From e3fae3e9b0cdbfd24defe8eee4acc2785fb80961 Mon Sep 17 00:00:00 2001
From: Stepan Gulyaev
Date: Thu, 21 Nov 2024 12:32:48 +0300
Subject: [PATCH 1/9] Added CFISAN option for verbose output on crash
---
 src/afl-cc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/afl-cc.c b/src/afl-cc.c
index f47f3d50..2cda84e0 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2007,7 +2007,12 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) { } - if (!aflcc->have_cfisan) { insert_param(aflcc, "-fsanitize=cfi"); } + if (!aflcc->have_cfisan) { + + insert_param(aflcc, "-fsanitize=cfi"); + insert_param(aflcc, "-fno-sanitize-trap=cfi"); + + } if (!aflcc->have_hidden) {
From b43f37456f82fd60654d2c92c552b0e34dd3218a Mon Sep 17 00:00:00 2001
From: Stepan Gulyaev
Date: Thu, 21 Nov 2024 15:14:54 +0300
Subject: [PATCH 2/9] Adding AFL_CFISAN_VERBOSE variable
---
 include/envs.h | 2 +-
 src/afl-cc.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/envs.h b/include/envs.h
index edfcc209..305caa0a 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -114,7 +114,7 @@ static char *afl_environment_variables[] = { "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME", "AFL_TESTCACHE_SIZE", "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", - "AFL_USE_UBSAN", "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_USE_LSAN", + "AFL_USE_UBSAN", "AFL_USE_TSAN", "AFL_USE_CFISAN","AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", NULL
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 2cda84e0..5c3273c7 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2010,10 +2010,14 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) { if (!aflcc->have_cfisan) { insert_param(aflcc, "-fsanitize=cfi"); - insert_param(aflcc, "-fno-sanitize-trap=cfi"); - } + if ( getenv("AFL_CFISAN_VERBOSE") ) + { + insert_param(aflcc, "-fno-sanitize-trap=cfi"); + } + + if (!aflcc->have_hidden) { insert_param(aflcc, "-fvisibility=hidden");
From ebb919f7717152420fe0ab129e738807cd3c947b Mon Sep 17 00:00:00 2001
From: Stepan Gulyaev
Date: Thu, 21 Nov 2024 15:31:34 +0300
Subject: [PATCH 3/9] Code formatted
---
 include/envs.h | 6 +++---
 src/afl-cc.c | 13 +++++--------
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/include/envs.h b/include/envs.h
index 305caa0a..36744005 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -114,9 +114,9 @@ static char *afl_environment_variables[] = { "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME", "AFL_TESTCACHE_SIZE", "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", - "AFL_USE_UBSAN", "AFL_USE_TSAN", "AFL_USE_CFISAN","AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", - "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", - "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", + "AFL_USE_UBSAN", "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_CFISAN_VERBOSE", + "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", + "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", NULL };
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 5c3273c7..c568a845 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2007,17 +2007,14 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) { } - if (!aflcc->have_cfisan) { + if (!aflcc->have_cfisan) { insert_param(aflcc, "-fsanitize=cfi"); } + + if (getenv("AFL_CFISAN_VERBOSE")) { + + insert_param(aflcc, "-fno-sanitize-trap=cfi"); - insert_param(aflcc, "-fsanitize=cfi"); } - if ( getenv("AFL_CFISAN_VERBOSE") ) - { - insert_param(aflcc, "-fno-sanitize-trap=cfi"); - } - - if (!aflcc->have_hidden) { insert_param(aflcc, "-fvisibility=hidden");
From 7aecf14c07f20a16c9343298d5a79645bc448589 Mon Sep 17 00:00:00 2001
From: Stepan Gulyaev
Date: Thu, 21 Nov 2024 16:37:24 +0300
Subject: [PATCH 4/9] Added AFL_UBSAN_VERBOSE variable
---
 include/envs.h | 10 ++++++----
 src/afl-cc.c | 11 ++++++++---
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/include/envs.h b/include/envs.h
index 36744005..88655778 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -114,10 +114,12 @@ static char *afl_environment_variables[] = { "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME", "AFL_TESTCACHE_SIZE", "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", - "AFL_USE_UBSAN", "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_CFISAN_VERBOSE", - "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", - "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", - "AFL_NO_FASTRESUME", NULL + "AFL_USE_UBSAN", + "AFL_UBSAN_VERBOSE" + "AFL_USE_TSAN", + "AFL_USE_CFISAN", "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", + "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", + "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", NULL };
diff --git a/src/afl-cc.c b/src/afl-cc.c
index c568a845..d8a629a2 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
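Review bot: The verbose branch `if (getenv("AFL_CFISAN_VERBOSE")) { insert_param(aflcc, "-fno-sanitize-trap=cfi"); }` only switches CFI from a trap to a printed diagnostic and leaves it to clang's default recover setting for the cfi group whether the process still aborts afterwards; a violation that is logged but survived is not a crash afl-fuzz can observe. Adding `insert_param(aflcc, "-fno-sanitize-recover=cfi");` next to it would make the abort explicit and mirror the `-fno-sanitize-recover=undefined` chosen for the ubsan variable in PATCH 4/9. The branch is also placed outside `if (!aflcc->have_cfisan)`, so the flag is appended even when the user supplied their own -fsanitize=cfi, which seems acceptable for an opt-in variable but deserves a short comment saying so. The enclosing block that presumably gates on AFL_USE_CFISAN begins before this hunk and the function continues after it.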
@@ -1945,10 +1945,15 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) { if (getenv("AFL_USE_UBSAN") || aflcc->have_ubsan) { - if (!aflcc->have_ubsan) { + if (!aflcc->have_ubsan) { insert_param(aflcc, "-fsanitize=undefined"); } - insert_param(aflcc, "-fsanitize=undefined"); - insert_param(aflcc, "-fno-sanitize-recover=all"); + if (getenv("AFL_UBSAN_VERBOSE")) { + + insert_param(aflcc, "-fno-sanitize-recover=undefined"); + + } else { + + insert_param(aflcc, "-fsanitize-trap=undefined"); }
From 41de56935348549dd617e49ee719d90e5785b4c7 Mon Sep 17 00:00:00 2001
From: Fahnenfluchtige
Date: Thu, 21 Nov 2024 17:10:54 +0300
Subject: [PATCH 5/9] Adding envs to docs
---
 docs/env_variables.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index d1edb6fd..26b7dac9 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -115,6 +115,10 @@ fairly broad use of environment variables instead: conditions - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer + - Setting `AFL_UBSAN_VERBOSE=1` or `AFL_CFISAN_VERBOSE=1` enables verbose output for the respective sanitizers: + - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected + - `AFL_CFISAN_VERBOSE=1` - outputs detailed information when control flow integrity violations occur, instead of simply terminating with "Illegal Instruction" + - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp.
From 945309c3165d53ccf7572c7d9ec2c0992ddf4592 Mon Sep 17 00:00:00 2001
From: Stepan Gulyaev
Date: Thu, 21 Nov 2024 16:55:35 +0300
Subject: [PATCH 6/9] Typing fix
---
 include/envs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/envs.h b/include/envs.h
index 88655778..91ee1c2a 100644
--- a/include/envs.h
+++ b/include/envs.h
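Review bot: The new `-fsanitize-trap=undefined` / `-fno-sanitize-recover=undefined` selection is placed after the `if (!aflcc->have_ubsan) { ... }` one-liner, whereas the removed `-fno-sanitize-recover=all` appears to have lived inside that guard, so a user who passed their own -fsanitize=undefined together with their own recover/trap choice now gets trapping mode appended after their flags (and the later flag normally wins); either gating the block on `!aflcc->have_ubsan` as before, or documenting that afl-cc overrides the user's setting, would avoid that surprise. The default also moves from "print a UBSan report, then abort" to a bare trap, so default-mode crashes no longer carry the diagnostic in the reproducer's output; that is a defensible fuzzing trade-off but it is a behaviour change that the commit message and docs/env_variables.md should state explicitly next to AFL_USE_UBSAN. As far as I recall `-fsanitize-trap=<group>` is a clang spelling that older gcc releases reject (they only know -fsanitize-undefined-trap-on-error), so if the gcc-plugin path reaches add_sanitizers this should be checked before it turns AFL_USE_UBSAN into a compile error where `-fno-sanitize-recover=all` previously worked. The enclosing `if (getenv("AFL_USE_UBSAN") || aflcc->have_ubsan)` block continues past the end of this hunk.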
@@ -115,7 +115,7 @@ static char *afl_environment_variables[] = { "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", - "AFL_UBSAN_VERBOSE" + "AFL_UBSAN_VERBOSE", "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN",
From 4a492d5d8ea009de04efa07f8e5c81e4c82eaa79 Mon Sep 17 00:00:00 2001
From: Stepan Gulyaev
Date: Thu, 21 Nov 2024 17:01:31 +0300
Subject: [PATCH 7/9] Code formatting
---
 include/envs.h | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/include/envs.h b/include/envs.h
index 91ee1c2a..05fa2d3c 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -114,11 +114,9 @@ static char *afl_environment_variables[] = { "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME", "AFL_TESTCACHE_SIZE", "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", - "AFL_USE_UBSAN", - "AFL_UBSAN_VERBOSE", - "AFL_USE_TSAN", - "AFL_USE_CFISAN", "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", - "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", + "AFL_USE_UBSAN", "AFL_UBSAN_VERBOSE", "AFL_USE_TSAN", "AFL_USE_CFISAN", + "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", + "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", NULL };
From b4208dde94e33581e5da152ca53ea093ffadcd7f Mon Sep 17 00:00:00 2001
From: Fahnenfluchtige
Date: Thu, 21 Nov 2024 17:19:51 +0300
Subject: [PATCH 8/9] little fix for docs
---
 docs/env_variables.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 26b7dac9..3cd82078 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -104,6 +104,7 @@ fairly broad use of environment variables instead: detection) - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g. type confusion vulnerabilities) + - `AFL_CFISAN_VERBOSE=1` - outputs detailed information when control flow integrity violations occur, instead of simply terminating with "Illegal Instruction" - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check within your program at a certain point (such as at the end of an `__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will
@@ -114,10 +115,7 @@ fairly broad use of environment variables instead: - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race conditions - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer - - - Setting `AFL_UBSAN_VERBOSE=1` or `AFL_CFISAN_VERBOSE=1` enables verbose output for the respective sanitizers: - - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected - - `AFL_CFISAN_VERBOSE=1` - outputs detailed information when control flow integrity violations occur, instead of simply terminating with "Illegal Instruction" + - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected, instead of simply terminating with "Illegal Instruction" - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp.
From 46b87a6d62d546c4d09f14cfc9ced6b2bd02e7c6 Mon Sep 17 00:00:00 2001
From: Fahnenfluchtige
Date: Thu, 21 Nov 2024 17:36:30 +0300
Subject: [PATCH 9/9] adding details
---
 docs/env_variables.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 3cd82078..8de2359d 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -115,7 +115,9 @@ fairly broad use of environment variables instead: - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race conditions - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer - - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected, instead of simply terminating with "Illegal Instruction" + - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected, instead of simply terminating with "Illegal Instruction" + + - Note: both `AFL_CFISAN_VERBOSE=1` and `AFL_UBSAN_VERBOSE=1` are disabled by default as verbose output can significantly slow down fuzzing performance. Use these options only during debugging or when additional crash diagnostics are required - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp.