Merge pull request #488 from AFLplusplus/dev

Dev
2025-06-11 01:31:37 +00:00 · 2020-08-04 13:30:08 +02:00 · 2020-08-04 13:30:08 +02:00 · b2aa8b03d9
commit b2aa8b03d9
parent d5d8d664d0 e1d20706ca
7 changed files with 92 additions and 48 deletions
--- a/examples/afl_untracer/afl-untracer.c
+++ b/examples/afl_untracer/afl-untracer.c
@ -437,6 +437,8 @@ inline static u32 __afl_next_testcase(u8 *buf, u32 max_len) {
  if (write(FORKSRV_FD + 1, &pid, 4) != 4) do_exit = 1;
  // fprintf(stderr, "write1 %d\n", do_exit);

+  __afl_area_ptr[0] = 1;  // put something in the map
+
  return status;

 }
--- a/examples/afl_untracer/libtestinstr.so
+++ b/examples/afl_untracer/libtestinstr.so
--- a/examples/afl_untracer/patches.txt
+++ b/examples/afl_untracer/patches.txt
@ -1,23 +1,34 @@
-libtestinstr.so:0x2000L
-0x1050L
-0x1063L
-0x106fL
-0x1078L
-0x1080L
-0x10a4L
-0x10b0L
-0x10b8L
-0x10c0L
-0x10c9L
-0x10d7L
-0x10e3L
-0x10f8L
-0x1100L
-0x1105L
-0x111aL
-0x1135L
-0x1143L
-0x114eL
-0x115cL
-0x116aL
-0x116bL
+libtestinstr.so:0x1000
+0x10
+0x12
+0x20
+0x36
+0x30
+0x40
+0x50
+0x63
+0x6f
+0x78
+0x80
+0xa4
+0xb0
+0xb8
+0x100
+0xc0
+0xc9
+0xd7
+0xe3
+0xe8
+0xf8
+0x105
+0x11a
+0x135
+0x141
+0x143
+0x14e
+0x15a
+0x15c
+0x168
+0x16a
+0x16b
+0x170
--- a/libtokencap/Makefile
+++ b/libtokencap/Makefile
@ -28,23 +28,22 @@ UNAME_S =$(shell uname -s)# GNU make
 UNAME_S:sh=uname -s       # BSD make
 _UNIQ=_QINU_

-     _OS_DL = $(_UNIQ)$(UNAME_S)
-    __OS_DL =     $(_OS_DL:$(_UNIQ)Linux=$(_UNIQ))
-   ___OS_DL =    $(__OS_DL:$(_UNIQ)Darwin=$(_UNIQ))
-  ____OS_DL =   $(___OS_DL:$(_UNIQ)DragonFly=$(_UNIQ))
- _____OS_DL =  $(____OS_DL:$(_UNIQ)$(UNAME_S)=)
-______OS_DL = $(_____OS_DL:$(_UNIQ)="-ldl")
+    _OS_DL = $(_UNIQ)$(UNAME_S)
+   __OS_DL =     $(_OS_DL:$(_UNIQ)Linux=$(_UNIQ))
+  ___OS_DL =    $(__OS_DL:$(_UNIQ)Darwin=$(_UNIQ))
+ ____OS_DL =   $(___OS_DL:$(_UNIQ)$(UNAME_S)=)
+_____OS_DL =  $(____OS_DL:$(_UNIQ)="-ldl")

-     _OS_TARGET = $(____OS_DL:$(_UNIQ)FreeBSD=$(_UNIQ))
+     _OS_TARGET = $(___OS_DL:$(_UNIQ)FreeBSD=$(_UNIQ))
    __OS_TARGET =     $(_OS_TARGET:$(_UNIQ)OpenBSD=$(_UNIQ))
   ___OS_TARGET =    $(__OS_TARGET:$(_UNIQ)NetBSD=$(_UNIQ))
  ____OS_TARGET =   $(___OS_TARGET:$(_UNIQ)Haiku=$(_UNIQ))
 _____OS_TARGET =  $(____OS_TARGET:$(_UNIQ)SunOS=$(_UNIQ))
-______OS_TARGET =  $(____OS_TARGET:$(_UNIQ)$(UNAME_S)=)
+______OS_TARGET = $(_____OS_TARGET:$(_UNIQ)$(UNAME_S)=)

-TARGETS       =  $(_____OS_TARGET:$(_UNIQ)=libtokencap.so)
+TARGETS       =  $(______OS_TARGET:$(_UNIQ)=libtokencap.so)

-LDFLAGS     += $(______OS_DL)
+LDFLAGS     += $(_____OS_DL)

 #ifeq "$(shell uname)" "Linux"
 #  TARGETS = libtokencap.so
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@ -255,12 +255,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
  if (getenv("LAF_TRANSFORM_COMPARES") ||
      getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) {

-    if (!be_quiet && getenv("AFL_LLVM_LTO_AUTODICTIONARY") && lto_mode)
-      WARNF(
-          "using AFL_LLVM_LAF_TRANSFORM_COMPARES together with "
-          "AFL_LLVM_LTO_AUTODICTIONARY makes no sense. Use only "
-          "AFL_LLVM_LTO_AUTODICTIONARY.");
-
    cc_params[cc_par_cnt++] = "-Xclang";
    cc_params[cc_par_cnt++] = "-load";
    cc_params[cc_par_cnt++] = "-Xclang";
@ -311,6 +305,11 @@ static void edit_params(u32 argc, char **argv, char **envp) {

  if (lto_mode) {

+    if (cmplog_mode)
+      unsetenv("AFL_LLVM_LTO_AUTODICTIONARY");
+    else
+      setenv("AFL_LLVM_LTO_AUTODICTIONARY", "1", 1);
+
    cc_params[cc_par_cnt++] = alloc_printf("-fuse-ld=%s", AFL_REAL_LD);
    cc_params[cc_par_cnt++] = "-Wl,--allow-multiple-definition";
    /*
@ -398,6 +397,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
      continue;

    if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
+    if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;

    cc_params[cc_par_cnt++] = cur;

@ -472,9 +472,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
  }

  if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") ||
-      getenv("LAF_TRANSFORM_COMPARES") ||
-      (lto_mode && (getenv("AFL_LLVM_LTO_AUTODICTIONARY") ||
-                    getenv("AFL_LLVM_AUTODICTIONARY")))) {
+      getenv("LAF_TRANSFORM_COMPARES") || lto_mode) {

    cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
    cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
--- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc
+++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
@ -86,7 +86,7 @@ class AFLLTOPass : public ModulePass {
  bool runOnModule(Module &M) override;

 protected:
-  int      afl_global_id = 1, autodictionary = 1;
+  int      afl_global_id = 1, autodictionary = 0;
  uint32_t function_minimum_size = 1;
  uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0;
  uint64_t map_addr = 0x10000;
@ -105,6 +105,11 @@ bool AFLLTOPass::runOnModule(Module &M) {
  char *                           ptr;
  FILE *                           documentFile = NULL;

+  srand((unsigned int)time(NULL));
+
+  unsigned long long int moduleID =
+      (((unsigned long long int)(rand() & 0xffffffff)) << 32) | getpid();
+
  IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
  IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
  IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
@ -128,6 +133,8 @@ bool AFLLTOPass::runOnModule(Module &M) {

  }

+  if (getenv("AFL_LLVM_LTO_AUTODICTIONARY")) autodictionary = 1;
+
  if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0;

  if (getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2;
@ -189,13 +196,32 @@ bool AFLLTOPass::runOnModule(Module &M) {
  ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
  ConstantInt *One = ConstantInt::get(Int8Ty, 1);

+  /* This dumps all inialized global strings - might be useful in the future
+  for (auto G=M.getGlobalList().begin(); G!=M.getGlobalList().end(); G++) {
+
+    GlobalVariable &GV=*G;
+    if (!GV.getName().str().empty()) {
+
+      fprintf(stderr, "Global Variable: %s", GV.getName().str().c_str());
+      if (GV.hasInitializer())
+        if (auto *Val = dyn_cast<ConstantDataArray>(GV.getInitializer()))
+          fprintf(stderr, " Value: \"%s\"", Val->getAsString().str().c_str());
+      fprintf(stderr, "\n");
+
+    }
+
+  }
+
+  */
+
  /* Instrument all the things! */

  int inst_blocks = 0;

  for (auto &F : M) {

-    // fprintf(stderr, "DEBUG: Function %s\n", F.getName().str().c_str());
+    // fprintf(stderr, "DEBUG: Module %s Function %s\n",
+    // M.getName().str().c_str(), F.getName().str().c_str());

    if (F.size() < function_minimum_size) continue;
    if (isIgnoreFunction(&F)) continue;
@ -603,8 +629,8 @@ bool AFLLTOPass::runOnModule(Module &M) {

          if (documentFile) {

-            fprintf(documentFile, "%s %u\n", F.getName().str().c_str(),
-                    afl_global_id);
+            fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n",
+                    moduleID, F.getName().str().c_str(), afl_global_id);

          }

--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -490,9 +490,13 @@ void read_foreign_testcases(afl_state_t *afl, int first) {

      if (nl_cnt == 0) {

-        if (first)
+        if (first) {
+
          WARNF("directory %s is currently empty",
                afl->foreign_syncs[iter].dir);
+
+        }
+
        continue;

      }
@ -540,11 +544,15 @@ void read_foreign_testcases(afl_state_t *afl, int first) {

        if (st.st_size > MAX_FILE) {

-          if (first)
+          if (first) {
+
            WARNF(
                "Test case '%s' is too big (%s, limit is %s), skipping", fn2,
                stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size),
                stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE));
+
+          }
+
          ck_free(fn2);
          continue;