mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-14 19:08:08 +00:00
finalize first beta! yay!
This commit is contained in:
van Hauser
14
README.md
14
README.md
@ -1,5 +1,7 @@
|
||||
# qemu_taint variant.
|
||||
|
||||
UPDATE: **WORKS NOW** **PLEASE TEST** **:-)**
|
||||
|
||||
## HOWTO
|
||||
|
||||
cd qemu_taint && ./build_qemu_taint.sh
|
||||
@ -8,13 +10,13 @@ afl-fuzz -A ...
|
||||
|
||||
## CAVEATS
|
||||
|
||||
* segfaults ~10-15 minutes in ...
|
||||
|
||||
* shmem persistent mode does not work
|
||||
* custom mutators? dunno if they work or not
|
||||
* MOpt works but totally ignores the taint information
|
||||
* llvm shmem persistent mode does not and can not not work
|
||||
* MOpt works but totally ignores the taint information, so disabled here
|
||||
* custom mutators? dunno if they work or not. depends on how they work.
|
||||
* not tested with qemu_mode
|
||||
* if all seed entries are fully touched it might not work
|
||||
* there are several debug checks to ensure the data is fine which slows down
|
||||
fuzzing, if the beta experiment runs fine these will be improved and it
|
||||
will result in quite a speed gain.
|
||||
|
||||
## THE TAINT
|
||||
|
||||
|
||||
@ -107,8 +107,6 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
|
||||
#endif
|
||||
|
||||
int __afl_sharedmem_fuzzing = 0;
|
||||
extern unsigned char *__afl_area_ptr;
|
||||
// extern struct cmp_map *__afl_cmp_map;
|
||||
|
||||
// libFuzzer interface is thin, so we don't include any libFuzzer headers.
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
|
||||
@ -246,28 +244,8 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
|
||||
|
||||
}
|
||||
|
||||
__attribute__((constructor(1))) void __afl_protect(void) {
|
||||
|
||||
setenv("__AFL_DEFER_FORKSRV", "1", 1);
|
||||
__afl_area_ptr = (unsigned char *)mmap(
|
||||
(void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
|
||||
MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
|
||||
if ((uint64_t)__afl_area_ptr == -1)
|
||||
__afl_area_ptr = (unsigned char *)mmap((void *)0x10000, MAX_DUMMY_SIZE,
|
||||
PROT_READ | PROT_WRITE,
|
||||
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
|
||||
if ((uint64_t)__afl_area_ptr == -1)
|
||||
__afl_area_ptr =
|
||||
(unsigned char *)mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
|
||||
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
|
||||
// __afl_cmp_map = (struct cmp_map *)__afl_area_ptr;
|
||||
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
|
||||
fprintf(stderr, "map is at %p\n", __afl_area_ptr);
|
||||
|
||||
printf(
|
||||
"======================= INFO =========================\n"
|
||||
"This binary is built for afl++.\n"
|
||||
@ -307,8 +285,6 @@ int main(int argc, char **argv) {
|
||||
|
||||
if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) {
|
||||
|
||||
munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000
|
||||
__afl_area_ptr = NULL;
|
||||
__afl_manual_init();
|
||||
|
||||
}
|
||||
@ -321,15 +297,11 @@ int main(int argc, char **argv) {
|
||||
|
||||
if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) {
|
||||
|
||||
munmap(__afl_area_ptr, MAX_DUMMY_SIZE);
|
||||
__afl_area_ptr = NULL;
|
||||
fprintf(stderr, "performing manual init\n");
|
||||
__afl_manual_init();
|
||||
|
||||
}
|
||||
|
||||
fprintf(stderr, "map is now at %p\n", __afl_area_ptr);
|
||||
|
||||
// Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
|
||||
// on the first execution of LLVMFuzzerTestOneInput is ignored.
|
||||
LLVMFuzzerTestOneInput(dummy_input, 1);
|
||||
|
||||
@ -771,9 +771,13 @@ void perform_dry_run(afl_state_t *afl) {
|
||||
close(fd);
|
||||
|
||||
res = calibrate_case(afl, q, use_mem, 0, 1);
|
||||
ck_free(use_mem);
|
||||
|
||||
if (afl->stop_soon) { return; }
|
||||
if (afl->stop_soon) {
|
||||
|
||||
ck_free(use_mem);
|
||||
return;
|
||||
|
||||
}
|
||||
|
||||
if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) {
|
||||
|
||||
@ -962,6 +966,7 @@ void perform_dry_run(afl_state_t *afl) {
|
||||
|
||||
/* perform taint gathering on the input seed */
|
||||
if (afl->taint_mode) perform_taint_run(afl, q, q->fname, use_mem, q->len);
|
||||
ck_free(use_mem);
|
||||
|
||||
q = q->next;
|
||||
|
||||
|
||||
@ -2342,7 +2342,7 @@ havoc_stage:
|
||||
}
|
||||
|
||||
/* Tail */
|
||||
memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
|
||||
memmove(new_buf + clone_to + clone_len, out_buf + clone_to,
|
||||
temp_len - clone_to);
|
||||
|
||||
swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch));
|
||||
|
||||
@ -122,7 +122,7 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
|
||||
|
||||
afl->taint_fsrv.map_size = plen; // speed :)
|
||||
write_to_testcase(afl, mem, len);
|
||||
if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout,
|
||||
if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout * 4,
|
||||
&afl->stop_soon) == 0) {
|
||||
|
||||
bytes = q->taint_bytes_all =
|
||||
|
||||
Reference in New Issue
Block a user