AFL_G2h default to g2h_untagged as workaround

Author: andreafioraldi

accel/tcg/cpu-exec.c

@@ -209,7 +209,7 @@ static void collect_memory_snapshot(void) {
 
     int flags = page_get_flags(h2g(min));
 
-    max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX) + 1;
+    max = h2g_valid(max - 1) ? max : (uintptr_t)AFL_G2H(GUEST_ADDR_MAX) + 1;
     if (page_check_range(h2g(min), max - min, flags) == -1)
         continue;
 
@@ -436,7 +436,7 @@ void afl_setup(void) {
 
         int flags = page_get_flags(h2g(min));
 
-        max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX) + 1;
+        max = h2g_valid(max - 1) ? max : (uintptr_t)AFL_G2H(GUEST_ADDR_MAX) + 1;
         if (page_check_range(h2g(min), max - min, flags) == -1)
             continue;
 

accel/tcg/tcg-runtime.c

@@ -206,18 +206,18 @@ void HELPER(afl_cmplog_rtn)(CPUArchState *env) {
 
 #if defined(TARGET_X86_64)
 
-  void *ptr1 = g2h(env->regs[R_EDI]);
-  void *ptr2 = g2h(env->regs[R_ESI]);
+  void *ptr1 = AFL_G2H(env->regs[R_EDI]);
+  void *ptr2 = AFL_G2H(env->regs[R_ESI]);
 
 #elif defined(TARGET_I386)
 
-  target_ulong *stack = g2h(env->regs[R_ESP]);
+  target_ulong *stack = AFL_G2H(env->regs[R_ESP]);
 
   if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return;
 
   // when this hook is executed, the retaddr is not on stack yet
-  void *    ptr1 = g2h(stack[0]);
-  void *    ptr2 = g2h(stack[1]);
+  void *    ptr1 = AFL_G2H(stack[0]);
+  void *    ptr2 = AFL_G2H(stack[1]);
 
 #else
 
@@ -531,7 +531,7 @@ char* asan_giovese_printaddr(target_ulong guest_addr) {
     if (h2g_valid(min)) {
 
       int flags = page_get_flags(h2g(min));
-      max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX) + 1;
+      max = h2g_valid(max - 1) ? max : (uintptr_t)AFL_G2H(GUEST_ADDR_MAX) + 1;
       if (page_check_range(h2g(min), max - min, flags) == -1)
           continue;
 
@@ -716,27 +716,27 @@ target_long qasan_actions_dispatcher(void *cpu_env,
         }
 #else
         case QASAN_ACTION_CHECK_LOAD:
-        __asan_loadN(g2h(arg1), arg2);
+        __asan_loadN(AFL_G2H(arg1), arg2);
         break;
 
         case QASAN_ACTION_CHECK_STORE:
-        __asan_storeN(g2h(arg1), arg2);
+        __asan_storeN(AFL_G2H(arg1), arg2);
         break;
 
         case QASAN_ACTION_POISON:
-        __asan_poison_memory_region(g2h(arg1), arg2);
+        __asan_poison_memory_region(AFL_G2H(arg1), arg2);
         break;
 
         case QASAN_ACTION_USER_POISON:
-        __asan_poison_memory_region(g2h(arg1), arg2);
+        __asan_poison_memory_region(AFL_G2H(arg1), arg2);
         break;
 
         case QASAN_ACTION_UNPOISON:
-        __asan_unpoison_memory_region(g2h(arg1), arg2);
+        __asan_unpoison_memory_region(AFL_G2H(arg1), arg2);
         break;
 
         case QASAN_ACTION_IS_POISON:
-        return __asan_region_is_poisoned(g2h(arg1), arg2) != NULL;
+        return __asan_region_is_poisoned(AFL_G2H(arg1), arg2) != NULL;
 
         case QASAN_ACTION_ALLOC:
           break;
@@ -779,7 +779,7 @@ void HELPER(qasan_load1)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load1(ptr)) {
@@ -795,7 +795,7 @@ void HELPER(qasan_load2)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load2(ptr)) {
@@ -811,7 +811,7 @@ void HELPER(qasan_load4)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load4(ptr)) {
@@ -827,7 +827,7 @@ void HELPER(qasan_load8)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load8(ptr)) {
@@ -843,7 +843,7 @@ void HELPER(qasan_store1)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store1(ptr)) {
@@ -859,7 +859,7 @@ void HELPER(qasan_store2)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store2(ptr)) {
@@ -875,7 +875,7 @@ void HELPER(qasan_store4)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store4(ptr)) {
@@ -891,7 +891,7 @@ void HELPER(qasan_store8)(CPUArchState *env, target_ulong addr) {
 
   if (qasan_disabled) return;
 
-  void* ptr = (void*)g2h(addr);
+  void* ptr = (void*)AFL_G2H(addr);
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store8(ptr)) {

qemuafl/asan-giovese-inl.h

@@ -319,14 +319,14 @@ int asan_giovese_guest_loadN(target_ulong addr, size_t n) {
 
     if (n <= first_size) {
 
-      uintptr_t h = (uintptr_t)g2h(start);
+      uintptr_t h = (uintptr_t)AFL_G2H(start);
       int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
       int8_t    k = *shadow_addr;
       return k != 0 && ((intptr_t)((h & 7) + n) > k);
 
     }
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
     int8_t    k = *shadow_addr;
     if (k != 0 && ((intptr_t)((h & 7) + first_size) > k)) return 1;
@@ -337,7 +337,7 @@ int asan_giovese_guest_loadN(target_ulong addr, size_t n) {
 
   while (start < last_8) {
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
     if (*shadow_addr) return 1;
     start += 8;
@@ -346,7 +346,7 @@ int asan_giovese_guest_loadN(target_ulong addr, size_t n) {
 
   if (last_8 != end) {
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     size_t    last_size = end - last_8;
     int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
     int8_t    k = *shadow_addr;
@@ -373,14 +373,14 @@ int asan_giovese_guest_storeN(target_ulong addr, size_t n) {
 
     if (n <= first_size) {
 
-      uintptr_t h = (uintptr_t)g2h(start);
+      uintptr_t h = (uintptr_t)AFL_G2H(start);
       int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
       int8_t    k = *shadow_addr;
       return k != 0 && ((intptr_t)((h & 7) + n) > k);
 
     }
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
     int8_t    k = *shadow_addr;
     if (k != 0 && ((intptr_t)((h & 7) + first_size) > k)) return 1;
@@ -391,7 +391,7 @@ int asan_giovese_guest_storeN(target_ulong addr, size_t n) {
 
   while (start < last_8) {
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
     if (*shadow_addr) return 1;
     start += 8;
@@ -400,7 +400,7 @@ int asan_giovese_guest_storeN(target_ulong addr, size_t n) {
 
   if (last_8 != end) {
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     size_t    last_size = end - last_8;
     int8_t*   shadow_addr = (int8_t*)(h >> 3) + SHADOW_OFFSET;
     int8_t    k = *shadow_addr;
@@ -493,7 +493,7 @@ int asan_giovese_poison_guest_region(target_ulong addr, size_t n,
 
     if (n < first_size) return 0;
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     uint8_t*  shadow_addr = (uint8_t*)(h >> 3) + SHADOW_OFFSET;
     *shadow_addr = 8 - first_size;
 
@@ -503,7 +503,7 @@ int asan_giovese_poison_guest_region(target_ulong addr, size_t n,
 
   while (start < last_8) {
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     uint8_t*  shadow_addr = (uint8_t*)(h >> 3) + SHADOW_OFFSET;
     *shadow_addr = poison_byte;
     start += 8;
@@ -527,7 +527,7 @@ int asan_giovese_unpoison_guest_region(target_ulong addr, size_t n) {
 
   while (start < end) {
 
-    uintptr_t h = (uintptr_t)g2h(start);
+    uintptr_t h = (uintptr_t)AFL_G2H(start);
     uint8_t*  shadow_addr = (uint8_t*)(h >> 3) + SHADOW_OFFSET;
     *shadow_addr = 0;
     start += 8;
@@ -856,7 +856,7 @@ static int poisoned_find_error(target_ulong addr, size_t n,
 
   while (start < end) {
 
-    uintptr_t rs = (uintptr_t)g2h(start);
+    uintptr_t rs = (uintptr_t)AFL_G2H(start);
     int8_t*   shadow_addr = (int8_t*)(rs >> 3) + SHADOW_OFFSET;
     switch (*shadow_addr) {
 
@@ -892,7 +892,7 @@ static int poisoned_find_error(target_ulong addr, size_t n,
 
   if (have_partials) {
 
-    uintptr_t rs = (uintptr_t)g2h((end & ~7) + 8);
+    uintptr_t rs = (uintptr_t)AFL_G2H((end & ~7) + 8);
     uint8_t*  last_shadow_addr = (uint8_t*)(rs >> 3) + SHADOW_OFFSET;
     *err_string = poisoned_strerror(*last_shadow_addr);
     return 1;
@@ -905,7 +905,7 @@ static int poisoned_find_error(target_ulong addr, size_t n,
 
 }
 
-#define _MEM2SHADOW(x) ((uint8_t*)((uintptr_t)g2h(x) >> 3) + SHADOW_OFFSET)
+#define _MEM2SHADOW(x) ((uint8_t*)((uintptr_t)AFL_G2H(x) >> 3) + SHADOW_OFFSET)
 
 #define _MEM2SHADOWPRINT(x) shadow_color_map[*_MEM2SHADOW(x)], *_MEM2SHADOW(x)
 

qemuafl/asan-giovese.h

@@ -32,6 +32,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include <stdint.h>
 #include <inttypes.h>
 #include <stdlib.h>
+#include "common.h"
 
 #ifndef ASAN_NAME_STR
 #define ASAN_NAME_STR "AddressSanitizer"

qemuafl/common.h

@@ -40,6 +40,8 @@
 
 #include "api.h"
 
+#define AFL_G2H g2h_untagged
+
 #if defined(TARGET_X86_64)
 #define api_regs x86_64_regs
 #elif defined(TARGET_I386)