ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 08:41:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #663 from AFLplusplus/dev

Browse Source 
Fix Dockerfile
This commit is contained in:
van Hauser 2020-12-28 13:32:51 +01:00 committed by GitHub
commit e22db8d609
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 31 additions and 299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -56,7 +56,7 @@ WORKDIR /AFLplusplus
RUN export REAL_CXX=g++-10 && export CC=gcc-10 && \
export CXX=g++-10 && make clean && \
make distrib && make install && make clean
make distrib CFLAGS="-O3 -funroll-loops -D_FORTIFY_SOURCE=2" && make install && make clean
RUN echo 'alias joe="jupp --wordwrap"' >> ~/.bashrc
RUN echo 'export PS1="[afl++]$PS1"' >> ~/.bashrc

1
docs/Changelog.md
View File

@ -26,6 +26,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- LLVM mode is now compiled with -j4, unicorn with all cores. qemu was
already building with all cores, the gcc plugin needs only one.
- added dummy Makefile to instrumentation/
- Updated utils/afl_frida to be 5% faster
### Version ++3.00c (release)

4
src/afl-ld-lto.c
View File

@ -45,6 +45,10 @@
#include <dirent.h>
#ifdef __APPLE__
#include <sys/syslimits.h>
#endif
#define MAX_PARAM_COUNT 4096
static u8 **ld_params; /* Parameters passed to the real 'ld' */

2
utils/afl_frida/GNUmakefile
View File

@ -11,7 +11,7 @@ libfrida-gum.a:
@exit 1
afl-frida: afl-frida.c libfrida-gum.a
$(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread
$(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-compiler-rt.o libfrida-gum.a -ldl -lresolv -pthread
libtestinstr.so: libtestinstr.c
$(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c

313
utils/afl_frida/afl-frida.c
View File

@ -37,7 +37,10 @@
#include <sys/shm.h>
#include <dlfcn.h>
#ifndef __APPLE__
#ifdef __APPLE__
#include <mach/mach.h>
#include <mach-o/dyld_images.h>
#else
#include <sys/wait.h>
#include <sys/personality.h>
#endif
@ -61,55 +64,12 @@ static void *(*o_function)(uint8_t *, int);
#include "frida-gum.h"
G_BEGIN_DECLS
#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type())
G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM,
FAKE_EVENT_SINK, GObject)
struct _GumFakeEventSink {
GObject parent;
GumEventType mask;
};
GumEventSink *gum_fake_event_sink_new(void);
void gum_fake_event_sink_reset(GumFakeEventSink *self);
G_END_DECLS
static void gum_fake_event_sink_iface_init(gpointer g_iface,
gpointer iface_data);
static void gum_fake_event_sink_finalize(GObject *obj);
static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink);
static void gum_fake_event_sink_process(GumEventSink *sink, const GumEvent *ev);
void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output,
gpointer user_data);
void afl_setup(void);
void afl_start_forkserver(void);
int __afl_persistent_loop(unsigned int max_cnt);
static void gum_fake_event_sink_class_init(GumFakeEventSinkClass *klass) {
GObjectClass *object_class = G_OBJECT_CLASS(klass);
object_class->finalize = gum_fake_event_sink_finalize;
}
static void gum_fake_event_sink_iface_init(gpointer g_iface,
gpointer iface_data) {
GumEventSinkInterface *iface = (GumEventSinkInterface *)g_iface;
iface->query_mask = gum_fake_event_sink_query_mask;
iface->process = gum_fake_event_sink_process;
}
G_DEFINE_TYPE_EXTENDED(GumFakeEventSink, gum_fake_event_sink, G_TYPE_OBJECT, 0,
G_IMPLEMENT_INTERFACE(GUM_TYPE_EVENT_SINK,
gum_fake_event_sink_iface_init))
#include "../../config.h"
// Shared memory fuzzing.
@ -183,230 +143,6 @@ void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output,
}
static void gum_fake_event_sink_init(GumFakeEventSink *self) {
}
static void gum_fake_event_sink_finalize(GObject *obj) {
G_OBJECT_CLASS(gum_fake_event_sink_parent_class)->finalize(obj);
}
GumEventSink *gum_fake_event_sink_new(void) {
GumFakeEventSink *sink;
sink = (GumFakeEventSink *)g_object_new(GUM_TYPE_FAKE_EVENT_SINK, NULL);
return GUM_EVENT_SINK(sink);
}
void gum_fake_event_sink_reset(GumFakeEventSink *self) {
}
static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink) {
return 0;
}
typedef struct library_list {
uint8_t *name;
uint64_t addr_start, addr_end;
} library_list_t;
#define MAX_LIB_COUNT 256
static library_list_t liblist[MAX_LIB_COUNT];
static u32 liblist_cnt;
void read_library_information() {
#if defined(__linux__)
FILE *f;
u8 buf[1024], *b, *m, *e, *n;
if ((f = fopen("/proc/self/maps", "r")) == NULL) {
fprintf(stderr, "Error: cannot open /proc/self/maps\n");
exit(-1);
}
if (debug) fprintf(stderr, "Library list:\n");
while (fgets(buf, sizeof(buf), f)) {
if (strstr(buf, " r-x")) {
if (liblist_cnt >= MAX_LIB_COUNT) {
fprintf(
stderr,
"Warning: too many libraries to old, maximum count of %d reached\n",
liblist_cnt);
return;
}
b = buf;
m = index(buf, '-');
e = index(buf, ' ');
if ((n = rindex(buf, '/')) == NULL) n = rindex(buf, ' ');
if (n &&
((*n >= '0' && *n <= '9') || *n == '[' || *n == '{' || *n == '('))
n = NULL;
else
n++;
if (b && m && e && n && *n) {
*m++ = 0;
*e = 0;
if (n[strlen(n) - 1] == '\n') n[strlen(n) - 1] = 0;
if (rindex(n, '/') != NULL) {
n = rindex(n, '/');
n++;
}
liblist[liblist_cnt].name = strdup(n);
liblist[liblist_cnt].addr_start = strtoull(b, NULL, 16);
liblist[liblist_cnt].addr_end = strtoull(m, NULL, 16);
if (debug)
fprintf(
stderr, "%s:%llx (%llx-%llx)\n", liblist[liblist_cnt].name,
liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start,
liblist[liblist_cnt].addr_start,
liblist[liblist_cnt].addr_end - 1);
liblist_cnt++;
}
}
}
if (debug) fprintf(stderr, "\n");
#elif defined(__FreeBSD__)
int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, getpid()};
char * buf, *start, *end;
size_t miblen = sizeof(mib) / sizeof(mib[0]);
size_t len;
if (debug) fprintf(stderr, "Library list:\n");
if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) { return; }
len = len * 4 / 3;
buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
if (buf == MAP_FAILED) { return; }
if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {
munmap(buf, len);
return;
}
start = buf;
end = buf + len;
while (start < end) {
struct kinfo_vmentry *region = (struct kinfo_vmentry *)start;
size_t size = region->kve_structsize;
if (size == 0) { break; }
if ((region->kve_protection & KVME_PROT_READ) &&
!(region->kve_protection & KVME_PROT_EXEC)) {
liblist[liblist_cnt].name =
region->kve_path[0] != '\0' ? strdup(region->kve_path) : 0;
liblist[liblist_cnt].addr_start = region->kve_start;
liblist[liblist_cnt].addr_end = region->kve_end;
if (debug) {
fprintf(stderr, "%s:%x (%lx-%lx)\n", liblist[liblist_cnt].name,
liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start,
liblist[liblist_cnt].addr_start,
liblist[liblist_cnt].addr_end - 1);
}
liblist_cnt++;
}
start += size;
}
#endif
}
library_list_t *find_library(char *name) {
char *filename = rindex(name, '/');
if (filename)
filename++;
else
filename = name;
#if defined(__linux__)
u32 i;
for (i = 0; i < liblist_cnt; i++)
if (strcmp(liblist[i].name, filename) == 0) return &liblist[i];
#elif defined(__APPLE__) && defined(__LP64__)
kern_return_t err;
static library_list_t lib;
// get the list of all loaded modules from dyld
// the task_info mach API will get the address of the dyld all_image_info
// struct for the given task from which we can get the names and load
// addresses of all modules
task_dyld_info_data_t task_dyld_info;
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
err = task_info(mach_task_self(), TASK_DYLD_INFO,
(task_info_t)&task_dyld_info, &count);
const struct dyld_all_image_infos *all_image_infos =
(const struct dyld_all_image_infos *)task_dyld_info.all_image_info_addr;
const struct dyld_image_info *image_infos = all_image_infos->infoArray;
for (size_t i = 0; i < all_image_infos->infoArrayCount; i++) {
const char * image_name = image_infos[i].imageFilePath;
mach_vm_address_t image_load_address =
(mach_vm_address_t)image_infos[i].imageLoadAddress;
if (strstr(image_name, name)) {
lib.name = name;
lib.addr_start = (u64)image_load_address;
lib.addr_end = 0;
return &lib;
}
}
#endif
return NULL;
}
static void gum_fake_event_sink_process(GumEventSink * sink,
const GumEvent *ev) {
}
/* Because this CAN be called more than once, it will return the LAST range */
static int enumerate_ranges(const GumRangeDetails *details,
gpointer user_data) {
@ -445,16 +181,6 @@ int main() {
// END STEP 2
read_library_information();
library_list_t *lib = find_library(TARGET_LIBRARY);
if (lib == NULL) {
fprintf(stderr, "Could not find target library\n");
exit(-1);
}
gum_init_embedded();
if (!gum_stalker_is_supported()) {
@ -465,27 +191,29 @@ int main() {
GumStalker *stalker = gum_stalker_new();
/*
This does not work here as we load a shared library. pretty sure this
would also be easily solvable with frida gum, but I already have all the
code I need from afl-untracer
GumAddress base_address = gum_module_find_base_address(TARGET_LIBRARY);
GumAddress base_address = gum_module_find_base_address(TARGET_LIBRARY);
GumMemoryRange code_range;
gum_module_enumerate_ranges(TARGET_LIBRARY, GUM_PAGE_RX, enumerate_ranges,
&code_range);
guint64 code_start = code_range.base_address - base_address;
guint64 code_end = (code_range.base_address + code_range.size) - base_address;
range_t instr_range = {base_address, code_start, code_end};
*/
range_t instr_range = {0, lib->addr_start, lib->addr_end};
guint64 code_start = code_range.base_address;
guint64 code_end = code_range.base_address + code_range.size;
range_t instr_range = {0, code_start, code_end};
printf("Frida instrumentation: base=0x%lx instrumenting=0x%lx-%lx\n",
base_address, code_start, code_end);
if (!code_start || !code_end) {
fprintf(stderr, "Error: no valid memory address found for %s\n",
TARGET_LIBRARY);
exit(-1);
}
GumStalkerTransformer *transformer =
gum_stalker_transformer_make_from_callback(instr_basic_block,
&instr_range, NULL);
GumEventSink *event_sink = gum_fake_event_sink_new();
// to ensure that the signatures are not optimized out
memcpy(__afl_area_ptr, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT) + 1);
memcpy(__afl_area_ptr + 32, (void *)AFL_DEFER_FORKSVR,
@ -497,7 +225,7 @@ int main() {
// - put that here
//
gum_stalker_follow_me(stalker, transformer, event_sink);
gum_stalker_follow_me(stalker, transformer, NULL);
while (__afl_persistent_loop(UINT32_MAX) != 0) {
@ -533,7 +261,6 @@ int main() {
g_object_unref(stalker);
g_object_unref(transformer);
g_object_unref(event_sink);
gum_deinit_embedded();
return 0;

8
utils/aflpp_driver/aflpp_driver.c
View File

@ -26,10 +26,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
EOF
# Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang.
clang -g -fsanitize-coverage=trace-pc-guard test_fuzzer.cc -c
# Build afl-llvm-rt.o.c from the AFL distribution.
clang -c -w $AFL_HOME/instrumentation/afl-llvm-rt.o.c
# Build this file, link it with afl-llvm-rt.o.o and the target code.
clang++ afl_driver.cpp test_fuzzer.o afl-llvm-rt.o.o
# Build afl-compiler-rt.o.c from the AFL distribution.
clang -c -w $AFL_HOME/instrumentation/afl-compiler-rt.o.c
# Build this file, link it with afl-compiler-rt.o.o and the target code.
clang++ afl_driver.cpp test_fuzzer.o afl-compiler-rt.o.o
# Run AFL:
rm -rf IN OUT; mkdir IN OUT; echo z > IN/z;
$AFL_HOME/afl-fuzz -i IN -o OUT ./a.out