Merge branch 'master' of github.com:vanhauser-thc/AFLplusplus

.travis.yml

@@ -17,10 +17,10 @@ matrix:
   - os: linux
     dist: trusty
     env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
-  - os: linux
+#  - os: linux # until travis can fix this!
-    dist: xenial
+#    dist: xenial
-    arch: arm64
+#    arch: arm64
-    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
+#    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
 #  - os: osx
 #    osx_image: xcode11.2
 #    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
@@ -50,3 +50,4 @@ script:
   - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
   - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
   - make tests
+  - travis_terminate 0

Makefile

@@ -103,9 +103,9 @@ ifneq "$(shell which python)" ""
 endif
 
 ifdef SOURCE_DATE_EPOCH
-    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -I)
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
 else
-    BUILD_DATE ?= $(shell date -I)
+    BUILD_DATE ?= $(shell date "+%Y-%m-%d")
 endif
 
 ifneq "$(filter Linux GNU%,$(shell uname))" ""
@@ -344,7 +344,7 @@ endif
 
 
 all_done: test_build
-	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
+	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi
 	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
 	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
 	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null

README.md

@@ -4,9 +4,9 @@
 
   ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)
 
-  Release Version: 2.60c 
+  Release Version: 2.61c 
 
-  Github Version: 2.60d
+  Github Version: 2.61d
 
   includes all necessary/interesting changes from Google's afl 2.56b
 
@@ -89,7 +89,9 @@
   read this file.
 
 
-## Shameless plug to students and enthusiast developers
+## Google Summer of Code 2020 (and any other students and enthusiast developers)
+
+We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-)
 
 We have several ideas we would like to see in AFL++ to make it even better.
 However we already work on so many things that we do not have the time for
@@ -106,6 +108,7 @@ afl++ has many build options.
 The easiest is to build and install everything:
 
 ```shell
+$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang
 $ make distrib
 $ sudo make install
 ```
@@ -153,7 +156,8 @@ Hence gcc-9 and especially llvm-9 should be the compilers of choice.
 If your distribution does not have them, you can use the Dockerfile:
 
 ```shell
-$ docker build -t aflplusplus
+$ cd AFLplusplus
+$ sudo docker build -t aflplusplus .
 ```
 
 
@@ -295,6 +299,8 @@ $ ./build_qemu_support.sh
 
 For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
 
+If possible you should use the persistent mode, see [README.persistent.md](README.persistent.md).
+
 The mode is approximately 2-5x slower than compile-time instrumentation, is
 less conducive to parallelization, and may have some other quirks.
 
@@ -306,7 +312,17 @@ A more comprehensive description of these and other options can be found in
 [docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md)
 
 
-## 5) Power schedules
+## 5) Good examples and writeups
+
+Here are some good writeups to show how to effectibly use AFL++:
+
+ * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/)
+ * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/)
+ * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1)
+
+If you find other good ones, please send them to us :-)
+
+## 6) Power schedules
 
 The power schedules were copied from Marcel Böhme's excellent AFLfast
 implementation and expand on the ability to discover new paths and
@@ -333,7 +349,8 @@ made the default mode).
 
 More details can be found in the paper published at the 23rd ACM Conference on
 Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/)
-## 6) Choosing initial test cases
+
+## 7) Choosing initial test cases
 
 To operate correctly, the fuzzer requires one or more starting file that
 contains a good example of the input data normally expected by the targeted
@@ -354,7 +371,7 @@ the afl-cmin utility to identify a subset of functionally distinct files that
 exercise different code paths in the target binary.
 
 
-## 7) Fuzzing binaries
+## 8) Fuzzing binaries
 
 The fuzzing process itself is carried out by the afl-fuzz utility. This program
 requires a read-only directory with initial test cases, a separate place to
@@ -391,8 +408,7 @@ steps, which can take several days, but tend to produce neat test cases. If you
 want quick & dirty results right away - akin to zzuf and other traditional
 fuzzers - add the -d option to the command line.
 
-
+## 9) Interpreting output
-## 8) Interpreting output
 
 See the [docs/status_screen.md](docs/status_screen.md) file for information on
 how to interpret the displayed stats and monitor the health of the process. Be
@@ -452,8 +468,7 @@ If you have gnuplot installed, you can also generate some pretty graphs for any
 active fuzzing task using afl-plot. For an example of how this looks like,
 see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
 
-
+## 10) Parallelized fuzzing
-## 9) Parallelized fuzzing
 
 Every instance of afl-fuzz takes up roughly one core. This means that on
 multi-core systems, parallelization is necessary to fully utilize the hardware.
@@ -464,8 +479,7 @@ The parallel fuzzing mode also offers a simple way for interfacing AFL to other
 fuzzers, to symbolic or concolic execution engines, and so forth; again, see the
 last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips.
 
-
+## 12) Fuzzer dictionaries
-## 10) Fuzzer dictionaries
 
 By default, afl-fuzz mutation engine is optimized for compact data formats -
 say, images, multimedia, compressed data, regular expression syntax, or shell
@@ -500,8 +514,7 @@ If a dictionary is really hard to come by, another option is to let AFL run
 for a while, and then use the token capture library that comes as a companion
 utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md).
 
-
+## 13) Crash triage
-## 11) Crash triage
 
 The coverage-based grouping of crashes usually produces a small data set that
 can be quickly triaged manually or with a very simple GDB or Valgrind script.
@@ -549,7 +562,7 @@ insights into complex file formats. More info about its operation can be found
 near the end of [docs/technical_details.md](docs/technical_details.md).
 
 
-## 12) Going beyond crashes
+## 14) Going beyond crashes
 
 Fuzzing is a wonderful and underutilized technique for discovering non-crashing
 design and implementation errors, too. Quite a few interesting bugs have been
@@ -572,8 +585,7 @@ if you are the maintainer of a particular package, you can make this code
 conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also
 shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL).
 
-
+## 15) Common-sense risks
-## 13) Common-sense risks
 
 Please keep in mind that, similarly to many other computationally-intensive
 tasks, fuzzing may put strain on your hardware and on the OS. In particular:
@@ -602,8 +614,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular:
     $ iostat -d 3 -x -k [...optional disk ID...]
 ```
 
-
+## 16) Known limitations & areas for improvement
-## 14) Known limitations & areas for improvement
 
 Here are some of the most important caveats for AFL:
 
@@ -643,8 +654,7 @@ Here are some of the most important caveats for AFL:
 
 Beyond this, see INSTALL for platform-specific tips.
 
-
+## 17) Special thanks
-## 15) Special thanks
 
 Many of the improvements to the original afl and afl++ wouldn't be possible
 without feedback, bug reports, or patches from:
@@ -696,9 +706,9 @@ without feedback, bug reports, or patches from:
 ```
 
 Thank you!
+(For people sending pull requests - please add yourself to this list :-)
 
-
+## 18) Contact
-## 16) Contact
 
 Questions? Concerns? Bug reports? The contributors can be reached via
 [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)

afl-cmin.bash

@@ -126,7 +126,7 @@ Minimization settings:
   -C            - keep crashing inputs, reject everything else
   -e            - solve for edge coverage only, ignore hit counts
 
-For additional tips, please consult docs/README.
+For additional tips, please consult docs/README.md.
 
 Environment variables used:
 AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory

afl-plot

@@ -32,6 +32,8 @@ an empty directory where this tool can write the resulting plots to.
 The program will put index.html and three PNG images in the output directory;
 you should be able to view it with any web browser of your choice.
 
+Environment variables used:
+AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories
 _EOF_
 
   exit 1

docs/Changelog.md

@@ -1,7 +1,7 @@
 # Changelog
 
   This is the list of all noteworthy changes made in every public release of
-  the tool. See README for the general instruction manual.
+  the tool. See README.md for the general instruction manual.
 
 ## Staying informed
 
@@ -9,7 +9,12 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 
-### Version ++2.60d (develop):
+### Version ++2.61d (develop):
+
+  - ...
+
+
+### Version ++2.61c (release):
 
   - use -march=native if available
   - most tools now check for mistyped environment variables
@@ -17,6 +22,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - the memory safety checks are now disabled for a little more speed during
     fuzzing (only affects creating queue entries), can be toggled in config.h
   - afl-fuzz:
+     - MOpt out of bounds writing crash fixed
      - now prints the real python version support compiled in
      - set stronger performance compile options and little tweaks
      - Android: prefer bigcores when selecting a CPU
@@ -28,13 +34,18 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      - bugfix for dictionary insert stage count (fix via Google repo PR)
      - added warning if -M is used together with custom mutators with _ONLY option
      - AFL_TMPDIR checks are now later and better explained if they fail
-  - llvm_mode InsTrim: no pointless instrumentation of 1 block functions
+  - llvm_mode 
+     - InsTrim: three bug fixes:
+        1. (minor) no pointless instrumentation of 1 block functions
+        2. (medium) path bug that leads a few blocks not instrumented that
+           should be
+        3. (major) incorrect prev_loc was written, fixed!
   - afl-clang-fast:
      - show in the help output for which llvm version it was compiled for
      - now does not need to be recompiled between trace-pc and pass
        instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
      - LLVM 11 is supported
-     - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
+     - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog.md)
   - afl-gcc, afl-clang-fast, afl-gcc-fast:
      - experimental support for undefined behaviour sanitizer UBSAN
        (set AFL_USE_UBSAN=1)
@@ -178,7 +189,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - fix llvm_mode AFL_TRACE_PC with modern llvm
   - fix a crash in qemu_mode which also exists in stock afl
   - added libcompcov, a laf-intel implementation for qemu! :)
-    see qemu_mode/libcompcov/README.libcompcov
+    see qemu_mode/libcompcov/README.libcompcov.md
   - afl-fuzz now displays the selected core in the status screen (blue {#})
   - updated afl-fuzz and afl-system-config for new scaling governor location
     in modern kernels
@@ -187,8 +198,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these
     instead of afl-gcc
   - added instrim, a much faster llvm_mode instrumentation at the cost of
-    path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
+    path discovery. See llvm_mode/README.instrim.md (https://github.com/csienslab/instrim)
-  - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
+  - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt.md
   - added code to make it more portable to other platforms than Intel Linux
   - added never zero counters for afl-gcc and optionally (because of an
     optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
@@ -218,11 +229,11 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     LLVM and Qemu modes are now faster.
     Important changes:
       afl-fuzz: -e EXTENSION commandline option
-      llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel)
+      llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md)
-      a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.txt
+      a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.md
   - Added the power schedules of AFLfast by Marcel Boehme, but set the default
     to the AFL schedule, not to the FAST schedule. So nothing changes unless
-    you use the new -p option :-) - see docs/power_schedules.txt
+    you use the new -p option :-) - see docs/power_schedules.md
   - added afl-system-config script to set all system performance options for fuzzing
   - llvm_mode works with llvm 3.9 up to including 8 !
   - qemu_mode got upgraded from 2.1 to 3.1 - incorporated from 
@@ -465,7 +476,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - Added libtokencap, a simple feature to intercept strcmp / memcmp and
     generate dictionary entries that can help extend coverage.
 
-  - Moved libdislocator to its own dir, added README.
+  - Moved libdislocator to its own dir, added README.md.
 
   - The demo in examples/instrumented_cmp is no more.
 

docs/QuickStartGuide.md

@@ -27,7 +27,7 @@ how to hit the ground running:
 
 4) Get a small but valid input file that makes sense to the program. When
    fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
-   dictionaries/README.dictionaries, too.
+   dictionaries/README.md, too.
 
 5) If the program reads from stdin, run 'afl-fuzz' like so:
 

docs/env_variables.md

@@ -2,7 +2,7 @@
 
   This document discusses the environment variables used by American Fuzzy Lop++
   to expose various exotic functions that may be (rarely) useful for power
-  users or for some types of custom fuzzing setups. See README for the general
+  users or for some types of custom fuzzing setups. See README.md for the general
   instruction manual.
 
 ## 1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast

docs/life_pro_tips.md

@@ -62,7 +62,7 @@ Specify `AFL_HARDEN=1` in the environment to enable hardening flags.
 
 ## Bumping into problems with non-reproducible crashes? 
 It happens, but usually
-isn't hard to diagnose. See section #7 in README for tips.
+isn't hard to diagnose. See section #7 in README.md for tips.
 
 ## Fuzzing is not just about memory corruption issues in the codebase. 
 Add some
@@ -87,4 +87,4 @@ use a postprocessor! See examples/post_library/ for more.
 
 ## Dealing with a very slow target or hoping for instant results? 
 
-Specify `-d` when calling afl-fuzz!
+Specify `-d` when calling afl-fuzz!

docs/notes_for_asan.md

@@ -1,7 +1,7 @@
 # Notes for using ASAN with afl-fuzz
 
   This file discusses some of the caveats for fuzzing under ASAN, and suggests
-  a handful of alternatives. See README for the general instruction manual.
+  a handful of alternatives. See README.md for the general instruction manual.
 
 ## 1) Short version
 

docs/parallel_fuzzing.md

@@ -1,7 +1,7 @@
 # Tips for parallel fuzzing
 
   This document talks about synchronizing afl-fuzz jobs on a single machine
-  or across a fleet of systems. See README for the general instruction manual.
+  or across a fleet of systems. See README.md for the general instruction manual.
 
 ## 1) Introduction
 

docs/perf_tips.md

@@ -1,7 +1,7 @@
 ## Tips for performance optimization
 
   This file provides tips for troubleshooting slow or wasteful fuzzing jobs.
-  See README for the general instruction manual.
+  See README.md for the general instruction manual.
 
 ## 1. Keep your test cases small
 
@@ -221,4 +221,4 @@ early on, you can always resort to the `-d` mode.
 The mode causes `afl-fuzz` to skip all the deterministic fuzzing steps, which
 makes output a lot less neat and can ultimately make the testing a bit less
 in-depth, but it will give you an experience more familiar from other fuzzing
-tools.
+tools.

docs/sister_projects.md

@@ -1,7 +1,7 @@
 # Sister projects
 
 This doc lists some of the projects that are inspired by, derived from,
-designed for, or meant to integrate with AFL. See README for the general
+designed for, or meant to integrate with AFL. See README.md for the general
 instruction manual.
 
 !!!
@@ -252,7 +252,7 @@ https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters
 ### AFL JS (Han Choongwoo)
 
 One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
-superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm).
+superseded by LLVM deferred forkserver init - see llvm_mode/README.md).
 
 https://github.com/tunz/afl-fuzz-js
 

docs/status_screen.md

@@ -1,7 +1,7 @@
 # Understanding the status screen
 
 This document provides an overview of the status screen - plus tips for
-troubleshooting any warnings and red text shown in the UI. See README for
+troubleshooting any warnings and red text shown in the UI. See README.md for
 the general instruction manual.
 
 ## A note about colors

docs/technical_details.md

@@ -1,7 +1,7 @@
 # Technical "whitepaper" for afl-fuzz
 
 This document provides a quick overview of the guts of American Fuzzy Lop.
-See README for the general instruction manual; and for a discussion of
+See README.md for the general instruction manual; and for a discussion of
 motivations and design goals behind AFL, see historical_notes.md.
 
 ## 0. Design statement
@@ -542,4 +542,4 @@ It uses the following classification scheme:
     takes place.
   - "Magic value section" - a generic token where changes cause the type
     of binary behavior outlined earlier, but that doesn't meet any of the
-    other criteria. May be an atomically compared keyword or so.
+    other criteria. May be an atomically compared keyword or so.

examples/argv_fuzzing/Makefile

@@ -24,18 +24,28 @@ ifneq "$(filter Linux GNU%,$(shell uname))" ""
   LDFLAGS  += -ldl
 endif
 
+# on gcc for arm there is no -m32, but -mbe32
+M32FLAG = -m32
+M64FLAG = -m64
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+ ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
+  M32FLAG = -mbe32
+ endif
+endif
+
+
 all: argvfuzz32.so argvfuzz64.so
 
 argvfuzz32.so: argvfuzz.c
-	-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
+	-$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
 
 argvfuzz64.so: argvfuzz.c
-	-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+	-$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz64 build failure (that's fine)"
 
 install: argvfuzz32.so argvfuzz64.so
 	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
 	if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
-	install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+	if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
 
 clean:
 	rm -f argvfuzz32.so argvfuzz64.so

examples/socket_fuzzing/Makefile

@@ -22,18 +22,27 @@ ifneq "$(filter Linux GNU%,$(shell uname))" ""
   LDFLAGS  += -ldl
 endif
 
+# on gcc for arm there is no -m32, but -mbe32
+M32FLAG = -m32
+M64FLAG = -m64
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+ ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
+  M32FLAG = -mbe32
+ endif
+endif
+
 all: socketfuzz32.so socketfuzz64.so
 
 socketfuzz32.so: socketfuzz.c
-	-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
+	-$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
 
 socketfuzz64.so: socketfuzz.c
-	-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+	-$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz64 build failure (that's fine)"
 
 install: socketfuzz32.so socketfuzz64.so
 	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
 	if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
-	install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+	if [ -f socketfuzz64.so ]; then set -e; install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
 
 clean:
 	rm -f socketfuzz32.so socketfuzz64.so

gcc_plugin/afl-gcc-fast.c

@@ -330,7 +330,7 @@ int main(int argc, char** argv, char** envp) {
 
     exit(1);
 
-  } else if (isatty(2) && !getenv("AFL_QUIET")) {
+  } else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
 
     SAYF(cCYA "afl-gcc-fast" VERSION cRST
               " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n");

gcc_plugin/afl-gcc-pass.so.cc

@@ -533,7 +533,7 @@ int plugin_init(struct plugin_name_args *  plugin_info,
   }
 
   /* Show a banner */
-  if (isatty(2) && !getenv("AFL_QUIET")) {
+  if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
 
     SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST
                  " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"));

gcc_plugin/afl-gcc-rt.o.c

@@ -214,7 +214,7 @@ static void __afl_start_forkserver(void) {
 
 }
 
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in README.md. */
 
 int __afl_persistent_loop(unsigned int max_cnt) {
 

include/afl-as.h

@@ -261,6 +261,7 @@ static const u8* main_payload_32 =
   "  je   __afl_setup_abort\n"
   "\n"
 #endif
+  "  movb $1, (%eax)\n"
   "  /* Store the address of the SHM region. */\n"
   "\n"
   "  movl %eax, __afl_area_ptr\n"
@@ -563,6 +564,7 @@ static const u8* main_payload_64 =
   "  je   __afl_setup_abort\n"
   "\n"
 #endif
+  "  movb $1, (%rax)\n"
   "  /* Store the address of the SHM region. */\n"
   "\n"
   "  movq %rax, %rdx\n"

include/config.h

@@ -27,7 +27,7 @@
 /* Version string: */
 
 // c = release, d = volatile github dev, e = experimental branch
-#define VERSION "++2.60d"
+#define VERSION "++2.61d"
 
 /******************************************************
  *                                                    *

include/envs.h

@@ -59,7 +59,7 @@ const char *afl_environment_variables[] = {
     "AFL_NO_CPU_RED",
     "AFL_NO_FORKSRV",
     "AFL_NO_UI",
-    "AFL_NO_X86", // not really an env but we dont want to warn on it
+    "AFL_NO_X86",  // not really an env but we dont want to warn on it
     "AFL_PATH",
     "AFL_PERFORMANCE_FILE",
     "AFL_PERSISTENT",

libdislocator/README.md

@@ -1,6 +1,6 @@
 # libdislocator, an abusive allocator
 
-  (See ../docs/README for the general instruction manual.)
+  (See ../docs/README.md for the general instruction manual.)
 
 This is a companion library that can be used as a drop-in replacement for the
 libc allocator in the fuzzed binaries. It improves the odds of bumping into

libtokencap/README.md

@@ -1,6 +1,6 @@
 # strcmp() / memcmp() token capture library
 
-  (See ../docs/README for the general instruction manual.)
+  (See ../docs/README.md for the general instruction manual.)
 
 This companion library allows you to instrument `strcmp()`, `memcmp()`,
 and related functions to automatically extract syntax tokens passed to any of

llvm_mode/LLVMInsTrim.so.cc

@@ -169,6 +169,7 @@ struct InsTrim : public ModulePass {
 
     ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
     ConstantInt *One = ConstantInt::get(Int8Ty, 1);
+    ConstantInt *One32 = ConstantInt::get(Int32Ty, 1);
 
     u64 total_rs = 0;
     u64 total_hs = 0;
@@ -382,19 +383,64 @@ struct InsTrim : public ModulePass {
 
         }
 
-        auto *EBB = &F.getEntryBlock();
+        // Bugfix #1: remove single block function instrumentation
-        if (succ_begin(EBB) == succ_end(EBB)) {
-
-          MS.insert(EBB);
-          total_rs += 1;
-
-        }
 
         for (BasicBlock &BB : F) {
 
-          if (MS.find(&BB) == MS.end()) { continue; }
+          if (MarkSetOpt && MS.find(&BB) == MS.end()) {
-          IRBuilder<> IRB(&*BB.getFirstInsertionPt());
+
-          IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev);
+            // Bugfix #2: instrument blocks that should be but InsTrim
+            //            doesn't due to an algorithmic bug
+            int more_than_one = -1;
+
+            for (pred_iterator PI = pred_begin(&BB), E = pred_end(&BB); PI != E;
+                 ++PI) {
+
+              BasicBlock *Pred = *PI;
+              int         count = 0;
+
+              if (more_than_one == -1) more_than_one = 0;
+              for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred);
+                   SI != E; ++SI) {
+
+                BasicBlock *Succ = *SI;
+                if (Succ != NULL) count++;
+
+              }
+
+              if (count > 1) more_than_one = 1;
+
+            }
+
+            if (more_than_one != 1) continue;
+            for (succ_iterator SI = succ_begin(&BB), E = succ_end(&BB); SI != E;
+                 ++SI) {
+
+              BasicBlock *Succ = *SI;
+              if (Succ != NULL && MS.find(Succ) == MS.end()) {
+
+                int cnt = 0;
+                for (succ_iterator SI2 = succ_begin(Succ), E2 = succ_end(Succ);
+                     SI2 != E2; ++SI2) {
+
+                  BasicBlock *Succ2 = *SI2;
+                  if (Succ2 != NULL) cnt++;
+
+                }
+
+                if (cnt == 0) {
+
+                  // fprintf(stderr, "INSERT!\n");
+                  MS.insert(Succ);
+                  total_rs += 1;
+
+                }
+
+              }
+
+            }
+
+          }
 
         }
 
@@ -402,33 +448,24 @@ struct InsTrim : public ModulePass {
 
       for (BasicBlock &BB : F) {
 
-        auto PI = pred_begin(&BB);
-        auto PE = pred_end(&BB);
         if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; }
 
         IRBuilder<> IRB(&*BB.getFirstInsertionPt());
         Value *     L = NULL;
-        if (PI == PE) {
 
-          L = ConstantInt::get(Int32Ty, genLabel());
+        auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
+        DenseMap<BasicBlock *, unsigned> PredMap;
+        for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
 
-        } else {
+          BasicBlock *PBB = *PI;
-
+          auto        It = PredMap.insert({PBB, genLabel()});
-          auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
+          unsigned    Label = It.first->second;
-          DenseMap<BasicBlock *, unsigned> PredMap;
+          PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
-          for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
-
-            BasicBlock *PBB = *PI;
-            auto        It = PredMap.insert({PBB, genLabel()});
-            unsigned    Label = It.first->second;
-            PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
-
-          }
-
-          L = PN;
 
         }
 
+        L = PN;
+
         /* Load prev_loc */
         LoadInst *PrevLoc = IRB.CreateLoad(OldPrev);
         PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
@@ -475,6 +512,11 @@ struct InsTrim : public ModulePass {
         IRB.CreateStore(Incr, MapPtrIdx)
             ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
 
+        // Bugfix #3: save the actually location ID to OldPrev
+        Value *Shr = IRB.CreateLShr(L, One32);
+        IRB.CreateStore(Shr, OldPrev)
+            ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+
         total_instr++;
 
       }

llvm_mode/README.md

@@ -2,7 +2,7 @@
 
   (See [../README](../README.md) for the general instruction manual.)
 
-  (See [../gcc_plugin/README.gcc](../gcc_plugin/README.gcc.md) for the GCC-based instrumentation.)
+  (See [../gcc_plugin/README](../gcc_plugin/README.md) for the GCC-based instrumentation.)
 
 ## 1) Introduction
 

llvm_mode/afl-llvm-rt.o.c

@@ -129,7 +129,7 @@ static void __afl_map_shm(void) {
     __afl_area_ptr[0] = 1;
 
   }
-  
+
   id_str = getenv(CMPLOG_SHM_ENV_VAR);
 
   if (id_str) {
@@ -260,7 +260,7 @@ static void __afl_start_forkserver(void) {
 
 }
 
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
 
 int __afl_persistent_loop(unsigned int max_cnt) {
 
@@ -346,7 +346,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
 
 /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
    It remains non-operational in the traditional, plugin-backed LLVM mode.
-   For more info about 'trace-pc-guard', see README.llvm.
+   For more info about 'trace-pc-guard', see llvm_mode/README.md.
 
    The first function (__sanitizer_cov_trace_pc_guard) is called back on every
    edge (as opposed to every basic block). */

qemu_mode/README.md

@@ -1,6 +1,6 @@
 # High-performance binary-only instrumentation for afl-fuzz
 
-  (See ../docs/README for the general instruction manual.)
+  (See ../docs/README.md for the general instruction manual.)
 
 ## 1) Introduction
 
@@ -60,7 +60,7 @@ binary on x86_64) use QEMU_LD_PREFIX.
 
 ## 3) Bonus feature #1: deferred initialization
 
-As for LLVM mode (refer to its README for mode details) QEMU mode supports
+As for LLVM mode (refer to its README.md for mode details) QEMU mode supports
 the deferred initialization.
 
 This can be enabled setting the environment variable AFL_ENTRYPOINT which allows

qemu_mode/libcompcov/libcompcov.so.c

@@ -15,7 +15,7 @@
 
    This Linux-only companion library allows you to instrument strcmp(),
    memcmp(), and related functions to get compare coverage.
-   See README.compcov for more info.
+   See README.md for more info.
 
  */
 

qemu_mode/patches/afl-qemu-cpu-inl.h

@@ -407,7 +407,7 @@ void afl_forkserver(CPUState *cpu) {
 
 }
 
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
 
 void afl_persistent_loop(void) {
 

src/afl-analyze.c

@@ -798,9 +798,19 @@ static void usage(u8* argv0) {
 
       "  -e            - look for edge coverage only, ignore hit counts\n\n"
 
-      "For additional tips, please consult %s/README.\n\n",
+      "For additional tips, please consult %s/README.md.\n\n"
 
-      argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
+      "Environment variables used:\n"
+      "TMPDIR: directory to use for temporary input files\n"
+      "ASAN_OPTIONS: custom settings for ASAN\n"
+      "              (must contain abort_on_error=1 and symbolize=0)\n"
+      "MSAN_OPTIONS: custom settings for MSAN\n"
+      "              (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
+      "AFL_PRELOAD: LD_PRELOAD settings for target\n"
+      "AFL_ANALYZE_HEX: print file offsets in hexadecimal instead of decimal\n"
+      "AFL_SKIP_BIN_CHECK: skip checking the location of and the target\n"
+
+      , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
 
   exit(1);
 

src/afl-as.c

@@ -529,10 +529,10 @@ int main(int argc, char** argv) {
         "don't want to run this program directly.\n\n"
 
         "Rarely, when dealing with extremely complex projects, it may be "
-        "advisable to\n"
+        "advisable\n"
-        "set AFL_INST_RATIO to a value less than 100 in order to reduce the "
+        "to set AFL_INST_RATIO to a value less than 100 in order to reduce "
-        "odds of\n"
+        "the\n"
-        "instrumenting every discovered branch.\n\n"
+        "odds of instrumenting every discovered branch.\n\n"
         "Environment variables used:\n"
         "AFL_AS: path to assembler to use for instrumented files\n"
         "AFL_CC: fall back path to assembler\n"

src/afl-common.c

@@ -112,7 +112,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
   char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
   u8 *   tmp, *cp, *rsl, *own_copy;
 
-  memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
+  memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc);
 
   new_argv[2] = target_path;
   new_argv[1] = "--";
@@ -163,7 +163,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
   SAYF("\n" cLRD "[-] " cRST
        "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
        "built\n"
-       "    separately by following the instructions in qemu_mode/README.qemu. "
+       "    separately by following the instructions in qemu_mode/README.md. "
        "If you\n"
        "    already have the binary installed, you may need to specify "
        "AFL_PATH in the\n"
@@ -187,7 +187,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
   char** new_argv = ck_alloc(sizeof(char*) * (argc + 3));
   u8 *   tmp, *cp, *rsl, *own_copy;
 
-  memcpy(new_argv + 2, argv + 1, sizeof(char*) * argc);
+  memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc);
 
   new_argv[1] = target_path;
 
@@ -259,7 +259,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
   SAYF("\n" cLRD "[-] " cRST
        "Oops, unable to find the '%s' binary. The binary must be "
        "built\n"
-       "    separately by following the instructions in qemu_mode/README.qemu. "
+       "    separately by following the instructions in qemu_mode/README.md. "
        "If you\n"
        "    already have the binary installed, you may need to specify "
        "AFL_PATH in the\n"

src/afl-fuzz-init.c

@@ -1980,11 +1980,11 @@ void check_binary(u8* fname) {
         "while\n"
         "    mutating the input data. For more information, and for tips on "
         "how to\n"
-        "    instrument binaries, please see %s/README.\n\n"
+        "    instrument binaries, please see %s/README.md.\n\n"
 
         "    When source code is not available, you may be able to leverage "
         "QEMU\n"
-        "    mode support. Consult the README for tips on how to enable this.\n"
+        "    mode support. Consult the README.md for tips on how to enable this.\n"
 
         "    (It is also possible to use afl-fuzz as a traditional, \"dumb\" "
         "fuzzer.\n"

src/afl-fuzz-one.c

@@ -3714,7 +3714,7 @@ pacemaker_fuzzing:
 
             case 1:
               if (temp_len < 2) break;
-              temp_len_puppet = UR((temp_len << 3) -1);
+              temp_len_puppet = UR((temp_len << 3) - 1);
               FLIP_BIT(out_buf, temp_len_puppet);
               FLIP_BIT(out_buf, temp_len_puppet + 1);
               MOpt_globals.cycles_v2[STAGE_FLIP2] += 1;
@@ -3722,7 +3722,7 @@ pacemaker_fuzzing:
 
             case 2:
               if (temp_len < 2) break;
-              temp_len_puppet = UR((temp_len << 3) -3);
+              temp_len_puppet = UR((temp_len << 3) - 3);
               FLIP_BIT(out_buf, temp_len_puppet);
               FLIP_BIT(out_buf, temp_len_puppet + 1);
               FLIP_BIT(out_buf, temp_len_puppet + 2);

src/afl-fuzz-redqueen.c

@@ -243,7 +243,7 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 
   if (SHAPE_BYTES(h->shape) == 8) {
 
-    if (its_len >= 8 && *buf_64 == pattern) {// && *o_buf_64 == pattern) {
+    if (its_len >= 8 && *buf_64 == pattern) {  // && *o_buf_64 == pattern) {
 
       *buf_64 = repl;
       if (unlikely(its_fuzz(buf, len, status))) return 1;
@@ -261,7 +261,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 
   if (SHAPE_BYTES(h->shape) == 4 || *status == 2) {
 
-    if (its_len >= 4 && *buf_32 == (u32)pattern) {// && *o_buf_32 == (u32)pattern) {
+    if (its_len >= 4 &&
+        *buf_32 == (u32)pattern) {  // && *o_buf_32 == (u32)pattern) {
 
       *buf_32 = (u32)repl;
       if (unlikely(its_fuzz(buf, len, status))) return 1;
@@ -279,7 +280,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 
   if (SHAPE_BYTES(h->shape) == 2 || *status == 2) {
 
-    if (its_len >= 2 && *buf_16 == (u16)pattern) {// && *o_buf_16 == (u16)pattern) {
+    if (its_len >= 2 &&
+        *buf_16 == (u16)pattern) {  // && *o_buf_16 == (u16)pattern) {
 
       *buf_16 = (u16)repl;
       if (unlikely(its_fuzz(buf, len, status))) return 1;
@@ -531,7 +533,7 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
       stage_max += MIN(cmp_map->headers[k].hits, CMP_MAP_RTN_H);
 
   }
-  
+
   for (k = 0; k < CMP_MAP_W; ++k) {
 
     if (!cmp_map->headers[k].hits) continue;

src/afl-fuzz.c

@@ -112,7 +112,7 @@ static void usage(u8* argv0) {
       "entering the\n"
       "                  pacemaker mode (minutes of no new paths, 0 = "
       "immediately).\n"
-      "                  a recommended value is 10-60. see docs/README.MOpt\n"
+      "                  a recommended value is 10-60. see docs/README.MOpt.md\n"
       "  -c program    - enable CmpLog by specifying a binary compiled for "
       "it.\n"
       "                  if using QEMU, just use -c 0.\n\n"
@@ -121,7 +121,7 @@ static void usage(u8* argv0) {
       "  -N            - do not unlink the fuzzing input file\n"
       "  -d            - quick & dirty mode (skips deterministic steps)\n"
       "  -n            - fuzz without instrumentation (dumb mode)\n"
-      "  -x dir        - optional fuzzer dictionary (see README, its really "
+      "  -x dir        - optional fuzzer dictionary (see README.md, its really "
       "good!)\n\n"
 
       "Testing settings:\n"
@@ -1087,7 +1087,7 @@ stop_fuzzing:
 
     SAYF("\n" cYEL "[!] " cRST
          "Stopped during the first cycle, results may be incomplete.\n"
-         "    (For info on resuming, see %s/README)\n",
+         "    (For info on resuming, see %s/README.md)\n",
          doc_path);
 
   }

src/afl-showmap.c

@@ -647,7 +647,7 @@ static void usage(u8* argv0) {
       "  -c            - allow core dumps\n\n"
 
       "This tool displays raw tuple data captured by AFL instrumentation.\n"
-      "For additional help, consult %s/README.\n\n" cRST,
+      "For additional help, consult %s/README.md.\n\n" cRST,
 
       argv0, MEM_LIMIT, doc_path);
 

src/afl-tmin.c

@@ -977,9 +977,18 @@ static void usage(u8* argv0) {
       "  -e            - solve for edge coverage only, ignore hit counts\n"
       "  -x            - treat non-zero exit codes as crashes\n\n"
 
-      "For additional tips, please consult %s/README.\n\n",
+      "For additional tips, please consult %s/README.md.\n\n"
 
-      argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
+      "Environment variables used:\n"
+      "TMPDIR: directory to use for temporary input files\n"
+      "ASAN_OPTIONS: custom settings for ASAN\n"
+      "              (must contain abort_on_error=1 and symbolize=0)\n"
+      "MSAN_OPTIONS: custom settings for MSAN\n"
+      "              (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
+      "AFL_PRELOAD: LD_PRELOAD settings for target\n"
+      "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n"
+
+      , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
 
   exit(1);
 

test/test.sh

@@ -120,7 +120,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
     }
     rm -f test-instr.plain.0 test-instr.plain.1
     TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
-    test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && {
+    test "$TUPLES" -gt 3 -a "$TUPLES" -lt 8 && {
       $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
     } || {
       $ECHO "$RED[!] ${AFL_GCC} produces weird instrumentation numbers: $TUPLES"