support AFL_LLVM_INSTRUMENT env for our own PCGUARD
@ -37,24 +37,27 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
|
|||||||
- added NO_SPLICING compile option and makefile define
|
- added NO_SPLICING compile option and makefile define
|
||||||
- added INTROSPECTION make target that writes all mutations to
|
- added INTROSPECTION make target that writes all mutations to
|
||||||
out/NAME/introspection.txt
|
out/NAME/introspection.txt
|
||||||
- added INTROSPECTION support for custom modules
|
|
||||||
- print special compile time options used in help output
|
- print special compile time options used in help output
|
||||||
|
- somewhere we broke -n dumb fuzzing, fixed
|
||||||
- instrumentation
|
- instrumentation
|
||||||
- We received an enhanced gcc_plugin module from AdaCore, thank you
|
- We received an enhanced gcc_plugin module from AdaCore, thank you
|
||||||
very much!!
|
very much!!
|
||||||
- not overriding -Ox or -fno-unroll-loops anymore
|
- not overriding -Ox or -fno-unroll-loops anymore
|
||||||
- we now have our own trace-pc-guard implementation. It is the same as
|
- we now have our own trace-pc-guard implementation. It is the same as
|
||||||
-fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
|
-fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
|
||||||
and b) works from llvm 10+ on :)
|
and b) works from llvm 10.0.1 + onwards :)
|
||||||
- new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
|
- new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
|
||||||
-x dictionary of string comparisons found during compilation
|
-x dictionary of string comparisons found during compilation
|
||||||
- LTO autodict now also collects interesting cmp comparisons,
|
- LTO autodict now also collects interesting cmp comparisons,
|
||||||
std::string compare + find + ==, bcmp
|
std::string compare + find + ==, bcmp
|
||||||
- fix crash in dict2file for integers > 64 bit
|
- fix crash in dict2file for integers > 64 bit
|
||||||
|
- custom mutators
|
||||||
|
- added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
|
||||||
|
- added a new custom mutator: libfuzzer that integrates libfuzzer mutations
|
||||||
|
- Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
|
||||||
|
- added INTROSPECTION support for custom modules
|
||||||
|
- python fuzz function was not optional, fixed
|
||||||
- unicornafl synced with upstream (arm64 fix, better rust bindings)
|
- unicornafl synced with upstream (arm64 fix, better rust bindings)
|
||||||
- added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
|
|
||||||
- added a new custom mutator: libfuzzer that integrates libfuzzer mutations
|
|
||||||
- Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
|
|
||||||
|
|
||||||
|
|
||||||
### Version ++2.68c (release)
|
### Version ++2.68c (release)
|
||||||
|
@ -544,7 +544,9 @@ bool ModuleSanitizerCoverage::instrumentModule(
|
|||||||
be_quiet = 1;
|
be_quiet = 1;
|
||||||
|
|
||||||
skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
|
skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
|
||||||
// scanForDangerousFunctions(&M);
|
|
||||||
|
initInstrumentList();
|
||||||
|
scanForDangerousFunctions(&M);
|
||||||
|
|
||||||
if (debug) {
|
if (debug) {
|
||||||
|
|
||||||
@ -819,6 +821,8 @@ void ModuleSanitizerCoverage::instrumentFunction(
|
|||||||
Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
|
Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
|
||||||
|
|
||||||
if (F.empty()) return;
|
if (F.empty()) return;
|
||||||
|
if (!isInInstrumentList(&F)) return;
|
||||||
|
|
||||||
if (F.getName().find(".module_ctor") != std::string::npos)
|
if (F.getName().find(".module_ctor") != std::string::npos)
|
||||||
return; // Should not instrument sanitizer init functions.
|
return; // Should not instrument sanitizer init functions.
|
||||||
if (F.getName().startswith("__sanitizer_"))
|
if (F.getName().startswith("__sanitizer_"))
|
||||||
@ -1315,6 +1319,7 @@ std::string ModuleSanitizerCoverage::getSectionEnd(
|
|||||||
}
|
}
|
||||||
|
|
||||||
char ModuleSanitizerCoverageLegacyPass::ID = 0;
|
char ModuleSanitizerCoverageLegacyPass::ID = 0;
|
||||||
|
|
||||||
INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov",
|
INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov",
|
||||||
"Pass for instrumenting coverage on functions", false,
|
"Pass for instrumenting coverage on functions", false,
|
||||||
false)
|
false)
|
||||||
@ -1323,6 +1328,7 @@ INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass)
|
|||||||
INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov",
|
INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov",
|
||||||
"Pass for instrumenting coverage on functions", false,
|
"Pass for instrumenting coverage on functions", false,
|
||||||
false)
|
false)
|
||||||
|
|
||||||
ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
|
ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
|
||||||
const SanitizerCoverageOptions &Options,
|
const SanitizerCoverageOptions &Options,
|
||||||
const std::vector<std::string> &AllowlistFiles,
|
const std::vector<std::string> &AllowlistFiles,
|
||||||
|
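Review bot: The newly enabled `scanForDangerousFunctions(&M);` in instrumentModule replaces a commented-out call with no note on why it was disabled before or what makes it safe now, and the `initInstrumentList();` added just above it gives no hint that the new `if (!isInInstrumentList(&F)) return;` in instrumentFunction depends on it having run first (which holds only as long as instrumentModule drives every instrumentFunction call, as it presumably does). Two one-line comments would make the contract visible: `// read AFL_LLVM_ALLOWLIST/DENYLIST/INSTRUMENT_FILE; must run before isInInstrumentList() below` and, on the next call, a comment stating what the scan marks and why it is now enabled. In instrumentFunction the allowlist check sits ahead of the `.module_ctor`/`__sanitizer_` exclusions, so functions filtered by the list are skipped silently; if `debug` is meant to explain coverage gaps, logging the skipped function name in that path would help. The bodies of both functions continue outside these hunks.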
113
src/afl-cc.c
113
src/afl-cc.c
@ -49,14 +49,14 @@ static u8 * obj_path; /* Path to runtime libraries */
|
|||||||
static u8 **cc_params; /* Parameters passed to the real CC */
|
static u8 **cc_params; /* Parameters passed to the real CC */
|
||||||
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
|
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
|
||||||
static u8 llvm_fullpath[PATH_MAX];
|
static u8 llvm_fullpath[PATH_MAX];
|
||||||
static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode,
|
static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode;
|
||||||
compiler_mode, plusplus_mode;
|
static u8 compiler_mode, plusplus_mode, have_instr_env = 0;
|
||||||
static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto;
|
static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0;
|
||||||
static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull;
|
static u8 * lto_flag = AFL_CLANG_FLTO, *argvnull;
|
||||||
static u8 debug;
|
static u8 debug;
|
||||||
static u8 cwd[4096];
|
static u8 cwd[4096];
|
||||||
static u8 cmplog_mode;
|
static u8 cmplog_mode;
|
||||||
u8 use_stdin; /* dummy */
|
u8 use_stdin; /* dummy */
|
||||||
// static u8 *march_opt = CFLAGS_OPT;
|
// static u8 *march_opt = CFLAGS_OPT;
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
@ -354,19 +354,13 @@ static void edit_params(u32 argc, char **argv, char **envp) {
|
|||||||
if (lto_mode && plusplus_mode)
|
if (lto_mode && plusplus_mode)
|
||||||
cc_params[cc_par_cnt++] = "-lc++"; // needed by fuzzbench, early
|
cc_params[cc_par_cnt++] = "-lc++"; // needed by fuzzbench, early
|
||||||
|
|
||||||
if (lto_mode) {
|
if (lto_mode && have_instr_env) {
|
||||||
|
|
||||||
if (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL ||
|
cc_params[cc_par_cnt++] = "-Xclang";
|
||||||
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") ||
|
cc_params[cc_par_cnt++] = "-load";
|
||||||
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) {
|
cc_params[cc_par_cnt++] = "-Xclang";
|
||||||
|
cc_params[cc_par_cnt++] =
|
||||||
cc_params[cc_par_cnt++] = "-Xclang";
|
alloc_printf("%s/afl-llvm-lto-instrumentlist.so", obj_path);
|
||||||
cc_params[cc_par_cnt++] = "-load";
|
|
||||||
cc_params[cc_par_cnt++] = "-Xclang";
|
|
||||||
cc_params[cc_par_cnt++] =
|
|
||||||
alloc_printf("%s/afl-llvm-lto-instrumentlist.so", obj_path);
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -508,11 +502,25 @@ static void edit_params(u32 argc, char **argv, char **envp) {
|
|||||||
if (instrument_mode == INSTRUMENT_PCGUARD) {
|
if (instrument_mode == INSTRUMENT_PCGUARD) {
|
||||||
|
|
||||||
#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
|
#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
|
||||||
cc_params[cc_par_cnt++] = "-Xclang";
|
if (have_instr_list) {
|
||||||
cc_params[cc_par_cnt++] = "-load";
|
|
||||||
cc_params[cc_par_cnt++] = "-Xclang";
|
if (!be_quiet)
|
||||||
cc_params[cc_par_cnt++] =
|
SAYF(
|
||||||
alloc_printf("%s/SanitizerCoveragePCGUARD.so", obj_path);
|
"Using unoptimized trace-pc-guard, due usage of "
|
||||||
|
"-fsanitize-coverage-allow/denylist, you can use "
|
||||||
|
"AFL_LLVM_ALLOWLIST/AFL_LLMV_DENYLIST instead.\n");
|
||||||
|
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
cc_params[cc_par_cnt++] = "-Xclang";
|
||||||
|
cc_params[cc_par_cnt++] = "-load";
|
||||||
|
cc_params[cc_par_cnt++] = "-Xclang";
|
||||||
|
cc_params[cc_par_cnt++] =
|
||||||
|
alloc_printf("%s/SanitizerCoveragePCGUARD.so", obj_path);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
#else
|
#else
|
||||||
#if LLVM_MAJOR >= 4
|
#if LLVM_MAJOR >= 4
|
||||||
if (!be_quiet)
|
if (!be_quiet)
|
||||||
@ -590,6 +598,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
|
|||||||
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
|
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
|
||||||
if (!strcmp(cur, "-m64")) bit_mode = 64;
|
if (!strcmp(cur, "-m64")) bit_mode = 64;
|
||||||
|
|
||||||
|
if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
|
||||||
|
have_instr_list = 1;
|
||||||
|
|
||||||
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
|
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
|
||||||
asan_set = 1;
|
asan_set = 1;
|
||||||
|
|
||||||
@ -856,6 +867,14 @@ int main(int argc, char **argv, char **envp) {
|
|||||||
|
|
||||||
be_quiet = 1;
|
be_quiet = 1;
|
||||||
|
|
||||||
|
if (getenv("AFL_LLVM_INSTRUMENT_FILE") || getenv("AFL_LLVM_WHITELIST") ||
|
||||||
|
getenv("AFL_LLVM_ALLOWLIST") || getenv("AFL_LLVM_DENYLIST") ||
|
||||||
|
getenv("AFL_LLVM_BLOCKLIST")) {
|
||||||
|
|
||||||
|
have_instr_env = 1;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if ((ptr = strrchr(callname, '/')) != NULL) callname = ptr + 1;
|
if ((ptr = strrchr(callname, '/')) != NULL) callname = ptr + 1;
|
||||||
argvnull = (u8 *)argv[0];
|
argvnull = (u8 *)argv[0];
|
||||||
check_environment_vars(envp);
|
check_environment_vars(envp);
|
||||||
@ -1015,14 +1034,14 @@ int main(int argc, char **argv, char **envp) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL ||
|
if (have_instr_env && getenv("AFL_DONT_OPTIMIZE")) {
|
||||||
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") ||
|
|
||||||
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) &&
|
|
||||||
getenv("AFL_DONT_OPTIMIZE"))
|
|
||||||
WARNF(
|
WARNF(
|
||||||
"AFL_LLVM_ALLOWLIST/DENYLIST and AFL_DONT_OPTIMIZE cannot be combined "
|
"AFL_LLVM_ALLOWLIST/DENYLIST and AFL_DONT_OPTIMIZE cannot be combined "
|
||||||
"for file matching, only function matching!");
|
"for file matching, only function matching!");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") ||
|
if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") ||
|
||||||
getenv("INSTRIM_LIB")) {
|
getenv("INSTRIM_LIB")) {
|
||||||
|
|
||||||
@ -1426,22 +1445,20 @@ int main(int argc, char **argv, char **envp) {
|
|||||||
#if LLVM_MAJOR <= 6
|
#if LLVM_MAJOR <= 6
|
||||||
instrument_mode = INSTRUMENT_AFL;
|
instrument_mode = INSTRUMENT_AFL;
|
||||||
#else
|
#else
|
||||||
if (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL ||
|
#if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)
|
||||||
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") ||
|
if (have_instr_env) {
|
||||||
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) {
|
|
||||||
|
|
||||||
instrument_mode = INSTRUMENT_AFL;
|
instrument_mode = INSTRUMENT_AFL;
|
||||||
WARNF(
|
if (!be_quiet)
|
||||||
"switching to classic instrumentation because "
|
WARNF(
|
||||||
"AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD. Use "
|
"Switching to classic instrumentation because "
|
||||||
"-fsanitize-coverage-allowlist=allowlist.txt or "
|
"AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD < 10.0.1.");
|
||||||
"-fsanitize-coverage-blocklist=denylist.txt if you want to use "
|
|
||||||
"PCGUARD. Requires llvm 12+. See https://clang.llvm.org/docs/ "
|
|
||||||
"SanitizerCoverage.html#partially-disabling-instrumentation");
|
|
||||||
|
|
||||||
} else
|
} else
|
||||||
|
|
||||||
|
#endif
|
||||||
instrument_mode = INSTRUMENT_PCGUARD;
|
instrument_mode = INSTRUMENT_PCGUARD;
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
}
|
}
|
||||||
@ -1487,18 +1504,16 @@ int main(int argc, char **argv, char **envp) {
|
|||||||
"AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set "
|
"AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set "
|
||||||
"together");
|
"together");
|
||||||
|
|
||||||
if (instrument_mode == INSTRUMENT_PCGUARD &&
|
#if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)
|
||||||
(getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL ||
|
if (instrument_mode == INSTRUMENT_PCGUARD && have_instr_env) {
|
||||||
getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") ||
|
|
||||||
getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")))
|
|
||||||
FATAL(
|
FATAL(
|
||||||
"Instrumentation type PCGUARD does not support "
|
"Instrumentation type PCGUARD does not support "
|
||||||
"AFL_LLVM_ALLOWLIST/DENYLIST! Use "
|
"AFL_LLVM_ALLOWLIST/DENYLIST! Use LLVM 10.0.1+ instead.");
|
||||||
"-fsanitize-coverage-allowlist=allowlist.txt or "
|
|
||||||
"-fsanitize-coverage-blocklist=denylist.txt instead (requires llvm "
|
}
|
||||||
"12+), see "
|
|
||||||
"https://clang.llvm.org/docs/"
|
#endif
|
||||||
"SanitizerCoverage.html#partially-disabling-instrumentation");
|
|
||||||
|
|
||||||
u8 *ptr2;
|
u8 *ptr2;
|
||||||
|
|
||||||
|
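Review bot: `have_instr_list` is read in the PCGUARD branch of edit_params (`if (have_instr_list) {`, hunk at new line 502) but is only set by the new scan inside the argument loop further down the same function (`if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) have_instr_list = 1;`, hunk at new line 598), so unless another assignment exists outside these hunks the flag is still 0 when `-Xclang -load .../SanitizerCoveragePCGUARD.so` is emitted and a user-supplied `-fsanitize-coverage-allowlist=` never reaches the plain `-fsanitize-coverage=trace-pc-guard` path. Scanning argv in main() before edit_params is called, next to the new `have_instr_env` block, fixes the ordering: `for (i = 1; i < argc; i++) if (!strncmp(argv[i], "-fsanitize-coverage-", 20) && strstr(argv[i], "list=")) have_instr_list = 1;`. The message printed in that branch also misspells the variable: `"AFL_LLVM_ALLOWLIST/AFL_LLMV_DENYLIST instead.\n"` should read `AFL_LLVM_DENYLIST`, and "due usage of" should be "due to usage of". Separately, the new guards `#if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1)` and the existing `#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)` consult only major/minor, so if LLVM_MINOR carries the LLVM minor version then 10.0.1 (minor 0, patch 1) is treated as too old, contradicting the new "Use LLVM 10.0.1+ instead." text and the changelog entry; either add a patch-level check or word the messages as 10.1+/11+.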
@ -2497,7 +2497,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || afl->non_instrumented_mode) {
|
if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
|
||||||
|
afl->non_instrumented_mode) {
|
||||||
|
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
@ -435,11 +435,23 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
|
|
||||||
u8 *c;
|
u8 *c;
|
||||||
|
|
||||||
if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode"); }
|
if (afl->non_instrumented_mode) {
|
||||||
|
|
||||||
|
FATAL("-M is not supported in non-instrumented mode");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
||||||
|
|
||||||
/* sanity check for argument: should not begin with '-' (possible option) */
|
/* sanity check for argument: should not begin with '-' (possible
|
||||||
if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); }
|
* option) */
|
||||||
|
if (optarg && *optarg == '-') {
|
||||||
|
|
||||||
|
FATAL(
|
||||||
|
"argument for -M started with a dash '-', which is used for "
|
||||||
|
"options");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
afl->sync_id = ck_strdup(optarg);
|
afl->sync_id = ck_strdup(optarg);
|
||||||
afl->skip_deterministic = 0; // force deterministic fuzzing
|
afl->skip_deterministic = 0; // force deterministic fuzzing
|
||||||
@ -469,11 +481,23 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
|
|
||||||
case 'S': /* secondary sync id */
|
case 'S': /* secondary sync id */
|
||||||
|
|
||||||
if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode"); }
|
if (afl->non_instrumented_mode) {
|
||||||
|
|
||||||
|
FATAL("-S is not supported in non-instrumented mode");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
||||||
|
|
||||||
/* sanity check for argument: should not begin with '-' (possible option) */
|
/* sanity check for argument: should not begin with '-' (possible
|
||||||
if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); }
|
* option) */
|
||||||
|
if (optarg && *optarg == '-') {
|
||||||
|
|
||||||
|
FATAL(
|
||||||
|
"argument for -M started with a dash '-', which is used for "
|
||||||
|
"options");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
afl->sync_id = ck_strdup(optarg);
|
afl->sync_id = ck_strdup(optarg);
|
||||||
afl->is_secondary_node = 1;
|
afl->is_secondary_node = 1;
|
||||||
@ -1354,7 +1378,11 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); }
|
if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) {
|
||||||
|
|
||||||
|
check_binary(afl, afl->cmplog_binary);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
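Review bot: The re-wrapped error under `case 'S'` still names the wrong option: the new lines `FATAL("argument for -M started with a dash '-', which is used for " "options");` (hunk at new line 481) sit in the -S handler, a copy of the -M branch above, and since the commit rewrites these lines anyway they should say `-S`. The dash check and both FATAL calls are otherwise duplicated verbatim between the two cases; a small static helper taking the option letter would keep the messages consistent. The rest of this section is line-wrapping only.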