diff options
| -rwxr-xr-x | afl-whatsup | 357 | ||||
| -rw-r--r-- | docs/Changelog.md | 2 | ||||
| -rw-r--r-- | docs/fuzzing_in_depth.md | 4 | ||||
| -rw-r--r-- | frida_mode/src/instrument/instrument_arm64.c | 12 | ||||
| -rw-r--r-- | frida_mode/test/png/GNUmakefile | 2 | ||||
| -rwxr-xr-x | frida_mode/util/frida_get_symbol_addr.sh | 3 | ||||
| -rw-r--r-- | src/afl-cc.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 3 |
8 files changed, 211 insertions, 174 deletions
diff --git a/afl-whatsup b/afl-whatsup index d28c46fe..fad4c3d3 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -46,7 +46,7 @@ unset RESET if [ -z "$TERM" ]; then export TERM=vt220; fi while [ "$1" = "-d" -o "$1" = "-m" -o "$1" = "-n" -o "$1" = "-s" ]; do - + if [ "$1" = "-d" ]; then PROCESS_DEAD=1 fi @@ -62,15 +62,15 @@ while [ "$1" = "-d" -o "$1" = "-m" -o "$1" = "-n" -o "$1" = "-s" ]; do if [ "$1" = "-s" ]; then SUMMARY_ONLY=1 fi - + shift - + done DIR="$1" if [ "$DIR" = "" -o "$DIR" = "-h" -o "$DIR" = "--help" ]; then - + echo "$0 status check tool for afl-fuzz by Michal Zalewski" 1>&2 echo 1>&2 echo "Usage: $0 [-d] [-m] [-n] [-s] afl_output_directory" 1>&2 @@ -82,7 +82,7 @@ if [ "$DIR" = "" -o "$DIR" = "-h" -o "$DIR" = "--help" ]; then echo " -s - skip details and output summary results only" 1>&2 echo 1>&2 exit 1 - + fi if [ -z "$MINIMAL_ONLY" ]; then @@ -93,10 +93,10 @@ fi cd "$DIR" || exit 1 if [ -d queue ]; then - + echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2 exit 1 - + fi BC=`which bc 2>/dev/null` @@ -135,11 +135,11 @@ FMT_CRASH="none seen yet" FMT_HANG="none seen yet" if [ "$SUMMARY_ONLY" = "" ]; then - + echo "Individual fuzzers" echo "==================" echo - + fi fmt_duration() @@ -148,22 +148,22 @@ fmt_duration() if [ $1 -le 0 ]; then return 1 fi - + local duration=$((CUR_TIME - $1)) local days=$((duration / 60 / 60 / 24)) local hours=$(((duration / 60 / 60) % 24)) local minutes=$(((duration / 60) % 60)) local seconds=$((duration % 60)) - + if [ $duration -le 0 ]; then DUR_STRING="0 seconds" - elif [ $duration -eq 1 ]; then + elif [ $duration -eq 1 ]; then DUR_STRING="1 second" - elif [ $days -gt 0 ]; then + elif [ $days -gt 0 ]; then DUR_STRING="$days days, $hours hours" - elif [ $hours -gt 0 ]; then + elif [ $hours -gt 0 ]; then DUR_STRING="$hours hours, $minutes minutes" - elif [ $minutes -gt 0 ]; then + elif [ $minutes -gt 0 ]; then DUR_STRING="$minutes minutes, $seconds seconds" else DUR_STRING="$seconds seconds" @@ -174,168 +174,187 @@ FIRST=true TOTAL_WCOP= TOTAL_LAST_FIND=0 -for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do - - sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" - . "$TMP" - DIR=$(dirname "$i") - DIRECTORY=$DIR - DIR=${DIR##*/} - RUN_UNIX=$run_time - RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24)) - RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24)) - COVERAGE=$(echo $bitmap_cvg|tr -d %) - if [ -n "$TOTAL_COVERAGE" -a -n "$COVERAGE" -a -n "$BC" ]; then - if [ "$(echo "$TOTAL_COVERAGE < $COVERAGE" | bc)" -eq 1 ]; then - TOTAL_COVERAGE=$COVERAGE - fi - fi - if [ -z "$TOTAL_COVERAGE" ]; then TOTAL_COVERAGE=$COVERAGE ; fi - - test -n "$cycles_wo_finds" && { - test -z "$FIRST" && TOTAL_WCOP="${TOTAL_WCOP}/" - TOTAL_WCOP="${TOTAL_WCOP}${cycles_wo_finds}" - FIRST= - } - - if [ "$SUMMARY_ONLY" = "" ]; then - - echo ">>> $afl_banner instance: $DIR ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<" - echo - - fi - - if ! kill -0 "$fuzzer_pid" 2>/dev/null; then - - IS_STARTING= - IS_DEAD= - - if [ -e "$i" ] && [ -e "$DIRECTORY/fuzzer_setup" ] && [ -n "$FUSER" ]; then - - if [ "$i" -ot "$DIRECTORY/fuzzer_setup" ]; then - - # fuzzer_setup is newer than fuzzer_stats, maybe the instance is starting? - TMP_PID=`fuser -v "$DIRECTORY" 2>&1 | grep afl-fuzz` - - if [ -n "$TMP_PID" ]; then - - if [ "$SUMMARY_ONLY" = "" ]; then - - echo " Instance is still starting up, skipping." - echo - - fi - - START_CNT=$((START_CNT + 1)) - last_find=0 - IS_STARTING=1 - - if [ "$PROCESS_DEAD" = "" ]; then - - continue - - fi - - fi - +for j in `find . -maxdepth 2 -iname fuzzer_setup | sort`; do + + DIR=$(dirname "$j") + i=$DIR/fuzzer_stats + + if [ -f "$i" ]; then + + sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" + . "$TMP" + DIRECTORY=$DIR + DIR=${DIR##*/} + RUN_UNIX=$run_time + RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24)) + RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24)) + COVERAGE=$(echo $bitmap_cvg|tr -d %) + if [ -n "$TOTAL_COVERAGE" -a -n "$COVERAGE" -a -n "$BC" ]; then + if [ "$(echo "$TOTAL_COVERAGE < $COVERAGE" | bc)" -eq 1 ]; then + TOTAL_COVERAGE=$COVERAGE fi - fi - - if [ -z "$IS_STARTING" ]; then - - if [ "$SUMMARY_ONLY" = "" ]; then - - echo " Instance is dead or running remotely, skipping." - echo - + if [ -z "$TOTAL_COVERAGE" ]; then TOTAL_COVERAGE=$COVERAGE ; fi + + test -n "$cycles_wo_finds" && { + test -z "$FIRST" && TOTAL_WCOP="${TOTAL_WCOP}/" + TOTAL_WCOP="${TOTAL_WCOP}${cycles_wo_finds}" + FIRST= + } + + if [ "$SUMMARY_ONLY" = "" ]; then + + echo ">>> $afl_banner instance: $DIR ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<" + echo + + fi + + if ! kill -0 "$fuzzer_pid" 2>/dev/null; then + + IS_STARTING= + IS_DEAD= + + if [ -e "$i" ] && [ -e "$j" ] && [ -n "$FUSER" ]; then + + if [ "$i" -ot "$j" ]; then + + # fuzzer_setup is newer than fuzzer_stats, maybe the instance is starting? + TMP_PID=`fuser -v "$DIRECTORY" 2>&1 | grep afl-fuzz` + + if [ -n "$TMP_PID" ]; then + + if [ "$SUMMARY_ONLY" = "" ]; then + + echo " Instance is still starting up, skipping." + echo + + fi + + START_CNT=$((START_CNT + 1)) + last_find=0 + IS_STARTING=1 + + if [ "$PROCESS_DEAD" = "" ]; then + + continue + + fi + + fi + + fi + fi - - DEAD_CNT=$((DEAD_CNT + 1)) - IS_DEAD=1 - last_find=0 - - if [ "$PROCESS_DEAD" = "" ]; then - - continue - + + if [ -z "$IS_STARTING" ]; then + + if [ "$SUMMARY_ONLY" = "" ]; then + + echo " Instance is dead or running remotely, skipping." + echo + + fi + + DEAD_CNT=$((DEAD_CNT + 1)) + IS_DEAD=1 + last_find=0 + + if [ "$PROCESS_DEAD" = "" ]; then + + continue + + fi + fi - + fi - - fi - - ALIVE_CNT=$((ALIVE_CNT + 1)) - - EXEC_SEC=0 - test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX)) - PATH_PERC=$((cur_item * 100 / corpus_count)) - - TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX)) - TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC)) - TOTAL_EXECS=$((TOTAL_EXECS + execs_done)) - TOTAL_CRASHES=$((TOTAL_CRASHES + saved_crashes)) - TOTAL_HANGS=$((TOTAL_HANGS + saved_hangs)) - TOTAL_PENDING=$((TOTAL_PENDING + pending_total)) - TOTAL_PFAV=$((TOTAL_PFAV + pending_favs)) - - if [ "$last_find" -gt "$TOTAL_LAST_FIND" ]; then - TOTAL_LAST_FIND=$last_find - fi - - if [ "$SUMMARY_ONLY" = "" ]; then - - # Warnings in red - TIMEOUT_PERC=$((exec_timeout * 100 / execs_done)) - if [ $TIMEOUT_PERC -ge 10 ]; then - echo " ${RED}timeout_ratio $TIMEOUT_PERC%${NC}" - fi - - if [ $EXEC_SEC -eq 0 ]; then - echo " ${YELLOW}no data yet, 0 execs/sec${NC}" - elif [ $EXEC_SEC -lt 100 ]; then - echo " ${RED}slow execution, $EXEC_SEC execs/sec${NC}" + + ALIVE_CNT=$((ALIVE_CNT + 1)) + + EXEC_SEC=0 + test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX)) + PATH_PERC=$((cur_item * 100 / corpus_count)) + + TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX)) + TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC)) + TOTAL_EXECS=$((TOTAL_EXECS + execs_done)) + TOTAL_CRASHES=$((TOTAL_CRASHES + saved_crashes)) + TOTAL_HANGS=$((TOTAL_HANGS + saved_hangs)) + TOTAL_PENDING=$((TOTAL_PENDING + pending_total)) + TOTAL_PFAV=$((TOTAL_PFAV + pending_favs)) + + if [ "$last_find" -gt "$TOTAL_LAST_FIND" ]; then + TOTAL_LAST_FIND=$last_find fi - - fmt_duration $last_find && FMT_FIND=$DUR_STRING - fmt_duration $last_crash && FMT_CRASH=$DUR_STRING - fmt_duration $last_hang && FMT_HANG=$DUR_STRING - FMT_CWOP="not available" - test -n "$cycles_wo_finds" && { - test "$cycles_wo_finds" = 0 && FMT_CWOP="$cycles_wo_finds" - test "$cycles_wo_finds" -gt 10 && FMT_CWOP="${YELLOW}$cycles_wo_finds${NC}" - test "$cycles_wo_finds" -gt 50 && FMT_CWOP="${RED}$cycles_wo_finds${NC}" - } - - echo " last_find : $FMT_FIND" - echo " last_crash : $FMT_CRASH" - if [ -z "$MINIMAL_ONLY" ]; then - echo " last_hang : $FMT_HANG" - echo " cycles_wo_finds : $FMT_CWOP" + + if [ "$SUMMARY_ONLY" = "" ]; then + + # Warnings in red + TIMEOUT_PERC=$((exec_timeout * 100 / execs_done)) + if [ $TIMEOUT_PERC -ge 10 ]; then + echo " ${RED}timeout_ratio $TIMEOUT_PERC%${NC}" + fi + + if [ $EXEC_SEC -eq 0 ]; then + echo " ${YELLOW}no data yet, 0 execs/sec${NC}" + elif [ $EXEC_SEC -lt 100 ]; then + echo " ${RED}slow execution, $EXEC_SEC execs/sec${NC}" + fi + + fmt_duration $last_find && FMT_FIND=$DUR_STRING + fmt_duration $last_crash && FMT_CRASH=$DUR_STRING + fmt_duration $last_hang && FMT_HANG=$DUR_STRING + FMT_CWOP="not available" + test -n "$cycles_wo_finds" && { + test "$cycles_wo_finds" = 0 && FMT_CWOP="$cycles_wo_finds" + test "$cycles_wo_finds" -gt 10 && FMT_CWOP="${YELLOW}$cycles_wo_finds${NC}" + test "$cycles_wo_finds" -gt 50 && FMT_CWOP="${RED}$cycles_wo_finds${NC}" + } + + echo " last_find : $FMT_FIND" + echo " last_crash : $FMT_CRASH" + if [ -z "$MINIMAL_ONLY" ]; then + echo " last_hang : $FMT_HANG" + echo " cycles_wo_finds : $FMT_CWOP" + fi + echo " coverage : $COVERAGE%" + + if [ -z "$MINIMAL_ONLY" ]; then + + CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}') + MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}') + + echo " cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%" + + fi + + echo " cycles $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, items $cur_item/$corpus_count (${PATH_PERC}%)" + + if [ "$saved_crashes" = "0" ]; then + echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet" + else + echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crashes saved $saved_crashes (!)" + fi + + echo + fi - echo " coverage : $COVERAGE%" - if [ -z "$MINIMAL_ONLY" ]; then - - CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}') - MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}') - - echo " cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%" - - fi + else - echo " cycles $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, items $cur_item/$corpus_count (${PATH_PERC}%)" + if [ ! -e "$i" -a -e "$j" ]; then - if [ "$saved_crashes" = "0" ]; then - echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet" - else - echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crashes saved $saved_crashes (!)" + if [ '!' "$PROCESS_DEAD" = "" ]; then + ALIVE_CNT=$((ALIVE_CNT + 1)) + fi + START_CNT=$((START_CNT + 1)) + last_find=0 + IS_STARTING=1 + fi - echo - fi - + done # Formatting for total time, time since last find, crash, and hang @@ -346,7 +365,7 @@ EXECS_MILLION=$((TOTAL_EXECS / 1000 / 1000)) EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000)) if [ $EXECS_MILLION -gt 9 ]; then FMT_EXECS="$EXECS_MILLION millions" -elif [ $EXECS_MILLION -gt 0 ]; then + elif [ $EXECS_MILLION -gt 0 ]; then FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands" else FMT_EXECS="$EXECS_THOUSAND thousands" @@ -363,14 +382,14 @@ fmt_duration $TOTAL_LAST_FIND && TOTAL_LAST_FIND=$DUR_STRING test "$TOTAL_TIME" = "0" && TOTAL_TIME=1 if [ "$PROCESS_DEAD" = "" ]; then - + TXT="excluded from stats" - + else - + TXT="included in stats" ALIVE_CNT=$(($ALIVE_CNT - $DEAD_CNT - $START_CNT)) - + fi echo "Summary stats" diff --git a/docs/Changelog.md b/docs/Changelog.md index 87c01f21..8d9a0aa8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,6 +14,8 @@ - now also shows coverage reached - option -m shows only very relevant stats - option -n will not use color in the output + - frida_mode: + - fixes support for large map offsets - added benchmark/benchmark.sh if you want to see how good your fuzzing speed is in comparison to other setups. diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index f75ca5dc..5a5acbb2 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -616,7 +616,7 @@ For every secondary fuzzer there should be a variation, e.g.: be one of them! (Although this is not really recommended.) All other secondaries should be used like this: -* a quarter to a third with the MOpt mutator enabled: `-L 0` +* 10-20% with the MOpt mutator enabled: `-L 0` * run with a different power schedule, recommended are: `fast` (default), `explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with the `-p` option, e.g., `-p explore`. See the @@ -940,7 +940,7 @@ too long for your overall available fuzz run time. * 65% for `AFL_DISABLE_TRIM` * 50% for `AFL_KEEP_TIMEOUTS` * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` + `AFL_LLVM_DICT2FILE_NO_MAIN=1` - * 40% use MOpt (`-L 0`) + * 10% use MOpt (`-L 0`) * 40% for `AFL_EXPAND_HAVOC_NOW` * 20% for old queue processing (`-Z`) * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT` diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 2256f941..a0c66697 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -402,6 +402,18 @@ bool instrument_write_inline(GumArm64Writer *cw, GumAddress code_addr, } + /* + * The mov instruction supports up to a 16-bit offset. If our offset is out of + * range, then it can end up clobbering the op-code portion of the instruction + * rather than just the operands. So return false and fall back to the + * alternative instrumentation. + */ + if (area_offset > UINT16_MAX) { + + return false; + + } + code.code.mov_x0_curr_loc |= area_offset << 5; if (!instrument_patch_ardp( diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile index 408b7dcb..eccc66f6 100644 --- a/frida_mode/test/png/GNUmakefile +++ b/frida_mode/test/png/GNUmakefile @@ -8,7 +8,7 @@ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/ LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.13.tar.gz -LIBZ_URL:=http://www.zlib.net/zlib-1.2.13.tar.gz +LIBZ_URL:=http://www.zlib.net/fossils/zlib-1.2.13.tar.gz LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.13/ LIBZ_PC:=$(LIBZ_DIR)zlib.pc LIBZ_LIB:=$(LIBZ_DIR)libz.a diff --git a/frida_mode/util/frida_get_symbol_addr.sh b/frida_mode/util/frida_get_symbol_addr.sh index fb0002b7..2e682255 100755 --- a/frida_mode/util/frida_get_symbol_addr.sh +++ b/frida_mode/util/frida_get_symbol_addr.sh @@ -31,12 +31,13 @@ file=$(file $target|sed 's/.*: //') arch=$(echo $file|awk -F, '{print$2}'|tr -d ' ') bits=$(echo $file|sed 's/-bit .*//'|sed 's/.* //') pie=$(echo $file|grep -wqi pie && echo pie) +dso=$(echo $file|grep -wqi "shared object" && echo dso) test $(uname -s) = "Darwin" && symbol=_"$symbol" tmp_addr=$(nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F) test -z "$tmp_addr" && { echo Error: function $symbol not found 1>&2; exit 1; } -test -z "$pie" && { echo 0x$tmp_addr; exit 0; } +test -z "$pie" && test -z "$dso" && { echo 0x$tmp_addr; exit 0; } test -z "$base" && { test "$bits" = 32 -o "$bits" = 64 || { echo "Error: could not identify arch (bits=$bits)" 1>&2 ; exit 1; } diff --git a/src/afl-cc.c b/src/afl-cc.c index 86b81459..12707007 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -317,7 +317,7 @@ void parse_fsanitize(char *string) { char *p, *ptr = string + strlen("-fsanitize="); char *new = malloc(strlen(string) + 1); - char *tmp = malloc(strlen(ptr)); + char *tmp = malloc(strlen(ptr) + 1); u32 count = 0, len, ende = 0; if (!new || !tmp) { FATAL("could not acquire memory"); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 08960ac6..90c255e3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -176,6 +176,7 @@ static void usage(u8 *argv0, int more_help) { " pacemaker mode (minutes of no new finds). 0 = " "immediately,\n" " -1 = immediately and together with normal mutation.\n" + " Note: this option is usually not very effective\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" " if using QEMU/FRIDA or the fuzzing target is " @@ -265,6 +266,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" "AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time\n" + "AFL_EXIT_ON_SEED_ISSUES: exit on any kind of seed issues\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60\n" " minutes and a cycle without finds)\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" @@ -331,6 +333,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n" " suported formats: dogstatsd, librato, signalfx, influxdb\n" "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n" + "AFL_FINAL_SYNC: sync a final time when exiting (will delay the exit!)\n" "AFL_NO_CRASH_README: do not create a README in the crashes directory\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" |