Fix frida bugs (#132)

* Get rid of extra deactivate

* Fix realloc, posix_memalign/memalign bugs

* Fix cfg attributes; Add instrumented ranges and translated PC to func errors

* Formatting

* Make hook_functions aarch64 only for now.
This commit is contained in:
s1341 2021-05-27 12:17:42 +03:00 committed by GitHub
parent 945693f6ed
commit 83bef6e85a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 333 additions and 88 deletions


@ -113,9 +113,6 @@ where
libc::raise(libc::SIGABRT);
}
}
if self.helper.stalker_enabled() {
self.stalker.deactivate();
}
self.helper.post_exec(input);
res
}


@ -1,5 +1,5 @@
use hashbrown::HashMap;
#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))]
#[cfg(any(target_os = "linux", target_os = "android"))]
use libafl::bolts::os::walk_self_maps;
use nix::{
libc::memset,
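Review bot: Dropping the `feature = "std"` conjunct from the cfg gate on the `walk_self_maps` import makes that import unconditional on linux/android, so if `libafl::bolts::os::walk_self_maps` is itself behind libafl's `std` feature, a `--no-default-features` build of this crate on those targets would fail to resolve the name. If the frida helper genuinely always requires std (plausible given the Stalker/Interceptor usage elsewhere in this commit, but not shown here), state that next to the gate, e.g. `// frida_gum always needs std, so only the target_os gate applies`; otherwise keep `all(feature = "std", ...)`. The same gate change appears in the asan_errors import block and should be handled consistently.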


@ -4,7 +4,7 @@ use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity};
#[cfg(target_arch = "aarch64")]
use frida_gum::interceptor::Interceptor;
#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))]
#[cfg(any(target_os = "linux", target_os = "android"))]
use libafl::bolts::os::find_mapping_for_address;
use libafl::{
@ -46,8 +46,8 @@ pub(crate) enum AsanError {
Leak((usize, AllocationMetadata)),
StackOobRead(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)),
StackOobWrite(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)),
BadFuncArgRead((String, usize, usize, Backtrace)),
BadFuncArgWrite((String, usize, usize, Backtrace)),
BadFuncArgRead((String, usize, usize, usize, Backtrace)),
BadFuncArgWrite((String, usize, usize, usize, Backtrace)),
}
impl AsanError {
@ -253,18 +253,33 @@ impl AsanErrors {
}
}
}
AsanError::BadFuncArgRead((name, address, size, backtrace))
| AsanError::BadFuncArgWrite((name, address, size, backtrace)) => {
AsanError::BadFuncArgRead((name, pc, address, size, backtrace))
| AsanError::BadFuncArgWrite((name, pc, address, size, backtrace)) => {
writeln!(
output,
" in call to {}, argument {:#016x}, size: {:#x}",
name, address, size
)
.unwrap();
output.reset().unwrap();
#[cfg(target_arch = "aarch64")]
{
let invocation = Interceptor::current_invocation();
let cpu_context = invocation.cpu_context();
if let Some((range, path)) = instrumented_ranges.unwrap().get_key_value(&pc) {
writeln!(
output,
" at 0x{:x} ({}@0x{:04x})",
pc,
path,
pc - range.start,
)
.unwrap();
} else {
writeln!(output, " at 0x{:x}", pc,).unwrap();
}
#[allow(clippy::non_ascii_literal)]
writeln!(output, "{:━^100}", " REGISTERS ").unwrap();
for reg in 0..29 {
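Review bot: `instrumented_ranges.unwrap()` in the new `BadFuncArgRead`/`BadFuncArgWrite` reporting arm panics when no instrumented ranges were supplied, which turns a detected bad function argument into an abort inside the error reporter before the register dump is printed. Since the else-branch already handles the bare-`pc` case, the lookup should degrade instead of panic: `if let Some((range, path)) = instrumented_ranges.and_then(|ranges| ranges.get_key_value(&pc)) {` (this assumes `instrumented_ranges` is an `Option` over a range map, which the hunk does not show; adjust if it is a different wrapper). The new `pc` tuple field added to both variants would also benefit from a field comment stating that it is the translated (un-stalked) PC of the faulting call, as the commit message implies, since a reader of the enum cannot tell it apart from the `address` field. The enclosing report method starts and ends outside the hunk.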



@ -304,6 +304,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
for instruction in basic_block {
let instr = instruction.instr();
let address = instr.address();
//println!("block @ {:x} transformed to {:x}", address, output.writer().pc());
//println!("address: {:x} contains: {:?}", address, helper.ranges.contains_key(&(address as usize)));
if helper.ranges.contains_key(&(address as usize)) {
if first {
@ -314,13 +315,8 @@ impl<'a> FridaInstrumentationHelper<'a> {
}
if helper.options().drcov_enabled() {
instruction.put_callout(|context| {
let real_address = match helper
.asan_runtime
.real_address_for_stalked(pc(&context))
{
Some(address) => *address,
None => pc(&context),
};
let real_address =
helper.asan_runtime.real_address_for_stalked(pc(&context));
//let (range, (id, name)) = helper.ranges.get_key_value(&real_address).unwrap();
//println!("{}:0x{:016x}", name, real_address - range.start);
helper
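Review bot: The hunk keeps commented-out debug `println!` lines around the new `real_address` lookup (the `block @ ... transformed to ...` and `contains:` lines at the top, and the `get_key_value`/`name:0x...` pair after it) instead of deleting them or putting them behind a logging facility; commented-out code in the drcov callout drifts out of date and hides the one live statement. Recommend removing all four lines. Separately, the `None => pc(&context)` fallback that this hunk deletes must now be provided by `real_address_for_stalked` itself (its change is in the suppressed asan_rt diff), so a one-line comment at the call site, e.g. `// real_address_for_stalked falls back to the stalked pc when no translation is recorded`, would document the contract the drcov path now relies on — if that is indeed its behaviour. The enclosing transform closure starts before the hunk.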