frida: modules may be relative paths; move to ahash for filenames; fix tls bug

fuzzers/frida_libpng/src/fuzzer.rs

@@ -197,9 +197,10 @@ pub fn main() {
             env::args()
                 .nth(3)
                 .expect("no modules to instrument specified")
-                .split(":")
+                .split(':')
+                .map(|module_name| std::fs::canonicalize(module_name).unwrap())
                 .collect(),
-            vec![PathBuf::from("./corpus")],
+            &vec![PathBuf::from("./corpus")],
             PathBuf::from("./crashes"),
             1337,
         )
@@ -224,8 +225,8 @@ fn fuzz(
 unsafe fn fuzz(
     module_name: &str,
     symbol_name: &str,
-    modules_to_instrument: Vec<&str>,
-    corpus_dirs: Vec<PathBuf>,
+    modules_to_instrument: Vec<PathBuf>,
+    corpus_dirs: &Vec<PathBuf>,
     objective_dir: PathBuf,
     broker_port: u16,
 ) -> Result<(), Error> {

libafl_frida/Cargo.toml

@@ -27,7 +27,7 @@ termcolor = "1.1.2"
 serde = "1.0"
 backtrace = { version = "0.3.58", default-features = false, features = ["std", "serde"] }
 num-traits = "0.2.14"
-seahash = "4.1.0"
+ahash = "0.7"
 
 [target.'cfg(unix)'.dependencies]
 gothook = { version = "0.1" }

libafl_frida/src/asan_rt.rs

@@ -31,6 +31,7 @@ use std::{
     cell::{RefCell, RefMut},
     ffi::c_void,
     io::{self, Write},
+    path::PathBuf,
     rc::Rc,
 };
 use termcolor::{Color, ColorSpec, WriteColor};
@@ -697,7 +698,7 @@ impl AsanRuntime {
     /// Initialize the runtime so that it is read for action. Take care not to move the runtime
     /// instance after this function has been called, as the generated blobs would become
     /// invalid!
-    pub fn init(&mut self, modules_to_instrument: &[&str]) {
+    pub fn init(&mut self, modules_to_instrument: &[PathBuf]) {
         // workaround frida's frida-gum-allocate-near bug:
         unsafe {
             for _ in 0..512 {
@@ -730,7 +731,7 @@ impl AsanRuntime {
         self.unpoison_all_existing_memory();
         for module_name in modules_to_instrument {
             #[cfg(unix)]
-            self.hook_library(module_name);
+            self.hook_library(module_name.to_str().unwrap());
         }
     }
 
@@ -786,15 +787,14 @@ impl AsanRuntime {
     pub fn register_thread(&self) {
         let mut allocator = Allocator::get();
         let (stack_start, stack_end) = Self::current_stack();
-        println!("current stack: {:#016x}-{:#016x}", stack_start, stack_end);
         allocator.map_shadow_for_region(stack_start, stack_end, true);
 
-        //let (tls_start, tls_end) = Self::current_tls();
-        //allocator.map_shadow_for_region(tls_start, tls_end, true);
-        //println!(
-            //"registering thread with stack {:x}:{:x} and tls {:x}:{:x}",
-            //stack_start as usize, stack_end as usize, tls_start as usize, tls_end as usize
-        //);
+        let (tls_start, tls_end) = Self::current_tls();
+        allocator.map_shadow_for_region(tls_start, tls_end, true);
+        println!(
+            "registering thread with stack {:x}:{:x} and tls {:x}:{:x}",
+            stack_start as usize, stack_end as usize, tls_start as usize, tls_end as usize
+        );
     }
 
     /// Determine the stack start, end for the currently running thread
@@ -829,6 +829,9 @@ impl AsanRuntime {
     /// Determine the tls start, end for the currently running thread
     fn current_tls() -> (usize, usize) {
         let tls_address = unsafe { get_tls_ptr() } as usize;
+        // we need to mask off the highest byte, due to 'High Byte Ignore"
+        #[cfg(target_os = "android")]
+        let tls_address = tls_address  & 0xffffffffffffff;
 
         let (start, end, _, _) = find_mapping_for_address(tls_address).unwrap();
         (start, end)

libafl_frida/src/helper.rs

@@ -1,3 +1,6 @@
+use ahash::AHasher;
+use std::hash::Hasher;
+
 use libafl::inputs::{HasTargetBytes, Input};
 
 #[cfg(any(target_os = "linux", target_os = "android"))]
@@ -26,7 +29,7 @@ use frida_gum::{Gum, Module, PageProtection};
 use num_traits::cast::FromPrimitive;
 
 use rangemap::RangeMap;
-use std::rc::Rc;
+use std::{path::PathBuf, rc::Rc};
 
 use crate::{asan_rt::AsanRuntime, FridaOptions};
 
@@ -82,9 +85,12 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
 
     fn post_exec<I: Input + HasTargetBytes>(&mut self, input: &I) {
         if self.options.drcov_enabled() {
+            let mut hasher = AHasher::new_with_keys(0, 0);
+            hasher.write(input.target_bytes().as_slice());
+
             let filename = format!(
                 "./coverage/{:016x}.drcov",
-                seahash::hash(input.target_bytes().as_slice())
+                hasher.finish(),
             );
             DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write();
         }
@@ -193,7 +199,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
         gum: &'a Gum,
         options: FridaOptions,
         _harness_module_name: &str,
-        modules_to_instrument: &'a [&str],
+        modules_to_instrument: &'a [PathBuf],
     ) -> Self {
         let mut helper = Self {
             map: [0u8; MAP_SIZE],
@@ -214,11 +220,11 @@ impl<'a> FridaInstrumentationHelper<'a> {
 
         if options.stalker_enabled() {
             for (id, module_name) in modules_to_instrument.iter().enumerate() {
-                let (lib_start, lib_end) = find_mapping_for_path(module_name);
-                println!("including range {:x}-{:x} for {}", lib_start, lib_end, module_name);
+                let (lib_start, lib_end) = find_mapping_for_path(module_name.to_str().unwrap());
+                println!("including range {:x}-{:x} for {:?}", lib_start, lib_end, module_name);
                 helper
                     .ranges
-                    .insert(lib_start..lib_end, (id as u16, module_name));
+                    .insert(lib_start..lib_end, (id as u16, module_name.to_str().unwrap()));
             }
 
             if helper.options.drcov_enabled() {