diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-02-16 13:19:36 +0100 |
|---|---|---|
| committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-02-16 13:19:36 +0100 |
| commit | 8acd503526eda9d8c87374d8cf570aeac54ced73 (patch) | |
| tree | ee7ddf089545f8807530abf4bee96d16bc6e5380 | |
| parent | 4bca8af499a6ecbd2c6111f4820b66c2ba4710b5 (diff) | |
| parent | 4d7f39f819b97c9985750331f12b576222cb12e2 (diff) | |
| download | afl++-8acd503526eda9d8c87374d8cf570aeac54ced73.tar.gz | |
Merge branch 'master' of github.com:vanhauser-thc/AFLplusplus
| -rw-r--r-- | docs/Changelog.md | 4 | ||||
| -rw-r--r-- | docs/env_variables.md | 5 | ||||
| -rw-r--r-- | docs/notes_for_asan.md | 3 | ||||
| -rw-r--r-- | gcc_plugin/afl-gcc-fast.c | 10 | ||||
| -rw-r--r-- | llvm_mode/afl-clang-fast.c | 10 | ||||
| -rw-r--r-- | src/afl-fuzz-redqueen.c | 16 | ||||
| -rw-r--r-- | src/afl-gcc.c | 12 |
7 files changed, 37 insertions, 23 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index e0bb500a..e8b95604 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -28,6 +28,10 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :) - LLVM 11 is supported - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) + - afl-gcc, afl-clang-fast, afl-gcc-fast: + - experimental support for undefined behaviour sanitizer UBSAN + (set AFL_USE_UBSAN=1) + - the instrumentation summary output now also lists activated sanitizers - qemu_mode: - persistent mode is now also available for arm and aarch64 - CmpLog instrumentation for QEMU (-c afl-fuzz command line option) diff --git a/docs/env_variables.md b/docs/env_variables.md index ebfe12c2..f2642e56 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -25,9 +25,8 @@ tools make fairly broad use of environmental variables: - see [notes_for_asan.md](notes_for_asan.md). (You can also enable MSAN via AFL_USE_MSAN; ASAN and MSAN come with the - same gotchas; the modes are mutually exclusive. UBSAN and other exotic - sanitizers are not officially supported yet, but are easy to get to work - by hand.) + same gotchas; the modes are mutually exclusive. UBSAN can be enabled + similarly by setting the environment variable AFL_USE_UBSAN=1) - Setting AFL_CC, AFL_CXX, and AFL_AS lets you use alternate downstream compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index c10a9726..9c49dc1f 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -136,7 +136,8 @@ istruction that will cause SIGILL (ud2 on x86) when an undefined behaviour is detected. This is the option that you want to use when combining AFL++ and UBSan. -AFL_USE_UBSAN=1 env var will add this compiler flag to afl-clang-fast for you. +AFL_USE_UBSAN=1 env var will add this compiler flag to afl-clang-fast, +afl-gcc-fast and afl-gcc for you. Old versions of UBSAN don't offer a consistent way to abort() on fault conditions or to terminate with a distinctive exit code diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 2eef8798..bf89b867 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -192,13 +192,13 @@ static void edit_params(u32 argc, char** argv) { } - if (getenv("AFL_USE_UBSAN")) { + } - cc_params[cc_par_cnt++] = "-fsanitize=undefined"; - cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; - cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; + if (getenv("AFL_USE_UBSAN")) { - } + cc_params[cc_par_cnt++] = "-fsanitize=undefined"; + cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; + cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; } diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 348b5333..a9a86957 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -300,13 +300,13 @@ static void edit_params(u32 argc, char** argv) { } - if (getenv("AFL_USE_UBSAN")) { + } - cc_params[cc_par_cnt++] = "-fsanitize=undefined"; - cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; - cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; + if (getenv("AFL_USE_UBSAN")) { - } + cc_params[cc_par_cnt++] = "-fsanitize=undefined"; + cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; + cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; } diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 296fcd98..4f5d69f7 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -128,7 +128,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { rand_replace(buf + rng->start, s); u32 cksum; - if (unlikely(get_exec_checksum(buf, len, &cksum))) return 1; + if (unlikely(get_exec_checksum(buf, len, &cksum))) goto checksum_fail; if (cksum != exec_cksum) { @@ -149,6 +149,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { new_hit_cnt = queued_paths + unique_crashes; stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_COLORIZATION] += stage_max - stage_cur; + ck_free(backup); while (ranges) { @@ -186,6 +187,19 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { return 0; +checksum_fail: + ck_free(backup); + + while (ranges) { + + rng = ranges; + ranges = ranges->next; + ck_free(rng); + + } + + return 1; + } ///// Input to State replacement diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 5ead32fb..03468d3d 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -282,15 +282,11 @@ static void edit_params(u32 argc, char** argv) { } - if (!asan_set) { + if (getenv("AFL_USE_UBSAN")) { - if (getenv("AFL_USE_UBSAN")) { - - cc_params[cc_par_cnt++] = "-fsanitize=undefined"; - cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; - cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; - - } + cc_params[cc_par_cnt++] = "-fsanitize=undefined"; + cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; + cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; } |