From fad8a3feb842f5c9ae2ea009b3efe57619cb051a Mon Sep 17 00:00:00 2001 From: CityOfLight77 <75525669+CityOfLight77@users.noreply.github.com> Date: Wed, 15 Dec 2021 09:22:17 +0700 Subject: Fix CodeQL command typo fix command to create CodeQL database and use all cores to compile CodeQL database --- utils/autodict_ql/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/autodict_ql/readme.md b/utils/autodict_ql/readme.md index f61026b7..42059f09 100644 --- a/utils/autodict_ql/readme.md +++ b/utils/autodict_ql/readme.md @@ -104,7 +104,7 @@ The usage of Autodict-QL is pretty easy. But let's describe it as: we want to compile `libxml` with codeql. Go to libxml and issue the following commands: - `./configure --disable-shared` - - `codeql create database libxml-db --language=cpp --command=make` + - `codeql database create libxml-db --language=cpp --command="make -j$(nproc)"` - Now you have the CodeQL database of the project :-) 3. The final step is to update the CodeQL database you created in step 2 (Suppose we are in `aflplusplus/utils/autodict_ql/` directory): @@ -144,4 +144,4 @@ There are 2 important points to remember: - Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated dictionaries. If you forget to set this environment variable, then AFL++ uses just 200 tokens and use the rest of them only probabilistically. So this will - guarantee that your tokens will be used by AFL++. \ No newline at end of file + guarantee that your tokens will be used by AFL++. -- cgit 1.4.1 From 63087d9bd962fac2e7e76fead845e6a9392c3c49 Mon Sep 17 00:00:00 2001 From: CityOfLight77 <75525669+CityOfLight77@users.noreply.github.com> Date: Wed, 15 Dec 2021 09:24:28 +0700 Subject: Fix env var typo `AFL_MAX_EXRAS` -> `AFL_MAX_EXTRAS` --- docs/env_variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/env_variables.md b/docs/env_variables.md index c45f4ab9..dc79bf9e 100644 --- a/docs/env_variables.md 
+++ b/docs/env_variables.md @@ -397,7 +397,7 @@ checks or alter some of the more exotic semantics of the tool: target. This must be equal or larger than the size the target was compiled with. - - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of + - Setting `AFL_MAX_DET_EXTRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will kick off. In probabilistic mode, not all dictionary entries will be used all of the time for fuzzing mutations to not slow down -- cgit 1.4.1 From 176ede3fc82f8b6315942e103c260b93bf5cfe57 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 15 Dec 2021 09:50:35 +0100 Subject: afl-cc -v without errors --- docs/Changelog.md | 1 + src/afl-cc.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 0253222b..1daa9a75 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -57,6 +57,7 @@ sending a mail to . - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) - fix for AFL_REAL_LD + - make -v without options work - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/src/afl-cc.c b/src/afl-cc.c index cafb8e32..442cf265 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -695,7 +695,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { /* Detect stray -v calls from ./configure scripts. */ - u8 skip_next = 0; + u8 skip_next = 0, non_dash = 0; while (--argc) { u8 *cur = *(++argv); @@ -707,6 +707,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } + if (cur[0] != '-') { non_dash = 1; } if (!strncmp(cur, "--afl", 5)) continue; if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue; if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue; 
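Review bot: The new `if (cur[0] != '-') { non_dash = 1; }` in the -707 hunk of src/afl-cc.c classifies a bare `-` argument (the compiler's spelling for "read the source from stdin", as in `-x c -`) as an option, so such an invocation never sets non_dash and falls into the new `!non_dash` branch of the -1025 hunk, which presumably bypasses instrumentation the way the -E case does. A one-character argument needs the exception: `if (cur[0] != '-' || !cur[1]) { non_dash = 1; }`. The `skip_next` handling that precedes this check, and the rest of the argument loop, are outside the hunk, so whether any option value can still reach this line starting with `-` is worth confirming there. The -695 hunk only extends the declaration and needs nothing further.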
@@ -1025,7 +1026,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - if (preprocessor_only || have_c) { + if (preprocessor_only || have_c || !non_dash) { /* In the preprocessor_only case (-E), we are not actually compiling at all but requesting the compiler to output preprocessed sources only. -- cgit 1.4.1 From a2314fc37fc2232647de0c9d434f3d2a955a4399 Mon Sep 17 00:00:00 2001 From: CityOfLight77 <75525669+CityOfLight77@users.noreply.github.com> Date: Wed, 15 Dec 2021 20:38:52 +0700 Subject: Add AFLtriage in crash processing tool --- docs/third_party_tools.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md index 92229e84..8d40c429 100644 --- a/docs/third_party_tools.md +++ b/docs/third_party_tools.md @@ -45,6 +45,8 @@ Deployment, management, monitoring, reporting parallelize afl-tmin, startup, and data collection. Crash processing +* [AFLTriage](https://github.com/quic/AFLTriage) - + triage crashing input files using gdb. * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL. * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of @@ -54,4 +56,4 @@ Crash processing * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL. * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for - working with input data. \ No newline at end of file + working with input data. -- cgit 1.4.1 From 9f911bf0bdad0c2283ad880d6ea83f586dd5b510 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 15 Dec 2021 20:43:18 +0100 Subject: cleanup of TIMES macro --- src/afl-analyze.c | 21 +++++---------------- src/afl-fuzz-bitmap.c | 7 ------- src/afl-showmap.c | 35 ++++++++++------------------------- src/afl-tmin.c | 21 +++++---------------- 4 files changed, 20 insertions(+), 64 deletions(-) 
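Review bot: The comment immediately below the changed condition still explains only the `preprocessor_only` (-E) trigger, while the condition now has a third trigger, `!non_dash`, that the comment never mentions, so the next reader has to rediscover why an option-only command line (the `afl-cc -v` case this commit targets) ends up here. Add one sentence to that comment, e.g. `Also taken when no non-option argument was seen at all (e.g. a bare -v): there is no source to instrument.` The body of the branch and the rest of edit_params lie outside the hunk.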
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index ac5a324c..86278c31 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -96,31 +96,20 @@ static afl_forkserver_t fsrv = {0}; /* The forkserver */ /* Classify tuple counts. This is a slow & naive version, but good enough here. */ -#define TIMES4(x) x, x, x, x -#define TIMES8(x) TIMES4(x), TIMES4(x) -#define TIMES16(x) TIMES8(x), TIMES8(x) -#define TIMES32(x) TIMES16(x), TIMES16(x) -#define TIMES64(x) TIMES32(x), TIMES32(x) static u8 count_class_lookup[256] = { [0] = 0, [1] = 1, [2] = 2, [3] = 4, - [4] = TIMES4(8), - [8] = TIMES8(16), - [16] = TIMES16(32), - [32] = TIMES32(64), - [128] = TIMES64(128) + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; -#undef TIMES64 -#undef TIMES32 -#undef TIMES16 -#undef TIMES8 -#undef TIMES4 - static void kill_child() { if (fsrv.child_pid > 0) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 2d88896f..7a236005 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -167,13 +167,6 @@ const u8 count_class_lookup8[256] = { }; -#undef TIMES255 -#undef TIMES64 -#undef TIMES32 -#undef TIMES16 -#undef TIMES8 -#undef TIMES4 - u16 count_class_lookup16[65536]; void init_count_class16(void) { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 8cddcb32..115f9f2a 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
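Review bot: The range designators introduced in src/afl-analyze.c (`[4 ... 7] = 8` and the following entries) are a GNU C extension accepted by gcc and clang, whereas the TIMES macros they replace were plain C99 designated initializers; that is fine if those are the only supported compilers, but the table deserves a one-line comment such as `/* [a ... b] range designators are a GNU extension (gcc, clang). */` so nobody later "fixes" it back. The same applies to the identical tables in src/afl-tmin.c and to count_class_binary in src/afl-showmap.c in this commit. In the src/afl-fuzz-bitmap.c hunk only the `#undef TIMES*` lines are removed; if the matching `#define`s earlier in that file (outside this hunk) were not also removed, they now stay defined for the rest of the translation unit, which is worth checking.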
@@ -103,24 +103,17 @@ static sharedmem_t * shm_fuzz; /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ -#define TIMES4(x) x, x, x, x -#define TIMES8(x) TIMES4(x), TIMES4(x) -#define TIMES16(x) TIMES8(x), TIMES8(x) -#define TIMES32(x) TIMES16(x), TIMES16(x) -#define TIMES64(x) TIMES32(x), TIMES32(x) -#define TIMES96(x) TIMES64(x), TIMES32(x) -#define TIMES128(x) TIMES64(x), TIMES64(x) static const u8 count_class_human[256] = { [0] = 0, [1] = 1, [2] = 2, [3] = 3, - [4] = TIMES4(4), - [8] = TIMES8(5), - [16] = TIMES16(6), - [32] = TIMES96(7), - [128] = TIMES128(8) + [4] = 4, + [8] = 5, + [16] = 6, + [32] = 7, + [128] = 8 }; @@ -130,22 +123,14 @@ static const u8 count_class_binary[256] = { [1] = 1, [2] = 2, [3] = 4, - [4] = TIMES4(8), - [8] = TIMES8(16), - [16] = TIMES16(32), - [32] = TIMES32(64), - [128] = TIMES64(128) + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; -#undef TIMES128 -#undef TIMES96 -#undef TIMES64 -#undef TIMES32 -#undef TIMES16 -#undef TIMES8 -#undef TIMES4 - static void kill_child() { timed_out = 1; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 89546c45..b5b015ce 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
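Review bot: In the first src/afl-showmap.c hunk the count_class_human table now initializes single elements (`[4] = 4, [8] = 5, [16] = 6, [32] = 7, [128] = 8`), while the TIMES4/TIMES8/TIMES16/TIMES96/TIMES128 macros it replaces filled the whole ranges 4-7, 8-15, 16-31, 32-127 and 128-255; every other element in those ranges is now zero-initialized, so a hit count of, say, 5 or 200 classifies to 0 and presumably reads as unhit in the human-readable output. The count_class_binary table in the second hunk of the same file uses `[4 ... 7]`-style ranges correctly, and the human table needs the same treatment. The rewritten entries are below.
```c
static const u8 count_class_human[256] = {
  /* … unchanged: [0] … [3] entries … */
  [4 ... 7] = 4,
  [8 ... 15] = 5,
  [16 ... 31] = 6,
  [32 ... 127] = 7,
  [128 ... 255] = 8
};
```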
@@ -95,31 +95,20 @@ static sharedmem_t * shm_fuzz; /* Classify tuple counts. This is a slow & naive version, but good enough here. */ -#define TIMES4(x) x, x, x, x -#define TIMES8(x) TIMES4(x), TIMES4(x) -#define TIMES16(x) TIMES8(x), TIMES8(x) -#define TIMES32(x) TIMES16(x), TIMES16(x) -#define TIMES64(x) TIMES32(x), TIMES32(x) static const u8 count_class_lookup[256] = { [0] = 0, [1] = 1, [2] = 2, [3] = 4, - [4] = TIMES4(8), - [8] = TIMES8(16), - [16] = TIMES16(32), - [32] = TIMES32(64), - [128] = TIMES64(128) + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; -#undef TIMES64 -#undef TIMES32 -#undef TIMES16 -#undef TIMES8 -#undef TIMES4 - static void kill_child() { if (fsrv->child_pid > 0) { -- cgit 1.4.1 From ee10461f48c441ee89c8003828969381f5c21205 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 16 Dec 2021 01:44:50 +0100 Subject: fix llvm 14 changes for ctx and ngram --- instrumentation/afl-llvm-pass.so.cc | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index be0bcbc8..18c0294e 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -456,7 +456,7 @@ bool AFLCoverage::runOnModule(Module &M) { PrevCaller = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - IRB.getInt32Ty(), + PrevCallerTy, #endif AFLPrevCaller); PrevCaller->setMetadata(M.getMDKindID("nosanitize"), @@ -628,11 +628,21 @@ bool AFLCoverage::runOnModule(Module &M) { /* Load prev_loc */ - LoadInst *PrevLoc = IRB.CreateLoad( + LoadInst *PrevLoc; + + if (ngram_size) { + PrevLoc = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PrevLocTy, +#endif + AFLPrevLoc); + } else { + PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 IRB.getInt32Ty(), #endif AFLPrevLoc); + } PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *PrevLocTrans; -- cgit 1.4.1 
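Review bot: In the -628 hunk of instrumentation/afl-llvm-pass.so.cc the two `IRB.CreateLoad` calls differ only in the type argument under `#if LLVM_VERSION_MAJOR >= 14`, so on LLVM < 14 both branches of `if (ngram_size)` are identical and the duplication buys nothing. Choosing the type once keeps a single load: under the existing `#if`, `Type *PrevLocLoadTy = ngram_size ? PrevLocTy : IRB.getInt32Ty();` (adding a cast if PrevLocTy is not already a `Type *`), followed by the original single `LoadInst *PrevLoc = IRB.CreateLoad(` with `PrevLocLoadTy,` under the `#if`. `PrevLocTy` and `ngram_size` are presumably declared earlier in runOnModule, outside this hunk, so the widened type needs to match what is stored to AFLPrevLoc there.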
From 5f70bc54043a47c232be83ca77f53ddb6bb81908 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 16 Dec 2021 10:08:31 +0100 Subject: disable cmplog vector FP cmp hooking --- instrumentation/cmplog-instructions-pass.cc | 63 +++++++++++++++++++++++------ 1 file changed, 51 insertions(+), 12 deletions(-) diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index a521960b..6656bf71 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -41,6 +41,7 @@ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) #include "llvm/IR/Verifier.h" #include "llvm/IR/DebugInfo.h" + #include "llvm/Support/raw_ostream.h" #else #include "llvm/Analysis/Verifier.h" #include "llvm/DebugInfo.h" @@ -285,7 +286,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IntegerType *intTyOp0 = NULL; IntegerType *intTyOp1 = NULL; unsigned max_size = 0, cast_size = 0; - unsigned attr = 0, vector_cnt = 0; + unsigned attr = 0, vector_cnt = 0, is_fp = 0; CmpInst * cmpInst = dyn_cast(selectcmpInst); if (!cmpInst) { continue; } @@ -370,6 +371,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { #endif attr += 8; + is_fp = 1; + // fprintf(stderr, "HAVE FP %u!\n", vector_cnt); } else { @@ -453,6 +456,9 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } + // XXX FIXME BUG TODO + if (is_fp && vector_cnt) { continue; } + uint64_t cur = 0, last_val0 = 0, last_val1 = 0, cur_val; while (1) { 
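Review bot: The early-out `if (is_fp && vector_cnt) { continue; }` in the -453 hunk is annotated only with `// XXX FIXME BUG TODO`, which does not tell the next reader what is disabled or why, although the commit subject and the later `this is null ... but why?` remark do. Replace it with a comment that states the fact, e.g. `// vector FP compares are not hooked yet: extracting ConstantFP operands from the vector yields null (see the is_fp branch below)`. The `// fprintf(stderr, "HAVE FP %u!\n", vector_cnt);` left in the -370 hunk is debug residue, and the `llvm/Support/raw_ostream.h` include added in the -41 hunk only serves the commented-out raw_string_ostream block in the following hunk, so both can go or be tied to a debug macro. hookInstrs continues on both sides of these hunks.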
@@ -464,21 +470,53 @@ bool CmpLogInstructions::hookInstrs(Module &M) { op0 = IRB.CreateExtractElement(op0_saved, cur); op1 = IRB.CreateExtractElement(op1_saved, cur); - ConstantInt *i0 = dyn_cast(op0); - ConstantInt *i1 = dyn_cast(op1); - if (i0 && i0->uge(0xffffffffffffffff) == false) { + /* + std::string errMsg; + raw_string_ostream os(errMsg); + op0_saved->print(os); + fprintf(stderr, "X: %s\n", os.str().c_str()); + */ + if (is_fp) { - cur_val = i0->getZExtValue(); - if (last_val0 && last_val0 == cur_val) { skip = 1; } - last_val0 = cur_val; + ConstantFP *i0 = dyn_cast(op0); + ConstantFP *i1 = dyn_cast(op1); + // BUG FIXME TODO: this is null ... but why? + // fprintf(stderr, "%p %p\n", i0, i1); + if (i0) { - } + cur_val = (uint64_t)i0->getValue().convertToDouble(); + if (last_val0 && last_val0 == cur_val) { skip = 1; } + last_val0 = cur_val; + + } + + if (i1) { + + cur_val = (uint64_t)i1->getValue().convertToDouble(); + if (last_val1 && last_val1 == cur_val) { skip = 1; } + last_val1 = cur_val; + + } + + } else { + + ConstantInt *i0 = dyn_cast(op0); + ConstantInt *i1 = dyn_cast(op1); + if (i0 && i0->uge(0xffffffffffffffff) == false) { + + cur_val = i0->getZExtValue(); + if (last_val0 && last_val0 == cur_val) { skip = 1; } + last_val0 = cur_val; + + } + + if (i1 && i1->uge(0xffffffffffffffff) == false) { - if (i1 && i1->uge(0xffffffffffffffff) == false) { + cur_val = i1->getZExtValue(); + if (last_val1 && last_val1 == cur_val) { skip = 1; } + last_val1 = cur_val; - cur_val = i1->getZExtValue(); - if (last_val1 && last_val1 == cur_val) { skip = 1; } - last_val1 = cur_val; + } } @@ -557,6 +595,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { ++cur; if (cur >= vector_cnt) { break; } + skip = 0; } -- cgit 1.4.1 From 3cb7319ccdb98dcc6b023dbead603a4450ac4541 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 16 Dec 2021 10:41:33 +0100 Subject: fix for older llvm --- instrumentation/cmplog-instructions-pass.cc | 2 ++ 1 file changed, 2 insertions(+) 
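Review bot: `cur_val = (uint64_t)i0->getValue().convertToDouble();` (and the i1 twin) in the -464 hunk is undefined behaviour whenever the constant is negative, NaN or at least 2^64, and in at least some LLVM versions convertToDouble() asserts unless the APFloat has IEEE-double semantics, so a `float` comparison would trip it. Since the value is only used to detect repeated constants, the bit pattern is enough and well defined: `cur_val = i0->getValue().bitcastToAPInt().getZExtValue();`, guarded by a bit-width check for types wider than 64 bits. On the `this is null ... but why?` question, `IRB.CreateExtractElement` only folds to a ConstantFP when `op0_saved` is itself a constant vector; for any other operand it returns an instruction and `dyn_cast<ConstantFP>` is null, which would equally affect the ConstantInt path. The next commit on this page comments the FP block out, so this stands for whenever it is re-enabled; the `skip = 0;` reset in the -557 hunk is correct as far as the visible loop goes.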
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 6656bf71..a2083a33 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -478,6 +478,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { */ if (is_fp) { +/* ConstantFP *i0 = dyn_cast(op0); ConstantFP *i1 = dyn_cast(op1); // BUG FIXME TODO: this is null ... but why? @@ -497,6 +498,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { last_val1 = cur_val; } +*/ } else { -- cgit 1.4.1
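Review bot: Disabling the FP constant block with `/*` … `*/` works here only because the block contains no `/*` of its own; `#if 0` … `#endif` is the conventional way to park code, nests safely, and keeps the commented lines visible to tooling. With the body gone the branch reads `if (is_fp) { /* … */ } else {`, so a one-line comment stating why nothing is recorded for FP constants (the commit subject says older LLVM is the reason) belongs at the `#if 0`, e.g. `#if 0 // FP constant dedup disabled: needs APIs missing on older LLVM`. The surrounding loop and hookInstrs extend beyond both hunks.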