-rw-r--r--CITATION.cff4
-rw-r--r--GNUmakefile2
-rwxr-xr-xafl-cmin2
-rw-r--r--custom_mutators/symcc/README.md5
-rw-r--r--docs/INSTALL.md4
-rw-r--r--frida_mode/src/instrument/instrument_arm64.c4
-rw-r--r--frida_mode/src/instrument/instrument_x64.c3
-rw-r--r--include/debug.h47
-rw-r--r--instrumentation/afl-gcc-pass.so.cc4
-rw-r--r--src/afl-cc.c21
-rw-r--r--src/afl-fuzz.c2
-rw-r--r--utils/libdislocator/Makefile3
-rw-r--r--utils/libdislocator/README.md5
-rw-r--r--utils/libdislocator/libdislocator.so.c19
14 files changed, 87 insertions, 38 deletions
diff --git a/CITATION.cff b/CITATION.cff
index efd6cad8..45658ac2 100644
--- a/CITATION.cff
+++ b/CITATION.cff
@@ -14,9 +14,9 @@ authors:
     family-names: Meier
     email: mail@dmnk.co
 title: "AFL++"
-version: 3.14
+version: 4.00c
 type: software
-date-released: 2021-07-19
+date-released: 2022-01-26
 url: "https://github.com/AFLplusplus/AFLplusplus"
 keywords:
   - fuzzing
diff --git a/GNUmakefile b/GNUmakefile
index ec81cbac..8b09c51a 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -145,7 +145,7 @@ else
   CFLAGS ?= -O2 $(CFLAGS_OPT) # -funroll-loops is slower on modern compilers
 endif
 
-override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \
+override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith \
 			-fPIC -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \
 			-DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\"
 # -fstack-protector
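Review bot: Replacing `-Wpointer-arith` with `-Wno-pointer-arith` silences, tree-wide, the warning for arithmetic on `void *` and function pointers, which is a GNU extension rather than standard C. It looks like this was done for the `(buf) + _off` in the rewritten ck_write in include/debug.h of this same commit (inferred); a cast at that site, `(const char *)(buf) + _off`, would keep the warning enabled for everything else. If the global switch is intentional, a comment on the line saying why, e.g. `# -Wno-pointer-arith: void* offset arithmetic in ck_write/ck_read`, would help the next reader.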
diff --git a/afl-cmin b/afl-cmin
index 879aead2..853c9398 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -217,7 +217,7 @@ BEGIN {
   for (; Optind < ARGC; Optind++) {
     prog_args[i++] = ARGV[Optind]
     if (i > 1)
-      prog_args_string = prog_args_string" "ARGV[Optind]
+      prog_args_string = prog_args_string" '"ARGV[Optind]"'"
   }
 
   # sanity checks
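Review bot: The single quotes now wrapped around each target argument do not escape a single quote inside the argument, so an argument containing `'` breaks the quoting of `prog_args_string` and whatever later consumes it (if that is a shell line, a crafted argument can inject into it). Escape the quote before wrapping: `a = ARGV[Optind]; gsub(/'/, "'\\''", a); prog_args_string = prog_args_string" '"a"'"`. The consumer of `prog_args_string` and the enclosing `BEGIN` block are outside this hunk, so whether it reaches a shell has to be confirmed there.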
diff --git a/custom_mutators/symcc/README.md b/custom_mutators/symcc/README.md
index 337362ae..364a348e 100644
--- a/custom_mutators/symcc/README.md
+++ b/custom_mutators/symcc/README.md
@@ -1,6 +1,9 @@
 # custum mutator: symcc
 
-This uses the excellent symcc to find new paths into the target.
+This uses the symcc to find new paths into the target.
+
+Note that this is a just a proof of concept example! It is better to use
+the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this.
 
 To use this custom mutator follow the steps in the symcc repository 
 [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) 
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 348b681e..01343b7f 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -21,8 +21,8 @@ is to build and install everything:
 ```shell
 sudo apt-get update
 sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
-# try to install llvm 11 and install the distro default if that fails
-sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang
+# try to install llvm 12 and install the distro default if that fails
+sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang
 sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
 sudo apt-get install -y ninja-build # for QEMU mode
 git clone https://github.com/AFLplusplus/AFLplusplus
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index e6251cb4..2bc8f8aa 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -18,8 +18,8 @@
 
 #if defined(__aarch64__)
 
-gboolean instrument_cache_enabled = FALSE;
-gsize    instrument_cache_size = 0;
+gboolean           instrument_cache_enabled = FALSE;
+gsize              instrument_cache_size = 0;
 static GHashTable *coverage_blocks = NULL;
 
 __attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE];
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index d54c8353..f02c971e 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn *   instr,
                                   GumStalkerOutput *output) {
 
   GumX86Writer *cw = output->writer.x86;
-  /* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */
+  /* guint64 area_offset =
+   * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */
   if (instrument_previous_pc_addr == NULL) {
 
     GumAddressSpec spec = {.near_address = cw->code,
diff --git a/include/debug.h b/include/debug.h
index 31ebd0f2..e2ee16a8 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -355,20 +355,39 @@ static inline const char *colorfilter(const char *x) {
 /* Error-checking versions of read() and write() that call RPFATAL() as
    appropriate. */
 
-#define ck_write(fd, buf, len, fn)                                        \
-  do {                                                                    \
-                                                                          \
-    int _fd = (fd);                                                       \
-                                                                          \
-    s32 _len = (s32)(len);                                                \
-    s32 _res = write(_fd, (buf), _len);                                   \
-    if (_res != _len) {                                                   \
-                                                                          \
-      RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
-              _res, _len);                                                \
-                                                                          \
-    }                                                                     \
-                                                                          \
+#define ck_write(fd, buf, len, fn)                                            \
+  do {                                                                        \
+                                                                              \
+    if (len <= 0) break;                                                      \
+    int _fd = (fd);                                                           \
+    s32 _written = 0, _off = 0, _len = (s32)(len);                            \
+                                                                              \
+    do {                                                                      \
+                                                                              \
+      s32 _res = write(_fd, (buf) + _off, _len);                              \
+      if (_res != _len && (_res > 0 && _written + _res != _len)) {            \
+                                                                              \
+        if (_res > 0) {                                                       \
+                                                                              \
+          _written += _res;                                                   \
+          _len -= _res;                                                       \
+          _off += _res;                                                       \
+                                                                              \
+        } else {                                                              \
+                                                                              \
+          RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
+                  _res, _len);                                                \
+                                                                              \
+        }                                                                     \
+                                                                              \
+      } else {                                                                \
+                                                                              \
+        break;                                                                \
+                                                                              \
+      }                                                                       \
+                                                                              \
+    } while (1);                                                              \
+                                                                              \
   } while (0)
 
 #define ck_read(fd, buf, len, fn)                              \
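Review bot: The error branch in the new ck_write is unreachable: the condition `_res != _len && (_res > 0 && _written + _res != _len)` is false whenever `_res <= 0`, so a failed write() (-1) or a zero-byte write falls into the `else { break; }` and returns silently instead of reaching RPFATAL — the macro no longer reports write errors at all. The third clause is also wrong once `_len` has been reduced to the remaining count: with 10 bytes, a first write of 4 and a second of 2, `_written + _res == _len` (4+2 == 6) holds and the loop breaks with 4 bytes unwritten. `len` is additionally expanded twice without parentheses, and the fatal message reports the remaining `_len` rather than the total. A plain offset loop that aborts on any `_res <= 0` fixes all of these; the `(const char *)` cast keeps the offset arithmetic valid when `buf` is a `void *`.
```c
#define ck_write(fd, buf, len, fn)                                            \
  do {                                                                        \
                                                                              \
    if ((len) <= 0) break;                                                    \
    int _fd = (fd);                                                           \
    s32 _len = (s32)(len), _off = 0;                                          \
                                                                              \
    /* Keep writing until every byte is out; any error or zero-length        \
       write is fatal, as in the original single-shot version. */             \
    while (_off < _len) {                                                     \
                                                                              \
      s32 _res = write(_fd, (const char *)(buf) + _off, _len - _off);         \
      if (_res <= 0) {                                                        \
                                                                              \
        RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd,   \
                _off, _len);                                                  \
                                                                              \
      }                                                                       \
                                                                              \
      _off += _res;                                                           \
                                                                              \
    }                                                                         \
                                                                              \
  } while (0)
```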
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index 734fa170..bb5483fc 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -714,9 +714,11 @@ struct afl_pass : gimple_opt_pass {
 
   }
 
+  /* Returns the source file name attached to the function declaration F. If
+     there is no source location information, returns an empty string.  */
   std::string getSourceName(function *F) {
 
-    return DECL_SOURCE_FILE(F->decl);
+    return DECL_SOURCE_FILE(F->decl) ? DECL_SOURCE_FILE(F->decl) : "";
 
   }
 
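Review bot: `DECL_SOURCE_FILE(F->decl)` is expanded twice in the new return statement; binding it once reads better and avoids evaluating the macro twice: `const char *name = DECL_SOURCE_FILE(F->decl); return name ? name : "";`. The added comment is good; it may be worth extending it to say that callers must treat an empty string as "no location" rather than as a path, since an empty name could otherwise be matched against file allow/deny lists (the callers are outside this hunk, so this is inferred).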
diff --git a/src/afl-cc.c b/src/afl-cc.c
index ffdda386..e8643bf8 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -58,6 +58,7 @@ static u8   debug;
 static u8   cwd[4096];
 static u8   cmplog_mode;
 u8          use_stdin;                                             /* dummy */
+static int  passthrough;
 // static u8 *march_opt = CFLAGS_OPT;
 
 enum {
@@ -315,7 +316,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, shared_linking = 0,
      preprocessor_only = 0, have_unroll = 0, have_o = 0, have_pic = 0,
-     have_c = 0, partial_linking = 0, wasm_linking = 0;
+     have_c = 0, partial_linking = 0;
 
   cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
 
@@ -826,7 +827,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     if (!strcmp(cur, "-E")) preprocessor_only = 1;
     if (!strcmp(cur, "-shared")) shared_linking = 1;
     if (!strcmp(cur, "-dynamiclib")) shared_linking = 1;
-    if (!strcmp(cur, "--target=wasm32-wasi")) wasm_linking = 1;
+    if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1;
     if (!strcmp(cur, "-Wl,-r")) partial_linking = 1;
     if (!strcmp(cur, "-Wl,-i")) partial_linking = 1;
     if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1;
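Review bot: The new passthrough trigger matches only the exact spelling `--target=wasm32-wasi`; `-target wasm32-wasi`, the two-argument `--target wasm32-wasi`, or another wasm32 triple such as `wasm32-unknown-wasi` do not set `passthrough` and presumably still get afl-compiler-rt.o linked further down (the rest of edit_params is outside this hunk). A prefix match, `if (!strncmp(cur, "--target=wasm32", 15)) passthrough = 1;`, plus a check of the next argument for the two-argument forms, would cover the common spellings. A one-line comment stating why wasm forces passthrough, e.g. `/* no AFL runtime exists for wasm32 targets: hand the command line to the compiler untouched */`, would also help, since the old `wasm_linking` name carried that hint and `passthrough` does not.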
@@ -845,7 +846,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   // e.g. compiled download or compiled from github then its ./lib directory
   // might not be in the search path. Add it if so.
   u8 *libdir = strdup(LLVM_LIBDIR);
-  if (plusplus_mode && !wasm_linking && strlen(libdir) &&
+  if (plusplus_mode && strlen(libdir) &&
       strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) {
 
     cc_params[cc_par_cnt++] = "-rpath";
@@ -1034,7 +1035,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   cc_params[cc_par_cnt++] =
       "-D__AFL_LOOP(_A)="
-      "({ static volatile char *_B __attribute__((used)); "
+      "({ static volatile char *_B __attribute__((used,unused)); "
       " _B = (char*)\"" PERSIST_SIG
       "\"; "
 #ifdef __APPLE__
@@ -1048,7 +1049,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   cc_params[cc_par_cnt++] =
       "-D__AFL_INIT()="
-      "do { static volatile char *_A __attribute__((used)); "
+      "do { static volatile char *_A __attribute__((used,unused)); "
       " _A = (char*)\"" DEFER_SIG
       "\"; "
 #ifdef __APPLE__
@@ -1093,7 +1094,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     switch (bit_mode) {
 
       case 0:
-        if (!shared_linking && !partial_linking && !wasm_linking)
+        if (!shared_linking && !partial_linking)
           cc_params[cc_par_cnt++] =
               alloc_printf("%s/afl-compiler-rt.o", obj_path);
         if (lto_mode)
@@ -1102,7 +1103,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
         break;
 
       case 32:
-        if (!shared_linking && !partial_linking && !wasm_linking) {
+        if (!shared_linking && !partial_linking) {
 
           cc_params[cc_par_cnt++] =
               alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
@@ -1123,7 +1124,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
         break;
 
       case 64:
-        if (!shared_linking && !partial_linking && !wasm_linking) {
+        if (!shared_linking && !partial_linking) {
 
           cc_params[cc_par_cnt++] =
               alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
@@ -1146,7 +1147,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     }
 
   #if !defined(__APPLE__) && !defined(__sun)
-    if (!shared_linking && !partial_linking && !wasm_linking)
+    if (!shared_linking && !partial_linking)
       cc_params[cc_par_cnt++] =
           alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
   #endif
@@ -1179,7 +1180,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
 int main(int argc, char **argv, char **envp) {
 
-  int   i, passthrough = 0;
+  int   i;
   char *callname = argv[0], *ptr = NULL;
 
   if (getenv("AFL_DEBUG")) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 92243fbb..c5ab364a 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
   }
 
-  OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length,
+  OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length,
       afl->max_length);
   u32 min_alloc = MAX(64U, afl->min_length);
   afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc);
diff --git a/utils/libdislocator/Makefile b/utils/libdislocator/Makefile
index f0b4bb72..6bfb79ec 100644
--- a/utils/libdislocator/Makefile
+++ b/utils/libdislocator/Makefile
@@ -19,9 +19,10 @@ HELPER_PATH  = $(PREFIX)/lib/afl
 VERSION     = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2)
 
 CFLAGS      ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2
-override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
+CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign
 
 CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE)
+CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE)
 CFLAGS += $(CFLAGS_ADD)
 
 all: libdislocator.so
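Review bot: Dropping `override` from the `CFLAGS +=` line means a `CFLAGS=...` given on the make command line now silently discards `-I ../../include/` (and `-Wall -g -Wno-pointer-sign`), because command-line variables take precedence over ordinary makefile assignments; libdislocator.so.c includes "config.h" from that directory, so such a build fails. If the motivation was that the later plain `CFLAGS += $(CFLAGS_ADD)` was being ignored after an `override` assignment (presumably why `USEHUGEPAGE`/`USENAMEDPAGE` did not take effect), the fix is to mark both lines: `override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` and `override CFLAGS += $(CFLAGS_ADD)`; the `CFLAGS ?=` default still applies.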
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index 68ac9143..e4934b5d 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -29,6 +29,9 @@ heap-related security bugs in several ways:
   - Optionally, in platforms supporting it, huge pages can be used by passing
     `USEHUGEPAGE=1` to make.
 
+  - Optionally, in platforms supporting it, `named` pages can be used by passing
+    `USENAMEDPAGE=1` to make.
+
   - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In
     this case, a tail canary is inserted in the padding bytes at the end of the
     allocated zone. This reduce the ability of libdislocator to detect
@@ -64,4 +67,4 @@ require AFL-instrumented binaries to work.
 Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or
 DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
 dynamically linked. Otherwise, attempting to use the library will have no
-effect.
\ No newline at end of file
+effect.
diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c
index 103da9d5..bd08a678 100644
--- a/utils/libdislocator/libdislocator.so.c
+++ b/utils/libdislocator/libdislocator.so.c
@@ -39,6 +39,7 @@
 
 #if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__)
   #include <unistd.h>
+  #include <sys/prctl.h>
   #ifdef __linux__
     #include <sys/syscall.h>
     #include <malloc.h>
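Review bot: `<sys/prctl.h>` is added inside the `(__linux__ && !__ANDROID__) || __HAIKU__` block but above the `#ifdef __linux__` that guards `<sys/syscall.h>`, so Haiku builds now pull in a Linux-specific header that Haiku may not ship. Moving it one line down, under `#ifdef __linux__` next to `<sys/syscall.h>`, keeps it Linux-only, which is the only place the prctl() call that needs it is compiled.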
@@ -66,6 +67,10 @@
       } while (0)
 
   #endif
+  #ifndef PR_SET_VMA
+    #define PR_SET_VMA 0x53564d41
+    #define PR_SET_VMA_ANON_NAME 0
+  #endif
 #endif
 
 #include "config.h"
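Review bot: The fallback values for `PR_SET_VMA` and `PR_SET_VMA_ANON_NAME` are bare magic numbers with no indication of where they come from or why they are needed; a comment such as `/* PR_SET_VMA ('SVMA') and PR_SET_VMA_ANON_NAME as in the kernel uapi; defined here for libcs whose <sys/prctl.h> predates them */` would let a reader verify them against the kernel header rather than trust them. Note also that this fallback sits in the `!__ANDROID__` branch, so it is unavailable to the prctl() call later in this diff when building for Android.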
@@ -251,6 +256,20 @@ static void *__dislocator_alloc(size_t len) {
 
   }
 
+#if defined(USENAMEDPAGE)
+  #if defined(__linux__)
+  // in the /proc/<pid>/maps file, the anonymous page appears as
+  // `<start>-<end> ---p 00000000 00:00 0 [anon:libdislocator]`
+  if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen,
+            (unsigned long)"libdislocator") < 0) {
+
+    DEBUGF("prctl() failed");
+
+  }
+
+  #endif
+#endif
+
   /* Set PROT_NONE on the last page. */
 
   if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
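Review bot: The prctl() call is gated on `__linux__` alone, while the `<sys/prctl.h>` include and the `PR_SET_VMA` fallback defines earlier in this diff are gated on `__linux__ && !__ANDROID__`, so a `USENAMEDPAGE=1` build for Android compiles this call with no declaration of `prctl` and no `PR_SET_VMA` macro; align the guards, e.g. `#if defined(__linux__) && !defined(__ANDROID__)` here, or move the include and defines under the plain `#ifdef __linux__`. The debug message would be more useful with the reason, since the kernel rejects the request both when the feature is unsupported and when the range is not a single anonymous mapping: `DEBUGF("prctl(PR_SET_VMA_ANON_NAME) failed: %s", strerror(errno));`, assuming errno.h/string.h are already included (the include block is outside this hunk). The comment's `---p` example only matches the PROT_NONE guard page set below; the data pages are presumably mapped writable, so `rw-p` is what a reader will actually see for them (inferred, the mmap and `ret`/`tlen` are outside the hunk).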