AFL_IGNORE_PROBLEMS + library checks and documentation

README.md

@@ -473,6 +473,13 @@ compiler is used. Also - if possible - you should always configure the
 build system such that the target is compiled statically and not dynamically.
 How to do this is described below.
 
+The #1 rule when instrumenting a target is: avoid instrumenting shared
+libraries at all cost. You would need to set LD_LIBRARY_PATH to point to
+these, you could accidently type "make install" and install them system wide -
+so don't. Really don't.
+**Always compile libraries you want to have instrumented as static and link
+these to the target program!**
+
 Then build the target. (Usually with `make`)
 
 **NOTES**

docs/Changelog.md

@@ -9,6 +9,10 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 ### Version ++3.15a (dev)
+  - afl-fuzz:
+    added AFL_IGNORE_PROBLEMS plus checks to identify and abort on
+    incorrect LTO usage setups and enhanced the READMEs for better
+    information on how to deal with instrumenting libraries
   - added the very good grammar mutator "GramaTron" to the
     custom_mutators
   - added optimin, a faster and better corpus minimizer by

docs/env_variables.md

@@ -432,6 +432,10 @@ checks or alter some of the more exotic semantics of the tool:
     and RECORD:000000,cnt:000009 being the crash case.
     NOTE: This option needs to be enabled in config.h first!
 
+  - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session
+    (not at startup), it will terminate. If you do not want this then you can
+    set `AFL_IGNORE_PROBLEMS`.
+
   - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`.
     Others need not apply, unless they also want to disable the
     `/proc/sys/kernel/core_pattern` check.

include/afl-fuzz.h

@@ -384,7 +384,7 @@ typedef struct afl_env_vars {
       afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
       afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
       afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
-      afl_exit_on_seed_issues, afl_try_affinity;
+      afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,

include/envs.h

@@ -88,6 +88,7 @@ static char *afl_environment_variables[] = {
     "AFL_HARDEN",
     "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
     "AFL_IGNORE_UNKNOWN_ENVS",
+    "AFL_IGNORE_PROBLEMS",
     "AFL_IMPORT_FIRST",
     "AFL_INST_LIBS",
     "AFL_INST_RATIO",

instrumentation/README.lto.md

@@ -138,6 +138,34 @@ make
 NOTE: some targets also need to set the linker, try both `afl-clang-lto` and
 `afl-ld-lto` for `LD=` before `configure`.
 
+## Instrumenting shared libraries
+
+Note: this is highly discouraged! Try to compile to static libraries with
+afl-clang-lto instead of shared libraries!
+
+To make instrumented shared libraries work with afl-clang-lto you have to do
+quite some extra steps.
+
+Every shared library you want to instrument has to be individually compiled-
+The environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during
+compilation.
+Additionally the environment variable `AFL_LLVM_LTO_STARTID` has to be set to
+the combined edge values of all previous compiled instrumented shared
+libraries for that target.
+E.g. for the first shared library this would be `AFL_LLVM_LTO_STARTID=0` and
+afl-clang-lto will then report how many edges have been instrumented (let's say
+it reported 1000 instrumented edges).
+The second shared library then has to be set to that value
+(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to all previous
+combined, etc.
+
+The final program compilation step then may *not* have `AFL_LLVM_LTO_DONTWRITEID`
+set, and `AFL_LLVM_LTO_STARTID` must be set to all combined edges of all shared
+libaries it will be linked to.
+
+This is quite some hands-on work, so better stay away from instrumenting
+shared libraries :-)
+
 ## AUTODICTIONARY feature
 
 While compiling, a dictionary based on string comparisons is automatically

src/afl-fuzz-state.c

@@ -267,6 +267,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_force_ui =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_ignore_problems =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
 
                               afl_environment_variable_len)) {

src/afl-fuzz-stats.c

@@ -534,6 +534,20 @@ void show_stats(afl_state_t *afl) {
   t_bytes = count_non_255_bytes(afl, afl->virgin_bits);
   t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size;
 
+  if (unlikely(t_bytes > afl->fsrv.real_map_size)) {
+
+    if (unlikely(!afl->afl_env.afl_ignore_problems)) {
+
+      FATAL(
+          "Incorrect fuzzing setup detected. Your target seems to have loaded "
+          "incorrectly instrumented shared libraries. If you use LTO mode "
+          "please see instrumentation/README.lto.md. To ignore this problem "
+          "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n");
+
+    }
+
+  }
+
   if (likely(t_bytes) && unlikely(afl->var_byte_count)) {
 
     stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);

src/afl-fuzz.c

@@ -216,6 +216,7 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
       "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n"
       "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
+      "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n"
       "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
       "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
       "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"