Merge pull request #16 from realmadsci/afl-exclude-ranges

Add AFL_QEMU_EXCLUDE_RANGES

Author: andreafioraldi

accel/tcg/cpu-exec.c

@@ -35,6 +35,7 @@
 #include "exec/tb-lookup.h"
 #include "exec/log.h"
 #include "qemu/main-loop.h"
+#include "qemu/selfmap.h"
 #if defined(TARGET_I386) && !defined(CONFIG_USER_ONLY)
 #include "hw/i386/apic.h"
 #endif
@@ -373,12 +374,11 @@ void afl_setup(void) {
   if (getenv("AFL_CODE_END"))
     afl_end_code = strtoll(getenv("AFL_CODE_END"), NULL, 16);
 
+  int have_names = 0;
   if (getenv("AFL_QEMU_INST_RANGES")) {
-
     char *str = getenv("AFL_QEMU_INST_RANGES");
     char *saveptr1, *saveptr2 = NULL;
     char *pt1, *pt2, *pt3 = NULL;
-    int have_names = 0;
 
     while (1) {
 
@@ -389,7 +389,7 @@ void afl_setup(void) {
       pt2 = strtok_r(pt1, "-", &saveptr2);
       pt3 = strtok_r(NULL, "-", &saveptr2);
 
-      struct vmrange* n = malloc(sizeof(struct vmrange));
+      struct vmrange* n = calloc(1, sizeof(struct vmrange));
       n->next = afl_instr_code;
 
       if (pt3 == NULL) { // filename
@@ -406,69 +406,91 @@ void afl_setup(void) {
       afl_instr_code = n;
 
     }
-    
-    if (have_names) {
-    
-      FILE *fp;
-      char *line = NULL;
-      size_t len = 0;
-      ssize_t read;
-
-      fp = fopen("/proc/self/maps", "r");
-      if (fp == NULL) {
-        fprintf(stderr, "[AFL] ERROR: cannot open /proc/self/maps\n");
-        exit(1);
+  }
+
+  if (getenv("AFL_QEMU_EXCLUDE_RANGES")) {
+    char *str = getenv("AFL_QEMU_EXCLUDE_RANGES");
+    char *saveptr1, *saveptr2 = NULL;
+    char *pt1, *pt2, *pt3 = NULL;
+
+    while (1) {
+
+      pt1 = strtok_r(str, ",", &saveptr1);
+      if (pt1 == NULL) break;
+      str = NULL;
+
+      pt2 = strtok_r(pt1, "-", &saveptr2);
+      pt3 = strtok_r(NULL, "-", &saveptr2);
+
+      struct vmrange* n = calloc(1, sizeof(struct vmrange));
+      n->exclude = true; // These are "exclusion" regions.
+      n->next = afl_instr_code;
+
+      if (pt3 == NULL) { // filename
+        have_names = 1;
+        n->start = (target_ulong)-1;
+        n->end = 0;
+        n->name = strdup(pt1);
+      } else {
+        n->start = strtoull(pt2, NULL, 16);
+        n->end = strtoull(pt3, NULL, 16);
+        n->name = NULL;
       }
-      
-      while ((read = getline(&line, &len, fp)) != -1) {
-      
-        int fields, dev_maj, dev_min, inode;
-        uint64_t min, max, offset;
-        char flag_r, flag_w, flag_x, flag_p;
-        char path[512] = "";
-
-        fields = sscanf(line, "%"PRIx64"-%"PRIx64" %c%c%c%c %"PRIx64" %x:%x %d"
-                        " %512s", &min, &max, &flag_r, &flag_w, &flag_x,
-                        &flag_p, &offset, &dev_maj, &dev_min, &inode, path);
-
-        if ((fields < 10) || (fields > 11) || !flag_x || !h2g_valid(min))
-            continue;
-        
+
+      afl_instr_code = n;
+
+    }
+  }
+
+  if (have_names) {
+    GSList *map_info = read_self_maps();
+    for (GSList *s = map_info; s; s = g_slist_next(s)) {
+      MapInfo *e = (MapInfo *) s->data;
+
+      if (h2g_valid(e->start)) {
+        unsigned long min = e->start;
+        unsigned long max = e->end;
         int flags = page_get_flags(h2g(min));
-        
-        max = h2g_valid(max - 1) ? max : (uintptr_t)AFL_G2H(GUEST_ADDR_MAX) + 1;
-        if (page_check_range(h2g(min), max - min, flags) == -1)
-            continue;
-        
+
+        max = h2g_valid(max - 1) ? max : (uintptr_t) AFL_G2H(GUEST_ADDR_MAX) + 1;
+
+        if (page_check_range(h2g(min), max - min, flags) == -1) {
+          continue;
+        }
+
+        // Now that we have a valid guest address region, compare its
+        // name against the names we care about:
         target_ulong gmin = h2g(min);
         target_ulong gmax = h2g(max);
-        
+
         struct vmrange* n = afl_instr_code;
         while (n) {
-          if (n->name && strstr(path, n->name)) {
+          if (n->name && strstr(e->path, n->name)) {
             if (gmin < n->start) n->start = gmin;
             if (gmax > n->end) n->end = gmax;
             break;
           }
           n = n->next;
         }
-      
       }
-      
-      fclose(fp);
-    
     }
-    
-    if (getenv("AFL_DEBUG") && afl_instr_code) {
-      struct vmrange* n = afl_instr_code;
-      while (n) {
+    free_self_maps(map_info);
+  }
+
+  if (getenv("AFL_DEBUG") && afl_instr_code) {
+    struct vmrange* n = afl_instr_code;
+    while (n) {
+      if (n->exclude) {
+        fprintf(stderr, "Exclude range: 0x%lx-0x%lx (%s)\n",
+                (unsigned long)n->start, (unsigned long)n->end,
+                n->name ? n->name : "<noname>");
+      } else {
         fprintf(stderr, "Instrument range: 0x%lx-0x%lx (%s)\n",
                 (unsigned long)n->start, (unsigned long)n->end,
                 n->name ? n->name : "<noname>");
-        n = n->next;
       }
+      n = n->next;
     }
-
   }
 
   /* Maintain for compatibility */

qemuafl/common.h

@@ -76,9 +76,12 @@ typedef void (*afl_persistent_hook_fn)(struct api_regs *regs,
 
 /* Declared in afl-qemu-cpu-inl.h */
 
+// This structure is used for tracking which
+// code is to be instrumented via afl_instr_code.
 struct vmrange {
   target_ulong start, end;
   char* name;
+  bool exclude; // Exclude this region rather than include it
   struct vmrange* next;
 };
 
@@ -164,14 +167,19 @@ static inline int is_valid_addr(target_ulong addr) {
 
 static inline int afl_must_instrument(target_ulong addr) {
 
+  // Reject any exclusion regions
+  for (struct vmrange* n = afl_instr_code; n; n = n->next) {
+    if (n->exclude && addr < n->end && addr >= n->start)
+      return 0;
+  }
+
+  // Check for inclusion in instrumentation regions
   if (addr < afl_end_code && addr >= afl_start_code)
     return 1;
-  
-  struct vmrange* n = afl_instr_code;
-  while(n) {
-    if (addr < n->end && addr >= n->start)
+
+  for (struct vmrange* n = afl_instr_code; n; n = n->next) {
+    if (!n->exclude && addr < n->end && addr >= n->start)
       return 1;
-    n = n->next;
   }
 
   return 0;