From 7884e0f449f2b937bbc332bfe5b805570aa6558b Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 15:06:14 +0100 Subject: Fix two typos. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 62b928e4..9e41a088 100644 --- a/README.md +++ b/README.md @@ -149,7 +149,7 @@ The following branches exist: stability * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile - or has a bug. **We only accept PRs (push requests) for the 'dev' branch!** + or has a bug. **We only accept PRs (pull requests) for the 'dev' branch!** * (any other): experimental branches to work on specific features or testing new functionality or changes. @@ -163,7 +163,7 @@ This can be your way to support and contribute to AFL++ - extend it to do something cool. For everyone who wants to contribute (and send pull requests), please read our -[contributing guidelines](CONTRIBUTING.md) before your submit. +[contributing guidelines](CONTRIBUTING.md) before you submit. ## Special thanks @@ -223,7 +223,7 @@ Thank you! (For people sending pull requests - please add yourself to this list Josephine Calliotte Konrad Welc Thomas Rooijakkers David Carlier Ruben ten Hove Joey Jiao - fuzzah + fuzzah @intrigus-lgtm ``` -- cgit 1.4.1 From 179b118bc93c9b3308f62deeebd13db528d8349d Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 15:13:04 +0100 Subject: Fix some typos and wrong words. --- docs/important_changes.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/important_changes.md b/docs/important_changes.md index 040a086d..39fe56b9 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md 
@@ -12,11 +12,11 @@ With AFL++ 4.00, we introduced the following changes from previous behaviors: * better naming for several fields in the UI With AFL++ 3.15, we introduced the following changes from previous behaviors: - * afl-cmin and afl-showmap -Ci now descent into subdirectories like afl-fuzz + * afl-cmin and afl-showmap -Ci now descend into subdirectories like afl-fuzz -i does (but note that afl-cmin.bash does not) With AFL++ 3.14, we introduced the following changes from previous behaviors: - * afl-fuzz: deterministic fuzzing it not a default for -M main anymore + * afl-fuzz: deterministic fuzzing is not a default for -M main anymore * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash, however, does not) @@ -44,9 +44,9 @@ behaviors and defaults: * if neither -M or -S is specified, `-S default` is assumed, so more fuzzers can easily be added later * `-i` input directory option now descends into subdirectories. It also does - not fatal on crashes and too large files, instead it skips them and uses + not fail on crashes and too large files, instead it skips them and uses them for splicing mutations - * -m none is now default, set memory limits (in MB) with, e.g., -m 250 + * -m none is now the default, set memory limits (in MB) with, e.g., -m 250 * deterministic fuzzing is now disabled by default (unless using -M) and can be enabled with -D * a caching of test cases can now be performed and can be modified by -- cgit 1.4.1 From add85f34d1f1b6a0a9850537f908316db73cf6de Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 15:26:30 +0100 Subject: Format some terms as code. --- docs/INSTALL.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index efec0d8b..2c1eaeb9 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md 
@@ -12,7 +12,7 @@ docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` This image is automatically generated when a push to the stable repo happens. -You will find your target source code in /src in the container. +You will find your target source code in `/src` in the container. If you want to build AFL++ yourself, you have many options. The easiest choice is to build and install everything: @@ -33,8 +33,8 @@ sudo make install It is recommended to install the newest available gcc, clang and llvm-dev possible in your distribution! -Note that "make distrib" also builds FRIDA mode, QEMU mode, unicorn_mode -and more. If you just want plain AFL++, then do "make all". If you want +Note that `make distrib` also builds FRIDA mode, QEMU mode, unicorn_mode +and more. If you just want plain AFL++, then do `make all`. If you want some assisting tooling compiled but are not interested in binary-only targets then instead choose: -- cgit 1.4.1 From 30666cb81eca8b36b7f95ee569ec3fd85ae616b5 Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 16:59:37 +0100 Subject: Highlight what a basic block is. Highlight the different parts that characterize what a basic block is. This makes it slightly easier to read/understand IMHO. --- docs/FAQ.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/FAQ.md b/docs/FAQ.md index 3d3dce20..7ca7b178 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -58,10 +58,10 @@ If you find an interesting or important question missing, submit it via A program contains `functions`, `functions` contain the compiled machine code. The compiled machine code in a `function` can be in a single or many `basic - blocks`. A `basic block` is the largest possible number of subsequent machine - code instructions that has exactly one entry point (which can be be entered by - multiple other basic blocks) and runs linearly without branching or jumping to - other addresses (except at the end). + blocks`. A `basic block` is the **largest possible number of subsequent machine + code instructions** that has **exactly one entry point** (which can be be entered by + multiple other basic blocks) and runs linearly **without branching or jumping to + other addresses** (except at the end). ``` function() { @@ -225,4 +225,4 @@ If you find an interesting or important question missing, submit it via package and because of that the AFL++ llvm plugins do not match anymore. Solution: `git pull ; make clean install` of AFL++. -

\ No newline at end of file +

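Review bot: the doubled "be" in "which can be be entered by" is carried unchanged into the rewritten `+` lines of the first docs/FAQ.md hunk; since those lines are already being reworded for emphasis, drop the extra "be" in the same change. The second hunk only adds the missing trailing newline, which is fine.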
-- cgit 1.4.1 From 6a7f184c4e27796734a1d8408c8f8abdfc04cad5 Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:00:26 +0100 Subject: Fix broken `code` formatting --- docs/FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/FAQ.md b/docs/FAQ.md index 7ca7b178..90cae453 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -191,7 +191,7 @@ If you find an interesting or important question missing, submit it via AFL++ comes with several power schedules, initially ported from [AFLFast](https://github.com/mboehme/aflfast) however modified to be more effective and several more modes added. - The most effective modes are '-p fast` (default) and `-p explore`. + The most effective modes are `-p fast` (default) and `-p explore`. If you fuzz with several parallel afl-fuzz instances, then it is beneficial to assign a different schedule to each instance, however the majority should -- cgit 1.4.1 From d8920e31f861501156f366a54f80f9a9f9368df7 Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:13:25 +0100 Subject: Add a comma to make sentence easier to understand. --- docs/best_practices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/best_practices.md b/docs/best_practices.md index 96c6e3c2..133c645e 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md @@ -116,7 +116,7 @@ allows you to define network state with different type of data packets. ### Improving stability -For fuzzing a 100% stable target that covers all edges is the best case. A 90% +For fuzzing, a 100% stable target that covers all edges is the best case. A 90% stable target that covers all edges is, however, better than a 100% stable target that ignores 10% of the edges. 
@@ -189,4 +189,4 @@ coding and/or disassembly and is effectively possible only with `afl-clang-fast` Recompile, fuzz it, be happy :) This link explains this process for - [Fuzzbench](https://github.com/google/fuzzbench/issues/677). \ No newline at end of file + [Fuzzbench](https://github.com/google/fuzzbench/issues/677). -- cgit 1.4.1 From 091fa09e5eb8b69108933bac268fbc214cb49a65 Mon Sep 17 00:00:00 2001 From: Majid Salehi <64958231+pwnforce@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:42:38 +0100 Subject: Update fuzzing_binary-only_targets.md Fixing some parts in the description of Retrowrite. --- docs/fuzzing_binary-only_targets.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 855d7756..3d3e0ddb 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -198,8 +198,8 @@ afl-clang-fast's. ### RetroWrite -If you have an x86/x86_64 binary that still has its symbols, is compiled with -position independent code (PIC/PIE), and does not use most of the C++ features, +If you have an x86_64 binary that still has its symbols (i.e., not stripped binary), is compiled with +position independent code (PIC/PIE), and does not contain C++ exceptions, then the RetroWrite solution might be for you. It decompiles to ASM files which can then be instrumented with afl-gcc. @@ -302,4 +302,4 @@ some are very hard to set-up... ## Closing words -That's it! News, corrections, updates? Send an email to vh@thc.org. \ No newline at end of file +That's it! News, corrections, updates? Send an email to vh@thc.org. -- cgit 1.4.1 From 2342c85db4669c1d130249dcc4f68a7db9d68ff1 Mon Sep 17 00:00:00 2001 From: Majid Salehi <64958231+pwnforce@users.noreply.github.com> Date: Tue, 11 Jan 2022 18:08:52 +0100 Subject: Update fuzzing_binary-only_targets.md --- docs/fuzzing_binary-only_targets.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 3d3e0ddb..874cf068 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -198,12 +198,15 @@ afl-clang-fast's. ### RetroWrite -If you have an x86_64 binary that still has its symbols (i.e., not stripped binary), is compiled with -position independent code (PIC/PIE), and does not contain C++ exceptions, +RetroWrite is a static binary rewriter that can be combined with AFL++. +If you have an x86_64 binary that still has its symbols (i.e., not stripped binary), +is compiled with position independent code (PIC/PIE), and does not contain C++ exceptions, then the RetroWrite solution might be for you. It decompiles to ASM files which can then be instrumented with afl-gcc. -It is at about 80-85% performance. +Binaries that are statically instrumented for fuzzing using RetroWrite are identical +in performance to compiler-instrumented binaries and outperform +the QEMU-based instrumentation by 4.5x. [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) -- cgit 1.4.1 From 0ed1cb4d31b3eeb1b38297b2fb14747f8d4a8f27 Mon Sep 17 00:00:00 2001 From: tokatoka Date: Wed, 12 Jan 2022 04:42:47 +0900 Subject: change --- unicorn_mode/README.md | 4 ++-- utils/libdislocator/README.md | 4 ++-- utils/libtokencap/README.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/unicorn_mode/README.md b/unicorn_mode/README.md index ee4a7b22..0f28cf96 100644 --- a/unicorn_mode/README.md +++ b/unicorn_mode/README.md 
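Review bot: the performance sentence added in the RetroWrite hunk ("identical in performance to compiler-instrumented binaries and outperform the QEMU-based instrumentation by 4.5x") replaces the earlier hedged "It is at about 80-85% performance." with a much stronger claim and gives no source; cite where the 4.5x figure was measured (paper or a reproducible benchmark) or keep the hedged wording. In the same hunk, "i.e., not stripped binary" should read "i.e., not a stripped binary", and the new lines run past the roughly 80-column wrap used by the surrounding paragraph.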
@@ -96,9 +96,9 @@ As for the QEMU-based instrumentation, unicornafl comes with a sub-instruction b The options that enable Unicorn CompareCoverage are the same used for QEMU. This will split up each multi-byte compare to give feedback for each correct byte. -AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate values. +`AFL_COMPCOV_LEVEL=1` is to instrument comparisons with only immediate values. -AFL_COMPCOV_LEVEL=2 instruments all comparison instructions. +`AFL_COMPCOV_LEVEL=2` instruments all comparison instructions. Comparison instructions are currently instrumented only for the x86, x86_64 and ARM targets. diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index 116a22ba..68ac9143 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -27,9 +27,9 @@ heap-related security bugs in several ways: AFL_LD_HARD_FAIL). - Optionally, in platforms supporting it, huge pages can be used by passing - USEHUGEPAGE=1 to make. + `USEHUGEPAGE=1` to make. - - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1. In + - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In this case, a tail canary is inserted in the padding bytes at the end of the allocated zone. This reduce the ability of libdislocator to detect off-by-one bugs but also it make slibdislocator compliant to the C standard. diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md index 4e7ed1d1..50104291 100644 --- a/utils/libtokencap/README.md +++ b/utils/libtokencap/README.md 
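Review bot: the utils/libdislocator/README.md hunk formats `AFL_ALIGNED_ALLOC=1` as code but leaves the bullet's context lines with "This reduce the ability of libdislocator to detect off-by-one bugs but also it make slibdislocator compliant to the C standard."; while touching this bullet, fix it to "This reduces the ability of libdislocator to detect off-by-one bugs but also makes libdislocator compliant with the C standard." (note the misplaced space in "slibdislocator"). The `USEHUGEPAGE=1` bullet likewise reads better as "on platforms supporting it" than "in platforms supporting it".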
@@ -31,7 +31,7 @@ require AFL-instrumented binaries to work. To use the library, you *need* to make sure that your fuzzing target is compiled with -fno-builtin and is linked dynamically. If you wish to automate the first -part without mucking with CFLAGS in Makefiles, you can set AFL_NO_BUILTIN=1 +part without mucking with CFLAGS in Makefiles, you can set `AFL_NO_BUILTIN=1` when using afl-gcc. This setting specifically adds the following flags: ``` -- cgit 1.4.1 From 8764375357df2a37d97de4bdb509781cec661923 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 10:36:22 +0100 Subject: test svg background --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index 0cccee6f..dff9f351 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/0_fuzzing_process_overview.drawio.svg: only the diagram text survived extraction and it is identical on the `-` and `+` sides, so the one-line markup change this commit makes is not visible here. Diagram text: phases Instrument target, Prepare campaign, Fuzz target, Manage campaign; legend Required task / Optional task; tasks Select compiler, Select options, Select sanitizer, Compile target source code, Write and compile harness, Modify target, Collect inputs, Minimize corpus file, Make input corpus unique, Run afl-fuzz, Use multiple cores, Use multiple machines, Check coverage, Monitor status, Triage crashes; fallback footer "Viewer does not support full SVG 1.1".]
\ No newline at end of file -- cgit 1.4.1 From b7ddde636be70caf84bf2ab910b021dbe0044098 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 10:42:40 +0100 Subject: svg test --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index dff9f351..aca85185 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/0_fuzzing_process_overview.drawio.svg: only the diagram text survived extraction (phases Instrument target, Prepare campaign, Fuzz target, Manage campaign with their tasks, and the Required task / Optional task legend), identical on the `-` and `+` sides; the one-line markup change this commit makes is not visible here.]
\ No newline at end of file -- cgit 1.4.1 From e663897a8a07e4631ca6d3eccac7e6717be9a4dd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 11:27:19 +0100 Subject: fix --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index aca85185..0cccee6f 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/0_fuzzing_process_overview.drawio.svg: only the diagram text survived extraction (phases Instrument target, Prepare campaign, Fuzz target, Manage campaign with their tasks, and the Required task / Optional task legend), identical on the `-` and `+` sides; the one-line markup change this commit makes is not visible here.]
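Review bot: this hunk takes docs/resources/0_fuzzing_process_overview.drawio.svg from blob aca85185 back to 0cccee6f, the blob that 8764375 ("test svg background") started from, so the three commits "test svg background", "svg test" and "fix" net to no change in the file; squash or drop them, since 5e47829 ("Add white background to SVG files") lands the background change across all five SVGs from 0cccee6f anyway.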
\ No newline at end of file -- cgit 1.4.1 From 5e478294627aa7ab58dc1545805e5141be44ac3c Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Wed, 12 Jan 2022 20:27:09 +0100 Subject: Add white background to SVG files --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- docs/resources/1_instrument_target.drawio.svg | 2 +- docs/resources/2_prepare_campaign.drawio.svg | 2 +- docs/resources/3_fuzz_target.drawio.svg | 2 +- docs/resources/4_manage_campaign.drawio.svg | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index 0cccee6f..d4ae9cab 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/0_fuzzing_process_overview.drawio.svg: only the diagram text survived extraction (phases Instrument target, Prepare campaign, Fuzz target, Manage campaign with their tasks, and the Required task / Optional task legend), identical on the `-` and `+` sides; the one-line markup change adding the white background is not visible here.]
\ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 9e2d8734..90c52760 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/1_instrument_target.drawio.svg: only the diagram text survived extraction, identical on the `-` and `+` sides; the one-line markup change adding the white background is not visible here. Diagram text: Instrument target; legend Required task / Optional task; Select compiler: LTO mode (clang/clang++ 11+), LLVM mode (clang/clang++ 3.8+), GCC_PLUGIN mode (gcc 5+), GCC/CLANG mode (other); Select options depending on the compiler: COMPCOV (only LTO), CmpLog (only LTO), selective instrumentation (LTO, LLVM, GCC_PLUGIN); Select sanitizer, one per instance: ASAN, CFISAN, LSAN, MSAN, TSAN, UBSAN; Compile target source code depending on the build system: configure, CMake, Meson Build System, other; Modify target: all AFL++ compilers do this automatically.]
\ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg index 92cc61c0..aaf50758 100644 --- a/docs/resources/2_prepare_campaign.drawio.svg +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/2_prepare_campaign.drawio.svg: only the diagram text survived extraction, identical on the `-` and `+` sides; the one-line markup change adding the white background is not visible here. Diagram text: Prepare campaign; legend Required task / Optional task; Collect inputs: collect one or more input files; Make input corpus unique: use afl-cmin on the input corpus; Minimize corpus file: use afl-tmin on input files.]
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index a4e5c940..9a30a57c 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/3_fuzz_target.drawio.svg: only the diagram text survived extraction, identical on the `-` and `+` sides; the one-line markup change adding the white background is not visible here. Diagram text: Fuzz target; legend Required task / Optional task; Use multiple cores: fuzz one target with multiple instances, one main fuzzer (-M main), secondary fuzzers (-S variant1), use up to 32/64 cores on each machine, cache test cases; Use multiple machines: fuzz one target with multiple machines, one main fuzzer per server (-M main), secondary fuzzers (-S variant1), sync between the servers; Run afl-fuzz: reconfigure the system for optimal speed, specify the input corpus directory, add a dictionary, set a memory limit.]
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index dae9fbf9..b8296257 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/4_manage_campaign.drawio.svg: only the diagram text survived extraction, identical on the `-` and `+` sides; the one-line markup change adding the white background is not visible here. Diagram text: Manage campaign; legend Required task / Optional task; Check coverage: use afl-showmap to get code coverage statistics, use afl-cov to generate an HTML report on coverage; Monitor status: use afl-whatsup to show the status of the fuzzing campaign, use afl-plot to generate an HTML report with graphs; Triage crashes: use afl-fuzz with the -C flag to run crash exploration mode, use afl-tmin on test cases for minimization, use afl-analyze to find critical sections in test cases; Start new campaign: stop instances without crashes, start new instances with different options, select new test cases based on insights.]
\ No newline at end of file -- cgit 1.4.1 From e7ddd15fa50d58a02523dd079f33246cb2fa21c5 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Wed, 12 Jan 2022 20:46:37 +0100 Subject: Incorporate feedback --- docs/resources/1_instrument_target.drawio.svg | 2 +- docs/resources/3_fuzz_target.drawio.svg | 2 +- docs/resources/4_manage_campaign.drawio.svg | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 90c52760..5dcc8525 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/1_instrument_target.drawio.svg: only the diagram text survived extraction. Labels changed by this commit: COMPCOV "(only LTO)" -> "(only LLVM & LTO)"; CmpLog "(only LTO)" -> "(only LLVM & LTO)"; Select sanitizer "Select one sanitizer per instance:" -> "Max. one sanitizer type each in a fuzzing campaign:"; Modify target "All AFL++ compilers do this automatically." -> "Create a fuzzing harness by hand for better efficiency." Unchanged: Instrument target, the Required task / Optional task legend, the Select compiler modes (LTO, LLVM, GCC_PLUGIN, GCC/CLANG), selective instrumentation (LTO, LLVM, GCC_PLUGIN), the sanitizer list (ASAN, CFISAN, LSAN, MSAN, TSAN, UBSAN) and the build systems (configure, CMake, Meson Build System, other).]
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index 9a30a57c..8c97b8e2 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/3_fuzz_target.drawio.svg: only the diagram text survived extraction. Changed by this commit: the Use multiple cores box drops "Use up to 32/64 cores on each machine." and "Cache test cases."; in the Use multiple machines box the main fuzzer changes from "-M main" to "-M main-$HOSTNAME". Unchanged: Fuzz target, the Required task / Optional task legend, secondary fuzzers (-S variant1), "Sync between the servers." and the Run afl-fuzz box (reconfigure the system for optimal speed, specify the input corpus directory, add a dictionary, set a memory limit).]
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index b8296257..969f47fd 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[SVG diff residue for docs/resources/4_manage_campaign.drawio.svg: only the diagram text survived extraction. Changed by this commit: in Triage crashes, "Use afl-analyze to find critical sections in test cases." -> "Use gdb or third-party exploitable tools to analyze crashes."; the "Start new campaign" box is renamed "Optimize campaign" and "Stop instances without crashes." -> "Stop instances that are not performing well." Unchanged: Manage campaign, the Required task / Optional task legend, Check coverage (afl-showmap, afl-cov), Monitor status (afl-whatsup, afl-plot), afl-fuzz -C crash exploration mode, afl-tmin minimization, "Start new instances with different options." and "Select new test cases based on insights."]
\ No newline at end of file -- cgit 1.4.1 From 21ebfec79c75f99c938ebfc453e76eb82328d12e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 21:59:31 +0100 Subject: better ignore problem handling --- instrumentation/afl-compiler-rt.o.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 1b9fdee3..a84f31e3 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1433,9 +1433,12 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { } else { + static u32 offset = 4; + while (start < stop) { - *(start++) = 4; + *(start++) = offset; + if (unlikely(++offset >= __afl_final_loc)) { offset = 4; } } @@ -1444,7 +1447,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { } x = getenv("AFL_INST_RATIO"); - if (x) inst_ratio = (u32)atoi(x); + if (x) { inst_ratio = (u32)atoi(x); } if (!inst_ratio || inst_ratio > 100) { -- cgit 1.4.1 From 110cc27632c8f2018b79f95cbff9c9daa3f509f7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jan 2022 10:09:35 +0100 Subject: fix laf-intel split switches --- instrumentation/split-switches-pass.so.cc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc index 85a35c2a..9f9e7eca 100644 --- a/instrumentation/split-switches-pass.so.cc +++ b/instrumentation/split-switches-pass.so.cc @@ -118,8 +118,6 @@ BasicBlock *SplitSwitchesTransform::switchConvert( std::vector setSizes; std::vector > byteSets(BytesInValue, std::set()); - assert(ValTypeBitWidth >= 8 && ValTypeBitWidth <= 64); - /* for each of the possible cases we iterate over all bytes of the values * build a set of possible values at each byte position in byteSets */ for (CaseExpr &Case : Cases) { 
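Review bot: the wrap-around added to the else branch of __sanitizer_cov_trace_pc_guard_init(), `if (unlikely(++offset >= __afl_final_loc)) { offset = 4; }`, deliberately maps the guards of a library loaded after the forkserver onto map slots the main binary already uses; that is exactly why the FAQ entry for AFL_IGNORE_PROBLEMS=1 further down says fuzzing efficiency is partially degraded. Add a comment saying so, otherwise the reset to 4 reads like an off-by-one. Because `offset` is `static`, a second dlopen() continues numbering where the first stopped instead of restarting at 4, which spreads the collisions more evenly and also deserves a comment. One edge to document: if `__afl_final_loc` is 4 or less, the condition holds on every iteration and every guard receives index 4, i.e. the previous behaviour.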
@@ -350,9 +348,9 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) { /* If there is only the default destination or the condition checks 8 bit or * less, don't bother with the code below. */ - if (!SI->getNumCases() || bitw <= 8) { + if (SI->getNumCases() < 2 || bitw % 8 || bitw > 64) { - // if (!be_quiet) errs() << "skip trivial switch..\n"; + // if (!be_quiet) errs() << "skip switch..\n"; continue; } -- cgit 1.4.1 From bedd812e7b626052016cdcd52f2161788bb5b190 Mon Sep 17 00:00:00 2001 From: Damiano Melotti Date: Thu, 13 Jan 2022 10:11:43 +0100 Subject: Fixed wrong delete operator and added mutator's destructor --- .../libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc | 2 +- .../libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc index ecbfdd1c..03e8e35c 100644 --- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc +++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc @@ -100,7 +100,7 @@ extern "C" size_t afl_custom_fuzz(MyMutator *mutator, // return value from afl_c // Copy to a new buffer ( mutated_out ) size_t mutated_size = s.size() <= max_size ? s.size() : max_size; // check if raw data's size is larger than max_size - delete mutator->mutated_out; + delete[] mutator->mutated_out; mutator->mutated_out = new uint8_t[mutated_size+1]; memcpy(mutator->mutated_out, s.c_str(), mutated_size); // copy the mutated data // Assign the mutated data and return mutated_size diff --git a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h index 0f5484ca..cfd4ce3f 100644 --- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h 
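Review bot: the comment above the new skip condition still says "If there is only the default destination or the condition checks 8 bit or less", but `if (SI->getNumCases() < 2 || bitw % 8 || bitw > 64)` now skips single-case switches, widths that are not a multiple of 8 and widths above 64, and no longer skips 8-bit switches; update the comment to match and confirm that converting an 8-bit switch (a single byte set) is intended. Removing `assert(ValTypeBitWidth >= 8 && ValTypeBitWidth <= 64);` from switchConvert() is only safe because this check in splitSwitches() now guards every call; a one-line comment tying the two sites together would stop a later refactor from reintroducing the failing assert that the changelog entry "fixed a bad assert in LAF split switches" refers to.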
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h @@ -4,4 +4,7 @@ class MyMutator : public protobuf_mutator::Mutator { public: uint8_t *mutated_out = nullptr; + ~MyMutator() { + delete[] mutated_out; + } }; -- cgit 1.4.1 From c8e6a59e7dcc475de4ce1ceb44aa41c4dd4b611d Mon Sep 17 00:00:00 2001 From: Damiano Melotti Date: Thu, 13 Jan 2022 10:12:23 +0100 Subject: Removed unused byte in allocation --- .../libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc index 03e8e35c..5a940db3 100644 --- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc +++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc @@ -101,7 +101,7 @@ extern "C" size_t afl_custom_fuzz(MyMutator *mutator, // return value from afl_c size_t mutated_size = s.size() <= max_size ? s.size() : max_size; // check if raw data's size is larger than max_size delete[] mutator->mutated_out; - mutator->mutated_out = new uint8_t[mutated_size+1]; + mutator->mutated_out = new uint8_t[mutated_size]; memcpy(mutator->mutated_out, s.c_str(), mutated_size); // copy the mutated data // Assign the mutated data and return mutated_size *out_buf = mutator->mutated_out; -- cgit 1.4.1 From 9e38c43686dad2feb2db30a065bda570421e217a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jan 2022 10:32:47 +0100 Subject: update changelog --- docs/Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Changelog.md b/docs/Changelog.md index c4786bf3..6ab1794c 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
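Review bot: with `delete[]` now used both in afl_custom_fuzz() and in the new `~MyMutator()`, the raw `uint8_t *mutated_out` is managed by hand in two places; holding it as `std::unique_ptr<uint8_t[]>` (or a `std::vector<uint8_t>` resized per call) would make the destructor unnecessary and remove the chance of a third site using plain `delete` again. If the raw pointer stays, note in the header that `delete[]` on the initial nullptr is well-defined, so no null check is needed at either site.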
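Review bot: dropping the `+1` in `mutator->mutated_out = new uint8_t[mutated_size];` is correct, since the buffer is handed back to AFL++ together with an explicit `mutated_size` and nothing NUL-terminates it; add a comment that `mutated_out` is not a C string so nobody reintroduces the terminator or passes the buffer to string functions. `new uint8_t[0]` for an empty `s` is legal and yields a non-null pointer, so the zero-length case needs no special handling.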
@@ -56,6 +56,7 @@ sending a mail to . - better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST on filename matching (requires llvm 11 or newer) - fixed a potential crash in targets for LAF string handling + - fixed a bad assert in LAF split switches - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) - fix for AFL_REAL_LD -- cgit 1.4.1 From 8f7e584b82e14eced00e7bd3f8c0eaf041263e12 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jan 2022 12:15:19 +0100 Subject: more faq --- docs/FAQ.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/FAQ.md b/docs/FAQ.md index 90cae453..73328d6e 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -203,6 +203,31 @@ If you find an interesting or important question missing, submit it via ## Troubleshooting +
+ FATAL: forkserver is already up but an instrumented dlopen library loaded afterwards

+ + It can happen that you see this error on startup when fuzzing a target: + + ``` + [-] FATAL: forkserver is already up, but an instrumented dlopen() library + loaded afterwards. You must AFL_PRELOAD such libraries to be able + to fuzz them or LD_PRELOAD to run outside of afl-fuzz. + To ignore this set AFL_IGNORE_PROBLEMS=1. + ``` + + As the error describes, a dlopen() call is happening in the target that is loading an instrumented library after the forkserver is already in place, + This is a problem for afl-fuzz because when the forkserver is started we must know the map size already and it can't be changed later. + + The best solution is to simply set `AFL_PRELOAD=foo.so` the libraries that + are dlopen'ed (e.g. use `strace` to see which), or to set a manual forkserver + after the final dlopen(). + + If this is not a viable option you can set `AFL_IGNORE_PROBLEMS=1` but then + the existing map will be used also for the newly loaded libraries, which + allows it to work, however the efficiency of the fuzzing will be partially + degraded. +

+
I got a weird compile error from clang.

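Review bot: comma splice in the new FAQ entry, "after the forkserver is already in place, This is a problem for afl-fuzz"; split it into two sentences. "set `AFL_PRELOAD=foo.so` the libraries that are dlopen'ed" also needs rewording, e.g. "set `AFL_PRELOAD` to the libraries that are dlopen()ed (use `strace` to see which)". Since the entry recommends "a manual forkserver after the final dlopen()", name the mechanism (`__AFL_INIT()` placed after the last dlopen() call) so readers can find it in the rest of the docs. The last paragraph could also state why efficiency drops with AFL_IGNORE_PROBLEMS=1: the late library's edges share map slots with the main binary's, so collisions hide new coverage.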
-- cgit 1.4.1 From 4c07e37eae093687169245fd473ad01cc3a37736 Mon Sep 17 00:00:00 2001 From: Majid Salehi <64958231+pwnforce@users.noreply.github.com> Date: Thu, 13 Jan 2022 14:48:05 +0100 Subject: Update fuzzing_binary-only_targets.md --- docs/fuzzing_binary-only_targets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 874cf068..32e6c6c2 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -204,9 +204,9 @@ is compiled with position independent code (PIC/PIE), and does not contain C++ e then the RetroWrite solution might be for you. It decompiles to ASM files which can then be instrumented with afl-gcc. -Binaries that are statically instrumented for fuzzing using RetroWrite are identical +Binaries that are statically instrumented for fuzzing using RetroWrite are close in performance to compiler-instrumented binaries and outperform -the QEMU-based instrumentation by 4.5x. +the QEMU-based instrumentation. [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) -- cgit 1.4.1 From 27ab84fbf1a0497c363e3f06c7e7d41ab019c191 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jan 2022 16:38:18 +0100 Subject: fix skipping unfavored fuzzed entries --- src/afl-fuzz-one.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 26a01948..b28ee80a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -413,8 +413,7 @@ u8 fuzz_one_original(afl_state_t *afl) { possibly skip to them at the expense of already-fuzzed or non-favored cases. */ - if (((afl->queue_cur->was_fuzzed > 0 || afl->queue_cur->fuzz_level > 0) || - !afl->queue_cur->favored) && + if ((afl->queue_cur->fuzz_level || !afl->queue_cur->favored) && likely(rand_below(afl, 100) < SKIP_TO_NEW_PROB)) { return 1; 
@@ -429,8 +428,7 @@ u8 fuzz_one_original(afl_state_t *afl) { The odds of skipping stuff are higher for already-fuzzed inputs and lower for never-fuzzed entries. */ - if (afl->queue_cycle > 1 && - (afl->queue_cur->fuzz_level == 0 || afl->queue_cur->was_fuzzed)) { + if (afl->queue_cycle > 1 && !afl->queue_cur->fuzz_level) { if (likely(rand_below(afl, 100) < SKIP_NFAV_NEW_PROB)) { return 1; } @@ -2961,17 +2959,12 @@ abandon_entry: cycle and have not seen this entry before. */ if (!afl->stop_soon && !afl->queue_cur->cal_failed && - (afl->queue_cur->was_fuzzed == 0 || afl->queue_cur->fuzz_level == 0) && - !afl->queue_cur->disabled) { + !afl->queue_cur->was_fuzzed && !afl->queue_cur->disabled) { - if (!afl->queue_cur->was_fuzzed) { - - --afl->pending_not_fuzzed; - afl->queue_cur->was_fuzzed = 1; - afl->reinit_table = 1; - if (afl->queue_cur->favored) { --afl->pending_favored; } - - } + --afl->pending_not_fuzzed; + afl->queue_cur->was_fuzzed = 1; + afl->reinit_table = 1; + if (afl->queue_cur->favored) { --afl->pending_favored; } } @@ -3024,8 +3017,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { possibly skip to them at the expense of already-fuzzed or non-favored cases. */ - if (((afl->queue_cur->was_fuzzed > 0 || afl->queue_cur->fuzz_level > 0) || - !afl->queue_cur->favored) && + if ((afl->queue_cur->fuzz_level || !afl->queue_cur->favored) && rand_below(afl, 100) < SKIP_TO_NEW_PROB) { return 1; @@ -3040,8 +3032,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { The odds of skipping stuff are higher for already-fuzzed inputs and lower for never-fuzzed entries. */ - if (afl->queue_cycle > 1 && - (afl->queue_cur->fuzz_level == 0 || afl->queue_cur->was_fuzzed)) { + if (afl->queue_cycle > 1 && !afl->queue_cur->fuzz_level) { if (likely(rand_below(afl, 100) < SKIP_NFAV_NEW_PROB)) { return 1; } -- cgit 1.4.1 From 1ca33174253ab430c9327927f6116458d6f1b793 Mon Sep 17 00:00:00 2001 
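Review bot: the two skip checks are now duplicated verbatim in fuzz_one_original() and mopt_common_fuzzing(), `if ((afl->queue_cur->fuzz_level || !afl->queue_cur->favored) && ...)` and `if (afl->queue_cycle > 1 && !afl->queue_cur->fuzz_level)`, and the bug fixed here had to be patched in both; move them into one small static helper so they cannot drift apart again. Also document the intended split between the two fields: the skip checks now key on `fuzz_level`, while abandon_entry and the `pending_not_fuzzed` / `pending_favored` accounting key on `was_fuzzed` (set once, when the first pass over the entry completes); a comment at the struct definition saying when each is set would prevent the next mix-up.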
From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Fri, 14 Jan 2022 11:22:16 +0100 Subject: Add link to image --- docs/resources/4_manage_campaign.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index 969f47fd..6c531388 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[Rendered text of the old docs/resources/4_manage_campaign.drawio.svg (the "Manage campaign" diagram); legend: Required task / Optional task]
Check coverage: use afl-showmap to get code coverage statistics; use afl-cov to generate an HTML report on coverage.
Monitor status: use afl-whatsup to show the status of the fuzzing campaign; use afl-plot to generate an HTML report with graphs.
Triage crashes: use afl-fuzz with the -C flag to run crash exploration mode; use afl-tmin on test cases for minimization; use gdb or third-party exploitable tools to analyze crashes.
Optimize campaign: stop instances that are not performing well; start new instances with different options; select new test cases based on insights.
\ No newline at end of file +
[Rendered text of the new docs/resources/4_manage_campaign.drawio.svg: identical to the text of the old version above]
\ No newline at end of file -- cgit 1.4.1 From f42c0047c8c5a988123f7b66bad4e33234680ebc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Jan 2022 15:01:05 +0100 Subject: nits --- README.md | 1 + docs/docs.md | 122 -------------------------------------------------- docs/docs2.md | 124 --------------------------------------------------- src/afl-fuzz-queue.c | 7 ++- 4 files changed, 4 insertions(+), 250 deletions(-) delete mode 100644 docs/docs.md delete mode 100644 docs/docs2.md diff --git a/README.md b/README.md index 9e41a088..f7d5e40d 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ AFL++ is maintained by: * Heiko "hexcoder-" Eißfeldt , * Andrea Fioraldi and * Dominik Maier . +* Documentation: Jana Aydinbas Originally developed by Michał "lcamtuf" Zalewski. diff --git a/docs/docs.md b/docs/docs.md deleted file mode 100644 index aa8a4d48..00000000 --- a/docs/docs.md +++ /dev/null 
@@ -1,122 +0,0 @@ -# Restructure AFL++'s documentation - -## About us - -We are dedicated to everything around fuzzing, our main and most well known -contribution is the fuzzer `AFL++` which is part of all major Unix -distributions (e.g. Debian, Arch, FreeBSD, etc.) and is deployed on Google's -oss-fuzz and clusterfuzz. It is rated the top fuzzer on Google's fuzzbench. - -We are four individuals from Europe supported by a large community. - -All our tools are open source. - -## About the AFL++ fuzzer project - -AFL++ inherited it's documentation from the original Google AFL project. -Since then it has been massively improved - feature and performance wise - -and although the documenation has likewise been continued it has grown out -of proportion. -The documentation is done by non-natives to the English language, plus -none of us has a writer background. - -We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord -channels, web forums and as issues in our repository. - -This only increases as AFL++ has been on the top of Google's fuzzbench -statistics (which measures the performance of fuzzers) and is now being -integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix -packaging repositories, e.g. Debian, FreeBSD, etc. - -AFL++ now has 44 (!) documentation files with 13k total lines of content. -This is way too much. - -Hence AFL++ needs a complete overhaul of it's documentation, both on a -organisation/structural level as well as the content. - -Overall the following actions have to be performed: - * Create a better structure of documentation so it is easier to find the - information that is being looked for, combining and/or splitting up the - existing documents as needed. - * Rewrite some documentation to remove duplication. Several information is - present several times in the documentation. These should be removed to - where needed so that we have as little bloat as possible. 
- * The documents have been written and modified by a lot of different people, - most of them non-native English speaker. Hence an overall review where - parts should be rewritten has to be performed and then the rewrite done. - * Create a cheat-sheet for a very short best-setup build and run of AFL++ - * Pictures explain more than 1000 words. We need at least 4 images that - explain the workflow with AFL++: - - the build workflow - - the fuzzing workflow - - the fuzzing campaign management workflow - - the overall workflow that is an overview of the above - - maybe more? where the technical writes seems it necessary for - understanding. - -Requirements: - * Documentation has to be in Markdown format - * Images have to be either in SVG or PNG format. - * All documentation should be (moved) in(to) docs/ - -The project does not require writing new documentation or tutorials beside the -cheat sheet. The technical information for the cheat sheet will be provided by -us. - -## Metrics - -AFL++ is a the highest performant fuzzer publicly available - but is also the -most feature rich and complex. With the publicity of AFL++' success and -deployment in Google projects internally and externally and availability as -a package on most Linux distributions we see more and more issues being -created and help requests on our Discord channel that would not be -necessary if people would have read through all our documentation - which -is unrealistic. - -We expect the the new documenation after this project to be cleaner, easier -accessible and lighter to digest by our users, resulting in much less -help requests. On the other hand the amount of users using AFL++ should -increase as well as it will be more accessible which would also increase -questions again - but overall resulting in a reduction of help requests. 
- -In numbers: we currently have per week on average 5 issues on Github, -10 questions on discord and 1 on mailing lists that would not be necessary -with perfect documentation and perfect people. - -We would consider this project a success if afterwards we only have -2 issues on Github and 3 questions on discord anymore that would be answered -by reading the documentation. The mailing list is usually used by the most -novice users and we don't expect any less questions there. - -## Project Budget - -We have zero experience with technical writers, so this is very hard for us -to calculate. We expect it to be a lot of work though because of the amount -of documentation we have that needs to be restructured and partially rewritten -(44 documents with 13k total lines of content). - -We assume the daily rate of a very good and experienced technical writer in -times of a pandemic to be ~500$ (according to web research), and calculate -the overall amout of work to be around 20 days for everything incl. the -graphics (but again - this is basically just guessing). - -Technical Writer 10000$ -Volunteer stipends 0$ (waved) -T-Shirts for the top 10 contributors and helpers to this documentation project: - 10 AFL++ logo t-shirts 20$ each 200$ - 10 shipping cost of t-shirts 10$ each 100$ - -Total: 10.300$ -(in the submission form 10.280$ was entered) - -## Additional Information - -We have participated in Google Summer of Code in 2020 and hope to be selected -again in 2021. - -We have no experience with a technical writer, but we will support that person -with video calls, chats, emails and messaging, provide all necessary information -and write technical contents that is required for the success of this project. -It is clear to us that a technical writer knows how to write, but cannot know -the technical details in a complex tooling like in AFL++. This guidance, input, -etc. has to come from us. 
diff --git a/docs/docs2.md b/docs/docs2.md deleted file mode 100644 index 23ef61c5..00000000 --- a/docs/docs2.md +++ /dev/null 
@@ -1,124 +0,0 @@ -# Restructure AFL++'s documentation - Case Study - -## Problem statement - -AFL++ inherited it's documentation from the original Google AFL project. -Since then it has been massively improved - feature and performance wise - -and although the documenation has likewise been continued it has grown out -of proportion. -The documentation is done by non-natives to the English language, plus -none of us has a writer background. - -We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord -channels, web forums and as issues in our repository. -Most of them could be answered if people would read through all the -documentation. - -This only increases as AFL++ has been on the top of Google's fuzzbench -statistics (which measures the performance of fuzzers) and has been -integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix -packaging repositories, e.g. Debian, FreeBSD, etc. - -AFL++ had 44 (!) documentation files with 13k total lines of content. -This was way too much. - -## Proposal abstract - -AFL++'s documentatin needs a complete overhaul, both on a -organisation/structural level as well as the content. - -Overall the following actions have to be performed: - * Create a better structure of documentation so it is easier to find the - information that is being looked for, combining and/or splitting up the - existing documents as needed. - * Rewrite some documentation to remove duplication. Several information is - present several times in the documentation. These should be removed to - where needed so that we have as little bloat as possible. - * The documents have been written and modified by a lot of different people, - most of them non-native English speaker. Hence an overall review where - parts should be rewritten has to be performed and then the rewrite done. - * Create a cheat-sheet for a very short best-setup build and run of AFL++ - * Pictures explain more than 1000 words. 
We need at least 4 images that - explain the workflow with AFL++: - - the build workflow - - the fuzzing workflow - - the fuzzing campaign management workflow - - the overall workflow that is an overview of the above - - maybe more? where the technical writes seems it necessary for - understanding. - -Requirements: - * Documentation has to be in Markdown format - * Images have to be either in SVG or PNG format. - * All documentation should be (moved) in(to) docs/ - -## Project description - -We created our proposal by discussing in the team what the issues are and -what was needed to fix it. -This resulted in the [project proposal](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/docs.md). - -We did not want to be selected by a writer but select a writer ourselves, so -we combed through the list and reviewed every single one of them. -We were not looking for coders writing technical documentation, but rather -someone who is an experienced writer and has documented experience with -structuring documentation. -Few fit that profile and we sent out messages to 6 people. -We finally decided on Jana because she had a strong background in technical -documentation and structuring information. -She had no technical experience in fuzzing whatsoever, but we saw that as -a plus - of course this made the whole process longer to explain details, -but overall ensured that the documentation can be read by (mostly) everyone. - -We communicated via video calls every few weeks and she kept a public kanban -board about her todos, additional we used a Signal channel. -Her changes were imported via PRs where we discussed details. - -The project was off to a good start, but then Jana got pregnant with serious -side effects that made working impossible for her for a longer time, hence -the schedule was thrown back. 
-She offered to rescind the payment and we select a new writer, but we saw -little opportunity in that, as that would mean a new selection of a writer, -someone else with a different vision on how the result should look like so -basically a full restart of the project and a large impact on our own time. -So we agreed on - after discussion with the Google GSoD team - that she -continues the project after the GSoD completion deadline as best as she can. - -End of November she took one week off from work and fully dedicated her time -for the documenation which brought the project a big step forward. - -Originally the project should have been ended begin of October, but now - at -nearing the end of November, we are at about 85% completion, with the end -being expected around mid of December. - -## Metrics - -We merged most of the changes in our development branch and are getting -close to a state where the user documentation part is completed and we -can create a new release. Only then the new documentatin is actually visible -to users. Therefore no metrics could be collected so far. - -We plan on a user-assisted QA review end of November/begin of December. - -The documentation was reviewed by a few test users so far however who gave -it a thumbs up. - -## Summary - -The GSoD project itself is great. It helps to get the documentation back in -line. -It was and is a larger time investment from our side, but we expected that. -When the project is done, the documentation will be more accessible by users -and also need less maintenance by us. -There is still follow-up work to be done by us afterwards (web site for the -docs, etc.). - -Not sure what we would do differently next time. I think we prepared best as -possible and reacted best as possible to the unexpected. - -Recommendations for other organizations who would like to participate in GSoD: - - expect the process to take a larger part of your time. the writer needs - your full support. 
- - have someone dedicated from the dev/org side to support, educate and - supervice the writer - - set clear goals and expectations diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 9ca89944..fc8a0d55 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -769,8 +769,7 @@ void cull_queue(afl_state_t *afl) { afl->top_rated[i]->favored = 1; ++afl->queued_favored; - if (afl->top_rated[i]->fuzz_level == 0 || - !afl->top_rated[i]->was_fuzzed) { + if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; @@ -936,7 +935,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { n_items = 0; // Don't modify perf_score for unfuzzed seeds - if (q->fuzz_level == 0) break; + if (!q->fuzz_level) break; u32 i; for (i = 0; i < afl->queued_items; i++) { @@ -967,7 +966,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { case FAST: // Don't modify unfuzzed seeds - if (q->fuzz_level == 0) break; + if (!q->fuzz_level) break; switch ((u32)log2(afl->n_fuzz[q->n_fuzz_entry])) { -- cgit 1.4.1 From 8c58bdb5045ceea92fd11ca5f3f8946cd416695d Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Fri, 14 Jan 2022 15:17:25 +0100 Subject: Add margin to images --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- docs/resources/1_instrument_target.drawio.svg | 2 +- docs/resources/2_prepare_campaign.drawio.svg | 2 +- docs/resources/3_fuzz_target.drawio.svg | 2 +- docs/resources/4_manage_campaign.drawio.svg | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index d4ae9cab..fa596e21 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
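Review bot: `if (!afl->top_rated[i]->was_fuzzed)` in cull_queue() now matches the abandon_entry accounting in afl-fuzz-one.c, where `pending_favored` is decremented only when `was_fuzzed` flips to 1; the two sites must use the same predicate or the counter drifts, so add a comment cross-referencing them. The `if (!q->fuzz_level) break;` edits in calculate_score() are cosmetic and fine.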
[Rendered text of the old docs/resources/0_fuzzing_process_overview.drawio.svg (overview diagram); legend: Required task / Optional task]
Phases: Instrument target; Prepare campaign; Fuzz target; Manage campaign.
Task nodes: Select compiler, Select options, Select sanitizer, Compile target source code, Write and compile harness, Modify target, Collect inputs, Make input corpus unique, Minimize corpus file, Run afl-fuzz, Use multiple cores, Use multiple machines, Check coverage, Monitor status, Triage crashes.
\ No newline at end of file +
[Rendered text of the new docs/resources/0_fuzzing_process_overview.drawio.svg: identical to the text of the old version above]
\ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 5dcc8525..af6ac397 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,4 @@ -
[Rendered text of the old docs/resources/1_instrument_target.drawio.svg (the "Instrument target" diagram); legend: Required task / Optional task]
Select compiler: LTO mode (clang/clang++ 11+); LLVM mode (clang/clang++ 3.8+); GCC_PLUGIN mode (gcc 5+); GCC/CLANG mode (other).
Select options, depending on the compiler: COMPCOV (only LLVM & LTO); CmpLog (only LLVM & LTO); selective instrumentation (LTO, LLVM, GCC_PLUGIN).
Select sanitizer, max. one sanitizer type each in a fuzzing campaign: ASAN, CFISAN, LSAN, MSAN, TSAN, UBSAN.
Compile target source code, depending on the build system: configure, CMake, Meson Build System, other.
Modify target: create a fuzzing harness by hand for better efficiency.
\ No newline at end of file +
[Rendered text of the new docs/resources/1_instrument_target.drawio.svg: identical to the text of the old version above]
\ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg index aaf50758..f4de62b9 100644 --- a/docs/resources/2_prepare_campaign.drawio.svg +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[Rendered text of the old docs/resources/2_prepare_campaign.drawio.svg (the "Prepare campaign" diagram); legend: Required task / Optional task]
Collect inputs: collect one or more input files.
Make input corpus unique: use afl-cmin on the input corpus.
Minimize corpus file: use afl-tmin on input files.
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique


Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file


Use afl-tmin on input files.
Minimize corpus file...
Collect inputs


Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index 8c97b8e2..de5982ed 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,4 @@ -
(drawio SVG diagram text, identical in the removed and added revisions) Fuzz target. Legend: Required task / Optional task. Run afl-fuzz: reconfigure the system for optimal speed; specify the input corpus directory; add a dictionary; set a memory limit. Use multiple cores: fuzz one target with multiple instances, one main fuzzer (-M main) and secondary fuzzers (-S variant1). Use multiple machines: fuzz one target with multiple machines, one main fuzzer per server (-M main-$HOSTNAME) and secondary fuzzers (-S variant1); sync between the servers.
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index 6c531388..041a2a23 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
(drawio SVG diagram text, identical in the removed and added revisions) Manage campaign. Legend: Required task / Optional task. Monitor status: use afl-whatsup to show the status of the fuzzing campaign; use afl-plot to generate an HTML report with graphs. Check coverage: use afl-showmap to get code coverage statistics; use afl-cov to generate an HTML report on coverage. Triage crashes: use afl-fuzz with -C flag to run crash exploration mode; use afl-tmin on test cases for minimization; use gdb or third-party exploitable tools to analyze crashes. Optimize campaign: stop instances that are not performing well; start new instances with different options; select new test cases based on insights.
\ No newline at end of file -- cgit 1.4.1 From 20177151e6c7d510b8f0ed39cca72151068ffa28 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Jan 2022 15:56:44 +0100 Subject: add email --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f7d5e40d..5c2262cf 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ AFL++ is maintained by: * Heiko "hexcoder-" Eißfeldt , * Andrea Fioraldi and * Dominik Maier . -* Documentation: Jana Aydinbas +* Documentation: Jana Aydinbas Originally developed by MichaÅ‚ "lcamtuf" Zalewski. -- cgit 1.4.1 From 4217a6606c92f6a88ab577ae8f91823dd731562d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 15 Jan 2022 13:58:17 +0100 Subject: fix classify counts --- include/afl-fuzz.h | 1 + include/coverage-32.h | 33 +++++++++++++++---- include/coverage-64.h | 51 ++++++++++++++++++++++------- instrumentation/afl-llvm-common.h | 16 ++++----- instrumentation/afl-llvm-pass.so.cc | 13 +++++--- instrumentation/cmplog-instructions-pass.cc | 33 ++++++++++--------- src/afl-cc.c | 5 +-- src/afl-fuzz-bitmap.c | 7 ++-- src/afl-fuzz-queue.c | 6 +--- 9 files changed, 108 insertions(+), 57 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index e225211f..1340d9ef 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1046,6 +1046,7 @@ u32 count_bytes(afl_state_t *, u8 *); u32 count_non_255_bytes(afl_state_t *, u8 *); void simplify_trace(afl_state_t *, u8 *); void classify_counts(afl_forkserver_t *); +void classify_counts_off(afl_forkserver_t *, u32); #ifdef WORD_SIZE_64 void discover_word(u8 *ret, u64 *current, u64 *virgin); #else diff --git a/include/coverage-32.h b/include/coverage-32.h index ca36c29f..d213db12 100644 --- a/include/coverage-32.h +++ b/include/coverage-32.h 
@@ -62,6 +62,23 @@ inline void classify_counts(afl_forkserver_t *fsrv) { } +inline void classify_counts_off(afl_forkserver_t *fsrv, u32 off) { + + u32 *mem = (u32 *)(fsrv->trace_bits + off); + u32 i = ((fsrv->map_size - off) >> 2); + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { *mem = classify_word(*mem); } + + mem++; + + } + +} + /* Updates the virgin bits, then reflects whether a new count or a new tuple is * seen in ret. */ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { @@ -70,7 +87,7 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { that have not been already cleared from the virgin map - since this will almost always be the case. */ - if (*current & *virgin) { + if (unlikely(*current & *virgin)) { if (likely(*ret < 2)) { @@ -80,8 +97,8 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { /* Looks like we have not found any new bytes yet; see if any non-zero bytes in current[] are pristine in virgin[]. */ - if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) + if (unlikely((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff))) *ret = 2; else *ret = 1; 
@@ -97,12 +114,14 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { #define PACK_SIZE 16 inline u32 skim(const u32 *virgin, const u32 *current, const u32 *current_end) { + u32 *save = (u32*) current; + for (; current < current_end; virgin += 4, current += 4) { - if (current[0] && classify_word(current[0]) & virgin[0]) return 1; - if (current[1] && classify_word(current[1]) & virgin[1]) return 1; - if (current[2] && classify_word(current[2]) & virgin[2]) return 1; - if (current[3] && classify_word(current[3]) & virgin[3]) return 1; + if (unlikely(current[0] && classify_word(current[0]) & virgin[0])) return (u32)(¤t[1] - save); + if (unlikely(current[1] && classify_word(current[1]) & virgin[1])) return (u32)(¤t[2] - save); + if (unlikely(current[2] && classify_word(current[2]) & virgin[2])) return (u32)(¤t[3] - save); + if (unlikely(current[3] && classify_word(current[3]) & virgin[3])) return (u32)(¤t[4] - save); } diff --git a/include/coverage-64.h b/include/coverage-64.h index 54fe9d33..ab29506c 100644 --- a/include/coverage-64.h +++ b/include/coverage-64.h @@ -72,6 +72,23 @@ inline void classify_counts(afl_forkserver_t *fsrv) { } +inline void classify_counts_off(afl_forkserver_t *fsrv, u32 off) { + + u64 *mem = (u64 *)(fsrv->trace_bits + off); + u32 i = ((fsrv->map_size - off) >> 3); + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { *mem = classify_word(*mem); } + + mem++; + + } + +} + /* Updates the virgin bits, then reflects whether a new count or a new tuple is * seen in ret. */ inline void discover_word(u8 *ret, u64 *current, u64 *virgin) { 
@@ -110,17 +127,20 @@ inline void discover_word(u8 *ret, u64 *current, u64 *virgin) { #define PACK_SIZE 64 inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { + u64 *save = (u64*) current; + for (; current != current_end; virgin += 8, current += 8) { __m512i value = *(__m512i *)current; __mmask8 mask = _mm512_testn_epi64_mask(value, value); /* All bytes are zero. */ - if (mask == 0xff) continue; + if (likely(mask == 0xff)) continue; /* Look for nonzero bytes and check for new bits. */ - #define UNROLL(x) \ - if (!(mask & (1 << x)) && classify_word(current[x]) & virgin[x]) return 1 + #define UNROLL(x) \ + if (unlikely(!(mask & (1 << x)) && classify_word(current[x]) & virgin[x])) \ + return (u32)(¤t[x + 1] - save) UNROLL(0); UNROLL(1); UNROLL(2); @@ -143,6 +163,7 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { #define PACK_SIZE 32 inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { + u64 *save = (u64*) current; __m256i zeroes = _mm256_setzero_si256(); for (; current < current_end; virgin += 4, current += 4) { 
@@ -152,13 +173,17 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { u32 mask = _mm256_movemask_epi8(cmp); /* All bytes are zero. */ - if (mask == (u32)-1) continue; + if (likely(mask == (u32)-1)) continue; /* Look for nonzero bytes and check for new bits. */ - if (!(mask & 0xff) && classify_word(current[0]) & virgin[0]) return 1; - if (!(mask & 0xff00) && classify_word(current[1]) & virgin[1]) return 1; - if (!(mask & 0xff0000) && classify_word(current[2]) & virgin[2]) return 1; - if (!(mask & 0xff000000) && classify_word(current[3]) & virgin[3]) return 1; + if (unlikely(!(mask & 0xff) && classify_word(current[0]) & virgin[0])) + return (u32)(¤t[1] - save); + if (unlikely(!(mask & 0xff00) && classify_word(current[1]) & virgin[1])) + return (u32)(¤t[2] - save); + if (unlikely(!(mask & 0xff0000) && classify_word(current[2]) & virgin[2])) + return (u32)(¤t[3] - save); + if (unlikely(!(mask & 0xff000000) && classify_word(current[3]) & virgin[3])) + return (u32)(¤t[4] - save); } @@ -172,12 +197,14 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { #define PACK_SIZE 32 inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { + u64 *save = (u64*) current; + for (; current < current_end; virgin += 4, current += 4) { - if (current[0] && classify_word(current[0]) & virgin[0]) return 1; - if (current[1] && classify_word(current[1]) & virgin[1]) return 1; - if (current[2] && classify_word(current[2]) & virgin[2]) return 1; - if (current[3] && classify_word(current[3]) & virgin[3]) return 1; + if (unlikely(current[0] && classify_word(current[0]) & virgin[0])) return (u32)(¤t[1] - save); + if (unlikely(current[1] && classify_word(current[1]) & virgin[1])) return (u32)(¤t[2] - save); + if (unlikely(current[2] && classify_word(current[2]) & virgin[2])) return (u32)(¤t[3] - save); + if (unlikely(current[3] && classify_word(current[3]) & virgin[3])) return (u32)(¤t[4] - save); } 
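Review bot: in every `skim` variant of coverage-32.h and coverage-64.h the new return value is the pointer difference between the element after the match and `save`, i.e. a count of `u32`/`u64` elements, but `classify_counts_off` treats it as a byte offset (`u64 *mem = (u64 *)(fsrv->trace_bits + off); u32 i = ((fsrv->map_size - off) >> 3);`), so classification starts at a byte address that is not a multiple of the word size, yielding a misaligned `u64 *` and bucketing across word boundaries. The index is also one past the matching word, so the word that actually carries the new bits is never classified. Keep the "one past" return so that a hit in word 0 stays nonzero, and convert at the call site, e.g. `classify_counts_off(&afl->fsrv, (off - 1) * sizeof(u64))` (`sizeof(u32)` in the 32-bit header). Minor: `u64 *save = (u64*) current;` casts away `const` for no reason; `const u64 *save = current;` is enough since only a difference is taken.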
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h index bd424e21..dee5f9fc 100644 --- a/instrumentation/afl-llvm-common.h +++ b/instrumentation/afl-llvm-common.h @@ -33,17 +33,17 @@ typedef long double max_align_t; #endif #if LLVM_VERSION_MAJOR >= 11 - #define MNAME M.getSourceFileName() - #define FMNAME F.getParent()->getSourceFileName() + #define MNAME M.getSourceFileName() + #define FMNAME F.getParent()->getSourceFileName() #else - #define MNAME std::string("") - #define FMNAME std::string("") + #define MNAME std::string("") + #define FMNAME std::string("") #endif -char * getBBName(const llvm::BasicBlock *BB); -bool isIgnoreFunction(const llvm::Function *F); -void initInstrumentList(); -bool isInInstrumentList(llvm::Function *F, std::string Filename); +char *getBBName(const llvm::BasicBlock *BB); +bool isIgnoreFunction(const llvm::Function *F); +void initInstrumentList(); +bool isInInstrumentList(llvm::Function *F, std::string Filename); unsigned long long int calculateCollisions(uint32_t edges); void scanForDangerousFunctions(llvm::Module *M); diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 899734f8..5246ba08 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -631,18 +631,23 @@ bool AFLCoverage::runOnModule(Module &M) { LoadInst *PrevLoc; if (ngram_size) { + PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - PrevLocTy, + PrevLocTy, #endif - AFLPrevLoc); + AFLPrevLoc); + } else { + PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - IRB.getInt32Ty(), + IRB.getInt32Ty(), #endif - AFLPrevLoc); + AFLPrevLoc); + } + PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *PrevLocTrans; diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index a0b386d5..310f5585 100644 --- a/instrumentation/cmplog-instructions-pass.cc 
+++ b/instrumentation/cmplog-instructions-pass.cc @@ -478,27 +478,28 @@ bool CmpLogInstructions::hookInstrs(Module &M) { */ if (is_fp) { -/* - ConstantFP *i0 = dyn_cast(op0); - ConstantFP *i1 = dyn_cast(op1); - // BUG FIXME TODO: this is null ... but why? - // fprintf(stderr, "%p %p\n", i0, i1); - if (i0) { + /* + ConstantFP *i0 = dyn_cast(op0); + ConstantFP *i1 = dyn_cast(op1); + // BUG FIXME TODO: this is null ... but why? + // fprintf(stderr, "%p %p\n", i0, i1); + if (i0) { - cur_val = (uint64_t)i0->getValue().convertToDouble(); - if (last_val0 && last_val0 == cur_val) { skip = 1; } - last_val0 = cur_val; + cur_val = (uint64_t)i0->getValue().convertToDouble(); + if (last_val0 && last_val0 == cur_val) { skip = 1; } + last_val0 = cur_val; - } + } - if (i1) { + if (i1) { - cur_val = (uint64_t)i1->getValue().convertToDouble(); - if (last_val1 && last_val1 == cur_val) { skip = 1; } - last_val1 = cur_val; + cur_val = (uint64_t)i1->getValue().convertToDouble(); + if (last_val1 && last_val1 == cur_val) { skip = 1; } + last_val1 = cur_val; - } -*/ + } + + */ } else { diff --git a/src/afl-cc.c b/src/afl-cc.c index 49000877..974b1d2a 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -876,11 +876,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=leak"; cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; - cc_params[cc_par_cnt++] = "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) _exit(23); }"; + cc_params[cc_par_cnt++] = + "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) " + "_exit(23); }"; cc_params[cc_par_cnt++] = "-D__AFL_LSAN_OFF()=__lsan_disable();"; cc_params[cc_par_cnt++] = "-D__AFL_LSAN_ON()=__lsan_enable();"; - } if (getenv("AFL_USE_CFISAN")) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 8d044959..98a705a5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -250,20 +250,21 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { inline u8 has_new_bits_unclassified(afl_state_t *afl, u8 *virgin_map) { /* Handle the hot path first: no new coverage */ + u32 off; u8 *end = afl->fsrv.trace_bits + afl->fsrv.map_size; #ifdef WORD_SIZE_64 - if (!skim((u64 *)virgin_map, (u64 *)afl->fsrv.trace_bits, (u64 *)end)) + if (!(off = skim((u64 *)virgin_map, (u64 *)afl->fsrv.trace_bits, (u64 *)end))) return 0; #else - if (!skim((u32 *)virgin_map, (u32 *)afl->fsrv.trace_bits, (u32 *)end)) + if (!(off = skim((u32 *)virgin_map, (u32 *)afl->fsrv.trace_bits, (u32 *)end))) return 0; #endif /* ^WORD_SIZE_64 */ - classify_counts(&afl->fsrv); + classify_counts_off(&afl->fsrv, off); return has_new_bits(afl, virgin_map); } diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index fc8a0d55..713c7447 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -769,11 +769,7 @@ void cull_queue(afl_state_t *afl) { afl->top_rated[i]->favored = 1; ++afl->queued_favored; - if (!afl->top_rated[i]->was_fuzzed) { - - ++afl->pending_favored; - - } + if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; } } -- cgit 1.4.1 From d51ec57d91e8f4b80f8970268abdeda7e5c7c0fe Mon Sep 17 00:00:00 2001 From: 0xsanz <0xsanz@pm.com> Date: Sat, 15 Jan 2022 15:19:29 -0500 Subject: more welcome 2022 --- frida_mode/test/cmplog/cmplog.c | 2 +- qemu_mode/libcompcov/Makefile | 2 +- qemu_mode/libcompcov/compcovtest.cc | 2 +- qemu_mode/libqasan/Makefile | 2 +- qemu_mode/libqasan/hooks.c | 2 +- qemu_mode/libqasan/libqasan.c | 2 +- qemu_mode/libqasan/libqasan.h | 2 +- qemu_mode/libqasan/malloc.c | 2 +- qemu_mode/libqasan/patch.c | 2 +- qemu_mode/libqasan/string.c | 2 +- qemu_mode/libqasan/uninstrument.c | 2 +- qemu_mode/unsigaction/Makefile | 2 +- utils/argv_fuzzing/Makefile | 2 +- utils/argv_fuzzing/argvfuzz.c | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) 
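Review bot: in the afl-fuzz-bitmap.c hunk, `classify_counts_off(&afl->fsrv, off)` leaves every word before `off` holding raw hit counts, yet `has_new_bits` still walks the whole map. A raw count such as 3 (bits 0 and 1 set) can intersect set bits of `virgin_map` even though its classified bucket was already seen, so `discover_word` reports spurious new coverage and clears virgin bits for buckets that were never observed, corrupting the virgin map for the rest of the campaign. Either keep the full `classify_counts(&afl->fsrv)` after the `skim` early-out (the early-out already gives the hot-path win) or make `has_new_bits` start at the same offset and document that the saved trace is partially classified. Independently, `off` must use the same unit in `skim` and `classify_counts_off` (element index vs byte offset), which it currently does not.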
diff --git a/frida_mode/test/cmplog/cmplog.c b/frida_mode/test/cmplog/cmplog.c index ce5cf20e..7c047ed6 100644 --- a/frida_mode/test/cmplog/cmplog.c +++ b/frida_mode/test/cmplog/cmplog.c @@ -2,7 +2,7 @@ // // Author: Mateusz Jurczyk (mjurczyk@google.com) // -// Copyright 2019-2020 Google LLC +// Copyright 2019-2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/qemu_mode/libcompcov/Makefile b/qemu_mode/libcompcov/Makefile index c2880b99..cc591393 100644 --- a/qemu_mode/libcompcov/Makefile +++ b/qemu_mode/libcompcov/Makefile @@ -4,7 +4,7 @@ # # Written by Andrea Fioraldi # -# Copyright 2019-2020 Andrea Fioraldi. All rights reserved. +# Copyright 2019-2022 Andrea Fioraldi. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/qemu_mode/libcompcov/compcovtest.cc b/qemu_mode/libcompcov/compcovtest.cc index 3c975e15..b2d64f8d 100644 --- a/qemu_mode/libcompcov/compcovtest.cc +++ b/qemu_mode/libcompcov/compcovtest.cc @@ -2,7 +2,7 @@ // // Author: Mateusz Jurczyk (mjurczyk@google.com) // -// Copyright 2019-2020 Google LLC +// Copyright 2019-2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/qemu_mode/libqasan/Makefile b/qemu_mode/libqasan/Makefile index f91debb6..79c3ab70 100644 --- a/qemu_mode/libqasan/Makefile +++ b/qemu_mode/libqasan/Makefile @@ -4,7 +4,7 @@ # # Written by Andrea Fioraldi # -# Copyright 2019-2020 Andrea Fioraldi. All rights reserved. +# Copyright 2019-2022 Andrea Fioraldi. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/qemu_mode/libqasan/hooks.c b/qemu_mode/libqasan/hooks.c index c542521c..7f20e848 100644 --- a/qemu_mode/libqasan/hooks.c +++ b/qemu_mode/libqasan/hooks.c @@ -1,5 +1,5 @@ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/libqasan/libqasan.c b/qemu_mode/libqasan/libqasan.c index 6ea24f08..13e48c75 100644 --- a/qemu_mode/libqasan/libqasan.c +++ b/qemu_mode/libqasan/libqasan.c @@ -1,5 +1,5 @@ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/libqasan/libqasan.h b/qemu_mode/libqasan/libqasan.h index 43b7adb5..a1ed946e 100644 --- a/qemu_mode/libqasan/libqasan.h +++ b/qemu_mode/libqasan/libqasan.h @@ -1,5 +1,5 @@ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c index 5893a4e5..ad42d03b 100644 --- a/qemu_mode/libqasan/malloc.c +++ b/qemu_mode/libqasan/malloc.c @@ -1,5 +1,5 @@ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/libqasan/patch.c b/qemu_mode/libqasan/patch.c index fbc09c99..ee928ab3 100644 --- a/qemu_mode/libqasan/patch.c +++ b/qemu_mode/libqasan/patch.c 
@@ -1,5 +1,5 @@ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/libqasan/string.c b/qemu_mode/libqasan/string.c index 4be01279..4704c204 100644 --- a/qemu_mode/libqasan/string.c +++ b/qemu_mode/libqasan/string.c @@ -1,5 +1,5 @@ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/libqasan/uninstrument.c b/qemu_mode/libqasan/uninstrument.c index 5bf841a3..1686a015 100644 --- a/qemu_mode/libqasan/uninstrument.c +++ b/qemu_mode/libqasan/uninstrument.c @@ -7,7 +7,7 @@ for some strange reason. */ /******************************************************************************* -Copyright (c) 2019-2020, Andrea Fioraldi +Copyright (c) 2019-2022, Andrea Fioraldi Redistribution and use in source and binary forms, with or without diff --git a/qemu_mode/unsigaction/Makefile b/qemu_mode/unsigaction/Makefile index c5d2de31..eabe6c77 100644 --- a/qemu_mode/unsigaction/Makefile +++ b/qemu_mode/unsigaction/Makefile @@ -4,7 +4,7 @@ # # Written by Andrea Fioraldi # -# Copyright 2019-2020 Andrea Fioraldi. All rights reserved. +# Copyright 2019-2022 Andrea Fioraldi. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 5a0ac6e6..183f6bf8 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile 
@@ -2,7 +2,7 @@ # american fuzzy lop++ - argvfuzz # -------------------------------- # -# Copyright 2019-2020 Kjell Braden +# Copyright 2019-2022 Kjell Braden # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/utils/argv_fuzzing/argvfuzz.c b/utils/argv_fuzzing/argvfuzz.c index 4251ca4c..e7cc6b72 100644 --- a/utils/argv_fuzzing/argvfuzz.c +++ b/utils/argv_fuzzing/argvfuzz.c @@ -2,7 +2,7 @@ american fuzzy lop++ - LD_PRELOAD for fuzzing argv in binaries ------------------------------------------------------------ - Copyright 2019-2020 Kjell Braden + Copyright 2019-2022 Kjell Braden Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. -- cgit 1.4.1 From c8061e5b3531498df94524900bcb5e1c6cf8bb59 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 17 Jan 2022 17:16:52 +0100 Subject: fix nyx -M --- src/afl-fuzz.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1030dfdf..207a46af 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1322,7 +1322,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.nyx_mode) { if (afl->fsrv.nyx_standalone && - strncmp(afl->sync_id, "default", strlen("default")) != 0) { + strcmp(afl->sync_id, "default") != 0) { FATAL( "distributed fuzzing is not supported in this Nyx mode (use -Y " @@ -1334,7 +1334,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->is_main_node) { - if (strncmp("0", afl->sync_id, strlen("0") != 0)) { + if (strcmp("0", afl->sync_id) != 0) { FATAL( "for Nyx -Y mode, the Main (-M) parameter has to be set to 0 (-M " -- cgit 1.4.1 From 0e2c832499d88c9040779737d33fc47f29fb2357 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Mon, 17 Jan 2022 19:35:49 +0100 Subject: fix laf transform for strcmp like functions --- instrumentation/compare-transform-pass.so.cc | 54 +++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 9 deletions(-) diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index 3f6a6763..c3a4ee34 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc 
@@ -383,17 +383,56 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, bool isMemcmp = false; bool isSizedcmp = false; bool isCaseInsensitive = false; + bool needs_null = false; Function * Callee = callInst->getCalledFunction(); if (Callee) { - isMemcmp = Callee->getName().compare("memcmp") == 0; - isSizedcmp = isMemcmp || Callee->getName().compare("strncmp") == 0 || - Callee->getName().compare("strncasecmp") == 0; - isCaseInsensitive = Callee->getName().compare("strcasecmp") == 0 || - Callee->getName().compare("strncasecmp") == 0; + if (!Callee->getName().compare("memcmp") || + !Callee->getName().compare("bcmp") || + !Callee->getName().compare("CRYPTO_memcmp") || + !Callee->getName().compare("OPENSSL_memcmp") || + !Callee->getName().compare("memcmp_const_time") || + !Callee->getName().compare("memcmpct") || + !Callee->getName().compare("llvm.memcpy.p0i8.p0i8.i64")) + isMemcmp = true; + + if (isMemcmp || !Callee->getName().compare("strncmp") || + !Callee->getName().compare("xmlStrncmp") || + !Callee->getName().compare("curl_strnequal") || + !Callee->getName().compare("strncasecmp") || + !Callee->getName().compare("strnicmp") || + !Callee->getName().compare("ap_cstr_casecmpn") || + !Callee->getName().compare("OPENSSL_strncasecmp") || + !Callee->getName().compare("xmlStrncasecmp") || + !Callee->getName().compare("g_ascii_strncasecmp") || + !Callee->getName().compare("Curl_strncasecompare") || + !Callee->getName().compare("g_strncasecmp")) + isSizedcmp = true; + + if (!Callee->getName().compare("strcasecmp") || + !Callee->getName().compare("stricmp") || + !Callee->getName().compare("ap_cstr_casecmp") || + !Callee->getName().compare("OPENSSL_strcasecmp") || + !Callee->getName().compare("xmlStrcasecmp") || + !Callee->getName().compare("g_strcasecmp") || + !Callee->getName().compare("g_ascii_strcasecmp") || + !Callee->getName().compare("Curl_strcasecompare") || + !Callee->getName().compare("Curl_safe_strcasecompare") || + 
!Callee->getName().compare("cmsstrcasecmp") || + !Callee->getName().compare("strncasecmp") || + !Callee->getName().compare("strnicmp") || + !Callee->getName().compare("ap_cstr_casecmpn") || + !Callee->getName().compare("OPENSSL_strncasecmp") || + !Callee->getName().compare("xmlStrncasecmp") || + !Callee->getName().compare("g_ascii_strncasecmp") || + !Callee->getName().compare("Curl_strncasecompare") || + !Callee->getName().compare("g_strncasecmp")) + isCaseInsensitive = true; } + if (!isSizedcmp) needs_null = true; + Value *sizedValue = isSizedcmp ? callInst->getArgOperand(2) : NULL; bool isConstSized = sizedValue && isa(sizedValue); @@ -447,17 +486,14 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, // the following is in general OK, but strncmp is sometimes used in binary // data structures and this can result in crashes :( so it is commented out - /* // add null termination character implicit in c strings - if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1]) { + if (needs_null && TmpConstStr[TmpConstStr.length() - 1] != 0) { TmpConstStr.append("\0", 1); } - */ - // in the unusual case the const str has embedded null // characters, the string comparison functions should terminate // at the first null -- cgit 1.4.1 From c5117b42cab9f47448a7f3cfe3edae6708d32528 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 17 Jan 2022 20:15:27 +0100 Subject: fix iselect instrumentation --- instrumentation/SanitizerCoverageLTO.so.cc | 3 +-- instrumentation/SanitizerCoveragePCGUARD.so.cc | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 597a24b1..6a4a071f 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
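Review bot: in the first compare-transform-pass.so.cc hunk, `llvm.memcpy.p0i8.p0i8.i64` in the `isMemcmp` list is the memcpy intrinsic, not a comparison; if the intent is to treat a copy of a constant as a compare site it needs a comment explaining that, otherwise drop it. Note also that this typed-pointer spelling will not match the opaque-pointer form `llvm.memcpy.p0.p0.i64` used by newer LLVM, so the entry is brittle either way.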
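Review bot: in the second compare-transform-pass.so.cc hunk the comment kept above the re-enabled block ("... so it is commented out") is now stale; it should say that the terminator is appended only for unsized compares (`needs_null`) because `strncmp` is sometimes used on binary data. `TmpConstStr[TmpConstStr.length() - 1]` also indexes out of range when the constant string is empty, so guard it with `!TmpConstStr.empty()`. Style: `if (!isSizedcmp) needs_null = true;` reads more directly as `needs_null = !isSizedcmp;`.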
@@ -1275,7 +1275,7 @@ void ModuleSanitizerCoverage::instrumentFunction( const DominatorTree * DT = DTCallback(F); const PostDominatorTree *PDT = PDTCallback(F); bool IsLeafFunc = true; - uint32_t skip_next = 0, local_selects = 0; + uint32_t skip_next = 0; for (auto &BB : F) { @@ -1385,7 +1385,6 @@ void ModuleSanitizerCoverage::instrumentFunction( } - local_selects++; uint32_t vector_cur = 0; /* Load SHM pointer */ LoadInst *MapPtr = diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index c422d858..e4ffeb50 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -1054,7 +1054,6 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - local_selects++; uint32_t vector_cur = 0; /* Load SHM pointer */ -- cgit 1.4.1 From 861bd5e04b5030b3fc345c1022c46e92eb52a312 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 17 Jan 2022 20:31:08 +0100 Subject: update macos path info --- docs/INSTALL.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 2c1eaeb9..3c96a4fd 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -96,11 +96,16 @@ brew install wget git make cmake llvm gdb coreutils ``` Be sure to setup `PATH` to point to the correct clang binaries and use the -freshly installed clang, clang++, gmake and coreutils, e.g.: +freshly installed clang, clang++, llvm-config, gmake and coreutils, e.g.: ```shell -export -PATH="/usr/local/Cellar/llvm/13.0.0_2/bin/:/usr/local/opt/coreutils/libexec/gnubin:/usr/local/bin:$PATH" +# Depending on your MacOS system + brew version it is either +export PATH="/opt/homebrew/opt/llvm/bin:$PATH" +# or +export PATH="/usr/local/opt/llvm/bin:$PATH" +# you can check with "brew info llvm" + +export PATH="/usr/local/opt/coreutils/libexec/gnubin:/usr/local/bin:$PATH" export CC=clang export CXX=clang++ gmake -- cgit 1.4.1 
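Review bot: the SanitizerCoveragePCGUARD.so.cc hunk removes only the `local_selects++;` line, whereas the LTO hunk also drops the variable from `uint32_t skip_next = 0, local_selects = 0;`; if PCGUARD declares `local_selects` the same way it is now set but never read and will raise an unused-variable warning, so remove that declaration as well.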
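Review bot: in the INSTALL.md hunk the llvm `PATH` line is given for both Homebrew prefixes (`/opt/homebrew/opt/llvm/bin` and `/usr/local/opt/llvm/bin`), but the coreutils line still hardcodes `/usr/local/opt/coreutils/libexec/gnubin`, which does not exist on an Apple Silicon install where Homebrew lives under `/opt/homebrew`. `export PATH="$(brew --prefix llvm)/bin:$(brew --prefix coreutils)/libexec/gnubin:$PATH"` works for both layouts and removes the "check with brew info" step. Also "MacOS" should be spelled "macOS".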
From 56ce081ac7a247b64e0ed77c0353d11fd279dc9f Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Tue, 18 Jan 2022 18:53:18 +0000 Subject: afl-untracer, disable ASLR on FreeBSD. --- utils/afl_untracer/afl-untracer.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c index d2cb4bcf..fd4c3b8c 100644 --- a/utils/afl_untracer/afl-untracer.c +++ b/utils/afl_untracer/afl-untracer.c @@ -65,6 +65,7 @@ #elif defined(__FreeBSD__) #include #include + #include #else #error "Unsupported platform" #endif @@ -685,6 +686,9 @@ int main(int argc, char *argv[]) { #if defined(__linux__) (void)personality(ADDR_NO_RANDOMIZE); // disable ASLR +#elif defined(__FreeBSD__) && __FreeBSD_version >= 1200000 + int no_randomize = PROC_ASLR_FORCE_DISABLE; + (void)procctl(P_PID, 0, PROC_ASLR_CTL, &no_randomize); #endif pid = getpid(); -- cgit 1.4.1 From 1e5699ccaabe627380b5c868dd93bc420aeb0af3 Mon Sep 17 00:00:00 2001 From: Hardik Shah Date: Wed, 19 Jan 2022 19:36:29 +0530 Subject: Update tutorials.md --- docs/tutorials.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/tutorials.md b/docs/tutorials.md index 0a44602d..81f0ea6a 100644 --- a/docs/tutorials.md +++ b/docs/tutorials.md 
@@ -28,4 +28,13 @@ structure is), these links have you covered: * Superion for AFL++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) -If you find other good ones, please send them to us :-) \ No newline at end of file +# Video Tutorials +* [How Fuzzing with AFL works!](https://www.youtube.com/watch?v=COHUWuLTbdk) +* [WOOT '20 - AFL++ : Combining Incremental Steps of Fuzzing Research](https://www.youtube.com/watch?v=cZidm6I7KWU) +* [[Fuzzing with AFLplusplus] Installing AFLPlusplus and fuzzing a simple C program](https://www.youtube.com/watch?v=9wRVo0kYSlc) +* [[Fuzzing with AFLplusplus] How to fuzz a binary with no source code on Linux in persistent mode](https://www.youtube.com/watch?v=LGPJdEO02p4) +* [Blackbox Fuzzing #1: Start Binary-Only Fuzzing using AFL++ QEMU mode](https://www.youtube.com/watch?v=sjLFf9q2NRc) +* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) +* [HOPE 2020 (2020): Hunting Bugs in Your Sleep - How to Fuzz (Almost) Anything With AFL/AFL++](https://www.youtube.com/watch?v=A8ex1hqaQ7E) + +If you find other good ones, please send them to us :-) -- cgit 1.4.1 From a3cf7c1224da802d1bfbea95883a91dadb1551f0 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 19 Jan 2022 15:22:03 +0100 Subject: change video order --- docs/tutorials.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/tutorials.md b/docs/tutorials.md index 81f0ea6a..9d4f50eb 100644 --- a/docs/tutorials.md +++ b/docs/tutorials.md 
@@ -29,12 +29,12 @@ structure is), these links have you covered: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) # Video Tutorials -* [How Fuzzing with AFL works!](https://www.youtube.com/watch?v=COHUWuLTbdk) -* [WOOT '20 - AFL++ : Combining Incremental Steps of Fuzzing Research](https://www.youtube.com/watch?v=cZidm6I7KWU) +* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) * [[Fuzzing with AFLplusplus] Installing AFLPlusplus and fuzzing a simple C program](https://www.youtube.com/watch?v=9wRVo0kYSlc) * [[Fuzzing with AFLplusplus] How to fuzz a binary with no source code on Linux in persistent mode](https://www.youtube.com/watch?v=LGPJdEO02p4) * [Blackbox Fuzzing #1: Start Binary-Only Fuzzing using AFL++ QEMU mode](https://www.youtube.com/watch?v=sjLFf9q2NRc) -* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) * [HOPE 2020 (2020): Hunting Bugs in Your Sleep - How to Fuzz (Almost) Anything With AFL/AFL++](https://www.youtube.com/watch?v=A8ex1hqaQ7E) +* [How Fuzzing with AFL works!](https://www.youtube.com/watch?v=COHUWuLTbdk) +* [WOOT '20 - AFL++ : Combining Incremental Steps of Fuzzing Research](https://www.youtube.com/watch?v=cZidm6I7KWU) If you find other good ones, please send them to us :-) -- cgit 1.4.1 From 5b06078a41a7e312fbec5a63ef7753f76bcde8f1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 19 Jan 2022 18:22:27 +0000 Subject: Changes to support variations in the mapsize --- frida_mode/GNUmakefile | 2 +- frida_mode/src/instrument/instrument.c | 6 ------ frida_mode/src/instrument/instrument_x64.c | 6 ++++-- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 254c82db..010c12d9 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile 
@@ -259,7 +259,7 @@ endif ############################## AFL ############################################# -$(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) +$(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) $(ROOT)include/config.h $(TARGET_CC) \ $(CFLAGS) \ $(AFL_CFLAGS) \ diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 46ed1a34..418b35e8 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -318,12 +318,6 @@ void instrument_init(void) { if (instrument_unique) { instrument_tracing = TRUE; } - if (__afl_map_size != 0x10000) { - - FATAL("Bad map size: 0x%08x", __afl_map_size); - - } - transformer = gum_stalker_transformer_make_from_callback( instrument_basic_block, NULL, NULL); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 0ea4f7f0..217c8c9b 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -216,6 +216,8 @@ static gboolean instrument_coverage_find_low(const GumRangeDetails *details, static GumAddress last_limit = (64ULL << 10); gpointer * address = (gpointer *)user_data; + last_limit = GUM_ALIGN_SIZE (last_limit, __afl_map_size); + if ((details->range->base_address - last_limit) > __afl_map_size) { *address = GSIZE_TO_POINTER(last_limit); @@ -235,7 +237,7 @@ static gboolean instrument_coverage_find_low(const GumRangeDetails *details, * current block ID. */ last_limit = GUM_ALIGN_SIZE( - details->range->base_address + details->range->size, (64ULL << 10)); + details->range->base_address + details->range->size, __afl_map_size); return TRUE; } 
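Review bot: dropping the `__afl_map_size != 0x10000` FATAL in instrument_init() lifts the 64 KiB restriction for every architecture, but only instrument_x64.c is updated in this change to align on `__afl_map_size`; the other instrument_*.c backends should be checked for the same hard-coded assumption before the guard is removed. Also note that `GUM_ALIGN_SIZE(last_limit, __afl_map_size)` replaces a power-of-two constant, `(64ULL << 10)`, with a runtime value; if GUM_ALIGN_SIZE is the usual mask-style alignment (add size-1, clear the low bits) it only works for power-of-two sizes, so either round `__afl_map_size` up to the next power of two where it is read or assert that property there.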
@@ -326,7 +328,7 @@ void instrument_coverage_optimize_init(void) { FVERBOSE("Low address: %p", low_address); if (low_address == 0 || - GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) { + GPOINTER_TO_SIZE(low_address) > ((2UL << 30) - __afl_map_size)) { FATAL("Invalid low_address: %p", low_address); -- cgit 1.4.1 From d9fefafae771c02f0071d953d4871204cefd1af5 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 19 Jan 2022 22:10:29 +0100 Subject: move to unicorn2 --- docs/Changelog.md | 5 ++++- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- unicorn_mode/update_uc_ref.sh | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 6ab1794c..fe2ce06d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -47,7 +47,7 @@ sending a mail to . - fix bug where targets are not killed on timeouts - moved hidden afl-showmap -A option to -H to be used for coresight_mode - - Prevent accidently killing non-afl/fuzz services when aborting + - Prevent accidentaly killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: - new cmplog mode (incompatible with older afl++ versions) @@ -101,6 +101,9 @@ sending a mail to . - less coverage collision - feature parity of aarch64 with intel now (persistent, cmplog, in-memory testcases, asan) + - unicorn_mode: + - Moved to unicorn2! By Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), riscv support - afl-cmin and afl-showmap -i do now descend into subdirectories (like afl-fuzz does) - note that afl-cmin.bash does not! - afl_analyze: diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index dbe3999f..7d435717 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -9df92d6868e8b219886e4b7458e5e134c48ff2c9 +6c7392fb5a607c0ad53b3082fa6cbfae9720306a 
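Review bot: the instrument_coverage_optimize_init() hunk raises the low_address bound from `(2UL << 20)` (2 MiB) to `(2UL << 30)` (2 GiB), which is a different constraint from the map-size handling the commit message ("Changes to support variations in the mapsize") describes; the reason for the new bound belongs in a comment next to the FATAL or in the commit message.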
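Review bot: the docs/Changelog.md hunk replaces "accidently" with "accidentaly", which is still misspelled; the word is "accidentally".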
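Review bot: unicorn_mode/update_uc_ref.sh now runs `git checkout main`, but the unchanged context line two above still runs `git fetch origin uc1`; fetch the branch that is checked out (`git fetch origin main 1>/dev/null || exit 1`) so a stale or fresh submodule clone does not fail the checkout or land on an outdated `main`.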
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 9df92d68..6c7392fb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 +Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a diff --git a/unicorn_mode/update_uc_ref.sh b/unicorn_mode/update_uc_ref.sh index 6e809a7b..85c4c7ef 100755 --- a/unicorn_mode/update_uc_ref.sh +++ b/unicorn_mode/update_uc_ref.sh @@ -24,7 +24,7 @@ cd ./unicornafl || exit 1 git fetch origin uc1 1>/dev/null || exit 1 git stash 1>/dev/null 2>/dev/null git stash drop 1>/dev/null 2>/dev/null -git checkout uc1 +git checkout main if [ -z "$NEW_VERSION" ]; then # No version provided, take HEAD. -- cgit 1.4.1 From 409a6517c1e60e91b6d6154496b5f77fdce2186a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 19 Jan 2022 22:12:14 +0100 Subject: update changelog --- docs/Changelog.md | 1 + unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index fe2ce06d..9c0a6be5 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,7 @@ sending a mail to . This might need changing custom scripting! - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! + - unicorn_mode got upgraded to Unicorn 2! More speed! - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6c7392fb..9df92d68 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a +Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 -- cgit 1.4.1 From 4bcb177f62695da4f76f3e74393c8018d52f8a7c Mon Sep 17 00:00:00 2001 
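Review bot: the "update changelog" commit also moves `unicorn_mode/unicornafl` from 6c7392fb back to 9df92d68, the pre-unicorn2 pointer the preceding "move to unicorn2" commit had just replaced, while `UNICORNAFL_VERSION` still says 6c7392fb; this looks like an unintended submodule hunk picked up from a stale checkout. Drop the submodule hunk from this change and keep `UNICORNAFL_VERSION` and the submodule commit in sync.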
From: vanhauser-thc Date: Wed, 19 Jan 2022 22:17:36 +0100 Subject: Revert "fix classify counts" This reverts commit 4217a6606c92f6a88ab577ae8f91823dd731562d. --- include/afl-fuzz.h | 1 - include/coverage-32.h | 33 ++++--------------- include/coverage-64.h | 51 +++++++---------------------- instrumentation/afl-llvm-common.h | 16 ++++----- instrumentation/afl-llvm-pass.so.cc | 13 +++----- instrumentation/cmplog-instructions-pass.cc | 33 +++++++++---------- src/afl-cc.c | 5 ++- src/afl-fuzz-bitmap.c | 7 ++-- src/afl-fuzz-queue.c | 6 +++- 9 files changed, 57 insertions(+), 108 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1340d9ef..e225211f 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1046,7 +1046,6 @@ u32 count_bytes(afl_state_t *, u8 *); u32 count_non_255_bytes(afl_state_t *, u8 *); void simplify_trace(afl_state_t *, u8 *); void classify_counts(afl_forkserver_t *); -void classify_counts_off(afl_forkserver_t *, u32); #ifdef WORD_SIZE_64 void discover_word(u8 *ret, u64 *current, u64 *virgin); #else diff --git a/include/coverage-32.h b/include/coverage-32.h index d213db12..ca36c29f 100644 --- a/include/coverage-32.h +++ b/include/coverage-32.h @@ -62,23 +62,6 @@ inline void classify_counts(afl_forkserver_t *fsrv) { } -inline void classify_counts_off(afl_forkserver_t *fsrv, u32 off) { - - u32 *mem = (u32 *)(fsrv->trace_bits + off); - u32 i = ((fsrv->map_size - off) >> 2); - - while (i--) { - - /* Optimize for sparse bitmaps. */ - - if (unlikely(*mem)) { *mem = classify_word(*mem); } - - mem++; - - } - -} - /* Updates the virgin bits, then reflects whether a new count or a new tuple is * seen in ret. */ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { 
@@ -87,7 +70,7 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { that have not been already cleared from the virgin map - since this will almost always be the case. */ - if (unlikely(*current & *virgin)) { + if (*current & *virgin) { if (likely(*ret < 2)) { @@ -97,8 +80,8 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { /* Looks like we have not found any new bytes yet; see if any non-zero bytes in current[] are pristine in virgin[]. */ - if (unlikely((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff))) + if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) *ret = 2; else *ret = 1; @@ -114,14 +97,12 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { #define PACK_SIZE 16 inline u32 skim(const u32 *virgin, const u32 *current, const u32 *current_end) { - u32 *save = (u32*) current; - for (; current < current_end; virgin += 4, current += 4) { - if (unlikely(current[0] && classify_word(current[0]) & virgin[0])) return (u32)(¤t[1] - save); - if (unlikely(current[1] && classify_word(current[1]) & virgin[1])) return (u32)(¤t[2] - save); - if (unlikely(current[2] && classify_word(current[2]) & virgin[2])) return (u32)(¤t[3] - save); - if (unlikely(current[3] && classify_word(current[3]) & virgin[3])) return (u32)(¤t[4] - save); + if (current[0] && classify_word(current[0]) & virgin[0]) return 1; + if (current[1] && classify_word(current[1]) & virgin[1]) return 1; + if (current[2] && classify_word(current[2]) & virgin[2]) return 1; + if (current[3] && classify_word(current[3]) & virgin[3]) return 1; } diff --git a/include/coverage-64.h b/include/coverage-64.h index ab29506c..54fe9d33 100644 --- a/include/coverage-64.h +++ b/include/coverage-64.h 
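Review bot: the reverted skim() in coverage-32.h returned `(u32)(&current[1] - save)` (shown on this page as `¤t[1]` because the entity decoding mangled `&current`), i.e. the element index one past the word that has new bits, and the same `[x + 1]` pattern is in the coverage-64.h variants below; any classify pass starting at that index skips the very word skim just found, so it is never rewritten with classify_word() before has_new_bits() runs. Returning the index of the matching word (`&current[0] - save`, `&current[x] - save`) is what the offset optimization would have needed; going back to the plain `return 1` is the right call until that is fixed.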
@@ -72,23 +72,6 @@ inline void classify_counts(afl_forkserver_t *fsrv) { } -inline void classify_counts_off(afl_forkserver_t *fsrv, u32 off) { - - u64 *mem = (u64 *)(fsrv->trace_bits + off); - u32 i = ((fsrv->map_size - off) >> 3); - - while (i--) { - - /* Optimize for sparse bitmaps. */ - - if (unlikely(*mem)) { *mem = classify_word(*mem); } - - mem++; - - } - -} - /* Updates the virgin bits, then reflects whether a new count or a new tuple is * seen in ret. */ inline void discover_word(u8 *ret, u64 *current, u64 *virgin) { @@ -127,20 +110,17 @@ inline void discover_word(u8 *ret, u64 *current, u64 *virgin) { #define PACK_SIZE 64 inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { - u64 *save = (u64*) current; - for (; current != current_end; virgin += 8, current += 8) { __m512i value = *(__m512i *)current; __mmask8 mask = _mm512_testn_epi64_mask(value, value); /* All bytes are zero. */ - if (likely(mask == 0xff)) continue; + if (mask == 0xff) continue; /* Look for nonzero bytes and check for new bits. */ - #define UNROLL(x) \ - if (unlikely(!(mask & (1 << x)) && classify_word(current[x]) & virgin[x])) \ - return (u32)(¤t[x + 1] - save) + #define UNROLL(x) \ + if (!(mask & (1 << x)) && classify_word(current[x]) & virgin[x]) return 1 UNROLL(0); UNROLL(1); UNROLL(2); @@ -163,7 +143,6 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { #define PACK_SIZE 32 inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { - u64 *save = (u64*) current; __m256i zeroes = _mm256_setzero_si256(); for (; current < current_end; virgin += 4, current += 4) { 
@@ -173,17 +152,13 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { u32 mask = _mm256_movemask_epi8(cmp); /* All bytes are zero. */ - if (likely(mask == (u32)-1)) continue; + if (mask == (u32)-1) continue; /* Look for nonzero bytes and check for new bits. */ - if (unlikely(!(mask & 0xff) && classify_word(current[0]) & virgin[0])) - return (u32)(¤t[1] - save); - if (unlikely(!(mask & 0xff00) && classify_word(current[1]) & virgin[1])) - return (u32)(¤t[2] - save); - if (unlikely(!(mask & 0xff0000) && classify_word(current[2]) & virgin[2])) - return (u32)(¤t[3] - save); - if (unlikely(!(mask & 0xff000000) && classify_word(current[3]) & virgin[3])) - return (u32)(¤t[4] - save); + if (!(mask & 0xff) && classify_word(current[0]) & virgin[0]) return 1; + if (!(mask & 0xff00) && classify_word(current[1]) & virgin[1]) return 1; + if (!(mask & 0xff0000) && classify_word(current[2]) & virgin[2]) return 1; + if (!(mask & 0xff000000) && classify_word(current[3]) & virgin[3]) return 1; } @@ -197,14 +172,12 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { #define PACK_SIZE 32 inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { - u64 *save = (u64*) current; - for (; current < current_end; virgin += 4, current += 4) { - if (unlikely(current[0] && classify_word(current[0]) & virgin[0])) return (u32)(¤t[1] - save); - if (unlikely(current[1] && classify_word(current[1]) & virgin[1])) return (u32)(¤t[2] - save); - if (unlikely(current[2] && classify_word(current[2]) & virgin[2])) return (u32)(¤t[3] - save); - if (unlikely(current[3] && classify_word(current[3]) & virgin[3])) return (u32)(¤t[4] - save); + if (current[0] && classify_word(current[0]) & virgin[0]) return 1; + if (current[1] && classify_word(current[1]) & virgin[1]) return 1; + if (current[2] && classify_word(current[2]) & virgin[2]) return 1; + if (current[3] && classify_word(current[3]) & virgin[3]) return 1; } 
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h index dee5f9fc..bd424e21 100644 --- a/instrumentation/afl-llvm-common.h +++ b/instrumentation/afl-llvm-common.h @@ -33,17 +33,17 @@ typedef long double max_align_t; #endif #if LLVM_VERSION_MAJOR >= 11 - #define MNAME M.getSourceFileName() - #define FMNAME F.getParent()->getSourceFileName() + #define MNAME M.getSourceFileName() + #define FMNAME F.getParent()->getSourceFileName() #else - #define MNAME std::string("") - #define FMNAME std::string("") + #define MNAME std::string("") + #define FMNAME std::string("") #endif -char *getBBName(const llvm::BasicBlock *BB); -bool isIgnoreFunction(const llvm::Function *F); -void initInstrumentList(); -bool isInInstrumentList(llvm::Function *F, std::string Filename); +char * getBBName(const llvm::BasicBlock *BB); +bool isIgnoreFunction(const llvm::Function *F); +void initInstrumentList(); +bool isInInstrumentList(llvm::Function *F, std::string Filename); unsigned long long int calculateCollisions(uint32_t edges); void scanForDangerousFunctions(llvm::Module *M); diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 5246ba08..899734f8 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -631,23 +631,18 @@ bool AFLCoverage::runOnModule(Module &M) { LoadInst *PrevLoc; if (ngram_size) { - PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - PrevLocTy, + PrevLocTy, #endif - AFLPrevLoc); - + AFLPrevLoc); } else { - PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - IRB.getInt32Ty(), + IRB.getInt32Ty(), #endif - AFLPrevLoc); - + AFLPrevLoc); } - PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *PrevLocTrans; diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 310f5585..a0b386d5 100644 --- a/instrumentation/cmplog-instructions-pass.cc 
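Review bot: besides the functional part (classify_counts_off, skim, has_new_bits_unclassified), this revert also undoes hunks that are pure formatting: the column-aligned `#define MNAME`/`FMNAME` and `char * getBBName` spacing in afl-llvm-common.h, the blank lines around the `IRB.CreateLoad` calls in afl-llvm-pass.so.cc, and the indentation of the commented-out block in cmplog-instructions-pass.cc. Those will be flipped straight back by the next formatter run (as the later "nits and code format" commit in this log does), so revert only the functional hunks, or run the formatter as part of the revert so the tree stays at the formatter's style.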
+++ b/instrumentation/cmplog-instructions-pass.cc @@ -478,28 +478,27 @@ bool CmpLogInstructions::hookInstrs(Module &M) { */ if (is_fp) { - /* - ConstantFP *i0 = dyn_cast(op0); - ConstantFP *i1 = dyn_cast(op1); - // BUG FIXME TODO: this is null ... but why? - // fprintf(stderr, "%p %p\n", i0, i1); - if (i0) { - - cur_val = (uint64_t)i0->getValue().convertToDouble(); - if (last_val0 && last_val0 == cur_val) { skip = 1; } - last_val0 = cur_val; +/* + ConstantFP *i0 = dyn_cast(op0); + ConstantFP *i1 = dyn_cast(op1); + // BUG FIXME TODO: this is null ... but why? + // fprintf(stderr, "%p %p\n", i0, i1); + if (i0) { - } + cur_val = (uint64_t)i0->getValue().convertToDouble(); + if (last_val0 && last_val0 == cur_val) { skip = 1; } + last_val0 = cur_val; - if (i1) { + } - cur_val = (uint64_t)i1->getValue().convertToDouble(); - if (last_val1 && last_val1 == cur_val) { skip = 1; } - last_val1 = cur_val; + if (i1) { - } + cur_val = (uint64_t)i1->getValue().convertToDouble(); + if (last_val1 && last_val1 == cur_val) { skip = 1; } + last_val1 = cur_val; - */ + } +*/ } else { diff --git a/src/afl-cc.c b/src/afl-cc.c index 974b1d2a..49000877 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -876,12 +876,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=leak"; cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; - cc_params[cc_par_cnt++] = - "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) " - "_exit(23); }"; + cc_params[cc_par_cnt++] = "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) _exit(23); }"; cc_params[cc_par_cnt++] = "-D__AFL_LSAN_OFF()=__lsan_disable();"; cc_params[cc_par_cnt++] = "-D__AFL_LSAN_ON()=__lsan_enable();"; + } if (getenv("AFL_USE_CFISAN")) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 98a705a5..8d044959 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -250,21 +250,20 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { inline u8 has_new_bits_unclassified(afl_state_t *afl, u8 *virgin_map) { /* Handle the hot path first: no new coverage */ - u32 off; u8 *end = afl->fsrv.trace_bits + afl->fsrv.map_size; #ifdef WORD_SIZE_64 - if (!(off = skim((u64 *)virgin_map, (u64 *)afl->fsrv.trace_bits, (u64 *)end))) + if (!skim((u64 *)virgin_map, (u64 *)afl->fsrv.trace_bits, (u64 *)end)) return 0; #else - if (!(off = skim((u32 *)virgin_map, (u32 *)afl->fsrv.trace_bits, (u32 *)end))) + if (!skim((u32 *)virgin_map, (u32 *)afl->fsrv.trace_bits, (u32 *)end)) return 0; #endif /* ^WORD_SIZE_64 */ - classify_counts_off(&afl->fsrv, off); + classify_counts(&afl->fsrv); return has_new_bits(afl, virgin_map); } diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 713c7447..fc8a0d55 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -769,7 +769,11 @@ void cull_queue(afl_state_t *afl) { afl->top_rated[i]->favored = 1; ++afl->queued_favored; - if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; } + if (!afl->top_rated[i]->was_fuzzed) { + + ++afl->pending_favored; + + } } -- cgit 1.4.1 From 25c8336c0c45e44c569997627b133491cbc4d252 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 19 Jan 2022 22:23:25 +0100 Subject: tidy up unicornafl, changelog --- docs/Changelog.md | 9 ++++----- unicorn_mode/unicornafl | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 9c0a6be5..bdd6c405 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
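Review bot: the reverted `classify_counts_off(&afl->fsrv, off)` call in has_new_bits_unclassified() had a unit mismatch that justifies this revert on its own: skim() computed `off` as a u32/u64 element count (pointer difference of `current` and `save`), but classify_counts_off() used it as a byte offset (`fsrv->trace_bits + off`, then `(fsrv->map_size - off) >> 2` or `>> 3`), so the partial classification started at the wrong place and covered the wrong length. If the optimization is reintroduced, have skim() return a byte offset or multiply by `sizeof(*current)` at the call site, and keep the full `classify_counts(&afl->fsrv)` as the fallback.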
@@ -16,7 +16,10 @@ sending a mail to . This might need changing custom scripting! - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! - - unicorn_mode got upgraded to Unicorn 2! More speed! + - unicorn_mode: + - Moved to unicorn2! By Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), riscv support + - removed indirections in rust callbacks - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you @@ -74,7 +77,6 @@ sending a mail to . - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) - - removed indirections in rust callbacks for unicornafl ### Version ++3.14c (release) - afl-fuzz: @@ -102,9 +104,6 @@ sending a mail to . - less coverage collision - feature parity of aarch64 with intel now (persistent, cmplog, in-memory testcases, asan) - - unicorn_mode: - - Moved to unicorn2! By Ziqiao Kong (@lazymio) - - Faster, more accurate emulation (newer QEMU base), riscv support - afl-cmin and afl-showmap -i do now descend into subdirectories (like afl-fuzz does) - note that afl-cmin.bash does not! - afl_analyze: diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 9df92d68..6c7392fb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 +Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a -- cgit 1.4.1 From 550ba4d77294e61597a5259d00769c61281e0042 Mon Sep 17 00:00:00 2001 
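Review bot: the unchanged context line "if instrumented libaries are dlopen()'ed" in the docs/Changelog.md hunk has a typo (libraries); since this paragraph is being edited anyway, fix it in the same change.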
From: vanhauser-thc Date: Wed, 19 Jan 2022 22:26:52 +0100 Subject: nits and code format --- frida_mode/src/instrument/instrument_x64.c | 2 +- include/coverage-32.h | 14 ++++++------ include/coverage-64.h | 29 ++++++++++++++----------- instrumentation/afl-llvm-common.h | 16 +++++++------- instrumentation/afl-llvm-pass.so.cc | 13 ++++++++---- instrumentation/cmplog-instructions-pass.cc | 33 +++++++++++++++-------------- src/afl-cc.c | 5 +++-- src/afl-fuzz-queue.c | 6 +----- src/afl-fuzz.c | 3 +-- unicorn_mode/unicornafl | 2 +- 10 files changed, 65 insertions(+), 58 deletions(-) diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 217c8c9b..fb84d6d2 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -216,7 +216,7 @@ static gboolean instrument_coverage_find_low(const GumRangeDetails *details, static GumAddress last_limit = (64ULL << 10); gpointer * address = (gpointer *)user_data; - last_limit = GUM_ALIGN_SIZE (last_limit, __afl_map_size); + last_limit = GUM_ALIGN_SIZE(last_limit, __afl_map_size); if ((details->range->base_address - last_limit) > __afl_map_size) { diff --git a/include/coverage-32.h b/include/coverage-32.h index ca36c29f..89c08cdf 100644 --- a/include/coverage-32.h +++ b/include/coverage-32.h @@ -70,7 +70,7 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { that have not been already cleared from the virgin map - since this will almost always be the case. */ - if (*current & *virgin) { + if (unlikely(*current & *virgin)) { if (likely(*ret < 2)) { 
@@ -80,8 +80,8 @@ inline void discover_word(u8 *ret, u32 *current, u32 *virgin) { /* Looks like we have not found any new bytes yet; see if any non-zero bytes in current[] are pristine in virgin[]. */ - if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) + if (unlikely((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff))) *ret = 2; else *ret = 1; @@ -99,10 +99,10 @@ inline u32 skim(const u32 *virgin, const u32 *current, const u32 *current_end) { for (; current < current_end; virgin += 4, current += 4) { - if (current[0] && classify_word(current[0]) & virgin[0]) return 1; - if (current[1] && classify_word(current[1]) & virgin[1]) return 1; - if (current[2] && classify_word(current[2]) & virgin[2]) return 1; - if (current[3] && classify_word(current[3]) & virgin[3]) return 1; + if (unlikely(current[0] && classify_word(current[0]) & virgin[0])) return 1; + if (unlikely(current[1] && classify_word(current[1]) & virgin[1])) return 1; + if (unlikely(current[2] && classify_word(current[2]) & virgin[2])) return 1; + if (unlikely(current[3] && classify_word(current[3]) & virgin[3])) return 1; } diff --git a/include/coverage-64.h b/include/coverage-64.h index 54fe9d33..aab79d79 100644 --- a/include/coverage-64.h +++ b/include/coverage-64.h @@ -116,11 +116,12 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { __mmask8 mask = _mm512_testn_epi64_mask(value, value); /* All bytes are zero. */ - if (mask == 0xff) continue; + if (likely(mask == 0xff)) continue; /* Look for nonzero bytes and check for new bits. */ - #define UNROLL(x) \ - if (!(mask & (1 << x)) && classify_word(current[x]) & virgin[x]) return 1 + #define UNROLL(x) \ + if (unlikely(!(mask & (1 << x)) && classify_word(current[x]) & virgin[x])) \ + return 1 UNROLL(0); UNROLL(1); UNROLL(2); 
@@ -152,13 +153,17 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { u32 mask = _mm256_movemask_epi8(cmp); /* All bytes are zero. */ - if (mask == (u32)-1) continue; + if (likely(mask == (u32)-1)) continue; /* Look for nonzero bytes and check for new bits. */ - if (!(mask & 0xff) && classify_word(current[0]) & virgin[0]) return 1; - if (!(mask & 0xff00) && classify_word(current[1]) & virgin[1]) return 1; - if (!(mask & 0xff0000) && classify_word(current[2]) & virgin[2]) return 1; - if (!(mask & 0xff000000) && classify_word(current[3]) & virgin[3]) return 1; + if (unlikely(!(mask & 0xff) && classify_word(current[0]) & virgin[0])) + return 1; + if (unlikely(!(mask & 0xff00) && classify_word(current[1]) & virgin[1])) + return 1; + if (unlikely(!(mask & 0xff0000) && classify_word(current[2]) & virgin[2])) + return 1; + if (unlikely(!(mask & 0xff000000) && classify_word(current[3]) & virgin[3])) + return 1; } @@ -174,10 +179,10 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) { for (; current < current_end; virgin += 4, current += 4) { - if (current[0] && classify_word(current[0]) & virgin[0]) return 1; - if (current[1] && classify_word(current[1]) & virgin[1]) return 1; - if (current[2] && classify_word(current[2]) & virgin[2]) return 1; - if (current[3] && classify_word(current[3]) & virgin[3]) return 1; + if (unlikely(current[0] && classify_word(current[0]) & virgin[0])) return 1; + if (unlikely(current[1] && classify_word(current[1]) & virgin[1])) return 1; + if (unlikely(current[2] && classify_word(current[2]) & virgin[2])) return 1; + if (unlikely(current[3] && classify_word(current[3]) & virgin[3])) return 1; } diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h index bd424e21..dee5f9fc 100644 --- a/instrumentation/afl-llvm-common.h +++ b/instrumentation/afl-llvm-common.h 
@@ -33,17 +33,17 @@ typedef long double max_align_t; #endif #if LLVM_VERSION_MAJOR >= 11 - #define MNAME M.getSourceFileName() - #define FMNAME F.getParent()->getSourceFileName() + #define MNAME M.getSourceFileName() + #define FMNAME F.getParent()->getSourceFileName() #else - #define MNAME std::string("") - #define FMNAME std::string("") + #define MNAME std::string("") + #define FMNAME std::string("") #endif -char * getBBName(const llvm::BasicBlock *BB); -bool isIgnoreFunction(const llvm::Function *F); -void initInstrumentList(); -bool isInInstrumentList(llvm::Function *F, std::string Filename); +char *getBBName(const llvm::BasicBlock *BB); +bool isIgnoreFunction(const llvm::Function *F); +void initInstrumentList(); +bool isInInstrumentList(llvm::Function *F, std::string Filename); unsigned long long int calculateCollisions(uint32_t edges); void scanForDangerousFunctions(llvm::Module *M); diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 899734f8..5246ba08 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -631,18 +631,23 @@ bool AFLCoverage::runOnModule(Module &M) { LoadInst *PrevLoc; if (ngram_size) { + PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - PrevLocTy, + PrevLocTy, #endif - AFLPrevLoc); + AFLPrevLoc); + } else { + PrevLoc = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 - IRB.getInt32Ty(), + IRB.getInt32Ty(), #endif - AFLPrevLoc); + AFLPrevLoc); + } + PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *PrevLocTrans; diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index a0b386d5..310f5585 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
@@ -478,27 +478,28 @@ bool CmpLogInstructions::hookInstrs(Module &M) { */ if (is_fp) { -/* - ConstantFP *i0 = dyn_cast(op0); - ConstantFP *i1 = dyn_cast(op1); - // BUG FIXME TODO: this is null ... but why? - // fprintf(stderr, "%p %p\n", i0, i1); - if (i0) { + /* + ConstantFP *i0 = dyn_cast(op0); + ConstantFP *i1 = dyn_cast(op1); + // BUG FIXME TODO: this is null ... but why? + // fprintf(stderr, "%p %p\n", i0, i1); + if (i0) { - cur_val = (uint64_t)i0->getValue().convertToDouble(); - if (last_val0 && last_val0 == cur_val) { skip = 1; } - last_val0 = cur_val; + cur_val = (uint64_t)i0->getValue().convertToDouble(); + if (last_val0 && last_val0 == cur_val) { skip = 1; } + last_val0 = cur_val; - } + } - if (i1) { + if (i1) { - cur_val = (uint64_t)i1->getValue().convertToDouble(); - if (last_val1 && last_val1 == cur_val) { skip = 1; } - last_val1 = cur_val; + cur_val = (uint64_t)i1->getValue().convertToDouble(); + if (last_val1 && last_val1 == cur_val) { skip = 1; } + last_val1 = cur_val; - } -*/ + } + + */ } else { diff --git a/src/afl-cc.c b/src/afl-cc.c index 49000877..974b1d2a 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -876,11 +876,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=leak"; cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; - cc_params[cc_par_cnt++] = "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) _exit(23); }"; + cc_params[cc_par_cnt++] = + "-D__AFL_LEAK_CHECK()={if(__lsan_do_recoverable_leak_check() > 0) " + "_exit(23); }"; cc_params[cc_par_cnt++] = "-D__AFL_LSAN_OFF()=__lsan_disable();"; cc_params[cc_par_cnt++] = "-D__AFL_LSAN_ON()=__lsan_enable();"; - } if (getenv("AFL_USE_CFISAN")) { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index fc8a0d55..713c7447 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c 
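Review bot: the cmplog-instructions-pass.cc hunk only re-indents a block that is commented out with `/* ... */` and carries the note "BUG FIXME TODO: this is null ... but why?"; this is the second consecutive commit that reformats it without touching it functionally. Commented-out code with a known open bug should either be deleted (git history keeps it) or be wrapped in `#if 0` with the FIXME explaining why it is disabled, so formatters and reviewers stop churning on it.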
@@ -769,11 +769,7 @@ void cull_queue(afl_state_t *afl) { afl->top_rated[i]->favored = 1; ++afl->queued_favored; - if (!afl->top_rated[i]->was_fuzzed) { - - ++afl->pending_favored; - - } + if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; } } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 207a46af..1edf82f4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1321,8 +1321,7 @@ int main(int argc, char **argv_orig, char **envp) { #ifdef __linux__ if (afl->fsrv.nyx_mode) { - if (afl->fsrv.nyx_standalone && - strcmp(afl->sync_id, "default") != 0) { + if (afl->fsrv.nyx_standalone && strcmp(afl->sync_id, "default") != 0) { FATAL( "distributed fuzzing is not supported in this Nyx mode (use -Y " diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6c7392fb..9df92d68 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a +Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 -- cgit 1.4.1 From 7afad147d17a7e7bfb7fa3235187277056f2bae3 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 19 Jan 2022 22:59:36 +0100 Subject: update uc2 ref --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 7d435717..5dcaf66b 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -6c7392fb5a607c0ad53b3082fa6cbfae9720306a +566bc3dd5942a5f8779026ca80eb313d5517e778 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6c7392fb..566bc3dd 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a +Subproject commit 566bc3dd5942a5f8779026ca80eb313d5517e778 -- cgit 1.4.1 From 5deae7924f0b93c56cd5ac343cbd6d6b4c65e090 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Thu, 20 Jan 2022 12:06:15 +0100 Subject: insert android.bp outdated statement --- Android.bp | 18 +++++++++++++++--- unicorn_mode/unicornafl | 2 +- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/Android.bp b/Android.bp index bf37757d..ac1d5cb6 100644 --- a/Android.bp +++ b/Android.bp @@ -1,3 +1,11 @@ +// +// NOTE: This file is outdated. None of the AFL++ team uses Android hence +// we need users to keep this updated. +// In the current state it will likely fail, please send fixes! +// Also, this should build frida_mode. +// + + cc_defaults { name: "afl-defaults", @@ -175,7 +183,7 @@ cc_binary_host { } cc_library_static { - name: "afl-llvm-rt", + name: "afl-compiler-rt", compile_multilib: "64", vendor_available: true, host_supported: true, @@ -225,6 +233,7 @@ cc_library_headers { ], } +/* cc_prebuilt_library_static { name: "libfrida-gum", compile_multilib: "64", @@ -272,7 +281,7 @@ cc_binary { ], static_libs: [ - "afl-llvm-rt", + "afl-compiler-rt", "libfrida-gum", ], @@ -290,6 +299,7 @@ cc_binary { "utils/afl_frida/android", ], } +*/ cc_binary { name: "afl-fuzz-32", @@ -346,7 +356,7 @@ cc_binary_host { } cc_library_static { - name: "afl-llvm-rt-32", + name: "afl-compiler-rt-32", compile_multilib: "32", vendor_available: true, host_supported: true, @@ -385,6 +395,7 @@ cc_library_static { ], } +/* cc_prebuilt_library_static { name: "libfrida-gum-32", compile_multilib: "32", @@ -400,6 +411,7 @@ cc_prebuilt_library_static { "utils/afl_frida/android/arm", ], } +*/ subdirs = [ "custom_mutators", diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 566bc3dd..9df92d68 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 566bc3dd5942a5f8779026ca80eb313d5517e778 +Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 -- cgit 1.4.1 From d1de12d6175cd84357eadbf204e15b184b22ae42 Mon Sep 17 00:00:00 2001 
From: Dominik Maier Date: Thu, 20 Jan 2022 16:14:58 +0100 Subject: updated uc ref --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 5dcaf66b..8b9c9fc0 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -566bc3dd5942a5f8779026ca80eb313d5517e778 +7b0c61f25042ebed910b88da2ca42778b858b852 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 9df92d68..7b0c61f2 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 +Subproject commit 7b0c61f25042ebed910b88da2ca42778b858b852 -- cgit 1.4.1
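Review bot: in the `@@ -33,17 +33,17 @@` header hunk the reformatted prototype `bool isInInstrumentList(llvm::Function *F, std::string Filename);` still takes the filename by value while the neighbouring `bool isIgnoreFunction(const llvm::Function *F);` takes a const pointer. Since this pass is whitespace-only it is fine as is, but a follow-up that changes the parameters to `const llvm::Function *F, const std::string &Filename` would make the two declarations consistent and avoid copying a string for every function visited. The `#define MNAME` / `#define FMNAME` re-indentation is cosmetic.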
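Review bot: the `PrevLoc = IRB.CreateLoad(` / `} else {` restructuring in the afl-llvm-pass.so.cc hunk leaves the `#if LLVM_VERSION_MAJOR >= 14` conditional embedded twice inside call argument lists, once around `PrevLocTy,` and once around `IRB.getInt32Ty(),`. The two branches differ only in the loaded type, so selecting the type first (for example `Type *LoadTy = ngram_size ? PrevLocTy : IRB.getInt32Ty();`) and issuing a single `CreateLoad` would reduce the preprocessor block to one occurrence and stop the formatter from having to re-indent inside a macro-split expression on every pass. The `PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));` call correctly remains outside both branches, so the load of the previous location is excluded from sanitizer instrumentation in either case.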
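Review bot: the `@@ -478,27 +478,28 @@` hunk in cmplog-instructions-pass.cc only re-indents a `/* ... */`-commented block that still carries `// BUG FIXME TODO: this is null ... but why?`, so the floating-point constant de-duplication stays dead code. Either track the FIXME in an issue and drop the block, or fix it before re-enabling it: as written `cur_val = (uint64_t)i0->getValue().convertToDouble();` truncates the constant to an integer, so two distinct constants such as 1.25 and 1.75 both become 1 and set `skip = 1`, and `if (last_val0 && last_val0 == cur_val)` treats a previous constant of 0 as "no previous value", so a repeated 0 is never skipped. Note also that `dyn_cast(op0)` and `dyn_cast(op1)` appear here without a `<ConstantFP>` template argument and would need it to compile once uncommented.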
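Review bot: the split of the `-D__AFL_LEAK_CHECK()` literal in the afl-cc.c `@@ -876,11 +876,12 @@` hunk is behaviour-preserving because the first fragment keeps its trailing space (`"... > 0) "`) before `"_exit(23); }"`, so the concatenated macro text is unchanged. The exit status 23 that signals a detected leak is now a magic number buried inside a string; if the fuzzer side checks the same value, a shared `#define` expanded into this string with a stringizing macro would keep the two in step. Removing the blank line before `}` is cosmetic.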
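Review bot: in the first Android.bp hunk the new header comment says `Also, this should build frida_mode.` while the same commit wraps the `libfrida-gum` prebuilt, the `cc_binary` that links it and `libfrida-gum-32` in `/* ... */`, so the file now documents an intent it deliberately does not implement; the comment should say that frida support is disabled pending a maintainer. The `"afl-llvm-rt"` to `"afl-compiler-rt"` rename is also applied inside the now-commented `static_libs` list, which is harmless, but any other module in the file that still references `afl-llvm-rt` or `afl-llvm-rt-32` (none is visible in these hunks) would break the build, so grep for the old names before merging.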
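Review bot: across the `unicorn_mode/unicornafl` hunks in this series the submodule pointer drifts from the `UNICORNAFL_VERSION` pin. The first commit moves the submodule from 6c7392fb to 9df92d68 without touching UNICORNAFL_VERSION; 7afad147 then starts again from 6c7392fb (it was made on a stale base) and sets both to 566bc3dd; 5deae792, whose subject is about Android.bp, bumps the submodule back to 9df92d68 while leaving UNICORNAFL_VERSION at 566bc3dd; only d1de12d6 brings both to 7b0c61f2. Submodule bumps should land in their own commit together with the matching UNICORNAFL_VERSION change, so that whatever consumes the version file pins the same commit as the checked-out submodule, and unrelated commits such as the Android.bp note should not carry a submodule change.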