From 93202547d9335a59222daecc4369a8a3189d4fdb Mon Sep 17 00:00:00 2001 From: Jorge Gorbe Date: Tue, 25 Nov 2014 18:47:43 +0100 Subject: [PATCH] It worksgit diffgit diff --- CMakeLists.txt | 6 +- drafl.c | 215 +++++++++++++++++++++++++++++++------------------ 2 files changed, 141 insertions(+), 80 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index dec7d75..2dc7483 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -41,9 +41,9 @@ set(DynamoRIO_USE_LIBC ON) add_library(drafl SHARED drafl.c) configure_DynamoRIO_client(drafl) -use_DynamoRIO_extension(drafl drmgr) -use_DynamoRIO_extension(drafl drwrap) -use_DynamoRIO_extension(drafl drx) +#use_DynamoRIO_extension(drafl drmgr) +#use_DynamoRIO_extension(drafl drwrap) +#use_DynamoRIO_extension(drafl drx) # We keep our shared libs in the lib dir, not the bin dir: place_shared_lib_in_lib_dir(drafl) diff --git a/drafl.c b/drafl.c index 0146cdd..8fa542e 100644 --- a/drafl.c +++ b/drafl.c @@ -31,50 +31,69 @@ */ #include "dr_api.h" -#include "drmgr.h" -#include "drwrap.h" -#include "drx.h" +//#include "drmgr.h" +//#include "drwrap.h" +//#include "drx.h" #include "../common/utils.h" #include #include +#include +#include #include #include #include +#include +#include +#include + +#include "afl-0.68b/config.h" + +//#define USE_FIFO_HACK -#include "afl-0.40b/config.h" typedef unsigned char u8; typedef unsigned int u32; -static u8 *afl_area_ptr = 0; -static u32 afl_prev_loc = 0; -static u32 afl_setup_failure = 0; -static u32 afl_temp = 0; -static u32 afl_fork_pid = 0; +#ifdef X64 +typedef uint64_t native_word; +#else +typedef uint32_t native_word; +#endif + +static u8* afl_area_ptr = 0; +static native_word afl_prev_loc = 0; + +static u8 afl_setup_failure = 0; +static native_word afl_temp = 0; +static native_word afl_fork_pid = 0; + +static FILE *logfile; + +#define LOG(s) do { fprintf(logfile, s); fflush(logfile); } while(0) +#define LOG1(s, a1) do { fprintf(logfile, s, a1); fflush(logfile); } while(0) + +int ctl_fd; +int st_fd; static void event_exit(void) { - if (outf != STDERR) - dr_close_file(outf); - drx_exit(); - drwrap_exit(); - drmgr_exit(); -} + LOG("event_exit()\n"); + fclose(logfile); -static dr_emit_flags_t -event_basic_block(void *drcontext, void *tag, instrlist_t *bb, - bool for_trace, bool translating) -{ - return DR_EMIT_DEFAULT; + //drx_exit(); + //drwrap_exit(); + //drmgr_exit(); } static void afl_die() { + LOG("afl_die()\n"); + fclose(logfile); exit(0); } -static void afl_store(u32 loc) +static void afl_store(native_word loc) { /* xorl __afl_prev_loc, %ecx ecx = loc ^ afl_prev_loc @@ -82,7 +101,7 @@ static void afl_store(u32 loc) xorl $" STRINGIFY(MAP_SIZE-1) ", __afl_prev_loc afl_prev_loc = afl_prev_loc ^ (MAP_SIZE - 1) */ - u32 index = loc; + native_word index = loc; #ifndef COVERAGE_ONLY index = afl_prev_loc ^ loc; afl_prev_loc = loc ^ (MAP_SIZE - 1); @@ -90,110 +109,152 @@ static void afl_store(u32 loc) u8 *ptr = afl_area_ptr + index; #ifdef COVERAGE_ONLY - (*index) |= 1; + (*ptr) |= 1; #else - ++(*index); + ++(*ptr); #endif } - static void -afl_maybe_log(u32 loc) +afl_forkserver() { - if (afl_area_ptr == 0) - afl_setup(); + LOG("writing hello message to st pipe\n"); + int n = write(st_fd, &afl_temp, 4); + LOG1("write returned %d\n", n); + if (n != 4) { + close(ctl_fd); + close(st_fd); + LOG("returning\n"); + return; + } - afl_store(loc); + while (1) + { + LOG("waiting for parent reading from ctl pipe\n"); + n = read(ctl_fd, &afl_temp, 4); + LOG1("read returned %d\n", n); + if (n != 4) + afl_die(); + + LOG("forking\n"); + afl_fork_pid = fork(); + if (afl_fork_pid < 0) + afl_die(); + + if (afl_fork_pid != 0) // parent + { + LOG1("parent: writing PID %d to st pipe\n", (int)afl_fork_pid); + // write PID + n = write(st_fd, &afl_fork_pid, 4); + LOG1("write returned %d\n", n); + + // wait for PID + LOG("parent: calling waitpid\n"); + int err = waitpid(afl_fork_pid, (int*)&afl_temp, WUNTRACED); + if (err <= 0) + afl_die(); + + LOG("parent: writing wait status after waitpid\n"); + // write wait status + write(st_fd, &afl_temp, 4); + + // keep looping + } + else // child + { + LOG("child: closing descriptors"); + close(ctl_fd); + close(st_fd); + break; + // will return to afl_setup -> afl_maybe_log and store the current location + } + } } -static void afl_setup() + +static void +afl_setup() { + LOG1("Calling getenv(\"%s\")\n", SHM_ENV_VAR); char *s = getenv(SHM_ENV_VAR); + LOG1("Returned value=\"%s\"\n", s); if (!s) { + LOG("Exiting.\n"); afl_setup_failure = 1; return; } int shm_id = atoi(s); + LOG1("Calling shmat(%d, 0, 0)\n", shm_id); void *result = shmat(shm_id, 0, 0); + LOG1("Returned value=%p\n", result); if (result == (void *)-1) { + LOG("Exiting.\n"); afl_setup_failure = 1; return; } afl_area_ptr = result; + LOG("Starting forkserver.\n"); afl_forkserver(); } -static void afl_forkserver() +static void +afl_maybe_log(native_word loc) { - write(FORKSRV_FD+1, &afl_temp, 4); - while (1) + if (afl_area_ptr == 0) { - int n = read(FORKSRV_FD, &afl_temp, 4); - if (n != 4) - afl_die(); + LOG("afl_area_ptr is null, calling afl_setup()\n"); + afl_setup(); + } - afl_fork_pid = fork(); - if (afl_fork_pid 0) - afl_die(); + afl_store(loc); +} - if (afl_fork_pid != 0) // parent - { - write(FORKSRV_FD+1, &afl_fork_pid, 4); - int err = waitpid(afl_fork_pid, &afl_temp, WUNTRACED); - if (err <= 0) - afl_die(); - write(FORKSRV_FD+1, &afl_temp, 4); - // will loop indefinitely - } - else // child - { - close(FORKSRV_FD); - close(FORKSRV_FD+1); - break; - // will return to afl_setup -> afl_maybe_log and store the current location - } - } +static dr_emit_flags_t +event_basic_block(void *drcontext, void *tag, instrlist_t *bb, + bool for_trace, bool translating) +{ + instr_t *instr = instrlist_first(bb); + native_word random_id = random() % MAP_SIZE; + dr_insert_clean_call(drcontext, bb, instr, afl_maybe_log, false, 1, OPND_CREATE_INTPTR(random_id)); + return DR_EMIT_DEFAULT; } DR_EXPORT void dr_init(client_id_t id) { - module_data_t *exe; - IF_DEBUG(bool ok;) - dr_set_client_name("DrAFL", "https://code.google.com/p/american-fuzzy-lop/"); - IF_DEBUG(ok = ) - drmgr_init(); - ASSERT(ok, "drmgr failed to initialize"); - IF_DEBUG(ok = ) - drwrap_init(); - ASSERT(ok, "drwrap failed to initialize"); - IF_DEBUG(ok = ) - drx_init(); - ASSERT(ok, "drx failed to initialize"); + dr_register_exit_event(event_exit); + dr_register_bb_event(event_basic_block); - dr_register_exit_event(event_exit); -#ifdef UNIX - dr_register_fork_init_event(event_fork); -#endif - drmgr_register_module_load_event(event_module_load); - drmgr_register_module_unload_event(event_module_unload); +//#ifdef UNIX +// dr_register_fork_init_event(event_fork); +//#endif +// drmgr_register_module_load_event(event_module_load); +// drmgr_register_module_unload_event(event_module_unload); -#ifdef WINDOWS - dr_enable_console_printing(); + logfile = fopen("/tmp/afl.txt", "w"); + LOG("log file created in dr_init()\n"); + + +#ifdef USE_FIFO_HACK + ctl_fd = open("/tmp/afl-control", O_RDONLY); + st_fd = open("/tmp/afl-status", O_WRONLY); +#else + ctl_fd = FORKSRV_FD; + st_fd = FORKSRV_FD + 1; #endif - open_log_file(); + } -- 2.34.1