fixed shmap fuzzing

This commit is contained in:
Dominik Maier
2020-06-09 03:03:21 +02:00
parent 646237e234
commit 92b8c5bb60
9 changed files with 50 additions and 41 deletions


@ -122,6 +122,8 @@ static void __afl_map_shm_fuzz() {
if (id_str) { if (id_str) {
u8 *map = NULL;
#ifdef USEMMAP #ifdef USEMMAP
const char * shm_file_path = id_str; const char * shm_file_path = id_str;
int shm_fd = -1; int shm_fd = -1;
@ -137,26 +139,29 @@ static void __afl_map_shm_fuzz() {
} }
__afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
#else #else
u32 shm_id = atoi(id_str); u32 shm_id = atoi(id_str);
map = (u8 *)shmat(shm_id, NULL, 0);
__afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
#endif #endif
/* Whooooops. */ /* Whooooops. */
if (__afl_fuzz_len == (void *)-1) { if (!map || map == (void *)-1) {
fprintf(stderr, "Error: could not access fuzzing shared memory\n"); perror("Could not access fuzzign shared memory");
exit(1); exit(1);
} }
if (getenv("AFL_DEBUG")) __afl_fuzz_len = (u32 *)map;
__afl_fuzz_ptr = (u8 *)(map + sizeof(u32));
if (getenv("AFL_DEBUG")) {
fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n"); fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n");
}
} else { } else {
@ -165,8 +170,6 @@ static void __afl_map_shm_fuzz() {
} }
__afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
} }
/* SHM setup. */ /* SHM setup. */
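Review bot: The USEMMAP branch maps only MAX_FILE bytes (`map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);`), but the fuzzer side creates the region as `MAX_FILE + sizeof(u32)` in setup_testcase_shmem and the target then sets `__afl_fuzz_ptr = map + sizeof(u32)`, so the last sizeof(u32) bytes of a test case that fills the region lie past the end of the mapping and will fault whenever MAX_FILE is page-aligned. The mmap length should match the creator: `map = (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0);`. The shmat branch is unaffected because shmat attaches the whole segment. Separately, the new perror text misspells the word: `perror("Could not access fuzzing shared memory");`. __afl_map_shm_fuzz begins and ends outside the shown hunks.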


@ -147,20 +147,22 @@ static void afl_map_shm_fuzz(void) {
if (id_str) { if (id_str) {
u32 shm_id = atoi(id_str); u32 shm_id = atoi(id_str);
shared_buf_len = (u32 *)shmat(shm_id, NULL, 0); u8 *map = (u8 *)shmat(shm_id, NULL, 0);
shared_buf = (u8 *)(shared_buf_len + sizeof(int));
/* Whooooops. */ /* Whooooops. */
if (shared_buf == (void *)-1) { if (!map || map == (void *)-1) {
fprintf(stderr, "[AFL] ERROR: could not access fuzzing shared memory\n"); perror("[AFL] ERROR: could not access fuzzing shared memory");
exit(1); exit(1);
} }
if (getenv("AFL_DEBUG")) shared_buf_len = (u32 *)map;
shared_buf = map + sizeof(u32);
if (getenv("AFL_DEBUG")) {
fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n"); fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n");
}
} else { } else {
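Review bot: The u32-length-then-payload layout that `shared_buf_len = (u32 *)map;` and `shared_buf = map + sizeof(u32);` decode is defined only implicitly, here and again in __afl_map_shm_fuzz and setup_testcase_shmem, so a later change to one side silently breaks the other; a one-line comment at the assignment would tie them together: `/* Layout shared with setup_testcase_shmem: u32 test case length, then up to MAX_FILE bytes of data. */`. Also, shmat signals failure only through `(void *)-1`, so the `!map` half of the new check can never trigger in this shmat-only function; keeping it is harmless but reads as if a NULL return were possible. afl_map_shm_fuzz begins and ends outside the hunk.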


@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
*fsrv->shmem_fuzz_len = len; *fsrv->shmem_fuzz_len = len;
memcpy(fsrv->shmem_fuzz, buf, len); memcpy(fsrv->shmem_fuzz, buf, len);
// fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len); //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout);
} else { } else {
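Review bot: The hunk only swaps one commented-out debug print for another, leaving dead code next to the memcpy; either delete the line or gate it on a build-time debug macro so it cannot rot further. More importantly for this path, the shared region is created with room for a u32 header plus MAX_FILE bytes (see setup_testcase_shmem), and nothing visible here bounds len before `memcpy(fsrv->shmem_fuzz, buf, len);`; unless every caller already clamps to MAX_FILE, a guard such as `if (len > MAX_FILE) { FATAL("test case exceeds MAX_FILE"); }` ahead of the length write keeps an oversized buffer from running past the mapping. afl_fsrv_write_to_testcase begins and ends outside the hunk.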


@ -1960,28 +1960,22 @@ void setup_testcase_shmem(afl_state_t *afl) {
afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
if ((afl->fsrv.shmem_fuzz_len = u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
(u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP #ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
#else #else
u8 *shm_str; u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); ck_free(shm_str);
ck_free(shm_str);
#endif #endif
afl->fsrv.support_shmem_fuzz = 1; afl->fsrv.support_shmem_fuzz = 1;
afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int)); afl->fsrv.shmem_fuzz_len = (u32 *)map;
afl->fsrv.shmem_fuzz = map + sizeof(u32);
} else { }
ck_free(afl->shm_fuzz);
afl->shm_fuzz = NULL;
}
}
/* Do a PATH search and find target binary to see that it exists and /* Do a PATH search and find target binary to see that it exists and
isn't a shell script - a common and painful mistake. We also check for isn't a shell script - a common and painful mistake. We also check for
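Review bot: The new `if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }` turns what used to be a graceful fallback (free afl->shm_fuzz, set it to NULL, run without shared-memory test cases) into an abort, and the commit message does not say this is intended. If afl_shm_init already terminates on every failure so NULL is unreachable, the FATAL is fine as a bug trap but the comment above it should say so; if it can return NULL when shared memory is unavailable, the old else branch should be kept so the fuzzer still starts. Either way a short comment on the u32-header layout encoded by `afl->fsrv.shmem_fuzz_len = (u32 *)map;` and `afl->fsrv.shmem_fuzz = map + sizeof(u32);` would help, since the target-side code decodes the same offsets by hand. setup_testcase_shmem begins outside the hunk.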


@ -1 +1 @@
9e9b72a e30e3eb


@ -1,5 +1,5 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
Simple test harness for AFL's Unicorn Mode. Simple test harness for AFL's Unicorn Mode.
This loads the compcov_target.bin binary (precompiled as MIPS code) into This loads the compcov_target.bin binary (precompiled as MIPS code) into
@ -11,7 +11,7 @@
Run under AFL as follows: Run under AFL as follows:
$ cd <afl_path>/unicorn_mode/samples/simple/ $ cd <afl_path>/unicorn_mode/samples/simple/
$ ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@ $ AFL_COMPCOV_LEVEL=2 ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
""" """
import argparse import argparse
@ -42,22 +42,22 @@ try:
print(" Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr)) print(" Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr))
except ImportError: except ImportError:
def unicorn_debug_instruction(uc, address, size, user_data): def unicorn_debug_instruction(uc, address, size, user_data):
print(" Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size)) print(" Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
def unicorn_debug_block(uc, address, size, user_data): def unicorn_debug_block(uc, address, size, user_data):
print("Basic Block: addr=0x{0:016x}, size=0x{1:016x}".format(address, size)) print("Basic Block: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
def unicorn_debug_mem_access(uc, access, address, size, value, user_data): def unicorn_debug_mem_access(uc, access, address, size, value, user_data):
if access == UC_MEM_WRITE: if access == UC_MEM_WRITE:
print(" >>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) print(" >>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value))
else: else:
print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size))
def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data): def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data):
if access == UC_MEM_WRITE_UNMAPPED: if access == UC_MEM_WRITE_UNMAPPED:
print(" >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) print(" >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value))
else: else:
print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size))
def main(): def main():


@ -38,7 +38,7 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h
${MYCC} ${CFLAGS} -O3 -c harness.c ${MYCC} ${CFLAGS} -O3 -c harness.c
harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
${MYCC} ${CFLAGS} -g -c harness.c -o $@ ${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@
harness: harness.o harness: harness.o
${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@


@ -129,6 +129,16 @@ static bool place_input_callback(
return false; return false;
} }
#if defined(AFL_DEBUG)
printf("[d] harness: input len=%ld, [ ", input_len);
int i = 0;
for (i = 0; i < input_len && i < 16; i++) {
printf("0x%02x ", (unsigned char) input[i]);
}
if (input_len > 16) printf("... ");
printf("]\n");
#endif
// For persistent mode, we have to set up stack and memory each time. // For persistent mode, we have to set up stack and memory each time.
uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back
// Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly) // Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly)
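Review bot: `printf("[d] harness: input len=%ld, [ ", input_len);` pairs `%ld` with input_len, whose type is not visible here; if it is the size_t that the unicornafl place-input callback receives, the specifier mismatch is undefined behaviour and should be `%zu`. The loop index is a plain int compared against input_len, which also trips -Wsign-compare; `for (size_t i = 0; i < input_len && i < 16; i++) {` fixes both without the separate `int i = 0;` declaration. The block is compiled only with AFL_DEBUG, so this only matters for the harness-debug.o target that now defines it. place_input_callback begins outside the hunk.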