-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | docs/env_variables.md | 5 | ||||
-rw-r--r-- | gcc_plugin/afl-gcc-fast.c | 4 | ||||
-rw-r--r-- | gcc_plugin/afl-gcc-pass.so.cc | 2 | ||||
-rw-r--r-- | include/envs.h | 124 | ||||
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 30 | ||||
-rw-r--r-- | src/afl-analyze.c | 6 | ||||
-rw-r--r-- | src/afl-fuzz.c | 37 | ||||
-rw-r--r-- | src/afl-showmap.c | 13 | ||||
-rw-r--r-- | src/afl-tmin.c | 6 |
10 files changed, 97 insertions, 132 deletions
diff --git a/Makefile b/Makefile
index e002516a..f97f7f4f 100644
--- a/Makefile
+++ b/Makefile
@@ -399,7 +399,7 @@ source-only: all radamsa
 @echo >> $@
 @echo .SH OPTIONS >> $@
 @echo .nf >> $@
- @./$* -h 2>&1 | tail -n +4 >> $@
+ @./$* -hh 2>&1 | tail -n +4 >> $@
 @echo >> $@
 @echo .SH AUTHOR >> $@
 @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 7ac69e8b..fdc86a42 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -228,7 +228,8 @@ checks or alter some of the more exotic semantics of the tool:
 performed with/from the library. See [custom_mutator.md](custom_mutator.md)
 - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require afl-fuzz to
- be compiled with -DUSE_PYTHON. Please see [python_mutators.md](python_mutators.md).
+ be compiled with Python (which is autodetected during builing afl-fuzz).
+ Please see [python_mutators.md](python_mutators.md).
 This feature allows to configure custom mutators which can be very helpful in e.g. fuzzing XML or other highly flexible structured input.
@@ -264,7 +265,7 @@ checks or alter some of the more exotic semantics of the tool:
 - Setting AFL_NO_CPU_RED will not display very high cpu usages in red color.
- - Outdated environment variables are:
+ - Outdated environment variables that are that not supported anymore:
 AFL_DEFER_FORKSRV AFL_PERSISTENT
diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c
index c939e803..91b786ba 100644
--- a/gcc_plugin/afl-gcc-fast.c
+++ b/gcc_plugin/afl-gcc-fast.c
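Review bot: The man-page rule now runs `./$* -hh` for every binary the pattern covers, but only afl-fuzz in this diff learns to count a second `h`; how the other tools' getopt loops react to `-hh` (two `h` flags, or an unknown option dropping into their usage()) is not visible here. If any of them prints a different number of preamble lines for `-hh` than it did for `-h`, the fixed `tail -n +4` will cut the wrong prefix. Worth checking the regenerated pages once, or passing `-hh` only for afl-fuzz.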
@@ -339,8 +339,8 @@ int main(int argc, char** argv, char** envp) {
 "AFL_GCC_WHITELIST: enable whitelisting (selective instrumentation)\n"
 "\nafl-gcc-fast was built for gcc %s with the gcc binary path of "
- "\"%s\".\n\n"
- , BIN_PATH, BIN_PATH, GCC_VERSION, GCC_BINDIR);
+ "\"%s\".\n\n",
+ BIN_PATH, BIN_PATH, GCC_VERSION, GCC_BINDIR);
 exit(1);
diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc
index 1346979c..41139d6e 100644
--- a/gcc_plugin/afl-gcc-pass.so.cc
+++ b/gcc_plugin/afl-gcc-pass.so.cc
@@ -52,7 +52,7 @@
 #include "../config.h"
 #include "../include/debug.h"
-/* clear helper macros AFL types pull in, which intervene with gcc-plugin
+/* clear helper macros AFL types pull in, which intervene with gcc-plugin
 * headers from GCC-8 */
 #ifdef likely
 #undef likely
diff --git a/include/envs.h b/include/envs.h
index 8e6e3731..0f7ed37a 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -1,97 +1,37 @@
 const char *afl_environment_variables[] = {
- "AFL_ALIGNED_ALLOC",
- "AFL_ALLOW_TMP",
- "AFL_ANALYZE_HEX",
- "AFL_AS",
- "AFL_AS_FORCE_INSTRUMENT",
- "AFL_BENCH_JUST_ONE",
- "AFL_BENCH_UNTIL_CRASH",
- "AFL_CAL_FAST",
- "AFL_CC",
- "AFL_CMIN_ALLOW_ANY",
- "AFL_CMIN_CRASHES_ONLY",
- "AFL_CODE_END",
- "AFL_CODE_START",
- "AFL_COMPCOV_BINNAME",
- "AFL_COMPCOV_LEVEL",
- "AFL_CUSTOM_MUTATOR_LIBRARY",
- "AFL_CUSTOM_MUTATOR_ONLY",
- "AFL_CXX",
- "AFL_DEBUG",
- "AFL_DEBUG_CHILD_OUTPUT",
- "AFL_DEFER_FORKSRV",
- "AFL_DISABLE_TRIM",
- "AFL_DONT_OPTIMIZE",
- "AFL_DUMB_FORKSRV",
- "AFL_ENTRYPOINT",
- "AFL_EXIT_WHEN_DONE",
- "AFL_FAST_CAL",
- "AFL_FORCE_UI",
- "AFL_GCC_WHITELIST",
- "AFL_GCJ",
- "AFL_HANG_TMOUT",
- "AFL_HARDEN",
- "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
- "AFL_IMPORT_FIRST",
- "AFL_INST_LIBS",
- "AFL_INST_RATIO",
- "AFL_KEEP_TRACES",
- "AFL_KEEP_ASSEMBLY",
- "AFL_LD_HARD_FAIL",
- "AFL_LD_LIMIT_MB",
- "AFL_LD_NO_CALLOC_OVER",
- "AFL_LD_PRELOAD",
- "AFL_LD_VERBOSE",
- "AFL_LLVM_CMPLOG",
- "AFL_LLVM_INSTRIM",
- "AFL_LLVM_INSTRIM_LOOPHEAD",
- "AFL_LLVM_LAF_SPLIT_COMPARES",
- "AFL_LLVM_LAF_SPLIT_COMPARES_BITW",
- "AFL_LLVM_LAF_SPLIT_FLOATS",
- "AFL_LLVM_LAF_SPLIT_SWITCHES",
- "AFL_LLVM_LAF_TRANSFORM_COMPARES",
- "AFL_LLVM_NOT_ZERO",
- "AFL_LLVM_WHITELIST",
- "AFL_NO_AFFINITY",
- "AFL_NO_ARITH",
- "AFL_NO_BUILTIN",
- "AFL_NO_CPU_RED",
- "AFL_NO_FORKSRV",
+ "AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS",
+ "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE", "AFL_BENCH_UNTIL_CRASH",
+ "AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY",
+ "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME",
+ "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY",
+ "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT",
+ //"AFL_DEFER_FORKSRV", // not implemented anymore, so warn additionally
+ "AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", "AFL_DUMB_FORKSRV",
+ "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE", "AFL_FAST_CAL", "AFL_FORCE_UI",
+ "AFL_GCC_WHITELIST", "AFL_GCJ", "AFL_HANG_TMOUT", "AFL_HARDEN",
+ "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IMPORT_FIRST",
+ "AFL_INST_LIBS", "AFL_INST_RATIO", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY",
+ "AFL_LD_HARD_FAIL", "AFL_LD_LIMIT_MB", "AFL_LD_NO_CALLOC_OVER",
+ "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", "AFL_LLVM_CMPLOG", "AFL_LLVM_INSTRIM",
+ "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_LAF_SPLIT_COMPARES",
+ "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS",
+ "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES",
+ "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY",
+ "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV",
 "AFL_NO_UI",
 "AFL_NO_X86", // not really an env but we dont want to warn on it
- "AFL_PATH",
- "AFL_PERFORMANCE_FILE",
- "AFL_PERSISTENT",
- "AFL_POST_LIBRARY",
- "AFL_PRELOAD",
- "AFL_PYTHON_MODULE",
- "AFL_PYTHON_ONLY",
- "AFL_QEMU_COMPCOV",
- "AFL_QEMU_COMPCOV_DEBUG",
- "AFL_QEMU_DEBUG_MAPS",
- "AFL_QEMU_DISABLE_CACHE",
- "AFL_QEMU_PERSISTENT_ADDR",
- "AFL_QEMU_PERSISTENT_CNT",
- "AFL_QEMU_PERSISTENT_GPR",
- "AFL_QEMU_PERSISTENT_HOOK",
- "AFL_QEMU_PERSISTENT_RET",
- "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
- "AFL_QUIET",
- "AFL_RANDOM_ALLOC_CANARY",
- "AFL_REAL_PATH",
- "AFL_SHUFFLE_QUEUE",
- "AFL_SKIP_BIN_CHECK",
- "AFL_SKIP_CPUFREQ",
- "AFL_SKIP_CRASHES",
- "AFL_TMIN_EXACT",
- "AFL_TMPDIR",
- "AFL_TOKEN_FILE",
- "AFL_TRACE_PC",
- "AFL_USE_ASAN",
- "AFL_USE_MSAN",
- "AFL_USE_TRACE_PC",
- "AFL_USE_UBSAN",
- "AFL_WINE_PATH",
- NULL};
+ "AFL_PATH", "AFL_PERFORMANCE_FILE",
+ //"AFL_PERSISTENT", // not implemented anymore, so warn additionally
+ "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_PYTHON_ONLY",
+ "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS",
+ "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR",
+ "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR",
+ "AFL_QEMU_PERSISTENT_HOOK", "AFL_QEMU_PERSISTENT_RET",
+ "AFL_QEMU_PERSISTENT_RETADDR_OFFSET", "AFL_QUIET",
+ "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH", "AFL_SHUFFLE_QUEUE",
+ "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ", "AFL_SKIP_CRASHES",
+ "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC",
+ "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN",
+ "AFL_WINE_PATH", NULL};
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 44b786f9..1ad1fab7 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
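Review bot: `afl_environment_variables` remains a non-static array of non-const pointers defined in a header, so every translation unit that includes `envs.h` gets its own external definition of the symbol; since the commit rewrites the whole initializer anyway, `static const char *const afl_environment_variables[] = {` (or moving the definition into a single .c file) would rule out duplicate-symbol link errors should a second file ever include it. The clang-format packing of several names per line also means each future addition reshuffles neighbouring lines, which is noisy for a table that exists to be extended; wrapping it in `// clang-format off` / `// clang-format on` keeps one entry per line. The two commented-out entries explain the intent, but a short comment above the array stating that AFL_DEFER_FORKSRV and AFL_PERSISTENT are deliberately absent so the unknown-variable warning fires would survive a later dead-code clean-up.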
@@ -507,24 +507,32 @@ int main(int argc, char** argv, char** envp) {
 "AFL_LLVM_WHITELIST: enable whitelisting (selective instrumentation)\n"
 "AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n"
- "AFL_USE_TRACE_PC, USE_TRACE_PC, AFL_LLVM_USE_TRACE_PC, AFL_TRACE_PC: \n"
+ "AFL_USE_TRACE_PC, USE_TRACE_PC, AFL_LLVM_USE_TRACE_PC, AFL_TRACE_PC: "
+ "\n"
 " use LLVM trace-pc-guard instrumentation\n"
- "AFL_LLVM_LAF_SPLIT_COMPARES, LAF_SPLIT_COMPARES: enable cascaded comparisons\n"
- "AFL_LLVM_LAF_SPLIT_SWITCHES, LAF_SPLIT_SWITCHES: casc. comp. in 'switch'\n"
+ "AFL_LLVM_LAF_SPLIT_COMPARES, LAF_SPLIT_COMPARES: enable cascaded "
+ "comparisons\n"
+ "AFL_LLVM_LAF_SPLIT_SWITCHES, LAF_SPLIT_SWITCHES: casc. comp. in "
+ "'switch'\n"
 "AFL_LLVM_LAF_TRANSFORM_COMPARES, LAF_TRANSFORM_COMPARES:\n"
- " transform library comparison function calls to cascaded comparisons\n"
- "AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to cascaded comp.\n"
- "AFL_LLVM_LAF_SPLIT_COMPARES_BITW, LAF_SPLIT_COMPARES_BITW: size limit (default 8)\n"
-
- "AFL_LLVM_INSTRIM, INSTRIM_LIB: use light weight instrumentation InsTrim\n"
+ " transform library comparison function calls to cascaded "
+ "comparisons\n"
+ "AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to cascaded "
+ "comp.\n"
+ "AFL_LLVM_LAF_SPLIT_COMPARES_BITW, LAF_SPLIT_COMPARES_BITW: size limit "
+ "(default 8)\n"
+
+ "AFL_LLVM_INSTRIM, INSTRIM_LIB: use light weight instrumentation "
+ "InsTrim\n"
 "AFL_LLVM_INSTRIM_LOOPHEAD, LOOPHEAD: optimize loop tracing for speed\n"
- "AFL_CMPLOG, AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen mutator)\n"
+ "AFL_CMPLOG, AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen "
+ "mutator)\n"
 "\nafl-clang-fast was built for llvm %s with the llvm binary path of "
- "\"%s\".\n\n"
- , BIN_PATH, BIN_PATH, LLVM_VERSION, LLVM_BINDIR);
+ "\"%s\".\n\n",
+ BIN_PATH, BIN_PATH, LLVM_VERSION, LLVM_BINDIR);
 exit(1);
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index f566d3fe..bee78519 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -728,9 +728,11 @@ static void set_up_environment(void) {
 }
 if (qemu_preload)
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload);
+ buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ qemu_preload, afl_preload, afl_preload);
 else
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload);
+ buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ afl_preload, afl_preload);
 setenv("QEMU_SET_ENV", buf, 1);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 24491998..6b80e066 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -82,7 +82,7 @@ static u8* get_libradamsa_path(u8* own_loc) {
 /* Display usage hints. */
-static void usage(u8* argv0) {
+static void usage(u8* argv0, int more_help) {
 SAYF(
 "\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n"
@@ -143,8 +143,11 @@ static void usage(u8* argv0) {
 "file\n"
 " -C - crash exploration mode (the peruvian rabbit thing)\n"
 " -e ext - File extension for the temporarily generated test "
- "case\n\n"
+ "case\n\n",
+ argv0, EXEC_TIMEOUT, MEM_LIMIT);
+ if (more_help > 1)
+ SAYF(
 "Environment variables used:\n"
 "AFL_PATH: path to AFL support binaries\n"
 "AFL_QUIET: suppress forkserver status messages\n"
@@ -179,11 +182,16 @@ static void usage(u8* argv0) {
 "MSAN_OPTIONS: custom settings for MSAN\n"
 " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
 "AFL_SKIP_BIN_CHECK: skip the check, if the target is an excutable\n"
- "AFL_PERSISTENT: not supported anymore -> no effect, just a warning\n"
- "AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n"
+ //"AFL_PERSISTENT: not supported anymore -> no effect, just a warning\n"
+ //"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n"
 "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
 "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n"
- , argv0, EXEC_TIMEOUT, MEM_LIMIT);
+ "\n"
+ );
+ else
+ SAYF(
+ "To view also the supported environment variables of afl-fuzz please "
+ "use \"-hh\".\n\n");
 #ifdef USE_PYTHON
 SAYF("Compiled with %s module support, see docs/python_mutators.md\n",
@@ -217,7 +225,7 @@ int main(int argc, char** argv, char** envp) {
 s32 opt;
 u64 prev_queued = 0;
- u32 sync_interval_cnt = 0, seek_to;
+ u32 sync_interval_cnt = 0, seek_to, show_help = 0;
 u8* extras_dir = 0;
 u8 mem_limit_given = 0;
 u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE");
@@ -621,10 +629,7 @@ int main(int argc, char** argv, char** envp) {
 }
 break;
- case 'h':
- usage(argv[0]);
- return -1;
- break; // not needed
+ case 'h': show_help++; break; // not needed
 case 'R':
@@ -635,11 +640,13 @@ int main(int argc, char** argv, char** envp) {
 break;
- default: usage(argv[0]);
+ default:
+ if (!show_help) show_help = 1;
 }
- if (optind == argc || !in_dir || !out_dir) usage(argv[0]);
+ if (optind == argc || !in_dir || !out_dir || show_help)
+ usage(argv[0], show_help);
 OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
 "Eißfeldt and Andrea Fioraldi");
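Review bot: The `// not needed` comment kept on the new `case 'h': show_help++; break;  // not needed` line used to explain an unreachable `break` that followed `return -1`; with the return gone this `break` is required, so the comment now asserts the opposite of what the code does and should go: `case 'h': show_help++; break;`. The enclosing `main()` switch starts and ends outside this hunk.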
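Review bot: Termination on `-h` now depends entirely on `usage()` not returning: the old `case 'h'` had an explicit `return -1` after `usage(argv[0])`, whereas the new `usage(argv[0], show_help);` is followed directly by `OKF(...)` and the rest of start-up, so if `usage()` ever returns (its tail is not in this diff; afl-showmap's version visibly ends in `exit(1)`, afl-fuzz's is presumed to match) a run with `-h` plus valid `-i`/`-o` would print the help and then start fuzzing. Making the intent explicit costs one line: `usage(argv[0], show_help); exit(1);` or equivalently a `return 1;`. `show_help` is also declared `u32` but passed to the `int more_help` parameter; declaring it `int` (or the parameter `u32`) keeps the two in step. `main()` continues outside this hunk.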
@@ -777,9 +784,11 @@ int main(int argc, char** argv, char** envp) {
 }
 if (qemu_preload)
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload);
+ buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ qemu_preload, afl_preload, afl_preload);
 else
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload);
+ buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ afl_preload, afl_preload);
 setenv("QEMU_SET_ENV", buf, 1);
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 01e29d38..d6ac1e7d 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -560,9 +560,11 @@ static void set_up_environment(void) {
 }
 if (qemu_preload)
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload);
+ buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ qemu_preload, afl_preload, afl_preload);
 else
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload);
+ buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ afl_preload, afl_preload);
 setenv("QEMU_SET_ENV", buf, 1);
@@ -652,10 +654,11 @@ static void usage(u8* argv0) {
 "Environment variables used:\n"
 "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
 "AFL_DEBUG: enable extra developer output\n"
- "AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing inputs\n"
+ "AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing "
+ "inputs\n"
 "AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also\n"
- "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n"
- , argv0, MEM_LIMIT, doc_path);
+ "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n",
+ argv0, MEM_LIMIT, doc_path);
 exit(1);
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 156dc8af..f6878903 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -903,9 +903,11 @@ static void set_up_environment(void) {
 }
 if (qemu_preload)
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload);
+ buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ qemu_preload, afl_preload, afl_preload);
 else
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload);
+ buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
+ afl_preload, afl_preload);
 setenv("QEMU_SET_ENV", buf, 1); |