ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-13 18:48:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

better replay mode error handling, added replay mode documentation, code formatting

Browse Source
This commit is contained in:
Davide Quarta
2024-02-05 18:26:46 +01:00
parent 8fedf49984
commit 023fc19ce0
7 changed files with 183 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
include/config.h
View File

@ -83,10 +83,14 @@
will be kept and written to the crash/ directory as RECORD:... files. will be kept and written to the crash/ directory as RECORD:... files.
Note that every crash will be written, not only unique ones! */ Note that every crash will be written, not only unique ones! */
// #define AFL_PERSISTENT_RECORD #define AFL_PERSISTENT_RECORD
/* Builds compiler-rt with support to replay persistent records */ /* Adds support in compiler-rt to replay persistent records */
// #define AFL_PERSISTENT_REPLAY #define AFL_PERSISTENT_REPLAY
/* Adds support in compiler-rt to replay persistent records in @@-style
* harnesses */
// #define AFL_PERSISTENT_REPLAY_ARGPARSE
/* console output colors: There are three ways to configure its behavior /* console output colors: There are three ways to configure its behavior
* 1. default: colored outputs fixed on: defined USE_COLOR && defined * 1. default: colored outputs fixed on: defined USE_COLOR && defined

74
include/persistent_replay.h
View File

@ -14,20 +14,28 @@ static unsigned short int is_replay_record;
static unsigned int replay_record; static unsigned int replay_record;
static unsigned int replay_record_cnt; static unsigned int replay_record_cnt;
static char replay_record_path[PATH_MAX]; static char replay_record_path[PATH_MAX];
static char **record_arg;
static char *replay_record_dir; static char *replay_record_dir;
static struct dirent **record_list; static struct dirent **record_list;
#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE
static char **record_arg = NULL;
#endif // AFL_PERSISTENT_REPLAY_ARGPARSE
static int select_files(const struct dirent *dirbuf) { static int select_files(const struct dirent *dirbuf) {
char fn[4096]; char fn[4096];
if (dirbuf->d_name[0] == '.') { if (dirbuf->d_name[0] == '.') {
return 0; return 0;
} else { } else {
snprintf(fn, sizeof(fn), "RECORD:%06u", replay_record); snprintf(fn, sizeof(fn), "RECORD:%06u", replay_record);
return !!strstr(dirbuf->d_name, fn); return !!strstr(dirbuf->d_name, fn);
} }
} }
static int compare_files(const struct dirent **da, const struct dirent **db) { static int compare_files(const struct dirent **da, const struct dirent **db) {
@ -38,44 +46,81 @@ static int compare_files(const struct dirent **da, const struct dirent **db) {
sscanf((*db)->d_name, "RECORD:%*u,cnt:%06u", &c2); sscanf((*db)->d_name, "RECORD:%*u,cnt:%06u", &c2);
return c1 - c2; return c1 - c2;
} }
__attribute__((destructor)) static void __afl_record_replay_destroy(void) { __attribute__((destructor)) static void __afl_record_replay_destroy(void) {
for (int i = 0; i < replay_record_cnt; i++) { for (int i = 0; i < replay_record_cnt; i++) {
free(record_list[i]); free(record_list[i]);
} }
free(record_list); free(record_list);
} }
__attribute__((constructor)) static void __afl_record_replay_init(int argc, char **argv) { __attribute__((constructor)) static void __afl_record_replay_init(
#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE
int argc, char **argv
#endif // AFL_PERSISTENT_REPLAY_ARGPARSE
) {
#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE
char **argp; char **argp;
#endif // AFL_PERSISTENT_REPLAY_ARGPARSE
/* caveat: if harness uses @@ and we don't pass it, it will regardless loop the number of iterations defined for AFL_LOOP (on the same file)*/ struct stat sb;
/* caveat: if harness uses @@ and we don't pass it, it will regardless loop
* the number of iterations defined for AFL_LOOP (on the same file)*/
if (!(is_replay_record = !!getenv("AFL_PERSISTENT_REPLAY"))) { if (!(is_replay_record = !!getenv("AFL_PERSISTENT_REPLAY"))) {
// printf("[warning] AFL_PERSISTENT_REPLAY not set.\n"); // printf("[warning] AFL_PERSISTENT_REPLAY not set.\n");
return; return;
} }
replay_record = atoi(getenv("AFL_PERSISTENT_REPLAY")); replay_record = atoi(getenv("AFL_PERSISTENT_REPLAY"));
replay_record_dir = getenv("AFL_PERSISTENT_DIR"); replay_record_dir = getenv("AFL_PERSISTENT_DIR");
replay_record_cnt = scandir(replay_record_dir ? replay_record_dir : "./", &record_list, select_files, compare_files);
if (!replay_record_cnt){ if (!(stat(replay_record_dir, &sb) == 0 && S_ISDIR(sb.st_mode))) {
printf("[error] Can't find the requested record!\n");
fprintf(stderr, "[error] Can't find the requested record directory!\n");
is_replay_record = 0; is_replay_record = 0;
return;
} }
replay_record_cnt = scandir(replay_record_dir ? replay_record_dir : "./",
&record_list, select_files, compare_files);
if (!replay_record_cnt) {
fprintf(stderr, "[error] Can't find the requested record!\n");
is_replay_record = 0;
}
#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE
argp = argv; argp = argv;
while (*argp) { while (*argp) {
if (!strcmp(*argp, "@@")) { if (!strcmp(*argp, "@@")) {
record_arg = argp; record_arg = argp;
*record_arg = replay_record_path; *record_arg = replay_record_path;
break; break;
} }
++argp; ++argp;
} }
#endif // AFL_PERSISTENT_REPLAY_ARGPARSE
} }
/* only used if explictly included for compatibility /* only used if explictly included for compatibility
@ -115,35 +160,48 @@ int __afl_persistent_loop(unsigned int max_cnt) {
if (is_replay_record) { if (is_replay_record) {
if (!inited) { if (!inited) {
cycle_cnt = replay_record_cnt; cycle_cnt = replay_record_cnt;
inited = 1; inited = 1;
} }
snprintf(tcase, PATH_MAX, "%s/%s", snprintf(tcase, PATH_MAX, "%s/%s",
replay_record_dir ? replay_record_dir : "./", replay_record_dir ? replay_record_dir : "./",
record_list[replay_record_cnt - cycle_cnt]->d_name); record_list[replay_record_cnt - cycle_cnt]->d_name);
#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE
if (record_arg) { if (record_arg) {
*record_arg = tcase; *record_arg = tcase;
} else {
} else
#endif // AFL_PERSISTENT_REPLAY_ARGPARSE
{
int fd = open(tcase, O_RDONLY); int fd = open(tcase, O_RDONLY);
dup2(fd, 0); dup2(fd, 0);
close(fd); close(fd);
} }
} else { } else {
if (!inited) { if (!inited) {
cycle_cnt = max_cnt; cycle_cnt = max_cnt;
inited = 1; inited = 1;
} }
} }
return cycle_cnt--; return cycle_cnt--;
} }
#endif // AFL_COMPAT #endif // AFL_COMPAT
#endif // _HAVE_PERSISTENT_REPLAY_H #endif // _HAVE_PERSISTENT_REPLAY_H

28
instrumentation/README.persistent_mode.md
View File

@ -196,3 +196,31 @@ Then as first line after the `__AFL_LOOP` while loop:
``` ```
And that is all! And that is all!
## 6) Persistent record, and replay
If your software under test requires keeping a state between persistent loop iterations (i.e., a stateful network stack), you can use the `AFL_PERSISTENT_RECORD` variable as described in the [environment variables documentation](../docs/env_variables.md).
To easily replay a crashing, or hanging record, you can use the persistent replay functionality by compiling AFL++ after uncommenting the `AFL_PERSISTENT_REPLAY` define in [config.h](../include/config.h).
You can then run the test binary specifying the record number via the AFL_PERSISTENT_REPLAY environment variable (i.e., `RECORD:XXXXX`` -> `AFL_PERSISTENT_REPLAY=XXXXX`).
The directory where the record files live can be specified via the `AFL_PERSISTENT_DIR` environment varilable, otherwise by default it will be considered the current directory (`./`).
If your harness reads the input files from arguments using the special `@@` argument you will need to define `AFL_PERSISTENT_ARGPARSE` in `config.h`, or before including the `persistent_replay.h` header file as show before.
In order to offer transparent support to harnesses using the `@@` command line argument, arguments are parsed by the `__afl_record_replay_init` init function. Since not all systems support passing arguments to initializers, this functionality is disabled by default, it's recommendable to use the `__AFL_FUZZ_TESTCASE_BUF/__AFL_FUZZ_TESTCASE_LEN` shared memory mechanism instead.
### 7) Drop in replay functionality
To use the replay functionality without having to use `afl-cc` you can just define `AFL_COMPAT` and include the [include/persistent_replay.h](../include/persistent_replay.h) self contained header file that provides a drop-in replacement for the persistent loop mechanism.
```c
#ifndef __AFL_FUZZ_TESTCASE_LEN
#define AFL_COMPAT
// #define AFL_PERSISTENT_REPLAY_ARGPARSE
#include "persistent_replay.h"
#endif
__AFL_FUZZ_INIT();
```
A simple example is provided in [persistent_demo_new.c](../utils/persistent_mode/persistent_demo_new.c).

14
instrumentation/afl-compiler-rt.o.c
View File

@ -1354,22 +1354,34 @@ int __afl_persistent_loop(unsigned int max_cnt) {
if (unlikely(is_replay_record)) { if (unlikely(is_replay_record)) {
if (!inited) { if (!inited) {
cycle_cnt = replay_record_cnt; cycle_cnt = replay_record_cnt;
inited = 1; inited = 1;
} }
snprintf(tcase, PATH_MAX, "%s/%s", snprintf(tcase, PATH_MAX, "%s/%s",
replay_record_dir ? replay_record_dir : "./", replay_record_dir ? replay_record_dir : "./",
record_list[replay_record_cnt - cycle_cnt]->d_name); record_list[replay_record_cnt - cycle_cnt]->d_name);
#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE
if (record_arg) { if (record_arg) {
*record_arg = tcase; *record_arg = tcase;
} else {
} else
#endif // AFL_PERSISTENT_REPLAY_ARGPARSE
{
int fd = open(tcase, O_RDONLY); int fd = open(tcase, O_RDONLY);
dup2(fd, 0); dup2(fd, 0);
close(fd); close(fd);
} }
return cycle_cnt--; return cycle_cnt--;
} else } else
#endif #endif

1
src/afl-forkserver.c
View File

@ -1803,6 +1803,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
persistent_out_fmt = "%s/hangs/RECORD:%06u,cnt:%06u"; persistent_out_fmt = "%s/hangs/RECORD:%06u,cnt:%06u";
goto store_persistent_record; goto store_persistent_record;
#endif #endif
} }
/* Did we crash? /* Did we crash?

2
utils/persistent_mode/persistent_demo_new.c
View File

@ -86,8 +86,6 @@ int main(int argc, char **argv) {
if (buf[5] == '!') { if (buf[5] == '!') {
printf("six\n"); printf("six\n");
char *nullo = NULL+1;
*nullo = 'p';
abort(); abort();
} }