authorhexcoder- <heiko@hexco.de>2021-01-02 20:01:19 +0100
committerhexcoder- <heiko@hexco.de>2021-01-02 20:01:19 +0100
commit84d3192f01702b4b43e531e3f0dac4743bf1ab0d (patch)
tree356a30cb5fb94a670e8040caeae3ab9d784b6dd9
parentd2a1f05a69afd19ae6017575e0e620fc07827bad (diff)
parent7620f6f39672a4dc799d3875a2c6f7a0d1f0b815 (diff)
Merge branch 'dev' of https://github.com/AFLplusplus/AFLplusplus into dev
-rw-r--r--Dockerfile2
-rw-r--r--GNUmakefile2
-rw-r--r--include/afl-fuzz.h5
-rw-r--r--qemu_mode/QEMUAFL_VERSION2
m---------qemu_mode/qemuafl0
-rw-r--r--src/afl-fuzz-init.c32
-rw-r--r--src/afl-fuzz-queue.c65
-rw-r--r--src/afl-fuzz-redqueen.c3
-rw-r--r--src/afl-fuzz-stats.c4
-rwxr-xr-xtest/test-basic.sh4
-rwxr-xr-xtest/test-gcc-plugin.sh2
-rwxr-xr-xtest/test-llvm.sh4
-rwxr-xr-xunicorn_mode/build_unicorn_support.sh1
-rw-r--r--utils/libdislocator/README.md2
-rw-r--r--utils/libdislocator/libdislocator.so.c8
-rw-r--r--utils/libtokencap/README.md7
16 files changed, 81 insertions, 62 deletions
diff --git a/Dockerfile b/Dockerfile
index abb76209..dec952af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ RUN apt-get update && \
python3 python3-dev python3-setuptools python-is-python3 \
libtool libtool-bin \
libglib2.0-dev \
- wget vim jupp nano bash-completion \
+ wget vim jupp nano bash-completion less \
apt-utils apt-transport-https ca-certificates gnupg dialog \
libpixman-1-dev \
gnuplot-nox \
diff --git a/GNUmakefile b/GNUmakefile
index 58a49571..7b05a1d5 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -414,7 +414,7 @@ afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
@ln -sf afl-as as
src/afl-performance.o : $(COMM_HDR) src/afl-performance.c include/hash.h
- $(CC) -Iinclude $(SPECIAL_PERFORMANCE) -O3 -fno-unroll-loops -c src/afl-performance.c -o src/afl-performance.o
+ $(CC) $(CFLAGS) -Iinclude $(SPECIAL_PERFORMANCE) -O3 -fno-unroll-loops -c src/afl-performance.c -o src/afl-performance.o
src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-common.c -o src/afl-common.o
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 57b0e6cc..a99e4991 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -590,7 +590,8 @@ typedef struct afl_state {
u32 rand_cnt; /* Random number counter */
- u64 rand_seed[3];
+/* unsigned long rand_seed[3]; would also work */
+ AFL_RAND_RETURN rand_seed[3];
s64 init_seed;
u64 total_cal_us, /* Total calibration time (us) */
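Review bot: The added line `/* unsigned long rand_seed[3]; would also work */` is a commented-out alternative declaration rather than documentation, and it will become misleading as soon as AFL_RAND_RETURN changes. The useful information is why the element type is now AFL_RAND_RETURN — presumably because the RNG code reads and writes this array with that type — so replace it with something like `/* RNG state; element type must match the RNG's AFL_RAND_RETURN */` or drop it. The afl_state struct begins and ends outside this hunk.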
@@ -644,7 +645,7 @@ typedef struct afl_state {
unsigned long long int last_avg_exec_update;
u32 last_avg_execs;
- float last_avg_execs_saved;
+ double last_avg_execs_saved;
/* foreign sync */
#define FOREIGN_SYNCS_MAX 32
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 43403430..b73ccc52 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-d66c9e2654
+5400ce883a
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject 21ff34383764a8c6f66509b3b8d5282468c721e
+Subproject 5400ce883a751582473665d8fd18f8e8f9d14cd
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 75c0384f..dbffa4f9 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1667,21 +1667,21 @@ static void handle_existing_out_dir(afl_state_t *afl) {
if (afl->in_place_resume && rmdir(fn)) {
- time_t cur_t = time(0);
- struct tm t;
+ time_t cur_t = time(0);
+ struct tm t;
localtime_r(&cur_t, &t);
#ifndef SIMPLE_FILES
- u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
- t.tm_year + 1900, t.tm_mon + 1, t.tm_mday,
- t.tm_hour, t.tm_min, t.tm_sec);
+ u8 *nfn =
+ alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t.tm_year + 1900,
+ t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
#else
- u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t.tm_year + 1900,
- t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min,
- t.tm_sec);
+ u8 *nfn =
+ alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t.tm_year + 1900,
+ t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
#endif /* ^!SIMPLE_FILES */
@@ -1699,21 +1699,21 @@ static void handle_existing_out_dir(afl_state_t *afl) {
if (afl->in_place_resume && rmdir(fn)) {
- time_t cur_t = time(0);
- struct tm t;
+ time_t cur_t = time(0);
+ struct tm t;
localtime_r(&cur_t, &t);
#ifndef SIMPLE_FILES
- u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
- t.tm_year + 1900, t.tm_mon + 1, t.tm_mday,
- t.tm_hour, t.tm_min, t.tm_sec);
+ u8 *nfn =
+ alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t.tm_year + 1900,
+ t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
#else
- u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t.tm_year + 1900,
- t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min,
- t.tm_sec);
+ u8 *nfn =
+ alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t.tm_year + 1900,
+ t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
#endif /* ^!SIMPLE_FILES */
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index d4b35ad2..9a0d199e 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -45,25 +45,19 @@ inline u32 select_next_queue_entry(afl_state_t *afl) {
double compute_weight(afl_state_t *afl, struct queue_entry *q,
double avg_exec_us, double avg_bitmap_size) {
- u32 hits;
+ double weight = 1.0;
if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
- hits = afl->n_fuzz[q->n_fuzz_entry];
- if (hits == 0) { hits = 1; }
-
- } else {
-
- hits = 1;
+ u32 hits = afl->n_fuzz[q->n_fuzz_entry];
+ if (likely(hits)) { weight *= log10(hits) + 1; }
}
- double weight = 1.0;
weight *= avg_exec_us / q->exec_us;
- weight *= log(q->bitmap_size) / avg_bitmap_size;
- weight /= log10(hits) + 1;
+ weight *= (log(q->bitmap_size) / avg_bitmap_size);
- if (q->favored) weight *= 5;
+ if (unlikely(q->favored)) weight *= 5;
return weight;
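Review bot: The hit-count factor changes direction here: the removed `weight /= log10(hits) + 1;` made frequently-hit entries lighter, while the new `if (likely(hits)) { weight *= log10(hits) + 1; }` makes them heavier. If that inversion is intended, the rationale belongs in a comment on that line; if not, the operator should be `/=`. The removed `hits == 0 → hits = 1` fallback is equivalent to the new "leave weight untouched" path since log10(1) + 1 == 1, so that part is fine. The pre-existing divisions by `q->exec_us` and `avg_bitmap_size` remain unguarded against zero, and compute_weight's closing brace lies outside the hunk.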
@@ -97,30 +91,43 @@ void create_alias_table(afl_state_t *afl) {
double avg_exec_us = 0.0;
double avg_bitmap_size = 0.0;
+ u32 active = 0;
+
for (i = 0; i < n; i++) {
struct queue_entry *q = afl->queue_buf[i];
- avg_exec_us += q->exec_us;
- avg_bitmap_size += log(q->bitmap_size);
+
+ // disabled entries might have timings and bitmap values
+ if (likely(!q->disabled)) {
+
+ avg_exec_us += q->exec_us;
+ avg_bitmap_size += log(q->bitmap_size);
+ ++active;
+
+ }
}
- avg_exec_us /= afl->queued_paths;
- avg_bitmap_size /= afl->queued_paths;
+ avg_exec_us /= active;
+ avg_bitmap_size /= active;
for (i = 0; i < n; i++) {
struct queue_entry *q = afl->queue_buf[i];
- q->weight = q->disabled ? 0 : compute_weight(afl, q, avg_exec_us, avg_bitmap_size);
- q->perf_score = q->disabled ? 0 : calculate_score(afl, q);
+ if (likely(!q->disabled)) {
- sum += q->weight;
+ q->weight = compute_weight(afl, q, avg_exec_us, avg_bitmap_size);
+ q->perf_score = calculate_score(afl, q);
+ sum += q->weight;
+
+ }
}
for (i = 0; i < n; i++) {
+ // weight is always 0 for disabled entries
P[i] = (afl->queue_buf[i]->weight * n) / sum;
}
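Review bot: The comment `// weight is always 0 for disabled entries` states an invariant this hunk stops maintaining: the removed line wrote `q->weight = q->disabled ? 0 : ...` on every call, whereas the new loop skips disabled entries, so an entry disabled after its weight was last computed keeps that stale weight and gets a non-zero `P[i]`. Unless the code that sets `q->disabled` also zeroes weight and perf_score (not visible here), add an `else { q->weight = 0; q->perf_score = 0; }` to the skip; the perf_score comment in the next hunk (@@ -139,8 +146,8 @@) has the same dependency. Separately, `avg_exec_us /= active;` and `avg_bitmap_size /= active;` divide by zero when every entry is disabled, producing NaN averages and, via `sum == 0`, a NaN alias table; if the caller does not exclude that case, compute the averages only when `active` is non-zero. create_alias_table starts before and ends after this hunk.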
@@ -139,8 +146,8 @@ void create_alias_table(afl_state_t *afl) {
for (i = 0; i < n; i++) {
- struct queue_entry *q = afl->queue_buf[i];
- P[i] = (q->perf_score * n) / sum;
+ // perf_score is always 0 for disabled entries
+ P[i] = (afl->queue_buf[i]->perf_score * n) / sum;
}
@@ -197,11 +204,13 @@ void create_alias_table(afl_state_t *afl) {
struct queue_entry *q = afl->queue_buf[i];
fprintf(
f,
- "entry=%u name=%s variable=%s disabled=%s len=%u exec_us=%u "
+ "entry=%u name=%s favored=%s variable=%s disabled=%s len=%u "
+ "exec_us=%u "
"bitmap_size=%u bitsmap_size=%u tops=%u weight=%f perf_score=%f\n",
- i, q->fname, q->var_behavior ? "true" : "false",
- q->disabled ? "true" : "false", q->len, (u32)q->exec_us,
- q->bitmap_size, q->bitsmap_size, q->tc_ref, q->weight, q->perf_score);
+ i, q->fname, q->favored ? "true" : "false",
+ q->var_behavior ? "true" : "false", q->disabled ? "true" : "false",
+ q->len, (u32)q->exec_us, q->bitmap_size, q->bitsmap_size, q->tc_ref,
+ q->weight, q->perf_score);
}
@@ -213,10 +222,10 @@ void create_alias_table(afl_state_t *afl) {
#endif
/*
- fprintf(stderr, " entry alias probability perf_score filename\n");
- for (u32 i = 0; i < n; ++i)
- fprintf(stderr, " %5u %5u %11u %0.9f %s\n", i, afl->alias_table[i],
- afl->alias_probability[i], afl->queue_buf[i]->perf_score,
+ fprintf(stderr, " entry alias probability perf_score weight
+ filename\n"); for (u32 i = 0; i < n; ++i) fprintf(stderr, " %5u %5u %11u
+ %0.9f %0.9f %s\n", i, afl->alias_table[i], afl->alias_probability[i],
+ afl->queue_buf[i]->perf_score, afl->queue_buf[i]->weight,
afl->queue_buf[i]->fname);
*/
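Review bot: The commented-out diagnostic dump has been reflowed by the formatter, so its format string is now broken mid-literal across `"... perf_score weight` and `filename\n"); for ...` and the block can no longer be re-enabled by removing the comment markers. Either delete the dead code or keep it under `#if 0` / `#endif`, which the formatter does not reflow. create_alias_table continues outside the hunk.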
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 5b3ade1d..37d66aef 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -456,7 +456,8 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
- if (/* SHAPE_BYTES(h->shape) >= 1 && */ *status != 1) { /* avoid CodeQL warning on unsigned overflow */
+ /* avoid CodeQL warning on unsigned overflow */
+ if (/* SHAPE_BYTES(h->shape) >= 1 && */ *status != 1) {
if (its_len >= 1 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index cb0d3dcd..1c211da6 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -120,8 +120,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
cur_time - afl->last_avg_exec_update >= 60000))) {
afl->last_avg_execs_saved =
- (float)(1000 * (afl->fsrv.total_execs - afl->last_avg_execs)) /
- (float)(cur_time - afl->last_avg_exec_update);
+ (double)(1000 * (afl->fsrv.total_execs - afl->last_avg_execs)) /
+ (double)(cur_time - afl->last_avg_exec_update);
afl->last_avg_execs = afl->fsrv.total_execs;
afl->last_avg_exec_update = cur_time;
diff --git a/test/test-basic.sh b/test/test-basic.sh
index 2ddf14af..79f90ea0 100755
--- a/test/test-basic.sh
+++ b/test/test-basic.sh
@@ -71,7 +71,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
test -z "$SKIP" && {
$ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds"
{
- ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1
+ ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -D -- ./test-instr.plain >>errors 2>&1
} >>errors 2>&1
test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
$ECHO "$GREEN[+] afl-fuzz is working correctly with ${AFL_GCC}"
@@ -191,7 +191,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
test -z "$SKIP" && {
$ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds"
{
- ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1
+ ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -D -- ./test-instr.plain >>errors 2>&1
} >>errors 2>&1
test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
$ECHO "$GREEN[+] afl-fuzz is working correctly with ${AFL_GCC}"
diff --git a/test/test-gcc-plugin.sh b/test/test-gcc-plugin.sh
index 2b09e753..9fe63ea3 100755
--- a/test/test-gcc-plugin.sh
+++ b/test/test-gcc-plugin.sh
@@ -67,7 +67,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && {
echo 0 > in/in
$ECHO "$GREY[*] running afl-fuzz for gcc_plugin, this will take approx 10 seconds"
{
- ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain.gccpi >>errors 2>&1
+ ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -D -- ./test-instr.plain.gccpi >>errors 2>&1
} >>errors 2>&1
test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
$ECHO "$GREEN[+] afl-fuzz is working correctly with gcc_plugin"
diff --git a/test/test-llvm.sh b/test/test-llvm.sh
index 09ade0c3..e5005d72 100755
--- a/test/test-llvm.sh
+++ b/test/test-llvm.sh
@@ -71,7 +71,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
test -z "$SKIP" && {
$ECHO "$GREY[*] running afl-fuzz for llvm_mode, this will take approx 10 seconds"
{
- ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1
+ ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -D -- ./test-instr.plain >>errors 2>&1
} >>errors 2>&1
test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
$ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode"
@@ -164,7 +164,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
echo ZZZZ > in/in
$ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 30 seconds"
{
- AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 1 -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1
+ AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 1 -V30 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1
} >>errors 2>&1
test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && {
$ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly"
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index d6fc58e4..8f6ceab7 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -156,6 +156,7 @@ if [ $? -eq 0 ]; then
echo "[*] initializing unicornafl submodule"
git submodule init || exit 1
git submodule update ./unicornafl 2>/dev/null # ignore errors
+ git submodule sync ./unicornafl 2>/dev/null # ignore errors
else
echo "[*] cloning unicornafl"
test -d unicornafl || {
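Review bot: `git submodule sync ./unicornafl` runs after `git submodule update ./unicornafl`, but sync only rewrites the submodule's remote URL from .gitmodules, so a URL change takes effect on the next build rather than this one. Move the sync line to just after `git submodule init || exit 1`, and reconsider silencing its failure with `2>/dev/null`, since a sync that fails leaves the update fetching from whatever URL was previously configured. The enclosing if/else block starts before the hunk.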
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index 1785463e..d0340af0 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -1,6 +1,6 @@
# libdislocator, an abusive allocator
- (See ../README.md for the general instruction manual.)
+ (See ../../README.md for the general instruction manual.)
This is a companion library that can be used as a drop-in replacement for the
libc allocator in the fuzzed binaries. It improves the odds of bumping into
diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c
index 2324e390..c2b200cb 100644
--- a/utils/libdislocator/libdislocator.so.c
+++ b/utils/libdislocator/libdislocator.so.c
@@ -345,10 +345,10 @@ void free(void *ptr) {
len = PTR_L(ptr);
total_mem -= len;
+ u8 * ptr_ = ptr;
if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) {
- u8 * ptr_ = ptr;
size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
for (; len < rlen; ++len)
if (ptr_[len] != TAIL_ALLOC_CANARY)
@@ -359,11 +359,13 @@ void free(void *ptr) {
/* Protect everything. Note that the extra page at the end is already
set as PROT_NONE, so we don't need to touch that. */
- ptr -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
+ ptr_ -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
- if (mprotect(ptr - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
+ if (mprotect(ptr_ - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
FATAL("mprotect() failed when freeing memory");
+ ptr = ptr_;
+
/* Keep the mapping; this is wasteful, but prevents ptr reuse. */
}
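Review bot: `ptr = ptr_;` writes back into free()'s by-value parameter after the mapping has been protected; unless `ptr` is read again later in the function (its remainder is outside the hunk), the assignment is dead and should be dropped, and if it is read, a comment explaining why the rebased address is needed would help. Doing the arithmetic on `u8 *` in `ptr_ -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;` removes the reliance on the GNU void-pointer-arithmetic extension, apparently the reason the earlier hunk hoists `u8 * ptr_ = ptr;` out of the alignment branch; that is worth a one-line comment at the hoisted declaration, which should also be written `u8 *ptr_ = ptr;` to match the pointer style used elsewhere in the file.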
diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md
index 13a440da..a39ed3a5 100644
--- a/utils/libtokencap/README.md
+++ b/utils/libtokencap/README.md
@@ -1,6 +1,11 @@
# strcmp() / memcmp() token capture library
- (See ../README.md for the general instruction manual.)
+ NOTE: libtokencap is only recommended for binary-only targets or targets that
+ do not compile with afl-clang-fast/afl-clang-lto.
+ The afl-clang-fast AFL_LLVM_DICT2FILE feature is much better, afl-clang-lto
+ has that feature automatically integrated.
+
+ (See ../../README.md for the general instruction manual.)
This companion library allows you to instrument `strcmp()`, `memcmp()`,
and related functions to automatically extract syntax tokens passed to any of