authorvan Hauser <vh@thc.org>2020-12-15 09:39:10 +0100
committerGitHub <noreply@github.com>2020-12-15 09:39:10 +0100
commit8e712d1a740b30f9e2d5655d97d4cac6e8aed543 (patch)
tree912ea1a05ba03709563b9ebea43957cd9a463fbf /src
parent12d62d539353517abee8069df6e591f4fc474e93 (diff)
parent149ec41e9039d79420088c6de7bfc7feba5fe937 (diff)
downloadafl++-8e712d1a740b30f9e2d5655d97d4cac6e8aed543.tar.gz
Merge pull request #628 from AFLplusplus/dev 3.0c
Final push to stable
Diffstat (limited to 'src')
-rw-r--r--src/afl-as.c6
-rw-r--r--src/afl-cc.c26
-rw-r--r--src/afl-common.c24
-rw-r--r--src/afl-fuzz-init.c18
-rw-r--r--src/afl-fuzz-run.c14
-rw-r--r--src/afl-sharedmem.c2
6 files changed, 73 insertions, 17 deletions
diff --git a/src/afl-as.c b/src/afl-as.c
index 3d6f7d5e..7de267a3 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -47,6 +47,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#include <limits.h>
 #include <ctype.h>
 #include <fcntl.h>
 
@@ -131,6 +132,11 @@ static void edit_params(int argc, char **argv) {
   if (!tmp_dir) { tmp_dir = "/tmp"; }
 
   as_params = ck_alloc((argc + 32) * sizeof(u8 *));
+  if (unlikely((INT_MAX - 32) < argc || !as_params)) {
+
+    FATAL("Too many parameters passed to as");
+
+  }
 
   as_params[0] = afl_as ? afl_as : (u8 *)"as";
 
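Review bot: The overflow guard added here runs after `argc + 32` has already been evaluated inside the ck_alloc call on the line above it, so the signed overflow it is meant to prevent has already occurred (undefined behavior) by the time the comparison fires. Move the argc test ahead of the allocation: `if (unlikely(argc > INT_MAX - 32)) { FATAL("Too many parameters passed to as"); }` and then `as_params = ck_alloc((argc + 32) * sizeof(u8 *));`, keeping a separate `!as_params` check after the call only if ck_alloc can actually return NULL. edit_params continues outside the hunk.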
diff --git a/src/afl-cc.c b/src/afl-cc.c
index c43ac2c1..2aeb2178 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -69,6 +69,7 @@ enum {
   INSTRUMENT_INSTRIM = 3,
   INSTRUMENT_CFG = 3,
   INSTRUMENT_LTO = 4,
+  INSTRUMENT_LLVMNATIVE = 5,
   INSTRUMENT_OPT_CTX = 8,
   INSTRUMENT_OPT_NGRAM = 16
 
@@ -76,8 +77,9 @@ enum {
 
 char instrument_mode_string[18][18] = {
 
-    "DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "", "",      "", "CTX", "",
-    "",        "",        "",        "",    "",    "", "NGRAM", ""
+    "DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "", "PCGUARD-NATIVE",
+    "",        "CTX",     "",        "",    "",    "", "",
+    "",        "",        "NGRAM",   ""
 
 };
 
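Review bot: `"PCGUARD-NATIVE"` lands at index 6 of instrument_mode_string (it follows the empty string after `"LTO"`), but INSTRUMENT_LLVMNATIVE, added in the previous hunk, is 5, so `instrument_mode_string[INSTRUMENT_LLVMNATIVE]` yields `""` — the FATAL in the main() hunk further down prints `instrument_mode_string[instrument_mode]` and would show an empty name for this mode. Either swap the two entries so the first row reads `"DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "PCGUARD-NATIVE", "",` or set the enum to 6. The other named slots (`"CTX"` at 8, `"NGRAM"` at 16) still line up with INSTRUMENT_OPT_CTX and INSTRUMENT_OPT_NGRAM.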
@@ -580,6 +582,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   #endif
 #endif
 
+      } else if (instrument_mode == INSTRUMENT_LLVMNATIVE) {
+
+#if LLVM_MAJOR >= 4
+        cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
+#else
+        FATAL("pcguard instrumentation requires llvm 4.0.1+");
+#endif
+
       } else {
 
         cc_params[cc_par_cnt++] = "-Xclang";
@@ -1162,6 +1172,18 @@ int main(int argc, char **argv, char **envp) {
 
       }
 
+      // this is a hidden option
+      if (strncasecmp(ptr, "llvmnative", strlen("llvmnative")) == 0 ||
+          strncasecmp(ptr, "llvm-native", strlen("llvm-native")) == 0) {
+
+        if (!instrument_mode || instrument_mode == INSTRUMENT_LLVMNATIVE)
+          instrument_mode = INSTRUMENT_LLVMNATIVE;
+        else
+          FATAL("main instrumentation mode already set with %s",
+                instrument_mode_string[instrument_mode]);
+
+      }
+
       if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 ||
           strncasecmp(ptr, "instrim", strlen("instrim")) == 0) {
 
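Review bot: The comment `// this is a hidden option` says the option is undocumented but not what it does; since the matching branch in edit_params (earlier hunk of this file) emits `-fsanitize-coverage=trace-pc-guard`, that is what a reader needs here. Suggest `// "llvmnative"/"llvm-native": undocumented mode that uses clang's own trace-pc-guard instrumentation instead of the AFL++ LLVM pass`. As with the neighbouring cfg/instrim test, strncasecmp against the option's own length is a prefix match, so a value such as `llvmnativeXYZ` is accepted too; that follows the file's existing convention, so it is only worth noting. main() continues outside the hunk.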
diff --git a/src/afl-common.c b/src/afl-common.c
index ed0b0e53..4df22394 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -108,6 +108,7 @@ char **argv_cpy_dup(int argc, char **argv) {
   int i = 0;
 
   char **ret = ck_alloc((argc + 1) * sizeof(char *));
+  if (unlikely(!ret)) { FATAL("Amount of arguments specified is too high"); }
 
   for (i = 0; i < argc; i++) {
 
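Review bot: The new `!ret` check reports `"Amount of arguments specified is too high"`, but a NULL from ck_alloc cannot tell you that `argc + 1` overflowed — that addition has already been performed on the line above — and if ck_alloc aborts on allocation failure itself, as its `ck_` prefix suggests, the only NULL it could return is for a zero-size request. A test on the input before the call is what the message describes, e.g. `if (unlikely(argc < 0 || argc == INT_MAX)) { FATAL("Amount of arguments specified is too high"); }` ahead of the ck_alloc (INT_MAX needs `<limits.h>` if the file does not already include it). The same after-the-fact NULL checks with overflow-themed messages appear in the get_qemu_argv, get_wine_argv and find_binary hunks below and in the check_binary PATH hunk of afl-fuzz-init.c. argv_cpy_dup continues outside the hunk.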
@@ -130,6 +131,7 @@ void argv_cpy_free(char **argv) {
   while (argv[i]) {
 
     ck_free(argv[i]);
+    argv[i] = NULL;
     i++;
 
   }
@@ -142,8 +144,12 @@ void argv_cpy_free(char **argv) {
 
 char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
+  if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
+
+  u8 *tmp, *cp = NULL, *rsl, *own_copy;
+
   char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
-  u8 *   tmp, *cp = NULL, *rsl, *own_copy;
+  if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
 
   memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1));
   new_argv[argc + 3] = NULL;
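Review bot: `if (!unlikely(own_loc))` negates the result of unlikely() rather than its argument, so the branch hint is inverted: it tells the compiler that a non-NULL own_loc is the unlikely case, the opposite of what the FATAL path means. Write it the way the other new check in this hunk does: `if (unlikely(!own_loc)) { FATAL("BUG: param own_loc is NULL"); }`. The same inverted form is in the get_wine_argv hunk that follows. Separately, the memcpy below still uses `argc - 1` unchecked, so an argc of 0 would wrap to a huge size; the new own_loc check does not cover that. get_qemu_argv continues outside the hunk.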
@@ -224,8 +230,12 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
 char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
+  if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
+
+  u8 *tmp, *cp = NULL, *rsl, *own_copy;
+
   char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
-  u8 *   tmp, *cp = NULL, *rsl, *own_copy;
+  if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
 
   memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1));
   new_argv[argc + 2] = NULL;
@@ -335,6 +345,8 @@ u8 *find_binary(u8 *fname) {
 
   struct stat st;
 
+  if (unlikely(!fname)) { FATAL("No binary supplied"); }
+
   if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
 
     target_path = ck_strdup(fname);
@@ -356,6 +368,14 @@ u8 *find_binary(u8 *fname) {
       if (delim) {
 
         cur_elem = ck_alloc(delim - env_path + 1);
+        if (unlikely(!cur_elem)) {
+
+          FATAL(
+              "Unexpected overflow when processing ENV. This should never "
+              "happend.");
+
+        }
+
         memcpy(cur_elem, env_path, delim - env_path);
         delim++;
 
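Review bot: The FATAL string added for the cur_elem check has a typo in user-facing text: `"happend."` should be `"happen."`. Also, `delim - env_path + 1` is at least 1 here, since delim is presumably found by scanning forward from env_path, so the zero-size case cannot occur and the branch only fires if ck_alloc returns NULL on a genuine allocation failure — if it aborts itself, as its `ck_` prefix suggests, the check is unreachable and either a comment should say it is defensive or it could go. find_binary continues outside the hunk.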
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 6707340b..0db3a111 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -772,10 +772,17 @@ void perform_dry_run(afl_state_t *afl) {
 
   while (q) {
 
-    u8 *use_mem;
+    u8  use_mem[MAX_FILE];
     u8  res;
     s32 fd;
 
+    if (unlikely(!q->len)) {
+
+      WARNF("Skipping 0-sized entry in queue (%s)", q->fname);
+      continue;
+
+    }
+
     u8 *fn = strrchr(q->fname, '/') + 1;
 
     ACTF("Attempting dry run with '%s'...", fn);
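Review bot: The new `continue` for a zero-length entry jumps back to `while (q)` without changing q, so unless q is advanced at the top of the loop (the rest of the body is outside this hunk; if it ends with `q = q->next;`, as the `while (q)` form suggests) a single empty queue file makes perform_dry_run spin forever on that entry, emitting the WARNF on every pass. Advance before skipping: `q = q->next; continue;`. Also, `u8 use_mem[MAX_FILE]` replaces the old heap buffer with a MAX_FILE-sized array on the stack — if I recall correctly MAX_FILE defaults to 1 MiB in AFL++'s config.h — which deserves a comment on why the heap allocation was dropped and what stack size it assumes.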
@@ -783,9 +790,8 @@ void perform_dry_run(afl_state_t *afl) {
     fd = open(q->fname, O_RDONLY);
     if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); }
 
-    use_mem = ck_alloc_nozero(q->len);
-
-    if (read(fd, use_mem, q->len) != (ssize_t)q->len) {
+    u32 read_len = MIN(q->len, (u32)MAX_FILE);
+    if (read(fd, use_mem, read_len) != (ssize_t)read_len) {
 
       FATAL("Short read from '%s'", q->fname);
 
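Review bot: `read_len` clamps the read to MAX_FILE, but calibrate_case is still handed q (next hunk) and, if it takes the test case length from q->len as its signature suggests, an entry with q->len > MAX_FILE would now make it read past the MAX_FILE-byte stack buffer — with the old ck_alloc_nozero(q->len) the buffer and the length always agreed. If oversized entries are guaranteed to be rejected when the queue is loaded, say so in a comment at the MIN line; otherwise skip such entries here with a WARNF or FATAL rather than silently truncating the read. perform_dry_run continues outside the hunk.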
@@ -794,7 +800,6 @@ void perform_dry_run(afl_state_t *afl) {
     close(fd);
 
     res = calibrate_case(afl, q, use_mem, 0, 1);
-    ck_free(use_mem);
 
     if (afl->stop_soon) { return; }
 
@@ -2449,6 +2454,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
 
 void check_binary(afl_state_t *afl, u8 *fname) {
 
+  if (unlikely(!fname)) { FATAL("BUG: Binary name is NULL"); }
+
   u8 *        env_path = 0;
   struct stat st;
 
@@ -2477,6 +2484,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
       if (delim) {
 
         cur_elem = ck_alloc(delim - env_path + 1);
+        if (unlikely(!cur_elem)) { FATAL("Unexpected large PATH"); }
         memcpy(cur_elem, env_path, delim - env_path);
         ++delim;
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 5948d83a..a97ceb89 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -94,9 +94,9 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 
   if (unlikely(afl->custom_mutators_count)) {
 
-    u8 *    new_buf = NULL;
     ssize_t new_size = len;
-    void *  new_mem = mem;
+    u8 *    new_mem = mem;
+    u8 *    new_buf = NULL;
 
     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
 
@@ -152,13 +152,13 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
   if (unlikely(!mem_trimmed)) { PFATAL("alloc"); }
 
   ssize_t new_size = len - skip_len;
-  void *  new_mem = mem;
-  u8 *    new_buf = NULL;
+  u8 *    new_mem = mem;
 
   bool post_process_skipped = true;
 
   if (unlikely(afl->custom_mutators_count)) {
 
+    u8 *new_buf = NULL;
     new_mem = mem_trimmed;
 
     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
@@ -205,9 +205,9 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
     if (!post_process_skipped) {
 
-      // If we did post_processing, copy directly from the new_buf bufer
+      // If we did post_processing, copy directly from the new_mem buffer
 
-      memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size);
+      memcpy(afl->fsrv.shmem_fuzz, new_mem, new_size);
 
     }
 
@@ -265,7 +265,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
   if (!post_process_skipped) {
 
-    ck_write(fd, new_buf, new_size, afl->fsrv.out_file);
+    ck_write(fd, new_mem, new_size, afl->fsrv.out_file);
 
   } else {
 
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 3e671df5..fe641d0d 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -205,7 +205,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
     /* map the shared memory segment to the address space of the process */
     shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
                         shm->cmplog_g_shm_fd, 0);
-    if (shm->map == MAP_FAILED) {
+    if (shm->cmp_map == MAP_FAILED) {
 
       close(shm->cmplog_g_shm_fd);
       shm->cmplog_g_shm_fd = -1;
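Review bot: With the check now on the right variable, the failure path closes cmplog_g_shm_fd but leaves shm->cmp_map holding MAP_FAILED (the lines after this hunk are not visible, so this may already be handled further down); if later code tests `shm->cmp_map` against NULL, the sentinel would pass as a valid mapping. Suggest `shm->cmp_map = NULL;` next to the fd reset. afl_shm_init continues outside the hunk.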