Merge pull request #2252 from StepanGulyaev/dev

Added CFISAN option for verbose output on crash
2025-06-19 21:13:45 +00:00 · 2024-11-21 15:51:51 +01:00
parent 701e89bbcd 46b87a6d62
commit 31c8a052a6
3 changed files with 22 additions and 7 deletions
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@ -104,6 +104,7 @@ fairly broad use of environment variables instead:
      detection)
    - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g.
      type confusion vulnerabilities)
+    - `AFL_CFISAN_VERBOSE=1` - outputs detailed information when control flow integrity violations occur, instead of simply terminating with "Illegal Instruction"
    - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check
      within your program at a certain point (such as at the end of an
      `__AFL_LOOP()`), you can run the macro  `__AFL_LEAK_CHECK();` which will
@ -114,6 +115,9 @@ fairly broad use of environment variables instead:
    - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race
      conditions
    - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer
+    - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected, instead of simply terminating with "Illegal Instruction"
+
+    - Note: both `AFL_CFISAN_VERBOSE=1` and `AFL_UBSAN_VERBOSE=1` are disabled by default as verbose output can significantly slow down fuzzing performance. Use these options only during debugging or when additional crash diagnostics are required

  - `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
    the tool defaults to /tmp.
--- a/include/envs.h
+++ b/include/envs.h
@ -114,10 +114,10 @@ static char *afl_environment_variables[] = {
    "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME", "AFL_TESTCACHE_SIZE",
    "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE",
    "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC",
-    "AFL_USE_UBSAN", "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_USE_LSAN",
-    "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN",
-    "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE",
-    "AFL_NO_FASTRESUME", NULL
+    "AFL_USE_UBSAN", "AFL_UBSAN_VERBOSE", "AFL_USE_TSAN", "AFL_USE_CFISAN",
+    "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT",
+    "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN",
+    "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", NULL

 };

--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@ -1945,10 +1945,15 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) {

  if (getenv("AFL_USE_UBSAN") || aflcc->have_ubsan) {

-    if (!aflcc->have_ubsan) {
+    if (!aflcc->have_ubsan) { insert_param(aflcc, "-fsanitize=undefined"); }

-      insert_param(aflcc, "-fsanitize=undefined");
-      insert_param(aflcc, "-fno-sanitize-recover=all");
+    if (getenv("AFL_UBSAN_VERBOSE")) {
+
+      insert_param(aflcc, "-fno-sanitize-recover=undefined");
+
+    } else {
+
+      insert_param(aflcc, "-fsanitize-trap=undefined");

    }

@ -2009,6 +2014,12 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) {

      if (!aflcc->have_cfisan) { insert_param(aflcc, "-fsanitize=cfi"); }

+      if (getenv("AFL_CFISAN_VERBOSE")) {
+
+        insert_param(aflcc, "-fno-sanitize-trap=cfi");
+
+      }
+
      if (!aflcc->have_hidden) {

        insert_param(aflcc, "-fvisibility=hidden");