-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | TODO.md | 2 | ||||
-rw-r--r-- | docs/Changelog.md | 10 | ||||
-rw-r--r-- | docs/FAQ.md | 51 | ||||
-rw-r--r-- | docs/custom_mutators.md | 15 | ||||
-rw-r--r-- | include/config.h | 2 | ||||
-rw-r--r-- | instrumentation/afl-gcc-cmptrs-pass.so.cc | 5 | ||||
-rw-r--r-- | test/test-cmplog.c | 6 | ||||
-rwxr-xr-x | test/test-frida-mode.sh | 2 | ||||
-rwxr-xr-x | test/test-llvm.sh | 4 | ||||
-rwxr-xr-x | test/test-qemu-mode.sh | 2 |
11 files changed, 84 insertions, 19 deletions
diff --git a/README.md b/README.md index 0208a9fe..05c662c1 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250"> -Release version: [4.06c](https://github.com/AFLplusplus/AFLplusplus/releases) +Release version: [4.07c](https://github.com/AFLplusplus/AFLplusplus/releases) -GitHub version: 4.07a +GitHub version: 4.08a Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) diff --git a/TODO.md b/TODO.md index 2b7e8fcf..26e12cee 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,8 @@ ## Should + - afl-crash-analysis + - show in the UI when fuzzing is "done" - test cmplog for less than 16bit - support persistent and deferred fork server in afl-showmap? - better autodetection of shifting runtime timeout values diff --git a/docs/Changelog.md b/docs/Changelog.md index facf2196..98d59527 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -3,7 +3,14 @@ This is the list of all noteworthy changes made in every public release of the tool. See README.md for the general instruction manual. -### Version ++4.07a (dev) +### Version ++4.08a (dev) + - new mutation engine: mutations that favor discovery more paths are prefered + until no new finds for 10 minutes then switching to mutations that favor + triggering crashes. Modes and switch time can be configured wie `-P`. + - display the state of the fuzzing run in the UI :-) + + +### Version ++4.07c (release) - afl-fuzz: - reverse reading the seeds only on restarts (increases performance) - new env `AFL_POST_PROCESS_KEEP_ORIGINAL` to keep the orignal 
@@ -18,6 +25,7 @@ - rewrote our PCGUARD pass to be compatible with LLVM 15+ shenanigans, requires LLVM 13+ now instead of 10.0.1+ - fallback to native LLVM PCGUARD if our PCGUARD is unavailable + - fixed a crash in GCC CMPLOG - afl-showmap: - added custom mutator post_process and send support - add `-I filelist` option, an alternative to `-i in_dir` diff --git a/docs/FAQ.md b/docs/FAQ.md index 8178db46..9275eb94 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -279,3 +279,54 @@ If you find an interesting or important question missing, submit it via Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`. </p></details> + +<details> + <summary id="linker-errors">Linker errors.</summary><p> + + If you compile C++ harnesses and see `undefined reference` errors for + variables named `__afl_...`, e.g.: + + ``` + /usr/bin/ld: /tmp/test-d3085f.o: in function `foo::test()': + test.cpp:(.text._ZN3fooL4testEv[_ZN3fooL4testEv]+0x35): undefined reference to `foo::__afl_connected' + clang: error: linker command failed with exit code 1 (use -v to see invocation) + ``` + + Then you use AFL++ macros like `__AFL_LOOP` within a namespace and this + will not work. + + Solution: Move that harness portion to the global namespace, e.g. before: + ``` + #include <cstdio> + namespace foo { + static void test() { + while(__AFL_LOOP(1000)) { + foo::function(); + } + } + } + + int main(int argc, char** argv) { + foo::test(); + return 0; + } + ``` + after: + ``` + #include <cstdio> + static void mytest() { + while(__AFL_LOOP(1000)) { + foo::function(); + } + } + namespace foo { + static void test() { + mytest(); + } + } + int main(int argc, char** argv) { + foo::test(); + return 0; + } + ``` +</p></details> diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 3f7e9e6e..c5a64622 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
@@ -145,12 +145,15 @@ def deinit(): # optional for Python - `fuzz` (optional): - This method performs custom mutations on a given input. It also accepts an - additional test case. Note that this function is optional - but it makes - sense to use it. You would only skip this if `post_process` is used to fix - checksums etc. so if you are using it, e.g., as a post processing library. - Note that a length > 0 *must* be returned! - The returned output buffer is under **your** memory management! + This method performs your custom mutations on a given input. + The add_buf is the contents of another queue item that can be used for + splicing - or anything else - and can also be ignored. If you are not + using this additional data then define `splice_optout` (see above). + This function is optional. + Returing a length of 0 is valid and is interpreted as skipping this + one mutation result. + For non-Python: the returned output buffer is under **your** memory + management! - `describe` (optional): diff --git a/include/config.h b/include/config.h index 09d8620d..5100d88f 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++4.07a" +#define VERSION "++4.08a" /****************************************************** * * diff --git a/instrumentation/afl-gcc-cmptrs-pass.so.cc b/instrumentation/afl-gcc-cmptrs-pass.so.cc index dbb408b0..c56263dd 100644 --- a/instrumentation/afl-gcc-cmptrs-pass.so.cc +++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc @@ -157,6 +157,9 @@ struct afl_cmptrs_pass : afl_base_pass { /* We expect it to be a record type. */ if (TREE_CODE(t) != RECORD_TYPE) return false; + /* The type has an identifier. */ + if (!TYPE_IDENTIFIER(t)) return false; + /* The type of the template is basic_string. */ if (strcmp(IDENTIFIER_POINTER(TYPE_IDENTIFIER(t)), "basic_string") != 0) return false; 
@@ -201,7 +204,7 @@ struct afl_cmptrs_pass : afl_base_pass { /* Now go back to the first data member. Its type should be a record type named _Alloc_hider. */ c = TREE_TYPE(c); - if (!c || TREE_CODE(c) != RECORD_TYPE || + if (!c || TREE_CODE(c) != RECORD_TYPE || !TYPE_IDENTIFIER(t) || strcmp(IDENTIFIER_POINTER(TYPE_IDENTIFIER(c)), "_Alloc_hider") != 0) return false; diff --git a/test/test-cmplog.c b/test/test-cmplog.c index bd1b73e3..2ab579b0 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -8,16 +8,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { - if (i < 30) return -1; + if (i < 15) return -1; if (buf[0] != 'A') return 0; if (buf[1] != 'B') return 0; if (buf[2] != 'C') return 0; if (buf[3] != 'D') return 0; int *icmp = (int *)(buf + 4); if (*icmp != 0x69694141) return 0; - if (memcmp(buf + 8, "1234", 4) || memcmp(buf + 12, "EFGH", 4)) return 0; - if (strncmp(buf + 16, "IJKL", 4) == 0 && strcmp(buf + 20, "DEADBEEF") == 0) - abort(); + if (memcmp(buf + 8, "1234EF", 6) == 0) abort(); return 0; } diff --git a/test/test-frida-mode.sh b/test/test-frida-mode.sh index 3ae84656..8c528da5 100755 --- a/test/test-frida-mode.sh +++ b/test/test-frida-mode.sh @@ -39,7 +39,7 @@ test -e ../afl-frida-trace.so && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for frida_mode cmplog, this will take approx 10 seconds" { - ../afl-fuzz -m none -V07 -O -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 + ../afl-fuzz -m none -V07 -O -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000003* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with frida_mode cmplog" diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 714bda93..95e43b1c 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh 
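Review bot: The null guard added to this condition tests the wrong variable: the very next operand dereferences `IDENTIFIER_POINTER(TYPE_IDENTIFIER(c))`, but the new check is `!TYPE_IDENTIFIER(t)`, so an `_Alloc_hider` candidate whose record type has no identifier still reaches `strcmp` with a null pointer, which is the crash the Changelog entry says this commit fixes. `t` is already guarded by the `if (!TYPE_IDENTIFIER(t)) return false;` added in the previous hunk, so repeating it here adds nothing. Change the line to `if (!c || TREE_CODE(c) != RECORD_TYPE || !TYPE_IDENTIFIER(c) ||`. The enclosing member function of `afl_cmptrs_pass` begins and ends outside the hunk.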
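Review bot: The new minimum-length guard `if (i < 15) return -1;` is a bare constant that is no longer visibly tied to the reads it protects: the farthest byte touched is `buf[13]` (the 6-byte `memcmp` at `buf + 8`), so 15 is sufficient only by inspection, and the next edit to the comparisons can silently desynchronise the two. Deriving it from the offsets keeps them coupled, e.g. `if (i < 8 + 6) return -1;` or an `enum { MIN_INPUT_LEN = 14 };` declared next to the comparisons. While touching this harness, the unchanged `int *icmp = (int *)(buf + 4);` reads a 4-byte `int` from a `const uint8_t` buffer at arbitrary alignment and casts away `const`; `int icmp; memcpy(&icmp, buf + 4, sizeof icmp); if (icmp != 0x69694141) return 0;` removes the alignment and aliasing concerns and should leave the integer compare that CMPLOG instruments intact.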
@@ -257,13 +257,13 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } rm -f test-compcov test.out instrumentlist.txt AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1 - ../afl-clang-fast -o test-c test-cmplog.c > /dev/null 2>&1 + ../afl-clang-fast -O0 -o test-c test-cmplog.c > /dev/null 2>&1 test -e test-cmplog && { $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" { mkdir -p in echo 00000000000000000000000000000000 > in/in - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V30 -i in -o out -c./test-cmplog -- ./test-c >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -l 3 -m none -V30 -i in -o out -c ./test-cmplog -- ./test-c >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" diff --git a/test/test-qemu-mode.sh b/test/test-qemu-mode.sh index 9e268963..8eb7cb67 100755 --- a/test/test-qemu-mode.sh +++ b/test/test-qemu-mode.sh @@ -88,7 +88,7 @@ test -e ../afl-qemu-trace && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds" { - ../afl-fuzz -m none -V07 -Q -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 + ../afl-fuzz -m none -V07 -Q -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog" |