-rw-r--r-- | include/afl-fuzz.h | 6 | ||||
-rw-r--r-- | include/sharedmem.h | 2 | ||||
-rw-r--r-- | libdislocator/libdislocator.so.c | 47 | ||||
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 59 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-inl.h | 8 | ||||
-rw-r--r-- | src/afl-fuzz-cmplog.c | 1 | ||||
-rw-r--r-- | src/afl-fuzz-globals.c | 2 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 5 | ||||
-rw-r--r-- | src/afl-fuzz-redqueen.c | 1 | ||||
-rw-r--r-- | src/afl-fuzz-stats.c | 8 | ||||
-rw-r--r-- | src/afl-fuzz.c | 3 | ||||
-rw-r--r-- | src/afl-sharedmem.c | 2 |
12 files changed, 93 insertions, 51 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 967e16fe..751bd93c 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -655,12 +655,12 @@ void save_cmdline(u32, char**); /* CmpLog */ void init_cmplog_forkserver(char** argv); -u8 common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len); +u8 common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len); /* RedQueen */ -u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, - u32 exec_cksum); +u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, + u32 exec_cksum); /**** Inline routines ****/ diff --git a/include/sharedmem.h b/include/sharedmem.h index f92fd8be..8c1c2b20 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -30,7 +30,7 @@ void setup_shm(unsigned char dumb_mode); void remove_shm(void); -extern int cmplog_mode; +extern int cmplog_mode; extern struct cmp_map* cmp_map; #endif diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 221a629b..480d2fc6 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -62,6 +62,8 @@ #include "config.h" #include "types.h" +#define ALLOC_ALIGN_SIZE (sizeof(void*)) + #ifndef PAGE_SIZE #define PAGE_SIZE 4096 #endif /* !PAGE_SIZE */ @@ -114,6 +116,8 @@ #define ALLOC_CANARY 0xAACCAACC #define ALLOC_CLOBBER 0xCC +#define TAIL_ALLOC_CANARY 0xAC + #define PTR_C(_p) (((u32*)(_p))[-1]) #define PTR_L(_p) (((u32*)(_p))[-2]) @@ -122,7 +126,8 @@ static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */ static u8 alloc_verbose, /* Additional debug messages */ hard_fail, /* abort() when max_mem exceeded? */ - no_calloc_over; /* abort() on calloc() overflows? */ + no_calloc_over, /* abort() on calloc() overflows? */ + align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ #define __thread 
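Review bot: `#define ALLOC_ALIGN_SIZE (sizeof(void*))` in the libdislocator hunk makes the padded alignment 4 bytes on 32-bit targets (this same commit still selects `-m32` runtime objects), which is below what the system malloc typically guarantees there (8) and below the 16 that SSE and `long double` types need, so code relying on malloc's alignment guarantee can still trap with AFL_ALIGNED_ALLOC set. Consider `#define ALLOC_ALIGN_SIZE (2 * sizeof(void*))`, or `_Alignof(max_align_t)` from <stddef.h> if the file is built as C11, and note in a comment that the value must be a power of two because the rounding in `__dislocator_alloc` and `free()` uses `& (ALLOC_ALIGN_SIZE - 1)`. The new `TAIL_ALLOC_CANARY` define also deserves a comment, e.g. `/* byte pattern filling [len, rlen) padding; verified on free() */`, since unlike ALLOC_CANARY it is a single repeated byte rather than a 32-bit value.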
@@ -140,7 +145,7 @@ static u32 alloc_canary; static void* __dislocator_alloc(size_t len) { - void* ret; + u8* ret; size_t tlen; int flags, fd, sp; @@ -154,11 +159,17 @@ static void* __dislocator_alloc(size_t len) { } - tlen = (1 + PG_COUNT(len + 8)) * PAGE_SIZE; + size_t rlen; + if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) + rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; + else + rlen = len; + + tlen = (1 + PG_COUNT(rlen + 8)) * PAGE_SIZE; flags = MAP_PRIVATE | MAP_ANONYMOUS; fd = -1; #if defined(USEHUGEPAGE) - sp = (len >= SUPER_PAGE_SIZE && !(len % SUPER_PAGE_SIZE)); + sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE)); #if defined(__APPLE__) if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB; @@ -174,7 +185,7 @@ static void* __dislocator_alloc(size_t len) { /* We will also store buffer length and a canary below the actual buffer, so let's add 8 bytes for that. */ - ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); + ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); #if defined(USEHUGEPAGE) /* We try one more time with regular call */ if (ret == MAP_FAILED) { @@ -186,7 +197,7 @@ static void* __dislocator_alloc(size_t len) { #elif defined(__FreeBSD__) flags &= -MAP_ALIGNED_SUPER; #endif - ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); + ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); } @@ -204,13 +215,13 @@ static void* __dislocator_alloc(size_t len) { /* Set PROT_NONE on the last page. */ - if (mprotect(ret + PG_COUNT(len + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) + if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) FATAL("mprotect() failed when allocating memory"); /* Offset the return pointer so that it's right-aligned to the page boundary. */ - ret += PAGE_SIZE * PG_COUNT(len + 8) - len - 8; + ret += PAGE_SIZE * PG_COUNT(rlen + 8) - rlen - 8; /* Store allocation metadata. */ 
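Review bot: The new `size_t rlen;` in `__dislocator_alloc` is declared mid-body, while the first hunk shows this function declaring its locals (`u8* ret; size_t tlen; int flags, fd, sp;`) at the top; for consistency move `rlen` up with them and initialize it there. The two-branch rounding can then be a single documented statement, `size_t rlen = len;` followed by `if (align_allocations) rlen = (len + ALLOC_ALIGN_SIZE - 1) & ~(ALLOC_ALIGN_SIZE - 1); /* round up to ALLOC_ALIGN_SIZE */`, which computes the same value. The comment a few lines down ("store buffer length and a canary below the actual buffer, so let's add 8 bytes") should also mention that the mapping and the right-alignment offset are now computed from the rounded `rlen`, not `len`, since every later use in this hunk (`tlen`, `sp`, `mprotect`, `ret +=`) was switched to it; the function body continues past the hunk.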
@@ -221,6 +232,14 @@ static void* __dislocator_alloc(size_t len) { total_mem += len; + if (rlen != len) { + + size_t i; + for (i = len; i < rlen; ++i) + ret[i] = TAIL_ALLOC_CANARY; + + } + return ret; } @@ -299,6 +318,16 @@ void free(void* ptr) { total_mem -= len; + if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) { + + u8* ptr_ = ptr; + size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; + for (; len < rlen; ++len) + if (ptr_[len] != TAIL_ALLOC_CANARY) + FATAL("bad tail allocator canary on free()"); + + } + /* Protect everything. Note that the extra page at the end is already set as PROT_NONE, so we don't need to touch that. */ @@ -323,6 +352,7 @@ void* realloc(void* ptr, size_t len) { if (ret && ptr) { if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()"); + // Here the tail canary check is delayed to free() memcpy(ret, ptr, MIN(len, PTR_L(ptr))); free(ptr); @@ -441,6 +471,7 @@ __attribute__((constructor)) void __dislocator_init(void) { alloc_verbose = !!getenv("AFL_LD_VERBOSE"); hard_fail = !!getenv("AFL_LD_HARD_FAIL"); no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER"); + align_allocations = !!getenv("AFL_ALIGNED_ALLOC"); } diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 4fbaf9ec..1baa3ea6 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
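Review bot: In the free() hunk the tail-canary loop `for (; len < rlen; ++len)` uses `len` itself as the index, so after the loop `len` equals the rounded length; if, as in the original free(), the code below this hunk (outside view) derives the mapping base and size from `len` (`PAGE_SIZE * PG_COUNT(len + 8) - len - 8`), that side effect is the only thing keeping it consistent with the rlen-based layout in `__dislocator_alloc`, and a later change to the loop variable would silently break the unmap. Make the dependency explicit by iterating with a separate index and then writing `len = rlen; /* the mapping was laid out from the rounded length */`, or hoist the rounding into a `static size_t round_alloc_len(size_t len)` helper shared with `__dislocator_alloc`, where the identical expression already appears. A comment above the check should also state the detection trade-off: with AFL_ALIGNED_ALLOC an overflow into the up to ALLOC_ALIGN_SIZE-1 padding bytes is caught only at free() rather than immediately by the guard page, and not at all if the overwritten byte happens to equal 0xAC or the block is never freed.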
@@ -204,31 +204,32 @@ static void edit_params(u32 argc, char** argv) { } else { #ifdef USE_TRACE_PC - - cc_params[cc_par_cnt++] = - "-fsanitize-coverage=trace-pc-guard"; // edge coverage by default - // cc_params[cc_par_cnt++] = "-mllvm"; - // cc_params[cc_par_cnt++] = - // "-fsanitize-coverage=trace-cmp,trace-div,trace-gep"; - // cc_params[cc_par_cnt++] = "-sanitizer-coverage-block-threshold=0"; -#else - if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") || - getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) { cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; // edge coverage by default + // cc_params[cc_par_cnt++] = "-mllvm"; + // cc_params[cc_par_cnt++] = + // "-fsanitize-coverage=trace-cmp,trace-div,trace-gep"; + // cc_params[cc_par_cnt++] = "-sanitizer-coverage-block-threshold=0"; +#else + if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") || + getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) { - } else { + cc_params[cc_par_cnt++] = + "-fsanitize-coverage=trace-pc-guard"; // edge coverage by default - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; - if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL) - cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path); - else - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); + } else { - } + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL) + cc_params[cc_par_cnt++] = + alloc_printf("%s/libLLVMInsTrim.so", obj_path); + else + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); + + } #endif /* ^USE_TRACE_PC */ 
@@ -401,16 +402,19 @@ static void edit_params(u32 argc, char** argv) { case 0: if (cmplog_mode) - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt.o", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-cmplog-rt.o", obj_path); else cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path); break; case 32: if (cmplog_mode) - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt-32.o", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-cmplog-rt-32.o", obj_path); else - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-rt-32.o", obj_path); if (access(cc_params[cc_par_cnt - 1], R_OK)) FATAL("-m32 is not supported by your compiler"); @@ -419,9 +423,11 @@ static void edit_params(u32 argc, char** argv) { case 64: if (cmplog_mode) - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-cmplog-rt-64.o", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-cmplog-rt-64.o", obj_path); else - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-rt-64.o", obj_path); if (access(cc_params[cc_par_cnt - 1], R_OK)) FATAL("-m64 is not supported by your compiler"); @@ -494,10 +500,9 @@ int main(int argc, char** argv) { #endif /* ^USE_TRACE_PC */ } - + cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG"); - if (cmplog_mode) - printf("CmpLog mode by <andreafioraldi@gmail.com>\n"); + if (cmplog_mode) printf("CmpLog mode by <andreafioraldi@gmail.com>\n"); #ifndef __ANDROID__ find_obj(argv[0]); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index aaf041df..ac847371 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h 
@@ -272,7 +272,7 @@ static void afl_forkserver(CPUState *cpu) { if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; afl_forksrv_pid = getpid(); - + int first_run = 1; /* All right, let's await orders... */ @@ -350,8 +350,10 @@ static void afl_forkserver(CPUState *cpu) { a successful run. In this case, we want to wake it up without forking again. */ - if (WIFSTOPPED(status)) child_stopped = 1; - else if(unlikely(first_run && is_persistent)) exit(12); // Persistent is wrong + if (WIFSTOPPED(status)) + child_stopped = 1; + else if (unlikely(first_run && is_persistent)) + exit(12); // Persistent is wrong first_run = 0; if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index fcb545e1..5906756d 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -633,3 +633,4 @@ u8 common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len) { return 0; } + diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index e92558d3..154f281e 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -251,7 +251,7 @@ u32 a_extras_cnt; /* Total number of tokens available */ u8 *(*post_handler)(u8 *buf, u32 *len); -u8* cmplog_binary; +u8 *cmplog_binary; s32 cmplog_forksrv_pid; /* hooks for the custom mutator function */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 33b89a89..c4a02698 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -238,7 +238,7 @@ void bind_to_free_cpu(void) { #elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { - + if (cpu_start == cpu_core_count) PFATAL("pthread_setaffinity failed for cpu %d, exit", i); WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); 
@@ -247,9 +247,10 @@ void bind_to_free_cpu(void) { ; } + #elif defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { - + if (cpu_start == cpu_core_count) PFATAL("pthread_setaffinity failed for cpu %d, exit", i); WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index f6f659da..c21c973f 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -371,3 +371,4 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, return 0; } + diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d00c6750..be065647 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -599,7 +599,8 @@ void show_stats(void) { if (cmplog_mode) { sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_PYTHON]), - DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(stage_cycles[STAGE_PYTHON]), + DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR]), DI(stage_finds[STAGE_COLORIZATION]), DI(stage_cycles[STAGE_COLORIZATION]), DI(stage_finds[STAGE_ITS]), @@ -607,11 +608,12 @@ void show_stats(void) { SAYF(bV bSTOP " custom/rq : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n", tmp); - + } else { sprintf(tmp, "%s/%s, %s/%s", DI(stage_finds[STAGE_PYTHON]), - DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(stage_cycles[STAGE_PYTHON]), + DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP " py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 74bc0ee2..39e737c2 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -867,8 +867,7 @@ int main(int argc, char** argv) { if (!out_file) setup_stdio_file(); - if (cmplog_binary) - check_binary(cmplog_binary); + if (cmplog_binary) check_binary(cmplog_binary); check_binary(argv[optind]); start_time = get_cur_time(); 
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 3f552881..47185012 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -149,7 +149,7 @@ void setup_shm(unsigned char dumb_mode) { if (!trace_bits) PFATAL("mmap() failed"); #else - u8* shm_str; + u8 *shm_str; shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); |