authorvan Hauser <vh@thc.org>2024-07-24 14:50:57 +0200
committerGitHub <noreply@github.com>2024-07-24 14:50:57 +0200
commitdb23931e7c1727ddac8691a6241c97b2203ec6fc (patch)
tree7b3c3bcb8db3aa3e42835edf27be5baea1097c42
parent19ca7b3761f5abff8b72770d6bbfbde80ef5b985 (diff)
parent6e37f9b237ed12193688c86b6a527f32793f157e (diff)
downloadafl++-db23931e7c1727ddac8691a6241c97b2203ec6fc.tar.gz
Merge pull request #2172 from AFLplusplus/dev
push to stable
-rw-r--r--.gitignore1
-rw-r--r--GNUmakefile.llvm10
-rwxr-xr-xafl-whatsup8
-rw-r--r--docs/Changelog.md2
-rw-r--r--frida_mode/src/asan/asan_arm64.c8
-rw-r--r--frida_mode/src/instrument/instrument_coverage.c7
-rw-r--r--include/cmplog.h13
-rw-r--r--instrumentation/afl-compiler-rt.o.c25
-rw-r--r--instrumentation/afl-llvm-dict2file.so.cc7
9 files changed, 50 insertions, 31 deletions
diff --git a/.gitignore b/.gitignore
index 8e191e29..9ac577d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
*.pyc
*.so
*.swp
+.DS_Store
.sync_tmp
.test
.test2
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 8b4c6054..52ff778c 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -61,7 +61,6 @@ LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || e
LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
LLVM_STDCXX := gnu++11
-LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
LLVM_LTO := 0
LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' && echo 1 || echo 0)
# Uncomment to see the values assigned above
@@ -112,10 +111,6 @@ ifeq "$(LLVM_LTO)" "0"
$(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.)
endif
-ifeq "$(LLVM_APPLE_XCODE)" "1"
- $(warning llvm_mode will not compile with Xcode clang...)
-endif
-
# We were using llvm-config --bindir to get the location of clang, but
# this seems to be busted on some distros, so using the one in $PATH is
# probably better.
@@ -123,6 +118,11 @@ endif
CC = $(LLVM_BINDIR)/clang
CXX = $(LLVM_BINDIR)/clang++
+LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
+ifeq "$(LLVM_APPLE_XCODE)" "1"
+ $(warning llvm_mode will not compile with Xcode clang...)
+endif
+
# llvm-config --bindir may not providing a valid path, so ...
ifeq "$(shell test -e $(CC) || echo 1 )" "1"
# however we must ensure that this is not a "CC=gcc make"
diff --git a/afl-whatsup b/afl-whatsup
index 19841755..6fa2dfc2 100755
--- a/afl-whatsup
+++ b/afl-whatsup
@@ -112,12 +112,12 @@ if [ -z "$NO_COLOR" ]; then
fi
PLATFORM=`uname -s`
-if [ "$PLATFORM" = "Linux" ] ; then
- CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
-else
+#if [ "$PLATFORM" = "Linux" ] ; then
+# CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
+#else
# This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux
CUR_TIME=`date +%s`
-fi
+#fi
TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
trap "rm -f $TMP" 1 2 3 13 15
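Review bot: The comment above the `CUR_TIME=` line is now stale: it presents the `date +%s` path as a fallback that only applies off Linux, but after this change it is the only path and runs on Linux as well. The `#if`/`#fi` lines are commented-out code and should be deleted rather than kept; the old `/proc/uptime` variant is already preserved in version control. Suggest removing the four commented lines and replacing the comment with `# Use wall-clock time on every platform; /proc/uptime is Linux-only.`. If the uptime-versus-epoch difference still affects the age calculations further down, that deserves a sentence here too, since the rest of the script is outside the hunk.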
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d33d3121..3f9f0161 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -13,6 +13,8 @@
- improved seed selection algorithm
- added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send()
function after the target has been restarted.
+ - because of bad math and undefined behaviour fixes we have to change
+ the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS**
- frida_mode:
- AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
a function entry
diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c
index 94729939..c1d5c10f 100644
--- a/frida_mode/src/asan/asan_arm64.c
+++ b/frida_mode/src/asan/asan_arm64.c
@@ -39,15 +39,15 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) {
address = base + index + mem->disp;
- if ((operand->access & CS_AC_READ) == CS_AC_READ) {
+ if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) {
- asan_loadN(address, asan_ctx->size);
+ asan_storeN(address, asan_ctx->size);
}
- if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) {
+ if ((operand->access & CS_AC_READ) == CS_AC_READ) {
- asan_storeN(address, asan_ctx->size);
+ asan_loadN(address, asan_ctx->size);
}
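Review bot: The reason for checking CS_AC_WRITE before CS_AC_READ is not recorded anywhere in the hunk; both `if` blocks still execute for an operand that is both read and written, so the swap only changes behaviour if asan_storeN/asan_loadN report and stop on the first violation. A one-line comment above the first check would save the next reader the same question, e.g. `/* check the store first so a read-modify-write of poisoned memory is reported as a write */` — adjust if the actual motivation differs. asan_callout begins and ends outside the hunk.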
diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c
index ff2f4024..a546dc24 100644
--- a/frida_mode/src/instrument/instrument_coverage.c
+++ b/frida_mode/src/instrument/instrument_coverage.c
@@ -818,6 +818,9 @@ void instrument_coverage_unstable_find_output(void) {
GDir *dir = g_dir_open(fds_name, 0, NULL);
+ gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT");
+ gchar *instance_name = g_path_get_basename(path_tmp);
+
FVERBOSE("Coverage Unstable - fds: %s", fds_name);
for (const gchar *filename = g_dir_read_name(dir); filename != NULL;
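Review bot: `getenv("AFL_CUSTOM_INFO_OUT")` returns NULL when the variable is unset, and the new line passes that straight to `g_path_get_basename`, which fails its GLib precondition check and returns NULL; every `g_strcmp0(basename, instance_name)` in the following hunk then compares against NULL, no fd is ever matched, and the only diagnostic is a GLib critical on stderr. Add a guard before the basename call: `if (path_tmp == NULL) { FFATAL("AFL_CUSTOM_INFO_OUT is not set"); }` (FFATAL is the macro this function already uses for fatal conditions). Whether afl-fuzz always exports this variable to the target is not visible here; if it may be absent, falling back to the previous hard-coded `"default"` would be the friendlier choice. instrument_coverage_unstable_find_output starts before this hunk.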
@@ -829,7 +832,7 @@ void instrument_coverage_unstable_find_output(void) {
if (link == NULL) { FFATAL("Failed to read link: %s", fullname); }
gchar *basename = g_path_get_basename(link);
- if (g_strcmp0(basename, "default") != 0) {
+ if (g_strcmp0(basename, instance_name) != 0) {
g_free(basename);
g_free(link);
@@ -874,6 +877,8 @@ void instrument_coverage_unstable_find_output(void) {
}
g_dir_close(dir);
+ g_free(instance_name);
+ g_free(path_tmp);
g_free(fds_name);
if (unstable_coverage_fuzzer_stats == NULL) {
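Review bot: `g_free(path_tmp)` on the new line frees the pointer returned by `getenv`, which points into the process environment rather than a heap block; freeing it is undefined behaviour and will typically abort under a checking allocator or corrupt the heap silently. Only `instance_name`, the result of `g_path_get_basename`, is owned by this function, so delete the `g_free(path_tmp);` line and keep `g_free(instance_name);`. The enclosing function continues outside the hunk.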
diff --git a/include/cmplog.h b/include/cmplog.h
index a4449a60..9f995da6 100644
--- a/include/cmplog.h
+++ b/include/cmplog.h
@@ -53,21 +53,24 @@ struct cmp_header { // 16 bit = 2 bytes
struct cmp_operands {
u64 v0;
- u64 v1;
u64 v0_128;
+ u64 v0_256_0; // u256 is unsupported by any compiler for now, so future use
+ u64 v0_256_1;
+ u64 v1;
u64 v1_128;
- u64 unused;
- u8 unused1;
- u8 unused2;
+ u64 v1_256_0;
+ u64 v1_256_1;
+ u8 unused[8];
} __attribute__((packed));
struct cmpfn_operands {
u8 v0[32];
- u8 v0_len;
u8 v1[32];
+ u8 v0_len;
u8 v1_len;
+ u8 unused[6];
} __attribute__((packed));
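Review bot: Both packed structs now come to 72 bytes (cmp_operands: eight u64 plus `unused[8]`; cmpfn_operands: 32 + 32 + 1 + 1 + 6), which looks deliberate so that either can occupy one map slot, but nothing enforces it and the next edit to an `unused[]` array can silently break the layout that the Changelog says every CMPLOG target must be recompiled against. Pin it after the second struct with `_Static_assert(sizeof(struct cmp_operands) == sizeof(struct cmpfn_operands), "cmplog operand structs must be the same size");` (GCC and Clang also accept `_Static_assert` when this header is compiled as C++). A short comment above cmp_operands such as `/* layout changed: v1 now follows the v0_* widths; cmplog targets must be rebuilt (see Changelog) */` would record why the map is incompatible with older binaries.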
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 372b9f5a..6e04ae47 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -872,7 +872,7 @@ static void __afl_start_forkserver(void) {
__afl_old_forkserver = 1;
status = 0;
- if (__afl_final_loc && __afl_final_loc > MAP_SIZE) {
+ if (__afl_final_loc > MAP_SIZE) {
fprintf(stderr,
"Warning: AFL_OLD_FORKSERVER is used with a target compiled with "
@@ -969,13 +969,13 @@ static void __afl_start_forkserver(void) {
/* Wait for parent by reading from the pipe. Abort if read fails. */
- if (already_read_first) {
+ if (unlikely(already_read_first)) {
already_read_first = 0;
} else {
- if (read(FORKSRV_FD, &was_killed, 4) != 4) {
+ if (unlikely(read(FORKSRV_FD, &was_killed, 4) != 4)) {
write_error("read from AFL++ tool");
_exit(1);
@@ -1014,10 +1014,10 @@ static void __afl_start_forkserver(void) {
condition and afl-fuzz already issued SIGKILL, write off the old
process. */
- if (child_stopped && was_killed) {
+ if (unlikely(child_stopped && was_killed)) {
child_stopped = 0;
- if (waitpid(child_pid, &status, 0) < 0) {
+ if (unlikely(waitpid(child_pid, &status, 0) < 0)) {
write_error("child_stopped && was_killed");
_exit(1);
@@ -1026,12 +1026,12 @@ static void __afl_start_forkserver(void) {
}
- if (!child_stopped) {
+ if (unlikely(!child_stopped)) {
/* Once woken up, create a clone of our process. */
child_pid = fork();
- if (child_pid < 0) {
+ if (unlikely(child_pid < 0)) {
write_error("fork");
_exit(1);
@@ -1040,7 +1040,7 @@ static void __afl_start_forkserver(void) {
/* In child process: close fds, resume execution. */
- if (!child_pid) {
+ if (unlikely(!child_pid)) { // just to signal afl-fuzz faster
//(void)nice(-20);
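Review bot: The comment added on `if (unlikely(!child_pid)) {` reads as though the hint itself makes the child signal faster, but the child branch is taken once per fork and a layout hint cannot speed it up; what the hint does is keep the parent's fall-through — the `write(FORKSRV_FD + 1, &child_pid, 4)` further down — on the hot path. Suggest rewording to `// child path marked cold so the parent's PID write to afl-fuzz stays on the hot path`. __afl_start_forkserver extends well beyond this hunk.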
@@ -1065,14 +1065,15 @@ static void __afl_start_forkserver(void) {
/* In parent process: write PID to pipe, then wait for child. */
- if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) {
+ if (unlikely(write(FORKSRV_FD + 1, &child_pid, 4) != 4)) {
write_error("write to afl-fuzz");
_exit(1);
}
- if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) {
+ if (unlikely(waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) <
+ 0)) {
write_error("waitpid");
_exit(1);
@@ -1083,11 +1084,11 @@ static void __afl_start_forkserver(void) {
a successful run. In this case, we want to wake it up without forking
again. */
- if (WIFSTOPPED(status)) child_stopped = 1;
+ if (likely(WIFSTOPPED(status))) { child_stopped = 1; }
/* Relay wait status to pipe, then loop back. */
- if (write(FORKSRV_FD + 1, &status, 4) != 4) {
+ if (unlikely(write(FORKSRV_FD + 1, &status, 4) != 4)) {
write_error("writing to afl-fuzz");
_exit(1);
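Review bot: `likely(WIFSTOPPED(status))` is only the common case for persistent-mode targets: waitpid is called with `WUNTRACED` solely when `is_persistent` is set (previous hunk), so for fork-per-run targets the child always exits and the hint is inverted on every iteration. Branch hints only influence code layout, so this is a mis-stated expectation rather than a bug, but a hint that is wrong for one of the two supported modes is worse than none; suggest `if (WIFSTOPPED(status)) { child_stopped = 1; }` and leave the hint off. __afl_start_forkserver continues past this hunk.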
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index b93f61f0..6559bc84 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -661,6 +661,13 @@ bool AFLdict2filePass::runOnModule(Module &M) {
Value *op2 = callInst->getArgOperand(2);
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+ if (!ilen) {
+
+ op2 = callInst->getArgOperand(1);
+ ilen = dyn_cast<ConstantInt>(op2);
+
+ }
+
if (ilen) {
uint64_t literalLength = optLen;