Lines Matching full:n
113 "\n"
114 "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
115 "\n"
116 ".align 4\n"
117 "\n"
118 "leal -16(%%esp), %%esp\n"
119 "movl %%edi, 0(%%esp)\n"
120 "movl %%edx, 4(%%esp)\n"
121 "movl %%ecx, 8(%%esp)\n"
122 "movl %%eax, 12(%%esp)\n"
123 "movl $0x%08x, %%ecx\n"
124 "call __afl_maybe_log\n"
125 "movl 12(%%esp), %%eax\n"
126 "movl 8(%%esp), %%ecx\n"
127 "movl 4(%%esp), %%edx\n"
128 "movl 0(%%esp), %%edi\n"
129 "leal 16(%%esp), %%esp\n"
130 "\n"
131 "/* --- END --- */\n"
132 "\n";
136 "\n"
137 "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
138 "\n"
139 ".align 4\n"
140 "\n"
141 "leaq -(128+24)(%%rsp), %%rsp\n"
142 "movq %%rdx, 0(%%rsp)\n"
143 "movq %%rcx, 8(%%rsp)\n"
144 "movq %%rax, 16(%%rsp)\n"
145 "movq $0x%08x, %%rcx\n"
146 "call __afl_maybe_log\n"
147 "movq 16(%%rsp), %%rax\n"
148 "movq 8(%%rsp), %%rcx\n"
149 "movq 0(%%rsp), %%rdx\n"
150 "leaq (128+24)(%%rsp), %%rsp\n"
151 "\n"
152 "/* --- END --- */\n"
153 "\n";
157 "\n"
158 "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"
159 "\n"
160 ".text\n"
161 ".att_syntax\n"
162 ".code32\n"
163 ".align 8\n"
164 "\n"
166 "__afl_maybe_log:\n"
167 "\n"
168 " lahf\n"
169 " seto %al\n"
170 "\n"
171 " /* Check if SHM region is already mapped. */\n"
172 "\n"
173 " movl __afl_area_ptr, %edx\n"
174 " testl %edx, %edx\n"
175 " je __afl_setup\n"
176 "\n"
177 "__afl_store:\n"
178 "\n"
179 " /* Calculate and store hit for the code location specified in ecx. There\n"
180 " is a double-XOR way of doing this without tainting another register,\n"
181 " and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n"
182 "\n"
184 " movl __afl_prev_loc, %edi\n"
185 " xorl %ecx, %edi\n"
186 " shrl $1, %ecx\n"
187 " movl %ecx, __afl_prev_loc\n"
189 " movl %ecx, %edi\n"
191 "\n"
193 " orb $1, (%edx, %edi, 1)\n"
195 " addb $1, (%edx, %edi, 1)\n"
196 …" adcb $0, (%edx, %edi, 1)\n" // never zero counter implementation. slightly better path discover…
198 "\n"
199 "__afl_return:\n"
200 "\n"
201 " addb $127, %al\n"
202 " sahf\n"
203 " ret\n"
204 "\n"
205 ".align 8\n"
206 "\n"
207 "__afl_setup:\n"
208 "\n"
209 " /* Do not retry setup if we had previous failures. */\n"
210 "\n"
211 " cmpb $0, __afl_setup_failure\n"
212 " jne __afl_return\n"
213 "\n"
214 " /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n"
215 " We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n"
216 " will notice this early in the game. */\n"
217 "\n"
218 " pushl %eax\n"
219 " pushl %ecx\n"
220 "\n"
221 " pushl $.AFL_SHM_ENV\n"
222 " call getenv\n"
223 " addl $4, %esp\n"
224 "\n"
225 " testl %eax, %eax\n"
226 " je __afl_setup_abort\n"
227 "\n"
229 " pushl $384 /* shm_open mode 0600 */\n"
230 " pushl $2 /* flags O_RDWR */\n"
231 " pushl %eax /* SHM file path */\n"
232 " call shm_open\n"
233 " addl $12, %esp\n"
234 "\n"
235 " cmpl $-1, %eax\n"
236 " je __afl_setup_abort\n"
237 "\n"
238 " pushl $0 /* mmap off */\n"
239 " pushl %eax /* shm fd */\n"
240 " pushl $1 /* mmap flags */\n"
241 " pushl $3 /* mmap prot */\n"
242 " pushl $"STRINGIFY(MAP_SIZE)" /* mmap len */\n"
243 " pushl $0 /* mmap addr */\n"
244 " call mmap\n"
245 " addl $12, %esp\n"
246 "\n"
247 " cmpl $-1, %eax\n"
248 " je __afl_setup_abort\n"
249 "\n"
251 " pushl %eax\n"
252 " call atoi\n"
253 " addl $4, %esp\n"
254 "\n"
255 " pushl $0 /* shmat flags */\n"
256 " pushl $0 /* requested addr */\n"
257 " pushl %eax /* SHM ID */\n"
258 " call shmat\n"
259 " addl $12, %esp\n"
260 "\n"
261 " cmpl $-1, %eax\n"
262 " je __afl_setup_abort\n"
263 "\n"
265 " movb $1, (%eax)\n"
266 " /* Store the address of the SHM region. */\n"
267 "\n"
268 " movl %eax, __afl_area_ptr\n"
269 " movl %eax, %edx\n"
270 "\n"
271 " popl %ecx\n"
272 " popl %eax\n"
273 "\n"
274 "__afl_forkserver:\n"
275 "\n"
276 " /* Enter the fork server mode to avoid the overhead of execve() calls. */\n"
277 "\n"
278 " pushl %eax\n"
279 " pushl %ecx\n"
280 " pushl %edx\n"
281 "\n"
282 " /* Phone home and tell the parent that we're OK. (Note that signals with\n"
283 " no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
284 " closed because we were execve()d from an instrumented binary, or because\n"
285 " the parent doesn't want to use the fork server. */\n"
286 "\n"
287 " pushl $4 /* length */\n"
288 " pushl $__afl_temp /* data */\n"
289 " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n"
290 " call write\n"
291 " addl $12, %esp\n"
292 "\n"
293 " cmpl $4, %eax\n"
294 " jne __afl_fork_resume\n"
295 "\n"
296 "__afl_fork_wait_loop:\n"
297 "\n"
298 " /* Wait for parent by reading from the pipe. Abort if read fails. */\n"
299 "\n"
300 " pushl $4 /* length */\n"
301 " pushl $__afl_temp /* data */\n"
302 " pushl $" STRINGIFY(FORKSRV_FD) " /* file desc */\n"
303 " call read\n"
304 " addl $12, %esp\n"
305 "\n"
306 " cmpl $4, %eax\n"
307 " jne __afl_die\n"
308 "\n"
309 " /* Once woken up, create a clone of our process. This is an excellent use\n"
310 " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
311 " caches getpid() results and offers no way to update the value, breaking\n"
312 " abort(), raise(), and a bunch of other things :-( */\n"
313 "\n"
314 " call fork\n"
315 "\n"
316 " cmpl $0, %eax\n"
317 " jl __afl_die\n"
318 " je __afl_fork_resume\n"
319 "\n"
320 " /* In parent process: write PID to pipe, then wait for child. */\n"
321 "\n"
322 " movl %eax, __afl_fork_pid\n"
323 "\n"
324 " pushl $4 /* length */\n"
325 " pushl $__afl_fork_pid /* data */\n"
326 " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n"
327 " call write\n"
328 " addl $12, %esp\n"
329 "\n"
330 " pushl $0 /* no flags */\n"
331 " pushl $__afl_temp /* status */\n"
332 " pushl __afl_fork_pid /* PID */\n"
333 " call waitpid\n"
334 " addl $12, %esp\n"
335 "\n"
336 " cmpl $0, %eax\n"
337 " jle __afl_die\n"
338 "\n"
339 " /* Relay wait status to pipe, then loop back. */\n"
340 "\n"
341 " pushl $4 /* length */\n"
342 " pushl $__afl_temp /* data */\n"
343 " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n"
344 " call write\n"
345 " addl $12, %esp\n"
346 "\n"
347 " jmp __afl_fork_wait_loop\n"
348 "\n"
349 "__afl_fork_resume:\n"
350 "\n"
351 " /* In child process: close fds, resume execution. */\n"
352 "\n"
353 " pushl $" STRINGIFY(FORKSRV_FD) "\n"
354 " call close\n"
355 "\n"
356 " pushl $" STRINGIFY((FORKSRV_FD + 1)) "\n"
357 " call close\n"
358 "\n"
359 " addl $8, %esp\n"
360 "\n"
361 " popl %edx\n"
362 " popl %ecx\n"
363 " popl %eax\n"
364 " jmp __afl_store\n"
365 "\n"
366 "__afl_die:\n"
367 "\n"
368 " xorl %eax, %eax\n"
369 " call _exit\n"
370 "\n"
371 "__afl_setup_abort:\n"
372 "\n"
373 " /* Record setup failure so that we don't keep calling\n"
374 " shmget() / shmat() over and over again. */\n"
375 "\n"
376 " incb __afl_setup_failure\n"
377 " popl %ecx\n"
378 " popl %eax\n"
379 " jmp __afl_return\n"
380 "\n"
381 ".AFL_VARS:\n"
382 "\n"
383 " .comm __afl_area_ptr, 4, 32\n"
384 " .comm __afl_setup_failure, 1, 32\n"
386 " .comm __afl_prev_loc, 4, 32\n"
388 " .comm __afl_final_loc, 4, 32\n"
389 " .comm __afl_fork_pid, 4, 32\n"
390 " .comm __afl_temp, 4, 32\n"
391 "\n"
392 ".AFL_SHM_ENV:\n"
393 " .asciz \"" SHM_ENV_VAR "\"\n"
394 "\n"
395 "/* --- END --- */\n"
396 "\n";
407 #define CALL_L64(str) "call _" str "\n"
409 #define CALL_L64(str) "call " str "@PLT\n"
414 "\n"
415 "/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n"
416 "\n"
417 ".text\n"
418 ".att_syntax\n"
419 ".code64\n"
420 ".align 8\n"
421 "\n"
422 "__afl_maybe_log:\n"
423 "\n"
425 " .byte 0x9f /* lahf */\n"
427 " lahf\n"
429 " seto %al\n"
430 "\n"
431 " /* Check if SHM region is already mapped. */\n"
432 "\n"
433 " movq __afl_area_ptr(%rip), %rdx\n"
434 " testq %rdx, %rdx\n"
435 " je __afl_setup\n"
436 "\n"
437 "__afl_store:\n"
438 "\n"
439 " /* Calculate and store hit for the code location specified in rcx. */\n"
440 "\n"
442 " xorq __afl_prev_loc(%rip), %rcx\n"
443 " xorq %rcx, __afl_prev_loc(%rip)\n"
444 " shrq $1, __afl_prev_loc(%rip)\n"
446 "\n"
448 " orb $1, (%rdx, %rcx, 1)\n"
450 " addb $1, (%rdx, %rcx, 1)\n"
451 …" adcb $0, (%rdx, %rcx, 1)\n" // never zero counter implementation. slightly better path discover…
453 "\n"
454 "__afl_return:\n"
455 "\n"
456 " addb $127, %al\n"
458 " .byte 0x9e /* sahf */\n"
460 " sahf\n"
462 " ret\n"
463 "\n"
464 ".align 8\n"
465 "\n"
466 "__afl_setup:\n"
467 "\n"
468 " /* Do not retry setup if we had previous failures. */\n"
469 "\n"
470 " cmpb $0, __afl_setup_failure(%rip)\n"
471 " jne __afl_return\n"
472 "\n"
473 " /* Check out if we have a global pointer on file. */\n"
474 "\n"
476 " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
477 " movq (%rdx), %rdx\n"
479 " movq __afl_global_area_ptr(%rip), %rdx\n"
481 " testq %rdx, %rdx\n"
482 " je __afl_setup_first\n"
483 "\n"
484 " movq %rdx, __afl_area_ptr(%rip)\n"
485 " jmp __afl_store\n"
486 "\n"
487 "__afl_setup_first:\n"
488 "\n"
489 " /* Save everything that is not yet saved and that may be touched by\n"
490 " getenv() and several other libcalls we'll be relying on. */\n"
491 "\n"
492 " leaq -352(%rsp), %rsp\n"
493 "\n"
494 " movq %rax, 0(%rsp)\n"
495 " movq %rcx, 8(%rsp)\n"
496 " movq %rdi, 16(%rsp)\n"
497 " movq %rsi, 32(%rsp)\n"
498 " movq %r8, 40(%rsp)\n"
499 " movq %r9, 48(%rsp)\n"
500 " movq %r10, 56(%rsp)\n"
501 " movq %r11, 64(%rsp)\n"
502 "\n"
503 " movq %xmm0, 96(%rsp)\n"
504 " movq %xmm1, 112(%rsp)\n"
505 " movq %xmm2, 128(%rsp)\n"
506 " movq %xmm3, 144(%rsp)\n"
507 " movq %xmm4, 160(%rsp)\n"
508 " movq %xmm5, 176(%rsp)\n"
509 " movq %xmm6, 192(%rsp)\n"
510 " movq %xmm7, 208(%rsp)\n"
511 " movq %xmm8, 224(%rsp)\n"
512 " movq %xmm9, 240(%rsp)\n"
513 " movq %xmm10, 256(%rsp)\n"
514 " movq %xmm11, 272(%rsp)\n"
515 " movq %xmm12, 288(%rsp)\n"
516 " movq %xmm13, 304(%rsp)\n"
517 " movq %xmm14, 320(%rsp)\n"
518 " movq %xmm15, 336(%rsp)\n"
519 "\n"
520 " /* Map SHM, jumping to __afl_setup_abort if something goes wrong. */\n"
521 "\n"
522 " /* The 64-bit ABI requires 16-byte stack alignment. We'll keep the\n"
523 " original stack ptr in the callee-saved r12. */\n"
524 "\n"
525 " pushq %r12\n"
526 " movq %rsp, %r12\n"
527 " subq $16, %rsp\n"
528 " andq $0xfffffffffffffff0, %rsp\n"
529 "\n"
530 " leaq .AFL_SHM_ENV(%rip), %rdi\n"
532 "\n"
533 " testq %rax, %rax\n"
534 " je __afl_setup_abort\n"
535 "\n"
537 " movl $384, %edx /* shm_open mode 0600 */\n"
538 " movl $2, %esi /* flags O_RDWR */\n"
539 " movq %rax, %rdi /* SHM file path */\n"
541 "\n"
542 " cmpq $-1, %rax\n"
543 " je __afl_setup_abort\n"
544 "\n"
545 " movl $0, %r9d\n"
546 " movl %eax, %r8d\n"
547 " movl $1, %ecx\n"
548 " movl $3, %edx\n"
549 " movl $"STRINGIFY(MAP_SIZE)", %esi\n"
550 " movl $0, %edi\n"
552 "\n"
553 " cmpq $-1, %rax\n"
554 " je __afl_setup_abort\n"
555 "\n"
557 " movq %rax, %rdi\n"
559 "\n"
560 " xorq %rdx, %rdx /* shmat flags */\n"
561 " xorq %rsi, %rsi /* requested addr */\n"
562 " movq %rax, %rdi /* SHM ID */\n"
564 "\n"
565 " cmpq $-1, %rax\n"
566 " je __afl_setup_abort\n"
567 "\n"
569 " movb $1, (%rax)\n"
570 " /* Store the address of the SHM region. */\n"
571 "\n"
572 " movq %rax, %rdx\n"
573 " movq %rax, __afl_area_ptr(%rip)\n"
574 "\n"
576 " movq %rax, __afl_global_area_ptr(%rip)\n"
578 " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
579 " movq %rax, (%rdx)\n"
581 " movq %rax, %rdx\n"
582 "\n"
583 "__afl_forkserver:\n"
584 "\n"
585 " /* Enter the fork server mode to avoid the overhead of execve() calls. We\n"
586 " push rdx (area ptr) twice to keep stack alignment neat. */\n"
587 "\n"
588 " pushq %rdx\n"
589 " pushq %rdx\n"
590 "\n"
591 " /* Phone home and tell the parent that we're OK. (Note that signals with\n"
592 " no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
593 " closed because we were execve()d from an instrumented binary, or because\n"
594 " the parent doesn't want to use the fork server. */\n"
595 "\n"
596 " movq $4, %rdx /* length */\n"
597 " leaq __afl_temp(%rip), %rsi /* data */\n"
598 " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
600 "\n"
601 " cmpq $4, %rax\n"
602 " jne __afl_fork_resume\n"
603 "\n"
604 "__afl_fork_wait_loop:\n"
605 "\n"
606 " /* Wait for parent by reading from the pipe. Abort if read fails. */\n"
607 "\n"
608 " movq $4, %rdx /* length */\n"
609 " leaq __afl_temp(%rip), %rsi /* data */\n"
610 " movq $" STRINGIFY(FORKSRV_FD) ", %rdi /* file desc */\n"
612 " cmpq $4, %rax\n"
613 " jne __afl_die\n"
614 "\n"
615 " /* Once woken up, create a clone of our process. This is an excellent use\n"
616 " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
617 " caches getpid() results and offers no way to update the value, breaking\n"
618 " abort(), raise(), and a bunch of other things :-( */\n"
619 "\n"
621 " cmpq $0, %rax\n"
622 " jl __afl_die\n"
623 " je __afl_fork_resume\n"
624 "\n"
625 " /* In parent process: write PID to pipe, then wait for child. */\n"
626 "\n"
627 " movl %eax, __afl_fork_pid(%rip)\n"
628 "\n"
629 " movq $4, %rdx /* length */\n"
630 " leaq __afl_fork_pid(%rip), %rsi /* data */\n"
631 " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
633 "\n"
634 " movq $0, %rdx /* no flags */\n"
635 " leaq __afl_temp(%rip), %rsi /* status */\n"
636 " movq __afl_fork_pid(%rip), %rdi /* PID */\n"
638 " cmpq $0, %rax\n"
639 " jle __afl_die\n"
640 "\n"
641 " /* Relay wait status to pipe, then loop back. */\n"
642 "\n"
643 " movq $4, %rdx /* length */\n"
644 " leaq __afl_temp(%rip), %rsi /* data */\n"
645 " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
647 "\n"
648 " jmp __afl_fork_wait_loop\n"
649 "\n"
650 "__afl_fork_resume:\n"
651 "\n"
652 " /* In child process: close fds, resume execution. */\n"
653 "\n"
654 " movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n"
656 "\n"
657 " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n"
659 "\n"
660 " popq %rdx\n"
661 " popq %rdx\n"
662 "\n"
663 " movq %r12, %rsp\n"
664 " popq %r12\n"
665 "\n"
666 " movq 0(%rsp), %rax\n"
667 " movq 8(%rsp), %rcx\n"
668 " movq 16(%rsp), %rdi\n"
669 " movq 32(%rsp), %rsi\n"
670 " movq 40(%rsp), %r8\n"
671 " movq 48(%rsp), %r9\n"
672 " movq 56(%rsp), %r10\n"
673 " movq 64(%rsp), %r11\n"
674 "\n"
675 " movq 96(%rsp), %xmm0\n"
676 " movq 112(%rsp), %xmm1\n"
677 " movq 128(%rsp), %xmm2\n"
678 " movq 144(%rsp), %xmm3\n"
679 " movq 160(%rsp), %xmm4\n"
680 " movq 176(%rsp), %xmm5\n"
681 " movq 192(%rsp), %xmm6\n"
682 " movq 208(%rsp), %xmm7\n"
683 " movq 224(%rsp), %xmm8\n"
684 " movq 240(%rsp), %xmm9\n"
685 " movq 256(%rsp), %xmm10\n"
686 " movq 272(%rsp), %xmm11\n"
687 " movq 288(%rsp), %xmm12\n"
688 " movq 304(%rsp), %xmm13\n"
689 " movq 320(%rsp), %xmm14\n"
690 " movq 336(%rsp), %xmm15\n"
691 "\n"
692 " leaq 352(%rsp), %rsp\n"
693 "\n"
694 " jmp __afl_store\n"
695 "\n"
696 "__afl_die:\n"
697 "\n"
698 " xorq %rax, %rax\n"
700 "\n"
701 "__afl_setup_abort:\n"
702 "\n"
703 " /* Record setup failure so that we don't keep calling\n"
704 " shmget() / shmat() over and over again. */\n"
705 "\n"
706 " incb __afl_setup_failure(%rip)\n"
707 "\n"
708 " movq %r12, %rsp\n"
709 " popq %r12\n"
710 "\n"
711 " movq 0(%rsp), %rax\n"
712 " movq 8(%rsp), %rcx\n"
713 " movq 16(%rsp), %rdi\n"
714 " movq 32(%rsp), %rsi\n"
715 " movq 40(%rsp), %r8\n"
716 " movq 48(%rsp), %r9\n"
717 " movq 56(%rsp), %r10\n"
718 " movq 64(%rsp), %r11\n"
719 "\n"
720 " movq 96(%rsp), %xmm0\n"
721 " movq 112(%rsp), %xmm1\n"
722 " movq 128(%rsp), %xmm2\n"
723 " movq 144(%rsp), %xmm3\n"
724 " movq 160(%rsp), %xmm4\n"
725 " movq 176(%rsp), %xmm5\n"
726 " movq 192(%rsp), %xmm6\n"
727 " movq 208(%rsp), %xmm7\n"
728 " movq 224(%rsp), %xmm8\n"
729 " movq 240(%rsp), %xmm9\n"
730 " movq 256(%rsp), %xmm10\n"
731 " movq 272(%rsp), %xmm11\n"
732 " movq 288(%rsp), %xmm12\n"
733 " movq 304(%rsp), %xmm13\n"
734 " movq 320(%rsp), %xmm14\n"
735 " movq 336(%rsp), %xmm15\n"
736 "\n"
737 " leaq 352(%rsp), %rsp\n"
738 "\n"
739 " jmp __afl_return\n"
740 "\n"
741 ".AFL_VARS:\n"
742 "\n"
746 " .comm __afl_area_ptr, 8\n"
748 " .comm __afl_prev_loc, 8\n"
750 " .comm __afl_fork_pid, 4\n"
751 " .comm __afl_temp, 4\n"
752 " .comm __afl_setup_failure, 1\n"
756 " .lcomm __afl_area_ptr, 8\n"
758 " .lcomm __afl_prev_loc, 8\n"
760 " .lcomm __afl_fork_pid, 4\n"
761 " .lcomm __afl_temp, 4\n"
762 " .lcomm __afl_setup_failure, 1\n"
766 " .comm __afl_global_area_ptr, 8, 8\n"
767 "\n"
768 ".AFL_SHM_ENV:\n"
769 " .asciz \"" SHM_ENV_VAR "\"\n"
770 "\n"
771 "/* --- END --- */\n"
772 "\n";