author | Nguyễn Gia Phong <cnx@loang.net> | 2025-02-03 00:26:15 +0900 |
---|---|---|
committer | Nguyễn Gia Phong <cnx@loang.net> | 2025-02-03 00:26:15 +0900 |
commit | 5ce1c28bc194557638c7277e3461c6e1a2bfad6e (patch) | |
tree | 9e998ff77e368ab6d134ae0a113b4e1082b8d3fc | |
parent | e45e422b3e472ec2f8151d5e24312027843dd881 (diff) | |
download | taosc-5ce1c28bc194557638c7277e3461c6e1a2bfad6e.tar.gz |
Add draft for dynamic lib patcher
-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | fix-lib.m4 | 54 |
2 files changed, 58 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index 92cefaf..19f3d6b 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ PREFIX ?= /usr/local
 BIN_PREFIX ::= $(DESTDIR)$(PREFIX)/bin/taosc-
 DATA_DIR ::= $(DESTDIR)$(PREFIX)/share/taosc
-BIN ::= fix scout synth
+BIN ::= fix fix-lib scout synth
 DATA ::= collect patch
 all: $(BIN) $(DATA)
@@ -19,6 +19,9 @@ clean:
 fix: fix.m4
 	m4 -D DATA_DIR=$(DATA_DIR) $< > $@
+fix-lib: fix-lib.m4
+	m4 -D DATA_DIR=$(DATA_DIR) $< > $@
+
 synth: synth.py
 	link $< $@
diff --git a/fix-lib.m4 b/fix-lib.m4
new file mode 100644
index 0000000..3d9216a
--- /dev/null
+++ b/fix-lib.m4
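Review bot: The new `fix-lib` rule repeats the `fix` recipe verbatim; a static pattern rule `fix fix-lib: %: %.m4` with the single recipe `m4 -D DATA_DIR=$(DATA_DIR) $< > $@` keeps the two generated scripts in lockstep as more patchers are added. The redirect form also leaves a truncated, newer-than-source `$@` behind when m4 fails, which a later `make` treats as up to date unless the top of the file (outside this hunk) declares `.DELETE_ON_ERROR:`. Note too that `DATA_DIR` is defined as `$(DESTDIR)$(PREFIX)/share/taosc`, so a packaging build that sets `DESTDIR` bakes the staging path into the installed script's `pushd DATA_DIR`; the preprocessor define should use the runtime path, e.g. `m4 -D DATA_DIR=$(PREFIX)/share/taosc`, while `DESTDIR` stays confined to the install step.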
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Patcher for dynamically linked library
+# Copyright (C) 2025 Nguyễn Gia Phong
+#
+# This file is part of taosc.
+#
+# Taosc is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Taosc is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with taosc. If not, see <https://www.gnu.org/licenses/>.
+
+set -ex
+if test $# -lt 4
+then
+	echo Usage: taosc-fix-lib executable library address workdir option...
+	exit 1
+fi
+binary="$(realpath $1)"
+library="$(realpath $2)"
+lib="$(basename $library)"
+address="$3"
+wd="$(realpath $4)"
+bin="$wd/$(basename $binary)"
+opts="${@:5}"
+
+afl-dyninst --library="$library" -x "$binary" "$bin.fuzzee"
+pushd DATA_DIR > /dev/null
+trap 'popd > /dev/null' EXIT
+mkdir -p "$wd/collect"
+e9tool -M false -P 'log(state)@collect' -o "$bin.collect" "$binary"
+e9tool -M addr=$address -P 'log(state)@collect'\
+	-o "$wd/collect/$lib" --shared "$library"
+mkdir -p "$wd/patched"
+e9tool -M addr=$address -P 'if dest(state)@patch goto'\
+	-o "$wd/patched/$lib" --shared "$library"
+
+# TODO: augment number of executions
+afl-dyninst-env afl-fuzz -i "$wd/fuzz/exploits" -o "$wd/fuzz/crashes"\
+	-CE 10000 -- "$bin.fuzzee" $opts @@
+# TODO: use patchelf
+find "$wd/fuzz/crashes/default/crashes" -name id:* | parallel\
+	LD_LIBRARY_PATH="$wd/collect" TAOSC_OUTPUT="$wd/vars/neg/"'$(basename {})'\
+	"$bin.collect" $opts {} || true
+taosc-synth "$wd/vars" > "$wd/predicates"
+taosc-scout "$library" "$address" > "$wd/destinations"
+# vim: filetype=sh.m4
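Review bot: The script declares `#!/bin/sh` but depends on bash-only features — `opts="${@:5}"` and `pushd`/`popd` — so on systems where sh is dash it dies with "Bad substitution" at the `opts=` line before any tool runs; either change the shebang to `#!/bin/bash` or use `shift 4` and pass `"$@"` (flattening the options into one string also drops argument boundaries, so any option containing whitespace is re-split at both the afl-fuzz and parallel call sites). The positional arguments are expanded unquoted in `realpath $1`, `realpath $2`, `basename $library` and `basename $binary`, so a path with spaces or glob characters is mangled; quote them as shown below. After `pushd DATA_DIR` the working directory is the data dir, and the unquoted `-name id:*` is globbed there by the shell before find sees it, so it needs single quotes. The trailing `|| true` on the parallel pipeline hides every failure of the collect run, including a missing `$wd/vars/neg/` directory (no `mkdir -p` for it appears in the hunk, unlike `collect` and `patched`), so the later `taosc-synth` may run on empty or partial data; consider creating the directory up front and letting a non-zero exit from parallel stop the script under `set -e`.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: usage check …
binary="$(realpath "$1")"
library="$(realpath "$2")"
lib="$(basename "$library")"
address="$3"
wd="$(realpath "$4")"
bin="$wd/$(basename "$binary")"
shift 4   # remaining arguments are the target's options; use "$@" below instead of $opts
# … unchanged: afl-dyninst, e9tool instrumentation, afl-fuzz (with "$@" in place of $opts) …
mkdir -p "$wd/vars/neg"
find "$wd/fuzz/crashes/default/crashes" -name 'id:*' | parallel \
	LD_LIBRARY_PATH="$wd/collect" TAOSC_OUTPUT="$wd/vars/neg/"'$(basename {})' \
	"$bin.collect" "$@" {}
# … unchanged: taosc-synth, taosc-scout …
```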