authorvan Hauser <vh@thc.org>2021-03-19 23:54:36 +0100
committerGitHub <noreply@github.com>2021-03-19 23:54:36 +0100
commit090128b3f8b8bc80cf47ae1481b01c0509dc6357 (patch)
tree03c3314427f02533a8db3e06587ce3afe74a5f23 /src
parentd7e121e2c99c02d4b6984f21ba837d44bce9c77c (diff)
parent749b03d812b76746b4a673f34a13fb0b067fd61d (diff)
Merge branch 'dev' into dev
Diffstat (limited to 'src')
-rw-r--r--src/afl-cc.c93
-rw-r--r--src/afl-common.c230
-rw-r--r--src/afl-fuzz-init.c39
-rw-r--r--src/afl-fuzz-stats.c2
-rw-r--r--src/afl-fuzz.c32
5 files changed, 180 insertions, 216 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 18401d0d..5251465b 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -682,17 +682,42 @@ static void edit_params(u32 argc, char **argv, char **envp) {
/* Detect stray -v calls from ./configure scripts. */
+ u8 skip_next = 0;
while (--argc) {
u8 *cur = *(++argv);
+ if (skip_next) {
+
+ skip_next = 0;
+ continue;
+
+ }
+
if (!strncmp(cur, "--afl", 5)) continue;
if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;
if (!strncmp(cur, "-fno-unroll", 11)) continue;
if (strstr(cur, "afl-compiler-rt") || strstr(cur, "afl-llvm-rt")) continue;
- if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined"))
+ if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined") ||
+ !strcmp(cur, "--no-undefined")) {
+
continue;
+
+ }
+
+ if (!strcmp(cur, "-z")) {
+
+ u8 *param = *(argv + 1);
+ if (!strcmp(param, "defs")) {
+
+ skip_next = 1;
+ continue;
+
+ }
+
+ }
+
if (!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) ||
!strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) {
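Review bot: `u8 *param = *(argv + 1);` followed by `strcmp(param, "defs")` dereferences a null pointer when `-z` is the last argument: at that point `argc` is 1 and `argv + 1` points at the NULL that terminates the vector (assuming `argv` is main's vector, as the `while (--argc)` walk suggests). Guard the lookahead on the remaining count, `if (argc > 1 && !strcmp(*(argv + 1), "defs")) {`, so a stray trailing `-z` is passed through instead of crashing afl-cc. The enclosing edit_params starts before and continues after this hunk.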
@@ -959,65 +984,73 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (compiler_mode != GCC && compiler_mode != CLANG) {
- if (!shared_linking) {
+ switch (bit_mode) {
- switch (bit_mode) {
-
- case 0:
+ case 0:
+ if (!shared_linking)
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt.o", obj_path);
- if (lto_mode)
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-llvm-rt-lto.o", obj_path);
- break;
+ if (lto_mode)
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/afl-llvm-rt-lto.o", obj_path);
+ break;
+
+ case 32:
+ if (!shared_linking) {
- case 32:
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m32 is not supported by your compiler");
- if (lto_mode) {
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path);
- if (access(cc_params[cc_par_cnt - 1], R_OK))
- FATAL("-m32 is not supported by your compiler");
+ }
- }
+ if (lto_mode) {
- break;
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path);
+ if (access(cc_params[cc_par_cnt - 1], R_OK))
+ FATAL("-m32 is not supported by your compiler");
+
+ }
+
+ break;
+
+ case 64:
+ if (!shared_linking) {
- case 64:
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m64 is not supported by your compiler");
- if (lto_mode) {
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path);
- if (access(cc_params[cc_par_cnt - 1], R_OK))
- FATAL("-m64 is not supported by your compiler");
+ }
- }
+ if (lto_mode) {
- break;
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path);
+ if (access(cc_params[cc_par_cnt - 1], R_OK))
+ FATAL("-m64 is not supported by your compiler");
- }
+ }
+
+ break;
+
+ }
#if !defined(__APPLE__) && !defined(__sun)
+ if (!shared_linking)
cc_params[cc_par_cnt++] =
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif
- }
+ }
#if defined(USEMMAP) && !defined(__HAIKU__)
- cc_params[cc_par_cnt++] = "-lrt";
+ cc_params[cc_par_cnt++] = "-lrt";
#endif
- }
-
#endif
cc_params[cc_par_cnt] = NULL;
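Review bot: The `-lrt` line has moved out of the `if (compiler_mode != GCC && compiler_mode != CLANG)` block: in the new side the `+ }` after the dynamic-list `#endif` closes that `if`, and the `#if defined(USEMMAP)` block now follows it, whereas the removed code closed the `if` only after the `-lrt` `#endif`. If GCC/CLANG mode is not meant to link librt this is a regression introduced by the re-bracing; if it is intentional, say so with a comment such as `/* -lrt is needed by the shmem runtime regardless of compiler mode */`. Separately, under `case 0:` the `if (!shared_linking)` and `if (lto_mode)` guards wrap two-line statements without braces while the 32/64 cases brace the same construct; brace them for consistency. edit_params starts and ends outside this hunk, and the final `#endif` closes a conditional that is also outside it.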
diff --git a/src/afl-common.c b/src/afl-common.c
index 72a95fbc..6e485117 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -158,10 +158,6 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
}
- if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
-
- u8 *tmp, *cp = NULL, *rsl, *own_copy;
-
char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
@@ -173,70 +169,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
/* Now we need to actually find the QEMU binary to put in argv[0]. */
- tmp = getenv("AFL_PATH");
-
- if (tmp) {
-
- cp = alloc_printf("%s/afl-qemu-trace", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- own_copy = ck_strdup(own_loc);
- rsl = strrchr(own_copy, '/');
-
- if (rsl) {
-
- *rsl = 0;
-
- cp = alloc_printf("%s/afl-qemu-trace", own_copy);
- ck_free(own_copy);
-
- if (!access(cp, X_OK)) {
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- } else {
-
- ck_free(own_copy);
-
- }
-
- if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
-
- if (cp) { ck_free(cp); }
- *target_path_p = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace");
-
- return new_argv;
-
- }
-
- SAYF("\n" cLRD "[-] " cRST
- "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
- "built\n"
- " separately by following the instructions in "
- "qemu_mode/README.md. "
- "If you\n"
- " already have the binary installed, you may need to specify "
- "AFL_PATH in the\n"
- " environment.\n\n"
-
- " Of course, even without QEMU, afl-fuzz can still work with "
- "binaries that are\n"
- " instrumented at compile time with afl-gcc. It is also possible to "
- "use it as a\n"
- " traditional non-instrumented fuzzer by specifying '-n' in the "
- "command "
- "line.\n");
-
- FATAL("Failed to locate 'afl-qemu-trace'.");
+ *target_path_p = new_argv[0] = find_afl_binary(own_loc, "afl-qemu-trace");
+ return new_argv;
}
@@ -244,10 +178,6 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
- if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
-
- u8 *tmp, *cp = NULL, *rsl, *own_copy;
-
char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
@@ -258,92 +188,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
/* Now we need to actually find the QEMU binary to put in argv[0]. */
- tmp = getenv("AFL_PATH");
-
- if (tmp) {
-
- cp = alloc_printf("%s/afl-qemu-trace", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- ck_free(cp);
-
- cp = alloc_printf("%s/afl-wine-trace", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- own_copy = ck_strdup(own_loc);
- rsl = strrchr(own_copy, '/');
-
- if (rsl) {
-
- *rsl = 0;
-
- cp = alloc_printf("%s/afl-qemu-trace", own_copy);
-
- if (cp && !access(cp, X_OK)) {
-
- ck_free(cp);
-
- cp = alloc_printf("%s/afl-wine-trace", own_copy);
-
- if (!access(cp, X_OK)) {
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- }
-
- ck_free(own_copy);
-
- } else {
-
- ck_free(own_copy);
-
- }
-
- u8 *ncp = BIN_PATH "/afl-qemu-trace";
-
- if (!access(ncp, X_OK)) {
-
- ncp = BIN_PATH "/afl-wine-trace";
-
- if (!access(ncp, X_OK)) {
-
- *target_path_p = new_argv[0] = ck_strdup(ncp);
- return new_argv;
-
- }
-
- }
-
- SAYF("\n" cLRD "[-] " cRST
- "Oops, unable to find the '%s' binary. The binary must be "
- "built\n"
- " separately by following the instructions in "
- "qemu_mode/README.md. "
- "If you\n"
- " already have the binary installed, you may need to specify "
- "AFL_PATH in the\n"
- " environment.\n\n"
-
- " Of course, even without QEMU, afl-fuzz can still work with "
- "binaries that are\n"
- " instrumented at compile time with afl-gcc. It is also possible to "
- "use it as a\n"
- " traditional non-instrumented fuzzer by specifying '-n' in the "
- "command "
- "line.\n",
- ncp);
-
- FATAL("Failed to locate '%s'.", ncp);
+ u8 *tmp = find_afl_binary(own_loc, "afl-qemu-trace");
+ ck_free(tmp);
+ *target_path_p = new_argv[0] = find_afl_binary(own_loc, "afl-wine-trace");
+ return new_argv;
}
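Review bot: `u8 *tmp = find_afl_binary(own_loc, "afl-qemu-trace"); ck_free(tmp);` throws the result away, so a reader cannot tell why the lookup is made at all; presumably it exists only to abort early when afl-qemu-trace is missing, which relies on find_afl_binary never returning NULL (its last step is find_binary, whose failure behaviour is not visible here). State that in place: `/* afl-wine-trace needs afl-qemu-trace beside it; look it up only so a missing binary fails here. */`. If find_binary can return NULL, the lookup silently does nothing and the check belongs in find_afl_binary's caller contract instead.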
@@ -437,6 +285,70 @@ u8 *find_binary(u8 *fname) {
}
+u8 *find_afl_binary(u8 *own_loc, u8 *fname) {
+
+ u8 *afl_path = NULL, *target_path, *own_copy;
+
+ if ((afl_path = getenv("AFL_PATH"))) {
+
+ target_path = alloc_printf("%s/%s", afl_path, fname);
+ if (!access(target_path, X_OK)) {
+
+ return target_path;
+
+ } else {
+
+ ck_free(target_path);
+
+ }
+
+ }
+
+ if (own_loc) {
+
+ own_copy = ck_strdup(own_loc);
+ u8 *rsl = strrchr(own_copy, '/');
+
+ if (rsl) {
+
+ *rsl = 0;
+
+ target_path = alloc_printf("%s/%s", own_copy, fname);
+ ck_free(own_copy);
+
+ if (!access(target_path, X_OK)) {
+
+ return target_path;
+
+ } else {
+
+ ck_free(target_path);
+
+ }
+
+ } else {
+
+ ck_free(own_copy);
+
+ }
+
+ }
+
+ target_path = alloc_printf("%s/%s", BIN_PATH, fname);
+ if (!access(target_path, X_OK)) {
+
+ return target_path;
+
+ } else {
+
+ ck_free(target_path);
+
+ }
+
+ return find_binary(fname);
+
+}
+
/* Parses the kill signal environment variable, FATALs on error.
If the env is not set, sets the env to default_signal for the signal handlers
and returns the default_signal. */
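Review bot: The new find_afl_binary has no header comment, although the neighbouring functions in this file document their contract (see the comment on the kill-signal parser right below it). Add one in the same style, e.g. `/* Locates the AFL helper binary FNAME: first under $AFL_PATH, then in the directory of own_loc (may be NULL), then in BIN_PATH, finally via find_binary(). Returns a ck_alloc'd path the caller must ck_free(). */`. Worth naming in that comment as well: the removed per-caller code FATAL'd when AFL_PATH was set but the binary was not executable there, whereas this function falls through to the next location silently, so a misconfigured AFL_PATH can now pick up a different binary from the install path or PATH without any message. As a point of style, the three `if (!access(...)) { return target_path; } else { ck_free(target_path); }` blocks read more simply as an early return followed by the unconditional `ck_free`, and the `afl_path = NULL` initializer is unused.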
@@ -1168,7 +1080,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) {
/* Reads the map size from ENV */
u32 get_map_size(void) {
- uint32_t map_size = 8000000; // a very large default map
+ uint32_t map_size = DEFAULT_SHMEM_SIZE;
char * ptr;
if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) {
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 82c1799e..91076bf7 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1812,9 +1812,13 @@ static void handle_existing_out_dir(afl_state_t *afl) {
}
- fn = alloc_printf("%s/plot_data", afl->out_dir);
- if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
- ck_free(fn);
+ if (!afl->in_place_resume) {
+
+ fn = alloc_printf("%s/plot_data", afl->out_dir);
+ if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
+ ck_free(fn);
+
+ }
fn = alloc_printf("%s/cmdline", afl->out_dir);
if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
@@ -2008,17 +2012,34 @@ void setup_dirs_fds(afl_state_t *afl) {
/* Gnuplot output file. */
tmp = alloc_printf("%s/plot_data", afl->out_dir);
- int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
- if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
- ck_free(tmp);
- afl->fsrv.plot_file = fdopen(fd, "w");
- if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
+ if(!afl->in_place_resume) {
- fprintf(afl->fsrv.plot_file,
+ int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
+ ck_free(tmp);
+
+ afl->fsrv.plot_file = fdopen(fd, "w");
+ if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
+
+ fprintf(afl->fsrv.plot_file,
"# unix_time, cycles_done, cur_path, paths_total, "
"pending_total, pending_favs, map_size, unique_crashes, "
"unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");
+
+ } else {
+
+ int fd = open(tmp, O_WRONLY | O_CREAT, 0600);
+ if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
+ ck_free(tmp);
+
+ afl->fsrv.plot_file = fdopen(fd, "w");
+ if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
+
+ fseek(afl->fsrv.plot_file, 0, SEEK_END);
+
+ }
+
fflush(afl->fsrv.plot_file);
/* ignore errors */
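Review bot: In the `else` (in-place resume) branch the file is opened with `O_CREAT` but no header is written, so a resume whose plot_data is missing creates an empty file and the first data row lands where the `# unix_time, ...` header should be. Both branches also duplicate the open/fdopen/ck_free sequence, and the `fseek(..., SEEK_END)` stands in for `O_APPEND`, which positions every write at the end by itself. I would merge the two branches, choose the flags on `in_place_resume`, and write the header only when the file is empty; the `struct stat` needs `<sys/stat.h>` if this file does not already include it, which I cannot see from the hunk. setup_dirs_fds starts and ends outside the hunk.
```c
  /* Gnuplot output file. */
  tmp = alloc_printf("%s/plot_data", afl->out_dir);

  /* An in-place resume keeps the existing plot_data and appends to it. */
  int flags = afl->in_place_resume ? (O_WRONLY | O_CREAT | O_APPEND)
                                   : (O_WRONLY | O_CREAT | O_EXCL);
  int fd = open(tmp, flags, 0600);
  if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
  ck_free(tmp);

  afl->fsrv.plot_file = fdopen(fd, "w");
  if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }

  /* Header only for an empty file: a fresh run, or a resume whose
     plot_data was missing. */
  struct stat st;
  if (fstat(fd, &st) || st.st_size == 0) {

    fprintf(afl->fsrv.plot_file,
            "# unix_time, cycles_done, cur_path, paths_total, "
            "pending_total, pending_favs, map_size, unique_crashes, "
            "unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");

  }

  fflush(afl->fsrv.plot_file);
```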
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 99059a2d..3e237003 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -391,7 +391,7 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
fprintf(afl->fsrv.plot_file,
"%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, "
"%u\n",
- get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry,
+ (afl->prev_run_time + get_cur_time() - afl->start_time), afl->queue_cycle - 1, afl->current_entry,
afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored,
bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth,
eps, afl->plot_prev_ed, t_bytes); /* ignore errors */
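Review bot: The first column changes meaning: `get_cur_time() / 1000` was an absolute timestamp in seconds, while `(afl->prev_run_time + get_cur_time() - afl->start_time)` is an elapsed value, and the header written in afl-fuzz-init.c still labels the column `unix_time`, so existing consumers of plot_data will read the new numbers as wall-clock time. The old `/ 1000` is also gone; if prev_run_time is kept in milliseconds, the column is now milliseconds rather than seconds, which I cannot confirm from this hunk. Either rename the header column and document the unit, or divide by 1000 and state it, e.g. `/* elapsed run time in seconds, carried over across resumes */`. The new line is also well past the 80 columns the surrounding lines wrap at.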
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 9ea1fb34..b1d01959 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1535,21 +1535,21 @@ int main(int argc, char **argv_orig, char **envp) {
if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
!afl->unicorn_mode) {
- if (map_size <= 8000000 && !afl->non_instrumented_mode &&
+ if (map_size <= DEFAULT_SHMEM_SIZE && !afl->non_instrumented_mode &&
!afl->fsrv.qemu_mode && !afl->unicorn_mode) {
- afl->fsrv.map_size = 8000000; // dummy temporary value
- setenv("AFL_MAP_SIZE", "8000000", 1);
+ afl->fsrv.map_size = DEFAULT_SHMEM_SIZE; // dummy temporary value
+ char vbuf[16];
+ snprintf(vbuf, sizeof(vbuf), "%u", DEFAULT_SHMEM_SIZE);
+ setenv("AFL_MAP_SIZE", vbuf, 1);
}
u32 new_map_size = afl_fsrv_get_mapsize(
&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
- // only reinitialize when it makes sense
- if ((map_size < new_map_size ||
- (new_map_size != MAP_SIZE && new_map_size < map_size &&
- map_size - new_map_size > MAP_SIZE))) {
+ // only reinitialize if the map needs to be larger than what we have.
+ if (map_size < new_map_size) {
OKF("Re-initializing maps to %u bytes", new_map_size);
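Review bot: `snprintf(vbuf, sizeof(vbuf), "%u", DEFAULT_SHMEM_SIZE)` relies on the macro expanding to an unsigned value, whereas the cmplog hunk further down casts it `(u32)DEFAULT_SHMEM_SIZE`; do the same here, `snprintf(vbuf, sizeof(vbuf), "%u", (u32)DEFAULT_SHMEM_SIZE);`, so the format matches regardless of how the macro is defined. The `afl->fsrv.map_size = map_size;` that used to follow this block is deleted in the next hunk, so when `map_size >= new_map_size` fsrv.map_size now keeps whatever afl_fsrv_get_mapsize left in it; if that can still be the dummy DEFAULT_SHMEM_SIZE, a comment naming where fsrv.map_size is finalized would make the simplified condition easier to trust. main continues outside the hunk.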
@@ -1578,8 +1578,6 @@ int main(int argc, char **argv_orig, char **envp) {
}
- afl->fsrv.map_size = map_size;
-
}
if (afl->cmplog_binary) {
@@ -1592,11 +1590,15 @@ int main(int argc, char **argv_orig, char **envp) {
afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
afl->cmplog_fsrv.init_child_func = cmplog_exec_child;
- if (map_size <= 8000000 && !afl->non_instrumented_mode &&
- !afl->fsrv.qemu_mode && !afl->unicorn_mode) {
+ if ((map_size <= DEFAULT_SHMEM_SIZE ||
+ afl->cmplog_fsrv.map_size < map_size) &&
+ !afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
+ !afl->unicorn_mode) {
- afl->cmplog_fsrv.map_size = 8000000; // dummy temporary value
- setenv("AFL_MAP_SIZE", "8000000", 1);
+ afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE);
+ char vbuf[16];
+ snprintf(vbuf, sizeof(vbuf), "%u", afl->cmplog_fsrv.map_size);
+ setenv("AFL_MAP_SIZE", vbuf, 1);
}
@@ -1637,10 +1639,6 @@ int main(int argc, char **argv_orig, char **envp) {
afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,
afl->afl_env.afl_debug_child);
- } else {
-
- afl->cmplog_fsrv.map_size = new_map_size;
-
}
OKF("Cmplog forkserver successfully started");