-rw-r--r--.gitignore1
-rw-r--r--GNUmakefile.llvm10
-rwxr-xr-xafl-whatsup8
-rw-r--r--docs/Changelog.md2
-rw-r--r--frida_mode/src/asan/asan_arm64.c8
-rw-r--r--frida_mode/src/instrument/instrument_coverage.c7
-rw-r--r--include/cmplog.h13
-rw-r--r--instrumentation/afl-compiler-rt.o.c25
-rw-r--r--instrumentation/afl-llvm-dict2file.so.cc7
9 files changed, 50 insertions, 31 deletions
diff --git a/.gitignore b/.gitignore
index 8e191e29..9ac577d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.pyc
 *.so
 *.swp
+.DS_Store
 .sync_tmp
 .test
 .test2
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 8b4c6054..52ff778c 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -61,7 +61,6 @@ LLVM_HAVE_LTO                := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || e
 LLVM_BINDIR                  := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
 LLVM_LIBDIR                  := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
 LLVM_STDCXX                  := gnu++11
-LLVM_APPLE_XCODE             := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
 LLVM_LTO                     := 0
 LLVM_UNSUPPORTED             := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' && echo 1 || echo 0)
 # Uncomment to see the values assigned above
@@ -112,10 +111,6 @@ ifeq "$(LLVM_LTO)" "0"
   $(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.)
 endif
 
-ifeq "$(LLVM_APPLE_XCODE)" "1"
-  $(warning llvm_mode will not compile with Xcode clang...)
-endif
-
 # We were using llvm-config --bindir to get the location of clang, but
 # this seems to be busted on some distros, so using the one in $PATH is
 # probably better.
@@ -123,6 +118,11 @@ endif
 CC         = $(LLVM_BINDIR)/clang
 CXX        = $(LLVM_BINDIR)/clang++
 
+LLVM_APPLE_XCODE             := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
+ifeq "$(LLVM_APPLE_XCODE)" "1"
+  $(warning llvm_mode will not compile with Xcode clang...)
+endif
+
 # llvm-config --bindir may not providing a valid path, so ...
 ifeq "$(shell test -e $(CC) || echo 1 )" "1"
   # however we must ensure that this is not a "CC=gcc make"
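Review bot: The relocated Xcode probe `LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)` now runs against `$(LLVM_BINDIR)/clang` before the existence check `ifeq "$(shell test -e $(CC) || echo 1 )" "1"` directly below it, so when that path does not exist the probe's error is swallowed by `2>&1 | grep -q Apple` and the variable silently becomes 0 even if the compiler chosen afterwards is Apple clang. Moving the assignment and its `ifeq` block below that existence-check block would probe the compiler that is actually used; that block ends outside this hunk, so whether it reassigns CC is inferred rather than visible here.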
diff --git a/afl-whatsup b/afl-whatsup
index 19841755..6fa2dfc2 100755
--- a/afl-whatsup
+++ b/afl-whatsup
@@ -112,12 +112,12 @@ if [ -z "$NO_COLOR" ]; then
 fi
 
 PLATFORM=`uname -s`
-if [ "$PLATFORM" = "Linux" ] ; then
-  CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
-else
+#if [ "$PLATFORM" = "Linux" ] ; then
+#  CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
+#else
   # This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux
   CUR_TIME=`date +%s`
-fi
+#fi
 
 TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
 trap "rm -f $TMP" 1 2 3 13 15
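Review bot: With the Linux branch commented out, the surviving comment `# This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux` describes a fallback that no longer exists — `CUR_TIME=\`date +%s\`` is now the only path on every platform — and `PLATFORM=\`uname -s\`` just above appears to be assigned without being read in this hunk. I would delete the commented-out `#if`/`#else`/`#fi` lines rather than keep dead code, drop the PLATFORM assignment if nothing below the hunk uses it, and replace the stale comment with one that states the current behaviour, e.g. `# CUR_TIME is epoch seconds on every platform; the /proc/uptime path was removed`.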
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d33d3121..3f9f0161 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -13,6 +13,8 @@
     - improved seed selection algorithm
     - added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send()
       function after the target has been restarted.
+    - because of bad math and undefined behaviour fixes we have to change
+      the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS**
   - frida_mode:
     - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
       a function entry
diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c
index 94729939..c1d5c10f 100644
--- a/frida_mode/src/asan/asan_arm64.c
+++ b/frida_mode/src/asan/asan_arm64.c
@@ -39,15 +39,15 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) {
 
   address = base + index + mem->disp;
 
-  if ((operand->access & CS_AC_READ) == CS_AC_READ) {
+  if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) {
 
-    asan_loadN(address, asan_ctx->size);
+    asan_storeN(address, asan_ctx->size);
 
   }
 
-  if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) {
+  if ((operand->access & CS_AC_READ) == CS_AC_READ) {
 
-    asan_storeN(address, asan_ctx->size);
+    asan_loadN(address, asan_ctx->size);
 
   }
 
diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c
index ff2f4024..a546dc24 100644
--- a/frida_mode/src/instrument/instrument_coverage.c
+++ b/frida_mode/src/instrument/instrument_coverage.c
@@ -818,6 +818,9 @@ void instrument_coverage_unstable_find_output(void) {
 
   GDir *dir = g_dir_open(fds_name, 0, NULL);
 
+  gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT");
+  gchar *instance_name = g_path_get_basename(path_tmp);
+
   FVERBOSE("Coverage Unstable - fds: %s", fds_name);
 
   for (const gchar *filename = g_dir_read_name(dir); filename != NULL;
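Review bot: `gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT");` yields a pointer into the process environment, yet the last hunk of this file adds `g_free(path_tmp);` on that pointer, which is an invalid free and should simply be deleted. The value is also not checked before `g_path_get_basename(path_tmp)`, so a run without that variable set hands NULL to GLib and, as far as I can tell from the hunk, ends up with an instance_name that never matches any fd link; a guard right after the getenv such as `if (path_tmp == NULL) { FFATAL("AFL_CUSTOM_INFO_OUT is not set"); }` keeps the failure explicit and early. The enclosing instrument_coverage_unstable_find_output extends beyond this hunk.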
@@ -829,7 +832,7 @@ void instrument_coverage_unstable_find_output(void) {
     if (link == NULL) { FFATAL("Failed to read link: %s", fullname); }
 
     gchar *basename = g_path_get_basename(link);
-    if (g_strcmp0(basename, "default") != 0) {
+    if (g_strcmp0(basename, instance_name) != 0) {
 
       g_free(basename);
       g_free(link);
@@ -874,6 +877,8 @@ void instrument_coverage_unstable_find_output(void) {
   }
 
   g_dir_close(dir);
+  g_free(instance_name);
+  g_free(path_tmp);
   g_free(fds_name);
 
   if (unstable_coverage_fuzzer_stats == NULL) {
diff --git a/include/cmplog.h b/include/cmplog.h
index a4449a60..9f995da6 100644
--- a/include/cmplog.h
+++ b/include/cmplog.h
@@ -53,21 +53,24 @@ struct cmp_header {  // 16 bit = 2 bytes
 struct cmp_operands {
 
   u64 v0;
-  u64 v1;
   u64 v0_128;
+  u64 v0_256_0;  // u256 is unsupported by any compiler for now, so future use
+  u64 v0_256_1;
+  u64 v1;
   u64 v1_128;
-  u64 unused;
-  u8  unused1;
-  u8  unused2;
+  u64 v1_256_0;
+  u64 v1_256_1;
+  u8  unused[8];
 
 } __attribute__((packed));
 
 struct cmpfn_operands {
 
   u8 v0[32];
-  u8 v0_len;
   u8 v1[32];
+  u8 v0_len;
   u8 v1_len;
+  u8 unused[6];
 
 } __attribute__((packed));
 
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 372b9f5a..6e04ae47 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -872,7 +872,7 @@ static void __afl_start_forkserver(void) {
     __afl_old_forkserver = 1;
     status = 0;
 
-    if (__afl_final_loc && __afl_final_loc > MAP_SIZE) {
+    if (__afl_final_loc > MAP_SIZE) {
 
       fprintf(stderr,
               "Warning: AFL_OLD_FORKSERVER is used with a target compiled with "
@@ -969,13 +969,13 @@ static void __afl_start_forkserver(void) {
 
     /* Wait for parent by reading from the pipe. Abort if read fails. */
 
-    if (already_read_first) {
+    if (unlikely(already_read_first)) {
 
       already_read_first = 0;
 
     } else {
 
-      if (read(FORKSRV_FD, &was_killed, 4) != 4) {
+      if (unlikely(read(FORKSRV_FD, &was_killed, 4) != 4)) {
 
         write_error("read from AFL++ tool");
         _exit(1);
@@ -1014,10 +1014,10 @@ static void __afl_start_forkserver(void) {
        condition and afl-fuzz already issued SIGKILL, write off the old
        process. */
 
-    if (child_stopped && was_killed) {
+    if (unlikely(child_stopped && was_killed)) {
 
       child_stopped = 0;
-      if (waitpid(child_pid, &status, 0) < 0) {
+      if (unlikely(waitpid(child_pid, &status, 0) < 0)) {
 
         write_error("child_stopped && was_killed");
         _exit(1);
@@ -1026,12 +1026,12 @@ static void __afl_start_forkserver(void) {
 
     }
 
-    if (!child_stopped) {
+    if (unlikely(!child_stopped)) {
 
       /* Once woken up, create a clone of our process. */
 
       child_pid = fork();
-      if (child_pid < 0) {
+      if (unlikely(child_pid < 0)) {
 
         write_error("fork");
         _exit(1);
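Review bot: `if (unlikely(!child_stopped)) {` marks the fork path as the cold branch, but for a non-persistent target waitpid is called without WUNTRACED (`is_persistent ? WUNTRACED : 0` later in this function), so WIFSTOPPED never sets child_stopped and this branch is taken on every iteration; the same applies to `if (likely(WIFSTOPPED(status))) { child_stopped = 1; }` in the last hunk, which is only likely in persistent mode. Unless the hint is meant to favour the persistent case, I would leave these two conditions without a likely/unlikely wrapper, or state the intent with a comment such as `// hinted for persistent mode, where the child is normally stopped rather than re-forked`. __afl_start_forkserver begins and ends outside these hunks.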
@@ -1040,7 +1040,7 @@ static void __afl_start_forkserver(void) {
 
       /* In child process: close fds, resume execution. */
 
-      if (!child_pid) {
+      if (unlikely(!child_pid)) {  // just to signal afl-fuzz faster
 
         //(void)nice(-20);
 
@@ -1065,14 +1065,15 @@ static void __afl_start_forkserver(void) {
 
     /* In parent process: write PID to pipe, then wait for child. */
 
-    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) {
+    if (unlikely(write(FORKSRV_FD + 1, &child_pid, 4) != 4)) {
 
       write_error("write to afl-fuzz");
       _exit(1);
 
     }
 
-    if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) {
+    if (unlikely(waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) <
+                 0)) {
 
       write_error("waitpid");
       _exit(1);
@@ -1083,11 +1084,11 @@ static void __afl_start_forkserver(void) {
        a successful run. In this case, we want to wake it up without forking
        again. */
 
-    if (WIFSTOPPED(status)) child_stopped = 1;
+    if (likely(WIFSTOPPED(status))) { child_stopped = 1; }
 
     /* Relay wait status to pipe, then loop back. */
 
-    if (write(FORKSRV_FD + 1, &status, 4) != 4) {
+    if (unlikely(write(FORKSRV_FD + 1, &status, 4) != 4)) {
 
       write_error("writing to afl-fuzz");
       _exit(1);
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index b93f61f0..6559bc84 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -661,6 +661,13 @@ bool AFLdict2filePass::runOnModule(Module &M) {
             Value       *op2 = callInst->getArgOperand(2);
             ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
 
+            if (!ilen) {
+
+              op2 = callInst->getArgOperand(1);
+              ilen = dyn_cast<ConstantInt>(op2);
+
+            }
+
             if (ilen) {
 
               uint64_t literalLength = optLen;
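Review bot: The new fallback `op2 = callInst->getArgOperand(1); ilen = dyn_cast<ConstantInt>(op2);` reinterprets the second argument as the length whenever the third is not a constant, with no comment naming the callee(s) whose length argument lives at index 1; for a compare-style call with a non-constant length, argument 1 is normally a pointer and the cast fails harmlessly, but any callee with a constant integer at index 1 that is not a length would be fed into the literal handling that follows. A comment above `if (!ilen) {` stating which signatures this is meant to cover, or gating the fallback on the callee name, would make the intent checkable; the surrounding dispatch is not visible from this hunk, and runOnModule starts and ends outside it.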