edge id documentation example for sancov

van Hauser
2020-08-03 10:03:45 +02:00
parent 1cddd51662
commit e0d1529061
2 changed files with 26 additions and 4 deletions


@ -103,10 +103,11 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation!
b) For PCGUARD instrumented binaries it is much more difficult. Here you b) For PCGUARD instrumented binaries it is much more difficult. Here you
can either modify the __sanitizer_cov_trace_pc_guard function in can either modify the __sanitizer_cov_trace_pc_guard function in
llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in
__afl_area_ptr[*guard] is one of the unstable edge IDs. Then recompile __afl_area_ptr[*guard] is one of the unstable edge IDs.
and reinstall llvm_mode and rebuild your target. Run the recompiled (Example code is already there).
target with afl-fuzz for a while and then check the file that you Then recompile and reinstall llvm_mode and rebuild your target.
wrote with the backtrace information. Run the recompiled target with afl-fuzz for a while and then check the
file that you wrote with the backtrace information.
Alternatively you can use `gdb` to hook __sanitizer_cov_trace_pc_guard_init Alternatively you can use `gdb` to hook __sanitizer_cov_trace_pc_guard_init
on start, check to which memory address the edge ID value is written on start, check to which memory address the edge ID value is written
and set a write breakpoint to that address (`watch 0x.....`). and set a write breakpoint to that address (`watch 0x.....`).
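Review bot: the new right-hand text "if the ID in __afl_area_ptr[*guard] is one of the unstable edge IDs" conflates the edge ID with its hit counter. In the instrumented `__sanitizer_cov_trace_pc_guard`, `*guard` is the edge ID that `__sanitizer_cov_trace_pc_guard_init` writes at start (the gdb alternative below already describes watching that write), and `__afl_area_ptr[*guard]` is the map byte that gets incremented; the sentence should read "if `*guard` is one of the unstable edge IDs". It would also help the reader if "(Example code is already there)" said where: the commented-out block at the top of `__sanitizer_cov_trace_pc_guard` in llvm_mode/afl-llvm-rt.o.c.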


@ -859,6 +859,27 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
// For stability analysis, if you want to know to which function unstable
// edge IDs belong to - uncomment, recompile+install llvm_mode, recompile
// the target. libunwind and libbacktrace are better solutions.
// Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture
// the backtrace output
/*
uint32_t unstable[] = { ... unstable edge IDs };
uint32_t idx;
char bt[1024];
for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) {
if (unstable[idx] == __afl_area_ptr[*guard]) {
int bt_size = backtrace(bt, 256);
if (bt_size > 0) {
char **bt_syms = backtrace_symbols(bt, bt_size);
if (bt_syms)
fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]);
}
}
}
*/
__afl_area_ptr[*guard]++; __afl_area_ptr[*guard]++;
} }
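Review bot: the commented-out example will not compile once uncommented: the loop declares `idx` but tests and increments `i` (`for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++)`), `bt` is declared as `char bt[1024]` while `backtrace()` takes a `void **` and is asked for 256 entries (an array of 256 pointers, `void *bt[256]`, is what it needs), and `<execinfo.h>` is required for `backtrace`/`backtrace_symbols`. The match condition also looks wrong: `__afl_area_ptr[*guard]` is the hit counter this function increments two lines later, while the edge ID is `*guard`, so it should be `unstable[idx] == *guard`. Finally, `bt_syms[0]` is the frame of `__sanitizer_cov_trace_pc_guard` itself, so the caller is `bt_syms[1]`, and the array returned by `backtrace_symbols` should be `free()`d after the `fprintf`, since this path runs on every hit of an unstable edge.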