Merge pull request #1847 from AFLplusplus/dev

push to stable

afl-whatsup

@@ -174,11 +174,15 @@ FIRST=true
 TOTAL_WCOP=
 TOTAL_LAST_FIND=0
 
-for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
+for j in `find . -maxdepth 2 -iname fuzzer_setup | sort`; do
+  
+  DIR=$(dirname "$j")
+  i=$DIR/fuzzer_stats
+  
+  if [ -f "$i" ]; then
     
     sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
     . "$TMP"
-  DIR=$(dirname "$i")
     DIRECTORY=$DIR
     DIR=${DIR##*/}
     RUN_UNIX=$run_time
@@ -210,9 +214,9 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
       IS_STARTING=
       IS_DEAD=
       
-    if [ -e "$i" ] && [ -e "$DIRECTORY/fuzzer_setup" ] && [ -n "$FUSER" ]; then
+      if [ -e "$i" ] && [ -e "$j" ] && [ -n "$FUSER" ]; then
         
-      if [ "$i" -ot "$DIRECTORY/fuzzer_setup" ]; then
+        if [ "$i" -ot "$j" ]; then
           
           # fuzzer_setup is newer than fuzzer_stats, maybe the instance is starting?
           TMP_PID=`fuser -v "$DIRECTORY" 2>&1 | grep afl-fuzz`
@@ -336,6 +340,21 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
       
     fi
 
+  else
+
+    if [ ! -e "$i" -a -e "$j" ]; then
+
+      if [ '!' "$PROCESS_DEAD" = "" ]; then
+        ALIVE_CNT=$((ALIVE_CNT + 1))
+      fi
+      START_CNT=$((START_CNT + 1))
+      last_find=0
+      IS_STARTING=1
+      
+    fi
+
+  fi
+  
 done
 
 # Formatting for total time, time since last find, crash, and hang
@@ -346,7 +365,7 @@ EXECS_MILLION=$((TOTAL_EXECS / 1000 / 1000))
 EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000))
 if [ $EXECS_MILLION -gt 9 ]; then
   FMT_EXECS="$EXECS_MILLION millions"
-elif [ $EXECS_MILLION -gt 0 ]; then
+  elif [ $EXECS_MILLION -gt 0 ]; then
   FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands"
 else
   FMT_EXECS="$EXECS_THOUSAND thousands"

docs/Changelog.md

@@ -14,6 +14,8 @@
     - now also shows coverage reached
     - option -m shows only very relevant stats
     - option -n will not use color in the output
+  - frida_mode:
+    - fixes support for large map offsets
   - added benchmark/benchmark.sh if you want to see how good your fuzzing
     speed is in comparison to other setups.
 

docs/fuzzing_in_depth.md

@@ -616,7 +616,7 @@ For every secondary fuzzer there should be a variation, e.g.:
   be one of them! (Although this is not really recommended.)
 
 All other secondaries should be used like this:
-* a quarter to a third with the MOpt mutator enabled: `-L 0`
+* 10-20% with the MOpt mutator enabled: `-L 0`
 * run with a different power schedule, recommended are: `fast` (default),
   `explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with
   the `-p` option, e.g., `-p explore`. See the
@@ -940,7 +940,7 @@ too long for your overall available fuzz run time.
     * 65% for `AFL_DISABLE_TRIM`
     * 50% for `AFL_KEEP_TIMEOUTS`
     * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` + `AFL_LLVM_DICT2FILE_NO_MAIN=1`
-    * 40% use MOpt (`-L 0`)
+    * 10% use MOpt (`-L 0`)
     * 40% for `AFL_EXPAND_HAVOC_NOW`
     * 20% for old queue processing (`-Z`)
     * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT`

frida_mode/src/instrument/instrument_arm64.c

@@ -402,6 +402,18 @@ bool instrument_write_inline(GumArm64Writer *cw, GumAddress code_addr,
 
   }
 
+  /* 
+   * The mov instruction supports up to a 16-bit offset. If our offset is out of 
+   * range, then it can end up clobbering the op-code portion of the instruction 
+   * rather than just the operands. So return false and fall back to the 
+   * alternative instrumentation.
+   */
+  if (area_offset > UINT16_MAX) {
+
+    return false;
+    
+  }
+
   code.code.mov_x0_curr_loc |= area_offset << 5;
 
   if (!instrument_patch_ardp(

frida_mode/test/png/GNUmakefile

@@ -8,7 +8,7 @@ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
 PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/
 
 LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.13.tar.gz
-LIBZ_URL:=http://www.zlib.net/zlib-1.2.13.tar.gz
+LIBZ_URL:=http://www.zlib.net/fossils/zlib-1.2.13.tar.gz
 LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.13/
 LIBZ_PC:=$(LIBZ_DIR)zlib.pc
 LIBZ_LIB:=$(LIBZ_DIR)libz.a

frida_mode/util/frida_get_symbol_addr.sh

@@ -31,12 +31,13 @@ file=$(file $target|sed 's/.*: //')
 arch=$(echo $file|awk -F, '{print$2}'|tr -d ' ')
 bits=$(echo $file|sed 's/-bit .*//'|sed 's/.* //')
 pie=$(echo $file|grep -wqi pie && echo pie)
+dso=$(echo $file|grep -wqi "shared object" && echo dso)
 
 test $(uname -s) = "Darwin" && symbol=_"$symbol"
 tmp_addr=$(nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F)
 
 test -z "$tmp_addr" && { echo Error: function $symbol not found 1>&2; exit 1; }
-test -z "$pie" && { echo 0x$tmp_addr; exit 0; }
+test -z "$pie" && test -z "$dso" && { echo 0x$tmp_addr; exit 0; }
 
 test -z "$base" && {
   test "$bits" = 32 -o "$bits" = 64 || { echo "Error: could not identify arch (bits=$bits)" 1>&2 ; exit 1; }

src/afl-cc.c

@@ -317,7 +317,7 @@ void parse_fsanitize(char *string) {
 
   char *p, *ptr = string + strlen("-fsanitize=");
   char *new = malloc(strlen(string) + 1);
-  char *tmp = malloc(strlen(ptr));
+  char *tmp = malloc(strlen(ptr) + 1);
   u32   count = 0, len, ende = 0;
 
   if (!new || !tmp) { FATAL("could not acquire memory"); }

src/afl-fuzz.c

@@ -176,6 +176,7 @@ static void usage(u8 *argv0, int more_help) {
       "                  pacemaker mode (minutes of no new finds). 0 = "
       "immediately,\n"
       "                  -1 = immediately and together with normal mutation.\n"
+      "                  Note: this option is usually not very effective\n"
       "  -c program    - enable CmpLog by specifying a binary compiled for "
       "it.\n"
       "                  if using QEMU/FRIDA or the fuzzing target is "
@@ -265,6 +266,7 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
       "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
       "AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time\n"
+      "AFL_EXIT_ON_SEED_ISSUES: exit on any kind of seed issues\n"
       "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60\n"
       "                      minutes and a cycle without finds)\n"
       "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
@@ -331,6 +333,7 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n"
       "                        suported formats: dogstatsd, librato, signalfx, influxdb\n"
       "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n"
+      "AFL_FINAL_SYNC: sync a final time when exiting (will delay the exit!)\n"
       "AFL_NO_CRASH_README: do not create a README in the crashes directory\n"
       "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n"
       "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"