Merge pull request #2172 from AFLplusplus/dev

push to stable
van Hauser
2024-07-24 14:50:57 +02:00
committed by GitHub
9 changed files with 52 additions and 33 deletions

.gitignore vendored

@ -6,6 +6,7 @@
*.pyc
*.so
*.swp
.DS_Store
.sync_tmp
.test
.test2


@ -61,7 +61,6 @@ LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || e
LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
LLVM_STDCXX := gnu++11
LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
LLVM_LTO := 0
LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' && echo 1 || echo 0)
# Uncomment to see the values assigned above
@ -112,10 +111,6 @@ ifeq "$(LLVM_LTO)" "0"
$(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.)
endif
ifeq "$(LLVM_APPLE_XCODE)" "1"
$(warning llvm_mode will not compile with Xcode clang...)
endif
# We were using llvm-config --bindir to get the location of clang, but
# this seems to be busted on some distros, so using the one in $PATH is
# probably better.
@ -123,6 +118,11 @@ endif
CC = $(LLVM_BINDIR)/clang
CXX = $(LLVM_BINDIR)/clang++
LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
ifeq "$(LLVM_APPLE_XCODE)" "1"
$(warning llvm_mode will not compile with Xcode clang...)
endif
# llvm-config --bindir may not providing a valid path, so ...
ifeq "$(shell test -e $(CC) || echo 1 )" "1"
# however we must ensure that this is not a "CC=gcc make"
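Review bot: The relocated `LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple ...)` probe now runs against `$(LLVM_BINDIR)/clang` before the `test -e $(CC)` check two lines below verifies that the binary exists. If it does not, the shell error is swallowed by `2>&1 | grep -q` and the variable silently becomes 0, while whatever CC the fallback branch below the hunk selects is never probed. If the fallback can pick a different compiler, move the probe after that branch or repeat it there; otherwise a comment such as `# probed before the existence check: a missing clang simply yields 0` would make the ordering intentional. The `ifeq` that starts at the end of the hunk closes outside it, so I cannot see which CC the fallback uses.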


@ -112,12 +112,12 @@ if [ -z "$NO_COLOR" ]; then
fi
PLATFORM=`uname -s`
if [ "$PLATFORM" = "Linux" ] ; then
CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
else
#if [ "$PLATFORM" = "Linux" ] ; then
# CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
#else
# This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux
CUR_TIME=`date +%s`
fi
#fi
TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
trap "rm -f $TMP" 1 2 3 13 15
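Review bot: The comment `# This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux` now sits above the only remaining assignment, so it describes a fallback that no longer exists and will mislead the next reader into thinking `date +%s` is a degraded path. Reword it to `# Use epoch seconds on every platform; the Linux-only /proc/uptime path was removed`, and delete the commented-out `#if`/`#else`/`#fi` skeleton instead of keeping it as dead text. While here, the `mktemp` line repeats the `mktemp -p /data/local/tmp` fallback twice; the duplicate is pre-existing but can be dropped.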


@ -13,6 +13,8 @@
- improved seed selection algorithm
- added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send()
function after the target has been restarted.
- because of bad math and undefined behaviour fixes we have to change
the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS**
- frida_mode:
- AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
a function entry


@ -39,18 +39,18 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) {
address = base + index + mem->disp;
if ((operand->access & CS_AC_READ) == CS_AC_READ) {
asan_loadN(address, asan_ctx->size);
}
if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) {
asan_storeN(address, asan_ctx->size);
}
if ((operand->access & CS_AC_READ) == CS_AC_READ) {
asan_loadN(address, asan_ctx->size);
}
}
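Review bot: The `CS_AC_READ` check is moved after the `CS_AC_WRITE` check, so an operand with both access bits now reports the store before the load, but nothing in the code records why the order matters and a later reader is likely to "restore" load-then-store. Add a one-line comment above the `CS_AC_WRITE` branch stating the reason, along the lines of `/* report the store before the load for read-modify-write operands; order is intentional */`, replacing the wording with the actual motivation, which this hunk does not show. asan_callout's body starts outside the hunk.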
void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {


@ -818,6 +818,9 @@ void instrument_coverage_unstable_find_output(void) {
GDir *dir = g_dir_open(fds_name, 0, NULL);
gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT");
gchar *instance_name = g_path_get_basename(path_tmp);
FVERBOSE("Coverage Unstable - fds: %s", fds_name);
for (const gchar *filename = g_dir_read_name(dir); filename != NULL;
@ -829,7 +832,7 @@ void instrument_coverage_unstable_find_output(void) {
if (link == NULL) { FFATAL("Failed to read link: %s", fullname); }
gchar *basename = g_path_get_basename(link);
if (g_strcmp0(basename, "default") != 0) {
if (g_strcmp0(basename, instance_name) != 0) {
g_free(basename);
g_free(link);
@ -874,6 +877,8 @@ void instrument_coverage_unstable_find_output(void) {
}
g_dir_close(dir);
g_free(instance_name);
g_free(path_tmp);
g_free(fds_name);
if (unstable_coverage_fuzzer_stats == NULL) {
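Review bot: `g_free(path_tmp)` in the third hunk frees the pointer returned by `getenv("AFL_CUSTOM_INFO_OUT")`, which points into the process environment rather than the heap, so this is an invalid free and undefined behaviour. In the first hunk the same value is passed to `g_path_get_basename` without a NULL check, so an unset variable produces a NULL `instance_name` and every entry then fails the `g_strcmp0(basename, instance_name) != 0` test and is skipped silently. Drop the `g_free(path_tmp)` line and guard the lookup: `gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT");` / `if (path_tmp == NULL) { FFATAL("AFL_CUSTOM_INFO_OUT is not set"); }` / `gchar *instance_name = g_path_get_basename(path_tmp);`. The unchecked `g_dir_open(fds_name, 0, NULL)` result on the context line above is pre-existing but deserves the same treatment. instrument_coverage_unstable_find_output starts and ends outside these hunks.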


@ -53,21 +53,24 @@ struct cmp_header { // 16 bit = 2 bytes
struct cmp_operands {
u64 v0;
u64 v1;
u64 v0_128;
u64 v0_256_0; // u256 is unsupported by any compiler for now, so future use
u64 v0_256_1;
u64 v1;
u64 v1_128;
u64 unused;
u8 unused1;
u8 unused2;
u64 v1_256_0;
u64 v1_256_1;
u8 unused[8];
} __attribute__((packed));
struct cmpfn_operands {
u8 v0[32];
u8 v0_len;
u8 v1[32];
u8 v0_len;
u8 v1_len;
u8 unused[6];
} __attribute__((packed));
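Review bot: After the reshuffle both packed structs come to 72 bytes (eight `u64` plus `u8 unused[8]`, and `32 + 32 + 1 + 1 + 6`), and the field reordering in `cmpfn_operands` looks deliberate to keep them equal in size, but nothing enforces it, and the changelog in this same PR says the map layout change already forces a recompile of every CMPLOG target. Pin the invariant next to the definitions with `_Static_assert(sizeof(struct cmp_operands) == sizeof(struct cmpfn_operands), "cmplog operand structs must be the same size");` (use `static_assert` if this header is also compiled as C++), and add a comment on `unused[8]` stating that the padding exists to match `cmpfn_operands`, if that is the intent. The enclosing `cmp_header` context starts outside the hunk.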


@ -872,7 +872,7 @@ static void __afl_start_forkserver(void) {
__afl_old_forkserver = 1;
status = 0;
if (__afl_final_loc && __afl_final_loc > MAP_SIZE) {
if (__afl_final_loc > MAP_SIZE) {
fprintf(stderr,
"Warning: AFL_OLD_FORKSERVER is used with a target compiled with "
@ -969,13 +969,13 @@ static void __afl_start_forkserver(void) {
/* Wait for parent by reading from the pipe. Abort if read fails. */
if (already_read_first) {
if (unlikely(already_read_first)) {
already_read_first = 0;
} else {
if (read(FORKSRV_FD, &was_killed, 4) != 4) {
if (unlikely(read(FORKSRV_FD, &was_killed, 4) != 4)) {
write_error("read from AFL++ tool");
_exit(1);
@ -1014,10 +1014,10 @@ static void __afl_start_forkserver(void) {
condition and afl-fuzz already issued SIGKILL, write off the old
process. */
if (child_stopped && was_killed) {
if (unlikely(child_stopped && was_killed)) {
child_stopped = 0;
if (waitpid(child_pid, &status, 0) < 0) {
if (unlikely(waitpid(child_pid, &status, 0) < 0)) {
write_error("child_stopped && was_killed");
_exit(1);
@ -1026,12 +1026,12 @@ static void __afl_start_forkserver(void) {
}
if (!child_stopped) {
if (unlikely(!child_stopped)) {
/* Once woken up, create a clone of our process. */
child_pid = fork();
if (child_pid < 0) {
if (unlikely(child_pid < 0)) {
write_error("fork");
_exit(1);
@ -1040,7 +1040,7 @@ static void __afl_start_forkserver(void) {
/* In child process: close fds, resume execution. */
if (!child_pid) {
if (unlikely(!child_pid)) { // just to signal afl-fuzz faster
//(void)nice(-20);
@ -1065,14 +1065,15 @@ static void __afl_start_forkserver(void) {
/* In parent process: write PID to pipe, then wait for child. */
if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) {
if (unlikely(write(FORKSRV_FD + 1, &child_pid, 4) != 4)) {
write_error("write to afl-fuzz");
_exit(1);
}
if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) {
if (unlikely(waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) <
0)) {
write_error("waitpid");
_exit(1);
@ -1083,11 +1084,11 @@ static void __afl_start_forkserver(void) {
a successful run. In this case, we want to wake it up without forking
again. */
if (WIFSTOPPED(status)) child_stopped = 1;
if (likely(WIFSTOPPED(status))) { child_stopped = 1; }
/* Relay wait status to pipe, then loop back. */
if (write(FORKSRV_FD + 1, &status, 4) != 4) {
if (unlikely(write(FORKSRV_FD + 1, &status, 4) != 4)) {
write_error("writing to afl-fuzz");
_exit(1);
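Review bot: `if (likely(WIFSTOPPED(status))) { child_stopped = 1; }` in the hunk at 1084 is only accurate in persistent mode; the `waitpid` a few lines earlier passes `WUNTRACED` only when `is_persistent` is set, so in the non-persistent path the child always exits and the branch is never taken, which makes `likely` a mis-hint there. Either drop the annotation or make the condition express what it depends on, `if (is_persistent && WIFSTOPPED(status)) { child_stopped = 1; }`, which is equivalent since stops are not reported without `WUNTRACED`. The awkward wrap of `if (unlikely(waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) <` across two lines would read better with the `waitpid` result assigned to a local first. `__afl_start_forkserver` starts and ends outside these hunks.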


@ -661,6 +661,13 @@ bool AFLdict2filePass::runOnModule(Module &M) {
Value *op2 = callInst->getArgOperand(2);
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
if (!ilen) {
op2 = callInst->getArgOperand(1);
ilen = dyn_cast<ConstantInt>(op2);
}
if (ilen) {
uint64_t literalLength = optLen;