Merge pull request #26 from AFLplusplus/afl4

Afl4

Author: vanhauser-thc

accel/tcg/cpu-exec.c

@@ -629,7 +629,7 @@ void afl_forkserver(CPUState *cpu) {
     status |= (FS_OPT_SET_MAPSIZE(MAP_SIZE) | FS_OPT_MAPSIZE);
   if (lkm_snapshot) status |= FS_OPT_SNAPSHOT;
   if (sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ;
-  if (status) status |= (FS_OPT_ENABLED);
+  if (status) status |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG);
   if (getenv("AFL_DEBUG"))
     fprintf(stderr, "Debug: Sending status %08x\n", status);
   memcpy(tmp, &status, 4);

accel/tcg/tcg-runtime.c

@@ -34,6 +34,8 @@
 
 #include "qemuafl/common.h"
 
+uint32_t afl_hash_ip(uint64_t);
+
 void HELPER(afl_entry_routine)(CPUArchState *env) {
 
   afl_forkserver(env_cpu(env));
@@ -117,13 +119,23 @@ void HELPER(afl_cmplog_8)(target_ulong cur_loc, target_ulong arg1,
                           target_ulong arg2) {
 
   register uintptr_t k = (uintptr_t)cur_loc;
+  u32 hits = 0;
 
-  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
+    __afl_cmp_map->headers[k].hits = 0;
 
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
+  if (__afl_cmp_map->headers[k].hits == 0) {
+
+    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+    __afl_cmp_map->headers[k].shape = 0;
+
+  } else {
 
-  __afl_cmp_map->headers[k].shape = 0;
+    hits = __afl_cmp_map->headers[k].hits;
+
+  }
+
+  __afl_cmp_map->headers[k].hits = hits + 1;
 
   hits &= CMP_MAP_H - 1;
   __afl_cmp_map->log[k][hits].v0 = arg1;
@@ -135,13 +147,23 @@ void HELPER(afl_cmplog_16)(target_ulong cur_loc, target_ulong arg1,
                            target_ulong arg2) {
 
   register uintptr_t k = (uintptr_t)cur_loc;
+  u32 hits = 0;
 
-  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
+    __afl_cmp_map->headers[k].hits = 0;
 
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
+  if (__afl_cmp_map->headers[k].hits == 0) {
+
+    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+    __afl_cmp_map->headers[k].shape = 1;
 
-  __afl_cmp_map->headers[k].shape = 1;
+  } else {
+
+    hits = __afl_cmp_map->headers[k].hits;
+
+  }
+
+  __afl_cmp_map->headers[k].hits = hits + 1;
 
   hits &= CMP_MAP_H - 1;
   __afl_cmp_map->log[k][hits].v0 = arg1;
@@ -153,13 +175,23 @@ void HELPER(afl_cmplog_32)(target_ulong cur_loc, target_ulong arg1,
                            target_ulong arg2) {
 
   register uintptr_t k = (uintptr_t)cur_loc;
+  u32 hits = 0;
 
-  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
+    __afl_cmp_map->headers[k].hits = 0;
 
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
+  if (__afl_cmp_map->headers[k].hits == 0) {
 
-  __afl_cmp_map->headers[k].shape = 3;
+    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+    __afl_cmp_map->headers[k].shape = 3;
+
+  } else {
+
+    hits = __afl_cmp_map->headers[k].hits;
+
+  }
+
+  __afl_cmp_map->headers[k].hits = hits + 1;
 
   hits &= CMP_MAP_H - 1;
   __afl_cmp_map->log[k][hits].v0 = arg1;
@@ -171,13 +203,23 @@ void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1,
                            target_ulong arg2) {
 
   register uintptr_t k = (uintptr_t)cur_loc;
+  u32 hits = 0;
 
-  __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
+    __afl_cmp_map->headers[k].hits = 0;
 
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
+  if (__afl_cmp_map->headers[k].hits == 0) {
+
+    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
+    __afl_cmp_map->headers[k].shape = 7;
 
-  __afl_cmp_map->headers[k].shape = 7;
+  } else {
+
+    hits = __afl_cmp_map->headers[k].hits;
+
+  }
+
+  __afl_cmp_map->headers[k].hits = hits + 1;
 
   hits &= CMP_MAP_H - 1;
   __afl_cmp_map->log[k][hits].v0 = arg1;
@@ -242,21 +284,28 @@ void HELPER(afl_cmplog_rtn)(CPUArchState *env) {
   uintptr_t k = 0;
 #endif
 
-  k = (k >> 4) ^ (k << 8);
-  k &= CMP_MAP_W - 1;
+  k = (uintptr_t)(afl_hash_ip((uint64_t)k));
+  k &= (CMP_MAP_W - 1);
 
-  __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
+  u32 hits = 0;
 
-  u32 hits = __afl_cmp_map->headers[k].hits;
-  __afl_cmp_map->headers[k].hits = hits + 1;
+  if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
+    __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
+    __afl_cmp_map->headers[k].hits = 0;
+    __afl_cmp_map->headers[k].shape = 30;
+  } else {
+    hits = __afl_cmp_map->headers[k].hits;
+  }
 
-  __afl_cmp_map->headers[k].shape = 31;
+  __afl_cmp_map->headers[k].hits += 1;
 
   hits &= CMP_MAP_RTN_H - 1;
+  ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31;
+  ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31;
   __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
-                   ptr1, 32);
+                   ptr1, 31);
   __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
-                   ptr2, 32);
+                   ptr2, 31);
 
 }
 

accel/tcg/translate-all.c

@@ -65,6 +65,7 @@
 
 #include "qemuafl/common.h"
 #include "tcg/tcg-op.h"
+#include "qemuafl/imported/afl_hash.h"
 
 #include <math.h>
 
@@ -106,7 +107,8 @@ static void afl_gen_trace(target_ulong cur_loc) {
 
   // cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
   // cur_loc &= MAP_SIZE - 1;
-  cur_loc = pc_hash(cur_loc) & (MAP_SIZE -1);
+  cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc));
+  cur_loc &= (MAP_SIZE - 1);
 
   /* Implement probabilistic instrumentation by looking at scrambled block
      address. This keeps the instrumented locations stable across runs. */

qemuafl/cpu-translate.h

@@ -35,6 +35,8 @@
 #include "tcg/tcg.h"
 #include "tcg/tcg-op.h"
 
+uint32_t afl_hash_ip(uint64_t);
+
 #if TARGET_LONG_BITS == 64
   #define _DEFAULT_MO MO_64
 #else
@@ -48,8 +50,8 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
 
   if (__afl_cmp_map) {
 
-    cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
-    cur_loc &= CMP_MAP_W - 1;
+    cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc));
+    cur_loc &= (CMP_MAP_W - 1);
 
     TCGv cur_loc_v = tcg_const_tl(cur_loc);
 
@@ -78,8 +80,8 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
 
     if (!is_imm && afl_compcov_level < 2) return;
 
-    cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
-    cur_loc &= MAP_SIZE - 7;
+    cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc));
+    cur_loc &= (MAP_SIZE - 1);
 
     TCGv cur_loc_v = tcg_const_tl(cur_loc);
 

qemuafl/imported/afl_hash.h

@@ -0,0 +1,72 @@
+
+#ifndef _AFL_HASH_H
+
+#define _AFL_HASH_H
+
+/* This is an exerpt of xxhash/XXH3 to prevent colliding with xxhash that is
+   in QEMU */
+
+#include <stdio.h>
+#include <limits.h>
+#include <stdint.h>
+
+uint32_t afl_hash_ip(uint64_t ip);
+uint64_t AFL_readLE64(const void *memPtr);
+uint64_t AFL_rrmxmx(uint64_t h64, uint64_t len);
+
+#define AFL_rotl64(x, r) (((x) << (r)) | ((x) >> (64 - (r))))
+
+inline uint64_t AFL_readLE64(const void *memPtr) {
+
+  const uint8_t *bytePtr = (const uint8_t *)memPtr;
+  return bytePtr[0] | ((uint64_t)bytePtr[1] << 8) | ((uint64_t)bytePtr[2] << 16) |
+         ((uint64_t)bytePtr[3] << 24) | ((uint64_t)bytePtr[4] << 32) |
+         ((uint64_t)bytePtr[5] << 40) | ((uint64_t)bytePtr[6] << 48) |
+         ((uint64_t)bytePtr[7] << 56);
+
+}
+
+inline uint64_t AFL_rrmxmx(uint64_t h64, uint64_t len) {
+
+  /* this mix is inspired by Pelle Evensen's rrmxmx */
+  h64 ^= AFL_rotl64(h64, 49) ^ AFL_rotl64(h64, 24);
+  h64 *= 0x9FB21C651E98DF25ULL;
+  h64 ^= (h64 >> 35) + len;
+  h64 *= 0x9FB21C651E98DF25ULL;
+  return h64 ^ (h64 >> 28);
+
+}
+
+inline uint32_t afl_hash_ip(uint64_t ip) {
+
+  const uint8_t secret[] = {
+
+    0xb8, 0xfe, 0x6c, 0x39, 0x23, 0xa4, 0x4b, 0xbe, 0x7c, 0x01, 0x81, 0x2c,
+    0xf7, 0x21, 0xad, 0x1c, 0xde, 0xd4, 0x6d, 0xe9, 0x83, 0x90, 0x97, 0xdb,
+    0x72, 0x40, 0xa4, 0xa4, 0xb7, 0xb3, 0x67, 0x1f, 0xcb, 0x79, 0xe6, 0x4e,
+    0xcc, 0xc0, 0xe5, 0x78, 0x82, 0x5a, 0xd0, 0x7d, 0xcc, 0xff, 0x72, 0x21,
+    0xb8, 0x08, 0x46, 0x74, 0xf7, 0x43, 0x24, 0x8e, 0xe0, 0x35, 0x90, 0xe6,
+    0x81, 0x3a, 0x26, 0x4c, 0x3c, 0x28, 0x52, 0xbb, 0x91, 0xc3, 0x00, 0xcb,
+    0x88, 0xd0, 0x65, 0x8b, 0x1b, 0x53, 0x2e, 0xa3, 0x71, 0x64, 0x48, 0x97,
+    0xa2, 0x0d, 0xf9, 0x4e, 0x38, 0x19, 0xef, 0x46, 0xa9, 0xde, 0xac, 0xd8,
+    0xa8, 0xfa, 0x76, 0x3f, 0xe3, 0x9c, 0x34, 0x3f, 0xf9, 0xdc, 0xbb, 0xc7,
+    0xc7, 0x0b, 0x4f, 0x1d, 0x8a, 0x51, 0xe0, 0x4b, 0xcd, 0xb4, 0x59, 0x31,
+    0xc8, 0x9f, 0x7e, 0xc9, 0xd9, 0x78, 0x73, 0x64, 0xea, 0xc5, 0xac, 0x83,
+    0x34, 0xd3, 0xeb, 0xc3, 0xc5, 0x81, 0xa0, 0xff, 0xfa, 0x13, 0x63, 0xeb,
+    0x17, 0x0d, 0xdd, 0x51, 0xb7, 0xf0, 0xda, 0x49, 0xd3, 0x16, 0x55, 0x26,
+    0x29, 0xd4, 0x68, 0x9e, 0x2b, 0x16, 0xbe, 0x58, 0x7d, 0x47, 0xa1, 0xfc,
+    0x8f, 0xf8, 0xb8, 0xd1, 0x7a, 0xd0, 0x31, 0xce, 0x45, 0xcb, 0x3a, 0x8f,
+    0x95, 0x16, 0x04, 0x28, 0xaf, 0xd7, 0xfb, 0xca, 0xbb, 0x4b, 0x40, 0x7e,
+
+};
+
+  uint32_t const input1 = (uint32_t)(ip & 0xffffffff);
+  uint32_t const input2 = (uint32_t)(ip >> 32);
+  uint64_t const bitflip = (AFL_readLE64(secret + 8) ^ AFL_readLE64(secret + 16));
+  uint64_t const input64 = input2 + (((uint64_t)input1) << 32);
+  uint64_t const keyed = input64 ^ bitflip;
+  return AFL_rrmxmx(keyed, 8);
+
+}
+
+#endif

qemuafl/imported/cmplog.h

@@ -18,7 +18,7 @@
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at:
 
-     http://www.apache.org/licenses/LICENSE-2.0
+     https://www.apache.org/licenses/LICENSE-2.0
 
    Shared code to handle the shared memory. This is used by the fuzzer
    as well the other components like afl-tmin, afl-showmap, etc...
@@ -29,42 +29,47 @@
 #define _AFL_CMPLOG_H
 
 #include "config.h"
-//#include "forkserver.h"
+
+#define CMPLOG_LVL_MAX 3
 
 #define CMP_MAP_W 65536
-#define CMP_MAP_H 256
+#define CMP_MAP_H 32
 #define CMP_MAP_RTN_H (CMP_MAP_H / 4)
 
 #define SHAPE_BYTES(x) (x + 1)
 
-#define CMP_TYPE_INS 0
-#define CMP_TYPE_RTN 1
+#define CMP_TYPE_INS 1
+#define CMP_TYPE_RTN 2
 
 struct cmp_header {
 
-  unsigned hits : 20;
-
-  unsigned cnt : 20;
-  unsigned id : 16;
-
-  unsigned shape : 5;  // from 0 to 31
-  unsigned type : 1;
+  unsigned hits : 24;
+  unsigned id : 24;
+  unsigned shape : 5;
+  unsigned type : 2;
+  unsigned attribute : 4;
+  unsigned overflow : 1;
+  unsigned reserved : 4;
 
 } __attribute__((packed));
 
 struct cmp_operands {
 
   u64 v0;
   u64 v1;
+  u64 v0_128;
+  u64 v1_128;
 
-};
+} __attribute__((packed));
 
 struct cmpfn_operands {
 
-  u8 v0[32];
-  u8 v1[32];
+  u8 v0[31];
+  u8 v0_len;
+  u8 v1[31];
+  u8 v1_len;
 
-};
+} __attribute__((packed));
 
 typedef struct cmp_operands cmp_map_list[CMP_MAP_H];
 
@@ -77,7 +82,8 @@ struct cmp_map {
 
 /* Execs the child */
 
-//void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv);
+struct afl_forkserver;
+void cmplog_exec_child(struct afl_forkserver *fsrv, char **argv);
 
 #endif