From 044d3e823e5aeb172a01009e4d461b563fc27d24 Mon Sep 17 00:00:00 2001 From: むぎ茶 <49231682+verifsec@users.noreply.github.com> Date: Tue, 5 Apr 2022 17:38:34 +0900 Subject: [wantfix] make error @SIMPLE_FILES MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hi there! I tried to compile with SIMPLE_FILES, but got an error message. Please have a look through it. Sincerely. ``` src/afl-fuzz-bitmap.c: In function ‘save_if_interesting’: src/afl-fuzz-bitmap.c:706:39: error: ‘afl_state_t’ {aka ‘struct afl_state’} has no member named ‘last_kill_signal’ 706 | afl->saved_crashes, afl->last_kill_signal); | ^~ make: *** [GNUmakefile:437: afl-fuzz] Error 1 ``` --- src/afl-fuzz-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 99f37cbf..e4124bf5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -703,7 +703,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #else snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, - afl->saved_crashes, afl->last_kill_signal); + afl->saved_crashes, afl->fsrv.last_kill_signal); #endif /* ^!SIMPLE_FILES */ -- cgit 1.4.1 From 84e03e4a4d24dc851f01d53394ecfae57d2c82f8 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 5 Apr 2022 22:54:36 +0100 Subject: network client mem leak fix. --- utils/afl_network_proxy/afl-network-client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/utils/afl_network_proxy/afl-network-client.c b/utils/afl_network_proxy/afl-network-client.c index ceffb1ed..7d04a89a 100644 --- a/utils/afl_network_proxy/afl-network-client.c +++ b/utils/afl_network_proxy/afl-network-client.c @@ -407,7 +407,9 @@ int main(int argc, char *argv[]) { #ifdef USE_DEFLATE libdeflate_free_compressor(compressor); libdeflate_free_decompressor(decompressor); + free(buf2); #endif + free(buf); return 0; -- cgit 1.4.1 
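Review bot: The corrected `afl->fsrv.last_kill_signal` resolves the build error, but the fact that a stale member name could ship at all suggests the `SIMPLE_FILES` branch of `save_if_interesting` is not compile-tested; adding one CI build with `SIMPLE_FILES` defined would catch the next drift between the two `#ifndef SIMPLE_FILES` arms, which must stay in step by hand. `save_if_interesting` starts and ends outside the hunk.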
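Review bot: `free(buf)` and `free(buf2)` sit immediately before the final `return 0` of `main`, so they only quiet leak checkers on the normal exit path; any earlier `return` or `exit()` inside `main` (the function begins well before the hunk, so this cannot be confirmed here) would still leave both buffers allocated. If such paths exist, a single cleanup label that frees both and returns would cover them uniformly. `buf2` is freed only under `USE_DEFLATE`, which is correct only if it is allocated solely under that define; worth checking against the allocation site.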
From 0e9d0ebbfe759519fb69c204a69205b851cc42ef Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 6 Apr 2022 09:36:57 +0200 Subject: fix cmplog! --- instrumentation/cmplog-instructions-pass.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index fd7930a1..4d37bcb2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -515,7 +515,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { while (1) { std::vector args; - bool skip = true; + bool skip = false; if (vector_cnt) { -- cgit 1.4.1 From 3c5edab724f7e067163e85e94077c48894989573 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 6 Apr 2022 10:10:10 +0200 Subject: add cmplog icmp testcase to CI --- test/test-cmplog.c | 8 +++++--- test/test-llvm.sh | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 1a314653..d724ecaf 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -8,13 +8,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { - if (i < 24) return 0; + if (i < 30) return 0; if (buf[0] != 'A') return 0; if (buf[1] != 'B') return 0; if (buf[2] != 'C') return 0; if (buf[3] != 'D') return 0; - if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; - if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) + int *icmp = (int *)(buf + 4); + if (*icmp != 0x69694141) return 0; + if (memcmp(buf + 8, "1234", 4) || memcmp(buf + 12, "EFGH", 4)) return 0; + if (strncmp(buf + 16, "IJKL", 4) == 0 && strcmp(buf + 20, "DEADBEEF") == 0) abort(); return 0; diff --git a/test/test-llvm.sh b/test/test-llvm.sh index ddbee378..ce64d76c 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh 
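Review bot: Flipping the default to `bool skip = false;` means every iteration of the `while (1)` loop now hooks the compare unless a later check in the loop body (outside the hunk) explicitly sets `skip = true`, and that intent is not stated anywhere near the declaration. A comment such as `// assume the compare is hookable; the checks below opt out by setting skip` would stop the next reader from "fixing" it back to `true`. The body of `hookInstrs` continues beyond the hunk.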
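Review bot: `int *icmp = (int *)(buf + 4);` reads a 4-byte `int` through a pointer derived from `const uint8_t *`, which both discards `const` and is an unaligned, type-punned access that is undefined behavior in C and can trap on strict-alignment targets. A `memcpy` into a local still yields the integer compare the cmplog pass is meant to see while staying well-defined: `int icmp; memcpy(&icmp, buf + 4, sizeof icmp); if (icmp != 0x69694141) return 0;`. The constant also makes the check endianness-dependent, which is probably fine for a CI harness but deserves a one-line comment.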
@@ -261,7 +261,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" { mkdir -p in - echo 0000000000000000000000000 > in/in + echo 00000000000000000000000000000000 > in/in AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V60 -i in -o out -c./test-cmplog -- ./test-cmplog >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" & { -- cgit 1.4.1 From 8385bc794a43dbb5f9a5a68189bb9a540f790bca Mon Sep 17 00:00:00 2001 From: Michael Rodler Date: Mon, 4 Apr 2022 13:26:52 +0200 Subject: make flag to avoid building nyx mode --- GNUmakefile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/GNUmakefile b/GNUmakefile index d31c52da..3301a915 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -625,7 +625,9 @@ ifeq "$(ARCH)" "aarch64" -$(MAKE) -C coresight_mode endif ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh +endif endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -645,7 +647,9 @@ ifeq "$(ARCH)" "aarch64" -$(MAKE) -C coresight_mode endif ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh +endif endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh @@ -661,8 +665,10 @@ endif -$(MAKE) -C utils/libtokencap # -$(MAKE) -C utils/plot_ui ifeq "$(SYS)" "Linux" +ifndef NO_NYX -cd nyx_mode && ./build_nyx_support.sh endif +endif %.8: % @echo .TH $* 8 $(BUILD_DATE) "afl++" > $@ -- cgit 1.4.1 From bf5b90f95a11090fdbda0da7468f657125cd4fab Mon Sep 17 00:00:00 2001 From: Michael Rodler Date: Wed, 6 Apr 2022 14:20:36 +0200 Subject: added NO_NYX flag to docs and help message --- GNUmakefile | 1 + docs/INSTALL.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/GNUmakefile b/GNUmakefile index 3301a915..ec81cbac 100644 
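Review bot: The `ifndef NO_NYX` guard is pasted identically into three targets (the hunks at `@@ -625`, `@@ -645` and `@@ -661`), so the next change to the nyx build line has to be made three times; a single conditional variable, `ifndef NO_NYX` / `NYX_BUILD = -cd nyx_mode && ./build_nyx_support.sh` / `endif`, referenced from each target, would keep them in sync. Note also that `ifndef` tests only whether the name is defined, so `make NO_NYX=0` still disables the nyx build; if the other `NO_*` options in this Makefile behave the same way that is consistent, otherwise it should be stated in the help text.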
--- a/GNUmakefile +++ b/GNUmakefile @@ -373,6 +373,7 @@ help: @echo INTROSPECTION - compile afl-fuzz with mutation introspection @echo NO_PYTHON - disable python support @echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing + @echo NO_NYX - disable building nyx mode dependencies @echo AFL_NO_X86 - if compiling on non-intel/amd platforms @echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)" @echo "==========================================" diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 3fa7fd13..348b681e 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -80,6 +80,7 @@ These build options exist: * NO_PYTHON - disable python support * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing +* NO_NYX - disable building nyx mode dependencies * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian) @@ -178,4 +179,4 @@ sysctl kern.sysv.shmall=98304 See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) -for documentation for these settings and how to make them permanent. \ No newline at end of file +for documentation for these settings and how to make them permanent. -- cgit 1.4.1 From 3ccebbf9c5b19c0afd1ad72114b61057db290d55 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Wed, 6 Apr 2022 17:30:27 +0200 Subject: Typo --- docs/Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index d50a679b..2406e7ba 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -20,7 +20,7 @@ sending a mail to . - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent mode and manual forkserver support if these are not in the target binary (e.g. are in a shared library) - - add AFL_EARY_FORKSERVER to install the forkserver as earliest as + - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) - document and auto-activate pizza mode on condition -- cgit 1.4.1 From 3261e86a3a5f5d2078a88b955f2a61cea99d7ed6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 7 Apr 2022 09:43:51 +0200 Subject: save timeouts --- src/afl-fuzz-bitmap.c | 30 +++++++++++++++++++++++++----- unicorn_mode/unicornafl | 2 +- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index e4124bf5..cdcc1d4a 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { + u8 is_timeout = 0; + + if (new_bits & 0xf0) { + + new_bits -= 0x80; + is_timeout = 1; + + } + size_t real_max_len = MIN(max_description_len, sizeof(afl->describe_op_buf_256)); u8 *ret = afl->describe_op_buf_256; @@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { ret[len_current] = '\0'; ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2; + if (is_timeout) { size_left -= strlen(",+tout"); } if (unlikely(size_left <= 0)) FATAL("filename got too long"); const char *custom_description = @@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { } + if (is_timeout) { strcat(ret, ",+tout"); } + if (new_bits == 2) { strcat(ret, ",+cov"); } if (unlikely(strlen(ret) >= max_description_len)) 
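Review bot: The timeout flag is tested with `new_bits & 0xf0` but removed with `new_bits -= 0x80`, so for a value with a bit in 0x10–0x40 set but not 0x80 the subtraction wraps the `u8` and produces a nonsense coverage level instead of rejecting the input. Test and clear the same bit, `if (new_bits & 0x80) { new_bits &= 0x7f; is_timeout = 1; }`, or better, pass the timeout as its own parameter rather than smuggling it through the high bit of `new_bits` (the caller builds it as `new_bits + is_timeout` in the same commit), provided no other caller of `describe_op` needs updating. Either way, a comment at the declaration of `is_timeout` should state that the high bit of `new_bits` is reserved for this purpose.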
@@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 fn[PATH_MAX]; u8 *queue_fn = ""; - u8 new_bits = 0, keeping = 0, res, classified = 0; + u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0; s32 fd; u64 cksum = 0; @@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { classified = new_bits; + save_to_queue: + #ifndef SIMPLE_FILES - queue_fn = alloc_printf( - "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, - describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); + queue_fn = + alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, + describe_op(afl, new_bits + is_timeout, + NAME_MAX - strlen("id:000000,"))); #else @@ -597,6 +612,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } ++afl->saved_tmouts; + is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -647,7 +663,11 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; } + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + + goto save_to_queue; + + } } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e -- cgit 1.4.1 From 9933a6f3ab6c5b02c9f108dded6eb93ed59d2941 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 7 Apr 2022 10:21:44 +0200 Subject: update grammar mutator --- custom_mutators/grammar_mutator/GRAMMAR_VERSION | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/custom_mutators/grammar_mutator/GRAMMAR_VERSION b/custom_mutators/grammar_mutator/GRAMMAR_VERSION index 93f9321c..2568c6a5 100644 
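Review bot: `goto save_to_queue` jumps backward out of the `switch (fault)` into the middle of the earlier block that handles `fault == afl->crash_mode`, and once the queue-save code completes, control falls into `switch (fault)` again with `fault` still `FSRV_RUN_TMOUT`; nothing in these hunks shows what terminates that second pass (presumably the new-bits check on the timeout map now failing, but that is not visible here and should be confirmed), and the re-execution logic above the `goto` is reached again. A clearer shape is to move the queue-save code that follows `save_to_queue:` into a static helper called from both places, returning directly from the timeout case. At minimum a comment at the label should say it is entered from the `FSRV_RUN_TMOUT` case and that the fall-through into the `switch` is intended; the later "correct counting for tmouts" and "add AFL_KEEP_TIMEOUTS" commits keep the same jump. `save_if_interesting` starts and ends outside these hunks.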
--- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION +++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION @@ -1 +1 @@ -cbe5e32 +ff4e5a2 diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index cbe5e327..ff4e5a26 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff +Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 -- cgit 1.4.1 From 891f4d3c8e58ed06b0131673f9c58606f5d99978 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 09:31:39 +0200 Subject: correct counting for tmouts --- src/afl-fuzz-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index cdcc1d4a..0f6f0778 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -611,7 +611,6 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - ++afl->saved_tmouts; is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -665,6 +664,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + ++afl->saved_tmouts; goto save_to_queue; } -- cgit 1.4.1 From e9288bcfad6e350b6f3e85d45a42bae5aea480c1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 22:44:10 +0200 Subject: add AFL_KEEP_TIMEOUTS --- docs/Changelog.md | 3 +++ docs/env_variables.md | 3 +++ include/afl-fuzz.h | 2 +- include/envs.h | 1 + src/afl-fuzz-bitmap.c | 12 ++++++++++-- src/afl-fuzz-state.c | 7 +++++++ 6 files changed, 25 insertions(+), 3 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 2406e7ba..689cc94b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -23,6 +23,9 @@ sending a mail to . - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - "saved timeouts" was wrong information, timeouts are still thrown + away by default even if they have new coverage (hangs are always + kept), unless AFL_KEEP_TIMEOUTS are set - document and auto-activate pizza mode on condition - afl-cc: - converted all passed to use the new llvm pass manager for llvm 11+ diff --git a/docs/env_variables.md b/docs/env_variables.md index 9ffb08e7..fe9c6e07 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! + - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach + new coverage + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which does not allow crashes or timeout seeds in the initial -i corpus. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4f4d63b2..8bb61e22 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -385,7 +385,7 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, - afl_pizza_mode; + afl_keep_timeouts, afl_pizza_mode; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/envs.h b/include/envs.h index 1746f946..25b792fa 100644 --- a/include/envs.h +++ b/include/envs.h @@ -106,6 +106,7 @@ static char *afl_environment_variables[] = { "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO", + "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", 
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0f6f0778..7c2b35d6 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -664,8 +664,16 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { - ++afl->saved_tmouts; - goto save_to_queue; + if (afl->afl_env.afl_keep_timeouts) { + + ++afl->saved_tmouts; + goto save_to_queue; + + } else { + + return keeping; + + } } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 5924dd7b..47e39762 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_hang_tmout = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_keep_timeouts = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", afl_environment_variable_len)) { -- cgit 1.4.1 From d8317182ef5e2afbff56de697be85b10a4abece1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 23:10:35 +0200 Subject: update fuzzing in depth --- docs/fuzzing_in_depth.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index cff00f77..2bbfa1c1 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
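Review bot: The new branch reads more directly as a guard clause, `if (!afl->afl_env.afl_keep_timeouts) { return keeping; }` followed by the increment and `goto save_to_queue`, which also keeps the early-return shape used elsewhere in this function. A one-line comment before the check, e.g. `/* timeouts with new coverage are dropped unless AFL_KEEP_TIMEOUTS is set; hangs were handled above */`, would tie the code to the env var documentation added in this commit. The function continues outside the hunk.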
@@ -911,16 +911,17 @@ normal fuzzing campaigns as these are much shorter runnings. * Keep the generated corpus, use afl-cmin and reuse it every time! 2. Additionally randomize the AFL++ compilation options, e.g.: - * 40% for `AFL_LLVM_CMPLOG` - * 10% for `AFL_LLVM_LAF_ALL` + * 30% for `AFL_LLVM_CMPLOG` + * 5% for `AFL_LLVM_LAF_ALL` 3. Also randomize the afl-fuzz runtime options, e.g.: * 65% for `AFL_DISABLE_TRIM` + * 50% for `AFL_KEEP_TIMEOUTS` * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` * 40% use MOpt (`-L 0`) * 40% for `AFL_EXPAND_HAVOC_NOW` * 20% for old queue processing (`-Z`) - * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3` + * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT` 4. Do *not* run any `-M` modes, just running `-S` modes is better for CI fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing -- cgit 1.4.1 From 5d4b0938d5c3ddad18c85c1f2a4c516d46bbf243 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 23:28:01 +0200 Subject: link https://github.com/fuzzah/exeptor --- docs/fuzzing_in_depth.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 2bbfa1c1..2c27dfe1 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -333,6 +333,9 @@ is a non-standard way to set this, otherwise set up the build normally and edit the generated build environment afterwards manually to point it to the right compiler (and/or `RANLIB` and `AR`). +In complex, weird, alien build systems you can try this neat project: +[https://github.com/fuzzah/exeptor](https://github.com/fuzzah/exeptor) + #### Linker scripts If the project uses linker scripts to hide the symbols exported by the -- cgit 1.4.1