path: root/fix-lib.m4

#!/bin/sh
# Patcher for dynamically linked library
# Copyright (C) 2025  Nguyễn Gia Phong
#
# This file is part of taosc.
#
# Taosc is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Taosc is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with taosc.  If not, see <https://www.gnu.org/licenses/>.

set -ex
if test $# -lt 4
then
  echo Usage: taosc-fix-lib executable library address workdir option...
  exit 1
fi
binary="$(realpath $1)"
library="$(realpath $2)"
lib="$(basename $library)"
address="$3"
wd="$(realpath $4)"
bin="$wd/$(basename $binary)"
opts="${@:5}"

afl-dyninst --library="$library" -x "$binary" "$bin.fuzzee"
pushd DATA_DIR > /dev/null
trap 'popd > /dev/null' EXIT
mkdir -p "$wd/collect"
e9tool -M false -P 'log(state)@collect' -o "$bin.collect" "$binary"
e9tool -M addr=$address -P 'log(state)@collect'\
  -o "$wd/collect/$lib" --shared "$library"
mkdir -p "$wd/patched"
e9tool -M addr=$address -P 'if dest(state)@patch goto'\
  -o "$wd/patched/$lib" --shared "$library"

# TODO: augment number of executions
afl-dyninst-env afl-fuzz -i "$wd/fuzz/exploits" -o "$wd/fuzz/crashes"\
  -CE 10000 -- "$bin.fuzzee" $opts @@
# TODO: use patchelf
find "$wd/fuzz/crashes/default/crashes" -name id:* | parallel\
  LD_LIBRARY_PATH="$wd/collect" TAOSC_OUTPUT="$wd/vars/neg/"'$(basename {})'\
  "$bin.collect" $opts {} || true
taosc-synth "$wd/vars" > "$wd/predicates"
taosc-scout "$library" "$address" > "$wd/destinations"
# vim: filetype=sh.m4