SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

strdup is an allocating function, treat it as such (#241)

Browse Source 
* strdup is an allocating function, treat it as such; poison target bytes after run

* Add cfg guards
This commit is contained in:
s1341 2021-08-04 16:03:49 +03:00 committed by GitHub
parent 5542a81e12
commit 3fac056b58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
libafl_frida/src/asan_rt.rs
View File

@ -164,6 +164,12 @@ impl AsanRuntime {
.map_shadow_for_region(address, address + size, true);
}
/// Make sure the specified memory is poisoned
#[cfg(target_arch = "aarch64")]
pub fn poison(&mut self, address: usize, size: usize) {
Allocator::poison(self.allocator.map_to_shadow(address), size);
}
/// Add a stalked address to real address mapping.
#[inline]
pub fn add_stalked_address(&mut self, stalked: usize, real: usize) {
@ -1235,10 +1241,11 @@ impl AsanRuntime {
#[cfg(target_arch = "aarch64")]
fn hook_strdup(&mut self, s: *const c_char) -> *mut c_char {
extern "C" {
fn strdup(s: *const c_char) -> *mut c_char;
fn strlen(s: *const c_char) -> usize;
fn strcpy(dest: *mut c_char, src: *const c_char) -> *mut c_char;
}
if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) {
let size = unsafe { strlen(s) };
if !(self.shadow_check_func.unwrap())(s as *const c_void, size) {
AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead((
"strdup".to_string(),
self.real_address_for_stalked(
@ -1249,7 +1256,12 @@ impl AsanRuntime {
Backtrace::new(),
)));
}
unsafe { strdup(s) }
unsafe {
let ret = self.allocator.alloc(size, 8) as *mut c_char;
strcpy(ret, s);
ret
}
}
#[inline]
@ -2007,7 +2019,7 @@ impl AsanRuntime {
; mov x5, #1
; add x5, xzr, x5, lsl #shadow_bit
; add x5, x5, x0, lsr #3
; ubfx x5, x5, #0, #(shadow_bit + 2)
; ubfx x5, x5, #0, #(shadow_bit + 1)
; cmp x1, #0
; b.eq >return_success
@ -2127,7 +2139,7 @@ impl AsanRuntime {
; mov x1, #1
; add x1, xzr, x1, lsl #shadow_bit
; add x1, x1, x0, lsr #3
; ubfx x1, x1, #0, #(shadow_bit + 2)
; ubfx x1, x1, #0, #(shadow_bit + 1)
; ldrh w1, [x1, #0]
; and x0, x0, #7
; rev16 w1, w1
@ -2158,7 +2170,7 @@ impl AsanRuntime {
; mov x1, #1
; add x1, xzr, x1, lsl #shadow_bit
; add x1, x1, x0, lsr #3
; ubfx x1, x1, #0, #(shadow_bit + 2)
; ubfx x1, x1, #0, #(shadow_bit + 1)
; ldrh w1, [x1, #0]
; and x0, x0, #7
; rev16 w1, w1

15
libafl_frida/src/helper.rs
View File

@ -110,9 +110,12 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
fn pre_exec<I: Input + HasTargetBytes>(&mut self, input: &I) {
let target_bytes = input.target_bytes();
let slice = target_bytes.as_slice();
//println!("target_bytes: {:02x?}", slice);
self.asan_runtime
.unpoison(slice.as_ptr() as usize, slice.len());
//println!("target_bytes: {:#x}: {:02x?}", slice.as_ptr() as usize, slice);
#[cfg(target_arch = "aarch64")]
if self.options.asan_enabled() {
self.asan_runtime
.unpoison(slice.as_ptr() as usize, slice.len());
}
}
fn post_exec<I: Input + HasTargetBytes>(&mut self, input: &I) {
@ -124,10 +127,16 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write();
}
#[cfg(target_arch = "aarch64")]
if self.options.asan_enabled() {
if self.options.asan_detect_leaks() {
self.asan_runtime.check_for_leaks();
}
let target_bytes = input.target_bytes();
let slice = target_bytes.as_slice();
self.asan_runtime
.poison(slice.as_ptr() as usize, slice.len());
self.asan_runtime.reset_allocations();
}
}