diff options
| author | van Hauser <vh@thc.org> | 2020-04-23 12:20:58 +0200 |
|---|---|---|
| committer | van Hauser <vh@thc.org> | 2020-04-23 12:20:58 +0200 |
| commit | b120ca27f86c332854687bb67c4c18d2e6b74ac9 (patch) | |
| tree | ae701489462ac8569a02c69cca6b1e3bd8bd17f6 | |
| parent | 5eb1f3a4c609851e7ee2127d29433b2ed6e56e56 (diff) | |
| download | afl++-b120ca27f86c332854687bb67c4c18d2e6b74ac9.tar.gz | |
add documentation for LTO fixed map address feature
| -rw-r--r-- | docs/Changelog.md | 4 | ||||
| -rw-r--r-- | docs/env_variables.md | 5 | ||||
| -rw-r--r-- | llvm_mode/NOTES | 88 | ||||
| -rw-r--r-- | llvm_mode/README.lto.md | 12 |
4 files changed, 21 insertions, 88 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index 8f584393..ea669eed 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,10 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - better dependency checks - unicorn_mode: - better submodule handling + - llvm_mode: + - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed + address for the shared memory map is used as this increases the + fuzzing speed - all: - fix 32 bit build options - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory diff --git a/docs/env_variables.md b/docs/env_variables.md index 21bf9fad..f6f14dd2 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -123,6 +123,11 @@ Then there are a few specific features that are only available in llvm_mode: These are used if several seperated instrumentation are performed which are then later combined. + + - AFL_LLVM_MAP_ADDR sets the fixed map address to a different address than + the default 0x10000. A value of 0 or empty sets the map address to be + dynamic (the original afl way, which is slower) + - AFL_LLVM_MAP_DYNAMIC sets the shared memory address to be dynamic - AFL_LLVM_LTO_STARTID sets the starting location ID for the instrumentation. This defaults to 1 - AFL_LLVM_LTO_DONTWRITEID prevents that the highest location ID written diff --git a/llvm_mode/NOTES b/llvm_mode/NOTES deleted file mode 100644 index 9aee7f46..00000000 --- a/llvm_mode/NOTES +++ /dev/null @@ -1,88 +0,0 @@ - -markNodes - -> - -whitelist: - set meta information/context to functions? ask llvm-dev - setAttribute/hasAttribute? - -afl-ld: - handle(=instrument) .a archives on the cmdline - -afl-pass-lto-instrument.so: - either a or b: - a) use instrim - b) start in main() or _init() and first otherwise (warn!) - keep list of done functions - final: go through function list and instrument those missing - - - ---------------------------- - - - -for (auto &module : Ctx.getModules()) { - auto &functionList = module->getModule()->getFunctionList(); - for (auto &function : functionList) { - for (auto &bb : function) { - for (auto &instruction : bb) { - if (CallInst *callInst = dyn_cast<CallInst>(&instruction)) { - if (Function *calledFunction = callInst->getCalledFunction()) { - if (calledFunction->getName().startswith("llvm.dbg.declare")) { - - -for (auto &U : F.getUsers()) { <- unbekannt - if (auto CS = CallSite(U)) { - if (CS->getCalledFunction() == F) - -getCalledValue()->stripPointerCasts() - -> for indirect calls - - -CallGraph(M) - - - -#include "llvm/IR/CallSite.h" - -unsigned int indirect_call_cnt = 0; - - printf("Function: %s\n", F.getName().str().c_str()); - int cnt=0; - for (auto *U : F.users()) { -// auto *I = dyn_cast<Instruction>(U); -// if (I) { -// if (cast<CallInst>(I)->getCalledFunction()->getName() == F.getName()) { -// printf("DIRECT CALL %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), cast<CallInst>(I)->getCalledFunction()->getName().str().c_str(), F.getName().str().c_str()); -// } -printf("Callsite #%d\n", ++cnt); - CallSite CS(U); - auto *I = CS.getInstruction(); - if (I) { - Value *called = CS.getCalledValue()->stripPointerCasts(); - Function* f = dyn_cast<Function>(called); - if (f->getName().size() > 0) { - printf("test %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), f->getName().str().c_str(), F.getName().str().c_str()); - if (f->getName() == F.getName()) { - printf("CALL %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), f->getName().str().c_str(), F.getName().str().c_str()); - } - } else - printf("FOO %s->...->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), F.getName().str().c_str()); - if (cast<CallInst>(I)->getCalledFunction()->getName() == F.getName()) { - printf("DIRECT %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), cast<CallInst>(I)->getCalledFunction()->getName().str().c_str(), F.getName().str().c_str()); - } - } else { - printf("WE MISSED SOMETHING HERE!!\n"); - indirect_call_cnt++; - } - } - -oder: - for (auto *U : F.users()) { - if (auto CS = CallSite(U->getUser())) { - if (CS->isCallee(&U)) { - // foo - } - } - } diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 9af9ffff..49407727 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -95,6 +95,18 @@ target binary based on string compare and memory compare functions. afl-fuzz will automatically get these transmitted when starting to fuzz. This improves coverage on a lot of targets. +## Fixed memory map + +To sped up fuzzing, the shared memory map is hard set to a specific address, +by default 0x10000. +In most cases this will work without any problems. +On unusual operating systems/processors/kernels or weird libraries this might +fail so to change the fixed address at compile time set +AFL_LLVM_MAP_ADDR (a value of 0 or empty sets the map address to be +dynamic - the original afl way, which is slower). +AFL_LLVM_MAP_DYNAMIC can be set so the shared memory address is dynamic (which +is safer but also slower). + ## Potential issues ### compiling libraries fails |