fix

vanhauser-thc · vanhauser-thc · commit eb765dd8a606 · 2021-11-09T11:03:59.000+01:00
diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c
@@ -33,7 +33,8 @@
 #include "tcg/tcg.h"
 
 #include "qemuafl/common.h"
-#include "qemuafl/imported/afl_hash.h"
+
+uint32_t afl_hash_ip(uint64_t);
 
 void HELPER(afl_entry_routine)(CPUArchState *env) {
 
@@ -283,7 +284,7 @@ void HELPER(afl_cmplog_rtn)(CPUArchState *env) {
   uintptr_t k = 0;
 #endif
 
-  k = (uintptr_t)(afl_hash_ip((uint64_t)k, 8));
+  k = (uintptr_t)(afl_hash_ip((uint64_t)k));
   k &= (CMP_MAP_W - 1);
 
   u32 hits = 0;
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
@@ -65,7 +65,7 @@
 
 #include "qemuafl/common.h"
 #include "tcg/tcg-op.h"
-#include "qemuaflimported/afl_hash.h"
+#include "qemuafl/imported/afl_hash.h"
 
 #include <math.h>
 
@@ -107,7 +107,7 @@ static void afl_gen_trace(target_ulong cur_loc) {
 
   // cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
   // cur_loc &= MAP_SIZE - 1;
-  cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc, 8));
+  cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc));
   cur_loc &= (MAP_SIZE - 1);
 
   /* Implement probabilistic instrumentation by looking at scrambled block
diff --git a/qemuafl/cpu-translate.h b/qemuafl/cpu-translate.h
@@ -35,7 +35,7 @@
 #include "tcg/tcg.h"
 #include "tcg/tcg-op.h"
 
-#include "imported/afl_hash.h"
+uint32_t afl_hash_ip(uint64_t);
 
 #if TARGET_LONG_BITS == 64
   #define _DEFAULT_MO MO_64
@@ -50,7 +50,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
 
   if (__afl_cmp_map) {
 
-    cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc, 8));
+    cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc));
     cur_loc &= (CMP_MAP_W - 1);
 
     TCGv cur_loc_v = tcg_const_tl(cur_loc);
@@ -80,7 +80,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
 
     if (!is_imm && afl_compcov_level < 2) return;
 
-    cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc, 8));
+    cur_loc = (uintptr_t)(afl_hash_ip((uint64_t)cur_loc));
     cur_loc &= (MAP_SIZE - 1);
 
     TCGv cur_loc_v = tcg_const_tl(cur_loc);
diff --git a/qemuafl/imported/afl_hash.h b/qemuafl/imported/afl_hash.h
@@ -10,42 +10,12 @@
 #include <limits.h>
 #include <stdint.h>
 
-uint32_t afl_hash_ip(uint8_t *input, size_t len);
-uint32_t AFL_readLE32(const void *memPtr);
+uint32_t afl_hash_ip(uint64_t ip);
 uint64_t AFL_readLE64(const void *memPtr);
 uint64_t AFL_rrmxmx(uint64_t h64, uint64_t len);
 
-const uint8_t AFL_kSecret[] = {
-
-    0xb8, 0xfe, 0x6c, 0x39, 0x23, 0xa4, 0x4b, 0xbe, 0x7c, 0x01, 0x81, 0x2c,
-    0xf7, 0x21, 0xad, 0x1c, 0xde, 0xd4, 0x6d, 0xe9, 0x83, 0x90, 0x97, 0xdb,
-    0x72, 0x40, 0xa4, 0xa4, 0xb7, 0xb3, 0x67, 0x1f, 0xcb, 0x79, 0xe6, 0x4e,
-    0xcc, 0xc0, 0xe5, 0x78, 0x82, 0x5a, 0xd0, 0x7d, 0xcc, 0xff, 0x72, 0x21,
-    0xb8, 0x08, 0x46, 0x74, 0xf7, 0x43, 0x24, 0x8e, 0xe0, 0x35, 0x90, 0xe6,
-    0x81, 0x3a, 0x26, 0x4c, 0x3c, 0x28, 0x52, 0xbb, 0x91, 0xc3, 0x00, 0xcb,
-    0x88, 0xd0, 0x65, 0x8b, 0x1b, 0x53, 0x2e, 0xa3, 0x71, 0x64, 0x48, 0x97,
-    0xa2, 0x0d, 0xf9, 0x4e, 0x38, 0x19, 0xef, 0x46, 0xa9, 0xde, 0xac, 0xd8,
-    0xa8, 0xfa, 0x76, 0x3f, 0xe3, 0x9c, 0x34, 0x3f, 0xf9, 0xdc, 0xbb, 0xc7,
-    0xc7, 0x0b, 0x4f, 0x1d, 0x8a, 0x51, 0xe0, 0x4b, 0xcd, 0xb4, 0x59, 0x31,
-    0xc8, 0x9f, 0x7e, 0xc9, 0xd9, 0x78, 0x73, 0x64, 0xea, 0xc5, 0xac, 0x83,
-    0x34, 0xd3, 0xeb, 0xc3, 0xc5, 0x81, 0xa0, 0xff, 0xfa, 0x13, 0x63, 0xeb,
-    0x17, 0x0d, 0xdd, 0x51, 0xb7, 0xf0, 0xda, 0x49, 0xd3, 0x16, 0x55, 0x26,
-    0x29, 0xd4, 0x68, 0x9e, 0x2b, 0x16, 0xbe, 0x58, 0x7d, 0x47, 0xa1, 0xfc,
-    0x8f, 0xf8, 0xb8, 0xd1, 0x7a, 0xd0, 0x31, 0xce, 0x45, 0xcb, 0x3a, 0x8f,
-    0x95, 0x16, 0x04, 0x28, 0xaf, 0xd7, 0xfb, 0xca, 0xbb, 0x4b, 0x40, 0x7e,
-
-};
-
 #define AFL_rotl64(x, r) (((x) << (r)) | ((x) >> (64 - (r))))
 
-inline uint32_t AFL_readLE32(const void *memPtr) {
-
-  const uint8_t *bytePtr = (const uint8_t *)memPtr;
-  return bytePtr[0] | ((uint32_t)bytePtr[1] << 8) | ((uint32_t)bytePtr[2] << 16) |
-         ((uint32_t)bytePtr[3] << 24);
-
-}
-
 inline uint64_t AFL_readLE64(const void *memPtr) {
 
   const uint8_t *bytePtr = (const uint8_t *)memPtr;
@@ -67,17 +37,35 @@ inline uint64_t AFL_rrmxmx(uint64_t h64, uint64_t len) {
 
 }
 
-inline uint32_t afl_hash_ip(uint8_t *input, size_t len) {
+inline uint32_t afl_hash_ip(uint64_t ip) {
+
+  const uint8_t secret[] = {
+
+    0xb8, 0xfe, 0x6c, 0x39, 0x23, 0xa4, 0x4b, 0xbe, 0x7c, 0x01, 0x81, 0x2c,
+    0xf7, 0x21, 0xad, 0x1c, 0xde, 0xd4, 0x6d, 0xe9, 0x83, 0x90, 0x97, 0xdb,
+    0x72, 0x40, 0xa4, 0xa4, 0xb7, 0xb3, 0x67, 0x1f, 0xcb, 0x79, 0xe6, 0x4e,
+    0xcc, 0xc0, 0xe5, 0x78, 0x82, 0x5a, 0xd0, 0x7d, 0xcc, 0xff, 0x72, 0x21,
+    0xb8, 0x08, 0x46, 0x74, 0xf7, 0x43, 0x24, 0x8e, 0xe0, 0x35, 0x90, 0xe6,
+    0x81, 0x3a, 0x26, 0x4c, 0x3c, 0x28, 0x52, 0xbb, 0x91, 0xc3, 0x00, 0xcb,
+    0x88, 0xd0, 0x65, 0x8b, 0x1b, 0x53, 0x2e, 0xa3, 0x71, 0x64, 0x48, 0x97,
+    0xa2, 0x0d, 0xf9, 0x4e, 0x38, 0x19, 0xef, 0x46, 0xa9, 0xde, 0xac, 0xd8,
+    0xa8, 0xfa, 0x76, 0x3f, 0xe3, 0x9c, 0x34, 0x3f, 0xf9, 0xdc, 0xbb, 0xc7,
+    0xc7, 0x0b, 0x4f, 0x1d, 0x8a, 0x51, 0xe0, 0x4b, 0xcd, 0xb4, 0x59, 0x31,
+    0xc8, 0x9f, 0x7e, 0xc9, 0xd9, 0x78, 0x73, 0x64, 0xea, 0xc5, 0xac, 0x83,
+    0x34, 0xd3, 0xeb, 0xc3, 0xc5, 0x81, 0xa0, 0xff, 0xfa, 0x13, 0x63, 0xeb,
+    0x17, 0x0d, 0xdd, 0x51, 0xb7, 0xf0, 0xda, 0x49, 0xd3, 0x16, 0x55, 0x26,
+    0x29, 0xd4, 0x68, 0x9e, 0x2b, 0x16, 0xbe, 0x58, 0x7d, 0x47, 0xa1, 0xfc,
+    0x8f, 0xf8, 0xb8, 0xd1, 0x7a, 0xd0, 0x31, 0xce, 0x45, 0xcb, 0x3a, 0x8f,
+    0x95, 0x16, 0x04, 0x28, 0xaf, 0xd7, 0xfb, 0xca, 0xbb, 0x4b, 0x40, 0x7e,
 
-  const uint8_t *secret = AFL_kSecret;
+};
 
-    uint32_t const input1 = AFL_readLE32(input);
-    uint32_t const input2 = AFL_readLE32(input + len - 4);
-    uint64_t const bitflip =
-        (AFL_readLE64(secret + 8) ^ AFL_readLE64(secret + 16));
-    uint64_t const input64 = input2 + (((uint64_t)input1) << 32);
-    uint64_t const keyed = input64 ^ bitflip;
-    return AFL_rrmxmx(keyed, len);
+  uint32_t const input1 = (uint32_t)(ip & 0xffffffff);
+  uint32_t const input2 = (uint32_t)(ip >> 32);
+  uint64_t const bitflip = (AFL_readLE64(secret + 8) ^ AFL_readLE64(secret + 16));
+  uint64_t const input64 = input2 + (((uint64_t)input1) << 32);
+  uint64_t const keyed = input64 ^ bitflip;
+  return AFL_rrmxmx(keyed, 8);
 
 }
 
diff --git a/qemuafl/imported/types.h b/qemuafl/imported/types.h
@@ -47,6 +47,7 @@ typedef uint128_t         u128;
 #define FS_ERROR_SHMAT 8
 #define FS_ERROR_MMAP 16
 #define FS_ERROR_OLD_CMPLOG 32
+#define FS_ERROR_OLD_CMPLOG_QEMU 64
 
 /* Reporting options */
 #define FS_OPT_ENABLED 0x80000001
