Attach kernel instument code

Author: Kaipeng Zeng

static_analysis_tools/kern_instrument/AssignTrackerPass/AssignTracker.cpp

@@ -0,0 +1,158 @@
+#include <llvm/IR/LegacyPassManager.h>
+#include <llvm/Transforms/IPO/PassManagerBuilder.h>
+#include <llvm/IR/Module.h>
+#include <llvm/IR/Value.h>
+#include <llvm/IR/Type.h>
+#include <llvm/IR/Operator.h>
+#include <llvm/IR/Instructions.h>
+#include <llvm/IR/InstrTypes.h>
+#include <llvm/Bitcode/BitcodeWriter.h>
+
+#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/IR/CallSite.h"
+#include "llvm/IR/IRBuilder.h"
+#include "llvm/IR/InlineAsm.h"
+#include "llvm/ADT/Statistic.h"
+#include "llvm/IR/Function.h"
+#include "llvm/Pass.h"
+#include "llvm/Support/raw_ostream.h"
+
+
+using namespace llvm;
+using namespace legacy;
+
+static const char *const SanCovTraceSrt1Name = "__sanitizer_cov_trace_srt1";
+static const char *const SanCovTraceSrt2Name = "__sanitizer_cov_trace_srt2";
+static const char *const SanCovTraceSrt4Name = "__sanitizer_cov_trace_srt4";
+static const char *const SanCovTraceSrt8Name = "__sanitizer_cov_trace_srt8";
+
+namespace {
+    struct AssignTracker : public ModulePass {
+        static char ID; // Pass identification, replacement for typeid
+        FunctionCallee SanCovTraceSrt1;
+        FunctionCallee SanCovTraceSrt2;
+        FunctionCallee SanCovTraceSrt4;
+        FunctionCallee SanCovTraceSrt8;
+        Type *VoidTy;
+        Type *Int8Ty;
+        Type *Int16Ty;
+        Type *Int32Ty;
+        Type *Int64Ty;
+        std::hash<std::string> hashSrt;
+        std::map<std::string, unsigned> StructIDMap;
+
+        LLVMContext *C;
+        AssignTracker() : ModulePass(ID) {}
+
+        bool runOnModule(Module &M) override {
+            C = &M.getContext();
+            IRBuilder<> IRB(*C);
+
+            VoidTy = IRB.getVoidTy();
+            Int8Ty = IRB.getInt8Ty();
+            Int16Ty = IRB.getInt16Ty();
+            Int32Ty = IRB.getInt32Ty();
+            Int64Ty = IRB.getInt64Ty();
+
+            SanCovTraceSrt1 = M.getOrInsertFunction(SanCovTraceSrt1Name, VoidTy, Int32Ty, Int8Ty);
+            SanCovTraceSrt2 = M.getOrInsertFunction(SanCovTraceSrt2Name, VoidTy, Int32Ty, Int16Ty);
+            SanCovTraceSrt4 = M.getOrInsertFunction(SanCovTraceSrt4Name, VoidTy, Int32Ty, Int32Ty);
+            SanCovTraceSrt8 = M.getOrInsertFunction(SanCovTraceSrt8Name, VoidTy, Int32Ty, Int64Ty);
+
+            for (Function &F : M)
+                instrumentFieldAssign(F);
+            for (auto i : StructIDMap) {
+                errs() << i.first << ": " << std::to_string(i.second) << "\n";
+            }
+            return true;
+        }
+        void injectFieldAssignTracker(Instruction *I, unsigned id);
+        void instrumentFieldAssign(Function &func);
+    };
+}
+
+std::string stripNum(std::string name) {
+    size_t len = name.size();
+    char tmp[len];
+    strncpy(tmp, name.c_str(), len);
+    if (len < 1)
+        return name;
+    while ((tmp[len-1] <= '9' && tmp[len-1] >= '0' && len > 1)
+            || (tmp[len-1] == 'i' && tmp[len-2] == '.' && len > 2)
+            || (tmp[len-1] == '.' && len > 1)) {
+        if (tmp[len-1] == 'i' && tmp[len-2] == '.') {
+            tmp[len-1] = 0;
+            tmp[len-2] = 0;
+            len -= 2;
+            continue;
+        }
+        tmp[len-1] = 0;
+        len--;
+    }
+    name = name.substr(0, len);
+    return name;
+
+;
+}
+
+void AssignTracker::instrumentFieldAssign(Function &func) {
+    if (!func.size())
+        return;
+    for (BasicBlock &bb : func) {
+        for (Instruction &i : bb) {
+            if (StoreInst *si = dyn_cast<StoreInst>(&i)) {
+                const Value *val_op = si->getOperand(0);
+                const Value *var_op = si->getPointerOperand();
+                if (!val_op->getType()->isIntegerTy())
+                    continue;
+                if (const GEPOperator *gep = dyn_cast<GEPOperator>(var_op)) {
+                    const Value *intPtr = gep->getPointerOperand(); 
+                    if (Type *gepOpTy = dyn_cast<PointerType>(intPtr->getType())->getElementType()) {
+                        if (gepOpTy->isStructTy()) {
+                            std::string srtName = gepOpTy->getStructName();
+                            std::string fieldName = var_op->getName();
+                            std::string key = stripNum(srtName) + "->" + stripNum(fieldName);
+                            if (StructIDMap.find(key) == StructIDMap.end())
+                                StructIDMap[key] = hashSrt(key);
+                            injectFieldAssignTracker(si, StructIDMap[key]);
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+void AssignTracker::injectFieldAssignTracker(Instruction *I, unsigned id) {
+    IRBuilder<> IRB(I);
+    Value *val = I->getOperand(0);
+    unsigned bitWidth = val->getType()->getIntegerBitWidth();
+    switch (bitWidth) {
+        case 8: {
+            IRB.CreateCall(SanCovTraceSrt1, {IRB.getInt32(id), IRB.CreateIntCast(val, Int8Ty, true)});
+            break;
+        }
+        case 16: {
+            IRB.CreateCall(SanCovTraceSrt2, {IRB.getInt32(id), IRB.CreateIntCast(val, Int16Ty, true)});
+            break;
+        }
+        case 32: {
+            IRB.CreateCall(SanCovTraceSrt4, {IRB.getInt32(id), IRB.CreateIntCast(val, Int32Ty, true)});
+            break;
+        }
+        case 64: {
+            IRB.CreateCall(SanCovTraceSrt8, {IRB.getInt32(id), IRB.CreateIntCast(val, Int64Ty, true)});
+            break;
+        }
+    }
+}
+
+char AssignTracker::ID = 0;
+static RegisterPass<AssignTracker> X("AssignTracker", "AssignTracker Pass", false, false);
+
+static void registerAssignTrackerPass(const PassManagerBuilder &, legacy::PassManagerBase &PM)
+{
+    PM.add(new AssignTracker());
+}
+
+static RegisterStandardPasses RegisterAPass(PassManagerBuilder::EP_OptimizerLast, registerAssignTrackerPass);

static_analysis_tools/kern_instrument/AssignTrackerPass/AssignTracker.exports

@@ -0,0 +1,20 @@
+# If we don't need RTTI or EH, there's no reason to export anything
+# from the hello plugin.
+if( NOT LLVM_REQUIRES_RTTI )
+  if( NOT LLVM_REQUIRES_EH )
+    set(LLVM_EXPORTED_SYMBOL_FILE ${CMAKE_CURRENT_SOURCE_DIR}/AssignTracker.exports)
+  endif()
+endif()
+
+if(WIN32 OR CYGWIN)
+  set(LLVM_LINK_COMPONENTS Core Support)
+endif()
+
+add_llvm_library( LLVMAssignTracker MODULE BUILDTREE_ONLY
+  AssignTracker.cpp
+
+  DEPENDS
+  intrinsics_gen
+  PLUGIN_TOOL
+  opt
+  )

static_analysis_tools/kern_instrument/AssignTrackerPass/CMakeLists.txt

@@ -0,0 +1,84 @@
+From a756fae764d6f6d316467ff9eeec7c4dfb4f22cc Mon Sep 17 00:00:00 2001
+From: bins <bins@kp-test>
+Date: Wed, 10 Jun 2020 02:48:56 -0400
+Subject: [PATCH] KCOV_SRT_TRACK ok
+
+---
+ kernel/kcov.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+diff --git a/kernel/kcov.c b/kernel/kcov.c
+index f50354202..e2fd7c405 100644
+--- a/kernel/kcov.c
++++ b/kernel/kcov.c
+@@ -312,6 +312,67 @@ void notrace __sanitizer_cov_trace_switch(u64 val, u64 *cases)
+ EXPORT_SYMBOL(__sanitizer_cov_trace_switch);
+ #endif /* ifdef CONFIG_KCOV_ENABLE_COMPARISONS */
+ 
++static void notrace write_srt_data(u64 id, u64 val, u64 ip)
++{
++	struct task_struct *t;
++	u64 *area;
++	u64 count, start_index, end_pos, max_pos;
++
++	t = current;
++
++	if (!check_kcov_mode(KCOV_MODE_TRACE_PC, t))
++		return;
++
++    ip = canonicalize_ip(ip);
++
++	area = (u64 *)t->kcov_area;
++	max_pos = t->kcov_size * sizeof(unsigned long);
++
++	count = READ_ONCE(area[0]);
++
++	/* Every record is KCOV_WORDS_PER_STRU 64-bit words. */
++	start_index = 1 + count;
++	end_pos = (start_index + 3) * sizeof(u64);
++	if (likely(end_pos <= max_pos)) {
++		area[start_index] = id;
++		area[start_index + 1] = val;
++		area[start_index + 2] = ip;
++		WRITE_ONCE(area[0], count + 3);
++	}
++}
++
++void notrace __sanitizer_cov_trace_srt1(u32 id, u8 val)
++{
++    u64 id_64 = ((u64)0xfefe000f << 32) | (u64)id;
++    u64 val_64 = (u64)val;
++	write_srt_data(id_64, val_64, _RET_IP_);
++}
++EXPORT_SYMBOL(__sanitizer_cov_trace_srt1);
++
++void notrace __sanitizer_cov_trace_srt2(u32 id, u16 val)
++{
++    u64 id_64 = ((u64)0xfefe00f0 << 32) | (u64)id;
++    u64 val_64 = (u64)val;
++	write_srt_data(id_64, val_64, _RET_IP_);
++}
++EXPORT_SYMBOL(__sanitizer_cov_trace_srt2);
++
++void notrace __sanitizer_cov_trace_srt4(u32 id, u32 val)
++{
++    u64 id_64 = ((u64)0xfefe0f00 << 32)| (u64)id;
++    u64 val_64 = (u64)val;
++	write_srt_data(id_64, val_64, _RET_IP_);
++}
++EXPORT_SYMBOL(__sanitizer_cov_trace_srt4);
++
++void notrace __sanitizer_cov_trace_srt8(u32 id, u64 val)
++{
++    u64 id_64 = ((u64)0xfefef000 << 32) | (u64)id;
++    u64 val_64 = (u64)val;
++	write_srt_data(id_64, val_64, _RET_IP_);
++}
++EXPORT_SYMBOL(__sanitizer_cov_trace_srt8);
++
+ static void kcov_start(struct task_struct *t, unsigned int size,
+ 			void *area, enum kcov_mode mode, int sequence)
+ {
+-- 
+2.20.1
+

static_analysis_tools/kern_instrument/kern_patch/0001-KCOV_SRT_TRACK-ok.patch

@@ -16,15 +16,15 @@ To implement collect kernel states as syzkaller resource, we have to follow the
 
 ### Kernel instrument
 
-First, we need to implement a LLVM pass to do instrument. While we already knew, lots of states of kernel are located in some field of structure. Tracking the store operation of a variable of GEPointer can detect states which may help to fuzzer. Then, refer to [this document](https://llvm.org/docs/WritingAnLLVMPass.html) to build you compiler with field assignment tracker. While building kernel, you have to add line such like:
+First, we need to implement a [LLVM pass](../static_analysis_tools/kern_instrument/AssignTrackerPass)  to do instrument. While we already knew, lots of states of kernel are located in some field of structure. Tracking the store operation of a variable of GEPointer can detect states which may help to fuzzer. Then, refer to [this document](https://llvm.org/docs/WritingAnLLVMPass.html) to build you compiler with field assignment tracker. While building kernel, you have to add line such like:
 ```  
 CFLAGS_*.o = -Xclang -load -Xclang PATH_TO_YOUR_PASS.so -fno-discard-value-names
 ```  
 to Makefile for the object file you need to instrument it. The kernel state id is the hash of structure name and field name.
 
 ### Implement the instrument function in kernel
 
-Refer to our [implement](../instrument/kcov_trace_srt.patch) of instrument to collect kernel state. Then, build your kernel as usual.
+Refer to our [implement](../static_analysis_tools/kern_instrument/kern_patch) of instrument to collect kernel state. Then, build your kernel as usual.
 
 ### Patch syzkaller