-rw-r--r-- | docs/Changelog.md | 1 | ||||
-rw-r--r-- | docs/env_variables.md | 2 | ||||
-rw-r--r-- | docs/third_party_tools.md | 4 | ||||
-rw-r--r-- | instrumentation/afl-llvm-pass.so.cc | 14 | ||||
-rw-r--r-- | instrumentation/cmplog-instructions-pass.cc | 65 | ||||
-rw-r--r-- | src/afl-analyze.c | 21 | ||||
-rw-r--r-- | src/afl-cc.c | 5 | ||||
-rw-r--r-- | src/afl-fuzz-bitmap.c | 7 | ||||
-rw-r--r-- | src/afl-showmap.c | 35 | ||||
-rw-r--r-- | src/afl-tmin.c | 21 | ||||
-rw-r--r-- | utils/autodict_ql/readme.md | 4 |
11 files changed, 95 insertions, 84 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 0253222b..1daa9a75 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -57,6 +57,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) - fix for AFL_REAL_LD + - make -v without options work - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by
diff --git a/docs/env_variables.md b/docs/env_variables.md
index c45f4ab9..dc79bf9e 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -397,7 +397,7 @@ checks or alter some of the more exotic semantics of the tool: target. This must be equal or larger than the size the target was compiled with.
- - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of
+ - Setting `AFL_MAX_DET_EXTRAS` will change the threshold at what number of
 elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will kick off. In probabilistic mode, not all dictionary entries will be used all of the time for fuzzing mutations to not slow down
diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md
index 92229e84..8d40c429 100644
--- a/docs/third_party_tools.md
+++ b/docs/third_party_tools.md
@@ -45,6 +45,8 @@ Deployment, management, monitoring, reporting parallelize afl-tmin, startup, and data collection. Crash processing
+* [AFLTriage](https://github.com/quic/AFLTriage) -
+ triage crashing input files using gdb.
 * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL. * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of 
@@ -54,4 +56,4 @@ Crash processing * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL. * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for
- working with input data.
\ No newline at end of file
+ working with input data.
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index be0bcbc8..18c0294e 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -456,7 +456,7 @@ bool AFLCoverage::runOnModule(Module &M) {
 PrevCaller = IRB.CreateLoad(
 #if LLVM_VERSION_MAJOR >= 14
- IRB.getInt32Ty(),
+ PrevCallerTy,
 #endif
 AFLPrevCaller);
 PrevCaller->setMetadata(M.getMDKindID("nosanitize"),
@@ -628,11 +628,21 @@ bool AFLCoverage::runOnModule(Module &M) {
 /* Load prev_loc */
- LoadInst *PrevLoc = IRB.CreateLoad(
+ LoadInst *PrevLoc;
+
+ if (ngram_size) {
+ PrevLoc = IRB.CreateLoad(
+#if LLVM_VERSION_MAJOR >= 14
+ PrevLocTy,
+#endif
+ AFLPrevLoc);
+ } else {
+ PrevLoc = IRB.CreateLoad(
 #if LLVM_VERSION_MAJOR >= 14
 IRB.getInt32Ty(),
 #endif
 AFLPrevLoc);
+ }
 PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
 Value *PrevLocTrans;
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index a521960b..a2083a33 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -41,6 +41,7 @@ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4)
 #include "llvm/IR/Verifier.h"
 #include "llvm/IR/DebugInfo.h"
+ #include "llvm/Support/raw_ostream.h"
 #else
 #include "llvm/Analysis/Verifier.h"
 #include "llvm/DebugInfo.h" 
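Review bot: The `if (ngram_size)` split in the second afl-llvm-pass hunk duplicates the entire `IRB.CreateLoad(...)` call, and under LLVM < 14 both branches compile to identical code since only the type operand differs. Assuming `PrevLocTy` is declared as a `Type *` (its declaration and initialisation are outside the hunk), a single load with the type chosen once would read clearer: `IRB.CreateLoad(ngram_size ? PrevLocTy : IRB.getInt32Ty(), AFLPrevLoc)` inside the existing `#if`, with the plain `IRB.CreateLoad(AFLPrevLoc)` in the `#else`. Whichever shape is kept, a one-line comment stating why the two types exist, e.g. `/* with ngram_size the prev_loc shadow is the vector type PrevLocTy; plain edge coverage keeps the i32 load */`, would save the next reader from re-deriving it. The enclosing runOnModule body continues outside the hunk.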
@@ -285,7 +286,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
 IntegerType *intTyOp0 = NULL;
 IntegerType *intTyOp1 = NULL;
 unsigned max_size = 0, cast_size = 0;
- unsigned attr = 0, vector_cnt = 0;
+ unsigned attr = 0, vector_cnt = 0, is_fp = 0;
 CmpInst * cmpInst = dyn_cast<CmpInst>(selectcmpInst);
 if (!cmpInst) { continue; }
@@ -370,6 +371,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
 #endif
 attr += 8;
+ is_fp = 1;
+ // fprintf(stderr, "HAVE FP %u!\n", vector_cnt);
 } else {
@@ -453,6 +456,9 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
 }
+ // XXX FIXME BUG TODO
+ if (is_fp && vector_cnt) { continue; }
+
 uint64_t cur = 0, last_val0 = 0, last_val1 = 0, cur_val;
 while (1) { 
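Review bot: `if (is_fp && vector_cnt) { continue; }` in the third hunk silently drops CmpLog instrumentation for every floating-point vector compare, and the `// XXX FIXME BUG TODO` line above it does not say what the bug is or when the skip can go. The later hunk's commented-out ConstantFP probe records that `dyn_cast<ConstantFP>` on the extracted element came back null, so that appears to be the trigger; please say so next to the skip, e.g. `// FP vector compares are not hooked yet: the per-element ConstantFP lookup below returns NULL (see the disabled block), so only scalar FP compares reach the runtime.`. Note that `is_fp` is only reset because the first hunk declares it alongside the other per-candidate locals; the loop head that makes that true is outside the hunk, so a reader of this hunk alone cannot see it.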
@@ -464,21 +470,55 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
 op0 = IRB.CreateExtractElement(op0_saved, cur);
 op1 = IRB.CreateExtractElement(op1_saved, cur);
- ConstantInt *i0 = dyn_cast<ConstantInt>(op0);
- ConstantInt *i1 = dyn_cast<ConstantInt>(op1);
- if (i0 && i0->uge(0xffffffffffffffff) == false) {
+ /*
+ std::string errMsg;
+ raw_string_ostream os(errMsg);
+ op0_saved->print(os);
+ fprintf(stderr, "X: %s\n", os.str().c_str());
+ */
+ if (is_fp) {
+
+/*
+ ConstantFP *i0 = dyn_cast<ConstantFP>(op0);
+ ConstantFP *i1 = dyn_cast<ConstantFP>(op1);
+ // BUG FIXME TODO: this is null ... but why?
+ // fprintf(stderr, "%p %p\n", i0, i1);
+ if (i0) {
- cur_val = i0->getZExtValue();
- if (last_val0 && last_val0 == cur_val) { skip = 1; }
- last_val0 = cur_val;
+ cur_val = (uint64_t)i0->getValue().convertToDouble();
+ if (last_val0 && last_val0 == cur_val) { skip = 1; }
+ last_val0 = cur_val;
- }
+ }
+
+ if (i1) {
+
+ cur_val = (uint64_t)i1->getValue().convertToDouble();
+ if (last_val1 && last_val1 == cur_val) { skip = 1; }
+ last_val1 = cur_val;
+
+ }
+*/
+
+ } else {
+
+ ConstantInt *i0 = dyn_cast<ConstantInt>(op0);
+ ConstantInt *i1 = dyn_cast<ConstantInt>(op1);
+ if (i0 && i0->uge(0xffffffffffffffff) == false) {
+
+ cur_val = i0->getZExtValue();
+ if (last_val0 && last_val0 == cur_val) { skip = 1; }
+ last_val0 = cur_val;
+
+ }
+
+ if (i1 && i1->uge(0xffffffffffffffff) == false) {
- if (i1 && i1->uge(0xffffffffffffffff) == false) {
+ cur_val = i1->getZExtValue();
+ if (last_val1 && last_val1 == cur_val) { skip = 1; }
+ last_val1 = cur_val;
- cur_val = i1->getZExtValue();
- if (last_val1 && last_val1 == cur_val) { skip = 1; }
- last_val1 = cur_val;
+ }
 }
@@ -557,6 +597,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
 ++cur;
 if (cur >= vector_cnt) { break; }
+ skip = 0;
 }
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index ac5a324c..86278c31 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
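Review bot: The new `if (is_fp) { ... } else { ... }` commits an empty then-branch whose body is entirely commented out, preceded by a commented-out debug dump (`std::string errMsg; raw_string_ostream os(errMsg); ...`); the `llvm/Support/raw_ostream.h` include added in this file's first hunk serves only that dead code. Wrapping the integer path in `if (!is_fp) {` and reducing the FP section to a short TODO comment preserves behaviour and removes both dead blocks. If the FP constant check is later revived as written, two things need care: `APFloat::convertToDouble()` is only valid for IEEE-double semantics in older LLVM releases (it asserts for `float`/`half`, so check `getSemantics()` or use `bitcastToAPInt()` first), and `(uint64_t)` of a double truncates, so distinct constants with the same integral part would collide in `last_val0`/`last_val1`. The `skip = 0;` added in the last hunk is the right fix for `skip` sticking across vector elements and needs no change.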
@@ -96,31 +96,20 @@ static afl_forkserver_t fsrv = {0}; /* The forkserver */
 /* Classify tuple counts. This is a slow & naive version, but good enough here. */
-#define TIMES4(x) x, x, x, x
-#define TIMES8(x) TIMES4(x), TIMES4(x)
-#define TIMES16(x) TIMES8(x), TIMES8(x)
-#define TIMES32(x) TIMES16(x), TIMES16(x)
-#define TIMES64(x) TIMES32(x), TIMES32(x)
 static u8 count_class_lookup[256] = {
 [0] = 0,
 [1] = 1,
 [2] = 2,
 [3] = 4,
- [4] = TIMES4(8),
- [8] = TIMES8(16),
- [16] = TIMES16(32),
- [32] = TIMES32(64),
- [128] = TIMES64(128)
+ [4 ... 7] = 8,
+ [8 ... 15] = 16,
+ [16 ... 31] = 32,
+ [32 ... 127] = 64,
+ [128 ... 255] = 128
 };
-#undef TIMES64
-#undef TIMES32
-#undef TIMES16
-#undef TIMES8
-#undef TIMES4
-
 static void kill_child() {
 if (fsrv.child_pid > 0) {
diff --git a/src/afl-cc.c b/src/afl-cc.c
index cafb8e32..442cf265 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -695,7 +695,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 /* Detect stray -v calls from ./configure scripts. */
- u8 skip_next = 0;
+ u8 skip_next = 0, non_dash = 0;
 while (--argc) {
 u8 *cur = *(++argv);
@@ -707,6 +707,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 }
+ if (cur[0] != '-') { non_dash = 1; }
 if (!strncmp(cur, "--afl", 5)) continue;
 if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
 if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;
@@ -1025,7 +1026,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 }
- if (preprocessor_only || have_c) {
+ if (preprocessor_only || have_c || !non_dash) {
 /* In the preprocessor_only case (-E), we are not actually compiling at all but requesting the compiler to output preprocessed sources only.
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 2d88896f..7a236005 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c 
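Review bot: The `[4 ... 7] = 8` form that replaces the TIMES macros in count_class_lookup is a GNU C range-designator extension, not C99/C11; gcc and clang accept it (with a warning under -pedantic), so AFL++'s supported toolchains are fine, but nothing in the file says the table now depends on it. Suggest one line above the initializer, `/* [lo ... hi] range designators are a GNU C extension (gcc, clang). */`, which also covers the identical rewrites this commit makes in src/afl-tmin.c and in count_class_binary in src/afl-showmap.c. The removed `#undef` lines were the only other users of the macros visible here, so the deletion itself looks complete.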
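Review bot: `!non_dash` in the third afl-cc hunk's condition is not covered by the comment that follows it, which explains only the -E and -c cases, so the next reader has to trace the flag back to the argument loop to understand why a runtime-less link is chosen. Suggest extending that comment, e.g. `/* Likewise when no non-option argument exists at all (a bare -v / --version probe from a configure script): nothing is compiled or linked, so the runtime objects must not be added. */`. The probe in the second hunk, `if (cur[0] != '-') { non_dash = 1; }`, also fires on the separate value of an option such as `-o out`; that is harmless in practice because such invocations carry an input file as well, but a one-line comment beside it would record that this is intended. Whether the preceding skip_next branch consumes option values before they reach the probe is outside the hunk, as is the rest of edit_params.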
@@ -167,13 +167,6 @@ const u8 count_class_lookup8[256] = {
 };
-#undef TIMES255
-#undef TIMES64
-#undef TIMES32
-#undef TIMES16
-#undef TIMES8
-#undef TIMES4
-
 u16 count_class_lookup16[65536];
 void init_count_class16(void) {
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 8cddcb32..115f9f2a 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -103,24 +103,17 @@ static sharedmem_t * shm_fuzz;
 /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */
-#define TIMES4(x) x, x, x, x
-#define TIMES8(x) TIMES4(x), TIMES4(x)
-#define TIMES16(x) TIMES8(x), TIMES8(x)
-#define TIMES32(x) TIMES16(x), TIMES16(x)
-#define TIMES64(x) TIMES32(x), TIMES32(x)
-#define TIMES96(x) TIMES64(x), TIMES32(x)
-#define TIMES128(x) TIMES64(x), TIMES64(x)
 static const u8 count_class_human[256] = {
 [0] = 0,
 [1] = 1,
 [2] = 2,
 [3] = 3,
- [4] = TIMES4(4),
- [8] = TIMES8(5),
- [16] = TIMES16(6),
- [32] = TIMES96(7),
- [128] = TIMES128(8)
+ [4] = 4,
+ [8] = 5,
+ [16] = 6,
+ [32] = 7,
+ [128] = 8
 };
@@ -130,22 +123,14 @@ static const u8 count_class_binary[256] = {
 [1] = 1,
 [2] = 2,
 [3] = 4,
- [4] = TIMES4(8),
- [8] = TIMES8(16),
- [16] = TIMES16(32),
- [32] = TIMES32(64),
- [128] = TIMES64(128)
+ [4 ... 7] = 8,
+ [8 ... 15] = 16,
+ [16 ... 31] = 32,
+ [32 ... 127] = 64,
+ [128 ... 255] = 128
 };
-#undef TIMES128
-#undef TIMES96
-#undef TIMES64
-#undef TIMES32
-#undef TIMES16
-#undef TIMES8
-#undef TIMES4
-
 static void kill_child() {
 timed_out = 1;
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 89546c45..b5b015ce 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c 
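Review bot: The count_class_human rewrite in the first afl-showmap hunk drops table entries: `[4] = 4` initializes index 4 only, whereas the removed `TIMES4(4)` filled indices 4–7, and the same holds for `[8] = 5`, `[16] = 6`, `[32] = 7` and `[128] = 8`, so hit counts 5–7, 9–15, 17–31, 33–127 and 129–255 now classify to 0 and those edges disappear from the human-readable map. The count_class_binary table in this file's second hunk (and the tables in src/afl-analyze.c and src/afl-tmin.c) correctly use `[lo ... hi]` range designators; count_class_human needs the same ranges with the 1–8 values.
```c
static const u8 count_class_human[256] = {

    [0] = 0,
    /* … unchanged: [1] = 1, [2] = 2, [3] = 3 … */
    [4 ... 7] = 4,
    [8 ... 15] = 5,
    [16 ... 31] = 6,
    [32 ... 127] = 7,
    [128 ... 255] = 8

};
```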
@@ -95,31 +95,20 @@ static sharedmem_t * shm_fuzz;
 /* Classify tuple counts. This is a slow & naive version, but good enough here. */
-#define TIMES4(x) x, x, x, x
-#define TIMES8(x) TIMES4(x), TIMES4(x)
-#define TIMES16(x) TIMES8(x), TIMES8(x)
-#define TIMES32(x) TIMES16(x), TIMES16(x)
-#define TIMES64(x) TIMES32(x), TIMES32(x)
 static const u8 count_class_lookup[256] = {
 [0] = 0,
 [1] = 1,
 [2] = 2,
 [3] = 4,
- [4] = TIMES4(8),
- [8] = TIMES8(16),
- [16] = TIMES16(32),
- [32] = TIMES32(64),
- [128] = TIMES64(128)
+ [4 ... 7] = 8,
+ [8 ... 15] = 16,
+ [16 ... 31] = 32,
+ [32 ... 127] = 64,
+ [128 ... 255] = 128
 };
-#undef TIMES64
-#undef TIMES32
-#undef TIMES16
-#undef TIMES8
-#undef TIMES4
-
 static void kill_child() {
 if (fsrv->child_pid > 0) {
diff --git a/utils/autodict_ql/readme.md b/utils/autodict_ql/readme.md
index f61026b7..42059f09 100644
--- a/utils/autodict_ql/readme.md
+++ b/utils/autodict_ql/readme.md
@@ -104,7 +104,7 @@ The usage of Autodict-QL is pretty easy. But let's describe it as: we want to compile `libxml` with codeql. Go to libxml and issue the following commands: - `./configure --disable-shared` - - `codeql create database libxml-db --language=cpp --command=make` + - `codeql database create libxml-db --language=cpp --command="make -j$(nproc)"` - Now you have the CodeQL database of the project :-) 3. The final step is to update the CodeQL database you created in step 2 (Suppose we are in `aflplusplus/utils/autodict_ql/` directory):
@@ -144,4 +144,4 @@ There are 2 important points to remember: - Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated dictionaries. If you forget to set this environment variable, then AFL++ uses just 200 tokens and use the rest of them only probabilistically. So this will
- guarantee that your tokens will be used by AFL++.
\ No newline at end of file
+ guarantee that your tokens will be used by AFL++. |