Fix frida bugs (#132)

* Get rid of extra deactivate

* Fix realloc, posix_memalign/memalign bugs

* Fix cfg attributes; Add instrumented ranges and translated PC to func errors

* Formatting

* Make hook_functions aarch64-only for now.
s1341 2021-05-27 12:17:42 +03:00 committed by GitHub
parent 945693f6ed
commit 83bef6e85a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 333 additions and 88 deletions


@ -113,9 +113,6 @@ where
libc::raise(libc::SIGABRT); libc::raise(libc::SIGABRT);
} }
} }
if self.helper.stalker_enabled() {
self.stalker.deactivate();
}
self.helper.post_exec(input); self.helper.post_exec(input);
res res
} }


@ -1,5 +1,5 @@
use hashbrown::HashMap; use hashbrown::HashMap;
#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] #[cfg(any(target_os = "linux", target_os = "android"))]
use libafl::bolts::os::walk_self_maps; use libafl::bolts::os::walk_self_maps;
use nix::{ use nix::{
libc::memset, libc::memset,


@ -4,7 +4,7 @@ use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity};
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
use frida_gum::interceptor::Interceptor; use frida_gum::interceptor::Interceptor;
#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] #[cfg(any(target_os = "linux", target_os = "android"))]
use libafl::bolts::os::find_mapping_for_address; use libafl::bolts::os::find_mapping_for_address;
use libafl::{ use libafl::{
@ -46,8 +46,8 @@ pub(crate) enum AsanError {
Leak((usize, AllocationMetadata)), Leak((usize, AllocationMetadata)),
StackOobRead(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)), StackOobRead(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)),
StackOobWrite(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)), StackOobWrite(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)),
BadFuncArgRead((String, usize, usize, Backtrace)), BadFuncArgRead((String, usize, usize, usize, Backtrace)),
BadFuncArgWrite((String, usize, usize, Backtrace)), BadFuncArgWrite((String, usize, usize, usize, Backtrace)),
} }
impl AsanError { impl AsanError {
@ -253,18 +253,33 @@ impl AsanErrors {
} }
} }
} }
AsanError::BadFuncArgRead((name, address, size, backtrace)) AsanError::BadFuncArgRead((name, pc, address, size, backtrace))
| AsanError::BadFuncArgWrite((name, address, size, backtrace)) => { | AsanError::BadFuncArgWrite((name, pc, address, size, backtrace)) => {
writeln!( writeln!(
output, output,
" in call to {}, argument {:#016x}, size: {:#x}", " in call to {}, argument {:#016x}, size: {:#x}",
name, address, size name, address, size
) )
.unwrap(); .unwrap();
output.reset().unwrap();
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
{ {
let invocation = Interceptor::current_invocation(); let invocation = Interceptor::current_invocation();
let cpu_context = invocation.cpu_context(); let cpu_context = invocation.cpu_context();
if let Some((range, path)) = instrumented_ranges.unwrap().get_key_value(&pc) {
writeln!(
output,
" at 0x{:x} ({}@0x{:04x})",
pc,
path,
pc - range.start,
)
.unwrap();
} else {
writeln!(output, " at 0x{:x}", pc,).unwrap();
}
#[allow(clippy::non_ascii_literal)] #[allow(clippy::non_ascii_literal)]
writeln!(output, "{:━^100}", " REGISTERS ").unwrap(); writeln!(output, "{:━^100}", " REGISTERS ").unwrap();
for reg in 0..29 { for reg in 0..29 {
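Review bot: `instrumented_ranges.unwrap()` in the new `if let` of the `BadFuncArgRead`/`BadFuncArgWrite` arm panics the reporter itself whenever no range map was supplied, so the register dump and backtrace that follow are never written for the very fault being described; the lookup should fall back to the bare-pc line instead: `if let Some((range, path)) = instrumented_ranges.as_ref().and_then(|r| r.get_key_value(&pc)) {`. The parameter's declaration is outside the hunk, so I am assuming it is an `Option` wrapping a range map keyed by address; `pc - range.start` is safe only because `get_key_value` returned the range containing `pc`, which is worth a short comment on that line. The five-field tuple variants changed in the earlier hunk of this file would also benefit from a `///` comment fixing the positional order, e.g. `/// (function name, translated pc, argument address, size, backtrace)`, since two adjacent `usize`s are easy to swap at construction sites. The enclosing method of `AsanErrors` begins before this hunk.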



@ -304,6 +304,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
for instruction in basic_block { for instruction in basic_block {
let instr = instruction.instr(); let instr = instruction.instr();
let address = instr.address(); let address = instr.address();
//println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
//println!("address: {:x} contains: {:?}", address, helper.ranges.contains_key(&(address as usize))); //println!("address: {:x} contains: {:?}", address, helper.ranges.contains_key(&(address as usize)));
if helper.ranges.contains_key(&(address as usize)) { if helper.ranges.contains_key(&(address as usize)) {
if first { if first {
@ -314,13 +315,8 @@ impl<'a> FridaInstrumentationHelper<'a> {
} }
if helper.options().drcov_enabled() { if helper.options().drcov_enabled() {
instruction.put_callout(|context| { instruction.put_callout(|context| {
let real_address = match helper let real_address =
.asan_runtime helper.asan_runtime.real_address_for_stalked(pc(&context));
.real_address_for_stalked(pc(&context))
{
Some(address) => *address,
None => pc(&context),
};
//let (range, (id, name)) = helper.ranges.get_key_value(&real_address).unwrap(); //let (range, (id, name)) = helper.ranges.get_key_value(&real_address).unwrap();
//println!("{}:0x{:016x}", name, real_address - range.start); //println!("{}:0x{:016x}", name, real_address - range.start);
helper helper