80 files changed, 1224 insertions, 1331 deletions
diff --git a/.clang-format b/.clang-format index bf15cdc0..478c7a84 100644 --- a/.clang-format +++ b/.clang-format @@ -72,6 +72,7 @@ IncludeCategories: Priority: 3 IncludeIsMainRegex: '([-_](test|unittest))?$' IndentCaseLabels: true +IndentPPDirectives: BeforeHash IndentWidth: 2 IndentWrappedFunctionNames: false JavaScriptQuotes: Leave diff --git a/.gitignore b/.gitignore index 5a7f9408..ab890bf3 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,5 @@ core\.* test/unittests/unit_maybe_alloc test/unittests/unit_preallocable test/unittests/unit_list +examples/afl_network_proxy/afl-network-server +examples/afl_network_proxy/afl-network-client diff --git a/.travis.yml b/.travis.yml index a360bd42..d3b1bd69 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,6 +10,9 @@ branches: matrix: include: - os: linux + dist: focal + env: NAME="focal-amd64" MODERN="yes" GCC="9" + - os: linux dist: bionic env: NAME="bionic-amd64" MODERN="yes" GCC="7" - os: linux 
@@ -41,8 +44,8 @@ before_install: # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE} - echo Testing on $NAME - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi - - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev ; fi - - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev ; fi + - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0-0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi + - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python3-setuptools ; fi script: - gcc -v diff --git a/Dockerfile b/Dockerfile index 1adc2167..c8bfaf33 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:eoan +FROM ubuntu MAINTAINER David Carlier <devnexen@gmail.com> LABEL "about"="AFLplusplus docker image" RUN apt-get update && apt-get -y install \ @@ -10,8 +10,10 @@ RUN apt-get update && apt-get -y install \ clang-9 \ flex \ git \ - python3.7 \ - python3.7-dev \ + python3 \ + python3-dev \ + python3-setuptools \ + python-is-python3 \ gcc-9 \ gcc-9-plugin-dev \ gcc-9-multilib \ @@ -20,8 +22,6 @@ RUN apt-get update && apt-get -y install \ libtool-bin \ libglib2.0-dev \ llvm-9-dev \ - python-setuptools \ - python2.7-dev \ wget \ ca-certificates \ libpixman-1-dev \ 
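Review bot: `FROM ubuntu` drops the release pin that `ubuntu:eoan` carried, so the image now tracks whatever the `ubuntu` default tag resolves to at build time, while the same RUN statement still hard-codes `clang-9`, `gcc-9`, `gcc-9-plugin-dev` and `llvm-9-dev`; a future default release that no longer ships those packages breaks the build, and two builds of the same Dockerfile can yield different toolchains, which also undermines reproducibility of any fuzzing result built on the image. Pin the base to a release, e.g. `FROM ubuntu:focal` (the release this commit also adds to .travis.yml, and the first one that ships the `python-is-python3` package added below), and re-pin deliberately when the compiler versions are bumped. The RUN apt-get statement continues outside the visible hunks.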
diff --git a/GNUmakefile b/GNUmakefile
index d3e9275c..7d9e6d83 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -89,13 +89,23 @@ override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations\
 -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \
 -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\"
+ifeq "$(shell uname -s)" "OpenBSD"
+ override CFLAGS += -I /usr/local/include/
+ LDFLAGS += -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "NetBSD"
+ override CFLAGS += -I /usr/pkg/include/
+ LDFLAGS += -L /usr/pkg/lib/
+endif
+
 AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)
 ifneq "$(shell command -v python3m 2>/dev/null)" ""
 ifneq "$(shell command -v python3m-config 2>/dev/null)" ""
 PYTHON_INCLUDE ?= $(shell python3m-config --includes)
 PYTHON_VERSION ?= $(strip $(shell python3m --version 2>&1))
- # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
+ # Starting with python3.8, we need to pass the `embed` flag. Earlier versions didn't know this flag.
 ifeq "$(shell python3m-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
 PYTHON_LIB ?= $(shell python3m-config --libs --embed --ldflags)
 else
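Review bot: The new OpenBSD block adds the library path with a plain `LDFLAGS += -L /usr/local/lib/` while the matching include path uses `override CFLAGS +=`; if LDFLAGS is ever passed on the make command line, GNU make drops the non-override append, so the `-L` silently disappears while the `-I` survives and the link fails for no visible reason. If both are meant to be mandatory on those platforms, use `override LDFLAGS += -L /usr/local/lib/` here and `override LDFLAGS += -L /usr/pkg/lib/` in the NetBSD block. `$(shell uname -s)` is also forked twice in this hunk and `$(shell uname)` a third time in the later unit-test hunk of this file; one `UNAME_S := $(shell uname -s)` near the top and `ifeq "$(UNAME_S)" "OpenBSD"` would avoid the repeated parse-time process spawns.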
@@ -193,15 +203,17 @@ ifdef NO_PYTHON
 endif
 IN_REPO=0
-ifeq "$(shell git status >/dev/null 2>&1 && echo 1 || echo 0)" "1"
+ifeq "$(shell command -v git >/dev/null && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1"
 IN_REPO=1
 endif
-ifeq "$(shell svn proplist . 2>/dev/null && echo 1 || echo 0)" "1"
+ifeq "$(shell command -v svn >/dev/null && svn proplist . 2>/dev/null && echo 1 || echo 0)" "1"
 IN_REPO=1
 endif
-ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
-ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=address -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+ ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+ ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+endif
 ifdef ASAN_BUILD
 $(info Compiling ASAN version of binaries)
@@ -252,7 +264,7 @@ help:
 @echo "deepclean: cleans everything including downloads"
 @echo "code-format: format the code, do this before you commit and send a PR please!"
 @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
- @echo "unit: perform unit tests (based on cmocka)"
+ @echo "unit: perform unit tests (based on cmocka and GNU linker)"
 @echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
 @echo "help: shows these build options :-)"
 @echo "=========================================="
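Review bot: When the new ASAN probe fails, ASAN_CFLAGS and ASAN_LDFLAGS are simply left undefined, yet `make ASAN_BUILD=1` still prints `Compiling ASAN version of binaries` and, if the `ifdef ASAN_BUILD` block only appends those variables, quietly produces an unsanitized build that the user believes is sanitized; a requested sanitizer build that silently is not one is worse than a failing one. Guard the request inside `ifdef ASAN_BUILD` with `ifndef ASAN_CFLAGS`, `$(error ASAN_BUILD requested but $(CC) cannot compile with -fsanitize=address)`, `endif`. The probe also runs a compiler at parse time on every invocation, including `make clean`, and writes a fixed `.test2` in the source directory, so two makes started in one tree can race on the same file; a PID-derived temp name (or `-o /dev/null`, if the toolchains in use accept it) would remove the shared file. The `ifdef ASAN_BUILD` block continues outside the hunk.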
@@ -385,8 +397,17 @@ unit_preallocable: test/unittests/unit_preallocable.o
 unit_clean:
 @rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o
+ifneq "$(shell uname)" "Darwin"
+
 unit: unit_maybe_alloc unit_preallocable unit_list unit_clean
+else
+
+unit:
+ @echo [-] unit tests are skipped on Darwin \(lacks GNU linker feature --wrap\)
+
+endif
+
 code-format:
 ./.custom-format.py -i src/*.c
 ./.custom-format.py -i include/*.h
@@ -439,7 +460,7 @@ all_done: test_build
 .NOTPARALLEL: clean all
 clean:
- rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable
+ rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-*
 rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
 -$(MAKE) -C llvm_mode clean
 -$(MAKE) -C gcc_plugin clean
diff --git a/Makefile b/Makefile
index 0b306dde..08dd29d7 100644
--- a/Makefile
+++ b/Makefile
@@ -1,2 +1,42 @@
 all:
- @echo please use GNU make, thanks!
+ @echo trying to use GNU make...
+ @gmake all
+
+source-only:
+ @gmake source-only
+
+binary-only:
+ @gmake binary-only
+
+distrib:
+ @gmake distrib
+
+man:
+ @gmake man
+
+install:
+ @gmake install
+
+document:
+ @gmake document
+
+deepclean:
+ @gmake deepclean
+
+code-format:
+ @gmake code-format
+
+help:
+ @gmake help
+
+tests:
+ @gmake tests
+
+unit:
+ @gmake unit
+
+unit_clean:
+ @gmake unit_clean
+
+clean:
+ @gmake clean
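Review bot: None of the new forwarding targets in Makefile (`all`, `clean`, `install`, `help`, `tests`, `unit`, …) is declared `.PHONY`, so a file or directory in the checkout that happens to carry one of those names — `help` or `clean` are easy to create by accident — makes the target "up to date" and the `gmake` call silently never runs. Add `.PHONY: all source-only binary-only distrib man install document deepclean code-format help tests unit unit_clean clean` at the top of the file; `.PHONY` is understood by BSD make as well, which is the make this stub exists for. Invoking `gmake` literally rather than `$(MAKE)` is correct here, since `$(MAKE)` would re-enter the non-GNU make that read this file.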
diff --git a/README.md b/README.md index 04ead78e..253275e2 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@  - Release Version: [2.64c](https://github.com/AFLplusplus/AFLplusplus/releases) + Release Version: [2.65c](https://github.com/AFLplusplus/AFLplusplus/releases) - Github Version: 2.64d + Github Version: 2.65d includes all necessary/interesting changes from Google's afl 2.56b @@ -137,7 +137,7 @@ afl++ has many build options. The easiest is to build and install everything: ```shell -$ sudo apt install build-essential libtool-bin python3 automake flex bison libglib2.0-dev libpixman-1-dev clang python-setuptools llvm +$ sudo apt install build-essential libtool-bin python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm $ make distrib $ sudo make install ``` @@ -672,8 +672,9 @@ Here are some of the most important caveats for AFL: To work around this, you can comment out the relevant checks (see examples/libpng_no_checksum/ for inspiration); if this is not possible, - you can also write a postprocessor, as explained in - examples/post_library/ (with AFL_POST_LIBRARY) + you can also write a postprocessor, one of the hooks of custom mutators. + See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use + `AFL_CUSTOM_MUTATOR_LIBRARY` - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md) diff --git a/TODO.md b/TODO.md index dd88dcc2..d084f6e8 100644 --- a/TODO.md +++ b/TODO.md 
@@ -2,17 +2,17 @@ ## Roadmap 2.65+ - - InsTrim mode for LTO solution + - sync_fuzzers(): only masters sync from all, slaves only sync from master + (@andrea: be careful, often people run all slaves) - AFL_MAP_SIZE for qemu_mode and unicorn_mode - random crc32 HASH_CONST per run? because with 65536 paths we have collisions - namespace for targets? e.g. network - libradamsa as a custom module? + - focal for travis ## Further down the road afl-fuzz: - - sync_fuzzers(): only masters sync from all, slaves only sync from master - (@andrea: be careful, often people run all slaves) - ascii_only mode for mutation output - or use a custom mutator for this? - setting min_len/max_len/start_offset/end_offset limits for mutation output diff --git a/docs/Changelog.md b/docs/Changelog.md index 0b5c11e8..ef5759c8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,12 +9,14 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to <afl-users+subscribe@googlegroups.com>. -### Version ++2.64d (develop): +### Version ++2.65c (release): - afl-fuzz: - AFL_MAP_SIZE was not working correctly - better python detection - an old, old bug in afl that would show negative stability in rare circumstances is now hopefully fixed + - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see docs/custom_mutators.md) - llvm_mode: - afl-clang-fast/lto now do not skip single block functions. This behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK @@ -35,6 +37,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - gcc_plugin: - better dependency checks - unicorn_mode: + - validate_crash_callback can now count non-crashing inputs as crash as well - better submodule handling - afl-showmap: fix for -Q mode - added examples/afl_network_proxy which allows to fuzz a target over the diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 3cd874b9..464acbee 100644 --- a/docs/custom_mutators.md 
+++ b/docs/custom_mutators.md @@ -33,13 +33,14 @@ C/C++: ```c void *afl_custom_init(afl_t *afl, unsigned int seed); size_t afl_custom_fuzz(void *data, uint8_t *buf, size_t buf_size, u8 **out_buf, uint8_t *add_buf, size_t add_buf_size, size_t max_size); -size_t afl_custom_pre_save(void *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf); +size_t afl_custom_post_process(void *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf); int32_t afl_custom_init_trim(void *data, uint8_t *buf, size_t buf_size); size_t afl_custom_trim(void *data, uint8_t **out_buf); int32_t afl_custom_post_trim(void *data, int success) { size_t afl_custom_havoc_mutation(void *data, u8 *buf, size_t buf_size, u8 **out_buf, size_t max_size); uint8_t afl_custom_havoc_mutation_probability(void *data); -uint8_t afl_custom_queue_get(void *data, const uint8_t *filename); void afl_custom_queue_new_entry(void *data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue); +uint8_t afl_custom_queue_get(void *data, const uint8_t *filename); +void afl_custom_queue_new_entry(void *data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue); void afl_custom_deinit(void *data); ``` @@ -51,7 +52,7 @@ def init(seed): def fuzz(buf, add_buf, max_size): return mutated_out -def pre_save(buf): +def post_process(buf): return out_buf def init_trim(buf): 
@@ -84,13 +85,16 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): - `queue_get` (optional): - This method determines whether the fuzzer should fuzz the current queue - entry or not + This method determines whether the custom fuzzer should fuzz the current + queue entry or not -- `fuzz` (required): +- `fuzz` (optional): This method performs custom mutations on a given input. It also accepts an additional test case. + Note that this function is optional - but it makes sense to use it. + You would only skip this if `post_process` is used to fix checksums etc. + so you are using it e.g. as a post processing library. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -99,7 +103,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): `havoc_mutation_probability`, returns the probability that `havoc_mutation` is called in havoc. By default, it is 6%. -- `pre_save` (optional): +- `post_process` (optional): For some cases, the format of the mutated data returned from the custom mutator is not suitable to directly execute the target with this input. @@ -107,13 +111,20 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): protobuf format which corresponds to a given grammar. In order to execute the target, the protobuf data must be converted to the plain-text format expected by the target. In such scenarios, the user can define the - `pre_save` function. This function is then transforms the data into the + `post_process` function. This function is then transforming the data into the format expected by the API before executing the target. - `queue_new_entry` (optional): This methods is called after adding a new test case to the queue. +- `deinit`: + + The last method to be called, deinitializing the state. + +Note that there are also three functions for trimming as described in the +next section. + ### Trimming Support The generic trimming routines implemented in AFL++ can easily destroy the 
@@ -160,10 +171,8 @@ trimmed input. Here's a quick API description: In any case, this method must return the next trim iteration index (from 0 to the maximum amount of steps you returned in `init_trim`). -`deinit` the last method to be called, deinitializing the state. - -Omitting any of three methods will cause the trimming to be disabled and trigger -a fallback to the builtin default trimming routine. +Omitting any of three trimming methods will cause the trimming to be disabled +and trigger a fallback to the builtin default trimming routine. ### Environment Variables @@ -214,7 +223,7 @@ For C/C++ mutator, the source code must be compiled as a shared object: gcc -shared -Wall -O3 example.c -o example.so ``` Note that if you specify multiple custom mutators, the corresponding functions will -be called in the order in which they are specified. e.g first `pre_save` function of +be called in the order in which they are specified. e.g first `post_process` function of `example_first.so` will be called and then that of `example_second.so` ### Run diff --git a/docs/env_variables.md b/docs/env_variables.md index 36e5a432..2668be7d 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -310,9 +310,8 @@ checks or alter some of the more exotic semantics of the tool: else. This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. - - Setting AFL_POST_LIBRARY allows you to configure a postprocessor for - mutated files - say, to fix up checksums. See examples/post_library/ - for more. + - Note that AFL_POST_LIBRARY is deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see below). - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with afl_custom_fuzz() creates additional mutations through this library. diff --git a/docs/sister_projects.md b/docs/sister_projects.md index 1625044c..a501ecbd 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md 
@@ -56,13 +56,6 @@ functionality is now available as the "persistent" feature described in http://llvm.org/docs/LibFuzzer.html -## AFL fixup shim (Ben Nagy) - -Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages -that don't have C / .so bindings. Includes examples in Go. - -https://github.com/bnagy/aflfix - ## TriforceAFL (Tim Newsham and Jesse Hertz) Leverages QEMU full system emulation mode to allow AFL to target operating diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index cf09b2ad..68bd0706 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -15,7 +15,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -42,7 +42,7 @@ #include <fcntl.h> #ifdef USE_DEFLATE -#include <libdeflate.h> + #include <libdeflate.h> #endif u8 *__afl_area_ptr; @@ -321,7 +321,7 @@ int main(int argc, char *argv[]) { // fprintf(stderr, "Sending testcase with len %u\n", *lenptr); #ifdef USE_DEFLATE -#ifdef COMPRESS_TESTCASES + #ifdef COMPRESS_TESTCASES // we only compress the testcase if it does not fit in the TCP packet if (*lenptr > 1500 - 20 - 32 - 4) { @@ -341,17 +341,17 @@ int main(int argc, char *argv[]) { } else { -#endif + #endif #endif if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) PFATAL("sending test data failed"); #ifdef USE_DEFLATE -#ifdef COMPRESS_TESTCASES + #ifdef COMPRESS_TESTCASES // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr); } -#endif + #endif #endif received = 0; diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 59064b2c..ab7874fd 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c 
@@ -25,7 +25,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" @@ -62,7 +62,7 @@ #include <netdb.h> #ifdef USE_DEFLATE -#include <libdeflate.h> + #include <libdeflate.h> struct libdeflate_compressor * compressor; struct libdeflate_decompressor *decompressor; #endif diff --git a/examples/afl_proxy/afl-proxy.c b/examples/afl_proxy/afl-proxy.c index 36121e17..f2dfeac1 100644 --- a/examples/afl_proxy/afl-proxy.c +++ b/examples/afl_proxy/afl-proxy.c @@ -24,7 +24,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index af16a6bf..664e691c 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -34,7 +34,7 @@ #define _GNU_SOURCE #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -58,14 +58,14 @@ #include <sys/types.h> #if defined(__linux__) -#include <sys/ucontext.h> + #include <sys/ucontext.h> #elif defined(__APPLE__) && defined(__LP64__) -#include <mach-o/dyld_images.h> + #include <mach-o/dyld_images.h> #elif defined(__FreeBSD__) -#include <sys/sysctl.h> -#include <sys/user.h> + #include <sys/sysctl.h> + #include <sys/user.h> #else -#error "Unsupported platform" + #error "Unsupported platform" #endif #define MEMORY_MAP_DECREMENT 0x200000000000 
@@ -446,15 +446,15 @@ static void __afl_end_testcase(int status) { } #ifdef __aarch64__ -#define SHADOW(addr) \ - ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x7) * 0x10000000000)) + #define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) #else -#define SHADOW(addr) \ - ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x3) * 0x10000000000)) + #define SHADOW(addr) \ + ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x3) * 0x10000000000)) #endif void setup_trap_instrumentation() { @@ -583,7 +583,7 @@ void setup_trap_instrumentation() { #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -#error "non x86_64/aarch64 not supported yet" + #error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -622,20 +622,20 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) -#if defined(__x86_64__) || defined(__i386__) + #if defined(__x86_64__) || defined(__i386__) ctx->uc_mcontext.gregs[REG_RIP] -= 1; addr = ctx->uc_mcontext.gregs[REG_RIP]; -#elif defined(__aarch64__) + #elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -#else -#error "Unsupported processor" -#endif + #else + #error "Unsupported processor" + #endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; #else -#error "Unsupported platform" + #error "Unsupported platform" #endif // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, 
diff --git a/examples/custom_mutators/README.md b/examples/custom_mutators/README.md index 6fc7be6c..99fb9da3 100644 --- a/examples/custom_mutators/README.md +++ b/examples/custom_mutators/README.md @@ -6,6 +6,9 @@ See [docs/custom_mutators.md](../docs/custom_mutators.md) for more information Note that if you compile with python3.7 you must use python3 scripts, and if you use python2.7 to compile python2 scripts! +simple_example.c - most simplest example. generates a random sized buffer + filled with 'A' + example.c - this is a simple example written in C and should be compiled to a shared library. Use make to compile it and produce libexamplemutator.so diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index c8200b26..23add128 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -38,7 +38,7 @@ typedef struct my_mutator { BUF_VAR(u8, data); BUF_VAR(u8, havoc); BUF_VAR(u8, trim); - BUF_VAR(u8, pre_save); + BUF_VAR(u8, post_process); } my_mutator_t; @@ -139,11 +139,12 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, * @return Size of the output buffer after processing or the needed amount. * A return of 0 indicates an error. */ -size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, - uint8_t **out_buf) { +size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, + size_t buf_size, uint8_t **out_buf) { - uint8_t *pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5); - if (!pre_save_buf) { + uint8_t *post_process_buf = + maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); + if (!post_process_buf) { perror("custom mutator realloc failed."); *out_buf = NULL; 
@@ -151,14 +152,14 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, } - memcpy(pre_save_buf + 5, buf, buf_size); - pre_save_buf[0] = 'A'; - pre_save_buf[1] = 'F'; - pre_save_buf[2] = 'L'; - pre_save_buf[3] = '+'; - pre_save_buf[4] = '+'; + memcpy(post_process_buf + 5, buf, buf_size); + post_process_buf[0] = 'A'; + post_process_buf[1] = 'F'; + post_process_buf[2] = 'L'; + post_process_buf[3] = '+'; + post_process_buf[4] = '+'; - *out_buf = pre_save_buf; + *out_buf = post_process_buf; return buf_size + 5; @@ -364,7 +365,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data, */ void afl_custom_deinit(my_mutator_t *data) { - free(data->pre_save_buf); + free(data->post_process_buf); free(data->havoc_buf); free(data->data_buf); free(data->fuzz_buf); diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 9e95eed6..cf659e5a 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -21,6 +21,7 @@ COMMANDS = [ b"GET", b"PUT", b"DEL", + b"AAAAAAAAAAAAAAAAA", ] @@ -119,7 +120,7 @@ def fuzz(buf, add_buf, max_size): # # return next_index # -# def pre_save(buf): +# def post_process(buf): # ''' # Called just before the execution to write the test case in the format # expected by the target diff --git a/examples/custom_mutators/simple_example.c b/examples/custom_mutators/simple_example.c new file mode 100644 index 00000000..a351d787 --- /dev/null +++ b/examples/custom_mutators/simple_example.c 
@@ -0,0 +1,74 @@
+// This simple example just creates random buffer <= 100 filled with 'A'
+// needs -I /path/to/AFLplusplus/include
+#include "custom_mutator_helpers.h"
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#ifndef _FIXED_CHAR
+ #define 0x41
+#endif
+
+typedef struct my_mutator {
+
+ afl_t *afl;
+
+ // Reused buffers:
+ BUF_VAR(u8, fuzz);
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+ srand(seed);
+ my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+ if (!data) {
+
+ perror("afl_custom_init alloc");
+ return NULL;
+
+ }
+
+ data->afl = afl;
+
+ return data;
+
+}
+
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+ u8 **out_buf, uint8_t *add_buf,
+ size_t add_buf_size, // add_buf can be NULL
+ size_t max_size) {
+
+ int size = (rand() % 100) + 1;
+ if (size > max_size) size = max_size;
+ u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), size);
+ if (!mutated_out) {
+
+ *out_buf = NULL;
+ perror("custom mutator allocation (maybe_grow)");
+ return 0; /* afl-fuzz will very likely error out after this. */
+
+ }
+
+ memset(mutated_out, _FIXED_CHAR, size);
+
+ *out_buf = mutated_out;
+ return size;
+
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+void afl_custom_deinit(my_mutator_t *data) {
+
+ free(data->fuzz_buf);
+ free(data);
+
+}
+
diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c
deleted file mode 100644
index 0aa780cb..00000000
--- a/examples/post_library/post_library.so.c
+++ /dev/null
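Review bot: `#define 0x41` under `#ifndef _FIXED_CHAR` has no macro name, so the fallback branch is a preprocessor error and the new file compiles only when `_FIXED_CHAR` is already defined on the compiler command line; it should read `#define _FIXED_CHAR 0x41`. Names beginning with an underscore and an uppercase letter are reserved for the implementation in C, so `FIXED_CHAR` (with a matching `-D`) would be the safer spelling. In afl_custom_fuzz, `size` is an `int` that is compared against and assigned from the `size_t max_size`; declaring it `size_t size = (rand() % 100) + 1;` keeps the types consistent, and it is worth a comment that a `max_size` of 0 makes the function return 0, which the comment on the allocation-failure path describes as an error condition for afl-fuzz.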
@@ -1,159 +0,0 @@ -/* - american fuzzy lop++ - postprocessor library example - -------------------------------------------------- - - Originally written by Michal Zalewski - Edited by Dominik Maier, 2020 - - Copyright 2015 Google Inc. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Postprocessor libraries can be passed to afl-fuzz to perform final cleanup - of any mutated test cases - for example, to fix up checksums in PNG files. - - Please heed the following warnings: - - 1) In almost all cases, it is more productive to comment out checksum logic - in the targeted binary (as shown in ../libpng_no_checksum/). One possible - exception is the process of fuzzing binary-only software in QEMU mode. - - 2) The use of postprocessors for anything other than checksums is - questionable and may cause more harm than good. AFL is normally pretty good - about dealing with length fields, magic values, etc. - - 3) Postprocessors that do anything non-trivial must be extremely robust to - gracefully handle malformed data and other error conditions - otherwise, - they will crash and take afl-fuzz down with them. Be wary of reading past - *len and of integer overflows when calculating file offsets. - - In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really, - honestly know what you're doing =) - - With that out of the way: the postprocessor library is passed to afl-fuzz - via AFL_POST_LIBRARY. The library must be compiled with: - - gcc -shared -Wall -O3 post_library.so.c -o post_library.so - - AFL will call the afl_postprocess() function for every mutated output buffer. - From there, you have three choices: - - 1) If you don't want to modify the test case, simply set `*out_buf = in_buf` - and return the original `len`. 
- - 2) If you want to skip this test case altogether and have AFL generate a - new one, return 0 or set `*out_buf = NULL`. - Use this sparingly - it's faster than running the target program - with patently useless inputs, but still wastes CPU time. - - 3) If you want to modify the test case, allocate an appropriately-sized - buffer, move the data into that buffer, make the necessary changes, and - then return the new pointer as out_buf. Return an appropriate len - afterwards. - - Note that the buffer will *not* be freed for you. To avoid memory leaks, - you need to free it or reuse it on subsequent calls (as shown below). - - *** Feel free to reuse the original 'in_buf' BUFFER and return it. *** - - Aight. The example below shows a simple postprocessor that tries to make - sure that all input files start with "GIF89a". - - PS. If you don't like C, you can try out the unix-based wrapper from - Ben Nagy instead: https://github.com/bnagy/aflfix - - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -/* Header that must be present at the beginning of every test case: */ - -#define HEADER "GIF89a" - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -/* The actual postprocessor routine called by afl-fuzz: */ - -size_t afl_postprocess(post_state_t *data, unsigned char *in_buf, - unsigned int len, unsigned char **out_buf) { - - /* Skip execution altogether for buffers shorter than 6 bytes (just to - show how it's done). We can trust len to be sane. */ - - if (len < strlen(HEADER)) return 0; - - /* Do nothing for buffers that already start with the expected header. 
*/ - - if (!memcmp(in_buf, HEADER, strlen(HEADER))) { - - *out_buf = in_buf; - return len; - - } - - /* Allocate memory for new buffer, reusing previous allocation if - possible. */ - - *out_buf = realloc(data->buf, len); - - /* If we're out of memory, the most graceful thing to do is to return the - original buffer and give up on modifying it. Let AFL handle OOM on its - own later on. */ - - if (!*out_buf) { - - *out_buf = in_buf; - return len; - - } - - /* Copy the original data to the new location. */ - - memcpy(*out_buf, in_buf, len); - - /* Insert the new header. */ - - memcpy(*out_buf, HEADER, strlen(HEADER)); - - /* Return the new len. It hasn't changed, so it's just len. */ - - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c deleted file mode 100644 index 41ba4f5e..00000000 --- a/examples/post_library/post_library_png.so.c +++ /dev/null 
@@ -1,156 +0,0 @@ -/* - american fuzzy lop++ - postprocessor for PNG - ------------------------------------------ - - Originally written by Michal Zalewski - - Copyright 2015 Google Inc. All rights reserved. - Adapted to the new API, 2020 by Dominik Maier - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - See post_library.so.c for a general discussion of how to implement - postprocessors. This specific postprocessor attempts to fix up PNG - checksums, providing a slightly more complicated example than found - in post_library.so.c. - - Compile with: - - gcc -shared -Wall -O3 post_library_png.so.c -o post_library_png.so -lz - - */ - -#include <stdio.h> -#include <stdlib.h> -#include <stdint.h> -#include <string.h> -#include <zlib.h> - -#include <arpa/inet.h> - -/* A macro to round an integer up to 4 kB. */ - -#define UP4K(_i) ((((_i) >> 12) + 1) << 12) - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -size_t afl_postprocess(post_state_t *data, const unsigned char *in_buf, - unsigned int len, const unsigned char **out_buf) { - - unsigned char *new_buf = (unsigned char *)in_buf; - unsigned int pos = 8; - - /* Don't do anything if there's not enough room for the PNG header - (8 bytes). */ - - if (len < 8) { - - *out_buf = in_buf; - return len; - - } - - /* Minimum size of a zero-length PNG chunk is 12 bytes; if we - don't have that, we can bail out. 
*/ - - while (pos + 12 <= len) { - - unsigned int chunk_len, real_cksum, file_cksum; - - /* Chunk length is the first big-endian dword in the chunk. */ - - chunk_len = ntohl(*(uint32_t *)(in_buf + pos)); - - /* Bail out if chunk size is too big or goes past EOF. */ - - if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > len) break; - - /* Chunk checksum is calculated for chunk ID (dword) and the actual - payload. */ - - real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4)); - - /* The in-file checksum is the last dword past the chunk data. */ - - file_cksum = *(uint32_t *)(in_buf + pos + 8 + chunk_len); - - /* If the checksums do not match, we need to fix the file. */ - - if (real_cksum != file_cksum) { - - /* First modification? Make a copy of the input buffer. Round size - up to 4 kB to minimize the number of reallocs needed. */ - - if (new_buf == in_buf) { - - if (len <= data->size) { - - new_buf = data->buf; - - } else { - - new_buf = realloc(data->buf, UP4K(len)); - if (!new_buf) { - - *out_buf = in_buf; - return len; - - } - - data->buf = new_buf; - data->size = UP4K(len); - memcpy(new_buf, in_buf, len); - - } - - } - - *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum; - - } - - /* Skip the entire chunk and move to the next one. */ - - pos += 12 + chunk_len; - - } - - *out_buf = new_buf; - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index 6e4e1335..e6a4a766 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -55,10 +55,10 @@ /* clear helper macros AFL types pull in, which intervene with gcc-plugin * headers from GCC-8 */ #ifdef likely -#undef likely + #undef likely #endif #ifdef unlikely -#undef unlikely + #undef unlikely #endif #include <stdio.h> 
@@ -295,16 +295,16 @@ static unsigned int inline_instrument(function *fun) { update_stmt(g); #if 1 -#if 0 + #if 0 tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -#else + #else g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -#endif + #endif // gimple_assign <mem_ref, _3, *p_6, NULL, NULL> tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 0a2246e7..f41bea17 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -20,13 +20,13 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "../config.h" #include "../types.h" #ifdef USEMMAP -#include <stdio.h> + #include <stdio.h> #endif #include <stdlib.h> #include <signal.h> diff --git a/include/afl-as.h b/include/afl-as.h index a2bf1f9c..e90289d4 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -404,9 +404,9 @@ static const u8 *main_payload_32 = recognize .string. */ #ifdef __APPLE__ -#define CALL_L64(str) "call _" str "\n" + #define CALL_L64(str) "call _" str "\n" #else -#define CALL_L64(str) "call " str "@PLT\n" + #define CALL_L64(str) "call " str "@PLT\n" #endif /* ^__APPLE__ */ static const u8 *main_payload_64 = @@ -744,9 +744,9 @@ static const u8 *main_payload_64 = #ifdef __APPLE__ " .comm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY + #ifndef COVERAGE_ONLY " .comm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ + #endif /* !COVERAGE_ONLY */ " .comm __afl_fork_pid, 4\n" " .comm __afl_temp, 4\n" " .comm __afl_setup_failure, 1\n" 
@@ -754,9 +754,9 @@ static const u8 *main_payload_64 = #else " .lcomm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY + #ifndef COVERAGE_ONLY " .lcomm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ + #endif /* !COVERAGE_ONLY */ " .lcomm __afl_fork_pid, 4\n" " .lcomm __afl_temp, 4\n" " .lcomm __afl_setup_failure, 1\n" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9f306b7e..9907c245 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -31,14 +31,14 @@ #define MESSAGES_TO_STDOUT #ifndef _GNU_SOURCE -#define _GNU_SOURCE 1 + #define _GNU_SOURCE 1 #endif #ifndef _FILE_OFFSET_BITS -#define _FILE_OFFSET_BITS 64 + #define _FILE_OFFSET_BITS 64 #endif #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" @@ -76,7 +76,7 @@ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ defined(__NetBSD__) || defined(__DragonFly__) -#include <sys/sysctl.h> + #include <sys/sysctl.h> #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ /* For systems that have sched_setaffinity; right now just Linux, but one 
@@ -84,31 +84,31 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include <sys/param.h> -#if defined(__FreeBSD__) -#include <sys/cpuset.h> -#endif -#include <sys/user.h> -#include <pthread.h> -#include <pthread_np.h> -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include <pthread.h> -#endif + #define HAVE_AFFINITY 1 + #if defined(__FreeBSD__) || defined(__DragonFly__) + #include <sys/param.h> + #if defined(__FreeBSD__) + #include <sys/cpuset.h> + #endif + #include <sys/user.h> + #include <pthread.h> + #include <pthread_np.h> + #define cpu_set_t cpuset_t + #elif defined(__NetBSD__) + #include <pthread.h> + #endif #endif /* __linux__ */ #ifdef __APPLE__ -#include <TargetConditionals.h> + #include <TargetConditionals.h> #endif #undef LIST_FOREACH /* clashes with FreeBSD */ #include "list.h" #ifndef SIMPLE_FILES -#define CASE_PREFIX "id:" + #define CASE_PREFIX "id:" #else -#define CASE_PREFIX "id_" + #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */ 
@@ -231,36 +231,36 @@ enum { /* Python stuff */ #ifdef USE_PYTHON -// because Python sets stuff it should not ... -#ifdef _POSIX_C_SOURCE -#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE -#undef _POSIX_C_SOURCE -#endif -#ifdef _XOPEN_SOURCE -#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE -#undef _XOPEN_SOURCE -#endif - -#include <Python.h> - -#ifdef _SAVE_POSIX_C_SOURCE -#ifdef _POSIX_C_SOURCE -#undef _POSIX_C_SOURCE -#endif -#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE -#endif -#ifdef _SAVE_XOPEN_SOURCE -#ifdef _XOPEN_SOURCE -#undef _XOPEN_SOURCE -#endif -#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE -#endif + // because Python sets stuff it should not ... + #ifdef _POSIX_C_SOURCE + #define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE + #undef _POSIX_C_SOURCE + #endif + #ifdef _XOPEN_SOURCE + #define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE + #undef _XOPEN_SOURCE + #endif + + #include <Python.h> + + #ifdef _SAVE_POSIX_C_SOURCE + #ifdef _POSIX_C_SOURCE + #undef _POSIX_C_SOURCE + #endif + #define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE + #endif + #ifdef _SAVE_XOPEN_SOURCE + #ifdef _XOPEN_SOURCE + #undef _XOPEN_SOURCE + #endif + #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE + #endif enum { /* 00 */ PY_FUNC_INIT, /* 01 */ PY_FUNC_FUZZ, - /* 02 */ PY_FUNC_PRE_SAVE, + /* 02 */ PY_FUNC_POST_PROCESS, /* 03 */ PY_FUNC_INIT_TRIM, /* 04 */ PY_FUNC_POST_TRIM, /* 05 */ PY_FUNC_TRIM, @@ -283,8 +283,8 @@ typedef struct py_mutator { u8 * fuzz_buf; size_t fuzz_size; - u8 * pre_save_buf; - size_t pre_save_size; + u8 * post_process_buf; + size_t post_process_size; u8 * trim_buf; size_t trim_size; @@ -323,9 +323,8 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child_output, afl_autoresume, afl_cal_fast; - u8 *afl_tmpdir, *afl_post_library, *afl_custom_mutator_library, - *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, - *afl_preload; + u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, + *afl_hang_tmout, *afl_skip_crashes, *afl_preload; } afl_env_vars_t; 
@@ -407,7 +406,9 @@ typedef struct afl_state { no_unlink, /* do not unlink cur_input */ debug, /* Debug mode */ custom_only, /* Custom mutator only mode */ - python_only; /* Python-only mode */ + python_only, /* Python-only mode */ + is_master, /* if this is a master */ + is_slave; /* if this is a slave */ u32 stats_update_freq; /* Stats update frequency (execs) */ @@ -418,7 +419,6 @@ typedef struct afl_state { size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32); u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ @@ -545,11 +545,9 @@ typedef struct afl_state { struct extra_data *a_extras; /* Automatically selected extras */ u32 a_extras_cnt; /* Total number of tokens available */ - /* afl_postprocess API */ - void *(*post_init)(struct afl_state *afl); - size_t (*post_handler)(void *data, u8 *buf, u32 len, u8 **out_buf); - void *(*post_deinit)(void *data); - void *post_data; + /* afl_postprocess API - Now supported via custom mutators */ + + struct custom_mutator *post_library_mutator; /* CmpLog */ @@ -623,8 +621,8 @@ struct custom_mutator { const char *name; void * dh; - u8 * pre_save_buf; - size_t pre_save_size; + u8 * post_process_buf; + size_t post_process_size; u8 stacked_custom_prob, stacked_custom; void *data; /* custom mutator data ptr */ @@ -675,8 +673,8 @@ struct custom_mutator { * It can chose to alter buf in-place, if the space is large enough. * @return Size of the output buffer. */ - size_t (*afl_custom_pre_save)(void *data, u8 *buf, size_t buf_size, - u8 **out_buf); + size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size, + u8 **out_buf); /** * This method is called at the start of each trimming operation and receives 
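Review bot: The new `post_library_mutator` field in hunk @@ -545 carries no statement of ownership, whereas the removed `post_init`/`post_handler`/`post_deinit`/`post_data` quartet made the lifecycle of the legacy post library explicit. Together with the removal of `afl_post_library` from `afl_env_vars_t` in hunk @@ -323 of this file, the diff does not show how a legacy post library now reaches this pointer, nor whether the pointer is a separately owned object or an alias into the regular custom-mutator list (which decides whether deinit code must free it, and whether freeing it twice is possible). Please extend the comment to something like `/* legacy post library, wrapped as a custom mutator; owned by: TODO state owner, NULL when unused */` so the next reader does not have to infer the contract from the loader. The enclosing `struct afl_state` starts and ends outside the hunk.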
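Review bot: In hunk @@ -675 the callback is renamed from `afl_custom_pre_save` to `afl_custom_post_process`, but its doc comment is left untouched; the one visible line of it still reads "It can chose to alter buf in-place" and should be ` * It can choose to alter buf in-place, if the space is large enough.`. Since the earlier lines of that comment lie outside the hunk, they should be checked to make sure they describe the post-process stage by its new name rather than the old pre-save wording. The enclosing `struct custom_mutator` starts and ends outside the hunk.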
@@ -825,7 +823,7 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf, struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); -size_t pre_save_py(void *, u8 *, size_t, u8 **); +size_t post_process_py(void *, u8 *, size_t, u8 **); s32 init_trim_py(void *, u8 *, size_t); s32 post_trim_py(void *, u8); size_t trim_py(void *, u8 **); diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 485446de..ca593549 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h 
@@ -41,44 +41,44 @@ // Be careful! _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators #ifndef _WANT_ORIGINAL_AFL_ALLOC -// afl++ stuff without memory corruption checks - for speed + // afl++ stuff without memory corruption checks - for speed -/* User-facing macro to sprintf() to a dynamically allocated buffer. */ + /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) \ - ({ \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - \ - }) + #define alloc_printf(_str...) \ + ({ \ + \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + \ + }) -/* Macro to enforce allocation limits as a last-resort defense against - integer overflows. */ + /* Macro to enforce allocation limits as a last-resort defense against + integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) \ - do { \ - \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - } while (0) + #define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + } while (0) -/* Macro to check malloc() failures and the like. */ + /* Macro to check malloc() failures and the like. */ -#define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - } while (0) + #define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + } while (0) -/* Allocator increments for ck_realloc_block(). */ + /* Allocator increments for ck_realloc_block(). */ -#define ALLOC_BLK_INC 256 + #define ALLOC_BLK_INC 256 /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ 
@@ -214,104 +214,104 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -/* In non-debug mode, we just do straightforward aliasing of the above - functions to user-visible names such as ck_alloc(). */ + /* In non-debug mode, we just do straightforward aliasing of the above + functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free + #define ck_alloc DFL_ck_alloc + #define ck_alloc_nozero DFL_ck_alloc_nozero + #define ck_realloc DFL_ck_realloc + #define ck_realloc_block DFL_ck_realloc_block + #define ck_strdup DFL_ck_strdup + #define ck_memdup DFL_ck_memdup + #define ck_memdup_str DFL_ck_memdup_str + #define ck_free DFL_ck_free -#define alloc_report() + #define alloc_report() #else -// This is the original alloc-inl of stock afl - -/* User-facing macro to sprintf() to a dynamically allocated buffer. */ - -#define alloc_printf(_str...) \ - ({ \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - \ - }) - -/* Macro to enforce allocation limits as a last-resort defense against - integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) \ - do { \ - \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - } while (0) - -/* Macro to check malloc() failures and the like. */ - -#define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - } while (0) - -/* Magic tokens used to mark used / freed chunks. 
*/ - -#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ - -/* Positions of guard tokens in relation to the user-visible pointer. */ - -#define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) -#define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) -#define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) - -#define ALLOC_OFF_HEAD 8 -#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) - -/* Allocator increments for ck_realloc_block(). */ - -#define ALLOC_BLK_INC 256 - -/* Sanity-checking macros for pointers. */ - -#define CHECK_PTR(_p) \ - do { \ - \ - if (_p) { \ - \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ - \ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else \ - ABORT("Corrupted head alloc canary."); \ - \ - } \ - if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ - ABORT("Corrupted tail alloc canary."); \ - \ - } \ - \ - } while (0) - -#define CHECK_PTR_EXPR(_p) \ - ({ \ - \ - typeof(_p) _tmp = (_p); \ - CHECK_PTR(_tmp); \ - _tmp; \ - \ - }) + // This is the original alloc-inl of stock afl + + /* User-facing macro to sprintf() to a dynamically allocated buffer. */ + + #define alloc_printf(_str...) \ + ({ \ + \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + \ + }) + + /* Macro to enforce allocation limits as a last-resort defense against + integer overflows. */ + #define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + } while (0) + + /* Macro to check malloc() failures and the like. */ + + #define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + } while (0) + + /* Magic tokens used to mark used / freed chunks. 
*/ + + #define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ + #define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ + #define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ + + /* Positions of guard tokens in relation to the user-visible pointer. */ + + #define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) + #define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) + #define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) + + #define ALLOC_OFF_HEAD 8 + #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) + + /* Allocator increments for ck_realloc_block(). */ + + #define ALLOC_BLK_INC 256 + + /* Sanity-checking macros for pointers. */ + + #define CHECK_PTR(_p) \ + do { \ + \ + if (_p) { \ + \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ + \ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Corrupted head alloc canary."); \ + \ + } \ + if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ + ABORT("Corrupted tail alloc canary."); \ + \ + } \ + \ + } while (0) + + #define CHECK_PTR_EXPR(_p) \ + ({ \ + \ + typeof(_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + \ + }) /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -357,12 +357,12 @@ static inline void DFL_ck_free(void *mem) { if (!mem) return; CHECK_PTR(mem); -#ifdef DEBUG_BUILD + #ifdef DEBUG_BUILD /* Catch pointer issues sooner. */ memset(mem, 0xFF, ALLOC_S(mem)); -#endif /* DEBUG_BUILD */ + #endif /* DEBUG_BUILD */ ALLOC_C1(mem) = ALLOC_MAGIC_F; @@ -377,7 +377,7 @@ static inline void DFL_ck_free(void *mem) { static inline void *DFL_ck_realloc(void *orig, u32 size) { void *ret; - u32 old_size = 0; + u32 old_size = 0; if (!size) { @@ -390,9 +390,9 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { CHECK_PTR(orig); -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD ALLOC_C1(orig) = ALLOC_MAGIC_F; -#endif /* !DEBUG_BUILD */ + #endif /* !DEBUG_BUILD */ old_size = ALLOC_S(orig); orig -= ALLOC_OFF_HEAD; 
@@ -403,12 +403,12 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { ALLOC_CHECK_SIZE(size); -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD ret = realloc(orig, size + ALLOC_OFF_TOTAL); ALLOC_CHECK_RESULT(ret, size); -#else + #else /* Catch pointer issues sooner: force relocation and make sure that the original buffer is wiped. */ @@ -427,7 +427,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { } -#endif /* ^!DEBUG_BUILD */ + #endif /* ^!DEBUG_BUILD */ ret += ALLOC_OFF_HEAD; @@ -446,7 +446,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { static inline void *DFL_ck_realloc_block(void *orig, u32 size) { -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD if (orig) { @@ -458,7 +458,7 @@ static inline void *DFL_ck_realloc_block(void *orig, u32 size) { } -#endif /* !DEBUG_BUILD */ + #endif /* !DEBUG_BUILD */ return DFL_ck_realloc(orig, size); @@ -469,7 +469,7 @@ static inline void *DFL_ck_realloc_block(void *orig, u32 size) { static inline u8 *DFL_ck_strdup(u8 *str) { void *ret; - u32 size; + u32 size; if (!str) return NULL; 
@@ -538,30 +538,30 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD -/* In non-debug mode, we just do straightforward aliasing of the above - functions to user-visible names such as ck_alloc(). */ + /* In non-debug mode, we just do straightforward aliasing of the above + functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free + #define ck_alloc DFL_ck_alloc + #define ck_alloc_nozero DFL_ck_alloc_nozero + #define ck_realloc DFL_ck_realloc + #define ck_realloc_block DFL_ck_realloc_block + #define ck_strdup DFL_ck_strdup + #define ck_memdup DFL_ck_memdup + #define ck_memdup_str DFL_ck_memdup_str + #define ck_free DFL_ck_free -#define alloc_report() + #define alloc_report() -#else + #else -/* In debugging mode, we also track allocations to detect memory leaks, and - the flow goes through one more layer of indirection. */ + /* In debugging mode, we also track allocations to detect memory leaks, and + the flow goes through one more layer of indirection. */ -/* Alloc tracking data structures: */ + /* Alloc tracking data structures: */ -#define ALLOC_BUCKETS 4096 + #define ALLOC_BUCKETS 4096 struct TRK_obj { 
@@ -571,25 +571,25 @@ struct TRK_obj { }; -#ifdef AFL_MAIN + #ifdef AFL_MAIN struct TRK_obj *TRK[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS]; -#define alloc_report() TRK_report() + #define alloc_report() TRK_report() -#else + #else extern struct TRK_obj *TRK[ALLOC_BUCKETS]; extern u32 TRK_cnt[ALLOC_BUCKETS]; -#define alloc_report() + #define alloc_report() -#endif /* ^AFL_MAIN */ + #endif /* ^AFL_MAIN */ -/* Bucket-assigning function for a given pointer: */ + /* Bucket-assigning function for a given pointer: */ -#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) + #define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) /* Add a new entry to the list of allocated objects. */ 
@@ -739,29 +739,30 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func, } -/* Aliasing user-facing names to tracking functions: */ + /* Aliasing user-facing names to tracking functions: */ -#define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_alloc_nozero(_p1) \ + TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc(_p1, _p2) \ - TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_realloc(_p1, _p2) \ + TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc_block(_p1, _p2) \ - TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_realloc_block(_p1, _p2) \ + TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup(_p1, _p2) \ - TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_memdup(_p1, _p2) \ + TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup_str(_p1, _p2) \ - TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_memdup_str(_p1, _p2) \ + TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) -#endif /* ^!DEBUG_BUILD */ + #endif /* ^!DEBUG_BUILD */ #endif /* _WANT_ORIGINAL_AFL_ALLOC */ diff --git a/include/android-ashmem.h b/include/android-ashmem.h index 77914c35..41d4d2da 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h 
@@ -28,27 +28,27 @@ #ifdef __ANDROID__ -#include <fcntl.h> -#include <linux/shm.h> -#include <linux/ashmem.h> -#include <sys/ioctl.h> -#include <sys/mman.h> - -#if __ANDROID_API__ >= 26 -#define shmat bionic_shmat -#define shmctl bionic_shmctl -#define shmdt bionic_shmdt -#define shmget bionic_shmget -#endif - -#include <sys/shm.h> -#undef shmat -#undef shmctl -#undef shmdt -#undef shmget -#include <stdio.h> - -#define ASHMEM_DEVICE "/dev/ashmem" + #include <fcntl.h> + #include <linux/shm.h> + #include <linux/ashmem.h> + #include <sys/ioctl.h> + #include <sys/mman.h> + + #if __ANDROID_API__ >= 26 + #define shmat bionic_shmat + #define shmctl bionic_shmctl + #define shmdt bionic_shmdt + #define shmget bionic_shmget + #endif + + #include <sys/shm.h> + #undef shmat + #undef shmctl + #undef shmdt + #undef shmget + #include <stdio.h> + + #define ASHMEM_DEVICE "/dev/ashmem" static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { diff --git a/include/config.h b/include/config.h index c21d775a..cd6ff641 100644 --- a/include/config.h +++ b/include/config.h @@ -28,7 +28,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.64d" +#define VERSION "++2.65c" /****************************************************** * * @@ -49,7 +49,7 @@ /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ #ifndef ANDROID_DISABLE_FANCY // Fancy boxes are ugly from adb -#define FANCY_BOXES + #define FANCY_BOXES #endif /* Default timeout for fuzzed code (milliseconds). This is the upper bound, 
@@ -63,20 +63,20 @@ /* 64bit arch MACRO */ #if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__)) -#define WORD_SIZE_64 1 + #define WORD_SIZE_64 1 #endif /* Default memory limit for child process (MB): */ #ifndef __NetBSD__ -#ifndef WORD_SIZE_64 -#define MEM_LIMIT 25 -#else -#define MEM_LIMIT 50 -#endif /* ^!WORD_SIZE_64 */ -#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ - #165 */ -#define MEM_LIMIT 200 + #ifndef WORD_SIZE_64 + #define MEM_LIMIT 25 + #else + #define MEM_LIMIT 50 + #endif /* ^!WORD_SIZE_64 */ +#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ + #165 */ + #define MEM_LIMIT 200 #endif /* Default memory limit when running in QEMU mode (MB): */ @@ -395,9 +395,9 @@ /* for *BSD: use ARC4RANDOM and save a file descriptor */ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) -#ifndef HAVE_ARC4RANDOM -#define HAVE_ARC4RANDOM 1 -#endif + #ifndef HAVE_ARC4RANDOM + #define HAVE_ARC4RANDOM 1 + #endif #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/debug.h b/include/debug.h index 4cce56b5..9dd21ace 100644 --- a/include/debug.h +++ b/include/debug.h @@ -30,7 +30,7 @@ /* __FUNCTION__ is non-iso */ #ifdef __func__ -#define __FUNCTION__ __func__ + #define __FUNCTION__ __func__ #endif /******************* 
@@ -38,82 +38,82 @@ *******************/ #ifndef MESSAGES_TO_STDOUT -#define MESSAGES_TO_STDOUT + #define MESSAGES_TO_STDOUT #endif #ifdef USE_COLOR -#define cBLK "\x1b[0;30m" -#define cRED "\x1b[0;31m" -#define cGRN "\x1b[0;32m" -#define cBRN "\x1b[0;33m" -#define cBLU "\x1b[0;34m" -#define cMGN "\x1b[0;35m" -#define cCYA "\x1b[0;36m" -#define cLGR "\x1b[0;37m" -#define cGRA "\x1b[1;90m" -#define cLRD "\x1b[1;91m" -#define cLGN "\x1b[1;92m" -#define cYEL "\x1b[1;93m" -#define cLBL "\x1b[1;94m" -#define cPIN "\x1b[1;95m" -#define cLCY "\x1b[1;96m" -#define cBRI "\x1b[1;97m" -#define cRST "\x1b[0m" - -#define bgBLK "\x1b[40m" -#define bgRED "\x1b[41m" -#define bgGRN "\x1b[42m" -#define bgBRN "\x1b[43m" -#define bgBLU "\x1b[44m" -#define bgMGN "\x1b[45m" -#define bgCYA "\x1b[46m" -#define bgLGR "\x1b[47m" -#define bgGRA "\x1b[100m" -#define bgLRD "\x1b[101m" -#define bgLGN "\x1b[102m" -#define bgYEL "\x1b[103m" -#define bgLBL "\x1b[104m" -#define bgPIN "\x1b[105m" -#define bgLCY "\x1b[106m" -#define bgBRI "\x1b[107m" + #define cBLK "\x1b[0;30m" + #define cRED "\x1b[0;31m" + #define cGRN "\x1b[0;32m" + #define cBRN "\x1b[0;33m" + #define cBLU "\x1b[0;34m" + #define cMGN "\x1b[0;35m" + #define cCYA "\x1b[0;36m" + #define cLGR "\x1b[0;37m" + #define cGRA "\x1b[1;90m" + #define cLRD "\x1b[1;91m" + #define cLGN "\x1b[1;92m" + #define cYEL "\x1b[1;93m" + #define cLBL "\x1b[1;94m" + #define cPIN "\x1b[1;95m" + #define cLCY "\x1b[1;96m" + #define cBRI "\x1b[1;97m" + #define cRST "\x1b[0m" + + #define bgBLK "\x1b[40m" + #define bgRED "\x1b[41m" + #define bgGRN "\x1b[42m" + #define bgBRN "\x1b[43m" + #define bgBLU "\x1b[44m" + #define bgMGN "\x1b[45m" + #define bgCYA "\x1b[46m" + #define bgLGR "\x1b[47m" + #define bgGRA "\x1b[100m" + #define bgLRD "\x1b[101m" + #define bgLGN "\x1b[102m" + #define bgYEL "\x1b[103m" + #define bgLBL "\x1b[104m" + #define bgPIN "\x1b[105m" + #define bgLCY "\x1b[106m" + #define bgBRI "\x1b[107m" #else -#define cBLK "" -#define cRED "" -#define cGRN 
"" -#define cBRN "" -#define cBLU "" -#define cMGN "" -#define cCYA "" -#define cLGR "" -#define cGRA "" -#define cLRD "" -#define cLGN "" -#define cYEL "" -#define cLBL "" -#define cPIN "" -#define cLCY "" -#define cBRI "" -#define cRST "" - -#define bgBLK "" -#define bgRED "" -#define bgGRN "" -#define bgBRN "" -#define bgBLU "" -#define bgMGN "" -#define bgCYA "" -#define bgLGR "" -#define bgGRA "" -#define bgLRD "" -#define bgLGN "" -#define bgYEL "" -#define bgLBL "" -#define bgPIN "" -#define bgLCY "" -#define bgBRI "" + #define cBLK "" + #define cRED "" + #define cGRN "" + #define cBRN "" + #define cBLU "" + #define cMGN "" + #define cCYA "" + #define cLGR "" + #define cGRA "" + #define cLRD "" + #define cLGN "" + #define cYEL "" + #define cLBL "" + #define cPIN "" + #define cLCY "" + #define cBRI "" + #define cRST "" + + #define bgBLK "" + #define bgRED "" + #define bgGRN "" + #define bgBRN "" + #define bgBLU "" + #define bgMGN "" + #define bgCYA "" + #define bgLGR "" + #define bgGRA "" + #define bgLRD "" + #define bgLGN "" + #define bgYEL "" + #define bgLBL "" + #define bgPIN "" + #define bgLCY "" + #define bgBRI "" #endif /* ^USE_COLOR */ 
@@ -123,39 +123,39 @@ #ifdef FANCY_BOXES -#define SET_G1 "\x1b)0" /* Set G1 for box drawing */ -#define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ -#define bSTART "\x0e" /* Enter G1 drawing mode */ -#define bSTOP "\x0f" /* Leave G1 drawing mode */ -#define bH "q" /* Horizontal line */ -#define bV "x" /* Vertical line */ -#define bLT "l" /* Left top corner */ -#define bRT "k" /* Right top corner */ -#define bLB "m" /* Left bottom corner */ -#define bRB "j" /* Right bottom corner */ -#define bX "n" /* Cross */ -#define bVR "t" /* Vertical, branch right */ -#define bVL "u" /* Vertical, branch left */ -#define bHT "v" /* Horizontal, branch top */ -#define bHB "w" /* Horizontal, branch bottom */ + #define SET_G1 "\x1b)0" /* Set G1 for box drawing */ + #define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ + #define bSTART "\x0e" /* Enter G1 drawing mode */ + #define bSTOP "\x0f" /* Leave G1 drawing mode */ + #define bH "q" /* Horizontal line */ + #define bV "x" /* Vertical line */ + #define bLT "l" /* Left top corner */ + #define bRT "k" /* Right top corner */ + #define bLB "m" /* Left bottom corner */ + #define bRB "j" /* Right bottom corner */ + #define bX "n" /* Cross */ + #define bVR "t" /* Vertical, branch right */ + #define bVL "u" /* Vertical, branch left */ + #define bHT "v" /* Horizontal, branch top */ + #define bHB "w" /* Horizontal, branch bottom */ #else -#define SET_G1 "" -#define RESET_G1 "" -#define bSTART "" -#define bSTOP "" -#define bH "-" -#define bV "|" -#define bLT "+" -#define bRT "+" -#define bLB "+" -#define bRB "+" -#define bX "+" -#define bVR "+" -#define bVL "+" -#define bHT "+" -#define bHB "+" + #define SET_G1 "" + #define RESET_G1 "" + #define bSTART "" + #define bSTOP "" + #define bH "-" + #define bV "|" + #define bLT "+" + #define bRT "+" + #define bLB "+" + #define bRB "+" + #define bX "+" + #define bVR "+" + #define bVL "+" + #define bHT "+" + #define bHB "+" #endif /* ^FANCY_BOXES */ 
@@ -176,9 +176,9 @@ /* Just print stuff to the appropriate stream. */ #ifdef MESSAGES_TO_STDOUT -#define SAYF(x...) printf(x) + #define SAYF(x...) printf(x) #else -#define SAYF(x...) fprintf(stderr, x) + #define SAYF(x...) fprintf(stderr, x) #endif /* ^MESSAGES_TO_STDOUT */ /* Show a prefixed warning. */ diff --git a/include/forkserver.h b/include/forkserver.h index 7e7784f5..e8ac2837 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -110,20 +110,20 @@ void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ -#define MSG_FORK_ON_APPLE \ - " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ - "may\n" \ - " break afl-fuzz performance optimizations when running " \ - "platform-specific\n" \ - " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + #define MSG_FORK_ON_APPLE \ + " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ + "may\n" \ + " break afl-fuzz performance optimizations when running " \ + "platform-specific\n" \ + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" #else -#define MSG_FORK_ON_APPLE "" + #define MSG_FORK_ON_APPLE "" #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" + #define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" + #define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/include/hash.h b/include/hash.h index 3751ac33..cec51eac 100644 --- a/include/hash.h +++ b/include/hash.h @@ -32,7 +32,7 @@ #ifdef __x86_64__ -#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) + #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { 
@@ -67,7 +67,7 @@ static inline u32 hash32(const void *key, u32 len, u32 seed) { #else -#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) + #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { diff --git a/include/types.h b/include/types.h index 72d2ba51..f95c4be2 100644 --- a/include/types.h +++ b/include/types.h @@ -81,23 +81,23 @@ typedef int32_t s32; typedef int64_t s64; #ifndef MIN -#define MIN(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a < _b ? _a : _b; \ - \ - }) - -#define MAX(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a > _b ? _a : _b; \ - \ - }) + #define MIN(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a < _b ? _a : _b; \ + \ + }) + + #define MAX(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a > _b ? _a : _b; \ + \ + }) #endif /* !MIN */ @@ -133,21 +133,21 @@ typedef int64_t s64; }) #ifdef AFL_LLVM_PASS -#if defined(__linux__) || !defined(__ANDROID__) -#define AFL_SR(s) (srandom(s)) -#define AFL_R(x) (random() % (x)) -#else -#define AFL_SR(s) ((void)s) -#define AFL_R(x) (arc4random_uniform(x)) -#endif -#else -#if defined(__linux__) || !defined(__ANDROID__) -#define SR(s) (srandom(s)) -#define R(x) (random() % (x)) + #if defined(__linux__) || !defined(__ANDROID__) + #define AFL_SR(s) (srandom(s)) + #define AFL_R(x) (random() % (x)) + #else + #define AFL_SR(s) ((void)s) + #define AFL_R(x) (arc4random_uniform(x)) + #endif #else -#define SR(s) ((void)s) -#define R(x) (arc4random_uniform(x)) -#endif + #if defined(__linux__) || !defined(__ANDROID__) + #define SR(s) (srandom(s)) + #define R(x) (random() % (x)) + #else + #define SR(s) ((void)s) + #define R(x) (arc4random_uniform(x)) + #endif #endif /* ^AFL_LLVM_PASS */ #define STRINGIFY_INTERNAL(x) #x 
@@ -156,19 +156,19 @@ typedef int64_t s64; #define MEM_BARRIER() __asm__ volatile("" ::: "memory") #if __GNUC__ < 6 -#ifndef likely -#define likely(_x) (_x) -#endif -#ifndef unlikely -#define unlikely(_x) (_x) -#endif + #ifndef likely + #define likely(_x) (_x) + #endif + #ifndef unlikely + #define unlikely(_x) (_x) + #endif #else -#ifndef likely -#define likely(_x) __builtin_expect(!!(_x), 1) -#endif -#ifndef unlikely -#define unlikely(_x) __builtin_expect(!!(_x), 0) -#endif + #ifndef likely + #define likely(_x) __builtin_expect(!!(_x), 1) + #endif + #ifndef unlikely + #define unlikely(_x) __builtin_expect(!!(_x), 0) + #endif #endif #endif /* ! _HAVE_TYPES_H */ diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 73ddc292..1c22897c 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c 
@@ -30,39 +30,39 @@ #include <sys/mman.h> #ifdef __APPLE__ -#include <mach/vm_statistics.h> + #include <mach/vm_statistics.h> #endif #ifdef __FreeBSD__ -#include <sys/param.h> + #include <sys/param.h> #endif #if defined(__linux__) && !defined(__ANDROID__) -#include <unistd.h> -#include <sys/syscall.h> -#ifdef __NR_getrandom -#define arc4random_buf(p, l) \ - do { \ - \ - ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ - if (rd != l) DEBUGF("getrandom failed"); \ - \ - } while (0) - -#else -#include <time.h> -#define arc4random_buf(p, l) \ - do { \ - \ - srand(time(NULL)); \ - u32 i; \ - u8 *ptr = (u8 *)p; \ - for (i = 0; i < l; i++) \ - ptr[i] = rand() % INT_MAX; \ - \ - } while (0) - -#endif + #include <unistd.h> + #include <sys/syscall.h> + #ifdef __NR_getrandom + #define arc4random_buf(p, l) \ + do { \ + \ + ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ + if (rd != l) DEBUGF("getrandom failed"); \ + \ + } while (0) + + #else + #include <time.h> + #define arc4random_buf(p, l) \ + do { \ + \ + srand(time(NULL)); \ + u32 i; \ + u8 *ptr = (u8 *)p; \ + for (i = 0; i < l; i++) \ + ptr[i] = rand() % INT_MAX; \ + \ + } while (0) + + #endif #endif #include "config.h" @@ -83,11 +83,11 @@ typedef struct { #define ALLOC_ALIGN_SIZE (_Alignof(max_align_t)) #ifndef PAGE_SIZE -#define PAGE_SIZE 4096 + #define PAGE_SIZE 4096 #endif /* !PAGE_SIZE */ #ifndef MAP_ANONYMOUS -#define MAP_ANONYMOUS MAP_ANON + #define MAP_ANONYMOUS MAP_ANON #endif /* !MAP_ANONYMOUS */ #define SUPER_PAGE_SIZE 1 << 21 @@ -148,8 +148,8 @@ static u8 alloc_verbose, /* Additional debug messages */ align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ -#define __thread -#warning no thread support available + #define __thread + #warning no thread support available #endif static __thread size_t total_mem; /* Currently allocated mem */ 
@@ -192,13 +192,13 @@ static void *__dislocator_alloc(size_t len) { #if defined(USEHUGEPAGE) sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE)); -#if defined(__APPLE__) + #if defined(__APPLE__) if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB; -#elif defined(__linux__) + #elif defined(__linux__) if (sp) flags |= MAP_HUGETLB; -#elif defined(__FreeBSD__) + #elif defined(__FreeBSD__) if (sp) flags |= MAP_ALIGNED_SUPER; -#endif + #endif #else (void)sp; #endif @@ -208,13 +208,13 @@ static void *__dislocator_alloc(size_t len) { /* We try one more time with regular call */ if (ret == MAP_FAILED) { -#if defined(__APPLE__) + #if defined(__APPLE__) fd = -1; -#elif defined(__linux__) + #elif defined(__linux__) flags &= -MAP_HUGETLB; -#elif defined(__FreeBSD__) + #elif defined(__FreeBSD__) flags &= -MAP_ALIGNED_SUPER; -#endif + #endif ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); } diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 56b2cd4b..fdfa3e53 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -21,7 +21,7 @@ */ #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #include <stdio.h> #include <string.h> 
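Review bot: The retry path in the second hunk (`@@ -208`) clears the huge-page flag with unary minus, `flags &= -MAP_HUGETLB;` and `flags &= -MAP_ALIGNED_SUPER;`, which is not a bit-clear: for a single-bit flag `-FLAG` keeps that bit set and clears every bit below it, so the fallback mmap() is retried with the huge-page flag still present and the lower flags (MAP_PRIVATE and MAP_ANONYMOUS, which on Linux sit below MAP_HUGETLB) stripped, and the "one more time with regular call" retry cannot succeed. Both lines want the bitwise complement: `flags &= ~MAP_HUGETLB;` and `flags &= ~MAP_ALIGNED_SUPER;`. The hunk itself only re-indents the directives, so this is pre-existing, but it is on the new side and a one-character fix in a security-sensitive allocator path. __dislocator_alloc starts before and ends after the hunk.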
@@ -35,20 +35,20 @@ #if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \ !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ -#error "Sorry, this library is unsupported in this platform for now!" + #error "Sorry, this library is unsupported in this platform for now!" #endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \ !__NetBSD__*/ #if defined __APPLE__ -#include <mach/vm_map.h> -#include <mach/mach_init.h> + #include <mach/vm_map.h> + #include <mach/mach_init.h> #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -#include <sys/types.h> -#include <sys/sysctl.h> -#if !defined __NetBSD__ -#include <sys/user.h> -#endif -#include <sys/mman.h> + #include <sys/types.h> + #include <sys/sysctl.h> + #if !defined __NetBSD__ + #include <sys/user.h> + #endif + #include <sys/mman.h> #endif #include <dlfcn.h> @@ -154,25 +154,25 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -#if defined __FreeBSD__ + #if defined __FreeBSD__ int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; -#elif defined __OpenBSD__ + #elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid}; -#elif defined __NetBSD__ + #elif defined __NetBSD__ int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)}; -#endif + #endif char * buf, *low, *high; size_t miblen = sizeof(mib) / sizeof(mib[0]); size_t len; if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return; -#if defined __FreeBSD__ || defined __NetBSD__ + #if defined __FreeBSD__ || defined __NetBSD__ len = len * 4 / 3; -#elif defined __OpenBSD__ + #elif defined __OpenBSD__ len -= len % sizeof(struct kinfo_vmentry); -#endif + #endif buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); if (buf == MAP_FAILED) return; 
@@ -193,22 +193,22 @@ static void __tokencap_load_mappings(void) { struct kinfo_vmentry *region = (struct kinfo_vmentry *)low; -#if defined __FreeBSD__ || defined __NetBSD__ + #if defined __FreeBSD__ || defined __NetBSD__ -#if defined __FreeBSD__ + #if defined __FreeBSD__ size_t size = region->kve_structsize; if (size == 0) break; -#elif defined __NetBSD__ + #elif defined __NetBSD__ size_t size = sizeof(*region); -#endif + #endif /* We go through the whole mapping of the process and track read-only * addresses */ if ((region->kve_protection & KVME_PROT_READ) && !(region->kve_protection & KVME_PROT_WRITE)) { -#elif defined __OpenBSD__ + #elif defined __OpenBSD__ size_t size = sizeof(*region); @@ -217,7 +217,7 @@ static void __tokencap_load_mappings(void) { if ((region->kve_protection & KVE_PROT_READ) && !(region->kve_protection & KVE_PROT_WRITE)) { -#endif + #endif __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start; __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end; diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index ab14e545..01c83787 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -39,7 +39,7 @@ else endif LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' ) -LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-7]|^1[2-9]' && echo 1 || echo 0 ) +LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-3]|^1[2-9]' && echo 1 || echo 0 ) LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 ) LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//') LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 837b093a..7dc96bc3 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc 
@@ -12,13 +12,13 @@ typedef long double max_align_t; #include "llvm/ADT/DenseSet.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/CFG.h" -#include "llvm/IR/Dominators.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/CFG.h" + #include "llvm/IR/Dominators.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Support/CFG.h" -#include "llvm/Analysis/Dominators.h" -#include "llvm/DebugInfo.h" + #include "llvm/Support/CFG.h" + #include "llvm/Analysis/Dominators.h" + #include "llvm/DebugInfo.h" #endif #include "llvm/IR/IRBuilder.h" #include "llvm/IR/Instructions.h" @@ -97,7 +97,7 @@ struct InsTrim : public ModulePass { #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -#define AFL_HAVE_VECTOR_INTRINSICS 1 + #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool runOnModule(Module &M) override { @@ -160,9 +160,21 @@ struct InsTrim : public ModulePass { else #else if (ngram_size_str) +#ifdef LLVM_VERSION_STRING FATAL( "Sorry, NGRAM branch coverage is not supported with llvm version %s!", LLVM_VERSION_STRING); +#else +#ifndef LLVM_VERSION_PATCH + FATAL( + "Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, 0); +#else + FATAL( + "Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, LLVM_VERISON_PATCH); +#endif +#endif #endif PrevLocSize = 1; 
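Review bot: The innermost `#else` branch of the new FATAL block in the `@@ -160` hunk spells the macro `LLVM_VERISON_PATCH`, so on an LLVM whose headers define `LLVM_VERSION_PATCH` but not `LLVM_VERSION_STRING` the pass fails to compile with an undeclared identifier, which is exactly the configuration that branch exists to serve. Change it to `LLVM_VERSION_PATCH`, matching the equivalent block in afl-llvm-pass.so.cc. The newly added nested `#ifdef`/`#ifndef`/`#else`/`#endif` lines are also the only directives in the file not indented per the `IndentPPDirectives: BeforeHash` rule this commit applies everywhere else. runOnModule starts before and ends after the hunk.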
@@ -196,17 +208,17 @@ struct InsTrim : public ModulePass { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -#ifdef __ANDROID__ + #ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -#else + #else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -#endif + #endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/MarkNodes.cc b/llvm_mode/MarkNodes.cc index cff6c90a..20a7df35 100644 --- a/llvm_mode/MarkNodes.cc +++ b/llvm_mode/MarkNodes.cc @@ -15,9 +15,9 @@ typedef long double max_align_t; #include "llvm/IR/BasicBlock.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/CFG.h" + #include "llvm/IR/CFG.h" #else -#include "llvm/Support/CFG.h" + #include "llvm/Support/CFG.h" #endif #include "llvm/IR/Constants.h" #include "llvm/IR/Function.h" diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 07754d1d..49dc6c1c 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
@@ -844,14 +844,14 @@ int main(int argc, char **argv, char **envp) { "\nafl-clang-fast specific environment variables:\n" "AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen mutator)\n" "AFL_LLVM_INSTRUMENT: set instrumentation mode: DEFAULT, CFG " - "(INSTRIM), LTO, CTX, NGRAM-2 ... NGRAM-16\n" + "(INSTRIM), PCGUARD, LTO, CTX, NGRAM-2 ... NGRAM-16\n" " You can also use the old environment variables instead:" - " AFL_LLVM_CTX: use context sensitive coverage\n" " AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n" - " AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage\n" " AFL_LLVM_INSTRIM: use light weight instrumentation InsTrim\n" " AFL_LLVM_INSTRIM_LOOPHEAD: optimize loop tracing for speed (sub " - "option to INSTRIM)\n"); + "option to INSTRIM)\n" + " AFL_LLVM_CTX: use context sensitive coverage\n" + " AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage\n"); #ifdef AFL_CLANG_FLTO SAYF( diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index db604e14..35eabbf0 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -33,7 +33,10 @@ char *getBBName(const llvm::BasicBlock *BB) { std::string Str; raw_string_ostream OS(Str); +#if LLVM_VERSION_MAJOR >= 4 || \ + (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 7) BB->printAsOperand(OS, false); +#endif name = strdup(OS.str().c_str()); return name; @@ -171,7 +174,7 @@ bool isInWhitelist(llvm::Function *F) { #else if (!Loc.isUnknown()) { - DILocation cDILoc(Loc.getAsMDNode(C)); + DILocation cDILoc(Loc.getAsMDNode(F->getContext())); unsigned int instLine = cDILoc.getLineNumber(); StringRef instFilename = cDILoc.getFilename(); diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index cf14d2e1..50ad3abc 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h 
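Review bot: With the new `#if` guard in getBBName (hunk `@@ -33`), on LLVM older than 3.7 `BB->printAsOperand` is skipped, `Str` stays empty and every basic block is returned as `""`, so any caller that keys on block names (presumably the whitelist logic further down) sees all blocks as the same unnamed block, silently. Either state that at the guard, e.g. `/* printAsOperand unavailable on old LLVM: every block reports an empty name */`, or add an `#else` fallback such as `if (BB->hasName()) OS << BB->getName();` so explicitly named blocks still resolve. The unchecked `strdup` return on the next line is pre-existing. getBBName starts before and ends after the hunk.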
@@ -25,11 +25,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" + #include "llvm/IR/DebugInfo.h" + #include "llvm/IR/CFG.h" #else -#include "llvm/DebugInfo.h" -#include "llvm/Support/CFG.h" + #include "llvm/DebugInfo.h" + #include "llvm/Support/CFG.h" #endif char * getBBName(const llvm::BasicBlock *BB); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 2d23ad21..5bf705f8 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -54,11 +54,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" + #include "llvm/IR/DebugInfo.h" + #include "llvm/IR/CFG.h" #else -#include "llvm/DebugInfo.h" -#include "llvm/Support/CFG.h" + #include "llvm/DebugInfo.h" + #include "llvm/Support/CFG.h" #endif #include "afl-llvm-common.h" @@ -115,7 +115,7 @@ uint64_t PowerOf2Ceil(unsigned in) { /* #if LLVM_VERSION_STRING >= "4.0.1" */ #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -#define AFL_HAVE_VECTOR_INTRINSICS 1 + #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool AFLCoverage::runOnModule(Module &M) { @@ -211,8 +211,15 @@ bool AFLCoverage::runOnModule(Module &M) { else #else if (ngram_size_str) - FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %s!", - LLVM_VERSION_STRING); +#ifndef LLVM_VERSION_PATCH + FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, + 0); +#else + FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, + LLVM_VERSION_PATCH); +#endif #endif PrevLocSize = 1; 
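Review bot: The version-reporting FATAL in the `@@ -211` hunk is a second hand-rolled copy of the one added to LLVMInsTrim.so.cc in this same commit, and the two already differ (this one has no `LLVM_VERSION_STRING` branch, the other one misspells the patch macro); a single helper macro in afl-llvm-common.h, say `AFL_LLVM_VERSION_FMT` / `AFL_LLVM_VERSION_ARGS` expanding to the right format string and arguments, would keep both passes reporting the same thing. The two new FATAL lines also exceed 80 columns and the nested `#ifndef`/`#else`/`#endif` are not indented as the rest of this reformatted file now is. runOnModule starts before and ends after the hunk.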
@@ -242,17 +249,17 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -#ifdef __ANDROID__ + #ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -#else + #else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -#endif + #endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index ce8df332..c0d1569d 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -21,7 +21,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -43,7 +43,7 @@ #include <sys/types.h> #ifdef __linux__ -#include "snapshot-inl.h" + #include "snapshot-inl.h" #endif /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode. @@ -53,7 +53,7 @@ #define CONST_PRIO 5 #ifndef MAP_FIXED_NOREPLACE -#define MAP_FIXED_NOREPLACE MAP_FIXED + #define MAP_FIXED_NOREPLACE MAP_FIXED #endif #include <sys/mman.h> 
@@ -826,15 +826,15 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) { } #if defined(__APPLE__) -#pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 -#pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 -#pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 -#pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 - -#pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 -#pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 -#pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 -#pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 + #pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 + #pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 + #pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 + #pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 + + #pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 + #pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 + #pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 + #pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 #else void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__cmplog_ins_hook1"))); diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index 628151c6..b7f3cffa 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include <set> 
diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc index b74fb712..bb78273a 100644 --- a/llvm_mode/cmplog-routines-pass.cc +++ b/llvm_mode/cmplog-routines-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include <set> diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 00732dbc..1ebc54d7 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -25,7 +25,6 @@ #include "llvm/Config/llvm-config.h" #include "llvm/ADT/Statistic.h" -#include "llvm/IR/DebugInfo.h" #include "llvm/IR/IRBuilder.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/Module.h" @@ -38,12 +37,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include <set> diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 9c91e44f..2c4ed71c 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -27,7 +27,6 @@ #include "llvm/Config/llvm-config.h" #include "llvm/Pass.h" -#include "llvm/IR/DebugInfo.h" #include "llvm/Support/raw_ostream.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" 
@@ -37,12 +36,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif using namespace llvm; diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index e8639347..4a6ca3d9 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -26,7 +26,6 @@ #include "llvm/Config/llvm-config.h" #include "llvm/ADT/Statistic.h" -#include "llvm/IR/DebugInfo.h" #include "llvm/IR/IRBuilder.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/Module.h" @@ -40,12 +39,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include <set> diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index d4ac25e3..55c5a3f3 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -11,7 +11,7 @@ #include <dlfcn.h> #ifdef __ANDROID__ -#include "../include/android-ashmem.h" + #include "../include/android-ashmem.h" #endif #include <sys/ipc.h> 
@@ -23,15 +23,15 @@ /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -#define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") + #define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ + #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif using namespace QBDI; diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index bd18927f..1828528e 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -63,7 +63,7 @@ if [ ! -f "../afl-showmap" ]; then fi PREREQ_NOTFOUND= -for i in libtool wget python automake autoconf sha384sum bison flex iconv patch pkg-config; do +for i in libtool wget automake autoconf sha384sum bison flex iconv patch pkg-config; do T=`command -v "$i" 2>/dev/null` @@ -76,6 +76,14 @@ for i in libtool wget python automake autoconf sha384sum bison flex iconv patch done +PYTHONBIN=`command -v python3 || command -v python || command -v python2` + +if [ "$PYTHONBIN" = "" ]; then + echo "[-] Error: 'python' not found, please install using 'sudo apt install python3'." + PREREQ_NOTFOUND=1 +fi + + if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then echo "[-] Error: devel version of 'glib2' not found, please install first." 
@@ -202,16 +210,17 @@ if [ "$STATIC" = "1" ]; then --disable-libusb --disable-usb-redir --disable-vde --disable-vhost-net --disable-virglrenderer \ --disable-virtfs --disable-vnc --disable-vte --disable-xen --disable-xen-pci-passthrough --disable-xfsctl \ --enable-linux-user --disable-system --disable-blobs --disable-tools --enable-capstone=internal \ - --target-list="${CPU_TARGET}-linux-user" --static --disable-pie --cross-prefix=$CROSS_PREFIX || exit 1 + --target-list="${CPU_TARGET}-linux-user" --static --disable-pie --cross-prefix=$CROSS_PREFIX --python="$PYTHONBIN" \ + || exit 1 else # --enable-pie seems to give a couple of exec's a second performance # improvement, much to my surprise. Not sure how universal this is.. - + ./configure --disable-system \ --enable-linux-user --disable-gtk --disable-sdl --disable-vnc --enable-capstone=internal \ - --target-list="${CPU_TARGET}-linux-user" --enable-pie $CROSS_PREFIX || exit 1 + --target-list="${CPU_TARGET}-linux-user" --enable-pie $CROSS_PREFIX --python="$PYTHONBIN" || exit 1 fi @@ -279,6 +288,7 @@ echo "[+] Building libcompcov ..." make -C libcompcov && echo "[+] libcompcov ready" echo "[+] Building unsigaction ..." make -C unsigaction && echo "[+] unsigaction ready" + echo "[+] All done for qemu_mode, enjoy!" exit 0 diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index bffdd5d8..23f465a4 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -20,7 +20,7 @@ */ #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #include <dlfcn.h> #include <stdio.h> @@ -36,7 +36,7 @@ #include "pmparser.h" #ifndef __linux__ -#error "Sorry, this library is Linux-specific for now!" + #error "Sorry, this library is Linux-specific for now!" #endif /* !__linux__ */ /* Change this value to tune the compare coverage */ diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 94f853cc..dbdb41bc 100644 
--- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -40,27 +40,27 @@ #define PERSISTENT_DEFAULT_MAX_CNT 1000 #ifdef CPU_NB_REGS -#define AFL_REGS_NUM CPU_NB_REGS + #define AFL_REGS_NUM CPU_NB_REGS #elif TARGET_ARM -#define AFL_REGS_NUM 32 + #define AFL_REGS_NUM 32 #elif TARGET_AARCH64 -#define AFL_REGS_NUM 32 + #define AFL_REGS_NUM 32 #else -#define AFL_REGS_NUM 100 + #define AFL_REGS_NUM 100 #endif /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -#define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") + #define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ + #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 78a8f800..e4ebaf88 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -35,7 +35,7 @@ #include "afl-qemu-common.h" #ifndef AFL_QEMU_STATIC_BUILD -#include <dlfcn.h> + #include <dlfcn.h> #endif /*************************** diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 2e740ad9..083c27e5 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -36,9 +36,9 @@ #include "tcg-op.h" #if TCG_TARGET_REG_BITS == 64 -#define _DEFAULT_MO MO_64 + #define _DEFAULT_MO MO_64 #else -#define _DEFAULT_MO MO_32 + #define _DEFAULT_MO MO_32 #endif static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, 
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 4e973672..900fbeb1 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-as.c b/src/afl-as.c index cf7f8bb6..4809a731 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -79,9 +79,9 @@ static u8 use_64bit = 1; static u8 use_64bit = 0; -#ifdef __APPLE__ -#error "Sorry, 32-bit Apple platforms are not supported." -#endif /* __APPLE__ */ + #ifdef __APPLE__ + #error "Sorry, 32-bit Apple platforms are not supported." + #endif /* __APPLE__ */ #endif /* ^WORD_SIZE_64 */ diff --git a/src/afl-common.c b/src/afl-common.c index d9d57863..808c9812 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -34,7 +34,7 @@ /* Detect @@ in args. */ #ifndef __glibc__ -#include <unistd.h> + #include <unistd.h> #endif #include <limits.h> #include <sys/types.h> @@ -72,11 +72,11 @@ char *afl_environment_variables[] = { "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", - "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", + "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally - "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", + "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c1623f22..1c0ba349 100644 
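Review bot: Dropping `AFL_POST_LIBRARY` from afl_environment_variables (hunk `@@ -72`) presumably only demotes it to the "unknown AFL_ variable" warning that list drives, so a user whose post-processing library is now ignored (the cmplog call site is removed elsewhere in this commit) keeps fuzzing without it after at most a warning. Since the feature is gone, an explicit `if (getenv("AFL_POST_LIBRARY")) FATAL("AFL_POST_LIBRARY is no longer supported");` at startup would make the breakage loud, and the `//"AFL_PERSISTENT", // not implemented anymore` entry just above shows the file's convention for retired variables: `//"AFL_POST_LIBRARY", // removed` would keep the history visible. The array starts before and ends after the hunk.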
--- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -676,12 +676,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else if (!fsrv->mem_limit) { SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Perhaps there is a horrible " - "bug in the\n" - " fuzzer. Poke <afl-users@googlegroups.com> for troubleshooting " - "tips.\n"); + "Hmm, looks like the target binary terminated before we could" + "complete a handshake with the injected code.\n" + "If the target was compiled with afl-clang-lto then recompiling with" + "AFL_LLVM_MAP_DYNAMIC might solve your problem.\n" + "Otherwise there is a horrible bug in the fuzzer.\n" + "Poke <afl-users@googlegroups.com> for troubleshooting tips.\n"); } else { @@ -708,6 +708,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, " estimate the required amount of virtual memory for the " "binary.\n\n" + " - the target was compiled with afl-clang-lto and a constructor " + "was\n" + " instrumented, recompiling with AFL_LLVM_MAP_DYNAMIC might solve " + "your\n" + " problem\n\n" + " - Less likely, there is a horrible bug in the fuzzer. If other " "options\n" " fail, poke <afl-users@googlegroups.com> for troubleshooting " diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index d4966889..ff078319 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -442,7 +442,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); } - + sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); sprintf(ret + strlen(ret), ",op:%s", afl->stage_short); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 9452fa90..faf4dcb7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c 
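Review bot: Two adjacent string literals in the rewritten SAYF of the first hunk (`@@ -676`) lose their separating space: `"...before we could" "complete a handshake..."` prints "couldcomplete", and `"recompiling with" "AFL_LLVM_MAP_DYNAMIC..."` prints "withAFL_LLVM_MAP_DYNAMIC", so the hint the user is meant to copy is mangled. Add the trailing spaces: `"Hmm, looks like the target binary terminated before we could "` and `"If the target was compiled with afl-clang-lto then recompiling with "`. The old text also indented continuation lines with four spaces under the `[-]` prefix, which the new text drops while the sibling branches in afl_fsrv_start still use it. afl_fsrv_start starts before and ends after the hunk.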
@@ -51,18 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 32481887..613d1437 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -33,11 +33,11 @@ void bind_to_free_cpu(afl_state_t *afl) { -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) cpuset_t * c; -#endif + #endif u8 cpu_used[4096] = {0}; u32 i; @@ -51,7 +51,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#if defined(__linux__) + #if defined(__linux__) DIR * d; struct dirent *de; d = opendir("/proc"); @@ -112,7 +112,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } closedir(d); -#elif defined(__FreeBSD__) || defined(__DragonFly__) + #elif defined(__FreeBSD__) || defined(__DragonFly__) struct kinfo_proc *procs; size_t nprocs; size_t proccount; @@ -133,7 +133,7 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { -#if defined(__FreeBSD__) + #if defined(__FreeBSD__) if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 
@@ -143,16 +143,16 @@ void bind_to_free_cpu(afl_state_t *afl) { if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; -#elif defined(__DragonFly__) + #elif defined(__DragonFly__) if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; -#endif + #endif } ck_free(procs); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; @@ -181,15 +181,15 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); -#else -#warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" -#endif + #else + #warning \ + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" + #endif size_t cpu_start = 0; try: -#ifndef __ANDROID__ + #ifndef __ANDROID__ for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -198,12 +198,12 @@ void bind_to_free_cpu(afl_state_t *afl) { if (i == afl->cpu_core_count) { -#else + #else for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) if (!cpu_used[i]) break; if (i == -1) { -#endif + #endif SAYF("\n" cLRD "[-] " cRST "Uh-oh, looks like all %d CPU cores on your system are allocated to\n" @@ -221,16 +221,16 @@ void bind_to_free_cpu(afl_state_t *afl) { afl->cpu_aff = i; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#endif + #endif -#if defined(__linux__) + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) { 
@@ -246,7 +246,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__FreeBSD__) || defined(__DragonFly__) + #elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) @@ -258,7 +258,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { if (cpu_start == afl->cpu_core_count) 
@@ -271,60 +271,15 @@ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { } cpuset_destroy(c); -#else -// this will need something for other platforms -// TODO: Solaris/Illumos has processor_bind ... might worth a try -#endif + #else + // this will need something for other platforms + // TODO: Solaris/Illumos has processor_bind ... might worth a try + #endif } #endif /* HAVE_AFFINITY */ -/* Load postprocessor, if available. */ - -void setup_post(afl_state_t *afl) { - - void *dh; - u8 * fn = afl->afl_env.afl_post_library; - u8 tbuf[6]; - u32 tlen = 6; - strncpy(tbuf, "hello", tlen); - - if (!fn) { return; } - - ACTF("Loading postprocessor from '%s'...", fn); - - dh = dlopen(fn, RTLD_NOW); - if (!dh) { FATAL("%s", dlerror()); } - - afl->post_handler = dlsym(dh, "afl_postprocess"); - if (!afl->post_handler) { FATAL("Symbol 'afl_postprocess' not found."); } - afl->post_init = dlsym(dh, "afl_postprocess_init"); - if (!afl->post_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } - afl->post_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!afl->post_deinit) { - - FATAL("Symbol 'afl_postprocess_deinit' not found."); - - } - - /* Do a quick test. It's better to segfault now than later =) */ - - u8 *post_buf = NULL; - afl->post_data = afl->post_init(afl); - if (!afl->post_data) { FATAL("Could not initialize post handler."); } - - size_t post_len = afl->post_handler(afl->post_data, tbuf, tlen, &post_buf); - if (!post_len || !post_buf) { - - SAYF("Empty return in test post handler for buf=\"hello\\0\"."); - - } - - OKF("Postprocessor installed successfully."); - -} - /* Shuffle an array of pointers. Might be slightly biased. */ static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { 
@@ -1375,6 +1330,19 @@ void setup_dirs_fds(afl_state_t *afl) { } + /* + if (afl->is_master) { + + u8 *x = alloc_printf("%s/%s/is_master", afl->sync_dir, afl->sync_id); + int fd = open(x, O_CREAT | O_RDWR, 0644); + if (fd < 0) FATAL("cannot create %s", x); + free(x); + close(fd); + + } + + */ + if (mkdir(afl->out_dir, 0700)) { if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } @@ -1565,7 +1533,7 @@ void check_crash_handling(void) { until I get a box to test the code. So, for now, we check for crash reporting the awful way. */ -#if !TARGET_OS_IPHONE + #if !TARGET_OS_IPHONE if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; SAYF( @@ -1583,7 +1551,7 @@ void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); -#endif + #endif if (!get_afl_env("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); @@ -1778,26 +1746,26 @@ void get_core_count(afl_state_t *afl) { /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ -#ifdef __APPLE__ + #ifdef __APPLE__ if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#else + #else int s_name[2] = {CTL_HW, HW_NCPU}; if (sysctl(s_name, 2, &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#endif /* ^__APPLE__ */ + #endif /* ^__APPLE__ */ #else -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); -#else + #else FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -1809,7 +1777,7 @@ void get_core_count(afl_state_t *afl) { fclose(f); -#endif /* ^HAVE_AFFINITY */ + #endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ 
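Review bot: The block added in afl-fuzz-init.c at @@ -1375 is a commented-out `is_master` marker-file routine, and afl-fuzz-run.c at @@ -401 adds the matching commented-out consumer; dead code inside `/* */` is never compiled, so it will drift from the real types and helpers. If this is planned work, a one-line `// TODO(is_master): write <out_dir>/<sync_id>/is_master so slaves sync only from masters` is enough, or keep the code under `#if 0` with that TODO so it at least stays parsed. Note the consumer declares `u8 x = alloc_printf(...)` rather than `u8 *x`, and both blocks release the buffer with `free()` while the rest of this diff uses `ck_free` for AFL allocations — worth confirming the matching deallocator before either block is revived. setup_dirs_fds continues outside the hunk.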
@@ -1863,14 +1831,6 @@ void fix_up_sync(afl_state_t *afl) { if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } - if (afl->skip_deterministic) { - - if (afl->force_deterministic) { FATAL("use -S instead of -M -d"); } - // else - // FATAL("-S already implies -d"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { @@ -1890,13 +1850,6 @@ void fix_up_sync(afl_state_t *afl) { afl->sync_dir = afl->out_dir; afl->out_dir = x; - if (!afl->force_deterministic) { - - afl->skip_deterministic = 1; - afl->use_splicing = 1; - - } - } /* Handle screen resize (SIGWINCH). */ @@ -2043,7 +1996,11 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine) { return; } + if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode) { + + return; + + } /* Check for blatant user errors. */ @@ -2102,12 +2059,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { #else -#if !defined(__arm__) && !defined(__arm64__) + #if !defined(__arm__) && !defined(__arm64__) if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) && (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", afl->fsrv.target_path); -#endif + #endif #endif /* ^!__APPLE__ */ diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 027add49..87cb86fa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -108,6 +108,9 @@ void setup_custom_mutators(afl_state_t *afl) { #endif + if (afl->post_library_mutator) + list_append(&afl->custom_mutator_list, afl->post_library_mutator); + } void destroy_custom_mutators(afl_state_t *afl) { 
@@ -117,14 +120,14 @@ void destroy_custom_mutators(afl_state_t *afl) { LIST_FOREACH_CLEAR(&afl->custom_mutator_list, struct custom_mutator, { if (!el->data) { FATAL("Deintializing NULL mutator"); } - el->afl_custom_deinit(el->data); + if (el->afl_custom_deinit) el->afl_custom_deinit(el->data); if (el->dh) dlclose(el->dh); - if (el->pre_save_buf) { + if (el->post_process_buf) { - ck_free(el->pre_save_buf); - el->pre_save_buf = NULL; - el->pre_save_size = 0; + ck_free(el->post_process_buf); + el->post_process_buf = NULL; + el->post_process_size = 0; } @@ -151,7 +154,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) FATAL("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); 
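Review bot: In afl-fuzz-mutators.c at @@ -151 the lookup of `afl_custom_init` now terminates with FATAL, but the comment on the line above still reads `/* "afl_custom_init", optional for backward compatibility */`. Update it to `/* "afl_custom_init", required */`; the same mismatch appears at @@ -162 for `afl_custom_deinit`, whose new comment says optional while its check is FATAL. load_custom_mutator continues outside the hunk.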
@@ -162,36 +165,41 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); if (!mutator->afl_custom_fuzz) - FATAL("Symbol 'afl_custom_mutator' not found."); + WARNF("Symbol 'afl_custom_mutator' not found."); } - /* "afl_custom_pre_save", optional */ - mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); - if (!mutator->afl_custom_pre_save) - WARNF("Symbol 'afl_custom_pre_save' not found."); + /* "afl_custom_deinit", optional for backward compatibility */ + mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); + if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); + + /* "afl_custom_post_process", optional */ + mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); + if (!mutator->afl_custom_post_process) + ACTF("optional symbol 'afl_custom_post_process' not found."); u8 notrim = 0; /* "afl_custom_init_trim", optional */ mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); if (!mutator->afl_custom_init_trim) - WARNF("Symbol 'afl_custom_init_trim' not found."); + ACTF("optional symbol 'afl_custom_init_trim' not found."); /* "afl_custom_trim", optional */ mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); + if (!mutator->afl_custom_trim) + ACTF("optional symbol 'afl_custom_trim' not found."); /* "afl_custom_post_trim", optional */ mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); if (!mutator->afl_custom_post_trim) - WARNF("Symbol 'afl_custom_post_trim' not found."); + ACTF("optional symbol 'afl_custom_post_trim' not found."); if (notrim) { mutator->afl_custom_init_trim = NULL; mutator->afl_custom_trim = NULL; mutator->afl_custom_post_trim = NULL; - WARNF( + ACTF( "Custom mutator does not implement all three trim APIs, standard " "trimming will be used."); 
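Review bot: In afl-fuzz-mutators.c at @@ -162 the failure message for the `afl_custom_deinit` lookup names the wrong symbol: `if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found.");` should read `FATAL("Symbol 'afl_custom_deinit' not found.");`, otherwise a plugin author who omitted deinit is told that init is missing. In the same hunk the `afl_custom_mutator` fallback is downgraded from FATAL to WARNF, yet the comment introducing it (`/* "afl_custom_fuzz" or "afl_custom_mutator", required */`, context of the previous hunk) still says required — if a post-process-only mutator is now legal, say so there. load_custom_mutator continues outside the hunk.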
@@ -200,23 +208,23 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); if (!mutator->afl_custom_havoc_mutation) - WARNF("Symbol 'afl_custom_havoc_mutation' not found."); + ACTF("optional symbol 'afl_custom_havoc_mutation' not found."); /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); if (!mutator->afl_custom_havoc_mutation_probability) - WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); + ACTF("optional symbol 'afl_custom_havoc_mutation_probability' not found."); /* "afl_custom_queue_get", optional */ mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); if (!mutator->afl_custom_queue_get) - WARNF("Symbol 'afl_custom_queue_get' not found."); + ACTF("optional symbol 'afl_custom_queue_get' not found."); /* "afl_custom_queue_new_entry", optional */ mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); if (!mutator->afl_custom_queue_new_entry) - WARNF("Symbol 'afl_custom_queue_new_entry' not found"); + ACTF("optional symbol 'afl_custom_queue_new_entry' not found"); OKF("Custom mutator '%s' installed successfully.", fn); diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 832dba06..2044c97d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c 
@@ -35,11 +35,11 @@ static void *unsupported(afl_state_t *afl, unsigned int seed) { } -/* sorry for this makro... -it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ -#define BUF_PARAMS(name) \ - (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ - &((py_mutator_t *)py_mutator)->name##_size + /* sorry for this makro... + it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ + #define BUF_PARAMS(name) \ + (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ + &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { @@ -71,12 +71,12 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, PyTuple_SetItem(py_args, 1, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -118,11 +118,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { Py_Initialize(); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 PyObject *py_name = PyUnicode_FromString(module_name); -#else + #else PyObject *py_name = PyString_FromString(module_name); -#endif + #endif py->py_module = PyImport_Import(py_name); Py_DECREF(py_name); 
@@ -135,9 +135,15 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { u8 py_notrim = 0, py_idx; /* init, required */ py_functions[PY_FUNC_INIT] = PyObject_GetAttrString(py_module, "init"); + if (!py_functions[PY_FUNC_INIT]) + FATAL("init function not found in python module"); py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz"); - py_functions[PY_FUNC_PRE_SAVE] = - PyObject_GetAttrString(py_module, "pre_save"); + if (!py_functions[PY_FUNC_FUZZ]) + py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); + if (!py_functions[PY_FUNC_FUZZ]) + WARNF("fuzz function not found in python module"); + py_functions[PY_FUNC_POST_PROCESS] = + PyObject_GetAttrString(py_module, "post_process"); py_functions[PY_FUNC_INIT_TRIM] = PyObject_GetAttrString(py_module, "init_trim"); py_functions[PY_FUNC_POST_TRIM] = @@ -152,14 +158,16 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_QUEUE_NEW_ENTRY] = PyObject_GetAttrString(py_module, "queue_new_entry"); py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit"); + if (!py_functions[PY_FUNC_DEINIT]) + FATAL("deinit function not found in python module"); for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { if (!py_functions[py_idx] || !PyCallable_Check(py_functions[py_idx])) { - if (py_idx == PY_FUNC_PRE_SAVE) { + if (py_idx == PY_FUNC_POST_PROCESS) { - // Implenting the pre_save API is optional for now + // Implenting the post_process API is optional for now if (PyErr_Occurred()) { PyErr_Print(); } } else if (py_idx >= PY_FUNC_INIT_TRIM && py_idx <= PY_FUNC_TRIM) { @@ -243,11 +251,11 @@ static void init_py(afl_state_t *afl, py_mutator_t *py_mutator, /* Provide the init function a seed for the Python RNG */ py_args = PyTuple_New(1); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(seed); -#else + #else py_value = PyInt_FromLong(seed); -#endif + #endif if (!py_value) { 
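Review bot: In afl-fuzz-python.c at @@ -135 the fallback `PyObject_GetAttrString(py_module, "mutate")` runs while the AttributeError set by the failed `"fuzz"` lookup is still pending, and if `"mutate"` is found that stale exception is carried into later C-API calls; insert `PyErr_Clear();` between the two lookups. The new FATALs for `init` and `deinit` exit before anything prints the Python-side error, so `if (!py_functions[PY_FUNC_INIT]) { PyErr_Print(); FATAL("init function not found in python module"); }` (and likewise for deinit) would keep the reason visible. init_py_module continues outside the hunk.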
@@ -301,8 +309,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->pre_save_buf = NULL; - mutator->pre_save_size = 0; + mutator->post_process_buf = NULL; + mutator->post_process_size = 0; mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); @@ -322,9 +330,9 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, is quite different from the custom mutator. */ mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_PRE_SAVE]) { + if (py_functions[PY_FUNC_POST_PROCESS]) { - mutator->afl_custom_pre_save = pre_save_py; + mutator->afl_custom_post_process = post_process_py; } @@ -376,7 +384,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, + u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; @@ -387,14 +396,15 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { if (!py_value) { Py_DECREF(py_args); - FATAL("Failed to convert arguments in custom pre_save"); + FATAL("Failed to convert arguments in custom post_process"); } PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_PRE_SAVE], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], + py_args); Py_DECREF(py_args); 
@@ -402,18 +412,19 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { py_out_buf_size = PyByteArray_Size(py_value); - ck_maybe_grow(BUF_PARAMS(pre_save), py_out_buf_size); + ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->pre_save_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), + py_out_buf_size); Py_DECREF(py_value); - *out_buf = py->pre_save_buf; + *out_buf = py->post_process_buf; return py_out_buf_size; } else { PyErr_Print(); - FATAL("Python custom mutator: pre_save call failed."); + FATAL("Python custom mutator: post_process call failed."); } @@ -440,11 +451,11 @@ s32 init_trim_py(void *py_mutator, u8 *buf, size_t buf_size) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -479,11 +490,11 @@ s32 post_trim_py(void *py_mutator, u8 success) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -542,12 +553,12 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, PyTuple_SetItem(py_args, 0, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -624,12 +635,12 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { py_args = PyTuple_New(1); -// File name -#if PY_MAJOR_VERSION >= 3 + // File name + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename); -#else + #else py_value = PyString_FromString(filename); -#endif + #endif if (!py_value) { Py_DECREF(py_args); 
@@ -674,12 +685,12 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args = PyTuple_New(2); -// New queue -#if PY_MAJOR_VERSION >= 3 + // New queue + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_new_queue); -#else + #else py_value = PyString_FromString(filename_new_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -693,11 +704,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_value = Py_None; if (filename_orig_queue) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_orig_queue); -#else + #else py_value = PyString_FromString(filename_orig_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -724,7 +735,7 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, } -#undef BUF_PARAMS + #undef BUF_PARAMS #endif /* USE_PYTHON */ diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4a22dad6..bbcd9a99 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -97,10 +97,10 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - if (el->afl_custom_pre_save) { + if (el->afl_custom_post_process) { new_size = - el->afl_custom_pre_save(el->data, new_mem, new_size, &new_buf); + el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); } @@ -110,7 +110,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { if (unlikely(!new_buf && (new_size <= 0))) { - FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size); + FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size); } else if (likely(new_buf)) { @@ -119,7 +119,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { } else { - /* custom mutators do not has a custom_pre_save function */ + /* custom mutators do not has a custom_post_process function */ afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); } 
@@ -191,7 +191,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 handicap, u8 from_queue) { - u8 fault = 0, new_bits = 0, var_detected = 0, + u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, first_run = (q->exec_cksum == 0); u64 start_us, stop_us; @@ -236,7 +236,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (q->exec_cksum) { memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); - u8 hnb = has_new_bits(afl, afl->virgin_bits); + hnb = has_new_bits(afl, afl->virgin_bits); if (hnb > new_bits) { new_bits = hnb; } } @@ -271,11 +271,11 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - u8 hnb = has_new_bits(afl, afl->virgin_bits); - if (hnb > new_bits) { new_bits = hnb; } - if (q->exec_cksum != cksum) { + hnb = has_new_bits(afl, afl->virgin_bits); + if (hnb > new_bits) { new_bits = hnb; } + if (q->exec_cksum) { u32 i; @@ -401,6 +401,20 @@ void sync_fuzzers(afl_state_t *afl) { } + /* + // a slave only syncs from a master, a master syncs from everyone + if (likely(afl->is_slave)) { + + u8 x = alloc_printf("%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + int res = access(x, F_OK); + free(x); + if (res != 0) + continue; + + } + + */ + /* Skip anything that doesn't have a queue/ subdirectory. */ qd_path = alloc_printf("%s/%s/queue", afl->sync_dir, sd_ent->d_name); @@ -690,18 +704,6 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); 
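Review bot: In afl-fuzz-run.c at @@ -271 the condition guarding the variability scan changes from `if (q->exec_cksum != cksum)` to `if (q->exec_cksum)`, so the freshly computed `cksum` no longer gates the block and the scan now runs on every iteration for any previously executed entry. If that is intended (the per-byte comparison being the authoritative check), a comment such as `/* compare against first_trace every round; the cksum alone can miss a single-byte change */` would stop the next reader from restoring the old test; if not, the comparison should come back. Within this hunk `cksum` is now assigned but never read; whether it is still used further down is outside the visible lines. calibrate_case continues outside the hunk.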
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 4f5389e3..99863103 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -313,8 +313,10 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->afl_env.afl_post_library = - (u8 *)get_afl_env(afl_environment_variables[i]); + FATAL( + "AFL_POST_LIBRARY is deprecated, use " + "AFL_CUSTOM_MUTATOR_LIBRARY instead, see " + "docs/custom_mutators.md"); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", @@ -371,7 +373,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { void afl_state_deinit(afl_state_t *afl) { - if (afl->post_deinit) { afl->post_deinit(afl->post_data); } if (afl->in_place_resume) { ck_free(afl->in_dir); } if (afl->sync_id) { ck_free(afl->out_dir); } if (afl->pass_stats) { ck_free(afl->pass_stats); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aaf615e9..8625c37c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -187,7 +187,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_UI: switch status screen off\n" "AFL_PATH: path to AFL support binaries\n" - "AFL_POST_LIBRARY: postprocess generated test cases before use as target input\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -390,7 +389,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->force_deterministic = 1; + afl->is_master = 1; } @@ -400,6 +399,9 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); + afl->is_slave = 1; + afl->skip_deterministic = 1; + afl->use_splicing = 1; break; case 'f': /* target file */ 
@@ -500,12 +502,6 @@ int main(int argc, char **argv_orig, char **envp) { case 'd': /* skip deterministic */ - if (afl->skip_deterministic) { - - FATAL("Multiple -d options not supported"); - - } - afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -794,8 +790,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->force_deterministic && - afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " @@ -853,7 +848,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#if defined(__SANITIZE_ADDRESS__) + #if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { WARNF("in the ASAN build we disable all memory limits"); @@ -861,7 +856,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#endif + #endif setup_signal_handlers(); check_asan_opts(); @@ -1054,9 +1049,9 @@ int main(int argc, char **argv_orig, char **envp) { get_core_count(afl); -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY bind_to_free_cpu(afl); -#endif /* HAVE_AFFINITY */ + #endif /* HAVE_AFFINITY */ check_crash_handling(); check_cpu_governor(afl); @@ -1064,8 +1059,6 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); - setup_post(afl); - if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); memset(afl->virgin_crash, 255, afl->fsrv.map_size); 
@@ -1352,12 +1345,12 @@ stop_fuzzing: } -#ifdef PROFILING + #ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", time_spent_working / 1000000, time_spent_working / afl->fsrv.total_execs); -#endif + #endif fclose(afl->fsrv.plot_file); destroy_queue(afl); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index ab7aad5c..43b3196b 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -32,11 +32,11 @@ #define AFL_MAIN #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include <stdio.h> #include <stdlib.h> @@ -55,22 +55,22 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__APPLE__) || defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include <pthread.h> -#include <pthread_np.h> -#if defined(__FreeBSD__) -#include <sys/cpuset.h> -#endif -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include <pthread.h> -#include <sched.h> -#elif defined(__APPLE__) -#include <pthread.h> -#include <mach/thread_act.h> -#include <mach/thread_policy.h> -#endif + #define HAVE_AFFINITY 1 + #if defined(__FreeBSD__) || defined(__DragonFly__) + #include <pthread.h> + #include <pthread_np.h> + #if defined(__FreeBSD__) + #include <sys/cpuset.h> + #endif + #define cpu_set_t cpuset_t + #elif defined(__NetBSD__) + #include <pthread.h> + #include <sched.h> + #elif defined(__APPLE__) + #include <pthread.h> + #include <mach/thread_act.h> + #include <mach/thread_policy.h> + #endif #endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get CPU usage in microseconds. */ 
@@ -163,46 +163,46 @@ int main(int argc, char **argv) { if (!fr) { u32 util_perc; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) cpuset_t *c; c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#elif defined(__APPLE__) + #elif defined(__APPLE__) thread_affinity_policy_data_t c = {i}; thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, (thread_policy_t)&c, 1) != KERN_SUCCESS) PFATAL("thread_policy_set failed"); -#endif + #endif -#if defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity_np failed"); -#endif + #endif -#if defined(__NetBSD__) + #if defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) PFATAL("pthread_setaffinity_np failed"); cpuset_destroy(c); -#endif + #endif -#if defined(__linux__) + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { PFATAL("sched_setaffinity failed for cpu %d", i); } -#endif + #endif util_perc = measure_preemption(CTEST_CORE_TRG_MS); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index e024eb18..f5817293 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -56,8 +56,8 @@ #include <sys/mman.h> #ifndef USEMMAP -#include <sys/ipc.h> -#include <sys/shm.h> + #include <sys/ipc.h> + #include <sys/shm.h> #endif static list_t shm_list = {.element_prealloc_count = 0}; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index ed59f2f5..560c8cf6 100644 --- a/src/afl-showmap.c 
+++ b/src/afl-showmap.c @@ -32,7 +32,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index e15dc72d..091e5177 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -30,7 +30,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" diff --git a/test/test-multiple-mutators.c b/test/test-multiple-mutators.c index 0f6f5c64..dafc817c 100644 --- a/test/test-multiple-mutators.c +++ b/test/test-multiple-mutators.c @@ -12,11 +12,10 @@ int main(int argc, char **argv) { int a = 0; - char s[16]; - memset(s, 0, 16); - read(0, s, 0xa0); + char s[100]; + read(0, s, 100); - if (s[17] != '\x00') { abort(); } + if (s[7] == 'B') { abort(); } return 0; diff --git a/test/test.sh b/test/test.sh index 919d7a9c..2559f058 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,7 +60,6 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT -unset AFL_POST_LIBRARY unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD 
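Review bot: In test/test-multiple-mutators.c at @@ -12 the new `read(0, s, 100)` ignores its return value and `s` is no longer zeroed, so for inputs shorter than eight bytes `s[7]` is read uninitialized and the abort decision becomes non-deterministic — a problem for a target whose purpose is to check that the mutators reliably reach the crash. Keep the harness deterministic with `ssize_t n = read(0, s, sizeof(s));` and `if (n > 7 && s[7] == 'B') { abort(); }`, or restore the `memset(s, 0, sizeof(s));` before the read.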
@@ -339,23 +338,28 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { rm -f test-instr.plain # now for the special llvm_mode things - AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out - test -e test-instr.instrim && { - TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` - test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && { - $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine" + test -e ../libLLVMInsTrim.so && { + AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out + test -e test-instr.instrim && { + TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` + test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && { + $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine" + } || { + $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES" + CODE=1 + } + rm -f test-instr.instrim test.out } || { - $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES" + $ECHO "$RED[!] llvm_mode InsTrim compilation failed" CODE=1 } - rm -f test-instr.instrim test.out } || { - $ECHO "$RED[!] llvm_mode InsTrim compilation failed" - CODE=1 + $ECHO "$YELLOW[-] llvm_mode InsTrim not compiled, cannot test" + INCOMPLETE=1 } AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { - grep -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { + grep --binary-files=text -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" } || { $ECHO "$RED[!] 
llvm_mode laf-intel/compcov feature failed" @@ -882,8 +886,28 @@ $ECHO "$BLUE[*] Testing: unicorn_mode" test -d ../unicorn_mode/unicornafl && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { + # some python version should be available now + PYTHONS="`command -v python3` `command -v python` `command -v python2`" + EASY_INSTALL_FOUND=0 + for PYTHON in $PYTHONS ; do + + if $PYTHON -c "help('easy_install');" </dev/null | grep -q module ; then + + EASY_INSTALL_FOUND=1 + PY=$PYTHON + break + + fi + + done + if [ "0" = $EASY_INSTALL_FOUND ]; then + + echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." + PREREQ_NOTFOUND=1 + + fi + # travis workaround - PY=`command -v python` test "$PY" = "/opt/pyenv/shims/python" -a -x /usr/bin/python && PY=/usr/bin/python mkdir -p in echo 0 > in/in @@ -942,11 +966,8 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$BLUE[*] Testing: custom mutator" test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { - test `uname -s` = 'Darwin' && { - CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) - } || { - CUSTOM_MUTATOR_PATH=$( readlink -f ../examples/custom_mutators ) - } + # normalize path + CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../examples/custom_mutators;pwd) test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { unset AFL_CC # Compile the vulnerable program for single mutator 
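Review bot: The setuptools probe `$PYTHON -c "help('easy_install');" </dev/null | grep -q module` differs from the `import setuptools` probe this same commit adds to unicorn_mode/build_unicorn_support.sh, so the two scripts can pick different interpreters on the same host and the test may not exercise the one the build used; `if $PYTHON -c "import setuptools" 2>/dev/null; then` would keep them aligned. When no candidate passes, `PREREQ_NOTFOUND=1` is set but `PY` stays unset and the script continues into the travis workaround with an empty `$PY`; I cannot see from this hunk whether `PREREQ_NOTFOUND` is checked before `$PY` is executed, so either abort here or guard the later invocation. The enclosing block continues outside the hunk.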
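Review bot: In `CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../examples/custom_mutators;pwd)` the `;` lets `pwd` run even when the `cd` fails, so on a missing or unreadable directory the variable silently becomes the current test directory and only the following `test -e ${CUSTOM_MUTATOR_PATH}/example.c` stands between that and the later `rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/`. The `$(pwd)/` prefix is also redundant for a relative `cd`. Write it as `CUSTOM_MUTATOR_PATH=$(cd ../examples/custom_mutators && pwd)` so a failed `cd` yields an empty value that the existence test rejects.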
@@ -970,16 +991,17 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { } } # Compile the custom mutator - make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1 - test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { + cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 + test -e test-custom-mutator -a -e ./libexamplemutator.so && { # Create input directory mkdir -p in echo "00000" > in/in # Run afl-fuzz w/ the C mutator - $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 5 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results 
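Review bot: Only `./libexamplemutator.so` is checked for existence, while `libexamplemutator2.so` is compiled with its diagnostics sent to `/dev/null` and then used by the multiple-mutator run in the `@@ -996` hunk without any check; if its build fails, that run proceeds with a missing library and the resulting report is about the wrong problem. Extend the guard to `test -e test-custom-mutator -a -e ./libexamplemutator.so -a -e ./libexamplemutator2.so && {`. The progress message says "approx 5 seconds" while the run is now `-V1`; consider matching the two so the message stays honest. The enclosing block continues outside the hunk.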
@@ -996,10 +1018,10 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # Clean rm -rf out errors - #Run afl-fuzz w/ multiple C mutators - $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 20 seconds" + # Run afl-fuzz w/ multiple C mutators + $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 5 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="${CUSTOM_MUTATOR_PATH}/libexamplemutator.so;${CUSTOM_MUTATOR_PATH}/libexamplemutator.so" ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here @@ -1016,11 +1038,11 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { rm -rf out errors # Run afl-fuzz w/ the Python mutator - $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 5 seconds" { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V5 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 @@ -1039,7 +1061,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # Clean rm -rf in out errors rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/ - rm -f test-multiple-mutators + rm -f test-multiple-mutators test-custom-mutator libexamplemutator.so libexamplemutator2.so } || { ls . ls ${CUSTOM_MUTATOR_PATH} 
diff --git a/test/travis/bionic/Dockerfile b/test/travis/bionic/Dockerfile index 3883f775..d1b53e70 100644 --- a/test/travis/bionic/Dockerfile +++ b/test/travis/bionic/Dockerfile @@ -16,6 +16,7 @@ RUN apt-get update && apt-get -y install \ flex \ git \ python3.7 python3.7-dev \ + python3-setuptools \ libtool libtool-bin \ libglib2.0-dev \ python-setuptools \ diff --git a/test/travis/focal/Dockerfile b/test/travis/focal/Dockerfile new file mode 100644 index 00000000..27d994f2 --- /dev/null +++ b/test/travis/focal/Dockerfile @@ -0,0 +1,45 @@ +# This is the Dockerfile for testing problems in Travis build +# configuration #1. +# This needs not to be rebuild everytime, most of the time it needs just to +# be build once and then started when debugging issues and execute: +# cd /AFLplusplus/ +# git pull +# make distrib +# +FROM ubuntu:focal +LABEL "about"="travis image 4" +ARG DEBIAN_FRONTEND=noninteractive +RUN apt-get update && apt-get -y install \ + automake \ + bison \ + build-essential \ + clang \ + flex \ + git \ + python3 python3-dev \ + python3-setuptools \ + libtool libtool-bin \ + libglib2.0-dev \ + python-setuptools \ + wget \ + ca-certificates \ + libpixman-1-dev \ + gcc-9 gcc-9-plugin-dev libc++-9-dev \ + findutils \ + libcmocka-dev \ + joe nano vim locate \ + && rm -rf /var/lib/apt/lists/* + +ENV AFL_NO_UI=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 + +RUN cd / && \ + git clone https://github.com/AFLplusplus/AFLplusplus && \ + cd AFLplusplus && \ + git checkout dev && \ + cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ + cd ../unicorn_mode && git submodule init && git submodule update || true && \ + cd /AFLplusplus && ASAN_BUILD=1 make source-only || true + +WORKDIR /AFLplusplus +CMD ["/bin/bash"] diff --git a/test/travis/trusty/Dockerfile b/test/travis/trusty/Dockerfile index 7b86f3e7..0a6f1804 100644 --- a/test/travis/trusty/Dockerfile +++ b/test/travis/trusty/Dockerfile 
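Review bot: In the `RUN cd / && git clone ...` chain, `||` and `&&` bind left-to-right, so `... git submodule update || true && cd /AFLplusplus && ASAN_BUILD=1 make source-only || true` turns a failure of any earlier step — the clone, `git checkout dev`, the qemu `wget` — into success and the image builds without sources; `WORKDIR /AFLplusplus` then just creates an empty directory. If only the submodule update and the build are meant to be best-effort, group them: `cd ../unicorn_mode && (git submodule init && git submodule update || true) && cd /AFLplusplus && (ASAN_BUILD=1 make source-only || true)`. The qemu tarball is fetched over plain `http://` with no checksum in this file; presumably the qemu build script verifies it later, but that is not visible here. The `LABEL "about"="travis image 4"` does not match the header comment's "configuration #1".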
@@ -16,6 +16,7 @@ RUN apt-get update && apt-get -y install \ flex \ git \ python2.7 python2.7-dev \ + python3-setuptools \ libtool \ libglib2.0-dev \ python-setuptools \ diff --git a/test/travis/xenial/Dockerfile b/test/travis/xenial/Dockerfile index a5f8d359..6aa4b1d1 100644 --- a/test/travis/xenial/Dockerfile +++ b/test/travis/xenial/Dockerfile @@ -16,6 +16,7 @@ RUN apt-get update && apt-get -y install \ flex \ git \ python3 python3-dev \ + python3-setuptools \ libtool libtool-bin \ libglib2.0-dev \ python-setuptools \ diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 336c171b..bb3959ea 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -a5b7900 +5833117 diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index aeb26945..79a5a4a9 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -65,9 +65,8 @@ if [ ! -f "../afl-showmap" ]; then fi -PYTHONBIN=python +PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3` MAKECMD=make -EASY_INSTALL='easy_install' TARCMD=tar if [ "$PLT" = "Linux" ]; then @@ -77,14 +76,12 @@ fi if [ "$PLT" = "Darwin" ]; then CORES=`sysctl -n hw.ncpu` TARCMD=tar - PYTHONBIN=python3 fi if [ "$PLT" = "FreeBSD" ]; then MAKECMD=gmake CORES=`sysctl -n hw.ncpu` TARCMD=gtar - PYTHONBIN=python3 fi if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then 
@@ -107,28 +104,24 @@ for i in $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do done -if ! command -v $EASY_INSTALL >/dev/null; then +# some python version should be available now +PYTHONS="`command -v python3` `command -v python` `command -v python2`" +EASY_INSTALL_FOUND=0 +for PYTHON in $PYTHONS ; do - # work around for installs with executable easy_install - EASY_INSTALL_FOUND=0 - MYPYTHONPATH=`python -v </dev/null 2>&1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p}'` - for PATHCANDIDATE in \ - "dist-packages/" \ - "site-packages/" - do - if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then + if $PYTHON -c "import setuptools" ; then - EASY_INSTALL_FOUND=1 - break + EASY_INSTALL_FOUND=1 + PYTHONBIN=$PYTHON + break - fi - done - if [ "0" = $EASY_INSTALL_FOUND ]; then + fi - echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." - PREREQ_NOTFOUND=1 +done +if [ "0" = $EASY_INSTALL_FOUND ]; then - fi + echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools', or install python3-setuptools, or run '$PYTHONBIN -m ensurepip', or create a virtualenv, or ..." + PREREQ_NOTFOUND=1 fi diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl -Subproject a5b79002ca18219c83f9aec4e71007917c6be2e +Subproject 5833117abf55d54c4191ead81312764df03a48b diff --git a/unicorn_mode/update_uc_ref.sh b/unicorn_mode/update_uc_ref.sh index 486f37d6..21450e69 100755 --- a/unicorn_mode/update_uc_ref.sh +++ b/unicorn_mode/update_uc_ref.sh @@ -24,6 +24,7 @@ cd ./unicornafl || exit 1 git fetch origin master 1>/dev/null || exit 1 git stash 1>/dev/null 2>/dev/null git stash drop 1>/dev/null 2>/dev/null +git checkout master if [ -z "$NEW_VERSION" ]; then # No version provided, take HEAD. |
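Review bot: `$PYTHON -c "import setuptools"` prints a full traceback to stderr for every candidate interpreter that lacks setuptools before the loop reaches one that has it, which reads like a failure on an otherwise successful run; `if $PYTHON -c "import setuptools" 2>/dev/null; then` keeps the probe quiet. The probe also differs from the `help('easy_install')` check the same commit adds to test/test.sh, so the two scripts may select different interpreters on the same host. The `for i in $PYTHONBIN ...` availability check in the hunk's context runs against the interpreter chosen earlier, and this loop may then replace `PYTHONBIN` with another one; that looks harmless since every candidate comes from `command -v`, but a one-line comment above the loop noting that `PYTHONBIN` is re-selected here would help the next reader.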
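Review bot: The added `git checkout master` is the only git command in this hunk without an exit check; `git fetch origin master 1>/dev/null || exit 1` above it aborts on failure, but a failed checkout (for example an untracked file the stash did not cover) lets the script continue on whatever branch is current and pin the wrong commit. Write it as `git checkout master 1>/dev/null || exit 1`. Note that the fetch updates `origin/master`, not the local `master`, so unless the lines after the hunk reset or pull, the checked-out branch may lag the fetched ref.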