An example of a domain-specific custom coverage for AFL++ QEMU mode. This patch provides feedback to the fuzzer when the return value of a syscall is negative (i.e. an error happened).
diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c | |
index 51cfa006..510e4cbf 100644 | |
--- a/linux-user/i386/cpu_loop.c | |
+++ b/linux-user/i386/cpu_loop.c | |
@@ -80,6 +80,8 @@ static void set_idt(int n, unsigned int dpl) | |
} | |
#endif | |
+#include "../patches/afl-qemu-common.h" | |
+ | |
void cpu_loop(CPUX86State *env) | |
{ | |
CPUState *cs = CPU(x86_env_get_cpu(env)); | |
@@ -106,6 +108,13 @@ void cpu_loop(CPUX86State *env) | |
env->regs[R_EDI], | |
env->regs[R_EBP], | |
0, 0); | |
+ | |
+ if (ret < 0) { | |
+ abi_ulong cur_loc = (env->eip >> 4) ^ (env->eip << 8); | |
+ cur_loc &= MAP_SIZE - 1; | |
+ INC_AFL_AREA(cur_loc); | |
+ } | |
+ | |
if (ret == -TARGET_ERESTARTSYS) { | |
env->eip -= 2; | |
} else if (ret != -TARGET_QEMU_ESIGRETURN) { | |
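Review bot: The `if (ret < 0)` guard fires on the two QEMU-internal pseudo-errnos that the very next lines special-case, `-TARGET_ERESTARTSYS` (syscall restart) and `-TARGET_QEMU_ESIGRETURN` (return from a signal frame), so the map is bumped on events that are not syscall errors and the "error happened" signal is diluted; the same applies to the identical block in the second hunk. The check should exclude them: `if (ret < 0 && ret != -TARGET_ERESTARTSYS && ret != -TARGET_QEMU_ESIGRETURN) {`. The declaration of `ret` is outside the hunk; if it is `abi_ulong` as in some versions of this cpu_loop, `ret < 0` is always false and the feedback never fires at all, so the comparison should be made on a signed view, `(abi_long)ret < 0`, whichever type it turns out to be. Since the block is pasted twice verbatim, a `static inline void afl_syscall_error_feedback(CPUX86State *env, abi_long ret)` next to the new `#include` would keep both call sites in sync. The enclosing `cpu_loop` body starts and ends outside the hunk.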
@@ -124,6 +133,13 @@ void cpu_loop(CPUX86State *env) | |
env->regs[8], | |
env->regs[9], | |
0, 0); | |
+ | |
+ if (ret < 0) { | |
+ abi_ulong cur_loc = (env->eip >> 4) ^ (env->eip << 8); | |
+ cur_loc &= MAP_SIZE - 1; | |
+ INC_AFL_AREA(cur_loc); | |
+ } | |
+ | |
if (ret == -TARGET_ERESTARTSYS) { | |
env->eip -= 2; | |
} else if (ret != -TARGET_QEMU_ESIGRETURN) { |