From 20a8a93fd193f7526f5e3d0cd1dfa43df9d2c4f6 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 12 Nov 2020 01:13:57 +0300 Subject: [PATCH 01/85] Fixed symcc custom mutator --- custom_mutators/symcc/symcc.c | 67 +++++++++++++------ .../symcc/test_examples/file_test.c | 27 ++++++++ .../symcc/test_examples/stdin_test.c | 22 ++++++ src/afl-fuzz-bitmap.c | 10 ++- 4 files changed, 101 insertions(+), 25 deletions(-) create mode 100644 custom_mutators/symcc/test_examples/file_test.c create mode 100644 custom_mutators/symcc/test_examples/stdin_test.c diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c index 18b475b8..ab3d70ca 100644 --- a/custom_mutators/symcc/symcc.c +++ b/custom_mutators/symcc/symcc.c @@ -1,7 +1,10 @@ +#define _GNU_SOURCE #include #include #include #include +#include +#include #include "config.h" #include "debug.h" #include "afl-fuzz.h" @@ -95,40 +98,66 @@ void afl_custom_queue_new_entry(my_mutator_t * data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue) { + int pipefd[2]; + struct stat st; + ACTF("Queueing to symcc: %s", filename_new_queue); + u8 *fn = alloc_printf("%s", filename_new_queue); + if (!(stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size)) { + PFATAL("Couldn't find enqueued file: %s",fn); + } + + if (afl_struct->fsrv.use_stdin){ + if (pipe(pipefd)==-1) + { + exit(-1); + } + } int pid = fork(); if (pid == -1) return; + + if (pid){ - if (pid) pid = waitpid(pid, NULL, 0); + if (afl_struct->fsrv.use_stdin){ - if (pid == 0) { - - setenv("SYMCC_INPUT_FILE", afl_struct->fsrv.out_file, 1); - - if (afl_struct->fsrv.use_stdin) { - - u8 *fn = alloc_printf("%s/%s", afl_struct->out_dir, filename_new_queue); + close(pipefd[0]); int fd = open(fn, O_RDONLY); - + if (fd >= 0) { - + ssize_t r = read(fd, data->mutator_buf, MAX_FILE); - close(fd); DBG("fn=%s, fd=%d, size=%ld\n", fn, fd, r); if (r <= 0) return; - close(0); - ck_write(0, data->mutator_buf, r, fn); - ck_free(fn); - + close(fd); + if (r>fcntl(pipefd[1],F_GETPIPE_SZ)) fcntl(pipefd[1],F_SETPIPE_SZ,MAX_FILE); + ck_write(pipefd[1], data->mutator_buf, r, filename_new_queue); + } else { + PFATAL("Something happened to the enqueued file before sending its contents to symcc binary"); } + close(pipefd[1]); + ck_free(fn); } + pid = waitpid(pid,NULL, 0); + } + if (pid == 0) { + if (afl_struct->fsrv.use_stdin) { + unsetenv("SYMCC_INPUT_FILE"); + close(pipefd[1]); + dup2(pipefd[0],0); + } + else + { + setenv("SYMCC_INPUT_FILE", afl_struct->fsrv.out_file, 1); + } + DBG("exec=%s\n", data->target); close(1); close(2); dup2(afl_struct->fsrv.dev_null_fd, 1); dup2(afl_struct->fsrv.dev_null_fd, 2); + execvp(data->target, afl_struct->argv); DBG("exec=FAIL\n"); exit(-1); @@ -179,8 +208,8 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, struct dirent **nl; int32_t i, done = 0, items = scandir(data->out_dir, &nl, NULL, NULL); - size_t size = 0; - + ssize_t size = 0; + if (items <= 0) return 0; for (i = 0; i < (u32)items; ++i) { @@ -195,9 +224,9 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, int fd = open(fn, O_RDONLY); if (fd >= 0) { - size = read(fd, data->mutator_buf, max_size); *out_buf = data->mutator_buf; + close(fd); done = 1; @@ -216,7 +245,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, free(nl); DBG("FUZZ size=%lu\n", size); - return size; + return (uint32_t)size; } diff --git a/custom_mutators/symcc/test_examples/file_test.c b/custom_mutators/symcc/test_examples/file_test.c new file mode 100644 index 00000000..25271788 --- /dev/null +++ b/custom_mutators/symcc/test_examples/file_test.c @@ -0,0 +1,27 @@ +#include +#include +#include +#include +#include + +int main(int argc, char** argv){ + if (argc<2){ + printf("Need a file argument\n"); + return 1; + } + int fd=open(argv[1],O_RDONLY); + if (fd<0){ + printf("Couldn't open file\n"); + return 1; + } + uint32_t value = 0; + + read(fd,&value,sizeof(value)); + close(fd); + + value=value^0xffffffff; + if (value== 0x11223344) printf("Value one\n"); + if (value == 0x44332211) printf("Value two\n"); + if (value != 0x0) printf("Not zero\n"); + return 0; +} diff --git a/custom_mutators/symcc/test_examples/stdin_test.c b/custom_mutators/symcc/test_examples/stdin_test.c new file mode 100644 index 00000000..be87419b --- /dev/null +++ b/custom_mutators/symcc/test_examples/stdin_test.c @@ -0,0 +1,22 @@ +#include +#include +#include +#include + +int main(int argc, char** argv) +{ + char input_buffer[16]; + uint32_t comparisonValue; + size_t bytesRead; + bytesRead=read(STDIN_FILENO,input_buffer, sizeof(input_buffer)); + if (bytesRead < 0) exit(-1); + comparisonValue=*(uint32_t*)input_buffer; + comparisonValue=comparisonValue^0xff112233; + if (comparisonValue==0x66554493){ + printf("First value\n"); + } + else{ + if (comparisonValue==0x84444415) printf("Second value\n"); + } + return 0; +} diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 735420c3..4b29672a 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -584,7 +584,10 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths); #endif /* ^!SIMPLE_FILES */ - + fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", queue_fn); } + ck_write(fd, mem, len, queue_fn); + close(fd); add_to_queue(afl, queue_fn, len, 0); #ifdef INTROSPECTION @@ -623,11 +626,6 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", queue_fn); } - ck_write(fd, mem, len, queue_fn); - close(fd); - if (likely(afl->q_testcase_max_cache_size)) { queue_testcase_store_mem(afl, afl->queue_top, mem); From bb218b330f43fada18b910a7bf2b00c6d1a32b23 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 12 Nov 2020 01:29:17 +0300 Subject: [PATCH 02/85] Formatted changed/added files --- custom_mutators/symcc/symcc.c | 69 +++++++++++-------- .../symcc/test_examples/file_test.c | 27 +++++--- .../symcc/test_examples/stdin_test.c | 36 ++++++---- 3 files changed, 81 insertions(+), 51 deletions(-) diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c index ab3d70ca..abb58d5e 100644 --- a/custom_mutators/symcc/symcc.c +++ b/custom_mutators/symcc/symcc.c @@ -98,60 +98,74 @@ void afl_custom_queue_new_entry(my_mutator_t * data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue) { - int pipefd[2]; + int pipefd[2]; struct stat st; ACTF("Queueing to symcc: %s", filename_new_queue); u8 *fn = alloc_printf("%s", filename_new_queue); if (!(stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size)) { - PFATAL("Couldn't find enqueued file: %s",fn); + + PFATAL("Couldn't find enqueued file: %s", fn); + } - - if (afl_struct->fsrv.use_stdin){ - if (pipe(pipefd)==-1) - { - exit(-1); - } + + if (afl_struct->fsrv.use_stdin) { + + if (pipe(pipefd) == -1) { exit(-1); } + } + int pid = fork(); if (pid == -1) return; - - if (pid){ - if (afl_struct->fsrv.use_stdin){ + if (pid) { + + if (afl_struct->fsrv.use_stdin) { close(pipefd[0]); int fd = open(fn, O_RDONLY); - + if (fd >= 0) { - + ssize_t r = read(fd, data->mutator_buf, MAX_FILE); DBG("fn=%s, fd=%d, size=%ld\n", fn, fd, r); if (r <= 0) return; close(fd); - if (r>fcntl(pipefd[1],F_GETPIPE_SZ)) fcntl(pipefd[1],F_SETPIPE_SZ,MAX_FILE); + if (r > fcntl(pipefd[1], F_GETPIPE_SZ)) + fcntl(pipefd[1], F_SETPIPE_SZ, MAX_FILE); ck_write(pipefd[1], data->mutator_buf, r, filename_new_queue); + } else { - PFATAL("Something happened to the enqueued file before sending its contents to symcc binary"); + + PFATAL( + "Something happened to the enqueued file before sending its " + "contents to symcc binary"); + } close(pipefd[1]); ck_free(fn); + } - pid = waitpid(pid,NULL, 0); + + pid = waitpid(pid, NULL, 0); + } if (pid == 0) { - if (afl_struct->fsrv.use_stdin) { - unsetenv("SYMCC_INPUT_FILE"); - close(pipefd[1]); - dup2(pipefd[0],0); - } - else - { + + if (afl_struct->fsrv.use_stdin) { + + unsetenv("SYMCC_INPUT_FILE"); + close(pipefd[1]); + dup2(pipefd[0], 0); + + } else { + setenv("SYMCC_INPUT_FILE", afl_struct->fsrv.out_file, 1); - } - + + } + DBG("exec=%s\n", data->target); close(1); close(2); @@ -208,8 +222,8 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, struct dirent **nl; int32_t i, done = 0, items = scandir(data->out_dir, &nl, NULL, NULL); - ssize_t size = 0; - + ssize_t size = 0; + if (items <= 0) return 0; for (i = 0; i < (u32)items; ++i) { @@ -224,6 +238,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, int fd = open(fn, O_RDONLY); if (fd >= 0) { + size = read(fd, data->mutator_buf, max_size); *out_buf = data->mutator_buf; diff --git a/custom_mutators/symcc/test_examples/file_test.c b/custom_mutators/symcc/test_examples/file_test.c index 25271788..f2b92986 100644 --- a/custom_mutators/symcc/test_examples/file_test.c +++ b/custom_mutators/symcc/test_examples/file_test.c @@ -4,24 +4,33 @@ #include #include -int main(int argc, char** argv){ - if (argc<2){ +int main(int argc, char **argv) { + + if (argc < 2) { + printf("Need a file argument\n"); return 1; + } - int fd=open(argv[1],O_RDONLY); - if (fd<0){ + + int fd = open(argv[1], O_RDONLY); + if (fd < 0) { + printf("Couldn't open file\n"); return 1; + } + uint32_t value = 0; - - read(fd,&value,sizeof(value)); + + read(fd, &value, sizeof(value)); close(fd); - value=value^0xffffffff; - if (value== 0x11223344) printf("Value one\n"); + value = value ^ 0xffffffff; + if (value == 0x11223344) printf("Value one\n"); if (value == 0x44332211) printf("Value two\n"); if (value != 0x0) printf("Not zero\n"); - return 0; + return 0; + } + diff --git a/custom_mutators/symcc/test_examples/stdin_test.c b/custom_mutators/symcc/test_examples/stdin_test.c index be87419b..3acfc523 100644 --- a/custom_mutators/symcc/test_examples/stdin_test.c +++ b/custom_mutators/symcc/test_examples/stdin_test.c @@ -3,20 +3,26 @@ #include #include -int main(int argc, char** argv) -{ - char input_buffer[16]; - uint32_t comparisonValue; - size_t bytesRead; - bytesRead=read(STDIN_FILENO,input_buffer, sizeof(input_buffer)); - if (bytesRead < 0) exit(-1); - comparisonValue=*(uint32_t*)input_buffer; - comparisonValue=comparisonValue^0xff112233; - if (comparisonValue==0x66554493){ +int main(int argc, char **argv) { + + char input_buffer[16]; + uint32_t comparisonValue; + size_t bytesRead; + bytesRead = read(STDIN_FILENO, input_buffer, sizeof(input_buffer)); + if (bytesRead < 0) exit(-1); + comparisonValue = *(uint32_t *)input_buffer; + comparisonValue = comparisonValue ^ 0xff112233; + if (comparisonValue == 0x66554493) { + printf("First value\n"); - } - else{ - if (comparisonValue==0x84444415) printf("Second value\n"); - } - return 0; + + } else { + + if (comparisonValue == 0x84444415) printf("Second value\n"); + + } + + return 0; + } + From c05c5b787b77e537eae256905c13809f56d213d4 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Thu, 12 Nov 2020 02:36:08 +0300 Subject: [PATCH 03/85] Fixed name collision problem --- custom_mutators/symcc/symcc.c | 41 ++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c index abb58d5e..531a462b 100644 --- a/custom_mutators/symcc/symcc.c +++ b/custom_mutators/symcc/symcc.c @@ -24,6 +24,7 @@ typedef struct my_mutator { afl_state_t *afl; u8 * mutator_buf; u8 * out_dir; + u8 * tmp_dir; u8 * target; uint32_t seed; @@ -57,10 +58,11 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { if (!(data->out_dir = getenv("SYMCC_OUTPUT_DIR"))) { data->out_dir = alloc_printf("%s/symcc", afl->out_dir); - setenv("SYMCC_OUTPUT_DIR", data->out_dir, 1); } + data->tmp_dir = alloc_printf("%s/tmp", data->out_dir); + setenv("SYMCC_OUTPUT_DIR", data->tmp_dir, 1); int pid = fork(); if (pid == -1) return NULL; @@ -86,6 +88,10 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { if (mkdir(data->out_dir, 0755)) PFATAL("Could not create directory %s", data->out_dir); + + if (mkdir(data->tmp_dir, 0755)) + PFATAL("Could not create directory %s", data->tmp_dir); + DBG("out_dir=%s, target=%s\n", data->out_dir, data->target); return data; @@ -150,6 +156,39 @@ void afl_custom_queue_new_entry(my_mutator_t * data, pid = waitpid(pid, NULL, 0); + // At this point we need to transfer files to output dir, since their names + // collide and symcc will just overwrite them + + struct dirent **nl; + int32_t items = scandir(data->tmp_dir, &nl, NULL, NULL); + u8 * origin_name = basename(filename_new_queue); + int32_t i; + if (items > 0) { + + for (i = 0; i < (u32)items; ++i) { + + struct stat st; + u8 *source_name = alloc_printf("%s/%s", data->tmp_dir, nl[i]->d_name); + u8 *destination_name = + alloc_printf("%s/%s.%s", data->out_dir, origin_name, nl[i]->d_name); + DBG("test=%s\n", fn); + if (stat(source_name, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) { + + rename(source_name, destination_name); + DBG("found=%s\n", source_name); + + } + + ck_free(source_name); + ck_free(destination_name); + free(nl[i]); + + } + + free(nl); + + } + } if (pid == 0) { From 622f942555772c9d15569ecdd77a67d1a2f6bd78 Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Fri, 13 Nov 2020 14:54:36 +0300 Subject: [PATCH 04/85] Fixed memleaks, change exit to PFATAL --- custom_mutators/symcc/symcc.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c index 531a462b..54a7fbb0 100644 --- a/custom_mutators/symcc/symcc.c +++ b/custom_mutators/symcc/symcc.c @@ -110,13 +110,19 @@ void afl_custom_queue_new_entry(my_mutator_t * data, u8 *fn = alloc_printf("%s", filename_new_queue); if (!(stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size)) { + ck_free(fn); PFATAL("Couldn't find enqueued file: %s", fn); } if (afl_struct->fsrv.use_stdin) { - if (pipe(pipefd) == -1) { exit(-1); } + if (pipe(pipefd) == -1) { + + ck_free(fn); + PFATAL("Couldn't create a pipe for interacting with symcc child process"); + + } } @@ -135,6 +141,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data, ssize_t r = read(fd, data->mutator_buf, MAX_FILE); DBG("fn=%s, fd=%d, size=%ld\n", fn, fd, r); + ck_free(fn); if (r <= 0) return; close(fd); if (r > fcntl(pipefd[1], F_GETPIPE_SZ)) @@ -143,6 +150,8 @@ void afl_custom_queue_new_entry(my_mutator_t * data, } else { + ck_free(fn); + PFATAL( "Something happened to the enqueued file before sending its " "contents to symcc binary"); @@ -150,7 +159,6 @@ void afl_custom_queue_new_entry(my_mutator_t * data, } close(pipefd[1]); - ck_free(fn); } From 155c2767a06e95da2e7ae44b3cd9720d25fbfbd7 Mon Sep 17 00:00:00 2001 From: Benjamin Beasley Date: Fri, 13 Nov 2020 18:58:50 -0500 Subject: [PATCH 05/85] fix you/your typo in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b1e20f75..fd368cc8 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ afl++ is a superior fork to Google's afl - more speed, more and better mutations, more and better instrumentation, custom module support, etc. - If you want to use afl++ for you academic work, check the [papers page](https://aflplus.plus/papers/) + If you want to use afl++ for your academic work, check the [papers page](https://aflplus.plus/papers/) in the website. ## Major changes in afl++ 3.0 From fb38de8d7351475359993c01ff1d65d3b3b2bfb3 Mon Sep 17 00:00:00 2001 From: Benjamin Beasley Date: Fri, 13 Nov 2020 19:01:29 -0500 Subject: [PATCH 06/85] =?UTF-8?q?In=20README.md,=20change=20=E2=80=9Cin=20?= =?UTF-8?q?the=20website=E2=80=9D=20to=20=E2=80=9Con=20the=20website,?= =?UTF-8?q?=E2=80=9D=20which=20is=20more=20idiomatic.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fd368cc8..494a6bb7 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ mutations, more and better instrumentation, custom module support, etc. If you want to use afl++ for your academic work, check the [papers page](https://aflplus.plus/papers/) - in the website. + on the website. ## Major changes in afl++ 3.0 From 389ee822e80a8b003034ccc69fbcbc356750f0d3 Mon Sep 17 00:00:00 2001 From: Benjamin Beasley Date: Fri, 13 Nov 2020 19:04:35 -0500 Subject: [PATCH 07/85] More idiomatic phrasing in CONTRIBUTING.md --- CONTRIBUTING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ccacef5f..c36ed9d8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -16,9 +16,9 @@ project, or added a file in a directory we already format, otherwise run: ``` Regarding the coding style, please follow the AFL style. -No camel case at all and use the AFL's macros wherever possible +No camel case at all and use AFL's macros wherever possible (e.g. WARNF, FATAL, MAP_SIZE, ...). Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles/GNUmakefile (or your patches to our pre-existing -Makefiles) to be as much generic as possible. +Makefiles) to be as generic as possible. From bd313d4039d094c0caf657b4ed1a666da7eded1b Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 11:31:18 +0100 Subject: [PATCH 08/85] no binary checking in noninstrumented mode --- src/afl-fuzz.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 269ce1bf..59772b3f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1338,11 +1338,11 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->fsrv.qemu_mode) { check_binary(afl, afl->cmplog_binary); } + if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); } } - check_binary(afl, argv[optind]); + if (afl->non_instrumented_mode) check_binary(afl, argv[optind]); if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } From 30cd8a8397419b3eedb6ee939e290b4c6b8c2cf1 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 12:28:51 +0100 Subject: [PATCH 09/85] fix non instrumented mode, fix check_binary --- qemu_mode/qemuafl | 2 +- src/afl-fuzz-init.c | 6 ------ src/afl-fuzz.c | 10 +++++++++- unicorn_mode/unicornafl | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index d66c9e26..21ff3438 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit d66c9e2654efa8939f0fe6995d11a72b98a4da3e +Subproject commit 21ff34383764a8c6f66509b3b8d5282468c721e1 diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 19a8d77b..01929a0a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2300,12 +2300,6 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->non_instrumented_mode) { - - FATAL("-S / -M and -n are mutually exclusive"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 59772b3f..f662b308 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -435,6 +435,7 @@ int main(int argc, char **argv_orig, char **envp) { u8 *c; + if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode "); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); afl->skip_deterministic = 0; // force determinsitic fuzzing @@ -464,6 +465,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'S': /* secondary sync id */ + if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode "); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); afl->is_secondary_node = 1; @@ -620,6 +622,12 @@ int main(int argc, char **argv_orig, char **envp) { case 'n': /* dumb mode */ + if (afl->is_main_node || afl->is_secondary_node) { + + FATAL("Non instrumented mode is not supported with -M / -S"); + + } + if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); @@ -1342,7 +1350,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->non_instrumented_mode) check_binary(afl, argv[optind]); + if (!afl->non_instrumented_mode) check_binary(afl, argv[optind]); if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c6d66471..f44ec48f 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit c6d6647161a32bae88785a618fcd828d1711d9e6 +Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 From e750a5c856486bb89401f3555ca529bf743146f4 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 12:36:28 +0100 Subject: [PATCH 10/85] add sanity check for -M/-S arguments --- src/afl-fuzz.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f662b308..6b19d648 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -435,8 +435,12 @@ int main(int argc, char **argv_orig, char **envp) { u8 *c; - if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode "); } + if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode"); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } + + /* sanity check for argument: should not begin with '-' (possible option) */ + if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } + afl->sync_id = ck_strdup(optarg); afl->skip_deterministic = 0; // force determinsitic fuzzing afl->old_seed_selection = 1; // force old queue walking seed selection @@ -465,8 +469,12 @@ int main(int argc, char **argv_orig, char **envp) { case 'S': /* secondary sync id */ - if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode "); } + if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode"); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } + + /* sanity check for argument: should not begin with '-' (possible option) */ + if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } + afl->sync_id = ck_strdup(optarg); afl->is_secondary_node = 1; break; From 40e10895a2b7b69425ee03b2ec6e478184120ee2 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 17:21:43 +0100 Subject: [PATCH 11/85] now really fix -n --- src/afl-forkserver.c | 25 +++++++++++++++++-------- src/afl-fuzz-init.c | 2 +- src/afl-fuzz.c | 2 +- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 45be2abd..266f021b 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -116,7 +116,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->use_fauxsrv = 0; fsrv_to->last_run_timed_out = 0; - fsrv_to->init_child_func = fsrv_exec_child; + fsrv_to->init_child_func = from->init_child_func; // Note: do not copy ->add_extra_func list_append(&fsrv_list, fsrv_to); @@ -220,7 +220,15 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { } void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL); - +#if 0 + WARNF("targetpath=%s", fsrv->target_path); + if (argv) { + for (char *p = argv[0]; p; ++p) { + WARNF(" %s", p); + } + } + WARNF("\n"); +#endif while (1) { uint32_t was_killed; @@ -272,7 +280,8 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; - PFATAL("Execv failed in fauxserver."); + WARNF("Execv failed in fauxserver."); + break; } @@ -286,13 +295,13 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { if (waitpid(child_pid, &status, 0) < 0) { // Zombie Child could not be collected. Scary! - PFATAL("Fauxserver could not determin child's exit code. "); + WARNF("Fauxserver could not determine child's exit code. "); } /* Relay wait status to AFL pipe, then loop back. */ - if (write(FORKSRV_FD + 1, &status, 4) != 4) { exit(0); } + if (write(FORKSRV_FD + 1, &status, 4) != 4) { exit(1); } } @@ -330,7 +339,7 @@ static void report_error_and_exit(int error) { "memory failed."); break; default: - FATAL("unknown error code %u from fuzzing target!", error); + FATAL("unknown error code %d from fuzzing target!", error); } @@ -355,7 +364,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->use_fauxsrv) { - /* TODO: Come up with sone nice way to initialize this all */ + /* TODO: Come up with some nice way to initialize this all */ if (fsrv->init_child_func != fsrv_exec_child) { @@ -520,7 +529,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; fprintf(stderr, "Error: execv to target failed\n"); - exit(0); + exit(1); } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 01929a0a..8b9b0a6f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2497,7 +2497,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode) { + if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || afl->non_instrumented_mode) { return; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6b19d648..39af1e18 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1358,7 +1358,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->non_instrumented_mode) check_binary(afl, argv[optind]); + check_binary(afl, argv[optind]); if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } From 76c5b8a3b420bfb74191cf4d3e44b067a268dc7f Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 19:38:06 +0100 Subject: [PATCH 12/85] fix error handling in fauxserver --- src/afl-forkserver.c | 12 ++---------- src/afl-fuzz.c | 4 ++-- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 266f021b..3814a77e 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -220,15 +220,7 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { } void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL); -#if 0 - WARNF("targetpath=%s", fsrv->target_path); - if (argv) { - for (char *p = argv[0]; p; ++p) { - WARNF(" %s", p); - } - } - WARNF("\n"); -#endif + while (1) { uint32_t was_killed; @@ -1146,7 +1138,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } // Fauxserver should handle this now. - // if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR; + if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) return FSRV_RUN_ERROR; return FSRV_RUN_OK; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 39af1e18..c1ddd413 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -442,7 +442,7 @@ int main(int argc, char **argv_orig, char **envp) { if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } afl->sync_id = ck_strdup(optarg); - afl->skip_deterministic = 0; // force determinsitic fuzzing + afl->skip_deterministic = 0; // force deterministic fuzzing afl->old_seed_selection = 1; // force old queue walking seed selection if ((c = strchr(afl->sync_id, ':'))) { @@ -922,7 +922,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->power_name = power_names[afl->schedule]; - if (!afl->sync_id) { + if (!afl->non_instrumented_mode && !afl->sync_id) { auto_sync = 1; afl->sync_id = ck_strdup("default"); From 3ac953ec33c02de90ff746d4a27d750d8e0e4bac Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 14 Nov 2020 20:09:33 +0100 Subject: [PATCH 13/85] typo --- instrumentation/afl-compiler-rt.o.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 864f5bb6..18501b65 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -182,7 +182,7 @@ static void __afl_map_shm_fuzz() { if (!map || map == (void *)-1) { - perror("Could not access fuzzign shared memory"); + perror("Could not access fuzzing shared memory"); exit(1); } From ea689076b330c46223ed1c36f9b02fc319c798f8 Mon Sep 17 00:00:00 2001 From: Dustin Spicuzza Date: Sat, 14 Nov 2020 19:54:51 -0500 Subject: [PATCH 14/85] Actually make python 'fuzz' method optional At some point mutator->afl_custom_fuzz was allowed to be NULL, so do that instead of crashing --- src/afl-fuzz-python.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 596b733e..cfaf055d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -329,9 +329,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, if (py_functions[PY_FUNC_DEINIT]) { mutator->afl_custom_deinit = deinit_py; } - /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator - is quite different from the custom mutator. */ - mutator->afl_custom_fuzz = fuzz_py; + if (py_functions[PY_FUNC_FUZZ]) { mutator->afl_custom_fuzz = fuzz_py; } if (py_functions[PY_FUNC_POST_PROCESS]) { From 1cc637a0a05a043a223f69fb9661ecc3d5597d23 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 16 Nov 2020 10:59:09 +0100 Subject: [PATCH 15/85] support AFL_LLVM_INSTRUMENT env for our own PCGUARD --- docs/Changelog.md | 13 +- .../SanitizerCoveragePCGUARD.so.cc | 8 +- src/afl-cc.c | 113 ++++++++++-------- src/afl-fuzz-init.c | 3 +- src/afl-fuzz.c | 42 +++++-- 5 files changed, 116 insertions(+), 63 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index a69f2ff4..baa2667b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -37,24 +37,27 @@ sending a mail to . - added NO_SPLICING compile option and makefile define - added INTROSPECTION make target that writes all mutations to out/NAME/introspection.txt - - added INTROSPECTION support for custom modules - print special compile time options used in help output + - somewhere we broke -n dumb fuzzing, fixed - instrumentation - We received an enhanced gcc_plugin module from AdaCore, thank you very much!! - not overriding -Ox or -fno-unroll-loops anymore - we now have our own trace-pc-guard implementation. It is the same as -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline - and b) works from llvm 10+ on :) + and b) works from llvm 10.0.1 + onwards :) - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz -x dictionary of string comparisons found during compilation - LTO autodict now also collects interesting cmp comparisons, std::string compare + find + ==, bcmp - fix crash in dict2file for integers > 64 bit + - custom mutators + - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/ + - added a new custom mutator: libfuzzer that integrates libfuzzer mutations + - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/ + - added INTROSPECTION support for custom modules + - python fuzz function was not optional, fixed - unicornafl synced with upstream (arm64 fix, better rust bindings) - - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/ - - added a new custom mutator: libfuzzer that integrates libfuzzer mutations - - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/ ### Version ++2.68c (release) diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index b3c55108..e85f9cd3 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -544,7 +544,9 @@ bool ModuleSanitizerCoverage::instrumentModule( be_quiet = 1; skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); - // scanForDangerousFunctions(&M); + + initInstrumentList(); + scanForDangerousFunctions(&M); if (debug) { @@ -819,6 +821,8 @@ void ModuleSanitizerCoverage::instrumentFunction( Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) { if (F.empty()) return; + if (!isInInstrumentList(&F)) return; + if (F.getName().find(".module_ctor") != std::string::npos) return; // Should not instrument sanitizer init functions. if (F.getName().startswith("__sanitizer_")) @@ -1315,6 +1319,7 @@ std::string ModuleSanitizerCoverage::getSectionEnd( } char ModuleSanitizerCoverageLegacyPass::ID = 0; + INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov", "Pass for instrumenting coverage on functions", false, false) @@ -1323,6 +1328,7 @@ INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass) INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov", "Pass for instrumenting coverage on functions", false, false) + ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass( const SanitizerCoverageOptions &Options, const std::vector &AllowlistFiles, diff --git a/src/afl-cc.c b/src/afl-cc.c index 771a58f5..5d8d33a5 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -49,14 +49,14 @@ static u8 * obj_path; /* Path to runtime libraries */ static u8 **cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u8 llvm_fullpath[PATH_MAX]; -static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode, - compiler_mode, plusplus_mode; -static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto; -static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull; -static u8 debug; -static u8 cwd[4096]; -static u8 cmplog_mode; -u8 use_stdin; /* dummy */ +static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode; +static u8 compiler_mode, plusplus_mode, have_instr_env = 0; +static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0; +static u8 * lto_flag = AFL_CLANG_FLTO, *argvnull; +static u8 debug; +static u8 cwd[4096]; +static u8 cmplog_mode; +u8 use_stdin; /* dummy */ // static u8 *march_opt = CFLAGS_OPT; enum { @@ -354,19 +354,13 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (lto_mode && plusplus_mode) cc_params[cc_par_cnt++] = "-lc++"; // needed by fuzzbench, early - if (lto_mode) { + if (lto_mode && have_instr_env) { - if (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || - getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") || - getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) { - - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = - alloc_printf("%s/afl-llvm-lto-instrumentlist.so", obj_path); - - } + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-lto-instrumentlist.so", obj_path); } @@ -508,11 +502,25 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (instrument_mode == INSTRUMENT_PCGUARD) { #if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = - alloc_printf("%s/SanitizerCoveragePCGUARD.so", obj_path); + if (have_instr_list) { + + if (!be_quiet) + SAYF( + "Using unoptimized trace-pc-guard, due usage of " + "-fsanitize-coverage-allow/denylist, you can use " + "AFL_LLVM_ALLOWLIST/AFL_LLMV_DENYLIST instead.\n"); + cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; + + } else { + + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/SanitizerCoveragePCGUARD.so", obj_path); + + } + #else #if LLVM_MAJOR >= 4 if (!be_quiet) @@ -590,6 +598,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32; if (!strcmp(cur, "-m64")) bit_mode = 64; + if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) + have_instr_list = 1; + if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) asan_set = 1; @@ -856,6 +867,14 @@ int main(int argc, char **argv, char **envp) { be_quiet = 1; + if (getenv("AFL_LLVM_INSTRUMENT_FILE") || getenv("AFL_LLVM_WHITELIST") || + getenv("AFL_LLVM_ALLOWLIST") || getenv("AFL_LLVM_DENYLIST") || + getenv("AFL_LLVM_BLOCKLIST")) { + + have_instr_env = 1; + + } + if ((ptr = strrchr(callname, '/')) != NULL) callname = ptr + 1; argvnull = (u8 *)argv[0]; check_environment_vars(envp); @@ -1015,14 +1034,14 @@ int main(int argc, char **argv, char **envp) { } - if ((getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || - getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") || - getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) && - getenv("AFL_DONT_OPTIMIZE")) + if (have_instr_env && getenv("AFL_DONT_OPTIMIZE")) { + WARNF( "AFL_LLVM_ALLOWLIST/DENYLIST and AFL_DONT_OPTIMIZE cannot be combined " "for file matching, only function matching!"); + } + if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") || getenv("INSTRIM_LIB")) { @@ -1426,22 +1445,20 @@ int main(int argc, char **argv, char **envp) { #if LLVM_MAJOR <= 6 instrument_mode = INSTRUMENT_AFL; #else - if (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || - getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") || - getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST")) { + #if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1) + if (have_instr_env) { instrument_mode = INSTRUMENT_AFL; - WARNF( - "switching to classic instrumentation because " - "AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD. Use " - "-fsanitize-coverage-allowlist=allowlist.txt or " - "-fsanitize-coverage-blocklist=denylist.txt if you want to use " - "PCGUARD. Requires llvm 12+. See https://clang.llvm.org/docs/ " - "SanitizerCoverage.html#partially-disabling-instrumentation"); + if (!be_quiet) + WARNF( + "Switching to classic instrumentation because " + "AFL_LLVM_ALLOWLIST/DENYLIST does not work with PCGUARD < 10.0.1."); } else + #endif instrument_mode = INSTRUMENT_PCGUARD; + #endif } @@ -1487,18 +1504,16 @@ int main(int argc, char **argv, char **envp) { "AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set " "together"); - if (instrument_mode == INSTRUMENT_PCGUARD && - (getenv("AFL_LLVM_INSTRUMENT_FILE") != NULL || - getenv("AFL_LLVM_WHITELIST") || getenv("AFL_LLVM_ALLOWLIST") || - getenv("AFL_LLVM_DENYLIST") || getenv("AFL_LLVM_BLOCKLIST"))) +#if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1) + if (instrument_mode == INSTRUMENT_PCGUARD && have_instr_env) { + FATAL( "Instrumentation type PCGUARD does not support " - "AFL_LLVM_ALLOWLIST/DENYLIST! Use " - "-fsanitize-coverage-allowlist=allowlist.txt or " - "-fsanitize-coverage-blocklist=denylist.txt instead (requires llvm " - "12+), see " - "https://clang.llvm.org/docs/" - "SanitizerCoverage.html#partially-disabling-instrumentation"); + "AFL_LLVM_ALLOWLIST/DENYLIST! Use LLVM 10.0.1+ instead."); + + } + +#endif u8 *ptr2; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 8b9b0a6f..6884bb1d 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2497,7 +2497,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || afl->non_instrumented_mode) { + if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || + afl->non_instrumented_mode) { return; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c1ddd413..cedfdf8f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -435,11 +435,23 @@ int main(int argc, char **argv_orig, char **envp) { u8 *c; - if (afl->non_instrumented_mode) { FATAL("-M is not supported in non-instrumented mode"); } + if (afl->non_instrumented_mode) { + + FATAL("-M is not supported in non-instrumented mode"); + + } + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } - /* sanity check for argument: should not begin with '-' (possible option) */ - if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } + /* sanity check for argument: should not begin with '-' (possible + * option) */ + if (optarg && *optarg == '-') { + + FATAL( + "argument for -M started with a dash '-', which is used for " + "options"); + + } afl->sync_id = ck_strdup(optarg); afl->skip_deterministic = 0; // force deterministic fuzzing @@ -469,11 +481,23 @@ int main(int argc, char **argv_orig, char **envp) { case 'S': /* secondary sync id */ - if (afl->non_instrumented_mode) { FATAL("-S is not supported in non-instrumented mode"); } + if (afl->non_instrumented_mode) { + + FATAL("-S is not supported in non-instrumented mode"); + + } + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } - /* sanity check for argument: should not begin with '-' (possible option) */ - if (optarg && *optarg == '-') { FATAL("argument for -M started with a dash '-', which is used for options"); } + /* sanity check for argument: should not begin with '-' (possible + * option) */ + if (optarg && *optarg == '-') { + + FATAL( + "argument for -M started with a dash '-', which is used for " + "options"); + + } afl->sync_id = ck_strdup(optarg); afl->is_secondary_node = 1; @@ -1354,7 +1378,11 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); } + if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) { + + check_binary(afl, afl->cmplog_binary); + + } } From 9d22c8a02ca9043e62c250a32d5affdaeab11dcd Mon Sep 17 00:00:00 2001 From: Rumata888 Date: Tue, 17 Nov 2020 12:00:06 +0300 Subject: [PATCH 16/85] Fixed fd leak on early exit and closed pipes before early exits and PFATAL --- custom_mutators/symcc/symcc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c index 54a7fbb0..acec29da 100644 --- a/custom_mutators/symcc/symcc.c +++ b/custom_mutators/symcc/symcc.c @@ -142,8 +142,14 @@ void afl_custom_queue_new_entry(my_mutator_t * data, ssize_t r = read(fd, data->mutator_buf, MAX_FILE); DBG("fn=%s, fd=%d, size=%ld\n", fn, fd, r); ck_free(fn); - if (r <= 0) return; close(fd); + if (r <= 0) { + + close(pipefd[1]); + return; + + } + if (r > fcntl(pipefd[1], F_GETPIPE_SZ)) fcntl(pipefd[1], F_SETPIPE_SZ, MAX_FILE); ck_write(pipefd[1], data->mutator_buf, r, filename_new_queue); @@ -151,7 +157,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data, } else { ck_free(fn); - + close(pipefd[1]); PFATAL( "Something happened to the enqueued file before sending its " "contents to symcc binary"); From c06b5a156480d70e5013a780bb41bd074637475c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 17 Nov 2020 17:02:33 +0100 Subject: [PATCH 17/85] fix sync issue --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index e969994d..b96fe71a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -590,7 +590,7 @@ void sync_fuzzers(afl_state_t *afl) { while (m < n) { - if (strcmp(namelist[m]->d_name, entry)) { + if (strncmp(namelist[m]->d_name, entry, 9)) { m++; From d042a63ab43545a5038fe46d11fef1bde8327028 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 17 Nov 2020 20:09:52 +0100 Subject: [PATCH 18/85] micro optimization: allocate only when needed --- custom_mutators/symcc/symcc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c index 9c6c0cb8..a609dafb 100644 --- a/custom_mutators/symcc/symcc.c +++ b/custom_mutators/symcc/symcc.c @@ -184,18 +184,18 @@ void afl_custom_queue_new_entry(my_mutator_t * data, struct stat st; u8 *source_name = alloc_printf("%s/%s", data->tmp_dir, nl[i]->d_name); - u8 *destination_name = - alloc_printf("%s/%s.%s", data->out_dir, origin_name, nl[i]->d_name); DBG("test=%s\n", fn); if (stat(source_name, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) { + u8 *destination_name = + alloc_printf("%s/%s.%s", data->out_dir, origin_name, nl[i]->d_name); rename(source_name, destination_name); + ck_free(destination_name); DBG("found=%s\n", source_name); } ck_free(source_name); - ck_free(destination_name); free(nl[i]); } From add108ec2386736f683e34172311af2c5a9d6237 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 17 Nov 2020 21:06:47 +0100 Subject: [PATCH 19/85] fix two exotic mem leaks detected by cppcheck --- include/alloc-inl.h | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/include/alloc-inl.h b/include/alloc-inl.h index d7aa51a7..a6194f86 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -636,7 +636,7 @@ struct afl_alloc_buf { #define AFL_ALLOC_SIZE_OFFSET (offsetof(struct afl_alloc_buf, buf)) -/* Returs the container element to this ptr */ +/* Returns the container element to this ptr */ static inline struct afl_alloc_buf *afl_alloc_bufptr(void *buf) { return (struct afl_alloc_buf *)((u8 *)buf - AFL_ALLOC_SIZE_OFFSET); @@ -694,14 +694,20 @@ static inline void *afl_realloc(void **buf, size_t size_needed) { } /* alloc */ - new_buf = (struct afl_alloc_buf *)realloc(new_buf, next_size); - if (unlikely(!new_buf)) { + struct afl_alloc_buf *newer_buf = (struct afl_alloc_buf *)realloc(new_buf, next_size); + if (unlikely(!newer_buf)) { + free(new_buf); // avoid a leak *buf = NULL; return NULL; + } else { + + new_buf = newer_buf; + } + new_buf->complete_size = next_size; *buf = (void *)(new_buf->buf); return *buf; @@ -730,12 +736,17 @@ static inline void *afl_realloc_exact(void **buf, size_t size_needed) { if (unlikely(current_size == size_needed)) { return *buf; } /* alloc */ - new_buf = (struct afl_alloc_buf *)realloc(new_buf, size_needed); - if (unlikely(!new_buf)) { + struct afl_alloc_buf *newer_buf = (struct afl_alloc_buf *)realloc(new_buf, size_needed); + if (unlikely(!newer_buf)) { + free(new_buf); // avoid a leak *buf = NULL; return NULL; + } else { + + new_buf = newer_buf; + } new_buf->complete_size = size_needed; From 54fdec0e51d17ac47582ca23c32ce10da5591aa2 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 17 Nov 2020 21:07:29 +0100 Subject: [PATCH 20/85] fix: avoid preprocessor logic in macro arguments (not portable) --- src/afl-cc.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index 5d8d33a5..ef4d2c74 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1326,15 +1326,18 @@ int main(int argc, char **argv, char **envp) { " AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by " "filename\n"); +#if LLVM_MAJOR < 9 +#define COUNTER_BEHAVIOUR " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" +#else +#define COUNTER_BEHAVIOUR " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" +#endif if (have_llvm) SAYF( "\nLLVM/LTO/afl-clang-fast/afl-clang-lto specific environment " "variables:\n" -#if LLVM_MAJOR < 9 - " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" -#else - " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" -#endif + + COUNTER_BEHAVIOUR + " AFL_LLVM_DICT2FILE: generate an afl dictionary based on found " "comparisons\n" " AFL_LLVM_LAF_ALL: enables all LAF splits/transforms\n" From 23f37ff5054d77abf7baf7b6d01d660b435d81cd Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 18 Nov 2020 02:33:47 +0100 Subject: [PATCH 21/85] fixed alloc errors, code format --- examples/afl_network_proxy/afl-network-server.c | 8 ++++---- include/alloc-inl.h | 11 ++++++----- src/afl-cc.c | 6 ++++-- src/afl-fuzz-python.c | 6 +++--- src/afl-fuzz-queue.c | 7 ++++++- src/afl-fuzz.c | 2 ++ 6 files changed, 25 insertions(+), 15 deletions(-) diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 75eb3d20..3831f985 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -358,8 +358,8 @@ int recv_testcase(int s, void **buf) { if ((size & 0xff000000) != 0xff000000) { - *buf = afl_realloc((void **)&buf, size); - if (unlikely(!buf)) { PFATAL("Alloc"); } + *buf = afl_realloc(buf, size); + if (unlikely(!*buf)) { PFATAL("Alloc"); } received = 0; // fprintf(stderr, "unCOMPRESS (%u)\n", size); while (received < size && @@ -371,8 +371,8 @@ int recv_testcase(int s, void **buf) { #ifdef USE_DEFLATE u32 clen; size -= 0xff000000; - *buf = afl_realloc((void **)&buf, size); - if (unlikely(!buf)) { PFATAL("Alloc"); } + *buf = afl_realloc(buf, size); + if (unlikely(!*buf)) { PFATAL("Alloc"); } received = 0; while (received < 4 && (ret = recv(s, &clen + received, 4 - received, 0)) > 0) diff --git a/include/alloc-inl.h b/include/alloc-inl.h index a6194f86..68255fb6 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -694,10 +694,11 @@ static inline void *afl_realloc(void **buf, size_t size_needed) { } /* alloc */ - struct afl_alloc_buf *newer_buf = (struct afl_alloc_buf *)realloc(new_buf, next_size); + struct afl_alloc_buf *newer_buf = + (struct afl_alloc_buf *)realloc(new_buf, next_size); if (unlikely(!newer_buf)) { - free(new_buf); // avoid a leak + free(new_buf); // avoid a leak *buf = NULL; return NULL; @@ -707,7 +708,6 @@ static inline void *afl_realloc(void **buf, size_t size_needed) { } - new_buf->complete_size = next_size; *buf = (void *)(new_buf->buf); return *buf; @@ -736,10 +736,11 @@ static inline void *afl_realloc_exact(void **buf, size_t size_needed) { if (unlikely(current_size == size_needed)) { return *buf; } /* alloc */ - struct afl_alloc_buf *newer_buf = (struct afl_alloc_buf *)realloc(new_buf, size_needed); + struct afl_alloc_buf *newer_buf = + (struct afl_alloc_buf *)realloc(new_buf, size_needed); if (unlikely(!newer_buf)) { - free(new_buf); // avoid a leak + free(new_buf); // avoid a leak *buf = NULL; return NULL; diff --git a/src/afl-cc.c b/src/afl-cc.c index ef4d2c74..9c23c18b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1327,9 +1327,11 @@ int main(int argc, char **argv, char **envp) { "filename\n"); #if LLVM_MAJOR < 9 -#define COUNTER_BEHAVIOUR " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" + #define COUNTER_BEHAVIOUR \ + " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" #else -#define COUNTER_BEHAVIOUR " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" + #define COUNTER_BEHAVIOUR \ + " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" #endif if (have_llvm) SAYF( diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index cfaf055d..80532774 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -96,7 +96,7 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, mutated_size = PyByteArray_Size(py_value); *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size); - if (unlikely(!out_buf)) { PFATAL("alloc"); } + if (unlikely(!*out_buf)) { PFATAL("alloc"); } memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size); Py_DECREF(py_value); @@ -579,7 +579,7 @@ size_t trim_py(void *py_mutator, u8 **out_buf) { ret = PyByteArray_Size(py_value); *out_buf = afl_realloc(BUF_PARAMS(trim), ret); - if (unlikely(!out_buf)) { PFATAL("alloc"); } + if (unlikely(!*out_buf)) { PFATAL("alloc"); } memcpy(*out_buf, PyByteArray_AsString(py_value), ret); Py_DECREF(py_value); @@ -645,7 +645,7 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, /* A new buf is needed... */ *out_buf = afl_realloc(BUF_PARAMS(havoc), mutated_size); - if (unlikely(!out_buf)) { PFATAL("alloc"); } + if (unlikely(!*out_buf)) { PFATAL("alloc"); } } diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index c78df8be..32bed06f 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -56,7 +56,12 @@ void create_alias_table(afl_state_t *afl) { int * S = (u32 *)afl_realloc(AFL_BUF_PARAM(out_scratch), n * sizeof(u32)); int * L = (u32 *)afl_realloc(AFL_BUF_PARAM(in_scratch), n * sizeof(u32)); - if (!P || !S || !L) { FATAL("could not aquire memory for alias table"); } + if (!P || !S || !L || !afl->alias_table || !afl->alias_probability) { + + FATAL("could not aquire memory for alias table"); + + } + memset((void *)afl->alias_table, 0, n * sizeof(u32)); memset((void *)afl->alias_probability, 0, n * sizeof(double)); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index cedfdf8f..ac77bb1f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -350,6 +350,7 @@ int main(int argc, char **argv_orig, char **envp) { case 's': { + if (optarg == NULL) { FATAL("No valid seed provided. Got NULL."); } rand_set_seed(afl, strtoul(optarg, 0L, 10)); afl->fixed_seed = 1; break; @@ -419,6 +420,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'i': /* input dir */ if (afl->in_dir) { FATAL("Multiple -i options not supported"); } + if (afl->in_dir == NULL) { FATAL("Invalid -i option (got NULL)."); } afl->in_dir = optarg; if (!strcmp(afl->in_dir, "-")) { afl->in_place_resume = 1; } From 57f8aec3814e1959d36210815a0369d7bc149ac7 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 18 Nov 2020 02:41:35 +0100 Subject: [PATCH 22/85] brought back missing env vars --- docs/env_variables.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/env_variables.md b/docs/env_variables.md index a36f2b4e..469fc957 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -306,6 +306,14 @@ checks or alter some of the more exotic semantics of the tool: don't want AFL++ to spend too much time classifying that stuff and just rapidly put all timeouts in that bin. + - Setting `AFL_FORKSRV_INIT_TMOUT` allows yout to specify a different timeout + to wait for the forkserver to spin up. The default is the `-t` value times + `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the + default would wait `1000` milis. Setting a different time here is useful + if the target has a very slow startup time, for example when doing + full-system fuzzing or emulation, but you don't want the actual runs + to wait too long for timeouts. + - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics. This can be useful to speed up the fuzzing of text-based file formats. @@ -389,6 +397,13 @@ checks or alter some of the more exotic semantics of the tool: for an existing out folder, even if a different `-i` was provided. Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. + - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements + in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will + kick off. In probabilistic mode, not all dictionary entires will be used all + of the times for fuzzing mutations to not make fuzzing slower by it. + The default count is `200` element. So for the 200 + 1st element, there is a + 1 in 201 chance, that one of the dictionary entry will not be used directly. + - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to fork + execve() call for every tested input. This is useful mostly when working with unruly libraries that create threads or do other crazy From f80f62f14bb5222344925a7ec51c81aa2f95d86e Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 18 Nov 2020 03:02:13 +0100 Subject: [PATCH 23/85] renamed env var to AFL_DEBUG_CHILD --- docs/Changelog.md | 1 + docs/env_variables.md | 2 +- examples/afl_network_proxy/afl-network-server.c | 7 +++++-- include/afl-fuzz.h | 4 ++-- include/envs.h | 3 ++- instrumentation/afl-compiler-rt.o.c | 2 +- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-state.c | 6 ++++-- src/afl-fuzz.c | 4 ++-- src/afl-showmap.c | 6 +++++- src/afl-tmin.c | 7 +++++-- test/test-unicorn-mode.sh | 6 +++--- 12 files changed, 32 insertions(+), 18 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index baa2667b..9426ed54 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -58,6 +58,7 @@ sending a mail to . - added INTROSPECTION support for custom modules - python fuzz function was not optional, fixed - unicornafl synced with upstream (arm64 fix, better rust bindings) + - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD ### Version ++2.68c (release) diff --git a/docs/env_variables.md b/docs/env_variables.md index 469fc957..1ce6f206 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -388,7 +388,7 @@ checks or alter some of the more exotic semantics of the tool: processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to exit soon after the first crash is found. - - Setting `AFL_DEBUG_CHILD_OUTPUT` will not suppress the child output. + - Setting `AFL_DEBUG_CHILD` will not suppress the child output. Not pretty but good for debugging purposes. - Setting `AFL_NO_CPU_RED` will not display very high cpu usages in red color. diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 3831f985..513dc8f2 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -636,8 +636,11 @@ int main(int argc, char **argv_orig, char **envp) { if (listen(sock, 1) < 0) { PFATAL("listen() failed"); } - afl_fsrv_start(fsrv, use_argv, &stop_soon, - get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + afl_fsrv_start( + fsrv, use_argv, &stop_soon, + (get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) + ? 1 + : 0); #ifdef USE_DEFLATE compressor = libdeflate_alloc_compressor(1); diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c355263b..b484b93e 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -362,8 +362,8 @@ typedef struct afl_env_vars { u8 afl_skip_cpufreq, afl_exit_when_done, afl_no_affinity, afl_skip_bin_check, afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui, afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, - afl_bench_until_crash, afl_debug_child_output, afl_autoresume, - afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd; + afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, + afl_cycle_schedules, afl_expand_havoc, afl_statsd; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload, diff --git a/include/envs.h b/include/envs.h index b753d5f8..8255cf4f 100644 --- a/include/envs.h +++ b/include/envs.h @@ -6,6 +6,7 @@ static char *afl_environment_deprecated[] = { "AFL_LLVM_WHITELIST", "AFL_GCC_WHITELIST", + "AFL_DEBUG_CHILD_OUTPUT", "AFL_DEFER_FORKSRV", "AFL_POST_LIBRARY", "AFL_PERSISTENT", @@ -36,7 +37,7 @@ static char *afl_environment_variables[] = { "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG", - "AFL_DEBUG_CHILD_OUTPUT", + "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 18501b65..485f500c 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -992,7 +992,7 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { // For stability analysis, if you want to know to which function unstable // edge IDs belong - uncomment, recompile+install llvm_mode, recompile // the target. libunwind and libbacktrace are better solutions. - // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // Set AFL_DEBUG_CHILD=1 and run afl-fuzz with 2>file to capture // the backtrace output /* uint32_t unstable[] = { ... unstable edge IDs }; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b96fe71a..95b3ee8a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -332,7 +332,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child_output); + afl->afl_env.afl_debug_child); if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) { diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 61bd06b7..489d4e53 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -268,11 +268,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_bench_until_crash = get_afl_env(afl_environment_variables[i]) ? 1 : 0; - } else if (!strncmp(env, "AFL_DEBUG_CHILD_OUTPUT", + } else if (!strncmp(env, "AFL_DEBUG_CHILD", + afl_environment_variable_len) || + !strncmp(env, "AFL_DEBUG_CHILD_OUTPUT", afl_environment_variable_len)) { - afl->afl_env.afl_debug_child_output = + afl->afl_env.afl_debug_child = get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_AUTORESUME", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index ac77bb1f..e04ae649 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -166,7 +166,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n" "AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule\n" "AFL_DEBUG: extra debugging output for Python mode trimming\n" - "AFL_DEBUG_CHILD_OUTPUT: do not suppress stdout/stderr from target\n" + "AFL_DEBUG_CHILD: do not suppress stdout/stderr from target\n" "AFL_DISABLE_TRIM: disable the trimming of test cases\n" "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" @@ -1426,7 +1426,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; afl->cmplog_fsrv.init_child_func = cmplog_exec_child; afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child_output); + afl->afl_env.afl_debug_child); OKF("Cmplog forkserver successfully started"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 4b357254..69527007 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1091,7 +1091,11 @@ int main(int argc, char **argv_orig, char **envp) { } afl_fsrv_start(fsrv, use_argv, &stop_soon, - get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + (get_afl_env("AFL_DEBUG_CHILD") || + get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) + ? 1 + : 0); + map_size = fsrv->map_size; if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 06037d61..e4fb068d 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1141,8 +1141,11 @@ int main(int argc, char **argv_orig, char **envp) { read_initial_file(); - afl_fsrv_start(fsrv, use_argv, &stop_soon, - get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + afl_fsrv_start( + fsrv, use_argv, &stop_soon, + (get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) + ? 1 + : 0); if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); diff --git a/test/test-unicorn-mode.sh b/test/test-unicorn-mode.sh index 7ac4cdd2..b4c6eb3e 100755 --- a/test/test-unicorn-mode.sh +++ b/test/test-unicorn-mode.sh @@ -7,7 +7,7 @@ test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shel test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { # We want to see python errors etc. in logs, in case something doesn't work - export AFL_DEBUG_CHILD_OUTPUT=1 + export AFL_DEBUG_CHILD=1 # some python version should be available now PYTHONS="`command -v python3` `command -v python` `command -v python2`" @@ -34,7 +34,7 @@ test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shel cd ../unicorn_mode/samples/persistent make >>errors 2>&1 $ECHO "$GREY[*] running afl-fuzz for unicorn_mode (persistent), this will take approx 25 seconds" - AFL_DEBUG_CHILD_OUTPUT=1 ../../../afl-fuzz -m none -V25 -U -i sample_inputs -o out -d -- ./harness @@ >>errors 2>&1 + AFL_DEBUG_CHILD=1 ../../../afl-fuzz -m none -V25 -U -i sample_inputs -o out -d -- ./harness @@ >>errors 2>&1 test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode (persistent)" } || { @@ -96,7 +96,7 @@ test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shel } fi - unset AFL_DEBUG_CHILD_OUTPUT + unset AFL_DEBUG_CHILD } } || { From 631b6d0187ae59409549c431c657def8c30da8cf Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 18 Nov 2020 03:03:49 +0100 Subject: [PATCH 24/85] fixed simple yet stupid bug --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e04ae649..1008f28c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -420,7 +420,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'i': /* input dir */ if (afl->in_dir) { FATAL("Multiple -i options not supported"); } - if (afl->in_dir == NULL) { FATAL("Invalid -i option (got NULL)."); } + if (optarg == NULL) { FATAL("Invalid -i option (got NULL)."); } afl->in_dir = optarg; if (!strcmp(afl->in_dir, "-")) { afl->in_place_resume = 1; } From 68e18dbb7a261b0343bc3580f26cf59531c18152 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 18 Nov 2020 03:09:50 +0100 Subject: [PATCH 25/85] more info about child_debug --- docs/env_variables.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/env_variables.md b/docs/env_variables.md index 1ce6f206..e6f9c275 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -389,7 +389,11 @@ checks or alter some of the more exotic semantics of the tool: exit soon after the first crash is found. - Setting `AFL_DEBUG_CHILD` will not suppress the child output. + This lets you see all output of the child, making setup issues obvious. + For example, in an unicornafl harness, you might see python stacktraces. + You may also see other logs that way, indicating why the forkserver won't start. Not pretty but good for debugging purposes. + Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated. - Setting `AFL_NO_CPU_RED` will not display very high cpu usages in red color. From 108a89b55959ed41fa3b050696148e698e6de2df Mon Sep 17 00:00:00 2001 From: hexcoder Date: Wed, 18 Nov 2020 08:33:06 +0100 Subject: [PATCH 26/85] typo --- src/afl-fuzz-queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 32bed06f..f35b4f57 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -58,7 +58,7 @@ void create_alias_table(afl_state_t *afl) { if (!P || !S || !L || !afl->alias_table || !afl->alias_probability) { - FATAL("could not aquire memory for alias table"); + FATAL("could not acquire memory for alias table"); } From 211a6eb411a6e57cd22a24bb50ae095676d8b0c5 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Wed, 18 Nov 2020 08:40:12 +0100 Subject: [PATCH 27/85] typos and wording --- docs/env_variables.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/env_variables.md b/docs/env_variables.md index e6f9c275..04ba032a 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -306,10 +306,10 @@ checks or alter some of the more exotic semantics of the tool: don't want AFL++ to spend too much time classifying that stuff and just rapidly put all timeouts in that bin. - - Setting `AFL_FORKSRV_INIT_TMOUT` allows yout to specify a different timeout + - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout to wait for the forkserver to spin up. The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the - default would wait `1000` milis. Setting a different time here is useful + default would wait for `1000` milliseconds. Setting a different time here is useful if the target has a very slow startup time, for example when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts. @@ -403,10 +403,10 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will - kick off. In probabilistic mode, not all dictionary entires will be used all - of the times for fuzzing mutations to not make fuzzing slower by it. - The default count is `200` element. So for the 200 + 1st element, there is a - 1 in 201 chance, that one of the dictionary entry will not be used directly. + kick off. In probabilistic mode not all dictionary entires will be used all + of the times for fuzzing mutations to not slow down fuzzing. + The default count is `200` elements. So for the 200 + 1st element, there is a + 1 in 201 chance, that one of the dictionary entries will not be used directly. - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to fork + execve() call for every tested input. This is useful mostly when From b260204b728efcc4ba13dfa77692cfc5721db606 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Wed, 18 Nov 2020 18:13:03 +0000 Subject: [PATCH 28/85] Solaris/Illumos build fix. (#609) --- include/afl-fuzz.h | 1 + src/afl-cc.c | 2 +- src/afl-fuzz-init.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index b484b93e..423230f1 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -113,6 +113,7 @@ #include #include #include + #include #endif #endif /* __linux__ */ diff --git a/src/afl-cc.c b/src/afl-cc.c index 9c23c18b..19dc9a6a 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -837,7 +837,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - #ifndef __APPLE__ + #if !defined(__APPLE__) && !defined(__sun) if (!shared_linking) cc_params[cc_par_cnt++] = alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 6884bb1d..0360cdb0 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -355,7 +355,7 @@ void bind_to_free_cpu(afl_state_t *afl) { if (ncpus > sizeof(cpu_used)) ncpus = sizeof(cpu_used); - for (i = 0; i < ncpus; i++) { + for (i = 0; i < (s32)ncpus; i++) { k = kstat_lookup(m, "cpu_stat", i, NULL); if (kstat_read(m, k, &cs)) { From cd0a25be5e9b05a2ab6a11592cd95e7f653bf42d Mon Sep 17 00:00:00 2001 From: Dustin Spicuzza Date: Wed, 18 Nov 2020 14:29:17 -0500 Subject: [PATCH 29/85] Use buffer protocol to retrieve result from python post_process (#605) Saves an extra copy, gives post processing functions more flexibility --- docs/custom_mutators.md | 3 +++ include/afl-fuzz.h | 3 +-- src/afl-fuzz-python.c | 34 ++++++++++++++++++++++++---------- 3 files changed, 28 insertions(+), 12 deletions(-) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 2516e511..53f783fe 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -130,6 +130,9 @@ def introspection(): `post_process` function. This function is then transforming the data into the format expected by the API before executing the target. + This can return any python object that implements the buffer protocol and + supports PyBUF_SIMPLE. These include bytes, bytearray, etc. + - `queue_new_entry` (optional): This methods is called after adding a new test case to the queue. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 423230f1..933af65d 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -326,8 +326,7 @@ typedef struct py_mutator { u8 * fuzz_buf; size_t fuzz_size; - u8 * post_process_buf; - size_t post_process_size; + Py_buffer post_process_buf; u8 * trim_buf; size_t trim_size; diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 80532774..9ac4403b 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -134,6 +134,18 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { PyObject * py_module = py->py_module; PyObject **py_functions = py->py_functions; + // initialize the post process buffer; ensures it's always valid + PyObject *unused_bytes = PyByteArray_FromStringAndSize("OHAI", 4); + if (!unused_bytes) { FATAL("allocation failed!"); } + if (PyObject_GetBuffer(unused_bytes, &py->post_process_buf, PyBUF_SIMPLE) == + -1) { + + FATAL("buffer initialization failed"); + + } + + Py_DECREF(unused_bytes); + if (py_module != NULL) { u8 py_notrim = 0, py_idx; @@ -313,7 +325,6 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->post_process_buf = NULL; mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); @@ -403,10 +414,13 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { - size_t py_out_buf_size; PyObject * py_args, *py_value; py_mutator_t *py = (py_mutator_t *)py_mutator; + // buffer returned previously must be released; initialized during init + // so we don't need to do comparisons + PyBuffer_Release(&py->post_process_buf); + py_args = PyTuple_New(1); py_value = PyByteArray_FromStringAndSize(buf, buf_size); if (!py_value) { @@ -426,20 +440,20 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, if (py_value != NULL) { - py_out_buf_size = PyByteArray_Size(py_value); + if (PyObject_GetBuffer(py_value, &py->post_process_buf, PyBUF_SIMPLE) == + -1) { - if (unlikely(!afl_realloc(BUF_PARAMS(post_process), py_out_buf_size))) { - - PFATAL("alloc"); + PyErr_Print(); + FATAL( + "Python custom mutator: post_process call return value not a " + "bytes-like object"); } - memcpy(py->post_process_buf, PyByteArray_AsString(py_value), - py_out_buf_size); Py_DECREF(py_value); - *out_buf = py->post_process_buf; - return py_out_buf_size; + *out_buf = (u8 *)py->post_process_buf.buf; + return py->post_process_buf.len; } else { From e32b7eeb83c0571a2bdaadfd5b7b769fec1405cc Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 19 Nov 2020 16:14:19 +0100 Subject: [PATCH 30/85] fixed child not killed with -c --- docs/Changelog.md | 1 + instrumentation/afl-compiler-rt.o.c | 22 ++++++++++++++++++++-- src/afl-fuzz.c | 9 ++++++--- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 9426ed54..3c20f8bd 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -38,6 +38,7 @@ sending a mail to . - added INTROSPECTION make target that writes all mutations to out/NAME/introspection.txt - print special compile time options used in help output + - when using -c cmplog, one of the childs was not killed, fixed - somewhere we broke -n dumb fuzzing, fixed - instrumentation - We received an enhanced gcc_plugin module from AdaCore, thank you diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 485f500c..b07aeb83 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -101,6 +101,11 @@ int __afl_sharedmem_fuzzing __attribute__((weak)); struct cmp_map *__afl_cmp_map; +/* Child pid? */ + +static s32 child_pid; +static void (*old_sigterm_handler)(int) = 0; + /* Running in persistent mode? */ static u8 is_persistent; @@ -109,6 +114,14 @@ static u8 is_persistent; static u8 _is_sancov; +/* ensure we kill the child on termination */ + +void at_exit(int signal) { + + if (child_pid > 0) { kill(child_pid, SIGKILL); } + +} + /* Uninspired gcc plugin instrumentation */ void __afl_trace(const u32 x) { @@ -432,7 +445,6 @@ static void __afl_map_shm(void) { static void __afl_start_snapshots(void) { static u8 tmp[4] = {0, 0, 0, 0}; - s32 child_pid; u32 status = 0; u32 already_read_first = 0; u32 was_killed; @@ -579,6 +591,7 @@ static void __afl_start_snapshots(void) { //(void)nice(-20); // does not seem to improve signal(SIGCHLD, old_sigchld_handler); + signal(SIGTERM, old_sigterm_handler); close(FORKSRV_FD); close(FORKSRV_FD + 1); @@ -633,6 +646,11 @@ static void __afl_start_snapshots(void) { static void __afl_start_forkserver(void) { + struct sigaction orig_action; + sigaction(SIGTERM, NULL, &orig_action); + old_sigterm_handler = orig_action.sa_handler; + signal(SIGTERM, at_exit); + #ifdef __linux__ if (/*!is_persistent &&*/ !__afl_cmp_map && !getenv("AFL_NO_SNAPSHOT") && afl_snapshot_init() >= 0) { @@ -645,7 +663,6 @@ static void __afl_start_forkserver(void) { #endif u8 tmp[4] = {0, 0, 0, 0}; - s32 child_pid; u32 status = 0; u32 already_read_first = 0; u32 was_killed; @@ -793,6 +810,7 @@ static void __afl_start_forkserver(void) { //(void)nice(-20); signal(SIGCHLD, old_sigchld_handler); + signal(SIGTERM, old_sigterm_handler); close(FORKSRV_FD); close(FORKSRV_FD + 1); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1008f28c..b60908da 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -40,7 +40,7 @@ extern u64 time_spent_working; static void at_exit() { - int i; + s32 i, pid1 = 0, pid2 = 0; char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr; @@ -48,10 +48,10 @@ static void at_exit() { if (ptr && *ptr) unlink(ptr); ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); + if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM); ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); + if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); i = 0; while (list[i] != NULL) { @@ -75,6 +75,9 @@ static void at_exit() { } + if (pid1 > 0) { kill(pid1, SIGKILL); } + if (pid2 > 0) { kill(pid2, SIGKILL); } + } /* Display usage hints. */ From cf30f52f255ec9ad5e70b73b65fff323d2184c77 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 23 Nov 2020 10:07:15 +0100 Subject: [PATCH 31/85] fix links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 494a6bb7..8b522a81 100644 --- a/README.md +++ b/README.md @@ -273,7 +273,7 @@ anything below 9 is not recommended. v +---------------------------------+ | clang/clang++ 3.3+ is available | --> use LLVM mode (afl-clang-fast/afl-clang-fast++) -+---------------------------------+ see [instrumentation/README.md](instrumentation/README.md) ++---------------------------------+ see [instrumentation/README.llvm.md](instrumentation/README.llvm.md) | | if not, or if the target fails with LLVM afl-clang-fast/++ | @@ -292,7 +292,7 @@ anything below 9 is not recommended. Clickable README links for the chosen compiler: * [LTO mode - afl-clang-lto](instrumentation/README.lto.md) - * [LLVM mode - afl-clang-fast](instrumentation/README.md) + * [LLVM mode - afl-clang-fast](instrumentation/README.llvm.md) * [GCC_PLUGIN mode - afl-gcc-fast](instrumentation/README.gcc_plugin.md) * GCC mode (afl-gcc) has no README as it has no own features From ed2f82eaf40a49d76d7615370ea8749c2f1fefaa Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 24 Nov 2020 16:13:58 +0100 Subject: [PATCH 32/85] fix compiler warning turned error on NetBSD --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 95b3ee8a..b716b8c8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -484,7 +484,7 @@ void sync_fuzzers(afl_state_t *afl) { DIR * sd; struct dirent *sd_ent; u32 sync_cnt = 0, synced = 0, entries = 0; - u8 path[PATH_MAX + 256]; + u8 path[PATH_MAX + 1 + NAME_MAX]; sd = opendir(afl->sync_dir); if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); } From 27c3423fb6f1cf568cf0e50b16a82c035945ae7c Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 24 Nov 2020 19:38:55 +0100 Subject: [PATCH 33/85] test-pre.sh: remove old uses of afl-clang, afl-cc.c: add missing env.var. AFL_LLVM_LAF_ALL --- src/afl-cc.c | 6 +++--- test/test-pre.sh | 11 ++--------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index 19dc9a6a..1ad43c43 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -686,7 +686,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") || - getenv("LAF_TRANSFORM_COMPARES") || lto_mode) { + getenv("LAF_TRANSFORM_COMPARES") || getenv("AFL_LLVM_LAF_ALL") || lto_mode) { cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; @@ -1030,7 +1030,7 @@ int main(int argc, char **argv, char **envp) { if (instrument_mode == 0) instrument_mode = INSTRUMENT_PCGUARD; else if (instrument_mode != INSTRUMENT_PCGUARD) - FATAL("you can not set AFL_LLVM_INSTRUMENT and AFL_TRACE_PC together"); + FATAL("you cannot set AFL_LLVM_INSTRUMENT and AFL_TRACE_PC together"); } @@ -1049,7 +1049,7 @@ int main(int argc, char **argv, char **envp) { instrument_mode = INSTRUMENT_CFG; else if (instrument_mode != INSTRUMENT_CFG) FATAL( - "you can not set AFL_LLVM_INSTRUMENT and AFL_LLVM_INSTRIM together"); + "you cannot set AFL_LLVM_INSTRUMENT and AFL_LLVM_INSTRIM together"); } diff --git a/test/test-pre.sh b/test/test-pre.sh index fc14ee0b..fc84cb47 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -106,14 +106,7 @@ export AFL_LLVM_INSTRUMENT=AFL test -e /usr/local/bin/opt && { export PATH="/usr/local/bin:${PATH}" } -# on MacOS X we prefer afl-clang over afl-gcc, because -# afl-gcc does not work there -test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { - AFL_GCC=afl-clang -} || { - AFL_GCC=afl-gcc -} -command -v gcc >/dev/null 2>&1 || AFL_GCC=afl-clang +AFL_GCC=afl-gcc SYS=`uname -m` @@ -135,4 +128,4 @@ test -z "$SYS" && $ECHO "$YELLOW[-] uname -m did not succeed" CODE=0 INCOMPLETE=0 -fi \ No newline at end of file +fi From 5a84db7c67fb10f772d4538c10b217b816ada6d6 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Tue, 24 Nov 2020 20:14:32 +0100 Subject: [PATCH 34/85] Fix reference, add missing word 'directory' --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8b522a81..d7cad092 100644 --- a/README.md +++ b/README.md @@ -525,7 +525,7 @@ as test data in there. If you do not want anything special, the defaults are already usually best, hence all you need is to specify the seed input directory with the result of -step [2. Collect inputs](#a)a-collect-inputs)): +step [2a. Collect inputs](#a-collect-inputs): `afl-fuzz -i input -o output -- bin/target -d @@` Note that the directory specified with -o will be created if it does not exist. @@ -541,7 +541,7 @@ that it could not connect to the forkserver), then you can increase this with the `-m` option, the value is in MB. To disable any memory limits (beware!) set `-m none` - which is usually required for ASAN compiled targets. -Adding a dictionary is helpful. See the [dictionaries/](dictionaries/) if +Adding a dictionary is helpful. See the directory [dictionaries/](dictionaries/) if something is already included for your data format, and tell afl-fuzz to load that dictionary by adding `-x dictionaries/FORMAT.dict`. With afl-clang-lto you have an autodictionary generation for which you need to do nothing except From ded80870a933b83d8186a160f7717641ce441a81 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 1 Nov 2020 06:22:18 +0100 Subject: [PATCH 35/85] reenable afl-clang(++) --- GNUmakefile | 4 +++- GNUmakefile.llvm | 2 ++ src/afl-cc.c | 43 ++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 764c9baa..00753241 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -538,7 +538,7 @@ all_done: test_build .PHONY: clean clean: - rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ test/unittests/unit_hash test/unittests/unit_rand + rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand -$(MAKE) -f GNUmakefile.llvm clean -$(MAKE) -f GNUmakefile.gcc_plugin clean $(MAKE) -C libdislocator clean @@ -633,6 +633,8 @@ install: all $(MANPAGES) -$(MAKE) -f GNUmakefile.gcc_plugin install ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-g++ + ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang + ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang++ @mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH) install -m0644 *.8 ${DESTDIR}$(MAN_PATH) install -m 755 afl-as $${DESTDIR}$(HELPER_PATH) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index cc28695d..5ab998bb 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -361,6 +361,8 @@ instrumentation/afl-common.o: ./src/afl-common.c @ln -sf afl-cc ./afl-c++ @ln -sf afl-cc ./afl-gcc @ln -sf afl-cc ./afl-g++ + @ln -sf afl-cc ./afl-clang + @ln -sf afl-cc ./afl-clang++ @ln -sf afl-cc ./afl-clang-fast @ln -sf afl-cc ./afl-clang-fast++ ifneq "$(AFL_CLANG_FLTO)" "" diff --git a/src/afl-cc.c b/src/afl-cc.c index 1ad43c43..25ed923a 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -48,6 +48,7 @@ static u8 * obj_path; /* Path to runtime libraries */ static u8 **cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ +static u8 clang_mode; /* Invoked as afl-clang*? */ static u8 llvm_fullpath[PATH_MAX]; static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode; static u8 compiler_mode, plusplus_mode, have_instr_env = 0; @@ -288,7 +289,15 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (compiler_mode >= GCC_PLUGIN) { - alt_cxx = "g++"; + if (compiler_mode == GCC) { + + alt_cxx = clang_mode ? "clang++" : "g++"; + + } else { + + alt_cxx = "g++"; + + } } else { @@ -313,7 +322,15 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (compiler_mode >= GCC_PLUGIN) { - alt_cc = "gcc"; + if (compiler_mode == GCC) { + + alt_cc = clang_mode ? "clang" : "gcc"; + + } else { + + alt_cc = "gcc"; + + } } else { @@ -337,6 +354,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-B"; cc_params[cc_par_cnt++] = obj_path; + if (clang_mode) { + + cc_params[cc_par_cnt++] = "-no-integrated-as"; + + } } if (compiler_mode == GCC_PLUGIN) { @@ -934,7 +956,9 @@ int main(int argc, char **argv, char **envp) { } else if (strncmp(callname, "afl-gcc", 7) == 0 || - strncmp(callname, "afl-g++", 7) == 0) { + strncmp(callname, "afl-g++", 7) == 0 || + + strncmp(callname, "afl-clang", 9) == 0) { compiler_mode = GCC; @@ -978,6 +1002,19 @@ int main(int argc, char **argv, char **envp) { } + + if (strncmp(callname, "afl-clang", 9) == 0) { + + clang_mode = 1; + + if (strncmp(callname, "afl-clang++", 11) == 0) { + + plusplus_mode = 1; + + } + + } + for (i = 1; i < argc; i++) { if (strncmp(argv[i], "--afl", 5) == 0) { From d1259d09149fc1fa599240a54e146f83d54c75f6 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 27 Nov 2020 20:54:07 +0100 Subject: [PATCH 36/85] add -lm, afl-fuzz-queue.c wants log2(), fix GNUmakefile syntax --- GNUmakefile | 2 +- GNUmakefile.llvm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 00753241..a7d8bd9b 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -417,7 +417,7 @@ src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h $(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 - $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) + $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 5ab998bb..4ee64dc6 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -34,7 +34,7 @@ ifeq "$(shell uname)" "OpenBSD" LLVM_CONFIG ?= $(BIN_PATH)/llvm-config HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1) ifeq "$(HAS_OPT)" "1" - $(warn llvm_mode needs a complete llvm installation (versions 3.4 up to 12) -> e.g. "pkg_add llvm-7.0.1p9") + $(warning llvm_mode needs a complete llvm installation \(versions 3.4 up to 12\) -> e.g. "pkg_add llvm-7.0.1p9") endif else LLVM_CONFIG ?= llvm-config From b792c5908098a79184c48946698fce3e734ac191 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 27 Nov 2020 21:02:27 +0100 Subject: [PATCH 37/85] remove wrong quoting --- GNUmakefile.llvm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 4ee64dc6..6e80de81 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -34,7 +34,7 @@ ifeq "$(shell uname)" "OpenBSD" LLVM_CONFIG ?= $(BIN_PATH)/llvm-config HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1) ifeq "$(HAS_OPT)" "1" - $(warning llvm_mode needs a complete llvm installation \(versions 3.4 up to 12\) -> e.g. "pkg_add llvm-7.0.1p9") + $(warning llvm_mode needs a complete llvm installation (versions 3.4 up to 12) -> e.g. "pkg_add llvm-7.0.1p9") endif else LLVM_CONFIG ?= llvm-config From fdac887660d776c725c148bf144548f9d1b7f1e6 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 27 Nov 2020 21:10:55 +0100 Subject: [PATCH 38/85] no fancy special options for the fundamental test compile (no unnecessary dependencies) --- GNUmakefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GNUmakefile b/GNUmakefile index a7d8bd9b..f17a6253 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -512,7 +512,7 @@ code-format: ifndef AFL_NO_X86 test_build: afl-cc afl-as afl-showmap @echo "[*] Testing the CC wrapper and instrumentation output..." - @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 || (echo "Oops, afl-cc failed"; exit 1 ) + @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 ) ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr From e83426a79be11378cdef89a2a96a434cf8fc305e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Nov 2020 19:09:13 +0100 Subject: [PATCH 39/85] fix make DEBUG=1 --- GNUmakefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/GNUmakefile b/GNUmakefile index f17a6253..521ab683 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -85,7 +85,9 @@ ifneq "$(shell uname)" "Darwin" endif endif # OS X does not like _FORTIFY_SOURCE=2 - CFLAGS_OPT += -D_FORTIFY_SOURCE=2 + ifndef DEBUG + CFLAGS_OPT += -D_FORTIFY_SOURCE=2 + endif endif ifeq "$(shell uname)" "SunOS" @@ -232,7 +234,9 @@ else endif ifneq "$(filter Linux GNU%,$(shell uname))" "" + ifndef DEBUG override CFLAGS += -D_FORTIFY_SOURCE=2 + endif LDFLAGS += -ldl -lrt -lm endif From aff4ccb0b2324259554537983e9261e48cccf275 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 12:56:47 +0100 Subject: [PATCH 40/85] more explanation --- examples/persistent_demo/persistent_demo_new.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index b8b4cda0..a29792ff 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -58,11 +58,11 @@ int main(int argc, char **argv) { and similar hiccups. */ __AFL_INIT(); - buf = __AFL_FUZZ_TESTCASE_BUF; + buf = __AFL_FUZZ_TESTCASE_BUF; // this must be assigned before __AFL_LOOP! while (__AFL_LOOP(1000)) { // increase if you have good stability - len = __AFL_FUZZ_TESTCASE_LEN; + len = __AFL_FUZZ_TESTCASE_LEN; // do not use the macro directly in a call! fprintf(stderr, "input: %zd \"%s\"\n", len, buf); From 63c317218bfe1ffc91443a2620c653581aff0ba1 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 13:03:33 +0100 Subject: [PATCH 41/85] persistent_demo -> persistent_mode --- examples/README.md | 2 +- examples/persistent_mode/Makefile | 10 ++ examples/persistent_mode/persistent_demo.c | 112 +++++++++++++++++ .../persistent_mode/persistent_demo_new.c | 117 ++++++++++++++++++ examples/persistent_mode/test-instr.c | 69 +++++++++++ instrumentation/README.gcc_plugin.md | 2 +- instrumentation/README.persistent_mode.md | 9 +- test/test-gcc-plugin.sh | 2 +- test/test-llvm-lto.sh | 2 +- test/test-llvm.sh | 2 +- 10 files changed, 320 insertions(+), 7 deletions(-) create mode 100644 examples/persistent_mode/Makefile create mode 100644 examples/persistent_mode/persistent_demo.c create mode 100644 examples/persistent_mode/persistent_demo_new.c create mode 100644 examples/persistent_mode/test-instr.c diff --git a/examples/README.md b/examples/README.md index 46a92c6e..7dd70d6a 100644 --- a/examples/README.md +++ b/examples/README.md @@ -39,7 +39,7 @@ Here's a quick overview of the stuff you can find in this directory: - libpng_no_checksum - a sample patch for removing CRC checks in libpng. - - persistent_demo - an example of how to use the LLVM persistent process + - persistent_mode - an example of how to use the LLVM persistent process mode to speed up certain fuzzing jobs. - socket_fuzzing - a LD_PRELOAD library 'redirects' a socket to stdin diff --git a/examples/persistent_mode/Makefile b/examples/persistent_mode/Makefile new file mode 100644 index 00000000..6fa1c30e --- /dev/null +++ b/examples/persistent_mode/Makefile @@ -0,0 +1,10 @@ +all: + afl-clang-fast -o persistent_demo persistent_demo.c + afl-clang-fast -o persistent_demo_new persistent_demo_new.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c + +document: + AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + +clean: + rm -f persistent_demo persistent_demo_new test-instr diff --git a/examples/persistent_mode/persistent_demo.c b/examples/persistent_mode/persistent_demo.c new file mode 100644 index 00000000..4cedc32c --- /dev/null +++ b/examples/persistent_mode/persistent_demo.c @@ -0,0 +1,112 @@ +/* + american fuzzy lop++ - persistent mode example + -------------------------------------------- + + Originally written by Michal Zalewski + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This file demonstrates the high-performance "persistent mode" that may be + suitable for fuzzing certain fast and well-behaved libraries, provided that + they are stateless or that their internal state can be easily reset + across runs. + + To make this work, the library and this shim need to be compiled in LLVM + mode using afl-clang-fast (other compiler wrappers will *not* work). + + */ + +#include +#include +#include +#include +#include + +/* Main entry point. */ + +int main(int argc, char **argv) { + + ssize_t len; /* how much input did we read? */ + char buf[100]; /* Example-only buffer, you'd replace it with other global or + local variables appropriate for your use case. */ + + /* The number passed to __AFL_LOOP() controls the maximum number of + iterations before the loop exits and the program is allowed to + terminate normally. This limits the impact of accidental memory leaks + and similar hiccups. */ + + __AFL_INIT(); + while (__AFL_LOOP(1000)) { + + /*** PLACEHOLDER CODE ***/ + + /* STEP 1: Fully re-initialize all critical variables. In our example, this + involves zeroing buf[], our input buffer. */ + + memset(buf, 0, 100); + + /* STEP 2: Read input data. When reading from stdin, no special preparation + is required. When reading from a named file, you need to close + the old descriptor and reopen the file first! + + Beware of reading from buffered FILE* objects such as stdin. Use + raw file descriptors or call fopen() / fdopen() in every pass. */ + + len = read(0, buf, 100); + + /* STEP 3: This is where we'd call the tested library on the read data. + We just have some trivial inline code that faults on 'foo!'. */ + + /* do we have enough data? */ + if (len < 8) continue; + + if (buf[0] == 'f') { + + printf("one\n"); + if (buf[1] == 'o') { + + printf("two\n"); + if (buf[2] == 'o') { + + printf("three\n"); + if (buf[3] == '!') { + + printf("four\n"); + if (buf[4] == '!') { + + printf("five\n"); + if (buf[5] == '!') { + + printf("six\n"); + abort(); + + } + + } + + } + + } + + } + + } + + /*** END PLACEHOLDER CODE ***/ + + } + + /* Once the loop is exited, terminate normally - AFL will restart the process + when this happens, with a clean slate when it comes to allocated memory, + leftover file descriptors, etc. */ + + return 0; + +} + diff --git a/examples/persistent_mode/persistent_demo_new.c b/examples/persistent_mode/persistent_demo_new.c new file mode 100644 index 00000000..a29792ff --- /dev/null +++ b/examples/persistent_mode/persistent_demo_new.c @@ -0,0 +1,117 @@ +/* + american fuzzy lop++ - persistent mode example + -------------------------------------------- + + Originally written by Michal Zalewski + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This file demonstrates the high-performance "persistent mode" that may be + suitable for fuzzing certain fast and well-behaved libraries, provided that + they are stateless or that their internal state can be easily reset + across runs. + + To make this work, the library and this shim need to be compiled in LLVM + mode using afl-clang-fast (other compiler wrappers will *not* work). + + */ + +#include +#include +#include +#include +#include + +/* this lets the source compile without afl-clang-fast/lto */ +#ifndef __AFL_FUZZ_TESTCASE_LEN + +ssize_t fuzz_len; +unsigned char fuzz_buf[1024000]; + + #define __AFL_FUZZ_TESTCASE_LEN fuzz_len + #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf + #define __AFL_FUZZ_INIT() void sync(void); + #define __AFL_LOOP(x) \ + ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0) + #define __AFL_INIT() sync() + +#endif + +__AFL_FUZZ_INIT(); + +/* Main entry point. */ + +int main(int argc, char **argv) { + + ssize_t len; /* how much input did we read? */ + unsigned char *buf; /* test case buffer pointer */ + + /* The number passed to __AFL_LOOP() controls the maximum number of + iterations before the loop exits and the program is allowed to + terminate normally. This limits the impact of accidental memory leaks + and similar hiccups. */ + + __AFL_INIT(); + buf = __AFL_FUZZ_TESTCASE_BUF; // this must be assigned before __AFL_LOOP! + + while (__AFL_LOOP(1000)) { // increase if you have good stability + + len = __AFL_FUZZ_TESTCASE_LEN; // do not use the macro directly in a call! + + fprintf(stderr, "input: %zd \"%s\"\n", len, buf); + + /* do we have enough data? */ + if (len < 8) continue; + + if (strcmp((char *)buf, "thisisateststring") == 0) printf("teststring\n"); + + if (buf[0] == 'f') { + + printf("one\n"); + if (buf[1] == 'o') { + + printf("two\n"); + if (buf[2] == 'o') { + + printf("three\n"); + if (buf[3] == '!') { + + printf("four\n"); + if (buf[4] == '!') { + + printf("five\n"); + if (buf[6] == '!') { + + printf("six\n"); + abort(); + + } + + } + + } + + } + + } + + } + + /*** END PLACEHOLDER CODE ***/ + + } + + /* Once the loop is exited, terminate normally - AFL will restart the process + when this happens, with a clean slate when it comes to allocated memory, + leftover file descriptors, etc. */ + + return 0; + +} + diff --git a/examples/persistent_mode/test-instr.c b/examples/persistent_mode/test-instr.c new file mode 100644 index 00000000..a6188b22 --- /dev/null +++ b/examples/persistent_mode/test-instr.c @@ -0,0 +1,69 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include + +__AFL_FUZZ_INIT(); + +int main(int argc, char **argv) { + + __AFL_INIT(); + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + + while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability + + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; + +#ifdef _AFL_DOCUMENT_MUTATIONS + static unsigned int counter = 0; + char fn[32]; + sprintf(fn, "%09u:test-instr", counter); + int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd_doc >= 0) { + + if (write(fd_doc, buf, len) != __afl_fuzz_len) { + + fprintf(stderr, "write of mutation file failed: %s\n", fn); + unlink(fn); + + } + + close(fd_doc); + + } + + counter++; +#endif + + // fprintf(stderr, "len: %u\n", len); + + if (!len) continue; + + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + + } + + return 0; + +} + diff --git a/instrumentation/README.gcc_plugin.md b/instrumentation/README.gcc_plugin.md index 919801d1..6ccb5fd3 100644 --- a/instrumentation/README.gcc_plugin.md +++ b/instrumentation/README.gcc_plugin.md @@ -147,7 +147,7 @@ The numerical value specified within the loop controls the maximum number of iterations before AFL will restart the process from scratch. This minimizes the impact of memory leaks and similar glitches; 1000 is a good starting point. -A more detailed template is shown in ../examples/persistent_demo/. +A more detailed template is shown in ../examples/persistent_mode/. Similarly to the previous mode, the feature works only with afl-gcc-fast or afl-clang-fast; #ifdef guards can be used to suppress it when using other compilers. diff --git a/instrumentation/README.persistent_mode.md b/instrumentation/README.persistent_mode.md index e095f036..2fd7027d 100644 --- a/instrumentation/README.persistent_mode.md +++ b/instrumentation/README.persistent_mode.md @@ -23,15 +23,20 @@ __AFL_FUZZ_INIT(); main() { + // anything else here, eg. command line arguments, initialization, etc. + #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; // must be after __AFL_INIT + // and before __AFL_LOOP! while (__AFL_LOOP(10000)) { - int len = __AFL_FUZZ_TESTCASE_LEN; + int len = __AFL_FUZZ_TESTCASE_LEN; // don't use the macro directly in a + // call! + if (len < 8) continue; // check for a required/useful minimum input length /* Setup function call, e.g. struct target *tmp = libtarget_init() */ @@ -169,7 +174,7 @@ the impact of memory leaks and similar glitches; 1000 is a good starting point, and going much higher increases the likelihood of hiccups without giving you any real performance benefits. -A more detailed template is shown in ../examples/persistent_demo/. +A more detailed template is shown in ../examples/persistent_mode/. Similarly to the previous mode, the feature works only with afl-clang-fast; #ifdef guards can be used to suppress it when using other compilers. diff --git a/test/test-gcc-plugin.sh b/test/test-gcc-plugin.sh index b0ff2be0..8740eff5 100755 --- a/test/test-gcc-plugin.sh +++ b/test/test-gcc-plugin.sh @@ -94,7 +94,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt - ../afl-gcc-fast -o test-persistent ../examples/persistent_demo/persistent_demo.c > /dev/null 2>&1 + ../afl-gcc-fast -o test-persistent ../examples/persistent_mode/persistent_mode.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" diff --git a/test/test-llvm-lto.sh b/test/test-llvm-lto.sh index 6b327633..bdb08559 100755 --- a/test/test-llvm-lto.sh +++ b/test/test-llvm-lto.sh @@ -57,7 +57,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt - ../afl-clang-lto -o test-persistent ../examples/persistent_demo/persistent_demo.c > /dev/null 2>&1 + ../afl-clang-lto -o test-persistent ../examples/persistent_mode/persistent_mode.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m none -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode LTO persistent mode feature works correctly" diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 7daac0f2..1480316a 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -209,7 +209,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { INCOMPLETE=1 } rm -rf errors test-cmplog in core.* - ../afl-clang-fast -o test-persistent ../examples/persistent_demo/persistent_demo.c > /dev/null 2>&1 + ../afl-clang-fast -o test-persistent ../examples/persistent_mode/persistent_mode.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly" From 856968c13b6222c3fc72d7a5d5f22e2e728ac0c6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 13:03:51 +0100 Subject: [PATCH 42/85] persistent_demo -> persistent_mode --- examples/persistent_demo/Makefile | 10 -- examples/persistent_demo/persistent_demo.c | 112 ----------------- .../persistent_demo/persistent_demo_new.c | 117 ------------------ examples/persistent_demo/test-instr.c | 69 ----------- 4 files changed, 308 deletions(-) delete mode 100644 examples/persistent_demo/Makefile delete mode 100644 examples/persistent_demo/persistent_demo.c delete mode 100644 examples/persistent_demo/persistent_demo_new.c delete mode 100644 examples/persistent_demo/test-instr.c diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile deleted file mode 100644 index 6fa1c30e..00000000 --- a/examples/persistent_demo/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -all: - afl-clang-fast -o persistent_demo persistent_demo.c - afl-clang-fast -o persistent_demo_new persistent_demo_new.c - AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c - -document: - AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c - -clean: - rm -f persistent_demo persistent_demo_new test-instr diff --git a/examples/persistent_demo/persistent_demo.c b/examples/persistent_demo/persistent_demo.c deleted file mode 100644 index 4cedc32c..00000000 --- a/examples/persistent_demo/persistent_demo.c +++ /dev/null @@ -1,112 +0,0 @@ -/* - american fuzzy lop++ - persistent mode example - -------------------------------------------- - - Originally written by Michal Zalewski - - Copyright 2015 Google Inc. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - This file demonstrates the high-performance "persistent mode" that may be - suitable for fuzzing certain fast and well-behaved libraries, provided that - they are stateless or that their internal state can be easily reset - across runs. - - To make this work, the library and this shim need to be compiled in LLVM - mode using afl-clang-fast (other compiler wrappers will *not* work). - - */ - -#include -#include -#include -#include -#include - -/* Main entry point. */ - -int main(int argc, char **argv) { - - ssize_t len; /* how much input did we read? */ - char buf[100]; /* Example-only buffer, you'd replace it with other global or - local variables appropriate for your use case. */ - - /* The number passed to __AFL_LOOP() controls the maximum number of - iterations before the loop exits and the program is allowed to - terminate normally. This limits the impact of accidental memory leaks - and similar hiccups. */ - - __AFL_INIT(); - while (__AFL_LOOP(1000)) { - - /*** PLACEHOLDER CODE ***/ - - /* STEP 1: Fully re-initialize all critical variables. In our example, this - involves zeroing buf[], our input buffer. */ - - memset(buf, 0, 100); - - /* STEP 2: Read input data. When reading from stdin, no special preparation - is required. When reading from a named file, you need to close - the old descriptor and reopen the file first! - - Beware of reading from buffered FILE* objects such as stdin. Use - raw file descriptors or call fopen() / fdopen() in every pass. */ - - len = read(0, buf, 100); - - /* STEP 3: This is where we'd call the tested library on the read data. - We just have some trivial inline code that faults on 'foo!'. */ - - /* do we have enough data? */ - if (len < 8) continue; - - if (buf[0] == 'f') { - - printf("one\n"); - if (buf[1] == 'o') { - - printf("two\n"); - if (buf[2] == 'o') { - - printf("three\n"); - if (buf[3] == '!') { - - printf("four\n"); - if (buf[4] == '!') { - - printf("five\n"); - if (buf[5] == '!') { - - printf("six\n"); - abort(); - - } - - } - - } - - } - - } - - } - - /*** END PLACEHOLDER CODE ***/ - - } - - /* Once the loop is exited, terminate normally - AFL will restart the process - when this happens, with a clean slate when it comes to allocated memory, - leftover file descriptors, etc. */ - - return 0; - -} - diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c deleted file mode 100644 index a29792ff..00000000 --- a/examples/persistent_demo/persistent_demo_new.c +++ /dev/null @@ -1,117 +0,0 @@ -/* - american fuzzy lop++ - persistent mode example - -------------------------------------------- - - Originally written by Michal Zalewski - - Copyright 2015 Google Inc. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - This file demonstrates the high-performance "persistent mode" that may be - suitable for fuzzing certain fast and well-behaved libraries, provided that - they are stateless or that their internal state can be easily reset - across runs. - - To make this work, the library and this shim need to be compiled in LLVM - mode using afl-clang-fast (other compiler wrappers will *not* work). - - */ - -#include -#include -#include -#include -#include - -/* this lets the source compile without afl-clang-fast/lto */ -#ifndef __AFL_FUZZ_TESTCASE_LEN - -ssize_t fuzz_len; -unsigned char fuzz_buf[1024000]; - - #define __AFL_FUZZ_TESTCASE_LEN fuzz_len - #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf - #define __AFL_FUZZ_INIT() void sync(void); - #define __AFL_LOOP(x) \ - ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0) - #define __AFL_INIT() sync() - -#endif - -__AFL_FUZZ_INIT(); - -/* Main entry point. */ - -int main(int argc, char **argv) { - - ssize_t len; /* how much input did we read? */ - unsigned char *buf; /* test case buffer pointer */ - - /* The number passed to __AFL_LOOP() controls the maximum number of - iterations before the loop exits and the program is allowed to - terminate normally. This limits the impact of accidental memory leaks - and similar hiccups. */ - - __AFL_INIT(); - buf = __AFL_FUZZ_TESTCASE_BUF; // this must be assigned before __AFL_LOOP! - - while (__AFL_LOOP(1000)) { // increase if you have good stability - - len = __AFL_FUZZ_TESTCASE_LEN; // do not use the macro directly in a call! - - fprintf(stderr, "input: %zd \"%s\"\n", len, buf); - - /* do we have enough data? */ - if (len < 8) continue; - - if (strcmp((char *)buf, "thisisateststring") == 0) printf("teststring\n"); - - if (buf[0] == 'f') { - - printf("one\n"); - if (buf[1] == 'o') { - - printf("two\n"); - if (buf[2] == 'o') { - - printf("three\n"); - if (buf[3] == '!') { - - printf("four\n"); - if (buf[4] == '!') { - - printf("five\n"); - if (buf[6] == '!') { - - printf("six\n"); - abort(); - - } - - } - - } - - } - - } - - } - - /*** END PLACEHOLDER CODE ***/ - - } - - /* Once the loop is exited, terminate normally - AFL will restart the process - when this happens, with a clean slate when it comes to allocated memory, - leftover file descriptors, etc. */ - - return 0; - -} - diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c deleted file mode 100644 index a6188b22..00000000 --- a/examples/persistent_demo/test-instr.c +++ /dev/null @@ -1,69 +0,0 @@ -/* - american fuzzy lop++ - a trivial program to test the build - -------------------------------------------------------- - Originally written by Michal Zalewski - Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 - */ - -#include -#include -#include -#include -#include -#include -#include - -__AFL_FUZZ_INIT(); - -int main(int argc, char **argv) { - - __AFL_INIT(); - unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - - while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability - - unsigned int len = __AFL_FUZZ_TESTCASE_LEN; - -#ifdef _AFL_DOCUMENT_MUTATIONS - static unsigned int counter = 0; - char fn[32]; - sprintf(fn, "%09u:test-instr", counter); - int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd_doc >= 0) { - - if (write(fd_doc, buf, len) != __afl_fuzz_len) { - - fprintf(stderr, "write of mutation file failed: %s\n", fn); - unlink(fn); - - } - - close(fd_doc); - - } - - counter++; -#endif - - // fprintf(stderr, "len: %u\n", len); - - if (!len) continue; - - if (buf[0] == '0') - printf("Looks like a zero to me!\n"); - else if (buf[0] == '1') - printf("Pretty sure that is a one!\n"); - else - printf("Neither one or zero? How quaint!\n"); - - } - - return 0; - -} - From e865f274f1323402d2f7e2dd50f847bc3fa9287d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 13:36:27 +0100 Subject: [PATCH 43/85] fix wrong rename in test --- test/test-gcc-plugin.sh | 2 +- test/test-llvm.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/test-gcc-plugin.sh b/test/test-gcc-plugin.sh index 8740eff5..af8674c9 100755 --- a/test/test-gcc-plugin.sh +++ b/test/test-gcc-plugin.sh @@ -94,7 +94,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt - ../afl-gcc-fast -o test-persistent ../examples/persistent_mode/persistent_mode.c > /dev/null 2>&1 + ../afl-gcc-fast -o test-persistent ../examples/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 1480316a..14778e1c 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -209,7 +209,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { INCOMPLETE=1 } rm -rf errors test-cmplog in core.* - ../afl-clang-fast -o test-persistent ../examples/persistent_mode/persistent_mode.c > /dev/null 2>&1 + ../afl-clang-fast -o test-persistent ../examples/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly" From 403b8a10864484153b9931c915279372b946a7ff Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 21:13:16 +0100 Subject: [PATCH 44/85] update persistent doc --- instrumentation/README.persistent_mode.md | 34 ++++------------------- 1 file changed, 5 insertions(+), 29 deletions(-) diff --git a/instrumentation/README.persistent_mode.md b/instrumentation/README.persistent_mode.md index 2fd7027d..49f5ee8b 100644 --- a/instrumentation/README.persistent_mode.md +++ b/instrumentation/README.persistent_mode.md @@ -115,37 +115,13 @@ With the location selected, add this code in the appropriate spot: ``` You don't need the #ifdef guards, but including them ensures that the program -will keep working normally when compiled with a tool other than afl-clang-fast. +will keep working normally when compiled with a tool other than afl-clang-fast/ +afl-clang-lto/afl-gcc-fast. -Finally, recompile the program with afl-clang-fast/lto (afl-gcc or afl-clang will -*not* generate a deferred-initialization binary) - and you should be all set! +Finally, recompile the program with afl-clang-fast/afl-clang-lto/afl-gcc-fast +(afl-gcc or afl-clang will *not* generate a deferred-initialization binary) - +and you should be all set! -*NOTE:* In the code between `main` and `__AFL_INIT()` should not be any code -run that is instrumented - otherwise a crash might occure. -In case this is useful (e.g. for expensive one time initialization) you can -try to do the following: - -Add after the includes: -``` -extern unsigned char *__afl_area_ptr; -#define MAX_DUMMY_SIZE 256000 - -__attribute__((constructor(1))) void __afl_protect(void) { -#ifdef MAP_FIXED_NOREPLACE - __afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) -#endif - __afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) - __afl_area_ptr = (unsigned char*) mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); -} - -``` -and just before `__AFL_INIT()`: -``` - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); - __afl_area_ptr = NULL; -``` ## 4) Persistent mode From 1b75cc9f742ca6f5c95788269c66c346036b7233 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 21:38:15 +0100 Subject: [PATCH 45/85] add DEBUGF --- src/afl-cc.c | 4 ++-- src/afl-ld-lto.c | 10 ++++------ src/afl-showmap.c | 4 ++-- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index 25ed923a..6d39b890 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1582,7 +1582,7 @@ int main(int argc, char **argv, char **envp) { if (debug) { - SAYF(cMGN "[D]" cRST " cd '%s';", getthecwd()); + DEBUGF("cd '%s';", getthecwd()); for (i = 0; i < argc; i++) SAYF(" '%s'", argv[i]); SAYF("\n"); @@ -1610,7 +1610,7 @@ int main(int argc, char **argv, char **envp) { if (debug) { - SAYF(cMGN "[D]" cRST " cd '%s';", getthecwd()); + DEBUGF("cd '%s';", getthecwd()); for (i = 0; i < (s32)cc_par_cnt; i++) SAYF(" '%s'", cc_params[i]); SAYF("\n"); diff --git a/src/afl-ld-lto.c b/src/afl-ld-lto.c index 771e2d0d..e6ea1f1d 100644 --- a/src/afl-ld-lto.c +++ b/src/afl-ld-lto.c @@ -182,9 +182,7 @@ static void edit_params(int argc, char **argv) { instrim = 1; if (debug) - SAYF(cMGN "[D] " cRST - "passthrough=%s instrim=%d, gold_pos=%d, gold_present=%s " - "inst_present=%s rt_present=%s rt_lto_present=%s\n", + DEBUGF("passthrough=%s instrim=%d, gold_pos=%d, gold_present=%s inst_present=%s rt_present=%s rt_lto_present=%s\n", passthrough ? "true" : "false", instrim, gold_pos, gold_present ? "true" : "false", inst_present ? "true" : "false", rt_present ? "true" : "false", rt_lto_present ? "true" : "false"); @@ -280,7 +278,7 @@ int main(int argc, char **argv) { if (getcwd(thecwd, sizeof(thecwd)) != 0) strcpy(thecwd, "."); - SAYF(cMGN "[D] " cRST "cd \"%s\";", thecwd); + DEBUGF("cd \"%s\";", thecwd); for (i = 0; i < argc; i++) SAYF(" \"%s\"", argv[i]); SAYF("\n"); @@ -315,7 +313,7 @@ int main(int argc, char **argv) { if (debug) { - SAYF(cMGN "[D]" cRST " cd \"%s\";", thecwd); + DEBUGF("cd \"%s\";", thecwd); for (i = 0; i < ld_param_cnt; i++) SAYF(" \"%s\"", ld_params[i]); SAYF("\n"); @@ -333,7 +331,7 @@ int main(int argc, char **argv) { if (pid < 0) PFATAL("fork() failed"); if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed"); - if (debug) SAYF(cMGN "[D] " cRST "linker result: %d\n", status); + if (debug) DEBUGF("linker result: %d\n", status); if (!just_version) { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 69527007..a8e7d3f9 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -904,7 +904,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_DEBUG")) { - SAYF(cMGN "[D]" cRST); + DEBUGF(""); for (i = 0; i < argc; i++) SAYF(" %s", argv[i]); SAYF("\n"); @@ -1066,7 +1066,7 @@ int main(int argc, char **argv_orig, char **envp) { if (get_afl_env("AFL_DEBUG")) { int i = optind; - SAYF(cMGN "[D]" cRST " %s:", fsrv->target_path); + DEBUGF("%s:", fsrv->target_path); while (argv[i] != NULL) { SAYF(" \"%s\"", argv[i++]); From e769102491a4a5aa90afe57cce48211338133d3f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 21:54:18 +0100 Subject: [PATCH 46/85] more DEBUGF --- include/debug.h | 10 ++++++ instrumentation/LLVMInsTrim.so.cc | 4 +-- instrumentation/afl-gcc-pass.so.cc | 36 +++++++++---------- instrumentation/afl-llvm-common.cc | 34 +++++++++--------- .../afl-llvm-lto-instrumentlist.so.cc | 9 +++-- src/afl-cc.c | 18 +++------- src/afl-ld-lto.c | 10 +++--- 7 files changed, 60 insertions(+), 61 deletions(-) diff --git a/include/debug.h b/include/debug.h index e6d3c3fc..5512023c 100644 --- a/include/debug.h +++ b/include/debug.h @@ -270,6 +270,16 @@ \ } while (0) +/* Show a prefixed debug output. */ + +#define DEBUGF(x...) \ + do { \ + \ + SAYF(cMGN "[D] " cBRI "DEBUG: " cRST x); \ + SAYF(cRST ""); \ + \ + } while (0) + /* Error-checking versions of read() and write() that call RPFATAL() as appropriate. */ diff --git a/instrumentation/LLVMInsTrim.so.cc b/instrumentation/LLVMInsTrim.so.cc index 61a420ba..6b3231e6 100644 --- a/instrumentation/LLVMInsTrim.so.cc +++ b/instrumentation/LLVMInsTrim.so.cc @@ -268,8 +268,8 @@ struct InsTrim : public ModulePass { for (auto &BB : F) if (BB.size() > 0) ++bb_cnt; - SAYF(cMGN "[D] " cRST "Function %s size %zu %u\n", - F.getName().str().c_str(), F.size(), bb_cnt); + DEBUGF("Function %s size %zu %u\n", F.getName().str().c_str(), F.size(), + bb_cnt); } diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index f94bb57f..e116e7d1 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -627,9 +627,8 @@ struct afl_pass : gimple_opt_pass { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded allowlist with %zu file and %zu function entries\n", - allowListFiles.size(), allowListFunctions.size()); + DEBUGF("loaded allowlist with %zu file and %zu function entries\n", + allowListFiles.size(), allowListFunctions.size()); } @@ -702,9 +701,8 @@ struct afl_pass : gimple_opt_pass { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded denylist with %zu file and %zu function entries\n", - denyListFiles.size(), denyListFunctions.size()); + DEBUGF("loaded denylist with %zu file and %zu function entries\n", + denyListFiles.size(), denyListFunctions.size()); } @@ -745,10 +743,10 @@ struct afl_pass : gimple_opt_pass { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the deny function list, " - "not instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the deny function list, not " + "instrumenting ... \n", + instFunction.c_str()); return false; } @@ -825,10 +823,10 @@ struct afl_pass : gimple_opt_pass { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allow function list, " - "instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the allow function list, instrumenting " + "... \n", + instFunction.c_str()); return true; } @@ -859,11 +857,11 @@ struct afl_pass : gimple_opt_pass { if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allowlist (%s), " - "instrumenting ... \n", - IDENTIFIER_POINTER(DECL_NAME(F->decl)), - source_file.c_str()); + DEBUGF( + "Function %s is in the allowlist (%s), instrumenting ... " + "\n", + IDENTIFIER_POINTER(DECL_NAME(F->decl)), + source_file.c_str()); return true; } diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc index 189b4ec6..21c4d204 100644 --- a/instrumentation/afl-llvm-common.cc +++ b/instrumentation/afl-llvm-common.cc @@ -173,9 +173,8 @@ void initInstrumentList() { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded allowlist with %zu file and %zu function entries\n", - allowListFiles.size(), allowListFunctions.size()); + DEBUGF("loaded allowlist with %zu file and %zu function entries\n", + allowListFiles.size(), allowListFunctions.size()); } @@ -248,9 +247,8 @@ void initInstrumentList() { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded denylist with %zu file and %zu function entries\n", - denyListFiles.size(), denyListFunctions.size()); + DEBUGF("loaded denylist with %zu file and %zu function entries\n", + denyListFiles.size(), denyListFunctions.size()); } @@ -409,10 +407,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the deny function list, " - "not instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the deny function list, not instrumenting " + "... \n", + instFunction.c_str()); return false; } @@ -489,10 +487,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allow function list, " - "instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the allow function list, instrumenting " + "... \n", + instFunction.c_str()); return true; } @@ -523,10 +521,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allowlist (%s), " - "instrumenting ... \n", - F->getName().str().c_str(), source_file.c_str()); + DEBUGF( + "Function %s is in the allowlist (%s), instrumenting ... " + "\n", + F->getName().str().c_str(), source_file.c_str()); return true; } diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index a7331444..416dbb88 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -105,15 +105,14 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { if (isInInstrumentList(&F)) { if (debug) - SAYF(cMGN "[D] " cRST "function %s is in the instrument file list\n", - F.getName().str().c_str()); + DEBUGF("function %s is in the instrument file list\n", + F.getName().str().c_str()); } else { if (debug) - SAYF(cMGN "[D] " cRST - "function %s is NOT in the instrument file list\n", - F.getName().str().c_str()); + DEBUGF("function %s is NOT in the instrument file list\n", + F.getName().str().c_str()); auto & Ctx = F.getContext(); AttributeList Attrs = F.getAttributes(); diff --git a/src/afl-cc.c b/src/afl-cc.c index 6d39b890..cc9854b6 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -354,11 +354,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-B"; cc_params[cc_par_cnt++] = obj_path; - if (clang_mode) { + if (clang_mode) { cc_params[cc_par_cnt++] = "-no-integrated-as"; } - cc_params[cc_par_cnt++] = "-no-integrated-as"; - - } } if (compiler_mode == GCC_PLUGIN) { @@ -708,7 +705,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { } if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") || - getenv("LAF_TRANSFORM_COMPARES") || getenv("AFL_LLVM_LAF_ALL") || lto_mode) { + getenv("LAF_TRANSFORM_COMPARES") || getenv("AFL_LLVM_LAF_ALL") || + lto_mode) { cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; @@ -1002,16 +1000,11 @@ int main(int argc, char **argv, char **envp) { } - if (strncmp(callname, "afl-clang", 9) == 0) { clang_mode = 1; - if (strncmp(callname, "afl-clang++", 11) == 0) { - - plusplus_mode = 1; - - } + if (strncmp(callname, "afl-clang++", 11) == 0) { plusplus_mode = 1; } } @@ -1085,8 +1078,7 @@ int main(int argc, char **argv, char **envp) { if (instrument_mode == 0) instrument_mode = INSTRUMENT_CFG; else if (instrument_mode != INSTRUMENT_CFG) - FATAL( - "you cannot set AFL_LLVM_INSTRUMENT and AFL_LLVM_INSTRIM together"); + FATAL("you cannot set AFL_LLVM_INSTRUMENT and AFL_LLVM_INSTRIM together"); } diff --git a/src/afl-ld-lto.c b/src/afl-ld-lto.c index e6ea1f1d..16feaa80 100644 --- a/src/afl-ld-lto.c +++ b/src/afl-ld-lto.c @@ -182,10 +182,12 @@ static void edit_params(int argc, char **argv) { instrim = 1; if (debug) - DEBUGF("passthrough=%s instrim=%d, gold_pos=%d, gold_present=%s inst_present=%s rt_present=%s rt_lto_present=%s\n", - passthrough ? "true" : "false", instrim, gold_pos, - gold_present ? "true" : "false", inst_present ? "true" : "false", - rt_present ? "true" : "false", rt_lto_present ? "true" : "false"); + DEBUGF( + "passthrough=%s instrim=%d, gold_pos=%d, gold_present=%s " + "inst_present=%s rt_present=%s rt_lto_present=%s\n", + passthrough ? "true" : "false", instrim, gold_pos, + gold_present ? "true" : "false", inst_present ? "true" : "false", + rt_present ? "true" : "false", rt_lto_present ? "true" : "false"); for (i = 1; i < argc; i++) { From f7d8643dc4531a9aa8849d4acf2a96b0d8ae5c3c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 30 Nov 2020 22:08:26 +0100 Subject: [PATCH 47/85] update clang-format to 11 --- .custom-format.py | 10 +++++----- instrumentation/SanitizerCoveragePCGUARD.so.cc | 10 +++++----- instrumentation/split-compares-pass.so.cc | 15 ++++++--------- qbdi_mode/template.cpp | 2 +- 4 files changed, 17 insertions(+), 20 deletions(-) diff --git a/.custom-format.py b/.custom-format.py index 60f6d9c3..fad74a69 100755 --- a/.custom-format.py +++ b/.custom-format.py @@ -29,7 +29,7 @@ CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN") if CLANG_FORMAT_BIN is None: o = 0 try: - p = subprocess.Popen(["clang-format-10", "--version"], stdout=subprocess.PIPE) + p = subprocess.Popen(["clang-format-11", "--version"], stdout=subprocess.PIPE) o, _ = p.communicate() o = str(o, "utf-8") o = re.sub(r".*ersion ", "", o) @@ -37,7 +37,7 @@ if CLANG_FORMAT_BIN is None: o = o[:o.find(".")] o = int(o) except: - print ("clang-format-10 is needed. Aborted.") + print ("clang-format-11 is needed. Aborted.") exit(1) #if o < 7: # if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0: @@ -46,13 +46,13 @@ if CLANG_FORMAT_BIN is None: # CLANG_FORMAT_BIN = 'clang-format-8' # elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0: # CLANG_FORMAT_BIN = 'clang-format-9' - # elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0: - # CLANG_FORMAT_BIN = 'clang-format-10' + # elif subprocess.call(['which', 'clang-format-11'], stdout=subprocess.PIPE) == 0: + # CLANG_FORMAT_BIN = 'clang-format-11' # else: # print ("clang-format 7 or above is needed. Aborted.") # exit(1) else: - CLANG_FORMAT_BIN = 'clang-format-10' + CLANG_FORMAT_BIN = 'clang-format-11' COLUMN_LIMIT = 80 for line in fmt.split("\n"): diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index e85f9cd3..102b44a4 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -1127,11 +1127,11 @@ void ModuleSanitizerCoverage::InjectTraceForCmp( Value * A1 = ICMP->getOperand(1); if (!A0->getType()->isIntegerTy()) continue; uint64_t TypeSize = DL->getTypeStoreSizeInBits(A0->getType()); - int CallbackIdx = - TypeSize == 8 - ? 0 - : TypeSize == 16 ? 1 - : TypeSize == 32 ? 2 : TypeSize == 64 ? 3 : -1; + int CallbackIdx = TypeSize == 8 ? 0 + : TypeSize == 16 ? 1 + : TypeSize == 32 ? 2 + : TypeSize == 64 ? 3 + : -1; if (CallbackIdx < 0) continue; // __sanitizer_cov_trace_cmp((type_size << 32) | predicate, A0, A1); auto CallbackFunc = SanCovTraceCmpFunction[CallbackIdx]; diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index 3f05dd97..33a87719 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -601,15 +601,12 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { if (op_size != op1->getType()->getPrimitiveSizeInBits()) { continue; } const unsigned int sizeInBits = op0->getType()->getPrimitiveSizeInBits(); - const unsigned int precision = - sizeInBits == 32 - ? 24 - : sizeInBits == 64 - ? 53 - : sizeInBits == 128 ? 113 - : sizeInBits == 16 ? 11 - /* sizeInBits == 80 */ - : 65; + const unsigned int precision = sizeInBits == 32 ? 24 + : sizeInBits == 64 ? 53 + : sizeInBits == 128 ? 113 + : sizeInBits == 16 ? 11 + /* sizeInBits == 80 */ + : 65; const unsigned shiftR_exponent = precision - 1; const unsigned long long mask_fraction = diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index 55c5a3f3..b2066cc8 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -44,7 +44,7 @@ target_func p_target_func = NULL; rword module_base = 0; rword module_end = 0; static unsigned char - dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ + dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ unsigned long afl_prev_loc = 0; From 8584f9d2b5de9687c518c672e471f4f8cd9166fa Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 1 Dec 2020 13:13:11 +0100 Subject: [PATCH 48/85] added AFL_NO_AUTODICT --- docs/Changelog.md | 1 + docs/env_variables.md | 3 + include/envs.h | 1 + instrumentation/README.lto.md | 33 ++++--- src/afl-forkserver.c | 159 ++++++++++++++++++---------------- src/afl-fuzz.c | 1 + 6 files changed, 112 insertions(+), 86 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 3c20f8bd..7fa7ff53 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -34,6 +34,7 @@ sending a mail to . - crashing seeds are now not prohibiting a run anymore but are skipped. They are used for splicing though. - update MOpt for expanded havoc modes + - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary - added NO_SPLICING compile option and makefile define - added INTROSPECTION make target that writes all mutations to out/NAME/introspection.txt diff --git a/docs/env_variables.md b/docs/env_variables.md index 04ba032a..f7b4c994 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -294,6 +294,9 @@ checks or alter some of the more exotic semantics of the tool: on Linux systems. This slows things down, but lets you run more instances of afl-fuzz than would be prudent (if you really want to). + - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary + that is compiled into the target. + - `AFL_SKIP_CRASHES` causes AFL++ to tolerate crashing files in the input queue. This can help with rare situations where a program crashes only intermittently, but it's not really recommended under normal operating diff --git a/include/envs.h b/include/envs.h index 8255cf4f..3aa05cb5 100644 --- a/include/envs.h +++ b/include/envs.h @@ -100,6 +100,7 @@ static char *afl_environment_variables[] = { "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", + "AFL_NO_AUTODICT", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index abdbd2ac..62e98902 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -60,7 +60,12 @@ AUTODICTIONARY: 11 strings found ## Getting llvm 11+ -### Installing llvm from the llvm repository (version 11) +### Installing llvm version 11 + +llvm 11 should be available in all current Linux repository. +If you use an outdated Linux distribution read the next section. + +### Installing llvm from the llvm repository (version 12) Installing the llvm snapshot builds is easy and mostly painless: @@ -73,11 +78,11 @@ then add the pgp key of llvm and install the packages: ``` wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - apt-get update && apt-get upgrade -y -apt-get install -y clang-11 clang-tools-11 libc++1-11 libc++-11-dev \ - libc++abi1-11 libc++abi-11-dev libclang1-11 libclang-11-dev \ - libclang-common-11-dev libclang-cpp11 libclang-cpp11-dev liblld-11 \ - liblld-11-dev liblldb-11 liblldb-11-dev libllvm11 libomp-11-dev \ - libomp5-11 lld-11 lldb-11 llvm-11 llvm-11-dev llvm-11-runtime llvm-11-tools +apt-get install -y clang-12 clang-tools-12 libc++1-12 libc++-12-dev \ + libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \ + libclang-common-12-dev libclang-cpp11 libclang-cpp11-dev liblld-12 \ + liblld-12-dev liblldb-12 liblldb-12-dev libllvm11 libomp-12-dev \ + libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools ``` ### Building llvm yourself (version 12) @@ -120,16 +125,22 @@ While compiling, a dictionary based on string comparisons is automatically generated and put into the target binary. This dictionary is transfered to afl-fuzz on start. This improves coverage statistically by 5-10% :) +Note that if for any reason you do not want to use the autodictionary feature +then just set the environment variable `AFL_NO_AUTODICT` when starting afl-fuzz. + ## Fixed memory map -To speed up fuzzing, it is possible to set a fixed shared memory map. +To speed up fuzzing a little bit more, it is possible to set a fixed shared +memory map. Recommended is the value 0x10000. + In most cases this will work without any problems. However if a target uses early constructors, ifuncs or a deferred forkserver this can crash the target. -On unusual operating systems/processors/kernels or weird libraries this might -fail so to change the fixed address at compile time set -AFL_LLVM_MAP_ADDR with a better value (a value of 0 or empty sets the map address -to be dynamic - the original afl way, which is slower). + +Also on unusual operating systems/processors/kernels or weird libraries the +recommended 0x10000 address might not work, so then change the fixed address. + +To enable this feature set AFL_LLVM_MAP_ADDR with the address. ## Document edge IDs diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 3814a77e..01ef1d9e 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -348,9 +348,10 @@ static void report_error_and_exit(int error) { void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output) { - int st_pipe[2], ctl_pipe[2]; - s32 status; - s32 rlen; + int st_pipe[2], ctl_pipe[2]; + s32 status; + s32 rlen; + char *ignore_autodict = getenv("AFL_NO_AUTODICT"); if (!be_quiet) { ACTF("Spinning up the fork server..."); } @@ -607,7 +608,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->use_shmem_fuzz = 1; if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); } - if ((status & FS_OPT_AUTODICT) == 0) { + if ((status & FS_OPT_AUTODICT) == 0 || ignore_autodict) { u32 send_status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); if (write(fsrv->fsrv_ctl_fd, &send_status, 4) != 4) { @@ -660,16 +661,44 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) { - if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) { + if (ignore_autodict) { + + if (!be_quiet) { WARNF("Ignoring offered AUTODICT feature."); } + + } else { + + if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) { + + // this is not afl-fuzz - or it is cmplog - we deny and return + if (fsrv->use_shmem_fuzz) { + + status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); + + } else { + + status = (FS_OPT_ENABLED); + + } + + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { + + FATAL("Writing to forkserver failed."); + + } + + return; + + } + + if (!be_quiet) { ACTF("Using AUTODICT feature."); } - // this is not afl-fuzz - or it is cmplog - we deny and return if (fsrv->use_shmem_fuzz) { - status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); } else { - status = (FS_OPT_ENABLED); + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); } @@ -679,82 +708,62 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - return; + if (read(fsrv->fsrv_st_fd, &status, 4) != 4) { - } - - if (!be_quiet) { ACTF("Using AUTODICT feature."); } - - if (fsrv->use_shmem_fuzz) { - - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); - - } else { - - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); - - } - - if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { - - FATAL("Writing to forkserver failed."); - - } - - if (read(fsrv->fsrv_st_fd, &status, 4) != 4) { - - FATAL("Reading from forkserver failed."); - - } - - if (status < 2 || (u32)status > 0xffffff) { - - FATAL("Dictionary has an illegal size: %d", status); - - } - - u32 offset = 0, count = 0; - u32 len = status; - u8 *dict = ck_alloc(len); - if (dict == NULL) { - - FATAL("Could not allocate %u bytes of autodictionary memory", len); - - } - - while (len != 0) { - - rlen = read(fsrv->fsrv_st_fd, dict + offset, len); - if (rlen > 0) { - - len -= rlen; - offset += rlen; - - } else { - - FATAL( - "Reading autodictionary fail at position %u with %u bytes " - "left.", - offset, len); + FATAL("Reading from forkserver failed."); } - } + if (status < 2 || (u32)status > 0xffffff) { - offset = 0; - while (offset < (u32)status && - (u8)dict[offset] + offset < (u32)status) { + FATAL("Dictionary has an illegal size: %d", status); - fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, - (u8)dict[offset]); - offset += (1 + dict[offset]); - count++; + } + + u32 offset = 0, count = 0; + u32 len = status; + u8 *dict = ck_alloc(len); + if (dict == NULL) { + + FATAL("Could not allocate %u bytes of autodictionary memory", len); + + } + + while (len != 0) { + + rlen = read(fsrv->fsrv_st_fd, dict + offset, len); + if (rlen > 0) { + + len -= rlen; + offset += rlen; + + } else { + + FATAL( + "Reading autodictionary fail at position %u with %u bytes " + "left.", + offset, len); + + } + + } + + offset = 0; + while (offset < (u32)status && + (u8)dict[offset] + offset < (u32)status) { + + fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, + (u8)dict[offset]); + offset += (1 + dict[offset]); + count++; + + } + + if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); } + ck_free(dict); } - if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); } - ck_free(dict); - } } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b60908da..b91d862d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -187,6 +187,7 @@ static void usage(u8 *argv0, int more_help) { " used. Defaults to 200.\n" "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n" "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n" + "AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target\n" "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n" "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" From c05e4efbe9b4e7d1ff078b7a392621f2ca7572e6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 1 Dec 2020 14:40:30 +0100 Subject: [PATCH 49/85] renamed examples/ to utils/ --- GNUmakefile | 36 +++++++++--------- README.md | 7 ++-- docs/Changelog.md | 1 + docs/FAQ.md | 2 +- docs/binaryonly_fuzzing.md | 6 +-- docs/custom_mutators.md | 4 +- docs/env_variables.md | 2 +- docs/life_pro_tips.md | 4 +- docs/notes_for_asan.md | 4 +- docs/parallel_fuzzing.md | 2 +- examples/afl_untracer/libtestinstr.so | Bin 17152 -> 0 bytes instrumentation/README.gcc_plugin.md | 2 +- instrumentation/README.persistent_mode.md | 4 +- qemu_mode/README.md | 2 +- qemu_mode/README.persistent.md | 2 +- src/afl-as.c | 2 +- test/test-custom-mutators.sh | 8 ++-- test/test-gcc-plugin.sh | 2 +- test/test-llvm-lto.sh | 2 +- test/test-llvm.sh | 2 +- {examples => utils}/README.md | 2 +- {examples => utils}/afl_frida/GNUmakefile | 0 {examples => utils}/afl_frida/Makefile | 0 {examples => utils}/afl_frida/README.md | 0 {examples => utils}/afl_frida/afl-frida.c | 0 {examples => utils}/afl_frida/afl-frida.h | 0 {examples => utils}/afl_frida/libtestinstr.c | 0 .../afl_network_proxy/GNUmakefile | 0 .../afl_network_proxy/Makefile | 0 .../afl_network_proxy/README.md | 0 .../afl_network_proxy/afl-network-client.c | 0 .../afl_network_proxy/afl-network-server.c | 0 {examples => utils}/afl_proxy/Makefile | 0 {examples => utils}/afl_proxy/README.md | 0 {examples => utils}/afl_proxy/afl-proxy.c | 0 {examples => utils}/afl_untracer/Makefile | 0 {examples => utils}/afl_untracer/README.md | 0 {examples => utils}/afl_untracer/TODO | 0 .../afl_untracer/afl-untracer.c | 0 .../afl_untracer/ghidra_get_patchpoints.java | 2 +- .../afl_untracer/ida_get_patchpoints.py | 0 .../afl_untracer/libtestinstr.c | 0 {examples => utils}/afl_untracer/patches.txt | 0 {examples => utils}/aflpp_driver/GNUmakefile | 0 {examples => utils}/aflpp_driver/Makefile | 0 .../aflpp_driver/aflpp_driver.c | 0 .../aflpp_driver/aflpp_driver_test.c | 0 .../aflpp_driver/aflpp_qemu_driver.c | 0 .../aflpp_driver/aflpp_qemu_driver_hook.c | 0 .../analysis_scripts/queue2csv.sh | 0 {examples => utils}/argv_fuzzing/Makefile | 0 {examples => utils}/argv_fuzzing/README.md | 0 .../argv_fuzzing/argv-fuzz-inl.h | 0 {examples => utils}/argv_fuzzing/argvfuzz.c | 0 .../asan_cgroups/limit_memory.sh | 0 .../bash_shellshock/shellshock-fuzz.diff | 0 .../canvas_harness/canvas_harness.html | 0 {examples => utils}/clang_asm_normalize/as | 0 .../crash_triage/triage_crashes.sh | 0 {examples => utils}/custom_mutators/Makefile | 0 {examples => utils}/custom_mutators/README.md | 0 .../custom_mutators/XmlMutatorMin.py | 0 {examples => utils}/custom_mutators/common.py | 0 .../custom_mutators/custom_mutator_helpers.h | 0 {examples => utils}/custom_mutators/example.c | 0 .../custom_mutators/example.py | 0 .../custom_mutators/post_library_gif.so.c | 0 .../custom_mutators/post_library_png.so.c | 0 .../custom_mutators/simple-chunk-replace.py | 0 .../custom_mutators/simple_example.c | 0 .../custom_mutators/wrapper_afl_min.py | 0 {examples => utils}/defork/Makefile | 0 {examples => utils}/defork/README.md | 0 {examples => utils}/defork/defork.c | 0 {examples => utils}/defork/forking_target.c | 0 .../distributed_fuzzing/sync_script.sh | 0 .../libpng_no_checksum/libpng-nocrc.patch | 0 {examples => utils}/persistent_mode/Makefile | 0 .../persistent_mode/persistent_demo.c | 0 .../persistent_mode/persistent_demo_new.c | 0 .../persistent_mode/test-instr.c | 0 .../qemu_persistent_hook/Makefile | 0 .../qemu_persistent_hook/README.md | 0 .../qemu_persistent_hook/read_into_rdi.c | 0 .../qemu_persistent_hook/test.c | 0 {examples => utils}/socket_fuzzing/Makefile | 0 {examples => utils}/socket_fuzzing/README.md | 0 .../socket_fuzzing/socketfuzz.c | 0 88 files changed, 50 insertions(+), 48 deletions(-) delete mode 100755 examples/afl_untracer/libtestinstr.so rename {examples => utils}/README.md (97%) rename {examples => utils}/afl_frida/GNUmakefile (100%) rename {examples => utils}/afl_frida/Makefile (100%) rename {examples => utils}/afl_frida/README.md (100%) rename {examples => utils}/afl_frida/afl-frida.c (100%) rename {examples => utils}/afl_frida/afl-frida.h (100%) rename {examples => utils}/afl_frida/libtestinstr.c (100%) rename {examples => utils}/afl_network_proxy/GNUmakefile (100%) rename {examples => utils}/afl_network_proxy/Makefile (100%) rename {examples => utils}/afl_network_proxy/README.md (100%) rename {examples => utils}/afl_network_proxy/afl-network-client.c (100%) rename {examples => utils}/afl_network_proxy/afl-network-server.c (100%) rename {examples => utils}/afl_proxy/Makefile (100%) rename {examples => utils}/afl_proxy/README.md (100%) rename {examples => utils}/afl_proxy/afl-proxy.c (100%) rename {examples => utils}/afl_untracer/Makefile (100%) rename {examples => utils}/afl_untracer/README.md (100%) rename {examples => utils}/afl_untracer/TODO (100%) rename {examples => utils}/afl_untracer/afl-untracer.c (100%) rename {examples => utils}/afl_untracer/ghidra_get_patchpoints.java (97%) rename {examples => utils}/afl_untracer/ida_get_patchpoints.py (100%) rename {examples => utils}/afl_untracer/libtestinstr.c (100%) rename {examples => utils}/afl_untracer/patches.txt (100%) rename {examples => utils}/aflpp_driver/GNUmakefile (100%) rename {examples => utils}/aflpp_driver/Makefile (100%) rename {examples => utils}/aflpp_driver/aflpp_driver.c (100%) rename {examples => utils}/aflpp_driver/aflpp_driver_test.c (100%) rename {examples => utils}/aflpp_driver/aflpp_qemu_driver.c (100%) rename {examples => utils}/aflpp_driver/aflpp_qemu_driver_hook.c (100%) rename {examples => utils}/analysis_scripts/queue2csv.sh (100%) rename {examples => utils}/argv_fuzzing/Makefile (100%) rename {examples => utils}/argv_fuzzing/README.md (100%) rename {examples => utils}/argv_fuzzing/argv-fuzz-inl.h (100%) rename {examples => utils}/argv_fuzzing/argvfuzz.c (100%) rename {examples => utils}/asan_cgroups/limit_memory.sh (100%) rename {examples => utils}/bash_shellshock/shellshock-fuzz.diff (100%) rename {examples => utils}/canvas_harness/canvas_harness.html (100%) rename {examples => utils}/clang_asm_normalize/as (100%) rename {examples => utils}/crash_triage/triage_crashes.sh (100%) rename {examples => utils}/custom_mutators/Makefile (100%) rename {examples => utils}/custom_mutators/README.md (100%) rename {examples => utils}/custom_mutators/XmlMutatorMin.py (100%) rename {examples => utils}/custom_mutators/common.py (100%) rename {examples => utils}/custom_mutators/custom_mutator_helpers.h (100%) rename {examples => utils}/custom_mutators/example.c (100%) rename {examples => utils}/custom_mutators/example.py (100%) rename {examples => utils}/custom_mutators/post_library_gif.so.c (100%) rename {examples => utils}/custom_mutators/post_library_png.so.c (100%) rename {examples => utils}/custom_mutators/simple-chunk-replace.py (100%) rename {examples => utils}/custom_mutators/simple_example.c (100%) rename {examples => utils}/custom_mutators/wrapper_afl_min.py (100%) rename {examples => utils}/defork/Makefile (100%) rename {examples => utils}/defork/README.md (100%) rename {examples => utils}/defork/defork.c (100%) rename {examples => utils}/defork/forking_target.c (100%) rename {examples => utils}/distributed_fuzzing/sync_script.sh (100%) rename {examples => utils}/libpng_no_checksum/libpng-nocrc.patch (100%) rename {examples => utils}/persistent_mode/Makefile (100%) rename {examples => utils}/persistent_mode/persistent_demo.c (100%) rename {examples => utils}/persistent_mode/persistent_demo_new.c (100%) rename {examples => utils}/persistent_mode/test-instr.c (100%) rename {examples => utils}/qemu_persistent_hook/Makefile (100%) rename {examples => utils}/qemu_persistent_hook/README.md (100%) rename {examples => utils}/qemu_persistent_hook/read_into_rdi.c (100%) rename {examples => utils}/qemu_persistent_hook/test.c (100%) rename {examples => utils}/socket_fuzzing/Makefile (100%) rename {examples => utils}/socket_fuzzing/README.md (100%) rename {examples => utils}/socket_fuzzing/socketfuzz.c (100%) diff --git a/GNUmakefile b/GNUmakefile index 521ab683..309a7d4c 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -500,8 +500,8 @@ code-format: ./.custom-format.py -i instrumentation/*.c @#./.custom-format.py -i custom_mutators/*/*.c* # destroys libfuzzer :-( @#./.custom-format.py -i custom_mutators/*/*.h # destroys honggfuzz :-( - ./.custom-format.py -i examples/*/*.c* - ./.custom-format.py -i examples/*/*.h + ./.custom-format.py -i utils/*/*.c* + ./.custom-format.py -i utils/*/*.h ./.custom-format.py -i test/*.c ./.custom-format.py -i qemu_mode/libcompcov/*.c ./.custom-format.py -i qemu_mode/libcompcov/*.cc @@ -547,9 +547,9 @@ clean: -$(MAKE) -f GNUmakefile.gcc_plugin clean $(MAKE) -C libdislocator clean $(MAKE) -C libtokencap clean - $(MAKE) -C examples/afl_network_proxy clean - $(MAKE) -C examples/socket_fuzzing clean - $(MAKE) -C examples/argv_fuzzing clean + $(MAKE) -C utils/afl_network_proxy clean + $(MAKE) -C utils/socket_fuzzing clean + $(MAKE) -C utils/argv_fuzzing clean $(MAKE) -C qemu_mode/unsigaction clean $(MAKE) -C qemu_mode/libcompcov clean ifeq "$(IN_REPO)" "1" @@ -572,10 +572,10 @@ distrib: all -$(MAKE) -f GNUmakefile.gcc_plugin $(MAKE) -C libdislocator $(MAKE) -C libtokencap - $(MAKE) -C examples/aflpp_driver - $(MAKE) -C examples/afl_network_proxy - $(MAKE) -C examples/socket_fuzzing - $(MAKE) -C examples/argv_fuzzing + $(MAKE) -C utils/aflpp_driver + $(MAKE) -C utils/afl_network_proxy + $(MAKE) -C utils/socket_fuzzing + $(MAKE) -C utils/argv_fuzzing -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -583,9 +583,9 @@ distrib: all binary-only: all $(MAKE) -C libdislocator $(MAKE) -C libtokencap - $(MAKE) -C examples/afl_network_proxy - $(MAKE) -C examples/socket_fuzzing - $(MAKE) -C examples/argv_fuzzing + $(MAKE) -C utils/afl_network_proxy + $(MAKE) -C utils/socket_fuzzing + $(MAKE) -C utils/argv_fuzzing -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -595,7 +595,7 @@ source-only: all -$(MAKE) -f GNUmakefile.gcc_plugin $(MAKE) -C libdislocator $(MAKE) -C libtokencap - $(MAKE) -C examples/aflpp_driver + $(MAKE) -C utils/aflpp_driver %.8: % @echo .TH $* 8 $(BUILD_DATE) "afl++" > $@ @@ -628,11 +628,11 @@ install: all $(MANPAGES) @if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi @if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi @if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi - @if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C examples/socket_fuzzing install; fi - @if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C examples/argv_fuzzing install; fi - @if [ -f examples/afl_network_proxy/afl-network-server ]; then $(MAKE) -C examples/afl_network_proxy install; fi - @if [ -f examples/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 examples/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi - @if [ -f examples/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 examples/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi + @if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi + @if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi + @if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi + @if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi + @if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi -$(MAKE) -f GNUmakefile.llvm install -$(MAKE) -f GNUmakefile.gcc_plugin install ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc diff --git a/README.md b/README.md index d7cad092..b00e5d00 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ behaviours and defaults: * a caching of testcases can now be performed and can be modified by editing config.h for TESTCASE_CACHE or by specifying the env variable `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 (default: 50). + * utils/ got renamed to utils/ ## Contents @@ -760,10 +761,10 @@ cd unicorn_mode If the goal is to fuzz a dynamic library then there are two options available. For both you need to write a small hardness that loads and calls the library. -Faster is the frida solution: [examples/afl_frida/README.md](examples/afl_frida/README.md) +Faster is the frida solution: [utils/afl_frida/README.md](utils/afl_frida/README.md) Another, less precise and slower option is using ptrace with debugger interrupt -instrumentation: [examples/afl_untracer/README.md](examples/afl_untracer/README.md) +instrumentation: [utils/afl_untracer/README.md](utils/afl_untracer/README.md) ### More @@ -1037,7 +1038,7 @@ Here are some of the most important caveats for AFL: wholly wrap the actual data format to be tested. To work around this, you can comment out the relevant checks (see - examples/libpng_no_checksum/ for inspiration); if this is not possible, + utils/libpng_no_checksum/ for inspiration); if this is not possible, you can also write a postprocessor, one of the hooks of custom mutators. See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use `AFL_CUSTOM_MUTATOR_LIBRARY` diff --git a/docs/Changelog.md b/docs/Changelog.md index 7fa7ff53..fd30c7b0 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -11,6 +11,7 @@ sending a mail to . ### Version ++3.00a (develop) - llvm_mode/ and gcc_plugin/ moved to instrumentation/ + - examples/ renamed to utils/ - all compilers combined to afl-cc which emulates the previous ones - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o - afl-fuzz diff --git a/docs/FAQ.md b/docs/FAQ.md index 064638f4..714d50eb 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -63,7 +63,7 @@ x10 - that is a x100 difference!). If modifying the source is not an option (e.g. because you only have a binary and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD to emulate the network. This is also much faster than the real network would be. -See [examples/socket_fuzzing/](../examples/socket_fuzzing/). +See [utils/socket_fuzzing/](../utils/socket_fuzzing/). There is an outdated afl++ branch that implements networking if you are desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) - diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index cb1288ef..66734452 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md @@ -15,7 +15,7 @@ high enough. Otherwise try retrowrite, afl-dyninst and if these fail too then try standard qemu_mode with AFL_ENTRYPOINT to where you need it. - If your target is a library use examples/afl_frida/. + If your target is a library use utils/afl_frida/. If your target is non-linux then use unicorn_mode/. @@ -65,14 +65,14 @@ ## AFL FRIDA If you want to fuzz a binary-only shared library then you can fuzz it with - frida-gum via examples/afl_frida/, you will have to write a harness to + frida-gum via utils/afl_frida/, you will have to write a harness to call the target function in the library, use afl-frida.c as a template. ## AFL UNTRACER If you want to fuzz a binary-only shared library then you can fuzz it with - examples/afl_untracer/, use afl-untracer.c as a template. + utils/afl_untracer/, use afl-untracer.c as a template. It is slower than AFL FRIDA (see above). diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 53f783fe..6e16ba0f 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -268,8 +268,8 @@ afl-fuzz /path/to/program ## 4) Example -Please see [example.c](../examples/custom_mutators/example.c) and -[example.py](../examples/custom_mutators/example.py) +Please see [example.c](../utils/custom_mutators/example.c) and +[example.py](../utils/custom_mutators/example.py) ## 5) Other Resources diff --git a/docs/env_variables.md b/docs/env_variables.md index f7b4c994..ada89257 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -55,7 +55,7 @@ make fairly broad use of environmental variables instead: in your `$PATH`. - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as. - One possible use of this is examples/clang_asm_normalize/, which lets + One possible use of this is utils/clang_asm_normalize/, which lets you instrument hand-written assembly when compiling clang code by plugging a normalizer into the chain. (There is no equivalent feature for GCC.) diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md index 323f16f1..77845c63 100644 --- a/docs/life_pro_tips.md +++ b/docs/life_pro_tips.md @@ -78,10 +78,10 @@ Be sure to check out docs/sister_projects.md before writing your own. ## Need to fuzz the command-line arguments of a particular program? -You can find a simple solution in examples/argv_fuzzing. +You can find a simple solution in utils/argv_fuzzing. ## Attacking a format that uses checksums? Remove the checksum-checking code or use a postprocessor! -See examples/custom_mutators/ for more. +See utils/custom_mutators/ for more. diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index 2e18c15f..f08ae3fb 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -20,7 +20,7 @@ Because of this, fuzzing with ASAN is recommended only in four scenarios: - Precisely gauge memory needs using http://jwilk.net/software/recidivm . - Limit the memory available to process using cgroups on Linux (see - examples/asan_cgroups). + utils/asan_cgroups). To compile with ASAN, set AFL_USE_ASAN=1 before calling 'make clean all'. The afl-gcc / afl-clang wrappers will pick that up and add the appropriate flags. @@ -74,7 +74,7 @@ There are also cgroups, but they are Linux-specific, not universally available even on Linux systems, and they require root permissions to set up; I'm a bit hesitant to make afl-fuzz require root permissions just for that. That said, if you are on Linux and want to use cgroups, check out the contributed script -that ships in examples/asan_cgroups/. +that ships in utils/asan_cgroups/. In settings where cgroups aren't available, we have no nice, portable way to avoid counting the ASAN allocation toward the limit. On 32-bit systems, or for diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index bf57ace8..8f2afe1b 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -152,7 +152,7 @@ write a simple script that performs two actions: done ``` -There is an example of such a script in examples/distributed_fuzzing/. +There is an example of such a script in utils/distributed_fuzzing/. There are other (older) more featured, experimental tools: * https://github.com/richo/roving diff --git a/examples/afl_untracer/libtestinstr.so b/examples/afl_untracer/libtestinstr.so deleted file mode 100755 index 389a946c882529d4ea3d7bd082ed637b27ce10ae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 17152 zcmeHOZ)_Y#6`#HJ*_WJSJO7H4v}6+5B}Mpbhvt7BpY7N=gOixx2o<$#*LUl?YwmW< z?w(_Zwpc{8L{Xw31ga=skoZ9PSVUFv1y>DGp#r5+DV0zqQ(8z#p{W!qBT$a_cIKUT z*XOnpf4;C|-M)FhdA~QaZ|7!qd^2Ai9vg`%3Zta5!wj|YHi4vN!NNhA0g-0=*&4X+ zVBE89ST0(Tdr}sXWYRCz5l3sOhvl4X5=kmY*mKE|42gT!n*66!N&0z>P}Y_b25pCf zvOOkrE+z3$MIM(tE_oyuWIIVFgd4Ao*v|dZUs!fXJCfc#0XF`Yo5TDATo{BU*^?yR z=YWUp{HTe-ep1%AT3l|*`y(k;@BTJHWh#7*9zVs>FCD$}l|RiqdEwIUZoJWb;GG-k zi6^iv6hGw2_Cb?57J2$luI_xwQ&zcPJ9(Wl4X_P$aIA;d!9TSMJ_7j8I`*dk+rXMx ze7z_vkd3D0%a*A*u5P=U#<}BYDT%5dHJ@x2^I>LvO1SD^3| za3BzEne&e>ov++F_vkJ5*!YFvTbb;&%!T2ljB@QN_=Q~Sv+TZ}N((glN(*>@_ja{< zV;2?lE*HFt1+8HA8#H?nHRbXzFsfd>0}%!=N>K!&2t*NxA`nF&ia->BC<0Lgq6kD0 zh$0Y0;J+M!G0Qsb@KW)#!F7Jtur2Odylm`XWzQ(Tk?*87bS;LmaGC_*{9nTD=eCn;`Lb%cpNvtB-)h-;gmW zXHPO^woTdA+?2QsKQwj#b|-x1!JdO;Eo~z$?Vo8)o=MEJ{;h{T`RR_G2qPc<9l&P6 zj()pD9Jvp`rxWV&{#!B7()M_4XkBA03pJocl%fbk5r`rXMIeem6oDuLQ3Rq0L=lK0 z@P8fwxlfe#h0>l+T(eP_`@-FuJBG2C4(A}ivvV%K!Y{j;Ep04J0)kZ=AXT)N>?j~Gid z-33LlhNhh;ltd9ltm#*t)_B^};)@{EhB*B1fyEMW>^2PvuSjXM(IVmXB=Ch#Dh@x( zGi7sQxH{!~jgyrrD7nKx&NmBKH)CT<}*1?j= z!vH}8WEP^(&;HLj>h9)sQE3hYtObMJ!js<~y$c*S&zdDF;oH0YkT^W6g@W7DOIgP-o4 zG1G0#>gDN@;dJX$C9Pt*ww^WYa4TzWvIX77g93c0cc1JvysPY1OrtMvn1)@f$uI2RSOE*)ELJEEmRU zHVor53x;tV_ks!Mkp}i&HHeCNIR>*co!g>v9Ow|A4?XuC5?=`6`v6ybalra84Z%l& z6EWfE@-X1&pU#({Ev6axC;*0^@3#T3*Z$S+>j$2nHnzke6H4{`JOehdI{o%Jz!kRg zx&Pe5SN5x4dv&es&%c*`!u{kg9=@`_sc>U4I4uWXfk0XVI1eB~=>)vqxu$)q*pGPj zE6*v7uVVi&;5d!0NLkx;+{)AxOfAdDnKZYoW${3h!!#{tY59^hsh6~zYuS#bS7uq( z!a2Y-a;cvB7I?_1sOh$?&uIos5_4?I*2{*LtCY)gK=ElBSh@kz(3GcXBPR!r4Qs>4 zkKoBG^o*4{mR8Ws93Hqja{uvxW1~ZW!c?OTXCxtW)<;;~~S_A3YLKY}zTCS1G zo0ZgLrC7>!6?4qf3c6EZsob0iOd;VInO8Dn*iO+h1BwP^wo%fNAam0tm!-U0PeC@7 zw?K7`S-5%uPT5vYcXgIB3i4qUa^QqCK^0F;Fenc-=;dM-s<&M942|>rOgaurLBA>rb>_2-(?*k+|LNzpm^c3jt z!#jLT;t$CTN#fJ{J*^+e&3?$>nuYkZt|3Y546GNvy0vu@%}8m$&^PhvJ%l8!i@?N7 z=)<2fpx_#X`1HO)66X(0)PAxfc?!yK%|kl9*O25$h7@kUK*bv`mJy%ce@N2(Q~eY_ zx_?vp9+VE}(HSI?WQTkhoma$f7BGwntt)Hev>dPD{XUSS`x@pz&d=wPSCchMk)dgT z}cU7-g~^^(7fAwIqDk)-u4*@y4{Tar)Dk8x=!<^576 zLG32}Dac?GiND%;XR;61|8$5y&xIw)M~En8xc(mlj(wc^7rn30dFZe`=_G#!+*Ti- z-jCXGV1Pt+LR;1ee+de(?@|5qeoN=g7ce-G=)Q?Z&+%(eh9<vRzv`$^ktMGez1@TKC!r!_I|B~bv zK7@a_ /dev/null 2>&1 - cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../utils/custom_mutators/simple_example.c -o libexamplemutator.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../utils/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 test -e test-custom-mutator -a -e ./libexamplemutator.so && { # Create input directory mkdir -p in @@ -109,7 +109,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { #test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } - make -C ../examples/custom_mutators clean > /dev/null 2>&1 + make -C ../utils/custom_mutators clean > /dev/null 2>&1 rm -f test-custom-mutator rm -f test-custom-mutators } || { diff --git a/test/test-gcc-plugin.sh b/test/test-gcc-plugin.sh index af8674c9..71d86364 100755 --- a/test/test-gcc-plugin.sh +++ b/test/test-gcc-plugin.sh @@ -94,7 +94,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt - ../afl-gcc-fast -o test-persistent ../examples/persistent_mode/persistent_demo.c > /dev/null 2>&1 + ../afl-gcc-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" diff --git a/test/test-llvm-lto.sh b/test/test-llvm-lto.sh index bdb08559..e10f4cf7 100755 --- a/test/test-llvm-lto.sh +++ b/test/test-llvm-lto.sh @@ -57,7 +57,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt - ../afl-clang-lto -o test-persistent ../examples/persistent_mode/persistent_mode.c > /dev/null 2>&1 + ../afl-clang-lto -o test-persistent ../utils/persistent_mode/persistent_mode.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m none -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode LTO persistent mode feature works correctly" diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 14778e1c..4fcaf367 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -209,7 +209,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { INCOMPLETE=1 } rm -rf errors test-cmplog in core.* - ../afl-clang-fast -o test-persistent ../examples/persistent_mode/persistent_demo.c > /dev/null 2>&1 + ../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly" diff --git a/examples/README.md b/utils/README.md similarity index 97% rename from examples/README.md rename to utils/README.md index 7dd70d6a..336b6b6c 100644 --- a/examples/README.md +++ b/utils/README.md @@ -45,7 +45,7 @@ Here's a quick overview of the stuff you can find in this directory: - socket_fuzzing - a LD_PRELOAD library 'redirects' a socket to stdin for fuzzing access with afl++ -Note that the minimize_corpus.sh tool has graduated from the examples/ +Note that the minimize_corpus.sh tool has graduated from the utils/ directory and is now available as ../afl-cmin. The LLVM mode has likewise graduated to ../instrumentation/*. diff --git a/examples/afl_frida/GNUmakefile b/utils/afl_frida/GNUmakefile similarity index 100% rename from examples/afl_frida/GNUmakefile rename to utils/afl_frida/GNUmakefile diff --git a/examples/afl_frida/Makefile b/utils/afl_frida/Makefile similarity index 100% rename from examples/afl_frida/Makefile rename to utils/afl_frida/Makefile diff --git a/examples/afl_frida/README.md b/utils/afl_frida/README.md similarity index 100% rename from examples/afl_frida/README.md rename to utils/afl_frida/README.md diff --git a/examples/afl_frida/afl-frida.c b/utils/afl_frida/afl-frida.c similarity index 100% rename from examples/afl_frida/afl-frida.c rename to utils/afl_frida/afl-frida.c diff --git a/examples/afl_frida/afl-frida.h b/utils/afl_frida/afl-frida.h similarity index 100% rename from examples/afl_frida/afl-frida.h rename to utils/afl_frida/afl-frida.h diff --git a/examples/afl_frida/libtestinstr.c b/utils/afl_frida/libtestinstr.c similarity index 100% rename from examples/afl_frida/libtestinstr.c rename to utils/afl_frida/libtestinstr.c diff --git a/examples/afl_network_proxy/GNUmakefile b/utils/afl_network_proxy/GNUmakefile similarity index 100% rename from examples/afl_network_proxy/GNUmakefile rename to utils/afl_network_proxy/GNUmakefile diff --git a/examples/afl_network_proxy/Makefile b/utils/afl_network_proxy/Makefile similarity index 100% rename from examples/afl_network_proxy/Makefile rename to utils/afl_network_proxy/Makefile diff --git a/examples/afl_network_proxy/README.md b/utils/afl_network_proxy/README.md similarity index 100% rename from examples/afl_network_proxy/README.md rename to utils/afl_network_proxy/README.md diff --git a/examples/afl_network_proxy/afl-network-client.c b/utils/afl_network_proxy/afl-network-client.c similarity index 100% rename from examples/afl_network_proxy/afl-network-client.c rename to utils/afl_network_proxy/afl-network-client.c diff --git a/examples/afl_network_proxy/afl-network-server.c b/utils/afl_network_proxy/afl-network-server.c similarity index 100% rename from examples/afl_network_proxy/afl-network-server.c rename to utils/afl_network_proxy/afl-network-server.c diff --git a/examples/afl_proxy/Makefile b/utils/afl_proxy/Makefile similarity index 100% rename from examples/afl_proxy/Makefile rename to utils/afl_proxy/Makefile diff --git a/examples/afl_proxy/README.md b/utils/afl_proxy/README.md similarity index 100% rename from examples/afl_proxy/README.md rename to utils/afl_proxy/README.md diff --git a/examples/afl_proxy/afl-proxy.c b/utils/afl_proxy/afl-proxy.c similarity index 100% rename from examples/afl_proxy/afl-proxy.c rename to utils/afl_proxy/afl-proxy.c diff --git a/examples/afl_untracer/Makefile b/utils/afl_untracer/Makefile similarity index 100% rename from examples/afl_untracer/Makefile rename to utils/afl_untracer/Makefile diff --git a/examples/afl_untracer/README.md b/utils/afl_untracer/README.md similarity index 100% rename from examples/afl_untracer/README.md rename to utils/afl_untracer/README.md diff --git a/examples/afl_untracer/TODO b/utils/afl_untracer/TODO similarity index 100% rename from examples/afl_untracer/TODO rename to utils/afl_untracer/TODO diff --git a/examples/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c similarity index 100% rename from examples/afl_untracer/afl-untracer.c rename to utils/afl_untracer/afl-untracer.c diff --git a/examples/afl_untracer/ghidra_get_patchpoints.java b/utils/afl_untracer/ghidra_get_patchpoints.java similarity index 97% rename from examples/afl_untracer/ghidra_get_patchpoints.java rename to utils/afl_untracer/ghidra_get_patchpoints.java index d341bea4..2a93642b 100644 --- a/examples/afl_untracer/ghidra_get_patchpoints.java +++ b/utils/afl_untracer/ghidra_get_patchpoints.java @@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -// Find patch points for untracer tools (e.g. afl++ examples/afl_untracer) +// Find patch points for untracer tools (e.g. afl++ utils/afl_untracer) // // Copy to ..../Ghidra/Features/Search/ghidra_scripts/ // Writes the results to ~/Desktop/patches.txt diff --git a/examples/afl_untracer/ida_get_patchpoints.py b/utils/afl_untracer/ida_get_patchpoints.py similarity index 100% rename from examples/afl_untracer/ida_get_patchpoints.py rename to utils/afl_untracer/ida_get_patchpoints.py diff --git a/examples/afl_untracer/libtestinstr.c b/utils/afl_untracer/libtestinstr.c similarity index 100% rename from examples/afl_untracer/libtestinstr.c rename to utils/afl_untracer/libtestinstr.c diff --git a/examples/afl_untracer/patches.txt b/utils/afl_untracer/patches.txt similarity index 100% rename from examples/afl_untracer/patches.txt rename to utils/afl_untracer/patches.txt diff --git a/examples/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile similarity index 100% rename from examples/aflpp_driver/GNUmakefile rename to utils/aflpp_driver/GNUmakefile diff --git a/examples/aflpp_driver/Makefile b/utils/aflpp_driver/Makefile similarity index 100% rename from examples/aflpp_driver/Makefile rename to utils/aflpp_driver/Makefile diff --git a/examples/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c similarity index 100% rename from examples/aflpp_driver/aflpp_driver.c rename to utils/aflpp_driver/aflpp_driver.c diff --git a/examples/aflpp_driver/aflpp_driver_test.c b/utils/aflpp_driver/aflpp_driver_test.c similarity index 100% rename from examples/aflpp_driver/aflpp_driver_test.c rename to utils/aflpp_driver/aflpp_driver_test.c diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/utils/aflpp_driver/aflpp_qemu_driver.c similarity index 100% rename from examples/aflpp_driver/aflpp_qemu_driver.c rename to utils/aflpp_driver/aflpp_qemu_driver.c diff --git a/examples/aflpp_driver/aflpp_qemu_driver_hook.c b/utils/aflpp_driver/aflpp_qemu_driver_hook.c similarity index 100% rename from examples/aflpp_driver/aflpp_qemu_driver_hook.c rename to utils/aflpp_driver/aflpp_qemu_driver_hook.c diff --git a/examples/analysis_scripts/queue2csv.sh b/utils/analysis_scripts/queue2csv.sh similarity index 100% rename from examples/analysis_scripts/queue2csv.sh rename to utils/analysis_scripts/queue2csv.sh diff --git a/examples/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile similarity index 100% rename from examples/argv_fuzzing/Makefile rename to utils/argv_fuzzing/Makefile diff --git a/examples/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md similarity index 100% rename from examples/argv_fuzzing/README.md rename to utils/argv_fuzzing/README.md diff --git a/examples/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h similarity index 100% rename from examples/argv_fuzzing/argv-fuzz-inl.h rename to utils/argv_fuzzing/argv-fuzz-inl.h diff --git a/examples/argv_fuzzing/argvfuzz.c b/utils/argv_fuzzing/argvfuzz.c similarity index 100% rename from examples/argv_fuzzing/argvfuzz.c rename to utils/argv_fuzzing/argvfuzz.c diff --git a/examples/asan_cgroups/limit_memory.sh b/utils/asan_cgroups/limit_memory.sh similarity index 100% rename from examples/asan_cgroups/limit_memory.sh rename to utils/asan_cgroups/limit_memory.sh diff --git a/examples/bash_shellshock/shellshock-fuzz.diff b/utils/bash_shellshock/shellshock-fuzz.diff similarity index 100% rename from examples/bash_shellshock/shellshock-fuzz.diff rename to utils/bash_shellshock/shellshock-fuzz.diff diff --git a/examples/canvas_harness/canvas_harness.html b/utils/canvas_harness/canvas_harness.html similarity index 100% rename from examples/canvas_harness/canvas_harness.html rename to utils/canvas_harness/canvas_harness.html diff --git a/examples/clang_asm_normalize/as b/utils/clang_asm_normalize/as similarity index 100% rename from examples/clang_asm_normalize/as rename to utils/clang_asm_normalize/as diff --git a/examples/crash_triage/triage_crashes.sh b/utils/crash_triage/triage_crashes.sh similarity index 100% rename from examples/crash_triage/triage_crashes.sh rename to utils/crash_triage/triage_crashes.sh diff --git a/examples/custom_mutators/Makefile b/utils/custom_mutators/Makefile similarity index 100% rename from examples/custom_mutators/Makefile rename to utils/custom_mutators/Makefile diff --git a/examples/custom_mutators/README.md b/utils/custom_mutators/README.md similarity index 100% rename from examples/custom_mutators/README.md rename to utils/custom_mutators/README.md diff --git a/examples/custom_mutators/XmlMutatorMin.py b/utils/custom_mutators/XmlMutatorMin.py similarity index 100% rename from examples/custom_mutators/XmlMutatorMin.py rename to utils/custom_mutators/XmlMutatorMin.py diff --git a/examples/custom_mutators/common.py b/utils/custom_mutators/common.py similarity index 100% rename from examples/custom_mutators/common.py rename to utils/custom_mutators/common.py diff --git a/examples/custom_mutators/custom_mutator_helpers.h b/utils/custom_mutators/custom_mutator_helpers.h similarity index 100% rename from examples/custom_mutators/custom_mutator_helpers.h rename to utils/custom_mutators/custom_mutator_helpers.h diff --git a/examples/custom_mutators/example.c b/utils/custom_mutators/example.c similarity index 100% rename from examples/custom_mutators/example.c rename to utils/custom_mutators/example.c diff --git a/examples/custom_mutators/example.py b/utils/custom_mutators/example.py similarity index 100% rename from examples/custom_mutators/example.py rename to utils/custom_mutators/example.py diff --git a/examples/custom_mutators/post_library_gif.so.c b/utils/custom_mutators/post_library_gif.so.c similarity index 100% rename from examples/custom_mutators/post_library_gif.so.c rename to utils/custom_mutators/post_library_gif.so.c diff --git a/examples/custom_mutators/post_library_png.so.c b/utils/custom_mutators/post_library_png.so.c similarity index 100% rename from examples/custom_mutators/post_library_png.so.c rename to utils/custom_mutators/post_library_png.so.c diff --git a/examples/custom_mutators/simple-chunk-replace.py b/utils/custom_mutators/simple-chunk-replace.py similarity index 100% rename from examples/custom_mutators/simple-chunk-replace.py rename to utils/custom_mutators/simple-chunk-replace.py diff --git a/examples/custom_mutators/simple_example.c b/utils/custom_mutators/simple_example.c similarity index 100% rename from examples/custom_mutators/simple_example.c rename to utils/custom_mutators/simple_example.c diff --git a/examples/custom_mutators/wrapper_afl_min.py b/utils/custom_mutators/wrapper_afl_min.py similarity index 100% rename from examples/custom_mutators/wrapper_afl_min.py rename to utils/custom_mutators/wrapper_afl_min.py diff --git a/examples/defork/Makefile b/utils/defork/Makefile similarity index 100% rename from examples/defork/Makefile rename to utils/defork/Makefile diff --git a/examples/defork/README.md b/utils/defork/README.md similarity index 100% rename from examples/defork/README.md rename to utils/defork/README.md diff --git a/examples/defork/defork.c b/utils/defork/defork.c similarity index 100% rename from examples/defork/defork.c rename to utils/defork/defork.c diff --git a/examples/defork/forking_target.c b/utils/defork/forking_target.c similarity index 100% rename from examples/defork/forking_target.c rename to utils/defork/forking_target.c diff --git a/examples/distributed_fuzzing/sync_script.sh b/utils/distributed_fuzzing/sync_script.sh similarity index 100% rename from examples/distributed_fuzzing/sync_script.sh rename to utils/distributed_fuzzing/sync_script.sh diff --git a/examples/libpng_no_checksum/libpng-nocrc.patch b/utils/libpng_no_checksum/libpng-nocrc.patch similarity index 100% rename from examples/libpng_no_checksum/libpng-nocrc.patch rename to utils/libpng_no_checksum/libpng-nocrc.patch diff --git a/examples/persistent_mode/Makefile b/utils/persistent_mode/Makefile similarity index 100% rename from examples/persistent_mode/Makefile rename to utils/persistent_mode/Makefile diff --git a/examples/persistent_mode/persistent_demo.c b/utils/persistent_mode/persistent_demo.c similarity index 100% rename from examples/persistent_mode/persistent_demo.c rename to utils/persistent_mode/persistent_demo.c diff --git a/examples/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c similarity index 100% rename from examples/persistent_mode/persistent_demo_new.c rename to utils/persistent_mode/persistent_demo_new.c diff --git a/examples/persistent_mode/test-instr.c b/utils/persistent_mode/test-instr.c similarity index 100% rename from examples/persistent_mode/test-instr.c rename to utils/persistent_mode/test-instr.c diff --git a/examples/qemu_persistent_hook/Makefile b/utils/qemu_persistent_hook/Makefile similarity index 100% rename from examples/qemu_persistent_hook/Makefile rename to utils/qemu_persistent_hook/Makefile diff --git a/examples/qemu_persistent_hook/README.md b/utils/qemu_persistent_hook/README.md similarity index 100% rename from examples/qemu_persistent_hook/README.md rename to utils/qemu_persistent_hook/README.md diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/utils/qemu_persistent_hook/read_into_rdi.c similarity index 100% rename from examples/qemu_persistent_hook/read_into_rdi.c rename to utils/qemu_persistent_hook/read_into_rdi.c diff --git a/examples/qemu_persistent_hook/test.c b/utils/qemu_persistent_hook/test.c similarity index 100% rename from examples/qemu_persistent_hook/test.c rename to utils/qemu_persistent_hook/test.c diff --git a/examples/socket_fuzzing/Makefile b/utils/socket_fuzzing/Makefile similarity index 100% rename from examples/socket_fuzzing/Makefile rename to utils/socket_fuzzing/Makefile diff --git a/examples/socket_fuzzing/README.md b/utils/socket_fuzzing/README.md similarity index 100% rename from examples/socket_fuzzing/README.md rename to utils/socket_fuzzing/README.md diff --git a/examples/socket_fuzzing/socketfuzz.c b/utils/socket_fuzzing/socketfuzz.c similarity index 100% rename from examples/socket_fuzzing/socketfuzz.c rename to utils/socket_fuzzing/socketfuzz.c From 0942158ad1210e3933ea15dd9c5ab0a6516febb0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 1 Dec 2020 23:17:20 +0100 Subject: [PATCH 50/85] remove docs/README symlink and update references --- afl-cmin | 2 +- afl-cmin.bash | 2 +- dictionaries/README.md | 2 +- docs/README.md | 1 - libdislocator/README.md | 2 +- libtokencap/README.md | 2 +- qemu_mode/README.md | 2 +- 7 files changed, 6 insertions(+), 7 deletions(-) delete mode 120000 docs/README.md diff --git a/afl-cmin b/afl-cmin index 0dbf1390..91ed8d6d 100755 --- a/afl-cmin +++ b/afl-cmin @@ -113,7 +113,7 @@ function usage() { " -C - keep crashing inputs, reject everything else\n" \ " -e - solve for edge coverage only, ignore hit counts\n" \ "\n" \ -"For additional tips, please consult docs/README.md\n" \ +"For additional tips, please consult README.md\n" \ "\n" \ "Environment variables used:\n" \ "AFL_KEEP_TRACES: leave the temporary /.traces directory\n" \ diff --git a/afl-cmin.bash b/afl-cmin.bash index 3e29aa5c..637949bc 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -128,7 +128,7 @@ Minimization settings: -C - keep crashing inputs, reject everything else -e - solve for edge coverage only, ignore hit counts -For additional tips, please consult docs/README.md. +For additional tips, please consult README.md. Environment variables used: AFL_KEEP_TRACES: leave the temporary \.traces directory diff --git a/dictionaries/README.md b/dictionaries/README.md index 616a83cc..7c587abb 100644 --- a/dictionaries/README.md +++ b/dictionaries/README.md @@ -1,6 +1,6 @@ # AFL dictionaries -(See [../docs/README.md](../docs/README.md) for the general instruction manual.) +(See [../README.md](../README.md) for the general instruction manual.) This subdirectory contains a set of dictionaries that can be used in conjunction with the -x option to allow the fuzzer to effortlessly explore the diff --git a/docs/README.md b/docs/README.md deleted file mode 120000 index 32d46ee8..00000000 --- a/docs/README.md +++ /dev/null @@ -1 +0,0 @@ -../README.md \ No newline at end of file diff --git a/libdislocator/README.md b/libdislocator/README.md index 873d8806..1785463e 100644 --- a/libdislocator/README.md +++ b/libdislocator/README.md @@ -1,6 +1,6 @@ # libdislocator, an abusive allocator - (See ../docs/README.md for the general instruction manual.) + (See ../README.md for the general instruction manual.) This is a companion library that can be used as a drop-in replacement for the libc allocator in the fuzzed binaries. It improves the odds of bumping into diff --git a/libtokencap/README.md b/libtokencap/README.md index 0a3591eb..13a440da 100644 --- a/libtokencap/README.md +++ b/libtokencap/README.md @@ -1,6 +1,6 @@ # strcmp() / memcmp() token capture library - (See ../docs/README.md for the general instruction manual.) + (See ../README.md for the general instruction manual.) This companion library allows you to instrument `strcmp()`, `memcmp()`, and related functions to automatically extract syntax tokens passed to any of diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 58e48e91..9818846d 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -1,6 +1,6 @@ # High-performance binary-only instrumentation for afl-fuzz - (See ../docs/README.md for the general instruction manual.) + (See ../README.md for the general instruction manual.) ## 1) Introduction From 16a6bbb3c9b826359e3fe193b1f66a941fde6d62 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Wed, 2 Dec 2020 13:26:38 +0100 Subject: [PATCH 51/85] typo --- instrumentation/README.lto.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index 62e98902..37d51de8 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -62,7 +62,7 @@ AUTODICTIONARY: 11 strings found ### Installing llvm version 11 -llvm 11 should be available in all current Linux repository. +llvm 11 should be available in all current Linux repositories. If you use an outdated Linux distribution read the next section. ### Installing llvm from the llvm repository (version 12) From 1890d7b9cf5a32368c0700ef790f97087b948e1f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 2 Dec 2020 15:03:21 +0100 Subject: [PATCH 52/85] very complete runtime lookup rewrite --- src/afl-cc.c | 237 +++++++++++++++++++++++------------------- test/test-llvm-lto.sh | 2 +- 2 files changed, 133 insertions(+), 106 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index cc9854b6..2b5ae7c3 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -106,20 +106,42 @@ u8 *getthecwd() { } -/* Try to find the runtime libraries. If that fails, abort. */ +/* Try to find a specific runtime we need, returns NULL on fail. */ + +/* + in find_object() we look here: + + 1. if obj_path is already set we look there first + 2. then we check the $AFL_PATH environment variable location if set + 3. next we check argv[0] if has path information and use it + a) we also check ../lib/ + 4. if 3. failed we check /proc (only Linux, Android, NetBSD, DragonFly, and + FreeBSD with procfs + a) and check here in ../lib/ too + 5. we look into the AFL_PATH define (usually /usr/local/lib/afl) + 6. we finally try the current directory + + if this all fail - we fail. +*/ static u8 *find_object(u8 *obj, u8 *argv0) { u8 *afl_path = getenv("AFL_PATH"); u8 *slash = NULL, *tmp; + if (obj_path) { + + tmp = alloc_printf("%s/%s", obj_path, obj); + + if (!access(tmp, R_OK)) { return tmp; } + + ck_free(tmp); + + } + if (afl_path) { -#ifdef __ANDROID__ tmp = alloc_printf("%s/%s", afl_path, obj); -#else - tmp = alloc_printf("%s/%s", afl_path, obj); -#endif if (!access(tmp, R_OK)) { @@ -132,128 +154,120 @@ static u8 *find_object(u8 *obj, u8 *argv0) { } - if (argv0) slash = strrchr(argv0, '/'); + if (argv0) { - if (slash) { + slash = strrchr(argv0, '/'); - u8 *dir; + if (slash) { - *slash = 0; - dir = ck_strdup(argv0); - *slash = '/'; + u8 *dir = ck_strdup(argv0); -#ifdef __ANDROID__ - tmp = alloc_printf("%s/%s", dir, obj); -#else - tmp = alloc_printf("%s/%s", dir, obj); + slash = strrchr(dir, '/'); + *slash = 0; + + tmp = alloc_printf("%s/%s", dir, obj); + + if (!access(tmp, R_OK)) { + + obj_path = dir; + return tmp; + + } + + ck_free(tmp); + tmp = alloc_printf("%s/../lib/%s", dir, obj); + + if (!access(tmp, R_OK)) { + + u8 *dir2 = alloc_printf("%s/../lib", dir); + obj_path = dir2; + ck_free(dir); + return tmp; + + } + + ck_free(tmp); + ck_free(dir); + + } else { + + char *procname = NULL; +#if defined(__FreeBSD__) || defined(__DragonFly__) + procname = "/proc/curproc/file"; + #elsif defined(__linux__) || defined(__ANDROID__) + procname = "/proc/self/exe"; + #elsif defined(__NetBSD__) + procname = "/proc/curproc/exe"; #endif + if (procname) { - if (!access(tmp, R_OK)) { + char exepath[PATH_MAX]; + ssize_t exepath_len = readlink(procname, exepath, sizeof(exepath)); + if (exepath_len > 0 && exepath_len < PATH_MAX) { - obj_path = dir; - return tmp; + exepath[exepath_len] = 0; + slash = strrchr(exepath, '/'); + + if (slash) { + + *slash = 0; + tmp = alloc_printf("%s/%s", exepath, obj); + + if (!access(tmp, R_OK)) { + + u8 *dir = alloc_printf("%s/../lib/", exepath); + obj_path = dir; + return tmp; + + } + + ck_free(tmp); + tmp = alloc_printf("%s/../lib/%s", exepath, obj); + + if (!access(tmp, R_OK)) { + + u8 *dir = alloc_printf("%s/../lib/", exepath); + obj_path = dir; + return tmp; + + } + + } + + } + + } } - ck_free(tmp); - ck_free(dir); - } tmp = alloc_printf("%s/%s", AFL_PATH, obj); -#ifdef __ANDROID__ - if (!access(tmp, R_OK)) { -#else if (!access(tmp, R_OK)) { -#endif - obj_path = AFL_PATH; return tmp; } ck_free(tmp); + + tmp = alloc_printf("./%s", obj); + + if (!access(tmp, R_OK)) { + + obj_path = "."; + return tmp; + + } + + ck_free(tmp); + return NULL; } -/* Try to find the runtime libraries. If that fails, abort. */ - -static void find_obj(u8 *argv0) { - - u8 *afl_path = getenv("AFL_PATH"); - u8 *slash, *tmp; - - if (afl_path) { - -#ifdef __ANDROID__ - tmp = alloc_printf("%s/afl-compiler-rt.so", afl_path); -#else - tmp = alloc_printf("%s/afl-compiler-rt.o", afl_path); -#endif - - if (!access(tmp, R_OK)) { - - obj_path = afl_path; - ck_free(tmp); - return; - - } - - ck_free(tmp); - - } - - slash = strrchr(argv0, '/'); - - if (slash) { - - u8 *dir; - - *slash = 0; - dir = ck_strdup(argv0); - *slash = '/'; - -#ifdef __ANDROID__ - tmp = alloc_printf("%s/afl-compiler-rt.so", dir); -#else - tmp = alloc_printf("%s/afl-compiler-rt.o", dir); -#endif - - if (!access(tmp, R_OK)) { - - obj_path = dir; - ck_free(tmp); - return; - - } - - ck_free(tmp); - ck_free(dir); - - } - -#ifdef __ANDROID__ - if (!access(AFL_PATH "/afl-compiler-rt.so", R_OK)) { - -#else - if (!access(AFL_PATH "/afl-compiler-rt.o", R_OK)) { - -#endif - - obj_path = AFL_PATH; - return; - - } - - FATAL( - "Unable to find 'afl-compiler-rt.o' or 'afl-llvm-pass.so'. Please set " - "AFL_PATH"); - -} - /* Copy argv to cc_params, making the necessary edits. */ static void edit_params(u32 argc, char **argv, char **envp) { @@ -360,8 +374,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (compiler_mode == GCC_PLUGIN) { - char *fplugin_arg = - alloc_printf("-fplugin=%s", find_object("afl-gcc-pass.so", argvnull)); + char *fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); cc_params[cc_par_cnt++] = fplugin_arg; } @@ -1594,10 +1607,24 @@ int main(int argc, char **argv, char **envp) { if (!be_quiet && cmplog_mode) printf("CmpLog mode by \n"); -#ifndef __ANDROID__ - find_obj(argv[0]); +#ifdef __ANDROID__ + ptr = find_object("afl-compiler-rt.so", argv[0]); +#else + ptr = find_object("afl-compiler-rt.o", argv[0]); #endif + if (debug) { DEBUGF("obj_path=%s\n", obj_path); } + + if (!ptr) { + + FATAL( + "Unable to find 'afl-compiler-rt.o'. Please set the AFL_PATH " + "environment variable."); + + } + + ck_free(ptr); + edit_params(argc, argv, envp); if (debug) { diff --git a/test/test-llvm-lto.sh b/test/test-llvm-lto.sh index e10f4cf7..d0b8f8fc 100755 --- a/test/test-llvm-lto.sh +++ b/test/test-llvm-lto.sh @@ -57,7 +57,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt - ../afl-clang-lto -o test-persistent ../utils/persistent_mode/persistent_mode.c > /dev/null 2>&1 + ../afl-clang-lto -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m none -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode LTO persistent mode feature works correctly" From 0f803c63dfb1dafdef3bfe1b43674157efcd7107 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 2 Dec 2020 15:08:08 +0100 Subject: [PATCH 53/85] move debug print --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index 2b5ae7c3..854359e2 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1613,8 +1613,6 @@ int main(int argc, char **argv, char **envp) { ptr = find_object("afl-compiler-rt.o", argv[0]); #endif - if (debug) { DEBUGF("obj_path=%s\n", obj_path); } - if (!ptr) { FATAL( @@ -1623,6 +1621,8 @@ int main(int argc, char **argv, char **envp) { } + if (debug) { DEBUGF("rt=%s obj_path=%s\n", ptr, obj_path); } + ck_free(ptr); edit_params(argc, argv, envp); From a2e2fae840e9946c7994ac6807bed8496d71af56 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 3 Dec 2020 14:43:06 +0100 Subject: [PATCH 54/85] AFL_CRASH_EXITCODE env var added, u8->bool --- .gitignore | 1 + afl-cmin | 5 +++-- docs/Changelog.md | 4 +++- docs/env_variables.md | 7 +++++++ include/afl-fuzz.h | 7 ++++--- include/common.h | 2 +- include/envs.h | 1 + include/forkserver.h | 21 +++++++++++++-------- src/afl-analyze.c | 4 ++-- src/afl-common.c | 4 ++-- src/afl-forkserver.c | 22 +++++++++++++++------- src/afl-fuzz-init.c | 27 +++++++++++++++++++++++++-- src/afl-fuzz-state.c | 7 +++++++ src/afl-fuzz.c | 26 ++++++++++++++++++++++++-- src/afl-showmap.c | 19 +++++++++++++++++++ src/afl-tmin.c | 32 +++++++++++++++++++++++++------- 16 files changed, 152 insertions(+), 37 deletions(-) diff --git a/.gitignore b/.gitignore index 97f99bf6..82a81605 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ *.pyc *.dSYM as +a.out ld in out diff --git a/afl-cmin b/afl-cmin index 91ed8d6d..b3b1ead8 100755 --- a/afl-cmin +++ b/afl-cmin @@ -116,11 +116,12 @@ function usage() { "For additional tips, please consult README.md\n" \ "\n" \ "Environment variables used:\n" \ +"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n" \ +"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" \ +"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \ "AFL_KEEP_TRACES: leave the temporary /.traces directory\n" \ "AFL_PATH: path for the afl-showmap binary\n" \ "AFL_SKIP_BIN_CHECK: skip check for target binary\n" \ -"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n" -"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" exit 1 } diff --git a/docs/Changelog.md b/docs/Changelog.md index fd30c7b0..02728f10 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -60,8 +60,10 @@ sending a mail to . - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/ - added INTROSPECTION support for custom modules - python fuzz function was not optional, fixed - - unicornafl synced with upstream (arm64 fix, better rust bindings) + - some python mutator speed improvements + - unicornafl synced with upstream version 1.02 (fixes, better rust bindings) - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD + - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash ### Version ++2.68c (release) diff --git a/docs/env_variables.md b/docs/env_variables.md index ada89257..e203055f 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -428,6 +428,13 @@ checks or alter some of the more exotic semantics of the tool: matches your StatsD server. Available flavors are `dogstatsd`, `librato`, `signalfx` and `influxdb`. + - Setting `AFL_CRASH_EXITCODE` sets the exit code afl treats as crash. + For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting + in an `-1` return code (i.e. `exit(-1)` got called), will be treated + as if a crash had ocurred. + This may be beneficial if you look for higher-level faulty conditions in which your + target still exits gracefully. + - Outdated environment variables that are not supported anymore: `AFL_DEFER_FORKSRV` `AFL_PERSISTENT` diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 933af65d..62d76323 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -144,8 +144,8 @@ struct queue_entry { u8 *fname; /* File name for the test case */ u32 len; /* Input length */ - u8 cal_failed, /* Calibration failed? */ - trim_done, /* Trimmed? */ + u8 cal_failed; /* Calibration failed? */ + bool trim_done, /* Trimmed? */ was_fuzzed, /* historical, but needed for MOpt */ passed_det, /* Deterministic stages passed? */ has_new_cov, /* Triggers new coverage? */ @@ -368,7 +368,8 @@ typedef struct afl_env_vars { u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload, *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port, - *afl_statsd_tags_flavor, *afl_testcache_size, *afl_testcache_entries; + *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size, + *afl_testcache_entries; } afl_env_vars_t; diff --git a/include/common.h b/include/common.h index c364ade0..6e5039d8 100644 --- a/include/common.h +++ b/include/common.h @@ -38,7 +38,7 @@ #define STRINGIFY_VAL_SIZE_MAX (16) -void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin); +void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin); void check_environment_vars(char **env); char **argv_cpy_dup(int argc, char **argv); diff --git a/include/envs.h b/include/envs.h index 3aa05cb5..43c87148 100644 --- a/include/envs.h +++ b/include/envs.h @@ -32,6 +32,7 @@ static char *afl_environment_variables[] = { "AFL_CODE_START", "AFL_COMPCOV_BINNAME", "AFL_COMPCOV_LEVEL", + "AFL_CRASH_EXITCODE", "AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", diff --git a/include/forkserver.h b/include/forkserver.h index 300ecffc..5d5c728f 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -37,9 +37,7 @@ typedef struct afl_forkserver { /* a program that includes afl-forkserver needs to define these */ - u8 uses_asan; /* Target uses ASAN? */ u8 *trace_bits; /* SHM with instrumentation bitmap */ - u8 use_stdin; /* use stdin for sending data */ s32 fsrv_pid, /* PID of the fork server */ child_pid, /* PID of the fuzzed program */ @@ -53,8 +51,6 @@ typedef struct afl_forkserver { fsrv_ctl_fd, /* Fork server control pipe (write) */ fsrv_st_fd; /* Fork server status pipe (read) */ - u8 no_unlink; /* do not unlink cur_input */ - u32 exec_tmout; /* Configurable exec timeout (ms) */ u32 init_tmout; /* Configurable init timeout (ms) */ u32 map_size; /* map size used by the target */ @@ -73,13 +69,22 @@ typedef struct afl_forkserver { u8 last_kill_signal; /* Signal that killed the child */ - u8 use_shmem_fuzz; /* use shared mem for test cases */ + bool use_shmem_fuzz; /* use shared mem for test cases */ - u8 support_shmem_fuzz; /* set by afl-fuzz */ + bool support_shmem_fuzz; /* set by afl-fuzz */ - u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ + bool use_fauxsrv; /* Fauxsrv for non-forking targets? */ - u8 qemu_mode; /* if running in qemu mode or not */ + bool qemu_mode; /* if running in qemu mode or not */ + + bool use_stdin; /* use stdin for sending data */ + + bool no_unlink; /* do not unlink cur_input */ + + bool uses_asan; /* Target uses ASAN? */ + + bool uses_crash_exitcode; /* Custom crash exitcode specified? */ + u8 crash_exitcode; /* The crash exitcode specified */ u32 *shmem_fuzz_len; /* length of the fuzzing test case */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index c8acebb3..2780deff 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -78,9 +78,9 @@ static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ static s32 dev_null_fd = -1; /* FD to /dev/null */ -static u8 edges_only, /* Ignore hit counts? */ +static bool edges_only, /* Ignore hit counts? */ use_hex_offsets, /* Show hex offsets? */ - use_stdin = 1; /* Use stdin for program input? */ + use_stdin = true; /* Use stdin for program input? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_timed_out; /* Child timed out? */ diff --git a/src/afl-common.c b/src/afl-common.c index 8cf1a444..ed0b0e53 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -46,7 +46,7 @@ u8 be_quiet = 0; u8 *doc_path = ""; u8 last_intr = 0; -void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) { +void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin) { u32 i = 0; u8 cwd[PATH_MAX]; @@ -63,7 +63,7 @@ void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) { if (!prog_in) { FATAL("@@ syntax is not supported by this tool."); } - *use_stdin = 0; + *use_stdin = false; if (prog_in[0] != 0) { // not afl-showmap special case diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 01ef1d9e..20117c1d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -76,8 +76,8 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->dev_urandom_fd = -1; /* Settings */ - fsrv->use_stdin = 1; - fsrv->no_unlink = 0; + fsrv->use_stdin = true; + fsrv->no_unlink = false; fsrv->exec_tmout = EXEC_TIMEOUT; fsrv->init_tmout = EXEC_TIMEOUT * FORK_WAIT_MULT; fsrv->mem_limit = MEM_LIMIT; @@ -86,8 +86,11 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { /* exec related stuff */ fsrv->child_pid = -1; fsrv->map_size = get_map_size(); - fsrv->use_fauxsrv = 0; - fsrv->last_run_timed_out = 0; + fsrv->use_fauxsrv = false; + fsrv->last_run_timed_out = false; + + fsrv->uses_crash_exitcode = false; + fsrv->uses_asan = false; fsrv->init_child_func = fsrv_exec_child; @@ -109,6 +112,8 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->dev_urandom_fd = from->dev_urandom_fd; fsrv_to->out_fd = from->out_fd; // not sure this is a good idea fsrv_to->no_unlink = from->no_unlink; + fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode; + fsrv_to->crash_exitcode = from->crash_exitcode; // These are forkserver specific. fsrv_to->out_dir_fd = -1; @@ -1136,10 +1141,13 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ + /* MSAN in uses_asan mode uses a special exit code as it doesn't support + abort_on_error. + On top, a user may specify a custom AFL_CRASH_EXITCODE. Handle both here. */ - if (fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) { + if ((fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) || + (fsrv->uses_crash_exitcode && + WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode)) { fsrv->last_kill_signal = 0; return FSRV_RUN_CRASH; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 0360cdb0..6707340b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -868,7 +868,19 @@ void perform_dry_run(afl_state_t *afl) { if (skip_crashes) { - WARNF("Test case results in a crash (skipping)"); + if (afl->fsrv.uses_crash_exitcode) { + + WARNF( + "Test case results in a crash or AFL_CRASH_EXITCODE %d " + "(skipping)", + (int)(s8)afl->fsrv.crash_exitcode); + + } else { + + WARNF("Test case results in a crash (skipping)"); + + } + q->cal_failed = CAL_CHANCES; ++cal_failures; break; @@ -954,7 +966,18 @@ void perform_dry_run(afl_state_t *afl) { #undef MSG_ULIMIT_USAGE #undef MSG_FORK_ON_APPLE - WARNF("Test case '%s' results in a crash, skipping", fn); + if (afl->fsrv.uses_crash_exitcode) { + + WARNF( + "Test case '%s' results in a crash or AFL_CRASH_EXITCODE %d, " + "skipping", + fn, (int)(s8)afl->fsrv.crash_exitcode); + + } else { + + WARNF("Test case '%s' results in a crash, skipping", fn); + + } /* Remove from fuzzing queue but keep for splicing */ diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 489d4e53..73b94466 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -394,6 +394,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_statsd_tags_flavor = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_CRASH_EXITCODE", + + afl_environment_variable_len)) { + + afl->afl_env.afl_crash_exitcode = + (u8 *)get_afl_env(afl_environment_variables[i]); + } } else { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b91d862d..eb5e9307 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -26,6 +26,7 @@ #include "afl-fuzz.h" #include "cmplog.h" #include +#include #ifndef USEMMAP #include #include @@ -165,6 +166,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n" "AFL_BENCH_JUST_ONE: run the target just once\n" "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n" + "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" "AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n" "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n" "AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule\n" @@ -702,7 +704,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'N': /* Unicorn mode */ if (afl->no_unlink) { FATAL("Multiple -N options not supported"); } - afl->fsrv.no_unlink = afl->no_unlink = 1; + afl->fsrv.no_unlink = (afl->no_unlink = true); break; @@ -1135,6 +1137,23 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->afl_env.afl_crash_exitcode) { + + long exitcode = strtol(afl->afl_env.afl_crash_exitcode, NULL, 10); + if ((!exitcode && (errno == EINVAL || errno == ERANGE)) || + exitcode < -127 || exitcode > 128) { + + FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", + afl->afl_env.afl_crash_exitcode); + + } + + afl->fsrv.uses_crash_exitcode = true; + // WEXITSTATUS is 8 bit unsigned + afl->fsrv.crash_exitcode = (u8)exitcode; + + } + if (afl->non_instrumented_mode == 2 && afl->no_forkserver) { FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); @@ -1486,9 +1505,12 @@ int main(int argc, char **argv_orig, char **envp) { cull_queue(afl); - if (!afl->pending_not_fuzzed) + if (!afl->pending_not_fuzzed) { + FATAL("We need at least on valid input seed that does not crash!"); + } + show_init_stats(afl); if (unlikely(afl->old_seed_selection)) seek_to = find_start_position(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a8e7d3f9..e07e76c8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -667,6 +667,8 @@ static void usage(u8 *argv0) { "AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing " "inputs\n" "AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also\n" + "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as " + "crash\n" "AFL_DEBUG: enable extra developer output\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the " "size\n" @@ -1090,6 +1092,23 @@ int main(int argc, char **argv_orig, char **envp) { } + if (getenv("AFL_CRASH_EXITCODE")) { + + long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); + if ((!exitcode && (errno == EINVAL || errno == ERANGE)) || + exitcode < -127 || exitcode > 128) { + + FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", + getenv("AFL_CRASH_EXITCODE")); + + } + + fsrv->uses_crash_exitcode = true; + // WEXITSTATUS is 8 bit unsigned + fsrv->crash_exitcode = (u8)exitcode; + + } + afl_fsrv_start(fsrv, use_argv, &stop_soon, (get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) diff --git a/src/afl-tmin.c b/src/afl-tmin.c index e4fb068d..b9045551 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -51,6 +51,7 @@ #include #include #include +#include #include #include @@ -841,17 +842,17 @@ static void usage(u8 *argv0) { "For additional tips, please consult %s/README.md.\n\n" "Environment variables used:\n" - "TMPDIR: directory to use for temporary input files\n" - "ASAN_OPTIONS: custom settings for ASAN\n" - " (must contain abort_on_error=1 and symbolize=0)\n" - "MSAN_OPTIONS: custom settings for MSAN\n" - " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" + "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" + "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n" - "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n" - + "ASAN_OPTIONS: custom settings for ASAN\n" + " (must contain abort_on_error=1 and symbolize=0)\n" + "MSAN_OPTIONS: custom settings for MSAN\n" + " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" + "TMPDIR: directory to use for temporary input files\n" , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); exit(1); @@ -1122,6 +1123,23 @@ int main(int argc, char **argv_orig, char **envp) { } + if (getenv("AFL_CRASH_EXITCODE")) { + + long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); + if ((!exitcode && (errno == EINVAL || errno == ERANGE)) || + exitcode < -127 || exitcode > 128) { + + FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", + getenv("AFL_CRASH_EXITCODE")); + + } + + fsrv->uses_crash_exitcode = true; + // WEXITSTATUS is 8 bit unsigned + fsrv->crash_exitcode = (u8)exitcode; + + } + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); /* initialize cmplog_mode */ From 295ddaf96b411b41017e609b6b3537db78147dfa Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 3 Dec 2020 15:19:10 +0100 Subject: [PATCH 55/85] fix for afl-cc --- src/afl-cc.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index 854359e2..cc4f44f5 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -114,10 +114,10 @@ u8 *getthecwd() { 1. if obj_path is already set we look there first 2. then we check the $AFL_PATH environment variable location if set 3. next we check argv[0] if has path information and use it - a) we also check ../lib/ + a) we also check ../lib/afl 4. if 3. failed we check /proc (only Linux, Android, NetBSD, DragonFly, and FreeBSD with procfs - a) and check here in ../lib/ too + a) and check here in ../lib/afl too 5. we look into the AFL_PATH define (usually /usr/local/lib/afl) 6. we finally try the current directory @@ -175,11 +175,11 @@ static u8 *find_object(u8 *obj, u8 *argv0) { } ck_free(tmp); - tmp = alloc_printf("%s/../lib/%s", dir, obj); + tmp = alloc_printf("%s/../lib/afl/%s", dir, obj); if (!access(tmp, R_OK)) { - u8 *dir2 = alloc_printf("%s/../lib", dir); + u8 *dir2 = alloc_printf("%s/../lib/afl", dir); obj_path = dir2; ck_free(dir); return tmp; @@ -215,18 +215,18 @@ static u8 *find_object(u8 *obj, u8 *argv0) { if (!access(tmp, R_OK)) { - u8 *dir = alloc_printf("%s/../lib/", exepath); + u8 *dir = alloc_printf("%s", exepath); obj_path = dir; return tmp; } ck_free(tmp); - tmp = alloc_printf("%s/../lib/%s", exepath, obj); + tmp = alloc_printf("%s/../lib/afl/%s", exepath, obj); if (!access(tmp, R_OK)) { - u8 *dir = alloc_printf("%s/../lib/", exepath); + u8 *dir = alloc_printf("%s/../lib/afl/", exepath); obj_path = dir; return tmp; From f0e81b230146dba93ac265485bbbc5b5c77a0343 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 3 Dec 2020 22:26:28 +0100 Subject: [PATCH 56/85] updated unicorn --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index c5569fbd..99025a06 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -f44ec48f +8cca4801 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f44ec48f..8cca4801 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 +Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d From b31d5a7cef66b47fc457159de84088139a5bbf7c Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 4 Dec 2020 07:32:56 +0100 Subject: [PATCH 57/85] afl-cmin usage fix --- afl-cmin | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/afl-cmin b/afl-cmin index b3b1ead8..93174b8b 100755 --- a/afl-cmin +++ b/afl-cmin @@ -121,7 +121,7 @@ function usage() { "AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \ "AFL_KEEP_TRACES: leave the temporary /.traces directory\n" \ "AFL_PATH: path for the afl-showmap binary\n" \ -"AFL_SKIP_BIN_CHECK: skip check for target binary\n" \ +"AFL_SKIP_BIN_CHECK: skip check for target binary\n" exit 1 } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 8cca4801..f44ec48f 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d +Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 From e9a342f3d96b15594f95122b9dbd4de358f5923e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 4 Dec 2020 08:43:58 +0100 Subject: [PATCH 58/85] common.h change from user header include to system header include --- include/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/common.h b/include/common.h index 6e5039d8..125c3abf 100644 --- a/include/common.h +++ b/include/common.h @@ -31,8 +31,8 @@ #include #include #include +#include #include "types.h" -#include "stdbool.h" /* STRINGIFY_VAL_SIZE_MAX will fit all stringify_ strings. */ From aca5b55b6d1f2d7079830b805e12d8585e98aa2e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 4 Dec 2020 08:46:46 +0100 Subject: [PATCH 59/85] test-pre.sh revert removal of afl-clang --- test/test-pre.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/test/test-pre.sh b/test/test-pre.sh index fc84cb47..4c708a68 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -106,7 +106,14 @@ export AFL_LLVM_INSTRUMENT=AFL test -e /usr/local/bin/opt && { export PATH="/usr/local/bin:${PATH}" } -AFL_GCC=afl-gcc +# on MacOS X we prefer afl-clang over afl-gcc, because +# afl-gcc does not work there +test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { + AFL_GCC=afl-clang +} || { + AFL_GCC=afl-gcc +} +command -v gcc >/dev/null 2>&1 || AFL_GCC=afl-clang SYS=`uname -m` From a19b3022d93195d3703817c728817d7e071e89fe Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 3 Dec 2020 19:22:44 +0100 Subject: [PATCH 60/85] afl_custom_describe api added --- docs/Changelog.md | 10 +++--- include/afl-fuzz.h | 14 ++++++++ src/afl-fuzz-bitmap.c | 63 ++++++++++++++++++++++++-------- src/afl-fuzz-mutators.c | 80 +++++++++++++++++++++++++++++++++-------- src/afl-fuzz-one.c | 9 +++-- unicorn_mode/unicornafl | 2 +- 6 files changed, 143 insertions(+), 35 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 02728f10..5201eb8b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -22,18 +22,18 @@ sending a mail to . a schedule performance score, which is much better that the previous walk the whole queue approach. Select the old mode with -Z (auto enabled with -M) - - rpc.statsd support by Edznux, thanks a lot! + - rpc.statsd support, for stats and charts, by Edznux, thanks a lot! - Marcel Boehme submitted a patch that improves all AFFast schedules :) - not specifying -M or -S will now auto-set "-S default" - reading testcases from -i now descends into subdirectories - - allow up to 4 times the -x command line option - - loaded extras now have a duplicate protection + - allow the -x command line option up to 4 times + - loaded extras now have a duplication protection - If test cases are too large we do a partial read on the maximum supported size - longer seeds with the same trace information will now be ignored for fuzzing but still be used for splicing - crashing seeds are now not prohibiting a run anymore but are - skipped. They are used for splicing though. + skipped - they are used for splicing, though - update MOpt for expanded havoc modes - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary - added NO_SPLICING compile option and makefile define @@ -42,6 +42,8 @@ sending a mail to . - print special compile time options used in help output - when using -c cmplog, one of the childs was not killed, fixed - somewhere we broke -n dumb fuzzing, fixed + - added afl_custom_describe to the custom mutator API to allow for easy + mutation reproduction on crashing inputs - instrumentation - We received an enhanced gcc_plugin module from AdaCore, thank you very much!! diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 62d76323..92465e7e 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -798,6 +798,20 @@ struct custom_mutator { size_t (*afl_custom_fuzz)(void *data, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size); + /** + * Describe the current testcase, generated by the last mutation. + * This will be called, for example, to give the written testcase a name + * after a crash ocurred. It can help to reproduce crashing mutations. + * + * (Optional) + * + * @param data pointer returned in afl_custom_init for this fuzz case + * @param[in] max_size Maximum size of the mutated output. The mutation must + * not produce data larger than max_size. + * @return A valid ptr to a 0-terminated string, or NULL on error. + */ + const char *(*afl_custom_describe)(void *data, size_t max_size); + /** * A post-processing function to use right before AFL writes the test case to * disk in order to execute the target. diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 2d14b04e..a78bf374 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -425,7 +425,7 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { /* Construct a file name for a new test case, capturing the operation that led to its discovery. Returns a ptr to afl->describe_op_buf_256. */ -u8 *describe_op(afl_state_t *afl, u8 hnb) { +u8 *describe_op(afl_state_t *afl, u8 new_bits) { u8 *ret = afl->describe_op_buf_256; @@ -445,29 +445,64 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); - sprintf(ret + strlen(ret), ",op:%s", afl->stage_short); + if (afl->current_custom_fuzz && + afl->current_custom_fuzz->afl_custom_describe) { - if (afl->stage_cur_byte >= 0) { + /* We are currently in a custom mutator that supports afl_custom_describe, + * use it! */ - sprintf(ret + strlen(ret), ",pos:%d", afl->stage_cur_byte); + size_t len_current = strlen(ret); + ret[len_current++] = ','; + ret[len_current++] = '\0'; - if (afl->stage_val_type != STAGE_VAL_NONE) { + size_t size_left = + sizeof(afl->describe_op_buf_256) - len_current - strlen(",+cov") - 2; + assert(size_left > 0); - sprintf(ret + strlen(ret), ",val:%s%+d", - (afl->stage_val_type == STAGE_VAL_BE) ? "be:" : "", - afl->stage_cur_val); + const char *custom_description = + afl->current_custom_fuzz->afl_custom_describe( + afl->current_custom_fuzz->data, size_left); + if (!custom_description || !custom_description[0]) { + + DEBUGF("Error getting a description from afl_custom_describe"); + /* Take the stage name as description fallback */ + sprintf(ret + len_current, "op:%s", afl->stage_short); + + } else { + + /* We got a proper custom description, use it */ + strncat(ret + len_current, custom_description, size_left); } } else { - sprintf(ret + strlen(ret), ",rep:%d", afl->stage_cur_val); + /* Normal testcase descriptions start here */ + sprintf(ret + strlen(ret), ",op:%s", afl->stage_short); + + if (afl->stage_cur_byte >= 0) { + + sprintf(ret + strlen(ret), ",pos:%d", afl->stage_cur_byte); + + if (afl->stage_val_type != STAGE_VAL_NONE) { + + sprintf(ret + strlen(ret), ",val:%s%+d", + (afl->stage_val_type == STAGE_VAL_BE) ? "be:" : "", + afl->stage_cur_val); + + } + + } else { + + sprintf(ret + strlen(ret), ",rep:%d", afl->stage_cur_val); + + } } } - if (hnb == 2) { strcat(ret, ",+cov"); } + if (new_bits == 2) { strcat(ret, ",+cov"); } return ret; @@ -540,7 +575,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(len == 0)) { return 0; } u8 *queue_fn = ""; - u8 hnb = '\0'; + u8 new_bits = '\0'; s32 fd; u8 keeping = 0, res; u64 cksum = 0; @@ -566,7 +601,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { /* Keep only if there are new bits in the map, add to queue for future fuzzing, etc. */ - if (!(hnb = has_new_bits(afl, afl->virgin_bits))) { + if (!(new_bits = has_new_bits(afl, afl->virgin_bits))) { if (unlikely(afl->crash_mode)) { ++afl->total_crashes; } return 0; @@ -576,7 +611,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES queue_fn = alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, - afl->queued_paths, describe_op(afl, hnb)); + afl->queued_paths, describe_op(afl, new_bits)); #else @@ -619,7 +654,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #endif - if (hnb == 2) { + if (new_bits == 2) { afl->queue_top->has_new_cov = 1; ++afl->queued_with_cov; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 1d14f657..0c85458e 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -151,7 +151,11 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) FATAL("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) { + + FATAL("Symbol 'afl_custom_init' not found."); + + } /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); @@ -161,49 +165,74 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { WARNF("Symbol 'afl_custom_fuzz' not found. Try 'afl_custom_mutator'."); mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); - if (!mutator->afl_custom_fuzz) + if (!mutator->afl_custom_fuzz) { + WARNF("Symbol 'afl_custom_mutator' not found."); + } + } /* "afl_custom_introspection", optional */ #ifdef INTROSPECTION mutator->afl_custom_introspection = dlsym(dh, "afl_custom_introspection"); - if (!mutator->afl_custom_introspection) + if (!mutator->afl_custom_introspection) { + ACTF("optional symbol 'afl_custom_introspection' not found."); + + } + #endif /* "afl_custom_fuzz_count", optional */ mutator->afl_custom_fuzz_count = dlsym(dh, "afl_custom_fuzz_count"); - if (!mutator->afl_custom_fuzz_count) + if (!mutator->afl_custom_fuzz_count) { + ACTF("optional symbol 'afl_custom_fuzz_count' not found."); + } + /* "afl_custom_deinit", optional for backward compatibility */ mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!mutator->afl_custom_deinit) + if (!mutator->afl_custom_deinit) { + FATAL("Symbol 'afl_custom_deinit' not found."); + } + /* "afl_custom_post_process", optional */ mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); - if (!mutator->afl_custom_post_process) + if (!mutator->afl_custom_post_process) { + ACTF("optional symbol 'afl_custom_post_process' not found."); + } + u8 notrim = 0; /* "afl_custom_init_trim", optional */ mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); - if (!mutator->afl_custom_init_trim) + if (!mutator->afl_custom_init_trim) { + ACTF("optional symbol 'afl_custom_init_trim' not found."); + } + /* "afl_custom_trim", optional */ mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) + if (!mutator->afl_custom_trim) { + ACTF("optional symbol 'afl_custom_trim' not found."); + } + /* "afl_custom_post_trim", optional */ mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); - if (!mutator->afl_custom_post_trim) + if (!mutator->afl_custom_post_trim) { + ACTF("optional symbol 'afl_custom_post_trim' not found."); + } + if (notrim) { mutator->afl_custom_init_trim = NULL; @@ -217,31 +246,54 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); - if (!mutator->afl_custom_havoc_mutation) + if (!mutator->afl_custom_havoc_mutation) { + ACTF("optional symbol 'afl_custom_havoc_mutation' not found."); + } + /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); - if (!mutator->afl_custom_havoc_mutation_probability) + if (!mutator->afl_custom_havoc_mutation_probability) { + ACTF("optional symbol 'afl_custom_havoc_mutation_probability' not found."); + } + /* "afl_custom_queue_get", optional */ mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); - if (!mutator->afl_custom_queue_get) + if (!mutator->afl_custom_queue_get) { + ACTF("optional symbol 'afl_custom_queue_get' not found."); + } + /* "afl_custom_queue_new_entry", optional */ mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); - if (!mutator->afl_custom_queue_new_entry) + if (!mutator->afl_custom_queue_new_entry) { + ACTF("optional symbol 'afl_custom_queue_new_entry' not found"); + } + + /* "afl_custom_describe", optional */ + mutator->afl_custom_describe = dlsym(dh, "afl_custom_describe"); + if (!mutator->afl_custom_describe) { + + ACTF("Symbol 'afl_custom_describe' not found."); + + } + OKF("Custom mutator '%s' installed successfully.", fn); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) + if (mutator->afl_custom_init) { + mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); + } + mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); mutator->stacked_custom_prob = 6; // like one of the default mutations in havoc diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 0adc3719..ca48f72a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -1790,11 +1790,16 @@ custom_mutator_stage: afl->current_custom_fuzz = el; - if (el->afl_custom_fuzz_count) + if (el->afl_custom_fuzz_count) { + afl->stage_max = el->afl_custom_fuzz_count(el->data, out_buf, len); - else + + } else { + afl->stage_max = saved_max; + } + has_custom_fuzz = true; afl->stage_short = el->name_short; diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f44ec48f..8cca4801 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 +Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d From 1f34b9f8e185998e4c9c4b96b0c1878b6615115a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 05:28:36 +0100 Subject: [PATCH 61/85] added python mutator, documentation --- docs/custom_mutators.md | 11 +++++++++++ include/afl-fuzz.h | 36 +++++++++++++++++++----------------- src/afl-fuzz-python.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 17 deletions(-) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 6e16ba0f..6d3c9f38 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -34,6 +34,7 @@ C/C++: void *afl_custom_init(afl_state_t *afl, unsigned int seed); unsigned int afl_custom_fuzz_count(void *data, const unsigned char *buf, size_t buf_size); size_t afl_custom_fuzz(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf, unsigned char *add_buf, size_t add_buf_size, size_t max_size); +const char *afl_custom_describe(void *data, size_t max_description_len); size_t afl_custom_post_process(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf); int afl_custom_init_trim(void *data, unsigned char *buf, size_t buf_size); size_t afl_custom_trim(void *data, unsigned char **out_buf); @@ -57,6 +58,9 @@ def fuzz_count(buf, add_buf, max_size): def fuzz(buf, add_buf, max_size): return mutated_out +def describe(max_description_length): + return "description_of_current_mutation" + def post_process(buf): return out_buf @@ -112,6 +116,13 @@ def introspection(): You would only skip this if `post_process` is used to fix checksums etc. so you are using it e.g. as a post processing library. +- `describe` (optional): + + When this function is called, is shall describe the current testcase, + generated by the last mutation. This will be called, for example, + to give the written testcase a name after a crash ocurred. + Using it can help to reproduce crashing mutations. + - `havoc_mutation` and `havoc_mutation_probability` (optional): `havoc_mutation` performs a single custom mutation on a given input. This diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 92465e7e..4efa1a6c 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -312,6 +312,7 @@ enum { /* 10 */ PY_FUNC_QUEUE_GET, /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY, /* 12 */ PY_FUNC_INTROSPECTION, + /* 13 */ PY_FUNC_DESCRIBE, PY_FUNC_COUNT }; @@ -755,7 +756,7 @@ struct custom_mutator { * When afl-fuzz was compiled with INTROSPECTION=1 then custom mutators can * also give introspection information back with this function. * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @return pointer to a text string (const char*) */ const char *(*afl_custom_introspection)(void *data); @@ -771,7 +772,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param buf Buffer containing the test case * @param buf_size Size of the test case * @return The amount of fuzzes to perform on this queue entry, 0 = skip @@ -783,7 +784,7 @@ struct custom_mutator { * * (Optional for now. Required in the future) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param[in] buf Pointer to the input data to be mutated and the mutated * output * @param[in] buf_size Size of the input/output data @@ -805,12 +806,13 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case - * @param[in] max_size Maximum size of the mutated output. The mutation must - * not produce data larger than max_size. - * @return A valid ptr to a 0-terminated string, or NULL on error. + * @param data pointer returned by afl_customm_init for this custom mutator + * @paramp[in] max_description_len maximum size avaliable for the description. + * A longer return string is legal, but will be truncated. + * @return A valid ptr to a 0-terminated string. + * An empty or NULL return will result in a default description */ - const char *(*afl_custom_describe)(void *data, size_t max_size); + const char *(*afl_custom_describe)(void *data, size_t max_description_len); /** * A post-processing function to use right before AFL writes the test case to @@ -819,7 +821,7 @@ struct custom_mutator { * (Optional) If this functionality is not needed, simply don't define this * function. * - * @param[in] data pointer returned in afl_custom_init for this fuzz case + * @param[in] data pointer returned in afl_custom_init by this custom mutator * @param[in] buf Buffer containing the test case to be executed * @param[in] buf_size Size of the test case * @param[out] out_buf Pointer to the buffer storing the test case after @@ -846,7 +848,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param buf Buffer containing the test case * @param buf_size Size of the test case * @return The amount of possible iteration steps to trim the input. @@ -865,7 +867,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param[out] out_buf Pointer to the buffer containing the trimmed test case. * The library can reuse a buffer for each call * and will have to free the buf (for example in deinit) @@ -880,7 +882,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param success Indicates if the last trim operation was successful. * @return The next trim iteration index (from 0 to the maximum amount of * steps returned in init_trim). Negative on error. @@ -893,7 +895,7 @@ struct custom_mutator { * * (Optional) * - * @param[in] data pointer returned in afl_custom_init for this fuzz case + * @param[in] data pointer returned in afl_custom_init by this custom mutator * @param[in] buf Pointer to the input data to be mutated and the mutated * output * @param[in] buf_size Size of input data @@ -912,7 +914,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @return The probability (0-100). */ u8 (*afl_custom_havoc_mutation_probability)(void *data); @@ -922,7 +924,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param filename File name of the test case in the queue entry * @return Return True(1) if the fuzzer will fuzz the queue entry, and * False(0) otherwise. @@ -935,7 +937,7 @@ struct custom_mutator { * * (Optional) * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator * @param filename_new_queue File name of the new queue entry * @param filename_orig_queue File name of the original queue entry. This * argument can be NULL while initializing the fuzzer @@ -945,7 +947,7 @@ struct custom_mutator { /** * Deinitialize the custom mutator. * - * @param data pointer returned in afl_custom_init for this fuzz case + * @param data pointer returned in afl_custom_init by this custom mutator */ void (*afl_custom_deinit)(void *data); diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 9ac4403b..8760194c 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -111,6 +111,37 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, } +static const char *custom_describe_py(void * py_mutator, + size_t max_description_len) { + + PyObject *py_args, *py_value; + + py_args = PyTuple_New(1); + + PyLong_FromSize_t(max_description_len); + + /* add_buf */ + py_value = PyLong_FromSize_t(max_description_len); + if (!py_value) { + + Py_DECREF(py_args); + FATAL("Failed to convert arguments"); + + } + + PyTuple_SetItem(py_args, 0, py_value); + + py_value = PyObject_CallObject( + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_DESCRIBE], py_args); + + Py_DECREF(py_args); + + if (py_value != NULL) { return PyBytes_AsString(py_value); } + + return NULL; + +} + static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { (void)afl; @@ -156,6 +187,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz"); if (!py_functions[PY_FUNC_FUZZ]) py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); + py_functions[PY_FUNC_DESCRIBE] = + PyObject_GetAttrString(py_module, "describe"); py_functions[PY_FUNC_FUZZ_COUNT] = PyObject_GetAttrString(py_module, "fuzz_count"); if (!py_functions[PY_FUNC_FUZZ]) @@ -342,6 +375,12 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, if (py_functions[PY_FUNC_FUZZ]) { mutator->afl_custom_fuzz = fuzz_py; } + if (py_functions[PY_FUNC_DESCRIBE]) { + + mutator->afl_custom_describe = custom_describe_py; + + } + if (py_functions[PY_FUNC_POST_PROCESS]) { mutator->afl_custom_post_process = post_process_py; From 1dbefc14eae4f7a189851785aa3f0982af4236f2 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 14:25:18 +0100 Subject: [PATCH 62/85] fixed bugs in custom_describe, reported by wizche --- include/afl-fuzz.h | 2 +- src/afl-fuzz-bitmap.c | 21 +++++++++++++-------- src/afl-fuzz-run.c | 3 ++- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4efa1a6c..bdf44def 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1023,7 +1023,7 @@ void classify_counts(afl_forkserver_t *); void init_count_class16(void); void minimize_bits(afl_state_t *, u8 *, u8 *); #ifndef SIMPLE_FILES -u8 *describe_op(afl_state_t *, u8); +u8 *describe_op(afl_state_t *, u8, size_t); #endif u8 save_if_interesting(afl_state_t *, void *, u32, u8); u8 has_new_bits(afl_state_t *, u8 *); diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a78bf374..f920efa4 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -425,8 +425,10 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { /* Construct a file name for a new test case, capturing the operation that led to its discovery. Returns a ptr to afl->describe_op_buf_256. */ -u8 *describe_op(afl_state_t *afl, u8 new_bits) { +u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { + size_t real_max_len = + MIN(max_description_len, sizeof(afl->describe_op_buf_256)); u8 *ret = afl->describe_op_buf_256; if (unlikely(afl->syncing_party)) { @@ -453,10 +455,9 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits) { size_t len_current = strlen(ret); ret[len_current++] = ','; - ret[len_current++] = '\0'; + ret[len_current] = '\0'; - size_t size_left = - sizeof(afl->describe_op_buf_256) - len_current - strlen(",+cov") - 2; + size_t size_left = real_max_len - len_current - strlen(",+cov") - 2; assert(size_left > 0); const char *custom_description = @@ -504,6 +505,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits) { if (new_bits == 2) { strcat(ret, ",+cov"); } + assert(strlen(ret) <= max_description_len); + return ret; } @@ -610,8 +613,9 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - queue_fn = alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, - afl->queued_paths, describe_op(afl, new_bits)); + queue_fn = alloc_printf( + "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths, + describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); #else @@ -777,7 +781,8 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, - afl->unique_hangs, describe_op(afl, 0)); + afl->unique_hangs, + describe_op(afl, 0, NAME_MAX - strlen("id:000000,"))); #else @@ -822,7 +827,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->fsrv.last_kill_signal, - describe_op(afl, 0)); + describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,"))); #else diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b716b8c8..5948d83a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -79,7 +79,8 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) { s32 doc_fd; char fn[PATH_MAX]; snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, - afl->document_counter++, describe_op(afl, 0)); + afl->document_counter++, + describe_op(afl, 0, NAME_MAX - strlen("000000000:"))); if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) { From c18ca63519c19aae359ba34923551ee487888071 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 14:51:31 +0100 Subject: [PATCH 63/85] unicorn updated --- unicorn_mode/unicornafl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f44ec48f..8cca4801 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f44ec48f8d5929f243522c1152b5b3c0985a5548 +Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d From 3d233b34b88dc49b33e4d1f91668194c6f59637a Mon Sep 17 00:00:00 2001 From: ThomasTNO <49478940+ThomasTNO@users.noreply.github.com> Date: Fri, 4 Dec 2020 15:10:07 +0100 Subject: [PATCH 64/85] Restore contribution list (#619) --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b00e5d00..e2cb04f7 100644 --- a/README.md +++ b/README.md @@ -1110,7 +1110,8 @@ without feedback, bug reports, or patches from: Andrea Biondo Vincent Le Garrec Khaled Yakdan Kuang-che Wu Josephine Calliotte Konrad Welc - David Carlier Ruben ten Hove + Thomas Rooijakkers David Carlier + Ruben ten Hove ``` Thank you! From 330f33a4356f46f25d0930aa61ef18c78a559fea Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 15:40:38 +0100 Subject: [PATCH 65/85] updated helper_scripts from battelle/afl-unicorn --- .../helper_scripts/unicorn_dumper_gdb.py | 64 +++-- .../helper_scripts/unicorn_dumper_ida.py | 2 +- unicorn_mode/helper_scripts/unicorn_loader.py | 269 +++++++++++++----- 3 files changed, 239 insertions(+), 96 deletions(-) diff --git a/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py b/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py index 22b9fd47..8c8f9641 100644 --- a/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py +++ b/unicorn_mode/helper_scripts/unicorn_dumper_gdb.py @@ -1,13 +1,13 @@ """ unicorn_dumper_gdb.py - + When run with GDB sitting at a debug breakpoint, this dumps the current state (registers/memory/etc) of - the process to a directory consisting of an index - file with register and segment information and + the process to a directory consisting of an index + file with register and segment information and sub-files containing all actual process memory. - - The output of this script is expected to be used + + The output of this script is expected to be used to initialize context for Unicorn emulation. ----------- @@ -44,6 +44,7 @@ MAX_SEG_SIZE = 128 * 1024 * 1024 # Name of the index file INDEX_FILE_NAME = "_index.json" + #---------------------- #---- Helper Functions @@ -59,14 +60,14 @@ def map_arch(): return "arm64be" elif 'armeb' in arch: # check for THUMB mode - cpsr = get_register('cpsr') + cpsr = get_register('$cpsr') if (cpsr & (1 << 5)): return "armbethumb" else: return "armbe" elif 'arm' in arch: # check for THUMB mode - cpsr = get_register('cpsr') + cpsr = get_register('$cpsr') if (cpsr & (1 << 5)): return "armlethumb" else: @@ -88,19 +89,15 @@ def dump_regs(): reg_state = {} for reg in current_arch.all_registers: reg_val = get_register(reg) - # current dumper script looks for register values to be hex strings -# reg_str = "0x{:08x}".format(reg_val) -# if "64" in get_arch(): -# reg_str = "0x{:016x}".format(reg_val) -# reg_state[reg.strip().strip('$')] = reg_str reg_state[reg.strip().strip('$')] = reg_val + return reg_state def dump_process_memory(output_dir): # Segment information dictionary final_segment_list = [] - + # GEF: vmmap = get_process_maps() if not vmmap: @@ -110,7 +107,7 @@ def dump_process_memory(output_dir): for entry in vmmap: if entry.page_start == entry.page_end: continue - + seg_info = {'start': entry.page_start, 'end': entry.page_end, 'name': entry.path, 'permissions': { "r": entry.is_readable() > 0, "w": entry.is_writable() > 0, @@ -129,7 +126,7 @@ def dump_process_memory(output_dir): compressed_seg_content = zlib.compress(seg_content) md5_sum = hashlib.md5(compressed_seg_content).hexdigest() + ".bin" seg_info["content_file"] = md5_sum - + # Write the compressed contents to disk out_file = open(os.path.join(output_dir, md5_sum), 'wb') out_file.write(compressed_seg_content) @@ -143,12 +140,27 @@ def dump_process_memory(output_dir): # Add the segment to the list final_segment_list.append(seg_info) - + return final_segment_list +#--------------------------------------------- +#---- ARM Extention (dump floating point regs) + +def dump_float(rge=32): + reg_convert = "" + if map_arch() == "armbe" or map_arch() == "armle" or map_arch() == "armbethumb" or map_arch() == "armbethumb": + reg_state = {} + for reg_num in range(32): + value = gdb.selected_frame().read_register("d" + str(reg_num)) + reg_state["d" + str(reg_num)] = int(str(value["u64"]), 16) + value = gdb.selected_frame().read_register("fpscr") + reg_state["fpscr"] = int(str(value), 16) + + return reg_state + #---------- -#---- Main - +#---- Main + def main(): print("----- Unicorn Context Dumper -----") print("You must be actively debugging before running this!") @@ -159,32 +171,32 @@ def main(): print("!!! GEF not running in GDB. Please run gef.py by executing:") print('\tpython execfile ("/gef.py")') return - + try: - + # Create the output directory timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y%m%d_%H%M%S') output_path = "UnicornContext_" + timestamp if not os.path.exists(output_path): os.makedirs(output_path) print("Process context will be output to {}".format(output_path)) - + # Get the context context = { "arch": dump_arch_info(), - "regs": dump_regs(), + "regs": dump_regs(), + "regs_extended": dump_float(), "segments": dump_process_memory(output_path), } # Write the index file index_file = open(os.path.join(output_path, INDEX_FILE_NAME), 'w') index_file.write(json.dumps(context, indent=4)) - index_file.close() + index_file.close() print("Done.") - + except Exception as e: print("!!! ERROR:\n\t{}".format(repr(e))) - + if __name__ == "__main__": main() - diff --git a/unicorn_mode/helper_scripts/unicorn_dumper_ida.py b/unicorn_mode/helper_scripts/unicorn_dumper_ida.py index 6cf9f30f..3f955a5c 100644 --- a/unicorn_mode/helper_scripts/unicorn_dumper_ida.py +++ b/unicorn_mode/helper_scripts/unicorn_dumper_ida.py @@ -206,4 +206,4 @@ def main(): print("!!! ERROR:\n\t{}".format(str(e))) if __name__ == "__main__": - main() + main() \ No newline at end of file diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py index adf21b64..1914a83d 100644 --- a/unicorn_mode/helper_scripts/unicorn_loader.py +++ b/unicorn_mode/helper_scripts/unicorn_loader.py @@ -1,8 +1,8 @@ """ unicorn_loader.py - - Loads a process context dumped created using a - Unicorn Context Dumper script into a Unicorn Engine + + Loads a process context dumped created using a + Unicorn Context Dumper script into a Unicorn Engine instance. Once this is performed emulation can be started. """ @@ -26,6 +26,13 @@ from unicorn.arm64_const import * from unicorn.x86_const import * from unicorn.mips_const import * +# If Capstone libraries are availible (only check once) +try: + from capstone import * + CAPSTONE_EXISTS = 1 +except: + CAPSTONE_EXISTS = 0 + # Name of the index file INDEX_FILE_NAME = "_index.json" @@ -86,7 +93,7 @@ class UnicornSimpleHeap(object): total_chunk_size = UNICORN_PAGE_SIZE + ALIGN_PAGE_UP(size) + UNICORN_PAGE_SIZE # Gross but efficient way to find space for the chunk: chunk = None - for addr in xrange(self.HEAP_MIN_ADDR, self.HEAP_MAX_ADDR, UNICORN_PAGE_SIZE): + for addr in range(self.HEAP_MIN_ADDR, self.HEAP_MAX_ADDR, UNICORN_PAGE_SIZE): try: self._uc.mem_map(addr, total_chunk_size, UC_PROT_READ | UC_PROT_WRITE) chunk = self.HeapChunk(addr, total_chunk_size, size) @@ -97,7 +104,7 @@ class UnicornSimpleHeap(object): continue # Something went very wrong if chunk == None: - return 0 + return 0 self._chunks.append(chunk) return chunk.data_addr @@ -112,8 +119,8 @@ class UnicornSimpleHeap(object): old_chunk = None for chunk in self._chunks: if chunk.data_addr == ptr: - old_chunk = chunk - new_chunk_addr = self.malloc(new_size) + old_chunk = chunk + new_chunk_addr = self.malloc(new_size) if old_chunk != None: self._uc.mem_write(new_chunk_addr, str(self._uc.mem_read(old_chunk.data_addr, old_chunk.data_size))) self.free(old_chunk.data_addr) @@ -184,39 +191,27 @@ class AflUnicornEngine(Uc): # Load the registers regs = context['regs'] reg_map = self.__get_register_map(self._arch_str) - for register, value in regs.iteritems(): - if debug_print: - print("Reg {0} = {1}".format(register, value)) - if not reg_map.has_key(register.lower()): - if debug_print: - print("Skipping Reg: {}".format(register)) - else: - reg_write_retry = True - try: - self.reg_write(reg_map[register.lower()], value) - reg_write_retry = False - except Exception as e: - if debug_print: - print("ERROR writing register: {}, value: {} -- {}".format(register, value, repr(e))) + self.__load_registers(regs, reg_map, debug_print) + # If we have extra FLOATING POINT regs, load them in! + if 'regs_extended' in context: + if context['regs_extended']: + regs_extended = context['regs_extended'] + reg_map = self.__get_registers_extended(self._arch_str) + self.__load_registers(regs_extended, reg_map, debug_print) + + # For ARM, sometimes the stack pointer is erased ??? (I think I fixed this (issue with ordering of dumper.py, I'll keep the write anyways) + if self.__get_arch_and_mode(self.get_arch_str())[0] == UC_ARCH_ARM: + self.reg_write(UC_ARM_REG_SP, regs['sp']) - if reg_write_retry: - if debug_print: - print("Trying to parse value ({}) as hex string".format(value)) - try: - self.reg_write(reg_map[register.lower()], int(value, 16)) - except Exception as e: - if debug_print: - print("ERROR writing hex string register: {}, value: {} -- {}".format(register, value, repr(e))) - # Setup the memory map and load memory content self.__map_segments(context['segments'], context_directory, debug_print) - + if enable_trace: self.hook_add(UC_HOOK_BLOCK, self.__trace_block) self.hook_add(UC_HOOK_CODE, self.__trace_instruction) self.hook_add(UC_HOOK_MEM_WRITE | UC_HOOK_MEM_READ, self.__trace_mem_access) self.hook_add(UC_HOOK_MEM_WRITE_UNMAPPED | UC_HOOK_MEM_READ_INVALID, self.__trace_mem_invalid_access) - + if debug_print: print("Done loading context.") @@ -228,7 +223,7 @@ class AflUnicornEngine(Uc): def get_arch_str(self): return self._arch_str - + def force_crash(self, uc_error): """ This function should be called to indicate to AFL that a crash occurred during emulation. You can pass the exception received from Uc.emu_start @@ -253,21 +248,76 @@ class AflUnicornEngine(Uc): for reg in sorted(self.__get_register_map(self._arch_str).items(), key=lambda reg: reg[0]): print(">>> {0:>4}: 0x{1:016x}".format(reg[0], self.reg_read(reg[1]))) + def dump_regs_extended(self): + """ Dumps the contents of all the registers to STDOUT """ + try: + for reg in sorted(self.__get_registers_extended(self._arch_str).items(), key=lambda reg: reg[0]): + print(">>> {0:>4}: 0x{1:016x}".format(reg[0], self.reg_read(reg[1]))) + except Exception as e: + print("ERROR: Are extended registers loaded?") + # TODO: Make this dynamically get the stack pointer register and pointer width for the current architecture """ def dump_stack(self, window=10): + arch = self.get_arch() + mode = self.get_mode() + # Get stack pointers and bit sizes for given architecture + if arch == UC_ARCH_X86 and mode == UC_MODE_64: + stack_ptr_addr = self.reg_read(UC_X86_REG_RSP) + bit_size = 8 + elif arch == UC_ARCH_X86 and mode == UC_MODE_32: + stack_ptr_addr = self.reg_read(UC_X86_REG_ESP) + bit_size = 4 + elif arch == UC_ARCH_ARM64: + stack_ptr_addr = self.reg_read(UC_ARM64_REG_SP) + bit_size = 8 + elif arch == UC_ARCH_ARM: + stack_ptr_addr = self.reg_read(UC_ARM_REG_SP) + bit_size = 4 + elif arch == UC_ARCH_ARM and mode == UC_MODE_THUMB: + stack_ptr_addr = self.reg_read(UC_ARM_REG_SP) + bit_size = 4 + elif arch == UC_ARCH_MIPS: + stack_ptr_addr = self.reg_read(UC_MIPS_REG_SP) + bit_size = 4 + print("") print(">>> Stack:") stack_ptr_addr = self.reg_read(UC_X86_REG_RSP) for i in xrange(-window, window + 1): addr = stack_ptr_addr + (i*8) print("{0}0x{1:016x}: 0x{2:016x}".format( \ - 'SP->' if i == 0 else ' ', addr, \ + 'SP->' if i == 0 else ' ', addr, \ struct.unpack('>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) else: - print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) + print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size)) def __trace_mem_invalid_access(self, uc, access, address, size, value, user_data): if access == UC_MEM_WRITE_UNMAPPED: print(" >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value)) else: - print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) + print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) + def bit_size_arch(self): + arch = self.get_arch() + mode = self.get_mode() + # Get bit sizes for given architecture + if arch == UC_ARCH_X86 and mode == UC_MODE_64: + bit_size = 8 + elif arch == UC_ARCH_X86 and mode == UC_MODE_32: + bit_size = 4 + elif arch == UC_ARCH_ARM64: + bit_size = 8 + elif arch == UC_ARCH_ARM: + bit_size = 4 + elif arch == UC_ARCH_MIPS: + bit_size = 4 + return bit_size From d59d1fcd9fa356b98380dd5ab2ca1d82b3b80747 Mon Sep 17 00:00:00 2001 From: Thomas Rooijakkers Date: Fri, 4 Dec 2020 17:11:09 +0100 Subject: [PATCH 66/85] Add missing env var used in https://github.com/qemu/qemu/blob/bec7edf41d2d0e8006637a739881abcea1d1305c/accel/tcg/cpu-exec.c#L389 and ./qemu_mode/README.persistent.md --- include/envs.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/envs.h b/include/envs.h index 43c87148..c0f41ca5 100644 --- a/include/envs.h +++ b/include/envs.h @@ -126,6 +126,7 @@ static char *afl_environment_variables[] = { "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", + "AFL_QEMU_PERSISTENT_MEM", "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RETADDR_OFFSET", "AFL_QEMU_PERSISTENT_EXITS", From 9a7d045897befd0388966ffd1d9c532e4158d096 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 4 Dec 2020 17:59:11 +0100 Subject: [PATCH 67/85] build_unicorn_support no longer fetches qemuafl --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index b4d2058f..f1306a06 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -149,7 +149,7 @@ git status 1>/dev/null 2>/dev/null if [ $? -eq 0 ]; then echo "[*] initializing unicornafl submodule" git submodule init || exit 1 - git submodule update 2>/dev/null # ignore errors + git submodule update ./unicornafl 2>/dev/null # ignore errors else echo "[*] cloning unicornafl" test -d unicornafl || { From f8c33f29e8cf7de30604be2c6818dd8d2d0ad3a6 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 5 Dec 2020 09:19:14 +0100 Subject: [PATCH 68/85] Typos --- src/afl-cc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index cc4f44f5..fcc10122 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -113,15 +113,15 @@ u8 *getthecwd() { 1. if obj_path is already set we look there first 2. then we check the $AFL_PATH environment variable location if set - 3. next we check argv[0] if has path information and use it + 3. next we check argv[0] if it has path information and use it a) we also check ../lib/afl 4. if 3. failed we check /proc (only Linux, Android, NetBSD, DragonFly, and - FreeBSD with procfs + FreeBSD with procfs) a) and check here in ../lib/afl too 5. we look into the AFL_PATH define (usually /usr/local/lib/afl) 6. we finally try the current directory - if this all fail - we fail. + if all this fails - we fail. */ static u8 *find_object(u8 *obj, u8 *argv0) { From 8f79116a15e53f0ecd4889ebf8980cc0cd85a494 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 5 Dec 2020 09:48:55 +0100 Subject: [PATCH 69/85] fix find_object proc search (#elsif -> #elif), optimize static if away --- src/afl-cc.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index fcc10122..1cd53f98 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -189,14 +189,25 @@ static u8 *find_object(u8 *obj, u8 *argv0) { ck_free(tmp); ck_free(dir); - } else { + } + +#if \ + defined(__FreeBSD__) \ +|| defined(__DragonFly__) \ +|| defined(__linux__) \ +|| defined(__ANDROID__) \ +|| defined(__NetBSD__) +#define HAS_PROC_FS 1 +#endif +#ifdef HAS_PROC_FS + else { char *procname = NULL; #if defined(__FreeBSD__) || defined(__DragonFly__) procname = "/proc/curproc/file"; - #elsif defined(__linux__) || defined(__ANDROID__) + #elif defined(__linux__) || defined(__ANDROID__) procname = "/proc/self/exe"; - #elsif defined(__NetBSD__) + #elif defined(__NetBSD__) procname = "/proc/curproc/exe"; #endif if (procname) { @@ -239,6 +250,8 @@ static u8 *find_object(u8 *obj, u8 *argv0) { } } +#endif +#undef HAS_PROC_FS } From 4c2e375e22a0b3c88380e6dd51dbac5d2c5ac5ff Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 7 Dec 2020 14:29:59 +0100 Subject: [PATCH 70/85] little fixes --- README.md | 2 +- src/afl-cc.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e2cb04f7..94d5008e 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ behaviours and defaults: * a caching of testcases can now be performed and can be modified by editing config.h for TESTCASE_CACHE or by specifying the env variable `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 (default: 50). - * utils/ got renamed to utils/ + * examples/ got renamed to utils/ ## Contents diff --git a/src/afl-cc.c b/src/afl-cc.c index 1cd53f98..50334139 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -121,7 +121,8 @@ u8 *getthecwd() { 5. we look into the AFL_PATH define (usually /usr/local/lib/afl) 6. we finally try the current directory - if all this fails - we fail. + if all these attempts fail - we return NULL and the caller has to decide + what to do. */ static u8 *find_object(u8 *obj, u8 *argv0) { From e6de85861c4ec8fcc13a7f945bc8b3dfefa193bc Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 7 Dec 2020 14:36:04 +0100 Subject: [PATCH 71/85] fixes and code format --- instrumentation/README.lto.md | 4 ++-- src/afl-cc.c | 15 ++++++--------- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index 37d51de8..a2814173 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -80,8 +80,8 @@ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - apt-get update && apt-get upgrade -y apt-get install -y clang-12 clang-tools-12 libc++1-12 libc++-12-dev \ libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \ - libclang-common-12-dev libclang-cpp11 libclang-cpp11-dev liblld-12 \ - liblld-12-dev liblldb-12 liblldb-12-dev libllvm11 libomp-12-dev \ + libclang-common-12-dev libclang-cpp12 libclang-cpp12-dev liblld-12 \ + liblld-12-dev liblldb-12 liblldb-12-dev libllvm12 libomp-12-dev \ libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools ``` diff --git a/src/afl-cc.c b/src/afl-cc.c index 50334139..273a9f2f 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -192,25 +192,21 @@ static u8 *find_object(u8 *obj, u8 *argv0) { } -#if \ - defined(__FreeBSD__) \ -|| defined(__DragonFly__) \ -|| defined(__linux__) \ -|| defined(__ANDROID__) \ -|| defined(__NetBSD__) -#define HAS_PROC_FS 1 +#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__linux__) || \ + defined(__ANDROID__) || defined(__NetBSD__) + #define HAS_PROC_FS 1 #endif #ifdef HAS_PROC_FS else { char *procname = NULL; -#if defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__FreeBSD__) || defined(__DragonFly__) procname = "/proc/curproc/file"; #elif defined(__linux__) || defined(__ANDROID__) procname = "/proc/self/exe"; #elif defined(__NetBSD__) procname = "/proc/curproc/exe"; -#endif + #endif if (procname) { char exepath[PATH_MAX]; @@ -251,6 +247,7 @@ static u8 *find_object(u8 *obj, u8 *argv0) { } } + #endif #undef HAS_PROC_FS From 06ec5ab3d723bf7f0a2ee76be8b12c09fa870a9d Mon Sep 17 00:00:00 2001 From: Marcel Boehme Date: Mon, 7 Dec 2020 21:32:25 +0000 Subject: [PATCH 72/85] Sampling next seed by weight (hit_count, bitmap_size, exec_us) --- include/afl-fuzz.h | 3 ++- src/afl-fuzz-one.c | 6 ++++-- src/afl-fuzz-queue.c | 43 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 40 insertions(+), 12 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index bdf44def..6ce032df 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -168,7 +168,8 @@ struct queue_entry { u8 *trace_mini; /* Trace bytes, if kept */ u32 tc_ref; /* Trace bytes ref count */ - double perf_score; /* performance score */ + double perf_score, /* performance score */ + weight; u8 *testcase_buf; /* The testcase buffer, if loaded. */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index ca48f72a..a48afffb 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -445,8 +445,10 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->not_on_tty)) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", - afl->current_entry, afl->queued_paths, afl->unique_crashes); + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found, perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u)...", + afl->current_entry, afl->queued_paths, afl->unique_crashes, + afl->queue_cur->perf_score, afl->queue_cur->exec_us, + afl->n_fuzz[afl->queue_cur->n_fuzz_entry], afl->queue_cur->bitmap_size); fflush(stdout); } diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index f35b4f57..1e997c55 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -42,6 +42,21 @@ inline u32 select_next_queue_entry(afl_state_t *afl) { } +double compute_weight(afl_state_t *afl, struct queue_entry *q, double avg_exec_us, double avg_bitmap_size) { + + u32 hits = afl->n_fuzz[q->n_fuzz_entry]; + if (hits == 0) hits = 1; + + double weight = 1.0; + weight *= avg_exec_us / q->exec_us; + weight *= log(q->bitmap_size) / avg_bitmap_size; + weight /= log10(hits) + 1; + + if (q->favored) weight *= 5; + + return weight; +} + /* create the alias table that allows weighted random selection - expensive */ void create_alias_table(afl_state_t *afl) { @@ -65,24 +80,34 @@ void create_alias_table(afl_state_t *afl) { memset((void *)afl->alias_table, 0, n * sizeof(u32)); memset((void *)afl->alias_probability, 0, n * sizeof(double)); + double avg_exec_us = 0.0; + double avg_bitmap_size = 0.0; + for (i = 0; i < n; i++) { + + struct queue_entry *q = afl->queue_buf[i]; + avg_exec_us += q->exec_us; + avg_bitmap_size += log(q->bitmap_size); + + } + avg_exec_us /= afl->queued_paths; + avg_bitmap_size /= afl->queued_paths; + double sum = 0; - for (i = 0; i < n; i++) { struct queue_entry *q = afl->queue_buf[i]; - if (!q->disabled) { q->perf_score = calculate_score(afl, q); } + if (!q->disabled) { + q->weight = compute_weight(afl, q, avg_exec_us, avg_bitmap_size); + q->perf_score = calculate_score(afl, q); + } - sum += q->perf_score; + sum += q->weight; } - for (i = 0; i < n; i++) { - - struct queue_entry *q = afl->queue_buf[i]; - P[i] = (q->perf_score * n) / sum; - - } + for (i = 0; i < n; i++) + P[i] = (afl->queue_buf[i]->weight * n) / sum; int nS = 0, nL = 0, s; for (s = (s32)n - 1; s >= 0; --s) { From 5d6b1129f0e95a29a3fd7a7e09a93a5c1db6c78a Mon Sep 17 00:00:00 2001 From: "R. Elliott Childre" Date: Tue, 8 Dec 2020 03:30:17 -0500 Subject: [PATCH 73/85] Fix Grammar Mutator Submodule (#623) Fixes: 651ad18e2179 ("added the grammar mutator as a git submodule ...") * Project pointer never pushed * Reduces dirctory complexity * Building and dependencies for the subproject should be isolated to the subproject's documentation * Fix broken link to README * Use `--init` for `git submodule` --- .gitmodules | 5 ++--- custom_mutators/README.md | 10 ++++------ custom_mutators/grammar_mutator | 1 + custom_mutators/grammar_mutator/README.md | 6 ------ .../grammar_mutator/build_grammar_mutator.sh | 17 ----------------- 5 files changed, 7 insertions(+), 32 deletions(-) create mode 160000 custom_mutators/grammar_mutator delete mode 100644 custom_mutators/grammar_mutator/README.md delete mode 100755 custom_mutators/grammar_mutator/build_grammar_mutator.sh diff --git a/.gitmodules b/.gitmodules index 7c7613ac..78e9f439 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,9 +1,8 @@ [submodule "unicorn_mode/unicornafl"] path = unicorn_mode/unicornafl url = https://github.com/AFLplusplus/unicornafl - -[submodule "custom_mutators/Grammar-Mutator"] - path = custom_mutators/Grammar-Mutator +[submodule "custom_mutators/grammar_mutator"] + path = custom_mutators/grammar_mutator url = https://github.com/AFLplusplus/Grammar-Mutator [submodule "qemu_mode/qemuafl"] path = qemu_mode/qemuafl diff --git a/custom_mutators/README.md b/custom_mutators/README.md index 0cf52746..b0444c85 100644 --- a/custom_mutators/README.md +++ b/custom_mutators/README.md @@ -7,15 +7,13 @@ For further information and documentation on how to write your own, read [the do If you use git to clone afl++, then the following will incorporate our excellent grammar custom mutator: -``` -git submodule init -git submodule update +```sh +git submodule update --init ``` -otherwise just use the script: `grammar_mutator/build_grammar_mutator.sh` +Read the README in the [Grammar-Mutator] repository on how to use it. -Read the [Grammar-Mutator/README.md](Grammar-Mutator/README.md) on how to use -it. +[Grammar-Mutator]: https://github.com/AFLplusplus/Grammar-Mutator ## Production-Ready Custom Mutators diff --git a/custom_mutators/grammar_mutator b/custom_mutators/grammar_mutator new file mode 160000 index 00000000..b3c4fcfa --- /dev/null +++ b/custom_mutators/grammar_mutator @@ -0,0 +1 @@ +Subproject commit b3c4fcfa6ae28918bc410f7747135eafd4fb7263 diff --git a/custom_mutators/grammar_mutator/README.md b/custom_mutators/grammar_mutator/README.md deleted file mode 100644 index a015744c..00000000 --- a/custom_mutators/grammar_mutator/README.md +++ /dev/null @@ -1,6 +0,0 @@ -# Grammar-Mutator - -This is just a stub directory that will clone the real grammar mutator -directory. - -Execute `./build_grammar_mutator.sh` to set everything up. diff --git a/custom_mutators/grammar_mutator/build_grammar_mutator.sh b/custom_mutators/grammar_mutator/build_grammar_mutator.sh deleted file mode 100755 index f3f5e164..00000000 --- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -test -d Grammar-Mutator || git clone --depth=1 https://github.com/AFLplusplus/Grammar-Mutator - -cd Grammar-Mutator || exit 1 -git stash ; git pull - -wget -c https://www.antlr.org/download/antlr-4.8-complete.jar - -echo -echo -echo "All successfully prepared!" -echo "To build for your grammar just do:" -echo " cd Grammar_Mutator" -echo " make GRAMMAR_FILE=/path/to/your/grammar" -echo "You will find a JSON and RUBY grammar in Grammar_Mutator/grammars to play with." -echo From eda068751e1876797e1ec481ece356ecfb63f0cc Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 8 Dec 2020 10:09:35 +0100 Subject: [PATCH 74/85] streamlined grammar mutator submodule --- .gitmodules | 2 +- .../grammar_mutator/GRAMMAR_VERSION | 1 + custom_mutators/grammar_mutator/README.md | 6 + .../grammar_mutator/build_grammar_mutator.sh | 141 ++++++++++++++++++ .../{ => grammar_mutator}/grammar_mutator | 0 .../grammar_mutator/update_grammar_ref.sh | 50 +++++++ qemu_mode/build_qemu_support.sh | 2 +- unicorn_mode/build_unicorn_support.sh | 2 +- 8 files changed, 201 insertions(+), 3 deletions(-) create mode 100644 custom_mutators/grammar_mutator/GRAMMAR_VERSION create mode 100644 custom_mutators/grammar_mutator/README.md create mode 100644 custom_mutators/grammar_mutator/build_grammar_mutator.sh rename custom_mutators/{ => grammar_mutator}/grammar_mutator (100%) create mode 100644 custom_mutators/grammar_mutator/update_grammar_ref.sh diff --git a/.gitmodules b/.gitmodules index 78e9f439..c787ec0e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,7 +2,7 @@ path = unicorn_mode/unicornafl url = https://github.com/AFLplusplus/unicornafl [submodule "custom_mutators/grammar_mutator"] - path = custom_mutators/grammar_mutator + path = custom_mutators/grammar_mutator/grammar_mutator url = https://github.com/AFLplusplus/Grammar-Mutator [submodule "qemu_mode/qemuafl"] path = qemu_mode/qemuafl diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION new file mode 100644 index 00000000..a3fe6bb1 --- /dev/null +++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION @@ -0,0 +1 @@ +b3c4fcf diff --git a/custom_mutators/grammar_mutator/README.md b/custom_mutators/grammar_mutator/README.md new file mode 100644 index 00000000..a015744c --- /dev/null +++ b/custom_mutators/grammar_mutator/README.md @@ -0,0 +1,6 @@ +# Grammar-Mutator + +This is just a stub directory that will clone the real grammar mutator +directory. + +Execute `./build_grammar_mutator.sh` to set everything up. diff --git a/custom_mutators/grammar_mutator/build_grammar_mutator.sh b/custom_mutators/grammar_mutator/build_grammar_mutator.sh new file mode 100644 index 00000000..b097ebd3 --- /dev/null +++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh @@ -0,0 +1,141 @@ +#!/bin/sh +# +# american fuzzy lop++ - unicorn mode build script +# ------------------------------------------------ +# +# Originally written by Nathan Voss +# +# Adapted from code by Andrew Griffiths and +# Michal Zalewski +# +# Adapted for AFLplusplus by Dominik Maier +# +# CompareCoverage and NeverZero counters by Andrea Fioraldi +# +# +# Copyright 2017 Battelle Memorial Institute. All rights reserved. +# Copyright 2019-2020 AFLplusplus Project. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# This script downloads, patches, and builds a version of Unicorn with +# minor tweaks to allow Unicorn-emulated binaries to be run under +# afl-fuzz. +# +# The modifications reside in patches/*. The standalone Unicorn library +# will be written to /usr/lib/libunicornafl.so, and the Python bindings +# will be installed system-wide. +# +# You must make sure that Unicorn Engine is not already installed before +# running this script. If it is, please uninstall it first. + +GRAMMAR_VERSION="$(cat ./GRAMMAR_VERSION)" +GRAMMAR_REPO="https://github.com/AFLplusplus/grammar-mutator" + +echo "=================================================" +echo "Grammar Mutator build script" +echo "=================================================" +echo + +echo "[*] Performing basic sanity checks..." + +PLT=`uname -s` + +if [ ! -f "../../config.h" ]; then + + echo "[-] Error: key files not found - wrong working directory?" + exit 1 + +fi + +PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3` +MAKECMD=make +TARCMD=tar + +if [ "$PLT" = "Darwin" ]; then + CORES=`sysctl -n hw.ncpu` + TARCMD=tar +fi + +if [ "$PLT" = "FreeBSD" ]; then + MAKECMD=gmake + CORES=`sysctl -n hw.ncpu` + TARCMD=gtar +fi + +if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then + MAKECMD=gmake + CORES=`sysctl -n hw.ncpu` + TARCMD=gtar +fi + +PREREQ_NOTFOUND= +for i in git $MAKECMD $TARCMD; do + + T=`command -v "$i" 2>/dev/null` + + if [ "$T" = "" ]; then + + echo "[-] Error: '$i' not found. Run 'sudo apt-get install $i' or similar." + PREREQ_NOTFOUND=1 + + fi + +done + +if echo "$CC" | grep -qF /afl-; then + + echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool." + PREREQ_NOTFOUND=1 + +fi + +if [ "$PREREQ_NOTFOUND" = "1" ]; then + exit 1 +fi + +echo "[+] All checks passed!" + +echo "[*] Making sure grammar mutator is checked out" + +git status 1>/dev/null 2>/dev/null +if [ $? -eq 0 ]; then + echo "[*] initializing grammar mutator submodule" + git submodule init || exit 1 + git submodule update ./grammar_mutator 2>/dev/null # ignore errors +else + echo "[*] cloning grammar mutator" + test -d grammar_mutator || { + CNT=1 + while [ '!' -d grammar_mutator -a "$CNT" -lt 4 ]; do + echo "Trying to clone grammar_mutator (attempt $CNT/3)" + git clone --depth=1 "$GRAMMAR_REPO" + CNT=`expr "$CNT" + 1` + done + } +fi + +test -d grammar_mutator || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; } +echo "[+] Got grammar mutator." + +cd "grammar_mutator" || exit 1 +echo "[*] Checking out $GRAMMAR_VERSION" +sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null +git checkout "$GRAMMAR_VERSION" || exit 1 +cd .. + +echo "[*] Downloading antlr..." +wget -c https://www.antlr.org/download/antlr-4.8-complete.jar + +echo +echo +echo "[+] All successfully prepared!" +echo "[!] To build for your grammar just do:" +echo " `cd grammar_mutator`" +echo " `make GRAMMAR_FILE=/path/to/your/grammar`" +echo "[+] You will find a JSON and RUBY grammar in grammar_mutator/grammars to play with." +echo diff --git a/custom_mutators/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator similarity index 100% rename from custom_mutators/grammar_mutator rename to custom_mutators/grammar_mutator/grammar_mutator diff --git a/custom_mutators/grammar_mutator/update_grammar_ref.sh b/custom_mutators/grammar_mutator/update_grammar_ref.sh new file mode 100644 index 00000000..478a73a8 --- /dev/null +++ b/custom_mutators/grammar_mutator/update_grammar_ref.sh @@ -0,0 +1,50 @@ +#/bin/sh + +################################################## +# AFL++ tool to update a git ref. +# Usage: ./