diff options
| author | vanhauser-thc <vh@thc.org> | 2021-11-16 11:03:53 +0100 |
|---|---|---|
| committer | vanhauser-thc <vh@thc.org> | 2021-11-16 11:03:53 +0100 |
| commit | 268339a683aab00f8487eac1ca31ef5d6c6abc4b (patch) | |
| tree | 05bead029a76420a380c5d2625360c70743e04e8 | |
| parent | 464f1a78dff320609d4580a7b2493dc5b527df67 (diff) | |
| download | afl++-268339a683aab00f8487eac1ca31ef5d6c6abc4b.tar.gz | |
showmap -A -> -H, accurate help output
| -rw-r--r-- | GNUmakefile | 2 | ||||
| -rwxr-xr-x | afl-cmin | 6 | ||||
| -rwxr-xr-x | afl-cmin.bash | 4 | ||||
| -rw-r--r-- | coresight_mode/README.md | 1 | ||||
| -rw-r--r-- | docs/Changelog.md | 6 | ||||
| -rw-r--r-- | src/afl-analyze.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 6 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 7 | ||||
| -rw-r--r-- | src/afl-showmap.c | 19 | ||||
| -rw-r--r-- | src/afl-tmin.c | 7 |
10 files changed, 43 insertions, 22 deletions
diff --git a/GNUmakefile b/GNUmakefile index ab57e7ad..673d2bf8 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -346,7 +346,7 @@ help: @echo "HELP --- the following make targets exist:" @echo "==========================================" @echo "all: just the main afl++ binaries" - @echo "binary-only: everything for binary-only fuzzing: coresight_mode, qemu_mode, unicorn_mode, libdislocator, libtokencap" + @echo "binary-only: everything for binary-only fuzzing: qemu_mode, frida_mode, unicorn_mode, coresight_mode, libdislocator, libtokencap" @echo "source-only: everything for source code fuzzing: gcc_plugin, libdislocator, libtokencap" @echo "distrib: everything (for both binary-only and source code fuzzing)" @echo "man: creates simple man pages from the help option of the programs" diff --git a/afl-cmin b/afl-cmin index e6f8c175..879aead2 100755 --- a/afl-cmin +++ b/afl-cmin @@ -396,7 +396,7 @@ BEGIN { system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"") } else { system("cp \""in_dir"/"first_file"\" "stdin_file) - system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") + system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") } first_count = 0 @@ -432,8 +432,8 @@ BEGIN { retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string) } else { print " Processing "in_count" files (forkserver mode)..." -# print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null" - retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") +# print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null" + retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") } if (retval && !AFL_CMIN_CRASHES_ONLY) { diff --git a/afl-cmin.bash b/afl-cmin.bash index e25ddc74..9ac65199 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -310,7 +310,7 @@ if [ "$STDIN_FILE" = "" ]; then else cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE" - AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null + AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null fi @@ -360,7 +360,7 @@ echo "[*] Obtaining traces for input files in '$IN_DIR'..." cp "$IN_DIR/$fn" "$STDIN_FILE" - "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null + "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null done diff --git a/coresight_mode/README.md b/coresight_mode/README.md index 31e77d92..dac44076 100644 --- a/coresight_mode/README.md +++ b/coresight_mode/README.md @@ -55,7 +55,6 @@ There are AFL++ CoreSight mode-specific environment variables for run-time confi ## TODO List -* Change `afl-showmap` ARM CoreSight mode option to `-A` without conflict * Eliminate modified glibc dependency * Support parallel fuzzing diff --git a/docs/Changelog.md b/docs/Changelog.md index 6a9c895c..054f0fef 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,12 +10,14 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version ++3.15a (dev) - documentation restructuring, made possible by Google Season of Docs :) + - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) + thanks to RICSecLab submitting! - afl-fuzz: - cmplog binaries will need to be recompiled for this version (it is better!) - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! - - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on + - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries - fix -n dumb mode (nobody should use this) @@ -30,6 +32,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - honor persistent mode for more speed. thanks to dloffre-snl for reporting! - fix bug where targets are not killed on timeouts + - moved hidden afl-showmap -A option to -H to be used for + coresight_mode - Prevent accidently killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: diff --git a/src/afl-analyze.c b/src/afl-analyze.c index bc562c15..ac5a324c 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -848,12 +848,17 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" +#if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n\n" + "mode)\n" +#endif + "\n" "Analysis settings:\n" diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index f7b59f25..a204e374 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -452,14 +452,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(len == 0)) { return 0; } + u8 fn[PATH_MAX]; u8 *queue_fn = ""; - u8 new_bits = '\0'; + u8 new_bits = 0, keeping = 0, res, classified = 0; s32 fd; - u8 keeping = 0, res, classified = 0; u64 cksum = 0; - u8 fn[PATH_MAX]; - /* Update path frequency. */ /* Generating a hash on every input is super expensive. Bad idea and should diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index dfd62db8..195366bd 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -113,12 +113,17 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" +#if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n\n" + "mode)\n" +#endif + "\n" "Mutator settings:\n" " -D - enable deterministic fuzzing (once per queue entry)\n" diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 899baaa0..0ba265ab 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -844,13 +844,18 @@ static void usage(u8 *argv0) { "Execution control settings:\n" " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%u MB)\n" +#if defined(__linux__) && defined(__aarch64__) + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" - " -P - use binary-only instrumentation (ARM CoreSight mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use Unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n" " (Not necessary, here for consistency with other afl-* " - "tools)\n\n" + "tools)\n" +#endif + "\n" "Other settings:\n" " -i dir - process all files below this directory, must be combined " "with -o.\n" @@ -920,7 +925,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_QUIET") != NULL) { be_quiet = true; } - while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOPQUWbcrsh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOHQUWbcrsh")) > 0) { switch (opt) { @@ -1049,7 +1054,7 @@ int main(int argc, char **argv_orig, char **envp) { quiet_mode = true; break; - case 'A': + case 'H': /* Another afl-cmin specific feature. */ at_file = optarg; break; @@ -1065,13 +1070,13 @@ int main(int argc, char **argv_orig, char **envp) { /* FIXME: We want to use -P for consistency, but it is already unsed for * undocumenetd feature "Another afl-cmin specific feature." */ - case 'P': /* CoreSight mode */ + case 'A': /* CoreSight mode */ #if !defined(__aarch64__) || !defined(__linux__) - FATAL("-P option is not supported on this platform"); + FATAL("-A option is not supported on this platform"); #endif - if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } + if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } fsrv->cs_mode = true; break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 22383a4e..89546c45 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -866,14 +866,19 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" +#if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " "mode)\n" " (Not necessary, here for consistency with other afl-* " - "tools)\n\n" + "tools)\n" +#endif + "\n" "Minimization settings:\n" |