
Fix using relative filename to find targets #116

Merged (1 commit, May 29, 2023)

Conversation

tl455047
@tl455047 tl455047 commented May 14, 2022

Hello, I'm trying to reproduce CVE-2016-4487 using scripts/fuzz/cxxfilt-CVE-2016-4487.sh. However, I found that the content of Ftargets.txt is incomplete. According to the valgrind report, the CVE call stack should include the following functions, but after I executed cxxfilt-CVE-2016-4487.sh, Ftargets.txt contained only some of them.

valgrind report

valgrind binutils/cxxfilt _Q10-__9cafebabe.
==3272167== Memcheck, a memory error detector
==3272167== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3272167== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==3272167== Command: binutils-2.26/binutils/cxxfilt _Q10-__9cafebabe.
==3272167==
==3272167== Invalid write of size 8
==3272167==    at 0x23B180: register_Btype (cplus-dem.c:4319)
==3272167==    by 0x23755A: demangle_class (cplus-dem.c:2594)
==3272167==    by 0x234EAC: demangle_signature (cplus-dem.c:1490)
==3272167==    by 0x23441D: internal_cplus_demangle (cplus-dem.c:1203)
==3272167==    by 0x23399A: cplus_demangle (cplus-dem.c:886)
==3272167==    by 0x137E21: demangle_it (cxxfilt.c:62)
==3272167==    by 0x1382B6: main (cxxfilt.c:227)
...

target locations in scripts/fuzz/cxxfilt-CVE-2016-4487.sh

cxxfilt.c:227
cxxfilt.c:62
cplus-dem.c:886
cplus-dem.c:1203
cplus-dem.c:1490
cplus-dem.c:2594
cplus-dem.c:4319

actual Ftargets.txt

cplus_demangle
internal_cplus_demangle
main
demangle_it

I dumped all values of target_file, target_line, filename and line used to find the BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, and found that sometimes filename was a relative path. aflgo already handles this when constructing bb_name in llvm_mode/afl-llvm-pass.so.cc:331, but it seems that aflgo still uses the relative filename to find the BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, which may cause certain target locations to be missed. I removed the relative path for every filename, and it seems to solve the problem.

llvm_mode/afl-llvm-pass.so.cc

...
325  if (bb_name.empty()) {
326
327    std::size_t found = filename.find_last_of("/\\");
328    if (found != std::string::npos)
329      filename = filename.substr(found + 1);
330
331    bb_name = filename + ":" + std::to_string(line);
332  }
...
344  if (!target_file.compare(filename) && target_line == line)
345    is_target = true;
...

some of the values of target_file, target_line, filename and line used in llvm_mode/afl-llvm-pass.so.cc:344

# target_file target_line filename line
...
../../libiberty/cplus-dem.c 4319 cxxfilt.c 227
../../libiberty/cplus-dem.c 4319 cxxfilt.c 62
../../libiberty/cplus-dem.c 4319 cplus-dem.c 886
../../libiberty/cplus-dem.c 4319 cplus-dem.c 1203
../../libiberty/cplus-dem.c 4319 cplus-dem.c 1490
../../libiberty/cplus-dem.c 4319 cplus-dem.c 2594
../../libiberty/cplus-dem.c 4319 cplus-dem.c 4319   <- target location, should be found
...

what I modified

...
  std::size_t found = filename.find_last_of("/\\");
  if (found != std::string::npos)
    filename = filename.substr(found + 1);

  if (bb_name.empty())
    bb_name = filename + ":" + std::to_string(line);
...
  if (!target_file.compare(filename) && target_line == line)
    is_target = true;
...

fixed Ftargets.txt

cplus_demangle
internal_cplus_demangle
demangle_signature
register_Btype
demangle_class
main
demangle_it

By the way, I tested on Ubuntu 20.04. On my system, scripts/fuzz/cxxfilt-CVE-2016-4487.sh:8 writes a $ character to the first line of BBtargets.txt, which causes the first target location to not be found. I'm not sure this problem exists on every system, but in my case I needed to remove this $ character.
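The matching defect described in this PR, reduced to a stand-alone program. This is an added example, not aflgo's own pass code: it keeps the `find_last_of("/\\")` idiom from afl-llvm-pass.so.cc but normalises both the target entry and the DILocation filename to a basename before comparing, and it tolerates the stray leading `$` the reporter saw on the first BBtargets.txt line. The `Target` struct, `parse_target`, `collect_targets` and `demo_hits` names, and the sample target list and (filename, line) pairs built from the dump above, are constructed for this example.

```cpp
// Added example (not aflgo's code): target matching with both sides normalised.
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Strip any directory prefix, mirroring the find_last_of("/\\") idiom
// used when afl-llvm-pass.so.cc builds bb_name.
static std::string basename_of(const std::string &path) {
    std::size_t found = path.find_last_of("/\\");
    if (found != std::string::npos)
        return path.substr(found + 1);
    return path;
}

struct Target {
    std::string file;   // basename only, e.g. "cplus-dem.c"
    unsigned int line;  // e.g. 4319
};

// Parse one BBtargets.txt entry of the form "[dir/]file.c:LINE".
// Assumption (constructed for this example): a stray leading '$' such as the
// reporter observed on line 1 is trimmed instead of silently breaking the match.
static bool parse_target(std::string entry, Target &out) {
    if (!entry.empty() && entry[0] == '$')
        entry.erase(0, 1);
    std::size_t colon = entry.find_last_of(':');
    if (colon == std::string::npos || colon + 1 >= entry.size())
        return false;
    out.file = basename_of(entry.substr(0, colon));
    try {
        out.line = static_cast<unsigned int>(std::stoul(entry.substr(colon + 1)));
    } catch (...) {
        return false;   // non-numeric line number
    }
    return true;
}

// The original check: raw string equality, so a relative DILocation path such
// as "../../libiberty/cplus-dem.c" never equals "cplus-dem.c".
static bool is_target_raw(const std::string &target_file, unsigned int target_line,
                          const std::string &filename, unsigned int line) {
    return !target_file.compare(filename) && target_line == line;
}

// The fixed check: compare basenames, so the directory prefix no longer matters.
static bool is_target_fixed(const std::string &target_file, unsigned int target_line,
                            const std::string &filename, unsigned int line) {
    return basename_of(target_file) == basename_of(filename) && target_line == line;
}

// Run every (filename, line) pair the pass would see against the target list and
// return the matched locations as "file:line", in the order encountered.
static std::vector<std::string>
collect_targets(const std::vector<std::string> &bbtargets,
                const std::vector<std::pair<std::string, unsigned int>> &locs) {
    std::vector<Target> targets;
    for (const auto &entry : bbtargets) {
        Target t;
        if (parse_target(entry, t))
            targets.push_back(t);
    }
    std::vector<std::string> hits;
    for (const auto &loc : locs) {
        for (const auto &t : targets) {
            if (is_target_fixed(t.file, t.line, loc.first, loc.second)) {
                hits.push_back(basename_of(loc.first) + ":" + std::to_string(loc.second));
                break;
            }
        }
    }
    return hits;
}

// Constructed sample input modelled on the PR's dump: the seven BBtargets.txt
// lines (first one carrying the stray '$') and a few observed locations,
// including one non-target line (cplus-dem.c:100).
static std::vector<std::string> demo_hits() {
    std::vector<std::string> bbtargets = {
        "$cxxfilt.c:227", "cxxfilt.c:62", "cplus-dem.c:886", "cplus-dem.c:1203",
        "cplus-dem.c:1490", "cplus-dem.c:2594", "cplus-dem.c:4319"};
    std::vector<std::pair<std::string, unsigned int>> locs = {
        {"cxxfilt.c", 227}, {"cxxfilt.c", 62},
        {"../../libiberty/cplus-dem.c", 886},
        {"../../libiberty/cplus-dem.c", 4319},
        {"../../libiberty/cplus-dem.c", 100}};
    return collect_targets(bbtargets, locs);
}

int main() {
    for (const auto &h : demo_hits())
        std::cout << h << '\n';   // cxxfilt.c:227, cxxfilt.c:62, cplus-dem.c:886, cplus-dem.c:4319
    return 0;
}
```

Matching on basenames alone is what makes the relative-path case work, but it also means two files with the same name in different directories (a common situation in larger trees) would both be treated as the target; when a target list is ambiguous in that way, checking the distance-computation output for unexpected extra entries is a cheap way to notice it.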

@mboehme mboehme merged commit ac9246a into aflgo:master May 29, 2023
@mboehme (Collaborator)

mboehme commented May 29, 2023

Thanks @tl455047! LGTM. Merged.
