authorvan Hauser <vh@thc.org>2024-10-07 10:12:51 +0200
committerGitHub <noreply@github.com>2024-10-07 10:12:51 +0200
commitc1e40c5fb7de40dc5f598c609c907ea21e5a078a (patch)
tree1e9da5807fa20692820bf9792b4a42f9731aeeff
parentd21fb1a558b25c4f46692fa999c0028dfe0eecc0 (diff)
parentd6a2edb42a680b999256d5b78082975713973db7 (diff)
downloadafl++-c1e40c5fb7de40dc5f598c609c907ea21e5a078a.tar.gz
Merge pull request #2220 from AFLplusplus/dev
push to stable
-rw-r--r--GNUmakefile.llvm2
-rw-r--r--docs/Changelog.md4
-rw-r--r--instrumentation/SanitizerCoverageLTO.so.cc6
-rw-r--r--instrumentation/SanitizerCoveragePCGUARD.so.cc11
-rw-r--r--nyx_mode/LIBNYX_VERSION2
m---------nyx_mode/QEMU-Nyx0
-rw-r--r--nyx_mode/QEMU_NYX_VERSION2
-rw-r--r--src/afl-forkserver.c7
-rw-r--r--src/afl-fuzz-init.c16
-rw-r--r--src/afl-fuzz-run.c7
-rw-r--r--src/afl-fuzz-stats.c8
-rw-r--r--src/afl-fuzz.c28
-rw-r--r--utils/libdislocator/libdislocator.so.c9
13 files changed, 75 insertions, 27 deletions
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index d5dcb09b..2e806ab8 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -327,7 +327,7 @@ endif
# User teor2345 reports that this is required to make things work on MacOS X.
ifeq "$(SYS)" "Darwin"
- CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
+ CLANG_LFL += -Wl,-undefined,dynamic_lookup
override LLVM_HAVE_LTO := 0
override LLVM_LTO := 0
else
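Review bot: The context comment two lines above the change still says the flags are "required to make things work on MacOS X" per teor2345's report, but that report was about the removed `-flat_namespace -Wl,-undefined,suppress` pair, so the comment no longer explains the line under it. Replace it with the reason for the new flag, e.g. `# Darwin: let the pass plugin resolve LLVM symbols from the clang that loads it (-undefined,dynamic_lookup); the old -flat_namespace/-undefined,suppress pair is no longer used`. If there is a known toolchain version where the old flags stopped working, naming it there would save the next person from reverting this.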
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7043202f..5b809d61 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,6 +15,7 @@
function after the target has been restarted.
- because of bad math and undefined behaviour fixes we have to change
the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS**
+ - fixed custom_post_process for calibration
- frida_mode:
- AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
a function entry
@@ -25,9 +26,12 @@
@CowBoy4mH3LL
- unicorn_mode:
- fix install and forkserver (thanks aarnav!)
+ - nyx_mode:
+ - bugfixes
- custom mutators:
- custom_send_tcp custom mutator added, thanks to @dergoegge
- afl-cc
+ - fix to support pointless changes in LLVM 20
- new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla
AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with
AFL_LLVM_INSTRUMENT=CLASSIC
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 63ea71c1..6ec84dcd 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -50,7 +50,11 @@
#include "llvm/Support/SpecialCaseList.h"
#include "llvm/Support/VirtualFileSystem.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/Instrumentation.h"
+#if LLVM_VERSION_MAJOR < 20
+ #include "llvm/Transforms/Instrumentation.h"
+#else
+ #include "llvm/Transforms/Utils/Instrumentation.h"
+#endif
#if LLVM_VERSION_MAJOR < 17
#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#endif
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 49fe904b..859b4e7b 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -63,11 +63,16 @@
#if LLVM_VERSION_MAJOR < 15
#include "llvm/Support/raw_ostream.h"
#endif
-#if LLVM_VERSION_MAJOR < 17
- #include "llvm/Transforms/Instrumentation.h"
+#if LLVM_VERSION_MAJOR < 20
+ #if LLVM_VERSION_MAJOR < 17
+ #include "llvm/Transforms/Instrumentation.h"
+ #else
+ #include "llvm/TargetParser/Triple.h"
+ #endif
#else
- #include "llvm/TargetParser/Triple.h"
+ #include "llvm/Transforms/Utils/Instrumentation.h"
#endif
+
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"
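Review bot: The new `#else` branch for LLVM 20+ includes only `llvm/Transforms/Utils/Instrumentation.h`, so `llvm/TargetParser/Triple.h`, which the LLVM 17–19 branch still pulls in, is no longer included at all on LLVM 20. If this file uses `Triple` directly (not visible in the hunk), the LLVM 20 build then relies on a transitive include from the new header, which can break on the next header reshuffle; adding `#include "llvm/TargetParser/Triple.h"` next to the Utils include in the `#else` branch, or hoisting the Triple include into its own `#if LLVM_VERSION_MAJOR >= 17` block, removes that dependency. The LTO variant in this same commit uses a flat `< 20` / `#else` pair, which reads more easily than the nested form introduced here.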
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION
index 5f7c9a5b..fdd1b46b 100644
--- a/nyx_mode/LIBNYX_VERSION
+++ b/nyx_mode/LIBNYX_VERSION
@@ -1 +1 @@
-ea6ceb9 \ No newline at end of file
+ea6ceb9
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
-Subproject e5e1c4c21ff9c4dc80e6409d4eab47146c6024c
+Subproject ff1c89732115274e912a2809fcba58e67df23df
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
index c6ed0c6a..4543932d 100644
--- a/nyx_mode/QEMU_NYX_VERSION
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -1 +1 @@
-e5e1c4c21ff9c4dc80e6409d4eab47146c6024cd
+ff1c897321
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index ae3c7ccc..51299009 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -536,12 +536,15 @@ static void report_error_and_exit(int error) {
#ifdef __linux__
void nyx_load_target_hash(afl_forkserver_t *fsrv) {
+
void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path);
- fsrv->nyx_target_hash64 = fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config);
+ fsrv->nyx_target_hash64 =
+ fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config);
fsrv->nyx_handlers->nyx_config_free(nyx_config);
+
}
-#endif
+#endif
/* Spins up fork server. The idea is explained here:
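Review bot: `nyx_config` is handed straight to `nyx_get_target_hash64` with no NULL check after `nyx_config_load` on the first line of `nyx_load_target_hash`; if libnyx returns NULL when the config under `target_path` is missing or malformed (its contract is not visible here), this dereferences it or stores a meaningless `nyx_target_hash64`, and that value is what the fast-resume code uses to decide whether the target changed. A guard such as `if (unlikely(!nyx_config)) { FATAL("Unable to load Nyx config from '%s'", fsrv->target_path); }` before the hash call keeps the failure explicit and loud. A header comment would also help, e.g. `/* Load the Nyx target hash used as the target identity for fast resume. */`.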
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 9eaa661d..a9397232 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1237,19 +1237,26 @@ void perform_dry_run(afl_state_t *afl) {
u8 crash_log_fn[PATH_MAX];
snprintf(crash_log_fn, PATH_MAX, "%s.log", crash_fn);
- fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
- if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_log_fn); }
+ fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL,
+ DEFAULT_PERMISSION);
+ if (unlikely(fd < 0)) {
+
+ PFATAL("Unable to create '%s'", crash_log_fn);
+
+ }
u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(
afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string,
afl->fsrv.nyx_aux_string_len);
- ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, crash_log_fn);
+ ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len,
+ crash_log_fn);
close(fd);
}
+
#endif
-
+
afl->last_crash_time = get_cur_time();
afl->last_crash_execs = afl->fsrv.total_execs;
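Review bot: `nyx_aux_string_len` as returned by `nyx_get_aux_string` is passed to `ck_write` without being bounded by the buffer size `afl->fsrv.nyx_aux_string_len` that was handed in; if the library reports the full length of a longer aux string rather than the number of bytes it copied (its contract is not visible here), `ck_write` reads past the end of `nyx_aux_string` into the crash log. Clamping before the write, `if (nyx_aux_string_len > afl->fsrv.nyx_aux_string_len) nyx_aux_string_len = afl->fsrv.nyx_aux_string_len;`, costs nothing and makes the write safe regardless of the library's answer. Separately, the `O_EXCL` open turns an already-existing `.log` for this crash into a PFATAL that aborts the whole dry run; if crash file names can repeat across sessions, a warning and skip would be the gentler failure. perform_dry_run starts and ends outside this hunk.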
@@ -2905,6 +2912,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
afl->fsrv.target_path);
}
+
#endif
if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) ||
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 4ce17eb2..a3787e5c 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -487,6 +487,10 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
}
+ u8 saved_afl_post_process_keep_original =
+ afl->afl_env.afl_post_process_keep_original;
+ afl->afl_env.afl_post_process_keep_original = 1;
+
/* we need a dummy run if this is LTO + cmplog */
if (unlikely(afl->shm.cmplog_mode)) {
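Review bot: The forced `afl->afl_env.afl_post_process_keep_original = 1` is only undone at the `abort_calibration:` label, so any path between this point and the label that leaves `calibrate_case` through a direct `return` (the body runs past this hunk) leaves the flag stuck at 1 for the rest of the fuzzing session, changing behaviour of every later custom post_process call. Routing every exit through the label, or restoring the saved value in each early return, keeps the override scoped to calibration. The override also deserves a why-comment, since nothing here says what breaks without it, e.g. `/* Calibration must see the unmodified input: force the custom post_process hook to keep the original buffer here; restored at abort_calibration. */` — adjust the wording to the actual failure the changelog entry ("fixed custom_post_process for calibration") refers to.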
@@ -661,6 +665,9 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
abort_calibration:
+ afl->afl_env.afl_post_process_keep_original =
+ saved_afl_post_process_keep_original;
+
if (new_bits == 2 && !q->has_new_cov) {
q->has_new_cov = 1;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index b1a84cb6..a7465330 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -83,12 +83,16 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
#ifdef __linux__
if (afl->fsrv.nyx_mode) {
+
nyx_load_target_hash(&afl->fsrv);
fprintf(f2, "%llx\n", afl->fsrv.nyx_target_hash64);
- }
- else {
+
+ } else {
+
fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path));
+
}
+
#else
fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path));
#endif
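Review bot: The Nyx branch writes the target hash with `%llx` while both non-Nyx branches print it through `%p`, which glibc renders as `0x…` and as `(nil)` for zero, so the same line of the setup file has two different formats depending on mode, and whatever parses `prev_target_hash` back for fast resume (not in this hunk) has to accept both. Printing `%llx` in all three places, `fprintf(f2, "%llx\n", (unsigned long long)get_binary_hash(afl->fsrv.target_path));`, gives one format and drops the odd cast of a hash to a pointer. write_setup_file starts before this hunk.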
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a2fd4b76..7a940031 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1505,7 +1505,8 @@ int main(int argc, char **argv_orig, char **envp) {
#ifdef __linux__
if (afl->fsrv.nyx_mode) {
- OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej Schumilo)");
+ OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej "
+ "Schumilo)");
OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz");
}
@@ -2225,23 +2226,27 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->in_place_resume && !afl->afl_env.afl_no_fastresume) {
-#ifdef __linux__
+ #ifdef __linux__
u64 target_hash = 0;
if (afl->fsrv.nyx_mode) {
+
nyx_load_target_hash(&afl->fsrv);
target_hash = afl->fsrv.nyx_target_hash64;
- }
- else {
+
+ } else {
+
target_hash = get_binary_hash(afl->fsrv.target_path);
+
}
-#else
+
+ #else
u64 target_hash = get_binary_hash(afl->fsrv.target_path);
-#endif
+ #endif
if ((!target_hash || prev_target_hash != target_hash)
-#ifdef __linux__
- || (afl->fsrv.nyx_mode && target_hash == 0)
-#endif
+ #ifdef __linux__
+ || (afl->fsrv.nyx_mode && target_hash == 0)
+ #endif
) {
ACTF("Target binary is different, cannot perform FAST RESUME!");
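Review bot: The re-indented `|| (afl->fsrv.nyx_mode && target_hash == 0)` clause is unreachable, because the first clause `!target_hash` already covers `target_hash == 0` in every mode; dropping that `#ifdef __linux__` block leaves `if (!target_hash || prev_target_hash != target_hash) {` with identical behaviour and no preprocessor branch in the middle of an expression. The comparison also assumes the hash read back from the setup file and the one computed here use the same textual format, which the Nyx (`%llx`) and non-Nyx (`%p`) writers in afl-fuzz-stats.c do not currently share. main continues outside this hunk.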
@@ -2386,10 +2391,11 @@ int main(int argc, char **argv_orig, char **envp) {
#ifdef AFL_PERSISTENT_RECORD
if (unlikely(afl->fsrv.persistent_record)) {
- if (!getenv(PERSIST_ENV_VAR)) {
+ if (!getenv(PERSIST_ENV_VAR) && !getenv("AFL_FRIDA_PERSISTENT_ADDR") &&
+ !getenv("AFL_QEMU_PERSISTENT_ADDR")) {
FATAL(
- "Target binary is not compiled in persistent mode, "
+ "Target binary is not compiled/run in persistent mode, "
"AFL_PERSISTENT_RECORD makes no sense.");
}
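Review bot: The widened guard only tests whether `AFL_FRIDA_PERSISTENT_ADDR` or `AFL_QEMU_PERSISTENT_ADDR` is present in the environment, not whether FRIDA or QEMU mode is actually active, so a stale variable left over from another target silences the FATAL and lets `AFL_PERSISTENT_RECORD` run against a binary that is not persistent at all. Pairing each variable with its mode flag, e.g. `(afl->fsrv.frida_mode && getenv("AFL_FRIDA_PERSISTENT_ADDR"))` and the QEMU equivalent, keeps the check meaningful; the exact flag names are not visible in this hunk. The two literal env names would also be better as named constants next to `PERSIST_ENV_VAR` so the frida and qemu runtimes cannot drift from them. main continues outside this hunk.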
diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c
index b80be1a1..f41491b1 100644
--- a/utils/libdislocator/libdislocator.so.c
+++ b/utils/libdislocator/libdislocator.so.c
@@ -162,7 +162,7 @@ static u8 alloc_verbose, /* Additional debug messages */
static _Atomic size_t total_mem; /* Currently allocated mem */
static __thread u32 call_depth; /* To avoid recursion via fprintf() */
-static u32 alloc_canary;
+static u32 alloc_canary = ALLOC_CANARY;
/* This is the main alloc function. It allocates one page more than necessary,
sets that tailing page to PROT_NONE, and then increments the return address
@@ -578,6 +578,13 @@ __attribute__((constructor)) void __dislocator_init(void) {
}
+__attribute__((destructor)) void __dislocator_fini(void) {
+
+ alloc_canary = ALLOC_CANARY; // restore to default canary value
+
+}
+
+
/* NetBSD fault handler specific api subset */
void (*esetfunc(void (*fn)(int, const char *, ...)))(int, const char *, ...) {
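Review bot: `__dislocator_fini` resets `alloc_canary` to `ALLOC_CANARY` with no comment saying why, and the hunk does not show what changes the canary in the first place (presumably `__dislocator_init`, whose closing brace is the context line above). If init installs a per-process canary and `free()` validates blocks against `alloc_canary` (not visible here), any free of such a block that runs after this destructor — from a later-running destructor or libc teardown — will see a mismatch on a valid block, so the reset is only safe under the assumption that no dislocator-owned block is freed after this point. A comment stating that assumption, e.g. `/* Restore the compile-time canary; assumes no block allocated under a custom canary is freed after this destructor runs. */`, makes the intent checkable. The two blank lines after the closing brace are one more than the rest of the hunk uses between definitions.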