-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | docs/ChangeLog | 14 | ||||
-rw-r--r-- | include/config.h | 2 | ||||
-rw-r--r-- | libdislocator/libdislocator.so.c | 6 | ||||
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 9 | ||||
-rwxr-xr-x | qemu_mode/build_qemu_support.sh | 5 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-common.h | 4 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-tcg-inl.h | 4 | ||||
-rw-r--r-- | src/afl-fuzz-bitmap.c | 3 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 7 | ||||
-rwxr-xr-x | unicorn_mode/build_unicorn_support.sh | 8 | ||||
-rw-r--r-- | unicorn_mode/samples/compcov_x64/compcov_test_harness.py | 27 | ||||
-rw-r--r-- | unicorn_mode/samples/simple/simple_test_harness.py | 31 | ||||
m--------- | unicorn_mode/unicorn | 0 |
16 files changed, 47 insertions, 84 deletions
diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index 05bd3b04..00000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "unicorn_mode/unicorn"] - path = unicorn_mode/unicorn - url = https://github.com/vanhauser-thc/unicorn.git diff --git a/Makefile b/Makefile index ab70e9cb..1247ba83 100644 --- a/Makefile +++ b/Makefile @@ -310,7 +310,7 @@ all_done: test_build .NOTPARALLEL: clean clean: - rm -f $(PROGS) libradamsa.so afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so *.8 + rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so *.8 rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM -$(MAKE) -C llvm_mode clean -$(MAKE) -C gcc_plugin clean @@ -319,7 +319,7 @@ clean: $(MAKE) -C qemu_mode/unsigaction clean $(MAKE) -C qemu_mode/libcompcov clean $(MAKE) -C src/third_party/libradamsa/ clean - $(MAKE) -C unicorn_mode/unicorn clean + -$(MAKE) -C unicorn_mode/unicorn clean distrib: all radamsa -$(MAKE) -C llvm_mode diff --git a/README.md b/README.md index 09df08c6..bb98357e 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@  - Release Version: 2.58c + Release Version: 2.59c - Github Version: 2.58d + Github Version: 2.59d includes all necessary/interesting changes from Google's afl 2.56b diff --git a/docs/ChangeLog b/docs/ChangeLog index 408c5692..5fd004b1 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog 
@@ -13,9 +13,17 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to <afl-users+subscribe@googlegroups.com>. ----------------------- -Version ++2.58d (dev): ----------------------- +-------------------------- +Version ++2.59d (develop): +-------------------------- + + - your patch? :-) + + + +-------------------------- +Version ++2.59c (release): +-------------------------- - qbdi_mode: fuzz android native libraries via QBDI framework - unicorn_mode: switched to the new unicornafl, thanks domenukk diff --git a/include/config.h b/include/config.h index 29bdf048..e0b2555b 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ -#define VERSION "++2.58d" // c = release, d = volatile github dev +#define VERSION "++2.59d" // c = release, d = volatile github dev /****************************************************** * * diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 33985ce9..0eb3f628 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -130,7 +130,7 @@ static u8 alloc_verbose, /* Additional debug messages */ static __thread size_t total_mem; /* Currently allocated mem */ static __thread u32 call_depth; /* To avoid recursion via fprintf() */ -static u32 alloc_canary; +static u32 alloc_canary; /* This is the main alloc function. It allocates one page more than necessary, sets that tailing page to PROT_NONE, and then increments the return address @@ -348,10 +348,10 @@ int posix_memalign(void** ptr, size_t align, size_t len) { return 0; } - + size_t rem = len % align; if (rem) len += align - rem; - + *ptr = __dislocator_alloc(len); if (*ptr && len) memset(*ptr, ALLOC_CLOBBER, len); diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index c2b54a51..6f6d55ed 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
@@ -358,7 +358,7 @@ static void edit_params(u32 argc, char** argv) { } -//#ifndef __ANDROID__ // not sure, we might need these ifdefs for Android + //#ifndef __ANDROID__ // not sure, we might need these ifdefs for Android switch (bit_mode) { case 0: @@ -382,7 +382,8 @@ static void edit_params(u32 argc, char** argv) { break; } -//#endif + + //#endif } @@ -443,9 +444,9 @@ int main(int argc, char** argv) { } -//#ifndef __ANDROID__ // not sure this is needed for Android, so at the moment we rather keep this out +#ifndef __ANDROID__ find_obj(argv[0]); -//#endif +#endif edit_params(argc, argv); diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index c3983aa1..afd82f72 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -243,10 +243,9 @@ else fi echo "[+] Building libcompcov ..." -make -C libcompcov +make -C libcompcov && echo "[+] libcompcov ready" echo "[+] Building unsigaction ..." -make -C unsigaction -echo "[+] libcompcov ready" +make -C unsigaction && echo "[+] unsigaction ready" echo "[+] All done for qemu_mode, enjoy!" exit 0 diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 2c1939aa..bddf0515 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -79,8 +79,8 @@ void afl_debug_dump_saved_regs(); void afl_persistent_loop(); void tcg_gen_afl_call0(void *func); -void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, - TCGv arg1, TCGv arg2); +void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, TCGv arg1, + TCGv arg2); void tcg_gen_afl_maybe_log_call(target_ulong cur_loc); diff --git a/qemu_mode/patches/afl-qemu-tcg-inl.h b/qemu_mode/patches/afl-qemu-tcg-inl.h index 33e0d2a7..8ac993a2 100644 --- a/qemu_mode/patches/afl-qemu-tcg-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-inl.h 
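Review bot: In the `@@ -443,9 +444,9 @@` hunk of main(), `find_obj(argv[0])` is now compiled out under `__ANDROID__` while `edit_params(argc, argv)` on the next line still runs unconditionally; if edit_params consumes a path that only find_obj initializes (not visible in this hunk), Android builds would use it uninitialized, so either give that value a default in an `#else` branch or guard its use the same way. The `//#ifndef __ANDROID__` / `//#endif` pairs that the two edit_params hunks merely re-indent are commented-out code rather than documentation; either promote them to real guards or replace both with one comment such as `// TODO(android): decide whether the bit_mode switch below needs an __ANDROID__ guard`. Both main() and edit_params() start and end outside these hunks.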
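Review bot: `make -C libcompcov && echo "[+] libcompcov ready"` and the matching unsigaction line turn a build failure into nothing more than a missing message: the script still reaches `echo "[+] All done for qemu_mode, enjoy!"` and `exit 0` whether or not either library was built. Fail fast instead, e.g. `make -C libcompcov || { echo "[-] libcompcov build failed"; exit 1; }` followed by the ready message, and the same pair for unsigaction. That also keeps the `[+]` prefix reserved for messages that are only printed on success.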
@@ -376,8 +376,8 @@ void tcg_gen_afl_call0(void *func) { } -void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, - TCGv arg1, TCGv arg2) { +void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, TCGv arg1, + TCGv arg2) { int i, real_args, nb_rets, pi; unsigned sizemask, flags; diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 8f00611c..c1aeb9ac 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -685,13 +685,14 @@ u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { ++unique_crashes; if (infoexec) { // if the user wants to be informed on new crashes - do #if !TARGET_OS_IPHONE - // that + // that if (system(infoexec) == -1) hnb += 0; // we dont care if system errors, but we dont want a // compiler warning either #else WARNF("command execution unsupported"); #endif + } last_crash_time = get_cur_time(); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index c91b7bb7..825169cf 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1905,9 +1905,10 @@ void check_binary(u8* fname) { #else #if !defined(__arm__) && !defined(__arm64__) - if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) - && (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) - FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", target_path); + if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) && + (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) + FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", + target_path); #endif #endif /* ^!__APPLE__ */ diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 707e47bb..1c176bca 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh 
@@ -89,7 +89,7 @@ if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then TARCMD=gtar fi -for i in wget $PYTHONBIN automake autoconf $MAKECMD $TARCMD; do +for i in wget $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do T=`which "$i" 2>/dev/null` @@ -124,8 +124,10 @@ fi echo "[+] All checks passed!" echo "[*] Making sure unicornafl is checked out" -git submodule init || exit 1 -git submodule update || exit 1 +rm -rf unicorn # workaround for travis ... sadly ... +#test -d unicorn && { cd unicorn && { git stash ; git pull ; cd .. ; } } +test -d unicorn || git clone https://github.com/vanhauser-thc/unicorn +test -d unicorn || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; } echo "[+] Got unicornafl." echo "[*] making sure config.h matches" diff --git a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py index 9a5da520..3861f205 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_test_harness.py +++ b/unicorn_mode/samples/compcov_x64/compcov_test_harness.py 
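Review bot: `test -d unicorn || git clone https://github.com/vanhauser-thc/unicorn` in the second hunk checks out whatever the remote's default branch points at when the script runs, whereas the deleted .gitmodules entry plus the submodule gitlink pinned one commit; the build now depends on an unpinned upstream, and `rm -rf unicorn` on the line above guarantees it is re-fetched on every run. Pin the checkout, e.g. `git clone https://github.com/vanhauser-thc/unicorn && git -C unicorn checkout <PINNED_UNICORNAFL_COMMIT>` (placeholder; the last hunk of this commit still records an updated gitlink for unicorn_mode/unicorn, which would be the natural source for the value). That gitlink is also left in the tree with no .gitmodules entry, which git submodule commands typically warn about, so remove it with `git rm --cached unicorn_mode/unicorn` if the submodule is really gone. The commented-out stash/pull line would read better as a short comment stating why a fresh clone was chosen.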
@@ -59,35 +59,17 @@ def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data else: print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) -def force_crash(uc_error): - # This function should be called to indicate to AFL that a crash occurred during emulation. - # Pass in the exception received from Uc.emu_start() - mem_errors = [ - UC_ERR_READ_UNMAPPED, UC_ERR_READ_PROT, UC_ERR_READ_UNALIGNED, - UC_ERR_WRITE_UNMAPPED, UC_ERR_WRITE_PROT, UC_ERR_WRITE_UNALIGNED, - UC_ERR_FETCH_UNMAPPED, UC_ERR_FETCH_PROT, UC_ERR_FETCH_UNALIGNED, - ] - if uc_error.errno in mem_errors: - # Memory error - throw SIGSEGV - os.kill(os.getpid(), signal.SIGSEGV) - elif uc_error.errno == UC_ERR_INSN_INVALID: - # Invalid instruction - throw SIGILL - os.kill(os.getpid(), signal.SIGILL) - else: - # Not sure what happened - throw SIGABRT - os.kill(os.getpid(), signal.SIGABRT) - def main(): parser = argparse.ArgumentParser(description="Test harness for compcov_target.bin") parser.add_argument('input_file', type=str, help="Path to the file containing the mutated input to load") - parser.add_argument('-d', '--debug', default=False, action="store_true", help="Enables debug tracing") + parser.add_argument('-t', '--trace', default=False, action="store_true", help="Enables debug tracing") args = parser.parse_args() # Instantiate a MIPS32 big endian Unicorn Engine instance uc = Uc(UC_ARCH_X86, UC_MODE_64) - if args.debug: + if args.trace: uc.hook_add(UC_HOOK_BLOCK, unicorn_debug_block) uc.hook_add(UC_HOOK_CODE, unicorn_debug_instruction) uc.hook_add(UC_HOOK_MEM_WRITE | UC_HOOK_MEM_READ, unicorn_debug_mem_access) @@ -132,11 +114,6 @@ def main(): """ Callback that loads the mutated input into memory. """ - # Load the mutated input from disk - input_file = open(args.input_file, 'rb') - input = input_file.read() - input_file.close() - # Apply constraints to the mutated input if len(input) > DATA_SIZE_MAX: return 
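Review bot: The `@@ -132,11 +114,6 @@` hunk removes the `open(args.input_file, 'rb')` read, so `input` in `if len(input) > DATA_SIZE_MAX` must now be bound by the callback's parameter list; that `def place_input_callback` line lies outside this hunk, so confirm it matches the `(uc, input, persistent_round, data)` signature visible in the simple_test_harness.py hunk below. Renaming `-d/--debug` to `-t/--trace` breaks existing invocations and any documentation that still mentions `-d` (the header docstring of these harnesses is not in view); keeping `'-d', '--debug'` as additional option strings on the same `add_argument` call, or recording the rename in the ChangeLog, would soften that. With force_crash() gone, the `os` and `signal` imports it used may now be unused (imports are outside the hunk). The same three points apply to the two simple_test_harness.py hunks and are not repeated there.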
diff --git a/unicorn_mode/samples/simple/simple_test_harness.py b/unicorn_mode/samples/simple/simple_test_harness.py index d85ec9f5..f4002ca8 100644 --- a/unicorn_mode/samples/simple/simple_test_harness.py +++ b/unicorn_mode/samples/simple/simple_test_harness.py @@ -5,8 +5,8 @@ This loads the simple_target.bin binary (precompiled as MIPS code) into Unicorn's memory map for emulation, places the specified input into simple_target's buffer (hardcoded to be at 0x300000), and executes 'main()'. - If any crashes occur during emulation, this script throws a matching signal - to tell AFL that a crash occurred. + If any crashes occur during emulation, unicornafl will + tell AFL that a crash occurred. Run under AFL as follows: 
@@ -59,35 +59,17 @@ def unicorn_debug_mem_invalid_access(uc, access, address, size, value, user_data else: print(" >>> INVALID Read: addr=0x{0:016x} size={1}".format(address, size)) -def force_crash(uc_error): - # This function should be called to indicate to AFL that a crash occurred during emulation. - # Pass in the exception received from Uc.emu_start() - mem_errors = [ - UC_ERR_READ_UNMAPPED, UC_ERR_READ_PROT, UC_ERR_READ_UNALIGNED, - UC_ERR_WRITE_UNMAPPED, UC_ERR_WRITE_PROT, UC_ERR_WRITE_UNALIGNED, - UC_ERR_FETCH_UNMAPPED, UC_ERR_FETCH_PROT, UC_ERR_FETCH_UNALIGNED, - ] - if uc_error.errno in mem_errors: - # Memory error - throw SIGSEGV - os.kill(os.getpid(), signal.SIGSEGV) - elif uc_error.errno == UC_ERR_INSN_INVALID: - # Invalid instruction - throw SIGILL - os.kill(os.getpid(), signal.SIGILL) - else: - # Not sure what happened - throw SIGABRT - os.kill(os.getpid(), signal.SIGABRT) - def main(): parser = argparse.ArgumentParser(description="Test harness for simple_target.bin") parser.add_argument('input_file', type=str, help="Path to the file containing the mutated input to load") - parser.add_argument('-d', '--debug', default=False, action="store_true", help="Enables debug tracing") + parser.add_argument('-t', '--trace', default=False, action="store_true", help="Enables debug tracing") args = parser.parse_args() # Instantiate a MIPS32 big endian Unicorn Engine instance uc = Uc(UC_ARCH_MIPS, UC_MODE_MIPS32 + UC_MODE_BIG_ENDIAN) - if args.debug: + if args.trace: uc.hook_add(UC_HOOK_BLOCK, unicorn_debug_block) uc.hook_add(UC_HOOK_CODE, unicorn_debug_instruction) uc.hook_add(UC_HOOK_MEM_WRITE | UC_HOOK_MEM_READ, unicorn_debug_mem_access) 
@@ -129,11 +111,6 @@ def main(): # We did not pass in any data and don't use persistent mode, so we can ignore these params. # Be sure to check out the docstrings for the uc.afl_* functions. def place_input_callback(uc, input, persistent_round, data): - # Load the mutated input from disk - input_file = open(args.input_file, 'rb') - input = input_file.read() - input_file.close() - # Apply constraints to the mutated input if len(input) > DATA_SIZE_MAX: #print("Test input is too long (> {} bytes)") diff --git a/unicorn_mode/unicorn b/unicorn_mode/unicorn -Subproject aa5ebf5e16f4f5781cfe94229b41eee7ff93b35 +Subproject db248c8d8167e47ee07943961d1ce6244d57602 |