ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #689 from AFLplusplus/cmplog_merge

Browse Source 
cmplog merge
This commit is contained in:
van Hauser
2021-01-21 12:03:21 +01:00
committed by GitHub
parent b39b87b2f7 0d472adef0
commit fc3f06caec
26 changed files with 3081 additions and 548 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
GNUmakefile
View File

@ -428,8 +428,8 @@ src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86 afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)

25
include/afl-fuzz.h
View File

@ -141,12 +141,22 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
extern s32 extern s32
interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
struct tainted {
u32 pos;
u32 len;
struct tainted *next;
struct tainted *prev;
};
struct queue_entry { struct queue_entry {
u8 *fname; /* File name for the test case */ u8 *fname; /* File name for the test case */
u32 len; /* Input length */ u32 len; /* Input length */
u8 cal_failed; /* Calibration failed? */ u8 colorized, /* Do not run redqueen stage again */
cal_failed; /* Calibration failed? */
bool trim_done, /* Trimmed? */ bool trim_done, /* Trimmed? */
was_fuzzed, /* historical, but needed for MOpt */ was_fuzzed, /* historical, but needed for MOpt */
passed_det, /* Deterministic stages passed? */ passed_det, /* Deterministic stages passed? */
@ -154,7 +164,6 @@ struct queue_entry {
var_behavior, /* Variable behavior? */ var_behavior, /* Variable behavior? */
favored, /* Currently favored? */ favored, /* Currently favored? */
fs_redundant, /* Marked as redundant in the fs? */ fs_redundant, /* Marked as redundant in the fs? */
fully_colorized, /* Do not run redqueen stage again */
is_ascii, /* Is the input just ascii text? */ is_ascii, /* Is the input just ascii text? */
disabled; /* Is disabled from fuzz selection */ disabled; /* Is disabled from fuzz selection */
@ -179,7 +188,11 @@ struct queue_entry {
u8 *testcase_buf; /* The testcase buffer, if loaded. */ u8 *testcase_buf; /* The testcase buffer, if loaded. */
struct queue_entry *next; /* Next element, if any */ u8 * cmplog_colorinput; /* the result buf of colorization */
struct tainted *taint; /* Taint information from CmpLog */
struct queue_entry *mother, /* queue entry this based on */
*next; /* Next element, if any */
}; };
@ -632,6 +645,8 @@ typedef struct afl_state {
/* cmplog forkserver ids */ /* cmplog forkserver ids */
s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
u32 cmplog_prev_timed_out; u32 cmplog_prev_timed_out;
u32 cmplog_max_filesize;
u32 cmplog_lvl;
struct afl_pass_stat *pass_stats; struct afl_pass_stat *pass_stats;
struct cmp_map * orig_cmp_map; struct cmp_map * orig_cmp_map;
@ -1117,9 +1132,9 @@ void read_foreign_testcases(afl_state_t *, int);
u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
/* RedQueen */ /* RedQueen */
u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len);
u64 exec_cksum);
/* our RNG wrapper */
AFL_RAND_RETURN rand_next(afl_state_t *afl); AFL_RAND_RETURN rand_next(afl_state_t *afl);
/* probability between 0.0 and 1.0 */ /* probability between 0.0 and 1.0 */

23
include/cmplog.h
View File

@ -30,24 +30,25 @@
#include "config.h" #include "config.h"
#define CMPLOG_LVL_MAX 3
#define CMP_MAP_W 65536 #define CMP_MAP_W 65536
#define CMP_MAP_H 256 #define CMP_MAP_H 32
#define CMP_MAP_RTN_H (CMP_MAP_H / 4) #define CMP_MAP_RTN_H (CMP_MAP_H / 4)
#define SHAPE_BYTES(x) (x + 1) #define SHAPE_BYTES(x) (x + 1)
#define CMP_TYPE_INS 0 #define CMP_TYPE_INS 1
#define CMP_TYPE_RTN 1 #define CMP_TYPE_RTN 2
struct cmp_header { struct cmp_header {
unsigned hits : 20; unsigned hits : 24;
unsigned id : 24;
unsigned cnt : 20; unsigned shape : 5;
unsigned id : 16; unsigned type : 2;
unsigned attribute : 4;
unsigned shape : 5; // from 0 to 31 unsigned reserved : 5;
unsigned type : 1;
} __attribute__((packed)); } __attribute__((packed));
@ -55,6 +56,8 @@ struct cmp_operands {
u64 v0; u64 v0;
u64 v1; u64 v1;
u64 v0_128;
u64 v1_128;
}; };

2
include/config.h
View File

@ -23,8 +23,6 @@
#ifndef _HAVE_CONFIG_H #ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H #define _HAVE_CONFIG_H
#include "types.h"
/* Version string: */ /* Version string: */
// c = release, d = volatile github dev, e = experimental branch // c = release, d = volatile github dev, e = experimental branch

16
include/debug.h
View File

@ -295,8 +295,8 @@ static inline const char *colorfilter(const char *x) {
\ \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \ "\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%d\n\n", __func__, \ SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, __LINE__); \ __FILE__, (u32)__LINE__); \
exit(1); \ exit(1); \
\ \
} while (0) } while (0)
@ -308,8 +308,8 @@ static inline const char *colorfilter(const char *x) {
\ \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \ "\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n\n", __func__, \ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, __LINE__); \ __FILE__, (u32)__LINE__); \
abort(); \ abort(); \
\ \
} while (0) } while (0)
@ -322,8 +322,8 @@ static inline const char *colorfilter(const char *x) {
fflush(stdout); \ fflush(stdout); \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] SYSTEM ERROR : " cRST x); \ "\n[-] SYSTEM ERROR : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n", __func__, \ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \
__FILE__, __LINE__); \ __FILE__, (u32)__LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
exit(1); \ exit(1); \
\ \
@ -347,8 +347,8 @@ static inline const char *colorfilter(const char *x) {
#define DEBUGF(x...) \ #define DEBUGF(x...) \
do { \ do { \
\ \
SAYF(cMGN "[D] " cBRI "DEBUG: " cRST x); \ fprintf(stderr, cMGN "[D] " cBRI "DEBUG: " cRST x); \
SAYF(cRST ""); \ fprintf(stderr, cRST ""); \
\ \
} while (0) } while (0)

36
include/types.h
View File

@ -25,10 +25,15 @@
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
#include "config.h"
typedef uint8_t u8; typedef uint8_t u8;
typedef uint16_t u16; typedef uint16_t u16;
typedef uint32_t u32; typedef uint32_t u32;
#ifdef WORD_SIZE_64
typedef unsigned __int128 uint128_t;
typedef uint128_t u128;
#endif
/* Extended forkserver option values */ /* Extended forkserver option values */
@ -61,6 +66,10 @@ typedef int8_t s8;
typedef int16_t s16; typedef int16_t s16;
typedef int32_t s32; typedef int32_t s32;
typedef int64_t s64; typedef int64_t s64;
#ifdef WORD_SIZE_64
typedef __int128 int128_t;
typedef int128_t s128;
#endif
#ifndef MIN #ifndef MIN
#define MIN(a, b) \ #define MIN(a, b) \
@ -114,6 +123,33 @@ typedef int64_t s64;
\ \
}) })
// It is impossible to define 128 bit constants, so ...
#ifdef WORD_SIZE_64
#define SWAPN(_x, _l) \
({ \
\
u128 _res = (_x), _ret; \
char *d = (char *)&_ret, *s = (char *)&_res; \
int i; \
for (i = 0; i < 16; i++) \
d[15 - i] = s[i]; \
u32 sr = 128U - ((_l) << 3U); \
(_ret >>= sr); \
(u128) _ret; \
\
})
#endif
#define SWAPNN(_x, _y, _l) \
({ \
\
char *d = (char *)(_x), *s = (char *)(_y); \
u32 i, l = (_l)-1; \
for (i = 0; i <= l; i++) \
d[l - i] = s[i]; \
\
})
#ifdef AFL_LLVM_PASS #ifdef AFL_LLVM_PASS
#if defined(__linux__) || !defined(__ANDROID__) #if defined(__linux__) || !defined(__ANDROID__)
#define AFL_SR(s) (srandom(s)) #define AFL_SR(s) (srandom(s))

275
instrumentation/afl-compiler-rt.o.c
View File

@ -161,7 +161,7 @@ void send_forkserver_error(int error) {
u32 status; u32 status;
if (!error || error > 0xffff) return; if (!error || error > 0xffff) return;
status = (FS_OPT_ERROR | FS_OPT_SET_ERROR(error)); status = (FS_OPT_ERROR | FS_OPT_SET_ERROR(error));
if (write(FORKSRV_FD + 1, (char *)&status, 4) != 4) return; if (write(FORKSRV_FD + 1, (char *)&status, 4) != 4) { return; }
} }
@ -544,11 +544,11 @@ static void __afl_start_snapshots(void) {
if (__afl_dictionary_len && __afl_dictionary) status |= FS_OPT_AUTODICT; if (__afl_dictionary_len && __afl_dictionary) status |= FS_OPT_AUTODICT;
memcpy(tmp, &status, 4); memcpy(tmp, &status, 4);
if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; }
if (__afl_sharedmem_fuzzing || (__afl_dictionary_len && __afl_dictionary)) { if (__afl_sharedmem_fuzzing || (__afl_dictionary_len && __afl_dictionary)) {
if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); if (read(FORKSRV_FD, &was_killed, 4) != 4) { _exit(1); }
if (getenv("AFL_DEBUG")) { if (getenv("AFL_DEBUG")) {
@ -1207,72 +1207,207 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
///// CmpLog instrumentation ///// CmpLog instrumentation
void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) { void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
if (unlikely(!__afl_cmp_map)) return; // fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n",
// (u8) arg1, (u8) arg2, attr);
if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0); uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
u32 hits;
if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].type = CMP_TYPE_INS; __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].hits = hits + 1;
// if (!__afl_cmp_map->headers[k].cnt)
// __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++;
__afl_cmp_map->headers[k].shape = 0; __afl_cmp_map->headers[k].shape = 0;
} else {
hits = __afl_cmp_map->headers[k].hits++;
}
__afl_cmp_map->headers[k].attribute = attr;
hits &= CMP_MAP_H - 1; hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = arg1; __afl_cmp_map->log[k][hits].v0 = arg1;
__afl_cmp_map->log[k][hits].v1 = arg2; __afl_cmp_map->log[k][hits].v1 = arg2;
} }
void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) { void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) {
if (unlikely(!__afl_cmp_map)) return; if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0); uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits;
u32 hits = __afl_cmp_map->headers[k].hits; if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = 1;
} else {
hits = __afl_cmp_map->headers[k].hits++;
if (!__afl_cmp_map->headers[k].shape) {
__afl_cmp_map->headers[k].shape = 1; __afl_cmp_map->headers[k].shape = 1;
}
}
__afl_cmp_map->headers[k].attribute = attr;
hits &= CMP_MAP_H - 1; hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = arg1; __afl_cmp_map->log[k][hits].v0 = arg1;
__afl_cmp_map->log[k][hits].v1 = arg2; __afl_cmp_map->log[k][hits].v1 = arg2;
} }
void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) { void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr) {
if (unlikely(!__afl_cmp_map)) return; // fprintf(stderr, "hook4 arg0=%x arg1=%x attr=%u\n", arg1, arg2, attr);
if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0); uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits;
u32 hits = __afl_cmp_map->headers[k].hits; if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = 3;
} else {
hits = __afl_cmp_map->headers[k].hits++;
if (__afl_cmp_map->headers[k].shape < 3) {
__afl_cmp_map->headers[k].shape = 3; __afl_cmp_map->headers[k].shape = 3;
}
}
__afl_cmp_map->headers[k].attribute = attr;
hits &= CMP_MAP_H - 1; hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = arg1; __afl_cmp_map->log[k][hits].v0 = arg1;
__afl_cmp_map->log[k][hits].v1 = arg2; __afl_cmp_map->log[k][hits].v1 = arg2;
} }
void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) { void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr) {
// fprintf(stderr, "hook8 arg0=%lx arg1=%lx attr=%u\n", arg1, arg2, attr);
if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1;
u32 hits;
if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = 7;
} else {
hits = __afl_cmp_map->headers[k].hits++;
if (__afl_cmp_map->headers[k].shape < 7) {
__afl_cmp_map->headers[k].shape = 7;
}
}
__afl_cmp_map->headers[k].attribute = attr;
hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = arg1;
__afl_cmp_map->log[k][hits].v1 = arg2;
}
#ifdef WORD_SIZE_64
// support for u24 to u120 via llvm _ExitInt(). size is in bytes minus 1
void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr,
uint8_t size) {
// fprintf(stderr, "hookN arg0=%llx:%llx arg1=%llx:%llx bytes=%u attr=%u\n",
// (u64)(arg1 >> 64), (u64)arg1, (u64)(arg2 >> 64), (u64)arg2, size + 1,
// attr);
if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1;
u32 hits;
if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = size;
} else {
hits = __afl_cmp_map->headers[k].hits++;
if (__afl_cmp_map->headers[k].shape < size) {
__afl_cmp_map->headers[k].shape = size;
}
}
__afl_cmp_map->headers[k].attribute = attr;
hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = (u64)arg1;
__afl_cmp_map->log[k][hits].v1 = (u64)arg2;
if (size > 7) {
__afl_cmp_map->log[k][hits].v0_128 = (u64)(arg1 >> 64);
__afl_cmp_map->log[k][hits].v1_128 = (u64)(arg2 >> 64);
}
}
void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) {
if (unlikely(!__afl_cmp_map)) return; if (unlikely(!__afl_cmp_map)) return;
@ -1280,29 +1415,51 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) {
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
u32 hits;
if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].type = CMP_TYPE_INS; __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = 15;
u32 hits = __afl_cmp_map->headers[k].hits; } else {
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].shape = 7; hits = __afl_cmp_map->headers[k].hits++;
hits &= CMP_MAP_H - 1; if (__afl_cmp_map->headers[k].shape < 15) {
__afl_cmp_map->log[k][hits].v0 = arg1;
__afl_cmp_map->log[k][hits].v1 = arg2; __afl_cmp_map->headers[k].shape = 15;
} }
}
__afl_cmp_map->headers[k].attribute = attr;
hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = (u64)arg1;
__afl_cmp_map->log[k][hits].v1 = (u64)arg2;
__afl_cmp_map->log[k][hits].v0_128 = (u64)(arg1 >> 64);
__afl_cmp_map->log[k][hits].v1_128 = (u64)(arg2 >> 64);
}
#endif
#if defined(__APPLE__) #if defined(__APPLE__)
#pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 #pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1
#pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 #pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2
#pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 #pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4
#pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 #pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8
#pragma weak __sanitizer_cov_trace_const_cmp16 = __cmplog_ins_hook16
#pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 #pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1
#pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 #pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2
#pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 #pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4
#pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 #pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8
#pragma weak __sanitizer_cov_trace_cmp16 = __cmplog_ins_hook16
#else #else
void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2)
__attribute__((alias("__cmplog_ins_hook1"))); __attribute__((alias("__cmplog_ins_hook1")));
@ -1312,6 +1469,10 @@ void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
__attribute__((alias("__cmplog_ins_hook4"))); __attribute__((alias("__cmplog_ins_hook4")));
void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2) void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
__attribute__((alias("__cmplog_ins_hook8"))); __attribute__((alias("__cmplog_ins_hook8")));
#ifdef WORD_SIZE_64
void __sanitizer_cov_trace_const_cmp16(uint128_t arg1, uint128_t arg2)
__attribute__((alias("__cmplog_ins_hook16")));
#endif
void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2)
__attribute__((alias("__cmplog_ins_hook1"))); __attribute__((alias("__cmplog_ins_hook1")));
@ -1321,6 +1482,10 @@ void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2)
__attribute__((alias("__cmplog_ins_hook4"))); __attribute__((alias("__cmplog_ins_hook4")));
void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2)
__attribute__((alias("__cmplog_ins_hook8"))); __attribute__((alias("__cmplog_ins_hook8")));
#ifdef WORD_SIZE_64
void __sanitizer_cov_trace_cmp16(uint128_t arg1, uint128_t arg2)
__attribute__((alias("__cmplog_ins_hook16")));
#endif
#endif /* defined(__APPLE__) */ #endif /* defined(__APPLE__) */
void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) { void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
@ -1333,13 +1498,29 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits;
u32 hits = __afl_cmp_map->headers[k].hits; if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = 7;
} else {
hits = __afl_cmp_map->headers[k].hits++;
if (__afl_cmp_map->headers[k].shape < 7) {
__afl_cmp_map->headers[k].shape = 7; __afl_cmp_map->headers[k].shape = 7;
}
}
__afl_cmp_map->headers[k].attribute = 1;
hits &= CMP_MAP_H - 1; hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = val; __afl_cmp_map->log[k][hits].v0 = val;
__afl_cmp_map->log[k][hits].v1 = cases[i + 2]; __afl_cmp_map->log[k][hits].v1 = cases[i + 2];
@ -1364,6 +1545,18 @@ static int area_is_mapped(void *ptr, size_t len) {
void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) { void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
/*
u32 i;
if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return;
fprintf(stderr, "rtn arg0=");
for (i = 0; i < 8; i++)
fprintf(stderr, "%02x", ptr1[i]);
fprintf(stderr, " arg1=");
for (i = 0; i < 8; i++)
fprintf(stderr, "%02x", ptr2[i]);
fprintf(stderr, "\n");
*/
if (unlikely(!__afl_cmp_map)) return; if (unlikely(!__afl_cmp_map)) return;
if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return; if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return;
@ -1372,13 +1565,27 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1; k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_RTN; u32 hits;
u32 hits = __afl_cmp_map->headers[k].hits; if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
hits = 0;
__afl_cmp_map->headers[k].hits = 1;
__afl_cmp_map->headers[k].shape = 31;
} else {
hits = __afl_cmp_map->headers[k].hits++;
if (__afl_cmp_map->headers[k].shape < 31) {
__afl_cmp_map->headers[k].shape = 31; __afl_cmp_map->headers[k].shape = 31;
}
}
hits &= CMP_MAP_RTN_H - 1; hits &= CMP_MAP_RTN_H - 1;
__builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
ptr1, 32); ptr1, 32);

532
instrumentation/cmplog-instructions-pass.cc
View File

@ -85,9 +85,25 @@ class CmpLogInstructions : public ModulePass {
char CmpLogInstructions::ID = 0; char CmpLogInstructions::ID = 0;
template <class Iterator>
Iterator Unique(Iterator first, Iterator last) {
while (first != last) {
Iterator next(first);
last = std::remove(++next, last, *first);
first = next;
}
return last;
}
bool CmpLogInstructions::hookInstrs(Module &M) { bool CmpLogInstructions::hookInstrs(Module &M) {
std::vector<Instruction *> icomps; std::vector<Instruction *> icomps;
std::vector<SwitchInst *> switches;
LLVMContext & C = M.getContext(); LLVMContext & C = M.getContext();
Type * VoidTy = Type::getVoidTy(C); Type * VoidTy = Type::getVoidTy(C);
@ -95,13 +111,15 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
IntegerType *Int16Ty = IntegerType::getInt16Ty(C); IntegerType *Int16Ty = IntegerType::getInt16Ty(C);
IntegerType *Int32Ty = IntegerType::getInt32Ty(C); IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
IntegerType *Int64Ty = IntegerType::getInt64Ty(C); IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
IntegerType *Int128Ty = IntegerType::getInt128Ty(C);
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
Constant * Constant *
#else #else
FunctionCallee FunctionCallee
#endif #endif
c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
@ -118,7 +136,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#else #else
FunctionCallee FunctionCallee
#endif #endif
c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
@ -135,7 +154,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#else #else
FunctionCallee FunctionCallee
#endif #endif
c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
@ -152,7 +172,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#else #else
FunctionCallee FunctionCallee
#endif #endif
c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
@ -164,6 +185,42 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
FunctionCallee cmplogHookIns8 = c8; FunctionCallee cmplogHookIns8 = c8;
#endif #endif
#if LLVM_VERSION_MAJOR < 9
Constant *
#else
FunctionCallee
#endif
c16 = M.getOrInsertFunction("__cmplog_ins_hook16", VoidTy, Int128Ty,
Int128Ty, Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
#endif
);
#if LLVM_VERSION_MAJOR < 9
Function *cmplogHookIns16 = cast<Function>(c16);
#else
FunctionCallee cmplogHookIns16 = c16;
#endif
#if LLVM_VERSION_MAJOR < 9
Constant *
#else
FunctionCallee
#endif
cN = M.getOrInsertFunction("__cmplog_ins_hookN", VoidTy, Int128Ty,
Int128Ty, Int8Ty, Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
#endif
);
#if LLVM_VERSION_MAJOR < 9
Function *cmplogHookInsN = cast<Function>(cN);
#else
FunctionCallee cmplogHookInsN = cN;
#endif
/* iterate over all functions, bbs and instruction and add suitable calls */ /* iterate over all functions, bbs and instruction and add suitable calls */
for (auto &F : M) { for (auto &F : M) {
@ -174,36 +231,17 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
for (auto &IN : BB) { for (auto &IN : BB) {
CmpInst *selectcmpInst = nullptr; CmpInst *selectcmpInst = nullptr;
if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) { if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) {
if (selectcmpInst->getPredicate() == CmpInst::ICMP_EQ ||
selectcmpInst->getPredicate() == CmpInst::ICMP_NE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_UGT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SGT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_ULT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SLT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_UGE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SGE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_ULE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SLE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OGE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UGE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OLE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ULE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UGT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OLT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ULT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UEQ ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OEQ ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UNE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ONE) {
icomps.push_back(selectcmpInst); icomps.push_back(selectcmpInst);
} }
SwitchInst *switchInst = nullptr;
if ((switchInst = dyn_cast<SwitchInst>(BB.getTerminator()))) {
if (switchInst->getNumCases() > 1) { switches.push_back(switchInst); }
} }
} }
@ -212,23 +250,267 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
} }
if (!icomps.size()) return false; // unique the collected switches
// if (!be_quiet) errs() << "Hooking " << icomps.size() << " cmp switches.erase(Unique(switches.begin(), switches.end()), switches.end());
// instructions\n";
// Instrument switch values for cmplog
if (switches.size()) {
if (!be_quiet)
errs() << "Hooking " << switches.size() << " switch instructions\n";
for (auto &SI : switches) {
Value * Val = SI->getCondition();
unsigned int max_size = Val->getType()->getIntegerBitWidth(), cast_size;
unsigned char do_cast = 0;
if (!SI->getNumCases() || max_size <= 8) {
// if (!be_quiet) errs() << "skip trivial switch..\n";
continue;
}
IRBuilder<> IRB(SI->getParent());
IRB.SetInsertPoint(SI);
if (max_size % 8) {
max_size = (((max_size / 8) + 1) * 8);
do_cast = 1;
}
if (max_size > 128) {
if (!be_quiet) {
fprintf(stderr,
"Cannot handle this switch bit size: %u (truncating)\n",
max_size);
}
max_size = 128;
do_cast = 1;
}
// do we need to cast?
switch (max_size) {
case 8:
case 16:
case 32:
case 64:
case 128:
cast_size = max_size;
break;
default:
cast_size = 128;
do_cast = 1;
}
Value *CompareTo = Val;
if (do_cast) {
ConstantInt *cint = dyn_cast<ConstantInt>(Val);
if (cint) {
uint64_t val = cint->getZExtValue();
// fprintf(stderr, "ConstantInt: %lu\n", val);
switch (cast_size) {
case 8:
CompareTo = ConstantInt::get(Int8Ty, val);
break;
case 16:
CompareTo = ConstantInt::get(Int16Ty, val);
break;
case 32:
CompareTo = ConstantInt::get(Int32Ty, val);
break;
case 64:
CompareTo = ConstantInt::get(Int64Ty, val);
break;
case 128:
CompareTo = ConstantInt::get(Int128Ty, val);
break;
}
} else {
CompareTo = IRB.CreateBitCast(Val, IntegerType::get(C, cast_size));
}
}
for (SwitchInst::CaseIt i = SI->case_begin(), e = SI->case_end(); i != e;
++i) {
#if LLVM_VERSION_MAJOR < 5
ConstantInt *cint = i.getCaseValue();
#else
ConstantInt *cint = i->getCaseValue();
#endif
if (cint) {
std::vector<Value *> args;
args.push_back(CompareTo);
Value *new_param = cint;
if (do_cast) {
uint64_t val = cint->getZExtValue();
// fprintf(stderr, "ConstantInt: %lu\n", val);
switch (cast_size) {
case 8:
new_param = ConstantInt::get(Int8Ty, val);
break;
case 16:
new_param = ConstantInt::get(Int16Ty, val);
break;
case 32:
new_param = ConstantInt::get(Int32Ty, val);
break;
case 64:
new_param = ConstantInt::get(Int64Ty, val);
break;
case 128:
new_param = ConstantInt::get(Int128Ty, val);
break;
}
}
if (new_param) {
args.push_back(new_param);
ConstantInt *attribute = ConstantInt::get(Int8Ty, 1);
args.push_back(attribute);
if (cast_size != max_size) {
ConstantInt *bitsize =
ConstantInt::get(Int8Ty, (max_size / 8) - 1);
args.push_back(bitsize);
}
switch (cast_size) {
case 8:
IRB.CreateCall(cmplogHookIns1, args);
break;
case 16:
IRB.CreateCall(cmplogHookIns2, args);
break;
case 32:
IRB.CreateCall(cmplogHookIns4, args);
break;
case 64:
IRB.CreateCall(cmplogHookIns8, args);
break;
case 128:
#ifdef WORD_SIZE_64
if (max_size == 128) {
IRB.CreateCall(cmplogHookIns16, args);
} else {
IRB.CreateCall(cmplogHookInsN, args);
}
#endif
break;
default:
break;
}
}
}
}
}
}
if (icomps.size()) {
// if (!be_quiet) errs() << "Hooking " << icomps.size() <<
// " cmp instructions\n";
for (auto &selectcmpInst : icomps) { for (auto &selectcmpInst : icomps) {
IRBuilder<> IRB(selectcmpInst->getParent()); IRBuilder<> IRB(selectcmpInst->getParent());
IRB.SetInsertPoint(selectcmpInst); IRB.SetInsertPoint(selectcmpInst);
auto op0 = selectcmpInst->getOperand(0); Value *op0 = selectcmpInst->getOperand(0);
auto op1 = selectcmpInst->getOperand(1); Value *op1 = selectcmpInst->getOperand(1);
IntegerType * intTyOp0 = NULL; IntegerType * intTyOp0 = NULL;
IntegerType * intTyOp1 = NULL; IntegerType * intTyOp1 = NULL;
unsigned max_size = 0; unsigned max_size = 0, cast_size = 0;
unsigned char attr = 0, do_cast = 0;
std::vector<Value *> args; std::vector<Value *> args;
CmpInst *cmpInst = dyn_cast<CmpInst>(selectcmpInst);
if (!cmpInst) { continue; }
switch (cmpInst->getPredicate()) {
case CmpInst::ICMP_NE:
case CmpInst::FCMP_UNE:
case CmpInst::FCMP_ONE:
break;
case CmpInst::ICMP_EQ:
case CmpInst::FCMP_UEQ:
case CmpInst::FCMP_OEQ:
attr += 1;
break;
case CmpInst::ICMP_UGT:
case CmpInst::ICMP_SGT:
case CmpInst::FCMP_OGT:
case CmpInst::FCMP_UGT:
attr += 2;
break;
case CmpInst::ICMP_UGE:
case CmpInst::ICMP_SGE:
case CmpInst::FCMP_OGE:
case CmpInst::FCMP_UGE:
attr += 3;
break;
case CmpInst::ICMP_ULT:
case CmpInst::ICMP_SLT:
case CmpInst::FCMP_OLT:
case CmpInst::FCMP_ULT:
attr += 4;
break;
case CmpInst::ICMP_ULE:
case CmpInst::ICMP_SLE:
case CmpInst::FCMP_OLE:
case CmpInst::FCMP_ULE:
attr += 5;
break;
default:
break;
}
if (selectcmpInst->getOpcode() == Instruction::FCmp) { if (selectcmpInst->getOpcode() == Instruction::FCmp) {
auto ty0 = op0->getType(); auto ty0 = op0->getType();
@ -242,29 +524,13 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
max_size = 32; max_size = 32;
else if (ty0->isDoubleTy()) else if (ty0->isDoubleTy())
max_size = 64; max_size = 64;
else if (ty0->isX86_FP80Ty())
max_size = 80;
else if (ty0->isFP128Ty() || ty0->isPPC_FP128Ty())
max_size = 128;
if (max_size) { attr += 8;
do_cast = 1;
Value *V0 = IRB.CreateBitCast(op0, IntegerType::get(C, max_size));
intTyOp0 = dyn_cast<IntegerType>(V0->getType());
Value *V1 = IRB.CreateBitCast(op1, IntegerType::get(C, max_size));
intTyOp1 = dyn_cast<IntegerType>(V1->getType());
if (intTyOp0 && intTyOp1) {
max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth()
? intTyOp0->getBitWidth()
: intTyOp1->getBitWidth();
args.push_back(V0);
args.push_back(V1);
} else {
max_size = 0;
}
}
} else { } else {
@ -276,16 +542,149 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth() max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth()
? intTyOp0->getBitWidth() ? intTyOp0->getBitWidth()
: intTyOp1->getBitWidth(); : intTyOp1->getBitWidth();
}
}
if (!max_size) { continue; }
// _ExtInt() with non-8th values
if (max_size % 8) {
max_size = (((max_size / 8) + 1) * 8);
do_cast = 1;
}
if (max_size > 128) {
if (!be_quiet) {
fprintf(stderr,
"Cannot handle this compare bit size: %u (truncating)\n",
max_size);
}
max_size = 128;
do_cast = 1;
}
// do we need to cast?
switch (max_size) {
case 8:
case 16:
case 32:
case 64:
case 128:
cast_size = max_size;
break;
default:
cast_size = 128;
do_cast = 1;
}
if (do_cast) {
// F*cking LLVM optimized out any kind of bitcasts of ConstantInt values
// creating illegal calls. WTF. So we have to work around this.
ConstantInt *cint = dyn_cast<ConstantInt>(op0);
if (cint) {
uint64_t val = cint->getZExtValue();
// fprintf(stderr, "ConstantInt: %lu\n", val);
ConstantInt *new_param = NULL;
switch (cast_size) {
case 8:
new_param = ConstantInt::get(Int8Ty, val);
break;
case 16:
new_param = ConstantInt::get(Int16Ty, val);
break;
case 32:
new_param = ConstantInt::get(Int32Ty, val);
break;
case 64:
new_param = ConstantInt::get(Int64Ty, val);
break;
case 128:
new_param = ConstantInt::get(Int128Ty, val);
break;
}
if (!new_param) { continue; }
args.push_back(new_param);
} else {
Value *V0 = IRB.CreateBitCast(op0, IntegerType::get(C, cast_size));
args.push_back(V0);
}
cint = dyn_cast<ConstantInt>(op1);
if (cint) {
uint64_t val = cint->getZExtValue();
ConstantInt *new_param = NULL;
switch (cast_size) {
case 8:
new_param = ConstantInt::get(Int8Ty, val);
break;
case 16:
new_param = ConstantInt::get(Int16Ty, val);
break;
case 32:
new_param = ConstantInt::get(Int32Ty, val);
break;
case 64:
new_param = ConstantInt::get(Int64Ty, val);
break;
case 128:
new_param = ConstantInt::get(Int128Ty, val);
break;
}
if (!new_param) { continue; }
args.push_back(new_param);
} else {
Value *V1 = IRB.CreateBitCast(op1, IntegerType::get(C, cast_size));
args.push_back(V1);
}
} else {
args.push_back(op0); args.push_back(op0);
args.push_back(op1); args.push_back(op1);
} }
ConstantInt *attribute = ConstantInt::get(Int8Ty, attr);
args.push_back(attribute);
if (cast_size != max_size) {
ConstantInt *bitsize = ConstantInt::get(Int8Ty, (max_size / 8) - 1);
args.push_back(bitsize);
} }
if (max_size < 8 || max_size > 64 || !intTyOp0 || !intTyOp1) continue; // fprintf(stderr, "_ExtInt(%u) castTo %u with attr %u didcast %u\n",
// max_size, cast_size, attr, do_cast);
switch (max_size) { switch (cast_size) {
case 8: case 8:
IRB.CreateCall(cmplogHookIns1, args); IRB.CreateCall(cmplogHookIns1, args);
@ -299,14 +698,29 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
case 64: case 64:
IRB.CreateCall(cmplogHookIns8, args); IRB.CreateCall(cmplogHookIns8, args);
break; break;
default: case 128:
if (max_size == 128) {
IRB.CreateCall(cmplogHookIns16, args);
} else {
IRB.CreateCall(cmplogHookInsN, args);
}
break; break;
} }
} }
}
if (switches.size() || icomps.size())
return true; return true;
else
return false;
} }

2
instrumentation/llvm-ngram-coverage.h
View File

@ -1,7 +1,7 @@
#ifndef AFL_NGRAM_CONFIG_H #ifndef AFL_NGRAM_CONFIG_H
#define AFL_NGRAM_CONFIG_H #define AFL_NGRAM_CONFIG_H
#include "../config.h" #include "types.h"
#if (MAP_SIZE_POW2 <= 16) #if (MAP_SIZE_POW2 <= 16)
typedef u16 PREV_LOC_T; typedef u16 PREV_LOC_T;

57
src/afl-cc.c
View File

@ -528,10 +528,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = alloc_printf( cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/cmplog-routines-pass.so", obj_path); "-Wl,-mllvm=-load=%s/cmplog-routines-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf( cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/cmplog-instructions-pass.so", obj_path); "-Wl,-mllvm=-load=%s/cmplog-instructions-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/split-switches-pass.so", obj_path);
} else { } else {
@ -541,6 +541,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-routines-pass.so", obj_path); alloc_printf("%s/cmplog-routines-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
// reuse split switches from laf // reuse split switches from laf
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-load";
@ -548,12 +554,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/split-switches-pass.so", obj_path); alloc_printf("%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
} }
cc_params[cc_par_cnt++] = "-fno-inline"; cc_params[cc_par_cnt++] = "-fno-inline";
@ -687,6 +687,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strncmp(cur, "--afl", 5)) continue; if (!strncmp(cur, "--afl", 5)) continue;
if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue; if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue; if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;
if (!strncmp(cur, "-fno-unroll", 11)) continue;
if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined")) if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined"))
continue; continue;
@ -707,7 +708,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "-shared")) shared_linking = 1; if (!strcmp(cur, "-shared")) shared_linking = 1;
if (!strncmp(cur, "-O", 2)) have_o = 1; if (!strncmp(cur, "-O", 2)) have_o = 1;
if (!strncmp(cur, "-f", 2) && strstr(cur, "unroll-loop")) have_unroll = 1; if (!strncmp(cur, "-funroll-loop", 13)) have_unroll = 1;
cc_params[cc_par_cnt++] = cur; cc_params[cc_par_cnt++] = cur;
@ -796,11 +797,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} }
#if defined(USEMMAP) #if defined(USEMMAP) && !defined(__HAIKU__)
#if !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt"; cc_params[cc_par_cnt++] = "-lrt";
#endif #endif
#endif
cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1"; cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
@ -971,11 +970,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif #endif
#if defined(USEMMAP) #if defined(USEMMAP) && !defined(__HAIKU__)
#if !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt"; cc_params[cc_par_cnt++] = "-lrt";
#endif #endif
#endif
} }
@ -1286,7 +1283,6 @@ int main(int argc, char **argv, char **envp) {
} }
// this is a hidden option
if (strncasecmp(ptr2, "llvmnative", strlen("llvmnative")) == 0 || if (strncasecmp(ptr2, "llvmnative", strlen("llvmnative")) == 0 ||
strncasecmp(ptr2, "llvm-native", strlen("llvm-native")) == 0) { strncasecmp(ptr2, "llvm-native", strlen("llvm-native")) == 0) {
@ -1357,29 +1353,28 @@ int main(int argc, char **argv, char **envp) {
if (strncasecmp(ptr2, "ngram", strlen("ngram")) == 0) { if (strncasecmp(ptr2, "ngram", strlen("ngram")) == 0) {
ptr2 += strlen("ngram"); u8 *ptr3 = ptr2 + strlen("ngram");
while (*ptr2 && (*ptr2 < '0' || *ptr2 > '9')) while (*ptr3 && (*ptr3 < '0' || *ptr3 > '9'))
ptr2++; ptr3++;
if (!*ptr2) { if (!*ptr3) {
if ((ptr2 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL) if ((ptr3 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL)
FATAL( FATAL(
"you must set the NGRAM size with (e.g. for value 2) " "you must set the NGRAM size with (e.g. for value 2) "
"AFL_LLVM_INSTRUMENT=ngram-2"); "AFL_LLVM_INSTRUMENT=ngram-2");
} }
ngram_size = atoi(ptr2); ngram_size = atoi(ptr3);
if (ngram_size < 2 || ngram_size > NGRAM_SIZE_MAX) if (ngram_size < 2 || ngram_size > NGRAM_SIZE_MAX)
FATAL( FATAL(
"NGRAM instrumentation option must be between 2 and " "NGRAM instrumentation option must be between 2 and "
"NGRAM_SIZE_MAX " "NGRAM_SIZE_MAX (%u)",
"(%u)",
NGRAM_SIZE_MAX); NGRAM_SIZE_MAX);
instrument_opt_mode |= (INSTRUMENT_OPT_NGRAM); instrument_opt_mode |= (INSTRUMENT_OPT_NGRAM);
ptr2 = alloc_printf("%u", ngram_size); u8 *ptr4 = alloc_printf("%u", ngram_size);
setenv("AFL_LLVM_NGRAM_SIZE", ptr2, 1); setenv("AFL_LLVM_NGRAM_SIZE", ptr4, 1);
} }
@ -1515,6 +1510,7 @@ int main(int argc, char **argv, char **envp) {
"((instrumentation/README.ngram.md)\n" "((instrumentation/README.ngram.md)\n"
" INSTRIM: Dominator tree (for LLVM <= 6.0) " " INSTRIM: Dominator tree (for LLVM <= 6.0) "
"(instrumentation/README.instrim.md)\n\n"); "(instrumentation/README.instrim.md)\n\n");
#undef NATIVE_MSG #undef NATIVE_MSG
SAYF( SAYF(
@ -1649,16 +1645,15 @@ int main(int argc, char **argv, char **envp) {
if (have_lto) if (have_lto)
SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO); SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO);
if (have_llvm) if (have_llvm)
SAYF("afl-cc LLVM version %d using binary path \"%s\".\n", LLVM_MAJOR, SAYF("afl-cc LLVM version %d using the binary path \"%s\".\n", LLVM_MAJOR,
LLVM_BINDIR); LLVM_BINDIR);
#endif #endif
#if defined(USEMMAP) #ifdef USEMMAP
#if !defined(__HAIKU__) #if !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#else
SAYF("Compiled with shm_open support.\n"); SAYF("Compiled with shm_open support.\n");
#else
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#endif #endif
#else #else
SAYF("Compiled with shmat support.\n"); SAYF("Compiled with shmat support.\n");

8
src/afl-forkserver.c
View File

@ -58,7 +58,7 @@ static list_t fsrv_list = {.element_prealloc_count = 0};
static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) { static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) {
if (fsrv->qemu_mode) setenv("AFL_DISABLE_LLVM_INSTRUMENTATION", "1", 0); if (fsrv->qemu_mode) { setenv("AFL_DISABLE_LLVM_INSTRUMENTATION", "1", 0); }
execv(fsrv->target_path, argv); execv(fsrv->target_path, argv);
@ -396,6 +396,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
struct rlimit r; struct rlimit r;
if (!fsrv->cmplog_binary && fsrv->qemu_mode == false) {
unsetenv(CMPLOG_SHM_ENV_VAR); // we do not want that in non-cmplog fsrv
}
/* Umpf. On OpenBSD, the default fd limit for root users is set to /* Umpf. On OpenBSD, the default fd limit for root users is set to
soft 128. Let's try to fix that... */ soft 128. Let's try to fix that... */
if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) {

2
src/afl-fuzz-cmplog.c
View File

@ -33,6 +33,8 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) {
setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1);
if (fsrv->qemu_mode) { setenv("AFL_DISABLE_LLVM_INSTRUMENTATION", "1", 0); }
if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) {
argv[0] = fsrv->cmplog_binary; argv[0] = fsrv->cmplog_binary;

38
src/afl-fuzz-init.c
View File

@ -729,6 +729,30 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
add_to_queue(afl, fn2, st.st_size >= MAX_FILE ? MAX_FILE : st.st_size, add_to_queue(afl, fn2, st.st_size >= MAX_FILE ? MAX_FILE : st.st_size,
passed_det); passed_det);
if (unlikely(afl->shm.cmplog_mode)) {
if (afl->cmplog_lvl == 1) {
if (!afl->cmplog_max_filesize ||
afl->cmplog_max_filesize < st.st_size) {
afl->cmplog_max_filesize = st.st_size;
}
} else if (afl->cmplog_lvl == 2) {
if (!afl->cmplog_max_filesize ||
afl->cmplog_max_filesize > st.st_size) {
afl->cmplog_max_filesize = st.st_size;
}
}
}
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) { if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
@ -756,6 +780,20 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
} }
if (unlikely(afl->shm.cmplog_mode)) {
if (afl->cmplog_max_filesize < 1024) {
afl->cmplog_max_filesize = 1024;
} else {
afl->cmplog_max_filesize = (((afl->cmplog_max_filesize >> 10) + 1) << 10);
}
}
afl->last_path_time = 0; afl->last_path_time = 0;
afl->queued_at_start = afl->queued_paths; afl->queued_at_start = afl->queued_paths;

75
src/afl-fuzz-one.c
View File

@ -165,7 +165,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
/* See if one-byte adjustments to any byte could produce this result. */ /* See if one-byte adjustments to any byte could produce this result. */
for (i = 0; i < blen; ++i) { for (i = 0; (u8)i < blen; ++i) {
u8 a = old_val >> (8 * i), b = new_val >> (8 * i); u8 a = old_val >> (8 * i), b = new_val >> (8 * i);
@ -193,7 +193,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
diffs = 0; diffs = 0;
for (i = 0; i < blen / 2; ++i) { for (i = 0; (u8)i < blen / 2; ++i) {
u16 a = old_val >> (16 * i), b = new_val >> (16 * i); u16 a = old_val >> (16 * i), b = new_val >> (16 * i);
@ -290,7 +290,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {
/* See if two-byte insertions over old_val could give us new_val. */ /* See if two-byte insertions over old_val could give us new_val. */
for (i = 0; (s32)i < blen - 1; ++i) { for (i = 0; (u8)i < blen - 1; ++i) {
for (j = 0; j < sizeof(interesting_16) / 2; ++j) { for (j = 0; j < sizeof(interesting_16) / 2; ++j) {
@ -545,12 +545,24 @@ u8 fuzz_one_original(afl_state_t *afl) {
else else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur); orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
if (unlikely(perf_score == 0)) { goto abandon_entry; } if (unlikely(perf_score <= 0)) { goto abandon_entry; }
if (unlikely(afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized)) { if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
(u32)len <= afl->cmplog_max_filesize)) {
if (input_to_state_stage(afl, in_buf, out_buf, len, if (unlikely(len < 4)) {
afl->queue_cur->exec_cksum)) {
afl->queue_cur->colorized = 0xff;
} else {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len)) {
goto abandon_entry; goto abandon_entry;
@ -558,6 +570,10 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
}
}
/* Skip right away if -d is given, if it has not been chosen sufficiently /* Skip right away if -d is given, if it has not been chosen sufficiently
often to warrant the expensive deterministic stage (fuzz_level), or often to warrant the expensive deterministic stage (fuzz_level), or
if it has gone through deterministic testing in earlier, resumed runs if it has gone through deterministic testing in earlier, resumed runs
@ -2796,7 +2812,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} }
s32 len, temp_len; u32 len, temp_len;
u32 i; u32 i;
u32 j; u32 j;
u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0;
@ -2952,12 +2968,24 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
else else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur); orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
if (unlikely(perf_score == 0)) { goto abandon_entry; } if (unlikely(perf_score <= 0)) { goto abandon_entry; }
if (unlikely(afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized)) { if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
(u32)len <= afl->cmplog_max_filesize)) {
if (input_to_state_stage(afl, in_buf, out_buf, len, if (unlikely(len < 4)) {
afl->queue_cur->exec_cksum)) {
afl->queue_cur->colorized = 0xff;
} else {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len)) {
goto abandon_entry; goto abandon_entry;
@ -2965,6 +2993,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} }
}
}
/* Go to pacemker fuzzing if MOpt is doing well */ /* Go to pacemker fuzzing if MOpt is doing well */
cur_ms_lv = get_cur_time(); cur_ms_lv = get_cur_time();
@ -3315,7 +3347,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -3357,7 +3389,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) { for (i = 0; i < len - 3; ++i) {
/* Let's consult the effector map... */ /* Let's consult the effector map... */
if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
@ -3489,7 +3521,7 @@ skip_bitflip:
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16 *)(out_buf + i); u16 orig = *(u16 *)(out_buf + i);
@ -3615,7 +3647,7 @@ skip_bitflip:
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) { for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32 *)(out_buf + i); u32 orig = *(u32 *)(out_buf + i);
@ -3805,7 +3837,7 @@ skip_arith:
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16 *)(out_buf + i); u16 orig = *(u16 *)(out_buf + i);
@ -3891,7 +3923,7 @@ skip_arith:
orig_hit_cnt = new_hit_cnt; orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) { for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32 *)(out_buf + i); u32 orig = *(u32 *)(out_buf + i);
@ -4120,7 +4152,7 @@ skip_user_extras:
/* See the comment in the earlier code; extras are sorted by size. */ /* See the comment in the earlier code; extras are sorted by size. */
if ((s32)(afl->a_extras[j].len) > (s32)(len - i) || if ((afl->a_extras[j].len) > (len - i) ||
!memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) || !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) ||
!memchr(eff_map + EFF_APOS(i), 1, !memchr(eff_map + EFF_APOS(i), 1,
EFF_SPAN_ALEN(i, afl->a_extras[j].len))) { EFF_SPAN_ALEN(i, afl->a_extras[j].len))) {
@ -4837,7 +4869,7 @@ pacemaker_fuzzing:
u32 copy_from, copy_to, copy_len; u32 copy_from, copy_to, copy_len;
copy_len = choose_block_len(afl, new_len - 1); copy_len = choose_block_len(afl, new_len - 1);
if ((s32)copy_len > temp_len) copy_len = temp_len; if (copy_len > temp_len) copy_len = temp_len;
copy_from = rand_below(afl, new_len - copy_len + 1); copy_from = rand_below(afl, new_len - copy_len + 1);
copy_to = rand_below(afl, temp_len - copy_len + 1); copy_to = rand_below(afl, temp_len - copy_len + 1);
@ -5033,8 +5065,7 @@ pacemaker_fuzzing:
the last differing byte. Bail out if the difference is just a single the last differing byte. Bail out if the difference is just a single
byte or so. */ byte or so. */
locate_diffs(in_buf, new_buf, MIN(len, (s32)target->len), &f_diff, locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff);
&l_diff);
if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) {

1
src/afl-fuzz-queue.c
View File

@ -433,6 +433,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
q->passed_det = passed_det; q->passed_det = passed_det;
q->trace_mini = NULL; q->trace_mini = NULL;
q->testcase_buf = NULL; q->testcase_buf = NULL;
q->mother = afl->queue_cur;
#ifdef INTROSPECTION #ifdef INTROSPECTION
q->bitsmap_size = afl->bitsmap_size; q->bitsmap_size = afl->bitsmap_size;

2111
src/afl-fuzz-redqueen.c
View File

File diff suppressed because it is too large Load Diff

1
src/afl-fuzz-state.c
View File

@ -102,6 +102,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->stats_update_freq = 1; afl->stats_update_freq = 1;
afl->stats_avg_exec = 0; afl->stats_avg_exec = 0;
afl->skip_deterministic = 1; afl->skip_deterministic = 1;
afl->cmplog_lvl = 1;
#ifndef NO_SPLICING #ifndef NO_SPLICING
afl->use_splicing = 1; afl->use_splicing = 1;
#endif #endif

61
src/afl-fuzz.c
View File

@ -77,13 +77,8 @@ static void at_exit() {
} }
int kill_signal = SIGKILL; int kill_signal = SIGKILL;
/* AFL_KILL_SIGNAL should already be a valid int at this point */ /* AFL_KILL_SIGNAL should already be a valid int at this point */
if (getenv("AFL_KILL_SIGNAL")) { if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); }
kill_signal = atoi(getenv("AFL_KILL_SIGNAL"));
}
if (pid1 > 0) { kill(pid1, kill_signal); } if (pid1 > 0) { kill(pid1, kill_signal); }
if (pid2 > 0) { kill(pid2, kill_signal); } if (pid2 > 0) { kill(pid2, kill_signal); }
@ -103,13 +98,14 @@ static void usage(u8 *argv0, int more_help) {
"Execution control settings:\n" "Execution control settings:\n"
" -p schedule - power schedules compute a seed's performance score:\n" " -p schedule - power schedules compute a seed's performance score:\n"
" <fast(default), rare, exploit, seek, mmopt, coe, " " fast(default), explore, exploit, seek, rare, mmopt, "
"explore,\n" "coe, lin\n"
" lin, quad> -- see docs/power_schedules.md\n" " quad -- see docs/power_schedules.md\n"
" -f file - location read by the fuzzed program (default: stdin " " -f file - location read by the fuzzed program (default: stdin "
"or @@)\n" "or @@)\n"
" -t msec - timeout for each run (auto-scaled, 50-%u ms)\n" " -t msec - timeout for each run (auto-scaled, 50-%u ms)\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit)\n" " -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
" -Q - use binary-only instrumentation (QEMU mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine " " -W - use qemu-based instrumentation with Wine (Wine "
@ -125,7 +121,9 @@ static void usage(u8 *argv0, int more_help) {
" See docs/README.MOpt.md\n" " See docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for " " -c program - enable CmpLog by specifying a binary compiled for "
"it.\n" "it.\n"
" if using QEMU, just use -c 0.\n\n" " if using QEMU, just use -c 0.\n"
" -l cmplog_level - set the complexity/intensivity of CmpLog.\n"
" Values: 1 (default), 2 (intensive) and 3 (heavy)\n\n"
"Fuzzing behavior settings:\n" "Fuzzing behavior settings:\n"
" -Z - sequential queue selection instead of weighted " " -Z - sequential queue selection instead of weighted "
@ -357,7 +355,8 @@ int main(int argc, char **argv_orig, char **envp) {
while ((opt = getopt( while ((opt = getopt(
argc, argv, argc, argv,
"+b:c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:Z")) > 0) { "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:P:RQs:S:t:T:UV:Wx:Z")) >
0) {
switch (opt) { switch (opt) {
@ -786,6 +785,26 @@ int main(int argc, char **argv_orig, char **envp) {
} break; } break;
case 'l': {
afl->cmplog_lvl = atoi(optarg);
if (afl->cmplog_lvl < 1 || afl->cmplog_lvl > CMPLOG_LVL_MAX) {
FATAL(
"Bad complog level value, accepted values are 1 (default), 2 and "
"%u.",
CMPLOG_LVL_MAX);
}
if (afl->cmplog_lvl == CMPLOG_LVL_MAX) {
afl->cmplog_max_filesize = MAX_FILE;
}
} break;
case 'L': { /* MOpt mode */ case 'L': { /* MOpt mode */
if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); } if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
@ -1075,6 +1094,8 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (afl->shm.cmplog_mode) { OKF("CmpLog level: %u", afl->cmplog_lvl); }
/* Dynamically allocate memory for AFLFast schedules */ /* Dynamically allocate memory for AFLFast schedules */
if (afl->schedule >= FAST && afl->schedule <= RARE) { if (afl->schedule >= FAST && afl->schedule <= RARE) {
@ -1634,6 +1655,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->use_splicing) { if (afl->use_splicing) {
++afl->cycles_wo_finds; ++afl->cycles_wo_finds;
if (unlikely(afl->shm.cmplog_mode &&
afl->cmplog_max_filesize < MAX_FILE)) {
afl->cmplog_max_filesize <<= 4;
}
switch (afl->expand_havoc) { switch (afl->expand_havoc) {
case 0: case 0:
@ -1651,6 +1680,7 @@ int main(int argc, char **argv_orig, char **envp) {
} }
afl->expand_havoc = 2; afl->expand_havoc = 2;
if (afl->cmplog_lvl < 2) afl->cmplog_lvl = 2;
break; break;
case 2: case 2:
// if (!have_p) afl->schedule = EXPLOIT; // if (!have_p) afl->schedule = EXPLOIT;
@ -1664,11 +1694,14 @@ int main(int argc, char **argv_orig, char **envp) {
afl->expand_havoc = 4; afl->expand_havoc = 4;
break; break;
case 4: case 4:
// if not in sync mode, enable deterministic mode?
// if (!afl->sync_id) afl->skip_deterministic = 0;
afl->expand_havoc = 5; afl->expand_havoc = 5;
if (afl->cmplog_lvl < 3) afl->cmplog_lvl = 3;
break; break;
case 5: case 5:
// if not in sync mode, enable deterministic mode?
if (!afl->sync_id) afl->skip_deterministic = 0;
afl->expand_havoc = 6;
case 6:
// nothing else currently // nothing else currently
break; break;

25
src/afl-showmap.c
View File

@ -39,6 +39,7 @@
#include "sharedmem.h" #include "sharedmem.h"
#include "forkserver.h" #include "forkserver.h"
#include "common.h" #include "common.h"
#include "hash.h"
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
@ -83,7 +84,8 @@ static u8 quiet_mode, /* Hide non-essential messages? */
binary_mode, /* Write output as a binary map */ binary_mode, /* Write output as a binary map */
keep_cores, /* Allow coredumps? */ keep_cores, /* Allow coredumps? */
remove_shm = 1, /* remove shmem? */ remove_shm = 1, /* remove shmem? */
collect_coverage; /* collect coverage */ collect_coverage, /* collect coverage */
no_classify; /* do not classify counts */
static volatile u8 stop_soon, /* Ctrl-C pressed? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_crashed; /* Child crashed? */ child_crashed; /* Child crashed? */
@ -314,7 +316,9 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem,
} }
classify_counts(fsrv); if (fsrv->trace_bits[0] == 1) { fsrv->trace_bits[0] = 0; }
if (!no_classify) { classify_counts(fsrv); }
if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); }
@ -487,7 +491,9 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
} }
classify_counts(fsrv); if (fsrv->trace_bits[0] == 1) { fsrv->trace_bits[0] = 0; }
if (!no_classify) { classify_counts(fsrv); }
if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); }
@ -677,6 +683,7 @@ static void usage(u8 *argv0) {
" -q - sink program's output and don't show messages\n" " -q - sink program's output and don't show messages\n"
" -e - show edge coverage only, ignore hit counts\n" " -e - show edge coverage only, ignore hit counts\n"
" -r - show real tuple values instead of AFL filter values\n" " -r - show real tuple values instead of AFL filter values\n"
" -s - do not classify the map\n"
" -c - allow core dumps\n\n" " -c - allow core dumps\n\n"
"This tool displays raw tuple data captured by AFL instrumentation.\n" "This tool displays raw tuple data captured by AFL instrumentation.\n"
@ -726,10 +733,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; } if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; }
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZQUWbcrh")) > 0) { while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZQUWbcrsh")) > 0) {
switch (opt) { switch (opt) {
case 's':
no_classify = 1;
break;
case 'C': case 'C':
collect_coverage = 1; collect_coverage = 1;
quiet_mode = 1; quiet_mode = 1;
@ -1210,6 +1221,12 @@ int main(int argc, char **argv_orig, char **envp) {
showmap_run_target(fsrv, use_argv); showmap_run_target(fsrv, use_argv);
tcnt = write_results_to_file(fsrv, out_file); tcnt = write_results_to_file(fsrv, out_file);
if (!quiet_mode) {
OKF("Hash of coverage map: %llx",
hash64(fsrv->trace_bits, fsrv->map_size, HASH_CONST));
}
} }

8
test/test-basic.sh
View File

@ -27,13 +27,13 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
rm -f test-instr.plain.0 test-instr.plain.1 rm -f test-instr.plain.0 test-instr.plain.1
SKIP= SKIP=
TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 2 -a "$TUPLES" -lt 12 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES" $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
CODE=1 CODE=1
} }
test "$TUPLES" -lt 4 && SKIP=1 test "$TUPLES" -lt 3 && SKIP=1
true # this is needed because of the test above true # this is needed because of the test above
} || { } || {
$ECHO "$RED[!] ${AFL_GCC} failed" $ECHO "$RED[!] ${AFL_GCC} failed"
@ -147,13 +147,13 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
} }
rm -f test-instr.plain.0 test-instr.plain.1 rm -f test-instr.plain.0 test-instr.plain.1
TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 2 -a "$TUPLES" -lt 12 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES" $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
CODE=1 CODE=1
} }
test "$TUPLES" -lt 4 && SKIP=1 test "$TUPLES" -lt 3 && SKIP=1
true # this is needed because of the test above true # this is needed because of the test above
} || { } || {
$ECHO "$RED[!] ${AFL_GCC} failed" $ECHO "$RED[!] ${AFL_GCC} failed"

4
test/test-gcc-plugin.sh
View File

@ -19,14 +19,14 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && {
} || { } || {
$ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly"
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain.gccpi 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain.gccpi 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 3 -a "$TUPLES" -lt 9 && { test "$TUPLES" -gt 2 -a "$TUPLES" -lt 9 && {
$ECHO "$GREEN[+] gcc_plugin run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] gcc_plugin run reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] gcc_plugin instrumentation produces a weird numbers: $TUPLES" $ECHO "$RED[!] gcc_plugin instrumentation produces a weird numbers: $TUPLES"
$ECHO "$YELLOW[-] this is a known issue in gcc, not afl++. It is not flagged as an error because travis builds would all fail otherwise :-(" $ECHO "$YELLOW[-] this is a known issue in gcc, not afl++. It is not flagged as an error because travis builds would all fail otherwise :-("
#CODE=1 #CODE=1
} }
test "$TUPLES" -lt 4 && SKIP=1 test "$TUPLES" -lt 3 && SKIP=1
true true
} }
} || { } || {

2
test/test-llvm-lto.sh
View File

@ -25,7 +25,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && {
} || { } || {
$ECHO "$GREEN[+] llvm_mode LTO instrumentation present and working correctly" $ECHO "$GREEN[+] llvm_mode LTO instrumentation present and working correctly"
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && { test "$TUPLES" -gt 2 -a "$TUPLES" -lt 7 && {
$ECHO "$GREEN[+] llvm_mode LTO run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] llvm_mode LTO run reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] llvm_mode LTO instrumentation produces weird numbers: $TUPLES" $ECHO "$RED[!] llvm_mode LTO instrumentation produces weird numbers: $TUPLES"

6
test/test-llvm.sh
View File

@ -25,13 +25,13 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
} || { } || {
$ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly" $ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly"
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 3 -a "$TUPLES" -lt 8 && { test "$TUPLES" -gt 2 -a "$TUPLES" -lt 8 && {
$ECHO "$GREEN[+] llvm_mode run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] llvm_mode run reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] llvm_mode instrumentation produces weird numbers: $TUPLES" $ECHO "$RED[!] llvm_mode instrumentation produces weird numbers: $TUPLES"
CODE=1 CODE=1
} }
test "$TUPLES" -lt 4 && SKIP=1 test "$TUPLES" -lt 3 && SKIP=1
true true
} }
} || { } || {
@ -129,7 +129,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
AFL_LLVM_INSTRUMENT=CFG AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out AFL_LLVM_INSTRUMENT=CFG AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out
test -e test-instr.instrim && { test -e test-instr.instrim && {
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 5 && {
$ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine"
} || { } || {
$ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES" $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES"

5
unicorn_mode/build_unicorn_support.sh
View File

@ -177,8 +177,9 @@ echo "[*] Checking out $UNICORNAFL_VERSION"
sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null
git checkout "$UNICORNAFL_VERSION" || exit 1 git checkout "$UNICORNAFL_VERSION" || exit 1
echo "[*] making sure config.h matches" echo "[*] making sure afl++ header files match"
cp "../../config.h" "." || exit 1 cp "../../include/config.h" "." || exit 1
cp "../../include/types.h" "." || exit 1
echo "[*] Configuring Unicorn build..." echo "[*] Configuring Unicorn build..."

1
utils/aflpp_driver/aflpp_driver.c
View File

@ -47,6 +47,7 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out
#include <sys/mman.h> #include <sys/mman.h>
#include "config.h" #include "config.h"
#include "types.h"
#include "cmplog.h" #include "cmplog.h"
#ifdef _DEBUG #ifdef _DEBUG

1
utils/defork/defork.c
View File

@ -5,6 +5,7 @@
#include <stdbool.h> #include <stdbool.h>
#include "../../include/config.h" #include "../../include/config.h"
#include "../../include/types.h"
/* we want to fork once (for the afl++ forkserver), /* we want to fork once (for the afl++ forkserver),
then immediately return as child on subsequent forks. */ then immediately return as child on subsequent forks. */