From 7b40d7b9420b2e3adb7d9afa88610199718dedba Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Tue, 12 May 2020 11:12:25 +0200
Subject: new code formatting + applied

---
 .clang-format | 1 +
 examples/afl_network_proxy/afl-network-client.c | 12 +-
 examples/afl_network_proxy/afl-network-server.c | 4 +-
 examples/afl_proxy/afl-proxy.c | 2 +-
 examples/afl_untracer/afl-untracer.c | 42 +-
 gcc_plugin/afl-gcc-pass.so.cc | 10 +-
 gcc_plugin/afl-gcc-rt.o.c | 4 +-
 include/afl-as.h | 12 +-
 include/afl-fuzz.h | 88 +++--
 include/alloc-inl.h | 347 ++++++++++++------------
 include/android-ashmem.h | 42 +-
 include/config.h | 26 +-
 include/debug.h | 204 +++++++-------
 include/forkserver.h | 18 +-
 include/hash.h | 4 +-
 include/types.h | 86 +++---
 libdislocator/libdislocator.so.c | 78 +++---
 libtokencap/libtokencap.so.c | 46 ++--
 llvm_mode/LLVMInsTrim.so.cc | 20 +-
 llvm_mode/MarkNodes.cc | 4 +-
 llvm_mode/afl-llvm-common.h | 8 +-
 llvm_mode/afl-llvm-pass.so.cc | 16 +-
 llvm_mode/afl-llvm-rt.o.c | 24 +-
 llvm_mode/cmplog-instructions-pass.cc | 10 +-
 llvm_mode/cmplog-routines-pass.cc | 10 +-
 llvm_mode/compare-transform-pass.so.cc | 10 +-
 llvm_mode/split-compares-pass.so.cc | 10 +-
 llvm_mode/split-switches-pass.so.cc | 10 +-
 qbdi_mode/template.cpp | 18 +-
 qemu_mode/libcompcov/libcompcov.so.c | 4 +-
 qemu_mode/patches/afl-qemu-common.h | 24 +-
 qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +-
 qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 4 +-
 src/afl-analyze.c | 2 +-
 src/afl-as.c | 6 +-
 src/afl-common.c | 2 +-
 src/afl-fuzz-bitmap.c | 2 +-
 src/afl-fuzz-init.c | 72 ++--
 src/afl-fuzz-python.c | 74 ++--
 src/afl-fuzz.c | 12 +-
 src/afl-gotcpu.c | 56 ++--
 src/afl-sharedmem.c | 6 +-
 src/afl-showmap.c | 2 +-
 src/afl-tmin.c | 2 +-
 44 files changed, 719 insertions(+), 717 deletions(-)

diff --git a/.clang-format b/.clang-format
index bf15cdc0..478c7a84 100644
--- a/.clang-format
+++ b/.clang-format
@@ -72,6 +72,7 @@ IncludeCategories:
 Priority: 3
 IncludeIsMainRegex: '([-_](test|unittest))?$'
 IndentCaseLabels: true
+IndentPPDirectives: BeforeHash
 IndentWidth: 2
 IndentWrappedFunctionNames: false
 JavaScriptQuotes: Leave
diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c
index cf09b2ad..68bd0706 100644
--- a/examples/afl_network_proxy/afl-network-client.c
+++ b/examples/afl_network_proxy/afl-network-client.c
@@ -15,7 +15,7 @@ */
 #ifdef __ANDROID__
-#include "android-ashmem.h"
+ #include "android-ashmem.h"
 #endif
 #include "config.h"
 #include "types.h"
@@ -42,7 +42,7 @@
 #include
 #ifdef USE_DEFLATE
-#include
+ #include
 #endif
 u8 *__afl_area_ptr;
@@ -321,7 +321,7 @@ int main(int argc, char *argv[]) {
 // fprintf(stderr, "Sending testcase with len %u\n", *lenptr);
 #ifdef USE_DEFLATE
-#ifdef COMPRESS_TESTCASES
+ #ifdef COMPRESS_TESTCASES
 // we only compress the testcase if it does not fit in the TCP packet
 if (*lenptr > 1500 - 20 - 32 - 4) {
@@ -341,17 +341,17 @@ int main(int argc, char *argv[]) {
 } else {
-#endif
+ #endif
 #endif
 if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) PFATAL("sending test data failed");
 #ifdef USE_DEFLATE
-#ifdef COMPRESS_TESTCASES
+ #ifdef COMPRESS_TESTCASES
 // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr);
 }
-#endif
+ #endif
 #endif
 received = 0;
diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c
index 59064b2c..ab7874fd 100644
--- a/examples/afl_network_proxy/afl-network-server.c
+++ b/examples/afl_network_proxy/afl-network-server.c
@@ -25,7 +25,7 @@
 #define AFL_MAIN
 #ifdef __ANDROID__
-#include "android-ashmem.h"
+ #include "android-ashmem.h"
 #endif
 #include "config.h"
@@ -62,7 +62,7 @@
 #include
 #ifdef USE_DEFLATE
-#include
+ #include
 struct libdeflate_compressor * compressor;
 struct libdeflate_decompressor *decompressor;
 #endif
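Review bot: The `send()` in the -341 hunk of afl-network-client.c passes flags `0`, so if the server side closes the connection the client dies from SIGPIPE instead of reaching `PFATAL("sending test data failed")`; unless SIGPIPE is ignored elsewhere in main() (not visible here), `send(s, buf, *lenptr + 4, MSG_NOSIGNAL)` on Linux, or `signal(SIGPIPE, SIG_IGN)` during setup, turns that into the intended diagnostic. The same line also treats a short write on the stream socket as fatal; a small loop that resumes from the bytes already sent is more robust than aborting the run. The enclosing main() starts and ends outside this hunk, and the rendering has dropped the header names from the bare `#include` lines, so those cannot be reviewed here.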
diff --git a/examples/afl_proxy/afl-proxy.c b/examples/afl_proxy/afl-proxy.c index 36121e17..f2dfeac1 100644 --- a/examples/afl_proxy/afl-proxy.c +++ b/examples/afl_proxy/afl-proxy.c @@ -24,7 +24,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index af16a6bf..664e691c 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -34,7 +34,7 @@ #define _GNU_SOURCE #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -58,14 +58,14 @@ #include #if defined(__linux__) -#include + #include #elif defined(__APPLE__) && defined(__LP64__) -#include + #include #elif defined(__FreeBSD__) -#include -#include + #include + #include #else -#error "Unsupported platform" + #error "Unsupported platform" #endif #define MEMORY_MAP_DECREMENT 0x200000000000 @@ -446,15 +446,15 @@ static void __afl_end_testcase(int status) { } #ifdef __aarch64__ -#define SHADOW(addr) \ - ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x7) * 0x10000000000)) + #define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) #else -#define SHADOW(addr) \ - ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x3) * 0x10000000000)) + #define SHADOW(addr) \ + ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x3) * 0x10000000000)) #endif void setup_trap_instrumentation() { 
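Review bot: The `SHADOW(addr)` macros in the afl-untracer.c hunk use their argument unparenthesized, `(uintptr_t)addr & 0xfffffffffffffff8`, so for a pointer type wider than a byte a call such as `SHADOW(p + 1)` casts `p` alone and then adds 1 to the integer, selecting a different shadow word than `SHADOW(p + 1)` reads. Writing `(uintptr_t)(addr)` in both occurrences of each macro keeps the expression intact whatever is passed. The commit only re-indents these macros; their callers are outside the hunk.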
@@ -583,7 +583,7 @@ void setup_trap_instrumentation() { #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -#error "non x86_64/aarch64 not supported yet" + #error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -622,20 +622,20 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) -#if defined(__x86_64__) || defined(__i386__) + #if defined(__x86_64__) || defined(__i386__) ctx->uc_mcontext.gregs[REG_RIP] -= 1; addr = ctx->uc_mcontext.gregs[REG_RIP]; -#elif defined(__aarch64__) + #elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -#else -#error "Unsupported processor" -#endif + #else + #error "Unsupported processor" + #endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; #else -#error "Unsupported platform" + #error "Unsupported platform" #endif // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index 6e4e1335..e6a4a766 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -55,10 +55,10 @@ /* clear helper macros AFL types pull in, which intervene with gcc-plugin * headers from GCC-8 */ #ifdef likely -#undef likely + #undef likely #endif #ifdef unlikely -#undef unlikely + #undef unlikely #endif #include 
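Review bot: In the `sigtrap_handler` hunk the Linux branch is guarded by `#if defined(__x86_64__) || defined(__i386__)` but then adjusts `REG_RIP`, which the 32-bit glibc `ucontext` does not define (it is `REG_EIP` there), so the `__i386__` half of the condition can only yield a compile error. Since the file already stops with `#error "non x86_64/aarch64 not supported yet"` for every other target in the -583 hunk, the guard should be `#if defined(__x86_64__)` to match what is actually supported. The handler starts outside this hunk.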
@@ -295,16 +295,16 @@ static unsigned int inline_instrument(function *fun) { update_stmt(g); #if 1 -#if 0 + #if 0 tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -#else + #else g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -#endif + #endif // gimple_assign tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 0a2246e7..f41bea17 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -20,13 +20,13 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "../config.h" #include "../types.h" #ifdef USEMMAP -#include + #include #endif #include #include diff --git a/include/afl-as.h b/include/afl-as.h index a2bf1f9c..e90289d4 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -404,9 +404,9 @@ static const u8 *main_payload_32 = recognize .string. */ #ifdef __APPLE__ -#define CALL_L64(str) "call _" str "\n" + #define CALL_L64(str) "call _" str "\n" #else -#define CALL_L64(str) "call " str "@PLT\n" + #define CALL_L64(str) "call " str "@PLT\n" #endif /* ^__APPLE__ */ static const u8 *main_payload_64 = @@ -744,9 +744,9 @@ static const u8 *main_payload_64 = #ifdef __APPLE__ " .comm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY + #ifndef COVERAGE_ONLY " .comm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ + #endif /* !COVERAGE_ONLY */ " .comm __afl_fork_pid, 4\n" " .comm __afl_temp, 4\n" " .comm __afl_setup_failure, 1\n" 
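Review bot: The `#if 1` / `#if 0` pair in the `inline_instrument` hunk keeps a dead `ADDR_EXPR` variant next to the live `PLUS_EXPR` one, and both carry the same `// map_ptr2 = map_ptr + area_off` comment, so a reader cannot tell which form is intended or why. Either drop the `#if 0` branch together with the enclosing `#if 1`, or replace them with a one-line comment stating why `PLUS_EXPR` was chosen over `ADDR_EXPR`, if the alternative is worth remembering. `inline_instrument` starts and ends outside this hunk.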
@@ -754,9 +754,9 @@ static const u8 *main_payload_64 = #else " .lcomm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY + #ifndef COVERAGE_ONLY " .lcomm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ + #endif /* !COVERAGE_ONLY */ " .lcomm __afl_fork_pid, 4\n" " .lcomm __afl_temp, 4\n" " .lcomm __afl_setup_failure, 1\n" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9f306b7e..421413ca 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -31,14 +31,14 @@ #define MESSAGES_TO_STDOUT #ifndef _GNU_SOURCE -#define _GNU_SOURCE 1 + #define _GNU_SOURCE 1 #endif #ifndef _FILE_OFFSET_BITS -#define _FILE_OFFSET_BITS 64 + #define _FILE_OFFSET_BITS 64 #endif #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" @@ -76,7 +76,7 @@ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ defined(__NetBSD__) || defined(__DragonFly__) -#include + #include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ /* For systems that have sched_setaffinity; right now just Linux, but one 
@@ -84,31 +84,31 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include -#if defined(__FreeBSD__) -#include -#endif -#include -#include -#include -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include -#endif + #define HAVE_AFFINITY 1 + #if defined(__FreeBSD__) || defined(__DragonFly__) + #include + #if defined(__FreeBSD__) + #include + #endif + #include + #include + #include + #define cpu_set_t cpuset_t + #elif defined(__NetBSD__) + #include + #endif #endif /* __linux__ */ #ifdef __APPLE__ -#include + #include #endif #undef LIST_FOREACH /* clashes with FreeBSD */ #include "list.h" #ifndef SIMPLE_FILES -#define CASE_PREFIX "id:" + #define CASE_PREFIX "id:" #else -#define CASE_PREFIX "id_" + #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */ 
@@ -231,30 +231,30 @@ enum { /* Python stuff */ #ifdef USE_PYTHON -// because Python sets stuff it should not ... -#ifdef _POSIX_C_SOURCE -#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE -#undef _POSIX_C_SOURCE -#endif -#ifdef _XOPEN_SOURCE -#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE -#undef _XOPEN_SOURCE -#endif - -#include - -#ifdef _SAVE_POSIX_C_SOURCE -#ifdef _POSIX_C_SOURCE -#undef _POSIX_C_SOURCE -#endif -#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE -#endif -#ifdef _SAVE_XOPEN_SOURCE -#ifdef _XOPEN_SOURCE -#undef _XOPEN_SOURCE -#endif -#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE -#endif + // because Python sets stuff it should not ... + #ifdef _POSIX_C_SOURCE + #define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE + #undef _POSIX_C_SOURCE + #endif + #ifdef _XOPEN_SOURCE + #define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE + #undef _XOPEN_SOURCE + #endif + + #include + + #ifdef _SAVE_POSIX_C_SOURCE + #ifdef _POSIX_C_SOURCE + #undef _POSIX_C_SOURCE + #endif + #define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE + #endif + #ifdef _SAVE_XOPEN_SOURCE + #ifdef _XOPEN_SOURCE + #undef _XOPEN_SOURCE + #endif + #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE + #endif enum { diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 485446de..ca593549 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h 
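Review bot: The save/restore of `_POSIX_C_SOURCE` and `_XOPEN_SOURCE` around the bare `#include` in the USE_PYTHON hunk (its header name is lost in this rendering, presumably Python.h) does not restore the original values: a macro body is not expanded when it is defined, so `_SAVE_POSIX_C_SOURCE` holds the token `_POSIX_C_SOURCE`, and after the final `#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE` the name expands to itself, which any later `#if _POSIX_C_SOURCE >= 200809L` evaluates as 0. Only the defined-ness survives, which is probably why nothing has broken, since feature macros only matter before the first system header and Python.h has already pulled those in. If the goal is merely to silence redefinition warnings, a comment such as `// only the defined-ness is preserved, not the value (preprocessor limitation)` would stop the next reader from relying on the restored value; otherwise include Python.h before any system header instead.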
@@ -41,44 +41,44 @@ // Be careful! _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators #ifndef _WANT_ORIGINAL_AFL_ALLOC -// afl++ stuff without memory corruption checks - for speed + // afl++ stuff without memory corruption checks - for speed -/* User-facing macro to sprintf() to a dynamically allocated buffer. */ + /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) \ - ({ \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - \ - }) + #define alloc_printf(_str...) \ + ({ \ + \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + \ + }) -/* Macro to enforce allocation limits as a last-resort defense against - integer overflows. */ + /* Macro to enforce allocation limits as a last-resort defense against + integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) \ - do { \ - \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - } while (0) + #define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + } while (0) -/* Macro to check malloc() failures and the like. */ + /* Macro to check malloc() failures and the like. */ -#define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - } while (0) + #define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + } while (0) -/* Allocator increments for ck_realloc_block(). */ + /* Allocator increments for ck_realloc_block(). */ -#define ALLOC_BLK_INC 256 + #define ALLOC_BLK_INC 256 /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ 
@@ -214,104 +214,104 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -/* In non-debug mode, we just do straightforward aliasing of the above - functions to user-visible names such as ck_alloc(). */ + /* In non-debug mode, we just do straightforward aliasing of the above + functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free + #define ck_alloc DFL_ck_alloc + #define ck_alloc_nozero DFL_ck_alloc_nozero + #define ck_realloc DFL_ck_realloc + #define ck_realloc_block DFL_ck_realloc_block + #define ck_strdup DFL_ck_strdup + #define ck_memdup DFL_ck_memdup + #define ck_memdup_str DFL_ck_memdup_str + #define ck_free DFL_ck_free -#define alloc_report() + #define alloc_report() #else -// This is the original alloc-inl of stock afl - -/* User-facing macro to sprintf() to a dynamically allocated buffer. */ - -#define alloc_printf(_str...) \ - ({ \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - \ - }) - -/* Macro to enforce allocation limits as a last-resort defense against - integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) \ - do { \ - \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - } while (0) - -/* Macro to check malloc() failures and the like. */ - -#define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - } while (0) - -/* Magic tokens used to mark used / freed chunks. 
*/ - -#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ - -/* Positions of guard tokens in relation to the user-visible pointer. */ - -#define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) -#define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) -#define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) - -#define ALLOC_OFF_HEAD 8 -#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) - -/* Allocator increments for ck_realloc_block(). */ - -#define ALLOC_BLK_INC 256 - -/* Sanity-checking macros for pointers. */ - -#define CHECK_PTR(_p) \ - do { \ - \ - if (_p) { \ - \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ - \ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else \ - ABORT("Corrupted head alloc canary."); \ - \ - } \ - if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ - ABORT("Corrupted tail alloc canary."); \ - \ - } \ - \ - } while (0) - -#define CHECK_PTR_EXPR(_p) \ - ({ \ - \ - typeof(_p) _tmp = (_p); \ - CHECK_PTR(_tmp); \ - _tmp; \ - \ - }) + // This is the original alloc-inl of stock afl + + /* User-facing macro to sprintf() to a dynamically allocated buffer. */ + + #define alloc_printf(_str...) \ + ({ \ + \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + \ + }) + + /* Macro to enforce allocation limits as a last-resort defense against + integer overflows. */ + #define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + } while (0) + + /* Macro to check malloc() failures and the like. */ + + #define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + } while (0) + + /* Magic tokens used to mark used / freed chunks. 
*/ + + #define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ + #define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ + #define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ + + /* Positions of guard tokens in relation to the user-visible pointer. */ + + #define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) + #define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) + #define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) + + #define ALLOC_OFF_HEAD 8 + #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) + + /* Allocator increments for ck_realloc_block(). */ + + #define ALLOC_BLK_INC 256 + + /* Sanity-checking macros for pointers. */ + + #define CHECK_PTR(_p) \ + do { \ + \ + if (_p) { \ + \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ + \ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Corrupted head alloc canary."); \ + \ + } \ + if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ + ABORT("Corrupted tail alloc canary."); \ + \ + } \ + \ + } while (0) + + #define CHECK_PTR_EXPR(_p) \ + ({ \ + \ + typeof(_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + \ + }) /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -357,12 +357,12 @@ static inline void DFL_ck_free(void *mem) { if (!mem) return; CHECK_PTR(mem); -#ifdef DEBUG_BUILD + #ifdef DEBUG_BUILD /* Catch pointer issues sooner. */ memset(mem, 0xFF, ALLOC_S(mem)); -#endif /* DEBUG_BUILD */ + #endif /* DEBUG_BUILD */ ALLOC_C1(mem) = ALLOC_MAGIC_F; @@ -377,7 +377,7 @@ static inline void DFL_ck_free(void *mem) { static inline void *DFL_ck_realloc(void *orig, u32 size) { void *ret; - u32 old_size = 0; + u32 old_size = 0; if (!size) { @@ -390,9 +390,9 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { CHECK_PTR(orig); -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD ALLOC_C1(orig) = ALLOC_MAGIC_F; -#endif /* !DEBUG_BUILD */ + #endif /* !DEBUG_BUILD */ old_size = ALLOC_S(orig); orig -= ALLOC_OFF_HEAD; 
@@ -403,12 +403,12 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { ALLOC_CHECK_SIZE(size); -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD ret = realloc(orig, size + ALLOC_OFF_TOTAL); ALLOC_CHECK_RESULT(ret, size); -#else + #else /* Catch pointer issues sooner: force relocation and make sure that the original buffer is wiped. */ @@ -427,7 +427,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { } -#endif /* ^!DEBUG_BUILD */ + #endif /* ^!DEBUG_BUILD */ ret += ALLOC_OFF_HEAD; @@ -446,7 +446,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { static inline void *DFL_ck_realloc_block(void *orig, u32 size) { -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD if (orig) { @@ -458,7 +458,7 @@ static inline void *DFL_ck_realloc_block(void *orig, u32 size) { } -#endif /* !DEBUG_BUILD */ + #endif /* !DEBUG_BUILD */ return DFL_ck_realloc(orig, size); @@ -469,7 +469,7 @@ static inline void *DFL_ck_realloc_block(void *orig, u32 size) { static inline u8 *DFL_ck_strdup(u8 *str) { void *ret; - u32 size; + u32 size; if (!str) return NULL; 
@@ -538,30 +538,30 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -#ifndef DEBUG_BUILD + #ifndef DEBUG_BUILD -/* In non-debug mode, we just do straightforward aliasing of the above - functions to user-visible names such as ck_alloc(). */ + /* In non-debug mode, we just do straightforward aliasing of the above + functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free + #define ck_alloc DFL_ck_alloc + #define ck_alloc_nozero DFL_ck_alloc_nozero + #define ck_realloc DFL_ck_realloc + #define ck_realloc_block DFL_ck_realloc_block + #define ck_strdup DFL_ck_strdup + #define ck_memdup DFL_ck_memdup + #define ck_memdup_str DFL_ck_memdup_str + #define ck_free DFL_ck_free -#define alloc_report() + #define alloc_report() -#else + #else -/* In debugging mode, we also track allocations to detect memory leaks, and - the flow goes through one more layer of indirection. */ + /* In debugging mode, we also track allocations to detect memory leaks, and + the flow goes through one more layer of indirection. */ -/* Alloc tracking data structures: */ + /* Alloc tracking data structures: */ -#define ALLOC_BUCKETS 4096 + #define ALLOC_BUCKETS 4096 struct TRK_obj { 
@@ -571,25 +571,25 @@ struct TRK_obj { }; -#ifdef AFL_MAIN + #ifdef AFL_MAIN struct TRK_obj *TRK[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS]; -#define alloc_report() TRK_report() + #define alloc_report() TRK_report() -#else + #else extern struct TRK_obj *TRK[ALLOC_BUCKETS]; extern u32 TRK_cnt[ALLOC_BUCKETS]; -#define alloc_report() + #define alloc_report() -#endif /* ^AFL_MAIN */ + #endif /* ^AFL_MAIN */ -/* Bucket-assigning function for a given pointer: */ + /* Bucket-assigning function for a given pointer: */ -#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) + #define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) /* Add a new entry to the list of allocated objects. */ 
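Review bot: `TRKH(_ptr)` in the alloc-tracking hunk casts the pointer straight to `u32`, `((u32)(_ptr)) >> 16`, which on LP64 targets is a pointer-to-integer truncation that GCC warns about and that discards the upper half of the address before hashing. Going through `uintptr_t` first, `#define TRKH(_ptr) (((((uintptr_t)(_ptr)) >> 16) ^ ((uintptr_t)(_ptr))) % ALLOC_BUCKETS)`, is warning-free and hashes the whole address; bucket assignment changes but that is internal to the tracker. This is the `DEBUG_BUILD` branch of the stock allocator, so it is a portability rather than a security point.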
@@ -739,29 +739,30 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func, } -/* Aliasing user-facing names to tracking functions: */ + /* Aliasing user-facing names to tracking functions: */ -#define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_alloc_nozero(_p1) \ + TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc(_p1, _p2) \ - TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_realloc(_p1, _p2) \ + TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc_block(_p1, _p2) \ - TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_realloc_block(_p1, _p2) \ + TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup(_p1, _p2) \ - TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_memdup(_p1, _p2) \ + TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup_str(_p1, _p2) \ - TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + #define ck_memdup_str(_p1, _p2) \ + TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) + #define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) -#endif /* ^!DEBUG_BUILD */ + #endif /* ^!DEBUG_BUILD */ #endif /* _WANT_ORIGINAL_AFL_ALLOC */ diff --git a/include/android-ashmem.h b/include/android-ashmem.h index 77914c35..41d4d2da 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h 
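Review bot: In the DEBUG_BUILD aliasing hunk `ck_alloc_nozero` is mapped to `TRK_ck_alloc`, the same function as `ck_alloc`, whereas the non-debug branch earlier in this file maps it to `DFL_ck_alloc_nozero`. If `TRK_ck_alloc` wraps the zeroing allocator, as its name suggests (its body is outside this hunk), debug builds silently zero memory that release builds leave uninitialized, so an uninitialized-read bug can only surface in the build without the checks. A `TRK_ck_alloc_nozero` wrapper, or at least a comment on the alias, `/* NOTE: debug builds zero this allocation; release builds do not */`, would make the divergence visible.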
@@ -28,27 +28,27 @@ #ifdef __ANDROID__ -#include -#include -#include -#include -#include - -#if __ANDROID_API__ >= 26 -#define shmat bionic_shmat -#define shmctl bionic_shmctl -#define shmdt bionic_shmdt -#define shmget bionic_shmget -#endif - -#include -#undef shmat -#undef shmctl -#undef shmdt -#undef shmget -#include - -#define ASHMEM_DEVICE "/dev/ashmem" + #include + #include + #include + #include + #include + + #if __ANDROID_API__ >= 26 + #define shmat bionic_shmat + #define shmctl bionic_shmctl + #define shmdt bionic_shmdt + #define shmget bionic_shmget + #endif + + #include + #undef shmat + #undef shmctl + #undef shmdt + #undef shmget + #include + + #define ASHMEM_DEVICE "/dev/ashmem" static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { diff --git a/include/config.h b/include/config.h index c21d775a..ff7bc788 100644 --- a/include/config.h +++ b/include/config.h @@ -49,7 +49,7 @@ /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ #ifndef ANDROID_DISABLE_FANCY // Fancy boxes are ugly from adb -#define FANCY_BOXES + #define FANCY_BOXES #endif /* Default timeout for fuzzed code (milliseconds). This is the upper bound, @@ -63,20 +63,20 @@ /* 64bit arch MACRO */ #if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__)) -#define WORD_SIZE_64 1 + #define WORD_SIZE_64 1 #endif /* Default memory limit for child process (MB): */ #ifndef __NetBSD__ -#ifndef WORD_SIZE_64 -#define MEM_LIMIT 25 -#else -#define MEM_LIMIT 50 -#endif /* ^!WORD_SIZE_64 */ -#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ - #165 */ -#define MEM_LIMIT 200 + #ifndef WORD_SIZE_64 + #define MEM_LIMIT 25 + #else + #define MEM_LIMIT 50 + #endif /* ^!WORD_SIZE_64 */ +#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ + #165 */ + #define MEM_LIMIT 200 #endif /* Default memory limit when running in QEMU mode (MB): */ 
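Review bot: `WORD_SIZE_64` in the config.h hunk is derived only from `__x86_64__`, `__arm64__` and `__aarch64__`, so other 64-bit targets (ppc64le, s390x, riscv64, mips64) fall into the 32-bit branch and get `MEM_LIMIT 25` instead of 50. If the macro is only meant to signal a 64-bit address space, `#if defined(__LP64__) || defined(_LP64)` covers them all; if it is also used elsewhere to select x86/ARM-specific code (not visible here), the name is misleading and the two meanings should be separate macros. A one-line comment on the `#if` saying which meaning is intended would settle it either way.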
@@ -395,9 +395,9 @@
 /* for *BSD: use ARC4RANDOM and save a file descriptor */
 #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
-#ifndef HAVE_ARC4RANDOM
-#define HAVE_ARC4RANDOM 1
-#endif
+ #ifndef HAVE_ARC4RANDOM
+ #define HAVE_ARC4RANDOM 1
+ #endif
 #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
 #endif /* ! _HAVE_CONFIG_H */
diff --git a/include/debug.h b/include/debug.h
index 4cce56b5..9dd21ace 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -30,7 +30,7 @@
 /* __FUNCTION__ is non-iso */
 #ifdef __func__
-#define __FUNCTION__ __func__
+ #define __FUNCTION__ __func__
 #endif
 /*******************
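Review bot: The `#ifdef __func__` guard in the debug.h hunk can never be true, because `__func__` is a predefined identifier rather than a preprocessor macro (C99 6.4.2.2; GCC documents that neither `__func__` nor `__FUNCTION__` is a macro), so `#define __FUNCTION__ __func__` is dead and the code silently relies on the compiler's own `__FUNCTION__` extension. If the intent is to stay ISO-clean, either define the alias on C99 or later, `#if __STDC_VERSION__ >= 199901L`, or use `__func__` directly at the call sites (the `ck_*` tracking macros in alloc-inl.h pass `__FUNCTION__`). At minimum the comment `/* __FUNCTION__ is non-iso */` should say that the guard is a no-op on current compilers.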
@@ -38,82 +38,82 @@ *******************/ #ifndef MESSAGES_TO_STDOUT -#define MESSAGES_TO_STDOUT + #define MESSAGES_TO_STDOUT #endif #ifdef USE_COLOR -#define cBLK "\x1b[0;30m" -#define cRED "\x1b[0;31m" -#define cGRN "\x1b[0;32m" -#define cBRN "\x1b[0;33m" -#define cBLU "\x1b[0;34m" -#define cMGN "\x1b[0;35m" -#define cCYA "\x1b[0;36m" -#define cLGR "\x1b[0;37m" -#define cGRA "\x1b[1;90m" -#define cLRD "\x1b[1;91m" -#define cLGN "\x1b[1;92m" -#define cYEL "\x1b[1;93m" -#define cLBL "\x1b[1;94m" -#define cPIN "\x1b[1;95m" -#define cLCY "\x1b[1;96m" -#define cBRI "\x1b[1;97m" -#define cRST "\x1b[0m" - -#define bgBLK "\x1b[40m" -#define bgRED "\x1b[41m" -#define bgGRN "\x1b[42m" -#define bgBRN "\x1b[43m" -#define bgBLU "\x1b[44m" -#define bgMGN "\x1b[45m" -#define bgCYA "\x1b[46m" -#define bgLGR "\x1b[47m" -#define bgGRA "\x1b[100m" -#define bgLRD "\x1b[101m" -#define bgLGN "\x1b[102m" -#define bgYEL "\x1b[103m" -#define bgLBL "\x1b[104m" -#define bgPIN "\x1b[105m" -#define bgLCY "\x1b[106m" -#define bgBRI "\x1b[107m" + #define cBLK "\x1b[0;30m" + #define cRED "\x1b[0;31m" + #define cGRN "\x1b[0;32m" + #define cBRN "\x1b[0;33m" + #define cBLU "\x1b[0;34m" + #define cMGN "\x1b[0;35m" + #define cCYA "\x1b[0;36m" + #define cLGR "\x1b[0;37m" + #define cGRA "\x1b[1;90m" + #define cLRD "\x1b[1;91m" + #define cLGN "\x1b[1;92m" + #define cYEL "\x1b[1;93m" + #define cLBL "\x1b[1;94m" + #define cPIN "\x1b[1;95m" + #define cLCY "\x1b[1;96m" + #define cBRI "\x1b[1;97m" + #define cRST "\x1b[0m" + + #define bgBLK "\x1b[40m" + #define bgRED "\x1b[41m" + #define bgGRN "\x1b[42m" + #define bgBRN "\x1b[43m" + #define bgBLU "\x1b[44m" + #define bgMGN "\x1b[45m" + #define bgCYA "\x1b[46m" + #define bgLGR "\x1b[47m" + #define bgGRA "\x1b[100m" + #define bgLRD "\x1b[101m" + #define bgLGN "\x1b[102m" + #define bgYEL "\x1b[103m" + #define bgLBL "\x1b[104m" + #define bgPIN "\x1b[105m" + #define bgLCY "\x1b[106m" + #define bgBRI "\x1b[107m" #else -#define cBLK "" -#define cRED "" -#define cGRN 
"" -#define cBRN "" -#define cBLU "" -#define cMGN "" -#define cCYA "" -#define cLGR "" -#define cGRA "" -#define cLRD "" -#define cLGN "" -#define cYEL "" -#define cLBL "" -#define cPIN "" -#define cLCY "" -#define cBRI "" -#define cRST "" - -#define bgBLK "" -#define bgRED "" -#define bgGRN "" -#define bgBRN "" -#define bgBLU "" -#define bgMGN "" -#define bgCYA "" -#define bgLGR "" -#define bgGRA "" -#define bgLRD "" -#define bgLGN "" -#define bgYEL "" -#define bgLBL "" -#define bgPIN "" -#define bgLCY "" -#define bgBRI "" + #define cBLK "" + #define cRED "" + #define cGRN "" + #define cBRN "" + #define cBLU "" + #define cMGN "" + #define cCYA "" + #define cLGR "" + #define cGRA "" + #define cLRD "" + #define cLGN "" + #define cYEL "" + #define cLBL "" + #define cPIN "" + #define cLCY "" + #define cBRI "" + #define cRST "" + + #define bgBLK "" + #define bgRED "" + #define bgGRN "" + #define bgBRN "" + #define bgBLU "" + #define bgMGN "" + #define bgCYA "" + #define bgLGR "" + #define bgGRA "" + #define bgLRD "" + #define bgLGN "" + #define bgYEL "" + #define bgLBL "" + #define bgPIN "" + #define bgLCY "" + #define bgBRI "" #endif /* ^USE_COLOR */ 
@@ -123,39 +123,39 @@ #ifdef FANCY_BOXES -#define SET_G1 "\x1b)0" /* Set G1 for box drawing */ -#define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ -#define bSTART "\x0e" /* Enter G1 drawing mode */ -#define bSTOP "\x0f" /* Leave G1 drawing mode */ -#define bH "q" /* Horizontal line */ -#define bV "x" /* Vertical line */ -#define bLT "l" /* Left top corner */ -#define bRT "k" /* Right top corner */ -#define bLB "m" /* Left bottom corner */ -#define bRB "j" /* Right bottom corner */ -#define bX "n" /* Cross */ -#define bVR "t" /* Vertical, branch right */ -#define bVL "u" /* Vertical, branch left */ -#define bHT "v" /* Horizontal, branch top */ -#define bHB "w" /* Horizontal, branch bottom */ + #define SET_G1 "\x1b)0" /* Set G1 for box drawing */ + #define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ + #define bSTART "\x0e" /* Enter G1 drawing mode */ + #define bSTOP "\x0f" /* Leave G1 drawing mode */ + #define bH "q" /* Horizontal line */ + #define bV "x" /* Vertical line */ + #define bLT "l" /* Left top corner */ + #define bRT "k" /* Right top corner */ + #define bLB "m" /* Left bottom corner */ + #define bRB "j" /* Right bottom corner */ + #define bX "n" /* Cross */ + #define bVR "t" /* Vertical, branch right */ + #define bVL "u" /* Vertical, branch left */ + #define bHT "v" /* Horizontal, branch top */ + #define bHB "w" /* Horizontal, branch bottom */ #else -#define SET_G1 "" -#define RESET_G1 "" -#define bSTART "" -#define bSTOP "" -#define bH "-" -#define bV "|" -#define bLT "+" -#define bRT "+" -#define bLB "+" -#define bRB "+" -#define bX "+" -#define bVR "+" -#define bVL "+" -#define bHT "+" -#define bHB "+" + #define SET_G1 "" + #define RESET_G1 "" + #define bSTART "" + #define bSTOP "" + #define bH "-" + #define bV "|" + #define bLT "+" + #define bRT "+" + #define bLB "+" + #define bRB "+" + #define bX "+" + #define bVR "+" + #define bVL "+" + #define bHT "+" + #define bHB "+" #endif /* ^FANCY_BOXES */ 
@@ -176,9 +176,9 @@ /* Just print stuff to the appropriate stream. */ #ifdef MESSAGES_TO_STDOUT -#define SAYF(x...) printf(x) + #define SAYF(x...) printf(x) #else -#define SAYF(x...) fprintf(stderr, x) + #define SAYF(x...) fprintf(stderr, x) #endif /* ^MESSAGES_TO_STDOUT */ /* Show a prefixed warning. */ diff --git a/include/forkserver.h b/include/forkserver.h index 7e7784f5..e8ac2837 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -110,20 +110,20 @@ void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ -#define MSG_FORK_ON_APPLE \ - " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ - "may\n" \ - " break afl-fuzz performance optimizations when running " \ - "platform-specific\n" \ - " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + #define MSG_FORK_ON_APPLE \ + " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ + "may\n" \ + " break afl-fuzz performance optimizations when running " \ + "platform-specific\n" \ + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" #else -#define MSG_FORK_ON_APPLE "" + #define MSG_FORK_ON_APPLE "" #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" + #define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" + #define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/include/hash.h b/include/hash.h index 3751ac33..cec51eac 100644 --- a/include/hash.h +++ b/include/hash.h @@ -32,7 +32,7 @@ #ifdef __x86_64__ -#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) + #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { 
@@ -67,7 +67,7 @@ static inline u32 hash32(const void *key, u32 len, u32 seed) { #else -#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) + #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { diff --git a/include/types.h b/include/types.h index 72d2ba51..f95c4be2 100644 --- a/include/types.h +++ b/include/types.h @@ -81,23 +81,23 @@ typedef int32_t s32; typedef int64_t s64; #ifndef MIN -#define MIN(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a < _b ? _a : _b; \ - \ - }) - -#define MAX(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a > _b ? _a : _b; \ - \ - }) + #define MIN(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a < _b ? _a : _b; \ + \ + }) + + #define MAX(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a > _b ? _a : _b; \ + \ + }) #endif /* !MIN */ @@ -133,21 +133,21 @@ typedef int64_t s64; }) #ifdef AFL_LLVM_PASS -#if defined(__linux__) || !defined(__ANDROID__) -#define AFL_SR(s) (srandom(s)) -#define AFL_R(x) (random() % (x)) -#else -#define AFL_SR(s) ((void)s) -#define AFL_R(x) (arc4random_uniform(x)) -#endif -#else -#if defined(__linux__) || !defined(__ANDROID__) -#define SR(s) (srandom(s)) -#define R(x) (random() % (x)) + #if defined(__linux__) || !defined(__ANDROID__) + #define AFL_SR(s) (srandom(s)) + #define AFL_R(x) (random() % (x)) + #else + #define AFL_SR(s) ((void)s) + #define AFL_R(x) (arc4random_uniform(x)) + #endif #else -#define SR(s) ((void)s) -#define R(x) (arc4random_uniform(x)) -#endif + #if defined(__linux__) || !defined(__ANDROID__) + #define SR(s) (srandom(s)) + #define R(x) (random() % (x)) + #else + #define SR(s) ((void)s) + #define R(x) (arc4random_uniform(x)) + #endif #endif /* ^AFL_LLVM_PASS */ #define STRINGIFY_INTERNAL(x) #x 
@@ -156,19 +156,19 @@ typedef int64_t s64; #define MEM_BARRIER() __asm__ volatile("" ::: "memory") #if __GNUC__ < 6 -#ifndef likely -#define likely(_x) (_x) -#endif -#ifndef unlikely -#define unlikely(_x) (_x) -#endif + #ifndef likely + #define likely(_x) (_x) + #endif + #ifndef unlikely + #define unlikely(_x) (_x) + #endif #else -#ifndef likely -#define likely(_x) __builtin_expect(!!(_x), 1) -#endif -#ifndef unlikely -#define unlikely(_x) __builtin_expect(!!(_x), 0) -#endif + #ifndef likely + #define likely(_x) __builtin_expect(!!(_x), 1) + #endif + #ifndef unlikely + #define unlikely(_x) __builtin_expect(!!(_x), 0) + #endif #endif #endif /* ! _HAVE_TYPES_H */ diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 73ddc292..1c22897c 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -30,39 +30,39 @@ #include #ifdef __APPLE__ -#include + #include #endif #ifdef __FreeBSD__ -#include + #include #endif #if defined(__linux__) && !defined(__ANDROID__) -#include -#include -#ifdef __NR_getrandom -#define arc4random_buf(p, l) \ - do { \ - \ - ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ - if (rd != l) DEBUGF("getrandom failed"); \ - \ - } while (0) - -#else -#include -#define arc4random_buf(p, l) \ - do { \ - \ - srand(time(NULL)); \ - u32 i; \ - u8 *ptr = (u8 *)p; \ - for (i = 0; i < l; i++) \ - ptr[i] = rand() % INT_MAX; \ - \ - } while (0) - -#endif + #include + #include + #ifdef __NR_getrandom + #define arc4random_buf(p, l) \ + do { \ + \ + ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ + if (rd != l) DEBUGF("getrandom failed"); \ + \ + } while (0) + + #else + #include + #define arc4random_buf(p, l) \ + do { \ + \ + srand(time(NULL)); \ + u32 i; \ + u8 *ptr = (u8 *)p; \ + for (i = 0; i < l; i++) \ + ptr[i] = rand() % INT_MAX; \ + \ + } while (0) + + #endif #endif #include "config.h" 
@@ -83,11 +83,11 @@ typedef struct { #define ALLOC_ALIGN_SIZE (_Alignof(max_align_t)) #ifndef PAGE_SIZE -#define PAGE_SIZE 4096 + #define PAGE_SIZE 4096 #endif /* !PAGE_SIZE */ #ifndef MAP_ANONYMOUS -#define MAP_ANONYMOUS MAP_ANON + #define MAP_ANONYMOUS MAP_ANON #endif /* !MAP_ANONYMOUS */ #define SUPER_PAGE_SIZE 1 << 21 @@ -148,8 +148,8 @@ static u8 alloc_verbose, /* Additional debug messages */ align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ -#define __thread -#warning no thread support available + #define __thread + #warning no thread support available #endif static __thread size_t total_mem; /* Currently allocated mem */ @@ -192,13 +192,13 @@ static void *__dislocator_alloc(size_t len) { #if defined(USEHUGEPAGE) sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE)); -#if defined(__APPLE__) + #if defined(__APPLE__) if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB; -#elif defined(__linux__) + #elif defined(__linux__) if (sp) flags |= MAP_HUGETLB; -#elif defined(__FreeBSD__) + #elif defined(__FreeBSD__) if (sp) flags |= MAP_ALIGNED_SUPER; -#endif + #endif #else (void)sp; #endif @@ -208,13 +208,13 @@ static void *__dislocator_alloc(size_t len) { /* We try one more time with regular call */ if (ret == MAP_FAILED) { -#if defined(__APPLE__) + #if defined(__APPLE__) fd = -1; -#elif defined(__linux__) + #elif defined(__linux__) flags &= -MAP_HUGETLB; -#elif defined(__FreeBSD__) + #elif defined(__FreeBSD__) flags &= -MAP_ALIGNED_SUPER; -#endif + #endif ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); } diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 56b2cd4b..fdfa3e53 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -21,7 +21,7 @@ */ #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #include #include 
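Review bot: In the `if (ret == MAP_FAILED)` retry branch of `__dislocator_alloc` (the `@@ -208` hunk), `flags &= -MAP_HUGETLB;` and `flags &= -MAP_ALIGNED_SUPER;` apply the arithmetic negation of the flag rather than its bitwise complement, so for a single-bit mmap flag the mask clears every bit below that flag (presumably including MAP_PRIVATE / MAP_ANONYMOUS) while leaving the hugepage bit itself set, and the second mmap is attempted with a different flag set than intended. These are context lines the reindentation does not touch, but since the hunk is being reformatted anyway the fix is cheap: `flags &= ~MAP_HUGETLB;` and `flags &= ~MAP_ALIGNED_SUPER;`. The body of `__dislocator_alloc` begins and ends outside the hunk, so the `ret`/`flags` initialisation was not visible for review.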
@@ -35,20 +35,20 @@ #if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \ !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ -#error "Sorry, this library is unsupported in this platform for now!" + #error "Sorry, this library is unsupported in this platform for now!" #endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \ !__NetBSD__*/ #if defined __APPLE__ -#include -#include + #include + #include #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -#include -#include -#if !defined __NetBSD__ -#include -#endif -#include + #include + #include + #if !defined __NetBSD__ + #include + #endif + #include #endif #include @@ -154,25 +154,25 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -#if defined __FreeBSD__ + #if defined __FreeBSD__ int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; -#elif defined __OpenBSD__ + #elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid}; -#elif defined __NetBSD__ + #elif defined __NetBSD__ int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)}; -#endif + #endif char * buf, *low, *high; size_t miblen = sizeof(mib) / sizeof(mib[0]); size_t len; if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return; -#if defined __FreeBSD__ || defined __NetBSD__ + #if defined __FreeBSD__ || defined __NetBSD__ len = len * 4 / 3; -#elif defined __OpenBSD__ + #elif defined __OpenBSD__ len -= len % sizeof(struct kinfo_vmentry); -#endif + #endif buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); if (buf == MAP_FAILED) return; 
@@ -193,22 +193,22 @@ static void __tokencap_load_mappings(void) { struct kinfo_vmentry *region = (struct kinfo_vmentry *)low; -#if defined __FreeBSD__ || defined __NetBSD__ + #if defined __FreeBSD__ || defined __NetBSD__ -#if defined __FreeBSD__ + #if defined __FreeBSD__ size_t size = region->kve_structsize; if (size == 0) break; -#elif defined __NetBSD__ + #elif defined __NetBSD__ size_t size = sizeof(*region); -#endif + #endif /* We go through the whole mapping of the process and track read-only * addresses */ if ((region->kve_protection & KVME_PROT_READ) && !(region->kve_protection & KVME_PROT_WRITE)) { -#elif defined __OpenBSD__ + #elif defined __OpenBSD__ size_t size = sizeof(*region); @@ -217,7 +217,7 @@ static void __tokencap_load_mappings(void) { if ((region->kve_protection & KVE_PROT_READ) && !(region->kve_protection & KVE_PROT_WRITE)) { -#endif + #endif __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start; __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end; diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 837b093a..4b8f8754 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -12,13 +12,13 @@ typedef long double max_align_t; #include "llvm/ADT/DenseSet.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/CFG.h" -#include "llvm/IR/Dominators.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/CFG.h" + #include "llvm/IR/Dominators.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Support/CFG.h" -#include "llvm/Analysis/Dominators.h" -#include "llvm/DebugInfo.h" + #include "llvm/Support/CFG.h" + #include "llvm/Analysis/Dominators.h" + #include "llvm/DebugInfo.h" #endif #include "llvm/IR/IRBuilder.h" #include "llvm/IR/Instructions.h" 
@@ -97,7 +97,7 @@ struct InsTrim : public ModulePass { #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -#define AFL_HAVE_VECTOR_INTRINSICS 1 + #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool runOnModule(Module &M) override { @@ -196,17 +196,17 @@ struct InsTrim : public ModulePass { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -#ifdef __ANDROID__ + #ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -#else + #else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -#endif + #endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/MarkNodes.cc b/llvm_mode/MarkNodes.cc index cff6c90a..20a7df35 100644 --- a/llvm_mode/MarkNodes.cc +++ b/llvm_mode/MarkNodes.cc @@ -15,9 +15,9 @@ typedef long double max_align_t; #include "llvm/IR/BasicBlock.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/CFG.h" + #include "llvm/IR/CFG.h" #else -#include "llvm/Support/CFG.h" + #include "llvm/Support/CFG.h" #endif #include "llvm/IR/Constants.h" #include "llvm/IR/Function.h" diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index cf14d2e1..50ad3abc 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h 
@@ -25,11 +25,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" + #include "llvm/IR/DebugInfo.h" + #include "llvm/IR/CFG.h" #else -#include "llvm/DebugInfo.h" -#include "llvm/Support/CFG.h" + #include "llvm/DebugInfo.h" + #include "llvm/Support/CFG.h" #endif char * getBBName(const llvm::BasicBlock *BB); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 2d23ad21..f58a7a5e 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -54,11 +54,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" + #include "llvm/IR/DebugInfo.h" + #include "llvm/IR/CFG.h" #else -#include "llvm/DebugInfo.h" -#include "llvm/Support/CFG.h" + #include "llvm/DebugInfo.h" + #include "llvm/Support/CFG.h" #endif #include "afl-llvm-common.h" @@ -115,7 +115,7 @@ uint64_t PowerOf2Ceil(unsigned in) { /* #if LLVM_VERSION_STRING >= "4.0.1" */ #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -#define AFL_HAVE_VECTOR_INTRINSICS 1 + #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool AFLCoverage::runOnModule(Module &M) { @@ -242,17 +242,17 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -#ifdef __ANDROID__ + #ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -#else + #else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -#endif + #endif else #endif #ifdef __ANDROID__ 
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index ce8df332..c0d1569d 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -21,7 +21,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -43,7 +43,7 @@ #include #ifdef __linux__ -#include "snapshot-inl.h" + #include "snapshot-inl.h" #endif /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode. @@ -53,7 +53,7 @@ #define CONST_PRIO 5 #ifndef MAP_FIXED_NOREPLACE -#define MAP_FIXED_NOREPLACE MAP_FIXED + #define MAP_FIXED_NOREPLACE MAP_FIXED #endif #include @@ -826,15 +826,15 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) { } #if defined(__APPLE__) -#pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 -#pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 -#pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 -#pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 - -#pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 -#pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 -#pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 -#pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 + #pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 + #pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 + #pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 + #pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 + + #pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 + #pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 + #pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 + #pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 #else void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__cmplog_ins_hook1"))); 
diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index 628151c6..b7f3cffa 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc index b74fb712..bb78273a 100644 --- a/llvm_mode/cmplog-routines-pass.cc +++ b/llvm_mode/cmplog-routines-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 00732dbc..8fadc424 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include 
diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 9c91e44f..eb5deb14 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -37,12 +37,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif using namespace llvm; diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index e8639347..6328ea5f 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -40,12 +40,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" + #include "llvm/IR/Verifier.h" + #include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 + #include "llvm/Analysis/Verifier.h" + #include "llvm/DebugInfo.h" + #define nullptr 0 #endif #include diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index d4ac25e3..55c5a3f3 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -11,7 +11,7 @@ #include #ifdef __ANDROID__ -#include "../include/android-ashmem.h" + #include "../include/android-ashmem.h" #endif #include 
@@ -23,15 +23,15 @@ /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -#define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") + #define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ + #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif using namespace QBDI; diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index bffdd5d8..23f465a4 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -20,7 +20,7 @@ */ #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #include #include @@ -36,7 +36,7 @@ #include "pmparser.h" #ifndef __linux__ -#error "Sorry, this library is Linux-specific for now!" + #error "Sorry, this library is Linux-specific for now!" #endif /* !__linux__ */ /* Change this value to tune the compare coverage */ diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 94f853cc..dbdb41bc 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h 
@@ -40,27 +40,27 @@ #define PERSISTENT_DEFAULT_MAX_CNT 1000 #ifdef CPU_NB_REGS -#define AFL_REGS_NUM CPU_NB_REGS + #define AFL_REGS_NUM CPU_NB_REGS #elif TARGET_ARM -#define AFL_REGS_NUM 32 + #define AFL_REGS_NUM 32 #elif TARGET_AARCH64 -#define AFL_REGS_NUM 32 + #define AFL_REGS_NUM 32 #else -#define AFL_REGS_NUM 100 + #define AFL_REGS_NUM 100 #endif /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -#define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") + #define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ + #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 78a8f800..e4ebaf88 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -35,7 +35,7 @@ #include "afl-qemu-common.h" #ifndef AFL_QEMU_STATIC_BUILD -#include + #include #endif /*************************** diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 2e740ad9..083c27e5 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -36,9 +36,9 @@ #include "tcg-op.h" #if TCG_TARGET_REG_BITS == 64 -#define _DEFAULT_MO MO_64 + #define _DEFAULT_MO MO_64 #else -#define _DEFAULT_MO MO_32 + #define _DEFAULT_MO MO_32 #endif static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 4e973672..900fbeb1 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c 
@@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-as.c b/src/afl-as.c index cf7f8bb6..4809a731 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -79,9 +79,9 @@ static u8 use_64bit = 1; static u8 use_64bit = 0; -#ifdef __APPLE__ -#error "Sorry, 32-bit Apple platforms are not supported." -#endif /* __APPLE__ */ + #ifdef __APPLE__ + #error "Sorry, 32-bit Apple platforms are not supported." + #endif /* __APPLE__ */ #endif /* ^WORD_SIZE_64 */ diff --git a/src/afl-common.c b/src/afl-common.c index d9d57863..5b7f2ff3 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -34,7 +34,7 @@ /* Detect @@ in args. */ #ifndef __glibc__ -#include + #include #endif #include #include diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index d4966889..ff078319 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -442,7 +442,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); } - + sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); sprintf(ret + strlen(ret), ",op:%s", afl->stage_short); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 32481887..78b92368 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -33,11 +33,11 @@ void bind_to_free_cpu(afl_state_t *afl) { -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) cpuset_t * c; -#endif + #endif u8 cpu_used[4096] = {0}; u32 i; @@ -51,7 +51,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#if defined(__linux__) + #if defined(__linux__) DIR * d; struct dirent *de; d = opendir("/proc"); 
@@ -112,7 +112,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } closedir(d); -#elif defined(__FreeBSD__) || defined(__DragonFly__) + #elif defined(__FreeBSD__) || defined(__DragonFly__) struct kinfo_proc *procs; size_t nprocs; size_t proccount; @@ -133,7 +133,7 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { -#if defined(__FreeBSD__) + #if defined(__FreeBSD__) if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 @@ -143,16 +143,16 @@ void bind_to_free_cpu(afl_state_t *afl) { if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; -#elif defined(__DragonFly__) + #elif defined(__DragonFly__) if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; -#endif + #endif } ck_free(procs); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; @@ -181,15 +181,15 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); -#else -#warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" -#endif + #else + #warning \ + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" + #endif size_t cpu_start = 0; try: -#ifndef __ANDROID__ + #ifndef __ANDROID__ for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -198,12 +198,12 @@ void bind_to_free_cpu(afl_state_t *afl) { if (i == afl->cpu_core_count) { -#else + #else for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) if (!cpu_used[i]) break; if (i == -1) { -#endif + #endif SAYF("\n" cLRD "[-] " cRST "Uh-oh, looks like all %d CPU cores on your system are allocated to\n" 
@@ -221,16 +221,16 @@ void bind_to_free_cpu(afl_state_t *afl) { afl->cpu_aff = i; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#endif + #endif -#if defined(__linux__) + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) { @@ -246,7 +246,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__FreeBSD__) || defined(__DragonFly__) + #elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) @@ -258,7 +258,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { if (cpu_start == afl->cpu_core_count) @@ -271,10 +271,10 @@ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { } cpuset_destroy(c); -#else -// this will need something for other platforms -// TODO: Solaris/Illumos has processor_bind ... might worth a try -#endif + #else + // this will need something for other platforms + // TODO: Solaris/Illumos has processor_bind ... might worth a try + #endif } @@ -1565,7 +1565,7 @@ void check_crash_handling(void) { until I get a box to test the code. So, for now, we check for crash reporting the awful way. */ -#if !TARGET_OS_IPHONE + #if !TARGET_OS_IPHONE if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; SAYF( @@ -1583,7 +1583,7 @@ void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); -#endif + #endif if (!get_afl_env("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); 
@@ -1778,26 +1778,26 @@ void get_core_count(afl_state_t *afl) { /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ -#ifdef __APPLE__ + #ifdef __APPLE__ if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#else + #else int s_name[2] = {CTL_HW, HW_NCPU}; if (sysctl(s_name, 2, &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#endif /* ^__APPLE__ */ + #endif /* ^__APPLE__ */ #else -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); -#else + #else FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -1809,7 +1809,7 @@ void get_core_count(afl_state_t *afl) { fclose(f); -#endif /* ^HAVE_AFFINITY */ + #endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ @@ -2102,12 +2102,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { #else -#if !defined(__arm__) && !defined(__arm64__) + #if !defined(__arm__) && !defined(__arm64__) if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) && (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", afl->fsrv.target_path); -#endif + #endif #endif /* ^!__APPLE__ */ diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 832dba06..1084e4f1 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c 
@@ -35,11 +35,11 @@ static void *unsupported(afl_state_t *afl, unsigned int seed) { } -/* sorry for this makro... -it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ -#define BUF_PARAMS(name) \ - (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ - &((py_mutator_t *)py_mutator)->name##_size + /* sorry for this makro... + it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ + #define BUF_PARAMS(name) \ + (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ + &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { @@ -71,12 +71,12 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, PyTuple_SetItem(py_args, 1, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -118,11 +118,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { Py_Initialize(); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 PyObject *py_name = PyUnicode_FromString(module_name); -#else + #else PyObject *py_name = PyString_FromString(module_name); -#endif + #endif py->py_module = PyImport_Import(py_name); Py_DECREF(py_name); @@ -243,11 +243,11 @@ static void init_py(afl_state_t *afl, py_mutator_t *py_mutator, /* Provide the init function a seed for the Python RNG */ py_args = PyTuple_New(1); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(seed); -#else + #else py_value = PyInt_FromLong(seed); -#endif + #endif if (!py_value) { 
@@ -440,11 +440,11 @@ s32 init_trim_py(void *py_mutator, u8 *buf, size_t buf_size) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -479,11 +479,11 @@ s32 post_trim_py(void *py_mutator, u8 success) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -542,12 +542,12 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, PyTuple_SetItem(py_args, 0, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -624,12 +624,12 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { py_args = PyTuple_New(1); -// File name -#if PY_MAJOR_VERSION >= 3 + // File name + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename); -#else + #else py_value = PyString_FromString(filename); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -674,12 +674,12 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args = PyTuple_New(2); -// New queue -#if PY_MAJOR_VERSION >= 3 + // New queue + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_new_queue); -#else + #else py_value = PyString_FromString(filename_new_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); 
@@ -693,11 +693,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_value = Py_None; if (filename_orig_queue) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_orig_queue); -#else + #else py_value = PyString_FromString(filename_orig_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -724,7 +724,7 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, } -#undef BUF_PARAMS + #undef BUF_PARAMS #endif /* USE_PYTHON */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aaf615e9..8075f03d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -853,7 +853,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#if defined(__SANITIZE_ADDRESS__) + #if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { WARNF("in the ASAN build we disable all memory limits"); @@ -861,7 +861,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#endif + #endif setup_signal_handlers(); check_asan_opts(); @@ -1054,9 +1054,9 @@ int main(int argc, char **argv_orig, char **envp) { get_core_count(afl); -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY bind_to_free_cpu(afl); -#endif /* HAVE_AFFINITY */ + #endif /* HAVE_AFFINITY */ check_crash_handling(); check_cpu_governor(afl); @@ -1352,12 +1352,12 @@ stop_fuzzing: } -#ifdef PROFILING + #ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", time_spent_working / 1000000, time_spent_working / afl->fsrv.total_execs); -#endif + #endif fclose(afl->fsrv.plot_file); destroy_queue(afl); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index ab7aad5c..43b3196b 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -32,11 +32,11 @@ #define AFL_MAIN #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include #include 
@@ -55,22 +55,22 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__APPLE__) || defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include -#include -#if defined(__FreeBSD__) -#include -#endif -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include -#include -#elif defined(__APPLE__) -#include -#include -#include -#endif + #define HAVE_AFFINITY 1 + #if defined(__FreeBSD__) || defined(__DragonFly__) + #include + #include + #if defined(__FreeBSD__) + #include + #endif + #define cpu_set_t cpuset_t + #elif defined(__NetBSD__) + #include + #include + #elif defined(__APPLE__) + #include + #include + #include + #endif #endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get CPU usage in microseconds. */ 
@@ -163,46 +163,46 @@ int main(int argc, char **argv) { if (!fr) { u32 util_perc; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) cpuset_t *c; c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#elif defined(__APPLE__) + #elif defined(__APPLE__) thread_affinity_policy_data_t c = {i}; thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, (thread_policy_t)&c, 1) != KERN_SUCCESS) PFATAL("thread_policy_set failed"); -#endif + #endif -#if defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity_np failed"); -#endif + #endif -#if defined(__NetBSD__) + #if defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) PFATAL("pthread_setaffinity_np failed"); cpuset_destroy(c); -#endif + #endif -#if defined(__linux__) + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { PFATAL("sched_setaffinity failed for cpu %d", i); } -#endif + #endif util_perc = measure_preemption(CTEST_CORE_TRG_MS); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index e024eb18..f5817293 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -56,8 +56,8 @@ #include #ifndef USEMMAP -#include -#include + #include + #include #endif static list_t shm_list = {.element_prealloc_count = 0}; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index ed59f2f5..560c8cf6 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
@@ -32,7 +32,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index e15dc72d..091e5177 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -30,7 +30,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" -- cgit 1.4.1 From 61779547733699dfe6710a74529e02d515364aa4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 12 May 2020 16:32:40 +0200 Subject: fix custom mutators and add real test cases --- examples/custom_mutators/README.md | 3 ++ examples/custom_mutators/example.py | 1 + examples/custom_mutators/simple_example.c | 74 +++++++++++++++++++++++++++++++ src/afl-fuzz-mutators.c | 25 ++++++----- test/test-multiple-mutators.c | 7 ++- test/test.sh | 21 ++++----- 6 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 examples/custom_mutators/simple_example.c diff --git a/examples/custom_mutators/README.md b/examples/custom_mutators/README.md index 6fc7be6c..99fb9da3 100644 --- a/examples/custom_mutators/README.md +++ b/examples/custom_mutators/README.md @@ -6,6 +6,9 @@ See [docs/custom_mutators.md](../docs/custom_mutators.md) for more information Note that if you compile with python3.7 you must use python3 scripts, and if you use python2.7 to compile python2 scripts! +simple_example.c - most simplest example. generates a random sized buffer + filled with 'A' + example.c - this is a simple example written in C and should be compiled to a shared library. Use make to compile it and produce libexamplemutator.so diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 9e95eed6..3c3fa8c1 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -21,6 +21,7 @@ COMMANDS = [ b"GET", b"PUT", b"DEL", + b"AAAAAAAAAAAAAAAAA", ] 
diff --git a/examples/custom_mutators/simple_example.c b/examples/custom_mutators/simple_example.c new file mode 100644 index 00000000..a351d787 --- /dev/null +++ b/examples/custom_mutators/simple_example.c @@ -0,0 +1,74 @@ +// This simple example just creates random buffer <= 100 filled with 'A' +// needs -I /path/to/AFLplusplus/include +#include "custom_mutator_helpers.h" + +#include +#include +#include +#include + +#ifndef _FIXED_CHAR + #define 0x41 +#endif + +typedef struct my_mutator { + + afl_t *afl; + + // Reused buffers: + BUF_VAR(u8, fuzz); + +} my_mutator_t; + +my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) { + + srand(seed); + my_mutator_t *data = calloc(1, sizeof(my_mutator_t)); + if (!data) { + + perror("afl_custom_init alloc"); + return NULL; + + } + + data->afl = afl; + + return data; + +} + +size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, + u8 **out_buf, uint8_t *add_buf, + size_t add_buf_size, // add_buf can be NULL + size_t max_size) { + + int size = (rand() % 100) + 1; + if (size > max_size) size = max_size; + u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), size); + if (!mutated_out) { + + *out_buf = NULL; + perror("custom mutator allocation (maybe_grow)"); + return 0; /* afl-fuzz will very likely error out after this. */ + + } + + memset(mutated_out, _FIXED_CHAR, size); + + *out_buf = mutated_out; + return size; + +} + +/** + * Deinitialize everything + * + * @param data The data ptr from afl_custom_init + */ +void afl_custom_deinit(my_mutator_t *data) { + + free(data->fuzz_buf); + free(data); + +} + diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 027add49..6bd13e2b 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
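Review bot: The fallback `#define 0x41` inside the `#ifndef _FIXED_CHAR` block has no macro name, so the file only compiles when `-D_FIXED_CHAR=...` is passed on the command line (as test.sh does) and fails with a preprocessor error otherwise; it should read `#define _FIXED_CHAR 0x41`. In `afl_custom_fuzz`, `size` is an `int` that is compared against and clamped by the `size_t` `max_size`, and it is then returned from a `size_t` function; `size_t size = (size_t)(rand() % 100) + 1;` keeps the clamp and the return type consistent and avoids the signed/unsigned comparison warning.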
@@ -117,7 +117,7 @@ void destroy_custom_mutators(afl_state_t *afl) { LIST_FOREACH_CLEAR(&afl->custom_mutator_list, struct custom_mutator, { if (!el->data) { FATAL("Deintializing NULL mutator"); } - el->afl_custom_deinit(el->data); + if (el->afl_custom_deinit) el->afl_custom_deinit(el->data); if (el->dh) dlclose(el->dh); if (el->pre_save_buf) { @@ -166,32 +166,37 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { } + /* "afl_custom_deinit", optional for backward compatibility */ + mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); + if (!mutator->afl_custom_deinit) WARNF("Symbol 'afl_custom_init' not found."); + /* "afl_custom_pre_save", optional */ mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); if (!mutator->afl_custom_pre_save) - WARNF("Symbol 'afl_custom_pre_save' not found."); + ACTF("optional symbol 'afl_custom_pre_save' not found."); u8 notrim = 0; /* "afl_custom_init_trim", optional */ mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); if (!mutator->afl_custom_init_trim) - WARNF("Symbol 'afl_custom_init_trim' not found."); + ACTF("optional symbol 'afl_custom_init_trim' not found."); /* "afl_custom_trim", optional */ mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); + if (!mutator->afl_custom_trim) + ACTF("optional symbol 'afl_custom_trim' not found."); /* "afl_custom_post_trim", optional */ mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); if (!mutator->afl_custom_post_trim) - WARNF("Symbol 'afl_custom_post_trim' not found."); + ACTF("optional symbol 'afl_custom_post_trim' not found."); if (notrim) { mutator->afl_custom_init_trim = NULL; mutator->afl_custom_trim = NULL; mutator->afl_custom_post_trim = NULL; - WARNF( + ACTF( "Custom mutator does not implement all three trim APIs, standard " "trimming will be used."); 
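Review bot: The newly added lookup for `afl_custom_deinit` reports the wrong symbol when it fails: `if (!mutator->afl_custom_deinit) WARNF("Symbol 'afl_custom_init' not found.");` should say `'afl_custom_deinit'`, otherwise a user who omits deinit is told that init is missing. The same copy-paste message survives in the later commit on this page that turns this line into a `FATAL` (hunk `@@ -162,13 +162,13 @@` of the "enforce mandatary custom functions" commit), so both should be corrected together. Treating deinit as optional here is consistent with the `if (el->afl_custom_deinit)` guard added in `destroy_custom_mutators` in the first hunk.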
@@ -200,23 +205,23 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); if (!mutator->afl_custom_havoc_mutation) - WARNF("Symbol 'afl_custom_havoc_mutation' not found."); + ACTF("optional symbol 'afl_custom_havoc_mutation' not found."); /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); if (!mutator->afl_custom_havoc_mutation_probability) - WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); + ACTF("optional symbol 'afl_custom_havoc_mutation_probability' not found."); /* "afl_custom_queue_get", optional */ mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); if (!mutator->afl_custom_queue_get) - WARNF("Symbol 'afl_custom_queue_get' not found."); + ACTF("optional symbol 'afl_custom_queue_get' not found."); /* "afl_custom_queue_new_entry", optional */ mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); if (!mutator->afl_custom_queue_new_entry) - WARNF("Symbol 'afl_custom_queue_new_entry' not found"); + ACTF("optional symbol 'afl_custom_queue_new_entry' not found"); OKF("Custom mutator '%s' installed successfully.", fn); diff --git a/test/test-multiple-mutators.c b/test/test-multiple-mutators.c index 0f6f5c64..dafc817c 100644 --- a/test/test-multiple-mutators.c +++ b/test/test-multiple-mutators.c @@ -12,11 +12,10 @@ int main(int argc, char **argv) { int a = 0; - char s[16]; - memset(s, 0, 16); - read(0, s, 0xa0); + char s[100]; + read(0, s, 100); - if (s[17] != '\x00') { abort(); } + if (s[7] == 'B') { abort(); } return 0; diff --git a/test/test.sh b/test/test.sh index 919d7a9c..1d06780b 100755 --- a/test/test.sh +++ b/test/test.sh 
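Review bot: `read(0, s, 100)` leaves `s` uninitialized on a short read and its return value is discarded, so `s[7] == 'B'` reads indeterminate bytes whenever the input is shorter than 8 bytes and the crash check becomes nondeterministic. Checking the count keeps the test deterministic: `ssize_t n = read(0, s, sizeof s);` followed by `if (n > 7 && s[7] == 'B') { abort(); }`. The removed `memset` was what previously made short inputs well-defined, so dropping it without a length check is a regression in a test whose purpose is to detect a crash reliably.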
@@ -970,16 +970,17 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { } } # Compile the custom mutator - make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1 - test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { + cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 + test -e test-custom-mutator -a -e ./libexamplemutator.so && { # Create input directory mkdir -p in echo "00000" > in/in # Run afl-fuzz w/ the C mutator - $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 5 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results 
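Review bot: Both `cc` invocations discard their output and exit status, and the guard that follows checks only `./libexamplemutator.so`, so a failed build of `libexamplemutator2.so` is not noticed until the multiple-mutator run further down fails with an unrelated-looking error. Extending the guard to `test -e test-custom-mutator -a -e ./libexamplemutator.so -a -e ./libexamplemutator2.so && {` reports the build failure where it happens. The `-V1` budget is much shorter than the previous `-V10`; presumably `AFL_CUSTOM_MUTATOR_ONLY=1` makes the expected result reachable that fast, but on a slow CI runner one second may be tight.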
@@ -996,10 +997,10 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # Clean rm -rf out errors - #Run afl-fuzz w/ multiple C mutators - $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 20 seconds" + # Run afl-fuzz w/ multiple C mutators + $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 5 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="${CUSTOM_MUTATOR_PATH}/libexamplemutator.so;${CUSTOM_MUTATOR_PATH}/libexamplemutator.so" ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here @@ -1016,11 +1017,11 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { rm -rf out errors # Run afl-fuzz w/ the Python mutator - $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 5 seconds" { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V5 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 @@ -1039,7 +1040,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # Clean rm -rf in out errors rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/ - rm -f test-multiple-mutators + rm -f test-multiple-mutators test-custom-mutator libexamplemutator.so libexamplemutator2.so } || { ls . ls ${CUSTOM_MUTATOR_PATH} -- cgit 1.4.1 From 060f4ea320b2417bab2f153779b248698544f536 Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Tue, 12 May 2020 17:05:12 +0200 Subject: enforce mandatary custom functions --- docs/custom_mutators.md | 22 +++++++++++++++------- src/afl-fuzz-mutators.c | 6 +++--- src/afl-fuzz-python.c | 8 ++++++++ 3 files changed, 26 insertions(+), 10 deletions(-) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 3cd874b9..c044be0c 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -84,13 +84,16 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): - `queue_get` (optional): - This method determines whether the fuzzer should fuzz the current queue - entry or not + This method determines whether the custom fuzzer should fuzz the current + queue entry or not -- `fuzz` (required): +- `fuzz` (optional): This method performs custom mutations on a given input. It also accepts an additional test case. + Note that this function is optional - but it makes sense to use it. + You would only skip this if `pre_send` is used to fix checksums etc. + so you are using it e.g. as a post processing library. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -114,6 +117,13 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): This methods is called after adding a new test case to the queue. +- `deinit`: + + The last method to be called, deinitializing the state. + +Note that there are also three functions for trimming as described in the +next section. + ### Trimming Support The generic trimming routines implemented in AFL++ can easily destroy the 
@@ -160,10 +170,8 @@ trimmed input. Here's a quick API description: In any case, this method must return the next trim iteration index (from 0 to the maximum amount of steps you returned in `init_trim`). -`deinit` the last method to be called, deinitializing the state. - -Omitting any of three methods will cause the trimming to be disabled and trigger -a fallback to the builtin default trimming routine. +Omitting any of three trimming methods will cause the trimming to be disabled +and trigger a fallback to the builtin default trimming routine. ### Environment Variables diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 6bd13e2b..2c2efc94 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -151,7 +151,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) FATAL("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); @@ -162,13 +162,13 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); if (!mutator->afl_custom_fuzz) - FATAL("Symbol 'afl_custom_mutator' not found."); + WARNF("Symbol 'afl_custom_mutator' not found."); } /* "afl_custom_deinit", optional for backward compatibility */ mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!mutator->afl_custom_deinit) WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); /* "afl_custom_pre_save", optional */ mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); 
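Review bot: The comments above the `afl_custom_init` and `afl_custom_deinit` lookups still say `optional for backward compatibility` while both lookups now `FATAL` when the symbol is missing, so comment and behavior contradict each other; they should read `/* "afl_custom_init", required */` and `/* "afl_custom_deinit", required */`. The `afl_custom_deinit` FATAL message also still names `'afl_custom_init'`. In the same hunk the `afl_custom_mutator` fallback is downgraded from `FATAL` to `WARNF`, so `mutator->afl_custom_fuzz` can now be NULL; presumably every call site guards against that, but those call sites are outside this hunk, and a comment such as `/* fuzz is optional; callers must check for NULL */` would document the new contract.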
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 1084e4f1..460d6683 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -135,7 +135,13 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { u8 py_notrim = 0, py_idx; /* init, required */ py_functions[PY_FUNC_INIT] = PyObject_GetAttrString(py_module, "init"); + if (!py_functions[PY_FUNC_INIT]) + FATAL("init function not found in python module"); py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz"); + if (!py_functions[PY_FUNC_FUZZ]) + py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); + if (!py_functions[PY_FUNC_FUZZ]) + WARNF("fuzz function not found in python module"); py_functions[PY_FUNC_PRE_SAVE] = PyObject_GetAttrString(py_module, "pre_save"); py_functions[PY_FUNC_INIT_TRIM] = @@ -152,6 +158,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_QUEUE_NEW_ENTRY] = PyObject_GetAttrString(py_module, "queue_new_entry"); py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit"); + if (!py_functions[PY_FUNC_DEINIT]) + FATAL("deinit function not found in python module"); for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { -- cgit 1.4.1 From 72f4a9f678bea33826a40c1586a79b7ef7a6da15 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 12 May 2020 19:40:04 +0200 Subject: missing env var --- docs/custom_mutators.md | 2 +- src/afl-common.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index c044be0c..b15039d4 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
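Review bot: When the `"fuzz"` attribute is missing, `PyObject_GetAttrString` leaves an `AttributeError` pending, and the newly added fallback lookup of `"mutate"` is made with that exception still set; a `PyErr_Clear();` before the second `PyObject_GetAttrString` keeps the interpreter state clean for the fallback. The surrounding lookups in this function follow the same unchecked pattern, so presumably the loop over `py_functions` below clears these errors, but that loop's body is outside the hunk and I could not confirm it. The new `FATAL` for a missing `deinit` matches the C loader change in the same commit.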
@@ -110,7 +110,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): protobuf format which corresponds to a given grammar. In order to execute the target, the protobuf data must be converted to the plain-text format expected by the target. In such scenarios, the user can define the - `pre_save` function. This function is then transforms the data into the + `pre_save` function. This function is then transforming the data into the format expected by the API before executing the target. - `queue_new_entry` (optional): diff --git a/src/afl-common.c b/src/afl-common.c index 5b7f2ff3..74fd6b27 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -72,7 +72,7 @@ char *afl_environment_variables[] = { "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", - "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", + "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally -- cgit 1.4.1 From 6224ae1c6004d52b230aa6dd6694c7d57dc49627 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 May 2020 20:59:48 +0200 Subject: test/test.sh: prefer python3 over python for unicornafl, avoid realpath and readlink dependencies --- test/test.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/test/test.sh b/test/test.sh index 1d06780b..8e6c277f 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -883,7 +883,7 @@ test -d ../unicorn_mode/unicornafl && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { # travis workaround - PY=`command -v python` + PY=`command -v python3 || command -v python` test "$PY" = "/opt/pyenv/shims/python" -a -x /usr/bin/python && PY=/usr/bin/python mkdir -p in echo 0 > in/in @@ -942,11 +942,8 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$BLUE[*] Testing: custom mutator" test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { - test `uname -s` = 'Darwin' && { - CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) - } || { - CUSTOM_MUTATOR_PATH=$( readlink -f ../examples/custom_mutators ) - } + # normalize path + CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../examples/custom_mutators;pwd) test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { unset AFL_CC # Compile the vulnerable program for single mutator -- cgit 1.4.1 From 0c1c947aaf758368558dadd027b8a6503ba2c20f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 12 May 2020 22:42:41 +0200 Subject: updated uc ref --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- unicorn_mode/update_uc_ref.sh | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 336c171b..bb3959ea 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -a5b7900 +5833117 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a5b79002..5833117a 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a5b79002ca18219c83f9aec4e71007917c6be2e0 +Subproject commit 5833117abf55d54c4191ead81312764df03a48bc diff --git a/unicorn_mode/update_uc_ref.sh b/unicorn_mode/update_uc_ref.sh index 486f37d6..21450e69 100755 --- a/unicorn_mode/update_uc_ref.sh 
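Review bot: `CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../examples/custom_mutators;pwd)` does not quote the path and ignores a failed `cd`, so a checkout path containing spaces splits the argument, and in any failure case `pwd` silently yields the current directory instead of an empty value. `CUSTOM_MUTATOR_PATH=$(cd "$(pwd)/../examples/custom_mutators" && pwd)` leaves the variable empty on failure so the `test -e ${CUSTOM_MUTATOR_PATH}/example.c` guard below fails as intended. With `PY` now preferring `python3`, the travis workaround that compares against `/opt/pyenv/shims/python` no longer matches a `python3` shim; presumably that is acceptable, but the check may now be dead on that platform.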
+++ b/unicorn_mode/update_uc_ref.sh @@ -24,6 +24,7 @@ cd ./unicornafl || exit 1 git fetch origin master 1>/dev/null || exit 1 git stash 1>/dev/null 2>/dev/null git stash drop 1>/dev/null 2>/dev/null +git checkout master if [ -z "$NEW_VERSION" ]; then # No version provided, take HEAD. -- cgit 1.4.1 From 5273c61cd84fb5db4bd4c97509f60511c7a9bb6d Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 May 2020 23:19:51 +0200 Subject: Darwin tests: grep --binary-files=text for laf-intel and skipping of unittests --- GNUmakefile | 11 ++++++++++- test/test.sh | 2 +- unicorn_mode/unicornafl | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index d3e9275c..95bc1072 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -252,7 +252,7 @@ help: @echo "deepclean: cleans everything including downloads" @echo "code-format: format the code, do this before you commit and send a PR please!" @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem" - @echo "unit: perform unit tests (based on cmocka)" + @echo "unit: perform unit tests (based on cmocka and GNU linker)" @echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations" @echo "help: shows these build options :-)" @echo "==========================================" @@ -385,8 +385,17 @@ unit_preallocable: test/unittests/unit_preallocable.o unit_clean: @rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o +ifneq "$(shell uname)" "Darwin" + unit: unit_maybe_alloc unit_preallocable unit_list unit_clean +else + +unit: + @echo [-] unit tests are skipped on Darwin \(lacks GNU linker feature --wrap\) + +endif + code-format: ./.custom-format.py -i src/*.c ./.custom-format.py -i include/*.h diff --git a/test/test.sh b/test/test.sh index 8e6c277f..6c05571b 100755 --- a/test/test.sh 
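Review bot: The added `git checkout master` is the only git command in this block whose exit status is not checked, while `cd ./unicornafl` and the `git fetch` above it use `|| exit 1`; if the checkout fails (for example because of a local change the preceding `git stash` did not clear), the script continues on whatever ref happens to be checked out. Making it `git checkout master 1>/dev/null || exit 1` keeps it consistent with the surrounding lines.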
+++ b/test/test.sh @@ -355,7 +355,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { - grep -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { + grep --binary-files=text -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" } || { $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 5833117a..a5b79002 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 5833117abf55d54c4191ead81312764df03a48bc +Subproject commit a5b79002ca18219c83f9aec4e71007917c6be2e0 -- cgit 1.4.1 From f8b3d34225102158ed585130e3de08772e989b53 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 13 May 2020 00:41:24 +0200 Subject: move has_new_bits for better performance --- src/afl-fuzz-run.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4a22dad6..468b5fc6 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -191,7 +191,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 handicap, u8 from_queue) { - u8 fault = 0, new_bits = 0, var_detected = 0, + u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, first_run = (q->exec_cksum == 0); u64 start_us, stop_us; @@ -236,7 +236,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (q->exec_cksum) { memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); - u8 hnb = has_new_bits(afl, afl->virgin_bits); + hnb = has_new_bits(afl, afl->virgin_bits); if (hnb > new_bits) { new_bits = hnb; } } 
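Review bot: This hunk moves the `unicorn_mode/unicornafl` submodule from `5833117a` back to `a5b79002`, which undoes the "updated uc ref" commit earlier on this page, in a commit whose subject is about `grep --binary-files=text` on Darwin. `unicorn_mode/UNICORNAFL_VERSION`, which that earlier commit set to `5833117`, is not touched here, so the version file and the submodule pointer now disagree. If the revert is unintentional the hunk should be dropped; if it is intentional, the version file needs the matching update and the commit message should say so.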
@@ -271,11 +271,11 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - u8 hnb = has_new_bits(afl, afl->virgin_bits); - if (hnb > new_bits) { new_bits = hnb; } - if (q->exec_cksum != cksum) { + hnb = has_new_bits(afl, afl->virgin_bits); + if (hnb > new_bits) { new_bits = hnb; } + if (q->exec_cksum) { u32 i; -- cgit 1.4.1 From 9627458ecc61783aa1f8bf76835abe00c4107739 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Wed, 13 May 2020 18:59:12 +0530 Subject: Add post library API as custom mutator and rename pre_save --- docs/custom_mutators.md | 12 ++++++------ examples/custom_mutators/example.c | 24 +++++++++++------------ examples/custom_mutators/example.py | 2 +- examples/post_library/post_library.so.c | 2 +- examples/post_library/post_library_png.so.c | 2 +- include/afl-fuzz.h | 22 ++++++++++----------- src/afl-fuzz-cmplog.c | 11 ----------- src/afl-fuzz-init.c | 24 ++++++++++++++--------- src/afl-fuzz-mutators.c | 18 +++++++++-------- src/afl-fuzz-python.c | 30 ++++++++++++++--------------- src/afl-fuzz-run.c | 20 ++++--------------- src/afl-fuzz-state.c | 1 - 12 files changed, 75 insertions(+), 93 deletions(-) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index b15039d4..9424af9c 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -33,7 +33,7 @@ C/C++: ```c void *afl_custom_init(afl_t *afl, unsigned int seed); size_t afl_custom_fuzz(void *data, uint8_t *buf, size_t buf_size, u8 **out_buf, uint8_t *add_buf, size_t add_buf_size, size_t max_size); -size_t afl_custom_pre_save(void *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf); +size_t afl_custom_post_process(void *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf); int32_t afl_custom_init_trim(void *data, uint8_t *buf, size_t buf_size); size_t afl_custom_trim(void *data, uint8_t **out_buf); int32_t afl_custom_post_trim(void *data, int success) { 
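Review bot: Moving `has_new_bits()` under `if (q->exec_cksum != cksum)` means `virgin_bits` is no longer updated from a run whose checksum equals the stored one, which is only correct if every trace whose checksum ends up in `q->exec_cksum` was itself passed through `has_new_bits()`; that assignment happens outside this hunk, and `calibrate_case` continues past the hunk on both sides, so the invariant is worth confirming. A short comment at the moved call would make the reasoning visible, for example `/* identical trace bits were already folded into virgin_bits when q->exec_cksum was set; only rescan on a change */`. Hoisting `hnb` into the declaration list in the first hunk leaves it shared across loop iterations, which is harmless since it is assigned before every read.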
@@ -51,7 +51,7 @@ def init(seed): def fuzz(buf, add_buf, max_size): return mutated_out -def pre_save(buf): +def post_process(buf): return out_buf def init_trim(buf): @@ -92,7 +92,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): This method performs custom mutations on a given input. It also accepts an additional test case. Note that this function is optional - but it makes sense to use it. - You would only skip this if `pre_send` is used to fix checksums etc. + You would only skip this if `post_process` is used to fix checksums etc. so you are using it e.g. as a post processing library. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -102,7 +102,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): `havoc_mutation_probability`, returns the probability that `havoc_mutation` is called in havoc. By default, it is 6%. -- `pre_save` (optional): +- `post_process` (optional): For some cases, the format of the mutated data returned from the custom mutator is not suitable to directly execute the target with this input. @@ -110,7 +110,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): protobuf format which corresponds to a given grammar. In order to execute the target, the protobuf data must be converted to the plain-text format expected by the target. In such scenarios, the user can define the - `pre_save` function. This function is then transforming the data into the + `post_process` function. This function is then transforming the data into the format expected by the API before executing the target. - `queue_new_entry` (optional): 
@@ -222,7 +222,7 @@ For C/C++ mutator, the source code must be compiled as a shared object: gcc -shared -Wall -O3 example.c -o example.so ``` Note that if you specify multiple custom mutators, the corresponding functions will -be called in the order in which they are specified. e.g first `pre_save` function of +be called in the order in which they are specified. e.g first `post_process` function of `example_first.so` will be called and then that of `example_second.so` ### Run diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index c8200b26..c9be3e0c 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -38,7 +38,7 @@ typedef struct my_mutator { BUF_VAR(u8, data); BUF_VAR(u8, havoc); BUF_VAR(u8, trim); - BUF_VAR(u8, pre_save); + BUF_VAR(u8, post_process); } my_mutator_t; @@ -139,11 +139,11 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, * @return Size of the output buffer after processing or the needed amount. * A return of 0 indicates an error. */ -size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, +size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf) { - uint8_t *pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5); - if (!pre_save_buf) { + uint8_t *post_process_buf = maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); + if (!post_process_buf) { perror("custom mutator realloc failed."); *out_buf = NULL; 
@@ -151,14 +151,14 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, } - memcpy(pre_save_buf + 5, buf, buf_size); - pre_save_buf[0] = 'A'; - pre_save_buf[1] = 'F'; - pre_save_buf[2] = 'L'; - pre_save_buf[3] = '+'; - pre_save_buf[4] = '+'; + memcpy(post_process_buf + 5, buf, buf_size); + post_process_buf[0] = 'A'; + post_process_buf[1] = 'F'; + post_process_buf[2] = 'L'; + post_process_buf[3] = '+'; + post_process_buf[4] = '+'; - *out_buf = pre_save_buf; + *out_buf = post_process_buf; return buf_size + 5; @@ -364,7 +364,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data, */ void afl_custom_deinit(my_mutator_t *data) { - free(data->pre_save_buf); + free(data->post_process_buf); free(data->havoc_buf); free(data->data_buf); free(data->fuzz_buf); diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 3c3fa8c1..cf659e5a 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -120,7 +120,7 @@ def fuzz(buf, add_buf, max_size): # # return next_index # -# def pre_save(buf): +# def post_process(buf): # ''' # Called just before the execution to write the test case in the format # expected by the target diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c index 0aa780cb..69fb221e 100644 --- a/examples/post_library/post_library.so.c +++ b/examples/post_library/post_library.so.c @@ -83,7 +83,7 @@ typedef struct post_state { } post_state_t; -void *afl_postprocess_init(void *afl) { +void *afl_postprocess_init(void *afl, unsigned int seed{ post_state_t *state = malloc(sizeof(post_state_t)); if (!state) { diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c index 41ba4f5e..b29afd62 100644 --- a/examples/post_library/post_library_png.so.c +++ b/examples/post_library/post_library_png.so.c 
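Review bot: The new prototype `void *afl_postprocess_init(void *afl, unsigned int seed{` in post_library.so.c is missing the closing parenthesis and does not compile; it should read `void *afl_postprocess_init(void *afl, unsigned int seed) {`, exactly as the parallel change in post_library_png.so.c has it (the follow-up commit 45bddcd8 on this page corrects it). The `seed` parameter is added to match the custom-mutator `afl_custom_init` signature; if the example does not consume it, say so with a short comment such as `/* seed: unused by this example, present for API compatibility */` so the next reader does not hunt for a missing PRNG setup.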
@@ -43,7 +43,7 @@ typedef struct post_state { } post_state_t; -void *afl_postprocess_init(void *afl) { +void *afl_postprocess_init(void *afl, unsigned int seed) { post_state_t *state = malloc(sizeof(post_state_t)); if (!state) { diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 421413ca..057f78c2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -260,7 +260,7 @@ enum { /* 00 */ PY_FUNC_INIT, /* 01 */ PY_FUNC_FUZZ, - /* 02 */ PY_FUNC_PRE_SAVE, + /* 02 */ PY_FUNC_post_process, /* 03 */ PY_FUNC_INIT_TRIM, /* 04 */ PY_FUNC_POST_TRIM, /* 05 */ PY_FUNC_TRIM, @@ -283,8 +283,8 @@ typedef struct py_mutator { u8 * fuzz_buf; size_t fuzz_size; - u8 * pre_save_buf; - size_t pre_save_size; + u8 * post_process_buf; + size_t post_process_size; u8 * trim_buf; size_t trim_size; @@ -545,11 +545,9 @@ typedef struct afl_state { struct extra_data *a_extras; /* Automatically selected extras */ u32 a_extras_cnt; /* Total number of tokens available */ - /* afl_postprocess API */ - void *(*post_init)(struct afl_state *afl); - size_t (*post_handler)(void *data, u8 *buf, u32 len, u8 **out_buf); - void *(*post_deinit)(void *data); - void *post_data; + /* afl_postprocess API - Now supported via custom mutators */ + + struct custom_mutator * post_library_mutator; /* CmpLog */ @@ -623,8 +621,8 @@ struct custom_mutator { const char *name; void * dh; - u8 * pre_save_buf; - size_t pre_save_size; + u8 * post_process_buf; + size_t post_process_size; u8 stacked_custom_prob, stacked_custom; void *data; /* custom mutator data ptr */ @@ -675,7 +673,7 @@ struct custom_mutator { * It can chose to alter buf in-place, if the space is large enough. * @return Size of the output buffer. */ - size_t (*afl_custom_pre_save)(void *data, u8 *buf, size_t buf_size, + size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size, u8 **out_buf); /** 
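Review bot: Replacing the `post_handler` pointer, whose third parameter was `u32 len`, with a `struct custom_mutator` whose `afl_custom_post_process` takes `size_t buf_size` changes the call ABI of the legacy `afl_postprocess` symbol that setup_post still resolves by name. If the existing post libraries keep a `u32` length parameter, the fuzzer now calls them through an incompatible function-pointer type, which is undefined behaviour even where it happens to work on LP64 targets. The header should state the new contract next to the field, e.g. `/* legacy AFL_POST_LIBRARY: afl_postprocess is bound to afl_custom_post_process and must take a size_t length */`, and the shipped post_library examples should be checked against it.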
@@ -825,7 +823,7 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf, struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); -size_t pre_save_py(void *, u8 *, size_t, u8 **); +size_t post_process_py(void *, u8 *, size_t, u8 **); s32 init_trim_py(void *, u8 *, size_t); s32 post_trim_py(void *, u8); size_t trim_py(void *, u8 **); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 9452fa90..4be6a2c8 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -51,17 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } write_to_testcase(afl, out_buf, len); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 78b92368..2686d014 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -297,12 +297,16 @@ void setup_post(afl_state_t *afl) { dh = dlopen(fn, RTLD_NOW); if (!dh) { FATAL("%s", dlerror()); } - afl->post_handler = dlsym(dh, "afl_postprocess"); - if (!afl->post_handler) { FATAL("Symbol 'afl_postprocess' not found."); } - afl->post_init = dlsym(dh, "afl_postprocess_init"); - if (!afl->post_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } - afl->post_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!afl->post_deinit) { + struct custom_mutator * mutator; + mutator = ck_alloc(sizeof(struct custom_mutator)); + memset(mutator, 0, sizeof(struct custom_mutator)); + + mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); + if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess' not found."); } + mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); + if (!mutator->afl_custom_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } + mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); + if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess_deinit' not found."); @@ -311,16 +315,18 @@ void setup_post(afl_state_t *afl) { /* Do a quick test. It's better to segfault now than later =) */ u8 *post_buf = NULL; - afl->post_data = afl->post_init(afl); - if (!afl->post_data) { FATAL("Could not initialize post handler."); } + mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); + if (!mutator->data) { FATAL("Could not initialize post handler."); } - size_t post_len = afl->post_handler(afl->post_data, tbuf, tlen, &post_buf); + size_t post_len = mutator->afl_custom_post_process(mutator->data, tbuf, tlen, &post_buf); if (!post_len || !post_buf) { SAYF("Empty return in test post handler for buf=\"hello\\0\"."); } + afl->post_library_mutator = mutator; + OKF("Postprocessor installed successfully."); } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 2c2efc94..acc1b12d 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
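Review bot: The check after `mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit");` tests the wrong field: it re-tests `afl_custom_post_process`, which the preceding check already guaranteed non-NULL, so a missing `afl_postprocess_deinit` is never detected and that FATAL is dead code; it should read `if (!mutator->afl_custom_deinit) {`. The same copy-paste survives the reformat in the later `@@ -297,14 +297,24` hunk of setup_post and the `@@ -311,22 +311,17` hunk that turns it into a WARNF. Separately, the hunk never stores the handle, so unless `mutator->dh = dh;` is assigned outside the hunk, the `dlclose(el->dh)` in destroy_custom_mutators is skipped for the post library and the handle stays open for the process lifetime.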
@@ -108,6 +108,8 @@ void setup_custom_mutators(afl_state_t *afl) { #endif + if (afl->post_library_mutator) list_append(&afl->custom_mutator_list, afl->post_library_mutator); + } void destroy_custom_mutators(afl_state_t *afl) { @@ -120,11 +122,11 @@ void destroy_custom_mutators(afl_state_t *afl) { if (el->afl_custom_deinit) el->afl_custom_deinit(el->data); if (el->dh) dlclose(el->dh); - if (el->pre_save_buf) { + if (el->post_process_buf) { - ck_free(el->pre_save_buf); - el->pre_save_buf = NULL; - el->pre_save_size = 0; + ck_free(el->post_process_buf); + el->post_process_buf = NULL; + el->post_process_size = 0; } @@ -170,10 +172,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); - /* "afl_custom_pre_save", optional */ - mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); - if (!mutator->afl_custom_pre_save) - ACTF("optional symbol 'afl_custom_pre_save' not found."); + /* "afl_custom_post_process", optional */ + mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); + if (!mutator->afl_custom_post_process) + ACTF("optional symbol 'afl_custom_post_process' not found."); u8 notrim = 0; /* "afl_custom_init_trim", optional */ diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 460d6683..984561fd 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c 
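Review bot: The new `list_append` silently depends on `setup_post` having run before `setup_custom_mutators`; that ordering is not visible here and deserves a comment such as `/* setup_post() must already have run: the legacy post library is registered as a post_process-only mutator */`. Because that mutator only carries `afl_custom_post_process`, `afl_custom_init` and `afl_custom_deinit`, every consumer of `custom_mutator_list` has to NULL-check the remaining callbacks the way write_to_testcase does for `afl_custom_post_process`; I cannot see from this hunk whether the fuzz, havoc and trim call sites do.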
@@ -142,8 +142,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); if (!py_functions[PY_FUNC_FUZZ]) WARNF("fuzz function not found in python module"); - py_functions[PY_FUNC_PRE_SAVE] = - PyObject_GetAttrString(py_module, "pre_save"); + py_functions[PY_FUNC_post_process] = + PyObject_GetAttrString(py_module, "post_process"); py_functions[PY_FUNC_INIT_TRIM] = PyObject_GetAttrString(py_module, "init_trim"); py_functions[PY_FUNC_POST_TRIM] = @@ -165,9 +165,9 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { if (!py_functions[py_idx] || !PyCallable_Check(py_functions[py_idx])) { - if (py_idx == PY_FUNC_PRE_SAVE) { + if (py_idx == PY_FUNC_post_process) { - // Implenting the pre_save API is optional for now + // Implenting the post_process API is optional for now if (PyErr_Occurred()) { PyErr_Print(); } } else if (py_idx >= PY_FUNC_INIT_TRIM && py_idx <= PY_FUNC_TRIM) { @@ -309,8 +309,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->pre_save_buf = NULL; - mutator->pre_save_size = 0; + mutator->post_process_buf = NULL; + mutator->post_process_size = 0; mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); @@ -330,9 +330,9 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, is quite different from the custom mutator. */ mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_PRE_SAVE]) { + if (py_functions[PY_FUNC_post_process]) { - mutator->afl_custom_pre_save = pre_save_py; + mutator->afl_custom_post_process = post_process_py; } 
@@ -384,7 +384,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; @@ -395,14 +395,14 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { if (!py_value) { Py_DECREF(py_args); - FATAL("Failed to convert arguments in custom pre_save"); + FATAL("Failed to convert arguments in custom post_process"); } PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_PRE_SAVE], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_post_process], py_args); Py_DECREF(py_args); @@ -410,18 +410,18 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { py_out_buf_size = PyByteArray_Size(py_value); - ck_maybe_grow(BUF_PARAMS(pre_save), py_out_buf_size); + ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->pre_save_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), py_out_buf_size); Py_DECREF(py_value); - *out_buf = py->pre_save_buf; + *out_buf = py->post_process_buf; return py_out_buf_size; } else { PyErr_Print(); - FATAL("Python custom mutator: pre_save call failed."); + FATAL("Python custom mutator: post_process call failed."); } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 468b5fc6..d9adb792 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -97,10 +97,10 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - if (el->afl_custom_pre_save) { + if (el->afl_custom_post_process) { new_size = - el->afl_custom_pre_save(el->data, new_mem, new_size, &new_buf); + el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); } 
@@ -110,7 +110,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { if (unlikely(!new_buf && (new_size <= 0))) { - FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size); + FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size); } else if (likely(new_buf)) { @@ -119,7 +119,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { } else { - /* custom mutators do not has a custom_pre_save function */ + /* custom mutators do not has a custom_post_process function */ afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); } @@ -690,18 +690,6 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 4f5389e3..316f9bd9 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -371,7 +371,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { void afl_state_deinit(afl_state_t *afl) { - if (afl->post_deinit) { afl->post_deinit(afl->post_data); } if (afl->in_place_resume) { ck_free(afl->in_dir); } if (afl->sync_id) { ck_free(afl->out_dir); } if (afl->pass_stats) { ck_free(afl->pass_stats); } -- cgit 1.4.1 From 45bddcd8082eedeeb09500d764c540bc02ec0d74 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Wed, 13 May 2020 19:25:23 +0530 Subject: Fix bugs, remove intial post library test --- examples/post_library/post_library.so.c | 2 +- include/afl-fuzz.h | 2 +- src/afl-fuzz-init.c | 7 ------- 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c index 69fb221e..d9504b23 100644 --- a/examples/post_library/post_library.so.c 
+++ b/examples/post_library/post_library.so.c @@ -83,7 +83,7 @@ typedef struct post_state { } post_state_t; -void *afl_postprocess_init(void *afl, unsigned int seed{ +void *afl_postprocess_init(void *afl, unsigned int seed) { post_state_t *state = malloc(sizeof(post_state_t)); if (!state) { diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 057f78c2..cf8ef735 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -260,7 +260,7 @@ enum { /* 00 */ PY_FUNC_INIT, /* 01 */ PY_FUNC_FUZZ, - /* 02 */ PY_FUNC_post_process, + /* 02 */ PY_FUNC_POST_PROCESS, /* 03 */ PY_FUNC_INIT_TRIM, /* 04 */ PY_FUNC_POST_TRIM, /* 05 */ PY_FUNC_TRIM, diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 2686d014..33c00c7a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -318,13 +318,6 @@ void setup_post(afl_state_t *afl) { mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); if (!mutator->data) { FATAL("Could not initialize post handler."); } - size_t post_len = mutator->afl_custom_post_process(mutator->data, tbuf, tlen, &post_buf); - if (!post_len || !post_buf) { - - SAYF("Empty return in test post handler for buf=\"hello\\0\"."); - - } - afl->post_library_mutator = mutator; OKF("Postprocessor installed successfully."); -- cgit 1.4.1 From 645e331559d01d234be231a7f5076c2ad658b159 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Wed, 13 May 2020 19:46:30 +0530 Subject: Fix previous commit bugs --- src/afl-fuzz-init.c | 1 - src/afl-fuzz-python.c | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 33c00c7a..aea22f48 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -314,7 +314,6 @@ void setup_post(afl_state_t *afl) { /* Do a quick test. It's better to segfault now than later =) */ - u8 *post_buf = NULL; mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); if (!mutator->data) { FATAL("Could not initialize post handler."); } 
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 984561fd..2569cdaf 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -142,7 +142,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); if (!py_functions[PY_FUNC_FUZZ]) WARNF("fuzz function not found in python module"); - py_functions[PY_FUNC_post_process] = + py_functions[PY_FUNC_POST_PROCESS] = PyObject_GetAttrString(py_module, "post_process"); py_functions[PY_FUNC_INIT_TRIM] = PyObject_GetAttrString(py_module, "init_trim"); @@ -165,7 +165,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { if (!py_functions[py_idx] || !PyCallable_Check(py_functions[py_idx])) { - if (py_idx == PY_FUNC_post_process) { + if (py_idx == PY_FUNC_POST_PROCESS) { // Implenting the post_process API is optional for now if (PyErr_Occurred()) { PyErr_Print(); } @@ -330,7 +330,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, is quite different from the custom mutator. */ mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_post_process]) { + if (py_functions[PY_FUNC_POST_PROCESS]) { mutator->afl_custom_post_process = post_process_py; @@ -402,7 +402,7 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_post_process], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], py_args); Py_DECREF(py_args); -- cgit 1.4.1 From 6fdd6004f2b41ebb5bcd97cfaf9d26ec0bba652f Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 13 May 2020 16:39:25 +0000 Subject: unicornafl build script: fix sed call for OpenBSD, use present python bug fixes: --- unicorn_mode/build_unicorn_support.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index aeb26945..bbfd151c 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -65,7 +65,7 @@ if [ ! -f "../afl-showmap" ]; then fi -PYTHONBIN=python +PYTHONBIN=`command -v python3 || command -v python || echo python` MAKECMD=make EASY_INSTALL='easy_install' TARCMD=tar @@ -111,7 +111,7 @@ if ! command -v $EASY_INSTALL >/dev/null; then # work around for installs with executable easy_install EASY_INSTALL_FOUND=0 - MYPYTHONPATH=`python -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p}'` + MYPYTHONPATH=`${PYTHONBIN} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` for PATHCANDIDATE in \ "dist-packages/" \ "site-packages/" -- cgit 1.4.1 From c384a17b4181553d9e7c56fbafd6c8e934e6beed Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 13 May 2020 16:42:20 +0000 Subject: GNUmakefile: add paths /usr/local/... for OpenBSD, add check for ASAN --- GNUmakefile | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 95bc1072..390c4cfa 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -89,6 +89,11 @@ override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations\ -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" +ifeq "$(shell uname -s)" "OpenBSD" + override CFLAGS += -I /usr/local/include/ + LDFLAGS += -L /usr/local/lib/ +endif + AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) ifneq "$(shell command -v python3m 2>/dev/null)" "" 
@@ -200,13 +205,15 @@ ifeq "$(shell svn proplist . 2>/dev/null && echo 1 || echo 0)" "1" IN_REPO=1 endif -ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer -ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer +ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=address -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" + ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer + ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer +endif ifdef ASAN_BUILD - $(info Compiling ASAN version of binaries) - CFLAGS+=$(ASAN_CFLAGS) - LDFLAGS+=$(ASAN_LDFLAGS) + $(info Compiling ASAN version of binaries) + CFLAGS+=$(ASAN_CFLAGS) + LDFLAGS+=$(ASAN_LDFLAGS) endif ifeq "$(shell echo '$(HASH)include @$(HASH)include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" -- cgit 1.4.1 From 60a5df52623802ccadd0691b812761b3f4a9120e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 13 May 2020 16:49:00 +0200 Subject: code-format and slight -S/-M modifications --- examples/custom_mutators/example.c | 7 ++++--- include/afl-fuzz.h | 9 ++++---- src/afl-fuzz-cmplog.c | 1 - src/afl-fuzz-init.c | 42 ++++++++++++++++++++++---------------- src/afl-fuzz-mutators.c | 3 ++- src/afl-fuzz-python.c | 9 +++++--- src/afl-fuzz.c | 14 +++++-------- 7 files changed, 46 insertions(+), 39 deletions(-) diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index c9be3e0c..23add128 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c 
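Review bot: When the new `-fsanitize=address` probe fails, `ASAN_CFLAGS` and `ASAN_LDFLAGS` stay empty, yet the `ifdef ASAN_BUILD` block still prints `Compiling ASAN version of binaries` and produces un-instrumented binaries, so an explicitly requested sanitizer build degrades silently. Fail loudly inside that block instead, e.g. `ifeq "$(ASAN_CFLAGS)" ""` / `$(error ASAN_BUILD requested but $(CC) does not support -fsanitize=address)` / `endif`. The probe also runs on every make invocation, including `clean`, and leaves `.test2` behind if interrupted; the existing shmget probe below does the same, so that is pre-existing style rather than a regression.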
@@ -139,10 +139,11 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, * @return Size of the output buffer after processing or the needed amount. * A return of 0 indicates an error. */ -size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, size_t buf_size, - uint8_t **out_buf) { +size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, + size_t buf_size, uint8_t **out_buf) { - uint8_t *post_process_buf = maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); + uint8_t *post_process_buf = + maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); if (!post_process_buf) { perror("custom mutator realloc failed."); diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index cf8ef735..a1aa58d6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -407,7 +407,9 @@ typedef struct afl_state { no_unlink, /* do not unlink cur_input */ debug, /* Debug mode */ custom_only, /* Custom mutator only mode */ - python_only; /* Python-only mode */ + python_only, /* Python-only mode */ + is_master, /* if this is a master */ + is_slave; /* if this is a slave */ u32 stats_update_freq; /* Stats update frequency (execs) */ @@ -418,7 +420,6 @@ typedef struct afl_state { size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32); u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ @@ -547,7 +548,7 @@ typedef struct afl_state { /* afl_postprocess API - Now supported via custom mutators */ - struct custom_mutator * post_library_mutator; + struct custom_mutator *post_library_mutator; /* CmpLog */ 
@@ -674,7 +675,7 @@ struct custom_mutator { * @return Size of the output buffer. */ size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size, - u8 **out_buf); + u8 **out_buf); /** * This method is called at the start of each trimming operation and receives diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 4be6a2c8..faf4dcb7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -51,7 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index aea22f48..d468f2c8 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -297,14 +297,24 @@ void setup_post(afl_state_t *afl) { dh = dlopen(fn, RTLD_NOW); if (!dh) { FATAL("%s", dlerror()); } - struct custom_mutator * mutator; + struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); memset(mutator, 0, sizeof(struct custom_mutator)); mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); - if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess' not found."); } + if (!mutator->afl_custom_post_process) { + + FATAL("Symbol 'afl_postprocess' not found."); + + } + mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); - if (!mutator->afl_custom_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } + if (!mutator->afl_custom_init) { + + FATAL("Symbol 'afl_postprocess_init' not found."); + + } + mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); if (!mutator->afl_custom_post_process) { 
@@ -1373,6 +1383,17 @@ void setup_dirs_fds(afl_state_t *afl) { } +/* + if (afl->is_master) { + + u8 *x = alloc_printf("%s/is_master", afl->sync_dir); + int fd = open(x, O_CREAT | O_RDWR, 0644); + if (fd < 0) FATAL("cannot create %s", x); + close(fd); + + } +*/ + if (mkdir(afl->out_dir, 0700)) { if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } @@ -1861,14 +1882,6 @@ void fix_up_sync(afl_state_t *afl) { if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } - if (afl->skip_deterministic) { - - if (afl->force_deterministic) { FATAL("use -S instead of -M -d"); } - // else - // FATAL("-S already implies -d"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { @@ -1888,13 +1901,6 @@ void fix_up_sync(afl_state_t *afl) { afl->sync_dir = afl->out_dir; afl->out_dir = x; - if (!afl->force_deterministic) { - - afl->skip_deterministic = 1; - afl->use_splicing = 1; - - } - } /* Handle screen resize (SIGWINCH). */ diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index acc1b12d..87cb86fa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -108,7 +108,8 @@ void setup_custom_mutators(afl_state_t *afl) { #endif - if (afl->post_library_mutator) list_append(&afl->custom_mutator_list, afl->post_library_mutator); + if (afl->post_library_mutator) + list_append(&afl->custom_mutator_list, afl->post_library_mutator); } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 2569cdaf..2044c97d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -384,7 +384,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, + u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; 
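Review bot: The `@@ -1373,6 +1383,17` hunk commits a commented-out block instead of code, which has to be re-audited each time it moves (it is re-indented again in the later `@@ -1383,16 +1383,18` hunk); either drop it or land it behind `afl->is_master` with a note on why it is disabled. As written the block never releases `x` from `alloc_printf` and ignores the result of `close()`; the later revision adds `free(x)`, but this code base releases its own allocations with `ck_free` (afl_state_deinit does so for `in_dir`), so confirm which allocator `alloc_printf` uses before the block is ever enabled. If the placeholder stays, a single `/* disabled: master marker file for sync_fuzzers(), not yet wired up */` explains more than the dead code does.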
@@ -402,7 +403,8 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], + py_args); Py_DECREF(py_args); @@ -412,7 +414,8 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->post_process_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), + py_out_buf_size); Py_DECREF(py_value); *out_buf = py->post_process_buf; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8075f03d..979ebfa3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -390,7 +390,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->force_deterministic = 1; + afl->is_master = 1; } @@ -400,6 +400,9 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); + afl->is_slave = 1; + afl->skip_deterministic = 1; + afl->use_splicing = 1; break; case 'f': /* target file */ @@ -500,12 +503,6 @@ int main(int argc, char **argv_orig, char **envp) { case 'd': /* skip deterministic */ - if (afl->skip_deterministic) { - - FATAL("Multiple -d options not supported"); - - } - afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -794,8 +791,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->force_deterministic && - afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " -- cgit 1.4.1 
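Review bot: With `force_deterministic` gone, `-M name -d` is now accepted silently: the `'M'` case only sets `is_master`, the `'d'` case sets `skip_deterministic`, and the `use -S instead of -M -d` FATAL was removed from fix_up_sync in the same commit, so a master can be configured to skip the deterministic stages it exists to run. If that is intended, the usage text should say so; otherwise keep a guard, e.g. in fix_up_sync `if (afl->is_master && afl->skip_deterministic) { FATAL("use -S instead of -M -d"); }` (placing it there rather than in the `'d'` case avoids depending on option order). Dropping the `Multiple -d options` check is consistent now that `-S` sets `skip_deterministic` itself, but that reasoning deserves a one-line comment next to the new `-S` assignments.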
From b6be9060826a8617378e7ec1ee128057b51d8f85 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 13 May 2020 17:03:59 +0200 Subject: GNUmakefile: avoid tabs --- GNUmakefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 390c4cfa..eefba857 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -211,9 +211,9 @@ ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=addres endif ifdef ASAN_BUILD - $(info Compiling ASAN version of binaries) - CFLAGS+=$(ASAN_CFLAGS) - LDFLAGS+=$(ASAN_LDFLAGS) + $(info Compiling ASAN version of binaries) + CFLAGS+=$(ASAN_CFLAGS) + LDFLAGS+=$(ASAN_LDFLAGS) endif ifeq "$(shell echo '$(HASH)include @$(HASH)include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" -- cgit 1.4.1 From bd94d5fce774e40d874d6efc941998bacad1f933 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Wed, 13 May 2020 17:39:00 +0200 Subject: unicornafl build script: python version is critical --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index bbfd151c..805ac1ea 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -65,7 +65,7 @@ if [ ! -f "../afl-showmap" ]; then fi -PYTHONBIN=`command -v python3 || command -v python || echo python` +PYTHONBIN=`command -v python || command -v python3 || command -v python2 || echo python` MAKECMD=make EASY_INSTALL='easy_install' TARCMD=tar -- cgit 1.4.1 From 8cc54424019d64d5dabd5c53277ddb09542b5a1c Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Wed, 13 May 2020 18:20:06 +0200 Subject: fix GNUmakefile --- GNUmakefile | 6 +++--- src/afl-fuzz-init.c | 18 ++++++++++-------- src/afl-fuzz-run.c | 14 ++++++++++++++ 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index eefba857..00b61cd2 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -211,9 +211,9 @@ ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=addres endif ifdef ASAN_BUILD - $(info Compiling ASAN version of binaries) - CFLAGS+=$(ASAN_CFLAGS) - LDFLAGS+=$(ASAN_LDFLAGS) + $(info Compiling ASAN version of binaries) + CFLAGS+=$(ASAN_CFLAGS) + LDFLAGS+=$(ASAN_LDFLAGS) endif ifeq "$(shell echo '$(HASH)include @$(HASH)include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index d468f2c8..9b7ead29 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1383,16 +1383,18 @@ void setup_dirs_fds(afl_state_t *afl) { } -/* - if (afl->is_master) { + /* + if (afl->is_master) { - u8 *x = alloc_printf("%s/is_master", afl->sync_dir); - int fd = open(x, O_CREAT | O_RDWR, 0644); - if (fd < 0) FATAL("cannot create %s", x); - close(fd); + u8 *x = alloc_printf("%s/%s/is_master", afl->sync_dir, afl->sync_id); + int fd = open(x, O_CREAT | O_RDWR, 0644); + if (fd < 0) FATAL("cannot create %s", x); + free(x); + close(fd); - } -*/ + } + + */ if (mkdir(afl->out_dir, 0700)) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index d9adb792..bbcd9a99 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
@@ -401,6 +401,20 @@ void sync_fuzzers(afl_state_t *afl) { } + /* + // a slave only syncs from a master, a master syncs from everyone + if (likely(afl->is_slave)) { + + u8 x = alloc_printf("%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + int res = access(x, F_OK); + free(x); + if (res != 0) + continue; + + } + + */ + /* Skip anything that doesn't have a queue/ subdirectory. */ qd_path = alloc_printf("%s/%s/queue", afl->sync_dir, sd_ent->d_name); -- cgit 1.4.1 From 4e192db13caa8a6c5234c282986f91c8aaf49e20 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 13 May 2020 18:24:01 +0200 Subject: better clean --- GNUmakefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GNUmakefile b/GNUmakefile index 00b61cd2..6fad5f92 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -455,7 +455,7 @@ all_done: test_build .NOTPARALLEL: clean all clean: - rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable + rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM -$(MAKE) -C llvm_mode clean -$(MAKE) -C gcc_plugin clean -- cgit 1.4.1 From 044bd3cb41eac8de33ccc8bbd3001438b637ee55 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 13 May 2020 18:58:32 +0200 Subject: init/deinit need to be optional for post lib --- src/afl-fuzz-init.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
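Review bot: The parked is_slave block declares `u8 x = alloc_printf(...)`, which stores a pointer into a single byte and will not compile the moment the comment is removed; it should read `u8 *x = alloc_printf("%s/%s/is_master", afl->sync_dir, sd_ent->d_name);`. The same block (and its mirror in afl-fuzz-init.c in this commit) releases the string with `free(x)`; if alloc_printf still returns ck_alloc'd memory as elsewhere in AFL++, the matching release is `ck_free(x)`, so it is cheaper to fix both now than to rediscover them when the code is re-enabled. sync_fuzzers starts before this hunk and continues after it.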
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9b7ead29..daaac969 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -311,22 +311,17 @@ void setup_post(afl_state_t *afl) { mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); if (!mutator->afl_custom_init) { - FATAL("Symbol 'afl_postprocess_init' not found."); + WARNF("optional symbol 'afl_postprocess_init' not found."); } mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); if (!mutator->afl_custom_post_process) { - FATAL("Symbol 'afl_postprocess_deinit' not found."); + WARNF("optional symbol 'afl_postprocess_deinit' not found."); } - /* Do a quick test. It's better to segfault now than later =) */ - - mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); - if (!mutator->data) { FATAL("Could not initialize post handler."); } - afl->post_library_mutator = mutator; OKF("Postprocessor installed successfully."); -- cgit 1.4.1 From d334093606ff4fb77822f11cde7a80fa880de0c7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 14 May 2020 01:00:11 +0200 Subject: deprecated AFL_POST_LIBRARY --- README.md | 5 +- docs/Changelog.md | 2 + docs/env_variables.md | 5 +- docs/sister_projects.md | 7 -- examples/post_library/post_library.so.c | 159 ---------------------------- examples/post_library/post_library_png.so.c | 156 --------------------------- include/afl-fuzz.h | 5 +- src/afl-common.c | 2 +- src/afl-fuzz-init.c | 48 --------- src/afl-fuzz-state.c | 6 +- src/afl-fuzz.c | 3 - test/test.sh | 1 - 12 files changed, 14 insertions(+), 385 deletions(-) delete mode 100644 examples/post_library/post_library.so.c delete mode 100644 examples/post_library/post_library_png.so.c diff --git a/README.md b/README.md index 04ead78e..a2c81aa4 100644 --- a/README.md +++ b/README.md 
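Review bot: The new WARNF for the deinit hook is keyed on the wrong field: it sits under `if (!mutator->afl_custom_post_process)`, a symbol that was already checked (and FATALed on) a few lines earlier, so a missing `afl_postprocess_deinit` is never reported; the guard should be `if (!mutator->afl_custom_deinit) {`. With the self-test call removed, `afl_custom_init` may now legitimately be NULL and `mutator->data` is no longer populated in setup_post, so whichever code later invokes these hooks must test the function pointers before calling — that code is outside this hunk, so please confirm it does. setup_post begins before the hunk.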
@@ -672,8 +672,9 @@ Here are some of the most important caveats for AFL: To work around this, you can comment out the relevant checks (see examples/libpng_no_checksum/ for inspiration); if this is not possible, - you can also write a postprocessor, as explained in - examples/post_library/ (with AFL_POST_LIBRARY) + you can also write a postprocessor, one of the hooks of custom mutators. + See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use + `AFL_CUSTOM_MUTATOR_LIBRARY` - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md) diff --git a/docs/Changelog.md b/docs/Changelog.md index 0b5c11e8..4b2d7977 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -15,6 +15,8 @@ sending a mail to . - better python detection - an old, old bug in afl that would show negative stability in rare circumstances is now hopefully fixed + - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see docs/custom_mutators.md) - llvm_mode: - afl-clang-fast/lto now do not skip single block functions. This behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK diff --git a/docs/env_variables.md b/docs/env_variables.md index 36e5a432..2668be7d 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -310,9 +310,8 @@ checks or alter some of the more exotic semantics of the tool: else. This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. - - Setting AFL_POST_LIBRARY allows you to configure a postprocessor for - mutated files - say, to fix up checksums. See examples/post_library/ - for more. + - Note that AFL_POST_LIBRARY is deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see below). - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with afl_custom_fuzz() creates additional mutations through this library. 
diff --git a/docs/sister_projects.md b/docs/sister_projects.md index 1625044c..a501ecbd 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -56,13 +56,6 @@ functionality is now available as the "persistent" feature described in http://llvm.org/docs/LibFuzzer.html -## AFL fixup shim (Ben Nagy) - -Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages -that don't have C / .so bindings. Includes examples in Go. - -https://github.com/bnagy/aflfix - ## TriforceAFL (Tim Newsham and Jesse Hertz) Leverages QEMU full system emulation mode to allow AFL to target operating diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c deleted file mode 100644 index d9504b23..00000000 --- a/examples/post_library/post_library.so.c +++ /dev/null 
@@ -1,159 +0,0 @@ -/* - american fuzzy lop++ - postprocessor library example - -------------------------------------------------- - - Originally written by Michal Zalewski - Edited by Dominik Maier, 2020 - - Copyright 2015 Google Inc. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Postprocessor libraries can be passed to afl-fuzz to perform final cleanup - of any mutated test cases - for example, to fix up checksums in PNG files. - - Please heed the following warnings: - - 1) In almost all cases, it is more productive to comment out checksum logic - in the targeted binary (as shown in ../libpng_no_checksum/). One possible - exception is the process of fuzzing binary-only software in QEMU mode. - - 2) The use of postprocessors for anything other than checksums is - questionable and may cause more harm than good. AFL is normally pretty good - about dealing with length fields, magic values, etc. - - 3) Postprocessors that do anything non-trivial must be extremely robust to - gracefully handle malformed data and other error conditions - otherwise, - they will crash and take afl-fuzz down with them. Be wary of reading past - *len and of integer overflows when calculating file offsets. - - In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really, - honestly know what you're doing =) - - With that out of the way: the postprocessor library is passed to afl-fuzz - via AFL_POST_LIBRARY. The library must be compiled with: - - gcc -shared -Wall -O3 post_library.so.c -o post_library.so - - AFL will call the afl_postprocess() function for every mutated output buffer. - From there, you have three choices: - - 1) If you don't want to modify the test case, simply set `*out_buf = in_buf` - and return the original `len`. 
- - 2) If you want to skip this test case altogether and have AFL generate a - new one, return 0 or set `*out_buf = NULL`. - Use this sparingly - it's faster than running the target program - with patently useless inputs, but still wastes CPU time. - - 3) If you want to modify the test case, allocate an appropriately-sized - buffer, move the data into that buffer, make the necessary changes, and - then return the new pointer as out_buf. Return an appropriate len - afterwards. - - Note that the buffer will *not* be freed for you. To avoid memory leaks, - you need to free it or reuse it on subsequent calls (as shown below). - - *** Feel free to reuse the original 'in_buf' BUFFER and return it. *** - - Aight. The example below shows a simple postprocessor that tries to make - sure that all input files start with "GIF89a". - - PS. If you don't like C, you can try out the unix-based wrapper from - Ben Nagy instead: https://github.com/bnagy/aflfix - - */ - -#include -#include -#include - -/* Header that must be present at the beginning of every test case: */ - -#define HEADER "GIF89a" - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl, unsigned int seed) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -/* The actual postprocessor routine called by afl-fuzz: */ - -size_t afl_postprocess(post_state_t *data, unsigned char *in_buf, - unsigned int len, unsigned char **out_buf) { - - /* Skip execution altogether for buffers shorter than 6 bytes (just to - show how it's done). We can trust len to be sane. */ - - if (len < strlen(HEADER)) return 0; - - /* Do nothing for buffers that already start with the expected header. 
*/ - - if (!memcmp(in_buf, HEADER, strlen(HEADER))) { - - *out_buf = in_buf; - return len; - - } - - /* Allocate memory for new buffer, reusing previous allocation if - possible. */ - - *out_buf = realloc(data->buf, len); - - /* If we're out of memory, the most graceful thing to do is to return the - original buffer and give up on modifying it. Let AFL handle OOM on its - own later on. */ - - if (!*out_buf) { - - *out_buf = in_buf; - return len; - - } - - /* Copy the original data to the new location. */ - - memcpy(*out_buf, in_buf, len); - - /* Insert the new header. */ - - memcpy(*out_buf, HEADER, strlen(HEADER)); - - /* Return the new len. It hasn't changed, so it's just len. */ - - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c deleted file mode 100644 index b29afd62..00000000 --- a/examples/post_library/post_library_png.so.c +++ /dev/null 
@@ -1,156 +0,0 @@ -/* - american fuzzy lop++ - postprocessor for PNG - ------------------------------------------ - - Originally written by Michal Zalewski - - Copyright 2015 Google Inc. All rights reserved. - Adapted to the new API, 2020 by Dominik Maier - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - See post_library.so.c for a general discussion of how to implement - postprocessors. This specific postprocessor attempts to fix up PNG - checksums, providing a slightly more complicated example than found - in post_library.so.c. - - Compile with: - - gcc -shared -Wall -O3 post_library_png.so.c -o post_library_png.so -lz - - */ - -#include -#include -#include -#include -#include - -#include - -/* A macro to round an integer up to 4 kB. */ - -#define UP4K(_i) ((((_i) >> 12) + 1) << 12) - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl, unsigned int seed) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -size_t afl_postprocess(post_state_t *data, const unsigned char *in_buf, - unsigned int len, const unsigned char **out_buf) { - - unsigned char *new_buf = (unsigned char *)in_buf; - unsigned int pos = 8; - - /* Don't do anything if there's not enough room for the PNG header - (8 bytes). */ - - if (len < 8) { - - *out_buf = in_buf; - return len; - - } - - /* Minimum size of a zero-length PNG chunk is 12 bytes; if we - don't have that, we can bail out. */ - - while (pos + 12 <= len) { - - unsigned int chunk_len, real_cksum, file_cksum; - - /* Chunk length is the first big-endian dword in the chunk. 
*/ - - chunk_len = ntohl(*(uint32_t *)(in_buf + pos)); - - /* Bail out if chunk size is too big or goes past EOF. */ - - if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > len) break; - - /* Chunk checksum is calculated for chunk ID (dword) and the actual - payload. */ - - real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4)); - - /* The in-file checksum is the last dword past the chunk data. */ - - file_cksum = *(uint32_t *)(in_buf + pos + 8 + chunk_len); - - /* If the checksums do not match, we need to fix the file. */ - - if (real_cksum != file_cksum) { - - /* First modification? Make a copy of the input buffer. Round size - up to 4 kB to minimize the number of reallocs needed. */ - - if (new_buf == in_buf) { - - if (len <= data->size) { - - new_buf = data->buf; - - } else { - - new_buf = realloc(data->buf, UP4K(len)); - if (!new_buf) { - - *out_buf = in_buf; - return len; - - } - - data->buf = new_buf; - data->size = UP4K(len); - memcpy(new_buf, in_buf, len); - - } - - } - - *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum; - - } - - /* Skip the entire chunk and move to the next one. */ - - pos += 12 + chunk_len; - - } - - *out_buf = new_buf; - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index a1aa58d6..9907c245 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -323,9 +323,8 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child_output, afl_autoresume, afl_cal_fast; - u8 *afl_tmpdir, *afl_post_library, *afl_custom_mutator_library, - *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, - *afl_preload; + u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, + *afl_hang_tmout, *afl_skip_crashes, *afl_preload; } afl_env_vars_t; diff --git a/src/afl-common.c b/src/afl-common.c index 74fd6b27..808c9812 100644 --- a/src/afl-common.c 
+++ b/src/afl-common.c @@ -76,7 +76,7 @@ char *afl_environment_variables[] = { "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally - "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", + "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index daaac969..0a7941f2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -280,54 +280,6 @@ cpuset_destroy(c); #endif /* HAVE_AFFINITY */ -/* Load postprocessor, if available. */ - -void setup_post(afl_state_t *afl) { - - void *dh; - u8 * fn = afl->afl_env.afl_post_library; - u8 tbuf[6]; - u32 tlen = 6; - strncpy(tbuf, "hello", tlen); - - if (!fn) { return; } - - ACTF("Loading postprocessor from '%s'...", fn); - - dh = dlopen(fn, RTLD_NOW); - if (!dh) { FATAL("%s", dlerror()); } - - struct custom_mutator *mutator; - mutator = ck_alloc(sizeof(struct custom_mutator)); - memset(mutator, 0, sizeof(struct custom_mutator)); - - mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); - if (!mutator->afl_custom_post_process) { - - FATAL("Symbol 'afl_postprocess' not found."); - - } - - mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); - if (!mutator->afl_custom_init) { - - WARNF("optional symbol 'afl_postprocess_init' not found."); - - } - - mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!mutator->afl_custom_post_process) { - - WARNF("optional symbol 'afl_postprocess_deinit' not found."); - - } - - afl->post_library_mutator = mutator; - - OKF("Postprocessor installed successfully."); - -} - /* Shuffle an array of pointers. Might be slightly biased. */ static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 316f9bd9..99863103 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -313,8 +313,10 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->afl_env.afl_post_library = - (u8 *)get_afl_env(afl_environment_variables[i]); + FATAL( + "AFL_POST_LIBRARY is deprecated, use " + "AFL_CUSTOM_MUTATOR_LIBRARY instead, see " + "docs/custom_mutators.md"); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 979ebfa3..8625c37c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
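Review bot: The new FATAL in read_afl_environment looks unreachable: this same commit removes "AFL_POST_LIBRARY" from afl_environment_variables[] in afl-common.c, and if this `else if` chain is only entered once env has matched an entry of that table (the `afl_environment_variable_len` context suggests so), an exported AFL_POST_LIBRARY will fall through to the generic unknown-variable handling instead of this deprecation message. Either keep `"AFL_POST_LIBRARY", // deprecated, kept so the FATAL in afl-fuzz-state.c fires` in the table, or perform the check before the table loop. The enclosing function starts before the hunk.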
@@ -187,7 +187,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_UI: switch status screen off\n" "AFL_PATH: path to AFL support binaries\n" - "AFL_POST_LIBRARY: postprocess generated test cases before use as target input\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -1060,8 +1059,6 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); - setup_post(afl); - if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); memset(afl->virgin_crash, 255, afl->fsrv.map_size); diff --git a/test/test.sh b/test/test.sh index 6c05571b..cb38346d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,7 +60,6 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT -unset AFL_POST_LIBRARY unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD -- cgit 1.4.1 From 7c9ff4bfe76e078cd469ef909bd3d5d91389763f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 14 May 2020 01:12:00 +0200 Subject: if target crashes add LTO fixed map as a possible reason --- src/afl-forkserver.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c1623f22..1c0ba349 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
@@ -676,12 +676,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else if (!fsrv->mem_limit) { SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Perhaps there is a horrible " - "bug in the\n" - " fuzzer. Poke for troubleshooting " - "tips.\n"); + "Hmm, looks like the target binary terminated before we could" + "complete a handshake with the injected code.\n" + "If the target was compiled with afl-clang-lto then recompiling with" + "AFL_LLVM_MAP_DYNAMIC might solve your problem.\n" + "Otherwise there is a horrible bug in the fuzzer.\n" + "Poke for troubleshooting tips.\n"); } else { @@ -708,6 +708,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, " estimate the required amount of virtual memory for the " "binary.\n\n" + " - the target was compiled with afl-clang-lto and a constructor " + "was\n" + " instrumented, recompiling with AFL_LLVM_MAP_DYNAMIC might solve " + "your\n" + " problem\n\n" + " - Less likely, there is a horrible bug in the fuzzer. If other " "options\n" " fail, poke for troubleshooting " -- cgit 1.4.1 From a16e92800d6d44801b02e754329a5da38052f346 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 01:20:33 +0200 Subject: prefer python3 --- unicorn_mode/build_unicorn_support.sh | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 805ac1ea..dbe3d009 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -65,7 +65,7 @@ if [ ! -f "../afl-showmap" ]; then fi -PYTHONBIN=`command -v python || command -v python3 || command -v python2 || echo python` +PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3` MAKECMD=make EASY_INSTALL='easy_install' TARCMD=tar 
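Review bot: Two of the rewritten SAYF literals lack a trailing space before the literal that follows, so the concatenated message prints "before we couldcomplete a handshake" and "recompiling withAFL_LLVM_MAP_DYNAMIC". Change them to `"Hmm, looks like the target binary terminated before we could "` and `"If the target was compiled with afl-clang-lto then recompiling with "`. The "Poke ... for troubleshooting tips" line also appears to carry no address here, though that may be an artifact of how the patch was rendered rather than of the source. afl_fsrv_start continues outside the hunk.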
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a5b79002..94c19769 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a5b79002ca18219c83f9aec4e71007917c6be2e0 +Subproject commit 94c1976975518691a03602f7ec5a817e2f341183 -- cgit 1.4.1 From 00ad2ffc610a337926943bd566a1a8e85525961a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 01:33:03 +0200 Subject: unicornafl version --- unicorn_mode/unicornafl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 94c19769..5833117a 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 94c1976975518691a03602f7ec5a817e2f341183 +Subproject commit 5833117abf55d54c4191ead81312764df03a48bc -- cgit 1.4.1 From 56a86bb9e21bb1d4a081f1c97a60066307e42c60 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 01:35:35 +0200 Subject: added unicornafl fix info --- docs/Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/Changelog.md b/docs/Changelog.md index 4b2d7977..18ade7cf 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,6 +31,8 @@ sending a mail to . - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter implementation. For targets with few or no loops or heavily called functions. Gives a small performance boost. + - unicorn_mode: + - validate_crash_callback can now count non-crashing inputs as crash as well - qemu_mode: - add information on PIE/PIC load addresses for 32 bit - better dependency checks -- cgit 1.4.1 From 6b69cd2e574fbcea79b7322c443841292f220d82 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 09:00:17 +0000 Subject: Makefile: for convenience forward targets to GNUmake --- Makefile | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0b306dde..08dd29d7 100644 --- a/Makefile 
+++ b/Makefile @@ -1,2 +1,42 @@ all: - @echo please use GNU make, thanks! + @echo trying to use GNU make... + @gmake all + +source-only: + @gmake source-only + +binary-only: + @gmake binary-only + +distrib: + @gmake distrib + +man: + @gmake man + +install: + @gmake install + +document: + @gmake document + +deepclean: + @gmake deepclean + +code-format: + @gmake code-format + +help: + @gmake help + +tests: + @gmake tests + +unit: + @gmake unit + +unit_clean: + @gmake unit_clean + +clean: + @gmake clean -- cgit 1.4.1 From 682b620922a7d30393e30e23f4c1d7e05a83a6cc Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 14 May 2020 16:25:07 +0200 Subject: fix afl-clang-fast help output --- docs/Changelog.md | 3 +-- llvm_mode/afl-clang-fast.c | 8 ++++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 18ade7cf..f3e8dcb3 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,14 +31,13 @@ sending a mail to . - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter implementation. For targets with few or no loops or heavily called functions. Gives a small performance boost. - - unicorn_mode: - - validate_crash_callback can now count non-crashing inputs as crash as well - qemu_mode: - add information on PIE/PIC load addresses for 32 bit - better dependency checks - gcc_plugin: - better dependency checks - unicorn_mode: + - validate_crash_callback can now count non-crashing inputs as crash as well - better submodule handling - afl-showmap: fix for -Q mode - added examples/afl_network_proxy which allows to fuzz a target over the diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 07754d1d..49dc6c1c 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
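Review bot: None of the forwarding targets is declared phony, so a file or directory named `clean`, `install`, `tests` or `man` in the checkout makes the corresponding rule report "up to date" and the gmake call is silently skipped; add `.PHONY: all source-only binary-only distrib man install document deepclean code-format help tests unit unit_clean clean` at the top of the file. The `@echo trying to use GNU make...` hint is also only printed for `all`, while every other target fails with a bare "gmake: not found" when GNU make is absent, so either print it in each rule or drop it for consistency. Whether this list covers every public GNUmakefile target cannot be checked from the hunk.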
@@ -844,14 +844,14 @@ int main(int argc, char **argv, char **envp) { "\nafl-clang-fast specific environment variables:\n" "AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen mutator)\n" "AFL_LLVM_INSTRUMENT: set instrumentation mode: DEFAULT, CFG " - "(INSTRIM), LTO, CTX, NGRAM-2 ... NGRAM-16\n" + "(INSTRIM), PCGUARD, LTO, CTX, NGRAM-2 ... NGRAM-16\n" " You can also use the old environment variables instead:" - " AFL_LLVM_CTX: use context sensitive coverage\n" " AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n" - " AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage\n" " AFL_LLVM_INSTRIM: use light weight instrumentation InsTrim\n" " AFL_LLVM_INSTRIM_LOOPHEAD: optimize loop tracing for speed (sub " - "option to INSTRIM)\n"); + "option to INSTRIM)\n" + " AFL_LLVM_CTX: use context sensitive coverage\n" + " AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage\n"); #ifdef AFL_CLANG_FLTO SAYF( -- cgit 1.4.1 From 460760d7b6aa88d772c8d5075327ffefa06576d7 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 18:00:48 +0200 Subject: unicornafl build script: find matching python and setuptools --- unicorn_mode/build_unicorn_support.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 805ac1ea..6c133f21 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh 
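Review bot: The context literal `" You can also use the old environment variables instead:"` has no trailing `\n`, so after this reordering the help text still prints "...instead: AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation" as one line; since the commit is titled as fixing this output, add the newline: `" You can also use the old environment variables instead:\n"`. main continues outside the hunk.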
@@ -107,11 +107,13 @@ for i in $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do done -if ! command -v $EASY_INSTALL >/dev/null; then +# some python version should be available now +PYTHONS="`command -v python3` `command -v python` `command -v python2`" +EASY_INSTALL_FOUND=0 +for PYTHON in $PYTHONS ; do # work around for installs with executable easy_install - EASY_INSTALL_FOUND=0 - MYPYTHONPATH=`${PYTHONBIN} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` + MYPYTHONPATH=`${PYTHON} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` for PATHCANDIDATE in \ "dist-packages/" \ "site-packages/" @@ -119,16 +121,17 @@ if ! command -v $EASY_INSTALL >/dev/null; then if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then EASY_INSTALL_FOUND=1 + PYTHONBIN=$PYTHON break fi done - if [ "0" = $EASY_INSTALL_FOUND ]; then - echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." - PREREQ_NOTFOUND=1 +done +if [ "0" = $EASY_INSTALL_FOUND ]; then - fi + echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." + PREREQ_NOTFOUND=1 fi -- cgit 1.4.1 From 9e375179d8bfe1375625258b4fcdf018cd598cfc Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 18:40:26 +0200 Subject: test.sh: make sure the right python version (with setuptools available) is being used --- test/test.sh | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/test/test.sh b/test/test.sh index 6c05571b..b21563fb 100755 --- a/test/test.sh +++ b/test/test.sh 
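Review bot: The `break` after `PYTHONBIN=$PYTHON` only leaves the inner `for PATHCANDIDATE` loop, so the outer `for PYTHON in $PYTHONS` keeps iterating and the last interpreter with an easy_install.py wins — on a host with python3 and python2 both carrying setuptools, python2 is selected although python3 is listed first. Use `break 2` there, or guard the outer loop with `[ "$EASY_INSTALL_FOUND" = 1 ] && break`. Note also that `command -v python` usually resolves to the same binary as one of the other two, so that interpreter is probed twice with the comparatively slow `-v` import trace. The prerequisite checks this sits in start before the hunk.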
@@ -882,8 +882,35 @@ $ECHO "$BLUE[*] Testing: unicorn_mode" test -d ../unicorn_mode/unicornafl && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { + # some python version should be available now + PYTHONS="`command -v python3` `command -v python` `command -v python2`" + EASY_INSTALL_FOUND=0 + for PYTHON in $PYTHONS ; do + + # work around for installs with executable easy_install + MYPYTHONPATH=`${PYTHON} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` + for PATHCANDIDATE in \ + "dist-packages/" \ + "site-packages/" + do + if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then + + EASY_INSTALL_FOUND=1 + PY=$PYTHON + break + + fi + done + + done + if [ "0" = $EASY_INSTALL_FOUND ]; then + + echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." + PREREQ_NOTFOUND=1 + + fi + # travis workaround - PY=`command -v python3 || command -v python` test "$PY" = "/opt/pyenv/shims/python" -a -x /usr/bin/python && PY=/usr/bin/python mkdir -p in echo 0 > in/in -- cgit 1.4.1 From fa20eb1de7544fb2213917dee830cb3ea11d7f16 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 18:47:44 +0200 Subject: GNUmakefile: add standard path for NetBSD, test for git and svn before use --- GNUmakefile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 6fad5f92..fd43e11a 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -94,6 +94,11 @@ ifeq "$(shell uname -s)" "OpenBSD" LDFLAGS += -L /usr/local/lib/ endif +ifeq "$(shell uname -s)" "NetBSD" + override CFLAGS += -I /usr/pkg/include/ + LDFLAGS += -L /usr/pkg/lib/ +endif + AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) ifneq "$(shell command -v python3m 2>/dev/null)" "" 
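Review bot: This copy inherits the selection bug of the build script: `break` exits only the PATHCANDIDATE loop, so `PY` ends up as the last interpreter that has easy_install.py rather than the first (python3); use `break 2`. In addition, when nothing is found the block prints the error and sets `PREREQ_NOTFOUND=1` but execution continues into the travis workaround and the test itself with `$PY` empty; unless PREREQ_NOTFOUND is consulted later in test.sh (not visible here), the unicorn test should be skipped or marked failed at that point instead. The unicorn_mode test block continues outside the hunk.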
@@ -198,10 +203,10 @@ ifdef NO_PYTHON endif IN_REPO=0 -ifeq "$(shell git status >/dev/null 2>&1 && echo 1 || echo 0)" "1" +ifeq "$(shell command -v git && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1" IN_REPO=1 endif -ifeq "$(shell svn proplist . 2>/dev/null && echo 1 || echo 0)" "1" +ifeq "$(shell command -v svn && svn proplist . 2>/dev/null && echo 1 || echo 0)" "1" IN_REPO=1 endif -- cgit 1.4.1 From 64b80b32012091d07652a9b1bdfdd3013fd15421 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 19:23:07 +0200 Subject: unicornafl build script: debugging version for travis --- unicorn_mode/build_unicorn_support.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 2fa3c2b2..447ec4d8 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -106,7 +106,7 @@ for i in $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do fi done - +set -x # some python version should be available now PYTHONS="`command -v python3` `command -v python` `command -v python2`" EASY_INSTALL_FOUND=0 @@ -134,7 +134,7 @@ if [ "0" = $EASY_INSTALL_FOUND ]; then PREREQ_NOTFOUND=1 fi - +set +x if echo "$CC" | grep -qF /afl-; then echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool." -- cgit 1.4.1 From 0495ded87dcc112c34037283ec20f5ff6d017a63 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 19:58:32 +0200 Subject: unicornafl build script more debug --- unicorn_mode/build_unicorn_support.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 447ec4d8..eab4f8a2 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh 
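Review bot: `command -v git` writes the resolved path to stdout, and $(shell …) returns it joined with the later `echo 1` as "/usr/bin/git 1", which never equals "1" — so IN_REPO is now never set on machines that do have git, and the svn line has the same problem; the checks should be `ifeq "$(shell command -v git >/dev/null 2>&1 && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1"` and `ifeq "$(shell command -v svn >/dev/null 2>&1 && svn proplist . >/dev/null 2>&1 && echo 1 || echo 0)" "1"`. The effect depends on what IN_REPO gates later in the GNUmakefile, which is outside the hunk.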
@@ -107,6 +107,7 @@ for i in $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do done set -x +ls -lR ~/.local # some python version should be available now PYTHONS="`command -v python3` `command -v python` `command -v python2`" EASY_INSTALL_FOUND=0 -- cgit 1.4.1 From 4ac06a4eef8462057f2358e3dddd108d4fbaf2dd Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 20:10:10 +0200 Subject: and more --- unicorn_mode/build_unicorn_support.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index eab4f8a2..b244c29f 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -107,7 +107,8 @@ for i in $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do done set -x -ls -lR ~/.local +ls -lRa /opt/pyenv +ls -lRa ~/.local # some python version should be available now PYTHONS="`command -v python3` `command -v python` `command -v python2`" EASY_INSTALL_FOUND=0 -- cgit 1.4.1 From a3392007cd7cac492e746e0e7d989355d9ae21dd Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 20:30:00 +0200 Subject: next try --- unicorn_mode/build_unicorn_support.sh | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index b244c29f..a5b2b274 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh 
@@ -106,28 +106,20 @@ for i in $PYTHONBIN automake autoconf git $MAKECMD $TARCMD; do fi done -set -x -ls -lRa /opt/pyenv -ls -lRa ~/.local + # some python version should be available now PYTHONS="`command -v python3` `command -v python` `command -v python2`" EASY_INSTALL_FOUND=0 for PYTHON in $PYTHONS ; do - # work around for installs with executable easy_install - MYPYTHONPATH=`${PYTHON} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` - for PATHCANDIDATE in \ - "dist-packages/" \ - "site-packages/" - do - if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then + # slow, but should work + if $PYTHON -c "help('modules');" 2>/dev/null | grep -q easy_install ; then - EASY_INSTALL_FOUND=1 - PYTHONBIN=$PYTHON - break + EASY_INSTALL_FOUND=1 + PYTHONBIN=$PYTHON + break - fi - done + fi done if [ "0" = $EASY_INSTALL_FOUND ]; then @@ -136,7 +128,7 @@ if [ "0" = $EASY_INSTALL_FOUND ]; then PREREQ_NOTFOUND=1 fi -set +x + if echo "$CC" | grep -qF /afl-; then echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool." -- cgit 1.4.1 From 94a1d4d3ac423f8f7252ec6a0e52f18ff0f02d08 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 20:32:04 +0200 Subject: test unicornafl: copy from build script --- test/test.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/test/test.sh b/test/test.sh index 24b80f03..bf01cb6e 100755 --- a/test/test.sh +++ b/test/test.sh 
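Review bot: `help('modules')` imports every module reachable from sys.path, which runs the top-level code of every installed package just to answer a presence check, and `grep -q easy_install` then matches any module whose name merely contains that substring. A direct import is precise and cheap: `if $PYTHON -c "import setuptools" 2>/dev/null ; then` (or `import easy_install`, which is what the removed file-based check was looking for). The same pattern is copied into test/test.sh in commit 94a1d4d (the next hunk on this page).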
@@ -886,20 +886,13 @@ test -d ../unicorn_mode/unicornafl && { EASY_INSTALL_FOUND=0 for PYTHON in $PYTHONS ; do - # work around for installs with executable easy_install - MYPYTHONPATH=`${PYTHON} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` - for PATHCANDIDATE in \ - "dist-packages/" \ - "site-packages/" - do - if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then + if $PYTHON -c "help('modules');" 2>/dev/null | grep -q easy_install ; then EASY_INSTALL_FOUND=1 PY=$PYTHON break - fi - done + fi done if [ "0" = $EASY_INSTALL_FOUND ]; then -- cgit 1.4.1 From 324b44872c4f292594889305886eea0d77208479 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 21:13:36 +0200 Subject: unicornafl: python/module check with faster method --- test/test.sh | 2 +- unicorn_mode/build_unicorn_support.sh | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/test/test.sh b/test/test.sh index bf01cb6e..88bde564 100755 --- a/test/test.sh +++ b/test/test.sh @@ -886,7 +886,7 @@ test -d ../unicorn_mode/unicornafl && { EASY_INSTALL_FOUND=0 for PYTHON in $PYTHONS ; do - if $PYTHON -c "help('modules');" 2>/dev/null | grep -q easy_install ; then + if $PYTHON -c "help('easy_install');" /dev/null | grep -q easy_install ; then + if $PYTHON -c "help('$EASY_INSTALL');" Date: Thu, 14 May 2020 14:34:01 +0200 Subject: use only python3 in new builds --- Dockerfile | 9 ++++----- README.md | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1adc2167..d82228fe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:eoan +FROM ubuntu MAINTAINER David Carlier LABEL "about"="AFLplusplus docker image" RUN apt-get update && apt-get -y install \ @@ -10,8 +10,9 @@ RUN apt-get update && apt-get -y install \ clang-9 \ flex \ git \ - python3.7 \ - python3.7-dev \ + python3 \ + python3-dev \ + python3-setuptools \ gcc-9 \ gcc-9-plugin-dev \ gcc-9-multilib \ 
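Review bot: In the Dockerfile hunk, `FROM ubuntu` without a tag resolves to whatever `latest` points at on the day the image is built, so the base OS changes silently over time while the `RUN apt-get` line still hard-codes `clang-9`, `gcc-9` and `llvm-9-dev`; the build will break as soon as `latest` moves to a release that no longer ships those packages, and two builds of the same Dockerfile are not reproducible. Pin a release tag, `FROM ubuntu:focal` (the focal test Dockerfile added later on this page does so), or for a fully reproducible image a digest such as `FROM ubuntu@sha256:<digest-placeholder>`.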
@@ -20,8 +21,6 @@ RUN apt-get update && apt-get -y install \ libtool-bin \ libglib2.0-dev \ llvm-9-dev \ - python-setuptools \ - python2.7-dev \ wget \ ca-certificates \ libpixman-1-dev \ diff --git a/README.md b/README.md index a2c81aa4..216fea95 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,7 @@ afl++ has many build options. The easiest is to build and install everything: ```shell -$ sudo apt install build-essential libtool-bin python3 automake flex bison libglib2.0-dev libpixman-1-dev clang python-setuptools llvm +$ sudo apt install build-essential libtool-bin python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm $ make distrib $ sudo make install ``` -- cgit 1.4.1 From 00a147b24433396b08eeb23c4dc21c4bc32414ec Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 21:49:26 +0200 Subject: info about py3 setuptools --- unicorn_mode/build_unicorn_support.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 0833a71f..ac92c368 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -67,7 +67,6 @@ fi PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3` MAKECMD=make -EASY_INSTALL='easy_install' TARCMD=tar if [ "$PLT" = "Linux" ]; then @@ -123,7 +122,7 @@ for PYTHON in $PYTHONS ; do done if [ "0" = $EASY_INSTALL_FOUND ]; then - echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." + echo "[-] Error: Python setup-tools not found. Run `sudo apt-get install python-setuptools`, or install python3-setuptools, or run `python -m ensurepip`, or create a virtualenv, or ..." PREREQ_NOTFOUND=1 fi -- cgit 1.4.1 From d95c4483fd0a0181092205a31993d90a2cca30d7 Mon Sep 17 00:00:00 2001 
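Review bot: In the unicorn_mode/build_unicorn_support.sh hunk, the backticks inside the double-quoted echo string are command substitutions, so printing this error actually executes `sudo apt-get install python-setuptools` and `python -m ensurepip` on the build host before the text is shown; a failed prerequisite check should not run package installs as a side effect. Use single quotes for the literal commands: `echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools', or install python3-setuptools, or run 'python -m ensurepip', or create a virtualenv, or ..."`. Commit 749c63d on this page makes that fix; the intermediate edit in commit 11f3b48 still carries the backticks.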
From: Ruben ten Hove Date: Thu, 14 May 2020 14:35:09 +0200 Subject: correct binary already chosen before --- unicorn_mode/build_unicorn_support.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index ac92c368..08a2238d 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -76,14 +76,12 @@ fi if [ "$PLT" = "Darwin" ]; then CORES=`sysctl -n hw.ncpu` TARCMD=tar - PYTHONBIN=python3 fi if [ "$PLT" = "FreeBSD" ]; then MAKECMD=gmake CORES=`sysctl -n hw.ncpu` TARCMD=gtar - PYTHONBIN=python3 fi if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then -- cgit 1.4.1 From f0aadc3d0b6b181777bc53c61a385820698db889 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Thu, 14 May 2020 14:36:09 +0200 Subject: qemu build expects python on PATH --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index d82228fe..c8bfaf33 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,6 +13,7 @@ RUN apt-get update && apt-get -y install \ python3 \ python3-dev \ python3-setuptools \ + python-is-python3 \ gcc-9 \ gcc-9-plugin-dev \ gcc-9-multilib \ -- cgit 1.4.1 From 767ed8c5da985601dbd956cd3776abfa3a86cff8 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Thu, 14 May 2020 16:49:44 +0200 Subject: add python setuptools to travis builds --- .travis.yml | 4 ++-- test/travis/bionic/Dockerfile | 1 + test/travis/trusty/Dockerfile | 1 + test/travis/xenial/Dockerfile | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index a360bd42..7933b3e6 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -41,8 +41,8 @@ before_install: # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE} - echo Testing on $NAME - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi - - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev ; fi - - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev ; fi + - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi + - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python-setuptools ; fi script: - gcc -v diff --git a/test/travis/bionic/Dockerfile b/test/travis/bionic/Dockerfile index 3883f775..d1b53e70 100644 --- a/test/travis/bionic/Dockerfile +++ b/test/travis/bionic/Dockerfile @@ -16,6 +16,7 @@ RUN apt-get update && apt-get -y install \ flex \ git \ python3.7 python3.7-dev \ + python3-setuptools \ libtool libtool-bin \ libglib2.0-dev \ python-setuptools \ diff --git a/test/travis/trusty/Dockerfile b/test/travis/trusty/Dockerfile index 7b86f3e7..0a6f1804 100644 --- a/test/travis/trusty/Dockerfile +++ b/test/travis/trusty/Dockerfile @@ -16,6 +16,7 @@ RUN apt-get update && apt-get -y install \ flex \ git \ python2.7 python2.7-dev \ + python3-setuptools \ libtool \ libglib2.0-dev \ python-setuptools \ 
diff --git a/test/travis/xenial/Dockerfile b/test/travis/xenial/Dockerfile index a5f8d359..6aa4b1d1 100644 --- a/test/travis/xenial/Dockerfile +++ b/test/travis/xenial/Dockerfile @@ -16,6 +16,7 @@ RUN apt-get update && apt-get -y install \ flex \ git \ python3 python3-dev \ + python3-setuptools \ libtool libtool-bin \ libglib2.0-dev \ python-setuptools \ -- cgit 1.4.1 From 867f948bb22688bc2ca250f3cc28402662cc1b0c Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Thu, 14 May 2020 16:56:40 +0200 Subject: create temp symlink to python3 for qemu mode if python isn't found --- CONTRIBUTING.md | 5 +++++ GNUmakefile | 2 +- qemu_mode/build_qemu_support.sh | 20 +++++++++++++++++++- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 90049432..bd0a0ed8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,3 +20,8 @@ No camel case at all and use the AFL's macros wherever possible Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles (or your patches to our pre-existing Makefiles) to be as much generic as possible. + + +# Local testing + +To try diff --git a/GNUmakefile b/GNUmakefile index fd43e11a..8bdd642e 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -105,7 +105,7 @@ ifneq "$(shell command -v python3m 2>/dev/null)" "" ifneq "$(shell command -v python3m-config 2>/dev/null)" "" PYTHON_INCLUDE ?= $(shell python3m-config --includes) PYTHON_VERSION ?= $(strip $(shell python3m --version 2>&1)) - # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag. + # Starting with python3.8, we need to pass the `embed` flag. Earlier versions didn't know this flag. ifeq "$(shell python3m-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1" PYTHON_LIB ?= $(shell python3m-config --libs --embed --ldflags) else diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index bd18927f..983373ce 100755 
--- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -63,7 +63,7 @@ if [ ! -f "../afl-showmap" ]; then fi PREREQ_NOTFOUND= -for i in libtool wget python automake autoconf sha384sum bison flex iconv patch pkg-config; do +for i in libtool wget automake autoconf sha384sum bison flex iconv patch pkg-config; do T=`command -v "$i" 2>/dev/null` @@ -76,6 +76,18 @@ for i in libtool wget python automake autoconf sha384sum bison flex iconv patch done +PYTHON_TEMP_SYMLINK=0 +if ! command -v python 1>/dev/null; then + if command -v python3 1>/dev/null; then + echo "[*] 'python' not found. 'python3' was found. Creating temporary symlink." + update-alternatives --install /usr/bin/python python "$(command -v python3)" 0 1>/dev/null + PYTHON_TEMP_SYMLINK=1 + else + echo "[-] Error: 'python' not found, please install using 'sudo apt install python3'." + PREREQ_NOTFOUND=1 + fi +fi + if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then echo "[-] Error: devel version of 'glib2' not found, please install first." @@ -279,6 +291,12 @@ echo "[+] Building libcompcov ..." make -C libcompcov && echo "[+] libcompcov ready" echo "[+] Building unsigaction ..." make -C unsigaction && echo "[+] unsigaction ready" + +if [ "PYTHON_TEMP_SYMLINK" = "1" ]; then + echo "[*] Removing temporary symlink for 'python'" + update-alternatives --remove python /usr/bin/python +fi + echo "[+] All done for qemu_mode, enjoy!" exit 0 -- cgit 1.4.1 From 4081a8f7b6ebbf36f244bdd6aabba7a482abc945 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Thu, 14 May 2020 17:02:51 +0200 Subject: should install python3 setuptools here too --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 7933b3e6..ca56e474 100644 --- a/.travis.yml +++ b/.travis.yml 
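Review bot: The cleanup condition in the second added hunk compares the literal string `"PYTHON_TEMP_SYMLINK"` with `"1"` (the `$` is missing), so the alternatives entry created earlier is never removed; it should read `if [ "$PYTHON_TEMP_SYMLINK" = "1" ]; then`. Beyond that, `update-alternatives --install /usr/bin/python ...` rewrites the host's system-wide `python` as a side effect of a build script, requires root, and is left in place on every early exit between install and cleanup (the `|| exit 1` paths of the configure calls, for instance). Pointing QEMU's configure at the interpreter is the safer approach, which commit 4c253ae later on this page does with `--python="$PYTHONBIN"`.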
@@ -42,7 +42,7 @@ before_install: - echo Testing on $NAME - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi - - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python-setuptools ; fi + - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python3-setuptools ; fi script: - gcc -v -- cgit 1.4.1 From efdad526eea9ec449ef0eefbd0da705901bcaf2f Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Thu, 14 May 2020 18:34:33 +0200 Subject: darn IDE --- CONTRIBUTING.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index bd0a0ed8..90049432 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,8 +20,3 @@ No camel case at all and use the AFL's macros wherever possible Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles (or your patches to our pre-existing Makefiles) to be as much generic as possible. - - -# Local testing - -To try -- cgit 1.4.1 From 4c253aedae6aec48d527668d699d124962d82821 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Thu, 14 May 2020 19:16:04 +0200 Subject: use --python flag to point to python executable for qemu build --- qemu_mode/build_qemu_support.sh | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) 
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 983373ce..1828528e 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -76,18 +76,14 @@ for i in libtool wget automake autoconf sha384sum bison flex iconv patch pkg-con done -PYTHON_TEMP_SYMLINK=0 -if ! command -v python 1>/dev/null; then - if command -v python3 1>/dev/null; then - echo "[*] 'python' not found. 'python3' was found. Creating temporary symlink." - update-alternatives --install /usr/bin/python python "$(command -v python3)" 0 1>/dev/null - PYTHON_TEMP_SYMLINK=1 - else - echo "[-] Error: 'python' not found, please install using 'sudo apt install python3'." - PREREQ_NOTFOUND=1 - fi +PYTHONBIN=`command -v python3 || command -v python || command -v python2` + +if [ "$PYTHONBIN" = "" ]; then + echo "[-] Error: 'python' not found, please install using 'sudo apt install python3'." + PREREQ_NOTFOUND=1 fi + if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then echo "[-] Error: devel version of 'glib2' not found, please install first." 
@@ -214,16 +210,17 @@ if [ "$STATIC" = "1" ]; then --disable-libusb --disable-usb-redir --disable-vde --disable-vhost-net --disable-virglrenderer \ --disable-virtfs --disable-vnc --disable-vte --disable-xen --disable-xen-pci-passthrough --disable-xfsctl \ --enable-linux-user --disable-system --disable-blobs --disable-tools --enable-capstone=internal \ - --target-list="${CPU_TARGET}-linux-user" --static --disable-pie --cross-prefix=$CROSS_PREFIX || exit 1 + --target-list="${CPU_TARGET}-linux-user" --static --disable-pie --cross-prefix=$CROSS_PREFIX --python="$PYTHONBIN" \ + || exit 1 else # --enable-pie seems to give a couple of exec's a second performance # improvement, much to my surprise. Not sure how universal this is.. - + ./configure --disable-system \ --enable-linux-user --disable-gtk --disable-sdl --disable-vnc --enable-capstone=internal \ - --target-list="${CPU_TARGET}-linux-user" --enable-pie $CROSS_PREFIX || exit 1 + --target-list="${CPU_TARGET}-linux-user" --enable-pie $CROSS_PREFIX --python="$PYTHONBIN" || exit 1 fi @@ -292,11 +289,6 @@ make -C libcompcov && echo "[+] libcompcov ready" echo "[+] Building unsigaction ..." make -C unsigaction && echo "[+] unsigaction ready" -if [ "PYTHON_TEMP_SYMLINK" = "1" ]; then - echo "[*] Removing temporary symlink for 'python'" - update-alternatives --remove python /usr/bin/python -fi - echo "[+] All done for qemu_mode, enjoy!" exit 0 -- cgit 1.4.1 From 11f3b487eea86c203b9313b8d3c2df0575c65871 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 21:51:51 +0200 Subject: corrected info about python --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 08a2238d..4488f795 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh 
@@ -120,7 +120,7 @@ for PYTHON in $PYTHONS ; do done if [ "0" = $EASY_INSTALL_FOUND ]; then - echo "[-] Error: Python setup-tools not found. Run `sudo apt-get install python-setuptools`, or install python3-setuptools, or run `python -m ensurepip`, or create a virtualenv, or ..." + echo "[-] Error: Python setup-tools not found. Run `sudo apt-get install python-setuptools`, or install python3-setuptools, or run `$PYTHONBIN -m ensurepip`, or create a virtualenv, or ..." PREREQ_NOTFOUND=1 fi -- cgit 1.4.1 From 3f621c8ed477caafcebb7067ccb10017b5119703 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 21:57:32 +0200 Subject: update .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 5a7f9408..37892865 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,4 @@ core\.* test/unittests/unit_maybe_alloc test/unittests/unit_preallocable test/unittests/unit_list +examples/afl_network_proxy/afl-network-* -- cgit 1.4.1 From 65f9553365557a7ad6deb2cfc01bf1cd39ac3adf Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 22:25:50 +0200 Subject: unicorn mode may run scripts --- src/afl-fuzz-init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 0a7941f2..7bded5ff 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1996,7 +1996,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine) { return; } + if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode) { return; } /* Check for blatant user errors. */ -- cgit 1.4.1 From 73c2619c33ed1baee9508f43f5ec5a369b454757 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 22:30:44 +0200 Subject: .gitignore: better be explicit --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 37892865..ab890bf3 100644 --- a/.gitignore +++ b/.gitignore 
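Review bot: In the src/afl-fuzz-init.c hunk, returning early for `afl->unicorn_mode` skips everything after the `/* Check for blatant user errors. */` comment, which is outside the hunk, so whatever validation of `fname` follows there no longer runs for unicorn targets; if callers rely on check_binary to reject a missing or unreadable target up front, unicorn runs would presumably fail later with a less specific error — worth confirming against the rest of the function. The reason for the exemption is only in the commit message; a comment on the condition would preserve it: `/* unicorn targets may be scripts, so the binary sanity checks below do not apply */`. check_binary starts and ends outside the hunk.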
@@ -48,4 +48,5 @@ core\.* test/unittests/unit_maybe_alloc test/unittests/unit_preallocable test/unittests/unit_list -examples/afl_network_proxy/afl-network-* +examples/afl_network_proxy/afl-network-server +examples/afl_network_proxy/afl-network-client -- cgit 1.4.1 From 749c63d3b3b46e8293898155880ff0ce37edd60c Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 14 May 2020 22:39:11 +0200 Subject: removed accidental shell injection --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 4488f795..0405cbcd 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -120,7 +120,7 @@ for PYTHON in $PYTHONS ; do done if [ "0" = $EASY_INSTALL_FOUND ]; then - echo "[-] Error: Python setup-tools not found. Run `sudo apt-get install python-setuptools`, or install python3-setuptools, or run `$PYTHONBIN -m ensurepip`, or create a virtualenv, or ..." + echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools', or install python3-setuptools, or run '$PYTHONBIN -m ensurepip', or create a virtualenv, or ..." PREREQ_NOTFOUND=1 fi -- cgit 1.4.1 From 13033034dbd0cd6d18c6dd26eb04d42933493dc7 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 23:23:55 +0200 Subject: nuicornafl build script fix setuptools check --- unicorn_mode/build_unicorn_support.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 0405cbcd..79a5a4a9 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh 
@@ -109,7 +109,7 @@ PYTHONS="`command -v python3` `command -v python` `command -v python2`" EASY_INSTALL_FOUND=0 for PYTHON in $PYTHONS ; do - if $PYTHON -c "help('$EASY_INSTALL');" Date: Thu, 14 May 2020 23:54:07 +0200 Subject: adding 20.04 test --- .travis.yml | 3 +++ test/travis/focal/Dockerfile | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 test/travis/focal/Dockerfile diff --git a/.travis.yml b/.travis.yml index ca56e474..88833e1c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,6 +9,9 @@ branches: matrix: include: + - os: linux + dist: focal + env: NAME="focal-amd64" MODERN="yes" GCC="9" - os: linux dist: bionic env: NAME="bionic-amd64" MODERN="yes" GCC="7" diff --git a/test/travis/focal/Dockerfile b/test/travis/focal/Dockerfile new file mode 100644 index 00000000..06f6841e --- /dev/null +++ b/test/travis/focal/Dockerfile 
@@ -0,0 +1,44 @@ +# This is the Dockerfile for testing problems in Travis build +# configuration #1. +# This needs not to be rebuild everytime, most of the time it needs just to +# be build once and then started when debugging issues and execute: +# cd /AFLplusplus/ +# git pull +# make distrib +# +FROM ubuntu:focal +LABEL "about"="travis image 4" +RUN apt-get update && apt-get -y install \ + automake \ + bison \ + build-essential \ + clang \ + flex \ + git \ + python3 python3-dev \ + python3-setuptools \ + libtool libtool-bin \ + libglib2.0-dev \ + python-setuptools \ + wget \ + ca-certificates \ + libpixman-1-dev \ + gcc-7 gcc-7-plugin-dev libc++-7-dev \ + findutils \ + libcmocka-dev \ + joe nano vim locate \ + && rm -rf /var/lib/apt/lists/* + +ENV AFL_NO_UI=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 + +RUN cd / && \ + git clone https://github.com/AFLplusplus/AFLplusplus && \ + cd AFLplusplus && \ + git checkout dev && \ + cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ + cd ../unicorn_mode && git submodule init && git submodule update || true && \ + cd /AFLplusplus && ASAN_BUILD=1 make source-only || true + +WORKDIR /AFLplusplus +CMD ["/bin/bash"] -- cgit 1.4.1 From c084458294031d72b066c28ee4e118fa64899b07 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 15 May 2020 00:51:57 +0200 Subject: updated 20.04 Dockerfile --- test/travis/focal/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/travis/focal/Dockerfile b/test/travis/focal/Dockerfile index 06f6841e..27d994f2 100644 --- a/test/travis/focal/Dockerfile +++ b/test/travis/focal/Dockerfile @@ -8,6 +8,7 @@ # FROM ubuntu:focal LABEL "about"="travis image 4" +ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get -y install \ automake \ bison \ 
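Review bot: `wget http://download.qemu-project.org/qemu-3.1.1.tar.xz` fetches the QEMU source over plain HTTP; the qemu build script lists `sha384sum` among its prerequisites, so a checksum is presumably verified afterwards, but `https://` costs nothing and removes the window for in-transit tampering before that check. The `... && git submodule update || true && cd /AFLplusplus && ASAN_BUILD=1 make source-only || true` chain is evaluated left to right, so the first `|| true` makes every later step unconditional and a failed `make source-only` still yields a "successful" image; acceptable for a debugging image as the header comment suggests, but a comment such as `# build failures are deliberately ignored here; inspect the build log` would stop the next reader from treating a green build as a passing one.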
@@ -23,7 +24,7 @@ RUN apt-get update && apt-get -y install \ wget \ ca-certificates \ libpixman-1-dev \ - gcc-7 gcc-7-plugin-dev libc++-7-dev \ + gcc-9 gcc-9-plugin-dev libc++-9-dev \ findutils \ libcmocka-dev \ joe nano vim locate \ -- cgit 1.4.1 From 9637fe8a74e374f8651aa6abf1cb86daebe853fc Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 15 May 2020 00:58:17 +0200 Subject: travis for focal --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 88833e1c..d3b1bd69 100644 --- a/.travis.yml +++ b/.travis.yml @@ -44,7 +44,7 @@ before_install: # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE} - echo Testing on $NAME - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi - - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi + - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0-0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python3-setuptools ; fi script: -- cgit 1.4.1 From 63e2222af16f9306ef4a182f013f13ec6aab427a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 15 May 2020 01:24:27 +0200 Subject: code format --- src/afl-fuzz-init.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 7bded5ff..613d1437 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -1996,7 +1996,11 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode) { return; } + if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode) { + + return; + + } /* Check for blatant user errors. */ -- cgit 1.4.1 From a55e26959beee4d9c0a6de795a8f7bc9b6ae979b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 15 May 2020 01:31:02 +0200 Subject: fixed recursive clean --- GNUmakefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 8bdd642e..7d9e6d83 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -203,10 +203,10 @@ ifdef NO_PYTHON endif IN_REPO=0 -ifeq "$(shell command -v git && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1" +ifeq "$(shell command -v git >/dev/null && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1" IN_REPO=1 endif -ifeq "$(shell command -v svn && svn proplist . 2>/dev/null && echo 1 || echo 0)" "1" +ifeq "$(shell command -v svn >/dev/null && svn proplist . 2>/dev/null && echo 1 || echo 0)" "1" IN_REPO=1 endif -- cgit 1.4.1 From 97bddc8cfa5920cd4926a69c09db27c55d70be08 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 15 May 2020 01:52:56 +0200 Subject: added critical whitespace --- docs/custom_mutators.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 9424af9c..464acbee 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
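Review bot: In the GNUmakefile hunk, the svn line still captures `svn proplist .`'s stdout: when the working copy has properties set on `.`, the property listing is captured together with the `1`, and the comparison with `"1"` fails in exactly the checkouts this line is meant to detect (it only works when no properties are printed). Redirect it the same way the git line now does: `ifeq "$(shell command -v svn >/dev/null && svn proplist . >/dev/null 2>&1 && echo 1 || echo 0)" "1"`.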
@@ -39,7 +39,8 @@ size_t afl_custom_trim(void *data, uint8_t **out_buf); int32_t afl_custom_post_trim(void *data, int success) { size_t afl_custom_havoc_mutation(void *data, u8 *buf, size_t buf_size, u8 **out_buf, size_t max_size); uint8_t afl_custom_havoc_mutation_probability(void *data); -uint8_t afl_custom_queue_get(void *data, const uint8_t *filename); void afl_custom_queue_new_entry(void *data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue); +uint8_t afl_custom_queue_get(void *data, const uint8_t *filename); +void afl_custom_queue_new_entry(void *data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue); void afl_custom_deinit(void *data); ``` -- cgit 1.4.1 From 182b8a4582c6935507cb8514df09bf2676a78447 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 15 May 2020 01:55:33 +0200 Subject: llvm_mode: lower llvm version reqs to 3.4 (LLInsTrim will not be available) --- llvm_mode/GNUmakefile | 2 +- llvm_mode/LLVMInsTrim.so.cc | 12 ++++++++++++ llvm_mode/afl-llvm-common.cc | 5 ++++- llvm_mode/afl-llvm-pass.so.cc | 11 +++++++++-- llvm_mode/compare-transform-pass.so.cc | 1 - llvm_mode/split-compares-pass.so.cc | 1 - llvm_mode/split-switches-pass.so.cc | 1 - test/test.sh | 23 ++++++++++++++--------- 8 files changed, 40 insertions(+), 16 deletions(-) diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index ab14e545..01c83787 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile 
@@ -39,7 +39,7 @@ else endif LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' ) -LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-7]|^1[2-9]' && echo 1 || echo 0 ) +LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-3]|^1[2-9]' && echo 1 || echo 0 ) LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 ) LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//') LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 4b8f8754..7dc96bc3 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -160,9 +160,21 @@ struct InsTrim : public ModulePass { else #else if (ngram_size_str) +#ifdef LLVM_VERSION_STRING FATAL( "Sorry, NGRAM branch coverage is not supported with llvm version %s!", LLVM_VERSION_STRING); +#else +#ifndef LLVM_VERSION_PATCH + FATAL( + "Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, 0); +#else + FATAL( + "Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, LLVM_VERISON_PATCH); +#endif +#endif #endif PrevLocSize = 1; diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index db604e14..35eabbf0 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -33,7 +33,10 @@ char *getBBName(const llvm::BasicBlock *BB) { std::string Str; raw_string_ostream OS(Str); +#if LLVM_VERSION_MAJOR >= 4 || \ + (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 7) BB->printAsOperand(OS, false); +#endif name = strdup(OS.str().c_str()); return name; 
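Review bot: In the llvm_mode/LLVMInsTrim.so.cc hunk, `LLVM_VERISON_PATCH` in the innermost `#else` branch is a typo for `LLVM_VERSION_PATCH`, so on any LLVM whose headers define `LLVM_VERSION_PATCH` but not `LLVM_VERSION_STRING` the FATAL call references an undeclared identifier and the pass fails to compile — the very configurations this commit is adding support for. The parallel hunk in llvm_mode/afl-llvm-pass.so.cc spells it correctly; the line should be `LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, LLVM_VERSION_PATCH);`. The enclosing function body starts and ends outside the hunk.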
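Review bot: In the llvm_mode/afl-llvm-common.cc hunk, for LLVM older than 3.7 the new `#if` guard skips `printAsOperand` entirely, so `Str` stays empty and getBBName returns `strdup("")`; callers that use the name for lookups or whitelisting would presumably match nothing on those versions, silently rather than with an error. If that is the intended behaviour it deserves a comment, e.g. `// printAsOperand needs LLVM >= 3.7; older versions get an empty name`, otherwise an `#else` branch writing `BB->getName()` into `OS` would at least preserve named blocks. The end of getBBName lies outside the hunk.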
@@ -171,7 +174,7 @@ bool isInWhitelist(llvm::Function *F) {
 #else
 if (!Loc.isUnknown()) {
- DILocation cDILoc(Loc.getAsMDNode(C));
+ DILocation cDILoc(Loc.getAsMDNode(F->getContext()));
 unsigned int instLine = cDILoc.getLineNumber();
 StringRef instFilename = cDILoc.getFilename();
diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc
index f58a7a5e..5bf705f8 100644
--- a/llvm_mode/afl-llvm-pass.so.cc
+++ b/llvm_mode/afl-llvm-pass.so.cc
@@ -211,8 +211,15 @@ bool AFLCoverage::runOnModule(Module &M) {
 else
 #else
 if (ngram_size_str)
- FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %s!",
- LLVM_VERSION_STRING);
+#ifndef LLVM_VERSION_PATCH
+ FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!",
+ LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR,
+ 0);
+#else
+ FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!",
+ LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR,
+ LLVM_VERSION_PATCH);
+#endif
 #endif
 PrevLocSize = 1;
diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc
index 8fadc424..1ebc54d7 100644
--- a/llvm_mode/compare-transform-pass.so.cc
+++ b/llvm_mode/compare-transform-pass.so.cc
@@ -25,7 +25,6 @@
 #include "llvm/Config/llvm-config.h"
 #include "llvm/ADT/Statistic.h"
-#include "llvm/IR/DebugInfo.h"
 #include "llvm/IR/IRBuilder.h"
 #include "llvm/IR/LegacyPassManager.h"
 #include "llvm/IR/Module.h"
diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc
index eb5deb14..2c4ed71c 100644
--- a/llvm_mode/split-compares-pass.so.cc
+++ b/llvm_mode/split-compares-pass.so.cc
@@ -27,7 +27,6 @@
 #include "llvm/Config/llvm-config.h"
 #include "llvm/Pass.h"
-#include "llvm/IR/DebugInfo.h"
 #include "llvm/Support/raw_ostream.h"
 #include "llvm/IR/LegacyPassManager.h"
 #include "llvm/Transforms/IPO/PassManagerBuilder.h"
diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc
index 6328ea5f..4a6ca3d9 100644
--- a/llvm_mode/split-switches-pass.so.cc
+++ b/llvm_mode/split-switches-pass.so.cc
@@ -26,7 +26,6 @@
 #include "llvm/Config/llvm-config.h"
 #include "llvm/ADT/Statistic.h"
-#include "llvm/IR/DebugInfo.h"
 #include "llvm/IR/IRBuilder.h"
 #include "llvm/IR/LegacyPassManager.h"
 #include "llvm/IR/Module.h"
diff --git a/test/test.sh b/test/test.sh
index 88bde564..2559f058 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -338,19 +338,24 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
 rm -f test-instr.plain
 # now for the special llvm_mode things
- AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out
- test -e test-instr.instrim && {
- TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'`
- test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && {
- $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine"
+ test -e ../libLLVMInsTrim.so && {
+ AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out
+ test -e test-instr.instrim && {
+ TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'`
+ test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && {
+ $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine"
+ } || {
+ $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES"
+ CODE=1
+ }
+ rm -f test-instr.instrim test.out
 } || {
- $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES"
+ $ECHO "$RED[!] llvm_mode InsTrim compilation failed"
 CODE=1
 }
- rm -f test-instr.instrim test.out
 } || {
- $ECHO "$RED[!] llvm_mode InsTrim compilation failed"
- CODE=1
+ $ECHO "$YELLOW[-] llvm_mode InsTrim not compiled, cannot test"
+ INCOMPLETE=1
 }
 AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1
 test -e test-compcov.compcov && {
-- cgit 1.4.1
From 49bd24144a881f4f55ef1a3db9a7f129a6670488 Mon Sep 17 00:00:00 2001
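Review bot: The new outer `test -e ../libLLVMInsTrim.so && { … } || { … }` inherits the shell pitfall of the inner blocks it wraps: the `||` arm runs whenever the last command of the `&&` block fails, not only when the test fails, so a failing `rm -f test-instr.instrim test.out` at the end of the new inner block would also print "InsTrim not compiled, cannot test" and set INCOMPLETE=1 after the test actually ran. An `if test -e ../libLLVMInsTrim.so; then … else … fi` makes the two outcomes exclusive, and the same applies to the two nested `&& { } || { }` pairs this hunk re-indents. The re-added `test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5` also fails with a non-integer error when the grep/awk pipeline yields nothing, which is then reported as "weird numbers" with an empty count; a default like `TUPLES=${TUPLES:-0}` before the comparison keeps the message meaningful. The enclosing `test -e ../afl-clang-fast … && {` block starts and ends outside the hunk.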
From: van Hauser Date: Fri, 15 May 2020 08:35:46 +0200 Subject: v2.65c --- README.md | 4 ++-- TODO.md | 6 +++--- docs/Changelog.md | 2 +- include/config.h | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 216fea95..253275e2 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ ![Travis State](https://api.travis-ci.com/AFLplusplus/AFLplusplus.svg?branch=master) - Release Version: [2.64c](https://github.com/AFLplusplus/AFLplusplus/releases) + Release Version: [2.65c](https://github.com/AFLplusplus/AFLplusplus/releases) - Github Version: 2.64d + Github Version: 2.65d includes all necessary/interesting changes from Google's afl 2.56b diff --git a/TODO.md b/TODO.md index dd88dcc2..d084f6e8 100644 --- a/TODO.md +++ b/TODO.md @@ -2,17 +2,17 @@ ## Roadmap 2.65+ - - InsTrim mode for LTO solution + - sync_fuzzers(): only masters sync from all, slaves only sync from master + (@andrea: be careful, often people run all slaves) - AFL_MAP_SIZE for qemu_mode and unicorn_mode - random crc32 HASH_CONST per run? because with 65536 paths we have collisions - namespace for targets? e.g. network - libradamsa as a custom module? + - focal for travis ## Further down the road afl-fuzz: - - sync_fuzzers(): only masters sync from all, slaves only sync from master - (@andrea: be careful, often people run all slaves) - ascii_only mode for mutation output - or use a custom mutator for this? - setting min_len/max_len/start_offset/end_offset limits for mutation output diff --git a/docs/Changelog.md b/docs/Changelog.md index f3e8dcb3..ef5759c8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,7 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . -### Version ++2.64d (develop): +### Version ++2.65c (release): - afl-fuzz: - AFL_MAP_SIZE was not working correctly - better python detection diff --git a/include/config.h b/include/config.h index ff7bc788..cd6ff641 100644 --- a/include/config.h 
+++ b/include/config.h @@ -28,7 +28,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.64d" +#define VERSION "++2.65c" /****************************************************** * * -- cgit 1.4.1