Diffstat (limited to 'src')
-rw-r--r--src/afl-analyze.c1
-rw-r--r--src/afl-cc.c18
-rw-r--r--src/afl-forkserver.c9
-rw-r--r--src/afl-fuzz-bitmap.c2
-rw-r--r--src/afl-fuzz-init.c16
-rw-r--r--src/afl-fuzz-mutators.c39
-rw-r--r--src/afl-fuzz-one.c15
-rw-r--r--src/afl-fuzz-python.c24
-rw-r--r--src/afl-fuzz-queue.c20
-rw-r--r--src/afl-fuzz-run.c2
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz-stats.c31
-rw-r--r--src/afl-fuzz.c9
-rw-r--r--src/afl-sharedmem.c8
-rw-r--r--src/afl-showmap.c1
-rw-r--r--src/afl-tmin.c1
16 files changed, 152 insertions, 51 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index dbf2920f..e19df3ce 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -984,6 +984,7 @@ int main(int argc, char **argv_orig, char **envp) {
frida_mode = 1;
fsrv.frida_mode = frida_mode;
+ setenv("AFL_FRIDA_INST_SEED", "0x0", 1);
break;
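Review bot: The seed is forced with the overwrite argument set to 1, so a user who exported AFL_FRIDA_INST_SEED for a reproducible run gets it silently replaced; the same call is added in src/afl-showmap.c and src/afl-tmin.c in this diff. If, as it appears, the tools must pin the seed so their instrumentation matches the fuzzer's, say so in a comment, e.g. `/* pin the FRIDA instrumentation seed so the map layout is reproducible across tools (presumed intent, confirm) */`; otherwise pass 0 as the last argument so a preset value is honored. The setenv return value is unchecked, which matches the surrounding code. main continues outside the hunk.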
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 9899f973..e49addc4 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -793,7 +793,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "-x")) x_set = 1;
if (!strcmp(cur, "-E")) preprocessor_only = 1;
if (!strcmp(cur, "-shared")) shared_linking = 1;
+ if (!strcmp(cur, "-dynamiclib")) shared_linking = 1;
if (!strcmp(cur, "-Wl,-r")) partial_linking = 1;
+ if (!strcmp(cur, "-Wl,-i")) partial_linking = 1;
if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1;
if (!strcmp(cur, "-r")) partial_linking = 1;
if (!strcmp(cur, "--relocatable")) partial_linking = 1;
@@ -1084,6 +1086,18 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif
+ #if defined(__APPLE__)
+ if (shared_linking || partial_linking) {
+
+ cc_params[cc_par_cnt++] = "-Wl,-U";
+ cc_params[cc_par_cnt++] = "-Wl,___afl_area_ptr";
+ cc_params[cc_par_cnt++] = "-Wl,-U";
+ cc_params[cc_par_cnt++] = "-Wl,___sanitizer_cov_trace_pc_guard_init";
+
+ }
+
+ #endif
+
}
#if defined(USEMMAP) && !defined(__HAIKU__)
@@ -1921,9 +1935,7 @@ int main(int argc, char **argv, char **envp) {
// ptr = instrument_mode_string[instrument_mode];
// }
- } else if (instrument_mode == INSTRUMENT_LTO ||
-
- instrument_mode == INSTRUMENT_CLASSIC) {
+ } else if (instrument_mode == INSTRUMENT_CLASSIC) {
lto_mode = 1;
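Review bot: The new `__APPLE__` block in the second hunk passes `-Wl,-U` for two symbols without saying why undefined references have to be tolerated there; a short comment would spare the next reader the ld64 man page, e.g. `/* ld64 rejects undefined symbols in dylibs/relocatable output by default; these runtime symbols are expected to be resolved at load time (confirm) */`. The block also appends four entries to cc_params without a capacity check, which follows the surrounding style but keeps relying on the caller's sizing of that array. The third hunk removes INSTRUMENT_LTO from the condition that sets lto_mode; the enclosing branch begins outside the hunk, so I cannot tell from here whether an LTO-mode invocation still reaches `lto_mode = 1` by another path.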
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 5e8fb9b5..c8c94c08 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -845,9 +845,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
" from the fuzzer! Since it seems to be built with ASAN and you "
"have a\n"
" restrictive memory limit configured, this is expected; please "
- "read\n"
- " %s/notes_for_asan.md for help and run with '-m 0'.\n",
- doc_path);
+ "run with '-m 0'.\n");
} else if (!fsrv->mem_limit) {
@@ -946,8 +944,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
"with ASAN and\n"
" you have a restrictive memory limit configured, this is "
"expected; please\n"
- " read %s/notes_for_asan.md for help and run with '-m 0'.\n",
- doc_path);
+ " run with '-m 0'.\n");
} else if (!fsrv->mem_limit) {
@@ -1105,7 +1102,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
if (getenv("AFL_DEBUG")) {
fprintf(stderr, "FS crc: %016llx len: %u\n",
- hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705),
+ hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, HASH_CONST),
*fsrv->shmem_fuzz_len);
fprintf(stderr, "SHM :");
for (u32 i = 0; i < *fsrv->shmem_fuzz_len; i++)
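Review bot: The debug line in the third hunk prints the crc with `%016llx` while the matching new line in src/afl-fuzz-run.c uses `%16llx`, so the two "FS crc" traces of the same value format differently (zero-padded vs space-padded); pick one. If hash64 returns a u64 that is typedef'd to uint64_t rather than unsigned long long, `"FS crc: %016" PRIx64 " len: %u\n"` also removes the format/argument mismatch. Replacing the literal 0xa5b35705 with HASH_CONST is the right direction provided HASH_CONST carries the same value, otherwise the trace silently changes. afl_fsrv_write_to_testcase continues outside the hunk.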
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 0a9242a5..59b1d279 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -560,7 +560,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
/* due to classify counts we have to recalculate the checksum */
- cksum = afl->queue_top->exec_cksum =
+ afl->queue_top->exec_cksum =
hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
/* Try to calibrate inline; this also calls update_bitmap_score() when
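Review bot: Dropping `cksum =` from the recalculation means the local `cksum` no longer tracks the post-classify value written to `afl->queue_top->exec_cksum`; if `cksum` is read again later in save_if_interesting (the function continues outside the hunk), it now carries the earlier checksum. If that is deliberate, the comment above the line still says the checksum "has to be recalculated", which invites someone to re-add the assignment; reword it to name what is kept, e.g. `/* classify_counts() changed the map: store a fresh checksum on the queue entry; cksum intentionally keeps the pre-classify value (confirm why) */`.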
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 5e4f1585..9bb25785 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -881,11 +881,7 @@ void perform_dry_run(afl_state_t *afl) {
u32 read_len = MIN(q->len, (u32)MAX_FILE);
use_mem = afl_realloc(AFL_BUF_PARAM(in), read_len);
- if (read(fd, use_mem, read_len) != (ssize_t)read_len) {
-
- FATAL("Short read from '%s'", q->fname);
-
- }
+ ck_read(fd, use_mem, read_len, q->fname);
close(fd);
@@ -982,7 +978,7 @@ void perform_dry_run(afl_state_t *afl) {
"quickly\n"
" estimate the required amount of virtual memory for the "
"binary. Also,\n"
- " if you are using ASAN, see %s/notes_for_asan.md.\n\n"
+ " if you are using ASAN, set '-m 0'.\n\n"
" - In QEMU persistent mode the selected address(es) for the "
"loop are not\n"
@@ -998,7 +994,7 @@ void perform_dry_run(afl_state_t *afl) {
"troubleshooting tips.\n",
stringify_mem_size(val_buf, sizeof(val_buf),
afl->fsrv.mem_limit << 20),
- afl->fsrv.mem_limit - 1, doc_path);
+ afl->fsrv.mem_limit - 1);
} else {
@@ -1350,6 +1346,12 @@ void pivot_inputs(afl_state_t *afl) {
if (q->passed_det) { mark_as_det_done(afl, q); }
+ if (afl->custom_mutators_count) {
+
+ run_afl_custom_queue_new_entry(afl, q, q->fname, NULL);
+
+ }
+
++id;
}
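Review bot: The new call in the last hunk is wrapped in `if (afl->custom_mutators_count)` although run_afl_custom_queue_new_entry (added to src/afl-fuzz-mutators.c in this diff) performs exactly that check as its first statement; one of the two guards is redundant, and keeping only the callee's keeps the call sites uniform. The ck_read replacement in the first hunk preserves the fatal-on-short-read behavior, so no concern there. pivot_inputs continues outside the hunk.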
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 79a47744..5332b9fe 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -31,6 +31,45 @@ struct custom_mutator *load_custom_mutator(afl_state_t *, const char *);
struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
#endif
+void run_afl_custom_queue_new_entry(afl_state_t *afl, struct queue_entry *q,
+ u8 *fname, u8 *mother_fname) {
+
+ if (afl->custom_mutators_count) {
+
+ u8 updated = 0;
+
+ LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+
+ if (el->afl_custom_queue_new_entry) {
+
+ if (el->afl_custom_queue_new_entry(el->data, fname, mother_fname)) {
+
+ updated = 1;
+
+ }
+
+ }
+
+ });
+
+ if (updated) {
+
+ struct stat st;
+ if (stat(fname, &st)) { PFATAL("File %s is gone!", fname); }
+ if (!st.st_size) {
+
+ FATAL("File %s became empty in custom mutator!", fname);
+
+ }
+
+ q->len = st.st_size;
+
+ }
+
+ }
+
+}
+
void setup_custom_mutators(afl_state_t *afl) {
/* Try mutator library first */
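Review bot: run_afl_custom_queue_new_entry has no header comment, and `q->len = st.st_size;` narrows off_t into the u32 queue length with no upper bound, so a custom mutator that grows the file beyond what the queue expects yields a silently truncated or oversized length. Suggest a comment giving the contract — runs every custom mutator's afl_custom_queue_new_entry hook for the new entry, and if any hook reports a change re-stats the file and refreshes q->len — plus a range check before the assignment, e.g. `if (st.st_size > MAX_FILE) { FATAL("File %s grew beyond MAX_FILE in custom mutator!", fname); }` (whether to fatal or clamp depends on whether every consumer clamps with MIN(q->len, MAX_FILE) the way perform_dry_run does). `stat(fname, &st)` also passes a `u8 *` where `const char *` is expected; the rest of the file may rely on the same implicit conversion, but a `(char *)` cast keeps -Wpointer-sign quiet.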
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 7274f679..17749601 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -547,7 +547,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
afl->queue_cur->perf_score = orig_perf = perf_score =
calculate_score(afl, afl->queue_cur);
- if (unlikely(perf_score <= 0)) { goto abandon_entry; }
+ if (unlikely(perf_score <= 0 && afl->active_paths > 1)) {
+
+ goto abandon_entry;
+
+ }
if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
@@ -3047,7 +3051,11 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
- if (unlikely(perf_score <= 0)) { goto abandon_entry; }
+ if (unlikely(perf_score <= 0 && afl->active_paths > 1)) {
+
+ goto abandon_entry;
+
+ }
if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
@@ -5241,7 +5249,6 @@ pacemaker_fuzzing:
}
afl->temp_puppet_find = afl->total_puppet_find;
- u64 temp_stage_finds_puppet = 0;
for (i = 0; i < operator_num; ++i) {
if (MOpt_globals.is_pilot_mode) {
@@ -5267,7 +5274,6 @@ pacemaker_fuzzing:
MOpt_globals.finds[i] = MOpt_globals.finds_v2[i];
MOpt_globals.cycles[i] = MOpt_globals.cycles_v2[i];
- temp_stage_finds_puppet += MOpt_globals.finds[i];
} /* for i = 0; i < operator_num */
@@ -5329,7 +5335,6 @@ pacemaker_fuzzing:
afl->core_operator_finds_puppet_v2[i];
afl->core_operator_cycles_puppet[i] =
afl->core_operator_cycles_puppet_v2[i];
- temp_stage_finds_puppet += afl->core_operator_finds_puppet[i];
}
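Review bot: The new `perf_score <= 0 && afl->active_paths > 1` condition appears verbatim at both sites (fuzz_one_original and mopt_common_fuzzing) without saying why a sole active entry is exempt; a why-comment at each, e.g. `/* never skip the only remaining entry even with a zero score, or nothing would be fuzzed (presumed intent, confirm) */`, would stop a later cleanup from "simplifying" it back. When that entry does fall through with a zero score, any stage_max values derived from perf_score further down (outside the hunk) may come out as zero, so it is worth confirming the havoc stage still runs in that case. Removing the write-only temp_stage_finds_puppet in the remaining hunks is fine. Both functions continue outside their hunks.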
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 3aa97635..065977c0 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -446,6 +446,10 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl,
/* Initialize the custom mutator */
init_py(afl, py_mutator, rand_below(afl, 0xFFFFFFFF));
+ mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);
+ mutator->stacked_custom_prob =
+ 6; // like one of the default mutations in havoc
+
return mutator;
}
@@ -813,8 +817,8 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) {
}
-void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
- const u8 *filename_orig_queue) {
+u8 queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
+ const u8 *filename_orig_queue) {
PyObject *py_args, *py_value;
@@ -861,7 +865,21 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
py_args);
Py_DECREF(py_args);
- if (py_value == NULL) {
+ if (py_value != NULL) {
+
+ int ret = PyObject_IsTrue(py_value);
+ Py_DECREF(py_value);
+
+ if (ret == -1) {
+
+ PyErr_Print();
+ FATAL("Failed to convert return value");
+
+ }
+
+ return (u8)ret & 0xFF;
+
+ } else {
PyErr_Print();
FATAL("Call failed");
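Review bot: In the first hunk `mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);` dereferences `mutator` on the left-hand side before the `mutator &&` guard on the right is evaluated, so the null check can never protect anything; either drop it — `mutator->stacked_custom = (mutator->afl_custom_havoc_mutation != NULL);` — or, if `mutator` can really be NULL here, test it before the assignment. In the last hunk `return (u8)ret & 0xFF;` masks a value that is already a u8 (and PyObject_IsTrue yields only 0, 1 or -1, with -1 handled just above), so `return (u8)ret;` says the same thing. The `void` → `u8` signature change of queue_new_entry_py needs the matching prototype updated in its header, which is not part of this page. Both functions continue outside their hunks.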
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index b759532c..16af2c6b 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -474,24 +474,12 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
if (afl->custom_mutators_count) {
- LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+ /* At the initialization stage, queue_cur is NULL */
+ if (afl->queue_cur && !afl->syncing_party) {
- if (el->afl_custom_queue_new_entry) {
+ run_afl_custom_queue_new_entry(afl, q, fname, afl->queue_cur->fname);
- u8 *fname_orig = NULL;
-
- /* At the initialization stage, queue_cur is NULL */
- if (afl->queue_cur && !afl->syncing_party) {
-
- fname_orig = afl->queue_cur->fname;
-
- }
-
- el->afl_custom_queue_new_entry(el->data, fname, fname_orig);
-
- }
-
- });
+ }
}
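Review bot: The hook call is now inside `if (afl->queue_cur && !afl->syncing_party)`, whereas the removed loop ran the hook unconditionally and only the mother filename was conditional, so entries added while `afl->syncing_party` is set (imports from other instances) no longer reach any custom mutator's afl_custom_queue_new_entry; the NULL-queue_cur case is covered by the new pivot_inputs call in this diff, but the syncing case is not. If that is unintended, keep only the init-stage exclusion and make the mother filename conditional: `if (afl->queue_cur) { run_afl_custom_queue_new_entry(afl, q, fname, afl->syncing_party ? NULL : afl->queue_cur->fname); }`. The surviving comment `/* At the initialization stage, queue_cur is NULL */` now describes only half of the condition; widen it to say which entries are skipped and why. add_to_queue continues outside the hunk.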
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index e876beea..4173f4e1 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -220,7 +220,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
fprintf(
stderr, "FS crc: %16llx len: %u\n",
- hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, 0xa5b35705),
+ hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, HASH_CONST),
*afl->fsrv.shmem_fuzz_len);
fprintf(stderr, "SHM :");
for (u32 i = 0; i < *afl->fsrv.shmem_fuzz_len; i++)
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index b832c11e..24ccc108 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -267,6 +267,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_force_ui =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+ } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_ignore_problems =
+ get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
} else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
afl_environment_variable_len)) {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index e0930234..eb1fe2d9 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -147,8 +147,19 @@ void load_stats_file(afl_state_t *afl) {
afl->fsrv.total_execs = strtoull(lptr, &nptr, 10);
break;
case 10:
- if (!strcmp(keystring, "paths_total "))
- afl->queued_paths = strtoul(lptr, &nptr, 10);
+ if (!strcmp(keystring, "paths_total ")) {
+
+ u32 paths_total = strtoul(lptr, &nptr, 10);
+ if (paths_total != afl->queued_paths) {
+
+ WARNF(
+ "queue/ has been modified -- things might not work, you're "
+ "on your own!");
+
+ }
+
+ }
+
break;
case 12:
if (!strcmp(keystring, "paths_found "))
@@ -523,6 +534,20 @@ void show_stats(afl_state_t *afl) {
t_bytes = count_non_255_bytes(afl, afl->virgin_bits);
t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size;
+ if (unlikely(t_bytes > afl->fsrv.real_map_size)) {
+
+ if (unlikely(!afl->afl_env.afl_ignore_problems)) {
+
+ FATAL(
+ "Incorrect fuzzing setup detected. Your target seems to have loaded "
+ "incorrectly instrumented shared libraries. If you use LTO mode "
+ "please see instrumentation/README.lto.md. To ignore this problem "
+ "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n");
+
+ }
+
+ }
+
if (likely(t_bytes) && unlikely(afl->var_byte_count)) {
stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);
@@ -1314,7 +1339,7 @@ void show_init_stats(afl_state_t *afl) {
}
- ACTF("No -t option specified, so I'll use exec timeout of %u ms.",
+ ACTF("No -t option specified, so I'll use an exec timeout of %u ms.",
afl->fsrv.exec_tmout);
afl->timeout_given = 1;
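Review bot: When AFL_IGNORE_PROBLEMS is set, the `t_bytes > afl->fsrv.real_map_size` case in the second hunk is skipped silently, so an operator who set the variable to get past a one-off false positive never learns that the condition persists; a single WARNF on first occurrence (a function-local `static u8 warned;` suffices, show_stats runs in one process) keeps the ignore path visible in the log. Note also that `t_byte_ratio` is computed on the line above from the same oversize t_bytes, so on that path the UI can show a ratio above 100%. In the first hunk the warning text tells the user what happened but not which numbers disagreed; printing both values in the WARNF would make the diagnosis actionable. show_stats continues outside the hunk.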
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 0c7b6e42..8ffc0e77 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -216,6 +216,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
"AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n"
"AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
+ "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n"
"AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
@@ -339,7 +340,7 @@ static void fasan_check_afl_preload(char *afl_preload) {
char * separator = strchr(afl_preload, ':');
size_t first_preload_len = PATH_MAX;
char * basename;
- char clang_runtime_prefix[] = "libclang_rt.asan-";
+ char clang_runtime_prefix[] = "libclang_rt.asan";
if (separator != NULL && (separator - afl_preload) < PATH_MAX) {
@@ -1398,6 +1399,9 @@ int main(int argc, char **argv_orig, char **envp) {
afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver;
+ check_crash_handling();
+ check_cpu_governor(afl);
+
if (getenv("LD_PRELOAD")) {
WARNF(
@@ -1498,9 +1502,6 @@ int main(int argc, char **argv_orig, char **envp) {
}
- check_crash_handling();
- check_cpu_governor(afl);
-
get_core_count(afl);
atexit(at_exit);
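Review bot: The usage line for AFL_IGNORE_PROBLEMS is inserted after AFL_IGNORE_UNKNOWN_ENVS, breaking the alphabetical order the surrounding entries keep (IGNORE_PROBLEMS sorts before IGNORE_UNKNOWN_ENVS); move it up one line. Widening clang_runtime_prefix to `libclang_rt.asan` in the second hunk accepts any preload name starting with that prefix, presumably to catch runtime names that use `_` rather than `-` after "asan"; a comment naming the file names this is meant to match would help, since the broader prefix also admits non-runtime variants. Moving check_crash_handling()/check_cpu_governor() earlier changes when those checks fire relative to the setup that sits between the two hunks (outside this page); worth confirming nothing in that stretch is needed by them.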
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index fbb8e65d..22fe5a62 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -244,7 +244,11 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
shm->shm_id =
shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
- if (shm->shm_id < 0) { PFATAL("shmget() failed"); }
+ if (shm->shm_id < 0) {
+
+ PFATAL("shmget() failed, try running afl-system-config");
+
+ }
if (shm->cmplog_mode) {
@@ -254,7 +258,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
if (shm->cmplog_shm_id < 0) {
shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem
- PFATAL("shmget() failed");
+ PFATAL("shmget() failed, try running afl-system-config");
}
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 5c899e69..9122cd25 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1035,6 +1035,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
fsrv->frida_mode = true;
+ setenv("AFL_FRIDA_INST_SEED", "0x0", 1);
break;
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 2d80abe4..792770e0 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -1027,6 +1027,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
fsrv->frida_mode = 1;
+ setenv("AFL_FRIDA_INST_SEED", "0x0", 1);
break;