tools/fuzzing/libfuzzer/FuzzerInterceptors.cpp

   1 //===-- FuzzerInterceptors.cpp --------------------------------------------===//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8 // Intercept certain libc functions to aid fuzzing.
   9 // Linked only when other RTs that define their own interceptors are not linked.
  10 //===----------------------------------------------------------------------===//
  11
  12 #include "FuzzerPlatform.h"
  13
  14 #if LIBFUZZER_LINUX
  15
  16 #define GET_CALLER_PC() __builtin_return_address(0)
  17
  18 #define PTR_TO_REAL(x) real_##x
  19 #define REAL(x) __interception::PTR_TO_REAL(x)
  20 #define FUNC_TYPE(x) x##_type
  21 #define DEFINE_REAL(ret_type, func, ...)                                       \
  22   typedef ret_type (*FUNC_TYPE(func))(__VA_ARGS__);                            \
  23   namespace __interception {                                                   \
  24   FUNC_TYPE(func) PTR_TO_REAL(func);                                           \
  25   }
  26
  27 #include <cassert>
  28 #include <cstdint>
  29 #include <dlfcn.h> // for dlsym()
  30 #include <sanitizer/common_interface_defs.h>
  31
  32 static void *getFuncAddr(const char *name, uintptr_t wrapper_addr) {
  33   void *addr = dlsym(RTLD_NEXT, name);
  34   if (!addr) {
  35     // If the lookup using RTLD_NEXT failed, the sanitizer runtime library is
  36     // later in the library search order than the DSO that we are trying to
  37     // intercept, which means that we cannot intercept this function. We still
  38     // want the address of the real definition, though, so look it up using
  39     // RTLD_DEFAULT.
  40     addr = dlsym(RTLD_DEFAULT, name);
  41
  42     // In case `name' is not loaded, dlsym ends up finding the actual wrapper.
  43     // We don't want to intercept the wrapper and have it point to itself.
  44     if (reinterpret_cast<uintptr_t>(addr) == wrapper_addr)
  45       addr = nullptr;
  46   }
  47   return addr;
  48 }
  49
  50 static int FuzzerInited = 0;
  51 static bool FuzzerInitIsRunning;
  52
  53 static void fuzzerInit();
  54
  55 static void ensureFuzzerInited() {
  56   assert(!FuzzerInitIsRunning);
  57   if (!FuzzerInited) {
  58     fuzzerInit();
  59   }
  60 }
  61
  62 static int internal_strcmp_strncmp(const char *s1, const char *s2, bool strncmp,
  63                                    size_t n) {
  64   size_t i = 0;
  65   while (true) {
  66     if (strncmp) {
  67       if (i == n)
  68         break;
  69       i++;
  70     }
  71     unsigned c1 = *s1;
  72     unsigned c2 = *s2;
  73     if (c1 != c2)
  74       return (c1 < c2) ? -1 : 1;
  75     if (c1 == 0)
  76       break;
  77     s1++;
  78     s2++;
  79   }
  80   return 0;
  81 }
  82
  83 static int internal_strncmp(const char *s1, const char *s2, size_t n) {
  84   return internal_strcmp_strncmp(s1, s2, true, n);
  85 }
  86
  87 static int internal_strcmp(const char *s1, const char *s2) {
  88   return internal_strcmp_strncmp(s1, s2, false, 0);
  89 }
  90
  91 static int internal_memcmp(const void *s1, const void *s2, size_t n) {
  92   const uint8_t *t1 = static_cast<const uint8_t *>(s1);
  93   const uint8_t *t2 = static_cast<const uint8_t *>(s2);
  94   for (size_t i = 0; i < n; ++i, ++t1, ++t2)
  95     if (*t1 != *t2)
  96       return *t1 < *t2 ? -1 : 1;
  97   return 0;
  98 }
  99
 100 static size_t internal_strlen(const char *s) {
 101   size_t i = 0;
 102   while (s[i])
 103     i++;
 104   return i;
 105 }
 106
 107 static char *internal_strstr(const char *haystack, const char *needle) {
 108   // This is O(N^2), but we are not using it in hot places.
 109   size_t len1 = internal_strlen(haystack);
 110   size_t len2 = internal_strlen(needle);
 111   if (len1 < len2)
 112     return nullptr;
 113   for (size_t pos = 0; pos <= len1 - len2; pos++) {
 114     if (internal_memcmp(haystack + pos, needle, len2) == 0)
 115       return const_cast<char *>(haystack) + pos;
 116   }
 117   return nullptr;
 118 }
 119
 120 extern "C" {
 121
 122 DEFINE_REAL(int, bcmp, const void *, const void *, size_t)
 123 DEFINE_REAL(int, memcmp, const void *, const void *, size_t)
 124 DEFINE_REAL(int, strncmp, const char *, const char *, size_t)
 125 DEFINE_REAL(int, strcmp, const char *, const char *)
 126 DEFINE_REAL(int, strncasecmp, const char *, const char *, size_t)
 127 DEFINE_REAL(int, strcasecmp, const char *, const char *)
 128 DEFINE_REAL(char *, strstr, const char *, const char *)
 129 DEFINE_REAL(char *, strcasestr, const char *, const char *)
 130 DEFINE_REAL(void *, memmem, const void *, size_t, const void *, size_t)
 131
 132 ATTRIBUTE_INTERFACE int bcmp(const char *s1, const char *s2, size_t n) {
 133   if (!FuzzerInited)
 134     return internal_memcmp(s1, s2, n);
 135   int result = REAL(bcmp)(s1, s2, n);
 136   __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
 137   return result;
 138 }
 139
 140 ATTRIBUTE_INTERFACE int memcmp(const void *s1, const void *s2, size_t n) {
 141   if (!FuzzerInited)
 142     return internal_memcmp(s1, s2, n);
 143   int result = REAL(memcmp)(s1, s2, n);
 144   __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
 145   return result;
 146 }
 147
 148 ATTRIBUTE_INTERFACE int strncmp(const char *s1, const char *s2, size_t n) {
 149   if (!FuzzerInited)
 150     return internal_strncmp(s1, s2, n);
 151   int result = REAL(strncmp)(s1, s2, n);
 152   __sanitizer_weak_hook_strncmp(GET_CALLER_PC(), s1, s2, n, result);
 153   return result;
 154 }
 155
 156 ATTRIBUTE_INTERFACE int strcmp(const char *s1, const char *s2) {
 157   if (!FuzzerInited)
 158     return internal_strcmp(s1, s2);
 159   int result = REAL(strcmp)(s1, s2);
 160   __sanitizer_weak_hook_strcmp(GET_CALLER_PC(), s1, s2, result);
 161   return result;
 162 }
 163
 164 ATTRIBUTE_INTERFACE int strncasecmp(const char *s1, const char *s2, size_t n) {
 165   ensureFuzzerInited();
 166   int result = REAL(strncasecmp)(s1, s2, n);
 167   __sanitizer_weak_hook_strncasecmp(GET_CALLER_PC(), s1, s2, n, result);
 168   return result;
 169 }
 170
 171 ATTRIBUTE_INTERFACE int strcasecmp(const char *s1, const char *s2) {
 172   ensureFuzzerInited();
 173   int result = REAL(strcasecmp)(s1, s2);
 174   __sanitizer_weak_hook_strcasecmp(GET_CALLER_PC(), s1, s2, result);
 175   return result;
 176 }
 177
 178 ATTRIBUTE_INTERFACE char *strstr(const char *s1, const char *s2) {
 179   if (!FuzzerInited)
 180     return internal_strstr(s1, s2);
 181   char *result = REAL(strstr)(s1, s2);
 182   __sanitizer_weak_hook_strstr(GET_CALLER_PC(), s1, s2, result);
 183   return result;
 184 }
 185
 186 ATTRIBUTE_INTERFACE char *strcasestr(const char *s1, const char *s2) {
 187   ensureFuzzerInited();
 188   char *result = REAL(strcasestr)(s1, s2);
 189   __sanitizer_weak_hook_strcasestr(GET_CALLER_PC(), s1, s2, result);
 190   return result;
 191 }
 192
 193 ATTRIBUTE_INTERFACE
 194 void *memmem(const void *s1, size_t len1, const void *s2, size_t len2) {
 195   ensureFuzzerInited();
 196   void *result = REAL(memmem)(s1, len1, s2, len2);
 197   __sanitizer_weak_hook_memmem(GET_CALLER_PC(), s1, len1, s2, len2, result);
 198   return result;
 199 }
 200
 201 __attribute__((section(".preinit_array"),
 202                used)) static void (*__local_fuzzer_preinit)(void) = fuzzerInit;
 203
 204 } // extern "C"
 205
 206 static void fuzzerInit() {
 207   assert(!FuzzerInitIsRunning);
 208   if (FuzzerInited)
 209     return;
 210   FuzzerInitIsRunning = true;
 211
 212   REAL(bcmp) = reinterpret_cast<memcmp_type>(
 213       getFuncAddr("bcmp", reinterpret_cast<uintptr_t>(&bcmp)));
 214   REAL(memcmp) = reinterpret_cast<memcmp_type>(
 215       getFuncAddr("memcmp", reinterpret_cast<uintptr_t>(&memcmp)));
 216   REAL(strncmp) = reinterpret_cast<strncmp_type>(
 217       getFuncAddr("strncmp", reinterpret_cast<uintptr_t>(&strncmp)));
 218   REAL(strcmp) = reinterpret_cast<strcmp_type>(
 219       getFuncAddr("strcmp", reinterpret_cast<uintptr_t>(&strcmp)));
 220   REAL(strncasecmp) = reinterpret_cast<strncasecmp_type>(
 221       getFuncAddr("strncasecmp", reinterpret_cast<uintptr_t>(&strncasecmp)));
 222   REAL(strcasecmp) = reinterpret_cast<strcasecmp_type>(
 223       getFuncAddr("strcasecmp", reinterpret_cast<uintptr_t>(&strcasecmp)));
 224   REAL(strstr) = reinterpret_cast<strstr_type>(
 225       getFuncAddr("strstr", reinterpret_cast<uintptr_t>(&strstr)));
 226   REAL(strcasestr) = reinterpret_cast<strcasestr_type>(
 227       getFuncAddr("strcasestr", reinterpret_cast<uintptr_t>(&strcasestr)));
 228   REAL(memmem) = reinterpret_cast<memmem_type>(
 229       getFuncAddr("memmem", reinterpret_cast<uintptr_t>(&memmem)));
 230
 231   FuzzerInitIsRunning = false;
 232   FuzzerInited = 1;
 233 }
 234
 235 #endif