From e4f7a4738e0fbeb2877bef8e3dd3faf5ce3a1912 Mon Sep 17 00:00:00 2001
From: Martin Nyhus
Date: Tue, 11 Feb 2025 11:40:00 +0100
Subject: [PATCH 1/3] afl-fuzz: fix -a option

This fixes the option string so -a will be parsed with an argument again, unbreaking the option. The result of the missing : was that optarg would always be NULL and we would abort in stricmp. Introduced in 1c9925c7d7
---
 src/afl-fuzz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index e52e635c..f92ec178 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -615,7 +615,7 @@ int main(int argc, char **argv_orig, char **envp) {
 // still available: HjJkKqruvwz
 while (
 (opt = getopt(argc, argv,
- "+aw:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:"
+ "+a:w:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:"
 "T:uUV:WXx:YzZ")) > 0) {
 switch (opt) {

From feed691dc0d033e04ac477d591a4cc390aeda9da Mon Sep 17 00:00:00 2001
From: etanner1
Date: Thu, 13 Feb 2025 16:23:22 -0500
Subject: [PATCH 2/3] Addressed frida-mode exec-speed regression on ARM64 for #2298

Co-authored-by: WorksButNotTested <@WorksButNotTested>
---
 frida_mode/src/persistent/persistent_arm64.c | 37 ++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index cfd00b17..b6809a9e 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -295,6 +295,8 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
 * CALL instrument_afl_persistent_loop
 * CALL hook (optionally)
 * RESTORE REGS
+ * CALL INSTRUMENTED PERSISTENT FUNC
+ * JMP loop
 * INSTRUMENTED PERSISTENT FUNC
 */
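Review bot: In the afl-fuzz.c hunk of PATCH 1/3 the `+` line restores the `:` after `a`, but nothing at the getopt call records the invariant that broke here: every letter whose `case` reads `optarg` needs a trailing `:` in this string, otherwise `optarg` is NULL and the `stricmp` in that case dereferences it, as the commit message describes. A one-line comment above `while (` such as `// letters whose case reads optarg MUST carry a ':' here, else optarg is NULL` would make the next edit of this string safer. The `-a` case body itself lies outside the hunk, and `main` continues past it, so the optarg handling there could not be checked from this patch.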
@@ -302,15 +304,25 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
 FVERBOSE("Persistent loop reached");
+ /* This is the location our epilogue should be written below */
 if (persistent_ret == 0) { instrument_persitent_save_lr(cw); }
 /* Save the current context */
 instrument_persitent_save_regs(cw, &saved_regs);
- /* Store a pointer to where we should return for our next iteration */
+ /*
+ * Store a pointer to where we should return for our next iteration.
+ * This is the location our epilogue should branch to
+ */
 persistent_loop = gum_arm64_writer_cur(cw);
- /* call __afl_persistent_loop and _exit if zero. Also reset our previous_pc */
+ gconstpointer loop = cw->code + 1;
+ gum_arm64_writer_put_label(cw, loop);
+
+ /*
+ * call __afl_persistent_loop which will _exit if we have reached our
+ * loop count. Also reset our previous_pc
+ */
 instrument_afl_persistent_loop(cw);
 /* Optionally call the persistent hook */
@@ -319,6 +331,27 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
 /* Restore our CPU context before we continue execution */
 instrument_persitent_restore_regs(cw, &saved_regs);
+ gconstpointer original = cw->code + 1;
+
+ /*
+ * Call our original code, that way we regain control if our target
+ * function returns without reaching the epilogue as an additional
+ * safety net
+ */
+ gum_arm64_writer_put_bl_label(cw, original);
+
+ /*
+ * Return for our next iteration if our original function returns
+ * and control hasn't reached the epilogue for some reason
+ */
+ gum_arm64_writer_put_b_label(cw, loop);
+
+ /*
+ * The original code for our target function will be emitted
+ * immediately following this
+ */
+ gum_arm64_writer_put_label(cw, original);
+
 if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); }
 }

From bbdcfb0e8e1a125eaa1c27c1122dd44111c32b06 Mon Sep 17 00:00:00 2001
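Review bot: In the `@@ -302,15` hunk, `gconstpointer loop = cw->code + 1;` uses the writer's output cursor as a label id, and nothing says that the value is only an identity token for `gum_arm64_writer_put_label`/`put_b_label` rather than a code address — the `+ 1` in particular reads as if a one-instruction offset were intended. A comment beside the declaration, e.g. `/* label ids only need to be unique; the write cursor is used as a cheap token */`, would settle that; if any other label id in this writer is derived the same way the ids could collide, which cannot be ruled out from the hunk. The label is placed at the same position as `persistent_loop = gum_arm64_writer_cur(cw)`, so the epilogue's branch target and the in-trampoline `B loop` presumably coincide, which looks intended. persistent_prologue_arch begins before this hunk and continues past it.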
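Review bot: In the `@@ -319,6` hunk, `gum_arm64_writer_put_bl_label(cw, original)` is emitted directly after `instrument_persitent_restore_regs`, so the BL overwrites the x30 just restored from `saved_regs` with the address of the following `B loop`; the target therefore returns into the trampoline rather than to whatever x30 held at entry, and that is what makes the safety net work, but the comment above the BL does not say so. A sentence such as `The BL clobbers x30 right after the restore: the target's return lands on the B loop below, not on its original return address` would make the ordering constraint explicit to anyone reordering these emits. On this fall-back path control re-enters at `loop` without passing through the epilogue; if the epilogue does more than branch back to `persistent_loop` (it is not visible here), those steps are skipped on that path. `loop` is declared in the preceding hunk, and the function appears to close at the final `}` of this hunk.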
From: vanhauser-thc
Date: Fri, 14 Feb 2025 10:25:44 +0100
Subject: [PATCH 3/3] not

---
 src/afl-fuzz.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index f92ec178..30d471c1 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -612,11 +612,11 @@ int main(int argc, char **argv_orig, char **envp) {
 afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing
- // still available: HjJkKqruvwz
+ // still available: HjJkKqrv
 while (
 (opt = getopt(argc, argv,
- "+a:w:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:"
- "T:uUV:WXx:YzZ")) > 0) {
+ "+a:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:T:"
+ "uUV:w:WXx:YzZ")) > 0) {
 switch (opt) {
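Review bot: The new `// still available: HjJkKqrv` line omits lowercase `y`, which does not occur anywhere in the option string below (only uppercase `Y` does, in `YzZ`), so unless `y` is deliberately reserved the comment should read `// still available: HjJkKqrvy`. The rest of the list does match the string: `H`, `J`, `K`, `j`, `k`, `q`, `r` and `v` are the only other letters absent from it. Since this comment is the only record of which letters are free, keeping it exact is what prevents the next option from silently colliding. `main` continues outside the hunk.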