initial integration

This commit is contained in:
van Hauser
2020-08-08 20:29:56 +02:00
parent ebc6f52868
commit d8f5502d83
5 changed files with 15 additions and 5 deletions


@ -513,6 +513,7 @@ clean:
$(MAKE) -C examples/argv_fuzzing clean
$(MAKE) -C qemu_mode/unsigaction clean
$(MAKE) -C qemu_mode/libcompcov clean
test -d qemu_taint/qemu && { cd qemu_taint ; ./clean.sh ; }
rm -rf qemu_mode/qemu-3.1.1
ifeq "$(IN_REPO)" "1"
test -d unicorn_mode/unicornafl && $(MAKE) -C unicorn_mode/unicornafl clean || true
@ -523,6 +524,7 @@ endif
deepclean: clean
rm -rf qemu_mode/qemu-3.1.1.tar.xz
rm -rf qemu_taint/qemu
rm -rf unicorn_mode/unicornafl
git reset --hard >/dev/null 2>&1 || true
@ -580,6 +582,7 @@ install: all $(MANPAGES)
install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
rm -f $${DESTDIR}$(BIN_PATH)/afl-as
if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
if [ -f afl-qemu-taint ]; then install -m 755 afl-qemu-taint $${DESTDIR}$(BIN_PATH); fi
if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
if [ -f afl-clang-fast ]; then $(MAKE) -C llvm_mode install; fi
if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
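Review bot: In the first hunk (`clean:`), the added recipe line `test -d qemu_taint/qemu && { cd qemu_taint ; ./clean.sh ; }` makes `make clean` fail with status 1 whenever the qemu_taint checkout is absent, because the line's exit status is that of the failed `test` and nothing catches it (unless the line carries a `-` prefix that this rendering dropped). The neighbouring unicornafl line already handles this with a trailing `|| true`; the same shape applies here: `test -d qemu_taint/qemu && { cd qemu_taint && ./clean.sh ; } || true`. Using `&&` after the `cd` also stops `./clean.sh` from being looked up in the top-level directory should the `cd` fail. The `clean:` rule begins before the hunk.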


@ -123,6 +123,7 @@ static char *afl_environment_variables[] = {
"AFL_SKIP_BIN_CHECK",
"AFL_SKIP_CPUFREQ",
"AFL_SKIP_CRASHES",
"AFL_TAINT_INPUT",
"AFL_TMIN_EXACT",
"AFL_TMPDIR",
"AFL_TOKEN_FILE",


@ -1,9 +1,11 @@
# qemu_taint
First level taint implementation with qemu for linux user mode
**THIS IS NOT WORKING YET** **WIP**
## What is this for
On new queue entries (newly discovered paths into the target) this tainter
is run with the new input and the data gathered which bytes in the input
file are actually touched.
@ -11,17 +13,21 @@ file are actually touched.
Only touched bytes are then fuzzed by afl-fuzz
## How to build
./build_qemu_taint.sh
## How to use
Add the -T flag to afl-fuzz
## Caveats
For some targets this is amazing and improves fuzzing a lot, but if a target
copies all input bytes first (e.g. for creating a crc checksum or just to
safely work with the data), then this is not helping at all.
## Future
Two fuzz modes for a queue entry which will be switched back and forth:
1. fuzz all touched bytes


@ -1,7 +1,7 @@
#!/bin/bash
test -d qemu || git clone https://github.com/vanhauser-thc/qemu_taint qemu || exit 1
cd qemu || exit 1
test -d .git || { git stash ; git pull ; }
cp -fv ../../include/config.h ../../include/types.h .
./build.sh
test -d .git && { git stash ; git pull ; }
cp -fv ../../include/config.h ../../include/types.h . || exit 1
./build.sh || exit 1
cp -fv ./afl-qemu-taint ../..
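Review bot: The script builds and installs `afl-qemu-taint` from whatever `git clone` / `git pull` of `https://github.com/vanhauser-thc/qemu_taint` returns at build time: no commit is pinned and no checksum or signature is checked, so the produced binary is neither reproducible nor protected against the upstream repository changing under the build. Checking out a pinned revision after the clone, e.g. `git checkout "$QEMU_TAINT_REV" || exit 1` with the revision defined at the top of the script (constructed placeholder name), would make the dependency explicit; the `git stash ; git pull ;` block should likewise chain with `&&` so a failed `pull` does not silently go on to build a stale or half-updated tree. Since the hunk covers the whole file, note also that the shebang `#!/bin/bash` differs from the `#!/bin/sh` used by the sibling clean.sh; the two scripts would be easier to reason about with one interpreter.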


@ -1,3 +1,3 @@
#!/bin/sh
rm -f afl-qemu-taint
test -d qemu && rm -f qemu
rm -f afl-qemu-taint qemu/afl-qemu-taint ../afl-qemu-taint
test -d qemu && { cd qemu ; ./clean.sh ; }
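Review bot: On the new last line, `test -d qemu && { cd qemu ; ./clean.sh ; }` still runs `./clean.sh` when the `cd` fails, and because this script is itself `clean.sh` in the current directory, a failed `cd` (for example a permission problem on `qemu`) makes it re-execute itself without bound. Chaining the two commands, `test -d qemu && { cd qemu && ./clean.sh ; }`, removes that path; `test -d qemu && ( cd qemu && ./clean.sh )` would additionally leave the caller's working directory untouched. Whether the cloned repository actually provides `qemu/clean.sh` is not visible in this page.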