summary refs log tree commit diff
path: root/fix.m4
blob: 4647d005ad623f390b842ddb306854766b0a10f2 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/bin/sh
# Patcher
# Copyright (C) 2024  Nguyễn Gia Phong
#
# This file is part of taosc.
#
# Taosc is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Taosc is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with taosc.  If not, see <https://www.gnu.org/licenses/>.

set -ex
if test $# -ne 3
then
  echo Usage: taosc-fix binary address workdir
  exit 1
fi
binary="$(realpath $1)"
address="$2"
wd="$(realpath $3)"
bin="$wd/$(basename $binary)"

afl-dyninst -x "$binary" "$bin.fuzzee"
pushd DATA_DIR > /dev/null
trap 'popd > /dev/null' EXIT
e9tool -M addr=$address -P 'log(state)@collect'\
  -o "$bin.collect" "$binary"
e9tool -M addr=$address -P 'if dest(state)@patch goto'\
  -o "$bin.patched" "$binary"

# TODO: augment number of executions
afl-dyninst-env afl-fuzz -i "$wd/fuzz/exploits" -o "$wd/fuzz/crashes"\
  -CE 10000 -- "$bin.fuzzee" -d @@
find "$wd/fuzz/crashes/default/crashes" -name id:* |
  parallel TAOSC_OUTPUT="$wd/vars/neg/"'$(basename {})' "$bin.collect" -d {}
time taosc-synth "$wd/vars" > "$wd/predicates"
taosc-scout "$binary" "$address" > "$wd/destinations"

# TAOSC_PREDICATE=">=v15p0" TAOSC_DESTINATION=0x "$bin.patched" -d @@
# vim: filetype=sh.m4