-rwxr-xr-x | afl-cmin | 6 | ||||
-rw-r--r-- | custom_mutators/grammar_mutator/GRAMMAR_VERSION | 2 | ||||
m--------- | custom_mutators/grammar_mutator/grammar_mutator | 0 | ||||
-rw-r--r-- | docs/Changelog.md | 2 | ||||
-rw-r--r-- | docs/resources/1_instrument_target.drawio.svg | 2 | ||||
-rw-r--r-- | instrumentation/README.lto.md | 12 | ||||
-rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 7 | ||||
-rw-r--r-- | instrumentation/afl-llvm-common.cc | 4 | ||||
-rw-r--r-- | nyx_mode/LIBNYX_VERSION | 2 | ||||
m--------- | nyx_mode/QEMU-Nyx | 0 | ||||
-rw-r--r-- | nyx_mode/QEMU_NYX_VERSION | 2 | ||||
m--------- | nyx_mode/libnyx | 0 | ||||
-rw-r--r-- | src/afl-cc.c | 713 | ||||
-rw-r--r-- | src/afl-fuzz.c | 2 | ||||
-rwxr-xr-x | test/test-basic.sh | 69 | ||||
-rwxr-xr-x | test/test-compilers.sh | 7 | ||||
-rwxr-xr-x | test/test-llvm.sh | 28 |
17 files changed, 706 insertions, 152 deletions
diff --git a/afl-cmin b/afl-cmin index 566f157d..4aaf3953 100755 --- a/afl-cmin +++ b/afl-cmin @@ -1,11 +1,15 @@ #!/usr/bin/env sh +SYS=$(uname -s) +test "$SYS" = "Darwin" && { + echo Error: afl-cmin does not work on Apple currently. please use afl-cmin.bash instead. + exit 1 +} export AFL_QUIET=1 export ASAN_OPTIONS=detect_leaks=0 THISPATH=`dirname ${0}` export PATH="${THISPATH}:$PATH" awk -f - -- ${@+"$@"} <<'EOF' #!/usr/bin/awk -f - # awk script to minimize a test corpus of input files # # based on afl-cmin bash script written by Michal Zalewski diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION index 2568c6a5..3a019448 100644 --- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION +++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION @@ -1 +1 @@ -ff4e5a2 +5ed4f8d diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator -Subproject ff4e5a265daf5d88c4a636fb6a2c22b1d733db0 +Subproject 5ed4f8d6e6524df9670af6b411b13031833d67d diff --git a/docs/Changelog.md b/docs/Changelog.md index c681c4e1..9accb9da 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -25,7 +25,9 @@ - plugins are now activated by default and a new module is included that produces drcov compatible traces for lighthouse/lightkeeper/... thanks to @JRomainG to submitting! + - updated Nyx checkout (fixes a bug) - updated the custom grammar mutator + - document afl-cmin does not work on macOS ### Version ++4.09c (release) diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index af6ac397..c93fa2b8 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg 
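Review bot: The new Darwin guard reports its error with a bare `echo`, so the text goes to stdout and a caller that captures or pipes afl-cmin's output never sees why the script exited 1; send it to stderr and quote it, `echo "Error: afl-cmin does not work on Apple currently. please use afl-cmin.bash instead." >&2`. The `exit 1` inside the `&& { … }` group is correct under POSIX sh because the group runs in the current shell, so the script really stops there. The lone `-` line in the hunk looks like a removed blank line (the diffstat count of 6 is consistent with five additions and one deletion), which is harmless if so. The rest of the script, the awk heredoc, continues past the hunk.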
@@ -1,4 +1,4 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- Do not edit this file with editors other than diagrams.net --> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> -<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1041px" height="301px" viewBox="-0.5 -0.5 1041 301" content="<mxfile host="Electron" modified="2022-01-14T14:14:06.979Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.1.2 Chrome/96.0.4664.55 Electron/16.0.5 Safari/537.36" etag="SKxyD_wE9pHQQvyJq3sV" version="16.1.2" type="device"><diagram name="1 - instrument target" id="y32N0Cs56pMhbVcY_pYT">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</diagram></mxfile>" style="background-color: rgb(255, 255, 255);"><defs/><g><rect x="0" y="0" width="1040" height="300" fill="rgb(255, 255, 255)" stroke="none" pointer-events="all"/><rect x="400" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 401px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Instrument target</span></div></div></div></foreignObject><text x="520" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Instrument 
target</text></switch></g><rect x="696" y="260" width="160" height="30" rx="3.6" ry="3.6" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 697px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="776" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="870" y="260" width="160" height="30" rx="3.6" ry="3.6" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 871px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="950" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" 
font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 400 139.5 L 423.63 139.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 428.88 139.5 L 421.88 143 L 423.63 139.5 L 421.88 136 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 190 139.66 L 213.63 139.66" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 218.88 139.66 L 211.88 143.16 L 213.63 139.66 L 211.88 136.16 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="10" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 11px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-selecting-the-best-afl-compiler-for-instrumenting-the-target">Select compiler</a><br /><br />LTO mode<br />(<span>clang/clang++ 11+</span><span>)</span><br /><br />LLVM mode<br />(<span>clang/clang++ 3.8+</span><span>)</span><br /><br />GCC_PLUGIN mode<br />(<span>gcc 5+</span><span>)</span><br /><br />GCC/CLANG mode<br />(other)</div></div></div></foreignObject><text x="100" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" 
text-anchor="middle">Select compiler...</text></switch></g><rect x="220" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 221px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-selecting-instrumentation-options">Select options</a><br /><br />Select options depending on<br />the compiler:<br /><br />COMPCOV<br />(only LLVM & LTO)<br /><br />CmpLog<br />(only LLVM & LTO)<br /><br />selective instrumentation<br />(LTO, LLVM, GCC_PLUGIN)</div></div></div></foreignObject><text x="310" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select options...</text></switch></g><path d="M 610 140 L 630 140 L 620 140 L 633.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 638.88 140 L 631.88 143.5 L 633.63 140 L 631.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="430" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" 
requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 431px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-selecting-sanitizers">Select sanitizer</a><br /><br />Max. one sanitizer type each<br />in a fuzzing campaign:<br /><br />ASAN<br />CFISAN<br />LSAN<br />MSAN<br />TSAN<br />UBSAN</div></div></div></foreignObject><text x="520" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select sanitizer...</text></switch></g><rect x="850" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 851px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-instrumenting-the-target">Compile 
target source code</a><br /><br />Compile target source code depending on the build system:<br /><br />configure<br />CMake<br />Meson Build System<br />other</div></div></div></foreignObject><text x="940" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Compile target source code...</text></switch></g><path d="M 820 140 L 840 140 L 830 140 L 843.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 848.88 140 L 841.88 143.5 L 843.63 140 L 841.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="640" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 641px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-modifying-the-target">Modify target</a><br /><br />Create a fuzzing harness<br />by hand for better efficiency.</div></div></div></foreignObject><text x="730" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Modify target...</text></switch></g><path d="M 10 68 L 190 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 220 68 L 400 68" 
fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 430 68 L 610 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 640 68 L 820 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 850 68 L 1030 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline at end of file +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1041px" height="301px" viewBox="-0.5 -0.5 1041 301" content="<mxfile host="Electron" modified="2022-01-14T14:14:06.979Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/16.1.2 Chrome/96.0.4664.55 Electron/16.0.5 Safari/537.36" etag="SKxyD_wE9pHQQvyJq3sV" version="16.1.2" type="device"><diagram name="1 - instrument target" id="y32N0Cs56pMhbVcY_pYT">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</diagram></mxfile>" style="background-color: rgb(255, 255, 255);"><defs/><g><rect x="0" y="0" width="1040" height="300" fill="rgb(255, 255, 255)" stroke="none" pointer-events="all"/><rect x="400" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 
401px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Instrument target</span></div></div></div></foreignObject><text x="520" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Instrument target</text></switch></g><rect x="696" y="260" width="160" height="30" rx="3.6" ry="3.6" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 697px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="776" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="870" y="260" width="160" height="30" rx="3.6" ry="3.6" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe 
center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 871px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="950" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 400 139.5 L 423.63 139.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 428.88 139.5 L 421.88 143 L 423.63 139.5 L 421.88 136 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 190 139.66 L 213.63 139.66" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 218.88 139.66 L 211.88 143.16 L 213.63 139.66 L 211.88 136.16 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="10" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 11px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a 
href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-selecting-the-best-afl-compiler-for-instrumenting-the-target">Select compiler</a><br /><br />LTO mode<br />(<span>clang/clang++ 12+</span><span>)</span><br /><br />LLVM mode<br />(<span>clang/clang++ 3.8+</span><span>)</span><br /><br />GCC_PLUGIN mode<br />(<span>gcc 5+</span><span>)</span><br /><br />GCC/CLANG mode<br />(other)</div></div></div></foreignObject><text x="100" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select compiler...</text></switch></g><rect x="220" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 221px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-selecting-instrumentation-options">Select options</a><br /><br />Select options depending on<br />the compiler:<br /><br />COMPCOV<br />(only LLVM & LTO)<br /><br />CmpLog<br />(only LLVM & LTO)<br /><br />selective instrumentation<br />(LTO, LLVM, GCC_PLUGIN)</div></div></div></foreignObject><text x="310" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select options...</text></switch></g><path d="M 610 140 L 630 140 L 
620 140 L 633.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 638.88 140 L 631.88 143.5 L 633.63 140 L 631.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="430" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 431px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-selecting-sanitizers">Select sanitizer</a><br /><br />Max. 
one sanitizer type each<br />in a fuzzing campaign:<br /><br />ASAN<br />CFISAN<br />LSAN<br />MSAN<br />TSAN<br />UBSAN</div></div></div></foreignObject><text x="520" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select sanitizer...</text></switch></g><rect x="850" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 851px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-instrumenting-the-target">Compile target source code</a><br /><br />Compile target source code depending on the build system:<br /><br />configure<br />CMake<br />Meson Build System<br />other</div></div></div></foreignObject><text x="940" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Compile target source code...</text></switch></g><path d="M 820 140 L 840 140 L 830 140 L 843.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 848.88 140 L 841.88 143.5 L 843.63 140 L 841.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="640" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" 
pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 641px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-modifying-the-target">Modify target</a><br /><br />Create a fuzzing harness<br />by hand for better efficiency.</div></div></div></foreignObject><text x="730" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Modify target...</text></switch></g><path d="M 10 68 L 190 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 220 68 L 400 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 430 68 L 610 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 640 68 L 820 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 850 68 L 1030 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline 
at end of file diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index df59cc2a..bd479c26 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -2,7 +2,7 @@ ## TL;DR: -This version requires a LLVM 11 or newer. +This version requires a LLVM 12 or newer. 1. Use afl-clang-lto/afl-clang-lto++ because the resulting binaries run slightly faster and give better coverage. @@ -10,7 +10,7 @@ This version requires a LLVM 11 or newer. 2. You can use it together with COMPCOV, COMPLOG and the instrument file listing features. -3. It only works with LLVM 11 or newer. +3. It only works with LLVM 12 or newer. 4. AUTODICTIONARY feature (see below) @@ -60,7 +60,7 @@ AUTODICTIONARY: 11 strings found [+] Instrumented 12071 locations with no collisions (on average 1046 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). ``` -## Getting LLVM 11+ +## Getting LLVM 12+ ### Installing llvm @@ -73,7 +73,7 @@ chmod +x llvm.sh sudo ./llvm.sh 15 all ``` -LLVM 11 to 16 should be available in all current Linux repositories. +LLVM 12 to 18 should be available in all current Linux repositories. ## How to build afl-clang-lto @@ -277,7 +277,7 @@ AS=llvm-as ... afl-clang-lto is still work in progress. Known issues: -* Anything that LLVM 11+ cannot compile, afl-clang-lto cannot compile either - +* Anything that LLVM 12+ cannot compile, afl-clang-lto cannot compile either - obviously. * Anything that does not compile with LTO, afl-clang-lto cannot compile either - obviously. @@ -319,7 +319,7 @@ Still more problems came up though as this only works without bugs from LLVM 9 onwards, and with high optimization the link optimization ruins the instrumented control flow graph. -This is all now fixed with LLVM 11+. The llvm's own linker is now able to load +This is all now fixed with LLVM 12+. The llvm's own linker is now able to load passes and this bypasses all problems we had. Happy end :) 
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index aae04bb1..f88ce126 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -627,6 +627,13 @@ void ModuleSanitizerCoverageAFL::instrumentFunction( } + if (debug) { + + fprintf(stderr, "SanitizerCoveragePCGUARD: instrumenting %s in %s\n", + F.getName().str().c_str(), F.getParent()->getName().str().c_str()); + + } + InjectCoverage(F, BlocksToInstrument, IsLeafFunc); // InjectTraceForCmp(F, CmpTraceTargets); // InjectTraceForSwitch(F, SwitchTraceTargets); diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc index 96952bd6..8e9e7800 100644 --- a/instrumentation/afl-llvm-common.cc +++ b/instrumentation/afl-llvm-common.cc @@ -201,7 +201,7 @@ void initInstrumentList() { if (debug) DEBUGF("loaded allowlist with %zu file and %zu function entries\n", - allowListFiles.size(), allowListFunctions.size()); + allowListFiles.size() / 4, allowListFunctions.size() / 4); } @@ -276,7 +276,7 @@ void initInstrumentList() { if (debug) DEBUGF("loaded denylist with %zu file and %zu function entries\n", - denyListFiles.size(), denyListFunctions.size()); + denyListFiles.size() / 4, denyListFunctions.size() / 4); } diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION index da3939ad..9aae19be 100644 --- a/nyx_mode/LIBNYX_VERSION +++ b/nyx_mode/LIBNYX_VERSION @@ -1 +1 @@ -512058a +6833d23 diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx -Subproject 02a6f2aed360cfe76bb3d788dafe517c350d74e +Subproject 1def26f83e83556d767754581fa52081ffb54b0 diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION index 4f58054c..cac32d41 100644 --- a/nyx_mode/QEMU_NYX_VERSION +++ b/nyx_mode/QEMU_NYX_VERSION @@ -1 +1 @@ -02a6f2aed3 +1def26f83e 
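Review bot: The new debug trace in instrumentFunction writes straight to stderr with `fprintf`, while the afl-llvm-common.cc change in this same diff uses the project's `DEBUGF` helper for the same kind of message; if DEBUGF is reachable from this translation unit, `DEBUGF("SanitizerCoveragePCGUARD: instrumenting %s in %s\n", F.getName().str().c_str(), F.getParent()->getName().str().c_str());` keeps the prefix and destination consistent across the instrumentation passes. The trace fires once per instrumented function, so it is chatty on large modules, but it is gated on `debug` so that is acceptable. instrumentFunction begins and ends outside the hunk.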
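Review bot: The `/ 4` applied to `allowListFiles.size()` and `allowListFunctions.size()` in the -201 hunk, and to the denylist sizes in the -276 hunk, is an unexplained magic divisor: nothing in either hunk says why every entry counts four times, and integer division silently truncates if a list size is ever not a multiple of four. Either keep a dedicated entry counter while the lists are loaded (that code is outside the hunks) or at least record the assumption at the message site, `// NOTE: size()/4 assumes the loader pushes every entry four times — confirm`. Both hunks sit inside initInstrumentList, whose body is outside the excerpt.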
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx -Subproject 512058a68d58b1a90a4e3971b526a955559735b +Subproject 6833d236dfe785a8a23d8c8d79e74c99fa63500 diff --git a/src/afl-cc.c b/src/afl-cc.c index 192c5423..dee90946 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -170,8 +170,10 @@ typedef struct aflcc_state { u8 have_instr_env, have_gcc, have_clang, have_llvm, have_gcc_plugin, have_lto, have_optimized_pcguard, have_instr_list; - u8 fortify_set, asan_set, x_set, bit_mode, preprocessor_only, have_unroll, - have_o, have_pic, have_c, shared_linking, partial_linking, non_dash; + u8 fortify_set, x_set, bit_mode, preprocessor_only, have_unroll, have_o, + have_pic, have_c, shared_linking, partial_linking, non_dash, have_fp, + have_flto, have_hidden, have_fortify, have_fcf, have_staticasan, + have_asan, have_msan, have_ubsan, have_lsan, have_tsan, have_cfisan; // u8 *march_opt; u8 need_aflpplib; @@ -611,26 +613,18 @@ void compiler_mode_by_callname(aflcc_state_t *aflcc) { aflcc->compiler_mode = GCC_PLUGIN; -#if defined(__x86_64__) - } else if (strncmp(aflcc->callname, "afl-gcc", 7) == 0 || strncmp(aflcc->callname, "afl-g++", 7) == 0) { aflcc->compiler_mode = GCC; -#endif - -#if defined(__x86_64__) - } else if (strcmp(aflcc->callname, "afl-clang") == 0 || strcmp(aflcc->callname, "afl-clang++") == 0) { aflcc->compiler_mode = CLANG; -#endif - } } @@ -656,7 +650,7 @@ void compiler_mode_by_environ(aflcc_state_t *aflcc) { "selected by command line parameter or symlink, ignoring the " "environment variable!"); - } + if (aflcc->compiler_mode) { } else { @@ -675,22 +669,14 @@ void compiler_mode_by_environ(aflcc_state_t *aflcc) { aflcc->compiler_mode = GCC_PLUGIN; -#if defined(__x86_64__) - } else if (strcasecmp(ptr, "GCC") == 0) { aflcc->compiler_mode = GCC; -#endif - -#if defined(__x86_64__) - } else if (strcasecmp(ptr, "CLANG") == 0) { aflcc->compiler_mode = CLANG; -#endif - } else FATAL("Unknown AFL_CC_COMPILER mode: %s\n", ptr); 
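Review bot: Dropping the `#if defined(__x86_64__)` guards around the GCC and CLANG branches in compiler_mode_by_callname (-611) and compiler_mode_by_environ (-675), together with the matching removals in compiler_mode_by_cmdline (-774) and instrument_mode_new_environ (-960, -975, -992) on the next line, lets the legacy afl-as based modes be selected on any architecture; the only remaining gate is the `have_gcc`/`have_clang` check in mode_final_checkout. That is sound only if those flags are computed with the architecture restriction (as far as I know afl-as rewrites x86 assembly only), and they are set outside this diff; if they merely probe for the afl-as binary, a non-x86 build would proceed into instrumentation that cannot work. A short comment next to these branches, `// platform gate now lives in have_gcc/have_clang (mode_final_checkout)`, would record where the restriction moved. Each of these functions begins and ends outside its hunk.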
@@ -722,7 +708,7 @@ void compiler_mode_by_cmdline(aflcc_state_t *aflcc, int argc, char **argv) { "--afl-... compiler mode supersedes the AFL_CC_COMPILER and " "symlink compiler selection!"); - } + char *ptr = NULL; ptr = argv[i]; ptr += 5; @@ -774,22 +760,14 @@ void compiler_mode_by_cmdline(aflcc_state_t *aflcc, int argc, char **argv) { aflcc->compiler_mode = GCC_PLUGIN; -#if defined(__x86_64__) - } else if (strcasecmp(ptr, "GCC") == 0) { aflcc->compiler_mode = GCC; -#endif - -#if defined(__x86_64__) - } else if (strncasecmp(ptr, "CLANG", 5) == 0) { aflcc->compiler_mode = CLANG; -#endif - } else FATAL("Unknown --afl-... compiler mode: %s\n", argv[i]); @@ -853,7 +831,8 @@ static void instrument_mode_old_environ(aflcc_state_t *aflcc) { aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CTX_K; - } + if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") || + getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) { } @@ -960,7 +939,6 @@ static void instrument_mode_new_environ(aflcc_state_t *aflcc) { } -#if defined(__x86_64__) if (strcasecmp(ptr2, "gcc") == 0) { if (!aflcc->instrument_mode || aflcc->instrument_mode == INSTRUMENT_GCC) @@ -975,9 +953,6 @@ static void instrument_mode_new_environ(aflcc_state_t *aflcc) { } -#endif - -#if defined(__x86_64__) if (strcasecmp(ptr2, "clang") == 0) { if (!aflcc->instrument_mode || aflcc->instrument_mode == INSTRUMENT_CLANG) @@ -992,8 +967,6 @@ static void instrument_mode_new_environ(aflcc_state_t *aflcc) { } -#endif - if (strncasecmp(ptr2, "ctx-", strlen("ctx-")) == 0 || strncasecmp(ptr2, "kctx-", strlen("c-ctx-")) == 0 || strncasecmp(ptr2, "k-ctx-", strlen("k-ctx-")) == 0) { 
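Review bot: In the instrument_mode_new_environ hunk (`@@ -992`), the context line `strncasecmp(ptr2, "kctx-", strlen("c-ctx-")) == 0` compares six characters against a five-character literal, so the match only succeeds if a NUL follows `kctx-` and a value such as `kctx-2` can never take this branch; the commit does not introduce this, but it sits in the code being reshuffled here. `strlen("kctx-")` is presumably what was meant, in line with the neighbouring `ctx-` and `k-ctx-` checks on the same condition. The enclosing function starts and ends outside the hunk.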
@@ -1032,21 +1005,26 @@ static void instrument_mode_new_environ(aflcc_state_t *aflcc) { } - } + if ((ptr3 = getenv("AFL_LLVM_CTX_K")) == NULL) + FATAL( + "you must set the K-CTX K with (e.g. for value 2) " + "AFL_LLVM_INSTRUMENT=ctx-2"); if (strcasecmp(ptr2, "ctx") == 0) { aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CTX; setenv("AFL_LLVM_CTX", "1", 1); - } + if (aflcc->ctx_k == 1) { if (strncasecmp(ptr2, "caller", strlen("caller")) == 0) { aflcc->instrument_opt_mode |= INSTRUMENT_OPT_CALLER; setenv("AFL_LLVM_CALLER", "1", 1); - } + aflcc->instrument_opt_mode |= (INSTRUMENT_OPT_CTX_K); + u8 *ptr4 = alloc_printf("%u", aflcc->ctx_k); + setenv("AFL_LLVM_CTX_K", ptr4, 1); if (strncasecmp(ptr2, "ngram", strlen("ngram")) == 0) { @@ -1180,11 +1158,11 @@ void mode_final_checkout(aflcc_state_t *aflcc, int argc, char **argv) { switch (aflcc->compiler_mode) { case GCC: - if (!aflcc->have_gcc) FATAL("afl-gcc not available on your platform!"); + if (!aflcc->have_gcc) FATAL("afl-gcc is not available on your platform!"); break; case CLANG: if (!aflcc->have_clang) - FATAL("afl-clang not available on your platform!"); + FATAL("afl-clang is not available on your platform!"); break; case LLVM: if (!aflcc->have_llvm) @@ -1226,7 +1204,8 @@ void mode_final_checkout(aflcc_state_t *aflcc, int argc, char **argv) { aflcc->instrument_mode = INSTRUMENT_CLANG; setenv(CLANG_ENV_VAR, "1", 1); // used by afl-as - } + aflcc->instrument_mode = INSTRUMENT_CLASSIC; + aflcc->compiler_mode = LLVM; } @@ -1286,7 +1265,7 @@ void mode_final_checkout(aflcc_state_t *aflcc, int argc, char **argv) { aflcc->instrument_mode = INSTRUMENT_AFL; #endif - } + if (!be_quiet) { if (!aflcc->instrument_opt_mode && aflcc->lto_mode && aflcc->instrument_mode == INSTRUMENT_CFG) { @@ -1311,7 +1290,7 @@ void mode_final_checkout(aflcc_state_t *aflcc, int argc, char **argv) { else aflcc->compiler_mode = LTO; - } + } else if (getenv("AFL_LLVM_SKIP_NEVERZERO") && getenv("AFL_LLVM_NOT_ZERO")) FATAL( 
@@ -1385,9 +1364,17 @@ void mode_notification(aflcc_state_t *aflcc) { "gcc-plugin and use afl-clang-fast/afl-clang-lto/afl-gcc-fast " "instead!"); - } + char *ptr2 = alloc_printf(" + NGRAM-%u", aflcc->ngram_size); + char *ptr3 = alloc_printf(" + K-CTX-%u", aflcc->ctx_k); -} + char *ptr1 = alloc_printf( + "%s%s%s%s%s", instrument_mode_2str(aflcc->instrument_mode), + (aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX) ? " + CTX" : "", + (aflcc->instrument_opt_mode & INSTRUMENT_OPT_CALLER) ? " + CALLER" : "", + (aflcc->instrument_opt_mode & INSTRUMENT_OPT_NGRAM) ? ptr2 : "", + (aflcc->instrument_opt_mode & INSTRUMENT_OPT_CTX_K) ? ptr3 : ""); + + } void add_real_argv0(aflcc_state_t *aflcc) { @@ -1447,7 +1434,7 @@ void add_real_argv0(aflcc_state_t *aflcc) { } - } + alt_cc = "clang"; aflcc->cc_params[0] = alt_cc; @@ -1583,6 +1570,8 @@ void add_defs_persistent_mode(aflcc_state_t *aflcc) { /* Control _FORTIFY_SOURCE */ void add_defs_fortify(aflcc_state_t *aflcc, u8 action) { + if (aflcc->have_fortify) { return; } + switch (action) { case 1: @@ -1597,7 +1586,9 @@ void add_defs_fortify(aflcc_state_t *aflcc, u8 action) { insert_param(aflcc, "-U_FORTIFY_SOURCE"); break; - } + case 2: + insert_param(aflcc, "-D_FORTIFY_SOURCE=2"); + break; } 
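Review bot: The new early return `if (aflcc->have_fortify) { return; }` in add_defs_fortify also covers action 0, the `-U_FORTIFY_SOURCE` path that the ASAN and MSAN branches of add_sanitizers call, so a user-supplied `-D_FORTIFY_SOURCE=…` now survives next to `-fsanitize=address` instead of being undefined as the previous code did, presumably because fortified libc wrappers interfere with the sanitizer. If the guard is only meant to avoid adding a second `-D_FORTIFY_SOURCE=2`, restrict it: `if (aflcc->have_fortify && action != 0) { return; }`. The file now keeps two overlapping flags for this, `fortify_set` (any `FORTIFY_SOURCE` substring) and `have_fortify` (`-D_FORTIFY_SOURCE` prefix); a comment on which one callers are expected to test would help. The switch continues past the hunk.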
@@ -1696,6 +1687,42 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { param_st final_ = PARAM_MISS; + if (strstr(cur_argv, "=address") || strstr(cur_argv, ",address")) { + + aflcc->have_asan = 1; + + } + + if (strstr(cur_argv, "=memory") || strstr(cur_argv, ",memory")) { + + aflcc->have_msan = 1; + + } + + if (strstr(cur_argv, "=undefined") || strstr(cur_argv, ",undefined")) { + + aflcc->have_ubsan = 1; + + } + + if (strstr(cur_argv, "=thread") || strstr(cur_argv, ",thread")) { + + aflcc->have_tsan = 1; + + } else { + + if (strstr(cur_argv, "=leak") || strstr(cur_argv, ",leak")) { + + aflcc->have_lsan = 1; + + } + + if (strstr(cur_argv, "=cfi") || strstr(cur_argv, ",cfi")) { + + aflcc->have_cfisan = 1; + + } + if (!strncmp(cur_argv, "-fsanitize-coverage-", 20) && strstr(cur_argv, "list=")) { @@ -1771,23 +1798,20 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { if (!be_quiet) { WARNF("Found '%s' - stripping!", cur_argv); } final_ = PARAM_DROP; - } + if (getenv("AFL_HARDEN")) + FATAL("ASAN and AFL_HARDEN are mutually exclusive"); - } + add_defs_fortify(aflcc, 0); + insert_param(aflcc, "-fsanitize=address"); - if (!strcmp(cur_argv, "-fsanitize=address") || - !strcmp(cur_argv, "-fsanitize=memory")) { + if (final_ == PARAM_MISS) { if (scan) { - // "-fsanitize=undefined,address" may be un-treated, but it's OK. - aflcc->asan_set = 1; final_ = PARAM_SCAN; } else { - // It's impossible that final_ is PARAM_DROP before, - // so no checks are needed here. final_ = PARAM_KEEP; } 
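Review bot: The new detection in parse_fsanitize uses bare substring tests (`strstr(cur_argv, "=address")`, `",address"` and the five siblings) without checking that the option is `-fsanitize=`, so — depending on what the caller routes here, which is outside the hunk — `-fsanitize-recover=address`, `-fsanitize-trap=undefined` or `-fno-sanitize=address` would set `have_asan`/`have_ubsan`, making add_sanitizers skip the real `-fsanitize=` flag while still applying its side effects (`-U_FORTIFY_SOURCE`, the AFL_HARDEN fatal). Wrap the six checks in `if (!strncmp(cur_argv, "-fsanitize=", 11)) { … }`, or reject `-fno-sanitize` first. As rendered, the `} else {` opened after the thread check is not closed by any of the 36 added lines, so the leak/cfi checks, and perhaps the `-fsanitize-coverage-` code that follows, end up nested inside it; please verify the brace structure against the file. The function continues past the hunk.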
@@ -1802,74 +1826,114 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { void add_sanitizers(aflcc_state_t *aflcc, char **envp) { - if (!aflcc->asan_set) { + if (getenv("AFL_USE_ASAN") || aflcc->have_asan) { - if (getenv("AFL_USE_ASAN")) { + if (getenv("AFL_USE_MSAN") || aflcc->have_msan) + FATAL("ASAN and MSAN are mutually exclusive"); - if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive"); + if (getenv("AFL_HARDEN")) + FATAL("ASAN and AFL_HARDEN are mutually exclusive"); - if (getenv("AFL_HARDEN")) - FATAL("ASAN and AFL_HARDEN are mutually exclusive"); + if (aflcc->compiler_mode == GCC_PLUGIN && !aflcc->have_staticasan) { - add_defs_fortify(aflcc, 0); - insert_param(aflcc, "-fsanitize=address"); + insert_param(aflcc, "-static-libasan"); - } else if (getenv("AFL_USE_MSAN")) { + } - if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive"); + add_defs_fortify(aflcc, 0); + if (!aflcc->have_asan) { insert_param(aflcc, "-fsanitize=address"); } + aflcc->have_asan = 1; - if (getenv("AFL_HARDEN")) - FATAL("MSAN and AFL_HARDEN are mutually exclusive"); + } else if (getenv("AFL_USE_MSAN") || aflcc->have_msan) { - add_defs_fortify(aflcc, 0); - insert_param(aflcc, "-fsanitize=memory"); + if (getenv("AFL_USE_ASAN") || aflcc->have_asan) + FATAL("ASAN and MSAN are mutually exclusive"); - } + if (getenv("AFL_HARDEN")) + FATAL("MSAN and AFL_HARDEN are mutually exclusive"); + + add_defs_fortify(aflcc, 0); + insert_param(aflcc, "-fsanitize=memory"); + aflcc->have_msan = 1; } - if (getenv("AFL_USE_UBSAN")) { + if (getenv("AFL_USE_UBSAN") || aflcc->have_ubsan) { + + if (!aflcc->have_ubsan) { + + insert_param(aflcc, "-fsanitize=undefined"); + insert_param(aflcc, "-fsanitize-undefined-trap-on-error"); + insert_param(aflcc, "-fno-sanitize-recover=all"); + + } + + if (!aflcc->have_fp) { + + insert_param(aflcc, "-fno-omit-frame-pointer"); + aflcc->have_fp = 1; - insert_param(aflcc, "-fsanitize=undefined"); - insert_param(aflcc, 
"-fsanitize-undefined-trap-on-error"); - insert_param(aflcc, "-fno-sanitize-recover=all"); - insert_param(aflcc, "-fno-omit-frame-pointer"); + } + + aflcc->have_ubsan = 1; } - if (getenv("AFL_USE_TSAN")) { + if (getenv("AFL_USE_TSAN") || aflcc->have_tsan) { + + if (!aflcc->have_fp) { - insert_param(aflcc, "-fsanitize=thread"); - insert_param(aflcc, "-fno-omit-frame-pointer"); + insert_param(aflcc, "-fno-omit-frame-pointer"); + aflcc->have_fp = 1; + + } + + if (!aflcc->have_tsan) { insert_param(aflcc, "-fsanitize=thread"); } + aflcc->have_tsan = 1; } - if (getenv("AFL_USE_LSAN")) { + if (getenv("AFL_USE_LSAN") && !aflcc->have_lsan) { insert_param(aflcc, "-fsanitize=leak"); add_defs_lsan_ctrl(aflcc); + aflcc->have_lsan = 1; } - if (getenv("AFL_USE_CFISAN")) { + if (getenv("AFL_USE_CFISAN") || aflcc->have_cfisan) { if (aflcc->compiler_mode == GCC_PLUGIN || aflcc->compiler_mode == GCC) { - insert_param(aflcc, "-fcf-protection=full"); + if (!aflcc->have_fcf) { insert_param(aflcc, "-fcf-protection=full"); } } else { - if (!aflcc->lto_mode) { + if (!aflcc->lto_mode && !aflcc->have_flto) { uint32_t i = 0, found = 0; - while (envp[i] != NULL && !found) + while (envp[i] != NULL && !found) { + if (strncmp("-flto", envp[i++], 5) == 0) found = 1; - if (!found) insert_param(aflcc, "-flto"); + + #endif +#endif + + if (!found) { insert_param(aflcc, "-flto"); } + aflcc->have_flto = 1; } - insert_param(aflcc, "-fsanitize=cfi"); - insert_param(aflcc, "-fvisibility=hidden"); + if (!aflcc->have_cfisan) { insert_param(aflcc, "-fsanitize=cfi"); } + + if (!aflcc->have_hidden) { + + insert_param(aflcc, "-fvisibility=hidden"); + aflcc->have_hidden = 1; + + if (aflcc->lto_mode && !strncmp(cur_argv, "-flto=thin", 10)) { + + aflcc->have_cfisan = 1; } 
@@ -2037,7 +2101,10 @@ param_st parse_linking_params(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan, final_ = PARAM_SCAN; - } else { + WARNF( + "'%s': multiple link options after '-Wl,' may enable report " + "unresolved symbol references and result in a bad link.", + ptr_); final_ = PARAM_DROP; 
@@ -2062,8 +2129,392 @@ param_st parse_linking_params(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan, } +} + +void add_lto_linker(aflcc_state_t *aflcc) { + + unsetenv("AFL_LD"); + unsetenv("AFL_LD_CALLER"); + + u8 *ld_path = NULL; + if (getenv("AFL_REAL_LD")) { + + ld_path = strdup(getenv("AFL_REAL_LD")); + + } else { + + ld_path = strdup(AFL_REAL_LD); + + } + + if (!ld_path || !*ld_path) { + + if (ld_path) { + + // Freeing empty string + free(ld_path); + + } + + ld_path = strdup("ld.lld"); + + } + + if (!ld_path) { PFATAL("Could not allocate mem for ld_path"); } +#if defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 12 + insert_param(aflcc, alloc_printf("--ld-path=%s", ld_path)); +#else + insert_param(aflcc, alloc_printf("-fuse-ld=%s", ld_path)); +#endif + free(ld_path); + +} + +void add_lto_passes(aflcc_state_t *aflcc) { + +#if defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 15 + // The NewPM implementation only works fully since LLVM 15. + insert_object(aflcc, "SanitizerCoverageLTO.so", "-Wl,--load-pass-plugin=%s", + 0); +#elif defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 13 + insert_param(aflcc, "-Wl,--lto-legacy-pass-manager"); + insert_object(aflcc, "SanitizerCoverageLTO.so", "-Wl,-mllvm=-load=%s", 0); +#else + insert_param(aflcc, "-fno-experimental-new-pass-manager"); + insert_object(aflcc, "SanitizerCoverageLTO.so", "-Wl,-mllvm=-load=%s", 0); +#endif + + insert_param(aflcc, "-Wl,--allow-multiple-definition"); + +} + +static void add_aflpplib(aflcc_state_t *aflcc) { + + if (!aflcc->need_aflpplib) return; + + u8 *afllib = find_object(aflcc, "libAFLDriver.a"); + + if (!be_quiet) { + + OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a"); + + } + + if (!afllib) { + + if (!be_quiet) { + + WARNF( + "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in " + "the flags - this will fail!"); + + } + + } else { + + insert_param(aflcc, afllib); + +#ifdef __APPLE__ + insert_param(aflcc, "-Wl,-undefined"); + insert_param(aflcc, "dynamic_lookup"); +#endif + + } + +} + 
+void add_runtime(aflcc_state_t *aflcc) { + + if (aflcc->preprocessor_only || aflcc->have_c || !aflcc->non_dash) { + + /* In the preprocessor_only case (-E), we are not actually compiling at + all but requesting the compiler to output preprocessed sources only. + We must not add the runtime in this case because the compiler will + simply output its binary content back on stdout, breaking any build + systems that rely on a separate source preprocessing step. */ + return; + + } + + if (aflcc->compiler_mode != GCC_PLUGIN && aflcc->compiler_mode != GCC && + !getenv("AFL_LLVM_NO_RPATH")) { + + // in case LLVM is installed not via a package manager or "make install" + // e.g. compiled download or compiled from github then its ./lib directory + // might not be in the search path. Add it if so. + const char *libdir = LLVM_LIBDIR; + if (aflcc->plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && + strncmp(libdir, "/lib", 4)) { + + u8 *libdir_opt = strdup("-Wl,-rpath=" LLVM_LIBDIR); + insert_param(aflcc, libdir_opt); + + } + + } + +#ifndef __ANDROID__ + + #define M32_ERR_MSG "-m32 is not supported by your compiler" + #define M64_ERR_MSG "-m64 is not supported by your compiler" + + if (aflcc->compiler_mode != GCC && aflcc->compiler_mode != CLANG) { + + switch (aflcc->bit_mode) { + + case 0: + if (!aflcc->shared_linking && !aflcc->partial_linking) + insert_object(aflcc, "afl-compiler-rt.o", 0, 0); + if (aflcc->lto_mode) insert_object(aflcc, "afl-llvm-rt-lto.o", 0, 0); + break; + + case 32: + if (!aflcc->shared_linking && !aflcc->partial_linking) + insert_object(aflcc, "afl-compiler-rt-32.o", 0, M32_ERR_MSG); + if (aflcc->lto_mode) + insert_object(aflcc, "afl-llvm-rt-lto-32.o", 0, M32_ERR_MSG); + break; + + case 64: + if (!aflcc->shared_linking && !aflcc->partial_linking) + insert_object(aflcc, "afl-compiler-rt-64.o", 0, M64_ERR_MSG); + if (aflcc->lto_mode) + insert_object(aflcc, "afl-llvm-rt-lto-64.o", 0, M64_ERR_MSG); + break; + + } + + #if !defined(__APPLE__) && 
!defined(__sun) + if (!aflcc->shared_linking && !aflcc->partial_linking) + insert_object(aflcc, "dynamic_list.txt", "-Wl,--dynamic-list=%s", 0); + #endif + + #if defined(__APPLE__) + if (aflcc->shared_linking || aflcc->partial_linking) { + + insert_param(aflcc, "-Wl,-U"); + insert_param(aflcc, "-Wl,___afl_area_ptr"); + insert_param(aflcc, "-Wl,-U"); + insert_param(aflcc, "-Wl,___sanitizer_cov_trace_pc_guard_init"); + + } + + #endif + } +#endif + + add_aflpplib(aflcc); + +#if defined(USEMMAP) && !defined(__HAIKU__) && !__APPLE__ + insert_param(aflcc, "-Wl,-lrt"); +#endif + +} + +/* Misc */ + +void add_assembler(aflcc_state_t *aflcc) { + + u8 *afl_as = find_object(aflcc, "as"); + + if (!afl_as) FATAL("Cannot find 'as' (symlink to 'afl-as')."); + + u8 *slash = strrchr(afl_as, '/'); + if (slash) *slash = 0; + + insert_param(aflcc, "-B"); + insert_param(aflcc, afl_as); + + if (aflcc->compiler_mode == CLANG) insert_param(aflcc, "-no-integrated-as"); + +} + +void add_gcc_plugin(aflcc_state_t *aflcc) { + + if (aflcc->cmplog_mode) { + + insert_object(aflcc, "afl-gcc-cmplog-pass.so", "-fplugin=%s", 0); + insert_object(aflcc, "afl-gcc-cmptrs-pass.so", "-fplugin=%s", 0); + + } + + insert_object(aflcc, "afl-gcc-pass.so", "-fplugin=%s", 0); + + insert_param(aflcc, "-fno-if-conversion"); + insert_param(aflcc, "-fno-if-conversion2"); + +} + +void add_misc_params(aflcc_state_t *aflcc) { + + if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") || + getenv("AFL_LLVM_LAF_ALL") || getenv("AFL_LLVM_CMPLOG") || + aflcc->lto_mode) { + + insert_param(aflcc, "-fno-builtin-strcmp"); + insert_param(aflcc, "-fno-builtin-strncmp"); + insert_param(aflcc, "-fno-builtin-strcasecmp"); + insert_param(aflcc, "-fno-builtin-strncasecmp"); + insert_param(aflcc, "-fno-builtin-memcmp"); + insert_param(aflcc, "-fno-builtin-bcmp"); + insert_param(aflcc, "-fno-builtin-strstr"); + insert_param(aflcc, "-fno-builtin-strcasestr"); + + } + + if (!aflcc->have_pic) { insert_param(aflcc, 
"-fPIC"); } + + if (getenv("AFL_HARDEN")) { + + insert_param(aflcc, "-fstack-protector-all"); + + if (!aflcc->fortify_set) add_defs_fortify(aflcc, 2); + + } + + if (!getenv("AFL_DONT_OPTIMIZE")) { + + insert_param(aflcc, "-g"); + if (!aflcc->have_o) insert_param(aflcc, "-O3"); + if (!aflcc->have_unroll) insert_param(aflcc, "-funroll-loops"); + // if (strlen(aflcc->march_opt) > 1 && aflcc->march_opt[0] == '-') + // insert_param(aflcc, aflcc->march_opt); + + } + + if (aflcc->x_set) { + + insert_param(aflcc, "-x"); + insert_param(aflcc, "none"); + + } + +} + +param_st parse_misc_params(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { + + param_st final_ = PARAM_MISS; + +// MACRO START +#define SCAN_KEEP(dst, src) \ + do { \ + \ + if (scan) { \ + \ + dst = src; \ + final_ = PARAM_SCAN; \ + \ + } else { \ + \ + final_ = PARAM_KEEP; \ + \ + } \ + \ + } while (0) + + // MACRO END + + if (!strncasecmp(cur_argv, "-fpic", 5)) { + + SCAN_KEEP(aflcc->have_pic, 1); + + } else if (!strcmp(cur_argv, "-m32") || + + !strcmp(cur_argv, "armv7a-linux-androideabi")) { + + SCAN_KEEP(aflcc->bit_mode, 32); + + } else if (!strcmp(cur_argv, "-m64")) { + + SCAN_KEEP(aflcc->bit_mode, 64); + + } else if (strstr(cur_argv, "FORTIFY_SOURCE")) { + + SCAN_KEEP(aflcc->fortify_set, 1); + + } else if (!strcmp(cur_argv, "-x")) { + + SCAN_KEEP(aflcc->x_set, 1); + + } else if (!strcmp(cur_argv, "-E")) { + + SCAN_KEEP(aflcc->preprocessor_only, 1); + + } else if (!strcmp(cur_argv, "--target=wasm32-wasi")) { + + SCAN_KEEP(aflcc->passthrough, 1); + + } else if (!strcmp(cur_argv, "-c")) { + + SCAN_KEEP(aflcc->have_c, 1); + + } else if (!strncmp(cur_argv, "-O", 2)) { + + SCAN_KEEP(aflcc->have_o, 1); + + } else if (!strncmp(cur_argv, "-funroll-loop", 13)) { + + SCAN_KEEP(aflcc->have_unroll, 1); + + } else if (!strncmp(cur_argv, "--afl", 5)) { + + if (scan) + final_ = PARAM_SCAN; + else + final_ = PARAM_DROP; + + } else if (!strncmp(cur_argv, "-fno-unroll", 11)) { + + if (scan) + final_ = PARAM_SCAN; + else + 
final_ = PARAM_DROP; + + } else if (!strcmp(cur_argv, "-pipe") && aflcc->compiler_mode == GCC_PLUGIN) { + + if (scan) + final_ = PARAM_SCAN; + else + final_ = PARAM_DROP; + + } else if (!strncmp(cur_argv, "-stdlib=", 8) && + + (aflcc->compiler_mode == GCC || + aflcc->compiler_mode == GCC_PLUGIN)) { + + if (scan) { + + final_ = PARAM_SCAN; + + } else { + + if (!be_quiet) WARNF("Found '%s' - stripping!", cur_argv); + final_ = PARAM_DROP; + + } + + } else if (cur_argv[0] != '-') { + + /* It's a weak, loose pattern, with very different purpose + than others. We handle it at last, cautiously and robustly. */ + + if (scan && cur_argv[0] != '@') // response file support + aflcc->non_dash = 1; + + } + +#undef SCAN_KEEP + + if (final_ == PARAM_KEEP) insert_param(aflcc, cur_argv); + + return final_; + +} + +static void maybe_usage(aflcc_state_t *aflcc, int argc, char **argv) { + // Try to warn user for some unsupported cases if (scan && final_ == PARAM_MISS) { @@ -2447,6 +2898,32 @@ param_st parse_misc_params(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) { SCAN_KEEP(aflcc->have_c, 1); + } else if (!strcmp(cur_argv, "-static-libasan")) { + + SCAN_KEEP(aflcc->have_staticasan, 1); + + } else if (!strcmp(cur_argv, "-fno-omit-frame-pointer")) { + + SCAN_KEEP(aflcc->have_fp, 1); + + } else if (!strcmp(cur_argv, "-fvisibility=hidden")) { + + SCAN_KEEP(aflcc->have_hidden, 1); + + } else if (!strcmp(cur_argv, "-flto") || !strcmp(cur_argv, "-flto=full")) { + + SCAN_KEEP(aflcc->have_flto, 1); + + } else if (!strncmp(cur_argv, "-D_FORTIFY_SOURCE", + + strlen("-D_FORTIFY_SOURCE"))) { + + SCAN_KEEP(aflcc->have_fortify, 1); + + } else if (!strncmp(cur_argv, "-fcf-protection", strlen("-fcf-protection"))) { + + SCAN_KEEP(aflcc->have_cfisan, 1); + } else if (!strncmp(cur_argv, "-O", 2)) { SCAN_KEEP(aflcc->have_o, 1); 
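Review bot: In add_runtime the `-Wl,-rpath=` option is only added when `aflcc->plusplus_mode` is set; the comment above it explains why LLVM's lib directory may be missing from the search path but not why plain C compilations are excluded, so either add a why-comment or drop the condition, and the `strdup("-Wl,-rpath=" LLVM_LIBDIR)` could use the `libdir` variable computed just above instead of re-expanding the macro. The new functions add_lto_linker, add_lto_passes, add_aflpplib, add_runtime, add_assembler, add_gcc_plugin, add_misc_params and parse_misc_params have no header comments; one line each stating what they append to `cc_params` and which `have_*`/mode fields they consult would make the new pipeline readable (e.g. for add_lto_linker: `/* Pick the LTO linker: AFL_REAL_LD from the environment, else the build-time AFL_REAL_LD, else ld.lld. */`). `#if defined(USEMMAP) && !defined(__HAIKU__) && !__APPLE__` mixes `defined()` with a bare macro test; `!defined(__APPLE__)` is the conventional form.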
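Review bot: `have_flto` is set only for `-flto` and `-flto=full`, so `-flto=thin` on the command line leaves it clear and the CFISAN path in add_sanitizers (`!aflcc->lto_mode && !aflcc->have_flto`) appends a second `-flto`, silently turning the user's thin LTO into full LTO; if thin LTO is acceptable for that path, `} else if (!strncmp(cur_argv, "-flto", 5)) {` covers all variants. If full LTO is required there, a comment on the arm saying so would stop the next reader from "fixing" it. The arm list continues outside the hunk.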
@@ -2538,11 +3015,11 @@ static void maybe_usage(aflcc_state_t *aflcc, int argc, char **argv) { "MODES: NCC PERSIST DICT LAF " "CMPLOG SELECT\n" " [LLVM] LLVM: %s%s\n" - " PCGUARD %s yes yes module yes yes " + " PCGUARD %s yes yes module yes yes " "yes\n" - " NATIVE AVAILABLE no yes no no " + " NATIVE AVAILABLE no yes no no " "part. yes\n" - " CLASSIC %s no yes module yes yes " + " CLASSIC %s no yes module yes yes " "yes\n" " - NORMAL\n" " - CALLER\n" @@ -2958,14 +3435,6 @@ static void process_params(aflcc_state_t *aflcc, u8 scan, u32 argc, free(tmpbuf); - continue; - - } - - if (!scan) insert_param(aflcc, cur); - - } - } /* Copy argv to cc_params, making the necessary edits. */ @@ -3141,6 +3610,56 @@ int main(int argc, char **argv, char **envp) { if (aflcc->debug) debugf_args((s32)aflcc->cc_par_cnt, (char **)aflcc->cc_params); + /* Inspect the command line parameters. */ + + process_params(aflcc, 0, argc, argv); + + add_sanitizers(aflcc, envp); + + add_misc_params(aflcc); + + add_defs_common(aflcc); + add_defs_selective_instr(aflcc); + add_defs_persistent_mode(aflcc); + + add_runtime(aflcc); + + insert_param(aflcc, NULL); + +} + +/* Main entry point */ + +int main(int argc, char **argv, char **envp) { + + aflcc_state_t *aflcc = malloc(sizeof(aflcc_state_t)); + aflcc_state_init(aflcc, (u8 *)argv[0]); + + check_environment_vars(envp); + + find_built_deps(aflcc); + + compiler_mode_by_callname(aflcc); + compiler_mode_by_environ(aflcc); + compiler_mode_by_cmdline(aflcc, argc, argv); + + instrument_mode_by_environ(aflcc); + + mode_final_checkout(aflcc, argc, argv); + + process_params(aflcc, 1, argc, argv); + + maybe_usage(aflcc, argc, argv); + + mode_notification(aflcc); + + if (aflcc->debug) debugf_args(argc, argv); + + edit_params(aflcc, argc, argv, envp); + + if (aflcc->debug) + debugf_args((s32)aflcc->cc_par_cnt, (char **)aflcc->cc_params); + if (aflcc->passthrough) { argv[0] = aflcc->cc_params[0]; 
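Review bot: In the new main, `aflcc_state_t *aflcc = malloc(sizeof(aflcc_state_t));` is not checked before aflcc_state_init dereferences it; the file already uses PFATAL for this situation (add_lto_linker), so `if (!aflcc) { PFATAL("malloc"); }` keeps the style. The process_params hunk (`@@ -2958`) only shows the removed `if (!scan) insert_param(aflcc, cur);` fallthrough, and what now forwards an argument matched by none of the parse_* functions is not visible here; a comment at the end of that loop naming where the pass-through happens would help the next reader. main continues past the hunk.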
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2d5787e8..5aec072e 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -165,7 +165,7 @@ static void usage(u8 *argv0, int more_help) { "\n" "Mutator settings:\n" - " -a - target input format, \"text\" or \"binary\" (default: " + " -a type - target input format, \"text\" or \"binary\" (default: " "generic)\n" " -g minlength - set min length of generated fuzz input (default: 1)\n" " -G maxlength - set max length of generated fuzz input (default: " diff --git a/test/test-basic.sh b/test/test-basic.sh index 61ad4b7c..7005d3ce 100755 --- a/test/test-basic.sh +++ b/test/test-basic.sh @@ -2,6 +2,7 @@ . ./test-pre.sh +OS=$(uname -s) AFL_GCC=afl-gcc $ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" @@ -61,7 +62,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } # now we want to be sure that afl-fuzz is working # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$OS" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" true }) || { 
@@ -84,16 +85,20 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } echo 000000000000000000000000 > in/in2 echo 111 > in/in3 - mkdir -p in2 - ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? - CNT=`ls in2/* 2>/dev/null | wc -l` - case "$CNT" in - *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; - *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 - ;; - esac - rm -f in2/in* + test "$OS" = "Darwin" && { + $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin" + } || { + mkdir -p in2 + ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? + CNT=`ls in2/* 2>/dev/null | wc -l` + case "$CNT" in + *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; + *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + ;; + esac + rm -f in2/in* + } export AFL_QUIET=1 if command -v bash >/dev/null ; then { ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null @@ -182,7 +187,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } # now we want to be sure that afl-fuzz is working # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$OS" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" true }) || { 
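Review bot: The new macOS guard is written as `test "$OS" = "Darwin" && { …; } || { …; }`, which is the and-or anti-pattern: if `$ECHO` in the first group ever returns non-zero, the afl-cmin block runs on macOS anyway, exactly what the guard is meant to prevent. An `if test "$OS" = "Darwin"; then …; else …; fi` expresses the intent without that hole; the same shape is used in the second test-basic.sh hunk (`@@ -204`) and in the test-llvm.sh hunk (`@@ -146`). The surrounding `test "$SYS" = … || {` block starts outside the hunk.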
@@ -204,25 +209,29 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } } echo 000000000000000000000000 > in/in2 - echo AAA > in/in3 - mkdir -p in2 - ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? - CNT=`ls in2/* 2>/dev/null | wc -l` - case "$CNT" in - *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; - \ *1|1) { # allow leading whitecase for portability - test -s in2/* && $ECHO "$YELLOW[?] afl-cmin did minimize to one testcase. This can be a bug or due compiler optimization." - test -s in2/* || { - $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 + echo AAA > in/in2 + test "$OS" = "Darwin" && { + $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin" + } || { + mkdir -p in2 + ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? + CNT=`ls in2/* 2>/dev/null | wc -l` + case "$CNT" in + *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; + \ *1|1) { # allow leading whitecase for portability + test -s in2/* && $ECHO "$YELLOW[?] afl-cmin did minimize to one testcase. This can be a bug or due compiler optimization." + test -s in2/* || { + $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + } } - } - ;; - *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 - ;; - esac - rm -f in2/in* + ;; + *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + ;; + esac + rm -f in2/in* + } export AFL_QUIET=1 if command -v bash >/dev/null ; then { ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null diff --git a/test/test-compilers.sh b/test/test-compilers.sh new file mode 100755 index 00000000..b47cf38d --- /dev/null +++ b/test/test-compilers.sh 
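Review bot: `echo AAA > in/in3` became `echo AAA > in/in2`, which overwrites the `000…` seed written on the line just above and no longer creates in/in3; the corpus handed to afl-cmin here is therefore smaller than in the first hunk of this file, which still writes in/in3, while the `*2)` arm still expects two outputs. If the intent was to keep the previous input set, restore `echo AAA > in/in3`; if feeding one fewer seed is deliberate, a comment saying why would stop it from being reverted as a typo.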
@@ -0,0 +1,7 @@ +#!/bin/sh +echo Testing compilers ... +for cc in afl-cc afl-gcc afl-clang afl-clang-fast afl-clang-lto afl-gcc-fast; do + test -e ../$cc && { { ../$cc -o t ../test-instr.c >/dev/null 2<&1 && echo Success: $cc ; } || echo Failing: $cc ; } || echo Missing: $cc +done +rm -f t +echo Done! diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 95e43b1c..53bbd7b4 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -2,6 +2,8 @@ . ./test-pre.sh +OS=$(uname -s) + $ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 @@ -123,7 +125,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } # now we want to be sure that afl-fuzz is working # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$OS" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" CODE=1 true 
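Review bot: `2<&1` in the compile command of test-compilers.sh is almost certainly meant to be `2>&1`; bash duplicates fd 1 onto fd 2 either way, but the `<` form reads as an input redirection and will mislead the next reader. The script also leaves `$cc` unquoted and uses the `test … && { … } || echo Missing` and-or pattern; with the fixed names in the loop this is harmless, but `"../$cc"` and an `if`/`elif` chain would match the other test scripts and not mis-report "Missing" when the inner group fails. The file is new, so nothing runs it yet as far as this diff shows; note that `t` is written to the current directory and removed only at the end.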
@@ -146,18 +148,22 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } } test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" || { + mkdir -p in2 echo 000000000000000000000000 > in/in2 echo 111 > in/in3 - mkdir -p in2 - ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? - CNT=`ls in2/* 2>/dev/null | wc -l` - case "$CNT" in - *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; - *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 - ;; - esac - rm -f in2/in* + test "$OS" = "Darwin" && { + $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin" + } || { + ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? + CNT=`ls in2/* 2>/dev/null | wc -l` + case "$CNT" in + *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; + *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + ;; + esac + rm -f in2/in* + } export AFL_QUIET=1 if type bash >/dev/null ; then { ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null |