-rw-r--r--Dockerfile2
-rw-r--r--GNUmakefile.llvm12
-rwxr-xr-xafl-cmin7
-rwxr-xr-xafl-cmin.bash7
-rw-r--r--docs/Changelog.md4
-rw-r--r--frida_mode/src/instrument/instrument_arm32.c2
-rw-r--r--frida_mode/src/instrument/instrument_arm64.c2
-rw-r--r--frida_mode/test/bloaty/GNUmakefile2
-rw-r--r--frida_mode/test/cache/GNUmakefile2
-rw-r--r--frida_mode/test/cmov/GNUmakefile2
-rw-r--r--frida_mode/test/deferred/GNUmakefile2
-rw-r--r--frida_mode/test/dynamic/GNUmakefile2
-rw-r--r--frida_mode/test/entry_point/GNUmakefile2
-rw-r--r--frida_mode/test/freetype2/GNUmakefile2
-rw-r--r--frida_mode/test/jpeg/GNUmakefile2
-rw-r--r--frida_mode/test/libpcap/GNUmakefile2
-rw-r--r--frida_mode/test/libxml/GNUmakefile2
-rw-r--r--frida_mode/test/libxslt/GNUmakefile2
-rw-r--r--frida_mode/test/osx-lib/GNUmakefile2
-rw-r--r--frida_mode/test/perf/GNUmakefile2
-rw-r--r--frida_mode/test/persistent_ret/GNUmakefile2
-rw-r--r--frida_mode/test/png/persistent/GNUmakefile2
-rw-r--r--frida_mode/test/png/persistent/hook/GNUmakefile2
-rw-r--r--frida_mode/test/proj4/GNUmakefile2
-rw-r--r--frida_mode/test/re2/GNUmakefile2
-rw-r--r--frida_mode/test/sqlite/GNUmakefile2
-rw-r--r--frida_mode/test/unstable/GNUmakefile2
-rw-r--r--frida_mode/test/vorbis/GNUmakefile2
-rwxr-xr-xfrida_mode/util/frida_get_symbol_addr.sh55
-rwxr-xr-xfrida_mode/util/get_symbol_addr.sh32
-rw-r--r--include/afl-fuzz.h2
-rw-r--r--include/android-ashmem.h4
-rw-r--r--include/config.h11
-rw-r--r--instrumentation/README.llvm.md2
-rw-r--r--instrumentation/SanitizerCoverageLTO.so.cc2
-rw-r--r--instrumentation/SanitizerCoveragePCGUARD.so.cc1
-rw-r--r--instrumentation/afl-compiler-rt.o.c6
-rw-r--r--instrumentation/split-compares-pass.so.cc2
-rwxr-xr-xqemu_mode/util/qemu_get_symbol_addr.sh53
-rw-r--r--src/afl-cc.c33
-rw-r--r--src/afl-common.c2
-rw-r--r--src/afl-forkserver.c8
-rw-r--r--src/afl-fuzz.c4
-rw-r--r--src/afl-ld-lto.c10
-rwxr-xr-xtest/test-basic.sh4
-rwxr-xr-xtest/test-libextensions.sh2
46 files changed, 214 insertions, 97 deletions
diff --git a/Dockerfile b/Dockerfile
index 1b5ffd28..e1616198 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -42,7 +42,7 @@ RUN apt-get update && \
     python3 python3-dev python3-pip python-is-python3 \
     libtool libtool-bin libglib2.0-dev \
     apt-transport-https gnupg dialog \
-    gnuplot-nox libpixman-1-dev \
+    gnuplot-nox libpixman-1-dev bc \
     gcc-${GCC_VERSION} g++-${GCC_VERSION} gcc-${GCC_VERSION}-plugin-dev gdb lcov \
     clang-${LLVM_VERSION} clang-tools-${LLVM_VERSION} libc++1-${LLVM_VERSION} \
     libc++-${LLVM_VERSION}-dev libc++abi1-${LLVM_VERSION} libc++abi-${LLVM_VERSION}-dev \
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 6ffac68f..f298060e 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -47,6 +47,7 @@ LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' )
 LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' )
 LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 )
 LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[7-9]' && echo 1 || echo 0 )
+LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 )
 LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
 LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 )
 LLVM_13_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[3-9]' && echo 1 || echo 0 )
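Review bot: The `^[1-9]\.` alternative in the new `LLVM_TOO_OLD` probe also matches every version that `LLVM_UNSUPPORTED` already flags (0.x–2.x and 3.0–3.7), so those builds get both messages unless the unsupported branch stops the parse first, which is outside this hunk. If only the supported-but-old range is meant, `'^3\.[89]|^[4-9]\.|^1[012]\.'` keeps the two checks disjoint. The version string is also forked out of `$(LLVM_CONFIG) --version` one more time here; capturing it once into a `:=` variable and matching against that would avoid the repeated `$(shell)`, though the pattern is pre-existing.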
@@ -69,6 +70,12 @@ ifeq "$(LLVM_TOO_NEW)" "1"
   $(warning you are using an in-development llvm version - this might break llvm_mode!)
 endif
 
+ifeq "$(LLVM_TOO_OLD)" "1"
+  $(warning you are using an outdated LLVM version! Please use at least LLVM 13 or newer!)
+  $(shell sleep 2)
+endif
+
+# No switching the meaning of LLVM_TOO_OLD
 LLVM_TOO_OLD=1
 
 ifeq "$(LLVM_MAJOR)" "9"
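Review bot: The new `ifeq "$(LLVM_TOO_OLD)" "1"` block is evaluated before the pre-existing unconditional `LLVM_TOO_OLD=1` two lines below it, so the warning itself is gated correctly, but every later reference to the variable still sees 1 regardless of the detected version; if that assignment is no longer needed it should go together with its `# No switching the meaning of LLVM_TOO_OLD` comment, otherwise the comment should say why it stays. `$(shell sleep 2)` is a parse-time side effect that delays every invocation, including `make -n` and `make clean`, and serialises nothing; the `$(warning …)` on its own is the conventional way to surface this. Consider `$(warning [!] LLVM $(LLVM_MAJOR).$(LLVM_MINOR) is older than the recommended minimum of 13 - llvm_mode may be limited)` so the message also tells the user which version was detected.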
@@ -87,11 +94,6 @@ ifeq "$(LLVM_NEWER_API)" "1"
   LLVM_STDCXX = c++17
 endif
 
-ifeq "$(LLVM_TOO_OLD)" "1"
-  $(info [!] llvm_mode detected an old version of llvm, upgrade to at least 9 or preferable 11!)
-  $(shell sleep 1)
-endif
-
 ifeq "$(LLVM_HAVE_LTO)" "1"
   $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation)
   LLVM_LTO = 1
diff --git a/afl-cmin b/afl-cmin
index d0bbed2b..23532b63 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -425,7 +425,7 @@ BEGIN {
   cmd = "stat --version 2>/dev/null"
   cmd | getline statversion
   close(cmd)
-  if (statversion ~ /GNU coreutils/) {
+  if (statversion ~ /GNU coreutils/ || statversion ~ /BusyBox/) {
     stat_format = "-c '%s %n'" # GNU
   } else {
     stat_format = "-f '%z %N'" # *BSD, MacOS
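Review bot: The new `statversion ~ /BusyBox/` branch assumes BusyBox's stat prints its banner on stdout, but BusyBox applets that do not implement `--version` print their usage on stderr, which the existing `2>/dev/null` in `cmd` discards, so `statversion` may well be empty on a BusyBox system and the *BSD format is still chosen; confirm on an actual BusyBox box before relying on it. A probe that does not depend on banner text is to run a GNU-style format and test for output, e.g. `cmd = "stat -c '%s' / 2>/dev/null"` with the GNU/BusyBox branch taken when `getline` returns a non-empty line. The enclosing BEGIN block starts and ends outside the hunk.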
@@ -493,6 +493,11 @@ BEGIN {
     }
   }
 
+  if (in_count < threads) {
+    threads = in_count
+    print "[!] WARNING: less inputs than threads, reducing threads to "threads" and likely the overhead of threading makes things slower..."
+  }
+
   # Let's roll!
 
   #############################
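Review bot: `threads = in_count` sets the thread count to 0 when the input directory is empty, unless an earlier check outside this hunk has already rejected `in_count == 0`; guarding the clamp itself, `if (in_count > 0 && in_count < threads)`, keeps it safe on its own. The message reads better as `"[!] WARNING: fewer inputs than threads, reducing threads to "threads"; threading overhead will likely make this slower..."`; the same wording is added to afl-cmin.bash in this commit. The enclosing BEGIN block starts and ends outside the hunk.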
diff --git a/afl-cmin.bash b/afl-cmin.bash
index 1d080491..b326bee8 100755
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@@ -339,6 +339,13 @@ fi
 echo "[*] Are you aware that afl-cmin is faster than this afl-cmin.bash script?"
 echo "[+] Found $IN_COUNT files for minimizing."
 
+if [ -n "$THREADS" ]; then
+  if [ "$IN_COUNT" -lt "$THREADS" ]; then
+    THREADS=$IN_COUNT
+    echo "[!] WARNING: less inputs than threads, reducing threads to $THREADS and likely the overhead of threading makes things slower..."
+  fi
+fi
+
 FIRST_FILE=`ls "$IN_DIR" | head -1`
 
 # Make sure that we're not dealing with a directory.
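Review bot: `[ "$IN_COUNT" -lt "$THREADS" ]` aborts with an "integer expression expected" error if `THREADS` holds anything but digits, and the new `-n "$THREADS"` test does not rule that out; unless the option parsing outside this hunk already validates the value, a check such as `case "$THREADS" in *[!0-9]*) echo "[-] Error: thread count must be a number" 1>&2; exit 1;; esac` before the comparison keeps the script from dying here. The wording point raised on the afl-cmin hunk ("fewer inputs than threads") applies to this message as well.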
diff --git a/docs/Changelog.md b/docs/Changelog.md
index ad58e99e..d61ce8ec 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -19,6 +19,7 @@
     - fixed a bug inherited from vanilla AFL where a coverage of
       map[123] = 11 would be the same as map[1123] = 1
     - warn on crashing inputs
+    - adjust threads if less inputs than threads specified
   - afl-cc:
     - fixed an off-by-one instrumentation of iselect, hurting coverage a bit.
       Thanks to @amykweon for spotting and fixing!
@@ -27,6 +28,9 @@
     - more LLVM compatability
   - frida_mode:
     - support for long form instrumentation on x86_x64 and arm64
+    - renamed utils/get_symbol_addr.sh to utils/frida_get_symbol_addr.sh
+  - qemu_mode:
+    - added qemu_mode/utils/qemu_get_symbol_addr.sh
 
 
 ### Version ++4.07c (release)
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c
index 51f78a35..c1e3f187 100644
--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@@ -15,7 +15,7 @@ static GHashTable *coverage_blocks = NULL;
 
 extern __thread guint64 instrument_previous_pc;
 
-__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE];
+__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_INITIAL_SIZE];
 
   #pragma pack(push, 1)
 typedef struct {
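Review bot: `area_ptr_dummy[MAP_INITIAL_SIZE]` now depends on `MAP_INITIAL_SIZE`, which this commit defines in include/config.h instead of inside afl-compiler-rt.o.c, so instrument_arm32.c must include config.h directly or through a header it already pulls in; the includes are outside this hunk and worth confirming. With the default `MAP_SIZE_POW2 16` the page-aligned static buffer grows from 64 KiB to 2 MiB of .bss, and nothing at the declaration says why the larger constant is needed here; a short comment such as `/* sized like the runtime's fallback map in afl-compiler-rt.o.c (MAP_INITIAL_SIZE, config.h) */` would spare the next reader a search. The identical change in instrument_arm64.c has the same two points.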
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index 131eb4c5..2256f941 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -22,7 +22,7 @@ gboolean           instrument_cache_enabled = FALSE;
 gsize              instrument_cache_size = 0;
 static GHashTable *coverage_blocks = NULL;
 
-__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE];
+__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_INITIAL_SIZE];
 
   #pragma pack(push, 1)
 typedef struct {
diff --git a/frida_mode/test/bloaty/GNUmakefile b/frida_mode/test/bloaty/GNUmakefile
index 8e767fae..02a0a1e2 100644
--- a/frida_mode/test/bloaty/GNUmakefile
+++ b/frida_mode/test/bloaty/GNUmakefile
@@ -35,7 +35,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/cache/GNUmakefile b/frida_mode/test/cache/GNUmakefile
index 12736a3f..98776193 100644
--- a/frida_mode/test/cache/GNUmakefile
+++ b/frida_mode/test/cache/GNUmakefile
@@ -11,7 +11,7 @@ QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
 
diff --git a/frida_mode/test/cmov/GNUmakefile b/frida_mode/test/cmov/GNUmakefile
index 96f1ae5b..0712e33b 100644
--- a/frida_mode/test/cmov/GNUmakefile
+++ b/frida_mode/test/cmov/GNUmakefile
@@ -11,7 +11,7 @@ QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
 
diff --git a/frida_mode/test/deferred/GNUmakefile b/frida_mode/test/deferred/GNUmakefile
index 22aeb2bf..e0b48797 100644
--- a/frida_mode/test/deferred/GNUmakefile
+++ b/frida_mode/test/deferred/GNUmakefile
@@ -10,7 +10,7 @@ TESTINSTSRC:=$(PWD)testinstr.c
 QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 ifndef ARCH
 
diff --git a/frida_mode/test/dynamic/GNUmakefile b/frida_mode/test/dynamic/GNUmakefile
index f43416f7..6c577dff 100644
--- a/frida_mode/test/dynamic/GNUmakefile
+++ b/frida_mode/test/dynamic/GNUmakefile
@@ -17,7 +17,7 @@ FRIDA_OUT:=$(BUILD_DIR)frida-out
 AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TESTINSTBIN) testinstr $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/entry_point/GNUmakefile b/frida_mode/test/entry_point/GNUmakefile
index 08c660f7..b8c0ecb5 100644
--- a/frida_mode/test/entry_point/GNUmakefile
+++ b/frida_mode/test/entry_point/GNUmakefile
@@ -10,7 +10,7 @@ TESTINSTSRC:=$(PWD)testinstr.c
 QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 ifndef ARCH
 
diff --git a/frida_mode/test/freetype2/GNUmakefile b/frida_mode/test/freetype2/GNUmakefile
index 8c35d5de..23318d52 100644
--- a/frida_mode/test/freetype2/GNUmakefile
+++ b/frida_mode/test/freetype2/GNUmakefile
@@ -64,7 +64,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/jpeg/GNUmakefile b/frida_mode/test/jpeg/GNUmakefile
index a8242081..a4967039 100644
--- a/frida_mode/test/jpeg/GNUmakefile
+++ b/frida_mode/test/jpeg/GNUmakefile
@@ -47,7 +47,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile
index 1bf9cd7f..745d7057 100644
--- a/frida_mode/test/libpcap/GNUmakefile
+++ b/frida_mode/test/libpcap/GNUmakefile
@@ -56,7 +56,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/libxml/GNUmakefile b/frida_mode/test/libxml/GNUmakefile
index 6fc87585..f1f4a738 100644
--- a/frida_mode/test/libxml/GNUmakefile
+++ b/frida_mode/test/libxml/GNUmakefile
@@ -43,7 +43,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/libxslt/GNUmakefile b/frida_mode/test/libxslt/GNUmakefile
index 655e652b..48bb0b40 100644
--- a/frida_mode/test/libxslt/GNUmakefile
+++ b/frida_mode/test/libxslt/GNUmakefile
@@ -42,7 +42,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/osx-lib/GNUmakefile b/frida_mode/test/osx-lib/GNUmakefile
index 96dbb5ad..fdc9ec04 100644
--- a/frida_mode/test/osx-lib/GNUmakefile
+++ b/frida_mode/test/osx-lib/GNUmakefile
@@ -26,7 +26,7 @@ FRIDA_OUT:=$(BUILD_DIR)frida-out
 HARNESS_LDFLAGS:=-Wl,-no_pie
 LIB_CFLAGS:=-dynamiclib
 
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 AFL_FRIDA_MAIN_ADDR=$(shell $(GET_SYMBOL_ADDR) $(HARNESS_BIN) main 0x0)
 AFL_FRIDA_MAIN_ADDR2=$(shell $(GET_SYMBOL_ADDR) $(HARNESS2_BIN) main 0x0)
 AFL_FRIDA_FUZZ_ADDR=$(shell $(GET_SYMBOL_ADDR) $(HARNESS_BIN) LLVMFuzzerTestOneInput 0x0)
diff --git a/frida_mode/test/perf/GNUmakefile b/frida_mode/test/perf/GNUmakefile
index 2d7c0239..6b49c2ba 100644
--- a/frida_mode/test/perf/GNUmakefile
+++ b/frida_mode/test/perf/GNUmakefile
@@ -31,7 +31,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile
index 71f6a124..73d710a1 100644
--- a/frida_mode/test/persistent_ret/GNUmakefile
+++ b/frida_mode/test/persistent_ret/GNUmakefile
@@ -23,7 +23,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 ifeq "$(shell uname)" "Darwin"
 TEST_BIN_LDFLAGS:=-Wl,-no_pie
diff --git a/frida_mode/test/png/persistent/GNUmakefile b/frida_mode/test/png/persistent/GNUmakefile
index 94e2be38..3dab713e 100644
--- a/frida_mode/test/png/persistent/GNUmakefile
+++ b/frida_mode/test/png/persistent/GNUmakefile
@@ -22,7 +22,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile
index b6a1ca1a..f3d06c87 100644
--- a/frida_mode/test/png/persistent/hook/GNUmakefile
+++ b/frida_mode/test/png/persistent/hook/GNUmakefile
@@ -33,7 +33,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/proj4/GNUmakefile b/frida_mode/test/proj4/GNUmakefile
index debc8a88..17850fa8 100644
--- a/frida_mode/test/proj4/GNUmakefile
+++ b/frida_mode/test/proj4/GNUmakefile
@@ -47,7 +47,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile
index 220e7616..0b79210b 100644
--- a/frida_mode/test/re2/GNUmakefile
+++ b/frida_mode/test/re2/GNUmakefile
@@ -48,7 +48,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/sqlite/GNUmakefile b/frida_mode/test/sqlite/GNUmakefile
index df470af8..6d3c7496 100644
--- a/frida_mode/test/sqlite/GNUmakefile
+++ b/frida_mode/test/sqlite/GNUmakefile
@@ -43,7 +43,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/unstable/GNUmakefile b/frida_mode/test/unstable/GNUmakefile
index 59b49449..3b7b6ddb 100644
--- a/frida_mode/test/unstable/GNUmakefile
+++ b/frida_mode/test/unstable/GNUmakefile
@@ -23,7 +23,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/test/vorbis/GNUmakefile b/frida_mode/test/vorbis/GNUmakefile
index 4cb5d417..b10d059e 100644
--- a/frida_mode/test/vorbis/GNUmakefile
+++ b/frida_mode/test/vorbis/GNUmakefile
@@ -54,7 +54,7 @@ endif
 endif
 
 ADDR_BIN:=$(ROOT)frida_mode/build/addr
-GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/frida_get_symbol_addr.sh
 
 AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
 AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
diff --git a/frida_mode/util/frida_get_symbol_addr.sh b/frida_mode/util/frida_get_symbol_addr.sh
new file mode 100755
index 00000000..fb0002b7
--- /dev/null
+++ b/frida_mode/util/frida_get_symbol_addr.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# Copyright 2023 AFLplusplus
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+target="$1"
+symbol="$2"
+base="$3"
+
+test -z "$target" -o -z "$symbol" -o '!' -x "$target" && {
+  echo "Syntax: $0 executable function [baseaddress]"
+  echo
+  echo Help script to calculate the function address of a binary QEMU will load it to.
+  echo function is e.g. LLVMFuzzerTestOneInput, afl_qemu_driver_stdin, etc.
+  echo "baseaddress is tried to be auto-detected, you can use 'AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace ./executable' to see the maps."
+  exit 1
+}
+
+file=$(file $target|sed 's/.*: //')
+
+arch=$(echo $file|awk -F, '{print$2}'|tr -d ' ')
+bits=$(echo $file|sed 's/-bit .*//'|sed 's/.* //')
+pie=$(echo $file|grep -wqi pie && echo pie)
+
+test $(uname -s) = "Darwin" && symbol=_"$symbol"
+tmp_addr=$(nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F)
+
+test -z "$tmp_addr" && { echo Error: function $symbol not found 1>&2; exit 1; }
+test -z "$pie" && { echo 0x$tmp_addr; exit 0; }
+
+test -z "$base" && {
+  test "$bits" = 32 -o "$bits" = 64 || { echo "Error: could not identify arch (bits=$bits)" 1>&2 ; exit 1; }
+  # is this true for arm/aarch64/i386 too?
+  base=0x555555554000
+  #test "$arch" = Intel80386 && base=0x5555554000
+  #test "$arch" = x86-64 && base=0x555555554000
+  #test "$arch" = ARMaarch64 && base=0x5500000000
+  # add more here, e.g. "$arch" = ARM
+}
+
+test -z "$base" && { echo "Error: could not identify base address! bits=$bits arch=$arch" 1>&2 ; exit 1; }
+
+hex_base=$(echo "$base" | awk '{sub("^0x","");print $0}' | tr a-f A-F )
+echo $tmp_addr | echo "ibase=16;obase=10;$hex_base + $tmp_addr" | bc | tr A-F a-f | awk '{print "0x"$0}'
+exit 0
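Review bot: `grep -i "T $symbol"` on the `nm` output is a case-insensitive substring match, so `symbol=foo` also hits `foobar` and local `t` symbols, and with more than one hit `tmp_addr` becomes multi-line and the `bc` expression below breaks; matching on the symbol column instead, `tmp_addr=$(nm "$target" | awk -v s="$symbol" '$2 ~ /^[Tt]$/ && $3 == s {print $1; exit}' | tr a-f A-F)`, yields exactly one address. `file $target` is the one place `$target` is left unquoted, so a path containing spaces fails there after `-x "$target"` accepted it. The usage text ("address ... QEMU will load it to", the `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace` hint) appears to be carried over from the QEMU variant and does not describe frida_mode, and `echo $tmp_addr |` in front of the second `echo` feeds a stdin that `echo` never reads. The same points apply to the new qemu_mode/util/qemu_get_symbol_addr.sh in this commit, usage text aside.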
diff --git a/frida_mode/util/get_symbol_addr.sh b/frida_mode/util/get_symbol_addr.sh
deleted file mode 100755
index f5d8df91..00000000
--- a/frida_mode/util/get_symbol_addr.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# set -x
-target="$1"
-symbol="$2"
-base="$3"
-
-test -z "$target" -o -z "$symbol" -o '!' -e "$target" && exit 0
-
-test $(uname -s) = "Darwin" && symbol=_"$symbol"
-
-file "$target" | grep -q executable && {
-  nm "$target" | grep -i "T $symbol" | awk '{print"0x"$1}'
-  exit 0
-}
-
-hex_base=$(echo "$3" | awk '{sub("^0x","");print $0}' | tr a-f A-F )
-nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F | \
-  xargs echo "ibase=16;obase=10;$hex_base + " | bc | tr A-F a-f | awk '{print "0x"$0}'
-exit 0
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 9da5cc03..27668da0 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -31,7 +31,7 @@
 #define MESSAGES_TO_STDOUT
 
 #ifndef _GNU_SOURCE
-  #define _GNU_SOURCE 1
+  #define _GNU_SOURCE
 #endif
 #ifndef _FILE_OFFSET_BITS
   #define _FILE_OFFSET_BITS 64
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index 1bfd3220..065c213b 100644
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -2,7 +2,9 @@
   #ifndef _ANDROID_ASHMEM_H
     #define _ANDROID_ASHMEM_H
 
-    #define _GNU_SOURCE
+    #ifndef _GNU_SOURCE
+      #define _GNU_SOURCE
+    #endif
     #include <sys/syscall.h>
     #include <unistd.h>
     #include <fcntl.h>
diff --git a/include/config.h b/include/config.h
index 8585041e..7c29a674 100644
--- a/include/config.h
+++ b/include/config.h
@@ -360,9 +360,10 @@
       65535,      /* Overflow unsig 16-bit when incremented  */ \
       65536,      /* Overflow unsig 16 bit                   */ \
       100663045,  /* Large positive number (endian-agnostic) */ \
+      2139095040, /* float infinite                          */ \
       2147483647                 /* Overflow signed 32-bit when incremented */
 
-#define INTERESTING_32_LEN 8
+#define INTERESTING_32_LEN 9
 
 /***********************************************************
  *                                                         *
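Review bot: The new INTERESTING_32 entry `2139095040` is only recognisable as IEEE-754 single-precision +infinity to a reader who knows it is `0x7F800000`; spelling that out, `2139095040, /* 0x7F800000: IEEE-754 float +inf */`, matches the neighbouring comments. Any code outside this hunk that sizes a buffer or loop from a literal 8 instead of `INTERESTING_32_LEN`, or that duplicates the 32-bit list (dictionary or cmplog helpers), would need the same bump to 9 — not visible here, so worth a grep.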
@@ -446,7 +447,15 @@
    after changing this - otherwise, SEGVs may ensue. */
 
 #define MAP_SIZE_POW2 16
+
+/* Do not change this unless you really know what you are doing. */
+
 #define MAP_SIZE (1U << MAP_SIZE_POW2)
+#if MAP_SIZE <= 65536
+  #define MAP_INITIAL_SIZE (2 << 20)  // = 2097152
+#else
+  #define MAP_INITIAL_SIZE MAP_SIZE
+#endif
 
 /* Maximum allocator request size (keep well under INT_MAX): */
 
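Review bot: `MAP_INITIAL_SIZE` arrives in config.h without the explanation that sat next to its old definition in afl-compiler-rt.o.c (the static map used for instrumentation output before `__afl_map_shm()` runs), and the new `/* Do not change this unless you really know what you are doing. */` sits between `MAP_SIZE_POW2` and `MAP_SIZE`, so it is unclear which of the two it guards. Suggest placing the sentence directly above the `#if MAP_SIZE <= 65536` block and leading with the purpose: `/* Size of the static fallback coverage map instrumented targets use before __afl_map_shm() has run (see afl-compiler-rt.o.c); 2 MiB unless MAP_SIZE is larger. Do not change unless you know what you are doing. */`. The comment left behind at the removal site in afl-compiler-rt.o.c should then point at config.h. The `// = 2097152` annotation is correct for `(2 << 20)`.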
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 126cf1a2..34b80c85 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -7,7 +7,7 @@ For the GCC-based instrumentation, see
 
 ## 1) Introduction
 
-! llvm_mode works with llvm versions 3.8 up to 13 !
+! llvm_mode works with llvm versions 3.8 up to 17 - but 13+ is recommended !
 
 The code in this directory allows you to instrument programs for AFL++ using
 true compiler-level instrumentation, instead of the more crude assembly-level
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index d7b03634..c70fbd4f 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1081,7 +1081,7 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
       }
 
       if (!be_quiet)
-        printf("AUTODICTIONARY: %lu string%s found\n", count,
+        printf("AUTODICTIONARY: %zu string%s found\n", count,
                count == 1 ? "" : "s");
 
       if (count) {
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 7d614f43..98c5973c 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -227,6 +227,7 @@ llvmGetPassPluginInfo() {
 
 PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module                &M,
                                                   ModuleAnalysisManager &MAM) {
+
   ModuleSanitizerCoverageAFL ModuleSancov(Options);
   auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
   auto  DTCallback = [&FAM](Function &F) -> const DominatorTree  *{
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 3f8b519b..dd9aae77 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -87,12 +87,6 @@
    is used for instrumentation output before __afl_map_shm() has a chance to
    run. It will end up as .comm, so it shouldn't be too wasteful. */
 
-#if MAP_SIZE <= 65536
-  #define MAP_INITIAL_SIZE 2097152
-#else
-  #define MAP_INITIAL_SIZE MAP_SIZE
-#endif
-
 #if defined(__HAIKU__)
 extern ssize_t _kern_write(int fd, off_t pos, const void *buffer,
                            size_t bufferSize);
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 6eafb332..09463fc5 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -1740,7 +1740,7 @@ bool SplitComparesTransform::runOnModule(Module &M) {
     if (!be_quiet && !debug) {
 
       errs() << "Split-floatingpoint-compare-pass: " << count
-             << " FP comparisons splitted\n";
+             << " FP comparisons split\n";
 
     }
 
diff --git a/qemu_mode/util/qemu_get_symbol_addr.sh b/qemu_mode/util/qemu_get_symbol_addr.sh
new file mode 100755
index 00000000..e0a7ae80
--- /dev/null
+++ b/qemu_mode/util/qemu_get_symbol_addr.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# Copyright 2023 AFLplusplus
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+target="$1"
+symbol="$2"
+base="$3"
+
+test -z "$target" -o -z "$symbol" -o '!' -x "$target" && {
+  echo "Syntax: $0 executable function [baseaddress]"
+  echo
+  echo Help script to calculate the function address of a binary QEMU will load it to.
+  echo function is e.g. LLVMFuzzerTestOneInput, afl_qemu_driver_stdin, etc.
+  echo "baseaddress is tried to be auto-detected, you can use 'AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace ./executable' to see the maps."
+  exit 1
+}
+
+file=$(file $target|sed 's/.*: //')
+
+arch=$(echo $file|awk -F, '{print$2}'|tr -d ' ')
+bits=$(echo $file|sed 's/-bit .*//'|sed 's/.* //')
+pie=$(echo $file|grep -wqi pie && echo pie)
+
+test $(uname -s) = "Darwin" && symbol=_"$symbol"
+tmp_addr=$(nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F)
+
+test -z "$tmp_addr" && { echo Error: function $symbol not found 1>&2; exit 1; }
+test -z "$pie" && { echo 0x$tmp_addr; exit 0; }
+
+test -z "$base" && {
+  test "$bits" = 32 -o "$bits" = 64 || { echo "Error: could not identify arch (bits=$bits)" 1>&2 ; exit 1; }
+  test "$arch" = Intel80386 && base=0x40000000
+  test "$arch" = x86-64 && base=0x4000000000
+  test "$arch" = ARMaarch64 && base=0x5500000000
+  # add more here, e.g. "$arch" = ARM
+}
+
+test -z "$base" && { echo "Error: could not identify base address! bits=$bits arch=$arch" 1>&2 ; exit 1; }
+
+hex_base=$(echo "$base" | awk '{sub("^0x","");print $0}' | tr a-f A-F )
+echo $tmp_addr | echo "ibase=16;obase=10;$hex_base + $tmp_addr" | bc | tr A-F a-f | awk '{print "0x"$0}'
+exit 0
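Review bot: The three hard-coded bases (`0x40000000`, `0x4000000000`, `0x5500000000`) are selected by comparing `$arch` with strings scraped from `file` output with the spaces removed (`Intel80386`, `x86-64`, `ARMaarch64`), and neither the origin of the addresses nor the `file` version the strings were taken from is recorded; a comment above the block such as `# PIE load base used by afl-qemu-trace per guest arch; when AFL_QEMU_DEBUG_MAPS=1 shows a different first mapping, update here` keeps the table maintainable. The final pipeline also discards the status of `bc`, so on a host without it (this commit adds `bc` to the Dockerfile, but not to a runtime check) the script prints nothing and still exits 0; `command -v bc >/dev/null || { echo "Error: bc is required" 1>&2; exit 1; }` near the top makes that failure visible. The symbol-matching and quoting points raised on frida_get_symbol_addr.sh apply here unchanged.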
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 58d44e5d..86b81459 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -383,11 +383,17 @@ static u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0,
           have_o = 0, have_pic = 0, have_c = 0, partial_linking = 0,
           non_dash = 0;
 
-#define MAX_PARAMS_NUM 2048
+#ifndef MAX_PARAMS_NUM
+  #define MAX_PARAMS_NUM 2048
+#endif
 
 static void process_params(u32 argc, char **argv) {
 
-  if (cc_par_cnt + argc >= MAX_PARAMS_NUM) { FATAL("Too many command line parameters, please increase MAX_PARAMS_NUM."); }
+  if (cc_par_cnt + argc >= MAX_PARAMS_NUM) {
+
+    FATAL("Too many command line parameters, please increase MAX_PARAMS_NUM.");
+
+  }
 
   if (lto_mode && argc > 1) {
 
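Review bot: Now that `MAX_PARAMS_NUM` can be overridden at build time, the unchanged FATAL text "please increase MAX_PARAMS_NUM" leaves the user guessing how; `FATAL("Too many command line parameters, rebuild with -DMAX_PARAMS_NUM=<n> (current limit %d).", MAX_PARAMS_NUM);` tells them. The guard is also only meaningful if the array that `cc_par_cnt` indexes is sized by the same macro, which is outside this hunk — a one-line comment at the `#ifndef` naming that array would tie the two together. process_params continues past the hunk.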
@@ -2109,11 +2115,6 @@ int main(int argc, char **argv, char **envp) {
         "-------------|\n"
         "MODES:                                  NCC PERSIST DICT   LAF "
         "CMPLOG SELECT\n"
-        "  [LTO] LLVM LTO:          %s%s\n"
-        "      PCGUARD              DEFAULT      yes yes     yes    yes yes "
-        "   yes\n"
-        "      CLASSIC                           yes yes     yes    yes yes "
-        "   yes\n"
         "  [LLVM] LLVM:             %s%s\n"
         "      PCGUARD              %s      yes yes     module yes yes    "
         "yes\n"
@@ -2123,16 +2124,21 @@ int main(int argc, char **argv, char **envp) {
         "        - CALLER\n"
         "        - CTX\n"
         "        - NGRAM-{2-16}\n"
+        "  [LTO] LLVM LTO:          %s%s\n"
+        "      PCGUARD              DEFAULT      yes yes     yes    yes yes "
+        "   yes\n"
+        "      CLASSIC                           yes yes     yes    yes yes "
+        "   yes\n"
         "  [GCC_PLUGIN] gcc plugin: %s%s\n"
         "      CLASSIC              DEFAULT      no  yes     no     no  no     "
         "yes\n"
         "  [GCC/CLANG] simple gcc/clang: %s%s\n"
         "      CLASSIC              DEFAULT      no  no      no     no  no     "
         "no\n\n",
-        have_lto ? "AVAILABLE" : "unavailable!",
-        compiler_mode == LTO ? " [SELECTED]" : "",
         have_llvm ? "AVAILABLE" : "unavailable!",
         compiler_mode == LLVM ? " [SELECTED]" : "",
+        have_lto ? "AVAILABLE" : "unavailable!",
+        compiler_mode == LTO ? " [SELECTED]" : "",
         LLVM_MAJOR >= 7 ? "DEFAULT" : "       ",
         LLVM_MAJOR >= 7 ? "       " : "DEFAULT",
         have_gcc_plugin ? "AVAILABLE" : "unavailable!",
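Review bot: The reordered argument list at the end of this hunk no longer matches the format string: the LLVM PCGUARD line keeps its `%s` (and presumably the CLASSIC line just outside the hunk does too), and those placeholders now come before the moved `[LTO] LLVM LTO: %s%s` line, yet `have_lto ? "AVAILABLE" : "unavailable!",` and `compiler_mode == LTO ? " [SELECTED]" : "",` are passed ahead of the two `LLVM_MAJOR >= 7` strings. If that reading is right, the LTO availability text lands in the PCGUARD/CLASSIC columns and the DEFAULT markers end up on the LTO line. The two `LLVM_MAJOR >= 7 ? ...` lines should move above the `have_lto` line so the arguments follow the order of the format block moved in the previous hunk. main continues outside the hunk.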
@@ -2348,6 +2354,15 @@ int main(int argc, char **argv, char **envp) {
         "AFL_LLVM_CMPLOG and "
         "AFL_LLVM_DICT2FILE+AFL_LLVM_DICT2FILE_NO_MAIN.\n\n");
 
+    if (LLVM_MAJOR < 13) {
+
+      SAYF(
+          "Warning: It is highly recommended to use at least LLVM version 13 "
+          "(or better, higher) rather than %d!\n\n",
+          LLVM_MAJOR);
+
+    }
+
     exit(1);
 
   }
diff --git a/src/afl-common.c b/src/afl-common.c
index 3e1ec09d..b4143a1b 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -403,7 +403,7 @@ u8 *find_binary(u8 *fname) {
 
           FATAL(
               "Unexpected overflow when processing ENV. This should never "
-              "happend.");
+              "had happened.");
 
         }
 
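Review bot: The corrected message is still ungrammatical: after "This should never" the verb needs the auxiliary "have", not "had", so the line should read `"have happened.");`. The call site is a FATAL, so the text is user-visible on every trigger. find_binary continues outside the hunk.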
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 7322f1ad..ba7cdd66 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -667,13 +667,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
     switch (fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)) {
 
       case Abort:
-        NYX_PRE_FATAL(fsrv, "Error: Nyx abort occured...");
+        NYX_PRE_FATAL(fsrv, "Error: Nyx abort occurred...");
         break;
       case IoError:
         NYX_PRE_FATAL(fsrv, "Error: QEMU-Nyx has died...");
         break;
       case Error:
-        NYX_PRE_FATAL(fsrv, "Error: Nyx runtime error has occured...");
+        NYX_PRE_FATAL(fsrv, "Error: Nyx runtime error has occurred...");
         break;
       default:
         break;
@@ -1581,7 +1581,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
         FATAL("FixMe: Nyx InvalidWriteToPayload handler is missing");
         break;
       case Abort:
-        FATAL("Error: Nyx abort occured...");
+        FATAL("Error: Nyx abort occurred...");
       case IoError:
         if (*stop_soon_p) {
 
@@ -1595,7 +1595,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
 
         break;
       case Error:
-        FATAL("Error: Nyx runtime error has occured...");
+        FATAL("Error: Nyx runtime error has occurred...");
         break;
 
     }
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index ab7d6534..9afece66 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1281,6 +1281,10 @@ int main(int argc, char **argv_orig, char **envp) {
 
         }
 
+        WARNF(
+            "Note that the MOpt mode is not maintained and is not as effective "
+            "as normal havoc mode.");
+
       } break;
 
       case 'h':
diff --git a/src/afl-ld-lto.c b/src/afl-ld-lto.c
index 420dd817..b1e6c848 100644
--- a/src/afl-ld-lto.c
+++ b/src/afl-ld-lto.c
@@ -23,7 +23,9 @@
 */
 
 #define AFL_MAIN
-#define _GNU_SOURCE
+#ifndef _GNU_SOURCE
+  #define _GNU_SOURCE
+#endif
 
 #include "config.h"
 #include "types.h"
@@ -37,6 +39,7 @@
 #include <time.h>
 #include <ctype.h>
 #include <fcntl.h>
+#include <limits.h>
 
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -45,11 +48,6 @@
 
 #include <dirent.h>
 
-#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \
-    defined(__DragonFly__)
-  #include <limits.h>
-#endif
-
 #ifdef __APPLE__
   #include <sys/syslimits.h>
 #endif
diff --git a/test/test-basic.sh b/test/test-basic.sh
index 5bb2ca28..61ad4b7c 100755
--- a/test/test-basic.sh
+++ b/test/test-basic.sh
@@ -28,7 +28,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
     rm -f test-instr.plain.0 test-instr.plain.1
     SKIP=
     TUPLES=`echo 1|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
-    test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && {
+    test "$TUPLES" -gt 1 -a "$TUPLES" -lt 22 && {
       $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
     } || {
       $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
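Review bot: The upper bound on reported instrumented locations is raised from 12 to 22 in this hunk and again in the second hunk of this file, with no comment saying what changed, so the next reader cannot tell whether `-lt 22` tracks a change in the instrumentation, in test-instr.c, or was simply loosened. A comment above the `test "$TUPLES" -gt 1 -a "$TUPLES" -lt 22` line, for example `# bounds are deliberately loose; revisit when the instrumentation changes how many locations it reports`, would record the intent and keep both hunks in step. The enclosing block starts outside the hunk.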
@@ -152,7 +152,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
     }
     rm -f test-instr.plain.0 test-instr.plain.1
     TUPLES=`echo 1|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
-    test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && {
+    test "$TUPLES" -gt 1 -a "$TUPLES" -lt 22 && {
       $ECHO "$GREEN[+] ${AFL_CLANG} run reported $TUPLES instrumented locations which is fine"
     } || {
       $ECHO "$RED[!] ${AFL_CLANG} instrumentation produces weird numbers: $TUPLES"
diff --git a/test/test-libextensions.sh b/test/test-libextensions.sh
index 40a898c8..f7f86de5 100755
--- a/test/test-libextensions.sh
+++ b/test/test-libextensions.sh
@@ -5,7 +5,7 @@
 test -z "$AFL_CC" && unset AFL_CC
 
 $ECHO "$BLUE[*] Testing: shared library extensions"
-cc $CFLAGS -o test-compcov test-compcov.c > /dev/null 2>&1
+cc $CFLAGS -O0 -o test-compcov test-compcov.c > /dev/null 2>&1
 test -e ../libtokencap.so && {
   AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1
   grep -q BUGMENOT token.out > /dev/null 2>&1 && {
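Review bot: The added `-O0` is placed after `$CFLAGS`, so it overrides whatever optimisation level the caller passed in, and the line does not say why. Presumably the point is to keep the comparisons in test-compcov.c as real library calls so that the preloaded libtokencap/libcompcov can intercept them; if so, a comment such as `# -O0 after $CFLAGS: keep the comparisons as real calls so the preload libraries can hook them` would make the override intentional rather than accidental.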