SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Expose AFL++ style extended cmplog for unicornafl (#3238)

Browse Source 
* expose afl++ style extended cmplog for unicornafl

* also update map ptr

* fix imports

* fix naming

* feature dep
This commit is contained in:
lazymio 2025-05-16 19:29:49 +08:00 committed by GitHub
parent 8b0fc8ca73
commit 7a9cca9e1b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libafl_cc/src/no-link-rt.c
View File

@ -16,6 +16,15 @@ void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
(void)arg2; (void)arg2;
} }
void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
uint64_t arg1,
uint64_t arg2) {
(void)k;
(void)shape;
(void)arg1;
(void)arg2;
}
void __cmplog_ins_hook1_extended(uint8_t arg1, uint8_t arg2, uint8_t attr) { void __cmplog_ins_hook1_extended(uint8_t arg1, uint8_t arg2, uint8_t attr) {
(void)arg1; (void)arg1;
(void)arg2; (void)arg2;

1
libafl_targets/Cargo.toml
View File

@ -67,6 +67,7 @@ forkserver = [
windows_asan = ["common"] # Compile C code for ASAN on Windows windows_asan = ["common"] # Compile C code for ASAN on Windows
whole_archive = [] # use +whole-archive to ensure the presence of weak symbols whole_archive = [] # use +whole-archive to ensure the presence of weak symbols
cmplog_extended_instrumentation = [ cmplog_extended_instrumentation = [
"cmplog", # without `cmplog`, extended instrumentation won't compile
] # support for aflpp cmplog map, we will remove this once aflpp and libafl cmplog shares the same LLVM passes. ] # support for aflpp cmplog map, we will remove this once aflpp and libafl cmplog shares the same LLVM passes.
function-logging = ["common"] function-logging = ["common"]
track_hit_feedbacks = ["libafl/track_hit_feedbacks"] track_hit_feedbacks = ["libafl/track_hit_feedbacks"]

6
libafl_targets/src/cmplog.c
View File

@ -102,6 +102,12 @@ void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
cmplog_instructions_checked(k, shape, arg1, arg2, 0); cmplog_instructions_checked(k, shape, arg1, arg2, 0);
} }
// Very generic afl++ style cmplog instructions callback
void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
uint64_t arg1, uint64_t arg2) {
cmplog_instructions_extended_checked(k, shape, arg1, arg2, 0);
}
// Very generic cmplog routines callback // Very generic cmplog routines callback
void __libafl_targets_cmplog_routines(uintptr_t k, const uint8_t *ptr1, void __libafl_targets_cmplog_routines(uintptr_t k, const uint8_t *ptr1,
const uint8_t *ptr2) { const uint8_t *ptr2) {

3
libafl_targets/src/cmplog.h
View File

@ -234,7 +234,8 @@ static inline void cmplog_routines_checked_extended(uintptr_t k,
void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape, void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
uint64_t arg1, uint64_t arg2); uint64_t arg1, uint64_t arg2);
void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
uint64_t arg1, uint64_t arg2);
void __libafl_targets_cmplog_routines(uintptr_t k, const uint8_t *ptr1, void __libafl_targets_cmplog_routines(uintptr_t k, const uint8_t *ptr1,
const uint8_t *ptr2); const uint8_t *ptr2);

8
libafl_targets/src/cmps/mod.rs
View File

@ -51,15 +51,23 @@ unsafe extern "C" {
/// Logs an instruction for feedback during fuzzing /// Logs an instruction for feedback during fuzzing
pub fn __libafl_targets_cmplog_instructions(k: usize, shape: u8, arg1: u64, arg2: u64); pub fn __libafl_targets_cmplog_instructions(k: usize, shape: u8, arg1: u64, arg2: u64);
/// Logs an AFL++ style instruction for feedback during fuzzing
pub fn __libafl_targets_cmplog_instructions_extended(k: usize, shape: u8, arg1: u64, arg2: u64);
/// Logs a routine for feedback during fuzzing /// Logs a routine for feedback during fuzzing
pub fn __libafl_targets_cmplog_routines(k: usize, ptr1: *const u8, ptr2: *const u8); pub fn __libafl_targets_cmplog_routines(k: usize, ptr1: *const u8, ptr2: *const u8);
/// Pointer to the `CmpLog` map /// Pointer to the `CmpLog` map
pub static mut libafl_cmplog_map_ptr: *mut CmpLogMap; pub static mut libafl_cmplog_map_ptr: *mut CmpLogMap;
/// Pointer to the extended `CmpLog` map
pub static mut libafl_cmplog_map_extended_ptr: *mut CmpLogMap;
} }
#[cfg(feature = "cmplog")] #[cfg(feature = "cmplog")]
pub use libafl_cmplog_map_ptr as CMPLOG_MAP_PTR; pub use libafl_cmplog_map_ptr as CMPLOG_MAP_PTR;
#[cfg(feature = "cmplog_extended_instrumentation")]
pub use libafl_cmplog_map_extended_ptr as EXTENDED_CMPLOG_MAP_PTR;
/// Value indicating if cmplog is enabled. /// Value indicating if cmplog is enabled.
#[unsafe(no_mangle)] #[unsafe(no_mangle)]

7
libafl_targets/src/forkserver.rs
View File

@ -22,6 +22,9 @@ use nix::{
#[cfg(feature = "cmplog")] #[cfg(feature = "cmplog")]
use crate::cmps::CMPLOG_MAP_PTR; use crate::cmps::CMPLOG_MAP_PTR;
#[cfg(feature = "cmplog_extended_instrumentation")]
use crate::cmps::EXTENDED_CMPLOG_MAP_PTR;
use crate::coverage::{__afl_map_size, EDGES_MAP_PTR, INPUT_LENGTH_PTR, INPUT_PTR, SHM_FUZZING}; use crate::coverage::{__afl_map_size, EDGES_MAP_PTR, INPUT_LENGTH_PTR, INPUT_PTR, SHM_FUZZING};
#[cfg(any(target_os = "linux", target_vendor = "apple"))] #[cfg(any(target_os = "linux", target_vendor = "apple"))]
use crate::coverage::{__token_start, __token_stop}; use crate::coverage::{__token_start, __token_stop};
@ -201,6 +204,10 @@ fn map_cmplog_shared_memory_internal() -> Result<(), Error> {
unsafe { unsafe {
CMPLOG_MAP_PTR = map.cast(); CMPLOG_MAP_PTR = map.cast();
} }
#[cfg(feature = "cmplog_extended_instrumentation")]
unsafe {
EXTENDED_CMPLOG_MAP_PTR = map.cast();
}
Ok(()) Ok(())
} }