From a161aac7c1eb8b689f4afc818b25072796e62746 Mon Sep 17 00:00:00 2001 From: Giovanni Di Santi Date: Sat, 29 Jun 2024 22:05:22 +0200 Subject: [PATCH 01/18] ijon set: init --- dynamic_list.txt | 1 + frida_mode/frida.map | 1 + frida_mode/include/instrument.h | 3 +++ frida_mode/src/instrument/instrument.c | 6 ++++++ frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js_api.c | 6 ++++++ frida_mode/test/fasan/.gdb_history | 0 instrumentation/afl-compiler-rt.o.c | 6 ++++++ src/afl-cc.c | 7 +++++-- 9 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 frida_mode/test/fasan/.gdb_history diff --git a/dynamic_list.txt b/dynamic_list.txt index 50c0c6b8..1a5c514a 100644 --- a/dynamic_list.txt +++ b/dynamic_list.txt @@ -30,6 +30,7 @@ "__afl_selective_coverage_temp"; "__afl_sharedmem_fuzzing"; "__afl_trace"; + "__afl_ijon_set"; "__cmplog_ins_hook1"; "__cmplog_ins_hook16"; "__cmplog_ins_hook2"; diff --git a/frida_mode/frida.map b/frida_mode/frida.map index a98c2096..90ea1421 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -45,6 +45,7 @@ js_api_set_stdout; js_api_set_traceable; js_api_set_verbose; + js_api_ijon_set; local: *; diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 1825e331..7f4958a2 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -22,6 +22,7 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; +extern void __afl_ijon_set(uint32_t); extern __thread guint64 *instrument_previous_pc_addr; @@ -72,5 +73,7 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output); void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data); void instrument_regs_format(int fd, char *format, ...); +void ijon_set(uint32_t edge); + #endif diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index db73d845..cbb8afd9 100644 --- a/frida_mode/src/instrument/instrument.c 
+++ b/frida_mode/src/instrument/instrument.c @@ -449,3 +449,9 @@ void instrument_regs_format(int fd, char *format, ...) { } +void ijon_set(uint32_t edge) { + + __afl_ijon_set(edge); + +} + diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index a65d32df..9e2b15c5 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -326,6 +326,12 @@ class Afl { static jsApiGetSymbol(name) { return Afl.module.getExportByName(name); } + + static IJON = class { + static set(addr, val) { + Afl.jsApiIjonSet((addr ^ val) & 0xffffffff); + } + } } /** * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode @@ -377,3 +383,4 @@ Afl.jsApiSetVerbose = Afl.jsApiGetFunction("js_api_set_verbose", "void", []); Afl.jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); +Afl.jsApiIjonSet = Afl.jsApiGetFunction("js_api_ijon_set", "void", ["uint32"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 288aec95..274cd1bc 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -316,3 +316,9 @@ __attribute__((visibility("default"))) void js_api_set_verbose(void) { } +__attribute__((visibility("default"))) void js_api_ijon_set(uint32_t edge) { + + ijon_set(edge); + +} + diff --git a/frida_mode/test/fasan/.gdb_history b/frida_mode/test/fasan/.gdb_history new file mode 100644 index 00000000..e69de29b diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index c08e6380..bf498781 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -2761,5 +2761,11 @@ void __afl_injection_xss(u8 *buf) { } +void __afl_ijon_set(u32 edge) { + + __afl_area_ptr[edge % __afl_map_size] |= 1; + +} + #undef write_error diff --git a/src/afl-cc.c b/src/afl-cc.c index 7afab850..2a027ce4 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
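Review bot: In `IJON.set`, `(addr ^ val) & 0xffffffff` does not produce an unsigned 32-bit value — JavaScript bitwise operators yield a signed int32, so any result with the top bit set is handed as a negative number to a NativeFunction whose argument is declared `"uint32"` in the second api.js hunk. The idiom that actually yields 0..2^32-1 is `Afl.jsApiIjonSet((addr ^ val) >>> 0);`. If callers may pass a `NativePointer` as `addr` rather than a plain number, it should be converted explicitly (e.g. `toUInt32()`) before the xor, or the docstring should state that `addr` must be a number — confirm what the intended callers pass. The enclosing `class Afl` starts outside the hunk.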
@@ -1528,7 +1528,8 @@ void add_defs_selective_instr(aflcc_state_t *aflcc) { "extern \"C\" void __afl_coverage_discard();" "extern \"C\" void __afl_coverage_skip();" "extern \"C\" void __afl_coverage_on();" - "extern \"C\" void __afl_coverage_off();"); + "extern \"C\" void __afl_coverage_off();" + "extern \"C\" void __afl_ijon_set(unsigned int);"); } else { @@ -1537,7 +1538,8 @@ void add_defs_selective_instr(aflcc_state_t *aflcc) { "void __afl_coverage_discard();" "void __afl_coverage_skip();" "void __afl_coverage_on();" - "void __afl_coverage_off();"); + "void __afl_coverage_off();" + "void __afl_ijon_set(unsigned int);"); } @@ -1549,6 +1551,7 @@ void add_defs_selective_instr(aflcc_state_t *aflcc) { insert_param(aflcc, "-D__AFL_COVERAGE_OFF()=__afl_coverage_off()"); insert_param(aflcc, "-D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard()"); insert_param(aflcc, "-D__AFL_COVERAGE_SKIP()=__afl_coverage_skip()"); + insert_param(aflcc, "-D__AFL_IJON_SET(_A)=__afl_ijon_set(_A)"); } From 2a489f844b7bc910caad2ab46aa3d86c3e6fbef8 Mon Sep 17 00:00:00 2001 From: Giovanni Di Santi Date: Sat, 29 Jun 2024 23:08:21 +0200 Subject: [PATCH 02/18] ijon set: remove gdb_history --- frida_mode/test/fasan/.gdb_history | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 frida_mode/test/fasan/.gdb_history diff --git a/frida_mode/test/fasan/.gdb_history b/frida_mode/test/fasan/.gdb_history deleted file mode 100644 index e69de29b..00000000 From 8fbeeb143989f4ebbcc238a96305e4c534e074c7 Mon Sep 17 00:00:00 2001 From: Giovanni Di Santi Date: Sun, 30 Jun 2024 15:50:37 +0200 Subject: [PATCH 03/18] ijon set: discard source code instrumentation --- frida_mode/src/instrument/instrument.c | 2 +- instrumentation/afl-compiler-rt.o.c | 6 ------ src/afl-cc.c | 7 ++----- 3 files changed, 3 insertions(+), 12 deletions(-) diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index cbb8afd9..e0495cdf 100644 --- a/frida_mode/src/instrument/instrument.c 
+++ b/frida_mode/src/instrument/instrument.c @@ -451,7 +451,7 @@ void instrument_regs_format(int fd, char *format, ...) { void ijon_set(uint32_t edge) { - __afl_ijon_set(edge); + __afl_area_ptr[edge % __afl_map_size] |= 1; } diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index bf498781..c08e6380 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -2761,11 +2761,5 @@ void __afl_injection_xss(u8 *buf) { } -void __afl_ijon_set(u32 edge) { - - __afl_area_ptr[edge % __afl_map_size] |= 1; - -} - #undef write_error diff --git a/src/afl-cc.c b/src/afl-cc.c index 2a027ce4..7afab850 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1528,8 +1528,7 @@ void add_defs_selective_instr(aflcc_state_t *aflcc) { "extern \"C\" void __afl_coverage_discard();" "extern \"C\" void __afl_coverage_skip();" "extern \"C\" void __afl_coverage_on();" - "extern \"C\" void __afl_coverage_off();" - "extern \"C\" void __afl_ijon_set(unsigned int);"); + "extern \"C\" void __afl_coverage_off();"); } else { @@ -1538,8 +1537,7 @@ void add_defs_selective_instr(aflcc_state_t *aflcc) { "void __afl_coverage_discard();" "void __afl_coverage_skip();" "void __afl_coverage_on();" - "void __afl_coverage_off();" - "void __afl_ijon_set(unsigned int);"); + "void __afl_coverage_off();"); } @@ -1551,7 +1549,6 @@ void add_defs_selective_instr(aflcc_state_t *aflcc) { insert_param(aflcc, "-D__AFL_COVERAGE_OFF()=__afl_coverage_off()"); insert_param(aflcc, "-D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard()"); insert_param(aflcc, "-D__AFL_COVERAGE_SKIP()=__afl_coverage_skip()"); - insert_param(aflcc, "-D__AFL_IJON_SET(_A)=__afl_ijon_set(_A)"); } From 9c54be6cf102548bef94f039edf9108011822b9a Mon Sep 17 00:00:00 2001 
From: "Subhojeet Mukherjee, PhD" <57270300+CowBoy4mH3LL@users.noreply.github.com> Date: Mon, 1 Jul 2024 14:54:01 +0530 Subject: [PATCH 04/18] Update README.md to reflect latest changes 1. fixed hook name length to 16 2. no native debug logging at this time -- will bridge with AFL++ macros latter --- qemu_mode/hooking_bridge/README.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/qemu_mode/hooking_bridge/README.md b/qemu_mode/hooking_bridge/README.md index ae8e62e4..c6276305 100644 --- a/qemu_mode/hooking_bridge/README.md +++ b/qemu_mode/hooking_bridge/README.md @@ -22,7 +22,7 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three return &to_ret; } ``` - i. Hook functions must be named as `hook_`. Here, `` means `` left padded with 0's to until the `(system word length)/4` number of hex characters, e.g. 16 on a 64 bit machine. The unpaded part of `` is the absolute address where you want to place the hook. It is basically the file base address (which does not change in QEMU as of now) plus the instruction offset where the hooks is to be placed. The hook function must return a `struct ret *`, which is touched upon later. + i. Hook functions must be named as `hook_`. Here, `` means `` left padded with 0's to until 16 hex characters. The unpaded part of `` is the absolute address where you want to place the hook. It is basically the file base address (which does not change in QEMU as of now) plus the instruction offset where the hooks is to be placed. The hook function must return a `struct ret *`, which is touched upon later. ii. Most likely you will need to access memory or registers in the hook. So we provide four functions ```C 
@@ -77,11 +77,6 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three ## Running with hooks Set `QEMU_PLUGIN="file=qemu_mode/hooking_bridge/build/plugin.so,arg="` before running AFL++ in QEMU mode. Note `` is the absolute path to your hooks library. -## Contributing -* If you want to enable debugging - * Compile with an additional `DEBUG=1` switch. - * Akin to QEMU's own documentation, set `QEMU_LOG=plugin QEMU_LOG_FILENAME=` before you run. - ## Current limitations 1. Cannot be used to debug (-g option) when using the bridge as it uses the gdbstub internally. This is not a problem if used with AFL++, so not such a big issue. 2. Cannot put a hook on the first block after ``. Not typically a hookable location. From 37d9afc5ccf0b37edc6744a5edf7753e52d1e103 Mon Sep 17 00:00:00 2001 From: Richard Barnes Date: Mon, 1 Jul 2024 06:59:37 -0700 Subject: [PATCH 05/18] Make fallthroughs explicit in afl-fuzz-extras.c Using `__attribute__((fallthrough))` makes fallthroughs explicit in a way the compiler can understand. This allows the enablement of `-Wimplicit-fallthrough`. --- src/afl-fuzz-extras.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 55b6be04..da996602 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -455,13 +455,13 @@ void deunicode_extras(afl_state_t *afl) { case 2: if (!afl->extras[i].data[j]) { ++z3; } - // fall through + __attribute__((fallthrough)); case 0: if (!afl->extras[i].data[j]) { ++z1; } break; case 3: if (!afl->extras[i].data[j]) { ++z4; } - // fall through + __attribute__((fallthrough)); case 1: if (!afl->extras[i].data[j]) { ++z2; } break; From b840ac91dc1d53cb0216edcecc9a0f17ab6e64db Mon Sep 17 00:00:00 2001 
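Review bot: `__attribute__((fallthrough));` is only understood by GCC 7+ and recent clang; on older compilers the two new statements produce an "attribute ignored" warning (an error under `-Werror`) where the old `// fall through` comment was silent for everyone, so the portability cost should be paid once behind a feature check rather than at each site. A small macro defined behind `__has_attribute(fallthrough)` with an empty fallback, used at both the `case 2:` and `case 3:` sites, keeps `-Wimplicit-fallthrough` effective where it is supported and still builds everywhere else — unless the tree already has such a macro, in which case use that one. deunicode_extras starts and ends outside the hunk.
```c
/* once, in a shared header next to the other compiler-compat macros */
#if defined(__has_attribute)
  #if __has_attribute(fallthrough)
    #define AFL_FALLTHROUGH __attribute__((fallthrough))
  #endif
#endif
#ifndef AFL_FALLTHROUGH
  #define AFL_FALLTHROUGH /* fall through */
#endif

/* … unchanged: deunicode_extras() switch head … */
          if (!afl->extras[i].data[j]) { ++z3; }
          AFL_FALLTHROUGH;
/* … unchanged: case 0 … case 3 body … */
          AFL_FALLTHROUGH;
```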
From: Chenhao Date: Fri, 5 Jul 2024 16:43:20 +0800 Subject: [PATCH 06/18] Fixed the syntax errors in `unicorn_loader.py` within `unicorn_mode`. (#2144) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaced a Chinese comma "," with an English comma "," to ensure the code runs correctly. --- unicorn_mode/helper_scripts/unicorn_loader.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py index a83e7000..4219c6ab 100644 --- a/unicorn_mode/helper_scripts/unicorn_loader.py +++ b/unicorn_mode/helper_scripts/unicorn_loader.py @@ -90,7 +90,7 @@ class UnicornSimpleHeap(object): _chunks_freed = [] # List of all freed chunks _debug_print = False # True to print debug information - def __init__(self, uc, debug_print=False, uaf_check=False): + def __init__(self, uc, debug_print=False, uaf_check=False): self._uc = uc self._debug_print = debug_print From 365129d811e3207651ede2330e681ae43acab4d4 Mon Sep 17 00:00:00 2001 From: Vito <48046520+AlbertnQ@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:34:06 +0800 Subject: [PATCH 07/18] Update sample_all.sh (#2146) Incorrect shell syntax --- unicorn_mode/samples/c/sample_all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/samples/c/sample_all.sh b/unicorn_mode/samples/c/sample_all.sh index 01daf365..3bb396e7 100644 --- a/unicorn_mode/samples/c/sample_all.sh +++ b/unicorn_mode/samples/c/sample_all.sh @@ -12,7 +12,7 @@ fi -if [ ! test -e $DIR/harness]; then +if [ ! -e $DIR/harness ]; then echo "[!] harness not found in $DIR" exit 1 -fi \ No newline at end of file +fi From d1a7b6988c608c75e96b8b4776acb5177d9d5aed Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 8 Jul 2024 09:46:47 +0200 Subject: [PATCH 08/18] update timeout for custom mutator tests --- test/test-custom-mutators.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
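Review bot: `$DIR/harness` in the corrected test is still unquoted, so a `DIR` containing whitespace or glob characters splits into several words and `[` either fails with a syntax error or tests the wrong path; the line should read `if [ ! -e "$DIR/harness" ]; then`. The `echo "[!] harness not found in $DIR"` context line is fine because its expansion is inside double quotes. Adding the trailing newline after `fi` is correct for the last line of a script.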
diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh index 8c8b0ad3..3f0a96ba 100755 --- a/test/test-custom-mutators.sh +++ b/test/test-custom-mutators.sh @@ -38,7 +38,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results @@ -58,7 +58,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ multiple C mutators $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* 2>/dev/null )" && { # TODO: update here @@ -88,7 +88,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 
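Review bot: The run time is raised from `-V07` to `-V20` in all three hunks, but the context line `$ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds"` just above the first change, and the matching message in the `@@ -58` hunk, still promise ten seconds; update both to `this will take approx 20 seconds` so the test output matches what the user will actually wait for. The message for the Python run in the `@@ -88` hunk is not visible in the hunk, so check it too.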
From 835a4b6497727bfe1df650e0973b90df3bdaffef Mon Sep 17 00:00:00 2001 From: Oliver Schneider Date: Tue, 9 Jul 2024 17:10:35 +0000 Subject: [PATCH 09/18] Some fixups to the GNUmakefile.llvm * rely less on the shell and more on GNU make to parse the versions * fixed retrieval of minor version (for 18.1.8 it gave 8 instead of 1!) * auto-detection of llvm-config within the supported version range * replaced backticks by `$(...)` syntax * tested against `busybox static-sh`, `bash`, `dash` and `csh` --- GNUmakefile.llvm | 51 ++++++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 70c54f1c..0d9d974e 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -32,6 +32,9 @@ VERSION = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2 SYS = $(shell uname -s) +override LLVM_TOO_NEW_DEFAULT := 18 +override LLVM_TOO_OLD_DEFAULT := 13 + ifeq "$(SYS)" "OpenBSD" LLVM_CONFIG ?= $(BIN_PATH)/llvm-config HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1) 
@@ -39,24 +42,30 @@ ifeq "$(SYS)" "OpenBSD" $(warning llvm_mode needs a complete llvm installation (versions 6.0 up to 13) -> e.g. "pkg_add llvm-7.0.1p9") endif else - LLVM_CONFIG ?= llvm-config + # Small function to use Bash to detect the latest available clang and clang++ binaries, if using them by that name fails + override _CLANG_VERSIONS_TO_TEST := $(patsubst %,-%,$(shell seq $(LLVM_TOO_NEW_DEFAULT) -1 $(LLVM_TOO_OLD_DEFAULT))) + detect_newest=$(shell for v in "" $(_CLANG_VERSIONS_TO_TEST); do test -n "$$(command -v -- $1$$v)" && { echo "$1$$v"; break; }; done) + LLVM_CONFIG ?= $(call detect_newest,llvm-config) endif -LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' ) -LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' ) -LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' | sed 's/rc.*//' ) -LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-8]\.' && echo 1 || echo 0 ) -LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^19|^2[0-9]' && echo 1 || echo 0 ) -LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' 
&& echo 1 || echo 0 ) -LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 ) -LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 ) -LLVM_13_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[3-9]' && echo 1 || echo 0 ) -LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[2-9]' && echo 1 || echo 0 ) -LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) -LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) -LLVM_STDCXX = gnu++11 -LLVM_APPLE_XCODE = $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) -LLVM_LTO = 0 +override LLVM_RAW_VER := $(shell $(LLVM_CONFIG) --version 2>/dev/null) +LLVMVER := $(subst svn,,$(subst git,,$(LLVM_RAW_VER))) +LLVM_MAJOR := $(firstword $(subst ., ,$(LLVMVER))) +LLVM_MINOR := $(firstword $(subst ., ,$(subst $(LLVM_MAJOR).,,$(LLVMVER)))) +LLVM_TOO_NEW := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TO_NEW_LIMIT) && echo 1 || echo 0) +LLVM_TOO_OLD := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TO_OLD_LIMIT) && echo 1 || echo 0) +LLVM_NEW_API := $(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0) +LLVM_NEWER_API := $(shell test $(LLVM_MAJOR) -ge 16 && echo 1 || echo 0) +LLVM_13_OK := $(shell test $(LLVM_MAJOR) -ge 13 && echo 1 || echo 0) +LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || echo 0) +LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) +LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) +LLVM_STDCXX := gnu++11 +LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) +LLVM_LTO := 0 +LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' 
&& echo 1 || echo 0) +# Uncomment to see the values assigned above +# $(foreach var,LLVM_CONFIG LLVMVER LLVM_MAJOR LLVM_MINOR LLVM_TOO_NEW LLVM_TOO_OLD LLVM_TOO_NEW_DEFAULT LLVM_TOO_OLD_DEFAULT LLVM_NEW_API LLVM_NEWER_API LLVM_13_OK LLVM_HAVE_LTO LLVM_BINDIR LLVM_LIBDIR LLVM_STDCXX LLVM_APPLE_XCODE LLVM_LTO LLVM_UNSUPPORTED,$(warning $(var) = $($(var)))) ifeq "$(LLVMVER)" "" $(warning [!] llvm_mode needs llvm-config, which was not found. Set LLVM_CONFIG to its path and retry.) @@ -245,7 +254,7 @@ endif AFL_CLANG_FUSELD= ifeq "$(LLVM_LTO)" "1" - ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" + ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=$$(command -v ld) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_FUSELD=1 ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(AFL_REAL_LD) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_LDPATH=1 @@ -300,8 +309,8 @@ endif ifneq "$(LLVM_CONFIG)" "" CLANG_CFL += -I$(shell dirname $(LLVM_CONFIG))/../include endif -CLANG_CPPFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fno-exceptions -fPIC $(CXXFLAGS) $(CPPFLAGS) -Wno-deprecated-declarations -CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) +CLANG_CPPFL = $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fno-exceptions -fPIC $(CXXFLAGS) $(CPPFLAGS) -Wno-deprecated-declarations +CLANG_LFL = $$($(LLVM_CONFIG) --ldflags) $(LDFLAGS) # wasm fuzzing: disable thread-local storage and unset LLVM debug flag ifdef WAFL_MODE @@ -319,7 +328,7 @@ else endif ifeq "$(SYS)" "OpenBSD" - CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so + CLANG_LFL += $$($(LLVM_CONFIG) --libdir)/libLLVM.so CLANG_CPPFL += -mno-retpoline CFLAGS += -mno-retpoline # Needed for unwind symbols 
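Review bot: The new `LLVM_TOO_NEW`/`LLVM_TOO_OLD`/`LLVM_NEW_API`/`LLVM_NEWER_API`/`LLVM_13_OK`/`LLVM_HAVE_LTO` lines each run `test $(LLVM_MAJOR) -gt …` even when no `llvm-config` was found, and with an empty `LLVM_MAJOR` that becomes `test -gt 18`, so the shell prints a `test` usage error for each of the six lines before the `$(warning [!] llvm_mode needs llvm-config …)` a few lines down explains the real problem; the grep-based form this replaces was silent on empty input. Guarding each test at the make level, e.g. `LLVM_NEW_API := $(if $(LLVM_MAJOR),$(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0),0)`, and likewise for the other five, keeps the output clean and yields a defined 0 instead of an empty value. (The `LLVM_TO_NEW_LIMIT`/`LLVM_TO_OLD_LIMIT` names used in this hunk are corrected to the `_DEFAULT` variables by PATCH 14 of this series.)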
@@ -417,7 +426,7 @@ endif endif instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h - $(CXX) $(CFLAGS) $(CPPFLAGS) `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ + $(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ ./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps ifeq "$(LLVM_MIN_4_0_1)" "0" From 77bad3ad239c557d17ab2788837d2a7aa854b235 Mon Sep 17 00:00:00 2001 From: Giovanni Di Santi Date: Wed, 10 Jul 2024 10:16:14 +0200 Subject: [PATCH 10/18] ijon set: use __afl_coverage_interesting --- dynamic_list.txt | 1 - frida_mode/include/instrument.h | 2 +- frida_mode/src/instrument/instrument.c | 2 +- instrumentation/afl-compiler-rt.o.c | 2 +- 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/dynamic_list.txt b/dynamic_list.txt index 1a5c514a..50c0c6b8 100644 --- a/dynamic_list.txt +++ b/dynamic_list.txt @@ -30,7 +30,6 @@ "__afl_selective_coverage_temp"; "__afl_sharedmem_fuzzing"; "__afl_trace"; - "__afl_ijon_set"; "__cmplog_ins_hook1"; "__cmplog_ins_hook16"; "__cmplog_ins_hook2"; diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 7f4958a2..a1969e37 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -22,7 +22,7 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; -extern void __afl_ijon_set(uint32_t); +extern void __afl_coverage_interesting(uint8_t, uint32_t); extern __thread guint64 *instrument_previous_pc_addr; diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index e0495cdf..d30e21ec 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c 
@@ -451,7 +451,7 @@ void instrument_regs_format(int fd, char *format, ...) { void ijon_set(uint32_t edge) { - __afl_area_ptr[edge % __afl_map_size] |= 1; + __afl_coverage_interesting(1, edge); } diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index c08e6380..f28f5ea4 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -2704,7 +2704,7 @@ void __afl_coverage_skip() { // mark this area as especially interesting void __afl_coverage_interesting(u8 val, u32 id) { - __afl_area_ptr[id] = val; + __afl_area_ptr[id % __afl_map_size] = val; } From 02f4f755263bac8a5568e5b65aba940a3e506292 Mon Sep 17 00:00:00 2001 From: Takuya Shimizu Date: Wed, 10 Jul 2024 21:39:04 +0900 Subject: [PATCH 11/18] Fix missed updates of alias table when INTROSPECTION is on In src/afl-fuzz.c `prev_queued_items` is used to decide whether the alias table should be recreated through the comparison with `afl->queued_items`. https://github.com/AFLplusplus/AFLplusplus/blob/43f462c91b3699b66e4aa1c5703b30f5189b5618/src/afl-fuzz.c#L3103-L3117 However, this variable is also updated to `afl->queued_items` when INTROSPECTION is enabled and the `fuzz_one` appends seeds. https://github.com/AFLplusplus/AFLplusplus/blob/43f462c91b3699b66e4aa1c5703b30f5189b5618/src/afl-fuzz.c#L3135-L3140 Due to the update of `prev_queued_items` when INTROSPECTION is on, alias table may not be recreated when it actually should be. This can lead to potential heap buffer-overflow in `select_next_queue_entry` due to the lack of `afl_realloc` called in `create_alias_table`. This patch fixes this bug by utilizing another variable for the INTROSPECTION part like other variables such as `prev_saved_tmouts`. --- src/afl-fuzz.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8a84d447..8d85aec5 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
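Review bot: `__afl_area_ptr[id % __afl_map_size] = val;` now folds any 32-bit id into the map, which removes the out-of-bounds write for large ids but means an id that lands on an index also used by edge coverage overwrites that byte's hit count with `val` (assignment, not `|=`). That is harmless for compile-time `__AFL_COVERAGE_INTERESTING` users passing small fixed ids, but the FRIDA `ijon_set` in this same commit forwards an arbitrary `(addr ^ val)` computed in JavaScript, so collisions with real edges are likely; whether that is acceptable should be stated in the comment above the function, e.g. `// mark this area as especially interesting; id is wrapped into the map and may alias an edge slot`. Whether `__afl_map_size` can still be 0 when this is called (a division by zero) is not visible here — confirm it has a non-zero default.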
@@ -2815,7 +2815,7 @@ int main(int argc, char **argv_orig, char **envp) { // (void)nice(-20); // does not improve the speed #ifdef INTROSPECTION - u32 prev_saved_crashes = 0, prev_saved_tmouts = 0; + u32 prev_saved_crashes = 0, prev_saved_tmouts = 0, stat_prev_queued_items = 0; #endif u32 prev_queued_items = 0, runs_in_current_cycle = (u32)-1; u8 skipped_fuzz; @@ -3132,10 +3132,11 @@ int main(int argc, char **argv_orig, char **envp) { } else { - if (unlikely(afl->queued_items > prev_queued_items)) { + if (unlikely(afl->queued_items > stat_prev_queued_items)) { - afl->queue_cur->stats_finds += afl->queued_items - prev_queued_items; - prev_queued_items = afl->queued_items; + afl->queue_cur->stats_finds += + afl->queued_items - stat_prev_queued_items; + stat_prev_queued_items = afl->queued_items; } From ea42feb06a41fdc888891ec21400d2d15ca45ebc Mon Sep 17 00:00:00 2001 From: "Christian Holler (:decoder)" Date: Fri, 12 Jul 2024 20:08:52 +0200 Subject: [PATCH 12/18] Initialize max_length in afl_fsrv_init #2155 --- src/afl-forkserver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index cec91f76..6366f473 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -241,6 +241,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->mem_limit = MEM_LIMIT; fsrv->out_file = NULL; fsrv->child_kill_signal = SIGKILL; + fsrv->max_length = MAX_FILE; /* exec related stuff */ fsrv->child_pid = -1; From bd83eb0f424528bc156ef5bb0d025a8d20e85a6c Mon Sep 17 00:00:00 2001 From: William Tan <1284324+Ninja3047@users.noreply.github.com> Date: Fri, 12 Jul 2024 16:10:40 -0400 Subject: [PATCH 13/18] check the sync_id length once --- src/afl-fuzz-init.c | 6 +++++- src/afl-fuzz.c | 12 +----------- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 98de26dd..4f366b0d 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -2717,7 +2717,11 @@ void fix_up_sync(afl_state_t *afl) { } - if (strlen(afl->sync_id) > 32) { FATAL("Fuzzer ID too long"); } + if (strlen(afl->sync_id) > 50) { + + FATAL("sync_id max length is 50 characters"); + + } x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8d85aec5..9867eba3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1610,17 +1610,7 @@ int main(int argc, char **argv_orig, char **envp) { #endif - if (afl->sync_id) { - - if (strlen(afl->sync_id) > 50) { - - FATAL("sync_id max length is 50 characters"); - - } - - fix_up_sync(afl); - - } + if (afl->sync_id) { fix_up_sync(afl); } if (!strcmp(afl->in_dir, afl->out_dir)) { From 88e2affe7398499c271d8fae50ca200f0fd53e43 Mon Sep 17 00:00:00 2001 From: Oliver Schneider Date: Sat, 13 Jul 2024 21:29:41 +0000 Subject: [PATCH 14/18] Fixing change from PR#2152, misspelled variable names --- GNUmakefile.llvm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 0d9d974e..8b4c6054 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -52,8 +52,8 @@ override LLVM_RAW_VER := $(shell $(LLVM_CONFIG) --version 2>/dev/null) LLVMVER := $(subst svn,,$(subst git,,$(LLVM_RAW_VER))) LLVM_MAJOR := $(firstword $(subst ., ,$(LLVMVER))) LLVM_MINOR := $(firstword $(subst ., ,$(subst $(LLVM_MAJOR).,,$(LLVMVER)))) -LLVM_TOO_NEW := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TO_NEW_LIMIT) && echo 1 || echo 0) -LLVM_TOO_OLD := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TO_OLD_LIMIT) && echo 1 || echo 0) +LLVM_TOO_NEW := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TOO_NEW_DEFAULT) && echo 1 || echo 0) +LLVM_TOO_OLD := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TOO_OLD_DEFAULT) && echo 1 || echo 0) LLVM_NEW_API := $(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0) LLVM_NEWER_API := $(shell test $(LLVM_MAJOR) -ge 16 && echo 1 || echo 0) LLVM_13_OK := $(shell test $(LLVM_MAJOR) -ge 13 && echo 1 || echo 0) 
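Review bot: The limit 50 appears twice in the new check — in `strlen(afl->sync_id) > 50` and again inside the `FATAL("sync_id max length is 50 characters")` text — and this hunk already shows it drifting once (32 → 50), so a single named constant used by both, e.g. `if (strlen(afl->sync_id) > SYNC_ID_MAX_LEN) { FATAL("sync_id max length is %d characters", SYNC_ID_MAX_LEN); }`, keeps message and check in step. The length check is also the only validation visible before `alloc_printf("%s/%s", afl->out_dir, afl->sync_id)` builds the sync directory path; if nothing earlier in fix_up_sync (its start is outside the hunk) rejects `/` in the id, a value containing one would place that directory outside out_dir, which deserves either a check or a comment saying why it is tolerated. The companion `afl-fuzz.c` hunk correctly drops the duplicate check now that fix_up_sync owns it.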
From 7c380a6612f00e4a7ed02364dc2b3769e8edc8f8 Mon Sep 17 00:00:00 2001 From: carpintero-de-c <175505615+carpintero-de-c@users.noreply.github.com> Date: Sun, 14 Jul 2024 03:55:58 +0530 Subject: [PATCH 15/18] Replace gettimeofday with clock_gettime (#2159) --- custom_mutators/gramatron/test.c | 23 ++++++++++----------- custom_mutators/symqemu/symqemu.c | 7 +++---- frida_mode/test/unstable/unstable.c | 31 +++++++++++++++++++---------- include/afl-fuzz.h | 1 - instrumentation/afl-llvm-pass.so.cc | 9 ++++----- src/afl-as.c | 8 +++----- src/afl-common.c | 15 ++++++-------- src/afl-fuzz.c | 7 +++---- 8 files changed, 50 insertions(+), 51 deletions(-) diff --git a/custom_mutators/gramatron/test.c b/custom_mutators/gramatron/test.c index 0dfbc197..3577faa1 100644 --- a/custom_mutators/gramatron/test.c +++ b/custom_mutators/gramatron/test.c @@ -8,8 +8,8 @@ state *create_pda(u8 *automaton_file) { struct json_object *parsed_json; - state * pda; - json_object * source_obj, *attr; + state *pda; + json_object *source_obj, *attr; int arraylen, ii, ii2, trigger_len, error; printf("\n[GF] Automaton file passed:%s", automaton_file); @@ -41,7 +41,7 @@ state *create_pda(u8 *automaton_file) { enum json_type type; json_object_object_foreach(source_obj, key, val) { - state * state_ptr; + state *state_ptr; trigger *trigger_ptr; int offset; @@ -97,12 +97,12 @@ state *create_pda(u8 *automaton_file) { void SanityCheck(char *automaton_path) { - state * pda = create_pda(automaton_path); + state *pda = create_pda(automaton_path); int count = 0, state; Get_Dupes_Ret *getdupesret; - IdxMap_new * statemap; - IdxMap_new * statemap_ptr; - terminal * term_ptr; + IdxMap_new *statemap; + IdxMap_new *statemap_ptr; + terminal *term_ptr; while (count < NUMINPUTS) { 
@@ -117,12 +117,9 @@ void SanityCheck(char *automaton_path) { int main(int argc, char *argv[]) { - char * mode; - char * automaton_path; - char * output_dir = NULL; - struct timeval tv; - struct timeval tz; - // gettimeofday(&tv, &tz); + char *mode; + char *automaton_path; + char *output_dir = NULL; srand(1337); if (argc == 3) { diff --git a/custom_mutators/symqemu/symqemu.c b/custom_mutators/symqemu/symqemu.c index 73a1640a..b9912923 100644 --- a/custom_mutators/symqemu/symqemu.c +++ b/custom_mutators/symqemu/symqemu.c @@ -196,12 +196,11 @@ void afl_custom_splice_optout(void *data) { inline u64 get_cur_time(void) { - struct timeval tv; - struct timezone tz; + struct timespec spec; - gettimeofday(&tv, &tz); + clock_gettime(CLOCK_REALTIME, &spec); - return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); + return (spec.tv_sec * 1000ULL) + (spec.tv_nsec / 1000000ULL); } diff --git a/frida_mode/test/unstable/unstable.c b/frida_mode/test/unstable/unstable.c index 16978e7e..8466cba0 100644 --- a/frida_mode/test/unstable/unstable.c +++ b/frida_mode/test/unstable/unstable.c @@ -14,7 +14,7 @@ #include #include #include -#include +#include #ifdef __APPLE__ #define TESTINSTR_SECTION @@ -22,17 +22,21 @@ #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) #endif -void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { +void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 1) return; - struct timeval tv = {0}; - if (gettimeofday(&tv, NULL) < 0) return; + struct timespec spec = {0}; + if (clock_gettime(CLOCK_REALTIME, &spec) < 0) return; + + if ((spec.tv_nsec % 2) == 0) { + + printf("Hooray all even\n"); - if ((tv.tv_usec % 2) == 0) { - printf ("Hooray all even\n"); } else { - printf ("Hmm that's odd\n"); + + printf("Hmm that's odd\n"); + } // we support three input cases 
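Review bot: `clock_gettime(CLOCK_REALTIME, &spec)` keeps the wall-clock semantics of the `gettimeofday` it replaces, so a function named `get_cur_time` that callers presumably use for elapsed-time arithmetic still jumps backwards or forwards when the system clock is stepped; `CLOCK_MONOTONIC` is the usual choice for durations. Whether that switch is safe depends on whether the returned values are also persisted as absolute timestamps — if they are, keep `CLOCK_REALTIME` and say so in a comment on the function, e.g. `// wall clock on purpose: values are also written out as absolute timestamps`. The same point applies to the two `get_cur_time*` hunks in `src/afl-common.c` in this commit. The millisecond conversion `(spec.tv_nsec / 1000000ULL)` matches the old `tv_usec / 1000` truncation.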
@@ -45,26 +49,33 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } -void run_test(char * file) { +void run_test(char *file) { + fprintf(stderr, "Running: %s\n", file); FILE *f = fopen(file, "r"); assert(f); fseek(f, 0, SEEK_END); size_t len = ftell(f); fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); fclose(f); assert(n_read == len); LLVMFuzzerTestOneInput(buf, len); free(buf); fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read); + } int main(int argc, char **argv) { + srand(1); fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); for (int i = 1; i < argc; i++) { + run_test(argv[i]); + } + } + diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 0f0e45d3..a7526aff 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -64,7 +64,6 @@ #include #include -#include #ifndef USEMMAP #include #endif diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 75b8532b..fb5b856c 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -32,12 +32,12 @@ #include "debug.h" #include #include +#include #include #include #include #include -#include #include "llvm/Config/llvm-config.h" #if LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR < 5 @@ -211,14 +211,13 @@ bool AFLCoverage::runOnModule(Module &M) { IntegerType *IntLocTy = IntegerType::getIntNTy(C, sizeof(PREV_LOC_T) * CHAR_BIT); #endif - struct timeval tv; - struct timezone tz; + struct timespec spec; u32 rand_seed; unsigned int cur_loc = 0; /* Setup random() so we get Actually Random(TM) outputs from AFL_R() */ - gettimeofday(&tv, &tz); - rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + clock_gettime(CLOCK_REALTIME, &spec); + rand_seed = spec.tv_sec ^ spec.tv_nsec ^ getpid(); AFL_SR(rand_seed); /* Show a banner */ 
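Review bot: Dropping an include from include/afl-fuzz.h is riskier than the other include changes in this patch, because that header is the umbrella for the fuzzer's translation units; the removed header's name is lost in this rendering, but if it is the gettimeofday header, any code that still uses `struct timeval` (for example with select or setitimer) and only got it transitively may stop building on some platforms. A build of the full tree rather than only the touched files would confirm this; if something breaks, keeping the old include alongside the new one is harmless.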
diff --git a/src/afl-as.c b/src/afl-as.c index d4ddb94d..df487cbc 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -52,7 +52,6 @@ #include #include -#include static u8 **as_params; /* Parameters passed to the real 'as' */ @@ -557,8 +556,7 @@ int main(int argc, char **argv) { int status; u8 *inst_ratio_str = getenv("AFL_INST_RATIO"); - struct timeval tv; - struct timezone tz; + struct timespec spec; clang_mode = !!getenv(CLANG_ENV_VAR); @@ -609,9 +607,9 @@ int main(int argc, char **argv) { } - gettimeofday(&tv, &tz); + clock_gettime(CLOCK_REALTIME, &spec); - rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + rand_seed = spec.tv_sec ^ spec.tv_nsec ^ getpid(); // in fast systems where pids can repeat in the same seconds we need this for (i = 1; (s32)i < argc; i++) for (j = 0; j < strlen(argv[i]); j++) diff --git a/src/afl-common.c b/src/afl-common.c index efdb5d60..62432158 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -976,12 +976,11 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) { inline u64 get_cur_time(void) { - struct timeval tv; - struct timezone tz; + struct timespec spec; - gettimeofday(&tv, &tz); + clock_gettime(CLOCK_REALTIME, &spec); - return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); + return (spec.tv_sec * 1000ULL) + (spec.tv_nsec / 1000000ULL); } @@ -989,19 +988,17 @@ inline u64 get_cur_time(void) { inline u64 get_cur_time_us(void) { - struct timeval tv; - struct timezone tz; + struct timespec spec; - gettimeofday(&tv, &tz); + clock_gettime(CLOCK_REALTIME, &spec); - return (tv.tv_sec * 1000000ULL) + tv.tv_usec; + return (spec.tv_sec * 1000000ULL) + (spec.tv_nsec / 1000ULL); } /* Describe integer. The buf should be at least 6 bytes to fit all ints we randomly see. Will return buf for convenience. */ - u8 *stringify_int(u8 *buf, size_t len, u64 val) { \ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9867eba3..0f84b79b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -555,8 +555,7 @@ int main(int argc, char **argv_orig, char **envp) { char *frida_afl_preload = NULL; char **use_argv; - struct timeval tv; - struct timezone tz; + struct timespec spec; doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; @@ -603,8 +602,8 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a large online community\n"); - gettimeofday(&tv, &tz); - rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); + clock_gettime(CLOCK_REALTIME, &spec); + rand_set_seed(afl, spec.tv_sec ^ spec.tv_nsec ^ getpid()); afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing From ccb952dde8dbf2165a0d84308e558cd68679fb13 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 14 Jul 2024 10:18:23 +0200 Subject: [PATCH 16/18] Revert "Replace gettimeofday with clock_gettime (#2159)" This reverts commit 7c380a6612f00e4a7ed02364dc2b3769e8edc8f8. --- custom_mutators/gramatron/test.c | 23 +++++++++++---------- custom_mutators/symqemu/symqemu.c | 7 ++++--- frida_mode/test/unstable/unstable.c | 31 ++++++++++------------------- include/afl-fuzz.h | 1 + instrumentation/afl-llvm-pass.so.cc | 9 +++++---- src/afl-as.c | 8 +++++--- src/afl-common.c | 15 ++++++++------ src/afl-fuzz.c | 7 ++++--- 8 files changed, 51 insertions(+), 50 deletions(-) diff --git a/custom_mutators/gramatron/test.c b/custom_mutators/gramatron/test.c index 3577faa1..0dfbc197 100644 --- a/custom_mutators/gramatron/test.c +++ b/custom_mutators/gramatron/test.c @@ -8,8 +8,8 @@ state *create_pda(u8 *automaton_file) { struct json_object *parsed_json; - state *pda; - json_object *source_obj, *attr; + state * pda; + json_object * source_obj, *attr; int arraylen, ii, ii2, trigger_len, error; printf("\n[GF] Automaton file passed:%s", automaton_file); 
@@ -41,7 +41,7 @@ state *create_pda(u8 *automaton_file) { enum json_type type; json_object_object_foreach(source_obj, key, val) { - state *state_ptr; + state * state_ptr; trigger *trigger_ptr; int offset; @@ -97,12 +97,12 @@ state *create_pda(u8 *automaton_file) { void SanityCheck(char *automaton_path) { - state *pda = create_pda(automaton_path); + state * pda = create_pda(automaton_path); int count = 0, state; Get_Dupes_Ret *getdupesret; - IdxMap_new *statemap; - IdxMap_new *statemap_ptr; - terminal *term_ptr; + IdxMap_new * statemap; + IdxMap_new * statemap_ptr; + terminal * term_ptr; while (count < NUMINPUTS) { @@ -117,9 +117,12 @@ void SanityCheck(char *automaton_path) { int main(int argc, char *argv[]) { - char *mode; - char *automaton_path; - char *output_dir = NULL; + char * mode; + char * automaton_path; + char * output_dir = NULL; + struct timeval tv; + struct timeval tz; + // gettimeofday(&tv, &tz); srand(1337); if (argc == 3) { diff --git a/custom_mutators/symqemu/symqemu.c b/custom_mutators/symqemu/symqemu.c index b9912923..73a1640a 100644 --- a/custom_mutators/symqemu/symqemu.c +++ b/custom_mutators/symqemu/symqemu.c @@ -196,11 +196,12 @@ void afl_custom_splice_optout(void *data) { inline u64 get_cur_time(void) { - struct timespec spec; + struct timeval tv; + struct timezone tz; - clock_gettime(CLOCK_REALTIME, &spec); + gettimeofday(&tv, &tz); - return (spec.tv_sec * 1000ULL) + (spec.tv_nsec / 1000000ULL); + return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); } diff --git a/frida_mode/test/unstable/unstable.c b/frida_mode/test/unstable/unstable.c index 8466cba0..16978e7e 100644 --- a/frida_mode/test/unstable/unstable.c +++ b/frida_mode/test/unstable/unstable.c @@ -14,7 +14,7 @@ #include #include #include -#include +#include #ifdef __APPLE__ #define TESTINSTR_SECTION 
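Review bot: The revert reinstates three dead lines in main of custom_mutators/gramatron/test.c — `struct timeval tv;`, `struct timeval tz;` and the commented-out `// gettimeofday(&tv, &tz);` — and `tz` is declared with the wrong type for that call's second argument (`struct timezone`). Restoring gettimeofday elsewhere did not require bringing these back; dropping the three lines keeps the cleanup from the reverted commit without touching anything the revert actually needs.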
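Review bot: The restored `gettimeofday(&tv, &tz);` in get_cur_time passes a `struct timezone`, which POSIX marks obsolete — with a non-null tzp the behaviour is unspecified — and the value written to tz is never read. Using `gettimeofday(&tv, NULL);` and dropping `struct timezone tz;` keeps the gettimeofday-based implementation the revert restores while removing the unspecified part; the same applies to the restored calls in instrumentation/afl-llvm-pass.so.cc, src/afl-as.c, both functions in src/afl-common.c and src/afl-fuzz.c.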
@@ -22,21 +22,17 @@ #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) #endif -void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { +void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { if (size < 1) return; - struct timespec spec = {0}; - if (clock_gettime(CLOCK_REALTIME, &spec) < 0) return; - - if ((spec.tv_nsec % 2) == 0) { - - printf("Hooray all even\n"); + struct timeval tv = {0}; + if (gettimeofday(&tv, NULL) < 0) return; + if ((tv.tv_usec % 2) == 0) { + printf ("Hooray all even\n"); } else { - - printf("Hmm that's odd\n"); - + printf ("Hmm that's odd\n"); } // we support three input cases @@ -49,33 +45,26 @@ void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } -void run_test(char *file) { - +void run_test(char * file) { fprintf(stderr, "Running: %s\n", file); FILE *f = fopen(file, "r"); assert(f); fseek(f, 0, SEEK_END); size_t len = ftell(f); fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char *)malloc(len); - size_t n_read = fread(buf, 1, len, f); + unsigned char *buf = (unsigned char*)malloc(len); + size_t n_read = fread(buf, 1, len, f); fclose(f); assert(n_read == len); LLVMFuzzerTestOneInput(buf, len); free(buf); fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read); - } int main(int argc, char **argv) { - srand(1); fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); for (int i = 1; i < argc; i++) { - run_test(argv[i]); - } - } - diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index a7526aff..0f0e45d3 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -64,6 +64,7 @@ #include #include +#include #ifndef USEMMAP #include #endif diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index fb5b856c..75b8532b 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc 
@@ -32,12 +32,12 @@ #include "debug.h" #include #include -#include #include #include #include #include +#include #include "llvm/Config/llvm-config.h" #if LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR < 5 @@ -211,13 +211,14 @@ bool AFLCoverage::runOnModule(Module &M) { IntegerType *IntLocTy = IntegerType::getIntNTy(C, sizeof(PREV_LOC_T) * CHAR_BIT); #endif - struct timespec spec; + struct timeval tv; + struct timezone tz; u32 rand_seed; unsigned int cur_loc = 0; /* Setup random() so we get Actually Random(TM) outputs from AFL_R() */ - clock_gettime(CLOCK_REALTIME, &spec); - rand_seed = spec.tv_sec ^ spec.tv_nsec ^ getpid(); + gettimeofday(&tv, &tz); + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); AFL_SR(rand_seed); /* Show a banner */ diff --git a/src/afl-as.c b/src/afl-as.c index df487cbc..d4ddb94d 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -52,6 +52,7 @@ #include #include +#include static u8 **as_params; /* Parameters passed to the real 'as' */ @@ -556,7 +557,8 @@ int main(int argc, char **argv) { int status; u8 *inst_ratio_str = getenv("AFL_INST_RATIO"); - struct timespec spec; + struct timeval tv; + struct timezone tz; clang_mode = !!getenv(CLANG_ENV_VAR); @@ -607,9 +609,9 @@ int main(int argc, char **argv) { } - clock_gettime(CLOCK_REALTIME, &spec); + gettimeofday(&tv, &tz); - rand_seed = spec.tv_sec ^ spec.tv_nsec ^ getpid(); + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); // in fast systems where pids can repeat in the same seconds we need this for (i = 1; (s32)i < argc; i++) for (j = 0; j < strlen(argv[i]); j++) diff --git a/src/afl-common.c b/src/afl-common.c index 62432158..efdb5d60 100644 --- a/src/afl-common.c +++ b/src/afl-common.c 
@@ -976,11 +976,12 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) { inline u64 get_cur_time(void) { - struct timespec spec; + struct timeval tv; + struct timezone tz; - clock_gettime(CLOCK_REALTIME, &spec); + gettimeofday(&tv, &tz); - return (spec.tv_sec * 1000ULL) + (spec.tv_nsec / 1000000ULL); + return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); } @@ -988,17 +989,19 @@ inline u64 get_cur_time(void) { inline u64 get_cur_time_us(void) { - struct timespec spec; + struct timeval tv; + struct timezone tz; - clock_gettime(CLOCK_REALTIME, &spec); + gettimeofday(&tv, &tz); - return (spec.tv_sec * 1000000ULL) + (spec.tv_nsec / 1000ULL); + return (tv.tv_sec * 1000000ULL) + tv.tv_usec; } /* Describe integer. The buf should be at least 6 bytes to fit all ints we randomly see. Will return buf for convenience. */ + u8 *stringify_int(u8 *buf, size_t len, u64 val) { \ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 0f84b79b..9867eba3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -555,7 +555,8 @@ int main(int argc, char **argv_orig, char **envp) { char *frida_afl_preload = NULL; char **use_argv; - struct timespec spec; + struct timeval tv; + struct timezone tz; doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; @@ -602,8 +603,8 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a large online community\n"); - clock_gettime(CLOCK_REALTIME, &spec); - rand_set_seed(afl, spec.tv_sec ^ spec.tv_nsec ^ getpid()); + gettimeofday(&tv, &tz); + rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing From 69a596c0898e3ae295c4f606857ed2ca6d8d0605 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 14 Jul 2024 10:20:53 +0200 Subject: [PATCH 17/18] ensure this does not happen again --- src/afl-common.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/src/afl-common.c b/src/afl-common.c index efdb5d60..04a984cb 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -979,6 +979,7 @@ inline u64 get_cur_time(void) { struct timeval tv; struct timezone tz; + // TO NOT REPLACE WITH clock_gettime!!! gettimeofday(&tv, &tz); return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); @@ -992,6 +993,7 @@ inline u64 get_cur_time_us(void) { struct timeval tv; struct timezone tz; + // TO NOT REPLACE WITH clock_gettime!!! gettimeofday(&tv, &tz); return (tv.tv_sec * 1000000ULL) + tv.tv_usec; From 55a2362348cd467b65d6aea33e93ec44c6de1a38 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 14 Jul 2024 10:33:12 +0200 Subject: [PATCH 18/18] code format --- frida_mode/addr/addr.c | 43 +++--- frida_mode/hook/qemu_hook.c | 11 +- frida_mode/include/instrument.h | 2 +- frida_mode/test/cache/cache.c | 69 +++++---- frida_mode/test/cmov/cmov.c | 8 +- frida_mode/test/deferred/testinstr.c | 7 +- frida_mode/test/dynamic/testinstr.c | 24 +++- frida_mode/test/dynamic/testinstrlib.c | 3 + frida_mode/test/entry_point/testinstr.c | 2 +- frida_mode/test/exe/testinstr.c | 4 +- frida_mode/test/js/test.c | 2 +- frida_mode/test/js/test2.c | 159 +++++++++++---------- frida_mode/test/osx-lib/harness.c | 88 ++++++------ frida_mode/test/osx-lib/harness2.c | 88 ++++++------ frida_mode/test/osx-lib/harness3.c | 55 +++---- frida_mode/test/osx-lib/lib.c | 3 +- frida_mode/test/osx-lib/lib2.c | 2 - frida_mode/test/output/testinstr.c | 4 +- frida_mode/test/perf/perf.c | 22 ++- frida_mode/test/persistent_ret/testinstr.c | 6 +- frida_mode/test/testinstr/testinstr.c | 4 +- frida_mode/test/unstable/unstable.c | 23 ++- 22 files changed, 350 insertions(+), 279 deletions(-) diff --git a/frida_mode/addr/addr.c b/frida_mode/addr/addr.c index 371f69d4..69a04b17 100644 --- a/frida_mode/addr/addr.c +++ b/frida_mode/addr/addr.c 
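Review bot: The added comment `// TO NOT REPLACE WITH clock_gettime!!!` in get_cur_time reads as a typo of "DO NOT" and, more importantly, gives no reason, so the next contributor has nothing to weigh against an apparently harmless modernization — which is how the reverted change got in. Something like `// DO NOT replace with clock_gettime: <reason — the platform or behaviour it broke, to be filled in>` would carry the constraint forward; the same applies to the identical comment in the get_cur_time_us hunk below. Both enclosing functions start and end outside their hunks.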
@@ -6,34 +6,39 @@ #define UNUSED_PARAMETER(x) (void)(x) -int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) -{ - UNUSED_PARAMETER (size); +int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) { - ElfW(Addr) * base = data; + UNUSED_PARAMETER(size); + + ElfW(Addr) *base = data; + + if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } + return 0; - if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } - return 0; } -int main (int argc, char** argv, char** envp) { - UNUSED_PARAMETER (argc); +int main(int argc, char **argv, char **envp) { - ElfW(Addr) base = 0; + UNUSED_PARAMETER(argc); - int persona = personality(ADDR_NO_RANDOMIZE); - if (persona == -1) { + ElfW(Addr) base = 0; - printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); - return 1; - } + int persona = personality(ADDR_NO_RANDOMIZE); + if (persona == -1) { - if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } + printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); + return 1; - dl_iterate_phdr(phdr_callback, &base); + } - printf("%p\n", (void *)base); - if (base == 0) { return 1; } + if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } + + dl_iterate_phdr(phdr_callback, &base); + + printf("%p\n", (void *)base); + if (base == 0) { return 1; } + + return 0; - return 0; } + diff --git a/frida_mode/hook/qemu_hook.c b/frida_mode/hook/qemu_hook.c index 56e787e3..d7d45974 100644 --- a/frida_mode/hook/qemu_hook.c +++ b/frida_mode/hook/qemu_hook.c @@ -36,7 +36,7 @@ struct x86_64_regs { void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ memcpy((void *)regs->rdi, input_buf, input_buf_len); regs->rsi = input_buf_len; 
@@ -76,14 +76,15 @@ struct x86_regs { void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ void **esp = (void **)regs->esp; - void * arg1 = esp[1]; + void *arg1 = esp[1]; void **arg2 = &esp[2]; memcpy(arg1, input_buf, input_buf_len); *arg2 = (void *)input_buf_len; } + #elif defined(__aarch64__) struct arm64_regs { @@ -177,9 +178,10 @@ struct arm64_regs { void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ memcpy((void *)regs->x0, input_buf, input_buf_len); regs->x1 = input_buf_len; + } #else @@ -193,3 +195,4 @@ int afl_persistent_hook_init(void) { return 1; } + diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index a1969e37..9287019a 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -22,7 +22,7 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; -extern void __afl_coverage_interesting(uint8_t, uint32_t); +extern void __afl_coverage_interesting(uint8_t, uint32_t); extern __thread guint64 *instrument_previous_pc_addr; diff --git a/frida_mode/test/cache/cache.c b/frida_mode/test/cache/cache.c index b4102205..6ee8bf01 100644 --- a/frida_mode/test/cache/cache.c +++ b/frida_mode/test/cache/cache.c 
@@ -6,46 +6,45 @@ void LLVMFuzzerTestOneInput(char *buf, int len); -__asm__ ( - "LLVMFuzzerTestOneInput:\n" - ".func LLVMFuzzerTestOneInput\n" - ".global LLVMFuzzerTestOneInput\n" - " jmpq *jmp_offset(%rip)\n" - " nop\n" - " nop\n" - "call_target:\n" - " ret\n" - " nop\n" - " nop\n" - "jmp_target:\n" - " callq *call_offset(%rip)\n" - " nop\n" - " nop\n" - " leaq rax_offset(%rip), %rax\n" - " jmp (%rax)\n" - " nop\n" - " ud2\n" - " nop\n" - "rax_target:\n" - " ret\n" - "\n" - "\n" - ".global jmp_offset\n" - ".p2align 3\n" - "jmp_offset:\n" - " .quad jmp_target\n" - "call_offset:\n" - " .quad call_target\n" - "rax_offset:\n" - " .quad rax_target\n" -); +__asm__( + "LLVMFuzzerTestOneInput:\n" + ".func LLVMFuzzerTestOneInput\n" + ".global LLVMFuzzerTestOneInput\n" + " jmpq *jmp_offset(%rip)\n" + " nop\n" + " nop\n" + "call_target:\n" + " ret\n" + " nop\n" + " nop\n" + "jmp_target:\n" + " callq *call_offset(%rip)\n" + " nop\n" + " nop\n" + " leaq rax_offset(%rip), %rax\n" + " jmp (%rax)\n" + " nop\n" + " ud2\n" + " nop\n" + "rax_target:\n" + " ret\n" + "\n" + "\n" + ".global jmp_offset\n" + ".p2align 3\n" + "jmp_offset:\n" + " .quad jmp_target\n" + "call_offset:\n" + " .quad call_target\n" + "rax_offset:\n" + " .quad rax_target\n"); int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/cmov/cmov.c b/frida_mode/test/cmov/cmov.c index 08c7c132..97f2fb7f 100644 --- a/frida_mode/test/cmov/cmov.c +++ b/frida_mode/test/cmov/cmov.c @@ -6,8 +6,8 @@ static bool cmov_test(char *x, char *y, size_t len) { - register char * __rdi __asm__("rdi") = x; - register char * __rsi __asm__("rsi") = y; + register char *__rdi __asm__("rdi") = x; + register char *__rsi __asm__("rsi") = y; register size_t __rcx __asm__("rcx") = len; register long __rax __asm__("rax"); 
@@ -49,10 +49,10 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/deferred/testinstr.c b/frida_mode/test/deferred/testinstr.c index 4e5124ed..2bd1d718 100644 --- a/frida_mode/test/deferred/testinstr.c +++ b/frida_mode/test/deferred/testinstr.c @@ -41,7 +41,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; @@ -51,6 +51,7 @@ int run(char *file) { fd = open(file, O_RDONLY); if (fd < 0) { + perror("open"); break; @@ -110,8 +111,10 @@ void slow() { } -TESTINSTR_SECTION int do_run(char * file) { +TESTINSTR_SECTION int do_run(char *file) { + return run(file); + } int main(int argc, char **argv) { diff --git a/frida_mode/test/dynamic/testinstr.c b/frida_mode/test/dynamic/testinstr.c index 0abc61fd..55bf579e 100644 --- a/frida_mode/test/dynamic/testinstr.c +++ b/frida_mode/test/dynamic/testinstr.c @@ -19,32 +19,40 @@ typedef void (*fntestinstrlib)(char *buf, int len); void testinstr(char *buf, int len) { + void *lib = dlopen("testinstrlib.so", RTLD_NOW); if (lib == NULL) { + puts("Library not found"); abort(); + } fntestinstrlib fn = (fntestinstrlib)(dlsym(lib, "testinstrlib")); if (fn == NULL) { + puts("Function not found"); abort(); + } fn(buf, len); + } int main(int argc, char **argv) { - char * file; + + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; if (argc != 2) { return 1; } do { + file = argv[1]; printf("file: %s\n", file); 
@@ -52,33 +60,43 @@ int main(int argc, char **argv) { fd = open(file, O_RDONLY); if (fd < 0) { + perror("open"); break; + } len = lseek(fd, 0, SEEK_END); if (len < 0) { + perror("lseek (SEEK_END)"); break; + } if (lseek(fd, 0, SEEK_SET) != 0) { + perror("lseek (SEEK_SET)"); break; + } printf("len: %ld\n", len); buf = malloc(len); if (buf == NULL) { + perror("malloc"); break; + } n_read = read(fd, buf, len); if (n_read != len) { + perror("read"); break; + } dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); @@ -95,4 +113,6 @@ int main(int argc, char **argv) { if (fd != -1) { close(fd); } return result; + } + diff --git a/frida_mode/test/dynamic/testinstrlib.c b/frida_mode/test/dynamic/testinstrlib.c index 987cbf91..85e2c837 100644 --- a/frida_mode/test/dynamic/testinstrlib.c +++ b/frida_mode/test/dynamic/testinstrlib.c @@ -1,6 +1,7 @@ #include void testinstrlib(char *buf, int len) { + if (len < 1) return; buf[len] = 0; @@ -11,4 +12,6 @@ void testinstrlib(char *buf, int len) { printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } + diff --git a/frida_mode/test/entry_point/testinstr.c b/frida_mode/test/entry_point/testinstr.c index 75e71bda..5fe17165 100644 --- a/frida_mode/test/entry_point/testinstr.c +++ b/frida_mode/test/entry_point/testinstr.c @@ -41,7 +41,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/exe/testinstr.c b/frida_mode/test/exe/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/exe/testinstr.c +++ b/frida_mode/test/exe/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/js/test.c b/frida_mode/test/js/test.c index 9799bf3b..e233f13a 100644 
--- a/frida_mode/test/js/test.c +++ b/frida_mode/test/js/test.c @@ -35,7 +35,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/js/test2.c b/frida_mode/test/js/test2.c index 60b30eb5..c3557bbf 100644 --- a/frida_mode/test/js/test2.c +++ b/frida_mode/test/js/test2.c 
@@ -22,60 +22,60 @@ #define IGNORED_RETURN(x) (void)!(x) const uint32_t crc32_tab[] = { - 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, - 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, - 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, - 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, - 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, - 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, - 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, - 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, - 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, - 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, - 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, - 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, - 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, - 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, - 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, - 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, - 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, - 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, - 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, - 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, - 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, - 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, - 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, - 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, - 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, - 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 
0x67dd4acc, - 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, - 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, - 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, - 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, - 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, - 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, - 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, - 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, - 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, - 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, - 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, - 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, - 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, - 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, - 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, - 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, - 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d -}; -uint32_t -crc32(const void *buf, size_t size) -{ - const uint8_t *p = buf; - uint32_t crc; - crc = ~0U; - while (size--) - crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); - return crc ^ ~0U; + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, + 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, + 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, + 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, + 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, + 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, + 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 
0x45df5c75, 0xdcd60dcf, 0xabd13d59, + 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, + 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, + 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, + 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, + 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, + 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, + 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, + 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, + 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, + 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, + 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, + 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, + 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, + 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, + 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, + 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, + 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, + 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, + 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, + 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, + 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, + 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, + 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, + 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, + 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, + 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, + 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 
0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, + 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, + 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, + 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, + 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, + 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, + 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, + 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}; + +uint32_t crc32(const void *buf, size_t size) { + + const uint8_t *p = buf; + uint32_t crc; + crc = ~0U; + while (size--) + crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; + } /* @@ -83,11 +83,13 @@ crc32(const void *buf, size_t size) * FRIDA to patch this function out and always return success. Otherwise, we * could change it to actually correct the checksum. */ -int crc32_check (char * buf, int len) { +int crc32_check(char *buf, int len) { + if (len < sizeof(uint32_t)) { return 0; } uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)]; uint32_t calculated = crc32(buf, len - sizeof(uint32_t)); return expected == calculated; + } /* 
@@ -97,27 +99,31 @@ int crc32_check (char * buf, int len) { * cloud your output unnecessarily. Again, we can use FRIDA to patch it out. */ void some_boring_bug(char c) { + switch (c) { - case 'A'...'Z': - case 'a'...'z': + + case 'A' ... 'Z': + case 'a' ... 'z': __builtin_trap(); break; + } + } extern void some_boring_bug2(char c); -__asm__ ( - ".text \n" - "some_boring_bug2: \n" - ".global some_boring_bug2 \n" - ".type some_boring_bug2, @function \n" - "mov %edi, %eax \n" - "cmp $0xb4, %al \n" - "jne ok \n" - "ud2 \n" - "ok: \n" - "ret \n"); +__asm__( + ".text \n" + "some_boring_bug2: \n" + ".global some_boring_bug2 \n" + ".type some_boring_bug2, @function \n" + "mov %edi, %eax \n" + "cmp $0xb4, %al \n" + "jne ok \n" + "ud2 \n" + "ok: \n" + "ret \n"); void LLVMFuzzerTestOneInput(char *buf, int len) { @@ -127,16 +133,20 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { some_boring_bug2(buf[0]); if (buf[0] == '0') { + printf("Looks like a zero to me!\n"); - } - else if (buf[0] == '1') { + + } else if (buf[0] == '1') { + printf("Pretty sure that is a one!\n"); - } - else if (buf[0] == '2') { + + } else if (buf[0] == '2') { + printf("Oh we, weren't expecting that!"); __builtin_trap(); - } - else + + } else + printf("Neither one or zero? How quaint!\n"); } @@ -145,7 +155,7 @@ int main(int argc, char **argv) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; @@ -173,5 +183,6 @@ int main(int argc, char **argv) { printf("Done: %s: (%zd bytes)\n", argv[1], n_read); return 0; + } diff --git a/frida_mode/test/osx-lib/harness.c b/frida_mode/test/osx-lib/harness.c index 3d427b4a..186cfcee 100644 --- a/frida_mode/test/osx-lib/harness.c +++ b/frida_mode/test/osx-lib/harness.c 
@@ -4,66 +4,68 @@
 #include
 #include
-
-//typedef for our exported target function.
+// typedef for our exported target function.
 typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
-//globals
+// globals
 CRASHME fpn_crashme = NULL;
+int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+
+ fpn_crashme(data, size);
+ return 0;
-int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
- fpn_crashme(data, size);
- return 0;
 }
-int main(int argc, const char * argv[])
-{
+int main(int argc, const char *argv[]) {
- for (int i = 1; i < argc; i++) {
- fprintf(stderr, "Running: %s\n", argv[i]);
- FILE *f = fopen(argv[i], "r");
- assert(f);
- fseek(f, 0, SEEK_END);
- size_t len = ftell(f);
- fseek(f, 0, SEEK_SET);
- unsigned char *buf = (unsigned char*)malloc(len);
- size_t n_read = fread(buf, 1, len, f);
- fclose(f);
- assert(n_read == len);
- LLVMFuzzerTestOneInput(buf, len);
- free(buf);
- fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
- }
+ for (int i = 1; i < argc; i++) {
+
+ fprintf(stderr, "Running: %s\n", argv[i]);
+ FILE *f = fopen(argv[i], "r");
+ assert(f);
+ fseek(f, 0, SEEK_END);
+ size_t len = ftell(f);
+ fseek(f, 0, SEEK_SET);
+ unsigned char *buf = (unsigned char *)malloc(len);
+ size_t n_read = fread(buf, 1, len, f);
+ fclose(f);
+ assert(n_read == len);
+ LLVMFuzzerTestOneInput(buf, len);
+ free(buf);
+ fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
+
+ }
+
+ return 0;
- return 0;
 }
-__attribute__((constructor()))
-void constructor(void) {
- // handles to required libs
- void *dylib = NULL;
+__attribute__((constructor())) void constructor(void) {
- dylib = dlopen("./libcrashme.dylib", RTLD_NOW);
- if (dylib == NULL)
- {
+ // handles to required libs
+ void *dylib = NULL;
- printf("[-] Failed to load lib\n");
- printf("[-] Dlerror: %s\n", dlerror());
- exit(1);
+ dylib = dlopen("./libcrashme.dylib", RTLD_NOW);
+ if (dylib == NULL) {
- }
+ printf("[-] Failed to load lib\n");
+ printf("[-] Dlerror: %s\n", dlerror());
+ exit(1);
- printf("[+] Resolve function\n");
+ }
- fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
- if (!fpn_crashme)
- {
+ printf("[+] Resolve function\n");
- printf("[-] Failed to find function\n");
- exit(1);
+ fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
+ if (!fpn_crashme) {
- }
+ printf("[-] Failed to find function\n");
+ exit(1);
+
+ }
+
+ printf("[+] Found function.\n");
- printf("[+] Found function.\n");
 }
+
diff --git a/frida_mode/test/osx-lib/harness2.c b/frida_mode/test/osx-lib/harness2.c
index 464614ee..ed0b85d8 100644
--- a/frida_mode/test/osx-lib/harness2.c
+++ b/frida_mode/test/osx-lib/harness2.c
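Review bot: In the reformatted loop of `main` the `ftell` and `malloc` results are still unchecked: if `ftell` fails, `size_t len = ftell(f)` stores `(size_t)-1`, `malloc(len)` returns NULL, and `fread` is handed a null buffer before `assert(n_read == len)` gets a chance to fire. The file already asserts on `fopen`, so the same treatment fits: `long pos = ftell(f); assert(pos >= 0); size_t len = (size_t)pos;` and `assert(buf);` after the `malloc`. The identical loop is reformatted in harness2.c and in `run()` of harness3.c, and `run_test()` in unstable.c reads its file the same way.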
@@ -4,66 +4,68 @@
 #include
 #include
-
-//typedef for our exported target function.
+// typedef for our exported target function.
 typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
-//globals
+// globals
 CRASHME fpn_crashme = NULL;
+int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+
+ fpn_crashme(data, size);
+ return 0;
-int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
- fpn_crashme(data, size);
- return 0;
 }
-int main(int argc, const char * argv[])
-{
+int main(int argc, const char *argv[]) {
- for (int i = 1; i < argc; i++) {
- fprintf(stderr, "Running: %s\n", argv[i]);
- FILE *f = fopen(argv[i], "r");
- assert(f);
- fseek(f, 0, SEEK_END);
- size_t len = ftell(f);
- fseek(f, 0, SEEK_SET);
- unsigned char *buf = (unsigned char*)malloc(len);
- size_t n_read = fread(buf, 1, len, f);
- fclose(f);
- assert(n_read == len);
- LLVMFuzzerTestOneInput(buf, len);
- free(buf);
- fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
- }
+ for (int i = 1; i < argc; i++) {
+
+ fprintf(stderr, "Running: %s\n", argv[i]);
+ FILE *f = fopen(argv[i], "r");
+ assert(f);
+ fseek(f, 0, SEEK_END);
+ size_t len = ftell(f);
+ fseek(f, 0, SEEK_SET);
+ unsigned char *buf = (unsigned char *)malloc(len);
+ size_t n_read = fread(buf, 1, len, f);
+ fclose(f);
+ assert(n_read == len);
+ LLVMFuzzerTestOneInput(buf, len);
+ free(buf);
+ fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
+
+ }
+
+ return 0;
- return 0;
 }
-__attribute__((constructor()))
-void constructor(void) {
- // handles to required libs
- void *dylib = NULL;
+__attribute__((constructor())) void constructor(void) {
- dylib = dlopen("./libcrashme2.dylib", RTLD_NOW);
- if (dylib == NULL)
- {
+ // handles to required libs
+ void *dylib = NULL;
- printf("[-] Failed to load lib\n");
- printf("[-] Dlerror: %s\n", dlerror());
- exit(1);
+ dylib = dlopen("./libcrashme2.dylib", RTLD_NOW);
+ if (dylib == NULL) {
- }
+ printf("[-] Failed to load lib\n");
+ printf("[-] Dlerror: %s\n", dlerror());
+ exit(1);
- printf("[+] Resolve function\n");
+ }
- fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
- if (!fpn_crashme)
- {
+ printf("[+] Resolve function\n");
- printf("[-] Failed to find function\n");
- exit(1);
+ fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
+ if (!fpn_crashme) {
- }
+ printf("[-] Failed to find function\n");
+ exit(1);
+
+ }
+
+ printf("[+] Found function.\n");
- printf("[+] Found function.\n");
 }
+
diff --git a/frida_mode/test/osx-lib/harness3.c b/frida_mode/test/osx-lib/harness3.c
index 83983c99..ae24db33 100644
--- a/frida_mode/test/osx-lib/harness3.c
+++ b/frida_mode/test/osx-lib/harness3.c
@@ -4,37 +4,42 @@
 #include
 #include
-
 extern void crashme(const uint8_t *Data, size_t Size);
-int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
- crashme(data, size);
- return 0;
+int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+
+ crashme(data, size);
+ return 0;
+
 }
-void run (int argc, const char * argv[])
-{
- for (int i = 1; i < argc; i++) {
- fprintf(stderr, "Running: %s\n", argv[i]);
- FILE *f = fopen(argv[i], "r");
- assert(f);
- fseek(f, 0, SEEK_END);
- size_t len = ftell(f);
- fseek(f, 0, SEEK_SET);
- unsigned char *buf = (unsigned char*)malloc(len);
- size_t n_read = fread(buf, 1, len, f);
- fclose(f);
- assert(n_read == len);
- LLVMFuzzerTestOneInput(buf, len);
- free(buf);
- fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
- }
+void run(int argc, const char *argv[]) {
+
+ for (int i = 1; i < argc; i++) {
+
+ fprintf(stderr, "Running: %s\n", argv[i]);
+ FILE *f = fopen(argv[i], "r");
+ assert(f);
+ fseek(f, 0, SEEK_END);
+ size_t len = ftell(f);
+ fseek(f, 0, SEEK_SET);
+ unsigned char *buf = (unsigned char *)malloc(len);
+ size_t n_read = fread(buf, 1, len, f);
+ fclose(f);
+ assert(n_read == len);
+ LLVMFuzzerTestOneInput(buf, len);
+ free(buf);
+ fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
+
+ }
+
 }
-int main(int argc, const char * argv[])
-{
+int main(int argc, const char *argv[]) {
- run(argc, argv);
+ run(argc, argv);
+
+ return 0;
- return 0;
 }
+
diff --git a/frida_mode/test/osx-lib/lib.c b/frida_mode/test/osx-lib/lib.c
index b2dad098..84ceb9da 100644
--- a/frida_mode/test/osx-lib/lib.c
+++ b/frida_mode/test/osx-lib/lib.c
@@ -2,7 +2,6 @@
 #include
 #include
-
 void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 if (Size < 5) return;
@@ -13,5 +12,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 if (Data[3] == '$')
 if (Data[4] == '$')
 abort();
-
 }
+
diff --git a/frida_mode/test/osx-lib/lib2.c b/frida_mode/test/osx-lib/lib2.c
index ba207210..a84ee6f2 100644
--- a/frida_mode/test/osx-lib/lib2.c
+++ b/frida_mode/test/osx-lib/lib2.c
@@ -3,7 +3,6 @@
 #include
 #include
-
 void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 if (Size < 1) return;
@@ -56,6 +55,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 }
-
 }
diff --git a/frida_mode/test/output/testinstr.c b/frida_mode/test/output/testinstr.c
index 7b603659..8b99352e 100644
--- a/frida_mode/test/output/testinstr.c
+++ b/frida_mode/test/output/testinstr.c
@@ -39,10 +39,10 @@ void testinstr(char *buf, int len) {
 TESTINSTR_SECTION int main(int argc, char **argv) {
- char * file;
+ char *file;
 int fd = -1;
 off_t len;
- char * buf = NULL;
+ char *buf = NULL;
 size_t n_read;
 int result = -1;
diff --git a/frida_mode/test/perf/perf.c b/frida_mode/test/perf/perf.c
index 55efba26..596d1bd3 100644
--- a/frida_mode/test/perf/perf.c
+++ b/frida_mode/test/perf/perf.c
@@ -20,22 +20,32 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
 int ret = 0;
 for (int i = 0; i < 1000; i++) {
- switch(buf[i]) {
- case 'A': ret += 2; break;
- case '1': ret += 3; break;
- default: ret++;
+
+ switch (buf[i]) {
+
+ case 'A':
+ ret += 2;
+ break;
+ case '1':
+ ret += 3;
+ break;
+ default:
+ ret++;
+
 }
+
 }
+
 printf("ret: %d\n", ret);
 }
 int main(int argc, char **argv) {
- char * file;
+ char *file;
 int fd = -1;
 off_t len;
- char * buf = NULL;
+ char *buf = NULL;
 size_t n_read;
 int result = -1;
diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c
index 85aa2b80..aa28d953 100644
--- a/frida_mode/test/persistent_ret/testinstr.c
+++ b/frida_mode/test/persistent_ret/testinstr.c
@@ -18,7 +18,7 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
- printf (">>> LLVMFuzzerTestOneInput >>>\n");
+ printf(">>> LLVMFuzzerTestOneInput >>>\n");
 if (len < 1) return;
 buf[len] = 0;
@@ -40,10 +40,10 @@ void slow() {
 int main(int argc, char **argv) {
- char * file;
+ char *file;
 int fd = -1;
 off_t len;
- char * buf = NULL;
+ char *buf = NULL;
 size_t n_read;
 int result = -1;
diff --git a/frida_mode/test/testinstr/testinstr.c b/frida_mode/test/testinstr/testinstr.c
index 7b603659..8b99352e 100644
--- a/frida_mode/test/testinstr/testinstr.c
+++ b/frida_mode/test/testinstr/testinstr.c
@@ -39,10 +39,10 @@ void testinstr(char *buf, int len) {
 TESTINSTR_SECTION int main(int argc, char **argv) {
- char * file;
+ char *file;
 int fd = -1;
 off_t len;
- char * buf = NULL;
+ char *buf = NULL;
 size_t n_read;
 int result = -1;
diff --git a/frida_mode/test/unstable/unstable.c b/frida_mode/test/unstable/unstable.c
index 16978e7e..98198578 100644
--- a/frida_mode/test/unstable/unstable.c
+++ b/frida_mode/test/unstable/unstable.c
@@ -22,7 +22,7 @@
 #define TESTINSTR_SECTION __attribute__((section(".testinstr")))
 #endif
-void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 if (size < 1) return;
@@ -30,9 +30,13 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 if (gettimeofday(&tv, NULL) < 0) return;
 if ((tv.tv_usec % 2) == 0) {
- printf ("Hooray all even\n");
+
+ printf("Hooray all even\n");
+
 } else {
- printf ("Hmm that's odd\n");
+
+ printf("Hmm that's odd\n");
+
 }
 // we support three input cases
@@ -45,26 +49,33 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 }
-void run_test(char * file) {
+void run_test(char *file) {
+
 fprintf(stderr, "Running: %s\n", file);
 FILE *f = fopen(file, "r");
 assert(f);
 fseek(f, 0, SEEK_END);
 size_t len = ftell(f);
 fseek(f, 0, SEEK_SET);
- unsigned char *buf = (unsigned char*)malloc(len);
- size_t n_read = fread(buf, 1, len, f);
+ unsigned char *buf = (unsigned char *)malloc(len);
+ size_t n_read = fread(buf, 1, len, f);
 fclose(f);
 assert(n_read == len);
 LLVMFuzzerTestOneInput(buf, len);
 free(buf);
 fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read);
+
 }
 int main(int argc, char **argv) {
+
 srand(1);
 fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1);
 for (int i = 1; i < argc; i++) {
+
 run_test(argv[i]);
+
 }
+
 }
+