From 649a0124d6d20e72d62eedae272385a56fdb18df Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 22 Feb 2020 19:43:41 +0100 Subject: [PATCH 01/20] readme update --- README.md | 50 +++++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 01d61fea..7c609389 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,9 @@ read this file. -## Shameless plug to students and enthusiast developers +## Google Summer of Code 2020 (and any other students and enthusiast developers) + +We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-) We have several ideas we would like to see in AFL++ to make it even better. However we already work on so many things that we do not have the time for @@ -295,6 +297,8 @@ $ ./build_qemu_support.sh For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md). +If possible you should use the persistent mode, see [README.persistent.md](README.persistent.md). + The mode is approximately 2-5x slower than compile-time instrumentation, is less conducive to parallelization, and may have some other quirks. 
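Review bot: the new persistent-mode pointer in the second hunk, `+If possible you should use the persistent mode, see [README.persistent.md](README.persistent.md).`, links a bare file name while every neighbouring link in this README is directory-qualified (`qemu_mode/README.md`, `docs/binaryonly_fuzzing.md`); confirm that README.persistent.md really lives at the repository root, otherwise prefix the directory so the link resolves on GitHub. The sentence also sits inside the QEMU-mode section, so a few words on what persistent mode is being recommended over (compile-time instrumentation versus the 2-5x slower binary-only mode described right below) would make the advice actionable.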
@@ -306,7 +310,17 @@ A more comprehensive description of these and other options can be found in [docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md) -## 5) Power schedules +## 5) Good examples and writeups + +Here are some good writeups to show how to effectibly use AFL++: + + * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) + * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/) + * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1) + +If you find other good ones, please send them to us :-) + +## 6) Power schedules The power schedules were copied from Marcel Böhme's excellent AFLfast implementation and expand on the ability to discover new paths and @@ -333,7 +347,8 @@ made the default mode). More details can be found in the paper published at the 23rd ACM Conference on Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/) -## 6) Choosing initial test cases + +## 7) Choosing initial test cases To operate correctly, the fuzzer requires one or more starting file that contains a good example of the input data normally expected by the targeted @@ -354,7 +369,7 @@ the afl-cmin utility to identify a subset of functionally distinct files that exercise different code paths in the target binary. -## 7) Fuzzing binaries +## 8) Fuzzing binaries The fuzzing process itself is carried out by the afl-fuzz utility. This program requires a read-only directory with initial test cases, a separate place to 
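Review bot: typo in the new section 5 in this hunk: `+Here are some good writeups to show how to effectibly use AFL++:` should read "effectively". Cosmetic, but the same hunk also introduces an extra blank line before `+## 7) Choosing initial test cases` that the other renumbered headings do not have, so the heading spacing in the README becomes inconsistent; keep one blank line as elsewhere.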
@@ -391,8 +406,7 @@ steps, which can take several days, but tend to produce neat test cases. If you want quick & dirty results right away - akin to zzuf and other traditional fuzzers - add the -d option to the command line. - -## 8) Interpreting output +## 9) Interpreting output See the [docs/status_screen.md](docs/status_screen.md) file for information on how to interpret the displayed stats and monitor the health of the process. Be @@ -452,8 +466,7 @@ If you have gnuplot installed, you can also generate some pretty graphs for any active fuzzing task using afl-plot. For an example of how this looks like, see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/). - -## 9) Parallelized fuzzing +## 10) Parallelized fuzzing Every instance of afl-fuzz takes up roughly one core. This means that on multi-core systems, parallelization is necessary to fully utilize the hardware. @@ -464,8 +477,7 @@ The parallel fuzzing mode also offers a simple way for interfacing AFL to other fuzzers, to symbolic or concolic execution engines, and so forth; again, see the last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips. - -## 10) Fuzzer dictionaries +## 12) Fuzzer dictionaries By default, afl-fuzz mutation engine is optimized for compact data formats - say, images, multimedia, compressed data, regular expression syntax, or shell @@ -500,8 +512,7 @@ If a dictionary is really hard to come by, another option is to let AFL run for a while, and then use the token capture library that comes as a companion utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md). - -## 11) Crash triage +## 13) Crash triage The coverage-based grouping of crashes usually produces a small data set that can be quickly triaged manually or with a very simple GDB or Valgrind script. 
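Review bot: the renumbering in this hunk skips a number: `-## 9) Parallelized fuzzing` becomes `+## 10) Parallelized fuzzing`, but the next heading jumps to `+## 12) Fuzzer dictionaries`, so every section from there on (13 Crash triage through 18 Contact) is off by one. Either renumber 12 through 18 down by one or add the section that was meant to be 11. Since other docs in this tree refer to README sections by number (docs/life_pro_tips.md says "See section #7 in README"), those cross-references need to be re-checked against the final numbering as part of this change. While in this region, the unchanged context line `[libtokencap/README.md](libtokencap/README.tokencap.md)` displays one file name and links another; worth fixing in the same edit.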
@@ -549,7 +560,7 @@ insights into complex file formats. More info about its operation can be found near the end of [docs/technical_details.md](docs/technical_details.md). -## 12) Going beyond crashes +## 14) Going beyond crashes Fuzzing is a wonderful and underutilized technique for discovering non-crashing design and implementation errors, too. Quite a few interesting bugs have been @@ -572,8 +583,7 @@ if you are the maintainer of a particular package, you can make this code conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL). - -## 13) Common-sense risks +## 15) Common-sense risks Please keep in mind that, similarly to many other computationally-intensive tasks, fuzzing may put strain on your hardware and on the OS. In particular: @@ -602,8 +612,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular: $ iostat -d 3 -x -k [...optional disk ID...] ``` - -## 14) Known limitations & areas for improvement +## 16) Known limitations & areas for improvement Here are some of the most important caveats for AFL: @@ -643,8 +652,7 @@ Here are some of the most important caveats for AFL: Beyond this, see INSTALL for platform-specific tips. - -## 15) Special thanks +## 17) Special thanks Many of the improvements to the original afl and afl++ wouldn't be possible without feedback, bug reports, or patches from: @@ -696,9 +704,9 @@ without feedback, bug reports, or patches from: ``` Thank you! +(For people sending pull requests - please add yourself to this list :-) - -## 16) Contact +## 18) Contact Questions? Concerns? Bug reports? The contributors can be reached via [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) From 524d792308a5436e2a57f73b0d4036aacac83323 Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Sat, 22 Feb 2020 20:48:36 +0100 Subject: [PATCH 02/20] fix travis weirdness - hopefully --- .travis.yml | 2 ++ src/afl-as.c | 7 +++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index ae34fe0b..c4ad9585 100644 --- a/.travis.yml +++ b/.travis.yml @@ -50,3 +50,5 @@ script: - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi - make tests + - exit 0 + diff --git a/src/afl-as.c b/src/afl-as.c index 72a27cd2..acb026df 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -529,10 +529,9 @@ int main(int argc, char** argv) { "don't want to run this program directly.\n\n" "Rarely, when dealing with extremely complex projects, it may be " - "advisable to\n" - "set AFL_INST_RATIO to a value less than 100 in order to reduce the " - "odds of\n" - "instrumenting every discovered branch.\n\n" + "advisable\n" + "to set AFL_INST_RATIO to a value less than 100 in order to reduce the\n" + "odds of instrumenting every discovered branch.\n\n" "Environment variables used:\n" "AFL_AS: path to assembler to use for instrumented files\n" "AFL_CC: fall back path to assembler\n" From dd4c2604885487365d47f560818defdbf4a3b6e5 Mon Sep 17 00:00:00 2001 From: Ankit Choudhary Date: Sun, 23 Feb 2020 02:31:50 +0530 Subject: [PATCH 03/20] packages at readme (#209) * packages at readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7c609389..b61cbfd0 100644 --- a/README.md +++ b/README.md 
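Review bot: appending `+ - exit 0` as the last entry of the `script:` list in .travis.yml terminates the build shell from inside the script block rather than ending a single step, and it leaves a trailing empty list entry (`+` on the following line). Patch 09 later in this series replaces exactly this line with `travis_terminate 0`, so the two should be squashed so that no intermediate commit carries the known-bad variant. The afl-as.c hunk in the same commit only rewraps the AFL_INST_RATIO help text and is rewrapped again by patch 07; it looks like code-formatter churn and is better kept out of a CI-fix commit.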
@@ -108,6 +108,7 @@ afl++ has many build options. The easiest is to build and install everything: ```shell +$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang $ make distrib $ sudo make install ``` From d23d44a3d5c19d17707731557509181767cdb426 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 23 Feb 2020 09:54:07 +0100 Subject: [PATCH 04/20] fix stupid gcc compiler warnings on arm32 (specified size 4294967284 exceeds maximum object size 2147483647) --- src/afl-common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-common.c b/src/afl-common.c index fee520c9..330b1497 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -112,7 +112,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) { char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); u8 * tmp, *cp, *rsl, *own_copy; - memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); + memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc); new_argv[2] = target_path; new_argv[1] = "--"; @@ -187,7 +187,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) { char** new_argv = ck_alloc(sizeof(char*) * (argc + 3)); u8 * tmp, *cp, *rsl, *own_copy; - memcpy(new_argv + 2, argv + 1, sizeof(char*) * argc); + memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc); new_argv[1] = target_path; From 32281ddcb0f1771b4f3ad6dc3599fa4c42555595 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 23 Feb 2020 12:40:05 +0100 Subject: [PATCH 05/20] fix -m32 on arm 32 bit (is -m32be). make 32 and 64 bit varaints optional --- examples/argv_fuzzing/Makefile | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/examples/argv_fuzzing/Makefile b/examples/argv_fuzzing/Makefile index ab16be87..34192e39 100644 --- a/examples/argv_fuzzing/Makefile +++ b/examples/argv_fuzzing/Makefile 
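Review bot: the README hunk adds `+$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang` directly above `make distrib` without saying that this line is Debian/Ubuntu-specific; a short lead-in ("on Debian/Ubuntu:") saves users of other distributions from a confusing failure at the very first step of the build instructions.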
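Review bot: in both memcpy hunks of src/afl-common.c, `+ memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc);` silences the arm32 warning from the commit subject by performing the size multiplication in signed int and then converting the product back to size_t at the call; that is easy for a later reader to "simplify" back to the original form, which reintroduces the warning. Add a one-line comment naming the gcc warning it works around, and keep the two call sites (get_qemu_argv and get_wine_argv) identical so they can be maintained together.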
@@ -24,18 +24,28 @@ ifneq "$(filter Linux GNU%,$(shell uname))" "" LDFLAGS += -ldl endif +# on gcc for arm there is no -m32, but -mbe32 +M32FLAG = -m32 +M64FLAG = -m64 +ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" + ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)")) + M32FLAG = -mbe32 + endif +endif + + all: argvfuzz32.so argvfuzz64.so argvfuzz32.so: argvfuzz.c - -$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)" + -$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)" argvfuzz64.so: argvfuzz.c - -$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@ + -$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz64 build failure (that's fine)" install: argvfuzz32.so argvfuzz64.so install -d -m 755 $(DESTDIR)$(HELPER_PATH)/ if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi - install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/ + if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi clean: rm -f argvfuzz32.so argvfuzz64.so From f240c5381a3c241cedc74b25f50dca2b40a17b10 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 23 Feb 2020 22:03:51 +0100 Subject: [PATCH 06/20] fix -m32 on arm (-> -m32be), make 64 bit version explicit (do not assume 64 bit as default) --- examples/socket_fuzzing/Makefile | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/examples/socket_fuzzing/Makefile b/examples/socket_fuzzing/Makefile index 0191ba53..ad921664 100644 --- a/examples/socket_fuzzing/Makefile +++ b/examples/socket_fuzzing/Makefile 
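Review bot: the compiler detection in this hunk, `+ ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))`, matches the substring "arm" anywhere in the full `gcc -v` output, which includes the configure command line and installation paths, not only the `Target:` line; matching on the `Target:` line (or on `$(CC) -dumpmachine`) would be far less likely to misfire on a non-ARM host. The flag chosen, `M32FLAG = -mbe32`, is spelled `-m32be` in the commit subject; the two should agree. The `|| echo "argvfuzz64 build failure (that's fine)"` fallback plus the relaxed install rule mean `make install` now succeeds even when neither argvfuzz32.so nor argvfuzz64.so was built, so a final message saying which helpers were actually installed would help users notice.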
@@ -22,18 +22,27 @@ ifneq "$(filter Linux GNU%,$(shell uname))" "" LDFLAGS += -ldl endif +# on gcc for arm there is no -m32, but -mbe32 +M32FLAG = -m32 +M64FLAG = -m64 +ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" + ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)")) + M32FLAG = -mbe32 + endif +endif + all: socketfuzz32.so socketfuzz64.so socketfuzz32.so: socketfuzz.c - -$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)" + -$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)" socketfuzz64.so: socketfuzz.c - -$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@ + -$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz64 build failure (that's fine)" install: socketfuzz32.so socketfuzz64.so install -d -m 755 $(DESTDIR)$(HELPER_PATH)/ if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi - install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/ + if [ -f socketfuzz64.so ]; then set -e; install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi clean: rm -f socketfuzz32.so socketfuzz64.so From f807d7cefbc3c0e71cac6aad5cc28006f6a253be Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 02:45:17 +0100 Subject: [PATCH 07/20] important InsTrim fixes! --- docs/Changelog.md | 8 ++- include/envs.h | 2 +- llvm_mode/LLVMInsTrim.so.cc | 97 ++++++++++++++++++++++++++----------- llvm_mode/afl-llvm-rt.o.c | 2 +- src/afl-as.c | 3 +- src/afl-fuzz-one.c | 4 +- src/afl-fuzz-redqueen.c | 10 ++-- 7 files changed, 88 insertions(+), 38 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 5d781545..0d67e807 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
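Review bot: this hunk copies the M32FLAG/M64FLAG detection block verbatim from examples/argv_fuzzing/Makefile in patch 05; a third helper will copy it again. Factor the block into a small shared include (one `include` line in each Makefile) so the ARM detection and the chosen flags are fixed in one place. As in patch 05, if the ARM gcc rejects `-m64` the way it rejects `-m32`, the 64-bit helper is now silently skipped under the "that's fine" message on every ARM build.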
@@ -17,6 +17,7 @@ sending a mail to . - the memory safety checks are now disabled for a little more speed during fuzzing (only affects creating queue entries), can be toggled in config.h - afl-fuzz: + - MOpt out of bounds writing crash fixed - now prints the real python version support compiled in - set stronger performance compile options and little tweaks - Android: prefer bigcores when selecting a CPU @@ -28,7 +29,12 @@ sending a mail to . - bugfix for dictionary insert stage count (fix via Google repo PR) - added warning if -M is used together with custom mutators with _ONLY option - AFL_TMPDIR checks are now later and better explained if they fail - - llvm_mode InsTrim: no pointless instrumentation of 1 block functions + - llvm_mode + - InsTrim: three bug fixes: + 1. (minor) no pointless instrumentation of 1 block functions + 2. (medium) path bug that leads a few blocks not instrumented that + should be + 3. (major) incorrect prev_loc was written, fixed! - afl-clang-fast: - show in the help output for which llvm version it was compiled for - now does not need to be recompiled between trace-pc and pass diff --git a/include/envs.h b/include/envs.h index 4650dc54..8e6e3731 100644 --- a/include/envs.h +++ b/include/envs.h @@ -59,7 +59,7 @@ const char *afl_environment_variables[] = { "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", - "AFL_NO_X86", // not really an env but we dont want to warn on it + "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_PATH", "AFL_PERFORMANCE_FILE", "AFL_PERSISTENT", diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 08d3f68f..afe89ec7 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc 
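Review bot: the Changelog hunk adds `+ - MOpt out of bounds writing crash fixed`, but the only src/afl-fuzz-one.c changes in this patch are whitespace (`-1` to `- 1`, `-3` to `- 3`); if the MOpt fix landed in an earlier commit the entry is fine, otherwise the fix is missing from this series. The InsTrim entry `+ 2. (medium) path bug that leads a few blocks not instrumented that` reads awkwardly; "path bug that left a few blocks uninstrumented that should have been" says the same. The include/envs.h change on `"AFL_NO_X86", // not really an env but we dont want to warn on it` is whitespace-only and unrelated to the fixes; it would be cleaner in the formatting commit.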
@@ -382,19 +382,64 @@ struct InsTrim : public ModulePass { } - auto *EBB = &F.getEntryBlock(); - if (succ_begin(EBB) == succ_end(EBB)) { - - MS.insert(EBB); - total_rs += 1; - - } + // Bugfix #1: remove single block function instrumentation for (BasicBlock &BB : F) { - if (MS.find(&BB) == MS.end()) { continue; } - IRBuilder<> IRB(&*BB.getFirstInsertionPt()); - IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev); + if (MarkSetOpt && MS.find(&BB) == MS.end()) { + + // Bugfix #2: instrument blocks that should be but InsTrim + // doesn't due to an algorithmic bug + int more_than_one = -1; + + for (pred_iterator PI = pred_begin(&BB), E = pred_end(&BB); PI != E; + ++PI) { + + BasicBlock *Pred = *PI; + int count = 0; + + if (more_than_one == -1) more_than_one = 0; + for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred); + SI != E; ++SI) { + + BasicBlock *Succ = *SI; + if (Succ != NULL) count++; + + } + + if (count > 1) more_than_one = 1; + + } + + if (more_than_one != 1) continue; + for (succ_iterator SI = succ_begin(&BB), E = succ_end(&BB); SI != E; + ++SI) { + + BasicBlock *Succ = *SI; + if (Succ != NULL && MS.find(Succ) == MS.end()) { + + int cnt = 0; + for (succ_iterator SI2 = succ_begin(Succ), E2 = succ_end(Succ); + SI2 != E2; ++SI2) { + + BasicBlock *Succ2 = *SI2; + if (Succ2 != NULL) cnt++; + + } + + if (cnt == 0) { + + // fprintf(stderr, "INSERT!\n"); + MS.insert(Succ); + total_rs += 1; + + } + + } + + } + + } } 
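Review bot: in the Bugfix #2 loop of this hunk the successor iterators never yield null, so `+ if (Succ != NULL) count++;`, `+ if (Succ != NULL && MS.find(Succ) == MS.end()) {` and `+ if (Succ2 != NULL) cnt++;` are dead checks that hide the actual logic (count successors; find successors without successors); drop them and the counters read naturally. The inner `for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred); ...)` redeclares `E` inside the loop that already bound `E` to `pred_end(&BB)`, which compiles but trips -Wshadow and is confusing; name it `SE`. The leftover `+ // fprintf(stderr, "INSERT!\n");` should go before merging. Since the whole block is guarded by `MarkSetOpt`, the Bugfix #2 comment should say the repair only applies in mark-set mode.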
@@ -402,33 +447,24 @@ struct InsTrim : public ModulePass { for (BasicBlock &BB : F) { - auto PI = pred_begin(&BB); - auto PE = pred_end(&BB); if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; } IRBuilder<> IRB(&*BB.getFirstInsertionPt()); Value * L = NULL; - if (PI == PE) { - L = ConstantInt::get(Int32Ty, genLabel()); + auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin()); + DenseMap PredMap; + for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) { - } else { - - auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin()); - DenseMap PredMap; - for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) { - - BasicBlock *PBB = *PI; - auto It = PredMap.insert({PBB, genLabel()}); - unsigned Label = It.first->second; - PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB); - - } - - L = PN; + BasicBlock *PBB = *PI; + auto It = PredMap.insert({PBB, genLabel()}); + unsigned Label = It.first->second; + PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB); } + L = PN; + /* Load prev_loc */ LoadInst *PrevLoc = IRB.CreateLoad(OldPrev); PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); @@ -475,6 +511,11 @@ struct InsTrim : public ModulePass { IRB.CreateStore(Incr, MapPtrIdx) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + // Bugfix #3: save the actually location ID to OldPrev + Value *Shr = IRB.CreateLShr(L, One); + IRB.CreateStore(Shr, OldPrev) + ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + total_instr++; } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 53852320..93b03bb2 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -129,7 +129,7 @@ static void __afl_map_shm(void) { __afl_area_ptr[0] = 1; } - + id_str = getenv(CMPLOG_SHM_ENV_VAR); if (id_str) { diff --git a/src/afl-as.c b/src/afl-as.c index acb026df..98bd3ff5 100644 --- a/src/afl-as.c +++ b/src/afl-as.c 
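Review bot: the Bugfix #3 hunk stores `+ Value *Shr = IRB.CreateLShr(L, One);` where `L` is an i32 PHI but `One` is the i8 constant declared as `ConstantInt *One = ConstantInt::get(Int8Ty, 1);` (visible in patch 08's context); IRBuilder's shift creation requires both operands to have the same type, so this commit as it stands produces invalid IR (an assertion in checked builds). Patch 08 corrects it to `One32`; squash the two so no intermediate commit emits broken instrumentation. Also, removing the `if (PI == PE)` branch means a block with no predecessors that is in the mark set now gets a PHINode with zero incoming values; confirm that such blocks (the entry block) can never reach this point, or keep the constant-label path for them. Minor: the comment `save the actually location ID to OldPrev` should read "actual".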
@@ -530,7 +530,8 @@ int main(int argc, char** argv) { "Rarely, when dealing with extremely complex projects, it may be " "advisable\n" - "to set AFL_INST_RATIO to a value less than 100 in order to reduce the\n" + "to set AFL_INST_RATIO to a value less than 100 in order to reduce " + "the\n" "odds of instrumenting every discovered branch.\n\n" "Environment variables used:\n" "AFL_AS: path to assembler to use for instrumented files\n" diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 0ddeeb8a..f1efe2df 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3714,7 +3714,7 @@ pacemaker_fuzzing: case 1: if (temp_len < 2) break; - temp_len_puppet = UR((temp_len << 3) -1); + temp_len_puppet = UR((temp_len << 3) - 1); FLIP_BIT(out_buf, temp_len_puppet); FLIP_BIT(out_buf, temp_len_puppet + 1); MOpt_globals.cycles_v2[STAGE_FLIP2] += 1; @@ -3722,7 +3722,7 @@ pacemaker_fuzzing: case 2: if (temp_len < 2) break; - temp_len_puppet = UR((temp_len << 3) -3); + temp_len_puppet = UR((temp_len << 3) - 3); FLIP_BIT(out_buf, temp_len_puppet); FLIP_BIT(out_buf, temp_len_puppet + 1); FLIP_BIT(out_buf, temp_len_puppet + 2); diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6cb229e3..19fc51f0 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -243,7 +243,7 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx, if (SHAPE_BYTES(h->shape) == 8) { - if (its_len >= 8 && *buf_64 == pattern) {// && *o_buf_64 == pattern) { + if (its_len >= 8 && *buf_64 == pattern) { // && *o_buf_64 == pattern) { *buf_64 = repl; if (unlikely(its_fuzz(buf, len, status))) return 1; 
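Review bot: the src/afl-fuzz-redqueen.c hunks reflow `+ if (its_len >= 8 && *buf_64 == pattern) { // && *o_buf_64 == pattern) {` and the 4- and 2-byte variants, but they carry the commented-out `o_buf` conditions along rather than either restoring or deleting them; if the original-buffer check is intentionally disabled, a short comment saying why (and an issue to track re-enabling it) is better than dangling code in three places.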
@@ -261,7 +261,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx, if (SHAPE_BYTES(h->shape) == 4 || *status == 2) { - if (its_len >= 4 && *buf_32 == (u32)pattern) {// && *o_buf_32 == (u32)pattern) { + if (its_len >= 4 && + *buf_32 == (u32)pattern) { // && *o_buf_32 == (u32)pattern) { *buf_32 = (u32)repl; if (unlikely(its_fuzz(buf, len, status))) return 1; @@ -279,7 +280,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx, if (SHAPE_BYTES(h->shape) == 2 || *status == 2) { - if (its_len >= 2 && *buf_16 == (u16)pattern) {// && *o_buf_16 == (u16)pattern) { + if (its_len >= 2 && + *buf_16 == (u16)pattern) { // && *o_buf_16 == (u16)pattern) { *buf_16 = (u16)repl; if (unlikely(its_fuzz(buf, len, status))) return 1; @@ -531,7 +533,7 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, stage_max += MIN(cmp_map->headers[k].hits, CMP_MAP_RTN_H); } - + for (k = 0; k < CMP_MAP_W; ++k) { if (!cmp_map->headers[k].hits) continue; From 28b43ab1379c9be9ea80abda160d1582a4cdb348 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 03:03:53 +0100 Subject: [PATCH 08/20] important InsTrim bugfix! --- llvm_mode/LLVMInsTrim.so.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index afe89ec7..390e0697 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -169,6 +169,7 @@ struct InsTrim : public ModulePass { ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); ConstantInt *One = ConstantInt::get(Int8Ty, 1); + ConstantInt *One32 = ConstantInt::get(Int32Ty, 1); u64 total_rs = 0; u64 total_hs = 0; 
@@ -512,7 +513,7 @@ struct InsTrim : public ModulePass { ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); // Bugfix #3: save the actually location ID to OldPrev - Value *Shr = IRB.CreateLShr(L, One); + Value *Shr = IRB.CreateLShr(L, One32); IRB.CreateStore(Shr, OldPrev) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); From 6fece5525e73bd88731bd7e4fe21d51e5b1498e6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 13:27:13 +0100 Subject: [PATCH 09/20] workaround for travis bug --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index c4ad9585..284a2ffe 100644 --- a/.travis.yml +++ b/.travis.yml @@ -50,5 +50,4 @@ script: - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi - make tests - - exit 0 - + - travis_terminate 0 From 3f6bfbd98148f7decb5ca8a049d334d05c560c09 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 17:24:06 +0100 Subject: [PATCH 10/20] v2.61c --- README.md | 4 ++-- docs/Changelog.md | 2 +- include/config.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b61cbfd0..4c305412 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master) - Release Version: 2.60c + Release Version: 2.61c - Github Version: 2.60d + Github Version: 2.61d includes all necessary/interesting changes from Google's afl 2.56b diff --git a/docs/Changelog.md b/docs/Changelog.md index 0d67e807..5019a0a7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
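Review bot: the .travis.yml hunk in patch 09 turns the earlier `exit 0` into `+ - travis_terminate 0` as the final step after `- make tests`; please confirm that a failing `make tests` still marks the job as failed when the script ends with an explicit successful termination, otherwise the test suite has just become advisory on CI. The README hunk of patch 10 bumps `Release Version: 2.61c` and `Github Version: 2.61d` in step with config.h, which is consistent.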
@@ -9,7 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . -### Version ++2.60d (develop): +### Version ++2.61c (release): - use -march=native if available - most tools now check for mistyped environment variables diff --git a/include/config.h b/include/config.h index 12e2d092..d1b40245 100644 --- a/include/config.h +++ b/include/config.h @@ -27,7 +27,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.60d" +#define VERSION "++2.61c" /****************************************************** * * From 9cc8ebd35123ee67ae0533f2cf03d725d402868b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 17:26:02 +0100 Subject: [PATCH 11/20] 2.61d init --- docs/Changelog.md | 5 +++++ include/config.h | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 5019a0a7..4e99bcac 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,11 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . +### Version ++2.61d (develop): + + - ... + + ### Version ++2.61c (release): - use -march=native if available diff --git a/include/config.h b/include/config.h index d1b40245..59a476c9 100644 --- a/include/config.h +++ b/include/config.h @@ -27,7 +27,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.61c" +#define VERSION "++2.61d" /****************************************************** * * From c8295e148510cb4b1ef5447882ca48df14c40f8e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 24 Feb 2020 22:23:51 +0100 Subject: [PATCH 12/20] add env info to afl-tmin --- src/afl-tmin.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/afl-tmin.c b/src/afl-tmin.c index d1e87be1..1b05a6c2 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
@@ -977,9 +977,18 @@ static void usage(u8* argv0) { " -e - solve for edge coverage only, ignore hit counts\n" " -x - treat non-zero exit codes as crashes\n\n" - "For additional tips, please consult %s/README.\n\n", + "For additional tips, please consult %s/README.md.\n\n" - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + "Environment variables used:\n" + "TMPDIR: directory to use for temporary input files\n" + "ASAN_OPTIONS: custom settings for ASAN\n" + " (must contain abort_on_error=1 and symbolize=0)\n" + "MSAN_OPTIONS: custom settings for MSAN\n" + " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" + "AFL_PRELOAD: LD_PRELOAD settings for target\n" + "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n" + + , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); exit(1); From 901360b902b57d538eebaa38b7d20fe0eb639c33 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 24 Feb 2020 23:19:56 +0100 Subject: [PATCH 13/20] sync afl-as setup with afl-llvm-rt (add __afl_area_ptr[0] = 1) --- include/afl-as.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/afl-as.h b/include/afl-as.h index bd5e734a..de9fb646 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -261,6 +261,7 @@ static const u8* main_payload_32 = " je __afl_setup_abort\n" "\n" #endif + " movb $1, (%eax)\n" " /* Store the address of the SHM region. */\n" "\n" " movl %eax, __afl_area_ptr\n" @@ -563,6 +564,7 @@ static const u8* main_payload_64 = " je __afl_setup_abort\n" "\n" #endif + " movb $1, (%rax)\n" " /* Store the address of the SHM region. */\n" "\n" " movq %rax, %rdx\n" From 891b568678848f17e2502758569781f78b4fc0a2 Mon Sep 17 00:00:00 2001 
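Review bot: in the afl-tmin usage hunk the format string is now closed and the argument list reopened across a blank line, `+ "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n"` followed by `+ , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);`; move the comma onto the last string line as the other tools do, and double-check that the number of `%s`/`%u` conversions in the rewritten text still matches the four arguments. The `"exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0"` piece is fine but benefits from spaces around the macro for readability.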
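Review bot: the two afl-as.h hunks add `+ " movb $1, (%eax)\n"` and `+ " movb $1, (%rax)\n"` with no comment, right before the existing `/* Store the address of the SHM region. */` comment; since the point (per the commit subject) is to mirror `__afl_area_ptr[0] = 1;` from afl-llvm-rt.o.c, add a matching one-line comment in the payload so the next reader does not mistake it for a stray store, and note that it runs after the `je __afl_setup_abort` check so it only touches a valid mapping.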
From: hexcoder- Date: Tue, 25 Feb 2020 08:34:44 +0100 Subject: [PATCH 14/20] fix references to README docs --- afl-cmin.bash | 2 +- docs/Changelog.md | 18 +++++++++--------- docs/QuickStartGuide.md | 2 +- docs/env_variables.md | 2 +- docs/life_pro_tips.md | 4 ++-- docs/notes_for_asan.md | 2 +- docs/parallel_fuzzing.md | 2 +- docs/perf_tips.md | 4 ++-- docs/sister_projects.md | 4 ++-- docs/status_screen.md | 2 +- docs/technical_details.md | 4 ++-- gcc_plugin/afl-gcc-rt.o.c | 2 +- libdislocator/README.md | 2 +- libtokencap/README.md | 2 +- llvm_mode/README.md | 2 +- llvm_mode/afl-llvm-rt.o.c | 4 ++-- qemu_mode/README.md | 4 ++-- qemu_mode/libcompcov/libcompcov.so.c | 2 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- src/afl-analyze.c | 2 +- src/afl-common.c | 4 ++-- src/afl-fuzz-init.c | 4 ++-- src/afl-fuzz.c | 6 +++--- src/afl-showmap.c | 2 +- 24 files changed, 42 insertions(+), 42 deletions(-) diff --git a/afl-cmin.bash b/afl-cmin.bash index 948e0655..b1378eb5 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -126,7 +126,7 @@ Minimization settings: -C - keep crashing inputs, reject everything else -e - solve for edge coverage only, ignore hit counts -For additional tips, please consult docs/README. +For additional tips, please consult docs/README.md. Environment variables used: AFL_KEEP_TRACES: leave the temporary \.traces directory diff --git a/docs/Changelog.md b/docs/Changelog.md index 4e99bcac..2f8674c8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,7 +1,7 @@ # Changelog This is the list of all noteworthy changes made in every public release of - the tool. See README for the general instruction manual. + the tool. See README.md for the general instruction manual. ## Staying informed 
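Review bot: the afl-cmin.bash hunk changes `-For additional tips, please consult docs/README.` to `+For additional tips, please consult docs/README.md.`, but in this same series README.md is diffed at the repository root (`diff --git a/README.md b/README.md`) and afl-tmin's help (patch 12) refers to it via `%s/README.md` with doc_path; the extension is fixed here while the `docs/` prefix is left pointing at a file that does not appear to exist. Use the same doc_path-style reference or plain README.md.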
@@ -45,7 +45,7 @@ sending a mail to . - now does not need to be recompiled between trace-pc and pass instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :) - LLVM 11 is supported - - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) + - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog.md) - afl-gcc, afl-clang-fast, afl-gcc-fast: - experimental support for undefined behaviour sanitizer UBSAN (set AFL_USE_UBSAN=1) @@ -189,7 +189,7 @@ sending a mail to . - fix llvm_mode AFL_TRACE_PC with modern llvm - fix a crash in qemu_mode which also exists in stock afl - added libcompcov, a laf-intel implementation for qemu! :) - see qemu_mode/libcompcov/README.libcompcov + see qemu_mode/libcompcov/README.libcompcov.md - afl-fuzz now displays the selected core in the status screen (blue {#}) - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels @@ -198,8 +198,8 @@ sending a mail to . - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc - added instrim, a much faster llvm_mode instrumentation at the cost of - path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim) - - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt + path discovery. See llvm_mode/README.instrim.md (https://github.com/csienslab/instrim) + - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt.md - added code to make it more portable to other platforms than Intel Linux - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1) 
@@ -229,11 +229,11 @@ sending a mail to . LLVM and Qemu modes are now faster. Important changes: afl-fuzz: -e EXTENSION commandline option - llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel) - a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.txt + llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md) + a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.md - Added the power schedules of AFLfast by Marcel Boehme, but set the default to the AFL schedule, not to the FAST schedule. So nothing changes unless - you use the new -p option :-) - see docs/power_schedules.txt + you use the new -p option :-) - see docs/power_schedules.md - added afl-system-config script to set all system performance options for fuzzing - llvm_mode works with llvm 3.9 up to including 8 ! - qemu_mode got upgraded from 2.1 to 3.1 - incorporated from @@ -476,7 +476,7 @@ sending a mail to . - Added libtokencap, a simple feature to intercept strcmp / memcmp and generate dictionary entries that can help extend coverage. - - Moved libdislocator to its own dir, added README. + - Moved libdislocator to its own dir, added README.md. - The demo in examples/instrumented_cmp is no more. diff --git a/docs/QuickStartGuide.md b/docs/QuickStartGuide.md index f9e3b256..1e1d60b7 100644 --- a/docs/QuickStartGuide.md +++ b/docs/QuickStartGuide.md @@ -27,7 +27,7 @@ how to hit the ground running: 4) Get a small but valid input file that makes sense to the program. When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in - dictionaries/README.dictionaries, too. + dictionaries/README.md, too. 5) If the program reads from stdin, run 'afl-fuzz' like so: diff --git a/docs/env_variables.md b/docs/env_variables.md index c60821dc..9fc60187 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md 
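Review bot: this hunk edits historical Changelog entries, and one rewrite keeps an inconsistent directory: `+ llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md)` uses `llvm/` while every other reference in the series uses `llvm_mode/`. Since the purpose of the commit is to fix references, either correct the prefix too or leave old release notes as they were shipped; half-updating them is the worst of both.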
@@ -2,7 +2,7 @@ This document discusses the environment variables used by American Fuzzy Lop++ to expose various exotic functions that may be (rarely) useful for power - users or for some types of custom fuzzing setups. See README for the general + users or for some types of custom fuzzing setups. See README.md for the general instruction manual. ## 1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md index a0d90659..0724e83c 100644 --- a/docs/life_pro_tips.md +++ b/docs/life_pro_tips.md @@ -62,7 +62,7 @@ Specify `AFL_HARDEN=1` in the environment to enable hardening flags. ## Bumping into problems with non-reproducible crashes? It happens, but usually -isn't hard to diagnose. See section #7 in README for tips. +isn't hard to diagnose. See section #7 in README.md for tips. ## Fuzzing is not just about memory corruption issues in the codebase. Add some @@ -87,4 +87,4 @@ use a postprocessor! See examples/post_library/ for more. ## Dealing with a very slow target or hoping for instant results? -Specify `-d` when calling afl-fuzz! \ No newline at end of file +Specify `-d` when calling afl-fuzz! diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index 9c49dc1f..feac49f9 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -1,7 +1,7 @@ # Notes for using ASAN with afl-fuzz This file discusses some of the caveats for fuzzing under ASAN, and suggests - a handful of alternatives. See README for the general instruction manual. + a handful of alternatives. See README.md for the general instruction manual. ## 1) Short version diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index 0a2863fe..8b39df04 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md 
@@ -1,7 +1,7 @@ # Tips for parallel fuzzing This document talks about synchronizing afl-fuzz jobs on a single machine - or across a fleet of systems. See README for the general instruction manual. + or across a fleet of systems. See README.md for the general instruction manual. ## 1) Introduction diff --git a/docs/perf_tips.md b/docs/perf_tips.md index 41d74447..fcd03db7 100644 --- a/docs/perf_tips.md +++ b/docs/perf_tips.md @@ -1,7 +1,7 @@ ## Tips for performance optimization This file provides tips for troubleshooting slow or wasteful fuzzing jobs. - See README for the general instruction manual. + See README.md for the general instruction manual. ## 1. Keep your test cases small @@ -221,4 +221,4 @@ early on, you can always resort to the `-d` mode. The mode causes `afl-fuzz` to skip all the deterministic fuzzing steps, which makes output a lot less neat and can ultimately make the testing a bit less in-depth, but it will give you an experience more familiar from other fuzzing -tools. \ No newline at end of file +tools. diff --git a/docs/sister_projects.md b/docs/sister_projects.md index ecc3b924..1625044c 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -1,7 +1,7 @@ # Sister projects This doc lists some of the projects that are inspired by, derived from, -designed for, or meant to integrate with AFL. See README for the general +designed for, or meant to integrate with AFL. See README.md for the general instruction manual. !!! @@ -252,7 +252,7 @@ https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters ### AFL JS (Han Choongwoo) One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely -superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm). +superseded by LLVM deferred forkserver init - see llvm_mode/README.md). https://github.com/tunz/afl-fuzz-js diff --git a/docs/status_screen.md b/docs/status_screen.md index 066c2c07..0bc636c4 100644 --- a/docs/status_screen.md 
+++ b/docs/status_screen.md @@ -1,7 +1,7 @@ # Understanding the status screen This document provides an overview of the status screen - plus tips for -troubleshooting any warnings and red text shown in the UI. See README for +troubleshooting any warnings and red text shown in the UI. See README.md for the general instruction manual. ## A note about colors diff --git a/docs/technical_details.md b/docs/technical_details.md index d53b30e3..996bf162 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md @@ -1,7 +1,7 @@ # Technical "whitepaper" for afl-fuzz This document provides a quick overview of the guts of American Fuzzy Lop. -See README for the general instruction manual; and for a discussion of +See README.md for the general instruction manual; and for a discussion of motivations and design goals behind AFL, see historical_notes.md. ## 0. Design statement @@ -542,4 +542,4 @@ It uses the following classification scheme: takes place. - "Magic value section" - a generic token where changes cause the type of binary behavior outlined earlier, but that doesn't meet any of the - other criteria. May be an atomically compared keyword or so. \ No newline at end of file + other criteria. May be an atomically compared keyword or so. diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 1831f935..356d0b6d 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -214,7 +214,7 @@ static void __afl_start_forkserver(void) { } -/* A simplified persistent mode handler, used as explained in README.llvm. */ +/* A simplified persistent mode handler, used as explained in README.md. */ int __afl_persistent_loop(unsigned int max_cnt) { diff --git a/libdislocator/README.md b/libdislocator/README.md index 4a11c138..873d8806 100644 --- a/libdislocator/README.md +++ b/libdislocator/README.md 
@@ -1,6 +1,6 @@ # libdislocator, an abusive allocator - (See ../docs/README for the general instruction manual.) + (See ../docs/README.md for the general instruction manual.) This is a companion library that can be used as a drop-in replacement for the libc allocator in the fuzzed binaries. It improves the odds of bumping into diff --git a/libtokencap/README.md b/libtokencap/README.md index 8aae38bf..0a3591eb 100644 --- a/libtokencap/README.md +++ b/libtokencap/README.md @@ -1,6 +1,6 @@ # strcmp() / memcmp() token capture library - (See ../docs/README for the general instruction manual.) + (See ../docs/README.md for the general instruction manual.) This companion library allows you to instrument `strcmp()`, `memcmp()`, and related functions to automatically extract syntax tokens passed to any of diff --git a/llvm_mode/README.md b/llvm_mode/README.md index ee6e51b5..e6c47c9c 100644 --- a/llvm_mode/README.md +++ b/llvm_mode/README.md @@ -2,7 +2,7 @@ (See [../README](../README.md) for the general instruction manual.) - (See [../gcc_plugin/README.gcc](../gcc_plugin/README.gcc.md) for the GCC-based instrumentation.) + (See [../gcc_plugin/README](../gcc_plugin/README.md) for the GCC-based instrumentation.) ## 1) Introduction diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 93b03bb2..b3561cb2 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -260,7 +260,7 @@ static void __afl_start_forkserver(void) { } -/* A simplified persistent mode handler, used as explained in README.llvm. */ +/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ int __afl_persistent_loop(unsigned int max_cnt) { 
@@ -346,7 +346,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard. It remains non-operational in the traditional, plugin-backed LLVM mode. - For more info about 'trace-pc-guard', see README.llvm. + For more info about 'trace-pc-guard', see llvm_mode/README.md. The first function (__sanitizer_cov_trace_pc_guard) is called back on every edge (as opposed to every basic block). */ diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 0759f4fb..71a3ada7 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -1,6 +1,6 @@ # High-performance binary-only instrumentation for afl-fuzz - (See ../docs/README for the general instruction manual.) + (See ../docs/README.md for the general instruction manual.) ## 1) Introduction @@ -60,7 +60,7 @@ binary on x86_64) use QEMU_LD_PREFIX. ## 3) Bonus feature #1: deferred initialization -As for LLVM mode (refer to its README for mode details) QEMU mode supports +As for LLVM mode (refer to its README.md for mode details) QEMU mode supports the deferred initialization. This can be enabled setting the environment variable AFL_ENTRYPOINT which allows diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index ceb0a041..8e2c279b 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -15,7 +15,7 @@ This Linux-only companion library allows you to instrument strcmp(), memcmp(), and related functions to get compare coverage. - See README.compcov for more info. + See README.md for more info. */ diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index d4ae4b8d..63869898 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h 
@@ -407,7 +407,7 @@ void afl_forkserver(CPUState *cpu) { } -/* A simplified persistent mode handler, used as explained in README.llvm. */ +/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ void afl_persistent_loop(void) { diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 6816f6c8..3b91285c 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -798,7 +798,7 @@ static void usage(u8* argv0) { " -e - look for edge coverage only, ignore hit counts\n\n" - "For additional tips, please consult %s/README.\n\n", + "For additional tips, please consult %s/README.md.\n\n", argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); diff --git a/src/afl-common.c b/src/afl-common.c index 330b1497..0f8094be 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -163,7 +163,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) { SAYF("\n" cLRD "[-] " cRST "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be " "built\n" - " separately by following the instructions in qemu_mode/README.qemu. " + " separately by following the instructions in qemu_mode/README.md. " "If you\n" " already have the binary installed, you may need to specify " "AFL_PATH in the\n" @@ -259,7 +259,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) { SAYF("\n" cLRD "[-] " cRST "Oops, unable to find the '%s' binary. The binary must be " "built\n" - " separately by following the instructions in qemu_mode/README.qemu. " + " separately by following the instructions in qemu_mode/README.md. " "If you\n" " already have the binary installed, you may need to specify " "AFL_PATH in the\n" diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 93ecfe99..1858fabd 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -1980,11 +1980,11 @@ void check_binary(u8* fname) { "while\n" " mutating the input data. For more information, and for tips on " "how to\n" - " instrument binaries, please see %s/README.\n\n" + " instrument binaries, please see %s/README.md.\n\n" " When source code is not available, you may be able to leverage " "QEMU\n" - " mode support. Consult the README for tips on how to enable this.\n" + " mode support. Consult the README.md for tips on how to enable this.\n" " (It is also possible to use afl-fuzz as a traditional, \"dumb\" " "fuzzer.\n" diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5fa737d7..cc895f74 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -112,7 +112,7 @@ static void usage(u8* argv0) { "entering the\n" " pacemaker mode (minutes of no new paths, 0 = " "immediately).\n" - " a recommended value is 10-60. see docs/README.MOpt\n" + " a recommended value is 10-60. see docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" " if using QEMU, just use -c 0.\n\n" @@ -121,7 +121,7 @@ static void usage(u8* argv0) { " -N - do not unlink the fuzzing input file\n" " -d - quick & dirty mode (skips deterministic steps)\n" " -n - fuzz without instrumentation (dumb mode)\n" - " -x dir - optional fuzzer dictionary (see README, its really " + " -x dir - optional fuzzer dictionary (see README.md, its really " "good!)\n\n" "Testing settings:\n" @@ -1087,7 +1087,7 @@ stop_fuzzing: SAYF("\n" cYEL "[!] " cRST "Stopped during the first cycle, results may be incomplete.\n" - " (For info on resuming, see %s/README)\n", + " (For info on resuming, see %s/README.md)\n", doc_path); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5ea164f8..2f6a263f 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
@@ -647,7 +647,7 @@ static void usage(u8* argv0) { " -c - allow core dumps\n\n" "This tool displays raw tuple data captured by AFL instrumentation.\n" - "For additional help, consult %s/README.\n\n" cRST, + "For additional help, consult %s/README.md.\n\n" cRST, argv0, MEM_LIMIT, doc_path); From a540bae7a9af6f17630190127d053945b1ddeb25 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 25 Feb 2020 08:43:49 +0100 Subject: [PATCH 15/20] left over README reference fix --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b9d4bf5a..fea6f5c0 100644 --- a/Makefile +++ b/Makefile @@ -344,7 +344,7 @@ endif all_done: test_build - @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi + @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi @echo "[+] All done! Be sure to review the README.md - it's pretty short and useful." @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null From 2c9c2e139e506a7a5bb2dab00c524bc9ed1f54eb Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 25 Feb 2020 14:01:55 +0100 Subject: [PATCH 16/20] afl-gcc change -> test.sh --- gcc_plugin/afl-gcc-fast.c | 2 +- gcc_plugin/afl-gcc-pass.so.cc | 2 +- test/test.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 2aee8f4a..28190f93 100644 --- a/gcc_plugin/afl-gcc-fast.c 
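Review bot: the changelog hunk at @@ -229,11 +229,11 @@ renames the laf-intel pointer to llvm/README.laf-intel.md, but every other path renamed in the same changelog uses the llvm_mode/ directory (llvm_mode/README.cmplog.md, llvm_mode/README.instrim.md), and the rest of this patch touches llvm_mode/README.md; if the file lives under llvm_mode/, the directory should be corrected in the same pass, otherwise the link still dangles after the .md rename.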
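Review bot: the comment in gcc_plugin/afl-gcc-rt.o.c (@@ -214,7 +214,7 @@) now says "as explained in README.md" with no directory, whereas the identical comment in llvm_mode/afl-llvm-rt.o.c and qemu_mode/patches/afl-qemu-cpu-inl.h is qualified as llvm_mode/README.md; write gcc_plugin/README.md (or llvm_mode/README.md if persistent mode is only documented there) so a reader of the runtime source knows which README is meant.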
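Review bot: the src/afl-fuzz.c hunk at @@ -121,7 +121,7 @@ keeps the typo in the -x help line, "(see README.md, its really good!)"; since the line is already being rewritten for the README.md rename, change "its" to "it's" in the same hunk rather than leaving it for another cleanup commit.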
+++ b/gcc_plugin/afl-gcc-fast.c @@ -330,7 +330,7 @@ int main(int argc, char** argv, char** envp) { exit(1); - } else if (isatty(2) && !getenv("AFL_QUIET")) { + } else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n"); diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index f77af5fa..9c08cec4 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -533,7 +533,7 @@ int plugin_init(struct plugin_name_args * plugin_info, } /* Show a banner */ - if (isatty(2) && !getenv("AFL_QUIET")) { + if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST " initially by , maintainer: hexcoder-\n")); diff --git a/test/test.sh b/test/test.sh index d5ba59da..0d68413d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -120,7 +120,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } rm -f test-instr.plain.0 test-instr.plain.1 TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` - test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && { + test "$TUPLES" -gt 3 -a "$TUPLES" -lt 8 && { $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" } || { $ECHO "$RED[!] ${AFL_GCC} produces weird instrumentation numbers: $TUPLES" From 84426631b42afd8a1a7668bb17ad077dbd6b913a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 25 Feb 2020 16:30:22 +0100 Subject: [PATCH 17/20] update docker info --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4c305412..c764d85a 100644 --- a/README.md +++ b/README.md 
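Review bot: the new banner condition in gcc_plugin/afl-gcc-fast.c (@@ -330,7 +330,7 @@), "(isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL", makes AFL_DEBUG override AFL_QUIET and also prints the banner when stderr is not a tty, which is a user-visible behaviour change that neither the commit subject ("afl-gcc change -> test.sh") nor docs/env_variables.md records; please state in the commit message that this is intended and add AFL_DEBUG to the gcc_plugin section of docs/env_variables.md. The same comment applies to the identical change in gcc_plugin/afl-gcc-pass.so.cc (@@ -533,7 +533,7 @@).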
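Review bot: the test/test.sh hunk (@@ -120,7 +120,7 @@) widens the accepted tuple range from "-lt 7" to "-lt 8" with no comment saying which instrumentation change added the extra location; add a one-line comment above the test naming the reason, otherwise the next person who sees the gcc plugin report 7 tuples has no way to tell a regression from the expected count, and the bound will be tightened again.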
@@ -156,7 +156,8 @@ Hence gcc-9 and especially llvm-9 should be the compilers of choice. If your distribution does not have them, you can use the Dockerfile: ```shell -$ docker build -t aflplusplus +$ cd AFLplusplus +$ sudo docker build -t aflplusplus . ``` From d7c9f947ed264e2b7dc520e92d5de409a5f3a878 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 25 Feb 2020 17:49:39 +0100 Subject: [PATCH 18/20] disable arm64 travis because they are buggy --- .travis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 284a2ffe..fe81d19f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,10 +17,10 @@ matrix: - os: linux dist: trusty env: NAME="trusty-amd64" MODERN="no" GCC="4.8" - - os: linux - dist: xenial - arch: arm64 - env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64" +# - os: linux # until travis can fix this! +# dist: xenial +# arch: arm64 +# env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64" # - os: osx # osx_image: xcode11.2 # env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple" From d39830a4dc822b2ee0d6846587a3089259f5447f Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 25 Feb 2020 20:31:08 +0100 Subject: [PATCH 19/20] portability: replace GNU extension of date (-I) with posix "+%y-%m-%d" --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index fea6f5c0..e002516a 100644 --- a/Makefile +++ b/Makefile 
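Review bot: in the README.md hunk (@@ -156,7 +156,8 @@) the real fix is the missing build context ".", but the new line also introduces "sudo" without explanation; say that sudo is only needed when the invoking user cannot talk to the docker daemon, and note that "cd AFLplusplus" assumes the checkout directory name, so readers who cloned into another path know to adjust it.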
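Review bot: the .travis.yml hunk (@@ -17,10 +17,10 @@) comments out the xenial-arm64 job with "# until travis can fix this!", which gives nobody a trigger for re-enabling it; put the Travis issue link or at least the date in that comment, and expand the commit message beyond "they are buggy" (build failure, timeout, wrong image) so the reason survives once the job is forgotten.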
@@ -103,9 +103,9 @@ ifneq "$(shell which python)" "" endif ifdef SOURCE_DATE_EPOCH - BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -I) + BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d") else - BUILD_DATE ?= $(shell date -I) + BUILD_DATE ?= $(shell date "+%Y-%m-%d") endif ifneq "$(filter Linux GNU%,$(shell uname))" "" From 4bd736e1a79ada95ae4266be72c331106e580075 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 25 Feb 2020 20:54:08 +0100 Subject: [PATCH 20/20] more env info for afl-plot and afl-analyze --- afl-plot | 2 ++ src/afl-analyze.c | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/afl-plot b/afl-plot index d99abff0..0f0154a6 100755 --- a/afl-plot +++ b/afl-plot @@ -32,6 +32,8 @@ an empty directory where this tool can write the resulting plots to. The program will put index.html and three PNG images in the output directory; you should be able to view it with any web browser of your choice. +Environment variables used: +AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories _EOF_ exit 1 diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 3b91285c..2f9b0550 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c 
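Review bot: in the SOURCE_DATE_EPOCH branch of the Makefile hunk (@@ -103,9 +103,9 @@), the last fallback 'date -u "+%Y-%m-%d"' ignores SOURCE_DATE_EPOCH entirely, so on a system where neither GNU "date -d" nor BSD "date -r" is available the build date silently becomes today and the build is no longer reproducible even though the variable was set; prefer failing with $(error ...) there, or computing the date from the epoch with a portable tool, over falling back to the current time. Also, the commit subject says "+%y-%m-%d" (two-digit year) while the hunk correctly uses "%Y"; the message should match the change.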
@@ -798,9 +798,19 @@ static void usage(u8* argv0) { " -e - look for edge coverage only, ignore hit counts\n\n" - "For additional tips, please consult %s/README.md.\n\n", + "For additional tips, please consult %s/README.md.\n\n" - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + "Environment variables used:\n" + "TMPDIR: directory to use for temporary input files\n" + "ASAN_OPTIONS: custom settings for ASAN\n" + " (must contain abort_on_error=1 and symbolize=0)\n" + "MSAN_OPTIONS: custom settings for MSAN\n" + " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" + "AFL_PRELOAD: LD_PRELOAD settings for target\n" + "AFL_ANALYZE_HEX: print file offsets in hexadecimal instead of decimal\n" + "AFL_SKIP_BIN_CHECK: skip checking the location of and the target\n" + + , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); exit(1);
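Review bot: the afl-plot hunk (@@ -32,6 +32,8 @@) appends "Environment variables used:" directly after the paragraph ending "of your choice." with no blank line, while every other paragraph in that heredoc is separated by one; add the blank line so the usage text keeps its layout.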
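Review bot: in the src/afl-analyze.c hunk (@@ -798,9 +798,19 @@) the AFL_SKIP_BIN_CHECK line reads "skip checking the location of and the target", which is missing its object; finish the sentence (what location, and what property of the target is checked) before it ships in a usage screen. Style: the argument list is now introduced by an empty "+" line followed by a line beginning ", argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);"; keep the comma at the end of the last string literal, as the removed line and the surrounding SAYF calls do, so the format string and its arguments read as one statement. The use of STRINGIFY(MSAN_ERROR) inside the literal is fine, since the expected exit code stays tied to the macro.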