-rw-r--r-- | GNUmakefile.llvm | 2 | ||||
-rw-r--r-- | docs/Changelog.md | 4 | ||||
-rw-r--r-- | instrumentation/SanitizerCoverageLTO.so.cc | 6 | ||||
-rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 11 | ||||
-rw-r--r-- | nyx_mode/LIBNYX_VERSION | 2 | ||||
m--------- | nyx_mode/QEMU-Nyx | 0 | ||||
-rw-r--r-- | nyx_mode/QEMU_NYX_VERSION | 2 | ||||
-rw-r--r-- | src/afl-forkserver.c | 7 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 16 | ||||
-rw-r--r-- | src/afl-fuzz-run.c | 7 | ||||
-rw-r--r-- | src/afl-fuzz-stats.c | 8 | ||||
-rw-r--r-- | src/afl-fuzz.c | 28 | ||||
-rw-r--r-- | utils/libdislocator/libdislocator.so.c | 9 |
13 files changed, 75 insertions, 27 deletions
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index d5dcb09b..2e806ab8 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -327,7 +327,7 @@ endif
 # User teor2345 reports that this is required to make things work on MacOS X.
 ifeq "$(SYS)" "Darwin"
- CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
+ CLANG_LFL += -Wl,-undefined,dynamic_lookup
 override LLVM_HAVE_LTO := 0
 override LLVM_LTO := 0
 else
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7043202f..5b809d61 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,6 +15,7 @@ function after the target has been restarted. - because of bad math and undefined behaviour fixes we have to change the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS** + - fixed custom_post_process for calibration - frida_mode: - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just a function entry
@@ -25,9 +26,12 @@ @CowBoy4mH3LL - unicorn_mode: - fix install and forkserver (thanks aarnav!) + - nyx_mode: + - bugfixes - custom mutators: - custom_send_tcp custom mutator added, thanks to @dergoegge - afl-cc + - fix to support pointless changes in LLVM 20 - new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with AFL_LLVM_INSTRUMENT=CLASSIC
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 63ea71c1..6ec84dcd 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -50,7 +50,11 @@
 #include "llvm/Support/SpecialCaseList.h"
 #include "llvm/Support/VirtualFileSystem.h"
 #include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/Instrumentation.h"
+#if LLVM_VERSION_MAJOR < 20
+ #include "llvm/Transforms/Instrumentation.h"
+#else
+ #include "llvm/Transforms/Utils/Instrumentation.h"
+#endif
 #if LLVM_VERSION_MAJOR < 17
 #include "llvm/Transforms/IPO/PassManagerBuilder.h"
 #endif
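Review bot: The comment above the `ifeq "$(SYS)" "Darwin"` block still only says the flags are "required to make things work on MacOS X", which described the removed `-Wl,-flat_namespace -Wl,-undefined,suppress` pair; after this change the plugin is linked in the default two-level namespace and its LLVM symbols are left for dyld to resolve against the hosting clang when the plugin is loaded, so a missing or renamed LLVM symbol now surfaces as a load-time dyld error instead of a link error. A one-line comment recording that trade-off would save the next person who hits such an error some digging, e.g. `# Resolve LLVM symbols against the loading clang at runtime; unresolved names fail at plugin load, not at link.`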
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 49fe904b..859b4e7b 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -63,11 +63,16 @@
 #if LLVM_VERSION_MAJOR < 15
 #include "llvm/Support/raw_ostream.h"
 #endif
-#if LLVM_VERSION_MAJOR < 17
- #include "llvm/Transforms/Instrumentation.h"
+#if LLVM_VERSION_MAJOR < 20
+ #if LLVM_VERSION_MAJOR < 17
+ #include "llvm/Transforms/Instrumentation.h"
+ #else
+ #include "llvm/TargetParser/Triple.h"
+ #endif
 #else
- #include "llvm/TargetParser/Triple.h"
+ #include "llvm/Transforms/Utils/Instrumentation.h"
 #endif
+
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
 #include "llvm/Transforms/Utils/ModuleUtils.h"
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION
index 5f7c9a5b..fdd1b46b 100644
--- a/nyx_mode/LIBNYX_VERSION
+++ b/nyx_mode/LIBNYX_VERSION
@@ -1 +1 @@
-ea6ceb9
\ No newline at end of file
+ea6ceb9
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
-Subproject e5e1c4c21ff9c4dc80e6409d4eab47146c6024c
+Subproject ff1c89732115274e912a2809fcba58e67df23df
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
index c6ed0c6a..4543932d 100644
--- a/nyx_mode/QEMU_NYX_VERSION
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -1 +1 @@
-e5e1c4c21ff9c4dc80e6409d4eab47146c6024cd
+ff1c897321
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index ae3c7ccc..51299009 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
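Review bot: In the new `#if LLVM_VERSION_MAJOR < 20` block, `llvm/TargetParser/Triple.h` is only included on the 17–19 path; the `#else` branch for LLVM 20+ pulls in `llvm/Transforms/Utils/Instrumentation.h` and no longer includes `Triple.h` at all, so if this pass still names `llvm::Triple` on LLVM 20 it now depends on a transitive include that may disappear. The two-level nesting also hides that there are really three version ranges; a flat `#if`/`#elif`/`#else` chain states them directly and is closer to the simpler form the LTO pass uses in this same commit. Whether `Triple.h` is still needed on 20+ cannot be told from the hunk and should be checked where the type is used.
```cpp
#if LLVM_VERSION_MAJOR < 17
  #include "llvm/Transforms/Instrumentation.h"
#elif LLVM_VERSION_MAJOR < 20
  #include "llvm/TargetParser/Triple.h"
#else
  // add "llvm/TargetParser/Triple.h" here as well if llvm::Triple is still used on 20+
  #include "llvm/Transforms/Utils/Instrumentation.h"
#endif
```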
@@ -536,12 +536,15 @@ static void report_error_and_exit(int error) {
 #ifdef __linux__
 void nyx_load_target_hash(afl_forkserver_t *fsrv) {
+
 void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path);
- fsrv->nyx_target_hash64 = fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config);
+ fsrv->nyx_target_hash64 =
+ fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config);
 fsrv->nyx_handlers->nyx_config_free(nyx_config);
+
 }
-#endif
+#endif
 /* Spins up fork server. The idea is explained here:
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 9eaa661d..a9397232 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1237,19 +1237,26 @@ void perform_dry_run(afl_state_t *afl) {
 u8 crash_log_fn[PATH_MAX];
 snprintf(crash_log_fn, PATH_MAX, "%s.log", crash_fn);
- fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
- if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_log_fn); }
+ fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL,
+ DEFAULT_PERMISSION);
+ if (unlikely(fd < 0)) {
+
+ PFATAL("Unable to create '%s'", crash_log_fn);
+
+ }
 u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(
 afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string,
 afl->fsrv.nyx_aux_string_len);
- ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, crash_log_fn);
+ ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len,
+ crash_log_fn);
 close(fd);
 }
+
 #endif
-
+
 afl->last_crash_time = get_cur_time();
 afl->last_crash_execs = afl->fsrv.total_execs;
@@ -2905,6 +2912,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
 afl->fsrv.target_path);
 }
+
 #endif
 if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) ||
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 4ce17eb2..a3787e5c 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
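Review bot: `nyx_config` is handed to `nyx_get_target_hash64` and `nyx_config_free` without checking what `nyx_config_load(fsrv->target_path)` returned; if that call can fail (unreadable or malformed target path) the hash is derived from a NULL or invalid handle and `nyx_load_target_hash` still looks successful to its callers. The fast-resume check elsewhere in this commit already treats a zero hash as "target differs", so a guard that stops before the hash call keeps the failure visible instead of turning it into a bogus hash: `if (unlikely(!nyx_config)) { FATAL("Unable to load Nyx config for '%s'", fsrv->target_path); }`. Whether `nyx_config_load` reports failure through a NULL return is not visible here and needs confirming against libnyx.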
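Review bot: The length returned by `nyx_get_aux_string` is passed straight to `ck_write` in the reflowed call; that is only safe if the helper guarantees a result no larger than the `afl->fsrv.nyx_aux_string_len` capacity it is given and never signals an error through its return value. If it can return an error code or a length beyond the buffer, `ck_write` copies memory past `afl->fsrv.nyx_aux_string` into the crash log. Clamping before the write costs one line and removes the dependency on that contract: `if (nyx_aux_string_len > afl->fsrv.nyx_aux_string_len) { nyx_aux_string_len = afl->fsrv.nyx_aux_string_len; }`. perform_dry_run continues outside the hunk on both sides.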
@@ -487,6 +487,10 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 }
+ u8 saved_afl_post_process_keep_original =
+ afl->afl_env.afl_post_process_keep_original;
+ afl->afl_env.afl_post_process_keep_original = 1;
+
 /* we need a dummy run if this is LTO + cmplog */
 if (unlikely(afl->shm.cmplog_mode)) {
@@ -661,6 +665,9 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 abort_calibration:
+ afl->afl_env.afl_post_process_keep_original =
+ saved_afl_post_process_keep_original;
+
 if (new_bits == 2 && !q->has_new_cov) {
 q->has_new_cov = 1;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index b1a84cb6..a7465330 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -83,12 +83,16 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
 #ifdef __linux__
 if (afl->fsrv.nyx_mode) {
+
 nyx_load_target_hash(&afl->fsrv);
 fprintf(f2, "%llx\n", afl->fsrv.nyx_target_hash64);
- }
- else {
+
+ } else {
+
 fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path));
+
 }
+
 #else
 fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path));
 #endif
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a2fd4b76..7a940031 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1505,7 +1505,8 @@ int main(int argc, char **argv_orig, char **envp) {
 #ifdef __linux__
 if (afl->fsrv.nyx_mode) {
- OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej Schumilo)");
+ OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej "
+ "Schumilo)");
 OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz");
 }
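Review bot: `afl->afl_env.afl_post_process_keep_original` is forced to 1 at the top of `calibrate_case` and restored only at the `abort_calibration:` label; any `return` between the two hunks (that part of the body is not shown) would leave the flag set for the rest of the run and silently change how the custom post-process hook is applied to every later execution. Please confirm every exit path between the save and the label goes through the label, or route the early exits through it. The save site also deserves a comment saying why calibration needs `keep_original` forced on — the changelog entry "fixed custom_post_process for calibration" does not explain the reason — since a reader who sees an env-derived setting being overwritten at runtime will otherwise assume it is a bug. calibrate_case starts before the first hunk and ends after the second.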
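Review bot: `fprintf(f2, "%llx\n", afl->fsrv.nyx_target_hash64)` records the Nyx hash with `%llx` while the other two branches print `get_binary_hash()` through a `void *` cast with `%p`, which typically yields a `0x`-prefixed spelling; whatever reads this value back for the fast-resume comparison (presumably the source of `prev_target_hash` in afl-fuzz.c) therefore has to accept both spellings, and a single shared format for all three branches would remove that coupling. If `nyx_target_hash64` is a `u64` that typedefs `unsigned long` rather than `unsigned long long`, `%llx` is also a format/argument mismatch that `-Wformat` flags; `"%" PRIx64` from `<inttypes.h>` sidesteps the guess. The type of the field is not visible in this hunk.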
@@ -2225,23 +2226,27 @@ int main(int argc, char **argv_orig, char **envp) {
 if (afl->in_place_resume && !afl->afl_env.afl_no_fastresume) {
-#ifdef __linux__
+ #ifdef __linux__
 u64 target_hash = 0;
 if (afl->fsrv.nyx_mode) {
+
 nyx_load_target_hash(&afl->fsrv);
 target_hash = afl->fsrv.nyx_target_hash64;
- }
- else {
+
+ } else {
+
 target_hash = get_binary_hash(afl->fsrv.target_path);
+
 }
-#else
+
+ #else
 u64 target_hash = get_binary_hash(afl->fsrv.target_path);
-#endif
+ #endif
 if ((!target_hash || prev_target_hash != target_hash)
-#ifdef __linux__
- || (afl->fsrv.nyx_mode && target_hash == 0)
-#endif
+ #ifdef __linux__
+ || (afl->fsrv.nyx_mode && target_hash == 0)
+ #endif
 ) {
 ACTF("Target binary is different, cannot perform FAST RESUME!");
@@ -2386,10 +2391,11 @@ int main(int argc, char **argv_orig, char **envp) {
 #ifdef AFL_PERSISTENT_RECORD
 if (unlikely(afl->fsrv.persistent_record)) {
- if (!getenv(PERSIST_ENV_VAR)) {
+ if (!getenv(PERSIST_ENV_VAR) && !getenv("AFL_FRIDA_PERSISTENT_ADDR") &&
+ !getenv("AFL_QEMU_PERSISTENT_ADDR")) {
 FATAL(
- "Target binary is not compiled in persistent mode, "
+ "Target binary is not compiled/run in persistent mode, "
 "AFL_PERSISTENT_RECORD makes no sense.");
 }
diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c
index b80be1a1..f41491b1 100644
--- a/utils/libdislocator/libdislocator.so.c
+++ b/utils/libdislocator/libdislocator.so.c
@@ -162,7 +162,7 @@ static u8 alloc_verbose, /* Additional debug messages */
 static _Atomic size_t total_mem; /* Currently allocated mem */
 static __thread u32 call_depth; /* To avoid recursion via fprintf() */
-static u32 alloc_canary;
+static u32 alloc_canary = ALLOC_CANARY;
 /* This is the main alloc function. It allocates one page more than necessary,
 sets that tailing page to PROT_NONE, and then increments the return address
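Review bot: In the re-indented fast-resume condition the Linux-only clause `|| (afl->fsrv.nyx_mode && target_hash == 0)` is redundant: `!target_hash` in the first group already rejects a zero hash in every mode, so the `#ifdef __linux__` / `#endif` pair inside the expression can go and the test collapses to `if (!target_hash || prev_target_hash != target_hash) {`. Removing it also takes out one of the preprocessor directives this hunk indents inside a statement, which are easy to misread as code. main continues well past this hunk on both sides.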
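Review bot: The extended guard only tests for the presence of `AFL_FRIDA_PERSISTENT_ADDR` and `AFL_QEMU_PERSISTENT_ADDR`, so an empty setting (`AFL_QEMU_PERSISTENT_ADDR=`) passes as "persistent mode configured" and switches off the sanity check while the FRIDA/QEMU side may well treat an empty address as unset; if the fuzzer already keeps parsed copies of these variables in `afl->afl_env`, those are the better source of truth, otherwise a non-empty check (`getenv(...)[0]`) is the minimum. Independently of that, the two names are spelled inline in `main` while the existing one comes from the `PERSIST_ENV_VAR` macro; defining them alongside it keeps the three persistent-mode knobs discoverable in one place.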
@@ -578,6 +578,13 @@ __attribute__((constructor)) void __dislocator_init(void) {
 }
+__attribute__((destructor)) void __dislocator_fini(void) {
+ alloc_canary = ALLOC_CANARY; // restore to default canary value
+ }
+
+
 /* NetBSD fault handler specific api subset */
 void (*esetfunc(void (*fn)(int, const char *, ...)))(int, const char *, ...) {
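Review bot: `__dislocator_fini` resets `alloc_canary` to `ALLOC_CANARY` while blocks allocated under a runtime-chosen canary may still be live; if `free()` compares the word stored in each block against `alloc_canary` — the name suggests so, but the check itself is outside this diff — any `free()` that runs after this destructor (other libraries' destructors, `atexit` handlers) would be compared against the default value and reported as a corrupted canary. Destructor ordering usually runs a preloaded library's destructor last, but nothing in this code guarantees that. The comment `// restore to default canary value` says what the line does, not why it is needed now that the earlier hunk already initialises the variable to `ALLOC_CANARY`; please add a sentence on which consumer relies on the reset at unload, or drop the destructor if none does.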