| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
 | #include <errno.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include "frida-gum.h"
#include "debug.h"
#include "prefetch.h"
#include "stalker.h"
#define TRUST 0
#define PREFETCH_SIZE 65536
#define PREFETCH_ENTRIES ((PREFETCH_SIZE - sizeof(size_t)) / sizeof(void *))
typedef struct {
  size_t count;
  void * entry[PREFETCH_ENTRIES];
} prefetch_data_t;
static prefetch_data_t *prefetch_data = NULL;
static int prefetch_shm_id = -1;
/*
 * We do this from the transformer since we need one anyway for coverage, this
 * saves the need to use an event sink.
 */
void prefetch_write(void *addr) {
  /* Bail if we aren't initialized */
  if (prefetch_data == NULL) return;
  /*
   * Our shared memory IPC is large enough for about 1000 entries, we can fine
   * tune this if we need to. But if we have more new blocks that this in a
   * single run then we ignore them and we'll pick them up next time.
   */
  if (prefetch_data->count >= PREFETCH_ENTRIES) return;
  /*
   * Write the block address to the SHM IPC and increment the number of entries.
   */
  prefetch_data->entry[prefetch_data->count] = addr;
  prefetch_data->count++;
}
/*
 * Read the IPC region one block at the time and prefetch it
 */
void prefetch_read(void) {
  GumStalker *stalker = stalker_get();
  if (prefetch_data == NULL) return;
  for (size_t i = 0; i < prefetch_data->count; i++) {
    void *addr = prefetch_data->entry[i];
    gum_stalker_prefetch(stalker, addr, 1);
  }
  /*
   * Reset the entry count to indicate we have finished with it and it can be
   * refilled by the child.
   */
  prefetch_data->count = 0;
}
void prefetch_init(void) {
  g_assert_cmpint(sizeof(prefetch_data_t), ==, PREFETCH_SIZE);
  gboolean prefetch = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL);
  OKF("Instrumentation - prefetch [%c]", prefetch ? 'X' : ' ');
  if (!prefetch) { return; }
  /*
   * Make our shared memory, we can attach before we fork, just like AFL does
   * with the coverage bitmap region and fork will take care of ensuring both
   * the parent and child see the same consistent memory region.
   */
  prefetch_shm_id =
      shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600);
  if (prefetch_shm_id < 0) {
    FATAL("prefetch_shm_id < 0 - errno: %d\n", errno);
  }
  prefetch_data = shmat(prefetch_shm_id, NULL, 0);
  g_assert(prefetch_data != MAP_FAILED);
  /*
   * Configure the shared memory region to be removed once the process dies.
   */
  if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) {
    FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
  }
  /* Clear it, not sure it's necessary, just seems like good practice */
  memset(prefetch_data, '\0', sizeof(prefetch_data_t));
}
 |