├── LICENSE ├── README.md ├── code-coverage ├── nyx-code-coverage.py └── postprocess-gcno.py ├── preload └── harness │ ├── Makefile │ ├── compile.sh │ ├── sharedir │ └── README.md │ └── src │ ├── afl_glue.c │ ├── afl_glue.h │ ├── afl_runtime.c │ ├── afl_runtime.h │ ├── config.h │ ├── crash_handler.c │ ├── crash_handler.h │ ├── firefox_hooks.c │ ├── fuzz.c │ ├── fuzz.h │ ├── ld_preload_fuzz.c │ ├── moz_interface.c │ ├── nyx.h │ ├── stats.c │ └── stats.h └── userspace-tools ├── LICENSE ├── Makefile ├── README.md ├── compile_64.sh ├── qemu_tool.sh └── src └── htools ├── habort.c ├── hcat.c ├── hget.c ├── hget_bulk.c ├── hpush.c └── hrelease.c /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Snapshot Fuzzing for Firefox 2 | 3 | This repository contains a custom Agent and tooling for using [Nyx](https://github.com/nyx-fuzz) and [AFL++](https://github.com/AFLplusplus/AFLplusplus/) with Firefox. 4 | 5 | Unfortunately, we cannot provide detailed documentation yet. For questions, feel free to reach out on [chat.mozilla.org](https://chat.mozilla.org/#/room/#fuzzing:mozilla.org). 6 | -------------------------------------------------------------------------------- /code-coverage/nyx-code-coverage.py: -------------------------------------------------------------------------------- 1 | # This Source Code Form is subject to the terms of the Mozilla Public 2 | # License, v. 2.0. If a copy of the MPL was not distributed with this 3 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. 4 | 5 | from argparse import ArgumentParser 6 | from pathlib import Path 7 | from subprocess import PIPE, run 8 | import json 9 | import logging 10 | import struct 11 | import sys 12 | 13 | LOG = logging.getLogger(__file__) 14 | 15 | def symbolize(addresses, mod_path): 16 | output = run( 17 | ["llvm-addr2line", "--output-style=JSON", "--inlining=true", "-C", "-e", mod_path], 18 | stdout=PIPE, 19 | input="\n".join(addresses), 20 | text=True, 21 | ).stdout.splitlines() 22 | 23 | locations = [] 24 | 25 | for line in output: 26 | if not line: 27 | # Happens on last line usually. For empty input lines, it would output 28 | # a JSON formatted error instead 29 | continue 30 | 31 | result = json.loads(line) 32 | 33 | # Make sure we're not accidentally somehow mismatching results. 34 | assert(result["Address"] == addresses[len(locations)]) 35 | 36 | # Due to inlining, we can have multiple locations here, so we return a list of lists. 37 | locations.append([]) 38 | 39 | for symbol in result["Symbol"]: 40 | if symbol["FileName"]: 41 | locations[-1].append({"filename" : symbol["FileName"], "line": int(symbol["Line"])}) 42 | 43 | return locations 44 | 45 | def read_modinfo(file, ff_path): 46 | modinfo = {} 47 | with file.open() as fd: 48 | for x in fd.readlines(): 49 | fn, start, stop = x.rsplit(" ", 2) 50 | fn = fn.replace("/home/user/firefox", str(ff_path.resolve())) 51 | modinfo[fn] = (int(start), int(stop)) 52 | return modinfo 53 | 54 | 55 | def read_line_clusters(file): 56 | line_clusters = {} 57 | if file.exists(): 58 | with file.open() as fd: 59 | line_clusters = json.load(fd) 60 | else: 61 | LOG.warning("WARNING: lineclusters.json not found") 62 | return line_clusters 63 | 64 | # Ensure we're warning about missing files only once to keep output readable. 65 | line_cluster_warned = set() 66 | 67 | def get_line_cluster(line_clusters, name, line): 68 | if name not in line_clusters: 69 | if line_clusters and name not in line_cluster_warned: 70 | LOG.warning("file not found in line clusters: %s", name) 71 | line_cluster_warned.add(name) 72 | return [line] 73 | for x in line_clusters[name]: 74 | if line in x: 75 | return x 76 | return [line] 77 | 78 | 79 | def read_pointers(file): 80 | pointer_list = [] 81 | with file.open("rb") as fd: 82 | while True: 83 | pointer_buf = fd.read(8) 84 | if not pointer_buf: 85 | break 86 | pointer = struct.unpack("> 6) << 6) == len(pointers): 129 | # This is fine, AFL++ increases the bitmap size to a multiple of 64 130 | # and we can just truncate the bitmap back to the right length. 131 | bitmap = bitmap[:len(pointers)] 132 | else: 133 | LOG.error("ERROR: Length mismatch: len(pointers) != len(bitmap)") 134 | sys.exit(1) 135 | 136 | line_clusters = read_line_clusters(args.line_clusters) 137 | 138 | merged_locations = [""] * len(bitmap) 139 | 140 | unresolved = 0 141 | covered = 0 142 | 143 | for mod_path, (start_idx, stop_idx) in modinfo.items(): 144 | addresses = [] 145 | 146 | for idx, pointer in enumerate(pointers): 147 | if start_idx <= idx < stop_idx: 148 | if pointer == 0: 149 | unresolved += 1 150 | # Important to be able to match entries to original bitmap by index 151 | addresses.append("") 152 | else: 153 | addresses.append(str(pointer)) 154 | if bitmap[idx] > 0: 155 | covered += 1 156 | 157 | locations = symbolize(addresses, mod_path) 158 | 159 | for idx, location in enumerate(locations): 160 | merged_locations[start_idx + idx] = location 161 | 162 | LOG.info("Total unresolved: %d", unresolved) 163 | LOG.info("Total covered: %d", covered) 164 | LOG.info("Total uncovered: %d", len(bitmap) - covered) 165 | 166 | covobj = { 167 | "source_files": [], 168 | "git": {"head": {"id": args.scm_rev}, "branch": "main"}, 169 | } 170 | 171 | name2obj = {} 172 | 173 | for idx, locations in enumerate(merged_locations): 174 | # Check if this is an unresolvable location 175 | if not locations: 176 | continue 177 | 178 | for location in locations: 179 | name = location["filename"] 180 | line = location["line"] 181 | 182 | name = name.replace(args.build_prefix, "", 1) 183 | if name.startswith("objdir"): 184 | continue 185 | 186 | if not line: 187 | # Line 0 usually means this location cannot be resolved 188 | # to any line in source code. 189 | continue 190 | 191 | if name not in name2obj: 192 | source_file = {"name": name, "coverage": [None] * line} 193 | 194 | name2obj[name] = source_file 195 | covobj["source_files"].append(source_file) 196 | 197 | lines = get_line_cluster(line_clusters, name, line) 198 | 199 | for line in lines: 200 | while len(name2obj[name]["coverage"]) <= line: 201 | name2obj[name]["coverage"].append(None) 202 | name2obj[name]["coverage"][line - 1] = bitmap[idx] 203 | 204 | with args.outfile.open("w") as fd: 205 | json.dump(covobj, fd) 206 | 207 | 208 | if __name__ == "__main__": 209 | main() 210 | -------------------------------------------------------------------------------- /code-coverage/postprocess-gcno.py: -------------------------------------------------------------------------------- 1 | # This Source Code Form is subject to the terms of the Mozilla Public 2 | # License, v. 2.0. If a copy of the MPL was not distributed with this 3 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. 4 | 5 | from argparse import ArgumentParser 6 | from os import SEEK_CUR 7 | from pathlib import Path 8 | import json 9 | import logging 10 | import re 11 | import struct 12 | import sys 13 | 14 | GCOV_TAG_FUNCTION = b"\x00\x00\x00\x01" 15 | GCOV_TAG_BLOCKS = b"\x00\x00\x41\x01" 16 | GCOV_TAG_ARCS = b"\x00\x00\x43\x01" 17 | GCOV_TAG_LINES = b"\x00\x00\x45\x01" 18 | GCOV_TAG_COUNTER_ARCS = b"\x00\x00\xa1\x01" 19 | GCOV_TAG_OBJECT_SUMMARY = b"\x00\x00\x00\xa1" 20 | GCOV_TAG_PROGRAM_SUMMARY = b"\x00\x00\x00\xa3" 21 | GCOV_TAG_END = b"\x00\x00\x00\x00" 22 | 23 | LOG = logging.getLogger(__file__) 24 | 25 | 26 | def normalize_filename(nm): 27 | result = nm 28 | while True: 29 | result, changes = re.subn(r'(/|^)([^"/]+/\.\.|\.)/', r"\1", result) 30 | if not changes: 31 | break 32 | if result != nm: 33 | LOG.debug("resolved %s to %s", nm, result) 34 | return result 35 | 36 | 37 | class SetEncoder(json.JSONEncoder): 38 | def default(self, o): 39 | if isinstance(o, set): 40 | return list(o) 41 | return super().default(o) 42 | 43 | 44 | class GCNOReader: 45 | def __init__(self, filename): 46 | self.fp = filename.open("rb") 47 | # magic_number 48 | if self.fp.read(4) != b"oncg": 49 | raise RuntimeError(f"File does not look like gcno: {filename}") 50 | self.skip(4) # version 51 | self.skip(4) # checksum 52 | 53 | def __enter__(self): 54 | return self 55 | 56 | def __exit__(self, *_exc): 57 | self.fp.close() 58 | self.fp = None 59 | 60 | def read_tag(self): 61 | tag = self.fp.read(4) 62 | length = self.read_int() 63 | return (tag, length) 64 | 65 | def read_int(self): 66 | data = self.fp.read(4) 67 | return struct.unpack(" 0: 141 | if not src_file: 142 | LOG.error("No source file in block?") 143 | sys.exit(1) 144 | if self.target_file is None or src_file.endswith( 145 | self.target_file 146 | ): 147 | blocks[block_no]["lines"].append(line_no) 148 | else: 149 | src_file = fd.read_string() 150 | if not src_file: 151 | break 152 | src_file = normalize_filename(src_file) 153 | src_file = src_file.replace(self.prefix, "", 1) 154 | 155 | if not blocks_recorded and ( 156 | self.target_file is None 157 | or src_file.endswith(self.target_file) 158 | ): 159 | if src_file not in local_blocks: 160 | local_blocks[src_file] = [blocks] 161 | LOG.info( 162 | "Reading block for %s, expecting %d blocks", 163 | src_file, 164 | len(blocks), 165 | ) 166 | elif src_file in local_blocks: 167 | LOG.info( 168 | "Got another src_file for %s, now expecting %d blocks", 169 | src_file, 170 | len(blocks), 171 | ) 172 | local_blocks[src_file].append(blocks) 173 | 174 | # This loop actually alternates between reading lines and reading strings. 175 | # That means, it reads the same file string multiple times without actually 176 | # entering a new `GCOV_TAG_BLOCKS` section. We must avoid adding `blocks` 177 | # times or we end up duplicating a lot of lines. 178 | blocks_recorded = True 179 | 180 | elif blocks_recorded: 181 | if len(blocks) != len(local_blocks[src_file][-1]): 182 | LOG.error("ERROR: Size mismatch?!") 183 | sys.exit(1) 184 | 185 | else: 186 | raise ValueError(f"Invalid block number: {block_no}") 187 | 188 | else: 189 | raise ValueError(f"Invalid tag: {tag}") 190 | 191 | for src_file in local_blocks: 192 | self.blocks.setdefault(src_file, set()) 193 | for blocks in local_blocks[src_file]: 194 | for x in blocks: 195 | if x["lines"]: 196 | self.blocks[src_file].add(tuple(x["lines"])) 197 | 198 | 199 | def test_normalize_filename(): 200 | assert normalize_filename("./file.h") == "file.h" 201 | assert normalize_filename("../file.h") == "../file.h" 202 | assert normalize_filename("/path/../file.h") == "/file.h" 203 | assert normalize_filename("path/../file.h") == "file.h" 204 | assert normalize_filename("path/a/b/../../file.h") == "path/file.h" 205 | assert normalize_filename("path/a/../b/../file.h") == "path/file.h" 206 | assert normalize_filename("path/./a/file.h") == "path/a/file.h" 207 | assert normalize_filename("path/././a/file.h") == "path/a/file.h" 208 | 209 | 210 | def main(): 211 | parser = ArgumentParser(prog=Path(__file__).name) 212 | parser.add_argument("outfile", type=Path, help="Output file.") 213 | parser.add_argument( 214 | "target", type=Path, help="Path to gcno file or directory of gcno files." 215 | ) 216 | parser.add_argument("prefix", help="Strip prefix.") 217 | parser.add_argument( 218 | "target_file", nargs="?", help="Restrict results to a single source file." 219 | ) 220 | parser.add_argument( 221 | "-v", "--verbose", action="store_true", help="Verbose debug logging." 222 | ) 223 | args = parser.parse_args() 224 | logging.basicConfig( 225 | format="%(message)s", level=logging.DEBUG if args.verbose else logging.WARN 226 | ) 227 | 228 | processor = GCNOProcessor(args.prefix, args.target_file) 229 | processor.process_path(args.target) 230 | processor.dump(args.outfile) 231 | 232 | 233 | if __name__ == "__main__": 234 | main() 235 | -------------------------------------------------------------------------------- /preload/harness/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS?=-O2 -m64 -g -Wall -Werror -Wno-unused -Wno-unused-result 2 | 3 | SOURCES=\ 4 | src/afl_runtime.c \ 5 | src/firefox_hooks.c \ 6 | src/ld_preload_fuzz.c \ 7 | src/afl_glue.c \ 8 | src/fuzz.c \ 9 | src/stats.c \ 10 | src/crash_handler.c \ 11 | src/moz_interface.c 12 | 13 | all: bin64/ld_preload_fuzz.so bin64/ld_preload_fuzz_no_pt.so bin64/ld_preload_fuzz_no_pt_repro.so 14 | 15 | clean: 16 | $(RM) bin64/ld_preload_fuzz.so bin64/ld_preload_fuzz_no_pt.so bin64/ld_preload_fuzz_no_pt_repro.so 17 | 18 | bin64/ld_preload_fuzz.so: $(SOURCES) 19 | @mkdir -p "$(@D)" 20 | $(CC) -shared $(CFLAGS) $(CPPFLAGS) -fPIC $^ -o $@ -ldl -Isrc -ldw -lunwind -lssl -lcrypto 21 | 22 | bin64/ld_preload_fuzz_no_pt.so: $(SOURCES) 23 | @mkdir -p "$(@D)" 24 | $(CC) -shared $(CFLAGS) $(CPPFLAGS) -fPIC $^ -DNO_PT_NYX -o $@ -ldl -Isrc 25 | 26 | bin64/ld_preload_fuzz_no_pt_repro.so: $(SOURCES) 27 | @mkdir -p "$(@D)" 28 | $(CC) -shared $(CFLAGS) $(CPPFLAGS) -fPIC $^ -DNO_PT_NYX -DREPRODUCER -D__NOKAFL -o $@ -ldl -Isrc 29 | 30 | .PHONY: all clean 31 | -------------------------------------------------------------------------------- /preload/harness/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | cd "$(dirname "$0")" 4 | 5 | mkdir -p bin64/ 6 | mkdir -p sharedir/htools/ 7 | 8 | (cd ../../userspace-tools && sh compile_64.sh) 9 | cp ../../userspace-tools/bin64/h* sharedir/htools/ 10 | 11 | make -B all 12 | 13 | rm -f sharedir/ld_preload_fuzz.so sharedir/ld_preload_fuzz_no_pt.so 14 | cp bin64/ld_preload_fuzz.so bin64/ld_preload_fuzz_no_pt.so sharedir/ 15 | -------------------------------------------------------------------------------- /preload/harness/sharedir/README.md: -------------------------------------------------------------------------------- 1 | # sharedir for Nyx fuzzing 2 | 3 | Please see [our public automation repository](https://github.com/MozillaSecurity/orion/tree/master/services/nyx) for examples how to build a sharedir. 4 | -------------------------------------------------------------------------------- /preload/harness/src/afl_glue.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #include 6 | #include "afl_glue.h" 7 | #include "nyx.h" 8 | 9 | void no_op() {} 10 | 11 | void (*enable_afl_tracing_ptr)(void) = no_op; 12 | void (*disable_afl_tracing_ptr)(void) = no_op; 13 | void (*init_afl_tracing_ptr)(void) = no_op; 14 | 15 | void init_afl(void) { 16 | return; 17 | 18 | static int once = 0; 19 | if (once == 0) { 20 | assert(1337 == *((uint64_t*)0x100018)); 21 | enable_afl_tracing_ptr = *((void (**)(void))0x100000); 22 | disable_afl_tracing_ptr = *((void (**)(void))0x100008); 23 | init_afl_tracing_ptr = *((void (**)(void))0x100010); 24 | 25 | hprintf("[*] enable_afl_tracing_fptr at: %p\n", enable_afl_tracing_ptr); 26 | hprintf("[*] disable_afl_tracing_fptr at: %p\n", disable_afl_tracing_ptr); 27 | hprintf("[*] init_afl_tracing_ptr at: %p\n", init_afl_tracing_ptr); 28 | 29 | once = 1; 30 | } 31 | } 32 | 33 | void enable_afl_tracing_safe(void) { 34 | assert(enable_afl_tracing_ptr); 35 | enable_afl_tracing_ptr(); 36 | } 37 | 38 | void disable_afl_tracing_safe(void) { 39 | assert(disable_afl_tracing_ptr); 40 | disable_afl_tracing_ptr(); 41 | } 42 | 43 | void init_afl_tracing_safe(void) { 44 | assert(init_afl_tracing_ptr); 45 | init_afl_tracing_ptr(); 46 | } 47 | -------------------------------------------------------------------------------- /preload/harness/src/afl_glue.h: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #pragma once 6 | 7 | void init_afl(void); 8 | void enable_afl_tracing_safe(void); 9 | void disable_afl_tracing_safe(void); 10 | void init_afl_tracing_safe(void); 11 | -------------------------------------------------------------------------------- /preload/harness/src/afl_runtime.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "nyx.h" 10 | #include "afl_runtime.h" 11 | 12 | // Maximum path length on Linux 13 | #define PATH_MAX 4096 14 | 15 | // Maximum length of an uint32_t as string 16 | #define START_STOP_MAX 10 17 | 18 | __attribute__((weak)) extern afl_module_info_t* __afl_module_info; 19 | 20 | char* get_afl_modinfo_string() { 21 | if (!&__afl_module_info) { 22 | return NULL; 23 | } 24 | 25 | uint32_t cnt = 0; 26 | afl_module_info_t* start = __afl_module_info; 27 | 28 | hprintf("start is %p\n", start); 29 | 30 | while (start) { 31 | ++cnt; 32 | start = start->next; 33 | } 34 | 35 | if (!cnt) return NULL; 36 | 37 | // Allocate per entry enough space for: 38 | // 39 | // 1. One path 40 | // 2. Two pcguard start/stop offsets 41 | // 3. Two spaces and a trailing newline 42 | // 43 | // This is a very conservative allocation so we can just YOLO the rest. 44 | size_t bufsize = (PATH_MAX + START_STOP_MAX * 2 + 2 + 1) * cnt + 1; 45 | char* buf = malloc(bufsize); 46 | char* cur = buf; 47 | 48 | if (!buf) return NULL; 49 | 50 | start = __afl_module_info; 51 | 52 | while (start) { 53 | size_t namelen = strlen(start->name); 54 | 55 | memcpy(cur, start->name, namelen); 56 | cur += namelen; 57 | *cur = ' '; 58 | cur += 1; 59 | cur += sprintf(cur, "%u %u", *start->start, *start->stop); 60 | *cur = '\n'; 61 | cur += 1; 62 | 63 | start = start->next; 64 | } 65 | 66 | *cur = '\0'; 67 | 68 | return buf; 69 | } 70 | -------------------------------------------------------------------------------- /preload/harness/src/afl_runtime.h: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #include 6 | 7 | typedef struct afl_module_info_t afl_module_info_t; 8 | 9 | struct afl_module_info_t { 10 | // A unique id starting with 0 11 | uint32_t id; 12 | 13 | // Name and base address of the module 14 | char* name; 15 | uintptr_t base_address; 16 | 17 | // PC Guard start/stop 18 | uint32_t* start; 19 | uint32_t* stop; 20 | 21 | // PC Table begin/end 22 | uintptr_t* pcs_beg; 23 | uintptr_t* pcs_end; 24 | 25 | uint8_t mapped; 26 | 27 | afl_module_info_t* next; 28 | }; 29 | 30 | char* get_afl_modinfo_string(); 31 | -------------------------------------------------------------------------------- /preload/harness/src/config.h: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #pragma once 6 | 7 | // #define DEBUG 8 | 9 | // #define CATCH_MOZ_CRASH 10 | // #define CATCH_MOZ_ASSERT 11 | // #define CATCH_MOZ_RELEASE_ASSERT 12 | #define CATCH_MOZ_DIAGNOSTIC_ASSERT 13 | -------------------------------------------------------------------------------- /preload/harness/src/crash_handler.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #define _GNU_SOURCE 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include "nyx.h" 15 | #include "crash_handler.h" 16 | 17 | char* log_content = NULL; 18 | static bool ready = false; 19 | 20 | extern bool nyx_firefox_is_parent; 21 | extern bool asan_executable; 22 | 23 | void init_crash_handling(void) { 24 | if (!log_content) { 25 | log_content = malloc(LOG_CONTENT_SIZE); 26 | memset(log_content, 0x00, LOG_CONTENT_SIZE); 27 | } 28 | ready = true; 29 | } 30 | 31 | void fault_handler(int signo, siginfo_t* info, void* extra) { 32 | ucontext_t* context = (ucontext_t*)extra; 33 | uint64_t reason = 0x8000000000000000ULL | 34 | context->uc_mcontext.gregs[REG_RIP] | 35 | ((uint64_t)info->si_signo << 47); 36 | kAFL_hypercall(HYPERCALL_KAFL_PANIC, reason); 37 | } 38 | 39 | void setHandler(void (*handler)(int, siginfo_t*, void*)) { 40 | struct sigaction action; 41 | action.sa_flags = SA_SIGINFO; 42 | action.sa_sigaction = handler; 43 | 44 | int (*new_sigaction)(int signum, const struct sigaction* act, 45 | struct sigaction* oldact); 46 | new_sigaction = dlsym(RTLD_NEXT, "sigaction"); 47 | 48 | if (!asan_executable) { 49 | if (new_sigaction(SIGFPE, &action, NULL) == -1) { 50 | hprintf("sigfpe: sigaction"); 51 | _exit(1); 52 | } 53 | if (new_sigaction(SIGILL, &action, NULL) == -1) { 54 | hprintf("sigill: sigaction"); 55 | _exit(1); 56 | } 57 | 58 | if (new_sigaction(SIGSEGV, &action, NULL) == -1) { 59 | hprintf("sigsegv: sigaction"); 60 | _exit(1); 61 | } 62 | 63 | if (new_sigaction(SIGBUS, &action, NULL) == -1) { 64 | hprintf("sigbus: sigaction"); 65 | _exit(1); 66 | } 67 | if (new_sigaction(SIGABRT, &action, NULL) == -1) { 68 | hprintf("sigabrt: sigaction"); 69 | _exit(1); 70 | } 71 | if (new_sigaction(SIGIOT, &action, NULL) == -1) { 72 | hprintf("sigiot: sigaction"); 73 | _exit(1); 74 | } 75 | if (new_sigaction(SIGTRAP, &action, NULL) == -1) { 76 | hprintf("sigiot: sigaction"); 77 | _exit(1); 78 | } 79 | if (new_sigaction(SIGSYS, &action, NULL) == -1) { 80 | hprintf("sigsys: sigaction"); 81 | _exit(1); 82 | } 83 | hprintf("ALL SIGNAL HANDLERS ARE HOOKED!\n"); 84 | // kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, 0); 85 | } 86 | } 87 | 88 | int sigaction(int signum, const struct sigaction* act, 89 | struct sigaction* oldact) { 90 | int (*new_sigaction)(int signum, const struct sigaction* act, 91 | struct sigaction* oldact); 92 | new_sigaction = dlsym(RTLD_NEXT, "sigaction"); 93 | 94 | int ret_val = new_sigaction(signum, act, oldact); 95 | 96 | if (ready) { 97 | setHandler(fault_handler); 98 | } 99 | 100 | return ret_val; 101 | } 102 | 103 | void handle_asan(void) { 104 | char* log_file_path = NULL; 105 | 106 | if (!nyx_firefox_is_parent && !getenv("MOZ_LOG_CHILD_CRASHES")) { 107 | // Ignore content crashes unless explicitly requested 108 | while (1) { 109 | sleep(1); 110 | } 111 | } 112 | 113 | asprintf(&log_file_path, "/tmp/data.log.%d", getpid()); 114 | 115 | FILE* f = fopen(log_file_path, "r"); 116 | 117 | if (f) { 118 | if (log_content) { 119 | // A previous handler might haft left a diagnostic message in the log 120 | // already that we shouldn't overwrite. 121 | size_t log_content_size = strlen(log_content); 122 | fread(log_content + log_content_size, 123 | LOG_CONTENT_SIZE - log_content_size - 1, 1, f); 124 | } else { 125 | log_content = malloc(LOG_CONTENT_SIZE); 126 | memset(log_content, 0x00, LOG_CONTENT_SIZE); 127 | fread(log_content, LOG_CONTENT_SIZE - 1, 1, f); 128 | } 129 | fclose(f); 130 | 131 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 132 | } else { 133 | hprintf("ERROR: Cannot locate log_file at %s!?\n", log_file_path); 134 | } 135 | } 136 | 137 | void __assert(const char* func, const char* file, int line, 138 | const char* failedexpr) { 139 | sprintf(log_content, "HYPERCALL_KAFL_PANIC_EXTENDED: assert: %s %s %d: %s\n", 140 | func, file, line, failedexpr); 141 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 142 | } 143 | 144 | void _abort(void) { 145 | handle_asan(); 146 | sprintf(log_content, "HYPERCALL_KAFL_PANIC_EXTENDED: abort called: %p\n", 147 | __builtin_return_address(0)); 148 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 149 | while (1) { 150 | } 151 | } 152 | 153 | void abort(void) { 154 | handle_asan(); 155 | sprintf(log_content, "HYPERCALL_KAFL_PANIC_EXTENDED: abort called: %p\n", 156 | __builtin_return_address(0)); 157 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 158 | while (1) { 159 | } 160 | } 161 | 162 | void __abort(void) { 163 | handle_asan(); 164 | sprintf(log_content, "HYPERCALL_KAFL_PANIC_EXTENDED: abort called: %p\n", 165 | __builtin_return_address(0)); 166 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 167 | while (1) { 168 | } 169 | } 170 | 171 | void __assert_fail(const char* __assertion, const char* __file, 172 | unsigned int __line, const char* __function) { 173 | sprintf(log_content, "HYPERCALL_KAFL_PANIC_EXTENDED: assert: %s %s %d: %s\n", 174 | __function, __file, __line, __assertion); 175 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 176 | } 177 | 178 | void __assert_perror_fail(int __errnum, const char* __file, unsigned int __line, 179 | const char* __function) { 180 | sprintf(log_content, "HYPERCALL_KAFL_PANIC_EXTENDED: assert: %s %s %d: %d\n", 181 | __function, __file, __line, __errnum); 182 | kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uint64_t)log_content); 183 | } 184 | -------------------------------------------------------------------------------- /preload/harness/src/crash_handler.h: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | #define LOG_CONTENT_SIZE 0x10000 10 | 11 | void fault_handler(int signo, siginfo_t* info, void* extra); 12 | void setHandler(void (*handler)(int, siginfo_t*, void*)); 13 | 14 | void init_crash_handling(void); 15 | 16 | // Exported so it can be used internally as well. 17 | void __assert(const char* func, const char* file, int line, 18 | const char* failedexpr); 19 | -------------------------------------------------------------------------------- /preload/harness/src/firefox_hooks.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #define _GNU_SOURCE 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "config.h" 12 | #include "nyx.h" 13 | 14 | /* required to support kafl_panic hypercalls */ 15 | extern char* log_content; 16 | 17 | __attribute__((noreturn)) void firefox_handler_MOZ_CRASH(const char* aFilename, 18 | int aLine) { 19 | #ifndef CATCH_MOZ_CRASH 20 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 21 | #endif 22 | hprintf("Caught MOZ_CRASH at %s:%d\n", aFilename, aLine); 23 | sprintf(log_content, "Hit MOZ_CRASH() at %s:%d\n", aFilename, aLine); 24 | // Trigger a crash to also emit a trace through ASan 25 | *((volatile int*)0x1) = aLine; 26 | while (1) { 27 | } 28 | } 29 | 30 | __attribute__((noreturn)) void firefox_handler_MOZ_ASSERT(const char* aFilename, 31 | int aLine, 32 | const char* aReason) { 33 | #ifndef CATCH_MOZ_ASSERT 34 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 35 | #endif 36 | hprintf("Caught MOZ_ASSERT(%s) at %s:%d\n", aReason, aFilename, aLine); 37 | sprintf(log_content, "Assertion failure: %s, at %s:%d\n", aReason, aFilename, 38 | aLine); 39 | // Trigger a crash to also emit a trace through ASan 40 | *((volatile int*)0x1) = aLine; 41 | while (1) { 42 | } 43 | } 44 | 45 | __attribute__((noreturn)) void firefox_handler_MOZ_RELEASE_ASSERT( 46 | const char* aFilename, int aLine, const char* aReason) { 47 | #ifndef CATCH_MOZ_RELEASE_ASSERT 48 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 49 | #endif 50 | hprintf("Caught MOZ_RELEASE_ASSERT(%s) at %s:%d\n", aReason, aFilename, 51 | aLine); 52 | sprintf(log_content, "Assertion failure: %s, at %s:%d\n", aReason, aFilename, 53 | aLine); 54 | // Trigger a crash to also emit a trace through ASan 55 | *((volatile int*)0x1) = aLine; 56 | while (1) { 57 | } 58 | } 59 | 60 | __attribute__((noreturn)) void firefox_handler_MOZ_DIAGNOSTIC_ASSERT( 61 | const char* aFilename, int aLine, const char* aReason) { 62 | #ifndef CATCH_MOZ_DIAGNOSTIC_ASSERT 63 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 64 | #endif 65 | hprintf("Caught MOZ_DIAGNOSTIC_ASSERT(%s) at %s:%d\n", aReason, aFilename, 66 | aLine); 67 | sprintf(log_content, "Assertion failure: %s, at %s:%d\n", aReason, aFilename, 68 | aLine); 69 | // Trigger a crash to also emit a trace through ASan 70 | *((volatile int*)0x1) = aLine; 71 | while (1) { 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /preload/harness/src/fuzz.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #define _GNU_SOURCE 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include "fuzz.h" 17 | #include "config.h" 18 | #include "stats.h" 19 | #include "afl_glue.h" 20 | 21 | #include "nyx.h" 22 | 23 | #define PR_SET_NAME 15 /* Set process name */ 24 | #define PR_GET_NAME 16 /* Get process name */ 25 | 26 | extern bool nyx_firefox_is_parent; 27 | extern bool nyx_started; 28 | 29 | int prctl(int option, unsigned long arg2, unsigned long arg3, 30 | unsigned long arg4, unsigned long arg5) { 31 | static int (*__prctl)(int option, unsigned long arg2, unsigned long arg3, 32 | unsigned long arg4, unsigned long arg5) = NULL; 33 | 34 | if (!nyx_started && option == PR_SET_NAME) { 35 | if (nyx_firefox_is_parent) { 36 | hprintf("[*] %s: enabling AFL tracing on parent thread: %s\n", __func__, 37 | (char*)arg2); 38 | init_afl(); 39 | enable_afl_tracing_safe(); 40 | } 41 | 42 | // hprintf("PR_SET_NAME: %s by PID: %d TID: %d\n", (char*) arg2, getpid(), 43 | // gettid()); 44 | } 45 | 46 | if (__prctl == NULL) { 47 | __prctl = dlsym(RTLD_NEXT, "prctl"); 48 | } 49 | 50 | return __prctl(option, arg2, arg3, arg4, arg5); 51 | } 52 | -------------------------------------------------------------------------------- /preload/harness/src/fuzz.h: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #pragma once 6 | #include 7 | 8 | // Implemented in ld_preload_fuzz.c 9 | void nyx_init_start(void); 10 | uint32_t internal_get_owned_raw_fuzz_data(void** data); 11 | uint32_t internal_get_next_fuzz_data(void* data, uint32_t len); 12 | uint32_t internal_get_raw_fuzz_data(void* data, uint32_t len); 13 | 14 | // Implemented in firefox_hooks.c 15 | __attribute__((noreturn)) void firefox_handler_MOZ_CRASH(const char* aFilename, 16 | int aLine); 17 | __attribute__((noreturn)) void firefox_handler_MOZ_ASSERT(const char* aFilename, 18 | int aLine, 19 | const char* aReason); 20 | __attribute__((noreturn)) void firefox_handler_MOZ_RELEASE_ASSERT( 21 | const char* aFilename, int aLine, const char* aReason); 22 | __attribute__((noreturn)) void firefox_handler_MOZ_DIAGNOSTIC_ASSERT( 23 | const char* aFilename, int aLine, const char* aReason); 24 | -------------------------------------------------------------------------------- /preload/harness/src/ld_preload_fuzz.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #define _GNU_SOURCE 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include "nyx.h" 28 | #include "crash_handler.h" 29 | #include "config.h" 30 | #include "stats.h" 31 | 32 | #define PAYLOAD_SIZE (0x100000) // Maximum testcase size that AFL++ supports 33 | 34 | extern void __assert(const char* func, const char* file, int line, 35 | const char* failedexpr); 36 | #define INTERPRETER_ASSERT(x) \ 37 | do { \ 38 | if (x) { \ 39 | } else { \ 40 | __assert(__func__, __FILE__, __LINE__, #x); \ 41 | } \ 42 | } while (0) 43 | #define ASSERT(x) INTERPRETER_ASSERT(x) 44 | 45 | __attribute__((weak)) extern unsigned int __afl_final_loc; 46 | unsigned int* __afl_final_loc_ptr = &__afl_final_loc; 47 | 48 | __attribute__((weak)) extern uint8_t* __afl_area_ptr; 49 | 50 | __attribute__((weak)) extern uint32_t __afl_dictionary_len; 51 | uint32_t* __afl_dictionary_len_ptr = &__afl_dictionary_len; 52 | 53 | __attribute__((weak)) extern uint8_t* __afl_dictionary; 54 | uint8_t** __afl_dictionary_ptr = &__afl_dictionary; 55 | 56 | #ifdef REPRODUCER 57 | uint8_t global_payload_buffer[PAYLOAD_SIZE]; 58 | #else 59 | uint8_t* global_payload_buffer = NULL; 60 | #endif 61 | 62 | // We currently don't support running without AddressSanitizer but we might 63 | // in the future. 64 | bool asan_executable = true; 65 | 66 | uint32_t internal_get_owned_raw_fuzz_data(void** data) { 67 | uint8_t* payload_buffer = global_payload_buffer; 68 | uint8_t* payload_begin = payload_buffer + 4; 69 | uint32_t payload_size = *(uint32_t*)payload_buffer; 70 | 71 | *data = payload_begin; 72 | return payload_size; 73 | } 74 | 75 | uint32_t internal_get_raw_fuzz_data(void* data, uint32_t len) { 76 | uint8_t* payload_buffer = global_payload_buffer; 77 | uint8_t* payload_begin = payload_buffer + 4; 78 | uint32_t payload_size = *(uint32_t*)payload_buffer; 79 | uint32_t retlen = payload_size > len ? len : payload_size; 80 | memcpy(data, payload_begin, retlen); 81 | return retlen; 82 | } 83 | 84 | uint32_t internal_get_next_fuzz_data(void* data, uint32_t len) { 85 | static uint8_t* payload_pos = NULL; 86 | 87 | uint8_t* payload_buffer = global_payload_buffer; 88 | 89 | if (payload_pos == NULL) { 90 | payload_pos = payload_buffer + 4; 91 | #ifdef FUZZ_DEBUG 92 | hprintf( 93 | "DEBUG: internal_get_next_fuzz_data: Initializing payload_pos to %p\n", 94 | payload_pos); 95 | #endif 96 | } 97 | 98 | uint8_t* payload_begin = payload_buffer + 4; 99 | 100 | uint32_t payload_size = *(uint32_t*)payload_buffer; 101 | 102 | #ifdef FUZZ_DEBUG 103 | hprintf("DEBUG: internal_get_next_fuzz_data: payload_begin %p size %u\n", 104 | payload_begin, payload_size); 105 | #endif 106 | 107 | if (payload_pos + 3 >= payload_begin + payload_size) { 108 | // Need at least 3 bytes remaining 109 | return 0xFFFFFFFF; 110 | } 111 | 112 | uint16_t next_chunk_size = *(uint16_t*)(payload_pos)&0x7ff; 113 | payload_pos += sizeof(uint16_t); 114 | 115 | #ifdef FUZZ_DEBUG 116 | hprintf("DEBUG: internal_get_next_fuzz_data: next_chunk_size %u len %u\n", 117 | next_chunk_size, len); 118 | #endif 119 | 120 | next_chunk_size = next_chunk_size > len ? len : next_chunk_size; 121 | 122 | size_t remaining = payload_begin + payload_size - payload_pos; 123 | 124 | next_chunk_size = next_chunk_size > remaining ? remaining : next_chunk_size; 125 | 126 | #ifdef FUZZ_DEBUG 127 | hprintf("DEBUG: internal_get_next_fuzz_data: remaining %u\n", remaining); 128 | #endif 129 | 130 | memcpy(data, payload_pos, next_chunk_size); 131 | payload_pos += next_chunk_size; 132 | 133 | return next_chunk_size; 134 | } 135 | 136 | void* trace_buffer = NULL; 137 | void* pcmap_buffer = NULL; 138 | size_t pcmap_buffer_size = 0; 139 | 140 | int _mlock(void* dst, size_t size) { return syscall(SYS_mlock, dst, size); } 141 | 142 | int _munlock(void* dst, size_t size) { return syscall(SYS_munlock, dst, size); } 143 | 144 | int _mlockall(int flags) { return syscall(SYS_mlockall, flags); } 145 | 146 | pid_t _fork(void) { return syscall(SYS_fork); } 147 | 148 | void init_trace_buffers() { 149 | static bool done = false; 150 | 151 | if (!done) { 152 | char* map_size = getenv("AFL_MAP_SIZE"); 153 | uint32_t bitmap_size = atoi(map_size); 154 | 155 | trace_buffer = mmap((void*)NULL, bitmap_size, PROT_READ | PROT_WRITE, 156 | MAP_SHARED | MAP_ANONYMOUS, -1, 0); 157 | memset(trace_buffer, 0xff, bitmap_size); 158 | mlock(trace_buffer, bitmap_size); 159 | 160 | hprintf("[*] %s: trace_buffer = %p\n", __func__, trace_buffer); 161 | 162 | if (!!getenv("MOZ_FUZZ_COVERAGE")) { 163 | pcmap_buffer_size = bitmap_size * sizeof(void*); 164 | pcmap_buffer = 165 | mmap((void*)NULL, pcmap_buffer_size, PROT_READ | PROT_WRITE, 166 | MAP_SHARED | MAP_ANONYMOUS, -1, 0); 167 | memset(pcmap_buffer, 0x00, pcmap_buffer_size); 168 | mlock(pcmap_buffer, pcmap_buffer_size); 169 | 170 | hprintf("[*] %s: pcmap_buffer = %p\n", __func__, pcmap_buffer); 171 | } 172 | 173 | done = true; 174 | } 175 | } 176 | 177 | void capabilites_configuration(bool timeout_detection, bool agent_tracing, 178 | bool ijon_tracing) { 179 | static bool done = false; 180 | 181 | if (!done) { 182 | hprintf("[*] %s: agent_tracing: %d\n", __func__, agent_tracing); 183 | agent_config_t agent_config = {0}; 184 | 185 | agent_config.agent_magic = NYX_AGENT_MAGIC; 186 | agent_config.agent_version = NYX_AGENT_VERSION; 187 | 188 | agent_config.agent_timeout_detection = (uint8_t)timeout_detection; 189 | agent_config.agent_tracing = (uint8_t)agent_tracing; 190 | 191 | agent_config.agent_ijon_tracing = 0; 192 | agent_config.ijon_trace_buffer_vaddr = (uintptr_t)NULL; 193 | 194 | /* AFL++ LTO support */ 195 | if (__afl_final_loc_ptr) { 196 | uint32_t bitmap_size; 197 | if (!!getenv("MOZ_FUZZ_COVERAGE")) { 198 | bitmap_size = atoi(getenv("AFL_MAP_SIZE")); 199 | } else { 200 | bitmap_size = __afl_final_loc == 0 ? 65536 : __afl_final_loc; 201 | } 202 | 203 | hprintf("[capablities] overwriting bitmap_size: 0x%x\n", bitmap_size); 204 | agent_config.coverage_bitmap_size = bitmap_size; 205 | } 206 | 207 | hprintf("[capablities] trace_buffer: %p __afl_area_ptr: %p \n", 208 | trace_buffer, __afl_area_ptr); 209 | 210 | agent_config.trace_buffer_vaddr = (uint64_t)trace_buffer; 211 | agent_config.agent_non_reload_mode = 0; 212 | 213 | kAFL_hypercall(HYPERCALL_KAFL_SET_AGENT_CONFIG, (uintptr_t)&agent_config); 214 | done = true; 215 | } 216 | } 217 | 218 | void dump_mappings(void) { 219 | char filename[256]; 220 | 221 | char* buffer = malloc(0x1000); 222 | 223 | kafl_dump_file_t file_obj = {0}; 224 | 225 | file_obj.file_name_str_ptr = (uint64_t) "proc_maps.txt"; 226 | file_obj.append = 0; 227 | file_obj.bytes = 0; 228 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uint64_t)(&file_obj)); 229 | file_obj.append = 1; 230 | 231 | snprintf(filename, 256, "/proc/%d/maps", getpid()); 232 | 233 | FILE* f = fopen(filename, "r"); 234 | uint32_t len = 0; 235 | while (1) { 236 | len = fread(buffer, 1, 0x1000, f); 237 | if (!len) { 238 | break; 239 | } else { 240 | file_obj.bytes = len; 241 | file_obj.data_ptr = (uint64_t)buffer; 242 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uint64_t)(&file_obj)); 243 | } 244 | } 245 | fclose(f); 246 | } 247 | 248 | static void check_afl_auto_dict() { 249 | /* copy AFL autodict over to host */ 250 | if (__afl_dictionary_len_ptr && __afl_dictionary_ptr) { 251 | if (__afl_dictionary_len && __afl_dictionary) { 252 | _mlock((void*)__afl_dictionary, (size_t)__afl_dictionary_len); 253 | kafl_dump_file_t file_obj = {0}; 254 | file_obj.file_name_str_ptr = (uintptr_t) "afl_autodict.txt"; 255 | file_obj.append = 1; 256 | file_obj.bytes = __afl_dictionary_len; 257 | file_obj.data_ptr = (uintptr_t)__afl_dictionary; 258 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t)(&file_obj)); 259 | _munlock((void*)__afl_dictionary, (size_t)__afl_dictionary_len); 260 | } 261 | } 262 | } 263 | 264 | void nyx_init_start(void) { 265 | static bool already_called = false; 266 | ASSERT(!already_called); 267 | already_called = true; 268 | 269 | dump_mappings(); 270 | check_afl_auto_dict(); 271 | 272 | #if defined(REDIRECT_STDERR_TO_HPRINTF) || defined(REDIRECT_STDOUT_TO_HPRINTF) 273 | char buf[HPRINTF_MAX_SIZE]; 274 | #endif 275 | printf("nyx_init_start\n"); 276 | 277 | remove("/tmp/target_executable"); 278 | 279 | struct rlimit r; 280 | int fd, fd2 = 0; 281 | int pipefd[2]; 282 | int ret = pipe(pipefd); 283 | 284 | #ifndef REPRODUCER 285 | 286 | # ifdef REDIRECT_STDERR_TO_HPRINTF 287 | int pipe_stderr_hprintf[2]; 288 | ret = pipe(pipe_stderr_hprintf); 289 | # endif 290 | # ifdef REDIRECT_STDOUT_TO_HPRINTF 291 | int pipe_stdout_hprintf[2]; 292 | ret = pipe(pipe_stdout_hprintf); 293 | # endif 294 | 295 | #endif 296 | 297 | struct iovec iov; 298 | int pid; 299 | int status = 0; 300 | int res = 0; 301 | int i; 302 | 303 | uint64_t memlimit_200 = 200; 304 | r.rlim_max = (rlim_t)(memlimit_200 << 20); 305 | r.rlim_cur = (rlim_t)(memlimit_200 << 20); 306 | 307 | #ifndef REPRODUCER 308 | /* check via env var if we should disable stdout/stderr -> might be useful for 309 | * debug purposes */ 310 | dup2(open("/dev/null", O_WRONLY), STDOUT_FILENO); 311 | dup2(open("/dev/null", O_WRONLY), STDERR_FILENO); 312 | 313 | kAFL_payload* payload_buffer = mmap((void*)NULL, PAYLOAD_SIZE, PROT_READ, 314 | MAP_SHARED | MAP_ANONYMOUS, -1, 0); 315 | 316 | _mlock(payload_buffer, (size_t)PAYLOAD_SIZE); 317 | global_payload_buffer = (uint8_t*)payload_buffer; 318 | 319 | kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uintptr_t)payload_buffer); 320 | 321 | hprintf("payload_buffer at %p\n", payload_buffer); 322 | 323 | kAFL_ranges* range_buffer = mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, 324 | MAP_SHARED | MAP_ANONYMOUS, -1, 0); 325 | memset(range_buffer, 0xff, 0x1000); 326 | kAFL_hypercall(HYPERCALL_KAFL_USER_RANGE_ADVISE, (uintptr_t)range_buffer); 327 | 328 | for (i = 0; i < 4; i++) { 329 | hprintf("Range %d Enabled: %x\t(%" PRIx64 "-%" PRIx64 ")\n", i, 330 | (uint8_t)range_buffer->enabled[i], range_buffer->ip[i], 331 | range_buffer->size[i]); 332 | } 333 | 334 | # if defined(__i386__) 335 | kAFL_hypercall(HYPERCALL_KAFL_USER_SUBMIT_MODE, KAFL_MODE_32); 336 | # elif defined(__x86_64__) 337 | kAFL_hypercall(HYPERCALL_KAFL_USER_SUBMIT_MODE, KAFL_MODE_64); 338 | # endif 339 | 340 | #endif 341 | 342 | if (!asan_executable) { 343 | setrlimit(RLIMIT_AS, &r); 344 | } 345 | 346 | hprintf("============================YOOOOO\n\n\n\n\n"); 347 | 348 | uint8_t mlock_enabled = 1; 349 | 350 | hprintf("asan_executable -> %d\n", asan_executable); 351 | 352 | if (!asan_executable) { 353 | if (_mlockall(MCL_CURRENT)) { 354 | hprintf("mlockall(MCL_CURRENT) failed!\n"); 355 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, 0); 356 | } 357 | } 358 | 359 | setHandler(fault_handler); 360 | 361 | hprintf("========================================================\n"); 362 | 363 | while (1) { 364 | if (!asan_executable) { 365 | if (mlock_enabled) { 366 | setHandler(fault_handler); 367 | if (_mlockall(MCL_CURRENT)) { 368 | hprintf("mlockall(MCL_CURRENT) failed!\n"); 369 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, 0); 370 | } 371 | } 372 | } 373 | 374 | kAFL_hypercall(HYPERCALL_KAFL_USER_FAST_ACQUIRE, 0); 375 | 376 | #ifdef REPRODUCER 377 | memset(global_payload_buffer, 0, PAYLOAD_SIZE); 378 | FILE* TFILE = fopen(getenv("MOZ_FUZZ_TESTFILE"), "r"); 379 | if (!TFILE) { 380 | fprintf(stderr, "Can't open specified file: %s\n", 381 | getenv("MOZ_FUZZ_TESTFILE")); 382 | exit(1); 383 | } 384 | fread(global_payload_buffer, 1, PAYLOAD_SIZE, TFILE); 385 | #endif 386 | 387 | #ifdef REDIRECT_STDERR_TO_HPRINTF 388 | dup2(pipe_stderr_hprintf[1], STDERR_FILENO); 389 | close(pipe_stderr_hprintf[0]); 390 | #endif 391 | #ifdef REDIRECT_STDOUT_TO_HPRINTF 392 | dup2(pipe_stdout_hprintf[1], STDOUT_FILENO); 393 | close(pipe_stdout_hprintf[0]); 394 | #endif 395 | return; 396 | } 397 | } 398 | 399 | bool file_exists(char* filename) { 400 | struct stat buffer; 401 | return (stat(filename, &buffer) == 0); 402 | } 403 | 404 | bool get_parent_process(int argc, char** ubp_av) { 405 | bool is_parent_process = false; 406 | for (int i = 0; i < argc; i++) { 407 | if (!strcmp(ubp_av[i], "-parentBuildID")) { 408 | is_parent_process = true; 409 | } 410 | } 411 | 412 | is_parent_process = true; 413 | 414 | if (is_parent_process && !file_exists("/tmp/firefox_fuzzing_lock")) { 415 | close(open("/tmp/firefox_fuzzing_lock", O_CREAT | O_WRONLY, 777)); 416 | return true; 417 | } 418 | return false; 419 | } 420 | 421 | /* verify that we only monitor our non-sandboxed parent process */ 422 | bool nyx_firefox_is_parent = false; 423 | 424 | char* getenv(const char* name) { 425 | char* (*_getenv)(const char* name) = dlsym(RTLD_NEXT, "getenv"); 426 | 427 | if (!strcmp(name, "__AFL_SHM_ID")) { 428 | hprintf("[*] %s: AFL instrumentation requesting __AFL_SHM_ID\n", __func__); 429 | return "5134680"; 430 | } 431 | 432 | if (!strcmp(name, "__AFL_PCMAP_SHM_ID")) { 433 | hprintf("[*] %s: AFL instrumentation requesting __AFL_PCMAP_SHM_ID\n", 434 | __func__); 435 | return "5134681"; 436 | } 437 | 438 | return _getenv(name); 439 | } 440 | 441 | void* shmat(int shmid, const void* shmaddr, int shmflg) { 442 | if (shmid == 5134680) { 443 | init_trace_buffers(); 444 | 445 | hprintf("[%d] AFL BITMAP IS at: %p\n", getpid(), trace_buffer); 446 | return trace_buffer; 447 | } 448 | 449 | if (shmid == 5134681) { 450 | return pcmap_buffer; 451 | } 452 | 453 | void* (*_shmat)(int shmid, const void* shmaddr, int shmflg) = 454 | dlsym(RTLD_NEXT, "shmat"); 455 | return _shmat(shmid, shmaddr, shmflg); 456 | } 457 | 458 | int __libc_start_main(int (*main)(int, char**, char**), int argc, char** ubp_av, 459 | void (*init)(void), void (*fini)(void), 460 | void (*rtld_fini)(void), void(*stack_end)) { 461 | int (*original__libc_start_main)(int (*main)(int, char**, char**), int argc, 462 | char** ubp_av, void (*init)(void), 463 | void (*fini)(void), void (*rtld_fini)(void), 464 | void(*stack_end)); 465 | 466 | original__libc_start_main = dlsym(RTLD_NEXT, "__libc_start_main"); 467 | 468 | nyx_firefox_is_parent = get_parent_process(argc, ubp_av); 469 | 470 | init_trace_buffers(); 471 | if (nyx_firefox_is_parent) { 472 | hprintf("[*] Parent: %d\n", getpid()); 473 | } else { 474 | hprintf("[*] New child: %d\n", getpid()); 475 | if (!!getenv("MOZ_FUZZ_PRIORITIZE_PARENT")) { 476 | setpriority(PRIO_PROCESS, 0, 10); 477 | } 478 | } 479 | 480 | return original__libc_start_main(main, argc, ubp_av, init, fini, rtld_fini, 481 | stack_end); 482 | } 483 | -------------------------------------------------------------------------------- /preload/harness/src/moz_interface.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #include "config.h" 6 | 7 | #define _GNU_SOURCE 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include "nyx.h" 15 | #include "crash_handler.h" 16 | #include "fuzz.h" 17 | #include "stats.h" 18 | #include "afl_runtime.h" 19 | 20 | /* 21 | * This file defines a set of APIs exposed to mozilla-central 22 | * for the purpose of implementing the NYX interface in our 23 | * codebase. Any changes or extensions to this interface must 24 | * be reflected in tools/fuzzing/nyx/ in mozilla-central as well. 25 | */ 26 | 27 | // External function to configure agent capabilities 28 | void capabilites_configuration(bool timeout_detection, bool agent_tracing, 29 | bool ijon_tracing); 30 | 31 | // This is the per-iteration trace buffer used by AFL for coverage 32 | extern unsigned char* trace_buffer; 33 | 34 | // External reference to the buffer holding all PCs (from pc-table) 35 | extern void* pcmap_buffer; 36 | extern size_t pcmap_buffer_size; 37 | 38 | // Used to suppress output with MOZ_FUZZ_NYX_QUIET 39 | static bool nyx_quiet = false; 40 | 41 | // Used by prctl interceptor 42 | bool nyx_started = false; 43 | 44 | void check_host_config(host_config_t host_config) { 45 | if (host_config.host_magic != NYX_HOST_MAGIC) { 46 | hprintf( 47 | "Error: NYX_HOST_MAGIC not found in host configuration - You are " 48 | "probably using an outdated version of QEMU-Nyx..."); 49 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, 0); 50 | } 51 | 52 | if (host_config.host_version != NYX_HOST_VERSION) { 53 | hprintf( 54 | "Error: NYX_HOST_VERSION not found in host configuration - You are " 55 | "probably using an outdated version of QEMU-Nyx..."); 56 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, 0); 57 | } 58 | 59 | hprintf("[*] %s: host_config.bitmap_size: 0x%x\n", __func__, 60 | host_config.bitmap_size); 61 | hprintf("[*] %s: host_config.ijon_bitmap_size: 0x%x\n", __func__, 62 | host_config.ijon_bitmap_size); 63 | hprintf("[*] %s: host_config.payload_buffer_size: 0x%x\n", __func__, 64 | host_config.payload_buffer_size); 65 | } 66 | 67 | void nyx_start(void) { 68 | // Stats use a persistent page, we need to make sure to initialize this 69 | // late enough so the process won't fork/exit afterwards. 70 | init_stats(); 71 | 72 | host_config_t host_config; 73 | kAFL_hypercall(HYPERCALL_KAFL_GET_HOST_CONFIG, (uintptr_t)&host_config); 74 | check_host_config(host_config); 75 | 76 | capabilites_configuration(false, true, true); 77 | nyx_quiet = !!getenv("MOZ_FUZZ_NYX_QUIET"); 78 | 79 | init_crash_handling(); 80 | 81 | if (!!getenv("MOZ_FUZZ_COVERAGE")) { 82 | // Write module info, this is the mapping of modules into address space 83 | char* modinfo = get_afl_modinfo_string(); 84 | if (modinfo) { 85 | upload_file_to_host(modinfo, strlen(modinfo), "modinfo.txt"); 86 | } 87 | 88 | // Write PC table, this is the mapping of coverage map index to PC 89 | upload_file_to_host(pcmap_buffer, pcmap_buffer_size, "pcmap.dump"); 90 | } 91 | 92 | nyx_init_start(); 93 | nyx_started = true; 94 | } 95 | 96 | uint32_t nyx_get_owned_raw_fuzz_data(void** data) { 97 | return internal_get_owned_raw_fuzz_data(data); 98 | } 99 | 100 | uint32_t nyx_get_raw_fuzz_data(void* data, uint32_t len) { 101 | return internal_get_raw_fuzz_data(data, len); 102 | } 103 | 104 | uint32_t nyx_get_next_fuzz_data(void* data, uint32_t len) { 105 | return internal_get_next_fuzz_data(data, len); 106 | } 107 | 108 | void nyx_release(uint32_t iterations) { 109 | on_iteration(iterations); 110 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 111 | } 112 | 113 | void nyx_handle_event(const char* type, const char* file, int line, 114 | const char* reason) { 115 | if (!strcmp(type, "MOZ_CRASH")) { 116 | on_moz_crash(); 117 | firefox_handler_MOZ_CRASH(file, line); 118 | } else if (!strcmp(type, "MOZ_ASSERT")) { 119 | on_moz_assert(); 120 | firefox_handler_MOZ_ASSERT(file, line, reason); 121 | } else if (!strcmp(type, "MOZ_RELEASE_ASSERT")) { 122 | on_moz_release_assert(); 123 | firefox_handler_MOZ_RELEASE_ASSERT(file, line, reason); 124 | } else if (!strcmp(type, "MOZ_DIAGNOSTIC_ASSERT")) { 125 | on_moz_diagnostic_assert(); 126 | firefox_handler_MOZ_DIAGNOSTIC_ASSERT(file, line, reason); 127 | } else if (!strcmp(type, "MOZ_IPC_DROP_PEER")) { 128 | on_drop_peer(); 129 | } else if (!strcmp(type, "MOZ_IPC_UNKNOWN_TYPE")) { 130 | on_msgtype_unknown(); 131 | } else if (!strcmp(type, "MOZ_IPC_DESERIALIZE_ERROR")) { 132 | on_msg_deserialize_error(); 133 | } else if (!strcmp(type, "MOZ_IPC_PROCESS_ERROR")) { 134 | on_msg_process_error(); 135 | } else if (!strcmp(type, "MOZ_IPC_ROUTE_ERROR")) { 136 | on_msg_route_error(); 137 | } else if (!strcmp(type, "MOZ_IPC_NOTALLOWED_ERROR")) { 138 | on_msg_notallowed_error(); 139 | } else if (!strcmp(type, "MOZ_TIMEOUT")) { 140 | on_timeout(); 141 | } else { 142 | #ifdef DEBUG 143 | __assert(__func__, __FILE__, __LINE__, "Unknown event type"); 144 | #else 145 | hprintf("Unknown event type: %s\n", type); 146 | #endif 147 | } 148 | } 149 | 150 | void nyx_puts(const char* msgbuf) { 151 | if (!nyx_quiet) { 152 | hprintf("%s", msgbuf); 153 | } 154 | } 155 | 156 | void nyx_dump_file(void* buffer, size_t len, const char* filename) { 157 | upload_file_to_host(buffer, len, filename); 158 | } 159 | -------------------------------------------------------------------------------- /preload/harness/src/nyx.h: -------------------------------------------------------------------------------- 1 | /* 2 | This file is part of NYX. 3 | 4 | Copyright (c) 2021 Sergej Schumilo 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | The above copyright notice and this permission notice shall be included in all 12 | copies or substantial portions of the Software. 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 20 | */ 21 | #ifndef KAFL_USER_H 22 | #define KAFL_USER_H 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #ifndef __MINGW64__ 30 | #include 31 | #endif 32 | 33 | #ifdef __MINGW64__ 34 | #ifndef uint64_t 35 | #define uint64_t UINT64 36 | #endif 37 | #ifndef int32_t 38 | #define int32_t INT32 39 | #endif 40 | #ifndef uint8_t 41 | #define uint8_t UINT8 42 | #endif 43 | #else 44 | #include 45 | #endif 46 | 47 | #define HYPERCALL_KAFL_RAX_ID 0x01f 48 | #define HYPERCALL_KAFL_ACQUIRE 0 49 | #define HYPERCALL_KAFL_GET_PAYLOAD 1 50 | 51 | /* deprecated */ 52 | #define HYPERCALL_KAFL_GET_PROGRAM 2 53 | /* deprecated */ 54 | #define HYPERCALL_KAFL_GET_ARGV 3 55 | 56 | #define HYPERCALL_KAFL_RELEASE 4 57 | #define HYPERCALL_KAFL_SUBMIT_CR3 5 58 | #define HYPERCALL_KAFL_SUBMIT_PANIC 6 59 | 60 | /* deprecated */ 61 | #define HYPERCALL_KAFL_SUBMIT_KASAN 7 62 | 63 | #define HYPERCALL_KAFL_PANIC 8 64 | 65 | /* deprecated */ 66 | #define HYPERCALL_KAFL_KASAN 9 67 | #define HYPERCALL_KAFL_LOCK 10 68 | 69 | /* deprecated */ 70 | #define HYPERCALL_KAFL_INFO 11 71 | 72 | #define HYPERCALL_KAFL_NEXT_PAYLOAD 12 73 | #define HYPERCALL_KAFL_PRINTF 13 74 | 75 | /* deprecated */ 76 | #define HYPERCALL_KAFL_PRINTK_ADDR 14 77 | /* deprecated */ 78 | #define HYPERCALL_KAFL_PRINTK 15 79 | 80 | /* user space only hypercalls */ 81 | #define HYPERCALL_KAFL_USER_RANGE_ADVISE 16 82 | #define HYPERCALL_KAFL_USER_SUBMIT_MODE 17 83 | #define HYPERCALL_KAFL_USER_FAST_ACQUIRE 18 84 | /* 19 is already used for exit reason KVM_EXIT_KAFL_TOPA_MAIN_FULL */ 85 | #define HYPERCALL_KAFL_USER_ABORT 20 86 | #define HYPERCALL_KAFL_RANGE_SUBMIT 29 87 | #define HYPERCALL_KAFL_REQ_STREAM_DATA 30 88 | #define HYPERCALL_KAFL_PANIC_EXTENDED 32 89 | 90 | #define HYPERCALL_KAFL_CREATE_TMP_SNAPSHOT 33 91 | #define HYPERCALL_KAFL_DEBUG_TMP_SNAPSHOT 34 /* hypercall for debugging / development purposes */ 92 | 93 | #define HYPERCALL_KAFL_GET_HOST_CONFIG 35 94 | #define HYPERCALL_KAFL_SET_AGENT_CONFIG 36 95 | 96 | #define HYPERCALL_KAFL_DUMP_FILE 37 97 | 98 | #define HYPERCALL_KAFL_REQ_STREAM_DATA_BULK 38 99 | #define HYPERCALL_KAFL_PERSIST_PAGE_PAST_SNAPSHOT 39 100 | 101 | /* hypertrash only hypercalls */ 102 | #define HYPERTRASH_HYPERCALL_MASK 0xAA000000 103 | 104 | #define HYPERCALL_KAFL_NESTED_PREPARE (0 | HYPERTRASH_HYPERCALL_MASK) 105 | #define HYPERCALL_KAFL_NESTED_CONFIG (1 | HYPERTRASH_HYPERCALL_MASK) 106 | #define HYPERCALL_KAFL_NESTED_ACQUIRE (2 | HYPERTRASH_HYPERCALL_MASK) 107 | #define HYPERCALL_KAFL_NESTED_RELEASE (3 | HYPERTRASH_HYPERCALL_MASK) 108 | #define HYPERCALL_KAFL_NESTED_HPRINTF (4 | HYPERTRASH_HYPERCALL_MASK)gre 109 | 110 | #define HPRINTF_MAX_SIZE 0x1000 /* up to 4KB hprintf strings */ 111 | 112 | /* specific defines to enable support for NYX hypercalls on unmodified KVM builds */ 113 | /* PIO port number used by VMWare backdoor */ 114 | #define VMWARE_PORT 0x5658 115 | /* slightly changed RAX_ID to avoid vmware backdoor collisions */ 116 | #define HYPERCALL_KAFL_RAX_ID_VMWARE 0x8080801f 117 | 118 | typedef struct{ 119 | int32_t size; 120 | uint8_t data[]; 121 | } kAFL_payload; 122 | 123 | typedef struct{ 124 | uint64_t ip[4]; 125 | uint64_t size[4]; 126 | uint8_t enabled[4]; 127 | } kAFL_ranges; 128 | 129 | #define KAFL_MODE_64 0 130 | #define KAFL_MODE_32 1 131 | #define KAFL_MODE_16 2 132 | 133 | #if defined(__i386__) 134 | #define KAFL_HYPERCALL_NO_PT(_ebx, _ecx) ({ \ 135 | uint32_t _eax = HYPERCALL_KAFL_RAX_ID_VMWARE; \ 136 | do{ \ 137 | asm volatile( \ 138 | "outl %%eax, %%dx;" \ 139 | : "+a" (_eax) \ 140 | : "b" (_ebx), "c" (_ecx), "d" (VMWARE_PORT) \ 141 | : "cc", "memory" \ 142 | ); \ 143 | } while(0); \ 144 | _eax; \ 145 | }) 146 | 147 | #define KAFL_HYPERCALL_PT(_ebx, _ecx) ({ \ 148 | uint32_t _eax = HYPERCALL_KAFL_RAX_ID; \ 149 | do{ \ 150 | asm volatile( \ 151 | "vmcall;" \ 152 | : "+a" (_eax) \ 153 | : "b" (_ebx), "c" (_ecx) \ 154 | : "cc", "memory" \ 155 | ); \ 156 | } while(0); \ 157 | _eax; \ 158 | }) 159 | 160 | #else 161 | 162 | #define KAFL_HYPERCALL_NO_PT(_rbx, _rcx) ({ \ 163 | uint64_t _rax = HYPERCALL_KAFL_RAX_ID_VMWARE; \ 164 | do{ \ 165 | asm volatile( \ 166 | "outl %%eax, %%dx;" \ 167 | : "+a" (_rax) \ 168 | : "b" (_rbx), "c" (_rcx), "d" (VMWARE_PORT) \ 169 | : "cc", "memory" \ 170 | ); \ 171 | } while(0); \ 172 | _rax; \ 173 | }) 174 | 175 | #define KAFL_HYPERCALL_PT(_rbx, _rcx) ({ \ 176 | uint64_t _rax = HYPERCALL_KAFL_RAX_ID; \ 177 | do{ \ 178 | asm volatile( \ 179 | "vmcall;" \ 180 | : "+a" (_rax) \ 181 | : "b" (_rbx), "c" (_rcx) \ 182 | : "cc", "memory" \ 183 | ); \ 184 | } while(0); \ 185 | _rax; \ 186 | }) 187 | #endif 188 | 189 | 190 | #if defined(__i386__) 191 | #ifdef NO_PT_NYX 192 | 193 | #define KAFL_HYPERCALL(__rbx, __rcx) \ 194 | KAFL_HYPERCALL_NO_PT(_rbx, _rcx); \ 195 | }while(0) 196 | 197 | static inline uint32_t kAFL_hypercall(uint32_t rbx, uint32_t rcx){ 198 | return KAFL_HYPERCALL_NO_PT(rbx, rcx); 199 | } 200 | #else 201 | #define KAFL_HYPERCALL(__rbx, __rcx) \ 202 | KAFL_HYPERCALL_PT(_rbx, _rcx); \ 203 | }while(0) 204 | 205 | static inline uint32_t kAFL_hypercall(uint32_t rbx, uint32_t rcx){ 206 | # ifndef __NOKAFL 207 | return KAFL_HYPERCALL_PT(rbx, rcx); 208 | # endif 209 | return 0; 210 | } 211 | #endif 212 | #elif defined(__x86_64__) 213 | #ifdef NO_PT_NYX 214 | 215 | #define KAFL_HYPERCALL(__rbx, __rcx) \ 216 | KAFL_HYPERCALL_NO_PT(_rbx, _rcx); \ 217 | }while(0) 218 | 219 | static inline uint64_t kAFL_hypercall(uint64_t rbx, uint64_t rcx){ 220 | return KAFL_HYPERCALL_NO_PT(rbx, rcx); 221 | } 222 | #else 223 | #define KAFL_HYPERCALL(__rbx, __rcx) \ 224 | KAFL_HYPERCALL_PT(_rbx, _rcx); \ 225 | }while(0) 226 | 227 | static inline uint64_t kAFL_hypercall(uint64_t rbx, uint64_t rcx){ 228 | # ifndef __NOKAFL 229 | return KAFL_HYPERCALL_PT(rbx, rcx); 230 | # endif 231 | return 0; 232 | } 233 | #endif 234 | #endif 235 | 236 | //extern uint8_t* hprintf_buffer; 237 | 238 | static inline uint8_t alloc_hprintf_buffer(uint8_t** hprintf_buffer){ 239 | if(!*hprintf_buffer){ 240 | #ifdef __MINGW64__ 241 | *hprintf_buffer = (uint8_t*)VirtualAlloc(0, HPRINTF_MAX_SIZE, MEM_COMMIT, PAGE_READWRITE); 242 | #else 243 | *hprintf_buffer = (uint8_t*)mmap((void*)NULL, HPRINTF_MAX_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 244 | #endif 245 | if(!*hprintf_buffer){ 246 | return 0; 247 | } 248 | } 249 | return 1; 250 | } 251 | 252 | #ifdef __NOKAFL 253 | # define hprintf(...) fprintf(stderr, __VA_ARGS__) 254 | #else 255 | static void hprintf(const char * format, ...) __attribute__ ((unused)); 256 | 257 | static void hprintf(const char * format, ...){ 258 | static uint8_t* hprintf_buffer = NULL; 259 | 260 | va_list args; 261 | va_start(args, format); 262 | if(alloc_hprintf_buffer(&hprintf_buffer)){ 263 | vsnprintf((char*)hprintf_buffer, HPRINTF_MAX_SIZE, format, args); 264 | kAFL_hypercall(HYPERCALL_KAFL_PRINTF, (uintptr_t)hprintf_buffer); 265 | } 266 | //vprintf(format, args); 267 | va_end(args); 268 | } 269 | #endif 270 | 271 | static void habort(char* msg){ 272 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)msg); 273 | } 274 | 275 | #define NYX_HOST_MAGIC 0x4878794e 276 | #define NYX_AGENT_MAGIC 0x4178794e 277 | 278 | #define NYX_HOST_VERSION 2 279 | #define NYX_AGENT_VERSION 1 280 | 281 | typedef struct host_config_s{ 282 | uint32_t host_magic; 283 | uint32_t host_version; 284 | uint32_t bitmap_size; 285 | uint32_t ijon_bitmap_size; 286 | uint32_t payload_buffer_size; 287 | uint32_t worker_id; 288 | /* more to come */ 289 | } __attribute__((packed)) host_config_t; 290 | 291 | typedef struct agent_config_s{ 292 | uint32_t agent_magic; 293 | uint32_t agent_version; 294 | uint8_t agent_timeout_detection; 295 | uint8_t agent_tracing; 296 | uint8_t agent_ijon_tracing; 297 | uint8_t agent_non_reload_mode; 298 | uint64_t trace_buffer_vaddr; 299 | uint64_t ijon_trace_buffer_vaddr; 300 | uint32_t coverage_bitmap_size; 301 | uint32_t input_buffer_size; // TODO: remove this later 302 | 303 | uint8_t dump_payloads; /* set by hypervisor */ 304 | /* more to come */ 305 | } __attribute__((packed)) agent_config_t; 306 | 307 | typedef struct kafl_dump_file_s{ 308 | uint64_t file_name_str_ptr; 309 | uint64_t data_ptr; 310 | uint64_t bytes; 311 | uint8_t append; 312 | } __attribute__((packed)) kafl_dump_file_t; 313 | 314 | 315 | enum nyx_cpu_type{ 316 | unkown = 0, 317 | nyx_cpu_v1, /* Nyx CPU used by KVM-PT */ 318 | nyx_cpu_v2 /* Nyx CPU used by vanilla KVM + VMWare backdoor */ 319 | }; 320 | 321 | #define cpuid(in,a,b,c,d)\ 322 | asm("cpuid": "=a" (a), "=b" (b), "=c" (c), "=d" (d) : "a" (in)); 323 | 324 | static int is_nyx_vcpu(void){ 325 | unsigned long eax,ebx,ecx,edx; 326 | char str[8]; 327 | cpuid(0x80000004,eax,ebx,ecx,edx); 328 | 329 | for(int j=0;j<4;j++){ 330 | str[j] = eax >> (8*j); 331 | str[j+4] = ebx >> (8*j); 332 | } 333 | 334 | return !memcmp(&str, "NYX vCPU", 8); 335 | } 336 | 337 | static int get_nyx_cpu_type(void){ 338 | unsigned long eax,ebx,ecx,edx; 339 | char str[9]; 340 | cpuid(0x80000004,eax,ebx,ecx,edx); 341 | 342 | for(int j=0;j<4;j++){ 343 | str[j] = eax >> (8*j); 344 | str[j+4] = ebx >> (8*j); 345 | } 346 | 347 | if(memcmp(&str, "NYX vCPU", 8) != 0){ 348 | return unkown; 349 | } 350 | 351 | for(int j=0;j<4;j++){ 352 | str[j] = ecx >> (8*j); 353 | str[j+4] = edx >> (8*j); 354 | } 355 | 356 | if(memcmp(&str, " (NO-PT)", 8) != 0){ 357 | return nyx_cpu_v1; 358 | } 359 | 360 | return nyx_cpu_v2; 361 | 362 | str[8] = 0; 363 | printf("ECX: %s\n", str); 364 | } 365 | 366 | typedef struct req_data_bulk_s{ 367 | char file_name[256]; 368 | uint64_t num_addresses; 369 | uint64_t addresses[479]; 370 | } req_data_bulk_t; 371 | 372 | #endif 373 | -------------------------------------------------------------------------------- /preload/harness/src/stats.c: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #define _GNU_SOURCE 6 | #include 7 | #include 8 | #include 9 | #include "nyx.h" 10 | #include "stats.h" 11 | 12 | stats_t* fuzz_stats = NULL; 13 | 14 | #define FUZZ_STATS_SIZE 0x1000 15 | 16 | void init_stats() { 17 | fuzz_stats = (void*)mmap(NULL, FUZZ_STATS_SIZE, PROT_READ | PROT_WRITE, 18 | MAP_SHARED | MAP_ANONYMOUS, -1, 0); 19 | if ((void*)fuzz_stats == (void*)-1) { 20 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, 21 | (uint64_t) "parent: fuzz_stats mmap failed!\n"); 22 | } 23 | 24 | hprintf("[*] %s: mmap returned %p\n", __func__, fuzz_stats); 25 | memset((void*)fuzz_stats, 0, FUZZ_STATS_SIZE); 26 | mlock((void*)fuzz_stats, FUZZ_STATS_SIZE); 27 | 28 | kAFL_hypercall(HYPERCALL_KAFL_PERSIST_PAGE_PAST_SNAPSHOT, 29 | (uintptr_t)fuzz_stats); 30 | } 31 | 32 | void emit_stats() { 33 | hprintf("\n"); 34 | hprintf("*** Fuzzing Statistics ***\n"); 35 | hprintf("Total Iterations:\t\t%" PRIu64 "\n", fuzz_stats->event_iteration); 36 | hprintf("Event - Timeout:\t\t%" PRIu64 "\n", fuzz_stats->event_timeout); 37 | hprintf("Event - Drop Peer:\t\t%" PRIu64 "\n", fuzz_stats->event_drop_peer); 38 | hprintf("Event - Msg Type Unknown:\t\t%" PRIu64 "\n", 39 | fuzz_stats->event_msgtype_unknown); 40 | hprintf("Event - Msg Deserialize Error:\t\t%" PRIu64 "\n", 41 | fuzz_stats->event_msg_deserialize_error); 42 | hprintf("Event - Msg Process Error:\t\t%" PRIu64 "\n", 43 | fuzz_stats->event_msg_process_error); 44 | hprintf("Event - Msg Route Error:\t\t%" PRIu64 "\n", 45 | fuzz_stats->event_msg_route_error); 46 | hprintf("Event - Msg NotAllowed Error:\t\t%" PRIu64 "\n", 47 | fuzz_stats->event_msg_notallowed_error); 48 | hprintf("Event - MOZ_CRASH:\t\t%" PRIu64 "\n", fuzz_stats->event_moz_crash); 49 | hprintf("Event - MOZ_ASSERT:\t\t%" PRIu64 "\n", fuzz_stats->event_moz_assert); 50 | hprintf("Event - MOZ_RELEASE_ASSERT:\t\t%" PRIu64 "\n", 51 | fuzz_stats->event_moz_release_assert); 52 | hprintf("Event - MOZ_DIAGNOSTIC_ASSERT:\t\t%" PRIu64 "\n", 53 | fuzz_stats->event_moz_diagnostic_assert); 54 | hprintf("*** End of Statistics ***\n"); 55 | } 56 | 57 | void upload_file_to_host(void* buffer, size_t len, const char* filename) { 58 | kafl_dump_file_t file_obj = {0}; 59 | 60 | file_obj.file_name_str_ptr = (uintptr_t)filename; 61 | file_obj.append = 0; 62 | file_obj.bytes = 0; 63 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t)(&file_obj)); 64 | 65 | file_obj.bytes = len; 66 | file_obj.data_ptr = (uintptr_t)buffer; 67 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t)(&file_obj)); 68 | } 69 | 70 | void on_iteration(uint32_t iterations) { 71 | if (fuzz_stats) { 72 | if ((fuzz_stats->event_iteration % 1000) + iterations >= 1000) { 73 | emit_stats(); 74 | } 75 | 76 | fuzz_stats->event_iteration += iterations; 77 | } 78 | } 79 | 80 | void on_drop_peer() { 81 | if (fuzz_stats) fuzz_stats->event_drop_peer++; 82 | } 83 | void on_msgtype_unknown() { 84 | if (fuzz_stats) fuzz_stats->event_msgtype_unknown++; 85 | } 86 | void on_msg_deserialize_error() { 87 | if (fuzz_stats) fuzz_stats->event_msg_deserialize_error++; 88 | } 89 | void on_msg_process_error() { 90 | if (fuzz_stats) fuzz_stats->event_msg_process_error++; 91 | } 92 | void on_msg_route_error() { 93 | if (fuzz_stats) fuzz_stats->event_msg_route_error++; 94 | } 95 | void on_msg_notallowed_error() { 96 | if (fuzz_stats) fuzz_stats->event_msg_notallowed_error++; 97 | } 98 | void on_timeout() { 99 | if (fuzz_stats) fuzz_stats->event_timeout++; 100 | } 101 | void on_moz_crash() { 102 | if (fuzz_stats) fuzz_stats->event_moz_crash++; 103 | } 104 | void on_moz_assert() { 105 | if (fuzz_stats) fuzz_stats->event_moz_assert++; 106 | } 107 | void on_moz_release_assert() { 108 | if (fuzz_stats) fuzz_stats->event_moz_release_assert++; 109 | } 110 | void on_moz_diagnostic_assert() { 111 | if (fuzz_stats) fuzz_stats->event_moz_diagnostic_assert++; 112 | } 113 | -------------------------------------------------------------------------------- /preload/harness/src/stats.h: -------------------------------------------------------------------------------- 1 | /* This Source Code Form is subject to the terms of the Mozilla Public 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | typedef struct stats_s { 10 | uint64_t event_iteration; 11 | uint64_t event_timeout; 12 | uint64_t event_drop_peer; 13 | uint64_t event_msgtype_unknown; 14 | uint64_t event_msg_deserialize_error; 15 | uint64_t event_msg_process_error; 16 | uint64_t event_msg_route_error; 17 | uint64_t event_msg_notallowed_error; 18 | uint64_t event_moz_crash; 19 | uint64_t event_moz_assert; 20 | uint64_t event_moz_release_assert; 21 | uint64_t event_moz_diagnostic_assert; 22 | } stats_t; 23 | 24 | extern stats_t* fuzz_stats; 25 | 26 | void init_stats(); 27 | 28 | void on_iteration(uint32_t iterations); 29 | void on_drop_peer(); 30 | void on_msgtype_unknown(); 31 | void on_msg_deserialize_error(); 32 | void on_msg_process_error(); 33 | void on_msg_route_error(); 34 | void on_msg_notallowed_error(); 35 | 36 | void on_timeout(); 37 | void on_moz_crash(); 38 | void on_moz_assert(); 39 | void on_moz_release_assert(); 40 | void on_moz_diagnostic_assert(); 41 | 42 | void emit_stats(); 43 | void upload_file_to_host(void* buffer, size_t len, const char* filename); 44 | -------------------------------------------------------------------------------- /userspace-tools/LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /userspace-tools/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS?=-O2 -m64 -Werror -I/path/to/AFLplusplus/nyx_mode/QEMU-Nyx/libxdc/ 2 | 3 | HTOOLS=bin64/habort bin64/hcat bin64/hget bin64/hget_bulk bin64/hpush bin64/hrelease 4 | HTOOLS_NO_PT=$(foreach tool,$(HTOOLS),$(tool)_no_pt) 5 | 6 | all: $(HTOOLS) $(HTOOLS_NO_PT) 7 | htools: $(HTOOLS) 8 | htools_no_pt: $(HTOOLS_NO_PT) 9 | 10 | # pt mode builds 11 | bin64/h%: src/htools/h%.c 12 | @mkdir -p $(@D) 13 | $(CC) $(CPPFLAGS) $(CFLAGS) $< -I../preload/harness/src -o $@ 14 | 15 | # no-pt mode builds 16 | bin64/h%_no_pt: src/htools/h%.c 17 | @mkdir -p $(@D) 18 | $(CC) $(CPPFLAGS) $(CFLAGS) -DNO_PT_NYX $< -I../preload/harness/src -o $@ 19 | 20 | clean: 21 | $(RM) $(HTOOLS) $(HTOOLS_NO_PT) 22 | 23 | .PHONY: all clean htools htools_no_pt 24 | -------------------------------------------------------------------------------- /userspace-tools/README.md: -------------------------------------------------------------------------------- 1 | # Nyx Userspace Tools 2 | 3 | These tools are by now part of the [Nyx Packer](https://github.com/nyx-fuzz/packer/) 4 | and only included here for legacy reasons as they are referenced by existing 5 | build scripts. 6 | 7 | The original license of these tools is GPLv2, see also LICENSE. 8 | -------------------------------------------------------------------------------- /userspace-tools/compile_64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | cd "$(dirname "$0")" 4 | make -B all 5 | -------------------------------------------------------------------------------- /userspace-tools/qemu_tool.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | BASEDIR="/path/to/AFLPlusplus" 4 | 5 | # Simple tool for Nyx VM image operations (create, configure, create pre_image snapshot) 6 | 7 | QEMU_PT_BIN="$BASEDIR/nyx_mode/QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64" 8 | MEMORY_SIZE=6144 9 | 10 | error () { 11 | echo "$0: " 12 | echo "" 13 | echo "Modes: " 14 | echo " - create_image" 15 | echo " - install" 16 | echo " - post_install" 17 | echo " - create_snapshot" 18 | echo "" 19 | echo "Debug Modes: " 20 | echo " - run_kernel" 21 | exit 3 22 | } 23 | 24 | error_image () { 25 | echo "$0: create_image " 26 | exit 3 27 | } 28 | 29 | error_install () { 30 | echo "$0: install " 31 | exit 3 32 | } 33 | 34 | error_post_install () { 35 | echo "$0: post_install " 36 | exit 3 37 | } 38 | 39 | error_create_snapshot () { 40 | echo "$0: create_snapshot " 41 | exit 3 42 | } 43 | 44 | error_run_kernel () { 45 | echo "$0: run_kernel " 46 | exit 3 47 | } 48 | 49 | if [ "$#" == 0 ] ; then 50 | error 51 | fi 52 | 53 | if [ "$1" == "create_image" ]; 54 | then 55 | echo CREATE_IMAGE; 56 | if [ "$#" != 3 ] ; then 57 | error_image 58 | fi 59 | 60 | dd if=/dev/zero of=$2 bs=1048576 count=$3 61 | exit 0 62 | fi 63 | 64 | if [ "$1" == "install" ]; 65 | then 66 | echo INSTALL; 67 | if [ "$#" != 3 ] ; then 68 | error_install 69 | fi 70 | 71 | NYX_DISABLE_DIRTY_RING=TRUE NYX_DISABLE_BLOCK_COW=TRUE $QEMU_PT_BIN --enable-kvm -drive format=raw,file=$2 -cdrom $3 -k de -vnc :0 -m $MEMORY_SIZE 72 | exit 0 73 | fi 74 | 75 | if [ "$1" == "post_install" ]; 76 | then 77 | echo POST_INSTALL; 78 | if [ "$#" != 2 ] ; then 79 | error_post_install 80 | fi 81 | 82 | NYX_DISABLE_DIRTY_RING=TRUE NYX_DISABLE_BLOCK_COW=TRUE $QEMU_PT_BIN --enable-kvm -drive format=raw,file=$2 -k de -vnc :0 -m $MEMORY_SIZE -net user,hostfwd=tcp::2222-:22 -net nic 83 | exit 0 84 | fi 85 | 86 | if [ "$1" == "create_snapshot" ]; 87 | then 88 | echo CREATE_SNAPSHOT; 89 | if [ "$#" != 4 ] ; then 90 | error_create_snapshot 91 | fi 92 | 93 | mkdir $4 && \ 94 | NYX_DISABLE_DIRTY_RING=TRUE $QEMU_PT_BIN --enable-kvm -hda $2 -k de -vnc :0 -m $3 -net none -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v1 -fast_vm_reload pre_path=$4,load=off 95 | exit 0 96 | fi 97 | 98 | if [ "$1" == "run_kernel" ]; 99 | then 100 | echo RUN_KERNEL; 101 | if [ "$#" != 2 ] ; then 102 | error_run_kernel 103 | fi 104 | 105 | SCRIPT=$(readlink -f "$0") 106 | SCRIPTPATH=$(dirname "$SCRIPT") 107 | 108 | # exit via (ctrl+a) & q 109 | $QEMU_PT_BIN -kernel $2 -initrd $SCRIPTPATH/linux_initramfs/init_debug_shell.cpio.gz -serial mon:stdio -enable-kvm -k de -m 300 -append "root=/dev/sda console=ttyS0 nokaslr" -nographic 110 | exit 0 111 | fi 112 | 113 | error 114 | -------------------------------------------------------------------------------- /userspace-tools/src/htools/habort.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv){ 9 | char buf[256]; 10 | 11 | if(!is_nyx_vcpu()){ 12 | printf("Error: NYX vCPU not found!\n"); 13 | return 0; 14 | } 15 | 16 | if(argc != 1){ 17 | printf("Usage: \n"); 18 | return 1; 19 | } 20 | 21 | kAFL_hypercall(HYPERCALL_KAFL_USER_ABORT, (uintptr_t)"SOMETHING WENT WRONG -> ABORT!"); 22 | 23 | return 0; 24 | } -------------------------------------------------------------------------------- /userspace-tools/src/htools/hcat.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv){ 9 | char buf[1024]; 10 | 11 | if(!is_nyx_vcpu()){ 12 | printf("Error: NYX vCPU not found!\n"); 13 | return 0; 14 | } 15 | 16 | if(argc != 1){ 17 | printf("Usage: \n"); 18 | return 1; 19 | } 20 | 21 | ssize_t received = 0; 22 | while((received = read(0, buf, sizeof(buf)-1))>0) { 23 | buf[1023] = 0; 24 | buf[received] = 0; 25 | 26 | hprintf("%s", buf); 27 | memset(buf, 0, 1024); 28 | } 29 | return 0; 30 | } -------------------------------------------------------------------------------- /userspace-tools/src/htools/hget.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv){ 9 | 10 | if(!is_nyx_vcpu()){ 11 | printf("Error: NYX vCPU not found!\n"); 12 | return 0; 13 | } 14 | 15 | if(argc == 3){ 16 | void* stream_data = mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 17 | 18 | FILE* f = NULL; 19 | 20 | 21 | uint64_t bytes = 0; 22 | uint64_t total = 0; 23 | 24 | do{ 25 | strcpy(stream_data, argv[1]); 26 | bytes = kAFL_hypercall(HYPERCALL_KAFL_REQ_STREAM_DATA, (uintptr_t)stream_data); 27 | 28 | if(bytes == 0xFFFFFFFFFFFFFFFFUL){ 29 | hprintf("HYPERVISOR: ERROR\n"); 30 | break; 31 | } 32 | 33 | if(f == NULL){ 34 | f = fopen(argv[2], "w+"); 35 | } 36 | 37 | fwrite(stream_data, 1, bytes, f); 38 | 39 | total += bytes; 40 | 41 | } while(bytes); 42 | 43 | hprintf("%"PRId64" bytes received from hypervisor! (%s)\n", total, argv[1]); 44 | 45 | if(f){ 46 | fclose(f); 47 | return 0; 48 | } 49 | return -1; 50 | 51 | } 52 | printf("Usage: \n"); 53 | return 0; 54 | } 55 | -------------------------------------------------------------------------------- /userspace-tools/src/htools/hget_bulk.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | #include 8 | 9 | 10 | 11 | int main(int argc, char** argv){ 12 | 13 | if(!is_nyx_vcpu()){ 14 | printf("Error: NYX vCPU not found!\n"); 15 | return 0; 16 | } 17 | 18 | if(argc == 3){ 19 | 20 | req_data_bulk_t* stream_data_ctrl = (req_data_bulk_t*)mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 21 | memset((void*)stream_data_ctrl, 0, 0x1000); 22 | for(int i = 0; i < 479; i++){ 23 | stream_data_ctrl->addresses[i] = (uintptr_t)mmap((void*)NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 24 | if(stream_data_ctrl->addresses[i] == (uint64_t)-1){ 25 | hprintf("Error: Cannot allocate page number %d\n", i); 26 | return 1; 27 | } 28 | memset((void*)stream_data_ctrl->addresses[i], 0, 0x1000); 29 | stream_data_ctrl->num_addresses++; 30 | } 31 | 32 | strncpy(stream_data_ctrl->file_name, argv[1], 256); 33 | 34 | FILE* f = NULL; 35 | 36 | 37 | uint64_t bytes = 0; 38 | uint64_t total = 0; 39 | bool recv_data = true; 40 | 41 | do{ 42 | bytes = kAFL_hypercall(HYPERCALL_KAFL_REQ_STREAM_DATA_BULK, (uintptr_t)stream_data_ctrl); 43 | 44 | if(bytes == 0xFFFFFFFFFFFFFFFFUL){ 45 | hprintf("HYPERVISOR: ERROR\n"); 46 | break; 47 | } 48 | 49 | total += bytes; 50 | 51 | //hprintf("Total %d\n", bytes); 52 | 53 | if(f == NULL){ 54 | f = fopen(argv[2], "w+"); 55 | } 56 | 57 | if(bytes != (479*0x1000)){ 58 | recv_data = false; 59 | } 60 | 61 | for(int i = 0; i < stream_data_ctrl->num_addresses; i++){ 62 | if(bytes >= 0x1000){ 63 | fwrite((void*)stream_data_ctrl->addresses[i], 1, 0x1000, f); 64 | bytes -= 0x1000; 65 | } 66 | else{ 67 | fwrite((void*)stream_data_ctrl->addresses[i], 1, bytes, f); 68 | bytes = 0; 69 | break; 70 | } 71 | } 72 | 73 | } while(recv_data); 74 | 75 | hprintf("%ld bytes received from hypervisor! (%s)\n", total, argv[1]); 76 | 77 | if(f){ 78 | fclose(f); 79 | return 0; 80 | } 81 | return -1; 82 | 83 | } 84 | printf("Usage: \n"); 85 | return 0; 86 | } -------------------------------------------------------------------------------- /userspace-tools/src/htools/hpush.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include "nyx.h" 18 | 19 | 20 | #define round_up(x, y) (((x) + (y) - 1) & ~((y) - 1)) 21 | 22 | void *mapfile(char *fn, uint64_t *size) 23 | { 24 | int fd = open(fn, O_RDONLY); 25 | if (fd < 0) 26 | return NULL; 27 | struct stat st; 28 | void *map = (void *)-1L; 29 | if (fstat(fd, &st) >= 0) { 30 | *size = (uint64_t)st.st_size; 31 | map = mmap(NULL, round_up(*size, sysconf(_SC_PAGESIZE)), 32 | PROT_READ|PROT_WRITE, 33 | MAP_PRIVATE, fd, 0); 34 | } 35 | close(fd); 36 | 37 | 38 | if(map){ 39 | void* copy = malloc(*size); 40 | memcpy(copy, map, st.st_size); 41 | munmap(map, round_up(*size, sysconf(_SC_PAGESIZE))); 42 | return copy; 43 | } 44 | return NULL; 45 | } 46 | 47 | static void dump_payload(void* buffer, size_t len, const char* filename){ 48 | static bool init = false; 49 | static kafl_dump_file_t file_obj = {0}; 50 | 51 | //printf("%s -> ptr: %p size: %lx - %s\n", __func__, buffer, len, filename); 52 | 53 | if (!init){ 54 | file_obj.file_name_str_ptr = (uintptr_t)filename; 55 | file_obj.append = 0; 56 | file_obj.bytes = 0; 57 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t) (&file_obj)); 58 | init=true; 59 | } 60 | 61 | file_obj.append = 1; 62 | file_obj.bytes = len; 63 | file_obj.data_ptr = (uintptr_t)buffer; 64 | kAFL_hypercall(HYPERCALL_KAFL_DUMP_FILE, (uintptr_t) (&file_obj)); 65 | } 66 | 67 | int main(int argc, char** argv){ 68 | char buf[256]; 69 | 70 | if(!is_nyx_vcpu()){ 71 | printf("Error: NYX vCPU not found!\n"); 72 | return 0; 73 | } 74 | 75 | if(argc != 2){ 76 | hprintf("Usage: \n"); 77 | return 1; 78 | } 79 | 80 | uint64_t size = 0; 81 | void* ptr = mapfile(argv[1], &size); 82 | 83 | if(ptr && size){ 84 | dump_payload(ptr, size, basename(argv[1])); 85 | } 86 | else{ 87 | hprintf("FILE NOT FOUND!\n"); 88 | } 89 | 90 | return 0; 91 | } -------------------------------------------------------------------------------- /userspace-tools/src/htools/hrelease.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include "nyx.h" 5 | #include 6 | #include 7 | 8 | int main(int argc, char** argv){ 9 | char buf[256]; 10 | 11 | if(!is_nyx_vcpu()){ 12 | printf("Error: NYX vCPU not found!\n"); 13 | return 0; 14 | } 15 | 16 | if(argc != 1){ 17 | printf("Usage: \n"); 18 | return 1; 19 | } 20 | 21 | kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); 22 | 23 | return 0; 24 | } 25 | --------------------------------------------------------------------------------