial writes - we return what was written.
- if (likely(r >= 0 && r <= len)) {
+ if (page > p + len) {
+ // no, not crossing a page boundary
 return (int)r;
 } else {
- return 0;
+ // yes it crosses a boundary, hence we can only return the length of
+ // rest of the first page, we cannot detect if the next page is valid
+ // or not, neither by SYS_write nor msync() :-(
+ return (int)(page - p);
 }
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index 0fb212da..d1ca56b8 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit 0fb212daab492411b3e323bc18a3074c1aecfd37
+Subproject commit d1ca56b84e78f821406eef28d836918edfc8d610
-- cgit 1.4.1
From 65e3770badc154788a8c9a9c16c1c2a0ebed833f Mon Sep 17 00:00:00 2001
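Review bot: In the new page-crossing branch, `return (int)(page - p);` can exceed the number of bytes the kernel actually accepted: the guard above only guarantees `0 < r <= len`, so on a partial write with `r < page - p` (a nearly full pipe, for instance) the function vouches for bytes that were never validated, whereas the old code returned what was written. Returning the smaller of the two, `return (int)(r < page - p ? r : page - p);`, keeps the page truncation while preserving the partial-write contract. Two smaller points in the same hunk: `if (r <= 0 || r > len) return 0;` compares `long` with `size_t` and drops the braces the rest of the file uses, and `sysconf(_SC_PAGE_SIZE)` is now called on every invocation instead of only on the failure path, so caching it in a static would be free. `area_is_valid` begins and ends outside the hunk. Separately, this commit also moves the `qemu_mode/qemuafl` submodule from 0fb212da back to d1ca56b8, which the subject ('rtn fix') does not mention and the next commit (65e3770) reverts, and the last commit on this page (2b3642a, 'v3.12c ready to go') again pins it to 0fb212da right after two same-day updates to ddc4a974 — both look like stale local checkouts committed by accident, and the pointer shipped with the release is worth confirming.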
From: Andrea Fioraldi
Date: Tue, 16 Mar 2021 16:32:35 +0100
Subject: qemuafl

---
 qemu_mode/qemuafl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'qemu_mode')

diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index d1ca56b8..0fb212da 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit d1ca56b84e78f821406eef28d836918edfc8d610
+Subproject commit 0fb212daab492411b3e323bc18a3074c1aecfd37
-- cgit 1.4.1
From 82554677a812470ccebae7f1e7c76e11aed82eaf Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Wed, 24 Mar 2021 11:00:13 +0100
Subject: update qemuafl

---
 qemu_mode/QEMUAFL_VERSION | 2 +-
 qemu_mode/qemuafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'qemu_mode')

diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 68290650..b541116b 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-0fb212daab
+d6ff420165
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index 0fb212da..d6ff4201 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit 0fb212daab492411b3e323bc18a3074c1aecfd37
+Subproject commit d6ff420165aca12996d4b307b4641445048f0e71
-- cgit 1.4.1
From a908a982254305777a3ea4dadf70120089b4ddf4 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Wed, 24 Mar 2021 11:06:02 +0100
Subject: update qemuafl

---
 qemu_mode/QEMUAFL_VERSION | 2 +-
 qemu_mode/qemuafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'qemu_mode')

diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index b541116b..8d95c359 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-d6ff420165
+ddc4a9748d
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index d6ff4201..ddc4a974 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit d6ff420165aca12996d4b307b4641445048f0e71
+Subproject commit ddc4a9748d59857753fb33c30a356f354595f36d
-- cgit 1.4.1
From 2b3642aa39fc79b5fd394120f0fadf4476d4476e Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 24 Mar 2021 11:13:16 +0100
Subject: v3.12c ready to go

---
 docs/Changelog.md | 1 +
 qemu_mode/qemuafl | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
(limited to 'qemu_mode')

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 476c6f4e..5b7d6ab6 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -13,6 +13,7 @@ sending a mail to .
 - added AFL_TARGET_ENV variable to pass extra env vars to the target
 (for things like LD_LIBRARY_PATH)
 - fix map detection, AFL_MAP_SIZE not needed anymore for most cases
+ - fix counting favorites (just a display thing)
 - afl-cc:
 - fix cmplog rtn (rare crash and not being able to gather ptr data)
 - fix our own PCGUARD implementation to compile with llvm 10.0.1
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index ddc4a974..0fb212da 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit ddc4a9748d59857753fb33c30a356f354595f36d
+Subproject commit 0fb212daab492411b3e323bc18a3074c1aecfd37
-- cgit 1.4.1