authorvan Hauser <vh@thc.org>2024-08-19 16:51:42 +0200
committerGitHub <noreply@github.com>2024-08-19 16:51:42 +0200
commitf27cbdb79349d6f4f6e859a356758b634be72652 (patch)
tree8e1dbb1b8454c470aa5e0093f6d89c5cc86e9200
parentdb23931e7c1727ddac8691a6241c97b2203ec6fc (diff)
parent1689a8e053c1f73e16331bfeda28c79e1ed4bbd0 (diff)
downloadafl++-f27cbdb79349d6f4f6e859a356758b634be72652.tar.gz
Merge pull request #2190 from AFLplusplus/dev
push to stable
-rwxr-xr-x.custom-format.py2
-rw-r--r--.gitignore2
-rw-r--r--GNUmakefile.llvm31
-rw-r--r--README.md2
-rw-r--r--docs/Changelog.md3
-rw-r--r--docs/INSTALL.md3
-rw-r--r--frida_mode/src/instrument/instrument_coverage.c1
-rw-r--r--include/debug.h12
-rw-r--r--include/t1ha_bits.h23
-rw-r--r--include/types.h2
-rw-r--r--include/xxhash.h14
-rw-r--r--instrumentation/afl-compiler-rt.o.c6
-rw-r--r--qemu_mode/libqasan/dlmalloc.c2
-rw-r--r--src/afl-common.c3
-rw-r--r--src/afl-forkserver.c23
-rw-r--r--src/afl-fuzz-bitmap.c4
-rw-r--r--src/afl-fuzz-one.c2
-rw-r--r--src/afl-fuzz-queue.c16
-rw-r--r--src/afl-fuzz-run.c27
-rw-r--r--src/afl-fuzz-stats.c82
-rw-r--r--src/afl-fuzz.c2
-rwxr-xr-xtest/test-unicorn-mode.sh4
-rw-r--r--unicorn_mode/UNICORNAFL_VERSION2
-rwxr-xr-xunicorn_mode/build_unicorn_support.sh10
m---------unicorn_mode/unicornafl0
-rw-r--r--utils/aflpp_driver/aflpp_qemu_driver_hook.c2
-rw-r--r--utils/libtokencap/libtokencap.so.c6
-rw-r--r--utils/persistent_mode/persistent_demo.c2
-rw-r--r--utils/persistent_mode/persistent_demo_new.c2
-rw-r--r--utils/persistent_mode/test-instr.c2
-rw-r--r--utils/qemu_persistent_hook/read_into_rdi.c2
-rw-r--r--utils/replay_record/persistent_demo_replay.c2
32 files changed, 171 insertions, 125 deletions
diff --git a/.custom-format.py b/.custom-format.py
index c8075ace..e787df28 100755
--- a/.custom-format.py
+++ b/.custom-format.py
@@ -24,7 +24,7 @@ import importlib.metadata
# string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use
-CURRENT_LLVM = os.getenv('LLVM_VERSION', 17)
+CURRENT_LLVM = os.getenv('LLVM_VERSION', 18)
CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "")
diff --git a/.gitignore b/.gitignore
index 9ac577d3..bc06ef2d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,3 +112,5 @@ utils/replay_record/persistent_demo_replay_compat
utils/replay_record/persistent_demo_replay_argparse
utils/plot_ui/afl-plot-ui
vuln_prog
+argv_fuzz_demo
+argv_fuzz_persistent_demo \ No newline at end of file
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 52ff778c..d5dcb09b 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -48,18 +48,25 @@ else
LLVM_CONFIG ?= $(call detect_newest,llvm-config)
endif
-override LLVM_RAW_VER := $(shell $(LLVM_CONFIG) --version 2>/dev/null)
-LLVMVER := $(subst svn,,$(subst git,,$(LLVM_RAW_VER)))
-LLVM_MAJOR := $(firstword $(subst ., ,$(LLVMVER)))
-LLVM_MINOR := $(firstword $(subst ., ,$(subst $(LLVM_MAJOR).,,$(LLVMVER))))
-LLVM_TOO_NEW := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TOO_NEW_DEFAULT) && echo 1 || echo 0)
-LLVM_TOO_OLD := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TOO_OLD_DEFAULT) && echo 1 || echo 0)
-LLVM_NEW_API := $(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0)
-LLVM_NEWER_API := $(shell test $(LLVM_MAJOR) -ge 16 && echo 1 || echo 0)
-LLVM_13_OK := $(shell test $(LLVM_MAJOR) -ge 13 && echo 1 || echo 0)
-LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || echo 0)
-LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
-LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
+ifneq "$(LLVM_CONFIG)" ""
+ override LLVM_RAW_VER := $(shell $(LLVM_CONFIG) --version 2>/dev/null)
+ LLVMVER := $(subst svn,,$(subst git,,$(LLVM_RAW_VER)))
+
+ LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
+ LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
+endif
+
+ifneq "$(LLVMVER)" ""
+ LLVM_MAJOR := $(firstword $(subst ., ,$(LLVMVER)))
+ LLVM_MINOR := $(firstword $(subst ., ,$(subst $(LLVM_MAJOR).,,$(LLVMVER))))
+ LLVM_TOO_NEW := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TOO_NEW_DEFAULT) && echo 1 || echo 0)
+ LLVM_TOO_OLD := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TOO_OLD_DEFAULT) && echo 1 || echo 0)
+ LLVM_NEW_API := $(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0)
+ LLVM_NEWER_API := $(shell test $(LLVM_MAJOR) -ge 16 && echo 1 || echo 0)
+ LLVM_13_OK := $(shell test $(LLVM_MAJOR) -ge 13 && echo 1 || echo 0)
+ LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || echo 0)
+endif
+
LLVM_STDCXX := gnu++11
LLVM_LTO := 0
LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' && echo 1 || echo 0)
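Review bot: When `llvm-config` is missing or prints no version, the `ifneq "$(LLVMVER)" ""` block is skipped and `LLVM_TOO_NEW`, `LLVM_TOO_OLD`, `LLVM_NEW_API`, `LLVM_NEWER_API`, `LLVM_13_OK` and `LLVM_HAVE_LTO` stay undefined, whereas the removed lines always yielded `0` or `1`. Any later test that compares one of them against `"0"` would then take a different branch than before; those tests are outside this hunk and need checking. Explicit defaults ahead of the conditional, e.g. `LLVM_TOO_OLD := 0` and `LLVM_HAVE_LTO := 0`, would keep the old values in the no-LLVM case. A comment such as `# skip version probing when no llvm-config was found` above the first `ifneq` would explain the guard.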
diff --git a/README.md b/README.md
index 015b6829..94f02b75 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# American Fuzzy Lop plus plus (AFL++)
-<img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250">
+<img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" height="250">
Release version: [4.21c](https://github.com/AFLplusplus/AFLplusplus/releases)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 3f9f0161..f7c53b08 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -23,12 +23,15 @@
- qemu_mode:
- new hooks supported (optional), see qemu_mode/hooking_bridge - thanks to
@CowBoy4mH3LL
+ - unicorn_mode:
+ - fix install and forkserver (thanks aarnav!)
- custom mutators:
- custom_send_tcp custom mutator added, thanks to @dergoegge
- afl-cc
- new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla
AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with
AFL_LLVM_INSTRUMENT=CLASSIC
+ - code formatting updated to llvm 18
### Version ++4.21c (release)
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 3089aab2..cea1ae6b 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -30,6 +30,9 @@ sudo apt-get install -y build-essential python3-dev automake cmake git flex biso
sudo apt-get install -y lld-14 llvm-14 llvm-14-dev clang-14 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
sudo apt-get install -y ninja-build # for QEMU mode
+sudo apt-get install -y cpio libcapstone-dev # for Nyx mode
+sudo apt-get install -y wget curl # for Frida mode
+sudo apt-get install python3-pip # for Unicorn mode
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c
index a546dc24..140072dd 100644
--- a/frida_mode/src/instrument/instrument_coverage.c
+++ b/frida_mode/src/instrument/instrument_coverage.c
@@ -878,7 +878,6 @@ void instrument_coverage_unstable_find_output(void) {
g_dir_close(dir);
g_free(instance_name);
- g_free(path_tmp);
g_free(fds_name);
if (unstable_coverage_fuzzer_stats == NULL) {
diff --git a/include/debug.h b/include/debug.h
index 5496135c..e7cbdb5c 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -314,8 +314,8 @@ static inline const char *colorfilter(const char *x) {
#define FATAL(x...) \
do { \
\
- SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
- "\n[-] PROGRAM ABORT : " cRST x); \
+ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
+ "\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, (u32)__LINE__); \
exit(1); \
@@ -327,8 +327,8 @@ static inline const char *colorfilter(const char *x) {
#define ABORT(x...) \
do { \
\
- SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
- "\n[-] PROGRAM ABORT : " cRST x); \
+ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
+ "\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, (u32)__LINE__); \
abort(); \
@@ -341,8 +341,8 @@ static inline const char *colorfilter(const char *x) {
do { \
\
fflush(stdout); \
- SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
- "\n[-] SYSTEM ERROR : " cRST x); \
+ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
+ "\n[-] SYSTEM ERROR : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \
__FILE__, (u32)__LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
diff --git a/include/t1ha_bits.h b/include/t1ha_bits.h
index 0b9bbda5..9ddc8589 100644
--- a/include/t1ha_bits.h
+++ b/include/t1ha_bits.h
@@ -455,9 +455,10 @@ typedef struct {
} __attribute__((__packed__)) t1ha_unaligned_proxy;
- #define read_unaligned(ptr, bits) \
- (((const t1ha_unaligned_proxy *)((const uint8_t *)(ptr)-offsetof( \
- t1ha_unaligned_proxy, unaligned_##bits))) \
+ #define read_unaligned(ptr, bits) \
+ (((const t1ha_unaligned_proxy *)((const uint8_t *)(ptr) - \
+ offsetof(t1ha_unaligned_proxy, \
+ unaligned_##bits))) \
->unaligned_##bits)
#elif defined(_MSC_VER)
#pragma warning( \
@@ -477,9 +478,10 @@ typedef struct {
} t1ha_unaligned_proxy;
#pragma pack(pop)
- #define read_unaligned(ptr, bits) \
- (((const t1ha_unaligned_proxy *)((const uint8_t *)(ptr)-offsetof( \
- t1ha_unaligned_proxy, unaligned_##bits))) \
+ #define read_unaligned(ptr, bits) \
+ (((const t1ha_unaligned_proxy *)((const uint8_t *)(ptr) - \
+ offsetof(t1ha_unaligned_proxy, \
+ unaligned_##bits))) \
->unaligned_##bits)
#endif
#endif /* read_unaligned */
@@ -496,21 +498,24 @@ typedef struct {
#elif __has_attribute(__assume_aligned__)
static __always_inline const uint16_t *__attribute__((
- __assume_aligned__(ALIGNMENT_16))) cast_aligned_16(const void *ptr) {
+ __assume_aligned__(ALIGNMENT_16)))
+cast_aligned_16(const void *ptr) {
return (const uint16_t *)ptr;
}
static __always_inline const uint32_t *__attribute__((
- __assume_aligned__(ALIGNMENT_32))) cast_aligned_32(const void *ptr) {
+ __assume_aligned__(ALIGNMENT_32)))
+cast_aligned_32(const void *ptr) {
return (const uint32_t *)ptr;
}
static __always_inline const uint64_t *__attribute__((
- __assume_aligned__(ALIGNMENT_64))) cast_aligned_64(const void *ptr) {
+ __assume_aligned__(ALIGNMENT_64)))
+cast_aligned_64(const void *ptr) {
return (const uint64_t *)ptr;
diff --git a/include/types.h b/include/types.h
index cfb2f3d5..d370bcfb 100644
--- a/include/types.h
+++ b/include/types.h
@@ -155,7 +155,7 @@ typedef int128_t s128;
({ \
\
char *d = (char *)(_x), *s = (char *)(_y); \
- u32 i, l = (_l)-1; \
+ u32 i, l = (_l) - 1; \
for (i = 0; i <= l; i++) \
d[l - i] = s[i]; \
\
diff --git a/include/xxhash.h b/include/xxhash.h
index 991a8f1e..72044177 100644
--- a/include/xxhash.h
+++ b/include/xxhash.h
@@ -6616,12 +6616,14 @@ static XXH64_hash_t XXH3_mergeAccs(const xxh_u64 *XXH_RESTRICT acc,
}
- #define XXH3_INIT_ACC \
- { \
- \
- XXH_PRIME32_3, XXH_PRIME64_1, XXH_PRIME64_2, XXH_PRIME64_3, \
- XXH_PRIME64_4, XXH_PRIME32_2, XXH_PRIME64_5, XXH_PRIME32_1 \
- \
+ #define XXH3_INIT_ACC \
+ { \
+ \
+ \
+ XXH_PRIME32_3, XXH_PRIME64_1, XXH_PRIME64_2, \
+ XXH_PRIME64_3, XXH_PRIME64_4, XXH_PRIME32_2, \
+ XXH_PRIME64_5, XXH_PRIME32_1 \
+ \
}
XXH_FORCE_INLINE XXH64_hash_t XXH3_hashLong_64b_internal(
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 6e04ae47..0da689b2 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -886,11 +886,11 @@ static void __afl_start_forkserver(void) {
/* Phone home and tell the parent that we're OK. If parent isn't there,
assume we're not running in forkserver mode and just execute program. */
- // return because possible non-forkserver usage
- if (write(FORKSRV_FD + 1, msg, 4) != 4) { return; }
-
if (!__afl_old_forkserver) {
+ // return because possible non-forkserver usage
+ if (write(FORKSRV_FD + 1, msg, 4) != 4) { return; }
+
if (read(FORKSRV_FD, reply, 4) != 4) { _exit(1); }
if (tmp != status2) {
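Review bot: The early `return` for non-forkserver use now guards only the `!__afl_old_forkserver` branch, so when `__afl_old_forkserver` is set nothing in this hunk checks that a parent is listening on `FORKSRV_FD + 1`. The else path is outside the hunk; it should do its own 4-byte handshake write and return on failure in the same way, otherwise a target run outside the fuzzer with the old-forkserver setting may continue into the forkserver logic. The block comment starting "Phone home" also now sits above the `if` rather than the write it describes; moving it inside the branch, next to `// return because possible non-forkserver usage`, keeps the two together.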
diff --git a/qemu_mode/libqasan/dlmalloc.c b/qemu_mode/libqasan/dlmalloc.c
index 1919ae26..d1d4dc08 100644
--- a/qemu_mode/libqasan/dlmalloc.c
+++ b/qemu_mode/libqasan/dlmalloc.c
@@ -2355,7 +2355,7 @@ typedef unsigned int flag_t; /* The type of various bit flag sets */
/* conversion from malloc headers to user pointers, and back */
#define chunk2mem(p) ((void *)((char *)(p) + TWO_SIZE_T_SIZES))
- #define mem2chunk(mem) ((mchunkptr)((char *)(mem)-TWO_SIZE_T_SIZES))
+ #define mem2chunk(mem) ((mchunkptr)((char *)(mem) - TWO_SIZE_T_SIZES))
/* chunk associated with aligned address A */
#define align_as_chunk(A) (mchunkptr)((A) + align_offset(chunk2mem(A)))
diff --git a/src/afl-common.c b/src/afl-common.c
index 04a984cb..892745a7 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -108,7 +108,8 @@ void set_sanitizer_defaults() {
if (!have_san_options) { strcpy(buf, default_options); }
if (have_asan_options) {
- if (NULL != strstr(have_asan_options, "detect_leaks=0")) {
+ if (NULL != strstr(have_asan_options, "detect_leaks=0") ||
+ NULL != strstr(have_asan_options, "detect_leaks=false")) {
strcat(buf, "exitcode=" STRINGIFY(LSAN_ERROR) ":fast_unwind_on_malloc=0:print_suppressions=0:detect_leaks=0:malloc_context_size=0:");
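Review bot: The substring test still misses `detect_leaks=no`, which the sanitizer runtime's boolean flag parser accepts as false alongside `0` and `false`, so that spelling falls through to the other branch (outside this hunk). Adding `|| NULL != strstr(have_asan_options, "detect_leaks=no")` would cover it. Because `strstr` matches anywhere in the string, an earlier `detect_leaks=0` that a later `detect_leaks=1` overrides is also treated as disabled; a comment noting that the check is a heuristic and not a parse of `ASAN_OPTIONS` would be honest about that. `set_sanitizer_defaults` continues outside the hunk, and the size of `buf` that `strcat` appends to is not visible here.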
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 6366f473..c7c493cf 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -307,8 +307,8 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
Returns the time passed to read.
If the wait times out, returns timeout_ms + 1;
Returns 0 if an error occurred (fd closed, signal, ...); */
-static u32 __attribute__((hot))
-read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, volatile u8 *stop_soon_p) {
+static u32 __attribute__((hot)) read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms,
+ volatile u8 *stop_soon_p) {
fd_set readfds;
FD_ZERO(&readfds);
@@ -1338,6 +1338,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
fsrv->map_size = tmp_map_size;
+ } else {
+
+ fsrv->real_map_size = fsrv->map_size = MAP_SIZE;
+
}
if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) {
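Review bot: The new `else` here overwrites `fsrv->map_size` and `fsrv->real_map_size` with `MAP_SIZE` without a comment, while the identical branch added in the later hunk (`@@ -1444`) explains itself. If `fsrv->map_size` was already set to another value before the handshake (not visible in these hunks), that value is silently discarded, and it is worth confirming that the shared coverage map is always at least `MAP_SIZE` bytes on this path so later reads sized by `map_size` stay in bounds. I would add the same explanation here, e.g. `// target reported no map size: fall back to compile-time MAP_SIZE`, and say in it whether overriding a preset size is intended. `afl_fsrv_start` begins and ends outside both hunks.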
@@ -1444,6 +1448,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
+ } else {
+
+ // The binary is most likely instrumented using AFL's tool, and we will
+ // set map_size to MAP_SIZE.
+ fsrv->real_map_size = fsrv->map_size = MAP_SIZE;
+
}
}
@@ -1695,8 +1705,8 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv,
/* Delete the current testcase and write the buf to the testcase file */
-void __attribute__((hot))
-afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
+void __attribute__((hot)) afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv,
+ u8 *buf, size_t len) {
#ifdef __linux__
if (unlikely(fsrv->nyx_mode)) {
@@ -1814,9 +1824,8 @@ afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
/* Execute target application, monitoring for timeouts. Return status
information. The called program will update afl->fsrv->trace_bits. */
-fsrv_run_result_t __attribute__((hot))
-afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
- volatile u8 *stop_soon_p) {
+fsrv_run_result_t __attribute__((hot)) afl_fsrv_run_target(
+ afl_forkserver_t *fsrv, u32 timeout, volatile u8 *stop_soon_p) {
s32 res;
u32 exec_ms;
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 97ccd3d3..fd75a822 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -456,8 +456,8 @@ void write_crash_readme(afl_state_t *afl) {
save or queue the input test case for further analysis if so. Returns 1 if
entry is saved, 0 otherwise. */
-u8 __attribute__((hot))
-save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
+u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
+ u32 len, u8 fault) {
if (unlikely(len == 0)) { return 0; }
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 74bb8cbc..fd5ed87c 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -3914,7 +3914,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2)
#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1))
#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l))
-#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l)-1) - EFF_APOS(_p) + 1)
+#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1)
/* Initialize effector map for the next step (see comments below). Always
flag first and last byte as doing something. */
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 999929a1..599d31f6 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -476,6 +476,17 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
q->fs_redundant = state;
+ if (likely(q->fs_redundant)) {
+
+ if (unlikely(q->trace_mini)) {
+
+ ck_free(q->trace_mini);
+ q->trace_mini = NULL;
+
+ }
+
+ }
+
sprintf(fn, "%s/queue/.state/redundant_edges/%s", afl->out_dir,
strrchr((char *)q->fname, '/') + 1);
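Review bot: `mark_as_redundant` now frees `q->trace_mini` while `afl->top_rated[]` slots may still point at `q` and `q->tc_ref` is left untouched, so every reader of `top_rated[i]->trace_mini` has to tolerate NULL. The `cull_queue` hunk below (`@@ -962`) adds that guard for one reader; other users of `trace_mini` are outside this diff and should be checked the same way. A comment at the free would record the invariant, e.g. `/* top_rated[] may still reference q; readers must check trace_mini for NULL */`. The function body continues outside the hunk.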
@@ -901,7 +912,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
if (!--afl->top_rated[i]->tc_ref) {
ck_free(afl->top_rated[i]->trace_mini);
- afl->top_rated[i]->trace_mini = 0;
+ afl->top_rated[i]->trace_mini = NULL;
}
@@ -962,7 +973,8 @@ void cull_queue(afl_state_t *afl) {
for (i = 0; i < afl->fsrv.map_size; ++i) {
- if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {
+ if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7))) &&
+ afl->top_rated[i]->trace_mini) {
u32 j = len;
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 2f244a1d..4ce17eb2 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -41,8 +41,9 @@ u64 time_spent_working = 0;
/* Execute target application, monitoring for timeouts. Return status
information. The called program will update afl->fsrv->trace_bits. */
-fsrv_run_result_t __attribute__((hot))
-fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
+fsrv_run_result_t __attribute__((hot)) fuzz_run_target(afl_state_t *afl,
+ afl_forkserver_t *fsrv,
+ u32 timeout) {
#ifdef PROFILING
static u64 time_spent_start = 0;
@@ -111,8 +112,8 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is
rewound and truncated. */
-u32 __attribute__((hot))
-write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
+u32 __attribute__((hot)) write_to_testcase(afl_state_t *afl, void **mem,
+ u32 len, u32 fix) {
u8 sent = 0;
@@ -216,17 +217,17 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
/* everything as planned. use the potentially new data. */
afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size);
- if (likely(!afl->afl_env.afl_post_process_keep_original)) {
+ }
- len = new_size;
+ if (likely(!afl->afl_env.afl_post_process_keep_original)) {
- } else {
+ len = new_size;
- /* restore the original memory which was saved in new_mem */
- *mem = new_mem;
- afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
+ } else {
- }
+ /* restore the original memory which was saved in new_mem */
+ *mem = new_mem;
+ afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
}
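Review bot: Hoisting the `afl_post_process_keep_original` test out of the preceding `else` means `*mem = new_mem` and `afl_swap_bufs(...)` now run on every path that reaches this point, not only after `afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size)`. Whether `new_mem` holds the saved original buffer on the other path, and whether an earlier swap happened there, is decided above the hunk; if not, the restore would hand the caller the wrong buffer or leave `out`/`out_scratch` swapped. `len = new_size` is likewise applied on that path now. A comment stating the precondition, e.g. `/* new_mem == original *mem on all paths when keep_original is set */`, or a guard tied to the condition under which the original was saved, would make this safe to read. `write_to_testcase` starts and ends outside the hunk.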
@@ -1173,8 +1174,8 @@ abort_trimming:
error conditions, returning 1 if it's time to bail out. This is
a helper function for fuzz_one(). */
-u8 __attribute__((hot))
-common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
+u8 __attribute__((hot)) common_fuzz_stuff(afl_state_t *afl, u8 *out_buf,
+ u32 len) {
u8 fault;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index a20c46d0..9f5f59c0 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -963,9 +963,9 @@ void show_stats_normal(afl_state_t *afl) {
/* Lord, forgive me this. */
- SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
+ SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
- " overall results " bSTG bH2 bH2 bRT "\n");
+ " overall results " bSTG bH2 bH2 bRT "\n");
if (afl->non_instrumented_mode) {
@@ -1007,7 +1007,7 @@ void show_stats_normal(afl_state_t *afl) {
u_stringify_time_diff(time_tmp, afl->prev_run_time + cur_ms, afl->start_time);
SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP
- " cycles done : %s%-5s " bSTG bV "\n",
+ " cycles done : %s%-5s " bSTG bV "\n",
time_tmp, tmp, u_stringify_int(IB(0), afl->queue_cycle - 1));
/* We want to warn people about not seeing new paths after a full cycle,
@@ -1047,7 +1047,7 @@ void show_stats_normal(afl_state_t *afl) {
u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time);
SAYF(bV bSTOP "last saved crash : " cRST "%-33s " bSTG bV bSTOP
- "saved crashes : %s%-6s" bSTG bV "\n",
+ "saved crashes : %s%-6s" bSTG bV "\n",
time_tmp, crash_color, tmp);
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_hangs),
@@ -1055,12 +1055,12 @@ void show_stats_normal(afl_state_t *afl) {
u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time);
SAYF(bV bSTOP " last saved hang : " cRST "%-33s " bSTG bV bSTOP
- " saved hangs : " cRST "%-6s" bSTG bV "\n",
+ " saved hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp);
- SAYF(bVR bH bSTOP cCYA
+ SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bH2 bHB bH bSTOP cCYA
- " map coverage" bSTG bHT bH20 bH2 bVL "\n");
+ " map coverage" bSTG bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to
@@ -1091,9 +1091,9 @@ void show_stats_normal(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-19s" bSTG bV "\n", tmp);
- SAYF(bVR bH bSTOP cCYA
+ SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bH2 bX bH bSTOP cCYA
- " findings in depth " bSTG bH10 bH5 bH2 bVL "\n");
+ " findings in depth " bSTG bH10 bH5 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_items);
@@ -1101,7 +1101,7 @@ void show_stats_normal(afl_state_t *afl) {
/* Yeah... it's still going on... halp? */
SAYF(bV bSTOP " now trying : " cRST "%-22s " bSTG bV bSTOP
- " favored items : " cRST "%-20s" bSTG bV "\n",
+ " favored items : " cRST "%-20s" bSTG bV "\n",
afl->stage_name, tmp);
if (!afl->stage_max) {
@@ -1130,13 +1130,13 @@ void show_stats_normal(afl_state_t *afl) {
if (afl->crash_mode) {
SAYF(bV bSTOP " total execs : " cRST "%-22s " bSTG bV bSTOP
- " new crashes : %s%-20s" bSTG bV "\n",
+ " new crashes : %s%-20s" bSTG bV "\n",
u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp);
} else {
SAYF(bV bSTOP " total execs : " cRST "%-22s " bSTG bV bSTOP
- " total crashes : %s%-20s" bSTG bV "\n",
+ " total crashes : %s%-20s" bSTG bV "\n",
u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp);
}
@@ -1189,7 +1189,7 @@ void show_stats_normal(afl_state_t *afl) {
}
SAYF(bV bSTOP " bit flips : " cRST "%-36s " bSTG bV bSTOP
- " levels : " cRST "%-10s" bSTG bV "\n",
+ " levels : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->max_depth));
if (unlikely(!afl->skip_deterministic)) {
@@ -1205,7 +1205,7 @@ void show_stats_normal(afl_state_t *afl) {
}
SAYF(bV bSTOP " byte flips : " cRST "%-36s " bSTG bV bSTOP
- " pending : " cRST "%-10s" bSTG bV "\n",
+ " pending : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->pending_not_fuzzed));
if (unlikely(!afl->skip_deterministic)) {
@@ -1221,7 +1221,7 @@ void show_stats_normal(afl_state_t *afl) {
}
SAYF(bV bSTOP " arithmetics : " cRST "%-36s " bSTG bV bSTOP
- " pend fav : " cRST "%-10s" bSTG bV "\n",
+ " pend fav : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->pending_favored));
if (unlikely(!afl->skip_deterministic)) {
@@ -1237,7 +1237,7 @@ void show_stats_normal(afl_state_t *afl) {
}
SAYF(bV bSTOP " known ints : " cRST "%-36s " bSTG bV bSTOP
- " own finds : " cRST "%-10s" bSTG bV "\n",
+ " own finds : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->queued_discovered));
if (unlikely(!afl->skip_deterministic)) {
@@ -1263,7 +1263,7 @@ void show_stats_normal(afl_state_t *afl) {
}
SAYF(bV bSTOP " dictionary : " cRST "%-36s " bSTG bV bSTOP
- " imported : " cRST "%-10s" bSTG bV "\n",
+ " imported : " cRST "%-10s" bSTG bV "\n",
tmp,
afl->sync_id ? u_stringify_int(IB(0), afl->queued_imported)
: (u8 *)"n/a");
@@ -1451,8 +1451,8 @@ void show_stats_normal(afl_state_t *afl) {
/* Last line */
- SAYF(SET_G1 "\n" bSTG bLB bH cCYA bSTOP " strategy:" cPIN
- " %s " bSTG bH10 cCYA bSTOP " state:" cPIN
+ SAYF(SET_G1 "\n" bSTG bLB bH cCYA bSTOP " strategy:" cPIN
+ " %s " bSTG bH10 cCYA bSTOP " state:" cPIN
" %s " bSTG bH2 bRB bSTOP cRST RESET_G1,
afl->fuzz_mode == 0 ? "explore" : "exploit", get_fuzzing_state(afl));
@@ -1821,8 +1821,8 @@ void show_stats_pizza(afl_state_t *afl) {
}
u_stringify_time_diff(time_tmp, afl->prev_run_time + cur_ms, afl->start_time);
- SAYF(bV bSTOP
- " open time : " cRST "%-37s " bSTG bV bSTOP
+ SAYF(bV bSTOP
+ " open time : " cRST "%-37s " bSTG bV bSTOP
" seasons done : %s%-5s " bSTG bV "\n",
time_tmp, tmp, u_stringify_int(IB(0), afl->queue_cycle - 1));
@@ -1865,7 +1865,7 @@ void show_stats_pizza(afl_state_t *afl) {
(afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time);
- SAYF(bV bSTOP
+ SAYF(bV bSTOP
" last ordered pizza : " cRST "%-33s " bSTG bV bSTOP
" at table : %s%-6s " bSTG bV "\n",
time_tmp, crash_color, tmp);
@@ -1874,15 +1874,15 @@ void show_stats_pizza(afl_state_t *afl) {
(afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time);
- SAYF(bV bSTOP
+ SAYF(bV bSTOP
" last conversation with customers : " cRST "%-33s " bSTG bV bSTOP
" number of Peroni : " cRST "%-6s " bSTG bV
"\n",
time_tmp, tmp);
- SAYF(bVR bH bSTOP cCYA
+ SAYF(bVR bH bSTOP cCYA
" Baking progress " bSTG bH30 bH20 bH5 bH bX bH bSTOP cCYA
- " Pizzeria busyness" bSTG bH30 bH5 bH bH bVL "\n");
+ " Pizzeria busyness" bSTG bH30 bH5 bH bH bVL "\n");
/* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to
@@ -1918,8 +1918,8 @@ void show_stats_pizza(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-19s " bSTG bV "\n",
tmp);
- SAYF(bVR bH bSTOP cCYA
- " Pizzas almost ready " bSTG bH30 bH20 bH2 bH bX bH bSTOP cCYA
+ SAYF(bVR bH bSTOP cCYA
+ " Pizzas almost ready " bSTG bH30 bH20 bH2 bH bX bH bSTOP cCYA
" Types of pizzas cooking " bSTG bH10 bH5 bH2 bH10 bH2 bH bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
@@ -1928,7 +1928,7 @@ void show_stats_pizza(afl_state_t *afl) {
/* Yeah... it's still going on... halp? */
SAYF(bV bSTOP " now preparing : " cRST
- "%-22s " bSTG bV bSTOP
+ "%-22s " bSTG bV bSTOP
" favourite topping : " cRST "%-20s" bSTG bV
"\n",
afl->stage_name, tmp);
@@ -1961,14 +1961,14 @@ void show_stats_pizza(afl_state_t *afl) {
if (afl->crash_mode) {
SAYF(bV bSTOP " total pizzas : " cRST
- "%-22s " bSTG bV bSTOP
+ "%-22s " bSTG bV bSTOP
" pizzas with pineapple : %s%-20s" bSTG bV "\n",
u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp);
} else {
SAYF(bV bSTOP " total pizzas : " cRST
- "%-22s " bSTG bV bSTOP
+ "%-22s " bSTG bV bSTOP
" total pizzas with pineapple : %s%-20s" bSTG bV "\n",
u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp);
@@ -2005,7 +2005,7 @@ void show_stats_pizza(afl_state_t *afl) {
/* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP " Promotional campaign on TikTok yields " bSTG bH30 bH2
- bH bH2 bX bH bSTOP cCYA
+ bH bH2 bX bH bSTOP cCYA
" Customer type " bSTG bH5 bH2 bH30 bH2 bH bVL "\n");
if (unlikely(afl->custom_only)) {
@@ -2028,8 +2028,8 @@ void show_stats_pizza(afl_state_t *afl) {
}
- SAYF(bV bSTOP
- " pizzas for celiac : " cRST "%-36s " bSTG bV bSTOP
+ SAYF(bV bSTOP
+ " pizzas for celiac : " cRST "%-36s " bSTG bV bSTOP
" levels : " cRST "%-10s " bSTG bV
"\n",
tmp, u_stringify_int(IB(0), afl->max_depth));
@@ -2046,8 +2046,8 @@ void show_stats_pizza(afl_state_t *afl) {
}
- SAYF(bV bSTOP
- " pizzas for kids : " cRST "%-36s " bSTG bV bSTOP
+ SAYF(bV bSTOP
+ " pizzas for kids : " cRST "%-36s " bSTG bV bSTOP
" pizzas to make : " cRST "%-10s " bSTG bV
"\n",
tmp, u_stringify_int(IB(0), afl->pending_not_fuzzed));
@@ -2064,8 +2064,8 @@ void show_stats_pizza(afl_state_t *afl) {
}
- SAYF(bV bSTOP
- " pizza bianca : " cRST "%-36s " bSTG bV bSTOP
+ SAYF(bV bSTOP
+ " pizza bianca : " cRST "%-36s " bSTG bV bSTOP
" nice table : " cRST "%-10s " bSTG bV
"\n",
tmp, u_stringify_int(IB(0), afl->pending_favored));
@@ -2082,8 +2082,8 @@ void show_stats_pizza(afl_state_t *afl) {
}
- SAYF(bV bSTOP
- " recurring customers : " cRST "%-36s " bSTG bV bSTOP
+ SAYF(bV bSTOP
+ " recurring customers : " cRST "%-36s " bSTG bV bSTOP
" new customers : " cRST "%-10s " bSTG bV
"\n",
tmp, u_stringify_int(IB(0), afl->queued_discovered));
@@ -2110,8 +2110,8 @@ void show_stats_pizza(afl_state_t *afl) {
}
- SAYF(bV bSTOP
- " dictionary : " cRST "%-36s " bSTG bV bSTOP
+ SAYF(bV bSTOP
+ " dictionary : " cRST "%-36s " bSTG bV bSTOP
" patrons from old resturant : " cRST "%-10s " bSTG bV
"\n",
tmp,
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 9867eba3..726a2260 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -3344,6 +3344,8 @@ stop_fuzzing:
#else
if ((fr_fd = open(fr, O_WRONLY | O_TRUNC | O_CREAT, DEFAULT_PERMISSION)) >=
+ 0) {
+
#endif
u8 ver_string[8];
diff --git a/test/test-unicorn-mode.sh b/test/test-unicorn-mode.sh
index 338c5982..9a290bb5 100755
--- a/test/test-unicorn-mode.sh
+++ b/test/test-unicorn-mode.sh
@@ -34,8 +34,8 @@ test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/Makefile &&
cd ../unicorn_mode/samples/persistent
make >>errors 2>&1
$ECHO "$GREY[*] running afl-fuzz for unicorn_mode (persistent), this will take approx 25 seconds"
- AFL_DEBUG_CHILD=1 ../../../afl-fuzz -m none -V15 -U -i sample_inputs -o out -d -- ./harness @@ >>errors 2>&1
- test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
+ AFL_DEBUG_CHILD=1 ../../../afl-fuzz -m none -V15 -U -i sample_inputs -o out -- ./harness @@ >>errors 2>&1
+ test -n "$( ls out/default/queue/id:000006* 2>/dev/null )" && {
$ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode (persistent)"
} || {
echo CUT------------------------------------------------------------------CUT
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index deac0bf9..00a2aba3 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-4b4fdab1
+1c58dc97
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index 097a2dc9..a21d05eb 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -203,22 +203,22 @@ $PYTHONBIN -m pip install --help 2>/dev/null | grep -q break-system-packages &&
cd unicorn/bindings/python || exit 1
if [ -z "$VIRTUAL_ENV" ]; then
echo "[*] Info: Installing python unicornafl using --user"
- THREADS=$CORES $PYTHONBIN -m pip install --user $XOPT --force .|| exit 1
+ THREADS=$CORES $PYTHONBIN setup.py install --user $XOPT --force || exit 1
else
echo "[*] Info: Installing python unicornafl to virtualenv: $VIRTUAL_ENV"
- THREADS=$CORES $PYTHONBIN -m pip install --force .|| exit 1
+ THREADS=$CORES $PYTHONBIN setup.py install --force || exit 1
fi
cd ../../../
echo "[*] Installing Unicornafl python bindings..."
cd bindings/python || exit 1
if [ -z "$VIRTUAL_ENV" ]; then
echo "[*] Info: Installing python unicornafl using --user"
- THREADS=$CORES $PYTHONBIN -m pip install --user $XOPT --force .|| exit 1
+ THREADS=$CORES $PYTHONBIN setup.py install --user $XOPT --force || exit 1
else
echo "[*] Info: Installing python unicornafl to virtualenv: $VIRTUAL_ENV"
- THREADS=$CORES $PYTHONBIN -m pip install --force .|| exit 1
+ THREADS=$CORES $PYTHONBIN setup.py install --force || exit 1
fi
-echo '[*] If needed, you can (re)install the bindings in `./unicornafl/bindings/python` using `pip install --force .`'
+echo '[*] If needed, you can (re)install the bindings in `./unicornafl/bindings/python` using `python setup.py install --force .`'
cd ../../ || exit 1
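Review bot: `$XOPT` is still passed on the two `--user` lines, but the hunk header suggests it comes from probing `pip install --help` for `break-system-packages`, a pip option that `setup.py install` is not expected to accept; where it is set, the install would likely fail at option parsing and hit `|| exit 1`. The final hint also kept the trailing `.` from the pip form and should read `python setup.py install --force`. Direct `setup.py install` is deprecated by setuptools, so a short comment saying why pip was dropped here would help the next maintainer.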
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject 4b4fdab161c15529affcc1e785d779e318b882a
+Subproject 1c58dc9774012bace730df5c1c273356762e848
diff --git a/utils/aflpp_driver/aflpp_qemu_driver_hook.c b/utils/aflpp_driver/aflpp_qemu_driver_hook.c
index 2979fadc..d75de539 100644
--- a/utils/aflpp_driver/aflpp_qemu_driver_hook.c
+++ b/utils/aflpp_driver/aflpp_qemu_driver_hook.c
@@ -4,7 +4,7 @@
#include <string.h>
#define g2h(x) ((void *)((unsigned long)(x) + guest_base))
-#define h2g(x) ((uint64_t)(x)-guest_base)
+#define h2g(x) ((uint64_t)(x) - guest_base)
void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
uint8_t *input_buf, uint32_t input_buf_len) {
diff --git a/utils/libtokencap/libtokencap.so.c b/utils/libtokencap/libtokencap.so.c
index cc499150..8f693c51 100644
--- a/utils/libtokencap/libtokencap.so.c
+++ b/utils/libtokencap/libtokencap.so.c
@@ -167,7 +167,7 @@ static void __tokencap_load_mappings(void) {
#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
- #if defined __FreeBSD__
+ #if defined __FreeBSD__
int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid};
#elif defined __OpenBSD__
int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid};
@@ -183,7 +183,7 @@ static void __tokencap_load_mappings(void) {
#if defined __FreeBSD__ || defined __NetBSD__
len = len * 4 / 3;
- #elif defined __OpenBSD__
+ #elif defined __OpenBSD__
len -= len % sizeof(struct kinfo_vmentry);
#endif
@@ -208,7 +208,7 @@ static void __tokencap_load_mappings(void) {
#if defined __FreeBSD__ || defined __NetBSD__
- #if defined __FreeBSD__
+ #if defined __FreeBSD__
size_t size = region->kve_structsize;
if (size == 0) break;
diff --git a/utils/persistent_mode/persistent_demo.c b/utils/persistent_mode/persistent_demo.c
index f5e43728..00d59ef4 100644
--- a/utils/persistent_mode/persistent_demo.c
+++ b/utils/persistent_mode/persistent_demo.c
@@ -34,7 +34,7 @@
/* To ensure checks are not optimized out it is recommended to disable
code optimization for the fuzzer harness main() */
#pragma clang optimize off
-#pragma GCC optimize("O0")
+#pragma GCC optimize("O0")
int main(int argc, char **argv) {
diff --git a/utils/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c
index 285f50aa..36a0043a 100644
--- a/utils/persistent_mode/persistent_demo_new.c
+++ b/utils/persistent_mode/persistent_demo_new.c
@@ -51,7 +51,7 @@ __AFL_FUZZ_INIT();
/* To ensure checks are not optimized out it is recommended to disable
code optimization for the fuzzer harness main() */
#pragma clang optimize off
-#pragma GCC optimize("O0")
+#pragma GCC optimize("O0")
int main(int argc, char **argv) {
diff --git a/utils/persistent_mode/test-instr.c b/utils/persistent_mode/test-instr.c
index 72e26e93..7c83f629 100644
--- a/utils/persistent_mode/test-instr.c
+++ b/utils/persistent_mode/test-instr.c
@@ -24,7 +24,7 @@ __AFL_FUZZ_INIT();
/* To ensure checks are not optimized out it is recommended to disable
code optimization for the fuzzer harness main() */
#pragma clang optimize off
-#pragma GCC optimize("O0")
+#pragma GCC optimize("O0")
int main(int argc, char **argv) {
diff --git a/utils/qemu_persistent_hook/read_into_rdi.c b/utils/qemu_persistent_hook/read_into_rdi.c
index 14b2ed85..3e913870 100644
--- a/utils/qemu_persistent_hook/read_into_rdi.c
+++ b/utils/qemu_persistent_hook/read_into_rdi.c
@@ -4,7 +4,7 @@
#include <string.h>
#define g2h(x) ((void *)((unsigned long)(x) + guest_base))
-#define h2g(x) ((uint64_t)(x)-guest_base)
+#define h2g(x) ((uint64_t)(x) - guest_base)
void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
uint8_t *input_buf, uint32_t input_buf_len) {
diff --git a/utils/replay_record/persistent_demo_replay.c b/utils/replay_record/persistent_demo_replay.c
index 6f6648f1..fa6255fd 100644
--- a/utils/replay_record/persistent_demo_replay.c
+++ b/utils/replay_record/persistent_demo_replay.c
@@ -46,7 +46,7 @@ __AFL_FUZZ_INIT();
/* To ensure checks are not optimized out it is recommended to disable
code optimization for the fuzzer harness main() */
#pragma clang optimize off
-#pragma GCC optimize("O0")
+#pragma GCC optimize("O0")
int main(int argc, char **argv) {