xref: /freebsd/contrib/llvm-project/compiler-rt/lib/fuzzer/FuzzerInterceptors.cpp (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c) 
1 //===-- FuzzerInterceptors.cpp --------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 // Intercept certain libc functions to aid fuzzing.
9 // Linked only when other RTs that define their own interceptors are not linked.
10 //===----------------------------------------------------------------------===//
11 
12 #include "FuzzerPlatform.h"
13 
14 #if LIBFUZZER_LINUX
15 
16 #define GET_CALLER_PC() __builtin_return_address(0)
17 
18 #define PTR_TO_REAL(x) real_##x
19 #define REAL(x) __interception::PTR_TO_REAL(x)
20 #define FUNC_TYPE(x) x##_type
21 #define DEFINE_REAL(ret_type, func, ...)                                       \
22   typedef ret_type (*FUNC_TYPE(func))(__VA_ARGS__);                            \
23   namespace __interception {                                                   \
24   FUNC_TYPE(func) PTR_TO_REAL(func);                                           \
25   }
26 
27 #include <cassert>
28 #include <cstddef> // for size_t
29 #include <cstdint>
30 #include <dlfcn.h> // for dlsym()
31 
32 static void *getFuncAddr(const char *name, uintptr_t wrapper_addr) {
33   void *addr = dlsym(RTLD_NEXT, name);
34   if (!addr) {
35     // If the lookup using RTLD_NEXT failed, the sanitizer runtime library is
36     // later in the library search order than the DSO that we are trying to
37     // intercept, which means that we cannot intercept this function. We still
38     // want the address of the real definition, though, so look it up using
39     // RTLD_DEFAULT.
40     addr = dlsym(RTLD_DEFAULT, name);
41 
42     // In case `name' is not loaded, dlsym ends up finding the actual wrapper.
43     // We don't want to intercept the wrapper and have it point to itself.
44     if (reinterpret_cast<uintptr_t>(addr) == wrapper_addr)
45       addr = nullptr;
46   }
47   return addr;
48 }
49 
50 static int FuzzerInited = 0;
51 static bool FuzzerInitIsRunning;
52 
53 static void fuzzerInit();
54 
55 static void ensureFuzzerInited() {
56   assert(!FuzzerInitIsRunning);
57   if (!FuzzerInited) {
58     fuzzerInit();
59   }
60 }
61 
62 static int internal_strcmp_strncmp(const char *s1, const char *s2, bool strncmp,
63                                    size_t n) {
64   size_t i = 0;
65   while (true) {
66     if (strncmp) {
67       if (i == n)
68         break;
69       i++;
70     }
71     unsigned c1 = *s1;
72     unsigned c2 = *s2;
73     if (c1 != c2)
74       return (c1 < c2) ? -1 : 1;
75     if (c1 == 0)
76       break;
77     s1++;
78     s2++;
79   }
80   return 0;
81 }
82 
83 static int internal_strncmp(const char *s1, const char *s2, size_t n) {
84   return internal_strcmp_strncmp(s1, s2, true, n);
85 }
86 
87 static int internal_strcmp(const char *s1, const char *s2) {
88   return internal_strcmp_strncmp(s1, s2, false, 0);
89 }
90 
91 static int internal_memcmp(const void *s1, const void *s2, size_t n) {
92   const uint8_t *t1 = static_cast<const uint8_t *>(s1);
93   const uint8_t *t2 = static_cast<const uint8_t *>(s2);
94   for (size_t i = 0; i < n; ++i, ++t1, ++t2)
95     if (*t1 != *t2)
96       return *t1 < *t2 ? -1 : 1;
97   return 0;
98 }
99 
100 static size_t internal_strlen(const char *s) {
101   size_t i = 0;
102   while (s[i])
103     i++;
104   return i;
105 }
106 
107 static char *internal_strstr(const char *haystack, const char *needle) {
108   // This is O(N^2), but we are not using it in hot places.
109   size_t len1 = internal_strlen(haystack);
110   size_t len2 = internal_strlen(needle);
111   if (len1 < len2)
112     return nullptr;
113   for (size_t pos = 0; pos <= len1 - len2; pos++) {
114     if (internal_memcmp(haystack + pos, needle, len2) == 0)
115       return const_cast<char *>(haystack) + pos;
116   }
117   return nullptr;
118 }
119 
120 extern "C" {
121 
122 // Weak hooks forward-declared to avoid dependency on
123 // <sanitizer/common_interface_defs.h>.
124 void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1,
125                                   const void *s2, size_t n, int result);
126 void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1,
127                                    const char *s2, size_t n, int result);
128 void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
129                                        const char *s2, size_t n, int result);
130 void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1,
131                                   const char *s2, int result);
132 void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
133                                       const char *s2, int result);
134 void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
135                                   const char *s2, char *result);
136 void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
137                                       const char *s2, char *result);
138 void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
139                                   const void *s2, size_t len2, void *result);
140 
141 DEFINE_REAL(int, bcmp, const void *, const void *, size_t)
142 DEFINE_REAL(int, memcmp, const void *, const void *, size_t)
143 DEFINE_REAL(int, strncmp, const char *, const char *, size_t)
144 DEFINE_REAL(int, strcmp, const char *, const char *)
145 DEFINE_REAL(int, strncasecmp, const char *, const char *, size_t)
146 DEFINE_REAL(int, strcasecmp, const char *, const char *)
147 DEFINE_REAL(char *, strstr, const char *, const char *)
148 DEFINE_REAL(char *, strcasestr, const char *, const char *)
149 DEFINE_REAL(void *, memmem, const void *, size_t, const void *, size_t)
150 
151 ATTRIBUTE_INTERFACE int bcmp(const char *s1, const char *s2, size_t n) {
152   if (!FuzzerInited)
153     return internal_memcmp(s1, s2, n);
154   int result = REAL(bcmp)(s1, s2, n);
155   __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
156   return result;
157 }
158 
159 ATTRIBUTE_INTERFACE int memcmp(const void *s1, const void *s2, size_t n) {
160   if (!FuzzerInited)
161     return internal_memcmp(s1, s2, n);
162   int result = REAL(memcmp)(s1, s2, n);
163   __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
164   return result;
165 }
166 
167 ATTRIBUTE_INTERFACE int strncmp(const char *s1, const char *s2, size_t n) {
168   if (!FuzzerInited)
169     return internal_strncmp(s1, s2, n);
170   int result = REAL(strncmp)(s1, s2, n);
171   __sanitizer_weak_hook_strncmp(GET_CALLER_PC(), s1, s2, n, result);
172   return result;
173 }
174 
175 ATTRIBUTE_INTERFACE int strcmp(const char *s1, const char *s2) {
176   if (!FuzzerInited)
177     return internal_strcmp(s1, s2);
178   int result = REAL(strcmp)(s1, s2);
179   __sanitizer_weak_hook_strcmp(GET_CALLER_PC(), s1, s2, result);
180   return result;
181 }
182 
183 ATTRIBUTE_INTERFACE int strncasecmp(const char *s1, const char *s2, size_t n) {
184   ensureFuzzerInited();
185   int result = REAL(strncasecmp)(s1, s2, n);
186   __sanitizer_weak_hook_strncasecmp(GET_CALLER_PC(), s1, s2, n, result);
187   return result;
188 }
189 
190 ATTRIBUTE_INTERFACE int strcasecmp(const char *s1, const char *s2) {
191   ensureFuzzerInited();
192   int result = REAL(strcasecmp)(s1, s2);
193   __sanitizer_weak_hook_strcasecmp(GET_CALLER_PC(), s1, s2, result);
194   return result;
195 }
196 
197 ATTRIBUTE_INTERFACE char *strstr(const char *s1, const char *s2) {
198   if (!FuzzerInited)
199     return internal_strstr(s1, s2);
200   char *result = REAL(strstr)(s1, s2);
201   __sanitizer_weak_hook_strstr(GET_CALLER_PC(), s1, s2, result);
202   return result;
203 }
204 
205 ATTRIBUTE_INTERFACE char *strcasestr(const char *s1, const char *s2) {
206   ensureFuzzerInited();
207   char *result = REAL(strcasestr)(s1, s2);
208   __sanitizer_weak_hook_strcasestr(GET_CALLER_PC(), s1, s2, result);
209   return result;
210 }
211 
212 ATTRIBUTE_INTERFACE
213 void *memmem(const void *s1, size_t len1, const void *s2, size_t len2) {
214   ensureFuzzerInited();
215   void *result = REAL(memmem)(s1, len1, s2, len2);
216   __sanitizer_weak_hook_memmem(GET_CALLER_PC(), s1, len1, s2, len2, result);
217   return result;
218 }
219 
220 __attribute__((section(".preinit_array"),
221                used)) static void (*__local_fuzzer_preinit)(void) = fuzzerInit;
222 
223 } // extern "C"
224 
225 static void fuzzerInit() {
226   assert(!FuzzerInitIsRunning);
227   if (FuzzerInited)
228     return;
229   FuzzerInitIsRunning = true;
230 
231   REAL(bcmp) = reinterpret_cast<memcmp_type>(
232       getFuncAddr("bcmp", reinterpret_cast<uintptr_t>(&bcmp)));
233   REAL(memcmp) = reinterpret_cast<memcmp_type>(
234       getFuncAddr("memcmp", reinterpret_cast<uintptr_t>(&memcmp)));
235   REAL(strncmp) = reinterpret_cast<strncmp_type>(
236       getFuncAddr("strncmp", reinterpret_cast<uintptr_t>(&strncmp)));
237   REAL(strcmp) = reinterpret_cast<strcmp_type>(
238       getFuncAddr("strcmp", reinterpret_cast<uintptr_t>(&strcmp)));
239   REAL(strncasecmp) = reinterpret_cast<strncasecmp_type>(
240       getFuncAddr("strncasecmp", reinterpret_cast<uintptr_t>(&strncasecmp)));
241   REAL(strcasecmp) = reinterpret_cast<strcasecmp_type>(
242       getFuncAddr("strcasecmp", reinterpret_cast<uintptr_t>(&strcasecmp)));
243   REAL(strstr) = reinterpret_cast<strstr_type>(
244       getFuncAddr("strstr", reinterpret_cast<uintptr_t>(&strstr)));
245   REAL(strcasestr) = reinterpret_cast<strcasestr_type>(
246       getFuncAddr("strcasestr", reinterpret_cast<uintptr_t>(&strcasestr)));
247   REAL(memmem) = reinterpret_cast<memmem_type>(
248       getFuncAddr("memmem", reinterpret_cast<uintptr_t>(&memmem)));
249 
250   FuzzerInitIsRunning = false;
251   FuzzerInited = 1;
252 }
253 
254 #endif
255