author | vanhauser-thc <vh@thc.org> | 2022-06-27 08:31:03 +0200 |
---|---|---|
committer | vanhauser-thc <vh@thc.org> | 2022-06-27 08:31:03 +0200 |
commit | 48c2d516899dcd77f1c167b195eb45b2a71cc303 (patch) | |
tree | b0bcfd4e56120e0d68bf2b41f4d878fb5b7a72b5 | |
parent | a7f3f87f411c01008b1f5aede918a6bca549d5ff (diff) | |
download | afl++-48c2d516899dcd77f1c167b195eb45b2a71cc303.tar.gz |
nits
-rw-r--r-- | README.md | 4 | ||||
-rwxr-xr-x | custom_mutators/gramatron/build_gramatron_mutator.sh | 4 | ||||
-rw-r--r-- | custom_mutators/gramatron/gramfuzz-mutators.c | 3 | ||||
-rw-r--r-- | custom_mutators/gramatron/gramfuzz.c | 48 | ||||
-rw-r--r-- | custom_mutators/gramatron/hashmap.c | 6 | ||||
-rw-r--r-- | custom_mutators/gramatron/testMakefile.mk | 3 | ||||
-rw-r--r-- | custom_mutators/gramatron/uthash.h | 41 | ||||
-rw-r--r-- | docs/INSTALL.md | 9 | ||||
-rw-r--r-- | instrumentation/afl-llvm-common.cc | 4 | ||||
-rwxr-xr-x | test/test-frida-mode.sh | 2 |
10 files changed, 39 insertions, 85 deletions
diff --git a/README.md b/README.md index 91345d0c..e851359e 100644 --- a/README.md +++ b/README.md @@ -53,8 +53,8 @@ To have AFL++ easily available with everything compiled, pull the image directly from the Docker Hub (available for both x86_64 and arm64): ```shell -docker pull docker.io/aflplusplus/aflplusplus:stable -docker run -ti -v /location/of/your/target:/src docker.io/aflplusplus/aflplusplus:stable +docker pull aflplusplus/aflplusplus +docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` This image is automatically published when a push to the stable branch happens diff --git a/custom_mutators/gramatron/build_gramatron_mutator.sh b/custom_mutators/gramatron/build_gramatron_mutator.sh index 0638e3b2..9952e7f5 100755 --- a/custom_mutators/gramatron/build_gramatron_mutator.sh +++ b/custom_mutators/gramatron/build_gramatron_mutator.sh @@ -125,7 +125,7 @@ else } fi -test -f json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; } +test -d json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; } echo "[+] Got json-c." test -e json-c/.libs/libjson-c.a || { @@ -144,6 +144,6 @@ echo echo echo "[+] Json-c successfully prepared!" echo "[+] Builing gramatron now." -$CC -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c automaton-parser.c ../../src/afl-performance.o json-c/.libs/libjson-c.a || exit 1 +$CC -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c ../../src/afl-performance.o json-c/.libs/libjson-c.a || exit 1 echo echo "[+] gramatron successfully built!" 
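Review bot: `test -d json-c/.git` rejects a json-c checkout whose `.git` is a gitlink file rather than a directory, which is what a submodule or worktree checkout produces, while the old `test -f` had the opposite blind spot for a plain clone. If the intent is only "the checkout exists", `test -e json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }` accepts both forms. How json-c is fetched is outside this hunk, so this is worth confirming against the clone step above it.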
diff --git a/custom_mutators/gramatron/gramfuzz-mutators.c b/custom_mutators/gramatron/gramfuzz-mutators.c index 789a36fd..0fc9c307 100644 --- a/custom_mutators/gramatron/gramfuzz-mutators.c +++ b/custom_mutators/gramatron/gramfuzz-mutators.c @@ -58,8 +58,7 @@ Array *performSpliceOne(Array *originput, IdxMap_new *statemap_orig, int length = utarray_len(stateptr); if (length) { - int *splice_idx = - (int *)utarray_eltptr(stateptr, rand_below(global_afl, length)); + int *splice_idx = (int *)utarray_eltptr(stateptr, rand_below(global_afl, length)); ip.orig_idx = *splice_idx; ip.splice_idx = x; utarray_push_back(pairs, &ip); diff --git a/custom_mutators/gramatron/gramfuzz.c b/custom_mutators/gramatron/gramfuzz.c index f25dfead..9c9dbb43 100644 --- a/custom_mutators/gramatron/gramfuzz.c +++ b/custom_mutators/gramatron/gramfuzz.c @@ -9,7 +9,6 @@ #include "afl-fuzz.h" #include "gramfuzz.h" -#include "automaton-parser.h" #define MUTATORS 4 // Specify the total number of mutators @@ -164,12 +163,6 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { if (automaton_file) { pda = create_pda(automaton_file); - symbols = create_array_of_chars(); - pda_map = create_pda_hashmap((struct state *)pda, symbols); - print_symbols_arr(symbols); - first_chars = create_array_of_chars(); - first_char_to_symbols_map = - create_first_char_to_symbols_hashmap(symbols, first_chars); } else { 
@@ -289,27 +282,11 @@ u8 afl_custom_queue_new_entry(my_mutator_t * data, if (filename_orig_queue) { - if (data->mutated_walk) { - - write_input(data->mutated_walk, automaton_fn); - - } else { - - Array *parsed_walk = automaton_parser(filename_new_queue); - if (!parsed_walk) PFATAL("Parser unsuccessful on %s", filename_new_queue); - write_input(parsed_walk, automaton_fn); - free(parsed_walk->start); - free(parsed_walk); - - } + write_input(data->mutated_walk, automaton_fn); } else { - // TODO: try to parse the input seeds here, if they can be parsed, then - // generate the corresponding automaton file if not, then generate a new - // input - new_input = automaton_parser(filename_new_queue); - if (new_input == NULL) { new_input = gen_input(pda, NULL); } + new_input = gen_input(pda, NULL); write_input(new_input, automaton_fn); // Update the placeholder file @@ -350,21 +327,7 @@ u8 afl_custom_queue_new_entry(my_mutator_t * data, uint8_t afl_custom_queue_get(my_mutator_t *data, const uint8_t *filename) { // get the filename - u8 *automaton_fn = alloc_printf("%s.aut", filename); - // find the automaton file, if the automaton file cannot be found, do not fuzz - // the current entry on the queue - FILE *fp; - fp = fopen(automaton_fn, "rb"); - if (fp == NULL) { - - printf( - "File '%s' does not exist, exiting. Would not fuzz current entry on " - "the queue\n", - automaton_fn); - return 0; - - } - + u8 * automaton_fn = alloc_printf("%s.aut", filename); IdxMap_new *statemap_ptr; terminal * term_ptr; int state; @@ -461,11 +424,6 @@ void afl_custom_deinit(my_mutator_t *data) { free(data->mutator_buf); free(data); - free_hashmap(pda_map, &free_terminal_arr); - free_hashmap(first_char_to_symbols_map, &free_array_of_chars); - free_pda(pda); - free_array_of_chars(NULL, symbols); // free the array of symbols - free_array_of_chars(NULL, first_chars); } diff --git a/custom_mutators/gramatron/hashmap.c b/custom_mutators/gramatron/hashmap.c index db4f9f98..09715b87 100644 
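Review bot: With the `if (data->mutated_walk)` branch gone, `write_input(data->mutated_walk, automaton_fn);` now runs for every entry that has a filename_orig_queue, including any whose walk is still NULL (an entry produced by a stage other than this mutator, or one whose walk was already consumed), which presumably dereferences a null pointer inside write_input. A guard is still needed, e.g. `if (data->mutated_walk) { write_input(data->mutated_walk, automaton_fn); } else { new_input = gen_input(pda, NULL); write_input(new_input, automaton_fn); }`, or a comment stating why mutated_walk is guaranteed non-NULL on this path. afl_custom_queue_new_entry starts and ends outside this hunk.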
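Review bot: Removing the fopen probe from afl_custom_queue_get means an entry whose `.aut` file is missing is no longer skipped, so whatever opens `automaton_fn` further down (outside this hunk) must now handle a missing file itself, or the read proceeds on nothing. If that reader does not check the result of its open, the early `return 0;` should come back, this time without the old version's leak of `automaton_fn` on the failure path and of the never-closed `fp` on the success path, e.g. `if (access(automaton_fn, R_OK) != 0) { ck_free(automaton_fn); return 0; }` with the accessor the file already uses for alloc_printf buffers. The function continues past the hunk.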
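Review bot: `free_pda(pda);` is dropped from afl_custom_deinit together with the hashmap and symbol-array frees, but `pda = create_pda(automaton_file);` in afl_custom_init survives (earlier hunk in this file), so the automaton now leaks on deinit. If free_pda was defined in automaton-parser.c, which this commit removes from the build line, an equivalent release should remain here; otherwise restore the single line `free_pda(pda);` before the closing brace. The frees removed for pda_map, first_char_to_symbols_map, symbols and first_chars do match the create_* calls removed in the init hunk.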
--- a/custom_mutators/gramatron/hashmap.c +++ b/custom_mutators/gramatron/hashmap.c @@ -151,7 +151,7 @@ static unsigned long crc32_tab[] = { /* Return a 32-bit CRC of the contents of the buffer. */ -unsigned long custom_crc32(const unsigned char *s, unsigned int len) { +unsigned long crc32(const unsigned char *s, unsigned int len) { unsigned int i; unsigned long crc32val; @@ -172,9 +172,7 @@ unsigned long custom_crc32(const unsigned char *s, unsigned int len) { */ unsigned int hashmap_hash_int(hashmap_map *m, char *keystring) { - unsigned int keystring_len = strlen(keystring); - - unsigned long key = custom_crc32((unsigned char *)(keystring), keystring_len); + unsigned long key = crc32((unsigned char *)(keystring), strlen(keystring)); /* Robert Jenkins' 32 bit Mix Function */ key += (key << 12); diff --git a/custom_mutators/gramatron/testMakefile.mk b/custom_mutators/gramatron/testMakefile.mk deleted file mode 100644 index ff19826b..00000000 --- a/custom_mutators/gramatron/testMakefile.mk +++ /dev/null @@ -1,3 +0,0 @@ -test: test.c - gcc -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o test -I. -I/prg/dev/include test.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c ../../src/afl-performance.o json-c/.libs/libjson-c.a - diff --git a/custom_mutators/gramatron/uthash.h b/custom_mutators/gramatron/uthash.h index 93322d5b..05c8abe6 100644 --- a/custom_mutators/gramatron/uthash.h +++ b/custom_mutators/gramatron/uthash.h @@ -127,8 +127,6 @@ typedef unsigned char uint8_t; #if HASH_NONFATAL_OOM /* malloc failures can be recovered from */ - #define IF_HASH_NONFATAL_OOM(x) x - #ifndef uthash_nonfatal_oom #define uthash_nonfatal_oom(obj) \ do { \ @@ -142,6 +140,8 @@ typedef unsigned char uint8_t; (oomed) = 1; \ \ } while (0) +\ + #define IF_HASH_NONFATAL_OOM(x) x #else /* malloc failures result in lost memory, hash tables are unusable */ 
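Review bot: Renaming `custom_crc32` to `crc32` gives a non-static function in a shared object the same name as zlib's `crc32(uLong, const Bytef *, uInt)`, with a different signature, which is presumably what the old prefix was avoiding; if zlib is present in the same link or in the loading process, which definition a call binds to is decided by symbol resolution order, and a call through the wrong signature is undefined behaviour. gramatron.so is also linked with `-Wl,--allow-multiple-definition` (build_gramatron_mutator.sh in this commit), so a duplicate definition would not even surface as a link error. If the function has no callers outside hashmap.c, declare it `static unsigned long crc32(const unsigned char *s, unsigned int len) {` and drop any prototype of it from a header; otherwise keep the prefixed name.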
@@ -156,10 +156,11 @@ typedef unsigned char uint8_t; #endif /* initial number of buckets */ -#define HASH_INITIAL_NUM_BUCKETS 32U /* initial number of buckets */ -#define HASH_INITIAL_NUM_BUCKETS_LOG2 5U /* lg2 of initial number of buckets \ - */ -#define HASH_BKT_CAPACITY_THRESH 10U /* expand when bucket count reaches */ +#define HASH_INITIAL_NUM_BUCKETS 32U /* initial number of buckets */ +#define HASH_INITIAL_NUM_BUCKETS_LOG2 \ + 5U /* lg2 of initial number of buckets \ + */ +#define HASH_BKT_CAPACITY_THRESH 10U /* expand when bucket count reaches */ /* calculate the element whose hash handle address is hhp */ #define ELMT_FROM_HH(tbl, hhp) ((void *)(((char *)(hhp)) - ((tbl)->hho))) @@ -646,7 +647,7 @@ typedef unsigned char uint8_t; HASH_FIND(hh, head, findstr, _uthash_hfstr_keylen, out); \ \ } while (0) - +\ #define HASH_ADD_STR(head, strfield, add) \ do { \ \ @@ -654,7 +655,7 @@ typedef unsigned char uint8_t; HASH_ADD(hh, head, strfield[0], _uthash_hastr_keylen, add); \ \ } while (0) - +\ #define HASH_REPLACE_STR(head, strfield, add, replaced) \ do { \ \ @@ -662,7 +663,7 @@ typedef unsigned char uint8_t; HASH_REPLACE(hh, head, strfield[0], _uthash_hrstr_keylen, add, replaced); \ \ } while (0) - +\ #define HASH_FIND_INT(head, findint, out) \ HASH_FIND(hh, head, findint, sizeof(int), out) #define HASH_ADD_INT(head, intfield, add) \ @@ -682,17 +683,17 @@ typedef unsigned char uint8_t; * isn't defined. */ #ifdef HASH_DEBUG - #define HASH_OOPS(...) \ + #define HASH_OOPS(...) \ + do { \ + \ + fprintf(stderr, __VA_ARGS__); \ + exit(-1); \ + \ + } while (0) +\ + #define HASH_FSCK(hh, head, where) \ do { \ \ - fprintf(stderr, __VA_ARGS__); \ - exit(-1); \ - \ - } while (0) \ - \ - \ - #define HASH_FSCK(hh, head, where) do { \ - \ struct UT_hash_handle *_thh; \ if (head) { \ \ @@ -758,8 +759,7 @@ typedef unsigned char uint8_t; \ } \ \ - } \ - while (0) + } while (0) #else #define HASH_FSCK(hh, head, where) 
@@ -1352,7 +1352,6 @@ typedef unsigned char uint8_t; \ } else if ((cmpfcn(DECLTYPE(head)( \ \ - \ ELMT_FROM_HH((head)->hh.tbl, _hs_p)), \ DECLTYPE(head)(ELMT_FROM_HH((head)->hh.tbl, \ _hs_q)))) <= 0) { \ diff --git a/docs/INSTALL.md b/docs/INSTALL.md index e29fca96..41ec8561 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -8,11 +8,11 @@ hence afl-clang-lto is available) or just pull directly from the Docker Hub (for x86_64 and arm64): ```shell -docker pull docker.io/aflplusplus/aflplusplus:stable -docker run -ti -v /location/of/your/target:/src docker.io/aflplusplus/aflplusplus:stable +docker pull aflplusplus/aflplusplus: +docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` -This image is automatically generated when a push to the stable repo happens. +This image is automatically generated when a push to the stable branch happens. You will find your target source code in `/src` in the container. Note: you can also pull `aflplusplus/aflplusplus:dev` which is the most current @@ -21,6 +21,9 @@ development state of AFL++. If you want to build AFL++ yourself, you have many options. The easiest choice is to build and install everything: +NOTE: depending on your Debian/Ubuntu/Kali/... version replease `-12` with +whatever llvm version is available! + ```shell sudo apt-get update sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc index 9483da83..5fcf27fb 100644 --- a/instrumentation/afl-llvm-common.cc +++ b/instrumentation/afl-llvm-common.cc 
@@ -291,7 +291,7 @@ void scanForDangerousFunctions(llvm::Module *M) { StringRef r_name = cast<Function>(r->getOperand(0))->getName(); if (!be_quiet) fprintf(stderr, - "Info: Found an ifunc with name %s that points to resolver " + "Note: Found an ifunc with name %s that points to resolver " "function %s, we will not instrument this, putting it into the " "block list.\n", ifunc_name.str().c_str(), r_name.str().c_str()); @@ -329,7 +329,7 @@ void scanForDangerousFunctions(llvm::Module *M) { if (!be_quiet) fprintf(stderr, - "Info: Found constructor function %s with prio " + "Note: Found constructor function %s with prio " "%u, we will not instrument this, putting it into a " "block list.\n", F->getName().str().c_str(), Priority); diff --git a/test/test-frida-mode.sh b/test/test-frida-mode.sh index 59b8e307..9e1f756d 100755 --- a/test/test-frida-mode.sh +++ b/test/test-frida-mode.sh @@ -62,7 +62,7 @@ test -e ../afl-frida-trace.so && { #else #fi export AFL_FRIDA_PERSISTENT_ADDR=0x`nm test-instr | grep -Ei "T _main|T main" | awk '{print $1}'` - $ECHO "Info: AFL_FRIDA_PERSISTENT_ADDR=$AFL_FRIDA_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" + $ECHO "Note: AFL_FRIDA_PERSISTENT_ADDR=$AFL_FRIDA_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" env|grep AFL_|sort file test-instr export AFL_DEBUG_CHILD=1 |