7 files changed, 24 insertions, 70 deletions

diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index c6f5a76c..30e6ebb9 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -1,12 +1,8 @@
-//===- afl_driver.cpp - a glue between AFL and libFuzzer --------*- C++ -* ===//
-//
-// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
-// See https://llvm.org/LICENSE.txt for license information.
-// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//===- afl_driver.cpp - a glue between AFL++ and libFuzzer ------*- C++ -* ===//
 //===----------------------------------------------------------------------===//
 
 /* This file allows to fuzz libFuzzer-style target functions
- (LLVMFuzzerTestOneInput) with AFL using AFL's persistent (in-process) mode.
+ (LLVMFuzzerTestOneInput) with AFL++ using persistent in-memory fuzzing.
 
 Usage:
 ################################################################################
@@ -25,25 +21,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
 EOF
 # Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang.
-clang -g -fsanitize-coverage=trace-pc-guard test_fuzzer.cc -c
+clang -c aflpp_driver.c
 # Build afl-compiler-rt.o.c from the AFL distribution.
-clang -c -w $AFL_HOME/instrumentation/afl-compiler-rt.o.c
+clang -c $AFL_HOME/instrumentation/afl-compiler-rt.o.c
 # Build this file, link it with afl-compiler-rt.o.o and the target code.
-clang++ afl_driver.cpp test_fuzzer.o afl-compiler-rt.o.o
+afl-clang-fast -o test_fuzzer test_fuzzer.cc afl-compiler-rt.o aflpp_driver.o
 # Run AFL:
 rm -rf IN OUT; mkdir IN OUT; echo z > IN/z;
 $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out
 ################################################################################
-AFL_DRIVER_STDERR_DUPLICATE_FILENAME: Setting this *appends* stderr to the file
-specified. If the file does not exist, it is created. This is useful for getting
-stack traces (when using ASAN for example) or original error messages on hard
-to reproduce bugs. Note that any content written to stderr will be written to
-this file instead of stderr's usual location.
-
-AFL_DRIVER_CLOSE_FD_MASK: Similar to libFuzzer's -close_fd_mask behavior option.
-If 1, close stdout at startup. If 2 close stderr; if 3 close both.
-
 */
+
 #include <assert.h>
 #include <errno.h>
 #include <stdarg.h>
@@ -65,47 +53,6 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
   #include "hash.h"
 #endif
 
-#ifndef MAP_FIXED_NOREPLACE
-  #define MAP_FIXED_NOREPLACE 0x100000
-#endif
-
-#define MAX_DUMMY_SIZE 256000
-
-// Platform detection. Copied from FuzzerInternal.h
-#ifdef __linux__
-  #define LIBFUZZER_LINUX 1
-  #define LIBFUZZER_APPLE 0
-  #define LIBFUZZER_NETBSD 0
-  #define LIBFUZZER_FREEBSD 0
-  #define LIBFUZZER_OPENBSD 0
-#elif __APPLE__
-  #define LIBFUZZER_LINUX 0
-  #define LIBFUZZER_APPLE 1
-  #define LIBFUZZER_NETBSD 0
-  #define LIBFUZZER_FREEBSD 0
-  #define LIBFUZZER_OPENBSD 0
-#elif __NetBSD__
-  #define LIBFUZZER_LINUX 0
-  #define LIBFUZZER_APPLE 0
-  #define LIBFUZZER_NETBSD 1
-  #define LIBFUZZER_FREEBSD 0
-  #define LIBFUZZER_OPENBSD 0
-#elif __FreeBSD__
-  #define LIBFUZZER_LINUX 0
-  #define LIBFUZZER_APPLE 0
-  #define LIBFUZZER_NETBSD 0
-  #define LIBFUZZER_FREEBSD 1
-  #define LIBFUZZER_OPENBSD 0
-#elif __OpenBSD__
-  #define LIBFUZZER_LINUX 0
-  #define LIBFUZZER_APPLE 0
-  #define LIBFUZZER_NETBSD 0
-  #define LIBFUZZER_FREEBSD 0
-  #define LIBFUZZER_OPENBSD 1
-#else
-  #error "Support for your platform has not been implemented"
-#endif
-
 int                   __afl_sharedmem_fuzzing = 1;
 extern unsigned int * __afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;
diff --git a/utils/defork/defork.c b/utils/defork/defork.c
index f71d1124..f50b9a4b 100644
--- a/utils/defork/defork.c
+++ b/utils/defork/defork.c
@@ -1,4 +1,4 @@
-#define __GNU_SOURCE
+#define _GNU_SOURCE
 #include <dlfcn.h>
 #include <unistd.h>
 #include <stdio.h>
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index 1785463e..d0340af0 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -1,6 +1,6 @@
 # libdislocator, an abusive allocator
 
-  (See ../README.md for the general instruction manual.)
+  (See ../../README.md for the general instruction manual.)
 
 This is a companion library that can be used as a drop-in replacement for the
 libc allocator in the fuzzed binaries. It improves the odds of bumping into
diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c
index 2324e390..c041fec6 100644
--- a/utils/libdislocator/libdislocator.so.c
+++ b/utils/libdislocator/libdislocator.so.c
@@ -345,10 +345,10 @@ void free(void *ptr) {
   len = PTR_L(ptr);
 
   total_mem -= len;
+  u8 *ptr_ = ptr;
 
   if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) {
 
-    u8 *   ptr_ = ptr;
     size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
     for (; len < rlen; ++len)
       if (ptr_[len] != TAIL_ALLOC_CANARY)
@@ -359,11 +359,13 @@ void free(void *ptr) {
   /* Protect everything. Note that the extra page at the end is already
      set as PROT_NONE, so we don't need to touch that. */
 
-  ptr -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
+  ptr_ -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
 
-  if (mprotect(ptr - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
+  if (mprotect(ptr_ - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
     FATAL("mprotect() failed when freeing memory");
 
+  ptr = ptr_;
+
   /* Keep the mapping; this is wasteful, but prevents ptr reuse. */
 
 }
diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md
index 13a440da..a39ed3a5 100644
--- a/utils/libtokencap/README.md
+++ b/utils/libtokencap/README.md
@@ -1,6 +1,11 @@
 # strcmp() / memcmp() token capture library
 
-  (See ../README.md for the general instruction manual.)
+ NOTE: libtokencap is only recommended for binary-only targets or targets that
+ do not compile with afl-clang-fast/afl-clang-lto.
+ The afl-clang-fast AFL_LLVM_DICT2FILE feature is much better, afl-clang-lto
+ has that feature automatically integrated.
+
+  (See ../../README.md for the general instruction manual.)
 
 This companion library allows you to instrument `strcmp()`, `memcmp()`,
 and related functions to automatically extract syntax tokens passed to any of
diff --git a/utils/persistent_mode/Makefile b/utils/persistent_mode/Makefile
index 6fa1c30e..e348c46c 100644
--- a/utils/persistent_mode/Makefile
+++ b/utils/persistent_mode/Makefile
@@ -1,10 +1,10 @@
 all:
-	afl-clang-fast -o persistent_demo persistent_demo.c
-	afl-clang-fast -o persistent_demo_new persistent_demo_new.c
-	AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c
+	../../afl-clang-fast -o persistent_demo persistent_demo.c
+	../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c
+	AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c
 
 document:
-	AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c
+	AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c
 
 clean:
 	rm -f persistent_demo persistent_demo_new test-instr
diff --git a/utils/qemu_persistent_hook/test.c b/utils/qemu_persistent_hook/test.c
index afeff202..a0e815dc 100644
--- a/utils/qemu_persistent_hook/test.c
+++ b/utils/qemu_persistent_hook/test.c
@@ -2,7 +2,7 @@
 
 int target_func(unsigned char *buf, int size) {
 
-  printf("buffer:%p, size:%p\n", buf, size);
+  printf("buffer:%p, size:%d\n", buf, size);
   switch (buf[0]) {
 
     case 1: