authorDominik Maier <domenukk@gmail.com>2020-06-09 03:03:21 +0200
committerDominik Maier <domenukk@gmail.com>2020-06-09 03:03:21 +0200
commit92b8c5bb6037cb6626682653eacaa124504c592b (patch)
tree23976001fee17bd4da81ee965173a24e85bb947b
parent646237e234f74f7f70780f1d880e666fcf75c65e (diff)
downloadafl++-92b8c5bb6037cb6626682653eacaa124504c592b.tar.gz
fixed shmap fuzzing
-rw-r--r--llvm_mode/afl-llvm-rt.o.c19
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-inl.h14
-rw-r--r--src/afl-forkserver.c2
-rw-r--r--src/afl-fuzz-init.c28
-rw-r--r--unicorn_mode/UNICORNAFL_VERSION2
-rw-r--r--unicorn_mode/samples/compcov_x64/compcov_test_harness.py12
-rw-r--r--unicorn_mode/samples/persistent/Makefile2
-rw-r--r--unicorn_mode/samples/persistent/harness.c10
m---------unicorn_mode/unicornafl0
9 files changed, 49 insertions, 40 deletions
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index e039d42e..cc1c7c20 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -122,6 +122,8 @@ static void __afl_map_shm_fuzz() {
if (id_str) {
+ u8 *map = NULL;
+
#ifdef USEMMAP
const char * shm_file_path = id_str;
int shm_fd = -1;
@@ -137,26 +139,29 @@ static void __afl_map_shm_fuzz() {
}
- __afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
+ map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
#else
u32 shm_id = atoi(id_str);
-
- __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
+ map = (u8 *)shmat(shm_id, NULL, 0);
#endif
/* Whooooops. */
- if (__afl_fuzz_len == (void *)-1) {
+ if (!map || map == (void *)-1) {
- fprintf(stderr, "Error: could not access fuzzing shared memory\n");
+ perror("Could not access fuzzign shared memory");
exit(1);
}
- if (getenv("AFL_DEBUG"))
+ __afl_fuzz_len = (u32 *)map;
+ __afl_fuzz_ptr = (u8 *)(map + sizeof(u32));
+
+ if (getenv("AFL_DEBUG")) {
fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n");
+ }
} else {
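Review bot: Under USEMMAP the runtime maps only `MAX_FILE` bytes (the `mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0)` call on the `map =` line), while afl-fuzz allocates `MAX_FILE + sizeof(u32)` for the same region in `setup_testcase_shmem` of src/afl-fuzz-init.c in this commit, and `__afl_fuzz_ptr` now starts at `map + sizeof(u32)`; a test case of the full MAX_FILE length therefore ends sizeof(u32) bytes past the mapping, which faults whenever MAX_FILE is a multiple of the page size (its value is not visible here). The length should match the producer: `map = (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0);`. The new error text also has a typo, `perror("Could not access fuzzing shared memory");`. The `!map` half of the check is dead for both mmap and shmat, which report failure only as `(void *)-1`; harmless, but it suggests a NULL result is possible. __afl_map_shm_fuzz begins and ends outside this hunk.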
@@ -165,8 +170,6 @@ static void __afl_map_shm_fuzz() {
}
- __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
-
}
/* SHM setup. */
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index e4953cb1..8dea004e 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -147,20 +147,22 @@ static void afl_map_shm_fuzz(void) {
if (id_str) {
u32 shm_id = atoi(id_str);
- shared_buf_len = (u32 *)shmat(shm_id, NULL, 0);
- shared_buf = (u8 *)(shared_buf_len + sizeof(int));
-
+ u8 *map = (u8 *)shmat(shm_id, NULL, 0);
/* Whooooops. */
- if (shared_buf == (void *)-1) {
+ if (!map || map == (void *)-1) {
- fprintf(stderr, "[AFL] ERROR: could not access fuzzing shared memory\n");
+ perror("[AFL] ERROR: could not access fuzzing shared memory");
exit(1);
}
- if (getenv("AFL_DEBUG"))
+ shared_buf_len = (u32 *)map;
+ shared_buf = map + sizeof(u32);
+
+ if (getenv("AFL_DEBUG")) {
fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n");
+ }
} else {
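Review bot: The `!map` test on the `if (!map || map == (void *)-1)` line can never fire for shmat(), which signals failure only through `(void *)-1`, so half of the condition is dead and reads as though NULL were a possible result. The offset on the `shared_buf = map + sizeof(u32);` line is the same implicit region layout assumed in llvm_mode/afl-llvm-rt.o.c and src/afl-fuzz-init.c in this commit, but none of the three states it; a one-line comment here, `/* region layout: u32 test case length, then up to MAX_FILE bytes of data */`, would keep the consumers and the producer in sync. afl_map_shm_fuzz begins and ends outside this hunk.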
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 505fb7a3..36126aa7 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
*fsrv->shmem_fuzz_len = len;
memcpy(fsrv->shmem_fuzz, buf, len);
- // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);
+ //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout);
} else {
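Review bot: The replacement on the `//printf(...)` line is still commented-out debugging code, now with `fflush(stdout)` appended, and it reads `buf[0]` unconditionally, which is out of bounds for a zero-length test case if the line is ever re-enabled as written. Either delete the line, or make it a live trace that is guarded by the forkserver's existing debug convention and by `len > 0`. afl_fsrv_write_to_testcase continues outside this hunk.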
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 96d4fc46..54d65b9e 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1960,28 +1960,22 @@ void setup_testcase_shmem(afl_state_t *afl) {
afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
- if ((afl->fsrv.shmem_fuzz_len =
- (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
+ u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
+
+ if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP
- setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
+ setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
#else
- u8 *shm_str;
- shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
- setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
- ck_free(shm_str);
+ u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
+ setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
+ ck_free(shm_str);
#endif
- afl->fsrv.support_shmem_fuzz = 1;
- afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int));
-
- } else {
-
- ck_free(afl->shm_fuzz);
- afl->shm_fuzz = NULL;
+ afl->fsrv.support_shmem_fuzz = 1;
+ afl->fsrv.shmem_fuzz_len = (u32 *)map;
+ afl->fsrv.shmem_fuzz = map + sizeof(u32);
- }
-
-}
+ }
/* Do a PATH search and find target binary to see that it exists and
isn't a shell script - a common and painful mistake. We also check for
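Review bot: The removed `else` branch used to release `afl->shm_fuzz` and continue without shared-memory fuzzing when `afl_shm_init` returned NULL; the replacement `if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }` turns that into an abort, which is correct only if afl_shm_init already aborts on every real failure so that NULL is genuinely unreachable (not visible here; confirm). The layout the target runtimes depend on is fixed on the `afl->fsrv.shmem_fuzz = map + sizeof(u32);` line but not stated; a comment such as `// region layout: u32 test case length at offset 0, then up to MAX_FILE bytes of data` would document the contract that llvm_mode/afl-llvm-rt.o.c and qemu_mode/patches/afl-qemu-cpu-inl.h mirror. The `MAX_FILE + sizeof(u32)` passed to afl_shm_init here is also the length the USEMMAP path in llvm_mode/afl-llvm-rt.o.c should map, rather than the bare `MAX_FILE` it uses in this commit. setup_testcase_shmem begins outside this hunk.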
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 5d10f094..a8527cd5 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-9e9b72a
+e30e3eb
diff --git a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
index 3861f205..b9ebb61d 100644
--- a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
+++ b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
@@ -1,5 +1,5 @@
#!/usr/bin/env python
-"""
+"""
Simple test harness for AFL's Unicorn Mode.
This loads the compcov_target.bin binary (precompiled as MIPS code) into
@@ -11,7 +11,7 @@
Run under AFL as follows:
$ cd <afl_path>/unicorn_mode/samples/simple/
- $ ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
+ $ AFL_COMPCOV_LEVEL=2 ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
"""
import argparse
@@ -42,22 +42,22 @@ try:
print(" Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr))
except ImportError:
def unicorn_debug_instruction(uc, address, size, user_data):
- print(" Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
+ print(" Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
def unicorn_debug_block(uc, address, size, user_data):
print("Basic Block: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
-
+
def unicorn_debug_mem_access(uc, access, address, size, value, user_data):
if access == UC_MEM_WRITE:
print(" >>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value))
else:
- print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size))
+ print(" >>> Read: addr=0x{0:016x} size={1}".format(address, size))
def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data):
if access == UC_MEM_WRITE_UNMAPPED:
print(" >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value))
else:
- print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size))
+ print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size))
def main():
diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile
index cd43bf02..80a47550 100644
--- a/unicorn_mode/samples/persistent/Makefile
+++ b/unicorn_mode/samples/persistent/Makefile
@@ -38,7 +38,7 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h
${MYCC} ${CFLAGS} -O3 -c harness.c
harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
- ${MYCC} ${CFLAGS} -g -c harness.c -o $@
+ ${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@
harness: harness.o
${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@
diff --git a/unicorn_mode/samples/persistent/harness.c b/unicorn_mode/samples/persistent/harness.c
index a30af109..30013b4c 100644
--- a/unicorn_mode/samples/persistent/harness.c
+++ b/unicorn_mode/samples/persistent/harness.c
@@ -129,6 +129,16 @@ static bool place_input_callback(
return false;
}
+#if defined(AFL_DEBUG)
+ printf("[d] harness: input len=%ld, [ ", input_len);
+ int i = 0;
+ for (i = 0; i < input_len && i < 16; i++) {
+ printf("0x%02x ", (unsigned char) input[i]);
+ }
+ if (input_len > 16) printf("... ");
+ printf("]\n");
+#endif
+
// For persistent mode, we have to set up stack and memory each time.
uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back
// Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly)
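Review bot: The `%ld` in `printf("[d] harness: input len=%ld, [ ", input_len);` does not match `input_len` if it is `size_t`, as unicornafl's place_input_callback signature declares (the signature is above this hunk; confirm); a mismatched conversion specifier is undefined behaviour by the standard even where the widths happen to coincide, so `%zu` is the right choice. The counter `int i` is then compared against that unsigned length, which `-Wsign-compare` flags; `for (size_t i = 0; i < input_len && i < 16; i++) {` fixes both and makes the separate `int i = 0;` declaration unnecessary. The single-statement `if (input_len > 16) printf("... ");` should be braced like the rest of the block. place_input_callback begins before this hunk.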
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject 9e9b72a91f84588defa1984e562cee19b4b4932
+Subproject e30e3ebbdba4d170fe9052ce5ce965a85b2e6b7