diff options
| -rwxr-xr-x | .custom-format.py | 2 | ||||
| -rw-r--r-- | GNUmakefile | 4 | ||||
| -rwxr-xr-x | afl-cmin | 37 | ||||
| -rwxr-xr-x | afl-cmin.bash | 4 | ||||
| -rw-r--r-- | docs/Changelog.md | 11 | ||||
| -rw-r--r-- | frida_mode/src/instrument/instrument_x64.c | 289 | ||||
| -rw-r--r-- | include/alloc-inl.h | 8 | ||||
| -rw-r--r-- | instrumentation/SanitizerCoverageLTO.so.cc | 2 | ||||
| -rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 40 | ||||
| -rw-r--r-- | instrumentation/split-compares-pass.so.cc | 19 | ||||
| -rw-r--r-- | qemu_mode/libqasan/dlmalloc.c | 2 | ||||
| -rw-r--r-- | src/afl-cc.c | 6 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 8 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 3 | ||||
| -rw-r--r-- | src/afl-showmap.c | 5 | ||||
| -rw-r--r-- | utils/afl_network_proxy/afl-network-server.c | 2 |
17 files changed, 326 insertions, 118 deletions
diff --git a/.custom-format.py b/.custom-format.py index 1d5c8839..3521c05d 100755 --- a/.custom-format.py +++ b/.custom-format.py @@ -24,7 +24,7 @@ import importlib.metadata # string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use -CURRENT_LLVM = os.getenv('LLVM_VERSION', 15) +CURRENT_LLVM = os.getenv('LLVM_VERSION', 16) CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "") diff --git a/GNUmakefile b/GNUmakefile index 55676d97..71011858 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -318,7 +318,7 @@ all: test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_bu @echo Build Summary: @test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler" @test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md" - @test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md" + @test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-13 and clang-13 or newer, see docs/INSTALL.md" @test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be built, it is optional, if you want it, please install LLVM and LLD 11+. More information at instrumentation/README.lto.md on how to build it" ifneq "$(SYS)" "Darwin" @test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this" @@ -740,7 +740,7 @@ endif @echo Build Summary: @test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler" @test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md" - @test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md" + @test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-13 and clang-13 or newer, see docs/INSTALL.md" @test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be built, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it" ifneq "$(SYS)" "Darwin" test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this" diff --git a/afl-cmin b/afl-cmin index de76caf8..d0bbed2b 100755 --- a/afl-cmin +++ b/afl-cmin @@ -318,7 +318,9 @@ BEGIN { if (!nyx_mode && target_bin && !exists_and_is_executable(target_bin)) { - "command -v "target_bin" 2>/dev/null" | getline tnew + cmd = "command -v "target_bin" 2>/dev/null" + cmd | getline tnew + close(cmd) if (!tnew || !exists_and_is_executable(tnew)) { print "[-] Error: binary '"target_bin"' not found or not executable." > "/dev/stderr" exit 1 @@ -330,6 +332,7 @@ BEGIN { echo "[!] Trying to obtain the map size of the target ..." get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin get_map_size | getline mapsize + close(get_map_size) if (mapsize && mapsize > 65535 && mapsize < 100000000) { AFL_MAP_SIZE = "AFL_MAP_SIZE="mapsize" " print "[+] Setting "AFL_MAP_SIZE @@ -359,14 +362,18 @@ BEGIN { system("rm -rf "trace_dir" 2>/dev/null"); system("rm "out_dir"/id[:_]* 2>/dev/null") - "ls "out_dir"/* 2>/dev/null | wc -l" | getline noofentries + cmd = "ls "out_dir"/* 2>/dev/null | wc -l" + cmd | getline noofentries + close(cmd) if (0 == system( "test -d "out_dir" -a "noofentries" -gt 0" )) { print "[-] Error: directory '"out_dir"' exists and is not empty - delete it first." > "/dev/stderr" exit 1 } if (threads) { - "nproc" | getline nproc + cmd = "nproc" + cmd | getline nproc + close(cmd) if (threads == "all") { threads = nproc } else { @@ -386,12 +393,14 @@ BEGIN { if (stdin_file) { # truncate input file printf "" > stdin_file - close( stdin_file ) + close(stdin_file) } # First we look in PATH if (0 == system("command -v afl-showmap >/dev/null 2>&1")) { - "command -v afl-showmap 2>/dev/null" | getline showmap + cmd = "command -v afl-showmap 2>/dev/null" + cmd | getline showmap + close(cmd) } else { # then we look in the current directory if (0 == system("test -x ./afl-showmap")) { @@ -413,7 +422,9 @@ BEGIN { # yuck, gnu stat is option incompatible to bsd stat # we use a heuristic to differentiate between # GNU stat and other stats - "stat --version 2>/dev/null" | getline statversion + cmd = "stat --version 2>/dev/null" + cmd | getline statversion + close(cmd) if (statversion ~ /GNU coreutils/) { stat_format = "-c '%s %n'" # GNU } else { @@ -432,6 +443,7 @@ BEGIN { infilesSmallToBigFullMap[infilesSmallToBigFull[i]] = infilesSmallToBig[i] i++ } + close(cmdline) in_count = i first_file = infilesSmallToBigFull[0] @@ -468,6 +480,7 @@ BEGIN { while ((getline < runtest) > 0) { ++first_count } + close(runtest) if (first_count) { print "[+] OK, "first_count" tuples recorded." @@ -513,7 +526,7 @@ BEGIN { if (threads > 1) { - print "[*] Creating " threads " parallel tasks with about " inputsperfile " each." + print "[*] Creating " threads " parallel tasks with about " inputsperfile " items each." for (i = 1; i <= threads; i++) { if (!stdin_file) { @@ -582,6 +595,15 @@ BEGIN { else { print " Processing file "cur"/"in_count } # create path for the trace file from afl-showmap tracefile_path = trace_dir"/"fn + # ensure the file size is not zero + cmd = "du -b "tracefile_path + "ls -l "tracefile_path + cmd | getline output + close(cmd) + split(output, result, "\t") + if (result[1] == 0) { + print "[!] WARNING: file "fn" is crashing the target, ignoring..." + } # gather all keys, and count them while ((getline line < tracefile_path) > 0) { key = line @@ -643,6 +665,7 @@ BEGIN { } } close(sortedKeys) + print "" print "[+] Found "tuple_count" unique tuples across "in_count" files." if (out_count == 1) { diff --git a/afl-cmin.bash b/afl-cmin.bash index dc6d5342..1d080491 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -479,7 +479,7 @@ else echo "[+] all $THREADS running tasks completed." rm -f ${TMPFILE}* - echo trace dir files: $(ls $TRACE_DIR/*|wc -l) + #echo trace dir files: $(ls $TRACE_DIR/*|wc -l) fi @@ -523,6 +523,8 @@ ls -rS "$IN_DIR" | while read -r fn; do sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list" + test -s "$TRACE_DIR/$fn" || echo Warning: $fn is ignored because of crashing the target + done echo diff --git a/docs/Changelog.md b/docs/Changelog.md index 4454456e..e6b90d3d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,6 +14,17 @@ command line tool! See custom_mutators/aflpp/standalone/ - display the state of the fuzzing run in the UI :-) - fix timeout setting if '+' is used or a session is restarted + - afl-cmin/afl-cmin.bash: + - fixed a bug inherited from vanilla AFL where a coverage of + map[123] = 11 would be the same as map[1123] = 1 + - warn on crashing inputs + - afl-cc: + - fixed an off-by-one instrumentation of iselect, hurting coverage a bit. + Thanks to @amykweon for spotting and fixing! + - @toka fixed a bug in laf-intel signed integer comparison splitting, + thanks a lot!! + - frida_mode: + - support for long form instrumentation on x86_x64 and arm64 ### Version ++4.07c (release) diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 8338f8e7..3983c3ba 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -58,6 +58,7 @@ typedef union { } jcc_insn; static GHashTable *coverage_blocks = NULL; +static GHashTable *coverage_blocks_long = NULL; gboolean instrument_is_coverage_optimize_supported(void) { @@ -127,6 +128,64 @@ typedef struct { } afl_log_code_asm_t; +typedef struct { + + // cur_location = (block_address >> 4) ^ (block_address << 8); + // shared_mem[cur_location ^ prev_location]++; + // prev_location = cur_location >> 1; + + // mov QWORD PTR [rsp-0x88],rax + // lahf + // mov QWORD PTR [rsp-0x90],rax + // mov QWORD PTR [rsp-0x98],rbx + + // mov rax, 0xXXXXXXXXXXXXXXXXX /* p_prev_loc */ + // mov eax, dword ptr [rax] /* prev_loc */ + // xor eax,0x3f77 /* cur_loc */ + + // mov rbx, 0xXXXXXXXXXXXXXXXXX /* map */ + // add rax,rbx + + // mov bl,BYTE PTR [rax] + // add bl,0x1 + // adc bl,0x0 + // mov BYTE PTR [rax],bl + + // mov rax, 0xXXXXXXXXXXXXXXXXX /* p_prev_loc */ + // mov dword ptr [rax], 0xXXXXXXXXX /* prev_loc */ + + // mov rbx,QWORD PTR [rsp-0x98] + // mov rax,QWORD PTR [rsp-0x90] + // sahf + // mov rax,QWORD PTR [rsp-0x88] + + uint8_t mov_rax_rsp_88[8]; + uint8_t lahf; + uint8_t mov_rax_rsp_90[8]; + uint8_t mov_rbx_rsp_98[8]; + + uint8_t mov_rax_prev_loc_ptr1[10]; + uint8_t mov_eax_prev_loc[2]; + uint8_t xor_eax_curr_loc[5]; + + uint8_t mov_rbx_map_ptr[10]; + uint8_t add_rax_rbx[3]; + + uint8_t mov_rbx_ptr_rax[2]; + uint8_t add_bl_1[3]; + uint8_t adc_bl_0[3]; + uint8_t mov_ptr_rax_rbx[2]; + + uint8_t mov_rax_prev_loc_ptr2[10]; + uint8_t mov_prev_loc_curr_loc_shr1[6]; + + uint8_t mov_rsp_98_rbx[8]; + uint8_t mov_rsp_90_rax[8]; + uint8_t sahf; + uint8_t mov_rsp_88_rax[8]; + +} afl_log_code_asm_long_t; + #pragma pack(pop) static const afl_log_code_asm_t template = @@ -158,6 +217,41 @@ static const afl_log_code_asm_t template = ; +static const afl_log_code_asm_long_t template_long = + { + + .mov_rax_rsp_88 = {0x48, 0x89, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + .lahf = 0x9f, + .mov_rax_rsp_90 = {0x48, 0x89, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .mov_rbx_rsp_98 = {0x48, 0x89, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, + + .mov_rax_prev_loc_ptr1 = {0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF}, + .mov_eax_prev_loc = {0x8b, 0x00}, + .xor_eax_curr_loc = {0x35}, + + .mov_rbx_map_ptr = {0x48, 0xBB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF}, + .add_rax_rbx = {0x48, 0x01, 0xd8}, + + .mov_rbx_ptr_rax = {0x8a, 0x18}, + .add_bl_1 = {0x80, 0xc3, 0x01}, + .adc_bl_0 = {0x80, 0xd3, 0x00}, + .mov_ptr_rax_rbx = {0x88, 0x18}, + + .mov_rax_prev_loc_ptr2 = {0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF}, + .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, + + .mov_rsp_98_rbx = {0x48, 0x8B, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, + .mov_rsp_90_rax = {0x48, 0x8B, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .sahf = 0x9e, + .mov_rsp_88_rax = {0x48, 0x8B, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + +} + +; + typedef union { afl_log_code_asm_t code; @@ -165,6 +259,13 @@ typedef union { } afl_log_code; +typedef union { + + afl_log_code_asm_long_t code; + uint8_t bytes[0]; + +} afl_log_code_long; + void instrument_coverage_optimize_init(void) { FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr); @@ -182,16 +283,19 @@ static void instrument_coverage_switch_insn(GumStalkerObserver *self, cs_x86 *x86; cs_x86_op *op; + bool is_short = false; + bool is_long = false; + if (from_insn == NULL) { return; } x86 = &from_insn->detail->x86; op = x86->operands; - if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { - - return; + is_short = g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target)); + is_long = + g_hash_table_contains(coverage_blocks_long, GSIZE_TO_POINTER(*target)); - } + if (!is_short && !is_long) { return; } switch (from_insn->id) { @@ -212,15 +316,41 @@ static void instrument_coverage_switch_insn(GumStalkerObserver *self, break; case X86_INS_RET: - instrument_cache_insert(start_address, - (guint8 *)*target + sizeof(afl_log_code)); + if (is_short) { + + instrument_cache_insert(start_address, + (guint8 *)*target + sizeof(afl_log_code)); + + } else if (is_long) { + + instrument_cache_insert(start_address, + (guint8 *)*target + sizeof(afl_log_code_long)); + + } else { + + FATAL("Something has gone wrong here!"); + + } + break; default: return; } - *target = (guint8 *)*target + sizeof(afl_log_code); + if (is_short) { + + *target = (guint8 *)*target + sizeof(afl_log_code); + + } else if (is_long) { + + *target = (guint8 *)*target + sizeof(afl_log_code_long); + + } else { + + FATAL("Something has gone wrong here!"); + + } } @@ -270,22 +400,22 @@ static void instrument_coverage_suppress_init(void) { } + coverage_blocks_long = g_hash_table_new(g_direct_hash, g_direct_equal); + if (coverage_blocks_long == NULL) { + + FATAL("Failed to g_hash_table_new, errno: %d", errno); + + } + } -static void instrument_coverage_write(GumAddress address, - GumStalkerOutput *output) { +bool instrument_write_inline(GumX86Writer *cw, GumAddress code_addr, + guint32 area_offset, guint32 area_offset_ror) { - afl_log_code code = {0}; - GumX86Writer *cw = output->writer.x86; - guint64 area_offset = instrument_get_offset_hash(address); - gsize map_size_pow2; - gsize area_offset_ror; - GumAddress code_addr = cw->pc; + afl_log_code code = {0}; code.code = template; - /* mov_prev_loc_curr_loc_shr1 */ - gssize prev_loc_value = GPOINTER_TO_SIZE(instrument_previous_pc_addr) - (code_addr + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + @@ -294,11 +424,7 @@ static void instrument_coverage_write(GumAddress address, offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(gint) - sizeof(guint32); - if (!instrument_coverage_in_range(prev_loc_value)) { - - FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value); - - } + if (!instrument_coverage_in_range(prev_loc_value)) { return false; } *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value; @@ -311,11 +437,7 @@ static void instrument_coverage_write(GumAddress address, gssize prev_loc_value_offset2 = offsetof(afl_log_code, code.mov_eax_prev_loc) + sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); - if (!instrument_coverage_in_range(prev_loc_value)) { - - FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value2); - - } + if (!instrument_coverage_in_range(prev_loc_value)) { return false; } *((gint *)&code.bytes[prev_loc_value_offset2]) = (gint)prev_loc_value2; @@ -338,12 +460,7 @@ static void instrument_coverage_write(GumAddress address, (code_addr + offsetof(afl_log_code, code.lea_rbx_area_ptr) + sizeof(code.code.lea_rbx_area_ptr))); - if (!instrument_coverage_in_range(lea_rbx_area_ptr_value)) { - - FATAL("Patch out of range (lea_rbx_area_ptr_value): 0x%016lX", - lea_rbx_area_ptr_value); - - } + if (!instrument_coverage_in_range(lea_rbx_area_ptr_value)) { return false; } *((guint32 *)&code.bytes[lea_rbx_area_ptr_offset]) = lea_rbx_area_ptr_value; @@ -353,12 +470,100 @@ static void instrument_coverage_write(GumAddress address, offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(guint32); - map_size_pow2 = util_log2(__afl_map_size); - area_offset_ror = util_rotate(area_offset, 1, map_size_pow2); - *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); + if (instrument_suppress) { + + if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } + + } + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + return true; + +} + +bool instrument_write_inline_long(GumX86Writer *cw, guint32 area_offset, + guint32 area_offset_ror) { + + afl_log_code_long code = {0}; + code.code = template_long; + + /* mov_rax_prev_loc_ptr1 */ + gssize mov_rax_prev_loc_ptr1_offset = + offsetof(afl_log_code_long, code.mov_rax_prev_loc_ptr1) + + sizeof(code.code.mov_rax_prev_loc_ptr1) - sizeof(gsize); + *((gsize *)&code.bytes[mov_rax_prev_loc_ptr1_offset]) = + GPOINTER_TO_SIZE(instrument_previous_pc_addr); + + /* xor_eax_curr_loc */ + gssize xor_eax_curr_loc_offset = + offsetof(afl_log_code_long, code.xor_eax_curr_loc) + + sizeof(code.code.xor_eax_curr_loc) - sizeof(guint32); + *((guint32 *)&code.bytes[xor_eax_curr_loc_offset]) = area_offset; + + /* mov_rbx_map_ptr */ + gsize mov_rbx_map_ptr_offset = + offsetof(afl_log_code_long, code.mov_rbx_map_ptr) + + sizeof(code.code.mov_rbx_map_ptr) - sizeof(gsize); + *((gsize *)&code.bytes[mov_rbx_map_ptr_offset]) = + GPOINTER_TO_SIZE(__afl_area_ptr); + + /* mov_rax_prev_loc_ptr2 */ + gssize mov_rax_prev_loc_ptr2_offset = + offsetof(afl_log_code_long, code.mov_rax_prev_loc_ptr2) + + sizeof(code.code.mov_rax_prev_loc_ptr2) - sizeof(gsize); + *((gsize *)&code.bytes[mov_rax_prev_loc_ptr2_offset]) = + GPOINTER_TO_SIZE(instrument_previous_pc_addr); + + /* mov_prev_loc_curr_loc_shr1 */ + gssize mov_prev_loc_curr_loc_shr1_offset = + offsetof(afl_log_code_long, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(guint32); + *((guint32 *)&code.bytes[mov_prev_loc_curr_loc_shr1_offset]) = + (guint32)(area_offset_ror); + + if (instrument_suppress) { + + if (!g_hash_table_add(coverage_blocks_long, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } + + } + + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code_long)); + return true; + +} + +static void instrument_coverage_write(GumAddress address, + GumStalkerOutput *output) { + + GumX86Writer *cw = output->writer.x86; + guint64 area_offset = (guint32)instrument_get_offset_hash(address); + gsize map_size_pow2; + guint32 area_offset_ror; + GumAddress code_addr = cw->pc; + + map_size_pow2 = util_log2(__afl_map_size); + area_offset_ror = (guint32)util_rotate(instrument_get_offset_hash(address), 1, + map_size_pow2); + + if (!instrument_write_inline(cw, code_addr, area_offset, area_offset_ror)) { + + if (!instrument_write_inline_long(cw, area_offset, area_offset_ror)) { + + FATAL("Failed to write inline instrumentation"); + + } + + } } @@ -380,17 +585,7 @@ void instrument_coverage_optimize(const cs_insn *instr, } - if (instrument_suppress) { - - instrument_coverage_suppress_init(); - - if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { - - FATAL("Failed - g_hash_table_add"); - - } - - } + if (instrument_suppress) { instrument_coverage_suppress_init(); } instrument_coverage_write(GUM_ADDRESS(instr->address), output); diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 1e9a192b..cff808b2 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -322,7 +322,7 @@ static inline void DFL_ck_free(void *mem) { static inline void *DFL_ck_realloc(void *orig, u32 size) { void *ret; - u32 old_size = 0; + u32 old_size = 0; if (!size) { @@ -392,7 +392,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { static inline u8 *DFL_ck_strdup(u8 *str) { void *ret; - u32 size; + u32 size; if (!str) return NULL; @@ -438,14 +438,14 @@ struct TRK_obj { void *ptr; char *file, *func; - u32 line; + u32 line; }; #ifdef AFL_MAIN struct TRK_obj *TRK[ALLOC_BUCKETS]; -u32 TRK_cnt[ALLOC_BUCKETS]; +u32 TRK_cnt[ALLOC_BUCKETS]; #define alloc_report() TRK_report() diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 2d17ffd4..d7b03634 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -331,7 +331,7 @@ llvmGetPassPluginInfo() { #if LLVM_VERSION_MAJOR <= 13 using OptimizationLevel = typename PassBuilder::OptimizationLevel; #endif -#if LLVM_VERSION_MAJOR >= 16 +#if LLVM_VERSION_MAJOR >= 15 PB.registerFullLinkTimeOptimizationLastEPCallback( #else PB.registerOptimizerLastEPCallback( diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index d87af775..7d614f43 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -225,10 +225,8 @@ llvmGetPassPluginInfo() { } -#if LLVM_VERSION_MAJOR == 1 PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M, ModuleAnalysisManager &MAM) { - ModuleSanitizerCoverageAFL ModuleSancov(Options); auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager(); auto DTCallback = [&FAM](Function &F) -> const DominatorTree *{ @@ -243,50 +241,12 @@ PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M, }; - if (!ModuleSancov.instrumentModule(M, DTCallback, PDTCallback)) - return PreservedAnalyses::all(); - - PreservedAnalyses PA = PreservedAnalyses::none(); - // GlobalsAA is considered stateless and does not get invalidated unless - // explicitly invalidated; PreservedAnalyses::none() is not enough. Sanitizers - // make changes that require GlobalsAA to be invalidated. - PA.abandon<GlobalsAA>(); - return PA; - -} - -#else - #if LLVM_VERSION_MAJOR >= 16 -PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M, - ModuleAnalysisManager &MAM) { - - #else -PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M, - ModuleAnalysisManager &MAM) { - - #endif - ModuleSanitizerCoverageAFL ModuleSancov(Options); - auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager(); - auto DTCallback = [&FAM](Function &F) -> const DominatorTree * { - - return &FAM.getResult<DominatorTreeAnalysis>(F); - - }; - - auto PDTCallback = [&FAM](Function &F) -> const PostDominatorTree * { - - return &FAM.getResult<PostDominatorTreeAnalysis>(F); - - }; - if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback)) return PreservedAnalyses::none(); return PreservedAnalyses::all(); } -#endif - std::pair<Value *, Value *> ModuleSanitizerCoverageAFL::CreateSecStartEnd( Module &M, const char *Section, Type *Ty) { diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index aec6758e..6eafb332 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -463,8 +463,12 @@ bool SplitComparesTransform::simplifyOrEqualsCompare(CmpInst *IcmpInst, #else ReplaceInstWithInst(IcmpInst->getParent()->getInstList(), ii, PN); #endif + if (new_pred == CmpInst::ICMP_SGT || new_pred == CmpInst::ICMP_SLT) { + + simplifySignedCompare(icmp_np, M, worklist); + + } - worklist.push_back(icmp_np); worklist.push_back(icmp_eq); return true; @@ -740,17 +744,24 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M, CmpInst *icmp_inv_cmp = nullptr; BasicBlock *inv_cmp_bb = BasicBlock::Create(C, "inv_cmp", end_bb->getParent(), end_bb); - if (pred == CmpInst::ICMP_UGT || pred == CmpInst::ICMP_SGT || - pred == CmpInst::ICMP_UGE || pred == CmpInst::ICMP_SGE) { + if (pred == CmpInst::ICMP_UGT) { icmp_inv_cmp = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, op0_high, op1_high); - } else { + } else if (pred == CmpInst::ICMP_ULT) { icmp_inv_cmp = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, op0_high, op1_high); + } else { + + // Never gonna appen + if (!be_quiet) + fprintf(stderr, + "Error: split-compare: Equals or signed not removed: %d\n", + pred); + } #if LLVM_MAJOR >= 16 diff --git a/qemu_mode/libqasan/dlmalloc.c b/qemu_mode/libqasan/dlmalloc.c index 5d0b65ce..b459eb7b 100644 --- a/qemu_mode/libqasan/dlmalloc.c +++ b/qemu_mode/libqasan/dlmalloc.c @@ -1762,7 +1762,7 @@ static FORCEINLINE void *win32direct_mmap(size_t size) { static FORCEINLINE int win32munmap(void *ptr, size_t size) { MEMORY_BASIC_INFORMATION minfo; - char *cptr = (char *)ptr; + char *cptr = (char *)ptr; while (size) { diff --git a/src/afl-cc.c b/src/afl-cc.c index 9e56828c..58d44e5d 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -383,9 +383,11 @@ static u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, have_o = 0, have_pic = 0, have_c = 0, partial_linking = 0, non_dash = 0; +#define MAX_PARAMS_NUM 2048 + static void process_params(u32 argc, char **argv) { - if (cc_par_cnt + argc >= 1024) { FATAL("Too many command line parameters"); } + if (cc_par_cnt + argc >= MAX_PARAMS_NUM) { FATAL("Too many command line parameters, please increase MAX_PARAMS_NUM."); } if (lto_mode && argc > 1) { @@ -679,7 +681,7 @@ static void process_params(u32 argc, char **argv) { static void edit_params(u32 argc, char **argv, char **envp) { - cc_params = ck_alloc(1024 * sizeof(u8 *)); + cc_params = ck_alloc(MAX_PARAMS_NUM * sizeof(u8 *)); if (lto_mode) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 13802f40..24fd7077 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1542,8 +1542,8 @@ double get_runnable_processes(void) { processes well. */ FILE *f = fopen("/proc/stat", "r"); - u8 tmp[1024]; - u32 val = 0; + u8 tmp[1024]; + u32 val = 0; if (!f) { return 0; } @@ -2226,7 +2226,7 @@ void check_crash_handling(void) { *BSD, so we can just let it slide for now. */ s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); - u8 fchar; + u8 fchar; if (fd < 0) { return; } @@ -2365,7 +2365,7 @@ void check_cpu_governor(afl_state_t *afl) { FATAL("Suboptimal CPU scaling governor"); #elif defined __APPLE__ - u64 min = 0, max = 0; + u64 min = 0, max = 0; size_t mlen = sizeof(min); if (afl->afl_env.afl_skip_cpufreq) return; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 389b82fc..4013370d 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -2350,6 +2350,8 @@ void show_init_stats(afl_state_t *afl) { afl->timeout_given = 1; + } else { + ACTF("-t option specified. We'll use an exec timeout of %u ms.", afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9eabfae1..79b05da7 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -164,7 +164,8 @@ static void usage(u8 *argv0, int more_help) { "\n" "Mutator settings:\n" - " -a - target expects ascii text input\n" + " -a - target expects ascii text input (prefer text " + "mutators)\n" " -g minlength - set min length of generated fuzz input (default: 1)\n" " -G maxlength - set max length of generated fuzz input (default: " "%lu)\n" diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9c029035..13867fda 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -243,7 +243,8 @@ static void analyze_results(afl_forkserver_t *fsrv) { total += fsrv->trace_bits[i]; if (fsrv->trace_bits[i] > highest) highest = fsrv->trace_bits[i]; - if (!coverage_map[i]) { coverage_map[i] = 1; } + // if (!coverage_map[i]) { coverage_map[i] = 1; } + coverage_map[i] |= fsrv->trace_bits[i]; } @@ -328,7 +329,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (cmin_mode) { - fprintf(f, "%u%u\n", fsrv->trace_bits[i], i); + fprintf(f, "%u%03u\n", i, fsrv->trace_bits[i]); } else { diff --git a/utils/afl_network_proxy/afl-network-server.c b/utils/afl_network_proxy/afl-network-server.c index 7eb3d18e..95b0a551 100644 --- a/utils/afl_network_proxy/afl-network-server.c +++ b/utils/afl_network_proxy/afl-network-server.c @@ -173,7 +173,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } out_file = alloc_printf("%s/.afl-input-temp-%u", use_dir, getpid()); - fsrv->out_file = out_file; + fsrv->out_file = out_file; } |