ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-08 08:11:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:vanhauser-thc/AFLplusplus

Browse Source
This commit is contained in:
Andrea Fioraldi 2020-02-25 21:24:43 +01:00
commit e12edca29a
41 changed files with 238 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.travis.yml
View File

@ -17,10 +17,10 @@ matrix:
- os: linux
dist: trusty
env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
- os: linux
dist: xenial
arch: arm64
env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
# - os: linux # until travis can fix this!
# dist: xenial
# arch: arm64
# env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
# - os: osx
# osx_image: xcode11.2
# env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
@ -50,3 +50,4 @@ script:
- if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
- if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
- make tests
- travis_terminate 0

6
Makefile
View File

@ -103,9 +103,9 @@ ifneq "$(shell which python)" ""
endif
ifdef SOURCE_DATE_EPOCH
BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -I)
BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
else
BUILD_DATE ?= $(shell date -I)
BUILD_DATE ?= $(shell date "+%Y-%m-%d")
endif
ifneq "$(filter Linux GNU%,$(shell uname))" ""
@ -344,7 +344,7 @@ endif
all_done: test_build
@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi
@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null

58
README.md
View File

@ -4,9 +4,9 @@
![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)
Release Version: 2.60c
Release Version: 2.61c
Github Version: 2.60d
Github Version: 2.61d
includes all necessary/interesting changes from Google's afl 2.56b
@ -89,7 +89,9 @@
read this file.
## Shameless plug to students and enthusiast developers
## Google Summer of Code 2020 (and any other students and enthusiast developers)
We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-)
We have several ideas we would like to see in AFL++ to make it even better.
However we already work on so many things that we do not have the time for
@ -106,6 +108,7 @@ afl++ has many build options.
The easiest is to build and install everything:
```shell
$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang
$ make distrib
$ sudo make install
```
@ -153,7 +156,8 @@ Hence gcc-9 and especially llvm-9 should be the compilers of choice.
If your distribution does not have them, you can use the Dockerfile:
```shell
$ docker build -t aflplusplus
$ cd AFLplusplus
$ sudo docker build -t aflplusplus .
```
@ -295,6 +299,8 @@ $ ./build_qemu_support.sh
For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
If possible you should use the persistent mode, see [README.persistent.md](README.persistent.md).
The mode is approximately 2-5x slower than compile-time instrumentation, is
less conducive to parallelization, and may have some other quirks.
@ -306,7 +312,17 @@ A more comprehensive description of these and other options can be found in
[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md)
## 5) Power schedules
## 5) Good examples and writeups
Here are some good writeups to show how to effectibly use AFL++:
* [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/)
* [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/)
* [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1)
If you find other good ones, please send them to us :-)
## 6) Power schedules
The power schedules were copied from Marcel Böhme's excellent AFLfast
implementation and expand on the ability to discover new paths and
@ -333,7 +349,8 @@ made the default mode).
More details can be found in the paper published at the 23rd ACM Conference on
Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/)
## 6) Choosing initial test cases
## 7) Choosing initial test cases
To operate correctly, the fuzzer requires one or more starting file that
contains a good example of the input data normally expected by the targeted
@ -354,7 +371,7 @@ the afl-cmin utility to identify a subset of functionally distinct files that
exercise different code paths in the target binary.
## 7) Fuzzing binaries
## 8) Fuzzing binaries
The fuzzing process itself is carried out by the afl-fuzz utility. This program
requires a read-only directory with initial test cases, a separate place to
@ -391,8 +408,7 @@ steps, which can take several days, but tend to produce neat test cases. If you
want quick & dirty results right away - akin to zzuf and other traditional
fuzzers - add the -d option to the command line.
## 8) Interpreting output
## 9) Interpreting output
See the [docs/status_screen.md](docs/status_screen.md) file for information on
how to interpret the displayed stats and monitor the health of the process. Be
@ -452,8 +468,7 @@ If you have gnuplot installed, you can also generate some pretty graphs for any
active fuzzing task using afl-plot. For an example of how this looks like,
see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
## 9) Parallelized fuzzing
## 10) Parallelized fuzzing
Every instance of afl-fuzz takes up roughly one core. This means that on
multi-core systems, parallelization is necessary to fully utilize the hardware.
@ -464,8 +479,7 @@ The parallel fuzzing mode also offers a simple way for interfacing AFL to other
fuzzers, to symbolic or concolic execution engines, and so forth; again, see the
last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips.
## 10) Fuzzer dictionaries
## 12) Fuzzer dictionaries
By default, afl-fuzz mutation engine is optimized for compact data formats -
say, images, multimedia, compressed data, regular expression syntax, or shell
@ -500,8 +514,7 @@ If a dictionary is really hard to come by, another option is to let AFL run
for a while, and then use the token capture library that comes as a companion
utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md).
## 11) Crash triage
## 13) Crash triage
The coverage-based grouping of crashes usually produces a small data set that
can be quickly triaged manually or with a very simple GDB or Valgrind script.
@ -549,7 +562,7 @@ insights into complex file formats. More info about its operation can be found
near the end of [docs/technical_details.md](docs/technical_details.md).
## 12) Going beyond crashes
## 14) Going beyond crashes
Fuzzing is a wonderful and underutilized technique for discovering non-crashing
design and implementation errors, too. Quite a few interesting bugs have been
@ -572,8 +585,7 @@ if you are the maintainer of a particular package, you can make this code
conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also
shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL).
## 13) Common-sense risks
## 15) Common-sense risks
Please keep in mind that, similarly to many other computationally-intensive
tasks, fuzzing may put strain on your hardware and on the OS. In particular:
@ -602,8 +614,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular:
$ iostat -d 3 -x -k [...optional disk ID...]
```
## 14) Known limitations & areas for improvement
## 16) Known limitations & areas for improvement
Here are some of the most important caveats for AFL:
@ -643,8 +654,7 @@ Here are some of the most important caveats for AFL:
Beyond this, see INSTALL for platform-specific tips.
## 15) Special thanks
## 17) Special thanks
Many of the improvements to the original afl and afl++ wouldn't be possible
without feedback, bug reports, or patches from:
@ -696,9 +706,9 @@ without feedback, bug reports, or patches from:
```
Thank you!
(For people sending pull requests - please add yourself to this list :-)
## 16) Contact
## 18) Contact
Questions? Concerns? Bug reports? The contributors can be reached via
[https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)

2
afl-cmin.bash
View File

@ -126,7 +126,7 @@ Minimization settings:
-C - keep crashing inputs, reject everything else
-e - solve for edge coverage only, ignore hit counts
For additional tips, please consult docs/README.
For additional tips, please consult docs/README.md.
Environment variables used:
AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory

2
afl-plot
View File

@ -32,6 +32,8 @@ an empty directory where this tool can write the resulting plots to.
The program will put index.html and three PNG images in the output directory;
you should be able to view it with any web browser of your choice.
Environment variables used:
AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories
_EOF_
exit 1

33
docs/Changelog.md
View File

@ -1,7 +1,7 @@
# Changelog
This is the list of all noteworthy changes made in every public release of
the tool. See README for the general instruction manual.
the tool. See README.md for the general instruction manual.
## Staying informed
@ -9,7 +9,12 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++2.60d (develop):
### Version ++2.61d (develop):
- ...
### Version ++2.61c (release):
- use -march=native if available
- most tools now check for mistyped environment variables
@ -17,6 +22,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- the memory safety checks are now disabled for a little more speed during
fuzzing (only affects creating queue entries), can be toggled in config.h
- afl-fuzz:
- MOpt out of bounds writing crash fixed
- now prints the real python version support compiled in
- set stronger performance compile options and little tweaks
- Android: prefer bigcores when selecting a CPU
@ -28,13 +34,18 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- bugfix for dictionary insert stage count (fix via Google repo PR)
- added warning if -M is used together with custom mutators with _ONLY option
- AFL_TMPDIR checks are now later and better explained if they fail
- llvm_mode InsTrim: no pointless instrumentation of 1 block functions
- llvm_mode
- InsTrim: three bug fixes:
1. (minor) no pointless instrumentation of 1 block functions
2. (medium) path bug that leads a few blocks not instrumented that
should be
3. (major) incorrect prev_loc was written, fixed!
- afl-clang-fast:
- show in the help output for which llvm version it was compiled for
- now does not need to be recompiled between trace-pc and pass
instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
- LLVM 11 is supported
- CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
- CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog.md)
- afl-gcc, afl-clang-fast, afl-gcc-fast:
- experimental support for undefined behaviour sanitizer UBSAN
(set AFL_USE_UBSAN=1)
@ -178,7 +189,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- fix llvm_mode AFL_TRACE_PC with modern llvm
- fix a crash in qemu_mode which also exists in stock afl
- added libcompcov, a laf-intel implementation for qemu! :)
see qemu_mode/libcompcov/README.libcompcov
see qemu_mode/libcompcov/README.libcompcov.md
- afl-fuzz now displays the selected core in the status screen (blue {#})
- updated afl-fuzz and afl-system-config for new scaling governor location
in modern kernels
@ -187,8 +198,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- if llvm_mode was compiled, afl-clang/afl-clang++ will point to these
instead of afl-gcc
- added instrim, a much faster llvm_mode instrumentation at the cost of
path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
- added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
path discovery. See llvm_mode/README.instrim.md (https://github.com/csienslab/instrim)
- added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt.md
- added code to make it more portable to other platforms than Intel Linux
- added never zero counters for afl-gcc and optionally (because of an
optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
@ -218,11 +229,11 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
LLVM and Qemu modes are now faster.
Important changes:
afl-fuzz: -e EXTENSION commandline option
llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel)
a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.txt
llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md)
a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.md
- Added the power schedules of AFLfast by Marcel Boehme, but set the default
to the AFL schedule, not to the FAST schedule. So nothing changes unless
you use the new -p option :-) - see docs/power_schedules.txt
you use the new -p option :-) - see docs/power_schedules.md
- added afl-system-config script to set all system performance options for fuzzing
- llvm_mode works with llvm 3.9 up to including 8 !
- qemu_mode got upgraded from 2.1 to 3.1 - incorporated from
@ -465,7 +476,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- Added libtokencap, a simple feature to intercept strcmp / memcmp and
generate dictionary entries that can help extend coverage.
- Moved libdislocator to its own dir, added README.
- Moved libdislocator to its own dir, added README.md.
- The demo in examples/instrumented_cmp is no more.

2
docs/QuickStartGuide.md
View File

@ -27,7 +27,7 @@ how to hit the ground running:
4) Get a small but valid input file that makes sense to the program. When
fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
dictionaries/README.dictionaries, too.
dictionaries/README.md, too.
5) If the program reads from stdin, run 'afl-fuzz' like so:

2
docs/env_variables.md
View File

@ -2,7 +2,7 @@
This document discusses the environment variables used by American Fuzzy Lop++
to expose various exotic functions that may be (rarely) useful for power
users or for some types of custom fuzzing setups. See README for the general
users or for some types of custom fuzzing setups. See README.md for the general
instruction manual.
## 1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast

2
docs/life_pro_tips.md
View File

@ -62,7 +62,7 @@ Specify `AFL_HARDEN=1` in the environment to enable hardening flags.
## Bumping into problems with non-reproducible crashes?
It happens, but usually
isn't hard to diagnose. See section #7 in README for tips.
isn't hard to diagnose. See section #7 in README.md for tips.
## Fuzzing is not just about memory corruption issues in the codebase.
Add some

2
docs/notes_for_asan.md
View File

@ -1,7 +1,7 @@
# Notes for using ASAN with afl-fuzz
This file discusses some of the caveats for fuzzing under ASAN, and suggests
a handful of alternatives. See README for the general instruction manual.
a handful of alternatives. See README.md for the general instruction manual.
## 1) Short version

2
docs/parallel_fuzzing.md
View File

@ -1,7 +1,7 @@
# Tips for parallel fuzzing
This document talks about synchronizing afl-fuzz jobs on a single machine
or across a fleet of systems. See README for the general instruction manual.
or across a fleet of systems. See README.md for the general instruction manual.
## 1) Introduction

2
docs/perf_tips.md
View File

@ -1,7 +1,7 @@
## Tips for performance optimization
This file provides tips for troubleshooting slow or wasteful fuzzing jobs.
See README for the general instruction manual.
See README.md for the general instruction manual.
## 1. Keep your test cases small

4
docs/sister_projects.md
View File

@ -1,7 +1,7 @@
# Sister projects
This doc lists some of the projects that are inspired by, derived from,
designed for, or meant to integrate with AFL. See README for the general
designed for, or meant to integrate with AFL. See README.md for the general
instruction manual.
!!!
@ -252,7 +252,7 @@ https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters
### AFL JS (Han Choongwoo)
One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm).
superseded by LLVM deferred forkserver init - see llvm_mode/README.md).
https://github.com/tunz/afl-fuzz-js

2
docs/status_screen.md
View File

@ -1,7 +1,7 @@
# Understanding the status screen
This document provides an overview of the status screen - plus tips for
troubleshooting any warnings and red text shown in the UI. See README for
troubleshooting any warnings and red text shown in the UI. See README.md for
the general instruction manual.
## A note about colors

2
docs/technical_details.md
View File

@ -1,7 +1,7 @@
# Technical "whitepaper" for afl-fuzz
This document provides a quick overview of the guts of American Fuzzy Lop.
See README for the general instruction manual; and for a discussion of
See README.md for the general instruction manual; and for a discussion of
motivations and design goals behind AFL, see historical_notes.md.
## 0. Design statement

16
examples/argv_fuzzing/Makefile
View File

@ -24,18 +24,28 @@ ifneq "$(filter Linux GNU%,$(shell uname))" ""
LDFLAGS += -ldl
endif
# on gcc for arm there is no -m32, but -mbe32
M32FLAG = -m32
M64FLAG = -m64
ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
M32FLAG = -mbe32
endif
endif
all: argvfuzz32.so argvfuzz64.so
argvfuzz32.so: argvfuzz.c
-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
-$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
argvfuzz64.so: argvfuzz.c
-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
-$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz64 build failure (that's fine)"
install: argvfuzz32.so argvfuzz64.so
install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/
if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
clean:
rm -f argvfuzz32.so argvfuzz64.so

15
examples/socket_fuzzing/Makefile
View File

@ -22,18 +22,27 @@ ifneq "$(filter Linux GNU%,$(shell uname))" ""
LDFLAGS += -ldl
endif
# on gcc for arm there is no -m32, but -mbe32
M32FLAG = -m32
M64FLAG = -m64
ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
M32FLAG = -mbe32
endif
endif
all: socketfuzz32.so socketfuzz64.so
socketfuzz32.so: socketfuzz.c
-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
-$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
socketfuzz64.so: socketfuzz.c
-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
-$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz64 build failure (that's fine)"
install: socketfuzz32.so socketfuzz64.so
install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/
if [ -f socketfuzz64.so ]; then set -e; install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
clean:
rm -f socketfuzz32.so socketfuzz64.so

2
gcc_plugin/afl-gcc-fast.c
View File

@ -330,7 +330,7 @@ int main(int argc, char** argv, char** envp) {
exit(1);
} else if (isatty(2) && !getenv("AFL_QUIET")) {
} else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
SAYF(cCYA "afl-gcc-fast" VERSION cRST
" initially by <aseipp@pobox.com>, maintainer: hexcoder-\n");

2
gcc_plugin/afl-gcc-pass.so.cc
View File

@ -533,7 +533,7 @@ int plugin_init(struct plugin_name_args * plugin_info,
}
/* Show a banner */
if (isatty(2) && !getenv("AFL_QUIET")) {
if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST
" initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"));

2
gcc_plugin/afl-gcc-rt.o.c
View File

@ -214,7 +214,7 @@ static void __afl_start_forkserver(void) {
}
/* A simplified persistent mode handler, used as explained in README.llvm. */
/* A simplified persistent mode handler, used as explained in README.md. */
int __afl_persistent_loop(unsigned int max_cnt) {

2
include/afl-as.h
View File

@ -261,6 +261,7 @@ static const u8* main_payload_32 =
" je __afl_setup_abort\n"
"\n"
#endif
" movb $1, (%eax)\n"
" /* Store the address of the SHM region. */\n"
"\n"
" movl %eax, __afl_area_ptr\n"
@ -563,6 +564,7 @@ static const u8* main_payload_64 =
" je __afl_setup_abort\n"
"\n"
#endif
" movb $1, (%rax)\n"
" /* Store the address of the SHM region. */\n"
"\n"
" movq %rax, %rdx\n"

2
include/config.h
View File

@ -27,7 +27,7 @@
/* Version string: */
// c = release, d = volatile github dev, e = experimental branch
#define VERSION "++2.60d"
#define VERSION "++2.61d"
/******************************************************
* *

2
include/envs.h
View File

@ -59,7 +59,7 @@ const char *afl_environment_variables[] = {
"AFL_NO_CPU_RED",
"AFL_NO_FORKSRV",
"AFL_NO_UI",
"AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_PATH",
"AFL_PERFORMANCE_FILE",
"AFL_PERSISTENT",

2
libdislocator/README.md
View File

@ -1,6 +1,6 @@
# libdislocator, an abusive allocator
(See ../docs/README for the general instruction manual.)
(See ../docs/README.md for the general instruction manual.)
This is a companion library that can be used as a drop-in replacement for the
libc allocator in the fuzzed binaries. It improves the odds of bumping into

2
libtokencap/README.md
View File

@ -1,6 +1,6 @@
# strcmp() / memcmp() token capture library
(See ../docs/README for the general instruction manual.)
(See ../docs/README.md for the general instruction manual.)
This companion library allows you to instrument `strcmp()`, `memcmp()`,
and related functions to automatically extract syntax tokens passed to any of

98
llvm_mode/LLVMInsTrim.so.cc
View File

@ -169,6 +169,7 @@ struct InsTrim : public ModulePass {
ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
ConstantInt *One = ConstantInt::get(Int8Ty, 1);
ConstantInt *One32 = ConstantInt::get(Int32Ty, 1);
u64 total_rs = 0;
u64 total_hs = 0;
@ -382,19 +383,64 @@ struct InsTrim : public ModulePass {
}
auto *EBB = &F.getEntryBlock();
if (succ_begin(EBB) == succ_end(EBB)) {
MS.insert(EBB);
total_rs += 1;
}
// Bugfix #1: remove single block function instrumentation
for (BasicBlock &BB : F) {
if (MS.find(&BB) == MS.end()) { continue; }
IRBuilder<> IRB(&*BB.getFirstInsertionPt());
IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev);
if (MarkSetOpt && MS.find(&BB) == MS.end()) {
// Bugfix #2: instrument blocks that should be but InsTrim
// doesn't due to an algorithmic bug
int more_than_one = -1;
for (pred_iterator PI = pred_begin(&BB), E = pred_end(&BB); PI != E;
++PI) {
BasicBlock *Pred = *PI;
int count = 0;
if (more_than_one == -1) more_than_one = 0;
for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred);
SI != E; ++SI) {
BasicBlock *Succ = *SI;
if (Succ != NULL) count++;
}
if (count > 1) more_than_one = 1;
}
if (more_than_one != 1) continue;
for (succ_iterator SI = succ_begin(&BB), E = succ_end(&BB); SI != E;
++SI) {
BasicBlock *Succ = *SI;
if (Succ != NULL && MS.find(Succ) == MS.end()) {
int cnt = 0;
for (succ_iterator SI2 = succ_begin(Succ), E2 = succ_end(Succ);
SI2 != E2; ++SI2) {
BasicBlock *Succ2 = *SI2;
if (Succ2 != NULL) cnt++;
}
if (cnt == 0) {
// fprintf(stderr, "INSERT!\n");
MS.insert(Succ);
total_rs += 1;
}
}
}
}
}
@ -402,33 +448,24 @@ struct InsTrim : public ModulePass {
for (BasicBlock &BB : F) {
auto PI = pred_begin(&BB);
auto PE = pred_end(&BB);
if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; }
IRBuilder<> IRB(&*BB.getFirstInsertionPt());
Value * L = NULL;
if (PI == PE) {
L = ConstantInt::get(Int32Ty, genLabel());
auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
DenseMap<BasicBlock *, unsigned> PredMap;
for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
} else {
auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
DenseMap<BasicBlock *, unsigned> PredMap;
for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
BasicBlock *PBB = *PI;
auto It = PredMap.insert({PBB, genLabel()});
unsigned Label = It.first->second;
PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
}
L = PN;
BasicBlock *PBB = *PI;
auto It = PredMap.insert({PBB, genLabel()});
unsigned Label = It.first->second;
PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
}
L = PN;
/* Load prev_loc */
LoadInst *PrevLoc = IRB.CreateLoad(OldPrev);
PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
@ -475,6 +512,11 @@ struct InsTrim : public ModulePass {
IRB.CreateStore(Incr, MapPtrIdx)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
// Bugfix #3: save the actually location ID to OldPrev
Value *Shr = IRB.CreateLShr(L, One32);
IRB.CreateStore(Shr, OldPrev)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
total_instr++;
}

2
llvm_mode/README.md
View File

@ -2,7 +2,7 @@
(See [../README](../README.md) for the general instruction manual.)
(See [../gcc_plugin/README.gcc](../gcc_plugin/README.gcc.md) for the GCC-based instrumentation.)
(See [../gcc_plugin/README](../gcc_plugin/README.md) for the GCC-based instrumentation.)
## 1) Introduction

4
llvm_mode/afl-llvm-rt.o.c
View File

@ -260,7 +260,7 @@ static void __afl_start_forkserver(void) {
}
/* A simplified persistent mode handler, used as explained in README.llvm. */
/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
int __afl_persistent_loop(unsigned int max_cnt) {
@ -346,7 +346,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
/* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
It remains non-operational in the traditional, plugin-backed LLVM mode.
For more info about 'trace-pc-guard', see README.llvm.
For more info about 'trace-pc-guard', see llvm_mode/README.md.
The first function (__sanitizer_cov_trace_pc_guard) is called back on every
edge (as opposed to every basic block). */

4
qemu_mode/README.md
View File

@ -1,6 +1,6 @@
# High-performance binary-only instrumentation for afl-fuzz
(See ../docs/README for the general instruction manual.)
(See ../docs/README.md for the general instruction manual.)
## 1) Introduction
@ -60,7 +60,7 @@ binary on x86_64) use QEMU_LD_PREFIX.
## 3) Bonus feature #1: deferred initialization
As for LLVM mode (refer to its README for mode details) QEMU mode supports
As for LLVM mode (refer to its README.md for mode details) QEMU mode supports
the deferred initialization.
This can be enabled setting the environment variable AFL_ENTRYPOINT which allows

2
qemu_mode/libcompcov/libcompcov.so.c
View File

@ -15,7 +15,7 @@
This Linux-only companion library allows you to instrument strcmp(),
memcmp(), and related functions to get compare coverage.
See README.compcov for more info.
See README.md for more info.
*/

2
qemu_mode/patches/afl-qemu-cpu-inl.h
View File

@ -407,7 +407,7 @@ void afl_forkserver(CPUState *cpu) {
}
/* A simplified persistent mode handler, used as explained in README.llvm. */
/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
void afl_persistent_loop(void) {

14
src/afl-analyze.c
View File

@ -798,9 +798,19 @@ static void usage(u8* argv0) {
" -e - look for edge coverage only, ignore hit counts\n\n"
"For additional tips, please consult %s/README.\n\n",
"For additional tips, please consult %s/README.md.\n\n"
argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
"Environment variables used:\n"
"TMPDIR: directory to use for temporary input files\n"
"ASAN_OPTIONS: custom settings for ASAN\n"
" (must contain abort_on_error=1 and symbolize=0)\n"
"MSAN_OPTIONS: custom settings for MSAN\n"
" (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
"AFL_PRELOAD: LD_PRELOAD settings for target\n"
"AFL_ANALYZE_HEX: print file offsets in hexadecimal instead of decimal\n"
"AFL_SKIP_BIN_CHECK: skip checking the location of and the target\n"
, argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
exit(1);

8
src/afl-as.c
View File

@ -529,10 +529,10 @@ int main(int argc, char** argv) {
"don't want to run this program directly.\n\n"
"Rarely, when dealing with extremely complex projects, it may be "
"advisable to\n"
"set AFL_INST_RATIO to a value less than 100 in order to reduce the "
"odds of\n"
"instrumenting every discovered branch.\n\n"
"advisable\n"
"to set AFL_INST_RATIO to a value less than 100 in order to reduce "
"the\n"
"odds of instrumenting every discovered branch.\n\n"
"Environment variables used:\n"
"AFL_AS: path to assembler to use for instrumented files\n"
"AFL_CC: fall back path to assembler\n"

8
src/afl-common.c
View File

@ -112,7 +112,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
u8 * tmp, *cp, *rsl, *own_copy;
memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc);
new_argv[2] = target_path;
new_argv[1] = "--";
@ -163,7 +163,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
SAYF("\n" cLRD "[-] " cRST
"Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
"built\n"
" separately by following the instructions in qemu_mode/README.qemu. "
" separately by following the instructions in qemu_mode/README.md. "
"If you\n"
" already have the binary installed, you may need to specify "
"AFL_PATH in the\n"
@ -187,7 +187,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 3));
u8 * tmp, *cp, *rsl, *own_copy;
memcpy(new_argv + 2, argv + 1, sizeof(char*) * argc);
memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc);
new_argv[1] = target_path;
@ -259,7 +259,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
SAYF("\n" cLRD "[-] " cRST
"Oops, unable to find the '%s' binary. The binary must be "
"built\n"
" separately by following the instructions in qemu_mode/README.qemu. "
" separately by following the instructions in qemu_mode/README.md. "
"If you\n"
" already have the binary installed, you may need to specify "
"AFL_PATH in the\n"

4
src/afl-fuzz-init.c
View File

@ -1980,11 +1980,11 @@ void check_binary(u8* fname) {
"while\n"
" mutating the input data. For more information, and for tips on "
"how to\n"
" instrument binaries, please see %s/README.\n\n"
" instrument binaries, please see %s/README.md.\n\n"
" When source code is not available, you may be able to leverage "
"QEMU\n"
" mode support. Consult the README for tips on how to enable this.\n"
" mode support. Consult the README.md for tips on how to enable this.\n"
" (It is also possible to use afl-fuzz as a traditional, \"dumb\" "
"fuzzer.\n"

4
src/afl-fuzz-one.c
View File

@ -3714,7 +3714,7 @@ pacemaker_fuzzing:
case 1:
if (temp_len < 2) break;
temp_len_puppet = UR((temp_len << 3) -1);
temp_len_puppet = UR((temp_len << 3) - 1);
FLIP_BIT(out_buf, temp_len_puppet);
FLIP_BIT(out_buf, temp_len_puppet + 1);
MOpt_globals.cycles_v2[STAGE_FLIP2] += 1;
@ -3722,7 +3722,7 @@ pacemaker_fuzzing:
case 2:
if (temp_len < 2) break;
temp_len_puppet = UR((temp_len << 3) -3);
temp_len_puppet = UR((temp_len << 3) - 3);
FLIP_BIT(out_buf, temp_len_puppet);
FLIP_BIT(out_buf, temp_len_puppet + 1);
FLIP_BIT(out_buf, temp_len_puppet + 2);

8
src/afl-fuzz-redqueen.c
View File

@ -243,7 +243,7 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
if (SHAPE_BYTES(h->shape) == 8) {
if (its_len >= 8 && *buf_64 == pattern) {// && *o_buf_64 == pattern) {
if (its_len >= 8 && *buf_64 == pattern) { // && *o_buf_64 == pattern) {
*buf_64 = repl;
if (unlikely(its_fuzz(buf, len, status))) return 1;
@ -261,7 +261,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
if (SHAPE_BYTES(h->shape) == 4 || *status == 2) {
if (its_len >= 4 && *buf_32 == (u32)pattern) {// && *o_buf_32 == (u32)pattern) {
if (its_len >= 4 &&
*buf_32 == (u32)pattern) { // && *o_buf_32 == (u32)pattern) {
*buf_32 = (u32)repl;
if (unlikely(its_fuzz(buf, len, status))) return 1;
@ -279,7 +280,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
if (SHAPE_BYTES(h->shape) == 2 || *status == 2) {
if (its_len >= 2 && *buf_16 == (u16)pattern) {// && *o_buf_16 == (u16)pattern) {
if (its_len >= 2 &&
*buf_16 == (u16)pattern) { // && *o_buf_16 == (u16)pattern) {
*buf_16 = (u16)repl;
if (unlikely(its_fuzz(buf, len, status))) return 1;

6
src/afl-fuzz.c
View File

@ -112,7 +112,7 @@ static void usage(u8* argv0) {
"entering the\n"
" pacemaker mode (minutes of no new paths, 0 = "
"immediately).\n"
" a recommended value is 10-60. see docs/README.MOpt\n"
" a recommended value is 10-60. see docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for "
"it.\n"
" if using QEMU, just use -c 0.\n\n"
@ -121,7 +121,7 @@ static void usage(u8* argv0) {
" -N - do not unlink the fuzzing input file\n"
" -d - quick & dirty mode (skips deterministic steps)\n"
" -n - fuzz without instrumentation (dumb mode)\n"
" -x dir - optional fuzzer dictionary (see README, its really "
" -x dir - optional fuzzer dictionary (see README.md, its really "
"good!)\n\n"
"Testing settings:\n"
@ -1087,7 +1087,7 @@ stop_fuzzing:
SAYF("\n" cYEL "[!] " cRST
"Stopped during the first cycle, results may be incomplete.\n"
" (For info on resuming, see %s/README)\n",
" (For info on resuming, see %s/README.md)\n",
doc_path);
}

2
src/afl-showmap.c
View File

@ -647,7 +647,7 @@ static void usage(u8* argv0) {
" -c - allow core dumps\n\n"
"This tool displays raw tuple data captured by AFL instrumentation.\n"
"For additional help, consult %s/README.\n\n" cRST,
"For additional help, consult %s/README.md.\n\n" cRST,
argv0, MEM_LIMIT, doc_path);

13
src/afl-tmin.c
View File

@ -977,9 +977,18 @@ static void usage(u8* argv0) {
" -e - solve for edge coverage only, ignore hit counts\n"
" -x - treat non-zero exit codes as crashes\n\n"
"For additional tips, please consult %s/README.\n\n",
"For additional tips, please consult %s/README.md.\n\n"
argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
"Environment variables used:\n"
"TMPDIR: directory to use for temporary input files\n"
"ASAN_OPTIONS: custom settings for ASAN\n"
" (must contain abort_on_error=1 and symbolize=0)\n"
"MSAN_OPTIONS: custom settings for MSAN\n"
" (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
"AFL_PRELOAD: LD_PRELOAD settings for target\n"
"AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n"
, argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
exit(1);

2
test/test.sh
View File

@ -120,7 +120,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
}
rm -f test-instr.plain.0 test-instr.plain.1
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && {
test "$TUPLES" -gt 3 -a "$TUPLES" -lt 8 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || {
$ECHO "$RED[!] ${AFL_GCC} produces weird instrumentation numbers: $TUPLES"