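/*
   american fuzzy lop++ - LLVM Injection instrumentation
   --------------------------------------------------

   Written by Marc Heuse <[email protected]>

   Copyright 2015, 2016 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

 */

/*
   Overview: this module pass looks for direct, C-calling-convention calls to
   a fixed list of library entry points (SQL, LDAP and HTML parsing) and
   inserts, immediately before each one, a call to a runtime hook
   (__afl_injection_sql / __afl_injection_ldap / __afl_injection_xss) that
   receives one string argument of the original call cast to i8*.  The hooks
   are only declared here; their implementation lives outside this file.

   Coverage caveats for anyone relying on this as a detector:
     - matching is by callee symbol name only, so project-specific wrappers
       are not recognised unless they are added at ADD_TO_INJECTIONS below;
     - indirect calls (getCalledFunction() == nullptr) are skipped;
     - functions excluded by the instrument list are not scanned.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <list>
#include <string>
#include <vector>
#include <fstream>
#include <sys/time.h>
#include "llvm/Config/llvm-config.h"

#include "llvm/ADT/Statistic.h"
#include "llvm/IR/IRBuilder.h"
#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
  #include "llvm/Passes/PassPlugin.h"
  #include "llvm/Passes/PassBuilder.h"
  #include "llvm/IR/PassManager.h"
#else
  #include "llvm/IR/LegacyPassManager.h"
  #include "llvm/Transforms/IPO/PassManagerBuilder.h"
#endif
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#if LLVM_VERSION_MAJOR < 17
  #include "llvm/Transforms/IPO/PassManagerBuilder.h"
#endif
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Pass.h"
#include "llvm/Analysis/ValueTracking.h"

#include "llvm/IR/IRBuilder.h"
#if LLVM_VERSION_MAJOR >= 4 || \
    (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4)
  #include "llvm/IR/Verifier.h"
  #include "llvm/IR/DebugInfo.h"
#else
  #include "llvm/Analysis/Verifier.h"
  #include "llvm/DebugInfo.h"
  #define nullptr 0
#endif

#include <set>
#include "afl-llvm-common.h"

using namespace llvm;

namespace {

/* The class head and constructor signature differ between the new and the
   legacy pass manager; the constructor body is shared below the #endif. */
#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
class InjectionRoutines : public PassInfoMixin<InjectionRoutines> {

 public:
  InjectionRoutines() {

#else
class InjectionRoutines : public ModulePass {

 public:
  static char ID;
  InjectionRoutines() : ModulePass(ID) {

#endif

    initInstrumentList();

  }

#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
  PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
#else
  bool runOnModule(Module &M) override;

  #if LLVM_VERSION_MAJOR >= 4
  StringRef getPassName() const override {

  #else
  const char *getPassName() const override {

  #endif
    return "Injection routines";

  }

#endif

 private:
  /* Inserts the runtime hook calls; see the definition for details. */
  bool hookRtns(Module &M);

  /* Per-class toggles, switched on from the environment in run() /
     runOnModule(). */
  bool doSQL = false;
  bool doLDAP = false;
  bool doXSS = false;

};

}  // namespace

/* NOTE(review): this guard tests LLVM_MAJOR while every other guard in the
   file tests LLVM_VERSION_MAJOR.  Presumably LLVM_MAJOR is supplied by the
   build flags - confirm; if it were undefined the #else branch would be
   selected and the new-pass-manager build would lose its plugin entry point. */
#if LLVM_MAJOR >= 11
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {

  return {LLVM_PLUGIN_API_VERSION, "Injectionroutines", "v0.1",
          /* lambda to insert our pass into the pass pipeline. */
          [](PassBuilder &PB) {

  #if LLVM_VERSION_MAJOR <= 13
            using OptimizationLevel = typename PassBuilder::OptimizationLevel;
  #endif
            PB.registerOptimizerLastEPCallback(
                [](ModulePassManager &MPM, OptimizationLevel OL) {

                  MPM.addPass(InjectionRoutines());

                });

          }};

}

#else
char InjectionRoutines::ID = 0;
#endif

/* Walk every instrumentable function in M and put a call to the matching
   __afl_injection_* hook in front of each recognised sink call.

   Returns true: the three hook declarations are always added to the module,
   so the module counts as changed even when no call site matched. */
bool InjectionRoutines::hookRtns(Module &M) {

  LLVMContext &C = M.getContext();

  Type        *VoidTy = Type::getVoidTy(C);
  IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
  PointerType *i8PtrTy = PointerType::get(Int8Ty, 0);

  /* Declare void __afl_injection_sql(i8 *). */
#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee
#else
  Constant *
#endif
      c1 = M.getOrInsertFunction("__afl_injection_sql", VoidTy, i8PtrTy
#if LLVM_VERSION_MAJOR < 5
                                 ,
                                 NULL
#endif
      );
#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee sqlfunc = c1;
#else
  Function *sqlfunc = cast<Function>(c1);
#endif

  /* Declare void __afl_injection_ldap(i8 *). */
#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee
#else
  Constant *
#endif
      c2 = M.getOrInsertFunction("__afl_injection_ldap", VoidTy, i8PtrTy
#if LLVM_VERSION_MAJOR < 5
                                 ,
                                 NULL
#endif
      );
#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee ldapfunc = c2;
#else
  Function *ldapfunc = cast<Function>(c2);
#endif

  /* Declare void __afl_injection_xss(i8 *). */
#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee
#else
  Constant *
#endif
      c3 = M.getOrInsertFunction("__afl_injection_xss", VoidTy, i8PtrTy
#if LLVM_VERSION_MAJOR < 5
                                 ,
                                 NULL
#endif
      );
#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee xssfunc = c3;
#else
  Function *xssfunc = cast<Function>(c3);
#endif

#if LLVM_VERSION_MAJOR >= 9
  FunctionCallee FuncPtr;
#else
  Function *FuncPtr;
#endif

  /* iterate over all functions, bbs and instruction and add suitable calls */
  for (auto &F : M) {

    if (!isInInstrumentList(&F, MNAME)) continue;

    for (auto &BB : F) {

      for (auto &IN : BB) {

        CallInst *callInst = dyn_cast<CallInst>(&IN);
        if (!callInst) continue;

        /* Only direct calls carry a callee name to match on. */
        Function *Callee = callInst->getCalledFunction();
        if (!Callee) continue;
        if (callInst->getCallingConv() != llvm::CallingConv::C) continue;

        std::string FuncName = Callee->getName().str();
        const char *kind = nullptr;   /* label used in the log line */
        unsigned    param = 0;        /* index of the argument to inspect */
        FuncPtr = nullptr;

        // Marker: ADD_TO_INJECTIONS
        // If you just need to add another function to test for SQL etc.
        // then add them here.
        // To add a new class or to work on e.g. std::string/Rust strings/...
        // you will need to add a function to afl-compiler-rt.c.o and
        // upwards in this file add a pointer to that function to use
        // here.

        /* The former `FuncName.compare("") == 0` clause is gone: it matched
           unnamed callees, which are not SQL entry points. */
        if (doSQL && (FuncName == "sqlite3_exec" || FuncName == "PQexec" ||
                      FuncName == "PQexecParams" ||
                      FuncName == "mysql_query")) {

          kind = "SQL";
          FuncPtr = sqlfunc;
          param = 1;

        }

        /* NOTE(review): argument 1 of ldap_search_ext[_s] is the search
           base; the filter string is argument 3.  Confirm which of the two
           the runtime hook is meant to inspect. */
        if (doLDAP && (FuncName == "ldap_search_ext" ||
                       FuncName == "ldap_search_ext_s")) {

          kind = "LDAP";
          FuncPtr = ldapfunc;
          param = 1;

        }

        /* libxml2 declares htmlReadMemory(const char *buffer, int size, ...):
           the markup is argument 0.  Argument 1 is the integer length and
           cannot be pointer-cast to i8*, so index 1 (used previously) could
           never hand the hook a string. */
        if (doXSS && FuncName == "htmlReadMemory") {

          kind = "XSS";
          FuncPtr = xssfunc;
          param = 0;

        }

        if (!FuncPtr) continue;

        /* The match above is by name only.  Check the actual call before
           touching it: an unrelated function that happens to share a sink's
           name may take fewer arguments or a non-pointer at this position,
           and getArgOperand()/CreatePointerCast() would then assert or emit
           invalid IR. */
#if LLVM_VERSION_MAJOR >= 14
        const unsigned numArgs = callInst->arg_size();
#else
        const unsigned numArgs = callInst->getNumArgOperands();
#endif
        Value *parameter =
            (param < numArgs) ? callInst->getArgOperand(param) : nullptr;

        if (!parameter || !parameter->getType()->isPointerTy()) {

          if (!be_quiet) {

            errs() << "Injection hook skipped (unexpected argument list): "
                   << FuncName << "\n";

          }

          continue;

        }

        if (!be_quiet) {

          errs() << "Injection " << kind << " hook: " << FuncName << "\n";

        }

        /* Insert the hook call right before the sink call. */
        IRBuilder<> IRB(callInst->getParent());
        IRB.SetInsertPoint(callInst);

        std::vector<Value *> args;
        args.push_back(IRB.CreatePointerCast(parameter, i8PtrTy));
        IRB.CreateCall(FuncPtr, args);

      }

    }

  }

  return true;

}

/* Pass entry point.  Reads the AFL_* environment toggles, instruments the
   module and reports to the pass manager whether the IR changed. */
#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
PreservedAnalyses InjectionRoutines::run(Module                &M,
                                         ModuleAnalysisManager &MAM) {

#else
bool InjectionRoutines::runOnModule(Module &M) {

#endif

  if (getenv("AFL_QUIET") == NULL)
    printf("Running injection-pass by Marc Heuse ([email protected])\n");
  else
    be_quiet = 1;

  /* _ALL switches on every class; the individual variables add to it. */
  if (getenv("AFL_LLVM_INJECTIONS_ALL")) {

    doSQL = true;
    doLDAP = true;
    doXSS = true;

  }

  if (getenv("AFL_LLVM_INJECTIONS_SQL")) { doSQL = true; }
  if (getenv("AFL_LLVM_INJECTIONS_LDAP")) { doLDAP = true; }
  if (getenv("AFL_LLVM_INJECTIONS_XSS")) { doXSS = true; }

  const bool changed = hookRtns(M);

#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
  /* The pass adds declarations and call instructions, so cached analyses
     must not be reported as preserved once the module has changed. */
  auto PA = changed ? PreservedAnalyses::none() : PreservedAnalyses::all();
#endif

  /* The verifier's verdict is discarded here, exactly as before. */
  verifyModule(M);

#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
  return PA;
#else
  return changed;
#endif

}

#if LLVM_VERSION_MAJOR < 11                         /* use old pass manager */
/* Legacy pass manager hook: the pass manager takes ownership of the pass. */
static void registerInjectionRoutinesPass(const PassManagerBuilder &,
                                          legacy::PassManagerBase &PM) {

  auto p = new InjectionRoutines();
  PM.add(p);

}

static RegisterStandardPasses RegisterInjectionRoutinesPass(
    PassManagerBuilder::EP_OptimizerLast, registerInjectionRoutinesPass);

static RegisterStandardPasses RegisterInjectionRoutinesPass0(
    PassManagerBuilder::EP_EnabledOnOptLevel0, registerInjectionRoutinesPass);

  /* This inner guard can never hold inside the enclosing "< 11" branch, so
     the LTO registration below is never compiled. */
  #if LLVM_VERSION_MAJOR >= 11
static RegisterStandardPasses RegisterInjectionRoutinesPassLTO(
    PassManagerBuilder::EP_FullLinkTimeOptimizationLast,
    registerInjectionRoutinesPass);
  #endif
#endif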