1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
// Copyright 2021 Code Intelligence GmbH
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <jni.h>
#include <algorithm>
#include <fstream>
#include <iostream>
#include <mutex>
#include <utility>
#include <vector>
#include "absl/strings/str_split.h"
#include "com_code_intelligence_jazzer_runtime_TraceDataFlowNativeCallbacks.h"
namespace {
bool is_using_native_libraries = false;
std::once_flag ignore_list_flag;
std::vector<std::pair<uintptr_t, uintptr_t>> ignore_for_interception_ranges;
/**
* Adds the address ranges of executable segmentes of the library lib_name to
* the ignorelist for C standard library function interception (strcmp, memcmp,
* ...).
*/
void ignoreLibraryForInterception(const std::string &lib_name) {
std::ifstream loaded_libs("/proc/self/maps");
if (!loaded_libs) {
// This early exit is taken e.g. on macOS, where /proc does not exist.
return;
}
std::string line;
while (std::getline(loaded_libs, line)) {
if (!absl::StrContains(line, lib_name)) continue;
// clang-format off
// A typical line looks as follows:
// 7f15356c9000-7f1536367000 r-xp 0020d000 fd:01 19275673 /usr/lib/jvm/java-15-openjdk-amd64/lib/server/libjvm.so
// clang-format on
std::vector<std::string> parts =
absl::StrSplit(line, ' ', absl::SkipEmpty());
if (parts.size() != 6) {
std::cout << "ERROR: Invalid format for /proc/self/maps\n"
<< line << std::endl;
exit(1);
}
// Skip non-executable address rang"s.
if (!absl::StrContains(parts[1], "x")) continue;
std::string range_str = parts[0];
std::vector<std::string> range = absl::StrSplit(range_str, "-");
if (range.size() != 2) {
std::cout
<< "ERROR: Unexpected address range format in /proc/self/maps line: "
<< range_str << std::endl;
exit(1);
}
std::size_t pos;
auto start = std::stoull(range[0], &pos, 16);
if (pos != range[0].size()) {
std::cout
<< "ERROR: Unexpected address range format in /proc/self/maps line: "
<< range_str << std::endl;
exit(1);
}
auto end = std::stoull(range[1], &pos, 16);
if (pos != range[0].size()) {
std::cout
<< "ERROR: Unexpected address range format in /proc/self/maps line: "
<< range_str << std::endl;
exit(1);
}
ignore_for_interception_ranges.emplace_back(start, end);
}
}
const std::vector<std::string> kLibrariesToIgnoreForInterception = {
// The driver executable itself can be treated just like a library.
"jazzer_driver", "libinstrument.so", "libjava.so",
"libjimage.so", "libjli.so", "libjvm.so",
"libnet.so", "libverify.so", "libzip.so",
};
} // namespace
extern "C" [[maybe_unused]] bool __sanitizer_weak_is_relevant_pc(
void *caller_pc) {
// If the fuzz target is not using native libraries, calls to strcmp, memcmp,
// etc. should never be intercepted. The values reported if they were at best
// duplicate the values received from our bytecode instrumentation and at
// worst pollute the table of recent compares with string internal to the JDK.
if (!is_using_native_libraries) return false;
// If the fuzz target is using native libraries, intercept calls only if they
// don't originate from those address ranges that are known to belong to the
// JDK.
return std::none_of(
ignore_for_interception_ranges.cbegin(),
ignore_for_interception_ranges.cend(),
[caller_pc](const std::pair<uintptr_t, uintptr_t> &range) {
uintptr_t start;
uintptr_t end;
std::tie(start, end) = range;
auto address = reinterpret_cast<uintptr_t>(caller_pc);
return start <= address && address <= end;
});
}
[[maybe_unused]] void
Java_com_code_1intelligence_jazzer_runtime_TraceDataFlowNativeCallbacks_handleLibraryLoad(
JNIEnv *, jclass) {
std::call_once(ignore_list_flag, [] {
std::cout << "INFO: detected a native library load, enabling interception "
"for libc functions"
<< std::endl;
for (const auto &lib_name : kLibrariesToIgnoreForInterception)
ignoreLibraryForInterception(lib_name);
// Enable the ignore list after it has been populated since vector is not
// thread-safe with respect to concurrent writes and reads.
is_using_native_libraries = true;
});
}
|
