1 /*
2
3 american fuzzy lop++ - extract tokens passed to strcmp / memcmp
4 -------------------------------------------------------------
5
6 Originally written by Michal Zalewski
7
8 Copyright 2016 Google Inc. All rights reserved.
9 Copyright 2019-2022 AFLplusplus Project. All rights reserved.
10
11 Licensed under the Apache License, Version 2.0 (the "License");
12 you may not use this file except in compliance with the License.
13 You may obtain a copy of the License at:
14
15 http://www.apache.org/licenses/LICENSE-2.0
16
17 This Linux-only companion library allows you to instrument strcmp(),
18 memcmp(), and related functions to automatically extract tokens.
19 See README.tokencap.md for more info.
20
21 */
22
23 #ifndef _GNU_SOURCE
24 #define _GNU_SOURCE
25 #endif
26 #include <stdio.h>
27 #include <string.h>
28 #include <ctype.h>
29 #include <unistd.h>
30 #include <fcntl.h>
31 #include <stdbool.h>
32
33 #include "../types.h"
34 #include "../config.h"
35
36 #include "debug.h"
37
38 #if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \
39 !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ && \
40 !defined(__HAIKU__) && !defined(__sun)
41 #error "Sorry, this library is unsupported in this platform for now!"
42 #endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \
43 !__NetBSD__*/
44
45 #if defined __APPLE__
46 #include <mach/vm_map.h>
47 #include <mach/mach_init.h>
48 #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
49 #include <sys/types.h>
50 #include <sys/sysctl.h>
51 #if !defined __NetBSD__
52 #include <sys/user.h>
53 #endif
54 #include <sys/mman.h>
55 #elif defined __HAIKU__
56 #include <kernel/image.h>
57 #elif defined __sun
58 /* For map addresses the old struct is enough */
59 #include <sys/procfs.h>
60 #include <limits.h>
61 #endif
62
63 #include <dlfcn.h>
64
#ifdef RTLD_NEXT
/* The libc functions are a magnitude faster than our replacements.
   Use them when RTLD_NEXT is available.

   These are resolved with dlsym(RTLD_NEXT, ...) in __tokencap_init(). Each
   hook below checks its pointer for NULL and falls back to the portable
   in-file implementation when the lookup failed. */
int (*__libc_strcmp)(const char *str1, const char *str2);
int (*__libc_strncmp)(const char *str1, const char *str2, size_t len);
int (*__libc_strcasecmp)(const char *str1, const char *str2);
int (*__libc_strncasecmp)(const char *str1, const char *str2, size_t len);
int (*__libc_memcmp)(const void *mem1, const void *mem2, size_t len);
int (*__libc_bcmp)(const void *mem1, const void *mem2, size_t len);
char *(*__libc_strstr)(const char *haystack, const char *needle);
char *(*__libc_strcasestr)(const char *haystack, const char *needle);
void *(*__libc_memmem)(const void *haystack, size_t haystack_len,
                       const void *needle, size_t needle_len);
#endif
79
80 /* Mapping data and such */
81
/* Upper bound on the number of read-only ranges we remember; the scan in
   __tokencap_load_mappings() stops once this many are recorded. */
#define MAX_MAPPINGS 1024

/* Read-only address ranges collected by __tokencap_load_mappings(). st/en are
   the start and end addresses as reported by the OS for each region. */
static struct mapping { void *st, *en; } __tokencap_ro[MAX_MAPPINGS];

static u32   __tokencap_ro_cnt;         /* entries in use in __tokencap_ro */
static u8    __tokencap_ro_loaded;      /* non-zero once the scan was attempted */
static int   __tokencap_out_file = -1;  /* token output fd, set in __tokencap_init() */
static pid_t __tokencap_pid = -1;       /* own pid, used by the BSD sysctl() lookups */
90
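/* Identify read-only regions in memory. Only parameters that fall into these
   ranges are worth dumping when passed to strcmp() and so on. Read-write
   regions are far more likely to contain user input instead.

   Fills __tokencap_ro / __tokencap_ro_cnt (at most MAX_MAPPINGS entries).
   Every platform branch is best-effort: on any error we keep whatever was
   collected so far and return. */

static void __tokencap_load_mappings(void) {

#if defined __linux__

  u8    buf[MAX_LINE];
  FILE *f = fopen("/proc/self/maps", "r");

  /* Set before doing anything else: __tokencap_is_ro() only calls us while
     this is zero, so a call back into the hooks during the scan cannot
     re-enter this function. */
  __tokencap_ro_loaded = 1;

  if (!f) return;

  while (fgets((char *)buf, MAX_LINE, f)) {

    u8    rf, wf;
    void *st, *en;

    /* Each line starts with "start-end perms"; keep readable, non-writable. */
    if (sscanf((char *)buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
    if (wf == 'w' || rf != 'r') continue;

    __tokencap_ro[__tokencap_ro_cnt].st = (void *)st;
    __tokencap_ro[__tokencap_ro_cnt].en = (void *)en;

    if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

  }

  fclose(f);

#elif defined __APPLE__

  struct vm_region_submap_info_64 region;
  mach_msg_type_number_t          cnt = VM_REGION_SUBMAP_INFO_COUNT_64;
  vm_address_t                    base = 0;
  vm_size_t                       size = 0;
  natural_t                       depth = 0;

  __tokencap_ro_loaded = 1;

  while (1) {

    if (vm_region_recurse_64(mach_task_self(), &base, &size, &depth,
                             (vm_region_info_64_t)&region,
                             &cnt) != KERN_SUCCESS)
      break;

    if (region.is_submap) {

      /* Re-query the same base one nesting level deeper. */
      depth++;

    } else {

      /* We only care of main map addresses and the read only kinds */
      if ((region.protection & VM_PROT_READ) &&
          !(region.protection & VM_PROT_WRITE)) {

        __tokencap_ro[__tokencap_ro_cnt].st = (void *)base;
        __tokencap_ro[__tokencap_ro_cnt].en = (void *)(base + size);

        if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

      }

      base += size;
      size = 0;

    }

  }

#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__

  #if defined __FreeBSD__
  int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid};
  #elif defined __OpenBSD__
  int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid};
  #elif defined __NetBSD__
  int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid,
               sizeof(struct kinfo_vmentry)};
  #endif
  char * buf, *low, *high;
  size_t miblen = sizeof(mib) / sizeof(mib[0]);
  size_t len;

  /* First call only sizes the result. */
  if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return;

  #if defined __FreeBSD__ || defined __NetBSD__
  /* Over-allocate a little; presumably headroom for entries appearing between
     the two sysctl() calls. */
  len = len * 4 / 3;
  #elif defined __OpenBSD__
  /* Round down to a whole number of entries. */
  len -= len % sizeof(struct kinfo_vmentry);
  #endif

  buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
  if (buf == MAP_FAILED) return;

  if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {

    munmap(buf, len);
    return;

  }

  low = buf;
  high = low + len;

  __tokencap_ro_loaded = 1;

  while (low < high) {

    struct kinfo_vmentry *region = (struct kinfo_vmentry *)low;

  #if defined __FreeBSD__ || defined __NetBSD__

    #if defined __FreeBSD__
    /* FreeBSD entries are variable-sized; a zero size marks the end. */
    size_t size = region->kve_structsize;

    if (size == 0) break;
    #elif defined __NetBSD__
    size_t size = sizeof(*region);
    #endif

    /* We go through the whole mapping of the process and track read-only
     * addresses */
    if ((region->kve_protection & KVME_PROT_READ) &&
        !(region->kve_protection & KVME_PROT_WRITE)) {

  #elif defined __OpenBSD__

    size_t size = sizeof(*region);

    /* We go through the whole mapping of the process and track read-only
     * addresses */
    if ((region->kve_protection & KVE_PROT_READ) &&
        !(region->kve_protection & KVE_PROT_WRITE)) {

  #endif
      __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start;
      __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end;

      if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

    }

    low += size;

  }

  munmap(buf, len);

#elif defined __HAIKU__

  image_info ii;
  int32_t    group = 0;

  __tokencap_ro_loaded = 1;

  /* Haiku: record the text segment of every loaded image. */
  while (get_next_image_info(0, &group, &ii) == B_OK) {

    __tokencap_ro[__tokencap_ro_cnt].st = ii.text;
    __tokencap_ro[__tokencap_ro_cnt].en = ((char *)ii.text) + ii.text_size;

    if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

  }

#elif defined __sun

  prmap_t *c, *map, *tmp;
  char     path[PATH_MAX];
  ssize_t  r;
  size_t   hint;
  int      fd;

  __tokencap_ro_loaded = 1;

  /* pid_t is not necessarily long; cast so the format matches the argument. */
  snprintf(path, sizeof(path), "/proc/%ld/map", (long)getpid());
  fd = open(path, O_RDONLY);
  if (fd == -1) return;

  hint = (1 << 20);
  map = malloc(hint);
  if (!map) {

    close(fd);
    return;

  }

  /* Double the buffer until a read returns fewer bytes than requested, i.e.
     the whole map fit. realloc() goes through a temporary so the previous
     buffer is not leaked when it fails. */
  for (; (r = pread(fd, map, hint, 0)) == hint;) {

    hint <<= 1;
    tmp = realloc(map, hint);
    if (!tmp) {

      r = -1;
      break;

    }

    map = tmp;

  }

  for (c = map; r > 0; c++, r -= sizeof(prmap_t)) {

    __tokencap_ro[__tokencap_ro_cnt].st = (void *)c->pr_vaddr;
    __tokencap_ro[__tokencap_ro_cnt].en = (void *)(c->pr_vaddr + c->pr_size);

    if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

  }

  free(map);
  close(fd);

#endif

}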
292
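/* Check an address against the list of read-only mappings.

   Returns 1 when ptr lies inside a recorded range, 0 otherwise. The mapping
   table is filled lazily on the first call. */

static u8 __tokencap_is_ro(const void *ptr) {

  u32 i;

  if (!__tokencap_ro_loaded) __tokencap_load_mappings();

  /* A range is [st, en): 'en' is the first byte of whatever follows the
     mapping, so it must not be treated as read-only itself. An address in an
     adjacent read-only mapping is still matched by that mapping's own entry. */
  for (i = 0; i < __tokencap_ro_cnt; i++)
    if (ptr >= __tokencap_ro[i].st && ptr < __tokencap_ro[i].en) return 1;

  return 0;

}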
307
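/* Dump an interesting token to output file, quoting and escaping it
   properly.

   ptr/len: the candidate token; for is_text != 0 the dump stops at the first
   NUL byte. Tokens outside [MIN_AUTO_EXTRA, MAX_AUTO_EXTRA] or with no output
   file are ignored. The whole quoted line is emitted with a single write()
   so that concurrent writers to the same O_APPEND file cannot interleave
   the quotes with another process' token. */

static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {

  /* Worst case every byte escapes to 4 chars, plus quotes, newline and NUL. */
  u8  buf[MAX_AUTO_EXTRA * 4 + 4];
  u32 i;
  u32 pos = 0;

  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || __tokencap_out_file == -1)
    return;

  buf[pos++] = '"';

  for (i = 0; i < len; i++) {

    if (is_text && !ptr[i]) break;

    switch (ptr[i]) {

      case 0 ... 31:
      case 127 ... 255:
      case '\"':
      case '\\':
        /* Non-printable, non-ASCII, quote and backslash become \xNN. */
        snprintf((char *)buf + pos, sizeof(buf) - pos, "\\x%02x", ptr[i]);
        pos += 4;
        break;

      default:
        buf[pos++] = ptr[i];

    }

  }

  buf[pos++] = '"';
  buf[pos++] = '\n';

  if (write(__tokencap_out_file, buf, pos) != (ssize_t)pos) {

    DEBUGF("%s", "writing to the token file failed\n");

  }

}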
351
352 /* Replacements for strcmp(), memcmp(), and so on. Note that these will be used
353 only if the target is compiled with -fno-builtins and linked dynamically. */
354
355 #undef strcmp
356
/* Hooked strcmp(): records either operand that lives in read-only memory,
   then defers to libc when it was resolved, otherwise compares byte-wise as
   unsigned char and returns -1, 0 or 1. */
int strcmp(const char *str1, const char *str2) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);

#ifdef RTLD_NEXT
  if (__libc_strcmp) return __libc_strcmp(str1, str2);
#endif

  for (;; str1++, str2++) {

    const unsigned char a = (unsigned char)*str1;
    const unsigned char b = (unsigned char)*str2;

    if (a != b) return a > b ? 1 : -1;
    if (a == 0) return 0;

  }

}
378
379 #undef strncmp
380
/* Hooked strncmp(): records read-only operands (at most len bytes), then
   defers to libc when available, otherwise compares up to len bytes as
   unsigned char and returns -1, 0 or 1. */
int strncmp(const char *str1, const char *str2, size_t len) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);

#ifdef RTLD_NEXT
  if (__libc_strncmp) return __libc_strncmp(str1, str2, len);
#endif

  for (; len > 0; len--, str1++, str2++) {

    const unsigned char a = (unsigned char)*str1;
    const unsigned char b = (unsigned char)*str2;

    if (a != b) return a > b ? 1 : -1;
    if (a == 0) return 0;

  }

  return 0;

}
404
405 #undef strcasecmp
406
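/* Hooked strcasecmp(): records read-only operands, then defers to libc when
   available, otherwise compares case-insensitively and returns -1, 0 or 1.

   Bytes are passed to tolower() as unsigned char: handing a negative plain
   char (any byte >= 0x80 where char is signed) to <ctype.h> is undefined
   behaviour. */
int strcasecmp(const char *str1, const char *str2) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);

#ifdef RTLD_NEXT
  if (__libc_strcasecmp) return __libc_strcasecmp(str1, str2);
#endif

  while (1) {

    const unsigned char c1 = tolower((unsigned char)*str1),
                        c2 = tolower((unsigned char)*str2);

    if (c1 != c2) return (c1 > c2) ? 1 : -1;
    if (!c1) return 0;
    str1++;
    str2++;

  }

}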
428
429 #undef strncasecmp
430
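/* Hooked strncasecmp(): records read-only operands (at most len bytes), then
   defers to libc when available, otherwise compares up to len bytes
   case-insensitively and returns -1, 0 or 1.

   Bytes are passed to tolower() as unsigned char: handing a negative plain
   char to <ctype.h> is undefined behaviour. */
int strncasecmp(const char *str1, const char *str2, size_t len) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);

#ifdef RTLD_NEXT
  if (__libc_strncasecmp) return __libc_strncasecmp(str1, str2, len);
#endif

  while (len--) {

    const unsigned char c1 = tolower((unsigned char)*str1),
                        c2 = tolower((unsigned char)*str2);

    if (c1 != c2) return (c1 > c2) ? 1 : -1;
    if (!c1) return 0;
    str1++;
    str2++;

  }

  return 0;

}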
454
455 #undef memcmp
456
/* Hooked memcmp(): records read-only operands as binary data, then defers to
   libc when available, otherwise compares len bytes as unsigned char and
   returns -1, 0 or 1. */
int memcmp(const void *mem1, const void *mem2, size_t len) {

  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);

#ifdef RTLD_NEXT
  if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len);
#endif

  const unsigned char *p1 = mem1;
  const unsigned char *p2 = mem2;

  for (; len > 0; len--, p1++, p2++) {

    if (*p1 != *p2) return *p1 > *p2 ? 1 : -1;

  }

  return 0;

}
481
482 #undef bcmp
483
/* Hooked bcmp(): records read-only operands as binary data, then defers to
   libc when available, otherwise returns 1 on the first differing byte and
   0 when all len bytes match. */
int bcmp(const void *mem1, const void *mem2, size_t len) {

  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);

#ifdef RTLD_NEXT
  if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len);
#endif

  const unsigned char *p1 = mem1;
  const unsigned char *p2 = mem2;

  for (; len > 0; len--, p1++, p2++) {

    if (*p1 != *p2) return 1;

  }

  return 0;

}
508
509 #undef strstr
510
/* Hooked strstr(): records read-only operands, then defers to libc when
   available, otherwise does a naive scan. Returns the first occurrence of
   needle in haystack (haystack itself for an empty needle) or NULL. */
char *strstr(const char *haystack, const char *needle) {

  if (__tokencap_is_ro(haystack))
    __tokencap_dump(haystack, strlen(haystack), 1);

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);

#ifdef RTLD_NEXT
  if (__libc_strstr) return __libc_strstr(haystack, needle);
#endif

  for (;; haystack++) {

    const char *h = haystack;
    const char *n = needle;

    while (*n && *h && *n == *h) {

      n++;
      h++;

    }

    /* Whole needle consumed: match at this position. */
    if (*n == 0) return (char *)haystack;

    /* End of haystack reached without a match. */
    if (*haystack == 0) break;

  }

  return 0;

}
537
538 #undef strcasestr
539
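/* Hooked strcasestr(): records read-only operands, then defers to libc when
   available, otherwise does a naive case-insensitive scan. Returns the first
   match (haystack itself for an empty needle) or NULL.

   Bytes are passed to tolower() as unsigned char: handing a negative plain
   char (any byte >= 0x80 where char is signed) to <ctype.h> is undefined
   behaviour. */
char *strcasestr(const char *haystack, const char *needle) {

  if (__tokencap_is_ro(haystack))
    __tokencap_dump(haystack, strlen(haystack), 1);

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);

#ifdef RTLD_NEXT
  if (__libc_strcasestr) return __libc_strcasestr(haystack, needle);
#endif

  do {

    const char *n = needle;
    const char *h = haystack;

    while (*n && *h &&
           tolower((unsigned char)*n) == tolower((unsigned char)*h))
      n++, h++;

    if (!*n) return (char *)haystack;

  } while (*(haystack++));

  return 0;

}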
566
567 #undef memmem
568
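/* Hooked memmem(): records read-only operands, then defers to libc when
   available, otherwise scans for needle in haystack. Returns a pointer to
   the first match (haystack itself for an empty needle) or NULL.

   The fallback scan stops at the last offset where needle_len bytes still
   fit inside haystack. The previous `while (h++ <= end)` loop evaluated one
   extra position past that bound, so memcmp() could read one byte beyond
   the haystack and report a match there. */
void *memmem(const void *haystack, size_t haystack_len, const void *needle,
             size_t needle_len) {

  if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1);

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, needle_len, 1);

#ifdef RTLD_NEXT
  if (__libc_memmem)
    return __libc_memmem(haystack, haystack_len, needle, needle_len);
#endif

  const char *n = (const char *)needle;
  const char *h = (const char *)haystack;
  if (haystack_len < needle_len) return 0;
  if (needle_len == 0) return (void *)haystack;
  if (needle_len == 1) return memchr(haystack, *n, haystack_len);

  /* Last start offset at which a full needle still fits (inclusive). */
  const char *end = h + (haystack_len - needle_len);

  for (; h <= end; h++) {

    /* Cheap first-byte filter before the full compare. */
    if (*h == *n && memcmp(h, n, needle_len) == 0) return (void *)h;

  }

  return 0;

}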
602
603 /* Common libraries wrappers (from honggfuzz) */
604
605 /*
606 * Apache's httpd wrappers
607 */
/* Apache httpd's ap_cstr_casecmp(): same contract as strcasecmp(). */
int ap_cstr_casecmp(const char *s1, const char *s2) {

  int rc = strcasecmp(s1, s2);
  return rc;

}
613
/* Apache httpd's ap_cstr_casecmpn(): same contract as strncasecmp(). */
int ap_cstr_casecmpn(const char *s1, const char *s2, size_t n) {

  int rc = strncasecmp(s1, s2, n);
  return rc;

}
619
/* Apache httpd's ap_strcasestr(): same contract as strcasestr(). */
const char *ap_strcasestr(const char *s1, const char *s2) {

  const char *hit = strcasestr(s1, s2);
  return hit;

}
625
/* APR's apr_cstr_casecmp(): same contract as strcasecmp(). */
int apr_cstr_casecmp(const char *s1, const char *s2) {

  int rc = strcasecmp(s1, s2);
  return rc;

}
631
/* APR's apr_cstr_casecmpn(): same contract as strncasecmp(). */
int apr_cstr_casecmpn(const char *s1, const char *s2, size_t n) {

  int rc = strncasecmp(s1, s2, n);
  return rc;

}
637
638 /*
639 * *SSL wrappers
640 */
/* OpenSSL's CRYPTO_memcmp(): routed through memcmp() so the operands are
   recorded like any other comparison. */
int CRYPTO_memcmp(const void *m1, const void *m2, size_t len) {

  int rc = memcmp(m1, m2, len);
  return rc;

}
646
/* OpenSSL's OPENSSL_memcmp(): same contract as memcmp(). */
int OPENSSL_memcmp(const void *m1, const void *m2, size_t len) {

  int rc = memcmp(m1, m2, len);
  return rc;

}
652
/* OpenSSL's OPENSSL_strcasecmp(): same contract as strcasecmp(). */
int OPENSSL_strcasecmp(const char *s1, const char *s2) {

  int rc = strcasecmp(s1, s2);
  return rc;

}
658
/* OpenSSL's OPENSSL_strncasecmp(): same contract as strncasecmp(). */
int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t len) {

  int rc = strncasecmp(s1, s2, len);
  return rc;

}
664
/* memcmpct() (honggfuzz wrapper list): same contract as memcmp(), returned
   as int32_t. */
int32_t memcmpct(const void *s1, const void *s2, size_t len) {

  int32_t rc = memcmp(s1, s2, len);
  return rc;

}
670
671 /*
672 * libXML wrappers
673 */
/* libxml2's xmlStrncmp(): NULL-tolerant strncmp(). A non-positive len or
   identical pointers compare equal; a NULL side sorts before a non-NULL one. */
int xmlStrncmp(const char *s1, const char *s2, int len) {

  if (len <= 0 || s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strncmp(s1, s2, (size_t)len);

}
683
/* libxml2's xmlStrcmp(): NULL-tolerant strcmp(). Identical pointers compare
   equal; a NULL side sorts before a non-NULL one. */
int xmlStrcmp(const char *s1, const char *s2) {

  if (s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strcmp(s1, s2);

}
692
/* libxml2's xmlStrEqual(): 1 when both strings are equal (or the same
   pointer, including both NULL), 0 otherwise. */
int xmlStrEqual(const char *s1, const char *s2) {

  if (s1 == s2) return 1;
  if (!s1 || !s2) return 0;

  return strcmp(s1, s2) == 0;

}
702
/* libxml2's xmlStrcasecmp(): NULL-tolerant strcasecmp(). */
int xmlStrcasecmp(const char *s1, const char *s2) {

  if (s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strcasecmp(s1, s2);

}
711
/* libxml2's xmlStrncasecmp(): NULL-tolerant strncasecmp(); a non-positive
   len compares equal. */
int xmlStrncasecmp(const char *s1, const char *s2, int len) {

  if (len <= 0 || s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strncasecmp(s1, s2, (size_t)len);

}
721
/* libxml2's xmlStrstr(): strstr() that returns NULL for a NULL operand. */
const char *xmlStrstr(const char *haystack, const char *needle) {

  if (!haystack || !needle) return NULL;

  return strstr(haystack, needle);

}
729
/* libxml2's xmlStrcasestr(): strcasestr() that returns NULL for a NULL
   operand. */
const char *xmlStrcasestr(const char *haystack, const char *needle) {

  if (!haystack || !needle) return NULL;

  return strcasestr(haystack, needle);

}
737
738 /*
739 * Samba wrappers
740 */
/* Samba's memcmp_const_time(): same contract as memcmp(). */
int memcmp_const_time(const void *s1, const void *s2, size_t n) {

  int rc = memcmp(s1, s2, n);
  return rc;

}
746
/* Samba's strcsequal(): true when both pointers are the same or both strings
   compare equal; false when exactly one is NULL or they differ. */
bool strcsequal(const void *s1, const void *s2) {

  if (s1 == s2) return true;
  if (s1 == NULL || s2 == NULL) return false;

  return strcmp(s1, s2) == 0;

}
754
755 /* bcmp/memcmp BSD flavors, similar to CRYPTO_memcmp */
756
/* BSD timingsafe_bcmp(): same contract as bcmp() (0 when equal, non-zero
   otherwise). */
int timingsafe_bcmp(const void *mem1, const void *mem2, size_t len) {

  int rc = bcmp(mem1, mem2, len);
  return rc;

}
762
/* BSD timingsafe_memcmp(): same contract as memcmp(). */
int timingsafe_memcmp(const void *mem1, const void *mem2, size_t len) {

  int rc = memcmp(mem1, mem2, len);
  return rc;

}
768
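/* Init code to open the output file (or default to stderr).

   Runs as a constructor when the library is loaded: opens AFL_TOKEN_FILE in
   append mode if set (falling back to stderr when unset or on failure),
   records our pid for the BSD mapping lookup, and resolves the real libc
   comparison functions through RTLD_NEXT so the hooks can defer to them. */

__attribute__((constructor)) void __tokencap_init(void) {

  /* getenv() returns char *; keep that type so open() gets what it expects. */
  char *fn = getenv("AFL_TOKEN_FILE");

  /* 0644: the token file is plain data, so the execute bits the previous
     0655 mode granted to group/other serve no purpose. */
  if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0644);
  if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
  __tokencap_pid = getpid();

#ifdef RTLD_NEXT
  /* A NULL result just leaves the portable fallback of that hook in use. */
  __libc_strcmp = dlsym(RTLD_NEXT, "strcmp");
  __libc_strncmp = dlsym(RTLD_NEXT, "strncmp");
  __libc_strcasecmp = dlsym(RTLD_NEXT, "strcasecmp");
  __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp");
  __libc_memcmp = dlsym(RTLD_NEXT, "memcmp");
  __libc_bcmp = dlsym(RTLD_NEXT, "bcmp");
  __libc_strstr = dlsym(RTLD_NEXT, "strstr");
  __libc_strcasestr = dlsym(RTLD_NEXT, "strcasestr");
  __libc_memmem = dlsym(RTLD_NEXT, "memmem");
#endif

}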
791
/* closing as best as we can the tokens file

   Destructor: releases the token file descriptor, except when the output
   was redirected to stderr by __tokencap_init(), which must stay open. */
__attribute__((destructor)) void __tokencap_shutdown(void) {

  if (__tokencap_out_file == STDERR_FILENO) return;

  close(__tokencap_out_file);

}
798
799