ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 01:58:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

important InsTrim fixes!

Browse Source
This commit is contained in:
van Hauser
2020-02-24 02:45:17 +01:00
parent f240c5381a
commit f807d7cefb
7 changed files with 88 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/Changelog.md
View File

@ -17,6 +17,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- the memory safety checks are now disabled for a little more speed during
fuzzing (only affects creating queue entries), can be toggled in config.h
- afl-fuzz:
- MOpt out of bounds writing crash fixed
- now prints the real python version support compiled in
- set stronger performance compile options and little tweaks
- Android: prefer bigcores when selecting a CPU
@ -28,7 +29,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- bugfix for dictionary insert stage count (fix via Google repo PR)
- added warning if -M is used together with custom mutators with _ONLY option
- AFL_TMPDIR checks are now later and better explained if they fail
- llvm_mode InsTrim: no pointless instrumentation of 1 block functions
- llvm_mode
- InsTrim: three bug fixes:
1. (minor) no pointless instrumentation of 1 block functions
2. (medium) path bug that leads a few blocks not instrumented that
should be
3. (major) incorrect prev_loc was written, fixed!
- afl-clang-fast:
- show in the help output for which llvm version it was compiled for
- now does not need to be recompiled between trace-pc and pass

2
include/envs.h
View File

@ -59,7 +59,7 @@ const char *afl_environment_variables[] = {
"AFL_NO_CPU_RED",
"AFL_NO_FORKSRV",
"AFL_NO_UI",
"AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_PATH",
"AFL_PERFORMANCE_FILE",
"AFL_PERSISTENT",

97
llvm_mode/LLVMInsTrim.so.cc
View File

@ -382,19 +382,64 @@ struct InsTrim : public ModulePass {
}
auto *EBB = &F.getEntryBlock();
if (succ_begin(EBB) == succ_end(EBB)) {
MS.insert(EBB);
total_rs += 1;
}
// Bugfix #1: remove single block function instrumentation
for (BasicBlock &BB : F) {
if (MS.find(&BB) == MS.end()) { continue; }
IRBuilder<> IRB(&*BB.getFirstInsertionPt());
IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev);
if (MarkSetOpt && MS.find(&BB) == MS.end()) {
// Bugfix #2: instrument blocks that should be but InsTrim
// doesn't due to an algorithmic bug
int more_than_one = -1;
for (pred_iterator PI = pred_begin(&BB), E = pred_end(&BB); PI != E;
++PI) {
BasicBlock *Pred = *PI;
int count = 0;
if (more_than_one == -1) more_than_one = 0;
for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred);
SI != E; ++SI) {
BasicBlock *Succ = *SI;
if (Succ != NULL) count++;
}
if (count > 1) more_than_one = 1;
}
if (more_than_one != 1) continue;
for (succ_iterator SI = succ_begin(&BB), E = succ_end(&BB); SI != E;
++SI) {
BasicBlock *Succ = *SI;
if (Succ != NULL && MS.find(Succ) == MS.end()) {
int cnt = 0;
for (succ_iterator SI2 = succ_begin(Succ), E2 = succ_end(Succ);
SI2 != E2; ++SI2) {
BasicBlock *Succ2 = *SI2;
if (Succ2 != NULL) cnt++;
}
if (cnt == 0) {
// fprintf(stderr, "INSERT!\n");
MS.insert(Succ);
total_rs += 1;
}
}
}
}
}
@ -402,33 +447,24 @@ struct InsTrim : public ModulePass {
for (BasicBlock &BB : F) {
auto PI = pred_begin(&BB);
auto PE = pred_end(&BB);
if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; }
IRBuilder<> IRB(&*BB.getFirstInsertionPt());
Value * L = NULL;
if (PI == PE) {
L = ConstantInt::get(Int32Ty, genLabel());
auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
DenseMap<BasicBlock *, unsigned> PredMap;
for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
} else {
auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
DenseMap<BasicBlock *, unsigned> PredMap;
for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
BasicBlock *PBB = *PI;
auto It = PredMap.insert({PBB, genLabel()});
unsigned Label = It.first->second;
PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
}
L = PN;
BasicBlock *PBB = *PI;
auto It = PredMap.insert({PBB, genLabel()});
unsigned Label = It.first->second;
PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
}
L = PN;
/* Load prev_loc */
LoadInst *PrevLoc = IRB.CreateLoad(OldPrev);
PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
@ -475,6 +511,11 @@ struct InsTrim : public ModulePass {
IRB.CreateStore(Incr, MapPtrIdx)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
// Bugfix #3: save the actually location ID to OldPrev
Value *Shr = IRB.CreateLShr(L, One);
IRB.CreateStore(Shr, OldPrev)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
total_instr++;
}

2
llvm_mode/afl-llvm-rt.o.c
View File

@ -129,7 +129,7 @@ static void __afl_map_shm(void) {
__afl_area_ptr[0] = 1;
}
id_str = getenv(CMPLOG_SHM_ENV_VAR);
if (id_str) {

3
src/afl-as.c
View File

@ -530,7 +530,8 @@ int main(int argc, char** argv) {
"Rarely, when dealing with extremely complex projects, it may be "
"advisable\n"
"to set AFL_INST_RATIO to a value less than 100 in order to reduce the\n"
"to set AFL_INST_RATIO to a value less than 100 in order to reduce "
"the\n"
"odds of instrumenting every discovered branch.\n\n"
"Environment variables used:\n"
"AFL_AS: path to assembler to use for instrumented files\n"

4
src/afl-fuzz-one.c
View File

@ -3714,7 +3714,7 @@ pacemaker_fuzzing:
case 1:
if (temp_len < 2) break;
temp_len_puppet = UR((temp_len << 3) -1);
temp_len_puppet = UR((temp_len << 3) - 1);
FLIP_BIT(out_buf, temp_len_puppet);
FLIP_BIT(out_buf, temp_len_puppet + 1);
MOpt_globals.cycles_v2[STAGE_FLIP2] += 1;
@ -3722,7 +3722,7 @@ pacemaker_fuzzing:
case 2:
if (temp_len < 2) break;
temp_len_puppet = UR((temp_len << 3) -3);
temp_len_puppet = UR((temp_len << 3) - 3);
FLIP_BIT(out_buf, temp_len_puppet);
FLIP_BIT(out_buf, temp_len_puppet + 1);
FLIP_BIT(out_buf, temp_len_puppet + 2);

10
src/afl-fuzz-redqueen.c
View File

@ -243,7 +243,7 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
if (SHAPE_BYTES(h->shape) == 8) {
if (its_len >= 8 && *buf_64 == pattern) {// && *o_buf_64 == pattern) {
if (its_len >= 8 && *buf_64 == pattern) { // && *o_buf_64 == pattern) {
*buf_64 = repl;
if (unlikely(its_fuzz(buf, len, status))) return 1;
@ -261,7 +261,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
if (SHAPE_BYTES(h->shape) == 4 || *status == 2) {
if (its_len >= 4 && *buf_32 == (u32)pattern) {// && *o_buf_32 == (u32)pattern) {
if (its_len >= 4 &&
*buf_32 == (u32)pattern) { // && *o_buf_32 == (u32)pattern) {
*buf_32 = (u32)repl;
if (unlikely(its_fuzz(buf, len, status))) return 1;
@ -279,7 +280,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
if (SHAPE_BYTES(h->shape) == 2 || *status == 2) {
if (its_len >= 2 && *buf_16 == (u16)pattern) {// && *o_buf_16 == (u16)pattern) {
if (its_len >= 2 &&
*buf_16 == (u16)pattern) { // && *o_buf_16 == (u16)pattern) {
*buf_16 = (u16)repl;
if (unlikely(its_fuzz(buf, len, status))) return 1;
@ -531,7 +533,7 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
stage_max += MIN(cmp_map->headers[k].hits, CMP_MAP_RTN_H);
}
for (k = 0; k < CMP_MAP_W; ++k) {
if (!cmp_map->headers[k].hits) continue;