From 636194de0eb83fbbd8319806c2f4b37b83b2144c Mon Sep 17 00:00:00 2001 From: s1341 Date: Sun, 6 Jun 2021 11:40:07 +0300 Subject: [PATCH] Frida switch from walk-proc-maps to frida-gum based extraction of ranges (#149) * Bump frida-gum version * Move from walk of /proc/pid/maps to frida based range/module locatoin --- fuzzers/frida_libpng/Cargo.toml | 2 +- fuzzers/frida_libpng/src/fuzzer.rs | 3 +- libafl/src/bolts/os/mod.rs | 69 -- libafl/src/executors/inprocess.rs | 10 - libafl_frida/Cargo.toml | 2 +- libafl_frida/src/alloc.rs | 30 +- libafl_frida/src/asan_errors.rs | 31 +- libafl_frida/src/asan_rt.rs | 1149 ++++++++++++---------------- libafl_frida/src/helper.rs | 41 +- libafl_targets/src/drcov.rs | 6 +- 10 files changed, 538 insertions(+), 805 deletions(-) diff --git a/fuzzers/frida_libpng/Cargo.toml b/fuzzers/frida_libpng/Cargo.toml index a68944cdaf..c6b48feeb1 100644 --- a/fuzzers/frida_libpng/Cargo.toml +++ b/fuzzers/frida_libpng/Cargo.toml @@ -24,7 +24,7 @@ which = "4.1" libafl = { path = "../../libafl/", features = [ "std", "llmp_bind_public" ] } #, "llmp_small_maps", "llmp_debug"]} libafl_frida = { path = "../../libafl_frida" } capstone = "0.8.0" -frida-gum = { version = "0.5.1", features = [ "auto-download", "backtrace", "event-sink", "invocation-listener"] } +frida-gum = { version = "0.5.2", features = [ "auto-download", "backtrace", "event-sink", "invocation-listener"] } lazy_static = "1.4.0" libc = "0.2" libloading = "0.7.0" diff --git a/fuzzers/frida_libpng/src/fuzzer.rs b/fuzzers/frida_libpng/src/fuzzer.rs index c6b90170a4..721cded413 100644 --- a/fuzzers/frida_libpng/src/fuzzer.rs +++ b/fuzzers/frida_libpng/src/fuzzer.rs @@ -242,7 +242,6 @@ pub fn main() { .value_of("modules_to_instrument") .unwrap() .split(':') - .map(|module_name| std::fs::canonicalize(module_name).unwrap()) .collect::>(), //modules_to_instrument, &[PathBuf::from("./corpus")], @@ -278,7 +277,7 @@ fn fuzz( unsafe fn fuzz( module_name: &str, symbol_name: &str, - modules_to_instrument: &[PathBuf], + modules_to_instrument: &[&str], corpus_dirs: &[PathBuf], objective_dir: &Path, broker_port: u16, diff --git a/libafl/src/bolts/os/mod.rs b/libafl/src/bolts/os/mod.rs index c4a1239da3..967c090e05 100644 --- a/libafl/src/bolts/os/mod.rs +++ b/libafl/src/bolts/os/mod.rs @@ -90,75 +90,6 @@ pub fn startable_self() -> Result { Ok(startable) } -/// Allows one to walk the mappings in /proc/self/maps, caling a callback function for each -/// mapping. -/// If the callback returns true, we stop the walk. -#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] -pub fn walk_self_maps(visitor: &mut dyn FnMut(usize, usize, String, String) -> bool) { - use regex::Regex; - use std::io::{BufRead, BufReader}; - let re = Regex::new(r"^(?P[0-9a-f]{8,16})-(?P[0-9a-f]{8,16}) (?P[-rwxp]{4}) (?P[0-9a-f]{8}) [0-9a-f]+:[0-9a-f]+ [0-9]+\s+(?P.*)$") - .unwrap(); - - let mapsfile = File::open("/proc/self/maps").expect("Unable to open /proc/self/maps"); - - for line in BufReader::new(mapsfile).lines() { - let line = line.unwrap(); - if let Some(caps) = re.captures(&line) { - if visitor( - usize::from_str_radix(caps.name("start").unwrap().as_str(), 16).unwrap(), - usize::from_str_radix(caps.name("end").unwrap().as_str(), 16).unwrap(), - caps.name("perm").unwrap().as_str().to_string(), - caps.name("path").unwrap().as_str().to_string(), - ) { - break; - }; - } - } -} - -/// Get the start and end address, permissions and path of the mapping containing a particular address -#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] -pub fn find_mapping_for_address(address: usize) -> Result<(usize, usize, String, String), Error> { - let mut result = (0, 0, "".to_string(), "".to_string()); - walk_self_maps(&mut |start, end, permissions, path| { - if start <= address && address < end { - result = (start, end, permissions, path); - true - } else { - false - } - }); - - if result.0 == 0 { - Err(Error::Unknown( - "Couldn't find a mapping for this address".to_string(), - )) - } else { - Ok(result) - } -} - -/// Get the start and end address of the mapping containing with a particular path -#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] -#[must_use] -pub fn find_mapping_for_path(libpath: &str) -> (usize, usize) { - let mut libstart = 0; - let mut libend = 0; - walk_self_maps(&mut |start, end, _permissions, path| { - if libpath == path { - if libstart == 0 { - libstart = start; - } - - libend = end; - } - false - }); - - (libstart, libend) -} - /// "Safe" wrapper around dup2 #[cfg(all(unix, feature = "std"))] pub fn dup2(fd: i32, device: i32) -> Result<(), Error> { diff --git a/libafl/src/executors/inprocess.rs b/libafl/src/executors/inprocess.rs index e17324318d..441d9cc6fe 100644 --- a/libafl/src/executors/inprocess.rs +++ b/libafl/src/executors/inprocess.rs @@ -450,21 +450,11 @@ mod unix_signal_handler { target_arch = "aarch64" ))] { - use crate::bolts::os::find_mapping_for_address; println!("{:━^100}", " CRASH "); println!( "Received signal {} at 0x{:016x}, fault address: 0x{:016x}", _signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address ); - if let Ok((start, _, _, path)) = - find_mapping_for_address(_context.uc_mcontext.pc as usize) - { - println!( - "pc is at offset 0x{:08x} in {}", - _context.uc_mcontext.pc as usize - start, - path - ); - } println!("{:━^100}", " REGISTERS "); for reg in 0..31 { diff --git a/libafl_frida/Cargo.toml b/libafl_frida/Cargo.toml index 712f906017..016a8929e8 100644 --- a/libafl_frida/Cargo.toml +++ b/libafl_frida/Cargo.toml @@ -22,7 +22,7 @@ hashbrown = "0.11" libloading = "0.7.0" rangemap = "0.1.10" frida-gum-sys = { version = "0.3", features = [ "auto-download", "event-sink", "invocation-listener"] } -frida-gum = { version = "0.5.1", features = [ "auto-download", "backtrace", "event-sink", "invocation-listener"] } +frida-gum = { version = "0.5.2", features = [ "auto-download", "backtrace", "event-sink", "invocation-listener"] } core_affinity = { version = "0.5", git = "https://github.com/s1341/core_affinity_rs" } regex = "1.4" dynasmrt = "1.0.1" diff --git a/libafl_frida/src/alloc.rs b/libafl_frida/src/alloc.rs index f94e72800d..14f9cb917c 100644 --- a/libafl_frida/src/alloc.rs +++ b/libafl_frida/src/alloc.rs @@ -1,6 +1,5 @@ +use frida_gum::{PageProtection, RangeDetails}; use hashbrown::HashMap; -#[cfg(any(target_os = "linux", target_os = "android"))] -use libafl::bolts::os::walk_self_maps; use nix::{ libc::memset, sys::mman::{mmap, MapFlags, ProtFlags}, @@ -220,19 +219,18 @@ impl Allocator { metadata } else { if !ptr.is_null() { - AsanErrors::get_mut().report_error( - AsanError::UnallocatedFree((ptr as usize, Backtrace::new())), - None, - ); + AsanErrors::get_mut() + .report_error(AsanError::UnallocatedFree((ptr as usize, Backtrace::new()))); } return; }; if metadata.freed { - AsanErrors::get_mut().report_error( - AsanError::DoubleFree((ptr as usize, metadata.clone(), Backtrace::new())), - None, - ); + AsanErrors::get_mut().report_error(AsanError::DoubleFree(( + ptr as usize, + metadata.clone(), + Backtrace::new(), + ))); } let shadow_mapping_start = map_to_shadow!(self, ptr as usize); @@ -389,21 +387,23 @@ impl Allocator { for metadata in self.allocations.values() { if !metadata.freed { AsanErrors::get_mut() - .report_error(AsanError::Leak((metadata.address, metadata.clone())), None); + .report_error(AsanError::Leak((metadata.address, metadata.clone()))); } } } /// Unpoison all the memory that is currently mapped with read/write permissions. pub fn unpoison_all_existing_memory(&mut self) { - walk_self_maps(&mut |start, end, permissions, _path| { - if permissions.as_bytes()[0] == b'r' || permissions.as_bytes()[1] == b'w' { + RangeDetails::enumerate_with_prot(PageProtection::NoAccess, &mut |range: &RangeDetails| { + if range.protection() as u32 & PageProtection::ReadWrite as u32 != 0 { + let start = range.memory_range().base_address().0 as usize; + let end = start + range.memory_range().size(); if self.pre_allocated_shadow && start == 1 << self.shadow_bit { - return false; + return true; } self.map_shadow_for_region(start, end, true); } - false + true }); } } diff --git a/libafl_frida/src/asan_errors.rs b/libafl_frida/src/asan_errors.rs index 80ee69e1ba..d8778b9c1e 100644 --- a/libafl_frida/src/asan_errors.rs +++ b/libafl_frida/src/asan_errors.rs @@ -3,9 +3,7 @@ use capstone::{arch::BuildsCapstone, Capstone}; use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity}; #[cfg(target_arch = "aarch64")] use frida_gum::interceptor::Interceptor; - -#[cfg(any(target_os = "linux", target_os = "android"))] -use libafl::bolts::os::find_mapping_for_address; +use frida_gum::ModuleDetails; use libafl::{ bolts::{ownedref::OwnedPtr, tuples::Named}, @@ -18,7 +16,6 @@ use libafl::{ state::HasMetadata, Error, SerdeAny, }; -use rangemap::RangeMap; use serde::{Deserialize, Serialize}; use std::io::Write; use termcolor::{Color, ColorSpec, WriteColor}; @@ -111,11 +108,7 @@ impl AsanErrors { /// Report an error #[allow(clippy::too_many_lines)] - pub(crate) fn report_error( - &mut self, - error: AsanError, - instrumented_ranges: Option<&RangeMap>, - ) { + pub(crate) fn report_error(&mut self, error: AsanError) { self.errors.push(error.clone()); let mut out_stream = default_output_stream(); @@ -144,13 +137,13 @@ impl AsanErrors { | AsanError::WriteAfterFree(mut error) => { let (basereg, indexreg, _displacement, fault_address) = error.fault; - if let Some((range, path)) = instrumented_ranges.unwrap().get_key_value(&error.pc) { + if let Some(module_details) = ModuleDetails::with_address(error.pc as u64) { writeln!( output, " at 0x{:x} ({}@0x{:04x}), faulting address 0x{:x}", error.pc, - path, - error.pc - range.start, + module_details.path(), + error.pc - module_details.range().base_address().0 as usize, fault_address ) .unwrap(); @@ -267,17 +260,17 @@ impl AsanErrors { { let invocation = Interceptor::current_invocation(); let cpu_context = invocation.cpu_context(); - if let Some((range, path)) = instrumented_ranges.unwrap().get_key_value(&pc) { + if let Some(module_details) = ModuleDetails::with_address(pc as u64) { writeln!( output, " at 0x{:x} ({}@0x{:04x})", pc, - path, - pc - range.start, + module_details.path(), + pc - module_details.range().base_address().0 as usize, ) .unwrap(); } else { - writeln!(output, " at 0x{:x}", pc,).unwrap(); + writeln!(output, " at 0x{:x}", pc).unwrap(); } #[allow(clippy::non_ascii_literal)] @@ -364,13 +357,13 @@ impl AsanErrors { | AsanError::StackOobWrite((registers, pc, fault, backtrace)) => { let (basereg, indexreg, _displacement, fault_address) = fault; - if let Ok((start, _, _, path)) = find_mapping_for_address(pc) { + if let Some(module_details) = ModuleDetails::with_address(pc as u64) { writeln!( output, " at 0x{:x} ({}:0x{:04x}), faulting address 0x{:x}", pc, - path, - pc - start, + module_details.path(), + pc - module_details.range().base_address().0 as usize, fault_address ) .unwrap(); diff --git a/libafl_frida/src/asan_rt.rs b/libafl_frida/src/asan_rt.rs index 35312d0559..adbbd9ec3f 100644 --- a/libafl_frida/src/asan_rt.rs +++ b/libafl_frida/src/asan_rt.rs @@ -6,12 +6,9 @@ even if the target would not have crashed under normal conditions. this helps finding mem errors early. */ -use frida_gum::NativePointer; +use frida_gum::{NativePointer, RangeDetails}; use hashbrown::HashMap; -#[cfg(any(target_os = "linux", target_os = "android"))] -use libafl::bolts::os::{find_mapping_for_address, find_mapping_for_path}; - use nix::{ libc::memset, sys::mman::{mmap, MapFlags, ProtFlags}, @@ -26,8 +23,7 @@ use dynasmrt::{dynasm, DynasmApi, DynasmLabelApi}; use frida_gum::{interceptor::Interceptor, Gum, ModuleMap}; #[cfg(unix)] use libc::{c_char, getrlimit64, rlimit64, wchar_t}; -use rangemap::RangeMap; -use std::{ffi::c_void, path::PathBuf}; +use std::ffi::c_void; use crate::{ alloc::Allocator, @@ -67,7 +63,6 @@ pub struct AsanRuntime { blob_check_mem_64bytes: Option>, stalked_addresses: HashMap, options: FridaOptions, - instrumented_ranges: RangeMap, module_map: Option, shadow_check_func: Option bool>, } @@ -94,7 +89,6 @@ impl AsanRuntime { blob_check_mem_64bytes: None, stalked_addresses: HashMap::new(), options, - instrumented_ranges: RangeMap::new(), module_map: None, shadow_check_func: None, } @@ -102,7 +96,7 @@ impl AsanRuntime { /// Initialize the runtime so that it is read for action. Take care not to move the runtime /// instance after this function has been called, as the generated blobs would become /// invalid! - pub fn init(&mut self, gum: &Gum, modules_to_instrument: &[PathBuf]) { + pub fn init(&mut self, _gum: &Gum, modules_to_instrument: &[&str]) { unsafe { ASAN_ERRORS = Some(AsanErrors::new(self.options.clone())); } @@ -111,18 +105,10 @@ impl AsanRuntime { self.generate_shadow_check_function(); self.unpoison_all_existing_memory(); - for module_name in modules_to_instrument { - let (start, end) = find_mapping_for_path(module_name.to_str().unwrap()); - self.instrumented_ranges - .insert(start..end, module_name.to_str().unwrap().to_string()); - } - let module_names: Vec<&str> = modules_to_instrument - .iter() - .map(|modname| modname.to_str().unwrap()) - .collect(); - self.module_map = Some(ModuleMap::new_from_names(&module_names)); + self.module_map = Some(ModuleMap::new_from_names(modules_to_instrument)); + #[cfg(target_arch = "aarch64")] - self.hook_functions(gum); + self.hook_functions(_gum); //unsafe { //let mem = self.allocator.alloc(0xac + 2, 8); @@ -211,7 +197,9 @@ impl AsanRuntime { pub fn current_stack() -> (usize, usize) { let stack_var = 0xeadbeef; let stack_address = &stack_var as *const _ as *const c_void as usize; - let (start, end, _, _) = find_mapping_for_address(stack_address).unwrap(); + let range_details = RangeDetails::with_address(stack_address as u64).unwrap(); + let start = range_details.memory_range().base_address().0 as usize; + let end = start + range_details.memory_range().size(); let mut stack_rlimit = rlimit64 { rlim_cur: 0, @@ -247,7 +235,9 @@ impl AsanRuntime { #[cfg(target_os = "android")] let tls_address = tls_address & 0xffffffffffffff; - let (start, end, _, _) = find_mapping_for_address(tls_address).unwrap(); + let range_details = RangeDetails::with_address(tls_address as u64).unwrap(); + let start = range_details.memory_range().base_address().0 as usize; + let end = start + range_details.memory_range().size(); (start, end) } @@ -525,18 +515,15 @@ impl AsanRuntime { fn write(fd: i32, buf: *const c_void, count: usize) -> usize; } if !(self.shadow_check_func.unwrap())(buf, count) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "write".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - buf as usize, - count, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "write".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + buf as usize, + count, + Backtrace::new(), + ))); } unsafe { write(fd, buf, count) } } @@ -548,18 +535,15 @@ impl AsanRuntime { fn read(fd: i32, buf: *mut c_void, count: usize) -> usize; } if !(self.shadow_check_func.unwrap())(buf, count) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "read".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - buf as usize, - count, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "read".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + buf as usize, + count, + Backtrace::new(), + ))); } unsafe { read(fd, buf, count) } } @@ -571,18 +555,15 @@ impl AsanRuntime { fn fgets(s: *mut c_void, size: u32, stream: *mut c_void) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(s, size as usize) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "fgets".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - size as usize, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "fgets".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + size as usize, + Backtrace::new(), + ))); } unsafe { fgets(s, size, stream) } } @@ -594,32 +575,26 @@ impl AsanRuntime { fn memcmp(s1: *const c_void, s2: *const c_void, n: usize) -> i32; } if !(self.shadow_check_func.unwrap())(s1, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memcmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memcmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memcmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memcmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + n, + Backtrace::new(), + ))); } unsafe { memcmp(s1, s2, n) } } @@ -631,32 +606,26 @@ impl AsanRuntime { fn memcpy(dest: *mut c_void, src: *const c_void, n: usize) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(dest, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "memcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "memcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + n, + Backtrace::new(), + ))); } unsafe { memcpy(dest, src, n) } } @@ -668,32 +637,26 @@ impl AsanRuntime { fn mempcpy(dest: *mut c_void, src: *const c_void, n: usize) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(dest, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "mempcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "mempcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "mempcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "mempcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + n, + Backtrace::new(), + ))); } unsafe { mempcpy(dest, src, n) } } @@ -705,32 +668,26 @@ impl AsanRuntime { fn memmove(dest: *mut c_void, src: *const c_void, n: usize) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(dest, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "memmove".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "memmove".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memmove".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memmove".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + n, + Backtrace::new(), + ))); } unsafe { memmove(dest, src, n) } } @@ -742,18 +699,15 @@ impl AsanRuntime { fn memset(dest: *mut c_void, c: i32, n: usize) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(dest, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "memset".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "memset".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + n, + Backtrace::new(), + ))); } unsafe { memset(dest, c, n) } } @@ -765,18 +719,15 @@ impl AsanRuntime { fn memchr(s: *mut c_void, c: i32, n: usize) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(s, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memchr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memchr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + n, + Backtrace::new(), + ))); } unsafe { memchr(s, c, n) } } @@ -788,18 +739,15 @@ impl AsanRuntime { fn memrchr(s: *mut c_void, c: i32, n: usize) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(s, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memrchr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memrchr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + n, + Backtrace::new(), + ))); } unsafe { memrchr(s, c, n) } } @@ -822,32 +770,26 @@ impl AsanRuntime { ) -> *mut c_void; } if !(self.shadow_check_func.unwrap())(haystack, haystacklen) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memmem".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - haystack as usize, - haystacklen, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memmem".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + haystack as usize, + haystacklen, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(needle, needlelen) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "memmem".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - needle as usize, - needlelen, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "memmem".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + needle as usize, + needlelen, + Backtrace::new(), + ))); } unsafe { memmem(haystack, haystacklen, needle, needlelen) } } @@ -859,18 +801,15 @@ impl AsanRuntime { fn bzero(s: *mut c_void, n: usize); } if !(self.shadow_check_func.unwrap())(s, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "bzero".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "bzero".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + n, + Backtrace::new(), + ))); } unsafe { bzero(s, n) } } @@ -882,18 +821,15 @@ impl AsanRuntime { fn explicit_bzero(s: *mut c_void, n: usize); } if !(self.shadow_check_func.unwrap())(s, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "explicit_bzero".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "explicit_bzero".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + n, + Backtrace::new(), + ))); } unsafe { explicit_bzero(s, n) } } @@ -905,32 +841,26 @@ impl AsanRuntime { fn bcmp(s1: *const c_void, s2: *const c_void, n: usize) -> i32; } if !(self.shadow_check_func.unwrap())(s1, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "bcmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "bcmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "bcmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "bcmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + n, + Backtrace::new(), + ))); } unsafe { bcmp(s1, s2, n) } } @@ -943,18 +873,15 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strchr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - unsafe { strlen(s) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strchr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + unsafe { strlen(s) }, + Backtrace::new(), + ))); } unsafe { strchr(s, c) } } @@ -967,18 +894,15 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strrchr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - unsafe { strlen(s) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strrchr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + unsafe { strlen(s) }, + Backtrace::new(), + ))); } unsafe { strrchr(s, c) } } @@ -991,32 +915,26 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s1 as *const c_void, unsafe { strlen(s1) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcasecmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - unsafe { strlen(s1) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcasecmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + unsafe { strlen(s1) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2 as *const c_void, unsafe { strlen(s2) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcasecmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - unsafe { strlen(s2) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcasecmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + unsafe { strlen(s2) }, + Backtrace::new(), + ))); } unsafe { strcasecmp(s1, s2) } } @@ -1028,32 +946,26 @@ impl AsanRuntime { fn strncasecmp(s1: *const c_char, s2: *const c_char, n: usize) -> i32; } if !(self.shadow_check_func.unwrap())(s1 as *const c_void, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strncasecmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strncasecmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2 as *const c_void, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strncasecmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strncasecmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + n, + Backtrace::new(), + ))); } unsafe { strncasecmp(s1, s2, n) } } @@ -1066,32 +978,26 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s1 as *const c_void, unsafe { strlen(s1) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcat".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - unsafe { strlen(s1) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcat".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + unsafe { strlen(s1) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2 as *const c_void, unsafe { strlen(s2) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcat".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - unsafe { strlen(s2) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcat".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + unsafe { strlen(s2) }, + Backtrace::new(), + ))); } unsafe { strcat(s1, s2) } } @@ -1104,32 +1010,26 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s1 as *const c_void, unsafe { strlen(s1) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - unsafe { strlen(s1) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + unsafe { strlen(s1) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2 as *const c_void, unsafe { strlen(s2) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - unsafe { strlen(s2) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + unsafe { strlen(s2) }, + Backtrace::new(), + ))); } unsafe { strcmp(s1, s2) } } @@ -1141,32 +1041,26 @@ impl AsanRuntime { fn strncmp(s1: *const c_char, s2: *const c_char, n: usize) -> i32; } if !(self.shadow_check_func.unwrap())(s1 as *const c_void, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strncmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strncmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2 as *const c_void, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strncmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strncmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + n, + Backtrace::new(), + ))); } unsafe { strncmp(s1, s2, n) } } @@ -1179,32 +1073,26 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(dest as *const c_void, unsafe { strlen(src) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "strcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - unsafe { strlen(src) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "strcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + unsafe { strlen(src) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src as *const c_void, unsafe { strlen(src) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - unsafe { strlen(src) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + unsafe { strlen(src) }, + Backtrace::new(), + ))); } unsafe { strcpy(dest, src) } } @@ -1216,32 +1104,26 @@ impl AsanRuntime { fn strncpy(dest: *mut c_char, src: *const c_char, n: usize) -> *mut c_char; } if !(self.shadow_check_func.unwrap())(dest as *const c_void, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "strncpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "strncpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + n, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src as *const c_void, n) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strncpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - n, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strncpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + n, + Backtrace::new(), + ))); } unsafe { strncpy(dest, src, n) } } @@ -1254,32 +1136,26 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(dest as *const c_void, unsafe { strlen(src) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "stpcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - unsafe { strlen(src) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "stpcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + unsafe { strlen(src) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src as *const c_void, unsafe { strlen(src) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "stpcpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - unsafe { strlen(src) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "stpcpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + unsafe { strlen(src) }, + Backtrace::new(), + ))); } unsafe { stpcpy(dest, src) } } @@ -1292,18 +1168,15 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strdup".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - unsafe { strlen(s) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strdup".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + unsafe { strlen(s) }, + Backtrace::new(), + ))); } unsafe { strdup(s) } } @@ -1316,18 +1189,15 @@ impl AsanRuntime { } let size = unsafe { strlen(s) }; if !(self.shadow_check_func.unwrap())(s as *const c_void, size) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strlen".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - size, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strlen".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + size, + Backtrace::new(), + ))); } size } @@ -1340,18 +1210,15 @@ impl AsanRuntime { } let size = unsafe { strnlen(s, n) }; if !(self.shadow_check_func.unwrap())(s as *const c_void, size) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strnlen".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - size, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strnlen".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + size, + Backtrace::new(), + ))); } size } @@ -1366,32 +1233,26 @@ impl AsanRuntime { if !(self.shadow_check_func.unwrap())(haystack as *const c_void, unsafe { strlen(haystack) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strstr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - haystack as usize, - unsafe { strlen(haystack) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strstr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + haystack as usize, + unsafe { strlen(haystack) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(needle as *const c_void, unsafe { strlen(needle) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strstr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - needle as usize, - unsafe { strlen(needle) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strstr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + needle as usize, + unsafe { strlen(needle) }, + Backtrace::new(), + ))); } unsafe { strstr(haystack, needle) } } @@ -1406,32 +1267,26 @@ impl AsanRuntime { if !(self.shadow_check_func.unwrap())(haystack as *const c_void, unsafe { strlen(haystack) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcasestr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - haystack as usize, - unsafe { strlen(haystack) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcasestr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + haystack as usize, + unsafe { strlen(haystack) }, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(needle as *const c_void, unsafe { strlen(needle) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "strcasestr".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - needle as usize, - unsafe { strlen(needle) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "strcasestr".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + needle as usize, + unsafe { strlen(needle) }, + Backtrace::new(), + ))); } unsafe { strcasestr(haystack, needle) } } @@ -1444,18 +1299,15 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "atoi".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - unsafe { strlen(s) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "atoi".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + unsafe { strlen(s) }, + Backtrace::new(), + ))); } unsafe { atoi(s) } } @@ -1468,18 +1320,15 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "atol".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - unsafe { strlen(s) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "atol".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + unsafe { strlen(s) }, + Backtrace::new(), + ))); } unsafe { atol(s) } } @@ -1492,18 +1341,15 @@ impl AsanRuntime { fn strlen(s: *const c_char) -> usize; } if !(self.shadow_check_func.unwrap())(s as *const c_void, unsafe { strlen(s) }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "atoll".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - unsafe { strlen(s) }, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "atoll".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + unsafe { strlen(s) }, + Backtrace::new(), + ))); } unsafe { atoll(s) } } @@ -1516,18 +1362,15 @@ impl AsanRuntime { } let size = unsafe { wcslen(s) }; if !(self.shadow_check_func.unwrap())(s as *const c_void, (size + 1) * 2) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "wcslen".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s as usize, - (size + 1) * 2, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "wcslen".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s as usize, + (size + 1) * 2, + Backtrace::new(), + ))); } size } @@ -1542,34 +1385,28 @@ impl AsanRuntime { if !(self.shadow_check_func.unwrap())(dest as *const c_void, unsafe { (wcslen(src) + 1) * 2 }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgWrite(( - "wcscpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - dest as usize, - (unsafe { wcslen(src) } + 1) * 2, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgWrite(( + "wcscpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + dest as usize, + (unsafe { wcslen(src) } + 1) * 2, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(src as *const c_void, unsafe { (wcslen(src) + 1) * 2 }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "wcscpy".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - src as usize, - (unsafe { wcslen(src) } + 1) * 2, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "wcscpy".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + src as usize, + (unsafe { wcslen(src) } + 1) * 2, + Backtrace::new(), + ))); } unsafe { wcscpy(dest, src) } } @@ -1583,33 +1420,27 @@ impl AsanRuntime { } if !(self.shadow_check_func.unwrap())(s1 as *const c_void, unsafe { (wcslen(s1) + 1) * 2 }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "wcscmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s1 as usize, - (unsafe { wcslen(s1) } + 1) * 2, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "wcscmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s1 as usize, + (unsafe { wcslen(s1) } + 1) * 2, + Backtrace::new(), + ))); } if !(self.shadow_check_func.unwrap())(s2 as *const c_void, unsafe { (wcslen(s2) + 1) * 2 }) { - AsanErrors::get_mut().report_error( - AsanError::BadFuncArgRead(( - "wcscmp".to_string(), - self.real_address_for_stalked( - Interceptor::current_invocation().cpu_context().pc() as usize, - ), - s2 as usize, - (unsafe { wcslen(s2) } + 1) * 2, - Backtrace::new(), - )), - Some(&self.instrumented_ranges), - ); + AsanErrors::get_mut().report_error(AsanError::BadFuncArgRead(( + "wcscmp".to_string(), + self.real_address_for_stalked( + Interceptor::current_invocation().cpu_context().pc() as usize + ), + s2 as usize, + (unsafe { wcslen(s2) } + 1) * 2, + Backtrace::new(), + ))); } unsafe { wcscmp(s1, s2) } } @@ -2093,7 +1924,7 @@ impl AsanRuntime { )) } }; - AsanErrors::get_mut().report_error(error, Some(&self.instrumented_ranges)); + AsanErrors::get_mut().report_error(error); } #[allow(clippy::unused_self)] diff --git a/libafl_frida/src/helper.rs b/libafl_frida/src/helper.rs index be3046cc79..0bbc78104f 100644 --- a/libafl_frida/src/helper.rs +++ b/libafl_frida/src/helper.rs @@ -3,9 +3,6 @@ use std::hash::Hasher; use libafl::inputs::{HasTargetBytes, Input}; -#[cfg(any(target_os = "linux", target_os = "android"))] -use libafl::bolts::os::find_mapping_for_path; - use libafl_targets::drcov::{DrCovBasicBlock, DrCovWriter}; #[cfg(target_arch = "aarch64")] @@ -26,14 +23,13 @@ use frida_gum::instruction_writer::{Aarch64Register, IndexMode}; use frida_gum::{ instruction_writer::InstructionWriter, stalker::{StalkerOutput, Transformer}, - CpuContext, + CpuContext, ModuleDetails, ModuleMap, }; use frida_gum::{Gum, Module, PageProtection}; #[cfg(target_arch = "aarch64")] use num_traits::cast::FromPrimitive; use rangemap::RangeMap; -use std::path::PathBuf; use nix::sys::mman::{mmap, MapFlags, ProtFlags}; @@ -59,7 +55,7 @@ pub trait FridaHelper<'a> { /// pointer to the frida coverage map fn map_ptr(&mut self) -> *mut u8; - fn ranges(&self) -> &RangeMap; + fn ranges(&self) -> &RangeMap; } /// (Default) map size for frida coverage reporting @@ -77,7 +73,8 @@ pub struct FridaInstrumentationHelper<'a> { #[cfg(target_arch = "aarch64")] capstone: Capstone, asan_runtime: AsanRuntime, - ranges: RangeMap, + ranges: RangeMap, + module_map: ModuleMap, options: &'a FridaOptions, drcov_basic_blocks: Vec, } @@ -125,7 +122,7 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> { self.map.as_mut_ptr() } - fn ranges(&self) -> &RangeMap { + fn ranges(&self) -> &RangeMap { &self.ranges } } @@ -220,7 +217,7 @@ impl<'a> FridaInstrumentationHelper<'a> { gum: &'a Gum, options: &'a FridaOptions, _harness_module_name: &str, - modules_to_instrument: &'a [PathBuf], + modules_to_instrument: &'a [&str], ) -> Self { // workaround frida's frida-gum-allocate-near bug: unsafe { @@ -262,31 +259,23 @@ impl<'a> FridaInstrumentationHelper<'a> { .expect("Failed to create Capstone object"), asan_runtime: AsanRuntime::new(options.clone()), ranges: RangeMap::new(), + module_map: ModuleMap::new_from_names(modules_to_instrument), options, drcov_basic_blocks: vec![], }; if helper.options().stalker_enabled() { - for (id, module_name) in modules_to_instrument.iter().enumerate() { - let (lib_start, lib_end) = find_mapping_for_path(module_name.to_str().unwrap()); - println!( - "including range {:x}-{:x} for {:?}", - lib_start, lib_end, module_name - ); - helper.ranges.insert( - lib_start..lib_end, - (id as u16, module_name.to_str().unwrap()), - ); + for (i, module) in helper.module_map.values().iter().enumerate() { + let range = module.range(); + let start = range.base_address().0 as usize; + helper + .ranges + .insert(start..(start + range.size()), (i as u16, module.path())); } - if let Some(suppressed_specifiers) = helper.options().dont_instrument_locations() { for (module_name, offset) in suppressed_specifiers { - let (lib_start, _) = find_mapping_for_path( - std::fs::canonicalize(&module_name) - .unwrap() - .to_str() - .unwrap(), - ); + let module_details = ModuleDetails::with_name(module_name).unwrap(); + let lib_start = module_details.range().base_address().0 as usize; println!("removing address: {:#x}", lib_start + offset); helper .ranges diff --git a/libafl_targets/src/drcov.rs b/libafl_targets/src/drcov.rs index f6ecb8aa14..ddffb04eb9 100644 --- a/libafl_targets/src/drcov.rs +++ b/libafl_targets/src/drcov.rs @@ -18,7 +18,7 @@ pub struct DrCovBasicBlock { /// A writer for `DrCov` files pub struct DrCovWriter<'a> { writer: BufWriter, - module_mapping: &'a RangeMap, + module_mapping: &'a RangeMap, basic_blocks: &'a mut Vec, } @@ -40,7 +40,7 @@ impl<'a> DrCovWriter<'a> { /// Create a new [`DrCovWriter`] pub fn new( path: &str, - module_mapping: &'a RangeMap, + module_mapping: &'a RangeMap, basic_blocks: &'a mut Vec, ) -> Self { Self { @@ -58,7 +58,7 @@ impl<'a> DrCovWriter<'a> { .write_all(b"DRCOV VERSION: 2\nDRCOV FLAVOR: libafl\n") .unwrap(); - let modules: Vec<(&std::ops::Range, &(u16, &str))> = + let modules: Vec<(&std::ops::Range, &(u16, String))> = self.module_mapping.iter().collect(); self.writer .write_all(format!("Module Table: version 2, count {}\n", modules.len()).as_bytes())