reintroduce AFL_PERSISTENT and AFL_DEFER_FORKSRV

2025-06-14 11:08:06 +00:00 · 2022-02-08 20:15:48 +01:00
parent fa628865c1
commit cf853fb249
7 changed files with 33 additions and 45 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -14,6 +14,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
  - afl-fuzz:
    - new commandline options -g/G to set min/max length of generated
      fuzz inputs
    - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
      persistent mode and manual forkserver support if these are not
      in the target binary (e.g. are in a shared library)
  - frida_mode:
    - update to new frida release, handles now c++ throw/catch
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@ -532,9 +532,13 @@ checks or alter some of the more exotic semantics of the tool:
  - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core
    on Linux systems, but will not terminate if that fails.
-  - Outdated environment variables that are not supported anymore:
+  - The following environment variables are only needed if you implemented
-    - `AFL_DEFER_FORKSRV`
+    your own forkserver or persistent mode, or if __AFL_LOOP or __AFL_INIT
-    - `AFL_PERSISTENT`
+    are in a shared library and not the main binary:
    - `AFL_DEFER_FORKSRV` enforces a deferred forkserver even if none was
      detected in the target binary
    - `AFL_PERSISTENT` enforces persistent mode even if none was detected
      in the target binary
 ## 5) Settings for afl-qemu-trace
--- a/frida_mode/src/entry.c
+++ b/frida_mode/src/entry.c
@ -84,6 +84,7 @@ void entry_start(void) {
    stalker_trust();
  }
  if (entry_point == 0) { entry_launch(); }
 }
--- a/src/afl-common.c
+++ b/src/afl-common.c
@ -63,8 +63,7 @@ u32 check_binary_signatures(u8 *fn) {
  if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); }
  close(fd);
-  if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1) ||
+  if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
      getenv(PERSIST_ENV_VAR)) {
    if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); }
    setenv(PERSIST_ENV_VAR, "1", 1);
@ -72,11 +71,9 @@ u32 check_binary_signatures(u8 *fn) {
  } else if (getenv("AFL_PERSISTENT")) {
-    if (!be_quiet) {
+    if (!be_quiet) { OKF(cPIN "Persistent mode enforced."); }
-
+    setenv(PERSIST_ENV_VAR, "1", 1);
-      WARNF("AFL_PERSISTENT is no longer supported and may misbehave!");
+    ret = 1;
    }
  } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) {
@ -91,8 +88,7 @@ u32 check_binary_signatures(u8 *fn) {
  }
-  if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1) ||
+  if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
      getenv(DEFER_ENV_VAR)) {
    if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); }
    setenv(DEFER_ENV_VAR, "1", 1);
@ -100,11 +96,9 @@ u32 check_binary_signatures(u8 *fn) {
  } else if (getenv("AFL_DEFER_FORKSRV")) {
-    if (!be_quiet) {
+    if (!be_quiet) { OKF(cPIN "Deferred forkserver enforced."); }
-
+    setenv(DEFER_ENV_VAR, "1", 1);
-      WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!");
+    ret += 2;
    }
  }
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -2822,7 +2822,11 @@ void check_binary(afl_state_t *afl, u8 *fname) {
  } else if (getenv("AFL_PERSISTENT")) {
-    WARNF("AFL_PERSISTENT is no longer supported and may misbehave!");
+    OKF(cPIN "Persistent mode enforced.");
    setenv(PERSIST_ENV_VAR, "1", 1);
    afl->persistent_mode = 1;
    afl->fsrv.persistent_mode = 1;
    afl->shmem_testcase_mode = 1;
  } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) {
@ -2843,7 +2847,9 @@ void check_binary(afl_state_t *afl, u8 *fname) {
  } else if (getenv("AFL_DEFER_FORKSRV")) {
-    WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!");
+    OKF(cPIN "Deferred forkserver enforced.");
    setenv(DEFER_ENV_VAR, "1", 1);
    afl->deferred_mode = 1;
  }
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@ -486,15 +486,15 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
                              afl_environment_variable_len)) {
-            afl->min_length = atoi(
+            afl->min_length =
-                (u8 *)get_afl_env(afl_environment_variables[i]));
+                atoi((u8 *)get_afl_env(afl_environment_variables[i]));
          } else if (!strncmp(env, "AFL_INPUT_LEN_MAX",
                              afl_environment_variable_len)) {
-            afl->max_length = atoi(
+            afl->max_length =
-                (u8 *)get_afl_env(afl_environment_variables[i]));
+                atoi((u8 *)get_afl_env(afl_environment_variables[i]));
          }
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -294,8 +294,8 @@ static void usage(u8 *argv0, int more_help) {
      "                        'signalfx' and 'influxdb'\n"
      "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n"
      "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"
-      //"AFL_PERSISTENT: not supported anymore -> no effect, just a warning\n"
+      "AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib\n"
-      //"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n"
+      "AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a .so\n"
      "\n"
    );
@ -1920,26 +1920,6 @@ int main(int argc, char **argv_orig, char **envp) {
  check_binary(afl, argv[optind]);
  if (getenv(PERSIST_ENV_VAR) && !afl->persistent_mode) {
    WARNF(
        "Persistent mode environment variable detected, forcing persistent "
        "mode!");
    afl->persistent_mode = 1;
    afl->fsrv.persistent_mode = 1;
    afl->shmem_testcase_mode = 1;
  }
  if (getenv(DEFER_ENV_VAR) && !afl->deferred_mode) {
    WARNF(
        "Deferred forkserver mode environment variable detected, forcing "
        "deferred forkserver!");
    afl->deferred_mode = 1;
  }
  #ifdef AFL_PERSISTENT_RECORD
  if (unlikely(afl->fsrv.persistent_record)) {