authorvan Hauser <vh@thc.org>2020-03-21 21:10:38 +0100
committervan Hauser <vh@thc.org>2020-03-21 21:10:38 +0100
commitc6db05c5ae11e2a33df8aa450d6ccac7d6109a02 (patch)
treef125708d2fe71c72d1c1ff61e720477e989587be
parent6f78b67f033f430b2b71f88b9f596847d7cbedb1 (diff)
downloadafl++-c6db05c5ae11e2a33df8aa450d6ccac7d6109a02.tar.gz
test.sh with -no-pie
-rw-r--r--Makefile18
-rw-r--r--README.md1
-rw-r--r--include/afl-fuzz.h3
-rw-r--r--src/afl-fuzz-bitmap.c1
-rw-r--r--src/afl-fuzz-globals.c2
-rw-r--r--src/afl-fuzz-init.c1
-rw-r--r--src/afl-fuzz-one.c2
-rw-r--r--src/afl-fuzz-run.c2
-rw-r--r--src/afl-fuzz.c2
-rwxr-xr-xtest/test.sh10
10 files changed, 32 insertions, 10 deletions
diff --git a/Makefile b/Makefile
index 018efe29..9913c603 100644
--- a/Makefile
+++ b/Makefile
@@ -151,6 +151,18 @@ ifdef STATIC
   LDFLAGS += -lm -lpthread -lz -lutil
 endif
 
+ifdef ASAN_BUILD
+  $(info Compiling ASAN version of binaries)
+  CFLAGS+=-fsanitize=address
+  LDFLAGS+=-fsanitize=address
+endif
+
+ifdef PROFILING
+  $(info Compiling profiling version of binaries)
+  CFLAGS+=-pg
+  LDFLAGS+=-pg
+endif
+
 ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
 	SHMAT_OK=1
 else
@@ -165,11 +177,6 @@ ifeq "$(TEST_MMAP)" "1"
 	LDFLAGS+=-Wno-deprecated-declarations
 endif
 
-ifdef ASAN_BUILD
-  CFLAGS+=-fsanitize=address
-	LDFLAGS+=-fsanitize=address
-endif
-
 all:	test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
 
 man:    $(MANPAGES) 
@@ -208,6 +215,7 @@ help:
 	@echo "=========================================="
 	@echo STATIC - compile AFL++ static
 	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
+	@echo PROFILING - compile afl-fuzz with profiling information
 	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
 	@echo "=========================================="
 	@echo e.g.: make ASAN_BUILD=1
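Review bot: The new help line says PROFILING affects "afl-fuzz", but the PROFILING block in the first hunk appends `-pg` to the global `CFLAGS`/`LDFLAGS`, so every program in `$(PROGS)` is built with profiling, not just afl-fuzz. The README line added in the same commit says "compile with profiling information (gprof)", which matches what the Makefile does; the help text should say the same: `@echo PROFILING - compile with profiling information (gprof)`. The help target continues outside the hunk.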
diff --git a/README.md b/README.md
index 1476b440..8982d76a 100644
--- a/README.md
+++ b/README.md
@@ -174,6 +174,7 @@ These build options exist:
 
 * STATIC - compile AFL++ static
 * ASAN_BUILD - compiles with memory sanitizer for debug purposes
+* PROFILING - compile with profiling information (gprof)
 * AFL_NO_X86 - if compiling on non-intel/amd platforms
 * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)
 
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 1d83f335..ef68ba5d 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -118,6 +118,9 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
 extern s32
     interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
 
+extern u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt;
+
+
 struct queue_entry {
 
   u8 *fname;                            /* File name for the test case      */
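Review bot: The five new globals `bmcnt, initcnt, one1cnt, one2cnt, runcnt` carry no comment, and the names do not say what they count; from the other hunks, each of the first four is incremented immediately before a `calibrate_case()` call at a different call site (afl-fuzz-bitmap.c, afl-fuzz-init.c, and two sites in afl-fuzz-one.c), and `runcnt` is incremented on entry to `calibrate_case()` itself. A comment such as `/* Debug counters: calibrate_case() calls per call site (bitmap, dry run, fuzz_one, MOpt) and total entries */` would make that readable without chasing the increments. The rest of this header appears to be consolidating fuzzer state into `afl_state_t` (every changed function takes `afl_state_t *afl`), so file-scope counters look like a deliberate exception; a note saying they are temporary instrumentation, if that is the intent, would help the next reader.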
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 86474adc..06078fc2 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -578,6 +578,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
     /* Try to calibrate inline; this also calls update_bitmap_score() when
        successful. */
 
+    bmcnt++;
     res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0);
 
     if (res == FAULT_ERROR) FATAL("Unable to execute target application");
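Review bot: The `bmcnt++` increment is compiled in unconditionally, as are `initcnt++` (afl-fuzz-init.c hunk), `one1cnt++` and `one2cnt++` (both afl-fuzz-one.c hunks) and `runcnt++` (afl-fuzz-run.c hunk), so this debug instrumentation of file-scope globals ships in every build, not only the new PROFILING one. If the counters are meant to stay, guard them behind a debug macro so release binaries are unaffected, e.g. `#ifdef PROFILING` / `bmcnt++;` / `#endif`, with the Makefile's PROFILING block also adding `-DPROFILING` to `CFLAGS`; if they are a one-off measurement, they should not land in the main branch. `save_if_interesting()` starts outside the hunk.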
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index 88633a1b..108952e4 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -38,6 +38,8 @@ u8 *doc_path = NULL;                    /* gath to documentation dir        */
 
 /* Initialize MOpt "globals" for this afl state */
 
+u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt;
+
 static void init_mopt_globals(afl_state_t *afl) {
 
   MOpt_globals_t *core = &afl->mopt_globals_core;
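Review bot: The new definition `u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt;` is inserted between the comment `/* Initialize MOpt "globals" for this afl state */` and `init_mopt_globals()`, the function that comment describes, so the comment now reads as if it documents the counters. Move the definition above the comment (after `doc_path` in the context line), and give it its own one-line comment stating that these are the calibrate_case() call counters declared `extern` in afl-fuzz.h. `init_mopt_globals()` continues outside the hunk.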
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index c3f3fac0..456415f9 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -473,6 +473,7 @@ void perform_dry_run(afl_state_t *afl) {
 
     close(fd);
 
+    initcnt++;
     res = calibrate_case(afl, q, use_mem, 0, 1);
     ck_free(use_mem);
 
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index c1458dbb..5211d565 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -442,6 +442,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
+      one1cnt++;
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
@@ -2460,6 +2461,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
+      one2cnt++;
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index c8153857..6fbb7539 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -303,6 +303,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
      trying to calibrate already-added finds. This helps avoid trouble due
      to intermittent latency. */
 
+  runcnt++;
+
   if (!from_queue || afl->resuming_fuzz)
     use_tmout = MAX(afl->fsrv.exec_tmout + CAL_TMOUT_ADD,
                     afl->fsrv.exec_tmout * CAL_TMOUT_PERC / 100);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 15caa65f..9692c1cb 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1196,6 +1196,8 @@ stop_fuzzing:
 
   OKF("We're done here. Have a nice day!\n");
 
+printf("%u %u %u %u %u\n", bmcnt, initcnt, one1cnt, one2cnt, runcnt);
+
   exit(0);
 
 }
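Review bot: The added `printf("%u %u %u %u %u\n", ...)` is at column 0 while the surrounding lines use the file's two-space indent, and it writes five unlabeled numbers to stdout in the normal exit path, bypassing the messaging macros the block already uses (`OKF` on the line above). If the output is meant to stay, use the same facility with labels so a user reading the fuzzer's final output can tell what they are, e.g. `OKF("calibrate_case calls: bitmap=%u dry_run=%u fuzz_one=%u mopt=%u total=%u", bmcnt, initcnt, one1cnt, one2cnt, runcnt);`, and guard it with the same debug macro as the increments themselves so release builds stay quiet.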
diff --git a/test/test.sh b/test/test.sh
index 5246a3ec..19231e50 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -653,7 +653,7 @@ test -e ../libradamsa.so && {
 
 $ECHO "$BLUE[*] Testing: qemu_mode"
 test -e ../afl-qemu-trace && {
-  gcc -pie -fPIE -o test-instr ../test-instr.c
+  gcc -no-pie -fPIE -o test-instr ../test-instr.c
   gcc -o test-compcov test-compcov.c
   test -e test-instr -a -e test-compcov && {
     {
@@ -678,8 +678,8 @@ test -e ../afl-qemu-trace && {
       $ECHO "$GREY[*] running afl-fuzz for qemu_mode AFL_ENTRYPOINT, this will take approx 6 seconds"
       {
         {
-          export AFL_ENTRYPOINT=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//')`
-          $ECHO AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(m test-instr | grep "T main") - $(file ./test-instr)
+          export AFL_ENTRYPOINT=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' )`
+          #$ECHO AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(nm test-instr | grep "T main") - $(file ./test-instr)
           ../afl-fuzz -m ${MEM_LIMIT} -V2 -Q -i in -o out -- ./test-instr
           unset AFL_ENTRYPOINT
         } >>errors 2>&1
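Review bot: With the binary now linked `-no-pie`, the `T main` value that `nm` prints is already the absolute guest address, yet the new line still prefixes it with `0x4`: on a 64-bit ELF `nm` emits a 16-hex-digit field, so `expr 0x4$(...)` produces a 17-hex-digit literal, and `expr` with a single operand just echoes its argument, so nothing reduces it. The removed `sed 's/^.......//'` was what made the old PIE-base construction fit; unless afl-qemu-trace strips that prefix (worth confirming against its AFL_ENTRYPOINT parsing), the value should simply be `export AFL_ENTRYPOINT=0x$(nm test-instr | grep "T main" | awk '{print $1}')`. The same construction is used for `AFL_QEMU_PERSISTENT_ADDR` in the next hunk. The commented-out `#$ECHO` diagnostic lines in both hunks are dead code and would be clearer removed or kept active behind a verbosity flag.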
@@ -727,9 +727,9 @@ test -e ../afl-qemu-trace && {
       test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && {
         $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds"
         {
-          export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//')`
+          export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' )`
           export AFL_QEMU_PERSISTENT_GPR=1
-          $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')"
+          #$ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')"
           file test-instr
           ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr
           unset AFL_QEMU_PERSISTENT_ADDR