├── .gitmodules
├── Dockerfile
├── README.md
├── artifact
    ├── README.md
    ├── common.sh
    ├── other-allocators
    │   ├── .gitignore
    │   ├── DieHarder-5a0f8a52
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── FreeGuard-bfdf6d9a
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── Guarder-9e85978a
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── dlmalloc-2.7.2
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── dlmalloc-2.8.6
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── jemalloc-5.2.1
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── mesh-a49b6134
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── mimalloc-1.0.8
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── mimalloc-secure-1.0.8
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── musl-1.1.24
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── musl-1.1.9
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   ├── scudo-9.0.0
    │   │   ├── .gitignore
    │   │   └── run.sh
    │   └── tcmalloc-2.7
    │   │   ├── .gitignore
    │   │   └── run.sh
    └── ptmalloc2-glibc2.23
    │   ├── .gitignore
    │   └── run.sh
├── build.sh
├── driver
    ├── .gitignore
    ├── Makefile
    ├── driver.c
    ├── minimize.py
    └── minimize_all.py
├── install_dependencies.sh
├── setup.sh
├── techniques
    ├── Makefile
    ├── dlmalloc-2.8.6
    │   ├── .gitignore
    │   └── house-of-lily.c
    ├── malloc-lib.h
    └── ptmalloc2-glibc2.23
    │   ├── .gitignore
    │   ├── fast-bin-to-other-bin.c
    │   ├── house-of-unsorted-einherjar.c
    │   ├── overlapping-chunks-smallbin.c
    │   └── unaligned-double-free.c
└── tool
    ├── .gitignore
    └── afl.patch


/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "tool/villoc"]
2 | 	path = tool/villoc
3 | 	url = https://github.com/wapiflapi/villoc.git
4 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:16.04
 2 | 
 3 | ADD . /src
 4 | WORKDIR /src
 5 | 
 6 | RUN apt update
 7 | RUN apt install -y sudo
 8 | 
 9 | RUN ./install_dependencies.sh
10 | RUN ./build.sh
11 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # ArcHeap: Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
 2 | 
 3 | ## Environment
 4 | - Tested on Ubuntu 16.04 64bit
 5 | 
 6 | ## Installation
 7 | ```bash
 8 | $ ./setup.sh
 9 | $ ./install_dependencies.sh
10 | $ ./build.sh
11 | ```
12 | 
13 | ## Installation using Docker
14 | ```bash
15 | $ ./setup.sh
16 | $ docker build -t archeap .
17 | $ docker run -it archeap /bin/bash
18 | ```
19 | 
20 | ## How to use
21 | Please check our [artifact](artifact).
22 | 
23 | ## Trophies
24 | - [Overlapping chunks with double free in mimalloc](https://github.com/microsoft/mimalloc/issues/161)
25 | - [Overlapping chunks with double free in DieHarder](https://github.com/emeryberger/DieHard/issues/12)
26 | - [Overlapping chunks with negative size allocation in mesh](https://github.com/plasma-umass/Mesh/issues/62)
27 | - [Arbitrary chunks with overflow in ptmalloc2](https://github.com/shellphish/how2heap/pull/77)
28 | - [Several other techniques](techniques)
29 | 
30 | ## Authors
31 | - Insu Yun (insu@gatech.edu)
32 | - Dhaval Kapil (me@dhavalkapil.com)
33 | - Taesoo Kim (taesoo@gatech.edu)
34 | 
35 | ## Publications
36 | ```
37 | @inproceedings{yun:archeap,
38 |   title        = {{Automatic Techniques to Systematically Discover New Heap Exploitation Primitives}},
39 |   author       = {Insu Yun and Dhaval Kapil and Taesoo Kim},
40 |   booktitle    = {Proceedings of the 29th USENIX Security Symposium (Security)},
41 |   month        = aug,
42 |   year         = 2020,
43 | }
44 | ```
45 | 


--------------------------------------------------------------------------------
/artifact/README.md:
--------------------------------------------------------------------------------
  1 | # Artifact for ArcHeap
  2 | 
  3 | ## Getting started
  4 | 
  5 | First of all, we need to specify an initial seed for ArcHeap, which relies on
  6 | [AFL](https://github.com/google/AFL). According to our experience, choice of
  7 | this seed is not important since ArcHeap will eventually converge. So, we will
  8 | use a dumb seed (e.g, AAAA).
  9 | 
 10 | ```bash
 11 | $ mkdir input
 12 | $ echo "AAAA" > input/seed
 13 | ```
 14 | 
 15 | After specifying the seed, we can run ArcHeap as same with AFL. If we don't
 16 | specify any allocator, ArcHeap will use a system allocator by default (e.g.,
 17 | ptmalloc2 in Linux).
 18 | 
 19 | ```bash
 20 | # Run ArcHeap without any model for a system allocator
 21 | $ ../tool/afl-2.52b/afl-fuzz -i input -o output ../driver/driver-fuzz @@
 22 | ```
 23 | 
 24 | Unfortunately, if we run ArcHeap without any model, it will converge to random,
 25 | trivial exploit techniques. To discover more specific techniques, ArcHeap
 26 | supports several model specifications, which can be defined using arguments of
 27 | `driver-fuzz`. You can check available model specifications from its help
 28 | message. It is worth noting that ArcHeap's specifications are exclusive, i.e.,
 29 | ArcHeap limits capabilities with specifications and its default mode allows
 30 | every action. Here is an example to specify the model.
 31 | 
 32 | ```bash
 33 | $ ../driver/driver-fuzz -h
 34 | Usage: ../driver/driver-fuzz [OPTION]... FILE [MAPFILE]
 35 |   -c <cap>: Disable a capability
 36 |      <cap>:= HEAP_ADDR | CONTAINER_ADDR | BUFFER_ADDR | DEALLOC | HEAP_WRITE | BUFFER_WRITE
 37 |   -v <vuln>: Disable a vulnerbility
 38 |      <vuln>:= OVERFLOW | OFF_BY_ONE_NULL | OFF_BY_ONE | WRITE_AFTER_FREE | DOUBLE_FREE | ARBITRARY_FREE
 39 |   -e <event>: Disable an event
 40 |      <event>:= OVERLAP | RESTRICTED_WRITE_IN_CONTAINER | RESTRICTED_WRITE_IN_BUFFER | ARBITRARY_WRITE_IN_CONTAINER | ARBITRARY_WRITE_IN_BUFFER | ALLOC_IN_CONTAINER | ALLOC_IN_BUFFER
 41 |   -u <ub>: Set upper bound of allocation
 42 |   -l <lb>: Set lower bound of allocation
 43 |   -s <list-of-sizes>: Set allocations sizes (e.g., 1,2,3)
 44 |   -a <header>:<footer>:<round>:<minsz>: Set information for allocator
 45 |     e.g. For ptmalloc in 64-bit, -a 8:0:16:32
 46 |   -h: Display this help and exit
 47 | 
 48 | # Discover a technique rendering an arbitrary chunk with double free
 49 | # i.e., no DOUBLE_FREE in vulnerbilities, no ALLOC_IN_CONTAINER and ALLOC_IN_BUFFER in events
 50 | $ SPEC="-a 8:0:16:32 \
 51 | 	-v OVERFLOW -v OFF_BY_ONE_NULL -v OFF_BY_ONE -v WRITE_AFTER_FREE -v ARBITRARY_FREE \
 52 | 	-e OVERLAP -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER"
 53 | $ eval "../tool/afl-2.52b/afl-fuzz -i input -o output ../driver/driver-fuzz $SPEC @@"
 54 | ```
 55 | 
 56 | If AFL finds a crash, the `driver-fuzz` can be used for generating PoC,
 57 | which is C code that triggers the discovered technique. In most of cases, the C
 58 | code is compilable, but a user might need to fix a trivial compilation error
 59 | because of a trailing error message from an allocator. The same specifications
 60 | that are used for discovering should be provided for making valid PoC.
 61 | 
 62 | ```bash
 63 | # Generate PoC code
 64 | $ eval "../driver/driver-fuzz $SPEC ./output/crashes/id:000000* 2>&1|tee poc.c"
 65 | 
 66 | # Compile and validate the PoC
 67 | $ gcc -o poc poc.c
 68 | $ ./poc
 69 | ```
 70 | 
 71 | Because of ArcHeap's random search, the PoC file could have irrelevant code.
 72 | This can be minimized using delta debugging. In particular, ArcHeap makes a
 73 | bitmap file that represents whether each action is essential to trigger this
 74 | exploit technique. This also can be done for all crashes in the output
 75 | directory. In this case, ArcHeap also provides a visual representation of heap
 76 | layout using [villoc](https://github.com/wapiflapi/villoc) for better
 77 | understanding of found techniques.
 78 | 
 79 | ```bash
 80 | # Make a bitmap for minimizing PoC using delta debugging
 81 | $ eval "../driver/minimize.py bitmap_file -- ../driver/driver-fuzz $SPEC ./output/crashes/id:000000*"
 82 | 
 83 | # Generate minimal PoC code using the bitmap and validate
 84 | $ eval " ../driver/driver-fuzz $SPEC ./output/crashes/id:000000* bitmap_file 2>&1|tee poc-min.c"
 85 | $ gcc -o poc-min poc-min.c
 86 | $ ./poc-min
 87 | 
 88 | # Minimize all crashes in the output directory
 89 | $ ../driver/minimize_all.py output minimized_output
 90 | 
 91 | # Check minimized PoC and heap layout from villoc
 92 | $ cat minimized_output/id:000000*.log
 93 | $ open minimized_output/id:000000*.html
 94 | ```
 95 | 
 96 | ArcHeap supports discovering techniques in other allocators using `LD_PRELOAD`.
 97 | To this end, a shared library for the allocator should be defined in the
 98 | `AFL_PRELOAD`, which is `LD_PRELOAD` for AFL, in a discovering and a
 99 | minimization phase. When validating PoC, the allocator should be specified
100 | using `LD_PRELOAD`. 
101 | 
102 | ```bash
103 | # Repeat the same procedures in a non-system allocator that is specified as $(SO_FILE)
104 | $ eval "AFL_PRELOAD=$(SO_FILE) ../tool/afl-2.52b/afl-fuzz -i input -o output ../driver/driver-fuzz $SPEC @@"
105 | $ eval "AFL_PRELOAD=$(SO_FILE) ../driver/minimize.py bitmap_file -- ../driver/driver-fuzz $SPEC ./output/crashes/id:000000*"
106 | $ eval "LD_PRELOAD=$(SO_FILE) ../driver/driver-fuzz $SPEC ./output/crashes/id:000000* bitmap_file 2>&1|tee poc-min.c"
107 | $ gcc -o poc-min poc-min.c
108 | $ LD_PRELOAD=$(SO_FILE) ./poc-min
109 | ```
110 | 
111 | ## 7.1 New Heap Exploitation Techniques
112 | 
113 | This section discusses how to find new exploit techniques in ptmalloc2, which
114 | is described in Section 7.1 in our paper. For convenient evaluation, we provide
115 | a bash script (`run.sh`) that encodes every model that we used. Note that we
116 | omit `fast bin into other bin` because ArcHeap usually converges to `fast bin
117 | dup`, whose model is a subset of the previous one's. This issue is also
118 | illustrated in Section 8.1. In the following, we will re-discover `unsorted bin
119 | into stack` using ArcHeap.
120 | 
121 | ```bash
122 | $ cd ptmalloc2-glibc2.23
123 | $ ./run.sh 
124 | Usage: run.sh <technique>
125 | 
126 | Available techniques:
127 |   UBS: Unsorted bin into stack
128 |   HUE: House of unsorted einherjar
129 |   UDF: Unaligned double free
130 |   OCS: Overlapping small chunks
131 | 
132 | # Run and wait until ArcHeap discovers crashes
133 | $ ./run.sh UBS
134 | 
135 | # Check model specifications, which will be called as $SPEC in the following code
136 | $ tail -n 1 output-UBS/fuzzer_stats
137 | # This output will be 'commaond_line:  ... driver-fuzz $SPEC @@'
138 | 
139 | # Generate PoC (also can be validated and minimized as before)
140 | $ eval "../../driver/driver-fuzz $SPEC ./output/crashes/id:000000*"
141 | ```
142 | 
143 | ## 7.2 Different Types of Heap Allocators
144 | 
145 | This section describes how to use ArcHeap for finding new exploit techniques in
146 | other allocators. Similar to the previous one, we also provide script files
147 | (`other-allocators/*/run.sh`) to run ArcHeap for each allocator with different
148 | events (i.e., impacts of exploitation).  After discovering crashes, we can find
149 | ArcHeap's current model specifications from AFL's `fuzzer_stats` and a shared
150 | library path in `run.sh`.  After properly setting the specifications and the
151 | library, ArcHeap can make valid PoC for this allocator. Here, we will show how
152 | to find an exploit technique in [DieHarder](https://github.com/emeryberger/DieHard)
153 | as an example.
154 | 
155 | ```bash
156 | # Run and wait until ArcHeap discovers crashes
157 | $ cd ./other-allocators/DieHarder-5a0f8a52/
158 | $ ./run.sh
159 | 
160 | # Check model specifications, which will be called as $SPEC in the following code
161 | $ tail -n 1 output-OC/fuzzer_stats
162 | # This output will be 'commaond_line:  ... driver-fuzz $SPEC @@'
163 | 
164 | # Generate PoC (also can be validated and minimized as before)
165 | $ eval "LD_PRELOAD=$(pwd)/DieHard/src/dieharder.so ../../../driver/driver-fuzz $SPEC output-OC/crashes/id:000000*"
166 | ```
167 | 
168 | If you have any question, let us know. Thank you!
169 | 


--------------------------------------------------------------------------------
/artifact/common.sh:
--------------------------------------------------------------------------------
 1 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 2 | ROOT=$DIR/..
 3 | 
 4 | AFL_ROOT=$ROOT/tool/afl-2.52b
 5 | AFL_FUZZ=$AFL_ROOT/afl-fuzz
 6 | AFL_GCC=$AFL_ROOT/afl-gcc
 7 | 
 8 | DRIVER_ROOT=$ROOT/driver
 9 | DRIVER=$DRIVER_ROOT/driver-fuzz
10 | 
11 | function make_input() {
12 |   if [ ! -e input ]; then
13 |     mkdir -p input
14 |     echo "AAAA" > input/seed
15 |   fi
16 | }
17 | 
18 | function run_all() {
19 |   if [ "$#" -eq 1 ]; then
20 |     APP=$1
21 |   else
22 |     APP=$DRIVER
23 |   fi
24 | 
25 |   export AFL_NO_UI=1
26 |   $AFL_FUZZ -m none -i input -o output-OC -- $APP \
27 |     -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
28 |     -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
29 |     -e ALLOC_IN_CONTAINER -e ALLOC_IN_BUFFER \
30 |     @@ &
31 | 
32 |   $AFL_FUZZ -m none -i input -o output-AC -- $APP \
33 |     -e OVERLAP \
34 |     -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
35 |     -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
36 |     @@ &
37 | 
38 |   $AFL_FUZZ -m none -i input -o output-RW -- $APP \
39 |     -e OVERLAP \
40 |     -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
41 |     -e ALLOC_IN_CONTAINER -e ALLOC_IN_BUFFER \
42 |     @@ &
43 | 
44 |   $AFL_FUZZ -m none -i input -o output-AW -- $APP \
45 |     -e OVERLAP \
46 |     -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
47 |     -e ALLOC_IN_CONTAINER -e ALLOC_IN_BUFFER \
48 |     @@
49 | }
50 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/.gitignore:
--------------------------------------------------------------------------------
1 | /*/input
2 | /*/output-AC
3 | /*/output-AW
4 | /*/output-OC
5 | /*/output-RW
6 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/DieHarder-5a0f8a52/.gitignore:
--------------------------------------------------------------------------------
1 | /DieHard
2 | 
3 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/DieHarder-5a0f8a52/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/DieHard/src/dieharder.so
 6 | if [ ! -e $SO_FILE ]; then
 7 |   git clone --recursive https://github.com/emeryberger/DieHard
 8 |   pushd DieHard/src
 9 |   git checkout 5a0f8a5
10 |   TARGET=dieharder make linux-gcc-x86-64
11 |   popd
12 | 
13 |   make_input
14 | fi
15 | 
16 | AFL_PRELOAD=$SO_FILE run_all
17 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/FreeGuard-bfdf6d9a/.gitignore:
--------------------------------------------------------------------------------
1 | /FreeGuard
2 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/FreeGuard-bfdf6d9a/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/FreeGuard/libfreeguard.so
 6 | 
 7 | if [ ! -e $SO_FILE ]; then
 8 |   git clone git@github.com:UTSASRG/FreeGuard.git
 9 |   pushd FreeGuard
10 |   git checkout bfdf6d9a
11 |   make SSE2RNG=1
12 |   popd
13 | 
14 |   make_input
15 | fi
16 | 
17 | AFL_PRELOAD=$SO_FILE run_all
18 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/Guarder-9e85978a/.gitignore:
--------------------------------------------------------------------------------
1 | /Guarder
2 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/Guarder-9e85978a/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/Guarder/libguarder.so
 6 | 
 7 | if [ ! -e $SO_FILE ]; then
 8 |   git clone git@github.com:UTSASRG/Guarder.git
 9 |   pushd Guarder
10 |   git checkout 9e85978a
11 |   make
12 |   popd
13 | 
14 |   make_input
15 | fi
16 | 
17 | AFL_PRELOAD=$SO_FILE run_all
18 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/dlmalloc-2.7.2/.gitignore:
--------------------------------------------------------------------------------
1 | /malloc-2.7.2.c
2 | *.o
3 | *.so
4 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/dlmalloc-2.7.2/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/libdlmalloc.so
 6 | 
 7 | if [ ! -f $SO_FILE ]; then
 8 |   wget http://gee.cs.oswego.edu/pub/misc/malloc-2.7.2.c
 9 |   gcc -c -fpic malloc-2.7.2.c
10 |   gcc -shared -o libdlmalloc.so malloc-2.7.2.o
11 | 
12 |   make_input
13 | fi
14 | 
15 | AFL_PRELOAD=$SO_FILE run_all
16 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/dlmalloc-2.8.6/.gitignore:
--------------------------------------------------------------------------------
1 | /malloc.c
2 | /malloc.o
3 | /libdlmalloc.so
4 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/dlmalloc-2.8.6/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/libdlmalloc.so
 6 | if [ ! -f $SO_FILE ]; then
 7 |   wget ftp://gee.cs.oswego.edu/pub/misc/malloc.c
 8 | 	gcc -c -Wall -Werror -fpic malloc.c
 9 | 	gcc -shared -o libdlmalloc.so malloc.o
10 | 
11 |   make_input
12 | fi
13 | 
14 | AFL_PRELOAD=$SO_FILE run_all
15 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/jemalloc-5.2.1/.gitignore:
--------------------------------------------------------------------------------
1 | /jemalloc
2 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/jemalloc-5.2.1/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | if [ ! -e jemalloc ]; then
 6 |   git clone https://github.com/jemalloc/jemalloc
 7 |   pushd jemalloc
 8 |   git checkout 5.2.1
 9 |   ./autogen.sh
10 |   make
11 | 
12 |   chmod +x bin/jemalloc-config
13 |   popd
14 | 
15 |   make_input
16 | fi
17 | 
18 | PATH=$PATH:$(pwd)/jemalloc/bin
19 | AFL_PRELOAD=$(jemalloc-config --libdir)/libjemalloc.so.$(jemalloc-config --revision) run_all
20 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/mesh-a49b6134/.gitignore:
--------------------------------------------------------------------------------
1 | /mesh
2 | 
3 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/mesh-a49b6134/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/mesh/libmesh.so
 6 | 
 7 | if [ ! -e $SO_FILE ]; then
 8 |   git clone --recurse-submodules https://github.com/plasma-umass/mesh
 9 |   pushd mesh
10 |   git checkout a49b6134
11 |   ./configure
12 |   make
13 |   popd
14 | 
15 |   make_input
16 | fi
17 | 
18 | AFL_PRELOAD=$SO_FILE run_all
19 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/mimalloc-1.0.8/.gitignore:
--------------------------------------------------------------------------------
1 | /mimalloc
2 | /mimalloc-more-secure
3 | /output-secure
4 | /output-more-secure
5 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/mimalloc-1.0.8/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/mimalloc/out/release/libmimalloc.so
 6 | 
 7 | if [ ! -e $SO_FILE ]; then
 8 |   git clone git@github.com:microsoft/mimalloc.git
 9 | 
10 |   pushd mimalloc
11 | 
12 |   git checkout v1.0.8
13 |   mkdir -p out/release
14 |   cd out/release
15 |   cmake ../..
16 |   make
17 | 
18 |   popd
19 | 
20 |   make_input
21 | fi
22 | 
23 | AFL_PRELOAD=$SO_FILE run_all
24 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/mimalloc-secure-1.0.8/.gitignore:
--------------------------------------------------------------------------------
1 | /mimalloc
2 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/mimalloc-secure-1.0.8/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/mimalloc/out/secure/libmimalloc-secure.so
 6 | 
 7 | if [ ! -e $SO_FILE ]; then
 8 |   git clone git@github.com:microsoft/mimalloc.git
 9 | 
10 |   pushd mimalloc
11 | 
12 |   git checkout v1.0.8
13 |   mkdir -p out/secure
14 |   cd out/secure
15 |   cmake -DMI_SECURE=ON ../..
16 |   make
17 | 
18 |   popd
19 | 
20 |   make_input
21 | fi
22 | 
23 | AFL_PRELOAD=$SO_FILE run_all
24 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/musl-1.1.24/.gitignore:
--------------------------------------------------------------------------------
1 | /musl-1.1.*
2 | /musl-1.1.*.tar.gz
3 | /driver
4 | /driver-fuzz
5 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/musl-1.1.24/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | MUSL_GCC=$(pwd)/musl-1.1.24/obj/musl-gcc
 6 | 
 7 | if [ ! -e $MUSL_GCC ]; then
 8 |   wget https://www.musl-libc.org/releases/musl-1.1.24.tar.gz
 9 |   tar -zxvf musl-1.1.24.tar.gz
10 | 
11 |   pushd musl-1.1.24
12 |   ./configure
13 |   make
14 |   sudo make install
15 |   popd
16 | 
17 |   make_input
18 | fi
19 | 
20 | REALGCC=$AFL_GCC $MUSL_GCC -o ./driver-fuzz $DRIVER_ROOT/driver.c
21 | $MUSL_GCC -o ./driver $DRIVER_ROOT/driver.c
22 | 
23 | unset AFL_PRELOAD
24 | run_all ./driver-fuzz
25 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/musl-1.1.9/.gitignore:
--------------------------------------------------------------------------------
1 | /musl-1.1.*
2 | /musl-1.1.*.tar.gz
3 | /driver
4 | /driver-fuzz
5 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/musl-1.1.9/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | MUSL_GCC=$(pwd)/musl-1.1.9/tools/musl-gcc
 6 | 
 7 | if [ ! -e $MUSL_GCC ]; then
 8 |   wget https://www.musl-libc.org/releases/musl-1.1.9.tar.gz
 9 |   tar -zxvf musl-1.1.9.tar.gz
10 | 
11 |   pushd musl-1.1.9
12 |   ./configure
13 |   make
14 |   make tools/musl-gcc
15 |   sudo make install
16 |   popd
17 | 
18 |   make_input
19 | fi
20 | 
21 | REALGCC=$AFL_GCC $MUSL_GCC -o ./driver-fuzz $DRIVER_ROOT/driver.c
22 | $MUSL_GCC -o ./driver $DRIVER_ROOT/driver.c
23 | 
24 | unset AFL_PRELOAD
25 | run_all ./driver-fuzz
26 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/scudo-9.0.0/.gitignore:
--------------------------------------------------------------------------------
1 | /clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04*
2 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/scudo-9.0.0/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04/lib/clang/9.0.0/lib/linux/libclang_rt.scudo-x86_64.so
 6 | 
 7 | if [ ! -e $SO_FILE ]; then
 8 |   wget http://releases.llvm.org/9.0.0/clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
 9 |   tar -xvf clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
10 | 
11 |   make_input
12 | fi
13 | 
14 | AFL_PRELOAD=$SO_FILE run_all
15 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/tcmalloc-2.7/.gitignore:
--------------------------------------------------------------------------------
1 | /gperftools
2 | 


--------------------------------------------------------------------------------
/artifact/other-allocators/tcmalloc-2.7/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | source ../../common.sh
 4 | 
 5 | SO_FILE=$(pwd)/gperftools/build/.libs/libtcmalloc.so
 6 | 
 7 | 
 8 | if [ ! -e $SO_FILE ]; then
 9 |   git clone git@github.com:gperftools/gperftools.git
10 |   pushd gperftools
11 |   git checkout gperftools-2.7
12 |   ./autogen.sh
13 |   mkdir build
14 |   cd build
15 |   ../configure
16 |   make -j$(nproc)
17 |   popd
18 | 
19 |   make_input
20 | fi
21 | 
22 | AFL_PRELOAD=$SO_FILE run_all
23 | 


--------------------------------------------------------------------------------
/artifact/ptmalloc2-glibc2.23/.gitignore:
--------------------------------------------------------------------------------
1 | /input
2 | /output-UBS
3 | /output-HUE
4 | /output-UDF
5 | /output-OCS
6 | 
7 | 


--------------------------------------------------------------------------------
/artifact/ptmalloc2-glibc2.23/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | . ../common.sh
 4 | 
 5 | case "$1" in
 6 |   UBS) # WF, AC, Small
 7 |     make_input
 8 |     $AFL_FUZZ -i input -o output-$1 -- $DRIVER \
 9 |       -a 8:0:16:32 -l 128 -u 1016 \
10 |       -v OVERFLOW -v OFF_BY_ONE_NULL -v OFF_BY_ONE \
11 |       -v DOUBLE_FREE -v ARBITRARY_FREE \
12 |       -e OVERLAP \
13 |       -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
14 |       -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
15 |       @@
16 |     ;;
17 | 
18 |   HUE) # O1, AC, Small
19 |     make_input
20 |     $AFL_FUZZ -i input -o output-$1 -- $DRIVER \
21 |       -a 8:0:16:32 -l 128 -u 1016 \
22 |       -v OVERFLOW \
23 |       -v WRITE_AFTER_FREE -v DOUBLE_FREE -v ARBITRARY_FREE \
24 |       -e OVERLAP \
25 |       -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
26 |       -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
27 |       @@
28 |     ;;
29 | 
30 |   OCS) # OV, OC, Small
31 |     make_input
32 |     $AFL_FUZZ -i input -o output-$1 -- $DRIVER \
33 |       -a 8:0:16:32 -l 128 -u 1016 \
34 |       -v OFF_BY_ONE_NULL -v OFF_BY_ONE \
35 |       -v WRITE_AFTER_FREE -v DOUBLE_FREE -v ARBITRARY_FREE \
36 |       -e OVERLAP \
37 |       -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
38 |       -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
39 |       @@
40 |     ;;
41 | 
42 |   UDF) # DF, OC, Small
43 |     make_input
44 |     $AFL_FUZZ -i input -o output-$1 -- $DRIVER \
45 |       -a 8:0:16:32 -l 128 -u 1016 \
46 |       -v OVERFLOW -v OFF_BY_ONE_NULL -v OFF_BY_ONE \
47 |       -v WRITE_AFTER_FREE -v ARBITRARY_FREE \
48 |       -e RESTRICTED_WRITE_IN_CONTAINER -e RESTRICTED_WRITE_IN_BUFFER \
49 |       -e ARBITRARY_WRITE_IN_CONTAINER -e ARBITRARY_WRITE_IN_BUFFER \
50 |       -e ALLOC_IN_CONTAINER -e ALLOC_IN_BUFFER \
51 |       @@
52 |     ;;
53 | 
54 |   *)
55 |     echo "Usage: $(basename "$0") <technique>"
56 |     echo ''
57 |     echo 'Available techniques:'
58 |     echo '  UBS: Unsorted bin into stack'
59 |     echo '  HUE: House of unsorted einherjar'
60 |     echo '  UDF: Unaligned double free'
61 |     echo '  OCS: Overlapping small chunks'
62 |     ;;
63 | esac
64 | 


--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | git submodule init
 4 | git submodule update
 5 | 
 6 | if [ ! -e tool/afl-2.52b ]; then
 7 |   pushd tool
 8 |   wget http://lcamtuf.coredump.cx/afl/releases/afl-2.52b.tgz
 9 |   tar -zxvf afl-2.52b.tgz
10 |   rm afl-2.52b.tgz
11 |   cd afl-2.52b
12 |   patch < ../afl.patch
13 |   popd
14 | fi
15 | 
16 | pushd tool/afl-2.52b
17 | make clean
18 | make
19 | popd
20 | 
21 | pushd driver
22 | make clean
23 | make
24 | popd
25 | 


--------------------------------------------------------------------------------
/driver/.gitignore:
--------------------------------------------------------------------------------
1 | /driver
2 | /driver-fuzz
3 | /input
4 | /output*
5 | /input.bin
6 | /testcases
7 | 


--------------------------------------------------------------------------------
/driver/Makefile:
--------------------------------------------------------------------------------
 1 | CC ?= gcc
 2 | AFL_DIR := ../tool/afl-2.52b
 3 | CFLAGS += -std=gnu99 -g
 4 | 
 5 | APP := driver
 6 | FUZZ_APP := driver-fuzz
 7 | OUTPUT ?= output
 8 | 
 9 | all: $(APP) $(FUZZ_APP)
10 | 
11 | $(APP): driver.c
12 | 	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS)
13 | 
14 | $(FUZZ_APP): driver.c
15 | 	$(AFL_DIR)/afl-gcc $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS)
16 | 
17 | clean:
18 | 	rm -rf $(APP) $(FUZZ_APP)
19 | 
20 | .PHONY: all clean
21 | 


--------------------------------------------------------------------------------
/driver/driver.c:
--------------------------------------------------------------------------------
   1 | #include <signal.h>
   2 | #include <time.h>
   3 | #include <assert.h>
   4 | #include <stdarg.h>
   5 | #include <stdbool.h>
   6 | #include <stdlib.h>
   7 | #include <stdio.h>
   8 | #include <stdint.h>
   9 | #include <string.h>
  10 | #include <malloc.h>
  11 | #include <unistd.h>
  12 | #include <sys/mman.h>
  13 | #include <sys/types.h>
  14 | #include <signal.h>
  15 | #include <fcntl.h>
  16 | 
  17 | #define FIRST_ARG(N, ...) N
  18 | 
  19 | #define DEBUG(...) do{ \
  20 |   assert(!strchr(FIRST_ARG(__VA_ARGS__), '\n')); \
  21 |   STMT("  // "); \
  22 |   STMT(__VA_ARGS__ ); \
  23 |   STMT("\n"); \
  24 | } while( false );
  25 | 
  26 | 
  27 | // API for printing statements
  28 | #define BEGIN_STMT \
  29 |   add_stmt("  ");
  30 | 
  31 | #define STMT(...) do { \
  32 |   add_stmt(__VA_ARGS__); \
  33 | } while (false);
  34 | 
  35 | #define END_STMT \
  36 |   flush_stmt();
  37 | 
  38 | #define CLEAR_STMT \
  39 |   clear_stmt();
  40 | 
  41 | #define DBG_VALUE "[VALUE] "
  42 | #define DBG_INFO "[INFO] "
  43 | #define FATAL(...) do { DEBUG(__VA_ARGS__); done(); } while(false)
  44 | 
  45 | #define MIN(a,b) \
  46 |   ({ __typeof__ (a) _a = (a); \
  47 |    __typeof__ (b) _b = (b); \
  48 |    _a < _b ? _a : _b; })
  49 | 
  50 | #define MAX(a,b) \
  51 |   ({ __typeof__ (a) _a = (a); \
  52 |    __typeof__ (b) _b = (b); \
  53 |    _a > _b ? _a : _b; })
  54 | 
  55 | typedef enum {
  56 |   VULN_OVERFLOW,
  57 |   VULN_OFF_BY_ONE_NULL,
  58 |   VULN_OFF_BY_ONE,
  59 |   VULN_WRITE_AFTER_FREE,
  60 |   VULN_DOUBLE_FREE,
  61 |   VULN_ARBITRARY_FREE,
  62 |   VULN_LAST
  63 | } VulnType;
  64 | 
  65 | typedef enum {
  66 |   EVENT_OVERLAP,
  67 |   EVENT_RESTRICTED_WRITE_IN_CONTAINER,
  68 |   EVENT_RESTRICTED_WRITE_IN_BUFFER,
  69 |   EVENT_ARBITRARY_WRITE_IN_CONTAINER,
  70 |   EVENT_ARBITRARY_WRITE_IN_BUFFER,
  71 |   EVENT_ALLOC_IN_CONTAINER,
  72 |   EVENT_ALLOC_IN_BUFFER,
  73 |   EVENT_LAST
  74 | } EventType;
  75 | 
  76 | typedef enum {
  77 |   CAP_HEAP_ADDR,
  78 |   CAP_CONTAINER_ADDR,
  79 |   CAP_BUFFER_ADDR,
  80 |   CAP_DEALLOC,
  81 |   CAP_HEAP_WRITE,
  82 |   CAP_BUFFER_WRITE,
  83 |   CAP_LAST,
  84 | } CapabilityType;
  85 | 
  86 | typedef struct {
  87 |   uintptr_t orig;
  88 |   uintptr_t orig_real;
  89 |   uintptr_t shadow;
  90 |   uintptr_t shadow_real;
  91 |   int front;
  92 |   int limit;
  93 |   int memory_size;
  94 |   int memory_size_real;
  95 |   int nmemb;
  96 | } ShadowMemory;
  97 | 
  98 | typedef struct {
  99 |   size_t limit;
 100 |   size_t size;
 101 |   char* buf;
 102 |   int index;
 103 | } Command;
 104 | 
 105 | typedef struct {
 106 |   ShadowMemory smem;
 107 |   bool* freed;
 108 |   bool* valid;
 109 |   size_t* usable_size;
 110 |   int limit;
 111 |   int* size;
 112 | } HeapManager;
 113 | 
 114 | typedef struct {
 115 |   char* name;
 116 |   int type;
 117 |   bool enable;
 118 | } Option;
 119 | 
 120 | typedef struct __attribute__((packed)) {
 121 |   int header;
 122 |   int footer;
 123 |   int round;
 124 |   int minsz;
 125 | } AllocatorInfo;
 126 | 
 127 | const uintptr_t kBadPtr = 0xcccccccc;
 128 | 
 129 | // Global variables
 130 | EventType       g_event_type = EVENT_LAST;
 131 | Command         g_cmd;
 132 | HeapManager     g_hmgr;
 133 | ShadowMemory    g_buffer;
 134 | uintptr_t       g_lower_bound = 0;
 135 | uintptr_t       g_upper_bound = 0;
 136 | char            g_stmt_buf[0x1000];
 137 | int             g_stmt_size = 0;
 138 | Command         g_actions;
 139 | int             g_skipped = 0;
 140 | // Info: header, footer, round, minsz
 141 | AllocatorInfo  g_allocator_info = {-1, -1, -1, -1};
 142 | 
 143 | // NOTE: MAX_NUM_SIZES should be <= 65535
 144 | #define MAX_NUM_SIZES 0x1000
 145 | uintptr_t       g_sizes[MAX_NUM_SIZES];
 146 | uintptr_t       g_num_sizes;
 147 | 
 148 | #define MAX_NUM_TXN 0x1000
 149 | uintptr_t       g_txns[MAX_NUM_TXN];
 150 | uintptr_t       g_num_txn;
 151 | uintptr_t       g_idx_txn;
 152 | 
 153 | #define TXN_ID_ALLOCATE 0
 154 | #define TXN_ID_DEALLOCATE 1
 155 | #define TXN_ID_VULN 2
 156 | 
 157 | Option  g_capabilities[] = {
 158 |   {"HEAP_ADDR", CAP_HEAP_ADDR, true},
 159 |   {"CONTAINER_ADDR", CAP_CONTAINER_ADDR, true},
 160 |   {"BUFFER_ADDR", CAP_BUFFER_ADDR, true},
 161 |   {"DEALLOC", CAP_DEALLOC, true},
 162 |   {"HEAP_WRITE", CAP_HEAP_WRITE, true},
 163 |   {"BUFFER_WRITE", CAP_BUFFER_WRITE, true},
 164 | };
 165 | 
 166 | Option g_vulns[] = {
 167 |   {"OVERFLOW", VULN_OVERFLOW, true},
 168 |   {"OFF_BY_ONE_NULL", VULN_OFF_BY_ONE_NULL, true},
 169 |   {"OFF_BY_ONE", VULN_OFF_BY_ONE, true},
 170 |   {"WRITE_AFTER_FREE", VULN_WRITE_AFTER_FREE, true},
 171 |   {"DOUBLE_FREE", VULN_DOUBLE_FREE, true},
 172 |   {"ARBITRARY_FREE", VULN_ARBITRARY_FREE, true}
 173 | };
 174 | 
 175 | Option g_events[] = {
 176 |   {"OVERLAP", EVENT_OVERLAP, true},
 177 |   {"RESTRICTED_WRITE_IN_CONTAINER", EVENT_RESTRICTED_WRITE_IN_CONTAINER, true},
 178 |   {"RESTRICTED_WRITE_IN_BUFFER", EVENT_RESTRICTED_WRITE_IN_BUFFER, true},
 179 |   {"ARBITRARY_WRITE_IN_CONTAINER", EVENT_ARBITRARY_WRITE_IN_CONTAINER, true},
 180 |   {"ARBITRARY_WRITE_IN_BUFFER", EVENT_ARBITRARY_WRITE_IN_BUFFER, true},
 181 |   {"ALLOC_IN_CONTAINER", EVENT_ALLOC_IN_CONTAINER, true},
 182 |   {"ALLOC_IN_BUFFER", EVENT_ALLOC_IN_BUFFER, true},
 183 | };
 184 | 
 185 | uintptr_t interesting_values[] = {
 186 |   -1,
 187 |   -sizeof(void*),
 188 |   0,
 189 |   sizeof(void*),
 190 | };
 191 | 
 192 | void add_stmt(char* fmt, ...) {
 193 |   va_list ap;
 194 |   int i, sum;
 195 | 
 196 |   va_start (ap, fmt);
 197 |   int size = vsnprintf(g_stmt_buf + g_stmt_size,
 198 |       sizeof(g_stmt_buf) - g_stmt_size,
 199 |       fmt, ap);
 200 | 
 201 |   if (size < 0) {
 202 |     DEBUG("Error occurred when copying a statement");
 203 |     exit(-1);
 204 |   }
 205 |   g_stmt_size += size;
 206 |   va_end(ap);
 207 | }
 208 | 
 209 | void clear_stmt() {
 210 |   g_stmt_size = 0;
 211 |   g_stmt_buf[0] = 0;
 212 | }
 213 | 
 214 | void flush_stmt() {
 215 |   if (g_stmt_size != 0) {
 216 |     g_stmt_buf[g_stmt_size] = 0;
 217 |     if (g_stmt_buf[g_stmt_size - 1] == '\n')
 218 |       fprintf(stderr, "%s", g_stmt_buf);
 219 |     else
 220 |       fprintf(stderr, "%s;\n", g_stmt_buf);
 221 |     clear_stmt();
 222 |   }
 223 | }
 224 | 
 225 | void done() {
 226 |   fprintf(stderr,
 227 |       "}\n");
 228 | 
 229 |   fprintf(stderr, "// The number of actions: %d\n", g_actions.index - g_skipped);
 230 |   if (g_event_type != EVENT_LAST) {
 231 |     fprintf(stderr, "// " DBG_INFO "EVENT_%s is detected\n",
 232 |         g_events[g_event_type].name);
 233 |     kill(getpid(), SIGUSR2);
 234 |   }
 235 |   else
 236 |     exit(-1);
 237 | }
 238 | 
 239 | void set_event_type(EventType ety) {
 240 |   // EVENT_* is ascending ordered by interesting
 241 |   // e.g., ALLOC_IN_BUFFER is more interesting than OVERLAP or RESTRICTED_WRITE_IN_BUFFER
 242 |   if (ety != EVENT_LAST
 243 |        && g_events[ety].enable) {
 244 |     if (g_event_type == EVENT_LAST)
 245 |       g_event_type = ety; // At first time
 246 |     else
 247 |       g_event_type = MAX(g_event_type, ety);
 248 |   }
 249 | }
 250 | 
 251 | uintptr_t round_up(uintptr_t value, int multiple) {
 252 |   uintptr_t remainder = value % multiple;
 253 |   if (remainder == 0)
 254 |     return value;
 255 |   else
 256 |     return value + multiple - remainder;
 257 | }
 258 | 
 259 | uintptr_t round_up_page_size(uintptr_t size) {
 260 |   return round_up(size, getpagesize());
 261 | }
 262 | 
 263 | void* random_mmap(size_t size) {
 264 |   // Randomly allocate maps to prevent interactions between them
 265 |   while (true) {
 266 |     uintptr_t base = rand() & (~0xfff);
 267 |     void* addr = mmap((void*)base, size,
 268 |         PROT_READ | PROT_WRITE,
 269 |         MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, -1, 0);
 270 | 
 271 |     if (addr != MAP_FAILED)
 272 |       return addr;
 273 |   }
 274 | }
 275 | 
 276 | void shadow_mem_init(ShadowMemory* smem, int limit, int nmemb) {
 277 |   smem->limit = limit;
 278 |   smem->front = 0;
 279 |   smem->nmemb = nmemb;
 280 |   smem->memory_size = round_up_page_size(limit * nmemb);
 281 |   // Shadow memory looks like [UNUSED_AREA | USED_AREA | UNUSED_AREA]
 282 |   // This helps to detect out of bounds modification
 283 |   smem->memory_size_real = smem->memory_size * 3;
 284 |   smem->orig_real = (uintptr_t)random_mmap(smem->memory_size_real);
 285 |   smem->orig = (uintptr_t)smem->orig_real + smem->memory_size;
 286 |   smem->shadow_real = (uintptr_t)random_mmap(smem->memory_size_real);
 287 |   smem->shadow = (uintptr_t)smem->shadow_real + smem->memory_size;
 288 | }
 289 | 
 290 | uintptr_t shadow_mem_get(ShadowMemory* smem, int index) {
 291 |   uintptr_t value = 0;
 292 |   memcpy(&value, (void*)(smem->orig + index * smem->nmemb), smem->nmemb);
 293 |   return value;
 294 | }
 295 | 
 296 | void shadow_mem_set(ShadowMemory* smem, int index, uintptr_t elem) {
 297 |   assert(index < smem->limit);
 298 | 
 299 |   int off = index * smem->nmemb;
 300 |   memcpy((void*)(smem->orig + off), &elem, smem->nmemb);
 301 |   memcpy((void*)(smem->shadow + off), &elem, smem->nmemb);
 302 | }
 303 | 
 304 | void shadow_mem_push(ShadowMemory* smem, uintptr_t elem) {
 305 |   if (smem->front == smem->limit)
 306 |     FATAL(DBG_INFO "Reach the maximum in ShadowMemory");
 307 | 
 308 |   shadow_mem_set(smem, smem->front, elem);
 309 |   smem->front++;
 310 | }
 311 | 
 312 | bool shadow_mem_verify(ShadowMemory* smem) {
 313 |   return memcmp((void*)smem->orig, (void*)smem->shadow,
 314 |       smem->limit * smem->nmemb);
 315 | }
 316 | 
 317 | int shadow_mem_diff(ShadowMemory* smem, intptr_t* orig, intptr_t* shadow) {
 318 |   void* ptr_orig = (void*)smem->orig;
 319 |   void* ptr_shadow = (void*)smem->shadow;
 320 | 
 321 |   for (int i = 0; i < smem->limit; i ++) {
 322 |     if (memcmp(ptr_orig, ptr_shadow, smem->nmemb)) {
 323 |       *orig = *(intptr_t*)ptr_orig;
 324 |       *shadow = *(intptr_t*)ptr_shadow;
 325 |       return i;
 326 |     }
 327 | 
 328 |     ptr_orig += smem->nmemb;
 329 |     ptr_shadow += smem->nmemb;
 330 |   }
 331 | 
 332 |   return -1;
 333 | }
 334 | 
 335 | void shadow_mem_make_same(ShadowMemory* smem) {
 336 |   memcpy((void*)smem->shadow, (void*)smem->orig,
 337 |       smem->limit * smem->nmemb);
 338 | }
 339 | 
 340 | void command_init(Command* cmd, const char* filename, int limit) {
 341 |   cmd->limit = limit;
 342 |   cmd->buf = (char*)random_mmap(limit);
 343 |   cmd->index = 0;
 344 | 
 345 |   if (filename != NULL) {
 346 |     int fd = open(filename, O_RDONLY);
 347 |     if (fd < 0) {
 348 |       FATAL("Cannot open a file: %s", filename);
 349 |     }
 350 |     cmd->size = read(fd, cmd->buf, limit);
 351 |     close(fd);
 352 |   }
 353 |   else
 354 |     cmd->size = limit;
 355 | 
 356 |   assert(cmd->size != -1);
 357 | }
 358 | 
 359 | void command_check_index(Command* cmd, int req) {
 360 |   if (cmd->index + req > cmd->size)
 361 |     FATAL(DBG_INFO "Reach the end of input");
 362 | }
 363 | 
 364 | void command_next(Command* cmd, void* buf, size_t size) {
 365 |   command_check_index(cmd, size);
 366 |   memcpy(buf, cmd->buf + cmd->index, size);
 367 |   cmd->index += size;
 368 | }
 369 | 
 370 | const char* command_name(Command* cmd, const char* prefix) {
 371 |   static char name[256];
 372 |   snprintf(name, sizeof(name), "%s:%d", prefix, cmd->index);
 373 |   return name;
 374 | }
 375 | 
 376 | #define DEFINE_COMMAND_NEXT(sz) \
 377 |   uint##sz##_t command_next_##sz(Command* cmd) { \
 378 |   uint##sz##_t ch; \
 379 |   command_next(cmd, &ch, sizeof(ch)); \
 380 |   return ch; \
 381 | }
 382 | 
 383 | DEFINE_COMMAND_NEXT(8);
 384 | DEFINE_COMMAND_NEXT(16);
 385 | DEFINE_COMMAND_NEXT(32);
 386 | DEFINE_COMMAND_NEXT(64);
 387 | DEFINE_COMMAND_NEXT(ptr);
 388 | 
 389 | intptr_t command_next_offset(Command* cmd) {
 390 |   return command_next_8(cmd) % 9 - 4;
 391 | }
 392 | 
 393 | uintptr_t command_next_range(Command* cmd, int beg, int end) {
 394 |   return command_next_32(cmd) % (end - beg) + beg;
 395 | }
 396 | 
 397 | void heap_mgr_init(HeapManager* hmgr, int limit) {
 398 |   hmgr->limit = limit;
 399 |   shadow_mem_init(&hmgr->smem, limit, sizeof(void*));
 400 |   hmgr->freed = (bool*)random_mmap(round_up_page_size(limit));
 401 |   hmgr->valid = (bool*)random_mmap(round_up_page_size(limit));
 402 |   hmgr->usable_size = (size_t*)random_mmap(round_up_page_size(limit * sizeof(size_t)));
 403 |   hmgr->size = (int*)random_mmap(round_up_page_size(limit * sizeof(int)));
 404 | }
 405 | 
 406 | void* heap_mgr_get_heap(HeapManager* hmgr, int* index) {
 407 |   if (hmgr->smem.front == 0)
 408 |     return NULL;
 409 |   *index %= hmgr->smem.front;
 410 |   if (hmgr->valid[*index])
 411 |     return (void*)shadow_mem_get(&hmgr->smem, *index);
 412 |   else
 413 |     return (void*)kBadPtr;
 414 | }
 415 | 
 416 | void* heap_mgr_get_valid_heap(HeapManager* hmgr, int* index) {
 417 |   if (hmgr->smem.front == 0)
 418 |     return NULL;
 419 | 
 420 |   *index %= hmgr->smem.front;
 421 |   if (hmgr->freed[*index])
 422 |     return NULL;
 423 | 
 424 |   return (void*)heap_mgr_get_heap(hmgr, index);
 425 | }
 426 | 
 427 | void* heap_mgr_get_freed_heap(HeapManager* hmgr, int* index) {
 428 |   if (hmgr->smem.front == 0)
 429 |     return NULL;
 430 | 
 431 |   *index %= hmgr->smem.front;
 432 |   if (!hmgr->freed[*index])
 433 |     return NULL;
 434 | 
 435 |   return heap_mgr_get_heap(hmgr, index);
 436 | }
 437 | 
 438 | // XXX: Don't like name..
 439 | bool do_action() {
 440 |   if (command_next_8(&g_actions) == 0) {
 441 |     return true;
 442 |   }
 443 |   else {
 444 |     g_skipped++;
 445 |     // Remove the statement for this operation
 446 |     CLEAR_STMT;
 447 |     return false;
 448 |   }
 449 | }
 450 | 
 451 | bool do_action_heap(void* h) {
 452 |   if (do_action() && (uintptr_t)h != kBadPtr)
 453 |     return true;
 454 |   else {
 455 |     CLEAR_STMT;
 456 |     return false;
 457 |   }
 458 | }
 459 | 
 460 | void check_overlap(HeapManager* hmgr, ShadowMemory* buffer, int i) {
 461 |   uintptr_t h1 = (uintptr_t)heap_mgr_get_valid_heap(hmgr, &i);
 462 | 
 463 |   for (int j = 0; j < hmgr->smem.front; j++) {
 464 |     if (i == j)
 465 |       continue;
 466 |     uintptr_t h2 = (uintptr_t)heap_mgr_get_valid_heap(hmgr, &j);
 467 | 
 468 |     if (h1 == 0 || h2 == 0 || h1 == kBadPtr || h2 == kBadPtr)
 469 |       continue;
 470 | 
 471 |     if ((h1 <= h2 && h2 < h1 + hmgr->usable_size[i])
 472 |         || (h2 <= h1 && h1 < h2 + hmgr->usable_size[j])) {
 473 |       DEBUG("[BUG] Found overlap");
 474 |       DEBUG("p[%d]=%p (size=%ld), "
 475 |           "p[%d]=%p (size=%ld)", i, (void*)h1, hmgr->usable_size[i],
 476 |           j, (void*)h2, hmgr->usable_size[j]);
 477 |       BEGIN_STMT;
 478 |       STMT("assert((p[%d] <= p[%d] && p[%d] < p[%d] + %ld)"
 479 |               " || (p[%d] <= p[%d] && p[%d] < p[%d] + %ld))",
 480 |               i, j, j, i, hmgr->usable_size[i],
 481 |               j, i, i, j, hmgr->usable_size[j]);
 482 |       END_STMT;
 483 |       set_event_type(EVENT_OVERLAP);
 484 |     }
 485 |   }
 486 | 
 487 |   if (h1 >= buffer->orig
 488 |       && h1 < buffer->orig + buffer->memory_size) {
 489 |     DEBUG("[BUG] Found allocation in buffer");
 490 |     DEBUG("p[%d]=%p (size=%ld), "
 491 |         "buf=%p (size=%d)",
 492 |         i,
 493 |         (void*)h1, hmgr->usable_size[i],
 494 |         (void*)buffer->orig, buffer->memory_size);
 495 |     BEGIN_STMT;
 496 |     STMT("assert((void*)buf <= p[%d] "
 497 |           "&& p[%d] <= (void*)buf + sizeof(buf))", i, i);
 498 |     END_STMT;
 499 |     set_event_type(EVENT_ALLOC_IN_BUFFER);
 500 |   }
 501 | 
 502 |   if (h1 >= hmgr->smem.orig
 503 |       && h1 < hmgr->smem.orig + hmgr->smem.memory_size) {
 504 |     DEBUG("[BUG] Found allocation in a container");
 505 |     DEBUG("p[%d]=%p (size=%ld), "
 506 |         "container=%p (size=%d)",
 507 |         i,
 508 |         (void*)h1, hmgr->usable_size[i],
 509 |         (void*)hmgr->smem.orig, hmgr->smem.memory_size);
 510 |     BEGIN_STMT;
 511 |     STMT("assert((void*)p <= p[%d] "
 512 |           "&& p[%d] <= (void*)p + sizeof(p))", i, i);
 513 |     END_STMT;
 514 |     set_event_type(EVENT_ALLOC_IN_CONTAINER);
 515 |   }
 516 | }
 517 | 
 518 | void check_buffer_modify(ShadowMemory *buffer, bool write) {
 519 |   if (shadow_mem_verify(buffer)) {
 520 |     intptr_t orig = 0, shadow = 0;
 521 |     int index = shadow_mem_diff(buffer, &orig, &shadow);
 522 | 
 523 |     DEBUG("[BUG] Found modification in buffer at index %d - %p -> %p",
 524 |         index, shadow, orig);
 525 |     shadow_mem_make_same(buffer);
 526 |     if (write)
 527 |       set_event_type(EVENT_ARBITRARY_WRITE_IN_BUFFER);
 528 |     else
 529 |       set_event_type(EVENT_RESTRICTED_WRITE_IN_BUFFER);
 530 |     END_STMT
 531 |   }
 532 | }
 533 | 
 534 | void check_container_modify(HeapManager* hmgr, bool write) {
 535 |   if (shadow_mem_verify(&hmgr->smem)) {
 536 |     intptr_t orig = 0, shadow = 0;
 537 |     int index = shadow_mem_diff(&hmgr->smem, &orig, &shadow);
 538 | 
 539 |     DEBUG("[BUG] Found modification in container at index %d - %p -> %p",
 540 |         index, shadow, orig);
 541 |     shadow_mem_make_same(&hmgr->smem);
 542 |     if (write)
 543 |       set_event_type(EVENT_ARBITRARY_WRITE_IN_CONTAINER);
 544 |     else
 545 |       set_event_type(EVENT_RESTRICTED_WRITE_IN_CONTAINER);
 546 |     END_STMT
 547 |   }
 548 | }
 549 | 
 550 | uintptr_t fuzz_unaligned_size(Command* cmd) {
 551 |   // Return aligned size
 552 |   int beg = 0, end = 0;
 553 | 
 554 |   if (g_num_sizes != 0) {
 555 |     // If -s option is given, then use size from the input
 556 |     return g_sizes[command_next_16(cmd) % g_num_sizes];
 557 |   }
 558 | 
 559 |   switch (command_next_8(cmd) % 6)  {
 560 |     case 0 ... 1:
 561 |       beg = (1 << 0);
 562 |       end = 1 << 5;
 563 |       break;
 564 | 
 565 |     case 2 ... 3:
 566 |       beg = (1 << 5);
 567 |       end = (1 << 10);
 568 |       break;
 569 | 
 570 |     case 4:
 571 |       beg = (1 << 10);
 572 |       end = (1 << 15);
 573 |       break;
 574 | 
 575 |     case 5:
 576 |       beg = (1 << 15);
 577 |       end = 1 << 20;
 578 |       break;
 579 | 
 580 |     default:
 581 |       assert(false);
 582 |   }
 583 |   return command_next_range(cmd, beg, end);
 584 | }
 585 | 
 586 | uintptr_t fuzz_aligned_size(Command* cmd) {
 587 |   return round_up(fuzz_unaligned_size(cmd), 8);
 588 | }
 589 | 
 590 | uintptr_t fuzz_size(HeapManager* hmgr, Command* cmd) {
 591 |   int index = command_next_16(cmd);
 592 |   if (heap_mgr_get_heap(hmgr, &index) == NULL) {
 593 |     // If there is no size.. return random size
 594 |     return fuzz_aligned_size(cmd);
 595 |   }
 596 |   else {
 597 |     if (command_next_8(cmd) & 1) {
 598 |       // Return usable size
 599 |       return hmgr->usable_size[index];
 600 |     }
 601 |     else {
 602 |       // Chunk size would be the usable_size + overhead
 603 |       int overhead = 0;
 604 |       if (g_allocator_info.header != -1)
 605 |         overhead = g_allocator_info.header + g_allocator_info.footer;
 606 |       else {
 607 |         // We don't have information about overhead.
 608 |         // Let's use random value (but we believe it is address-aligned).
 609 |         overhead = (command_next_8(cmd) % 4) * sizeof(void*);
 610 |       }
 611 |       return hmgr->usable_size[index] + overhead;
 612 |     }
 613 |   }
 614 | }
 615 | 
 616 | uintptr_t get_txn(uintptr_t orig) {
 617 |   // No transaction has been specified
 618 |   if (g_num_txn == 0)
 619 |     return orig;
 620 | 
 621 |   // Consumed all transactions
 622 |   if (g_num_txn == g_idx_txn)
 623 |     done();
 624 | 
 625 |   return g_txns[g_idx_txn++];
 626 | }
 627 | 
 628 | uintptr_t fuzz_transform_linear(Command* cmd, uintptr_t size) {
 629 |   int a = 1, b = 0;
 630 |   switch (command_next_8(cmd) % 5) {
 631 |     case 0 ... 1:
 632 |       a = 1;
 633 |       b = command_next_offset(cmd) * sizeof(void*);
 634 |       break;
 635 | 
 636 |     case 2 ... 3:
 637 |       a = command_next_8(cmd) % 3 + 1;
 638 |       b = 0;
 639 |       break;
 640 | 
 641 |     case 4:
 642 |       a = command_next_8(cmd) % 3 + 1;
 643 |       b = command_next_offset(cmd) * sizeof(void*);
 644 |       break;
 645 | 
 646 |     default:
 647 |       assert(false);
 648 |   }
 649 | 
 650 |   return a * size + b + (command_next_8(cmd) & 7);
 651 | }
 652 | 
 653 | uintptr_t fuzz_int(HeapManager* hmgr, ShadowMemory* buffer, Command* cmd) {
 654 |   uintptr_t value = 0;
 655 |   int op;
 656 | 
 657 | retry:
 658 |   op = command_next_8(cmd);
 659 | 
 660 |   switch (op % 13) {
 661 |     case 0: {
 662 |       // Interesting values
 663 |       value = interesting_values[command_next_8(cmd)
 664 |         % (sizeof(interesting_values) / sizeof(intptr_t))];
 665 |       break;
 666 |     }
 667 | 
 668 |     case 1: {
 669 |       // Offset of the buffer and a chunk
 670 |       if (!g_capabilities[CAP_HEAP_ADDR].enable
 671 |           || !g_capabilities[CAP_BUFFER_ADDR].enable)
 672 |         goto retry;
 673 |       int index_h = command_next_16(cmd);
 674 |       void* h = heap_mgr_get_heap(hmgr, &index_h);
 675 |       if (h == NULL)
 676 |         goto retry;
 677 | 
 678 |       int index_b = command_next_16(cmd) % buffer->limit;
 679 |       if (h == NULL)
 680 |         goto retry;
 681 |       uintptr_t buffer_heap_off
 682 |           = buffer->orig + index_b * sizeof(void*)
 683 |           - (uintptr_t)h;
 684 |       int sign = command_next_8(cmd) & 1 ? -1 : 1;
 685 |       int off = command_next_offset(cmd) * sizeof(void*);
 686 |       if (sign == 1) {
 687 |         STMT("(uintptr_t)&buf[%d] - (uintptr_t)p[%d] + %d",
 688 |           index_b, index_h, off);
 689 |       }
 690 |       else {
 691 |         STMT("(uintptr_t)p[%d] - (uintptr_t)&buf[%d] + %d",
 692 |           index_h, index_b, off);
 693 |       }
 694 |       return sign * buffer_heap_off + off;
 695 |     }
 696 | 
 697 |     case 2: {
 698 |       // Offset of the container and a chunk
 699 |       if (!g_capabilities[CAP_HEAP_ADDR].enable
 700 |           || !g_capabilities[CAP_CONTAINER_ADDR].enable)
 701 |         goto retry;
 702 |       int index_h = command_next_16(cmd);
 703 |       void* h = heap_mgr_get_heap(hmgr, &index_h);
 704 |       if (h == NULL)
 705 |         goto retry;
 706 | 
 707 |       int size = hmgr->smem.front == 0 ? hmgr->limit : hmgr->smem.front;
 708 |       int index_c = command_next_16(cmd) % size;
 709 | 
 710 |       uintptr_t container_heap_off
 711 |         = hmgr->smem.orig + index_c * sizeof(void*)
 712 |         - (uintptr_t)h;
 713 |       int sign = command_next_8(cmd) & 1 ? -1 : 1;
 714 |       int off = command_next_offset(cmd) * sizeof(void*);
 715 |       if (sign == 1) {
 716 |         STMT("(uintptr_t)&p[%d] - (uintptr_t)p[%d] + %d",
 717 |             index_c, index_h, off);
 718 |       }
 719 |       else {
 720 |         STMT("(uintptr_t)p[%d] - (uintptr_t)&p[%d] + %d",
 721 |             index_h, index_c, off);
 722 |       }
 723 |       return sign * container_heap_off + off;
 724 |     }
 725 | 
 726 |     case 3: {
 727 |       // Aligned random size
 728 |       value = fuzz_aligned_size(cmd);
 729 |       break;
 730 |     }
 731 | 
 732 |     case 4: {
 733 |       // Unaligned random size
 734 |       value = fuzz_unaligned_size(cmd);
 735 |       break;
 736 |     }
 737 | 
 738 |     case 5 ... 8: {
 739 |       // Fuzzy size
 740 |       value = fuzz_size(hmgr, cmd);
 741 |       break;
 742 |     }
 743 | 
 744 |     case 9 ... 12: {
 745 |       // Fuzzy size + Linear transformation
 746 |       value = fuzz_transform_linear(cmd, fuzz_size(hmgr, cmd));
 747 |       break;
 748 |     }
 749 | 
 750 |     default:
 751 |       assert(false);
 752 |   }
 753 | 
 754 |   STMT("%ld", value);
 755 |   return value;
 756 | }
 757 | 
 758 | uintptr_t fuzz_ptr(HeapManager* hmgr, ShadowMemory* buffer, Command* cmd) {
 759 |   uintptr_t value = 0;
 760 |   int op;
 761 | 
 762 | retry:
 763 |   op = command_next_8(cmd);
 764 | 
 765 |   switch (op % 4) {
 766 |     case 0: {
 767 |       break;
 768 |     }
 769 | 
 770 |     case 1: {
 771 |       // Heap address
 772 |       if (!g_capabilities[CAP_HEAP_ADDR].enable)
 773 |         goto retry;
 774 |       int index = command_next_16(cmd);
 775 |       void* h = heap_mgr_get_heap(hmgr, &index);
 776 |       if (h == NULL)
 777 |         break;
 778 |       int off = command_next_offset(cmd) * sizeof(void*);
 779 |       STMT("(uintptr_t)p[%d] + %d", index, off);
 780 |       return (uintptr_t)h + off;
 781 |     }
 782 | 
 783 |     case 2: {
 784 |       // Buffer address
 785 |       if (!g_capabilities[CAP_BUFFER_ADDR].enable)
 786 |         goto retry;
 787 |       int index = command_next_16(cmd) % buffer->limit;
 788 |       STMT("(uintptr_t)&buf[%d]", index);
 789 |       return (uintptr_t)buffer->orig + index * sizeof(uintptr_t);
 790 |     }
 791 | 
 792 |     case 3: {
 793 |       // Container address
 794 |       if (!g_capabilities[CAP_CONTAINER_ADDR].enable)
 795 |         goto retry;
 796 |       int size = hmgr->smem.front == 0 ? hmgr->limit : hmgr->smem.front;
 797 |       int index = command_next_16(cmd) % size;
 798 |       uintptr_t h = hmgr->smem.orig;
 799 |       int off = command_next_offset(cmd) * sizeof(void*);
 800 |       STMT("(uintptr_t)&p[%d] + %d", index, off);
 801 |       return h + index * sizeof(uintptr_t) + off;
 802 |     }
 803 | 
 804 |     default:
 805 |       assert(false);
 806 |   }
 807 | 
 808 |   // NULL
 809 |   STMT("%ld", value);
 810 |   return value;
 811 | }
 812 | 
 813 | 
 814 | // XXX: bad naming
 815 | uintptr_t fuzz_aligned_to_unaligned_lower(Command* cmd, uintptr_t size) {
 816 |   switch (command_next_8(cmd) % 3) {
 817 |     case 0:
 818 |       return size;
 819 |     case 1:
 820 |       return size | 1;
 821 |     case 2:
 822 |       return size | (command_next_8(cmd) & 7);
 823 |     default:
 824 |       assert(false);
 825 |   }
 826 | }
 827 | 
 828 | int heap_mgr_allocate(HeapManager* hmgr, ShadowMemory* buffer, size_t size) {
 829 |   // Returns -1 if it does not actually allocate
 830 | 
 831 |   void* ptr = NULL;
 832 |   bool valid;
 833 | 
 834 |   if (do_action()) {
 835 |     ptr = malloc(size);
 836 |     valid = true;
 837 |   }
 838 |   else {
 839 |     ptr = (void*)kBadPtr;
 840 |     valid = false;
 841 |   }
 842 | 
 843 |   shadow_mem_push(&hmgr->smem, (uintptr_t)ptr);
 844 |   int index = hmgr->smem.front - 1;
 845 |   hmgr->valid[index] = valid;
 846 | 
 847 |   if (g_allocator_info.header != -1) {
 848 |     int overhead = g_allocator_info.header + g_allocator_info.footer;
 849 |     hmgr->usable_size[index] = MAX(g_allocator_info.minsz,
 850 |         round_up(size + overhead, g_allocator_info.round)) - overhead;
 851 |   }
 852 |   else if (valid) {
 853 |     hmgr->usable_size[index] = size;
 854 | 
 855 |     // Since malloc_usable_size() can be failed due to an invalid chunk,
 856 |     // e.g., tcmalloc, we check techniques before calling malloc_usable_size()
 857 |     check_overlap(hmgr, buffer, index);
 858 |     check_buffer_modify(buffer, false);
 859 |     check_container_modify(hmgr, false);
 860 | 
 861 |     hmgr->usable_size[index] = malloc_usable_size(ptr);
 862 |   }
 863 |   // TODO: Remove hmgr->size
 864 |   hmgr->size[index] = size;
 865 |   return (ptr == (void*)kBadPtr) ? -1 : index;
 866 | }
 867 | 
 868 | bool heap_mgr_force_deallocate(HeapManager* hmgr, int* index) {
 869 |   if (hmgr->smem.front < 2)
 870 |     return false;
 871 | 
 872 |   *index %= hmgr->smem.front;
 873 |   void* ptr = (void*)shadow_mem_get(&hmgr->smem, *index);
 874 |   hmgr->freed[*index] = true;
 875 | 
 876 |   if (do_action_heap(ptr)) {
 877 |     free(ptr);
 878 |     return true;
 879 |   }
 880 |   else
 881 |     return false;
 882 | }
 883 | 
 884 | bool heap_mgr_deallocate(HeapManager* hmgr, int* index) {
 885 |   if (hmgr->smem.front < 2)
 886 |     return false;
 887 | 
 888 |   *index %= hmgr->smem.front;
 889 |   if (hmgr->freed[*index])
 890 |     return false;
 891 | 
 892 |   return heap_mgr_force_deallocate(hmgr, index);
 893 | }
 894 | 
 895 | uintptr_t fuzz_value(HeapManager* hmgr, ShadowMemory* buffer, Command* cmd) {
 896 |   int op = command_next_8(cmd);
 897 | 
 898 |   switch (op % 2) {
 899 |     case 0:
 900 |       return fuzz_int(hmgr, buffer, cmd);
 901 |     case 1:
 902 |       return fuzz_ptr(hmgr, buffer, cmd);
 903 |     default:
 904 |       assert(false);
 905 |   }
 906 | }
 907 | 
 908 | void fuzz_allocate(HeapManager* hmgr, ShadowMemory* buffer, Command* cmd) {
 909 | retry:
 910 |   BEGIN_STMT;
 911 |   STMT("p[%d] = malloc(", hmgr->smem.front);
 912 | 
 913 |   uintptr_t size = 0;
 914 |   if (g_num_sizes != 0) {
 915 |     // If -s option is given, then use size from the input
 916 |     size = g_sizes[command_next_16(cmd) % g_num_sizes];
 917 |     STMT("%ld", size);
 918 |   }
 919 |   else
 920 |     size = fuzz_int(hmgr, buffer, cmd);
 921 | 
 922 |   if ((g_lower_bound != 0 && g_lower_bound > size) ||
 923 |       (g_upper_bound != 0 && size > g_upper_bound)) {
 924 |     CLEAR_STMT;
 925 |     goto retry;
 926 |   }
 927 |   STMT(")");
 928 |   END_STMT;
 929 |   int index = heap_mgr_allocate(hmgr, buffer, size);
 930 | 
 931 |   if (index != -1) {
 932 |     check_overlap(hmgr, buffer, index);
 933 |     check_buffer_modify(buffer, false);
 934 |     check_container_modify(hmgr, false);
 935 |   }
 936 | }
 937 | 
 938 | void fuzz_deallocate(HeapManager* hmgr, ShadowMemory* buffer, Command* cmd) {
 939 |   // Do nothing if less than one memory is allocated
 940 |   int index = command_next_16(cmd);
 941 | 
 942 |   if (heap_mgr_deallocate(hmgr, &index)) {
 943 |     BEGIN_STMT;
 944 |     STMT("free(p[%d])", index);
 945 |     END_STMT;
 946 |     check_buffer_modify(buffer, false);
 947 |     check_container_modify(hmgr, false);
 948 |   }
 949 | }
 950 | 
 951 | void fuzz_fill_heap(HeapManager* hmgr, ShadowMemory* buffer, Command* cmd) {
 952 |   int index = command_next_16(cmd);
 953 |   void* h = heap_mgr_get_valid_heap(hmgr, &index);
 954 |   // Not a valid heap
 955 |   if (h == NULL)
 956 |     return;
 957 | 
 958 |   int num_slots = hmgr->usable_size[index] / sizeof(uintptr_t);
 959 |   if (num_slots == 0)
 960 |     return;
 961 | 
 962 |   bool higher = command_next_8(cmd) & 1;
 963 |   int beg = 0, end = 0;
 964 | 
 965 |   if (higher) {
 966 |     beg = 0;
 967 |     end = command_next_8(cmd) % MIN(num_slots, 8) + 1;
 968 |   }
 969 |   else {
 970 |     beg = num_slots - (command_next_8(cmd) % MIN(num_slots, 8) + 1);
 971 |     end = num_slots;
 972 |   }
 973 | 
 974 |   assert(beg >= 0 && end <= num_slots);
 975 | 
 976 |   for (int i = beg; i < end; i++) {
 977 |     BEGIN_STMT;
 978 |     STMT("((uintptr_t*)p[%d])[%d] = ", index, i);
 979 |     uintptr_t value = fuzz_value(hmgr, buffer, cmd);
 980 | 
 981 |     if (do_action_heap(h))
 982 |       *((uintptr_t*)h + i) = value;
 983 |     END_STMT;
 984 |   }
 985 | 
 986 |   check_buffer_modify(buffer, true);
 987 |   check_container_modify(hmgr, true);
 988 | }
 989 | 
 990 | void fuzz_fill_buffer(HeapManager *hmgr,
 991 |     ShadowMemory* buffer, Command* cmd) {
 992 |   int index = command_next_16(cmd) % buffer->limit;
 993 |   int remainder = buffer->limit - index;
 994 |   int num = command_next_8(cmd) % MIN(8, remainder) + 1;
 995 | 
 996 |   for (int i = 0; i < num; i++) {
 997 |     BEGIN_STMT;
 998 |     STMT("buf[%d] = ", index + i);
 999 |     uintptr_t value = fuzz_value(hmgr, buffer, cmd);
1000 |     if (do_action())
1001 |       shadow_mem_set(buffer, index + i, value);
1002 |     END_STMT;
1003 |   }
1004 | 
1005 |   check_buffer_modify(buffer, true);
1006 |   check_container_modify(hmgr, true);
1007 | }
1008 | 
1009 | VulnType get_random_vuln_type(Command* cmd) {
1010 |   while (true) {
1011 |     VulnType vuln = command_next_8(cmd) % VULN_LAST;
1012 |     if (g_vulns[vuln].enable)
1013 |       return vuln;
1014 |   }
1015 | }
1016 | 
1017 | void fuzz_vuln(HeapManager* hmgr,
1018 |     ShadowMemory* buffer, Command* cmd) {
1019 |   static VulnType prev_vuln = VULN_LAST;
1020 |   VulnType vuln = get_random_vuln_type(cmd);
1021 |   vuln = get_txn(vuln);
1022 | 
1023 |   // Do not allow two types of vulnerability
1024 |   if (prev_vuln != VULN_LAST
1025 |       && vuln != prev_vuln)
1026 |     return;
1027 | 
1028 |   switch (vuln) {
1029 |     case VULN_OVERFLOW: {
1030 |       int index = command_next_16(cmd);
1031 |       void* h = heap_mgr_get_valid_heap(hmgr, &index);
1032 |       if (h == NULL)
1033 |         return;
1034 | 
1035 |       int num = command_next_8(cmd) % 8 + 1;
1036 | 
1037 |       bool first = true;
1038 |       for (int i = 0; i < num; i ++) {
1039 |         if (first) DEBUG("[VULN] Overflow");
1040 |         BEGIN_STMT;
1041 |         // NOTE: We overflow from usable_size[index] - sizeof(void*).
1042 |         // This is sensitive to ptmalloc that contains metadata at the last
1043 |         int off = hmgr->usable_size[index] + (i - 1) * sizeof(void*);
1044 |         STMT("*(uintptr_t*)(p[%d] + %d) = ", index, off);
1045 |         uintptr_t value = fuzz_value(hmgr, buffer, cmd);
1046 |         if (do_action_heap(h)) {
1047 |           if (first) first = false;
1048 |           *(uintptr_t*)((uintptr_t)h + off) = value;
1049 |         }
1050 |         END_STMT;
1051 |       }
1052 |     }
1053 |     break;
1054 | 
1055 |     case VULN_OFF_BY_ONE: {
1056 |       int index = command_next_16(cmd);
1057 |       void* h = heap_mgr_get_valid_heap(hmgr, &index);
1058 |       if (h == NULL)
1059 |         return;
1060 | 
1061 |       if (do_action_heap(h)) {
1062 |         uint8_t value = command_next_8(cmd);
1063 |         uint8_t old = *(uint8_t*)((uintptr_t)h + hmgr->usable_size[index]);
1064 | 
1065 |         DEBUG("[VULN] Off-by-one");
1066 |         DEBUG("old = %d, new=%d", old, value);
1067 | 
1068 |         BEGIN_STMT;
1069 |         STMT("*(char*)(p[%d] + %ld) = %d", index, hmgr->usable_size[index], value);
1070 |         *(uint8_t*)((uintptr_t)h + hmgr->usable_size[index]) = value;
1071 |         END_STMT;
1072 |       }
1073 |     }
1074 |     break;
1075 | 
1076 |     case VULN_OFF_BY_ONE_NULL: {
1077 |       int index = command_next_16(cmd);
1078 |       void* h = heap_mgr_get_valid_heap(hmgr, &index);
1079 |       if (h == NULL)
1080 |         return;
1081 | 
1082 |       if (do_action_heap(h)) {
1083 |         uint8_t old = *(uint8_t*)((uintptr_t)h + hmgr->usable_size[index]);
1084 |         DEBUG("[VULN] Off-by-one NULL");
1085 |         DEBUG("old = %d", old);
1086 | 
1087 |         BEGIN_STMT;
1088 |         STMT("*(char*)(p[%d] + %ld) = 0", index, hmgr->usable_size[index]);
1089 | 
1090 |         *(uint8_t*)((uintptr_t)h + hmgr->usable_size[index]) = 0;
1091 | 
1092 |         END_STMT;
1093 |       }
1094 |     }
1095 |     break;
1096 | 
1097 |     case VULN_WRITE_AFTER_FREE: {
1098 |       // XXX: Merge with fill heap
1099 |       int index = command_next_16(cmd);
1100 |       void* h = heap_mgr_get_freed_heap(hmgr, &index);
1101 |       // Not a valid heap
1102 |       if (h == NULL)
1103 |         return;
1104 | 
1105 |       int num_slots = hmgr->usable_size[index] / sizeof(uintptr_t);
1106 |       if (num_slots == 0)
1107 |         return;
1108 | 
1109 |       bool higher = command_next_8(cmd) & 1;
1110 |       int beg = 0, end = 0;
1111 | 
1112 |       if (higher) {
1113 |         beg = 0;
1114 |         end = command_next_8(cmd) % MIN(num_slots, 8) + 1;
1115 |       }
1116 |       else {
1117 |         beg = num_slots - (command_next_8(cmd) % MIN(num_slots, 8) + 1);
1118 |         end = num_slots;
1119 |       }
1120 | 
1121 |       assert(beg >= 0 && end <= num_slots);
1122 | 
1123 |       bool first = true;
1124 |       for (int i = beg; i < end; i++) {
1125 |         if (first) DEBUG("[VULN] Write-after-free");
1126 |         BEGIN_STMT;
1127 |         STMT("((uintptr_t*)p[%d])[%d] = ", index, i);
1128 |         uintptr_t value = fuzz_value(hmgr, buffer, cmd);
1129 |         if (do_action_heap(h)) {
1130 |           if (first) first = false;
1131 |           *((uintptr_t*)h + i) = value;
1132 |         }
1133 |         END_STMT;
1134 |       }
1135 |     }
1136 |     break;
1137 | 
1138 |     case VULN_DOUBLE_FREE: {
1139 |       int index = command_next_16(cmd);
1140 |       void* h = heap_mgr_get_freed_heap(hmgr, &index);
1141 |       if (h == NULL)
1142 |         return;
1143 | 
1144 |       for (int i = 0 ; i < hmgr->limit; i++) {
1145 |         int other_index = i;
1146 |         void* other_h = heap_mgr_get_valid_heap(hmgr, &other_index);
1147 |         if (other_h == h && (uintptr_t)h != kBadPtr) {
1148 |           DEBUG(DBG_INFO "This is not really freed memory");
1149 |           return;
1150 |         }
1151 |       }
1152 | 
1153 |       if (do_action()) {
1154 |         DEBUG("[VULN] Double free");
1155 |         if (heap_mgr_force_deallocate(hmgr, &index)) {
1156 |           BEGIN_STMT;
1157 |           STMT("free(p[%d])", index);
1158 |           END_STMT;
1159 | 
1160 |           check_buffer_modify(buffer, false);
1161 |           check_container_modify(hmgr, false);
1162 |         }
1163 |       }
1164 |     }
1165 |     break;
1166 | 
1167 |     case VULN_ARBITRARY_FREE: {
1168 |       int index = command_next_16(cmd) % buffer->limit;
1169 | 
1170 |       if (do_action()) {
1171 |         DEBUG("[VULN] Arbitrary free");
1172 | 
1173 |         BEGIN_STMT;
1174 |         STMT("free(&buf[%d])", index);
1175 |         END_STMT;
1176 | 
1177 |         free((void*)(buffer->orig + index * sizeof(uintptr_t)));
1178 |         check_buffer_modify(buffer, false);
1179 |         check_container_modify(hmgr, false);
1180 |       }
1181 |     }
1182 |     break;
1183 | 
1184 |     default:
1185 |       assert(false);
1186 |   }
1187 | 
1188 |   prev_vuln = vuln;
1189 | }
1190 | 
1191 | void print_options(char* name, Option* options, int num_elem) {
1192 |   bool first = true;
1193 |   fprintf(stderr, "     <%s>:= ", name);
1194 |   for (int i = 0; i < num_elem; i++) {
1195 |     if (first)
1196 |       first = false;
1197 |     else
1198 |       fprintf(stderr, " | ");
1199 |     fprintf(stderr, "%s", options[i].name);
1200 |   }
1201 |   fprintf(stderr, "\n");
1202 | }
1203 | 
1204 | void set_option(char* name, Option* options, int num_elem) {
1205 |   for (int i = 0; i < num_elem; i++) {
1206 |     if (!strcmp(optarg, options[i].name)) {
1207 |       options[i].enable = false;
1208 |       return;
1209 |     }
1210 |   }
1211 | 
1212 |   fprintf(stderr, "// [ERROR] No such %s: %s\n", name, optarg);
1213 |   exit(-1);
1214 | }
1215 | 
1216 | void set_allocator_information() {
1217 |   char* saveptr = optarg;
1218 |   // TODO: Better way to parse AllocatorInfo
1219 |   assert(sizeof(AllocatorInfo) == 4 * sizeof(int));
1220 |   int* ptr = (int*)&g_allocator_info;
1221 |   for (int i = 0; i < 4; i++) {
1222 |     char* p = strtok_r(saveptr, ":", &saveptr);
1223 |     if (p == NULL) {
1224 |       fprintf(stderr, "// [ERROR] Invalid format for allocator information\n");
1225 |       exit(-1);
1226 |     }
1227 |     ptr[i] = atoi(p);
1228 |   }
1229 | 
1230 |   if (g_allocator_info.round == 0) {
1231 |     // Round cannot be zero
1232 |     fprintf(stderr, "// [ERROR] Round cannot be zero\n");
1233 |     exit(-1);
1234 |   }
1235 | 
1236 |   fprintf(stderr,
1237 |       "// [INFO] Allocator information: header=%d, footer=%d, round=%d, minsz=%d\n",
1238 |       g_allocator_info.header,
1239 |       g_allocator_info.footer,
1240 |       g_allocator_info.round,
1241 |       g_allocator_info.minsz);
1242 | }
1243 | 
1244 | void usage(char* filename) {
1245 |   fprintf(stderr,
1246 |   "Usage: %s [OPTION]... FILE [MAPFILE]\n"
1247 |   "  -c <cap>: Disable a capability\n", filename);
1248 |   print_options("cap", g_capabilities, CAP_LAST);
1249 | 
1250 |   fprintf(stderr,
1251 |   "  -v <vuln>: Disable a vulnerbility\n");
1252 |   print_options("vuln", g_vulns, VULN_LAST);
1253 | 
1254 |   fprintf(stderr,
1255 |   "  -e <event>: Disable an event\n");
1256 |   print_options("event", g_events, EVENT_LAST);
1257 | 
1258 |   fprintf(stderr,
1259 |   "  -u <ub>: Set upper bound of allocation\n"
1260 |   "  -l <lb>: Set lower bound of allocation\n"
1261 |   "  -s <list-of-sizes>: Set allocations sizes (e.g., 1,2,3)\n"
1262 |   "  -a <header>:<footer>:<round>:<minsz>: Set information for allocator\n"
1263 | #if 0
1264 |   // Make this option hidden, which is only used for evaluation
1265 |   "  -A <list-of-transactions>: Set a sequence of transactions\n"
1266 |   "     Possible Transactions - "
1267 |   "        M: alloc, F: free\n"
1268 |   "        OV: overflow, O1: off-by-one, O1N: off-by-one NULL\n"
1269 |   "        FF: double free, AF: arbitrary free, WF: write-after-free\n"
1270 |   "        (e.g., M-M-OV-F-M)\n"
1271 | #endif
1272 |   "    e.g. For ptmalloc in 64-bit, -a 8:0:16:32\n"
1273 |   "  -h: Display this help and exit\n");
1274 | }
1275 | 
1276 | int main(int argc, char** argv) {
1277 |   int c;
1278 |   while ((c = getopt(argc, argv, "A:s:c:v:e:u:l:a:h")) != -1) {
1279 |     switch (c) {
1280 |       case 'c':
1281 |         set_option("capability", g_capabilities, CAP_LAST);
1282 |         break;
1283 |       case 'v':
1284 |         set_option("vuln", g_vulns, VULN_LAST);
1285 |         break;
1286 |       case 'e':
1287 |         set_option("event", g_events, EVENT_LAST);
1288 |         break;
1289 |       case 'u':
1290 |         g_upper_bound = strtoul(optarg, NULL, 10);
1291 |         if (g_upper_bound)
1292 |           fprintf(stderr, "// [INFO] Set upper bound: %ld\n", g_upper_bound);
1293 |         break;
1294 |       case 'l':
1295 |         g_lower_bound = strtoul(optarg, NULL, 10);
1296 |         if (g_lower_bound)
1297 |           fprintf(stderr, "// [INFO] Set lower bound: %ld\n", g_lower_bound);
1298 |         break;
1299 |       case 's': {
1300 |         char *ptr = strtok(optarg, ",");
1301 |         while (ptr != NULL) {
1302 |           int size = atoi(ptr);
1303 |           if (size <= 0) {
1304 |             fprintf(stderr, "[FATAL] Invalid size in -s option\n");
1305 |             exit(-1);
1306 |           }
1307 | 
1308 |           if (g_num_sizes >= MAX_NUM_SIZES) {
1309 |             fprintf(stderr, "[FATAL] Too many sizes in -s option\n");
1310 |             exit(-1);
1311 |           }
1312 | 
1313 |           g_sizes[g_num_sizes++] = size;
1314 |           ptr = strtok(NULL, ",");
1315 | 
1316 |         }
1317 | 
1318 |         fprintf(stderr, "[INFO] Sizes: {");
1319 |         bool first = true;
1320 | 
1321 |         for (uintptr_t i = 0; i < g_num_sizes; i++) {
1322 |           if (!first)
1323 |             fprintf(stderr, ", ");
1324 |           if (first)
1325 |             first = false;
1326 | 
1327 |           fprintf(stderr, "%ld", g_sizes[i]);
1328 |         }
1329 |         fprintf(stderr, "}\n");
1330 | 
1331 |         break;
1332 |       }
1333 | 
1334 |       case 'A': {
1335 |         // TODO: 'A' option should be mutually exclusive with 'c' and 'v'
1336 |         char * ptr = strtok(optarg, "-");
1337 |         while (ptr != NULL) {
1338 |           if (!strcmp(ptr, "M")) {
1339 |             g_txns[g_num_txn++] = TXN_ID_ALLOCATE;
1340 |           }
1341 |           else if (!strcmp(ptr, "F")) {
1342 |             g_txns[g_num_txn++] = TXN_ID_DEALLOCATE;
1343 |           }
1344 |           else if (!strcmp(ptr, "OV")) {
1345 |             g_txns[g_num_txn++] = TXN_ID_VULN;
1346 |             g_txns[g_num_txn++] = VULN_OVERFLOW;
1347 |           }
1348 |           else if (!strcmp(ptr, "O1")) {
1349 |             g_txns[g_num_txn++] = TXN_ID_VULN;
1350 |             g_txns[g_num_txn++] = VULN_OFF_BY_ONE;
1351 |           }
1352 |           else if (!strcmp(ptr, "O1N")) {
1353 |             g_txns[g_num_txn++] = TXN_ID_VULN;
1354 |             g_txns[g_num_txn++] = VULN_OFF_BY_ONE_NULL;
1355 |           }
1356 |           else if (!strcmp(ptr, "AF")) {
1357 |             g_txns[g_num_txn++] = TXN_ID_VULN;
1358 |             g_txns[g_num_txn++] = VULN_ARBITRARY_FREE;
1359 |           }
1360 |           else if (!strcmp(ptr, "FF")) {
1361 |             g_txns[g_num_txn++] = TXN_ID_VULN;
1362 |             g_txns[g_num_txn++] = VULN_DOUBLE_FREE;
1363 |           }
1364 |           else if (!strcmp(ptr, "WF")) {
1365 |             g_txns[g_num_txn++] = TXN_ID_VULN;
1366 |             g_txns[g_num_txn++] = VULN_WRITE_AFTER_FREE;
1367 |           }
1368 |           else {
1369 |             fprintf(stderr, "[FATAL] Unknown transaction: %s", ptr);
1370 |             exit(-1);
1371 |           }
1372 |           ptr = strtok(NULL, "-");
1373 |         }
1374 | 
1375 |         // TODO: Make more pretty printing
1376 |         fprintf(stderr, "// [INFO] List of transactions: ");
1377 |         bool first = true;
1378 |         for (uintptr_t i = 0; i < g_num_txn; i++) {
1379 |           if (!first)
1380 |             fprintf(stderr, ", ");
1381 |           if (first)
1382 |             first = false;
1383 | 
1384 |           fprintf(stderr, "%ld", g_txns[i]);
1385 |         }
1386 |         fprintf(stderr, "\n");
1387 |         break;
1388 |       }
1389 | 
1390 |       case 'a':
1391 |         set_allocator_information();
1392 |         break;
1393 |       case 'h':
1394 |       default:
1395 |         usage(argv[0]);
1396 |         exit(-1);
1397 |     }
1398 |   }
1399 | 
1400 |   if (argc == optind || argc > optind + 2) {
1401 |     usage(argv[0]);
1402 |     exit(-1);
1403 |   }
1404 | 
1405 |   char* input_file = argv[optind];
1406 |   char* bitmap_file = NULL;
1407 | 
1408 |   const int heap_limit = 0x100;
1409 |   const int buffer_limit = 0x100;
1410 | 
1411 |   fprintf(stderr,
1412 |       "#include <assert.h>\n"
1413 |       "#include <stdio.h>\n"
1414 |       "#include <stdlib.h>\n"
1415 |       "#include <stdint.h>\n"
1416 |       "#include <malloc.h>\n\n"
1417 |       "void* p[%d];\n"
1418 |       "uintptr_t buf[%d];\n\n"
1419 |       "int main() {\n", heap_limit, buffer_limit);
1420 | 
1421 |   srand(time(NULL));
1422 | 
1423 |   struct sigaction sa;
1424 |   sa.sa_handler = NULL;
1425 |   memset(&sa, 0, sizeof(struct sigaction));
1426 |   sigemptyset(&sa.sa_mask);
1427 |   sa.sa_handler = done;
1428 |   sigaction(SIGABRT, &sa, NULL);
1429 |   sigaction(SIGSEGV, &sa, NULL);
1430 | 
1431 |   // Use global variables to avoid using heap
1432 |   if (argc == optind + 1)
1433 |     command_init(&g_actions, NULL, 0x1000);
1434 |   else
1435 |     command_init(&g_actions, argv[optind + 1], 0x1000);
1436 | 
1437 |   command_init(&g_cmd, argv[optind], 0x1000);
1438 |   DEBUG(DBG_INFO "Command buffer: %p", g_cmd.buf);
1439 |   DEBUG(DBG_INFO "Input size: %lu", g_cmd.size);
1440 | 
1441 |   heap_mgr_init(&g_hmgr, heap_limit);
1442 |   shadow_mem_init(&g_buffer, buffer_limit, sizeof(uintptr_t));
1443 | 
1444 |   while (true) {
1445 |     uint8_t op;
1446 |     bool is_txn;
1447 | 
1448 | retry:
1449 |     op = command_next_8(&g_cmd);
1450 | 
1451 |     // Transactions: allocate, deallocate, vuln
1452 |     // Non-transactions: heap writes, buffer writes
1453 |     switch (op % 5) {
1454 |       case 0:
1455 |       case 1:
1456 |       case 2:
1457 |         is_txn = true;
1458 |         break;
1459 |       case 3:
1460 |       case 4:
1461 |         is_txn = false;
1462 |         break;
1463 |     }
1464 | 
1465 |     if (is_txn) {
1466 |       op = get_txn(op);
1467 |       switch (op % 3) {
1468 |         case TXN_ID_ALLOCATE:
1469 |           fuzz_allocate(&g_hmgr, &g_buffer, &g_cmd);
1470 |           break;
1471 |         case TXN_ID_DEALLOCATE:
1472 |           if (!g_capabilities[CAP_DEALLOC].enable)
1473 |             goto retry;
1474 |           fuzz_deallocate(&g_hmgr, &g_buffer, &g_cmd);
1475 |           break;
1476 |         case TXN_ID_VULN:
1477 |           fuzz_vuln(&g_hmgr, &g_buffer, &g_cmd);
1478 |           break;
1479 |         default:
1480 |           assert(false);
1481 |       }
1482 |     }
1483 |     else {
1484 |       switch (op % 2) {
1485 |         case 0:
1486 |           if (!g_capabilities[CAP_HEAP_WRITE].enable)
1487 |             goto retry;
1488 |           fuzz_fill_heap(&g_hmgr, &g_buffer, &g_cmd);
1489 |           break;
1490 |         case 1:
1491 |           if (!g_capabilities[CAP_BUFFER_WRITE].enable)
1492 |             goto retry;
1493 |           fuzz_fill_buffer(&g_hmgr, &g_buffer, &g_cmd);
1494 |           break;
1495 |         default:
1496 |           assert(false);
1497 |       }
1498 |     }
1499 |   }
1500 | }
1501 | 


--------------------------------------------------------------------------------
/driver/minimize.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | import argparse
  3 | import copy
  4 | import logging
  5 | import os
  6 | import re
  7 | import subprocess
  8 | import shutil
  9 | import time
 10 | import tempfile
 11 | import signal
 12 | 
 13 | BUF_MAX = 4096
 14 | 
 15 | l = logging.getLogger('heap_exp.minimize')
 16 | 
 17 | def get_driver_exe():
 18 |     return os.path.abspath(os.path.join(os.path.dirname(__file__), "driver"))
 19 | 
 20 | def parse_args():
 21 |     p = argparse.ArgumentParser()
 22 |     p.add_argument("-abort", action='store_true')
 23 |     p.add_argument("-html", default=None)
 24 |     p.add_argument("action_map_file")
 25 |     p.add_argument("cmd", nargs="+")
 26 |     return p.parse_args()
 27 | 
 28 | class Minimizer(object):
 29 |     def __init__(self, cmd, abort=False):
 30 |         self.cmd = cmd[:-1]
 31 |         assert(cmd[-1] == "@@")
 32 |         self.abort = abort
 33 | 
 34 |     @property
 35 |     def crash_signals(self):
 36 |         sig = signal.SIGABRT if self.abort else signal.SIGUSR2
 37 |         return [-sig, 128 + sig]
 38 | 
 39 |     def run_driver(self, input_file, action_map_file=None):
 40 |         env = copy.copy(os.environ)
 41 |         env["LIBC_FATAL_STDERR_"] = "1"
 42 |         if "AFL_PRELOAD" in env:
 43 |             env["LD_PRELOAD"] = env["AFL_PRELOAD"]
 44 | 
 45 |         stdout = open(os.devnull, "wb")
 46 |         stderr = subprocess.PIPE
 47 | 
 48 |         cmd = ["timeout", "-k", "1", "5"] + self.cmd + [input_file]
 49 |         if action_map_file:
 50 |             cmd += [action_map_file]
 51 | 
 52 |         p = subprocess.Popen(
 53 |                 cmd,
 54 |                 env=env,
 55 |                 stdout=stdout, stderr=stderr)
 56 |         _, stderr = p.communicate()
 57 |         return stderr.decode('utf-8'), p.wait()
 58 | 
 59 |     def check_crash(self, input_file):
 60 |         _, retcode = self.run_driver(input_file)
 61 |         return retcode in self.crash_signals
 62 | 
 63 |     def get_event(self, input_file, action_map_file=None):
 64 |         stderr, _ = self.run_driver(input_file, action_map_file)
 65 |         events = re.findall(r"(EVENT_.*) is detected", stderr)
 66 |         if not events:
 67 |             return None
 68 |         assert(len(events) == 1)
 69 |         return events[0]
 70 | 
 71 |     def get_num_actions(self, input_file, action_map_file=None):
 72 |         stderr, _ = self.run_driver(input_file, action_map_file)
 73 |         nactions = re.findall(r"The number of actions: (\d+)", stderr)
 74 |         assert(len(nactions) == 1)
 75 |         return int(nactions[0])
 76 | 
 77 |     def get_vuln(self, input_file, action_map_file=None):
 78 |         stderr, _ = self.run_driver(input_file, action_map_file)
 79 |         vuln = re.findall(r"\[VULN\] (.*)", stderr)
 80 |         if not vuln:
 81 |             return "NO_VULN"
 82 | 
 83 |         return vuln[0]
 84 | 
 85 |     def minimize(self, crash_file, action_map_file, out_html=None, log_file=None,
 86 |             timeout=5 * 60):
 87 |         # Check if it is really crash file
 88 |         if not self.check_crash(crash_file):
 89 |             l.info("No crash file: %s" % crash_file)
 90 |             return None, None, None
 91 | 
 92 |         l.info("Start to minimize: %s" % crash_file)
 93 | 
 94 |         event = self.get_event(crash_file)
 95 |         nactions = self.get_num_actions(crash_file)
 96 | 
 97 |         if not nactions:
 98 |             l.info("No crash file: %s" % crash_file)
 99 |             return None, None, None
100 | 
101 |         action_map = bytearray(b"\x00" * nactions)
102 | 
103 |         start_time = time.time()
104 |         for i in range(len(action_map)):
105 |             action_map[i] = 0xff # Disable it
106 |             with open(action_map_file, "wb") as f:
107 |                 f.write(action_map)
108 |             new_event = self.get_event(crash_file, action_map_file)
109 |             if event != new_event:
110 |                 action_map[i] = 0x00
111 |                 l.info("Need %dth action" % i)
112 |             if time.time() - start_time > timeout:
113 |                 break
114 | 
115 |         with open(action_map_file, "wb") as f:
116 |             f.write(action_map)
117 | 
118 |         villoc = os.path.join(os.path.dirname(__file__), "../tool/villoc/villoc.py")
119 | 
120 |         # Generate out.html
121 |         cmd = self.cmd + [crash_file, action_map_file]
122 |         if out_html:
123 |             os.system('/bin/bash -c "ltrace %s |& %s - %s 2>/dev/null"'
124 |                     % (' '.join(cmd), villoc, out_html))
125 | 
126 |         if log_file:
127 |             p = subprocess.Popen(cmd,
128 |                     stdout=open(os.devnull, "wb"),
129 |                     stderr=open(log_file, "wb"))
130 |             p.wait()
131 | 
132 |         nactions = self.get_num_actions(crash_file, action_map_file)
133 |         event = self.get_event(crash_file, action_map_file)
134 |         vuln = self.get_vuln(crash_file, action_map_file)
135 | 
136 |         if any([not bool(b) for b in [nactions, event, vuln]]):
137 |             return None, None, None
138 | 
139 |         return nactions, event, vuln
140 | 
141 | def write_to_tmp(data, tmp):
142 |     with open(tmp, "wb") as f:
143 |         f.write(data)
144 | 
145 | def shrink(data, tmp, abort):
146 |     stdout, stderr, _ = run_driver(data, tmp)
147 | 
148 |     pat = re.compile(r".*\[CMD\] beg=(\d+), end=(\d+)")
149 | 
150 |     for l in reversed(stderr.splitlines()):
151 |         m = pat.match(l)
152 |         if m:
153 |             beg, end = map(int, m.groups())
154 |             new_data = data[:beg] + data[end:]
155 |             if check(new_data, tmp, abort):
156 |                 return new_data, beg, end
157 |     return [None, None, None]
158 | 
159 | 
160 | if __name__ == "__main__":
161 |     logging.basicConfig(level=logging.DEBUG)
162 |     args = parse_args()
163 | 
164 |     cmd = copy.copy(args.cmd)
165 |     crash_file = cmd[-1]
166 |     cmd[-1] = "@@"
167 |     minimizer = Minimizer(cmd, args.abort)
168 |     minimizer.minimize(crash_file, args.action_map_file, args.html)
169 | 
170 |     # Run to show the minimized one
171 |     import sys
172 |     sys.stderr.write("\n")
173 |     os.system(" ".join(args.cmd[:-1] + [crash_file, args.action_map_file]))
174 | 


--------------------------------------------------------------------------------
/driver/minimize_all.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | 
 3 | import argparse
 4 | import logging
 5 | import os
 6 | import re
 7 | import subprocess
 8 | import signal
 9 | import shutil
10 | import tempfile
11 | 
12 | import minimize
13 | 
14 | RUN_SH ="""#!/bin/bash
15 | if [ $# -eq 0 ]
16 |     then
17 |         echo "No arguments supplied"
18 |         exit
19 | fi
20 | {0} $1 $1.min
21 | """
22 | 
23 | def parse_args():
24 |     p = argparse.ArgumentParser()
25 |     p.add_argument("-abort", action='store_true')
26 |     p.add_argument('afl_dir')
27 |     p.add_argument('output_dir')
28 |     return p.parse_args()
29 | 
30 | if __name__ == "__main__":
31 |     args = parse_args()
32 | 
33 |     logging.basicConfig(level=logging.DEBUG)
34 | 
35 |     if not os.path.exists(args.output_dir):
36 |         os.mkdir(args.output_dir)
37 | 
38 |     # Read fuzzer_stats to find cmd
39 |     fuzzer_stats = open(os.path.join(args.afl_dir, "fuzzer_stats")).read()
40 |     command_line = fuzzer_stats.split("\n")[-2].replace("driver-fuzz", "driver")
41 |     cmd = re.findall(r"[^\s]*driver.*", command_line)[0].split(" ")
42 |     cmd[0] = os.path.abspath(cmd[0])
43 | 
44 |     run_script = os.path.join(args.output_dir, "run.sh")
45 |     with open(run_script, "w") as f:
46 |         f.write(RUN_SH.format(' '.join(cmd[:-1])))
47 |     os.chmod(run_script, 0775)
48 | 
49 |     minimals = {}
50 |     crash_dir = os.path.join(args.afl_dir, "crashes")
51 |     minimizer = minimize.Minimizer(cmd, args.abort)
52 |     for name in sorted(os.listdir(crash_dir)):
53 |         if name in ["README.txt"]:
54 |             continue
55 |         path = os.path.join(crash_dir, name)
56 |         action_map_file = os.path.join(args.output_dir, name + ".min")
57 |         out_html = os.path.join(args.output_dir, name + ".html")
58 |         log_file = os.path.join(args.output_dir, name + ".log")
59 |         try:
60 |             nactions, event, vuln = minimizer.minimize(path, action_map_file, out_html, log_file)
61 |         except AssertionError:
62 |             continue
63 |         except UnicodeDecodeError:
64 |             continue
65 |         except OSError:
66 |             # sometimes OOM happens..
67 |             continue
68 | 
69 |         if nactions is None:
70 |             continue
71 |         key = event.decode("utf-8") + ":" + vuln.decode("utf-8")
72 | 
73 |         if not key in minimals:
74 |             minimals[key] = (2**32, "initial_file")
75 |         min_nactions, _ = minimals[key]
76 |         if min_nactions > nactions:
77 |             minimals[key] = (nactions, name)
78 | 
79 |         shutil.copy(path, os.path.join(args.output_dir, name))
80 | 
81 |         # Save raw log file
82 |         raw_log_file = os.path.join(args.output_dir, name + ".rawlog")
83 |         stderr, _ = minimizer.run_driver(path)
84 |         with open(raw_log_file, "wb") as f:
85 |             f.write(stderr)
86 | 
87 |     with open(os.path.join(args.output_dir, "minimal.info"), "w") as f:
88 |         for k, v in minimals.items():
89 |             f.write("%s: %s (%d)\n" % (k, v[1], v[0]))
90 | 


--------------------------------------------------------------------------------
/install_dependencies.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -x
4 | 
5 | sudo apt update
6 | sudo apt install -y build-essential git wget python3 ltrace
7 | 


--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | sudo bash -c "echo core >/proc/sys/kernel/core_pattern"
3 | sudo bash -c "cd /sys/devices/system/cpu && echo performance | tee cpu*/cpufreq/scaling_governor"
4 | 
5 | 


--------------------------------------------------------------------------------
/techniques/Makefile:
--------------------------------------------------------------------------------
 1 | PTMALLOC := $(addprefix ptmalloc2-glibc2.23/, house-of-unsorted-einherjar unaligned-double-free fast-bin-to-other-bin overlapping-chunks-smallbin)
 2 | DLMALLOC := dlmalloc-2.8.6/house-of-lily
 3 | TARGET := $(PTMALLOC) $(DLMALLOC)
 4 | 
 5 | CFLAGS := -I.
 6 | 
 7 | all: $(TARGET)
 8 | 
 9 | clean:
10 | 	rm -rf $(TARGET)
11 | 
12 | .PHONY: all clean
13 | 


--------------------------------------------------------------------------------
/techniques/dlmalloc-2.8.6/.gitignore:
--------------------------------------------------------------------------------
1 | /house-of-lily
2 | 


--------------------------------------------------------------------------------
/techniques/dlmalloc-2.8.6/house-of-lily.c:
--------------------------------------------------------------------------------
 1 | // Thanks to @jinmo123 for analysis
 2 | #include <assert.h>
 3 | #include <stdlib.h>
 4 | #include <stdint.h>
 5 | 
 6 | #include "malloc-lib.h"
 7 | 
 8 | intptr_t target;
 9 | 
10 | int main() {
11 |   size_t sz = 256;
12 |   size_t xlsz = 0x10000000000;
13 |   size_t lsz = 0x1000;
14 |   size_t fsz = 16;
15 |   void* dst = &target;
16 | 
17 |   // [PRE-CONDITION]
18 |   //   fsz: fast bin size
19 |   //   sz: non-fast-bin size
20 |   //   lsz: size larger than page (>= 4096)
21 |   //   xlsz: very large size that cannot be allocated
22 |   // [BUG] buffer overflow
23 |   // [POST-CONDITION]
24 |   //    malloc(sz) == dst
25 | 
26 |   // Make top chunk available
27 |   void* p0 = malloc(sz);
28 | 
29 |   // Set mr.mflags |= USE_NONCONTIGUOUS_BIT
30 |   void* p1 = malloc(xlsz);
31 | 
32 |   // Current top size < lsz (4096) and no available bins, so dlmalloc calls sys_alloc
33 |   // Instead of using sbrk(), it inserts current top chunk into treebins
34 |   // and set mmapped area as a new top chunk because of the non-continous bit
35 |   void* p2 = malloc(lsz);
36 | 
37 |   void* p3 = malloc(sz);
38 |   // [BUG] overflowing p3 to overwrite treebins
39 |   struct malloc_chunk *tc = raw_to_chunk(p3 + chunk_size(sz));
40 |   tc->size = 0;
41 | 
42 |   // dlmalloc believes that treebins (i.e., top chunk) has enough size
43 |   // However, underflow happens because its size is actually zero
44 |   void* p4 = malloc(fsz);
45 | 
46 |   // Similar to house-of-force, we can allocate an arbitrary chunk
47 |   void* p5 = malloc(dst - p4 - chunk_size(fsz) \
48 |                   - offsetof(struct malloc_chunk, fd));
49 |   assert(dst == malloc(sz));
50 | }
51 | 


--------------------------------------------------------------------------------
/techniques/malloc-lib.h:
--------------------------------------------------------------------------------
 1 | #include <stddef.h>
 2 | #include <stdio.h>
 3 | 
 4 | #define MAX(x, y) (((x) > (y)) ? (x) : (y))
 5 | 
 6 | typedef size_t INTERNAL_SIZE_T;
 7 | 
 8 | struct malloc_chunk {
 9 |     INTERNAL_SIZE_T      prev_size;  /* Size of previous chunk (if free).  */
10 |     INTERNAL_SIZE_T      size;       /* Size in bytes, including overhead. */
11 | 
12 |     struct malloc_chunk* fd;         /* double links -- used only if free. */
13 |     struct malloc_chunk* bk;
14 | 
15 |     /* Only used for large blocks: pointer to next larger size.  */
16 |     struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
17 |     struct malloc_chunk* bk_nextsize;
18 | };
19 | 
20 | struct malloc_chunk* raw_to_chunk(void* p) {
21 |   return p - offsetof(struct malloc_chunk, fd);
22 | }
23 | 
24 | int round_up(int num, int multiple) {
25 |     assert(multiple);
26 |     return ((num + multiple - 1) / multiple) * multiple;
27 | }
28 | 
29 | int chunk_size(int sz) {
30 |   return MAX(
31 |       round_up(sz + sizeof(INTERNAL_SIZE_T), sizeof(INTERNAL_SIZE_T) * 2),
32 |       offsetof(struct malloc_chunk, fd_nextsize));
33 | }
34 | 


--------------------------------------------------------------------------------
/techniques/ptmalloc2-glibc2.23/.gitignore:
--------------------------------------------------------------------------------
1 | /fast-bin-to-other-bin
2 | /overlapping-chunks-smallbin
3 | /unaligned-double-free
4 | /house-of-unsorted-einherjar
5 | 


--------------------------------------------------------------------------------
/techniques/ptmalloc2-glibc2.23/fast-bin-to-other-bin.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdint.h>
 3 | #include <unistd.h>
 4 | #include <assert.h>
 5 | #include <stdio.h>
 6 | 
 7 | #include "malloc-lib.h"
 8 | 
 9 | intptr_t target;
10 | 
11 | int main() {
12 |   int fsz = 8;
13 |   int sz = 0x100;
14 |   int lsz = 0x1000;
15 |   void* dst = &target;
16 | 
17 |   // [PRE-CONDITION]
18 |   //    fsz: any fastbin size
19 |   //    sz: any non-fastbin size
20 |   //    lsz: any largebin size
21 |   // [BUG] write free memory p1
22 |   // [POST-CONDITION]
23 |   //    malloc(sz) = fake - offsetof(struct malloc_chunk, fd)
24 |   void* p1 = malloc(fsz);
25 |   void* p2 = malloc(fsz);
26 |   void* p3 = malloc(fsz);
27 | 
28 |   free(p1);
29 |   free(p2);
30 | 
31 |   // [BUG] double free p1
32 |   free(p1);
33 | 
34 |   // p4 is same with p1, but p1 is still in a fast bin freelist
35 |   void* p4 = malloc(fsz);
36 |   void* p5 = malloc(fsz);
37 | 
38 |   // create a fake chunk
39 |   struct malloc_chunk *fake = dst;
40 |   // set P=1 to avoid a security check
41 |   fake->size = chunk_size(sz) | 1;
42 |   fake->fd = NULL;
43 | 
44 |   // create 'fake2': a next chunk of 'fake'
45 |   struct malloc_chunk *fake2 = dst + chunk_size(sz);
46 |   // set P=1 to avoid a security check
47 |   fake2->size = 1;
48 | 
49 |   struct malloc_chunk *c4 = raw_to_chunk(p4);
50 |   // set a forward pointer of fast bin into fake
51 |   // this can be done by a normal heap write since p4 is allocated
52 |   c4->fd = fake;
53 | 
54 |   // now a fast bin list: c1 -> fake
55 |   // call malloc_consolidate to move
56 |   // 'fake' to the unsorted bin
57 |   malloc(lsz);
58 | 
59 |   assert(raw_to_chunk(malloc(sz)) == fake);
60 | }
61 | 


--------------------------------------------------------------------------------
/techniques/ptmalloc2-glibc2.23/house-of-unsorted-einherjar.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdint.h>
 3 | #include <unistd.h>
 4 | #include <assert.h>
 5 | 
 6 | #include "malloc-lib.h"
 7 | 
 8 | uintptr_t buf[4];
 9 | 
10 | int main() {
11 |   int sz = 0x100 - 8;
12 | 
13 |   // [PRE-CONDITION]
14 |   //    sz: small bin size
15 |   //    assert(chunk_size(sz) & 0xff == 0);
16 |   // [BUG] off-by-one NULL
17 |   // [POST-CONDITION]
18 |   //    assert(raw_to_chunk(malloc(sz)) == fake);
19 | 
20 |   // the lowest byte of chunk_size(sz) needs to be zero
21 |   // to avoid chaning its size when triggering a bug
22 |   // assert(chunk_size(sz) & 0xff == 0);
23 |   char *p1 = malloc(sz);
24 |   char *p2 = malloc(sz);
25 |   char *p3 = malloc(sz);
26 |   char *p4 = malloc(sz);
27 | 
28 |   // move p1 to unsorted bin
29 |   free(p1);
30 | 
31 |   struct malloc_chunk* c3 = raw_to_chunk(p3);
32 |   // make prev_size into double to cover a large chunk
33 |   // this is valid by writing p2's last data
34 |   c3->prev_size = chunk_size(sz) * 2;
35 |   // [BUG] use off-by-one NULL to make P=0 in c3
36 |   assert((c3->size & 0xff) == 0x01);
37 |   c3->size &= ~1;
38 | 
39 |   // this will merge p1 & p3
40 |   free(p3);
41 | 
42 |   // if we allocate p5, p2 is now points to a free chunk in the unsorted bin
43 |   char *p5 = malloc(sz);
44 | 
45 |   // it's unsorted bin into stack
46 |   struct malloc_chunk* fake = (void*)buf;
47 |   // set fake->size to chunk_size(sz) for later allocation
48 |   fake->size = chunk_size(sz);
49 |   // set fake->bk to any writable address to avoid crash
50 |   fake->bk = (void*)buf;
51 | 
52 |   struct malloc_chunk* c2 = raw_to_chunk(p2);
53 |   c2->bk = fake;
54 | 
55 |   assert(raw_to_chunk(malloc(sz)) == fake);
56 | }
57 | 


--------------------------------------------------------------------------------
/techniques/ptmalloc2-glibc2.23/overlapping-chunks-smallbin.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdint.h>
 3 | #include <unistd.h>
 4 | #include <assert.h>
 5 | #include <stdio.h>
 6 | 
 7 | #include "malloc-lib.h"
 8 | 
 9 | int main() {
10 |   int sz = 0x100;
11 |   int sz2 = 0x200;
12 | 
13 |   // [PRE-CONDITION]
14 |   //    sz : any small bin size
15 |   //    sz2 : any small bin size
16 |   //    assert(sz2 > sz)
17 |   // [BUG]
18 |   // [POST-CONDITION]
19 |   //    two chunks overlap
20 | 
21 |   void* p1 = malloc(sz);
22 |   void* p2 = malloc(sz);
23 |   void* p3 = malloc(sz);
24 | 
25 |   // move p2 to the unsorted bin
26 |   free(p2);
27 | 
28 |   // move p2 to the small bin
29 |   void* p4 = malloc(sz2);
30 | 
31 |   // [BUG] overflowing p1
32 |   struct malloc_chunk *c2 = raw_to_chunk(p2);
33 |   // growing size into double
34 |   c2->size = 2 * chunk_size(sz) | 1;
35 | 
36 |   // p5's chunk size = chunk_size(sz) * 2
37 |   void *p5 = malloc(sz);
38 |   // move p5 to the unsorted bin
39 |   free(p5);
40 | 
41 |   // splitting p5 into half and returning p6
42 |   void* p6 = malloc(sz);
43 |   // returning the remainder
44 |   void* p7 = malloc(sz);
45 | 
46 |   // p3 and p7 overlap
47 |   assert(p3 == p7);
48 | }
49 | 


--------------------------------------------------------------------------------
/techniques/ptmalloc2-glibc2.23/unaligned-double-free.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdint.h>
 3 | #include <unistd.h>
 4 | #include <assert.h>
 5 | #include <stdio.h>
 6 | 
 7 | #include "malloc-lib.h"
 8 | 
 9 | int main() {
10 |   const int a = 3;
11 |   const int b = 4;
12 | 
13 |   int sz1 = 0x400 - 8;
14 |   int sz2 = 0x300 - 8;
15 | 
16 |   void *p1[a], *p2[b];
17 | 
18 |   // [PRE-CONDITION]
19 |   //    sz1: non-fast-bin size
20 |   //    sz2: non-fast-bin size
21 |   //    sz1 and sz2 have the following relationship;
22 |   //    assert(chunk_size(sz1) * a == chunk_size(sz2) * b);
23 |   // [BUG] double free
24 |   // [POST-CONDITION]
25 |   //    two chunks overlap
26 | 
27 |   for (int i = 0; i < a; i++)
28 |     p1[i] = malloc(sz1);
29 | 
30 |   // allocate a chunk to prevent merging with the top chunk
31 |   void* p = malloc(0);
32 | 
33 |   // free from backward not to modify size of p1[a - 1]
34 |   for (int i = a - 1; i >= 0; i--)
35 |     free(p1[i]);
36 | 
37 |   // allocate chunks to fill empty space
38 |   for (int i = 0; i < b; i++)
39 |     p2[i] = malloc(sz2);
40 | 
41 |   // now a next free chunk of p1[a-1] is p whose P=1,
42 |   // and p1[a-1] contains valid metadata
43 |   // since malloc does not clean up the memory
44 | 
45 |   // [BUG] double free
46 |   free(p1[a-1]);
47 | 
48 |   // now new allocation returns p1[a-1]
49 |   // that overlaps with p2[b-1]
50 |   assert(malloc(sz1) == p1[a-1]);
51 | }
52 | 


--------------------------------------------------------------------------------
/tool/.gitignore:
--------------------------------------------------------------------------------
1 | /afl-2.52b
2 | 


--------------------------------------------------------------------------------
/tool/afl.patch:
--------------------------------------------------------------------------------
  1 | diff --git afl-fuzz.c afl-fuzz.c
  2 | index 01b4afe..6d9b50b 100644
  3 | --- afl-fuzz.c
  4 | +++ afl-fuzz.c
  5 | @@ -45,6 +45,7 @@
  6 |  #include <termios.h>
  7 |  #include <dlfcn.h>
  8 |  #include <sched.h>
  9 | +#include <assert.h>
 10 |  
 11 |  #include <sys/wait.h>
 12 |  #include <sys/time.h>
 13 | @@ -79,6 +80,8 @@
 14 |  /* Lots of globals, but mostly for the status UI and other things where it
 15 |     really makes no sense to haul them around as function parameters. */
 16 |  
 17 | +#define CONFIRM_NUM 16
 18 | +
 19 |  
 20 |  EXP_ST u8 *in_dir,                    /* Input directory with test cases  */
 21 |            *out_file,                  /* File to fuzz, if any             */
 22 | @@ -98,12 +101,17 @@ EXP_ST u64 mem_limit  = MEM_LIMIT;    /* Memory cap for child (MB)        */
 23 |  
 24 |  static u32 stats_update_freq = 1;     /* Stats update frequency (execs)   */
 25 |  
 26 | -EXP_ST u8  skip_deterministic,        /* Skip deterministic stages?       */
 27 | +// HEAP
 28 | +u8         confirm_mode;
 29 | +
 30 | +// HEAP: No deterministic step..
 31 | +EXP_ST u8  skip_deterministic = 1,        /* Skip deterministic stages?       */
 32 |             force_deterministic,       /* Force deterministic stages?      */
 33 |             use_splicing,              /* Recombine input files?           */
 34 |             dumb_mode,                 /* Run in non-instrumented mode?    */
 35 |             score_changed,             /* Scoring for favorites changed?   */
 36 |             kill_signal,               /* Signal that killed the child     */
 37 | +           abort_mode,                /* HEAP: Abort mode */
 38 |             resuming_fuzz,             /* Resuming an older fuzzing job?   */
 39 |             timeout_given,             /* Specific timeout given?          */
 40 |             not_on_tty,                /* stdout is not a tty              */
 41 | @@ -402,6 +410,7 @@ static void bind_to_free_cpu(void) {
 42 |  
 43 |    u8 cpu_used[4096] = { 0 };
 44 |    u32 i;
 45 | +  char* proc_dir;
 46 |  
 47 |    if (cpu_core_count < 2) return;
 48 |  
 49 | @@ -412,7 +421,13 @@ static void bind_to_free_cpu(void) {
 50 |  
 51 |    }
 52 |  
 53 | -  d = opendir("/proc");
 54 | +  proc_dir = "/host/proc";
 55 | +  d = opendir(proc_dir);
 56 | +  if (!d) {
 57 | +    WARNF("Unable to access /host/proc - not running in the docker");
 58 | +    proc_dir = "/proc";
 59 | +    d = opendir(proc_dir);
 60 | +  }
 61 |  
 62 |    if (!d) {
 63 |  
 64 | @@ -442,7 +457,7 @@ static void bind_to_free_cpu(void) {
 65 |  
 66 |      if (!isdigit(de->d_name[0])) continue;
 67 |  
 68 | -    fn = alloc_printf("/proc/%s/status", de->d_name);
 69 | +    fn = alloc_printf("%s/%s/status", proc_dir, de->d_name);
 70 |  
 71 |      if (!(f = fopen(fn, "r"))) {
 72 |        ck_free(fn);
 73 | @@ -2272,7 +2287,8 @@ static u8 run_target(char** argv, u32 timeout) {
 74 |       must prevent any earlier operations from venturing into that
 75 |       territory. */
 76 |  
 77 | -  memset(trace_bits, 0, MAP_SIZE);
 78 | +  if (confirm_mode == 0)
 79 | +    memset(trace_bits, 0, MAP_SIZE);
 80 |    MEM_BARRIER();
 81 |  
 82 |    /* If we're running in "dumb" mode, we can't rely on the fork server
 83 | @@ -2287,10 +2303,9 @@ static u8 run_target(char** argv, u32 timeout) {
 84 |      if (child_pid < 0) PFATAL("fork() failed");
 85 |  
 86 |      if (!child_pid) {
 87 | -
 88 |        struct rlimit r;
 89 |  
 90 | -      if (mem_limit) {
 91 | +      if (confirm_mode == 0 && mem_limit) {
 92 |  
 93 |          r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20;
 94 |  
 95 | @@ -2312,9 +2327,12 @@ static u8 run_target(char** argv, u32 timeout) {
 96 |  
 97 |        /* Isolate the process and configure standard descriptors. If out_file is
 98 |           specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */
 99 | -
100 |        setsid();
101 |  
102 | +      if (confirm_mode == 1) {
103 | +        unsetenv(SHM_ENV_VAR);
104 | +      }
105 | +
106 |        dup2(dev_null_fd, 1);
107 |        dup2(dev_null_fd, 2);
108 |  
109 | @@ -2441,8 +2459,10 @@ static u8 run_target(char** argv, u32 timeout) {
110 |  
111 |      if (child_timed_out && kill_signal == SIGKILL) return FAULT_TMOUT;
112 |  
113 | +    // HEAP: CRASH ONLY WHEN EXPLOIT IS DETECTED
114 | +    if (kill_signal != (abort_mode ? SIGABRT : SIGUSR2))
115 | +      return FAULT_NONE;
116 |      return FAULT_CRASH;
117 | -
118 |    }
119 |  
120 |    /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and
121 | @@ -3241,10 +3261,25 @@ keep_as_crash:
122 |           except for slightly different limits and no need to re-run test
123 |           cases. */
124 |  
125 | -      total_crashes++;
126 | -
127 |        if (unique_crashes >= KEEP_UNIQUE_CRASH) return keeping;
128 |  
129 | +      u8 new_fault = FAULT_NONE;
130 | +
131 | +      for (int i = 0; i < CONFIRM_NUM; i++) {
132 | +        dumb_mode = 1;
133 | +        confirm_mode = 1;
134 | +
135 | +        new_fault = run_target(argv, exec_tmout);
136 | +
137 | +        dumb_mode = 0;
138 | +        confirm_mode = 0;
139 | +
140 | +        if (new_fault != FAULT_CRASH)
141 | +          return keeping;
142 | +      }
143 | +
144 | +      total_crashes++;
145 | +
146 |        if (!dumb_mode) {
147 |  
148 |  #ifdef __x86_64__
149 | @@ -3253,8 +3288,8 @@ keep_as_crash:
150 |          simplify_trace((u32*)trace_bits);
151 |  #endif /* ^__x86_64__ */
152 |  
153 | -        if (!has_new_bits(virgin_crash)) return keeping;
154 |  
155 | +        if (!has_new_bits(virgin_crash)) return keeping;
156 |        }
157 |  
158 |        if (!unique_crashes) write_crash_readme();
159 | @@ -6093,174 +6128,10 @@ havoc_stage:
160 |   
161 |      for (i = 0; i < use_stacking; i++) {
162 |  
163 | -      switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
164 | +      switch (UR(5)) {
165 |  
166 |          case 0:
167 |  
168 | -          /* Flip a single bit somewhere. Spooky! */
169 | -
170 | -          FLIP_BIT(out_buf, UR(temp_len << 3));
171 | -          break;
172 | -
173 | -        case 1: 
174 | -
175 | -          /* Set byte to interesting value. */
176 | -
177 | -          out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))];
178 | -          break;
179 | -
180 | -        case 2:
181 | -
182 | -          /* Set word to interesting value, randomly choosing endian. */
183 | -
184 | -          if (temp_len < 2) break;
185 | -
186 | -          if (UR(2)) {
187 | -
188 | -            *(u16*)(out_buf + UR(temp_len - 1)) =
189 | -              interesting_16[UR(sizeof(interesting_16) >> 1)];
190 | -
191 | -          } else {
192 | -
193 | -            *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16(
194 | -              interesting_16[UR(sizeof(interesting_16) >> 1)]);
195 | -
196 | -          }
197 | -
198 | -          break;
199 | -
200 | -        case 3:
201 | -
202 | -          /* Set dword to interesting value, randomly choosing endian. */
203 | -
204 | -          if (temp_len < 4) break;
205 | -
206 | -          if (UR(2)) {
207 | -  
208 | -            *(u32*)(out_buf + UR(temp_len - 3)) =
209 | -              interesting_32[UR(sizeof(interesting_32) >> 2)];
210 | -
211 | -          } else {
212 | -
213 | -            *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32(
214 | -              interesting_32[UR(sizeof(interesting_32) >> 2)]);
215 | -
216 | -          }
217 | -
218 | -          break;
219 | -
220 | -        case 4:
221 | -
222 | -          /* Randomly subtract from byte. */
223 | -
224 | -          out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX);
225 | -          break;
226 | -
227 | -        case 5:
228 | -
229 | -          /* Randomly add to byte. */
230 | -
231 | -          out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX);
232 | -          break;
233 | -
234 | -        case 6:
235 | -
236 | -          /* Randomly subtract from word, random endian. */
237 | -
238 | -          if (temp_len < 2) break;
239 | -
240 | -          if (UR(2)) {
241 | -
242 | -            u32 pos = UR(temp_len - 1);
243 | -
244 | -            *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX);
245 | -
246 | -          } else {
247 | -
248 | -            u32 pos = UR(temp_len - 1);
249 | -            u16 num = 1 + UR(ARITH_MAX);
250 | -
251 | -            *(u16*)(out_buf + pos) =
252 | -              SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num);
253 | -
254 | -          }
255 | -
256 | -          break;
257 | -
258 | -        case 7:
259 | -
260 | -          /* Randomly add to word, random endian. */
261 | -
262 | -          if (temp_len < 2) break;
263 | -
264 | -          if (UR(2)) {
265 | -
266 | -            u32 pos = UR(temp_len - 1);
267 | -
268 | -            *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX);
269 | -
270 | -          } else {
271 | -
272 | -            u32 pos = UR(temp_len - 1);
273 | -            u16 num = 1 + UR(ARITH_MAX);
274 | -
275 | -            *(u16*)(out_buf + pos) =
276 | -              SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num);
277 | -
278 | -          }
279 | -
280 | -          break;
281 | -
282 | -        case 8:
283 | -
284 | -          /* Randomly subtract from dword, random endian. */
285 | -
286 | -          if (temp_len < 4) break;
287 | -
288 | -          if (UR(2)) {
289 | -
290 | -            u32 pos = UR(temp_len - 3);
291 | -
292 | -            *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX);
293 | -
294 | -          } else {
295 | -
296 | -            u32 pos = UR(temp_len - 3);
297 | -            u32 num = 1 + UR(ARITH_MAX);
298 | -
299 | -            *(u32*)(out_buf + pos) =
300 | -              SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num);
301 | -
302 | -          }
303 | -
304 | -          break;
305 | -
306 | -        case 9:
307 | -
308 | -          /* Randomly add to dword, random endian. */
309 | -
310 | -          if (temp_len < 4) break;
311 | -
312 | -          if (UR(2)) {
313 | -
314 | -            u32 pos = UR(temp_len - 3);
315 | -
316 | -            *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX);
317 | -
318 | -          } else {
319 | -
320 | -            u32 pos = UR(temp_len - 3);
321 | -            u32 num = 1 + UR(ARITH_MAX);
322 | -
323 | -            *(u32*)(out_buf + pos) =
324 | -              SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num);
325 | -
326 | -          }
327 | -
328 | -          break;
329 | -
330 | -        case 10:
331 | -
332 |            /* Just set a random byte to a random value. Because,
333 |               why not. We use XOR with 1-255 to eliminate the
334 |               possibility of a no-op. */
335 | @@ -6268,7 +6139,7 @@ havoc_stage:
336 |            out_buf[UR(temp_len)] ^= 1 + UR(255);
337 |            break;
338 |  
339 | -        case 11 ... 12: {
340 | +        case 1 ... 2: {
341 |  
342 |              /* Delete bytes. We're making this a bit more likely
343 |                 than insertion (the next option) in hopes of keeping
344 | @@ -6293,7 +6164,7 @@ havoc_stage:
345 |  
346 |            }
347 |  
348 | -        case 13:
349 | +        case 3:
350 |  
351 |            if (temp_len + HAVOC_BLK_XL < MAX_FILE) {
352 |  
353 | @@ -6327,9 +6198,11 @@ havoc_stage:
354 |  
355 |              if (actually_clone)
356 |                memcpy(new_buf + clone_to, out_buf + clone_from, clone_len);
357 | -            else
358 | -              memset(new_buf + clone_to,
359 | -                     UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len);
360 | +            else {
361 | +              u32 i;
362 | +              for (i = 0; i < clone_len; i++)
363 | +                *(new_buf + clone_to + i) = UR(256);
364 | +            }
365 |  
366 |              /* Tail */
367 |              memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
368 | @@ -6343,7 +6216,7 @@ havoc_stage:
369 |  
370 |            break;
371 |  
372 | -        case 14: {
373 | +        case 4: {
374 |  
375 |              /* Overwrite bytes with a randomly selected chunk (75%) or fixed
376 |                 bytes (25%). */
377 | @@ -6362,101 +6235,12 @@ havoc_stage:
378 |                if (copy_from != copy_to)
379 |                  memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
380 |  
381 | -            } else memset(out_buf + copy_to,
382 | -                          UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len);
383 | -
384 | -            break;
385 | -
386 | -          }
387 | -
388 | -        /* Values 15 and 16 can be selected only if there are any extras
389 | -           present in the dictionaries. */
390 | -
391 | -        case 15: {
392 | -
393 | -            /* Overwrite bytes with an extra. */
394 | -
395 | -            if (!extras_cnt || (a_extras_cnt && UR(2))) {
396 | -
397 | -              /* No user-specified extras or odds in our favor. Let's use an
398 | -                 auto-detected one. */
399 | -
400 | -              u32 use_extra = UR(a_extras_cnt);
401 | -              u32 extra_len = a_extras[use_extra].len;
402 | -              u32 insert_at;
403 | -
404 | -              if (extra_len > temp_len) break;
405 | -
406 | -              insert_at = UR(temp_len - extra_len + 1);
407 | -              memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len);
408 | -
409 | -            } else {
410 | -
411 | -              /* No auto extras or odds in our favor. Use the dictionary. */
412 | -
413 | -              u32 use_extra = UR(extras_cnt);
414 | -              u32 extra_len = extras[use_extra].len;
415 | -              u32 insert_at;
416 | -
417 | -              if (extra_len > temp_len) break;
418 | -
419 | -              insert_at = UR(temp_len - extra_len + 1);
420 | -              memcpy(out_buf + insert_at, extras[use_extra].data, extra_len);
421 | -
422 | -            }
423 | -
424 | -            break;
425 | -
426 | -          }
427 | -
428 | -        case 16: {
429 | -
430 | -            u32 use_extra, extra_len, insert_at = UR(temp_len + 1);
431 | -            u8* new_buf;
432 | -
433 | -            /* Insert an extra. Do the same dice-rolling stuff as for the
434 | -               previous case. */
435 | -
436 | -            if (!extras_cnt || (a_extras_cnt && UR(2))) {
437 | -
438 | -              use_extra = UR(a_extras_cnt);
439 | -              extra_len = a_extras[use_extra].len;
440 | -
441 | -              if (temp_len + extra_len >= MAX_FILE) break;
442 | -
443 | -              new_buf = ck_alloc_nozero(temp_len + extra_len);
444 | -
445 | -              /* Head */
446 | -              memcpy(new_buf, out_buf, insert_at);
447 | -
448 | -              /* Inserted part */
449 | -              memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len);
450 | -
451 | -            } else {
452 | -
453 | -              use_extra = UR(extras_cnt);
454 | -              extra_len = extras[use_extra].len;
455 | -
456 | -              if (temp_len + extra_len >= MAX_FILE) break;
457 | -
458 | -              new_buf = ck_alloc_nozero(temp_len + extra_len);
459 | -
460 | -              /* Head */
461 | -              memcpy(new_buf, out_buf, insert_at);
462 | -
463 | -              /* Inserted part */
464 | -              memcpy(new_buf + insert_at, extras[use_extra].data, extra_len);
465 | -
466 | +            } else  {
467 | +              u32 i;
468 | +              for (i = 0; i < copy_len; i++)
469 | +                *(out_buf + copy_to + i) = UR(256);
470 |              }
471 |  
472 | -            /* Tail */
473 | -            memcpy(new_buf + insert_at + extra_len, out_buf + insert_at,
474 | -                   temp_len - insert_at);
475 | -
476 | -            ck_free(out_buf);
477 | -            out_buf   = new_buf;
478 | -            temp_len += extra_len;
479 | -
480 |              break;
481 |  
482 |            }
483 | @@ -7066,6 +6850,7 @@ static void usage(u8* argv0) {
484 |  
485 |         "  -T text       - text banner to show on the screen\n"
486 |         "  -M / -S id    - distributed mode (see parallel_fuzzing.txt)\n"
487 | +       "  -a            - crash at abort\n"
488 |         "  -C            - crash exploration mode (the peruvian rabbit thing)\n\n"
489 |  
490 |         "For additional tips, please consult %s/README.\n\n",
491 | @@ -7723,7 +7508,7 @@ int main(int argc, char** argv) {
492 |    gettimeofday(&tv, &tz);
493 |    srandom(tv.tv_sec ^ tv.tv_usec ^ getpid());
494 |  
495 | -  while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:Q")) > 0)
496 | +  while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCaB:S:M:x:Q")) > 0)
497 |  
498 |      switch (opt) {
499 |  
500 | @@ -7765,6 +7550,13 @@ int main(int argc, char** argv) {
501 |  
502 |          break;
503 |  
504 | +      case 'a': {
505 | +        // HEAP: ABORT MODE
506 | +        if (abort_mode) FATAL("Multiple -a options not supported");
507 | +        abort_mode = 1;
508 | +        break;
509 | +      }
510 | +
511 |        case 'S': 
512 |  
513 |          if (sync_id) FATAL("Multiple -S or -M options not supported");
514 | 


--------------------------------------------------------------------------------