authorvan Hauser <vh@thc.org>2022-01-21 08:51:29 +0100
committerGitHub <noreply@github.com>2022-01-21 08:51:29 +0100
commit5933e787f90819b467658b63977b1dc472acad29 (patch)
tree2fec687da836de4c4604ddefa6bda579a256c3c6 /nyx_mode/custom_harness/example.c
parenta9d549ca073ca3fc37b63c1fa454c575bba174b9 (diff)
parent6ce736aa913363647760d088ef0cb3610a765ff4 (diff)
downloadafl++-5933e787f90819b467658b63977b1dc472acad29.tar.gz
Merge pull request #1300 from schumilo/dev
add Nyx LTO support (and some other improvements)
Diffstat (limited to 'nyx_mode/custom_harness/example.c')
-rw-r--r--nyx_mode/custom_harness/example.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/nyx_mode/custom_harness/example.c b/nyx_mode/custom_harness/example.c
index 0b12e60b..7cfecc24 100644
--- a/nyx_mode/custom_harness/example.c
+++ b/nyx_mode/custom_harness/example.c
@@ -4,8 +4,7 @@
 #include <inttypes.h>
 #include "nyx.h"
 
-/* this is our "bitmap" that is later shared with the fuzzer (you can also pass the pointer of the bitmap used by compile-time instrumentations in your target) */ 
-uint8_t* trace_buffer[64*1024] = {0};
+#define TRACE_BUFFER_SIZE (1024*64)
 
 int main(int argc, char** argv){
 	/* if you want to debug code running in Nyx, hprintf() is the way to go. 
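Review bot: The new `TRACE_BUFFER_SIZE` macro that replaces the old global is left without any comment, while the explanatory comment about the shared "bitmap" travels with the allocation further down; a reader of this hunk cannot tell what the constant sizes or what it must agree with. I would document it at the definition, e.g. `/* Size in bytes of the coverage "bitmap" the agent shares with the fuzzer; the same value must be used for the mmap()/memset() of the buffer and reported to the host in agent_config.coverage_bitmap_size. */`. Since the value is a bare `int` expression used as a byte count for `mmap()`/`memset()`, `((size_t)64 * 1024)` would also make the intended type explicit and avoid an implicit signed-to-`size_t` conversion at the call sites. The macro's uses are in the following hunk, and `main`, which opens at the end of this hunk, continues past it.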
@@ -20,21 +19,27 @@ int main(int argc, char** argv){
     hprintf("[capablities] host_config.ijon_bitmap_size: 0x%"PRIx64"\n", host_config.ijon_bitmap_size);
     hprintf("[capablities] host_config.payload_buffer_size: 0x%"PRIx64"x\n", host_config.payload_buffer_size);
 	
+	/* this is our "bitmap" that is later shared with the fuzzer (you can also pass the pointer of the bitmap used by compile-time instrumentations in your target) */ 
+	uint8_t* trace_buffer =  mmap(NULL, TRACE_BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	memset(trace_buffer, 0, TRACE_BUFFER_SIZE); // makes sure that the bitmap buffer is already mapped into the guest's memory (alternatively you can use mlock) */
+
 	/* Submit agent configuration */
-	memset(trace_buffer, 0, 64*1024); // makes sure that the bitmap buffer is already mapped into the guest's memory (alternatively you can use mlock) */
 	agent_config_t agent_config = {0};
+	agent_config.agent_magic = NYX_AGENT_MAGIC;
+    agent_config.agent_version = NYX_AGENT_VERSION;
 	agent_config.agent_timeout_detection = 0; 								/* timeout detection is implemented by the agent (currently not used) */
 	agent_config.agent_tracing = 1;											/* set this flag to propagade that instrumentation-based fuzzing is availabe */
 	agent_config.agent_ijon_tracing = 0; 									/* set this flag to propagade that IJON extension is implmented agent-wise */
 	agent_config.trace_buffer_vaddr = (uintptr_t)trace_buffer;				/* trace "bitmap" pointer - required for instrumentation-only fuzzing */
 	agent_config.ijon_trace_buffer_vaddr = (uintptr_t)NULL;					/* "IJON" buffer pointer */
     agent_config.agent_non_reload_mode = 1;									/* non-reload mode is supported (usually because the agent implements a fork-server; currently not used) */
+	agent_config.coverage_bitmap_size = TRACE_BUFFER_SIZE;
     kAFL_hypercall(HYPERCALL_KAFL_SET_AGENT_CONFIG, (uintptr_t)&agent_config);
 
 	/* Tell hypervisor the virtual address of the payload (input) buffer (call mlock to ensure that this buffer stays in the guest's memory)*/
-	kAFL_payload* payload_buffer = mmap((void*)0x4000000ULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
-	mlock(payload_buffer, (size_t)PAYLOAD_SIZE);
-	memset(payload_buffer, 0, PAYLOAD_SIZE);
+	kAFL_payload* payload_buffer = mmap(NULL, host_config.payload_buffer_size, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	mlock(payload_buffer, (size_t)host_config.payload_buffer_size);
+	memset(payload_buffer, 0, host_config.payload_buffer_size);
 	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uintptr_t)payload_buffer);
 	hprintf("[init] payload buffer is mapped at %p\n", payload_buffer);