code format

van Hauser
2020-06-03 10:50:49 +02:00
parent 1c95e2e8e0
commit fc164e4709
13 changed files with 90 additions and 64 deletions


@ -6,12 +6,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
int main(int argc, char **argv) { int main(int argc, char **argv) {
if (LLVMFuzzerInitialize)
LLVMFuzzerInitialize(&argc, &argv); if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
// Do any other expensive one-time initialization here. // Do any other expensive one-time initialization here.
uint8_t dummy_input[1] = {0}; uint8_t dummy_input[1] = {0};
LLVMFuzzerTestOneInput(dummy_input, 1); LLVMFuzzerTestOneInput(dummy_input, 1);
return 0; return 0;
} }


@ -7,9 +7,9 @@
#define REGS_RSI 6 #define REGS_RSI 6
void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, void afl_persistent_hook(uint64_t *regs, uint64_t guest_base,
uint8_t* input_buf, uint32_t input_len) { uint8_t *input_buf, uint32_t input_len) {
memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); memcpy(g2h(regs[REGS_RDI]), input_buf, input_len);
regs[REGS_RSI] = input_len; regs[REGS_RSI] = input_len;
} }
@ -19,3 +19,4 @@ int afl_persistent_hook_init(void) {
return 1; return 1;
} }
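Review bot: afl_persistent_hook in the first hunk of this file copies input_len bytes into the guest buffer at regs[REGS_RDI] with no upper bound, so a test case larger than the target's buffer overruns guest memory. The sibling example in this commit caps the copy with `if (input_len > 1024) input_len = 1024;` before the memcpy, and the same cap, sized to the real target buffer, belongs here; because regs[REGS_RSI] is assigned from input_len afterwards the target still sees a consistent length. The body of afl_persistent_hook_init in the second hunk starts outside the hunk.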


@ -36,7 +36,7 @@ enum {
}; };
void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, void afl_persistent_hook(uint64_t *regs, uint64_t guest_base,
uint8_t* input_buf, uint32_t input_len) { uint8_t *input_buf, uint32_t input_len) {
// In this example the register RDI is pointing to the memory location // In this example the register RDI is pointing to the memory location
// of the target buffer, and the length of the input is in RSI. // of the target buffer, and the length of the input is in RSI.
@ -44,16 +44,17 @@ void afl_persistent_hook(uint64_t *regs, uint64_t guest_base,
printf("placing input into %p\n", regs[R_EDI]); printf("placing input into %p\n", regs[R_EDI]);
if (input_len > 1024) if (input_len > 1024) input_len = 1024;
input_len = 1024; memcpy(g2h(regs[R_EDI]), input_buf, input_len);
memcpy(g2h(regs[R_EDI]), input_buf, input_len);
regs[R_ESI] = input_len; regs[R_ESI] = input_len;
} }
int afl_persistent_hook_init(void) { int afl_persistent_hook_init(void) {
// 1 for shared memory input (faster), 0 for normal input (you have to use read(), input_buf will be NULL) // 1 for shared memory input (faster), 0 for normal input (you have to use
// read(), input_buf will be NULL)
return 1; return 1;
} }
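Review bot: `printf("placing input into %p\n", regs[R_EDI]);` passes a uint64_t where `%p` expects a `void *`, which is a format/argument mismatch (undefined behaviour, and what -Wformat reports); print it as an integer, `printf("placing input into 0x%" PRIx64 "\n", regs[R_EDI]);` (needs <inttypes.h>), or cast through `(void *)(uintptr_t)`. The 1024 cap on the next line is the only thing keeping the memcpy inside the target's buffer, so it deserves a comment such as `// must match the size of the target's input buffer`. afl_persistent_hook's signature is in the first hunk but the 1024 constant is otherwise unexplained in what is visible here.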


@ -63,9 +63,8 @@
#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #define INC_AFL_AREA(loc) afl_area_ptr[loc]++
#endif #endif
typedef void (*afl_persistent_hook_fn)(uint64_t *regs, typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base,
uint64_t guest_base, uint8_t *input_buf,
uint8_t* input_buf,
uint32_t input_buf_len); uint32_t input_buf_len);
/* Declared in afl-qemu-cpu-inl.h */ /* Declared in afl-qemu-cpu-inl.h */
@ -86,7 +85,7 @@ extern int persisent_retaddr_offset;
extern u8 *shared_buf; extern u8 *shared_buf;
extern u32 shared_buf_len; extern u32 shared_buf_len;
extern u8 sharedmem_fuzzing; extern u8 sharedmem_fuzzing;
extern afl_persistent_hook_fn afl_persistent_hook_ptr; extern afl_persistent_hook_fn afl_persistent_hook_ptr;


@ -85,7 +85,7 @@ int persisent_retaddr_offset;
u8 *shared_buf; u8 *shared_buf;
u32 shared_buf_len; u32 shared_buf_len;
u8 sharedmem_fuzzing; u8 sharedmem_fuzzing;
afl_persistent_hook_fn afl_persistent_hook_ptr; afl_persistent_hook_fn afl_persistent_hook_ptr;
@ -163,7 +163,8 @@ static void afl_map_shm_fuzz(void) {
} else { } else {
fprintf(stderr, "[AFL] ERROR: variable for fuzzing shared memory is not set\n"); fprintf(stderr,
"[AFL] ERROR: variable for fuzzing shared memory is not set\n");
exit(1); exit(1);
} }
@ -282,9 +283,9 @@ void afl_setup(void) {
exit(1); exit(1);
} }
int (*afl_persistent_hook_init_ptr)(void) = dlsym(plib, int (*afl_persistent_hook_init_ptr)(void) =
"afl_persistent_hook_init"); dlsym(plib, "afl_persistent_hook_init");
if (afl_persistent_hook_init_ptr) if (afl_persistent_hook_init_ptr)
sharedmem_fuzzing = afl_persistent_hook_init_ptr(); sharedmem_fuzzing = afl_persistent_hook_init_ptr();
@ -302,7 +303,7 @@ void afl_setup(void) {
#endif #endif
} }
if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"))
persisent_retaddr_offset = persisent_retaddr_offset =
strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0); strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0);
@ -318,7 +319,7 @@ void afl_setup(void) {
void afl_forkserver(CPUState *cpu) { void afl_forkserver(CPUState *cpu) {
//u32 map_size = 0; // u32 map_size = 0;
unsigned char tmp[4] = {0}; unsigned char tmp[4] = {0};
if (forkserver_installed == 1) return; if (forkserver_installed == 1) return;
@ -331,8 +332,8 @@ void afl_forkserver(CPUState *cpu) {
pid_t child_pid; pid_t child_pid;
int t_fd[2]; int t_fd[2];
u8 child_stopped = 0; u8 child_stopped = 0;
u32 was_killed; u32 was_killed;
int status; int status;
// with the max ID value // with the max ID value
if (MAP_SIZE <= FS_OPT_MAX_MAPSIZE) if (MAP_SIZE <= FS_OPT_MAX_MAPSIZE)
@ -349,7 +350,7 @@ void afl_forkserver(CPUState *cpu) {
afl_forksrv_pid = getpid(); afl_forksrv_pid = getpid();
int first_run = 1; int first_run = 1;
if (sharedmem_fuzzing) { if (sharedmem_fuzzing) {
if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);
@ -358,11 +359,12 @@ void afl_forkserver(CPUState *cpu) {
(FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ))
afl_map_shm_fuzz(); afl_map_shm_fuzz();
else { else {
fprintf(stderr, "[AFL] ERROR: afl-fuzz is old and does not support" fprintf(stderr,
" shmem input"); "[AFL] ERROR: afl-fuzz is old and does not support"
" shmem input");
exit(1); exit(1);
} }
} }
@ -374,7 +376,7 @@ void afl_forkserver(CPUState *cpu) {
/* Whoops, parent dead? */ /* Whoops, parent dead? */
if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);
shared_buf_len = (was_killed >> 8); shared_buf_len = (was_killed >> 8);
was_killed = (was_killed & 0xff); was_killed = (was_killed & 0xff);
@ -459,7 +461,6 @@ void afl_forkserver(CPUState *cpu) {
} }
/* A simplified persistent mode handler, used as explained in /* A simplified persistent mode handler, used as explained in
* llvm_mode/README.md. */ * llvm_mode/README.md. */
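Review bot: In the `@ -302,7 +303,7` hunk, `strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0)` is stored straight into persisent_retaddr_offset, which the first hunk header shows is an `int`, so a non-numeric value silently becomes 0 and an out-of-range value is truncated with no diagnostic. Parse into a `long long` with an end pointer and `errno` cleared beforehand, reject `end == s || *end != '\0' || errno == ERANGE` or a value outside INT_MIN..INT_MAX with an error message and exit, and only then assign. The surrounding afl_setup body starts and ends outside the hunk.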


@ -253,7 +253,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
"binaries that are\n" "binaries that are\n"
" instrumented at compile time with afl-gcc. It is also possible to " " instrumented at compile time with afl-gcc. It is also possible to "
"use it as a\n" "use it as a\n"
" traditional non-instrumented fuzzer by specifying '-n' in the command " " traditional non-instrumented fuzzer by specifying '-n' in the "
"command "
"line.\n"); "line.\n");
FATAL("Failed to locate 'afl-qemu-trace'."); FATAL("Failed to locate 'afl-qemu-trace'.");
@ -353,7 +354,8 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
"binaries that are\n" "binaries that are\n"
" instrumented at compile time with afl-gcc. It is also possible to " " instrumented at compile time with afl-gcc. It is also possible to "
"use it as a\n" "use it as a\n"
" traditional non-instrumented fuzzer by specifying '-n' in the command " " traditional non-instrumented fuzzer by specifying '-n' in the "
"command "
"line.\n", "line.\n",
ncp); ncp);


@ -524,7 +524,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} else { } else {
FATAL("Target requested sharedmem fuzzing, but we failed to enable it."); FATAL(
"Target requested sharedmem fuzzing, but we failed to enable "
"it.");
} }


@ -1859,7 +1859,11 @@ void fix_up_sync(afl_state_t *afl) {
u8 *x = afl->sync_id; u8 *x = afl->sync_id;
if (afl->non_instrumented_mode) { FATAL("-S / -M and -n are mutually exclusive"); } if (afl->non_instrumented_mode) {
FATAL("-S / -M and -n are mutually exclusive");
}
while (*x) { while (*x) {
@ -2126,7 +2130,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
#endif /* ^!__APPLE__ */ #endif /* ^!__APPLE__ */
if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->non_instrumented_mode && if (!afl->fsrv.qemu_mode && !afl->unicorn_mode &&
!afl->non_instrumented_mode &&
!memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST SAYF("\n" cLRD "[-] " cRST


@ -512,7 +512,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
* TRIMMING * * TRIMMING *
************/ ************/
if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && !afl->disable_trim) { if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done &&
!afl->disable_trim) {
u8 res = trim_case(afl, afl->queue_cur, in_buf); u8 res = trim_case(afl, afl->queue_cur, in_buf);
@ -579,8 +580,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
/* Skip deterministic fuzzing if exec path checksum puts this out of scope /* Skip deterministic fuzzing if exec path checksum puts this out of scope
for this main instance. */ for this main instance. */
if (afl->main_node_max && if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) !=
(afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { afl->main_node_id - 1) {
goto custom_mutator_stage; goto custom_mutator_stage;
@ -2732,8 +2733,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
/* Skip deterministic fuzzing if exec path checksum puts this out of scope /* Skip deterministic fuzzing if exec path checksum puts this out of scope
for this main instance. */ for this main instance. */
if (afl->main_node_max && if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) !=
(afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { afl->main_node_id - 1) {
goto havoc_stage; goto havoc_stage;
@ -2975,8 +2976,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
u32 cksum; u32 cksum;
/* If in non-instrumented mode or if the file is very short, just flag everything /* If in non-instrumented mode or if the file is very short, just flag
without wasting time on checksums. */ everything without wasting time on checksums. */
if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) {


@ -562,10 +562,11 @@ void sync_fuzzers(afl_state_t *afl) {
closedir(sd); closedir(sd);
// If we are a secondary and no main was found to sync then become the main // If we are a secondary and no main was found to sync then become the main
if (unlikely(synced == 0) && likely(entries) && likely(afl->is_secondary_node)) { if (unlikely(synced == 0) && likely(entries) &&
likely(afl->is_secondary_node)) {
// there is a small race condition here that another secondary runs at the same // there is a small race condition here that another secondary runs at the
// time. If so, the first temporary main node running again will demote // same time. If so, the first temporary main node running again will demote
// themselves so this is not an issue // themselves so this is not an issue
u8 path[PATH_MAX]; u8 path[PATH_MAX];


@ -126,8 +126,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
t_bytes, afl->var_byte_count, afl->use_banner, t_bytes, afl->var_byte_count, afl->use_banner,
afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "",
afl->non_instrumented_mode ? " non_instrumented " : "", afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
afl->crash_mode ? "crash " : "",
afl->persistent_mode ? "persistent " : "", afl->persistent_mode ? "persistent " : "",
afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "", afl->deferred_mode ? "deferred " : "",
@ -526,8 +525,9 @@ void show_stats(afl_state_t *afl) {
t_byte_ratio); t_byte_ratio);
SAYF(" map density : %s%-21s" bSTG bV "\n", SAYF(" map density : %s%-21s" bSTG bV "\n",
t_byte_ratio > 70 ? cLRD t_byte_ratio > 70
: ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), ? cLRD
: ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST),
tmp); tmp);
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths),
@ -1022,7 +1022,8 @@ void show_init_stats(afl_state_t *afl) {
} }
/* In non-instrumented mode, re-running every timing out test case with a generous time /* In non-instrumented mode, re-running every timing out test case with a
generous time
limit is very expensive, so let's select a more conservative default. */ limit is very expensive, so let's select a more conservative default. */
if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) { if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) {


@ -379,9 +379,11 @@ int main(int argc, char **argv_orig, char **envp) {
*c = 0; *c = 0;
if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != 2 || if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) !=
2 ||
!afl->main_node_id || !afl->main_node_max || !afl->main_node_id || !afl->main_node_max ||
afl->main_node_id > afl->main_node_max || afl->main_node_max > 1000000) { afl->main_node_id > afl->main_node_max ||
afl->main_node_max > 1000000) {
FATAL("Bogus main node ID passed to -M"); FATAL("Bogus main node ID passed to -M");
@ -533,7 +535,12 @@ int main(int argc, char **argv_orig, char **envp) {
case 'n': /* dumb mode */ case 'n': /* dumb mode */
if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); } if (afl->non_instrumented_mode) {
FATAL("Multiple -n options not supported");
}
if (afl->afl_env.afl_dumb_forksrv) { if (afl->afl_env.afl_dumb_forksrv) {
afl->non_instrumented_mode = 2; afl->non_instrumented_mode = 2;
@ -793,10 +800,12 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL");
OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { if (afl->sync_id && afl->is_main_node &&
afl->afl_env.afl_custom_mutator_only) {
WARNF( WARNF(
"Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options "
"will "
"result in no deterministic mutations being done!"); "result in no deterministic mutations being done!");
} }


@ -96,7 +96,8 @@ void afl_shm_deinit(sharedmem_t *shm) {
Returns a pointer to shm->map for ease of use. Returns a pointer to shm->map for ease of use.
*/ */
u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) { u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
unsigned char non_instrumented_mode) {
shm->map_size = map_size; shm->map_size = map_size;
@ -137,10 +138,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument
} }
/* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, /* If somebody is asking us to fuzz instrumented binaries in non-instrumented
we don't want them to detect instrumentation, since we won't be sending mode, we don't want them to detect instrumentation, since we won't be
fork server commands. This should be replaced with better auto-detection sending fork server commands. This should be replaced with better
later on, perhaps? */ auto-detection later on, perhaps? */
if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1);
@ -164,10 +165,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument
shm_str = alloc_printf("%d", shm->shm_id); shm_str = alloc_printf("%d", shm->shm_id);
/* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, /* If somebody is asking us to fuzz instrumented binaries in non-instrumented
we don't want them to detect instrumentation, since we won't be sending mode, we don't want them to detect instrumentation, since we won't be
fork server commands. This should be replaced with better auto-detection sending fork server commands. This should be replaced with better
later on, perhaps? */ auto-detection later on, perhaps? */
if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); }