Merge branch 'master' of ssh://github.com/zyedidia/lfi

zyedidia · Nov 15, 2024 · 161cda2 · 161cda2
2 parents e00b62a + eec395c
commit 161cda2
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 17 deletions.
diff --git a/lfi-fuzz/arm64/generator.c b/lfi-fuzz/arm64/generator.c
@@ -3,6 +3,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 
+#include "rand.h"
 #include "lfiv.h"
 #include "generator.h"
 
@@ -15,6 +16,23 @@ static LFIvOpts vopts = (LFIvOpts) {
 
 static bool filterinsn(uint32_t);
 
+struct InsnBuf {
+    uint8_t* data;
+    size_t size;
+    size_t cap;
+};
+
+static void
+ibufappend(struct InsnBuf* ibuf, uint32_t* data, size_t size)
+{
+    if (ibuf->size + size >= ibuf->cap) {
+        ibuf->cap = ibuf->cap * 2 + ibuf->size + size;
+        ibuf->data = realloc(ibuf->data, ibuf->cap);
+    }
+    memcpy(&ibuf->data[ibuf->size], data, size);
+    ibuf->size += size;
+}
+
 static uint32_t
 rnginsn()
 {
@@ -52,7 +70,7 @@ filterinsn(uint32_t insn)
 }
 
 static void
-bbgen(uint32_t* insnbuf, size_t nbuf, struct Options opts)
+bbgen(struct InsnBuf* ibuf, size_t nbuf, struct Options opts)
 {
     const size_t presize = 0;
     const size_t postsize = 0;
@@ -67,7 +85,7 @@ bbgen(uint32_t* insnbuf, size_t nbuf, struct Options opts)
     while (i < nbuf - (presize + postsize)) {
         uint32_t insn = rnginsn();
         if (filterinsn(insn)) {
-            insnbuf[i] = insn;
+            ibufappend(ibuf, &insn, 4);
             i++;
         }
     }
@@ -77,33 +95,27 @@ bbgen(uint32_t* insnbuf, size_t nbuf, struct Options opts)
     }
 }
 
-enum {
-    NOP = 0xd503201f,
-};
-
 size_t
 codegen(uint8_t** o_buf, size_t ninsn, struct Options opts)
 {
-    uint8_t* buf = malloc(ninsn * sizeof(uint32_t));
-    assert(buf);
-    *o_buf = buf;
-    uint32_t* insnbuf = (uint32_t*) buf;
+    struct InsnBuf ibuf = {0};
     size_t i = 0;
     while (i < ninsn) {
         size_t bbsize = min(ninsn - i, rngbbsize(opts));
         if (bbsize < BBMIN)
             break;
-        bbgen(&insnbuf[i], bbsize, opts);
+        bbgen(&ibuf, bbsize, opts);
         i += bbsize;
     }
+    uint32_t nop = 0xd503201f;
     while (i < ninsn) {
-        insnbuf[i] = NOP;
+        ibufappend(&ibuf, &nop, sizeof(nop));
         i++;
     }
     while (i * sizeof(uint32_t) % getpagesize() != 0) {
-        insnbuf[i] = NOP;
+        ibufappend(&ibuf, &nop, sizeof(nop));
         i++;
     }
-    assert(ninsn == i);
-    return ninsn * sizeof(uint32_t);
+    *o_buf = (uint8_t*) ibuf.data;
+    return ibuf.size;
 }
diff --git a/lfi-fuzz/main.c b/lfi-fuzz/main.c
@@ -65,6 +65,10 @@ main(int argc, char** argv)
 {
     argp_parse(&argp, argc, argv, ARGP_NO_HELP, 0, &args);
 
+    if (args.seed == 0) {
+        args.seed = 2463534242;
+    }
+
     rand_init();
 
     uint8_t* buf;

diff --git a/lfi-leg/minipeg/minipeg.c b/lfi-leg/minipeg/minipeg.c
@@ -225,8 +225,12 @@ static char *makeCharClass(unsigned char *cclass)
     }
 
   ptr= string;
-  for (c= 0;  c < 32;  ++c)
-    ptr += sprintf(ptr, "\\%03o", bits[c]);
+  size_t size = sizeof(string);
+  for (c= 0;  c < 32;  ++c) {
+    int n = snprintf(ptr, size, "\\%03o", bits[c]);
+    size -= n;
+    ptr += n;
+  }
 
   return string;
 }

diff --git a/liblfix/lfix.c b/liblfix/lfix.c
@@ -32,6 +32,8 @@ lfix_syscall(void* ctxp, uint64_t sysno, uint64_t a0, uint64_t a1,
 bool
 lfix_init(LFIXEngine* lfix)
 {
+    *lfix = (LFIXEngine){0};
+
     LFIOptions options = (LFIOptions) {
         .pagesize = getpagesize(),
         .stacksize = mb(2),