diff options
| author | Dominik Maier <domenukk@gmail.com> | 2020-05-31 04:13:41 +0200 |
|---|---|---|
| committer | Dominik Maier <domenukk@gmail.com> | 2020-05-31 04:13:41 +0200 |
| commit | ee14785f687d1fc99a16c4143a1fec0eba13afed (patch) | |
| tree | 907baaafea2f59e66d3b2320f1a69241e4831bbb | |
| parent | c0ed118ba553846fb80cfed5c02d66e5435b94c5 (diff) | |
| download | afl++-ee14785f687d1fc99a16c4143a1fec0eba13afed.tar.gz | |
starting shmap support for unicorn
| -rw-r--r-- | include/afl-fuzz.h | 6 | ||||
| -rw-r--r-- | include/forkserver.h | 4 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 12 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 54 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 3 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 7 | ||||
| -rw-r--r-- | unicorn_mode/UNICORNAFL_VERSION | 2 | ||||
| m--------- | unicorn_mode/unicornafl | 0 |
9 files changed, 55 insertions, 35 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 32ae2a58..bb0bbfe2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -444,7 +444,8 @@ typedef struct afl_state { deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - disable_trim; /* Never trim in fuzz_one */ + disable_trim, /* Never trim in fuzz_one */ + shmem_testcase_mode; /* If sharedmem testcases are used */ u8 *virgin_bits, /* Regions yet untouched by fuzzing */ *virgin_tmout, /* Bits we haven't seen in tmouts */ @@ -806,6 +807,9 @@ void afl_states_clear_screen(void); /* Sets the skip flag on all states */ void afl_states_request_skip(void); +/* Setup shmem for testcase delivery */ +void setup_testcase_shmem(afl_state_t *afl); + void read_afl_environment(afl_state_t *, char **); /**** Prototypes ****/ diff --git a/include/forkserver.h b/include/forkserver.h index 00555d7e..840ab509 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -81,9 +81,9 @@ typedef struct afl_forkserver { u8 qemu_mode; /* if running in qemu mode or not */ - u32 shdmem_fuzz_len; /* length of the fuzzing test case */ + u32 shmem_fuzz_len; /* length of the fuzzing test case */ - u8 *shdmem_fuzz; /* allocated memory for fuzzing */ + u8 *shmem_fuzz; /* allocated memory for fuzzing */ char *cmplog_binary; /* the name of the cmplog binary */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 76674389..961748ec 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -286,7 +286,7 @@ static void report_error_and_exit(int error) { } -/* Spins up fork server (instrumented mode only). The idea is explained here: +/* Spins up fork server. The idea is explained here: http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html @@ -305,7 +305,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->use_fauxsrv) { - /* TODO: Come up with sone nice way to initalize this all */ + /* TODO: Come up with sone nice way to initialize this all */ if (fsrv->init_child_func != fsrv_exec_child) { @@ -823,10 +823,10 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { - if (fsrv->shdmem_fuzz) { + if (fsrv->shmem_fuzz) { - memcpy(fsrv->shdmem_fuzz, buf, len); - fsrv->shdmem_fuzz_len = len; + memcpy(fsrv->shmem_fuzz, buf, len); + fsrv->shmem_fuzz_len = len; } else { @@ -888,7 +888,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, MEM_BARRIER(); - if (fsrv->shdmem_fuzz_len) write_value += (fsrv->shdmem_fuzz_len << 8); + if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8); /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9349fefe..840b57f4 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1949,6 +1949,36 @@ static void handle_skipreq(int sig) { } + +/* Setup shared map for fuzzing with input via sharedmem */ + +void setup_testcase_shmem(afl_state_t *afl) { + + afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + // we need to set the dumb mode to not overwrite the SHM_ENV_VAR + if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { + +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str; + shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + afl->fsrv.support_shdmen_fuzz = 1; + + } else { + + ck_free(afl->shm_fuzz); + afl->shm_fuzz = NULL; + + } + +} + + /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ @@ -2153,30 +2183,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { OKF(cPIN "Persistent mode binary detected."); setenv(PERSIST_ENV_VAR, "1", 1); afl->persistent_mode = 1; - // do not fail if we can not get the fuzzing shared mem - if ((afl->shm_fuzz = calloc(1, sizeof(sharedmem_t)))) { - - // we need to set the dumb mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shdmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { - -#ifdef USEMMAP - setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); -#else - u8 *shm_str; - shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); - setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); - ck_free(shm_str); -#endif - afl->fsrv.support_shdmen_fuzz = 1; - - } else { - - free(afl->shm_fuzz); - afl->shm_fuzz = NULL; - } - - } + afl->shmem_testcase_mode = 1; } else if (getenv("AFL_PERSISTENT")) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 04450363..982825d8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -237,7 +237,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, free(afl->shm_fuzz); afl->shm_fuzz = NULL; afl->fsrv.support_shdmen_fuzz = 0; - afl->fsrv.shdmem_fuzz = NULL; + afl->fsrv.shmem_fuzz = NULL; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 014ed34d..bc75f54e 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -103,7 +103,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "afl_banner : %s\n" "afl_version : " VERSION "\n" - "target_mode : %s%s%s%s%s%s%s%s\n" + "target_mode : %s%s%s%s%s%s%s%s%s\n" "command_line : %s\n", afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, (u32)getpid(), @@ -128,6 +128,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode || afl->no_forkserver || afl->crash_mode || afl->persistent_mode || diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e024e9a4..1c797424 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -572,6 +572,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); } afl->unicorn_mode = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; } @@ -1178,6 +1179,12 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); + if (afl->shmem_testcase_mode) { + + setup_testcase_shmem(afl); + + } + afl->start_time = get_cur_time(); if (afl->fsrv.qemu_mode) { diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index f44af758..308f68fa 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -212110c +37067ac diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl -Subproject 212110cece6355222330906c5392a4255535cf0 +Subproject 37067ac1288febfe7157e6bc996d7771454f962 |