forked from vanhauser-thc/afl-patches
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathafl-fuzz-context_sensitive.diff
138 lines (118 loc) · 4.71 KB
/
afl-fuzz-context_sensitive.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
--- ./config.h 2017-11-05 03:24:47.000000000 +0100
+++ ./config.h 2018-07-14 16:40:42.647038619 +0200
@@ -21,7 +21,7 @@
/* Version string: */
-#define VERSION "2.52b"
+#define VERSION "2.52c"
/******************************************************
* *
@@ -313,7 +313,7 @@
problems with complex programs). You need to recompile the target binary
after changing this - otherwise, SEGVs may ensue. */
-#define MAP_SIZE_POW2 16
+#define MAP_SIZE_POW2 18
#define MAP_SIZE (1 << MAP_SIZE_POW2)
/* Maximum allocator request size (keep well under INT_MAX): */
--- ./llvm_mode/afl-llvm-pass.so.cc 2017-06-23 00:49:06.000000000 +0200
+++ ./llvm_mode/afl-llvm-pass.so.cc 2018-07-24 23:44:48.450352402 +0200
@@ -104,15 +104,31 @@
M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
+ Constant *getCallingContext = M.getOrInsertFunction("__afl_getCallingContext", Int32Ty, Type::getVoidTy(C));
+
/* Instrument all the things! */
int inst_blocks = 0;
- for (auto &F : M)
+ for (auto &F : M) {
+ AllocaInst *CallingContext = nullptr;
for (auto &BB : F) {
BasicBlock::iterator IP = BB.getFirstInsertionPt();
IRBuilder<> IRB(&(*IP));
+ if (&BB == &F.getEntryBlock()) {
+ auto *localVar = IRB.CreateAlloca( IntegerType::getInt32Ty(C), nullptr, "AFL_StackContext");
+ localVar->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ CallInst *myCall = IRB.CreateCall(getCallingContext);
+ CallingContext = localVar;
+ Value *context = myCall;
+ StoreInst *storectx = IRB.CreateStore(context, localVar);
+ storectx->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ myCall->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ }
+ if (CallingContext == nullptr) {
+ break;
+ }
if (AFL_R(100) >= inst_ratio) continue;
@@ -128,18 +144,32 @@
PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
+ LoadInst *getContext = IRB.CreateLoad(CallingContext);
+ getContext->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ Value *Context = getContext;
+
/* Load SHM pointer */
LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr);
MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ Value *x1 = IRB.CreateXor(PrevLocCasted, CurLoc);
+ dyn_cast<Instruction>(x1)
+ ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ Value *x2 = IRB.CreateXor(x1, Context);
+ dyn_cast<Instruction>(x2)
+ ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
Value *MapPtrIdx =
- IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc));
+ IRB.CreateGEP(MapPtr, x2);
+ dyn_cast<Instruction>(MapPtrIdx)
+ ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
/* Update bitmap */
LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
+ dyn_cast<Instruction>(Incr)
+ ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
IRB.CreateStore(Incr, MapPtrIdx)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
@@ -152,7 +182,7 @@
inst_blocks++;
}
-
+ }
/* Say something nice. */
if (!be_quiet) {
--- ./llvm_mode/afl-llvm-rt.o.c 2017-02-01 02:59:41.000000000 +0100
+++ ./llvm_mode/afl-llvm-rt.o.c 2018-07-14 13:38:44.140489482 +0200
@@ -28,6 +28,7 @@
#include <unistd.h>
#include <string.h>
#include <assert.h>
+#include <execinfo.h>
#include <sys/mman.h>
#include <sys/shm.h>
@@ -304,3 +305,29 @@
}
}
+
+ /* Construct a stack trace dependent value in order
+ to assist edge coverage with context sensitivity,
+ see Angora paper for details. This will lead to more
+ entries in the bitmap, so it is advised to
+ use a greater bitmap size (256KB). */
+
+int __afl_getCallingContext(void) {
+ static void *StackTrace[256];
+ int depth = 0;
+ u32 result = 0;
+
+ if (!depth)
+ depth = backtrace(StackTrace, sizeof(StackTrace)/sizeof(void *));
+#ifdef HAVE__UNWIND_BACKTRACE
+ if (!depth)
+ depth = unwindBacktrace(StackTrace, sizeof(StackTrace)/sizeof(void *));
+#endif
+ if (!depth)
+ return result;
+
+ for (int i = 2; i < depth - 2; ++i) {
+ result ^= (u32)( StackTrace[i] );
+ }
+ return result % MAP_SIZE;
+}