Merge pull request #1489 from AFLplusplus/dev

push to stable

README.md

@@ -2,9 +2,9 @@
 
 <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/master/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250">
 
-Release version: [4.01c](https://github.com/AFLplusplus/AFLplusplus/releases)
+Release version: [4.02c](https://github.com/AFLplusplus/AFLplusplus/releases)
 
-GitHub version: 4.02a
+GitHub version: 4.02c
 
 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)

docs/Changelog.md

@@ -8,17 +8,19 @@
 Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
-### Version ++4.02a (dev)
-  - afl-fuzz:
-    - change post_process hook to allow returning NULL and 0 length to
-      tell afl-fuzz to skip this mutated input
+### Version ++4.02c (release)
   - afl-cc:
     - important fix for the default pcguard mode when LLVM IR vector
       selects are produced, thanks to @juppytt for reporting!
   - gcc_plugin:
     - Adacore submitted CMPLOG support to the gcc_plugin! :-)
   - llvm_mode:
     - laf cmp splitting fixed for more comparison types
+  - frida_mode:
+    - now works on Android!
+  - afl-fuzz:
+    - change post_process hook to allow returning NULL and 0 length to
+      tell afl-fuzz to skip this mutated input
 
 
 ### Version ++4.01c (release)

frida_mode/GNUmakefile

@@ -13,6 +13,16 @@ JS_SRC:=$(BUILD_DIR)api.c
 JS_OBJ:=$(BUILD_DIR)api.o
 SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
+
+TARGET_CC?=$(CC)
+TARGET_CXX?=$(CXX)
+HOST_CC?=$(CC)
+HOST_CXX?=$(CXX)
+IS_ANDROID:=$(findstring android, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_x86:=$(findstring i686, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_x86_64:=$(findstring x86_64, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_ARM:=$(findstring arm, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_ARM64:=$(findstring aarch64, $(shell $(TARGET_CC) --version 2>/dev/null))
 CFLAGS+=-fPIC \
 		-D_GNU_SOURCE \
 		-D_FORTIFY_SOURCE=2 \
@@ -21,16 +31,27 @@ CFLAGS+=-fPIC \
 		-funroll-loops \
 		-ffunction-sections \
 
+ifdef IS_ANDROID
+CFLAGS+=-DANDROID 
+endif
+
 AFL_CFLAGS:=-Wno-unused-parameter \
 		   -Wno-sign-compare \
 		   -Wno-unused-function \
 		   -Wno-unused-result \
 		   -Wno-int-to-pointer-cast \
 		   -Wno-pointer-sign
 
+ifdef IS_ANDROID
+LDFLAGS+= -static-libstdc++ \
+		  -DANDROID \
+		  -llog \
+		  -shared
+else 		 
 LDFLAGS+=-shared \
 		 -lpthread \
 		 -lresolv
+endif
 
 ifdef DEBUG
 CFLAGS+=-Werror \
@@ -43,10 +64,12 @@ endif
 
 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
+FRIDA_TRACE_LIB:=$(BUILD_DIR)libafl-frida-trace.a
 FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded
 
 TARGET_CC?=$(CC)
 TARGET_CXX?=$(CXX)
+TARGET_AR?=$(AR)
 HOST_CC?=$(CC)
 HOST_CXX?=$(CXX)
 
@@ -76,11 +99,11 @@ else
 ifdef DEBUG
  AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-prio-ctor-dtor
 endif
+
 LDFLAGS+=	-z noexecstack \
 			-Wl,--gc-sections \
 			-Wl,--exclude-libs,ALL \
-		    -ldl \
-		    -lrt
+		    -ldl 
 LDSCRIPT:=-Wl,--version-script=$(PWD)frida.map
 endif
 
@@ -91,25 +114,28 @@ ifeq "$(shell uname)" "Linux"
  endif
 endif
 
-ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+
+ifdef IS_ANDROID
  OS:=android
- ifneq "$(findstring aarch64, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=arm64
+ ifdef IS_x86
+  ARCH:=x86	
  endif
- ifneq "$(findstring arm, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=arm
+ ifdef IS_x86
+  ARCH:=x86_64
  endif
- ifneq "$(findstring x86_64, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=x86_64
+ ifdef IS_ARM
+   ARCH:=arm
  endif
- ifneq "$(findstring i686, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=x86
+ ifdef IS_ARM64
+   ARCH:=arm64
  endif
 endif
 
+
 ifeq "$(ARCH)" "armhf"
  TARGET_CC:=arm-linux-gnueabihf-gcc
  TARGET_CXX:=arm-linux-gnueabihf-g++
+ TARGET_AR:=arm-linux-gnueabihf-ar
 endif
 
 ifndef OS
@@ -157,7 +183,7 @@ BIN2C_SRC:=$(PWD)util/bin2c.c
 
 ############################## ALL #############################################
 
-all: $(FRIDA_TRACE) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(ADDR_BIN)
+all: $(FRIDA_TRACE) $(FRIDA_TRACE_LIB) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(ADDR_BIN)
 
 32:
 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
@@ -221,10 +247,22 @@ else ifeq "$(ARCH)" "arm64"
 
 CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \
 	    -I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \	
 		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/capstone/ \
 		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
 
+ifeq "$(OS)" "android"
+ CFLAGS += -static-libstdc++
+endif
+else
+CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \
+	    -I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \	
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/capstone/ \
+		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
+
+endif
+
 TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
@@ -242,13 +280,15 @@ TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/liblzma.a \
 			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libz.a \
 
-else
-
 CFLAGS+=-I $(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/include/frida-1.0 \
 	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ 
+
+ifeq "$(OS)" "android"
+ CFLAGS += -static-libstdc++
+endif
 
 TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
@@ -267,11 +307,6 @@ TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \
 
-endif
-
-
-
-
 
 else
 $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR)
@@ -353,6 +388,15 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL
 
 	cp -v $(FRIDA_TRACE) $(ROOT)
 
+$(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR)
+	$(TARGET_AR) \
+		-rcs \
+		$@ \
+		$(OBJS) \
+		$(JS_OBJ) \
+		$(AFL_COMPILER_RT_OBJ) \
+		$(AFL_PERFORMANCE_OBJ) \
+
 ############################# HOOK #############################################
 
 $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR)
@@ -364,6 +408,7 @@ $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)
 
 ############################# ADDR #############################################
+ifneq "$(OS)" "android"
 $(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
 	-$(TARGET_CC) \
 		$(CFLAGS) \
@@ -377,7 +422,20 @@ $(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
 		-ldl \
 		-lrt \
 		$< -o $@
-
+else
+$(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
+	-$(TARGET_CC) \
+		$(CFLAGS) \
+		-Werror \
+		-Wall \
+		-Wextra \
+		-Wpointer-arith \
+		-z noexecstack \
+		-Wl,--gc-sections \
+		-Wl,--exclude-libs,ALL \
+		-ldl \
+		$< -o $@
+endif
 addr: $(ADDR_BIN)
 
 ############################# CLEAN ############################################

frida_mode/README.md

@@ -146,6 +146,8 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent
   QEMU driver to provide a `main` loop for a user provided
   `LLVMFuzzerTestOneInput`, this option configures the driver to read input from
   `stdin` rather than using in-memory test cases.
+* `AFL_FRIDA_INST_COVERAGE_ABSOLUTE` - Generate coverage files using absolute
+  virtual addresses rather than relative virtual addresses.
 * `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRIO format coverage
   information (e.g., to be loaded within IDA lighthouse).
 * `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks

frida_mode/frida.map

@@ -13,6 +13,7 @@
     js_api_set_debug_maps;
     js_api_set_entrypoint;
     js_api_set_instrument_cache_size;
+    js_api_set_instrument_coverage_absolute;
     js_api_set_instrument_coverage_file;
     js_api_set_instrument_debug_file;
     js_api_set_instrument_jit;

frida_mode/hook/frida_hook.c

@@ -31,7 +31,7 @@ __attribute__((visibility("default"))) void afl_persistent_hook(
   // do a length check matching the target!
 
   void **esp = (void **)regs->esp;
-  void * arg1 = esp[0];
+  void  *arg1 = esp[0];
   void **arg2 = &esp[1];
   memcpy(arg1, input_buf, input_buf_len);
   *arg2 = (void *)input_buf_len;
@@ -50,6 +50,16 @@ __attribute__((visibility("default"))) void afl_persistent_hook(
 
 }
 
+#elif defined(__arm__)
+
+__attribute__((visibility("default"))) void afl_persistent_hook(
+    GumCpuContext *regs, uint8_t *input_buf, uint32_t input_buf_len) {
+  // do a length check matching the target!
+
+  memcpy((void *)regs->r[0], input_buf, input_buf_len);
+  regs->r[1] = input_buf_len;
+}
+
 #else
   #pragma error "Unsupported architecture"
 #endif

frida_mode/include/instrument.h

@@ -7,13 +7,14 @@
 
 extern char    *instrument_debug_filename;
 extern char    *instrument_coverage_filename;
+extern bool     instrument_coverage_absolute;
 extern gboolean instrument_tracing;
 extern gboolean instrument_optimize;
 extern gboolean instrument_unique;
 extern guint64  instrument_hash_zero;
 extern char    *instrument_coverage_unstable_filename;
 extern gboolean instrument_coverage_insn;
-extern char *   instrument_regs_filename;
+extern char    *instrument_regs_filename;
 
 extern gboolean instrument_use_fixed_seed;
 extern guint64  instrument_fixed_seed;

frida_mode/include/seccomp.h

@@ -1,7 +1,7 @@
 #ifndef _SECCOMP_H
 #define _SECCOMP_H
 
-#ifndef __APPLE__
+#if !defined(__APPLE__) && !defined(__ANDROID__)
 
   #include <stdint.h>
   #include <linux/filter.h>

frida_mode/include/shm.h

@@ -0,0 +1,9 @@
+#ifndef _SHM_H
+#define _SHM_H
+
+#include <stddef.h>
+
+void *shm_create(size_t size);
+
+#endif
+

frida_mode/src/asan/asan.c

@@ -36,6 +36,15 @@ static gboolean asan_exclude_module(const GumModuleDetails *details,
   address = gum_module_find_export_by_name(details->name, symbol_name);
   if (address == 0) { return TRUE; }
 
+  /* If the reported address of the symbol is outside of the range of the module
+   * then ignore it */
+  if (address < details->range->base_address) { return TRUE; }
+  if (address > (details->range->base_address + details->range->size)) {
+
+    return TRUE;
+
+  }
+
   ranges_add_exclude((GumMemoryRange *)details->range);
   return FALSE;