authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-11-11 14:32:50 +0100
committerAndrea Fioraldi <andreafioraldi@gmail.com>2019-11-11 14:32:50 +0100
commitcd84339bccc104a51a5da614a9f82cc4ae615cce (patch)
tree7eba7ed8cdfa670e0e92f3240c17829ebc2445c3
parent66791a5dad72e56c60fde4db2e53ff91c491da95 (diff)
downloadafl++-cd84339bccc104a51a5da614a9f82cc4ae615cce.tar.gz
libradamsa dlopen
-rw-r--r--Makefile17
-rw-r--r--include/afl-fuzz.h1
-rw-r--r--src/afl-fuzz-globals.c1
-rw-r--r--src/afl-fuzz-one.c7
-rw-r--r--src/afl-fuzz.c71
-rw-r--r--src/third_party/libradamsa/Makefile7
6 files changed, 86 insertions, 18 deletions
diff --git a/Makefile b/Makefile
index 1b1a8d68..7ab9ae45 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)
 
 CFLAGS     ?= -O3 -funroll-loops
 CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-	      -I include/ -I src/third_party/libradamsa/ \
+	      -I include/ \
 	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
 	      -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function
 
@@ -184,11 +184,14 @@ src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
 src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
 	$(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 
-src/third_party/libradamsa/libradamsa.a : src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
+radamsa: src/third_party/libradamsa/libradamsa.so
+	cp src/third_party/libradamsa/libradamsa.so .
+
+src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
 	$(MAKE) -C src/third_party/libradamsa/
 
-afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
+afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
 
 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
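Review bot: The new `radamsa` target never creates a file named `radamsa` — its recipe writes `./libradamsa.so` — so unless `radamsa` is listed in a `.PHONY` line outside this hunk, Make treats it as a perpetually missing file and re-runs the copy on every invocation, while a stray file called `radamsa` in the tree would make it silently up to date. Naming the real output as the target keeps the dependency graph honest: `libradamsa.so: src/third_party/libradamsa/libradamsa.so` / `	cp $< $@` / `radamsa: libradamsa.so`, with `radamsa` added to `.PHONY`. Since `afl-fuzz` no longer links the library and only loads it at run time, plain `make` will not build it; that is presumably intended, but a comment above the rule such as `# optional: build and stage libradamsa.so next to afl-fuzz, where it is found at run time` would save the next reader a search.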
@@ -204,8 +207,8 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
 
 
 # document all mutations and only do one run (use with only one input file!)
-document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
 
 
 code-format:
@@ -253,7 +256,7 @@ all_done: test_build
 .NOTPARALLEL: clean
 
 clean:
-	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
+	rm -f $(PROGS) libradamsa.so afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
 	rm -rf out_dir qemu_mode/qemu-3.1.1 unicorn_mode/unicorn *.dSYM */*.dSYM
 	-$(MAKE) -C llvm_mode clean
 	$(MAKE) -C libdislocator clean
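Review bot: The `libradamsa.so` added to the `rm -f` list on the new line is redundant, because the same list already contains `*.so`, which matches it; either drop the explicit name or, if it is meant to document the staged copy, say so in a comment above the recipe instead. The `clean` recipe continues past the end of the hunk, so I cannot see whether the libradamsa sub-directory is also cleaned.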
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 7de4699a..a1a4ed50 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -286,6 +286,7 @@ extern u8 schedule;                     /* Power schedule (default: EXPLORE)*/
 extern u8 havoc_max_mult;
 
 extern u8 use_radamsa;
+extern size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
 
 extern u8 skip_deterministic,           /* Skip deterministic stages?       */
     force_deterministic,                /* Force deterministic stages?      */
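Review bot: The function-pointer type of `radamsa_mutate_ptr` is written out by hand here and again in src/afl-fuzz-globals.c, so the two can drift apart without any compiler complaint; a typedef in this header, e.g. `typedef size_t (*radamsa_mutate_fn)(u8*, size_t, u8*, size_t, u32);`, used for both the extern and the definition keeps them in sync. The declaration also lacks the trailing comment the neighbouring declarations carry; `/* radamsa_mutate() resolved via dlsym(), NULL until loaded */` records that callers must check it before use, as src/afl-fuzz-one.c does. The same applies to the definition hunk in src/afl-fuzz-globals.c.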
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index 236c4dd3..da134807 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -96,6 +96,7 @@ u8 schedule = EXPLORE;                  /* Power schedule (default: EXPLORE)*/
 u8 havoc_max_mult = HAVOC_MAX_MULT;
 
 u8 use_radamsa;
+size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
 
 u8 skip_deterministic,                  /* Skip deterministic stages?       */
     force_deterministic,                /* Force deterministic stages?      */
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index d10c1922..c02dbeb7 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -24,9 +24,6 @@
  */
 
 #include "afl-fuzz.h"
-#include "radamsa.h"
-
-#define RADAMSA_CHANCE 24
 
 /* MOpt */
 
@@ -2285,7 +2282,7 @@ retry_splicing:
 
 radamsa_stage:
 
-  if (!use_radamsa)
+  if (!use_radamsa || !radamsa_mutate_ptr)
     goto abandon_entry;
   
   stage_name = "radamsa";
@@ -2305,7 +2302,7 @@ radamsa_stage:
   u8 *tmp_buf;
 
   for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
-  u32 new_len = radamsa_mutate(save_buf, len, new_buf, max_len, get_rand_seed());
+  u32 new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed());
 
     if (new_len) {
      
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 14462fb7..a9a576fe 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -24,7 +24,58 @@
  */
 
 #include "afl-fuzz.h"
-#include "radamsa.h"
+
+static u8* get_libradamsa_path(u8* own_loc) {
+
+  u8 *tmp, *cp, *rsl, *own_copy;
+  
+  tmp = getenv("AFL_PATH");
+
+  if (tmp) {
+
+    cp = alloc_printf("%s/libradamsa.so", tmp);
+
+    if (access(cp, X_OK)) FATAL("Unable to find '%s'", cp);
+
+    return cp;
+
+  }
+
+  own_copy = ck_strdup(own_loc);
+  rsl = strrchr(own_copy, '/');
+
+  if (rsl) {
+
+    *rsl = 0;
+
+    cp = alloc_printf("%s/libradamsa.so", own_copy);
+    ck_free(own_copy);
+
+    if (!access(cp, X_OK))
+      return cp;
+
+  } else
+
+    ck_free(own_copy);
+
+  if (!access(BIN_PATH "/libradamsa.so", X_OK)) {
+
+    return ck_strdup(BIN_PATH "/libradamsa.so");
+
+  }
+
+  SAYF("\n" cLRD "[-] " cRST
+       "Oops, unable to find the 'libradamsa.so' binary. The binary must be "
+       "built\n"
+       "    separately using 'make radamsa'."
+       "If you\n"
+       "    already have the binary installed, you may need to specify "
+       "AFL_PATH in the\n"
+       "    environment.\n");
+
+  FATAL("Failed to locate 'libradamsa.so'.");
+
+}
 
 /* Display usage hints. */
 
@@ -545,9 +596,21 @@ int main(int argc, char** argv) {
   if (use_radamsa) {
   
     OKF("Using Radamsa add-on");
-    /* randamsa_init installs some signal hadlers, call it firstly so that
-     AFL++ can then replace those signal handlers */
-    radamsa_init();
+    
+    u8* libradamsa_path = get_libradamsa_path(argv[0]);
+    void* handle = dlopen(libradamsa_path, RTLD_NOW);
+    ck_free(libradamsa_path);
+    
+    if (!handle) FATAL("Failed to dlopen() libradamsa");
+
+    void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init");
+    radamsa_mutate_ptr = dlsym(handle, "radamsa_mutate");
+
+    if (!radamsa_init_ptr || !radamsa_mutate_ptr) FATAL("Failed to dlsym() libradamsa");
+
+    /* randamsa_init installs some signal hadlers, call it before setup_signal_handlers
+       so that AFL++ can then replace those signal handlers */
+    radamsa_init_ptr();
 
   }
   
diff --git a/src/third_party/libradamsa/Makefile b/src/third_party/libradamsa/Makefile
index 9b89817b..d366a3b0 100644
--- a/src/third_party/libradamsa/Makefile
+++ b/src/third_party/libradamsa/Makefile
@@ -1,6 +1,9 @@
 CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
-all: libradamsa.a
+all: libradamsa.so
+
+libradamsa.so: libradamsa.a
+	$(CC) -shared libradamsa.a -o libradamsa.so
 
 libradamsa.a: libradamsa.c radamsa.h
 	@echo " ***************************************************************"
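Review bot: The new recipe `$(CC) -shared libradamsa.a -o libradamsa.so` links a shared object from a static archive with no object file on the command line; with GNU ld, archive members are only extracted to satisfy undefined references, so the resulting `.so` may export none of the radamsa symbols, and the members would in any case need to have been compiled with `-fPIC` — the `libradamsa.a` recipe is cut off below the hunk, so I cannot confirm either. Building the shared object straight from the source side-steps both problems: `libradamsa.so: libradamsa.c radamsa.h` / `	$(CC) -fPIC -shared $< -o $@` (adding whatever flags the archive recipe uses), or keep the archive and wrap it in `-Wl,--whole-archive libradamsa.a -Wl,--no-whole-archive`. Either way, prefer `$<` and `$@` over repeating the file names in the recipe.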
@@ -14,4 +17,4 @@ test: libradamsa.a libradamsa-test.c
 	rm /tmp/libradamsa-*.fuzz
 
 clean:
-	rm -f libradamsa.a libradamsa-test
+	rm -f libradamsa.a libradamsa.so libradamsa-test