-rw-r--r--llvm_mode/afl-llvm-rt.o.c19
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-inl.h14
-rw-r--r--src/afl-forkserver.c2
-rw-r--r--src/afl-fuzz-init.c28
-rw-r--r--unicorn_mode/UNICORNAFL_VERSION2
-rw-r--r--unicorn_mode/samples/compcov_x64/compcov_test_harness.py12
-rw-r--r--unicorn_mode/samples/persistent/Makefile2
-rw-r--r--unicorn_mode/samples/persistent/harness.c10
m---------unicorn_mode/unicornafl0
9 files changed, 49 insertions, 40 deletions
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index e039d42e..cc1c7c20 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -122,6 +122,8 @@ static void __afl_map_shm_fuzz() {
 
   if (id_str) {
 
+    u8 *map = NULL;
+
 #ifdef USEMMAP
     const char *   shm_file_path = id_str;
     int            shm_fd = -1;
@@ -137,26 +139,29 @@ static void __afl_map_shm_fuzz() {
 
     }
 
-    __afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
+    map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
 
 #else
     u32 shm_id = atoi(id_str);
-
-    __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
+    map = (u8 *)shmat(shm_id, NULL, 0);
 
 #endif
 
     /* Whooooops. */
 
-    if (__afl_fuzz_len == (void *)-1) {
+    if (!map || map == (void *)-1) {
 
-      fprintf(stderr, "Error: could not access fuzzing shared memory\n");
+      perror("Could not access fuzzign shared memory");
       exit(1);
 
     }
 
-    if (getenv("AFL_DEBUG"))
+    __afl_fuzz_len = (u32 *)map;
+    __afl_fuzz_ptr = (u8 *)(map + sizeof(u32));
+
+    if (getenv("AFL_DEBUG")) {
       fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n");
+    }
 
   } else {
 
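Review bot: The USEMMAP branch still maps only `MAX_FILE` bytes (`map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);`) while the fuzzer side in afl-fuzz-init.c now creates the region as `MAX_FILE + sizeof(u32)` and this hunk carves the length word out of the front of it, so the payload window `__afl_fuzz_ptr .. __afl_fuzz_ptr + MAX_FILE` ends `sizeof(u32)` bytes past the mapping; it should be `map = (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0);`. Whether a maximum-size test case actually faults depends on MAX_FILE's page alignment, which is not visible here, but the read is past the mapped length either way. The new `perror` string also carries a typo, `fuzzign`, which should read `fuzzing` like its QEMU counterpart. The `!map` clause is harmless but redundant, since both mmap and shmat report failure with `(void *)-1`. `__afl_map_shm_fuzz` continues past the end of this hunk.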
@@ -165,8 +170,6 @@ static void __afl_map_shm_fuzz() {
 
   }
 
-  __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
-
 }
 
 /* SHM setup. */
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index e4953cb1..8dea004e 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -147,20 +147,22 @@ static void afl_map_shm_fuzz(void) {
   if (id_str) {
 
     u32 shm_id = atoi(id_str);
-    shared_buf_len = (u32 *)shmat(shm_id, NULL, 0);
-    shared_buf = (u8 *)(shared_buf_len + sizeof(int));
-
+    u8 *map = (u8 *)shmat(shm_id, NULL, 0);
     /* Whooooops. */
 
-    if (shared_buf == (void *)-1) {
+    if (!map || map == (void *)-1) {
 
-      fprintf(stderr, "[AFL] ERROR:  could not access fuzzing shared memory\n");
+      perror("[AFL] ERROR: could not access fuzzing shared memory");
       exit(1);
 
     }
 
-    if (getenv("AFL_DEBUG"))
+    shared_buf_len = (u32 *)map;
+    shared_buf = map + sizeof(u32);
+
+    if (getenv("AFL_DEBUG")) {
       fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n");
+    }
 
   } else {
 
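Review bot: The new `u8 *map = (u8 *)shmat(shm_id, NULL, 0);` runs straight into the `/* Whooooops. */` comment because the separating blank line was dropped, whereas the matching llvm_mode change keeps one; restore the blank line so the two copies of this routine read the same. The `!map` test is redundant for shmat, which signals failure only with `(void *)-1`, though it does no harm. `afl_map_shm_fuzz` continues past the end of this hunk.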
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 505fb7a3..36126aa7 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
 
     *fsrv->shmem_fuzz_len = len;
     memcpy(fsrv->shmem_fuzz, buf, len);
-    // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);
+    //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout);
 
   } else {
 
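Review bot: The replaced line is still commented-out debug code, `//printf("test case len: %u [0]:0x%02x\n", ...); fflush(stdout);`, which should either be deleted or compiled under a guard such as `#ifdef AFL_DEBUG` rather than toggled by hand in a comment. If it is ever re-enabled as written, `buf[0]` is read without checking `len`, so a zero-length test case would read one byte past the buffer. The surrounding `*fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len);` is unchanged context that stores a `size_t` into a `u32` and relies on callers bounding `len` by MAX_FILE, which is not visible here. `afl_fsrv_write_to_testcase` begins before and continues after this hunk.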
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 96d4fc46..54d65b9e 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1960,28 +1960,22 @@ void setup_testcase_shmem(afl_state_t *afl) {
   afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
 
   // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
-  if ((afl->fsrv.shmem_fuzz_len =
-           (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
+  u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
+
+  if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
 
 #ifdef USEMMAP
-    setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
+  setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
 #else
-    u8 *shm_str;
-    shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
-    setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
-    ck_free(shm_str);
+  u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
+  setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
+  ck_free(shm_str);
 #endif
-    afl->fsrv.support_shmem_fuzz = 1;
-    afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int));
-
-  } else {
-
-    ck_free(afl->shm_fuzz);
-    afl->shm_fuzz = NULL;
+  afl->fsrv.support_shmem_fuzz = 1;
+  afl->fsrv.shmem_fuzz_len = (u32 *)map;
+  afl->fsrv.shmem_fuzz = map + sizeof(u32);
 
-  }
-
-}
+ }
 
 /* Do a PATH search and find target binary to see that it exists and
    isn't a shell script - a common and painful mistake. We also check for
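Review bot: The closing brace of `setup_testcase_shmem` is now indented by one space (` }`), out of line with the column-0 function braces elsewhere in the file; drop the leading space. The rewrite also replaces the old graceful fall-back to file-based test cases with `FATAL("BUG: Zero return from afl_shm_init.")`, which is only correct if `afl_shm_init` aborts itself on every failure so that a NULL return really is a programming error; that is not shown in this hunk, so a one-line comment above the check stating that assumption, e.g. `/* afl_shm_init() FATALs on failure, so NULL here is a bug, not an error */`, would help the next reader. The `setenv` return values remain unchecked, as before.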
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 5d10f094..a8527cd5 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-9e9b72a
+e30e3eb
diff --git a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
index 3861f205..b9ebb61d 100644
--- a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
+++ b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-""" 
+"""
    Simple test harness for AFL's Unicorn Mode.
 
    This loads the compcov_target.bin binary (precompiled as MIPS code) into
@@ -11,7 +11,7 @@
    Run under AFL as follows:
 
    $ cd <afl_path>/unicorn_mode/samples/simple/
-   $ ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@ 
+   $ AFL_COMPCOV_LEVEL=2 ../../../afl-fuzz -U -m none -i ./sample_inputs -o ./output -- python compcov_test_harness.py @@
 """
 
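Review bot: The updated usage line is still preceded by `$ cd <afl_path>/unicorn_mode/samples/simple/`, which is the wrong directory for this harness; the file lives in `unicorn_mode/samples/compcov_x64/`, so the command as documented would not find `compcov_test_harness.py` or `./sample_inputs`. Change it to `$ cd <afl_path>/unicorn_mode/samples/compcov_x64/`. The same docstring describes the target as "precompiled as MIPS code" for a sample in a directory named compcov_x64; I cannot tell from here which is current, but one of the two looks stale and is worth checking while this block is being edited.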
 import argparse
@@ -42,22 +42,22 @@ try:
             print("    Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr))
 except ImportError:
     def unicorn_debug_instruction(uc, address, size, user_data):
-        print("    Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))    
+        print("    Instr: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
 
 def unicorn_debug_block(uc, address, size, user_data):
     print("Basic Block: addr=0x{0:016x}, size=0x{1:016x}".format(address, size))
-    
+
 def unicorn_debug_mem_access(uc, access, address, size, value, user_data):
     if access == UC_MEM_WRITE:
         print("        >>> Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value))
     else:
-        print("        >>> Read: addr=0x{0:016x} size={1}".format(address, size))    
+        print("        >>> Read: addr=0x{0:016x} size={1}".format(address, size))
 
 def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data):
     if access == UC_MEM_WRITE_UNMAPPED:
         print("        >>> INVALID Write: addr=0x{0:016x} size={1} data=0x{2:016x}".format(address, size, value))
     else:
-        print("        >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size))   
+        print("        >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size))
 
 def main():
 
diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile
index cd43bf02..80a47550 100644
--- a/unicorn_mode/samples/persistent/Makefile
+++ b/unicorn_mode/samples/persistent/Makefile
@@ -38,7 +38,7 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h
 	${MYCC} ${CFLAGS} -O3 -c harness.c
 
 harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
-	${MYCC} ${CFLAGS} -g -c harness.c -o $@
+	${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@
 
 harness: harness.o
 	${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@
diff --git a/unicorn_mode/samples/persistent/harness.c b/unicorn_mode/samples/persistent/harness.c
index a30af109..30013b4c 100644
--- a/unicorn_mode/samples/persistent/harness.c
+++ b/unicorn_mode/samples/persistent/harness.c
@@ -129,6 +129,16 @@ static bool place_input_callback(
         return false;
     }
 
+#if defined(AFL_DEBUG)
+    printf("[d] harness: input len=%ld, [ ", input_len);
+    int i = 0;
+    for (i = 0; i < input_len && i < 16; i++) {
+        printf("0x%02x ", (unsigned char) input[i]);
+    }
+    if (input_len > 16) printf("... ");
+    printf("]\n");
+#endif
+
     // For persistent mode, we have to set up stack and memory each time.
     uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back
     // Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly)
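Review bot: The new debug block prints `input_len` with `%ld` and walks it with an `int i`; if `input_len` is `size_t`, as unicornafl's place-input callback signature normally declares (the signature is outside this hunk), `%ld` is a mismatched format specifier, which is undefined behaviour, and `i < input_len` is a signed/unsigned comparison. Use `printf("[d] harness: input len=%zu, [ ", input_len);` and `for (size_t i = 0; i < input_len && i < 16; i++) {`, dropping the separate `int i = 0;`. `place_input_callback` begins before and continues after this hunk.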
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject 9e9b72a91f84588defa1984e562cee19b4b4932
+Subproject e30e3ebbdba4d170fe9052ce5ce965a85b2e6b7