COMPCOV off-by-one (or more!), index overflowing map

[AlLongley]

I have managed to trigger a buffer overflow in my Qiling target if _uc_hook_sub_impl_64 is called with a cur_loc close to, but less than the total MAP_SIZE. I believe the per-byte comparison "+" offsets push it over, incrementing an index beyond the map's buffer itself.

Take for example the following values:

MAP_SIZE = afl_inst_rms_ = 0x10000
cur_loc = 0xffff
afl_prev_loc_ = 0x3777

unicornafl/unicornafl.cpp

Lines 367 to 370 in 2abdcd3

	void _uc_hook_sub_impl_64(uint64_t cur_loc, uint64_t arg1, uint64_t arg2) {
	if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) {
	this->afl_area_ptr_[(cur_loc + 6) ^ this->afl_prev_loc_]++;

The resulting incremented afl_area_ptr_ index is: 0x13772, overflowing the MAP_SIZE by a lot, losing a coverage point and potentially crashing the target.

I can see there's a check to attempt to avoid this before the individual byte checks are called, should the comparison instead be >= (ucafl->afl_inst_rms_-6)) or similar ?

unicornafl/unicornafl.cpp

Line 418 in 2abdcd3

if (unlikely(cur_loc >= ucafl->afl_inst_rms_)) {

[vanhauser-thc]

thanks for the bug report! I just pushed a simple fix.

[wtdcode]

Nice catch and thanks @vanhauser-thc for the quick fix.