From c0837409bd50b6d14789c0415d8e49406f9a2509 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 14 Oct 2024 09:29:10 +0200 Subject: [PATCH 01/12] fix cycles_wo_finds count --- src/afl-fuzz.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7a940031..c61eae1f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2937,9 +2937,9 @@ int main(int argc, char **argv_orig, char **envp) { 3600 */ )) { - if (afl->use_splicing) { + ++afl->cycles_wo_finds; - ++afl->cycles_wo_finds; + if (afl->use_splicing) { if (unlikely(afl->shm.cmplog_mode && afl->cmplog_max_filesize < MAX_FILE)) { From b3d16f7b8c19c3fb06cdbb2ef8df977b6b674b59 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 14 Oct 2024 09:45:59 +0200 Subject: [PATCH 02/12] update how AFL_EXIT_WHEN_DONE and colors of cycles done are working --- docs/env_variables.md | 5 ++--- src/afl-fuzz-stats.c | 28 ++++++---------------------- 2 files changed, 8 insertions(+), 25 deletions(-) diff --git a/docs/env_variables.md b/docs/env_variables.md index 3db46b36..ef67abec 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -424,9 +424,8 @@ checks or alter some of the more exotic semantics of the tool: types of automated jobs. - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths - have been fuzzed and there were no new finds for a while. This would be - normally indicated by the cycle counter in the UI turning green. May be - convenient for some types of automated jobs. + have been fuzzed and there were no new finds for a while. This is basically + when the fuzzing state says `state: finished` - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that includes costly mutations. afl-fuzz automatically enables this mode when diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index a7465330..e0127e54 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -56,6 +56,8 @@ char *get_fuzzing_state(afl_state_t *afl) { if (unlikely(percent_cur >= 80 && percent_total >= 80)) { + if (unlikely(afl->afl_env.afl_exit_when_done)) { afl->stop_soon = 2; } + return fuzzing_state[3]; } else if (unlikely(percent_cur >= 55 && percent_total >= 55)) { @@ -822,15 +824,6 @@ void show_stats_normal(afl_state_t *afl) { } - /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ - - if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && - !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)) { - - afl->stop_soon = 2; - - } - /* AFL_EXIT_ON_TIME. */ /* If no coverage was found yet, check whether run time is greater than @@ -998,14 +991,14 @@ void show_stats_normal(afl_state_t *afl) { } else /* Subsequent cycles, but we're still making finds. */ - if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { + if (afl->cycles_wo_finds < 2 || min_wo_finds <= 30) { strcpy(tmp, cYEL); } else /* No finds for a long time and no test cases to try. */ - if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && + if (afl->cycles_wo_finds > 1 && !afl->pending_not_fuzzed && min_wo_finds > 120) { strcpy(tmp, cLGN); @@ -1656,15 +1649,6 @@ void show_stats_pizza(afl_state_t *afl) { } - /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ - - if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && - !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)) { - - afl->stop_soon = 2; - - } - /* AFL_EXIT_ON_TIME. */ /* If no coverage was found yet, check whether run time is greater than @@ -1813,14 +1797,14 @@ void show_stats_pizza(afl_state_t *afl) { } else /* Subsequent cycles, but we're still making finds. */ - if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { + if (afl->cycles_wo_finds < 2 || min_wo_finds <= 30) { strcpy(tmp, cYEL); } else /* No finds for a long time and no test cases to try. */ - if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && + if (afl->cycles_wo_finds > 1 && !afl->pending_not_fuzzed && min_wo_finds > 120) { strcpy(tmp, cLGN); From 20c46c0ed6465d49034939416efc979674425dd6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 15 Oct 2024 15:18:51 +0200 Subject: [PATCH 03/12] nits --- GNUmakefile.llvm | 2 +- docs/Changelog.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 2e806ab8..367c437f 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -163,7 +163,7 @@ endif # sanity check. # Are versions of clang --version and llvm-config --version equal? -CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ (1?[0-9]\.[0-9]\.[0-9]).*/s//\1/p') +CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ ([12]?[0-9]\.[0-9]\.[0-9]).*/s//\1/p') # I disable this because it does not make sense with what we did before (marc) # We did exactly set these 26 lines above with these values, and it would break diff --git a/docs/Changelog.md b/docs/Changelog.md index 5b809d61..48f67803 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,8 @@ - because of bad math and undefined behaviour fixes we have to change the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS** - fixed custom_post_process for calibration + - fixes for AFL_EXIT_ON_TIME and AFL_EXIT_WHEN_DONE, changed behaviour of + AFL_EXIT_WHEN_DONE to finish when really done :-) - frida_mode: - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just a function entry From 4cc9232485618712a158ca8fddc42f1fee1c530f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 16 Oct 2024 18:26:08 +0200 Subject: [PATCH 04/12] add AFL_OPT_LEVEL support --- docs/env_variables.md | 3 +++ include/envs.h | 2 +- src/afl-cc.c | 42 +++++++++++++++++++++++++++++++++++++++--- 3 files changed, 43 insertions(+), 4 deletions(-) diff --git a/docs/env_variables.md b/docs/env_variables.md index ef67abec..4824860c 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -64,6 +64,9 @@ fairly broad use of environment variables instead: optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or `-fno-unroll-loops` are set, these are not overridden. + - The optimization level can also be set with `AFL_OPT_LEVEL`, e.g. + `AFL_OPT_LEVEL=z` for `-Oz` + - Setting `AFL_HARDEN` automatically adds code hardening options when invoking the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and `-fstack-protector-all`. The setting is useful for catching non-crashing diff --git a/include/envs.h b/include/envs.h index 3accbda0..202de752 100644 --- a/include/envs.h +++ b/include/envs.h @@ -49,7 +49,7 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_STALKER_ADJACENT_BLOCKS", "AFL_FRIDA_STALKER_IC_ENTRIES", "AFL_FRIDA_STALKER_NO_BACKPATCH", "AFL_FRIDA_STATS_FILE", "AFL_FRIDA_STATS_INTERVAL", "AFL_FRIDA_TRACEABLE", - "AFL_FRIDA_VERBOSE", "AFL_OLD_FORKSERVER", + "AFL_FRIDA_VERBOSE", "AFL_OLD_FORKSERVER", "AFL_OPT_LEVEL", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_FUZZER_STATS_UPDATE_INTERVAL", "AFL_GDB", "AFL_GCC_ALLOWLIST", "AFL_GCC_DENYLIST", "AFL_GCC_BLOCKLIST", "AFL_GCC_INSTRUMENT_FILE", diff --git a/src/afl-cc.c b/src/afl-cc.c index 7afab850..677a6b2f 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -98,7 +98,8 @@ typedef enum { } compiler_mode_id; -static u8 cwd[4096]; +static u8 cwd[4096]; +static char opt_level = '3'; char instrument_mode_string[18][18] = { @@ -881,9 +882,17 @@ static void instrument_mode_old_environ(aflcc_state_t *aflcc) { */ static void instrument_mode_new_environ(aflcc_state_t *aflcc) { + u8 *ptr2; + + if ((ptr2 = getenv("AFL_OPT_LEVEL"))) { + + opt_level = ptr2[0]; // ignore invalid data + + } + if (!getenv("AFL_LLVM_INSTRUMENT")) { return; } - u8 *ptr2 = strtok(getenv("AFL_LLVM_INSTRUMENT"), ":,;"); + ptr2 = strtok(getenv("AFL_LLVM_INSTRUMENT"), ":,;"); while (ptr2) { @@ -2561,6 +2570,33 @@ void add_gcc_plugin(aflcc_state_t *aflcc) { } +char *get_opt_level() { + + static char levels[8][8] = {"-O0", "-O1", "-O2", "-O3", + "-Oz", "-Os", "-Ofast", "-Og"}; + switch (opt_level) { + + case '0': + return levels[0]; + case '1': + return levels[1]; + case '2': + return levels[2]; + case 'z': + return levels[4]; + case 's': + return levels[5]; + case 'f': + return levels[6]; + case 'g': + return levels[7]; + default: + return levels[3]; + + } + +} + /* Add some miscellaneous params required by our instrumentation. */ void add_misc_params(aflcc_state_t *aflcc) { @@ -2592,7 +2628,7 @@ void add_misc_params(aflcc_state_t *aflcc) { if (!getenv("AFL_DONT_OPTIMIZE")) { insert_param(aflcc, "-g"); - if (!aflcc->have_o) insert_param(aflcc, "-O3"); + if (!aflcc->have_o) insert_param(aflcc, get_opt_level()); if (!aflcc->have_unroll) insert_param(aflcc, "-funroll-loops"); // if (strlen(aflcc->march_opt) > 1 && aflcc->march_opt[0] == '-') // insert_param(aflcc, aflcc->march_opt); From a11488b9dcc71e5b52876e8c11ea6ee231e433ba Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 16 Oct 2024 18:27:10 +0200 Subject: [PATCH 05/12] changelog --- docs/Changelog.md | 2 ++ docs/env_variables.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 48f67803..8a445084 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -37,6 +37,8 @@ - new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with AFL_LLVM_INSTRUMENT=CLASSIC + - new compile time variable: `AFL_OPT_LEVEL` to set a specific optimization + level, default is `3` - code formatting updated to llvm 18 - improved custom_mutators/aflpp/standalone/aflpp-standalone - added custom_mutators/autotokens/standalone/autotokens-standalone diff --git a/docs/env_variables.md b/docs/env_variables.md index 4824860c..d0789105 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -65,7 +65,7 @@ fairly broad use of environment variables instead: `-fno-unroll-loops` are set, these are not overridden. - The optimization level can also be set with `AFL_OPT_LEVEL`, e.g. - `AFL_OPT_LEVEL=z` for `-Oz` + `AFL_OPT_LEVEL=z` for `-Oz`, default is `3` - Setting `AFL_HARDEN` automatically adds code hardening options when invoking the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and From 8a060a4b68a0aa1c812916bcbcf4bf3424854124 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 19 Oct 2024 13:54:48 +0200 Subject: [PATCH 06/12] fix the cleanup of previous generated SHA1 files in function handle_existing_out_dir() --- src/afl-fuzz-init.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index a9397232..af6e6d4c 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1714,13 +1714,15 @@ static u8 delete_files(u8 *path, u8 *prefix) { while ((d_ent = readdir(d))) { - if (d_ent->d_name[0] != '.' && - (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { + if ((d_ent->d_name[0] != '.' && + (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) + /* heiko: don't forget the SHA1 files */ + || strspn(d_ent->d_name, "0123456789abcdef") == 2 * 20 /* TODO use 2 * HASH_LENGTH */ + ) { u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name); if (unlink(fname)) { PFATAL("Unable to delete '%s'", fname); } ck_free(fname); - } } From c1d9a4fab9b652a0ea810086ce064ec3836c7bd9 Mon Sep 17 00:00:00 2001 From: rapt0r Date: Sat, 19 Oct 2024 22:19:41 +0900 Subject: [PATCH 07/12] feat: introduce GCC disable environment variable This change is to disable the GCC plugin version check for GCC plugin and CMPLOG, to overcome the issues with incompatability with expected GCC version and actual GCC version used to compile using `AFL_GCC_DISABLE_VERSION_CHECK` environment variable. --- include/envs.h | 6 +++--- instrumentation/README.gcc_plugin.md | 5 ++++- instrumentation/afl-gcc-cmplog-pass.so.cc | 3 ++- instrumentation/afl-gcc-cmptrs-pass.so.cc | 3 ++- instrumentation/afl-gcc-pass.so.cc | 3 ++- 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/include/envs.h b/include/envs.h index 202de752..cca9baa8 100644 --- a/include/envs.h +++ b/include/envs.h @@ -52,9 +52,9 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_VERBOSE", "AFL_OLD_FORKSERVER", "AFL_OPT_LEVEL", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_FUZZER_STATS_UPDATE_INTERVAL", "AFL_GDB", "AFL_GCC_ALLOWLIST", - "AFL_GCC_DENYLIST", "AFL_GCC_BLOCKLIST", "AFL_GCC_INSTRUMENT_FILE", - "AFL_GCC_OUT_OF_LINE", "AFL_GCC_SKIP_NEVERZERO", "AFL_GCJ", - "AFL_HANG_TMOUT", "AFL_FORKSRV_INIT_TMOUT", "AFL_HARDEN", + "AFL_GCC_DENYLIST", "AFL_GCC_BLOCKLIST", "AFL_GCC_DISABLE_VERSION_CHECK", + "AFL_GCC_INSTRUMENT_FILE", "AFL_GCC_OUT_OF_LINE", "AFL_GCC_SKIP_NEVERZERO", + "AFL_GCJ", "AFL_HANG_TMOUT", "AFL_FORKSRV_INIT_TMOUT", "AFL_HARDEN", "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IGNORE_PROBLEMS", "AFL_IGNORE_PROBLEMS_COVERAGE", "AFL_IGNORE_SEED_PROBLEMS", "AFL_IGNORE_TIMEOUTS", "AFL_IGNORE_UNKNOWN_ENVS", "AFL_IMPORT_FIRST", diff --git a/instrumentation/README.gcc_plugin.md b/instrumentation/README.gcc_plugin.md index 011a574a..34004dc7 100644 --- a/instrumentation/README.gcc_plugin.md +++ b/instrumentation/README.gcc_plugin.md @@ -51,7 +51,10 @@ The idea and much of the implementation comes from Laszlo Szekeres. In order to leverage this mechanism, you need to have modern enough GCC (>= version 4.5.0) and the plugin development headers installed on your system. That should be all you need. On Debian machines, these headers can be acquired by -installing the `gcc-VERSION-plugin-dev` packages. +installing the `gcc-VERSION-plugin-dev` packages. If you're compiling a GCC +plugin that differs from the system-installed version and encounter issues +with version checks, you can use the `AFL_GCC_DISABLE_VERSION_CHECK` environment +variable. To build the instrumentation itself, type `make`. This will generate binaries called `afl-gcc-fast` and `afl-g++-fast` in the parent directory. diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc index 774dd5fd..38fce961 100644 --- a/instrumentation/afl-gcc-cmplog-pass.so.cc +++ b/instrumentation/afl-gcc-cmplog-pass.so.cc @@ -370,7 +370,8 @@ Set AFL_QUIET in the environment to silence it.\n\ int plugin_init(struct plugin_name_args *info, struct plugin_gcc_version *version) { - if (!plugin_default_version_check(version, &gcc_version)) + if (!plugin_default_version_check(version, &gcc_version) && + !getenv("AFL_GCC_DISABLE_VERSION_CHECK")) FATAL(G_("GCC and plugin have incompatible versions, expected GCC %s, " "is %s"), gcc_version.basever, version->basever); diff --git a/instrumentation/afl-gcc-cmptrs-pass.so.cc b/instrumentation/afl-gcc-cmptrs-pass.so.cc index 96bd5ba8..360b035a 100644 --- a/instrumentation/afl-gcc-cmptrs-pass.so.cc +++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc @@ -338,7 +338,8 @@ Set AFL_QUIET in the environment to silence it.\n\ int plugin_init(struct plugin_name_args *info, struct plugin_gcc_version *version) { - if (!plugin_default_version_check(version, &gcc_version)) + if (!plugin_default_version_check(version, &gcc_version) && + !getenv("AFL_GCC_DISABLE_VERSION_CHECK")) FATAL(G_("GCC and plugin have incompatible versions, expected GCC %s, " "is %s"), gcc_version.basever, version->basever); diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 41b1e5af..26f7bd19 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -478,7 +478,8 @@ Specify -frandom-seed for reproducible instrumentation.\n\ int plugin_init(struct plugin_name_args *info, struct plugin_gcc_version *version) { - if (!plugin_default_version_check(version, &gcc_version)) + if (!plugin_default_version_check(version, &gcc_version) && + !getenv("AFL_GCC_DISABLE_VERSION_CHECK")) FATAL(G_("GCC and plugin have incompatible versions, expected GCC %s, " "is %s"), gcc_version.basever, version->basever); From 04d2476b324f5c6124c665b24989d15dd61f0f2b Mon Sep 17 00:00:00 2001 From: rapt0r Date: Sun, 20 Oct 2024 16:00:17 +0900 Subject: [PATCH 08/12] doc: add description for AFL_GCC_DISABLE_VERSION_CHECK --- docs/env_variables.md | 5 +++++ src/afl-cc.c | 2 ++ 2 files changed, 7 insertions(+) diff --git a/docs/env_variables.md b/docs/env_variables.md index d0789105..d1edb6fd 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -326,6 +326,11 @@ mode. [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. + Setting `AFL_GCC_DISABLE_VERSION_CHECK=1` will disable the GCC plugin + version check if the target GCC plugin differs from the system-installed + version, resolving issues caused by version mismatches between GCC and + the plugin. + Setting `AFL_GCC_OUT_OF_LINE=1` will instruct afl-gcc-fast to instrument the code with calls to an injected subroutine instead of the much more efficient inline instrumentation. diff --git a/src/afl-cc.c b/src/afl-cc.c index 677a6b2f..6f634b53 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -2958,6 +2958,8 @@ static void maybe_usage(aflcc_state_t *aflcc, int argc, char **argv) { SAYF( "\nGCC Plugin-specific environment variables:\n" " AFL_GCC_CMPLOG: log operands of comparisons (RedQueen mutator)\n" + " AFL_GCC_DISABLE_VERSION_CHECK: disable GCC plugin version " + "control\n" " AFL_GCC_OUT_OF_LINE: disable inlined instrumentation\n" " AFL_GCC_SKIP_NEVERZERO: do not skip zero on trace counters\n" " AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by " From 1efb7c8a8b54c3ff236701221e532481ea63b575 Mon Sep 17 00:00:00 2001 From: dergoegge Date: Wed, 21 Aug 2024 10:37:39 +0100 Subject: [PATCH 09/12] Make __AFL_COVERAGE_START_OFF work for targets with "small" maps --- instrumentation/afl-compiler-rt.o.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 0da689b2..6084880f 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -630,22 +630,22 @@ static void __afl_map_shm(void) { __afl_area_ptr_dummy = (u8 *)malloc(__afl_map_size); - if (__afl_area_ptr_dummy) { + } - if (__afl_selective_coverage_start_off) { + if (__afl_area_ptr_dummy) { - __afl_area_ptr = __afl_area_ptr_dummy; + if (__afl_selective_coverage_start_off) { - } - - } else { - - fprintf(stderr, "Error: __afl_selective_coverage failed!\n"); - __afl_selective_coverage = 0; - // continue; + __afl_area_ptr = __afl_area_ptr_dummy; } + } else { + + fprintf(stderr, "Error: __afl_selective_coverage failed!\n"); + __afl_selective_coverage = 0; + // continue; + } } From 577b286508a72114d607e41ec37f6f201e9e5ce6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 28 Oct 2024 09:52:51 +0100 Subject: [PATCH 10/12] fix explanation how to obtain the map size --- docs/Changelog.md | 1 + instrumentation/afl-compiler-rt.o.c | 6 ++++++ src/afl-forkserver.c | 6 +++--- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 8a445084..1d6d9060 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -39,6 +39,7 @@ AFL_LLVM_INSTRUMENT=CLASSIC - new compile time variable: `AFL_OPT_LEVEL` to set a specific optimization level, default is `3` + - correctly explain how to get the correct map size for large targets - code formatting updated to llvm 18 - improved custom_mutators/aflpp/standalone/aflpp-standalone - added custom_mutators/autotokens/standalone/autotokens-standalone diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 6084880f..075d4d29 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -367,6 +367,12 @@ static void __afl_map_shm(void) { } + if (__afl_debug) { + + fprintf(stderr, "DEBUG: AFL_MAP_SIZE=%u\n", __afl_map_size); + + } + if (__afl_final_loc > MAP_SIZE) { char *ptr; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 51299009..9f619c14 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -495,9 +495,9 @@ static void report_error_and_exit(int error) { FATAL( "AFL_MAP_SIZE is not set and fuzzing target reports that the " "required size is very large. Solution: Run the fuzzing target " - "stand-alone with the environment variable AFL_DEBUG=1 set and set " - "the value for __afl_final_loc in the AFL_MAP_SIZE environment " - "variable for afl-fuzz."); + "stand-alone with the environment variable AFL_DUMP_MAP_SIZE=1 set " + "the displayed value in the AFL_MAP_SIZE environment variable for " + "afl-fuzz."); break; case FS_ERROR_MAP_ADDR: FATAL( From a9bda37d1816b67cd2fbeae41a0e132dfbd69e3f Mon Sep 17 00:00:00 2001 From: Michael Mior Date: Tue, 29 Oct 2024 12:28:22 -0400 Subject: [PATCH 11/12] Add JSON Schema dictionary --- dictionaries/jsonschema.dict | 120 +++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 dictionaries/jsonschema.dict diff --git a/dictionaries/jsonschema.dict b/dictionaries/jsonschema.dict new file mode 100644 index 00000000..8a32c6f3 --- /dev/null +++ b/dictionaries/jsonschema.dict @@ -0,0 +1,120 @@ +# +# AFL dictionary for JSON Schema +# https://json-schema.org/ +# ----------------------- +# + +"\"$schema\"" +"\"$id\"" +"\"$ref\"" +"\"$defs\"" +"\"definitions\"" +"\"enum\"" +"\"const\"" +"\"type\"" + +# Annotations + +"\"title\"" +"\"description\"" +"\"default\"" +"\"examples\"" +"\"$comment\"" +"\"readOnly\"" +"\"writeOnly\"" +"\"deprecated\"" + +# Types + +"\"string\"" +"\"integer\"" +"\"number\"" +"\"object\"" +"\"array\"" +"\"null\"" +"\"boolean\"" + +# String + +"\"minLength\"" +"\"maxLength\"" +"\"pattern\"" +"\"format\"" +"\"contentMediaType\"" +"\"contentEncoding\"" +"\"contentSchema\"" + +# Formats + +"\"date-time\"" +"\"time\"" +"\"date\"" +"\"duration\"" +"\"email\"" +"\"idn-email\"" +"\"hostname\"" +"\"idn-hostname\"" +"\"ipv4\"" +"\"ipv6\"" +"\"uuid\"" +"\"uri\"" +"\"uri-reference\"" +"\"iri\"" +"\"iri-reference\"" +"\"uri-template\"" +"\"json-pointer\"" +"\"relative-json-pointer\"" +"\"regex\"" + +# Numeric + +"\"multipleOf\"" +"\"minimum\"" +"\"exclusiveMinimum\"" +"\"maximum\"" +"\"exclusiveMaximum\"" + +# Object + +"\"properties\"" +"\"patternProperties\"" +"\"additionalProperties\"" +"\"unevaluatedProperties\"" +"\"required\"" +"\"propertyNames\"" +"\"minProperties\"" +"\"maxProperties\"" +"\"dependencies\"" + +# Array + +"\"items\"" +"\"prefixItems\"" +"\"additionalItems\"" +"\"unevaluatedItems\"" +"\"contains\"" +"\"minContains\"" +"\"maxContains\"" +"\"minItems\"" +"\"maxItems\"" +"\"uniqueItems\"" + +# Booleans + +"true" +"false" + +# Composition + +"\"allOf\"" +"\"anyOf\"" +"\"oneOf\"" +"\"not\"" + +# Conditions + +"\"dependentRequired\"" +"\"dependentSchemas\"" +"\"if\"" +"\"then\"" +"\"else\"" From d1fd072b793cba16c28249abefe73ecb7feae4f2 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 30 Oct 2024 10:55:38 +0100 Subject: [PATCH 12/12] fix --- instrumentation/afl-compiler-rt.o.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 075d4d29..77a9623c 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -419,7 +419,7 @@ static void __afl_map_shm(void) { if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); } - if (val > MAP_INITIAL_SIZE) { + if (val > MAP_INITIAL_SIZE && val > __afl_final_loc) { __afl_map_size = val;