author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-02-21 16:50:06 +0100 |
---|---|---|
committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-02-21 16:50:06 +0100 |
commit | 7323833888142d0e6357f22d7e1b6450cd062579 (patch) | |
tree | 064f16e477f305bf73ebb00586f9d552ee0f2072 | |
parent | 8904200d4825021324569f816ce728d122dc77d3 (diff) | |
block the usage of mopt with optional mutators (redqueen/radamsa/etc...)
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 10 | ||||
-rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 25 | ||||
-rw-r--r-- | llvm_mode/cmplog-routines-pass.cc | 38 | ||||
-rw-r--r-- | src/afl-forkserver.c | 6 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 6 | ||||
-rw-r--r-- | src/afl-fuzz-python.c | 6 | ||||
-rw-r--r-- | src/afl-fuzz-redqueen.c | 39 | ||||
-rw-r--r-- | src/afl-fuzz.c | 12 | ||||
-rw-r--r-- | src/afl-showmap.c | 2 |
9 files changed, 83 insertions, 61 deletions
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 683b6bee..fe987157 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -202,13 +202,13 @@ static void edit_params(u32 argc, char** argv) { if (cmplog_mode) { cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard,trace-cmp"; - + cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-routines-pass.so", obj_path); - + cc_params[cc_par_cnt++] = "-fno-inline"; } else {
@@ -423,8 +423,7 @@ static void edit_params(u32 argc, char** argv) { break; case 32: - cc_params[cc_par_cnt++] = - alloc_printf("%s/afl-llvm-rt-32.o", obj_path); + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path); if (access(cc_params[cc_par_cnt - 1], R_OK)) FATAL("-m32 is not supported by your compiler");
@@ -432,8 +431,7 @@ static void edit_params(u32 argc, char** argv) { break; case 64: - cc_params[cc_par_cnt++] = - alloc_printf("%s/afl-llvm-rt-64.o", obj_path); + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path); if (access(cc_params[cc_par_cnt - 1], R_OK)) FATAL("-m64 is not supported by your compiler");
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index d776462c..5d6e30f5 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -370,7 +370,7 @@ void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) { uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits = __afl_cmp_map->headers[k].hits;
@@ -394,7 +394,7 @@ void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) { uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits = __afl_cmp_map->headers[k].hits;
@@ -415,7 +415,7 @@ void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) { uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits = __afl_cmp_map->headers[k].hits;
@@ -473,21 +473,19 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) { // to avoid to call it on .text addresses static int area_is_mapped(void* ptr, size_t len) { - char * p = ptr; - char * page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) -1)); + char* p = ptr; + char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1)); int r = msync(page, (p - page) + len, MS_ASYNC); - if (r < 0) - return errno != ENOMEM; + if (r < 0) return errno != ENOMEM; return 1; } void __cmplog_rtn_hook(void* ptr1, void* ptr2) { - if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) - return; - + if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return; + uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1;
@@ -500,7 +498,10 @@ void __cmplog_rtn_hook(void* ptr1, void* ptr2) { __afl_cmp_map->headers[k].shape = 31; hits &= CMP_MAP_RTN_H - 1; - __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0, ptr1, 32); - __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1, ptr2, 32); + __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0, + ptr1, 32); + __builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1, + ptr2, 32); } +
diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc
index e7125f9f..b24aaa4e 100644
--- a/llvm_mode/cmplog-routines-pass.cc
+++ b/llvm_mode/cmplog-routines-pass.cc
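Review bot: `area_is_mapped` in the @@ -473 hunk reports a region as mapped whenever msync() fails with any errno other than ENOMEM, so an unexpected failure still lets `__cmplog_rtn_hook` copy 32 bytes from an address the kernel just refused to touch; treating every failure as unmapped, `if (r < 0) return 0;`, is the safer default for a probe whose only job is to avoid faulting. The same hunk calls `sysconf(_SC_PAGE_SIZE)` on every hooked comparison, which is easy to hoist into a function-local `static long page_size` initialised on first use. A one-line comment above the function saying it is a best-effort msync() probe that only checks page mappings, not that `len` bytes belong to a live object, would help the next reader; the hook body continues in the @@ -500 hunk below.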
@@ -107,15 +107,16 @@ bool CmpLogRoutines::hookRtns(Module &M) { std::vector<CallInst *> calls; LLVMContext & C = M.getContext(); - Type * VoidTy = Type::getVoidTy(C); - PointerType * VoidPtrTy = PointerType::get(VoidTy, 0); + Type * VoidTy = Type::getVoidTy(C); + PointerType *VoidPtrTy = PointerType::get(VoidTy, 0); #if LLVM_VERSION_MAJOR < 9 Constant * #else FunctionCallee #endif - c = M.getOrInsertFunction("__cmplog_rtn_hook", VoidTy, VoidPtrTy, VoidPtrTy + c = M.getOrInsertFunction("__cmplog_rtn_hook", VoidTy, VoidPtrTy, + VoidPtrTy #if LLVM_VERSION_MAJOR < 5 , NULL
@@ -255,14 +256,13 @@ bool CmpLogRoutines::hookRtns(Module &M) { FunctionType *FT = Callee->getFunctionType(); - bool isPtrRtn = - FT->getNumParams() >= 2 && !FT->getReturnType()->isVoidTy() && - FT->getParamType(0) == FT->getParamType(1) && - FT->getParamType(0)->isPointerTy(); - - if (!isPtrRtn) - continue; - + bool isPtrRtn = FT->getNumParams() >= 2 && + !FT->getReturnType()->isVoidTy() && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0)->isPointerTy(); + + if (!isPtrRtn) continue; + calls.push_back(callInst); }
@@ -278,16 +278,15 @@ bool CmpLogRoutines::hookRtns(Module &M) { for (auto &callInst : calls) { - Value *v1P = callInst->getArgOperand(0), - *v2P = callInst->getArgOperand(1); - + Value *v1P = callInst->getArgOperand(0), *v2P = callInst->getArgOperand(1); + IRBuilder<> IRB(callInst->getParent()); IRB.SetInsertPoint(callInst); - - std::vector<Value*> args; + + std::vector<Value *> args; args.push_back(v1P); args.push_back(v2P); - + IRB.CreateCall(cmplogHookFn, args, "tmp"); // errs() << callInst->getCalledFunction()->getName() << "\n";
@@ -301,7 +300,8 @@ bool CmpLogRoutines::hookRtns(Module &M) { bool CmpLogRoutines::runOnModule(Module &M) { if (getenv("AFL_QUIET") == NULL) - llvm::errs() << "Running cmplog-routines-pass by andreafioraldi@gmail.com\n"; + llvm::errs() + << "Running cmplog-routines-pass by andreafioraldi@gmail.com\n"; hookRtns(M); verifyModule(M);
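Review bot: `PointerType::get(VoidTy, 0)` in the @@ -107 hunk builds a pointer to LLVM's `void` type; as far as I recall `PointerType::isValidElementType` rejects `void`, so this trips an assertion on an asserts-enabled LLVM and only happens to work on release builds. The C `void*` that `__cmplog_rtn_hook` takes is spelled as a byte pointer in IR, i.e. `PointerType *VoidPtrTy = Type::getInt8PtrTy(C);`, which keeps the `getOrInsertFunction` signature unchanged. `hookRtns` starts before and ends after this hunk.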
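Review bot: The `isPtrRtn` selection in the @@ -255 hunk is undocumented: it hooks every call whose callee returns non-void and whose first two parameters share one pointer type, which catches strcmp/memcmp-style routines but equally anything else with that shape. A comment above `bool isPtrRtn`, such as `// Heuristic: a non-void routine whose first two params are the same pointer type is treated as comparison-like (strcmp, memcmp, ...); a false positive only costs an extra hook call`, would spare readers re-deriving the intent and make the 32-byte operand capture in the runtime easier to relate to this filter. The enclosing loop and function lie outside the hunk.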
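Review bot: `IRB.CreateCall(cmplogHookFn, args, "tmp")` in the @@ -278 hunk requests a value name for a call whose return type is `VoidTy`; if I remember `Value::setName` correctly, naming a void value asserts on asserts-enabled LLVM builds and is silently discarded otherwise, so the name buys nothing either way. Dropping the third argument, `IRB.CreateCall(cmplogHookFn, args);`, is the cheap fix, and the commented-out `errs()` debug line below it could go at the same time. The surrounding `for (auto &callInst : calls)` loop continues past the hunk.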
@@ -310,7 +310,7 @@ bool CmpLogRoutines::runOnModule(Module &M) { } static void registerCmpLogRoutinesPass(const PassManagerBuilder &, - legacy::PassManagerBase &PM) { + legacy::PassManagerBase &PM) { auto p = new CmpLogRoutines(); PM.add(p);
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 57d46391..ce809532 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -154,8 +154,7 @@ void init_forkserver(char **argv) { int status; s32 rlen; - if (!getenv("AFL_QUIET")) - ACTF("Spinning up the fork server..."); + if (!getenv("AFL_QUIET")) ACTF("Spinning up the fork server..."); if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed");
@@ -312,8 +311,7 @@ void init_forkserver(char **argv) { if (rlen == 4) { - if (!getenv("AFL_QUIET")) - OKF("All right - fork server is up."); + if (!getenv("AFL_QUIET")) OKF("All right - fork server is up."); return; }
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 2176c5cf..93ecfe99 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -303,6 +303,12 @@ void setup_custom_mutator(void) { if (!fn) return; + if (limit_time_sig) + FATAL( + "MOpt and custom mutator are mutually exclusive. We accept pull " + "requests that integrates MOpt with the optional mutators " + "(custom/radamsa/redquenn/...)."); + ACTF("Loading custom mutator library from '%s'...", fn); dh = dlopen(fn, RTLD_NOW);
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index f06c8e25..42286527 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -35,6 +35,12 @@ int init_py() { if (module_name) { + if (limit_time_sig) + FATAL( + "MOpt and Python mutator are mutually exclusive. We accept pull " + "requests that integrates MOpt with the optional mutators " + "(custom/radamsa/redquenn/...)."); + #if PY_MAJOR_VERSION >= 3 PyObject* py_name = PyUnicode_FromString(module_name); #else
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index b09a977f..a335656b 100644
--- a/src/afl-fuzz-redqueen.c
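Review bot: The new FATAL message in the afl-fuzz-init.c @@ -303 hunk misspells the mutator name and has an agreement slip: `redquenn` should read `redqueen` and "pull requests that integrates" should read "pull requests that integrate"; the same text is pasted into afl-fuzz-python.c @@ -35 and afl-fuzz.c @@ -624 and @@ -892, so all four copies need the fix. Since the four checks differ only in the mutator name, one shared format string such as `"%s and MOpt are mutually exclusive. We accept pull requests that integrate MOpt with the optional mutators (custom/radamsa/redqueen/...)."` passed to FATAL with the mutator name would keep them from drifting apart again. `setup_custom_mutator` continues outside the hunk.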
+++ b/src/afl-fuzz-redqueen.c
@@ -145,9 +145,8 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { --stage_cur; } - - if (stage_cur) - queue_cur->fully_colorized = 1; + + if (stage_cur) queue_cur->fully_colorized = 1; new_hit_cnt = queued_paths + unique_crashes; stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt;
@@ -418,22 +417,21 @@ u8 rtn_extend_encoding(struct cmp_header* h, u8* pattern, u8* repl, u32 idx, u32 i; u32 its_len = MIN(32, len - idx); - + u8 save[32]; memcpy(save, &buf[idx], its_len); *status = 0; for (i = 0; i < its_len; ++i) { - - if (pattern[idx + i] != orig_buf[idx + i] || *status == 1) - break; - - buf[idx +i] = repl[idx + i]; + + if (pattern[idx + i] != orig_buf[idx + i] || *status == 1) break; + + buf[idx + i] = repl[idx + i]; if (unlikely(its_fuzz(buf, len, status))) return 1; - + } - + memcpy(&buf[idx], save, i); return 0;
@@ -457,7 +455,8 @@ u8 rtn_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { // opt not in the paper for (j = 0; j < i; ++j) - if (!memcmp(&((struct cmpfn_operands*)cmp_map->log[key])[j], o, sizeof(struct cmpfn_operands))) + if (!memcmp(&((struct cmpfn_operands*)cmp_map->log[key])[j], o, + sizeof(struct cmpfn_operands))) goto rtn_fuzz_next_iter; for (idx = 0; idx < len && fails < 8; ++idx) {
@@ -532,17 +531,19 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, stage_max += MIN(cmp_map->headers[k].hits, CMP_MAP_RTN_H); } - + for (k = 0; k < CMP_MAP_W; ++k) { if (!cmp_map->headers[k].hits) continue; - + if (cmp_map->headers[k].type == CMP_TYPE_INS) { - if (unlikely(cmp_fuzz(k, orig_buf, buf, len))) - goto exit_its; + + if (unlikely(cmp_fuzz(k, orig_buf, buf, len))) goto exit_its; + } else { - if (unlikely(rtn_fuzz(k, orig_buf, buf, len))) - goto exit_its; + + if (unlikely(rtn_fuzz(k, orig_buf, buf, len))) goto exit_its; + } }
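Review bot: `rtn_extend_encoding` in the @@ -418 hunk indexes `pattern` and `repl` with `idx + i` even though `its_len` is capped at 32 and `save` is 32 bytes; if `pattern`/`repl` are the 32-byte `v0`/`v1` operands that `__cmplog_rtn_hook` records (the caller is outside this hunk, so I cannot confirm it here), then for any `idx > 0` the loop compares and copies bytes past the end of the operand instead of the operand itself, an out-of-bounds read into whatever follows in the cmp log. The operand offset should be `i` alone: `if (pattern[i] != orig_buf[idx + i] || *status == 1) break;` and `buf[idx + i] = repl[i];`. Separately, the early `return 1` from `its_fuzz` skips the `memcpy(&buf[idx], save, i)` restore and leaves the partially patched bytes in `buf`, which may be intended since the caller abandons the stage but deserves a comment either way. The function's signature sits in the hunk header, outside the hunk body.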
@@ -551,7 +552,7 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, exit_its: memcpy(orig_buf, buf, len); - + new_hit_cnt = queued_paths + unique_crashes; stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_ITS] += total_execs - orig_execs;
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a9a6db97..5fa737d7 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -624,6 +624,12 @@ int main(int argc, char** argv, char** envp) { if (use_radamsa) { + if (limit_time_sig) + FATAL( + "MOpt and Radamsa are mutually exclusive. We accept pull requests " + "that integrates MOpt with the optional mutators " + "(custom/radamsa/redquenn/...)."); + OKF("Using Radamsa add-on"); u8* libradamsa_path = get_libradamsa_path(argv[0]);
@@ -892,6 +898,12 @@ int main(int argc, char** argv, char** envp) { if (cmplog_binary) { + if (limit_time_sig) + FATAL( + "MOpt and CmpLog are mutually exclusive. We accept pull requests " + "that integrates MOpt with the optional mutators " + "(custom/radamsa/redquenn/...)."); + if (unicorn_mode) FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); if (!qemu_mode) check_binary(cmplog_binary);
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index cd4f2b7b..5ea164f8 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -80,7 +80,7 @@ u8 *out_file, /* Trace output file */ *stdin_file, /* stdin file */ *in_dir, /* input folder */ *doc_path, /* Path to docs */ - *at_file = NULL; /* Substitution string for @@ */ + *at_file = NULL; /* Substitution string for @@ */ static u8* in_data; /* Input data */ |