harness.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/mman.h>
/* Pattern the harness copies over the reserved brk region: first byte 'A'
 * (0x41), every other byte zero. It is 2047 KiB, i.e. 1 KiB short of the
 * 2 MiB that main() grows the brk by, so the copy stays inside that region. */
char to_write[2047 * 1024] = {'A'};
/* Start of the brk region reserved by main(); stays NULL until main() sets it. */
void *g_initial_brk = NULL;
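/* Byte of the fuzzer input selected by index i, wrapped modulo buf_size.
 * Caller guarantees buf_size > 0. */
static unsigned char input_byte(const void *buf, size_t buf_size, size_t i) {
    return ((const unsigned char *)buf)[i % buf_size];
}

/* Size of the i-th anonymous mapping: 1..10 pages of 4 KiB, derived from the
 * input. Used for both mmap() and munmap() so the two lengths always agree. */
static size_t mmap_region_size(const void *buf, size_t buf_size, size_t i) {
    return ((input_byte(buf, buf_size, i) % 10) + 1) * 4096;
}

/*
 * Exercise brk/heap movement and RWX mmap regions, steered by the fuzzer input.
 *
 * buf, buf_size: input bytes that choose the number of allocations, the brk
 *   moves, the allocation sizes and the mapping sizes. An empty input is a
 *   no-op (every index below is reduced modulo buf_size).
 *
 * Precondition: g_initial_brk points at a region of at least sizeof(to_write)
 * bytes that main() grew the brk over; while it is still NULL the overwrite
 * step is skipped rather than writing through a null pointer.
 *
 * Side effects: moves the program break, maps and executes a tiny x86-64
 * stub in PROT_EXEC pages (RWX is deliberate: the harness targets the
 * emulator's handling of self-modifying/RWX memory), and reports on stderr
 * if the break ends up below where it started.
 */
void LLVMFuzzerTestOneInput(void *buf, size_t buf_size) {
    /* Empty input would make every "% buf_size" divide by zero. */
    if (buf == NULL || buf_size == 0) {
        return;
    }
    // Record the brk at entry so a backwards move can be reported at the end.
    void *start_brk = sbrk(0);
    // Overwrite the snapshotted brk space so it will be restored at snapshot reset time.
    if (g_initial_brk != NULL) {
        memcpy(g_initial_brk, to_write, sizeof(to_write));
    }

    // Number of heap allocations: 50..149, chosen by the first input byte.
    size_t num_allocs = input_byte(buf, buf_size, 0) % 100 + 50;
    void **allocs = calloc(num_allocs, sizeof *allocs);
    if (allocs == NULL) {
        return; // nothing has been allocated yet, so there is nothing to undo
    }
    for (size_t i = 0; i < num_allocs; i++) {
        // Move the brk by up to 49 KiB, forwards on every third iteration and
        // backwards on every remaining fifth one. sbrk() failure is tolerated:
        // the point is only to provoke the emulator, not to rely on the result.
        if (i % 3 == 0) {
            (void)sbrk(1024 * (input_byte(buf, buf_size, i) % 50));
        } else if (i % 5 == 0) {
            (void)sbrk(-1024 * (input_byte(buf, buf_size, i) % 50));
        }
        // Allocation size between 1 and 4096 bytes.
        size_t size = input_byte(buf, buf_size, i) % 4096 + 1;
        allocs[i] = malloc(size);
        if (allocs[i] != NULL) {
            // Fill the block with input-derived bytes so the pages are really touched.
            unsigned char *block = allocs[i];
            for (size_t j = 0; j < size; j++) {
                block[j] = input_byte(buf, buf_size, i + j);
            }
        }
    }
    // Free the allocations (free(NULL) is a no-op for the ones that failed).
    for (size_t i = 0; i < num_allocs; i++) {
        free(allocs[i]);
    }
    free(allocs);

    // Number of anonymous mappings: 10..29, chosen by the second input byte.
    size_t num_mmaps = input_byte(buf, buf_size, 1) % 20 + 10;
    void **mmaps = calloc(num_mmaps, sizeof *mmaps);
    if (mmaps == NULL) {
        return;
    }
    for (size_t i = 0; i < num_mmaps; i++) {
        size_t size = mmap_region_size(buf, buf_size, i);
        mmaps[i] = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (mmaps[i] == MAP_FAILED) {
            continue;
        }
#if defined(__x86_64__)
        // Write and execute a trivial function in the RWX page:
        //   xor rax, rax ; inc rax ; ret
        // This is x86-64 machine code, so it is only run when built for x86-64.
        static const unsigned char code[] = {
            0x48, 0x31, 0xC0,
            0x48, 0xFF, 0xC0,
            0xC3
        };
        memcpy(mmaps[i], code, sizeof(code));
        void (*func)(void) = (void (*)(void))mmaps[i];
        func();
#else
        // No matching code bytes for this target; just touch the page.
        memset(mmaps[i], 0, size);
#endif
    }
    // TODO: Add more operations with mmaps, for example RWX regions that jump to each other and get overwritten meanwhile
    // This would help testing the TB->edge caching and the general handling of RWX regions in QEMU

    // Unmap the regions, recomputing each size the same way it was mapped.
    for (size_t i = 0; i < num_mmaps; i++) {
        if (mmaps[i] != MAP_FAILED) {
            munmap(mmaps[i], mmap_region_size(buf, buf_size, i));
        }
    }
    free(mmaps);

    void *end_brk = sbrk(0);
    // Compare as integers: relational operators on pointers to different objects
    // are undefined in C, and (void *)-1 marks an sbrk() failure, not an address.
    if (start_brk != (void *)-1 && end_brk != (void *)-1 &&
        (uintptr_t)end_brk < (uintptr_t)start_brk) {
        fprintf(stderr, "[TARGET] brk moved backwards. Snapshotted brk %#lx, new brk %#lx\n",
                (unsigned long)start_brk, (unsigned long)end_brk);
    }
}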
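/*
 * Stand-alone driver: snapshots the initial brk, grows the break by 2 MiB so
 * LLVMFuzzerTestOneInput() has a region to overwrite, then runs the harness
 * once on a pseudo-random 1 KiB input.
 *
 * Returns 0 on success, EXIT_FAILURE if the break could not be grown — in
 * that case the harness must not run, since it would memcpy() sizeof(to_write)
 * bytes past the current break.
 */
int main(void) {
    // Get the initial brk; the harness later overwrites the region starting here.
    void *initial_brk = sbrk(0);
    fprintf(stderr, "[TARGET] Initial brk: %p\n", initial_brk);
    // Increment the brk by 2 MiB. sbrk() reports failure as (void *)-1, which
    // must be checked before g_initial_brk is published to the harness.
    if (initial_brk == (void *)-1 || sbrk(1024 * 2048) == (void *)-1) {
        fprintf(stderr, "[TARGET] sbrk failed, cannot reserve the scratch brk region\n");
        return EXIT_FAILURE;
    }
    g_initial_brk = initial_brk;
    // Fill dummy_buffer with pseudo-random bytes. Seeding from the clock makes
    // every run differ; substitute a fixed seed to reproduce a given run.
    unsigned char dummy_buffer[1024];
    srand((unsigned int)time(NULL));
    for (size_t i = 0; i < sizeof(dummy_buffer); i++) {
        dummy_buffer[i] = (unsigned char)(rand() % 256);
    }
    // Run the harness once on the generated input.
    LLVMFuzzerTestOneInput(dummy_buffer, sizeof(dummy_buffer));
    // Print the final brk so a drift relative to the initial one is visible.
    void *final_brk = sbrk(0);
    fprintf(stderr, "[TARGET] Final brk: %p\n", final_brk);
    return 0;
}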