37 files changed, 433 insertions, 337 deletions
| diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 70c54f1c..8b4c6054 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -32,6 +32,9 @@ VERSION = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2 SYS = $(shell uname -s) +override LLVM_TOO_NEW_DEFAULT := 18 +override LLVM_TOO_OLD_DEFAULT := 13 + ifeq "$(SYS)" "OpenBSD" LLVM_CONFIG ?= $(BIN_PATH)/llvm-config HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1) 
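Review bot: `override` on the two new `LLVM_TOO_NEW_DEFAULT` / `LLVM_TOO_OLD_DEFAULT` assignments means a user cannot pass `make LLVM_TOO_NEW_DEFAULT=19` to try an LLVM outside the supported range; the file has to be edited instead. If that is the intent, a comment saying so would stop the next maintainer from dropping the keyword, e.g. `# Supported llvm-config major range; override keeps command-line assignments from widening it`. If it is not the intent, a plain `:=` (or `?=`) keeps these as defaults while still letting the command line win.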
@@ -39,24 +42,30 @@ ifeq "$(SYS)" "OpenBSD" $(warning llvm_mode needs a complete llvm installation (versions 6.0 up to 13) -> e.g. "pkg_add llvm-7.0.1p9") endif else - LLVM_CONFIG ?= llvm-config -endif - -LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' ) -LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' ) -LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' | sed 's/rc.*//' ) -LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-8]\.' && echo 1 || echo 0 ) -LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^19|^2[0-9]' && echo 1 || echo 0 ) -LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 ) -LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 ) -LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 ) -LLVM_13_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[3-9]' && echo 1 || echo 0 ) -LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[2-9]' && echo 1 || echo 0 ) -LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) -LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) -LLVM_STDCXX = gnu++11 -LLVM_APPLE_XCODE = $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) -LLVM_LTO = 0 + # Small function to use Bash to detect the latest available clang and clang++ binaries, if using them by that name fails + override _CLANG_VERSIONS_TO_TEST := $(patsubst %,-%,$(shell seq $(LLVM_TOO_NEW_DEFAULT) -1 $(LLVM_TOO_OLD_DEFAULT))) + detect_newest=$(shell for v in "" $(_CLANG_VERSIONS_TO_TEST); do test -n "$$(command -v -- $1$$v)" && { echo "$1$$v"; break; }; done) + LLVM_CONFIG ?= $(call detect_newest,llvm-config) +endif + +override LLVM_RAW_VER := $(shell 
$(LLVM_CONFIG) --version 2>/dev/null) +LLVMVER := $(subst svn,,$(subst git,,$(LLVM_RAW_VER))) +LLVM_MAJOR := $(firstword $(subst ., ,$(LLVMVER))) +LLVM_MINOR := $(firstword $(subst ., ,$(subst $(LLVM_MAJOR).,,$(LLVMVER)))) +LLVM_TOO_NEW := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TOO_NEW_DEFAULT) && echo 1 || echo 0) +LLVM_TOO_OLD := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TOO_OLD_DEFAULT) && echo 1 || echo 0) +LLVM_NEW_API := $(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0) +LLVM_NEWER_API := $(shell test $(LLVM_MAJOR) -ge 16 && echo 1 || echo 0) +LLVM_13_OK := $(shell test $(LLVM_MAJOR) -ge 13 && echo 1 || echo 0) +LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || echo 0) +LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) +LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) +LLVM_STDCXX := gnu++11 +LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) +LLVM_LTO := 0 +LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' && echo 1 || echo 0) +# Uncomment to see the values assigned above +# $(foreach var,LLVM_CONFIG LLVMVER LLVM_MAJOR LLVM_MINOR LLVM_TOO_NEW LLVM_TOO_OLD LLVM_TOO_NEW_DEFAULT LLVM_TOO_OLD_DEFAULT LLVM_NEW_API LLVM_NEWER_API LLVM_13_OK LLVM_HAVE_LTO LLVM_BINDIR LLVM_LIBDIR LLVM_STDCXX LLVM_APPLE_XCODE LLVM_LTO LLVM_UNSUPPORTED,$(warning $(var) = $($(var)))) ifeq "$(LLVMVER)" "" $(warning [!] llvm_mode needs llvm-config, which was not found. Set LLVM_CONFIG to its path and retry.) 
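Review bot: The six `test $(LLVM_MAJOR) -gt/-lt/-ge …` probes run with an empty first operand when no `llvm-config` is found, so `test` prints a missing-operand error on stderr at parse time, before the `[!] llvm_mode needs llvm-config` warning further down is reached; the `grep` probes they replace had `2>/dev/null` and were silent in that case. Guarding on the major version keeps them quiet (and skips the shell forks) when detection failed, e.g. `LLVM_TOO_NEW := $(if $(LLVM_MAJOR),$(shell test $(LLVM_MAJOR) -gt $(LLVM_TOO_NEW_DEFAULT) && echo 1 || echo 0),0)`, applied likewise to `LLVM_TOO_OLD`, `LLVM_NEW_API`, `LLVM_NEWER_API`, `LLVM_13_OK` and `LLVM_HAVE_LTO`. `detect_newest` also depends on `seq` being on PATH: if it is absent, `_CLANG_VERSIONS_TO_TEST` expands to nothing and only the bare `llvm-config` name is tried, which is worth stating in the comment above it so an empty `LLVM_CONFIG` is easier to diagnose.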
@@ -245,7 +254,7 @@ endif AFL_CLANG_FUSELD= ifeq "$(LLVM_LTO)" "1" - ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" + ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=$$(command -v ld) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_FUSELD=1 ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(AFL_REAL_LD) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_LDPATH=1 @@ -300,8 +309,8 @@ endif ifneq "$(LLVM_CONFIG)" "" CLANG_CFL += -I$(shell dirname $(LLVM_CONFIG))/../include endif -CLANG_CPPFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fno-exceptions -fPIC $(CXXFLAGS) $(CPPFLAGS) -Wno-deprecated-declarations -CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) +CLANG_CPPFL = $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fno-exceptions -fPIC $(CXXFLAGS) $(CPPFLAGS) -Wno-deprecated-declarations +CLANG_LFL = $$($(LLVM_CONFIG) --ldflags) $(LDFLAGS) # wasm fuzzing: disable thread-local storage and unset LLVM debug flag ifdef WAFL_MODE @@ -319,7 +328,7 @@ else endif ifeq "$(SYS)" "OpenBSD" - CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so + CLANG_LFL += $$($(LLVM_CONFIG) --libdir)/libLLVM.so CLANG_CPPFL += -mno-retpoline CFLAGS += -mno-retpoline # Needed for unwind symbols @@ -417,7 +426,7 @@ endif endif instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h - $(CXX) $(CFLAGS) $(CPPFLAGS) `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ + $(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ ./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps ifeq "$(LLVM_MIN_4_0_1)" "0" diff --git a/frida_mode/addr/addr.c b/frida_mode/addr/addr.c index 371f69d4..69a04b17 100644 
--- a/frida_mode/addr/addr.c +++ b/frida_mode/addr/addr.c @@ -6,34 +6,39 @@ #define UNUSED_PARAMETER(x) (void)(x) -int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) -{ - UNUSED_PARAMETER (size); +int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) { - ElfW(Addr) * base = data; + UNUSED_PARAMETER(size); + + ElfW(Addr) *base = data; + + if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } + return 0; - if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } - return 0; } -int main (int argc, char** argv, char** envp) { - UNUSED_PARAMETER (argc); +int main(int argc, char **argv, char **envp) { + + UNUSED_PARAMETER(argc); - ElfW(Addr) base = 0; + ElfW(Addr) base = 0; - int persona = personality(ADDR_NO_RANDOMIZE); - if (persona == -1) { + int persona = personality(ADDR_NO_RANDOMIZE); + if (persona == -1) { - printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); - return 1; - } + printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); + return 1; - if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } + } - dl_iterate_phdr(phdr_callback, &base); + if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } - printf("%p\n", (void *)base); - if (base == 0) { return 1; } + dl_iterate_phdr(phdr_callback, &base); + + printf("%p\n", (void *)base); + if (base == 0) { return 1; } + + return 0; - return 0; } + diff --git a/frida_mode/frida.map b/frida_mode/frida.map index a98c2096..90ea1421 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -45,6 +45,7 @@ js_api_set_stdout; js_api_set_traceable; js_api_set_verbose; + js_api_ijon_set; local: *; diff --git a/frida_mode/hook/qemu_hook.c b/frida_mode/hook/qemu_hook.c index 56e787e3..d7d45974 100644 --- a/frida_mode/hook/qemu_hook.c +++ b/frida_mode/hook/qemu_hook.c 
@@ -36,7 +36,7 @@ struct x86_64_regs { void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ memcpy((void *)regs->rdi, input_buf, input_buf_len); regs->rsi = input_buf_len; @@ -76,14 +76,15 @@ struct x86_regs { void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ void **esp = (void **)regs->esp; - void * arg1 = esp[1]; + void *arg1 = esp[1]; void **arg2 = &esp[2]; memcpy(arg1, input_buf, input_buf_len); *arg2 = (void *)input_buf_len; } + #elif defined(__aarch64__) struct arm64_regs { @@ -177,9 +178,10 @@ struct arm64_regs { void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ memcpy((void *)regs->x0, input_buf, input_buf_len); regs->x1 = input_buf_len; + } #else @@ -193,3 +195,4 @@ int afl_persistent_hook_init(void) { return 1; } + diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 1825e331..9287019a 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -22,6 +22,7 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; +extern void __afl_coverage_interesting(uint8_t, uint32_t); extern __thread guint64 *instrument_previous_pc_addr; @@ -72,5 +73,7 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output); void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data); void instrument_regs_format(int fd, char *format, ...); +void ijon_set(uint32_t edge); + #endif diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index db73d845..d30e21ec 100644 --- a/frida_mode/src/instrument/instrument.c 
+++ b/frida_mode/src/instrument/instrument.c @@ -449,3 +449,9 @@ void instrument_regs_format(int fd, char *format, ...) { } +void ijon_set(uint32_t edge) { + + __afl_coverage_interesting(1, edge); + +} + diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index a65d32df..9e2b15c5 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -326,6 +326,12 @@ class Afl { static jsApiGetSymbol(name) { return Afl.module.getExportByName(name); } + + static IJON = class { + static set(addr, val) { + Afl.jsApiIjonSet((addr ^ val) & 0xffffffff); + } + } } /** * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode @@ -377,3 +383,4 @@ Afl.jsApiSetVerbose = Afl.jsApiGetFunction("js_api_set_verbose", "void", []); Afl.jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); +Afl.jsApiIjonSet = Afl.jsApiGetFunction("js_api_ijon_set", "void", ["uint32"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 288aec95..274cd1bc 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -316,3 +316,9 @@ __attribute__((visibility("default"))) void js_api_set_verbose(void) { } +__attribute__((visibility("default"))) void js_api_ijon_set(uint32_t edge) { + + ijon_set(edge); + +} + diff --git a/frida_mode/test/cache/cache.c b/frida_mode/test/cache/cache.c index b4102205..6ee8bf01 100644 --- a/frida_mode/test/cache/cache.c +++ b/frida_mode/test/cache/cache.c 
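Review bot: `ijon_set` is added without a comment, and the literal `1` passed as the first argument to `__afl_coverage_interesting` is unexplained here; `instrument.h` only declares that function with unnamed parameters, so a reader has nothing to go on. A short header comment would do, e.g. `/* IJON-style feedback entry point used by the JS API: records `edge` via the AFL runtime's __afl_coverage_interesting(); the leading 1 is the value stored for it -- confirm against the runtime definition. */`. The same applies to the `js_api_ijon_set` wrapper in `js_api.c`, which could carry a one-liner pointing here.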
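Review bot: `Afl.IJON.set` computes `(addr ^ val) & 0xffffffff`, but JavaScript bitwise operators yield a signed 32-bit result and `& 0xffffffff` (which is `-1` as Int32) does not change that, so any value with bit 31 set reaches a NativeFunction declared with a `uint32` argument as a negative number; whether Frida rejects or wraps it, the intent is clearer as `Afl.jsApiIjonSet((addr ^ val) >>> 0);`. If callers are expected to pass a `NativePointer` as `addr` (the name suggests it), the xor coerces it through ToPrimitive/ToNumber first, which is not obviously what is wanted; converting explicitly (`addr.toInt32()` then `>>> 0`) or documenting that `addr` must be a number would settle it. The new nested class also lacks the `/** … */` doc block the rest of `Afl` carries, e.g. `/** IJON-style feedback: combine a site identifier and a state value into one 32-bit edge and report it to the runtime. */`.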
@@ -6,46 +6,45 @@ void LLVMFuzzerTestOneInput(char *buf, int len); -__asm__ ( - "LLVMFuzzerTestOneInput:\n" - ".func LLVMFuzzerTestOneInput\n" - ".global LLVMFuzzerTestOneInput\n" - " jmpq *jmp_offset(%rip)\n" - " nop\n" - " nop\n" - "call_target:\n" - " ret\n" - " nop\n" - " nop\n" - "jmp_target:\n" - " callq *call_offset(%rip)\n" - " nop\n" - " nop\n" - " leaq rax_offset(%rip), %rax\n" - " jmp (%rax)\n" - " nop\n" - " ud2\n" - " nop\n" - "rax_target:\n" - " ret\n" - "\n" - "\n" - ".global jmp_offset\n" - ".p2align 3\n" - "jmp_offset:\n" - " .quad jmp_target\n" - "call_offset:\n" - " .quad call_target\n" - "rax_offset:\n" - " .quad rax_target\n" -); +__asm__( + "LLVMFuzzerTestOneInput:\n" + ".func LLVMFuzzerTestOneInput\n" + ".global LLVMFuzzerTestOneInput\n" + " jmpq *jmp_offset(%rip)\n" + " nop\n" + " nop\n" + "call_target:\n" + " ret\n" + " nop\n" + " nop\n" + "jmp_target:\n" + " callq *call_offset(%rip)\n" + " nop\n" + " nop\n" + " leaq rax_offset(%rip), %rax\n" + " jmp (%rax)\n" + " nop\n" + " ud2\n" + " nop\n" + "rax_target:\n" + " ret\n" + "\n" + "\n" + ".global jmp_offset\n" + ".p2align 3\n" + "jmp_offset:\n" + " .quad jmp_target\n" + "call_offset:\n" + " .quad call_target\n" + "rax_offset:\n" + " .quad rax_target\n"); int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/cmov/cmov.c b/frida_mode/test/cmov/cmov.c index 08c7c132..97f2fb7f 100644 --- a/frida_mode/test/cmov/cmov.c +++ b/frida_mode/test/cmov/cmov.c @@ -6,8 +6,8 @@ static bool cmov_test(char *x, char *y, size_t len) { - register char * __rdi __asm__("rdi") = x; - register char * __rsi __asm__("rsi") = y; + register char *__rdi __asm__("rdi") = x; + register char *__rsi __asm__("rsi") = y; register size_t __rcx __asm__("rcx") = len; register long __rax __asm__("rax"); 
@@ -49,10 +49,10 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/deferred/testinstr.c b/frida_mode/test/deferred/testinstr.c index 4e5124ed..2bd1d718 100644 --- a/frida_mode/test/deferred/testinstr.c +++ b/frida_mode/test/deferred/testinstr.c @@ -41,7 +41,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; @@ -51,6 +51,7 @@ int run(char *file) { fd = open(file, O_RDONLY); if (fd < 0) { + perror("open"); break; @@ -110,8 +111,10 @@ void slow() { } -TESTINSTR_SECTION int do_run(char * file) { +TESTINSTR_SECTION int do_run(char *file) { + return run(file); + } int main(int argc, char **argv) { diff --git a/frida_mode/test/dynamic/testinstr.c b/frida_mode/test/dynamic/testinstr.c index 0abc61fd..55bf579e 100644 --- a/frida_mode/test/dynamic/testinstr.c +++ b/frida_mode/test/dynamic/testinstr.c @@ -19,32 +19,40 @@ typedef void (*fntestinstrlib)(char *buf, int len); void testinstr(char *buf, int len) { + void *lib = dlopen("testinstrlib.so", RTLD_NOW); if (lib == NULL) { + puts("Library not found"); abort(); + } fntestinstrlib fn = (fntestinstrlib)(dlsym(lib, "testinstrlib")); if (fn == NULL) { + puts("Function not found"); abort(); + } fn(buf, len); + } int main(int argc, char **argv) { - char * file; + + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; if (argc != 2) { return 1; } do { + file = argv[1]; printf("file: %s\n", file); 
@@ -52,33 +60,43 @@ int main(int argc, char **argv) { fd = open(file, O_RDONLY); if (fd < 0) { + perror("open"); break; + } len = lseek(fd, 0, SEEK_END); if (len < 0) { + perror("lseek (SEEK_END)"); break; + } if (lseek(fd, 0, SEEK_SET) != 0) { + perror("lseek (SEEK_SET)"); break; + } printf("len: %ld\n", len); buf = malloc(len); if (buf == NULL) { + perror("malloc"); break; + } n_read = read(fd, buf, len); if (n_read != len) { + perror("read"); break; + } dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); @@ -95,4 +113,6 @@ int main(int argc, char **argv) { if (fd != -1) { close(fd); } return result; + } + diff --git a/frida_mode/test/dynamic/testinstrlib.c b/frida_mode/test/dynamic/testinstrlib.c index 987cbf91..85e2c837 100644 --- a/frida_mode/test/dynamic/testinstrlib.c +++ b/frida_mode/test/dynamic/testinstrlib.c @@ -1,6 +1,7 @@ #include <stdio.h> void testinstrlib(char *buf, int len) { + if (len < 1) return; buf[len] = 0; @@ -11,4 +12,6 @@ void testinstrlib(char *buf, int len) { printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } + diff --git a/frida_mode/test/entry_point/testinstr.c b/frida_mode/test/entry_point/testinstr.c index 75e71bda..5fe17165 100644 --- a/frida_mode/test/entry_point/testinstr.c +++ b/frida_mode/test/entry_point/testinstr.c @@ -41,7 +41,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/exe/testinstr.c b/frida_mode/test/exe/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/exe/testinstr.c +++ b/frida_mode/test/exe/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/js/test.c b/frida_mode/test/js/test.c index 9799bf3b..e233f13a 100644 
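Review bot: `perror("read")` in the new short-read branch prints errno, which `read()` only sets on a -1 return; when it returns fewer bytes than `len` (possible for non-regular files, or if the file shrinks between the `lseek` and the `read`) the message is stale, typically `read: Success`. Since `n_read` is a `size_t`, the -1 case is folded into the same comparison, so the two outcomes should be told apart: `if (n_read == (size_t)-1) { perror("read"); break; }` followed by `if (n_read != (size_t)len) { fprintf(stderr, "read: short read\n"); break; }`. The other `perror` calls added in this hunk (`open`, `lseek`, `malloc`) sit on genuine -1/NULL returns and are fine.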
--- a/frida_mode/test/js/test.c +++ b/frida_mode/test/js/test.c @@ -35,7 +35,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/js/test2.c b/frida_mode/test/js/test2.c index 60b30eb5..c3557bbf 100644 --- a/frida_mode/test/js/test2.c +++ b/frida_mode/test/js/test2.c 
@@ -22,60 +22,60 @@ #define IGNORED_RETURN(x) (void)!(x) const uint32_t crc32_tab[] = { - 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, - 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, - 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, - 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, - 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, - 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, - 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, - 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, - 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, - 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, - 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, - 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, - 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, - 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, - 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, - 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, - 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, - 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, - 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, - 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, - 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, - 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, - 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, - 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, - 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, - 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 
0x67dd4acc, - 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, - 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, - 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, - 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, - 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, - 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, - 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, - 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, - 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, - 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, - 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, - 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, - 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, - 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, - 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, - 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, - 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d -}; - -uint32_t -crc32(const void *buf, size_t size) -{ - const uint8_t *p = buf; - uint32_t crc; - crc = ~0U; - while (size--) - crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); - return crc ^ ~0U; + + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, + 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, + 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, + 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, + 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, + 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, + 0xdbbbc9d6, 0xacbcf940, 
0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, + 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, + 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, + 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, + 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, + 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, + 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, + 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, + 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, + 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, + 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, + 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, + 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, + 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, + 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, + 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, + 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, + 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, + 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, + 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, + 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, + 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, + 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, + 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, + 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, + 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, + 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, + 0x92d28e9b, 0xe5d5be0d, 
0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, + 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, + 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, + 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, + 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, + 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, + 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, + 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}; + +uint32_t crc32(const void *buf, size_t size) { + + const uint8_t *p = buf; + uint32_t crc; + crc = ~0U; + while (size--) + crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; + } /* @@ -83,11 +83,13 @@ crc32(const void *buf, size_t size) * FRIDA to patch this function out and always return success. Otherwise, we * could change it to actually correct the checksum. */ -int crc32_check (char * buf, int len) { +int crc32_check(char *buf, int len) { + if (len < sizeof(uint32_t)) { return 0; } uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)]; uint32_t calculated = crc32(buf, len - sizeof(uint32_t)); return expected == calculated; + } /* 
@@ -97,27 +99,31 @@ int crc32_check (char * buf, int len) { * cloud your output unnecessarily. Again, we can use FRIDA to patch it out. */ void some_boring_bug(char c) { + switch (c) { - case 'A'...'Z': - case 'a'...'z': + + case 'A' ... 'Z': + case 'a' ... 'z': __builtin_trap(); break; + } + } extern void some_boring_bug2(char c); -__asm__ ( - ".text \n" - "some_boring_bug2: \n" - ".global some_boring_bug2 \n" - ".type some_boring_bug2, @function \n" - "mov %edi, %eax \n" - "cmp $0xb4, %al \n" - "jne ok \n" - "ud2 \n" - "ok: \n" - "ret \n"); +__asm__( + ".text \n" + "some_boring_bug2: \n" + ".global some_boring_bug2 \n" + ".type some_boring_bug2, @function \n" + "mov %edi, %eax \n" + "cmp $0xb4, %al \n" + "jne ok \n" + "ud2 \n" + "ok: \n" + "ret \n"); void LLVMFuzzerTestOneInput(char *buf, int len) { @@ -127,16 +133,20 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { some_boring_bug2(buf[0]); if (buf[0] == '0') { + printf("Looks like a zero to me!\n"); - } - else if (buf[0] == '1') { + + } else if (buf[0] == '1') { + printf("Pretty sure that is a one!\n"); - } - else if (buf[0] == '2') { + + } else if (buf[0] == '2') { + printf("Oh we, weren't expecting that!"); __builtin_trap(); - } - else + + } else + printf("Neither one or zero? How quaint!\n"); } @@ -145,7 +155,7 @@ int main(int argc, char **argv) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; @@ -173,5 +183,6 @@ int main(int argc, char **argv) { printf("Done: %s: (%zd bytes)\n", argv[1], n_read); return 0; + } diff --git a/frida_mode/test/osx-lib/harness.c b/frida_mode/test/osx-lib/harness.c index 3d427b4a..186cfcee 100644 --- a/frida_mode/test/osx-lib/harness.c +++ b/frida_mode/test/osx-lib/harness.c 
@@ -4,66 +4,68 @@ #include <stdlib.h> #include <dlfcn.h> - -//typedef for our exported target function. +// typedef for our exported target function. typedef void (*CRASHME)(const uint8_t *Data, size_t Size); -//globals +// globals CRASHME fpn_crashme = NULL; +int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + + fpn_crashme(data, size); + return 0; -int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - fpn_crashme(data, size); - return 0; } -int main(int argc, const char * argv[]) -{ - - for (int i = 1; i < argc; i++) { - fprintf(stderr, "Running: %s\n", argv[i]); - FILE *f = fopen(argv[i], "r"); - assert(f); - fseek(f, 0, SEEK_END); - size_t len = ftell(f); - fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); - fclose(f); - assert(n_read == len); - LLVMFuzzerTestOneInput(buf, len); - free(buf); - fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); - } - - return 0; +int main(int argc, const char *argv[]) { + + for (int i = 1; i < argc; i++) { + + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + + } + + return 0; + } -__attribute__((constructor())) -void constructor(void) { - // handles to required libs - void *dylib = NULL; +__attribute__((constructor())) void constructor(void) { + + // handles to required libs + void *dylib = NULL; - dylib = dlopen("./libcrashme.dylib", RTLD_NOW); - if (dylib == NULL) - { + dylib = dlopen("./libcrashme.dylib", RTLD_NOW); + if (dylib == NULL) { - printf("[-] Failed to load lib\n"); - printf("[-] Dlerror: %s\n", dlerror()); - exit(1); + printf("[-] Failed to load 
lib\n"); + printf("[-] Dlerror: %s\n", dlerror()); + exit(1); - } + } - printf("[+] Resolve function\n"); + printf("[+] Resolve function\n"); - fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); - if (!fpn_crashme) - { + fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); + if (!fpn_crashme) { - printf("[-] Failed to find function\n"); - exit(1); + printf("[-] Failed to find function\n"); + exit(1); - } + } + + printf("[+] Found function.\n"); - printf("[+] Found function.\n"); } + diff --git a/frida_mode/test/osx-lib/harness2.c b/frida_mode/test/osx-lib/harness2.c index 464614ee..ed0b85d8 100644 --- a/frida_mode/test/osx-lib/harness2.c +++ b/frida_mode/test/osx-lib/harness2.c 
@@ -4,66 +4,68 @@ #include <stdlib.h> #include <dlfcn.h> - -//typedef for our exported target function. +// typedef for our exported target function. typedef void (*CRASHME)(const uint8_t *Data, size_t Size); -//globals +// globals CRASHME fpn_crashme = NULL; +int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + + fpn_crashme(data, size); + return 0; -int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - fpn_crashme(data, size); - return 0; } -int main(int argc, const char * argv[]) -{ - - for (int i = 1; i < argc; i++) { - fprintf(stderr, "Running: %s\n", argv[i]); - FILE *f = fopen(argv[i], "r"); - assert(f); - fseek(f, 0, SEEK_END); - size_t len = ftell(f); - fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); - fclose(f); - assert(n_read == len); - LLVMFuzzerTestOneInput(buf, len); - free(buf); - fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); - } - - return 0; +int main(int argc, const char *argv[]) { + + for (int i = 1; i < argc; i++) { + + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + + } + + return 0; + } -__attribute__((constructor())) -void constructor(void) { - // handles to required libs - void *dylib = NULL; +__attribute__((constructor())) void constructor(void) { + + // handles to required libs + void *dylib = NULL; - dylib = dlopen("./libcrashme2.dylib", RTLD_NOW); - if (dylib == NULL) - { + dylib = dlopen("./libcrashme2.dylib", RTLD_NOW); + if (dylib == NULL) { - printf("[-] Failed to load lib\n"); - printf("[-] Dlerror: %s\n", dlerror()); - exit(1); + printf("[-] Failed to load 
lib\n"); + printf("[-] Dlerror: %s\n", dlerror()); + exit(1); - } + } - printf("[+] Resolve function\n"); + printf("[+] Resolve function\n"); - fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); - if (!fpn_crashme) - { + fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); + if (!fpn_crashme) { - printf("[-] Failed to find function\n"); - exit(1); + printf("[-] Failed to find function\n"); + exit(1); - } + } + + printf("[+] Found function.\n"); - printf("[+] Found function.\n"); } + diff --git a/frida_mode/test/osx-lib/harness3.c b/frida_mode/test/osx-lib/harness3.c index 83983c99..ae24db33 100644 --- a/frida_mode/test/osx-lib/harness3.c +++ b/frida_mode/test/osx-lib/harness3.c 
@@ -4,37 +4,42 @@ #include <stdlib.h> #include <dlfcn.h> - extern void crashme(const uint8_t *Data, size_t Size); -int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - crashme(data, size); - return 0; +int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + + crashme(data, size); + return 0; + } -void run (int argc, const char * argv[]) -{ - for (int i = 1; i < argc; i++) { - fprintf(stderr, "Running: %s\n", argv[i]); - FILE *f = fopen(argv[i], "r"); - assert(f); - fseek(f, 0, SEEK_END); - size_t len = ftell(f); - fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); - fclose(f); - assert(n_read == len); - LLVMFuzzerTestOneInput(buf, len); - free(buf); - fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); - } +void run(int argc, const char *argv[]) { + + for (int i = 1; i < argc; i++) { + + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + + } + } -int main(int argc, const char * argv[]) -{ +int main(int argc, const char *argv[]) { - run(argc, argv); + run(argc, argv); + + return 0; - return 0; } + diff --git a/frida_mode/test/osx-lib/lib.c b/frida_mode/test/osx-lib/lib.c index b2dad098..84ceb9da 100644 --- a/frida_mode/test/osx-lib/lib.c +++ b/frida_mode/test/osx-lib/lib.c @@ -2,7 +2,6 @@ #include <stdlib.h> #include <stdint.h> - void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Size < 5) return; @@ -13,5 +12,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Data[3] == '$') if (Data[4] == '$') abort(); - } + 
diff --git a/frida_mode/test/osx-lib/lib2.c b/frida_mode/test/osx-lib/lib2.c index ba207210..a84ee6f2 100644 --- a/frida_mode/test/osx-lib/lib2.c +++ b/frida_mode/test/osx-lib/lib2.c @@ -3,7 +3,6 @@ #include <stdint.h> #include <string.h> - void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Size < 1) return; @@ -56,6 +55,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { } - } diff --git a/frida_mode/test/output/testinstr.c b/frida_mode/test/output/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/output/testinstr.c +++ b/frida_mode/test/output/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/perf/perf.c b/frida_mode/test/perf/perf.c index 55efba26..596d1bd3 100644 --- a/frida_mode/test/perf/perf.c +++ b/frida_mode/test/perf/perf.c @@ -20,22 +20,32 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { int ret = 0; for (int i = 0; i < 1000; i++) { - switch(buf[i]) { - case 'A': ret += 2; break; - case '1': ret += 3; break; - default: ret++; + + switch (buf[i]) { + + case 'A': + ret += 2; + break; + case '1': + ret += 3; + break; + default: + ret++; + } + } + printf("ret: %d\n", ret); } int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c index 85aa2b80..aa28d953 100644 --- a/frida_mode/test/persistent_ret/testinstr.c +++ b/frida_mode/test/persistent_ret/testinstr.c @@ -18,7 +18,7 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { - printf (">>> LLVMFuzzerTestOneInput >>>\n"); + printf(">>> LLVMFuzzerTestOneInput >>>\n"); if (len < 1) return; buf[len] = 0; 
@@ -40,10 +40,10 @@ void slow() { int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/testinstr/testinstr.c b/frida_mode/test/testinstr/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/testinstr/testinstr.c +++ b/frida_mode/test/testinstr/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/unstable/unstable.c b/frida_mode/test/unstable/unstable.c index 16978e7e..98198578 100644 --- a/frida_mode/test/unstable/unstable.c +++ b/frida_mode/test/unstable/unstable.c @@ -22,7 +22,7 @@ #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) #endif -void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { +void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 1) return; @@ -30,9 +30,13 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { if (gettimeofday(&tv, NULL) < 0) return; if ((tv.tv_usec % 2) == 0) { - printf ("Hooray all even\n"); + + printf("Hooray all even\n"); + } else { - printf ("Hmm that's odd\n"); + + printf("Hmm that's odd\n"); + } // we support three input cases 
@@ -45,26 +49,33 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } -void run_test(char * file) { +void run_test(char *file) { + fprintf(stderr, "Running: %s\n", file); FILE *f = fopen(file, "r"); assert(f); fseek(f, 0, SEEK_END); size_t len = ftell(f); fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); fclose(f); assert(n_read == len); LLVMFuzzerTestOneInput(buf, len); free(buf); fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read); + } int main(int argc, char **argv) { + srand(1); fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); for (int i = 1; i < argc; i++) { + run_test(argv[i]); + } + } + diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 83aa9486..372b9f5a 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -2725,7 +2725,7 @@ void __afl_coverage_skip() { // mark this area as especially interesting void __afl_coverage_interesting(u8 val, u32 id) { - __afl_area_ptr[id] = val; + __afl_area_ptr[id % __afl_map_size] = val; } diff --git a/qemu_mode/hooking_bridge/README.md b/qemu_mode/hooking_bridge/README.md index ae8e62e4..c6276305 100644 --- a/qemu_mode/hooking_bridge/README.md +++ b/qemu_mode/hooking_bridge/README.md 
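Review bot: `__afl_area_ptr[id % __afl_map_size] = val;` keeps the store inside the map, but an out-of-range id is now silently folded onto another entry, so it can alias a real edge and skew coverage with no signal to the caller, and nothing in the hunk says that wrap-around is the intended contract. If `__afl_map_size` can still be 0 when this is called (not visible here), the modulo is a division by zero. I would document the aliasing, `// ids >= map size wrap around and alias other entries`, and guard the zero case, `if (!__afl_map_size) return;`, or reject out-of-range ids outright if aliasing is not wanted.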
@@ -22,7 +22,7 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three
 return &to_ret;
 }
 ```
- i. Hook functions must be named as `hook_<left padded hook location>`. Here, `<left padded hook location>` means `<hook location>` left padded with 0's to until the `(system word length)/4` number of hex characters, e.g. 16 on a 64 bit machine. The unpaded part of `<hook location>` is the absolute address where you want to place the hook. It is basically the file base address (which does not change in QEMU as of now) plus the instruction offset where the hooks is to be placed. The hook function must return a `struct ret *`, which is touched upon later.
+ i. Hook functions must be named as `hook_<left padded hook location>`. Here, `<left padded hook location>` means `<hook location>` left padded with 0's to until 16 hex characters. The unpaded part of `<hook location>` is the absolute address where you want to place the hook. It is basically the file base address (which does not change in QEMU as of now) plus the instruction offset where the hooks is to be placed. The hook function must return a `struct ret *`, which is touched upon later.
 ii. Most likely you will need to access memory or registers in the hook. So we provide four functions
 ```C
@@ -77,11 +77,6 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three
 ## Running with hooks
 Set `QEMU_PLUGIN="file=<AFL download path>qemu_mode/hooking_bridge/build/plugin.so,arg=<your hook .so>"` before running AFL++ in QEMU mode. Note `<your hook .so>` is the absolute path to your hooks library.
-## Contributing
-* If you want to enable debugging
- * Compile with an additional `DEBUG=1` switch.
- * Akin to QEMU's own documentation, set `QEMU_LOG=plugin QEMU_LOG_FILENAME=<your plugin log path>` before you run.
-
 ## Current limitations
 1. Cannot be used to debug (-g option) when using the bridge as it uses the gdbstub internally. This is not a problem if used with AFL++, so not such a big issue.
 2. Cannot put a hook on the first block after `<entry point>`. Not typically a hookable location.
diff --git a/src/afl-common.c b/src/afl-common.c
index efdb5d60..04a984cb 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -979,6 +979,7 @@ inline u64 get_cur_time(void) {
 struct timeval tv;
 struct timezone tz;
+ // TO NOT REPLACE WITH clock_gettime!!!
 gettimeofday(&tv, &tz);
 return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
@@ -992,6 +993,7 @@ inline u64 get_cur_time_us(void) {
 struct timeval tv;
 struct timezone tz;
+ // TO NOT REPLACE WITH clock_gettime!!!
 gettimeofday(&tv, &tz);
 return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index cec91f76..6366f473 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -241,6 +241,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
 fsrv->mem_limit = MEM_LIMIT;
 fsrv->out_file = NULL;
 fsrv->child_kill_signal = SIGKILL;
+ fsrv->max_length = MAX_FILE;
 /* exec related stuff */
 fsrv->child_pid = -1;
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 55b6be04..da996602 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
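Review bot: The comment added before `gettimeofday(&tv, &tz);` reads `// TO NOT REPLACE WITH clock_gettime!!!`; it is presumably meant as "DO NOT", and it states a prohibition without the reason, so the next maintainer cannot judge whether it still applies when the surrounding code changes. Suggest `// DO NOT replace with clock_gettime(): <reason recorded here>` with the actual motivation filled in (whatever it was — wall-clock vs monotonic semantics, a platform issue — is not visible from the hunk). The same comment is added in the get_cur_time_us hunk just below and should be fixed there too. Both functions begin and end outside their hunks.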
@@ -455,13 +455,13 @@ void deunicode_extras(afl_state_t *afl) {
 case 2:
 if (!afl->extras[i].data[j]) { ++z3; }
- // fall through
+ __attribute__((fallthrough));
 case 0:
 if (!afl->extras[i].data[j]) { ++z1; }
 break;
 case 3:
 if (!afl->extras[i].data[j]) { ++z4; }
- // fall through
+ __attribute__((fallthrough));
 case 1:
 if (!afl->extras[i].data[j]) { ++z2; }
 break;
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 98de26dd..4f366b0d 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2717,7 +2717,11 @@ void fix_up_sync(afl_state_t *afl) {
 }
- if (strlen(afl->sync_id) > 32) { FATAL("Fuzzer ID too long"); }
+ if (strlen(afl->sync_id) > 50) {
+
+ FATAL("sync_id max length is 50 characters");
+
+ }
 x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 8a84d447..9867eba3 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1610,17 +1610,7 @@ int main(int argc, char **argv_orig, char **envp) {
 #endif
- if (afl->sync_id) {
-
- if (strlen(afl->sync_id) > 50) {
-
- FATAL("sync_id max length is 50 characters");
-
- }
-
- fix_up_sync(afl);
-
- }
+ if (afl->sync_id) { fix_up_sync(afl); }
 if (!strcmp(afl->in_dir, afl->out_dir)) {
@@ -2815,7 +2805,7 @@ int main(int argc, char **argv_orig, char **envp) {
 // (void)nice(-20); // does not improve the speed
 #ifdef INTROSPECTION
- u32 prev_saved_crashes = 0, prev_saved_tmouts = 0;
+ u32 prev_saved_crashes = 0, prev_saved_tmouts = 0, stat_prev_queued_items = 0;
 #endif
 u32 prev_queued_items = 0, runs_in_current_cycle = (u32)-1;
 u8 skipped_fuzz;
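Review bot: `__attribute__((fallthrough));` is a GNU/Clang extension, so a compiler that predates it (GCC before 7, or a non-GNU toolchain) will at best warn about an ignored attribute and with -Werror will fail, whereas the `// fall through` comment it replaces in both places was harmless everywhere. If the project's minimum supported compiler is not known to accept it, define a single FALLTHROUGH macro that expands to the attribute under `__has_attribute(fallthrough)` and to nothing otherwise, and use that macro at both sites in this hunk. The body of deunicode_extras begins and ends outside the hunk.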
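Review bot: The new length check in fix_up_sync hard-codes 50 twice, in the comparison and in the FATAL text, and since the afl-fuzz.c hunk below removes the duplicate check from main this is now the only place the limit lives; a named constant keeps the message and the check from drifting apart again, e.g. `if (strlen(afl->sync_id) > SYNC_ID_MAX_LEN) { FATAL("sync_id max length is %u characters", SYNC_ID_MAX_LEN); }` with `SYNC_ID_MAX_LEN` defined once alongside the other limits. Only the length is validated before `alloc_printf("%s/%s", afl->out_dir, afl->sync_id)` turns the id into a path component; if nothing elsewhere rejects separators, a sync_id containing `/` or `..` resolves outside out_dir, which is acceptable for an operator-supplied flag but deserves a one-line comment stating that assumption. fix_up_sync starts before the hunk.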
@@ -3132,10 +3122,11 @@ int main(int argc, char **argv_orig, char **envp) {
 } else {
- if (unlikely(afl->queued_items > prev_queued_items)) {
+ if (unlikely(afl->queued_items > stat_prev_queued_items)) {
- afl->queue_cur->stats_finds += afl->queued_items - prev_queued_items;
- prev_queued_items = afl->queued_items;
+ afl->queue_cur->stats_finds +=
+ afl->queued_items - stat_prev_queued_items;
+ stat_prev_queued_items = afl->queued_items;
 }
diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh
index 8c8b0ad3..3f0a96ba 100755
--- a/test/test-custom-mutators.sh
+++ b/test/test-custom-mutators.sh
@@ -38,7 +38,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS
 # Run afl-fuzz w/ the C mutator
 $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds"
 {
- AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1
+ AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1
 } >>errors 2>&1
 # Check results
@@ -58,7 +58,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS
 # Run afl-fuzz w/ multiple C mutators
 $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 10 seconds"
 {
- AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1
+ AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1
 } >>errors 2>&1
 test -n "$( ls out/default/crashes/id:000000* 2>/dev/null )" && {
 # TODO: update here
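Review bot: `stat_prev_queued_items` is declared inside the `#ifdef INTROSPECTION` block in the hunk at line 2805 above, but nothing in this hunk shows the `else` branch being guarded the same way; if it is not, a build without INTROSPECTION fails on an undeclared identifier. Either move the declaration next to `prev_queued_items` outside the #ifdef (it tracks the same queue counter, just on a per-entry basis) or confirm that this whole branch sits inside an INTROSPECTION block. A short comment on why the per-entry counter had to be split from `prev_queued_items`, `// separate from prev_queued_items, which the cycle loop resets`, would save the next reader the archaeology. main begins and ends outside the hunk.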
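Review bot: The `-V07` to `-V20` change in all three afl-fuzz invocations (the two hunks here and the Python one at line 88) roughly triples the fuzzing budget, but the `$ECHO` lines directly above each run still promise "this will take approx 10 seconds"; update them, e.g. `this will take approx 20 seconds`, so the message matches what the test now does. A one-line comment next to the first invocation recording why the budget grew (presumably the old 7 s was not reliably finding the crash) would stop someone from lowering it again.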
@@ -88,7 +88,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && {
 {
 export PYTHONPATH=${CUSTOM_MUTATOR_PATH}
 export AFL_PYTHON_MODULE=example
- AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1
+ AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1
 unset PYTHONPATH
 unset AFL_PYTHON_MODULE
 } >>errors 2>&1
diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py
index a83e7000..4219c6ab 100644
--- a/unicorn_mode/helper_scripts/unicorn_loader.py
+++ b/unicorn_mode/helper_scripts/unicorn_loader.py
@@ -90,7 +90,7 @@ class UnicornSimpleHeap(object):
 _chunks_freed = [] # List of all freed chunks
 _debug_print = False # True to print debug information
- def __init__(self, uc, debug_print=Falseļ¼ uaf_check=False):
+ def __init__(self, uc, debug_print=False, uaf_check=False):
 self._uc = uc
 self._debug_print = debug_print
diff --git a/unicorn_mode/samples/c/sample_all.sh b/unicorn_mode/samples/c/sample_all.sh
index 01daf365..3bb396e7 100644
--- a/unicorn_mode/samples/c/sample_all.sh
+++ b/unicorn_mode/samples/c/sample_all.sh
@@ -12,7 +12,7 @@ fi
-if [ ! test -e $DIR/harness]; then
+if [ ! -e $DIR/harness ]; then
 echo "[!] harness not found in $DIR"
 exit 1
-fi
\ No newline at end of file
+fi
|
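Review bot: `if [ ! -e $DIR/harness ]; then` fixes the broken `! test` form but leaves `$DIR` unquoted, so a directory containing whitespace splits into several words and `[` reports a syntax error instead of performing the check; quote it, `if [ ! -e "$DIR/harness" ]; then`. The `echo` on the next line already has `$DIR` inside double quotes and is fine. The hunk also restores the missing trailing newline, which is welcome.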
