authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-12-28 18:22:15 +0100
committerAndrea Fioraldi <andreafioraldi@gmail.com>2019-12-28 18:22:15 +0100
commit58c7a0f8fe1ae5a31a46ea215f678a3a27fc4537 (patch)
treec298e5013a0807ff0a706766b04e0b6df6279d1e
parent9a2f2f1ee9bb4e72367325a51cbb0e215b0f65c3 (diff)
parentc983e2c5b1c47618a4fac58154cb06020b31bbe3 (diff)
downloadafl++-58c7a0f8fe1ae5a31a46ea215f678a3a27fc4537.tar.gz
Merge branch 'master' of github.com:vanhauser-thc/AFLplusplus
-rw-r--r--Makefile2
-rw-r--r--experimental/socket_fuzzing/socketfuzz.c20
-rw-r--r--llvm_mode/split-compares-pass.so.cc8
-rwxr-xr-xqbdi_mode/template.cpp4
-rw-r--r--src/afl-analyze.c15
-rw-r--r--src/afl-fuzz-python.c9
-rw-r--r--src/afl-fuzz.c10
-rw-r--r--src/afl-showmap.c15
-rw-r--r--src/afl-tmin.c15
-rw-r--r--unicorn_mode/README.md14
10 files changed, 81 insertions, 31 deletions
diff --git a/Makefile b/Makefile
index 1bef1e37..1bfa3f77 100644
--- a/Makefile
+++ b/Makefile
@@ -280,6 +280,8 @@ code-format:
./.custom-format.py -i qemu_mode/libcompcov/*.c
./.custom-format.py -i qemu_mode/libcompcov/*.cc
./.custom-format.py -i qemu_mode/libcompcov/*.h
+ ./.custom-format.py -i qbdi_mode/*.c
+ ./.custom-format.py -i qbdi_mode/*.cpp
./.custom-format.py -i *.h
./.custom-format.py -i *.c
diff --git a/experimental/socket_fuzzing/socketfuzz.c b/experimental/socket_fuzzing/socketfuzz.c
index bd6b68ff..3ec8383b 100644
--- a/experimental/socket_fuzzing/socketfuzz.c
+++ b/experimental/socket_fuzzing/socketfuzz.c
@@ -69,6 +69,9 @@ int dup2(int old, int new) {
int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
+ (void)sockfd;
+ (void)addr;
+ (void)addrlen;
fprintf(stderr, "Info: Emulating accept on %d\n", sockfd);
return 0;
@@ -76,6 +79,9 @@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+ (void)sockfd;
+ (void)addr;
+ (void)addrlen;
fprintf(stderr, "Info: Emulating bind on port %d\n",
ntohs(((struct sockaddr_in *)addr)->sin_port));
return 0;
@@ -84,6 +90,20 @@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
int listen(int sockfd, int backlog) {
+ (void)sockfd;
+ (void)backlog;
+ return 0;
+
+}
+
+int setsockopt(int sockfd, int level, int optid, const void *optdata,
+ socklen_t optdatalen) {
+
+ (void)sockfd;
+ (void)level;
+ (void)optid;
+ (void)optdata;
+ (void)optdatalen;
return 0;
}
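Review bot: Several of the added `(void)` casts discard parameters that are used on the very next line — `sockfd` in accept (the fprintf prints it) and `sockfd`/`addr` in bind (the fprintf reads `sin_port` through `addr`) — so only the genuinely unused ones (`addr`/`addrlen` in accept, `addrlen` in bind) earn the cast. In bind, `addrlen` is better spent guarding the `sockaddr_in` cast than being silenced: `if (addrlen >= sizeof(struct sockaddr_in))` around the port print keeps the stub from reading past a shorter address (AF_UNIX addresses, for instance). The new setsockopt stub returns 0 with no diagnostic, unlike accept and bind; a matching `fprintf(stderr, "Info: Emulating setsockopt on %d\n", sockfd);` would make the interposition visible when a harness misbehaves. The accept and bind bodies continue outside their hunks.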
diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc
index db884cde..eeac4a55 100644
--- a/llvm_mode/split-compares-pass.so.cc
+++ b/llvm_mode/split-compares-pass.so.cc
@@ -470,7 +470,9 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
if (selectcmpInst->getPredicate() == CmpInst::FCMP_OEQ ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ONE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UNE ||
+ selectcmpInst->getPredicate() == CmpInst::FCMP_UGT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
+ selectcmpInst->getPredicate() == CmpInst::FCMP_ULT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OLT) {
auto op0 = selectcmpInst->getOperand(0);
@@ -655,6 +657,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, m_e0, m_e1);
break;
case CmpInst::FCMP_OGT:
+ case CmpInst::FCMP_UGT:
Instruction *icmp_exponent;
icmp_exponent =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, m_e0, m_e1);
@@ -664,6 +667,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
break;
case CmpInst::FCMP_OLT:
+ case CmpInst::FCMP_ULT:
icmp_exponent =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, m_e0, m_e1);
signequal_bb->getInstList().insert(
@@ -755,6 +759,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_f0, t_f1);
break;
case CmpInst::FCMP_OGT:
+ case CmpInst::FCMP_UGT:
Instruction *icmp_fraction;
icmp_fraction =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
@@ -764,6 +769,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0);
break;
case CmpInst::FCMP_OLT:
+ case CmpInst::FCMP_ULT:
icmp_fraction =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
middle_bb->getInstList().insert(
@@ -802,6 +808,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
PN->addIncoming(icmp_fraction_result, middle_bb);
break;
case CmpInst::FCMP_OGT:
+ case CmpInst::FCMP_UGT:
/* if op1 is negative goto true branch,
else go on comparing */
PN->addIncoming(t_s1, bb);
@@ -809,6 +816,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
PN->addIncoming(icmp_fraction_result, middle_bb);
break;
case CmpInst::FCMP_OLT:
+ case CmpInst::FCMP_ULT:
/* if op0 is negative goto true branch,
else go on comparing */
PN->addIncoming(t_s0, bb);
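Review bot: FCMP_UGT and FCMP_ULT are folded into the FCMP_OGT and FCMP_OLT arms at every switch (the `case` lines added in the second through seventh hunks of this file), but the unordered predicates are true when either operand is NaN while the ordered ones are false, and nothing in these hunks tells the two apart. Unless NaN is special-cased elsewhere in splitFPCompares (the function extends well outside the hunks), the split sequence for a UGT/ULT compare will evaluate differently from the original instruction on NaN inputs, which means the instrumented binary can diverge from the uninstrumented one. Either add a NaN check on the unordered path before the sign/exponent/fraction comparison, or at least record the assumption next to the predicate filter in the first hunk: `/* UGT/ULT are lowered like OGT/OLT; NaN operands are not distinguished here */`. The OEQ/ONE/UNE grouping on the lines above already makes the same trade-off, so the comment would document both.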
diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp
index 18766d31..d4ac25e3 100755
--- a/qbdi_mode/template.cpp
+++ b/qbdi_mode/template.cpp
@@ -114,7 +114,7 @@ void afl_maybe_log(unsigned long cur_loc) {
if (afl_area_ptr == NULL) { return; }
unsigned long afl_idx = cur_loc ^ afl_prev_loc;
- afl_idx &= MAP_SIZE -1;
+ afl_idx &= MAP_SIZE - 1;
INC_AFL_AREA(afl_idx);
afl_prev_loc = cur_loc >> 1;
@@ -123,7 +123,7 @@ void afl_maybe_log(unsigned long cur_loc) {
char *read_file(char *path, unsigned long *length) {
unsigned long len;
- char * buf;
+ char * buf;
FILE *fp = fopen(path, "rb");
fseek(fp, 0, SEEK_END);
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 0a9b4785..f71893d8 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -716,11 +716,15 @@ static void set_up_environment(void) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
-
+
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
+
if (afl_preload[i] == ',')
- PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+ PFATAL(
+ "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+ "specified!");
+
}
if (qemu_preload)
@@ -729,7 +733,7 @@ static void set_up_environment(void) {
buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
setenv("QEMU_SET_ENV", buf, 1);
-
+
ck_free(buf);
} else {
@@ -861,9 +865,8 @@ static void find_binary(u8* fname) {
int main(int argc, char** argv) {
- s32 opt;
- u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0,
- use_wine = 0;
+ s32 opt;
+ u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
char** use_argv;
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 73fcd138..6800c0c0 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -345,7 +345,12 @@ u8 trim_case_python(char** argv, struct queue_entry* q, u8* in_buf) {
fault = run_target(argv, exec_tmout);
++trim_execs;
- if (stop_soon || fault == FAULT_ERROR) goto abort_trimming;
+ if (stop_soon || fault == FAULT_ERROR) {
+
+ free(retbuf);
+ goto abort_trimming;
+
+ }
cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);
@@ -381,6 +386,8 @@ u8 trim_case_python(char** argv, struct queue_entry* q, u8* in_buf) {
}
+ free(retbuf);
+
/* Since this can be slow, update the screen every now and then. */
if (!(trim_exec++ % stats_update_freq)) show_stats();
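Review bot: Both added `free(retbuf)` calls release a buffer whose allocation is outside the hunk; the rest of this codebase allocates with ck_alloc/ck_free, which keeps a header in front of the returned pointer, so plain `free()` is only correct if `retbuf` comes from the Python helper's own malloc — worth confirming at the allocation site. In the abort branch `retbuf` is left dangling after the free while the function continues at `abort_trimming:` (outside the hunk); `retbuf = NULL;` after the free keeps any later use or second free harmless. The per-iteration `free(retbuf)` in the second hunk likewise assumes the pointer is reassigned on every pass of the loop, which the visible lines do not show. trim_case_python begins and ends outside these hunks.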
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 7df82b12..ebc11f01 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -717,11 +717,15 @@ int main(int argc, char** argv) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
-
+
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
+
if (afl_preload[i] == ',')
- PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+ PFATAL(
+ "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+ "specified!");
+
}
if (qemu_preload)
@@ -730,7 +734,7 @@ int main(int argc, char** argv) {
buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
setenv("QEMU_SET_ENV", buf, 1);
-
+
ck_free(buf);
} else {
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 0e3e5351..94bbd421 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -365,11 +365,15 @@ static void set_up_environment(void) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
-
+
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
+
if (afl_preload[i] == ',')
- PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+ PFATAL(
+ "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+ "specified!");
+
}
if (qemu_preload)
@@ -378,7 +382,7 @@ static void set_up_environment(void) {
buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
setenv("QEMU_SET_ENV", buf, 1);
-
+
ck_free(buf);
} else {
@@ -524,9 +528,8 @@ static void find_binary(u8* fname) {
int main(int argc, char** argv) {
- s32 opt;
- u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0,
- use_wine = 0;
+ s32 opt;
+ u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
u32 tcnt = 0;
char** use_argv;
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 3230c952..b98208f9 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -889,11 +889,15 @@ static void set_up_environment(void) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
-
+
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
+
if (afl_preload[i] == ',')
- PFATAL("Comma (',') is not allowed in AFL_PRELOAD when -Q is specified!");
+ PFATAL(
+ "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
+ "specified!");
+
}
if (qemu_preload)
@@ -902,7 +906,7 @@ static void set_up_environment(void) {
buf = alloc_printf("LD_PRELOAD=%s", afl_preload);
setenv("QEMU_SET_ENV", buf, 1);
-
+
ck_free(buf);
} else {
@@ -1052,9 +1056,8 @@ static void read_bitmap(u8* fname) {
int main(int argc, char** argv) {
- s32 opt;
- u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0,
- use_wine = 0;
+ s32 opt;
+ u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
char** use_argv;
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
diff --git a/unicorn_mode/README.md b/unicorn_mode/README.md
index 904ea624..e6d3dfcf 100644
--- a/unicorn_mode/README.md
+++ b/unicorn_mode/README.md
@@ -2,9 +2,9 @@
The idea and much of the original implementation comes from Nathan Voss <njvoss299@gmail.com>.
-The port to afl++ if by Dominik Maier <mail@dmnk.co>.
+The port to afl++ is by Dominik Maier <mail@dmnk.co>.
-The CompareCoverage and NeverZero counters features by Andrea Fioraldi <andreafioraldi@gmail.com>.
+The CompareCoverage and NeverZero counters features are by Andrea Fioraldi <andreafioraldi@gmail.com>.
## 1) Introduction
@@ -16,13 +16,13 @@ with afl-gcc or used in QEMU mode, or with other extensions such as
TriforceAFL.
There is a significant performance penalty compared to native AFL,
-but at least we're able to use AFL on these binaries, right?
+but at least we're able to use AFL++ on these binaries, right?
## 2) How to use
Requirements: you need an installed python environment.
-### Building AFL's Unicorn Mode
+### Building AFL++'s Unicorn Mode
First, make afl++ as usual.
Once that completes successfully you need to build and add in the Unicorn Mode
@@ -35,7 +35,7 @@ NOTE: This script checks out a Unicorn Engine fork as submodule that has been te
and is stable-ish, based on the unicorn engine master.
Building Unicorn will take a little bit (~5-10 minutes). Once it completes
-it automatically compiles a sample application and verify that it works.
+it automatically compiles a sample application and verifies that it works.
### Fuzzing with Unicorn Mode
@@ -83,7 +83,7 @@ The 'helper_scripts' directory also contains several helper scripts that allow y
to dump context from a running process, load it, and hook heap allocations. For details
on how to use this check out the follow-up blog post to the one linked above.
-A example use of AFL-Unicorn mode is discussed in the Paper Unicorefuzz:
+A example use of AFL-Unicorn mode is discussed in the paper Unicorefuzz:
https://www.usenix.org/conference/woot19/presentation/maier
## 3) Options
@@ -91,7 +91,7 @@ https://www.usenix.org/conference/woot19/presentation/maier
As for the QEMU-based instrumentation, the afl-unicorn twist of afl++
comes with a sub-instruction based instrumentation similar in purpose to laf-intel.
-The options that enables Unicorn CompareCoverage are the same used for QEMU.
+The options that enable Unicorn CompareCoverage are the same used for QEMU.
AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
values. QEMU_COMPCOV_LEVEL=2 instruments all
comparison instructions. Comparison instructions are currently instrumented only