Merge branch 'dev' of github.com:AFLplusplus/LibAFLrs into dev

2021-04-02 11:59:47 +02:00 · 2021-04-02 11:59:47 +02:00 · fd46388f63
commit fd46388f63
parent ceea3e0c14 c8bfe76c43
5 changed files with 73 additions and 108 deletions
--- a/fuzzers/frida_libpng/build.rs
+++ b/fuzzers/frida_libpng/build.rs
@ -29,8 +29,13 @@ fn main() {
    let libpng_tar = format!("{}/libpng-1.6.37.tar.xz", &cwd);
    // Enforce clang for its -fsanitize-coverage support.
-    std::env::set_var("CC", "clang");
+    let clang = match env::var("CLANG_PATH") {
-    std::env::set_var("CXX", "clang++");
+        Ok(path) => path,
        Err(_) => "clang".to_string(),
    };
    let clangpp = format!("{}++", &clang);
    std::env::set_var("CC", &clang);
    std::env::set_var("CXX", &clangpp);
    let ldflags = match env::var("LDFLAGS") {
        Ok(val) => val,
        Err(_) => "".to_string(),
@ -61,8 +66,8 @@ fn main() {
                "--disable-shared",
                &format!("--host={}", env::var("TARGET").unwrap())[..],
            ])
-            .env("CC", "clang")
+            .env("CC", &clang)
-            .env("CXX", "clang++")
+            .env("CXX", &clangpp)
            .env(
                "CFLAGS",
                "-O3 -g -D_DEFAULT_SOURCE -fPIC -fno-omit-frame-pointer",
--- a/fuzzers/frida_libpng/src/fuzzer.rs
+++ b/fuzzers/frida_libpng/src/fuzzer.rs
@ -77,69 +77,56 @@ pub fn get_module_size(module_name: &str) -> usize {
 /// every time we need a copy that is within a direct branch of the start of the transformed basic
 /// block.
 #[cfg(target_arch = "x86_64")]
-const MAYBE_LOG_CODE: [u8; 69] = [
+const MAYBE_LOG_CODE: [u8; 47] = [
-    0x9c, // pushfq
+    0x9c, /* pushfq */
-    0x50, // push rax
+    0x50, /* push rax */
-    0x51, // push rcx
+    0x51, /* push rcx */
-    0x52, // push rdx
+    0x52, /* push rdx */
-    0x56, // push rsi
+    0x48, 0x8d, 0x05, 0x24, 0x00, 0x00, 0x00, /* lea rax, sym._afl_area_ptr_ptr */
-    0x89, 0xf8, // mov eax, edi
+    0x48, 0x8b, 0x00, /* mov rax, qword [rax] */
-    0xc1, 0xe0, 0x08, // shl eax, 8
+    0x48, 0x8d, 0x0d, 0x22, 0x00, 0x00, 0x00, /* lea rcx, sym.previous_pc     */
-    0xc1, 0xef, 0x04, // shr edi, 4
+    0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */
-    0x31, 0xc7, // xor edi, eax
+    0x48, 0x8b, 0x12, /* mov rdx, qword [rdx] */
-    0x0f, 0xb7, 0xc7, // movzx eax, di
+    0x48, 0x31, 0xfa, /* xor rdx, rdi */
-    0x48, 0x8d, 0x0d, 0x34, 0x00, 0x00, 0x00, // lea rcx, sym._afl_area_ptr_ptr
+    0xfe, 0x04, 0x10, /* inc byte [rax + rdx] */
-    0x48, 0x8b, 0x09, // mov rcx, qword [rcx]
+    0x48, 0xd1, 0xef, /* shr rdi, 1 */
-    0x48, 0x8d, 0x15, 0x22, 0x00, 0x00, 0x00, // lea rdx, sym._afl_prev_loc_ptr
+    0x48, 0x8b, 0x01, /* mov rax, qword [rcx] */
-    0x48, 0x8b, 0x32, // mov rsi, qword [rdx]
+    0x48, 0x89, 0x38, /* mov qword [rax], rdi */
-    0x48, 0x8b, 0x36, // mov rsi, qword [rsi]
+    0x5a, /* pop rdx */
-    0x48, 0x31, 0xc6, // xor rsi, rax
+    0x59, /* pop rcx */
-    0x48, 0x81, 0xe6, 0xff, 0x1f, 0x00,
+    0x58, /* pop rax */
-    0x00, // and rsi, 0x1fff (8 * 1024 - 1) TODO: make this variable
+    0x9d, /* popfq */
-    0xfe, 0x04, 0x31, // inc byte [rcx + rsi]
+    0xc3, /* ret */
-    0x48, 0xd1, 0xe8, // shr rax, 1
+
-    0x48, 0x8b, 0x0a, // mov rcx, qword [rdx]
+          /* Read-only data goes here: */
-    0x48, 0x89, 0x01, // mov qword [rcx], rax
+          /* uint8_t* afl_area_ptr */
-    0x5e, // pop rsi
+          /* uint64_t* afl_prev_loc_ptr */
    0x5a, // pop rdx
    0x59, // pop rcx
    0x58, // pop rax
    0x9d, // popfq
    0xc3, // ret
          // Read-only data goes here:
          // uint64_t* afl_prev_loc_ptr
          // uint8_t** afl_area_ptr_ptr
          // unsigned int afl_instr_rms
 ];
 #[cfg(target_arch = "aarch64")]
-const MAYBE_LOG_CODE: [u8; 104] = [
+const MAYBE_LOG_CODE: [u8; 56] = [
    // __afl_area_ptr[current_pc ^ previous_pc]++;
    // previous_pc = current_pc >> 1;
    0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]!
    0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]!
-    0xE1, 0x03, 0x00, 0xAA, // mov x1, x0
+    // x0 = current_pc
-    0x00, 0xDC, 0x78, 0xD3, // lsl x0, x0, #8
+    0x81, 0x01, 0x00, 0x58, // ldr x1, #0x30, =__afl_area_ptr
-    0x21, 0xFC, 0x44, 0xD3, // lsr x1, x1, #4
+    0xa2, 0x01, 0x00, 0x58, // ldr x2, #0x38, =&previous_pc
-    0x00, 0x00, 0x01, 0xCA, // eor x0, x0, x1
+    0x44, 0x00, 0x40, 0xf9, // ldr x4, [x2] (=previous_pc)
-    0x00, 0x3C, 0x00, 0x53, // uxth w0, w0
+    // __afl_area_ptr[current_pc ^ previous_pc]++;
-    0xa1, 0x02, 0x00, 0x58, // ldr x1, =area_ptr
+    0x84, 0x00, 0x00, 0xca, // eor x4, x4, x0
-    0x42, 0x02, 0x00, 0x58, // ldr x2, =pc_ptr
+    0x23, 0x68, 0x64, 0xf8, // ldr x3, [x1, x4]
-    0x43, 0x00, 0x40, 0xF9, // ldr x3, [x2]
+    0x63, 0x04, 0x00, 0x91, // add x3, x3, #1
-    0x63, 0x00, 0x00, 0xCA, // eor x3, x3, x0
+    0x23, 0x68, 0x24, 0xf8, // str x3, [x1, x2]
-    0x63, 0x40, 0x40, 0x92, // and x3, x3, #0x1ffff
+    // previous_pc = current_pc >> 1;
-    0x21, 0x00, 0x03, 0x8B, // add x1, x1, x3
+    0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1
-    0x24, 0x00, 0x40, 0x39, // ldrb w4, [x1, #0
+    0x40, 0x00, 0x00, 0xf9, // str x0, [x2]
    0x84, 0x04, 0x00, 0x91, // add x4, x4, #1
    0x24, 0x00, 0x00, 0x39, // strb w4, [x1, #0]
    0x00, 0xFC, 0x41, 0xD3, // lsr x0, x0, #1
    0x40, 0x00, 0x00, 0xF9, // str x0, [x2]
    0xE3, 0x13, 0xc1, 0xA8, // ldp x3, x4, [sp], #0x10
    0xE1, 0x0B, 0xc1, 0xA8, // ldp x1, x2, [sp], #0x10
    0xC0, 0x03, 0x5F, 0xD6, // ret
-    0x1f, 0x20, 0x03, 0xD5, // nop
+
-    0x1f, 0x20, 0x03, 0xD5, // nop
+          // &afl_area_ptr
-    0x1f, 0x20, 0x03, 0xD5, // nop
+          // &afl_prev_loc_ptr
    0x1f, 0x20, 0x03, 0xD5, // nop
    0x1f, 0x20, 0x03, 0xD5, // nop
 ];
 /// The implementation of the FridaEdgeCoverageHelper
@ -198,7 +185,10 @@ impl<'a> FridaEdgeCoverageHelper<'a> {
                                -(frida_gum_sys::GUM_RED_ZONE_SIZE as i32),
                            );
                            writer.put_push_reg(X86Register::Rdi);
-                            writer.put_mov_reg_address(X86Register::Rdi, address);
+                            writer.put_mov_reg_address(
                                X86Register::Rdi,
                                ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64,
                            );
                            writer.put_call_address(helper.current_log_impl);
                            writer.put_pop_reg(X86Register::Rdi);
                            writer.put_lea_reg_reg_offset(
@ -216,7 +206,10 @@ impl<'a> FridaEdgeCoverageHelper<'a> {
                                -(16 + frida_gum_sys::GUM_RED_ZONE_SIZE as i32) as i64,
                                IndexMode::PreAdjust,
                            );
-                            writer.put_ldr_reg_u64(Aarch64Register::X0, address);
+                            writer.put_ldr_reg_u64(
                                Aarch64Register::X0,
                                ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64,
                            );
                            writer.put_bl_imm(helper.current_log_impl);
                            writer.put_ldp_reg_reg_reg_offset(
                                Aarch64Register::Lr,
--- a/libafl/src/bolts/llmp.rs
+++ b/libafl/src/bolts/llmp.rs
@ -80,18 +80,12 @@ use nix::{
 };
 #[cfg(all(feature = "std", unix))]
-use std::{
+use std::os::unix::{
-    ffi::CStr,
+    self,
-    os::unix::{
+    net::{UnixListener, UnixStream},
-        self,
+    {io::AsRawFd, prelude::RawFd},
        net::{UnixListener, UnixStream},
        {io::AsRawFd, prelude::RawFd},
    },
 };
 #[cfg(all(unix, feature = "std"))]
 use libc::c_char;
 #[cfg(all(unix, feature = "std"))]
 use uds::{UnixListenerExt, UnixSocketAddr, UnixStreamExt};
@ -102,9 +96,6 @@ use crate::{
    Error,
 };
 #[cfg(all(unix, feature = "std"))]
 use super::shmem::HasFd;
 /// We'll start off with 256 megabyte maps per fuzzer client
 #[cfg(not(feature = "llmp_small_maps"))]
 const LLMP_CFG_INITIAL_MAP_SIZE: usize = 1 << 28;
@ -454,7 +445,7 @@ where
 #[cfg(all(unix, feature = "std"))]
 impl<SH> LlmpConnection<SH>
 where
-    SH: ShMem + HasFd,
+    SH: ShMem,
 {
    #[cfg(all(feature = "std", unix))]
    pub fn on_domain_socket(filename: &str) -> Result<Self, Error> {
@ -1438,6 +1429,7 @@ where
        let client_out_map_mem = &self.llmp_out.out_maps.first().unwrap().shmem;
        let broadcast_map_description = postcard::to_allocvec(&client_out_map_mem.description())?;
        let client_out_map_mem_fd: i32 = client_out_map_mem.shm_str().parse().unwrap();
        let mut incoming_map_description_serialized = vec![0u8; broadcast_map_description.len()];
@ -1504,17 +1496,7 @@ where
                    ListenerStream::Unix(stream, addr) => unsafe {
                        dbg!("New connection", addr);
-                        let broadcast_fd_initial: i32 =
+                        let broadcast_fd_initial: i32 = client_out_map_mem_fd;
                            CStr::from_ptr(broadcast_map_description.as_ptr() as *const c_char)
                                .to_string_lossy()
                                .into_owned()
                                .parse()
                                .unwrap_or_else(|_| {
                                    panic!(
                                        "ShmId is not a valid int file descriptor: {:?}",
                                        broadcast_map_description
                                    )
                                });
                        match sendmsg(
                            stream.as_raw_fd(),
@ -1893,7 +1875,7 @@ where
 #[cfg(all(unix, feature = "std"))]
 impl<SH> LlmpClient<SH>
 where
-    SH: ShMem + HasFd,
+    SH: ShMem,
 {
    #[cfg(all(unix, feature = "std"))]
    /// Create a LlmpClient, getting the ID from a given filename
@ -1936,7 +1918,9 @@ where
                            .first()
                            .unwrap()
                            .shmem
-                            .shm_id()])],
+                            .shm_str()
                            .parse()
                            .unwrap()])],
                        MsgFlags::empty(),
                        None,
                    ) {
--- a/libafl/src/bolts/shmem.rs
+++ b/libafl/src/bolts/shmem.rs
@ -101,13 +101,6 @@ pub trait ShMem: Sized + Debug {
    }
 }
 /// shared maps that have an id can use this trait
 //#[cfg(all(unix, feature = "std"))]
 pub trait HasFd {
    /// Retrieve the id of this shared map
    fn shm_id(&self) -> i32;
 }
 #[cfg(all(unix, feature = "std"))]
 pub mod unix_shmem {
@ -121,7 +114,7 @@ pub mod unix_shmem {
    use crate::Error;
-    use super::{HasFd, ShMem};
+    use super::ShMem;
    #[cfg(unix)]
    extern "C" {
@ -313,12 +306,6 @@ pub mod unix_shmem {
        }
    }
    impl HasFd for UnixShMem {
        fn shm_id(&self) -> i32 {
            self.shm_id
        }
    }
    /// Deinit sharedmaps on drop
    impl Drop for UnixShMem {
        fn drop(&mut self) {
--- a/libafl/src/events/llmp.rs
+++ b/libafl/src/events/llmp.rs
@ -17,9 +17,6 @@ use crate::utils::{fork, ForkResult};
 #[cfg(all(feature = "std", unix))]
 use crate::bolts::shmem::UnixShMem;
 #[cfg(all(feature = "std", unix))]
 use crate::bolts::shmem::HasFd;
 use crate::{
    bolts::{
        llmp::{self, LlmpClient, LlmpClientDescription, LlmpSender, Tag},
@ -313,7 +310,7 @@ impl<I, S, SH, ST> LlmpEventManager<I, S, SH, ST>
 where
    I: Input,
    S: IfInteresting<I>,
-    SH: ShMem + HasFd,
+    SH: ShMem,
    ST: Stats,
 {
    #[cfg(all(feature = "std", unix))]
@ -516,7 +513,7 @@ pub fn setup_restarting_mgr<I, S, SH, ST>(
 where
    I: Input,
    S: DeserializeOwned + IfInteresting<I>,
-    SH: ShMem, // Todo: HasFd is only needed for Android
+    SH: ShMem,
    ST: Stats,
 {
    let mut mgr;
@ -525,7 +522,6 @@ where
    let (sender, mut receiver) = if std::env::var(_ENV_FUZZER_SENDER).is_err() {
        #[cfg(target_os = "android")]
        {
            let path = std::env::current_dir()?;
            mgr = LlmpEventManager::<I, S, SH, ST>::new_on_domain_socket(stats, "\x00llmp_socket")?;
        };
        #[cfg(not(target_os = "android"))]