ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 11:28:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into atat-plusplus

Browse Source
This commit is contained in:
hexcoder
2021-03-17 08:00:32 +01:00
committed by GitHub
parent 62f067ec71 b715050de9
commit d17abce59b
26 changed files with 147 additions and 386 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -65,7 +65,6 @@ qemu_mode/qemu-*
qemu_mode/qemuafl qemu_mode/qemuafl
unicorn_mode/samples/*/\.test-* unicorn_mode/samples/*/\.test-*
unicorn_mode/samples/*/output/ unicorn_mode/samples/*/output/
unicorn_mode/unicornafl
test/unittests/unit_maybe_alloc test/unittests/unit_maybe_alloc
test/unittests/unit_preallocable test/unittests/unit_preallocable
test/unittests/unit_list test/unittests/unit_list

2
.gitmodules vendored
View File

@ -1,6 +1,6 @@
[submodule "unicorn_mode/unicornafl"] [submodule "unicorn_mode/unicornafl"]
path = unicorn_mode/unicornafl path = unicorn_mode/unicornafl
url = https://github.com/AFLplusplus/unicornafl url = https://github.com/aflplusplus/unicornafl
[submodule "custom_mutators/grammar_mutator"] [submodule "custom_mutators/grammar_mutator"]
path = custom_mutators/grammar_mutator/grammar_mutator path = custom_mutators/grammar_mutator/grammar_mutator
url = https://github.com/AFLplusplus/Grammar-Mutator url = https://github.com/AFLplusplus/Grammar-Mutator

4
GNUmakefile
View File

@ -576,7 +576,11 @@ endif
deepclean: clean deepclean: clean
rm -rf unicorn_mode/unicornafl rm -rf unicorn_mode/unicornafl
rm -rf qemu_mode/qemuafl rm -rf qemu_mode/qemuafl
ifeq "$(IN_REPO)" "1"
# NEVER EVER ACTIVATE THAT!!!!! git reset --hard >/dev/null 2>&1 || true # NEVER EVER ACTIVATE THAT!!!!! git reset --hard >/dev/null 2>&1 || true
git checkout unicorn_mode/unicornafl
git checkout qemu_mode/qemuafl
endif
.PHONY: distrib .PHONY: distrib
distrib: all distrib: all

4
README.md
View File

@ -2,9 +2,9 @@
<img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo"> <img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo">
Release Version: [3.10c](https://github.com/AFLplusplus/AFLplusplus/releases) Release Version: [3.11c](https://github.com/AFLplusplus/AFLplusplus/releases)
Github Version: 3.11a Github Version: 3.12a
Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)

13
docs/Changelog.md
View File

@ -8,9 +8,19 @@
Want to stay in the loop on major new features? Join our mailing list by Want to stay in the loop on major new features? Join our mailing list by
sending a mail to <afl-users+subscribe@googlegroups.com>. sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++3.11a (dev) ### Version ++3.12a (dev)
- afl-cc:
- fix cmplog rtn (rare crash and not being able to gather ptr data)
- link runtime not to shared libs
- qemu_mode (thanks @realmadsci):
- move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
- add AFL_QEMU_CUSTOM_BIN
### Version ++3.11c (release)
- afl-fuzz: - afl-fuzz:
- better auto detection of map size
- fix sanitizer settings (bug since 3.10c) - fix sanitizer settings (bug since 3.10c)
- fix an off-by-one overwrite in cmplog
- add non-unicode variants from unicode-looking dictionary entries - add non-unicode variants from unicode-looking dictionary entries
- Rust custom mutator API improvements - Rust custom mutator API improvements
- Imported crash stats painted yellow on resume (only new ones are red) - Imported crash stats painted yellow on resume (only new ones are red)
@ -36,7 +46,6 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- we no longer perform a "git drop" - we no longer perform a "git drop"
- afl-cmin: support filenames with spaces - afl-cmin: support filenames with spaces
### Version ++3.10c (release) ### Version ++3.10c (release)
- Mac OS ARM64 support - Mac OS ARM64 support
- Android support fixed and updated by Joey Jiaojg - thanks! - Android support fixed and updated by Joey Jiaojg - thanks!

4
docs/env_variables.md
View File

@ -393,6 +393,10 @@ checks or alter some of the more exotic semantics of the tool:
- In QEMU mode (-Q), `AFL_PATH` will be searched for afl-qemu-trace. - In QEMU mode (-Q), `AFL_PATH` will be searched for afl-qemu-trace.
- In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip
prepending `afl-qemu-trace` to your command line. Use this if you wish to use a
custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments.
- Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime
a cycle is finished. a cycle is finished.

1
include/common.h
View File

@ -48,7 +48,6 @@ void argv_cpy_free(char **argv);
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv); char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv); char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char * get_afl_env(char *env); char * get_afl_env(char *env);
u8 * get_libqasan_path(u8 *own_loc);
extern u8 be_quiet; extern u8 be_quiet;
extern u8 *doc_path; /* path to documentation dir */ extern u8 *doc_path; /* path to documentation dir */

2
include/config.h
View File

@ -26,7 +26,7 @@
/* Version string: */ /* Version string: */
// c = release, a = volatile github dev, e = experimental branch // c = release, a = volatile github dev, e = experimental branch
#define VERSION "++3.11a" #define VERSION "++3.12a"
/****************************************************** /******************************************************
* * * *

2
include/envs.h
View File

@ -50,6 +50,7 @@ static char *afl_environment_variables[] = {
"AFL_FAST_CAL", "AFL_FAST_CAL",
"AFL_FORCE_UI", "AFL_FORCE_UI",
"AFL_FUZZER_ARGS", // oss-fuzz "AFL_FUZZER_ARGS", // oss-fuzz
"AFL_GDB",
"AFL_GCC_ALLOWLIST", "AFL_GCC_ALLOWLIST",
"AFL_GCC_DENYLIST", "AFL_GCC_DENYLIST",
"AFL_GCC_BLOCKLIST", "AFL_GCC_BLOCKLIST",
@ -130,6 +131,7 @@ static char *afl_environment_variables[] = {
"AFL_PERFORMANCE_FILE", "AFL_PERFORMANCE_FILE",
"AFL_PRELOAD", "AFL_PRELOAD",
"AFL_PYTHON_MODULE", "AFL_PYTHON_MODULE",
"AFL_QEMU_CUSTOM_BIN",
"AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV",
"AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_COMPCOV_DEBUG",
"AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DEBUG_MAPS",

30
instrumentation/afl-compiler-rt.o.c
View File

@ -1730,29 +1730,30 @@ __attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size) {
// to avoid to call it on .text addresses // to avoid to call it on .text addresses
static int area_is_valid(void *ptr, size_t len) { static int area_is_valid(void *ptr, size_t len) {
if (unlikely(__asan_region_is_poisoned(ptr, len))) { return 0; } if (unlikely(!ptr || __asan_region_is_poisoned(ptr, len))) { return 0; }
long r = syscall(__afl_dummy_fd[1], SYS_write, ptr, len); long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len);
if (unlikely(r <= 0 || r > len)) { // fail - maybe hitting asan boundary? if (r <= 0 || r > len) return 0;
char *p = (char *)ptr; // even if the write succeed this can be a false positive if we cross
long page_size = sysconf(_SC_PAGE_SIZE); // a page boundary. who knows why.
char *page = (char *)((uintptr_t)p & ~(page_size - 1)) + page_size;
if (page < p + len) { return 0; } // no isnt, return fail
len -= (p + len - page);
r = syscall(__afl_dummy_fd[1], SYS_write, p, len);
} char *p = (char *)ptr;
long page_size = sysconf(_SC_PAGE_SIZE);
char *page = (char *)((uintptr_t)p & ~(page_size - 1)) + page_size;
// partial writes - we return what was written. if (page > p + len) {
if (likely(r >= 0 && r <= len)) {
// no, not crossing a page boundary
return (int)r; return (int)r;
} else { } else {
return 0; // yes it crosses a boundary, hence we can only return the length of
// rest of the first page, we cannot detect if the next page is valid
// or not, neither by SYS_write nor msync() :-(
return (int)(page - p);
} }
@ -1773,12 +1774,14 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
*/ */
if (unlikely(!__afl_cmp_map)) return; if (unlikely(!__afl_cmp_map)) return;
//fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
int l1, l2; int l1, l2;
if ((l1 = area_is_valid(ptr1, 32)) <= 0 || if ((l1 = area_is_valid(ptr1, 32)) <= 0 ||
(l2 = area_is_valid(ptr2, 32)) <= 0) (l2 = area_is_valid(ptr2, 32)) <= 0)
return; return;
int len = MIN(l1, l2); int len = MIN(l1, l2);
//fprintf(stderr, "RTN2 %u\n", len);
uintptr_t k = (uintptr_t)__builtin_return_address(0); uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
@ -1809,6 +1812,7 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
ptr1, len); ptr1, len);
__builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
ptr2, len); ptr2, len);
//fprintf(stderr, "RTN3\n");
} }

29
instrumentation/afl-llvm-common.cc
View File

@ -60,7 +60,7 @@ bool isIgnoreFunction(const llvm::Function *F) {
"asan.", "asan.",
"llvm.", "llvm.",
"sancov.", "sancov.",
"__ubsan_", "__ubsan",
"ign.", "ign.",
"__afl", "__afl",
"_fini", "_fini",
@ -69,13 +69,16 @@ bool isIgnoreFunction(const llvm::Function *F) {
"__msan", "__msan",
"__cmplog", "__cmplog",
"__sancov", "__sancov",
"__san",
"__cxx_", "__cxx_",
"__decide_deferred",
"_GLOBAL", "_GLOBAL",
"_ZZN6__asan",
"_ZZN6__lsan",
"msan.", "msan.",
"LLVMFuzzerM", "LLVMFuzzerM",
"LLVMFuzzerC", "LLVMFuzzerC",
"LLVMFuzzerI", "LLVMFuzzerI",
"__decide_deferred",
"maybe_duplicate_stderr", "maybe_duplicate_stderr",
"discard_output", "discard_output",
"close_stdout", "close_stdout",
@ -91,6 +94,28 @@ bool isIgnoreFunction(const llvm::Function *F) {
} }
static const char *ignoreSubstringList[] = {
"__asan",
"__msan",
"__ubsan",
"__lsan",
"__san",
"__sanitize",
"__cxx",
"_GLOBAL__",
"DebugCounter",
"DwarfDebug",
"DebugLoc"
};
for (auto const &ignoreListFunc : ignoreSubstringList) {
if (F->getName().contains(ignoreListFunc)) { return true; }
}
return false; return false;
} }

2
qemu_mode/QEMUAFL_VERSION
View File

@ -1 +1 @@
d1ca56b84e 0fb212daab

2
qemu_mode/libqasan/hooks.c
View File

@ -51,6 +51,7 @@ ssize_t write(int fd, const void *buf, size_t count) {
void *rtv = __builtin_return_address(0); void *rtv = __builtin_return_address(0);
QASAN_DEBUG("%14p: write(%d, %p, %zu)\n", rtv, fd, buf, count); QASAN_DEBUG("%14p: write(%d, %p, %zu)\n", rtv, fd, buf, count);
QASAN_LOAD(buf, count);
ssize_t r = __lq_libc_write(fd, buf, count); ssize_t r = __lq_libc_write(fd, buf, count);
QASAN_DEBUG("\t\t = %zd\n", r); QASAN_DEBUG("\t\t = %zd\n", r);
@ -63,6 +64,7 @@ ssize_t read(int fd, void *buf, size_t count) {
void *rtv = __builtin_return_address(0); void *rtv = __builtin_return_address(0);
QASAN_DEBUG("%14p: read(%d, %p, %zu)\n", rtv, fd, buf, count); QASAN_DEBUG("%14p: read(%d, %p, %zu)\n", rtv, fd, buf, count);
QASAN_STORE(buf, count);
ssize_t r = __lq_libc_read(fd, buf, count); ssize_t r = __lq_libc_read(fd, buf, count);
QASAN_DEBUG("\t\t = %zd\n", r); QASAN_DEBUG("\t\t = %zd\n", r);

6
qemu_mode/libqasan/malloc.c
View File

@ -159,6 +159,9 @@ size_t __libqasan_malloc_usable_size(void *ptr) {
char *p = ptr; char *p = ptr;
p -= sizeof(struct chunk_begin); p -= sizeof(struct chunk_begin);
// Validate that the chunk marker is readable (a crude check
// to verify that ptr is a valid malloc region before we dereference it)
QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
return ((struct chunk_begin *)p)->requested_size; return ((struct chunk_begin *)p)->requested_size;
} }
@ -225,6 +228,9 @@ void __libqasan_free(void *ptr) {
struct chunk_begin *p = ptr; struct chunk_begin *p = ptr;
p -= 1; p -= 1;
// Validate that the chunk marker is readable (a crude check
// to verify that ptr is a valid malloc region before we dereference it)
QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
size_t n = p->requested_size; size_t n = p->requested_size;
QASAN_STORE(ptr, n); QASAN_STORE(ptr, n);

2
qemu_mode/qemuafl

Submodule qemu_mode/qemuafl updated: d1ca56b84e...0fb212daab

58
src/afl-analyze.c
View File

@ -822,38 +822,7 @@ static void set_up_environment(void) {
if (qemu_mode) { if (qemu_mode) {
u8 *qemu_preload = getenv("QEMU_SET_ENV"); /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
} else { } else {
@ -1079,31 +1048,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !in_file) { usage(argv[0]); } if (optind == argc || !in_file) { usage(argv[0]); }
if (qemu_mode && getenv("AFL_USE_QASAN")) {
u8 *preload = getenv("AFL_PRELOAD");
u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0);
} else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan);
strcat(result, " ");
strcat(result, preload);
setenv("AFL_PRELOAD", result, 1);
ck_free(result);
}
ck_free(libqasan);
}
map_size = get_map_size(); map_size = get_map_size();
use_hex_offsets = !!get_afl_env("AFL_ANALYZE_HEX"); use_hex_offsets = !!get_afl_env("AFL_ANALYZE_HEX");

63
src/afl-cc.c
View File

@ -959,62 +959,65 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (compiler_mode != GCC && compiler_mode != CLANG) { if (compiler_mode != GCC && compiler_mode != CLANG) {
switch (bit_mode) { switch (bit_mode) {
case 0: case 0:
cc_params[cc_par_cnt++] = if (!shared_linking)
alloc_printf("%s/afl-compiler-rt.o", obj_path);
if (lto_mode)
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto.o", obj_path); alloc_printf("%s/afl-compiler-rt.o", obj_path);
break; if (lto_mode)
cc_params[cc_par_cnt++] =
case 32: alloc_printf("%s/afl-llvm-rt-lto.o", obj_path);
cc_params[cc_par_cnt++] = break;
alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m32 is not supported by your compiler");
if (lto_mode) {
case 32:
if (!shared_linking)
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path); alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK)) if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m32 is not supported by your compiler"); FATAL("-m32 is not supported by your compiler");
if (lto_mode) {
} cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m32 is not supported by your compiler");
break; }
case 64: break;
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m64 is not supported by your compiler");
if (lto_mode) {
case 64:
if (!shared_linking)
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path); alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK)) if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m64 is not supported by your compiler"); FATAL("-m64 is not supported by your compiler");
if (lto_mode) {
} cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m64 is not supported by your compiler");
break; }
} break;
}
#if !defined(__APPLE__) && !defined(__sun) #if !defined(__APPLE__) && !defined(__sun)
if (!shared_linking) if (!shared_linking)
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif #endif
}
#if defined(USEMMAP) && !defined(__HAIKU__) #if defined(USEMMAP) && !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt"; cc_params[cc_par_cnt++] = "-lrt";
#endif #endif
}
#endif #endif
cc_params[cc_par_cnt] = NULL; cc_params[cc_par_cnt] = NULL;

69
src/afl-common.c
View File

@ -144,6 +144,15 @@ void argv_cpy_free(char **argv) {
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
if (unlikely(getenv("AFL_QEMU_CUSTOM_BIN"))) {
WARNF(
"AFL_QEMU_CUSTOM_BIN is enabled. "
"You must run your target under afl-qemu-trace on your own!");
return argv;
}
if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); } if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
u8 *tmp, *cp = NULL, *rsl, *own_copy; u8 *tmp, *cp = NULL, *rsl, *own_copy;
@ -333,66 +342,6 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
} }
/* Get libqasan path. */
u8 *get_libqasan_path(u8 *own_loc) {
if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
u8 *tmp, *cp = NULL, *rsl, *own_copy;
tmp = getenv("AFL_PATH");
if (tmp) {
cp = alloc_printf("%s/libqasan.so", tmp);
if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
return cp;
}
own_copy = ck_strdup(own_loc);
rsl = strrchr(own_copy, '/');
if (rsl) {
*rsl = 0;
cp = alloc_printf("%s/libqasan.so", own_copy);
ck_free(own_copy);
if (!access(cp, X_OK)) { return cp; }
} else {
ck_free(own_copy);
}
if (!access(AFL_PATH "/libqasan.so", X_OK)) {
if (cp) { ck_free(cp); }
return ck_strdup(AFL_PATH "/libqasan.so");
}
SAYF("\n" cLRD "[-] " cRST
"Oops, unable to find the 'libqasan.so' binary. The binary must be "
"built\n"
" separately by following the instructions in "
"qemu_mode/libqasan/README.md. "
"If you\n"
" already have the binary installed, you may need to specify "
"AFL_PATH in the\n"
" environment.\n");
FATAL("Failed to locate 'libqasan.so'.");
}
/* Find binary, used by analyze, showmap, tmin /* Find binary, used by analyze, showmap, tmin
@returns the path, allocating the string */ @returns the path, allocating the string */

1
src/afl-fuzz-init.c
View File

@ -2592,6 +2592,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
} }
if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
(afl->fsrv.qemu_mode && getenv("AFL_QEMU_CUSTOM_BIN")) ||
afl->non_instrumented_mode) { afl->non_instrumented_mode) {
return; return;

2
src/afl-fuzz-queue.c
View File

@ -325,7 +325,7 @@ static u8 check_if_text(afl_state_t *afl, struct queue_entry *q) {
if (len >= MAX_FILE) len = MAX_FILE - 1; if (len >= MAX_FILE) len = MAX_FILE - 1;
if ((fd = open(q->fname, O_RDONLY)) < 0) return 0; if ((fd = open(q->fname, O_RDONLY)) < 0) return 0;
buf = afl_realloc(AFL_BUF_PARAM(in_scratch), len); buf = afl_realloc(AFL_BUF_PARAM(in_scratch), len + 1);
comp = read(fd, buf, len); comp = read(fd, buf, len);
close(fd); close(fd);
if (comp != (ssize_t)len) return 0; if (comp != (ssize_t)len) return 0;

75
src/afl-fuzz.c
View File

@ -1022,32 +1022,6 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (afl->fsrv.qemu_mode && getenv("AFL_USE_QASAN")) {
u8 *preload = getenv("AFL_PRELOAD");
u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0);
} else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan);
strcat(result, " ");
strcat(result, preload);
setenv("AFL_PRELOAD", result, 1);
ck_free(result);
}
afl->afl_env.afl_preload = (u8 *)getenv("AFL_PRELOAD");
ck_free(libqasan);
}
if (afl->fsrv.mem_limit && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260; if (afl->fsrv.mem_limit && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260;
OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
@ -1312,38 +1286,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->fsrv.qemu_mode) { if (afl->fsrv.qemu_mode) {
u8 *qemu_preload = getenv("QEMU_SET_ENV"); /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 j, afl_preload_size = strlen(afl_preload);
for (j = 0; j < afl_preload_size; ++j) {
if (afl_preload[j] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
} else { } else {
@ -1596,9 +1539,9 @@ int main(int argc, char **argv_orig, char **envp) {
&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); &afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
// only reinitialize when it makes sense // only reinitialize when it makes sense
if ((map_size < new_map_size || if ((map_size < new_map_size /*||
(new_map_size != MAP_SIZE && new_map_size < map_size && (new_map_size != MAP_SIZE && new_map_size < map_size &&
map_size - new_map_size > MAP_SIZE))) { map_size - new_map_size > MAP_SIZE)*/)) {
OKF("Re-initializing maps to %u bytes", new_map_size); OKF("Re-initializing maps to %u bytes", new_map_size);
@ -1627,8 +1570,6 @@ int main(int argc, char **argv_orig, char **envp) {
} }
afl->fsrv.map_size = map_size;
} }
if (afl->cmplog_binary) { if (afl->cmplog_binary) {
@ -1680,21 +1621,23 @@ int main(int argc, char **argv_orig, char **envp) {
setenv("AFL_NO_AUTODICT", "1", 1); // loaded already setenv("AFL_NO_AUTODICT", "1", 1); // loaded already
afl->fsrv.trace_bits = afl->fsrv.trace_bits =
afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode);
afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits;
afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
afl->afl_env.afl_debug_child); afl->afl_env.afl_debug_child);
afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,
afl->afl_env.afl_debug_child); afl->afl_env.afl_debug_child);
} else {
afl->cmplog_fsrv.map_size = new_map_size;
} }
OKF("Cmplog forkserver successfully started"); OKF("Cmplog forkserver successfully started");
} }
if (afl->debug) {
printf("NORMAL %u, CMPLOG %u\n", afl->fsrv.map_size, afl->cmplog_fsrv.map_size);
fprintf(stderr, "NORMAL %u, CMPLOG %u\n", afl->fsrv.map_size, afl->cmplog_fsrv.map_size);
}
load_auto(afl); load_auto(afl);
if (extras_dir_cnt) { if (extras_dir_cnt) {

58
src/afl-showmap.c
View File

@ -598,38 +598,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (fsrv->qemu_mode) { if (fsrv->qemu_mode) {
u8 *qemu_preload = getenv("QEMU_SET_ENV"); /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
} else { } else {
@ -945,31 +914,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !out_file) { usage(argv[0]); } if (optind == argc || !out_file) { usage(argv[0]); }
if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
u8 *preload = getenv("AFL_PRELOAD");
u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0);
} else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan);
strcat(result, " ");
strcat(result, preload);
setenv("AFL_PRELOAD", result, 1);
ck_free(result);
}
ck_free(libqasan);
}
if (in_dir) { if (in_dir) {
if (!out_file && !collect_coverage) if (!out_file && !collect_coverage)

58
src/afl-tmin.c
View File

@ -753,38 +753,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (fsrv->qemu_mode) { if (fsrv->qemu_mode) {
u8 *qemu_preload = getenv("QEMU_SET_ENV"); /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
} else { } else {
@ -1079,31 +1048,6 @@ int main(int argc, char **argv_orig, char **envp) {
check_environment_vars(envp); check_environment_vars(envp);
setenv("AFL_NO_AUTODICT", "1", 1); setenv("AFL_NO_AUTODICT", "1", 1);
if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
u8 *preload = getenv("AFL_PRELOAD");
u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0);
} else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan);
strcat(result, " ");
strcat(result, preload);
setenv("AFL_PRELOAD", result, 1);
ck_free(result);
}
ck_free(libqasan);
}
/* initialize cmplog_mode */ /* initialize cmplog_mode */
shm.cmplog_mode = 0; shm.cmplog_mode = 0;

2
test/test-llvm.sh
View File

@ -164,7 +164,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
echo ZZZZ > in/in echo ZZZZ > in/in
$ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds" $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds"
{ {
AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 1 -V45 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 123 -V50 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1
} >>errors 2>&1 } >>errors 2>&1
test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && { test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && {
$ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly"

33
utils/afl_network_proxy/afl-network-server.c
View File

@ -237,38 +237,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (fsrv->qemu_mode) { if (fsrv->qemu_mode) {
u8 *qemu_preload = getenv("QEMU_SET_ENV"); /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
afl_free(buf);
} else { } else {

10
utils/aflpp_driver/aflpp_driver.c
View File

@ -208,6 +208,16 @@ int main(int argc, char **argv) {
"======================================================\n", "======================================================\n",
argv[0], argv[0]); argv[0], argv[0]);
if (getenv("AFL_GDB")) {
char cmd[64];
snprintf(cmd, sizeof(cmd), "cat /proc/%d/maps", getpid());
system(cmd);
fprintf(stderr, "DEBUG: aflpp_driver pid is %d\n", getpid());
sleep(1);
}
output_file = stderr; output_file = stderr;
maybe_duplicate_stderr(); maybe_duplicate_stderr();
maybe_close_fd_mask(); maybe_close_fd_mask();