diff options
| author | van Hauser <vh@thc.org> | 2023-08-04 09:12:27 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-04 09:12:27 +0200 |
| commit | 4a9264444f8868cc476c926f48c233709766050d (patch) | |
| tree | 82f8d4b1feacf026fabda235a301838ff94265da | |
| parent | 0265b39c138e1451accc048d3442a1e15d7ae86c (diff) | |
| parent | 5d78a6f592fff853ff722f2722a6576b0f565abd (diff) | |
| download | afl++-4a9264444f8868cc476c926f48c233709766050d.tar.gz | |
Merge pull request #1823 from schumilo/dev
Nyx mode updates
| -rw-r--r-- | include/envs.h | 1 | ||||
| -rw-r--r-- | include/forkserver.h | 1 | ||||
| -rw-r--r-- | nyx_mode/LIBNYX_VERSION | 2 | ||||
| -rw-r--r-- | nyx_mode/PACKER_VERSION | 2 | ||||
| m--------- | nyx_mode/QEMU-Nyx | 0 | ||||
| -rw-r--r-- | nyx_mode/QEMU_NYX_VERSION | 2 | ||||
| -rw-r--r-- | nyx_mode/README.md | 21 | ||||
| m--------- | nyx_mode/libnyx | 0 | ||||
| m--------- | nyx_mode/packer | 0 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 10 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 3 |
11 files changed, 39 insertions, 3 deletions
diff --git a/include/envs.h b/include/envs.h index edfd06e4..0ef331ae 100644 --- a/include/envs.h +++ b/include/envs.h @@ -189,6 +189,7 @@ static char *afl_environment_variables[] = { "AFL_MAX_DET_EXTRAS", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_NOOPT", + "AFL_NYX_AUX_SIZE", "AFL_PASSTHROUGH", "AFL_PATH", "AFL_PERFORMANCE_FILE", diff --git a/include/forkserver.h b/include/forkserver.h index f5069ce2..c93c6f61 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -86,6 +86,7 @@ typedef struct { uint32_t size); bool (*nyx_remove_work_dir)(const char *workdir); + bool (*nyx_config_set_aux_buffer_size)(void *config, uint32_t aux_buffer_size); } nyx_plugin_handler_t; diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION index ed88ec10..a4ffd230 100644 --- a/nyx_mode/LIBNYX_VERSION +++ b/nyx_mode/LIBNYX_VERSION @@ -1 +1 @@ -c8a72dc +8291ef4 diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION index 7db88233..cc20a3b6 100644 --- a/nyx_mode/PACKER_VERSION +++ b/nyx_mode/PACKER_VERSION @@ -1 +1 @@ -202bace +bcf3e24 diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx -Subproject 60c216bc9e4c79834716d4099993d8397a3a8fd +Subproject a09d3ae2e66cfe82884a227ea872e48dd2c2ad2 diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION index 98cb134f..75dcbe83 100644 --- a/nyx_mode/QEMU_NYX_VERSION +++ b/nyx_mode/QEMU_NYX_VERSION @@ -1 +1 @@ -60c216bc9e +a09d3ae2e6 diff --git a/nyx_mode/README.md b/nyx_mode/README.md index eee7d363..605bc103 100644 --- a/nyx_mode/README.md +++ b/nyx_mode/README.md @@ -313,6 +313,27 @@ command: If you want to disable fast snapshots (except for crashes), you can simply set the `NYX_DISABLE_SNAPSHOT_MODE` environment variable. +### Nyx crash reports + +If the Nyx agent detects a crash in the target application, it can pass +additional information on that crash to AFL++ (assuming that the agent +implements this feature). For each saved crashing input AFL++ will also create +an additional file in the `crashes` directory with a `.log` file extension. +Crash reports generated by the default agent shipped with the Nyx packer will +contain information such as the faulting address and signal number. +Additionally, if the target is compiled with AddressSanitizer, the crash report +will also contain the entire ASan report. + +From a technical perspective, the crash report is passed from QEMU-Nyx to AFL++ +via a shared memory region called Nyx Auxiliary Buffer which is by default 4096 +bytes in size. In this shared memory region a specific amount is reserved for +the header (1408 bytes) and the remaining bytes can be used to transfer crash +reports (also the `hprintf` feature utilizes the very same shared memory for +transferring data). By default a crash report will be truncated to 2688 bytes. +However, if you want to increase the size of the shared memory region, you can +set the `NYX_AUX_BUFFER_SIZE` environment variable to a higher value (keep in +mind that this value must be a multiple of 4096). + ### Run AFL++Nyx with a custom agent Most of the common use-cases for linux userland targets are already handled by diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx -Subproject 2da7f08b6e0267ccfe64e1320b24cdb29223459 +Subproject 8291ef4cb4f1d4bfe3026fe198167fd5c98e3a1 diff --git a/nyx_mode/packer b/nyx_mode/packer -Subproject 202bace888d237e4e8f4507d0eba6791a811554 +Subproject bcf3e248b660764f48af54232a3388389a2dfc2 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index ba7cdd66..957cb2b7 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -129,6 +129,9 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { plugin->nyx_remove_work_dir = dlsym(handle, "nyx_remove_work_dir"); if (plugin->nyx_remove_work_dir == NULL) { goto fail; } + plugin->nyx_config_set_aux_buffer_size = dlsym(handle, "nyx_config_set_aux_buffer_size"); + if (plugin->nyx_config_set_aux_buffer_size == NULL) { goto fail; } + OKF("libnyx plugin is ready!"); return plugin; @@ -589,6 +592,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + if (getenv("AFL_NYX_AUX_SIZE") != NULL) { + if(fsrv->nyx_handlers->nyx_config_set_aux_buffer_size( + nyx_config, atoi(getenv("AFL_NYX_AUX_SIZE"))) != 1) { + NYX_PRE_FATAL(fsrv, "Invalid AFL_NYX_AUX_SIZE value set (must be a multiple of 4096) ..."); + } + } + if (getenv("NYX_REUSE_SNAPSHOT") != NULL) { if (access(getenv("NYX_REUSE_SNAPSHOT"), F_OK) == -1) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index bacbafc4..9504d908 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -299,6 +299,9 @@ static void usage(u8 *argv0, int more_help) { "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once\n" "AFL_NO_UI: switch status screen off\n" + "AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.\n" + " Increase this value in case the crash reports are truncated.\n" + " Default value is 4096.\n" DYN_COLOR |