authorlazymio <mio@lazym.io>2022-04-12 21:16:34 +0200
committerlazymio <mio@lazym.io>2022-04-12 21:16:34 +0200
commit0db57c3eecb46dd5c875222517f0c5dd1ba585af (patch)
treed3740b749901087ece5f031e99af4fff2c83d582
parent3fc03d4b6b6b7a0718a9ab9514ea3afdebc868f1 (diff)
parent5d4b0938d5c3ddad18c85c1f2a4c516d46bbf243 (diff)
downloadafl++-0db57c3eecb46dd5c875222517f0c5dd1ba585af.tar.gz
Merge origin/dev
-rw-r--r--GNUmakefile7
-rw-r--r--custom_mutators/grammar_mutator/GRAMMAR_VERSION2
m---------custom_mutators/grammar_mutator/grammar_mutator0
-rw-r--r--docs/Changelog.md5
-rw-r--r--docs/INSTALL.md3
-rw-r--r--docs/env_variables.md3
-rw-r--r--docs/fuzzing_in_depth.md10
-rw-r--r--include/afl-fuzz.h2
-rw-r--r--include/envs.h1
-rw-r--r--instrumentation/cmplog-instructions-pass.cc2
-rw-r--r--src/afl-fuzz-bitmap.c42
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--test/test-cmplog.c8
-rwxr-xr-xtest/test-llvm.sh2
-rw-r--r--utils/afl_network_proxy/afl-network-client.c2
15 files changed, 77 insertions, 19 deletions
diff --git a/GNUmakefile b/GNUmakefile
index d31c52da..ec81cbac 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -373,6 +373,7 @@ help:
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
 	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
+	@echo NO_NYX - disable building nyx mode dependencies
 	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
 	@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)"
 	@echo "=========================================="
@@ -625,8 +626,10 @@ ifeq "$(ARCH)" "aarch64"
 	-$(MAKE) -C coresight_mode
 endif
 ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
 	-cd nyx_mode && ./build_nyx_support.sh
 endif
+endif
 	-cd qemu_mode && sh ./build_qemu_support.sh
 	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
 endif
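Review bot: `ifndef NO_NYX` only tests whether the variable has a non-empty value, so `make NO_NYX=0` skips the nyx build just like `NO_NYX=1`, while `make NO_NYX=` (empty) does not; neither the new help line nor the docs/INSTALL.md entry says which value to set. Either document the convention in the help text, `@echo NO_NYX - disable building nyx mode dependencies (set NO_NYX=1)`, or test the value explicitly so that `0` keeps nyx enabled. The identical guard is repeated in the hunks at `@@ -645,8 +648,10 @@` and `@@ -661,8 +666,10 @@`; the enclosing targets begin outside the hunks.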
@@ -645,8 +648,10 @@ ifeq "$(ARCH)" "aarch64"
 	-$(MAKE) -C coresight_mode
 endif
 ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
 	-cd nyx_mode && ./build_nyx_support.sh
 endif
+endif
 	-cd qemu_mode && sh ./build_qemu_support.sh
 	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
 endif
@@ -661,8 +666,10 @@ endif
 	-$(MAKE) -C utils/libtokencap
 	# -$(MAKE) -C utils/plot_ui
 ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
 	-cd nyx_mode && ./build_nyx_support.sh
 endif
+endif
 
 %.8:	%
 	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
index 93f9321c..2568c6a5 100644
--- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION
+++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
@@ -1 +1 @@
-cbe5e32
+ff4e5a2
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator
-Subproject cbe5e32752773945e0142fac9f1b7a0ccb5dcdf
+Subproject ff4e5a265daf5d88c4a636fb6a2c22b1d733db0
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d50a679b..689cc94b 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -20,9 +20,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
       persistent mode and manual forkserver support if these are not
       in the target binary (e.g. are in a shared library)
-    - add AFL_EARY_FORKSERVER to install the forkserver as earliest as
+    - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
       possible in the target (for afl-gcc-fast/afl-clang-fast/
       afl-clang-lto)
+    - "saved timeouts" was wrong information, timeouts are still thrown
+      away by default even if they have new coverage (hangs are always
+      kept), unless AFL_KEEP_TIMEOUTS are set
     - document and auto-activate pizza mode on condition
   - afl-cc:
     - converted all passed to use the new llvm pass manager for llvm 11+
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 3fa7fd13..348b681e 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -80,6 +80,7 @@ These build options exist:
 * NO_PYTHON - disable python support
 * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for
   normal fuzzing
+* NO_NYX - disable building nyx mode dependencies
 * AFL_NO_X86 - if compiling on non-intel/amd platforms
 * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config
   (e.g., Debian)
@@ -178,4 +179,4 @@ sysctl kern.sysv.shmall=98304
 
 See
 [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html)
-for documentation for these settings and how to make them permanent.
\ No newline at end of file
+for documentation for these settings and how to make them permanent.
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 9ffb08e7..fe9c6e07 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool:
   - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
     usually a bad idea!
 
+  - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
+    new coverage
+
   - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
     does not allow crashes or timeout seeds in the initial -i corpus.
 
diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md
index cff00f77..2c27dfe1 100644
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@@ -333,6 +333,9 @@ is a non-standard way to set this, otherwise set up the build normally and edit
 the generated build environment afterwards manually to point it to the right
 compiler (and/or `RANLIB` and `AR`).
 
+In complex, weird, alien build systems you can try this neat project:
+[https://github.com/fuzzah/exeptor](https://github.com/fuzzah/exeptor)
+
 #### Linker scripts
 
 If the project uses linker scripts to hide the symbols exported by the
@@ -911,16 +914,17 @@ normal fuzzing campaigns as these are much shorter runnings.
     * Keep the generated corpus, use afl-cmin and reuse it every time!
 
 2. Additionally randomize the AFL++ compilation options, e.g.:
-    * 40% for `AFL_LLVM_CMPLOG`
-    * 10% for `AFL_LLVM_LAF_ALL`
+    * 30% for `AFL_LLVM_CMPLOG`
+    * 5% for `AFL_LLVM_LAF_ALL`
 
 3. Also randomize the afl-fuzz runtime options, e.g.:
     * 65% for `AFL_DISABLE_TRIM`
+    * 50% for `AFL_KEEP_TIMEOUTS`
     * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE`
     * 40% use MOpt (`-L 0`)
     * 40% for `AFL_EXPAND_HAVOC_NOW`
     * 20% for old queue processing (`-Z`)
-    * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3`
+    * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT`
 
 4. Do *not* run any `-M` modes, just running `-S` modes is better for CI
    fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 4f4d63b2..8bb61e22 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -385,7 +385,7 @@ typedef struct afl_env_vars {
       afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
       afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
       afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
-      afl_pizza_mode;
+      afl_keep_timeouts, afl_pizza_mode;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
diff --git a/include/envs.h b/include/envs.h
index 1746f946..25b792fa 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -106,6 +106,7 @@ static char *afl_environment_variables[] = {
     "AFL_INPUT_LEN_MAX",
     "AFL_INST_LIBS",
     "AFL_INST_RATIO",
+    "AFL_KEEP_TIMEOUTS",
     "AFL_KILL_SIGNAL",
     "AFL_KEEP_TRACES",
     "AFL_KEEP_ASSEMBLY",
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index fd7930a1..4d37bcb2 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -515,7 +515,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
       while (1) {
 
         std::vector<Value *> args;
-        bool                 skip = true;
+        bool                 skip = false;
 
         if (vector_cnt) {
 
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 99f37cbf..7c2b35d6 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
 
 u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
 
+  u8 is_timeout = 0;
+
+  if (new_bits & 0xf0) {
+
+    new_bits -= 0x80;
+    is_timeout = 1;
+
+  }
+
   size_t real_max_len =
       MIN(max_description_len, sizeof(afl->describe_op_buf_256));
   u8 *ret = afl->describe_op_buf_256;
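Review bot: The timeout flag is tested with `new_bits & 0xf0` but removed with `new_bits -= 0x80`, so any value with a bit in 0x70 set would pass the test and then wrap the `u8` instead of clearing the flag. The only caller in this commit (the `save_to_queue` hunk) passes `new_bits + is_timeout` with `is_timeout` either 0 or 0x80, so the test should match that encoding exactly: `if (new_bits & 0x80) { new_bits &= 0x7f; is_timeout = 1; }`. A comment on the parameter, e.g. `/* bit 7 of new_bits flags a kept timeout; the low bits are the has_new_bits() result */`, would make the in-band encoding explicit, and the caller would be safer combining the two with `new_bits | is_timeout` rather than `+`.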
@@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
       ret[len_current] = '\0';
 
       ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2;
+      if (is_timeout) { size_left -= strlen(",+tout"); }
       if (unlikely(size_left <= 0)) FATAL("filename got too long");
 
       const char *custom_description =
@@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
 
   }
 
+  if (is_timeout) { strcat(ret, ",+tout"); }
+
   if (new_bits == 2) { strcat(ret, ",+cov"); }
 
   if (unlikely(strlen(ret) >= max_description_len))
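Review bot: `strcat(ret, ",+tout")` appends into `afl->describe_op_buf_256` with no bound, and the length check on the last line of the hunk runs only after the write has happened; the `size_left -= strlen(",+tout")` reservation in the previous hunk is visible only in the custom-description path, so whether every other path of describe_op (outside the hunk) leaves room for both `,+tout` and `,+cov` cannot be confirmed from here. A bounded append keeps the buffer safe regardless of which path built `ret`: `size_t cur = strlen(ret); if (cur < real_max_len) { snprintf((char *)ret + cur, real_max_len - cur, ",+tout"); }`. The pre-existing `,+cov` append on the next line has the same shape and would benefit from the same treatment.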
@@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 
   u8  fn[PATH_MAX];
   u8 *queue_fn = "";
-  u8  new_bits = 0, keeping = 0, res, classified = 0;
+  u8  new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0;
   s32 fd;
   u64 cksum = 0;
 
@@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 
     classified = new_bits;
 
+  save_to_queue:
+
 #ifndef SIMPLE_FILES
 
-    queue_fn = alloc_printf(
-        "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
-        describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,")));
+    queue_fn =
+        alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
+                     describe_op(afl, new_bits + is_timeout,
+                                 NAME_MAX - strlen("id:000000,")));
 
 #else
 
@@ -596,7 +611,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 
       }
 
-      ++afl->saved_tmouts;
+      is_timeout = 0x80;
 #ifdef INTROSPECTION
       if (afl->custom_mutators_count && afl->current_custom_fuzz) {
 
@@ -647,7 +662,20 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 
         }
 
-        if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; }
+        if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) {
+
+          if (afl->afl_env.afl_keep_timeouts) {
+
+            ++afl->saved_tmouts;
+            goto save_to_queue;
+
+          } else {
+
+            return keeping;
+
+          }
+
+        }
 
       }
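Review bot: `goto save_to_queue` jumps backwards from inside the `FSRV_RUN_TMOUT` handling into the normal save path, and the code after the save block — including whatever follows the `switch (fault)` — lies outside this hunk, so it is worth confirming that control does not run into the timeout case a second time (which would count the timeout twice and repeat the hang re-run) and that the newly queued entry is calibrated with a timeout it can survive. `new_bits` is not visibly recomputed on this path, so the entry is presumably described from whatever `new_bits` held before the switch. A comment at the label stating the state the jump relies on, e.g. `/* reached from the timeout case when AFL_KEEP_TIMEOUTS is set: new_bits/classified are from the earlier pass, is_timeout is 0x80 */`, would help the next reader. save_if_interesting begins and ends outside the hunk.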
 
@@ -703,7 +731,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 #else
 
       snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
-               afl->saved_crashes, afl->last_kill_signal);
+               afl->saved_crashes, afl->fsrv.last_kill_signal);
 
 #endif                                                    /* ^!SIMPLE_FILES */
 
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 5924dd7b..47e39762 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_hang_tmout =
                 (u8 *)get_afl_env(afl_environment_variables[i]);
 
+          } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_keep_timeouts =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",
 
                               afl_environment_variable_len)) {
diff --git a/test/test-cmplog.c b/test/test-cmplog.c
index 1a314653..d724ecaf 100644
--- a/test/test-cmplog.c
+++ b/test/test-cmplog.c
@@ -8,13 +8,15 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) {
 
-  if (i < 24) return 0;
+  if (i < 30) return 0;
   if (buf[0] != 'A') return 0;
   if (buf[1] != 'B') return 0;
   if (buf[2] != 'C') return 0;
   if (buf[3] != 'D') return 0;
-  if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0;
-  if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0)
+  int *icmp = (int *)(buf + 4);
+  if (*icmp != 0x69694141) return 0;
+  if (memcmp(buf + 8, "1234", 4) || memcmp(buf + 12, "EFGH", 4)) return 0;
+  if (strncmp(buf + 16, "IJKL", 4) == 0 && strcmp(buf + 20, "DEADBEEF") == 0)
     abort();
   return 0;
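Review bot: `int *icmp = (int *)(buf + 4);` reads a 4-byte `int` through a pointer derived from a `const uint8_t *`, which discards `const` and is undefined behaviour under the strict-aliasing and alignment rules (`buf + 4` need not be 4-byte aligned); the value read is also byte-order dependent. Copying the bytes keeps the integer comparison the test wants to exercise while staying defined: `int icmp; memcpy(&icmp, buf + 4, sizeof icmp); if (icmp != 0x69694141) return 0;` (`memcpy` comes from the same header as the `memcmp` already used here). The raised `i < 30` bound on the first line covers `buf + 20` plus the eight bytes of `"DEADBEEF"` and a terminator, but `strcmp` still assumes a NUL somewhere inside the input, as it did before this change.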
 
diff --git a/test/test-llvm.sh b/test/test-llvm.sh
index ddbee378..ce64d76c 100755
--- a/test/test-llvm.sh
+++ b/test/test-llvm.sh
@@ -261,7 +261,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
     $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds"
     {
       mkdir -p in
-      echo 0000000000000000000000000 > in/in
+      echo 00000000000000000000000000000000 > in/in
       AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V60 -i in -o out -c./test-cmplog -- ./test-cmplog >>errors 2>&1
     } >>errors 2>&1
     test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" & {
diff --git a/utils/afl_network_proxy/afl-network-client.c b/utils/afl_network_proxy/afl-network-client.c
index ceffb1ed..7d04a89a 100644
--- a/utils/afl_network_proxy/afl-network-client.c
+++ b/utils/afl_network_proxy/afl-network-client.c
@@ -407,7 +407,9 @@ int main(int argc, char *argv[]) {
 #ifdef USE_DEFLATE
   libdeflate_free_compressor(compressor);
   libdeflate_free_decompressor(decompressor);
+  free(buf2);
 #endif
+  free(buf);
 
   return 0;