author | Ruben ten Hove <git@rhtenhove.nl> | 2022-07-07 17:07:57 +0000 |
---|---|---|
committer | Ruben ten Hove <git@rhtenhove.nl> | 2022-07-07 17:07:57 +0000 |
commit | b883faa94260026bc5ba013f82913ba0dbc7321c (patch) | |
tree | 126e1d2c313855e7c9c4cecbc4c41e8a6330180d /src | |
parent | c90dd00fc977170048271ca8f4f614b8b625e67a (diff) | |
parent | b1e0d6e6403c6f7f4796af9603e2b528b9776865 (diff) | |
download | afl++-b883faa94260026bc5ba013f82913ba0dbc7321c.tar.gz |
Merge branch 'dev' of https://github.com/AFLplusplus/AFLplusplus into dev
Diffstat (limited to 'src')
-rw-r--r-- | src/afl-cc.c | 26 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 4 | ||||
-rw-r--r-- | src/afl-fuzz-python.c | 93 | ||||
-rw-r--r-- | src/afl-fuzz.c | 3 |
4 files changed, 107 insertions, 19 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 4a56169f..246e01cd 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -422,8 +422,24 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 if (compiler_mode == GCC_PLUGIN) {
- char *fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
- cc_params[cc_par_cnt++] = fplugin_arg;
+ char *fplugin_arg;
+
+ if (cmplog_mode) {
+
+ fplugin_arg =
+ alloc_printf("-fplugin=%s/afl-gcc-cmplog-pass.so", obj_path);
+ cc_params[cc_par_cnt++] = fplugin_arg;
+ fplugin_arg =
+ alloc_printf("-fplugin=%s/afl-gcc-cmptrs-pass.so", obj_path);
+ cc_params[cc_par_cnt++] = fplugin_arg;
+
+ } else {
+
+ fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
+ cc_params[cc_par_cnt++] = fplugin_arg;
+
+ }
+
 cc_params[cc_par_cnt++] = "-fno-if-conversion";
 cc_params[cc_par_cnt++] = "-fno-if-conversion2";
@@ -1879,6 +1895,7 @@ int main(int argc, char **argv, char **envp) {
 if (have_gcc_plugin)
 SAYF(
 "\nGCC Plugin-specific environment variables:\n"
+ " AFL_GCC_CMPLOG: log operands of comparisons (RedQueen mutator)\n"
 " AFL_GCC_OUT_OF_LINE: disable inlined instrumentation\n"
 " AFL_GCC_SKIP_NEVERZERO: do not skip zero on trace counters\n"
 " AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by "
@@ -2149,9 +2166,8 @@ int main(int argc, char **argv, char **envp) {
 }
- cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG");
- if (!be_quiet && cmplog_mode)
- printf("CmpLog mode by <andreafioraldi@gmail.com>\n");
+ cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG") ||
+ getenv("AFL_GCC_CMPLOG");
 #if !defined(__ANDROID__) && !defined(ANDROID)
 ptr = find_object("afl-compiler-rt.o", argv[0]);
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 6a653a00..f4b2d908 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -146,6 +146,10 @@ void bind_to_free_cpu(afl_state_t *afl) {
 }
+ } else {
+
+ OKF("CPU binding request using -b %d successful.", afl->cpu_to_bind);
+
 }
 return;
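Review bot: The new `if (cmplog_mode)` branch in edit_params does not say why the CmpLog path loads two GCC plugins where the default path loads one, and a reader has to infer it from the file names afl-gcc-cmplog-pass.so and afl-gcc-cmptrs-pass.so; a one-line comment such as `// GCC CmpLog is split across two passes; both must be loaded` would do (I am inferring the split from the names, so confirm the wording against the plugin sources). Each `cc_params[cc_par_cnt++]` store is unchecked against the array's capacity, as the replaced lines were, and the branch now emits one entry more than before when cmplog_mode is set; whether cc_params has that headroom is not visible here. edit_params starts and ends outside the hunk.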
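Review bot: `getenv("AFL_GCC_CMPLOG")` now sets cmplog_mode for every compiler mode, not only GCC_PLUGIN, so the variable set under an LLVM mode would presumably switch on the LLVM CmpLog path as well; if that is not intended, gate the new term, e.g. `(compiler_mode == GCC_PLUGIN && getenv("AFL_GCC_CMPLOG"))`. The removed `printf("CmpLog mode by ...")` was the only notice that CmpLog instrumentation is active, so a be_quiet-guarded one-liner, or a comment saying the notice was dropped on purpose, would keep that feedback. The surrounding body of main is outside the hunk.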
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 65501c8c..0231d2cd 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -28,6 +28,36 @@
 /* Python stuff */
 #ifdef USE_PYTHON
+// Tries to cast a python bytearray or bytes to a char ptr
+static inline bool py_bytes(PyObject *py_value, /* out */ char **bytes,
+ /* out */ size_t *size) {
+
+ if (!py_value) { return false; }
+
+ *bytes = PyByteArray_AsString(py_value);
+ if (*bytes) {
+
+ // we got a bytearray
+ *size = PyByteArray_Size(py_value);
+
+ } else {
+
+ *bytes = PyBytes_AsString(py_value);
+ if (!*bytes) {
+
+ // No valid type returned.
+ return false;
+
+ }
+
+ *size = PyBytes_Size(py_value);
+
+ }
+
+ return true;
+
+}
+
 static void *unsupported(afl_state_t *afl, unsigned int seed) {
 (void)afl;
@@ -93,12 +123,22 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf,
 if (py_value != NULL) {
- mutated_size = PyByteArray_Size(py_value);
+ char *bytes;
+ if (!py_bytes(py_value, &bytes, &mutated_size)) {
+
+ FATAL("Python mutator fuzz() should return a bytearray or bytes");
+
+ }
+
+ if (mutated_size) {
+
+ *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size);
+ if (unlikely(!*out_buf)) { PFATAL("alloc"); }
+
+ memcpy(*out_buf, bytes, mutated_size);
- *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size);
- if (unlikely(!*out_buf)) { PFATAL("alloc"); }
+ }
- memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);
 Py_DECREF(py_value);
 return mutated_size;
@@ -625,7 +665,7 @@ s32 post_trim_py(void *py_mutator, u8 success) {
 size_t trim_py(void *py_mutator, u8 **out_buf) {
 PyObject *py_args, *py_value;
- size_t ret;
+ size_t trimmed_size;
 py_args = PyTuple_New(0);
 py_value = PyObject_CallObject(
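Review bot: py_bytes decides that py_value is a bytearray from `PyByteArray_AsString` returning non-NULL, but in the CPython I know that function only asserts the argument type in debug builds and otherwise reads the bytearray fields straight out of whatever object it is given; on a release interpreter a `bytes` return value therefore yields an arbitrary non-NULL pointer, which fuzz_py, trim_py and havoc_mutation_py then hand to memcpy. The type should be established with `PyByteArray_Check`/`PyBytes_Check` before either accessor is called, as below, so an unexpected return type ends in the callers' FATAL rather than in a wild read inside the fuzzer. The header comment `// Tries to cast a python bytearray or bytes to a char ptr` should also say that `*bytes` aliases the object's storage and is only valid while the caller holds its reference to py_value.
```c
static inline bool py_bytes(PyObject *py_value, /* out */ char **bytes,
                            /* out */ size_t *size) {

  if (!py_value) { return false; }

  if (PyByteArray_Check(py_value)) {

    *bytes = PyByteArray_AsString(py_value);
    *size = PyByteArray_Size(py_value);

  } else if (PyBytes_Check(py_value)) {

    *bytes = PyBytes_AsString(py_value);
    *size = PyBytes_Size(py_value);

  } else {

    // Neither bytearray nor bytes: leave the outputs alone, caller reports.
    return false;

  }

  return *bytes != NULL;

}
```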
@@ -634,10 +674,21 @@ size_t trim_py(void *py_mutator, u8 **out_buf) {
 if (py_value != NULL) {
- ret = PyByteArray_Size(py_value);
- *out_buf = afl_realloc(BUF_PARAMS(trim), ret);
- if (unlikely(!*out_buf)) { PFATAL("alloc"); }
- memcpy(*out_buf, PyByteArray_AsString(py_value), ret);
+ char *bytes;
+ if (!py_bytes(py_value, &bytes, &trimmed_size)) {
+
+ FATAL("Python mutator fuzz() should return a bytearray");
+
+ }
+
+ if (trimmed_size) {
+
+ *out_buf = afl_realloc(BUF_PARAMS(trim), trimmed_size);
+ if (unlikely(!*out_buf)) { PFATAL("alloc"); }
+ memcpy(*out_buf, bytes, trimmed_size);
+
+ }
+
 Py_DECREF(py_value);
 } else {
@@ -647,7 +698,7 @@ size_t trim_py(void *py_mutator, u8 **out_buf) {
 }
- return ret;
+ return trimmed_size;
 }
@@ -692,7 +743,13 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size,
 if (py_value != NULL) {
- mutated_size = PyByteArray_Size(py_value);
+ char *bytes;
+ if (!py_bytes(py_value, &bytes, &mutated_size)) {
+
+ FATAL("Python mutator fuzz() should return a bytearray");
+
+ }
+
 if (mutated_size <= buf_size) {
 /* We reuse the input buf here. */
@@ -706,7 +763,7 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size,
 }
- memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);
+ if (mutated_size) { memcpy(*out_buf, bytes, mutated_size); }
 Py_DECREF(py_value);
 return mutated_size;
@@ -762,7 +819,17 @@ const char *introspection_py(void *py_mutator) {
 } else {
- return PyByteArray_AsString(py_value);
+ char * ret;
+ size_t len;
+ if (!py_bytes(py_value, &ret, &len)) {
+
+ FATAL(
+ "Python mutator introspection call returned illegal type (expected "
+ "bytes or bytearray)");
+
+ }
+
+ return ret;
 }
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 7c33ba29..18367cf2 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
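Review bot: The failure message in trim_py names the wrong callback and the narrower type: `FATAL("Python mutator fuzz() should return a bytearray")` fires on the value returned by trim(), and py_bytes accepts bytes too, so it should read `FATAL("Python mutator trim() should return a bytearray or bytes");`. The havoc_mutation_py hunk below (`@@ -692`) carries the same copied fuzz() text and wants `havoc_mutation()` in it; fuzz_py in the previous physical line already has the "bytearray or bytes" wording. The `} else {` branch that follows leaves `trimmed_size` unset and its body is outside the hunk, so unless it aborts, `return trimmed_size` at `@@ -647` returns an indeterminate value, exactly as `ret` did before the rename. trim_py starts in the previous hunk and ends after `@@ -647`.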
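Review bot: In introspection_py, `char * ret;` departs from the declarator style used everywhere else in this commit (`char *bytes;`), and `len` is written by py_bytes but never read, which -Wunused-but-set-variable will flag; `char *ret;` together with `(void)len;  // length not needed for introspection` settles both. The returned `ret` aliases py_value's storage and is only valid for as long as that reference is held; what happens to py_value after the return is outside the hunk, so that is worth confirming. introspection_py starts outside the hunk.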
@@ -296,6 +296,7 @@ static void usage(u8 *argv0, int more_help) {
 " Supported formats are: 'dogstatsd', 'librato',\n"
 " 'signalfx' and 'influxdb'\n"
 "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n"
+ "AFL_NO_CRASH_README: do not create a README in the crashes directory\n"
 "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n"
 "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"
 "AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n"
@@ -1468,7 +1469,7 @@ int main(int argc, char **argv_orig, char **envp) {
 if (afl->shm.cmplog_mode && (!strcmp("-", afl->cmplog_binary) ||
 !strcmp("0", afl->cmplog_binary))) {
- afl->cmplog_binary = argv[optind];
+ afl->cmplog_binary = strdup(argv[optind]);
 }
|
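Review bot: The result of `strdup(argv[optind])` is stored unchecked, so on allocation failure `afl->cmplog_binary` becomes NULL and any later use of it would dereference a null pointer; the project's checked wrapper aborts with a message instead, `afl->cmplog_binary = ck_strdup(argv[optind]);` (assuming alloc-inl.h is in scope here, which I cannot see). The value is now heap-owned where the previous one pointed into argv, so whichever shutdown path releases cmplog_binary must now free it; that code is outside the hunk. main continues outside the hunk.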