From dea96ab59c2059713aa6cbb07f7965b852ae5b2c Mon Sep 17 00:00:00 2001
From: s1341
Date: Fri, 30 Apr 2021 15:35:40 +0300
Subject: [PATCH] frida: modules may be relative paths; move to ahash for filenames; fix tls bug
---
 fuzzers/frida_libpng/src/fuzzer.rs | 9 +++++----
 libafl_frida/Cargo.toml | 2 +-
 libafl_frida/src/asan_rt.rs | 21 ++++++++++++---------
 libafl_frida/src/helper.rs | 18 ++++++++++++------
 4 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/fuzzers/frida_libpng/src/fuzzer.rs b/fuzzers/frida_libpng/src/fuzzer.rs
index d7df2525cb..d7b0c8cde4 100644
--- a/fuzzers/frida_libpng/src/fuzzer.rs
+++ b/fuzzers/frida_libpng/src/fuzzer.rs
@@ -197,9 +197,10 @@ pub fn main() {
 env::args()
 .nth(3)
 .expect("no modules to instrument specified")
- .split(":")
+ .split(':')
+ .map(|module_name| std::fs::canonicalize(module_name).unwrap())
 .collect(),
- vec![PathBuf::from("./corpus")],
+ &vec![PathBuf::from("./corpus")],
 PathBuf::from("./crashes"),
 1337,
 )
@@ -224,8 +225,8 @@ fn fuzz(
 unsafe fn fuzz(
 module_name: &str,
 symbol_name: &str,
- modules_to_instrument: Vec<&str>,
- corpus_dirs: Vec,
+ modules_to_instrument: Vec,
+ corpus_dirs: &Vec,
 objective_dir: PathBuf,
 broker_port: u16,
 ) -> Result<(), Error> {
diff --git a/libafl_frida/Cargo.toml b/libafl_frida/Cargo.toml
index 92a082e53a..26dc39bbd3 100644
--- a/libafl_frida/Cargo.toml
+++ b/libafl_frida/Cargo.toml
@@ -27,7 +27,7 @@ termcolor = "1.1.2"
 serde = "1.0"
 backtrace = { version = "0.3.58", default-features = false, features = ["std", "serde"] }
 num-traits = "0.2.14"
-seahash = "4.1.0"
+ahash = "0.7"
 [target.'cfg(unix)'.dependencies]
 gothook = { version = "0.1" }
diff --git a/libafl_frida/src/asan_rt.rs b/libafl_frida/src/asan_rt.rs
index 80d243f50f..4f09ca01a7 100644
--- a/libafl_frida/src/asan_rt.rs
+++ b/libafl_frida/src/asan_rt.rs
@@ -31,6 +31,7 @@ use std::{
 cell::{RefCell, RefMut},
 ffi::c_void,
 io::{self, Write},
+ path::PathBuf,
 rc::Rc,
 };
 use termcolor::{Color, ColorSpec, WriteColor};
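Review bot: The added `.map(|module_name| std::fs::canonicalize(module_name).unwrap())` in the `main` hunk aborts with a bare "called `Result::unwrap()` on an `Err` value" when one of the colon-separated module paths does not exist or is not readable, so the user cannot tell which entry was wrong. A message naming the entry costs one line: `.map(|m| std::fs::canonicalize(m).unwrap_or_else(|e| panic!("cannot canonicalize module {:?}: {}", m, e)))`. Canonicalizing also resolves symlinks, which is presumably what lets a relative module name match the absolute path of the loaded library; a short comment on the `.map` line saying so would save the next reader from wondering why plain `PathBuf::from` was not enough. `main` continues outside the hunk.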
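Review bot: The new `corpus_dirs: &Vec` parameter in the `fuzz` signature takes a `&Vec` where a slice would do; clippy's `ptr_arg` flags this, and with a slice the caller can pass `&[PathBuf::from("./corpus")]` instead of allocating a `vec!` just to borrow it. Change it to `corpus_dirs: &[PathBuf],` and, unless ownership is needed further down, consider `modules_to_instrument: &[PathBuf]` for the same reason. The generic arguments appear stripped in this rendering of the hunk, so the element types here are inferred from the caller. `fuzz`'s body continues outside the hunk.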
@@ -697,7 +698,7 @@ impl AsanRuntime {
 /// Initialize the runtime so that it is read for action. Take care not to move the runtime
 /// instance after this function has been called, as the generated blobs would become
 /// invalid!
- pub fn init(&mut self, modules_to_instrument: &[&str]) {
+ pub fn init(&mut self, modules_to_instrument: &[PathBuf]) {
 // workaround frida's frida-gum-allocate-near bug:
 unsafe {
 for _ in 0..512 {
@@ -730,7 +731,7 @@ impl AsanRuntime {
 self.unpoison_all_existing_memory();
 for module_name in modules_to_instrument {
 #[cfg(unix)]
- self.hook_library(module_name);
+ self.hook_library(module_name.to_str().unwrap());
 }
 }
@@ -786,15 +787,14 @@ impl AsanRuntime {
 pub fn register_thread(&self) {
 let mut allocator = Allocator::get();
 let (stack_start, stack_end) = Self::current_stack();
- println!("current stack: {:#016x}-{:#016x}", stack_start, stack_end);
 allocator.map_shadow_for_region(stack_start, stack_end, true);
- //let (tls_start, tls_end) = Self::current_tls();
- //allocator.map_shadow_for_region(tls_start, tls_end, true);
- //println!(
- //"registering thread with stack {:x}:{:x} and tls {:x}:{:x}",
- //stack_start as usize, stack_end as usize, tls_start as usize, tls_end as usize
- //);
+ let (tls_start, tls_end) = Self::current_tls();
+ allocator.map_shadow_for_region(tls_start, tls_end, true);
+ println!(
+ "registering thread with stack {:x}:{:x} and tls {:x}:{:x}",
+ stack_start as usize, stack_end as usize, tls_start as usize, tls_end as usize
+ );
 }
 /// Determine the stack start, end for the currently running thread
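Review bot: The doc comment on `init` says nothing about what the new `modules_to_instrument: &[PathBuf]` entries must look like, and the only hint lives in another crate where the caller canonicalizes them before the call. Add a line under the existing comment such as `/// \`modules_to_instrument\` are library paths as they appear in the loaded process (callers should canonicalize relative names first).` — hedged, since `hook_library` is not shown and may accept other forms. While there, "read for action" in the first sentence looks like a typo for "ready for action". `init`'s body continues outside the hunk.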
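Review bot: `module_name.to_str().unwrap()` on the new `hook_library` call panics with no context on a non-UTF-8 path, which `PathBuf` explicitly permits. Either state the invariant where it is assumed, `self.hook_library(module_name.to_str().expect("module path is not valid UTF-8"));`, or change `hook_library` to take `&Path` so the conversion happens where the bytes are actually consumed. `hook_library` is outside the hunk, so I cannot tell which of the two fits it.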
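Review bot: The re-enabled `println!` at the end of `register_thread` writes raw stack and TLS bounds to stdout on every thread registration; the same commit deletes the older stack-only print, so this one reads as leftover debugging rather than intended output. If the addresses are useful, gate the print behind a verbosity option or route it through the crate's logging; otherwise drop the three lines. Note also that `Self::current_tls()` is now on the registration path, and its body (in the later hunk) unwraps the mapping lookup, so a thread whose TLS pointer does not resolve to a mapping will panic here instead of merely skipping the TLS shadow — worth a comment or a fallible variant if such threads can occur, which I cannot tell from here.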
@@ -829,6 +829,9 @@ impl AsanRuntime {
 /// Determine the tls start, end for the currently running thread
 fn current_tls() -> (usize, usize) {
 let tls_address = unsafe { get_tls_ptr() } as usize;
+ // we need to mask off the highest byte, due to 'High Byte Ignore"
+ #[cfg(target_os = "android")]
+ let tls_address = tls_address & 0xffffffffffffff;
 let (start, end, _, _) = find_mapping_for_address(tls_address).unwrap();
 (start, end)
diff --git a/libafl_frida/src/helper.rs b/libafl_frida/src/helper.rs
index 589f270b40..d53308f192 100644
--- a/libafl_frida/src/helper.rs
+++ b/libafl_frida/src/helper.rs
@@ -1,3 +1,6 @@
+use ahash::AHasher;
+use std::hash::Hasher;
+
 use libafl::inputs::{HasTargetBytes, Input};
 #[cfg(any(target_os = "linux", target_os = "android"))]
@@ -26,7 +29,7 @@ use frida_gum::{Gum, Module, PageProtection};
 use num_traits::cast::FromPrimitive;
 use rangemap::RangeMap;
-use std::rc::Rc;
+use std::{path::PathBuf, rc::Rc};
 use crate::{asan_rt::AsanRuntime, FridaOptions};
@@ -82,9 +85,12 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
 fn post_exec(&mut self, input: &I) {
 if self.options.drcov_enabled() {
+ let mut hasher = AHasher::new_with_keys(0, 0);
+ hasher.write(input.target_bytes().as_slice());
+
 let filename = format!(
 "./coverage/{:016x}.drcov",
- seahash::hash(input.target_bytes().as_slice())
+ hasher.finish(),
 );
 DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write();
 }
@@ -193,7 +199,7 @@ impl<'a> FridaInstrumentationHelper<'a> {
 gum: &'a Gum,
 options: FridaOptions,
 _harness_module_name: &str,
- modules_to_instrument: &'a [&str],
+ modules_to_instrument: &'a [PathBuf],
 ) -> Self {
 let mut helper = Self {
 map: [0u8; MAP_SIZE],
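Review bot: The mask literal `0xffffffffffffff` on the new Android line does not fit a 32-bit `usize`, so under the `#[cfg(target_os = "android")]` guard it is a hard `overflowing_literals` error on armv7 and x86 Android builds, and the top-byte-ignore behaviour being worked around is an AArch64 feature anyway. Gate on the architecture and write the mask by what it strips: `#[cfg(all(target_os = "android", target_arch = "aarch64"))]` followed by `let tls_address = tls_address & !(0xff << 56);`. The comment's mismatched quotes (`'High Byte Ignore"`) should be fixed too, and naming the feature as ARM does, Top Byte Ignore (TBI), will let readers find the documentation. The closing brace of `current_tls` is outside the hunk.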
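Review bot: `AHasher::new_with_keys(0, 0)` in `post_exec` yields a value that ahash documents as not stable across crate versions or platforms (its output depends on the CPU instructions available), so the `./coverage/{:016x}.drcov` names are no longer reproducible across machines or after a `cargo update` within the `"0.7"` range, whereas seahash advertised a portable result. If the names only need to be unique within one run that is fine but deserves a comment, e.g. `// not stable across ahash versions/CPUs; only uniqueness within a run is needed`; if anything de-duplicates coverage files across runs or hosts, keep a stable hash instead. The fixed zero keys are not a hash-flooding concern here since nothing is keyed on this value in a table. `post_exec`'s enclosing impl continues outside the hunk.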
@@ -214,11 +220,11 @@ impl<'a> FridaInstrumentationHelper<'a> {
 if options.stalker_enabled() {
 for (id, module_name) in modules_to_instrument.iter().enumerate() {
- let (lib_start, lib_end) = find_mapping_for_path(module_name);
- println!("including range {:x}-{:x} for {}", lib_start, lib_end, module_name);
+ let (lib_start, lib_end) = find_mapping_for_path(module_name.to_str().unwrap());
+ println!("including range {:x}-{:x} for {:?}", lib_start, lib_end, module_name);
 helper
 .ranges
- .insert(lib_start..lib_end, (id as u16, module_name));
+ .insert(lib_start..lib_end, (id as u16, module_name.to_str().unwrap()));
 }
 if helper.options.drcov_enabled() {
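Review bot: `module_name.to_str().unwrap()` is evaluated twice in the stalker loop, once for `find_mapping_for_path` and again in the `helper.ranges.insert` call, and both panic without context on a non-UTF-8 path. Bind it once at the top of the loop body, `let module_name = module_name.to_str().expect("module path is not valid UTF-8");`, and use that in both places; the `println!` can then go back to `{}` since the value is a `&str`. The borrow still comes from the `&'a [PathBuf]` parameter, so the `&'a str` stored in `ranges` keeps the same lifetime. `new` starts and ends outside the hunk.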