diff options
| author | van Hauser <vh@thc.org> | 2022-01-26 11:00:55 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-26 11:00:55 +0100 |
| commit | 143c9d175e9357ba548413ee7dcee6a8de23f733 (patch) | |
| tree | a82736c060150480df81d19b50dfb7939cda7524 /src | |
| parent | a790bf6cc2bb63f0659d8c96b46f5f4db2f9d4bc (diff) | |
| parent | b0758ac8db0a2ec833b5ef7a60ab2d04cc7f6a9a (diff) | |
| download | afl++-143c9d175e9357ba548413ee7dcee6a8de23f733.tar.gz | |
Merge pull request #1301 from AFLplusplus/dev 4.00c
v4.00c release
Diffstat (limited to 'src')
| -rw-r--r-- | src/README.md | 2 | ||||
| -rw-r--r-- | src/afl-cc.c | 8 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 87 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 72 |
4 files changed, 142 insertions, 27 deletions
diff --git a/src/README.md b/src/README.md index 35af6ab9..3f332280 100644 --- a/src/README.md +++ b/src/README.md @@ -18,7 +18,7 @@ Quick explanation about the files here: - `afl-fuzz-performance.c` - hash64 and rand functions - `afl-fuzz-python.c` - afl-fuzz the python mutator extension - `afl-fuzz-queue.c` - afl-fuzz handling the queue -- `afl-fuzz-redqueen.c` - afl-fuzz redqueen implemention +- `afl-fuzz-redqueen.c` - afl-fuzz redqueen implementation - `afl-fuzz-run.c` - afl-fuzz running the target - `afl-fuzz-state.c` - afl-fuzz state and globals - `afl-fuzz-stats.c` - afl-fuzz writing the statistics file diff --git a/src/afl-cc.c b/src/afl-cc.c index 974b1d2a..9197c74b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -767,15 +767,13 @@ static void edit_params(u32 argc, char **argv, char **envp) { u8 *afllib = find_object("libAFLDriver.a", argv[0]); if (!be_quiet) - WARNF( - "Found erroneous '-fsanitize=fuzzer', trying to replace with " - "libAFLDriver.a"); + OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a"); if (!afllib) { WARNF( - "Cannot find 'libAFLDriver.a' to replace a wrong " - "'-fsanitize=fuzzer' in the flags - this will fail!"); + "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in " + "the flags - this will fail!"); } else { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index eebbb7c8..ce554170 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -405,24 +405,34 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->nyx_parent) { + if (fsrv->nyx_standalone) { fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, - !fsrv->nyx_standalone); + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); } else { - fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); + if (fsrv->nyx_parent) { + + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent( + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); + + } else { + + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child( + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id); + + } } + ck_free(x); + if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } u32 tmp_map_size = fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner); - fsrv->real_map_size = fsrv->map_size; + fsrv->real_map_size = tmp_map_size; fsrv->map_size = (((tmp_map_size + 63) >> 6) << 6); if (!be_quiet) { ACTF("Target map size: %u", fsrv->real_map_size); } @@ -456,6 +466,71 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + /* autodict in Nyx mode */ + if (!ignore_autodict) { + + x = alloc_printf("%s/workdir/dump/afl_autodict.txt", fsrv->out_dir_path); + int nyx_autodict_fd = open(x, O_RDONLY); + ck_free(x); + + if (nyx_autodict_fd >= 0) { + + struct stat st; + if (fstat(nyx_autodict_fd, &st) >= 0) { + + u32 f_len = st.st_size; + u8 *dict = ck_alloc(f_len); + if (dict == NULL) { + + FATAL("Could not allocate %u bytes of autodictionary memory", + f_len); + + } + + u32 offset = 0, count = 0; + u32 len = f_len; + + while (len != 0) { + + rlen = read(nyx_autodict_fd, dict + offset, len); + if (rlen > 0) { + + len -= rlen; + offset += rlen; + + } else { + + FATAL( + "Reading autodictionary fail at position %u with %u bytes " + "left.", + offset, len); + + } + + } + + offset = 0; + while (offset < (u32)f_len && + (u8)dict[offset] + offset < (u32)f_len) { + + fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, + (u8)dict[offset]); + offset += (1 + dict[offset]); + count++; + + } + + if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); } + ck_free(dict); + + } + + close(nyx_autodict_fd); + + } + + } + return; } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1edf82f4..a96dee97 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -46,18 +46,34 @@ extern u64 time_spent_working; static void at_exit() { - s32 i, pid1 = 0, pid2 = 0; + s32 i, pid1 = 0, pid2 = 0, pgrp = -1; char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr; - ptr = getenv(CPU_AFFINITY_ENV_VAR); - if (ptr && *ptr) unlink(ptr); + ptr = getenv("__AFL_TARGET_PID2"); + if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid2); +#endif + if (pgrp > 0) { killpg(pgrp, SIGTERM); } + kill(pid2, SIGTERM); + + } ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM); + if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) { - ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, SIGTERM); } + kill(pid1, SIGTERM); + + } + + ptr = getenv(CPU_AFFINITY_ENV_VAR); + if (ptr && *ptr) unlink(ptr); i = 0; while (list[i] != NULL) { @@ -85,8 +101,25 @@ static void at_exit() { /* AFL_KILL_SIGNAL should already be a valid int at this point */ if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); } - if (pid1 > 0) { kill(pid1, kill_signal); } - if (pid2 > 0) { kill(pid2, kill_signal); } + if (pid1 > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, kill_signal); } + kill(pid1, kill_signal); + + } + + if (pid2 > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, kill_signal); } + kill(pid2, kill_signal); + + } } @@ -121,8 +154,7 @@ static void usage(u8 *argv0, int more_help) { #if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" - " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n" + " -W - use qemu-based instrumentation with Wine (Wine mode)\n" #endif #if defined(__linux__) " -X - use VM fuzzing (NYX mode - standalone mode)\n" @@ -173,8 +205,8 @@ static void usage(u8 *argv0, int more_help) { " -T text - text banner to show on the screen\n" " -I command - execute this command/script when a new crash is " "found\n" - //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap - //" "file\n" + //" -B bitmap.txt - mutate a specific test case, use the + //out/default/fuzz_bitmap file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" " -b cpu_id - bind the fuzzing process to the specified CPU core " "(0-...)\n" @@ -283,7 +315,7 @@ static void usage(u8 *argv0, int more_help) { SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", (char *)PYTHON_VERSION); #else - SAYF("Compiled without python module support.\n"); + SAYF("Compiled without Python module support.\n"); #endif #ifdef AFL_PERSISTENT_RECORD @@ -404,6 +436,12 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { plugin->nyx_new = dlsym(handle, "nyx_new"); if (plugin->nyx_new == NULL) { goto fail; } + plugin->nyx_new_parent = dlsym(handle, "nyx_new_parent"); + if (plugin->nyx_new_parent == NULL) { goto fail; } + + plugin->nyx_new_child = dlsym(handle, "nyx_new_child"); + if (plugin->nyx_new_child == NULL) { goto fail; } + plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); if (plugin->nyx_shutdown == NULL) { goto fail; } @@ -738,6 +776,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'f': /* target file */ if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); } + afl->fsrv.out_file = ck_strdup(optarg); afl->fsrv.use_stdin = 0; break; @@ -917,6 +956,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Y': /* NYX distributed mode */ if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); } + afl->fsrv.nyx_mode = 1; break; @@ -960,6 +1000,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': /* QEMU mode */ if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } + afl->fsrv.qemu_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -1070,6 +1111,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'L': { /* MOpt mode */ if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); } + afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) { @@ -1270,8 +1312,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.nyx_mode) { OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); - OKF("Nyx is open source, get it at " - "https://github.com/Nyx-Fuzz"); + OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz"); } @@ -1341,6 +1382,7 @@ int main(int argc, char **argv_orig, char **envp) { } + afl->fsrv.nyx_parent = true; afl->fsrv.nyx_id = 0; } |