libinject/cmp/

cmp.rs

//! **Fine-grained coverage instrumentation for CMP and TEST instructions:** Instructions are instrumented _iff_ they are in the target module, which is passed via the CLI.
//!

use crate::drcore::{self, log};
use crate::utils::{self, Boolean};
use crate::{cli, cmp, ffi};
use std::os::raw::{c_uint, c_void};
use std::ptr;

/// **Instrumentation function called on each instruction in the basic block**, optionally transforming
/// the block, just before it is added to the code cache. `instrlist` is the list of instructions in
/// the basic block, and `instr` is the instruction focused on.
///
/// Only code blocks in the target module are instrumented.
#[unsafe(no_mangle)]
pub unsafe extern "C" fn cmp_coverage(
    drcontext: *mut c_void,
    tag: *mut c_void,
    instrlist: *mut ffi::instrlist_t,
    instr: *mut ffi::instr_t,
    _for_trace: ffi::bool_,
    _translating: ffi::bool_,
    _user_data: *mut c_void,
) -> ffi::dr_emit_flags_t {
    unsafe {
        let cli_args = cli::get_args().expect("args were parsed in libinject_init");

        let bb_start_addr = ffi::dr_fragment_app_pc(tag);

        // Only instrument CMP instructions that are in the target module.
        if !drcore::app_pc_is_in_target_module(bb_start_addr, cli_args) {
            return ffi::dr_emit_flags_t_DR_EMIT_DEFAULT;
        }

        match ffi::instr_get_opcode(instr) {
            ffi::OP_cmp | ffi::OP_test => instrument_cmp(drcontext, instrlist, instr),
            _ => ffi::dr_emit_flags_t_DR_EMIT_DEFAULT,
        }
    }
}

/// **The instrumentation applied to a CMP or TEST instruction:** The instruction operands may be
/// registers, immediates, or memory references (or any combination). The correct instrumentation
/// must be added (conditional on the operand types) to load the operand values into two scratch registers. These scratch registers are then passed as arguments to a clean call that does a byte-by-byte comparison and writes coverage information to the AFL bitmap.
#[unsafe(no_mangle)]
pub unsafe extern "C" fn instrument_cmp(
    drcontext: *mut c_void,
    instrlist: *mut ffi::instrlist_t,
    instr: *mut ffi::instr_t,
) -> ffi::dr_emit_flags_t {
    unsafe {
        if ffi::instr_num_srcs(instr) < 2 {
            return ffi::dr_emit_flags_t_DR_EMIT_DEFAULT;
        }

        // Reserve 2 scratch registers, one for each operand.
        let mut scratch_regs: [ffi::reg_id_t; 2] = [0; 2];
        let mut reserved = 0_usize;
        for reg in scratch_regs.iter_mut() {
            let status = ffi::drreg_reserve_register(
                drcontext,
                instrlist,
                instr,
                ptr::null_mut(),
                reg as *mut ffi::reg_id_t,
            );
            if status != ffi::drreg_status_t_DRREG_SUCCESS {
                for &r in &scratch_regs[..reserved] {
                    ffi::drreg_unreserve_register(drcontext, instrlist, instr, r);
                }
                log(&format!(
                    "[cmp] drreg_reserve_register failed with status {}",
                    status as i32
                ));
                return ffi::dr_emit_flags_t_DR_EMIT_DEFAULT;
            }
            reserved += 1;
        }

        // Insert instrumentation that parses the CMP operands (e.g. as register operands,
        // immediates, or memory references) and inserts instrumentation to load them into the two
        // scratch registers.
        let (left_operand, right_operand) = match scratch_regs
            .iter()
            .enumerate()
            .map(|(i, scratch_reg)| {
                parse_operand(
                    ffi::instr_get_src(instr, i as c_uint),
                    *scratch_reg,
                    drcontext,
                    instrlist,
                    instr,
                )
            })
            .collect::<Result<Vec<Operand>, _>>()
        {
            Ok(operands) => (operands[0], operands[1]),
            Err(reason) => {
                log(&format!("Failed parsing left operand of cmp: {reason}"));
                return ffi::dr_emit_flags_t_DR_EMIT_DEFAULT;
            }
        };

        // Insert a clean call to collect the coverage information. Pass the IDs of the two scratch
        // registers which will have the values of the two operands loaded into by the time the
        // clean call fires. The scratch registers are passed as register operand arguments to the
        // clean call.
        ffi::dr_insert_clean_call(
            drcontext,
            instrlist,
            instr,
            cmp_clean_call as *mut c_void,
            false as ffi::bool_,
            5,
            utils::opnd_create_uintptr(ffi::instr_get_app_pc(instr) as usize),
            ffi::opnd_create_reg(left_operand.reg_id),
            utils::opnd_create_uintptr(left_operand.size as usize),
            ffi::opnd_create_reg(right_operand.reg_id),
            utils::opnd_create_uintptr(right_operand.size as usize),
        );

        scratch_regs.iter().for_each(|reg_id| {
            ffi::drreg_unreserve_register(drcontext, instrlist, instr, *reg_id);
        });

        return ffi::dr_emit_flags_t_DR_EMIT_DEFAULT;
    }
}

/// A function inserted as instrumentation that takes two values (via registers) as arguments,
/// along with the size (in bytes) of those values, and the current application program counter.
///
/// The input values are compared byte-by-byte. For every byte that matches, a corresponding byte
/// on the CMP partition of the AFL bitmap is incremented (saturating at 8, rather than wrapping).
/// The routine exits as soon as the first non-matching bytes occur.
#[unsafe(no_mangle)]
unsafe extern "C" fn cmp_clean_call(
    app_pc: *const u8,
    left_reg: ffi::reg_t,
    left_size: usize,
    right_reg: ffi::reg_t,
    right_size: usize,
) {
    unsafe {
        let afl_cmp_area = match cmp::utils::get_afl_cmp_area() {
            Ok(cmp_area_ptr) => cmp_area_ptr,
            Err(reason) => {
                log(&reason);
                return;
            }
        };

        let base_idx = cmp::utils::base_idx_of_app_pc(app_pc);

        // CMP must compare operands of the same size, but it is possible that smaller operand is
        // compared by first promoting to the size of the other.
        let cmp_len = usize::max(left_size, right_size);

        // Operands will be <= full-register width (4 bytes on 32-bit, 8 bytes on 64-bit).
        const MAX_OPND_SIZE: usize = if cfg!(target_pointer_width = "32") {
            4
        } else {
            8
        };
        let buf_len = cmp_len.min(MAX_OPND_SIZE);

        let mut left_buf = [0u8; MAX_OPND_SIZE];
        let mut right_buf = [0u8; MAX_OPND_SIZE];
        Operand::read_into(left_reg, buf_len, &mut left_buf[..buf_len]);
        Operand::read_into(right_reg, buf_len, &mut right_buf[..buf_len]);

        cmp::utils::write_coverage(
            afl_cmp_area,
            base_idx,
            &left_buf[..buf_len],
            &right_buf[..buf_len],
            buf_len,
        )
    }
}

/// The id of a register holding the value, and the size of the operand value in bytes.
#[derive(Debug, Copy, Clone)]
pub struct Operand {
    pub reg_id: ffi::reg_id_t,
    pub size: u32,
}

impl Operand {
    /// Fill a buffer with the operand’s value at runtime
    fn read_into(reg_value: ffi::reg_t, buf_len: usize, buf: &mut [u8]) {
        let bytes = reg_value.to_le_bytes();
        buf[..buf_len].copy_from_slice(&bytes[..buf_len]);
    }
}

/// Parse the operand type and insert instrumentation to load the value into the provided
/// `dst_reg`.
///
/// The inserted instrumentation must be sensitive to size of the src operand, normalising it to
/// the full width scratch register passed in as `dst_reg`.
///
/// In all cases the ID of the full-width scratch register is returned - even if the inserted
/// instrumentation moves the value into the corresponding half-width sub-register. Returning with
/// the full-width register (that is e.g. passed as an arg to a clean call) completes the
/// normalisation, ensuring that downstream instrumentation can safely read the value as
/// a usize.
unsafe fn parse_operand(
    operand: ffi::opnd_t,
    dst_reg: ffi::reg_id_t,
    drcontext: *mut c_void,
    instrlist: *mut ffi::instrlist_t,
    instr: *mut ffi::instr_t,
) -> Result<Operand, String> {
    unsafe {
        let size: c_uint = ffi::opnd_size_in_bytes(ffi::opnd_get_size(operand));

        // Valid normalising move op code is dependent on the size of the src operand.
        let norm_move_op = match size {
            1 | 2 => ffi::OP_movzx,
            _ => ffi::OP_mov_ld,
        };

        if ffi::opnd_is_reg(operand).as_bool() {
            let resized_dst_reg = get_resized_reg(dst_reg, size);

            let move_ld = ffi::instr_create_1dst_1src(
                drcontext,
                norm_move_op,
                ffi::opnd_create_reg(resized_dst_reg),
                operand,
            );
            ffi::instr_set_meta(move_ld);
            ffi::instrlist_meta_preinsert(instrlist, instr, move_ld);
            Ok(Operand {
                reg_id: dst_reg,
                size,
            })
        } else if ffi::opnd_is_immed(operand).as_bool() {
            // Noramlise the immediate to a full-width immediate.
            const OPSZ_PTR: ffi::opnd_size_t = if cfg!(target_pointer_width = "64") {
                ffi::OPSZ_8 as u8
            } else {
                ffi::OPSZ_4 as u8
            };

            let norm_opnd = ffi::opnd_create_immed_int(
                ffi::opnd_get_immed_int(operand),
                OPSZ_PTR as ffi::opnd_size_t,
            );
            let move_imm = ffi::instr_create_1dst_1src(
                drcontext,
                ffi::OP_mov_imm,
                ffi::opnd_create_reg(dst_reg),
                norm_opnd,
            );
            ffi::instr_set_meta(move_imm);
            ffi::instrlist_meta_preinsert(instrlist, instr, move_imm);
            Ok(Operand {
                reg_id: dst_reg,
                size,
            })
        } else if ffi::opnd_is_memory_reference(operand).as_bool() {
            let resized_dst_reg = get_resized_reg(dst_reg, size);
            let mov_ld = ffi::instr_create_1dst_1src(
                drcontext,
                norm_move_op,
                ffi::opnd_create_reg(resized_dst_reg),
                operand,
            );
            ffi::instr_set_meta(mov_ld);
            ffi::instrlist_meta_preinsert(instrlist, instr, mov_ld);
            Ok(Operand {
                reg_id: dst_reg,
                size,
            })
        } else {
            Err("Unhandled cmp operand type".to_string())
        }
    }
}

unsafe fn get_resized_reg(reg: ffi::reg_id_t, size: u32) -> ffi::reg_id_t {
    unsafe {
        #[cfg(target_pointer_width = "64")]
        if size == 4 {
            ffi::reg_64_to_32(reg)
        } else {
            reg
        }

        #[cfg(target_pointer_width = "32")]
        reg
    }
}