Diffstat (limited to 'test')
-rw-r--r-- | test/test-compcov.c | 21 | ||||
-rw-r--r-- | test/test-custom-mutator.c | 19 | ||||
-rw-r--r-- | test/test-unsigaction.c | 50 | ||||
-rwxr-xr-x | test/test.sh | 27 | ||||
-rw-r--r-- | test/unittests/unit_list.c | 2 | ||||
-rw-r--r-- | test/unittests/unit_maybe_alloc.c | 4 | ||||
-rw-r--r-- | test/unittests/unit_preallocable.c | 2 |
7 files changed, 88 insertions, 37 deletions
diff --git a/test/test-compcov.c b/test/test-compcov.c index 89611bfb..f1743265 100644 --- a/test/test-compcov.c +++ b/test/test-compcov.c @@ -3,30 +3,47 @@ #include <unistd.h> #include <string.h> +char global_cmpval[] = "GLOBALVARIABLE"; + int main(int argc, char **argv) { + char *input = argv[1], *buf, buffer[20]; + char cmpval[] = "LOCALVARIABLE"; + char shortval[4] = "abc"; if (argc < 2) { + ssize_t ret = read(0, buffer, sizeof(buffer) - 1); buffer[ret] = 0; input = buffer; + } - + if (strcmp(input, "LIBTOKENCAP") == 0) printf("your string was libtokencap\n"); else if (strcmp(input, "BUGMENOT") == 0) printf("your string was bugmenot\n"); else if (strcmp(input, "BUFFEROVERFLOW") == 0) { + buf = malloc(16); strcpy(buf, "TEST"); strcat(buf, input); printf("This will only crash with libdislocator: %s\n", buf); return 0; - } else if (*(unsigned int*)input == 0xabadcafe) + + } else if (*(unsigned int *)input == 0xabadcafe) + printf("GG you eat cmp tokens for breakfast!\n"); + else if (memcmp(cmpval, input, 8) == 0) + printf("local var memcmp works!\n"); + else if (memcmp(shortval, input, 4) == 0) + printf("short local var memcmp works!\n"); + else if (memcmp(global_cmpval, input, sizeof(global_cmpval)) == 0) + printf("global var memcmp works!\n"); else printf("I do not know your string\n"); return 0; } + diff --git a/test/test-custom-mutator.c b/test/test-custom-mutator.c index 83baafab..f868550c 100644 --- a/test/test-custom-mutator.c +++ b/test/test-custom-mutator.c @@ -1,5 +1,6 @@ /** - * Reference: https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c + * Reference: + * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c */ #include <stdio.h> 
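Review bot: In test/test-compcov.c the three added `memcmp` branches read 8, 4 and `sizeof(global_cmpval)` bytes from `input` no matter how many bytes it actually holds. On the stdin path `buffer` is only written up to `ret`, so the bytes after the terminator are uninitialised and the branch taken can differ between runs of the same input; a short `argv[1]` is read past its terminator. Declaring the array as `buffer[20] = {0}` would make the stdin case deterministic. `buffer[ret] = 0` also writes one byte before the array when `read()` returns -1, so a guard such as `if (ret < 0) return 1;` belongs before it. The `BUFFEROVERFLOW` branch looks intentional from its message and is not part of this point.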
@@ -8,12 +9,12 @@ #include <stdlib.h> #include <unistd.h> -int main(int argc, char *argv[]) -{ - char str[100]; - read(0, str, 100); - if( str[6] == 'A') { - abort(); - } - return 0; +int main(int argc, char *argv[]) { + + char str[100]; + read(0, str, 100); + if (str[6] == 'A') { abort(); } + return 0; + } + diff --git a/test/test-unsigaction.c b/test/test-unsigaction.c index 1a5e4b26..8c6c7f41 100644 --- a/test/test-unsigaction.c +++ b/test/test-unsigaction.c @@ -1,25 +1,31 @@ -#include <signal.h> /* sigemptyset(), sigaction(), kill(), SIGUSR1 */ -#include <stdlib.h> /* exit() */ -#include <unistd.h> /* getpid() */ -#include <errno.h> /* errno */ -#include <stdio.h> /* fprintf() */ - -static void mysig_handler(int sig) -{ - exit(2); +#include <signal.h> /* sigemptyset(), sigaction(), kill(), SIGUSR1 */ +#include <stdlib.h> /* exit() */ +#include <unistd.h> /* getpid() */ +#include <errno.h> /* errno */ +#include <stdio.h> /* fprintf() */ + +static void mysig_handler(int sig) { + + exit(2); + } -int main() -{ - /* setup sig handler */ - struct sigaction sa; - sa.sa_handler = mysig_handler; - sigemptyset(&sa.sa_mask); - sa.sa_flags = 0; - if (sigaction(SIGCHLD, &sa, NULL)) { - fprintf(stderr, "could not set signal handler %d, aborted\n", errno); - exit(1); - } - kill(getpid(), SIGCHLD); - return 0; +int main() { + + /* setup sig handler */ + struct sigaction sa; + sa.sa_handler = mysig_handler; + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + if (sigaction(SIGCHLD, &sa, NULL)) { + + fprintf(stderr, "could not set signal handler %d, aborted\n", errno); + exit(1); + + } + + kill(getpid(), SIGCHLD); + return 0; + } + diff --git a/test/test.sh b/test/test.sh index 0666ca36..9a53825b 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -185,7 +185,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc esac rm -f in2/in* export AFL_QUIET=1 - if type bash >/dev/null ; then { + if command -v bash >/dev/null ; then { AFL_PATH=`pwd`/.. ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null CNT=`ls in2/* 2>/dev/null | wc -l` case "$CNT" in @@ -353,7 +353,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { - grep -Eq " [3-9][0-9] location" test.out && { + grep -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" } || { $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" @@ -581,6 +581,8 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { INCOMPLETE=1 } +test -z "$AFL_CC" && unset AFL_CC + $ECHO "$BLUE[*] Testing: shared library extensions" cc $CFLAGS -o test-compcov test-compcov.c > /dev/null 2>&1 test -e ../libtokencap.so && { @@ -669,7 +671,7 @@ test -e ../afl-qemu-trace && { test -e test-instr -a -e test-compcov && { { mkdir -p in - echo 0 > in/in + echo 00000 > in/in $ECHO "$GREY[*] running afl-fuzz for qemu_mode, this will take approx 10 seconds" { ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr >>errors 2>&1 
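Review bot: In the test/test.sh hunk at `@@ -353,7 +353,7 @@`, the widened pattern `" [ 12][0-9][0-9] location| [3-9][0-9] location"` accepts counts from 30 to 299 but still rejects 300 and above. Because `[ 12]` contains a space, it also accepts any two-digit count preceded by two spaces, including values below 30. If the intent is "at least 30 locations" (inferred from the old `[3-9][0-9]` pattern), `grep -Eq " ([1-9][0-9]{2,}|[3-9][0-9]) location" test.out` expresses that directly. A one-line comment above the check naming the expected minimum would keep the next adjustment from guessing.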
@@ -734,6 +736,25 @@ test -e ../afl-qemu-trace && { } || { $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode compcov" } + + test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { + $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds" + { + ../afl-fuzz -m none -V10 -Q -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode cmplog" + CODE=1 + } + rm -f errors + } || { + $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode cmplog" + } test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c index 11d3227c..90700a11 100644 --- a/test/unittests/unit_list.c +++ b/test/unittests/unit_list.c @@ -27,6 +27,7 @@ extern void mock_assert(const int result, const char* const expression, (compile with `--wrap=exit`) */ extern void exit(int status); extern void __real_exit(int status); +void __wrap_exit(int status); void __wrap_exit(int status) { assert(0); } @@ -34,6 +35,7 @@ void __wrap_exit(int status) { /* ignore all printfs */ extern int printf(const char *format, ...); extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...); int __wrap_printf(const char *format, ...) { return 1; } 
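Review bot: In the added qemu_mode cmplog block of test/test.sh (`@@ -734,6 +736,25 @@`), success is decided by `ls out/queue/id:000001*`, but nothing in the hunk clears `out` before `afl-fuzz` starts. If `out` still holds a queue from the preceding qemu_mode run and afl-fuzz fails before touching it (neither is visible here), the stale entry would satisfy the check and the test would report success. Putting `rm -rf out` ahead of the run, or using a dedicated output directory, removes that dependency. The run also passes `-m none` where the neighbouring tests use `-m ${MEM_LIMIT}`; if that is deliberate, a short comment saying why would help. The enclosing `test -e ../afl-qemu-trace && {` block starts and ends outside the hunk.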
diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index a856fa08..8cd8b11a 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -22,6 +22,7 @@ extern void mock_assert(const int result, const char* const expression, mock_assert((int)(expression), #expression, __FILE__, __LINE__); #include "alloc-inl.h" +void __wrap_exit(int status); /* remap exit -> assert, then use cmocka's mock_assert (compile with `--wrap=exit`) */ extern void exit(int status); @@ -30,6 +31,7 @@ void __wrap_exit(int status) { assert(0); } +int __wrap_printf(const char *format, ...); /* ignore all printfs */ extern int printf(const char *format, ...); extern int __real_printf(const char *format, ...); @@ -71,7 +73,7 @@ static void test_nonpow2_size(void **state) { } -static void test_zero_size() { +static void test_zero_size(void **state) { char *buf = NULL; size_t size = 0; diff --git a/test/unittests/unit_preallocable.c b/test/unittests/unit_preallocable.c index 8cd36165..8d619b78 100644 --- a/test/unittests/unit_preallocable.c +++ b/test/unittests/unit_preallocable.c @@ -27,6 +27,7 @@ extern void mock_assert(const int result, const char* const expression, (compile with `--wrap=exit`) */ extern void exit(int status); extern void __real_exit(int status); +void __wrap_exit(int status); void __wrap_exit(int status) { assert(0); } @@ -34,6 +35,7 @@ void __wrap_exit(int status) { /* ignore all printfs */ extern int printf(const char *format, ...); extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...); int __wrap_printf(const char *format, ...) { return 1; } |