/*
   american fuzzy lop++ - injectable parts
   ---------------------------------------

   Originally written by Michal Zalewski

   Now maintained by Marc Heuse <[email protected]>,
                     Heiko Eißfeldt <[email protected]>,
                     Andrea Fioraldi <[email protected]>,
                     Dominik Maier <[email protected]>

   Copyright 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

   This file houses the assembly-level instrumentation injected into fuzzed
   programs. The instrumentation stores XORed pairs of data: identifiers of the
   currently executing branch and the one that executed immediately before.

   TL;DR: the instrumentation does shm_trace_map[cur_loc ^ prev_loc]++

   The code is designed for 32-bit and 64-bit x86 systems. Both modes should
   work everywhere except for Apple systems. Apple does relocations differently
   from everybody else, so since their OSes have been 64-bit for a longer while,
   I didn't go through the mental effort of porting the 32-bit code.

   In principle, similar code should be easy to inject into any well-behaved
   binary-only code (e.g., using DynamoRIO). Conditional jumps offer natural
   targets for instrumentation, and should offer comparable probe density.

 */

#ifndef _HAVE_AFL_AS_H
#define _HAVE_AFL_AS_H

#include "config.h"
#include "types.h"

/*
   ------------------
   Performance notes
   ------------------

   Contributions to make this code faster are appreciated! Here are some
   rough notes that may help with the task:

   - Only the trampoline_fmt and the non-setup __afl_maybe_log code paths are
     really worth optimizing; the setup / fork server stuff matters a lot less
     and should be mostly just kept readable.

   - We're aiming for modern CPUs with out-of-order execution and large
     pipelines; the code mostly follows intuitive, human-readable
     instruction ordering, because "textbook" manual reorderings make no
     substantial difference.

   - Interestingly, instrumented execution isn't a lot faster if we store a
     variable pointer to the setup, log, or return routine and then do a reg
     call from within trampoline_fmt. It does speed up non-instrumented
     execution quite a bit, though, since that path just becomes
     push-call-ret-pop.

   - There is also not a whole lot to be gained by doing SHM attach at a
     fixed address instead of retrieving __afl_area_ptr. Although it allows us
     to have a shorter log routine inserted for conditional jumps and jump
     labels (for a ~10% perf gain), there is a risk of bumping into other
     allocations created by the program or by tools such as ASAN.

   - popf is *awfully* slow, which is why we're doing the lahf / sahf +
     overflow test trick. Unfortunately, this forces us to taint eax / rax, but
     this dependency on a commonly-used register still beats the alternative of
     using pushf / popf.

     One possible optimization is to avoid touching flags by using a circular
     buffer that stores just a sequence of current locations, with the XOR stuff
     happening offline. Alas, this doesn't seem to have a huge impact:

     https://groups.google.com/d/msg/afl-users/MsajVf4fRLo/2u6t88ntUBIJ

   - Preforking one child a bit sooner, and then waiting for the "go" command
     from within the child, doesn't offer major performance gains; fork() seems
     to be relatively inexpensive these days. Preforking multiple children does
     help, but badly breaks the "~1 core per fuzzer" design, making it harder to
     scale up. Maybe there is some middle ground.
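
   The fork server protocol that the preforking notes above refer to is the
   one implemented in assembly by __afl_forkserver / __afl_fork_wait_loop in
   main_payload_32 further down. The C model below is an added illustration,
   not part of afl-as.h and not how the project itself implements the
   server: it runs both ends of the protocol over two pipes, so the 4-byte
   hello, "go" command, PID and wait status messages can be followed in plain
   C. All demo_* names are constructed for this illustration; the pipe ends
   stand in for FORKSRV_FD (commands in) and FORKSRV_FD + 1 (reports out),
   and demo_target stands in for the instrumented program's main(), built so
   that runs 2 and 5 exit non-zero and run 4 aborts.

```c
#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical stand-in for the instrumented program's main(): each "go"
// command runs it once in a fresh fork. Constructed so that runs 2 and 5
// exit non-zero and run 4 aborts, giving the driver one of each outcome.
static int demo_target(int run) {
  if (run == 4) abort();
  return (run % 3 == 2) ? 7 : 0;
}

// Child side, modelled on __afl_forkserver / __afl_fork_wait_loop in
// main_payload_32: ctl_fd plays FORKSRV_FD (commands from the fuzzer),
// st_fd plays FORKSRV_FD + 1 (hello, PID and wait status back to it).
static int demo_forkserver(int ctl_fd, int st_fd, int (*target)(int)) {
  uint32_t tmp = 0;
  int run = 0;
  // "Phone home": a 4-byte hello. If it cannot be delivered, the fd is not
  // wired up, so behave like __afl_fork_resume and just run the program.
  if (write(st_fd, &tmp, 4) != 4) return target(run);
  for (;;) {
    // Block until the fuzzer sends 4 bytes; EOF or a short read is __afl_die.
    if (read(ctl_fd, &tmp, 4) != 4) _exit(0);
    pid_t pid = fork();
    if (pid < 0) _exit(0);
    if (pid == 0) {
      // __afl_fork_resume: the child drops the pipe ends and runs the target.
      close(ctl_fd);
      close(st_fd);
      _exit(target(run));
    }
    // Parent: report the PID, reap the child, relay its wait status.
    uint32_t pid32 = (uint32_t)pid;
    if (write(st_fd, &pid32, 4) != 4) _exit(0);
    int status = 0;
    if (waitpid(pid, &status, 0) <= 0) _exit(0);
    uint32_t st32 = (uint32_t)status;
    if (write(st_fd, &st32, 4) != 4) _exit(0);
    run++;
  }
}

typedef struct { int ok, nonzero, crashed; } demo_stats;

// Fuzzer side: spawn the server once, then request n_runs executions over
// the two pipes and classify each wait status the way a fuzzer would.
static demo_stats demo_drive_forkserver(int n_runs, int (*target)(int)) {
  demo_stats s = {0, 0, 0};
  int ctl[2], st[2];
  if (pipe(ctl) != 0 || pipe(st) != 0) { s.ok = -1; return s; }
  pid_t srv = fork();
  if (srv < 0) { s.ok = -1; return s; }
  if (srv == 0) {
    close(ctl[1]);
    close(st[0]);
    _exit(demo_forkserver(ctl[0], st[1], target));
  }
  close(ctl[0]);
  close(st[1]);
  uint32_t tmp = 0;
  if (read(st[0], &tmp, 4) != 4) { s.ok = -1; return s; }  // the hello
  for (int i = 0; i < n_runs; i++) {
    uint32_t pid32, st32;
    if (write(ctl[1], &tmp, 4) != 4) break;                // "go"
    if (read(st[0], &pid32, 4) != 4) break;
    if (read(st[0], &st32, 4) != 4) break;
    int status = (int)st32;
    if (WIFSIGNALED(status)) s.crashed++;
    else if (WIFEXITED(status) && WEXITSTATUS(status) == 0) s.ok++;
    else s.nonzero++;
  }
  close(ctl[1]);   // EOF on the control pipe makes the server's read fail
  close(st[0]);
  waitpid(srv, NULL, 0);
  return s;
}
```

   Note what the status relay buys the fuzzer: because the server reaps the
   child and forwards the raw wait status, the driver can distinguish a clean
   exit from a non-zero exit and from a signal-terminated (crashing) run
   without ever calling execve() again, which is the whole point of the
   design. The real server has no "run" counter; that is only here so the
   constructed target can produce each outcome deterministically.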

   Perhaps of note: in the 64-bit version for all platforms except for Apple,
   the instrumentation is done slightly differently than on 32-bit, with
   __afl_prev_loc and __afl_area_ptr being local to the object file (.lcomm),
   rather than global (.comm). This is to avoid GOTRELPC lookups in the critical
   code path, which AFAICT, are otherwise unavoidable if we want gcc -shared to
   work; simple relocations between .bss and .text won't work on most 64-bit
   platforms in such a case.

   (Fun fact: on Apple systems, .lcomm can segfault the linker.)

   The side effect is that state transitions are measured in a somewhat
   different way, with the previous tuple being recorded separately within the
   scope of every .c file. This should have no impact in any practical sense.

   Another side effect of this design is that getenv() will be called once per
   every .o file when running in non-instrumented mode; and since getenv() tends
   to be optimized in funny ways, we need to be very careful to save every
   oddball register it may touch.
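
   To make the shm_trace_map[cur_loc ^ prev_loc]++ summary and the prev_loc
   handling concrete, here is a C model of what the __afl_store path below
   computes, in all three of its build-time variants (the default edge
   counters, COVERAGE_ONLY and SKIP_COUNTS). It is an added illustration, not
   part of afl-as.h and not the project's own code: the asm operates on a
   shared memory region and on the __afl_prev_loc variable, while this model
   keeps both in a struct. All demo_* names are constructed, and the 64 KiB
   DEMO_MAP_SIZE is a value chosen for the illustration rather than the
   MAP_SIZE that config.h defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Constructed for this example: a 64 KiB map. The real size is MAP_SIZE
// from config.h.
#define DEMO_MAP_SIZE (1u << 16)

// The three build-time variants selected by the preprocessor in afl-as.h.
enum demo_mode {
  DEMO_EDGE_COUNTS,    // default: edge index, addb/adcb never-zero counter
  DEMO_COVERAGE_ONLY,  // COVERAGE_ONLY: index on cur_loc alone, no prev_loc
  DEMO_SKIP_COUNTS     // SKIP_COUNTS: orb $1, the slot is a hit bit only
};

typedef struct {
  uint8_t  map[DEMO_MAP_SIZE];  // stands in for the region at __afl_area_ptr
  uint32_t prev_loc;            // stands in for __afl_prev_loc
  enum demo_mode mode;
} demo_trace_t;

static void demo_trace_init(demo_trace_t *t, enum demo_mode mode) {
  memset(t, 0, sizeof *t);
  t->mode = mode;
}

// addb $1, slot ; adcb $0, slot -- the byte wraps 255 -> 0 with the carry
// flag set, and the adcb folds that carry back in, so a slot that was ever
// hit never reads 0 again (255 becomes 1, not 0).
static uint8_t demo_bump(uint8_t v) {
  uint8_t sum = (uint8_t)(v + 1);
  uint8_t carry = (sum < v) ? 1 : 0;
  return (uint8_t)(sum + carry);
}

// One call of __afl_maybe_log for the block whose random id is cur_loc.
// Returns the map slot that was updated.
static uint32_t demo_log_edge(demo_trace_t *t, uint32_t cur_loc) {
  uint32_t idx;
  if (t->mode == DEMO_COVERAGE_ONLY) {
    idx = cur_loc;                      // movl %ecx, %edi
  } else {
    idx = cur_loc ^ t->prev_loc;        // xorl %ecx, %edi
    t->prev_loc = cur_loc >> 1;         // shrl $1, %ecx ; movl %ecx, __afl_prev_loc
  }
  // afl-as draws cur_loc from [0, MAP_SIZE), so the XOR stays in range and
  // the asm does no masking; the mask here only guards this example's inputs.
  idx &= DEMO_MAP_SIZE - 1;
  if (t->mode == DEMO_SKIP_COUNTS) {
    t->map[idx] |= 1;                   // orb $1, (%edx, %edi, 1)
  } else {
    t->map[idx] = demo_bump(t->map[idx]);
  }
  return idx;
}

// Replay a sequence of block ids and return how many distinct slots are set.
static size_t demo_run_path(demo_trace_t *t, const uint32_t *locs, size_t n) {
  size_t hit = 0;
  for (size_t i = 0; i < n; i++) demo_log_edge(t, locs[i]);
  for (size_t i = 0; i < DEMO_MAP_SIZE; i++) hit += (t->map[i] != 0);
  return hit;
}
```

   Two things the model makes visible that the asm does not spell out: the
   shift of prev_loc by one bit is what keeps A -> B and B -> A in different
   slots and keeps a tight self-loop A -> A out of slot 0 (it lands on
   A ^ (A >> 1) instead), and the never-zero counter means a fuzzer reading
   the map can trust "slot is 0" to mean "edge never taken", even for an edge
   hit a multiple of 256 times.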

 */

static const u8 *trampoline_fmt_32 =

    "\n"
    "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
    "\n"
    ".align 4\n"
    "\n"
    "leal -16(%%esp), %%esp\n"
    "movl %%edi,  0(%%esp)\n"
    "movl %%edx,  4(%%esp)\n"
    "movl %%ecx,  8(%%esp)\n"
    "movl %%eax, 12(%%esp)\n"
    "movl $0x%08x, %%ecx\n"
    "call __afl_maybe_log\n"
    "movl 12(%%esp), %%eax\n"
    "movl  8(%%esp), %%ecx\n"
    "movl  4(%%esp), %%edx\n"
    "movl  0(%%esp), %%edi\n"
    "leal 16(%%esp), %%esp\n"
    "\n"
    "/* --- END --- */\n"
    "\n";

static const u8 *trampoline_fmt_64 =

    "\n"
    "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
    "\n"
    ".align 4\n"
    "\n"
    "leaq -(128+24)(%%rsp), %%rsp\n"
    "movq %%rdx,  0(%%rsp)\n"
    "movq %%rcx,  8(%%rsp)\n"
    "movq %%rax, 16(%%rsp)\n"
    "movq $0x%08x, %%rcx\n"
    "call __afl_maybe_log\n"
    "movq 16(%%rsp), %%rax\n"
    "movq  8(%%rsp), %%rcx\n"
    "movq  0(%%rsp), %%rdx\n"
    "leaq (128+24)(%%rsp), %%rsp\n"
    "\n"
    "/* --- END --- */\n"
    "\n";

static const u8 *main_payload_32 =

    "\n"
    "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"
    "\n"
    ".text\n"
    ".att_syntax\n"
    ".code32\n"
    ".align 8\n"
    "\n"

    "__afl_maybe_log:\n"
    "\n"
    "  lahf\n"
    "  seto %al\n"
    "\n"
    "  /* Check if SHM region is already mapped. */\n"
    "\n"
    "  movl  __afl_area_ptr, %edx\n"
    "  testl %edx, %edx\n"
    "  je    __afl_setup\n"
    "\n"
    "__afl_store:\n"
    "\n"
    "  /* Calculate and store hit for the code location specified in ecx. There\n"
    "     is a double-XOR way of doing this without tainting another register,\n"
    "     and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n"
    "\n"
#ifndef COVERAGE_ONLY
    "  movl __afl_prev_loc, %edi\n"
    "  xorl %ecx, %edi\n"
    "  shrl $1, %ecx\n"
    "  movl %ecx, __afl_prev_loc\n"
#else
    "  movl %ecx, %edi\n"
#endif /* ^!COVERAGE_ONLY */
    "\n"
#ifdef SKIP_COUNTS
    "  orb  $1, (%edx, %edi, 1)\n"
#else
    "  addb $1, (%edx, %edi, 1)\n"
    "  adcb $0, (%edx, %edi, 1)\n"  // never zero counter implementation. slightly better path discovery and little performance impact
#endif /* ^SKIP_COUNTS */
    "\n"
    "__afl_return:\n"
    "\n"
    "  addb $127, %al\n"
    "  sahf\n"
    "  ret\n"
    "\n"
    ".align 8\n"
    "\n"
    "__afl_setup:\n"
    "\n"
    "  /* Do not retry setup if we had previous failures. */\n"
    "\n"
    "  cmpb $0, __afl_setup_failure\n"
    "  jne  __afl_return\n"
    "\n"
    "  /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n"
    "     We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n"
    "     will notice this early in the game. */\n"
    "\n"
    "  pushl %eax\n"
    "  pushl %ecx\n"
    "\n"
    "  pushl $.AFL_SHM_ENV\n"
    "  call  getenv\n"
    "  addl  $4, %esp\n"
    "\n"
    "  testl %eax, %eax\n"
    "  je    __afl_setup_abort\n"
    "\n"
#ifdef USEMMAP
    "  pushl $384        /* shm_open mode 0600 */\n"
    "  pushl $2          /* flags O_RDWR   */\n"
    "  pushl %eax        /* SHM file path  */\n"
    "  call  shm_open\n"
    "  addl  $12, %esp\n"
    "\n"
    "  cmpl $-1, %eax\n"
    "  je   __afl_setup_abort\n"
    "\n"
    "  pushl $0          /* mmap off       */\n"
    "  pushl %eax        /* shm fd         */\n"
    "  pushl $1          /* mmap flags     */\n"
    "  pushl $3          /* mmap prot      */\n"
    "  pushl $"STRINGIFY(MAP_SIZE)" /* mmap len */\n"
    "  pushl $0          /* mmap addr      */\n"
    "  call  mmap\n"
    "  addl  $24, %esp   /* six 4-byte args were pushed above */\n"
    "\n"
    "  cmpl $-1, %eax\n"
    "  je   __afl_setup_abort\n"
    "\n"
#else
    "  pushl %eax\n"
    "  call  atoi\n"
    "  addl  $4, %esp\n"
    "\n"
    "  pushl $0          /* shmat flags    */\n"
    "  pushl $0          /* requested addr */\n"
    "  pushl %eax        /* SHM ID         */\n"
    "  call  shmat\n"
    "  addl  $12, %esp\n"
    "\n"
    "  cmpl $-1, %eax\n"
    "  je   __afl_setup_abort\n"
    "\n"
#endif
    "  movb $1, (%eax)\n"
    "  /* Store the address of the SHM region. */\n"
    "\n"
    "  movl %eax, __afl_area_ptr\n"
    "  movl %eax, %edx\n"
    "\n"
    "  popl %ecx\n"
    "  popl %eax\n"
    "\n"
    "__afl_forkserver:\n"
    "\n"
    "  /* Enter the fork server mode to avoid the overhead of execve() calls. */\n"
    "\n"
    "  pushl %eax\n"
    "  pushl %ecx\n"
    "  pushl %edx\n"
    "\n"
    "  /* Phone home and tell the parent that we're OK. (Note that signals with\n"
    "     no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
    "     closed because we were execve()d from an instrumented binary, or because\n"
    "     the parent doesn't want to use the fork server. */\n"
    "\n"
    "  pushl $4          /* length    */\n"
    "  pushl $__afl_temp /* data      */\n"
    "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "  /* file desc */\n"
    "  call  write\n"
    "  addl  $12, %esp\n"
    "\n"
    "  cmpl  $4, %eax\n"
    "  jne   __afl_fork_resume\n"
    "\n"
    "__afl_fork_wait_loop:\n"
    "\n"
    "  /* Wait for parent by reading from the pipe. Abort if read fails. */\n"
    "\n"
    "  pushl $4          /* length    */\n"
    "  pushl $__afl_temp /* data      */\n"
    "  pushl $" STRINGIFY(FORKSRV_FD) "        /* file desc */\n"
    "  call  read\n"
    "  addl  $12, %esp\n"
    "\n"
    "  cmpl  $4, %eax\n"
    "  jne   __afl_die\n"
    "\n"
    "  /* Once woken up, create a clone of our process. This is an excellent use\n"
    "     case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
    "     caches getpid() results and offers no way to update the value, breaking\n"
    "     abort(), raise(), and a bunch of other things :-( */\n"
    "\n"
    "  call fork\n"
    "\n"
    "  cmpl $0, %eax\n"
    "  jl   __afl_die\n"
    "  je   __afl_fork_resume\n"
    "\n"
    "  /* In parent process: write PID to pipe, then wait for child. */\n"
    "\n"
    "  movl  %eax, __afl_fork_pid\n"
    "\n"
    "  pushl $4              /* length    */\n"
    "  pushl $__afl_fork_pid /* data      */\n"
    "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "      /* file desc */\n"
    "  call  write\n"
    "  addl  $12, %esp\n"
    "\n"
    "  pushl $0             /* no flags  */\n"
    "  pushl $__afl_temp    /* status    */\n"
    "  pushl __afl_fork_pid /* PID       */\n"
    "  call  waitpid\n"
    "  addl  $12, %esp\n"
    "\n"
    "  cmpl  $0, %eax\n"
    "  jle   __afl_die\n"
    "\n"
    "  /* Relay wait status to pipe, then loop back. */\n"
    "\n"
    "  pushl $4          /* length    */\n"
    "  pushl $__afl_temp /* data      */\n"
    "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "  /* file desc */\n"
    "  call  write\n"
    "  addl  $12, %esp\n"
    "\n"
    "  jmp __afl_fork_wait_loop\n"
    "\n"
    "__afl_fork_resume:\n"
    "\n"
    "  /* In child process: close fds, resume execution. */\n"
    "\n"
    "  pushl $" STRINGIFY(FORKSRV_FD) "\n"
    "  call  close\n"
    "\n"
    "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "\n"
    "  call  close\n"
    "\n"
    "  addl  $8, %esp\n"
    "\n"
    "  popl %edx\n"
    "  popl %ecx\n"
    "  popl %eax\n"
    "  jmp  __afl_store\n"
    "\n"
    "__afl_die:\n"
    "\n"
    "  pushl $0          /* exit status; cdecl passes it on the stack */\n"
    "  call  _exit\n"
    "\n"
    "__afl_setup_abort:\n"
    "\n"
    "  /* Record setup failure so that we don't keep calling\n"
    "     shmget() / shmat() over and over again. */\n"
    "\n"
    "  incb __afl_setup_failure\n"
    "  popl %ecx\n"
    "  popl %eax\n"
    "  jmp __afl_return\n"
    "\n"
    ".AFL_VARS:\n"
    "\n"
    "  .comm   __afl_area_ptr, 4, 32\n"
    "  .comm   __afl_setup_failure, 1, 32\n"
#ifndef COVERAGE_ONLY
    "  .comm   __afl_prev_loc, 4, 32\n"
#endif /* !COVERAGE_ONLY */
    "  .comm   __afl_final_loc, 4, 32\n"
    "  .comm   __afl_fork_pid, 4, 32\n"
    "  .comm   __afl_temp, 4, 32\n"
    "\n"
    ".AFL_SHM_ENV:\n"
    "  .asciz \"" SHM_ENV_VAR "\"\n"
    "\n"
    "/* --- END --- */\n"
    "\n";

/* The OpenBSD hack is due to lahf and sahf not being recognized by some
   versions of binutils: https://marc.info/?l=openbsd-cvs&m=141636589924400

   The Apple code is a bit different when calling libc functions because
   they are doing relocations differently from everybody else. We also need
   to work around the crash issue with .lcomm and the fact that they don't
   recognize .string. */

#ifdef __APPLE__
  #define CALL_L64(str) "call _" str "\n"
#else
  #define CALL_L64(str) "call " str "@PLT\n"
#endif /* ^__APPLE__ */

static const u8 *main_payload_64 =

    "\n"
    "/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n"
    "\n"
    ".text\n"
    ".att_syntax\n"
    ".code64\n"
    ".align 8\n"
    "\n"
    "__afl_maybe_log:\n"
    "\n"
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
    "  .byte 0x9f /* lahf */\n"
#else
    "  lahf\n"
#endif /* ^__OpenBSD__, etc */
    "  seto  %al\n"
    "\n"
    "  /* Check if SHM region is already mapped. */\n"
    "\n"
    "  movq  __afl_area_ptr(%rip), %rdx\n"
    "  testq %rdx, %rdx\n"
    "  je    __afl_setup\n"
    "\n"
    "__afl_store:\n"
    "\n"
    "  /* Calculate and store hit for the code location specified in rcx. */\n"
    "\n"
#ifndef COVERAGE_ONLY
    "  xorq __afl_prev_loc(%rip), %rcx\n"
    "  xorq %rcx, __afl_prev_loc(%rip)\n"
    "  shrq $1, __afl_prev_loc(%rip)\n"
#endif /* ^!COVERAGE_ONLY */
    "\n"
#ifdef SKIP_COUNTS
    "  orb  $1, (%rdx, %rcx, 1)\n"
#else
    "  addb $1, (%rdx, %rcx, 1)\n"
    "  adcb $0, (%rdx, %rcx, 1)\n"  // never zero counter implementation. slightly better path discovery and little performance impact
#endif /* ^SKIP_COUNTS */
    "\n"
    "__afl_return:\n"
    "\n"
    "  addb $127, %al\n"
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
    "  .byte 0x9e /* sahf */\n"
#else
    "  sahf\n"
#endif /* ^__OpenBSD__, etc */
    "  ret\n"
    "\n"
    ".align 8\n"
    "\n"
    "__afl_setup:\n"
    "\n"
    "  /* Do not retry setup if we had previous failures. */\n"
    "\n"
    "  cmpb $0, __afl_setup_failure(%rip)\n"
    "  jne  __afl_return\n"
    "\n"
    "  /* Check out if we have a global pointer on file. */\n"
    "\n"
#ifndef __APPLE__
    "  movq  __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
    "  movq  (%rdx), %rdx\n"
#else
    "  movq  __afl_global_area_ptr(%rip), %rdx\n"
#endif /* !^__APPLE__ */
    "  testq %rdx, %rdx\n"
    "  je    __afl_setup_first\n"
    "\n"
    "  movq %rdx, __afl_area_ptr(%rip)\n"
    "  jmp  __afl_store\n"
    "\n"
    "__afl_setup_first:\n"
    "\n"
    "  /* Save everything that is not yet saved and that may be touched by\n"
    "     getenv() and several other libcalls we'll be relying on.
*/\n" 491*08b48e0bSAndroid Build Coastguard Worker "\n" 492*08b48e0bSAndroid Build Coastguard Worker " leaq -352(%rsp), %rsp\n" 493*08b48e0bSAndroid Build Coastguard Worker "\n" 494*08b48e0bSAndroid Build Coastguard Worker " movq %rax, 0(%rsp)\n" 495*08b48e0bSAndroid Build Coastguard Worker " movq %rcx, 8(%rsp)\n" 496*08b48e0bSAndroid Build Coastguard Worker " movq %rdi, 16(%rsp)\n" 497*08b48e0bSAndroid Build Coastguard Worker " movq %rsi, 32(%rsp)\n" 498*08b48e0bSAndroid Build Coastguard Worker " movq %r8, 40(%rsp)\n" 499*08b48e0bSAndroid Build Coastguard Worker " movq %r9, 48(%rsp)\n" 500*08b48e0bSAndroid Build Coastguard Worker " movq %r10, 56(%rsp)\n" 501*08b48e0bSAndroid Build Coastguard Worker " movq %r11, 64(%rsp)\n" 502*08b48e0bSAndroid Build Coastguard Worker "\n" 503*08b48e0bSAndroid Build Coastguard Worker " movq %xmm0, 96(%rsp)\n" 504*08b48e0bSAndroid Build Coastguard Worker " movq %xmm1, 112(%rsp)\n" 505*08b48e0bSAndroid Build Coastguard Worker " movq %xmm2, 128(%rsp)\n" 506*08b48e0bSAndroid Build Coastguard Worker " movq %xmm3, 144(%rsp)\n" 507*08b48e0bSAndroid Build Coastguard Worker " movq %xmm4, 160(%rsp)\n" 508*08b48e0bSAndroid Build Coastguard Worker " movq %xmm5, 176(%rsp)\n" 509*08b48e0bSAndroid Build Coastguard Worker " movq %xmm6, 192(%rsp)\n" 510*08b48e0bSAndroid Build Coastguard Worker " movq %xmm7, 208(%rsp)\n" 511*08b48e0bSAndroid Build Coastguard Worker " movq %xmm8, 224(%rsp)\n" 512*08b48e0bSAndroid Build Coastguard Worker " movq %xmm9, 240(%rsp)\n" 513*08b48e0bSAndroid Build Coastguard Worker " movq %xmm10, 256(%rsp)\n" 514*08b48e0bSAndroid Build Coastguard Worker " movq %xmm11, 272(%rsp)\n" 515*08b48e0bSAndroid Build Coastguard Worker " movq %xmm12, 288(%rsp)\n" 516*08b48e0bSAndroid Build Coastguard Worker " movq %xmm13, 304(%rsp)\n" 517*08b48e0bSAndroid Build Coastguard Worker " movq %xmm14, 320(%rsp)\n" 518*08b48e0bSAndroid Build Coastguard Worker " movq %xmm15, 336(%rsp)\n" 519*08b48e0bSAndroid Build Coastguard Worker "\n" 
520*08b48e0bSAndroid Build Coastguard Worker " /* Map SHM, jumping to __afl_setup_abort if something goes wrong. */\n" 521*08b48e0bSAndroid Build Coastguard Worker "\n" 522*08b48e0bSAndroid Build Coastguard Worker " /* The 64-bit ABI requires 16-byte stack alignment. We'll keep the\n" 523*08b48e0bSAndroid Build Coastguard Worker " original stack ptr in the callee-saved r12. */\n" 524*08b48e0bSAndroid Build Coastguard Worker "\n" 525*08b48e0bSAndroid Build Coastguard Worker " pushq %r12\n" 526*08b48e0bSAndroid Build Coastguard Worker " movq %rsp, %r12\n" 527*08b48e0bSAndroid Build Coastguard Worker " subq $16, %rsp\n" 528*08b48e0bSAndroid Build Coastguard Worker " andq $0xfffffffffffffff0, %rsp\n" 529*08b48e0bSAndroid Build Coastguard Worker "\n" 530*08b48e0bSAndroid Build Coastguard Worker " leaq .AFL_SHM_ENV(%rip), %rdi\n" 531*08b48e0bSAndroid Build Coastguard Worker CALL_L64("getenv") 532*08b48e0bSAndroid Build Coastguard Worker "\n" 533*08b48e0bSAndroid Build Coastguard Worker " testq %rax, %rax\n" 534*08b48e0bSAndroid Build Coastguard Worker " je __afl_setup_abort\n" 535*08b48e0bSAndroid Build Coastguard Worker "\n" 536*08b48e0bSAndroid Build Coastguard Worker #ifdef USEMMAP 537*08b48e0bSAndroid Build Coastguard Worker " movl $384, %edx /* shm_open mode 0600 */\n" 538*08b48e0bSAndroid Build Coastguard Worker " movl $2, %esi /* flags O_RDWR */\n" 539*08b48e0bSAndroid Build Coastguard Worker " movq %rax, %rdi /* SHM file path */\n" 540*08b48e0bSAndroid Build Coastguard Worker CALL_L64("shm_open") 541*08b48e0bSAndroid Build Coastguard Worker "\n" 542*08b48e0bSAndroid Build Coastguard Worker " cmpq $-1, %rax\n" 543*08b48e0bSAndroid Build Coastguard Worker " je __afl_setup_abort\n" 544*08b48e0bSAndroid Build Coastguard Worker "\n" 545*08b48e0bSAndroid Build Coastguard Worker " movl $0, %r9d\n" 546*08b48e0bSAndroid Build Coastguard Worker " movl %eax, %r8d\n" 547*08b48e0bSAndroid Build Coastguard Worker " movl $1, %ecx\n" 548*08b48e0bSAndroid Build Coastguard Worker 
" movl $3, %edx\n" 549*08b48e0bSAndroid Build Coastguard Worker " movl $"STRINGIFY(MAP_SIZE)", %esi\n" 550*08b48e0bSAndroid Build Coastguard Worker " movl $0, %edi\n" 551*08b48e0bSAndroid Build Coastguard Worker CALL_L64("mmap") 552*08b48e0bSAndroid Build Coastguard Worker "\n" 553*08b48e0bSAndroid Build Coastguard Worker " cmpq $-1, %rax\n" 554*08b48e0bSAndroid Build Coastguard Worker " je __afl_setup_abort\n" 555*08b48e0bSAndroid Build Coastguard Worker "\n" 556*08b48e0bSAndroid Build Coastguard Worker #else 557*08b48e0bSAndroid Build Coastguard Worker " movq %rax, %rdi\n" 558*08b48e0bSAndroid Build Coastguard Worker CALL_L64("atoi") 559*08b48e0bSAndroid Build Coastguard Worker "\n" 560*08b48e0bSAndroid Build Coastguard Worker " xorq %rdx, %rdx /* shmat flags */\n" 561*08b48e0bSAndroid Build Coastguard Worker " xorq %rsi, %rsi /* requested addr */\n" 562*08b48e0bSAndroid Build Coastguard Worker " movq %rax, %rdi /* SHM ID */\n" 563*08b48e0bSAndroid Build Coastguard Worker CALL_L64("shmat") 564*08b48e0bSAndroid Build Coastguard Worker "\n" 565*08b48e0bSAndroid Build Coastguard Worker " cmpq $-1, %rax\n" 566*08b48e0bSAndroid Build Coastguard Worker " je __afl_setup_abort\n" 567*08b48e0bSAndroid Build Coastguard Worker "\n" 568*08b48e0bSAndroid Build Coastguard Worker #endif 569*08b48e0bSAndroid Build Coastguard Worker " movb $1, (%rax)\n" 570*08b48e0bSAndroid Build Coastguard Worker " /* Store the address of the SHM region. 
*/\n" 571*08b48e0bSAndroid Build Coastguard Worker "\n" 572*08b48e0bSAndroid Build Coastguard Worker " movq %rax, %rdx\n" 573*08b48e0bSAndroid Build Coastguard Worker " movq %rax, __afl_area_ptr(%rip)\n" 574*08b48e0bSAndroid Build Coastguard Worker "\n" 575*08b48e0bSAndroid Build Coastguard Worker #ifdef __APPLE__ 576*08b48e0bSAndroid Build Coastguard Worker " movq %rax, __afl_global_area_ptr(%rip)\n" 577*08b48e0bSAndroid Build Coastguard Worker #else 578*08b48e0bSAndroid Build Coastguard Worker " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n" 579*08b48e0bSAndroid Build Coastguard Worker " movq %rax, (%rdx)\n" 580*08b48e0bSAndroid Build Coastguard Worker #endif /* ^__APPLE__ */ 581*08b48e0bSAndroid Build Coastguard Worker " movq %rax, %rdx\n" 582*08b48e0bSAndroid Build Coastguard Worker "\n" 583*08b48e0bSAndroid Build Coastguard Worker "__afl_forkserver:\n" 584*08b48e0bSAndroid Build Coastguard Worker "\n" 585*08b48e0bSAndroid Build Coastguard Worker " /* Enter the fork server mode to avoid the overhead of execve() calls. We\n" 586*08b48e0bSAndroid Build Coastguard Worker " push rdx (area ptr) twice to keep stack alignment neat. */\n" 587*08b48e0bSAndroid Build Coastguard Worker "\n" 588*08b48e0bSAndroid Build Coastguard Worker " pushq %rdx\n" 589*08b48e0bSAndroid Build Coastguard Worker " pushq %rdx\n" 590*08b48e0bSAndroid Build Coastguard Worker "\n" 591*08b48e0bSAndroid Build Coastguard Worker " /* Phone home and tell the parent that we're OK. (Note that signals with\n" 592*08b48e0bSAndroid Build Coastguard Worker " no SA_RESTART will mess it up). If this fails, assume that the fd is\n" 593*08b48e0bSAndroid Build Coastguard Worker " closed because we were execve()d from an instrumented binary, or because\n" 594*08b48e0bSAndroid Build Coastguard Worker " the parent doesn't want to use the fork server. 
*/\n" 595*08b48e0bSAndroid Build Coastguard Worker "\n" 596*08b48e0bSAndroid Build Coastguard Worker " movq $4, %rdx /* length */\n" 597*08b48e0bSAndroid Build Coastguard Worker " leaq __afl_temp(%rip), %rsi /* data */\n" 598*08b48e0bSAndroid Build Coastguard Worker " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" 599*08b48e0bSAndroid Build Coastguard Worker CALL_L64("write") 600*08b48e0bSAndroid Build Coastguard Worker "\n" 601*08b48e0bSAndroid Build Coastguard Worker " cmpq $4, %rax\n" 602*08b48e0bSAndroid Build Coastguard Worker " jne __afl_fork_resume\n" 603*08b48e0bSAndroid Build Coastguard Worker "\n" 604*08b48e0bSAndroid Build Coastguard Worker "__afl_fork_wait_loop:\n" 605*08b48e0bSAndroid Build Coastguard Worker "\n" 606*08b48e0bSAndroid Build Coastguard Worker " /* Wait for parent by reading from the pipe. Abort if read fails. */\n" 607*08b48e0bSAndroid Build Coastguard Worker "\n" 608*08b48e0bSAndroid Build Coastguard Worker " movq $4, %rdx /* length */\n" 609*08b48e0bSAndroid Build Coastguard Worker " leaq __afl_temp(%rip), %rsi /* data */\n" 610*08b48e0bSAndroid Build Coastguard Worker " movq $" STRINGIFY(FORKSRV_FD) ", %rdi /* file desc */\n" 611*08b48e0bSAndroid Build Coastguard Worker CALL_L64("read") 612*08b48e0bSAndroid Build Coastguard Worker " cmpq $4, %rax\n" 613*08b48e0bSAndroid Build Coastguard Worker " jne __afl_die\n" 614*08b48e0bSAndroid Build Coastguard Worker "\n" 615*08b48e0bSAndroid Build Coastguard Worker " /* Once woken up, create a clone of our process. 
This is an excellent use\n" 616*08b48e0bSAndroid Build Coastguard Worker " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n" 617*08b48e0bSAndroid Build Coastguard Worker " caches getpid() results and offers no way to update the value, breaking\n" 618*08b48e0bSAndroid Build Coastguard Worker " abort(), raise(), and a bunch of other things :-( */\n" 619*08b48e0bSAndroid Build Coastguard Worker "\n" 620*08b48e0bSAndroid Build Coastguard Worker CALL_L64("fork") 621*08b48e0bSAndroid Build Coastguard Worker " cmpq $0, %rax\n" 622*08b48e0bSAndroid Build Coastguard Worker " jl __afl_die\n" 623*08b48e0bSAndroid Build Coastguard Worker " je __afl_fork_resume\n" 624*08b48e0bSAndroid Build Coastguard Worker "\n" 625*08b48e0bSAndroid Build Coastguard Worker " /* In parent process: write PID to pipe, then wait for child. */\n" 626*08b48e0bSAndroid Build Coastguard Worker "\n" 627*08b48e0bSAndroid Build Coastguard Worker " movl %eax, __afl_fork_pid(%rip)\n" 628*08b48e0bSAndroid Build Coastguard Worker "\n" 629*08b48e0bSAndroid Build Coastguard Worker " movq $4, %rdx /* length */\n" 630*08b48e0bSAndroid Build Coastguard Worker " leaq __afl_fork_pid(%rip), %rsi /* data */\n" 631*08b48e0bSAndroid Build Coastguard Worker " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" 632*08b48e0bSAndroid Build Coastguard Worker CALL_L64("write") 633*08b48e0bSAndroid Build Coastguard Worker "\n" 634*08b48e0bSAndroid Build Coastguard Worker " movq $0, %rdx /* no flags */\n" 635*08b48e0bSAndroid Build Coastguard Worker " leaq __afl_temp(%rip), %rsi /* status */\n" 636*08b48e0bSAndroid Build Coastguard Worker " movq __afl_fork_pid(%rip), %rdi /* PID */\n" 637*08b48e0bSAndroid Build Coastguard Worker CALL_L64("waitpid") 638*08b48e0bSAndroid Build Coastguard Worker " cmpq $0, %rax\n" 639*08b48e0bSAndroid Build Coastguard Worker " jle __afl_die\n" 640*08b48e0bSAndroid Build Coastguard Worker "\n" 641*08b48e0bSAndroid Build Coastguard Worker " /* Relay wait status to 
pipe, then loop back. */\n" 642*08b48e0bSAndroid Build Coastguard Worker "\n" 643*08b48e0bSAndroid Build Coastguard Worker " movq $4, %rdx /* length */\n" 644*08b48e0bSAndroid Build Coastguard Worker " leaq __afl_temp(%rip), %rsi /* data */\n" 645*08b48e0bSAndroid Build Coastguard Worker " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" 646*08b48e0bSAndroid Build Coastguard Worker CALL_L64("write") 647*08b48e0bSAndroid Build Coastguard Worker "\n" 648*08b48e0bSAndroid Build Coastguard Worker " jmp __afl_fork_wait_loop\n" 649*08b48e0bSAndroid Build Coastguard Worker "\n" 650*08b48e0bSAndroid Build Coastguard Worker "__afl_fork_resume:\n" 651*08b48e0bSAndroid Build Coastguard Worker "\n" 652*08b48e0bSAndroid Build Coastguard Worker " /* In child process: close fds, resume execution. */\n" 653*08b48e0bSAndroid Build Coastguard Worker "\n" 654*08b48e0bSAndroid Build Coastguard Worker " movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n" 655*08b48e0bSAndroid Build Coastguard Worker CALL_L64("close") 656*08b48e0bSAndroid Build Coastguard Worker "\n" 657*08b48e0bSAndroid Build Coastguard Worker " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n" 658*08b48e0bSAndroid Build Coastguard Worker CALL_L64("close") 659*08b48e0bSAndroid Build Coastguard Worker "\n" 660*08b48e0bSAndroid Build Coastguard Worker " popq %rdx\n" 661*08b48e0bSAndroid Build Coastguard Worker " popq %rdx\n" 662*08b48e0bSAndroid Build Coastguard Worker "\n" 663*08b48e0bSAndroid Build Coastguard Worker " movq %r12, %rsp\n" 664*08b48e0bSAndroid Build Coastguard Worker " popq %r12\n" 665*08b48e0bSAndroid Build Coastguard Worker "\n" 666*08b48e0bSAndroid Build Coastguard Worker " movq 0(%rsp), %rax\n" 667*08b48e0bSAndroid Build Coastguard Worker " movq 8(%rsp), %rcx\n" 668*08b48e0bSAndroid Build Coastguard Worker " movq 16(%rsp), %rdi\n" 669*08b48e0bSAndroid Build Coastguard Worker " movq 32(%rsp), %rsi\n" 670*08b48e0bSAndroid Build Coastguard Worker " movq 40(%rsp), %r8\n" 671*08b48e0bSAndroid Build 
Coastguard Worker " movq 48(%rsp), %r9\n" 672*08b48e0bSAndroid Build Coastguard Worker " movq 56(%rsp), %r10\n" 673*08b48e0bSAndroid Build Coastguard Worker " movq 64(%rsp), %r11\n" 674*08b48e0bSAndroid Build Coastguard Worker "\n" 675*08b48e0bSAndroid Build Coastguard Worker " movq 96(%rsp), %xmm0\n" 676*08b48e0bSAndroid Build Coastguard Worker " movq 112(%rsp), %xmm1\n" 677*08b48e0bSAndroid Build Coastguard Worker " movq 128(%rsp), %xmm2\n" 678*08b48e0bSAndroid Build Coastguard Worker " movq 144(%rsp), %xmm3\n" 679*08b48e0bSAndroid Build Coastguard Worker " movq 160(%rsp), %xmm4\n" 680*08b48e0bSAndroid Build Coastguard Worker " movq 176(%rsp), %xmm5\n" 681*08b48e0bSAndroid Build Coastguard Worker " movq 192(%rsp), %xmm6\n" 682*08b48e0bSAndroid Build Coastguard Worker " movq 208(%rsp), %xmm7\n" 683*08b48e0bSAndroid Build Coastguard Worker " movq 224(%rsp), %xmm8\n" 684*08b48e0bSAndroid Build Coastguard Worker " movq 240(%rsp), %xmm9\n" 685*08b48e0bSAndroid Build Coastguard Worker " movq 256(%rsp), %xmm10\n" 686*08b48e0bSAndroid Build Coastguard Worker " movq 272(%rsp), %xmm11\n" 687*08b48e0bSAndroid Build Coastguard Worker " movq 288(%rsp), %xmm12\n" 688*08b48e0bSAndroid Build Coastguard Worker " movq 304(%rsp), %xmm13\n" 689*08b48e0bSAndroid Build Coastguard Worker " movq 320(%rsp), %xmm14\n" 690*08b48e0bSAndroid Build Coastguard Worker " movq 336(%rsp), %xmm15\n" 691*08b48e0bSAndroid Build Coastguard Worker "\n" 692*08b48e0bSAndroid Build Coastguard Worker " leaq 352(%rsp), %rsp\n" 693*08b48e0bSAndroid Build Coastguard Worker "\n" 694*08b48e0bSAndroid Build Coastguard Worker " jmp __afl_store\n" 695*08b48e0bSAndroid Build Coastguard Worker "\n" 696*08b48e0bSAndroid Build Coastguard Worker "__afl_die:\n" 697*08b48e0bSAndroid Build Coastguard Worker "\n" 698*08b48e0bSAndroid Build Coastguard Worker " xorq %rax, %rax\n" 699*08b48e0bSAndroid Build Coastguard Worker CALL_L64("_exit") 700*08b48e0bSAndroid Build Coastguard Worker "\n" 701*08b48e0bSAndroid Build 
Coastguard Worker "__afl_setup_abort:\n" 702*08b48e0bSAndroid Build Coastguard Worker "\n" 703*08b48e0bSAndroid Build Coastguard Worker " /* Record setup failure so that we don't keep calling\n" 704*08b48e0bSAndroid Build Coastguard Worker " shmget() / shmat() over and over again. */\n" 705*08b48e0bSAndroid Build Coastguard Worker "\n" 706*08b48e0bSAndroid Build Coastguard Worker " incb __afl_setup_failure(%rip)\n" 707*08b48e0bSAndroid Build Coastguard Worker "\n" 708*08b48e0bSAndroid Build Coastguard Worker " movq %r12, %rsp\n" 709*08b48e0bSAndroid Build Coastguard Worker " popq %r12\n" 710*08b48e0bSAndroid Build Coastguard Worker "\n" 711*08b48e0bSAndroid Build Coastguard Worker " movq 0(%rsp), %rax\n" 712*08b48e0bSAndroid Build Coastguard Worker " movq 8(%rsp), %rcx\n" 713*08b48e0bSAndroid Build Coastguard Worker " movq 16(%rsp), %rdi\n" 714*08b48e0bSAndroid Build Coastguard Worker " movq 32(%rsp), %rsi\n" 715*08b48e0bSAndroid Build Coastguard Worker " movq 40(%rsp), %r8\n" 716*08b48e0bSAndroid Build Coastguard Worker " movq 48(%rsp), %r9\n" 717*08b48e0bSAndroid Build Coastguard Worker " movq 56(%rsp), %r10\n" 718*08b48e0bSAndroid Build Coastguard Worker " movq 64(%rsp), %r11\n" 719*08b48e0bSAndroid Build Coastguard Worker "\n" 720*08b48e0bSAndroid Build Coastguard Worker " movq 96(%rsp), %xmm0\n" 721*08b48e0bSAndroid Build Coastguard Worker " movq 112(%rsp), %xmm1\n" 722*08b48e0bSAndroid Build Coastguard Worker " movq 128(%rsp), %xmm2\n" 723*08b48e0bSAndroid Build Coastguard Worker " movq 144(%rsp), %xmm3\n" 724*08b48e0bSAndroid Build Coastguard Worker " movq 160(%rsp), %xmm4\n" 725*08b48e0bSAndroid Build Coastguard Worker " movq 176(%rsp), %xmm5\n" 726*08b48e0bSAndroid Build Coastguard Worker " movq 192(%rsp), %xmm6\n" 727*08b48e0bSAndroid Build Coastguard Worker " movq 208(%rsp), %xmm7\n" 728*08b48e0bSAndroid Build Coastguard Worker " movq 224(%rsp), %xmm8\n" 729*08b48e0bSAndroid Build Coastguard Worker " movq 240(%rsp), %xmm9\n" 730*08b48e0bSAndroid Build 
Coastguard Worker " movq 256(%rsp), %xmm10\n" 731*08b48e0bSAndroid Build Coastguard Worker " movq 272(%rsp), %xmm11\n" 732*08b48e0bSAndroid Build Coastguard Worker " movq 288(%rsp), %xmm12\n" 733*08b48e0bSAndroid Build Coastguard Worker " movq 304(%rsp), %xmm13\n" 734*08b48e0bSAndroid Build Coastguard Worker " movq 320(%rsp), %xmm14\n" 735*08b48e0bSAndroid Build Coastguard Worker " movq 336(%rsp), %xmm15\n" 736*08b48e0bSAndroid Build Coastguard Worker "\n" 737*08b48e0bSAndroid Build Coastguard Worker " leaq 352(%rsp), %rsp\n" 738*08b48e0bSAndroid Build Coastguard Worker "\n" 739*08b48e0bSAndroid Build Coastguard Worker " jmp __afl_return\n" 740*08b48e0bSAndroid Build Coastguard Worker "\n" 741*08b48e0bSAndroid Build Coastguard Worker ".AFL_VARS:\n" 742*08b48e0bSAndroid Build Coastguard Worker "\n" 743*08b48e0bSAndroid Build Coastguard Worker 744*08b48e0bSAndroid Build Coastguard Worker #ifdef __APPLE__ 745*08b48e0bSAndroid Build Coastguard Worker 746*08b48e0bSAndroid Build Coastguard Worker " .comm __afl_area_ptr, 8\n" 747*08b48e0bSAndroid Build Coastguard Worker #ifndef COVERAGE_ONLY 748*08b48e0bSAndroid Build Coastguard Worker " .comm __afl_prev_loc, 8\n" 749*08b48e0bSAndroid Build Coastguard Worker #endif /* !COVERAGE_ONLY */ 750*08b48e0bSAndroid Build Coastguard Worker " .comm __afl_fork_pid, 4\n" 751*08b48e0bSAndroid Build Coastguard Worker " .comm __afl_temp, 4\n" 752*08b48e0bSAndroid Build Coastguard Worker " .comm __afl_setup_failure, 1\n" 753*08b48e0bSAndroid Build Coastguard Worker 754*08b48e0bSAndroid Build Coastguard Worker #else 755*08b48e0bSAndroid Build Coastguard Worker 756*08b48e0bSAndroid Build Coastguard Worker " .lcomm __afl_area_ptr, 8\n" 757*08b48e0bSAndroid Build Coastguard Worker #ifndef COVERAGE_ONLY 758*08b48e0bSAndroid Build Coastguard Worker " .lcomm __afl_prev_loc, 8\n" 759*08b48e0bSAndroid Build Coastguard Worker #endif /* !COVERAGE_ONLY */ 760*08b48e0bSAndroid Build Coastguard Worker " .lcomm __afl_fork_pid, 4\n" 761*08b48e0bSAndroid 
Build Coastguard Worker " .lcomm __afl_temp, 4\n" 762*08b48e0bSAndroid Build Coastguard Worker " .lcomm __afl_setup_failure, 1\n" 763*08b48e0bSAndroid Build Coastguard Worker 764*08b48e0bSAndroid Build Coastguard Worker #endif /* ^__APPLE__ */ 765*08b48e0bSAndroid Build Coastguard Worker 766*08b48e0bSAndroid Build Coastguard Worker " .comm __afl_global_area_ptr, 8, 8\n" 767*08b48e0bSAndroid Build Coastguard Worker "\n" 768*08b48e0bSAndroid Build Coastguard Worker ".AFL_SHM_ENV:\n" 769*08b48e0bSAndroid Build Coastguard Worker " .asciz \"" SHM_ENV_VAR "\"\n" 770*08b48e0bSAndroid Build Coastguard Worker "\n" 771*08b48e0bSAndroid Build Coastguard Worker "/* --- END --- */\n" 772*08b48e0bSAndroid Build Coastguard Worker "\n"; 773*08b48e0bSAndroid Build Coastguard Worker 774*08b48e0bSAndroid Build Coastguard Worker #endif /* !_HAVE_AFL_AS_H */ 775*08b48e0bSAndroid Build Coastguard Worker 776
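The `__afl_store` sequence above (xorq / xorq / shrq followed by addb / adcb) is easier to reason about in C. The block below is an added example, not code from afl-as.h or AFL++: it models that instruction sequence on a constructed trace of block IDs so the direction sensitivity of the edge hash and the "never zero" counter can be checked. `MAP_SIZE_EXAMPLE` and the block IDs `0x1234` / `0x5678` are assumptions of this example; AFL takes the real map size (`MAP_SIZE`) from config.h.

```c
/* Added example, not code from afl-as.h: a C model of the __afl_store
 * sequence so the edge hashing and the "never zero" counter can be run on
 * a constructed trace of block IDs. MAP_SIZE_EXAMPLE is an assumption of
 * this example; AFL takes the real value (MAP_SIZE) from config.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE_EXAMPLE (1u << 16)   /* assumed map size */

/* What the asm keeps in .AFL_VARS plus the SHM region it points at. */
struct afl_state {
  uint8_t  map[MAP_SIZE_EXAMPLE];   /* shm_trace_map, via __afl_area_ptr */
  uint64_t prev_loc;                /* __afl_prev_loc */
};

static void afl_state_init(struct afl_state *st) { memset(st, 0, sizeof *st); }

/* One instrumented block being executed, with cur_loc in rcx:
 *
 *   xorq __afl_prev_loc(%rip), %rcx     rcx  = cur ^ prev        (edge)
 *   xorq %rcx, __afl_prev_loc(%rip)     prev = prev ^ rcx = cur
 *   shrq $1, __afl_prev_loc(%rip)       prev = cur >> 1
 *   addb $1, (%rdx, %rcx, 1)            map[edge]++   (255 -> 0 sets CF)
 *   adcb $0, (%rdx, %rcx, 1)            map[edge] += CF  (so 0 -> 1)
 *
 * The shift is what makes A->B and B->A land in different cells; the adc
 * keeps a hot cell from wrapping back to 0, which would read as "never hit".
 * afl-as assigns cur_loc below MAP_SIZE, so the asm indexes the map
 * unmasked; the mask here only guards this model against larger IDs.
 * Returns the cell index that was bumped. */
uint32_t afl_store(struct afl_state *st, uint64_t cur_loc) {
  uint32_t edge = (uint32_t)((cur_loc ^ st->prev_loc) & (MAP_SIZE_EXAMPLE - 1));
  st->prev_loc = cur_loc >> 1;

  unsigned sum = st->map[edge] + 1u;                   /* addb $1           */
  st->map[edge] = (uint8_t)sum + (uint8_t)(sum >> 8);  /* adcb $0: carry in */
  return edge;
}

/* Cell hit by the edge from -> to, starting from a fresh process. */
uint32_t edge_index(uint64_t from, uint64_t to) {
  static struct afl_state st;
  afl_state_init(&st);
  afl_store(&st, from);
  return afl_store(&st, to);
}

/* Counter in the last cell touched after executing block `loc` n times in
 * a row (from the 2nd store on this is the self-edge loc ^ (loc >> 1)). */
uint8_t counter_after_hits(uint64_t loc, unsigned n) {
  static struct afl_state st;
  afl_state_init(&st);
  uint32_t idx = 0;
  while (n--) idx = afl_store(&st, loc);
  return st.map[idx];
}

int main(void) {
  /* Constructed block IDs, stand-ins for what afl-as would have chosen. */
  const uint64_t a = 0x1234, b = 0x5678;
  printf("a->b cell %#x, b->a cell %#x (differ thanks to shrq $1)\n",
         edge_index(a, b), edge_index(b, a));
  printf("256 stores -> %u, 257 stores -> %u (never zero)\n",
         counter_after_hits(a, 256), counter_after_hits(a, 257));
  return 0;
}
```

Without the `shrq $1`, `a ^ b` and `b ^ a` would be the same cell and the map could not tell the two directions apart; without the `adcb`, the 256th hit on a cell would make it look unvisited to the fuzzer.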
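The fork-server protocol in `__afl_forkserver`, `__afl_fork_wait_loop` and `__afl_fork_resume` above is a four-byte handshake over two pipes. The block below is an added example, not code from afl-as.h or AFL++: it writes that loop in C and drives it end to end with a minimal stand-in for the fuzzer side. The asm finds its pipes at `FORKSRV_FD` and `FORKSRV_FD + 1` (config.h); here the descriptors are passed in, and the fake target's exit code `TARGET_EXIT_CODE` is constructed, both assumptions of this example. POSIX only.

```c
/* Added example, not code from afl-as.h: the fork-server handshake from
 * __afl_forkserver / __afl_fork_wait_loop / __afl_fork_resume written in C
 * and driven end to end by a minimal stand-in for the fuzzer over two pipes.
 * The asm finds its pipes at FORKSRV_FD and FORKSRV_FD + 1 (config.h); here
 * the descriptors are passed in, an assumption of this example. POSIX only. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Target side, one step per asm label. Returns only in the process that
 * should go on to run the instrumented program: either the fork child
 * (__afl_fork_resume) or the original process when nobody is listening. */
static void forkserver_loop(int ctl_fd, int st_fd) {
  uint32_t tmp = 0;          /* __afl_temp     */
  int32_t  child_pid;        /* __afl_fork_pid */
  int      status;

  /* Phone home. A failed write means the fd is not open: we were exec()d by
   * an instrumented parent, or the parent does not want a fork server. */
  if (write(st_fd, &tmp, 4) != 4) return;

  for (;;) {                                     /* __afl_fork_wait_loop */
    if (read(ctl_fd, &tmp, 4) != 4) _exit(0);    /* __afl_die            */

    child_pid = fork();                          /* fork(), not clone()  */
    if (child_pid < 0) _exit(0);                 /* __afl_die            */
    if (child_pid == 0) {                        /* __afl_fork_resume    */
      close(ctl_fd);
      close(st_fd);
      return;
    }

    /* Parent: PID out, wait, raw wait status out, loop. The asm does not
     * check these two writes; a short write is treated as fatal here. */
    if (write(st_fd, &child_pid, 4) != 4) _exit(0);
    if (waitpid(child_pid, &status, 0) <= 0) _exit(0);
    if (write(st_fd, &status, 4) != 4) _exit(0);
  }
}

/* Fuzzer side: one execution. Returns the child's exit code, -1 on error. */
static int fuzzer_run_once(int ctl_w, int st_r) {
  uint32_t go = 0;
  int32_t pid, status;
  if (write(ctl_w, &go, 4) != 4) return -1;
  if (read(st_r, &pid, 4) != 4 || pid <= 0) return -1;
  if (read(st_r, &status, 4) != 4) return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

#define TARGET_EXIT_CODE 42   /* constructed behaviour of the fake target */

/* Spawn a target whose "program" is just _exit(42) after the prologue, run
 * it `rounds` times through the server, then hang up. Returns the number of
 * rounds that came back with the expected status, -1 on setup error. */
int run_forkserver_demo(int rounds) {
  int ctl[2], st[2];
  if (pipe(ctl) < 0 || pipe(st) < 0) return -1;

  pid_t srv = fork();
  if (srv < 0) return -1;
  if (srv == 0) {
    close(ctl[1]); close(st[0]);
    forkserver_loop(ctl[0], st[1]);   /* returns only in a fork child */
    _exit(TARGET_EXIT_CODE);          /* "the rest of the program"    */
  }

  close(ctl[0]); close(st[1]);
  uint32_t hello;
  int ok = 0;
  if (read(st[0], &hello, 4) == 4)
    for (int i = 0; i < rounds; i++)
      if (fuzzer_run_once(ctl[1], st[0]) == TARGET_EXIT_CODE) ok++;

  close(ctl[1]); close(st[0]);        /* server's read() fails -> _exit */
  waitpid(srv, NULL, 0);
  return ok;
}

/* No fuzzer attached: the prologue must fall through so the binary still
 * runs normally. Returns 1 once forkserver_loop has returned. */
int run_without_fuzzer(void) {
  forkserver_loop(-1, -1);            /* EBADF on the hello write */
  return 1;
}

int main(void) {
  printf("standalone run falls through: %d\n", run_without_fuzzer());
  printf("rounds served: %d\n", run_forkserver_demo(3));
  return 0;
}
```

Because the server uses `fork()` rather than `clone(CLONE_PARENT)` (for the glibc `getpid()` caching reason given in the asm comment), each test-case process is a child of the server, not of the fuzzer; that is why the server has to `waitpid()` it and relay the raw wait status back over the pipe instead of the fuzzer reaping it directly.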