Diffstat (limited to 'docs')
 docs/Changelog.md      |  7
 docs/best_practices.md | 21
2 files changed, 27 insertions, 1 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 103f9f63..be5cac43 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,9 +9,14 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 ### Version ++3.15a (dev)
-  - documentation restructuring, made possible by Google Season of Docs :)
+  - documentation restructuring, made possible by Google Season of Docs
   - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
     thanks to RICSecLab submitting!
+  - if instrumented libaries are dlopen()'ed after the forkserver you
+    will now see crashes. before you would have colliding coverage.
+    we changed this to force fixing a broken setup rather then allowing
+    ineffective fuzzing.
+    See docs/best_practices.md how to fix such setups.
   - afl-fuzz:
     - cmplog binaries will need to be recompiled for this version
       (it is better!)
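Review bot: Spelling and grammar in the new dlopen() bullet: `libaries` should be `libraries`, `rather then` should be `rather than`, and `See docs/best_practices.md how to fix such setups.` reads better as `See docs/best_practices.md for how to fix such setups.`; `before` and `we` also start sentences and should be capitalised. Separately, this hunk drops the `:)` from the Season of Docs line while the coresight line two lines below keeps its own, so either both should go or the first change is an unrelated edit that does not belong in this commit.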
diff --git a/docs/best_practices.md b/docs/best_practices.md
index e6b252f6..96c6e3c2 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -5,6 +5,7 @@
 ### Targets
 
 * [Fuzzing a target with source code available](#fuzzing-a-target-with-source-code-available)
+* [Fuzzing a target with dlopen() instrumented libraries](#fuzzing-a-target-with-dlopen-instrumented-libraries)
 * [Fuzzing a binary-only target](#fuzzing-a-binary-only-target)
 * [Fuzzing a GUI program](#fuzzing-a-gui-program)
 * [Fuzzing a network service](#fuzzing-a-network-service)
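Review bot: The new table-of-contents entry reads `dlopen() instrumented libraries` while the heading it points at (added in the best_practices.md hunk below) reads `dlopen instrumented libraries` without the parentheses. The anchor `#fuzzing-a-target-with-dlopen-instrumented-libraries` resolves either way because slug generation drops punctuation, but the link text and the heading should use the same wording so a reader searching the page for one finds the other.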
@@ -21,6 +22,26 @@
 To learn how to fuzz a target if source code is available, see
 [fuzzing_in_depth.md](fuzzing_in_depth.md).
 
+### Fuzzing a target with dlopen instrumented libraries
+
+If a source code based fuzzing target loads instrumented libraries with
+dlopen() after the forkserver has been activated and non-colliding coverage
+instrumentation is used (PCGUARD (which is the default), or LTO), then this
+an issue, because this would enlarge the coverage map, but afl-fuzz doesn't
+know about it.
+
+The solution is to use `AFL_PRELOAD` for all dlopen()'ed libraries to
+ensure that all coverage targets are present on startup in the target,
+even if accessed only later with dlopen().
+
+For PCGUARD instrumentation `abort()` is called if this is detected, for LTO
+there will either be no coverage for the instrumented dlopen()'ed libraries or
+you will see lots of crashes in the UI.
+
+Note that this is not an issue if you use the inferiour `afl-gcc-fast`,
+`afl-gcc` or`AFL_LLVM_INSTRUMENT=CLASSIC/NGRAM/CTX afl-clang-fast`
+instrumentation.
+
 ### Fuzzing a binary-only target
 
 For a comprehensive guide, see
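Review bot: The first paragraph is missing a verb: `then this an issue` should be `then this is an issue`, and it would help to state the consequence in one clause (the coverage map grows after afl-fuzz has already sized it, so the new edges cannot be tracked correctly). Typos further down: `inferiour` should be `inferior`, and `or`AFL_LLVM_INSTRUMENT=...` is missing a space before the opening backtick. Since the section's only remedy is `AFL_PRELOAD`, a concrete invocation such as `AFL_PRELOAD=/path/to/instrumented.so afl-fuzz -i in -o out -- ./target @@` would make the advice actionable, and the PCGUARD `abort()` sentence should say that the abort is deliberate (the behaviour introduced in the Changelog hunk) so users do not file it as a target crash.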