fixed shmap fuzzing

2025-06-17 12:18:08 +00:00 · 2020-06-09 03:03:21 +02:00
parent 646237e234
commit 92b8c5bb60
9 changed files with 50 additions and 41 deletions
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@ -122,6 +122,8 @@ static void __afl_map_shm_fuzz() {
  if (id_str) {
    u8 *map = NULL;
 #ifdef USEMMAP
    const char *   shm_file_path = id_str;
    int            shm_fd = -1;
@ -137,26 +139,29 @@ static void __afl_map_shm_fuzz() {
    }
-    __afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
+    map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
 #else
    u32 shm_id = atoi(id_str);
-
+    map = (u8 *)shmat(shm_id, NULL, 0);
    __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
 #endif
    /* Whooooops. */
-    if (__afl_fuzz_len == (void *)-1) {
+    if (!map || map == (void *)-1) {
-      fprintf(stderr, "Error: could not access fuzzing shared memory\n");
+      perror("Could not access fuzzign shared memory");
      exit(1);
    }
-    if (getenv("AFL_DEBUG"))
+    __afl_fuzz_len = (u32 *)map;
    __afl_fuzz_ptr = (u8 *)(map + sizeof(u32));
    if (getenv("AFL_DEBUG")) {
      fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n");
    }
  } else {
@ -165,8 +170,6 @@ static void __afl_map_shm_fuzz() {
  }
  __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
 }
 /* SHM setup. */
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@ -147,20 +147,22 @@ static void afl_map_shm_fuzz(void) {
  if (id_str) {
    u32 shm_id = atoi(id_str);
-    shared_buf_len = (u32 *)shmat(shm_id, NULL, 0);
+    u8 *map = (u8 *)shmat(shm_id, NULL, 0);
    shared_buf = (u8 *)(shared_buf_len + sizeof(int));
    /* Whooooops. */
-    if (shared_buf == (void *)-1) {
+    if (!map || map == (void *)-1) {
-      fprintf(stderr, "[AFL] ERROR:  could not access fuzzing shared memory\n");
+      perror("[AFL] ERROR: could not access fuzzing shared memory");
      exit(1);
    }
-    if (getenv("AFL_DEBUG"))
+    shared_buf_len = (u32 *)map;
    shared_buf = map + sizeof(u32);
    if (getenv("AFL_DEBUG")) {
      fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n");
    }
  } else {
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
    *fsrv->shmem_fuzz_len = len;
    memcpy(fsrv->shmem_fuzz, buf, len);
-    // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);
+    //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout);
  } else {
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -1960,26 +1960,20 @@ void setup_testcase_shmem(afl_state_t *afl) {
  afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
  // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
-  if ((afl->fsrv.shmem_fuzz_len =
+  u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
-           (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
+
  if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
 #ifdef USEMMAP
  setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
 #else
-    u8 *shm_str;
+  u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
    shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
  setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
  ck_free(shm_str);
 #endif
  afl->fsrv.support_shmem_fuzz = 1;
-    afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int));
+  afl->fsrv.shmem_fuzz_len = (u32 *)map;
-
+  afl->fsrv.shmem_fuzz = map + sizeof(u32);
  } else {
    ck_free(afl->shm_fuzz);
    afl->shm_fuzz = NULL;
  }
 }
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@ -1 +1 @@
-9e9b72a
+e30e3eb
--- a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
+++ b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
@ -11,7 +11,7 @@
   Run under AFL as follows:
   $ cd <afl_path>/unicorn_mode/samples/simple/
-   $ ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@ 
+   $ AFL_COMPCOV_LEVEL=2 ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
 """
 import argparse
--- a/unicorn_mode/samples/persistent/Makefile
+++ b/unicorn_mode/samples/persistent/Makefile
@ -38,7 +38,7 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h
 	${MYCC} ${CFLAGS} -O3 -c harness.c
 harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
-	${MYCC} ${CFLAGS} -g -c harness.c -o $@
+	${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@
 harness: harness.o
 	${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@
--- a/unicorn_mode/samples/persistent/harness.c
+++ b/unicorn_mode/samples/persistent/harness.c
@ -129,6 +129,16 @@ static bool place_input_callback(
        return false;
    }
 #if defined(AFL_DEBUG)
    printf("[d] harness: input len=%ld, [ ", input_len);
    int i = 0;
    for (i = 0; i < input_len && i < 16; i++) {
        printf("0x%02x ", (unsigned char) input[i]);
    }
    if (input_len > 16) printf("... ");
    printf("]\n");
 #endif
    // For persistent mode, we have to set up stack and memory each time.
    uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back
    // Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly)
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl