ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-13 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1824 from schumilo/dev

Browse Source 
Nyx mode - minor changes
This commit is contained in:
van Hauser
2023-08-04 10:50:46 +00:00
committed by GitHub
parent 0a28bce016 c2a0a24594
commit 738a6c0731
7 changed files with 25 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -229,7 +229,7 @@ Thank you! (For people sending pull requests - please add yourself to this list
Thomas Rooijakkers David Carlier Thomas Rooijakkers David Carlier
Ruben ten Hove Joey Jiao Ruben ten Hove Joey Jiao
fuzzah @intrigus-lgtm fuzzah @intrigus-lgtm
Yaakov Saxon Yaakov Saxon Sergej Schumilo
``` ```
</details> </details>

2
include/envs.h
View File

@ -190,6 +190,8 @@ static char *afl_environment_variables[] = {
"AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_NOOPT", "AFL_NOOPT",
"AFL_NYX_AUX_SIZE", "AFL_NYX_AUX_SIZE",
"AFL_NYX_DISABLE_SNAPSHOT_MODE",
"AFL_NYX_REUSE_SNAPSHOT",
"AFL_PASSTHROUGH", "AFL_PASSTHROUGH",
"AFL_PATH", "AFL_PATH",
"AFL_PERFORMANCE_FILE", "AFL_PERFORMANCE_FILE",

2
nyx_mode/QEMU-Nyx

Submodule nyx_mode/QEMU-Nyx updated: a09d3ae2e6...874fa033d1

2
nyx_mode/QEMU_NYX_VERSION
View File

@ -1 +1 @@
a09d3ae2e6 874fa033d1

8
nyx_mode/README.md
View File

@ -150,12 +150,12 @@ afl-cmin -i in_dir -o out_dir -X -- ./PACKAGE-DIRECTORY
On each program startup of one the AFL++ tools in Nyx mode, a Nyx VM is spawned, and a bootstrapping procedure is performed inside the VM to prepare the target environment. As a consequence, due to the bootstrapping procedure, the launch performance is much slower compared to other modes. However, this can be optimized by reusing an existing fuzzing snapshot to avoid the slow re-execution of the bootstrap procedure. On each program startup of one the AFL++ tools in Nyx mode, a Nyx VM is spawned, and a bootstrapping procedure is performed inside the VM to prepare the target environment. As a consequence, due to the bootstrapping procedure, the launch performance is much slower compared to other modes. However, this can be optimized by reusing an existing fuzzing snapshot to avoid the slow re-execution of the bootstrap procedure.
A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual: A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `AFL_NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual:
```shell ```shell
afl-fuzz -i ./in_dir -o ./out_dir -Y -M 0 ./PACKAGE-DIRECTORY afl-fuzz -i ./in_dir -o ./out_dir -Y -M 0 ./PACKAGE-DIRECTORY
NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X -- ./PACKAGE-DIRECTORY AFL_NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X -- ./PACKAGE-DIRECTORY
``` ```
@ -311,7 +311,7 @@ command:
``` ```
If you want to disable fast snapshots (except for crashes), you can simply set If you want to disable fast snapshots (except for crashes), you can simply set
the `NYX_DISABLE_SNAPSHOT_MODE` environment variable. the `AFL_NYX_DISABLE_SNAPSHOT_MODE` environment variable.
### Nyx crash reports ### Nyx crash reports
@ -331,7 +331,7 @@ the header (1408 bytes) and the remaining bytes can be used to transfer crash
reports (also the `hprintf` feature utilizes the very same shared memory for reports (also the `hprintf` feature utilizes the very same shared memory for
transferring data). By default a crash report will be truncated to 2688 bytes. transferring data). By default a crash report will be truncated to 2688 bytes.
However, if you want to increase the size of the shared memory region, you can However, if you want to increase the size of the shared memory region, you can
set the `NYX_AUX_BUFFER_SIZE` environment variable to a higher value (keep in set the `AFL_NYX_AUX_SIZE` environment variable to a higher value (keep in
mind that this value must be a multiple of 4096). mind that this value must be a multiple of 4096).
### Run AFL++Nyx with a custom agent ### Run AFL++Nyx with a custom agent

27
src/afl-forkserver.c
View File

@ -606,23 +606,23 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} }
if (getenv("NYX_REUSE_SNAPSHOT") != NULL) { if (getenv("AFL_NYX_REUSE_SNAPSHOT") != NULL) {
if (access(getenv("NYX_REUSE_SNAPSHOT"), F_OK) == -1) { if (access(getenv("AFL_NYX_REUSE_SNAPSHOT"), F_OK) == -1) {
NYX_PRE_FATAL(fsrv, "NYX_REUSE_SNAPSHOT path does not exist"); NYX_PRE_FATAL(fsrv, "AFL_NYX_REUSE_SNAPSHOT path does not exist");
} }
/* stupid sanity check to avoid passing an empty or invalid snapshot /* stupid sanity check to avoid passing an empty or invalid snapshot
* directory */ * directory */
char *snapshot_file_path = char *snapshot_file_path =
alloc_printf("%s/global.state", getenv("NYX_REUSE_SNAPSHOT")); alloc_printf("%s/global.state", getenv("AFL_NYX_REUSE_SNAPSHOT"));
if (access(snapshot_file_path, R_OK) == -1) { if (access(snapshot_file_path, R_OK) == -1) {
NYX_PRE_FATAL( NYX_PRE_FATAL(fsrv,
fsrv, "AFL_NYX_REUSE_SNAPSHOT path does not contain a valid "
"NYX_REUSE_SNAPSHOT path does not contain a valid Nyx snapshot"); "Nyx snapshot");
} }
@ -634,13 +634,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
char *workdir_snapshot_path = char *workdir_snapshot_path =
alloc_printf("%s/workdir/snapshot", outdir_path_absolute); alloc_printf("%s/workdir/snapshot", outdir_path_absolute);
char *reuse_snapshot_path_real = char *reuse_snapshot_path_real =
realpath(getenv("NYX_REUSE_SNAPSHOT"), NULL); realpath(getenv("AFL_NYX_REUSE_SNAPSHOT"), NULL);
if (strcmp(workdir_snapshot_path, reuse_snapshot_path_real) == 0) { if (strcmp(workdir_snapshot_path, reuse_snapshot_path_real) == 0) {
NYX_PRE_FATAL(fsrv, NYX_PRE_FATAL(
"NYX_REUSE_SNAPSHOT path is located in current workdir " fsrv,
"(use another output directory)"); "AFL_NYX_REUSE_SNAPSHOT path is located in current workdir "
"(use another output directory)");
} }
@ -648,7 +649,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
ck_free(workdir_snapshot_path); ck_free(workdir_snapshot_path);
fsrv->nyx_handlers->nyx_config_set_reuse_snapshot_path( fsrv->nyx_handlers->nyx_config_set_reuse_snapshot_path(
nyx_config, getenv("NYX_REUSE_SNAPSHOT")); nyx_config, getenv("AFL_NYX_REUSE_SNAPSHOT"));
} }
@ -670,7 +671,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner); fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner);
fsrv->nyx_handlers->nyx_option_set_reload_mode( fsrv->nyx_handlers->nyx_option_set_reload_mode(
fsrv->nyx_runner, getenv("NYX_DISABLE_SNAPSHOT_MODE") == NULL); fsrv->nyx_runner, getenv("AFL_NYX_DISABLE_SNAPSHOT_MODE") == NULL);
fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner);
fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0); fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0);

3
src/afl-fuzz.c
View File

@ -302,7 +302,8 @@ static void usage(u8 *argv0, int more_help) {
"AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.\n" "AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.\n"
" Increase this value in case the crash reports are truncated.\n" " Increase this value in case the crash reports are truncated.\n"
" Default value is 4096.\n" " Default value is 4096.\n"
"AFL_NYX_DISABLE_SNAPSHOT_MODE: disable snapshot mode (must be supported by the agent)\n"
"AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot\n"
DYN_COLOR DYN_COLOR
"AFL_PATH: path to AFL support binaries\n" "AFL_PATH: path to AFL support binaries\n"