From 4163f47e09bea05b2570d655c30c1d2a610ce7af Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 4 Aug 2020 13:54:13 +0200 Subject: fix example --- llvm_mode/afl-llvm-rt.o.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 88abcbe0..fcacc675 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -876,9 +876,13 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { if (bt_size > 0) { char **bt_syms = backtrace_symbols(bt, bt_size); - if (bt_syms) + if (bt_syms) { + fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]); + free(bt_syms); + + } } -- cgit 1.4.1 From a1c93f24d46504c29353ec64c8410b68624651f8 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 5 Aug 2020 12:19:43 +1200 Subject: Fix support for mips in qemu mode --- qemu_mode/build_qemu_support.sh | 1 + qemu_mode/patches/mips-fpu.diff | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 qemu_mode/patches/mips-fpu.diff diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index a7bfe20d..30ac158f 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -176,6 +176,7 @@ echo Building for CPU target $CPU_TARGET echo "[*] Applying patches..." patch -p1 <../patches/elfload.diff || exit 1 +patch -p1 <../patches/mips-fpu.diff || exit 1 patch -p1 <../patches/bsd-elfload.diff || exit 1 patch -p1 <../patches/cpu-exec.diff || exit 1 patch -p1 <../patches/syscall.diff || exit 1 diff --git a/qemu_mode/patches/mips-fpu.diff b/qemu_mode/patches/mips-fpu.diff new file mode 100644 index 00000000..646d167e --- /dev/null +++ b/qemu_mode/patches/mips-fpu.diff @@ -0,0 +1,15 @@ +--- a/linux-user/elfload.c 2020-07-13 20:10:37.776374566 -0700 ++++ b/linux-user/elfload.c 2020-07-13 20:11:51.794957015 -0700 +@@ -2667,6 +2667,11 @@ + char *elf_interpreter = NULL; + char *scratch; + ++ memset(&interp_info, 0, sizeof(interp_info)); ++#ifdef TARGET_MIPS ++ interp_info.fp_abi = MIPS_ABI_FP_UNKNOWN; ++#endif ++ + info->start_mmap = (abi_ulong)ELF_START_MMAP; + + load_elf_image(bprm->filename, bprm->fd, info, + -- cgit 1.4.1 From 0712d44cbcf1153972cd5457508dec5387e5b72e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 5 Aug 2020 10:42:41 +0200 Subject: minor fixes --- .travis.yml | 2 +- README.md | 28 ++++++++++++++-------------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.travis.yml b/.travis.yml index 96cdc86c..0155aa68 100644 --- a/.travis.yml +++ b/.travis.yml @@ -54,6 +54,6 @@ script: - sudo sysctl -w kernel.shmmax=10000000000 - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ASAN_BUILD=1 ; fi - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi - - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi + - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi - make tests # - travis_terminate 0 diff --git a/README.md b/README.md index 2e24a534..e4271bb0 100644 --- a/README.md +++ b/README.md @@ -39,19 +39,19 @@ with laf-intel and redqueen, unicorn mode, gcc plugin, full *BSD, Solaris and Android support and much, much, much more. - | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode | - | ----------------------- |:-------:|:---------:|:----------:|:----------------:|:------------:| - | NeverZero | x | x(1) | (2) | x | x | - | Persistent mode | | x | x | x86[_64]/arm[64] | x | - | LAF-Intel / CompCov | | x | | x86[_64]/arm[64] | x86[_64]/arm | - | CmpLog | | x | | x86[_64]/arm[64] | | - | Instrument file list | | x | x | (x)(3) | | - | Non-colliding coverage | | x(4) | | (x)(5) | | - | InsTrim | | x | | | | - | Ngram prev_loc coverage | | x(6) | | | | - | Context coverage | | x | | | | - | Auto dictionary | | x(7) | | | | - | Snapshot LKM support | | x | | (x)(5) | | + | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode | + | ------------------------ |:-------:|:---------:|:----------:|:----------------:|:------------:| + | NeverZero | x | x(1) | (2) | x | x | + | Persistent mode | | x | x | x86[_64]/arm[64] | x | + | LAF-Intel / CompCov | | x | | x86[_64]/arm[64] | x86[_64]/arm | + | CmpLog | | x | | x86[_64]/arm[64] | | + | Selective instrumentation| | x | x | (x)(3) | | + | Non-colliding coverage | | x(4) | | (x)(5) | | + | InsTrim | | x | | | | + | Ngram prev_loc coverage | | x(6) | | | | + | Context coverage | | x | | | | + | Auto dictionary | | x(7) | | | | + | Snapshot LKM support | | x | | (x)(5) | | 1. default for LLVM >= 9.0, env var for older version due an efficiency bug in llvm <= 8 2. GCC creates non-performant code, hence it is disabled in gcc_plugin @@ -72,7 +72,7 @@ * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL) * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass) * InsTrim, an effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim) - * C. Holler's afl-fuzz Python mutator module and llvm_mode instrument file support: [https://github.com/choller/afl](https://github.com/choller/afl) + * C. Holler's afl-fuzz Python mutator module: [https://github.com/choller/afl](https://github.com/choller/afl) * Custom mutator by a library (instead of Python) by kyakdan * LAF-Intel/CompCov support for llvm_mode, qemu_mode and unicorn_mode (with enhanced capabilities) * Radamsa and hongfuzz mutators (as custom mutators). -- cgit 1.4.1 From f30ca1476c2d4d08d46fe9657ad4aa1d828eb578 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 5 Aug 2020 11:17:15 +0200 Subject: fix short write --- include/afl-fuzz.h | 4 ++-- llvm_mode/afl-clang-fast.c | 10 ++++++---- src/afl-fuzz-queue.c | 2 ++ src/afl-fuzz-run.c | 17 ++++++++++++++--- 4 files changed, 24 insertions(+), 9 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 2324efa5..bb1bb314 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -986,7 +986,7 @@ uint64_t rand_next(afl_state_t *afl); static inline u32 rand_below(afl_state_t *afl, u32 limit) { - if (limit <= 1) return 0; + if (limit <= 1) return 0; /* The boundary not being necessarily a power of 2, we need to ensure the result uniformity. */ @@ -1008,7 +1008,7 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) { expand havoc mode */ static inline u32 rand_below_datalen(afl_state_t *afl, u32 limit) { - if (limit <= 1) return 0; + if (limit <= 1) return 0; switch (rand_below(afl, 3)) { diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 16f2c9c0..3038df30 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -161,8 +161,8 @@ static void find_obj(u8 *argv0) { static void edit_params(u32 argc, char **argv, char **envp) { - u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, - preprocessor_only = 0; + u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, + preprocessor_only = 0; u8 have_pic = 0; u8 *name; @@ -400,7 +400,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue; if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue; - + if (!strcmp(cur, "-E")) preprocessor_only = 1; cc_params[cc_par_cnt++] = cur; @@ -566,8 +566,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "none"; } - + if (preprocessor_only) { + /* In the preprocessor_only case (-E), we are not actually compiling at all but requesting the compiler to output preprocessed sources only. We must not add the runtime in this case because the compiler will @@ -575,6 +576,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { systems that rely on a separate source preprocessing step. */ cc_params[cc_par_cnt] = NULL; return; + } #ifndef __ANDROID__ diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 71874283..f35df914 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -112,8 +112,10 @@ static u8 check_if_text(struct queue_entry *q) { u8 buf[MAX_FILE]; s32 fd, len = q->len, offset = 0, ascii = 0, utf8 = 0, comp; + if (len >= MAX_FILE) len = MAX_FILE - 1; if ((fd = open(q->fname, O_RDONLY)) < 0) return 0; if ((comp = read(fd, buf, len)) != len) return 0; + buf[len] = 0; close(fd); while (offset < len) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 44d3c522..ed4a1081 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -819,16 +819,27 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } + + u32 written = 0; + while (written < q->len) { + + ssize_t result = write(fd, in_buf, q->len - written); + if (result > 0) written += result; + + } + } else { unlink(q->fname); /* ignore errors */ fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); - } + if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } - if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } + ck_write(fd, in_buf, q->len, q->fname); + + } - ck_write(fd, in_buf, q->len, q->fname); close(fd); memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size); -- cgit 1.4.1