diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-cc.c | 16 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 170 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 39 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 28 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 173 | ||||
| -rw-r--r-- | src/afl-showmap.c | 11 |
6 files changed, 418 insertions, 19 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c index f90f62a8..9e5eed93 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -556,7 +556,16 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (lto_mode && !have_c) { u8 *ld_path = NULL; - if (getenv("AFL_REAL_LD")) { ld_path = strdup(getenv("AFL_REAL_LD")); } + if (getenv("AFL_REAL_LD")) { + + ld_path = strdup(getenv("AFL_REAL_LD")); + + } else { + + ld_path = strdup(AFL_REAL_LD); + + } + if (!ld_path || !*ld_path) { ld_path = strdup("ld.lld"); } if (!ld_path) { PFATAL("Could not allocate mem for ld_path"); } #if defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 12 @@ -867,7 +876,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=leak"; cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; - cc_params[cc_par_cnt++] = "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()"; + cc_params[cc_par_cnt++] = "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) _exit(23); }"; + cc_params[cc_par_cnt++] = "-D__AFL_LSAN_OFF()=__lsan_disable();"; + cc_params[cc_par_cnt++] = "-D__AFL_LSAN_ON()=__lsan_enable();"; + } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b871ea8c..4d57b95d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -71,6 +71,17 @@ static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) { void afl_fsrv_init(afl_forkserver_t *fsrv) { +#ifdef __linux__ + fsrv->nyx_handlers = NULL; + fsrv->out_dir_path = NULL; + fsrv->nyx_mode = 0; + fsrv->nyx_parent = false; + fsrv->nyx_standalone = false; + fsrv->nyx_runner = NULL; + fsrv->nyx_id = 0xFFFFFFFF; + fsrv->nyx_bind_cpu_id = 0xFFFFFFFF; +#endif + // this structure needs default so we initialize it if this was not done // already fsrv->out_fd = -1; @@ -375,6 +386,82 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, s32 rlen; char *ignore_autodict = getenv("AFL_NO_AUTODICT"); +#ifdef __linux__ + if (unlikely(fsrv->nyx_mode)) { + + if (fsrv->nyx_runner != NULL) { return; } + + if (!be_quiet) { ACTF("Spinning up the NYX backend..."); } + + if (fsrv->out_dir_path == NULL) { FATAL("Nyx workdir path not found..."); } + + char *x = alloc_printf("%s/workdir", fsrv->out_dir_path); + + if (fsrv->nyx_id == 0xFFFFFFFF) { FATAL("Nyx ID is not set..."); } + + if (fsrv->nyx_bind_cpu_id == 0xFFFFFFFF) { + + FATAL("Nyx CPU ID is not set..."); + + } + + if (fsrv->nyx_parent) { + + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( + fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, + !fsrv->nyx_standalone); + + } else { + + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( + fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); + + } + + if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } + + u32 tmp_map_size = + fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner); + fsrv->real_map_size = fsrv->map_size; + fsrv->map_size = (((tmp_map_size + 63) >> 6) << 6); + if (!be_quiet) { ACTF("Target map size: %u", fsrv->real_map_size); } + + fsrv->trace_bits = + fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner); + + fsrv->nyx_handlers->nyx_option_set_reload_mode( + fsrv->nyx_runner, getenv("NYX_DISABLE_SNAPSHOT_MODE") == NULL); + fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + + fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0); + fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + + /* dry run */ + fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4); + switch (fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)) { + + case Abort: + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + FATAL("Error: Nyx abort occured..."); + break; + case IoError: + FATAL("Error: QEMU-Nyx has died..."); + break; + case Error: + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + FATAL("Error: Nyx runtime error has occured..."); + break; + default: + break; + + } + + return; + + } + +#endif + if (!be_quiet) { ACTF("Spinning up the fork server..."); } #ifdef AFL_PERSISTENT_RECORD @@ -1085,6 +1172,10 @@ void afl_fsrv_kill(afl_forkserver_t *fsrv) { fsrv->fsrv_pid = -1; fsrv->child_pid = -1; +#ifdef __linux__ + if (fsrv->nyx_mode) { fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); } +#endif + } /* Get the map size from the target forkserver */ @@ -1101,6 +1192,16 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { +#ifdef __linux__ + if (unlikely(fsrv->nyx_mode)) { + + fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, buf, len); + return; + + } + +#endif + #ifdef AFL_PERSISTENT_RECORD if (unlikely(fsrv->persistent_record)) { @@ -1214,13 +1315,80 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, u32 exec_ms; u32 write_value = fsrv->last_run_timed_out; +#ifdef __linux__ + if (fsrv->nyx_mode) { + + static uint32_t last_timeout_value = 0; + + if (last_timeout_value != timeout) { + + fsrv->nyx_handlers->nyx_option_set_timeout( + fsrv->nyx_runner, timeout / 1000, (timeout % 1000) * 1000); + fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + last_timeout_value = timeout; + + } + + enum NyxReturnValue ret_val = + fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner); + + fsrv->total_execs++; + + switch (ret_val) { + + case Normal: + return FSRV_RUN_OK; + case Crash: + case Asan: + return FSRV_RUN_CRASH; + case Timout: + return FSRV_RUN_TMOUT; + case InvalidWriteToPayload: + /* ??? */ + FATAL("FixMe: Nyx InvalidWriteToPayload handler is missing"); + break; + case Abort: + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + FATAL("Error: Nyx abort occured..."); + case IoError: + if (*stop_soon_p) { + + return 0; + + } else { + + FATAL("Error: QEMU-Nyx has died..."); + + } + + break; + case Error: + FATAL("Error: Nyx runtime error has occured..."); + break; + + } + + return FSRV_RUN_OK; + + } + +#endif /* After this memset, fsrv->trace_bits[] are effectively volatile, so we must prevent any earlier operations from venturing into that territory. */ - memset(fsrv->trace_bits, 0, fsrv->map_size); +#ifdef __linux__ + if (!fsrv->nyx_mode) { + + memset(fsrv->trace_bits, 0, fsrv->map_size); + MEM_BARRIER(); + + } +#else + memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); +#endif /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 7a8bd674..dc18f1a9 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -412,6 +412,9 @@ void bind_to_free_cpu(afl_state_t *afl) { if (bind_cpu(afl, i)) { + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = i; } + #endif /* Success :) */ break; @@ -1090,6 +1093,14 @@ void perform_dry_run(afl_state_t *afl) { FATAL("Unable to execute target application ('%s')", afl->argv[0]); case FSRV_RUN_NOINST: +#ifdef __linux__ + if (afl->fsrv.nyx_mode && afl->fsrv.nyx_runner != NULL) { + + afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner); + + } + +#endif FATAL("No instrumentation detected"); case FSRV_RUN_NOBITS: @@ -2443,6 +2454,9 @@ void fix_up_sync(afl_state_t *afl) { x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id); +#ifdef __linux__ + if (afl->fsrv.nyx_mode) { afl->fsrv.out_dir_path = afl->out_dir; } +#endif afl->sync_dir = afl->out_dir; afl->out_dir = x; @@ -2580,6 +2594,28 @@ void check_binary(afl_state_t *afl, u8 *fname) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { afl->fsrv.target_path = ck_strdup(fname); +#ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + /* check if target_path is a nyx sharedir */ + if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)) { + + char *tmp = alloc_printf("%s/config.ron", afl->fsrv.target_path); + if (stat(tmp, &st) || S_ISREG(st.st_mode)) { + + free(tmp); + return; + + } + + } + + FATAL("Directory '%s' not found or is not a nyx share directory", + afl->fsrv.target_path); + + } + +#endif if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || (f_len = st.st_size) < 4) { @@ -2719,6 +2755,9 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode && +#ifdef __linux__ + !afl->fsrv.nyx_mode && +#endif !afl->fsrv.cs_mode && !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 289f7e09..ba8faaf0 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -679,11 +679,29 @@ void show_stats(afl_state_t *afl) { banner_pad = (79 - banner_len) / 2; memset(banner, ' ', banner_pad); - sprintf(banner + banner_pad, - "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", - afl->crash_mode ? cPIN "peruvian were-rabbit" - : cYEL "american fuzzy lop", - si, afl->use_banner, afl->power_name); +#ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); + + } else { + +#endif + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); + +#ifdef __linux__ + + } + +#endif } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f52637f5..5c62262e 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -105,7 +105,7 @@ static void usage(u8 *argv0, int more_help) { " -p schedule - power schedules compute a seed's performance score:\n" " fast(default), explore, exploit, seek, rare, mmopt, " "coe, lin\n" - " quad -- see docs/power_schedules.md\n" + " quad -- see docs/FAQ.md for more information\n" " -f file - location read by the fuzzed program (default: stdin " "or @@)\n" " -t msec - timeout for each run (auto-scaled, default %u ms). " @@ -124,6 +124,10 @@ static void usage(u8 *argv0, int more_help) { " -W - use qemu-based instrumentation with Wine (Wine " "mode)\n" #endif +#if defined(__linux__) + " -X - use VM fuzzing (NYX mode - standalone mode)\n" + " -Y - use VM fuzzing (NYX mode - multiple instances mode)\n" +#endif "\n" "Mutator settings:\n" @@ -385,6 +389,60 @@ static void fasan_check_afl_preload(char *afl_preload) { } + #ifdef __linux__ + #include <dlfcn.h> + +nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { + + void * handle; + nyx_plugin_handler_t *plugin = calloc(1, sizeof(nyx_plugin_handler_t)); + + ACTF("Trying to load libnyx.so plugin..."); + handle = dlopen((char *)libnyx_binary, RTLD_NOW); + if (!handle) { goto fail; } + + plugin->nyx_new = dlsym(handle, "nyx_new"); + if (plugin->nyx_new == NULL) { goto fail; } + + plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); + if (plugin->nyx_shutdown == NULL) { goto fail; } + + plugin->nyx_option_set_reload_mode = + dlsym(handle, "nyx_option_set_reload_mode"); + if (plugin->nyx_option_set_reload_mode == NULL) { goto fail; } + + plugin->nyx_option_set_timeout = dlsym(handle, "nyx_option_set_timeout"); + if (plugin->nyx_option_set_timeout == NULL) { goto fail; } + + plugin->nyx_option_apply = dlsym(handle, "nyx_option_apply"); + if (plugin->nyx_option_apply == NULL) { goto fail; } + + plugin->nyx_set_afl_input = dlsym(handle, "nyx_set_afl_input"); + if (plugin->nyx_set_afl_input == NULL) { goto fail; } + + plugin->nyx_exec = dlsym(handle, "nyx_exec"); + if (plugin->nyx_exec == NULL) { goto fail; } + + plugin->nyx_get_bitmap_buffer = dlsym(handle, "nyx_get_bitmap_buffer"); + if (plugin->nyx_get_bitmap_buffer == NULL) { goto fail; } + + plugin->nyx_get_bitmap_buffer_size = + dlsym(handle, "nyx_get_bitmap_buffer_size"); + if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; } + + OKF("libnyx plugin is ready!"); + return plugin; + +fail: + + FATAL("failed to load libnyx: %s\n", dlerror()); + free(plugin); + return NULL; + +} + + #endif + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -441,7 +499,7 @@ int main(int argc, char **argv_orig, char **envp) { while ((opt = getopt( argc, argv, - "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > + "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOXYo:p:RQs:S:t:T:UV:Wx:Z")) > 0) { switch (opt) { @@ -845,6 +903,29 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_banner = optarg; break; + #ifdef __linux__ + case 'X': /* NYX mode */ + + if (afl->fsrv.nyx_mode) { FATAL("Multiple -X options not supported"); } + + afl->fsrv.nyx_parent = true; + afl->fsrv.nyx_standalone = true; + afl->fsrv.nyx_mode = 1; + afl->fsrv.nyx_id = 0; + + break; + + case 'Y': /* NYX distributed mode */ + if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); } + afl->fsrv.nyx_mode = 1; + + break; + #else + case 'X': + case 'Y': + FATAL("Nyx mode is only availabe on linux..."); + break; + #endif case 'A': /* CoreSight mode */ #if !defined(__aarch64__) || !defined(__linux__) @@ -1185,6 +1266,16 @@ int main(int argc, char **argv_orig, char **envp) { OKF("NOTE: This is v3.x which changes defaults and behaviours - see " "README.md"); + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); + OKF("Nyx is open source, get it at " + "https://github.com/Nyx-Fuzz"); + + } + + #endif if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { @@ -1227,6 +1318,56 @@ int main(int argc, char **argv_orig, char **envp) { } + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + if (afl->fsrv.nyx_standalone && + strncmp(afl->sync_id, "default", strlen("default")) != 0) { + + FATAL( + "distributed fuzzing is not supported in this Nyx mode (use -Y " + "instead)"); + + } + + if (!afl->fsrv.nyx_standalone) { + + if (afl->is_main_node) { + + if (strncmp("0", afl->sync_id, strlen("0") != 0)) { + + FATAL( + "for Nyx -Y mode, the Main (-M) parameter has to be set to 0 (-M " + "0)"); + + } + + afl->fsrv.nyx_id = 0; + + } + + if (afl->is_secondary_node) { + + long nyx_id = strtol(afl->sync_id, NULL, 10); + + if (nyx_id == 0 || nyx_id == LONG_MAX) { + + FATAL( + "for Nyx -Y mode, the Secondary (-S) parameter has to be a " + "numeric value and >= 1 (e.g. -S 1)"); + + } + + afl->fsrv.nyx_id = nyx_id; + + } + + } + + } + + #endif + if (afl->sync_id) { if (strlen(afl->sync_id) > 24) { @@ -1450,8 +1591,28 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; + #ifdef __linux__ + if (!afl->fsrv.nyx_mode) { + + check_crash_handling(); + check_cpu_governor(afl); + + } else { + + u8 *libnyx_binary = find_afl_binary(argv[0], "libnyx.so"); + afl->fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); + if (afl->fsrv.nyx_handlers == NULL) { + + FATAL("failed to initialize libnyx.so..."); + + } + + } + + #else check_crash_handling(); check_cpu_governor(afl); + #endif if (getenv("LD_PRELOAD")) { @@ -1935,6 +2096,14 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->pending_not_fuzzed || !valid_seeds) { + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner); + + } + + #endif FATAL("We need at least one valid input seed that does not crash!"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 115f9f2a..e30819b3 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -105,15 +105,8 @@ static sharedmem_t * shm_fuzz; static const u8 count_class_human[256] = { - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 3, - [4] = 4, - [8] = 5, - [16] = 6, - [32] = 7, - [128] = 8 + [0] = 0, [1] = 1, [2] = 2, [3] = 3, [4] = 4, + [8] = 5, [16] = 6, [32] = 7, [128] = 8 }; |