integrate frida_mode, code-format

GNUmakefile

@@ -593,6 +593,7 @@ distrib: all
 	$(MAKE) -C utils/afl_network_proxy
 	$(MAKE) -C utils/socket_fuzzing
 	$(MAKE) -C utils/argv_fuzzing
+	-$(MAKE) -C frida_mode
 	-cd qemu_mode && sh ./build_qemu_support.sh
 	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
 
@@ -603,6 +604,7 @@ binary-only: test_shm test_python ready $(PROGS)
 	$(MAKE) -C utils/afl_network_proxy
 	$(MAKE) -C utils/socket_fuzzing
 	$(MAKE) -C utils/argv_fuzzing
+	-$(MAKE) -C frida_mode
 	-cd qemu_mode && sh ./build_qemu_support.sh
 	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
 
@@ -648,6 +650,7 @@ install: all $(MANPAGES)
 	@if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
 	@if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi
 	@if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi
+	@if [ -f afl-frida-trace.so ]; then install -m 755 afl-frida-trace.so $${DESTDIR}$(HELPER_PATH); fi
 	@if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi
 	@if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi
 	@if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi

docs/Changelog.md

@@ -9,6 +9,8 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 ### Version ++3.13a (development)
+  - frida_mode - new mode that uses frida to fuzz binary-only targets,
+    thanks to @WorksButNotTested!
   - afl-fuzz:
     - added patch by @realmadsci to support @@ as part of command line
       options, e.g. `afl-fuzz ... -- ./target --infile=@@`

docs/env_variables.md

@@ -372,7 +372,8 @@ checks or alter some of the more exotic semantics of the tool:
     may complain of high load prematurely, especially on systems with low core
     counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`.
 
-  - In QEMU mode (-Q), `AFL_PATH` will be searched for afl-qemu-trace.
+  - In QEMU mode (-Q), Unicorn mode (-U) and Frida mode (-O), `AFL_PATH` will
+    be searched for afl-qemu-trace.
 
   - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip
     prepending `afl-qemu-trace` to your command line. Use this if you wish to use a
@@ -605,7 +606,7 @@ optimal values if not already present in the environment:
     override this by setting `LD_BIND_LAZY` beforehand, but it is almost
     certainly pointless.
 
-  - By default, `ASAN_OPTIONS` are set to:
+  - By default, `ASAN_OPTIONS` are set to (among others):
 ```
     abort_on_error=1
     detect_leaks=0

frida_mode/Makefile

@@ -1,41 +1,39 @@
 PWD:=$(shell pwd)/
-INC_DIR:=$(PWD)inc/
+INC_DIR:=$(PWD)include/
 SRC_DIR:=$(PWD)src/
 INCLUDES:=$(wildcard $(INC_DIR)*.h)
 SOURCES:=$(wildcard $(SRC_DIR)*.c)
 BUILD_DIR:=$(PWD)build/
-CFLAGS:= $(CFLAGS) \
+CFLAGS+=-fPIC -D_GNU_SOURCE
-		-fPIC \
-		-D_GNU_SOURCE
 
 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(FRIDA_BUILD_DIR)afl-frida-trace.so
 
 ARCH=$(shell uname -m)
 ifeq "$(ARCH)" "aarch64"
-ARCH:=arm64
+ ARCH:=arm64
-TESTINSTR_BASE:=0x0000aaaaaaaaa000
+ TESTINSTR_BASE:=0x0000aaaaaaaaa000
 endif
 
 ifeq "$(ARCH)" "x86_64"
-TESTINSTR_BASE:=0x0000555555554000
+ TESTINSTR_BASE:=0x0000555555554000
 endif
 
 ifeq "$(shell uname)" "Darwin"
-OS:=macos
+ OS:=macos
-AFL_FRIDA_INST_RANGES=0x0000000000001000-0xFFFFFFFFFFFFFFFF
+ AFL_FRIDA_INST_RANGES=0x0000000000001000-0xFFFFFFFFFFFFFFFF
-CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations
+ CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations
-TEST_LDFLAGS:=-undefined dynamic_lookup
+ TEST_LDFLAGS:=-undefined dynamic_lookup
 endif
 ifeq "$(shell uname)" "Linux"
-OS:=linux
+ OS:=linux
-AFL_FRIDA_INST_RANGES=$(shell $(PWD)test/testinstr.py -f $(BUILD_DIR)testinstr -s .testinstr -b $(TESTINSTR_BASE))
+ AFL_FRIDA_INST_RANGES=$(shell $(PWD)test/testinstr.py -f $(BUILD_DIR)testinstr -s .testinstr -b $(TESTINSTR_BASE))
-CFLAGS:=$(CFLAGS) -Wno-prio-ctor-dtor
+ CFLAGS:=$(CFLAGS) -Wno-prio-ctor-dtor
-TEST_LDFLAGS:=
+ TEST_LDFLAGS:=
 endif
 
 ifndef OS
-$(error "Operating system unsupported")
+ $(error "Operating system unsupported")
 endif
 
 VERSION=14.2.13
@@ -347,4 +345,4 @@ cmin_bash_frida: $(TEST_BIN)
 			-i $(TEST_DATA_DIR) \
 			-o $(FRIDA_OUT) \
 			-- \
-				$(TEST_BIN) @@
+				$(TEST_BIN) @@

frida_mode/src/main.c

@@ -22,10 +22,10 @@
 extern mach_port_t mach_task_self();
 extern GumAddress  gum_darwin_find_entrypoint(mach_port_t task);
 #else
-extern int __libc_start_main(int *(main)(int, char **, char **), int argc,
+extern int  __libc_start_main(int *(main)(int, char **, char **), int argc,
-                             char **ubp_av, void (*init)(void),
+                              char **ubp_av, void (*init)(void),
-                             void (*fini)(void), void (*rtld_fini)(void),
+                              void (*fini)(void), void (*rtld_fini)(void),
-                             void(*stack_end));
+                              void(*stack_end));
 #endif
 
 typedef int *(*main_fn_t)(int argc, char **argv, char **envp);

include/forkserver.h

@@ -77,7 +77,7 @@ typedef struct afl_forkserver {
 
   bool qemu_mode;                       /* if running in qemu mode or not   */
 
-  bool frida_mode;                       /* if running in frida mode or not   */
+  bool frida_mode;                     /* if running in frida mode or not   */
 
   bool use_stdin;                       /* use stdin for sending data       */
 

src/afl-cc.c

@@ -638,8 +638,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
         cc_params[cc_par_cnt++] = "-Xclang";
         cc_params[cc_par_cnt++] = "-load";
         cc_params[cc_par_cnt++] = "-Xclang";
-          cc_params[cc_par_cnt++] =
+        cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
-              alloc_printf("%s/afl-llvm-pass.so", obj_path);
 
       }
 
@@ -1247,7 +1246,9 @@ int main(int argc, char **argv, char **envp) {
 
                  strcasecmp(ptr, "CFG") == 0) {
 
-        FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n");
+        FATAL(
+            "InsTrim instrumentation was removed. Use a modern LLVM and "
+            "PCGUARD (default in afl-cc).\n");
 
       } else if (strcasecmp(ptr, "AFL") == 0 ||
 
@@ -1313,7 +1314,9 @@ int main(int argc, char **argv, char **envp) {
   if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") ||
       getenv("INSTRIM_LIB")) {
 
-        FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n");
+    FATAL(
+        "InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD "
+        "(default in afl-cc).\n");
 
   }
 
@@ -1400,7 +1403,9 @@ int main(int argc, char **argv, char **envp) {
       if (strncasecmp(ptr2, "cfg", strlen("cfg")) == 0 ||
           strncasecmp(ptr2, "instrim", strlen("instrim")) == 0) {
 
-        FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n");
+        FATAL(
+            "InsTrim instrumentation was removed. Use a modern LLVM and "
+            "PCGUARD (default in afl-cc).\n");
 
       }
 
@@ -1765,7 +1770,8 @@ int main(int argc, char **argv, char **envp) {
             "  AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen "
             "mutator)\n"
             "  AFL_LLVM_INSTRUMENT: set instrumentation mode:\n"
-            "    CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 ..-16\n"
+            "    CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 "
+            "..-16\n"
             " You can also use the old environment variables instead:\n"
             "  AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n"
             "  AFL_LLVM_CALLER: use single context sensitive coverage (for "

src/afl-common.c

@@ -336,7 +336,16 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname) {
 
   }
 
-  target_path = alloc_printf("%s/%s", BIN_PATH, fname);
+  if (perm == X_OK) {
+
+    target_path = alloc_printf("%s/%s", BIN_PATH, fname);
+
+  } else {
+
+    target_path = alloc_printf("%s/%s", AFL_PATH, fname);
+
+  }
+
   if (!access(target_path, perm)) {
 
     return target_path;

src/afl-ld-lto.c

@@ -73,7 +73,8 @@ static u32 ld_param_cnt = 1;        /* Number of params to 'ld'             */
    so we exploit this property to keep the code "simple". */
 static void edit_params(int argc, char **argv) {
 
-  u32 i, gold_pos = 0, gold_present = 0, rt_present = 0, rt_lto_present = 0, inst_present = 0;
+  u32 i, gold_pos = 0, gold_present = 0, rt_present = 0, rt_lto_present = 0,
+         inst_present = 0;
   char *ptr;
 
   ld_params = ck_alloc(4096 * sizeof(u8 *));
@@ -185,10 +186,12 @@ static void edit_params(int argc, char **argv) {
 
   }
 
-  if (getenv("AFL_LLVM_INSTRIM") || 
+  if (getenv("AFL_LLVM_INSTRIM") ||
       ((ptr = getenv("AFL_LLVM_INSTRUMENT")) &&
-           (strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0)))
+       (strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0)))
-    FATAL("InsTrim was removed because it is not effective. Use a modern LLVM and PCGUARD (which is the default in afl-cc).\n");
+    FATAL(
+        "InsTrim was removed because it is not effective. Use a modern LLVM "
+        "and PCGUARD (which is the default in afl-cc).\n");
 
   if (debug)
     DEBUGF(
@@ -228,8 +231,8 @@ static void edit_params(int argc, char **argv) {
 
       if (!inst_present) {
 
-          ld_params[ld_param_cnt++] = alloc_printf(
+        ld_params[ld_param_cnt++] = alloc_printf(
-              "-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", afl_path);
+            "-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", afl_path);
 
       }