16a2cf3873
5af28808 Update Auto-Sync to Python 3.13 and tree-sitter-py 24.0 (#2705) 99f018ac Python binding: (#2742) a07baf83 Auto-Sync update Sparc LLVM-18 (#2704) 81c5c93d Enable to generate legacy MC tests for the fuzzer. (#2733) a25d4980 Add warning about naive search and replace to patch reg names. (#2728) 7ac87d17 Print immediate only memory operands for AArch64. (#2732) c34034c8 Add x30 implicit read to the RET alias. (#2739) 95a4ca3e Update source list before installing valgrind. (#2730) 6909724e Make assertion hit warnings optional in release builds. (#2729) fe6bdc6e Make SStream respect the CS_OPT_UNSIGNED flag. (#2723) 21ce3624 Use cs_ac_type for operand access mode in all arches and use cs_xtensa_op_type for Xtensa operand type (#2721) df26583f clang-format: change license to BSD-3-Clause (#2724) 280b749e Remove unused files. (#2709) 87908ece Add flag for the SoftFail case of the LLVM disassembler. (#2707) efc0ba44 Fix missing operand for smstart, due to space replaced by tab (#2720) 2ae64133 Fix missing sp register read in ret instruction (#2719) 8df252a6 Fix arm pop reg access (#2718) 14612272 ARM: fix typo, cspr -> cpsr (#2716) f2f0a3c3 Fix LoongArch ld/st instructions register info (#2701) 829be2bf LoongArch: Compute absolute address for address operand (#2699) 42fbce6c Add jump group for generic jirl (#2698) fc525c73 Apple AArch64 proprietary (#2692) 895f2f2e Build PDB for debugging on Windows (#2685) 5c3aef03 Version: Update to v6.0.0-alpha4 (#2682) 106f7d3b Update read/written registers for x87 comparison instructions (#2680) ebe3ef2a Add workflow for building on Windows (#2675) 72f7d305 Revert "Add a script to compare the inc file content with the latest generate…" (#2678) 5b5c5ed8 Fix nanomips decoding of jalrc (#2672) ae03cca4 Mips32r6_64r632 is for both mips32r6 and mips64r6 (#2673) 21178aea Add a script to compare the inc file content with the latest generated ones. (#2667) 81a6ba03 MIPS: Fix MIPS16 decoding, wrong flags and ghost registers (#2665) 98a393e3 Stringify BH fields when printing ppc details (#2663) 2607d0f3 Remove undefined constants in riscv_const.py (#2660) (#2661) 5058c634 Decode BH field in print_insn_detail_ppc (#2662) 6461ed08 Add Call group to svc, smc and hvc. (#2651) e2f1dc8d Tms32c64x Little Endian (#2648) 5464c91d Fix build for compilers requiring explicit static for inline functions.. (#2645) bb2f6579 Enhance shift value and types of shift instructions. (#2638) cd282ef5 Update operand type enums of all arch modules to the one in `capstone.h` (#2633) dc0c0909 cmake: Fix building capstone as sub-project (#2629) cd8dd20c - Added missing files for sdist archive (#2624) 9affd99b Give the user some guidance where to add missing enumeration values. (#2639) 1bea3fab Add checks for MIPS details on cstest_py (#2640) ace8056c Add aliases mapping for MIPS & test for id, alias_id (#2635) 1abe1868 Build Tarball before DEB/RPM package. (#2627) 0a012190 Switch to ubuntu-24.04-arm runner image (#2625) 4e0b8c48 Fix wrong version requirement of tricore instructions: (#2620) 8ac2843b chore(version): Update Version to 6.0.0-Alpha3 (#2616) d7ef910b Rebased #2570 (#2614) c831cd5e Fix SystemZ macro in Makefile (#2603) 30601176 Apply new EVM opcode updates (#2602) 3c4d7fc8 Add tricore tc1.8 instructions (#2595) 5f290cad Create debian and rpm package on releases (#2590) 0f09210a delete travis (#2600) 5c5f756f Downgrade labeler to v4 due to https://github.com/actions/labeler/issues/710. (#2598) git-subtree-dir: external/capstone git-subtree-split: 5af288083e9f03e32723f9708c305692f866b666
Fuzzing
Build the fuzz target
To build the fuzz target, you can simply run make with appropriate flags set :
ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" LDFLAGS="-fsanitize=address" make
You can replace address with another sanitizer : memory or undefined
The fuzz target is then suite/fuzz/fuzz_bindisasm2
You can find this in travis configuration .travis.yml
Another way is to use oss-fuzz, see https://github.com/google/oss-fuzz/blob/master/projects/capstone/build.sh
Troubleshooting
If you get cc: error: unrecognized argument to ‘-fsanitize=’ option: ‘fuzzer’ check if you have a workable
version of libfuzz installed. Also try to build with CC=clang make
Interpret OSS-Fuzz report
A reported bug by OSS-fuzz looks usually like this:
...
#20 0x7f3a42062082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#21 0x55ad814876dd in _start (build-out/fuzz_disasmnext+0x5246dd)
DEDUP_TOKEN: raise--abort--
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e) in raise
==62==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x7,0xe8,0x3,0x4e,0xc0,0xf8,
\007\350\003N\300\370
It emits the bytes fed to Capstone in the last two lines.
The first byte determines the arch+mode. The following bytes the actual data producing the crash.
You can run ./fuzz_decode_platform to get the arch+mode used:
./fuzz_decode_platform 0x7
cstool arch+mode = aarch64
And reproduce the bug with cstool:
# Make sureevery hex number has two digits!
cstool -d aarch64 0xe8,0x03,0x4e,0xc0,0xf8,
Make sure the every hex number has two digits (0x3 -> 0x03)!
cstool won't parse it correctly otherwise.
Fuzz drivers
There are custom drivers :
- driverbin.c : prints cstool command before running one input
- drivermc.c : converts MC test data to raw binary data before running as many inputs as there are lines in a file
- onefile.c : simple one file driver
For libfuzzer, the preferred main function is now to use linker option -fsanitize=fuzzer
Fuzzit integration
Travis will build the fuzz target with the different sanitizers. Then, Travis will launch sanity fuzzit jobs as part of continuous integration (for each of the sanitizers) The fuzzit target ids are stored in a configuration file fuzzitid.txt and used by fuzzit.sh