cpu-exec: Add AFL_QEMU_EXCLUDE_RANGES

realmadsci · realmadsci · commit b68b4d721c9d · 2021-03-02T12:54:22.000-08:00
This environment variable allows rejection of
specific regions from instrumentation.

It takes priority over AFL_INST_LIBS and AFL_QEMU_INST_RANGES,
so it can be used to poke a "hole" in previously included sections.
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
@@ -408,6 +408,40 @@ void afl_setup(void) {
     }
   }
 
+  if (getenv("AFL_QEMU_EXCLUDE_RANGES")) {
+    char *str = getenv("AFL_QEMU_EXCLUDE_RANGES");
+    char *saveptr1, *saveptr2 = NULL;
+    char *pt1, *pt2, *pt3 = NULL;
+
+    while (1) {
+
+      pt1 = strtok_r(str, ",", &saveptr1);
+      if (pt1 == NULL) break;
+      str = NULL;
+
+      pt2 = strtok_r(pt1, "-", &saveptr2);
+      pt3 = strtok_r(NULL, "-", &saveptr2);
+
+      struct vmrange* n = calloc(1, sizeof(struct vmrange));
+      n->exclude = true; // These are "exclusion" regions.
+      n->next = afl_instr_code;
+
+      if (pt3 == NULL) { // filename
+        have_names = 1;
+        n->start = (target_ulong)-1;
+        n->end = 0;
+        n->name = strdup(pt1);
+      } else {
+        n->start = strtoull(pt2, NULL, 16);
+        n->end = strtoull(pt3, NULL, 16);
+        n->name = NULL;
+      }
+
+      afl_instr_code = n;
+
+    }
+  }
+
   if (have_names) {
     GSList *map_info = read_self_maps();
     for (GSList *s = map_info; s; s = g_slist_next(s)) {
@@ -446,9 +480,15 @@ void afl_setup(void) {
   if (getenv("AFL_DEBUG") && afl_instr_code) {
     struct vmrange* n = afl_instr_code;
     while (n) {
-      fprintf(stderr, "Instrument range: 0x%lx-0x%lx (%s)\n",
-              (unsigned long)n->start, (unsigned long)n->end,
-              n->name ? n->name : "<noname>");
+      if (n->exclude) {
+        fprintf(stderr, "Exclude range: 0x%lx-0x%lx (%s)\n",
+                (unsigned long)n->start, (unsigned long)n->end,
+                n->name ? n->name : "<noname>");
+      } else {
+        fprintf(stderr, "Instrument range: 0x%lx-0x%lx (%s)\n",
+                (unsigned long)n->start, (unsigned long)n->end,
+                n->name ? n->name : "<noname>");
+      }
       n = n->next;
     }
   }
diff --git a/qemuafl/common.h b/qemuafl/common.h
@@ -76,9 +76,12 @@ typedef void (*afl_persistent_hook_fn)(struct api_regs *regs,
 
 /* Declared in afl-qemu-cpu-inl.h */
 
+// This structure is used for tracking which
+// code is to be instrumented via afl_instr_code.
 struct vmrange {
   target_ulong start, end;
   char* name;
+  bool exclude; // Exclude this region rather than include it
   struct vmrange* next;
 };
 
@@ -164,14 +167,19 @@ static inline int is_valid_addr(target_ulong addr) {
 
 static inline int afl_must_instrument(target_ulong addr) {
 
+  // Reject any exclusion regions
+  for (struct vmrange* n = afl_instr_code; n; n = n->next) {
+    if (n->exclude && addr < n->end && addr >= n->start)
+      return 0;
+  }
+
+  // Check for inclusion in instrumentation regions
   if (addr < afl_end_code && addr >= afl_start_code)
     return 1;
-  
-  struct vmrange* n = afl_instr_code;
-  while(n) {
-    if (addr < n->end && addr >= n->start)
+
+  for (struct vmrange* n = afl_instr_code; n; n = n->next) {
+    if (!n->exclude && addr < n->end && addr >= n->start)
       return 1;
-    n = n->next;
   }
 
   return 0;
