diff options
| -rw-r--r-- | GNUmakefile.llvm | 2 | ||||
| -rw-r--r-- | TODO.md | 1 | ||||
| -rw-r--r-- | docs/Changelog.md | 2 | ||||
| -rw-r--r-- | include/config.h | 2 | ||||
| -rw-r--r-- | include/envs.h | 24 | ||||
| -rw-r--r-- | include/forkserver.h | 2 | ||||
| -rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 6 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-common.cc | 45 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-common.h | 1 | ||||
| -rw-r--r-- | instrumentation/compare-transform-pass.so.cc | 37 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 3 | ||||
| -rw-r--r-- | test/test-cmplog.c | 7 | ||||
| -rwxr-xr-x | test/test-llvm.sh | 5 |
14 files changed, 105 insertions, 34 deletions
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 98ae461c..70c54f1c 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -46,7 +46,7 @@ LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' ) LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' | sed 's/rc.*//' ) LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-8]\.' && echo 1 || echo 0 ) -LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[8-9]|^2[0-9]' && echo 1 || echo 0 ) +LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^19|^2[0-9]' && echo 1 || echo 0 ) LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 ) LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 ) LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 ) diff --git a/TODO.md b/TODO.md index d47372b8..20f3425f 100644 --- a/TODO.md +++ b/TODO.md @@ -11,6 +11,7 @@ - afl-showmap -f support - afl-fuzz multicore wrapper script - when trimming then perform crash detection + - cyclomatic complexity: 2 + calls + edges - blocks ## Should diff --git a/docs/Changelog.md b/docs/Changelog.md index 818010a7..79594e38 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -15,6 +15,8 @@ - re-enable i386 support that was accidently disabled - fixes for LTO and outdated afl-gcc mode - fix COMPCOV split compare for old LLVMs + - disable xml/curl/g_ string transform functions because we do not check + for null pointers ... TODO - ensure shared memory variables are visible in weird build setups * afl-cmin - work with input files that have a space diff --git a/include/config.h b/include/config.h index a2ff68ea..3727dab1 100644 --- a/include/config.h +++ b/include/config.h @@ -464,7 +464,7 @@ /* Do not change this unless you really know what you are doing. */ #define MAP_SIZE (1U << MAP_SIZE_POW2) -#if MAP_SIZE <= 65536 +#if MAP_SIZE <= 2097152 #define MAP_INITIAL_SIZE (2 << 20) // = 2097152 #else #define MAP_INITIAL_SIZE MAP_SIZE diff --git a/include/envs.h b/include/envs.h index 2f5b0d60..5b516905 100644 --- a/include/envs.h +++ b/include/envs.h @@ -21,18 +21,18 @@ static char *afl_environment_variables[] = { "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CC_COMPILER", "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMPLOG_ONLY_NEW", "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME", - "AFL_CMPLOG_MAX_LEN", "AFL_COMPCOV_LEVEL", "AFL_CRASH_EXITCODE", - "AFL_CRASHING_SEEDS_AS_NEW_CRASH", "AFL_CUSTOM_MUTATOR_LIBRARY", - "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_INFO_PROGRAM", - "AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_INFO_PROGRAM_INPUT", - "AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG", - "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN", - "AFL_DISABLE_REDUNDANT", "AFL_NO_REDUNDANT", "AFL_DISABLE_TRIM", - "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE", - "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV", - "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE", - "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL", - "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS", + "AFL_DUMP_CYCLOMATIC_COMPLEXITY", "AFL_CMPLOG_MAX_LEN", "AFL_COMPCOV_LEVEL", + "AFL_CRASH_EXITCODE", "AFL_CRASHING_SEEDS_AS_NEW_CRASH", + "AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY", + "AFL_CUSTOM_INFO_PROGRAM", "AFL_CUSTOM_INFO_PROGRAM_ARGV", + "AFL_CUSTOM_INFO_PROGRAM_INPUT", "AFL_CUSTOM_INFO_OUT", "AFL_CXX", + "AFL_CYCLE_SCHEDULES", "AFL_DEBUG", "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", + "AFL_DEBUG_UNICORN", "AFL_DISABLE_REDUNDANT", "AFL_NO_REDUNDANT", + "AFL_DISABLE_TRIM", "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION", + "AFL_DONT_OPTIMIZE", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", + "AFL_DUMB_FORKSRV", "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", + "AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", + "AFL_FAST_CAL", "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS", "AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES", "AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE", "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE", diff --git a/include/forkserver.h b/include/forkserver.h index 68907376..593e34a2 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -188,6 +188,8 @@ typedef struct afl_forkserver { u8 persistent_mode; + u32 max_length; + #ifdef __linux__ nyx_plugin_handler_t *nyx_handlers; char *out_dir_path; /* path to the output directory */ diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index f88ce126..01881f28 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -195,7 +195,7 @@ class ModuleSanitizerCoverageAFL SanitizerCoverageOptions Options; - uint32_t instr = 0, selects = 0, unhandled = 0; + uint32_t instr = 0, selects = 0, unhandled = 0, dump_cc = 0; GlobalVariable *AFLMapPtr = NULL; ConstantInt *One = NULL; ConstantInt *Zero = NULL; @@ -330,6 +330,8 @@ bool ModuleSanitizerCoverageAFL::instrumentModule( if (getenv("AFL_DEBUG")) { debug = 1; } + if (getenv("AFL_DUMP_CYCLOMATIC_COMPLEXITY")) { dump_cc = 1; } + if ((isatty(2) && !getenv("AFL_QUIET")) || debug) { SAYF(cCYA "SanitizerCoveragePCGUARD" VERSION cRST "\n"); @@ -638,6 +640,8 @@ void ModuleSanitizerCoverageAFL::instrumentFunction( // InjectTraceForCmp(F, CmpTraceTargets); // InjectTraceForSwitch(F, SwitchTraceTargets); + if (dump_cc) { calcCyclomaticComplexity(&F); } + } GlobalVariable *ModuleSanitizerCoverageAFL::CreateFunctionLocalArrayInSection( diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc index 8e9e7800..ed9268dc 100644 --- a/instrumentation/afl-llvm-common.cc +++ b/instrumentation/afl-llvm-common.cc @@ -26,6 +26,51 @@ static std::list<std::string> allowListFunctions; static std::list<std::string> denyListFiles; static std::list<std::string> denyListFunctions; +unsigned int calcCyclomaticComplexity(llvm::Function *F) { + + unsigned int numBlocks = 0; + unsigned int numEdges = 0; + unsigned int numCalls = 0; + + // Iterate through each basic block in the function + for (BasicBlock &BB : *F) { + + // count all nodes == basic blocks + numBlocks++; + // Count the number of successors (outgoing edges) + for (BasicBlock *Succ : successors(&BB)) { + + // count edges for CC + numEdges++; + (void)(Succ); + + } + + for (Instruction &I : BB) { + + // every call is also an edge, so we need to count the calls too + if (isa<CallInst>(&I) || isa<InvokeInst>(&I)) { numCalls++; } + + } + + } + + // Cyclomatic Complexity V(G) = E - N + 2P + // For a single function, P (number of connected components) is 1 + // Calls are considered to be an edge + unsigned int CC = 2 + numCalls + numEdges - numBlocks; + + // if (debug) { + + fprintf(stderr, "CyclomaticComplexity for %s: %u\n", + F->getName().str().c_str(), CC); + + //} + + return CC; + +} + char *getBBName(const llvm::BasicBlock *BB) { static char *name; diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h index 23f67179..6b628d64 100644 --- a/instrumentation/afl-llvm-common.h +++ b/instrumentation/afl-llvm-common.h @@ -55,6 +55,7 @@ void initInstrumentList(); bool isInInstrumentList(llvm::Function *F, std::string Filename); unsigned long long int calculateCollisions(uint32_t edges); void scanForDangerousFunctions(llvm::Module *M); +unsigned int calcCyclomaticComplexity(llvm::Function *F); #ifndef IS_EXTERN #define IS_EXTERN diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index f8ba9de5..496d69fc 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc @@ -230,38 +230,38 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, if (callInst->getCallingConv() != llvm::CallingConv::C) continue; StringRef FuncName = Callee->getName(); isStrcmp &= - (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") || + (!FuncName.compare("strcmp") /*|| !FuncName.compare("xmlStrcmp") || !FuncName.compare("xmlStrEqual") || !FuncName.compare("curl_strequal") || !FuncName.compare("strcsequal") || - !FuncName.compare("g_strcmp0")); + !FuncName.compare("g_strcmp0")*/); isMemcmp &= (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") || !FuncName.compare("CRYPTO_memcmp") || !FuncName.compare("OPENSSL_memcmp") || !FuncName.compare("memcmp_const_time") || !FuncName.compare("memcmpct")); - isStrncmp &= (!FuncName.compare("strncmp") || + isStrncmp &= (!FuncName.compare("strncmp")/* || !FuncName.compare("curl_strnequal") || - !FuncName.compare("xmlStrncmp")); + !FuncName.compare("xmlStrncmp")*/); isStrcasecmp &= (!FuncName.compare("strcasecmp") || !FuncName.compare("stricmp") || !FuncName.compare("ap_cstr_casecmp") || !FuncName.compare("OPENSSL_strcasecmp") || - !FuncName.compare("xmlStrcasecmp") || + /*!FuncName.compare("xmlStrcasecmp") || !FuncName.compare("g_strcasecmp") || !FuncName.compare("g_ascii_strcasecmp") || !FuncName.compare("Curl_strcasecompare") || - !FuncName.compare("Curl_safe_strcasecompare") || + !FuncName.compare("Curl_safe_strcasecompare") ||*/ !FuncName.compare("cmsstrcasecmp")); isStrncasecmp &= (!FuncName.compare("strncasecmp") || !FuncName.compare("strnicmp") || !FuncName.compare("ap_cstr_casecmpn") || - !FuncName.compare("OPENSSL_strncasecmp") || + !FuncName.compare("OPENSSL_strncasecmp") /*|| !FuncName.compare("xmlStrncasecmp") || !FuncName.compare("g_ascii_strncasecmp") || !FuncName.compare("Curl_strncasecompare") || - !FuncName.compare("g_strncasecmp")); + !FuncName.compare("g_strncasecmp")*/); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && @@ -465,8 +465,20 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, bool isCaseInsensitive = false; bool needs_null = false; bool success_is_one = false; + bool nullCheck = false; Function *Callee = callInst->getCalledFunction(); + /* + fprintf(stderr, "%s - %s - %s\n", + callInst->getParent() + ->getParent() + ->getParent() + ->getName() + .str() + .c_str(), + callInst->getParent()->getParent()->getName().str().c_str(), + Callee ? Callee->getName().str().c_str() : "NULL");*/ + if (Callee) { if (!Callee->getName().compare("memcmp") || @@ -520,6 +532,11 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, } if (!isSizedcmp) needs_null = true; + if (Callee->getName().startswith("g_") || + Callee->getName().startswith("curl_") || + Callee->getName().startswith("Curl_") || + Callee->getName().startswith("xml")) + nullCheck = true; Value *sizedValue = isSizedcmp ? callInst->getArgOperand(2) : NULL; bool isConstSized = sizedValue && isa<ConstantInt>(sizedValue); @@ -604,8 +621,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, /* split before the call instruction */ BasicBlock *bb = callInst->getParent(); BasicBlock *end_bb = bb->splitBasicBlock(BasicBlock::iterator(callInst)); - BasicBlock *next_lenchk_bb = NULL; + + if (nullCheck) { fprintf(stderr, "TODO: null check\n"); } + if (isSizedcmp && !isConstSized) { next_lenchk_bb = diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index e5f64c81..beb6bdeb 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -578,7 +578,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path); fsrv->nyx_handlers->nyx_config_set_workdir_path(nyx_config, workdir_path); - fsrv->nyx_handlers->nyx_config_set_input_buffer_size(nyx_config, MAX_FILE); + fsrv->nyx_handlers->nyx_config_set_input_buffer_size(nyx_config, fsrv->max_length); fsrv->nyx_handlers->nyx_config_set_input_buffer_write_protection(nyx_config, true); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index bb9c270f..1f0037ba 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1805,7 +1805,8 @@ int main(int argc, char **argv_orig, char **envp) { afl_realloc(AFL_BUF_PARAM(ex), min_alloc); afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; - + afl->fsrv.max_length = afl->max_length; + #ifdef __linux__ if (!afl->fsrv.nyx_mode) { diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 2ab579b0..0c91b21c 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -10,12 +10,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { if (i < 15) return -1; if (buf[0] != 'A') return 0; - if (buf[1] != 'B') return 0; - if (buf[2] != 'C') return 0; - if (buf[3] != 'D') return 0; - int *icmp = (int *)(buf + 4); + int *icmp = (int *)(buf + 1); if (*icmp != 0x69694141) return 0; - if (memcmp(buf + 8, "1234EF", 6) == 0) abort(); + if (memcmp(buf + 5, "1234EF", 6) == 0) abort(); return 0; } diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 13e1bad1..4dd35e6e 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -264,13 +264,12 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } rm -f test-compcov test.out instrumentlist.txt AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1 - ../afl-clang-fast -O0 -o test-c test-cmplog.c > /dev/null 2>&1 test -e test-cmplog && { $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" { mkdir -p in echo 00000000000000000000000000000000 > in/in - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -Z -l 3 -m none -V30 -i in -o out -c ./test-cmplog -- ./test-c >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -Z -l 3 -m none -V30 -i in -o out -c 0 -- ./test-cmplog >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" @@ -285,7 +284,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$YELLOW[-] we cannot test llvm_mode cmplog because it is not present" INCOMPLETE=1 } - rm -rf errors test-cmplog test-c in core.* + rm -rf errors test-cmplog in core.* ../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { |