From 3fc03d4b6b6b7a0718a9ab9514ea3afdebc868f1 Mon Sep 17 00:00:00 2001 From: lazymio Date: Mon, 4 Apr 2022 11:45:49 +0200 Subject: [PATCH 01/29] Fix unicornafl static build Signed-off-by: lazymio --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/samples/c/Makefile | 2 +- unicorn_mode/unicornafl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index fe7be8e1..16f7e4ac 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -a44fa94488d01aba60401ccf81f8bebcce685bf2 +baf52ac2cf4fb005014f1b9527005a06a369c7f5 diff --git a/unicorn_mode/samples/c/Makefile b/unicorn_mode/samples/c/Makefile index fd6dbe77..3362654d 100644 --- a/unicorn_mode/samples/c/Makefile +++ b/unicorn_mode/samples/c/Makefile @@ -15,7 +15,7 @@ V ?= 0 CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include -LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lpthread -lm -lunicornafl -lunicorn -lc++ +LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicorn-static -lunicornafl -lm -lpthread -lstdc++ ifeq ($(UNAME), Linux) # do something Linux-y diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..baf52ac2 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit baf52ac2cf4fb005014f1b9527005a06a369c7f5 From 8385bc794a43dbb5f9a5a68189bb9a540f790bca Mon Sep 17 00:00:00 2001 From: Michael Rodler Date: Mon, 4 Apr 2022 13:26:52 +0200 Subject: [PATCH 02/29] make flag to avoid building nyx mode --- GNUmakefile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/GNUmakefile b/GNUmakefile index d31c52da..3301a915 100644 --- a/GNUmakefile +++ b/GNUmakefile 
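Review bot: In the new LDFLAGS line `-lunicorn-static` is placed before `-lunicornafl`; single-pass linkers resolve archives left to right, so if libunicornafl is the static archive this "static build" fix targets, its references into libunicorn are never satisfied and the order a static link needs is `-lunicornafl -lunicorn-static`. Patch 14 re-touches this line with the same ordering (`-lunicorn -lunicornafl`) while patch 15 puts the persistent sample the other way round (`-lunicornafl -lunicorn`), so the two samples end up inconsistent; picking the persistent sample's order for both would settle it. The dependency direction (unicornafl calling into unicorn) is inferred, not visible in the hunk.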
@@ -625,7 +625,9 @@ ifeq "$(ARCH)" "aarch64" -$(MAKE) -C coresight_mode endif ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh +endif endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -645,7 +647,9 @@ ifeq "$(ARCH)" "aarch64" -$(MAKE) -C coresight_mode endif ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh +endif endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -661,8 +665,10 @@ endif -$(MAKE) -C utils/libtokencap # -$(MAKE) -C utils/plot_ui ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh endif +endif %.8: % @echo .TH $* 8 $(BUILD_DATE) "afl++" > $@ From bf5b90f95a11090fdbda0da7468f657125cd4fab Mon Sep 17 00:00:00 2001 From: Michael Rodler Date: Wed, 6 Apr 2022 14:20:36 +0200 Subject: [PATCH 03/29] added NO_NYX flag to docs and help message --- GNUmakefile | 1 + docs/INSTALL.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/GNUmakefile b/GNUmakefile index 3301a915..ec81cbac 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -373,6 +373,7 @@ help: @echo INTROSPECTION - compile afl-fuzz with mutation introspection @echo NO_PYTHON - disable python support @echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing + @echo NO_NYX - disable building nyx mode dependencies @echo AFL_NO_X86 - if compiling on non-intel/amd platforms @echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)" @echo "==========================================" diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 3fa7fd13..348b681e 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md 
@@ -80,6 +80,7 @@ These build options exist: * NO_PYTHON - disable python support * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing +* NO_NYX - disable building nyx mode dependencies * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian) @@ -178,4 +179,4 @@ sysctl kern.sysv.shmall=98304 See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) -for documentation for these settings and how to make them permanent. \ No newline at end of file +for documentation for these settings and how to make them permanent. From 3ccebbf9c5b19c0afd1ad72114b61057db290d55 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Wed, 6 Apr 2022 17:30:27 +0200 Subject: [PATCH 04/29] Typo --- docs/Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index d50a679b..2406e7ba 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -20,7 +20,7 @@ sending a mail to . - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent mode and manual forkserver support if these are not in the target binary (e.g. are in a shared library) - - add AFL_EARY_FORKSERVER to install the forkserver as earliest as + - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) - document and auto-activate pizza mode on condition From 3261e86a3a5f5d2078a88b955f2a61cea99d7ed6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 7 Apr 2022 09:43:51 +0200 Subject: [PATCH 05/29] save timeouts --- src/afl-fuzz-bitmap.c | 30 +++++++++++++++++++++++++----- unicorn_mode/unicornafl | 2 +- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index e4124bf5..cdcc1d4a 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { + u8 is_timeout = 0; + + if (new_bits & 0xf0) { + + new_bits -= 0x80; + is_timeout = 1; + + } + size_t real_max_len = MIN(max_description_len, sizeof(afl->describe_op_buf_256)); u8 *ret = afl->describe_op_buf_256; @@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { ret[len_current] = '\0'; ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2; + if (is_timeout) { size_left -= strlen(",+tout"); } if (unlikely(size_left <= 0)) FATAL("filename got too long"); const char *custom_description = @@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { } + if (is_timeout) { strcat(ret, ",+tout"); } + if (new_bits == 2) { strcat(ret, ",+cov"); } if (unlikely(strlen(ret) >= max_description_len)) @@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 fn[PATH_MAX]; u8 *queue_fn = ""; - u8 new_bits = 0, keeping = 0, res, classified = 0; + u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0; s32 fd; u64 cksum = 0; @@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { classified = new_bits; + save_to_queue: + #ifndef SIMPLE_FILES - queue_fn = alloc_printf( - "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, - describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); + queue_fn = + alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, + describe_op(afl, new_bits + is_timeout, + NAME_MAX - strlen("id:000000,"))); #else @@ -597,6 +612,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } ++afl->saved_tmouts; + is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { 
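Review bot: The timeout flag is tested with one mask and cleared with another: `if (new_bits & 0xf0)` accepts any of bits 4–7 but `new_bits -= 0x80` only removes bit 7, so a `u8` value with a different high bit set (nothing in this hunk produces one, but the parameter type permits it) would wrap instead of being cleared. Test and clear the same bit, `if (new_bits & 0x80) { new_bits &= 0x7f; is_timeout = 1; }`, and give the flag a named constant shared with the `is_timeout = 0x80` assignment in save_if_interesting so the two sides cannot drift. Packing the flag into the high bit of the `new_bits` argument (`new_bits + is_timeout` at the call site) deserves a comment on describe_op's declaration, since the other call sites, outside this hunk, presumably still pass plain values. describe_op's body and save_if_interesting both continue outside this hunk.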
@@ -647,7 +663,11 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; } + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + + goto save_to_queue; + + } } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e From 9933a6f3ab6c5b02c9f108dded6eb93ed59d2941 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 7 Apr 2022 10:21:44 +0200 Subject: [PATCH 06/29] update grammar mutator --- custom_mutators/grammar_mutator/GRAMMAR_VERSION | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION index 93f9321c..2568c6a5 100644 --- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION +++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION @@ -1 +1 @@ -cbe5e32 +ff4e5a2 diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index cbe5e327..ff4e5a26 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff +Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 From 891f4d3c8e58ed06b0131673f9c58606f5d99978 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 09:31:39 +0200 Subject: [PATCH 07/29] correct counting for tmouts --- src/afl-fuzz-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index cdcc1d4a..0f6f0778 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
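Review bot: After `goto save_to_queue` the saved-timeout path does not return: once the queue-entry block it jumps into ends (`keeping = 1; }`), control continues into the `switch (fault)` that follows it — that switch is outside this hunk, so this is inferred from the function's layout — and re-enters `case FSRV_RUN_TMOUT` for the same input, bumping `total_tmouts` a second time and re-running the target with `hang_tmout`. In instrumented mode the `has_new_bits(virgin_tmout)` gate will usually stop the second pass, but in non-instrumented mode that gate is skipped and nothing appears to prevent taking this goto again. A one-line guard directly after the queue-entry block, `if (unlikely(is_timeout)) { return keeping; }`, closes the loop. The hunks in patches 07 and 09 rework these lines and keep the goto, so the same applies there; save_if_interesting begins and ends outside this hunk.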
@@ -611,7 +611,6 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - ++afl->saved_tmouts; is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -665,6 +664,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + ++afl->saved_tmouts; goto save_to_queue; } From 396de6fc9c49e6865b3130489ed39c7ea47540d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Poulhi=C3=A8s?= Date: Thu, 3 Mar 2022 13:05:17 +0100 Subject: [PATCH 08/29] Fix GCC plugin crash when using deny/allow list The provided function declaration F may not have valid location information. Return an empty string in this case as the two callers are already using this convention to filter out functions from being instrumented when deny/allow list are used. --- instrumentation/afl-gcc-pass.so.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 734fa170..bb5483fc 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -714,9 +714,11 @@ struct afl_pass : gimple_opt_pass { } + /* Returns the source file name attached to the function declaration F. If + there is no source location information, returns an empty string. */ std::string getSourceName(function *F) { - return DECL_SOURCE_FILE(F->decl); + return DECL_SOURCE_FILE(F->decl) ? DECL_SOURCE_FILE(F->decl) : ""; } From e9288bcfad6e350b6f3e85d45a42bae5aea480c1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 22:44:10 +0200 Subject: [PATCH 09/29] add AFL_KEEP_TIMEOUTS --- docs/Changelog.md | 3 +++ docs/env_variables.md | 3 +++ include/afl-fuzz.h | 2 +- include/envs.h | 1 + src/afl-fuzz-bitmap.c | 12 ++++++++++-- src/afl-fuzz-state.c | 7 +++++++ 6 files changed, 25 insertions(+), 3 deletions(-) 
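Review bot: In getSourceName the macro expression `DECL_SOURCE_FILE(F->decl)` is now evaluated twice in one return statement; binding it once is clearer and avoids the repeated expansion: `const char *file = DECL_SOURCE_FILE(F->decl); return file ? file : "";`. The comment added above the function is welcome; it could also state that the empty string is what the allow/deny-list callers treat as "do not instrument", which the commit message explains but the code does not. The enclosing `struct afl_pass` starts and ends outside this hunk.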
diff --git a/docs/Changelog.md b/docs/Changelog.md index 2406e7ba..689cc94b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -23,6 +23,9 @@ sending a mail to . - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - "saved timeouts" was wrong information, timeouts are still thrown + away by default even if they have new coverage (hangs are always + kept), unless AFL_KEEP_TIMEOUTS are set - document and auto-activate pizza mode on condition - afl-cc: - converted all passed to use the new llvm pass manager for llvm 11+ diff --git a/docs/env_variables.md b/docs/env_variables.md index 9ffb08e7..fe9c6e07 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! + - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach + new coverage + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which does not allow crashes or timeout seeds in the initial -i corpus. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4f4d63b2..8bb61e22 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -385,7 +385,7 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, - afl_pizza_mode; + afl_keep_timeouts, afl_pizza_mode; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/envs.h b/include/envs.h index 1746f946..25b792fa 100644 --- a/include/envs.h +++ b/include/envs.h 
@@ -106,6 +106,7 @@ static char *afl_environment_variables[] = { "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO", + "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0f6f0778..7c2b35d6 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -664,8 +664,16 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { - ++afl->saved_tmouts; - goto save_to_queue; + if (afl->afl_env.afl_keep_timeouts) { + + ++afl->saved_tmouts; + goto save_to_queue; + + } else { + + return keeping; + + } } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 5924dd7b..47e39762 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_hang_tmout = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_keep_timeouts = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", afl_environment_variable_len)) { From d8317182ef5e2afbff56de697be85b10a4abece1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 23:10:35 +0200 Subject: [PATCH 10/29] update fuzzing in depth --- docs/fuzzing_in_depth.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index cff00f77..2bbfa1c1 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -911,16 +911,17 @@ normal fuzzing campaigns as these are much shorter runnings. * Keep the generated corpus, use afl-cmin and reuse it every time! 2. Additionally randomize the AFL++ compilation options, e.g.: - * 40% for `AFL_LLVM_CMPLOG` - * 10% for `AFL_LLVM_LAF_ALL` + * 30% for `AFL_LLVM_CMPLOG` + * 5% for `AFL_LLVM_LAF_ALL` 3. Also randomize the afl-fuzz runtime options, e.g.: * 65% for `AFL_DISABLE_TRIM` + * 50% for `AFL_KEEP_TIMEOUTS` * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` * 40% use MOpt (`-L 0`) * 40% for `AFL_EXPAND_HAVOC_NOW` * 20% for old queue processing (`-Z`) - * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3` + * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT` 4. Do *not* run any `-M` modes, just running `-S` modes is better for CI fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing From 5d4b0938d5c3ddad18c85c1f2a4c516d46bbf243 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 23:28:01 +0200 Subject: [PATCH 11/29] link https://github.com/fuzzah/exeptor --- docs/fuzzing_in_depth.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 2bbfa1c1..2c27dfe1 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -333,6 +333,9 @@ is a non-standard way to set this, otherwise set up the build normally and edit the generated build environment afterwards manually to point it to the right compiler (and/or `RANLIB` and `AR`). +In complex, weird, alien build systems you can try this neat project: +[https://github.com/fuzzah/exeptor](https://github.com/fuzzah/exeptor) + #### Linker scripts If the project uses linker scripts to hide the symbols exported by the From ce1fc4b27d6fd7e6068eb8501309bbb097e6a136 Mon Sep 17 00:00:00 2001 From: Cornul11 Date: Mon, 11 Apr 2022 19:30:06 +0200 Subject: [PATCH 12/29] updated citation --- CITATION.cff | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/CITATION.cff b/CITATION.cff index efd6cad8..45658ac2 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -14,9 +14,9 @@ authors: family-names: Meier email: mail@dmnk.co title: "AFL++" -version: 3.14 +version: 4.00c type: software -date-released: 2021-07-19 +date-released: 2022-01-26 url: "https://github.com/AFLplusplus/AFLplusplus" keywords: - fuzzing From 6aa470d641638a74fe254dea5a51c5ab3d7571a5 Mon Sep 17 00:00:00 2001 From: lazymio Date: Tue, 12 Apr 2022 22:57:36 +0200 Subject: [PATCH 13/29] Sync unicornafl --- unicorn_mode/UNICORNAFL_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 16f7e4ac..f0c5c1e0 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -baf52ac2cf4fb005014f1b9527005a06a369c7f5 +c3e15a7d44101ff288abe114b7954ce6cfa070b1 From 2263989e125bb9e7fbbe2f759e00c969ab227a38 Mon Sep 17 00:00:00 2001 From: lazymio Date: Tue, 12 Apr 2022 22:57:43 +0200 Subject: [PATCH 14/29] Fix linkage --- unicorn_mode/samples/c/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/samples/c/Makefile b/unicorn_mode/samples/c/Makefile index 3362654d..c3ea5940 100644 --- a/unicorn_mode/samples/c/Makefile +++ b/unicorn_mode/samples/c/Makefile @@ -15,7 +15,7 @@ V ?= 0 CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include -LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicorn-static -lunicornafl -lm -lpthread -lstdc++ +LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicorn -lunicornafl -lpthread -lm -lstdc++ ifeq ($(UNAME), Linux) # do something Linux-y From 0540382c410a57d9cddf509171c0cf6391e47be2 Mon Sep 17 00:00:00 2001 From: lazymio Date: Wed, 13 Apr 2022 00:43:47 +0200 Subject: [PATCH 15/29] Fix persistant sample build --- unicorn_mode/samples/persistent/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile index 35584416..a1dc9b26 100644 --- a/unicorn_mode/samples/persistent/Makefile +++ b/unicorn_mode/samples/persistent/Makefile @@ -15,7 +15,7 @@ V ?= 0 CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include -LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lpthread -lm -lunicornafl -lunicorn -lc++ +LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicornafl -lunicorn -lpthread -lm -lstdc++ ifeq ($(UNAME), Linux) # do something Linux-y From 57db3e7f4f814c7b32a0aff7367057ffb0d12ebd Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 13 Apr 2022 13:11:17 +0200 Subject: [PATCH 16/29] afl-cmin: quote program arguments Quote the program arguments in the system() function to allow them to contain spaces. --- afl-cmin | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/afl-cmin b/afl-cmin index 879aead2..853c9398 100755 --- a/afl-cmin +++ b/afl-cmin @@ -217,7 +217,7 @@ BEGIN { for (; Optind < ARGC; Optind++) { prog_args[i++] = ARGV[Optind] if (i > 1) - prog_args_string = prog_args_string" "ARGV[Optind] + prog_args_string = prog_args_string" '"ARGV[Optind]"'" } # sanity checks From 8971c9a5ce5bebd235caa4e785b019ae057c0722 Mon Sep 17 00:00:00 2001 From: yuawn Date: Thu, 14 Apr 2022 11:26:54 +0000 Subject: [PATCH 17/29] update llvm version in INSTALL.md --- docs/INSTALL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 348b681e..01343b7f 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md 
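Review bot: Single-quoting each argument handles spaces but not an argument that itself contains a `'`: the quote closes early and the remainder is interpreted by the shell that `system()` spawns, so such an argument is still mangled. Escape embedded quotes before wrapping, e.g. `a = ARGV[Optind]; gsub(/'/, "'\"'\"'", a); prog_args_string = prog_args_string " '" a "'"`, which keeps the replacement free of `&` and backslash so gsub's replacement rules do not interfere. `prog_args[]` still holds the raw value, which is what the later per-argument use presumably wants; the BEGIN block continues outside this hunk.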
@@ -21,8 +21,8 @@ is to build and install everything: ```shell sudo apt-get update sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools -# try to install llvm 11 and install the distro default if that fails -sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang +# try to install llvm 12 and install the distro default if that fails +sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev sudo apt-get install -y ninja-build # for QEMU mode git clone https://github.com/AFLplusplus/AFLplusplus From 6e790552fe7a1f34e584160ceef051b6f66b7ce4 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 15 Apr 2022 17:34:19 +0100 Subject: [PATCH 18/29] libdislocator, new option to name an anonymous address range. For performance matter tough, disabled by default. --- unicorn_mode/unicornafl | 2 +- utils/libdislocator/Makefile | 3 ++- utils/libdislocator/README.md | 5 ++++- utils/libdislocator/libdislocator.so.c | 18 ++++++++++++++++++ 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index d4915053..a44fa944 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e +Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 diff --git a/utils/libdislocator/Makefile b/utils/libdislocator/Makefile index f0b4bb72..6bfb79ec 100644 --- a/utils/libdislocator/Makefile +++ b/utils/libdislocator/Makefile 
@@ -19,9 +19,10 @@ HELPER_PATH = $(PREFIX)/lib/afl VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2) CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 -override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign +CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE) +CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE) CFLAGS += $(CFLAGS_ADD) all: libdislocator.so diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index 68ac9143..e4934b5d 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -29,6 +29,9 @@ heap-related security bugs in several ways: - Optionally, in platforms supporting it, huge pages can be used by passing `USEHUGEPAGE=1` to make. + - Optionally, in platforms supporting it, `named` pages can be used by passing + `USENAMEDPAGE=1` to make. + - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In this case, a tail canary is inserted in the padding bytes at the end of the allocated zone. This reduce the ability of libdislocator to detect @@ -64,4 +67,4 @@ require AFL-instrumented binaries to work. Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is dynamically linked. Otherwise, attempting to use the library will have no -effect. \ No newline at end of file +effect. diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 103da9d5..72fafa4b 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -39,6 +39,7 @@ #if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__) #include + #include #ifdef __linux__ #include #include @@ -66,6 +67,10 @@ } while (0) #endif + #ifndef PR_SET_VMA + #define PR_SET_VMA 0x53564d41 + #define PR_SET_VMA_ANON_NAME 0 + #endif #endif #include "config.h" 
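Review bot: Dropping `override` from `CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` changes behaviour for anyone who passes `CFLAGS=...` on the make command line: GNU make ignores a plain `+=` in the makefile for a variable set on the command line, so that invocation would lose the include path and `-Wno-pointer-sign` (the `CFLAGS ?=` line above is unaffected either way). If the intent was only to add the `USENAMEDPAGE` switch, keep `override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign`, and the same reasoning suggests `override CFLAGS += $(CFLAGS_ADD)` so `USEHUGEPAGE`/`USENAMEDPAGE` survive a command-line CFLAGS too. Whether `override` was there for that reason is inferred from the hunk alone.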
@@ -251,6 +256,19 @@ static void *__dislocator_alloc(size_t len) { } +#if defined(USENAMEDPAGE) +#if defined(__linux__) + // in the /proc//maps file, the anonymous page appears as + // `- ---p 00000000 00:00 0 [anon:libdislocator]` + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, + (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + + DEBUGF("prctl() failed"); + + } +#endif +#endif + /* Set PROT_NONE on the last page. */ if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) From b1da7500b2ef915887322d4a1903fe981d49acb5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:06:13 +0200 Subject: [PATCH 19/29] fix msg --- instrumentation/cmplog-instructions-pass.cc | 79 ++++++++++++++++++++- instrumentation/cmplog-routines-pass.cc | 2 + src/afl-fuzz.c | 2 +- 3 files changed, 79 insertions(+), 4 deletions(-) diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 4d37bcb2..e21289b4 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -32,9 +32,15 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 + #include "llvm/Pass.h" + #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" + #include "llvm/Analysis/EHPersonalities.h" + #include "llvm/Analysis/PostDominators.h" + #include "llvm/Analysis/LoopInfo.h" + #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -64,7 +70,10 @@ using namespace llvm; namespace { +using LoopInfoCallback = function_ref; + #if LLVM_MAJOR >= 11 /* use new pass manager */ + class CmpLogInstructions : public PassInfoMixin { public: 
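Review bot: `prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, …)` is only honoured by kernels that implement it (mainline from 5.17, earlier only Android kernels); on anything older the call fails with EINVAL on every allocation, so with `USENAMEDPAGE=1` the `DEBUGF("prctl() failed")` fires for each `__dislocator_alloc` call and the name is never applied. Reporting once, or only for errors other than EINVAL, keeps the debug output useful, e.g. `if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0 && errno != EINVAL) { DEBUGF("prctl() failed: %s", strerror(errno)); }` (DEBUGF taking printf-style arguments is inferred from its other uses in this file). The comment's `/proc//maps` looks like it lost its pid component; `/proc/<pid>/maps` is what readers will look for. `__dislocator_alloc` starts and ends outside this hunk.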
@@ -88,6 +97,7 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ + PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; @@ -106,7 +116,8 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); + unsigned int instrumented = 0; }; @@ -153,7 +164,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M) { +bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { std::vector icomps; LLVMContext & C = M.getContext(); 
@@ -290,14 +301,62 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (!isInInstrumentList(&F, MNAME)) continue; + std::vector lcomps; + const LoopInfo * LI = LCallback(F); +#if 0 + for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; + BasicBlock *In, *Out; + bool ok = false ; L->getIncomingAndBackEdge(In, Out); + if (ok) { + + BasicBlock *decisionBB = In->getSingleSuccessor(); + + if (decisionBB) { + + /* + std::string errMsg1; + raw_string_ostream os1(errMsg1); + In->print(os1); + fprintf(stderr, "In: %s\n", os1.str().c_str()); + std::string errMsg2; + raw_string_ostream os2(errMsg2); + Out->print(os2); + fprintf(stderr, "Out: %s\n", os2.str().c_str()); + std::string errMsg3; + raw_string_ostream os3(errMsg3); + decisionBB->print(os3); + fprintf(stderr, "Dec: %s\n", os3.str().c_str()); + */ + lcomps.push_back(decisionBB); + + } + + } + } +#endif + + + // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), + // lcomps.size()); + for (auto &BB : F) { + if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { + + fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); + + continue; + + } + for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); + fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } @@ -644,6 +703,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { break; } + + ++instrumented; } @@ -657,6 +718,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } } + + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) return true; 
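Review bot: `const LoopInfo * LI = LCallback(F);` is only read inside the `#if 0` block, so as committed it is an unused variable that still requests a loop analysis for every function, and the three `fprintf(stderr, …)` calls added here (`skipping:`, `Found icomp`, `instrumented:`) print during every compile regardless of `be_quiet`/AFL_QUIET; the same holds for `done cmplog-instructions-pass` in the run hunk below and `done cmplog-routines-pass` in cmplog-routines-pass.cc. Either drop the prints before merging or gate them, e.g. `if (!be_quiet) fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size());`, and move the `LI` lookup inside the disabled block. The `std::find` over `lcomps` per basic block is harmless while the list stays empty but becomes quadratic once the `#if 0` code is enabled; a `SmallPtrSet` keeps that lookup O(1). hookInstrs starts and ends outside this hunk.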
@@ -678,9 +741,19 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - hookInstrs(M); + + auto &FAM = MAM.getResult(M).getManager(); + auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { + + return &FAM.getResult(F); + + }; + + hookInstrs(M, LoopCallback); verifyModule(M); + fprintf(stderr, "done cmplog-instructions-pass\n"); + #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 8205cfb0..708a94bc 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,6 +761,8 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); + fprintf(stderr, "done cmplog-routines-pass\n"); + #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92243fbb..c5ab364a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) { } - OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length, + OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length, afl->max_length); u32 min_alloc = MAX(64U, afl->min_length); afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc); From 1d00bde6c508ed86366e4a7d3730e6d1203bcb60 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:11:19 +0200 Subject: [PATCH 20/29] code format --- custom_mutators/symcc/README.md | 5 ++++- frida_mode/src/instrument/instrument_arm64.c | 4 ++-- frida_mode/src/instrument/instrument_x64.c | 3 ++- instrumentation/cmplog-instructions-pass.cc | 12 +++++++----- utils/libdislocator/libdislocator.so.c | 9 +++++---- 5 files changed, 20 insertions(+), 13 deletions(-) 
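Review bot: `auto &FAM = MAM.getResult(M).getManager();` sits before the `#if LLVM_MAJOR >= 11` return split at the end of the hunk, which suggests this body is shared with the legacy `runOnModule(Module &M)` signature named in the hunk header; in that configuration no `MAM` parameter exists and the pass would no longer compile for LLVM < 11. The loop-info lookup should live under the new-pass-manager branch, with the legacy path handing `hookInstrs` an equivalent callback or a null one that `hookInstrs` checks. The `fprintf(stderr, "done cmplog-instructions-pass\n")` here and the matching `"done cmplog-routines-pass\n"` in the next hunk also print unconditionally regardless of `be_quiet`. The enclosing function starts outside this hunk.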
diff --git a/custom_mutators/symcc/README.md b/custom_mutators/symcc/README.md index 337362ae..364a348e 100644 --- a/custom_mutators/symcc/README.md +++ b/custom_mutators/symcc/README.md @@ -1,6 +1,9 @@ # custum mutator: symcc -This uses the excellent symcc to find new paths into the target. +This uses the symcc to find new paths into the target. + +Note that this is a just a proof of concept example! It is better to use +the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this. To use this custom mutator follow the steps in the symcc repository [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index e6251cb4..2bc8f8aa 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -18,8 +18,8 @@ #if defined(__aarch64__) -gboolean instrument_cache_enabled = FALSE; -gsize instrument_cache_size = 0; +gboolean instrument_cache_enabled = FALSE; +gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; __attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index d54c8353..f02c971e 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; - /* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ + /* guint64 area_offset = + * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ if (instrument_previous_pc_addr == NULL) { GumAddressSpec spec = {.near_address = cw->code, diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index e21289b4..85d48835 100644 
--- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -116,7 +116,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); unsigned int instrumented = 0; }; @@ -305,6 +305,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { const LoopInfo * LI = LCallback(F); #if 0 for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; BasicBlock *In, *Out; bool ok = false ; L->getIncomingAndBackEdge(In, Out); @@ -333,9 +334,10 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } - } -#endif + } + +#endif // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), // lcomps.size()); @@ -703,7 +705,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { break; } - + ++instrumented; } @@ -718,7 +720,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } - + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 72fafa4b..bd08a678 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -257,16 +257,17 @@ static void *__dislocator_alloc(size_t len) { } #if defined(USENAMEDPAGE) -#if defined(__linux__) + #if defined(__linux__) // in the /proc//maps file, the anonymous page appears as // `- ---p 00000000 00:00 0 [anon:libdislocator]` - if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, - (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, + (unsigned long)"libdislocator") < 0) { DEBUGF("prctl() failed"); } -#endif + + #endif #endif /* Set PROT_NONE on the last page. */ 
From 4f42ecd8150f9b72e0fef37292572b7ad3ef6870 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:16:10 +0200 Subject: [PATCH 21/29] remove WIP code --- .../grammar_mutator/grammar_mutator | 2 +- instrumentation/cmplog-instructions-pass.cc | 81 +------------------ instrumentation/cmplog-routines-pass.cc | 2 - unicorn_mode/unicornafl | 2 +- 4 files changed, 5 insertions(+), 82 deletions(-) diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index ff4e5a26..cbe5e327 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 +Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 85d48835..4d37bcb2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -32,15 +32,9 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 - #include "llvm/Pass.h" - #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" - #include "llvm/Analysis/EHPersonalities.h" - #include "llvm/Analysis/PostDominators.h" - #include "llvm/Analysis/LoopInfo.h" - #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -70,10 +64,7 @@ using namespace llvm; namespace { -using LoopInfoCallback = function_ref; - #if LLVM_MAJOR >= 11 /* use new pass manager */ - class CmpLogInstructions : public PassInfoMixin { public: @@ -97,7 +88,6 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ - PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; 
@@ -116,8 +106,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); - unsigned int instrumented = 0; + bool hookInstrs(Module &M); }; @@ -164,7 +153,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { +bool CmpLogInstructions::hookInstrs(Module &M) { std::vector icomps; LLVMContext & C = M.getContext(); @@ -301,64 +290,14 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { if (!isInInstrumentList(&F, MNAME)) continue; - std::vector lcomps; - const LoopInfo * LI = LCallback(F); -#if 0 - for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { - - Loop * L = *I; - BasicBlock *In, *Out; - bool ok = false ; L->getIncomingAndBackEdge(In, Out); - if (ok) { - - BasicBlock *decisionBB = In->getSingleSuccessor(); - - if (decisionBB) { - - /* - std::string errMsg1; - raw_string_ostream os1(errMsg1); - In->print(os1); - fprintf(stderr, "In: %s\n", os1.str().c_str()); - std::string errMsg2; - raw_string_ostream os2(errMsg2); - Out->print(os2); - fprintf(stderr, "Out: %s\n", os2.str().c_str()); - std::string errMsg3; - raw_string_ostream os3(errMsg3); - decisionBB->print(os3); - fprintf(stderr, "Dec: %s\n", os3.str().c_str()); - */ - lcomps.push_back(decisionBB); - - } - - } - - } - -#endif - - // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), - // lcomps.size()); - for (auto &BB : F) { - if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { - - fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); - - continue; - - } - for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); - fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } 
@@ -706,8 +645,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - ++instrumented; - } /* else fprintf(stderr, "skipped\n"); */ @@ -721,8 +658,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); - if (icomps.size()) return true; else @@ -743,19 +678,9 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - - auto &FAM = MAM.getResult(M).getManager(); - auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { - - return &FAM.getResult(F); - - }; - - hookInstrs(M, LoopCallback); + hookInstrs(M); verifyModule(M); - fprintf(stderr, "done cmplog-instructions-pass\n"); - #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 708a94bc..8205cfb0 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,8 +761,6 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); - fprintf(stderr, "done cmplog-routines-pass\n"); - #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e From 630eb943a539dd423d005466520d06e8420fa6ba Mon Sep 17 00:00:00 2001 From: Jesse Schwartzentruber Date: Wed, 20 Apr 2022 15:38:37 -0400 Subject: [PATCH 22/29] use passthrough mode for wasm --- src/afl-cc.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index ffdda386..a383dd4e 100644 --- a/src/afl-cc.c 
+++ b/src/afl-cc.c @@ -58,6 +58,7 @@ static u8 debug; static u8 cwd[4096]; static u8 cmplog_mode; u8 use_stdin; /* dummy */ +static int passthrough; // static u8 *march_opt = CFLAGS_OPT; enum { @@ -315,7 +316,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, shared_linking = 0, preprocessor_only = 0, have_unroll = 0, have_o = 0, have_pic = 0, - have_c = 0, partial_linking = 0, wasm_linking = 0; + have_c = 0, partial_linking = 0; cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); @@ -826,7 +827,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; - if (!strcmp(cur, "--target=wasm32-wasi")) wasm_linking = 1; + if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; @@ -845,7 +846,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then its ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && !wasm_linking && strlen(libdir) && + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; @@ -1093,7 +1094,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { switch (bit_mode) { case 0: - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt.o", obj_path); if (lto_mode) 
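Review bot: The wasm detection at `if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1;` matches only that one exact spelling; `-target wasm32-wasi` (two arguments) and other wasm triples such as `--target=wasm32-unknown-unknown` go unrecognized, and because the `!wasm_linking` guards are dropped in the later hunks those builds now get `afl-compiler-rt*.o` and `-Wl,--dynamic-list` appended instead of being skipped. A prefix check, `if (!strncmp(cur, "--target=wasm", 13)) passthrough = 1;`, plus handling of the separate-argument form would cover the common spellings. `passthrough` is now a file-scope `static int` assigned inside `edit_params()`, and whether `main()` consults it only after `edit_params()` has run is outside this hunk; a warning when a target flag forces passthrough would keep a silently uninstrumented build visible to the user.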
@@ -1102,7 +1103,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 32: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-32.o", obj_path); @@ -1123,7 +1124,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 64: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-64.o", obj_path); @@ -1146,7 +1147,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } #if !defined(__APPLE__) && !defined(__sun) - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif @@ -1179,7 +1180,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { int main(int argc, char **argv, char **envp) { - int i, passthrough = 0; + int i; char *callname = argv[0], *ptr = NULL; if (getenv("AFL_DEBUG")) { From f53e6a6cf2ed621ab1ca0eec271d75405e906ba5 Mon Sep 17 00:00:00 2001 From: Jesse Schwartzentruber Date: Wed, 20 Apr 2022 15:39:28 -0400 Subject: [PATCH 23/29] fix instrumentation for -Werror,-Wunused-but-set-variable `used` is so it isn't optimized out. `unused` is to avoid the warning. --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index a383dd4e..e8643bf8 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1035,7 +1035,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" - "({ static volatile char *_B __attribute__((used)); " + "({ static volatile char *_B __attribute__((used,unused)); " " _B = (char*)\"" PERSIST_SIG "\"; " #ifdef __APPLE__ 
@@ -1049,7 +1049,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" - "do { static volatile char *_A __attribute__((used)); " + "do { static volatile char *_A __attribute__((used,unused)); " " _A = (char*)\"" DEFER_SIG "\"; " #ifdef __APPLE__ From 7f26d133458f5034499f40129e9a5517cee21cce Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 22 Apr 2022 10:28:14 +0200 Subject: [PATCH 24/29] try repeating write --- GNUmakefile | 2 +- .../grammar_mutator/grammar_mutator | 2 +- include/debug.h | 47 +++++++++++++------ unicorn_mode/unicornafl | 2 +- 4 files changed, 36 insertions(+), 17 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index ec81cbac..8b09c51a 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -145,7 +145,7 @@ else CFLAGS ?= -O2 $(CFLAGS_OPT) # -funroll-loops is slower on modern compilers endif -override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \ +override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith \ -fPIC -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" # -fstack-protector diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index cbe5e327..ff4e5a26 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff +Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 diff --git a/include/debug.h b/include/debug.h index 31ebd0f2..e2ee16a8 100644 --- a/include/debug.h +++ b/include/debug.h 
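Review bot: `-Wpointer-arith` becomes `-Wno-pointer-arith` for the whole build, presumably so the `(buf) + _off` arithmetic in the new `ck_write` macro compiles when `buf` is a `void *`; the commit message (`try repeating write`) does not mention the flag change. That silences the diagnostic everywhere, including the places where arithmetic on `void *` or function pointers is a genuine mistake it would otherwise catch. Casting at the single use site, `(const u8 *)(buf) + _off`, keeps the warning active for the rest of the tree. The macro this supports is in the next hunk.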
@@ -355,20 +355,39 @@ static inline const char *colorfilter(const char *x) {
 /* Error-checking versions of read() and write() that call RPFATAL() as
 appropriate. */
-#define ck_write(fd, buf, len, fn) \
- do { \
- \
- int _fd = (fd); \
- \
- s32 _len = (s32)(len); \
- s32 _res = write(_fd, (buf), _len); \
- if (_res != _len) { \
- \
- RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
- _res, _len); \
- \
- } \
- \
+#define ck_write(fd, buf, len, fn) \
+ do { \
+ \
+ if (len <= 0) break; \
+ int _fd = (fd); \
+ s32 _written = 0, _off = 0, _len = (s32)(len); \
+ \
+ do { \
+ \
+ s32 _res = write(_fd, (buf) + _off, _len); \
+ if (_res != _len && (_res > 0 && _written + _res != _len)) { \
+ \
+ if (_res > 0) { \
+ \
+ _written += _res; \
+ _len -= _res; \
+ _off += _res; \
+ \
+ } else { \
+ \
+ RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
+ _res, _len); \
+ \
+ } \
+ \
+ } else { \
+ \
+ break; \
+ \
+ } \
+ \
+ } while (1); \
+ \
 } while (0)
 #define ck_read(fd, buf, len, fn) \
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d4915053..a44fa944 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2
From b2c96f66eef42a58d2b62f98a5cec6f5f483dbde Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 22 Apr 2022 10:29:56 +0200
Subject: [PATCH 25/29] unicorn
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index fe7be8e1..77fc69b5 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-a44fa94488d01aba60401ccf81f8bebcce685bf2
+c3e15a7d
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index a44fa944..c3e15a7d 160000
--- a/unicorn_mode/unicornafl
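Review bot: In the new `ck_write` loop the error branch is unreachable and a failed write is silently accepted: the condition `_res != _len && (_res > 0 && _written + _res != _len)` is false whenever `_res <= 0`, so a `-1` or `0` return from `write()` falls into the `else { break; }` arm and `RPFATAL` can never fire. It also mixes the running total `_written` with the shrinking remainder `_len`, so when `_written + _res == _len` after an earlier partial write (10 bytes requested, `write()` returns 3 then 4) the macro breaks out with bytes still unwritten, and for a fuzzer's testcase and map writes that means truncated data with no diagnostic. Keeping a single `_written` counter and treating any `_res <= 0` as fatal restores the original contract, and the new early-out should parenthesize its argument, `if ((len) <= 0) break;`. A negative result with `errno == EINTR` could additionally be retried if `<errno.h>` is available to this header.
```c
#define ck_write(fd, buf, len, fn)                                          \
  do {                                                                      \
                                                                            \
    if ((len) <= 0) break;                                                  \
    int _fd = (fd);                                                         \
    s32 _written = 0, _len = (s32)(len);                                    \
                                                                            \
    while (_written < _len) {                                               \
                                                                            \
      s32 _res = write(_fd, (const u8 *)(buf) + _written, _len - _written); \
      if (_res <= 0) {                                                      \
                                                                            \
        RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
                _written, _len);                                            \
                                                                            \
      }                                                                     \
      _written += _res;                                                     \
                                                                            \
    }                                                                       \
                                                                            \
  } while (0)
```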
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2
+Subproject commit c3e15a7d44101ff288abe114b7954ce6cfa070b1
From aeeca164b5a01eebc9c7cb386155375980e1fdc2 Mon Sep 17 00:00:00 2001
From: lazymio
Date: Sun, 24 Apr 2022 20:12:42 +0200
Subject: [PATCH 26/29] Bump unicornafl
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index f0c5c1e0..cda1d700 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-c3e15a7d44101ff288abe114b7954ce6cfa070b1
+09ad7d4784e50ec4ddf590a2c29764e2a7f37442
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index baf52ac2..09ad7d47 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit baf52ac2cf4fb005014f1b9527005a06a369c7f5
+Subproject commit 09ad7d4784e50ec4ddf590a2c29764e2a7f37442
From 9ac3c53104d351d9ffa67b3f320bf0788aceb280 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Sun, 24 Apr 2022 20:52:31 +0200
Subject: [PATCH 27/29] fix my name
---
 CITATION.cff | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CITATION.cff b/CITATION.cff
index 45658ac2..37a4a174 100644
--- a/CITATION.cff
+++ b/CITATION.cff
@@ -11,7 +11,7 @@ authors:
 family-names: Fioraldi
 email: andreafioraldi@gmail.com
 - given-names: Dominik
- family-names: Meier
+ family-names: Maier
 email: mail@dmnk.co
 title: "AFL++"
 version: 4.00c
From 5d5aa430d2328e247ffbad45f486a835f5dc8852 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 25 Apr 2022 09:10:59 +0200
Subject: [PATCH 28/29] add changelog
---
 docs/Changelog.md | 2 ++
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 689cc94b..a841cca3 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -32,6 +32,8 @@ sending a mail to . - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only) - frida_mode: - update to new frida release, handles now c++ throw/catch + - unicorn_mode: + - update unicorn engine, fix C example ### Version ++4.00c (release) diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 09ad7d47..c3e15a7d 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 09ad7d4784e50ec4ddf590a2c29764e2a7f37442 +Subproject commit c3e15a7d44101ff288abe114b7954ce6cfa070b1 From ee409d18a6678c3f5948f51db8964148cae021dc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 25 Apr 2022 10:14:04 +0200 Subject: [PATCH 29/29] code format --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index e8643bf8..2667ae28 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -846,8 +846,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then its ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && strlen(libdir) && - strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && + strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; cc_params[cc_par_cnt++] = libdir;