ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 18:18:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

auto shmem fuzzing (#1541)

Browse Source 
* auto shmem fuzzing

* print warning when forcing shmem fuzzing

* typos

* Shmem always

* typo fix

* fixes

Co-authored-by: Dominik Maier <dmnk@google.com>
This commit is contained in:
van Hauser
2022-10-07 15:40:04 +02:00
committed by GitHub
parent 5e04c9693b
commit 2107ece114
7 changed files with 54 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/Changelog.md
View File

@ -5,7 +5,7 @@
### Version ++4.04a (dev) ### Version ++4.04a (dev)
- fix gramatron and grammar_mutatur build scripts - fix gramatron and grammar_mutator build scripts
- enhancements to the afl-persistent-config and afl-system-config - enhancements to the afl-persistent-config and afl-system-config
scripts scripts
- afl-cc: - afl-cc:
@ -16,6 +16,9 @@
- unicorn_mode: - unicorn_mode:
- Enabled tricore arch (by @jma-qb) - Enabled tricore arch (by @jma-qb)
- Updated Capstone version in Rust bindings - Updated Capstone version in Rust bindings
- llvm-mode:
- AFL runtime will always pass inputs via shared memory, when possible,
ignoring the command line.
### Version ++4.03c (release) ### Version ++4.03c (release)

27
instrumentation/afl-compiler-rt.o.c
View File

@ -97,6 +97,7 @@ u8 *__afl_dictionary;
u8 *__afl_fuzz_ptr; u8 *__afl_fuzz_ptr;
static u32 __afl_fuzz_len_dummy; static u32 __afl_fuzz_len_dummy;
u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy; u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy;
int __afl_sharedmem_fuzzing __attribute__((weak));
u32 __afl_final_loc; u32 __afl_final_loc;
u32 __afl_map_size = MAP_SIZE; u32 __afl_map_size = MAP_SIZE;
@ -119,8 +120,6 @@ __thread PREV_LOC_T __afl_prev_caller[CTX_MAX_K];
__thread u32 __afl_prev_ctx; __thread u32 __afl_prev_ctx;
#endif #endif
int __afl_sharedmem_fuzzing __attribute__((weak));
struct cmp_map *__afl_cmp_map; struct cmp_map *__afl_cmp_map;
struct cmp_map *__afl_cmp_map_backup; struct cmp_map *__afl_cmp_map_backup;
@ -347,6 +346,22 @@ static void __afl_map_shm(void) {
} }
if (__afl_sharedmem_fuzzing && (!id_str || !getenv(SHM_FUZZ_ENV_VAR) ||
fcntl(FORKSRV_FD, F_GETFD) == -1 ||
fcntl(FORKSRV_FD + 1, F_GETFD) == -1)) {
if (__afl_debug) {
fprintf(stderr,
"DEBUG: running not inside afl-fuzz, disabling shared memory "
"testcases\n");
}
__afl_sharedmem_fuzzing = 0;
}
if (!id_str) { if (!id_str) {
u32 val = 0; u32 val = 0;
@ -543,7 +558,7 @@ static void __afl_map_shm(void) {
if (!__afl_area_ptr_dummy) { if (!__afl_area_ptr_dummy) {
fprintf(stderr, fprintf(stderr,
"Error: AFL++ could not aquire %u bytes of memory, exiting!\n", "Error: AFL++ could not acquire %u bytes of memory, exiting!\n",
__afl_final_loc); __afl_final_loc);
exit(-1); exit(-1);
@ -757,10 +772,10 @@ static void __afl_start_snapshots(void) {
assume we're not running in forkserver mode and just execute program. */ assume we're not running in forkserver mode and just execute program. */
status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG); status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG);
if (__afl_sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; if (__afl_sharedmem_fuzzing) { status |= FS_OPT_SHDMEM_FUZZ; }
if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) if (__afl_map_size <= FS_OPT_MAX_MAPSIZE)
status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE);
if (__afl_dictionary_len && __afl_dictionary) status |= FS_OPT_AUTODICT; if (__afl_dictionary_len && __afl_dictionary) { status |= FS_OPT_AUTODICT; }
memcpy(tmp, &status, 4); memcpy(tmp, &status, 4);
if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; } if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; }
@ -1021,7 +1036,7 @@ static void __afl_start_forkserver(void) {
} }
if (__afl_sharedmem_fuzzing != 0) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } if (__afl_sharedmem_fuzzing) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; }
if (status_for_fsrv) { if (status_for_fsrv) {
status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG); status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG);

2
src/afl-cc.c
View File

@ -317,7 +317,7 @@ void parse_fsanitize(char *string) {
char *tmp = malloc(strlen(ptr)); char *tmp = malloc(strlen(ptr));
u32 count = 0, len, ende = 0; u32 count = 0, len, ende = 0;
if (!new || !tmp) { FATAL("could not aquire memory"); } if (!new || !tmp) { FATAL("could not acquire memory"); }
strcpy(new, "-fsanitize="); strcpy(new, "-fsanitize=");
do { do {

14
src/afl-fuzz.c
View File

@ -2132,6 +2132,20 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (afl->fsrv.out_file && afl->fsrv.use_shmem_fuzz) {
afl->fsrv.out_file = NULL;
afl->fsrv.use_stdin = 0;
if (!afl->unicorn_mode && !afl->fsrv.use_stdin) {
WARNF(
"You specified -f or @@ on the command line but the target harness "
"specified fuzz cases via shmem, switching to shmem!");
}
}
deunicode_extras(afl); deunicode_extras(afl);
dedup_extras(afl); dedup_extras(afl);
if (afl->extras_cnt) { OKF("Loaded a total of %u extras.", afl->extras_cnt); } if (afl->extras_cnt) { OKF("Loaded a total of %u extras.", afl->extras_cnt); }

2
src/afl-showmap.c
View File

@ -1268,7 +1268,7 @@ int main(int argc, char **argv_orig, char **envp) {
(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) {
if (!be_quiet) if (!be_quiet)
ACTF("Aquired new map size for target: %u bytes\n", new_map_size); ACTF("Acquired new map size for target: %u bytes\n", new_map_size);
afl_shm_deinit(&shm); afl_shm_deinit(&shm);
afl_fsrv_kill(fsrv); afl_fsrv_kill(fsrv);

2
src/afl-tmin.c
View File

@ -1252,7 +1252,7 @@ int main(int argc, char **argv_orig, char **envp) {
(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) {
if (!be_quiet) if (!be_quiet)
ACTF("Aquired new map size for target: %u bytes\n", new_map_size); ACTF("Acquired new map size for target: %u bytes\n", new_map_size);
afl_shm_deinit(&shm); afl_shm_deinit(&shm);
afl_fsrv_kill(fsrv); afl_fsrv_kill(fsrv);

20
utils/aflpp_driver/aflpp_driver.c
View File

@ -35,6 +35,7 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdbool.h>
#include <stdint.h> #include <stdint.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@ -68,7 +69,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
int LLVMFuzzerRunDriver(int *argc, char ***argv, int LLVMFuzzerRunDriver(int *argc, char ***argv,
int (*callback)(const uint8_t *data, size_t size)); int (*callback)(const uint8_t *data, size_t size));
// Default nop ASan hooks for manual posisoning when not linking the ASan // Default nop ASan hooks for manual poisoning when not linking the ASan
// runtime // runtime
// https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning // https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning
__attribute__((weak)) void __asan_poison_memory_region( __attribute__((weak)) void __asan_poison_memory_region(
@ -290,6 +291,12 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp,
} }
bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) ||
fcntl(FORKSRV_FD, F_GETFD) == -1 ||
fcntl(FORKSRV_FD + 1, F_GETFD) == -1);
if (!in_afl) { __afl_sharedmem_fuzzing = 0; }
output_file = stderr; output_file = stderr;
maybe_duplicate_stderr(); maybe_duplicate_stderr();
maybe_close_fd_mask(); maybe_close_fd_mask();
@ -310,23 +317,20 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp,
int N = INT_MAX; int N = INT_MAX;
if (argc == 2 && !strcmp(argv[1], "-")) { if (!in_afl && argc == 2 && !strcmp(argv[1], "-")) {
__afl_sharedmem_fuzzing = 0;
__afl_manual_init(); __afl_manual_init();
return ExecuteFilesOnyByOne(argc, argv, callback); return ExecuteFilesOnyByOne(argc, argv, callback);
} else if (argc == 2 && argv[1][0] == '-') { } else if (argc == 2 && argv[1][0] == '-' && argv[1][1]) {
N = atoi(argv[1] + 1); N = atoi(argv[1] + 1);
} else if (argc == 2 && (N = atoi(argv[1])) > 0) { } else if (argc == 2 && argv[1][0] != '-' && (N = atoi(argv[1])) > 0) {
printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N);
} else if (argc > 1) { } else if (!in_afl && argc > 1 && argv[1][0] != '-') {
__afl_sharedmem_fuzzing = 0;
if (argc == 2) { __afl_manual_init(); } if (argc == 2) { __afl_manual_init(); }