From eac53afe7b99bdb2729ca01791b4bac92a7ae4d9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 15 Jul 2024 23:42:55 +0200 Subject: fix autodict --- instrumentation/afl-llvm-dict2file.so.cc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index b93f61f0..6559bc84 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -661,6 +661,13 @@ bool AFLdict2filePass::runOnModule(Module &M) { Value *op2 = callInst->getArgOperand(2); ConstantInt *ilen = dyn_cast(op2); + if (!ilen) { + + op2 = callInst->getArgOperand(1); + ilen = dyn_cast(op2); + + } + if (ilen) { uint64_t literalLength = optLen; -- cgit 1.4.1 From bbcb3dd53e0d69972fd10247337b7f1ee03c4abd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 17 Jul 2024 13:01:39 +0200 Subject: mini performance opt --- instrumentation/afl-compiler-rt.o.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 372b9f5a..6e04ae47 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -872,7 +872,7 @@ static void __afl_start_forkserver(void) { __afl_old_forkserver = 1; status = 0; - if (__afl_final_loc && __afl_final_loc > MAP_SIZE) { + if (__afl_final_loc > MAP_SIZE) { fprintf(stderr, "Warning: AFL_OLD_FORKSERVER is used with a target compiled with " @@ -969,13 +969,13 @@ static void __afl_start_forkserver(void) { /* Wait for parent by reading from the pipe. Abort if read fails. */ - if (already_read_first) { + if (unlikely(already_read_first)) { already_read_first = 0; } else { - if (read(FORKSRV_FD, &was_killed, 4) != 4) { + if (unlikely(read(FORKSRV_FD, &was_killed, 4) != 4)) { write_error("read from AFL++ tool"); _exit(1); 
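Review bot: The new fallback that retries `getArgOperand(1)` when operand 2 is not a `ConstantInt` carries no comment saying which callee shapes it is meant for, so a reader cannot tell whether it is intentional that a non-constant length in position 2 makes the pass reinterpret position 1 as the length. If position 1 is always a pointer for the callees reaching this code the second `dyn_cast` simply yields null and the fallback is harmless, but for any callee that carries an unrelated integer in position 1 it would be recorded as a literal length; I cannot see the callee filter from this hunk. Suggest a comment above the new block such as `// some callees carry the length in argument 1 rather than 2; retry there` naming the functions actually covered, and, if only specific callees need it, guarding the fallback on their names. `runOnModule` continues outside the hunk.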
@@ -1014,10 +1014,10 @@ static void __afl_start_forkserver(void) { condition and afl-fuzz already issued SIGKILL, write off the old process. */ - if (child_stopped && was_killed) { + if (unlikely(child_stopped && was_killed)) { child_stopped = 0; - if (waitpid(child_pid, &status, 0) < 0) { + if (unlikely(waitpid(child_pid, &status, 0) < 0)) { write_error("child_stopped && was_killed"); _exit(1); @@ -1026,12 +1026,12 @@ static void __afl_start_forkserver(void) { } - if (!child_stopped) { + if (unlikely(!child_stopped)) { /* Once woken up, create a clone of our process. */ child_pid = fork(); - if (child_pid < 0) { + if (unlikely(child_pid < 0)) { write_error("fork"); _exit(1); @@ -1040,7 +1040,7 @@ static void __afl_start_forkserver(void) { /* In child process: close fds, resume execution. */ - if (!child_pid) { + if (unlikely(!child_pid)) { // just to signal afl-fuzz faster //(void)nice(-20); @@ -1065,14 +1065,15 @@ static void __afl_start_forkserver(void) { /* In parent process: write PID to pipe, then wait for child. */ - if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) { + if (unlikely(write(FORKSRV_FD + 1, &child_pid, 4) != 4)) { write_error("write to afl-fuzz"); _exit(1); } - if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) { + if (unlikely(waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < + 0)) { write_error("waitpid"); _exit(1); @@ -1083,11 +1084,11 @@ static void __afl_start_forkserver(void) { a successful run. In this case, we want to wake it up without forking again. */ - if (WIFSTOPPED(status)) child_stopped = 1; + if (likely(WIFSTOPPED(status))) { child_stopped = 1; } /* Relay wait status to pipe, then loop back. */ - if (write(FORKSRV_FD + 1, &status, 4) != 4) { + if (unlikely(write(FORKSRV_FD + 1, &status, 4) != 4)) { write_error("writing to afl-fuzz"); _exit(1); -- cgit 1.4.1 From 4a6b751b93c135ac524bcad6e9d223e144fe0bd3 Mon Sep 17 00:00:00 2001 
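Review bot: `unlikely(!child_stopped)` in the `-1026` hunk and `likely(WIFSTOPPED(status))` in the `-1083` hunk encode persistent-mode behaviour only: the `is_persistent ? WUNTRACED : 0` argument to `waitpid` in the `-1065` hunk shows this loop also serves non-persistent targets, and for those `child_stopped` stays 0 and `WIFSTOPPED` is false on every iteration, so both hints are inverted on that path. The cost is negligible next to `fork()`, so either drop these two hints and keep the ones on genuine error paths, or document the assumption with `/* branch hints assume persistent mode; non-persistent targets take the "unlikely" path every iteration */`. `__afl_start_forkserver` begins and ends outside these hunks.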
From: Giovanni Di Santi Date: Sun, 21 Jul 2024 18:26:13 +0200 Subject: frida_mode: fix fasan operand access order --- frida_mode/src/asan/asan_arm64.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 94729939..c1d5c10f 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -39,15 +39,15 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) { address = base + index + mem->disp; - if ((operand->access & CS_AC_READ) == CS_AC_READ) { + if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) { - asan_loadN(address, asan_ctx->size); + asan_storeN(address, asan_ctx->size); } - if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) { + if ((operand->access & CS_AC_READ) == CS_AC_READ) { - asan_storeN(address, asan_ctx->size); + asan_loadN(address, asan_ctx->size); } -- cgit 1.4.1 From 31a1fbae33fc610dc799821afb5ce8572509648d Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 23 Jul 2024 14:06:19 +0200 Subject: Fix LLVM mode build on MacOS --- GNUmakefile.llvm | 10 +++++----- custom_mutators/gramatron/json-c | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- nyx_mode/QEMU-Nyx | 2 +- nyx_mode/libnyx | 2 +- nyx_mode/packer | 2 +- qemu_mode/qemuafl | 2 +- unicorn_mode/unicornafl | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 8b4c6054..52ff778c 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -61,7 +61,6 @@ LLVM_HAVE_LTO := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || e LLVM_BINDIR := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) LLVM_LIBDIR := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) LLVM_STDCXX := gnu++11 -LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) LLVM_LTO := 0 LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-8]\.' && echo 1 || echo 0) # Uncomment to see the values assigned above 
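Review bot: The two `if` blocks in `asan_callout` are independent (not `else if`), so a future reader will see their order as arbitrary and may swap them back, even though the commit subject says the order is the fix. Add a comment above the first check that states why the store check must precede the load check for operands whose `access` has both `CS_AC_READ` and `CS_AC_WRITE` set, e.g. `/* check the write before the read: read-modify-write operands must report as a store first (see commit: fix fasan operand access order) */`, with the actual rationale filled in. `asan_callout` starts outside the hunk.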
@@ -112,10 +111,6 @@ ifeq "$(LLVM_LTO)" "0" $(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.) endif -ifeq "$(LLVM_APPLE_XCODE)" "1" - $(warning llvm_mode will not compile with Xcode clang...) -endif - # We were using llvm-config --bindir to get the location of clang, but # this seems to be busted on some distros, so using the one in $PATH is # probably better. @@ -123,6 +118,11 @@ endif CC = $(LLVM_BINDIR)/clang CXX = $(LLVM_BINDIR)/clang++ +LLVM_APPLE_XCODE := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) +ifeq "$(LLVM_APPLE_XCODE)" "1" + $(warning llvm_mode will not compile with Xcode clang...) +endif + # llvm-config --bindir may not providing a valid path, so ... ifeq "$(shell test -e $(CC) || echo 1 )" "1" # however we must ensure that this is not a "CC=gcc make" diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c index af8dd4a3..11546bfd 160000 --- a/custom_mutators/gramatron/json-c +++ b/custom_mutators/gramatron/json-c @@ -1 +1 @@ -Subproject commit af8dd4a307e7b837f9fa2959549548ace4afe08b +Subproject commit 11546bfd07a575c47416924cb98de3d33a4e6424 diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index 05d8f537..ff4e5a26 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit 05d8f537f8d656f0754e7ad5dcc653c42cb4f8ff +Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx index e5e1c4c2..60c216bc 160000 --- a/nyx_mode/QEMU-Nyx +++ b/nyx_mode/QEMU-Nyx @@ -1 +1 @@ -Subproject commit e5e1c4c21ff9c4dc80e6409d4eab47146c6024cd +Subproject commit 60c216bc9e4c79834716d4099993d8397a3a8fd9 diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx index 6833d236..2da7f08b 160000 --- a/nyx_mode/libnyx +++ b/nyx_mode/libnyx 
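Review bot: The relocated `LLVM_APPLE_XCODE` probe runs `$(CC) -v` immediately after `CC = $(LLVM_BINDIR)/clang`, but the comment and `ifeq "$(shell test -e $(CC) || echo 1 )" "1"` right below acknowledge that this path may not exist and fall back to another compiler; in that case the probe silently evaluates to 0 on a missing binary and the Xcode warning is decided on a compiler that is not the one actually used. Move the three added lines below that fallback block so the check sees the final `CC`. The fallback block continues outside the hunk.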
@@ -1 +1 @@ -Subproject commit 6833d236dfe785a8a23d8c8d79e74c99fa635004 +Subproject commit 2da7f08b6e0267ccfe64e1320b24cdb29223459c diff --git a/nyx_mode/packer b/nyx_mode/packer index bcf3e248..202bace8 160000 --- a/nyx_mode/packer +++ b/nyx_mode/packer @@ -1 +1 @@ -Subproject commit bcf3e248b660764f48af54232a3388389a2dfc22 +Subproject commit 202bace888d237e4e8f4507d0eba6791a811554d diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 847b43ac..b0abbe2e 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit 847b43acb11530e775013dc24b54c6e27406179c +Subproject commit b0abbe2e74ed74ff6ff25b5ea3110d27ba978001 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 4b4fdab1..63aab0f7 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 4b4fdab161c15529affcc1e785d779e318b882ab +Subproject commit 63aab0f752ba1d40a1c4de6988a78cd1e6dcc1c7 -- cgit 1.4.1 From c0d53a1aa790c5225b5bebd16b7594abe0fc0be1 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 23 Jul 2024 14:42:43 +0200 Subject: oops --- .gitignore | 1 + custom_mutators/gramatron/json-c | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- nyx_mode/QEMU-Nyx | 2 +- nyx_mode/libnyx | 2 +- nyx_mode/packer | 2 +- qemu_mode/qemuafl | 2 +- unicorn_mode/unicornafl | 2 +- 8 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 8e191e29..9ac577d3 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ *.pyc *.so *.swp +.DS_Store .sync_tmp .test .test2 diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c index 11546bfd..af8dd4a3 160000 --- a/custom_mutators/gramatron/json-c +++ b/custom_mutators/gramatron/json-c @@ -1 +1 @@ -Subproject commit 11546bfd07a575c47416924cb98de3d33a4e6424 +Subproject commit af8dd4a307e7b837f9fa2959549548ace4afe08b 
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index ff4e5a26..05d8f537 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 +Subproject commit 05d8f537f8d656f0754e7ad5dcc653c42cb4f8ff diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx index 60c216bc..e5e1c4c2 160000 --- a/nyx_mode/QEMU-Nyx +++ b/nyx_mode/QEMU-Nyx @@ -1 +1 @@ -Subproject commit 60c216bc9e4c79834716d4099993d8397a3a8fd9 +Subproject commit e5e1c4c21ff9c4dc80e6409d4eab47146c6024cd diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx index 2da7f08b..6833d236 160000 --- a/nyx_mode/libnyx +++ b/nyx_mode/libnyx @@ -1 +1 @@ -Subproject commit 2da7f08b6e0267ccfe64e1320b24cdb29223459c +Subproject commit 6833d236dfe785a8a23d8c8d79e74c99fa635004 diff --git a/nyx_mode/packer b/nyx_mode/packer index 202bace8..bcf3e248 160000 --- a/nyx_mode/packer +++ b/nyx_mode/packer @@ -1 +1 @@ -Subproject commit 202bace888d237e4e8f4507d0eba6791a811554d +Subproject commit bcf3e248b660764f48af54232a3388389a2dfc22 diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index b0abbe2e..847b43ac 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit b0abbe2e74ed74ff6ff25b5ea3110d27ba978001 +Subproject commit 847b43acb11530e775013dc24b54c6e27406179c diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 63aab0f7..4b4fdab1 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 63aab0f752ba1d40a1c4de6988a78cd1e6dcc1c7 +Subproject commit 4b4fdab161c15529affcc1e785d779e318b882ab -- cgit 1.4.1 From bb72cc752a1db07144e16bb7ca4020ea6eb62445 Mon Sep 17 00:00:00 2001 
From: killerra <25255685+killerra@users.noreply.github.com> Date: Tue, 23 Jul 2024 17:31:13 +0200 Subject: Fixed frida unstable coverage for instances not named "default" --- frida_mode/src/instrument/instrument_coverage.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index ff2f4024..6ab55e0e 100644 --- a/frida_mode/src/instrument/instrument_coverage.c +++ b/frida_mode/src/instrument/instrument_coverage.c @@ -818,6 +818,9 @@ void instrument_coverage_unstable_find_output(void) { GDir *dir = g_dir_open(fds_name, 0, NULL); + gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT"); + gchar *instance_name = g_path_get_basename(path_tmp); + FVERBOSE("Coverage Unstable - fds: %s", fds_name); for (const gchar *filename = g_dir_read_name(dir); filename != NULL; @@ -829,7 +832,7 @@ void instrument_coverage_unstable_find_output(void) { if (link == NULL) { FFATAL("Failed to read link: %s", fullname); } gchar *basename = g_path_get_basename(link); - if (g_strcmp0(basename, "default") != 0) { + if (g_strcmp0(basename, instance_name) != 0) { g_free(basename); g_free(link); @@ -849,7 +852,7 @@ void instrument_coverage_unstable_find_output(void) { relative = g_build_path("/", link, NULL); } - + gchar *cmdline = g_build_path("/", relative, "cmdline", NULL); if (!g_file_test(cmdline, G_FILE_TEST_EXISTS)) { -- cgit 1.4.1 From 5bfe0c1a15994c5abaeb2240a187a5e7291ed9dd Mon Sep 17 00:00:00 2001 From: killerra <25255685+killerra@users.noreply.github.com> Date: Tue, 23 Jul 2024 20:52:15 +0100 Subject: added free for new strings --- frida_mode/src/instrument/instrument_coverage.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index 6ab55e0e..a546dc24 100644 --- a/frida_mode/src/instrument/instrument_coverage.c 
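Review bot: `getenv("AFL_CUSTOM_INFO_OUT")` can return NULL, and `g_path_get_basename(NULL)` then yields NULL with a GLib critical, after which `g_strcmp0(basename, instance_name)` never returns 0 and no output is matched; before this change the literal `"default"` was used in that situation. Keep that fallback, e.g. `gchar *instance_name = g_path_get_basename(path_tmp ? path_tmp : "default");`. `instrument_coverage_unstable_find_output` starts and ends outside the hunk.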
+++ b/frida_mode/src/instrument/instrument_coverage.c @@ -852,7 +852,7 @@ void instrument_coverage_unstable_find_output(void) { relative = g_build_path("/", link, NULL); } - + gchar *cmdline = g_build_path("/", relative, "cmdline", NULL); if (!g_file_test(cmdline, G_FILE_TEST_EXISTS)) { @@ -877,6 +877,8 @@ void instrument_coverage_unstable_find_output(void) { } g_dir_close(dir); + g_free(instance_name); + g_free(path_tmp); g_free(fds_name); if (unstable_coverage_fuzzer_stats == NULL) { -- cgit 1.4.1 From 2f2ddbbd796a552ae19440075244176bb98bfb01 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 24 Jul 2024 10:19:49 +0200 Subject: fix afl-whatup time calc --- afl-whatsup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/afl-whatsup b/afl-whatsup index 19841755..6fa2dfc2 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -112,12 +112,12 @@ if [ -z "$NO_COLOR" ]; then fi PLATFORM=`uname -s` -if [ "$PLATFORM" = "Linux" ] ; then - CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'` -else +#if [ "$PLATFORM" = "Linux" ] ; then +# CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'` +#else # This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux CUR_TIME=`date +%s` -fi +#fi TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1 trap "rm -f $TMP" 1 2 3 13 15 -- cgit 1.4.1 From 6e37f9b237ed12193688c86b6a527f32793f157e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 24 Jul 2024 14:48:23 +0200 Subject: new cmplog map --- docs/Changelog.md | 2 ++ include/cmplog.h | 13 ++++++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index d33d3121..3f9f0161 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
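Review bot: `g_free(path_tmp)` in the `-877` hunk frees a pointer that `path_tmp` received from `getenv()` earlier in this function (outside the hunk); that storage belongs to the process environment, not the caller, and freeing it is undefined behaviour and can corrupt later `getenv()` results. Only `instance_name`, allocated by `g_path_get_basename`, is owned here, so drop the `g_free(path_tmp);` line and keep `g_free(instance_name);`.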
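Review bot: The Linux branch is commented out rather than removed, which leaves dead code plus a comment ("This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux") that now describes the only remaining path and no longer explains why `date +%s` is the correct choice. Replace the five commented lines with a single comment giving the actual reason for the fix (presumably that the timestamps being compared are epoch seconds, so `/proc/uptime` was never comparable) and keep just `CUR_TIME=\`date +%s\``. `PLATFORM` is still assigned two lines above; if nothing else in the script reads it, it can go too.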
@@ -13,6 +13,8 @@ - improved seed selection algorithm - added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send() function after the target has been restarted. + - because of bad math and undefined behaviour fixes we have to change + the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS** - frida_mode: - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just a function entry diff --git a/include/cmplog.h b/include/cmplog.h index a4449a60..9f995da6 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -53,21 +53,24 @@ struct cmp_header { // 16 bit = 2 bytes struct cmp_operands { u64 v0; - u64 v1; u64 v0_128; + u64 v0_256_0; // u256 is unsupported by any compiler for now, so future use + u64 v0_256_1; + u64 v1; u64 v1_128; - u64 unused; - u8 unused1; - u8 unused2; + u64 v1_256_0; + u64 v1_256_1; + u8 unused[8]; } __attribute__((packed)); struct cmpfn_operands { u8 v0[32]; - u8 v0_len; u8 v1[32]; + u8 v0_len; u8 v1_len; + u8 unused[6]; } __attribute__((packed)); -- cgit 1.4.1
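Review bot: The reordered `struct cmp_operands` (8 × `u64` + `unused[8]`) and `struct cmpfn_operands` (2 × 32 + 2 + `unused[6]`) now both come to 72 bytes, which looks deliberate so that one can overlay the other, yet nothing in the header pins that invariant, and the changelog hunk states the layout is a shared-memory ABI every CMPLOG target must match. Add a compile-time check after the definitions, e.g. `_Static_assert(sizeof(struct cmp_operands) == sizeof(struct cmpfn_operands), "cmplog operand structs must overlay exactly");`, and a one-line comment on each struct recording the intended 72-byte size; if the header is also compiled as C++ use a form valid in both languages. The rest of `cmplog.h` is outside the hunk.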