authorvan Hauser <vh@thc.org>2020-08-04 13:30:08 +0200
committerGitHub <noreply@github.com>2020-08-04 13:30:08 +0200
commitb2aa8b03d91b5d19384df2cb0318f65c5cb4b934 (patch)
treea1ae0e98728da60f929f834148d426911ed5d2a0
parentd5d8d664d0d4b95792aaccd16264f3a3cff48cc8 (diff)
parente1d20706ca97faf871abc03a9db3b551277d6b3f (diff)
Merge pull request #488 from AFLplusplus/dev
Dev
-rw-r--r--examples/afl_untracer/afl-untracer.c2
-rwxr-xr-xexamples/afl_untracer/libtestinstr.sobin0 -> 17152 bytes
-rw-r--r--examples/afl_untracer/patches.txt57
-rw-r--r--libtokencap/Makefile19
-rw-r--r--llvm_mode/afl-clang-fast.c16
-rw-r--r--llvm_mode/afl-llvm-lto-instrumentation.so.cc34
-rw-r--r--src/afl-fuzz-init.c12
7 files changed, 92 insertions, 48 deletions
diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c
index 77b15eb8..cb6f948c 100644
--- a/examples/afl_untracer/afl-untracer.c
+++ b/examples/afl_untracer/afl-untracer.c
@@ -437,6 +437,8 @@ inline static u32 __afl_next_testcase(u8 *buf, u32 max_len) {
   if (write(FORKSRV_FD + 1, &pid, 4) != 4) do_exit = 1;
   // fprintf(stderr, "write1 %d\n", do_exit);
 
+  __afl_area_ptr[0] = 1;  // put something in the map
+
   return status;
 
 }
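Review bot: The comment on the added `__afl_area_ptr[0] = 1;` says what the line does but not why it is needed at this point of the handshake, which is the part a reader of afl-untracer will ask about. I would replace it with something like `// mark map[0] so the fuzzer never receives an all-zero trace map for this test case — TODO(review): confirm this is the intent`, hedged until the author confirms the reason. __afl_next_testcase begins before the hunk, so whether `__afl_area_ptr` can still be unset here is not visible from the hunk.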
diff --git a/examples/afl_untracer/libtestinstr.so b/examples/afl_untracer/libtestinstr.so
new file mode 100755
index 00000000..389a946c
--- /dev/null
+++ b/examples/afl_untracer/libtestinstr.so
Binary files differ
diff --git a/examples/afl_untracer/patches.txt b/examples/afl_untracer/patches.txt
index b3063e3a..7e964249 100644
--- a/examples/afl_untracer/patches.txt
+++ b/examples/afl_untracer/patches.txt
@@ -1,23 +1,34 @@
-libtestinstr.so:0x2000L

-0x1050L

-0x1063L

-0x106fL

-0x1078L

-0x1080L

-0x10a4L

-0x10b0L

-0x10b8L

-0x10c0L

-0x10c9L

-0x10d7L

-0x10e3L

-0x10f8L

-0x1100L

-0x1105L

-0x111aL

-0x1135L

-0x1143L

-0x114eL

-0x115cL

-0x116aL

-0x116bL

+libtestinstr.so:0x1000
+0x10
+0x12
+0x20
+0x36
+0x30
+0x40
+0x50
+0x63
+0x6f
+0x78
+0x80
+0xa4
+0xb0
+0xb8
+0x100
+0xc0
+0xc9
+0xd7
+0xe3
+0xe8
+0xf8
+0x105
+0x11a
+0x135
+0x141
+0x143
+0x14e
+0x15a
+0x15c
+0x168
+0x16a
+0x16b
+0x170
diff --git a/libtokencap/Makefile b/libtokencap/Makefile
index 8bdfa5ac..244ee58f 100644
--- a/libtokencap/Makefile
+++ b/libtokencap/Makefile
@@ -28,23 +28,22 @@ UNAME_S =$(shell uname -s)# GNU make
 UNAME_S:sh=uname -s       # BSD make
 _UNIQ=_QINU_
 
-     _OS_DL = $(_UNIQ)$(UNAME_S)
-    __OS_DL =     $(_OS_DL:$(_UNIQ)Linux=$(_UNIQ))
-   ___OS_DL =    $(__OS_DL:$(_UNIQ)Darwin=$(_UNIQ))
-  ____OS_DL =   $(___OS_DL:$(_UNIQ)DragonFly=$(_UNIQ))
- _____OS_DL =  $(____OS_DL:$(_UNIQ)$(UNAME_S)=)
-______OS_DL = $(_____OS_DL:$(_UNIQ)="-ldl")
+    _OS_DL = $(_UNIQ)$(UNAME_S)
+   __OS_DL =     $(_OS_DL:$(_UNIQ)Linux=$(_UNIQ))
+  ___OS_DL =    $(__OS_DL:$(_UNIQ)Darwin=$(_UNIQ))
+ ____OS_DL =   $(___OS_DL:$(_UNIQ)$(UNAME_S)=)
+_____OS_DL =  $(____OS_DL:$(_UNIQ)="-ldl")
 
-     _OS_TARGET = $(____OS_DL:$(_UNIQ)FreeBSD=$(_UNIQ))
+     _OS_TARGET = $(___OS_DL:$(_UNIQ)FreeBSD=$(_UNIQ))
     __OS_TARGET =     $(_OS_TARGET:$(_UNIQ)OpenBSD=$(_UNIQ))
    ___OS_TARGET =    $(__OS_TARGET:$(_UNIQ)NetBSD=$(_UNIQ))
   ____OS_TARGET =   $(___OS_TARGET:$(_UNIQ)Haiku=$(_UNIQ))
  _____OS_TARGET =  $(____OS_TARGET:$(_UNIQ)SunOS=$(_UNIQ))
-______OS_TARGET =  $(____OS_TARGET:$(_UNIQ)$(UNAME_S)=)
+______OS_TARGET = $(_____OS_TARGET:$(_UNIQ)$(UNAME_S)=)
 
-TARGETS       =  $(_____OS_TARGET:$(_UNIQ)=libtokencap.so)
+TARGETS       =  $(______OS_TARGET:$(_UNIQ)=libtokencap.so)
 
-LDFLAGS     += $(______OS_DL)
+LDFLAGS     += $(_____OS_DL)
 
 #ifeq "$(shell uname)" "Linux"
 #  TARGETS = libtokencap.so
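Review bot: The rewritten `_OS_DL` chain drops the `$(_UNIQ)DragonFly=$(_UNIQ)` step that the removed lines had, and since the new `_OS_TARGET` on the next changed line now starts from `___OS_DL`, DragonFly is in neither chain any more: on that platform `_____OS_DL` collapses to empty (no `-ldl`) and `TARGETS` collapses to empty, so nothing is built where the old Makefile built libtokencap.so with `-ldl`. If dropping DragonFly is intentional it deserves a comment; otherwise re-insert a DragonFly substitution after the Darwin step and renumber the chain so `_OS_TARGET` starts from the step that follows it. The renumbering fixes to `______OS_TARGET`, `TARGETS` and `LDFLAGS` are otherwise consistent.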
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 738433ac..ef99e3f3 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -255,12 +255,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   if (getenv("LAF_TRANSFORM_COMPARES") ||
       getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) {
 
-    if (!be_quiet && getenv("AFL_LLVM_LTO_AUTODICTIONARY") && lto_mode)
-      WARNF(
-          "using AFL_LLVM_LAF_TRANSFORM_COMPARES together with "
-          "AFL_LLVM_LTO_AUTODICTIONARY makes no sense. Use only "
-          "AFL_LLVM_LTO_AUTODICTIONARY.");
-
     cc_params[cc_par_cnt++] = "-Xclang";
     cc_params[cc_par_cnt++] = "-load";
     cc_params[cc_par_cnt++] = "-Xclang";
@@ -311,6 +305,11 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   if (lto_mode) {
 
+    if (cmplog_mode)
+      unsetenv("AFL_LLVM_LTO_AUTODICTIONARY");
+    else
+      setenv("AFL_LLVM_LTO_AUTODICTIONARY", "1", 1);
+
     cc_params[cc_par_cnt++] = alloc_printf("-fuse-ld=%s", AFL_REAL_LD);
     cc_params[cc_par_cnt++] = "-Wl,--allow-multiple-definition";
     /*
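Review bot: The new `setenv("AFL_LLVM_LTO_AUTODICTIONARY", "1", 1)` uses overwrite=1, so whatever the user put in the environment is replaced and, after this change, there is no way to opt out of the autodictionary in LTO mode other than enabling CmpLog; the removed warning in the previous hunk and the `|| lto_mode` simplification in the last hunk rest on the same assumption. The wrapper's environment is the channel here because the LTO pass's runOnModule reads the same variable with getenv in this commit, so the choice should at least be recorded at the call site, e.g. `/* LTO: autodictionary is forced on for the pass; CmpLog builds turn it off — TODO(review): document why */`. If a user opt-out is wanted, preserve an explicit setting (check getenv before the setenv, or pass overwrite=0). The return values of setenv/unsetenv are ignored, which is tolerable for a build wrapper but worth a word. edit_params continues outside the hunk.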
@@ -398,6 +397,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
       continue;
 
     if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
+    if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;
 
     cc_params[cc_par_cnt++] = cur;
 
@@ -472,9 +472,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   }
 
   if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") ||
-      getenv("LAF_TRANSFORM_COMPARES") ||
-      (lto_mode && (getenv("AFL_LLVM_LTO_AUTODICTIONARY") ||
-                    getenv("AFL_LLVM_AUTODICTIONARY")))) {
+      getenv("LAF_TRANSFORM_COMPARES") || lto_mode) {
 
     cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
     cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
index 5686eb56..38c3f202 100644
--- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc
+++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
@@ -86,7 +86,7 @@ class AFLLTOPass : public ModulePass {
   bool runOnModule(Module &M) override;
 
  protected:
-  int      afl_global_id = 1, autodictionary = 1;
+  int      afl_global_id = 1, autodictionary = 0;
   uint32_t function_minimum_size = 1;
   uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0;
   uint64_t map_addr = 0x10000;
@@ -105,6 +105,11 @@ bool AFLLTOPass::runOnModule(Module &M) {
   char *                           ptr;
   FILE *                           documentFile = NULL;
 
+  srand((unsigned int)time(NULL));
+
+  unsigned long long int moduleID =
+      (((unsigned long long int)(rand() & 0xffffffff)) << 32) | getpid();
+
   IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
   IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
   IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
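Review bot: `moduleID` is built from the first rand() after `srand((unsigned int)time(NULL))` combined with getpid(), so two modules processed by the same process within the same second get the same value; since the ID is written to documentFile in a later hunk precisely to tell modules apart, such collisions defeat its purpose. `rand() & 0xffffffff` is also a no-op because rand() never exceeds RAND_MAX, and calling srand() inside a compiler pass reseeds the host process's global PRNG as a side effect. A per-process counter, or a hash of the module name such as `std::hash<std::string>{}(M.getName().str())` (if `<functional>` is available in this TU), would give a deterministic, collision-free ID and let the srand() call go. runOnModule continues outside the hunk.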
@@ -128,6 +133,8 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
   }
 
+  if (getenv("AFL_LLVM_LTO_AUTODICTIONARY")) autodictionary = 1;
+
   if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0;
 
   if (getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2;
@@ -189,13 +196,32 @@ bool AFLLTOPass::runOnModule(Module &M) {
   ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
   ConstantInt *One = ConstantInt::get(Int8Ty, 1);
 
+  /* This dumps all inialized global strings - might be useful in the future
+  for (auto G=M.getGlobalList().begin(); G!=M.getGlobalList().end(); G++) {
+
+    GlobalVariable &GV=*G;
+    if (!GV.getName().str().empty()) {
+
+      fprintf(stderr, "Global Variable: %s", GV.getName().str().c_str());
+      if (GV.hasInitializer())
+        if (auto *Val = dyn_cast<ConstantDataArray>(GV.getInitializer()))
+          fprintf(stderr, " Value: \"%s\"", Val->getAsString().str().c_str());
+      fprintf(stderr, "\n");
+
+    }
+
+  }
+
+  */
+
   /* Instrument all the things! */
 
   int inst_blocks = 0;
 
   for (auto &F : M) {
 
-    // fprintf(stderr, "DEBUG: Function %s\n", F.getName().str().c_str());
+    // fprintf(stderr, "DEBUG: Module %s Function %s\n",
+    // M.getName().str().c_str(), F.getName().str().c_str());
 
     if (F.size() < function_minimum_size) continue;
     if (isIgnoreFunction(&F)) continue;
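Review bot: The block commented out at the top of the hunk is seventeen lines of dead code kept "for the future"; it is never compiled, so it will rot silently, and its own comment already misspells "initialized" as "inialized". Either drop it and keep it in the commit history, or keep it compiled behind an existing debug switch so it stays buildable. The two-line commented-out fprintf below has the same issue on a smaller scale. runOnModule continues outside the hunk.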
@@ -603,8 +629,8 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
           if (documentFile) {
 
-            fprintf(documentFile, "%s %u\n", F.getName().str().c_str(),
-                    afl_global_id);
+            fprintf(documentFile, "ModuleID=%llu Function=%s edgeID=%u\n",
+                    moduleID, F.getName().str().c_str(), afl_global_id);
 
           }
 
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 396a20f0..2c17ffbb 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -490,9 +490,13 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
 
       if (nl_cnt == 0) {
 
-        if (first)
+        if (first) {
+
           WARNF("directory %s is currently empty",
                 afl->foreign_syncs[iter].dir);
+
+        }
+
         continue;
 
       }
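Review bot: The braces added around `if (first) WARNF(...)` here and in the next hunk change nothing for a single-statement body, so the motivation is presumably that WARNF expands to more than one statement and the old form let part of it run unconditionally; if so, the robust fix is to make the macro a `do { ... } while (0)` at its definition rather than bracing each call site. Otherwise a one-line comment at the first site explaining why the braces matter would keep a future cleanup from removing them. read_foreign_testcases continues outside the hunk.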
@@ -540,11 +544,15 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
 
         if (st.st_size > MAX_FILE) {
 
-          if (first)
+          if (first) {
+
             WARNF(
                 "Test case '%s' is too big (%s, limit is %s), skipping", fn2,
                 stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size),
                 stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE));
+
+          }
+
           ck_free(fn2);
           continue;