Various fixes related to frida mode (#445)

* Fix lint errors

* Fix incorrect address for unfreed allocations when reseting

* Use hash for edge ids

* Fmt

libafl_frida/src/alloc.rs

@@ -292,13 +292,14 @@ impl Allocator {
 
         self.allocations
             .insert(metadata.address + self.page_size, metadata);
-        // println!("serving address: {:?}, size: {:x}", address, size);
+        //println!("serving address: {:?}, size: {:x}", address, size);
         address
     }
 
     /// Releases the allocation at the given address.
     #[allow(clippy::missing_safety_doc)]
     pub unsafe fn release(&mut self, ptr: *mut c_void) {
+        //println!("freeing address: {:?}", ptr);
         let mut metadata = if let Some(metadata) = self.allocations.get_mut(&(ptr as usize)) {
             metadata
         } else {
@@ -379,7 +380,8 @@ impl Allocator {
         }
 
         for allocation in tmp_allocations {
-            self.allocations.insert(allocation.address, allocation);
+            self.allocations
+                .insert(allocation.address + self.page_size, allocation);
         }
 
         self.total_allocation_size = 0;

libafl_frida/src/asan/asan_rt.rs

@@ -1084,7 +1084,7 @@ impl AsanRuntime {
             {
                 index_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_S0 as u16;
             }
-            fault_address += self.regs[index_reg as usize] as usize;
+            fault_address += self.regs[index_reg as usize];
         }
 
         let backtrace = Backtrace::new();
@@ -2086,6 +2086,7 @@ impl AsanRuntime {
         self.blob_check_mem_64bytes.as_ref().unwrap()
     }
 
+    /// Determine if the instruction is 'interesting' for the purposes of ASAN
     #[cfg(target_arch = "aarch64")]
     #[inline]
     pub fn asan_is_interesting_instruction(
@@ -2359,6 +2360,7 @@ impl AsanRuntime {
         writer.put_lea_reg_reg_offset(X86Register::Rsp, X86Register::Rsp, redzone_size);
     }
 
+    /// Emit a shadow memory check into the instruction stream
     #[cfg(target_arch = "aarch64")]
     #[inline]
     pub fn emit_shadow_check(

libafl_frida/src/asan/errors.rs

@@ -195,12 +195,7 @@ impl AsanErrors {
                             .set_color(ColorSpec::new().set_fg(Some(Color::Yellow)))
                             .unwrap();
                     }
-                    write!(
+                    write!(output, "x{:02}: 0x{:016x} ", reg, error.registers[reg]).unwrap();
-                        output,
-                        "x{:02}: 0x{:016x} ",
-                        reg, error.registers[reg as usize]
-                    )
-                    .unwrap();
                     output.reset().unwrap();
                     if reg % 4 == 3 {
                         writeln!(output).unwrap();
@@ -459,7 +454,7 @@ impl AsanErrors {
                             .set_color(ColorSpec::new().set_fg(Some(Color::Yellow)))
                             .unwrap();
                     }
-                    write!(output, "x{:02}: 0x{:016x} ", reg, registers[reg as usize]).unwrap();
+                    write!(output, "x{:02}: 0x{:016x} ", reg, registers[reg]).unwrap();
                     output.reset().unwrap();
                     if reg % 4 == 3 {
                         writeln!(output).unwrap();

libafl_frida/src/coverage_rt.rs

@@ -127,6 +127,15 @@ impl CoverageRuntime {
     /// Emits coverage mapping into the current basic block.
     #[inline]
     pub fn emit_coverage_mapping(&mut self, address: u64, output: &StalkerOutput) {
+        let tmp = (address >> 32) + ((address & 0xffffffff) << 32);
+        let bitflip = 0x1cad21f72c81017c ^ 0xdb979082e96dd4de;
+        let mut h64 = tmp ^ bitflip;
+        h64 = h64.rotate_left(49) & h64.rotate_left(24);
+        h64 *= 0x9FB21C651E98DF25;
+        h64 ^= (h64 >> 35) + 8;
+        h64 *= 0x9FB21C651E98DF25;
+        h64 ^= h64 >> 28;
+
         let writer = output.writer();
         #[allow(clippy::cast_possible_wrap)] // gum redzone size is u32, we need an offset as i32.
         let redzone_size = i64::from(frida_gum_sys::GUM_RED_ZONE_SIZE);
@@ -153,10 +162,7 @@ impl CoverageRuntime {
         {
             writer.put_lea_reg_reg_offset(X86Register::Rsp, X86Register::Rsp, -(redzone_size));
             writer.put_push_reg(X86Register::Rdi);
-            writer.put_mov_reg_address(
+            writer.put_mov_reg_address(X86Register::Rdi, h64 & (MAP_SIZE as u64 - 1));
-                X86Register::Rdi,
-                ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64,
-            );
             writer.put_call_address(self.current_log_impl);
             writer.put_pop_reg(X86Register::Rdi);
             writer.put_lea_reg_reg_offset(X86Register::Rsp, X86Register::Rsp, redzone_size);
@@ -167,19 +173,17 @@ impl CoverageRuntime {
                 Aarch64Register::Lr,
                 Aarch64Register::X0,
                 Aarch64Register::Sp,
-                -(16 + redzone_size) as i64,
+                -(16 + redzone_size),
                 IndexMode::PreAdjust,
             );
-            writer.put_ldr_reg_u64(
+            writer.put_ldr_reg_u64(Aarch64Register::X0, h64 & (MAP_SIZE as u64 - 1));
-                Aarch64Register::X0,
+
-                ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64,
-            );
             writer.put_bl_imm(self.current_log_impl);
             writer.put_ldp_reg_reg_reg_offset(
                 Aarch64Register::Lr,
                 Aarch64Register::X0,
                 Aarch64Register::Sp,
-                16 + redzone_size as i64,
+                16 + redzone_size,
                 IndexMode::PostAdjust,
             );
         }

libafl_frida/src/helper.rs

@@ -285,7 +285,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
                 for instruction in basic_block {
                     let instr = instruction.instr();
                     let address = instr.address();
-                    // println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
+                    //println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
 
                     //println!(
                     //"address: {:x} contains: {:?}",
@@ -297,7 +297,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
                     if helper.ranges.contains_key(&(address as usize)) {
                         if first {
                             first = false;
-                            // println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
+                            //println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
                             if helper.options().coverage_enabled() {
                                 helper.coverage_rt.emit_coverage_mapping(address, &output);
                             }
@@ -399,6 +399,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
         self.options
     }
 
+    /// Determine the width of the specified instruction
     #[cfg(target_arch = "aarch64")]
     #[inline]
     pub fn instruction_width(instr: &Insn, operands: &Vec<arch::ArchOperand>) -> u32 {
@@ -465,6 +466,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
         8 * num_registers
     }
 
+    /// Convert from a capstone register id to a frida InstructionWriter register index
     #[cfg(target_arch = "aarch64")]
     #[inline]
     pub fn writer_register(reg: capstone::RegId) -> Aarch64Register {