AFL++'s cmplog passes can add integer comparisons with any byte size, not just power-of-2s.
When LibAFL encounters such a size, it panics (`crates/libafl_targets/src/cmps/mod.rs`, lines 610 to 634 at c59e61e):

```rust
match shape {
    0 => Some(CmpValues::U8((
        self.vals.operands[idx][execution].v0 as u8,
        self.vals.operands[idx][execution].v1 as u8,
        false,
    ))),
    1 => Some(CmpValues::U16((
        self.vals.operands[idx][execution].v0 as u16,
        self.vals.operands[idx][execution].v1 as u16,
        false,
    ))),
    3 => Some(CmpValues::U32((
        self.vals.operands[idx][execution].v0 as u32,
        self.vals.operands[idx][execution].v1 as u32,
        false,
    ))),
    7 => Some(CmpValues::U64((
        self.vals.operands[idx][execution].v0,
        self.vals.operands[idx][execution].v1,
        false,
    ))),
    // TODO handle 128 bits & 256 bits & 512 bits cmps
    15 | 31 | 63 => None,
    _ => panic!("Invalid CmpLog shape {shape}"),
}
```
AFL++'s GCC and clang plugins are not perfectly in sync in how they choose the cmplog shape.
E.g. a 24-bit comparison is treated as 32-bit in the clang plugin: https://github.com/AFLplusplus/AFLplusplus/blob/2c1f988ae6735f79af447dcbf8bd3011ec45a07e/instrumentation/cmplog-instructions-pass.cc#L416-L417
The GCC plugin, on the other hand, reports it as 24-bit via the hookN variant:
https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/afl-gcc-cmplog-pass.so.cc#L170-L173
I suggest treating 24-bit values as 32-bit, and 40/48/56-bit values as 64-bit.
Larger values are not implemented currently; there is already a TODO for that in the code, but that's another problem.
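The widening the issue proposes, written out as an added example (not LibAFL's code, and not a patch to the `match` above): the `shape` field is the AFL++ cmplog operand byte size minus one, so shape 2 is a 24-bit compare and shapes 4 to 6 are 40/48/56-bit compares. `width_for_shape` maps those onto the next power-of-two width and returns `None` rather than panicking for anything unsupported, so a single odd-sized compare cannot abort the whole fuzzing run. The `CmpWidth` and `CmpValues` names, the mask-to-reported-width step, and the sample operand values are assumptions made for this example.

```rust
// Added example, not part of LibAFL: map an AFL++ cmplog `shape`
// (operand byte size minus one) to a supported operand width,
// widening non-power-of-two sizes instead of panicking.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum CmpWidth {
    U8,
    U16,
    U32,
    U64,
}

/// Hypothetical stand-in for LibAFL's `CmpValues` (operand pair only).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum CmpValues {
    U8(u8, u8),
    U16(u16, u16),
    U32(u32, u32),
    U64(u64, u64),
}

/// Narrowest supported width that holds a compare of the given shape.
/// 128/256/512-bit shapes (15/31/63) and unknown values yield `None`
/// so the entry is skipped rather than aborting the fuzzer.
pub fn width_for_shape(shape: u8) -> Option<CmpWidth> {
    match shape {
        0 => Some(CmpWidth::U8),
        1 => Some(CmpWidth::U16),
        // 24-bit widened to 32-bit, matching what the clang pass already reports.
        2 | 3 => Some(CmpWidth::U32),
        // 40/48/56-bit widened to 64-bit.
        4..=7 => Some(CmpWidth::U64),
        // Not implemented (the TODO in the original code).
        15 | 31 | 63 => None,
        _ => None,
    }
}

/// Keep only the bytes the target actually compared (assumption: the hook may
/// hand over a wider register value, and stray upper bytes would otherwise
/// become bogus tokens once the entry is widened).
fn mask_to_shape(v: u64, shape: u8) -> u64 {
    let bits = (u32::from(shape) + 1) * 8;
    if bits >= 64 {
        v
    } else {
        v & ((1u64 << bits) - 1)
    }
}

/// Build the operand pair for one cmplog entry, mirroring the `as uN`
/// truncation of the original `match` but covering every shape 0..=7.
pub fn cmp_values(shape: u8, v0: u64, v1: u64) -> Option<CmpValues> {
    let width = width_for_shape(shape)?;
    let (v0, v1) = (mask_to_shape(v0, shape), mask_to_shape(v1, shape));
    Some(match width {
        CmpWidth::U8 => CmpValues::U8(v0 as u8, v1 as u8),
        CmpWidth::U16 => CmpValues::U16(v0 as u16, v1 as u16),
        CmpWidth::U32 => CmpValues::U32(v0 as u32, v1 as u32),
        CmpWidth::U64 => CmpValues::U64(v0, v1),
    })
}

fn main() {
    // Constructed sample operands: a 24-bit compare of 0xABCDEF against 0xABCD00,
    // as the GCC hookN variant would report it, plus every other shape value.
    for shape in [0u8, 1, 2, 3, 4, 5, 6, 7, 15, 42] {
        println!("shape {shape:>2} -> {:?}", cmp_values(shape, 0xFFAB_CDEF, 0x00AB_CD00));
    }
}
```

Shapes 15, 31 and 63 keep the existing `None` behaviour, so the only change visible to the rest of the pipeline is that shapes 2, 4, 5 and 6 now produce a (widened) entry and anything else is dropped instead of panicking.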