libinject/cmp/

wrappers.rs

//! **`dr_wrap` wrapper functions for external compare symbols:** (e.g. `memcmp`) found in the loaded module
//! space. These wrapper functions collect byte-by-byte coverage information on the comparisons.
//! The calls to the wrapped functions are **not** skipped, hence the application logic is
//! unaffected.

use crate::{
    cli, cmp,
    drcore::{self, log},
    drwrap, ffi,
};
use std::os::raw::c_void;

/// Helper function to be called within a dr_wrap wrapper function. Obtains and returns a pointer
/// to the AFL coverage bitmap and a suitable bitmap index corresponding to the wrapped function (the index is generated from the program
/// address of the wrapped function, via hashing and masking).
unsafe fn setup(wrapctx: *mut c_void) -> Option<(*mut u8, usize)> {
    unsafe {
        // Only instrument when the callsite is in the target module.
        let cli_args = cli::get_args().expect("args were parsed in libinject_init");
        let retaddr = ffi::drwrap_get_retaddr(wrapctx);
        if !drcore::app_pc_is_in_target_module(retaddr, cli_args) {
            return None;
        }

        let afl_cmp_area = match cmp::utils::get_afl_cmp_area() {
            Ok(cmp_area_ptr) => cmp_area_ptr,
            Err(reason) => {
                log(&reason);
                return None;
            }
        };

        // Use the memcmp callsite (in the target module) to generate the hashed and masked
        // base_idx used to index intot the afl bitmap.
        let base_idx = cmp::utils::base_idx_of_app_pc(retaddr);
        Some((afl_cmp_area, base_idx))
    }
}

#[unsafe(no_mangle)]
pub extern "C" fn pre_wmemcmp(wrapctx: *mut c_void, _user_data: *mut *mut c_void) {
    unsafe {
        let a = drwrap::get_arg(wrapctx, 0) as *const u8;
        let b = drwrap::get_arg(wrapctx, 1) as *const u8;
        // Multiple the number of wide characters by 2 to get number of bytes (on Windows wide
        // characters are UTF-16.
        let n = drwrap::get_arg(wrapctx, 2) as usize * 2;

        let (afl_cmp_area, base_idx) = match setup(wrapctx) {
            Some(x) => x,
            None => return,
        };

        match cmp::utils::compare_ptrs("wmemcmp", afl_cmp_area, base_idx, a, b, n) {
            Ok(()) => (),
            Err(reason) => log(&format!(
                "[wmemcmp] Failed to write cmp data to afl bitmap: {:?}",
                reason
            )),
        };
    }
}

#[unsafe(no_mangle)]
pub extern "C" fn pre_memcmp(wrapctx: *mut c_void, _user_data: *mut *mut c_void) {
    unsafe {
        let a = drwrap::get_arg(wrapctx, 0) as *const u8;
        let b = drwrap::get_arg(wrapctx, 1) as *const u8;
        let n = drwrap::get_arg(wrapctx, 2) as usize;

        let (afl_cmp_area, base_idx) = match setup(wrapctx) {
            Some(x) => x,
            None => return,
        };

        match cmp::utils::compare_ptrs("memcmp", afl_cmp_area, base_idx, a, b, n) {
            Ok(()) => (),
            Err(reason) => log(&format!(
                "[memcmp] Failed to write cmp data to afl bitmap: {:?}",
                reason
            )),
        };
    }
}

#[unsafe(no_mangle)]
pub extern "C" fn pre_strcmp(wrapctx: *mut c_void, _user_data: *mut *mut c_void) {
    unsafe {
        let a = drwrap::get_arg(wrapctx, 0) as *const u8;
        let b = drwrap::get_arg(wrapctx, 1) as *const u8;

        let (afl_cmp_area, base_idx) = match setup(wrapctx) {
            Some(x) => x,
            None => return,
        };

        // strcmp compares until '\0', so include the terminator
        let len_a = libc::strlen(a as *const libc::c_char);
        let len_b = libc::strlen(b as *const libc::c_char);
        let n = core::cmp::min(len_a, len_b) + 1;

        match cmp::utils::compare_ptrs("strcmp", afl_cmp_area, base_idx, a, b, n) {
            Ok(()) => (),
            Err(reason) => log(&format!(
                "[strcmp] Failed to write cmp data to afl bitmap: {:?}",
                reason
            )),
        };
    }
}