-rw-r--r-- | TODO | 4 | ||||
-rw-r--r-- | afl-fuzz.c | 2 | ||||
-rw-r--r-- | docs/sister_projects.txt | 6 | ||||
-rw-r--r-- | gcc_plugin/CRASH | 23 | ||||
-rw-r--r-- | gcc_plugin/README.gcc | 6 | ||||
-rw-r--r-- | gcc_plugin/afl-gcc-pass.so.cc | 9 | ||||
-rw-r--r-- | qemu_mode/README.qemu | 2 |
7 files changed, 46 insertions, 6 deletions
diff --git a/TODO b/TODO index d89524c2..2c5d05a5 100644 --- a/TODO +++ b/TODO @@ -4,6 +4,8 @@ Roadmap 2.53d: - README.md + - update docs/sister_projects.txt + - better defaults: * laf-intel activated, needs deactiatation * fast mode schedule @@ -15,7 +17,7 @@ afl-fuzz: - reuse forkserver for showmap, afl-cmin, etc. gcc_plugin: - (see TODOs) + - fix crashes when compiling :( - whitelist support - skip over uninteresting blocks - laf-intel diff --git a/afl-fuzz.c b/afl-fuzz.c index 422260ef..e917ed9c 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -11247,7 +11247,7 @@ static void usage(u8* argv0) { " -Q - use binary-only instrumentation (QEMU mode)\n" " -L minutes - use MOpt(imize) mode and set the limit time for entering the\n" " pacemaker mode (minutes of no new paths, 0 = immediately).\n" - " see docs/README.MOpt\n\n" + " a recommended value is 10-60. see docs/README.MOpt\n\n" "Fuzzing behavior settings:\n" " -d - quick & dirty mode (skips deterministic steps)\n" diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt index 41701e2f..a2eb2a22 100644 --- a/docs/sister_projects.txt +++ b/docs/sister_projects.txt @@ -6,6 +6,10 @@ Sister projects designed for, or meant to integrate with AFL. See README for the general instruction manual. +!!! +!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz +!!! + ------------------------------------------- Support for other languages / environments: ------------------------------------------- @@ -263,7 +267,7 @@ Static binary-only instrumentation (Aleksandar Nikolich) reports better performance compared to QEMU, but occasional translation errors with stripped binaries. - https://github.com/vrtadmin/moflow/tree/master/afl-dyninst + https://github.com/vanhauser-thc/afl-dyninst AFL PIN (Parker Thompson) ------------------------- diff --git a/gcc_plugin/CRASH b/gcc_plugin/CRASH new file mode 100644 index 00000000..51930bb3 --- /dev/null +++ b/gcc_plugin/CRASH 
@@ -0,0 +1,23 @@ +to reproduce: +============= +tiff-4.0.4.tar.gz +CC=afl-gcc-fast CXX=afl-g++-fast ./configure --disable-shared +make + +result +====== +[+] Instrumented 11 locations in TIFFInitJPEG +during GIMPLE pass: evrp +tif_jpeg.c: In function ‘JPEGFixupTagsSubsamplingSec’: +tif_jpeg.c:2388:1: internal compiler error: Segmentation fault + } + ^ +0x7ffff758e83f ??? + /build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0 +0x7ffff757b09a __libc_start_main + ../csu/libc-start.c:308 +Please submit a full bug report, +with preprocessed source if appropriate. +Please include the complete backtrace with any bug report. +See <file:///usr/share/doc/gcc-8/README.Bugs> for instructions. +make[2]: *** [Makefile:696: tif_jpeg.lo] Error 1 diff --git a/gcc_plugin/README.gcc b/gcc_plugin/README.gcc index fe62020b..a002c741 100644 --- a/gcc_plugin/README.gcc +++ b/gcc_plugin/README.gcc @@ -5,6 +5,12 @@ Fast GCC-based instrumentation for afl-fuzz (See ../docs/README for the general instruction manual.) (See ../llvm_mode/README.llvm for the LLVM-based instrumentation.) + +!!! +!!! gcc_plugin is not stable yet and can crash when compiling +!!! + + 1) Introduction --------------- diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index 8d1888ef..b1ca8325 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -1,7 +1,9 @@ // -// There are two TODOs in this file: +// There are some TODOs in this file: // - dont instrument blocks that are uninterested // - implement whitelist feature +// - implement notZero +// - fix crash // /* @@ -102,7 +104,7 @@ static unsigned int ext_call_instrument(function *fun) { if (!fcnt_blocks++) continue; /* skip block 0 */ - // TODO: if the predecessor does not have to destinations + // TODO: if the predecessor does not have ast least two destinations // then skip this block :TODO /* Bail on this block if we trip the specified ratio */ 
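Review bot: The new header TODO `// - implement notZero` names the feature differently from the `neverZero` TODO this same commit adds inside inline_instrument further down, so a grep for either spelling finds only half of the notes. I would keep one name and point at the reproducer the commit ships instead of the bare "fix crash": `// - implement neverZero (see TODO in inline_instrument)` and `// - fix the ICE reproduced in gcc_plugin/CRASH`. This hunk is the file-header comment, not a function body.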
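Review bot: The rewritten TODO line in ext_call_instrument carries a typo, `ast least`, so it should read `// TODO: if the predecessor does not have at least two destinations`. The `:TODO` suffix on the following context line is then redundant, since the comment already opens with TODO. ext_call_instrument starts before and ends after this hunk.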
@@ -223,6 +225,9 @@ static unsigned int inline_instrument(function *fun) { g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one); gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1 + // TODO: neverZero: here we have to check if tmp3 == 0 + // and add 1 if so + // tree tmp4 = create_tmp_var(map_type, "tmp4"); // g = gimple_build_assign(tmp4, PLUS_EXPR, map_ptr_g, area_off); // gimple_seq_add_stmt(&seq, g); // tmp4 = __afl_area_ptr + area_off diff --git a/qemu_mode/README.qemu b/qemu_mode/README.qemu index cf29088b..124fce12 100644 --- a/qemu_mode/README.qemu +++ b/qemu_mode/README.qemu @@ -117,7 +117,7 @@ program control flow without actually executing each and every code path. If you want to experiment with this mode of operation, there is a module contributed by Aleksandar Nikolich: - https://github.com/vrtadmin/moflow/tree/master/afl-dyninst + https://github.com/vanhauser-thc/afl-dyninst https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg At this point, the author reports the possibility of hiccups with stripped |
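Review bot: The added comment only records the wrap-around problem; with `tmp3 = tmp2 + 1` the counter still overflows to 0 once an edge is hit 256 times (assuming map_type is the usual byte-wide AFL map — its declaration is outside this hunk), and a zero entry is indistinguishable from an edge that was never hit, so the fuzzer silently loses that coverage. I would implement the fold here rather than leave it as a TODO: compare tmp3 with zero and select `one` in that case before the value goes back to the map, the same `Incr + (Incr == 0)` idea llvm_mode uses as far as I recall. The snippet below reassigns tmp3 through a COND_EXPR assignment; whether GIMPLE accepts that form depends on where this pass sits relative to SSA construction, so it wants a build under -fchecking before landing. inline_instrument starts before and ends after this hunk.
```cpp
      g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one);
      gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1

      // neverZero: a wrapped counter would read as "never hit", so fold
      // 0 back to 1 before the store: tmp3 = (tmp3 == 0) ? one : tmp3
      tree wrapped = build2(EQ_EXPR, boolean_type_node, tmp3,
                            build_zero_cst(map_type));
      g = gimple_build_assign(tmp3, COND_EXPR, wrapped, one, tmp3);
      gimple_seq_add_stmt(&seq, g);

      // ... unchanged: commented-out tmp4 lines and the rest of inline_instrument ...
```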