ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

added AFL_NO_AUTODICT

Browse Source
This commit is contained in:
van Hauser
2020-12-01 13:13:11 +01:00
parent f7d8643dc4
commit 8584f9d2b5
6 changed files with 112 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/Changelog.md
View File

@ -34,6 +34,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- crashing seeds are now not prohibiting a run anymore but are - crashing seeds are now not prohibiting a run anymore but are
skipped. They are used for splicing though. skipped. They are used for splicing though.
- update MOpt for expanded havoc modes - update MOpt for expanded havoc modes
- setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
- added NO_SPLICING compile option and makefile define - added NO_SPLICING compile option and makefile define
- added INTROSPECTION make target that writes all mutations to - added INTROSPECTION make target that writes all mutations to
out/NAME/introspection.txt out/NAME/introspection.txt

3
docs/env_variables.md
View File

@ -294,6 +294,9 @@ checks or alter some of the more exotic semantics of the tool:
on Linux systems. This slows things down, but lets you run more instances on Linux systems. This slows things down, but lets you run more instances
of afl-fuzz than would be prudent (if you really want to). of afl-fuzz than would be prudent (if you really want to).
- Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
that is compiled into the target.
- `AFL_SKIP_CRASHES` causes AFL++ to tolerate crashing files in the input - `AFL_SKIP_CRASHES` causes AFL++ to tolerate crashing files in the input
queue. This can help with rare situations where a program crashes only queue. This can help with rare situations where a program crashes only
intermittently, but it's not really recommended under normal operating intermittently, but it's not really recommended under normal operating

1
include/envs.h
View File

@ -100,6 +100,7 @@ static char *afl_environment_variables[] = {
"AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_STARTID",
"AFL_LLVM_LTO_DONTWRITEID", "AFL_LLVM_LTO_DONTWRITEID",
"AFL_NO_ARITH", "AFL_NO_ARITH",
"AFL_NO_AUTODICT",
"AFL_NO_BUILTIN", "AFL_NO_BUILTIN",
"AFL_NO_CPU_RED", "AFL_NO_CPU_RED",
"AFL_NO_FORKSRV", "AFL_NO_FORKSRV",

33
instrumentation/README.lto.md
View File

@ -60,7 +60,12 @@ AUTODICTIONARY: 11 strings found
## Getting llvm 11+ ## Getting llvm 11+
### Installing llvm from the llvm repository (version 11) ### Installing llvm version 11
llvm 11 should be available in all current Linux repository.
If you use an outdated Linux distribution read the next section.
### Installing llvm from the llvm repository (version 12)
Installing the llvm snapshot builds is easy and mostly painless: Installing the llvm snapshot builds is easy and mostly painless:
@ -73,11 +78,11 @@ then add the pgp key of llvm and install the packages:
``` ```
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
apt-get update && apt-get upgrade -y apt-get update && apt-get upgrade -y
apt-get install -y clang-11 clang-tools-11 libc++1-11 libc++-11-dev \ apt-get install -y clang-12 clang-tools-12 libc++1-12 libc++-12-dev \
libc++abi1-11 libc++abi-11-dev libclang1-11 libclang-11-dev \ libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \
libclang-common-11-dev libclang-cpp11 libclang-cpp11-dev liblld-11 \ libclang-common-12-dev libclang-cpp11 libclang-cpp11-dev liblld-12 \
liblld-11-dev liblldb-11 liblldb-11-dev libllvm11 libomp-11-dev \ liblld-12-dev liblldb-12 liblldb-12-dev libllvm11 libomp-12-dev \
libomp5-11 lld-11 lldb-11 llvm-11 llvm-11-dev llvm-11-runtime llvm-11-tools libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools
``` ```
### Building llvm yourself (version 12) ### Building llvm yourself (version 12)
@ -120,16 +125,22 @@ While compiling, a dictionary based on string comparisons is automatically
generated and put into the target binary. This dictionary is transfered to afl-fuzz generated and put into the target binary. This dictionary is transfered to afl-fuzz
on start. This improves coverage statistically by 5-10% :) on start. This improves coverage statistically by 5-10% :)
Note that if for any reason you do not want to use the autodictionary feature
then just set the environment variable `AFL_NO_AUTODICT` when starting afl-fuzz.
## Fixed memory map ## Fixed memory map
To speed up fuzzing, it is possible to set a fixed shared memory map. To speed up fuzzing a little bit more, it is possible to set a fixed shared
memory map.
Recommended is the value 0x10000. Recommended is the value 0x10000.
In most cases this will work without any problems. However if a target uses In most cases this will work without any problems. However if a target uses
early constructors, ifuncs or a deferred forkserver this can crash the target. early constructors, ifuncs or a deferred forkserver this can crash the target.
On unusual operating systems/processors/kernels or weird libraries this might
fail so to change the fixed address at compile time set Also on unusual operating systems/processors/kernels or weird libraries the
AFL_LLVM_MAP_ADDR with a better value (a value of 0 or empty sets the map address recommended 0x10000 address might not work, so then change the fixed address.
to be dynamic - the original afl way, which is slower).
To enable this feature set AFL_LLVM_MAP_ADDR with the address.
## Document edge IDs ## Document edge IDs

159
src/afl-forkserver.c
View File

@ -348,9 +348,10 @@ static void report_error_and_exit(int error) {
void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
volatile u8 *stop_soon_p, u8 debug_child_output) { volatile u8 *stop_soon_p, u8 debug_child_output) {
int st_pipe[2], ctl_pipe[2]; int st_pipe[2], ctl_pipe[2];
s32 status; s32 status;
s32 rlen; s32 rlen;
char *ignore_autodict = getenv("AFL_NO_AUTODICT");
if (!be_quiet) { ACTF("Spinning up the fork server..."); } if (!be_quiet) { ACTF("Spinning up the fork server..."); }
@ -607,7 +608,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
fsrv->use_shmem_fuzz = 1; fsrv->use_shmem_fuzz = 1;
if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); } if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); }
if ((status & FS_OPT_AUTODICT) == 0) { if ((status & FS_OPT_AUTODICT) == 0 || ignore_autodict) {
u32 send_status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); u32 send_status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ);
if (write(fsrv->fsrv_ctl_fd, &send_status, 4) != 4) { if (write(fsrv->fsrv_ctl_fd, &send_status, 4) != 4) {
@ -660,16 +661,44 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) { if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) {
if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) { if (ignore_autodict) {
if (!be_quiet) { WARNF("Ignoring offered AUTODICT feature."); }
} else {
if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) {
// this is not afl-fuzz - or it is cmplog - we deny and return
if (fsrv->use_shmem_fuzz) {
status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ);
} else {
status = (FS_OPT_ENABLED);
}
if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) {
FATAL("Writing to forkserver failed.");
}
return;
}
if (!be_quiet) { ACTF("Using AUTODICT feature."); }
// this is not afl-fuzz - or it is cmplog - we deny and return
if (fsrv->use_shmem_fuzz) { if (fsrv->use_shmem_fuzz) {
status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ);
} else { } else {
status = (FS_OPT_ENABLED); status = (FS_OPT_ENABLED | FS_OPT_AUTODICT);
} }
@ -679,82 +708,62 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} }
return; if (read(fsrv->fsrv_st_fd, &status, 4) != 4) {
} FATAL("Reading from forkserver failed.");
if (!be_quiet) { ACTF("Using AUTODICT feature."); }
if (fsrv->use_shmem_fuzz) {
status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ);
} else {
status = (FS_OPT_ENABLED | FS_OPT_AUTODICT);
}
if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) {
FATAL("Writing to forkserver failed.");
}
if (read(fsrv->fsrv_st_fd, &status, 4) != 4) {
FATAL("Reading from forkserver failed.");
}
if (status < 2 || (u32)status > 0xffffff) {
FATAL("Dictionary has an illegal size: %d", status);
}
u32 offset = 0, count = 0;
u32 len = status;
u8 *dict = ck_alloc(len);
if (dict == NULL) {
FATAL("Could not allocate %u bytes of autodictionary memory", len);
}
while (len != 0) {
rlen = read(fsrv->fsrv_st_fd, dict + offset, len);
if (rlen > 0) {
len -= rlen;
offset += rlen;
} else {
FATAL(
"Reading autodictionary fail at position %u with %u bytes "
"left.",
offset, len);
} }
} if (status < 2 || (u32)status > 0xffffff) {
offset = 0; FATAL("Dictionary has an illegal size: %d", status);
while (offset < (u32)status &&
(u8)dict[offset] + offset < (u32)status) {
fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, }
(u8)dict[offset]);
offset += (1 + dict[offset]); u32 offset = 0, count = 0;
count++; u32 len = status;
u8 *dict = ck_alloc(len);
if (dict == NULL) {
FATAL("Could not allocate %u bytes of autodictionary memory", len);
}
while (len != 0) {
rlen = read(fsrv->fsrv_st_fd, dict + offset, len);
if (rlen > 0) {
len -= rlen;
offset += rlen;
} else {
FATAL(
"Reading autodictionary fail at position %u with %u bytes "
"left.",
offset, len);
}
}
offset = 0;
while (offset < (u32)status &&
(u8)dict[offset] + offset < (u32)status) {
fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1,
(u8)dict[offset]);
offset += (1 + dict[offset]);
count++;
}
if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); }
ck_free(dict);
} }
if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); }
ck_free(dict);
} }
} }

1
src/afl-fuzz.c
View File

@ -187,6 +187,7 @@ static void usage(u8 *argv0, int more_help) {
" used. Defaults to 200.\n" " used. Defaults to 200.\n"
"AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n" "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
"AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n" "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
"AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target\n"
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n" "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
"AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n"
"AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n"