diff --git a/include/asanfuzz.h b/include/asanfuzz.h index a2423e49..693a12b3 100644 --- a/include/asanfuzz.h +++ b/include/asanfuzz.h @@ -7,9 +7,9 @@ Forkserver design by Jann Horn Now maintained by Marc Heuse , - Heiko Eißfeldt , + Dominik Maier , Andrea Fioraldi , - Dominik Maier + Heiko Eissfeldt Copyright 2016, 2017 Google Inc. All rights reserved. Copyright 2019-2023 AFLplusplus Project. All rights reserved. @@ -36,9 +36,13 @@ #define NON_COV_INCREASE_BUG (1 << 5) enum SanitizerAbstraction { - SIMPLIFY_TRACE = 0, // Feed all unique trace to sanitizers, the most sensitive + + SIMPLIFY_TRACE = 0, // Feed all unique trace to sanitizers, the + // most sensitive UNIQUE_TRACE, - COVERAGE_INCREASE // Feed all coverage increasing cases to sanitizers, the least sensitive + COVERAGE_INCREASE // Feed all coverage increasing cases to sanitizers, the + // least sensitive + }; /* Execs the child */ diff --git a/include/common.h b/include/common.h index 79f4a8b8..7c665c9d 100644 --- a/include/common.h +++ b/include/common.h @@ -76,8 +76,9 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname); int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal); /* Configure the signals that are used to kill the forkserver - and the forked children. If `afl_kill_signal_env` or `afl_fsrv_kill_signal_env` - is NULL, the appropriate values are read from the environment. */ + and the forked children. If `afl_kill_signal_env` or + `afl_fsrv_kill_signal_env` is NULL, the appropriate values are read from the + environment. */ void configure_afl_kill_signals(afl_forkserver_t *fsrv, char *afl_kill_signal_env, char *afl_fsrv_kill_signal_env, diff --git a/include/config.h b/include/config.h index 88ba84d2..b171519f 100644 --- a/include/config.h +++ b/include/config.h @@ -97,7 +97,7 @@ /* Maximum allowed fails per CMP value. Default: 96 */ #define CMPLOG_FAIL_MAX 96 -/* +/* * Effective fuzzing with selective feeding inputs */ diff --git a/include/coverage-64.h b/include/coverage-64.h index 6f658460..5d2f6a57 100644 --- a/include/coverage-64.h +++ b/include/coverage-64.h @@ -74,7 +74,7 @@ inline void classify_counts(afl_forkserver_t *fsrv) { inline static void classify_counts_mem(u64 *mem, u32 size) { - u32 i = (size >> 3); + u32 i = (size >> 3); while (i--) { diff --git a/include/envs.h b/include/envs.h index 3ef78f05..7913e6b9 100644 --- a/include/envs.h +++ b/include/envs.h @@ -118,8 +118,7 @@ static char *afl_environment_variables[] = { "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", - "AFL_SAN_ABSTRACTION", "AFL_SAN_NO_INST", "AFL_SAN_RECOVER", NULL -}; + "AFL_SAN_ABSTRACTION", "AFL_SAN_NO_INST", "AFL_SAN_RECOVER", NULL}; extern char *afl_environment_variables[]; diff --git a/include/forkserver.h b/include/forkserver.h index 7b915c18..caea1848 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -159,7 +159,8 @@ typedef struct afl_forkserver { bool debug; /* debug mode? */ - u8 san_but_not_instrumented; /* Is it sanitizer enabled but not instrumented? */ + u8 san_but_not_instrumented; /* Is it sanitizer enabled but not instrumented? + */ bool uses_crash_exitcode; /* Custom crash exitcode specified? */ u8 crash_exitcode; /* The crash exitcode specified */ diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 7f355b68..74795279 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -326,15 +326,18 @@ class ModuleSanitizerCoverageLTOLegacyPass : public ModulePass { .getPostDomTree(); }; - + if (!getenv("AFL_SAN_NO_INST")) { + return ModuleSancov.instrumentModule(M, DTCallback, PDTCallback); + } else { - if (getenv("AFL_DEBUG")) { - DEBUGF("Instrument disabled\n"); - } + + if (getenv("AFL_DEBUG")) { DEBUGF("Instrument disabled\n"); } return false; + } + } private: @@ -387,12 +390,14 @@ PreservedAnalyses ModuleSanitizerCoverageLTO::run(Module &M, }; if (!getenv("AFL_SAN_NO_INST")) { + if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback)) return PreservedAnalyses::none(); + } else { - if (debug) { - DEBUGF("Instrument disabled\n"); - } + + if (debug) { DEBUGF("Instrument disabled\n"); } + } return PreservedAnalyses::all(); diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 439d3626..a1d89071 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -262,15 +262,19 @@ PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M, }; // TODO: Support LTO or llvm classic? - // Note we still need afl-compiler-rt so we just disable the instrumentation here. + // Note we still need afl-compiler-rt so we just disable the instrumentation + // here. if (!getenv("AFL_SAN_NO_INST")) { + if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback)) return PreservedAnalyses::none(); + } else { - if (getenv("AFL_DEBUG")) { - DEBUGF("Instrument disabled\n"); - } + + if (getenv("AFL_DEBUG")) { DEBUGF("Instrument disabled\n"); } + } + return PreservedAnalyses::all(); } diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 4823f2d1..91a62d36 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -225,18 +225,20 @@ bool AFLCoverage::runOnModule(Module &M) { #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ if (getenv("AFL_SAN_NO_INST")) { - if (debug) { - fprintf(stderr, "Instrument disabled\n"); - } + + if (debug) { fprintf(stderr, "Instrument disabled\n"); } return PreservedAnalyses::all(); + } + #else if (getenv("AFL_SAN_NO_INST")) { - if (debug) { - fprintf(stderr, "Instrument disabled\n"); - } + + if (debug) { fprintf(stderr, "Instrument disabled\n"); } return true; + } + #endif if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index d46ab160..328f818d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1918,10 +1918,12 @@ fsrv_run_result_t __attribute__((hot)) afl_fsrv_run_target( must prevent any earlier operations from venturing into that territory. */ - /* If the binary is not instrumented, we don't care about the coverage. Make it a bit faster */ + /* If the binary is not instrumented, we don't care about the coverage. Make + * it a bit faster */ if (!fsrv->san_but_not_instrumented) { + #ifdef __linux__ - if (likely(!fsrv->nyx_mode)) { + if (likely(!fsrv->nyx_mode)) { memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); @@ -1932,6 +1934,7 @@ fsrv_run_result_t __attribute__((hot)) afl_fsrv_run_target( memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); #endif + } /* we have the fork server (or faux server) up and running diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 03475914..19cdf511 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -543,8 +543,8 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem, simplify_trace(afl, afl->san_fsrvs[0].trace_bits); // Note: Original SAND implementation used XXHASH32 - cksum_simplified = hash32(afl->san_fsrvs[0].trace_bits, - afl->fsrv.map_size, HASH_CONST); + cksum_simplified = + hash32(afl->san_fsrvs[0].trace_bits, afl->fsrv.map_size, HASH_CONST); if (unlikely(!bitmap_read(afl->simplified_n_fuzz, cksum_simplified))) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 1c0411ee..a89c256b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2328,16 +2328,20 @@ void setup_dirs_fds(afl_state_t *afl) { afl->fsrv.plot_file = fdopen(fd, "w"); if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); } - fprintf( - afl->fsrv.plot_file, - "# relative_time, cycles_done, cur_item, corpus_count, " - "pending_total, pending_favs, map_size, saved_crashes, " - "saved_hangs, max_depth, execs_per_sec, total_execs, edges_found, total_crashes, servers_count"); + fprintf(afl->fsrv.plot_file, + "# relative_time, cycles_done, cur_item, corpus_count, " + "pending_total, pending_favs, map_size, saved_crashes, " + "saved_hangs, max_depth, execs_per_sec, total_execs, edges_found, " + "total_crashes, servers_count"); if (afl->san_binary_length) { + for (u8 i = 0; i < afl->san_binary_length; i++) { + fprintf(afl->fsrv.plot_file, ", sand_fsrv%u_exec", i); + } + } fprintf(afl->fsrv.plot_file, "\n"); diff --git a/src/afl-fuzz-sanfuzz.c b/src/afl-fuzz-sanfuzz.c index d9a36ad8..3b25c57b 100644 --- a/src/afl-fuzz-sanfuzz.c +++ b/src/afl-fuzz-sanfuzz.c @@ -32,7 +32,8 @@ void sanfuzz_exec_child(afl_forkserver_t *fsrv, char **argv) { - if (!fsrv->qemu_mode && !fsrv->frida_mode && argv[0] != fsrv->asanfuzz_binary) { + if (!fsrv->qemu_mode && !fsrv->frida_mode && + argv[0] != fsrv->asanfuzz_binary) { argv[0] = fsrv->asanfuzz_binary; @@ -40,4 +41,5 @@ void sanfuzz_exec_child(afl_forkserver_t *fsrv, char **argv) { execv(fsrv->target_path, argv); -} \ No newline at end of file +} + diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2830ace2..a2718164 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2249,7 +2249,9 @@ int main(int argc, char **argv_orig, char **envp) { // so that we won't overwrite target_path. // Lazymio: why does cmplog fsrv even work?! for (u8 i = 0; i < afl->san_binary_length; i++) { + check_binary(afl, afl->san_binary[i]); + } check_binary(afl, argv[optind]); @@ -3611,11 +3613,10 @@ stop_fuzzing: ck_free(afl->san_fsrvs[i].trace_bits); afl_fsrv_deinit(&afl->san_fsrvs[i]); + } - if (afl->cmplog_binary) { - afl_fsrv_deinit(&afl->cmplog_fsrv); - } + if (afl->cmplog_binary) { afl_fsrv_deinit(&afl->cmplog_fsrv); } /* remove tmpfile */ if (!afl->in_place_resume && afl->fsrv.out_file) { diff --git a/src/afl-performance.c b/src/afl-performance.c index 2bb787e4..b824fd35 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -423,4 +423,5 @@ char *sha1_hex_for_file(const char *fname, u32 len) { ck_free(tmp); return hex; -} \ No newline at end of file +} +