From 50e2f9d46cb9552b11cf6dd6f5d2529cf3fb789d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 11 Dec 2024 10:36:31 +0100 Subject: [PATCH 1/4] loose file and shared memory permissions on Android and iPhone --- GNUmakefile.llvm | 2 +- docs/Changelog.md | 2 +- include/config.h | 406 ++++++++++++++++++++++++---------------------- 3 files changed, 211 insertions(+), 199 deletions(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index c325ee6c..5e0adb7f 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -28,7 +28,7 @@ MAN_PATH ?= $(PREFIX)/share/man/man8 BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d") -VERSION = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2) +VERSION = $(shell grep '^ *$(HASH)define VERSION ' ./config.h | cut -d '"' -f2) SYS = $(shell uname -s) diff --git a/docs/Changelog.md b/docs/Changelog.md index 30bb060f..0b22fc5f 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -5,7 +5,7 @@ ### Version ++4.31a (dev) - - your PR? + - loose file and shared memory permissions on Android and iPhone ### Version ++4.30c (release) diff --git a/include/config.h b/include/config.h index f4284f7d..cedd3d85 100644 --- a/include/config.h +++ b/include/config.h 
@@ -21,69 +21,81 @@ */ #ifndef _HAVE_CONFIG_H -#define _HAVE_CONFIG_H + #define _HAVE_CONFIG_H -/* Version string: */ + /* Version string: */ -// c = release, a = volatile github dev, e = experimental branch -#define VERSION "++4.31a" + // c = release, a = volatile github dev, e = experimental branch + #define VERSION "++4.31a" -/****************************************************** - * * - * Settings that may be of interest to power users: * - * * - ******************************************************/ + /****************************************************** + * * + * Settings that may be of interest to power users: * + * * + ******************************************************/ -/* Default shared memory map size. Most targets just need a coverage map - between 20-250kb. Plus there is an auto-detection feature in afl-fuzz. - However if a target has problematic constructors and init arrays then - this can fail. Hence afl-fuzz deploys a larger default map. The largest - map seen so far is the xlsx fuzzer for libreoffice which is 5MB. - At runtime this value can be overriden via AFL_MAP_SIZE. - Default: 8MB (defined in bytes) */ -#define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024) + /* Default shared memory map size. Most targets just need a coverage map + between 20-250kb. Plus there is an auto-detection feature in afl-fuzz. + However if a target has problematic constructors and init arrays then + this can fail. Hence afl-fuzz deploys a larger default map. The largest + map seen so far is the xlsx fuzzer for libreoffice which is 5MB. + At runtime this value can be overriden via AFL_MAP_SIZE. + Default: 8MB (defined in bytes) */ + #define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024) -/* Default time until when no more coverage finds are happening afl-fuzz - switches to exploitation mode. It automatically switches back when new - coverage is found. 
- Default: 300 (seconds) */ -#define STRATEGY_SWITCH_TIME 1000 + /* Default time until when no more coverage finds are happening afl-fuzz + switches to exploitation mode. It automatically switches back when new + coverage is found. + Default: 300 (seconds) */ + #define STRATEGY_SWITCH_TIME 1000 -/* Default file permission umode when creating files (default: 0600) */ -#define DEFAULT_PERMISSION 0600 + /* Default file permission umode when creating files (default: 0600) */ + #define DEFAULT_PERMISSION 0600 + + #ifdef __APPLE__ + #include + #if TARGET_OS_IOS + #undef DEFAULT_PERMISSION + #define 0666 + #endif + #endif + #ifdef __ANDROID__ + #undef DEFAULT_PERMISSION + #define 0666 + #endif /* SkipDet's global configuration */ -#define MINIMAL_BLOCK_SIZE 64 -#define SMALL_DET_TIME (60 * 1000 * 1000U) -#define MAXIMUM_INF_EXECS (16 * 1024U) -#define MAXIMUM_QUICK_EFF_EXECS (64 * 1024U) -#define THRESHOLD_DEC_TIME (20 * 60 * 1000U) + #define MINIMAL_BLOCK_SIZE 64 + #define SMALL_DET_TIME (60 * 1000 * 1000U) + #define MAXIMUM_INF_EXECS (16 * 1024U) + #define MAXIMUM_QUICK_EFF_EXECS (64 * 1024U) + #define THRESHOLD_DEC_TIME (20 * 60 * 1000U) -/* Set the Prob of selecting eff_bytes 3 times more than original, - Now disabled */ -#define EFF_HAVOC_RATE 3 + /* Set the Prob of selecting eff_bytes 3 times more than original, + Now disabled */ + #define EFF_HAVOC_RATE 3 -/* CMPLOG/REDQUEEN TUNING - * - * Here you can modify tuning and solving options for CMPLOG. - * Note that these are run-time options for afl-fuzz, no target - * recompilation required. - * - */ + /* CMPLOG/REDQUEEN TUNING + * + * Here you can modify tuning and solving options for CMPLOG. + * Note that these are run-time options for afl-fuzz, no target + * recompilation required. + * + */ -/* If a redqueen pass finds more than one solution, try to combine them? */ -#define CMPLOG_COMBINE + /* If a redqueen pass finds more than one solution, try to combine them? 
*/ + #define CMPLOG_COMBINE -/* Minimum % of the corpus to perform cmplog on. Default: 10% */ -#define CMPLOG_CORPUS_PERCENT 5U + /* Minimum % of the corpus to perform cmplog on. Default: 10% */ + #define CMPLOG_CORPUS_PERCENT 5U -/* Number of potential positions from which we decide if cmplog becomes - useless, default 12288 */ -#define CMPLOG_POSITIONS_MAX (12 * 1024) + /* Number of potential positions from which we decide if cmplog becomes + useless, default 12288 */ + #define CMPLOG_POSITIONS_MAX (12 * 1024) -/* Maximum allowed fails per CMP value. Default: 96 */ -#define CMPLOG_FAIL_MAX 96 + /* Maximum allowed fails per CMP value. Default: 96 */ + #define CMPLOG_FAIL_MAX 96 /* -------------------------------------*/ /* Now non-cmplog configuration options */ @@ -115,22 +127,22 @@ /* Comment out to disable terminal colors (note that this makes afl-analyze a lot less nice): */ -#define USE_COLOR + #define USE_COLOR -#ifdef USE_COLOR - /* Comment in to always enable terminal colors */ - /* Comment out to enable runtime controlled terminal colors via AFL_NO_COLOR - */ - #define ALWAYS_COLORED 1 -#endif + #ifdef USE_COLOR + /* Comment in to always enable terminal colors */ + /* Comment out to enable runtime controlled terminal colors via AFL_NO_COLOR + */ + #define ALWAYS_COLORED 1 + #endif -/* StatsD config - Config can be adjusted via AFL_STATSD_HOST and AFL_STATSD_PORT environment - variable. -*/ -#define STATSD_UPDATE_SEC 1 -#define STATSD_DEFAULT_PORT 8125 -#define STATSD_DEFAULT_HOST "127.0.0.1" + /* StatsD config + Config can be adjusted via AFL_STATSD_HOST and AFL_STATSD_PORT environment + variable. + */ + #define STATSD_UPDATE_SEC 1 + #define STATSD_DEFAULT_PORT 8125 + #define STATSD_DEFAULT_HOST "127.0.0.1" /* If you want to have the original afl internal memory corruption checks. Disabled by default for speed. it is better to use "make ASAN_BUILD=1". */ 
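Review bot: Both new `#define 0666` lines (under `#if TARGET_OS_IOS` and under `#ifdef __ANDROID__`) are missing the macro name, so the directive is invalid (a macro name must be an identifier) and the header fails to preprocess on iOS and Android builds; had it been accepted, DEFAULT_PERMISSION would still be left undefined after the preceding `#undef`. Each should read `#define DEFAULT_PERMISSION 0666`. The `#include` inside the `__APPLE__` block also shows no header name in this rendering; TARGET_OS_IOS is normally provided by `<TargetConditionals.h>`, so confirm the include survived the commit. Since this widens every file and shared-memory object afl creates on those platforms from owner-only 0600 to 0666, a short comment next to the override recording why the wider mode is required there (and that it is deliberate) would save the next reader from "fixing" it back.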
@@ -139,70 +151,70 @@ /* Comment out to disable fancy boxes and use poor man's 7-bit UI: */ -#ifndef DISABLE_FANCY - #define FANCY_BOXES -#endif + #ifndef DISABLE_FANCY + #define FANCY_BOXES + #endif /* Default timeout for fuzzed code (milliseconds). This is the upper bound, also used for detecting hangs; the actual value is auto-scaled: */ -#define EXEC_TIMEOUT 1000U + #define EXEC_TIMEOUT 1000U /* Timeout rounding factor when auto-scaling (milliseconds): */ -#define EXEC_TM_ROUND 20U + #define EXEC_TM_ROUND 20U -/* 64bit arch MACRO */ -#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__)) - #define WORD_SIZE_64 1 -#endif + /* 64bit arch MACRO */ + #if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__)) + #define WORD_SIZE_64 1 + #endif /* Default memory limit for child process (MB) 0 = disabled : */ -#define MEM_LIMIT 0U + #define MEM_LIMIT 0U /* Default memory limit when running in QEMU mode (MB) 0 = disabled : */ -#define MEM_LIMIT_QEMU 0U + #define MEM_LIMIT_QEMU 0U /* Default memory limit when running in Unicorn mode (MB) 0 = disabled : */ -#define MEM_LIMIT_UNICORN 0U + #define MEM_LIMIT_UNICORN 0U /* Number of calibration cycles per every new test case (and for test cases that show variable behavior): */ -#define CAL_CYCLES_FAST 3U -#define CAL_CYCLES 7U -#define CAL_CYCLES_LONG 12U + #define CAL_CYCLES_FAST 3U + #define CAL_CYCLES 7U + #define CAL_CYCLES_LONG 12U /* Number of subsequent timeouts before abandoning an input file: */ -#define TMOUT_LIMIT 250U + #define TMOUT_LIMIT 250U /* Maximum number of unique hangs or crashes to record: */ -#define KEEP_UNIQUE_HANG 500U -#define KEEP_UNIQUE_CRASH 10000U + #define KEEP_UNIQUE_HANG 500U + #define KEEP_UNIQUE_CRASH 10000U /* Baseline number of random tweaks during a single 'havoc' stage: */ -#define HAVOC_CYCLES 256U -#define HAVOC_CYCLES_INIT 1024U + #define HAVOC_CYCLES 256U + #define HAVOC_CYCLES_INIT 1024U /* Maximum multiplier for the above (should be a power of two, 
beware of 32-bit int overflows): */ -#define HAVOC_MAX_MULT 64U -#define HAVOC_MAX_MULT_MOPT 64U + #define HAVOC_MAX_MULT 64U + #define HAVOC_MAX_MULT_MOPT 64U /* Absolute minimum number of havoc cycles (after all adjustments): */ -#define HAVOC_MIN 12U + #define HAVOC_MIN 12U -/* Power Schedule Divisor */ -#define POWER_BETA 1U -#define MAX_FACTOR (POWER_BETA * 32) + /* Power Schedule Divisor */ + #define POWER_BETA 1U + #define MAX_FACTOR (POWER_BETA * 32) /* Maximum stacking for havoc-stage tweaks. The actual value is calculated like this: 
@@ -213,124 +225,124 @@ In other words, the default (n = 4) produces 2, 4, 8, 16 stacked tweaks: */ -#define HAVOC_STACK_POW2 4U + #define HAVOC_STACK_POW2 4U /* Caps on block sizes for cloning and deletion operations. Each of these ranges has a 33% probability of getting picked, except for the first two cycles where smaller blocks are favored: */ -#define HAVOC_BLK_SMALL 32U -#define HAVOC_BLK_MEDIUM 128U -#define HAVOC_BLK_LARGE 1500U + #define HAVOC_BLK_SMALL 32U + #define HAVOC_BLK_MEDIUM 128U + #define HAVOC_BLK_LARGE 1500U /* Extra-large blocks, selected very rarely (<5% of the time): */ -#define HAVOC_BLK_XL 32768U + #define HAVOC_BLK_XL 32768U /* Probabilities of skipping non-favored entries in the queue, expressed as percentages: */ -#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ -#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ -#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ + #define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ + #define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ + #define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ /* Splicing cycle count: */ -#define SPLICE_CYCLES 15 + #define SPLICE_CYCLES 15 /* Nominal per-splice havoc cycle length: */ -#define SPLICE_HAVOC 32 + #define SPLICE_HAVOC 32 /* Maximum offset for integer addition / subtraction stages: */ -#define ARITH_MAX 35 + #define ARITH_MAX 35 /* Limits for the test case trimmer. 
The absolute minimum chunk size; and the starting and ending divisors for chopping up the input file: */ -#define TRIM_MIN_BYTES 4 -#define TRIM_START_STEPS 16 -#define TRIM_END_STEPS 1024 + #define TRIM_MIN_BYTES 4 + #define TRIM_START_STEPS 16 + #define TRIM_END_STEPS 1024 /* Maximum size of input file, in bytes (keep under 100MB, default 1MB): (note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c and afl-fuzz-state.c have to be changed as well! */ -#define MAX_FILE (1 * 1024 * 1024L) + #define MAX_FILE (1 * 1024 * 1024L) /* The same, for the test case minimizer: */ -#define TMIN_MAX_FILE (10 * 1024 * 1024L) + #define TMIN_MAX_FILE (10 * 1024 * 1024L) /* Block normalization steps for afl-tmin: */ -#define TMIN_SET_MIN_SIZE 4 -#define TMIN_SET_STEPS 128 + #define TMIN_SET_MIN_SIZE 4 + #define TMIN_SET_STEPS 128 /* Maximum dictionary token size (-x), in bytes: */ -#define MAX_DICT_FILE 128 + #define MAX_DICT_FILE 128 /* Length limits for auto-detected dictionary tokens: */ -#define MIN_AUTO_EXTRA 3 -#define MAX_AUTO_EXTRA 32 + #define MIN_AUTO_EXTRA 3 + #define MAX_AUTO_EXTRA 32 /* Maximum number of user-specified dictionary tokens to use in deterministic steps; past this point, the "extras/user" step will be still carried out, but with proportionally lower odds: */ -#define MAX_DET_EXTRAS 256 + #define MAX_DET_EXTRAS 256 /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing (first value), and to keep in memory as candidates. The latter should be much higher than the former. */ -#define USE_AUTO_EXTRAS 4096 -#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8) + #define USE_AUTO_EXTRAS 4096 + #define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8) /* Scaling factor for the effector map used to skip some of the more expensive deterministic steps. 
The actual divisor is set to 2^EFF_MAP_SCALE2 bytes: */ -#define EFF_MAP_SCALE2 3 + #define EFF_MAP_SCALE2 3 /* Minimum input file length at which the effector logic kicks in: */ -#define EFF_MIN_LEN 128 + #define EFF_MIN_LEN 128 /* Maximum effector density past which everything is just fuzzed unconditionally (%): */ -#define EFF_MAX_PERC 90 + #define EFF_MAX_PERC 90 /* UI refresh frequency (Hz): */ -#define UI_TARGET_HZ 5 + #define UI_TARGET_HZ 5 /* Fuzzer stats file, queue stats and plot update intervals (sec): */ -#define STATS_UPDATE_SEC 60 -#define PLOT_UPDATE_SEC 5 -#define QUEUE_UPDATE_SEC 1800 + #define STATS_UPDATE_SEC 60 + #define PLOT_UPDATE_SEC 5 + #define QUEUE_UPDATE_SEC 1800 /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ -#define AVG_SMOOTHING 16 + #define AVG_SMOOTHING 16 /* Sync interval (every n havoc cycles): */ -#define SYNC_INTERVAL 8 + #define SYNC_INTERVAL 8 /* Sync time (minimum time between syncing in ms, time is halfed for -M main nodes) - default is 20 minutes: */ -#define SYNC_TIME (20 * 60 * 1000) + #define SYNC_TIME (20 * 60 * 1000) /* Output directory reuse grace period (minutes): */ -#define OUTPUT_GRACE 25 + #define OUTPUT_GRACE 25 /* Uncomment to use simple file names (id_NNNNNN): */ 
@@ -338,45 +350,45 @@ /* List of interesting values to use in fuzzing. */ -#define INTERESTING_8 \ - -128, /* Overflow signed 8-bit when decremented */ \ - -1, /* */ \ - 0, /* */ \ - 1, /* */ \ - 16, /* One-off with common buffer size */ \ - 32, /* One-off with common buffer size */ \ - 64, /* One-off with common buffer size */ \ - 100, /* One-off with common buffer size */ \ - 127 /* Overflow signed 8-bit when incremented */ + #define INTERESTING_8 \ + -128, /* Overflow signed 8-bit when decremented */ \ + -1, /* */ \ + 0, /* */ \ + 1, /* */ \ + 16, /* One-off with common buffer size */ \ + 32, /* One-off with common buffer size */ \ + 64, /* One-off with common buffer size */ \ + 100, /* One-off with common buffer size */ \ + 127 /* Overflow signed 8-bit when incremented */ -#define INTERESTING_8_LEN 9 + #define INTERESTING_8_LEN 9 -#define INTERESTING_16 \ - -32768, /* Overflow signed 16-bit when decremented */ \ - -129, /* Overflow signed 8-bit */ \ - 128, /* Overflow signed 8-bit */ \ - 255, /* Overflow unsig 8-bit when incremented */ \ - 256, /* Overflow unsig 8-bit */ \ - 512, /* One-off with common buffer size */ \ - 1000, /* One-off with common buffer size */ \ - 1024, /* One-off with common buffer size */ \ - 4096, /* One-off with common buffer size */ \ - 32767 /* Overflow signed 16-bit when incremented */ + #define INTERESTING_16 \ + -32768, /* Overflow signed 16-bit when decremented */ \ + -129, /* Overflow signed 8-bit */ \ + 128, /* Overflow signed 8-bit */ \ + 255, /* Overflow unsig 8-bit when incremented */ \ + 256, /* Overflow unsig 8-bit */ \ + 512, /* One-off with common buffer size */ \ + 1000, /* One-off with common buffer size */ \ + 1024, /* One-off with common buffer size */ \ + 4096, /* One-off with common buffer size */ \ + 32767 /* Overflow signed 16-bit when incremented */ -#define INTERESTING_16_LEN 10 + #define INTERESTING_16_LEN 10 -#define INTERESTING_32 \ - -2147483648LL, /* Overflow signed 32-bit when decremented */ \ - 
-100663046, /* Large negative number (endian-agnostic) */ \ - -32769, /* Overflow signed 16-bit */ \ - 32768, /* Overflow signed 16-bit */ \ - 65535, /* Overflow unsig 16-bit when incremented */ \ - 65536, /* Overflow unsig 16 bit */ \ - 100663045, /* Large positive number (endian-agnostic) */ \ - 2139095040, /* float infinite */ \ - 2147483647 /* Overflow signed 32-bit when incremented */ + #define INTERESTING_32 \ + -2147483648LL, /* Overflow signed 32-bit when decremented */ \ + -100663046, /* Large negative number (endian-agnostic) */ \ + -32769, /* Overflow signed 16-bit */ \ + 32768, /* Overflow signed 16-bit */ \ + 65535, /* Overflow unsig 16-bit when incremented */ \ + 65536, /* Overflow unsig 16 bit */ \ + 100663045, /* Large positive number (endian-agnostic) */ \ + 2139095040, /* float infinite */ \ + 2147483647 /* Overflow signed 32-bit when incremented */ -#define INTERESTING_32_LEN 9 + #define INTERESTING_32_LEN 9 /*********************************************************** * * 
@@ -386,72 +398,72 @@ /* Call count interval between reseeding the PRNG from /dev/urandom: */ -#define RESEED_RNG 2500000 + #define RESEED_RNG 2500000 /* The default maximum testcase cache size in MB, 0 = disable. A value between 50 and 250 is a good default value. Note that the number of entries will be auto assigned if not specified via the AFL_TESTCACHE_ENTRIES env variable */ -#define TESTCASE_CACHE_SIZE 50 + #define TESTCASE_CACHE_SIZE 50 /* Maximum line length passed from GCC to 'as' and used for parsing configuration files: */ -#define MAX_LINE 8192 + #define MAX_LINE 8192 /* Environment variable used to pass SHM ID to the called program. */ -#define SHM_ENV_VAR "__AFL_SHM_ID" + #define SHM_ENV_VAR "__AFL_SHM_ID" /* Environment variable used to pass SHM FUZZ ID to the called program. */ -#define SHM_FUZZ_ENV_VAR "__AFL_SHM_FUZZ_ID" + #define SHM_FUZZ_ENV_VAR "__AFL_SHM_FUZZ_ID" /* Other less interesting, internal-only variables. */ -#define CLANG_ENV_VAR "__AFL_CLANG_MODE" -#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" -#define PERSIST_ENV_VAR "__AFL_PERSISTENT" -#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" + #define CLANG_ENV_VAR "__AFL_CLANG_MODE" + #define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" + #define PERSIST_ENV_VAR "__AFL_PERSISTENT" + #define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" /* In-code signatures for deferred and persistent mode. 
*/ -#define PERSIST_SIG "##SIG_AFL_PERSISTENT##" -#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" + #define PERSIST_SIG "##SIG_AFL_PERSISTENT##" + #define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" /* Distinctive bitmap signature used to indicate failed execution: */ -#define EXEC_FAIL_SIG 0xfee1dead + #define EXEC_FAIL_SIG 0xfee1dead /* Distinctive exit code used to indicate MSAN trip condition: */ -#define MSAN_ERROR 86 + #define MSAN_ERROR 86 /* Distinctive exit code used to indicate LSAN trip condition: */ -#define LSAN_ERROR 23 + #define LSAN_ERROR 23 /* Designated file descriptors for forkserver commands (the application will use FORKSRV_FD and FORKSRV_FD + 1): */ -#define FORKSRV_FD 198 + #define FORKSRV_FD 198 /* Fork server init timeout multiplier: we'll wait the user-selected timeout plus this much for the fork server to spin up. */ -#define FORK_WAIT_MULT 10 + #define FORK_WAIT_MULT 10 /* Calibration timeout adjustments, to be a bit more generous when resuming fuzzing sessions or trying to calibrate already-added internal finds. The first value is a percentage, the other is in milliseconds: */ -#define CAL_TMOUT_PERC 125 -#define CAL_TMOUT_ADD 50 + #define CAL_TMOUT_PERC 125 + #define CAL_TMOUT_ADD 50 /* Number of chances to calibrate a case before giving up: */ -#define CAL_CHANCES 3 + #define CAL_CHANCES 3 /* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than 2; you probably want to keep it under 18 or so for performance reasons 
@@ -459,42 +471,42 @@ problems with complex programs). You need to recompile the target binary after changing this - otherwise, SEGVs may ensue. */ -#define MAP_SIZE_POW2 16 + #define MAP_SIZE_POW2 16 /* Do not change this unless you really know what you are doing. */ -#define MAP_SIZE (1U << MAP_SIZE_POW2) -#if MAP_SIZE <= 2097152 - #define MAP_INITIAL_SIZE (2 << 20) // = 2097152 -#else - #define MAP_INITIAL_SIZE MAP_SIZE -#endif + #define MAP_SIZE (1U << MAP_SIZE_POW2) + #if MAP_SIZE <= 2097152 + #define MAP_INITIAL_SIZE (2 << 20) // = 2097152 + #else + #define MAP_INITIAL_SIZE MAP_SIZE + #endif /* Maximum allocator request size (keep well under INT_MAX): */ -#define MAX_ALLOC 0x40000000 + #define MAX_ALLOC 0x40000000 /* A made-up hashing seed: */ -#define HASH_CONST 0xa5b35705 + #define HASH_CONST 0xa5b35705 /* Constants for afl-gotcpu to control busy loop timing: */ -#define CTEST_TARGET_MS 5000 -#define CTEST_CORE_TRG_MS 1000 -#define CTEST_BUSY_CYCLES (10 * 1000 * 1000) + #define CTEST_TARGET_MS 5000 + #define CTEST_CORE_TRG_MS 1000 + #define CTEST_BUSY_CYCLES (10 * 1000 * 1000) /* Enable NeverZero counters in QEMU mode */ -#define AFL_QEMU_NOT_ZERO + #define AFL_QEMU_NOT_ZERO /* AFL RedQueen */ -#define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID" + #define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID" /* CPU Affinity lockfile env var */ -#define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE" + #define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE" /* Uncomment this to use inferior block-coverage-based instrumentation. Note that you need to recompile the target binary for this to have any effect: */ 
@@ -517,28 +529,28 @@ /* Minimum length of a queue input to be evaluated for "is_ascii"? */ -#define AFL_TXT_MIN_LEN 12 + #define AFL_TXT_MIN_LEN 12 /* Maximum length of a queue input to be evaluated for "is_ascii"? */ -#define AFL_TXT_MAX_LEN 65535 + #define AFL_TXT_MAX_LEN 65535 /* What is the minimum percentage of ascii characters present to be classifed as "is_ascii"? */ -#define AFL_TXT_MIN_PERCENT 99 + #define AFL_TXT_MIN_PERCENT 99 /* How often to perform ASCII mutations 0 = disable, 1-8 are good values */ -#define AFL_TXT_BIAS 6 + #define AFL_TXT_BIAS 6 /* Maximum length of a string to tamper with */ -#define AFL_TXT_STRING_MAX_LEN 1024 + #define AFL_TXT_STRING_MAX_LEN 1024 /* Maximum mutations on a string */ -#define AFL_TXT_STRING_MAX_MUTATIONS 6 + #define AFL_TXT_STRING_MAX_MUTATIONS 6 #endif /* ! _HAVE_CONFIG_H */ From 9160805f4a06ee81adfe177875ad8dee09013a40 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 12 Dec 2024 15:26:39 +0100 Subject: [PATCH 2/4] add __sanitizer_weak_hook_ support --- docs/Changelog.md | 3 ++ instrumentation/afl-compiler-rt.o.c | 83 +++++++++++++++++++++++++++++ src/afl-cc.c | 1 + 3 files changed, 87 insertions(+) diff --git a/docs/Changelog.md b/docs/Changelog.md index 0b22fc5f..8594d068 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -6,6 +6,9 @@ ### Version ++4.31a (dev) - loose file and shared memory permissions on Android and iPhone + - afl-cc: + - added __sanitizer_weak_hook_* functions (in case that is helpful in + weird setups) ### Version ++4.30c (release) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 77a9623c..5a3d6af8 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c 
@@ -2670,6 +2670,89 @@ void __cmplog_rtn_llvm_stdstring_stdstring(u8 *stdstring1, u8 *stdstring2) {
 }
+/* llvm weak hooks */
+
+void __sanitizer_weak_hook_memcmp(void *pc, const void *s1, const void *s2,
+ size_t n, int result) {
+
+ __cmplog_rtn_hook_n((u8 *)s1, (u8 *)s2, (u64)n);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_memmem(void *pc, const void *s1, size_t len1,
+ const void *s2, size_t len2, void *result) {
+
+ __cmplog_rtn_hook_n((u8 *)s1, (u8 *)s2, len1 < len2 ? (u64)len1 : (u64)len2);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strncasecmp(void *pc, const void *s1, const void *s2,
+ size_t n, int result) {
+
+ __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strncasestr(void *pc, const void *s1, const void *s2,
+ size_t n, char *result) {
+
+ __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strncmp(void *pc, const void *s1, const void *s2,
+ size_t n, int result) {
+
+ __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strcasecmp(void *pc, const void *s1, const void *s2,
+ int result) {
+
+ __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strcasestr(void *pc, const void *s1, const void *s2,
+ size_t n, char *result) {
+
+ __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strcmp(void *pc, const void *s1, const void *s2,
+ int result) {
+
+ __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+ (void)pc;
+ (void)result;
+
+}
+
+void __sanitizer_weak_hook_strstr(void *pc, const void *s1, const void *s2,
+ char *result) {
+
+ __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+ (void)pc;
+ (void)result;
+
+}
+
 /* COVERAGE manipulation features */
 // this variable is then used in the shm setup to create an additional map
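Review bot: `__sanitizer_weak_hook_strcasestr` is defined with an extra `size_t n` parameter, whereas its sibling `__sanitizer_weak_hook_strstr` here (and, as far as I can tell, the sanitizer_common declaration of the strcasestr hook) takes `(pc, s1, s2, result)`; these functions are invoked by the sanitizer interceptors through their own prototype, so a definition with a different parameter list is a calling-convention mismatch that only works by accident because `n` is unused. It should read `void __sanitizer_weak_hook_strcasestr(void *pc, const void *s1, const void *s2, char *result) {` with the `size_t n,` removed. I am also not aware of a strncasestr interceptor in sanitizer_common; if none exists, `__sanitizer_weak_hook_strncasestr` is dead code and worth confirming. A comment above the block explaining the contract would help, e.g. `/* Strong definitions overriding the sanitizer runtime's weak hooks: they are only called when the target is built with a sanitizer whose interceptors wrap these libc routines. */`, hedged as appropriate if that is not exactly the intent.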
diff --git a/src/afl-cc.c b/src/afl-cc.c index 11e61fab..83984e91 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -2614,6 +2614,7 @@ void add_misc_params(aflcc_state_t *aflcc) { insert_param(aflcc, "-fno-builtin-strcasecmp"); insert_param(aflcc, "-fno-builtin-strncasecmp"); insert_param(aflcc, "-fno-builtin-memcmp"); + insert_param(aflcc, "-fno-builtin-memmem"); insert_param(aflcc, "-fno-builtin-bcmp"); insert_param(aflcc, "-fno-builtin-strstr"); insert_param(aflcc, "-fno-builtin-strcasestr"); From 2956b9cc4ca46631373b28fdb59c8ffa77538560 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 13 Dec 2024 11:05:17 +0100 Subject: [PATCH 3/4] support LLVMFuzzerTestOneInput archive targets --- docs/Changelog.md | 2 ++ src/afl-cc.c | 78 +++++++++++++++++++++++++---------------------- 2 files changed, 43 insertions(+), 37 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 8594d068..c8c817df 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -7,6 +7,8 @@ ### Version ++4.31a (dev) - loose file and shared memory permissions on Android and iPhone - afl-cc: + - -fsanitize=fuzzer now inserts libAFLDriver.a addtionally early to help + compiling if LLVMFuzzerTestOneOnput is in an .a archive - added __sanitizer_weak_hook_* functions (in case that is helpful in weird setups) diff --git a/src/afl-cc.c b/src/afl-cc.c index 83984e91..b793a6fc 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
@@ -1764,6 +1764,41 @@ static u8 fsanitize_fuzzer_comma(char *string) { } +/* Add params to link with libAFLDriver.a on request */ +static void add_aflpplib(aflcc_state_t *aflcc) { + + if (!aflcc->need_aflpplib) return; + + u8 *afllib = find_object(aflcc, "libAFLDriver.a"); + + if (!be_quiet) { + + OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a"); + + } + + if (!afllib) { + + if (!be_quiet) { + + WARNF( + "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in " + "the flags - this will fail!"); + + } + + } else { + + insert_param(aflcc, afllib); + +#ifdef __APPLE__ + insert_param(aflcc, "-Wl,-undefined,dynamic_lookup"); +#endif + + } + +} + /* Parse and process possible -fsanitize related args, return PARAM_MISS if nothing matched. We have 3 main tasks here for these args: @@ -1777,6 +1812,7 @@ static u8 fsanitize_fuzzer_comma(char *string) { param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { param_st final_ = PARAM_MISS; + u8 insert = 0; // MACRO START #define HAVE_SANITIZER_SCAN_KEEP(v, k) \ @@ -1822,6 +1858,7 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { if (scan) { aflcc->need_aflpplib = 1; + insert = 1; final_ = PARAM_SCAN; } else { @@ -1842,6 +1879,7 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { if (fsanitize_fuzzer_comma(cur_argv_)) { aflcc->need_aflpplib = 1; + insert = 1; final_ = PARAM_SCAN; } @@ -1882,7 +1920,8 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { } - if (final_ == PARAM_KEEP) insert_param(aflcc, cur_argv); + if (final_ == PARAM_KEEP) { insert_param(aflcc, cur_argv); } + if (insert) { add_aflpplib(aflcc); } return final_; 
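Review bot: In parse_fsanitize, `insert = 1` is set in the `scan` branch and in the `fsanitize_fuzzer_comma` branch, and the new `if (insert) { add_aflpplib(aflcc); }` at the end therefore calls insert_param during the scan pass as well, while add_runtime still calls add_aflpplib too (the "double insertion" the later hunk comments on). Unless the parameter list built during the scan pass is discarded before the real pass, which is not visible here, libAFLDriver.a and the Apple `-Wl,-undefined,dynamic_lookup` flag end up inserted once per occurrence of the option and per pass, and the `OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a");` line is printed each time. If the early insertion is meant only for the final pass, `if (insert && !scan) { add_aflpplib(aflcc); }` avoids that; either way, the header comment on add_aflpplib should state that it is deliberately called from both places, e.g. `/* Called early from parse_fsanitize (at the -fsanitize=fuzzer position) and again from add_runtime; the double link is intentional. */`. parse_fsanitize's body starts and ends outside the hunks shown.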
@@ -2352,41 +2391,6 @@ void add_lto_passes(aflcc_state_t *aflcc) { } -/* Add params to link with libAFLDriver.a on request */ -static void add_aflpplib(aflcc_state_t *aflcc) { - - if (!aflcc->need_aflpplib) return; - - u8 *afllib = find_object(aflcc, "libAFLDriver.a"); - - if (!be_quiet) { - - OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a"); - - } - - if (!afllib) { - - if (!be_quiet) { - - WARNF( - "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in " - "the flags - this will fail!"); - - } - - } else { - - insert_param(aflcc, afllib); - -#ifdef __APPLE__ - insert_param(aflcc, "-Wl,-undefined,dynamic_lookup"); -#endif - - } - -} - /* Add params to link with runtimes depended by our instrumentation */ void add_runtime(aflcc_state_t *aflcc) { @@ -2479,7 +2483,7 @@ void add_runtime(aflcc_state_t *aflcc) { #endif - add_aflpplib(aflcc); + add_aflpplib(aflcc); // double insertion helps compiling #if defined(USEMMAP) && !defined(__HAIKU__) && !__APPLE__ insert_param(aflcc, "-Wl,-lrt"); From bbffece7d72b79c0e0d459ed0afa489fad59dac5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 13 Dec 2024 11:27:26 +0100 Subject: [PATCH 4/4] nit --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b7f99ddc..59d5f218 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -3430,7 +3430,7 @@ stop_fuzzing: ZLIBCLOSE(fr_fd); afl->var_byte_count = count_bytes(afl, afl->var_bytes); - OKF("Written fastresume.bin with %u bytes!", w); + OKF("fastresume.bin succesfully written with %u bytes.", w); } else {
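Review bot: The new user-facing message in the OKF call misspells "successfully" as `succesfully`; the line should read `OKF("fastresume.bin successfully written with %u bytes.", w);`. The stop_fuzzing block this belongs to starts and ends outside the hunk.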