Merge pull request #1392 from AFLplusplus/dev

push to stable
van Hauser 2022-04-25 10:14:19 +02:00 committed by GitHub
commit c7bb0a9638
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 163 additions and 58 deletions


@ -11,12 +11,12 @@ authors:
family-names: Fioraldi
email: andreafioraldi@gmail.com
- given-names: Dominik
family-names: Meier
family-names: Maier
email: mail@dmnk.co
title: "AFL++"
version: 3.14
version: 4.00c
type: software
date-released: 2021-07-19
date-released: 2022-01-26
url: "https://github.com/AFLplusplus/AFLplusplus"
keywords:
- fuzzing


@ -145,7 +145,7 @@ else
CFLAGS ?= -O2 $(CFLAGS_OPT) # -funroll-loops is slower on modern compilers
endif
override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \
override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith \
-fPIC -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \
-DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\"
# -fstack-protector
@ -373,6 +373,7 @@ help:
@echo INTROSPECTION - compile afl-fuzz with mutation introspection
@echo NO_PYTHON - disable python support
@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
@echo NO_NYX - disable building nyx mode dependencies
@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)"
@echo "=========================================="
@ -625,7 +626,9 @@ ifeq "$(ARCH)" "aarch64"
-$(MAKE) -C coresight_mode
endif
ifeq "$(SYS)" "Linux"
ifndef NO_NYX
-cd nyx_mode && ./build_nyx_support.sh
endif
endif
-cd qemu_mode && sh ./build_qemu_support.sh
-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
@ -645,7 +648,9 @@ ifeq "$(ARCH)" "aarch64"
-$(MAKE) -C coresight_mode
endif
ifeq "$(SYS)" "Linux"
ifndef NO_NYX
-cd nyx_mode && ./build_nyx_support.sh
endif
endif
-cd qemu_mode && sh ./build_qemu_support.sh
-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
@ -661,8 +666,10 @@ endif
-$(MAKE) -C utils/libtokencap
# -$(MAKE) -C utils/plot_ui
ifeq "$(SYS)" "Linux"
ifndef NO_NYX
-cd nyx_mode && ./build_nyx_support.sh
endif
endif
%.8: %
@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
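Review bot: Switching `-Wpointer-arith` to `-Wno-pointer-arith` in the global `override CFLAGS` line turns off the void-pointer arithmetic warning for every source file, not only for the code that needed it. If the trigger is the `(buf) + _off` expression in the reworked `ck_write` macro (an inference; the reason is not stated on this page), a cast there keeps the warning available elsewhere: keep `-Wpointer-arith` here and write `(const char *)(buf) + _off` in the macro. Separately, `ifndef NO_NYX` treats any non-empty value as set, so `NO_NYX=0` also skips the nyx build; a comment such as `# NO_NYX: any non-empty value disables the nyx_mode build` at the first guard would make that explicit.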


@ -217,7 +217,7 @@ BEGIN {
for (; Optind < ARGC; Optind++) {
prog_args[i++] = ARGV[Optind]
if (i > 1)
prog_args_string = prog_args_string" "ARGV[Optind]
prog_args_string = prog_args_string" '"ARGV[Optind]"'"
}
# sanity checks
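Review bot: The new single-quote wrapping at `prog_args_string = prog_args_string" '"ARGV[Optind]"'"` does not escape a `'` inside the argument, so an argument that contains a single quote ends the quoting early and the rest is parsed by whatever shell later receives this string. How `prog_args_string` is consumed lies outside the hunk, but if it reaches `system()` this matters whenever target arguments or file names come from an untrusted source. Escape before wrapping, e.g. `arg = ARGV[Optind]; gsub(/'/, "'\\\\''", arg)` and then append `" '" arg "'"`; the backslash count in the replacement should be checked against the awk implementations afl-cmin supports.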


@ -1 +1 @@
cbe5e32
ff4e5a2

@ -1 +1 @@
Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff
Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09


@ -1,6 +1,9 @@
# custum mutator: symcc
This uses the excellent symcc to find new paths into the target.
This uses the symcc to find new paths into the target.
Note that this is a just a proof of concept example! It is better to use
the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this.
To use this custom mutator follow the steps in the symcc repository
[https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/)


@ -20,15 +20,20 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
persistent mode and manual forkserver support if these are not
in the target binary (e.g. are in a shared library)
- add AFL_EARY_FORKSERVER to install the forkserver as earliest as
- add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
possible in the target (for afl-gcc-fast/afl-clang-fast/
afl-clang-lto)
- "saved timeouts" was wrong information, timeouts are still thrown
away by default even if they have new coverage (hangs are always
kept), unless AFL_KEEP_TIMEOUTS are set
- document and auto-activate pizza mode on condition
- afl-cc:
- converted all passed to use the new llvm pass manager for llvm 11+
- AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)
- frida_mode:
- update to new frida release, handles now c++ throw/catch
- unicorn_mode:
- update unicorn engine, fix C example
### Version ++4.00c (release)


@ -21,8 +21,8 @@ is to build and install everything:
```shell
sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
# try to install llvm 11 and install the distro default if that fails
sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang
# try to install llvm 12 and install the distro default if that fails
sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
sudo apt-get install -y ninja-build # for QEMU mode
git clone https://github.com/AFLplusplus/AFLplusplus
@ -80,6 +80,7 @@ These build options exist:
* NO_PYTHON - disable python support
* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for
normal fuzzing
* NO_NYX - disable building nyx mode dependencies
* AFL_NO_X86 - if compiling on non-intel/amd platforms
* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config
(e.g., Debian)
@ -178,4 +179,4 @@ sysctl kern.sysv.shmall=98304
See
[http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html)
for documentation for these settings and how to make them permanent.
for documentation for these settings and how to make them permanent.


@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool:
- Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
usually a bad idea!
- Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
new coverage
- `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
does not allow crashes or timeout seeds in the initial -i corpus.


@ -333,6 +333,9 @@ is a non-standard way to set this, otherwise set up the build normally and edit
the generated build environment afterwards manually to point it to the right
compiler (and/or `RANLIB` and `AR`).
In complex, weird, alien build systems you can try this neat project:
[https://github.com/fuzzah/exeptor](https://github.com/fuzzah/exeptor)
#### Linker scripts
If the project uses linker scripts to hide the symbols exported by the
@ -911,16 +914,17 @@ normal fuzzing campaigns as these are much shorter runnings.
* Keep the generated corpus, use afl-cmin and reuse it every time!
2. Additionally randomize the AFL++ compilation options, e.g.:
* 40% for `AFL_LLVM_CMPLOG`
* 10% for `AFL_LLVM_LAF_ALL`
* 30% for `AFL_LLVM_CMPLOG`
* 5% for `AFL_LLVM_LAF_ALL`
3. Also randomize the afl-fuzz runtime options, e.g.:
* 65% for `AFL_DISABLE_TRIM`
* 50% for `AFL_KEEP_TIMEOUTS`
* 50% use a dictionary generated by `AFL_LLVM_DICT2FILE`
* 40% use MOpt (`-L 0`)
* 40% for `AFL_EXPAND_HAVOC_NOW`
* 20% for old queue processing (`-Z`)
* for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3`
* for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT`
4. Do *not* run any `-M` modes, just running `-S` modes is better for CI
fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing


@ -18,8 +18,8 @@
#if defined(__aarch64__)
gboolean instrument_cache_enabled = FALSE;
gsize instrument_cache_size = 0;
gboolean instrument_cache_enabled = FALSE;
gsize instrument_cache_size = 0;
static GHashTable *coverage_blocks = NULL;
__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE];


@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output) {
GumX86Writer *cw = output->writer.x86;
/* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */
/* guint64 area_offset =
* instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */
if (instrument_previous_pc_addr == NULL) {
GumAddressSpec spec = {.near_address = cw->code,


@ -385,7 +385,7 @@ typedef struct afl_env_vars {
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
afl_pizza_mode;
afl_keep_timeouts, afl_pizza_mode;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,


@ -355,20 +355,39 @@ static inline const char *colorfilter(const char *x) {
/* Error-checking versions of read() and write() that call RPFATAL() as
appropriate. */
#define ck_write(fd, buf, len, fn) \
do { \
\
int _fd = (fd); \
\
s32 _len = (s32)(len); \
s32 _res = write(_fd, (buf), _len); \
if (_res != _len) { \
\
RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
_res, _len); \
\
} \
\
#define ck_write(fd, buf, len, fn) \
do { \
\
if (len <= 0) break; \
int _fd = (fd); \
s32 _written = 0, _off = 0, _len = (s32)(len); \
\
do { \
\
s32 _res = write(_fd, (buf) + _off, _len); \
if (_res != _len && (_res > 0 && _written + _res != _len)) { \
\
if (_res > 0) { \
\
_written += _res; \
_len -= _res; \
_off += _res; \
\
} else { \
\
RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
_res, _len); \
\
} \
\
} else { \
\
break; \
\
} \
\
} while (1); \
\
} while (0)
#define ck_read(fd, buf, len, fn) \
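Review bot: The rewritten `ck_write` no longer aborts on a failed write: with `_res <= 0` the condition `_res != _len && (_res > 0 && ...)` is false, so control reaches the `else { break; }` arm and the `RPFATAL` call nested under it can never run. A partial write can also be accepted as complete, because `_written + _res` is compared against `_len` after `_len` has already been reduced (10 bytes requested, writes of 4 and then 2 leave the loop with 4 bytes unwritten). `len` is used unparenthesized and evaluated twice, and `(buf) + _off` does arithmetic on whatever pointer type the caller passes. A loop that tracks only the offset, as below, treats any `_res <= 0` as fatal and keeps writing until `_off == _len`.

```c
#define ck_write(fd, buf, len, fn)                                          \
  do {                                                                      \
                                                                            \
    int _fd = (fd);                                                         \
    s32 _len = (s32)(len), _off = 0;                                        \
                                                                            \
    while (_off < _len) {                                                   \
                                                                            \
      s32 _res = write(_fd, (const char *)(buf) + _off, _len - _off);       \
      if (_res <= 0) {                                                      \
                                                                            \
        RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
                _off, _len);                                                \
                                                                            \
      }                                                                     \
                                                                            \
      _off += _res;                                                         \
                                                                            \
    }                                                                       \
                                                                            \
  } while (0)
```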


@ -106,6 +106,7 @@ static char *afl_environment_variables[] = {
"AFL_INPUT_LEN_MAX",
"AFL_INST_LIBS",
"AFL_INST_RATIO",
"AFL_KEEP_TIMEOUTS",
"AFL_KILL_SIGNAL",
"AFL_KEEP_TRACES",
"AFL_KEEP_ASSEMBLY",


@ -714,9 +714,11 @@ struct afl_pass : gimple_opt_pass {
}
/* Returns the source file name attached to the function declaration F. If
there is no source location information, returns an empty string. */
std::string getSourceName(function *F) {
return DECL_SOURCE_FILE(F->decl);
return DECL_SOURCE_FILE(F->decl) ? DECL_SOURCE_FILE(F->decl) : "";
}
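Review bot: `DECL_SOURCE_FILE(F->decl)` is expanded twice in the new return expression of `getSourceName`; binding it once reads more clearly: `const char *fn = DECL_SOURCE_FILE(F->decl);` followed by `return fn ? fn : "";`. The added comment could also record why the check exists, e.g. `/* std::string must not be constructed from a null pointer */`.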


@ -58,6 +58,7 @@ static u8 debug;
static u8 cwd[4096];
static u8 cmplog_mode;
u8 use_stdin; /* dummy */
static int passthrough;
// static u8 *march_opt = CFLAGS_OPT;
enum {
@ -315,7 +316,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, shared_linking = 0,
preprocessor_only = 0, have_unroll = 0, have_o = 0, have_pic = 0,
have_c = 0, partial_linking = 0, wasm_linking = 0;
have_c = 0, partial_linking = 0;
cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
@ -826,7 +827,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "-E")) preprocessor_only = 1;
if (!strcmp(cur, "-shared")) shared_linking = 1;
if (!strcmp(cur, "-dynamiclib")) shared_linking = 1;
if (!strcmp(cur, "--target=wasm32-wasi")) wasm_linking = 1;
if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1;
if (!strcmp(cur, "-Wl,-r")) partial_linking = 1;
if (!strcmp(cur, "-Wl,-i")) partial_linking = 1;
if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1;
@ -845,8 +846,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
// e.g. compiled download or compiled from github then its ./lib directory
// might not be in the search path. Add it if so.
u8 *libdir = strdup(LLVM_LIBDIR);
if (plusplus_mode && !wasm_linking && strlen(libdir) &&
strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) {
if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) &&
strncmp(libdir, "/lib", 4)) {
cc_params[cc_par_cnt++] = "-rpath";
cc_params[cc_par_cnt++] = libdir;
@ -1034,7 +1035,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
"-D__AFL_LOOP(_A)="
"({ static volatile char *_B __attribute__((used)); "
"({ static volatile char *_B __attribute__((used,unused)); "
" _B = (char*)\"" PERSIST_SIG
"\"; "
#ifdef __APPLE__
@ -1048,7 +1049,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
"-D__AFL_INIT()="
"do { static volatile char *_A __attribute__((used)); "
"do { static volatile char *_A __attribute__((used,unused)); "
" _A = (char*)\"" DEFER_SIG
"\"; "
#ifdef __APPLE__
@ -1093,7 +1094,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
switch (bit_mode) {
case 0:
if (!shared_linking && !partial_linking && !wasm_linking)
if (!shared_linking && !partial_linking)
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt.o", obj_path);
if (lto_mode)
@ -1102,7 +1103,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
break;
case 32:
if (!shared_linking && !partial_linking && !wasm_linking) {
if (!shared_linking && !partial_linking) {
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
@ -1123,7 +1124,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
break;
case 64:
if (!shared_linking && !partial_linking && !wasm_linking) {
if (!shared_linking && !partial_linking) {
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
@ -1146,7 +1147,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
#if !defined(__APPLE__) && !defined(__sun)
if (!shared_linking && !partial_linking && !wasm_linking)
if (!shared_linking && !partial_linking)
cc_params[cc_par_cnt++] =
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif
@ -1179,7 +1180,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
int main(int argc, char **argv, char **envp) {
int i, passthrough = 0;
int i;
char *callname = argv[0], *ptr = NULL;
if (getenv("AFL_DEBUG")) {
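Review bot: `passthrough` is now a file-scope flag that `edit_params` sets as a side effect of its argument scan, and every `!wasm_linking` guard in the same function is removed, so for `--target=wasm32-wasi` the rpath, `afl-compiler-rt*.o` and `--dynamic-list` parameters are still appended to `cc_params`. That is only correct if `main` discards `cc_params` when `passthrough` is set, which happens outside these hunks; a comment on the declaration would record the contract, e.g. `/* set by edit_params(); when non-zero main() must run the compiler with the original argv */`. The match is an exact `strcmp` on one spelling, so other spellings of the same target option would not trigger passthrough. The `__attribute__((used,unused))` pairs also deserve a one-line comment saying which warning `unused` silences. `edit_params` and `main` both extend beyond the hunks shown.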


@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
u8 is_timeout = 0;
if (new_bits & 0xf0) {
new_bits -= 0x80;
is_timeout = 1;
}
size_t real_max_len =
MIN(max_description_len, sizeof(afl->describe_op_buf_256));
u8 *ret = afl->describe_op_buf_256;
@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
ret[len_current] = '\0';
ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2;
if (is_timeout) { size_left -= strlen(",+tout"); }
if (unlikely(size_left <= 0)) FATAL("filename got too long");
const char *custom_description =
@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
}
if (is_timeout) { strcat(ret, ",+tout"); }
if (new_bits == 2) { strcat(ret, ",+cov"); }
if (unlikely(strlen(ret) >= max_description_len))
@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
u8 fn[PATH_MAX];
u8 *queue_fn = "";
u8 new_bits = 0, keeping = 0, res, classified = 0;
u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0;
s32 fd;
u64 cksum = 0;
@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
classified = new_bits;
save_to_queue:
#ifndef SIMPLE_FILES
queue_fn = alloc_printf(
"%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,")));
queue_fn =
alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
describe_op(afl, new_bits + is_timeout,
NAME_MAX - strlen("id:000000,")));
#else
@ -596,7 +611,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
++afl->saved_tmouts;
is_timeout = 0x80;
#ifdef INTROSPECTION
if (afl->custom_mutators_count && afl->current_custom_fuzz) {
@ -647,7 +662,20 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; }
if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) {
if (afl->afl_env.afl_keep_timeouts) {
++afl->saved_tmouts;
goto save_to_queue;
} else {
return keeping;
}
}
}
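Review bot: In the last hunk of `save_if_interesting`, the new `goto save_to_queue` is taken whenever `afl->afl_env.afl_keep_timeouts` is set and the outer condition holds, and that condition includes `afl->stop_soon`, so an input can be queued while the fuzzer is shutting down; testing it first, `if (afl->stop_soon) { return keeping; }`, keeps the old behaviour for that case. The `++afl->saved_tmouts` added there appears to count the same input a second time, since the hunk at line 611 already increments it before `is_timeout = 0x80` (the code between the hunks is not shown, so confirm). In `describe_op`, the test `new_bits & 0xf0` is wider than the single flag `0x80` that is subtracted; `if (new_bits & 0x80) { new_bits &= 0x7f; is_timeout = 1; }` matches the encoding, and a named constant for `0x80` shared by both functions would document it. Both functions extend outside the hunks.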


@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_hang_tmout =
(u8 *)get_afl_env(afl_environment_variables[i]);
} else if (!strncmp(env, "AFL_KEEP_TIMEOUTS",
afl_environment_variable_len)) {
afl->afl_env.afl_keep_timeouts =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",
afl_environment_variable_len)) {


@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length,
OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length,
afl->max_length);
u32 min_alloc = MAX(64U, afl->min_length);
afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc);


@ -1 +1 @@
a44fa94488d01aba60401ccf81f8bebcce685bf2
09ad7d4784e50ec4ddf590a2c29764e2a7f37442


@ -15,7 +15,7 @@ V ?= 0
CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include
LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lpthread -lm -lunicornafl -lunicorn -lc++
LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicorn -lunicornafl -lpthread -lm -lstdc++
ifeq ($(UNAME), Linux)
# do something Linux-y
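Review bot: The new `LDFLAGS` line lists `-lunicorn` before `-lunicornafl`, while the otherwise identical Makefile in the next file section uses `-lunicornafl -lunicorn`; with static archives the linker resolves left to right, so the library that depends on the other (presumably unicornafl) has to come first, and the two files should agree. `-lstdc++` hard-codes the GNU C++ runtime, which will not link where the toolchain ships only libc++, so consider selecting it per `$(UNAME)` in the `ifeq` block that follows. Libraries conventionally go in `LDLIBS` rather than `LDFLAGS` so that they land after the objects on the link line.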


@ -15,7 +15,7 @@ V ?= 0
CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include
LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lpthread -lm -lunicornafl -lunicorn -lc++
LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicornafl -lunicorn -lpthread -lm -lstdc++
ifeq ($(UNAME), Linux)
# do something Linux-y

@ -1 +1 @@
Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2
Subproject commit c3e15a7d44101ff288abe114b7954ce6cfa070b1


@ -19,9 +19,10 @@ HELPER_PATH = $(PREFIX)/lib/afl
VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2)
CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2
override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE)
CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE)
CFLAGS += $(CFLAGS_ADD)
all: libdislocator.so
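Review bot: Dropping `override` from `CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` means a command-line `make CFLAGS=...` now replaces the whole variable, so the include path is lost, and the new `CFLAGS += $(CFLAGS_ADD)` line is ignored as well, which leaves `USEHUGEPAGE=1` and `USENAMEDPAGE=1` without effect in that invocation. Keep the required flags forced: `override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` and `override CFLAGS += $(CFLAGS_ADD)`. If the recipe, which is outside this hunk, already passes `$(CFLAGS_ADD)` on its own, the second line duplicates the defines.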


@ -29,6 +29,9 @@ heap-related security bugs in several ways:
- Optionally, in platforms supporting it, huge pages can be used by passing
`USEHUGEPAGE=1` to make.
- Optionally, in platforms supporting it, `named` pages can be used by passing
`USENAMEDPAGE=1` to make.
- Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In
this case, a tail canary is inserted in the padding bytes at the end of the
allocated zone. This reduce the ability of libdislocator to detect
@ -64,4 +67,4 @@ require AFL-instrumented binaries to work.
Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or
DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
dynamically linked. Otherwise, attempting to use the library will have no
effect.
effect.


@ -39,6 +39,7 @@
#if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__)
#include <unistd.h>
#include <sys/prctl.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <malloc.h>
@ -66,6 +67,10 @@
} while (0)
#endif
#ifndef PR_SET_VMA
#define PR_SET_VMA 0x53564d41
#define PR_SET_VMA_ANON_NAME 0
#endif
#endif
#include "config.h"
@ -251,6 +256,20 @@ static void *__dislocator_alloc(size_t len) {
}
#if defined(USENAMEDPAGE)
#if defined(__linux__)
// in the /proc/<pid>/maps file, the anonymous page appears as
// `<start>-<end> ---p 00000000 00:00 0 [anon:libdislocator]`
if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen,
(unsigned long)"libdislocator") < 0) {
DEBUGF("prctl() failed");
}
#endif
#endif
/* Set PROT_NONE on the last page. */
if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
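Review bot: `#include <sys/prctl.h>` is added above the `#ifdef __linux__` line, inside a block that is also compiled for `__HAIKU__` (which may not provide that header) and is skipped for Android, whereas the new `prctl()` call is guarded only by `defined(__linux__)`. Moving the include next to `<sys/syscall.h>` inside `#ifdef __linux__`, and making sure both it and the `PR_SET_VMA` fallback are reachable wherever the call is compiled, keeps the guards consistent. The fallback `#define PR_SET_VMA 0x53564d41` merits a short comment naming the kernel header it mirrors. On kernels that reject the request, `DEBUGF("prctl() failed")` will fire on every allocation, so a comment stating that the failure is expected and harmless there would help. `__dislocator_alloc` continues outside the hunk.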