From 664f603a31ff7b118d14fa6409dd662ee604b36c Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 31 Oct 2019 16:19:12 +0100 Subject: [PATCH 01/16] better wine trace with winepath on .cur_input --- afl-wine-trace | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/afl-wine-trace b/afl-wine-trace index f8284d7e..65525a33 100755 --- a/afl-wine-trace +++ b/afl-wine-trace @@ -4,9 +4,10 @@ import os import sys import pefile import shutil +import subprocess if len(sys.argv) < 2: - print("[afl-wine-trace] usage: wine-cov binary [args...]\n") + print("[afl-wine-trace] usage: ./afl-wine-trace binary [args...]\n") exit(1) if os.getenv("AFL_PATH"): @@ -42,14 +43,20 @@ else: elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]: qemu_path += "i386" else: - print ("[wine-cov] unsuppoted architecture\n") + print ("[afl-wine-trace] unsuppoted architecture\n") exit(1) qemu_path = shutil.which(qemu_path) -if os.getenv("WINECOV_WINE_PATH"): - wine_path = os.getenv("WINECOV_WINE_PATH") +wine_path = None +if os.getenv("AFL_WINE_PATH"): + wine_path = os.getenv("AFL_WINE_PATH") else: - wine_path = "/usr/lib/wine/wine" + if not wine_path and shutil.which("wine"): + wine_path = shutil.which("wine") + if not wine_path and os.path.exists("/usr/bin/wine"): + wine_path = "/usr/bin/wine" + if not wine_path and os.path.exists("/usr/lib/wine/wine"): + wine_path = "/usr/lib/wine/wine" if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]: wine_path += "64" elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]: 
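Review bot: `wine_path` can still be `None` after the new fallback chain (no `AFL_WINE_PATH`, no `wine` on PATH, neither `/usr/bin/wine` nor `/usr/lib/wine/wine` present), and the unchanged `wine_path += "64"` at the bottom of the hunk then fails with a TypeError instead of telling the user what is missing. Add an explicit guard after the `else:` block: `if not wine_path:` / `print("[afl-wine-trace] wine not found, set AFL_WINE_PATH\n")` / `exit(1)`. The `shutil.which("wine")` lookup is also evaluated twice in the first fallback; binding it once (`which_wine = shutil.which("wine")`) reads more plainly.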
@@ -58,4 +65,11 @@ else: print ("[afl-wine-trace] unsopported architecture\n") exit(1) -os.execve(qemu_path, [qemu_path, wine_path] + sys.argv[1:], os.environ) +argv = sys.argv[1:] +for i in range(len(argv)): + if ".cur_input" in argv[i]: + argv[i] = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout + break + +print("[afl-wine-trace] exec:", " ".join([qemu_path, wine_path] + argv)) +os.execve(qemu_path, [qemu_path, wine_path] + argv, os.environ) From 1c7b6a5e0590b4a34819fec3cdfe430d32b041d5 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 4 Nov 2019 13:10:52 +0100 Subject: [PATCH 02/16] travis --- .travis.yml | 3 +- dictionaries/regexp.dict | 244 +++++++++++++++++++++++++++++++++++++++ docs/ChangeLog | 1 + test/test.sh | 162 +++++++++++++++++++++----- 4 files changed, 376 insertions(+), 34 deletions(-) create mode 100644 dictionaries/regexp.dict diff --git a/.travis.yml b/.travis.yml index 87b3ef04..00d58853 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,8 +9,7 @@ env: before_install: - sudo apt update - - sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-8 gcc-8-plugin-dev libc++-8-dev -# libc++-7-dev + - sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-7 gcc-7-plugin-dev libc++-7-dev script: - gcc -v diff --git a/dictionaries/regexp.dict b/dictionaries/regexp.dict new file mode 100644 index 00000000..957d18e2 --- /dev/null +++ b/dictionaries/regexp.dict 
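Review bot: the `winepath` call in the new `.cur_input` loop stores `.stdout` verbatim, so the rewritten argument keeps winepath's trailing newline, and because `subprocess.run` is not given `check=True` a failing or missing `winepath` silently turns that argument into an empty string before `execve`. Use `subprocess.run([...], universal_newlines=True, stdout=subprocess.PIPE, check=True).stdout.strip()` with the existing argument list in place of `[...]`. The `os.path.dirname(wine_path)` lookup presumes `winepath` sits beside the `wine`/`wine64` binary selected above, which holds for the default install locations but not necessarily for an arbitrary `AFL_WINE_PATH`; a one-line comment stating that assumption would help.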
@@ -0,0 +1,244 @@ +# +# AFL dictionary for JS regex +# --------------------------- +# +# Contains various regular expressions. +# +# Created by Yang Guo +# +# Contributed by Dhiraj Mishra +# +"?" +"abc" +"()" +"[]" +"abc|def" +"abc|def|ghi" +"^xxx$" +"ab\\b\\d\\bcd" +"\\w|\\d" +"a*?" +"abc+" +"abc+?" +"xyz?" +"xyz??" +"xyz{0,1}" +"xyz{0,1}?" +"xyz{93}" +"xyz{1,32}" +"xyz{1,32}?" +"xyz{1,}" +"xyz{1,}?" +"a\\fb\\nc\\rd\\te\\vf" +"a\\nb\\bc" +"/^\d*\./" +"(?:foo)" +"(?: foo )" +"foo|(bar|baz)|quux" +"foo(?=bar)baz" +"foo(?!bar)baz" +"foo(?<=bar)baz" +"foo(?)" +"(?.)" +"(?.)\\k" +"\\p{Script=Greek}" +"\\P{sc=Greek}" +"\\p{Script_Extensions=Greek}" +"\\P{scx=Greek}" +"\\p{General_Category=Decimal_Number}" +"\\P{gc=Decimal_Number}" +"\\p{gc=Nd}" +"\\P{Decimal_Number}" +"\\p{Nd}" +"\\P{Any}" +"\\p{Changes_When_NFKC_Casefolded}" diff --git a/docs/ChangeLog b/docs/ChangeLog index 4c51502b..3a5961ad 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -23,6 +23,7 @@ Version ++2.58d (dev): - llvm_mode: float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS - libtokencap: support for *BSD/OSX added - libcompcov floating point splitting support for qemu and unicorn + - ripped regex.dictionary from Google afl PR - removed unnecessary warnings diff --git a/test/test.sh b/test/test.sh index 2d5c5e39..f954776f 100755 --- a/test/test.sh +++ b/test/test.sh @@ -24,6 +24,8 @@ $ECHO \\101 2>&1 | grep -qE '^A' || { } test -z "$ECHO" && { printf Error: printf command does not support octal character codes ; exit 1 ; } +CODE=0 + export AFL_EXIT_WHEN_DONE=1 export AFL_SKIP_CPUFREQ=1 export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 
@@ -75,16 +77,26 @@ test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not" + CODE=1 } || $ECHO "$GREEN[+] ${AFL_GCC} instrumentation present and working correctly" - } || $ECHO "$RED[!] ${AFL_GCC} instrumentation failed" + } || { + $ECHO "$RED[!] ${AFL_GCC} instrumentation failed" + CODE=1 + } rm -f test-instr.plain.0 test-instr.plain.1 } || $ECHO "$RED[!] ${AFL_GCC} failed" test -e test-compcov.harden && { grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] ${AFL_GCC} hardened mode succeeded and is working" - } || $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened" + } || { + $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened" + CODE=1 + } rm -f test-compcov.harden - } || $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" + } || { + $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" + CODE=1 + } # now we want to be sure that afl-fuzz is working # make sure core_pattern is set to core on linux (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { @@ -109,6 +121,7 @@ test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}" + CODE=1 } rm -rf in out errors } 
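Review bot: the outer `} || $ECHO "$RED[!] ${AFL_GCC} failed"` context line in this hunk still leaves `CODE` at 0, so a complete afl-gcc compile failure prints red but the script exits 0, whereas the llvm_mode counterpart in the `@@ -132` hunk now sets `CODE=1` for the same situation. Change it to `} || { $ECHO "$RED[!] ${AFL_GCC} failed" ; CODE=1 ; }` to match. The yellow "not compiled, cannot test" branches are reasonably left at 0, since they are skips rather than failures.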
@@ -132,16 +145,29 @@ test -e ../afl-clang-fast && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not" + CODE=1 } || $ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly" - } || $ECHO "$RED[!] llvm_mode instrumentation failed" + } || { + $ECHO "$RED[!] llvm_mode instrumentation failed" + CODE=1 + } rm -f test-instr.plain.0 test-instr.plain.1 - } || $ECHO "$RED[!] llvm_mode failed" + } || { + $ECHO "$RED[!] llvm_mode failed" + CODE=1 + } test -e test-compcov.harden && { grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] llvm_mode hardened mode succeeded and is working" - } || $ECHO "$RED[!] llvm_mode hardened mode is not hardened" + } || { + $ECHO "$RED[!] llvm_mode hardened mode is not hardened" + CODE=1 + } rm -f test-compcov.harden - } || $ECHO "$RED[!] llvm_mode hardened mode compilation failed" + } || { + $ECHO "$RED[!] llvm_mode hardened mode compilation failed" + CODE=1 + } # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[!] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" @@ -150,6 +176,7 @@ test -e ../afl-clang-fast && { # make sure crash reporter is disabled on Mac OS X (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + CODE=1 true }) || { mkdir -p in @@ -165,6 +192,7 @@ test -e ../afl-clang-fast && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode" + CODE=1 } rm -rf in out errors } 
@@ -175,30 +203,54 @@ test -e ../afl-clang-fast && { test -e test-compcov.instrim && { grep -Eq " [1-3] location" test.out && { $ECHO "$GREEN[+] llvm_mode InsTrim feature works correctly" - } || $ECHO "$RED[!] llvm_mode InsTrim feature failed" - } || $ECHO "$RED[!] llvm_mode InsTrim feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode InsTrim feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode InsTrim feature compilation failed" + CODE=1 + } rm -f test-compcov.instrim test.out AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > /dev/null 2> test.out test -e test-compcov.compcov && { grep -Eq " [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" - } || $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" - } || $ECHO "$RED[!] llvm_mode laf-intel/compcov feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode laf-intel/compcov feature compilation failed" + CODE=1 + } rm -f test-compcov.compcov test.out echo foobar.c > whitelist.txt AFL_LLVM_WHITELIST=whitelist.txt ../afl-clang-fast -o test-compcov test-compcov.c > test.out 2>&1 test -e test-compcov && { grep -q "No instrumentation targets found" test.out && { $ECHO "$GREEN[+] llvm_mode whitelist feature works correctly" - } || $ECHO "$RED[!] llvm_mode whitelist feature failed" - } || $ECHO "$RED[!] llvm_mode whitelist feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode whitelist feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] 
llvm_mode whitelist feature compilation failed" + CODE=1 + } rm -f test-compcov test.out whitelist.txt ../afl-clang-fast -o test-persistent ../experimental/persistent_demo/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly" - } || $ECHO "$RED[!] llvm_mode persistent mode feature failed to work" - } || $ECHO "$RED[!] llvm_mode persistent mode feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode persistent mode feature failed to work" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode persistent mode feature compilation failed" + CODE=1 + } rm -f test-persistent } || $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test" 
@@ -214,17 +266,32 @@ test -e ../afl-gcc-fast && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" - } || $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" - } || $ECHO "$RED[!] gcc_plugin instrumentation failed" + CODE=1 + } || { + $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" + } + } || { + $ECHO "$RED[!] gcc_plugin instrumentation failed" + CODE=1 + } rm -f test-instr.plain.0 test-instr.plain.1 - } || $ECHO "$RED[!] gcc_plugin failed" + } || { + $ECHO "$RED[!] gcc_plugin failed" + CODE=1 + } test -e test-compcov.harden.gccpi && { grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden.gccpi > /dev/null 2>&1 && { $ECHO "$GREEN[+] gcc_plugin hardened mode succeeded and is working" - } || $ECHO "$RED[!] gcc_plugin hardened mode is not hardened" + } || { + $ECHO "$RED[!] gcc_plugin hardened mode is not hardened" + CODE=1 + } rm -f test-compcov.harden.gccpi - } || $ECHO "$RED[!] gcc_plugin hardened mode compilation failed" + } || { + $ECHO "$RED[!] gcc_plugin hardened mode compilation failed" + CODE=1 + } # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[!] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" @@ -233,6 +300,7 @@ test -e ../afl-gcc-fast && { # make sure crash reporter is disabled on Mac OS X (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + CODE=1 true }) || { mkdir -p in 
@@ -248,6 +316,7 @@ test -e ../afl-gcc-fast && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with gcc_plugin" + CODE=1 } rm -rf in out errors } @@ -259,15 +328,27 @@ test -e ../afl-gcc-fast && { test -e test-compcov && { echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 1 tuples" && { $ECHO "$GREEN[+] gcc_plugin whitelist feature works correctly" - } || $ECHO "$RED[!] gcc_plugin whitelist feature failed" - } || $ECHO "$RED[!] gcc_plugin whitelist feature compilation failed" + } || { + $ECHO "$RED[!] gcc_plugin whitelist feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] gcc_plugin whitelist feature compilation failed" + CODE=1 + } rm -f test-compcov test.out whitelist.txt ../afl-gcc-fast -o test-persistent ../experimental/persistent_demo/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" - } || $ECHO "$RED[!] gcc_plugin persistent mode feature failed to work" - } || $ECHO "$RED[!] gcc_plugin persistent mode feature compilation failed" + } || { + $ECHO "$RED[!] gcc_plugin persistent mode feature failed to work" + CODE=1 + } + } || { + $ECHO "$RED[!] gcc_plugin persistent mode feature compilation failed" + CODE=1 + } rm -f test-persistent } || $ECHO "$YELLOW[-] gcc_plugin not compiled, cannot test" 
@@ -277,7 +358,10 @@ test -e ../libtokencap.so && { AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { $ECHO "$GREEN[+] libtokencap did successfully capture tokens" - } || $ECHO "$RED[!] libtokencap did not capture tokens" + } || { + $ECHO "$RED[!] libtokencap did not capture tokens" + CODE=1 + } rm -f token.out } || $ECHO "$YELLOW[-] libtokencap is not compiled, cannot test" test -e ../libdislocator.so && { @@ -288,6 +372,7 @@ test -e ../libdislocator.so && { } > /dev/null 2>&1 grep -q BUFFEROVERFLOW test.out > /dev/null 2>&1 && { $ECHO "$RED[!] libdislocator did not detect the memory corruption" + CODE=1 } || $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" rm -f test.out core test-compcov.core core.test-compcov } || $ECHO "$YELLOW[-] libdislocator is not compiled, cannot test" @@ -313,6 +398,7 @@ test -e ../afl-qemu-trace && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode" + CODE=1 } rm -f errors @@ -330,6 +416,7 @@ test -e ../afl-qemu-trace && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode libcompcov" + CODE=1 } } || $ECHO "$YELLOW[-] we cannot test qemu_mode libcompcov because it is not present" rm -f errors 
@@ -359,12 +446,16 @@ test -e ../afl-qemu-trace && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with persistent qemu_mode" + CODE=1 exit 1 } $ECHO "$YELLOW[?] we need a test case for qemu_mode unsigaction library" rm -rf in out errors } - } || $ECHO "$RED[-] gcc compilation of test targets failed - what is going on??" + } || { + $ECHO "$RED[-] gcc compilation of test targets failed - what is going on??" + CODE=1 + } rm -f test-instr test-compcov } || $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test" @@ -379,9 +470,9 @@ test -d ../unicorn_mode/unicorn && { mkdir -p in echo 0 > in/in $ECHO "$GREY[*] Using python binary $PY" - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode, this will take approx 20 seconds" + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode, this will take approx 25 seconds" { - ../afl-fuzz -V20 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/simple/simple_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/simple/simple_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode" 
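Review bot: the new `CODE=1` in the persistent qemu_mode failure branch is immediately followed by the pre-existing `exit 1`, so this one failure still aborts the script before its own `rm -rf in out errors`, before the unicorn_mode tests, and before the summary and `exit $CODE` added at the end of the file, while every other afl-fuzz failure branch in this commit now records the failure and continues. Drop the `exit 1` line so that the `CODE` accounting introduced here governs the exit status uniformly.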
@@ -390,13 +481,14 @@ test -d ../unicorn_mode/unicorn && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with unicorn_mode" + CODE=1 } rm -f errors - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 25 seconds" + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" { export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -V35 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/queue/id:000001* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode compcov" @@ -405,12 +497,18 @@ test -d ../unicorn_mode/unicorn && { cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with unicorn_mode compcov" + CODE=1 } rm -rf in out errors } - } || $ECHO "$RED[-] missing sample binaries in unicorn_mode/samples/ - what is going on??" + } || { + $ECHO "$RED[-] missing sample binaries in unicorn_mode/samples/ - what is going on??" + CODE=1 + } } || $ECHO "$YELLOW[-] unicorn_mode is not compiled, cannot test" $ECHO "$GREY[*] all test cases completed.$RESET" - +test "$CODE" = "0" && $ECHO "$GREEN[+] all tests were successful :-)$RESET" +test "$CODE" = "0" || $ECHO "$RED[-] failure in tests :-($RESET" +exit $CODE From adae07d0138d25594efb765dc30e19af32222bee Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 4 Nov 2019 15:46:49 +0100 Subject: [PATCH 03/16] restored big-endian compcov in unicorn --- .../patches/afl-unicorn-tcg-runtime-inl.h | 74 ++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) 
diff --git a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h index 53ab654c..3603fae0 100644 --- a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h +++ b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h @@ -33,6 +33,78 @@ #include "uc_priv.h" #include "afl-unicorn-common.h" +void HELPER(afl_compcov_log_16)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff) == (arg2 & 0xff)) { INC_AFL_AREA(cur_loc); } + +} + +void HELPER(afl_compcov_log_32)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff) == (arg2 & 0xff)) { + + INC_AFL_AREA(cur_loc); + if ((arg1 & 0xffff) == (arg2 & 0xffff)) { + + INC_AFL_AREA(cur_loc + 1); + if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { INC_AFL_AREA(cur_loc + 2); } + + } + + } + +} + +void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff) == (arg2 & 0xff)) { + + INC_AFL_AREA(cur_loc); + if ((arg1 & 0xffff) == (arg2 & 0xffff)) { + + INC_AFL_AREA(cur_loc + 1); + if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { + + INC_AFL_AREA(cur_loc + 2); + if ((arg1 & 0xffffffff) == (arg2 & 0xffffffff)) { + + INC_AFL_AREA(cur_loc + 3); + if ((arg1 & 0xffffffffff) == (arg2 & 0xffffffffff)) { + + INC_AFL_AREA(cur_loc + 4); + if ((arg1 & 0xffffffffffff) == (arg2 & 0xffffffffffff)) { + + INC_AFL_AREA(cur_loc + 5); + if ((arg1 & 0xffffffffffffff) == (arg2 & 0xffffffffffffff)) { + + INC_AFL_AREA(cur_loc + 6); + + } + + } + + } + + } + + } + + } + + } + +} + +/* // Little endian CompCov void HELPER(afl_compcov_log_16)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, uint64_t arg2) { 
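Review bot: the three restored helpers carry no comment saying which byte order they implement, and the superseded implementation is kept inside a `/* ... */` block labelled `// Little endian CompCov` that only closes with the `*/` added in the next hunk, so a reader has to trust the commit title to know which variant is which. A header such as `/* Big-endian CompCov (see commit): credit one map slot per matching low-order byte. */` above `afl_compcov_log_16`, and `#if 0` or removal instead of a block comment for the retained variant, would make the intent explicit. Separately, `afl_compcov_log_64` nests seven `if`s to do what a mask loop expresses in a few lines, assuming `INC_AFL_AREA` depends only on the local `afl_area_ptr` and its argument (which the nested form already relies on); `afl_compcov_log_32` would be the same loop with a bound of 3.
```c
void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1,
                                uint64_t arg2) {

  u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr;
  uint64_t mask = 0xff;
  int i;

  /* Walk from the least significant byte upwards and stop at the first
     prefix that differs; a matching k-byte prefix credits cur_loc + k - 1. */
  for (i = 0; i < 7; ++i, mask = (mask << 8) | 0xff) {

    if ((arg1 & mask) != (arg2 & mask)) break;
    INC_AFL_AREA(cur_loc + i);

  }

}
```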
@@ -99,4 +171,4 @@ void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, } } - +*/ From 14c359700b6b1d4408853f878931937ac586059c Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 4 Nov 2019 15:37:56 +0000 Subject: [PATCH 04/16] Basic docker build proposal. --- Dockerfile | 21 +++++++++++++++++++++ docs/QuickStartGuide.txt | 2 ++ 2 files changed, 23 insertions(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..af85ee8d --- /dev/null +++ b/Dockerfile @@ -0,0 +1,21 @@ +FROM gcc:8.3.0 + +RUN apt-get update && apt-get install -y --no-install-recommends \ + automake \ + bison \ + clang \ + flex \ + gcc-8-plugin-dev \ + libc++-7-dev \ + libtool \ + libtool-bin \ + llvm-7-tools \ + python-setuptools \ + && rm -fr /var/lib/apt/lists/* +RUN mkdir /app +WORKDIR ["/app"] +COPY . . +ENV CC=gcc-8 +ENV CXX=g++-8 +ENV LLVM_CONFIG=llvm-config-7 +RUN make clean && make distrib && make tests diff --git a/docs/QuickStartGuide.txt b/docs/QuickStartGuide.txt index 9190dc98..723611e3 100644 --- a/docs/QuickStartGuide.txt +++ b/docs/QuickStartGuide.txt @@ -45,6 +45,8 @@ how to hit the ground running: 7) compile and use llvm_mode (afl-clang-fast/afl-clang-fast++) as it is way faster and has a few cool features +8) There is a basic docker build with 'docker build -t aflplusplus .' + That's it. Sit back, relax, and - time permitting - try to skim through the following files: From 67ae54c957926bd382433c2a08ebba9f1dd711da Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 4 Nov 2019 17:15:56 +0000 Subject: [PATCH 05/16] Using LLVM/GCC 9 tooling --- Dockerfile | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index af85ee8d..7defa8e9 100644 --- a/Dockerfile +++ b/Dockerfile 
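Review bot: `WORKDIR ["/app"]` in the new Dockerfile does not take the JSON form that `RUN`/`CMD` accept; Docker treats the argument as a literal relative path, so the working directory becomes a directory named `["/app"]` rather than the `/app` created by the preceding `RUN mkdir /app`, and `COPY . .` plus the `make` line land there. Write `WORKDIR /app`, which also creates the directory and makes the `mkdir` redundant. The same line is carried as unchanged context through the Dockerfile hunks of patches 05 and 06 below, so the fix is still needed after them.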
@@ -1,21 +1,25 @@ -FROM gcc:8.3.0 - +FROM ubuntu:eoan RUN apt-get update && apt-get install -y --no-install-recommends \ automake \ bison \ + build-essential \ clang \ + clang-9 \ flex \ - gcc-8-plugin-dev \ - libc++-7-dev \ + gcc-9 \ + gcc-9-plugin-dev \ + libc++-9-dev \ libtool \ libtool-bin \ - llvm-7-tools \ + libglib2.0-dev \ + llvm-9-tools \ python-setuptools \ + wget \ && rm -fr /var/lib/apt/lists/* RUN mkdir /app WORKDIR ["/app"] COPY . . -ENV CC=gcc-8 -ENV CXX=g++-8 -ENV LLVM_CONFIG=llvm-config-7 +ENV CC=gcc-9 +ENV CXX=g++-9 +ENV LLVM_CONFIG=llvm-config-9 RUN make clean && make distrib && make tests From dede2e976400cec53099ab42fa3f4fa73e324d2c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 5 Nov 2019 09:16:04 +0100 Subject: [PATCH 06/16] dockerfile additions --- Dockerfile | 4 +++- README.md | 8 ++++++++ docs/ChangeLog | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7defa8e9..558968d8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,6 @@ FROM ubuntu:eoan +MAINTAINER David Carlier +LABEL "about"="AFLplusplus docker image" RUN apt-get update && apt-get install -y --no-install-recommends \ automake \ bison \ @@ -22,4 +24,4 @@ COPY . . ENV CC=gcc-9 ENV CXX=g++-9 ENV LLVM_CONFIG=llvm-config-9 -RUN make clean && make distrib && make tests +RUN make clean && make distrib && make install diff --git a/README.md b/README.md index e8d4e6a8..583b7df8 100644 --- a/README.md +++ b/README.md @@ -115,6 +115,14 @@ afl++ binaries by passing the STATIC=1 argument to make: $ make all STATIC=1 ``` +Note that afl++ is faster and better the newer the compilers used. +Hence gcc-9 and especially llvm-9 should be the compilers of choice. +If your distribution does not have them, you can use the Dockerfile: + +```shell +$ docker build -t aflplusplus +``` + ## 1) Challenges of guided fuzzing diff --git a/docs/ChangeLog b/docs/ChangeLog index 3a5961ad..3924226e 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog 
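Review bot: `MAINTAINER` in the patch 06 hunk is a deprecated instruction; `LABEL maintainer="David Carlier"` is the documented replacement and sits naturally next to the new `LABEL "about"=...` line. The patch 05 hunk above it installs both `clang` and `clang-9` while `LLVM_CONFIG=llvm-config-9` is the only toolchain the build is pointed at, which deserves either a comment or dropping the unversioned package. The README snippet added in the same commit, `docker build -t aflplusplus`, is missing the build-context argument that the QuickStartGuide line from patch 04 (`docker build -t aflplusplus .`) has.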
@@ -23,6 +23,7 @@ Version ++2.58d (dev): - llvm_mode: float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS - libtokencap: support for *BSD/OSX added - libcompcov floating point splitting support for qemu and unicorn + - Dockerfile by courtesy of devnexen - ripped regex.dictionary from Google afl PR - removed unnecessary warnings From 61e46a636ccf143dc648fef6189112dfdce37933 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 5 Nov 2019 10:59:22 +0000 Subject: [PATCH 07/16] catching current pid before library usage in case implementations rely on those string calls --- libtokencap/libtokencap.so.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 7495180d..467be05b 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -51,6 +51,7 @@ static struct mapping { void *st, *en; } __tokencap_ro[MAX_MAPPINGS]; static u32 __tokencap_ro_cnt; static u8 __tokencap_ro_loaded; static int __tokencap_out_file = -1; +static pid_t __tokencap_pid = -1; /* Identify read-only regions in memory. Only parameters that fall into these ranges are worth dumping when passed to strcmp() and so on. Read-write @@ -115,11 +116,11 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ #if defined __FreeBSD__ - int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, -1}; + int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; #elif defined __OpenBSD__ - int mib[] = {CTL_KERN, KERN_PROC_VMMAP, getpid()}; + int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid}; #elif defined __NetBSD__ - int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, getpid(), sizeof(struct kinfo_vmentry)}; + int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)}; #endif char *buf, *low, *high; size_t miblen = sizeof(mib)/sizeof(mib[0]); 
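Review bot: `__tokencap_pid` is consumed by the three BSD `mib[]` initialisers in this hunk but only assigned at the end of `__tokencap_init` (the `@@ -431` hunk), and its `-1` initial value is what the FreeBSD path previously passed explicitly; nothing documents that the mapping loader must run after the constructor, nor what happens in a `fork()`ed child, which inherits the parent's cached pid and would therefore query the parent's map. That is probably benign because the child starts with the same mappings, but a comment on the declaration would save the next reader the analysis: `/* Cached once in __tokencap_init(); forked children keep the parent's pid, whose mappings they inherit. */`. The commit message's motive (a `getpid()` implementation might itself call the hooked string functions) is also worth stating in a comment next to the assignment.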
@@ -431,6 +432,7 @@ __attribute__((constructor)) void __tokencap_init(void) { u8* fn = getenv("AFL_TOKEN_FILE"); if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655); if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO; + __tokencap_pid = getpid(); } From 73cb58726649b860cbea9eef727e90ad14be4b31 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 5 Nov 2019 18:39:16 +0100 Subject: [PATCH 08/16] test unicorn && AFL_DISABLE_TRIM env var --- include/afl-fuzz.h | 3 ++- src/afl-fuzz-globals.c | 3 ++- src/afl-fuzz-one.c | 2 +- src/afl-fuzz.c | 3 +++ test/test.sh | 1 + .../samples/compcov_x64/compcov_target.bin | Bin 86 -> 86 bytes .../samples/compcov_x64/compcov_target.c | 4 +--- .../samples/compcov_x64/compcov_target.elf | Bin 5728 -> 5728 bytes 8 files changed, 10 insertions(+), 6 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 637c2795..90f3b419 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -315,7 +315,8 @@ extern u8 skip_deterministic, /* Skip deterministic stages? */ deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ + uses_asan, /* Target uses ASAN? */ + disable_trim; /* Never trim in fuzz_one */ extern s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 36ba6e14..06eb06d8 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -122,7 +122,8 @@ u8 skip_deterministic, /* Skip deterministic stages? */ deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ + uses_asan, /* Target uses ASAN? */ + disable_trim; /* Never trim in fuzz_one */ s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index bed8d254..8ca219b5 100644 
--- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -449,7 +449,7 @@ u8 fuzz_one_original(char** argv) { * TRIMMING * ************/ - if (!dumb_mode && !queue_cur->trim_done && !custom_mutator) { + if (!dumb_mode && !queue_cur->trim_done && !custom_mutator && !disable_trim) { u8 res = trim_case(argv, queue_cur, in_buf); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 14d7802d..26ed7b61 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -551,6 +551,9 @@ int main(int argc, char** argv) { } + if (getenv("AFL_DISABLE_TRIM")) + disable_trim = 1; + if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive"); diff --git a/test/test.sh b/test/test.sh index f954776f..f086ee50 100755 --- a/test/test.sh +++ b/test/test.sh @@ -485,6 +485,7 @@ test -d ../unicorn_mode/unicorn && { } rm -f errors + echo -e '\xbf' > in/in $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" { export AFL_COMPCOV_LEVEL=2 diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.bin b/unicorn_mode/samples/compcov_x64/compcov_target.bin index 091bf1db5ae383ed061927128d887bcd1d4ee5f9..30eada89b12ee1838ba55156590d8215580ec246 100644 GIT binary patch delta 29 lcmWFw6A$(1eCl!B^#=ok0fR@k>kt0z3~9EzS4|YR2LPm_3lIPR delta 29 lcmWFw6A$(1eCl!B^#=ok0fR@k>yK^*+kdCluAV4v4*;wv3@QKs diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.c b/unicorn_mode/samples/compcov_x64/compcov_target.c index eb1205b1..f4576261 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.c +++ b/unicorn_mode/samples/compcov_x64/compcov_target.c 
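Review bot: the `!disable_trim` guard is added only to `fuzz_one_original`; the `_original` suffix suggests another `fuzz_one` variant exists in this file, and if it does the new `AFL_DISABLE_TRIM` switch would be silently ignored there, which is worth confirming before merging. The `@@ -551` hunk in afl-fuzz.c reads the variable without any documentation in this series (the diffstat lists no docs change), so the environment-variable documentation should gain an entry, and the declaration comment `/* Never trim in fuzz_one */` could say what is lost: `/* AFL_DISABLE_TRIM: skip trim_case() in fuzz_one; inputs are never minimised */`.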
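Review bot: `echo -e '\xbf' > in/in` in the test.sh hunk relies on a bash-style `echo` with hex escapes, while the script earlier goes to the trouble (the `$ECHO \\101` probe) of selecting an echo/printf that understands octal escapes precisely because plain `echo` differs between shells; under a POSIX `sh` this line may write the literal text `-e \xbf` instead of one byte. Use the already-selected helper, `$ECHO '\277' > in/in`. The line is carried unchanged as context through the test.sh hunks of patches 09 and 10.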
@@ -16,11 +16,9 @@ int main(void) { unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; - if (data_buf[0] == 0xabadcafe) { - // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' + if (((unsigned short*)data_buf)[0] == 0xaabb) { unsigned char invalid_read = *(unsigned char *) 0x00000000; } else if (data_buf[1] == data_buf[2] + 0x4141) { - // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] unsigned char invalid_read = *(unsigned char *) 0x00000000; } diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.elf b/unicorn_mode/samples/compcov_x64/compcov_target.elf index 7015fb46661776654c4bba59f7926d39b6ba6da8..9f90f8d299144e3edaca0f7af960ec861117ddc9 100755 GIT binary patch delta 45 zcmV+|0Mh^9EZ{7#WC9c|e7VXAWDEH5Th(ugVR!z6^}DZ=cmhcW54QkjJ-e#2$O4!X D?hq9N delta 45 zcmV+|0Mh^9EZ{7#WC9dGZvjtqKd41fxX=$MI Date: Tue, 5 Nov 2019 18:41:23 +0100 Subject: [PATCH 09/16] reduce time for unicorn compcov test --- test/test.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/test.sh b/test/test.sh index f086ee50..89310389 100755 --- a/test/test.sh +++ b/test/test.sh @@ -486,10 +486,12 @@ test -d ../unicorn_mode/unicorn && { rm -f errors echo -e '\xbf' > in/in - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" + # This seed is close to the first byte of the comparison. + # If CompCov works, a new tuple will appear in the map => new input in queue + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 15 seconds" { export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -V35 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -V15 -U -i in -o out -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/queue/id:000001* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode compcov" 
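Review bot: The two `// Cause an 'invalid read' crash if ...` comments are deleted rather than updated, so the new 16-bit `0xaabb` comparison and the unchanged `+ 0x4141` relation are now undocumented in a sample whose whole purpose is to show what CompCov has to solve. Suggest `// crash if the first two input bytes form 0xaabb (little-endian unsigned short on x64)` on the first branch and `// crash if data[1] == data[2] + 0x4141` on the second. The trailing `.bin`/`.elf` patches are generated binaries and are not reviewed here. `main()` continues outside the hunk.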
From ed1628173717a91dbb8bd5b0498cb618da6d349c Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 5 Nov 2019 19:48:17 +0100 Subject: [PATCH 10/16] mmmm travis doh --- test/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/test.sh b/test/test.sh index 89310389..a56466c4 100755 --- a/test/test.sh +++ b/test/test.sh @@ -488,10 +488,10 @@ test -d ../unicorn_mode/unicorn && { echo -e '\xbf' > in/in # This seed is close to the first byte of the comparison. # If CompCov works, a new tuple will appear in the map => new input in queue - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 15 seconds" + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 30 seconds" { export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -V15 -U -i in -o out -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -V30 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/queue/id:000001* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode compcov" From 62d972962938fc84150768bbda448841e6c9d3e7 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 5 Nov 2019 20:06:11 +0100 Subject: [PATCH 11/16] travis is drunk --- test/test.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/test.sh b/test/test.sh index a56466c4..3b071468 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -485,13 +485,13 @@ test -d ../unicorn_mode/unicorn && { } rm -f errors - echo -e '\xbf' > in/in + printf '\xbf' > in/in # This seed is close to the first byte of the comparison. # If CompCov works, a new tuple will appear in the map => new input in queue - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 30 seconds" + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" { export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -V30 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -V35 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/queue/id:000001* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode compcov" From 5cb0012c836965bbf7828dcb1e3d9f31f97dc346 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 Nov 2019 13:08:07 +0100 Subject: [PATCH 12/16] test travis --- .travis.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 00d58853..9ff3edef 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,4 +16,3 @@ script: - clang -v - make distrib - make tests - - make clean From 7c99027c3165e2f411ca6caa0c119e7b69a2132c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 Nov 2019 13:31:58 +0100 Subject: [PATCH 13/16] unicorn libcompcov testcase made easier --- .../samples/compcov_x64/compcov_target.bin | Bin 86 -> 86 bytes .../samples/compcov_x64/compcov_target.c | 4 ++-- .../samples/compcov_x64/compcov_target.elf | Bin 5728 -> 13200 bytes 3 files changed, 2 insertions(+), 2 deletions(-) 
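Review bot: `printf '\xbf' > in/in` fixes the `echo -e` portability problem, but `\x` hex escapes are themselves a bash/GNU extension: POSIX `printf` only guarantees octal escapes, and dash's builtin does not interpret `\xbf`, so under `/bin/sh` the seed would be the literal ASCII characters rather than one byte. `printf '\277' > in/in` is portable; the same applies to the later `printf '\x01\x01' > in/in` in the patch 14 hunk, which would become `printf '\001\001' > in/in`. This assumes test.sh is not pinned to bash by its shebang, which is outside the hunk. The surrounding `test -d ../unicorn_mode/unicorn && { … }` block starts and ends outside the hunk.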
diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.bin b/unicorn_mode/samples/compcov_x64/compcov_target.bin index 30eada89b12ee1838ba55156590d8215580ec246..2874860b9e3a78e70311822238d0f685d36d2b15 100644 GIT binary patch delta 70 zcmWFwn;`1Qz*x$=g8>Nmw=s0Met)g$(e3)fqxk?!H-kraD3EoCqg$x)(7*o-43-y4 Mxe-dgftj&~0bXzz$N&HU delta 70 zcmWFwn;`1AdsQj#4hA6L-^S44`t7x*N4M(_kLCj`-3%Vxp+MFlj&7mGLynFN43-y4 Mxe-dggPF010g^x%u>b%7 diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.c b/unicorn_mode/samples/compcov_x64/compcov_target.c index f4576261..0c863b25 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.c +++ b/unicorn_mode/samples/compcov_x64/compcov_target.c @@ -16,9 +16,9 @@ int main(void) { unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; - if (((unsigned short*)data_buf)[0] == 0xaabb) { + if (((unsigned short*)data_buf)[0] == 0x0100) { unsigned char invalid_read = *(unsigned char *) 0x00000000; - } else if (data_buf[1] == data_buf[2] + 0x4141) { + } else if (data_buf[1] == data_buf[2] + 0xfffe) { unsigned char invalid_read = *(unsigned char *) 0x00000000; } 
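Review bot: The comparison constants change to `0x0100` and `0xfffe` while the companion `.bin`/`.elf` are replaced as opaque binaries, and the diffstat shows the `.elf` growing from 5728 to 13200 bytes for a two-constant edit, which suggests it was rebuilt with a different toolchain or flags; nothing in the sample records how `.bin` is produced from `.c`, so a reviewer cannot verify the two match. Suggest a header comment in `compcov_target.c` giving the exact compile and extraction commands used, plus a one-line comment per branch such as `/* crash when the first 16-bit word equals 0x0100 */` and `/* crash when data[1] == data[2] + 0xfffe */`. `main()` continues outside the hunk.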
diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.elf b/unicorn_mode/samples/compcov_x64/compcov_target.elf index 9f90f8d299144e3edaca0f7af960ec861117ddc9..0f1ad91667dce7e689e7b5815345ffece3ed63f1 100755 GIT binary patch literal 13200 zcmeI3-%Aux6vxl5rb}ur_5;C$2_p1i$3;c9qS~<4B_dR`x0Ky>br;-S*`0;8mxv$= zU;G351NsZ9N3ozDeeAUdA?TqXG$C+1XXbuw8xf2k3eSO=?>+aPGk5N1?mo=Uy$=$% z#)5$W!J6nQxn9_-iJOMiC?bgB6r(mixAVD$tDE_Vn`Xb}f?fkOWa64wCGWXu_v={` z2gMzVO5Q&;x=V2{u0;f!Whvg#t z#ReAh>5<`q#Y|)|U#!+5wb)2xWZ15h>_K&JVf1 z>8YKsavdC8R8s;VTDi5>Nt4 zKnW-TC7=Y9fD%vwN)!R*|0{3PflB+mnCzU2UUv#qNC9;bpCu=Vht9H7Y=hfKx47pw|RmqW^SuR$V z3!XYF!n=hvd*|}VX>)^RjsY3o9+4o9?Lbm9D!Jnw`71rkQ?Au>}{RHR( z&jtQTF0?k}AGD4h@mLQJ{{k1b`5B^r%o8a3N1p#7%l|Jj2IONNK{0P+-pRcqAN4V= zlc|S%%uA?$yna8r!LGIoB{Ah3Ah1rLJ{TBG$A|Lw`7C2Y>$Nykl^vqQB!Z#|hVvUNv Ry%z7>Yx0*GD;x4q{R2VHpBw-H literal 5728 zcmeHL&1(};5T7KqO|7-DC2437VhtgJ5o939K#+kT13?CY3G zpVE>8TK{&3|NZt6uAWfGw`xZy?AF0vKH}!p%eN8o>E%}u^6ur^-F}6a?{MpAFCV42 zs;|9#r`s3s@_4I@ti0bg`r2G%7Nwz$T3<~2aAwOrd6n3BF(H= z1?{3)*K+j|_Yz8ZvS&r3RwONd)#N8QXjMtG3Jr_2LQ$Wr8s&ms%rl3Xt!0!;6Qpqj z<$`H(fPZ1g`;m98j<@@L<2y%x3R~gaW4?ujju!jn`asY}KL_(c7QXSFfc+av0AhdG z`7e!OwwF5y_BdBS+)Hw=iSMunpJh&t3hZ(Ifc|*>^ONeixF_*_0`Z-)nmzpXvMwC< zU#=hKSUWv8$b$SCdhBuTfvHwymJvT_lLhe|*9Fcm`en095&supkFz_?>*7E9NlM*4 z+&f&t5fFbXBKB6*q}pIsDX!r~X>DSEygxqquJ5h(G1bpK+DfvFeL=5d0kMM Date: Wed, 6 Nov 2019 13:41:23 +0100 Subject: [PATCH 14/16] even easier test case solving :) --- test/test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test.sh b/test/test.sh index 3b071468..617401eb 100755 --- a/test/test.sh +++ b/test/test.sh @@ -485,7 +485,7 @@ test -d ../unicorn_mode/unicorn && { } rm -f errors - printf '\xbf' > in/in + printf '\x01\x01' > in/in # This seed is close to the first byte of the comparison. # If CompCov works, a new tuple will appear in the map => new input in queue $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" 
From 92669e65ee7bfb588134b29e569858ba91408140 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 Nov 2019 10:38:16 +0100 Subject: [PATCH 15/16] we only do one vm for the testing. having 3 just gives headache --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 9ff3edef..4569bd9c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,9 +3,9 @@ language: c env: - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_STOP_MANUALLY=1 - - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1 + # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1 # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes - - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1 + # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1 before_install: - sudo apt update From 499f078c3759a22dd5cfd81d2271969f19b75090 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 Nov 2019 11:48:39 +0100 Subject: [PATCH 16/16] f*ckin travis --- docs/ChangeLog | 2 ++ qemu_mode/build_qemu_support.sh | 5 ++++- unicorn_mode/build_unicorn_support.sh | 5 ++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/ChangeLog b/docs/ChangeLog index 3924226e..7bc6dec4 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -25,6 +25,8 @@ Version ++2.58d (dev): - libcompcov floating point splitting support for qemu and unicorn - Dockerfile by courtesy of devnexen - ripped regex.dictionary from Google afl PR + - qemu and unicorn download scripts now try to download until the full + download succeeded. f*ckin travis fails downloading 40% of the time! - removed unnecessary warnings diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 6b9f91f9..c3983aa1 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh 
@@ -100,7 +100,10 @@ if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then
 echo "[*] Downloading QEMU ${VERSION} from the web..."
 rm -f "$ARCHIVE"
- wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1
+ OK=
+ while [ -z "$OK" ]; do
+ wget -c -O "$ARCHIVE" -- "$QEMU_URL" && OK=1
+ done
 CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index 3bd404b8..fdbcda62 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -106,7 +106,10 @@ if [ ! "$CKSUM" = "$UNICORN_SHA384" ]; then
 echo "[*] Downloading Unicorn v1.0.1 from the web..."
 rm -f "$ARCHIVE"
- wget -O "$ARCHIVE" -- "$UNICORN_URL" || exit 1
+ OK=
+ while [ -z "$OK" ]; do
+ wget -c -O "$ARCHIVE" -- "$UNICORN_URL" && OK=1
+ done
 CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`
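Review bot: The new `while [ -z "$OK" ]; do wget … && OK=1; done` loop has no upper bound, so a permanent failure (wrong URL, DNS down, 404) now hangs the build forever instead of failing fast as the removed `|| exit 1` did, and it retries with no back-off. Bound the attempts and sleep between them, keeping the existing SHA384 comparison below as the actual integrity gate. The identical loop in the `build_unicorn_support.sh` hunk below needs the same change. Both hunks sit inside an `if [ ! "$CKSUM" = … ]; then` block that starts and ends outside the hunks.
```shell
  rm -f "$ARCHIVE"
  TRIES=0
  while ! wget -c -O "$ARCHIVE" -- "$QEMU_URL"; do
    TRIES=$((TRIES + 1))
    if [ "$TRIES" -ge 5 ]; then
      echo "[-] Error: download of $QEMU_URL failed $TRIES times, giving up."
      exit 1
    fi
    sleep 5
  done
  # … unchanged: CKSUM computation and SHA384 comparison …
```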