-rw-r--r-- | Makefile | 11 | ||||
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | qemu_mode/README.md | 8 | ||||
-rwxr-xr-x | qemu_mode/build_qemu_support.sh | 35 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 4 | ||||
-rw-r--r-- | src/afl-fuzz-run.c | 11 |
6 files changed, 65 insertions, 10 deletions
diff --git a/Makefile b/Makefile index 3a056a73..802e7bc8 100644 --- a/Makefile +++ b/Makefile @@ -70,6 +70,15 @@ else PYFLAGS= endif +ifdef STATIC + $(info Compiling static version of binaries) + # Disable python for static compilation to simplify things + PYTHON_OK=0 + PYFLAGS= + + CFLAGS += -static + LDFLAGS += -lm -lrt -lpthread -lz -lutil +endif ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1" SHMAT_OK=1 @@ -175,7 +184,7 @@ src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h $(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS) $(PYFLAGS) + $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS) afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS) diff --git a/README.md b/README.md index cfcdb860..f818e271 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,12 @@ These build options exist: * clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well * help: shows these build options +You can also build statically linked versions of the afl++ binaries by passing the STATIC=1 argument to make: + +```shell +$ make all STATIC=1 +``` + ## 1) Challenges of guided fuzzing diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 81e91854..81904cf1 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md 
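Review bot: `ifdef STATIC` is true for any non-empty value, so `make STATIC=0` also produces a static build even though README.md in this same commit documents `STATIC=1`; matching the check to the documented form, `ifeq "$(STATIC)" "1"`, makes the two agree (the same ifeq-string style is already used a few lines down for SHMAT_OK). The `$(info ...)` line could also say that Python support is being dropped, since `PYTHON_OK=0` does that silently: `$(info Compiling static version of binaries, Python support disabled)`. The hard-coded `-lm -lrt -lpthread -lz -lutil` list presumably mirrors what the shared build picks up indirectly; a one-line comment naming where it comes from would help the next person who has to extend it.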
@@ -38,7 +38,13 @@ to 200 MB when specifying -Q to afl-fuzz; be careful when overriding this. In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh, you should get a build capable of running non-native binaries (say, you can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries -on a 64-bit system (CPU_TARGET=i386). +on a 64-bit system (CPU_TARGET=i386). If you're trying to run QEMU on a +different architecture you can also set HOST to the cross-compiler prefix +to use (for example HOST=arm-linux-gnueabi to use arm-linux-gnueabi-gcc). + +You can also compile statically-linked binaries by setting STATIC=1. This +can be useful when compiling QEMU on a different system than the one you're +planning to run the fuzzer on and is most often used with the HOST variable. Note: if you want the QEMU helper to be installed on your system for all users, you need to build it before issuing 'make install' in the parent diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 02379eb2..b05b3abb 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -125,6 +125,13 @@ tar xf "$ARCHIVE" || exit 1 echo "[+] Unpacking successful." +if [ -n "$HOST" ]; then + echo "[+] Configuring host architecture to $HOST..." + CROSS_PREFIX=$HOST- +else + CROSS_PREFIX= +fi + echo "[*] Configuring QEMU for $CPU_TARGET..." ORIG_CPU_TARGET="$CPU_TARGET" 
@@ -145,12 +152,30 @@ patch -p1 <../patches/i386-translate.diff || exit 1 echo "[+] Patching done." -# --enable-pie seems to give a couple of exec's a second performance -# improvement, much to my surprise. Not sure how universal this is.. +if [ "$STATIC" -eq "1" ]; then + + CFLAGS="-O3 -ggdb" ./configure --disable-bsd-user --disable-guest-agent --disable-strip --disable-werror \ + --disable-gcrypt --disable-debug-info --disable-debug-tcg --enable-docs --disable-tcg-interpreter \ + --enable-attr --disable-brlapi --disable-linux-aio --disable-bzip2 --disable-bluez --disable-cap-ng \ + --disable-curl --disable-fdt --disable-glusterfs --disable-gnutls --disable-nettle --disable-gtk \ + --disable-rdma --disable-libiscsi --disable-vnc-jpeg --enable-kvm --disable-lzo --disable-curses \ + --disable-libnfs --disable-numa --disable-opengl --disable-vnc-png --disable-rbd --disable-vnc-sasl \ + --disable-sdl --disable-seccomp --disable-smartcard --disable-snappy --disable-spice --disable-libssh2 \ + --disable-libusb --disable-usb-redir --disable-vde --disable-vhost-net --disable-virglrenderer \ + --disable-virtfs --disable-vnc --disable-vte --disable-xen --disable-xen-pci-passthrough --disable-xfsctl \ + --enable-linux-user --disable-system --disable-blobs --disable-tools \ + --target-list="${CPU_TARGET}-linux-user" --static --disable-pie --cross-prefix=$CROSS_PREFIX || exit 1 -CFLAGS="-O3 -ggdb" ./configure --disable-system \ - --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \ - --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1 +else + + # --enable-pie seems to give a couple of exec's a second performance + # improvement, much to my surprise. Not sure how universal this is.. + + CFLAGS="-O3 -ggdb" ./configure --disable-system \ + --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \ + --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm $CROSS_PREFIX || exit 1 + +fi echo "[+] Configuration complete." 
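Review bot: In the else branch the cross-compiler prefix is appended to the configure call as a bare word, `--enable-kvm $CROSS_PREFIX || exit 1`, instead of as `--cross-prefix=...` as in the static branch, so setting HOST without STATIC=1 likely makes configure reject an unknown argument or ignore the prefix; it should read `--target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm --cross-prefix="$CROSS_PREFIX" || exit 1`. The guard `[ "$STATIC" -eq "1" ]` also prints an "integer expression expected" error when STATIC is unset, which is the default case; `if [ "${STATIC:-0}" = "1" ]; then` avoids that. Quoting `--cross-prefix="$CROSS_PREFIX"` in the static branch as well keeps both calls consistent.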
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index aa413e2e..de16f901 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -738,10 +738,10 @@ void find_timeout(void) { (void)i; /* Ignore errors */ close(fd); - off = strstr(tmp, "exec_timeout : "); + off = strstr(tmp, "exec_timeout : "); if (!off) return; - ret = atoi(off + 17); + ret = atoi(off + 20); if (ret <= 4) return; exec_tmout = ret; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 220433fc..c0fa928e 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -178,7 +178,16 @@ u8 run_target(char** argv, u32 timeout) { if ((res = read(fsrv_st_fd, &status, 4)) != 4) { if (stop_soon) return 0; - RPFATAL(res, "Unable to communicate with fork server (OOM?)"); + SAYF("\n" cLRD "[-] " cRST + "Unable to communicate with fork server. Some possible reasons:\n\n" + " - You've run out of memory. Use -m to increase the the memory limit\n" + " to something higher than %lld.\n" + " - The binary or one of the libraries it uses manages to create\n" + " threads before the forkserver initializes.\n" + " - The binary, at least in some circumstances, exits in a way that\n" + " also kills the parent process - raise() could be the culprit.\n\n" + "If all else fails you can disable the fork server via AFL_NO_FORKSRV=1.\n", mem_limit); + RPFATAL(res, "Unable to communicate with fork server"); } |
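Review bot: `ret = atoi(off + 20)` hard-codes the length of the literal searched for on the line above, which is exactly the coupling this commit had to repair (17 to 20); deriving the offset from the literal removes it: `static const char key[] = "exec_timeout : ";` (with whatever spacing the new line actually uses; the collapsed view here does not preserve it), `off = strstr(tmp, key);`, `ret = atoi(off + sizeof key - 1);`. atoi also gives no way to distinguish a missing or malformed number from 0; the existing `ret <= 4` guard covers that case, so a comment such as `/* atoi returns 0 on garbage; rejected by the <= 4 check below */` would record why that is acceptable. find_timeout starts outside the hunk, so whether tmp is NUL-terminated before strstr runs cannot be confirmed from here.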
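Review bot: The new user-facing text has a doubled word, `increase the the memory limit`, which should read `increase the memory limit`. The `%lld` conversion prints mem_limit as a signed value; if mem_limit is an unsigned 64-bit type (not visible in this hunk, so worth confirming) the matching specifier is `%llu`, and -Wformat would flag the mismatch. When mem_limit is 0, meaning no limit, the sentence "something higher than 0" is also misleading; consider printing that hint only when the limit is non-zero. The enclosing run_target continues outside the hunk.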