fixed shmap fuzzing
@ -122,6 +122,8 @@ static void __afl_map_shm_fuzz() {
|
||||
|
||||
if (id_str) {
|
||||
|
||||
u8 *map = NULL;
|
||||
|
||||
#ifdef USEMMAP
|
||||
const char * shm_file_path = id_str;
|
||||
int shm_fd = -1;
|
||||
@ -137,26 +139,29 @@ static void __afl_map_shm_fuzz() {
|
||||
|
||||
}
|
||||
|
||||
__afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
|
||||
map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
|
||||
|
||||
#else
|
||||
u32 shm_id = atoi(id_str);
|
||||
|
||||
__afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
|
||||
map = (u8 *)shmat(shm_id, NULL, 0);
|
||||
|
||||
#endif
|
||||
|
||||
/* Whooooops. */
|
||||
|
||||
if (__afl_fuzz_len == (void *)-1) {
|
||||
if (!map || map == (void *)-1) {
|
||||
|
||||
fprintf(stderr, "Error: could not access fuzzing shared memory\n");
|
||||
perror("Could not access fuzzign shared memory");
|
||||
exit(1);
|
||||
|
||||
}
|
||||
|
||||
if (getenv("AFL_DEBUG"))
|
||||
__afl_fuzz_len = (u32 *)map;
|
||||
__afl_fuzz_ptr = (u8 *)(map + sizeof(u32));
|
||||
|
||||
if (getenv("AFL_DEBUG")) {
|
||||
fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n");
|
||||
}
|
||||
|
||||
} else {
|
||||
|
||||
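Review bot: The USEMMAP path still maps only MAX_FILE bytes (`map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);`) while setup_testcase_shmem in this same commit creates the segment as MAX_FILE + sizeof(u32); with __afl_fuzz_ptr set to map + sizeof(u32), a test case of the maximum length ends sizeof(u32) bytes past the mapping, and if MAX_FILE is page-aligned that is past the mapped pages. The mapping length should match the producer: `map = (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0);`. The new error string also has a typo, `perror("Could not access fuzzing shared memory");`. __afl_map_shm_fuzz starts and ends outside this hunk.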
@ -165,8 +170,6 @@ static void __afl_map_shm_fuzz() {
|
||||
|
||||
}
|
||||
|
||||
__afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
|
||||
|
||||
}
|
||||
|
||||
/* SHM setup. */
|
||||
|
@ -147,20 +147,22 @@ static void afl_map_shm_fuzz(void) {
|
||||
if (id_str) {
|
||||
|
||||
u32 shm_id = atoi(id_str);
|
||||
shared_buf_len = (u32 *)shmat(shm_id, NULL, 0);
|
||||
shared_buf = (u8 *)(shared_buf_len + sizeof(int));
|
||||
|
||||
u8 *map = (u8 *)shmat(shm_id, NULL, 0);
|
||||
/* Whooooops. */
|
||||
|
||||
if (shared_buf == (void *)-1) {
|
||||
if (!map || map == (void *)-1) {
|
||||
|
||||
fprintf(stderr, "[AFL] ERROR: could not access fuzzing shared memory\n");
|
||||
perror("[AFL] ERROR: could not access fuzzing shared memory");
|
||||
exit(1);
|
||||
|
||||
}
|
||||
|
||||
if (getenv("AFL_DEBUG"))
|
||||
shared_buf_len = (u32 *)map;
|
||||
shared_buf = map + sizeof(u32);
|
||||
|
||||
if (getenv("AFL_DEBUG")) {
|
||||
fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n");
|
||||
}
|
||||
|
||||
} else {
|
||||
|
||||
|
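Review bot: `u32 shm_id = atoi(id_str);` accepts any string, so a malformed or out-of-range SHM_FUZZ_ENV_VAR value silently becomes 0 or a truncated id, and the `!map || map == (void *)-1` check only fires if shmat() happens to reject that id rather than attaching some other segment it names. Parsing with strtoul and rejecting an empty or partially consumed string would turn that into an explicit failure: `char *end = NULL; unsigned long id = strtoul(id_str, &end, 10);` followed by `if (end == id_str || *end != '\0') { perror("[AFL] ERROR: bad fuzzing shared memory id"); exit(1); }`. The same atoi() parse is on the `#else` path of __afl_map_shm_fuzz in the earlier hunk. The `!map` half of the check is dead since shmat() never returns NULL, though harmless. afl_map_shm_fuzz starts and ends outside this hunk.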
@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
|
||||
|
||||
*fsrv->shmem_fuzz_len = len;
|
||||
memcpy(fsrv->shmem_fuzz, buf, len);
|
||||
// fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);
|
||||
//printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout);
|
||||
|
||||
} else {
|
||||
|
||||
|
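Review bot: The new line `//printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout);` swaps one piece of commented-out debug code for another; it should be dropped or placed under the same guard the runtimes use, e.g. `if (getenv("AFL_DEBUG")) { fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len); }`. Separately, `*fsrv->shmem_fuzz_len = len;` narrows a size_t into a u32 and the following memcpy is not bounded against the segment created in setup_testcase_shmem (MAX_FILE + sizeof(u32)); if every caller already clamps len to MAX_FILE this is fine, otherwise an explicit check here would make that invariant visible. afl_fsrv_write_to_testcase starts and ends outside this hunk.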
@ -1960,26 +1960,20 @@ void setup_testcase_shmem(afl_state_t *afl) {
|
||||
afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
|
||||
|
||||
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
|
||||
if ((afl->fsrv.shmem_fuzz_len =
|
||||
(u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
|
||||
u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
|
||||
|
||||
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
|
||||
|
||||
#ifdef USEMMAP
|
||||
setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
|
||||
#else
|
||||
u8 *shm_str;
|
||||
shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
|
||||
u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
|
||||
setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
|
||||
ck_free(shm_str);
|
||||
#endif
|
||||
afl->fsrv.support_shmem_fuzz = 1;
|
||||
afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int));
|
||||
|
||||
} else {
|
||||
|
||||
ck_free(afl->shm_fuzz);
|
||||
afl->shm_fuzz = NULL;
|
||||
|
||||
}
|
||||
afl->fsrv.shmem_fuzz_len = (u32 *)map;
|
||||
afl->fsrv.shmem_fuzz = map + sizeof(u32);
|
||||
|
||||
}
|
||||
|
||||
|
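Review bot: The segment layout, a u32 test-case length followed by up to MAX_FILE bytes of data, is now expressed only as arithmetic (`MAX_FILE + sizeof(u32)` and `map + sizeof(u32)` here, and `map + sizeof(u32)` again in both runtime map functions), so a comment above the afl_shm_init call would keep the three sites in step: `/* Layout: u32 test case length, then up to MAX_FILE bytes of test case data; the runtimes mirror this offset. */`. The previous fallback that freed afl->shm_fuzz and left support_shmem_fuzz unset is replaced by a FATAL; presumably afl_shm_init already aborts on real failures, but if it can return NULL for a recoverable reason this changes behaviour. setup_testcase_shmem starts outside this hunk.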
@ -1 +1 @@
|
||||
9e9b72a
|
||||
e30e3eb
|
||||
|
@ -11,7 +11,7 @@
|
||||
Run under AFL as follows:
|
||||
|
||||
$ cd <afl_path>/unicorn_mode/samples/simple/
|
||||
$ ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
|
||||
$ AFL_COMPCOV_LEVEL=2 ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
|
||||
"""
|
||||
|
||||
import argparse
|
||||
|
@ -38,7 +38,7 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h
|
||||
${MYCC} ${CFLAGS} -O3 -c harness.c
|
||||
|
||||
harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
|
||||
${MYCC} ${CFLAGS} -g -c harness.c -o $@
|
||||
${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@
|
||||
|
||||
harness: harness.o
|
||||
${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@
|
||||
|
@ -129,6 +129,16 @@ static bool place_input_callback(
|
||||
return false;
|
||||
}
|
||||
|
||||
#if defined(AFL_DEBUG)
|
||||
printf("[d] harness: input len=%ld, [ ", input_len);
|
||||
int i = 0;
|
||||
for (i = 0; i < input_len && i < 16; i++) {
|
||||
printf("0x%02x ", (unsigned char) input[i]);
|
||||
}
|
||||
if (input_len > 16) printf("... ");
|
||||
printf("]\n");
|
||||
#endif
|
||||
|
||||
// For persistent mode, we have to set up stack and memory each time.
|
||||
uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back
|
||||
// Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly)
|
||||
|
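Review bot: `printf("[d] harness: input len=%ld, [ ", input_len);` uses %ld for input_len, whose type is declared in the place_input_callback signature outside this hunk; if it is size_t, as unicornafl's callback signature would suggest, the specifier should be `%zu`, since a mismatched conversion is undefined behaviour and -Wformat will flag it. The loop index is an `int` compared against input_len, which mixes signedness; declaring it in the loop avoids both the extra statement and the warning, `for (size_t i = 0; i < input_len && i < 16; i++) {`. The function starts outside this hunk.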
Submodule unicorn_mode/unicornafl updated: 9e9b72a91f...e30e3ebbdb