diff --git a/docs/env_variables.md b/docs/env_variables.md
index 62fbef13..a492a1bc 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -111,7 +111,7 @@ fairly broad use of environment variables instead:
 - Note: both `AFL_CFISAN_VERBOSE=1` and `AFL_UBSAN_VERBOSE=1` are disabled by default as verbose output can significantly slow down fuzzing performance. Use these options only during debugging or when additional crash diagnostics are required
- - `AFL_LLVM_ONLY_FSRV` will inject forkserver but not pc instrumentation. Please note this is different compared to `AFL_LLVM_DISABLE_INSTRUMENTATION`, which will totally disable forkserver implementation. This env is pretty useful in two cases:
+ - `AFL_LLVM_ONLY_FSRV`/`AFL_GCC_ONLY_FSRV` will inject forkserver but not pc instrumentation. Please note this is different compared to `AFL_LLVM_DISABLE_INSTRUMENTATION`, which will totally disable forkserver implementation. This env is pretty useful in two cases:
 - [SAND](./SAND.md). In this case, the binaries built in this way will serve as extra oracles. Check the corresponding documents for details.
 - Compatible with LibAFL ForkserverExecutor implementation and thus faster to repeatedly run, compared to simple CommandExecutor.
diff --git a/include/envs.h b/include/envs.h
index f5137247..eda9ceaf 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -119,7 +119,7 @@ static char *afl_environment_variables[] = {
 "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME",
- "AFL_SAN_ABSTRACTION", "AFL_LLVM_ONLY_FSRV", "AFL_SAN_RECOVER",
+ "AFL_SAN_ABSTRACTION", "AFL_LLVM_ONLY_FSRV", "AFL_GCC_ONLY_FRSV", "AFL_SAN_RECOVER",
 "AFL_PRELOAD_DISCRIMINATE_FORKSERVER_PARENT", NULL};
 extern char *afl_environment_variables[];
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 5dee57c8..10a271cd 100644 
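Review bot: The entry added to afl_environment_variables[] is spelled `AFL_GCC_ONLY_FRSV`, while the documentation hunk above, src/afl-cc.c and src/afl-common.c in this same commit use `AFL_GCC_ONLY_FSRV`; instrumentation/afl-compiler-rt.o.c and instrumentation/afl-gcc-pass.so.cc follow the transposed `FRSV` spelling. The two halves therefore never see each other's variable: afl-cc.c's early return and the `setenv` in afl-common.c act on the documented name, whereas the runtime's area_ptr override and the plugin's registration guards only react to the other one, so a user following the docs gets a silently half-applied forkserver-only build, and the documented name is presumably reported as unknown by whatever validates against this list. Pick the documented spelling everywhere: `"AFL_SAN_ABSTRACTION", "AFL_LLVM_ONLY_FSRV", "AFL_GCC_ONLY_FSRV", "AFL_SAN_RECOVER",` here, and rename the three `getenv("AFL_GCC_ONLY_FRSV")` calls, the plugin help line and the two user-facing messages in the other files to match.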
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1241,8 +1241,8 @@ void __afl_manual_init(void) {
 }
- if (getenv("AFL_LLVM_ONLY_FSRV")) {
- fprintf(stderr, "DEBUG: Overwrite area_ptr to dummy due to AFL_LLVM_ONLY_FSRV\n");
+ if (getenv("AFL_LLVM_ONLY_FSRV") || getenv("AFL_GCC_ONLY_FRSV")) {
+ fprintf(stderr, "DEBUG: Overwrite area_ptr to dummy due to AFL_LLVM_ONLY_FSRV/AFL_GCC_ONLY_FRSV\n");
 __afl_area_ptr = __afl_area_ptr_dummy;
 }
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index 26f7bd19..8509d60f 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -462,6 +462,7 @@ static struct plugin_info afl_plugin = {
 .help = G_("AFL gcc plugin\n\
 \n\
 Set AFL_QUIET in the environment to silence it.\n\
+Set AFL_GCC_ONLY_FRSV in the environment to disable instrumentation.\n\
 \n\
 Set AFL_INST_RATIO in the environment to a number from 0 to 100\n\
 to control how likely a block will be chosen for instrumentation.\n\
@@ -502,9 +503,12 @@ int plugin_init(struct plugin_name_args *info,
 case it was specified in the command line's -frandom-seed for reproducible instrumentation.  */
 srandom(get_random_seed(false));
+ bool fsrv_only = !!getenv("AFL_GCC_ONLY_FRSV");
 const char *name = info->base_name;
- register_callback(name, PLUGIN_INFO, NULL, &afl_plugin);
+ if (!fsrv_only) {
+ register_callback(name, PLUGIN_INFO, NULL, &afl_plugin);
+ }
 afl_pass *aflp = new afl_pass(quiet, inst_ratio);
 struct register_pass_info pass_info = {
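Review bot: In the @@ -502 hunk of plugin_init, the PLUGIN_INFO registration is skipped when fsrv_only is set, so the plugin's version/help block — including the `Set AFL_GCC_ONLY_FRSV …` line the previous hunk adds — is withheld precisely when that variable is active; plugin info has nothing to do with instrumentation and should stay unconditional, i.e. keep `register_callback(name, PLUGIN_INFO, NULL, &afl_plugin);` without the `if (!fsrv_only)` wrapper. The `afl_pass` allocated on the next line is also created regardless of fsrv_only even though the following hunk never registers it in that mode, so it is leaked; its only remaining use there appears to be the `aflp->out_of_line` read in the status message, so either `delete` it on the fsrv_only path or skip the allocation together with that message. Minor style: `!!getenv(...)` on a `bool` is redundant, `bool fsrv_only = getenv("AFL_GCC_ONLY_FRSV") != NULL;` reads cleaner. plugin_init's signature is only visible in the hunk header and its body continues into the next hunk.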
@@ -516,14 +520,18 @@ int plugin_init(struct plugin_name_args *info,
 };
- register_callback(name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pass_info);
- register_callback(name, PLUGIN_FINISH, afl_pass::plugin_finalize,
- pass_info.pass);
+ if (!fsrv_only) {
+ register_callback(name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pass_info);
+ register_callback(name, PLUGIN_FINISH, afl_pass::plugin_finalize,
+ pass_info.pass);
+ }
 if (!quiet) ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), aflp->out_of_line ? G_("Call-based") : G_("Inline"), inst_ratio, getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened"));
+ else if (fsrv_only)
+ ACTF("Instrumentation disabled due to AFL_GCC_ONLY_FRSV");
 return 0;
diff --git a/src/afl-cc.c b/src/afl-cc.c
index e01484b8..2892db14 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2600,7 +2600,7 @@ void add_assembler(aflcc_state_t *aflcc) {
 /* Add params to launch the gcc plugins for instrumentation. */
 void add_gcc_plugin(aflcc_state_t *aflcc) {
- if (getenv("AFL_LLVM_ONLY_FSRV")) {
+ if (getenv("AFL_GCC_ONLY_FSRV")) {
 if (!be_quiet) { DEBUGF("SAND: Coverage instrumentation disabled\n"); }
 return;
diff --git a/src/afl-common.c b/src/afl-common.c
index e6e5a0ee..e61b8388 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -821,8 +821,9 @@ void check_environment_vars(char **envp) {
 afl_environment_deprecated[i]);
 if (strncmp(afl_environment_deprecated[i],
- "AFL_SAN_NO_INST", strlen(afl_environment_deprecated[i])) == 0 && !getenv("AFL_LLVM_ONLY_FSRV")) {
- WARNF("AFL_LLVM_ONLY_FSRV is induced and set instead.");
+ "AFL_SAN_NO_INST", strlen(afl_environment_deprecated[i])) == 0) {
+ WARNF("AFL_LLVM_ONLY_FSRV/AFL_GCC_ONLY_FSRV is induced and set instead.");
+ setenv("AFL_GCC_ONLY_FSRV", "1", 0);
 setenv("AFL_LLVM_ONLY_FSRV", "1", 0);
 } else {
 issue_detected = 1;
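Review bot: The status messages at the end of the @@ -516 hunk are gated the wrong way round: `if (!quiet) ACTF(… instrumentation at ratio …) else if (fsrv_only) ACTF(… disabled …)` prints the "instrumentation at ratio of N%" line in the default non-quiet run even though no pass was registered, and prints the "disabled" line only when AFL_QUIET is set, i.e. exactly when the user asked for silence. The fsrv_only check has to come first and both messages have to stay behind `!quiet`, as below. plugin_init's body starts before this hunk (its opening part is in the previous hunk).
```cpp
  if (fsrv_only) {
    if (!quiet) ACTF("Instrumentation disabled due to AFL_GCC_ONLY_FRSV");
  } else if (!quiet) {
    // … unchanged: the ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), …) call …
  }
```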
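Review bot: Dropping `&& !getenv("AFL_LLVM_ONLY_FSRV")` from the strncmp condition in the afl-common.c hunk means the "induced and set instead" warning now fires on every run where the deprecated AFL_SAN_NO_INST is present, including when the user has already set the replacement variables themselves (the `setenv(..., 0)` calls leave existing values untouched, so only the message is spurious). If the previous quietness was intended, keep the guard and extend it to both names: `== 0 && (!getenv("AFL_LLVM_ONLY_FSRV") || !getenv("AFL_GCC_ONLY_FSRV"))) {`. Neither `setenv` return value is checked either; a failure would silently leave the variable unset for whatever consumes it later, so at least log it. check_environment_vars's loop starts before this hunk and its else branch continues after it.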