Various fixes related to frida mode (#445)

* Fix lint errors

* Fix incorrect address for unfreed allocations when resetting

* Use hash for edge ids

* Fmt
This commit is contained in:
s1341 2022-01-03 11:41:52 +02:00 committed by GitHub
parent 9f6872ac68
commit 1608294d0b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 22 deletions


@ -292,13 +292,14 @@ impl Allocator {
self.allocations
.insert(metadata.address + self.page_size, metadata);
// println!("serving address: {:?}, size: {:x}", address, size);
//println!("serving address: {:?}, size: {:x}", address, size);
address
}
/// Releases the allocation at the given address.
#[allow(clippy::missing_safety_doc)]
pub unsafe fn release(&mut self, ptr: *mut c_void) {
//println!("freeing address: {:?}", ptr);
let mut metadata = if let Some(metadata) = self.allocations.get_mut(&(ptr as usize)) {
metadata
} else {
@ -379,7 +380,8 @@ impl Allocator {
}
for allocation in tmp_allocations {
self.allocations.insert(allocation.address, allocation);
self.allocations
.insert(allocation.address + self.page_size, allocation);
}
self.total_allocation_size = 0;
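Review bot: The map-key expression `allocation.address + self.page_size` in the rebuilt insert now duplicates the one used on the serving path above (`.insert(metadata.address + self.page_size, metadata)`), and the bug this commit fixes was exactly these two sites disagreeing; a comment at the new insert, `// key by the user-visible address (metadata address plus one page), same as the serving path`, or a small shared helper that returns that address, would keep them from drifting apart again. The `release` lookup keys on `ptr as usize`, so both insert sites must stay on the user-visible address or frees will miss their metadata. The function containing the second hunk starts outside the hunk, so I cannot see how `tmp_allocations` is built.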


@ -1084,7 +1084,7 @@ impl AsanRuntime {
{
index_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_S0 as u16;
}
fault_address += self.regs[index_reg as usize] as usize;
fault_address += self.regs[index_reg as usize];
}
let backtrace = Backtrace::new();
@ -2086,6 +2086,7 @@ impl AsanRuntime {
self.blob_check_mem_64bytes.as_ref().unwrap()
}
/// Determine if the instruction is 'interesting' for the purposes of ASAN
#[cfg(target_arch = "aarch64")]
#[inline]
pub fn asan_is_interesting_instruction(
@ -2359,6 +2360,7 @@ impl AsanRuntime {
writer.put_lea_reg_reg_offset(X86Register::Rsp, X86Register::Rsp, redzone_size);
}
/// Emit a shadow memory check into the instruction stream
#[cfg(target_arch = "aarch64")]
#[inline]
pub fn emit_shadow_check(


@ -195,12 +195,7 @@ impl AsanErrors {
.set_color(ColorSpec::new().set_fg(Some(Color::Yellow)))
.unwrap();
}
write!(
output,
"x{:02}: 0x{:016x} ",
reg, error.registers[reg as usize]
)
.unwrap();
write!(output, "x{:02}: 0x{:016x} ", reg, error.registers[reg]).unwrap();
output.reset().unwrap();
if reg % 4 == 3 {
writeln!(output).unwrap();
@ -459,7 +454,7 @@ impl AsanErrors {
.set_color(ColorSpec::new().set_fg(Some(Color::Yellow)))
.unwrap();
}
write!(output, "x{:02}: 0x{:016x} ", reg, registers[reg as usize]).unwrap();
write!(output, "x{:02}: 0x{:016x} ", reg, registers[reg]).unwrap();
output.reset().unwrap();
if reg % 4 == 3 {
writeln!(output).unwrap();


@ -127,6 +127,15 @@ impl CoverageRuntime {
/// Emits coverage mapping into the current basic block.
#[inline]
pub fn emit_coverage_mapping(&mut self, address: u64, output: &StalkerOutput) {
let tmp = (address >> 32) + ((address & 0xffffffff) << 32);
let bitflip = 0x1cad21f72c81017c ^ 0xdb979082e96dd4de;
let mut h64 = tmp ^ bitflip;
h64 = h64.rotate_left(49) & h64.rotate_left(24);
h64 *= 0x9FB21C651E98DF25;
h64 ^= (h64 >> 35) + 8;
h64 *= 0x9FB21C651E98DF25;
h64 ^= h64 >> 28;
let writer = output.writer();
#[allow(clippy::cast_possible_wrap)] // gum redzone size is u32, we need an offset as i32.
let redzone_size = i64::from(frida_gum_sys::GUM_RED_ZONE_SIZE);
@ -153,10 +162,7 @@ impl CoverageRuntime {
{
writer.put_lea_reg_reg_offset(X86Register::Rsp, X86Register::Rsp, -(redzone_size));
writer.put_push_reg(X86Register::Rdi);
writer.put_mov_reg_address(
X86Register::Rdi,
((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64,
);
writer.put_mov_reg_address(X86Register::Rdi, h64 & (MAP_SIZE as u64 - 1));
writer.put_call_address(self.current_log_impl);
writer.put_pop_reg(X86Register::Rdi);
writer.put_lea_reg_reg_offset(X86Register::Rsp, X86Register::Rsp, redzone_size);
@ -167,19 +173,17 @@ impl CoverageRuntime {
Aarch64Register::Lr,
Aarch64Register::X0,
Aarch64Register::Sp,
-(16 + redzone_size) as i64,
-(16 + redzone_size),
IndexMode::PreAdjust,
);
writer.put_ldr_reg_u64(
Aarch64Register::X0,
((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64,
);
writer.put_ldr_reg_u64(Aarch64Register::X0, h64 & (MAP_SIZE as u64 - 1));
writer.put_bl_imm(self.current_log_impl);
writer.put_ldp_reg_reg_reg_offset(
Aarch64Register::Lr,
Aarch64Register::X0,
Aarch64Register::Sp,
16 + redzone_size as i64,
16 + redzone_size,
IndexMode::PostAdjust,
);
}
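Review bot: The two `h64 *= 0x9FB21C651E98DF25;` lines will panic with an arithmetic-overflow error in debug builds (the constant is above 2^63, so nearly every input overflows u64), and this code runs for every instrumented basic block; use `h64 = h64.wrapping_mul(0x9FB21C651E98DF25);` at both sites. The mixing step `h64 = h64.rotate_left(49) & h64.rotate_left(24);` looks like it was meant to be `^`, as in the rrmxmx-style finalizer this resembles: a bitwise AND is not invertible and biases about three quarters of the bits toward zero, which concentrates the resulting `h64 & (MAP_SIZE - 1)` indices and raises edge-id collisions in the coverage map. Note also that `h64` depends only on the current block `address`; if the previous-block component of the edge id is folded in inside `current_log_impl` that is fine, but it is not visible in this hunk. A short comment naming the hash variant and the origin of the constants would help the next reader.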


@ -285,7 +285,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
for instruction in basic_block {
let instr = instruction.instr();
let address = instr.address();
// println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
//println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
//println!(
//"address: {:x} contains: {:?}",
@ -297,7 +297,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
if helper.ranges.contains_key(&(address as usize)) {
if first {
first = false;
// println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
//println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
if helper.options().coverage_enabled() {
helper.coverage_rt.emit_coverage_mapping(address, &output);
}
@ -399,6 +399,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
self.options
}
/// Determine the width of the specified instruction
#[cfg(target_arch = "aarch64")]
#[inline]
pub fn instruction_width(instr: &Insn, operands: &Vec<arch::ArchOperand>) -> u32 {
@ -465,6 +466,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
8 * num_registers
}
/// Convert from a capstone register id to a frida InstructionWriter register index
#[cfg(target_arch = "aarch64")]
#[inline]
pub fn writer_register(reg: capstone::RegId) -> Aarch64Register {