Diffstat (limited to 'qemu_mode')
-rw-r--r-- | qemu_mode/README.md | 4 | ||||
-rw-r--r-- | qemu_mode/README.persistent.md | 12 | ||||
-rwxr-xr-x | qemu_mode/build_qemu_support.sh | 9 | ||||
-rw-r--r-- | qemu_mode/libcompcov/compcovtest.cc | 6 | ||||
-rw-r--r-- | qemu_mode/libcompcov/libcompcov.so.c | 2 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 34 | ||||
-rw-r--r-- | qemu_mode/unsigaction/Makefile | 4 |
7 files changed, 49 insertions, 22 deletions
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index 71a3ada7..76b74e17 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@@ -46,8 +46,8 @@ You can also compile statically-linked binaries by setting STATIC=1. This can be useful when compiling QEMU on a different system than the one you're planning to run the fuzzer on and is most often used with the HOST variable.
-Note: when targetting the i386 architecture, on some bianries the forkserver
-handshake may fail due to the lack of reversed memory. Fix it with
+Note: when targetting the i386 architecture, on some binaries the forkserver
+handshake may fail due to the lack of reserved memory. Fix it with
 export QEMU_RESERVED_VA=0x1000000
diff --git a/qemu_mode/README.persistent.md b/qemu_mode/README.persistent.md
index 46077402..b6d5d2d0 100644
--- a/qemu_mode/README.persistent.md
+++ b/qemu_mode/README.persistent.md
@@ -23,8 +23,10 @@ in 2.2 and 2.3) have to be set. This address (as well as the RET address, see below) has to be defined in hexadecimal with the 0x prefix or as a decimal value.
-If the target is compiled with position independant code (PIE/PIC), you must
-add 0x4000000000 to that address, because qemu loads to this base address.
+*Note:* If the target is compiled with position independant code (PIE/PIC)
+qemu loads these to a specific base address.
+For 64 bit you have to add 0x4000000000 (9 zeroes) and for 32 bit 0x40000000
+(7 zeroes) to the address.
 On strange setups the base address set by QEMU for PIE executable may change, you can check it printing the process map using `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY`
@@ -32,7 +34,7 @@ you can check it printing the process map using If this address is not valid, afl-fuzz will error during startup with the message that the forkserver was not found.
-### 2.2) the RET address
+### 2.2) The RET address
 The RET address is the last instruction of the persistent loop. The emulator will emit a jump to START when translating the instruction at RET.
@@ -46,7 +48,7 @@ patch the return address (on stack or in the link register) to return to START It is defined by setting AFL_QEMU_PERSISTENT_RET, and too 0x4000000000 has to be set if the target is position independant.
-### 2.3) the OFFSET
+### 2.3) The OFFSET
 This option is valid only for x86/x86_64 only, arm/aarch64 do not save the return address on stack.
@@ -72,7 +74,7 @@ Now to get this value right here some help: 8. again print the ESP value 9. calculate the difference between the two values - and this is the offset
-### 2.4) resetting the register state
+### 2.4) Resetting the register state
 It is very, very likely you need to restore the general purpose registers state when starting a new loop. Because of this you 99% of the time should set
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh
index b34a149b..1b6690c6 100755
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@@ -83,6 +83,13 @@ if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; the
 fi
+if [ ! -d "/usr/include/pixman-1/" -a ! -d "/usr/local/include/pixman-1/" ]; then
+
+ echo "[-] Error: devel version of 'pixman-1' not found, please install first."
+ PREREQ_NOTFOUND=1
+
+fi
+
 if echo "$CC" | grep -qF /afl-; then echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
@@ -230,7 +237,7 @@ if [ "$ORIG_CPU_TARGET" = "" ]; then make >/dev/null || exit 1
- gcc test-instr.c -o test-instr || exit 1
+ cc test-instr.c -o test-instr || exit 1
 unset AFL_INST_RATIO export ASAN_OPTIONS=detect_leaks=0
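Review bot: The new pixman-1 prerequisite test in build_qemu_support.sh only looks under /usr/include/pixman-1 and /usr/local/include/pixman-1, so a host that installs the headers under another prefix (a distro multiarch path, Homebrew, Nix, a custom --prefix) is refused here even though, as far as I recall, QEMU's own configure locates pixman through pkg-config. The glib-2.0 test it mirrors has the same limitation. A pkg-config probe with the directory test as fallback matches what the later build actually needs: `if ! pkg-config --exists pixman-1 2>/dev/null && [ ! -d "/usr/include/pixman-1/" ] && [ ! -d "/usr/local/include/pixman-1/" ]; then`. Writing it as separate `[ ]` tests joined by `&&` also avoids the `-a` operator, which POSIX marks obsolescent.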
diff --git a/qemu_mode/libcompcov/compcovtest.cc b/qemu_mode/libcompcov/compcovtest.cc
index faea75e5..d70bba91 100644
--- a/qemu_mode/libcompcov/compcovtest.cc
+++ b/qemu_mode/libcompcov/compcovtest.cc
@@ -51,9 +51,11 @@ int main() { switch (z) {
- case 0xBEEF: break;
+ case 0xBEEF:
+ break;
- default: return 4;
+ default:
+ return 4;
 }
diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c
index 619bcc50..bffdd5d8 100644
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@@ -166,7 +166,7 @@ static void __compcov_trace(u64 cur_loc, const u8 *v0, const u8 *v1, size_t n) { if (debug_fd != 1) { char debugbuf[4096];
- snprintf(debugbuf, sizeof(debugbuf), "0x%llx %s %s %lu\n", cur_loc,
+ snprintf(debugbuf, sizeof(debugbuf), "0x%llx %s %s %zu\n", cur_loc,
 v0 == NULL ? "(null)" : (char *)v0, v1 == NULL ? "(null)" : (char *)v1, n); write(debug_fd, debugbuf, strlen(debugbuf));
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index 1abec477..014471ca 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -55,11 +55,20 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, switch (ot & MO_SIZE) {
- case MO_64: gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2); break;
- case MO_32: gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2); break;
- case MO_16: gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2); break;
- case MO_8: gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2); break;
- default: break;
+ case MO_64:
+ gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2);
+ break;
+ case MO_32:
+ gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2);
+ break;
+ case MO_16:
+ gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2);
+ break;
+ case MO_8:
+ gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2);
+ break;
+ default:
+ break;
 }
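Review bot: The `%s` conversions in the changed snprintf still read v0 and v1 up to a NUL byte, yet __compcov_trace also receives a length n, which suggests some callers pass comparands that are not NUL-terminated; for those the debug line over-reads past the buffer. Bounding the output by the length keeps the format otherwise intact: `"0x%llx %.*s %.*s %zu\n", cur_loc, (int)n, v0 == NULL ? "(null)" : (char *)v0, (int)n, v1 == NULL ? "(null)" : (char *)v1, n` (an n above INT_MAX would need clamping first). Two smaller points on the same lines: if `u64` is a uint64_t typedef rather than `unsigned long long` (not visible here), `0x%llx` is formally mismatched and `0x%" PRIx64 "` is the portable spelling; and the `write()` result on the following context line is discarded, so a closed or full debug descriptor fails silently. The body of __compcov_trace continues past the hunk.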
@@ -78,10 +87,17 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, switch (ot & MO_SIZE) {
- case MO_64: gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2); break;
- case MO_32: gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2); break;
- case MO_16: gen_helper_afl_compcov_16(cur_loc_v, arg1, arg2); break;
- default: break;
+ case MO_64:
+ gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2);
+ break;
+ case MO_32:
+ gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2);
+ break;
+ case MO_16:
+ gen_helper_afl_compcov_16(cur_loc_v, arg1, arg2);
+ break;
+ default:
+ break;
 }
diff --git a/qemu_mode/unsigaction/Makefile b/qemu_mode/unsigaction/Makefile
index d5063dab..206a8f07 100644
--- a/qemu_mode/unsigaction/Makefile
+++ b/qemu_mode/unsigaction/Makefile
@@ -25,10 +25,10 @@ all: $(TARGETS) @if [ "$(AFL_NO_X86)" != "" ]; then echo "[!] Note: skipping compilation of unsigaction (AFL_NO_X86 set)."; fi
 unsigaction32.so:
- @$(CC) -m32 -fPIC -shared unsigaction.c -o unsigaction32.so 2>/dev/null ; if [ "$$?" = "0" ]; then echo "unsigaction32 build success"; else echo "unsigaction32 build failure (that's fine)"; fi
+ @if $(CC) -m32 -fPIC -shared unsigaction.c -o unsigaction32.so 2>/dev/null ; then echo "unsigaction32 build success"; else echo "unsigaction32 build failure (that's fine)"; fi
 unsigaction64.so:
- $(CC) -m64 -fPIC -shared unsigaction.c -o unsigaction64.so
+ @if $(CC) -m64 -fPIC -shared unsigaction.c -o unsigaction64.so 2>/dev/null ; then echo "unsigaction64 build success"; else echo "unsigaction64 build failure (that's fine)"; fi
 clean:
 rm -f unsigaction32.so unsigaction64.so |
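Review bot: The unsigaction64.so recipe now discards the compiler's stderr and reports any failure as "that's fine", but unlike the -m32 multilib case a failure of the native 64-bit build leaves the helper library silently missing with no clue why. Keeping the error output visible for this target preserves the new non-fatal behaviour while still telling the user what went wrong: `@if $(CC) -m64 -fPIC -shared unsigaction.c -o unsigaction64.so; then echo "unsigaction64 build success"; else echo "unsigaction64 build failure (see error above)"; fi`. The all target and the AFL_NO_X86 handling begin before the hunk.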