Merge branch 'master' of github.com:vanhauser-thc/AFLplusplus

Makefile

@@ -280,6 +280,8 @@ code-format:
 	./.custom-format.py -i qemu_mode/libcompcov/*.c
 	./.custom-format.py -i qemu_mode/libcompcov/*.cc
 	./.custom-format.py -i qemu_mode/libcompcov/*.h
+	./.custom-format.py -i qbdi_mode/*.c
+	./.custom-format.py -i qbdi_mode/*.cpp
 	./.custom-format.py -i *.h
 	./.custom-format.py -i *.c
 

experimental/socket_fuzzing/socketfuzz.c

@@ -69,6 +69,9 @@ int dup2(int old, int new) {
 
 int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
 
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
   fprintf(stderr, "Info: Emulating accept on %d\n", sockfd);
   return 0;
 
@@ -76,6 +79,9 @@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
 
 int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
 
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
   fprintf(stderr, "Info: Emulating bind on port %d\n",
           ntohs(((struct sockaddr_in *)addr)->sin_port));
   return 0;
@@ -84,6 +90,20 @@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
 
 int listen(int sockfd, int backlog) {
 
+  (void)sockfd;
+  (void)backlog;
+  return 0;
+
+}
+
+int setsockopt(int sockfd, int level, int optid, const void *optdata,
+               socklen_t optdatalen) {
+
+  (void)sockfd;
+  (void)level;
+  (void)optid;
+  (void)optdata;
+  (void)optdatalen;
   return 0;
 
 }

llvm_mode/split-compares-pass.so.cc

@@ -470,7 +470,9 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
           if (selectcmpInst->getPredicate() == CmpInst::FCMP_OEQ ||
               selectcmpInst->getPredicate() == CmpInst::FCMP_ONE ||
               selectcmpInst->getPredicate() == CmpInst::FCMP_UNE ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_UGT ||
               selectcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_ULT ||
               selectcmpInst->getPredicate() == CmpInst::FCMP_OLT) {
 
             auto op0 = selectcmpInst->getOperand(0);
@@ -655,6 +657,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
             CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, m_e0, m_e1);
         break;
       case CmpInst::FCMP_OGT:
+      case CmpInst::FCMP_UGT:
         Instruction *icmp_exponent;
         icmp_exponent =
             CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, m_e0, m_e1);
@@ -664,6 +667,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
             BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
         break;
       case CmpInst::FCMP_OLT:
+      case CmpInst::FCMP_ULT:
         icmp_exponent =
             CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, m_e0, m_e1);
         signequal_bb->getInstList().insert(
@@ -755,6 +759,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
             CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_f0, t_f1);
         break;
       case CmpInst::FCMP_OGT:
+      case CmpInst::FCMP_UGT:
         Instruction *icmp_fraction;
         icmp_fraction =
             CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
@@ -764,6 +769,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
             BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0);
         break;
       case CmpInst::FCMP_OLT:
+      case CmpInst::FCMP_ULT:
         icmp_fraction =
             CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
         middle_bb->getInstList().insert(
@@ -802,6 +808,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
         PN->addIncoming(icmp_fraction_result, middle_bb);
         break;
       case CmpInst::FCMP_OGT:
+      case CmpInst::FCMP_UGT:
         /* if op1 is negative goto true branch,
            else go on comparing */
         PN->addIncoming(t_s1, bb);
@@ -809,6 +816,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
         PN->addIncoming(icmp_fraction_result, middle_bb);
         break;
       case CmpInst::FCMP_OLT:
+      case CmpInst::FCMP_ULT:
         /* if op0 is negative goto true branch,
            else go on comparing */
         PN->addIncoming(t_s0, bb);

qbdi_mode/template.cpp

@@ -114,7 +114,7 @@ void afl_maybe_log(unsigned long cur_loc) {
 
   if (afl_area_ptr == NULL) { return; }
   unsigned long afl_idx = cur_loc ^ afl_prev_loc;
-  afl_idx &= MAP_SIZE -1;
+  afl_idx &= MAP_SIZE - 1;
   INC_AFL_AREA(afl_idx);
   afl_prev_loc = cur_loc >> 1;
 
@@ -123,7 +123,7 @@ void afl_maybe_log(unsigned long cur_loc) {
 char *read_file(char *path, unsigned long *length) {
 
   unsigned long len;
-  char * buf;
+  char *        buf;
 
   FILE *fp = fopen(path, "rb");
   fseek(fp, 0, SEEK_END);

src/afl-analyze.c

@@ -716,11 +716,15 @@ static void set_up_environment(void) {
       u8* qemu_preload = getenv("QEMU_SET_ENV");
       u8* afl_preload = getenv("AFL_PRELOAD");
       u8* buf;
-      
+
       s32 i, afl_preload_size = strlen(afl_preload);
       for (i = 0; i < afl_preload_size; ++i) {
+
         if (afl_preload[i] == ',')
-          PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+          PFATAL(
+              "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+              "specified!");
+
       }
 
       if (qemu_preload)
@@ -729,7 +733,7 @@ static void set_up_environment(void) {
         buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
 
       setenv("QEMU_SET_ENV", buf, 1);
-      
+
       ck_free(buf);
 
     } else {
@@ -861,9 +865,8 @@ static void find_binary(u8* fname) {
 
 int main(int argc, char** argv) {
 
-  s32 opt;
-  u8  mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0,
-     use_wine = 0;
+  s32    opt;
+  u8     mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
   char** use_argv;
 
   doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;

src/afl-fuzz-python.c

@@ -345,7 +345,12 @@ u8 trim_case_python(char** argv, struct queue_entry* q, u8* in_buf) {
     fault = run_target(argv, exec_tmout);
     ++trim_execs;
 
-    if (stop_soon || fault == FAULT_ERROR) goto abort_trimming;
+    if (stop_soon || fault == FAULT_ERROR) {
+
+      free(retbuf);
+      goto abort_trimming;
+
+    }
 
     cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);
 
@@ -381,6 +386,8 @@ u8 trim_case_python(char** argv, struct queue_entry* q, u8* in_buf) {
 
     }
 
+    free(retbuf);
+
     /* Since this can be slow, update the screen every now and then. */
 
     if (!(trim_exec++ % stats_update_freq)) show_stats();

src/afl-fuzz.c

@@ -717,11 +717,15 @@ int main(int argc, char** argv) {
       u8* qemu_preload = getenv("QEMU_SET_ENV");
       u8* afl_preload = getenv("AFL_PRELOAD");
       u8* buf;
-      
+
       s32 i, afl_preload_size = strlen(afl_preload);
       for (i = 0; i < afl_preload_size; ++i) {
+
         if (afl_preload[i] == ',')
-          PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+          PFATAL(
+              "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+              "specified!");
+
       }
 
       if (qemu_preload)
@@ -730,7 +734,7 @@ int main(int argc, char** argv) {
         buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
 
       setenv("QEMU_SET_ENV", buf, 1);
-      
+
       ck_free(buf);
 
     } else {

src/afl-showmap.c

@@ -365,11 +365,15 @@ static void set_up_environment(void) {
       u8* qemu_preload = getenv("QEMU_SET_ENV");
       u8* afl_preload = getenv("AFL_PRELOAD");
       u8* buf;
-      
+
       s32 i, afl_preload_size = strlen(afl_preload);
       for (i = 0; i < afl_preload_size; ++i) {
+
         if (afl_preload[i] == ',')
-          PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+          PFATAL(
+              "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+              "specified!");
+
       }
 
       if (qemu_preload)
@@ -378,7 +382,7 @@ static void set_up_environment(void) {
         buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
 
       setenv("QEMU_SET_ENV", buf, 1);
-      
+
       ck_free(buf);
 
     } else {
@@ -524,9 +528,8 @@ static void find_binary(u8* fname) {
 
 int main(int argc, char** argv) {
 
-  s32 opt;
-  u8  mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0,
-     use_wine = 0;
+  s32    opt;
+  u8     mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
   u32    tcnt = 0;
   char** use_argv;
 

src/afl-tmin.c

@@ -889,11 +889,15 @@ static void set_up_environment(void) {
       u8* qemu_preload = getenv("QEMU_SET_ENV");
       u8* afl_preload = getenv("AFL_PRELOAD");
       u8* buf;
-      
+
       s32 i, afl_preload_size = strlen(afl_preload);
       for (i = 0; i < afl_preload_size; ++i) {
+
         if (afl_preload[i] == ',')
-          PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+          PFATAL(
+              "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+              "specified!");
+
       }
 
       if (qemu_preload)
@@ -902,7 +906,7 @@ static void set_up_environment(void) {
         buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
 
       setenv("QEMU_SET_ENV", buf, 1);
-      
+
       ck_free(buf);
 
     } else {
@@ -1052,9 +1056,8 @@ static void read_bitmap(u8* fname) {
 
 int main(int argc, char** argv) {
 
-  s32 opt;
-  u8  mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0,
-     use_wine = 0;
+  s32    opt;
+  u8     mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
   char** use_argv;
 
   doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;

unicorn_mode/README.md

@@ -2,9 +2,9 @@
 
 The idea and much of the original implementation comes from Nathan Voss <njvoss299@gmail.com>.
 
-The port to afl++ if by Dominik Maier <mail@dmnk.co>.
+The port to afl++ is by Dominik Maier <mail@dmnk.co>.
 
-The CompareCoverage and NeverZero counters features by Andrea Fioraldi <andreafioraldi@gmail.com>.
+The CompareCoverage and NeverZero counters features are by Andrea Fioraldi <andreafioraldi@gmail.com>.
 
 ## 1) Introduction
 
@@ -16,13 +16,13 @@ with afl-gcc or used in QEMU mode, or with other extensions such as
 TriforceAFL.
 
 There is a significant performance penalty compared to native AFL,
-but at least we're able to use AFL on these binaries, right?
+but at least we're able to use AFL++ on these binaries, right?
 
 ## 2) How to use
 
 Requirements: you need an installed python environment.
 
-### Building AFL's Unicorn Mode
+### Building AFL++'s Unicorn Mode
 
 First, make afl++ as usual.
 Once that completes successfully you need to build and add in the Unicorn Mode 
@@ -35,7 +35,7 @@ NOTE: This script checks out a Unicorn Engine fork as submodule that has been te
 and is stable-ish, based on the unicorn engine master. 
 
 Building Unicorn will take a little bit (~5-10 minutes). Once it completes 
-it automatically compiles a sample application and verify that it works.
+it automatically compiles a sample application and verifies that it works.
 
 ### Fuzzing with Unicorn Mode
 
@@ -83,7 +83,7 @@ The 'helper_scripts' directory also contains several helper scripts that allow y
 to dump context from a running process, load it, and hook heap allocations. For details
 on how to use this check out the follow-up blog post to the one linked above.
 
-A example use of AFL-Unicorn mode is discussed in the Paper Unicorefuzz:
+A example use of AFL-Unicorn mode is discussed in the paper Unicorefuzz:
 https://www.usenix.org/conference/woot19/presentation/maier
 
 ## 3) Options
@@ -91,7 +91,7 @@ https://www.usenix.org/conference/woot19/presentation/maier
 As for the QEMU-based instrumentation, the afl-unicorn twist of afl++
 comes with a sub-instruction based instrumentation similar in purpose to laf-intel.
 
-The options that enables Unicorn CompareCoverage are the same used for QEMU.
+The options that enable Unicorn CompareCoverage are the same used for QEMU.
 AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
 values. QEMU_COMPCOV_LEVEL=2 instruments all
 comparison instructions. Comparison instructions are currently instrumented only