-rw-r--r-- | docs/Changelog.md | 2 | ||||
-rw-r--r-- | instrumentation/SanitizerCoverageLTO.so.cc | 6 | ||||
-rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 11 | ||||
-rw-r--r-- | src/afl-forkserver.c | 7 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 16 | ||||
-rw-r--r-- | src/afl-fuzz-run.c | 7 | ||||
-rw-r--r-- | src/afl-fuzz-stats.c | 8 | ||||
-rw-r--r-- | src/afl-fuzz.c | 28 |
8 files changed, 62 insertions, 23 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7043202f..3800a718 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,6 +15,7 @@
       function after the target has been restarted.
     - because of bad math and undefined behaviour fixes we have to change the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS**
+    - fixed custom_post_process for calibration
   - frida_mode:
     - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just a function entry
@@ -28,6 +29,7 @@
   - custom mutators:
     - custom_send_tcp custom mutator added, thanks to @dergoegge
   - afl-cc
+    - fix to support pointless changes in LLVM 20
     - new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with AFL_LLVM_INSTRUMENT=CLASSIC
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 63ea71c1..6ec84dcd 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -50,7 +50,11 @@
 #include "llvm/Support/SpecialCaseList.h"
 #include "llvm/Support/VirtualFileSystem.h"
 #include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/Instrumentation.h"
+#if LLVM_VERSION_MAJOR < 20
+  #include "llvm/Transforms/Instrumentation.h"
+#else
+  #include "llvm/Transforms/Utils/Instrumentation.h"
+#endif
 #if LLVM_VERSION_MAJOR < 17
   #include "llvm/Transforms/IPO/PassManagerBuilder.h"
 #endif
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 49fe904b..859b4e7b 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -63,11 +63,16 @@
 #if LLVM_VERSION_MAJOR < 15
   #include "llvm/Support/raw_ostream.h"
 #endif
-#if LLVM_VERSION_MAJOR < 17
-  #include "llvm/Transforms/Instrumentation.h"
+#if LLVM_VERSION_MAJOR < 20
+  #if LLVM_VERSION_MAJOR < 17
+    #include "llvm/Transforms/Instrumentation.h"
+  #else
+    #include "llvm/TargetParser/Triple.h"
+  #endif
 #else
-  #include "llvm/TargetParser/Triple.h"
+  #include "llvm/Transforms/Utils/Instrumentation.h"
 #endif
+
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
 #include "llvm/Transforms/Utils/ModuleUtils.h"
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index ae3c7ccc..51299009 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -536,12 +536,15 @@ static void report_error_and_exit(int error) {
 #ifdef __linux__
 void nyx_load_target_hash(afl_forkserver_t *fsrv) {
+
   void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path);
-  fsrv->nyx_target_hash64 = fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config);
+  fsrv->nyx_target_hash64 =
+      fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config);
   fsrv->nyx_handlers->nyx_config_free(nyx_config);
+
 }
-#endif
+#endif
 
 /* Spins up fork server. The idea is explained here:
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 9eaa661d..a9397232 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
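Review bot: The rewritten include ladder in SanitizerCoveragePCGUARD.so.cc no longer pulls in `llvm/TargetParser/Triple.h` for LLVM 20 and later: the old `#else` branch included it for every version from 17 up, while the new nesting includes it only when `17 <= LLVM_VERSION_MAJOR < 20`, and the `>= 20` branch holds only `Utils/Instrumentation.h`. If this translation unit names `llvm::Triple` directly (the pass's module-instrumentation path presumably does, verify), the LLVM 20 build now rests on a transitive include, which is the kind of dependency the header reshuffle this commit works around tends to break. Proposed: lift the Triple include out of the version ladder, `#if LLVM_VERSION_MAJOR >= 17` / `  #include "llvm/TargetParser/Triple.h"` / `#endif`, and keep only the Instrumentation.h choice inside the `< 20` test.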
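Review bot: `nyx_load_target_hash` hands the result of `nyx_config_load()` straight to `nyx_get_target_hash64()` and `nyx_config_free()` with no check; the reformatting makes these the new lines but adds no guard. The hash it stores is what the FAST RESUME path later compares to decide the target binary is unchanged, so if the loader can return NULL on a missing or unreadable config (verify against the libnyx API) the failure should be loud rather than a NULL dereference or a stale hash: `if (unlikely(!nyx_config)) { FATAL("Unable to load Nyx config from '%s'", fsrv->target_path); }` after the load, plus a one-line comment above the function, `/* target hash feeds the FAST RESUME integrity check in afl-fuzz.c */`. The function is also called from both write_setup_file and the fast-resume branch, each call loading and freeing the config; caching the hash after the first load would avoid the second parse.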
@@ -1237,19 +1237,26 @@ void perform_dry_run(afl_state_t *afl) {
           u8 crash_log_fn[PATH_MAX];
           snprintf(crash_log_fn, PATH_MAX, "%s.log", crash_fn);
-          fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
-          if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_log_fn); }
+          fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL,
+                    DEFAULT_PERMISSION);
+          if (unlikely(fd < 0)) {
+
+            PFATAL("Unable to create '%s'", crash_log_fn);
+
+          }
           u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(
               afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string,
               afl->fsrv.nyx_aux_string_len);
-          ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, crash_log_fn);
+          ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len,
+                   crash_log_fn);
           close(fd);
         }
+
 #endif
-
+
         afl->last_crash_time = get_cur_time();
         afl->last_crash_execs = afl->fsrv.total_execs;
@@ -2905,6 +2912,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
             afl->fsrv.target_path);
       }
+
 #endif
   if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) ||
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 4ce17eb2..a3787e5c 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -487,6 +487,10 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
   }
+  u8 saved_afl_post_process_keep_original =
+      afl->afl_env.afl_post_process_keep_original;
+  afl->afl_env.afl_post_process_keep_original = 1;
+
   /* we need a dummy run if this is LTO + cmplog */
   if (unlikely(afl->shm.cmplog_mode)) {
@@ -661,6 +665,9 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 abort_calibration:
+  afl->afl_env.afl_post_process_keep_original =
+      saved_afl_post_process_keep_original;
+
   if (new_bits == 2 && !q->has_new_cov) {
     q->has_new_cov = 1;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index b1a84cb6..a7465330 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
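Review bot: `ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, crash_log_fn)` uses the length returned by `nyx_get_aux_string()` as the byte count to copy out of `afl->fsrv.nyx_aux_string`, whose capacity is the `afl->fsrv.nyx_aux_string_len` passed in the same call, and nothing in the hunk bounds the returned value by that capacity. If the libnyx contract guarantees the return is at most the capacity this is fine, but a one-line clamp keeps an over-long return from reading past the buffer into the crash log: `if (unlikely(nyx_aux_string_len > afl->fsrv.nyx_aux_string_len)) { nyx_aux_string_len = afl->fsrv.nyx_aux_string_len; }`. Creating the `.log` with `O_EXCL` is the right choice, since an output directory being resumed may already hold one. perform_dry_run begins and ends outside this hunk.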
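Review bot: The restore of `afl->afl_env.afl_post_process_keep_original` sits only at the `abort_calibration:` label, so any `return` between the override near the top of `calibrate_case` and that label (the body between the two hunks is not shown, so this is inferred) would leave the flag forced to 1 for the rest of the run and silently change post-process behaviour for every later execution. Either route every exit through `goto abort_calibration` or restore the saved value on each early return, and state the invariant at the override: `/* calibration must measure the original input; every exit from here on must go through abort_calibration to restore this flag */`. The saved copy is declared `u8`, which should match the field's declared type (confirm in afl-fuzz.h) so a wider value is not truncated. calibrate_case starts before the first hunk and continues past the second.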
@@ -83,12 +83,16 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
 #ifdef __linux__
   if (afl->fsrv.nyx_mode) {
+
     nyx_load_target_hash(&afl->fsrv);
     fprintf(f2, "%llx\n", afl->fsrv.nyx_target_hash64);
-  }
-  else {
+
+  } else {
+
     fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path));
+
   }
+
 #else
   fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path));
 #endif
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a2fd4b76..7a940031 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1505,7 +1505,8 @@ int main(int argc, char **argv_orig, char **envp) {
 #ifdef __linux__
   if (afl->fsrv.nyx_mode) {
-    OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej Schumilo)");
+    OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej "
+        "Schumilo)");
     OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz");
   }
@@ -2225,23 +2226,27 @@ int main(int argc, char **argv_orig, char **envp) {
   if (afl->in_place_resume && !afl->afl_env.afl_no_fastresume) {
-#ifdef __linux__
+  #ifdef __linux__
     u64 target_hash = 0;
     if (afl->fsrv.nyx_mode) {
+
       nyx_load_target_hash(&afl->fsrv);
       target_hash = afl->fsrv.nyx_target_hash64;
-    }
-    else {
+
+    } else {
+
       target_hash = get_binary_hash(afl->fsrv.target_path);
+
     }
-#else
+
+  #else
     u64 target_hash = get_binary_hash(afl->fsrv.target_path);
-#endif
+  #endif
     if ((!target_hash || prev_target_hash != target_hash)
-#ifdef __linux__
-        || (afl->fsrv.nyx_mode && target_hash == 0)
-#endif
+  #ifdef __linux__
+        || (afl->fsrv.nyx_mode && target_hash == 0)
+  #endif
     ) {
       ACTF("Target binary is different, cannot perform FAST RESUME!");
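Review bot: In the FAST RESUME check the re-indented Linux-only clause `|| (afl->fsrv.nyx_mode && target_hash == 0)` is dead: `!target_hash` in the first parenthesis already rejects a zero hash in every mode, so the `#ifdef __linux__` block adds nothing and the condition can shrink to `if (!target_hash || prev_target_hash != target_hash) {`. This comparison is what stops a resume from reusing state recorded against a different binary, so keeping it minimal makes it easier to audit. Separately, `nyx_load_target_hash(&afl->fsrv)` is now called both here and in write_setup_file, so the Nyx config is parsed twice per start; loading it once and reading `afl->fsrv.nyx_target_hash64` afterwards would do. The enclosing `if (afl->in_place_resume ...)` block continues past the hunk.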
@@ -2386,10 +2391,11 @@ int main(int argc, char **argv_orig, char **envp) {
 #ifdef AFL_PERSISTENT_RECORD
   if (unlikely(afl->fsrv.persistent_record)) {
-    if (!getenv(PERSIST_ENV_VAR)) {
+    if (!getenv(PERSIST_ENV_VAR) && !getenv("AFL_FRIDA_PERSISTENT_ADDR") &&
+        !getenv("AFL_QEMU_PERSISTENT_ADDR")) {
       FATAL(
-          "Target binary is not compiled in persistent mode, "
+          "Target binary is not compiled/run in persistent mode, "
           "AFL_PERSISTENT_RECORD makes no sense.");
     }
 |
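Review bot: The relaxed sanity check only asks whether `AFL_FRIDA_PERSISTENT_ADDR` or `AFL_QEMU_PERSISTENT_ADDR` is set in the environment, not whether frida or qemu mode is actually in use, so a stale variable left in the shell silences the `AFL_PERSISTENT_RECORD makes no sense` error for a plain instrumented target that was never built persistent. If the forkserver exposes the mode flags (AFL++ has `afl->fsrv.frida_mode` / `afl->fsrv.qemu_mode`, confirm the field names), tie each variable to its mode: `!(afl->fsrv.frida_mode && getenv("AFL_FRIDA_PERSISTENT_ADDR")) && !(afl->fsrv.qemu_mode && getenv("AFL_QEMU_PERSISTENT_ADDR"))`. The two names are also string literals here while the compiled-in case uses the `PERSIST_ENV_VAR` macro; matching defines would keep the spelling in one place. The outer `if (unlikely(afl->fsrv.persistent_record))` block closes outside the hunk.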