1 /*
2
3 american fuzzy lop++ - extract tokens passed to strcmp / memcmp
4 -------------------------------------------------------------
5
6 Originally written by Michal Zalewski
7
8 Copyright 2016 Google Inc. All rights reserved.
9 Copyright 2019-2020 AFLplusplus Project. All rights reserved.
10
11 Licensed under the Apache License, Version 2.0 (the "License");
12 you may not use this file except in compliance with the License.
13 You may obtain a copy of the License at:
14
15 http://www.apache.org/licenses/LICENSE-2.0
16
This companion library (Linux, macOS, FreeBSD/OpenBSD/NetBSD, Haiku and
Solaris are supported) allows you to instrument strcmp(), memcmp(), and
related functions to automatically extract tokens that the target compares
its input against. See README.tokencap.md for more info.
20
21 */
22
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdbool.h>

#include "../types.h"
#include "../config.h"
35
36 #if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \
37 !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ && \
38 !defined(__HAIKU__) && !defined(__sun)
39 #error "Sorry, this library is unsupported in this platform for now!"
#endif /* !__linux__ && !__APPLE__ && !__FreeBSD__ && !__OpenBSD__ &&
          !__NetBSD__ && !__DragonFly__ && !__HAIKU__ && !__sun */
42
43 #if defined __APPLE__
44 #include <mach/vm_map.h>
45 #include <mach/mach_init.h>
46 #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
47 #include <sys/types.h>
48 #include <sys/sysctl.h>
49 #if !defined __NetBSD__
50 #include <sys/user.h>
51 #endif
52 #include <sys/mman.h>
53 #elif defined __HAIKU__
54 #include <kernel/image.h>
55 #elif defined __sun
56 /* For map addresses the old struct is enough */
57 #include <sys/procfs.h>
58 #include <limits.h>
59 #endif
60
61 #include <dlfcn.h>
62
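#ifdef RTLD_NEXT
/* The libc functions are a magnitude faster than our replacements.
   Use them when RTLD_NEXT is available: __tokencap_init() resolves each
   pointer with dlsym(RTLD_NEXT, ...) and the wrappers below only fall back
   to their slow portable loops while a pointer is still NULL.

   The pointers are file-private: they are only ever assigned and called
   from this translation unit, and keeping writable function pointers out of
   a preloaded library's dynamic symbol table means no other object in the
   process can rebind them by name. */
static int (*__libc_strcmp)(const char *str1, const char *str2);
static int (*__libc_strncmp)(const char *str1, const char *str2, size_t len);
static int (*__libc_strcasecmp)(const char *str1, const char *str2);
static int (*__libc_strncasecmp)(const char *str1, const char *str2,
                                 size_t len);
static int (*__libc_memcmp)(const void *mem1, const void *mem2, size_t len);
static int (*__libc_bcmp)(const void *mem1, const void *mem2, size_t len);
static char *(*__libc_strstr)(const char *haystack, const char *needle);
static char *(*__libc_strcasestr)(const char *haystack, const char *needle);
static void *(*__libc_memmem)(const void *haystack, size_t haystack_len,
                              const void *needle, size_t needle_len);
#endif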
77
78 /* Mapping data and such */
79
/* Upper bound on the number of read-only regions we remember; anything
   beyond it is silently ignored. */
#define MAX_MAPPINGS 1024

/* Address ranges of the process' readable-but-not-writable mappings, filled
   lazily by __tokencap_load_mappings(). On every platform below `en` is the
   exclusive end (start + size as reported by the OS). */
static struct mapping { void *st, *en; } __tokencap_ro[MAX_MAPPINGS];

/* Number of valid entries in __tokencap_ro. */
static u32 __tokencap_ro_cnt;
/* Set once a load has been attempted, so the (possibly empty) table is
   not rebuilt on every comparison. */
static u8 __tokencap_ro_loaded;
/* Descriptor tokens are written to; -1 disables dumping entirely. Set by
   __tokencap_init() from AFL_TOKEN_FILE, falling back to stderr. */
static int __tokencap_out_file = -1;
/* pid recorded by __tokencap_init(); the BSD mapping loaders query the
   kernel for this process' VM map. */
static pid_t __tokencap_pid = -1;
88
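/* Identify read-only regions in memory. Only parameters that fall into these
   ranges are worth dumping when passed to strcmp() and so on. Read-write
   regions are far more likely to contain user input instead.

   Each platform branch appends [st, en) ranges (en exclusive) of mappings
   that are readable but not writable to __tokencap_ro, stopping silently at
   MAX_MAPPINGS entries. __tokencap_ro_loaded records that a load was
   attempted; if the OS query fails the table simply stays (partially) empty
   and nothing is ever dumped. Note that DragonFly BSD passes the platform
   guard at the top of the file but has no branch here, so the table stays
   empty there. */

static void __tokencap_load_mappings(void) {

#if defined __linux__

  /* Each /proc/self/maps line starts with "start-end perms", perms being
     "rwxp"-style, so the first two flag characters are all we need. */
  char  buf[MAX_LINE];
  FILE *f = fopen("/proc/self/maps", "r");

  __tokencap_ro_loaded = 1;

  if (!f) return;

  while (fgets(buf, MAX_LINE, f)) {

    char  rf, wf;
    void *st, *en;

    if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
    if (wf == 'w' || rf != 'r') continue;

    __tokencap_ro[__tokencap_ro_cnt].st = st;
    __tokencap_ro[__tokencap_ro_cnt].en = en;

    if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

  }

  fclose(f);

#elif defined __APPLE__

  struct vm_region_submap_info_64 region;
  mach_msg_type_number_t          cnt = VM_REGION_SUBMAP_INFO_COUNT_64;
  vm_address_t                    base = 0;
  vm_size_t                       size = 0;
  natural_t                       depth = 0;

  __tokencap_ro_loaded = 1;

  /* Walk the task's address space. Submaps are descended into (depth++)
     rather than recorded, so only leaf regions end up in the table. */
  while (1) {

    if (vm_region_recurse_64(mach_task_self(), &base, &size, &depth,
                             (vm_region_info_64_t)&region,
                             &cnt) != KERN_SUCCESS)
      break;

    if (region.is_submap) {

      depth++;

    } else {

      /* We only care of main map addresses and the read only kinds */
      if ((region.protection & VM_PROT_READ) &&
          !(region.protection & VM_PROT_WRITE)) {

        __tokencap_ro[__tokencap_ro_cnt].st = (void *)base;
        __tokencap_ro[__tokencap_ro_cnt].en = (void *)(base + size);

        if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

      }

      base += size;
      size = 0;

    }

  }

#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__

#if defined __FreeBSD__
  int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid};
#elif defined __OpenBSD__
  int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid};
#elif defined __NetBSD__
  int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid,
               sizeof(struct kinfo_vmentry)};
#endif
  char * buf, *low, *high;
  size_t miblen = sizeof(mib) / sizeof(mib[0]);
  size_t len;

  /* First sysctl() call sizes the result, the second fetches it. The map
     may grow in between, hence the slack added to len below. */
  if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return;

#if defined __FreeBSD__ || defined __NetBSD__
  len = len * 4 / 3;
#elif defined __OpenBSD__
  len -= len % sizeof(struct kinfo_vmentry);
#endif

  buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
  if (buf == MAP_FAILED) return;

  if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {

    munmap(buf, len);
    return;

  }

  low = buf;
  high = low + len;

  /* Unlike the other branches the loaded flag is only raised once the
     query succeeded, so a failed sysctl() gets retried on the next lookup. */
  __tokencap_ro_loaded = 1;

  while (low < high) {

    struct kinfo_vmentry *region = (struct kinfo_vmentry *)low;

#if defined __FreeBSD__ || defined __NetBSD__

#if defined __FreeBSD__
    /* FreeBSD entries are variable-sized; a zero size marks the end. */
    size_t size = region->kve_structsize;

    if (size == 0) break;
#elif defined __NetBSD__
    size_t size = sizeof(*region);
#endif

    /* We go through the whole mapping of the process and track read-only
     * addresses */
    if ((region->kve_protection & KVME_PROT_READ) &&
        !(region->kve_protection & KVME_PROT_WRITE)) {

#elif defined __OpenBSD__

    size_t size = sizeof(*region);

    /* We go through the whole mapping of the process and track read-only
     * addresses */
    if ((region->kve_protection & KVE_PROT_READ) &&
        !(region->kve_protection & KVE_PROT_WRITE)) {

#endif
      __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start;
      __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end;

      if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

    }

    low += size;

  }

  munmap(buf, len);

#elif defined __HAIKU__

  /* Haiku exposes loaded images, not raw mappings; record each image's
     text area, which is what get_next_image_info() gives us. */
  image_info ii;
  int32_t    group = 0;

  __tokencap_ro_loaded = 1;

  while (get_next_image_info(0, &group, &ii) == B_OK) {

    __tokencap_ro[__tokencap_ro_cnt].st = ii.text;
    __tokencap_ro[__tokencap_ro_cnt].en = ((char *)ii.text) + ii.text_size;

    if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

  }

#elif defined __sun

  prmap_t *c, *map, *bigger;
  char     path[PATH_MAX];
  ssize_t  r;
  size_t   hint;
  int      fd;

  __tokencap_ro_loaded = 1;

  /* getpid() returns pid_t; widen explicitly so the %ld conversion is
     well-defined regardless of how pid_t is typedef'd. */
  snprintf(path, sizeof(path), "/proc/%ld/map", (long)getpid());
  fd = open(path, O_RDONLY);
  if (fd == -1) return;

  /* /proc/<pid>/map is an array of prmap_t with no size hint, so double the
     buffer until one pread() returns less than we asked for. Every failure
     path releases what was acquired - a leak here would be a leak in the
     target. */
  hint = (1 << 20);
  map = malloc(hint);
  if (!map) {

    close(fd);
    return;

  }

  while ((r = pread(fd, map, hint, 0)) == (ssize_t)hint) {

    hint <<= 1;
    bigger = realloc(map, hint);
    if (!bigger) {

      free(map);
      close(fd);
      return;

    }

    map = bigger;

  }

  /* Only complete records; a short or failed read (r <= 0) yields nothing.
     Apply the same readable-and-not-writable filter as the other platforms,
     otherwise heap and stack would be treated as token sources too. */
  for (c = map; r >= (ssize_t)sizeof(prmap_t); c++, r -= sizeof(prmap_t)) {

    if (!(c->pr_mflags & MA_READ) || (c->pr_mflags & MA_WRITE)) continue;

    __tokencap_ro[__tokencap_ro_cnt].st = (void *)c->pr_vaddr;
    __tokencap_ro[__tokencap_ro_cnt].en = (void *)(c->pr_vaddr + c->pr_size);

    if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;

  }

  free(map);
  close(fd);

#endif

}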
290
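/* Check an address against the list of read-only mappings, loading the list
   on first use. Returns 1 if ptr lies inside a recorded region, 0 otherwise
   (including when no mapping information could be obtained). */

static u8 __tokencap_is_ro(const void *ptr) {

  u32 i;

  if (!__tokencap_ro_loaded) __tokencap_load_mappings();

  /* Ranges are half-open: en is the first byte *after* the mapping, so a
     pointer equal to en belongs to whatever (possibly writable) mapping
     follows and must be rejected - hence '<', not '<='. */
  for (i = 0; i < __tokencap_ro_cnt; i++)
    if (ptr >= __tokencap_ro[i].st && ptr < __tokencap_ro[i].en) return 1;

  return 0;

}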
305
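/* Dump an interesting token to the output file as one quoted, escaped line.
   ptr/len delimit the candidate. With is_text set, ptr is a C string and the
   token ends at its first NUL; len is then only an upper bound (e.g. the n
   argument of strncmp()). Tokens shorter than MIN_AUTO_EXTRA or longer than
   MAX_AUTO_EXTRA are skipped. Writing is best effort and never fails the
   caller. */

static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {

  /* Worst case every byte escapes to \xNN (4 chars), plus the two quotes,
     the newline and the NUL that sprintf() appends after the last escape. */
  u8  line[MAX_AUTO_EXTRA * 4 + 4];
  u32 pos = 0;
  u32 i;

  if (__tokencap_out_file == -1) return;

  /* Measure text before applying the length filter: a short literal passed
     to strncmp() with a large n must not be discarded because n is large,
     and the filter should judge the bytes actually emitted. memchr() never
     reads past len. */
  if (is_text) {

    const u8 *nul = memchr(ptr, 0, len);
    if (nul) len = (size_t)(nul - ptr);

  }

  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA) return;

  line[pos++] = '"';

  for (i = 0; i < len; i++) {

    switch (ptr[i]) {

      case 0 ... 31:
      case 127 ... 255:
      case '\"':
      case '\\':

        /* Bounded by construction: at most 4 chars + NUL per input byte. */
        sprintf((char *)line + pos, "\\x%02x", ptr[i]);
        pos += 4;
        break;

      default:
        line[pos++] = ptr[i];

    }

  }

  line[pos++] = '"';
  line[pos++] = '\n';

  /* One write() per token: with O_APPEND each line lands atomically, so the
     output of several instrumented processes sharing the file cannot
     interleave mid-token. Errors are deliberately ignored - token capture
     must never alter the target's behaviour. */
  if (write(__tokencap_out_file, line, pos) != (ssize_t)pos) {

    /* best effort, nothing sensible to do */

  }

}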
347
/* Replacements for strcmp(), memcmp(), and so on. Note that these will only
   be reached if the target is linked dynamically and the compiler did not
   inline the call (build the target with -fno-builtin so that e.g. strcmp()
   against a short literal is not expanded to an inline compare). */
350
#undef strcmp

/* strcmp() replacement: record whichever operand lives in read-only memory,
   then compare. The libc implementation resolved in __tokencap_init() does
   the real work when available; the loop below is the portable fallback. */
int strcmp(const char *str1, const char *str2) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);

#ifdef RTLD_NEXT
  if (__libc_strcmp) return __libc_strcmp(str1, str2);
#endif

  /* Byte-wise comparison as unsigned char, as the C standard requires;
     returns -1/0/1 rather than a difference. */
  for (;; str1++, str2++) {

    const unsigned char a = (unsigned char)*str1;
    const unsigned char b = (unsigned char)*str2;

    if (a < b) return -1;
    if (a > b) return 1;
    if (!a) return 0;

  }

}
374
#undef strncmp

/* strncmp() replacement: dump read-only operands (up to len bytes, the
   dumper stops at the first NUL), then compare at most len bytes. */
int strncmp(const char *str1, const char *str2, size_t len) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);

#ifdef RTLD_NEXT
  if (__libc_strncmp) return __libc_strncmp(str1, str2, len);
#endif

  size_t i;

  for (i = 0; i < len; i++) {

    const unsigned char a = (unsigned char)str1[i];
    const unsigned char b = (unsigned char)str2[i];

    if (a != b) return a < b ? -1 : 1;

    /* Both strings end here: equal prefixes. */
    if (a == 0) break;

  }

  return 0;

}
400
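#undef strcasecmp

/* strcasecmp() replacement: dump read-only operands, then compare ignoring
   case via tolower() (so the result follows the current locale, as libc's
   does). Returns -1/0/1. */
int strcasecmp(const char *str1, const char *str2) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);

#ifdef RTLD_NEXT
  if (__libc_strcasecmp) return __libc_strcasecmp(str1, str2);
#endif

  while (1) {

    /* <ctype.h> functions are only defined for EOF and values representable
       as unsigned char. Casting via (int) hands tolower() a negative int for
       bytes >= 0x80 wherever char is signed, which is undefined behaviour;
       cast through unsigned char instead. */
    const unsigned char c1 = tolower((unsigned char)*str1);
    const unsigned char c2 = tolower((unsigned char)*str2);

    if (c1 != c2) return (c1 > c2) ? 1 : -1;
    if (!c1) return 0;
    str1++;
    str2++;

  }

}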
424
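#undef strncasecmp

/* strncasecmp() replacement: dump read-only operands (at most len bytes),
   then compare at most len bytes ignoring case. Returns -1/0/1. */
int strncasecmp(const char *str1, const char *str2, size_t len) {

  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);

#ifdef RTLD_NEXT
  if (__libc_strncasecmp) return __libc_strncasecmp(str1, str2, len);
#endif

  while (len--) {

    /* Cast through unsigned char: tolower() is undefined for negative
       arguments other than EOF, which bytes >= 0x80 become on platforms
       where char is signed. */
    const unsigned char c1 = tolower((unsigned char)*str1);
    const unsigned char c2 = tolower((unsigned char)*str2);

    if (c1 != c2) return (c1 > c2) ? 1 : -1;
    if (!c1) return 0;
    str1++;
    str2++;

  }

  return 0;

}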
450
#undef memcmp

/* memcmp() replacement: dump read-only operands as raw bytes (no NUL
   termination assumed), then compare len bytes. Returns -1/0/1. */
int memcmp(const void *mem1, const void *mem2, size_t len) {

  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);

#ifdef RTLD_NEXT
  if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len);
#endif

  const unsigned char *p1 = mem1;
  const unsigned char *p2 = mem2;
  size_t               i;

  for (i = 0; i < len; i++) {

    if (p1[i] == p2[i]) continue;
    return p1[i] < p2[i] ? -1 : 1;

  }

  return 0;

}
477
#undef bcmp

/* bcmp() replacement: dump read-only operands as raw bytes, then report
   equality only - 0 if the two blocks match, non-zero otherwise (no
   ordering, unlike memcmp()). Neither this loop nor the wrapped libc
   function is constant-time. */
int bcmp(const void *mem1, const void *mem2, size_t len) {

  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);

#ifdef RTLD_NEXT
  if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len);
#endif

  const unsigned char *p1 = mem1;
  const unsigned char *p2 = mem2;

  while (len) {

    if (*p1 != *p2) return 1;
    p1++;
    p2++;
    len--;

  }

  return 0;

}
504
#undef strstr

/* strstr() replacement: dump whichever of haystack/needle is read-only,
   then locate needle in haystack. An empty needle matches at haystack. */
char *strstr(const char *haystack, const char *needle) {

  if (__tokencap_is_ro(haystack))
    __tokencap_dump(haystack, strlen(haystack), 1);

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);

#ifdef RTLD_NEXT
  if (__libc_strstr) return __libc_strstr(haystack, needle);
#endif

  /* Naive scan: try every start position, including the terminating NUL
     (where only an empty needle can still match). The inner loop stops at
     the haystack's NUL because it can never equal a non-NUL needle byte. */
  for (;; haystack++) {

    const char *h = haystack;
    const char *n = needle;

    while (*n && *h == *n) {

      h++;
      n++;

    }

    if (!*n) return (char *)haystack;
    if (!*haystack) return 0;

  }

}
533
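#undef strcasestr

/* strcasestr() replacement: dump read-only operands, then locate needle in
   haystack ignoring case (via tolower(), hence locale-dependent like the
   libc version). An empty needle matches at haystack. */
char *strcasestr(const char *haystack, const char *needle) {

  if (__tokencap_is_ro(haystack))
    __tokencap_dump(haystack, strlen(haystack), 1);

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);

#ifdef RTLD_NEXT
  if (__libc_strcasestr) return __libc_strcasestr(haystack, needle);
#endif

  do {

    const char *n = needle;
    const char *h = haystack;

    /* Cast through unsigned char: tolower() is undefined for negative
       arguments other than EOF, which bytes >= 0x80 become when char is
       signed. */
    while (*n && *h &&
           tolower((unsigned char)*n) == tolower((unsigned char)*h))
      n++, h++;

    if (!*n) return (char *)haystack;

  } while (*(haystack++));

  return 0;

}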
562
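#undef memmem

/* memmem() replacement: dump read-only operands, then find the first
   occurrence of the needle_len bytes at needle inside the haystack_len bytes
   at haystack. Returns a pointer to the match, haystack for an empty needle,
   or NULL. */
void *memmem(const void *haystack, size_t haystack_len, const void *needle,
             size_t needle_len) {

  /* Both arguments are length-delimited byte buffers, so dump them as
     binary (is_text = 0) like memcmp() does; treating them as C strings
     would cut a needle off at its first NUL byte. */
  if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 0);

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, needle_len, 0);

#ifdef RTLD_NEXT
  if (__libc_memmem)
    return __libc_memmem(haystack, haystack_len, needle, needle_len);
#endif

  const unsigned char *n = needle;
  const unsigned char *h = haystack;

  if (haystack_len < needle_len) return 0;
  if (needle_len == 0) return (void *)haystack;
  if (needle_len == 1) return memchr(haystack, *n, haystack_len);

  /* Last position at which a needle_len-byte match still fits entirely
     inside the haystack. Stepping one position further (as a post-increment
     "h++ <= end" loop does) makes memcmp() read past haystack_len and can
     report a match that hangs off the end of the buffer. */
  const unsigned char *end = h + (haystack_len - needle_len);

  for (; h <= end; h++) {

    if (*h == *n && memcmp(h, n, needle_len) == 0) return (void *)h;

  }

  return 0;

}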
598
/* Wrappers for the comparison helpers of common libraries (adapted from
   honggfuzz). Targets that call these instead of libc would otherwise bypass
   the instrumented functions above. */
600
601 /*
602 * Apache's httpd wrappers
603 */
/* httpd's ap_cstr_casecmp(): case-insensitive compare, routed through the
   instrumented strcasecmp() so constants it is matched against are
   captured. */
int ap_cstr_casecmp(const char *s1, const char *s2) {

  const int rc = strcasecmp(s1, s2);
  return rc;

}
609
/* httpd's ap_cstr_casecmpn(): case-insensitive compare of at most n bytes,
   routed through the instrumented strncasecmp(). */
int ap_cstr_casecmpn(const char *s1, const char *s2, size_t n) {

  const int rc = strncasecmp(s1, s2, n);
  return rc;

}
615
/* httpd's ap_strcasestr(): case-insensitive substring search, routed through
   the instrumented strcasestr(). */
const char *ap_strcasestr(const char *s1, const char *s2) {

  const char *hit = strcasestr(s1, s2);
  return hit;

}
621
/* APR's apr_cstr_casecmp(): same contract as ap_cstr_casecmp(), routed
   through the instrumented strcasecmp(). */
int apr_cstr_casecmp(const char *s1, const char *s2) {

  const int rc = strcasecmp(s1, s2);
  return rc;

}
627
/* APR's apr_cstr_casecmpn(): case-insensitive compare of at most n bytes,
   routed through the instrumented strncasecmp(). */
int apr_cstr_casecmpn(const char *s1, const char *s2, size_t n) {

  const int rc = strncasecmp(s1, s2, n);
  return rc;

}
633
/*
 * OpenSSL / LibreSSL / BoringSSL wrappers. CRYPTO_memcmp() is constant-time
 * in the real library; the wrappers below forward to ordinary, variable-time
 * comparisons. That is fine for a fuzzing harness, but this library must
 * never be preloaded into a production process.
 */
/* OpenSSL's CRYPTO_memcmp(): callers only rely on zero/non-zero, which the
   instrumented memcmp() satisfies. Not constant-time, unlike the original. */
int CRYPTO_memcmp(const void *m1, const void *m2, size_t len) {

  const int rc = memcmp(m1, m2, len);
  return rc;

}
642
/* OPENSSL_memcmp(): forwarded to the instrumented memcmp(). */
int OPENSSL_memcmp(const void *m1, const void *m2, size_t len) {

  const int rc = memcmp(m1, m2, len);
  return rc;

}
648
/* OPENSSL_strcasecmp(): forwarded to the instrumented strcasecmp(). */
int OPENSSL_strcasecmp(const char *s1, const char *s2) {

  const int rc = strcasecmp(s1, s2);
  return rc;

}
654
/* OPENSSL_strncasecmp(): forwarded to the instrumented strncasecmp(). */
int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t len) {

  const int rc = strncasecmp(s1, s2, len);
  return rc;

}
660
/* memcmpct() ("constant-time memcmp" as named by its library): forwarded to
   the instrumented, variable-time memcmp(). */
int32_t memcmpct(const void *s1, const void *s2, size_t len) {

  const int32_t rc = memcmp(s1, s2, len);
  return rc;

}
666
667 /*
668 * libXML wrappers
669 */
/* libxml2's xmlStrncmp(): NULL-tolerant, length-bounded compare. A
   non-positive len or identical pointers compare equal; a NULL sorts before
   any string. Otherwise forwarded to the instrumented strncmp(). */
int xmlStrncmp(const char *s1, const char *s2, int len) {

  if (len <= 0 || s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strncmp(s1, s2, (size_t)len);

}
679
/* libxml2's xmlStrcmp(): NULL-tolerant compare; identical pointers are
   equal and NULL sorts before any string. Otherwise forwarded to the
   instrumented strcmp(). */
int xmlStrcmp(const char *s1, const char *s2) {

  if (s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strcmp(s1, s2);

}
688
/* libxml2's xmlStrEqual(): 1 if both are NULL/identical or compare equal
   under the instrumented strcmp(), 0 otherwise (including one NULL side). */
int xmlStrEqual(const char *s1, const char *s2) {

  if (s1 == s2) return 1;
  if (!s1 || !s2) return 0;

  return strcmp(s1, s2) == 0;

}
698
/* libxml2's xmlStrcasecmp(): NULL-tolerant case-insensitive compare,
   forwarded to the instrumented strcasecmp() for non-NULL operands. */
int xmlStrcasecmp(const char *s1, const char *s2) {

  if (s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strcasecmp(s1, s2);

}
707
/* libxml2's xmlStrncasecmp(): NULL-tolerant, length-bounded case-insensitive
   compare; non-positive len compares equal. Forwarded to the instrumented
   strncasecmp() for non-NULL operands. */
int xmlStrncasecmp(const char *s1, const char *s2, int len) {

  if (len <= 0 || s1 == s2) return 0;
  if (!s1) return -1;
  if (!s2) return 1;

  return strncasecmp(s1, s2, (size_t)len);

}
717
/* libxml2's xmlStrstr(): NULL in either position yields NULL; otherwise
   forwarded to the instrumented strstr(). */
const char *xmlStrstr(const char *haystack, const char *needle) {

  if (!haystack || !needle) return NULL;

  return strstr(haystack, needle);

}
725
/* libxml2's xmlStrcasestr(): NULL in either position yields NULL; otherwise
   forwarded to the instrumented strcasestr(). */
const char *xmlStrcasestr(const char *haystack, const char *needle) {

  if (!haystack || !needle) return NULL;

  return strcasestr(haystack, needle);

}
733
734 /*
735 * Samba wrappers
736 */
/* Samba's memcmp_const_time(): forwarded to the instrumented memcmp(),
   which is NOT constant-time - acceptable only while fuzzing. */
int memcmp_const_time(const void *s1, const void *s2, size_t n) {

  const int rc = memcmp(s1, s2, n);
  return rc;

}
742
/* Samba's strcsequal(): true for identical pointers (including two NULLs)
   or equal strings under the instrumented strcmp(); false if exactly one
   side is NULL or the strings differ. */
bool strcsequal(const void *s1, const void *s2) {

  if (s1 == s2) return true;
  if (!s1 || !s2) return false;

  return strcmp(s1, s2) == 0;

}
750
/* BSD timingsafe_bcmp()/timingsafe_memcmp(), similar to CRYPTO_memcmp. As
   with the *SSL wrappers, these forward to variable-time comparisons: fine
   for a fuzzing harness, never for a production build. */
752
/* timingsafe_bcmp(): 0 if equal, non-zero otherwise, via the instrumented
   (not timing-safe) bcmp(). */
int timingsafe_bcmp(const void *mem1, const void *mem2, size_t len) {

  const int rc = bcmp(mem1, mem2, len);
  return rc;

}
758
/* timingsafe_memcmp(): ordering compare via the instrumented (not
   timing-safe) memcmp(). */
int timingsafe_memcmp(const void *mem1, const void *mem2, size_t len) {

  const int rc = memcmp(mem1, mem2, len);
  return rc;

}
764
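/* Library constructor: open the token output file named by AFL_TOKEN_FILE
   (falling back to stderr if unset or unopenable), remember our pid for the
   BSD mapping loaders, and resolve the real libc comparison functions via
   RTLD_NEXT where that is available. */

__attribute__((constructor)) void __tokencap_init(void) {

  const char *fn = getenv("AFL_TOKEN_FILE");

  if (fn) {

    /* O_WRONLY: the file is only ever appended to. O_CLOEXEC (where the
       platform has it): don't leak the descriptor into programs the target
       may exec - if LD_PRELOAD is still set they load their own copy of this
       library and open the file themselves. Mode 0644: a token list is plain
       data, execute bits are never wanted. */
    int flags = O_WRONLY | O_CREAT | O_APPEND;
#ifdef O_CLOEXEC
    flags |= O_CLOEXEC;
#endif
    __tokencap_out_file = open(fn, flags, 0644);

  }

  if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
  __tokencap_pid = getpid();

#ifdef RTLD_NEXT
  /* Any NULL result simply leaves the slow fallback loop in use. */
  __libc_strcmp = dlsym(RTLD_NEXT, "strcmp");
  __libc_strncmp = dlsym(RTLD_NEXT, "strncmp");
  __libc_strcasecmp = dlsym(RTLD_NEXT, "strcasecmp");
  __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp");
  __libc_memcmp = dlsym(RTLD_NEXT, "memcmp");
  __libc_bcmp = dlsym(RTLD_NEXT, "bcmp");
  __libc_strstr = dlsym(RTLD_NEXT, "strstr");
  __libc_strcasestr = dlsym(RTLD_NEXT, "strcasestr");
  __libc_memmem = dlsym(RTLD_NEXT, "memmem");
#endif

}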
787
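/* Library destructor: close the token file unless we are writing to stderr.
   Dumping is disabled before the close because destructors of other
   libraries may still run strcmp() & co. after ours; with the descriptor
   marked -1, __tokencap_dump() returns early instead of writing to a closed
   - or, worse, already reused - descriptor. */
__attribute__((destructor)) void __tokencap_shutdown(void) {

  int fd = __tokencap_out_file;

  __tokencap_out_file = -1;

  if (fd != -1 && fd != STDERR_FILENO) close(fd);

}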
794
795