Various updates to librasan (#3106)

* Add rawmemchr

* Add stpncpy

* Add strchrnul

* Fix strcat

* Added strncat

* Add wcschr

* Minor tweak

* Add wcsncmp

* Add wcsnlen

* Add wcsrchr

* Add wmemchr

* Fix asan load/store sizes for wide string functions

* Refactor patches

* Rename tracking functions to prevent collision with allocator

* Change return type of asan_sym to make it consistent with the other native functions

* Fix mutex re-entrancy issue in Patches by splitting locks

* Fix tests on 32-bit platforms

---------

Co-authored-by: Your Name <[email protected]>

Author: WorksButNotTested

libafl_qemu/librasan/asan/src/allocator/frontend/default.rs

@@ -94,7 +94,7 @@ impl<B: GlobalAlloc + Send, S: Shadow, T: Tracking> AllocatorFrontend for Defaul
         );
 
         self.tracking
-            .alloc(data, len)
+            .track(data, len)
             .map_err(|e| DefaultFrontendError::TrackingError(e))?;
         self.shadow
             .poison(orig, data - orig, PoisonType::AsanHeapLeftRz)
@@ -130,7 +130,7 @@ impl<B: GlobalAlloc + Send, S: Shadow, T: Tracking> AllocatorFrontend for Defaul
             )
             .map_err(|e| DefaultFrontendError::ShadowError(e))?;
         self.tracking
-            .dealloc(addr)
+            .untrack(addr)
             .map_err(|e| DefaultFrontendError::TrackingError(e))?;
         self.quaratine_used += alloc.backend_len;
         self.quarantine.push_back(alloc);

libafl_qemu/librasan/asan/src/exit/libc.rs

@@ -1,4 +1,4 @@
-use core::ffi::{CStr, c_char, c_int};
+use core::ffi::{CStr, c_char, c_int, c_void};
 
 use libc::{SIGABRT, pid_t};
 
@@ -32,15 +32,15 @@ impl Function for FunctionExit {
 }
 
 unsafe extern "C" {
-    fn asan_sym(name: *const c_char) -> GuestAddr;
+    fn asan_sym(name: *const c_char) -> *const c_void;
 }
 
 pub fn abort() -> ! {
     let getpid_addr = unsafe { asan_sym(FunctionGetpid::NAME.as_ptr() as *const c_char) };
-    let fn_getpid = FunctionGetpid::as_ptr(getpid_addr).unwrap();
+    let fn_getpid = FunctionGetpid::as_ptr(getpid_addr as GuestAddr).unwrap();
 
     let kill_addr = unsafe { asan_sym(FunctionKill::NAME.as_ptr() as *const c_char) };
-    let fn_kill = FunctionKill::as_ptr(kill_addr).unwrap();
+    let fn_kill = FunctionKill::as_ptr(kill_addr as GuestAddr).unwrap();
 
     unsafe { asan_swap(false) };
     let pid = unsafe { fn_getpid() };
@@ -50,7 +50,7 @@ pub fn abort() -> ! {
 
 pub fn exit(status: c_int) -> ! {
     let exit_addr = unsafe { asan_sym(FunctionExit::NAME.as_ptr() as *const c_char) };
-    let fn_exit = FunctionExit::as_ptr(exit_addr).unwrap();
+    let fn_exit = FunctionExit::as_ptr(exit_addr as GuestAddr).unwrap();
     unsafe { asan_swap(false) };
     unsafe { fn_exit(status) };
 }

libafl_qemu/librasan/asan/src/hooks/fgets.rs

@@ -4,7 +4,7 @@ use libc::FILE;
 use log::trace;
 
 use crate::{
-    asan_load, asan_panic, asan_store, asan_swap, asan_sym,
+    GuestAddr, asan_load, asan_panic, asan_store, asan_swap, asan_sym,
     symbols::{AtomicGuestAddr, Function, FunctionPointer},
 };
 
@@ -36,8 +36,9 @@ pub unsafe extern "C" fn fgets(buf: *mut c_char, n: c_int, stream: *mut FILE) ->
 
         asan_store(buf as *const c_void, n as usize);
         asan_load(stream as *const c_void, size_of::<FILE>());
-        let addr = FGETS_ADDR
-            .get_or_insert_with(|| asan_sym(FunctionFgets::NAME.as_ptr() as *const c_char));
+        let addr = FGETS_ADDR.get_or_insert_with(|| {
+            asan_sym(FunctionFgets::NAME.as_ptr() as *const c_char) as GuestAddr
+        });
         let fn_fgets = FunctionFgets::as_ptr(addr).unwrap();
         asan_swap(false);
         let ret = fn_fgets(buf, n, stream);

libafl_qemu/librasan/asan/src/hooks/mmap/libc.rs

@@ -4,7 +4,7 @@ use libc::{c_int, c_void};
 use log::trace;
 
 use crate::{
-    asan_swap, asan_sym, asan_track, asan_unpoison, off_t, size_t,
+    GuestAddr, asan_swap, asan_sym, asan_track, asan_unpoison, off_t, size_t,
     symbols::{AtomicGuestAddr, Function, FunctionPointer},
 };
 
@@ -41,8 +41,9 @@ pub unsafe extern "C" fn mmap(
             "mmap - addr: {:p}, len: {:#x}, prot: {:#x}, flags: {:#x}, fd: {:#x}, offset: {:#x}",
             addr, len, prot, flags, fd, offset
         );
-        let mmap_addr =
-            MMAP_ADDR.get_or_insert_with(|| asan_sym(FunctionMmap::NAME.as_ptr() as *const c_char));
+        let mmap_addr = MMAP_ADDR.get_or_insert_with(|| {
+            asan_sym(FunctionMmap::NAME.as_ptr() as *const c_char) as GuestAddr
+        });
         asan_swap(false);
         let fn_mmap = FunctionMmap::as_ptr(mmap_addr).unwrap();
         asan_swap(true);

libafl_qemu/librasan/asan/src/hooks/mod.rs

@@ -28,45 +28,54 @@ pub mod mmap;
 pub mod munmap;
 pub mod posix_memalign;
 pub mod pvalloc;
+pub mod rawmemchr;
 pub mod read;
 pub mod realloc;
 pub mod reallocarray;
 pub mod stpcpy;
+pub mod stpncpy;
 pub mod strcasecmp;
 pub mod strcasestr;
 pub mod strcat;
 pub mod strchr;
+pub mod strchrnul;
 pub mod strcmp;
 pub mod strcpy;
 pub mod strdup;
 pub mod strlen;
 pub mod strncasecmp;
+pub mod strncat;
 pub mod strncmp;
 pub mod strncpy;
 pub mod strndup;
 pub mod strnlen;
 pub mod strrchr;
 pub mod strstr;
 pub mod valloc;
+pub mod wcschr;
 pub mod wcscmp;
 pub mod wcscpy;
 pub mod wcslen;
+pub mod wcsncmp;
+pub mod wcsnlen;
+pub mod wcsrchr;
+pub mod wmemchr;
 pub mod write;
 
 #[cfg(feature = "libc")]
 pub mod fgets;
 
-use alloc::vec::Vec;
+use alloc::vec::{IntoIter, Vec};
 use core::ffi::{CStr, c_char, c_int, c_void};
 
-use crate::{GuestAddr, hooks, size_t, wchar_t};
+use crate::{GuestAddr, hooks, size_t, symbols::Symbols, wchar_t};
 
 unsafe extern "C" {
     pub fn asprintf(strp: *mut *mut c_char, fmt: *const c_char, ...) -> c_int;
     pub fn vasprintf(strp: *mut *mut c_char, fmt: *const c_char, va: *const c_void) -> c_int;
 }
 
-#[derive(Clone)]
+#[derive(Debug, Clone)]
 pub struct PatchedHook {
     pub name: &'static CStr,
     pub destination: GuestAddr,
@@ -79,8 +88,27 @@ impl PatchedHook {
         Self { name, destination }
     }
 
-    pub fn all() -> Vec<Self> {
-        [
+    pub fn lookup<S: Symbols>(&self) -> Result<GuestAddr, S::Error> {
+        S::lookup(self.name.as_ptr() as *const c_char)
+    }
+}
+
+pub struct PatchedHooks {
+    hooks: Vec<PatchedHook>,
+}
+
+impl IntoIterator for PatchedHooks {
+    type Item = PatchedHook;
+    type IntoIter = IntoIter<Self::Item>;
+
+    fn into_iter(self) -> Self::IntoIter {
+        self.hooks.into_iter()
+    }
+}
+
+impl Default for PatchedHooks {
+    fn default() -> Self {
+        Self { hooks: [
             PatchedHook::new::<unsafe extern "C" fn(size_t, size_t) -> *mut c_void>(
                 c"aligned_alloc",
                 hooks::aligned_alloc::aligned_alloc,
@@ -124,10 +152,17 @@ impl PatchedHook {
                 c"memrchr",
                 hooks::memrchr::memrchr,
             ),
+            PatchedHook::new::<unsafe extern "C" fn(*const c_void, c_int) -> *mut c_void>(
+                c"rawmemchr",
+                hooks::rawmemchr::rawmemchr,
+            ),
             PatchedHook::new::<unsafe extern "C" fn(*mut c_char, *const c_char) -> *mut c_char>(
                 c"stpcpy",
                 hooks::stpcpy::stpcpy,
             ),
+            PatchedHook::new::<
+                unsafe extern "C" fn(*mut c_char, *const c_char, size_t) -> *mut c_char,
+            >(c"stpncpy", hooks::stpncpy::stpncpy),
             PatchedHook::new::<unsafe extern "C" fn(*const c_char, *const c_char) -> c_int>(
                 c"strcasecmp",
                 hooks::strcasecmp::strcasecmp,
@@ -144,6 +179,10 @@ impl PatchedHook {
                 c"strchr",
                 hooks::strchr::strchr,
             ),
+            PatchedHook::new::<unsafe extern "C" fn(*const c_char, c_int) -> *mut c_char>(
+                c"strchrnul",
+                hooks::strchrnul::strchrnul,
+            ),
             PatchedHook::new::<unsafe extern "C" fn(*const c_char, *const c_char) -> c_int>(
                 c"strcmp",
                 hooks::strcmp::strcmp,
@@ -164,6 +203,9 @@ impl PatchedHook {
                 c"strncasecmp",
                 hooks::strncasecmp::strncasecmp,
             ),
+            PatchedHook::new::<
+                unsafe extern "C" fn(*mut c_char, *const c_char, size_t) -> *mut c_char,
+            >(c"strncat", hooks::strncat::strncat),
             PatchedHook::new::<unsafe extern "C" fn(*const c_char, *const c_char, size_t) -> c_int>(
                 c"strncmp",
                 hooks::strncmp::strncmp,
@@ -190,6 +232,10 @@ impl PatchedHook {
             PatchedHook::new::<
                 unsafe extern "C" fn(*mut *mut c_char, *const c_char, *const c_void) -> c_int,
             >(c"vasprintf", hooks::vasprintf),
+            PatchedHook::new::<unsafe extern "C" fn(*const wchar_t, c_int) -> *mut wchar_t>(
+                c"wcschr",
+                hooks::wcschr::wcschr,
+            ),
             PatchedHook::new::<unsafe extern "C" fn(*const wchar_t, *const wchar_t) -> c_int>(
                 c"wcscmp",
                 hooks::wcscmp::wcscmp,
@@ -202,7 +248,24 @@ impl PatchedHook {
                 c"wcslen",
                 hooks::wcslen::wcslen,
             ),
+            PatchedHook::new::<unsafe extern "C" fn (*const wchar_t, *const wchar_t, size_t) -> c_int>(
+                c"wcsncmp",
+                hooks::wcsncmp::wcsncmp,
+            ),
+            PatchedHook::new::<unsafe extern "C" fn ( *const wchar_t,  size_t) -> size_t>(
+                c"wcsnlen",
+                hooks::wcsnlen::wcsnlen,
+            ),
+            PatchedHook::new::<unsafe extern "C" fn ( *const wchar_t,  c_int) -> *mut wchar_t >(
+                c"wcsrchr",
+                hooks::wcsrchr::wcsrchr,
+            ),
+            PatchedHook::new::<unsafe extern "C" fn ( *const wchar_t,  wchar_t,  size_t) -> *mut wchar_t>(
+                c"wmemchr",
+                hooks::wmemchr::wmemchr,
+            ),
+
         ]
-        .to_vec()
+        .to_vec() }
     }
 }

libafl_qemu/librasan/asan/src/hooks/munmap/libc.rs

@@ -4,7 +4,7 @@ use libc::{c_int, c_void};
 use log::trace;
 
 use crate::{
-    asan_swap, asan_sym, asan_untrack, size_t,
+    GuestAddr, asan_swap, asan_sym, asan_untrack, size_t,
     symbols::{AtomicGuestAddr, Function, FunctionPointer},
 };
 
@@ -24,8 +24,9 @@ static MUNMAP_ADDR: AtomicGuestAddr = AtomicGuestAddr::new();
 pub unsafe extern "C" fn munmap(addr: *mut c_void, len: size_t) -> c_int {
     unsafe {
         trace!("munmap - addr: {:p}, len: {:#x}", addr, len);
-        let mmap_addr = MUNMAP_ADDR
-            .get_or_insert_with(|| asan_sym(FunctionMunmap::NAME.as_ptr() as *const c_char));
+        let mmap_addr = MUNMAP_ADDR.get_or_insert_with(|| {
+            asan_sym(FunctionMunmap::NAME.as_ptr() as *const c_char) as GuestAddr
+        });
         asan_swap(false);
         let fn_munmap = FunctionMunmap::as_ptr(mmap_addr).unwrap();
         asan_swap(true);

libafl_qemu/librasan/asan/src/hooks/rawmemchr.rs

@@ -0,0 +1,26 @@
+use core::ffi::{c_char, c_int, c_void};
+
+use log::trace;
+
+use crate::{asan_load, asan_panic};
+
+/// # Safety
+/// See man pages
+#[unsafe(export_name = "patch_rawmemchr")]
+pub unsafe extern "C" fn rawmemchr(s: *const c_void, c: c_int) -> *mut c_void {
+    unsafe {
+        trace!("rawmemchr - s: {:p}, c: {:#x}", s, c);
+
+        if s.is_null() {
+            asan_panic(c"rawmemchr - s is null".as_ptr() as *const c_char);
+        }
+
+        let mut len = 0;
+        let pc = s as *const c_char;
+        while *pc.add(len) != c as c_char {
+            len += 1;
+        }
+        asan_load(s, len);
+        s.add(len) as *mut c_void
+    }
+}

libafl_qemu/librasan/asan/src/hooks/read/libc.rs

@@ -4,7 +4,7 @@ use libc::{SYS_read, c_int, c_void};
 use log::trace;
 
 use crate::{
-    asan_panic, asan_store, asan_swap, asan_sym, size_t, ssize_t,
+    GuestAddr, asan_panic, asan_store, asan_swap, asan_sym, size_t, ssize_t,
     symbols::{AtomicGuestAddr, Function, FunctionPointer},
 };
 
@@ -30,8 +30,9 @@ pub unsafe extern "C" fn read(fd: c_int, buf: *mut c_void, count: size_t) -> ssi
         }
 
         asan_store(buf, count);
-        let addr = SYSCALL_ADDR
-            .get_or_insert_with(|| asan_sym(FunctionSyscall::NAME.as_ptr() as *const c_char));
+        let addr = SYSCALL_ADDR.get_or_insert_with(|| {
+            asan_sym(FunctionSyscall::NAME.as_ptr() as *const c_char) as GuestAddr
+        });
         let fn_syscall = FunctionSyscall::as_ptr(addr).unwrap();
         asan_swap(false);
         let ret = fn_syscall(SYS_read, fd, buf, count);

libafl_qemu/librasan/asan/src/hooks/stpncpy.rs

@@ -0,0 +1,49 @@
+use core::{
+    cmp::min,
+    ffi::{c_char, c_void},
+    ptr::{copy, write_bytes},
+};
+
+use log::trace;
+
+use crate::{asan_load, asan_panic, asan_store, size_t};
+
+/// # Safety
+/// See man pages
+#[unsafe(export_name = "patch_stpncpy")]
+pub unsafe extern "C" fn stpncpy(
+    dst: *mut c_char,
+    src: *const c_char,
+    dsize: size_t,
+) -> *mut c_char {
+    unsafe {
+        trace!(
+            "stpncpy - dst: {:p}, src: {:p}, dsize: {:#x}",
+            dst, src, dsize
+        );
+
+        if dsize == 0 {
+            return dst;
+        }
+
+        if dst.is_null() {
+            asan_panic(c"stpncpy - dst is null".as_ptr() as *const c_char);
+        }
+
+        if src.is_null() {
+            asan_panic(c"stpncpy - src is null".as_ptr() as *const c_char);
+        }
+
+        let mut len = 0;
+        while *src.add(len) != 0 {
+            len += 1;
+        }
+        asan_load(src as *const c_void, len + 1);
+        asan_store(dst as *const c_void, dsize);
+
+        let dlen = min(len + 1, dsize);
+        copy(src, dst, dlen);
+        write_bytes(dst.add(dlen), 0, dsize - dlen);
+        dst.add(dsize)
+    }
+}

libafl_qemu/librasan/asan/src/hooks/strcat.rs

@@ -5,7 +5,7 @@ use core::{
 
 use log::trace;
 
-use crate::{asan_load, asan_panic};
+use crate::{asan_load, asan_panic, asan_store};
 
 /// # Safety
 /// See man pages
@@ -30,7 +30,7 @@ pub unsafe extern "C" fn strcat(s: *mut c_char, ct: *const c_char) -> *mut c_cha
         while *ct.add(ct_len) != 0 {
             ct_len += 1;
         }
-        asan_load(s as *const c_void, s_len + 1);
+        asan_store(s.add(s_len) as *const c_void, ct_len + 1);
         asan_load(ct as *const c_void, ct_len + 1);
         copy(ct, s.add(s_len), ct_len + 1);
         s