diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-analyze.c | 1 | ||||
| -rw-r--r-- | src/afl-cc.c | 14 | ||||
| -rw-r--r-- | src/afl-common.c | 64 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 20 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 4 | ||||
| -rw-r--r-- | src/afl-fuzz-python.c | 4 | ||||
| -rw-r--r-- | src/afl-fuzz-state.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 31 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 2 | ||||
| -rw-r--r-- | src/afl-sharedmem.c | 7 | ||||
| -rw-r--r-- | src/afl-showmap.c | 2 | ||||
| -rw-r--r-- | src/afl-tmin.c | 1 |
13 files changed, 138 insertions, 26 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index e19df3ce..eef08494 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -1093,6 +1093,7 @@ int main(int argc, char **argv_orig, char **envp) { parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); read_initial_file(); + (void)check_binary_signatures(fsrv.target_path); ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); diff --git a/src/afl-cc.c b/src/afl-cc.c index 244b46d1..e49addc4 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -793,7 +793,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-x")) x_set = 1; if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; + if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; + if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; if (!strcmp(cur, "-r")) partial_linking = 1; if (!strcmp(cur, "--relocatable")) partial_linking = 1; @@ -1084,6 +1086,18 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif + #if defined(__APPLE__) + if (shared_linking || partial_linking) { + + cc_params[cc_par_cnt++] = "-Wl,-U"; + cc_params[cc_par_cnt++] = "-Wl,___afl_area_ptr"; + cc_params[cc_par_cnt++] = "-Wl,-U"; + cc_params[cc_par_cnt++] = "-Wl,___sanitizer_cov_trace_pc_guard_init"; + + } + + #endif + } #if defined(USEMMAP) && !defined(__HAIKU__) diff --git a/src/afl-common.c b/src/afl-common.c index 9ca2b3e8..db19f0a7 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -25,8 +25,12 @@ #include <stdlib.h> #include <stdio.h> +#define _GNU_SOURCE +#define __USE_GNU +#include <string.h> #include <strings.h> #include <math.h> +#include <sys/mman.h> #include "debug.h" #include "alloc-inl.h" @@ -51,6 +55,66 @@ u8 last_intr = 0; #define AFL_PATH "/usr/local/lib/afl/" #endif +u32 check_binary_signatures(u8 *fn) { + + int ret = 0, fd = open(fn, O_RDONLY); + if (fd < 0) { PFATAL("Unable to open '%s'", fn); } + struct stat st; + if (fstat(fd, &st) < 0) { PFATAL("Unable to fstat '%s'", fn); } + u32 f_len = st.st_size; + u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); + if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); } + close(fd); + + if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { + + if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); } + setenv(PERSIST_ENV_VAR, "1", 1); + ret = 1; + + } else if (getenv("AFL_PERSISTENT")) { + + if (!be_quiet) { + + WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + + } + + } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) { + + if (!be_quiet) { + + OKF("FRIDA Persistent mode configuration options detected."); + + } + + setenv(PERSIST_ENV_VAR, "1", 1); + ret = 1; + + } + + if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { + + if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); } + setenv(DEFER_ENV_VAR, "1", 1); + ret += 2; + + } else if (getenv("AFL_DEFER_FORKSRV")) { + + if (!be_quiet) { + + WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + + } + + } + + if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); } + + return ret; + +} + void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin) { u32 i = 0; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 26a9aaed..c8c94c08 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -845,9 +845,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, " from the fuzzer! Since it seems to be built with ASAN and you " "have a\n" " restrictive memory limit configured, this is expected; please " - "read\n" - " %s/notes_for_asan.md for help and run with '-m 0'.\n", - doc_path); + "run with '-m 0'.\n"); } else if (!fsrv->mem_limit) { @@ -946,8 +944,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "with ASAN and\n" " you have a restrictive memory limit configured, this is " "expected; please\n" - " read %s/notes_for_asan.md for help and run with '-m 0'.\n", - doc_path); + " run with '-m 0'.\n"); } else if (!fsrv->mem_limit) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 59b1d279..0ae4d607 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -143,17 +143,9 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) { and replacing it with 0x80 or 0x01 depending on whether the tuple is hit or not. Called on every new crash or timeout, should be reasonably fast. */ -#define TIMES4(x) x, x, x, x -#define TIMES8(x) TIMES4(x), TIMES4(x) -#define TIMES16(x) TIMES8(x), TIMES8(x) -#define TIMES32(x) TIMES16(x), TIMES16(x) -#define TIMES64(x) TIMES32(x), TIMES32(x) -#define TIMES255(x) \ - TIMES64(x), TIMES64(x), TIMES64(x), TIMES32(x), TIMES16(x), TIMES8(x), \ - TIMES4(x), x, x, x const u8 simplify_lookup[256] = { - [0] = 1, [1] = TIMES255(128) + [0] = 1, [1 ... 255] = 128 }; @@ -167,11 +159,11 @@ const u8 count_class_lookup8[256] = { [1] = 1, [2] = 2, [3] = 4, - [4] = TIMES4(8), - [8] = TIMES8(16), - [16] = TIMES16(32), - [32] = TIMES32(64), - [128] = TIMES64(128) + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index faa45a4e..9bb25785 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -978,7 +978,7 @@ void perform_dry_run(afl_state_t *afl) { "quickly\n" " estimate the required amount of virtual memory for the " "binary. Also,\n" - " if you are using ASAN, see %s/notes_for_asan.md.\n\n" + " if you are using ASAN, set '-m 0'.\n\n" " - In QEMU persistent mode the selected address(es) for the " "loop are not\n" @@ -994,7 +994,7 @@ void perform_dry_run(afl_state_t *afl) { "troubleshooting tips.\n", stringify_mem_size(val_buf, sizeof(val_buf), afl->fsrv.mem_limit << 20), - afl->fsrv.mem_limit - 1, doc_path); + afl->fsrv.mem_limit - 1); } else { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index bb4eabcc..065977c0 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -446,6 +446,10 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, /* Initialize the custom mutator */ init_py(afl, py_mutator, rand_below(afl, 0xFFFFFFFF)); + mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); + mutator->stacked_custom_prob = + 6; // like one of the default mutations in havoc + return mutator; } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index b832c11e..24ccc108 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -267,6 +267,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_force_ui = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_ignore_problems = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", afl_environment_variable_len)) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index e0930234..eb1fe2d9 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -147,8 +147,19 @@ void load_stats_file(afl_state_t *afl) { afl->fsrv.total_execs = strtoull(lptr, &nptr, 10); break; case 10: - if (!strcmp(keystring, "paths_total ")) - afl->queued_paths = strtoul(lptr, &nptr, 10); + if (!strcmp(keystring, "paths_total ")) { + + u32 paths_total = strtoul(lptr, &nptr, 10); + if (paths_total != afl->queued_paths) { + + WARNF( + "queue/ has been modified -- things might not work, you're " + "on your own!"); + + } + + } + break; case 12: if (!strcmp(keystring, "paths_found ")) @@ -523,6 +534,20 @@ void show_stats(afl_state_t *afl) { t_bytes = count_non_255_bytes(afl, afl->virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size; + if (unlikely(t_bytes > afl->fsrv.real_map_size)) { + + if (unlikely(!afl->afl_env.afl_ignore_problems)) { + + FATAL( + "Incorrect fuzzing setup detected. Your target seems to have loaded " + "incorrectly instrumented shared libraries. If you use LTO mode " + "please see instrumentation/README.lto.md. To ignore this problem " + "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n"); + + } + + } + if (likely(t_bytes) && unlikely(afl->var_byte_count)) { stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); @@ -1314,7 +1339,7 @@ void show_init_stats(afl_state_t *afl) { } - ACTF("No -t option specified, so I'll use exec timeout of %u ms.", + ACTF("No -t option specified, so I'll use an exec timeout of %u ms.", afl->fsrv.exec_tmout); afl->timeout_given = 1; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c97427e1..8ffc0e77 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -216,6 +216,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n" "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n" + "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" @@ -1501,7 +1502,6 @@ int main(int argc, char **argv_orig, char **envp) { } - get_core_count(afl); atexit(at_exit); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index b2cdac9b..22fe5a62 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -244,7 +244,11 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); - if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); } + if (shm->shm_id < 0) { + + PFATAL("shmget() failed, try running afl-system-config"); + + } if (shm->cmplog_mode) { @@ -325,3 +329,4 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, return shm->map; } + diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9122cd25..e143371e 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1189,6 +1189,8 @@ int main(int argc, char **argv_orig, char **envp) { } + if (in_dir) { (void)check_binary_signatures(fsrv->target_path); } + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); /* initialize cmplog_mode */ diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 792770e0..dff51e84 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1209,6 +1209,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->shmem_fuzz = map + sizeof(u32); read_initial_file(); + (void)check_binary_signatures(fsrv->target_path); if (!fsrv->qemu_mode && !unicorn_mode) { |