41 files changed, 239 insertions, 131 deletions
diff --git a/.travis.yml b/.travis.yml index ae34fe0b..fe81d19f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,10 +17,10 @@ matrix: - os: linux dist: trusty env: NAME="trusty-amd64" MODERN="no" GCC="4.8" - - os: linux - dist: xenial - arch: arm64 - env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64" +# - os: linux # until travis can fix this! +# dist: xenial +# arch: arm64 +# env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64" # - os: osx # osx_image: xcode11.2 # env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple" @@ -50,3 +50,4 @@ script: - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi - make tests + - travis_terminate 0 diff --git a/Makefile b/Makefile index b9d4bf5a..e002516a 100644 --- a/Makefile +++ b/Makefile @@ -103,9 +103,9 @@ ifneq "$(shell which python)" "" endif ifdef SOURCE_DATE_EPOCH - BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -I) + BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d") else - BUILD_DATE ?= $(shell date -I) + BUILD_DATE ?= $(shell date "+%Y-%m-%d") endif ifneq "$(filter Linux GNU%,$(shell uname))" "" 
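Review bot: Commenting out the xenial-arm64 job removes the only CI run that set `AFL_NO_X86=1` and built on aarch64, so the ARM-specific flag selection added to the examples Makefiles in this same commit lands with no automated coverage; the `TRAVIS_CPU_ARCH = "arm64"` line in the script section is now dead as well. The `# until travis can fix this!` comment gives a later maintainer nothing to check against; something like `# disabled: Travis arm64 builders currently fail (see the upstream Travis issue); re-enable once fixed` records both the reason and the re-enable condition.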
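Review bot: `travis_terminate 0` ends the script phase with a fixed exit status of 0, and as far as I can tell from the Travis documentation that explicit status is what the job reports, so a failing `make distrib`, `make tests` or the ASAN build on the lines above would still show green. If the goal is only to shut the VM down promptly after the last step, `- travis_terminate $?` at least propagates the result of `make tests`, and dropping the line altogether lets Travis fold in every script line's status as before. Either way a comment stating why the job must be terminated explicitly would help, since the line is easy to mistake for a no-op.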
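Review bot: The final `|| date -u "+%Y-%m-%d"` silently falls back to today's date when `SOURCE_DATE_EPOCH` is set but neither `date -d "@…"` nor `date -r` accepts it, which defeats the reproducible-build purpose of honouring the variable at all; emitting a warning in that branch, e.g. `|| { echo "warning: cannot parse SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH), using current date" >&2; date -u "+%Y-%m-%d"; }`, keeps the build going without hiding the misconfiguration. Replacing `-I` with an explicit `+%Y-%m-%d` is the right portability fix, but the chain presumably relies on BSD/macOS `date -d` (which does not mean "parse this date" there) failing before `-r` is tried, and that assumption deserves a one-line comment above the assignment. Note also that `?=` is recursive-flavour, so the `$(shell date …)` runs on every expansion of `BUILD_DATE`; harmless for `date`, but `:=` would make it explicit that the value is computed once.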
@@ -344,7 +344,7 @@ endif all_done: test_build - @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi + @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi @echo "[+] All done! Be sure to review the README.md - it's pretty short and useful." @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null diff --git a/README.md b/README.md index 01d61fea..c764d85a 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@  - Release Version: 2.60c + Release Version: 2.61c - Github Version: 2.60d + Github Version: 2.61d includes all necessary/interesting changes from Google's afl 2.56b @@ -89,7 +89,9 @@ read this file. -## Shameless plug to students and enthusiast developers +## Google Summer of Code 2020 (and any other students and enthusiast developers) + +We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-) We have several ideas we would like to see in AFL++ to make it even better. However we already work on so many things that we do not have the time for @@ -106,6 +108,7 @@ afl++ has many build options. The easiest is to build and install everything: ```shell +$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang $ make distrib $ sudo make install ``` 
@@ -153,7 +156,8 @@ Hence gcc-9 and especially llvm-9 should be the compilers of choice. If your distribution does not have them, you can use the Dockerfile: ```shell -$ docker build -t aflplusplus +$ cd AFLplusplus +$ sudo docker build -t aflplusplus . ``` @@ -295,6 +299,8 @@ $ ./build_qemu_support.sh For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md). +If possible you should use the persistent mode, see [README.persistent.md](README.persistent.md). + The mode is approximately 2-5x slower than compile-time instrumentation, is less conducive to parallelization, and may have some other quirks. @@ -306,7 +312,17 @@ A more comprehensive description of these and other options can be found in [docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md) -## 5) Power schedules +## 5) Good examples and writeups + +Here are some good writeups to show how to effectibly use AFL++: + + * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) + * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/) + * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1) + +If you find other good ones, please send them to us :-) + +## 6) Power schedules The power schedules were copied from Marcel Böhme's excellent AFLfast implementation and expand on the ability to discover new paths and @@ -333,7 +349,8 @@ made the default mode). More details can be found in the paper published at the 23rd ACM Conference on Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/) -## 6) Choosing initial test cases + +## 7) Choosing initial test cases To operate correctly, the fuzzer requires one or more starting file that contains a good example of the input data normally expected by the targeted 
@@ -354,7 +371,7 @@ the afl-cmin utility to identify a subset of functionally distinct files that exercise different code paths in the target binary. -## 7) Fuzzing binaries +## 8) Fuzzing binaries The fuzzing process itself is carried out by the afl-fuzz utility. This program requires a read-only directory with initial test cases, a separate place to @@ -391,8 +408,7 @@ steps, which can take several days, but tend to produce neat test cases. If you want quick & dirty results right away - akin to zzuf and other traditional fuzzers - add the -d option to the command line. - -## 8) Interpreting output +## 9) Interpreting output See the [docs/status_screen.md](docs/status_screen.md) file for information on how to interpret the displayed stats and monitor the health of the process. Be @@ -452,8 +468,7 @@ If you have gnuplot installed, you can also generate some pretty graphs for any active fuzzing task using afl-plot. For an example of how this looks like, see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/). - -## 9) Parallelized fuzzing +## 10) Parallelized fuzzing Every instance of afl-fuzz takes up roughly one core. This means that on multi-core systems, parallelization is necessary to fully utilize the hardware. @@ -464,8 +479,7 @@ The parallel fuzzing mode also offers a simple way for interfacing AFL to other fuzzers, to symbolic or concolic execution engines, and so forth; again, see the last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips. - -## 10) Fuzzer dictionaries +## 12) Fuzzer dictionaries By default, afl-fuzz mutation engine is optimized for compact data formats - say, images, multimedia, compressed data, regular expression syntax, or shell 
@@ -500,8 +514,7 @@ If a dictionary is really hard to come by, another option is to let AFL run for a while, and then use the token capture library that comes as a companion utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md). - -## 11) Crash triage +## 13) Crash triage The coverage-based grouping of crashes usually produces a small data set that can be quickly triaged manually or with a very simple GDB or Valgrind script. @@ -549,7 +562,7 @@ insights into complex file formats. More info about its operation can be found near the end of [docs/technical_details.md](docs/technical_details.md). -## 12) Going beyond crashes +## 14) Going beyond crashes Fuzzing is a wonderful and underutilized technique for discovering non-crashing design and implementation errors, too. Quite a few interesting bugs have been @@ -572,8 +585,7 @@ if you are the maintainer of a particular package, you can make this code conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL). - -## 13) Common-sense risks +## 15) Common-sense risks Please keep in mind that, similarly to many other computationally-intensive tasks, fuzzing may put strain on your hardware and on the OS. In particular: @@ -602,8 +614,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular: $ iostat -d 3 -x -k [...optional disk ID...] ``` - -## 14) Known limitations & areas for improvement +## 16) Known limitations & areas for improvement Here are some of the most important caveats for AFL: @@ -643,8 +654,7 @@ Here are some of the most important caveats for AFL: Beyond this, see INSTALL for platform-specific tips. - -## 15) Special thanks +## 17) Special thanks Many of the improvements to the original afl and afl++ wouldn't be possible without feedback, bug reports, or patches from: 
@@ -696,9 +706,9 @@ without feedback, bug reports, or patches from: ``` Thank you! +(For people sending pull requests - please add yourself to this list :-) - -## 16) Contact +## 18) Contact Questions? Concerns? Bug reports? The contributors can be reached via [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) diff --git a/afl-cmin.bash b/afl-cmin.bash index 948e0655..b1378eb5 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -126,7 +126,7 @@ Minimization settings: -C - keep crashing inputs, reject everything else -e - solve for edge coverage only, ignore hit counts -For additional tips, please consult docs/README. +For additional tips, please consult docs/README.md. Environment variables used: AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory diff --git a/afl-plot b/afl-plot index d99abff0..0f0154a6 100755 --- a/afl-plot +++ b/afl-plot @@ -32,6 +32,8 @@ an empty directory where this tool can write the resulting plots to. The program will put index.html and three PNG images in the output directory; you should be able to view it with any web browser of your choice. +Environment variables used: +AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories _EOF_ exit 1 diff --git a/docs/Changelog.md b/docs/Changelog.md index 5d781545..2f8674c8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,7 +1,7 @@ # Changelog This is the list of all noteworthy changes made in every public release of - the tool. See README for the general instruction manual. + the tool. See README.md for the general instruction manual. ## Staying informed @@ -9,7 +9,12 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to <afl-users+subscribe@googlegroups.com>. -### Version ++2.60d (develop): +### Version ++2.61d (develop): + + - ... + + +### Version ++2.61c (release): - use -march=native if available - most tools now check for mistyped environment variables 
@@ -17,6 +22,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - the memory safety checks are now disabled for a little more speed during fuzzing (only affects creating queue entries), can be toggled in config.h - afl-fuzz: + - MOpt out of bounds writing crash fixed - now prints the real python version support compiled in - set stronger performance compile options and little tweaks - Android: prefer bigcores when selecting a CPU @@ -28,13 +34,18 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - bugfix for dictionary insert stage count (fix via Google repo PR) - added warning if -M is used together with custom mutators with _ONLY option - AFL_TMPDIR checks are now later and better explained if they fail - - llvm_mode InsTrim: no pointless instrumentation of 1 block functions + - llvm_mode + - InsTrim: three bug fixes: + 1. (minor) no pointless instrumentation of 1 block functions + 2. (medium) path bug that leads a few blocks not instrumented that + should be + 3. (major) incorrect prev_loc was written, fixed! - afl-clang-fast: - show in the help output for which llvm version it was compiled for - now does not need to be recompiled between trace-pc and pass instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :) - LLVM 11 is supported - - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) + - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog.md) - afl-gcc, afl-clang-fast, afl-gcc-fast: - experimental support for undefined behaviour sanitizer UBSAN (set AFL_USE_UBSAN=1) 
@@ -178,7 +189,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - fix llvm_mode AFL_TRACE_PC with modern llvm - fix a crash in qemu_mode which also exists in stock afl - added libcompcov, a laf-intel implementation for qemu! :) - see qemu_mode/libcompcov/README.libcompcov + see qemu_mode/libcompcov/README.libcompcov.md - afl-fuzz now displays the selected core in the status screen (blue {#}) - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels @@ -187,8 +198,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc - added instrim, a much faster llvm_mode instrumentation at the cost of - path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim) - - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt + path discovery. See llvm_mode/README.instrim.md (https://github.com/csienslab/instrim) + - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt.md - added code to make it more portable to other platforms than Intel Linux - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1) 
@@ -218,11 +229,11 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. LLVM and Qemu modes are now faster. Important changes: afl-fuzz: -e EXTENSION commandline option - llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel) - a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.txt + llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md) + a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.md - Added the power schedules of AFLfast by Marcel Boehme, but set the default to the AFL schedule, not to the FAST schedule. So nothing changes unless - you use the new -p option :-) - see docs/power_schedules.txt + you use the new -p option :-) - see docs/power_schedules.md - added afl-system-config script to set all system performance options for fuzzing - llvm_mode works with llvm 3.9 up to including 8 ! - qemu_mode got upgraded from 2.1 to 3.1 - incorporated from @@ -465,7 +476,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - Added libtokencap, a simple feature to intercept strcmp / memcmp and generate dictionary entries that can help extend coverage. - - Moved libdislocator to its own dir, added README. + - Moved libdislocator to its own dir, added README.md. - The demo in examples/instrumented_cmp is no more. diff --git a/docs/QuickStartGuide.md b/docs/QuickStartGuide.md index f9e3b256..1e1d60b7 100644 --- a/docs/QuickStartGuide.md +++ b/docs/QuickStartGuide.md @@ -27,7 +27,7 @@ how to hit the ground running: 4) Get a small but valid input file that makes sense to the program. When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in - dictionaries/README.dictionaries, too. + dictionaries/README.md, too. 5) If the program reads from stdin, run 'afl-fuzz' like so: diff --git a/docs/env_variables.md b/docs/env_variables.md index c60821dc..9fc60187 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md 
@@ -2,7 +2,7 @@ This document discusses the environment variables used by American Fuzzy Lop++ to expose various exotic functions that may be (rarely) useful for power - users or for some types of custom fuzzing setups. See README for the general + users or for some types of custom fuzzing setups. See README.md for the general instruction manual. ## 1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md index a0d90659..0724e83c 100644 --- a/docs/life_pro_tips.md +++ b/docs/life_pro_tips.md @@ -62,7 +62,7 @@ Specify `AFL_HARDEN=1` in the environment to enable hardening flags. ## Bumping into problems with non-reproducible crashes? It happens, but usually -isn't hard to diagnose. See section #7 in README for tips. +isn't hard to diagnose. See section #7 in README.md for tips. ## Fuzzing is not just about memory corruption issues in the codebase. Add some @@ -87,4 +87,4 @@ use a postprocessor! See examples/post_library/ for more. ## Dealing with a very slow target or hoping for instant results? -Specify `-d` when calling afl-fuzz! \ No newline at end of file +Specify `-d` when calling afl-fuzz! diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index 9c49dc1f..feac49f9 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -1,7 +1,7 @@ # Notes for using ASAN with afl-fuzz This file discusses some of the caveats for fuzzing under ASAN, and suggests - a handful of alternatives. See README for the general instruction manual. + a handful of alternatives. See README.md for the general instruction manual. ## 1) Short version diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index 0a2863fe..8b39df04 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md 
@@ -1,7 +1,7 @@ # Tips for parallel fuzzing This document talks about synchronizing afl-fuzz jobs on a single machine - or across a fleet of systems. See README for the general instruction manual. + or across a fleet of systems. See README.md for the general instruction manual. ## 1) Introduction diff --git a/docs/perf_tips.md b/docs/perf_tips.md index 41d74447..fcd03db7 100644 --- a/docs/perf_tips.md +++ b/docs/perf_tips.md @@ -1,7 +1,7 @@ ## Tips for performance optimization This file provides tips for troubleshooting slow or wasteful fuzzing jobs. - See README for the general instruction manual. + See README.md for the general instruction manual. ## 1. Keep your test cases small @@ -221,4 +221,4 @@ early on, you can always resort to the `-d` mode. The mode causes `afl-fuzz` to skip all the deterministic fuzzing steps, which makes output a lot less neat and can ultimately make the testing a bit less in-depth, but it will give you an experience more familiar from other fuzzing -tools. \ No newline at end of file +tools. diff --git a/docs/sister_projects.md b/docs/sister_projects.md index ecc3b924..1625044c 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -1,7 +1,7 @@ # Sister projects This doc lists some of the projects that are inspired by, derived from, -designed for, or meant to integrate with AFL. See README for the general +designed for, or meant to integrate with AFL. See README.md for the general instruction manual. !!! @@ -252,7 +252,7 @@ https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters ### AFL JS (Han Choongwoo) One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely -superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm). +superseded by LLVM deferred forkserver init - see llvm_mode/README.md). https://github.com/tunz/afl-fuzz-js diff --git a/docs/status_screen.md b/docs/status_screen.md index 066c2c07..0bc636c4 100644 --- a/docs/status_screen.md 
+++ b/docs/status_screen.md @@ -1,7 +1,7 @@ # Understanding the status screen This document provides an overview of the status screen - plus tips for -troubleshooting any warnings and red text shown in the UI. See README for +troubleshooting any warnings and red text shown in the UI. See README.md for the general instruction manual. ## A note about colors diff --git a/docs/technical_details.md b/docs/technical_details.md index d53b30e3..996bf162 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md @@ -1,7 +1,7 @@ # Technical "whitepaper" for afl-fuzz This document provides a quick overview of the guts of American Fuzzy Lop. -See README for the general instruction manual; and for a discussion of +See README.md for the general instruction manual; and for a discussion of motivations and design goals behind AFL, see historical_notes.md. ## 0. Design statement @@ -542,4 +542,4 @@ It uses the following classification scheme: takes place. - "Magic value section" - a generic token where changes cause the type of binary behavior outlined earlier, but that doesn't meet any of the - other criteria. May be an atomically compared keyword or so. \ No newline at end of file + other criteria. May be an atomically compared keyword or so. diff --git a/examples/argv_fuzzing/Makefile b/examples/argv_fuzzing/Makefile index ab16be87..34192e39 100644 --- a/examples/argv_fuzzing/Makefile +++ b/examples/argv_fuzzing/Makefile 
@@ -24,18 +24,28 @@ ifneq "$(filter Linux GNU%,$(shell uname))" "" LDFLAGS += -ldl endif +# on gcc for arm there is no -m32, but -mbe32 +M32FLAG = -m32 +M64FLAG = -m64 +ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" + ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)")) + M32FLAG = -mbe32 + endif +endif + + all: argvfuzz32.so argvfuzz64.so argvfuzz32.so: argvfuzz.c - -$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)" + -$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)" argvfuzz64.so: argvfuzz.c - -$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@ + -$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz64 build failure (that's fine)" install: argvfuzz32.so argvfuzz64.so install -d -m 755 $(DESTDIR)$(HELPER_PATH)/ if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi - install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/ + if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi clean: rm -f argvfuzz32.so argvfuzz64.so diff --git a/examples/socket_fuzzing/Makefile b/examples/socket_fuzzing/Makefile index 0191ba53..ad921664 100644 --- a/examples/socket_fuzzing/Makefile +++ b/examples/socket_fuzzing/Makefile 
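Review bot: The `argvfuzz64.so` recipe now passes `$(M64FLAG)`, i.e. `-m64`, which the previous recipe did not; GCC for AArch64 (and for 32-bit ARM) rejects `-m64`, so on those hosts the 64-bit helper that used to build now fails, and the failure is hidden behind the newly added "that's fine" echo. The ARM special case only touches the 32-bit flag, and `-mbe32` is not an ARM `-m32`: it selects the big-endian BE32 image format and is documented as having no effect on little-endian images, so the 32-bit build works there only because the flag is a no-op, while the `$(findstring arm, …)` over the whole `gcc -v` output also matches any path or configure option containing "arm" and never matches aarch64. Detecting the target via `$(CC) -dumpmachine` (works for gcc and clang) and clearing the width flag where the compiler already emits native-width code is more direct; a sketch follows, the rules themselves are unchanged.

```make
# -m32/-m64 are x86 options. On 32-bit ARM gcc already emits 32-bit code
# (-mbe32 only selects the big-endian image format and is a no-op on
# little-endian targets); on AArch64 gcc already emits 64-bit code and
# rejects -m64. Leave the flag set where the build cannot work anyway
# (e.g. -m32 on AArch64), so the "that's fine" fallback reports it.
M32FLAG := -m32
M64FLAG := -m64
CC_TARGET := $(shell $(CC) -dumpmachine 2>/dev/null)
ifneq (,$(filter-out arm64%,$(filter arm%,$(CC_TARGET))))
  M32FLAG :=
endif
ifneq (,$(filter aarch64% arm64%,$(CC_TARGET)))
  M64FLAG :=
endif
# … unchanged: all / argvfuzz32.so / argvfuzz64.so / install / clean rules …
```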
@@ -22,18 +22,27 @@ ifneq "$(filter Linux GNU%,$(shell uname))" "" LDFLAGS += -ldl endif +# on gcc for arm there is no -m32, but -mbe32 +M32FLAG = -m32 +M64FLAG = -m64 +ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" + ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)")) + M32FLAG = -mbe32 + endif +endif + all: socketfuzz32.so socketfuzz64.so socketfuzz32.so: socketfuzz.c - -$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)" + -$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)" socketfuzz64.so: socketfuzz.c - -$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@ + -$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz64 build failure (that's fine)" install: socketfuzz32.so socketfuzz64.so install -d -m 755 $(DESTDIR)$(HELPER_PATH)/ if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi - install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/ + if [ -f socketfuzz64.so ]; then set -e; install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi clean: rm -f socketfuzz32.so socketfuzz64.so diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 2aee8f4a..28190f93 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -330,7 +330,7 @@ int main(int argc, char** argv, char** envp) { exit(1); - } else if (isatty(2) && !getenv("AFL_QUIET")) { + } else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"); diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index f77af5fa..9c08cec4 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc 
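Review bot: Adding `$(M64FLAG)` (`-m64`) to the `socketfuzz64.so` recipe breaks the 64-bit helper on AArch64, where GCC does not accept `-m64` and the old flag-less recipe built fine; the new `|| echo "… (that's fine)"` then masks the regression. The ARM branch also only adjusts the 32-bit flag, and `-mbe32` merely selects the big-endian image format (a documented no-op for little-endian images) rather than requesting 32-bit code, so the comment `# on gcc for arm there is no -m32, but -mbe32` is misleading and should say the flag is intentionally a no-op. The minimal fix for the 64-bit case is to clear the flag for 64-bit ARM targets, e.g. `ifneq (,$(filter aarch64% arm64%,$(shell $(CC) -dumpmachine 2>/dev/null)))` / `  M64FLAG =` / `endif`, mirroring whatever is done in examples/argv_fuzzing/Makefile so the two files stay identical.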
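Review bot: The new condition mixes two spellings of the same test, `!getenv("AFL_QUIET")` next to `getenv("AFL_DEBUG") != NULL`; one style is enough, e.g. `} else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG")) {`. The change also makes `AFL_DEBUG` override both `AFL_QUIET` and a non-tty stderr, which is reasonable but deserves a comment such as `/* AFL_DEBUG forces the banner even under AFL_QUIET or without a tty */`. main() starts and ends outside the hunk, and the identical edit in gcc_plugin/afl-gcc-pass.so.cc has the same two points.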
@@ -533,7 +533,7 @@ int plugin_init(struct plugin_name_args * plugin_info, } /* Show a banner */ - if (isatty(2) && !getenv("AFL_QUIET")) { + if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n")); diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 1831f935..356d0b6d 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -214,7 +214,7 @@ static void __afl_start_forkserver(void) { } -/* A simplified persistent mode handler, used as explained in README.llvm. */ +/* A simplified persistent mode handler, used as explained in README.md. */ int __afl_persistent_loop(unsigned int max_cnt) { diff --git a/include/afl-as.h b/include/afl-as.h index bd5e734a..de9fb646 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -261,6 +261,7 @@ static const u8* main_payload_32 = " je __afl_setup_abort\n" "\n" #endif + " movb $1, (%eax)\n" " /* Store the address of the SHM region. */\n" "\n" " movl %eax, __afl_area_ptr\n" @@ -563,6 +564,7 @@ static const u8* main_payload_64 = " je __afl_setup_abort\n" "\n" #endif + " movb $1, (%rax)\n" " /* Store the address of the SHM region. */\n" "\n" " movq %rax, %rdx\n" diff --git a/include/config.h b/include/config.h index 12e2d092..59a476c9 100644 --- a/include/config.h +++ b/include/config.h @@ -27,7 +27,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.60d" +#define VERSION "++2.61d" /****************************************************** * * diff --git a/include/envs.h b/include/envs.h index 4650dc54..8e6e3731 100644 --- a/include/envs.h +++ b/include/envs.h 
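Review bot: The inserted `" movb $1, (%eax)\n"` writes the first byte of the freshly mapped coverage area but nothing in the payload says why; the LLVM runtime does the same thing (`__afl_area_ptr[0] = 1` in llvm_mode/afl-llvm-rt.o.c, visible elsewhere in this commit), so the assembly should carry a matching explanation, e.g. `" /* Mark map byte 0 as hit, like __afl_area_ptr[0] = 1 in the LLVM runtime. */\n"`. The placement looks right as far as the hunk shows: it follows the `je __afl_setup_abort` failure check that precedes the `#endif`, so %eax still holds the mapped region, and `movb` clobbers no flags for the code that follows. The same comment belongs next to the `" movb $1, (%rax)\n"` added to main_payload_64.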
@@ -59,7 +59,7 @@ const char *afl_environment_variables[] = { "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", - "AFL_NO_X86", // not really an env but we dont want to warn on it + "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_PATH", "AFL_PERFORMANCE_FILE", "AFL_PERSISTENT", diff --git a/libdislocator/README.md b/libdislocator/README.md index 4a11c138..873d8806 100644 --- a/libdislocator/README.md +++ b/libdislocator/README.md @@ -1,6 +1,6 @@ # libdislocator, an abusive allocator - (See ../docs/README for the general instruction manual.) + (See ../docs/README.md for the general instruction manual.) This is a companion library that can be used as a drop-in replacement for the libc allocator in the fuzzed binaries. It improves the odds of bumping into diff --git a/libtokencap/README.md b/libtokencap/README.md index 8aae38bf..0a3591eb 100644 --- a/libtokencap/README.md +++ b/libtokencap/README.md @@ -1,6 +1,6 @@ # strcmp() / memcmp() token capture library - (See ../docs/README for the general instruction manual.) + (See ../docs/README.md for the general instruction manual.) This companion library allows you to instrument `strcmp()`, `memcmp()`, and related functions to automatically extract syntax tokens passed to any of diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 08d3f68f..390e0697 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -169,6 +169,7 @@ struct InsTrim : public ModulePass { ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); ConstantInt *One = ConstantInt::get(Int8Ty, 1); + ConstantInt *One32 = ConstantInt::get(Int32Ty, 1); u64 total_rs = 0; u64 total_hs = 0; 
@@ -382,19 +383,64 @@ struct InsTrim : public ModulePass { } - auto *EBB = &F.getEntryBlock(); - if (succ_begin(EBB) == succ_end(EBB)) { + // Bugfix #1: remove single block function instrumentation - MS.insert(EBB); - total_rs += 1; + for (BasicBlock &BB : F) { - } + if (MarkSetOpt && MS.find(&BB) == MS.end()) { - for (BasicBlock &BB : F) { + // Bugfix #2: instrument blocks that should be but InsTrim + // doesn't due to an algorithmic bug + int more_than_one = -1; + + for (pred_iterator PI = pred_begin(&BB), E = pred_end(&BB); PI != E; + ++PI) { + + BasicBlock *Pred = *PI; + int count = 0; + + if (more_than_one == -1) more_than_one = 0; + for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred); + SI != E; ++SI) { + + BasicBlock *Succ = *SI; + if (Succ != NULL) count++; + + } + + if (count > 1) more_than_one = 1; + + } + + if (more_than_one != 1) continue; + for (succ_iterator SI = succ_begin(&BB), E = succ_end(&BB); SI != E; + ++SI) { + + BasicBlock *Succ = *SI; + if (Succ != NULL && MS.find(Succ) == MS.end()) { + + int cnt = 0; + for (succ_iterator SI2 = succ_begin(Succ), E2 = succ_end(Succ); + SI2 != E2; ++SI2) { + + BasicBlock *Succ2 = *SI2; + if (Succ2 != NULL) cnt++; + + } - if (MS.find(&BB) == MS.end()) { continue; } - IRBuilder<> IRB(&*BB.getFirstInsertionPt()); - IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev); + if (cnt == 0) { + + // fprintf(stderr, "INSERT!\n"); + MS.insert(Succ); + total_rs += 1; + + } + + } + + } + + } } 
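Review bot: The Bugfix #2 block is hard to read for what it does: the `Succ != NULL` / `Succ2 != NULL` checks are dead (a succ_iterator never yields a null block), the hand-rolled successor counting duplicates `Pred->getTerminator()->getNumSuccessors()` and `succ_empty(Succ)`, the inner loop's `E = succ_end(Pred)` shadows the outer `E = pred_end(&BB)`, and the commented-out `// fprintf(stderr, "INSERT!\n");` is leftover debugging. The comment also only says InsTrim "doesn't" instrument these blocks; what the code actually tests is "BB was skipped, is entered through a conditional edge, and flows into a skipped exit block", and stating that is what makes the fix reviewable. A rewrite with the same behaviour follows; the closing of the enclosing loop is as in the hunk.

```cpp
      for (BasicBlock &BB : F) {

        if (MarkSetOpt && MS.find(&BB) == MS.end()) {

          // Bugfix #2: BB was skipped by InsTrim. If it is entered through a
          // conditional edge (a predecessor with more than one successor) and
          // flows into an exit block that was skipped too, that path leaves no
          // trace in the map, so mark the exit block for instrumentation.
          bool entered_via_branch = false;
          for (pred_iterator PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {

            if ((*PI)->getTerminator()->getNumSuccessors() > 1) {

              entered_via_branch = true;
              break;

            }

          }

          if (!entered_via_branch) continue;

          for (succ_iterator SI = succ_begin(&BB), SE = succ_end(&BB); SI != SE; ++SI) {

            BasicBlock *Succ = *SI;
            if (MS.find(Succ) == MS.end() && succ_empty(Succ)) {

              MS.insert(Succ);
              total_rs += 1;

            }

          }

        }

      }
```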
@@ -402,33 +448,24 @@ struct InsTrim : public ModulePass { for (BasicBlock &BB : F) { - auto PI = pred_begin(&BB); - auto PE = pred_end(&BB); if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; } IRBuilder<> IRB(&*BB.getFirstInsertionPt()); Value * L = NULL; - if (PI == PE) { - L = ConstantInt::get(Int32Ty, genLabel()); + auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin()); + DenseMap<BasicBlock *, unsigned> PredMap; + for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) { - } else { - - auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin()); - DenseMap<BasicBlock *, unsigned> PredMap; - for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) { - - BasicBlock *PBB = *PI; - auto It = PredMap.insert({PBB, genLabel()}); - unsigned Label = It.first->second; - PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB); - - } - - L = PN; + BasicBlock *PBB = *PI; + auto It = PredMap.insert({PBB, genLabel()}); + unsigned Label = It.first->second; + PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB); } + L = PN; + /* Load prev_loc */ LoadInst *PrevLoc = IRB.CreateLoad(OldPrev); PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); @@ -475,6 +512,11 @@ struct InsTrim : public ModulePass { IRB.CreateStore(Incr, MapPtrIdx) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + // Bugfix #3: save the actually location ID to OldPrev + Value *Shr = IRB.CreateLShr(L, One32); + IRB.CreateStore(Shr, OldPrev) + ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + total_instr++; } diff --git a/llvm_mode/README.md b/llvm_mode/README.md index ee6e51b5..e6c47c9c 100644 --- a/llvm_mode/README.md +++ b/llvm_mode/README.md 
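Review bot: Dropping the `PI == PE` branch means a block with no predecessors — the entry block, whenever it is in MS — now gets `PHINode::Create(Int32Ty, 0, "", &*BB.begin())` with no incoming values, and that empty PHI becomes `L`, is xor-ed with prev_loc and (in the following hunk) stored to OldPrev; LLVM expects one PHI entry per predecessor, so a zero-entry PHI is at best an undefined label and may not pass the verifier (whether the entry block can still land in MS after Bugfix #1 is not visible from this hunk). Keeping the constant path for that case costs one line: `if (pred_begin(&BB) == pred_end(&BB)) L = ConstantInt::get(Int32Ty, genLabel()); else { /* PHI over predecessors as now */ }`. The enclosing loop and runOnModule continue outside the hunk.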
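Review bot: The comment `// Bugfix #3: save the actually location ID to OldPrev` has a typo and does not say what is stored: `L` is the PHI over the incoming-edge labels, so OldPrev receives the label of the edge just taken, shifted right by one (presumably mirroring the classic AFL `prev_loc = cur_loc >> 1`). Suggest `// Bugfix #3: record this block's label (the PHI over incoming edges), >> 1 as in classic AFL, as prev_loc for the next edge`. Since the earlier loop that stored `genLabel()` into OldPrev for every marked block was removed in this commit, this store is now the only prev_loc update, and a sentence saying so would spare the next reader a search.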
@@ -2,7 +2,7 @@ (See [../README](../README.md) for the general instruction manual.) - (See [../gcc_plugin/README.gcc](../gcc_plugin/README.gcc.md) for the GCC-based instrumentation.) + (See [../gcc_plugin/README](../gcc_plugin/README.md) for the GCC-based instrumentation.) ## 1) Introduction diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 53852320..b3561cb2 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -129,7 +129,7 @@ static void __afl_map_shm(void) { __afl_area_ptr[0] = 1; } - + id_str = getenv(CMPLOG_SHM_ENV_VAR); if (id_str) { @@ -260,7 +260,7 @@ static void __afl_start_forkserver(void) { } -/* A simplified persistent mode handler, used as explained in README.llvm. */ +/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ int __afl_persistent_loop(unsigned int max_cnt) { @@ -346,7 +346,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard. It remains non-operational in the traditional, plugin-backed LLVM mode. - For more info about 'trace-pc-guard', see README.llvm. + For more info about 'trace-pc-guard', see llvm_mode/README.md. The first function (__sanitizer_cov_trace_pc_guard) is called back on every edge (as opposed to every basic block). */ diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 0759f4fb..71a3ada7 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -1,6 +1,6 @@ # High-performance binary-only instrumentation for afl-fuzz - (See ../docs/README for the general instruction manual.) + (See ../docs/README.md for the general instruction manual.) ## 1) Introduction 
@@ -60,7 +60,7 @@ binary on x86_64) use QEMU_LD_PREFIX.
 ## 3) Bonus feature #1: deferred initialization
-As for LLVM mode (refer to its README for mode details) QEMU mode supports
+As for LLVM mode (refer to its README.md for mode details) QEMU mode supports
 the deferred initialization.
 This can be enabled setting the environment variable AFL_ENTRYPOINT which allows
diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c
index ceb0a041..8e2c279b 100644
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@@ -15,7 +15,7 @@
 This Linux-only companion library allows you to instrument strcmp(), memcmp(), and related functions to get compare coverage.
- See README.compcov for more info.
+ See README.md for more info.
 */
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 9d74713d..f85f8caa 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -407,7 +407,7 @@ void afl_forkserver(CPUState *cpu) {
 }
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
 void afl_persistent_loop(void) {
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 6816f6c8..2f9b0550 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -798,9 +798,19 @@ static void usage(u8* argv0) {
 " -e - look for edge coverage only, ignore hit counts\n\n"
- "For additional tips, please consult %s/README.\n\n",
-
- argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
+ "For additional tips, please consult %s/README.md.\n\n"
+
+ "Environment variables used:\n"
+ "TMPDIR: directory to use for temporary input files\n"
+ "ASAN_OPTIONS: custom settings for ASAN\n"
+ " (must contain abort_on_error=1 and symbolize=0)\n"
+ "MSAN_OPTIONS: custom settings for MSAN\n"
+ " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
+ "AFL_PRELOAD: LD_PRELOAD settings for target\n"
+ "AFL_ANALYZE_HEX: print file offsets in hexadecimal instead of decimal\n"
+ "AFL_SKIP_BIN_CHECK: skip checking the location of and the target\n"
+
+ , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
 exit(1);
diff --git a/src/afl-as.c b/src/afl-as.c
index 72a27cd2..98bd3ff5 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -529,10 +529,10 @@ int main(int argc, char** argv) {
 "don't want to run this program directly.\n\n"
 "Rarely, when dealing with extremely complex projects, it may be "
- "advisable to\n"
- "set AFL_INST_RATIO to a value less than 100 in order to reduce the "
- "odds of\n"
- "instrumenting every discovered branch.\n\n"
+ "advisable\n"
+ "to set AFL_INST_RATIO to a value less than 100 in order to reduce "
+ "the\n"
+ "odds of instrumenting every discovered branch.\n\n"
 "Environment variables used:\n"
 "AFL_AS: path to assembler to use for instrumented files\n"
 "AFL_CC: fall back path to assembler\n"
diff --git a/src/afl-common.c b/src/afl-common.c
index fee520c9..0f8094be 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
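Review bot: The added help line `"AFL_SKIP_BIN_CHECK: skip checking the location of and the target\n"` is garbled ("the location of and the target") and does not say what is actually skipped; it should describe the check the variable disables, e.g. `"AFL_SKIP_BIN_CHECK: skip the check that the target is an AFL-instrumented binary\n"` — confirm against the getenv() site, which is outside this hunk. The argument list `, argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);` with a leading comma after a blank line is unusual for this code base; ending the last string line with the comma and starting the next line with `argv0` matches the surrounding style. The afl-tmin usage() hunk further down has the same leading-comma layout. usage() starts before and ends after this hunk.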
@@ -112,7 +112,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
 u8 * tmp, *cp, *rsl, *own_copy;
- memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
+ memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc);
 new_argv[2] = target_path;
 new_argv[1] = "--";
@@ -163,7 +163,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 SAYF("\n" cLRD "[-] " cRST
 "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
 "built\n"
- " separately by following the instructions in qemu_mode/README.qemu. "
+ " separately by following the instructions in qemu_mode/README.md. "
 "If you\n"
 " already have the binary installed, you may need to specify "
 "AFL_PATH in the\n"
@@ -187,7 +187,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
 char** new_argv = ck_alloc(sizeof(char*) * (argc + 3));
 u8 * tmp, *cp, *rsl, *own_copy;
- memcpy(new_argv + 2, argv + 1, sizeof(char*) * argc);
+ memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc);
 new_argv[1] = target_path;
@@ -259,7 +259,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
 SAYF("\n" cLRD "[-] " cRST
 "Oops, unable to find the '%s' binary. The binary must be "
 "built\n"
- " separately by following the instructions in qemu_mode/README.qemu. "
+ " separately by following the instructions in qemu_mode/README.md. "
 "If you\n"
 " already have the binary installed, you may need to specify "
 "AFL_PATH in the\n"
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 93ecfe99..1858fabd 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
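Review bot: `(int)(sizeof(char*)) * argc` narrows the size_t to int, multiplies in signed arithmetic, and then widens the result back to size_t for memcpy's length parameter; if the purpose was to quiet a sign-conversion warning on `argc`, the cast belongs on the int operand instead: `memcpy(new_argv + 3, argv + 1, sizeof(char*) * (size_t)argc);`. The get_wine_argv hunk below (`new_argv + 2`) has the same change and should get the same treatment. Since the copy takes argc entries starting at argv + 1, it appears intended to carry over argv[argc] (the NULL terminator) too; a one-line comment such as `/* copy argv[1..argc], i.e. including the terminating NULL */` would spare the next reader recounting this against the `argc + 4` allocation. Both functions start before and end after their hunks.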
@@ -1980,11 +1980,11 @@ void check_binary(u8* fname) {
 "while\n"
 " mutating the input data. For more information, and for tips on "
 "how to\n"
- " instrument binaries, please see %s/README.\n\n"
+ " instrument binaries, please see %s/README.md.\n\n"
 " When source code is not available, you may be able to leverage "
 "QEMU\n"
- " mode support. Consult the README for tips on how to enable this.\n"
+ " mode support. Consult the README.md for tips on how to enable this.\n"
 " (It is also possible to use afl-fuzz as a traditional, \"dumb\" "
 "fuzzer.\n"
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 0ddeeb8a..f1efe2df 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -3714,7 +3714,7 @@ pacemaker_fuzzing:
 case 1:
 if (temp_len < 2) break;
- temp_len_puppet = UR((temp_len << 3) -1);
+ temp_len_puppet = UR((temp_len << 3) - 1);
 FLIP_BIT(out_buf, temp_len_puppet);
 FLIP_BIT(out_buf, temp_len_puppet + 1);
 MOpt_globals.cycles_v2[STAGE_FLIP2] += 1;
@@ -3722,7 +3722,7 @@ pacemaker_fuzzing:
 case 2:
 if (temp_len < 2) break;
- temp_len_puppet = UR((temp_len << 3) -3);
+ temp_len_puppet = UR((temp_len << 3) - 3);
 FLIP_BIT(out_buf, temp_len_puppet);
 FLIP_BIT(out_buf, temp_len_puppet + 1);
 FLIP_BIT(out_buf, temp_len_puppet + 2);
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 6cb229e3..19fc51f0 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -243,7 +243,7 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 if (SHAPE_BYTES(h->shape) == 8) {
- if (its_len >= 8 && *buf_64 == pattern) {// && *o_buf_64 == pattern) {
+ if (its_len >= 8 && *buf_64 == pattern) { // && *o_buf_64 == pattern) {
 *buf_64 = repl;
 if (unlikely(its_fuzz(buf, len, status))) return 1;
@@ -261,7 +261,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 if (SHAPE_BYTES(h->shape) == 4 || *status == 2) {
- if (its_len >= 4 && *buf_32 == (u32)pattern) {// && *o_buf_32 == (u32)pattern) {
+ if (its_len >= 4 &&
+ *buf_32 == (u32)pattern) { // && *o_buf_32 == (u32)pattern) {
 *buf_32 = (u32)repl;
 if (unlikely(its_fuzz(buf, len, status))) return 1;
@@ -279,7 +280,8 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 if (SHAPE_BYTES(h->shape) == 2 || *status == 2) {
- if (its_len >= 2 && *buf_16 == (u16)pattern) {// && *o_buf_16 == (u16)pattern) {
+ if (its_len >= 2 &&
+ *buf_16 == (u16)pattern) { // && *o_buf_16 == (u16)pattern) {
 *buf_16 = (u16)repl;
 if (unlikely(its_fuzz(buf, len, status))) return 1;
@@ -531,7 +533,7 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
 stage_max += MIN(cmp_map->headers[k].hits, CMP_MAP_RTN_H);
 }
-
+
 for (k = 0; k < CMP_MAP_W; ++k) {
 if (!cmp_map->headers[k].hits) continue;
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 5fa737d7..cc895f74 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -112,7 +112,7 @@ static void usage(u8* argv0) {
 "entering the\n"
 " pacemaker mode (minutes of no new paths, 0 = "
 "immediately).\n"
- " a recommended value is 10-60. see docs/README.MOpt\n"
+ " a recommended value is 10-60. see docs/README.MOpt.md\n"
 " -c program - enable CmpLog by specifying a binary compiled for "
 "it.\n"
 " if using QEMU, just use -c 0.\n\n"
@@ -121,7 +121,7 @@ static void usage(u8* argv0) {
 " -N - do not unlink the fuzzing input file\n"
 " -d - quick & dirty mode (skips deterministic steps)\n"
 " -n - fuzz without instrumentation (dumb mode)\n"
- " -x dir - optional fuzzer dictionary (see README, its really "
+ " -x dir - optional fuzzer dictionary (see README.md, its really "
 "good!)\n\n"
 "Testing settings:\n"
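Review bot: The rewritten `-x dir` help line in the afl-fuzz usage() hunk keeps the typo "its really good" while touching that very string; since the line is being edited anyway it should read `" -x dir - optional fuzzer dictionary (see README.md, it's really "`. usage() starts before and ends after this hunk.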
@@ -1087,7 +1087,7 @@ stop_fuzzing:
 SAYF("\n" cYEL "[!] " cRST
 "Stopped during the first cycle, results may be incomplete.\n"
- " (For info on resuming, see %s/README)\n",
+ " (For info on resuming, see %s/README.md)\n",
 doc_path);
 }
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 5ea164f8..2f6a263f 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -647,7 +647,7 @@ static void usage(u8* argv0) {
 " -c - allow core dumps\n\n"
 "This tool displays raw tuple data captured by AFL instrumentation.\n"
- "For additional help, consult %s/README.\n\n" cRST,
+ "For additional help, consult %s/README.md.\n\n" cRST,
 argv0, MEM_LIMIT, doc_path);
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index d1e87be1..1b05a6c2 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -977,9 +977,18 @@ static void usage(u8* argv0) {
 " -e - solve for edge coverage only, ignore hit counts\n"
 " -x - treat non-zero exit codes as crashes\n\n"
- "For additional tips, please consult %s/README.\n\n",
-
- argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
+ "For additional tips, please consult %s/README.md.\n\n"
+
+ "Environment variables used:\n"
+ "TMPDIR: directory to use for temporary input files\n"
+ "ASAN_OPTIONS: custom settings for ASAN\n"
+ " (must contain abort_on_error=1 and symbolize=0)\n"
+ "MSAN_OPTIONS: custom settings for MSAN\n"
+ " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
+ "AFL_PRELOAD: LD_PRELOAD settings for target\n"
+ "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n"
+
+ , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
 exit(1);
diff --git a/test/test.sh b/test/test.sh
index d5ba59da..0d68413d 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -120,7 +120,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
 }
 rm -f test-instr.plain.0 test-instr.plain.1
 TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
- test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && {
+ test "$TUPLES" -gt 3 -a "$TUPLES" -lt 8 && {
 $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
 } || {
 $ECHO "$RED[!] ${AFL_GCC} produces weird instrumentation numbers: $TUPLES" |
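Review bot: The accepted tuple-count window `-gt 3 ... -lt 8` is unexplained, and widening the upper bound from 7 to 8 with no comment means the next person who sees a different count will just widen it again; a comment above the test stating what the range is checking would make the intent reviewable, e.g. `# test-instr.plain should report <EXPECTED_COUNT> instrumented locations; the range allows for compiler differences` (placeholder — fill in the number the test was calibrated against). Separately, `test A -a B` is marked obsolescent by POSIX, so the portable spelling is `test "$TUPLES" -gt 3 && test "$TUPLES" -lt 8 && {`. An empty TUPLES (showmap failed, or grep matched nothing) makes `test` exit non-zero with an "integer expression expected" diagnostic, which still lands in the failure branch, so that case is covered as written.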