Merge pull request #628 from AFLplusplus/dev

Final push to stable
van Hauser 2020-12-15 09:39:10 +01:00 committed by GitHub
commit 8e712d1a74
16 changed files with 235 additions and 42 deletions


@ -510,15 +510,25 @@ code-format:
.PHONY: test_build .PHONY: test_build
ifndef AFL_NO_X86 ifndef AFL_NO_X86
test_build: afl-cc afl-as afl-showmap test_build: afl-cc afl-gcc afl-as afl-showmap
@echo "[*] Testing the CC wrapper and instrumentation output..." @echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..."
@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 ) @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr @rm -f test-instr
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-cc does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
@echo @echo
@echo "[+] All right, the instrumentation seems to be working!" @echo "[+] All right, the instrumentation of afl-cc seems to be working!"
@echo "[*] Testing the CC wrapper afl-gcc and its instrumentation output..."
@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-gcc failed"; exit 1 )
ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \
gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option."; echo "See docs/INSTALL.md section 5 how to build a -B enabled gcc." ) || \
( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi
@echo
@echo "[+] All right, the instrumentation of afl-gcc seems to be working!"
else else
test_build: afl-cc afl-as afl-showmap test_build: afl-cc afl-as afl-showmap
@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)." @echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
@ -526,10 +536,10 @@ endif
.PHONY: all_done .PHONY: all_done
all_done: test_build all_done: test_build
@test -e afl-cc && echo "[+] Main compiler 'afl-cc' successfully built!" || { echo "[-] Main compiler 'afl-cc' failed to built, set up a working build environment first!" ; exit 1 ; } @test -e afl-cc && echo "[+] Main compiler 'afl-cc' successfully built!" || { echo "[-] Main compiler 'afl-cc' failed to build, set up a working build environment first!" ; exit 1 ; }
@test -e cmplog-instructions-pass.so && echo "[+] LLVM mode for 'afl-cc' successfully built!" || echo "[-] LLVM mode for 'afl-cc' failed to built, likely you either don't llvm installed, or you need to set LLVM_CONFIG, to point to e.g. llvm-config-11. See instrumenation/README.llvm.md how to do this. Highly recommended!" @test -e cmplog-instructions-pass.so && echo "[+] LLVM mode for 'afl-cc' successfully built!" || echo "[-] LLVM mode for 'afl-cc' failed to build, likely you either don't have llvm installed, or you need to set LLVM_CONFIG, to point to e.g. llvm-config-11. See instrumentation/README.llvm.md how to do this. Highly recommended!"
@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode for 'afl-cc' successfully built!" || echo "[-] LLVM LTO mode for 'afl-cc' failed to built, this would need LLVM 11+, see instrumentation/README.lto.md how to build it" @test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode for 'afl-cc' successfully built!" || echo "[-] LLVM LTO mode for 'afl-cc' failed to build, this would need LLVM 11+, see instrumentation/README.lto.md how to build it"
@test -e afl-gcc-pass.so && echo "[+] gcc_plugin for 'afl-cc' successfully built!" || echo "[-] gcc_plugin for 'afl-cc' failed to built, unless you really need it that is fine - or read instrumentation/README.gcc_plugin.md how to build it" @test -e afl-gcc-pass.so && echo "[+] gcc_plugin for 'afl-cc' successfully built!" || echo "[-] gcc_plugin for 'afl-cc' failed to build, unless you really need it that is fine - or read instrumentation/README.gcc_plugin.md how to build it"
@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful." @echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null
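Review bot: The afl-gcc instrumentation failure branch ends with `exit 0` where the afl-cc branch above it ends with `exit 1`, so a misbehaving afl-gcc is printed by `make` but never fails the build. If that is deliberate because afl-gcc depends on a gcc built with external assembler support (the `--with-as` message printed in the same branch), say so on that line, e.g. `# afl-gcc is optional (needs a gcc that accepts -B), so do not fail the build here`; otherwise align it with `exit 1`. Note that `test_build` now also lists afl-gcc as a prerequisite, so a tree that cannot build afl-gcc at all still fails at the prerequisite even though its test result is tolerated.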


@ -4,7 +4,7 @@
![Travis State](https://api.travis-ci.com/AFLplusplus/AFLplusplus.svg?branch=stable) ![Travis State](https://api.travis-ci.com/AFLplusplus/AFLplusplus.svg?branch=stable)
Release Version: [2.68c](https://github.com/AFLplusplus/AFLplusplus/releases) Release Version: [3.00c](https://github.com/AFLplusplus/AFLplusplus/releases)
Github Version: 3.00a Github Version: 3.00a


@ -80,4 +80,3 @@ if [ "$PLATFORM" = "Darwin" ] ; then
DONE=1 DONE=1
fi fi
test -z "$DONE" && echo Error: Unknown platform: $PLATFORM test -z "$DONE" && echo Error: Unknown platform: $PLATFORM
test -z "$AFL_TMPDIR" && echo Also use AFL_TMPDIR and point it to a tmpfs for the input file caching


@ -9,7 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to <afl-users+subscribe@googlegroups.com>. sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++3.00a (develop) ### Version ++3.00c (release)
- llvm_mode/ and gcc_plugin/ moved to instrumentation/ - llvm_mode/ and gcc_plugin/ moved to instrumentation/
- examples/ renamed to utils/ - examples/ renamed to utils/
- moved libdislocator, libtokencap and qdbi_mode to utils/ - moved libdislocator, libtokencap and qdbi_mode to utils/


@ -4,7 +4,7 @@
issues for a variety of platforms. See README.md for the general instruction issues for a variety of platforms. See README.md for the general instruction
manual. manual.
## 1) Linux on x86 ## 1. Linux on x86
--------------- ---------------
This platform is expected to work well. Compile the program with: This platform is expected to work well. Compile the program with:
@ -34,7 +34,7 @@ You may have to change several settings to get optimal results (most notably,
disable crash reporting utilities and switch to a different CPU governor), but disable crash reporting utilities and switch to a different CPU governor), but
afl-fuzz will guide you through that if necessary. afl-fuzz will guide you through that if necessary.
## OpenBSD, FreeBSD, NetBSD on x86 ## 2. OpenBSD, FreeBSD, NetBSD on x86
Similarly to Linux, these platforms are expected to work well and are Similarly to Linux, these platforms are expected to work well and are
regularly tested. Compile everything with GNU make: regularly tested. Compile everything with GNU make:


@ -94,7 +94,8 @@ static inline void *DFL_ck_alloc_nozero(u32 size) {
} }
/* Allocate a buffer, returning zeroed memory. */ /* Allocate a buffer, returning zeroed memory.
Returns null for 0 size */
static inline void *DFL_ck_alloc(u32 size) { static inline void *DFL_ck_alloc(u32 size) {


@ -28,7 +28,7 @@
/* Version string: */ /* Version string: */
// c = release, d = volatile github dev, e = experimental branch // c = release, d = volatile github dev, e = experimental branch
#define VERSION "++3.00a" #define VERSION "++3.00c"
/****************************************************** /******************************************************
* * * *


@ -229,7 +229,7 @@ static void __afl_map_shm_fuzz() {
static void __afl_map_shm(void) { static void __afl_map_shm(void) {
// we we are not running in afl ensure the map exists // if we are not running in afl ensure the map exists
if (!__afl_area_ptr) { __afl_area_ptr = __afl_area_initial; } if (!__afl_area_ptr) { __afl_area_ptr = __afl_area_initial; }
char *id_str = getenv(SHM_ENV_VAR); char *id_str = getenv(SHM_ENV_VAR);


@ -47,6 +47,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <time.h> #include <time.h>
#include <limits.h>
#include <ctype.h> #include <ctype.h>
#include <fcntl.h> #include <fcntl.h>
@ -131,6 +132,11 @@ static void edit_params(int argc, char **argv) {
if (!tmp_dir) { tmp_dir = "/tmp"; } if (!tmp_dir) { tmp_dir = "/tmp"; }
as_params = ck_alloc((argc + 32) * sizeof(u8 *)); as_params = ck_alloc((argc + 32) * sizeof(u8 *));
if (unlikely((INT_MAX - 32) < argc || !as_params)) {
FATAL("Too many parameters passed to as");
}
as_params[0] = afl_as ? afl_as : (u8 *)"as"; as_params[0] = afl_as ? afl_as : (u8 *)"as";
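Review bot: The new argc bound check comes after `as_params = ck_alloc((argc + 32) * sizeof(u8 *));`, so for an argc close to INT_MAX the signed addition has already overflowed (undefined behaviour) by the time `(INT_MAX - 32) < argc` is evaluated. Move that part of the check ahead of the allocation: `if (unlikely((INT_MAX - 32) < argc)) { FATAL("Too many parameters passed to as"); }` and keep `if (unlikely(!as_params))` after the call if ck_alloc can return NULL in this configuration. The new `#include <limits.h>` is what INT_MAX needs, so that part is fine. edit_params continues outside the hunk.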


@ -69,6 +69,7 @@ enum {
INSTRUMENT_INSTRIM = 3, INSTRUMENT_INSTRIM = 3,
INSTRUMENT_CFG = 3, INSTRUMENT_CFG = 3,
INSTRUMENT_LTO = 4, INSTRUMENT_LTO = 4,
INSTRUMENT_LLVMNATIVE = 5,
INSTRUMENT_OPT_CTX = 8, INSTRUMENT_OPT_CTX = 8,
INSTRUMENT_OPT_NGRAM = 16 INSTRUMENT_OPT_NGRAM = 16
@ -76,8 +77,9 @@ enum {
char instrument_mode_string[18][18] = { char instrument_mode_string[18][18] = {
"DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "", "", "", "CTX", "", "DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "", "PCGUARD-NATIVE",
"", "", "", "", "", "", "NGRAM", "" "", "CTX", "", "", "", "", "",
"", "", "NGRAM", ""
}; };
@ -580,6 +582,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
#endif #endif
#endif #endif
} else if (instrument_mode == INSTRUMENT_LLVMNATIVE) {
#if LLVM_MAJOR >= 4
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
#else
FATAL("pcguard instrumentation requires llvm 4.0.1+");
#endif
} else { } else {
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
@ -1162,6 +1172,18 @@ int main(int argc, char **argv, char **envp) {
} }
// this is a hidden option
if (strncasecmp(ptr, "llvmnative", strlen("llvmnative")) == 0 ||
strncasecmp(ptr, "llvm-native", strlen("llvm-native")) == 0) {
if (!instrument_mode || instrument_mode == INSTRUMENT_LLVMNATIVE)
instrument_mode = INSTRUMENT_LLVMNATIVE;
else
FATAL("main instrumentation mode already set with %s",
instrument_mode_string[instrument_mode]);
}
if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 || if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 ||
strncasecmp(ptr, "instrim", strlen("instrim")) == 0) { strncasecmp(ptr, "instrim", strlen("instrim")) == 0) {
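Review bot: The re-laid-out instrument_mode_string table places "PCGUARD-NATIVE" at index 6 (it is the seventh entry of the first row), while the new enum value is `INSTRUMENT_LLVMNATIVE = 5`, so `instrument_mode_string[INSTRUMENT_LLVMNATIVE]` resolves to the empty string at index 5 — visible in the FATAL at the bottom of this section, which prints `instrument_mode_string[instrument_mode]`. Unless an enum value 6 exists outside the hunk, the first row should read `"DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "PCGUARD-NATIVE", "",` which keeps "CTX" at 8 and "NGRAM" at 16 to match INSTRUMENT_OPT_CTX and INSTRUMENT_OPT_NGRAM. A one-line comment above the table, `/* index == instrument_mode value; keep in sync with the enum above */`, would make the positional dependency explicit. In edit_params the `#else` message says "pcguard instrumentation requires llvm 4.0.1+" although the user asked for llvm-native; `FATAL("llvm-native (pcguard) instrumentation requires llvm 4.0.1+")` names what was selected.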


@ -108,6 +108,7 @@ char **argv_cpy_dup(int argc, char **argv) {
int i = 0; int i = 0;
char **ret = ck_alloc((argc + 1) * sizeof(char *)); char **ret = ck_alloc((argc + 1) * sizeof(char *));
if (unlikely(!ret)) { FATAL("Amount of arguments specified is too high"); }
for (i = 0; i < argc; i++) { for (i = 0; i < argc; i++) {
@ -130,6 +131,7 @@ void argv_cpy_free(char **argv) {
while (argv[i]) { while (argv[i]) {
ck_free(argv[i]); ck_free(argv[i]);
argv[i] = NULL;
i++; i++;
} }
@ -142,8 +144,12 @@ void argv_cpy_free(char **argv) {
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
u8 *tmp, *cp = NULL, *rsl, *own_copy;
char **new_argv = ck_alloc(sizeof(char *) * (argc + 4)); char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
u8 * tmp, *cp = NULL, *rsl, *own_copy; if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1)); memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1));
new_argv[argc + 3] = NULL; new_argv[argc + 3] = NULL;
@ -224,8 +230,12 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
u8 *tmp, *cp = NULL, *rsl, *own_copy;
char **new_argv = ck_alloc(sizeof(char *) * (argc + 3)); char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
u8 * tmp, *cp = NULL, *rsl, *own_copy; if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1)); memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1));
new_argv[argc + 2] = NULL; new_argv[argc + 2] = NULL;
@ -335,6 +345,8 @@ u8 *find_binary(u8 *fname) {
struct stat st; struct stat st;
if (unlikely(!fname)) { FATAL("No binary supplied"); }
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
target_path = ck_strdup(fname); target_path = ck_strdup(fname);
@ -356,6 +368,14 @@ u8 *find_binary(u8 *fname) {
if (delim) { if (delim) {
cur_elem = ck_alloc(delim - env_path + 1); cur_elem = ck_alloc(delim - env_path + 1);
if (unlikely(!cur_elem)) {
FATAL(
"Unexpected overflow when processing ENV. This should never "
"happend.");
}
memcpy(cur_elem, env_path, delim - env_path); memcpy(cur_elem, env_path, delim - env_path);
delim++; delim++;
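Review bot: The NULL guards added at the top of get_qemu_argv and get_wine_argv read `if (!unlikely(own_loc))`, which negates the branch hint rather than the pointer: the FATAL path is annotated as the expected one, the opposite of `if (unlikely(!fname))` added to find_binary in the same file. Write both as `if (unlikely(!own_loc)) { FATAL("BUG: param own_loc is NULL"); }`. The new `!new_argv` checks still do not cover argc < 1, where `(argc - 1)` in the following `memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1))` is negative and, converted to the size_t parameter, enormous; `if (unlikely(argc < 1)) { FATAL("BUG: argc must be at least 1"); }` is the missing companion guard. Minor: the new FATAL text in find_binary spells "happend".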


@ -772,10 +772,17 @@ void perform_dry_run(afl_state_t *afl) {
while (q) { while (q) {
u8 *use_mem; u8 use_mem[MAX_FILE];
u8 res; u8 res;
s32 fd; s32 fd;
if (unlikely(!q->len)) {
WARNF("Skipping 0-sized entry in queue (%s)", q->fname);
continue;
}
u8 *fn = strrchr(q->fname, '/') + 1; u8 *fn = strrchr(q->fname, '/') + 1;
ACTF("Attempting dry run with '%s'...", fn); ACTF("Attempting dry run with '%s'...", fn);
@ -783,9 +790,8 @@ void perform_dry_run(afl_state_t *afl) {
fd = open(q->fname, O_RDONLY); fd = open(q->fname, O_RDONLY);
if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); } if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); }
use_mem = ck_alloc_nozero(q->len); u32 read_len = MIN(q->len, (u32)MAX_FILE);
if (read(fd, use_mem, read_len) != (ssize_t)read_len) {
if (read(fd, use_mem, q->len) != (ssize_t)q->len) {
FATAL("Short read from '%s'", q->fname); FATAL("Short read from '%s'", q->fname);
@ -794,7 +800,6 @@ void perform_dry_run(afl_state_t *afl) {
close(fd); close(fd);
res = calibrate_case(afl, q, use_mem, 0, 1); res = calibrate_case(afl, q, use_mem, 0, 1);
ck_free(use_mem);
if (afl->stop_soon) { return; } if (afl->stop_soon) { return; }
@ -2449,6 +2454,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
void check_binary(afl_state_t *afl, u8 *fname) { void check_binary(afl_state_t *afl, u8 *fname) {
if (unlikely(!fname)) { FATAL("BUG: Binary name is NULL"); }
u8 * env_path = 0; u8 * env_path = 0;
struct stat st; struct stat st;
@ -2477,6 +2484,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
if (delim) { if (delim) {
cur_elem = ck_alloc(delim - env_path + 1); cur_elem = ck_alloc(delim - env_path + 1);
if (unlikely(!cur_elem)) { FATAL("Unexpected large PATH"); }
memcpy(cur_elem, env_path, delim - env_path); memcpy(cur_elem, env_path, delim - env_path);
++delim; ++delim;
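Review bot: The `continue` in the new zero-length guard inside `while (q)` skips the rest of the loop body, and if `q` is only advanced at the end of that body (outside the hunk, so inferred), a 0-sized queue entry makes perform_dry_run spin forever on the same entry, repeating the same WARNF. Advance before skipping, `q = q->next; continue;`, or restructure the loop so the advance happens at its top. Separately, `u8 use_mem[MAX_FILE]` replaces a heap buffer with a MAX_FILE-sized array on perform_dry_run's stack; MAX_FILE's value is not on this page, but if it is in the megabyte range this is a large frame, and a buffer allocated once outside the loop would be safer. Since only `read_len = MIN(q->len, (u32)MAX_FILE)` bytes are read, calibrate_case is still handed `q` with its full `q->len` — confirm it does not consume more than read_len bytes of use_mem.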


@ -94,9 +94,9 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
if (unlikely(afl->custom_mutators_count)) { if (unlikely(afl->custom_mutators_count)) {
u8 * new_buf = NULL;
ssize_t new_size = len; ssize_t new_size = len;
void * new_mem = mem; u8 * new_mem = mem;
u8 * new_buf = NULL;
LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
@ -152,13 +152,13 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
if (unlikely(!mem_trimmed)) { PFATAL("alloc"); } if (unlikely(!mem_trimmed)) { PFATAL("alloc"); }
ssize_t new_size = len - skip_len; ssize_t new_size = len - skip_len;
void * new_mem = mem; u8 * new_mem = mem;
u8 * new_buf = NULL;
bool post_process_skipped = true; bool post_process_skipped = true;
if (unlikely(afl->custom_mutators_count)) { if (unlikely(afl->custom_mutators_count)) {
u8 *new_buf = NULL;
new_mem = mem_trimmed; new_mem = mem_trimmed;
LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
@ -205,9 +205,9 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
if (!post_process_skipped) { if (!post_process_skipped) {
// If we did post_processing, copy directly from the new_buf bufer // If we did post_processing, copy directly from the new_mem buffer
memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size); memcpy(afl->fsrv.shmem_fuzz, new_mem, new_size);
} }
@ -265,7 +265,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
if (!post_process_skipped) { if (!post_process_skipped) {
ck_write(fd, new_buf, new_size, afl->fsrv.out_file); ck_write(fd, new_mem, new_size, afl->fsrv.out_file);
} else { } else {


@ -205,7 +205,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
/* map the shared memory segment to the address space of the process */ /* map the shared memory segment to the address space of the process */
shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
shm->cmplog_g_shm_fd, 0); shm->cmplog_g_shm_fd, 0);
if (shm->map == MAP_FAILED) { if (shm->cmp_map == MAP_FAILED) {
close(shm->cmplog_g_shm_fd); close(shm->cmplog_g_shm_fd);
shm->cmplog_g_shm_fd = -1; shm->cmplog_g_shm_fd = -1;
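Review bot: After the corrected `if (shm->cmp_map == MAP_FAILED)` test, the error path closes the fd and resets cmplog_g_shm_fd but leaves `shm->cmp_map` holding MAP_FAILED, which is `(void *)-1` rather than NULL; if later code decides whether cmplog memory is usable with a `if (shm->cmp_map)` check (not visible here), it would take the wrong branch. Add `shm->cmp_map = NULL;` next to `shm->cmplog_g_shm_fd = -1;` so the failed mapping is represented the same way as "never mapped". The remainder of the error branch is outside the hunk.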


@ -2,6 +2,8 @@
. ./test-pre.sh . ./test-pre.sh
AFL_GCC=afl-gcc
$ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" $ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap, afl-fuzz, afl-cmin and afl-tmin"
test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "i386" && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "i386" && {
test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && {
@ -23,8 +25,8 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
CODE=1 CODE=1
} }
rm -f test-instr.plain.0 test-instr.plain.1 rm -f test-instr.plain.0 test-instr.plain.1
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 3 -a "$TUPLES" -lt 11 && { test "$TUPLES" -gt 4 -a "$TUPLES" -lt 11 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES" $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
@ -117,6 +119,137 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
$ECHO "$YELLOW[-] afl is not compiled, cannot test" $ECHO "$YELLOW[-] afl is not compiled, cannot test"
INCOMPLETE=1 INCOMPLETE=1
} }
if [ ${AFL_GCC} = "afl-gcc" ] ; then AFL_GCC=afl-clang ; else AFL_GCC=afl-gcc ; fi
$ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap, afl-fuzz, afl-cmin and afl-tmin"
test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && {
../${AFL_GCC} -o test-instr.plain ../test-instr.c > /dev/null 2>&1
AFL_HARDEN=1 ../${AFL_GCC} -o test-compcov.harden test-compcov.c > /dev/null 2>&1
test -e test-instr.plain && {
$ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded"
echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
test -e test-instr.plain.0 -a -e test-instr.plain.1 && {
diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
$ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not"
CODE=1
} || {
$ECHO "$GREEN[+] ${AFL_GCC} instrumentation present and working correctly"
}
} || {
$ECHO "$RED[!] ${AFL_GCC} instrumentation failed"
CODE=1
}
rm -f test-instr.plain.0 test-instr.plain.1
TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 4 -a "$TUPLES" -lt 11 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || {
$ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
CODE=1
}
} || {
$ECHO "$RED[!] ${AFL_GCC} failed"
echo CUT------------------------------------------------------------------CUT
uname -a
../${AFL_GCC} -o test-instr.plain ../test-instr.c
echo CUT------------------------------------------------------------------CUT
CODE=1
}
test -e test-compcov.harden && {
grep -Eq$GREPAOPTION 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && {
$ECHO "$GREEN[+] ${AFL_GCC} hardened mode succeeded and is working"
} || {
$ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened"
CODE=1
}
rm -f test-compcov.harden
} || {
$ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed"
CODE=1
}
# now we want to be sure that afl-fuzz is working
# make sure core_pattern is set to core on linux
(test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && {
$ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET"
true
}) ||
# make sure crash reporter is disabled on Mac OS X
(test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && {
$ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET"
true
}) || {
mkdir -p in
echo 0 > in/in
$ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds"
{
../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1
} >>errors 2>&1
test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
$ECHO "$GREEN[+] afl-fuzz is working correctly with ${AFL_GCC}"
} || {
echo CUT------------------------------------------------------------------CUT
cat errors
echo CUT------------------------------------------------------------------CUT
$ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}"
CODE=1
}
echo 000000000000000000000000 > in/in2
echo AAA > in/in3
mkdir -p in2
../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr?
CNT=`ls in2/* 2>/dev/null | wc -l`
case "$CNT" in
*2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;;
1) {
test -s in2/* && $ECHO "$YELLOW[?] afl-cmin did minimize to one testcase. This can be a bug or due compiler optimization."
test -s in2/* || {
$ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)"
CODE=1
}
}
;;
*) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)"
CODE=1
;;
esac
rm -f in2/in*
export AFL_QUIET=1
if command -v bash >/dev/null ; then {
../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null
CNT=`ls in2/* 2>/dev/null | wc -l`
case "$CNT" in
*2) $ECHO "$GREEN[+] afl-cmin.bash correctly minimized the number of testcases" ;;
1) {
test -s in2/* && $ECHO "$YELLOW[?] afl-cmin did minimize to one testcase. This can be a bug or due compiler optimization."
test -s in2/* || {
$ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)"
CODE=1
}
}
;;
*) $ECHO "$RED[!] afl-cmin.bash did not correctly minimize the number of testcases ($CNT)"
CODE=1
;;
esac
} else {
$ECHO "$GRAY[*] no bash available, cannot test afl-cmin.bash"
}
fi
../afl-tmin -m ${MEM_LIMIT} -i in/in2 -o in2/in2 -- ./test-instr.plain > /dev/null 2>&1
SIZE=`ls -l in2/in2 2>/dev/null | awk '{print$5}'`
test "$SIZE" = 1 && $ECHO "$GREEN[+] afl-tmin correctly minimized the testcase"
test "$SIZE" = 1 || {
$ECHO "$RED[!] afl-tmin did incorrectly minimize the testcase to $SIZE"
CODE=1
}
rm -rf in out errors in2
unset AFL_QUIET
}
rm -f test-instr.plain
} || {
$ECHO "$YELLOW[-] afl is not compiled, cannot test"
INCOMPLETE=1
}
} || { } || {
$ECHO "$GREY[*] not an intel platform, skipped tests of afl-gcc" $ECHO "$GREY[*] not an intel platform, skipped tests of afl-gcc"
#this is not incomplete as this feature doesnt exist, so all good #this is not incomplete as this feature doesnt exist, so all good
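Review bot: The roughly 130 lines added from `if [ ${AFL_GCC} = "afl-gcc" ]` onward repeat the preceding afl-gcc block almost verbatim with only `${AFL_GCC}` differing, so every future fix has to be made twice; within the new copy the afl-cmin.bash `1)` branch already says "afl-cmin" where the sibling branches say "afl-cmin.bash". Wrapping the shared body in a shell function, or a `for AFL_GCC in afl-gcc afl-clang ; do ... done` loop, would keep a single copy. The first new line should quote the variable, `if [ "${AFL_GCC}" = "afl-gcc" ] ; then`, since an empty or word-split value here is a syntax error that aborts the script. Also, `test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$')` expands to `test` with no operands because `grep -q` prints nothing, so it is always false and the Darwin crash-reporter warning can never fire; `launchctl list 2>/dev/null | grep -q '\.ReportCrash$'` alone is the intended test.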


@ -18,13 +18,7 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size) if (Size) crashme(Data, Size);
fprintf(stderr, "FUNC crc: %016llx len: %lu\n",
hash64((u8 *)Data, (unsigned int)Size,
(unsigned long long int)0xa5b35705),
Size);
crashme(Data, Size);
return 0; return 0;