Add Android Support (aflnet#46)

Author: JoeyJiao

afl-analyze.c

@@ -28,6 +28,7 @@
 */
 
 #define AFL_MAIN
+#include "android-ashmem.h"
 
 #include "config.h"
 #include "types.h"

afl-as.c

@@ -74,7 +74,7 @@ static u32  inst_ratio = 100,   /* Instrumentation probability (%)      */
    instrumentation for whichever mode we were compiled with. This is not
    perfect, but should do the trick for almost all use cases. */
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 
 static u8   use_64bit = 1;
 
@@ -86,7 +86,7 @@ static u8   use_64bit = 0;
 #  error "Sorry, 32-bit Apple platforms are not supported."
 #endif /* __APPLE__ */
 
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
 
 /* Examine and modify parameters to pass to 'as'. Note that the file name

afl-fuzz.c

@@ -29,6 +29,7 @@
 */
 
 #define AFL_MAIN
+#include "android-ashmem.h"
 #define MESSAGES_TO_STDOUT
 
 #ifndef _GNU_SOURCE
@@ -888,7 +889,7 @@ EXP_ST void read_bitmap(u8* fname) {
 
 static inline u8 has_new_bits(u8* virgin_map) {
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 
   u64* current = (u64*)trace_bits;
   u64* virgin  = (u64*)virgin_map;
@@ -902,7 +903,7 @@ static inline u8 has_new_bits(u8* virgin_map) {
 
   u32  i = (MAP_SIZE >> 2);
 
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
   u8   ret = 0;
 
@@ -922,7 +923,7 @@ static inline u8 has_new_bits(u8* virgin_map) {
         /* Looks like we have not found any new bytes yet; see if any non-zero
            bytes in current[] are pristine in virgin[]. */
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 
         if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) ||
             (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) ||
@@ -936,7 +937,7 @@ static inline u8 has_new_bits(u8* virgin_map) {
             (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) ret = 2;
         else ret = 1;
 
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
       }
 
@@ -1058,7 +1059,7 @@ static const u8 simplify_lookup[256] = {
 
 };
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 
 static void simplify_trace(u64* mem) {
 
@@ -1115,7 +1116,7 @@ static void simplify_trace(u32* mem) {
 
 }
 
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
 
 /* Destructively classify execution counts in a trace. This is used as a
@@ -1152,7 +1153,7 @@ EXP_ST void init_count_class16(void) {
 }
 
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 
 static inline void classify_counts(u64* mem) {
 
@@ -1204,7 +1205,7 @@ static inline void classify_counts(u32* mem) {
 
 }
 
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
 
 /* Get rid of shared memory (atexit handler). */
@@ -2441,11 +2442,11 @@ static u8 run_target(char** argv, u32 timeout) {
 
   tb4 = *(u32*)trace_bits;
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
   classify_counts((u64*)trace_bits);
 #else
   classify_counts((u32*)trace_bits);
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
   prev_timed_out = child_timed_out;
 
@@ -3205,11 +3206,11 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) {
 
       if (!dumb_mode) {
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
         simplify_trace((u64*)trace_bits);
 #else
         simplify_trace((u32*)trace_bits);
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
         if (!has_new_bits(virgin_tmout)) return keeping;
 
@@ -3269,11 +3270,11 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) {
 
       if (!dumb_mode) {
 
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
         simplify_trace((u64*)trace_bits);
 #else
         simplify_trace((u32*)trace_bits);
-#endif /* ^__x86_64__ */
+#endif /* ^WORD_SIZE_64 */
 
         if (!has_new_bits(virgin_crash)) return keeping;
 
@@ -7071,6 +7072,7 @@ static void check_term_size(void) {
 
   if (ioctl(1, TIOCGWINSZ, &ws)) return;
 
+  if (ws.ws_row == 0 && ws.ws_col == 0) return;
   if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1;
 
 }

afl-gotcpu.c

@@ -33,6 +33,7 @@
 */
 
 #define AFL_MAIN
+#include "android-ashmem.h"
 #define _GNU_SOURCE
 
 #include <stdio.h>
@@ -150,7 +151,7 @@ int main(int argc, char** argv) {
       CPU_SET(i, &c);
 
       if (sched_setaffinity(0, sizeof(c), &c))
-        PFATAL("sched_setaffinity failed");
+        PFATAL("sched_setaffinity failed for cpu %d", i);
 
       util_perc = measure_preemption(CTEST_CORE_TRG_MS);
 

afl-showmap.c

@@ -29,6 +29,7 @@
 */
 
 #define AFL_MAIN
+#include "android-ashmem.h"
 
 #include "config.h"
 #include "types.h"

afl-tmin.c

@@ -27,6 +27,7 @@
 */
 
 #define AFL_MAIN
+#include "android-ashmem.h"
 
 #include "config.h"
 #include "types.h"

afl-whatsup

@@ -54,7 +54,7 @@ fi
 
 CUR_TIME=`date +%s`
 
-TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || exit 1
+TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
 
 ALIVE_CNT=0
 DEAD_CNT=0

android-ashmem.h

@@ -0,0 +1,82 @@
+#ifdef __ANDROID__
+#ifndef _ANDROID_ASHMEM_H
+#define _ANDROID_ASHMEM_H
+
+#include <fcntl.h>
+#include <linux/ashmem.h>
+#include <linux/shm.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+
+#if __ANDROID_API__ >= 26
+#define shmat bionic_shmat
+#define shmctl bionic_shmctl
+#define shmdt bionic_shmdt
+#define shmget bionic_shmget
+#endif
+#include <sys/shm.h>
+#undef shmat
+#undef shmctl
+#undef shmdt
+#undef shmget
+#include <stdio.h>
+
+#define ASHMEM_DEVICE "/dev/ashmem"
+
+static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
+  int ret = 0;
+  if (__cmd == IPC_RMID) {
+    int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+    struct ashmem_pin pin = {0, length};
+    ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
+    close(__shmid);
+  }
+
+  return ret;
+}
+
+static inline int shmget(key_t __key, size_t __size, int __shmflg) {
+  (void) __shmflg;
+  int fd, ret;
+  char ourkey[11];
+
+  fd = open(ASHMEM_DEVICE, O_RDWR);
+  if (fd < 0)
+    return fd;
+
+  sprintf(ourkey, "%d", __key);
+  ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
+  if (ret < 0)
+    goto error;
+
+  ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
+  if (ret < 0)
+    goto error;
+
+  return fd;
+
+error:
+  close(fd);
+  return ret;
+}
+
+static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
+  (void) __shmflg;
+  int size;
+  void *ptr;
+
+  size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+  if (size < 0) {
+    return NULL;
+  }
+
+  ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
+  if (ptr == MAP_FAILED) {
+    return NULL;
+  }
+
+  return ptr;
+}
+
+#endif /* !_ANDROID_ASHMEM_H */
+#endif /* !__ANDROID__ */

config.h

@@ -54,13 +54,18 @@
 
 #define EXEC_TM_ROUND       20
 
+/* 64bit arch MACRO */
+#if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__))
+#define WORD_SIZE_64 1
+#endif
+
 /* Default memory limit for child process (MB): */
 
-#ifndef __x86_64__ 
+#ifndef WORD_SIZE_64
 #  define MEM_LIMIT         25
 #else
 #  define MEM_LIMIT         50
-#endif /* ^!__x86_64__ */
+#endif /* ^!WORD_SIZE_64 */
 
 /* Default memory limit when running in QEMU mode (MB): */
 

llvm_mode/afl-clang-fast.c

@@ -147,6 +147,7 @@ static void edit_params(u32 argc, char** argv) {
     u8* cur = *(++argv);
 
     if (!strcmp(cur, "-m32")) bit_mode = 32;
+    if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
     if (!strcmp(cur, "-m64")) bit_mode = 64;
 
     if (!strcmp(cur, "-x")) x_set = 1;

llvm_mode/afl-llvm-rt.o.c

@@ -26,6 +26,7 @@
    This code is the rewrite of afl-as.h's main_payload.
 */
 
+#include "../android-ashmem.h"
 #include "../config.h"
 #include "../types.h"