From e0d1529061a5de9d32066c05f8faedac65b29ea5 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 3 Aug 2020 10:03:45 +0200 Subject: edge id documentation example for sancov --- docs/FAQ.md | 9 +++++---- llvm_mode/afl-llvm-rt.o.c | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/docs/FAQ.md b/docs/FAQ.md index ee221d02..c15cd484 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -103,10 +103,11 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation! b) For PCGUARD instrumented binaries it is much more difficult. Here you can either modify the __sanitizer_cov_trace_pc_guard function in llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in - __afl_area_ptr[*guard] is one of the unstable edge IDs. Then recompile - and reinstall llvm_mode and rebuild your target. Run the recompiled - target with afl-fuzz for a while and then check the file that you - wrote with the backtrace information. + __afl_area_ptr[*guard] is one of the unstable edge IDs. + (Example code is already there). + Then recompile and reinstall llvm_mode and rebuild your target. + Run the recompiled target with afl-fuzz for a while and then check the + file that you wrote with the backtrace information. Alternatively you can use `gdb` to hook __sanitizer_cov_trace_pc_guard_init on start, check to which memory address the edge ID value is written and set a write breakpoint to that address (`watch 0x.....`). diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index c0ed1bcf..c2859d9c 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -859,6 +859,27 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { + // For stability analysis, if you want to know to which function unstable + // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // the target. libunwind and libbacktrace are better solutions. + // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // the backtrace output + /* + uint32_t unstable[] = { ... unstable edge IDs }; + uint32_t idx; + char bt[1024]; + for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { + if (unstable[idx] == __afl_area_ptr[*guard]) { + int bt_size = backtrace(bt, 256); + if (bt_size > 0) { + char **bt_syms = backtrace_symbols(bt, bt_size); + if (bt_syms) + fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]); + } + } + } + */ + __afl_area_ptr[*guard]++; } -- cgit 1.4.1 From 491cee669f858bfea2b0db2fe540200b0f2625e6 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 3 Aug 2020 11:15:12 +0200 Subject: fix #483 --- src/afl-fuzz-redqueen.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index d86190a6..b58c8537 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -673,14 +673,15 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, for (i = 0; i < its_len; ++i) { - if (pattern[idx + i] != buf[idx + i] || - o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) { + if (pattern[i] != buf[idx + i] || + o_pattern[i] != orig_buf[idx + i] || *status == 1) { break; } - buf[idx + i] = repl[idx + i]; + buf[idx + i] = repl[i]; + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } } @@ -726,7 +727,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } for (idx = 0; idx < len && fails < 8; ++idx) { - + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) { -- cgit 1.4.1 From 9d82c3cf5e131030073d6a4df1b2102573a8ace4 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 3 Aug 2020 11:30:34 +0200 Subject: test for llvm cmplog --- test/test-cmplog.c | 27 +++++++++++++++++++++++++++ test/test.sh | 22 ++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 test/test-cmplog.c diff --git a/test/test-cmplog.c b/test/test-cmplog.c new file mode 100644 index 00000000..75efd887 --- /dev/null +++ b/test/test-cmplog.c @@ -0,0 +1,27 @@ +#include +#include +#include +#include +#include +#include +int main(int argc, char *argv[]) { + char buf[1024]; + ssize_t i; + if ((i = read(0, buf, sizeof(buf) - 1)) < 24) + return 0; + buf[i] = 0; + if (buf[0] != 'A') + return 0; + if (buf[1] != 'B') + return 0; + if (buf[2] != 'C') + return 0; + if (buf[3] != 'D') + return 0; + if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) + return 0; + if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) + abort(); + return 0; +} + diff --git a/test/test.sh b/test/test.sh index dea9134f..46843d4a 100755 --- a/test/test.sh +++ b/test/test.sh @@ -423,6 +423,28 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } rm -f test-compcov test.out instrumentlist.txt + AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1 + test -e test-cmplog && { + $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" + { + mkdir -p in + echo 0000000000000000000000000 > in/in + ../afl-fuzz -m none -V10 -i in -o out -c./test-cmplog -- ./test-cmplog >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode cmplog" + CODE=1 + } + } || { + $ECHO "$YELLOW[-] we cannot test llvm_mode cmplog because it is not present" + INCOMPLETE=1 + } + rm -rf errors test-cmplog in ../afl-clang-fast -o test-persistent ../examples/persistent_demo/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { -- cgit 1.4.1 From f335c48686c2f4119d1d0b1207f5d5ceb3d4ff04 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 3 Aug 2020 11:50:10 +0200 Subject: better PS1 in dockerfile --- Dockerfile | 8 +++++--- TODO.md | 12 ++++++++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4d9f6e84..64b04ba6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,13 +50,15 @@ ENV LLVM_CONFIG=llvm-config-11 ENV AFL_SKIP_CPUFREQ=1 RUN git clone https://github.com/vanhauser-thc/afl-cov /afl-cov -RUN cd /afl-cov && make install +RUN cd /afl-cov && make install && cd .. COPY . /AFLplusplus WORKDIR /AFLplusplus RUN export REAL_CXX=g++-10 && export CC=gcc-10 && \ - export CXX=g++-10 && make clean && make distrib && make install && make clean + export CXX=g++-10 && make clean && \ + make distrib && make install && make clean RUN echo 'alias joe="jupp --wordwrap"' >> ~/.bashrc - +RUN echo 'export PS1="[afl++]$PS1"' >> ~/.bashrc +ENV IS_DOCKER="1" diff --git a/TODO.md b/TODO.md index 3e55f2f1..999cb9d3 100644 --- a/TODO.md +++ b/TODO.md @@ -30,3 +30,15 @@ qemu_mode: persistent mode - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses + +## Ideas + + - LTO/sancov: write current edge to prev_loc and use that information when + using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow + up edge numbers that both following cmp paths have been found and then + disable working on this edge id + + - new tancov: use some lightweight taint analysis to see which parts of a + new queue entry is accessed and only fuzz these bytes - or better, only + fuzz those bytes that are newly in coverage compared to the queue entry + the new one is based on -- cgit 1.4.1 From 409e4ae945ab5aeb31b1e3a1497ce5fc65226f07 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 3 Aug 2020 13:13:32 +0200 Subject: fix expand havoc for ..._only modes --- docs/Changelog.md | 1 + examples/persistent_demo/persistent_demo_new.c | 4 +-- llvm_mode/afl-llvm-rt.o.c | 48 +++++++++++++++----------- src/afl-fuzz-redqueen.c | 8 ++--- src/afl-fuzz.c | 3 +- test/test-cmplog.c | 22 +++++------- 6 files changed, 46 insertions(+), 40 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 8ab3fdf4..ae7377f2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -19,6 +19,7 @@ sending a mail to . - eliminated CPU affinity race condition for -S/-M runs - expanded havoc mode added, on no cycle finds add extra splicing and MOpt into the mix + - fixed a bug in redqueen for strings - llvm_mode: - now supports llvm 12! - fixes for laf-intel float splitting (thanks to mark-griffin for diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 5f347667..7f878c0c 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -31,8 +31,8 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN - ssize_t fuzz_len; - unsigned char fuzz_buf[1024000]; +ssize_t fuzz_len; +unsigned char fuzz_buf[1024000]; #define __AFL_FUZZ_TESTCASE_LEN fuzz_len #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index c2859d9c..88abcbe0 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -859,26 +859,34 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { - // For stability analysis, if you want to know to which function unstable - // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile - // the target. libunwind and libbacktrace are better solutions. - // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture - // the backtrace output - /* - uint32_t unstable[] = { ... unstable edge IDs }; - uint32_t idx; - char bt[1024]; - for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { - if (unstable[idx] == __afl_area_ptr[*guard]) { - int bt_size = backtrace(bt, 256); - if (bt_size > 0) { - char **bt_syms = backtrace_symbols(bt, bt_size); - if (bt_syms) - fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]); - } - } - } - */ + // For stability analysis, if you want to know to which function unstable + // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // the target. libunwind and libbacktrace are better solutions. + // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // the backtrace output + /* + uint32_t unstable[] = { ... unstable edge IDs }; + uint32_t idx; + char bt[1024]; + for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { + + if (unstable[idx] == __afl_area_ptr[*guard]) { + + int bt_size = backtrace(bt, 256); + if (bt_size > 0) { + + char **bt_syms = backtrace_symbols(bt, bt_size); + if (bt_syms) + fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], + bt_syms[0]); + + } + + } + + } + + */ __afl_area_ptr[*guard]++; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b58c8537..cb4c78df 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -673,15 +673,15 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, for (i = 0; i < its_len; ++i) { - if (pattern[i] != buf[idx + i] || - o_pattern[i] != orig_buf[idx + i] || *status == 1) { + if (pattern[i] != buf[idx + i] || o_pattern[i] != orig_buf[idx + i] || + *status == 1) { break; } buf[idx + i] = repl[i]; - + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } } @@ -727,7 +727,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } for (idx = 0; idx < len && fails < 8; ++idx) { - + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 326ccc1c..da30797c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1304,7 +1304,8 @@ int main(int argc, char **argv_orig, char **envp) { afl->expand_havoc = 1; break; case 1: - if (afl->limit_time_sig == 0) { + if (afl->limit_time_sig == 0 && !afl->custom_only && + !afl->python_only) { afl->limit_time_sig = -1; afl->limit_time_puppet = 0; diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 75efd887..b077e3ab 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -5,23 +5,19 @@ #include #include int main(int argc, char *argv[]) { - char buf[1024]; + + char buf[1024]; ssize_t i; - if ((i = read(0, buf, sizeof(buf) - 1)) < 24) - return 0; + if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0; buf[i] = 0; - if (buf[0] != 'A') - return 0; - if (buf[1] != 'B') - return 0; - if (buf[2] != 'C') - return 0; - if (buf[3] != 'D') - return 0; - if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) - return 0; + if (buf[0] != 'A') return 0; + if (buf[1] != 'B') return 0; + if (buf[2] != 'C') return 0; + if (buf[3] != 'D') return 0; + if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) abort(); return 0; + } -- cgit 1.4.1 From 898353c87ae2b7e212e1012e847f02f8e18f9428 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 3 Aug 2020 14:17:51 +0200 Subject: enforce no built-ins for lto --- llvm_mode/afl-clang-fast.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 738433ac..484943d2 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -255,12 +255,6 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (getenv("LAF_TRANSFORM_COMPARES") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) { - if (!be_quiet && getenv("AFL_LLVM_LTO_AUTODICTIONARY") && lto_mode) - WARNF( - "using AFL_LLVM_LAF_TRANSFORM_COMPARES together with " - "AFL_LLVM_LTO_AUTODICTIONARY makes no sense. Use only " - "AFL_LLVM_LTO_AUTODICTIONARY."); - cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; @@ -472,9 +466,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") || - getenv("LAF_TRANSFORM_COMPARES") || - (lto_mode && (getenv("AFL_LLVM_LTO_AUTODICTIONARY") || - getenv("AFL_LLVM_AUTODICTIONARY")))) { + getenv("LAF_TRANSFORM_COMPARES") || lto_mode) { cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; -- cgit 1.4.1