showmap -A -> -H, accurate help output

10 files changed, 43 insertions, 22 deletions

diff --git a/GNUmakefile b/GNUmakefile
index ab57e7ad..673d2bf8 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -346,7 +346,7 @@ help:
 	@echo "HELP --- the following make targets exist:"
 	@echo "=========================================="
 	@echo "all: just the main afl++ binaries"
-	@echo "binary-only: everything for binary-only fuzzing: coresight_mode, qemu_mode, unicorn_mode, libdislocator, libtokencap"
+	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, frida_mode, unicorn_mode, coresight_mode, libdislocator, libtokencap"
 	@echo "source-only: everything for source code fuzzing: gcc_plugin, libdislocator, libtokencap"
 	@echo "distrib: everything (for both binary-only and source code fuzzing)"
 	@echo "man: creates simple man pages from the help option of the programs"
diff --git a/afl-cmin b/afl-cmin
index e6f8c175..879aead2 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -396,7 +396,7 @@ BEGIN {
       system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
     } else {
       system("cp \""in_dir"/"first_file"\" "stdin_file)
-      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
     }
 
     first_count = 0
@@ -432,8 +432,8 @@ BEGIN {
     retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
   } else {
     print "    Processing "in_count" files (forkserver mode)..."
-#    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
-    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+#    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
+    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
   }
 
   if (retval && !AFL_CMIN_CRASHES_ONLY) {
diff --git a/afl-cmin.bash b/afl-cmin.bash
index e25ddc74..9ac65199 100755
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@@ -310,7 +310,7 @@ if [ "$STDIN_FILE" = "" ]; then
 else
 
   cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
-  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
+  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null
 
 fi
 
@@ -360,7 +360,7 @@ echo "[*] Obtaining traces for input files in '$IN_DIR'..."
 
       cp "$IN_DIR/$fn" "$STDIN_FILE"
 
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
+      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null
 
     done
 
diff --git a/coresight_mode/README.md b/coresight_mode/README.md
index 31e77d92..dac44076 100644
--- a/coresight_mode/README.md
+++ b/coresight_mode/README.md
@@ -55,7 +55,6 @@ There are AFL++ CoreSight mode-specific environment variables for run-time confi
 
 ## TODO List
 
-* Change `afl-showmap` ARM CoreSight mode option to `-A` without conflict
 * Eliminate modified glibc dependency
 * Support parallel fuzzing
 
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 6a9c895c..054f0fef 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -10,12 +10,14 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 ### Version ++3.15a (dev)
   - documentation restructuring, made possible by Google Season of Docs :)
+  - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
+    thanks to RICSecLab submitting!
   - afl-fuzz:
     - cmplog binaries will need to be recompiled for this version
       (it is better!)
     - fix a regression introduced in 3.10 that resulted in less
       coverage being detected. thanks to Collin May for reporting!
-    - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on
+    - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
       incorrect LTO usage setups and enhanced the READMEs for better
       information on how to deal with instrumenting libraries
     - fix -n dumb mode (nobody should use this)
@@ -30,6 +32,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - honor persistent mode for more speed. thanks to dloffre-snl
       for reporting!
     - fix bug where targets are not killed on timeouts
+    - moved hidden afl-showmap -A option to -H to be used for
+      coresight_mode
   - Prevent accidently killing non-afl/fuzz services when aborting
     afl-showmap and other tools.
   - afl-cc:
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index bc562c15..ac5a324c 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -848,12 +848,17 @@ static void usage(u8 *argv0) {
       "  -f file       - input file read by the tested program (stdin)\n"
       "  -t msec       - timeout for each run (%u ms)\n"
       "  -m megs       - memory limit for child process (%u MB)\n"
+#if defined(__linux__) && defined(__aarch64__)
       "  -A            - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
       "  -O            - use binary-only instrumentation (FRIDA mode)\n"
+#if defined(__linux__)
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
       "  -W            - use qemu-based instrumentation with Wine (Wine "
-      "mode)\n\n"
+      "mode)\n"
+#endif
+      "\n"
 
       "Analysis settings:\n"
 
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index f7b59f25..a204e374 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -452,14 +452,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 
   if (unlikely(len == 0)) { return 0; }
 
+  u8  fn[PATH_MAX];
   u8 *queue_fn = "";
-  u8  new_bits = '\0';
+  u8  new_bits = 0, keeping = 0, res, classified = 0;
   s32 fd;
-  u8  keeping = 0, res, classified = 0;
   u64 cksum = 0;
 
-  u8 fn[PATH_MAX];
-
   /* Update path frequency. */
 
   /* Generating a hash on every input is super expensive. Bad idea and should
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index dfd62db8..195366bd 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -113,12 +113,17 @@ static void usage(u8 *argv0, int more_help) {
       "maximum.\n"
       "  -m megs       - memory limit for child process (%u MB, 0 = no limit "
       "[default])\n"
+#if defined(__linux__) && defined(__aarch64__)
       "  -A            - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
       "  -O            - use binary-only instrumentation (FRIDA mode)\n"
+#if defined(__linux__)
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
       "  -W            - use qemu-based instrumentation with Wine (Wine "
-      "mode)\n\n"
+      "mode)\n"
+#endif
+      "\n"
 
       "Mutator settings:\n"
       "  -D            - enable deterministic fuzzing (once per queue entry)\n"
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 899baaa0..0ba265ab 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -844,13 +844,18 @@ static void usage(u8 *argv0) {
       "Execution control settings:\n"
       "  -t msec    - timeout for each run (none)\n"
       "  -m megs    - memory limit for child process (%u MB)\n"
+#if defined(__linux__) && defined(__aarch64__)
+      "  -A         - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
       "  -O         - use binary-only instrumentation (FRIDA mode)\n"
-      "  -P         - use binary-only instrumentation (ARM CoreSight mode)\n"
+#if defined(__linux__)
       "  -Q         - use binary-only instrumentation (QEMU mode)\n"
       "  -U         - use Unicorn-based instrumentation (Unicorn mode)\n"
       "  -W         - use qemu-based instrumentation with Wine (Wine mode)\n"
       "               (Not necessary, here for consistency with other afl-* "
-      "tools)\n\n"
+      "tools)\n"
+#endif
+      "\n"
       "Other settings:\n"
       "  -i dir     - process all files below this directory, must be combined "
       "with -o.\n"
@@ -920,7 +925,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
   if (getenv("AFL_QUIET") != NULL) { be_quiet = true; }
 
-  while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOPQUWbcrsh")) > 0) {
+  while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOHQUWbcrsh")) > 0) {
 
     switch (opt) {
 
@@ -1049,7 +1054,7 @@ int main(int argc, char **argv_orig, char **envp) {
         quiet_mode = true;
         break;
 
-      case 'A':
+      case 'H':
         /* Another afl-cmin specific feature. */
         at_file = optarg;
         break;
@@ -1065,13 +1070,13 @@ int main(int argc, char **argv_orig, char **envp) {
 
       /* FIXME: We want to use -P for consistency, but it is already unsed for
        * undocumenetd feature "Another afl-cmin specific feature." */
-      case 'P':                                           /* CoreSight mode */
+      case 'A':                                           /* CoreSight mode */
 
 #if !defined(__aarch64__) || !defined(__linux__)
-        FATAL("-P option is not supported on this platform");
+        FATAL("-A option is not supported on this platform");
 #endif
 
-        if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); }
+        if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); }
 
         fsrv->cs_mode = true;
         break;
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 22383a4e..89546c45 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -866,14 +866,19 @@ static void usage(u8 *argv0) {
       "  -f file       - input file read by the tested program (stdin)\n"
       "  -t msec       - timeout for each run (%u ms)\n"
       "  -m megs       - memory limit for child process (%u MB)\n"
+#if defined(__linux__) && defined(__aarch64__)
       "  -A            - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
       "  -O            - use binary-only instrumentation (FRIDA mode)\n"
+#if defined(__linux__)
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
       "  -W            - use qemu-based instrumentation with Wine (Wine "
       "mode)\n"
       "                  (Not necessary, here for consistency with other afl-* "
-      "tools)\n\n"
+      "tools)\n"
+#endif
+      "\n"
 
       "Minimization settings:\n"