authorAndrea Fioraldi <andreafioraldi@gmail.com>2020-08-05 12:54:52 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2020-08-05 12:54:52 +0200
commit2d650f8c2262f99e01950d39c45f242f2e7dfbc9 (patch)
treef4ff3ba7fb5efb862d90585e212ac82ed2d861ca
parent19631851f6c7ecac42fb76ff70314f4e0777d3f3 (diff)
parentf30ca1476c2d4d08d46fe9657ad4aa1d828eb578 (diff)
merge conflict
-rw-r--r--.travis.yml2
-rw-r--r--README.md28
-rw-r--r--include/afl-fuzz.h4
-rw-r--r--llvm_mode/afl-clang-fast.c3
-rw-r--r--llvm_mode/afl-llvm-rt.o.c6
-rwxr-xr-xqemu_mode/build_qemu_support.sh1
-rw-r--r--qemu_mode/patches/mips-fpu.diff15
-rw-r--r--src/afl-fuzz-queue.c2
-rw-r--r--src/afl-fuzz-run.c17
9 files changed, 56 insertions, 22 deletions
diff --git a/.travis.yml b/.travis.yml
index 96cdc86c..0155aa68 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -54,6 +54,6 @@ script:
   - sudo sysctl -w kernel.shmmax=10000000000
   - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ASAN_BUILD=1 ; fi
   - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
-  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
+  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
   - make tests
 #  - travis_terminate 0
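Review bot: The rewritten arm64 step still chains its commands with `;`, so a failing `make ASAN_BUILD=1` or `build_qemu_support.sh` is masked by the trailing `cd ..` and the step exits 0; removing the debug output does not change that, and the `make tests` step that follows would then run against a broken build. Chain with `&&` so the first failure ends the step: `- if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then export LLVM_CONFIG=llvm-config-6.0 && make ASAN_BUILD=1 && (cd qemu_mode && sh ./build_qemu_support.sh) ; fi`. The subshell also makes the `cd ..` unnecessary.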
diff --git a/README.md b/README.md
index 2e24a534..e4271bb0 100644
--- a/README.md
+++ b/README.md
@@ -39,19 +39,19 @@
   with laf-intel and redqueen, unicorn mode, gcc plugin, full *BSD, Solaris and
   Android support and much, much, much more.
 
-  | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode        | unicorn_mode |
-  | ----------------------- |:-------:|:---------:|:----------:|:----------------:|:------------:|
-  | NeverZero               |    x    |     x(1)  |      (2)   |         x        |       x      |
-  | Persistent mode         |         |     x     |     x      | x86[_64]/arm[64] |       x      |
-  | LAF-Intel / CompCov     |         |     x     |            | x86[_64]/arm[64] | x86[_64]/arm |
-  | CmpLog                  |         |     x     |            | x86[_64]/arm[64] |              |
-  | Instrument file list    |         |     x     |     x      |        (x)(3)    |              |
-  | Non-colliding coverage  |         |     x(4)  |            |        (x)(5)    |              |
-  | InsTrim                 |         |     x     |            |                  |              |
-  | Ngram prev_loc coverage |         |     x(6)  |            |                  |              |
-  | Context coverage        |         |     x     |            |                  |              |
-  | Auto dictionary         |         |     x(7)  |            |                  |              |
-  | Snapshot LKM support    |         |     x     |            |        (x)(5)    |              |
+  | Feature/Instrumentation  | afl-gcc | llvm_mode | gcc_plugin | qemu_mode        | unicorn_mode |
+  | ------------------------ |:-------:|:---------:|:----------:|:----------------:|:------------:|
+  | NeverZero                |    x    |     x(1)  |      (2)   |         x        |       x      |
+  | Persistent mode          |         |     x     |     x      | x86[_64]/arm[64] |       x      |
+  | LAF-Intel / CompCov      |         |     x     |            | x86[_64]/arm[64] | x86[_64]/arm |
+  | CmpLog                   |         |     x     |            | x86[_64]/arm[64] |              |
+  | Selective instrumentation|         |     x     |     x      |        (x)(3)    |              |
+  | Non-colliding coverage   |         |     x(4)  |            |        (x)(5)    |              |
+  | InsTrim                  |         |     x     |            |                  |              |
+  | Ngram prev_loc coverage  |         |     x(6)  |            |                  |              |
+  | Context coverage         |         |     x     |            |                  |              |
+  | Auto dictionary          |         |     x(7)  |            |                  |              |
+  | Snapshot LKM support     |         |     x     |            |        (x)(5)    |              |
 
   1. default for LLVM >= 9.0, env var for older version due an efficiency bug in llvm <= 8
   2. GCC creates non-performant code, hence it is disabled in gcc_plugin
@@ -72,7 +72,7 @@
   * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
   * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass)
   * InsTrim, an effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
-  * C. Holler's afl-fuzz Python mutator module and llvm_mode instrument file support: [https://github.com/choller/afl](https://github.com/choller/afl)
+  * C. Holler's afl-fuzz Python mutator module: [https://github.com/choller/afl](https://github.com/choller/afl)
   * Custom mutator by a library (instead of Python) by kyakdan
   * LAF-Intel/CompCov support for llvm_mode, qemu_mode and unicorn_mode (with enhanced capabilities)
   * Radamsa and hongfuzz mutators (as custom mutators).
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 2324efa5..bb1bb314 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -986,7 +986,7 @@ uint64_t rand_next(afl_state_t *afl);
 
 static inline u32 rand_below(afl_state_t *afl, u32 limit) {
 
-  if (limit <= 1) return 0; 
+  if (limit <= 1) return 0;
 
   /* The boundary not being necessarily a power of 2,
      we need to ensure the result uniformity. */
@@ -1008,7 +1008,7 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) {
    expand havoc mode */
 static inline u32 rand_below_datalen(afl_state_t *afl, u32 limit) {
 
-  if (limit <= 1) return 0; 
+  if (limit <= 1) return 0;
 
   switch (rand_below(afl, 3)) {
 
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 10717124..1aa42150 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -400,7 +400,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
     if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
     if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;
-    
+
     if (!strcmp(cur, "-E")) preprocessor_only = 1;
     if (!strcmp(cur, "-shared")) shared_linking = 1;
 
@@ -582,6 +582,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
        runtime. We must hence avoid attaching the runtime to shared objects. */
     cc_params[cc_par_cnt] = NULL;
     return;
+
   }
 
 #ifndef __ANDROID__
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 88abcbe0..fcacc675 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -876,9 +876,13 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
       if (bt_size > 0) {
 
         char **bt_syms = backtrace_symbols(bt, bt_size);
-        if (bt_syms)
+        if (bt_syms) {
+
           fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx],
   bt_syms[0]);
+          free(bt_syms);
+
+        }
 
       }
 
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh
index a7bfe20d..30ac158f 100755
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@@ -176,6 +176,7 @@ echo Building for CPU target $CPU_TARGET
 echo "[*] Applying patches..."
 
 patch -p1 <../patches/elfload.diff || exit 1
+patch -p1 <../patches/mips-fpu.diff || exit 1
 patch -p1 <../patches/bsd-elfload.diff || exit 1
 patch -p1 <../patches/cpu-exec.diff || exit 1
 patch -p1 <../patches/syscall.diff || exit 1
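Review bot: The new mips-fpu.diff targets linux-user/elfload.c, which elfload.diff and bsd-elfload.diff presumably also modify given their names, so the relative order of these three `patch` lines is now load-bearing — each patch's context was generated against the file state left by the previous one, and moving the line later would likely make it fail to apply. A short comment above the new line would save the next person from reordering it: `# must follow elfload.diff: both patch linux-user/elfload.c and the context depends on it`. If the ordering is not in fact required, the patch could instead be folded into elfload.diff to remove the question.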
diff --git a/qemu_mode/patches/mips-fpu.diff b/qemu_mode/patches/mips-fpu.diff
new file mode 100644
index 00000000..646d167e
--- /dev/null
+++ b/qemu_mode/patches/mips-fpu.diff
@@ -0,0 +1,15 @@
+--- a/linux-user/elfload.c	2020-07-13 20:10:37.776374566 -0700
++++ b/linux-user/elfload.c	2020-07-13 20:11:51.794957015 -0700
+@@ -2667,6 +2667,11 @@
+     char *elf_interpreter = NULL;
+     char *scratch;
+ 
++    memset(&interp_info, 0, sizeof(interp_info));
++#ifdef TARGET_MIPS
++    interp_info.fp_abi = MIPS_ABI_FP_UNKNOWN;
++#endif
++
+     info->start_mmap = (abi_ulong)ELF_START_MMAP;
+ 
+     load_elf_image(bprm->filename, bprm->fd, info,
+
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 71874283..f35df914 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -112,8 +112,10 @@ static u8 check_if_text(struct queue_entry *q) {
   u8  buf[MAX_FILE];
   s32 fd, len = q->len, offset = 0, ascii = 0, utf8 = 0, comp;
 
+  if (len >= MAX_FILE) len = MAX_FILE - 1;
   if ((fd = open(q->fname, O_RDONLY)) < 0) return 0;
   if ((comp = read(fd, buf, len)) != len) return 0;
+  buf[len] = 0;
   close(fd);
 
   while (offset < len) {
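Review bot: The short-read path on the unchanged `read()` line between the two added lines still returns without closing `fd`, so every queue file that reads short leaks a descriptor — the new clamp and terminator fix the buffer overrun but leave that leak in place, and afl-fuzz calls this once per queue entry. Change it to `if ((comp = read(fd, buf, len)) != len) { close(fd); return 0; }`. It is also worth a one-line comment on the clamp noting why it is MAX_FILE - 1 and not MAX_FILE: `/* leave room for the NUL terminator written below */`. check_if_text's body continues outside the hunk.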
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 44d3c522..ed4a1081 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -819,16 +819,27 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
 
       fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
 
+      if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
+
+      u32 written = 0;
+      while (written < q->len) {
+
+        ssize_t result = write(fd, in_buf, q->len - written);
+        if (result > 0) written += result;
+
+      }
+
     } else {
 
       unlink(q->fname);                                    /* ignore errors */
       fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
 
-    }
+      if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
 
-    if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
+      ck_write(fd, in_buf, q->len, q->fname);
+
+    }
 
-    ck_write(fd, in_buf, q->len, q->fname);
     close(fd);
 
     memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size);
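Review bot: The new write loop in the O_TRUNC branch never advances the source pointer — `write(fd, in_buf, q->len - written)` re-sends the start of `in_buf` after any partial write, so a short write corrupts the file instead of completing it — and a `write()` that returns -1 (e.g. ENOSPC) or 0 leaves `written` unchanged, so the loop spins forever with no PFATAL. The else branch keeps using `ck_write`, which aborts on a short write; if this branch is meant to tolerate partial writes it needs to offset the buffer, retry only on EINTR and fail on any other error, otherwise it should just call `ck_write(fd, in_buf, q->len, q->fname);` like the other branch. trim_case's body, including the condition that selects this branch, begins and ends outside the hunk.
```c
      if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }

      u32 written = 0;
      while (written < q->len) {

        ssize_t result = write(fd, in_buf + written, q->len - written);
        if (result < 0) {

          if (errno == EINTR) continue;
          PFATAL("Short write to '%s'", q->fname);

        }

        if (result == 0) { FATAL("Short write to '%s'", q->fname); }
        written += (u32)result;

      }
      /* … unchanged: else branch with O_EXCL open and ck_write … */
```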