diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-cc.c | 28 | ||||
| -rw-r--r-- | src/afl-common.c | 27 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 3 | ||||
| -rw-r--r-- | src/afl-fuzz-extras.c | 5 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 31 | ||||
| -rw-r--r-- | src/afl-fuzz-redqueen.c | 257 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 22 |
7 files changed, 315 insertions, 58 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c index 037a5c30..c3c677b4 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1144,19 +1144,23 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!have_pic) { cc_params[cc_par_cnt++] = "-fPIC"; } - // in case LLVM is installed not via a package manager or "make install" - // e.g. compiled download or compiled from github then its ./lib directory - // might not be in the search path. Add it if so. - u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && - strncmp(libdir, "/lib", 4)) { + if (!getenv("AFL_LLVM_NO_RPATH")) { - cc_params[cc_par_cnt++] = "-Wl,-rpath"; - cc_params[cc_par_cnt++] = libdir; + // in case LLVM is installed not via a package manager or "make install" + // e.g. compiled download or compiled from github then its ./lib directory + // might not be in the search path. Add it if so. + u8 *libdir = strdup(LLVM_LIBDIR); + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && + strncmp(libdir, "/lib", 4)) { - } else { + cc_params[cc_par_cnt++] = "-Wl,-rpath"; + cc_params[cc_par_cnt++] = libdir; + + } else { - free(libdir); + free(libdir); + + } } @@ -2289,7 +2293,9 @@ int main(int argc, char **argv, char **envp) { " AFL_LLVM_CTX: use full context sensitive coverage (for " "CLASSIC)\n" " AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage (for " - "CLASSIC)\n"); + "CLASSIC)\n" + " AFL_LLVM_NO_RPATH: disable rpath setting for custom LLVM " + "locations\n"); #ifdef AFL_CLANG_FLTO if (have_lto) diff --git a/src/afl-common.c b/src/afl-common.c index b4143a1b..ba498b3b 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -98,12 +98,27 @@ void set_sanitizer_defaults() { } /* LSAN does not support abort_on_error=1. (is this still true??) */ + u8 should_detect_leaks = 0; if (!have_lsan_options) { u8 buf[2048] = ""; if (!have_san_options) { strcpy(buf, default_options); } - strcat(buf, "exitcode=" STRINGIFY(LSAN_ERROR) ":fast_unwind_on_malloc=0:print_suppressions=0:detect_leaks=1:malloc_context_size=30:"); + if (have_asan_options) { + + if (NULL != strstr(have_asan_options, "detect_leaks=0")) { + + strcat(buf, "exitcode=" STRINGIFY(LSAN_ERROR) ":fast_unwind_on_malloc=0:print_suppressions=0:detect_leaks=0:malloc_context_size=0:"); + + } else { + + should_detect_leaks = 1; + strcat(buf, "exitcode=" STRINGIFY(LSAN_ERROR) ":fast_unwind_on_malloc=0:print_suppressions=0:detect_leaks=1:malloc_context_size=30:"); + + } + + } + setenv("LSAN_OPTIONS", buf, 1); } @@ -112,7 +127,15 @@ void set_sanitizer_defaults() { if (!have_lsan_options) { - strcat(default_options, "detect_leaks=0:malloc_context_size=0:"); + if (should_detect_leaks) { + + strcat(default_options, "detect_leaks=1:malloc_context_size=30:"); + + } else { + + strcat(default_options, "detect_leaks=0:malloc_context_size=0:"); + + } } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index d76158ce..568c5274 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -866,7 +866,8 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string( - afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, afl->fsrv.nyx_aux_string_len); + afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, + afl->fsrv.nyx_aux_string_len); ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); close(fd); diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index f6de11ae..905431d1 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -176,6 +176,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, afl->extras = afl_realloc((void **)&afl->extras, (afl->extras_cnt + 1) * sizeof(struct extra_data)); + char *hexdigits = "0123456789abcdef"; + if (unlikely(!afl->extras)) { PFATAL("alloc"); } wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr); @@ -184,13 +186,12 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, while (*lptr) { - char *hexdigits = "0123456789abcdef"; - switch (*lptr) { case 1 ... 31: case 128 ... 255: WARNF("Non-printable characters in line %u.", cur_line); + ++lptr; continue; break; diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 2003be1f..67dafda8 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -577,13 +577,13 @@ u8 fuzz_one_original(afl_state_t *afl) { * SIMPLE BITFLIP (+dictionary construction) * *********************************************/ -#define FLIP_BIT(_ar, _b) \ - do { \ - \ - u8 *_arf = (u8 *)(_ar); \ - u32 _bf = (_b); \ - _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ - \ +#define FLIP_BIT(_ar, _b) \ + do { \ + \ + u8 *_arf = (u8 *)(_ar); \ + u32 _bf = (_b); \ + _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ + \ } while (0) /* Single walking bit. */ @@ -1894,6 +1894,7 @@ custom_mutator_stage: LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { if (el->afl_custom_fuzz) { + havoc_queued = afl->queued_items; afl->current_custom_fuzz = el; afl->stage_name = el->name_short; @@ -2216,7 +2217,7 @@ havoc_stage: } - retry_havoc_step : { + retry_havoc_step: { u32 r = rand_below(afl, rand_max), item; @@ -3703,13 +3704,13 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { * SIMPLE BITFLIP (+dictionary construction) * *********************************************/ -#define FLIP_BIT(_ar, _b) \ - do { \ - \ - u8 *_arf = (u8 *)(_ar); \ - u32 _bf = (_b); \ - _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ - \ +#define FLIP_BIT(_ar, _b) \ + do { \ + \ + u8 *_arf = (u8 *)(_ar); \ + u32 _bf = (_b); \ + _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ + \ } while (0) /* Single walking bit. */ diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index db4991db..86e7f1cf 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -40,7 +40,7 @@ enum { IS_FP = 8, // is a floating point, not an integer /* --- below are internal settings, not from target cmplog */ IS_FP_MOD = 16, // arithemtic changed floating point - IS_INT_MOD = 32, // arithmetic changed interger + IS_INT_MOD = 32, // arithmetic changed integer IS_TRANSFORM = 64 // transformed integer }; @@ -775,6 +775,13 @@ static u32 to_base64(u8 *src, u8 *dst, u32 dst_len) { } +#ifdef WORD_SIZE_64 +static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, + u128 pattern, u128 repl, u128 o_pattern, + u128 changed_val, u8 attr, u32 idx, + u32 taint_len, u8 *orig_buf, u8 *buf, u8 *cbuf, + u32 len, u8 do_reverse, u8 lvl, u8 *status); +#endif static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 pattern, u64 repl, u64 o_pattern, u64 changed_val, u8 attr, u32 idx, u32 taint_len, @@ -807,6 +814,29 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, hshape, attr); */ + u8 bytes; + + switch (hshape) { + + case 0: + case 1: + bytes = 1; + break; + case 2: + bytes = 2; + break; + case 3: + case 4: + bytes = 4; + break; + default: + bytes = 8; + + } + + // necessary for preventing heap access overflow + bytes = MIN(bytes, len - idx); + // reverse atoi()/strnu?toll() is expensive, so we only to it in lvl 3 if (afl->cmplog_enable_transform && (lvl & LVL3)) { @@ -895,29 +925,6 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (pattern != o_pattern && repl == changed_val && attr <= IS_EQUAL) { u64 b_val, o_b_val, mask; - u8 bytes; - - switch (hshape) { - - case 0: - case 1: - bytes = 1; - break; - case 2: - bytes = 2; - break; - case 3: - case 4: - bytes = 4; - break; - default: - bytes = 8; - - } - - // necessary for preventing heap access overflow - bytes = MIN(bytes, len - idx); - switch (bytes) { case 0: // cannot happen @@ -1285,6 +1292,135 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } + // If 'S' is set for cmplog mode then we try a scale encoding of the value. + // Currently we can only handle bytes up to 1 << 55 on 32 bit and 1 << 119 + // on 64 bit systems. + // Caveat: This implementation here works only on little endian systems. + + if (attr < IS_FP && (afl->cmplog_enable_scale || lvl >= LVL3) && + repl == changed_val) { + + u8 do_call = 1; + u64 new_val = repl << 2; + u32 ilen = 0; + + if (changed_val <= 255) { + + ilen = 1; + + } else if (new_val <= 65535) { + + new_val += 1; // two byte mode + ilen = 2; + + } else if (new_val <= 4294967295) { + + new_val += 2; // four byte mode + ilen = 4; + + } else { + +#ifndef WORD_SIZE_64 + if (repl <= 0x00ffffffffffffff { + + new_val = repl << 8; + u8 scale_len = 0; + u64 tmp_val = repl; + while (tmp_val) { + + tmp_val >>= 8; + ++scale_len; + + } // scale_len will be >= 4; + + if (scale_len >= 4) { + + scale_len -= 4; + + } else { + + scale_len = 0; + + }; + + new_val += (scale_len << 2) + 3; + ilen = scale_len + 5; + + } else { + + do_call = 0; + + } + +#else + { + + u128 new_vall = ((u128)repl) << 8; + u8 scale_len = 0; + u128 tmp_val = (u128)repl; + + while (tmp_val) { + + tmp_val >>= 8; + ++scale_len; + + } // scale_len will be >= 4; + + if (scale_len >= 4) { + + scale_len -= 4; + + } else { + + scale_len = 0; + + }; + + new_vall += (scale_len << 2) + 3; + ilen = scale_len + 5; + + if (ilen <= its_len) { + + u8 tmpbuf[32]; + memcpy(tmpbuf, buf + idx, ilen); + memcpy(buf + idx, (char *)&new_vall, ilen); + + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } + #ifdef CMPLOG_COMBINE + if (*status == 1) { memcpy(cbuf + idx, (char *)&new_vall, ilen); } + #endif + memcpy(buf + idx, tmpbuf, ilen); + + }; + + do_call = 0; + + } + +#endif + + } + + if (do_call) { + + if (ilen <= its_len) { + + u8 tmpbuf[32]; + memcpy(tmpbuf, buf + idx, ilen); + memcpy(buf + idx, (char *)&new_val, ilen); + + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } +#ifdef CMPLOG_COMBINE + if (*status == 1) { memcpy(cbuf + idx, (char *)&new_val, ilen); } +#endif + memcpy(buf + idx, tmpbuf, ilen); + + }; + + } + + } + // here we add and subract 1 from the value, but only if it is not an // == or != comparison // Bits: 1 = Equal, 2 = Greater, 4 = Lesser, 8 = Float @@ -1551,6 +1687,77 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, } + // Scale encoding only works on little endian systems + + if (attr < IS_FP && attr < 32 && + (afl->cmplog_enable_scale || lvl >= LVL3)) { + + u128 new_val = repl << 2; + u128 max_scale = (u128)1 << 120; + u32 ilen = 0; + u8 do_call = 1; + + if (new_val <= 255) { + + ilen = 1; + + } else if (new_val <= 65535) { + + new_val += 1; // two byte mode + ilen = 2; + + } else if (new_val <= 4294967295) { + + new_val += 2; // four byte mode + ilen = 4; + + } else if (repl < max_scale) { + + new_val = (u128)repl << 8; + u8 scale_len = 0; + u128 tmp_val = (u128)repl; + while (tmp_val) { + + tmp_val >>= 8; + ++scale_len; + + } // scale_len will be >= 4; + + if (scale_len >= 4) { + + scale_len -= 4; + + } else { + + scale_len = 0; + + }; + + new_val += (scale_len << 2) + 3; + ilen = scale_len + 5; + + } else { + + do_call = 0; + + } + + if (do_call && ilen <= its_len) { + + u8 tmpbuf[32]; + memcpy(tmpbuf, buf + idx, ilen); + memcpy(buf + idx, (char *)&new_val, ilen); + + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } + #ifdef CMPLOG_COMBINE + if (*status == 1) { memcpy(cbuf + idx, (char *)&new_val, ilen); } + #endif + memcpy(buf + idx, tmpbuf, ilen); + + }; + + } + } return 0; @@ -1621,7 +1828,7 @@ static void try_to_add_to_dictN(afl_state_t *afl, u128 v, u8 size) { for (k = 0; k < size; ++k) { #else - u32 off = 16 - size; + u32 off = 16 - size; for (k = 16 - size; k < 16; ++k) { #endif diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2538f4a4..becad351 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -486,6 +486,22 @@ int main(int argc, char **argv_orig, char **envp) { struct timeval tv; struct timezone tz; + doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; + + if (argc > 1 && strcmp(argv_orig[1], "--version") == 0) { + + printf("afl-fuzz" VERSION "\n"); + exit(0); + + } + + if (argc > 1 && strcmp(argv_orig[1], "--help") == 0) { + + usage(argv_orig[0], 1); + exit(0); + + } + #if defined USE_COLOR && defined ALWAYS_COLORED if (getenv("AFL_NO_COLOR") || getenv("AFL_NO_COLOUR")) { @@ -515,8 +531,6 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a large online community\n"); - doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; - gettimeofday(&tv, &tz); rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); @@ -1152,6 +1166,10 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': afl->cmplog_enable_arith = 1; break; + case 's': + case 'S': + afl->cmplog_enable_scale = 1; + break; case 't': case 'T': afl->cmplog_enable_transform = 1; |