1*08b48e0bSAndroid Build Coastguard Worker /*
2*08b48e0bSAndroid Build Coastguard Worker    american fuzzy lop++ - afl-untracer skeleton example
3*08b48e0bSAndroid Build Coastguard Worker    ---------------------------------------------------
4*08b48e0bSAndroid Build Coastguard Worker 
5*08b48e0bSAndroid Build Coastguard Worker    Written by Marc Heuse <[email protected]>
6*08b48e0bSAndroid Build Coastguard Worker 
7*08b48e0bSAndroid Build Coastguard Worker    Copyright 2019-2024 AFLplusplus Project. All rights reserved.
8*08b48e0bSAndroid Build Coastguard Worker 
9*08b48e0bSAndroid Build Coastguard Worker    Licensed under the Apache License, Version 2.0 (the "License");
10*08b48e0bSAndroid Build Coastguard Worker    you may not use this file except in compliance with the License.
11*08b48e0bSAndroid Build Coastguard Worker    You may obtain a copy of the License at:
12*08b48e0bSAndroid Build Coastguard Worker 
13*08b48e0bSAndroid Build Coastguard Worker    http://www.apache.org/licenses/LICENSE-2.0
14*08b48e0bSAndroid Build Coastguard Worker 
15*08b48e0bSAndroid Build Coastguard Worker 
16*08b48e0bSAndroid Build Coastguard Worker    HOW-TO
17*08b48e0bSAndroid Build Coastguard Worker    ======
18*08b48e0bSAndroid Build Coastguard Worker 
19*08b48e0bSAndroid Build Coastguard Worker    You only need to change the following:
20*08b48e0bSAndroid Build Coastguard Worker 
21*08b48e0bSAndroid Build Coastguard Worker    1. decide if you want to receive data from stdin [DEFAULT] or file(name)
22*08b48e0bSAndroid Build Coastguard Worker       -> use_stdin = 0 if via file, and what the maximum input size is
23*08b48e0bSAndroid Build Coastguard Worker    2. dl load the library you want to fuzz, lookup the functions you need
24*08b48e0bSAndroid Build Coastguard Worker       and setup the calls to these
25*08b48e0bSAndroid Build Coastguard Worker    3. in the while loop you call the functions in the necessary order -
26*08b48e0bSAndroid Build Coastguard Worker       incl the cleanup. the cleanup is important!
27*08b48e0bSAndroid Build Coastguard Worker 
28*08b48e0bSAndroid Build Coastguard Worker    Just look these steps up in the code, look for "// STEP x:"
29*08b48e0bSAndroid Build Coastguard Worker 
30*08b48e0bSAndroid Build Coastguard Worker 
31*08b48e0bSAndroid Build Coastguard Worker */
32*08b48e0bSAndroid Build Coastguard Worker 
33*08b48e0bSAndroid Build Coastguard Worker #define __USE_GNU
34*08b48e0bSAndroid Build Coastguard Worker #define _GNU_SOURCE
35*08b48e0bSAndroid Build Coastguard Worker 
36*08b48e0bSAndroid Build Coastguard Worker #ifdef __ANDROID__
37*08b48e0bSAndroid Build Coastguard Worker   #include "android-ashmem.h"
38*08b48e0bSAndroid Build Coastguard Worker #endif
39*08b48e0bSAndroid Build Coastguard Worker #include "config.h"
40*08b48e0bSAndroid Build Coastguard Worker #include "types.h"
41*08b48e0bSAndroid Build Coastguard Worker #include "debug.h"
42*08b48e0bSAndroid Build Coastguard Worker 
43*08b48e0bSAndroid Build Coastguard Worker #include <stdio.h>
44*08b48e0bSAndroid Build Coastguard Worker #include <stdlib.h>
45*08b48e0bSAndroid Build Coastguard Worker #include <signal.h>
46*08b48e0bSAndroid Build Coastguard Worker #include <unistd.h>
47*08b48e0bSAndroid Build Coastguard Worker #include <string.h>
48*08b48e0bSAndroid Build Coastguard Worker #include <assert.h>
49*08b48e0bSAndroid Build Coastguard Worker #include <stdint.h>
50*08b48e0bSAndroid Build Coastguard Worker #include <errno.h>
51*08b48e0bSAndroid Build Coastguard Worker #include <dlfcn.h>
52*08b48e0bSAndroid Build Coastguard Worker #include <fcntl.h>
53*08b48e0bSAndroid Build Coastguard Worker #include <pthread.h>
54*08b48e0bSAndroid Build Coastguard Worker 
55*08b48e0bSAndroid Build Coastguard Worker #include <sys/mman.h>
56*08b48e0bSAndroid Build Coastguard Worker #if !defined(__HAIKU__)
57*08b48e0bSAndroid Build Coastguard Worker   #include <sys/shm.h>
58*08b48e0bSAndroid Build Coastguard Worker #endif
59*08b48e0bSAndroid Build Coastguard Worker #include <sys/wait.h>
60*08b48e0bSAndroid Build Coastguard Worker #include <sys/types.h>
61*08b48e0bSAndroid Build Coastguard Worker 
62*08b48e0bSAndroid Build Coastguard Worker #if defined(__linux__)
63*08b48e0bSAndroid Build Coastguard Worker   #include <sys/personality.h>
64*08b48e0bSAndroid Build Coastguard Worker   #include <sys/ucontext.h>
65*08b48e0bSAndroid Build Coastguard Worker #elif defined(__APPLE__) && defined(__LP64__)
66*08b48e0bSAndroid Build Coastguard Worker   #include <mach-o/dyld_images.h>
67*08b48e0bSAndroid Build Coastguard Worker #elif defined(__FreeBSD__)
68*08b48e0bSAndroid Build Coastguard Worker   #include <sys/sysctl.h>
69*08b48e0bSAndroid Build Coastguard Worker   #include <sys/user.h>
70*08b48e0bSAndroid Build Coastguard Worker   #include <sys/procctl.h>
71*08b48e0bSAndroid Build Coastguard Worker #elif defined(__HAIKU__)
72*08b48e0bSAndroid Build Coastguard Worker   #include <kernel/OS.h>
73*08b48e0bSAndroid Build Coastguard Worker   #include <kernel/image.h>
74*08b48e0bSAndroid Build Coastguard Worker #else
75*08b48e0bSAndroid Build Coastguard Worker   #error "Unsupported platform"
76*08b48e0bSAndroid Build Coastguard Worker #endif
77*08b48e0bSAndroid Build Coastguard Worker 
78*08b48e0bSAndroid Build Coastguard Worker #define MEMORY_MAP_DECREMENT 0x200000000000
79*08b48e0bSAndroid Build Coastguard Worker #define MAX_LIB_COUNT 128
80*08b48e0bSAndroid Build Coastguard Worker 
81*08b48e0bSAndroid Build Coastguard Worker // STEP 1:
82*08b48e0bSAndroid Build Coastguard Worker 
83*08b48e0bSAndroid Build Coastguard Worker /* here you need to specify the parameter for the target function */
/* here you need to specify the parameter for the target function */
/* Pointer to the target entry point, resolved at runtime (dlsym) by the
   code outside this view; the (u8 *buf, int len) signature is the example
   shape and must be adapted to the fuzzed function. */
static void *(*o_function)(u8 *buf, int len);

/* use stdin (1) or a file on the commandline (0) */
/* Checked by __afl_next_testcase(): with 1 the test case is read from fd 0,
   with 0 nothing is read there and the test case is expected in the file
   named by inputfile (argv[1]). */
static u32 use_stdin = 1;

/* This is where the testcase data is written into */
static u8 buf[10000];  // this is the maximum size for a test case! set it!
                       // presumably passed as max_len to __afl_next_testcase()
                       // by the caller outside this view — TODO confirm

/* If you want to have debug output set this to 1, can also be set with
   AFL_DEBUG  */
/* Enables the fprintf(stderr, ...) traces in read_library_information(),
   breakpoint() and friends. */
static u32 debug = 0;
95*08b48e0bSAndroid Build Coastguard Worker 
96*08b48e0bSAndroid Build Coastguard Worker // END STEP 1
97*08b48e0bSAndroid Build Coastguard Worker 
/* One executable mapping as recorded by read_library_information():
   `name` is a strdup()'d copy (may be NULL on FreeBSD when the mapping has no
   path), `addr_start` is the first byte and `addr_end` is one past the last
   byte of the mapping (the debug print shows addr_end - 1 as the last
   address).  On macOS find_library() only fills addr_start and leaves
   addr_end = 0. */
typedef struct library_list {

  u8 *name;
  u64 addr_start, addr_end;

} library_list_t;

/* Coverage map size negotiated with afl-fuzz (overridable via AFL_MAP_SIZE in
   __afl_map_shm()) and the "stop after this test case" flag that the
   forkserver helpers set whenever a pipe read/write fails.  Thread-local
   everywhere except on Android. */
#ifdef __ANDROID__
u32 __afl_map_size = MAP_SIZE;
u32 do_exit;
#else
__thread u32 __afl_map_size = MAP_SIZE;
__thread u32 do_exit;
#endif

/* Value reported to afl-fuzz as the "child pid" in __afl_next_testcase();
   presumably a placeholder since no child is forked here — TODO confirm. */
static pid_t     pid = 65537;
/* Used by code outside this view. */
static pthread_t __afl_thread;
/* Fallback coverage map used until __afl_map_shm() attaches the real shared
   memory segment and repoints __afl_area_ptr at it. */
static u8        __afl_dummy[MAP_SIZE];
static u8       *__afl_area_ptr = __afl_dummy;
static u8       *inputfile;  // this will point to argv[1]
/* Used by code outside this view. */
static u32       len;

/* Executable mappings of this process, filled by read_library_information()
   and searched by find_library(); never holds more than MAX_LIB_COUNT. */
static library_list_t liblist[MAX_LIB_COUNT];
static u32            liblist_cnt;

static void sigtrap_handler(int signum, siginfo_t *si, void *context);
static void fuzz(void);
125*08b48e0bSAndroid Build Coastguard Worker 
126*08b48e0bSAndroid Build Coastguard Worker /* read the library information */
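/* read the library information */
/* Fill liblist[] / liblist_cnt with the mappings of the running process, one
   entry per mapping with a strdup()'d name and its [addr_start, addr_end)
   range.  Entries are appended, never cleared, so a second call adds
   duplicates.  Every branch stops with a WARNF() once MAX_LIB_COUNT entries
   are held so that liblist is never overrun.
   Linux: parses /proc/self/maps (executable "r-x" lines only) and FATAL()s
   if the file cannot be opened.  FreeBSD: walks the KERN_PROC_VMMAP sysctl
   output and silently returns on sysctl/mmap failure.  Haiku: iterates
   get_next_image_info().  Other platforms record nothing. */
void read_library_information(void) {

#if defined(__linux__)
  FILE *f;
  char  line[1024], *start, *end, *perm, *name;

  if ((f = fopen("/proc/self/maps", "r")) == NULL)
    FATAL("cannot open /proc/self/maps");

  if (debug) fprintf(stderr, "Library list:\n");
  while (fgets(line, sizeof(line), f)) {

    /* only executable mappings are of interest */
    if (!strstr(line, " r-x")) continue;

    if (liblist_cnt >= MAX_LIB_COUNT) {

      WARNF("too many libraries to hold, maximum count of %d reached",
            liblist_cnt);
      break;  /* not return: the file still has to be closed */

    }

    /* line layout: "start-end perms offset dev inode [path]\n" */
    start = line;
    end = strchr(line, '-');
    perm = strchr(line, ' ');
    /* the name is whatever follows the last '/', or the last ' ' when the
       mapping carries no path at all */
    if ((name = strrchr(line, '/')) == NULL) name = strrchr(line, ' ');
    if (name) {

      name++;
      size_t nl = strlen(name);
      if (nl && name[nl - 1] == '\n') name[nl - 1] = 0;
      /* skip pseudo entries: an empty name, a bare inode number, "[vdso]"
         style names, "{...}" and "(...)" -- the test is on the first
         character of the name, not on the separator in front of it */
      if (!*name || (*name >= '0' && *name <= '9') || *name == '[' ||
          *name == '{' || *name == '(')
        name = NULL;

    }

    if (!end || !perm || !name) continue;

    /* terminate the start and end address fields in place */
    *end++ = 0;
    *perm = 0;

    liblist[liblist_cnt].name = (u8 *)strdup(name);
    liblist[liblist_cnt].addr_start = strtoull(start, NULL, 16);
    liblist[liblist_cnt].addr_end = strtoull(end, NULL, 16);
    if (debug)
      fprintf(stderr, "%s:%llx (%llx-%llx)\n", liblist[liblist_cnt].name,
              liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start,
              liblist[liblist_cnt].addr_start,
              liblist[liblist_cnt].addr_end - 1);
    liblist_cnt++;

  }

  fclose(f);

  if (debug) fprintf(stderr, "\n");

#elif defined(__FreeBSD__)
  int    mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, getpid()};
  char  *vmbuf, *start, *end;
  size_t miblen = sizeof(mib) / sizeof(mib[0]);
  size_t vmlen, maplen;

  if (debug) fprintf(stderr, "Library list:\n");
  if (sysctl(mib, miblen, NULL, &vmlen, NULL, 0) == -1) { return; }

  /* over-allocate: the map may grow between the two sysctl calls */
  maplen = vmlen = vmlen * 4 / 3;

  vmbuf =
      mmap(NULL, maplen, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
  if (vmbuf == MAP_FAILED) { return; }

  if (sysctl(mib, miblen, vmbuf, &vmlen, NULL, 0) == -1) {

    munmap(vmbuf, maplen);
    return;

  }

  start = vmbuf;
  end = vmbuf + vmlen;

  while (start < end) {

    struct kinfo_vmentry *region = (struct kinfo_vmentry *)start;
    size_t                size = region->kve_structsize;

    if (size == 0) { break; }

    /* NOTE(review): this keeps readable, NON-executable regions, whereas the
       Linux branch keeps the executable ("r-x") ones -- confirm intended */
    if ((region->kve_protection & KVME_PROT_READ) &&
        !(region->kve_protection & KVME_PROT_EXEC)) {

      if (liblist_cnt >= MAX_LIB_COUNT) {

        WARNF("too many libraries to hold, maximum count of %d reached",
              liblist_cnt);
        break;

      }

      liblist[liblist_cnt].name =
          region->kve_path[0] != '\0' ? (u8 *)strdup(region->kve_path) : 0;
      liblist[liblist_cnt].addr_start = region->kve_start;
      liblist[liblist_cnt].addr_end = region->kve_end;

      if (debug) {

        fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name,
                (unsigned long)(liblist[liblist_cnt].addr_end -
                                liblist[liblist_cnt].addr_start),
                (unsigned long)liblist[liblist_cnt].addr_start,
                (unsigned long)(liblist[liblist_cnt].addr_end - 1));

      }

      liblist_cnt++;

    }

    start += size;

  }

  /* liblist holds its own copies of the names, the raw map can go */
  munmap(vmbuf, maplen);

#elif defined(__HAIKU__)
  image_info ii;
  int32      c = 0;

  while (get_next_image_info(0, &c, &ii) == B_OK) {

    if (liblist_cnt >= MAX_LIB_COUNT) {

      WARNF("too many libraries to hold, maximum count of %d reached",
            liblist_cnt);
      break;

    }

    liblist[liblist_cnt].name = (u8 *)strdup(ii.name);
    liblist[liblist_cnt].addr_start = (u64)ii.text;
    liblist[liblist_cnt].addr_end = (u64)((char *)ii.text + ii.text_size);

    if (debug) {

      fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name,
              (unsigned long)(liblist[liblist_cnt].addr_end -
                              liblist[liblist_cnt].addr_start),
              (unsigned long)liblist[liblist_cnt].addr_start,
              (unsigned long)(liblist[liblist_cnt].addr_end - 1));

    }

    liblist_cnt++;

  }

#endif

}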
267*08b48e0bSAndroid Build Coastguard Worker 
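/* Look up a loaded library by name.
   Linux: returns the first liblist entry whose name starts with `name`
   (prefix match, so "libfoo" also matches "libfoo.so.1");
   read_library_information() has to have run before.
   macOS (64 bit): asks dyld for the image list and does a substring match on
   the image path; the result points to a static entry that only carries the
   load address (addr_end = 0) and is overwritten by the next call.
   Returns NULL for an empty name, when nothing matches, or on a platform
   without an implementation. */
library_list_t *find_library(char *name) {

  /* an empty pattern would match the very first entry on every platform */
  if (!name || !*name) return NULL;

#if defined(__linux__)
  u32    i;
  size_t name_len = strlen(name);

  for (i = 0; i < liblist_cnt; i++)
    if (liblist[i].name &&
        strncmp((char *)liblist[i].name, name, name_len) == 0)
      return &liblist[i];
#elif defined(__APPLE__) && defined(__LP64__)
  kern_return_t         err;
  static library_list_t lib;

  // get the list of all loaded modules from dyld
  // the task_info mach API will get the address of the dyld all_image_info
  // struct for the given task from which we can get the names and load
  // addresses of all modules
  task_dyld_info_data_t  task_dyld_info;
  mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
  err = task_info(mach_task_self(), TASK_DYLD_INFO,
                  (task_info_t)&task_dyld_info, &count);
  /* task_dyld_info is not filled in on failure, do not dereference it */
  if (err != KERN_SUCCESS) return NULL;

  const struct dyld_all_image_infos *all_image_infos =
      (const struct dyld_all_image_infos *)task_dyld_info.all_image_info_addr;
  const struct dyld_image_info *image_infos = all_image_infos->infoArray;

  for (size_t i = 0; i < all_image_infos->infoArrayCount; i++) {

    const char       *image_name = image_infos[i].imageFilePath;
    mach_vm_address_t image_load_address =
        (mach_vm_address_t)image_infos[i].imageLoadAddress;
    if (image_name && strstr(image_name, name)) {

      lib.name = (u8 *)name;
      lib.addr_start = (u64)image_load_address;
      lib.addr_end = 0;  /* dyld only tells us where the image starts */
      return &lib;

    }

  }

#endif

  return NULL;

}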
313*08b48e0bSAndroid Build Coastguard Worker 
314*08b48e0bSAndroid Build Coastguard Worker /* for having an easy breakpoint location after loading the shared library */
315*08b48e0bSAndroid Build Coastguard Worker // this seems to work for clang too. nice :) requires gcc 4.4+
316*08b48e0bSAndroid Build Coastguard Worker #pragma GCC push_options
317*08b48e0bSAndroid Build Coastguard Worker #pragma GCC optimize("O0")
/* Empty-bodied (apart from the optional trace) function that a debugger can
   stop on once the shared library has been loaded; the surrounding pragmas
   keep it from being optimised away. */
void breakpoint(void) {

  if (!debug) return;

  fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n");

}
323*08b48e0bSAndroid Build Coastguard Worker 
324*08b48e0bSAndroid Build Coastguard Worker #pragma GCC pop_options
325*08b48e0bSAndroid Build Coastguard Worker 
326*08b48e0bSAndroid Build Coastguard Worker /* Error reporting to forkserver controller */
327*08b48e0bSAndroid Build Coastguard Worker 
/* Report a FS_ERROR_* code to afl-fuzz over the forkserver status pipe.
   Codes of 0 or above 0xffff do not fit the error field and are dropped; a
   short write is ignored since there is nowhere else to report it. */
void send_forkserver_error(int error) {

  if (error == 0 || error > 0xffff) return;

  u32 status = FS_OPT_ERROR | FS_OPT_SET_ERROR(error);

  (void)write(FORKSRV_FD + 1, &status, 4);

}
336*08b48e0bSAndroid Build Coastguard Worker 
337*08b48e0bSAndroid Build Coastguard Worker /* SHM setup. */
338*08b48e0bSAndroid Build Coastguard Worker 
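/* SHM setup. */
/* Attach the coverage map shared with afl-fuzz.
   AFL_MAP_SIZE, when set to a well-formed positive number, overrides
   __afl_map_size.  A map larger than MAP_SIZE is reported: above
   FS_OPT_MAX_MAPSIZE it is fatal when running under afl-fuzz (SHM_ENV_VAR
   set) and only a warning otherwise.  With SHM_ENV_VAR set the segment is
   mapped via shm_open()/mmap() (USEMMAP) or shmat() and __afl_area_ptr is
   pointed at it; without it the static dummy map stays in place.  Attach
   failures are reported with send_forkserver_error() and exit(). */
static void __afl_map_shm(void) {

  char *id_str = getenv(SHM_ENV_VAR);
  char *ptr;

  if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) {

    /* strtoul instead of atoi: negative values, trailing garbage and values
       that do not fit in u32 are rejected instead of silently accepted */
    char *end = NULL;
    errno = 0;
    unsigned long val = strtoul(ptr, &end, 10);
    if (*ptr != '-' && end != ptr && *end == '\0' && errno == 0 && val > 0 &&
        val <= 0xffffffffUL)
      __afl_map_size = (u32)val;

  }

  if (__afl_map_size > MAP_SIZE) {

    if (__afl_map_size > FS_OPT_MAX_MAPSIZE) {

      fprintf(stderr,
              "Error: AFL++ tools *require* to set AFL_MAP_SIZE to %u to "
              "be able to run this instrumented program!\n",
              __afl_map_size);
      if (id_str) {

        send_forkserver_error(FS_ERROR_MAP_SIZE);
        exit(-1);

      }

    } else {

      fprintf(stderr,
              "Warning: AFL++ tools will need to set AFL_MAP_SIZE to %u to "
              "be able to run this instrumented program!\n",
              __afl_map_size);

    }

  }

  if (id_str) {

#ifdef USEMMAP
    const char    *shm_file_path = id_str;
    int            shm_fd = -1;
    unsigned char *shm_base = NULL;

    /* create the shared memory segment as if it was a file */
    shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
    if (shm_fd == -1) {

      fprintf(stderr, "shm_open() failed\n");
      send_forkserver_error(FS_ERROR_SHM_OPEN);
      exit(1);

    }

    /* map the shared memory segment to the address space of the process */
    shm_base =
        mmap(0, __afl_map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0);

    if (shm_base == MAP_FAILED) {

      close(shm_fd);
      shm_fd = -1;

      fprintf(stderr, "mmap() failed\n");
      send_forkserver_error(FS_ERROR_MMAP);
      exit(2);

    }

    /* the mapping stays valid after the descriptor is closed */
    close(shm_fd);
    shm_fd = -1;

    __afl_area_ptr = shm_base;
#else
    u32 shm_id = atoi(id_str);

    __afl_area_ptr = shmat(shm_id, 0, 0);

#endif

    if (__afl_area_ptr == (void *)-1) {

      send_forkserver_error(FS_ERROR_SHMAT);
      exit(1);

    }

    /* Write something into the bitmap so that the parent doesn't give up */

    __afl_area_ptr[0] = 1;

  }

}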
431*08b48e0bSAndroid Build Coastguard Worker 
432*08b48e0bSAndroid Build Coastguard Worker /* Fork server logic. */
/* Fork server logic. */
/* Announce ourselves to afl-fuzz: send the 4-byte option word (map size
   advertised only when it fits FS_OPT_MAX_MAPSIZE, otherwise 0) on the status
   pipe.  A short write flags do_exit. */
inline static void __afl_start_forkserver(void) {

  u32 status = 0;

  if (__afl_map_size <= FS_OPT_MAX_MAPSIZE)
    status = FS_OPT_ENABLED | FS_OPT_MAPSIZE | FS_OPT_SET_MAPSIZE(__afl_map_size);

  /* Phone home and tell the parent that we're OK. */
  if (write(FORKSRV_FD + 1, &status, 4) != 4) do_exit = 1;

}
448*08b48e0bSAndroid Build Coastguard Worker 
/* Block until afl-fuzz signals the next run, then pull the test case into
   `buf` (at most `max_len` bytes) when use_stdin is set and report `pid` as
   the running child.  Returns the number of bytes read from stdin, or 1 when
   the input comes from a file instead.  Exits the process when stdin yields
   no data; a failed pipe read/write only flags do_exit. */
inline static u32 __afl_next_testcase(u8 *buf, u32 max_len) {

  s32 status;

  /* Wait for parent by reading from the pipe. Abort if read fails. */
  if (read(FORKSRV_FD, &status, 4) != 4) do_exit = 1;

  /* we have a testcase - read it if we read from stdin */
  status = 1;
  if (use_stdin) {

    /* a single read(); presumably stdin is a regular file rewound by
       afl-fuzz so short reads are not a concern — TODO confirm */
    status = read(0, buf, max_len);
    if (status <= 0) exit(-1);

  }

  /* report that we are starting the target */
  if (write(FORKSRV_FD + 1, &pid, 4) != 4) do_exit = 1;

  __afl_area_ptr[0] = 1;  // put something in the map

  return status;

}
/* Report the finished child's wait status to the parent over the status
   pipe, then terminate if any pipe operation so far has marked do_exit. */
inline static void __afl_end_testcase(int status) {

  ssize_t written = write(FORKSRV_FD + 1, &status, 4);
  if (written != 4) { do_exit = 1; }

  /* Losing the connection to the fuzzer ends the forkserver. */
  if (do_exit) { exit(0); }

}
/* SHADOW(addr): address of the shadow slot that records the original code
   byte(s) and the coverage map index for the code at addr. The slot lives
   MEMORY_MAP_DECREMENT below the aligned address, and each alignment residue
   (addr & 7 on aarch64, addr & 3 elsewhere) selects its own region spaced
   0x10000000000 apart, so neighbouring code bytes never share a slot.
   Slot type is uint64_t on aarch64 and uint32_t otherwise. The regions must
   already be mapped (see the shadow mmap loop in setup_trap_instrumentation). */
#ifdef __aarch64__
  #define SHADOW(addr)                                     \
    ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \
                  MEMORY_MAP_DECREMENT -                   \
                  ((uintptr_t)addr & 0x7) * 0x10000000000))
#else
  #define SHADOW(addr)                                     \
    ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \
                  MEMORY_MAP_DECREMENT -                   \
                  ((uintptr_t)addr & 0x3) * 0x10000000000))
#endif
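/* Read the patch list named by AFL_UNTRACER_FILE (fallback: TRAPFUZZ_FILE)
   and install trap-based coverage instrumentation.

   File format, one entry per line:
     <library name>:<size in hex>   select the currently loaded library and
                                    map its shadow regions
     <offset in hex>                patch one basic-block start in the
                                    current library with a debug trap

   Side effects: every listed library is made RWX, shadow memory is mapped at
   the SHADOW() addresses, the first instruction byte(s) at every listed
   offset are overwritten, sigtrap_handler is installed for SIGTRAP and
   __afl_map_size is set to the number of map slots in use, rounded up to a
   multiple of 8. Map index 0 is never handed out: sigtrap_handler treats it
   as "not one of our traps". Any unrecoverable problem aborts via FATAL. */
void setup_trap_instrumentation(void) {

  library_list_t *lib_base = NULL;
  size_t          lib_size = 0;
  u8             *lib_addr = NULL;
  char           *line = NULL;
  size_t          len = 0;

  char *filename = getenv("AFL_UNTRACER_FILE");
  if (!filename) filename = getenv("TRAPFUZZ_FILE");
  if (!filename) FATAL("AFL_UNTRACER_FILE environment variable not set");

  FILE *patches = fopen(filename, "r");
  if (!patches) FATAL("Couldn't open AFL_UNTRACER_FILE file %s", filename);

  // Index into the coverage bitmap for the current trap instruction.
  // Starts at 1 because index 0 is reserved (see sigtrap_handler).
  // Slots are 64 bit on aarch64 (index << 32 | 4 instruction bytes) and
  // 32 bit elsewhere (index << 8 | 1 instruction byte).
#ifdef __aarch64__
  uint64_t bitmap_index = 1;
  #ifdef __APPLE__
  pthread_jit_write_protect_np(0);
  #endif
#else
  uint32_t bitmap_index = 1;
#endif

#if defined(__FreeBSD__) && __FreeBSD_version >= 1301000
  // We try to allow W/X pages despite kern.elf32/64.allow_wx system settings
  int allow_wx = PROC_WX_MAPPINGS_PERMIT;
  (void)procctl(P_PID, 0, PROC_WXMAP_CTL, &allow_wx);
#endif

  while (getline(&line, &len, patches) != -1) {

    char *col = strchr(line, ':');
    if (col) {

      // It's a library:size pair
      *col++ = 0;

      lib_base = find_library(line);
      if (!lib_base) FATAL("Library %s does not appear to be loaded", line);

      // The size from the file is only a lower bound: on Linux the mapped
      // extent of the library wins when it is larger.
      lib_size = strtoul(col, NULL, 16);
#if (__linux__)
      if (lib_size < lib_base->addr_end - lib_base->addr_start)
        lib_size = lib_base->addr_end - lib_base->addr_start;
#endif
      if (lib_size % 0x1000 != 0)
        WARNF("Invalid library size 0x%zx. Must be multiple of 0x1000",
              lib_size);

      lib_addr = (u8 *)lib_base->addr_start;
      // Make library code writable (it stays executable: traps are patched
      // in place and sigtrap_handler restores the bytes at run time).
      if (mprotect((void *)lib_addr, lib_size,
                   PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        FATAL("Failed to mprotect library %s writable", line);

      // Create shadow memory: one region per alignment residue, so that
      // every code byte of the library gets a slot of its own.
#ifdef __aarch64__
      for (int i = 0; i < 8; i++) {

#else
      for (int i = 0; i < 4; i++) {

#endif

        void *shadow_addr = SHADOW(lib_addr + i);
        // fd is -1: anonymous mappings must not name a file descriptor.
        void *shadow = mmap(shadow_addr, lib_size, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
        if (debug)
          fprintf(stderr, "Shadow: %s %d = %p-%p for %p\n", line, i, shadow,
                  (void *)((u8 *)shadow + lib_size - 1), (void *)lib_addr);
        if (shadow == MAP_FAILED) FATAL("Failed to mmap shadow memory");

      }

      // Done, continue with next line.
      continue;

    }

    // It's an offset, parse it and do the patching.
    // An offset is only meaningful once a library:size line selected a
    // library (otherwise lib_addr/lib_size are unset).
    if (!lib_base) FATAL("Offset given before any library:size line");

    unsigned long offset = strtoul(line, NULL, 16);

    // offset == lib_size would patch the byte just past the library.
    if (offset >= lib_size)
      FATAL("Invalid offset: 0x%lx. Current library is 0x%zx bytes large",
            offset, lib_size);

    if (bitmap_index >= __afl_map_size)
      FATAL("Too many basic blocks to instrument");

    // The slot type must agree with SHADOW()'s pointer type.
#ifdef __aarch64__
    uint64_t
#else
    uint32_t
#endif
        *shadow = SHADOW(lib_addr + offset);
    if (*shadow != 0) continue;  // skip duplicates

      // Make lookup entry in shadow memory.

#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || \
     defined(__i386__))

    // this is for Intel x64

    uint8_t orig_byte = lib_addr[offset];
    *shadow = (bitmap_index << 8) | orig_byte;
    lib_addr[offset] = 0xcc;  // replace instruction with debug trap
    if (debug)
      fprintf(stderr,
              "Patch entry: %p[%lx] = %p = %02x -> SHADOW(%p) #%lu -> %08lx\n",
              (void *)lib_addr, offset, (void *)(lib_addr + offset), orig_byte,
              (void *)shadow, (unsigned long)bitmap_index,
              (unsigned long)*shadow);

#elif defined(__aarch64__)

    // this is for aarch64

    // A64 instructions are 4 bytes and 4-byte aligned; a misaligned offset
    // cannot be a basic-block start and would make the store below UB.
    if (offset & 0x3)
      FATAL("Invalid offset: 0x%lx is not 4-byte aligned", offset);

    uint32_t *patch_bytes = (uint32_t *)(lib_addr + offset);
    uint32_t  orig_bytes = *patch_bytes;
    *shadow = ((uint64_t)bitmap_index << 32) | orig_bytes;
    *patch_bytes = 0xd4200000;  // replace instruction with debug trap
    if (debug)
      fprintf(stderr,
              "Patch entry: %p[%lx] = %p = %08x -> SHADOW(%p) #%lu -> %016llx\n",
              (void *)lib_addr, offset, (void *)(lib_addr + offset), orig_bytes,
              (void *)shadow, (unsigned long)bitmap_index,
              (unsigned long long)*shadow);

#else
    // this will be ARM and AARCH64
    // for ARM we will need to identify if the code is in thumb or ARM
  #error "non x86_64/aarch64 not supported yet"
    //__arm__:
    // linux thumb: 0xde01
    // linux arm: 0xe7f001f0
    //__aarch64__:
    // linux aarch64: 0xd4200000
#endif

    bitmap_index++;

  }

  free(line);
  fclose(patches);

  // Install signal handler for SIGTRAP. Zero the whole struct first so no
  // field outside the ones set below is left uninitialised.
  struct sigaction s;
  memset(&s, 0, sizeof(s));
  s.sa_flags = SA_SIGINFO;
  s.sa_sigaction = sigtrap_handler;
  sigemptyset(&s.sa_mask);
  if (sigaction(SIGTRAP, &s, NULL) != 0)
    FATAL("Failed to install SIGTRAP handler");

  // bitmap_index started at 1, so the number of patched locations is one
  // less than the number of map slots in use.
  if (bitmap_index == 1) WARNF("No locations patched");
  if (debug)
    fprintf(stderr, "Patched %lu locations.\n",
            (unsigned long)(bitmap_index - 1));
  __afl_map_size = bitmap_index;
  if (__afl_map_size % 8) __afl_map_size = (((__afl_map_size + 7) >> 3) << 3);

}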
/* the signal handler for the traps / debugging interrupts
   No debug output here because this would cost speed

   Runs when a location patched by setup_trap_instrumentation is executed:
   rewinds the PC onto the trap, looks the trap up in shadow memory, restores
   the original code byte and marks the coverage map. Only plain memory
   accesses and abort() are used, keeping the handler async-signal-safe.
   signum is unused. */
static void sigtrap_handler(int signum, siginfo_t *si, void *context) {

  uint64_t addr;
  // Must re-execute the instruction, so decrement PC by one instruction.
  // x86: the 1-byte int3 has been consumed, so step back 1 byte.
  // NOTE(review): on aarch64 the reported pc may already point at the brk
  // itself rather than past it — confirm that -4 does not rewind one
  // instruction too far.
  ucontext_t *ctx = (ucontext_t *)context;
#if defined(__APPLE__) && defined(__LP64__)
  #if defined(__x86_64__)
  ctx->uc_mcontext->__ss.__rip -= 1;
  addr = ctx->uc_mcontext->__ss.__rip;
  #else
  ctx->uc_mcontext->__ss.__pc -= 4;
  addr = ctx->uc_mcontext->__ss.__pc;
  #endif
#elif defined(__linux__)
  #if defined(__x86_64__) || defined(__i386__)
  ctx->uc_mcontext.gregs[REG_RIP] -= 1;
  addr = ctx->uc_mcontext.gregs[REG_RIP];
  #elif defined(__aarch64__)
  ctx->uc_mcontext.pc -= 4;
  addr = ctx->uc_mcontext.pc;
  #else
    #error "Unsupported processor"
  #endif
#elif defined(__FreeBSD__) && defined(__LP64__)
  ctx->uc_mcontext.mc_rip -= 1;
  addr = ctx->uc_mcontext.mc_rip;
#elif defined(__HAIKU__) && defined(__x86_64__)
  ctx->uc_mcontext.rip -= 1;
  addr = ctx->uc_mcontext.rip;
#else
  #error "Unsupported platform"
#endif

  // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr,
  // si->si_addr);

  // If the trap didn't come from our instrumentation, then we probably will
  // just segfault here
  // Prefer the kernel-reported fault address, fall back to the rewound PC.
  // NOTE(review): assumes si_addr points one past the trap byte, like the
  // x86 PC does — confirm for each platform handled above.
  uint8_t *faultaddr;
  if (unlikely(si->si_addr))
    faultaddr = (u8 *)si->si_addr - 1;
  else
    faultaddr = (u8 *)addr;
  // if (debug) fprintf(stderr, "Shadow location: %p\n", SHADOW(faultaddr));
  // Slot layout as written by the x86 patching path:
  // bits 0..7 = original code byte, bits 8.. = coverage map index.
  // NOTE(review): the non-Apple aarch64 patching path stores
  // (index << 32) | 4 original bytes in a 64-bit slot, which this 32-bit
  // decode does not match — that path looks inconsistent, verify before use.
  uint32_t shadow = *SHADOW(faultaddr);
  uint8_t  orig_byte = shadow & 0xff;
  uint32_t index = shadow >> 8;

  // if (debug) fprintf(stderr, "shadow data: %x, orig_byte %02x, index %d\n",
  // shadow, orig_byte, index);

  // Index zero is invalid so that it is still possible to catch actual trap
  // instructions in instrumented libraries.
  // (setup_trap_instrumentation must therefore never hand out index 0.)
  if (unlikely(index == 0)) abort();

  // Restore original instruction
  // Each location therefore traps at most once per process; the parent in
  // main() never runs the target, so every forked child starts with all
  // traps still in place.
  *faultaddr = orig_byte;

  // Record the hit in the shared coverage map.
  __afl_area_ptr[index] = 128;

}
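/* the MAIN function: forkserver driver.
   Disables ASLR (presumably so library base addresses, and with them the
   SHADOW() regions, stay stable), loads the target library, installs the
   trap instrumentation, maps the coverage shm and performs the forkserver
   handshake. Then loops forever: each iteration forks; the child fetches
   one test case, runs fuzz() once and _exit()s; the parent waits and hands
   the child's wait status back to AFL++.
   Input comes from stdin unless argv[1] names an input file. */
int main(int argc, char *argv[]) {

#if defined(__linux__)
  (void)personality(ADDR_NO_RANDOMIZE);  // disable ASLR
#elif defined(__FreeBSD__) && __FreeBSD_version >= 1200000
  int no_randomize = PROC_ASLR_FORCE_DISABLE;
  (void)procctl(P_PID, 0, PROC_ASLR_CTL, &no_randomize);
#endif

  pid = getpid();
  if (getenv("AFL_DEBUG")) debug = 1;

  /* by default we use stdin, but also a filename can be passed, in this
     case the input is argv[1] and we have to disable stdin */
  if (argc > 1) {

    use_stdin = 0;
    inputfile = (u8 *)argv[1];

  }

  // STEP 2: load the library you want to fuzz and lookup the functions,
  //         inclusive of the cleanup functions
  //         NOTE: above the main() you have to define the functions!

  void *dl = dlopen("./libtestinstr.so", RTLD_LAZY);
  if (!dl) FATAL("could not find target library");
  o_function = dlsym(dl, "testinstr");
  if (!o_function) FATAL("could not resolve target function from library");
  if (debug) fprintf(stderr, "Function address: %p\n", o_function);

  // END STEP 2

  /* setup instrumentation, shared memory and forkserver */
  breakpoint();
  read_library_information();
  setup_trap_instrumentation();
  __afl_map_shm();
  __afl_start_forkserver();

  while (1) {

    // instead of fork() we could also use the snapshot lkm or do our own mini
    // snapshot feature like in https://github.com/marcinguy/fuzzer
    // -> snapshot.c
    if ((pid = fork()) == -1) PFATAL("fork failed");

    if (pid) {

      // Parent: wait for the child and hand its wait status to AFL++.
      // waitpid() takes an int *, so use a plain int instead of a cast.
      int status;
      if (waitpid(pid, &status, 0) < 0) exit(1);
      /* report the test case is done and wait for the next */
      __afl_end_testcase(status);

    } else {

      // Child: runs exactly one test case and must never return to the loop.
      pid = getpid();
      while ((len = __afl_next_testcase(buf, sizeof(buf))) > 0) {

        // in this function the fuzz magic happens, this is STEP 3
        fuzz();

        // we can use _exit which is faster because our target library
        // was loaded via dlopen and therefore cannot have deconstructors
        // registered.
        _exit(0);

      }

      // Safety net: a child falling through here would otherwise re-enter
      // the parent's fork loop and start forking itself.
      _exit(0);

    }

  }

  return 0;

}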
#ifndef _DEBUG
inline
#endif
    static void
    fuzz(void) {

  // STEP 3: hand the current test case to the target. Whatever the target
  //         needs before the call, and - important! - all cleanup afterwards,
  //         belongs in this function.

  // buf and len are prepared by the caller (see __afl_next_testcase / main).
  o_function(buf, len);

  // Cleanup hook for a real target, e.g. its free routine:
  //(*o_LibFree)(foo);

  // END STEP 3

}