authorFabian Meumertzheim <meumertzheim@code-intelligence.com>2021-05-03 16:29:46 +0200
committerFabian Meumertzheim <fabian@meumertzhe.im>2021-05-05 16:07:24 +0200
commitefde1dbfd3523022ddb088e6deb698b13329cf7f (patch)
treebf72229a4f95301c013c844eb5820ad18f527b3e /agent
parentde0189a7edd68086e7878a8fcd60508d557d01e9 (diff)
downloadjazzer-api-efde1dbfd3523022ddb088e6deb698b13329cf7f.tar.gz
Add Jazzer#guideTowardsEquality for byte[]
Diffstat (limited to 'agent')
-rw-r--r--agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java25
-rw-r--r--agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java12
-rw-r--r--agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceDataFlowNativeCallbacks.java3
3 files changed, 30 insertions, 10 deletions
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java b/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java
index c9b30a22..61eb8f0b 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java
+++ b/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java
@@ -27,6 +27,7 @@ final public class Jazzer {
private static MethodHandle traceStrcmp = null;
private static MethodHandle traceStrstr = null;
+ private static MethodHandle traceMemcmp = null;
static {
try {
@@ -43,6 +44,10 @@ final public class Jazzer {
MethodType.methodType(void.class, String.class, String.class, int.class);
traceStrstr = MethodHandles.publicLookup().findStatic(
traceDataFlowNativeCallbacks, "traceStrstr", traceStrstrType);
+ MethodType traceMemcmpType =
+ MethodType.methodType(void.class, byte[].class, byte[].class, int.class, int.class);
+ traceMemcmp = MethodHandles.publicLookup().findStatic(
+ traceDataFlowNativeCallbacks, "traceMemcmp", traceMemcmpType);
} catch (ClassNotFoundException ignore) {
// Not running in the context of the agent. This is fine as long as no methods are called on
// this class.
@@ -76,6 +81,26 @@ final public class Jazzer {
}
/**
+ * Instructs the fuzzer to guide its mutations towards making {@code current} equal to {@code
+ * target}.
+ *
+ * If the relation between the raw fuzzer input and the value of {@code current} is relatively
+ * complex, running the fuzzer with the argument {@code -use_value_profile=1} may be necessary to
+ * achieve equality.
+ *
+ * @param current a non-constant byte array observed during fuzz target execution
+ * @param target a byte array that {@code current} should become equal to, but currently isn't
+ * @param id a (probabilistically) unique identifier for this particular compare hint
+ */
+ public static void guideTowardsEquality(byte[] current, byte[] target, int id) {
+ try {
+ traceMemcmp.invokeExact(current, target, 1, id);
+ } catch (Throwable e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
* Instructs the fuzzer to guide its mutations towards making {@code haystack} contain {@code
* needle} as a substring.
*
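Review bot: `guideTowardsEquality` hands `current` and `target` straight to the native `traceMemcmp` handle with no null check, and the new Javadoc does not say both must be non-null; unless the JNI side tolerates a null array, a null argument would only surface as a printed stack trace from the `catch (Throwable e)` block rather than as an error at the call site. Adding `Objects.requireNonNull(current, "current"); Objects.requireNonNull(target, "target");` at the top of the method (with `java.util.Objects` imported if it is not already) makes the contract explicit; alternatively document it with `@throws NullPointerException if {@code current} or {@code target} is null`. Note also that, per the `catch (ClassNotFoundException ignore)` branch in the static initializer, `traceMemcmp` stays null outside the agent, so a call there reports a NullPointerException via `printStackTrace` — consistent with the sibling methods, but worth a sentence in the Javadoc. The Javadoc for the following method continues outside the hunk.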
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java b/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java
index 394de853..078253df 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java
+++ b/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java
@@ -199,8 +199,7 @@ final public class TraceCmpHooks {
byte[] first = (byte[]) arguments[0];
byte[] second = (byte[]) arguments[1];
if (!returnValue) {
- TraceDataFlowNativeCallbacks.traceMemcmp(
- first, first.length, second, second.length, 1, hookId);
+ TraceDataFlowNativeCallbacks.traceMemcmp(first, second, 1, hookId);
}
}
@@ -214,8 +213,7 @@ final public class TraceCmpHooks {
byte[] second =
Arrays.copyOfRange((byte[]) arguments[3], (int) arguments[4], (int) arguments[5]);
if (!returnValue) {
- TraceDataFlowNativeCallbacks.traceMemcmp(
- first, first.length, second, second.length, 1, hookId);
+ TraceDataFlowNativeCallbacks.traceMemcmp(first, second, 1, hookId);
}
}
@@ -229,8 +227,7 @@ final public class TraceCmpHooks {
byte[] first = (byte[]) arguments[0];
byte[] second = (byte[]) arguments[1];
if (returnValue != 0) {
- TraceDataFlowNativeCallbacks.traceMemcmp(
- first, first.length, second, second.length, returnValue, hookId);
+ TraceDataFlowNativeCallbacks.traceMemcmp(first, second, returnValue, hookId);
}
}
@@ -246,8 +243,7 @@ final public class TraceCmpHooks {
byte[] second =
Arrays.copyOfRange((byte[]) arguments[3], (int) arguments[4], (int) arguments[5]);
if (returnValue != 0) {
- TraceDataFlowNativeCallbacks.traceMemcmp(
- first, first.length, second, second.length, returnValue, hookId);
+ TraceDataFlowNativeCallbacks.traceMemcmp(first, second, returnValue, hookId);
}
}
}
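Review bot: When `returnValue` is non-zero the hook forwards `first` and `second` to the native `traceMemcmp` without checking either for null, and the same pattern appears in the three preceding hunks at old lines 199, 214 and 229; for the `!returnValue` variants in particular, an equals-style comparison involving a null array plausibly reports false, which would route a null into the native call. A guard such as `if (returnValue != 0 && first != null && second != null) {` (and `if (!returnValue && first != null && second != null) {` in the boolean variants) keeps the JNI side from having to handle null at all. I cannot see the native implementation here, so if it already tolerates null this becomes a documentation point instead: a one-line comment above each call stating that null arrays are handled natively. The enclosing hook methods start outside the hunks.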
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceDataFlowNativeCallbacks.java b/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceDataFlowNativeCallbacks.java
index f779cec6..92b21478 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceDataFlowNativeCallbacks.java
+++ b/agent/src/main/java/com/code_intelligence/jazzer/runtime/TraceDataFlowNativeCallbacks.java
@@ -34,8 +34,7 @@ final public class TraceDataFlowNativeCallbacks {
// Calls: void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *b1, const void *b2,
// size_t n, int result);
- public static native void traceMemcmp(
- byte[] b1, int b1Length, byte[] b2, int b2Length, int result, int pc);
+ public static native void traceMemcmp(byte[] b1, byte[] b2, int result, int pc);
// Calls: void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1, const char *s2, int
// result);