From 586aec711679e1cdaac17cc9749746055fdb55f8 Mon Sep 17 00:00:00 2001 From: cl3nn0 <47954881+cl3nn0@users.noreply.github.com> Date: Thu, 29 Sep 2022 18:42:04 +0800 Subject: [PATCH 01/12] Fixed typo in README.llvm.md (#1538) Co-authored-by: van Hauser --- instrumentation/README.llvm.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 7855a987..9da1b0f6 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -116,7 +116,7 @@ PCGUARD analysis. Several options are present to make llvm_mode faster or help it rearrange the code to make afl-fuzz path discovery easier. -If you need just to instrument specific parts of the code, you can the +If you need just to instrument specific parts of the code, you can create the instrument file list which C/C++ files to actually instrument. See [README.instrument_list.md](README.instrument_list.md) @@ -275,4 +275,4 @@ then this can give a small performance boost. Please note that the default counter implementations are not thread safe! Support for thread safe counters in mode LLVM CLASSIC can be activated with -setting `AFL_LLVM_THREADSAFE_INST=1`. \ No newline at end of file +setting `AFL_LLVM_THREADSAFE_INST=1`. From 0eeddda2c84b13158bfda1505e5ff2467dec08f0 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 1 Oct 2022 16:10:09 +0100 Subject: [PATCH 02/12] libdislocator adding netbsd's reallocarr --- utils/libdislocator/libdislocator.so.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index a6d8ecfd..638735ef 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -510,6 +510,24 @@ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, } +int reallocarr(void *ptr, size_t elem_len, size_t elem_cnt) { + + void *ret = NULL; + const size_t elem_tot = elem_len * elem_cnt; + + if (elem_tot == 0) { + + void **h = &ptr; + *h = ret; + return 0; + + } + + ret = reallocarray(ptr, elem_len, elem_cnt); + return ret ? 0 : -1; + +} + #if defined(__APPLE__) size_t malloc_size(const void *ptr) { From 9c6aebba059bd3d4477d2560cb771effca74a82f Mon Sep 17 00:00:00 2001 From: hexcoder Date: Mon, 3 Oct 2022 11:04:23 +0200 Subject: [PATCH 03/12] typos --- utils/libdislocator/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index e4934b5d..d0e45fff 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -34,8 +34,8 @@ heap-related security bugs in several ways: - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In this case, a tail canary is inserted in the padding bytes at the end of the - allocated zone. This reduce the ability of libdislocator to detect - off-by-one bugs but also it make slibdislocator compliant to the C standard. + allocated zone. This reduces the ability of libdislocator to detect + off-by-one bugs but also it makes libdislocator compliant to the C standard. Basically, it is inspired by some of the non-default options available for the OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is From 97fb0b5099483b2413172dd63a9feaf0e6bf91dc Mon Sep 17 00:00:00 2001 From: jma <94166787+jma-qb@users.noreply.github.com> Date: Mon, 3 Oct 2022 12:06:43 +0200 Subject: [PATCH 04/12] fix Rust speedtest example dependency (#1542) --- unicorn_mode/samples/speedtest/rust/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/samples/speedtest/rust/Cargo.toml b/unicorn_mode/samples/speedtest/rust/Cargo.toml index 766b2f27..73e6ba4c 100644 --- a/unicorn_mode/samples/speedtest/rust/Cargo.toml +++ b/unicorn_mode/samples/speedtest/rust/Cargo.toml @@ -11,5 +11,5 @@ panic = "abort" [dependencies] unicornafl = { path = "../../../unicornafl/bindings/rust/", version="1.0.0" } -capstone="0.10.0" +capstone="0.11.0" libc="0.2.66" From 9e4137a3ebdda76d7cfa3da03ae2f4b1317be012 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 3 Oct 2022 22:58:21 +0200 Subject: [PATCH 05/12] Enabled tricore arch for unicornafl --- custom_mutators/gramatron/json-c | 2 +- docs/Changelog.md | 3 +++ unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c index af8dd4a3..11546bfd 160000 --- a/custom_mutators/gramatron/json-c +++ b/custom_mutators/gramatron/json-c @@ -1 +1 @@ -Subproject commit af8dd4a307e7b837f9fa2959549548ace4afe08b +Subproject commit 11546bfd07a575c47416924cb98de3d33a4e6424 diff --git a/docs/Changelog.md b/docs/Changelog.md index 9503f493..732c5218 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,6 +10,9 @@ scripts - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 + - unicornafl: + - Enabled tricore arch (by @jma-qb) + - Updated Capstone version in Rust bindings ### Version ++4.03c (release) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index bba4215c..09bc04ad 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -6e00ceac +0a31c2b28bf7037fe8b0ff376521fdbdf28a9efe diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6e00ceac..0a31c2b2 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6e00ceac6fd5627e42e1858c543c84f2fbdaedda +Subproject commit 0a31c2b28bf7037fe8b0ff376521fdbdf28a9efe From 5e04c9693b19038871f3aa93544cac187785bc1a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 4 Oct 2022 08:39:07 +0200 Subject: [PATCH 06/12] fix qemu_mode speed bug --- docs/Changelog.md | 5 ++++- qemu_mode/QEMUAFL_VERSION | 2 +- qemu_mode/qemuafl | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 732c5218..33dc9466 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,7 +10,10 @@ scripts - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 - - unicornafl: + - qemu_mode: + - fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for + reporting! + - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION index 412dbf45..8f4db04a 100644 --- a/qemu_mode/QEMUAFL_VERSION +++ b/qemu_mode/QEMUAFL_VERSION @@ -1 +1 @@ -dc19175a0b +ff9de4fbeb diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index dc19175a..ff9de4fb 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit dc19175a0bf4cf34e19944d084d92f33f26df93d +Subproject commit ff9de4fbeb33088b0273f9bb05ecf374a749222f From 2107ece114e66952f16d2dbc888d46a1061e6faf Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 7 Oct 2022 15:40:04 +0200 Subject: [PATCH 07/12] auto shmem fuzzing (#1541) * auto shmem fuzzing * print warning when forcing shmem fuzzing * typos * Shmem always * typo fix * fixes Co-authored-by: Dominik Maier --- docs/Changelog.md | 5 ++++- instrumentation/afl-compiler-rt.o.c | 27 +++++++++++++++++++++------ src/afl-cc.c | 2 +- src/afl-fuzz.c | 14 ++++++++++++++ src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- utils/aflpp_driver/aflpp_driver.c | 20 ++++++++++++-------- 7 files changed, 54 insertions(+), 18 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 33dc9466..d4dfb709 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -5,7 +5,7 @@ ### Version ++4.04a (dev) - - fix gramatron and grammar_mutatur build scripts + - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts - afl-cc: @@ -16,6 +16,9 @@ - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings + - llvm-mode: + - AFL runtime will always pass inputs via shared memory, when possible, + ignoring the command line. ### Version ++4.03c (release) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 194d49b0..20069824 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -97,6 +97,7 @@ u8 *__afl_dictionary; u8 *__afl_fuzz_ptr; static u32 __afl_fuzz_len_dummy; u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy; +int __afl_sharedmem_fuzzing __attribute__((weak)); u32 __afl_final_loc; u32 __afl_map_size = MAP_SIZE; @@ -119,8 +120,6 @@ __thread PREV_LOC_T __afl_prev_caller[CTX_MAX_K]; __thread u32 __afl_prev_ctx; #endif -int __afl_sharedmem_fuzzing __attribute__((weak)); - struct cmp_map *__afl_cmp_map; struct cmp_map *__afl_cmp_map_backup; @@ -347,6 +346,22 @@ static void __afl_map_shm(void) { } + if (__afl_sharedmem_fuzzing && (!id_str || !getenv(SHM_FUZZ_ENV_VAR) || + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1)) { + + if (__afl_debug) { + + fprintf(stderr, + "DEBUG: running not inside afl-fuzz, disabling shared memory " + "testcases\n"); + + } + + __afl_sharedmem_fuzzing = 0; + + } + if (!id_str) { u32 val = 0; @@ -543,7 +558,7 @@ static void __afl_map_shm(void) { if (!__afl_area_ptr_dummy) { fprintf(stderr, - "Error: AFL++ could not aquire %u bytes of memory, exiting!\n", + "Error: AFL++ could not acquire %u bytes of memory, exiting!\n", __afl_final_loc); exit(-1); @@ -757,10 +772,10 @@ static void __afl_start_snapshots(void) { assume we're not running in forkserver mode and just execute program. */ status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG); - if (__afl_sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; + if (__afl_sharedmem_fuzzing) { status |= FS_OPT_SHDMEM_FUZZ; } if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); - if (__afl_dictionary_len && __afl_dictionary) status |= FS_OPT_AUTODICT; + if (__afl_dictionary_len && __afl_dictionary) { status |= FS_OPT_AUTODICT; } memcpy(tmp, &status, 4); if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; } @@ -1021,7 +1036,7 @@ static void __afl_start_forkserver(void) { } - if (__afl_sharedmem_fuzzing != 0) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } + if (__afl_sharedmem_fuzzing) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } if (status_for_fsrv) { status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG); diff --git a/src/afl-cc.c b/src/afl-cc.c index 53fba1e7..469aa825 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -317,7 +317,7 @@ void parse_fsanitize(char *string) { char *tmp = malloc(strlen(ptr)); u32 count = 0, len, ende = 0; - if (!new || !tmp) { FATAL("could not aquire memory"); } + if (!new || !tmp) { FATAL("could not acquire memory"); } strcpy(new, "-fsanitize="); do { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 294c42f6..84ae54ff 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2132,6 +2132,20 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->fsrv.out_file && afl->fsrv.use_shmem_fuzz) { + + afl->fsrv.out_file = NULL; + afl->fsrv.use_stdin = 0; + if (!afl->unicorn_mode && !afl->fsrv.use_stdin) { + + WARNF( + "You specified -f or @@ on the command line but the target harness " + "specified fuzz cases via shmem, switching to shmem!"); + + } + + } + deunicode_extras(afl); dedup_extras(afl); if (afl->extras_cnt) { OKF("Loaded a total of %u extras.", afl->extras_cnt); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index b0b21011..0b724758 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1268,7 +1268,7 @@ int main(int argc, char **argv_orig, char **envp) { (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { if (!be_quiet) - ACTF("Aquired new map size for target: %u bytes\n", new_map_size); + ACTF("Acquired new map size for target: %u bytes\n", new_map_size); afl_shm_deinit(&shm); afl_fsrv_kill(fsrv); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 78537f9f..694c9c21 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1252,7 +1252,7 @@ int main(int argc, char **argv_orig, char **envp) { (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { if (!be_quiet) - ACTF("Aquired new map size for target: %u bytes\n", new_map_size); + ACTF("Acquired new map size for target: %u bytes\n", new_map_size); afl_shm_deinit(&shm); afl_fsrv_kill(fsrv); diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 7e553723..87bd2aa2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -35,6 +35,7 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int LLVMFuzzerRunDriver(int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); -// Default nop ASan hooks for manual posisoning when not linking the ASan +// Default nop ASan hooks for manual poisoning when not linking the ASan // runtime // https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning __attribute__((weak)) void __asan_poison_memory_region( @@ -290,6 +291,12 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } + bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + output_file = stderr; maybe_duplicate_stderr(); maybe_close_fd_mask(); @@ -310,23 +317,20 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, int N = INT_MAX; - if (argc == 2 && !strcmp(argv[1], "-")) { + if (!in_afl && argc == 2 && !strcmp(argv[1], "-")) { - __afl_sharedmem_fuzzing = 0; __afl_manual_init(); return ExecuteFilesOnyByOne(argc, argv, callback); - } else if (argc == 2 && argv[1][0] == '-') { + } else if (argc == 2 && argv[1][0] == '-' && argv[1][1]) { N = atoi(argv[1] + 1); - } else if (argc == 2 && (N = atoi(argv[1])) > 0) { + } else if (argc == 2 && argv[1][0] != '-' && (N = atoi(argv[1])) > 0) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); - } else if (argc > 1) { - - __afl_sharedmem_fuzzing = 0; + } else if (!in_afl && argc > 1 && argv[1][0] != '-') { if (argc == 2) { __afl_manual_init(); } From 680e6e91a176e5b11aa6ce55cce39bf05784039f Mon Sep 17 00:00:00 2001 From: quinox Date: Wed, 5 Oct 2022 20:29:31 +0200 Subject: [PATCH 08/12] Support building LTO on Gentoo --- GNUmakefile.llvm | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index c37c4a51..2349e587 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -214,6 +214,17 @@ ifeq "$(LLVM_LTO)" "1" ifeq "$(AFL_REAL_LD)" "" ifneq "$(shell readlink $(LLVM_BINDIR)/ld.lld 2>&1)" "" AFL_REAL_LD = $(LLVM_BINDIR)/ld.lld + else ifneq "$(shell command -v ld.lld 2>/dev/null)" "" + AFL_REAL_LD = $(shell command -v ld.lld) + TMP_LDLDD_VERSION = $(shell $(AFL_REAL_LD) --version | awk '{ print $$2 }') + ifeq "$(LLVMVER)" "$(TMP_LDLDD_VERSION)" + $(warning ld.lld found in a weird location ($(AFL_REAL_LD)), but its the same version as LLVM so we will allow it) + else + $(warning ld.lld found in a weird location ($(AFL_REAL_LD)) and its of a different version than LLMV ($(TMP_LDLDD_VERSION) vs. $(LLVMVER)) - cannot enable LTO mode) + AFL_REAL_LD= + LLVM_LTO = 0 + endif + undefine TMP_LDLDD_VERSION else $(warning ld.lld not found, cannot enable LTO mode) LLVM_LTO = 0 @@ -229,7 +240,7 @@ AFL_CLANG_FUSELD= ifeq "$(LLVM_LTO)" "1" ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_FUSELD=1 - ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(LLVM_BINDIR)/ld.lld -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" + ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(AFL_REAL_LD) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_LDPATH=1 endif else From db4fa9319dab293f77cb57659eb3d8f3381a0160 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 10 Oct 2022 14:37:16 +0200 Subject: [PATCH 09/12] Fix #1548 --- qemu_mode/libqasan/malloc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c index c83b5eb2..d81b15e9 100644 --- a/qemu_mode/libqasan/malloc.c +++ b/qemu_mode/libqasan/malloc.c @@ -306,9 +306,7 @@ int __libqasan_posix_memalign(void **ptr, size_t align, size_t len) { } - size_t rem = len % align; - size_t size = len; - if (rem) size += rem; + size_t size = len + align; int state = QASAN_SWAP(QASAN_DISABLED); // disable qasan for this thread From e6e82948bf95fab90466cb2dfa78457c4d2d80a6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 11 Oct 2022 08:53:49 +0200 Subject: [PATCH 10/12] fastexit + code format --- GNUmakefile | 1 + docs/Changelog.md | 3 +++ instrumentation/afl-gcc-cmplog-pass.so.cc | 4 +-- instrumentation/afl-gcc-common.h | 5 ++-- instrumentation/afl-gcc-pass.so.cc | 2 +- qemu_mode/fastexit/Makefile | 30 +++++++++++++++++++++++ qemu_mode/fastexit/README.md | 5 ++++ qemu_mode/fastexit/fastexit.c | 6 +++++ src/afl-fuzz.c | 1 + utils/aflpp_driver/aflpp_driver.c | 6 ++--- utils/libdislocator/libdislocator.so.c | 2 +- 11 files changed, 56 insertions(+), 9 deletions(-) create mode 100644 qemu_mode/fastexit/Makefile create mode 100644 qemu_mode/fastexit/README.md create mode 100644 qemu_mode/fastexit/fastexit.c diff --git a/GNUmakefile b/GNUmakefile index 70299fc3..d1f28a76 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -592,6 +592,7 @@ clean: -$(MAKE) -C utils/argv_fuzzing clean -$(MAKE) -C utils/plot_ui clean -$(MAKE) -C qemu_mode/unsigaction clean + -$(MAKE) -C qemu_mode/fastexit clean -$(MAKE) -C qemu_mode/libcompcov clean -$(MAKE) -C qemu_mode/libqasan clean -$(MAKE) -C frida_mode clean diff --git a/docs/Changelog.md b/docs/Changelog.md index d4dfb709..b4f758e8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -8,11 +8,14 @@ - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts + - afl-fuzz: + - force writing all stats on exit - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 - qemu_mode: - fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for reporting! + - added qemu_mode/fastexit helper library - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc index e42e8bc0..3c781fd7 100644 --- a/instrumentation/afl-gcc-cmplog-pass.so.cc +++ b/instrumentation/afl-gcc-cmplog-pass.so.cc @@ -245,7 +245,7 @@ struct afl_cmplog_pass : afl_base_pass { tree s = make_ssa_name(t); gimple g = gimple_build_assign(s, VIEW_CONVERT_EXPR, - build1(VIEW_CONVERT_EXPR, t, lhs)); + build1(VIEW_CONVERT_EXPR, t, lhs)); lhs = s; gsi_insert_before(&gsi, g, GSI_SAME_STMT); @@ -281,7 +281,7 @@ struct afl_cmplog_pass : afl_base_pass { } /* Insert the call. */ - tree att = build_int_cst(t8u, attr); + tree att = build_int_cst(t8u, attr); gimple call; if (pass_n) call = gimple_build_call(fn, 4, lhs, rhs, att, diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h index 766c0eff..cda3f9d8 100644 --- a/instrumentation/afl-gcc-common.h +++ b/instrumentation/afl-gcc-common.h @@ -501,7 +501,8 @@ struct afl_base_pass : gimple_opt_pass { // compatibility for older gcc versions #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \ 60200 /* >= version 6.2.0 */ -#define gimple gimple * + #define gimple gimple * #else -#define gimple gimple + #define gimple gimple #endif + diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 2b251075..ea938a7f 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -127,7 +127,7 @@ #include "afl-gcc-common.h" #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \ 60200 /* >= version 6.2.0 */ -#include "memmodel.h" + #include "memmodel.h" #endif /* This plugin, being under the same license as GCC, satisfies the diff --git a/qemu_mode/fastexit/Makefile b/qemu_mode/fastexit/Makefile new file mode 100644 index 00000000..80a5ec48 --- /dev/null +++ b/qemu_mode/fastexit/Makefile @@ -0,0 +1,30 @@ +# +# american fuzzy lop++ - fastexit +# -------------------------------- +# +# Written by Andrea Fioraldi +# +# Copyright 2019-2022 Andrea Fioraldi. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +TARGETS=fastexit.so fastexit32.so fastexit64.so + +all: $(TARGETS) + +fastexit.so: fastexit.c + @if $(CC) -fPIC -shared fastexit.c -o fastexit.so 2>/dev/null ; then echo "fastexit build success"; else echo "fastexit build failure (that's fine)"; fi + +fastexit32.so: fastexit.c + @if $(CC) -fPIC -m32 -shared fastexit.c -o fastexit32.so 2>/dev/null ; then echo "fastexit32 build success"; else echo "fastexit32 build failure (that's fine)"; fi + +fastexit64.so: fastexit.c + @if $(CC) -fPIC -m64 -shared fastexit.c -o fastexit64.so 2>/dev/null ; then echo "fastexit64 build success"; else echo "fastexit64 build failure (that's fine)"; fi + +clean: + rm -f fastexit.so diff --git a/qemu_mode/fastexit/README.md b/qemu_mode/fastexit/README.md new file mode 100644 index 00000000..f01340c2 --- /dev/null +++ b/qemu_mode/fastexit/README.md @@ -0,0 +1,5 @@ +# fastexit + +This library forces _exit on exit when preloaded to gain speed. + +Gives speed on complex tarets like Android or Wine. diff --git a/qemu_mode/fastexit/fastexit.c b/qemu_mode/fastexit/fastexit.c new file mode 100644 index 00000000..44141af1 --- /dev/null +++ b/qemu_mode/fastexit/fastexit.c @@ -0,0 +1,6 @@ +#include +#include + +void exit(int status) { + _exit(status); +} diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 84ae54ff..d116822a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2570,6 +2570,7 @@ int main(int argc, char **argv_orig, char **envp) { stop_fuzzing: afl->force_ui_update = 1; // ensure the screen is reprinted + afl->stop_soon = 1; // ensure everything is written show_stats(afl); // print the screen one last time write_bitmap(afl); save_auto(afl); diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 87bd2aa2..a76ba6c2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -292,10 +292,10 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || - fcntl(FORKSRV_FD, F_GETFD) == -1 || - fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); - if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } output_file = stderr; maybe_duplicate_stderr(); diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 638735ef..c390d004 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -512,7 +512,7 @@ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, int reallocarr(void *ptr, size_t elem_len, size_t elem_cnt) { - void *ret = NULL; + void *ret = NULL; const size_t elem_tot = elem_len * elem_cnt; if (elem_tot == 0) { From de9d1ff4a09a72c8bd4bb892f146646296f3f2fa Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 11 Oct 2022 12:43:06 +0200 Subject: [PATCH 11/12] doc fixes --- qemu_mode/README.md | 15 ++++----------- qemu_mode/README.persistent.md | 11 ++++++----- qemu_mode/build_qemu_support.sh | 4 +++- qemu_mode/fastexit/README.md | 2 +- 4 files changed, 14 insertions(+), 18 deletions(-) diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 3ebfc54c..4ed2f298 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -13,8 +13,8 @@ afl-cc. The usual performance cost is 2-5x, which is considerably better than seen so far in experiments with tools such as DynamoRIO and PIN. -The idea and much of the initial implementation comes from Andrew Griffiths. The -actual implementation on current QEMU (shipped as qemuafl) is from Andrea +The idea and much of the initial implementation comes from Andrew Griffiths. +The actual implementation on current QEMU (shipped as qemuafl) is from Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining. ## 2) How to use QEMU mode @@ -30,17 +30,13 @@ glib2-devel). Once the binaries are compiled, you can leverage the QEMU tool by calling afl-fuzz and all the related utilities with `-Q` in the command line. -Note that QEMU requires a generous memory limit to run; somewhere around 200 MB -is a good starting point, but considerably more may be needed for more complex -programs. The default `-m` limit will be automatically bumped up to 200 MB when -specifying `-Q` to afl-fuzz; be careful when overriding this. - In principle, if you set `CPU_TARGET` before calling ./build_qemu_support.sh, you should get a build capable of running non-native binaries (say, you can try `CPU_TARGET=arm`). This is also necessary for running 32-bit binaries on a 64-bit system (`CPU_TARGET=i386`). If you're trying to run QEMU on a different architecture, you can also set `HOST` to the cross-compiler prefix to use (for example `HOST=arm-linux-gnueabi` to use arm-linux-gnueabi-gcc). +Another common target is `CPU_TARGET=aarch64`. You can also compile statically-linked binaries by setting `STATIC=1`. This can be useful when compiling QEMU on a different system than the one you're planning @@ -219,9 +215,6 @@ program may be utilizing. In particular, it does not appear to have full support for AVX2/FMA3. Using binaries for older CPUs or recompiling them with `-march=core2`, can help. -Beyond that, this is an early-stage mechanism, so fields reports are welcome. -You can send them to . - ## 14) Alternatives: static rewriting Statically rewriting binaries just once, instead of attempting to translate them @@ -230,4 +223,4 @@ with peril, because it depends on being able to properly and fully model program control flow without actually executing each and every code path. For more information and hints, check out -[docs/fuzzing_binary-only_targets.md](../docs/fuzzing_binary-only_targets.md). \ No newline at end of file +[docs/fuzzing_binary-only_targets.md](../docs/fuzzing_binary-only_targets.md). diff --git a/qemu_mode/README.persistent.md b/qemu_mode/README.persistent.md index ab45860d..ef8fb71b 100644 --- a/qemu_mode/README.persistent.md +++ b/qemu_mode/README.persistent.md @@ -27,11 +27,12 @@ function and will patch the return address (on stack or in the link register) to return to START (like WinAFL). *Note:* If the target is compiled with position independent code (PIE/PIC) qemu -loads these to a specific base address. For 64 bit you have to add 0x4000000000 -(9 zeroes) and for 32 bit 0x40000000 (7 zeroes) to the address. On strange -setups the base address set by QEMU for PIE executable may change. You can check -it printing the process map using `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace -TARGET-BINARY`. +loads these to a specific base address. For amd64 bit you have to add +0x4000000000 (9 zeroes) and for 32 bit 0x40000000 (7 zeroes) to the address. +For aarch64 it is usually 0x5500000000. +On strange setups the base address set by QEMU for PIE executable may change. +You can check it printing the process map using +`AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY`. If this address is not valid, afl-fuzz will error during startup with the message that the forkserver was not found. diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 277a6323..c108675e 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -360,8 +360,10 @@ if ! command -v "$CROSS" > /dev/null ; then make -C libcompcov && echo "[+] libcompcov ready" echo "[+] Building unsigaction ..." make -C unsigaction && echo "[+] unsigaction ready" + echo "[+] Building fastexit ..." + make -C fastexit && echo "[+] fastexit ready" echo "[+] Building libqasan ..." - make -C libqasan && echo "[+] unsigaction ready" + make -C libqasan && echo "[+] libqasan ready" echo "[+] Building qemu libfuzzer helpers ..." make -C ../utils/aflpp_driver else diff --git a/qemu_mode/fastexit/README.md b/qemu_mode/fastexit/README.md index f01340c2..66763e94 100644 --- a/qemu_mode/fastexit/README.md +++ b/qemu_mode/fastexit/README.md @@ -2,4 +2,4 @@ This library forces _exit on exit when preloaded to gain speed. -Gives speed on complex tarets like Android or Wine. +Gives speed on complex targets like Android or Wine. From bac6ba89074019e0f095774ecebc435970f4940d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 11 Oct 2022 15:39:27 +0200 Subject: [PATCH 12/12] v4.04c --- README.md | 2 +- docs/Changelog.md | 2 +- include/config.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 935c71ce..fd92a8c0 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ AFL++ logo -Release version: [4.03c](https://github.com/AFLplusplus/AFLplusplus/releases) +Release version: [4.04c](https://github.com/AFLplusplus/AFLplusplus/releases) GitHub version: 4.04a diff --git a/docs/Changelog.md b/docs/Changelog.md index b4f758e8..ef721bb1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -4,7 +4,7 @@ release of the tool. See README.md for the general instruction manual. -### Version ++4.04a (dev) +### Version ++4.04c (release) - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts diff --git a/include/config.h b/include/config.h index 21701515..6b1e1e26 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++4.04a" +#define VERSION "++4.04c" /****************************************************** * *