diff options
27 files changed, 161 insertions, 56 deletions
diff --git a/CITATION.cff b/CITATION.cff index efd6cad8..37a4a174 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -11,12 +11,12 @@ authors: family-names: Fioraldi email: andreafioraldi@gmail.com - given-names: Dominik - family-names: Meier + family-names: Maier email: mail@dmnk.co title: "AFL++" -version: 3.14 +version: 4.00c type: software -date-released: 2021-07-19 +date-released: 2022-01-26 url: "https://github.com/AFLplusplus/AFLplusplus" keywords: - fuzzing diff --git a/GNUmakefile b/GNUmakefile index d31c52da..8b09c51a 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -145,7 +145,7 @@ else CFLAGS ?= -O2 $(CFLAGS_OPT) # -funroll-loops is slower on modern compilers endif -override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \ +override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith \ -fPIC -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" # -fstack-protector @@ -373,6 +373,7 @@ help: @echo INTROSPECTION - compile afl-fuzz with mutation introspection @echo NO_PYTHON - disable python support @echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing + @echo NO_NYX - disable building nyx mode dependencies @echo AFL_NO_X86 - if compiling on non-intel/amd platforms @echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)" @echo "==========================================" @@ -625,8 +626,10 @@ ifeq "$(ARCH)" "aarch64" -$(MAKE) -C coresight_mode endif ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh endif +endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh endif @@ -645,8 +648,10 @@ ifeq "$(ARCH)" "aarch64" -$(MAKE) -C coresight_mode endif ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh endif +endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh endif @@ -661,8 +666,10 @@ endif -$(MAKE) -C utils/libtokencap # -$(MAKE) -C utils/plot_ui ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh endif +endif %.8: % @echo .TH $* 8 $(BUILD_DATE) "afl++" > $@ diff --git a/afl-cmin b/afl-cmin index 879aead2..853c9398 100755 --- a/afl-cmin +++ b/afl-cmin @@ -217,7 +217,7 @@ BEGIN { for (; Optind < ARGC; Optind++) { prog_args[i++] = ARGV[Optind] if (i > 1) - prog_args_string = prog_args_string" "ARGV[Optind] + prog_args_string = prog_args_string" '"ARGV[Optind]"'" } # sanity checks diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION index 93f9321c..2568c6a5 100644 --- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION +++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION @@ -1 +1 @@ -cbe5e32 +ff4e5a2 diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator -Subproject cbe5e32752773945e0142fac9f1b7a0ccb5dcdf +Subproject ff4e5a265daf5d88c4a636fb6a2c22b1d733db0 diff --git a/custom_mutators/symcc/README.md b/custom_mutators/symcc/README.md index 337362ae..364a348e 100644 --- a/custom_mutators/symcc/README.md +++ b/custom_mutators/symcc/README.md @@ -1,6 +1,9 @@ # custum mutator: symcc -This uses the excellent symcc to find new paths into the target. +This uses the symcc to find new paths into the target. + +Note that this is a just a proof of concept example! It is better to use +the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this. To use this custom mutator follow the steps in the symcc repository [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) diff --git a/docs/Changelog.md b/docs/Changelog.md index d50a679b..a841cca3 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -20,15 +20,20 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent mode and manual forkserver support if these are not in the target binary (e.g. are in a shared library) - - add AFL_EARY_FORKSERVER to install the forkserver as earliest as + - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - "saved timeouts" was wrong information, timeouts are still thrown + away by default even if they have new coverage (hangs are always + kept), unless AFL_KEEP_TIMEOUTS are set - document and auto-activate pizza mode on condition - afl-cc: - converted all passed to use the new llvm pass manager for llvm 11+ - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only) - frida_mode: - update to new frida release, handles now c++ throw/catch + - unicorn_mode: + - update unicorn engine, fix C example ### Version ++4.00c (release) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 3fa7fd13..01343b7f 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -21,8 +21,8 @@ is to build and install everything: ```shell sudo apt-get update sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools -# try to install llvm 11 and install the distro default if that fails -sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang +# try to install llvm 12 and install the distro default if that fails +sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev sudo apt-get install -y ninja-build # for QEMU mode git clone https://github.com/AFLplusplus/AFLplusplus @@ -80,6 +80,7 @@ These build options exist: * NO_PYTHON - disable python support * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing +* NO_NYX - disable building nyx mode dependencies * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian) @@ -178,4 +179,4 @@ sysctl kern.sysv.shmall=98304 See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) -for documentation for these settings and how to make them permanent. \ No newline at end of file +for documentation for these settings and how to make them permanent. diff --git a/docs/env_variables.md b/docs/env_variables.md index 9ffb08e7..fe9c6e07 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! + - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach + new coverage + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which does not allow crashes or timeout seeds in the initial -i corpus. diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index cff00f77..2c27dfe1 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -333,6 +333,9 @@ is a non-standard way to set this, otherwise set up the build normally and edit the generated build environment afterwards manually to point it to the right compiler (and/or `RANLIB` and `AR`). +In complex, weird, alien build systems you can try this neat project: +[https://github.com/fuzzah/exeptor](https://github.com/fuzzah/exeptor) + #### Linker scripts If the project uses linker scripts to hide the symbols exported by the @@ -911,16 +914,17 @@ normal fuzzing campaigns as these are much shorter runnings. * Keep the generated corpus, use afl-cmin and reuse it every time! 2. Additionally randomize the AFL++ compilation options, e.g.: - * 40% for `AFL_LLVM_CMPLOG` - * 10% for `AFL_LLVM_LAF_ALL` + * 30% for `AFL_LLVM_CMPLOG` + * 5% for `AFL_LLVM_LAF_ALL` 3. Also randomize the afl-fuzz runtime options, e.g.: * 65% for `AFL_DISABLE_TRIM` + * 50% for `AFL_KEEP_TIMEOUTS` * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` * 40% use MOpt (`-L 0`) * 40% for `AFL_EXPAND_HAVOC_NOW` * 20% for old queue processing (`-Z`) - * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3` + * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT` 4. Do *not* run any `-M` modes, just running `-S` modes is better for CI fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index e6251cb4..2bc8f8aa 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -18,8 +18,8 @@ #if defined(__aarch64__) -gboolean instrument_cache_enabled = FALSE; -gsize instrument_cache_size = 0; +gboolean instrument_cache_enabled = FALSE; +gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; __attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index d54c8353..f02c971e 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; - /* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ + /* guint64 area_offset = + * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ if (instrument_previous_pc_addr == NULL) { GumAddressSpec spec = {.near_address = cw->code, diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4f4d63b2..8bb61e22 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -385,7 +385,7 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, - afl_pizza_mode; + afl_keep_timeouts, afl_pizza_mode; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/debug.h b/include/debug.h index 31ebd0f2..e2ee16a8 100644 --- a/include/debug.h +++ b/include/debug.h @@ -355,20 +355,39 @@ static inline const char *colorfilter(const char *x) { /* Error-checking versions of read() and write() that call RPFATAL() as appropriate. */ -#define ck_write(fd, buf, len, fn) \ - do { \ - \ - int _fd = (fd); \ - \ - s32 _len = (s32)(len); \ - s32 _res = write(_fd, (buf), _len); \ - if (_res != _len) { \ - \ - RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \ - _res, _len); \ - \ - } \ - \ +#define ck_write(fd, buf, len, fn) \ + do { \ + \ + if (len <= 0) break; \ + int _fd = (fd); \ + s32 _written = 0, _off = 0, _len = (s32)(len); \ + \ + do { \ + \ + s32 _res = write(_fd, (buf) + _off, _len); \ + if (_res != _len && (_res > 0 && _written + _res != _len)) { \ + \ + if (_res > 0) { \ + \ + _written += _res; \ + _len -= _res; \ + _off += _res; \ + \ + } else { \ + \ + RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \ + _res, _len); \ + \ + } \ + \ + } else { \ + \ + break; \ + \ + } \ + \ + } while (1); \ + \ } while (0) #define ck_read(fd, buf, len, fn) \ diff --git a/include/envs.h b/include/envs.h index 1746f946..25b792fa 100644 --- a/include/envs.h +++ b/include/envs.h @@ -106,6 +106,7 @@ static char *afl_environment_variables[] = { "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO", + "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 734fa170..bb5483fc 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -714,9 +714,11 @@ struct afl_pass : gimple_opt_pass { } + /* Returns the source file name attached to the function declaration F. If + there is no source location information, returns an empty string. */ std::string getSourceName(function *F) { - return DECL_SOURCE_FILE(F->decl); + return DECL_SOURCE_FILE(F->decl) ? DECL_SOURCE_FILE(F->decl) : ""; } diff --git a/src/afl-cc.c b/src/afl-cc.c index ffdda386..2667ae28 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -58,6 +58,7 @@ static u8 debug; static u8 cwd[4096]; static u8 cmplog_mode; u8 use_stdin; /* dummy */ +static int passthrough; // static u8 *march_opt = CFLAGS_OPT; enum { @@ -315,7 +316,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, shared_linking = 0, preprocessor_only = 0, have_unroll = 0, have_o = 0, have_pic = 0, - have_c = 0, partial_linking = 0, wasm_linking = 0; + have_c = 0, partial_linking = 0; cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); @@ -826,7 +827,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; - if (!strcmp(cur, "--target=wasm32-wasi")) wasm_linking = 1; + if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; @@ -845,8 +846,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then its ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && !wasm_linking && strlen(libdir) && - strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && + strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; cc_params[cc_par_cnt++] = libdir; @@ -1034,7 +1035,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" - "({ static volatile char *_B __attribute__((used)); " + "({ static volatile char *_B __attribute__((used,unused)); " " _B = (char*)\"" PERSIST_SIG "\"; " #ifdef __APPLE__ @@ -1048,7 +1049,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" - "do { static volatile char *_A __attribute__((used)); " + "do { static volatile char *_A __attribute__((used,unused)); " " _A = (char*)\"" DEFER_SIG "\"; " #ifdef __APPLE__ @@ -1093,7 +1094,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { switch (bit_mode) { case 0: - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt.o", obj_path); if (lto_mode) @@ -1102,7 +1103,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 32: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-32.o", obj_path); @@ -1123,7 +1124,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 64: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-64.o", obj_path); @@ -1146,7 +1147,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } #if !defined(__APPLE__) && !defined(__sun) - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif @@ -1179,7 +1180,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { int main(int argc, char **argv, char **envp) { - int i, passthrough = 0; + int i; char *callname = argv[0], *ptr = NULL; if (getenv("AFL_DEBUG")) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index e4124bf5..7c2b35d6 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { + u8 is_timeout = 0; + + if (new_bits & 0xf0) { + + new_bits -= 0x80; + is_timeout = 1; + + } + size_t real_max_len = MIN(max_description_len, sizeof(afl->describe_op_buf_256)); u8 *ret = afl->describe_op_buf_256; @@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { ret[len_current] = '\0'; ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2; + if (is_timeout) { size_left -= strlen(",+tout"); } if (unlikely(size_left <= 0)) FATAL("filename got too long"); const char *custom_description = @@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { } + if (is_timeout) { strcat(ret, ",+tout"); } + if (new_bits == 2) { strcat(ret, ",+cov"); } if (unlikely(strlen(ret) >= max_description_len)) @@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 fn[PATH_MAX]; u8 *queue_fn = ""; - u8 new_bits = 0, keeping = 0, res, classified = 0; + u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0; s32 fd; u64 cksum = 0; @@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { classified = new_bits; + save_to_queue: + #ifndef SIMPLE_FILES - queue_fn = alloc_printf( - "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, - describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); + queue_fn = + alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, + describe_op(afl, new_bits + is_timeout, + NAME_MAX - strlen("id:000000,"))); #else @@ -596,7 +611,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - ++afl->saved_tmouts; + is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -647,7 +662,20 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; } + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + + if (afl->afl_env.afl_keep_timeouts) { + + ++afl->saved_tmouts; + goto save_to_queue; + + } else { + + return keeping; + + } + + } } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 5924dd7b..47e39762 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_hang_tmout = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_keep_timeouts = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", afl_environment_variable_len)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92243fbb..c5ab364a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) { } - OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length, + OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length, afl->max_length); u32 min_alloc = MAX(64U, afl->min_length); afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc); diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index fe7be8e1..cda1d700 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -a44fa94488d01aba60401ccf81f8bebcce685bf2 +09ad7d4784e50ec4ddf590a2c29764e2a7f37442 diff --git a/unicorn_mode/samples/c/Makefile b/unicorn_mode/samples/c/Makefile index fd6dbe77..c3ea5940 100644 --- a/unicorn_mode/samples/c/Makefile +++ b/unicorn_mode/samples/c/Makefile @@ -15,7 +15,7 @@ V ?= 0 CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include -LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lpthread -lm -lunicornafl -lunicorn -lc++ +LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicorn -lunicornafl -lpthread -lm -lstdc++ ifeq ($(UNAME), Linux) # do something Linux-y diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile index 35584416..a1dc9b26 100644 --- a/unicorn_mode/samples/persistent/Makefile +++ b/unicorn_mode/samples/persistent/Makefile @@ -15,7 +15,7 @@ V ?= 0 CFLAGS += -Wall -Werror -I../../unicornafl/unicorn/include -I../../unicornafl/include -LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lpthread -lm -lunicornafl -lunicorn -lc++ +LDFLAGS += -L$(UNICORNAFL_LIB) -L$(UNICORN_LIB) -lunicornafl -lunicorn -lpthread -lm -lstdc++ ifeq ($(UNAME), Linux) # do something Linux-y diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl -Subproject a44fa94488d01aba60401ccf81f8bebcce685bf +Subproject c3e15a7d44101ff288abe114b7954ce6cfa070b diff --git a/utils/libdislocator/Makefile b/utils/libdislocator/Makefile index f0b4bb72..6bfb79ec 100644 --- a/utils/libdislocator/Makefile +++ b/utils/libdislocator/Makefile @@ -19,9 +19,10 @@ HELPER_PATH = $(PREFIX)/lib/afl VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2) CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 -override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign +CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE) +CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE) CFLAGS += $(CFLAGS_ADD) all: libdislocator.so diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index 68ac9143..e4934b5d 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -29,6 +29,9 @@ heap-related security bugs in several ways: - Optionally, in platforms supporting it, huge pages can be used by passing `USEHUGEPAGE=1` to make. + - Optionally, in platforms supporting it, `named` pages can be used by passing + `USENAMEDPAGE=1` to make. + - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In this case, a tail canary is inserted in the padding bytes at the end of the allocated zone. This reduce the ability of libdislocator to detect @@ -64,4 +67,4 @@ require AFL-instrumented binaries to work. Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is dynamically linked. Otherwise, attempting to use the library will have no -effect. \ No newline at end of file +effect. diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 103da9d5..bd08a678 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -39,6 +39,7 @@ #if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__) #include <unistd.h> + #include <sys/prctl.h> #ifdef __linux__ #include <sys/syscall.h> #include <malloc.h> @@ -66,6 +67,10 @@ } while (0) #endif + #ifndef PR_SET_VMA + #define PR_SET_VMA 0x53564d41 + #define PR_SET_VMA_ANON_NAME 0 + #endif #endif #include "config.h" @@ -251,6 +256,20 @@ static void *__dislocator_alloc(size_t len) { } +#if defined(USENAMEDPAGE) + #if defined(__linux__) + // in the /proc/<pid>/maps file, the anonymous page appears as + // `<start>-<end> ---p 00000000 00:00 0 [anon:libdislocator]` + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, + (unsigned long)"libdislocator") < 0) { + + DEBUGF("prctl() failed"); + + } + + #endif +#endif + /* Set PROT_NONE on the last page. */ if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) |