From d97c7e42584e2c1e094a7c57fa469bf3b5b46b21 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 3 Oct 2023 11:14:59 +0200 Subject: nits --- GNUmakefile.llvm | 2 +- instrumentation/afl-compiler-rt.o.c | 1 + src/afl-fuzz-stats.c | 11 ++++++----- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 65786d8b..0845ae3a 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -46,7 +46,7 @@ LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' ) LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' ) LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 ) -LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[7-9]' && echo 1 || echo 0 ) +LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[8-9]|^2[0-9]' && echo 1 || echo 0 ) LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 ) LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 ) LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 ) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 85ee9f71..c3197c8a 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -666,6 +666,7 @@ static void __afl_map_shm(void) { } if (id_str) { + // /dev/null doesn't work so we use /dev/urandom if ((__afl_dummy_fd[1] = open("/dev/urandom", O_WRONLY)) < 0) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index adf04420..81628a86 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -817,17 +817,18 @@ void show_stats_normal(afl_state_t *afl) { if (afl->fsrv.nyx_mode) { snprintf(banner + banner_pad, sizeof(banner) - banner_pad, - "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx", - afl->crash_mode ? cPIN : cYEL, fuzzer_name, - si, afl->use_banner, afl->power_name); + "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN + "[%s] - Nyx", + afl->crash_mode ? cPIN : cYEL, fuzzer_name, si, afl->use_banner, + afl->power_name); } else { #endif snprintf(banner + banner_pad, sizeof(banner) - banner_pad, "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", - afl->crash_mode ? cPIN : cYEL, fuzzer_name, - si, afl->use_banner, afl->power_name); + afl->crash_mode ? cPIN : cYEL, fuzzer_name, si, afl->use_banner, + afl->power_name); #ifdef __linux__ -- cgit 1.4.1 From 8eaa590c59e3694e1fdad0aca7bf3f809f8df727 Mon Sep 17 00:00:00 2001 From: Theodor Arsenij Date: Tue, 3 Oct 2023 13:54:19 +0300 Subject: Use sync_id instead of use_banner while building statsd metric messages --- src/afl-fuzz-statsd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-statsd.c b/src/afl-fuzz-statsd.c index e835c8ea..2e42ea9b 100644 --- a/src/afl-fuzz-statsd.c +++ b/src/afl-fuzz-statsd.c @@ -223,7 +223,7 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) { char tags[MAX_TAG_LEN * 2] = {0}; if (afl->statsd_tags_format) { - snprintf(tags, MAX_TAG_LEN * 2, afl->statsd_tags_format, afl->use_banner, + snprintf(tags, MAX_TAG_LEN * 2, afl->statsd_tags_format, afl->sync_id, VERSION); } -- cgit 1.4.1 From c622e4c5652b8a3dca8ad057d8c5c2130f735867 Mon Sep 17 00:00:00 2001 From: coco Date: Wed, 4 Oct 2023 12:29:41 -0700 Subject: Make fuzzer_stats update atomic This writes fuzzer_stats to a temp file and then atomically renames the temp file into fuzzer_stats so that any read on fuzzer_stats will always return a consistent view of the AFL state (otherwise there is a very low change of AFL's write and $tool's reads to race and yield inconsistent results). --- src/afl-fuzz-stats.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 81628a86..66e32e78 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -250,11 +250,13 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, #endif u64 cur_time = get_cur_time(); - u8 fn[PATH_MAX]; + u8 fn_tmp[PATH_MAX]; + u8 fn_final[PATH_MAX]; FILE *f; - snprintf(fn, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); - f = create_ffile(fn); + snprintf(fn_tmp, PATH_MAX, "%s/.fuzzer_stats_tmp", afl->out_dir); + snprintf(fn_final, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); + f = create_ffile(fn_tmp); /* Keep last values in case we're called from another context where exec/sec stats and such are not readily available. */ @@ -412,6 +414,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, } fclose(f); + rename(fn_tmp, fn_final); } -- cgit 1.4.1 From 48bff70cdd7fb7aa8333533e01a372205c670a4f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 6 Oct 2023 18:53:44 +0200 Subject: add AFL_NO_CFG_FUZZING to env list --- TODO.md | 1 + include/envs.h | 1 + 2 files changed, 2 insertions(+) diff --git a/TODO.md b/TODO.md index ac24fe07..12da6026 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ ## Should + - cmplog rtn sanity check on fixed length - afl-showmap -f support - afl-fuzz multicore wrapper script - add value_profile but only enable after 15 minutes without finds diff --git a/include/envs.h b/include/envs.h index 4259d6dd..734b1707 100644 --- a/include/envs.h +++ b/include/envs.h @@ -179,6 +179,7 @@ static char *afl_environment_variables[] = { "AFL_NO_COLOUR", #endif "AFL_NO_CPU_RED", + "AFL_NO_CFG_FUZZING", // afl.rs rust crate option "AFL_NO_CRASH_README", "AFL_NO_FORKSRV", "AFL_NO_UI", -- cgit 1.4.1 From af18f2c7325551e8045a6156cb5b0ed2f4841dbf Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 8 Oct 2023 09:39:10 +0200 Subject: update todos --- TODO.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/TODO.md b/TODO.md index 12da6026..aa435317 100644 --- a/TODO.md +++ b/TODO.md @@ -1,15 +1,19 @@ # TODO list for AFL++ -## Should +## Must - - cmplog rtn sanity check on fixed length + - adapt MOpt to new mutation engine + - Update afl->pending_not_fuzzed for MOpt + - cmplog rtn sanity check on fixed length? - afl-showmap -f support - afl-fuzz multicore wrapper script - - add value_profile but only enable after 15 minutes without finds + +## Should + + - add value_profile but only enable after 15 minutes without finds? - afl-crash-analysis - support persistent and deferred fork server in afl-showmap? - better autodetection of shifting runtime timeout values - - Update afl->pending_not_fuzzed for MOpt - afl-plot to support multiple plot_data - parallel builds for source-only targets - get rid of check_binary, replace with more forkserver communication @@ -28,8 +32,7 @@ QEMU mode/FRIDA mode: - non colliding instrumentation - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?) - - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as there is - persistent mode + - add AFL_QEMU_EXITPOINT (maybe multiple?) ## Ideas -- cgit 1.4.1 From 9db9cc80e39789a2b4fd11a4631576c9a0cbb0d8 Mon Sep 17 00:00:00 2001 From: toka Date: Sat, 14 Oct 2023 11:14:10 +0200 Subject: EarlyEPCallback for llvm16 --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 98c5973c..4f81ac4f 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -214,7 +214,11 @@ llvmGetPassPluginInfo() { #if LLVM_VERSION_MAJOR == 13 using OptimizationLevel = typename PassBuilder::OptimizationLevel; #endif - PB.registerOptimizerLastEPCallback( +#if LLVM_VERSION_MAJOR >= 16 + PB.registerOptimizerEarlyEPCallback( +#else + PB.registerOptimizerLastEPCallback() +#endif [](ModulePassManager &MPM, OptimizationLevel OL) { MPM.addPass(ModuleSanitizerCoverageAFL()); -- cgit 1.4.1 From 943fa7eb7385376f96073421a1a5d7811dd613ec Mon Sep 17 00:00:00 2001 From: toka Date: Sat, 14 Oct 2023 12:48:58 +0200 Subject: bracket --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 4f81ac4f..588eb950 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -217,7 +217,7 @@ llvmGetPassPluginInfo() { #if LLVM_VERSION_MAJOR >= 16 PB.registerOptimizerEarlyEPCallback( #else - PB.registerOptimizerLastEPCallback() + PB.registerOptimizerLastEPCallback( #endif [](ModulePassManager &MPM, OptimizationLevel OL) { -- cgit 1.4.1 From 92ac2c228c66d71f0a6e4f3ece3397653d0027a9 Mon Sep 17 00:00:00 2001 From: toka Date: Mon, 16 Oct 2023 16:45:30 +0200 Subject: typo --- instrumentation/afl-llvm-pass.so.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index c59324fd..052488a9 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -552,7 +552,7 @@ bool AFLCoverage::runOnModule(Module &M) { #endif { - // load the context ID of the previous function and write to to a + // load the context ID of the previous function and write to a // local variable on the stack LoadInst *PrevCtxLoad = IRB.CreateLoad( #if LLVM_VERSION_MAJOR >= 14 @@ -634,7 +634,7 @@ bool AFLCoverage::runOnModule(Module &M) { /* There is a problem with Ubuntu 18.04 and llvm 6.0 (see issue #63). The inline function successors() is not inlined and also not found at runtime - :-( As I am unable to detect Ubuntu18.04 heree, the next best thing is to + :-( As I am unable to detect Ubuntu18.04 here, the next best thing is to disable this optional optimization for LLVM 6.0.0 and Linux */ #if !(LLVM_VERSION_MAJOR == 6 && LLVM_VERSION_MINOR == 0) || !defined __linux__ // only instrument if this basic block is the destination of a previous -- cgit 1.4.1 From bfb841d01383a4801a28b007c5f7039f2f28bef9 Mon Sep 17 00:00:00 2001 From: "Christian Holler (:decoder)" Date: Fri, 20 Oct 2023 00:07:35 +0200 Subject: Use proper AFL_NYX_AUX_SIZE for nyx_aux_string --- include/forkserver.h | 1 + src/afl-forkserver.c | 12 +++++++++--- src/afl-fuzz-bitmap.c | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/include/forkserver.h b/include/forkserver.h index 5e498c56..f6230fe8 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -197,6 +197,7 @@ typedef struct afl_forkserver { u32 nyx_id; /* nyx runner id (0 -> master) */ u32 nyx_bind_cpu_id; /* nyx runner cpu id */ char *nyx_aux_string; + u32 nyx_aux_string_len; bool nyx_use_tmp_workdir; char *nyx_tmp_workdir_path; s32 nyx_log_fd; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 07f5a1a9..9b710733 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -615,8 +615,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (getenv("AFL_NYX_AUX_SIZE") != NULL) { + fsrv->nyx_aux_string_len = atoi(getenv("AFL_NYX_AUX_SIZE")); + if (fsrv->nyx_handlers->nyx_config_set_aux_buffer_size( - nyx_config, atoi(getenv("AFL_NYX_AUX_SIZE"))) != 1) { + nyx_config, fsrv->nyx_aux_string_len) != 1) { NYX_PRE_FATAL(fsrv, "Invalid AFL_NYX_AUX_SIZE value set (must be a multiple " @@ -624,6 +626,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + } else { + + fsrv->nyx_aux_string_len = 0x1000; + } if (getenv("AFL_NYX_REUSE_SNAPSHOT") != NULL) { @@ -697,8 +703,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0); fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); - fsrv->nyx_aux_string = malloc(0x1000); - memset(fsrv->nyx_aux_string, 0, 0x1000); + fsrv->nyx_aux_string = malloc(fsrv->nyx_aux_string_len); + memset(fsrv->nyx_aux_string, 0, fsrv->nyx_aux_string_len); /* dry run */ fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4); diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0429db34..d76158ce 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -866,7 +866,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string( - afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); + afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, afl->fsrv.nyx_aux_string_len); ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); close(fd); -- cgit 1.4.1 From 389c88c0f3d33974e2efb79114ee2d16b8570102 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 21 Oct 2023 15:28:34 +0200 Subject: update unicorn --- TODO.md | 2 +- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/TODO.md b/TODO.md index aa435317..9bdb2c55 100644 --- a/TODO.md +++ b/TODO.md @@ -4,7 +4,7 @@ - adapt MOpt to new mutation engine - Update afl->pending_not_fuzzed for MOpt - - cmplog rtn sanity check on fixed length? + - cmplog rtn sanity check on fixed length? + no length 1 - afl-showmap -f support - afl-fuzz multicore wrapper script diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 1c8e571f..51878a56 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -f2cede37 +f607118f diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f2cede37..f607118f 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f2cede37a75bbd4a9b9438f0277727b5d4620572 +Subproject commit f607118fc10e5225da751385075792e24133a130 -- cgit 1.4.1