intel/llvm
1
0
Fork 0
mirror of https://github.com/intel/llvm.git synced 2026-01-22 07:01:03 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c24f66e33bcbc82e40f5dd94cda12430dc819638
llvm/compiler-rt/lib/fuzzer/FuzzerInterceptors.cpp

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

255 lines
8.9 KiB
C++
Raw Normal View History

Recommit "[libFuzzer] Link libFuzzer's own interceptors when other compiler runtimes are not linked." Summary: libFuzzer intercepts certain library functions such as memcmp/strcmp by defining weak hooks. Weak hooks, however, are called only when other runtimes such as ASan is linked. This patch defines libFuzzer's own interceptors, which is linked into the libFuzzer executable when other runtimes are not linked, i.e., when -fsanitize=fuzzer is given, but not others. The patch once landed but was reverted in 8ef9e2bf355d05bc81d8b0fe1e5333eec59a0a91 due to an assertion failure caused by calling an intercepted function, strncmp, while initializing the interceptors in fuzzerInit(). This issue is now fixed by calling libFuzzer's own implementation of library functions (i.e., internal_*) when the fuzzer has not been initialized yet, instead of recursively calling fuzzerInit() again. Reviewers: kcc, morehouse, hctim Subscribers: #sanitizers, krytarowski, mgorny, cfe-commits Tags: #clang, #sanitizers Differential Revision: https://reviews.llvm.org/D83494
2020-07-16 20:26:03 +00:00
//===-- FuzzerInterceptors.cpp --------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// Intercept certain libc functions to aid fuzzing.
// Linked only when other RTs that define their own interceptors are not linked.
//===----------------------------------------------------------------------===//
#include "FuzzerPlatform.h"
#if LIBFUZZER_LINUX
#define GET_CALLER_PC() __builtin_return_address(0)
#define PTR_TO_REAL(x) real_##x
#define REAL(x) __interception::PTR_TO_REAL(x)
#define FUNC_TYPE(x) x##_type
#define DEFINE_REAL(ret_type, func, ...) \
typedef ret_type (*FUNC_TYPE(func))(__VA_ARGS__); \
namespace __interception { \
FUNC_TYPE(func) PTR_TO_REAL(func); \
}
#include <cassert>
[fuzzer] Fix build on musl cstddef is needed for size_t definition. (Multiple headers can provide size_t but none of them exists.) Reviewed By: MaskRay Differential Revision: https://reviews.llvm.org/D96213
2021-06-13 12:32:07 -07:00
#include <cstddef> // for size_t
Recommit "[libFuzzer] Link libFuzzer's own interceptors when other compiler runtimes are not linked." Summary: libFuzzer intercepts certain library functions such as memcmp/strcmp by defining weak hooks. Weak hooks, however, are called only when other runtimes such as ASan is linked. This patch defines libFuzzer's own interceptors, which is linked into the libFuzzer executable when other runtimes are not linked, i.e., when -fsanitize=fuzzer is given, but not others. The patch once landed but was reverted in 8ef9e2bf355d05bc81d8b0fe1e5333eec59a0a91 due to an assertion failure caused by calling an intercepted function, strncmp, while initializing the interceptors in fuzzerInit(). This issue is now fixed by calling libFuzzer's own implementation of library functions (i.e., internal_*) when the fuzzer has not been initialized yet, instead of recursively calling fuzzerInit() again. Reviewers: kcc, morehouse, hctim Subscribers: #sanitizers, krytarowski, mgorny, cfe-commits Tags: #clang, #sanitizers Differential Revision: https://reviews.llvm.org/D83494
2020-07-16 20:26:03 +00:00
#include <cstdint>
#include <dlfcn.h> // for dlsym()
static void *getFuncAddr(const char *name, uintptr_t wrapper_addr) {
void *addr = dlsym(RTLD_NEXT, name);
if (!addr) {
// If the lookup using RTLD_NEXT failed, the sanitizer runtime library is
// later in the library search order than the DSO that we are trying to
// intercept, which means that we cannot intercept this function. We still
// want the address of the real definition, though, so look it up using
// RTLD_DEFAULT.
addr = dlsym(RTLD_DEFAULT, name);
// In case `name' is not loaded, dlsym ends up finding the actual wrapper.
// We don't want to intercept the wrapper and have it point to itself.
if (reinterpret_cast<uintptr_t>(addr) == wrapper_addr)
addr = nullptr;
}
return addr;
}
static int FuzzerInited = 0;
static bool FuzzerInitIsRunning;
static void fuzzerInit();
static void ensureFuzzerInited() {
assert(!FuzzerInitIsRunning);
if (!FuzzerInited) {
fuzzerInit();
}
}
static int internal_strcmp_strncmp(const char *s1, const char *s2, bool strncmp,
size_t n) {
size_t i = 0;
while (true) {
if (strncmp) {
if (i == n)
break;
i++;
}
unsigned c1 = *s1;
unsigned c2 = *s2;
if (c1 != c2)
return (c1 < c2) ? -1 : 1;
if (c1 == 0)
break;
s1++;
s2++;
}
return 0;
}
static int internal_strncmp(const char *s1, const char *s2, size_t n) {
return internal_strcmp_strncmp(s1, s2, true, n);
}
static int internal_strcmp(const char *s1, const char *s2) {
return internal_strcmp_strncmp(s1, s2, false, 0);
}
static int internal_memcmp(const void *s1, const void *s2, size_t n) {
const uint8_t *t1 = static_cast<const uint8_t *>(s1);
const uint8_t *t2 = static_cast<const uint8_t *>(s2);
for (size_t i = 0; i < n; ++i, ++t1, ++t2)
if (*t1 != *t2)
return *t1 < *t2 ? -1 : 1;
return 0;
}
static size_t internal_strlen(const char *s) {
size_t i = 0;
while (s[i])
i++;
return i;
}
static char *internal_strstr(const char *haystack, const char *needle) {
// This is O(N^2), but we are not using it in hot places.
size_t len1 = internal_strlen(haystack);
size_t len2 = internal_strlen(needle);
if (len1 < len2)
return nullptr;
for (size_t pos = 0; pos <= len1 - len2; pos++) {
if (internal_memcmp(haystack + pos, needle, len2) == 0)
return const_cast<char *>(haystack) + pos;
}
return nullptr;
}
extern "C" {
[libFuzzer] Break dependency on common_interface_defs.h Some libFuzzer users build using the build.sh script, without access to the <sanitizer/common_interface_defs.h> include. Update https://github.com/rust-fuzz/libfuzzer/issues/65. Reviewed By: dokyungs Differential Revision: https://reviews.llvm.org/D86981
2020-09-01 15:35:01 -07:00
// Weak hooks forward-declared to avoid dependency on
// <sanitizer/common_interface_defs.h>.
void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1,
const void *s2, size_t n, int result);
void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1,
const char *s2, size_t n, int result);
void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
const char *s2, size_t n, int result);
void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1,
const char *s2, int result);
void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
const char *s2, int result);
void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
const char *s2, char *result);
void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
const char *s2, char *result);
void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
const void *s2, size_t len2, void *result);
[libFuzzer] Instrument bcmp If we define memcmp in an archive, bcmp should be defined as well (many libc define bcmp/memcmp in one object file). Otherwise if the application calls bcmp or strcmp which gets optimized to bcmp (SimplifyLibCalls), the undefined reference may pull in an optimized bcmp/strcmp implementation (libc replacement) later on the linker command line. If both libFuzzer's memcmp and the optimized memcmp are strong => there will be a multiple definition error.
2020-07-24 00:23:46 -07:00
DEFINE_REAL(int, bcmp, const void *, const void *, size_t)
Recommit "[libFuzzer] Link libFuzzer's own interceptors when other compiler runtimes are not linked." Summary: libFuzzer intercepts certain library functions such as memcmp/strcmp by defining weak hooks. Weak hooks, however, are called only when other runtimes such as ASan is linked. This patch defines libFuzzer's own interceptors, which is linked into the libFuzzer executable when other runtimes are not linked, i.e., when -fsanitize=fuzzer is given, but not others. The patch once landed but was reverted in 8ef9e2bf355d05bc81d8b0fe1e5333eec59a0a91 due to an assertion failure caused by calling an intercepted function, strncmp, while initializing the interceptors in fuzzerInit(). This issue is now fixed by calling libFuzzer's own implementation of library functions (i.e., internal_*) when the fuzzer has not been initialized yet, instead of recursively calling fuzzerInit() again. Reviewers: kcc, morehouse, hctim Subscribers: #sanitizers, krytarowski, mgorny, cfe-commits Tags: #clang, #sanitizers Differential Revision: https://reviews.llvm.org/D83494
2020-07-16 20:26:03 +00:00
DEFINE_REAL(int, memcmp, const void *, const void *, size_t)
DEFINE_REAL(int, strncmp, const char *, const char *, size_t)
DEFINE_REAL(int, strcmp, const char *, const char *)
DEFINE_REAL(int, strncasecmp, const char *, const char *, size_t)
DEFINE_REAL(int, strcasecmp, const char *, const char *)
DEFINE_REAL(char *, strstr, const char *, const char *)
DEFINE_REAL(char *, strcasestr, const char *, const char *)
DEFINE_REAL(void *, memmem, const void *, size_t, const void *, size_t)
[libFuzzer] Instrument bcmp If we define memcmp in an archive, bcmp should be defined as well (many libc define bcmp/memcmp in one object file). Otherwise if the application calls bcmp or strcmp which gets optimized to bcmp (SimplifyLibCalls), the undefined reference may pull in an optimized bcmp/strcmp implementation (libc replacement) later on the linker command line. If both libFuzzer's memcmp and the optimized memcmp are strong => there will be a multiple definition error.
2020-07-24 00:23:46 -07:00
ATTRIBUTE_INTERFACE int bcmp(const char *s1, const char *s2, size_t n) {
if (!FuzzerInited)
return internal_memcmp(s1, s2, n);
int result = REAL(bcmp)(s1, s2, n);
__sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
return result;
}
Recommit "[libFuzzer] Link libFuzzer's own interceptors when other compiler runtimes are not linked." Summary: libFuzzer intercepts certain library functions such as memcmp/strcmp by defining weak hooks. Weak hooks, however, are called only when other runtimes such as ASan is linked. This patch defines libFuzzer's own interceptors, which is linked into the libFuzzer executable when other runtimes are not linked, i.e., when -fsanitize=fuzzer is given, but not others. The patch once landed but was reverted in 8ef9e2bf355d05bc81d8b0fe1e5333eec59a0a91 due to an assertion failure caused by calling an intercepted function, strncmp, while initializing the interceptors in fuzzerInit(). This issue is now fixed by calling libFuzzer's own implementation of library functions (i.e., internal_*) when the fuzzer has not been initialized yet, instead of recursively calling fuzzerInit() again. Reviewers: kcc, morehouse, hctim Subscribers: #sanitizers, krytarowski, mgorny, cfe-commits Tags: #clang, #sanitizers Differential Revision: https://reviews.llvm.org/D83494
2020-07-16 20:26:03 +00:00
ATTRIBUTE_INTERFACE int memcmp(const void *s1, const void *s2, size_t n) {
if (!FuzzerInited)
return internal_memcmp(s1, s2, n);
int result = REAL(memcmp)(s1, s2, n);
__sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
return result;
}
ATTRIBUTE_INTERFACE int strncmp(const char *s1, const char *s2, size_t n) {
if (!FuzzerInited)
return internal_strncmp(s1, s2, n);
int result = REAL(strncmp)(s1, s2, n);
__sanitizer_weak_hook_strncmp(GET_CALLER_PC(), s1, s2, n, result);
return result;
}
ATTRIBUTE_INTERFACE int strcmp(const char *s1, const char *s2) {
if (!FuzzerInited)
return internal_strcmp(s1, s2);
int result = REAL(strcmp)(s1, s2);
__sanitizer_weak_hook_strcmp(GET_CALLER_PC(), s1, s2, result);
return result;
}
ATTRIBUTE_INTERFACE int strncasecmp(const char *s1, const char *s2, size_t n) {
ensureFuzzerInited();
int result = REAL(strncasecmp)(s1, s2, n);
__sanitizer_weak_hook_strncasecmp(GET_CALLER_PC(), s1, s2, n, result);
return result;
}
ATTRIBUTE_INTERFACE int strcasecmp(const char *s1, const char *s2) {
ensureFuzzerInited();
int result = REAL(strcasecmp)(s1, s2);
__sanitizer_weak_hook_strcasecmp(GET_CALLER_PC(), s1, s2, result);
return result;
}
ATTRIBUTE_INTERFACE char *strstr(const char *s1, const char *s2) {
if (!FuzzerInited)
return internal_strstr(s1, s2);
char *result = REAL(strstr)(s1, s2);
__sanitizer_weak_hook_strstr(GET_CALLER_PC(), s1, s2, result);
return result;
}
ATTRIBUTE_INTERFACE char *strcasestr(const char *s1, const char *s2) {
ensureFuzzerInited();
char *result = REAL(strcasestr)(s1, s2);
__sanitizer_weak_hook_strcasestr(GET_CALLER_PC(), s1, s2, result);
return result;
}
ATTRIBUTE_INTERFACE
void *memmem(const void *s1, size_t len1, const void *s2, size_t len2) {
ensureFuzzerInited();
void *result = REAL(memmem)(s1, len1, s2, len2);
__sanitizer_weak_hook_memmem(GET_CALLER_PC(), s1, len1, s2, len2, result);
return result;
}
__attribute__((section(".preinit_array"),
used)) static void (*__local_fuzzer_preinit)(void) = fuzzerInit;
} // extern "C"
static void fuzzerInit() {
assert(!FuzzerInitIsRunning);
if (FuzzerInited)
return;
FuzzerInitIsRunning = true;
[libFuzzer] Instrument bcmp If we define memcmp in an archive, bcmp should be defined as well (many libc define bcmp/memcmp in one object file). Otherwise if the application calls bcmp or strcmp which gets optimized to bcmp (SimplifyLibCalls), the undefined reference may pull in an optimized bcmp/strcmp implementation (libc replacement) later on the linker command line. If both libFuzzer's memcmp and the optimized memcmp are strong => there will be a multiple definition error.
2020-07-24 00:23:46 -07:00
REAL(bcmp) = reinterpret_cast<memcmp_type>(
getFuncAddr("bcmp", reinterpret_cast<uintptr_t>(&bcmp)));
Recommit "[libFuzzer] Link libFuzzer's own interceptors when other compiler runtimes are not linked." Summary: libFuzzer intercepts certain library functions such as memcmp/strcmp by defining weak hooks. Weak hooks, however, are called only when other runtimes such as ASan is linked. This patch defines libFuzzer's own interceptors, which is linked into the libFuzzer executable when other runtimes are not linked, i.e., when -fsanitize=fuzzer is given, but not others. The patch once landed but was reverted in 8ef9e2bf355d05bc81d8b0fe1e5333eec59a0a91 due to an assertion failure caused by calling an intercepted function, strncmp, while initializing the interceptors in fuzzerInit(). This issue is now fixed by calling libFuzzer's own implementation of library functions (i.e., internal_*) when the fuzzer has not been initialized yet, instead of recursively calling fuzzerInit() again. Reviewers: kcc, morehouse, hctim Subscribers: #sanitizers, krytarowski, mgorny, cfe-commits Tags: #clang, #sanitizers Differential Revision: https://reviews.llvm.org/D83494
2020-07-16 20:26:03 +00:00
REAL(memcmp) = reinterpret_cast<memcmp_type>(
getFuncAddr("memcmp", reinterpret_cast<uintptr_t>(&memcmp)));
REAL(strncmp) = reinterpret_cast<strncmp_type>(
getFuncAddr("strncmp", reinterpret_cast<uintptr_t>(&strncmp)));
REAL(strcmp) = reinterpret_cast<strcmp_type>(
getFuncAddr("strcmp", reinterpret_cast<uintptr_t>(&strcmp)));
REAL(strncasecmp) = reinterpret_cast<strncasecmp_type>(
getFuncAddr("strncasecmp", reinterpret_cast<uintptr_t>(&strncasecmp)));
REAL(strcasecmp) = reinterpret_cast<strcasecmp_type>(
getFuncAddr("strcasecmp", reinterpret_cast<uintptr_t>(&strcasecmp)));
REAL(strstr) = reinterpret_cast<strstr_type>(
getFuncAddr("strstr", reinterpret_cast<uintptr_t>(&strstr)));
REAL(strcasestr) = reinterpret_cast<strcasestr_type>(
getFuncAddr("strcasestr", reinterpret_cast<uintptr_t>(&strcasestr)));
REAL(memmem) = reinterpret_cast<memmem_type>(
getFuncAddr("memmem", reinterpret_cast<uintptr_t>(&memmem)));
FuzzerInitIsRunning = false;
FuzzerInited = 1;
}
#endif
Reference in New Issue Copy Permalink