alnsn · January 8, 2016 00:29
diff --git a/afl-rump.diff b/afl-rump.diff
 --- afl-as.h.orig	2016-01-04 19:12:46.000000000 +0000
 +++ afl-as.h	2016-01-07 09:13:10.000000000 +0000
 @@ -494,6 +494,33 @@
   "  andq  $0xfffffffffffffff0, %rsp\n"
   "\n"
   "  leaq .AFL_SHM_ENV(%rip), %rdi\n"
 +#ifdef __NetBSD__
 +  "  subq  $32, %rsp\n"
 +  "  movq  %rsp, %rsi\n"
 +  "  movq  $32, %rdx\n"
 +  CALL_L64("rumpuser_getparam")
 +  "\n"
 +  "  testq %rax, %rax\n"
 +  "  jne    __afl_setup_abort\n"
 +  "\n"
 +  "  /* Simple inlined atoi. */\n"
 +  "  movl $0, %eax         /* res=0    */\n"
 +  "  movq  %rsp, %rdi      /* load ptr */\n"
 +  "  movzbl (%rdi), %edx   /* *ptr     */\n"
 +  "  testb  %dl, %dl       /* NUL?     */\n"
 +  "  je 2f\n"
 +  "\n"
 +  "1:\n"
 +  "  leal (%rax,%rax,4), %eax      /* res*=5             */\n"
 +  "  leal -0x30(%rdx,%rax,2), %eax /* *ptr - '0' + 2*res */\n"
 +  "  add $1, %rdi                  /* ptr++              */\n"
 +  "  movzbl (%rdi), %edx           /* *ptr               */\n"
 +  "  testb  %dl, %dl               /* NUL?               */\n"
 +  "  jne 1b\n"
 +  "\n"
 +  "2:\n"
 +  "  addq  $32, %rsp\n"
 +#else
   CALL_L64("getenv")
   "\n"
   "  testq %rax, %rax\n"
 @@ -501,11 +528,18 @@
   "\n"
   "  movq  %rax, %rdi\n"
   CALL_L64("atoi")
 +#endif
   "\n"
   "  xorq %rdx, %rdx   /* shmat flags    */\n"
   "  xorq %rsi, %rsi   /* requested addr */\n"
   "  movq %rax, %rdi   /* SHM ID         */\n"
 +#ifdef __NetBSD__
 +  "  movl $228, %eax /* SYS_shmat */\n"
 +  "  syscall\n"
 +  "  jb   __afl_setup_abort\n"
 +#else
   CALL_L64("shmat")
 +#endif
   "\n"
   "  cmpq $-1, %rax\n"
   "  je   __afl_setup_abort\n"
 @@ -539,7 +573,13 @@
   "  movq $4, %rdx               /* length    */\n"
   "  leaq __afl_temp(%rip), %rsi /* data      */\n"
   "  movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi       /* file desc */\n"
 +#ifdef __NetBSD__
 +  "  movl $4, %eax /* SYS_write */\n"
 +  "  syscall\n"
 +  "  jb  __afl_fork_resume\n"
 +#else
   CALL_L64("write")
 +#endif
   "\n"
   "  cmpq $4, %rax\n"
   "  jne  __afl_fork_resume\n"
 @@ -551,7 +591,13 @@
   "  movq $4, %rdx               /* length    */\n"
   "  leaq __afl_temp(%rip), %rsi /* data      */\n"
   "  movq $" STRINGIFY(FORKSRV_FD) ", %rdi             /* file desc */\n"
 +#ifdef __NetBSD__
 +  "  movl $3, %eax /* SYS_read */\n"
 +  "  syscall\n"
 +  "  jb  __afl_die\n"
 +#else
   CALL_L64("read")
 +#endif
   "  cmpq $4, %rax\n"
   "  jne  __afl_die\n"
   "\n"
 @@ -560,7 +606,15 @@
   "     caches getpid() results and offers no way to update the value, breaking\n"
   "     abort(), raise(), and a bunch of other things :-( */\n"
   "\n"
 +#ifdef __NetBSD__
 +  "  movl $2, %eax /* SYS_fork */\n"
 +  "  syscall\n"
 +  "  jb   __afl_die\n"
 +  "  decl %edx     /* fork.S: from 1 to 0 in child, 0 to -1 in parent */\n"
 +  "  andl %edx,%eax\n"
 +#else
   CALL_L64("fork")
 +#endif
   "  cmpq $0, %rax\n"
   "  jl   __afl_die\n"
   "  je   __afl_fork_resume\n"
 @@ -572,12 +626,24 @@
   "  movq $4, %rdx                   /* length    */\n"
   "  leaq __afl_fork_pid(%rip), %rsi /* data      */\n"
   "  movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi             /* file desc */\n"
 +#ifdef __NetBSD__
 +  "  movl $4, %eax /* SYS_write */\n"
 +  "  syscall\n"
 +#else
   CALL_L64("write")
 +#endif
   "\n"
   "  movq $0, %rdx                   /* no flags  */\n"
   "  leaq __afl_temp(%rip), %rsi     /* status    */\n"
   "  movq __afl_fork_pid(%rip), %rdi /* PID       */\n"
 +#ifdef __NetBSD__
 +  "  movl $7, %eax /* SYS_compat_50_wait4 */\n"
 +  "  movq $0, %r10 /* rusage argument  is NULL */\n"
 +  "  syscall\n"
 +  "  jb  __afl_die\n"
 +#else
   CALL_L64("waitpid")
 +#endif
   "  cmpq $0, %rax\n"
   "  jle  __afl_die\n"
   "\n"
 @@ -586,7 +652,12 @@
   "  movq $4, %rdx               /* length    */\n"
   "  leaq __afl_temp(%rip), %rsi /* data      */\n"
   "  movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi         /* file desc */\n"
 +#ifdef __NetBSD__
 +  "  movl $4, %eax /* SYS_write */\n"
 +  "  syscall\n"
 +#else
   CALL_L64("write")
 +#endif
   "\n"
   "  jmp  __afl_fork_wait_loop\n"
   "\n"
 @@ -595,10 +666,20 @@
   "  /* In child process: close fds, resume execution. */\n"
   "\n"
   "  movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n"
 +#ifdef __NetBSD__
 +  "  movl $6, %eax /* SYS_close */\n"
 +  "  syscall\n"
 +#else
   CALL_L64("close")
 +#endif
   "\n"
   "  movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n"
 +#ifdef __NetBSD__
 +  "  movl $6, %eax /* SYS_close */\n"
 +  "  syscall\n"
 +#else
   CALL_L64("close")
 +#endif
   "\n"
   "  popq %rdx\n"
   "  popq %rdx\n"
 @@ -638,8 +719,13 @@
   "\n"
   "__afl_die:\n"
   "\n"
 +#ifdef __NetBSD__
 +  "  movl $1, %eax /* SYS_exit */\n"
 +  "  syscall\n"
 +#else
   "  xorq %rax, %rax\n"
   CALL_L64("_exit")
 +#endif
   "\n"
   "__afl_setup_abort:\n"
   "\n"
 --- config.h.orig	2016-01-05 23:31:49.000000000 +0000
 +++ config.h	2016-01-05 23:34:29.000000000 +0000
 @@ -257,7 +257,7 @@
 
 /* Environment variable used to pass SHM ID to the called program. */
 
 -#define SHM_ENV_VAR         "__AFL_SHM_ID"
 +#define SHM_ENV_VAR         "RUMP__AFL_SHM_ID"
 
 /* Other less interesting, internal-only variables. */
	--- afl-as.h.orig 2016-01-04 19:12:46.000000000 +0000
	+++ afl-as.h 2016-01-07 09:13:10.000000000 +0000
	@@ -494,6 +494,33 @@
	" andq $0xfffffffffffffff0, %rsp\n"
	"\n"
	" leaq .AFL_SHM_ENV(%rip), %rdi\n"
	+#ifdef __NetBSD__
	+ " subq $32, %rsp\n"
	+ " movq %rsp, %rsi\n"
	+ " movq $32, %rdx\n"
	+ CALL_L64("rumpuser_getparam")
	+ "\n"
	+ " testq %rax, %rax\n"
	+ " jne __afl_setup_abort\n"
	+ "\n"
	+ " /* Simple inlined atoi. */\n"
	+ " movl $0, %eax /* res=0 */\n"
	+ " movq %rsp, %rdi /* load ptr */\n"
	+ " movzbl (%rdi), %edx /* ptr /\n"
	+ " testb %dl, %dl /* NUL? */\n"
	+ " je 2f\n"
	+ "\n"
	+ "1:\n"
	+ " leal (%rax,%rax,4), %eax /* res=5 /\n"
	+ " leal -0x30(%rdx,%rax,2), %eax /* ptr - '0' + 2res */\n"
	+ " add $1, %rdi /* ptr++ */\n"
	+ " movzbl (%rdi), %edx /* ptr /\n"
	+ " testb %dl, %dl /* NUL? */\n"
	+ " jne 1b\n"
	+ "\n"
	+ "2:\n"
	+ " addq $32, %rsp\n"
	+#else
	CALL_L64("getenv")
	"\n"
	" testq %rax, %rax\n"
	@@ -501,11 +528,18 @@
	"\n"
	" movq %rax, %rdi\n"
	CALL_L64("atoi")
	+#endif
	"\n"
	" xorq %rdx, %rdx /* shmat flags */\n"
	" xorq %rsi, %rsi /* requested addr */\n"
	" movq %rax, %rdi /* SHM ID */\n"
	+#ifdef __NetBSD__
	+ " movl $228, %eax /* SYS_shmat */\n"
	+ " syscall\n"
	+ " jb __afl_setup_abort\n"
	+#else
	CALL_L64("shmat")
	+#endif
	"\n"
	" cmpq $-1, %rax\n"
	" je __afl_setup_abort\n"
	@@ -539,7 +573,13 @@
	" movq $4, %rdx /* length */\n"
	" leaq __afl_temp(%rip), %rsi /* data */\n"
	" movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
	+#ifdef __NetBSD__
	+ " movl $4, %eax /* SYS_write */\n"
	+ " syscall\n"
	+ " jb __afl_fork_resume\n"
	+#else
	CALL_L64("write")
	+#endif
	"\n"
	" cmpq $4, %rax\n"
	" jne __afl_fork_resume\n"
	@@ -551,7 +591,13 @@
	" movq $4, %rdx /* length */\n"
	" leaq __afl_temp(%rip), %rsi /* data */\n"
	" movq $" STRINGIFY(FORKSRV_FD) ", %rdi /* file desc */\n"
	+#ifdef __NetBSD__
	+ " movl $3, %eax /* SYS_read */\n"
	+ " syscall\n"
	+ " jb __afl_die\n"
	+#else
	CALL_L64("read")
	+#endif
	" cmpq $4, %rax\n"
	" jne __afl_die\n"
	"\n"
	@@ -560,7 +606,15 @@
	" caches getpid() results and offers no way to update the value, breaking\n"
	" abort(), raise(), and a bunch of other things :-( */\n"
	"\n"
	+#ifdef __NetBSD__
	+ " movl $2, %eax /* SYS_fork */\n"
	+ " syscall\n"
	+ " jb __afl_die\n"
	+ " decl %edx /* fork.S: from 1 to 0 in child, 0 to -1 in parent */\n"
	+ " andl %edx,%eax\n"
	+#else
	CALL_L64("fork")
	+#endif
	" cmpq $0, %rax\n"
	" jl __afl_die\n"
	" je __afl_fork_resume\n"
	@@ -572,12 +626,24 @@
	" movq $4, %rdx /* length */\n"
	" leaq __afl_fork_pid(%rip), %rsi /* data */\n"
	" movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
	+#ifdef __NetBSD__
	+ " movl $4, %eax /* SYS_write */\n"
	+ " syscall\n"
	+#else
	CALL_L64("write")
	+#endif
	"\n"
	" movq $0, %rdx /* no flags */\n"
	" leaq __afl_temp(%rip), %rsi /* status */\n"
	" movq __afl_fork_pid(%rip), %rdi /* PID */\n"
	+#ifdef __NetBSD__
	+ " movl $7, %eax /* SYS_compat_50_wait4 */\n"
	+ " movq $0, %r10 /* rusage argument is NULL */\n"
	+ " syscall\n"
	+ " jb __afl_die\n"
	+#else
	CALL_L64("waitpid")
	+#endif
	" cmpq $0, %rax\n"
	" jle __afl_die\n"
	"\n"
	@@ -586,7 +652,12 @@
	" movq $4, %rdx /* length */\n"
	" leaq __afl_temp(%rip), %rsi /* data */\n"
	" movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
	+#ifdef __NetBSD__
	+ " movl $4, %eax /* SYS_write */\n"
	+ " syscall\n"
	+#else
	CALL_L64("write")
	+#endif
	"\n"
	" jmp __afl_fork_wait_loop\n"
	"\n"
	@@ -595,10 +666,20 @@
	" /* In child process: close fds, resume execution. */\n"
	"\n"
	" movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n"
	+#ifdef __NetBSD__
	+ " movl $6, %eax /* SYS_close */\n"
	+ " syscall\n"
	+#else
	CALL_L64("close")
	+#endif
	"\n"
	" movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n"
	+#ifdef __NetBSD__
	+ " movl $6, %eax /* SYS_close */\n"
	+ " syscall\n"
	+#else
	CALL_L64("close")
	+#endif
	"\n"
	" popq %rdx\n"
	" popq %rdx\n"
	@@ -638,8 +719,13 @@
	"\n"
	"__afl_die:\n"
	"\n"
	+#ifdef __NetBSD__
	+ " movl $1, %eax /* SYS_exit */\n"
	+ " syscall\n"
	+#else
	" xorq %rax, %rax\n"
	CALL_L64("_exit")
	+#endif
	"\n"
	"__afl_setup_abort:\n"
	"\n"
	--- config.h.orig 2016-01-05 23:31:49.000000000 +0000
	+++ config.h 2016-01-05 23:34:29.000000000 +0000
	@@ -257,7 +257,7 @@

	/* Environment variable used to pass SHM ID to the called program. */

	-#define SHM_ENV_VAR "__AFL_SHM_ID"
	+#define SHM_ENV_VAR "RUMP__AFL_SHM_ID"

	/* Other less interesting, internal-only variables. */