p98n2ja4z
/
AFLplusplus
2
0
Fork 5
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'five'
${ noResults }
AFLplusplus/src%2FAFLplusplus-stable%2Fsrc/afl-cc.c

3698 lines
101 KiB
Raw Permalink Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

/*
american fuzzy lop++ - compiler instrumentation wrapper
-------------------------------------------------------
Written by Michal Zalewski, Laszlo Szekeres and Marc Heuse
Copyright 2015, 2016 Google Inc. All rights reserved.
Copyright 2019-2024 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
https://www.apache.org/licenses/LICENSE-2.0
*/
#define AFL_MAIN
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include "common.h"
#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"
#include "llvm-alternative-coverage.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <limits.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#if (LLVM_MAJOR - 0 == 0)
#undef LLVM_MAJOR
#endif
#if !defined(LLVM_MAJOR)
#define LLVM_MAJOR 0
#endif
#if (LLVM_MINOR - 0 == 0)
#undef LLVM_MINOR
#endif
#if !defined(LLVM_MINOR)
#define LLVM_MINOR 0
#endif
#ifndef MAX_PARAMS_NUM
#define MAX_PARAMS_NUM 2048
#endif
/** Global declarations -----BEGIN----- **/
typedef enum {
PARAM_MISS, // not matched
PARAM_SCAN, // scan only
PARAM_KEEP, // kept as-is
PARAM_DROP, // ignored
} param_st;
typedef enum {
INSTRUMENT_DEFAULT = 0,
INSTRUMENT_CLASSIC = 1,
INSTRUMENT_AFL = 1,
INSTRUMENT_PCGUARD = 2,
INSTRUMENT_CFG = 3,
INSTRUMENT_LTO = 4,
INSTRUMENT_LLVMNATIVE = 5,
INSTRUMENT_GCC = 6,
INSTRUMENT_CLANG = 7,
INSTRUMENT_OPT_CTX = 8,
INSTRUMENT_OPT_NGRAM = 16,
INSTRUMENT_OPT_CALLER = 32,
INSTRUMENT_OPT_CTX_K = 64,
INSTRUMENT_OPT_CODECOV = 128,
} instrument_mode_id;
typedef enum {
UNSET = 0,
LTO = 1,
LLVM = 2,
GCC_PLUGIN = 3,
GCC = 4,
CLANG = 5
} compiler_mode_id;
static u8 cwd[4096];
char instrument_mode_string[18][18] = {
"DEFAULT",
"CLASSIC",
"PCGUARD",
"CFG",
"LTO",
"PCGUARD-NATIVE",
"GCC",
"CLANG",
"CTX",
"CALLER",
"",
"",
"",
"",
"",
"",
"NGRAM",
""
};
char compiler_mode_string[7][12] = {
"AUTOSELECT", "LLVM-LTO", "LLVM", "GCC_PLUGIN",
"GCC", "CLANG", ""
};
u8 *instrument_mode_2str(instrument_mode_id i) {
return instrument_mode_string[i];
}
u8 *compiler_mode_2str(compiler_mode_id i) {
return compiler_mode_string[i];
}
u8 *getthecwd() {
if (getcwd(cwd, sizeof(cwd)) == NULL) {
static u8 fail[] = "";
return fail;
}
return cwd;
}
typedef struct aflcc_state {
u8 **cc_params; /* Parameters passed to the real CC */
u32 cc_par_cnt; /* Param count, including argv0 */
u8 *argv0; /* Original argv0 (by strdup) */
u8 *callname; /* Executable file argv0 indicated */
u8 debug;
u8 compiler_mode, plusplus_mode, lto_mode;
u8 *lto_flag;
u8 instrument_mode, instrument_opt_mode, ngram_size, ctx_k;
u8 cmplog_mode;
u8 have_instr_env, have_gcc, have_clang, have_llvm, have_gcc_plugin, have_lto,
have_optimized_pcguard, have_instr_list;
u8 fortify_set, x_set, bit_mode, preprocessor_only, have_unroll, have_o,
have_pic, have_c, shared_linking, partial_linking, non_dash, have_fp,
have_flto, have_hidden, have_fortify, have_fcf, have_staticasan,
have_rust_asanrt, have_asan, have_msan, have_ubsan, have_lsan, have_tsan,
have_cfisan;
// u8 *march_opt;
u8 need_aflpplib;
int passthrough;
u8 use_stdin; /* dummy */
u8 *argvnull; /* dummy */
} aflcc_state_t;
void aflcc_state_init(aflcc_state_t *, u8 *argv0);
u8 *find_object(aflcc_state_t *, u8 *obj);
void find_built_deps(aflcc_state_t *);
/* Insert param into the new argv, raise error if MAX_PARAMS_NUM exceeded. */
static inline void insert_param(aflcc_state_t *aflcc, u8 *param) {
if (unlikely(aflcc->cc_par_cnt + 1 >= MAX_PARAMS_NUM))
FATAL("Too many command line parameters, please increase MAX_PARAMS_NUM.");
aflcc->cc_params[aflcc->cc_par_cnt++] = param;
}
/*
Insert a param which contains path to the object file. It uses find_object to
get the path based on the name `obj`, and then uses a sprintf like method to
format it with `fmt`. If `fmt` is NULL, the inserted arg is same as the path.
If `msg` provided, it should be an error msg raised if the path can't be
found. `obj` must not be NULL.
*/
static inline void insert_object(aflcc_state_t *aflcc, u8 *obj, u8 *fmt,
u8 *msg) {
u8 *_obj_path = find_object(aflcc, obj);
if (!_obj_path) {
if (msg)
FATAL("%s", msg);
else
FATAL("Unable to find '%s'", obj);
} else {
if (fmt) {
u8 *_obj_path_fmt = alloc_printf(fmt, _obj_path);
ck_free(_obj_path);
aflcc->cc_params[aflcc->cc_par_cnt++] = _obj_path_fmt;
} else {
aflcc->cc_params[aflcc->cc_par_cnt++] = _obj_path;
}
}
}
/* Insert params into the new argv, make clang load the pass. */
static inline void load_llvm_pass(aflcc_state_t *aflcc, u8 *pass) {
#if LLVM_MAJOR >= 11 /* use new pass manager */
#if LLVM_MAJOR < 16
insert_param(aflcc, "-fexperimental-new-pass-manager");
#endif
insert_object(aflcc, pass, "-fpass-plugin=%s", 0);
#else
insert_param(aflcc, "-Xclang");
insert_param(aflcc, "-load");
insert_param(aflcc, "-Xclang");
insert_object(aflcc, pass, 0, 0);
#endif
}
static inline void debugf_args(int argc, char **argv) {
DEBUGF("cd '%s';", getthecwd());
for (int i = 0; i < argc; i++)
SAYF(" '%s'", argv[i]);
SAYF("\n");
fflush(stdout);
fflush(stderr);
}
void compiler_mode_by_callname(aflcc_state_t *);
void compiler_mode_by_environ(aflcc_state_t *);
void compiler_mode_by_cmdline(aflcc_state_t *, int argc, char **argv);
void instrument_mode_by_environ(aflcc_state_t *);
void mode_final_checkout(aflcc_state_t *, int argc, char **argv);
void mode_notification(aflcc_state_t *);
void add_real_argv0(aflcc_state_t *);
void add_defs_common(aflcc_state_t *);
void add_defs_selective_instr(aflcc_state_t *);
void add_defs_persistent_mode(aflcc_state_t *);
void add_defs_fortify(aflcc_state_t *, u8);
void add_defs_lsan_ctrl(aflcc_state_t *);
param_st parse_fsanitize(aflcc_state_t *, u8 *, u8);
void add_sanitizers(aflcc_state_t *, char **envp);
void add_optimized_pcguard(aflcc_state_t *);
void add_native_pcguard(aflcc_state_t *);
void add_assembler(aflcc_state_t *);
void add_gcc_plugin(aflcc_state_t *);
param_st parse_misc_params(aflcc_state_t *, u8 *, u8);
void add_misc_params(aflcc_state_t *);
param_st parse_linking_params(aflcc_state_t *, u8 *, u8, u8 *skip_next,
char **argv);
void add_lto_linker(aflcc_state_t *);
void add_lto_passes(aflcc_state_t *);
void add_runtime(aflcc_state_t *);
/** Global declarations -----END----- **/
/*
Init global state struct. We also extract the callname,
check debug options and if in C++ mode here.
*/
void aflcc_state_init(aflcc_state_t *aflcc, u8 *argv0) {
// Default NULL/0 is a good start
memset(aflcc, 0, sizeof(aflcc_state_t));
aflcc->cc_params = ck_alloc(MAX_PARAMS_NUM * sizeof(u8 *));
aflcc->cc_par_cnt = 1;
aflcc->lto_flag = AFL_CLANG_FLTO;
// aflcc->march_opt = CFLAGS_OPT;
/* callname & if C++ mode */
aflcc->argv0 = ck_strdup(argv0);
char *cname = NULL;
if ((cname = strrchr(aflcc->argv0, '/')) != NULL) {
cname++;
} else {
cname = aflcc->argv0;
}
aflcc->callname = cname;
if (strlen(cname) > 2 && (strncmp(cname + strlen(cname) - 2, "++", 2) == 0 ||
strstr(cname, "-g++") != NULL)) {
aflcc->plusplus_mode = 1;
}
/* debug */
if (getenv("AFL_DEBUG")) {
aflcc->debug = 1;
if (strcmp(getenv("AFL_DEBUG"), "0") == 0) unsetenv("AFL_DEBUG");
} else if (getenv("AFL_QUIET")) {
be_quiet = 1;
}
if ((getenv("AFL_PASSTHROUGH") || getenv("AFL_NOOPT")) && (!aflcc->debug)) {
be_quiet = 1;
}
}
/*
Try to find a specific runtime we need, in here:
1. firstly we check the $AFL_PATH environment variable location if set
2. next we check argv[0] if it has path information and use it
a) we also check ../lib/afl
3. if 2. failed we check /proc (only Linux, Android, NetBSD, DragonFly, and
FreeBSD with procfs)
a) and check here in ../lib/afl too
4. we look into the AFL_PATH define (usually /usr/local/lib/afl)
5. we finally try the current directory
if all these attempts fail - we return NULL and the caller has to decide
what to do. Otherwise the path to obj would be allocated and returned.
*/
u8 *find_object(aflcc_state_t *aflcc, u8 *obj) {
u8 *argv0 = aflcc->argv0;
u8 *afl_path = getenv("AFL_PATH");
u8 *slash = NULL, *tmp;
if (afl_path) {
tmp = alloc_printf("%s/%s", afl_path, obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) { return tmp; }
ck_free(tmp);
}
if (argv0) {
slash = strrchr(argv0, '/');
if (slash) {
u8 *dir = ck_strdup(argv0);
slash = strrchr(dir, '/');
*slash = 0;
tmp = alloc_printf("%s/%s", dir, obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) {
ck_free(dir);
return tmp;
}
ck_free(tmp);
tmp = alloc_printf("%s/../lib/afl/%s", dir, obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) {
ck_free(dir);
return tmp;
}
ck_free(tmp);
ck_free(dir);
}
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__linux__) || \
defined(__ANDROID__) || defined(__NetBSD__)
#define HAS_PROC_FS 1
#endif
#ifdef HAS_PROC_FS
else {
char *procname = NULL;
#if defined(__FreeBSD__) || defined(__DragonFly__)
procname = "/proc/curproc/file";
#elif defined(__linux__) || defined(__ANDROID__)
procname = "/proc/self/exe";
#elif defined(__NetBSD__)
procname = "/proc/curproc/exe";
#endif
if (procname) {
char exepath[PATH_MAX];
ssize_t exepath_len = readlink(procname, exepath, sizeof(exepath));
if (exepath_len > 0 && exepath_len < PATH_MAX) {
exepath[exepath_len] = 0;
slash = strrchr(exepath, '/');
if (slash) {
*slash = 0;
tmp = alloc_printf("%s/%s", exepath, obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) { return tmp; }
ck_free(tmp);
tmp = alloc_printf("%s/../lib/afl/%s", exepath, obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) { return tmp; }
ck_free(tmp);
}
}
}
}
#endif
#undef HAS_PROC_FS
}
tmp = alloc_printf("%s/%s", AFL_PATH, obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) { return tmp; }
ck_free(tmp);
tmp = alloc_printf("./%s", obj);
if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
if (!access(tmp, R_OK)) { return tmp; }
ck_free(tmp);
if (aflcc->debug) DEBUGF("Trying ... giving up\n");
return NULL;
}
/*
Deduce some info about compiler toolchains in current system,
from the building results of AFL++
*/
void find_built_deps(aflcc_state_t *aflcc) {
char *ptr = NULL;
#if defined(__x86_64__) || defined(__i386__)
if ((ptr = find_object(aflcc, "afl-as")) != NULL) {
#ifndef __APPLE__
// on OSX clang masquerades as GCC
aflcc->have_gcc = 1;
#endif
aflcc->have_clang = 1;
ck_free(ptr);
}
#endif
if ((ptr = find_object(aflcc, "SanitizerCoveragePCGUARD.so")) != NULL) {
aflcc->have_optimized_pcguard = 1;
ck_free(ptr);
}
#if (LLVM_MAJOR >= 3)
if ((ptr = find_object(aflcc, "SanitizerCoverageLTO.so")) != NULL) {
aflcc->have_lto = 1;
ck_free(ptr);
}
if ((ptr = find_object(aflcc, "cmplog-routines-pass.so")) != NULL) {
aflcc->have_llvm = 1;
ck_free(ptr);
}
#endif
#ifdef __ANDROID__
aflcc->have_llvm = 1;
#endif
if ((ptr = find_object(aflcc, "afl-gcc-pass.so")) != NULL) {
aflcc->have_gcc_plugin = 1;
ck_free(ptr);
}
#if !defined(__ANDROID__) && !defined(ANDROID)
ptr = find_object(aflcc, "afl-compiler-rt.o");
if (!ptr) {
FATAL(
"Unable to find 'afl-compiler-rt.o'. Please set the AFL_PATH "
"environment variable.");
}
if (aflcc->debug) { DEBUGF("rt=%s\n", ptr); }
ck_free(ptr);
#endif
}
/** compiler_mode & instrument_mode selecting -----BEGIN----- **/
/* Select compiler_mode by callname, such as "afl-clang-fast", etc. */
void compiler_mode_by_callname(aflcc_state_t *aflcc) {
if (strncmp(aflcc->callname, "afl-clang-fast", 14) == 0) {
/* afl-clang-fast is always created there by makefile
just like afl-clang, burdened with special purposes:
- If llvm-config is not available (i.e. LLVM_MAJOR is 0),
or too old, it falls back to LLVM-NATIVE mode and let
the actual compiler complain if doesn't work.
- Otherwise try default llvm instruments except LTO.
*/
#if (LLVM_MAJOR >= 3)
aflcc->compiler_mode = LLVM;
#else
aflcc->compiler_mode = CLANG;
#endif
} else
#if (LLVM_MAJOR >= 3)
if (strncmp(aflcc->callname, "afl-clang-lto", 13) == 0 ||
strncmp(aflcc->callname, "afl-lto", 7) == 0) {
aflcc->compiler_mode = LTO;
} else
#endif
if (strncmp(aflcc->callname, "afl-gcc-fast", 12) == 0 ||
strncmp(aflcc->callname, "afl-g++-fast", 12) == 0) {
aflcc->compiler_mode = GCC_PLUGIN;
} else if (strncmp(aflcc->callname, "afl-gcc", 7) == 0 ||
strncmp(aflcc->callname, "afl-g++", 7) == 0) {
aflcc->compiler_mode = GCC;
} else if (strcmp(aflcc->callname, "afl-clang") == 0 ||
strcmp(aflcc->callname, "afl-clang++") == 0) {
aflcc->compiler_mode = CLANG;
}
}
/*
Select compiler_mode by env AFL_CC_COMPILER. And passthrough mode can be
regarded as a special compiler_mode, so we check for it here, too.
*/
void compiler_mode_by_environ(aflcc_state_t *aflcc) {
if (getenv("AFL_PASSTHROUGH") || getenv("AFL_NOOPT")) {
aflcc->passthrough = 1;
}
char *ptr = getenv("AFL_CC_COMPILER");
if (!ptr) { return; }
if (aflcc->compiler_mode) {
if (!be_quiet) {
WARNF(
"\"AFL_CC_COMPILER\" is set but a specific compiler was already "
"selected by command line parameter or symlink, ignoring the "
"environment variable!");
}
} else {
if (strncasecmp(ptr, "LTO", 3) == 0) {
aflcc->compiler_mode = LTO;
} else if (strncasecmp(ptr, "LLVM", 4) == 0) {
aflcc->compiler_mode = LLVM;
} else if (strncasecmp(ptr, "GCC_P", 5) == 0 ||
strncasecmp(ptr, "GCC-P", 5) == 0 ||
strncasecmp(ptr, "GCCP", 4) == 0) {
aflcc->compiler_mode = GCC_PLUGIN;
} else if (strcasecmp(ptr, "GCC") == 0) {
aflcc->compiler_mode = GCC;
} else if (strcasecmp(ptr, "CLANG") == 0) {
aflcc->compiler_mode = CLANG;
} else
FATAL("Unknown AFL_CC_COMPILER mode: %s\n", ptr);
}
}
/*
Select compiler_mode by command line options --afl-...
If it can be inferred, instrument_mode would also be set.
This can supersedes previous result based on callname
or AFL_CC_COMPILER. And "--afl_noopt"/"--afl-noopt" will
be overwritten by "-g".
*/
void compiler_mode_by_cmdline(aflcc_state_t *aflcc, int argc, char **argv) {
char *ptr = NULL;
for (int i = 1; i < argc; i++) {
if (strncmp(argv[i], "--afl", 5) == 0) {
if (!strcmp(argv[i], "--afl_noopt") || !strcmp(argv[i], "--afl-noopt")) {
aflcc->passthrough = 1;
argv[i] = "-g"; // we have to overwrite it, -g is always good
continue;
}
if (aflcc->compiler_mode && !be_quiet) {
WARNF(
"--afl-... compiler mode supersedes the AFL_CC_COMPILER and "
"symlink compiler selection!");
}
ptr = argv[i];
ptr += 5;
while (*ptr == '-')
ptr++;
if (strncasecmp(ptr, "LTO", 3) == 0) {
aflcc->compiler_mode = LTO;
} else if (strncasecmp(ptr, "LLVM", 4) == 0) {
aflcc->compiler_mode = LLVM;
} else if (strncasecmp(ptr, "PCGUARD", 7) == 0 ||
strncasecmp(ptr, "PC-GUARD", 8) == 0) {
aflcc->compiler_mode = LLVM;
aflcc->instrument_mode = INSTRUMENT_PCGUARD;
} else if (strcasecmp(ptr, "INSTRIM") == 0 ||
strcasecmp(ptr, "CFG") == 0) {
FATAL(
"InsTrim instrumentation was removed. Use a modern LLVM and "
"PCGUARD (default in afl-cc).\n");
} else if (strcasecmp(ptr, "AFL") == 0 ||
strcasecmp(ptr, "CLASSIC") == 0) {
aflcc->compiler_mode = LLVM;
aflcc->instrument_mode = INSTRUMENT_CLASSIC;
} else if (strcasecmp(ptr, "LLVMNATIVE") == 0 ||
strcasecmp(ptr, "NATIVE") == 0 ||
strcasecmp(ptr, "LLVM-NATIVE") == 0) {
aflcc->compiler_mode = LLVM;
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
} else if (strncasecmp(ptr, "GCC_P", 5) == 0 ||
strncasecmp(ptr, "GCC-P", 5) == 0 ||
strncasecmp(ptr, "GCCP", 4) == 0) {
aflcc->compiler_mode = GCC_PLUGIN;
} else if (strcasecmp(ptr, "GCC") == 0) {
aflcc->compiler_mode = GCC;
} else if (strncasecmp(ptr, "CLANG", 5) == 0) {
aflcc->compiler_mode = CLANG;
} else
FATAL("Unknown --afl-... compiler mode: %s\n", argv[i]);
}
}
}
/*
Select instrument_mode by those envs in old style:
- USE_TRACE_PC, AFL_USE_TRACE_PC, AFL_LLVM_USE_TRACE_PC, AFL_TRACE_PC
- AFL_LLVM_CALLER, AFL_LLVM_CTX, AFL_LLVM_CTX_K
- AFL_LLVM_NGRAM_SIZE
*/
static void instrument_mode_old_environ(aflcc_state_t *aflcc) {
if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") ||
getenv("INSTRIM_LIB")) {
FATAL(
"InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD "
"(default in afl-cc).\n");
}
if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") ||
getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) {
if (aflcc->instrument_mode == 0)
aflcc->instrument_mode = INSTRUMENT_PCGUARD;
else if (aflcc->instrument_mode != INSTRUMENT_PCGUARD)
FATAL("you cannot set AFL_LLVM_INSTRUMENT and AFL_TRACE_PC together");
}
if (getenv("AFL_LLVM_CTX")) aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CTX;
if (getenv("AFL_LLVM_CALLER") || getenv("AFL_LLVM_LTO_CALLER") ||
getenv("AFL_LLVM_LTO_CTX"))
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CALLER;
if (getenv("AFL_LLVM_NGRAM_SIZE")) {
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_NGRAM;
aflcc->ngram_size = atoi(getenv("AFL_LLVM_NGRAM_SIZE"));
if (aflcc->ngram_size < 2 || aflcc->ngram_size > NGRAM_SIZE_MAX)
FATAL(
"NGRAM instrumentation mode must be between 2 and NGRAM_SIZE_MAX "
"(%u)",
NGRAM_SIZE_MAX);
}
if (getenv("AFL_LLVM_CTX_K")) {
aflcc->ctx_k = atoi(getenv("AFL_LLVM_CTX_K"));
if (aflcc->ctx_k < 1 || aflcc->ctx_k > CTX_MAX_K)
FATAL("K-CTX instrumentation mode must be between 1 and CTX_MAX_K (%u)",
CTX_MAX_K);
if (aflcc->ctx_k == 1) {
setenv("AFL_LLVM_CALLER", "1", 1);
unsetenv("AFL_LLVM_CTX_K");
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CALLER;
} else {
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CTX_K;
}
}
}
/*
Select instrument_mode by env 'AFL_LLVM_INSTRUMENT'.
Previous compiler_mode will be superseded, if required by some
values of instrument_mode.
*/
static void instrument_mode_new_environ(aflcc_state_t *aflcc) {
if (!getenv("AFL_LLVM_INSTRUMENT")) { return; }
u8 *ptr2 = strtok(getenv("AFL_LLVM_INSTRUMENT"), ":,;");
while (ptr2) {
if (strncasecmp(ptr2, "afl", strlen("afl")) == 0 ||
strncasecmp(ptr2, "classic", strlen("classic")) == 0) {
if (aflcc->instrument_mode == INSTRUMENT_LTO) {
aflcc->instrument_mode = INSTRUMENT_CLASSIC;
aflcc->lto_mode = 1;
} else if (!aflcc->instrument_mode ||
aflcc->instrument_mode == INSTRUMENT_AFL) {
aflcc->instrument_mode = INSTRUMENT_AFL;
} else {
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
}
}
if (strncasecmp(ptr2, "pc-guard", strlen("pc-guard")) == 0 ||
strncasecmp(ptr2, "pcguard", strlen("pcguard")) == 0) {
if (!aflcc->instrument_mode ||
aflcc->instrument_mode == INSTRUMENT_PCGUARD)
aflcc->instrument_mode = INSTRUMENT_PCGUARD;
else
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
}
if (strncasecmp(ptr2, "llvmnative", strlen("llvmnative")) == 0 ||
strncasecmp(ptr2, "llvm-native", strlen("llvm-native")) == 0 ||
strncasecmp(ptr2, "native", strlen("native")) == 0) {
if (!aflcc->instrument_mode ||
aflcc->instrument_mode == INSTRUMENT_LLVMNATIVE)
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
else
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
}
if (strncasecmp(ptr2, "llvmcodecov", strlen("llvmcodecov")) == 0 ||
strncasecmp(ptr2, "llvm-codecov", strlen("llvm-codecov")) == 0) {
if (!aflcc->instrument_mode ||
aflcc->instrument_mode == INSTRUMENT_LLVMNATIVE) {
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CODECOV;
} else {
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
}
}
if (strncasecmp(ptr2, "cfg", strlen("cfg")) == 0 ||
strncasecmp(ptr2, "instrim", strlen("instrim")) == 0) {
FATAL(
"InsTrim instrumentation was removed. Use a modern LLVM and "
"PCGUARD (default in afl-cc).\n");
}
if (strncasecmp(ptr2, "lto", strlen("lto")) == 0) {
aflcc->lto_mode = 1;
if (!aflcc->instrument_mode || aflcc->instrument_mode == INSTRUMENT_LTO)
aflcc->instrument_mode = INSTRUMENT_LTO;
else
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
}
if (strcasecmp(ptr2, "gcc") == 0) {
if (!aflcc->instrument_mode || aflcc->instrument_mode == INSTRUMENT_GCC)
aflcc->instrument_mode = INSTRUMENT_GCC;
else if (aflcc->instrument_mode != INSTRUMENT_GCC)
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
aflcc->compiler_mode = GCC;
}
if (strcasecmp(ptr2, "clang") == 0) {
if (!aflcc->instrument_mode || aflcc->instrument_mode == INSTRUMENT_CLANG)
aflcc->instrument_mode = INSTRUMENT_CLANG;
else if (aflcc->instrument_mode != INSTRUMENT_CLANG)
FATAL("main instrumentation mode already set with %s",
instrument_mode_2str(aflcc->instrument_mode));
aflcc->compiler_mode = CLANG;
}
if (strncasecmp(ptr2, "ctx-", strlen("ctx-")) == 0 ||
strncasecmp(ptr2, "kctx-", strlen("c-ctx-")) == 0 ||
strncasecmp(ptr2, "k-ctx-", strlen("k-ctx-")) == 0) {
u8 *ptr3 = ptr2;
while (*ptr3 && (*ptr3 < '0' || *ptr3 > '9'))
ptr3++;
if (!*ptr3) {
if ((ptr3 = getenv("AFL_LLVM_CTX_K")) == NULL)
FATAL(
"you must set the K-CTX K with (e.g. for value 2) "
"AFL_LLVM_INSTRUMENT=ctx-2");
}
aflcc->ctx_k = atoi(ptr3);
if (aflcc->ctx_k < 1 || aflcc->ctx_k > CTX_MAX_K)
FATAL(
"K-CTX instrumentation option must be between 1 and CTX_MAX_K "
"(%u)",
CTX_MAX_K);
if (aflcc->ctx_k == 1) {
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CALLER;
setenv("AFL_LLVM_CALLER", "1", 1);
unsetenv("AFL_LLVM_CTX_K");
} else {
aflcc->instrument_opt_mode |= (INSTRUMENT_OPT_CTX_K);
u8 *ptr4 = alloc_printf("%u", aflcc->ctx_k);
setenv("AFL_LLVM_CTX_K", ptr4, 1);
}
}
if (strcasecmp(ptr2, "ctx") == 0) {
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CTX;
setenv("AFL_LLVM_CTX", "1", 1);
}
if (strncasecmp(ptr2, "caller", strlen("caller")) == 0) {
aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CALLER;
setenv("AFL_LLVM_CALLER", "1", 1);
}
if (strncasecmp(ptr2, "ngram", strlen("ngram")) == 0) {
u8 *ptr3 = ptr2 + strlen("ngram");
while (*ptr3 && (*ptr3 < '0' || *ptr3 > '9')) {
ptr3++;
}
if (!*ptr3) {
if ((ptr3 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL)
FATAL(
"you must set the NGRAM size with (e.g. for value 2) "
"AFL_LLVM_INSTRUMENT=ngram-2");
}
aflcc->ngram_size = atoi(ptr3);
if (aflcc->ngram_size < 2 || aflcc->ngram_size > NGRAM_SIZE_MAX) {
FATAL(
"NGRAM instrumentation option must be between 2 and "
"NGRAM_SIZE_MAX (%u)",
NGRAM_SIZE_MAX);
}
aflcc->instrument_opt_mode |= (INSTRUMENT_OPT_NGRAM);
u8 *ptr4 = alloc_printf("%u", aflcc->ngram_size);
setenv("AFL_LLVM_NGRAM_SIZE", ptr4, 1);
}
ptr2 = strtok(NULL, ":,;");
}
}
/*
Select instrument_mode by envs, the top wrapper. We check
have_instr_env firstly, then call instrument_mode_old_environ
and instrument_mode_new_environ sequentially.
*/
void instrument_mode_by_environ(aflcc_state_t *aflcc) {
if (getenv("AFL_LLVM_INSTRUMENT_FILE") || getenv("AFL_LLVM_WHITELIST") ||
getenv("AFL_LLVM_ALLOWLIST") || getenv("AFL_LLVM_DENYLIST") ||
getenv("AFL_LLVM_BLOCKLIST")) {
aflcc->have_instr_env = 1;
}
if (aflcc->have_instr_env && getenv("AFL_DONT_OPTIMIZE") && !be_quiet) {
WARNF(
"AFL_LLVM_ALLOWLIST/DENYLIST and AFL_DONT_OPTIMIZE cannot be combined "
"for file matching, only function matching!");
}
instrument_mode_old_environ(aflcc);
instrument_mode_new_environ(aflcc);
}
/*
Workaround to ensure CALLER, CTX, K-CTX and NGRAM
instrumentation were used correctly.
*/
static void instrument_opt_mode_exclude(aflcc_state_t *aflcc) {
if ((aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX) &&
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CALLER)) {
FATAL("you cannot set CTX and CALLER together");
}
if ((aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX) &&
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX_K)) {
FATAL("you cannot set CTX and K-CTX together");
}
if ((aflcc->instrument_opt_mode & INSTRUMENT_OPT_CALLER) &&
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX_K)) {
FATAL("you cannot set CALLER and K-CTX together");
}
if (aflcc->instrument_opt_mode && aflcc->compiler_mode != LLVM &&
!((aflcc->instrument_opt_mode & INSTRUMENT_OPT_CALLER) &&
aflcc->compiler_mode == LTO))
FATAL("CTX, CALLER and NGRAM can only be used in LLVM mode");
if (aflcc->instrument_opt_mode &&
aflcc->instrument_opt_mode != INSTRUMENT_OPT_CODECOV &&
aflcc->instrument_mode != INSTRUMENT_CLASSIC &&
!(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CALLER &&
aflcc->compiler_mode == LTO))
FATAL(
"CALLER, CTX and NGRAM instrumentation options can only be used with "
"the LLVM CLASSIC instrumentation mode.");
}
/*
Last step of compiler_mode & instrument_mode selecting.
We have a few of workarounds here, to check any corner cases,
prepare for a series of fallbacks, and raise warnings or errors.
*/
void mode_final_checkout(aflcc_state_t *aflcc, int argc, char **argv) {
if (aflcc->instrument_opt_mode &&
aflcc->instrument_mode == INSTRUMENT_DEFAULT &&
(aflcc->compiler_mode == LLVM || aflcc->compiler_mode == UNSET)) {
aflcc->instrument_mode = INSTRUMENT_CLASSIC;
aflcc->compiler_mode = LLVM;
}
if (!aflcc->compiler_mode) {
// lto is not a default because outside of afl-cc RANLIB and AR have to
// be set to LLVM versions so this would work
if (aflcc->have_llvm)
aflcc->compiler_mode = LLVM;
else if (aflcc->have_gcc_plugin)
aflcc->compiler_mode = GCC_PLUGIN;
else if (aflcc->have_gcc)
aflcc->compiler_mode = GCC;
else if (aflcc->have_clang)
aflcc->compiler_mode = CLANG;
else if (aflcc->have_lto)
aflcc->compiler_mode = LTO;
else
FATAL("no compiler mode available");
}
switch (aflcc->compiler_mode) {
case GCC:
if (!aflcc->have_gcc) FATAL("afl-gcc is not available on your platform!");
break;
case CLANG:
if (!aflcc->have_clang)
FATAL("afl-clang is not available on your platform!");
break;
case LLVM:
if (!aflcc->have_llvm)
FATAL(
"LLVM mode is not available, please install LLVM 13+ and recompile "
"AFL++");
break;
case GCC_PLUGIN:
if (!aflcc->have_gcc_plugin)
FATAL(
"GCC_PLUGIN mode is not available, install gcc plugin support and "
"recompile AFL++");
break;
case LTO:
if (!aflcc->have_lto)
FATAL(
"LTO mode is not available, please install LLVM 13+ and lld of the "
"same version and recompile AFL++");
break;
default:
FATAL("no compiler mode available");
}
if (aflcc->compiler_mode == GCC) { aflcc->instrument_mode = INSTRUMENT_GCC; }
if (aflcc->compiler_mode == CLANG) {
/* if our PCGUARD implementation is not available then silently switch to
native LLVM PCGUARD. Or classic asm instrument is explicitly preferred. */
if (!aflcc->have_optimized_pcguard &&
(aflcc->instrument_mode == INSTRUMENT_DEFAULT ||
aflcc->instrument_mode == INSTRUMENT_PCGUARD)) {
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
} else {
aflcc->instrument_mode = INSTRUMENT_CLANG;
setenv(CLANG_ENV_VAR, "1", 1); // used by afl-as
}
}
if (aflcc->compiler_mode == LTO) {
if (aflcc->instrument_mode == 0 ||
aflcc->instrument_mode == INSTRUMENT_LTO ||
aflcc->instrument_mode == INSTRUMENT_CFG ||
aflcc->instrument_mode == INSTRUMENT_PCGUARD) {
aflcc->lto_mode = 1;
aflcc->instrument_mode = INSTRUMENT_PCGUARD;
} else if (aflcc->instrument_mode == INSTRUMENT_CLASSIC) {
aflcc->lto_mode = 1;
} else {
if (!be_quiet) {
WARNF("afl-clang-lto called with mode %s, using that mode instead",
instrument_mode_2str(aflcc->instrument_mode));
}
}
}
if (aflcc->instrument_mode == 0 && aflcc->compiler_mode < GCC_PLUGIN) {
#if LLVM_MAJOR >= 7
#if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)
if (aflcc->have_instr_env) {
aflcc->instrument_mode = INSTRUMENT_AFL;
if (!be_quiet) {
WARNF(
"Switching to classic instrumentation because "
"AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD < 10.0.1.");
}
} else
#endif
aflcc->instrument_mode = INSTRUMENT_PCGUARD;
#else
aflcc->instrument_mode = INSTRUMENT_AFL;
#endif
}
if (!aflcc->instrument_opt_mode && aflcc->lto_mode &&
aflcc->instrument_mode == INSTRUMENT_CFG) {
aflcc->instrument_mode = INSTRUMENT_PCGUARD;
}
#ifndef AFL_CLANG_FLTO
if (aflcc->lto_mode)
FATAL(
"instrumentation mode LTO specified but LLVM support not available "
"(requires LLVM 11 or higher)");
#endif
if (aflcc->lto_mode) {
if (aflcc->lto_flag[0] != '-')
FATAL(
"Using afl-clang-lto is not possible because Makefile magic did not "
"identify the correct -flto flag");
else
aflcc->compiler_mode = LTO;
}
if (getenv("AFL_LLVM_SKIP_NEVERZERO") && getenv("AFL_LLVM_NOT_ZERO"))
FATAL(
"AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set "
"together");
#if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)
if (aflcc->instrument_mode == INSTRUMENT_PCGUARD && aflcc->have_instr_env) {
FATAL(
"Instrumentation type PCGUARD does not support "
"AFL_LLVM_ALLOWLIST/DENYLIST! Use LLVM 10.0.1+ instead.");
}
#endif
instrument_opt_mode_exclude(aflcc);
u8 *ptr2;
if ((ptr2 = getenv("AFL_LLVM_DICT2FILE")) != NULL && *ptr2 != '/')
FATAL("AFL_LLVM_DICT2FILE must be set to an absolute file path");
if (getenv("AFL_LLVM_LAF_ALL")) {
setenv("AFL_LLVM_LAF_SPLIT_SWITCHES", "1", 1);
setenv("AFL_LLVM_LAF_SPLIT_COMPARES", "1", 1);
setenv("AFL_LLVM_LAF_SPLIT_FLOATS", "1", 1);
setenv("AFL_LLVM_LAF_TRANSFORM_COMPARES", "1", 1);
}
if (getenv("AFL_LLVM_DICT2FILE") &&
(getenv("AFL_LLVM_LAF_SPLIT_SWITCHES") ||
getenv("AFL_LLVM_LAF_SPLIT_COMPARES") ||
getenv("AFL_LLVM_LAF_SPLIT_FLOATS") ||
getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")))
FATAL("AFL_LLVM_DICT2FILE is incompatible with AFL_LLVM_LAF_*");
aflcc->cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG") ||
getenv("AFL_GCC_CMPLOG");
}
/*
Print welcome message on screen, giving brief notes about
compiler_mode and instrument_mode.
*/
void mode_notification(aflcc_state_t *aflcc) {
char *ptr2 = alloc_printf(" + NGRAM-%u", aflcc->ngram_size);
char *ptr3 = alloc_printf(" + K-CTX-%u", aflcc->ctx_k);
char *ptr1 = alloc_printf(
"%s%s%s%s%s", instrument_mode_2str(aflcc->instrument_mode),
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX) ? " + CTX" : "",
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CALLER) ? " + CALLER" : "",
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_NGRAM) ? ptr2 : "",
(aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX_K) ? ptr3 : "");
ck_free(ptr2);
ck_free(ptr3);
if ((isatty(2) && !be_quiet) || aflcc->debug) {
SAYF(cCYA
"afl-cc" VERSION cRST
" by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: %s-%s\n",
compiler_mode_2str(aflcc->compiler_mode), ptr1);
}
ck_free(ptr1);
if (!be_quiet &&
(aflcc->compiler_mode == GCC || aflcc->compiler_mode == CLANG)) {
WARNF(
"You are using outdated instrumentation, install LLVM and/or "
"gcc-plugin and use afl-clang-fast/afl-clang-lto/afl-gcc-fast "
"instead!");
}
}
/*
Set argv[0] required by execvp. It can be
- specified by env AFL_CXX
- g++ or clang++
- CLANGPP_BIN or LLVM_BINDIR/clang++
when in C++ mode, or
- specified by env AFL_CC
- gcc or clang
- CLANG_BIN or LLVM_BINDIR/clang
otherwise.
*/
void add_real_argv0(aflcc_state_t *aflcc) {
static u8 llvm_fullpath[PATH_MAX];
if (aflcc->plusplus_mode) {
u8 *alt_cxx = getenv("AFL_CXX");
if (!alt_cxx) {
if (aflcc->compiler_mode == GCC || aflcc->compiler_mode == GCC_PLUGIN) {
alt_cxx = "g++";
} else if (aflcc->compiler_mode == CLANG) {
alt_cxx = "clang++";
} else {
if (USE_BINDIR)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++",
LLVM_BINDIR);
else
snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANGPP_BIN);
alt_cxx = llvm_fullpath;
}
}
aflcc->cc_params[0] = alt_cxx;
} else {
u8 *alt_cc = getenv("AFL_CC");
if (!alt_cc) {
if (aflcc->compiler_mode == GCC || aflcc->compiler_mode == GCC_PLUGIN) {
alt_cc = "gcc";
} else if (aflcc->compiler_mode == CLANG) {
alt_cc = "clang";
} else {
if (USE_BINDIR)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang",
LLVM_BINDIR);
else
snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANG_BIN);
alt_cc = llvm_fullpath;
}
}
aflcc->cc_params[0] = alt_cc;
}
}
/** compiler_mode & instrument_mode selecting -----END----- **/
/** Macro defs for the preprocessor -----BEGIN----- **/
void add_defs_common(aflcc_state_t *aflcc) {
insert_param(aflcc, "-D__AFL_COMPILER=1");
insert_param(aflcc, "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1");
}
/*
__afl_coverage macro defs. See
instrumentation/README.instrument_list.md#
2-selective-instrumentation-with-_afl_coverage-directives
*/
void add_defs_selective_instr(aflcc_state_t *aflcc) {
if (aflcc->plusplus_mode) {
insert_param(aflcc,
"-D__AFL_COVERAGE()=int __afl_selective_coverage = 1;"
"extern \"C\" void __afl_coverage_discard();"
"extern \"C\" void __afl_coverage_skip();"
"extern \"C\" void __afl_coverage_on();"
"extern \"C\" void __afl_coverage_off();");
} else {
insert_param(aflcc,
"-D__AFL_COVERAGE()=int __afl_selective_coverage = 1;"
"void __afl_coverage_discard();"
"void __afl_coverage_skip();"
"void __afl_coverage_on();"
"void __afl_coverage_off();");
}
insert_param(
aflcc,
"-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = "
"1;");
insert_param(aflcc, "-D__AFL_COVERAGE_ON()=__afl_coverage_on()");
insert_param(aflcc, "-D__AFL_COVERAGE_OFF()=__afl_coverage_off()");
insert_param(aflcc, "-D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard()");
insert_param(aflcc, "-D__AFL_COVERAGE_SKIP()=__afl_coverage_skip()");
}
/*
Macro defs for persistent mode. As documented in
instrumentation/README.persistent_mode.md, deferred forkserver initialization
and persistent mode are not available in afl-gcc and afl-clang.
*/
void add_defs_persistent_mode(aflcc_state_t *aflcc) {
if (aflcc->compiler_mode == GCC || aflcc->compiler_mode == CLANG) return;
insert_param(aflcc, "-D__AFL_HAVE_MANUAL_CONTROL=1");
/* When the user tries to use persistent or deferred forkserver modes by
appending a single line to the program, we want to reliably inject a
signature into the binary (to be picked up by afl-fuzz) and we want
to call a function from the runtime .o file. This is unnecessarily
painful for three reasons:
1) We need to convince the compiler not to optimize out the signature.
This is done with __attribute__((used)).
2) We need to convince the linker, when called with -Wl,--gc-sections,
not to do the same. This is done by forcing an assignment to a
'volatile' pointer.
3) We need to declare __afl_persistent_loop() in the global namespace,
but doing this within a method in a class is hard - :: and extern "C"
are forbidden and __attribute__((alias(...))) doesn't work. Hence the
__asm__ aliasing trick.
*/
insert_param(aflcc,
"-D__AFL_FUZZ_INIT()="
"int __afl_sharedmem_fuzzing = 1;"
"extern __attribute__((visibility(\"default\"))) "
"unsigned int *__afl_fuzz_len;"
"extern __attribute__((visibility(\"default\"))) "
"unsigned char *__afl_fuzz_ptr;"
"unsigned char __afl_fuzz_alt[1048576];"
"unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;");
insert_param(aflcc,
"-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : "
"__afl_fuzz_alt_ptr)");
insert_param(
aflcc,
"-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : "
"(*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1048576)) == 0xffffffff "
"? 0 : *__afl_fuzz_len)");
insert_param(
aflcc,
"-D__AFL_LOOP(_A)="
"({ static volatile const char *_B __attribute__((used,unused)); "
" _B = (const char*)\"" PERSIST_SIG
"\"; "
"extern __attribute__((visibility(\"default\"))) int __afl_connected;"
#ifdef __APPLE__
"__attribute__((visibility(\"default\"))) "
"int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
#else
"__attribute__((visibility(\"default\"))) "
"int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
#endif /* ^__APPLE__ */
// if afl is connected, we run _A times, else once.
"_L(__afl_connected ? _A : 1); })");
insert_param(
aflcc,
"-D__AFL_INIT()="
"do { static volatile const char *_A __attribute__((used,unused)); "
" _A = (const char*)\"" DEFER_SIG
"\"; "
#ifdef __APPLE__
"__attribute__((visibility(\"default\"))) "
"void _I(void) __asm__(\"___afl_manual_init\"); "
#else
"__attribute__((visibility(\"default\"))) "
"void _I(void) __asm__(\"__afl_manual_init\"); "
#endif /* ^__APPLE__ */
"_I(); } while (0)");
}
/*
Control macro def of _FORTIFY_SOURCE. It will do nothing
if we detect this routine has been called previously, or
the macro already here in these existing args.
*/
void add_defs_fortify(aflcc_state_t *aflcc, u8 action) {
if (aflcc->have_fortify) { return; }
switch (action) {
case 1:
insert_param(aflcc, "-D_FORTIFY_SOURCE=1");
break;
case 2:
insert_param(aflcc, "-D_FORTIFY_SOURCE=2");
break;
default: // OFF
insert_param(aflcc, "-U_FORTIFY_SOURCE");
break;
}
aflcc->have_fortify = 1;
}
/* Macro defs of __AFL_LEAK_CHECK, __AFL_LSAN_ON and __AFL_LSAN_OFF */
void add_defs_lsan_ctrl(aflcc_state_t *aflcc) {
insert_param(aflcc, "-includesanitizer/lsan_interface.h");
insert_param(
aflcc,
"-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) "
"_exit(23); }");
insert_param(aflcc, "-D__AFL_LSAN_OFF()=__lsan_disable();");
insert_param(aflcc, "-D__AFL_LSAN_ON()=__lsan_enable();");
}
/** Macro defs for the preprocessor -----END----- **/
/** About -fsanitize -----BEGIN----- **/
/* For input "-fsanitize=...", it:
1. may have various OOB traps :) if ... doesn't contain ',' or
the input has bad syntax such as "-fsantiz=,"
2. strips any fuzzer* in ... and writes back (may result in "-fsanitize=")
3. rets 1 if exactly "fuzzer" found, otherwise rets 0
*/
static u8 fsanitize_fuzzer_comma(char *string) {
u8 detect_single_fuzzer = 0;
char *p, *ptr = string + strlen("-fsanitize=");
// ck_alloc will check alloc failure
char *new = ck_alloc(strlen(string) + 1);
char *tmp = ck_alloc(strlen(ptr) + 1);
u32 count = 0, len, ende = 0;
strcpy(new, "-fsanitize=");
do {
p = strchr(ptr, ',');
if (!p) {
p = ptr + strlen(ptr) + 1;
ende = 1;
}
len = p - ptr;
if (len) {
strncpy(tmp, ptr, len);
tmp[len] = 0;
// fprintf(stderr, "Found: %s\n", tmp);
ptr += len + 1;
if (*tmp) {
u32 copy = 1;
if (!strcmp(tmp, "fuzzer")) {
detect_single_fuzzer = 1;
copy = 0;
} else if (!strncmp(tmp, "fuzzer", 6)) {
copy = 0;
}
if (copy) {
if (count) { strcat(new, ","); }
strcat(new, tmp);
++count;
}
}
} else {
ptr++;
}
} while (!ende);
strcpy(string, new);
ck_free(tmp);
ck_free(new);
return detect_single_fuzzer;
}
/*
Parse and process possible -fsanitize related args, return PARAM_MISS
if nothing matched. We have 3 main tasks here for these args:
- Check which one of those sanitizers present here.
- Check if libfuzzer present. We need to block the request of enable
libfuzzer, and link harness with our libAFLDriver.a later.
- Check if SanCov allow/denylist options present. We need to try switching
to LLVMNATIVE instead of using our optimized PCGUARD anyway. If we
can't make it finally for various reasons, just drop these options.
*/
param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) {
param_st final_ = PARAM_MISS;
// MACRO START
#define HAVE_SANITIZER_SCAN_KEEP(v, k) \
do { \
\
if (strstr(cur_argv, "=" STRINGIFY(k)) || \
strstr(cur_argv, "," STRINGIFY(k))) { \
\
if (scan) { \
\
aflcc->have_##v = 1; \
final_ = PARAM_SCAN; \
\
} else { \
\
final_ = PARAM_KEEP; \
\
} \
\
} \
\
} while (0)
// MACRO END
if (!strncmp(cur_argv, "-fsanitize=", strlen("-fsanitize="))) {
HAVE_SANITIZER_SCAN_KEEP(asan, address);
HAVE_SANITIZER_SCAN_KEEP(msan, memory);
HAVE_SANITIZER_SCAN_KEEP(ubsan, undefined);
HAVE_SANITIZER_SCAN_KEEP(tsan, thread);
HAVE_SANITIZER_SCAN_KEEP(lsan, leak);
HAVE_SANITIZER_SCAN_KEEP(cfisan, cfi);
}
#undef HAVE_SANITIZER_SCAN_KEEP
// We can't use a "else if" there, because some of the following
// matching rules overlap with those in the if-statement above.
if (!strcmp(cur_argv, "-fsanitize=fuzzer")) {
if (scan) {
aflcc->need_aflpplib = 1;
final_ = PARAM_SCAN;
} else {
final_ = PARAM_DROP;
}
} else if (!strncmp(cur_argv, "-fsanitize=", strlen("-fsanitize=")) &&
strchr(cur_argv, ',') &&
!strstr(cur_argv, "=,")) { // avoid OOB errors
if (scan) {
u8 *cur_argv_ = ck_strdup(cur_argv);
if (fsanitize_fuzzer_comma(cur_argv_)) {
aflcc->need_aflpplib = 1;
final_ = PARAM_SCAN;
}
ck_free(cur_argv_);
} else {
fsanitize_fuzzer_comma(cur_argv);
if (!cur_argv || strlen(cur_argv) <= strlen("-fsanitize="))
final_ = PARAM_DROP; // this means it only has "fuzzer" previously.
}
} else if (!strncmp(cur_argv, "-fsanitize-coverage-", 20) &&
strstr(cur_argv, "list=")) {
if (scan) {
aflcc->have_instr_list = 1;
final_ = PARAM_SCAN;
} else {
if (aflcc->instrument_mode != INSTRUMENT_LLVMNATIVE) {
if (!be_quiet) { WARNF("Found '%s' - stripping!", cur_argv); }
final_ = PARAM_DROP;
} else {
final_ = PARAM_KEEP;
}
}
}
if (final_ == PARAM_KEEP) insert_param(aflcc, cur_argv);
return final_;
}
/*
Add params for sanitizers. Here we need to consider:
- Use static runtime for asan, as much as possible.
- ASAN, MSAN, AFL_HARDEN are mutually exclusive.
- Add options if not found there, on request of AFL_USE_ASAN, AFL_USE_MSAN,
etc.
- Update have_* so that functions called after this can have correct context.
However this also means any functions called before should NOT depend on
these have_*, otherwise they may not work as expected.
*/
void add_sanitizers(aflcc_state_t *aflcc, char **envp) {
// 如果启用了 ASAN (地址消毒器),则进行相关配置
if (getenv("AFL_USE_ASAN") || aflcc->have_asan) {
// 如果同时启用了 MSAN (内存消毒器),则报错,因为 ASAN 和 MSAN 不能同时使用
if (getenv("AFL_USE_MSAN") || aflcc->have_msan)
FATAL("ASAN and MSAN are mutually exclusive");
// 如果启用了 AFL_HARDEN则报错因为 ASAN 和 AFL_HARDEN 不能同时使用
if (getenv("AFL_HARDEN"))
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
// 如果是 GCC 插件模式,并且没有启用静态 ASAN 库,则添加静态 ASAN 库的选项
if (aflcc->compiler_mode == GCC_PLUGIN && !aflcc->have_staticasan) {
insert_param(aflcc, "-static-libasan");
}
// 添加 fortify 配置0表示没有额外的强化
add_defs_fortify(aflcc, 0);
// 如果没有启用 ASAN则添加相应的编译选项来启用地址消毒
if (!aflcc->have_asan) {
insert_param(aflcc, "-fsanitize=address");
insert_param(aflcc, "-fno-common");
}
aflcc->have_asan = 1; // 标记已经启用了 ASAN
}
// 如果启用了 MSAN (内存消毒器),则进行相关配置
else if (getenv("AFL_USE_MSAN") || aflcc->have_msan) {
// 如果同时启用了 ASAN则报错因为 ASAN 和 MSAN 不能同时使用
if (getenv("AFL_USE_ASAN") || aflcc->have_asan)
FATAL("ASAN and MSAN are mutually exclusive");
// 如果启用了 AFL_HARDEN则报错因为 MSAN 和 AFL_HARDEN 不能同时使用
if (getenv("AFL_HARDEN"))
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
// 添加 fortify 配置0表示没有额外的强化
add_defs_fortify(aflcc, 0);
// 如果没有启用 MSAN则添加相应的编译选项来启用内存消毒
if (!aflcc->have_msan) { insert_param(aflcc, "-fsanitize=memory"); }
aflcc->have_msan = 1; // 标记已经启用了 MSAN
}
// 如果启用了 UBSAN (未定义行为消毒器),则进行相关配置
if (getenv("AFL_USE_UBSAN") || aflcc->have_ubsan) {
// 如果没有启用 UBSAN则添加相应的编译选项来启用未定义行为消毒
if (!aflcc->have_ubsan) {
insert_param(aflcc, "-fsanitize=undefined");
insert_param(aflcc, "-fsanitize-undefined-trap-on-error");
insert_param(aflcc, "-fno-sanitize-recover=all");
}
// 如果没有启用帧指针,则添加相应的选项来启用帧指针
if (!aflcc->have_fp) {
insert_param(aflcc, "-fno-omit-frame-pointer");
aflcc->have_fp = 1;
}
aflcc->have_ubsan = 1; // 标记已经启用了 UBSAN
}
// 如果启用了 TSAN (线程消毒器),则进行相关配置
if (getenv("AFL_USE_TSAN") || aflcc->have_tsan) {
// 如果没有启用帧指针,则添加相应的选项来启用帧指针
if (!aflcc->have_fp) {
insert_param(aflcc, "-fno-omit-frame-pointer");
aflcc->have_fp = 1;
}
// 如果没有启用 TSAN则添加相应的编译选项来启用线程消毒
if (!aflcc->have_tsan) { insert_param(aflcc, "-fsanitize=thread"); }
aflcc->have_tsan = 1; // 标记已经启用了 TSAN
}
// 如果启用了 LSAN (泄漏消毒器),则进行相关配置
if (getenv("AFL_USE_LSAN") && !aflcc->have_lsan) {
// 添加编译选项来启用泄漏消毒
insert_param(aflcc, "-fsanitize=leak");
// 添加 LSAN 控制的定义
add_defs_lsan_ctrl(aflcc);
aflcc->have_lsan = 1; // 标记已经启用了 LSAN
}
// 如果启用了 CFISAN (控制流完整性消毒器),则进行相关配置
if (getenv("AFL_USE_CFISAN") || aflcc->have_cfisan) {
// 如果是 GCC 插件模式或 GCC 模式,则启用完整的控制流保护
if (aflcc->compiler_mode == GCC_PLUGIN || aflcc->compiler_mode == GCC) {
// 如果没有启用控制流保护,则添加相应选项
if (!aflcc->have_fcf) { insert_param(aflcc, "-fcf-protection=full"); }
} else {
// 如果没有启用 LTO (链接时优化),则添加 LTO 选项
if (!aflcc->lto_mode && !aflcc->have_flto) {
uint32_t i = 0, found = 0;
while (envp[i] != NULL && !found) {
if (strncmp("-flto", envp[i++], 5) == 0) found = 1;
}
if (!found) { insert_param(aflcc, "-flto"); }
aflcc->have_flto = 1; // 标记已经启用了 LTO
}
// 如果没有启用 CFISAN则添加相应选项来启用控制流完整性消毒
if (!aflcc->have_cfisan) { insert_param(aflcc, "-fsanitize=cfi"); }
// 如果没有启用隐藏符号,则启用隐藏符号选项
if (!aflcc->have_hidden) {
insert_param(aflcc, "-fvisibility=hidden");
aflcc->have_hidden = 1;
}
aflcc->have_cfisan = 1; // 标记已经启用了 CFISAN
}
}
}
/* Add params to enable LLVM SanCov, the native PCGUARD */
void add_native_pcguard(aflcc_state_t *aflcc) {
/* If there is a rust ASan runtime on the command line, it is likely we're
* linking from rust and adding native flags requiring the sanitizer runtime
* will trigger native clang to add yet another runtime, causing linker
* errors. For now we shouldn't add instrumentation here, we're linking
* anyway.
*/
if (aflcc->have_rust_asanrt) { return; }
/* If llvm-config doesn't figure out LLVM_MAJOR, just
go on anyway and let compiler complain if doesn't work. */
#if LLVM_MAJOR > 0 && LLVM_MAJOR < 6
FATAL("pcguard instrumentation with pc-table requires LLVM 6.0.1+");
#else
#if LLVM_MAJOR == 0
WARNF(
"pcguard instrumentation with pc-table requires LLVM 6.0.1+"
" otherwise the compiler will fail");
#endif
if (aflcc->instrument_opt_mode & INSTRUMENT_OPT_CODECOV) {
insert_param(aflcc,
"-fsanitize-coverage=trace-pc-guard,bb,no-prune,pc-table");
} else {
insert_param(aflcc, "-fsanitize-coverage=trace-pc-guard,pc-table");
}
#endif
}
/*
Add params to launch our optimized PCGUARD on request.
It will fallback to use the native PCGUARD in some cases. If so, plz
bear in mind that instrument_mode will be set to INSTRUMENT_LLVMNATIVE.
*/
void add_optimized_pcguard(aflcc_state_t *aflcc) {
#if LLVM_MAJOR >= 13
#if defined __ANDROID__ || ANDROID
insert_param(aflcc, "-fsanitize-coverage=trace-pc-guard");
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
#else
if (aflcc->have_instr_list) {
if (!be_quiet)
SAYF(
"Using unoptimized trace-pc-guard, due usage of "
"-fsanitize-coverage-allow/denylist, you can use "
"AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST instead.\n");
insert_param(aflcc, "-fsanitize-coverage=trace-pc-guard");
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
} else {
/* Since LLVM_MAJOR >= 13 we use new pass manager */
#if LLVM_MAJOR < 16
insert_param(aflcc, "-fexperimental-new-pass-manager");
#endif
insert_object(aflcc, "SanitizerCoveragePCGUARD.so", "-fpass-plugin=%s", 0);
}
#endif // defined __ANDROID__ || ANDROID
#else // LLVM_MAJOR < 13
#if LLVM_MAJOR >= 4
if (!be_quiet)
SAYF(
"Using unoptimized trace-pc-guard, upgrade to LLVM 13+ for "
"enhanced version.\n");
insert_param(aflcc, "-fsanitize-coverage=trace-pc-guard");
aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
#else
FATAL("pcguard instrumentation requires LLVM 4.0.1+");
#endif
#endif
}
/** About -fsanitize -----END----- **/
/** Linking behaviors -----BEGIN----- **/
/*
Parse and process possible linking stage related args,
return PARAM_MISS if nothing matched.
*/
param_st parse_linking_params(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan,
u8 *skip_next, char **argv) {
if (aflcc->lto_mode && !strncmp(cur_argv, "-flto=thin", 10)) {
FATAL(
"afl-clang-lto cannot work with -flto=thin. Switch to -flto=full or "
"use afl-clang-fast!");
}
param_st final_ = PARAM_MISS;
if (!strcmp(cur_argv, "-shared") || !strcmp(cur_argv, "-dynamiclib")) {
if (scan) {
aflcc->shared_linking = 1;
final_ = PARAM_SCAN;
} else {
final_ = PARAM_KEEP;
}
} else if (!strcmp(cur_argv, "-Wl,-r") || !strcmp(cur_argv, "-Wl,-i") ||
!strcmp(cur_argv, "-Wl,--relocatable") ||
!strcmp(cur_argv, "-r") || !strcmp(cur_argv, "--relocatable")) {
if (scan) {
aflcc->partial_linking = 1;
final_ = PARAM_SCAN;
} else {
final_ = PARAM_KEEP;
}
} else if (!strncmp(cur_argv, "-fuse-ld=", 9) ||
!strncmp(cur_argv, "--ld-path=", 10)) {
if (scan) {
final_ = PARAM_SCAN;
} else {
if (aflcc->lto_mode)
final_ = PARAM_DROP;
else
final_ = PARAM_KEEP;
}
} else if (!strcmp(cur_argv, "-Wl,-z,defs") ||
!strcmp(cur_argv, "-Wl,--no-undefined") ||
!strcmp(cur_argv, "-Wl,-no-undefined") ||
!strcmp(cur_argv, "--no-undefined") ||
strstr(cur_argv, "afl-compiler-rt") ||
strstr(cur_argv, "afl-llvm-rt")) {
if (scan) {
final_ = PARAM_SCAN;
} else {
final_ = PARAM_DROP;
}
} else if (!strcmp(cur_argv, "-z") || !strcmp(cur_argv, "-Wl,-z")) {
u8 *param = *(argv + 1);
if (param && (!strcmp(param, "defs") || !strcmp(param, "-Wl,defs"))) {
*skip_next = 1;
if (scan) {
final_ = PARAM_SCAN;
} else {
final_ = PARAM_DROP;
}
}
}
// Try to warn user for some unsupported cases
if (scan && final_ == PARAM_MISS) {
u8 *ptr_ = NULL;
if (!strcmp(cur_argv, "-Xlinker") && (ptr_ = *(argv + 1))) {
if (!strcmp(ptr_, "defs")) {
WARNF("'-Xlinker' 'defs' detected. This may result in a bad link.");
} else if (strstr(ptr_, "-no-undefined")) {
WARNF(
"'-Xlinker' '%s' detected. The latter option may be dropped and "
"result in a bad link.",
ptr_);
}
} else if (!strncmp(cur_argv, "-Wl,", 4) &&
(u8 *)strrchr(cur_argv, ',') != (cur_argv + 3)) {
ptr_ = cur_argv + 4;
if (strstr(ptr_, "-shared") || strstr(ptr_, "-dynamiclib")) {
WARNF(
"'%s': multiple link options after '-Wl,' may break shared "
"linking.",
ptr_);
}
if (strstr(ptr_, "-r,") || strstr(ptr_, "-i,") || strstr(ptr_, ",-r") ||
strstr(ptr_, ",-i") || strstr(ptr_, "--relocatable")) {
WARNF(
"'%s': multiple link options after '-Wl,' may break partial "
"linking.",
ptr_);
}
if (strstr(ptr_, "defs") || strstr(ptr_, "no-undefined")) {
WARNF(
"'%s': multiple link options after '-Wl,' may enable report "
"unresolved symbol references and result in a bad link.",
ptr_);
}
}
}
if (final_ == PARAM_KEEP) insert_param(aflcc, cur_argv);
return final_;
}
/* Add params to specify the linker used in LTO */
void add_lto_linker(aflcc_state_t *aflcc) {
unsetenv("AFL_LD");
unsetenv("AFL_LD_CALLER");
u8 *ld_path = NULL;
if (getenv("AFL_REAL_LD")) {
ld_path = strdup(getenv("AFL_REAL_LD"));
} else {
ld_path = strdup(AFL_REAL_LD);
}
if (!ld_path || !*ld_path) {
if (ld_path) {
// Freeing empty string
free(ld_path);
}
ld_path = strdup("ld.lld");
}
if (!ld_path) { PFATAL("Could not allocate mem for ld_path"); }
#if defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 12
insert_param(aflcc, alloc_printf("--ld-path=%s", ld_path));
#else
insert_param(aflcc, alloc_printf("-fuse-ld=%s", ld_path));
#endif
free(ld_path);
}
/* Add params to launch SanitizerCoverageLTO.so when linking */
void add_lto_passes(aflcc_state_t *aflcc) {
#if defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 15
// The NewPM implementation only works fully since LLVM 15.
insert_object(aflcc, "SanitizerCoverageLTO.so", "-Wl,--load-pass-plugin=%s",
0);
#elif defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 13
insert_param(aflcc, "-Wl,--lto-legacy-pass-manager");
insert_object(aflcc, "SanitizerCoverageLTO.so", "-Wl,-mllvm=-load=%s", 0);
#else
insert_param(aflcc, "-fno-experimental-new-pass-manager");
insert_object(aflcc, "SanitizerCoverageLTO.so", "-Wl,-mllvm=-load=%s", 0);
#endif
insert_param(aflcc, "-Wl,--allow-multiple-definition");
}
/* Add params to link with libAFLDriver.a on request */
static void add_aflpplib(aflcc_state_t *aflcc) {
if (!aflcc->need_aflpplib) return;
u8 *afllib = find_object(aflcc, "libAFLDriver.a");
if (!be_quiet) {
OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a");
}
if (!afllib) {
if (!be_quiet) {
WARNF(
"Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in "
"the flags - this will fail!");
}
} else {
insert_param(aflcc, afllib);
#ifdef __APPLE__
insert_param(aflcc, "-Wl,-undefined,dynamic_lookup");
#endif
}
}
/* Add params to link with runtimes depended by our instrumentation */
void add_runtime(aflcc_state_t *aflcc) {
if (aflcc->preprocessor_only || aflcc->have_c || !aflcc->non_dash) {
/* In the preprocessor_only case (-E), we are not actually compiling at
all but requesting the compiler to output preprocessed sources only.
We must not add the runtime in this case because the compiler will
simply output its binary content back on stdout, breaking any build
systems that rely on a separate source preprocessing step. */
return;
}
if (aflcc->compiler_mode != GCC_PLUGIN && aflcc->compiler_mode != GCC &&
!getenv("AFL_LLVM_NO_RPATH")) {
// in case LLVM is installed not via a package manager or "make install"
// e.g. compiled download or compiled from github then its ./lib directory
// might not be in the search path. Add it if so.
const char *libdir = LLVM_LIBDIR;
if (aflcc->plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) &&
strncmp(libdir, "/lib", 4)) {
#ifdef __APPLE__
u8 *libdir_opt = strdup("-Wl,-rpath," LLVM_LIBDIR);
#else
u8 *libdir_opt = strdup("-Wl,-rpath=" LLVM_LIBDIR);
#endif
insert_param(aflcc, libdir_opt);
}
}
#ifndef __ANDROID__
#define M32_ERR_MSG "-m32 is not supported by your compiler"
#define M64_ERR_MSG "-m64 is not supported by your compiler"
if (aflcc->compiler_mode != GCC && aflcc->compiler_mode != CLANG) {
switch (aflcc->bit_mode) {
case 0:
if (!aflcc->shared_linking && !aflcc->partial_linking)
insert_object(aflcc, "afl-compiler-rt.o", 0, 0);
if (aflcc->lto_mode) insert_object(aflcc, "afl-llvm-rt-lto.o", 0, 0);
break;
case 32:
if (!aflcc->shared_linking && !aflcc->partial_linking)
insert_object(aflcc, "afl-compiler-rt-32.o", 0, M32_ERR_MSG);
if (aflcc->lto_mode)
insert_object(aflcc, "afl-llvm-rt-lto-32.o", 0, M32_ERR_MSG);
break;
case 64:
if (!aflcc->shared_linking && !aflcc->partial_linking)
insert_object(aflcc, "afl-compiler-rt-64.o", 0, M64_ERR_MSG);
if (aflcc->lto_mode)
insert_object(aflcc, "afl-llvm-rt-lto-64.o", 0, M64_ERR_MSG);
break;
}
#if __AFL_CODE_COVERAGE
// Required for dladdr used in afl-compiler-rt.o
insert_param(aflcc, "-ldl");
#endif
#if !defined(__APPLE__) && !defined(__sun)
if (!aflcc->shared_linking && !aflcc->partial_linking)
insert_object(aflcc, "dynamic_list.txt", "-Wl,--dynamic-list=%s", 0);
#endif
#if defined(__APPLE__)
if (aflcc->shared_linking || aflcc->partial_linking) {
insert_param(aflcc, "-Wl,-U");
insert_param(aflcc, "-Wl,___afl_area_ptr");
insert_param(aflcc, "-Wl,-U");
insert_param(aflcc, "-Wl,___sanitizer_cov_trace_pc_guard_init");
}
#endif
}
#endif
add_aflpplib(aflcc);
#if defined(USEMMAP) && !defined(__HAIKU__) && !__APPLE__
insert_param(aflcc, "-Wl,-lrt");
#endif
}
/** Linking behaviors -----END----- **/
/** Miscellaneous routines -----BEGIN----- **/
/*
Add params to make compiler driver use our afl-as
as assembler, required by the vanilla instrumentation.
*/
void add_assembler(aflcc_state_t *aflcc) {
u8 *afl_as = find_object(aflcc, "afl-as");
if (!afl_as) FATAL("Cannot find 'afl-as'.");
u8 *slash = strrchr(afl_as, '/');
if (slash) *slash = 0;
// Search for 'as' may be unreliable in some cases (see #2058)
// so use 'afl-as' instead, because 'as' is usually a symbolic link,
// or can be a renamed copy of 'afl-as' created in the same dir.
// Now we should verify if the compiler can find the 'as' we need.
#define AFL_AS_ERR "(should be a symlink or copy of 'afl-as')"
u8 *afl_as_dup = alloc_printf("%s/as", afl_as);
int fd = open(afl_as_dup, O_RDONLY);
if (fd < 0) { PFATAL("Unable to open '%s' " AFL_AS_ERR, afl_as_dup); }
struct stat st;
if (fstat(fd, &st) < 0) {
PFATAL("Unable to fstat '%s' " AFL_AS_ERR, afl_as_dup);
}
u32 f_len = st.st_size;
u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0);
if (f_data == MAP_FAILED) {
PFATAL("Unable to mmap file '%s' " AFL_AS_ERR, afl_as_dup);
}
close(fd);
// "AFL_AS" is a const str passed to getenv in afl-as.c
if (!memmem(f_data, f_len, "AFL_AS", strlen("AFL_AS") + 1)) {
FATAL(
"Looks like '%s' is not a valid symlink or copy of '%s/afl-as'. "
"It is a prerequisite to override system-wide 'as' for "
"instrumentation.",
afl_as_dup, afl_as);
}
if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); }
ck_free(afl_as_dup);
#undef AFL_AS_ERR
insert_param(aflcc, "-B");
insert_param(aflcc, afl_as);
if (aflcc->compiler_mode == CLANG) insert_param(aflcc, "-no-integrated-as");
}
/* Add params to launch the gcc plugins for instrumentation. */
void add_gcc_plugin(aflcc_state_t *aflcc) {
if (aflcc->cmplog_mode) {
insert_object(aflcc, "afl-gcc-cmplog-pass.so", "-fplugin=%s", 0);
insert_object(aflcc, "afl-gcc-cmptrs-pass.so", "-fplugin=%s", 0);
}
insert_object(aflcc, "afl-gcc-pass.so", "-fplugin=%s", 0);
insert_param(aflcc, "-fno-if-conversion");
insert_param(aflcc, "-fno-if-conversion2");
}
/* Add some miscellaneous params required by our instrumentation. */
void add_misc_params(aflcc_state_t *aflcc) {
// 如果环境变量 AFl_NO_BUILTIN 或其他相关环境变量被设置,或者启用了 LTO 模式
// 则禁用内置的字符串和内存比较函数
if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") ||
getenv("AFL_LLVM_LAF_ALL") || getenv("AFL_LLVM_CMPLOG") ||
aflcc->lto_mode) {
// 禁用常见的字符串和内存比较函数的内置实现,防止与模糊测试产生冲突
insert_param(aflcc, "-fno-builtin-strcmp");
insert_param(aflcc, "-fno-builtin-strncmp");
insert_param(aflcc, "-fno-builtin-strcasecmp");
insert_param(aflcc, "-fno-builtin-strncasecmp");
insert_param(aflcc, "-fno-builtin-memcmp");
insert_param(aflcc, "-fno-builtin-bcmp");
insert_param(aflcc, "-fno-builtin-strstr");
insert_param(aflcc, "-fno-builtin-strcasestr");
}
// 如果没有启用位置无关代码PIC则添加 -fPIC 参数
if (!aflcc->have_pic) {
insert_param(aflcc, "-fPIC");
}
// 如果环境变量 AFL_HARDEN 被设置,启用栈保护等安全选项
if (getenv("AFL_HARDEN")) {
// 启用所有函数的栈保护
insert_param(aflcc, "-fstack-protector-all");
// 如果未设置 Fortify设置 Fortify 防护等级
if (!aflcc->fortify_set)
add_defs_fortify(aflcc, 2);
}
// 如果环境变量 AFL_DONT_OPTIMIZE 未设置,启用优化选项
if (!getenv("AFL_DONT_OPTIMIZE")) {
// 启用调试符号生成
insert_param(aflcc, "-g");
// 如果没有设置 -O 优化级别,设置为 -O3最高优化
if (!aflcc->have_o)
insert_param(aflcc, "-O3");
// 如果没有设置循环展开,启用循环展开优化
if (!aflcc->have_unroll)
insert_param(aflcc, "-funroll-loops");
// 以下代码被注释掉了,但如果有指定架构优化选项(如 -march也可以启用
// if (strlen(aflcc->march_opt) > 1 && aflcc->march_opt[0] == '-')
// insert_param(aflcc, aflcc->march_opt);
}
// 如果设置了 x_set 标志,插入 -x none 参数
if (aflcc->x_set) {
insert_param(aflcc, "-x");
insert_param(aflcc, "none");
}
}
/*
Parse and process a variety of args under our matching rules,
return PARAM_MISS if nothing matched.
*/
param_st parse_misc_params(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) {
param_st final_ = PARAM_MISS;
// MACRO START
#define SCAN_KEEP(dst, src) \
do { \
\
if (scan) { \
\
dst = src; \
final_ = PARAM_SCAN; \
\
} else { \
\
final_ = PARAM_KEEP; \
\
} \
\
} while (0)
// MACRO END
if (!strncasecmp(cur_argv, "-fpic", 5)) {
SCAN_KEEP(aflcc->have_pic, 1);
} else if (!strcmp(cur_argv, "-m32") ||
!strcmp(cur_argv, "armv7a-linux-androideabi")) {
SCAN_KEEP(aflcc->bit_mode, 32);
} else if (!strcmp(cur_argv, "-m64")) {
SCAN_KEEP(aflcc->bit_mode, 64);
} else if (strstr(cur_argv, "FORTIFY_SOURCE")) {
SCAN_KEEP(aflcc->fortify_set, 1);
} else if (!strcmp(cur_argv, "-x")) {
SCAN_KEEP(aflcc->x_set, 1);
} else if (!strcmp(cur_argv, "-E")) {
SCAN_KEEP(aflcc->preprocessor_only, 1);
} else if (!strcmp(cur_argv, "--target=wasm32-wasi")) {
SCAN_KEEP(aflcc->passthrough, 1);
} else if (!strcmp(cur_argv, "-c")) {
SCAN_KEEP(aflcc->have_c, 1);
} else if (!strcmp(cur_argv, "-static-libasan")) {
SCAN_KEEP(aflcc->have_staticasan, 1);
} else if (strstr(cur_argv, "librustc") && strstr(cur_argv, "_rt.asan.a")) {
SCAN_KEEP(aflcc->have_rust_asanrt, 1);
} else if (!strcmp(cur_argv, "-fno-omit-frame-pointer")) {
SCAN_KEEP(aflcc->have_fp, 1);
} else if (!strcmp(cur_argv, "-fvisibility=hidden")) {
SCAN_KEEP(aflcc->have_hidden, 1);
} else if (!strcmp(cur_argv, "-flto") || !strcmp(cur_argv, "-flto=full")) {
SCAN_KEEP(aflcc->have_flto, 1);
} else if (!strncmp(cur_argv, "-D_FORTIFY_SOURCE",
strlen("-D_FORTIFY_SOURCE"))) {
SCAN_KEEP(aflcc->have_fortify, 1);
} else if (!strncmp(cur_argv, "-fcf-protection", strlen("-fcf-protection"))) {
SCAN_KEEP(aflcc->have_cfisan, 1);
} else if (!strncmp(cur_argv, "-O", 2)) {
SCAN_KEEP(aflcc->have_o, 1);
} else if (!strncmp(cur_argv, "-funroll-loop", 13)) {
SCAN_KEEP(aflcc->have_unroll, 1);
} else if (!strncmp(cur_argv, "--afl", 5)) {
if (scan)
final_ = PARAM_SCAN;
else
final_ = PARAM_DROP;
} else if (!strncmp(cur_argv, "-fno-unroll", 11)) {
if (scan)
final_ = PARAM_SCAN;
else
final_ = PARAM_DROP;
} else if (!strcmp(cur_argv, "-pipe") && aflcc->compiler_mode == GCC_PLUGIN) {
if (scan)
final_ = PARAM_SCAN;
else
final_ = PARAM_DROP;
} else if (!strncmp(cur_argv, "-stdlib=", 8) &&
(aflcc->compiler_mode == GCC ||
aflcc->compiler_mode == GCC_PLUGIN)) {
if (scan) {
final_ = PARAM_SCAN;
} else {
if (!be_quiet) WARNF("Found '%s' - stripping!", cur_argv);
final_ = PARAM_DROP;
}
} else if (cur_argv[0] != '-') {
/* It's a weak, loose pattern, with very different purpose
than others. We handle it at last, cautiously and robustly. */
if (scan && cur_argv[0] != '@') // response file support
aflcc->non_dash = 1;
}
#undef SCAN_KEEP
if (final_ == PARAM_KEEP) insert_param(aflcc, cur_argv);
return final_;
}
/** Miscellaneous routines -----END----- **/
/* Print help message on request */
static void maybe_usage(aflcc_state_t *aflcc, int argc, char **argv) {
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) {
printf("afl-cc" VERSION
" by Michal Zalewski, Laszlo Szekeres, Marc Heuse\n");
SAYF(
"\n"
"afl-cc/afl-c++ [options]\n"
"\n"
"This is a helper application for afl-fuzz. It serves as a drop-in "
"replacement\n"
"for gcc and clang, letting you recompile third-party code with the "
"required\n"
"runtime instrumentation. A common use pattern would be one of the "
"following:\n\n"
" CC=afl-cc CXX=afl-c++ ./configure --disable-shared\n"
" cmake -DCMAKE_C_COMPILERC=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .\n"
" CC=afl-cc CXX=afl-c++ meson\n\n");
SAYF(
" |------------- FEATURES "
"-------------|\n"
"MODES: NCC PERSIST DICT LAF "
"CMPLOG SELECT\n"
" [LLVM] LLVM: %s%s\n"
" PCGUARD %s yes yes module yes yes "
"yes\n"
" NATIVE AVAILABLE no yes no no "
"part. yes\n"
" CLASSIC %s no yes module yes yes "
"yes\n"
" - NORMAL\n"
" - CALLER\n"
" - CTX\n"
" - NGRAM-{2-16}\n"
" [LTO] LLVM LTO: %s%s\n"
" PCGUARD DEFAULT yes yes yes yes yes "
" yes\n"
" CLASSIC yes yes yes yes yes "
" yes\n"
" [GCC_PLUGIN] gcc plugin: %s%s\n"
" CLASSIC DEFAULT no yes no no no "
"yes\n"
" [GCC/CLANG] simple gcc/clang: %s%s\n"
" CLASSIC DEFAULT no no no no no "
"no\n\n",
aflcc->have_llvm ? "AVAILABLE " : "unavailable!",
aflcc->compiler_mode == LLVM ? " [SELECTED]" : "",
aflcc->have_llvm ? "AVAILABLE " : "unavailable!",
aflcc->have_llvm ? "AVAILABLE " : "unavailable!",
aflcc->have_lto ? "AVAILABLE" : "unavailable!",
aflcc->compiler_mode == LTO ? " [SELECTED]" : "",
aflcc->have_gcc_plugin ? "AVAILABLE" : "unavailable!",
aflcc->compiler_mode == GCC_PLUGIN ? " [SELECTED]" : "",
aflcc->have_gcc && aflcc->have_clang
? "AVAILABLE"
: (aflcc->have_gcc
? "GCC ONLY "
: (aflcc->have_clang ? "CLANG ONLY" : "unavailable!")),
(aflcc->compiler_mode == GCC || aflcc->compiler_mode == CLANG)
? " [SELECTED]"
: "");
SAYF(
"Modes:\n"
" To select the compiler mode use a symlink version (e.g. "
"afl-clang-fast), set\n"
" the environment variable AFL_CC_COMPILER to a mode (e.g. LLVM) or "
"use the\n"
" command line parameter --afl-MODE (e.g. --afl-llvm). If none is "
"selected,\n"
" afl-cc will select the best available (LLVM -> GCC_PLUGIN -> GCC).\n"
" The best is LTO but it often needs RANLIB and AR settings outside "
"of afl-cc.\n\n");
#if LLVM_MAJOR >= 11 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
#define NATIVE_MSG \
" LLVM-NATIVE: use llvm's native PCGUARD instrumentation (less " \
"performant)\n"
#else
#define NATIVE_MSG ""
#endif
SAYF(
"Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best "
"available)\n"
" PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)\n"
NATIVE_MSG
" CLASSIC: decision target instrumentation (README.llvm.md)\n"
" CALLER: CLASSIC + single callee context "
"(instrumentation/README.ctx.md)\n"
" CTX: CLASSIC + full callee context "
"(instrumentation/README.ctx.md)\n"
" NGRAM-x: CLASSIC + previous path "
"((instrumentation/README.ngram.md)\n\n");
#undef NATIVE_MSG
SAYF(
"Features: (see documentation links)\n"
" NCC: non-colliding coverage [automatic] (that is an amazing "
"thing!)\n"
" (instrumentation/README.lto.md)\n"
" PERSIST: persistent mode support [code] (huge speed increase!)\n"
" (instrumentation/README.persistent_mode.md)\n"
" DICT: dictionary in the target [yes=automatic or LLVM module "
"pass]\n"
" (instrumentation/README.lto.md + "
"instrumentation/README.llvm.md)\n"
" LAF: comparison splitting [env] "
"(instrumentation/README.laf-intel.md)\n"
" CMPLOG: input2state exploration [env] "
"(instrumentation/README.cmplog.md)\n"
" SELECT: selective instrumentation (allow/deny) on filename or "
"function [env]\n"
" (instrumentation/README.instrument_list.md)\n\n");
if (argc < 2 || strncmp(argv[1], "-hh", 3)) {
SAYF(
"To see all environment variables for the configuration of afl-cc "
"use \"-hh\".\n");
} else {
SAYF(
"Environment variables used:\n"
" AFL_CC: path to the C compiler to use\n"
" AFL_CXX: path to the C++ compiler to use\n"
" AFL_DEBUG: enable developer debugging output\n"
" AFL_DONT_OPTIMIZE: disable optimization instead of -O3\n"
" AFL_NO_BUILTIN: no builtins for string compare functions (for "
"libtokencap.so)\n"
" AFL_NOOPT: behave like a normal compiler (to pass configure "
"tests)\n"
" AFL_PATH: path to instrumenting pass and runtime "
"(afl-compiler-rt.*o)\n"
" AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
" AFL_INST_RATIO: percentage of branches to instrument\n"
" AFL_QUIET: suppress verbose output\n"
" AFL_HARDEN: adds code hardening to catch memory bugs\n"
" AFL_USE_ASAN: activate address sanitizer\n"
" AFL_USE_CFISAN: activate control flow sanitizer\n"
" AFL_USE_MSAN: activate memory sanitizer\n"
" AFL_USE_UBSAN: activate undefined behaviour sanitizer\n"
" AFL_USE_TSAN: activate thread sanitizer\n"
" AFL_USE_LSAN: activate leak-checker sanitizer\n");
if (aflcc->have_gcc_plugin)
SAYF(
"\nGCC Plugin-specific environment variables:\n"
" AFL_GCC_CMPLOG: log operands of comparisons (RedQueen mutator)\n"
" AFL_GCC_OUT_OF_LINE: disable inlined instrumentation\n"
" AFL_GCC_SKIP_NEVERZERO: do not skip zero on trace counters\n"
" AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by "
"filename\n");
#if LLVM_MAJOR >= 9
#define COUNTER_BEHAVIOUR \
" AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n"
#else
#define COUNTER_BEHAVIOUR \
" AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n"
#endif
if (aflcc->have_llvm)
SAYF(
"\nLLVM/LTO/afl-clang-fast/afl-clang-lto specific environment "
"variables:\n"
" AFL_LLVM_THREADSAFE_INST: instrument with thread safe counters, "
"disables neverzero\n"
COUNTER_BEHAVIOUR
" AFL_LLVM_DICT2FILE: generate an afl dictionary based on found "
"comparisons\n"
" AFL_LLVM_DICT2FILE_NO_MAIN: skip parsing main() for the "
"dictionary\n"
" AFL_LLVM_INJECTIONS_ALL: enables all injections hooking\n"
" AFL_LLVM_INJECTIONS_SQL: enables SQL injections hooking\n"
" AFL_LLVM_INJECTIONS_LDAP: enables LDAP injections hooking\n"
" AFL_LLVM_INJECTIONS_XSS: enables XSS injections hooking\n"
" AFL_LLVM_LAF_ALL: enables all LAF splits/transforms\n"
" AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons\n"
" AFL_LLVM_LAF_SPLIT_COMPARES_BITW: size limit (default 8)\n"
" AFL_LLVM_LAF_SPLIT_SWITCHES: cascaded comparisons on switches\n"
" AFL_LLVM_LAF_SPLIT_FLOATS: cascaded comparisons on floats\n"
" AFL_LLVM_LAF_TRANSFORM_COMPARES: cascade comparisons for string "
"functions\n"
" AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST: enable "
"instrument allow/\n"
" deny listing (selective instrumentation)\n");
if (aflcc->have_llvm)
SAYF(
" AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen "
"mutator)\n"
" AFL_LLVM_INSTRUMENT: set instrumentation mode:\n"
" CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 "
"..-16\n"
" You can also use the old environment variables instead:\n"
" AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n"
" AFL_LLVM_CALLER: use single context sensitive coverage (for "
"CLASSIC)\n"
" AFL_LLVM_CTX: use full context sensitive coverage (for "
"CLASSIC)\n"
" AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage (for "
"CLASSIC)\n"
" AFL_LLVM_NO_RPATH: disable rpath setting for custom LLVM "
"locations\n");
#ifdef AFL_CLANG_FLTO
if (aflcc->have_lto)
SAYF(
"\nLTO/afl-clang-lto specific environment variables:\n"
" AFL_LLVM_MAP_ADDR: use a fixed coverage map address (speed), "
"e.g. "
"0x10000\n"
" AFL_LLVM_DOCUMENT_IDS: write all edge IDs and the corresponding "
"functions\n"
" into this file (LTO mode)\n"
" AFL_LLVM_LTO_CALLER: activate CALLER/CTX instrumentation\n"
" AFL_LLVM_LTO_CALLER_DEPTH: skip how many empty functions\n"
" AFL_LLVM_LTO_DONTWRITEID: don't write the highest ID used to a "
"global var\n"
" AFL_LLVM_LTO_STARTID: from which ID to start counting from for "
"a bb\n"
" AFL_REAL_LD: use this lld linker instead of the compiled in "
"path\n"
" AFL_LLVM_LTO_SKIPINIT: don't inject initialization code "
"(used in WAFL mode)\n"
"If anything fails - be sure to read README.lto.md!\n");
#endif
SAYF(
"\nYou can supply --afl-noopt to not instrument, like AFL_NOOPT. "
"(this is helpful\n"
"in some build systems if you do not want to instrument "
"everything.\n");
}
SAYF(
"\nFor any information on the available instrumentations and options "
"please \n"
"consult the README.md, especially section 3.1 about instrumenting "
"targets.\n\n");
#if (LLVM_MAJOR >= 3)
if (aflcc->have_lto)
SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO);
if (aflcc->have_llvm)
SAYF("afl-cc LLVM version %d using the binary path \"%s\".\n", LLVM_MAJOR,
LLVM_BINDIR);
#endif
#ifdef USEMMAP
#if !defined(__HAIKU__)
SAYF("Compiled with shm_open support.\n");
#else
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#endif
#else
SAYF("Compiled with shmat support.\n");
#endif
SAYF("\n");
SAYF(
"Do not be overwhelmed :) afl-cc uses good defaults if no options are "
"selected.\n"
"Read the documentation for FEATURES though, all are good but few are "
"defaults.\n"
"Recommended is afl-clang-lto with AFL_LLVM_CMPLOG or afl-clang-fast "
"with\n"
"AFL_LLVM_CMPLOG and "
"AFL_LLVM_DICT2FILE+AFL_LLVM_DICT2FILE_NO_MAIN.\n\n");
if (LLVM_MAJOR < 13) {
SAYF(
"Warning: It is highly recommended to use at least LLVM version 13 "
"(or better, higher) rather than %d!\n\n",
LLVM_MAJOR);
}
exit(1);
}
}
/*
Process params passed to afl-cc.
We have two working modes, *scan* and *non-scan*. In scan mode,
the main task is to set some variables in aflcc according to current argv[i],
while in non-scan mode, is to choose keep or drop current argv[i].
We have several matching routines being called sequentially in the while-loop,
and each of them try to parse and match current argv[i] according to their own
rules. If one miss match, the next will then take over. In non-scan mode, each
argv[i] mis-matched by all the routines will be kept.
These routines are:
1. parse_misc_params
2. parse_fsanitize
3. parse_linking_params
4. `if (*cur == '@') {...}`, i.e., parse response files
*/
static void process_params(aflcc_state_t *aflcc, u8 scan, u32 argc,
char **argv) {
<<<<<<< HEAD
u8 skip_next = 0;
while (--argc) {
u8 *cur = *(++argv);
if (skip_next > 0) {
skip_next--;
continue;
}
if (PARAM_MISS != parse_misc_params(aflcc, cur, scan)) continue;
if (PARAM_MISS != parse_fsanitize(aflcc, cur, scan)) continue;
if (PARAM_MISS != parse_linking_params(aflcc, cur, scan, &skip_next, argv))
continue;
if (*cur == '@') {
u8 *filename = cur + 1;
if (aflcc->debug) { DEBUGF("response file=%s\n", filename); }
FILE *f = fopen(filename, "r");
if (!f) {
if (!scan) insert_param(aflcc, cur);
continue;
}
struct stat st;
if (fstat(fileno(f), &st) || !S_ISREG(st.st_mode) || st.st_size < 1) {
fclose(f);
if (!scan) insert_param(aflcc, cur);
continue;
}
static u32 rsp_count = 2000;
if (scan) {
if (rsp_count == 0) FATAL("Too many response files provided!");
--rsp_count;
}
u32 argc_read = 1;
char **argv_read = ck_alloc(sizeof(char *));
argv_read[0] = "";
char *arg_buf = NULL;
u64 arg_len = 0;
enum fsm_state {
=======
// for (u32 x = 0; x < argc; ++x) fprintf(stderr, "[%u] %s\n", x, argv[x]);
/* Process the argument list. */
u8 skip_next = 0;
while (--argc) {
u8 *cur = *(++argv);
if (skip_next > 0) {
skip_next--;
continue;
}
if (PARAM_MISS != parse_misc_params(aflcc, cur, scan)) continue;
if (PARAM_MISS != parse_fsanitize(aflcc, cur, scan)) continue;
if (PARAM_MISS != parse_linking_params(aflcc, cur, scan, &skip_next, argv))
continue;
/* Response file support -----BEGIN-----
We have two choices - move everything to the command line or
rewrite the response files to temporary files and delete them
afterwards. We choose the first for easiness.
For clang, llvm::cl::ExpandResponseFiles does this, however it
only has C++ interface. And for gcc there is expandargv in libiberty,
written in C, but we can't simply copy-paste since its LGPL licensed.
So here we use an equivalent FSM as alternative, and try to be compatible
with the two above. See:
- https://gcc.gnu.org/onlinedocs/gcc/Overall-Options.html
- driver::expand_at_files in gcc.git/gcc/gcc.c
- expandargv in gcc.git/libiberty/argv.c
- llvm-project.git/clang/tools/driver/driver.cpp
- ExpandResponseFiles in
llvm-project.git/llvm/lib/Support/CommandLine.cpp
*/
if (*cur == '@') {
u8 *filename = cur + 1;
if (aflcc->debug) { DEBUGF("response file=%s\n", filename); }
// Check not found or empty? let the compiler complain if so.
FILE *f = fopen(filename, "r");
if (!f) {
if (!scan) insert_param(aflcc, cur);
continue;
}
struct stat st;
if (fstat(fileno(f), &st) || !S_ISREG(st.st_mode) || st.st_size < 1) {
fclose(f);
if (!scan) insert_param(aflcc, cur);
continue;
}
// Limit the number of response files, the max value
// just keep consistent with expandargv. Only do this in
// scan mode, and not touch rsp_count anymore in the next.
static u32 rsp_count = 2000;
if (scan) {
if (rsp_count == 0) FATAL("Too many response files provided!");
--rsp_count;
}
// argc, argv acquired from this rsp file. Note that
// process_params ignores argv[0], we need to put a const "" here.
u32 argc_read = 1;
char **argv_read = ck_alloc(sizeof(char *));
argv_read[0] = "";
char *arg_buf = NULL;
u64 arg_len = 0;
enum fsm_state {
>>>>>>> e12b99bad19de97a02e9fe14b9b2c048338b2ab7
fsm_whitespace, // whitespace seen so far
fsm_double_quote, // have unpaired double quote
fsm_single_quote, // have unpaired single quote
fsm_backslash, // a backslash is seen with no unpaired quote
fsm_normal // a normal char is seen
<<<<<<< HEAD
};
=======
};
// Workaround to append c to arg buffer, and append the buffer to argv
>>>>>>> e12b99bad19de97a02e9fe14b9b2c048338b2ab7
#define ARG_ALLOC(c) \
do { \
\
++arg_len; \
arg_buf = ck_realloc(arg_buf, (arg_len + 1) * sizeof(char)); \
arg_buf[arg_len] = '\0'; \
arg_buf[arg_len - 1] = (char)c; \
\
} while (0)
#define ARG_STORE() \
do { \
\
++argc_read; \
argv_read = ck_realloc(argv_read, argc_read * sizeof(char *)); \
argv_read[argc_read - 1] = arg_buf; \
arg_buf = NULL; \
arg_len = 0; \
\
} while (0)
int cur_chr = (int)' '; // init as whitespace, as a good start :)
enum fsm_state state_ = fsm_whitespace;
while (cur_chr != EOF) {
switch (state_) {
case fsm_whitespace:
if (arg_buf) {
ARG_STORE();
break;
}
if (isspace(cur_chr)) {
cur_chr = fgetc(f);
} else if (cur_chr == (int)'\'') {
state_ = fsm_single_quote;
cur_chr = fgetc(f);
} else if (cur_chr == (int)'"') {
state_ = fsm_double_quote;
cur_chr = fgetc(f);
} else if (cur_chr == (int)'\\') {
state_ = fsm_backslash;
cur_chr = fgetc(f);
} else {
state_ = fsm_normal;
}
break;
case fsm_normal:
if (isspace(cur_chr)) {
state_ = fsm_whitespace;
} else if (cur_chr == (int)'\'') {
state_ = fsm_single_quote;
cur_chr = fgetc(f);
} else if (cur_chr == (int)'\"') {
state_ = fsm_double_quote;
cur_chr = fgetc(f);
} else if (cur_chr == (int)'\\') {
state_ = fsm_backslash;
cur_chr = fgetc(f);
} else {
ARG_ALLOC(cur_chr);
cur_chr = fgetc(f);
}
break;
case fsm_backslash:
ARG_ALLOC(cur_chr);
cur_chr = fgetc(f);
state_ = fsm_normal;
break;
case fsm_single_quote:
if (cur_chr == (int)'\\') {
cur_chr = fgetc(f);
if (cur_chr == EOF) break;
ARG_ALLOC(cur_chr);
} else if (cur_chr == (int)'\'') {
state_ = fsm_normal;
} else {
ARG_ALLOC(cur_chr);
}
cur_chr = fgetc(f);
break;
case fsm_double_quote:
if (cur_chr == (int)'\\') {
cur_chr = fgetc(f);
if (cur_chr == EOF) break;
ARG_ALLOC(cur_chr);
} else if (cur_chr == (int)'"') {
state_ = fsm_normal;
} else {
ARG_ALLOC(cur_chr);
}
cur_chr = fgetc(f);
break;
default:
break;
}
}
if (arg_buf) { ARG_STORE(); } // save the pending arg after EOF
#undef ARG_ALLOC
#undef ARG_STORE
if (argc_read > 1) { process_params(aflcc, scan, argc_read, argv_read); }
// We cannot free argv_read[] unless we don't need to keep any
// reference in cc_params. Never free argv[0], the const "".
if (scan) {
while (argc_read > 1)
ck_free(argv_read[--argc_read]);
ck_free(argv_read);
}
continue;
} /* Response file support -----END----- */
if (!scan) insert_param(aflcc, cur);
}
}
/* Process each of the existing argv, also add a few new args. */
static void edit_params(aflcc_state_t *aflcc, u32 argc, char **argv,
char **envp) {
<<<<<<< HEAD
add_real_argv0(aflcc);
if (aflcc->compiler_mode != GCC_PLUGIN && aflcc->compiler_mode != GCC) {
insert_param(aflcc, "-Wno-unused-command-line-argument");
}
if (aflcc->compiler_mode == GCC || aflcc->compiler_mode == CLANG) {
add_assembler(aflcc);
}
if (aflcc->compiler_mode == GCC_PLUGIN) { add_gcc_plugin(aflcc); }
if (aflcc->compiler_mode == LLVM || aflcc->compiler_mode == LTO) {
if (aflcc->lto_mode && aflcc->have_instr_env) {
load_llvm_pass(aflcc, "afl-llvm-lto-instrumentlist.so");
}
if (getenv("AFL_LLVM_DICT2FILE")) {
load_llvm_pass(aflcc, "afl-llvm-dict2file.so");
}
if (getenv("LAF_SPLIT_SWITCHES") || getenv("AFL_LLVM_LAF_SPLIT_SWITCHES")) {
load_llvm_pass(aflcc, "split-switches-pass.so");
}
if (getenv("LAF_TRANSFORM_COMPARES") ||
getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) {
load_llvm_pass(aflcc, "compare-transform-pass.so");
}
if (getenv("LAF_SPLIT_COMPARES") || getenv("AFL_LLVM_LAF_SPLIT_COMPARES") ||
getenv("AFL_LLVM_LAF_SPLIT_FLOATS")) {
load_llvm_pass(aflcc, "split-compares-pass.so");
}
if (aflcc->cmplog_mode) {
insert_param(aflcc, "-fno-inline");
load_llvm_pass(aflcc, "cmplog-switches-pass.so");
load_llvm_pass(aflcc, "split-switches-pass.so");
}
if (aflcc->lto_mode) {
insert_param(aflcc, aflcc->lto_flag);
if (!aflcc->have_c) {
add_lto_linker(aflcc);
add_lto_passes(aflcc);
}
} else {
if (aflcc->instrument_mode == INSTRUMENT_PCGUARD) {
add_optimized_pcguard(aflcc);
} else if (aflcc->instrument_mode == INSTRUMENT_LLVMNATIVE) {
add_native_pcguard(aflcc);
} else {
load_llvm_pass(aflcc, "afl-llvm-pass.so");
}
}
=======
add_real_argv0(aflcc);
// prevent unnecessary build errors
if (aflcc->compiler_mode != GCC_PLUGIN && aflcc->compiler_mode != GCC) {
insert_param(aflcc, "-Wno-unused-command-line-argument");
}
if (aflcc->compiler_mode == GCC || aflcc->compiler_mode == CLANG) {
add_assembler(aflcc);
}
if (aflcc->compiler_mode == GCC_PLUGIN) { add_gcc_plugin(aflcc); }
if (aflcc->compiler_mode == LLVM || aflcc->compiler_mode == LTO) {
if (aflcc->lto_mode && aflcc->have_instr_env) {
load_llvm_pass(aflcc, "afl-llvm-lto-instrumentlist.so");
}
if (getenv("AFL_LLVM_DICT2FILE")) {
load_llvm_pass(aflcc, "afl-llvm-dict2file.so");
}
// laf
if (getenv("LAF_SPLIT_SWITCHES") || getenv("AFL_LLVM_LAF_SPLIT_SWITCHES")) {
load_llvm_pass(aflcc, "split-switches-pass.so");
}
if (getenv("LAF_TRANSFORM_COMPARES") ||
getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) {
load_llvm_pass(aflcc, "compare-transform-pass.so");
}
if (getenv("LAF_SPLIT_COMPARES") || getenv("AFL_LLVM_LAF_SPLIT_COMPARES") ||
getenv("AFL_LLVM_LAF_SPLIT_FLOATS")) {
load_llvm_pass(aflcc, "split-compares-pass.so");
}
// /laf
if (aflcc->cmplog_mode) {
insert_param(aflcc, "-fno-inline");
load_llvm_pass(aflcc, "cmplog-switches-pass.so");
// reuse split switches from laf
load_llvm_pass(aflcc, "split-switches-pass.so");
}
// #if LLVM_MAJOR >= 13
// // Use the old pass manager in LLVM 14 which the AFL++ passes still
// use. insert_param(aflcc, "-flegacy-pass-manager");
// #endif
if (aflcc->lto_mode) {
insert_param(aflcc, aflcc->lto_flag);
if (!aflcc->have_c) {
add_lto_linker(aflcc);
add_lto_passes(aflcc);
}
} else {
if (aflcc->instrument_mode == INSTRUMENT_PCGUARD) {
add_optimized_pcguard(aflcc);
} else if (aflcc->instrument_mode == INSTRUMENT_LLVMNATIVE) {
add_native_pcguard(aflcc);
} else {
load_llvm_pass(aflcc, "afl-llvm-pass.so");
}
}
>>>>>>> e12b99bad19de97a02e9fe14b9b2c048338b2ab7
if (aflcc->cmplog_mode) {
load_llvm_pass(aflcc, "cmplog-instructions-pass.so");
load_llvm_pass(aflcc, "cmplog-routines-pass.so");
}
if (getenv("AFL_LLVM_INJECTIONS_ALL") ||
getenv("AFL_LLVM_INJECTIONS_SQL") ||
getenv("AFL_LLVM_INJECTIONS_LDAP") ||
getenv("AFL_LLVM_INJECTIONS_XSS")) {
load_llvm_pass(aflcc, "injection-pass.so");
}
// insert_param(aflcc, "-Qunused-arguments");
}
/* Inspect the command line parameters. */
process_params(aflcc, 0, argc, argv);
add_sanitizers(aflcc, envp);
add_misc_params(aflcc);
add_defs_common(aflcc);
add_defs_selective_instr(aflcc);
add_defs_persistent_mode(aflcc);
add_runtime(aflcc);
insert_param(aflcc, NULL);
}
/* Main entry point */
classDiagram
class AFLCCMain {
+main(argc, argv, envp)
+initializeState()
+checkEnvironmentVariables()
+findDependencies()
+determineCompilerMode()
+determineInstrumentationMode()
+finalizeMode()
+processParameters()
+maybeShowUsage()
+notifyMode()
+debugArguments()
+editParameters()
+executeCompiler()
}
class AFLCCState {
-cc_params: char**
-cc_par_cnt: u32
-passthrough: u8
-debug: u8
+aflcc_state_init(state, prog_name)
}
class EnvironmentChecker {
+check_environment_vars(envp)
}
class DependencyFinder {
+find_built_deps(aflcc)
}
class CompilerModeHandler {
+compiler_mode_by_callname(aflcc)
+compiler_mode_by_environ(aflcc)
+compiler_mode_by_cmdline(aflcc, argc, argv)
}
class InstrumentationModeHandler {
+instrument_mode_by_environ(aflcc)
}
class ModeFinalizer {
+mode_final_checkout(aflcc, argc, argv)
}
class ParameterProcessor {
+process_params(aflcc, start_idx, argc, argv)
}
class UsageNotifier {
+maybe_usage(aflcc, argc, argv)
}
class ModeNotifier {
+mode_notification(aflcc)
}
class Debugger {
+debugf_args(argc, argv)
}
class ParameterEditor {
+edit_params(aflcc, argc, argv, envp)
}
class Executor {
+execute_compiler(aflcc, argv)
}
AFLCCMain --> AFLCCState : 使
AFLCCMain --> EnvironmentChecker : 使
AFLCCMain --> DependencyFinder : 使
AFLCCMain --> CompilerModeHandler : 使
AFLCCMain --> InstrumentationModeHandler : 使
AFLCCMain --> ModeFinalizer : 使
AFLCCMain --> ParameterProcessor : 使
AFLCCMain --> UsageNotifier : 使
AFLCCMain --> ModeNotifier : 使
AFLCCMain --> Debugger : 使
AFLCCMain --> ParameterEditor : 使
AFLCCMain --> Executor : 使
Reference in new issue View Git Blame Copy Permalink