authorvan Hauser <vh@thc.org>2022-09-28 22:56:28 +0200
committerGitHub <noreply@github.com>2022-09-28 22:56:28 +0200
commit7e0171006a32bf6b510e08df76ca6d8555272140 (patch)
treee163306b4bdf270c2c787d23007fb61921bb9c40
parentad4b7274766418d2006177edebf0d242b49c5fef (diff)
parent96b774261172a2259ab98cc529eba3d7212375cb (diff)
downloadafl++-7e0171006a32bf6b510e08df76ca6d8555272140.tar.gz
Merge pull request #1537 from AFLplusplus/dev
push to stable
-rwxr-xr-xafl-persistent-config4
-rwxr-xr-xafl-system-config4
-rwxr-xr-xcustom_mutators/gramatron/build_gramatron_mutator.sh2
m---------custom_mutators/gramatron/json-c0
-rwxr-xr-xcustom_mutators/grammar_mutator/build_grammar_mutator.sh2
-rw-r--r--docs/Changelog.md8
-rw-r--r--docs/custom_mutators.md2
-rw-r--r--include/config.h2
-rw-r--r--instrumentation/afl-compiler-rt.o.c61
-rw-r--r--instrumentation/afl-gcc-cmplog-pass.so.cc16
-rw-r--r--instrumentation/afl-gcc-cmptrs-pass.so.cc8
-rw-r--r--instrumentation/afl-gcc-common.h7
-rw-r--r--instrumentation/afl-gcc-pass.so.cc3
13 files changed, 78 insertions, 41 deletions
diff --git a/afl-persistent-config b/afl-persistent-config
index 927f0062..6d96c196 100755
--- a/afl-persistent-config
+++ b/afl-persistent-config
@@ -113,10 +113,10 @@ EOF
grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options
grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && {
- grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q hardened_usercopy=off || {
+ grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q 'noibrs pcid nopti' || {
echo "Configuring performance boot options"
LINE=`grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'`
- OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
+ OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
echo Setting boot options in /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"
sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"|" /etc/default/grub
}
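Review bot: The new guard at L37 only recognises the literal substring `'noibrs pcid nopti'`, so a grub line that already carries these options in another order, or one written by the previous version of this script (`nopcid nopti`), is treated as unconfigured and the whole OPTIONS string is appended a second time by the `sed -i` at L43. Checking the options individually, e.g. `grep -E -q '(^|[ "])nopti([ "]|$)'`, is more robust, and because `sed -i` rewrites /etc/default/grub in place a backup (`sed -i.bak …` or a `cp` beforehand) would make the edit reversible. The OPTIONS string at L41 also still lists `mitigations=off` and `tsx=on` twice, and now carries both `pcid` and `pcid=on`. The same literal is used for detection in afl-system-config. The enclosing `&& {` block continues outside the hunk.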
diff --git a/afl-system-config b/afl-system-config
index faa64487..bf6397fa 100755
--- a/afl-system-config
+++ b/afl-system-config
@@ -47,9 +47,9 @@ if [ "$PLATFORM" = "Linux" ] ; then
} > /dev/null
echo Settings applied.
echo
- dmesg | grep -E -q 'nospectre_v2|spectre_v2=off' || {
+ dmesg | grep -E -q 'noibrs pcid nopti' || {
echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
- echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
+ echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
echo
}
echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
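Review bot: The check at L54 reads the boot command line back out of `dmesg`, whose ring buffer may have rotated or be restricted to root, so the recommendation is printed on an already-configured machine; `/proc/cmdline` holds the same string reliably on Linux, `grep -E -q 'noibrs pcid nopti' /proc/cmdline || {`. The suggested line at L57 still uses `kpti=0` whereas afl-persistent-config writes `kpti=off` for the same option, so the two scripts advertise different values. The surrounding `if [ "$PLATFORM" = "Linux" ]` block continues outside the hunk.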
diff --git a/custom_mutators/gramatron/build_gramatron_mutator.sh b/custom_mutators/gramatron/build_gramatron_mutator.sh
index 9952e7f5..ff88ff26 100755
--- a/custom_mutators/gramatron/build_gramatron_mutator.sh
+++ b/custom_mutators/gramatron/build_gramatron_mutator.sh
@@ -125,7 +125,7 @@ else
}
fi
-test -d json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
echo "[+] Got json-c."
test -e json-c/.libs/libjson-c.a || {
diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c
-Subproject 11546bfd07a575c47416924cb98de3d33a4e642
+Subproject af8dd4a307e7b837f9fa2959549548ace4afe08
diff --git a/custom_mutators/grammar_mutator/build_grammar_mutator.sh b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
index 5121b07f..74cae8aa 100755
--- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
@@ -119,7 +119,7 @@ else
}
fi
-test -f grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
echo "[+] Got grammar mutator."
cd "grammar_mutator" || exit 1
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7d34d364..9503f493 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -4,6 +4,14 @@
release of the tool. See README.md for the general instruction manual.
+### Version ++4.04a (dev)
+ - fix gramatron and grammar_mutatur build scripts
+ - enhancements to the afl-persistent-config and afl-system-config
+ scripts
+ - afl-cc:
+ - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
+
+
### Version ++4.03c (release)
- Building now gives a build summary what succeeded and what not
- afl-fuzz:
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index 6f3353ec..6b72430a 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -68,7 +68,7 @@ Python:
def init(seed):
pass
-def fuzz_count(buf, add_buf, max_size):
+def fuzz_count(buf):
return cnt
def fuzz(buf, add_buf, max_size):
diff --git a/include/config.h b/include/config.h
index 2882c9de..21701515 100644
--- a/include/config.h
+++ b/include/config.h
@@ -26,7 +26,7 @@
/* Version string: */
// c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.03c"
+#define VERSION "++4.04a"
/******************************************************
* *
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 1759898e..194d49b0 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -102,6 +102,7 @@ u32 __afl_final_loc;
u32 __afl_map_size = MAP_SIZE;
u32 __afl_dictionary_len;
u64 __afl_map_addr;
+u32 __afl_first_final_loc;
// for the __AFL_COVERAGE_ON/__AFL_COVERAGE_OFF features to work:
int __afl_selective_coverage __attribute__((weak));
@@ -319,13 +320,16 @@ static void __afl_map_shm(void) {
} else {
- if (!getenv("AFL_QUIET"))
+ if (__afl_final_loc > MAP_INITIAL_SIZE && !getenv("AFL_QUIET")) {
+
fprintf(stderr,
"Warning: AFL++ tools might need to set AFL_MAP_SIZE to %u "
"to be able to run this instrumented program if this "
"crashes!\n",
__afl_final_loc);
+ }
+
}
}
@@ -343,29 +347,35 @@ static void __afl_map_shm(void) {
}
- if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) {
+ if (!id_str) {
u32 val = 0;
u8 *ptr;
- if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr);
+ if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
if (val > MAP_INITIAL_SIZE) {
__afl_map_size = val;
- __afl_area_ptr_dummy = malloc(__afl_map_size);
- if (!__afl_area_ptr_dummy) {
- fprintf(stderr,
- "Error: AFL++ could not aquire %u bytes of memory, exiting!\n",
- __afl_map_size);
- exit(-1);
+ } else {
+
+ if (__afl_first_final_loc > MAP_INITIAL_SIZE) {
+
+ // done in second stage constructor
+ __afl_map_size = __afl_first_final_loc;
+
+ } else {
+
+ __afl_map_size = MAP_INITIAL_SIZE;
}
- } else {
+ }
+
+ if (__afl_map_size > MAP_INITIAL_SIZE && __afl_final_loc < __afl_map_size) {
- __afl_map_size = MAP_INITIAL_SIZE;
+ __afl_final_loc = __afl_map_size;
}
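Review bot: `val = atoi(ptr)` at L157 accepts any string silently, and the `int` result is stored into the `u32 val` from L154 without a range check, so `AFL_MAP_SIZE=-1` becomes 4294967295, passes the `> MAP_INITIAL_SIZE` test at L158 and is adopted as `__afl_map_size`. Parsing with `strtoul` and rejecting junk and out-of-range input avoids that: `char *end; unsigned long v = strtoul((char *)ptr, &end, 10);` followed by `if (end != (char *)ptr && !*end && v <= UINT32_MAX) { val = (u32)v; }`. The removed `malloc` error path means an oversized value is no longer backed by an allocation at this point; presumably the `else if` further down handles it, but that body is outside the hunk. `__afl_map_shm` continues outside the hunk.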
@@ -516,7 +526,9 @@ static void __afl_map_shm(void) {
}
- } else if (__afl_final_loc > __afl_map_size) {
+ } else if (__afl_final_loc > MAP_INITIAL_SIZE &&
+
+ __afl_final_loc > __afl_first_final_loc) {
if (__afl_area_initial != __afl_area_ptr_dummy) {
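Review bot: The new condition at L187-189 tests `__afl_final_loc > __afl_first_final_loc`, but `__afl_first_final_loc` is set to `__afl_final_loc + 1` in `__afl_auto_second` and exactly that many bytes are allocated there. If the `+ 1` exists because index `__afl_final_loc` itself is written into the map (not visible in this hunk), then a later module raising `__afl_final_loc` by exactly one makes the two equal, this branch is skipped, and the highest index lies one byte past the buffer. In that case `__afl_final_loc >= __afl_first_final_loc` is the intended test. The `if` body continues outside the hunk, so what it does for the other sizes could not be checked.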
@@ -537,7 +549,7 @@ static void __afl_map_shm(void) {
}
- }
+ } // else: nothing to be done
__afl_area_ptr_backup = __afl_area_ptr;
@@ -1375,21 +1387,24 @@ __attribute__((constructor(1))) void __afl_auto_second(void) {
if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
u8 *ptr;
- if (__afl_final_loc) {
+ if (__afl_final_loc > MAP_INITIAL_SIZE) {
+
+ __afl_first_final_loc = __afl_final_loc + 1;
if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial)
free(__afl_area_ptr);
if (__afl_map_addr)
- ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_final_loc,
+ ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_first_final_loc,
PROT_READ | PROT_WRITE,
MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
else
- ptr = (u8 *)malloc(__afl_final_loc);
+ ptr = (u8 *)malloc(__afl_first_final_loc);
if (ptr && (ssize_t)ptr != -1) {
__afl_area_ptr = ptr;
+ __afl_area_ptr_dummy = __afl_area_ptr;
__afl_area_ptr_backup = __afl_area_ptr;
}
@@ -1407,14 +1422,18 @@ __attribute__((constructor(0))) void __afl_auto_first(void) {
__afl_already_initialized_first = 1;
if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
- u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
- if (ptr && (ssize_t)ptr != -1) {
+ /*
+ u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
- __afl_area_ptr = ptr;
- __afl_area_ptr_backup = __afl_area_ptr;
+ if (ptr && (ssize_t)ptr != -1) {
- }
+ __afl_area_ptr = ptr;
+ __afl_area_ptr_backup = __afl_area_ptr;
+
+ }
+
+ */
} // ptr memleak report is a false positive
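Review bot: The body of `__afl_auto_first` at L223-234 is disabled by wrapping it in a block comment instead of removing it, and the trailing `// ptr memleak report is a false positive` at L235 now describes code that no longer runs. Version control already keeps the old allocation, so deleting the commented block and replacing the trailer with a note on why the constructor is now empty, e.g. `// map allocation moved to __afl_auto_second`, keeps the function readable. If the function is kept only as a hook, saying so in its comment is clearer than dead code.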
diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc
index 5e5792c3..e42e8bc0 100644
--- a/instrumentation/afl-gcc-cmplog-pass.so.cc
+++ b/instrumentation/afl-gcc-cmplog-pass.so.cc
@@ -243,8 +243,8 @@ struct afl_cmplog_pass : afl_base_pass {
tree t = build_nonstandard_integer_type(sz, 1);
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, VIEW_CONVERT_EXPR,
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, VIEW_CONVERT_EXPR,
build1(VIEW_CONVERT_EXPR, t, lhs));
lhs = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
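Review bot: `gimple g` at L245 is only a pointer because the afl-gcc-common.h hunk adds `#define gimple gimple *`, which turns a GCC type name into a macro: `gimple g, h;` would declare `h` as a non-pointer, and any GCC header included after afl-gcc-common.h sees the rewritten token. A typedef under the same version check, `typedef gimple *afl_gimple;` / `typedef gimple afl_gimple;` (name constructed), with the passes declaring `afl_gimple g`, gives the same portability without the macro. The same pattern is used in the other cmplog hunks (-263, -273, -282, -305) and the three afl-gcc-cmptrs-pass.so.cc hunks. Whether 6.2.0 is the exact release where `gimple` stopped being a pointer typedef is worth confirming against GCC's history. The enclosing method of `afl_cmplog_pass` continues outside the hunk.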
@@ -263,8 +263,8 @@ struct afl_cmplog_pass : afl_base_pass {
lhs = fold_convert_loc(UNKNOWN_LOCATION, t, lhs);
if (!is_gimple_val(lhs)) {
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, lhs);
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, lhs);
lhs = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -273,8 +273,8 @@ struct afl_cmplog_pass : afl_base_pass {
rhs = fold_convert_loc(UNKNOWN_LOCATION, t, rhs);
if (!is_gimple_val(rhs)) {
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, rhs);
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, rhs);
rhs = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -282,7 +282,7 @@ struct afl_cmplog_pass : afl_base_pass {
/* Insert the call. */
tree att = build_int_cst(t8u, attr);
- gimple *call;
+ gimple call;
if (pass_n)
call = gimple_build_call(fn, 4, lhs, rhs, att,
build_int_cst(t8u, sz / 8 - 1));
@@ -305,7 +305,7 @@ struct afl_cmplog_pass : afl_base_pass {
gimple_stmt_iterator gsi = gsi_last_bb(bb);
if (gsi_end_p(gsi)) continue;
- gimple *stmt = gsi_stmt(gsi);
+ gimple stmt = gsi_stmt(gsi);
if (gimple_code(stmt) == GIMPLE_COND) {
diff --git a/instrumentation/afl-gcc-cmptrs-pass.so.cc b/instrumentation/afl-gcc-cmptrs-pass.so.cc
index e9e2fe0d..0ddbac15 100644
--- a/instrumentation/afl-gcc-cmptrs-pass.so.cc
+++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc
@@ -241,7 +241,7 @@ struct afl_cmptrs_pass : afl_base_pass {
for (gimple_stmt_iterator gsi = gsi_after_labels(bb); !gsi_end_p(gsi);
gsi_next(&gsi)) {
- gimple *stmt = gsi_stmt(gsi);
+ gimple stmt = gsi_stmt(gsi);
/* We're only interested in GIMPLE_CALLs. */
if (gimple_code(stmt) != GIMPLE_CALL) continue;
@@ -291,8 +291,8 @@ struct afl_cmptrs_pass : afl_base_pass {
tree c = fold_convert_loc(UNKNOWN_LOCATION, tp8u, arg[i]);
if (!is_gimple_val(c)) {
- tree s = make_ssa_name(tp8u);
- gimple *g = gimple_build_assign(s, c);
+ tree s = make_ssa_name(tp8u);
+ gimple g = gimple_build_assign(s, c);
c = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -302,7 +302,7 @@ struct afl_cmptrs_pass : afl_base_pass {
}
- gimple *call = gimple_build_call(fn, 2, arg[0], arg[1]);
+ gimple call = gimple_build_call(fn, 2, arg[0], arg[1]);
gsi_insert_before(&gsi, call, GSI_SAME_STMT);
}
diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h
index 2b71bd22..766c0eff 100644
--- a/instrumentation/afl-gcc-common.h
+++ b/instrumentation/afl-gcc-common.h
@@ -498,3 +498,10 @@ struct afl_base_pass : gimple_opt_pass {
} // namespace
+// compatibility for older gcc versions
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \
+ 60200 /* >= version 6.2.0 */
+#define gimple gimple *
+#else
+#define gimple gimple
+#endif
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index 052b3159..2b251075 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -125,7 +125,10 @@
*/
#include "afl-gcc-common.h"
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \
+ 60200 /* >= version 6.2.0 */
#include "memmodel.h"
+#endif
/* This plugin, being under the same license as GCC, satisfies the
"GPL-compatible Software" definition in the GCC RUNTIME LIBRARY
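Review bot: The version test at L327-328 repeats the expression introduced in afl-gcc-common.h (L314-315) verbatim, so the two thresholds can drift apart; since afl-gcc-common.h is included one line earlier, a single `#define AFL_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)` there (name constructed) lets both sites read `#if AFL_GCC_VERSION >= 60200`. The `/* >= version 6.2.0 */` trailer documents the number but not why `memmodel.h` is tied to it; confirming that the header exists in every release from 6.2.0 onward, and recording that in the comment, would make the guard easier to maintain.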