diff options
author | Mark <mteffeteller@google.com> | 2023-06-22 00:59:06 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-06-22 00:59:06 +0000 |
commit | 33edd6723662ea34453766bfdca85dbfdd5342b8 (patch) | |
tree | 68cf332a40b94b2d28b256b19b916f99220bb0c4 /src/jmh/native/com/code_intelligence/jazzer/runtime/fuzzer_callbacks.cpp | |
parent | ba37c2e361c2ba91bacc47fcae5383c52e50f6be (diff) | |
parent | f1ff6ce482549c51088d0a4b011d676904ad2506 (diff) | |
download | jazzer-api-33edd6723662ea34453766bfdca85dbfdd5342b8.tar.gz |
Sync jazzer in AOSP with upstream repo (new SHA: 30decf81a147c66fa5a098072c38ab6924ba0aa6) am: 9350e0ab03 am: 99d9a79746 am: 34a8e5c8aa am: e73be1680d am: 54819157ea am: f1ff6ce482HEADandroid-14.0.0_r51android-14.0.0_r50android-14.0.0_r37android-14.0.0_r36android-14.0.0_r35android-14.0.0_r34android-14.0.0_r33android-14.0.0_r32android-14.0.0_r31android-14.0.0_r30android-14.0.0_r29mastermainandroid14-qpr3-releaseandroid14-qpr2-s5-releaseandroid14-qpr2-s4-releaseandroid14-qpr2-s3-releaseandroid14-qpr2-s2-releaseandroid14-qpr2-s1-releaseandroid14-qpr2-release
Original change: https://android-review.googlesource.com/c/platform/external/jazzer-api/+/2627336
Change-Id: Iaaed944c1e9e457640f7055fc57e8678f90f4603
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat (limited to 'src/jmh/native/com/code_intelligence/jazzer/runtime/fuzzer_callbacks.cpp')
-rw-r--r-- | src/jmh/native/com/code_intelligence/jazzer/runtime/fuzzer_callbacks.cpp | 213 |
1 files changed, 213 insertions, 0 deletions
diff --git a/src/jmh/native/com/code_intelligence/jazzer/runtime/fuzzer_callbacks.cpp b/src/jmh/native/com/code_intelligence/jazzer/runtime/fuzzer_callbacks.cpp new file mode 100644 index 00000000..ec357610 --- /dev/null +++ b/src/jmh/native/com/code_intelligence/jazzer/runtime/fuzzer_callbacks.cpp @@ -0,0 +1,213 @@ +// Copyright 2022 Code Intelligence GmbH +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include <jni.h> + +#include <cstddef> +#include <cstdint> + +#include "com_code_intelligence_jazzer_runtime_FuzzerCallbacks.h" +#include "com_code_intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical.h" +#include "com_code_intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical.h" +#include "com_code_intelligence_jazzer_runtime_FuzzerCallbacksWithPc.h" +#include "src/main/native/com/code_intelligence/jazzer/driver/sanitizer_hooks_with_pc.h" + +extern "C" { +void __sanitizer_weak_hook_compare_bytes(void *caller_pc, const void *s1, + const void *s2, std::size_t n1, + std::size_t n2, int result); +void __sanitizer_weak_hook_strstr(void *caller_pc, const char *s1, + const char *s2, const char *result); +void __sanitizer_weak_hook_memmem(void *caller_pc, const void *b1, + std::size_t n1, const void *s2, + std::size_t n2, void *result); +void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2); +void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2); + +void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases); + +void __sanitizer_cov_trace_div4(uint32_t val); +void __sanitizer_cov_trace_div8(uint64_t val); + +void __sanitizer_cov_trace_gep(uintptr_t idx); +} + +inline __attribute__((always_inline)) void *idToPc(jint id) { + return reinterpret_cast<void *>(static_cast<uintptr_t>(id)); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacks_traceCmpInt( + JNIEnv *env, jclass cls, jint value1, jint value2, jint id) { + __sanitizer_cov_trace_cmp4(value1, value2); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksWithPc_traceCmpInt( + JNIEnv *env, jclass cls, jint value1, jint value2, jint id) { + __sanitizer_cov_trace_cmp4_with_pc(idToPc(id), value1, value2); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceCmpInt( + JNIEnv *env, jclass cls, jint value1, jint value2, jint id) { + __sanitizer_cov_trace_cmp4(value1, value2); +} + +extern "C" JNIEXPORT void JNICALL +JavaCritical_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceCmpInt( + jint value1, jint value2, jint id) { + __sanitizer_cov_trace_cmp4(value1, value2); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacks_traceSwitch( + JNIEnv *env, jclass cls, jlong switch_value, + jlongArray libfuzzer_case_values, jint id) { + jlong *case_values = + env->GetLongArrayElements(libfuzzer_case_values, nullptr); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + __sanitizer_cov_trace_switch(switch_value, + reinterpret_cast<uint64_t *>(case_values)); + env->ReleaseLongArrayElements(libfuzzer_case_values, case_values, JNI_ABORT); + if (env->ExceptionCheck()) env->ExceptionDescribe(); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceSwitch( + JNIEnv *env, jclass cls, jlong switch_value, + jlongArray libfuzzer_case_values, jint id) { + auto *case_values = static_cast<jlong *>( + env->GetPrimitiveArrayCritical(libfuzzer_case_values, nullptr)); + __sanitizer_cov_trace_switch(switch_value, + reinterpret_cast<uint64_t *>(case_values)); + env->ReleasePrimitiveArrayCritical(libfuzzer_case_values, case_values, + JNI_ABORT); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksWithPc_traceSwitch( + JNIEnv *env, jclass cls, jlong switch_value, + jlongArray libfuzzer_case_values, jint id) { + jlong *case_values = + env->GetLongArrayElements(libfuzzer_case_values, nullptr); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + __sanitizer_cov_trace_switch_with_pc( + idToPc(id), switch_value, reinterpret_cast<uint64_t *>(case_values)); + env->ReleaseLongArrayElements(libfuzzer_case_values, case_values, JNI_ABORT); + if (env->ExceptionCheck()) env->ExceptionDescribe(); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceSwitch( + JNIEnv *env, jclass cls, jlong switch_value, + jlongArray libfuzzer_case_values, jint id) { + Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceSwitch( + env, cls, switch_value, libfuzzer_case_values, id); +} + +extern "C" JNIEXPORT void JNICALL +JavaCritical_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceSwitch( + jlong switch_value, jint case_values_length, jlong *case_values, jint id) { + __sanitizer_cov_trace_switch(switch_value, + reinterpret_cast<uint64_t *>(case_values)); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacks_traceMemcmp( + JNIEnv *env, jclass cls, jbyteArray b1, jbyteArray b2, jint result, + jint id) { + jbyte *b1_native = env->GetByteArrayElements(b1, nullptr); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + jbyte *b2_native = env->GetByteArrayElements(b2, nullptr); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + jint b1_length = env->GetArrayLength(b1); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + jint b2_length = env->GetArrayLength(b2); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + __sanitizer_weak_hook_compare_bytes(idToPc(id), b1_native, b2_native, + b1_length, b2_length, result); + env->ReleaseByteArrayElements(b1, b1_native, JNI_ABORT); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + env->ReleaseByteArrayElements(b2, b2_native, JNI_ABORT); + if (env->ExceptionCheck()) env->ExceptionDescribe(); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceMemcmp( + JNIEnv *env, jclass cls, jbyteArray b1, jbyteArray b2, jint result, + jint id) { + auto *b1_native = + static_cast<jbyte *>(env->GetPrimitiveArrayCritical(b1, nullptr)); + auto *b2_native = + static_cast<jbyte *>(env->GetPrimitiveArrayCritical(b2, nullptr)); + jint b1_length = env->GetArrayLength(b1); + jint b2_length = env->GetArrayLength(b2); + __sanitizer_weak_hook_compare_bytes(idToPc(id), b1_native, b2_native, + b1_length, b2_length, result); + env->ReleasePrimitiveArrayCritical(b1, b1_native, JNI_ABORT); + env->ReleasePrimitiveArrayCritical(b2, b2_native, JNI_ABORT); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceMemcmp( + JNIEnv *env, jclass cls, jbyteArray b1, jbyteArray b2, jint result, + jint id) { + Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceMemcmp( + env, cls, b1, b2, result, id); +} + +extern "C" JNIEXPORT void JNICALL +JavaCritical_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceMemcmp( + jint b1_length, jbyte *b1, jint b2_length, jbyte *b2, jint result, + jint id) { + __sanitizer_weak_hook_compare_bytes(idToPc(id), b1, b2, b1_length, b2_length, + result); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacks_traceStrstr( + JNIEnv *env, jclass cls, jstring s1, jstring s2, jint id) { + const char *s1_native = env->GetStringUTFChars(s1, nullptr); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + const char *s2_native = env->GetStringUTFChars(s2, nullptr); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + // libFuzzer currently ignores the result, which allows us to simply pass a + // valid but arbitrary pointer here instead of performing an actual strstr + // operation. + __sanitizer_weak_hook_strstr(idToPc(id), s1_native, s2_native, s1_native); + env->ReleaseStringUTFChars(s1, s1_native); + if (env->ExceptionCheck()) env->ExceptionDescribe(); + env->ReleaseStringUTFChars(s2, s2_native); + if (env->ExceptionCheck()) env->ExceptionDescribe(); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceStrstr( + JNIEnv *env, jclass cls, jstring s1, jstring s2, jint id) { + const char *s2_native = env->GetStringUTFChars(s2, nullptr); + __sanitizer_weak_hook_strstr(idToPc(id), nullptr, s2_native, s2_native); + env->ReleaseStringUTFChars(s2, s2_native); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceStrstrInternal( + JNIEnv *env, jclass cls, jbyteArray needle, jint id) { + auto *needle_native = + static_cast<jbyte *>(env->GetPrimitiveArrayCritical(needle, nullptr)); + jint needle_length = env->GetArrayLength(needle); + __sanitizer_weak_hook_memmem(idToPc(id), nullptr, 0, needle_native, + needle_length, nullptr); + env->ReleasePrimitiveArrayCritical(needle, needle_native, JNI_ABORT); +} + +void Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceStrstrInternal( + JNIEnv *env, jclass cls, jbyteArray needle, jint id) { + Java_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedNonCritical_traceStrstrInternal( + env, cls, needle, id); +} + +extern "C" JNIEXPORT void JNICALL +JavaCritical_com_code_1intelligence_jazzer_runtime_FuzzerCallbacksOptimizedCritical_traceStrstrInternal( + jint needle_length, jbyte *needle, jint id) { + __sanitizer_weak_hook_memmem(idToPc(id), nullptr, 0, needle, needle_length, + nullptr); +} |