- What is an "edge"?
+ What is an "edge"?
A program contains `functions`, `functions` contain the compiled machine code.
The compiled machine code in a `function` can be in a single or many `basic blocks`.
@@ -77,7 +77,7 @@ If you find an interesting or important question missing, submit it via
## Targets
- How can I fuzz a binary-only target?
+ How can I fuzz a binary-only target?
AFL++ is a great fuzzer if you have the source code available.
@@ -87,7 +87,7 @@ If you find an interesting or important question missing, submit it via
- How can I fuzz a network service?
+ How can I fuzz a network service?
The short answer is - you cannot, at least not "out of the box".
@@ -95,7 +95,7 @@ If you find an interesting or important question missing, submit it via
- How can I fuzz a GUI program?
+ How can I fuzz a GUI program?
Not all GUI programs are suitable for fuzzing. If the GUI program can read the fuzz data from a file without needing any user interaction, then it would be suitable for fuzzing.
@@ -105,13 +105,13 @@ If you find an interesting or important question missing, submit it via
## Performance
- How can I improve the fuzzing speed?
+ How can I improve the fuzzing speed?
There are a few things you can do to improve the fuzzing speed, see [best_practices.md#improving-speed](best_practices.md#improving-speed).
- Why is my stability below 100%?
+ Why is my stability below 100%?
Stability is measured by how many percent of the edges in the target are "stable".
Sending the same input again and again should take the exact same path through the target every time.
@@ -131,7 +131,7 @@ If you find an interesting or important question missing, submit it via
## Troubleshooting
- I got a weird compile error from clang.
+ I got a weird compile error from clang.
If you see this kind of error when trying to instrument a target with afl-cc/afl-clang-fast/afl-clang-lto:
From 78d7944bbf4608437563114c0e4291a9a516cfff Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Tue, 7 Sep 2021 14:01:27 +0200
Subject: [PATCH 027/305] Update docs/rpc_statsd.md
---
docs/rpc_statsd.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index cff93b7c..2d340dd7 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -66,7 +66,7 @@ For all your fuzzers, only one instance of StatsD, Prometheus, and Grafana is re
You can create and move the infrastructure files into a directory of your choice. The directory will store all the required configuration files.
-To install and set up StatsD, Prometheus, and Grafana:
+To install and set up Prometheus and Grafana:
1. Install Docker and Docker Compose:
From cb01d566167b8c0d02a19485d13fdd05c1b8347b Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Tue, 7 Sep 2021 15:49:42 +0200
Subject: [PATCH 028/305] unicornafl clippy
---
unicorn_mode/UNICORNAFL_VERSION | 2 +-
unicorn_mode/unicornafl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 0db54339..0d84243c 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-c0e03d2c
+1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 019b8715..1c47d1eb 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad
+Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
From f760e80729412a2cd44a12e76b81ccb433626e60 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 7 Sep 2021 17:15:54 +0200
Subject: [PATCH 029/305] add check_binary_signatures for afl-* utils
---
docs/Changelog.md | 3 ++-
include/common.h | 1 +
src/afl-analyze.c | 1 +
src/afl-common.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++
src/afl-showmap.c | 2 ++
src/afl-tmin.c | 1 +
6 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 0ffbef05..de217c2e 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,7 +15,8 @@ sending a mail to .
information on how to deal with instrumenting libraries
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
-
+ - afl-showmap, afl-tmin and afl-analyze now honor persistent mode
+ for more speed. thanks to dloffre-snl for reporting!
- afl-cc:
- fix for shared linking on MacOS
- llvm and LTO mode verified to work with new llvm 14-dev
diff --git a/include/common.h b/include/common.h
index 7bba9e91..2ca44301 100644
--- a/include/common.h
+++ b/include/common.h
@@ -38,6 +38,7 @@
#define STRINGIFY_VAL_SIZE_MAX (16)
+u32 check_binary_signatures(u8 *fn);
void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin);
void print_suggested_envs(char *mispelled_env);
void check_environment_vars(char **env);
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index e19df3ce..eef08494 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -1093,6 +1093,7 @@ int main(int argc, char **argv_orig, char **envp) {
parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL);
read_initial_file();
+ (void)check_binary_signatures(fsrv.target_path);
ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...",
mem_limit, exec_tmout, edges_only ? ", edges only" : "");
diff --git a/src/afl-common.c b/src/afl-common.c
index 9ca2b3e8..db19f0a7 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -25,8 +25,12 @@
#include
#include
+#define _GNU_SOURCE
+#define __USE_GNU
+#include
#include
#include
+#include
#include "debug.h"
#include "alloc-inl.h"
@@ -51,6 +55,66 @@ u8 last_intr = 0;
#define AFL_PATH "/usr/local/lib/afl/"
#endif
+u32 check_binary_signatures(u8 *fn) {
+
+ int ret = 0, fd = open(fn, O_RDONLY);
+ if (fd < 0) { PFATAL("Unable to open '%s'", fn); }
+ struct stat st;
+ if (fstat(fd, &st) < 0) { PFATAL("Unable to fstat '%s'", fn); }
+ u32 f_len = st.st_size;
+ u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); }
+ close(fd);
+
+ if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
+
+ if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); }
+ setenv(PERSIST_ENV_VAR, "1", 1);
+ ret = 1;
+
+ } else if (getenv("AFL_PERSISTENT")) {
+
+ if (!be_quiet) {
+
+ WARNF("AFL_PERSISTENT is no longer supported and may misbehave!");
+
+ }
+
+ } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) {
+
+ if (!be_quiet) {
+
+ OKF("FRIDA Persistent mode configuration options detected.");
+
+ }
+
+ setenv(PERSIST_ENV_VAR, "1", 1);
+ ret = 1;
+
+ }
+
+ if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
+
+ if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); }
+ setenv(DEFER_ENV_VAR, "1", 1);
+ ret += 2;
+
+ } else if (getenv("AFL_DEFER_FORKSRV")) {
+
+ if (!be_quiet) {
+
+ WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!");
+
+ }
+
+ }
+
+ if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); }
+
+ return ret;
+
+}
+
void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin) {
u32 i = 0;
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 9122cd25..27b1e14a 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1189,6 +1189,8 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ (void)check_binary_signatures(fsrv->target_path);
+
shm_fuzz = ck_alloc(sizeof(sharedmem_t));
/* initialize cmplog_mode */
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 792770e0..dff51e84 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -1209,6 +1209,7 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz = map + sizeof(u32);
read_initial_file();
+ (void)check_binary_signatures(fsrv->target_path);
if (!fsrv->qemu_mode && !unicorn_mode) {
From 8af84c203cfe241b5a8321c62387fd107ebf1031 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 7 Sep 2021 19:26:25 +0200
Subject: [PATCH 030/305] fix afl-showmap
---
src/afl-showmap.c | 2 +-
unicorn_mode/unicornafl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 27b1e14a..e143371e 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1189,7 +1189,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
- (void)check_binary_signatures(fsrv->target_path);
+ if (in_dir) { (void)check_binary_signatures(fsrv->target_path); }
shm_fuzz = ck_alloc(sizeof(sharedmem_t));
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 1c47d1eb..019b8715 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
+Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad
From 6546a0a5fd5532464916c6c4adfbb22d87a5acd5 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Fri, 10 Sep 2021 14:26:51 +0200
Subject: [PATCH 031/305] Update docs/rpc_statsd.md
---
docs/rpc_statsd.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index 2d340dd7..288d56cb 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -62,7 +62,7 @@ The easiest way to install and set up the infrastructure is with Docker and Dock
Depending on your fuzzing setup and infrastructure, you may not want to run these applications on your fuzzer instances. This setup may be modified before use in a production environment; for example, adding passwords, creating volumes for storage, tweaking the metrics gathering to get host metrics (CPU, RAM, and so on).
-For all your fuzzers, only one instance of StatsD, Prometheus, and Grafana is required.
+For all your fuzzing instances, only one instance of Prometheus and Grafana is required. The [statsd exporter](https://registry.hub.docker.com/r/prom/statsd-exporter) converts the StatsD metrics to Prometheus. If you are using a provider that supports StatsD directly, you can skip this part of the setup."
You can create and move the infrastructure files into a directory of your choice. The directory will store all the required configuration files.
From bd4ecd83b1e4126300475d5beb09b4a8327b045a Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Fri, 10 Sep 2021 15:35:29 +0200
Subject: [PATCH 032/305] Update README.md
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index db6a70b5..eb99d9bd 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ You are free to copy, modify, and distribute AFL++ with attribution under the te
Here is some information to get you started:
-* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [major behaviour changes in AFL++](docs/behaviour_changes.md).
+* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [important behaviour changes in AFL++](docs/important_changes.md).
* If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
* For comparisons, use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
@@ -66,7 +66,7 @@ A common way to do this would be:
make clean all
2. Get a small but valid input file that makes sense to the program.
-When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](../dictionaries/README.md), too.
+When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
@@ -82,7 +82,7 @@ When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described i
Questions? Concerns? Bug reports?
* The contributors can be reached via [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
-* Take a look at our [FAQ](docs/faq.md). If you find an interesting or important question missing, submit it via
+* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important question missing, submit it via
[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
* There is a mailing list for the AFL/AFL++ project ([browse archive](https://groups.google.com/group/afl-users)). To compare notes with other users or to get notified about major new features, send an email to .
* Or join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
From 82ef4a90b0ff12a297e1bc3f1c8256ae9ace4f25 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Fri, 10 Sep 2021 21:37:55 +0200
Subject: [PATCH 033/305] Fix links
---
README.md | 2 +-
docs/best_practices.md | 2 +-
docs/branches.md | 2 +-
docs/fuzzing_expert.md | 2 +-
docs/interpreting_output.md | 2 +-
docs/known_limitations.md | 2 +-
docs/life_pro_tips.md | 20 ++++++++++----------
docs/rpc_statsd.md | 2 +-
docs/triaging_crashes.md | 2 +-
9 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index eb99d9bd..25e47ef2 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ You are free to copy, modify, and distribute AFL++ with attribution under the te
Here is some information to get you started:
-* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [important behaviour changes in AFL++](docs/important_changes.md).
+* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [important changes in AFL++](docs/important_changes.md).
* If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
* For comparisons, use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 23fa237d..1521748a 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -59,7 +59,7 @@ which allows you to define network state with different type of data packets.
1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended).
2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase).
3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase).
-4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md).
+4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md).
5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure).
6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem.
7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads).
diff --git a/docs/branches.md b/docs/branches.md
index 1e4ebbb2..81c73a0f 100644
--- a/docs/branches.md
+++ b/docs/branches.md
@@ -7,4 +7,4 @@ The following branches exist:
* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
* (any other): experimental branches to work on specific features or testing new functionality or changes.
-For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major behaviour changes in AFL++](behaviour_changes.md).
\ No newline at end of file
+For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [important changes in AFL++](important_changes.md).
\ No newline at end of file
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 23b24ad0..37ab8e2f 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -620,4 +620,4 @@ This is basically all you need to know to professionally run fuzzing campaigns.
If you want to know more, the tons of texts in [docs/](./) will have you covered.
Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
\ No newline at end of file
+(some might be deprecated or unsupported), see [tools.md](tools.md).
\ No newline at end of file
diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md
index 54ad76df..364d2cf4 100644
--- a/docs/interpreting_output.md
+++ b/docs/interpreting_output.md
@@ -1,6 +1,6 @@
# Interpreting output
-See the [docs/status_screen.md](docs/status_screen.md) file for information on
+See the [status_screen.md](status_screen.md) file for information on
how to interpret the displayed stats and monitor the health of the process. Be
sure to consult this file especially if any UI elements are highlighted in red.
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
index deb539e2..b5fc8446 100644
--- a/docs/known_limitations.md
+++ b/docs/known_limitations.md
@@ -15,7 +15,7 @@ Here are some of the most important caveats for AFL:
To work around this, you can comment out the relevant checks (see
utils/libpng_no_checksum/ for inspiration); if this is not possible,
you can also write a postprocessor, one of the hooks of custom mutators.
- See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use
+ See [custom_mutators.md](custom_mutators.md) on how to use
`AFL_CUSTOM_MUTATOR_LIBRARY`
- There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md
index 13ffcea0..e79bcafa 100644
--- a/docs/life_pro_tips.md
+++ b/docs/life_pro_tips.md
@@ -27,16 +27,16 @@ Run the bundled `afl-plot` utility to generate browser-friendly graphs.
Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`.
## Puzzled by something showing up in red or purple in the AFL UI?
-It could be important - consult docs/status_screen.md right away!
+It could be important - consult [status_screen.md](status_screen.md) right away!
## Know your target? Convert it to persistent mode for a huge performance gain!
-Consult section #5 in README.llvm.md for tips.
+Consult section #5 in [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) for tips.
## Using clang?
-Check out instrumentation/ for a faster alternative to afl-gcc!
+Check out [instrumentation/](../instrumentation/) for a faster alternative to afl-gcc!
## Did you know that AFL can fuzz closed-source or cross-platform binaries?
-Check out qemu_mode/README.md and unicorn_mode/README.md for more.
+Check out [qemu_mode/README.md](../qemu_mode/README.md) and [unicorn_mode/README.md](../unicorn_mode/README.md) for more.
## Did you know that afl-fuzz can minimize any test case for you?
Try the bundled `afl-tmin` tool - and get small repro files fast!
@@ -46,7 +46,7 @@ Try the bundled `afl-tmin` tool - and get small repro files fast!
## Trouble dealing with a machine uprising? Relax, we've all been there.
-Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
+Find essential survival tips at [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
## Want to automatically spot non-crashing memory handling bugs?
@@ -54,7 +54,7 @@ Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
## Good selection of input files is critical to a successful fuzzing job.
-See docs/perf_tips.md for pro tips.
+See [perf_tips.md](perf_tips.md) for pro tips.
## You can improve the odds of automatically spotting stack corruption issues.
@@ -70,18 +70,18 @@ sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bu
## Hey kid... pssst... want to figure out how AFL really works?
-Check out docs/technical_details.md for all the gory details in one place!
+Check out [technical_details.md](technical_details.md) for all the gory details in one place!
## There's a ton of third-party helper tools designed to work with AFL!
-Be sure to check out docs/sister_projects.md before writing your own.
+Be sure to check out [sister_projects.md](sister_projects.md) before writing your own.
## Need to fuzz the command-line arguments of a particular program?
-You can find a simple solution in utils/argv_fuzzing.
+You can find a simple solution in [utils/argv_fuzzing](../utils/argv_fuzzing/).
## Attacking a format that uses checksums?
Remove the checksum-checking code or use a postprocessor!
-See `afl_custom_post_process` in custom_mutators/examples/example.c for more.
+See `afl_custom_post_process` in [custom_mutators/examples/example.c](../custom_mutators/examples/example.c) for more.
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index 898ad099..efbd550b 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -41,7 +41,7 @@ To enable the StatsD reporting on your fuzzer instances, you need to set the env
Setting `AFL_STATSD_TAGS_FLAVOR` to the provider of your choice will assign tags / labels to each metric based on their format.
The possible values are `dogstatsd`, `librato`, `signalfx` or `influxdb`.
-For more information on these env vars, check out `docs/env_variables.md`.
+For more information on these env vars, check out [env_variables.md](env_variables.md).
The simplest way of using this feature is to use any metric provider and change the host/port of your StatsD daemon,
with `AFL_STATSD_HOST` and `AFL_STATSD_PORT`, if required (defaults are `localhost` and port `8125`).
diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md
index 1857c4b1..21ccecaa 100644
--- a/docs/triaging_crashes.md
+++ b/docs/triaging_crashes.md
@@ -43,4 +43,4 @@ file, attempts to sequentially flip bytes, and observes the behavior of the
tested program. It then color-codes the input based on which sections appear to
be critical, and which are not; while not bulletproof, it can often offer quick
insights into complex file formats. More info about its operation can be found
-near the end of [docs/technical_details.md](docs/technical_details.md).
\ No newline at end of file
+near the end of [technical_details.md](technical_details.md).
\ No newline at end of file
From 51b2e86ec077c0b67ef1b54a9a30288b74c01be0 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 15 Sep 2021 12:28:05 +0200
Subject: [PATCH 034/305] fix links
---
GNUmakefile | 2 +-
afl-system-config | 2 +-
docs/ci_fuzzing.md | 2 +-
docs/fuzzing_binary-only_targets.md | 5 +++--
docs/fuzzing_expert.md | 2 +-
5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index 376f6e9a..0a6f3950 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -541,7 +541,7 @@ test_build: afl-cc afl-gcc afl-as afl-showmap
# echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
# @rm -f test-instr
# @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \
-# gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option."; echo "See docs/INSTALL.md section 5 how to build a -B enabled gcc." ) || \
+# gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option." ) || \
# ( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi
# @echo
# @echo "[+] All right, the instrumentation of afl-gcc seems to be working!"
diff --git a/afl-system-config b/afl-system-config
index dbdbbf1f..3c14ba55 100755
--- a/afl-system-config
+++ b/afl-system-config
@@ -52,7 +52,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
echo
}
- echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed
+ echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
echo
DONE=1
fi
diff --git a/docs/ci_fuzzing.md b/docs/ci_fuzzing.md
index 316059f8..8d1a2f99 100644
--- a/docs/ci_fuzzing.md
+++ b/docs/ci_fuzzing.md
@@ -26,4 +26,4 @@ Some notes on CI Fuzzing - this fuzzing is different to normal fuzzing campaigns
`-M` enables old queue handling etc. which is good for a fuzzing campaign but not good for short CI runs.
How this can look like can e.g. be seen at AFL++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl)
-and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/python/bot/fuzzers/afl/launcher.py).
\ No newline at end of file
+and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/clusterfuzz/_internal/bot/fuzzers/afl/launcher.py).
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md
index a39e40a0..8b3bbeff 100644
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@@ -51,7 +51,7 @@ make
```
For additional instructions and caveats, see [frida_mode/README.md](../frida_mode/README.md).
-If possible you should use the persistent mode, see [qemu_frida/README.persistent.md](../qemu_frida/README.persistent.md).
+If possible you should use the persistent mode, see [qemu_frida/README.md](../qemu_frida/README.md).
The mode is approximately 2-5x slower than compile-time instrumentation, and is
less conducive to parallelization.
@@ -71,7 +71,8 @@ cd unicorn_mode
If the goal is to fuzz a dynamic library then there are two options available.
For both you need to write a small harness that loads and calls the library.
-Faster is the frida solution: [utils/afl_frida/README.md](../utils/afl_frida/README.md)
+Then you fuzz this with either frida_mode or qemu_mode, and either use
+`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES`
Another, less precise and slower option is using ptrace with debugger interrupt
instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md).
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 23b24ad0..7695e21f 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -472,7 +472,7 @@ If you are using AFL spinoffs or AFL conforming fuzzers, then just use the
same -o directory and give it a unique `-S` name.
Examples are:
* [Fuzzolic](https://github.com/season-lab/fuzzolic)
- * [symcc](https://github.com/eurecom-s/symcc/)
+ * [symcc](https://github.com/eurecom-s3/symcc/)
* [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/)
* [AFLsmart](https://github.com/aflsmart/aflsmart)
* [FairFuzz](https://github.com/carolemieux/afl-rb)
From d6500eb298936c18af3f2d6529f23723dbdf67c5 Mon Sep 17 00:00:00 2001
From: mart1n
Date: Mon, 20 Sep 2021 18:55:39 +0800
Subject: [PATCH 035/305] fix a bug in frida_mode/test/libpcap/GNUMakefile
---
frida_mode/test/libpcap/GNUmakefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile
index 6f2b58af..f8dc3db7 100644
--- a/frida_mode/test/libpcap/GNUmakefile
+++ b/frida_mode/test/libpcap/GNUmakefile
@@ -59,7 +59,7 @@ GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
AFL_QEMU_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x4000000000)
-ifeq "$(ARCH)" "aarch64"
+ifeq "$(ARCH)" "arm64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000aaaaaaaaa000)
endif
From c8f6a313110db8db033bfbfc4eb3d7043daa430d Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Wed, 22 Sep 2021 23:05:54 +0100
Subject: [PATCH 036/305] Performance improvements (#1094)
---
frida_mode/src/instrument/instrument_x64.c | 202 ++++++++++++++++---
frida_mode/test/freetype2/GNUmakefile | 192 ++++++++++++++++++
frida_mode/test/freetype2/Makefile | 13 ++
frida_mode/test/freetype2/get_symbol_addr.py | 36 ++++
4 files changed, 413 insertions(+), 30 deletions(-)
create mode 100644 frida_mode/test/freetype2/GNUmakefile
create mode 100644 frida_mode/test/freetype2/Makefile
create mode 100755 frida_mode/test/freetype2/get_symbol_addr.py
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index fec8afbb..8948c4df 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -1,6 +1,9 @@
+#include
+
#include "frida-gumjs.h"
#include "config.h"
+#include "debug.h"
#include "instrument.h"
@@ -8,38 +11,120 @@
static GumAddress current_log_impl = GUM_ADDRESS(0);
-static const guint8 afl_log_code[] = {
+ #pragma pack(push, 1)
- 0x9c, /* pushfq */
- 0x51, /* push rcx */
- 0x52, /* push rdx */
+typedef struct {
- 0x48, 0x8b, 0x0d, 0x26,
- 0x00, 0x00, 0x00, /* mov rcx, sym.&previous_pc */
- 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */
- 0x48, 0x31, 0xfa, /* xor rdx, rdi */
+ /*
+ * pushfq
+ * push rdx
+ * mov rdx, [&previouspc] (rip relative addr)
+ * xor rdx, rdi (current_pc)
+ * shr rdi. 1
+ * mov [&previouspc], rdi
+ * lea rsi, [&_afl_area_ptr] (rip relative)
+ * add rdx, rsi
+ * add byte ptr [rdx], 1
+ * adc byte ptr [rdx], 0
- 0x48, 0x03, 0x15, 0x11,
- 0x00, 0x00, 0x00, /* add rdx, sym._afl_area_ptr_ptr */
+ * pop rdx
+ * popfq
+ */
+ uint8_t push_fq;
+ uint8_t push_rdx;
+ uint8_t mov_rdx_rip_off[7];
+ uint8_t xor_rdx_rdi[3];
+ uint8_t shr_rdi[3];
+ uint8_t mov_rip_off_rdi[7];
- 0x80, 0x02, 0x01, /* add byte ptr [rdx], 1 */
- 0x80, 0x12, 0x00, /* adc byte ptr [rdx], 0 */
- 0x66, 0xd1, 0xcf, /* ror di, 1 */
- 0x48, 0x89, 0x39, /* mov qword [rcx], rdi */
+ uint8_t lea_rdi_rip_off[7];
+ uint8_t add_rdx_rdi[3];
+ uint8_t add_byte_ptr_rdx[3];
+ uint8_t adc_byte_ptr_rdx[3];
- 0x5a, /* pop rdx */
- 0x59, /* pop rcx */
- 0x9d, /* popfq */
+ uint8_t pop_rdx;
+ uint8_t pop_fq;
+ uint8_t ret;
- 0xc3, /* ret */
+} afl_log_code_asm_t;
- 0x90
+ #pragma pack(pop)
- /* Read-only data goes here: */
- /* uint8_t* __afl_area_ptr */
- /* uint64_t* &previous_pc */
+ #pragma pack(push, 8)
+typedef struct {
-};
+ afl_log_code_asm_t assembly;
+ uint64_t current_pc;
+
+} afl_log_code_t;
+
+ #pragma pack(pop)
+
+typedef union {
+
+ afl_log_code_t data;
+ uint8_t bytes[0];
+
+} afl_log_code;
+
+static const afl_log_code_asm_t template = {
+
+ .push_fq = 0x9c,
+ .push_rdx = 0x52,
+ .mov_rdx_rip_off =
+ {
+
+ 0x48, 0x8b, 0x15,
+ /* TBC */
+
+ },
+
+ .xor_rdx_rdi =
+ {
+
+ 0x48,
+ 0x31,
+ 0xfa,
+
+ },
+
+ .shr_rdi = {0x48, 0xd1, 0xef},
+ .mov_rip_off_rdi = {0x48, 0x89, 0x3d},
+
+ .lea_rdi_rip_off =
+ {
+
+ 0x48,
+ 0x8d,
+ 0x3d,
+
+ },
+
+ .add_rdx_rdi = {0x48, 0x01, 0xfA},
+
+ .add_byte_ptr_rdx =
+ {
+
+ 0x80,
+ 0x02,
+ 0x01,
+
+ },
+
+ .adc_byte_ptr_rdx =
+ {
+
+ 0x80,
+ 0x12,
+ 0x00,
+
+ },
+
+ .pop_rdx = 0x5a,
+ .pop_fq = 0x9d,
+ .ret = 0xc3};
+
+static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
gboolean instrument_is_coverage_optimize_supported(void) {
@@ -47,12 +132,19 @@ gboolean instrument_is_coverage_optimize_supported(void) {
}
-static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
+static gboolean instrument_coverage_in_range(gssize offset) {
+
+ return (offset >= G_MININT32 && offset <= G_MAXINT32);
+
+}
static void instrument_coverate_write_function(GumStalkerOutput *output) {
guint64 misalign = 0;
GumX86Writer *cw = output->writer.x86;
+ GumAddress code_addr = 0;
+ afl_log_code code = {0};
+ guint64 instrument_hash_zero = 0;
if (current_log_impl == 0 ||
!gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) ||
@@ -71,13 +163,63 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
}
current_log_impl = cw->pc;
- gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code));
+ // gum_x86_writer_put_breakpoint(cw);
+ code_addr = cw->pc;
- uint64_t *afl_prev_loc_ptr = &instrument_previous_pc;
- gum_x86_writer_put_bytes(cw, (const guint8 *)&__afl_area_ptr,
- sizeof(__afl_area_ptr));
- gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr,
- sizeof(afl_prev_loc_ptr));
+ code.data.assembly = template;
+ code.data.current_pc = instrument_get_offset_hash(0);
+
+ gssize current_pc_value1 =
+ GPOINTER_TO_SIZE(&instrument_previous_pc) -
+ (code_addr + offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) +
+ sizeof(code.data.assembly.mov_rdx_rip_off));
+ gssize patch_offset1 =
+ offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) +
+ sizeof(code.data.assembly.mov_rdx_rip_off) - sizeof(gint);
+ if (!instrument_coverage_in_range(current_pc_value1)) {
+
+ FATAL("Patch out of range (current_pc_value1): 0x%016lX",
+ current_pc_value1);
+
+ }
+
+ *((gint *)&code.bytes[patch_offset1]) = (gint)current_pc_value1;
+
+ gssize current_pc_value2 =
+ GPOINTER_TO_SIZE(&instrument_previous_pc) -
+ (code_addr + offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) +
+ sizeof(code.data.assembly.mov_rip_off_rdi));
+ gssize patch_offset2 =
+ offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) +
+ sizeof(code.data.assembly.mov_rip_off_rdi) - sizeof(gint);
+
+ if (!instrument_coverage_in_range(current_pc_value2)) {
+
+ FATAL("Patch out of range (current_pc_value2): 0x%016lX",
+ current_pc_value2);
+
+ }
+
+ *((gint *)&code.bytes[patch_offset2]) = (gint)current_pc_value2;
+
+ gsize afl_area_ptr_value =
+ GPOINTER_TO_SIZE(__afl_area_ptr) -
+ (code_addr + offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) +
+ sizeof(code.data.assembly.lea_rdi_rip_off));
+ gssize afl_area_ptr_offset =
+ offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) +
+ sizeof(code.data.assembly.lea_rdi_rip_off) - sizeof(gint);
+
+ if (!instrument_coverage_in_range(afl_area_ptr_value)) {
+
+ FATAL("Patch out of range (afl_area_ptr_value): 0x%016lX",
+ afl_area_ptr_value);
+
+ }
+
+ *((gint *)&code.bytes[afl_area_ptr_offset]) = (gint)afl_area_ptr_value;
+
+ gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
gum_x86_writer_put_label(cw, after_log_impl);
diff --git a/frida_mode/test/freetype2/GNUmakefile b/frida_mode/test/freetype2/GNUmakefile
new file mode 100644
index 00000000..891660ca
--- /dev/null
+++ b/frida_mode/test/freetype2/GNUmakefile
@@ -0,0 +1,192 @@
+PWD:=$(shell pwd)/
+ROOT:=$(PWD)../../../
+BUILD_DIR:=$(PWD)build/
+
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so
+
+# git clone git://git.sv.nongnu.org/freetype/freetype2.git
+# git clone https://github.com/unicode-org/text-rendering-tests.git TRT
+# wget https://github.com/libarchive/libarchive/releases/download/v3.4.3/libarchive-3.4.3.tar.xz
+
+# cp TRT/fonts/TestKERNOne.otf $OUT/seeds/
+# cp TRT/fonts/TestGLYFOne.ttf $OUT/seeds/
+
+# $CXX $CXXFLAGS -std=c++11 -I include -I . src/tools/ftfuzzer/ftfuzzer.cc \
+# objs/.libs/libfreetype.a $FUZZER_LIB -L /usr/local/lib -larchive \
+# -o $OUT/ftfuzzer
+
+LIBARCHIVE_URL:=https://github.com/libarchive/libarchive/releases/download/v3.4.3/libarchive-3.4.3.tar.xz
+LIBARCHIVE_BUILD_DIR:=$(BUILD_DIR)libarchive/
+LIBARCHIVE_TARBALL:=$(LIBARCHIVE_BUILD_DIR)libarchive-3.4.3.tar.xz
+LIBARCHIVE_DIR:=$(LIBARCHIVE_BUILD_DIR)libarchive-3.4.3/
+LIBARCHIVE_LIB:=$(LIBARCHIVE_DIR).libs/libarchive.a
+
+FREETYPE2_GIT_REPO:=git://git.sv.nongnu.org/freetype/freetype2.git
+FREETYPE2_BUILD_DIR:=$(BUILD_DIR)freetype2/
+FREETYPE2_DIR:=$(FREETYPE2_BUILD_DIR)freetype2/
+FREETYPE2_LIB:=$(FREETYPE2_DIR)objs/.libs/libfreetype.a
+
+HARNESS_URL:=https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c
+HARNESS_SRC:=$(BUILD_DIR)StandaloneFuzzTargetMain.c
+HARNESS_OBJ:=$(BUILD_DIR)StandaloneFuzzTargetMain.o
+
+TRT_GIT_REPO:=https://github.com/unicode-org/text-rendering-tests.git
+TRT_DIR:=$(BUILD_DIR)TRT/
+
+FUZZER_SRC:=$(FREETYPE2_DIR)src/tools/ftfuzzer/ftfuzzer.cc
+
+
+LDFLAGS += -lpthread
+
+TEST_BIN:=$(BUILD_DIR)test
+ifeq "$(shell uname)" "Darwin"
+TEST_BIN_LDFLAGS:=-undefined dynamic_lookup -Wl,-no_pie
+endif
+
+TEST_DATA_DIR:=$(BUILD_DIR)in/
+TEST_DATA_FILE:=$(TEST_DATA_DIR)default_seed
+
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+QEMU_OUT:=$(BUILD_DIR)qemu-out
+
+ifndef ARCH
+
+ARCH=$(shell uname -m)
+ifeq "$(ARCH)" "aarch64"
+ ARCH:=arm64
+endif
+
+ifeq "$(ARCH)" "i686"
+ ARCH:=x86
+endif
+endif
+
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+
+AFL_QEMU_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x4000000000)
+
+ifeq "$(ARCH)" "aarch64"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000aaaaaaaaa000)
+endif
+
+ifeq "$(ARCH)" "x86_64"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000555555554000)
+endif
+
+ifeq "$(ARCH)" "x86"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x56555000)
+endif
+
+.PHONY: all clean frida hook
+
+all: $(TEST_BIN)
+ make -C $(ROOT)frida_mode/
+
+32:
+ CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
+
+$(BUILD_DIR):
+ mkdir -p $@
+
+########## LIBARCHIVE #######
+
+$(LIBARCHIVE_BUILD_DIR): | $(BUILD_DIR)
+ mkdir -p $@
+
+$(LIBARCHIVE_TARBALL): | $(LIBARCHIVE_BUILD_DIR)
+ wget -O $@ $(LIBARCHIVE_URL)
+
+$(LIBARCHIVE_DIR): | $(LIBARCHIVE_TARBALL)
+ tar Jxvf $(LIBARCHIVE_TARBALL) -C $(LIBARCHIVE_BUILD_DIR)
+
+$(LIBARCHIVE_DIR)Makefile: | $(LIBARCHIVE_DIR)
+ cd $(LIBARCHIVE_DIR) && ./configure --disable-shared
+
+$(LIBARCHIVE_LIB): $(LIBARCHIVE_DIR)Makefile
+ make -C $(LIBARCHIVE_DIR) clean all
+
+########## FREETYPE2 #######
+
+$(FREETYPE2_BUILD_DIR): | $(BUILD_DIR)
+ mkdir -p $@
+
+$(FREETYPE2_DIR): | $(FREETYPE2_BUILD_DIR)
+ git clone $(FREETYPE2_GIT_REPO) $@
+ git -C $(FREETYPE2_DIR) checkout cd02d359a6d0455e9d16b87bf9665961c4699538
+
+$(FREETYPE2_LIB): | $(FREETYPE2_DIR)
+ cd $(FREETYPE2_DIR) && ./autogen.sh
+ cd $(FREETYPE2_DIR) && ./configure --with-harfbuzz=no --with-bzip2=no --with-png=no --without-zlib
+ make -C $(FREETYPE2_DIR) all
+
+########## HARNESS #######
+
+$(HARNESS_SRC):
+ wget -O $@ $(HARNESS_URL)
+
+$(HARNESS_OBJ): $(HARNESS_SRC)
+ $(CC) -o $@ -c $<
+
+########## TEST #######
+
+$(TEST_BIN): $(LIBARCHIVE_LIB) $(FREETYPE2_LIB) $(HARNESS_OBJ)
+ $(CXX) \
+ $(CXXFLAGS) \
+ -std=c++11 \
+ -I $(FREETYPE2_DIR)include \
+ -I $(FREETYPE2_DIR) \
+ -I $(LIBARCHIVE_DIR)/libarchive \
+ $(FUZZER_SRC) \
+ $(FREETYPE2_LIB) \
+ $(LIBARCHIVE_LIB) \
+ $(HARNESS_OBJ) \
+ -o $@
+
+########## DUMMY #######
+
+$(TRT_DIR): | $(BUILD_DIR)
+ git clone $(TRT_GIT_REPO) $@
+
+$(TEST_DATA_DIR): | $(TRT_DIR)
+ mkdir -p $@
+ cp $(TRT_DIR)fonts/TestKERNOne.otf $@
+ cp $(TRT_DIR)fonts/TestGLYFOne.ttf $@
+
+$(TEST_DATA_FILE): | $(TEST_DATA_DIR)
+ dd if=/dev/zero bs=1048576 count=1 of=$@
+
+###### TEST DATA #######
+
+clean:
+ rm -rf $(BUILD_DIR)
+
+frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
+ AFL_FRIDA_PERSISTENT_CNT=1000000 \
+ AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
+ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
+ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
+ $(ROOT)afl-fuzz \
+ -i $(TEST_DATA_DIR) \
+ -o $(FRIDA_OUT) \
+ -m none \
+ -d \
+ -O \
+ -V 30 \
+ -- \
+ $(TEST_BIN) $(TEST_DATA_FILE)
+
+qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
+ AFL_QEMU_PERSISTENT_CNT=1000000 \
+ AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
+ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
+ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
+ $(ROOT)afl-fuzz \
+ -i $(TEST_DATA_DIR) \
+ -o $(QEMU_OUT) \
+ -m none \
+ -d \
+ -Q \
+ -V 30 \
+ -- \
+ $(TEST_BIN) $(TEST_DATA_FILE)
diff --git a/frida_mode/test/freetype2/Makefile b/frida_mode/test/freetype2/Makefile
new file mode 100644
index 00000000..07b139e9
--- /dev/null
+++ b/frida_mode/test/freetype2/Makefile
@@ -0,0 +1,13 @@
+all:
+ @echo trying to use GNU make...
+ @gmake all || echo please install GNUmake
+
+32:
+ @echo trying to use GNU make...
+ @gmake 32 || echo please install GNUmake
+
+clean:
+ @gmake clean
+
+frida:
+ @gmake frida
diff --git a/frida_mode/test/freetype2/get_symbol_addr.py b/frida_mode/test/freetype2/get_symbol_addr.py
new file mode 100755
index 00000000..1c46e010
--- /dev/null
+++ b/frida_mode/test/freetype2/get_symbol_addr.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+import argparse
+from elftools.elf.elffile import ELFFile
+
+def process_file(file, symbol, base):
+ with open(file, 'rb') as f:
+ elf = ELFFile(f)
+ symtab = elf.get_section_by_name('.symtab')
+ mains = symtab.get_symbol_by_name(symbol)
+ if len(mains) != 1:
+ print ("Failed to find main")
+ return 1
+
+ main_addr = mains[0]['st_value']
+ main = base + main_addr
+ print ("0x%016x" % main)
+ return 0
+
+def hex_value(x):
+ return int(x, 16)
+
+def main():
+ parser = argparse.ArgumentParser(description='Process some integers.')
+ parser.add_argument('-f', '--file', dest='file', type=str,
+ help='elf file name', required=True)
+ parser.add_argument('-s', '--symbol', dest='symbol', type=str,
+ help='symbol name', required=True)
+ parser.add_argument('-b', '--base', dest='base', type=hex_value,
+ help='elf base address', required=True)
+
+ args = parser.parse_args()
+ return process_file (args.file, args.symbol, args.base)
+
+if __name__ == "__main__":
+ ret = main()
+ exit(ret)
From 0ed0c9493ee2aeecd1a16a65e48348be8db5c662 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 27 Sep 2021 06:21:12 +0300
Subject: [PATCH 037/305] Fix null ptr dereference of unresolved symbols on
early init (linking stage)
---
qemu_mode/libcompcov/libcompcov.so.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c
index 4fc84e62..24867cda 100644
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@@ -41,6 +41,13 @@
#error "Sorry, this library is Linux-specific for now!"
#endif /* !__linux__ */
+#ifndef likely
+# define likely(x) __builtin_expect((!!(x)),1)
+#endif
+#ifndef unlikely
+# define unlikely(x) __builtin_expect((!!(x)),0)
+#endif
+
/* Change this value to tune the compare coverage */
#define MAX_CMP_LENGTH 32
@@ -199,6 +206,7 @@ static u8 __compcov_is_in_bound(const void *ptr) {
int strcmp(const char *str1, const char *str2) {
+ if (unlikely(!__libc_strcmp)) { __libc_strcmp = dlsym(RTLD_NEXT, "strcmp"); }
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
@@ -227,6 +235,7 @@ int strcmp(const char *str1, const char *str2) {
int strncmp(const char *str1, const char *str2, size_t len) {
+ if (unlikely(!__libc_strncmp)) { __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); }
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
@@ -256,6 +265,7 @@ int strncmp(const char *str1, const char *str2, size_t len) {
int strcasecmp(const char *str1, const char *str2) {
+ if (unlikely(!__libc_strcasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); }
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
@@ -286,6 +296,7 @@ int strcasecmp(const char *str1, const char *str2) {
int strncasecmp(const char *str1, const char *str2, size_t len) {
+ if (unlikely(!__libc_strncasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); }
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
@@ -317,6 +328,7 @@ int strncasecmp(const char *str1, const char *str2, size_t len) {
int memcmp(const void *mem1, const void *mem2, size_t len) {
+ if (unlikely(!__libc_memcmp)) { __libc_memcmp = dlsym(RTLD_NEXT, "memcmp"); }
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
From 4473904bc0de7011a77309d96f7090a51c8fe768 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 1 Oct 2021 13:25:02 +0200
Subject: [PATCH 038/305] fix -n
---
docs/Changelog.md | 1 +
src/afl-fuzz-stats.c | 5 +++--
src/afl-fuzz.c | 2 +-
unicorn_mode/unicornafl | 2 +-
4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index de217c2e..dad5fee2 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,6 +15,7 @@ sending a mail to .
information on how to deal with instrumenting libraries
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
+ - fix -n dumb mode (nobody should use this)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
- afl-cc:
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index eb1fe2d9..870ba69a 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -560,8 +560,9 @@ void show_stats(afl_state_t *afl) {
/* Roughly every minute, update fuzzer stats and save auto tokens. */
- if (unlikely(afl->force_ui_update ||
- cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000)) {
+ if (unlikely(!afl->non_instrumented_mode &&
+ (afl->force_ui_update ||
+ cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000))) {
afl->stats_last_stats_ms = cur_ms;
write_stats_file(afl, t_bytes, t_byte_ratio, stab_ratio,
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 8ffc0e77..87da9798 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1918,7 +1918,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
- write_stats_file(afl, 0, 0, 0, 0);
+ if (!afl->non_instrumented_mode) { write_stats_file(afl, 0, 0, 0, 0); }
maybe_update_plot_file(afl, 0, 0, 0);
save_auto(afl);
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 019b8715..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
From d668f9697cc44a58ca38b42d99aa5143b13b703d Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Fri, 1 Oct 2021 16:29:48 +0200
Subject: [PATCH 039/305] update qemuafl
---
qemu_mode/QEMUAFL_VERSION | 2 +-
qemu_mode/qemuafl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 215826cc..ade3a779 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-a6758d1cc3
+86dead4dcb
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index a6758d1c..86dead4d 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
+Subproject commit 86dead4dcb1aae7181fbf6b5f3706eee9f842e3a
From e80131bef50d343e71a08cdf6ae1aa57b4475867 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Sat, 2 Oct 2021 22:47:22 +0200
Subject: [PATCH 040/305] fix some compiler warnings in 32-bit linux
---
frida_mode/src/instrument/instrument_x64.c | 11 +++++++----
frida_mode/src/prefetch.c | 8 +++++---
include/config.h | 4 ++--
src/afl-analyze.c | 2 +-
src/afl-fuzz.c | 2 +-
src/afl-showmap.c | 2 +-
src/afl-tmin.c | 2 +-
unicorn_mode/unicornafl | 2 +-
8 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index 8948c4df..1c2cf113 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -144,7 +144,7 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
GumX86Writer *cw = output->writer.x86;
GumAddress code_addr = 0;
afl_log_code code = {0};
- guint64 instrument_hash_zero = 0;
+ /*guint64 instrument_hash_zero = 0;*/
if (current_log_impl == 0 ||
!gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) ||
@@ -183,7 +183,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
}
- *((gint *)&code.bytes[patch_offset1]) = (gint)current_pc_value1;
+ gint *dst_pc_value = (gint *)&code.bytes[patch_offset1];
+ *dst_pc_value = (gint)current_pc_value1;
gssize current_pc_value2 =
GPOINTER_TO_SIZE(&instrument_previous_pc) -
@@ -200,7 +201,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
}
- *((gint *)&code.bytes[patch_offset2]) = (gint)current_pc_value2;
+ dst_pc_value = (gint *)&code.bytes[patch_offset2];
+ *dst_pc_value = (gint)current_pc_value2;
gsize afl_area_ptr_value =
GPOINTER_TO_SIZE(__afl_area_ptr) -
@@ -217,7 +219,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
}
- *((gint *)&code.bytes[afl_area_ptr_offset]) = (gint)afl_area_ptr_value;
+ gint *dst_afl_area_ptr_value = (gint *)&code.bytes[afl_area_ptr_offset];
+ *dst_afl_area_ptr_value = (gint)afl_area_ptr_value;
gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c
index 0efbc9bf..c30ca65c 100644
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@@ -44,8 +44,9 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self,
sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size;
if (sizeof(gsize) + size > remaining) { return; }
- *(gsize *)(&prefetch_data->backpatch_data[prefetch_data->backpatch_size]) =
- size;
+ gsize *dst_backpatch_size = (gsize *)
+ &prefetch_data->backpatch_data[prefetch_data->backpatch_size];
+ *dst_backpatch_size = size;
prefetch_data->backpatch_size += sizeof(gsize);
memcpy(&prefetch_data->backpatch_data[prefetch_data->backpatch_size],
@@ -115,7 +116,8 @@ static void prefetch_read_patches(void) {
remaining > sizeof(gsize);
remaining = prefetch_data->backpatch_size - offset) {
- gsize size = *(gsize *)(&prefetch_data->backpatch_data[offset]);
+ gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset];
+ gsize size = *src_backpatch_data;
offset += sizeof(gsize);
if (prefetch_data->backpatch_size - offset < size) {
diff --git a/include/config.h b/include/config.h
index da74989e..4630da0c 100644
--- a/include/config.h
+++ b/include/config.h
@@ -237,11 +237,11 @@
(note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c
and afl-fuzz-state.c have to be changed as well! */
-#define MAX_FILE (1 * 1024 * 1024U)
+#define MAX_FILE (1 * 1024 * 1024L)
/* The same, for the test case minimizer: */
-#define TMIN_MAX_FILE (10 * 1024 * 1024)
+#define TMIN_MAX_FILE (10 * 1024 * 1024L)
/* Block normalization steps for afl-tmin: */
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index eef08494..8295488d 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -184,7 +184,7 @@ static void read_initial_file(void) {
if (st.st_size >= TMIN_MAX_FILE) {
- FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024);
+ FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024);
}
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 87da9798..92a37697 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1348,7 +1348,7 @@ int main(int argc, char **argv_orig, char **envp) {
} else if (afl->q_testcase_max_cache_size < 2 * MAX_FILE) {
- FATAL("AFL_TESTCACHE_SIZE must be set to %u or more, or 0 to disable",
+ FATAL("AFL_TESTCACHE_SIZE must be set to %ld or more, or 0 to disable",
(2 * MAX_FILE) % 1048576 == 0 ? (2 * MAX_FILE) / 1048576
: 1 + ((2 * MAX_FILE) / 1048576));
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index e143371e..75b0ff99 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -413,7 +413,7 @@ static u32 read_file(u8 *in_file) {
if (!be_quiet && !quiet_mode) {
- WARNF("Input file '%s' is too large, only reading %u bytes.", in_file,
+ WARNF("Input file '%s' is too large, only reading %ld bytes.", in_file,
MAX_FILE);
}
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index dff51e84..4f3a6b80 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -221,7 +221,7 @@ static void read_initial_file(void) {
if (st.st_size >= TMIN_MAX_FILE) {
- FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024);
+ FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024);
}
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index c0e03d2c..1c47d1eb 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
+Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
From 1a79a36762ccb5cac6da8ce09fd681166d02352b Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Sun, 3 Oct 2021 00:32:59 +0200
Subject: [PATCH 041/305] fix compiler warning in 32-Bit
---
frida_mode/src/seccomp/seccomp_callback.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c
index 4af2ed0c..7e1e2070 100644
--- a/frida_mode/src/seccomp/seccomp_callback.c
+++ b/frida_mode/src/seccomp/seccomp_callback.c
@@ -14,8 +14,12 @@ static void seccomp_callback_filter(struct seccomp_notif * req,
GumDebugSymbolDetails details = {0};
if (req->data.nr == SYS_OPENAT) {
+#if UINTPTR_MAX == 0xffffffffffffffffu
seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]);
-
+#endif
+#if UINTPTR_MAX == 0xffffffff
+ seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]);
+#endif
}
seccomp_print(
From fc48a58e64b8c5abafa83b50ea68bf8e47d00552 Mon Sep 17 00:00:00 2001
From: David CARLIER
Date: Sun, 3 Oct 2021 07:35:13 +0100
Subject: [PATCH 042/305] frida mode macOs warning fix, syscall being
deprecated, using pthread_threadid_np available since snow leopard
---
frida_mode/src/instrument/instrument.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index fd0982f8..71d9bdf6 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -341,8 +341,14 @@ void instrument_init(void) {
* parallel fuzzing. The seed itself, doesn't have to be random, it
* just needs to be different for each instance.
*/
+ guint64 tid;
+#if defined(__APPLE__)
+ pthread_threadid_np(NULL, &tid);
+#else
+ tid = syscall(SYS_gettid);
+#endif
instrument_hash_seed = g_get_monotonic_time() ^
- (((guint64)getpid()) << 32) ^ syscall(SYS_gettid);
+ (((guint64)getpid()) << 32) ^ tid;
}
From 716d2029c0c2557486488ce6bb7910df9ce4ffcb Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sun, 3 Oct 2021 15:58:03 +0100
Subject: [PATCH 043/305] LLVM LTO plugin using smart pointer for
__afl_internal_directory variable
---
.../afl-llvm-lto-instrumentation.so.cc | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index e300044c..4a5738de 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -28,6 +28,7 @@
#include
#include
+#include
#include
#include
#include
@@ -1015,13 +1016,7 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (count) {
- if ((ptr = (char *)malloc(memlen + count)) == NULL) {
-
- fprintf(stderr, "Error: malloc for %zu bytes failed!\n",
- memlen + count);
- exit(-1);
-
- }
+ auto ptrhld = std::unique_ptr(new char[memlen + count]);
count = 0;
@@ -1030,8 +1025,8 @@ bool AFLLTOPass::runOnModule(Module &M) {
if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) {
- ptr[offset++] = (uint8_t)token.length();
- memcpy(ptr + offset, token.c_str(), token.length());
+ ptrhld.get()[offset++] = (uint8_t)token.length();
+ memcpy(ptrhld.get() + offset, token.c_str(), token.length());
offset += token.length();
count++;
@@ -1051,10 +1046,10 @@ bool AFLLTOPass::runOnModule(Module &M) {
GlobalVariable *AFLInternalDictionary = new GlobalVariable(
M, ArrayTy, true, GlobalValue::ExternalLinkage,
ConstantDataArray::get(C,
- *(new ArrayRef((char *)ptr, offset))),
+ *(new ArrayRef(ptrhld.get(), offset))),
"__afl_internal_dictionary");
AFLInternalDictionary->setInitializer(ConstantDataArray::get(
- C, *(new ArrayRef((char *)ptr, offset))));
+ C, *(new ArrayRef(ptrhld.get(), offset))));
AFLInternalDictionary->setConstant(true);
GlobalVariable *AFLDictionary = new GlobalVariable(
From 46683d651656f1876f6d4aeb24807ed71fa91237 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 4 Oct 2021 08:19:42 +0200
Subject: [PATCH 044/305] update docs
---
README.md | 20 ++++++++++++++++----
docs/fuzzing_expert.md | 7 ++++++-
qemu_mode/qemuafl | 2 +-
unicorn_mode/unicornafl | 2 +-
4 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index db6a70b5..76ef8448 100644
--- a/README.md
+++ b/README.md
@@ -66,17 +66,29 @@ A common way to do this would be:
make clean all
2. Get a small but valid input file that makes sense to the program.
-When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](../dictionaries/README.md), too.
+When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described
+in [dictionaries/README.md](../dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
- ./afl-fuzz -i testcase_dir -o findings_dir -- \
- /path/to/tested/program [...program's cmdline...]
+```
+ ./afl-fuzz -i seeds_dir -o output_dir -- \
+ /path/to/tested/program [...program's cmdline...]
+```
- If the program takes input from a file, you can put `@@` in the program's command line; AFL will put an auto-generated file name in there for you.
+ To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz.
+
+ If the program takes input from a file, you can put `@@` in the program's
+ command line; AFL will put an auto-generated file name in there for you.
4. Investigate anything shown in red in the fuzzer UI by promptly consulting [docs/status_screen.md](docs/status_screen.md).
+5. You will find found crashes and hangs in the subdirectories `crashes/` and
+ `hangs/` in the `-o output_dir` directory. You can replay the crashes by
+ feeding them to the target, e.g.:
+ `cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]`
+ You can generate cores or use gdb directly to follow up the crashes.
+
## Contact
Questions? Concerns? Bug reports?
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 7695e21f..ca884159 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -540,6 +540,11 @@ To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/`
If you have multiple servers then use the command after a sync, or you have
to execute this script per server.
+Another tool to inspect the current state and history of a specific instance
+is afl-plot, which generates an index.html file and a graphs that show how
+the fuzzing instance is performing.
+The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot`
+
#### e) Stopping fuzzing, restarting fuzzing, adding new seeds
To stop an afl-fuzz run, simply press Control-C.
@@ -620,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns.
If you want to know more, the tons of texts in [docs/](./) will have you covered.
Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
\ No newline at end of file
+(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index 86dead4d..a6758d1c 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit 86dead4dcb1aae7181fbf6b5f3706eee9f842e3a
+Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 1c47d1eb..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
From b9f88ab166bd798d25d3acdbc6b5c305d7875482 Mon Sep 17 00:00:00 2001
From: Daniel Ebert
Date: Tue, 5 Oct 2021 17:40:23 -0700
Subject: [PATCH 045/305] fix stack-use-after-return in libfuzzer custom
mutator
---
custom_mutators/libfuzzer/libfuzzer.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/custom_mutators/libfuzzer/libfuzzer.inc b/custom_mutators/libfuzzer/libfuzzer.inc
index 01f21dbe..8c4bdbf6 100644
--- a/custom_mutators/libfuzzer/libfuzzer.inc
+++ b/custom_mutators/libfuzzer/libfuzzer.inc
@@ -2,7 +2,7 @@
extern "C" ATTRIBUTE_INTERFACE void
LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) {
- Random Rand(Seed);
+ auto *Rand = new Random(Seed);
FuzzingOptions Options;
Options.Verbosity = 3;
Options.MaxLen = 1024000;
@@ -30,7 +30,7 @@ LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int
struct EntropicOptions Entropic;
Entropic.Enabled = Options.Entropic;
EF = new ExternalFunctions();
- auto *MD = new MutationDispatcher(Rand, Options);
+ auto *MD = new MutationDispatcher(*Rand, Options);
auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
}
From 65e63b9cf107ae914630a4fff7381cee150df5fe Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Wed, 6 Oct 2021 13:49:13 +0200
Subject: [PATCH 046/305] update qemu
---
qemu_mode/QEMUAFL_VERSION | 2 +-
qemu_mode/qemuafl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index ade3a779..7bdedf7b 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-86dead4dcb
+71ed0d206f
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index a6758d1c..71ed0d20 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
+Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
From f0e6a7a4f8a387cd295a132ef0723f3257bed658 Mon Sep 17 00:00:00 2001
From: Daniel Ebert
Date: Wed, 6 Oct 2021 14:19:22 -0700
Subject: [PATCH 047/305] fix memory leak in libfuzzer custom mutator
---
custom_mutators/libfuzzer/FuzzerLoop.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/custom_mutators/libfuzzer/FuzzerLoop.cpp b/custom_mutators/libfuzzer/FuzzerLoop.cpp
index 08fda520..6716dbf5 100644
--- a/custom_mutators/libfuzzer/FuzzerLoop.cpp
+++ b/custom_mutators/libfuzzer/FuzzerLoop.cpp
@@ -1086,6 +1086,7 @@ ATTRIBUTE_INTERFACE size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size,
size_t MaxSize) {
assert(fuzzer::F);
+ fuzzer::F->GetMD().StartMutationSequence();
size_t r = fuzzer::F->GetMD().DefaultMutate(Data, Size, MaxSize);
#ifdef INTROSPECTION
introspection_ptr = fuzzer::F->GetMD().WriteMutationSequence();
From 0a88a6c53071e9c203fa602e99e6510de14dacc0 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Thu, 7 Oct 2021 15:02:04 +0200
Subject: [PATCH 048/305] get rid of i32 need for unicornafl regs in rust
---
unicorn_mode/UNICORNAFL_VERSION | 2 +-
.../samples/speedtest/rust/src/main.rs | 20 +++++++++----------
unicorn_mode/unicornafl | 2 +-
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 0d84243c..cbca63e5 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
+f1c853648a74b0157d233a2ef9f1693cfee78c11
diff --git a/unicorn_mode/samples/speedtest/rust/src/main.rs b/unicorn_mode/samples/speedtest/rust/src/main.rs
index 105ba4b4..77356a67 100644
--- a/unicorn_mode/samples/speedtest/rust/src/main.rs
+++ b/unicorn_mode/samples/speedtest/rust/src/main.rs
@@ -105,7 +105,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
// Set the program counter to the start of the code
let main_locs = parse_locs("main").unwrap();
//println!("Entry Point: {:x}", main_locs[0]);
- uc.reg_write(RegisterX86::RIP as i32, main_locs[0])?;
+ uc.reg_write(RIP, main_locs[0])?;
// Setup the stack.
uc.mem_map(
@@ -114,14 +114,14 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
Permission::READ | Permission::WRITE,
)?;
// Setup the stack pointer, but allocate two pointers for the pointers to input.
- uc.reg_write(RSP as i32, STACK_ADDRESS + STACK_SIZE - 16)?;
+ uc.reg_write(RSP, STACK_ADDRESS + STACK_SIZE - 16)?;
// Setup our input space, and push the pointer to it in the function params
uc.mem_map(INPUT_ADDRESS, INPUT_MAX as usize, Permission::READ)?;
// We have argc = 2
- uc.reg_write(RDI as i32, 2)?;
+ uc.reg_write(RDI, 2)?;
// RSI points to our little 2 QWORD space at the beginning of the stack...
- uc.reg_write(RSI as i32, STACK_ADDRESS + STACK_SIZE - 16)?;
+ uc.reg_write(RSI, STACK_ADDRESS + STACK_SIZE - 16)?;
// ... which points to the Input. Write the ptr to mem in little endian.
uc.mem_write(
STACK_ADDRESS + STACK_SIZE - 16,
@@ -139,7 +139,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
abort();
}
// read the first param
- let malloc_size = uc.reg_read(RDI as i32).unwrap();
+ let malloc_size = uc.reg_read(RDI).unwrap();
if malloc_size > HEAP_SIZE_MAX {
println!(
"Tried to allocate {} bytes, but we may only allocate up to {}",
@@ -147,8 +147,8 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
);
abort();
}
- uc.reg_write(RAX as i32, HEAP_ADDRESS).unwrap();
- uc.reg_write(RIP as i32, addr + size as u64).unwrap();
+ uc.reg_write(RAX, HEAP_ADDRESS).unwrap();
+ uc.reg_write(RIP, addr + size as u64).unwrap();
already_allocated_malloc.set(true);
};
@@ -160,7 +160,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
abort();
}
// read the first param
- let free_ptr = uc.reg_read(RDI as i32).unwrap();
+ let free_ptr = uc.reg_read(RDI).unwrap();
if free_ptr != HEAP_ADDRESS {
println!(
"Tried to free wrong mem region {:x} at code loc {:x}",
@@ -168,7 +168,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
);
abort();
}
- uc.reg_write(RIP as i32, addr + size as u64).unwrap();
+ uc.reg_write(RIP, addr + size as u64).unwrap();
already_allocated_free.set(false);
};
@@ -178,7 +178,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
// This is a fancy print function that we're just going to skip for fuzzing.
let hook_magicfn = move |mut uc: UnicornHandle<'_, _>, addr, size| {
- uc.reg_write(RIP as i32, addr + size as u64).unwrap();
+ uc.reg_write(RIP, addr + size as u64).unwrap();
};
for addr in parse_locs("malloc").unwrap() {
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index c0e03d2c..f1c85364 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
+Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
From 580401591f36b0f6f7ba3ee08c867e12415e5cc5 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 9 Oct 2021 17:23:32 +0100
Subject: [PATCH 049/305] LLVM passes making slightly more C++
---
instrumentation/SanitizerCoverageLTO.so.cc | 17 +++++---------
instrumentation/afl-llvm-dict2file.so.cc | 23 ++++++++++---------
.../afl-llvm-lto-instrumentation.so.cc | 13 +++++------
3 files changed, 24 insertions(+), 29 deletions(-)
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index e06f8b93..eb0f06b2 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -250,7 +250,7 @@ class ModuleSanitizerCoverage {
Module * Mo = NULL;
GlobalVariable * AFLMapPtr = NULL;
Value * MapPtrFixed = NULL;
- FILE * documentFile = NULL;
+ std::ofstream dFile;
size_t found = 0;
// afl++ END
@@ -446,7 +446,8 @@ bool ModuleSanitizerCoverage::instrumentModule(
if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) {
- if ((documentFile = fopen(ptr, "a")) == NULL)
+ dFile.open(ptr, std::ofstream::out | std::ofstream::app);
+ if (dFile.is_open())
WARNF("Cannot access document file %s", ptr);
}
@@ -1003,12 +1004,7 @@ bool ModuleSanitizerCoverage::instrumentModule(
instrumentFunction(F, DTCallback, PDTCallback);
// afl++ START
- if (documentFile) {
-
- fclose(documentFile);
- documentFile = NULL;
-
- }
+ if (dFile.is_open()) dFile.close();
if (!getenv("AFL_LLVM_LTO_DONTWRITEID") || dictionary.size() || map_addr) {
@@ -1509,12 +1505,11 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
// afl++ START
++afl_global_id;
- if (documentFile) {
+ if (dFile.is_open()) {
unsigned long long int moduleID =
(((unsigned long long int)(rand() & 0xffffffff)) << 32) | getpid();
- fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n", moduleID,
- F.getName().str().c_str(), afl_global_id);
+ dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() << " edgeID=" << afl_global_id << "\n";
}
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index 4622e488..c4ad1783 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -65,7 +65,8 @@ using namespace llvm;
namespace {
class AFLdict2filePass : public ModulePass {
-
+ std::ofstream of;
+ void dict2file(u8 *, u32);
public:
static char ID;
@@ -81,7 +82,7 @@ class AFLdict2filePass : public ModulePass {
} // namespace
-void dict2file(int fd, u8 *mem, u32 len) {
+void AFLdict2filePass::dict2file(u8 *mem, u32 len) {
u32 i, j, binary = 0;
char line[MAX_AUTO_EXTRA * 8], tmp[8];
@@ -113,9 +114,8 @@ void dict2file(int fd, u8 *mem, u32 len) {
line[j] = 0;
strcat(line, "\"\n");
- if (write(fd, line, strlen(line)) <= 0)
- PFATAL("Could not write to dictionary file");
- fsync(fd);
+ of << line;
+ of.flush();
if (!be_quiet) fprintf(stderr, "Found dictionary token: %s", line);
@@ -125,7 +125,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
DenseMap valueMap;
char * ptr;
- int fd, found = 0;
+ int found = 0;
/* Show a banner */
setvbuf(stdout, NULL, _IONBF, 0);
@@ -146,7 +146,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
if (!ptr || *ptr != '/')
FATAL("AFL_LLVM_DICT2FILE is not set to an absolute path: %s", ptr);
- if ((fd = open(ptr, O_WRONLY | O_APPEND | O_CREAT | O_DSYNC, 0644)) < 0)
+ of.open(ptr, std::ofstream::out | std::ofstream::app);
+ if (!of.is_open())
PFATAL("Could not open/create %s.", ptr);
/* Instrument all the things! */
@@ -264,11 +265,11 @@ bool AFLdict2filePass::runOnModule(Module &M) {
}
- dict2file(fd, (u8 *)&val, len);
+ dict2file((u8 *)&val, len);
found++;
if (val2) {
- dict2file(fd, (u8 *)&val2, len);
+ dict2file((u8 *)&val2, len);
found++;
}
@@ -630,7 +631,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
ptr = (char *)thestring.c_str();
- dict2file(fd, (u8 *)ptr, optLen);
+ dict2file((u8 *)ptr, optLen);
found++;
}
@@ -641,7 +642,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
}
- close(fd);
+ of.close();
/* Say something nice. */
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index e300044c..d685e76c 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -107,8 +107,8 @@ bool AFLLTOPass::runOnModule(Module &M) {
// std::vector calls;
DenseMap valueMap;
std::vector BlockList;
+ std::ofstream dFile;
char * ptr;
- FILE * documentFile = NULL;
size_t found = 0;
srand((unsigned int)time(NULL));
@@ -136,7 +136,8 @@ bool AFLLTOPass::runOnModule(Module &M) {
if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) {
- if ((documentFile = fopen(ptr, "a")) == NULL)
+ dFile.open(ptr, std::ofstream::out | std::ofstream::app);
+ if (!dFile.is_open())
WARNF("Cannot access document file %s", ptr);
}
@@ -844,10 +845,9 @@ bool AFLLTOPass::runOnModule(Module &M) {
}
- if (documentFile) {
+ if (dFile.is_open()) {
- fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n",
- moduleID, F.getName().str().c_str(), afl_global_id);
+ dFile << "ModuleID=" << moduleID << " Function=" << F.getName().str() << " edgeID=" << afl_global_id << "\n";
}
@@ -919,8 +919,7 @@ bool AFLLTOPass::runOnModule(Module &M) {
}
- if (documentFile) fclose(documentFile);
- documentFile = NULL;
+ if (dFile.is_open()) dFile.close();
// save highest location ID to global variable
// do this after each function to fail faster
From 65afe5addc7d5bd741a5283eeba4813849e99836 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 9 Oct 2021 18:31:12 +0100
Subject: [PATCH 050/305] LLVM coverage making it more C++ too.
---
instrumentation/SanitizerCoverageLTO.so.cc | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index eb0f06b2..960eb783 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1065,7 +1065,6 @@ bool ModuleSanitizerCoverage::instrumentModule(
if (dictionary.size()) {
size_t memlen = 0, count = 0, offset = 0;
- char * ptr;
// sort and unique the dictionary
std::sort(dictionary.begin(), dictionary.end());
@@ -1085,13 +1084,7 @@ bool ModuleSanitizerCoverage::instrumentModule(
if (count) {
- if ((ptr = (char *)malloc(memlen + count)) == NULL) {
-
- fprintf(stderr, "Error: malloc for %lu bytes failed!\n",
- memlen + count);
- exit(-1);
-
- }
+ auto ptrhld = std::unique_ptr(new char[memlen + count]);
count = 0;
@@ -1099,8 +1092,8 @@ bool ModuleSanitizerCoverage::instrumentModule(
if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) {
- ptr[offset++] = (uint8_t)token.length();
- memcpy(ptr + offset, token.c_str(), token.length());
+ ptrhld.get()[offset++] = (uint8_t)token.length();
+ memcpy(ptrhld.get() + offset, token.c_str(), token.length());
offset += token.length();
count++;
@@ -1120,10 +1113,10 @@ bool ModuleSanitizerCoverage::instrumentModule(
GlobalVariable *AFLInternalDictionary = new GlobalVariable(
M, ArrayTy, true, GlobalValue::ExternalLinkage,
ConstantDataArray::get(Ctx,
- *(new ArrayRef((char *)ptr, offset))),
+ *(new ArrayRef(ptrhld.get(), offset))),
"__afl_internal_dictionary");
AFLInternalDictionary->setInitializer(ConstantDataArray::get(
- Ctx, *(new ArrayRef((char *)ptr, offset))));
+ Ctx, *(new ArrayRef(ptrhld.get(), offset))));
AFLInternalDictionary->setConstant(true);
GlobalVariable *AFLDictionary = new GlobalVariable(
From f6fbbf8150c8a41b7cd40a2413b1c6f66b24c6c8 Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Sun, 10 Oct 2021 21:03:43 +0800
Subject: [PATCH 051/305] Fix document paths.
---
README.md | 8 ++++----
docs/best_practices.md | 6 +++---
docs/branches.md | 2 +-
docs/env_variables.md | 4 ++--
docs/fuzzing_expert.md | 4 ++--
docs/interpreting_output.md | 4 ++--
docs/known_limitations.md | 4 ++--
docs/parallel_fuzzing.md | 2 +-
docs/rpc_statsd.md | 4 ++--
docs/triaging_crashes.md | 2 +-
instrumentation/README.laf-intel.md | 5 ++---
instrumentation/README.llvm.md | 2 +-
12 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/README.md b/README.md
index 76ef8448..1a22dd12 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ You are free to copy, modify, and distribute AFL++ with attribution under the te
Here is some information to get you started:
-* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [major behaviour changes in AFL++](docs/behaviour_changes.md).
+* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [major changes in AFL++](docs/important_changes.md).
* If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
* For comparisons, use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
@@ -67,7 +67,7 @@ A common way to do this would be:
2. Get a small but valid input file that makes sense to the program.
When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described
-in [dictionaries/README.md](../dictionaries/README.md), too.
+in [dictionaries/README.md](dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
@@ -94,7 +94,7 @@ in [dictionaries/README.md](../dictionaries/README.md), too.
Questions? Concerns? Bug reports?
* The contributors can be reached via [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
-* Take a look at our [FAQ](docs/faq.md). If you find an interesting or important question missing, submit it via
+* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important question missing, submit it via
[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
* There is a mailing list for the AFL/AFL++ project ([browse archive](https://groups.google.com/group/afl-users)). To compare notes with other users or to get notified about major new features, send an email to .
* Or join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
@@ -191,4 +191,4 @@ If you use AFL++ in scientific work, consider citing [our paper](https://www.use
}
```
-
\ No newline at end of file
+
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 23fa237d..0708d49d 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -59,10 +59,10 @@ which allows you to define network state with different type of data packets.
1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended).
2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase).
3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase).
-4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md).
+4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md).
5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure).
6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem.
-7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads).
+7. Use your cores! [fuzzing_expert.md:b) Using multiple cores](fuzzing_expert.md#b-using-multiple-cores).
### Improving stability
@@ -117,4 +117,4 @@ Four steps are required to do this and it also requires quite some knowledge of
Recompile, fuzz it, be happy :)
- This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677).
\ No newline at end of file
+ This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677).
diff --git a/docs/branches.md b/docs/branches.md
index 1e4ebbb2..98fd6827 100644
--- a/docs/branches.md
+++ b/docs/branches.md
@@ -7,4 +7,4 @@ The following branches exist:
* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
* (any other): experimental branches to work on specific features or testing new functionality or changes.
-For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major behaviour changes in AFL++](behaviour_changes.md).
\ No newline at end of file
+For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major changes in AFL++](important_changes.md).
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 0686f1a8..5f5c2510 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -2,7 +2,7 @@
This document discusses the environment variables used by American Fuzzy Lop++
to expose various exotic functions that may be (rarely) useful for power
- users or for some types of custom fuzzing setups. See [README.md](README.md) for the general
+ users or for some types of custom fuzzing setups. See [../README.md](../README.md) for the general
instruction manual.
Note that most tools will warn on any unknown AFL environment variables.
@@ -422,7 +422,7 @@ checks or alter some of the more exotic semantics of the tool:
- Setting `AFL_FORCE_UI` will force painting the UI on the screen even if
no valid terminal was detected (for virtual consoles)
- - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md))
+ - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md))
some targets keep inherent state due which a detected crash testcase does
not crash the target again when the testcase is given. To be able to still
re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index ca884159..ef3f8a4e 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -613,7 +613,7 @@ switch or honggfuzz.
* If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [env_variables.md](env_variables.md)
* Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can also just run `sudo afl-persistent-config`
* Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
- * Use your cores! [3.b) Using multiple cores/threads](#b-using-multiple-coresthreads)
+ * Use your cores! [b) Using multiple cores](#b-using-multiple-cores)
* Run `sudo afl-system-config` before starting the first afl-fuzz instance after a reboot
### The End
@@ -625,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns.
If you want to know more, the tons of texts in [docs/](./) will have you covered.
Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
+(some might be deprecated or unsupported), see [tools.md](tools.md).
diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md
index 54ad76df..327a0ac0 100644
--- a/docs/interpreting_output.md
+++ b/docs/interpreting_output.md
@@ -1,6 +1,6 @@
# Interpreting output
-See the [docs/status_screen.md](docs/status_screen.md) file for information on
+See the [status_screen.md](status_screen.md) file for information on
how to interpret the displayed stats and monitor the health of the process. Be
sure to consult this file especially if any UI elements are highlighted in red.
@@ -68,4 +68,4 @@ cd utils/plot_ui
make
cd ../../
sudo make install
-```
\ No newline at end of file
+```
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
index deb539e2..2d8f84a5 100644
--- a/docs/known_limitations.md
+++ b/docs/known_limitations.md
@@ -15,7 +15,7 @@ Here are some of the most important caveats for AFL:
To work around this, you can comment out the relevant checks (see
utils/libpng_no_checksum/ for inspiration); if this is not possible,
you can also write a postprocessor, one of the hooks of custom mutators.
- See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use
+ See [custom_mutators.md](custom_mutators.md) on how to use
`AFL_CUSTOM_MUTATOR_LIBRARY`
- There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
@@ -33,4 +33,4 @@ Here are some of the most important caveats for AFL:
- Occasionally, sentient machines rise against their creators. If this
happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
-Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
\ No newline at end of file
+Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md
index 90e12e89..e37276a5 100644
--- a/docs/parallel_fuzzing.md
+++ b/docs/parallel_fuzzing.md
@@ -4,7 +4,7 @@ This document talks about synchronizing afl-fuzz jobs on a single machine
or across a fleet of systems. See README.md for the general instruction manual.
Note that this document is rather outdated. please refer to the main document
-section on multiple core usage [../README.md#Using multiple cores](../README.md#b-using-multiple-coresthreads)
+section on multiple core usage [fuzzing_expert.md#Using multiple cores](fuzzing_expert.md#b-using-multiple-cores)
for up to date strategies!
## 1) Introduction
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index 288d56cb..9b3d8d40 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -50,7 +50,7 @@ Depending on your StatsD server, you will be able to monitor, trigger alerts, or
- `librato`
- `signalfx`
- For more information on environment variables, see [docs/env_variables.md](docs/env_variables.md).
+ For more information on environment variables, see [env_variables.md](env_variables.md).
Note: When using multiple fuzzer instances with StatsD it is *strongly* recommended to set up `AFL_STATSD_TAGS_FLAVOR` to match your StatsD server. This will allow you to see individual fuzzer performance, detect bad ones, and see the progress of each strategy.
@@ -152,4 +152,4 @@ To run your fuzzing instances:
AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -M test-fuzzer-1 -i i -o o [./bin/my-application] @@
AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -S test-fuzzer-2 -i i -o o [./bin/my-application] @@
...
-```
\ No newline at end of file
+```
diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md
index 1857c4b1..b0015c90 100644
--- a/docs/triaging_crashes.md
+++ b/docs/triaging_crashes.md
@@ -43,4 +43,4 @@ file, attempts to sequentially flip bytes, and observes the behavior of the
tested program. It then color-codes the input based on which sections appear to
be critical, and which are not; while not bulletproof, it can often offer quick
insights into complex file formats. More info about its operation can be found
-near the end of [docs/technical_details.md](docs/technical_details.md).
\ No newline at end of file
+near the end of [technical_details.md](technical_details.md).
diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md
index 229807e8..789055ed 100644
--- a/instrumentation/README.laf-intel.md
+++ b/instrumentation/README.laf-intel.md
@@ -3,9 +3,8 @@
## Introduction
This originally is the work of an individual nicknamed laf-intel.
-His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations]
-(https://lafintel.wordpress.com/) and gitlab repo [laf-llvm-pass]
-(https://gitlab.com/laf-intel/laf-llvm-pass/)
+His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations](https://lafintel.wordpress.com/)
+and gitlab repo [laf-llvm-pass](https://gitlab.com/laf-intel/laf-llvm-pass/)
describe some code transformations that
help AFL++ to enter conditional blocks, where conditions consist of
comparisons of large values.
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 6e210a7c..5b1e60cc 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -2,7 +2,7 @@
(See [../README.md](../README.md) for the general instruction manual.)
- (See [README.gcc_plugin.md](../README.gcc_plugin.md) for the GCC-based instrumentation.)
+ (See [README.gcc_plugin.md](README.gcc_plugin.md) for the GCC-based instrumentation.)
## 1) Introduction
From 228f6c5dad1a593b4113006e587e9885459a53c2 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 10 Oct 2021 16:00:21 +0200
Subject: [PATCH 052/305] Update fuzzing_binary-only_targets.md
---
docs/fuzzing_binary-only_targets.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md
index a39e40a0..d568b976 100644
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@@ -71,7 +71,7 @@ cd unicorn_mode
If the goal is to fuzz a dynamic library then there are two options available.
For both you need to write a small harness that loads and calls the library.
-Faster is the frida solution: [utils/afl_frida/README.md](../utils/afl_frida/README.md)
+Faster is the frida solution: [frida_mode/README.md](../frida_mode/README.md)
Another, less precise and slower option is using ptrace with debugger interrupt
instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md).
From 659366ac6007eb679bc96c8e619afbb2f1d3ad50 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 10 Oct 2021 16:09:39 +0200
Subject: [PATCH 053/305] Delete life_pro_tips.md
---
docs/life_pro_tips.md | 87 -------------------------------------------
1 file changed, 87 deletions(-)
delete mode 100644 docs/life_pro_tips.md
diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md
deleted file mode 100644
index 13ffcea0..00000000
--- a/docs/life_pro_tips.md
+++ /dev/null
@@ -1,87 +0,0 @@
-# AFL "Life Pro Tips"
-
-Bite-sized advice for those who understand the basics, but can't be bothered
-to read or memorize every other piece of documentation for AFL.
-
-## Get more bang for your buck by using fuzzing dictionaries.
-
-See [dictionaries/README.md](../dictionaries/README.md) to learn how.
-
-## You can get the most out of your hardware by parallelizing AFL jobs.
-
-See [parallel_fuzzing.md](parallel_fuzzing.md) for step-by-step tips.
-
-## Improve the odds of spotting memory corruption bugs with libdislocator.so!
-
-It's easy. Consult [utils/libdislocator/README.md](../utils/libdislocator/README.md) for usage tips.
-
-## Want to understand how your target parses a particular input file?
-
-Try the bundled `afl-analyze` tool; it's got colors and all!
-
-## You can visually monitor the progress of your fuzzing jobs.
-
-Run the bundled `afl-plot` utility to generate browser-friendly graphs.
-
-## Need to monitor AFL jobs programmatically?
-Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`.
-
-## Puzzled by something showing up in red or purple in the AFL UI?
-It could be important - consult docs/status_screen.md right away!
-
-## Know your target? Convert it to persistent mode for a huge performance gain!
-Consult section #5 in README.llvm.md for tips.
-
-## Using clang?
-Check out instrumentation/ for a faster alternative to afl-gcc!
-
-## Did you know that AFL can fuzz closed-source or cross-platform binaries?
-Check out qemu_mode/README.md and unicorn_mode/README.md for more.
-
-## Did you know that afl-fuzz can minimize any test case for you?
-Try the bundled `afl-tmin` tool - and get small repro files fast!
-
-## Not sure if a crash is exploitable? AFL can help you figure it out. Specify
-`-C` to enable the peruvian were-rabbit mode.
-
-## Trouble dealing with a machine uprising? Relax, we've all been there.
-
-Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
-
-## Want to automatically spot non-crashing memory handling bugs?
-
-Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
-
-## Good selection of input files is critical to a successful fuzzing job.
-
-See docs/perf_tips.md for pro tips.
-
-## You can improve the odds of automatically spotting stack corruption issues.
-
-Specify `AFL_HARDEN=1` in the environment to enable hardening flags.
-
-## Bumping into problems with non-reproducible crashes?
-It happens, but usually
-isn't hard to diagnose. See section #7 in README.md for tips.
-
-## Fuzzing is not just about memory corruption issues in the codebase.
-Add some
-sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bugs.
-
-## Hey kid... pssst... want to figure out how AFL really works?
-
-Check out docs/technical_details.md for all the gory details in one place!
-
-## There's a ton of third-party helper tools designed to work with AFL!
-
-Be sure to check out docs/sister_projects.md before writing your own.
-
-## Need to fuzz the command-line arguments of a particular program?
-
-You can find a simple solution in utils/argv_fuzzing.
-
-## Attacking a format that uses checksums?
-
-Remove the checksum-checking code or use a postprocessor!
-See `afl_custom_post_process` in custom_mutators/examples/example.c for more.
-
From a8844eaceb1df92635a327fc4edba082b102a2ff Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Mon, 11 Oct 2021 15:47:20 +0800
Subject: [PATCH 054/305] afl-showmap don't create empty "-" file
---
src/afl-showmap.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 75b0ff99..a04c1f5b 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -242,9 +242,11 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
if (cmin_mode &&
(fsrv->last_run_timed_out || (!caa && child_crashed != cco))) {
- // create empty file to prevent error messages in afl-cmin
- fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
- close(fd);
+ if (strcmp(outfile, "-")) {
+ // create empty file to prevent error messages in afl-cmin
+ fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
+ close(fd);
+ }
return ret;
}
From 00aa689f40a3c8276af257cf0b54dc655cb0423e Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 11 Oct 2021 14:28:17 +0200
Subject: [PATCH 055/305] fix accidental bystander kills
---
docs/Changelog.md | 2 ++
qemu_mode/qemuafl | 2 +-
src/afl-forkserver.c | 6 +++---
unicorn_mode/unicornafl | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index dad5fee2..1c3830f9 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -18,6 +18,8 @@ sending a mail to .
- fix -n dumb mode (nobody should use this)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
+ - Prevent accidently killing non-afl/fuzz services when aborting
+ afl-showmap and other tools.
- afl-cc:
- fix for shared linking on MacOS
- llvm and LTO mode verified to work with new llvm 14-dev
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index 71ed0d20..a6758d1c 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
+Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index c8c94c08..54f510c4 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -610,12 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if (!time_ms) {
- kill(fsrv->fsrv_pid, fsrv->kill_signal);
+ if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); }
} else if (time_ms > fsrv->init_tmout) {
fsrv->last_run_timed_out = 1;
- kill(fsrv->fsrv_pid, fsrv->kill_signal);
+ if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); }
} else {
@@ -1248,7 +1248,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
/* If there was no response from forkserver after timeout seconds,
we kill the child. The forkserver should inform us afterwards */
- kill(fsrv->child_pid, fsrv->kill_signal);
+ if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); }
fsrv->last_run_timed_out = 1;
if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; }
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index f1c85364..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
From d0fc985e22328504dd0c4e21770ae2b31e63421a Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Tue, 12 Oct 2021 00:00:05 +0200
Subject: [PATCH 056/305] prototype compiles
---
instrumentation/split-compares-pass.so.cc | 71 ++++++++++++++++-------
1 file changed, 51 insertions(+), 20 deletions(-)
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 13f45b69..a0dbba7a 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -28,7 +28,11 @@
#include "llvm/Pass.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/IR/LegacyPassManager.h"
+
+#include "llvm/Passes/PassPlugin.h"
+#include "llvm/Passes/PassBuilder.h"
+#include "llvm/IR/PassManager.h"
+//#include "llvm/IR/LegacyPassManager.h"
#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/IR/Module.h"
@@ -53,27 +57,17 @@ using namespace llvm;
namespace {
-class SplitComparesTransform : public ModulePass {
+//class SplitComparesTransform : public ModulePass {
+class SplitComparesTransform : public PassInfoMixin {
public:
static char ID;
- SplitComparesTransform() : ModulePass(ID), enableFPSplit(0) {
+ SplitComparesTransform() : enableFPSplit(0) {
initInstrumentList();
-
}
- bool runOnModule(Module &M) override;
-#if LLVM_VERSION_MAJOR >= 4
- StringRef getPassName() const override {
-
-#else
- const char *getPassName() const override {
-
-#endif
- return "AFL_SplitComparesTransform";
-
- }
+ PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
private:
int enableFPSplit;
@@ -162,6 +156,37 @@ class SplitComparesTransform : public ModulePass {
} // namespace
+extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
+llvmGetPassPluginInfo() {
+ return {
+ LLVM_PLUGIN_API_VERSION, "SplitCompares", "v0.1",
+ /* lambda to insert our pass into the pass pipeline. */
+ [](PassBuilder &PB) {
+#if 1
+ using OptimizationLevel = typename PassBuilder::OptimizationLevel;
+ PB.registerOptimizerLastEPCallback(
+ [](ModulePassManager &MPM, OptimizationLevel OL) {
+ MPM.addPass(SplitComparesTransform());
+ }
+ );
+/* TODO LTO registration */
+#else
+ using PipelineElement = typename PassBuilder::PipelineElement;
+ PB.registerPipelineParsingCallback(
+ [](StringRef Name, ModulePassManager &MPM, ArrayRef) {
+ if ( Name == "splitcompares" ) {
+ MPM.addPass(SplitComparesTransform);
+ return true;
+ } else {
+ return false;
+ }
+ }
+ );
+#endif
+ }
+ };
+}
+
char SplitComparesTransform::ID = 0;
/// This function splits FCMP instructions with xGE or xLE predicates into two
@@ -1316,7 +1341,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
}
-bool SplitComparesTransform::runOnModule(Module &M) {
+PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &MAM) {
char *bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW");
if (!bitw_env) bitw_env = getenv("LAF_SPLIT_COMPARES_BITW");
@@ -1339,6 +1364,8 @@ bool SplitComparesTransform::runOnModule(Module &M) {
}
+ auto PA = PreservedAnalyses::all();
+
if (enableFPSplit) {
count = splitFPCompares(M);
@@ -1371,7 +1398,7 @@ bool SplitComparesTransform::runOnModule(Module &M) {
auto op0 = CI->getOperand(0);
auto op1 = CI->getOperand(1);
- if (!op0 || !op1) { return false; }
+ if (!op0 || !op1) { return PA; }
auto iTy1 = dyn_cast(op0->getType());
if (iTy1 && isa(op1->getType())) {
@@ -1420,10 +1447,14 @@ bool SplitComparesTransform::runOnModule(Module &M) {
}
- return true;
+/* if (modified) {
+ PA.abandon();
+ }*/
+
+ return PA;
}
-
+#if 0
static void registerSplitComparesPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
@@ -1447,4 +1478,4 @@ static RegisterPass X("splitcompares",
"AFL++ split compares",
true /* Only looks at CFG */,
true /* Analysis Pass */);
-
+#endif
From d22b28d17b8cffabbb59c9e82373338a6343c648 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 12 Oct 2021 08:13:29 +0100
Subject: [PATCH 057/305] Minimize inline assembly
---
frida_mode/GNUmakefile | 3 +-
frida_mode/include/instrument.h | 1 +
frida_mode/include/ranges.h | 2 +
frida_mode/src/instrument/instrument.c | 1 +
frida_mode/src/instrument/instrument_x64.c | 414 +++++++++++----------
frida_mode/src/ranges.c | 13 +-
6 files changed, 237 insertions(+), 197 deletions(-)
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 3e35e2f6..ab6efecf 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -31,7 +31,8 @@ AFL_CFLAGS:=-Wno-unused-parameter \
LDFLAGS+=-shared \
-lpthread \
-lresolv \
- -ldl
+ -ldl \
+ -lrt
ifdef DEBUG
CFLAGS+=-Werror \
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h
index 909b2a2c..cac5ee93 100644
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@@ -29,6 +29,7 @@ GumStalkerTransformer *instrument_get_transformer(void);
/* Functions to be implemented by the different architectures */
gboolean instrument_is_coverage_optimize_supported(void);
+void instrument_coverage_optimize_init(void);
void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output);
diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h
index 0220a59d..3bd9eaa6 100644
--- a/frida_mode/include/ranges.h
+++ b/frida_mode/include/ranges.h
@@ -10,6 +10,8 @@ extern gboolean ranges_inst_jit;
void ranges_config(void);
void ranges_init(void);
+void ranges_print_debug_maps(void);
+
gboolean range_is_excluded(GumAddress address);
void ranges_exclude();
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index 71d9bdf6..81d85aa1 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -356,6 +356,7 @@ void instrument_init(void) {
instrument_hash_seed);
instrument_hash_zero = instrument_get_offset_hash(0);
+ instrument_coverage_optimize_init();
instrument_debug_init();
instrument_coverage_init();
asan_init();
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index 1c2cf113..dc040a20 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -1,4 +1,9 @@
+#include
#include
+#include
+#include
+#include
+#include
#include "frida-gumjs.h"
@@ -6,126 +11,10 @@
#include "debug.h"
#include "instrument.h"
+#include "ranges.h"
#if defined(__x86_64__)
-static GumAddress current_log_impl = GUM_ADDRESS(0);
-
- #pragma pack(push, 1)
-
-typedef struct {
-
- /*
- * pushfq
- * push rdx
- * mov rdx, [&previouspc] (rip relative addr)
- * xor rdx, rdi (current_pc)
- * shr rdi. 1
- * mov [&previouspc], rdi
- * lea rsi, [&_afl_area_ptr] (rip relative)
- * add rdx, rsi
- * add byte ptr [rdx], 1
- * adc byte ptr [rdx], 0
-
- * pop rdx
- * popfq
- */
- uint8_t push_fq;
- uint8_t push_rdx;
- uint8_t mov_rdx_rip_off[7];
- uint8_t xor_rdx_rdi[3];
- uint8_t shr_rdi[3];
- uint8_t mov_rip_off_rdi[7];
-
- uint8_t lea_rdi_rip_off[7];
- uint8_t add_rdx_rdi[3];
- uint8_t add_byte_ptr_rdx[3];
- uint8_t adc_byte_ptr_rdx[3];
-
- uint8_t pop_rdx;
- uint8_t pop_fq;
- uint8_t ret;
-
-} afl_log_code_asm_t;
-
- #pragma pack(pop)
-
- #pragma pack(push, 8)
-typedef struct {
-
- afl_log_code_asm_t assembly;
- uint64_t current_pc;
-
-} afl_log_code_t;
-
- #pragma pack(pop)
-
-typedef union {
-
- afl_log_code_t data;
- uint8_t bytes[0];
-
-} afl_log_code;
-
-static const afl_log_code_asm_t template = {
-
- .push_fq = 0x9c,
- .push_rdx = 0x52,
- .mov_rdx_rip_off =
- {
-
- 0x48, 0x8b, 0x15,
- /* TBC */
-
- },
-
- .xor_rdx_rdi =
- {
-
- 0x48,
- 0x31,
- 0xfa,
-
- },
-
- .shr_rdi = {0x48, 0xd1, 0xef},
- .mov_rip_off_rdi = {0x48, 0x89, 0x3d},
-
- .lea_rdi_rip_off =
- {
-
- 0x48,
- 0x8d,
- 0x3d,
-
- },
-
- .add_rdx_rdi = {0x48, 0x01, 0xfA},
-
- .add_byte_ptr_rdx =
- {
-
- 0x80,
- 0x02,
- 0x01,
-
- },
-
- .adc_byte_ptr_rdx =
- {
-
- 0x80,
- 0x12,
- 0x00,
-
- },
-
- .pop_rdx = 0x5a,
- .pop_fq = 0x9d,
- .ret = 0xc3};
-
-static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
-
gboolean instrument_is_coverage_optimize_supported(void) {
return true;
@@ -138,113 +27,258 @@ static gboolean instrument_coverage_in_range(gssize offset) {
}
-static void instrument_coverate_write_function(GumStalkerOutput *output) {
+ #pragma pack(push, 1)
+typedef struct {
- guint64 misalign = 0;
- GumX86Writer *cw = output->writer.x86;
- GumAddress code_addr = 0;
- afl_log_code code = {0};
- /*guint64 instrument_hash_zero = 0;*/
+ // cur_location = (block_address >> 4) ^ (block_address << 8);
+ // shared_mem[cur_location ^ prev_location]++;
+ // prev_location = cur_location >> 1;
- if (current_log_impl == 0 ||
- !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) ||
- !gum_x86_writer_can_branch_directly_between(cw->pc + 128,
- current_log_impl)) {
+ // => 0x7ffff6cfb086: lea rsp,[rsp-0x80]
+ // 0x7ffff6cfb08b: pushf
+ // 0x7ffff6cfb08c: push rsi
+ // 0x7ffff6cfb08d: mov rsi,0x228
+ // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740
+ // 0x7ffff6cfb09b: xor rsi,0x451
+ // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1
+ // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0
+ // 0x7ffff6cfb0b0: pop rsi
+ // 0x7ffff6cfb0b1: popf
+ // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80]
- gconstpointer after_log_impl = cw->code + 1;
- gum_x86_writer_put_jmp_near_label(cw, after_log_impl);
+ uint8_t lea_rsp_rsp_sub_rz[5];
+ uint8_t push_fq;
+ uint8_t push_rsi;
- misalign = (cw->pc & 0x7);
- if (misalign != 0) {
+ uint8_t mov_rsi_curr_loc_shr_1[7];
+ uint8_t xchg_rsi_prev_loc_curr_loc[7];
+ uint8_t xor_rsi_curr_loc[7];
- gum_x86_writer_put_bytes(cw, align_pad, 8 - misalign);
+ uint8_t add_rsi_1[7];
+ uint8_t adc_rsi_0[7];
- }
+ uint8_t pop_rsi;
+ uint8_t pop_fq;
+ uint8_t lsa_rsp_rsp_add_rz[8];
- current_log_impl = cw->pc;
- // gum_x86_writer_put_breakpoint(cw);
- code_addr = cw->pc;
+} afl_log_code_asm_t;
- code.data.assembly = template;
- code.data.current_pc = instrument_get_offset_hash(0);
+ #pragma pack(pop)
- gssize current_pc_value1 =
- GPOINTER_TO_SIZE(&instrument_previous_pc) -
- (code_addr + offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) +
- sizeof(code.data.assembly.mov_rdx_rip_off));
- gssize patch_offset1 =
- offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) +
- sizeof(code.data.assembly.mov_rdx_rip_off) - sizeof(gint);
- if (!instrument_coverage_in_range(current_pc_value1)) {
+typedef union {
- FATAL("Patch out of range (current_pc_value1): 0x%016lX",
- current_pc_value1);
+ afl_log_code_asm_t code;
+ uint8_t bytes[0];
- }
+} afl_log_code;
- gint *dst_pc_value = (gint *)&code.bytes[patch_offset1];
- *dst_pc_value = (gint)current_pc_value1;
+static const afl_log_code_asm_t template =
+ {
- gssize current_pc_value2 =
- GPOINTER_TO_SIZE(&instrument_previous_pc) -
- (code_addr + offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) +
- sizeof(code.data.assembly.mov_rip_off_rdi));
- gssize patch_offset2 =
- offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) +
- sizeof(code.data.assembly.mov_rip_off_rdi) - sizeof(gint);
+ .lea_rsp_rsp_sub_rz = {0x48, 0x8D, 0x64, 0x24, 0x80},
+ .push_fq = 0x9c,
+ .push_rsi = 0x56,
- if (!instrument_coverage_in_range(current_pc_value2)) {
+ .mov_rsi_curr_loc_shr_1 = {0x48, 0xC7, 0xC6},
+ .xchg_rsi_prev_loc_curr_loc = {0x48, 0x87, 0x35},
+ .xor_rsi_curr_loc = {0x48, 0x81, 0xF6},
- FATAL("Patch out of range (current_pc_value2): 0x%016lX",
- current_pc_value2);
+ .add_rsi_1 = {0x80, 0x86, 0x00, 0x00, 0x00, 0x00, 0x01},
+ .adc_rsi_0 = {0x80, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00},
- }
+ .pop_rsi = 0x5E,
+ .pop_fq = 0x9D,
+ .lsa_rsp_rsp_add_rz = {0x48, 0x8D, 0xA4, 0x24, 0x80, 0x00, 0x00, 0x00},
- dst_pc_value = (gint *)&code.bytes[patch_offset2];
- *dst_pc_value = (gint)current_pc_value2;
+}
- gsize afl_area_ptr_value =
- GPOINTER_TO_SIZE(__afl_area_ptr) -
- (code_addr + offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) +
- sizeof(code.data.assembly.lea_rdi_rip_off));
- gssize afl_area_ptr_offset =
- offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) +
- sizeof(code.data.assembly.lea_rdi_rip_off) - sizeof(gint);
+;
- if (!instrument_coverage_in_range(afl_area_ptr_value)) {
+static gboolean instrument_coverage_find_low(const GumRangeDetails *details,
+ gpointer user_data) {
- FATAL("Patch out of range (afl_area_ptr_value): 0x%016lX",
- afl_area_ptr_value);
+ static GumAddress last_limit = (64ULL << 10);
+ gpointer * address = (gpointer *)user_data;
- }
+ if ((details->range->base_address - last_limit) > __afl_map_size) {
- gint *dst_afl_area_ptr_value = (gint *)&code.bytes[afl_area_ptr_offset];
- *dst_afl_area_ptr_value = (gint)afl_area_ptr_value;
-
- gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
-
- gum_x86_writer_put_label(cw, after_log_impl);
+ *address = GSIZE_TO_POINTER(last_limit);
+ return FALSE;
}
+ if (details->range->base_address > ((2ULL << 20) - __afl_map_size)) {
+
+ return FALSE;
+
+ }
+
+ last_limit = details->range->base_address + details->range->size;
+ return TRUE;
+
+}
+
+static void instrument_coverage_optimize_map_mmap_anon(gpointer address) {
+
+ __afl_area_ptr =
+ mmap(address, __afl_map_size, PROT_READ | PROT_WRITE,
+ MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (__afl_area_ptr != address) {
+
+ FATAL("Failed to map mmap __afl_area_ptr: %d", errno);
+
+ }
+
+}
+
+static void instrument_coverage_optimize_map_mmap(char * shm_file_path,
+ gpointer address) {
+
+ int shm_fd = -1;
+
+ if (munmap(__afl_area_ptr, __afl_map_size) != 0) {
+
+ FATAL("Failed to unmap previous __afl_area_ptr");
+
+ }
+
+ __afl_area_ptr = NULL;
+
+ shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
+ if (shm_fd == -1) { FATAL("shm_open() failed\n"); }
+
+ __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE,
+ MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0);
+ if (__afl_area_ptr != address) {
+
+ FATAL("Failed to map mmap __afl_area_ptr: %d", errno);
+
+ }
+
+ if (close(shm_fd) != 0) { FATAL("Failed to close shm_fd"); }
+
+}
+
+static void instrument_coverage_optimize_map_shm(guint64 shm_env_val,
+ gpointer address) {
+
+ if (shmdt(__afl_area_ptr) != 0) {
+
+ FATAL("Failed to detach previous __afl_area_ptr");
+
+ }
+
+ __afl_area_ptr = shmat(shm_env_val, address, 0);
+ if (__afl_area_ptr != address) {
+
+ FATAL("Failed to map shm __afl_area_ptr: %d", errno);
+
+ }
+
+}
+
+void instrument_coverage_optimize_init(void) {
+
+ gpointer low_address = NULL;
+
+ gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low,
+ &low_address);
+
+ OKF("Low address: %p", low_address);
+
+ if (low_address == 0 ||
+ GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) {
+
+ FATAL("Invalid low_address: %p", low_address);
+
+ }
+
+ ranges_print_debug_maps();
+
+ char *shm_env = getenv(SHM_ENV_VAR);
+ OKF("SHM_ENV_VAR: %s", shm_env);
+
+ if (shm_env == NULL) {
+
+ WARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes");
+
+ instrument_coverage_optimize_map_mmap_anon(low_address);
+
+ } else {
+
+ guint64 shm_env_val = g_ascii_strtoull(shm_env, NULL, 10);
+
+ if (shm_env_val == 0) {
+
+ instrument_coverage_optimize_map_mmap(shm_env, low_address);
+
+ } else {
+
+ instrument_coverage_optimize_map_shm(shm_env_val, low_address);
+
+ }
+
+ }
+
+ OKF("__afl_area_ptr: %p", __afl_area_ptr);
+ OKF("instrument_previous_pc: %p", &instrument_previous_pc);
+
}
void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output) {
+ afl_log_code code = {0};
GumX86Writer *cw = output->writer.x86;
guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address));
- instrument_coverate_write_function(output);
+ GumAddress code_addr = 0;
- gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
- -GUM_RED_ZONE_SIZE);
- gum_x86_writer_put_push_reg(cw, GUM_REG_RDI);
- gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset);
- gum_x86_writer_put_call_address(cw, current_log_impl);
- gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI);
- gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
- GUM_RED_ZONE_SIZE);
+ // gum_x86_writer_put_breakpoint(cw);
+ code_addr = cw->pc;
+ code.code = template;
+
+ gssize curr_loc_shr_1_offset =
+ offsetof(afl_log_code, code.mov_rsi_curr_loc_shr_1) +
+ sizeof(code.code.mov_rsi_curr_loc_shr_1) - sizeof(guint32);
+
+ *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) =
+ (guint32)(area_offset >> 1);
+
+ gssize prev_loc_value =
+ GPOINTER_TO_SIZE(&instrument_previous_pc) -
+ (code_addr + offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) +
+ sizeof(code.code.xchg_rsi_prev_loc_curr_loc));
+ gssize prev_loc_value_offset =
+ offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) +
+ sizeof(code.code.xchg_rsi_prev_loc_curr_loc) - sizeof(gint);
+ if (!instrument_coverage_in_range(prev_loc_value)) {
+
+ FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value);
+
+ }
+
+ *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value;
+
+ gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_rsi_curr_loc) +
+ sizeof(code.code.xor_rsi_curr_loc) -
+ sizeof(guint32);
+
+ *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset);
+
+ gssize add_rsi_1_offset = offsetof(afl_log_code, code.add_rsi_1) +
+ sizeof(code.code.add_rsi_1) - sizeof(guint32) - 1;
+
+ *((guint32 *)&code.bytes[add_rsi_1_offset]) =
+ (guint32)GPOINTER_TO_SIZE(__afl_area_ptr);
+
+ gssize adc_rsi_0_ffset = offsetof(afl_log_code, code.adc_rsi_0) +
+ sizeof(code.code.adc_rsi_0) - sizeof(guint32) - 1;
+
+ *((guint32 *)&code.bytes[adc_rsi_0_ffset]) =
+ (guint32)GPOINTER_TO_SIZE(__afl_area_ptr);
+
+ gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
}
diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c
index 5b6eb462..1b666fce 100644
--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@@ -549,18 +549,19 @@ static GArray *merge_ranges(GArray *a) {
}
+void ranges_print_debug_maps(void) {
+
+ gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, NULL);
+
+}
+
void ranges_config(void) {
if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { ranges_debug_maps = TRUE; }
if (getenv("AFL_INST_LIBS") != NULL) { ranges_inst_libs = TRUE; }
if (getenv("AFL_FRIDA_INST_JIT") != NULL) { ranges_inst_jit = TRUE; }
- if (ranges_debug_maps) {
-
- gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback,
- NULL);
-
- }
+ if (ranges_debug_maps) { ranges_print_debug_maps(); }
include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES");
exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES");
From 269dc29efe920abf3935d2052e11dfb94ec799e2 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Tue, 12 Oct 2021 12:48:54 +0100
Subject: [PATCH 058/305] frida mode fix on x86_64 archs
---
frida_mode/GNUmakefile | 8 ++++----
frida_mode/src/instrument/instrument_arm32.c | 4 ++++
frida_mode/src/instrument/instrument_arm64.c | 3 +++
frida_mode/src/instrument/instrument_x64.c | 7 +++++--
frida_mode/src/instrument/instrument_x86.c | 3 +++
5 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index ab6efecf..4d6d7147 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -30,9 +30,7 @@ AFL_CFLAGS:=-Wno-unused-parameter \
LDFLAGS+=-shared \
-lpthread \
- -lresolv \
- -ldl \
- -lrt
+ -lresolv
ifdef DEBUG
CFLAGS+=-Werror \
@@ -72,7 +70,9 @@ ifdef DEBUG
endif
LDFLAGS+= -z noexecstack \
-Wl,--gc-sections \
- -Wl,--exclude-libs,ALL
+ -Wl,--exclude-libs,ALL \
+ -ldl \
+ -lrt
LDSCRIPT:=-Wl,--version-script=$(PWD)frida.map
endif
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c
index 0e15940a..4b0a648e 100644
--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@@ -22,6 +22,10 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
+void instrument_coverage_optimize_init(void) {
+ WARNF("Optimized coverage not supported on this architecture");
+}
+
void instrument_flush(GumStalkerOutput *output) {
gum_arm_writer_flush(output->writer.arm);
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index cf37e048..80d1d845 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -95,6 +95,9 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
+void instrument_coverage_optimize_init(void) {
+}
+
void instrument_flush(GumStalkerOutput *output) {
gum_arm64_writer_flush(output->writer.arm64);
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index dc040a20..60f443e0 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -1,10 +1,13 @@
#include
#include
-#include
#include
-#include
#include
+#if defined(__linux__)
+#include
+#include
+#endif
+
#include "frida-gumjs.h"
#include "config.h"
diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c
index 7bf48f96..1ff5c920 100644
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@@ -83,6 +83,9 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
+void instrument_coverage_optimize_init(void) {
+}
+
void instrument_flush(GumStalkerOutput *output) {
gum_x86_writer_flush(output->writer.x86);
From 8e662898095ed6ba283a87119e383948b83b8d75 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Tue, 12 Oct 2021 19:04:35 +0200
Subject: [PATCH 059/305] adapt compiler driver to laod new pass manager passes
---
instrumentation/split-compares-pass.so.cc | 20 +++++++++++++-------
src/afl-cc.c | 11 ++++++-----
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index a0dbba7a..2ae6f893 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -1,6 +1,7 @@
/*
* Copyright 2016 laf-intel
* extended for floating point by Heiko Eißfeldt
+ * adapted to new pass manager by Heiko Eißfeldt
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,7 +34,7 @@
#include "llvm/Passes/PassBuilder.h"
#include "llvm/IR/PassManager.h"
//#include "llvm/IR/LegacyPassManager.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+//#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/IR/Module.h"
@@ -61,7 +62,7 @@ namespace {
class SplitComparesTransform : public PassInfoMixin {
public:
- static char ID;
+// static char ID;
SplitComparesTransform() : enableFPSplit(0) {
initInstrumentList();
@@ -159,7 +160,7 @@ class SplitComparesTransform : public PassInfoMixin {
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {
return {
- LLVM_PLUGIN_API_VERSION, "SplitCompares", "v0.1",
+ LLVM_PLUGIN_API_VERSION, "splitcompares", "v0.1",
/* lambda to insert our pass into the pass pipeline. */
[](PassBuilder &PB) {
#if 1
@@ -187,7 +188,7 @@ llvmGetPassPluginInfo() {
};
}
-char SplitComparesTransform::ID = 0;
+//char SplitComparesTransform::ID = 0;
/// This function splits FCMP instructions with xGE or xLE predicates into two
/// FCMP instructions with predicate xGT or xLT and EQ
@@ -700,7 +701,7 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M,
ReplaceInstWithInst(cmp_inst->getParent()->getInstList(), ii, PN);
// We split the comparison into low and high. If this isn't our target
- // bitwidth we recursivly split the low and high parts again until we have
+ // bitwidth we recursively split the low and high parts again until we have
// target bitwidth.
if ((bitw / 2) > target_bitwidth) {
@@ -1352,7 +1353,7 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
if ((isatty(2) && getenv("AFL_QUIET") == NULL) ||
getenv("AFL_DEBUG") != NULL) {
- errs() << "Split-compare-pass by laf.intel@gmail.com, extended by "
+ errs() << "Split-compare-newpass by laf.intel@gmail.com, extended by "
"heiko@hexco.de (splitting icmp to "
<< target_bitwidth << " bit)\n";
@@ -1364,7 +1365,7 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
}
- auto PA = PreservedAnalyses::all();
+ auto PA = PreservedAnalyses::none();
if (enableFPSplit) {
@@ -1447,6 +1448,11 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
}
+ if ((isatty(2) && getenv("AFL_QUIET") == NULL) ||
+ getenv("AFL_DEBUG") != NULL) {
+ errs() << count << " comparisons found\n";
+ }
+
/* if (modified) {
PA.abandon();
}*/
diff --git a/src/afl-cc.c b/src/afl-cc.c
index e49addc4..f8621d72 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -500,11 +500,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
- cc_params[cc_par_cnt++] = "-Xclang";
- cc_params[cc_par_cnt++] = "-load";
- cc_params[cc_par_cnt++] = "-Xclang";
+// cc_params[cc_par_cnt++] = "-Xclang";
+// cc_params[cc_par_cnt++] = "-load";
+// cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
- alloc_printf("%s/split-compares-pass.so", obj_path);
+ alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path);
}
@@ -548,7 +549,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
#if LLVM_MAJOR >= 13
// fuck you llvm 13
- cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";
+// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";
#endif
if (lto_mode && !have_c) {
From 544a65db5470359c18436eca123282d74fa47f2e Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Tue, 12 Oct 2021 23:02:15 +0200
Subject: [PATCH 060/305] converted afl-llvm-pass to new pass manager
---
instrumentation/afl-llvm-pass.so.cc | 59 +++++++++++++++++++++++------
src/afl-cc.c | 10 ++---
2 files changed, 51 insertions(+), 18 deletions(-)
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index ecf28f31..c2b87ecb 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -45,12 +45,15 @@ typedef long double max_align_t;
#endif
#include "llvm/IR/IRBuilder.h"
-#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Passes/PassPlugin.h"
+#include "llvm/Passes/PassBuilder.h"
+#include "llvm/IR/PassManager.h"
+//#include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MathExtras.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+//#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#if LLVM_VERSION_MAJOR > 3 || \
(LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4)
@@ -68,17 +71,18 @@ using namespace llvm;
namespace {
-class AFLCoverage : public ModulePass {
+//class AFLCoverage : public ModulePass {
+class AFLCoverage : public PassInfoMixin {
public:
- static char ID;
- AFLCoverage() : ModulePass(ID) {
+// static char ID;
+ AFLCoverage() {
initInstrumentList();
}
- bool runOnModule(Module &M) override;
+ PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
protected:
uint32_t ngram_size = 0;
@@ -92,7 +96,38 @@ class AFLCoverage : public ModulePass {
} // namespace
-char AFLCoverage::ID = 0;
+extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
+llvmGetPassPluginInfo() {
+ return {
+ LLVM_PLUGIN_API_VERSION, "AFLCoverage", "v0.1",
+ /* lambda to insert our pass into the pass pipeline. */
+ [](PassBuilder &PB) {
+#if 1
+ using OptimizationLevel = typename PassBuilder::OptimizationLevel;
+ PB.registerOptimizerLastEPCallback(
+ [](ModulePassManager &MPM, OptimizationLevel OL) {
+ MPM.addPass(AFLCoverage());
+ }
+ );
+/* TODO LTO registration */
+#else
+ using PipelineElement = typename PassBuilder::PipelineElement;
+ PB.registerPipelineParsingCallback(
+ [](StringRef Name, ModulePassManager &MPM, ArrayRef) {
+ if ( Name == "AFLCoverage" ) {
+ MPM.addPass(AFLCoverage);
+ return true;
+ } else {
+ return false;
+ }
+ }
+ );
+#endif
+ }
+ };
+}
+
+//char AFLCoverage::ID = 0;
/* needed up to 3.9.0 */
#if LLVM_VERSION_MAJOR == 3 && \
@@ -118,7 +153,7 @@ uint64_t PowerOf2Ceil(unsigned in) {
(LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1)
#define AFL_HAVE_VECTOR_INTRINSICS 1
#endif
-bool AFLCoverage::runOnModule(Module &M) {
+PreservedAnalyses AFLCoverage::run(Module &M, ModuleAnalysisManager &MAM) {
LLVMContext &C = M.getContext();
@@ -133,6 +168,8 @@ bool AFLCoverage::runOnModule(Module &M) {
u32 rand_seed;
unsigned int cur_loc = 0;
+ auto PA = PreservedAnalyses::none();
+
/* Setup random() so we get Actually Random(TM) outputs from AFL_R() */
gettimeofday(&tv, &tz);
rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
@@ -969,10 +1006,10 @@ bool AFLCoverage::runOnModule(Module &M) {
}
- return true;
+ return PA;
}
-
+#if 0
static void registerAFLPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
@@ -985,4 +1022,4 @@ static RegisterStandardPasses RegisterAFLPass(
static RegisterStandardPasses RegisterAFLPass0(
PassManagerBuilder::EP_EnabledOnOptLevel0, registerAFLPass);
-
+#endif
diff --git a/src/afl-cc.c b/src/afl-cc.c
index f8621d72..bbe548d9 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -500,12 +500,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
-// cc_params[cc_par_cnt++] = "-Xclang";
-// cc_params[cc_par_cnt++] = "-load";
-// cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path);
+// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";
}
@@ -629,10 +627,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
- cc_params[cc_par_cnt++] = "-Xclang";
- cc_params[cc_par_cnt++] = "-load";
- cc_params[cc_par_cnt++] = "-Xclang";
- cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
+ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
+ cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path);
}
From 6e08e809074763a9c4b35b65805e628689a2d562 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Tue, 12 Oct 2021 23:24:28 +0200
Subject: [PATCH 061/305] converted compare-transform-pass to new pass manager
---
instrumentation/compare-transform-pass.so.cc | 69 ++++++++++++++------
src/afl-cc.c | 6 +-
2 files changed, 52 insertions(+), 23 deletions(-)
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 288e8282..e6695185 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -26,7 +26,10 @@
#include "llvm/ADT/Statistic.h"
#include "llvm/IR/IRBuilder.h"
-#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Passes/PassPlugin.h"
+#include "llvm/Passes/PassBuilder.h"
+#include "llvm/IR/PassManager.h"
+//#include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
@@ -52,28 +55,16 @@ using namespace llvm;
namespace {
-class CompareTransform : public ModulePass {
+class CompareTransform : public PassInfoMixin {
public:
- static char ID;
- CompareTransform() : ModulePass(ID) {
+ CompareTransform() {
initInstrumentList();
}
- bool runOnModule(Module &M) override;
-
-#if LLVM_VERSION_MAJOR < 4
- const char *getPassName() const override {
-
-#else
- StringRef getPassName() const override {
-
-#endif
- return "transforms compare functions";
-
- }
+ PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
private:
bool transformCmps(Module &M, const bool processStrcmp,
@@ -85,7 +76,37 @@ class CompareTransform : public ModulePass {
} // namespace
-char CompareTransform::ID = 0;
+extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
+llvmGetPassPluginInfo() {
+ return {
+ LLVM_PLUGIN_API_VERSION, "comparetransform", "v0.1",
+ /* lambda to insert our pass into the pass pipeline. */
+ [](PassBuilder &PB) {
+#if 1
+ using OptimizationLevel = typename PassBuilder::OptimizationLevel;
+ PB.registerOptimizerLastEPCallback(
+ [](ModulePassManager &MPM, OptimizationLevel OL) {
+ MPM.addPass(CompareTransform());
+ }
+ );
+/* TODO LTO registration */
+#else
+ using PipelineElement = typename PassBuilder::PipelineElement;
+ PB.registerPipelineParsingCallback(
+ [](StringRef Name, ModulePassManager &MPM, ArrayRef) {
+ if ( Name == "comparetransform" ) {
+ MPM.addPass(CompareTransform);
+ return true;
+ } else {
+ return false;
+ }
+ }
+ );
+#endif
+ }
+ };
+}
+
bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
const bool processMemcmp,
@@ -592,7 +613,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
}
-bool CompareTransform::runOnModule(Module &M) {
+PreservedAnalyses CompareTransform::run(Module &M, ModuleAnalysisManager &MAM) {
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
printf(
@@ -601,13 +622,22 @@ bool CompareTransform::runOnModule(Module &M) {
else
be_quiet = 1;
+ auto PA = PreservedAnalyses::none();
+
transformCmps(M, true, true, true, true, true);
verifyModule(M);
- return true;
+/* if (modified) {
+ PA.abandon();
+ }*/
+
+ return PA;
+
+// return true;
}
+#if 0
static void registerCompTransPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
@@ -626,4 +656,5 @@ static RegisterStandardPasses RegisterCompTransPass0(
static RegisterStandardPasses RegisterCompTransPassLTO(
PassManagerBuilder::EP_FullLinkTimeOptimizationLast, registerCompTransPass);
#endif
+#endif
diff --git a/src/afl-cc.c b/src/afl-cc.c
index bbe548d9..a51632a2 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -480,11 +480,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
- cc_params[cc_par_cnt++] = "-Xclang";
- cc_params[cc_par_cnt++] = "-load";
- cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
- alloc_printf("%s/compare-transform-pass.so", obj_path);
+ alloc_printf("-fpass-plugin=%s/compare-transform-pass.so", obj_path);
}
From 379c5806580dd58824df0f4fb7d215841d1bd459 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Tue, 12 Oct 2021 23:40:05 +0200
Subject: [PATCH 062/305] converted split-switches-pass to new pass manager
---
instrumentation/split-compares-pass.so.cc | 2 +-
instrumentation/split-switches-pass.so.cc | 71 ++++++++++++++++-------
src/afl-cc.c | 12 ++--
3 files changed, 54 insertions(+), 31 deletions(-)
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 2ae6f893..8d4935f5 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -176,7 +176,7 @@ llvmGetPassPluginInfo() {
PB.registerPipelineParsingCallback(
[](StringRef Name, ModulePassManager &MPM, ArrayRef) {
if ( Name == "splitcompares" ) {
- MPM.addPass(SplitComparesTransform);
+ MPM.addPass(SplitComparesTransform());
return true;
} else {
return false;
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index 82f198aa..ba143dca 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -27,11 +27,14 @@
#include "llvm/ADT/Statistic.h"
#include "llvm/IR/IRBuilder.h"
-#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Passes/PassPlugin.h"
+#include "llvm/Passes/PassBuilder.h"
+#include "llvm/IR/PassManager.h"
+//#include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+//#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Pass.h"
#include "llvm/Analysis/ValueTracking.h"
@@ -54,28 +57,16 @@ using namespace llvm;
namespace {
-class SplitSwitchesTransform : public ModulePass {
+class SplitSwitchesTransform : public PassInfoMixin {
public:
- static char ID;
- SplitSwitchesTransform() : ModulePass(ID) {
+ SplitSwitchesTransform() {
initInstrumentList();
}
- bool runOnModule(Module &M) override;
-
-#if LLVM_VERSION_MAJOR >= 4
- StringRef getPassName() const override {
-
-#else
- const char *getPassName() const override {
-
-#endif
- return "splits switch constructs";
-
- }
+ PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
struct CaseExpr {
@@ -103,7 +94,36 @@ class SplitSwitchesTransform : public ModulePass {
} // namespace
-char SplitSwitchesTransform::ID = 0;
+extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
+llvmGetPassPluginInfo() {
+ return {
+ LLVM_PLUGIN_API_VERSION, "splitswitches", "v0.1",
+ /* lambda to insert our pass into the pass pipeline. */
+ [](PassBuilder &PB) {
+#if 1
+ using OptimizationLevel = typename PassBuilder::OptimizationLevel;
+ PB.registerOptimizerLastEPCallback(
+ [](ModulePassManager &MPM, OptimizationLevel OL) {
+ MPM.addPass(SplitSwitchesTransform());
+ }
+ );
+/* TODO LTO registration */
+#else
+ using PipelineElement = typename PassBuilder::PipelineElement;
+ PB.registerPipelineParsingCallback(
+ [](StringRef Name, ModulePassManager &MPM, ArrayRef) {
+ if ( Name == "splitswitches" ) {
+ MPM.addPass(SplitSwitchesTransform());
+ return true;
+ } else {
+ return false;
+ }
+ }
+ );
+#endif
+ }
+ };
+}
/* switchConvert - Transform simple list of Cases into list of CaseRange's */
BasicBlock *SplitSwitchesTransform::switchConvert(
@@ -415,19 +435,26 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
}
-bool SplitSwitchesTransform::runOnModule(Module &M) {
+PreservedAnalyses SplitSwitchesTransform::run(Module &M, ModuleAnalysisManager &MAM) {
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
printf("Running split-switches-pass by laf.intel@gmail.com\n");
else
be_quiet = 1;
+
+ auto PA = PreservedAnalyses::none();
+
splitSwitches(M);
verifyModule(M);
- return true;
+/* if (modified) {
+ PA.abandon();
+ }*/
+
+ return PA;
}
-
+#if 0
static void registerSplitSwitchesTransPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
@@ -447,4 +474,4 @@ static RegisterStandardPasses RegisterSplitSwitchesTransPassLTO(
PassManagerBuilder::EP_FullLinkTimeOptimizationLast,
registerSplitSwitchesTransPass);
#endif
-
+#endif
diff --git a/src/afl-cc.c b/src/afl-cc.c
index a51632a2..e8584d50 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -460,11 +460,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
- cc_params[cc_par_cnt++] = "-Xclang";
- cc_params[cc_par_cnt++] = "-load";
- cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
- alloc_printf("%s/split-switches-pass.so", obj_path);
+ alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path);
}
@@ -531,11 +529,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("%s/cmplog-switches-pass.so", obj_path);
// reuse split switches from laf
- cc_params[cc_par_cnt++] = "-Xclang";
- cc_params[cc_par_cnt++] = "-load";
- cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
- alloc_printf("%s/split-switches-pass.so", obj_path);
+ alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path);
}
From e0c052cad70b5cf2c86e1bda1d279a2ac1440077 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Tue, 12 Oct 2021 23:46:47 +0200
Subject: [PATCH 063/305] unicornafl bindings improved
---
docs/Changelog.md | 1 +
unicorn_mode/UNICORNAFL_VERSION | 2 +-
.../samples/speedtest/rust/src/main.rs | 23 ++++++++-----------
unicorn_mode/unicornafl | 2 +-
4 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 1c3830f9..ea58a386 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -34,6 +34,7 @@ sending a mail to .
- fix AFL_PRELOAD issues on MacOS
- removed utils/afl_frida because frida_mode/ is now so much better
- added uninstall target to makefile (todo: update new readme!)
+ - removed indirections in rust callbacks for unicornafl
### Version ++3.14c (release)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index cbca63e5..e76da957 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-f1c853648a74b0157d233a2ef9f1693cfee78c11
+d06e3d5113dd96799a765a6514f7f5c45f071ca3
diff --git a/unicorn_mode/samples/speedtest/rust/src/main.rs b/unicorn_mode/samples/speedtest/rust/src/main.rs
index 77356a67..89e10833 100644
--- a/unicorn_mode/samples/speedtest/rust/src/main.rs
+++ b/unicorn_mode/samples/speedtest/rust/src/main.rs
@@ -12,11 +12,11 @@ use std::{
use unicornafl::{
unicorn_const::{uc_error, Arch, Mode, Permission},
- RegisterX86::{self, *},
- Unicorn, UnicornHandle,
+ RegisterX86::*,
+ Unicorn,
};
-const BINARY: &str = &"../target";
+const BINARY: &str = "../target";
// Memory map for the code to be tested
// Arbitrary address where code to test will be loaded
@@ -47,7 +47,7 @@ fn read_file(filename: &str) -> Result, io::Error> {
fn parse_locs(loc_name: &str) -> Result, io::Error> {
let contents = &read_file(&format!("../target.offsets.{}", loc_name))?;
//println!("Read: {:?}", contents);
- Ok(str_from_u8_unchecked(&contents)
+ Ok(str_from_u8_unchecked(contents)
.split('\n')
.map(|x| {
//println!("Trying to convert {}", &x[2..]);
@@ -87,8 +87,7 @@ fn main() {
}
fn fuzz(input_file: &str) -> Result<(), uc_error> {
- let mut unicorn = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?;
- let mut uc: UnicornHandle<'_, _> = unicorn.borrow();
+ let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?;
let binary =
read_file(BINARY).unwrap_or_else(|_| panic!("Could not read modem image: {}", BINARY));
@@ -133,7 +132,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
let already_allocated_malloc = already_allocated.clone();
// We use a very simple malloc/free stub here,
// that only works for exactly one allocation at a time.
- let hook_malloc = move |mut uc: UnicornHandle<'_, _>, addr: u64, size: u32| {
+ let hook_malloc = move |uc: &mut Unicorn<'_, _>, addr: u64, size: u32| {
if already_allocated_malloc.get() {
println!("Double malloc, not supported right now!");
abort();
@@ -154,7 +153,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
let already_allocated_free = already_allocated;
// No real free, just set the "used"-flag to false.
- let hook_free = move |mut uc: UnicornHandle<'_, _>, addr, size| {
+ let hook_free = move |uc: &mut Unicorn<'_, _>, addr, size| {
if already_allocated_free.get() {
println!("Double free detected. Real bug?");
abort();
@@ -177,7 +176,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
*/
// This is a fancy print function that we're just going to skip for fuzzing.
- let hook_magicfn = move |mut uc: UnicornHandle<'_, _>, addr, size| {
+ let hook_magicfn = move |uc: &mut Unicorn<'_, _>, addr, size| {
uc.reg_write(RIP, addr + size as u64).unwrap();
};
@@ -195,7 +194,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
}
let place_input_callback =
- |uc: &mut UnicornHandle<'_, _>, afl_input: &mut [u8], _persistent_round| {
+ |uc: &mut Unicorn<'_, _>, afl_input: &mut [u8], _persistent_round| {
// apply constraints to the mutated input
if afl_input.len() > INPUT_MAX as usize {
//println!("Skipping testcase with leng {}", afl_input.len());
@@ -209,9 +208,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
// return true if the last run should be counted as crash
let crash_validation_callback =
- |_uc: &mut UnicornHandle<'_, _>, result, _input: &[u8], _persistent_round| {
- result != uc_error::OK
- };
+ |_uc: &mut Unicorn<'_, _>, result, _input: &[u8], _persistent_round| result != uc_error::OK;
let end_addrs = parse_locs("main_ends").unwrap();
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index c0e03d2c..d06e3d51 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
+Subproject commit d06e3d5113dd96799a765a6514f7f5c45f071ca3
From 319db6759ba9dfaac454d5669214ae3aa65831fe Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Wed, 13 Oct 2021 18:41:45 +0100
Subject: [PATCH 064/305] Fix missing MAP_FIXED_NOREPLACE (#1116)
Co-authored-by: Your Name
---
frida_mode/src/instrument/instrument_x64.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index 60f443e0..ebdf1440 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -18,6 +18,14 @@
#if defined(__x86_64__)
+#ifndef MAP_FIXED_NOREPLACE
+ #ifdef MAP_EXCL
+ #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED
+ #else
+ #define MAP_FIXED_NOREPLACE MAP_FIXED
+ #endif
+#endif
+
gboolean instrument_is_coverage_optimize_supported(void) {
return true;
From 17c59de1c2ea73f358ff6d0df4c572c62ee650aa Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Wed, 13 Oct 2021 19:53:32 +0200
Subject: [PATCH 065/305] updated uc
---
unicorn_mode/UNICORNAFL_VERSION | 2 +-
unicorn_mode/unicornafl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index e76da957..cc8d5b34 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-d06e3d5113dd96799a765a6514f7f5c45f071ca3
+d4915053d477dd827b3fe4b494173d3fbf9f456e
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d06e3d51..d4915053 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d06e3d5113dd96799a765a6514f7f5c45f071ca3
+Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
From 3deca3b09b46130c9e23320c0b98f60543f9b5ba Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 15 Oct 2021 11:25:02 +0200
Subject: [PATCH 066/305] fix lto cmplog stability issue
---
.../grammar_mutator/grammar_mutator | 2 +-
docs/Changelog.md | 1 +
qemu_mode/qemuafl | 2 +-
src/afl-fuzz-run.c | 30 +++++++++++++++++--
unicorn_mode/unicornafl | 2 +-
5 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator
index eedf07dd..b79d51a8 160000
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
@@ -1 +1 @@
-Subproject commit eedf07ddb0fb1f437f5e76b77cfd4064cf6a5d63
+Subproject commit b79d51a8daccbd7a693f9b6765c81ead14f28e26
diff --git a/docs/Changelog.md b/docs/Changelog.md
index ea58a386..df4d343a 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,6 +16,7 @@ sending a mail to .
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
- fix -n dumb mode (nobody should use this)
+ - fix stability issue with LTO and cmplog
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
- Prevent accidently killing non-afl/fuzz services when aborting
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index a6758d1c..71ed0d20 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
+Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 4173f4e1..da6ba7d9 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
u32 handicap, u8 from_queue) {
- if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
-
u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0,
first_run = (q->exec_cksum == 0);
u64 start_us, stop_us, diff_us;
@@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
u32 use_tmout = afl->fsrv.exec_tmout;
u8 *old_sn = afl->stage_name;
+ if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
+
/* Be a bit more generous about timeouts when resuming sessions, or when
trying to calibrate already-added finds. This helps avoid trouble due
to intermittent latency. */
@@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
}
+ /* we need a dummy run if this is LTO + cmplog */
+ if (unlikely(afl->shm.cmplog_mode)) {
+
+ write_to_testcase(afl, use_mem, q->len);
+
+ fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
+
+ /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
+ we want to bail out quickly. */
+
+ if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
+
+ if (!afl->non_instrumented_mode && !afl->stage_cur &&
+ !count_bytes(afl, afl->fsrv.trace_bits)) {
+
+ fault = FSRV_RUN_NOINST;
+ goto abort_calibration;
+
+ }
+
+#ifdef INTROSPECTION
+ if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
+#endif
+
+ }
+
if (q->exec_cksum) {
memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d4915053..f1c85364 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
From 8b1910e2689876c8ed4d0b9529296dc144692d35 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 15 Oct 2021 12:55:40 +0200
Subject: [PATCH 067/305] fix submodules
---
unicorn_mode/unicornafl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index f1c85364..d4915053 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
+Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
From c49b30879474042f16dcf8de200c603a47965ea4 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Sat, 16 Oct 2021 12:56:31 +0200
Subject: [PATCH 068/305] switch PreservedAnalyses from none to all
---
instrumentation/afl-llvm-pass.so.cc | 4 ++--
instrumentation/compare-transform-pass.so.cc | 4 ++--
instrumentation/split-compares-pass.so.cc | 2 +-
instrumentation/split-switches-pass.so.cc | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index c2b87ecb..92999443 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -115,7 +115,7 @@ llvmGetPassPluginInfo() {
PB.registerPipelineParsingCallback(
[](StringRef Name, ModulePassManager &MPM, ArrayRef) {
if ( Name == "AFLCoverage" ) {
- MPM.addPass(AFLCoverage);
+ MPM.addPass(AFLCoverage());
return true;
} else {
return false;
@@ -168,7 +168,7 @@ PreservedAnalyses AFLCoverage::run(Module &M, ModuleAnalysisManager &MAM) {
u32 rand_seed;
unsigned int cur_loc = 0;
- auto PA = PreservedAnalyses::none();
+ auto PA = PreservedAnalyses::all();
/* Setup random() so we get Actually Random(TM) outputs from AFL_R() */
gettimeofday(&tv, &tz);
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index e6695185..ce8efaa7 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -95,7 +95,7 @@ llvmGetPassPluginInfo() {
PB.registerPipelineParsingCallback(
[](StringRef Name, ModulePassManager &MPM, ArrayRef) {
if ( Name == "comparetransform" ) {
- MPM.addPass(CompareTransform);
+ MPM.addPass(CompareTransform());
return true;
} else {
return false;
@@ -622,7 +622,7 @@ PreservedAnalyses CompareTransform::run(Module &M, ModuleAnalysisManager &MAM) {
else
be_quiet = 1;
- auto PA = PreservedAnalyses::none();
+ auto PA = PreservedAnalyses::all();
transformCmps(M, true, true, true, true, true);
verifyModule(M);
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 8d4935f5..75a9c35c 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -1365,7 +1365,7 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
}
- auto PA = PreservedAnalyses::none();
+ auto PA = PreservedAnalyses::all();
if (enableFPSplit) {
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index ba143dca..b8cd61c3 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -442,7 +442,7 @@ PreservedAnalyses SplitSwitchesTransform::run(Module &M, ModuleAnalysisManager &
else
be_quiet = 1;
- auto PA = PreservedAnalyses::none();
+ auto PA = PreservedAnalyses::all();
splitSwitches(M);
verifyModule(M);
From 1f2fa22dad4440bf053e24811b5ece89ca276afc Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Sat, 16 Oct 2021 14:37:54 +0200
Subject: [PATCH 069/305] make new pass manager interface compiler version
dependent (>=7)
---
instrumentation/afl-llvm-pass.so.cc | 43 ++++++++++++++----
instrumentation/compare-transform-pass.so.cc | 38 +++++++++++++---
instrumentation/split-compares-pass.so.cc | 48 ++++++++++++++++----
instrumentation/split-switches-pass.so.cc | 46 +++++++++++++++++--
src/afl-cc.c | 43 ++++++++++++++++--
5 files changed, 190 insertions(+), 28 deletions(-)
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index 92999443..75f8621b 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -45,15 +45,18 @@ typedef long double max_align_t;
#endif
#include "llvm/IR/IRBuilder.h"
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
#include "llvm/Passes/PassPlugin.h"
#include "llvm/Passes/PassBuilder.h"
#include "llvm/IR/PassManager.h"
-//#include "llvm/IR/LegacyPassManager.h"
+#else
+#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MathExtras.h"
-//#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#if LLVM_VERSION_MAJOR > 3 || \
(LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4)
@@ -71,18 +74,26 @@ using namespace llvm;
namespace {
-//class AFLCoverage : public ModulePass {
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
class AFLCoverage : public PassInfoMixin {
-
- public:
-// static char ID;
AFLCoverage() {
+ public:
+#else
+class AFLCoverage : public ModulePass {
+ public:
+ static char ID;
+ AFLCoverage() : ModulePass(ID) {
+#endif
initInstrumentList();
}
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
+#else
+ bool runOnModule(Module &M) override;
+#endif
protected:
uint32_t ngram_size = 0;
@@ -96,6 +107,7 @@ class AFLCoverage : public PassInfoMixin {
} // namespace
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {
return {
@@ -126,8 +138,10 @@ llvmGetPassPluginInfo() {
}
};
}
+#else
-//char AFLCoverage::ID = 0;
+char AFLCoverage::ID = 0;
+#endif
/* needed up to 3.9.0 */
#if LLVM_VERSION_MAJOR == 3 && \
@@ -153,7 +167,13 @@ uint64_t PowerOf2Ceil(unsigned in) {
(LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1)
#define AFL_HAVE_VECTOR_INTRINSICS 1
#endif
+
+
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
PreservedAnalyses AFLCoverage::run(Module &M, ModuleAnalysisManager &MAM) {
+#else
+bool AFLCoverage::runOnModule(Module &M) {
+#endif
LLVMContext &C = M.getContext();
@@ -168,7 +188,9 @@ PreservedAnalyses AFLCoverage::run(Module &M, ModuleAnalysisManager &MAM) {
u32 rand_seed;
unsigned int cur_loc = 0;
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
auto PA = PreservedAnalyses::all();
+#endif
/* Setup random() so we get Actually Random(TM) outputs from AFL_R() */
gettimeofday(&tv, &tz);
@@ -1006,10 +1028,15 @@ PreservedAnalyses AFLCoverage::run(Module &M, ModuleAnalysisManager &MAM) {
}
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
return PA;
+#else
+ return true;
+#endif
}
-#if 0
+
+#if LLVM_VERSION_MAJOR < 7 /* use old pass manager */
static void registerAFLPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index ce8efaa7..3c975fe8 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -26,14 +26,17 @@
#include "llvm/ADT/Statistic.h"
#include "llvm/IR/IRBuilder.h"
+#if LLVM_MAJOR >= 7 /* use new pass manager */
#include "llvm/Passes/PassPlugin.h"
#include "llvm/Passes/PassBuilder.h"
#include "llvm/IR/PassManager.h"
-//#include "llvm/IR/LegacyPassManager.h"
+#else
+#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Pass.h"
#include "llvm/Analysis/ValueTracking.h"
@@ -55,16 +58,28 @@ using namespace llvm;
namespace {
+#if LLVM_MAJOR >= 7 /* use new pass manager */
class CompareTransform : public PassInfoMixin {
public:
CompareTransform() {
+#else
+class CompareTransform : public ModulePass {
+
+ public:
+ static char ID;
+ CompareTransform() : ModulePass(ID) {
+#endif
initInstrumentList();
}
+#if LLVM_MAJOR >= 7 /* use new pass manager */
PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
+#else
+ bool runOnModule(Module &M) override;
+#endif
private:
bool transformCmps(Module &M, const bool processStrcmp,
@@ -76,6 +91,7 @@ class CompareTransform : public PassInfoMixin {
} // namespace
+#if LLVM_MAJOR >= 7 /* use new pass manager */
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {
return {
@@ -106,7 +122,9 @@ llvmGetPassPluginInfo() {
}
};
}
-
+#else
+char CompareTransform::ID = 0;
+#endif
bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
const bool processMemcmp,
@@ -613,7 +631,11 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
}
+#if LLVM_MAJOR >= 7 /* use new pass manager */
PreservedAnalyses CompareTransform::run(Module &M, ModuleAnalysisManager &MAM) {
+#else
+bool CompareTransform::runOnModule(Module &M) {
+#endif
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
printf(
@@ -622,22 +644,26 @@ PreservedAnalyses CompareTransform::run(Module &M, ModuleAnalysisManager &MAM) {
else
be_quiet = 1;
+#if LLVM_MAJOR >= 7 /* use new pass manager */
auto PA = PreservedAnalyses::all();
+#endif
transformCmps(M, true, true, true, true, true);
verifyModule(M);
+#if LLVM_MAJOR >= 7 /* use new pass manager */
/* if (modified) {
PA.abandon();
}*/
return PA;
-
-// return true;
+#else
+ return true;
+#endif
}
-#if 0
+#if LLVM_MAJOR < 7 /* use old pass manager */
static void registerCompTransPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 75a9c35c..ed7e111e 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -30,11 +30,14 @@
#include "llvm/Pass.h"
#include "llvm/Support/raw_ostream.h"
+#if LLVM_MAJOR >= 7
#include "llvm/Passes/PassPlugin.h"
#include "llvm/Passes/PassBuilder.h"
#include "llvm/IR/PassManager.h"
-//#include "llvm/IR/LegacyPassManager.h"
-//#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#else
+#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/IR/Module.h"
@@ -58,17 +61,26 @@ using namespace llvm;
namespace {
-//class SplitComparesTransform : public ModulePass {
+#if LLVM_MAJOR >= 7
class SplitComparesTransform : public PassInfoMixin {
-
public:
// static char ID;
SplitComparesTransform() : enableFPSplit(0) {
+#else
+class SplitComparesTransform : public ModulePass {
+ public:
+ static char ID;
+ SplitComparesTransform() : ModulePass(ID), enableFPSplit(0) {
+#endif
initInstrumentList();
}
+#if LLVM_MAJOR >= 7
PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
+#else
+ bool runOnModule(Module &M) override;
+#endif
private:
int enableFPSplit;
@@ -157,6 +169,7 @@ class SplitComparesTransform : public PassInfoMixin {
} // namespace
+#if LLVM_MAJOR >= 7
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {
return {
@@ -187,8 +200,9 @@ llvmGetPassPluginInfo() {
}
};
}
-
-//char SplitComparesTransform::ID = 0;
+#else
+char SplitComparesTransform::ID = 0;
+#endif
/// This function splits FCMP instructions with xGE or xLE predicates into two
/// FCMP instructions with predicate xGT or xLT and EQ
@@ -1342,7 +1356,11 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
}
+#if LLVM_MAJOR >= 7
PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &MAM) {
+#else
+bool SplitComparesTransform::runOnModule(Module &M) {
+#endif
char *bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW");
if (!bitw_env) bitw_env = getenv("LAF_SPLIT_COMPARES_BITW");
@@ -1365,7 +1383,9 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
}
+#if LLVM_MAJOR >= 7
auto PA = PreservedAnalyses::all();
+#endif
if (enableFPSplit) {
@@ -1399,7 +1419,13 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
auto op0 = CI->getOperand(0);
auto op1 = CI->getOperand(1);
- if (!op0 || !op1) { return PA; }
+ if (!op0 || !op1) {
+#if LLVM_MAJOR >= 7
+ return PA;
+#else
+ return false;
+#endif
+ }
auto iTy1 = dyn_cast(op0->getType());
if (iTy1 && isa(op1->getType())) {
@@ -1453,14 +1479,20 @@ PreservedAnalyses SplitComparesTransform::run(Module &M, ModuleAnalysisManager &
errs() << count << " comparisons found\n";
}
+#if LLVM_MAJOR >= 7
/* if (modified) {
PA.abandon();
}*/
return PA;
+#else
+ return true;
+#endif
}
-#if 0
+
+#if LLVM_MAJOR < 7 /* use old pass manager */
+
static void registerSplitComparesPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index b8cd61c3..42441de1 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -27,14 +27,17 @@
#include "llvm/ADT/Statistic.h"
#include "llvm/IR/IRBuilder.h"
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
#include "llvm/Passes/PassPlugin.h"
#include "llvm/Passes/PassBuilder.h"
#include "llvm/IR/PassManager.h"
-//#include "llvm/IR/LegacyPassManager.h"
+#else
+#include "llvm/IR/LegacyPassManager.h"
+#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
-//#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Pass.h"
#include "llvm/Analysis/ValueTracking.h"
@@ -57,16 +60,38 @@ using namespace llvm;
namespace {
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
class SplitSwitchesTransform : public PassInfoMixin {
public:
SplitSwitchesTransform() {
+#else
+class SplitSwitchesTransform : public ModulePass {
+ public:
+ static char ID;
+ SplitSwitchesTransform() : ModulePass(ID) {
+#endif
initInstrumentList();
}
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
+#else
+ bool runOnModule(Module &M) override;
+
+#if LLVM_VERSION_MAJOR >= 4
+ StringRef getPassName() const override {
+
+#else
+ const char *getPassName() const override {
+
+#endif
+ return "splits switch constructs";
+
+ }
+#endif
struct CaseExpr {
@@ -94,6 +119,7 @@ class SplitSwitchesTransform : public PassInfoMixin {
} // namespace
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {
return {
@@ -124,6 +150,9 @@ llvmGetPassPluginInfo() {
}
};
}
+#else
+char SplitSwitchesTransform::ID = 0;
+#endif
/* switchConvert - Transform simple list of Cases into list of CaseRange's */
BasicBlock *SplitSwitchesTransform::switchConvert(
@@ -435,26 +464,37 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
}
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
PreservedAnalyses SplitSwitchesTransform::run(Module &M, ModuleAnalysisManager &MAM) {
+#else
+bool SplitSwitchesTransform::runOnModule(Module &M) {
+#endif
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
printf("Running split-switches-pass by laf.intel@gmail.com\n");
else
be_quiet = 1;
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
auto PA = PreservedAnalyses::all();
+#endif
splitSwitches(M);
verifyModule(M);
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
/* if (modified) {
PA.abandon();
}*/
return PA;
+#else
+ return true;
+#endif
}
-#if 0
+
+#if LLVM_VERSION_MAJOR < 7 /* use old pass manager */
static void registerSplitSwitchesTransPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
diff --git a/src/afl-cc.c b/src/afl-cc.c
index e8584d50..7549e17b 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -460,10 +460,17 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path);
-
+#else
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-load";
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/split-switches-pass.so", obj_path);
+#endif
}
}
@@ -478,9 +485,17 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
+#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
alloc_printf("-fpass-plugin=%s/compare-transform-pass.so", obj_path);
+#else
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-load";
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/compare-transform-pass.so", obj_path);
+#endif
}
@@ -496,10 +511,18 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
+#if LLVM_MAJOR >= 7
cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path);
// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";
+#else
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-load";
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/split-compares-pass.so", obj_path);
+#endif
}
@@ -529,9 +552,17 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("%s/cmplog-switches-pass.so", obj_path);
// reuse split switches from laf
+#if LLVM_MAJOR >= 7
cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] =
alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path);
+#else
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-load";
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/split-switches-pass.so", obj_path);
+#endif
}
@@ -541,7 +572,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
#if LLVM_MAJOR >= 13
// fuck you llvm 13
-// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";
+ cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";
#endif
if (lto_mode && !have_c) {
@@ -621,9 +652,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} else {
+#if LLVM_MAJOR >= 7
cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path);
-
+#else
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = "-load";
+ cc_params[cc_par_cnt++] = "-Xclang";
+ cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
+#endif
}
}
From 7d0e0cde0ad8c5b89eaf72a9751e3fb7513cc0e9 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Sat, 16 Oct 2021 14:51:51 +0200
Subject: [PATCH 070/305] fix declaration for new pass manager
---
instrumentation/afl-llvm-pass.so.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index 75f8621b..67abc36a 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -76,8 +76,8 @@ namespace {
#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */
class AFLCoverage : public PassInfoMixin {
- AFLCoverage() {
public:
+ AFLCoverage() {
#else
class AFLCoverage : public ModulePass {
public:
From c96fdfac01829a5f6a9e98968817d6b6588389b8 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 16 Oct 2021 12:44:25 +0100
Subject: [PATCH 071/305] frida mode android build fix proposal.
also protecting seccomp the other way around in case it is ported
in another platform supported by frida.
---
frida_mode/GNUmakefile | 16 ++++++++++++++++
frida_mode/README.md | 14 ++++++++++++++
frida_mode/src/instrument/instrument_x64.c | 12 ++++++++++++
frida_mode/src/seccomp/seccomp_atomic.c | 2 +-
frida_mode/src/seccomp/seccomp_callback.c | 2 +-
frida_mode/src/seccomp/seccomp_child.c | 2 +-
frida_mode/src/seccomp/seccomp_event.c | 2 +-
frida_mode/src/seccomp/seccomp_filter.c | 2 +-
frida_mode/src/seccomp/seccomp_print.c | 2 +-
frida_mode/src/seccomp/seccomp_socket.c | 2 +-
frida_mode/src/seccomp/seccomp_syscall.c | 2 +-
11 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 4d6d7147..ed35c9f6 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -80,6 +80,22 @@ ifeq "$(shell uname)" "Linux"
OS:=linux
endif
+ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+ OS:=android
+ ifneq "$(findstring aarch64, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=arm64
+ endif
+ ifneq "$(findstring arm, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=arm
+ endif
+ ifneq "$(findstring x86_64, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=x86_64
+ endif
+ ifneq "$(findstring i686, $(shell $(CC) --version 2>/dev/null))" ""
+ ARCH:=x86
+ endif
+endif
+
ifndef OS
$(error "Operating system unsupported")
endif
diff --git a/frida_mode/README.md b/frida_mode/README.md
index 165f8089..df40c771 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -55,6 +55,20 @@ tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between
architectures it may be necessary to run `make clean` first for a given build
target to remove previously generated binaries for a different architecture.
+### Android
+
+In order to build, you need to download the Android SDK.
+
+```
+https://developer.android.com/ndk/downloads
+```
+
+Then creating locally a standalone chain as follow.
+
+```
+https://developer.android.com/ndk/guides/standalone_toolchain
+```
+
## Usage
FRIDA mode added some small modifications to `afl-fuzz` and similar tools
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index ebdf1440..a7eb650a 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -4,8 +4,12 @@
#include
#if defined(__linux__)
+#if !defined(__ANDROID__)
#include
#include
+#else
+#include
+#endif
#endif
#include "frida-gumjs.h"
@@ -156,8 +160,16 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path,
__afl_area_ptr = NULL;
+#if !defined(__ANDROID__)
shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
if (shm_fd == -1) { FATAL("shm_open() failed\n"); }
+#else
+ shm_fd = open("/dev/ashmem", O_RDWR);
+ if (shm_fd == -1) { FATAL("open() failed\n"); }
+ if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); }
+ if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); }
+
+#endif
__afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE,
MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0);
diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c
index 5097511a..c2042f97 100644
--- a/frida_mode/src/seccomp/seccomp_atomic.c
+++ b/frida_mode/src/seccomp/seccomp_atomic.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c
index 7e1e2070..a88196ac 100644
--- a/frida_mode/src/seccomp/seccomp_callback.c
+++ b/frida_mode/src/seccomp/seccomp_callback.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c
index f665f472..43a79894 100644
--- a/frida_mode/src/seccomp/seccomp_child.c
+++ b/frida_mode/src/seccomp/seccomp_child.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c
index dd4abde7..e2f592ca 100644
--- a/frida_mode/src/seccomp/seccomp_event.c
+++ b/frida_mode/src/seccomp/seccomp_event.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c
index 13ff7522..8d56c367 100644
--- a/frida_mode/src/seccomp/seccomp_filter.c
+++ b/frida_mode/src/seccomp/seccomp_filter.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
diff --git a/frida_mode/src/seccomp/seccomp_print.c b/frida_mode/src/seccomp/seccomp_print.c
index be4d80ce..3cea1239 100644
--- a/frida_mode/src/seccomp/seccomp_print.c
+++ b/frida_mode/src/seccomp/seccomp_print.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c
index fae95805..ef937420 100644
--- a/frida_mode/src/seccomp/seccomp_socket.c
+++ b/frida_mode/src/seccomp/seccomp_socket.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c
index e023c131..8335b93c 100644
--- a/frida_mode/src/seccomp/seccomp_syscall.c
+++ b/frida_mode/src/seccomp/seccomp_syscall.c
@@ -1,4 +1,4 @@
-#ifndef __APPLE__
+#if defined(__linux__) && !defined(__ANDROID__)
#include
#include
From 34f1074ba308e850feb08c51aad781f7d307a260 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 16 Oct 2021 18:44:29 +0200
Subject: [PATCH 072/305] changelog
---
docs/Changelog.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index df4d343a..d8dac557 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -17,6 +17,7 @@ sending a mail to .
coverage being detected. thanks to Collin May for reporting!
- fix -n dumb mode (nobody should use this)
- fix stability issue with LTO and cmplog
+ - frida_mode: David Carlier added Android support :)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
- Prevent accidently killing non-afl/fuzz services when aborting
From 8bc2b52f6579ab44f536d1ccb818acf37b047ec7 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 13:03:01 +0200
Subject: [PATCH 073/305] format
---
src/afl-showmap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index a04c1f5b..5df07bf2 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -243,10 +243,13 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
(fsrv->last_run_timed_out || (!caa && child_crashed != cco))) {
if (strcmp(outfile, "-")) {
+
// create empty file to prevent error messages in afl-cmin
fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
close(fd);
+
}
+
return ret;
}
From ed10f3783bd8fab33ab5750f56bf87ed008f28ed Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 13:05:33 +0200
Subject: [PATCH 074/305] new rtn cmplog: instrumentation side + supporting
functions
---
include/afl-fuzz.h | 1 +
include/cmplog.h | 12 +-
include/config.h | 4 +-
instrumentation/afl-compiler-rt.o.c | 202 ++++++++++++++++++++-
instrumentation/cmplog-routines-pass.cc | 225 +++++++++++++++++++++++-
src/afl-fuzz-one.c | 25 ++-
src/afl-fuzz-queue.c | 91 +++++++++-
src/afl-fuzz-stats.c | 3 +-
src/afl-fuzz.c | 14 ++
9 files changed, 551 insertions(+), 26 deletions(-)
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 4b19e698..5e52c0f0 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -1136,6 +1136,7 @@ void setup_signal_handlers(void);
void save_cmdline(afl_state_t *, u32, char **);
void read_foreign_testcases(afl_state_t *, int);
void write_crash_readme(afl_state_t *afl);
+u8 check_if_text_buf(u8 *buf, u32 len);
/* CmpLog */
diff --git a/include/cmplog.h b/include/cmplog.h
index 878ed60c..88aa0a61 100644
--- a/include/cmplog.h
+++ b/include/cmplog.h
@@ -33,7 +33,7 @@
#define CMPLOG_LVL_MAX 3
#define CMP_MAP_W 65536
-#define CMP_MAP_H 32
+#define CMP_MAP_H 64
#define CMP_MAP_RTN_H (CMP_MAP_H / 4)
#define SHAPE_BYTES(x) (x + 1)
@@ -59,14 +59,16 @@ struct cmp_operands {
u64 v0_128;
u64 v1_128;
-};
+} __attribute__((packed));
struct cmpfn_operands {
- u8 v0[32];
- u8 v1[32];
+ u8 v0[31];
+ u8 v0_len;
+ u8 v1[31];
+ u8 v1_len;
-};
+} __attribute__((packed));
typedef struct cmp_operands cmp_map_list[CMP_MAP_H];
diff --git a/include/config.h b/include/config.h
index 4630da0c..3b3b6daa 100644
--- a/include/config.h
+++ b/include/config.h
@@ -267,8 +267,8 @@
(first value), and to keep in memory as candidates. The latter should be much
higher than the former. */
-#define USE_AUTO_EXTRAS 128
-#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 64)
+#define USE_AUTO_EXTRAS 4096
+#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8)
/* Scaling factor for the effector map used to skip some of the more
expensive deterministic steps. The actual divisor is set to
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 9acab4e7..21772ca0 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1880,6 +1880,191 @@ static int area_is_valid(void *ptr, size_t len) {
}
+void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) {
+
+ /*
+ u32 i;
+ if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
+ fprintf(stderr, "rtn_n len=%u arg0=", len);
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "%02x", ptr1[i]);
+ fprintf(stderr, " arg1=");
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "%02x", ptr2[i]);
+ fprintf(stderr, "\n");
+ */
+
+ if (likely(!__afl_cmp_map)) return;
+ // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len);
+ if (unlikely(!len)) return;
+ int l = MIN(31, len);
+
+ // fprintf(stderr, "RTN2 %u\n", l);
+ uintptr_t k = (uintptr_t)__builtin_return_address(0);
+ k = (k >> 4) ^ (k << 8);
+ k &= CMP_MAP_W - 1;
+
+ u32 hits, reset = 1;
+
+ if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
+
+ __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
+ __afl_cmp_map->headers[k].hits = 1;
+ __afl_cmp_map->headers[k].shape = l - 1;
+ reset = hits = 0;
+
+ } else {
+
+ hits = __afl_cmp_map->headers[k].hits++;
+
+ if (__afl_cmp_map->headers[k].shape < l) {
+
+ __afl_cmp_map->headers[k].shape = l - 1;
+
+ }
+
+ }
+
+ struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
+ hits &= CMP_MAP_RTN_H - 1;
+ if (unlikely(reset && !hits)) {
+
+ __builtin_memset(cmpfn, 0, sizeof(struct cmpfn_operands));
+
+ }
+
+ cmpfn[hits].v0_len = l;
+ cmpfn[hits].v1_len = l;
+ __builtin_memcpy(cmpfn[hits].v0, ptr1, l);
+ __builtin_memcpy(cmpfn[hits].v1, ptr2, l);
+ // fprintf(stderr, "RTN3\n");
+
+}
+
+void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
+
+ /*
+ u32 i;
+ if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
+ fprintf(stderr, "rtn_strn len=%u arg0=", len);
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "%02x", ptr1[i]);
+ fprintf(stderr, " arg1=");
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "%02x", ptr2[i]);
+ fprintf(stderr, "\n");
+ */
+
+ if (likely(!__afl_cmp_map)) return;
+ // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len);
+ if (unlikely(!len)) return;
+ int l = MIN(31, len + 1);
+
+ // fprintf(stderr, "RTN2 %u\n", l);
+ uintptr_t k = (uintptr_t)__builtin_return_address(0);
+ k = (k >> 4) ^ (k << 8);
+ k &= CMP_MAP_W - 1;
+
+ u32 hits, reset = 1;
+
+ if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
+
+ __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
+ __afl_cmp_map->headers[k].hits = 1;
+ __afl_cmp_map->headers[k].shape = l - 1;
+ reset = hits = 0;
+
+ } else {
+
+ hits = __afl_cmp_map->headers[k].hits++;
+
+ if (__afl_cmp_map->headers[k].shape < l) {
+
+ __afl_cmp_map->headers[k].shape = l - 1;
+
+ }
+
+ }
+
+ struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
+ hits &= CMP_MAP_RTN_H - 1;
+ if (unlikely(reset && !hits)) {
+
+ __builtin_memset(cmpfn, 0, sizeof(struct cmpfn_operands));
+
+ }
+
+ cmpfn[hits].v0_len = 0x80 + l;
+ cmpfn[hits].v1_len = 0x80 + l;
+ __builtin_memcpy(cmpfn[hits].v0, ptr1, l);
+ __builtin_memcpy(cmpfn[hits].v1, ptr2, l);
+ // fprintf(stderr, "RTN3\n");
+
+}
+
+void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
+
+ /*
+ u32 i;
+ if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
+ fprintf(stderr, "rtn_str arg0=");
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "%02x", ptr1[i]);
+ fprintf(stderr, " arg1=");
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "%02x", ptr2[i]);
+ fprintf(stderr, "\n");
+ */
+
+ if (likely(!__afl_cmp_map)) return;
+ // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
+ if (unlikely(!ptr1 || !ptr2)) return;
+ int len1 = MIN(31, strlen(ptr1) + 1);
+ int len2 = MIN(31, strlen(ptr2) + 1);
+ int l = MIN(MAX(len1, len2), 31);
+
+ // fprintf(stderr, "RTN2 %u\n", l);
+ uintptr_t k = (uintptr_t)__builtin_return_address(0);
+ k = (k >> 4) ^ (k << 8);
+ k &= CMP_MAP_W - 1;
+
+ u32 hits, reset = 1;
+
+ if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
+
+ __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
+ __afl_cmp_map->headers[k].hits = 1;
+ __afl_cmp_map->headers[k].shape = l - 1;
+ reset = hits = 0;
+
+ } else {
+
+ hits = __afl_cmp_map->headers[k].hits++;
+
+ if (__afl_cmp_map->headers[k].shape < l) {
+
+ __afl_cmp_map->headers[k].shape = l - 1;
+
+ }
+
+ }
+
+ struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
+ hits &= CMP_MAP_RTN_H - 1;
+ if (unlikely(reset && !hits)) {
+
+ __builtin_memset(cmpfn, 0, sizeof(struct cmpfn_operands));
+
+ }
+
+ cmpfn[hits].v0_len = 0x80 + len1;
+ cmpfn[hits].v1_len = 0x80 + len2;
+ __builtin_memcpy(cmpfn[hits].v0, ptr1, len1);
+ __builtin_memcpy(cmpfn[hits].v1, ptr2, len2);
+ // fprintf(stderr, "RTN3\n");
+
+}
+
void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
/*
@@ -1907,14 +2092,14 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1;
- u32 hits;
+ u32 hits, reset = 1;
if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
__afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = len - 1;
- hits = 0;
+ reset = hits = 0;
} else {
@@ -1928,11 +2113,16 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
}
+ struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
hits &= CMP_MAP_RTN_H - 1;
- __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
- ptr1, len);
- __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
- ptr2, len);
+ if (unlikely(reset && !hits)) {
+
+ __builtin_memset(cmpfn, 0, sizeof(struct cmpfn_operands));
+
+ }
+
+ __builtin_memcpy(cmpfn[hits].v0, ptr1, len);
+ __builtin_memcpy(cmpfn[hits].v1, ptr2, len);
// fprintf(stderr, "RTN3\n");
}
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 1e2610f2..56f1a083 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -87,12 +87,14 @@ char CmpLogRoutines::ID = 0;
bool CmpLogRoutines::hookRtns(Module &M) {
- std::vector calls, llvmStdStd, llvmStdC, gccStdStd, gccStdC;
- LLVMContext & C = M.getContext();
+ std::vector calls, llvmStdStd, llvmStdC, gccStdStd, gccStdC,
+ Memcmp, Strcmp, Strncmp;
+ LLVMContext &C = M.getContext();
Type *VoidTy = Type::getVoidTy(C);
// PointerType *VoidPtrTy = PointerType::get(VoidTy, 0);
IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
+ IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
PointerType *i8PtrTy = PointerType::get(Int8Ty, 0);
#if LLVM_VERSION_MAJOR < 9
@@ -184,6 +186,60 @@ bool CmpLogRoutines::hookRtns(Module &M) {
FunctionCallee cmplogGccStdC = c4;
#endif
+#if LLVM_VERSION_MAJOR < 9
+ Constant *
+#else
+ FunctionCallee
+#endif
+ c5 = M.getOrInsertFunction("__cmplog_rtn_hook_n", VoidTy, i8PtrTy,
+ i8PtrTy, Int32Ty
+#if LLVM_VERSION_MAJOR < 5
+ ,
+ NULL
+#endif
+ );
+#if LLVM_VERSION_MAJOR < 9
+ Function *cmplogHookFnN = cast(c5);
+#else
+ FunctionCallee cmplogHookFnN = c5;
+#endif
+
+#if LLVM_VERSION_MAJOR < 9
+ Constant *
+#else
+ FunctionCallee
+#endif
+ c6 = M.getOrInsertFunction("__cmplog_rtn_hook_strn", VoidTy, i8PtrTy,
+ i8PtrTy, Int32Ty
+#if LLVM_VERSION_MAJOR < 5
+ ,
+ NULL
+#endif
+ );
+#if LLVM_VERSION_MAJOR < 9
+ Function *cmplogHookFnStrN = cast(c6);
+#else
+ FunctionCallee cmplogHookFnStrN = c6;
+#endif
+
+#if LLVM_VERSION_MAJOR < 9
+ Constant *
+#else
+ FunctionCallee
+#endif
+ c7 = M.getOrInsertFunction("__cmplog_rtn_hook_str", VoidTy, i8PtrTy,
+ i8PtrTy
+#if LLVM_VERSION_MAJOR < 5
+ ,
+ NULL
+#endif
+ );
+#if LLVM_VERSION_MAJOR < 9
+ Function *cmplogHookFnStr = cast(c7);
+#else
+ FunctionCallee cmplogHookFnStr = c7;
+#endif
+
GlobalVariable *AFLCmplogPtr = M.getNamedGlobal("__afl_cmp_map");
if (!AFLCmplogPtr) {
@@ -214,12 +270,77 @@ bool CmpLogRoutines::hookRtns(Module &M) {
if (callInst->getCallingConv() != llvm::CallingConv::C) continue;
FunctionType *FT = Callee->getFunctionType();
+ std::string FuncName = Callee->getName().str();
bool isPtrRtn = FT->getNumParams() >= 2 &&
!FT->getReturnType()->isVoidTy() &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0)->isPointerTy();
+ bool isPtrRtnN = FT->getNumParams() >= 3 &&
+ !FT->getReturnType()->isVoidTy() &&
+ FT->getParamType(0) == FT->getParamType(1) &&
+ FT->getParamType(0)->isPointerTy() &&
+ FT->getParamType(2)->isIntegerTy();
+
+ bool isMemcmp =
+ (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
+ !FuncName.compare("CRYPTO_memcmp") ||
+ !FuncName.compare("OPENSSL_memcmp") ||
+ !FuncName.compare("memcmp_const_time") ||
+ !FuncName.compare("memcmpct"));
+ isMemcmp &= FT->getNumParams() == 3 &&
+ FT->getReturnType()->isIntegerTy(32) &&
+ FT->getParamType(0)->isPointerTy() &&
+ FT->getParamType(1)->isPointerTy() &&
+ FT->getParamType(2)->isIntegerTy();
+
+ bool isStrcmp =
+ (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") ||
+ !FuncName.compare("xmlStrEqual") ||
+ !FuncName.compare("g_strcmp0") ||
+ !FuncName.compare("curl_strequal") ||
+ !FuncName.compare("strcsequal") ||
+ !FuncName.compare("strcasecmp") ||
+ !FuncName.compare("stricmp") ||
+ !FuncName.compare("ap_cstr_casecmp") ||
+ !FuncName.compare("OPENSSL_strcasecmp") ||
+ !FuncName.compare("xmlStrcasecmp") ||
+ !FuncName.compare("g_strcasecmp") ||
+ !FuncName.compare("g_ascii_strcasecmp") ||
+ !FuncName.compare("Curl_strcasecompare") ||
+ !FuncName.compare("Curl_safe_strcasecompare") ||
+ !FuncName.compare("cmsstrcasecmp") ||
+ !FuncName.compare("strstr") ||
+ !FuncName.compare("g_strstr_len") ||
+ !FuncName.compare("ap_strcasestr") ||
+ !FuncName.compare("xmlStrstr") ||
+ !FuncName.compare("xmlStrcasestr") ||
+ !FuncName.compare("g_str_has_prefix") ||
+ !FuncName.compare("g_str_has_suffix"));
+ isStrcmp &=
+ FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
+ FT->getParamType(0) == FT->getParamType(1) &&
+ FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
+
+ bool isStrncmp = (!FuncName.compare("strncmp") ||
+ !FuncName.compare("xmlStrncmp") ||
+ !FuncName.compare("curl_strnequal") ||
+ !FuncName.compare("strncasecmp") ||
+ !FuncName.compare("strnicmp") ||
+ !FuncName.compare("ap_cstr_casecmpn") ||
+ !FuncName.compare("OPENSSL_strncasecmp") ||
+ !FuncName.compare("xmlStrncasecmp") ||
+ !FuncName.compare("g_ascii_strncasecmp") ||
+ !FuncName.compare("Curl_strncasecompare") ||
+ !FuncName.compare("g_strncasecmp"));
+ isStrncmp &= FT->getNumParams() == 3 &&
+ FT->getReturnType()->isIntegerTy(32) &&
+ FT->getParamType(0) == FT->getParamType(1) &&
+ FT->getParamType(0) ==
+ IntegerType::getInt8PtrTy(M.getContext()) &&
+ FT->getParamType(2)->isIntegerTy();
+
bool isGccStdStringStdString =
Callee->getName().find("__is_charIT_EE7__value") !=
std::string::npos &&
@@ -267,13 +388,19 @@ bool CmpLogRoutines::hookRtns(Module &M) {
*/
if (isGccStdStringCString || isGccStdStringStdString ||
- isLlvmStdStringStdString || isLlvmStdStringCString) {
+ isLlvmStdStringStdString || isLlvmStdStringCString || isMemcmp ||
+ isStrcmp || isStrncmp) {
- isPtrRtn = false;
+ isPtrRtnN = isPtrRtn = false;
}
+ if (isPtrRtnN) { isPtrRtn = false; }
+
if (isPtrRtn) { calls.push_back(callInst); }
+ if (isMemcmp || isPtrRtnN) { Memcmp.push_back(callInst); }
+ if (isStrcmp) { Strcmp.push_back(callInst); }
+ if (isStrncmp) { Strncmp.push_back(callInst); }
if (isGccStdStringStdString) { gccStdStd.push_back(callInst); }
if (isGccStdStringCString) { gccStdC.push_back(callInst); }
if (isLlvmStdStringStdString) { llvmStdStd.push_back(callInst); }
@@ -288,7 +415,8 @@ bool CmpLogRoutines::hookRtns(Module &M) {
}
if (!calls.size() && !gccStdStd.size() && !gccStdC.size() &&
- !llvmStdStd.size() && !llvmStdC.size())
+ !llvmStdStd.size() && !llvmStdC.size() && !Memcmp.size() &&
+ Strcmp.size() && Strncmp.size())
return false;
/*
@@ -323,6 +451,93 @@ bool CmpLogRoutines::hookRtns(Module &M) {
}
+ for (auto &callInst : Memcmp) {
+
+ Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1),
+ *v3P = callInst->getArgOperand(2);
+
+ IRBuilder<> IRB2(callInst->getParent());
+ IRB2.SetInsertPoint(callInst);
+
+ LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr);
+ CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null);
+ auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false);
+
+ IRBuilder<> IRB(ThenTerm);
+
+ std::vector args;
+ Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
+ Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
+ Value * v3Pcasted = IRB.CreateZExtOrBitCast(v3P, Int32Ty);
+ args.push_back(v1Pcasted);
+ args.push_back(v2Pcasted);
+ args.push_back(v3Pcasted);
+
+ IRB.CreateCall(cmplogHookFnN, args);
+
+ // errs() << callInst->getCalledFunction()->getName() << "\n";
+
+ }
+
+ for (auto &callInst : Strcmp) {
+
+ Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1),
+ *v3P = callInst->getArgOperand(2);
+
+ IRBuilder<> IRB2(callInst->getParent());
+ IRB2.SetInsertPoint(callInst);
+
+ LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr);
+ CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null);
+ auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false);
+
+ IRBuilder<> IRB(ThenTerm);
+
+ std::vector args;
+ Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
+ Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
+ Value * v3Pcasted = IRB.CreateZExtOrBitCast(v3P, Int32Ty);
+ args.push_back(v1Pcasted);
+ args.push_back(v2Pcasted);
+ args.push_back(v3Pcasted);
+
+ IRB.CreateCall(cmplogHookFnStr, args);
+
+ // errs() << callInst->getCalledFunction()->getName() << "\n";
+
+ }
+
+ for (auto &callInst : Strncmp) {
+
+ Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1),
+ *v3P = callInst->getArgOperand(2);
+
+ IRBuilder<> IRB2(callInst->getParent());
+ IRB2.SetInsertPoint(callInst);
+
+ LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr);
+ CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+ auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null);
+ auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false);
+
+ IRBuilder<> IRB(ThenTerm);
+
+ std::vector args;
+ Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
+ Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
+ Value * v3Pcasted = IRB.CreateZExtOrBitCast(v3P, Int32Ty);
+ args.push_back(v1Pcasted);
+ args.push_back(v2Pcasted);
+ args.push_back(v3Pcasted);
+
+ IRB.CreateCall(cmplogHookFnStrN, args);
+
+ // errs() << callInst->getCalledFunction()->getName() << "\n";
+
+ }
+
for (auto &callInst : gccStdStd) {
Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1);
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 17749601..3217fb0f 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -448,11 +448,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
ACTF(
"Fuzzing test case #%u (%u total, %llu uniq crashes found, "
- "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u)...",
+ "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...",
afl->current_entry, afl->queued_paths, afl->unique_crashes,
afl->queue_cur->perf_score, afl->queue_cur->exec_us,
likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0,
- afl->queue_cur->bitmap_size);
+ afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii);
fflush(stdout);
}
@@ -2003,11 +2003,16 @@ havoc_stage:
where we take the input file and make random stacked tweaks. */
#define MAX_HAVOC_ENTRY 59 /* 55 to 60 */
+#define MUTATE_ASCII_DICT 64
u32 r_max, r;
r_max = (MAX_HAVOC_ENTRY + 1) + (afl->extras_cnt ? 4 : 0) +
- (afl->a_extras_cnt ? 4 : 0);
+ (afl->a_extras_cnt
+ ? (unlikely(afl->cmplog_binary && afl->queue_cur->is_ascii)
+ ? MUTATE_ASCII_DICT
+ : 4)
+ : 0);
if (unlikely(afl->expand_havoc && afl->ready_for_splicing_count > 1)) {
@@ -2592,7 +2597,15 @@ havoc_stage:
if (afl->a_extras_cnt) {
- if (r < 2) {
+ u32 r_cmp = 2;
+
+ if (unlikely(afl->cmplog_binary && afl->queue_cur->is_ascii)) {
+
+ r_cmp = MUTATE_ASCII_DICT >> 1;
+
+ }
+
+ if (r < r_cmp) {
/* Use the dictionary. */
@@ -2612,7 +2625,7 @@ havoc_stage:
break;
- } else if (r < 4) {
+ } else if (r < (r_cmp << 1)) {
u32 use_extra = rand_below(afl, afl->a_extras_cnt);
u32 extra_len = afl->a_extras[use_extra].len;
@@ -2641,7 +2654,7 @@ havoc_stage:
} else {
- r -= 4;
+ r -= (r_cmp << 1);
}
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 16af2c6b..718f7cb6 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -315,7 +315,96 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
}
-/* check if ascii or UTF-8 */
+/* check if pointer is ascii or UTF-8 */
+
+u8 check_if_text_buf(u8 *buf, u32 len) {
+
+ u32 offset = 0, ascii = 0, utf8 = 0;
+
+ while (offset < len) {
+
+ // ASCII: <= 0x7F to allow ASCII control characters
+ if ((buf[offset + 0] == 0x09 || buf[offset + 0] == 0x0A ||
+ buf[offset + 0] == 0x0D ||
+ (0x20 <= buf[offset + 0] && buf[offset + 0] <= 0x7E))) {
+
+ offset++;
+ utf8++;
+ ascii++;
+ continue;
+
+ }
+
+ if (isascii((int)buf[offset]) || isprint((int)buf[offset])) {
+
+ ascii++;
+ // we continue though as it can also be a valid utf8
+
+ }
+
+ // non-overlong 2-byte
+ if (len - offset > 1 &&
+ ((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) &&
+ (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) {
+
+ offset += 2;
+ utf8++;
+ continue;
+
+ }
+
+ // excluding overlongs
+ if ((len - offset > 2) &&
+ ((buf[offset + 0] == 0xE0 &&
+ (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
+ (0x80 <= buf[offset + 2] &&
+ buf[offset + 2] <= 0xBF)) || // straight 3-byte
+ (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) ||
+ buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) &&
+ (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
+ (0x80 <= buf[offset + 2] &&
+ buf[offset + 2] <= 0xBF)) || // excluding surrogates
+ (buf[offset + 0] == 0xED &&
+ (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) &&
+ (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF)))) {
+
+ offset += 3;
+ utf8++;
+ continue;
+
+ }
+
+ // planes 1-3
+ if ((len - offset > 3) &&
+ ((buf[offset + 0] == 0xF0 &&
+ (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
+ (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
+ (0x80 <= buf[offset + 3] &&
+ buf[offset + 3] <= 0xBF)) || // planes 4-15
+ ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) &&
+ (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
+ (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
+ (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16
+ (buf[offset + 0] == 0xF4 &&
+ (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) &&
+ (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
+ (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)))) {
+
+ offset += 4;
+ utf8++;
+ continue;
+
+ }
+
+ offset++;
+
+ }
+
+ return (utf8 > ascii ? utf8 : ascii);
+
+}
+
+/* check if queue entry is ascii or UTF-8 */
static u8 check_if_text(afl_state_t *afl, struct queue_entry *q) {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 870ba69a..7796036b 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -278,6 +278,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
"total_edges : %u\n"
"var_byte_count : %u\n"
"havoc_expansion : %u\n"
+ "auto_dict_entries : %u\n"
"testcache_size : %llu\n"
"testcache_count : %u\n"
"testcache_evict : %u\n"
@@ -316,7 +317,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
-1,
#endif
t_bytes, afl->fsrv.real_map_size, afl->var_byte_count,
- afl->expand_havoc, afl->q_testcase_cache_size,
+ afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size,
afl->q_testcase_cache_count, afl->q_testcase_evictions,
afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
afl->fsrv.qemu_mode ? "qemu " : "",
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 92a37697..6ec033b2 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2261,6 +2261,20 @@ stop_fuzzing:
}
+ if (afl->not_on_tty) {
+
+ u32 t_bytes = count_non_255_bytes(afl, afl->virgin_bits);
+ u8 time_tmp[64];
+ u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time);
+ ACTF(
+ "Statistics: %u new paths found, %.02f%% coverage achieved, %llu "
+ "crashes found, %llu timeouts found, total runtime %s",
+ afl->queued_discovered,
+ ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->unique_crashes,
+ afl->unique_hangs, time_tmp);
+
+ }
+
#ifdef PROFILING
SAYF(cYEL "[!] " cRST
"Profiling information: %llu ms total work, %llu ns/run\n",
From e8cf04c90d730381eab3ef6c64ab957ab5ebc400 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 13:20:32 +0200
Subject: [PATCH 075/305] fix
---
instrumentation/cmplog-routines-pass.cc | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 56f1a083..3d6467ba 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -482,8 +482,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
for (auto &callInst : Strcmp) {
- Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1),
- *v3P = callInst->getArgOperand(2);
+ Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1);
IRBuilder<> IRB2(callInst->getParent());
IRB2.SetInsertPoint(callInst);
@@ -498,10 +497,8 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateZExtOrBitCast(v3P, Int32Ty);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
- args.push_back(v3Pcasted);
IRB.CreateCall(cmplogHookFnStr, args);
@@ -527,7 +524,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateZExtOrBitCast(v3P, Int32Ty);
+ Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int32Ty);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
args.push_back(v3Pcasted);
From 2363a047500c133996e40808f1974e4aa97ed5bf Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 14:21:08 +0200
Subject: [PATCH 076/305] simplify SHAPE_BYTES(h->shape)
---
src/afl-fuzz-redqueen.c | 97 ++++++++++++++++++++++-------------------
1 file changed, 51 insertions(+), 46 deletions(-)
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 268f726c..2d610132 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -64,6 +64,8 @@ struct range {
};
+static u32 hshape;
+
static struct range *add_range(struct range *ranges, u32 start, u32 end) {
struct range *r = ck_alloc_nozero(sizeof(struct range));
@@ -763,7 +765,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
// "Encode: %llx->%llx into %llx(<-%llx) at idx=%u "
// "taint_len=%u shape=%u attr=%u\n",
// o_pattern, pattern, repl, changed_val, idx, taint_len,
- // h->shape + 1, attr);
+ // hshape, attr);
//#ifdef CMPLOG_SOLVE_TRANSFORM
// reverse atoi()/strnu?toll() is expensive, so we only to it in lvl 3
@@ -845,7 +847,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u64 b_val, o_b_val, mask;
u8 bytes;
- switch (SHAPE_BYTES(h->shape)) {
+ switch (hshape) {
case 0:
case 1:
@@ -924,7 +926,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
s64 diff = pattern - b_val;
s64 o_diff = o_pattern - o_b_val;
/* fprintf(stderr, "DIFF1 idx=%03u shape=%02u %llx-%llx=%lx\n", idx,
- h->shape + 1, o_pattern, o_b_val, o_diff);
+ hshape, o_pattern, o_b_val, o_diff);
fprintf(stderr, "DIFF1 %016llx %llx-%llx=%lx\n", repl, pattern,
b_val, diff); */
if (diff == o_diff && diff) {
@@ -953,7 +955,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
s64 o_diff = o_pattern ^ o_b_val;
/* fprintf(stderr, "DIFF2 idx=%03u shape=%02u %llx-%llx=%lx\n",
- idx, h->shape + 1, o_pattern, o_b_val, o_diff);
+ idx, hshape, o_pattern, o_b_val, o_diff);
fprintf(stderr,
"DIFF2 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);
*/
@@ -1002,7 +1004,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
/* fprintf(stderr, "DIFF3 idx=%03u shape=%02u %llx-%llx=%lx\n",
- idx, h->shape + 1, o_pattern, o_b_val, o_diff);
+ idx, hshape, o_pattern, o_b_val, o_diff);
fprintf(stderr,
"DIFF3 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);
*/
@@ -1051,7 +1053,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
/* fprintf(stderr, "DIFF4 idx=%03u shape=%02u %llx-%llx=%lx\n",
- idx, h->shape + 1, o_pattern, o_b_val, o_diff);
+ idx, hshape, o_pattern, o_b_val, o_diff);
fprintf(stderr,
"DIFF4 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);
*/
@@ -1089,7 +1091,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
if ((lvl & LVL1) || attr >= IS_FP_MOD) {
- if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) {
+ if (hshape >= 8 && *status != 1) {
// if (its_len >= 8)
// fprintf(stderr,
@@ -1132,7 +1134,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
- if (SHAPE_BYTES(h->shape) >= 4 && *status != 1) {
+ if (hshape >= 4 && *status != 1) {
// if (its_len >= 4 && (attr <= 1 || attr >= 8))
// fprintf(stderr,
@@ -1173,7 +1175,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
- if (SHAPE_BYTES(h->shape) >= 2 && *status != 1) {
+ if (hshape >= 2 && *status != 1) {
if (its_len >= 2 &&
((*buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) ||
@@ -1244,7 +1246,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
- if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) {
+ if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) {
return 0;
@@ -1272,7 +1274,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
if (attr & IS_GREATER) {
- if (SHAPE_BYTES(h->shape) == 4 && its_len >= 4) {
+ if (hshape == 4 && its_len >= 4) {
float *f = (float *)&repl;
float g = *f;
@@ -1280,7 +1282,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u32 *r = (u32 *)&g;
repl_new = (u32)*r;
- } else if (SHAPE_BYTES(h->shape) == 8 && its_len >= 8) {
+ } else if (hshape == 8 && its_len >= 8) {
double *f = (double *)&repl;
double g = *f;
@@ -1307,7 +1309,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
} else {
- if (SHAPE_BYTES(h->shape) == 4) {
+ if (hshape == 4) {
float *f = (float *)&repl;
float g = *f;
@@ -1315,7 +1317,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u32 *r = (u32 *)&g;
repl_new = (u32)*r;
- } else if (SHAPE_BYTES(h->shape) == 8) {
+ } else if (hshape == 8) {
double *f = (double *)&repl;
double g = *f;
@@ -1342,7 +1344,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
// transform double to float, llvm likes to do that internally ...
- if (SHAPE_BYTES(h->shape) == 8 && its_len >= 4) {
+ if (hshape == 8 && its_len >= 4) {
double *f = (double *)&repl;
float g = (float)*f;
@@ -1353,7 +1355,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
memcpy(((char *)&repl_new) + 4, (char *)&g, 4);
#endif
changed_val = repl_new;
- h->shape = 3; // modify shape
+ hshape = 4; // modify shape
// fprintf(stderr, "DOUBLE2FLOAT %llx\n", repl_new);
@@ -1361,12 +1363,12 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
- h->shape = 7; // recover shape
+ hshape = 8; // recover shape
return 1;
}
- h->shape = 7; // recover shape
+ hshape = 7; // recover shape
}
@@ -1428,14 +1430,13 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
u8 *r = (u8 *)&repl;
u8 backup[16];
u32 its_len = MIN(len - idx, taint_len);
- u32 shape = h->shape + 1;
#if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
size_t off = 0;
#else
- size_t off = 16 - shape;
+ size_t off = 16 - hshape;
#endif
- if (its_len >= shape) {
+ if (its_len >= hshape) {
#ifdef _DEBUG
fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ",
@@ -1462,18 +1463,18 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
fprintf(stderr, "\n");
#endif
- if (!memcmp(ptr, p + off, shape) && !memcmp(o_ptr, o_p + off, shape)) {
+ if (!memcmp(ptr, p + off, hshape) && !memcmp(o_ptr, o_p + off, hshape)) {
- memcpy(backup, ptr, shape);
- memcpy(ptr, r + off, shape);
+ memcpy(backup, ptr, hshape);
+ memcpy(ptr, r + off, hshape);
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
#ifdef CMPLOG_COMBINE
- if (*status == 1) { memcpy(cbuf + idx, r, shape); }
+ if (*status == 1) { memcpy(cbuf + idx, r, hshape); }
#endif
- memcpy(ptr, backup, shape);
+ memcpy(ptr, backup, hshape);
#ifdef _DEBUG
fprintf(stderr, "Status=%u\n", *status);
@@ -1485,8 +1486,8 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
if (do_reverse && *status != 1) {
if (unlikely(cmp_extend_encodingN(
- afl, h, SWAPN(pattern, (shape << 3)), SWAPN(repl, (shape << 3)),
- SWAPN(o_pattern, (shape << 3)), SWAPN(changed_val, (shape << 3)),
+ afl, h, SWAPN(pattern, (hshape << 3)), SWAPN(repl, (hshape << 3)),
+ SWAPN(o_pattern, (hshape << 3)), SWAPN(changed_val, (hshape << 3)),
attr, idx, taint_len, orig_buf, buf, cbuf, len, 0, lvl,
status))) {
@@ -1615,6 +1616,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
u8 s_v0_inc = 1, s_v1_inc = 1;
u8 s_v0_dec = 1, s_v1_dec = 1;
+ hshape = SHAPE_BYTES(h->shape);
+
if (h->hits > CMP_MAP_H) {
loggeds = CMP_MAP_H;
@@ -1626,7 +1629,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
}
#ifdef WORD_SIZE_64
- switch (SHAPE_BYTES(h->shape)) {
+ switch (hshape) {
case 1:
case 2:
@@ -1680,7 +1683,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#ifdef _DEBUG
fprintf(stderr, "Handling: %llx->%llx vs %llx->%llx attr=%u shape=%u\n",
orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute,
- SHAPE_BYTES(h->shape));
+ hshape);
#endif
t = taint;
@@ -1830,7 +1833,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
"END: %llx->%llx vs %llx->%llx attr=%u i=%u found=%u "
"isN=%u size=%u\n",
orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, i, found_one,
- is_n, SHAPE_BYTES(h->shape));
+ is_n, hshape);
#endif
// If failed, add to dictionary
@@ -1841,16 +1844,16 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#ifdef WORD_SIZE_64
if (unlikely(is_n)) {
- try_to_add_to_dictN(afl, s128_v0, SHAPE_BYTES(h->shape));
- try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape));
+ try_to_add_to_dictN(afl, s128_v0, hshape);
+ try_to_add_to_dictN(afl, s128_v1, hshape);
} else
#endif
{
- try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape));
- try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape));
+ try_to_add_to_dict(afl, o->v0, hshape);
+ try_to_add_to_dict(afl, o->v1, hshape);
}
@@ -2322,6 +2325,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
u32 i, j, idx, have_taint = 1, taint_len, loggeds;
u8 status = 0, found_one = 0;
+ hshape = SHAPE_BYTES(h->shape);
+
if (h->hits > CMP_MAP_RTN_H) {
loggeds = CMP_MAP_RTN_H;
@@ -2355,12 +2360,12 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
/*
struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits,
- h->id, h->shape, h->attribute);
+ h->id, hshape, h->attribute);
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]);
fprintf(stderr, " v1=");
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]);
fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=",
- hh->hits, hh->id, hh->shape, hh->attribute);
+ hh->hits, hh->id, hshape, hh->attribute);
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]);
fprintf(stderr, " o1=");
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]);
@@ -2401,23 +2406,23 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#ifdef _DEBUG
int w;
fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx,
- SHAPE_BYTES(h->shape));
- for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+ hshape);
+ for (w = 0; w < hshape; ++w)
fprintf(stderr, "%02x", orig_o->v0[w]);
fprintf(stderr, " v0=");
- for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+ for (w = 0; w < hshape; ++w)
fprintf(stderr, "%02x", o->v0[w]);
fprintf(stderr, " o1=");
- for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+ for (w = 0; w < hshape; ++w)
fprintf(stderr, "%02x", orig_o->v1[w]);
fprintf(stderr, " v1=");
- for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+ for (w = 0; w < hshape; ++w)
fprintf(stderr, "%02x", o->v1[w]);
fprintf(stderr, "\n");
#endif
if (unlikely(rtn_extend_encoding(
- afl, o->v0, o->v1, orig_o->v0, orig_o->v1, SHAPE_BYTES(h->shape),
+ afl, o->v0, o->v1, orig_o->v0, orig_o->v1, hshape,
idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) {
return 1;
@@ -2434,7 +2439,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
status = 0;
if (unlikely(rtn_extend_encoding(
- afl, o->v1, o->v0, orig_o->v1, orig_o->v0, SHAPE_BYTES(h->shape),
+ afl, o->v1, o->v0, orig_o->v1, orig_o->v0, hshape,
idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) {
return 1;
@@ -2455,8 +2460,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
if (unlikely(!afl->pass_stats[key].total)) {
- maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape));
- maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape));
+ maybe_add_auto(afl, o->v0, hshape);
+ maybe_add_auto(afl, o->v1, hshape);
}
From bf0fbc24ad32b0ec5421f4d2090c85d87aeceee3 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 15:44:48 +0200
Subject: [PATCH 077/305] new cmplog add dict strategy
---
src/afl-fuzz-redqueen.c | 170 +++++++++++++++++++++++++++++++---------
1 file changed, 131 insertions(+), 39 deletions(-)
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 2d610132..30de12c1 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -45,6 +45,23 @@ enum {
};
+// add to dictionary enum
+// DEFAULT = 1, notTXT = 2, FOUND = 4, notSAME = 8
+enum {
+
+ DICT_ADD_NEVER = 0,
+ DICT_ADD_NOTFOUND_SAME_TXT = 1,
+ DICT_ADD_NOTFOUND_SAME = 3,
+ DICT_ADD_FOUND_SAME_TXT = 5,
+ DICT_ADD_FOUND_SAME = 7,
+ DICT_ADD_NOTFOUND_TXT = 9,
+ DICT_ADD_NOTFOUND = 11,
+ DICT_ADD_FOUND_TXT = 13,
+ DICT_ADD_FOUND = 15,
+ DICT_ADD_ANY = DICT_ADD_FOUND
+
+};
+
// CMPLOG LVL
enum {
@@ -54,6 +71,8 @@ enum {
};
+#define DICT_ADD_STRATEGY DICT_ADD_FOUND_SAME
+
struct range {
u32 start;
@@ -1246,11 +1265,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
- if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) {
-
- return 0;
-
- }
+ if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { return 0; }
// transform >= to < and <= to >
if ((attr & IS_EQUAL) && (attr & (IS_GREATER | IS_LESSER))) {
@@ -1487,9 +1502,9 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
if (unlikely(cmp_extend_encodingN(
afl, h, SWAPN(pattern, (hshape << 3)), SWAPN(repl, (hshape << 3)),
- SWAPN(o_pattern, (hshape << 3)), SWAPN(changed_val, (hshape << 3)),
- attr, idx, taint_len, orig_buf, buf, cbuf, len, 0, lvl,
- status))) {
+ SWAPN(o_pattern, (hshape << 3)),
+ SWAPN(changed_val, (hshape << 3)), attr, idx, taint_len, orig_buf,
+ buf, cbuf, len, 0, lvl, status))) {
return 1;
@@ -1682,8 +1697,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#ifdef _DEBUG
fprintf(stderr, "Handling: %llx->%llx vs %llx->%llx attr=%u shape=%u\n",
- orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute,
- hshape);
+ orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, hshape);
#endif
t = taint;
@@ -1836,26 +1850,39 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
is_n, hshape);
#endif
- // If failed, add to dictionary
- if (!found_one) {
-
- if (afl->pass_stats[key].total == 0) {
+ u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
+ if (o->v0 != orig_o->v0) { same0 = 8; }
+ if (o->v1 != orig_o->v1) { same1 = 8; }
#ifdef WORD_SIZE_64
- if (unlikely(is_n)) {
+ if (unlikely(is_n)) {
- try_to_add_to_dictN(afl, s128_v0, hshape);
- try_to_add_to_dictN(afl, s128_v1, hshape);
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- } else
+ try_to_add_to_dictN(afl, s128_v0, hshape);
+
+ }
+
+ if (DICT_ADD_STRATEGY >= same1 + result) {
+
+ try_to_add_to_dictN(afl, s128_v1, hshape);
+
+ }
+
+ } else
#endif
- {
+ {
- try_to_add_to_dict(afl, o->v0, hshape);
- try_to_add_to_dict(afl, o->v1, hshape);
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- }
+ try_to_add_to_dict(afl, o->v0, hshape);
+
+ }
+
+ if (DICT_ADD_STRATEGY >= same1 + result) {
+
+ try_to_add_to_dict(afl, o->v1, hshape);
}
@@ -1885,8 +1912,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
}
-static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
- u8 *o_pattern, u8 *changed_val, u8 plen, u32 idx,
+static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry,
+ struct cmpfn_operands *o,
+ struct cmpfn_operands *orig_o, u32 idx,
u32 taint_len, u8 *orig_buf, u8 *buf, u8 *cbuf,
u32 len, u8 lvl, u8 *status) {
@@ -1897,9 +1925,50 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
// (void)(changed_val);
//#endif
+ u8 *pattern, *repl, *o_pattern, *changed_val;
+ u8 l0, l1, ol0, ol1;
+
+ if (entry == 0) {
+
+ pattern = o->v0;
+ repl = o->v1;
+ o_pattern = orig_o->v0;
+ changed_val = orig_o->v1;
+ l0 = o->v0_len;
+ ol0 = orig_o->v0_len;
+ l1 = o->v1_len;
+ ol1 = orig_o->v1_len;
+
+ } else {
+
+ pattern = o->v1;
+ repl = o->v0;
+ o_pattern = orig_o->v1;
+ changed_val = orig_o->v0;
+ l0 = o->v1_len;
+ ol0 = orig_o->v1_len;
+ l1 = o->v0_len;
+ ol1 = orig_o->v0_len;
+
+ }
+
+ if (l0 >= 0x80) {
+
+ l0 -= 0x80;
+ l1 -= 0x80;
+ ol0 -= 0x80;
+ ol1 -= 0x80;
+
+ } else if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0) {
+
+ l0 = l1 = ol0 = ol1 = hshape;
+
+ }
+
+ u8 lmax = MAX(l0, ol0);
u8 save[40];
u32 saved_idx = idx, pre, from = 0, to = 0, i, j;
- u32 its_len = MIN((u32)plen, len - idx);
+ u32 its_len = MIN(MIN(lmax, hshape), len - idx);
its_len = MIN(its_len, taint_len);
u32 saved_its_len = its_len;
@@ -1915,7 +1984,8 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
(void)(j);
#ifdef _DEBUG
- fprintf(stderr, "RTN T idx=%u lvl=%02x ", idx, lvl);
+ fprintf(stderr, "RTN T idx=%u lvl=%02x is_txt=%u shape=%u/%u ", idx, lvl,
+ o->v0_len >= 0x80 ? 1 : 0, hshape, l0);
for (j = 0; j < 8; j++)
fprintf(stderr, "%02x", orig_buf[idx + j]);
fprintf(stderr, " -> ");
@@ -2405,8 +2475,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#ifdef _DEBUG
int w;
- fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx,
- hshape);
+ fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, hshape);
for (w = 0; w < hshape; ++w)
fprintf(stderr, "%02x", orig_o->v0[w]);
fprintf(stderr, " v0=");
@@ -2421,9 +2490,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
fprintf(stderr, "\n");
#endif
- if (unlikely(rtn_extend_encoding(
- afl, o->v0, o->v1, orig_o->v0, orig_o->v1, hshape,
- idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) {
+ if (unlikely(rtn_extend_encoding(afl, 0, o, orig_o, idx, taint_len,
+ orig_buf, buf, cbuf, len, lvl,
+ &status))) {
return 1;
@@ -2438,9 +2507,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
status = 0;
- if (unlikely(rtn_extend_encoding(
- afl, o->v1, o->v0, orig_o->v1, orig_o->v0, hshape,
- idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) {
+ if (unlikely(rtn_extend_encoding(afl, 1, o, orig_o, idx, taint_len,
+ orig_buf, buf, cbuf, len, lvl,
+ &status))) {
return 1;
@@ -2455,13 +2524,36 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
}
- // If failed, add to dictionary
- if (!found_one && (lvl & LVL1)) {
+ // if (unlikely(!afl->pass_stats[key].total)) {
- if (unlikely(!afl->pass_stats[key].total)) {
+ if (lvl & LVL1) {
- maybe_add_auto(afl, o->v0, hshape);
- maybe_add_auto(afl, o->v1, hshape);
+ u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len,
+ ol1 = orig_o->v1_len;
+ if (l0 >= 0x80) {
+
+ is_txt = 1;
+ l0 -= 0x80;
+ l1 -= 0x80;
+ ol0 -= 0x80;
+ ol1 -= 0x80;
+
+ }
+
+ u8 same0 = 0, same1 = 0, result = 1 + (found_one << 2);
+ if (!is_txt) result += 2;
+ if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; }
+ if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; }
+
+ if (DICT_ADD_STRATEGY >= same0 + result) {
+
+ maybe_add_auto(afl, o->v0, l0);
+
+ }
+
+ if (DICT_ADD_STRATEGY >= same1 + result) {
+
+ maybe_add_auto(afl, o->v1, l1);
}
From 65c94d914db9930eaae50c6d36bdcb4ed16ea908 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 17 Oct 2021 20:29:24 +0200
Subject: [PATCH 078/305] Change line length to max. 80 characters
---
README.md | 109 +++++++++++++++++++++++++++++++++++-------------------
1 file changed, 70 insertions(+), 39 deletions(-)
diff --git a/README.md b/README.md
index 9fe1da7e..575a6a1a 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,8 @@ Release version: [3.14c](https://github.com/AFLplusplus/AFLplusplus/releases)
GitHub version: 3.15a
-Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
+Repository:
+[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
AFL++ is maintained by:
@@ -17,56 +18,74 @@ AFL++ is maintained by:
Originally developed by Michał "lcamtuf" Zalewski.
-AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
+AFL++ is a superior fork to Google's AFL - more speed, more and better
+mutations, more and better instrumentation, custom module support, etc.
-You are free to copy, modify, and distribute AFL++ with attribution under the terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details.
+You are free to copy, modify, and distribute AFL++ with attribution under the
+terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details.
## Getting started
Here is some information to get you started:
-* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [important changes in AFL++](docs/important_changes.md).
-* If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website.
+* For releases, please see the
+ [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and
+ [branches](docs/branches.md). Also take a look at the list of
+ [important changes in AFL++](docs/important_changes.md).
+* If you want to use AFL++ for your academic work, check the
+ [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
-* For comparisons, use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
-* To get you started with tutorials, go to [docs/tutorials.md](docs/tutorials.md).
+* For comparisons, use the fuzzbench `aflplusplus` setup, or use
+ `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
+ default configuration on Google's
+ [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
+* To get you started with tutorials, go to
+ [docs/tutorials.md](docs/tutorials.md).
## Building and installing AFL++
-To have AFL++ easily available with everything compiled, pull the image directly from the Docker Hub:
+To have AFL++ easily available with everything compiled, pull the image
+directly from the Docker Hub:
```shell
docker pull aflplusplus/aflplusplus
docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus
```
-This image is automatically generated when a push to the stable repo happens (see [docs/branches.md](docs/branches.md)).
-You will find your target source code in `/src` in the container.
+This image is automatically generated when a push to the stable repo happens
+(see [docs/branches.md](docs/branches.md)). You will find your target source
+code in `/src` in the container.
To build AFL++ yourself, continue at [docs/INSTALL.md](docs/INSTALL.md).
## Quick start: Fuzzing with AFL++
-*NOTE: Before you start, please read about the [common sense risks of fuzzing](docs/common_sense_risks.md).*
+*NOTE: Before you start, please read about the [common sense risks of
+fuzzing](docs/common_sense_risks.md).*
-This is a quick start for fuzzing targets with the source code available.
-To read about the process in detail, see [docs/fuzzing_expert.md](docs/fuzzing_expert.md).
+This is a quick start for fuzzing targets with the source code available. To
+read about the process in detail, see
+[docs/fuzzing_expert.md](docs/fuzzing_expert.md).
To learn about fuzzing other targets, see:
-* Binary-only targets: [docs/fuzzing_binary-only_targets.md](docs/fuzzing_binary-only_targets.md)
-* Network services: [docs/best_practices.md#fuzzing-a-network-service](docs/best_practices.md#fuzzing-a-network-service)
-* GUI programs: [docs/best_practices.md#fuzzing-a-gui-program](docs/best_practices.md#fuzzing-a-gui-program)
+* Binary-only targets:
+ [docs/fuzzing_binary-only_targets.md](docs/fuzzing_binary-only_targets.md)
+* Network services:
+ [docs/best_practices.md#fuzzing-a-network-service](docs/best_practices.md#fuzzing-a-network-service)
+* GUI programs:
+ [docs/best_practices.md#fuzzing-a-gui-program](docs/best_practices.md#fuzzing-a-gui-program)
Step-by-step quick start:
-1. Compile the program or library to be fuzzed using `afl-cc`.
-A common way to do this would be:
+1. Compile the program or library to be fuzzed using `afl-cc`. A common way to
+ do this would be:
CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared
make clean all
-2. Get a small but valid input file that makes sense to the program.
-When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](dictionaries/README.md), too.
+2. Get a small but valid input file that makes sense to the program. When
+ fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
+ [dictionaries/README.md](dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
@@ -77,42 +96,52 @@ When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described i
To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz.
- If the program takes input from a file, you can put `@@` in the program's
+ If the program takes input from a file, you can put `@@` in the program's
command line; AFL will put an auto-generated file name in there for you.
-4. Investigate anything shown in red in the fuzzer UI by promptly consulting [docs/status_screen.md](docs/status_screen.md).
+4. Investigate anything shown in red in the fuzzer UI by promptly consulting
+ [docs/status_screen.md](docs/status_screen.md).
-5. You will find found crashes and hangs in the subdirectories `crashes/` and
- `hangs/` in the `-o output_dir` directory. You can replay the crashes by
- feeding them to the target, e.g.:
- `cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]`
- You can generate cores or use gdb directly to follow up the crashes.
+5. You will find found crashes and hangs in the subdirectories `crashes/` and
+ `hangs/` in the `-o output_dir` directory. You can replay the crashes by
+ feeding them to the target, e.g.: `cat output_dir/crashes/id:000000,* |
+ /path/to/tested/program [...program's cmdline...]` You can generate cores or
+ use gdb directly to follow up the crashes.
## Contact
Questions? Concerns? Bug reports?
-* The contributors can be reached via [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
-* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important question missing, submit it via
-[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
-* There is a mailing list for the AFL/AFL++ project ([browse archive](https://groups.google.com/group/afl-users)). To compare notes with other users or to get notified about major new features, send an email to .
+* The contributors can be reached via
+ [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
+* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or
+ important question missing, submit it via
+ [https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
+* There is a mailing list for the AFL/AFL++ project
+ ([browse archive](https://groups.google.com/group/afl-users)). To compare
+ notes with other users or to get notified about major new features, send an
+ email to .
* Or join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
## Help wanted
-We have several [ideas](docs/ideas.md) we would like to see in AFL++ to make it even better.
-However, we already work on so many things that we do not have the time for all the big ideas.
+We have several [ideas](docs/ideas.md) we would like to see in AFL++ to make it
+even better. However, we already work on so many things that we do not have the
+time for all the big ideas.
-This can be your way to support and contribute to AFL++ - extend it to do something cool.
+This can be your way to support and contribute to AFL++ - extend it to do
+something cool.
-For everyone who wants to contribute (and send pull requests), please read our [contributing guidelines](CONTRIBUTING.md) before your submit.
+For everyone who wants to contribute (and send pull requests), please read our
+[contributing guidelines](CONTRIBUTING.md) before your submit.
## Special thanks
-Many of the improvements to the original AFL and AFL++ wouldn't be possible without feedback, bug reports, or patches from our contributors.
+Many of the improvements to the original AFL and AFL++ wouldn't be possible
+without feedback, bug reports, or patches from our contributors.
-Thank you!
-(For people sending pull requests - please add yourself to this list :-)
+Thank you! (For people sending pull requests - please add yourself to this list
+:-)
@@ -171,7 +200,9 @@ Thank you!
## Cite
-If you use AFL++ in scientific work, consider citing [our paper](https://www.usenix.org/conference/woot20/presentation/fioraldi) presented at WOOT'20:
+If you use AFL++ in scientific work, consider citing
+[our paper](https://www.usenix.org/conference/woot20/presentation/fioraldi)
+presented at WOOT'20:
Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. “AFL++: Combining incremental steps of fuzzing research”. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.
From 462149de642451024199557c7a7bb7ea76e5b8fa Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 20:31:02 +0200
Subject: [PATCH 079/305] fix
---
instrumentation/afl-compiler-rt.o.c | 18 +-----
src/afl-fuzz-redqueen.c | 87 +++++++++++++++++------------
2 files changed, 53 insertions(+), 52 deletions(-)
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 21772ca0..38beafb7 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1944,15 +1944,8 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) {
void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
/*
- u32 i;
if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
- fprintf(stderr, "rtn_strn len=%u arg0=", len);
- for (i = 0; i < len; i++)
- fprintf(stderr, "%02x", ptr1[i]);
- fprintf(stderr, " arg1=");
- for (i = 0; i < len; i++)
- fprintf(stderr, "%02x", ptr2[i]);
- fprintf(stderr, "\n");
+ fprintf(stderr, "rtn_strn len=%u arg0=%s arg1=%s\n", len, ptr1, ptr2);
*/
if (likely(!__afl_cmp_map)) return;
@@ -2005,15 +1998,8 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
/*
- u32 i;
if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
- fprintf(stderr, "rtn_str arg0=");
- for (i = 0; i < len; i++)
- fprintf(stderr, "%02x", ptr1[i]);
- fprintf(stderr, " arg1=");
- for (i = 0; i < len; i++)
- fprintf(stderr, "%02x", ptr2[i]);
- fprintf(stderr, "\n");
+ fprintf(stderr, "rtn_str arg0=%s arg1=%s\n", ptr1, ptr2);
*/
if (likely(!__afl_cmp_map)) return;
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 30de12c1..65d21b0a 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -1455,25 +1455,25 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
#ifdef _DEBUG
fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ",
- its_len, shape, len, idx, attr, off, do_reverse);
+ its_len, hshape, len, idx, attr, off, do_reverse);
u32 i;
u8 *o_r = (u8 *)&changed_val;
- for (i = 0; i < shape; i++)
+ for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", ptr[i]);
fprintf(stderr, "==");
- for (i = 0; i < shape; i++)
+ for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", p[off + i]);
fprintf(stderr, " ");
- for (i = 0; i < shape; i++)
+ for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", o_ptr[i]);
fprintf(stderr, "==");
- for (i = 0; i < shape; i++)
+ for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", o_p[off + i]);
fprintf(stderr, " <= ");
- for (i = 0; i < shape; i++)
+ for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", r[off + i]);
fprintf(stderr, "<-");
- for (i = 0; i < shape; i++)
+ for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", o_r[off + i]);
fprintf(stderr, "\n");
#endif
@@ -1850,39 +1850,46 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
is_n, hshape);
#endif
- u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
- if (o->v0 != orig_o->v0) { same0 = 8; }
- if (o->v1 != orig_o->v1) { same1 = 8; }
+ // we only learn 16 bit +
+ if (hshape > 1) {
+
+ u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
+ if (o->v0 != orig_o->v0) { same0 = 8; }
+ if (o->v1 != orig_o->v1) { same1 = 8; }
#ifdef WORD_SIZE_64
- if (unlikely(is_n)) {
+ if (unlikely(is_n)) {
- if (DICT_ADD_STRATEGY >= same0 + result) {
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- try_to_add_to_dictN(afl, s128_v0, hshape);
+ try_to_add_to_dictN(afl, s128_v0, hshape);
- }
+ }
- if (DICT_ADD_STRATEGY >= same1 + result) {
+ if (DICT_ADD_STRATEGY >= same1 + result) {
- try_to_add_to_dictN(afl, s128_v1, hshape);
+ try_to_add_to_dictN(afl, s128_v1, hshape);
- }
+ }
- } else
+ } else
#endif
- {
+ {
- if (DICT_ADD_STRATEGY >= same0 + result) {
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- try_to_add_to_dict(afl, o->v0, hshape);
+ // fprintf(stderr, "add v0 0x%llx\n", o->v0);
+ try_to_add_to_dict(afl, o->v0, hshape);
- }
+ }
- if (DICT_ADD_STRATEGY >= same1 + result) {
+ if (DICT_ADD_STRATEGY >= same1 + result) {
- try_to_add_to_dict(afl, o->v1, hshape);
+ // fprintf(stderr, "add v1 0x%llx\n", o->v1);
+ try_to_add_to_dict(afl, o->v1, hshape);
+
+ }
}
@@ -2428,18 +2435,22 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
}
/*
- struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
- fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits,
- h->id, hshape, h->attribute);
- for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]);
- fprintf(stderr, " v1=");
- for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]);
- fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=",
- hh->hits, hh->id, hshape, hh->attribute);
- for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]);
- fprintf(stderr, " o1=");
- for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]);
- fprintf(stderr, "\n");
+ struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
+ fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id,
+ hshape, h->attribute);
+ for (j = 0; j < 8; j++)
+ fprintf(stderr, "%02x", o->v0[j]);
+ fprintf(stderr, " v1=");
+ for (j = 0; j < 8; j++)
+ fprintf(stderr, "%02x", o->v1[j]);
+ fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", hh->hits,
+ hh->id, hshape, hh->attribute);
+ for (j = 0; j < 8; j++)
+ fprintf(stderr, "%02x", orig_o->v0[j]);
+ fprintf(stderr, " o1=");
+ for (j = 0; j < 8; j++)
+ fprintf(stderr, "%02x", orig_o->v1[j]);
+ fprintf(stderr, "\n");
*/
t = taint;
@@ -2547,12 +2558,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
if (DICT_ADD_STRATEGY >= same0 + result) {
+ // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);
maybe_add_auto(afl, o->v0, l0);
}
if (DICT_ADD_STRATEGY >= same1 + result) {
+ // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1);
maybe_add_auto(afl, o->v1, l1);
}
@@ -2727,11 +2740,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) {
+ // fprintf(stderr, "INS %u\n", k);
afl->stage_max +=
MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H);
} else {
+ // fprintf(stderr, "RTN %u\n", k);
afl->stage_max +=
MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H);
From efda11024016c70fb00e85661e6aa42506f81557 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 20:49:19 +0200
Subject: [PATCH 080/305] fix
---
GNUmakefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/GNUmakefile b/GNUmakefile
index 0a6f3950..f5d35c0c 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -32,7 +32,7 @@ VERSION = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f
# PROGS intentionally omit afl-as, which gets installed elsewhere.
PROGS = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
-SH_PROGS = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config afl-persistent-config
+SH_PROGS = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config afl-persistent-config afl-cc
MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
ASAN_OPTIONS=detect_leaks=0
From fb481231b7493b7d22035598bb6d77167725f8cd Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 21:20:00 +0200
Subject: [PATCH 081/305] update test
---
test/test-cmplog.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/test/test-cmplog.c b/test/test-cmplog.c
index b077e3ab..262df6bd 100644
--- a/test/test-cmplog.c
+++ b/test/test-cmplog.c
@@ -1,15 +1,13 @@
#include
#include
+#include
#include
#include
#include
#include
-int main(int argc, char *argv[]) {
- char buf[1024];
- ssize_t i;
- if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0;
- buf[i] = 0;
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) {
+ if (i < 24) return 0;
if (buf[0] != 'A') return 0;
if (buf[1] != 'B') return 0;
if (buf[2] != 'C') return 0;
@@ -18,6 +16,17 @@ int main(int argc, char *argv[]) {
if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0)
abort();
return 0;
-
}
+#ifdef __AFL_COMPILER
+int main(int argc, char *argv[]) {
+ unsigned char buf[1024];
+ ssize_t i;
+ while(__AFL_LOOP(1000)) {
+ i = read(0, (char*)buf, sizeof(buf) - 1);
+ if (i > 0) buf[i] = 0;
+ LLVMFuzzerTestOneInput(buf, i);
+ }
+ return 0;
+}
+#endif
From 4b4244bcf6cad5fdc897edef6ea810647a54ca9f Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 17 Oct 2021 21:47:08 +0200
Subject: [PATCH 082/305] fix
---
instrumentation/cmplog-routines-pass.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 3d6467ba..50ced5d8 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -469,7 +469,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateZExtOrBitCast(v3P, Int32Ty);
+ Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int32Ty);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
args.push_back(v3Pcasted);
From 9c278df0385afb03a078e25e27a4763512d8831a Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 18 Oct 2021 00:21:33 +0200
Subject: [PATCH 083/305] try fix
---
instrumentation/afl-compiler-rt.o.c | 4 ++--
instrumentation/cmplog-routines-pass.cc | 19 ++++++++++++++-----
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 38beafb7..5caf57b3 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1880,7 +1880,7 @@ static int area_is_valid(void *ptr, size_t len) {
}
-void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) {
+void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) {
/*
u32 i;
@@ -1941,7 +1941,7 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) {
}
-void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
+void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) {
/*
if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 50ced5d8..854492b1 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -94,7 +94,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
Type *VoidTy = Type::getVoidTy(C);
// PointerType *VoidPtrTy = PointerType::get(VoidTy, 0);
IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
- IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
+ IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
PointerType *i8PtrTy = PointerType::get(Int8Ty, 0);
#if LLVM_VERSION_MAJOR < 9
@@ -192,7 +192,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
FunctionCallee
#endif
c5 = M.getOrInsertFunction("__cmplog_rtn_hook_n", VoidTy, i8PtrTy,
- i8PtrTy, Int32Ty
+ i8PtrTy, Int64Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
@@ -210,7 +210,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
FunctionCallee
#endif
c6 = M.getOrInsertFunction("__cmplog_rtn_hook_strn", VoidTy, i8PtrTy,
- i8PtrTy, Int32Ty
+ i8PtrTy, Int64Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
@@ -282,6 +282,15 @@ bool CmpLogRoutines::hookRtns(Module &M) {
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(2)->isIntegerTy();
+ if (isPtrRtnN) {
+ auto intTyOp = dyn_cast(callInst->getArgOperand(2)->getType());
+ if (intTyOp) {
+ if (intTyOp->getBitWidth() != 32 && intTyOp->getBitWidth() != 64) {
+ isPtrRtnN = false;
+ }
+ }
+ }
+
bool isMemcmp =
(!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
@@ -469,7 +478,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int32Ty);
+ Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int64Ty);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
args.push_back(v3Pcasted);
@@ -524,7 +533,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int32Ty);
+ Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int64Ty);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
args.push_back(v3Pcasted);
From 6403fa4f70ebb9c475a5debe027e210b171f478e Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 18 Oct 2021 00:41:16 +0200
Subject: [PATCH 084/305] fix
---
instrumentation/cmplog-routines-pass.cc | 31 ++++++++++++++++++-------
1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 854492b1..5dd5dc39 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -283,14 +283,21 @@ bool CmpLogRoutines::hookRtns(Module &M) {
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(2)->isIntegerTy();
if (isPtrRtnN) {
- auto intTyOp = dyn_cast(callInst->getArgOperand(2)->getType());
- if (intTyOp) {
- if (intTyOp->getBitWidth() != 32 && intTyOp->getBitWidth() != 64) {
- isPtrRtnN = false;
- }
- }
- }
+ auto intTyOp =
+ dyn_cast(callInst->getArgOperand(2)->getType());
+ if (intTyOp) {
+
+ if (intTyOp->getBitWidth() != 32 &&
+ intTyOp->getBitWidth() != 64) {
+
+ isPtrRtnN = false;
+
+ }
+
+ }
+
+ }
bool isMemcmp =
(!FuncName.compare("memcmp") || !FuncName.compare("bcmp") ||
@@ -478,7 +485,10 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int64Ty);
+ Value * v3Pbitcast = IRB.CreateBitCast(
+ v3P, IntegerType::get(C, v3P->getType()->getPrimitiveSizeInBits()));
+ Value *v3Pcasted =
+ IRB.CreateIntCast(v3Pbitcast, IntegerType::get(C, 64), false);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
args.push_back(v3Pcasted);
@@ -533,7 +543,10 @@ bool CmpLogRoutines::hookRtns(Module &M) {
std::vector args;
Value * v1Pcasted = IRB.CreatePointerCast(v1P, i8PtrTy);
Value * v2Pcasted = IRB.CreatePointerCast(v2P, i8PtrTy);
- Value * v3Pcasted = IRB.CreateTruncOrBitCast(v3P, Int64Ty);
+ Value * v3Pbitcast = IRB.CreateBitCast(
+ v3P, IntegerType::get(C, v3P->getType()->getPrimitiveSizeInBits()));
+ Value *v3Pcasted =
+ IRB.CreateIntCast(v3Pbitcast, IntegerType::get(C, 64), false);
args.push_back(v1Pcasted);
args.push_back(v2Pcasted);
args.push_back(v3Pcasted);
From 72d10fee407f32d4041573d1906a047a67277eff Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 18 Oct 2021 10:03:39 +0200
Subject: [PATCH 085/305] dict enhancement
---
src/afl-fuzz-redqueen.c | 64 +++++++++++++++++++++++++----------------
1 file changed, 39 insertions(+), 25 deletions(-)
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 65d21b0a..10bcd63d 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -1853,41 +1853,48 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
// we only learn 16 bit +
if (hshape > 1) {
- u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
+ u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0,
+ result = 1 + 2 + (found_one << 2);
if (o->v0 != orig_o->v0) { same0 = 8; }
if (o->v1 != orig_o->v1) { same1 = 8; }
+ if (o->v0 != o->v1) { same2 = 8; }
+ if (orig_o->v0 != orig_o->v1) { same3 = 8; }
+
+ if (!(same0 && same1) && !same2 && !same3) {
#ifdef WORD_SIZE_64
- if (unlikely(is_n)) {
+ if (unlikely(is_n)) {
- if (DICT_ADD_STRATEGY >= same0 + result) {
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- try_to_add_to_dictN(afl, s128_v0, hshape);
+ try_to_add_to_dictN(afl, s128_v0, hshape);
- }
+ }
- if (DICT_ADD_STRATEGY >= same1 + result) {
+ if (DICT_ADD_STRATEGY >= same1 + result) {
- try_to_add_to_dictN(afl, s128_v1, hshape);
+ try_to_add_to_dictN(afl, s128_v1, hshape);
- }
+ }
- } else
+ } else
#endif
- {
+ {
- if (DICT_ADD_STRATEGY >= same0 + result) {
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- // fprintf(stderr, "add v0 0x%llx\n", o->v0);
- try_to_add_to_dict(afl, o->v0, hshape);
+ // fprintf(stderr, "add v0 0x%llx\n", o->v0);
+ try_to_add_to_dict(afl, o->v0, hshape);
- }
+ }
- if (DICT_ADD_STRATEGY >= same1 + result) {
+ if (DICT_ADD_STRATEGY >= same1 + result) {
- // fprintf(stderr, "add v1 0x%llx\n", o->v1);
- try_to_add_to_dict(afl, o->v1, hshape);
+ // fprintf(stderr, "add v1 0x%llx\n", o->v1);
+ try_to_add_to_dict(afl, o->v1, hshape);
+
+ }
}
@@ -2551,22 +2558,29 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
}
- u8 same0 = 0, same1 = 0, result = 1 + (found_one << 2);
+ u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0,
+ result = 1 + (found_one << 2);
if (!is_txt) result += 2;
if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; }
if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; }
+ if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; }
+ if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; }
- if (DICT_ADD_STRATEGY >= same0 + result) {
+ if (!(same0 && same1) && !same2 && !same3) {
- // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);
- maybe_add_auto(afl, o->v0, l0);
+ if (DICT_ADD_STRATEGY >= same0 + result) {
- }
+ // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);
+ maybe_add_auto(afl, o->v0, l0);
- if (DICT_ADD_STRATEGY >= same1 + result) {
+ }
- // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1);
- maybe_add_auto(afl, o->v1, l1);
+ if (DICT_ADD_STRATEGY >= same1 + result) {
+
+ // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1);
+ maybe_add_auto(afl, o->v1, l1);
+
+ }
}
From 699df8f8ce4cc5de56510f72ebff611d26710557 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
+