From 3fac056b5827e757dbcd5c4daf872f3ac95104d0 Mon Sep 17 00:00:00 2001 From: s1341 Date: Wed, 4 Aug 2021 16:03:49 +0300 Subject: [PATCH] strdup is an allocating function, treat it as such (#241) * strdup is an allocating function, treat it as such; poison target bytes after run * Add cfg guards --- libafl_frida/src/asan_rt.rs | 24 ++++++++++++++++++------ libafl_frida/src/helper.rs | 15 ++++++++++++--- 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/libafl_frida/src/asan_rt.rs b/libafl_frida/src/asan_rt.rs index a7596f69b8..4bbeff2d7e 100644 --- a/libafl_frida/src/asan_rt.rs +++ b/libafl_frida/src/asan_rt.rs @@ -164,6 +164,12 @@ impl AsanRuntime { .map_shadow_for_region(address, address + size, true); } + /// Make sure the specified memory is poisoned + #[cfg(target_arch = "aarch64")] + pub fn poison(&mut self, address: usize, size: usize) { + Allocator::poison(self.allocator.map_to_shadow(address), size); + } + /// Add a stalked address to real address mapping. #[inline] pub fn add_stalked_address(&mut self, stalked: usize, real: usize) { @@ -1235,10 +1241,11 @@ impl AsanRuntime { #[cfg(target_arch = "aarch64")] fn hook_strdup(&mut self, s: *const c_char) -> *mut c_char { extern "C" { - fn strdup(s: *const c_char) -> *mut c_char; fn strlen(s: *const c_char) -> usize; + fn strcpy(dest: *mut c_char, src: *const c_char) -> *mut c_char; } - if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { + let size = unsafe { strlen(s) }; + if !(self.shadow_check_func.unwrap())(s as *const c_void, size) { AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( "strdup".to_string(), self.real_address_for_stalked( @@ -1249,7 +1256,12 @@ impl AsanRuntime { Backtrace::new(), ))); } - unsafe { strdup(s) } + + unsafe { + let ret = self.allocator.alloc(size, 8) as *mut c_char; + strcpy(ret, s); + ret + } } #[inline] @@ -2007,7 +2019,7 @@ impl AsanRuntime { ; mov x5, #1 ; add x5, xzr, x5, lsl #shadow_bit ; add x5, x5, x0, lsr #3 - ; ubfx x5, x5, #0, #(shadow_bit + 2) + ; ubfx x5, x5, #0, #(shadow_bit + 1) ; cmp x1, #0 ; b.eq >return_success @@ -2127,7 +2139,7 @@ impl AsanRuntime { ; mov x1, #1 ; add x1, xzr, x1, lsl #shadow_bit ; add x1, x1, x0, lsr #3 - ; ubfx x1, x1, #0, #(shadow_bit + 2) + ; ubfx x1, x1, #0, #(shadow_bit + 1) ; ldrh w1, [x1, #0] ; and x0, x0, #7 ; rev16 w1, w1 @@ -2158,7 +2170,7 @@ impl AsanRuntime { ; mov x1, #1 ; add x1, xzr, x1, lsl #shadow_bit ; add x1, x1, x0, lsr #3 - ; ubfx x1, x1, #0, #(shadow_bit + 2) + ; ubfx x1, x1, #0, #(shadow_bit + 1) ; ldrh w1, [x1, #0] ; and x0, x0, #7 ; rev16 w1, w1 diff --git a/libafl_frida/src/helper.rs b/libafl_frida/src/helper.rs index dec6aafb7b..c3f2625e85 100644 --- a/libafl_frida/src/helper.rs +++ b/libafl_frida/src/helper.rs @@ -110,9 +110,12 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> { fn pre_exec(&mut self, input: &I) { let target_bytes = input.target_bytes(); let slice = target_bytes.as_slice(); - //println!("target_bytes: {:02x?}", slice); - self.asan_runtime - .unpoison(slice.as_ptr() as usize, slice.len()); + //println!("target_bytes: {:#x}: {:02x?}", slice.as_ptr() as usize, slice); + #[cfg(target_arch = "aarch64")] + if self.options.asan_enabled() { + self.asan_runtime + .unpoison(slice.as_ptr() as usize, slice.len()); + } } fn post_exec(&mut self, input: &I) { @@ -124,10 +127,16 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> { DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write(); } + #[cfg(target_arch = "aarch64")] if self.options.asan_enabled() { if self.options.asan_detect_leaks() { self.asan_runtime.check_for_leaks(); } + + let target_bytes = input.target_bytes(); + let slice = target_bytes.as_slice(); + self.asan_runtime + .poison(slice.as_ptr() as usize, slice.len()); self.asan_runtime.reset_allocations(); } }