ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 01:58:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1880 from AFLplusplus/dev

Browse Source 
push to stable
This commit is contained in:
van Hauser
2023-10-03 10:36:21 +02:00
committed by GitHub
parent 1c582b6aee 63100d2012
commit d09950f4bb
9 changed files with 107 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
GNUmakefile
View File

@ -32,7 +32,7 @@ VERSION = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f
# PROGS intentionally omit afl-as, which gets installed elsewhere. # PROGS intentionally omit afl-as, which gets installed elsewhere.
PROGS = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze PROGS = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
SH_PROGS = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config afl-persistent-config afl-cc SH_PROGS = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-addseeds afl-system-config afl-persistent-config afl-cc
MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8 MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
ASAN_OPTIONS=detect_leaks=0 ASAN_OPTIONS=detect_leaks=0

54
afl-addseeds Executable file
View File

@ -0,0 +1,54 @@
#!/bin/sh
test -z "$1" -o "$1" = "-h" -o "$1" = "--help" && {
echo Syntax: afl-addseeds -o afl-out-dir [-i seed_file_or_dir] seed_file_or_seed_dir seed_file_or_seed_dir ...
echo
echo Options:
echo " -o afl-out-dir the output directory being used in the fuzzing campaign"
echo " -i seed_file_or_dir file or directory of files to add"
echo
echo Adds new seeds to an existing AFL++ fuzzing campaign.
exit 0
}
for TOOL in find ls; do
X=`which $TOOL`
test -n "$X" || { echo "Error: required tool '$TOOL' not found."; exit 1; }
done
TEST=`printf %06d 123 2>/dev/null`
test "$TEST" = "000123" || { echo "Error: required tool 'printf' not found."; exit 1; }
OUT=
NEXT=
for i in $*; do
test -n "$NEXT" && { OUT=$i ; NEXT=""; }
test "$i" = "-o" && { NEXT=1; }
done
test -d "$OUT" || { echo Error: $OUT is not an existing directory; exit 1; }
OK=`ls $OUT/*/fuzzer_stats 2>/dev/null`
test -n "$OK" || { echo "Error: $OUT is not an 'afl-fuzz -o ... ' output directory" ; exit 1; }
OUTDIR=$OUT/addseeds/queue
mkdir -p "$OUTDIR" 2>/dev/null
test -d "$OUTDIR" || { echo Error: could not create $OUTDIR ; exit 1 ; }
echo Adding seeds ...
NEXTID=0
for i in $*; do
test -z "$i" -o "$i" = "$OUT" -o "$i" = "-i" -o "$i" = "-o" || {
find "$i" -type f | while read FILE; do
N=xxx
while [ -n "$N" ]; do
ID=$NEXTID
N=`ls "$OUTDIR/id:$(printf %06d $ID),"* 2>/dev/null`
NEXTID=$(($NEXTID + 1))
done
FN=`echo "$FILE" | sed 's/.*\///'`
cp -v "$FILE" "$OUTDIR/id:$(printf %06d $ID),time:0,execs:0,orig:$FN"
done
}
done
echo Done.

1
docs/Changelog.md
View File

@ -19,6 +19,7 @@
- fix for a few string compare transform functions for LAF - fix for a few string compare transform functions for LAF
- frida_mode: - frida_mode:
- fixes support for large map offsets - fixes support for large map offsets
- added new tool afl-addseeds that adds new seeds to a running campaign
- added benchmark/benchmark.sh if you want to see how good your fuzzing - added benchmark/benchmark.sh if you want to see how good your fuzzing
speed is in comparison to other setups. speed is in comparison to other setups.

6
instrumentation/afl-compiler-rt.o.c
View File

@ -666,8 +666,8 @@ static void __afl_map_shm(void) {
} }
if (id_str) { if (id_str) {
// /dev/null doesn't work so we use /dev/urandom
if ((__afl_dummy_fd[1] = open("/dev/null", O_WRONLY)) < 0) { if ((__afl_dummy_fd[1] = open("/dev/urandom", O_WRONLY)) < 0) {
if (pipe(__afl_dummy_fd) < 0) { __afl_dummy_fd[1] = 1; } if (pipe(__afl_dummy_fd) < 0) { __afl_dummy_fd[1] = 1; }
@ -2294,7 +2294,7 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) {
int len1 = strnlen(ptr1, len0); int len1 = strnlen(ptr1, len0);
if (len1 < 31) len1 = area_is_valid(ptr1, len1 + 1); if (len1 < 31) len1 = area_is_valid(ptr1, len1 + 1);
int len2 = strnlen(ptr2, len0); int len2 = strnlen(ptr2, len0);
if (len2 < 31) len2 = area_is_valid(ptr1, len2 + 1); if (len2 < 31) len2 = area_is_valid(ptr2, len2 + 1);
int l = MAX(len1, len2); int l = MAX(len1, len2);
if (l < 2) return; if (l < 2) return;

2
nyx_mode/QEMU-Nyx

Submodule nyx_mode/QEMU-Nyx updated: 874fa033d1...92ed7cefc1

33
src/afl-fuzz-stats.c
View File

@ -778,10 +778,29 @@ void show_stats_normal(afl_state_t *afl) {
if (unlikely(!banner[0])) { if (unlikely(!banner[0])) {
char *si = ""; char *si = "";
char *fuzzer_name;
if (afl->sync_id) { si = afl->sync_id; } if (afl->sync_id) { si = afl->sync_id; }
memset(banner, 0, sizeof(banner)); memset(banner, 0, sizeof(banner));
banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) +
strlen(afl->power_name) + 4 + 6; banner_len = strlen(VERSION) + strlen(si) + strlen(afl->power_name) + 4 + 6;
if (afl->crash_mode) {
fuzzer_name = "peruvian were-rabbit";
} else {
fuzzer_name = "american fuzzy lop";
if (banner_len + strlen(fuzzer_name) + strlen(afl->use_banner) > 75) {
fuzzer_name = "AFL";
}
}
banner_len += strlen(fuzzer_name);
if (strlen(afl->use_banner) + banner_len > 75) { if (strlen(afl->use_banner) + banner_len > 75) {
@ -798,18 +817,16 @@ void show_stats_normal(afl_state_t *afl) {
if (afl->fsrv.nyx_mode) { if (afl->fsrv.nyx_mode) {
snprintf(banner + banner_pad, sizeof(banner) - banner_pad, snprintf(banner + banner_pad, sizeof(banner) - banner_pad,
"%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx", "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx",
afl->crash_mode ? cPIN "peruvian were-rabbit" afl->crash_mode ? cPIN : cYEL, fuzzer_name,
: cYEL "american fuzzy lop",
si, afl->use_banner, afl->power_name); si, afl->use_banner, afl->power_name);
} else { } else {
#endif #endif
snprintf(banner + banner_pad, sizeof(banner) - banner_pad, snprintf(banner + banner_pad, sizeof(banner) - banner_pad,
"%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]",
afl->crash_mode ? cPIN "peruvian were-rabbit" afl->crash_mode ? cPIN : cYEL, fuzzer_name,
: cYEL "american fuzzy lop",
si, afl->use_banner, afl->power_name); si, afl->use_banner, afl->power_name);
#ifdef __linux__ #ifdef __linux__

10
src/afl-fuzz.c
View File

@ -1346,6 +1346,12 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (afl->sync_id && strcmp(afl->sync_id, "addseeds") == 0) {
FATAL("-M/-S name 'addseeds' is a reserved name, choose something else");
}
if (afl->is_main_node == 1 && afl->schedule != FAST && if (afl->is_main_node == 1 && afl->schedule != FAST &&
afl->schedule != EXPLORE) { afl->schedule != EXPLORE) {
@ -2826,7 +2832,9 @@ int main(int argc, char **argv_orig, char **envp) {
if (likely(afl->switch_fuzz_mode && afl->fuzz_mode == 0 && if (likely(afl->switch_fuzz_mode && afl->fuzz_mode == 0 &&
!afl->non_instrumented_mode) && !afl->non_instrumented_mode) &&
unlikely(cur_time > afl->last_find_time + afl->switch_fuzz_mode)) { unlikely(cur_time > (likely(afl->last_find_time) ? afl->last_find_time
: afl->start_time) +
afl->switch_fuzz_mode)) {
if (afl->afl_env.afl_no_ui) { if (afl->afl_env.afl_no_ui) {

21
src/afl-performance.c
View File

@ -1,24 +1,3 @@
/*
Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org)
To the extent possible under law, the author has dedicated all copyright
and related and neighboring rights to this software to the public domain
worldwide. This software is distributed without any warranty.
See <https://creativecommons.org/publicdomain/zero/1.0/>.
This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators.
It has excellent (sub-ns) speed, a state (256 bits) that is large
enough for any parallel application, and it passes all tests we are
aware of.
For generating just floating-point numbers, xoshiro256+ is even faster.
The state must be seeded so that it is not everywhere zero. If you have
a 64-bit seed, we suggest to seed a splitmix64 generator and use its
output to fill s[].
*/
#include <stdint.h> #include <stdint.h>
#include "afl-fuzz.h" #include "afl-fuzz.h"
#include "types.h" #include "types.h"

26
unicorn_mode/helper_scripts/unicorn_dumper_pwndbg.py
View File

@ -40,10 +40,10 @@ import gdb
pwndbg_loaded = False pwndbg_loaded = False
try: try:
import pwndbg.arch import pwndbg.gdblib.arch
import pwndbg.regs import pwndbg.gdblib.regs
import pwndbg.vmmap import pwndbg.gdblib.vmmap
import pwndbg.memory import pwndbg.gdblib.memory
pwndbg_loaded = True pwndbg_loaded = True
@ -64,7 +64,7 @@ INDEX_FILE_NAME = "_index.json"
def map_arch(): def map_arch():
arch = pwndbg.arch.current # from PWNDBG arch = pwndbg.gdblib.arch.current # from PWNDBG
if "x86_64" in arch or "x86-64" in arch: if "x86_64" in arch or "x86-64" in arch:
return "x64" return "x64"
elif "x86" in arch or "i386" in arch: elif "x86" in arch or "i386" in arch:
@ -74,9 +74,9 @@ def map_arch():
elif "aarch64_be" in arch: elif "aarch64_be" in arch:
return "arm64be" return "arm64be"
elif "arm" in arch: elif "arm" in arch:
cpsr = pwndbg.regs["cpsr"] cpsr = pwndbg.gdblib.regs["cpsr"]
# check endianess # check endianess
if pwndbg.arch.endian == "big": if pwndbg.gdblib.arch.endian == "big":
# check for THUMB mode # check for THUMB mode
if cpsr & (1 << 5): if cpsr & (1 << 5):
return "armbethumb" return "armbethumb"
@ -89,7 +89,7 @@ def map_arch():
else: else:
return "armle" return "armle"
elif "mips" in arch: elif "mips" in arch:
if pwndbg.arch.endian == "little": if pwndbg.gdblib.arch.endian == "little":
return "mipsel" return "mipsel"
else: else:
return "mips" return "mips"
@ -109,8 +109,8 @@ def dump_arch_info():
def dump_regs(): def dump_regs():
reg_state = {} reg_state = {}
for reg in pwndbg.regs.all: for reg in pwndbg.gdblib.regs.all:
reg_val = pwndbg.regs[reg] reg_val = pwndbg.gdblib.regs[reg]
# current dumper script looks for register values to be hex strings # current dumper script looks for register values to be hex strings
# reg_str = "0x{:08x}".format(reg_val) # reg_str = "0x{:08x}".format(reg_val)
# if "64" in get_arch(): # if "64" in get_arch():
@ -125,7 +125,7 @@ def dump_process_memory(output_dir):
final_segment_list = [] final_segment_list = []
# PWNDBG: # PWNDBG:
vmmap = pwndbg.vmmap.get() vmmap = pwndbg.gdblib.vmmap.get()
# Pointer to end of last dumped memory segment # Pointer to end of last dumped memory segment
segment_last_addr = 0x0 segment_last_addr = 0x0
@ -165,7 +165,7 @@ def dump_process_memory(output_dir):
if entry.read and not "(deleted)" in entry.objfile: if entry.read and not "(deleted)" in entry.objfile:
try: try:
# Compress and dump the content to a file # Compress and dump the content to a file
seg_content = pwndbg.memory.read(start, end - start) seg_content = pwndbg.gdblib.memory.read(start, end - start)
if seg_content == None: if seg_content == None:
print( print(
"Segment empty: @0x{0:016x} (size:UNKNOWN) {1}".format( "Segment empty: @0x{0:016x} (size:UNKNOWN) {1}".format(
@ -181,7 +181,7 @@ def dump_process_memory(output_dir):
repr(seg_info["permissions"]), repr(seg_info["permissions"]),
) )
) )
compressed_seg_content = zlib.compress(str(seg_content)) compressed_seg_content = zlib.compress(bytes(seg_content))
md5_sum = hashlib.md5(compressed_seg_content).hexdigest() + ".bin" md5_sum = hashlib.md5(compressed_seg_content).hexdigest() + ".bin"
seg_info["content_file"] = md5_sum seg_info["content_file"] = md5_sum