From 1b55df5848483f53227909c2a49d7ac9482c3891 Mon Sep 17 00:00:00 2001 From: Kaidan Date: Wed, 25 Sep 2019 21:43:31 +1000 Subject: [PATCH 1/8] Update .gitignore These appear to be compilation artifacts, and can probably be safely ignored. --- .gitignore | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.gitignore b/.gitignore index 43b8ad4b..f7907c76 100644 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,19 @@ afl-gotcpu afl-qemu-trace afl-showmap afl-tmin +afl-analyze.8 +afl-clang-fast++.8 +afl-clang-fast.8 +afl-cmin.8 +afl-fuzz.8 +afl-gcc.8 +afl-gotcpu.8 +afl-plot.8 +afl-showmap.8 +afl-system-config.8 +afl-tmin.8 +afl-whatsup.8 +qemu_mode/libcompcov/compcovtest as qemu_mode/qemu-* unicorn_mode/unicorn From 36fea4ba7b4723fe5247a2726b7fefe04f53b668 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Sep 2019 11:57:29 +0200 Subject: [PATCH 2/8] typo corrected --- llvm_mode/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index 96aba898..a1f47ecb 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -46,7 +46,7 @@ endif # this is not visible yet: ifeq "$(LLVM_MAJOR)" "9" - $(info llvm_mode deteted llvm 9, enabling neverZero implementation) + $(info llvm_mode detected llvm 9, enabling neverZero implementation) endif CFLAGS ?= -O3 -funroll-loops From 1e93146b494f9d6cf41db2f5e3da31a9a2e035bd Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Sep 2019 12:38:22 +0200 Subject: [PATCH 3/8] ignore error code on 'make llvm_mode', it might not be installed --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 42c6d737..a978fb65 100644 --- a/Makefile +++ b/Makefile @@ -250,7 +250,7 @@ binary-only: all cd unicorn_mode && sh ./build_unicorn_support.sh source-only: all - $(MAKE) -C llvm_mode + -$(MAKE) -C llvm_mode $(MAKE) -C libdislocator $(MAKE) -C libtokencap From 1fc328b2ea489bd3ad1a262049da652e7eba0f0d Mon Sep 17 00:00:00 2001 
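Review bot: The `-` prefix on `-$(MAKE) -C llvm_mode` silences every failure of the sub-make, not just the "LLVM not installed" case named in the commit message, so a genuine compile error in the LLVM pass leaves `make source-only` exiting 0 with no afl-clang-fast and nothing in the log to say why. The rule that follows (`source-only:` continues past the hunk) gives no hint either, so the reason for ignoring the status should be stated next to it, e.g. `# llvm_mode is optional: llvm-config may be absent on this host` on the line above. Making the skip visible keeps the build green without hiding breakage: `$(MAKE) -C llvm_mode || echo "[!] llvm_mode not built (LLVM missing or build failed)"`. Probing for `llvm-config` in PATH before invoking the sub-make would distinguish "not installed" from "broken" if that distinction matters to users.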
From: hexcoder- Date: Sat, 28 Sep 2019 13:16:12 +0200 Subject: [PATCH 4/8] portability: MacOS X has clang, so we need to use afl-clang instead of afl-gcc. Replaced afl-gcc with variable AFL_GCC, which is set accordingly. --- test/test.sh | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/test/test.sh b/test/test.sh index 00509c8e..24e75388 100755 --- a/test/test.sh +++ b/test/test.sh @@ -39,6 +39,11 @@ unset AFL_LLVM_LAF_SPLIT_SWITCHES unset AFL_LLVM_LAF_TRANSFORM_COMPARES unset AFL_LLVM_LAF_SPLIT_COMPARES +# on MacOS X we prefer afl-clang over afl-gcc, because +# afl-gcc does not work there +test `uname -s` = 'Darwin' && { +AFL_GCC=afl-clang +} GREY="\\033[1;90m" BLUE="\\033[1;94m" GREEN="\\033[0;32m" 
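Review bot: The Darwin detection ``test `uname -s` = 'Darwin' && {`` uses an unquoted backtick substitution, so if `uname` fails or prints more than one word the `test` expression becomes malformed instead of simply false. The quoted `$(...)` form is the one this file otherwise uses for the same check, so `test "$(uname -s)" = 'Darwin' && {` keeps the two consistent and fails closed. The rest of the script that reads `AFL_GCC` lies outside the hunk.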
@@ -50,38 +55,38 @@ MEM_LIMIT=150 $ECHO "${RESET}${GREY}[*] starting afl++ test framework ..." -$ECHO "$BLUE[*] Testing: afl-gcc, afl-showmap and afl-fuzz" -test -e ../afl-gcc -a -e ../afl-showmap -a -e ../afl-fuzz && { - ../afl-gcc -o test-instr.plain ../test-instr.c > /dev/null 2>&1 - AFL_HARDEN=1 ../afl-gcc -o test-instr.harden ../test-instr.c > /dev/null 2>&1 +$ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap and afl-fuzz" +test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { + ../${AFL_GCC} -o test-instr.plain ../test-instr.c > /dev/null 2>&1 + AFL_HARDEN=1 ../${AFL_GCC} -o test-instr.harden ../test-instr.c > /dev/null 2>&1 test -e test-instr.plain && { - $ECHO "$GREEN[+] afl-gcc compilation succeeded" + $ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded" echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 test -e test-instr.plain.0 -a -e test-instr.plain.1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { - $ECHO "$RED[!] afl-gcc instrumentation should be different on different input but is not" - } || $ECHO "$GREEN[+] afl-gcc instrumentation present and working correctly" - } || $ECHO "$RED[!] afl-gcc instrumentation failed" + $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not" + } || $ECHO "$GREEN[+] ${AFL_GCC} instrumentation present and working correctly" + } || $ECHO "$RED[!] ${AFL_GCC} instrumentation failed" rm -f test-instr.plain.0 test-instr.plain.1 - } || $ECHO "$RED[!] afl-gcc failed" + } || $ECHO "$RED[!] ${AFL_GCC} failed" test -e test-instr.harden && { grep -qa fstack-protector-all test-instr.harden > /dev/null 2>&1 && { - $ECHO "$GREEN[+] afl-gcc hardened mode succeeded and is working" - } || $ECHO "$RED[!] 
afl-gcc hardened mode is not hardened" + $ECHO "$GREEN[+] ${AFL_GCC} hardened mode succeeded and is working" + } || $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened" rm -f test-instr.harden - } || $ECHO "$RED[!] afl-gcc hardened mode compilation failed" + } || $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" # now we want to be sure that afl-fuzz is working { mkdir -p in echo 0 > in/in - $ECHO "$GREY[*] running afl-fuzz for afl-gcc, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds" { ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain > /dev/null 2>&1 } > /dev/null 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { - $ECHO "$GREEN[+] afl-fuzz is working correctly with afl-gcc" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with afl-gcc" + $ECHO "$GREEN[+] afl-fuzz is working correctly with ${AFL_GCC}" + } || $ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}" rm -rf in out } rm -f test-instr.plain From 3f65f534aaa8cffec5effc9487718028ee751a1e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Sep 2019 13:19:27 +0200 Subject: [PATCH 5/8] On Mac OS X afl-fuzz wants the crash reporter to be disabled. Add the corresponding commands to the script. The test, if they need to be run, is not tested yet (just copied). --- afl-system-config | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/afl-system-config b/afl-system-config index 6a495f0a..5e3103b6 100755 --- a/afl-system-config +++ b/afl-system-config 
@@ -48,5 +48,13 @@ if [ "$PLATFORM" = "OpenBSD" ] ; then echo echo 'System security features cannot be disabled on OpenBSD.' fi +if [ "$PLATFORM" = "Darwin" ] ; then + if [ $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') ] ; then +echo We unload the default crash reporter here +SL=/System/Library; PL=com.apple.ReportCrash +launchctl unload -w ${SL}/LaunchAgents/${PL}.plist +sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist + fi +fi echo echo Also use AFL_TMPDIR to use a tmpfs for the input file From ca765b5ebb1ca59c30076cbe843d5382e65fd128 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Sep 2019 15:39:13 +0200 Subject: [PATCH 6/8] Oops, forgot to set AFL_GCC on other systems beside Mac OS X --- test/test.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/test.sh b/test/test.sh index 24e75388..716f7c27 100755 --- a/test/test.sh +++ b/test/test.sh @@ -43,6 +43,8 @@ unset AFL_LLVM_LAF_SPLIT_COMPARES # afl-gcc does not work there test `uname -s` = 'Darwin' && { AFL_GCC=afl-clang +} || { +AFL_GCC=afl-gcc } GREY="\\033[1;90m" BLUE="\\033[1;94m" From 9c31196610307839085654273b36841af26d6cdd Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Sep 2019 16:33:53 +0200 Subject: [PATCH 7/8] check requirements before testing afl-fuzz (Linux and Mac OS X) --- test/test.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/test/test.sh b/test/test.sh index 716f7c27..ea69db8d 100755 --- a/test/test.sh +++ b/test/test.sh 
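Review bot: The Darwin branch can never execute: `grep -q` writes nothing to stdout, so `$(launchctl list 2>/dev/null | grep -q '\.ReportCrash$')` expands to nothing and `[ ]` with no operands is always false, whatever launchctl reports. The exit status of the pipeline carries the answer, so the condition should read `if launchctl list 2>/dev/null | grep -q '\.ReportCrash$' ; then`. The commit message says this was copied untested, so it is worth running once on a Mac before merge. The body also mixes a plain `launchctl unload -w` for the LaunchAgent with `sudo launchctl unload -w` for the LaunchDaemon, which presumably assumes the script runs as the unprivileged user; a one-line comment stating which user the script expects would avoid the agent unload silently targeting the wrong session when the whole script is run under sudo.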
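Review bot: `test ... && { AFL_GCC=afl-clang } || { AFL_GCC=afl-gcc }` reads like if/else but is an `a && b || c` chain, where `c` also runs whenever `b` fails. Here `b` is a bare assignment that cannot fail, so the result is right today, but the idiom breaks as soon as anything fallible is added to the first group. Setting the default first and overriding it makes the intent explicit and removes the chain: `AFL_GCC=afl-gcc` followed by `test "$(uname -s)" = 'Darwin' && AFL_GCC=afl-clang`.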
@@ -79,7 +79,16 @@ test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { rm -f test-instr.harden } || $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" # now we want to be sure that afl-fuzz is working - { + # make sure core_pattern is set to core on linux + (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" + true + }) || + # make sure crash reporter is disabled on Mac OS X + (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + true + }) || { mkdir -p in echo 0 > in/in $ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds" @@ -116,7 +125,15 @@ test -e ../afl-clang-fast && { rm -f test-compcov.harden } || $ECHO "$RED[!] llvm_mode hardened mode compilation failed" # now we want to be sure that afl-fuzz is working - { + (test "$(uname -s)" = "Linux" -a "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" + true + }) || + # make sure crash reporter is disabled on Mac OS X + (test "$(uname -s)" = "Darwin" -a $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + true + }) || { mkdir -p in echo 0 > in/in $ECHO "$GREY[*] running afl-fuzz for llvm_mode, this will take approx 10 seconds" From 783e5fa42f4560c6f82ea4c2f51719e9a1219548 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Sep 2019 16:39:46 +0200 Subject: [PATCH 8/8] As usual I forgot the second usage test for afl-fuzz --- test/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
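Review bot: The Darwin guard `test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$')` never fires: `grep -q` produces no output, so `test` is invoked with no operand and is always false, and afl-fuzz is started with the crash reporter still loaded; the same expression appears in this commit's second hunk (`@@ -116,7`) and survives unchanged into PATCH 8/8. The pipeline's exit status is the signal, so the condition is simply `launchctl list 2>/dev/null | grep -q '\.ReportCrash$'`. The Linux check compares against the literal `kernel.core_pattern = core`, which ties it to one sysctl output format; `sysctl -n kernel.core_pattern` yields the bare value and is easier to compare. Since both guard blocks are copy-pasted, a small function keeps them identical and each call site shrinks to `fuzz_prereqs_ok && {`; the blocks they guard continue past the hunk.
```shell
# Return 0 when this host can run afl-fuzz, otherwise print why and return 1
# (Linux: core_pattern must be a plain file; Darwin: ReportCrash must be unloaded).
fuzz_prereqs_ok() {
  case "$(uname -s)" in
    Linux)
      if test "$(sysctl -n kernel.core_pattern)" != "core" ; then
        $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET"
        return 1
      fi
      ;;
    Darwin)
      if launchctl list 2>/dev/null | grep -q '\.ReportCrash$' ; then
        $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET"
        return 1
      fi
      ;;
  esac
  return 0
}

# … unchanged: ${AFL_GCC} compilation, afl-showmap and hardened-mode checks …
  # now we want to be sure that afl-fuzz is working
  fuzz_prereqs_ok && {
# … unchanged: mkdir -p in, afl-fuzz run and result check …
```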
diff --git a/test/test.sh b/test/test.sh index ea69db8d..1e094f3c 100755 --- a/test/test.sh +++ b/test/test.sh @@ -125,12 +125,12 @@ test -e ../afl-clang-fast && { rm -f test-compcov.harden } || $ECHO "$RED[!] llvm_mode hardened mode compilation failed" # now we want to be sure that afl-fuzz is working - (test "$(uname -s)" = "Linux" -a "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { + (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true }) || # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" -a $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" true }) || {