ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-23 14:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/dev' into statsd_implem

Browse Source
This commit is contained in:
Edznux
2020-10-04 16:03:15 +02:00
parent b0de6fed11 44c0dc6d96
commit 1e0bc2e5c3
176 changed files with 17451 additions and 6908 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/README.md
View File

@ -2,23 +2,28 @@
Quick explanation about the files here:
- `afl-analyze.c` - afl-analyze binary tool
- `afl-analyze.c` - afl-analyze binary tool
- `afl-as.c` - afl-as binary tool
- `afl-gotcpu.c` - afl-gotcpu binary tool
- `afl-showmap.c` - afl-showmap binary tool
- `afl-tmin.c` - afl-tmin binary tool
- `afl-fuzz.c` - afl-fuzz binary tool (just main() and usage())
- `afl-cc.c` - afl-cc binary tool
- `afl-common.c` - common functions, used by afl-analyze, afl-fuzz, afl-showmap and afl-tmin
- `afl-forkserver.c` - forkserver implementation, used by afl-fuzz afl-showmap, afl-tmin
- `afl-fuzz-bitmap.c` - afl-fuzz bitmap handling
- `afl-fuzz.c` - afl-fuzz binary tool (just main() and usage())
- `afl-fuzz-cmplog.c` - afl-fuzz cmplog functions
- `afl-fuzz-extras.c` - afl-fuzz the *extra* function calls
- `afl-fuzz-state.c` - afl-fuzz state and globals
- `afl-fuzz-init.c` - afl-fuzz initialization
- `afl-fuzz-misc.c` - afl-fuzz misc functions
- `afl-fuzz-one.c` - afl-fuzz fuzzer_one big loop, this is where the mutation is happening
- `afl-fuzz-init.c` - afl-fuzz initialization
- `afl-fuzz-misc.c` - afl-fuzz misc functions
- `afl-fuzz-mutators.c` - afl-fuzz custom mutator and python support
- `afl-fuzz-one.c` - afl-fuzz fuzzer_one big loop, this is where the mutation is happening
- `afl-fuzz-performance.c` - hash64 and rand functions
- `afl-fuzz-python.c` - afl-fuzz the python mutator extension
- `afl-fuzz-queue.c` - afl-fuzz handling the queue
- `afl-fuzz-run.c` - afl-fuzz running the target
- `afl-fuzz-redqueen.c` - afl-fuzz redqueen implemention
- `afl-fuzz-run.c` - afl-fuzz running the target
- `afl-fuzz-state.c` - afl-fuzz state and globals
- `afl-fuzz-stats.c` - afl-fuzz writing the statistics file
- `afl-gcc.c` - afl-gcc binary tool (deprecated)
- `afl-common.c` - common functions, used by afl-analyze, afl-fuzz, afl-showmap and afl-tmin
- `afl-forkserver.c` - forkserver implementation, used by afl-fuzz and afl-tmin
afl-sharedmem.c - sharedmem implementation, used by afl-fuzz and afl-tmin
- `afl-gotcpu.c` - afl-gotcpu binary tool
- `afl-ld-lto.c` - LTO linker helper
- `afl-sharedmem.c` - sharedmem implementation, used by afl-fuzz, afl-showmap, afl-tmin
- `afl-showmap.c` - afl-showmap binary tool
- `afl-tmin.c` - afl-tmin binary tool

1553
src/afl-cc.c Normal file
View File

File diff suppressed because it is too large Load Diff

4
src/afl-common.c
View File

@ -146,7 +146,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
u8 * tmp, *cp = NULL, *rsl, *own_copy;
memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1));
new_argv[argc - 1] = NULL;
new_argv[argc + 2] = NULL;
new_argv[2] = *target_path_p;
new_argv[1] = "--";
@ -228,7 +228,7 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
u8 * tmp, *cp = NULL, *rsl, *own_copy;
memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1));
new_argv[argc - 1] = NULL;
new_argv[argc + 2] = NULL;
new_argv[1] = *target_path_p;

7
src/afl-forkserver.c
View File

@ -1043,7 +1043,12 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
}
if (fsrv->child_pid <= 0) { FATAL("Fork server is misbehaving (OOM?)"); }
if (fsrv->child_pid <= 0) {
if (*stop_soon_p) { return 0; }
FATAL("Fork server is misbehaving (OOM?)");
}
exec_ms = read_s32_timed(fsrv->fsrv_st_fd, &fsrv->child_status, timeout,
stop_soon_p);

113
src/afl-fuzz-extras.c
View File

@ -101,7 +101,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
if (rptr < lptr || *rptr != '"') {
FATAL("Malformed name=\"value\" pair in line %u.", cur_line);
WARNF("Malformed name=\"value\" pair in line %u.", cur_line);
continue;
}
@ -141,13 +142,19 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
if (*lptr != '"') {
FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line);
WARNF("Malformed name=\"keyword\" pair in line %u.", cur_line);
continue;
}
++lptr;
if (!*lptr) { FATAL("Empty keyword in line %u.", cur_line); }
if (!*lptr) {
WARNF("Empty keyword in line %u.", cur_line);
continue;
}
/* Okay, let's allocate memory and copy data between "...", handling
\xNN escaping, \\, and \". */
@ -169,7 +176,9 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
case 1 ... 31:
case 128 ... 255:
FATAL("Non-printable characters in line %u.", cur_line);
WARNF("Non-printable characters in line %u.", cur_line);
continue;
break;
case '\\':
@ -185,7 +194,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) {
FATAL("Invalid escaping (not \\xNN) in line %u.", cur_line);
WARNF("Invalid escaping (not \\xNN) in line %u.", cur_line);
continue;
}
@ -209,10 +219,11 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE) {
FATAL(
WARNF(
"Keyword too big in line %u (%s, limit is %s)", cur_line,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), klen),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE));
continue;
}
@ -232,14 +243,19 @@ static void extras_check_and_sort(afl_state_t *afl, u32 min_len, u32 max_len,
u8 val_bufs[2][STRINGIFY_VAL_SIZE_MAX];
if (!afl->extras_cnt) { FATAL("No usable files in '%s'", dir); }
if (!afl->extras_cnt) {
WARNF("No usable data in '%s'", dir);
return;
}
qsort(afl->extras, afl->extras_cnt, sizeof(struct extra_data),
compare_extras_len);
OKF("Loaded %u extra tokens, size range %s to %s.", afl->extras_cnt,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), min_len),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), max_len));
ACTF("Loaded %u extra tokens, size range %s to %s.", afl->extras_cnt,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), min_len),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), max_len));
if (max_len > 32) {
@ -250,8 +266,8 @@ static void extras_check_and_sort(afl_state_t *afl, u32 min_len, u32 max_len,
if (afl->extras_cnt > afl->max_det_extras) {
OKF("More than %d tokens - will use them probabilistically.",
afl->max_det_extras);
WARNF("More than %d tokens - will use them probabilistically.",
afl->max_det_extras);
}
@ -320,9 +336,10 @@ void load_extras(afl_state_t *afl, u8 *dir) {
if (st.st_size > MAX_DICT_FILE) {
WARNF(
"Extra '%s' is very big (%s, limit is %s)", fn,
"Extra '%s' is too big (%s, limit is %s)", fn,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), st.st_size),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE));
continue;
}
@ -370,16 +387,74 @@ static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) {
}
/* Adds a new extra / dict entry. Used for LTO autodict. */
/* Removes duplicates from the loaded extras. This can happen if multiple files
are loaded */
void dedup_extras(afl_state_t *afl) {
if (afl->extras_cnt < 2) return;
u32 i, j, orig_cnt = afl->extras_cnt;
for (i = 0; i < afl->extras_cnt - 1; i++) {
for (j = i + 1; j < afl->extras_cnt; j++) {
restart_dedup:
// if the goto was used we could be at the end of the list
if (j >= afl->extras_cnt || afl->extras[i].len != afl->extras[j].len)
break;
if (memcmp(afl->extras[i].data, afl->extras[j].data,
afl->extras[i].len) == 0) {
ck_free(afl->extras[j].data);
if (j + 1 < afl->extras_cnt) // not at the end of the list?
memmove((char *)&afl->extras[j], (char *)&afl->extras[j + 1],
(afl->extras_cnt - j - 1) * sizeof(struct extra_data));
afl->extras_cnt--;
goto restart_dedup; // restart if several duplicates are in a row
}
}
}
if (afl->extras_cnt != orig_cnt)
afl->extras = afl_realloc((void **)&afl->extras,
afl->extras_cnt * sizeof(struct extra_data));
}
/* Adds a new extra / dict entry. */
void add_extra(afl_state_t *afl, u8 *mem, u32 len) {
u8 val_bufs[2][STRINGIFY_VAL_SIZE_MAX];
u8 val_bufs[2][STRINGIFY_VAL_SIZE_MAX];
u32 i, found = 0;
for (i = 0; i < afl->extras_cnt; i++) {
if (afl->extras[i].len == len) {
if (memcmp(afl->extras[i].data, mem, len) == 0) return;
found = 1;
} else {
if (found) break;
}
}
if (len > MAX_DICT_FILE) {
WARNF("Extra '%.*s' is very big (%s, limit is %s)", (int)len, mem,
WARNF("Extra '%.*s' is too big (%s, limit is %s)", (int)len, mem,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), len),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE));
return;
} else if (len > 32) {
@ -405,8 +480,8 @@ void add_extra(afl_state_t *afl, u8 *mem, u32 len) {
if (afl->extras_cnt == afl->max_det_extras + 1) {
OKF("More than %d tokens - will use them probabilistically.",
afl->max_det_extras);
WARNF("More than %d tokens - will use them probabilistically.",
afl->max_det_extras);
}
@ -609,7 +684,7 @@ void load_auto(afl_state_t *afl) {
} else {
OKF("No auto-generated dictionary tokens to reuse.");
ACTF("No auto-generated dictionary tokens to reuse.");
}

164
src/afl-fuzz-init.c
View File

@ -311,7 +311,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
}
for (i = 0; i < proccount; i++) {
for (i = 0; i < (s32)proccount; i++) {
if (procs[i].p_cpuid < sizeof(cpu_used) && procs[i].p_pctcpu > 0)
cpu_used[procs[i].p_cpuid] = 1;
@ -611,37 +611,43 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
/* Read all testcases from the input directory, then queue them for testing.
Called at startup. */
void read_testcases(afl_state_t *afl) {
void read_testcases(afl_state_t *afl, u8 *directory) {
struct dirent **nl;
s32 nl_cnt;
s32 nl_cnt, subdirs = 1;
u32 i;
u8 * fn1;
u8 val_buf[2][STRINGIFY_VAL_SIZE_MAX];
u8 * fn1, *dir = directory;
u8 val_buf[2][STRINGIFY_VAL_SIZE_MAX];
/* Auto-detect non-in-place resumption attempts. */
fn1 = alloc_printf("%s/queue", afl->in_dir);
if (!access(fn1, F_OK)) {
if (dir == NULL) {
afl->in_dir = fn1;
fn1 = alloc_printf("%s/queue", afl->in_dir);
if (!access(fn1, F_OK)) {
} else {
afl->in_dir = fn1;
subdirs = 0;
ck_free(fn1);
} else {
ck_free(fn1);
}
dir = afl->in_dir;
}
ACTF("Scanning '%s'...", afl->in_dir);
ACTF("Scanning '%s'...", dir);
/* We use scandir() + alphasort() rather than readdir() because otherwise,
the ordering of test cases would vary somewhat randomly and would be
difficult to control. */
nl_cnt = scandir(afl->in_dir, &nl, NULL, alphasort);
nl_cnt = scandir(dir, &nl, NULL, alphasort);
if (nl_cnt < 0) {
if (nl_cnt < 0 && directory == NULL) {
if (errno == ENOENT || errno == ENOTDIR) {
@ -656,7 +662,7 @@ void read_testcases(afl_state_t *afl) {
}
PFATAL("Unable to open '%s'", afl->in_dir);
PFATAL("Unable to open '%s'", dir);
}
@ -674,19 +680,29 @@ void read_testcases(afl_state_t *afl) {
u8 dfn[PATH_MAX];
snprintf(dfn, PATH_MAX, "%s/.state/deterministic_done/%s", afl->in_dir,
nl[i]->d_name);
u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name);
u8 *fn2 = alloc_printf("%s/%s", dir, nl[i]->d_name);
u8 passed_det = 0;
free(nl[i]); /* not tracked */
if (lstat(fn2, &st) || access(fn2, R_OK)) {
PFATAL("Unable to access '%s'", fn2);
}
/* This also takes care of . and .. */
/* obviously we want to skip "descending" into . and .. directories,
however it is a good idea to skip also directories that start with
a dot */
if (subdirs && S_ISDIR(st.st_mode) && nl[i]->d_name[0] != '.') {
free(nl[i]); /* not tracked */
read_testcases(afl, fn2);
ck_free(fn2);
continue;
}
free(nl[i]);
if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) {
@ -697,11 +713,9 @@ void read_testcases(afl_state_t *afl) {
if (st.st_size > MAX_FILE) {
WARNF("Test case '%s' is too big (%s, limit is %s), skipping", fn2,
WARNF("Test case '%s' is too big (%s, limit is %s), partial reading", fn2,
stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size),
stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE));
ck_free(fn2);
continue;
}
@ -712,13 +726,14 @@ void read_testcases(afl_state_t *afl) {
if (!access(dfn, F_OK)) { passed_det = 1; }
add_to_queue(afl, fn2, st.st_size, passed_det);
add_to_queue(afl, fn2, st.st_size >= MAX_FILE ? MAX_FILE : st.st_size,
passed_det);
}
free(nl); /* not tracked */
if (!afl->queued_paths) {
if (!afl->queued_paths && directory == NULL) {
SAYF("\n" cLRD "[-] " cRST
"Looks like there are no valid test cases in the input directory! The "
@ -931,7 +946,31 @@ void perform_dry_run(afl_state_t *afl) {
#undef MSG_ULIMIT_USAGE
#undef MSG_FORK_ON_APPLE
FATAL("Test case '%s' results in a crash", fn);
WARNF("Test case '%s' results in a crash, skipping", fn);
/* Remove from fuzzing queue but keep for splicing */
struct queue_entry *p = afl->queue;
while (p && p->next != q)
p = p->next;
if (p)
p->next = q->next;
else
afl->queue = q->next;
--afl->pending_not_fuzzed;
afl->max_depth = 0;
p = afl->queue;
while (p) {
if (p->depth > afl->max_depth) afl->max_depth = p->depth;
p = p->next;
}
break;
case FSRV_RUN_ERROR:
@ -985,6 +1024,76 @@ void perform_dry_run(afl_state_t *afl) {
}
/* Now we remove all entries from the queue that have a duplicate trace map */
q = afl->queue;
struct queue_entry *p, *prev = NULL;
int duplicates = 0;
restart_outer_cull_loop:
while (q) {
if (q->cal_failed || !q->exec_cksum) continue;
restart_inner_cull_loop:
p = q->next;
while (p) {
if (!p->cal_failed && p->exec_cksum == q->exec_cksum) {
duplicates = 1;
--afl->pending_not_fuzzed;
// We do not remove any of the memory allocated because for
// splicing the data might still be interesting.
// We only decouple them from the linked list.
// This will result in some leaks at exit, but who cares.
// we keep the shorter file
if (p->len >= q->len) {
q->next = p->next;
goto restart_inner_cull_loop;
} else {
if (prev)
prev->next = q = p;
else
afl->queue = q = p;
goto restart_outer_cull_loop;
}
}
p = p->next;
}
prev = q;
q = q->next;
}
if (duplicates) {
afl->max_depth = 0;
q = afl->queue;
while (q) {
if (q->depth > afl->max_depth) afl->max_depth = q->depth;
q = q->next;
}
afl->queue_top = afl->queue;
}
OKF("All test cases processed.");
}
@ -1666,7 +1775,6 @@ int check_main_node_exists(afl_state_t *afl) {
void setup_dirs_fds(afl_state_t *afl) {
u8 *tmp;
s32 fd;
ACTF("Setting up output directories...");
@ -1792,7 +1900,7 @@ void setup_dirs_fds(afl_state_t *afl) {
/* Gnuplot output file. */
tmp = alloc_printf("%s/plot_data", afl->out_dir);
fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
ck_free(tmp);
@ -2074,6 +2182,8 @@ void check_cpu_governor(afl_state_t *afl) {
"drop.\n",
min / 1024, max / 1024);
FATAL("Suboptimal CPU scaling governor");
#else
(void)afl;
#endif
}

4
src/afl-fuzz-mutators.c
View File

@ -93,9 +93,9 @@ void setup_custom_mutators(afl_state_t *afl) {
}
struct custom_mutator *mutator = load_custom_mutator_py(afl, module_name);
struct custom_mutator *m = load_custom_mutator_py(afl, module_name);
afl->custom_mutators_count++;
list_append(&afl->custom_mutator_list, mutator);
list_append(&afl->custom_mutator_list, m);
}

31
src/afl-fuzz-one.c
View File

@ -1707,20 +1707,8 @@ custom_mutator_stage:
} while (tid == afl->current_entry && afl->queued_paths > 1);
target = afl->queue;
while (tid >= 100) {
target = target->next_100;
tid -= 100;
}
while (tid--) {
target = target->next;
}
afl->splicing_with = tid;
target = afl->queue_buf[tid];
/* Make sure that the target has a reasonable length. */
@ -4518,20 +4506,7 @@ pacemaker_fuzzing:
} while (tid == afl->current_entry);
afl->splicing_with = tid;
target = afl->queue;
while (tid >= 100) {
target = target->next_100;
tid -= 100;
}
while (tid--) {
target = target->next;
}
target = afl->queue_buf[tid];
/* Make sure that the target has a reasonable length. */

19
src/afl-fuzz-queue.c
View File

@ -230,7 +230,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
} else {
afl->q_prev100 = afl->queue = afl->queue_top = q;
afl->queue = afl->queue_top = q;
}
@ -239,13 +239,6 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
afl->cycles_wo_finds = 0;
if (!(afl->queued_paths % 100)) {
afl->q_prev100->next_100 = q;
afl->q_prev100 = q;
}
struct queue_entry **queue_buf = afl_realloc(
AFL_BUF_PARAM(queue), afl->queued_paths * sizeof(struct queue_entry *));
if (unlikely(!queue_buf)) { PFATAL("alloc"); }
@ -281,15 +274,15 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
void destroy_queue(afl_state_t *afl) {
struct queue_entry *q = afl->queue, *n;
struct queue_entry *q;
u32 i;
while (q) {
for (i = 0; i < afl->queued_paths; i++) {
n = q->next;
q = afl->queue_buf[i];
ck_free(q->fname);
ck_free(q->trace_mini);
ck_free(q);
q = n;
}
@ -509,7 +502,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
// Longer execution time means longer work on the input, the deeper in
// coverage, the better the fuzzing, right? -mh
if (afl->schedule >= RARE && likely(!afl->fixed_seed)) {
if (likely(afl->schedule < RARE) && likely(!afl->fixed_seed)) {
if (q->exec_us * 0.1 > avg_exec_us) {

2
src/afl-fuzz-run.c
View File

@ -394,6 +394,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) {
afl->var_bytes[i] = 1;
// ignore the variable edge by setting it to fully discovered
afl->virgin_bits[i] = 0;
}

2
src/afl-fuzz-state.c
View File

@ -87,7 +87,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->w_end = 0.3;
afl->g_max = 5000;
afl->period_pilot_tmp = 5000.0;
afl->schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/
afl->schedule = SEEK; /* Power schedule (default: SEEK) */
afl->havoc_max_mult = HAVOC_MAX_MULT;
afl->clear_screen = 1; /* Window resized? */

32
src/afl-fuzz-stats.c
View File

@ -35,12 +35,12 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
u8 fn[PATH_MAX];
snprintf(fn, PATH_MAX, "%s/fuzzer_setup", afl->out_dir);
FILE *f = create_ffile(fn);
u32 i;
u32 i;
fprintf(f, "# environment variables:\n");
u32 s_afl_env = (u32)
sizeof(afl_environment_variables) / sizeof(afl_environment_variables[0]) -
1U;
u32 s_afl_env = (u32)sizeof(afl_environment_variables) /
sizeof(afl_environment_variables[0]) -
1U;
for (i = 0; i < s_afl_env; ++i) {
@ -75,6 +75,7 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
}
}
fprintf(f, "\n");
fclose(f);
@ -992,10 +993,9 @@ void show_stats(afl_state_t *afl) {
void show_init_stats(afl_state_t *afl) {
struct queue_entry *q = afl->queue;
u32 min_bits = 0, max_bits = 0;
u32 min_bits = 0, max_bits = 0, max_len = 0, count = 0;
u64 min_us = 0, max_us = 0;
u64 avg_us = 0;
u32 max_len = 0;
u8 val_bufs[4][STRINGIFY_VAL_SIZE_MAX];
#define IB(i) val_bufs[(i)], sizeof(val_bufs[(i)])
@ -1016,6 +1016,7 @@ void show_init_stats(afl_state_t *afl) {
if (q->len > max_len) { max_len = q->len; }
++count;
q = q->next;
}
@ -1031,7 +1032,11 @@ void show_init_stats(afl_state_t *afl) {
/* Let's keep things moving with slow binaries. */
if (avg_us > 50000) {
if (unlikely(afl->fixed_seed)) {
afl->havoc_div = 1;
} else if (avg_us > 50000) {
afl->havoc_div = 10; /* 0-19 execs/sec */
@ -1082,11 +1087,12 @@ void show_init_stats(afl_state_t *afl) {
OKF("Here are some useful stats:\n\n"
cGRA " Test case count : " cRST
"%u favored, %u variable, %u total\n" cGRA " Bitmap range : " cRST
"%u favored, %u variable, %u ignored, %u total\n" cGRA
" Bitmap range : " cRST
"%u to %u bits (average: %0.02f bits)\n" cGRA
" Exec timing : " cRST "%s to %s us (average: %s us)\n",
afl->queued_favored, afl->queued_variable, afl->queued_paths, min_bits,
max_bits,
afl->queued_favored, afl->queued_variable, afl->queued_paths - count,
afl->queued_paths, min_bits, max_bits,
((double)afl->total_bitmap_size) /
(afl->total_bitmap_entries ? afl->total_bitmap_entries : 1),
stringify_int(IB(0), min_us), stringify_int(IB(1), max_us),
@ -1101,7 +1107,11 @@ void show_init_stats(afl_state_t *afl) {
random scheduler jitter is less likely to have any impact, and because
our patience is wearing thin =) */
if (avg_us > 50000) {
if (unlikely(afl->fixed_seed)) {
afl->fsrv.exec_tmout = avg_us * 5 / 1000;
} else if (avg_us > 50000) {
afl->fsrv.exec_tmout = avg_us * 2 / 1000;

168
src/afl-fuzz.c
View File

@ -89,11 +89,10 @@ static void usage(u8 *argv0, int more_help) {
" -o dir - output directory for fuzzer findings\n\n"
"Execution control settings:\n"
" -p schedule - power schedules compute a seed's performance score. "
"<explore\n"
" (default), fast, coe, lin, quad, exploit, mmopt, "
"rare, seek>\n"
" see docs/power_schedules.md\n"
" -p schedule - power schedules compute a seed's performance score:\n"
" <seek (default), explore, rare, exploit, mmopt, coe, "
"fast,\n"
" lin, quad> -- see docs/power_schedules.md\n"
" -f file - location read by the fuzzed program (default: stdin "
"or @@)\n"
" -t msec - timeout for each run (auto-scaled, 50-%d ms)\n"
@ -119,8 +118,8 @@ static void usage(u8 *argv0, int more_help) {
"etc.)\n"
" -d - quick & dirty mode (skips deterministic steps)\n"
" -n - fuzz without instrumentation (non-instrumented mode)\n"
" -x dict_file - optional fuzzer dictionary (see README.md, its really "
"good!)\n\n"
" -x dict_file - fuzzer dictionary (see README.md, specify up to 4 "
"times)\n\n"
"Testing settings:\n"
" -s seed - use a fixed seed for the RNG\n"
@ -243,11 +242,11 @@ static int stricmp(char const *a, char const *b) {
int main(int argc, char **argv_orig, char **envp) {
s32 opt;
u64 prev_queued = 0;
u32 sync_interval_cnt = 0, seek_to, show_help = 0, map_size = MAP_SIZE;
u8 * extras_dir = 0;
u8 mem_limit_given = 0, exit_1 = 0, debug = 0;
s32 opt, i;
u64 prev_queued = 0;
u32 sync_interval_cnt = 0, seek_to, show_help = 0, map_size = MAP_SIZE;
u8 *extras_dir[4];
u8 mem_limit_given = 0, exit_1 = 0, debug = 0, extras_dir_cnt = 0, have_p = 0;
char **use_argv;
struct timeval tv;
@ -349,22 +348,24 @@ int main(int argc, char **argv_orig, char **envp) {
afl->schedule = RARE;
} else if (!stricmp(optarg, "seek")) {
afl->schedule = SEEK;
} else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") ||
!stricmp(optarg, "normal") || !stricmp(optarg, "afl")) {
} else if (!stricmp(optarg, "explore") || !stricmp(optarg, "afl")) {
afl->schedule = EXPLORE;
} else if (!stricmp(optarg, "seek") || !stricmp(optarg, "default") ||
!stricmp(optarg, "normal")) {
afl->schedule = SEEK;
} else {
FATAL("Unknown -p power schedule");
}
have_p = 1;
break;
case 'e':
@ -450,8 +451,13 @@ int main(int argc, char **argv_orig, char **envp) {
case 'x': /* dictionary */
if (extras_dir) { FATAL("Multiple -x options not supported"); }
extras_dir = optarg;
if (extras_dir_cnt >= 4) {
FATAL("More than four -x options are not supported");
}
extras_dir[extras_dir_cnt++] = optarg;
break;
case 't': { /* timeout */
@ -694,7 +700,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->swarm_now = 0;
if (afl->limit_time_puppet == 0) { afl->key_puppet = 1; }
int i;
int j;
int tmp_swarm = 0;
if (afl->g_now > afl->g_max) { afl->g_now = 0; }
@ -707,70 +713,70 @@ int main(int argc, char **argv_orig, char **envp) {
double total_puppet_temp = 0.0;
afl->swarm_fitness[tmp_swarm] = 0.0;
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->stage_finds_puppet[tmp_swarm][i] = 0;
afl->probability_now[tmp_swarm][i] = 0.0;
afl->x_now[tmp_swarm][i] =
afl->stage_finds_puppet[tmp_swarm][j] = 0;
afl->probability_now[tmp_swarm][j] = 0.0;
afl->x_now[tmp_swarm][j] =
((double)(random() % 7000) * 0.0001 + 0.1);
total_puppet_temp += afl->x_now[tmp_swarm][i];
afl->v_now[tmp_swarm][i] = 0.1;
afl->L_best[tmp_swarm][i] = 0.5;
afl->G_best[i] = 0.5;
afl->eff_best[tmp_swarm][i] = 0.0;
total_puppet_temp += afl->x_now[tmp_swarm][j];
afl->v_now[tmp_swarm][j] = 0.1;
afl->L_best[tmp_swarm][j] = 0.5;
afl->G_best[j] = 0.5;
afl->eff_best[tmp_swarm][j] = 0.0;
}
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->stage_cycles_puppet_v2[tmp_swarm][i] =
afl->stage_cycles_puppet[tmp_swarm][i];
afl->stage_finds_puppet_v2[tmp_swarm][i] =
afl->stage_finds_puppet[tmp_swarm][i];
afl->x_now[tmp_swarm][i] =
afl->x_now[tmp_swarm][i] / total_puppet_temp;
afl->stage_cycles_puppet_v2[tmp_swarm][j] =
afl->stage_cycles_puppet[tmp_swarm][j];
afl->stage_finds_puppet_v2[tmp_swarm][j] =
afl->stage_finds_puppet[tmp_swarm][j];
afl->x_now[tmp_swarm][j] =
afl->x_now[tmp_swarm][j] / total_puppet_temp;
}
double x_temp = 0.0;
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->probability_now[tmp_swarm][i] = 0.0;
afl->v_now[tmp_swarm][i] =
afl->w_now * afl->v_now[tmp_swarm][i] +
afl->probability_now[tmp_swarm][j] = 0.0;
afl->v_now[tmp_swarm][j] =
afl->w_now * afl->v_now[tmp_swarm][j] +
RAND_C *
(afl->L_best[tmp_swarm][i] - afl->x_now[tmp_swarm][i]) +
RAND_C * (afl->G_best[i] - afl->x_now[tmp_swarm][i]);
(afl->L_best[tmp_swarm][j] - afl->x_now[tmp_swarm][j]) +
RAND_C * (afl->G_best[j] - afl->x_now[tmp_swarm][j]);
afl->x_now[tmp_swarm][i] += afl->v_now[tmp_swarm][i];
afl->x_now[tmp_swarm][j] += afl->v_now[tmp_swarm][j];
if (afl->x_now[tmp_swarm][i] > v_max) {
if (afl->x_now[tmp_swarm][j] > v_max) {
afl->x_now[tmp_swarm][i] = v_max;
afl->x_now[tmp_swarm][j] = v_max;
} else if (afl->x_now[tmp_swarm][i] < v_min) {
} else if (afl->x_now[tmp_swarm][j] < v_min) {
afl->x_now[tmp_swarm][i] = v_min;
afl->x_now[tmp_swarm][j] = v_min;
}
x_temp += afl->x_now[tmp_swarm][i];
x_temp += afl->x_now[tmp_swarm][j];
}
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->x_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i] / x_temp;
if (likely(i != 0)) {
afl->x_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j] / x_temp;
if (likely(j != 0)) {
afl->probability_now[tmp_swarm][i] =
afl->probability_now[tmp_swarm][i - 1] +
afl->x_now[tmp_swarm][i];
afl->probability_now[tmp_swarm][j] =
afl->probability_now[tmp_swarm][j - 1] +
afl->x_now[tmp_swarm][j];
} else {
afl->probability_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i];
afl->probability_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j];
}
@ -785,13 +791,13 @@ int main(int argc, char **argv_orig, char **envp) {
}
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->core_operator_finds_puppet[i] = 0;
afl->core_operator_finds_puppet_v2[i] = 0;
afl->core_operator_cycles_puppet[i] = 0;
afl->core_operator_cycles_puppet_v2[i] = 0;
afl->core_operator_cycles_puppet_v3[i] = 0;
afl->core_operator_finds_puppet[j] = 0;
afl->core_operator_finds_puppet_v2[j] = 0;
afl->core_operator_cycles_puppet[j] = 0;
afl->core_operator_cycles_puppet_v2[j] = 0;
afl->core_operator_cycles_puppet_v3[j] = 0;
}
@ -828,10 +834,6 @@ int main(int argc, char **argv_orig, char **envp) {
"Eißfeldt, Andrea Fioraldi and Dominik Maier");
OKF("afl++ is open source, get it at "
"https://github.com/AFLplusplus/AFLplusplus");
OKF("Power schedules from github.com/mboehme/aflfast");
OKF("Python Mutator and llvm_mode instrument file list from "
"github.com/choller/afl");
OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
if (afl->sync_id && afl->is_main_node &&
afl->afl_env.afl_custom_mutator_only) {
@ -1010,10 +1012,10 @@ int main(int argc, char **argv_orig, char **envp) {
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
s32 j, afl_preload_size = strlen(afl_preload);
for (j = 0; j < afl_preload_size; ++j) {
if (afl_preload[i] == ',') {
if (afl_preload[j] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
@ -1132,14 +1134,23 @@ int main(int argc, char **argv_orig, char **envp) {
setup_cmdline_file(afl, argv + optind);
read_testcases(afl);
read_testcases(afl, NULL);
// read_foreign_testcases(afl, 1); for the moment dont do this
OKF("Loaded a total of %u seeds.", afl->queued_paths);
load_auto(afl);
pivot_inputs(afl);
if (extras_dir) { load_extras(afl, extras_dir); }
if (extras_dir_cnt) {
for (i = 0; i < extras_dir_cnt; i++)
load_extras(afl, extras_dir[i]);
dedup_extras(afl);
OKF("Loaded a total of %u extras.", afl->extras_cnt);
}
if (!afl->timeout_given) { find_timeout(afl); }
@ -1179,10 +1190,10 @@ int main(int argc, char **argv_orig, char **envp) {
if (!afl->fsrv.out_file) {
u32 i = optind + 1;
while (argv[i]) {
u32 j = optind + 1;
while (argv[j]) {
u8 *aa_loc = strstr(argv[i], "@@");
u8 *aa_loc = strstr(argv[j], "@@");
if (aa_loc && !afl->fsrv.out_file) {
@ -1205,7 +1216,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
++i;
++j;
}
@ -1272,6 +1283,9 @@ int main(int argc, char **argv_orig, char **envp) {
cull_queue(afl);
if (!afl->pending_not_fuzzed)
FATAL("We need at least on valid input seed that does not crash!");
show_init_stats(afl);
seek_to = find_start_position(afl);
@ -1352,7 +1366,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->expand_havoc = 2;
break;
case 2:
// afl->cycle_schedules = 1;
if (!have_p) afl->schedule = EXPLOIT;
afl->expand_havoc = 3;
break;
case 3:

488
src/afl-gcc.c
View File

@ -1,488 +0,0 @@
/*
american fuzzy lop++ - wrapper for GCC and clang
------------------------------------------------
Originally written by Michal Zalewski
Now maintained by Marc Heuse <mh@mh-sec.de>,
Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
Andrea Fioraldi <andreafioraldi@gmail.com>
Copyright 2016, 2017 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This program is a drop-in replacement for GCC or clang. The most common way
of using it is to pass the path to afl-gcc or afl-clang via CC when invoking
./configure.
(Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.)
The wrapper needs to know the path to afl-as (renamed to 'as'). The default
is /usr/local/lib/afl/. A convenient way to specify alternative directories
would be to set AFL_PATH.
If AFL_HARDEN is set, the wrapper will compile the target app with various
hardening options that may help detect memory management issues more
reliably. You can also specify AFL_USE_ASAN to enable ASAN.
If you want to call a non-default compiler as a next step of the chain,
specify its location via AFL_CC or AFL_CXX.
*/
#define AFL_MAIN
#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
static u8 * as_path; /* Path to the AFL 'as' wrapper */
static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 be_quiet, /* Quiet mode */
clang_mode; /* Invoked as afl-clang*? */
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
from argv[0]. If that fails, abort. */
static void find_as(u8 *argv0) {
u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp;
if (afl_path) {
tmp = alloc_printf("%s/as", afl_path);
if (!access(tmp, X_OK)) {
as_path = afl_path;
ck_free(tmp);
return;
}
ck_free(tmp);
}
slash = strrchr(argv0, '/');
if (slash) {
u8 *dir;
*slash = 0;
dir = ck_strdup(argv0);
*slash = '/';
tmp = alloc_printf("%s/afl-as", dir);
if (!access(tmp, X_OK)) {
as_path = dir;
ck_free(tmp);
return;
}
ck_free(tmp);
ck_free(dir);
}
if (!access(AFL_PATH "/as", X_OK)) {
as_path = AFL_PATH;
return;
}
FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH");
}
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0;
u8 *name;
#if defined(__FreeBSD__) && defined(WORD_SIZE_64)
u8 m32_set = 0;
#endif
cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/');
if (!name) {
name = argv[0];
/* This should never happen but fixes a scan-build warning */
if (!name) { FATAL("Empty argv set"); }
} else {
++name;
}
if (!strncmp(name, "afl-clang", 9)) {
clang_mode = 1;
setenv(CLANG_ENV_VAR, "1", 1);
if (!strcmp(name, "afl-clang++")) {
u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)"clang++";
} else if (!strcmp(name, "afl-clang")) {
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"clang";
} else {
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
FATAL("Name of the binary is not a known name, expected afl-clang(++)");
}
} else {
/* With GCJ and Eclipse installed, you can actually compile Java! The
instrumentation will work (amazingly). Alas, unhandled exceptions do
not call abort(), so afl-fuzz would need to be modified to equate
non-zero exit codes with crash conditions when working with Java
binaries. Meh. */
#ifdef __APPLE__
if (!strcmp(name, "afl-g++")) {
cc_params[0] = getenv("AFL_CXX");
} else if (!strcmp(name, "afl-gcj")) {
cc_params[0] = getenv("AFL_GCJ");
} else if (!strcmp(name, "afl-gcc")) {
cc_params[0] = getenv("AFL_CC");
} else {
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj");
}
if (!cc_params[0]) {
SAYF("\n" cLRD "[-] " cRST
"On Apple systems, 'gcc' is usually just a wrapper for clang. "
"Please use the\n"
" 'afl-clang' utility instead of 'afl-gcc'. If you really have "
"GCC installed,\n"
" set AFL_CC or AFL_CXX to specify the correct path to that "
"compiler.\n");
FATAL("AFL_CC or AFL_CXX required on MacOS X");
}
#else
if (!strcmp(name, "afl-g++")) {
u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)"g++";
} else if (!strcmp(name, "afl-gcj")) {
u8 *alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"gcj";
} else if (!strcmp(name, "afl-gcc")) {
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"gcc";
} else {
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj");
}
#endif /* __APPLE__ */
}
while (--argc) {
u8 *cur = *(++argv);
if (!strncmp(cur, "-B", 2)) {
if (!be_quiet) { WARNF("-B is already set, overriding"); }
if (!cur[2] && argc > 1) {
argc--;
argv++;
}
continue;
}
if (!strcmp(cur, "-integrated-as")) { continue; }
if (!strcmp(cur, "-pipe")) { continue; }
#if defined(__FreeBSD__) && defined(WORD_SIZE_64)
if (!strcmp(cur, "-m32")) m32_set = 1;
#endif
if (!strcmp(cur, "-fsanitize=address") ||
!strcmp(cur, "-fsanitize=memory")) {
asan_set = 1;
}
if (strstr(cur, "FORTIFY_SOURCE")) { fortify_set = 1; }
cc_params[cc_par_cnt++] = cur;
}
cc_params[cc_par_cnt++] = "-B";
cc_params[cc_par_cnt++] = as_path;
if (clang_mode) { cc_params[cc_par_cnt++] = "-no-integrated-as"; }
if (getenv("AFL_HARDEN")) {
cc_params[cc_par_cnt++] = "-fstack-protector-all";
if (!fortify_set) { cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; }
}
if (asan_set) {
/* Pass this on to afl-as to adjust map density. */
setenv("AFL_USE_ASAN", "1", 1);
} else if (getenv("AFL_USE_ASAN")) {
if (getenv("AFL_USE_MSAN")) {
FATAL("ASAN and MSAN are mutually exclusive");
}
if (getenv("AFL_HARDEN")) {
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
}
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=address";
} else if (getenv("AFL_USE_MSAN")) {
if (getenv("AFL_USE_ASAN")) {
FATAL("ASAN and MSAN are mutually exclusive");
}
if (getenv("AFL_HARDEN")) {
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
}
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=memory";
}
if (getenv("AFL_USE_UBSAN")) {
cc_params[cc_par_cnt++] = "-fsanitize=undefined";
cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
}
#if defined(USEMMAP) && !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
#endif
if (!getenv("AFL_DONT_OPTIMIZE")) {
#if defined(__FreeBSD__) && defined(WORD_SIZE_64)
/* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself
works OK. This has nothing to do with us, but let's avoid triggering
that bug. */
if (!clang_mode || !m32_set) cc_params[cc_par_cnt++] = "-g";
#else
cc_params[cc_par_cnt++] = "-g";
#endif
cc_params[cc_par_cnt++] = "-O3";
cc_params[cc_par_cnt++] = "-funroll-loops";
/* Two indicators that you're building for fuzzing; one of them is
AFL-specific, the other is shared with libfuzzer. */
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
}
if (getenv("AFL_NO_BUILTIN")) {
cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
}
cc_params[cc_par_cnt] = NULL;
}
/* Main entry point */
int main(int argc, char **argv) {
char *env_info =
"Environment variables used by afl-gcc:\n"
"AFL_CC: path to the C compiler to use\n"
"AFL_CXX: path to the C++ compiler to use\n"
"AFL_GCJ: path to the java compiler to use\n"
"AFL_PATH: path to the instrumenting assembler\n"
"AFL_DONT_OPTIMIZE: disable optimization instead of -O3\n"
"AFL_NO_BUILTIN: compile for use with libtokencap.so\n"
"AFL_QUIET: suppress verbose output\n"
"AFL_CAL_FAST: speed up the initial calibration\n"
"AFL_HARDEN: adds code hardening to catch memory bugs\n"
"AFL_USE_ASAN: activate address sanitizer\n"
"AFL_USE_MSAN: activate memory sanitizer\n"
"AFL_USE_UBSAN: activate undefined behaviour sanitizer\n"
"\nEnvironment variables used by afl-as (called by afl-gcc):\n"
"AFL_AS: path to the assembler to use\n"
"TMPDIR: set the directory for temporary files of afl-as\n"
"TEMP: fall back path to directory for temporary files\n"
"TMP: fall back path to directory for temporary files\n"
"AFL_INST_RATIO: percentage of branches to instrument\n"
"AFL_QUIET: suppress verbose output\n"
"AFL_KEEP_ASSEMBLY: leave instrumented assembly files\n"
"AFL_AS_FORCE_INSTRUMENT: force instrumentation for asm sources\n";
if (argc == 2 && strncmp(argv[1], "-h", 2) == 0) {
printf("afl-cc" VERSION " by Michal Zalewski\n\n");
printf("%s \n\n", argv[0]);
printf("afl-gcc has no command line options\n\n%s\n", env_info);
printf(
"NOTE: afl-gcc is deprecated, llvm_mode is much faster and has more "
"options\n");
return -1;
}
if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
SAYF(cCYA "afl-cc" VERSION cRST " by Michal Zalewski\n");
SAYF(cYEL "[!] " cBRI "NOTE: " cRST
"afl-gcc is deprecated, llvm_mode is much faster and has more "
"options\n");
} else {
be_quiet = 1;
}
if (argc < 2) {
SAYF(
"\n"
"This is a helper application for afl-fuzz. It serves as a drop-in "
"replacement\n"
"for gcc or clang, letting you recompile third-party code with the "
"required\n"
"runtime instrumentation. A common use pattern would be one of the "
"following:\n\n"
" CC=%s/afl-gcc ./configure\n"
" CXX=%s/afl-g++ ./configure\n\n%s"
,
BIN_PATH, BIN_PATH, env_info);
exit(1);
}
u8 *ptr;
if (!be_quiet &&
((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE")))) {
u32 map_size = atoi(ptr);
if (map_size != MAP_SIZE) {
WARNF("AFL_MAP_SIZE is not supported by afl-gcc");
}
}
find_as(argv[0]);
edit_params(argc, argv);
execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
return 0;
}

358
src/afl-ld-lto.c Normal file
View File

@ -0,0 +1,358 @@
/*
american fuzzy lop++ - wrapper for llvm 11+ lld
-----------------------------------------------
Written by Marc Heuse <mh@mh-sec.de> for afl++
Maintained by Marc Heuse <mh@mh-sec.de>,
Heiko Eißfeldt <heiko.eissfeldt@hexco.de>
Andrea Fioraldi <andreafioraldi@gmail.com>
Dominik Maier <domenukk@gmail.com>
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
The sole purpose of this wrapper is to preprocess clang LTO files when
linking with lld and performing the instrumentation on the whole program.
*/
#define AFL_MAIN
#define _GNU_SOURCE
#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <dirent.h>
#define MAX_PARAM_COUNT 4096
static u8 **ld_params; /* Parameters passed to the real 'ld' */
static u8 *afl_path = AFL_PATH;
static u8 *real_ld = AFL_REAL_LD;
static u8 be_quiet, /* Quiet mode (no stderr output) */
debug, /* AFL_DEBUG */
passthrough, /* AFL_LD_PASSTHROUGH - no link+optimize*/
just_version; /* Just show version? */
static u32 ld_param_cnt = 1; /* Number of params to 'ld' */
/* Examine and modify parameters to pass to 'ld', 'llvm-link' and 'llmv-ar'.
Note that the file name is always the last parameter passed by GCC,
so we exploit this property to keep the code "simple". */
static void edit_params(int argc, char **argv) {
u32 i, instrim = 0, gold_pos = 0, gold_present = 0, rt_present = 0,
rt_lto_present = 0, inst_present = 0;
char *ptr;
ld_params = ck_alloc(4096 * sizeof(u8 *));
ld_params[0] = (u8 *)real_ld;
if (!passthrough) {
for (i = 1; i < argc; i++) {
if (strstr(argv[i], "/afl-llvm-rt-lto.o") != NULL) rt_lto_present = 1;
if (strstr(argv[i], "/afl-llvm-rt.o") != NULL) rt_present = 1;
if (strstr(argv[i], "/afl-llvm-lto-instr") != NULL) inst_present = 1;
}
for (i = 1; i < argc && !gold_pos; i++) {
if (strcmp(argv[i], "-plugin") == 0) {
if (strncmp(argv[i], "-plugin=", strlen("-plugin=")) == 0) {
if (strcasestr(argv[i], "LLVMgold.so") != NULL)
gold_present = gold_pos = i + 1;
} else if (i < argc && strcasestr(argv[i + 1], "LLVMgold.so") != NULL) {
gold_present = gold_pos = i + 2;
}
}
}
if (!gold_pos) {
for (i = 1; i + 1 < argc && !gold_pos; i++) {
if (argv[i][0] != '-') {
if (argv[i - 1][0] == '-') {
switch (argv[i - 1][1]) {
case 'b':
break;
case 'd':
break;
case 'e':
break;
case 'F':
break;
case 'f':
break;
case 'I':
break;
case 'l':
break;
case 'L':
break;
case 'm':
break;
case 'o':
break;
case 'O':
break;
case 'p':
if (index(argv[i - 1], '=') == NULL) gold_pos = i;
break;
case 'R':
break;
case 'T':
break;
case 'u':
break;
case 'y':
break;
case 'z':
break;
case '-': {
if (strcmp(argv[i - 1], "--oformat") == 0) break;
if (strcmp(argv[i - 1], "--output") == 0) break;
if (strncmp(argv[i - 1], "--opt-remarks-", 14) == 0) break;
gold_pos = i;
break;
}
default:
gold_pos = i;
}
} else
gold_pos = i;
}
}
}
if (!gold_pos) gold_pos = 1;
}
if (getenv("AFL_LLVM_INSTRIM"))
instrim = 1;
else if ((ptr = getenv("AFL_LLVM_INSTRUMENT")) &&
(strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0))
instrim = 1;
if (debug)
SAYF(cMGN "[D] " cRST
"passthrough=%s instrim=%d, gold_pos=%d, gold_present=%s "
"inst_present=%s rt_present=%s rt_lto_present=%s\n",
passthrough ? "true" : "false", instrim, gold_pos,
gold_present ? "true" : "false", inst_present ? "true" : "false",
rt_present ? "true" : "false", rt_lto_present ? "true" : "false");
for (i = 1; i < argc; i++) {
if (ld_param_cnt >= MAX_PARAM_COUNT)
FATAL(
"Too many command line parameters because of unpacking .a archives, "
"this would need to be done by hand ... sorry! :-(");
if (strcmp(argv[i], "--afl") == 0) {
if (!be_quiet) OKF("afl++ test command line flag detected, exiting.");
exit(0);
}
if (i == gold_pos && !passthrough) {
ld_params[ld_param_cnt++] = alloc_printf("-L%s/../lib", LLVM_BINDIR);
if (!gold_present) {
ld_params[ld_param_cnt++] = "-plugin";
ld_params[ld_param_cnt++] =
alloc_printf("%s/../lib/LLVMgold.so", LLVM_BINDIR);
}
ld_params[ld_param_cnt++] = "--allow-multiple-definition";
if (!inst_present) {
if (instrim)
ld_params[ld_param_cnt++] =
alloc_printf("-mllvm=-load=%s/afl-llvm-lto-instrim.so", afl_path);
else
ld_params[ld_param_cnt++] = alloc_printf(
"-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", afl_path);
}
if (!rt_present)
ld_params[ld_param_cnt++] = alloc_printf("%s/afl-llvm-rt.o", afl_path);
if (!rt_lto_present)
ld_params[ld_param_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto.o", afl_path);
}
ld_params[ld_param_cnt++] = argv[i];
}
ld_params[ld_param_cnt] = NULL;
}
/* Main entry point */
int main(int argc, char **argv) {
s32 pid, i, status;
u8 * ptr;
char thecwd[PATH_MAX];
if ((ptr = getenv("AFL_LD_CALLER")) != NULL) {
FATAL("ld loop detected! Set AFL_REAL_LD!\n");
}
if (isatty(2) && !getenv("AFL_QUIET") && !getenv("AFL_DEBUG")) {
SAYF(cCYA "afl-ld-to" VERSION cRST
" by Marc \"vanHauser\" Heuse <mh@mh-sec.de>\n");
} else
be_quiet = 1;
if (getenv("AFL_DEBUG") != NULL) debug = 1;
if (getenv("AFL_PATH") != NULL) afl_path = getenv("AFL_PATH");
if (getenv("AFL_LD_PASSTHROUGH") != NULL) passthrough = 1;
if (getenv("AFL_REAL_LD") != NULL) real_ld = getenv("AFL_REAL_LD");
if (!afl_path || !*afl_path) afl_path = "/usr/local/lib/afl";
setenv("AFL_LD_CALLER", "1", 1);
if (debug) {
if (getcwd(thecwd, sizeof(thecwd)) != 0) strcpy(thecwd, ".");
SAYF(cMGN "[D] " cRST "cd \"%s\";", thecwd);
for (i = 0; i < argc; i++)
SAYF(" \"%s\"", argv[i]);
SAYF("\n");
}
if (argc < 2) {
SAYF(
"\n"
"This is a helper application for afl-clang-lto. It is a wrapper "
"around GNU "
"llvm's 'lld',\n"
"executed by the toolchain whenever using "
"afl-clang-lto/afl-clang-lto++.\n"
"You probably don't want to run this program directly but rather pass "
"it as LD parameter to configure scripts\n\n"
"Environment variables:\n"
" AFL_LD_PASSTHROUGH do not link+optimize == no instrumentation\n"
" AFL_REAL_LD point to the real llvm 11 lld if necessary\n"
"\nafl-ld-to was compiled with the fixed real 'ld' of %s and the "
"binary path of %s\n\n",
real_ld, LLVM_BINDIR);
exit(1);
}
edit_params(argc, argv); // here most of the magic happens :-)
if (debug) {
SAYF(cMGN "[D]" cRST " cd \"%s\";", thecwd);
for (i = 0; i < ld_param_cnt; i++)
SAYF(" \"%s\"", ld_params[i]);
SAYF("\n");
}
if (!(pid = fork())) {
if (strlen(real_ld) > 1) execvp(real_ld, (char **)ld_params);
execvp("ld", (char **)ld_params); // fallback
FATAL("Oops, failed to execute 'ld' - check your PATH");
}
if (pid < 0) PFATAL("fork() failed");
if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed");
if (debug) SAYF(cMGN "[D] " cRST "linker result: %d\n", status);
if (!just_version) {
if (status == 0) {
if (!be_quiet) OKF("Linker was successful");
} else {
SAYF(cLRD "[-] " cRST
"Linker failed, please investigate and send a bug report. Most "
"likely an 'ld' option is incompatible with %s.\n",
AFL_CLANG_FLTO);
}
}
exit(WEXITSTATUS(status));
}