From 396de6fc9c49e6865b3130489ed39c7ea47540d1 Mon Sep 17 00:00:00 2001 From: Marc Poulhiès Date: Thu, 3 Mar 2022 13:05:17 +0100 Subject: Fix GCC plugin crash when using deny/allow list The provided function declaration F may not have valid location information. Return an empty string in this case as the two callers are already using this convention to filter out functions from being instrumented when deny/allow list are used. --- instrumentation/afl-gcc-pass.so.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 734fa170..bb5483fc 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -714,9 +714,11 @@ struct afl_pass : gimple_opt_pass { } + /* Returns the source file name attached to the function declaration F. If + there is no source location information, returns an empty string. */ std::string getSourceName(function *F) { - return DECL_SOURCE_FILE(F->decl); + return DECL_SOURCE_FILE(F->decl) ? DECL_SOURCE_FILE(F->decl) : ""; } -- cgit 1.4.1 From ce1fc4b27d6fd7e6068eb8501309bbb097e6a136 Mon Sep 17 00:00:00 2001 From: Cornul11 Date: Mon, 11 Apr 2022 19:30:06 +0200 Subject: updated citation --- CITATION.cff | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CITATION.cff b/CITATION.cff index efd6cad8..45658ac2 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -14,9 +14,9 @@ authors: family-names: Meier email: mail@dmnk.co title: "AFL++" -version: 3.14 +version: 4.00c type: software -date-released: 2021-07-19 +date-released: 2022-01-26 url: "https://github.com/AFLplusplus/AFLplusplus" keywords: - fuzzing -- cgit 1.4.1 From 57db3e7f4f814c7b32a0aff7367057ffb0d12ebd Mon Sep 17 00:00:00 2001 
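Review bot: `DECL_SOURCE_FILE(F->decl)` is expanded twice in the new return statement, and the `""` fallback turns a declaration without location information into an empty file name that the allow/deny-list callers are expected to read as "do not instrument" — a contract stated only in the commit message, not at the call sites. Evaluate the macro once and make the sentinel explicit: `const char *file = DECL_SOURCE_FILE(F->decl);` / `return file ? std::string(file) : std::string();`. The new comment should also say that an empty result excludes the function from instrumentation rather than being matched against the list, so a future caller does not treat "" as a real path; with a deny list an unlocatable function presumably cannot match any entry, so confirm the callers skip it in that mode too rather than instrumenting it by default. Both callers are outside this hunk.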
From: Miroslav Lichvar Date: Wed, 13 Apr 2022 13:11:17 +0200 Subject: afl-cmin: quote program arguments Quote the program arguments in the system() function to allow them to contain spaces. --- afl-cmin | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/afl-cmin b/afl-cmin index 879aead2..853c9398 100755 --- a/afl-cmin +++ b/afl-cmin @@ -217,7 +217,7 @@ BEGIN { for (; Optind < ARGC; Optind++) { prog_args[i++] = ARGV[Optind] if (i > 1) - prog_args_string = prog_args_string" "ARGV[Optind] + prog_args_string = prog_args_string" '"ARGV[Optind]"'" } # sanity checks -- cgit 1.4.1 From 8971c9a5ce5bebd235caa4e785b019ae057c0722 Mon Sep 17 00:00:00 2001 From: yuawn Date: Thu, 14 Apr 2022 11:26:54 +0000 Subject: update llvm version in INSTALL.md --- docs/INSTALL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 348b681e..01343b7f 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -21,8 +21,8 @@ is to build and install everything: ```shell sudo apt-get update sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools -# try to install llvm 11 and install the distro default if that fails -sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang +# try to install llvm 12 and install the distro default if that fails +sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev sudo apt-get install -y ninja-build # for QEMU mode git clone https://github.com/AFLplusplus/AFLplusplus -- cgit 1.4.1 From 6e790552fe7a1f34e584160ceef051b6f66b7ce4 Mon Sep 17 00:00:00 2001 
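Review bot: Wrapping each argument in single quotes handles spaces but not a single quote inside the argument: `prog_args_string` is later passed to system(), so an argument such as `a'b` closes the quoting and the remainder is interpreted by the shell. Escape embedded quotes before wrapping, e.g. `arg = ARGV[Optind]; gsub(/'/, "'\\''", arg)` followed by `prog_args_string = prog_args_string" '"arg"'"`, and check the replacement string against the awk implementations afl-cmin is run with, since backslash handling in gsub replacements differs between gawk and mawk. The program itself (prog_args[0], skipped by the `i > 1` test) is not part of this string, so whatever builds the command from it needs the same treatment. The for loop and the system() call that consumes the string are outside the hunk.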
From: David Carlier Date: Fri, 15 Apr 2022 17:34:19 +0100 Subject: libdislocator, new option to name an anonymous address range. For performance matter tough, disabled by default. --- unicorn_mode/unicornafl | 2 +- utils/libdislocator/Makefile | 3 ++- utils/libdislocator/README.md | 5 ++++- utils/libdislocator/libdislocator.so.c | 18 ++++++++++++++++++ 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index d4915053..a44fa944 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e +Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 diff --git a/utils/libdislocator/Makefile b/utils/libdislocator/Makefile index f0b4bb72..6bfb79ec 100644 --- a/utils/libdislocator/Makefile +++ b/utils/libdislocator/Makefile @@ -19,9 +19,10 @@ HELPER_PATH = $(PREFIX)/lib/afl VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2) CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 -override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign +CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE) +CFLAGS_ADD += $(USENAMEDPAGE:1=-DUSENAMEDPAGE) CFLAGS += $(CFLAGS_ADD) all: libdislocator.so diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index 68ac9143..e4934b5d 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -29,6 +29,9 @@ heap-related security bugs in several ways: - Optionally, in platforms supporting it, huge pages can be used by passing `USEHUGEPAGE=1` to make. + - Optionally, in platforms supporting it, `named` pages can be used by passing + `USENAMEDPAGE=1` to make. + - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In this case, a tail canary is inserted in the padding bytes at the end of the allocated zone. This reduce the ability of libdislocator to detect 
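Review bot: Dropping `override` from `CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` means a command-line `make CFLAGS=...` now discards the include path (libdislocator.so.c includes `config.h` from there) and, because GNU make ignores ordinary assignments to a variable set on the command line, also the `-DUSEHUGEPAGE`/`-DUSENAMEDPAGE` flags appended through the non-override `CFLAGS += $(CFLAGS_ADD)` below it. If the intent was to let users add flags rather than replace them, keep `override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign` and change the later line to `override CFLAGS += $(CFLAGS_ADD)` so `USENAMEDPAGE=1` survives a custom CFLAGS.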
@@ -64,4 +67,4 @@ require AFL-instrumented binaries to work. Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is dynamically linked. Otherwise, attempting to use the library will have no -effect. \ No newline at end of file +effect. diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 103da9d5..72fafa4b 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -39,6 +39,7 @@ #if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__) #include + #include #ifdef __linux__ #include #include @@ -66,6 +67,10 @@ } while (0) #endif + #ifndef PR_SET_VMA + #define PR_SET_VMA 0x53564d41 + #define PR_SET_VMA_ANON_NAME 0 + #endif #endif #include "config.h" @@ -251,6 +256,19 @@ static void *__dislocator_alloc(size_t len) { } +#if defined(USENAMEDPAGE) +#if defined(__linux__) + // in the /proc//maps file, the anonymous page appears as + // `- ---p 00000000 00:00 0 [anon:libdislocator]` + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, + (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + + DEBUGF("prctl() failed"); + + } +#endif +#endif + /* Set PROT_NONE on the last page. */ if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) -- cgit 1.4.1 From b1da7500b2ef915887322d4a1903fe981d49acb5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:06:13 +0200 Subject: fix msg --- instrumentation/cmplog-instructions-pass.cc | 79 +++++++++++++++++++++++++++-- instrumentation/cmplog-routines-pass.cc | 2 + src/afl-fuzz.c | 2 +- 3 files changed, 79 insertions(+), 4 deletions(-) diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 4d37bcb2..e21289b4 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
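Review bot: The `prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...)` call is only honoured by kernels that know the command (mainline 5.17 and later, earlier on Android); on older kernels it fails with EINVAL, which is reported here only as `DEBUGF("prctl() failed")` with no reason, so `DEBUGF("prctl(PR_SET_VMA_ANON_NAME) failed: %s", strerror(errno))` (if errno/string.h are in scope) would tell the user whether the kernel or the name is the problem, and the README should state the kernel requirement next to `USENAMEDPAGE=1`. Naming the region before the `mprotect(..., PROT_NONE)` on the tail page is fine since the split VMAs inherit the name, but the name covers the full `tlen` mapping including that guard page, which looks intended and deserves a one-line comment. The fallback `#define PR_SET_VMA 0x53564d41` / `PR_SET_VMA_ANON_NAME 0` match the kernel UAPI values and are safe for older headers. `__dislocator_alloc()` starts and ends outside the hunk.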
@@ -32,9 +32,15 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 + #include "llvm/Pass.h" + #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" + #include "llvm/Analysis/EHPersonalities.h" + #include "llvm/Analysis/PostDominators.h" + #include "llvm/Analysis/LoopInfo.h" + #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -64,7 +70,10 @@ using namespace llvm; namespace { +using LoopInfoCallback = function_ref; + #if LLVM_MAJOR >= 11 /* use new pass manager */ + class CmpLogInstructions : public PassInfoMixin { public: @@ -88,6 +97,7 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ + PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; @@ -106,7 +116,8 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); + unsigned int instrumented = 0; }; @@ -153,7 +164,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M) { +bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { std::vector icomps; LLVMContext & C = M.getContext(); 
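Review bot: The new `using LoopInfoCallback = function_ref<...>` alias and the `hookInstrs(Module &M, LoopInfoCallback LCallback)` signature sit outside the `#if LLVM_MAJOR >= 11` block, but the `llvm/Analysis/LoopInfo.h` include that declares `LoopInfo` is added only inside it, so the legacy-pass-manager build (LLVM < 11) sees an undeclared type unless LoopInfo.h arrives transitively; move that include out of the conditional or guard the alias and the new parameter the same way. The `unsigned int instrumented = 0;` counter is only read by a debug `fprintf` in a later hunk, so it should be gated or removed together with that output. The class and `hookInstrs` continue in the following hunks.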
@@ -290,14 +301,62 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (!isInInstrumentList(&F, MNAME)) continue; + std::vector lcomps; + const LoopInfo * LI = LCallback(F); +#if 0 + for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; + BasicBlock *In, *Out; + bool ok = false ; L->getIncomingAndBackEdge(In, Out); + if (ok) { + + BasicBlock *decisionBB = In->getSingleSuccessor(); + + if (decisionBB) { + + /* + std::string errMsg1; + raw_string_ostream os1(errMsg1); + In->print(os1); + fprintf(stderr, "In: %s\n", os1.str().c_str()); + std::string errMsg2; + raw_string_ostream os2(errMsg2); + Out->print(os2); + fprintf(stderr, "Out: %s\n", os2.str().c_str()); + std::string errMsg3; + raw_string_ostream os3(errMsg3); + decisionBB->print(os3); + fprintf(stderr, "Dec: %s\n", os3.str().c_str()); + */ + lcomps.push_back(decisionBB); + + } + + } + } +#endif + + + // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), + // lcomps.size()); + for (auto &BB : F) { + if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { + + fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); + + continue; + + } + for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); + fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } @@ -644,6 +703,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { break; } + + ++instrumented; } @@ -657,6 +718,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } } + + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) return true; 
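Review bot: The `fprintf(stderr, "Found icomp %p in %p\n", ...)`, `fprintf(stderr, "skipping: ...")` and `fprintf(stderr, "instrumented: %u (%zu)\n", ...)` calls run unconditionally, ignoring `be_quiet`, so every CmpLog compile now prints raw pointers for each compare instruction into the build log; gate them on `getenv("AFL_DEBUG")` or drop them. Inside the `#if 0` block, `bool ok = false ; L->getIncomingAndBackEdge(In, Out); if (ok)` discards the method's boolean result, so the loop-header skip could never fire even if the block were enabled — it should read `bool ok = L->getIncomingAndBackEdge(In, Out);` — and with the block disabled `LI` is an unused variable and `lcomps` stays empty, making the per-basic-block `std::find` pure overhead. A later commit on this page removes all of this; if it is meant to return, it should come back with the return value checked and the output behind the debug flag. `hookInstrs` starts and ends outside the hunk.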
@@ -678,9 +741,19 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - hookInstrs(M); + + auto &FAM = MAM.getResult(M).getManager(); + auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { + + return &FAM.getResult(F); + + }; + + hookInstrs(M, LoopCallback); verifyModule(M); + fprintf(stderr, "done cmplog-instructions-pass\n"); + #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 8205cfb0..708a94bc 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,6 +761,8 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); + fprintf(stderr, "done cmplog-routines-pass\n"); + #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92243fbb..c5ab364a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) { } - OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length, + OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length, afl->max_length); u32 min_alloc = MAX(64U, afl->min_length); afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc); -- cgit 1.4.1 From 1d00bde6c508ed86366e4a7d3730e6d1203bcb60 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:11:19 +0200 Subject: code format --- custom_mutators/symcc/README.md | 5 ++++- frida_mode/src/instrument/instrument_arm64.c | 4 ++-- frida_mode/src/instrument/instrument_x64.c | 3 ++- instrumentation/cmplog-instructions-pass.cc | 10 ++++++---- utils/libdislocator/libdislocator.so.c | 9 +++++---- 5 files changed, 19 insertions(+), 12 deletions(-) 
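Review bot: `MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager()` (template argument lost in rendering) is used in a body that, judging by the trailing `#if LLVM_MAJOR >= 11 return PreservedAnalyses::all(); #else`, is shared with the legacy `runOnModule(Module &M)` entry where no `MAM` exists, so the LLVM < 11 build no longer compiles; either wrap the FAM/lambda setup in the same `#if` and supply a callback built from `getAnalysis<LoopInfoWrapperPass>(F)` on the legacy side, or leave the loop-info plumbing out until it is used. `fprintf(stderr, "done cmplog-instructions-pass\n")` is emitted on every compile regardless of `be_quiet`, and the matching line added to cmplog-routines-pass.cc has the same problem; both belong behind the existing quiet check, e.g. `if (!be_quiet) fprintf(stderr, "done cmplog-instructions-pass\n");`. The function starts outside the hunk.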
diff --git a/custom_mutators/symcc/README.md b/custom_mutators/symcc/README.md index 337362ae..364a348e 100644 --- a/custom_mutators/symcc/README.md +++ b/custom_mutators/symcc/README.md @@ -1,6 +1,9 @@ # custum mutator: symcc -This uses the excellent symcc to find new paths into the target. +This uses the symcc to find new paths into the target. + +Note that this is a just a proof of concept example! It is better to use +the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this. To use this custom mutator follow the steps in the symcc repository [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index e6251cb4..2bc8f8aa 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -18,8 +18,8 @@ #if defined(__aarch64__) -gboolean instrument_cache_enabled = FALSE; -gsize instrument_cache_size = 0; +gboolean instrument_cache_enabled = FALSE; +gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; __attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE]; diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index d54c8353..f02c971e 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -336,7 +336,8 @@ void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; - /* guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ + /* guint64 area_offset = + * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */ if (instrument_previous_pc_addr == NULL) { GumAddressSpec spec = {.near_address = cw->code, diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index e21289b4..85d48835 100644 
--- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -116,7 +116,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); unsigned int instrumented = 0; }; @@ -305,6 +305,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { const LoopInfo * LI = LCallback(F); #if 0 for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; BasicBlock *In, *Out; bool ok = false ; L->getIncomingAndBackEdge(In, Out); @@ -333,9 +334,10 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } + } -#endif +#endif // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), // lcomps.size()); @@ -703,7 +705,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { break; } - + ++instrumented; } @@ -718,7 +720,7 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } } - + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 72fafa4b..bd08a678 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -257,16 +257,17 @@ static void *__dislocator_alloc(size_t len) { } #if defined(USENAMEDPAGE) -#if defined(__linux__) + #if defined(__linux__) // in the /proc//maps file, the anonymous page appears as // `- ---p 00000000 00:00 0 [anon:libdislocator]` - if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, - (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, + (unsigned long)"libdislocator") < 0) { DEBUGF("prctl() failed"); } -#endif + + #endif #endif /* Set PROT_NONE on the last page. */ -- cgit 1.4.1 
From 4f42ecd8150f9b72e0fef37292572b7ad3ef6870 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Apr 2022 13:16:10 +0200 Subject: remove WIP code --- custom_mutators/grammar_mutator/grammar_mutator | 2 +- instrumentation/cmplog-instructions-pass.cc | 81 +------------------------ instrumentation/cmplog-routines-pass.cc | 2 - unicorn_mode/unicornafl | 2 +- 4 files changed, 5 insertions(+), 82 deletions(-) diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index ff4e5a26..cbe5e327 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 +Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 85d48835..4d37bcb2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -32,15 +32,9 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 - #include "llvm/Pass.h" - #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" - #include "llvm/Analysis/EHPersonalities.h" - #include "llvm/Analysis/PostDominators.h" - #include "llvm/Analysis/LoopInfo.h" - #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -70,10 +64,7 @@ using namespace llvm; namespace { -using LoopInfoCallback = function_ref; - #if LLVM_MAJOR >= 11 /* use new pass manager */ - class CmpLogInstructions : public PassInfoMixin { public: 
@@ -97,7 +88,6 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ - PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; @@ -116,8 +106,7 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M, LoopInfoCallback LCallback); - unsigned int instrumented = 0; + bool hookInstrs(Module &M); }; @@ -164,7 +153,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { +bool CmpLogInstructions::hookInstrs(Module &M) { std::vector icomps; LLVMContext & C = M.getContext(); 
@@ -301,64 +290,14 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { if (!isInInstrumentList(&F, MNAME)) continue; - std::vector lcomps; - const LoopInfo * LI = LCallback(F); -#if 0 - for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { - - Loop * L = *I; - BasicBlock *In, *Out; - bool ok = false ; L->getIncomingAndBackEdge(In, Out); - if (ok) { - - BasicBlock *decisionBB = In->getSingleSuccessor(); - - if (decisionBB) { - - /* - std::string errMsg1; - raw_string_ostream os1(errMsg1); - In->print(os1); - fprintf(stderr, "In: %s\n", os1.str().c_str()); - std::string errMsg2; - raw_string_ostream os2(errMsg2); - Out->print(os2); - fprintf(stderr, "Out: %s\n", os2.str().c_str()); - std::string errMsg3; - raw_string_ostream os3(errMsg3); - decisionBB->print(os3); - fprintf(stderr, "Dec: %s\n", os3.str().c_str()); - */ - lcomps.push_back(decisionBB); - - } - - } - - } - -#endif - - // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), - // lcomps.size()); - for (auto &BB : F) { - if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { - - fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); - - continue; - - } - for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); - fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } @@ -706,8 +645,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - ++instrumented; - } /* else fprintf(stderr, "skipped\n"); */ @@ -721,8 +658,6 @@ bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { } - fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); - if (icomps.size()) return true; else 
@@ -743,19 +678,9 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - - auto &FAM = MAM.getResult(M).getManager(); - auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { - - return &FAM.getResult(F); - - }; - - hookInstrs(M, LoopCallback); + hookInstrs(M); verifyModule(M); - fprintf(stderr, "done cmplog-instructions-pass\n"); - #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 708a94bc..8205cfb0 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,8 +761,6 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); - fprintf(stderr, "done cmplog-routines-pass\n"); - #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e -- cgit 1.4.1 From 630eb943a539dd423d005466520d06e8420fa6ba Mon Sep 17 00:00:00 2001 From: Jesse Schwartzentruber Date: Wed, 20 Apr 2022 15:38:37 -0400 Subject: use passthrough mode for wasm --- src/afl-cc.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index ffdda386..a383dd4e 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -58,6 +58,7 @@ static u8 debug; static u8 cwd[4096]; static u8 cmplog_mode; u8 use_stdin; /* dummy */ +static int passthrough; // static u8 *march_opt = CFLAGS_OPT; enum { 
@@ -315,7 +316,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, shared_linking = 0, preprocessor_only = 0, have_unroll = 0, have_o = 0, have_pic = 0, - have_c = 0, partial_linking = 0, wasm_linking = 0; + have_c = 0, partial_linking = 0; cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); @@ -826,7 +827,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; - if (!strcmp(cur, "--target=wasm32-wasi")) wasm_linking = 1; + if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; @@ -845,7 +846,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then its ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && !wasm_linking && strlen(libdir) && + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; @@ -1093,7 +1094,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { switch (bit_mode) { case 0: - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt.o", obj_path); if (lto_mode) @@ -1102,7 +1103,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 32: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-32.o", obj_path); 
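Review bot: Setting `passthrough = 1` for `--target=wasm32-wasi` only has an effect if `main()` consults `passthrough` after `edit_params()` has run; the variable used to be a local of `main()` and is now a file-scope `static int`, and the code in `main()` that acts on it is outside this hunk, so confirm the ordering. The match is also an exact `strcmp` against one spelling, so `--target wasm32-wasi` given as two arguments, `-target`, or another wasm triple (`wasm32-unknown-unknown`, `wasm64-wasi`) does not trigger passthrough and now gets `afl-compiler-rt.o` and `--dynamic-list` linked in, which the removed `wasm_linking` flag used to suppress. A prefix test covers at least the single-argument forms: `if (!strncmp(cur, "--target=wasm", 13)) passthrough = 1;`. `edit_params()` continues outside the hunk.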
@@ -1123,7 +1124,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 64: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-64.o", obj_path); @@ -1146,7 +1147,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } #if !defined(__APPLE__) && !defined(__sun) - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif @@ -1179,7 +1180,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { int main(int argc, char **argv, char **envp) { - int i, passthrough = 0; + int i; char *callname = argv[0], *ptr = NULL; if (getenv("AFL_DEBUG")) { -- cgit 1.4.1 From f53e6a6cf2ed621ab1ca0eec271d75405e906ba5 Mon Sep 17 00:00:00 2001 From: Jesse Schwartzentruber Date: Wed, 20 Apr 2022 15:39:28 -0400 Subject: fix instrumentation for -Werror,-Wunused-but-set-variable `used` is so it isn't optimized out. `unused` is to avoid the warning. --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afl-cc.c b/src/afl-cc.c index a383dd4e..e8643bf8 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1035,7 +1035,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" - "({ static volatile char *_B __attribute__((used)); " + "({ static volatile char *_B __attribute__((used,unused)); " " _B = (char*)\"" PERSIST_SIG "\"; " #ifdef __APPLE__ @@ -1049,7 +1049,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" - "do { static volatile char *_A __attribute__((used)); " + "do { static volatile char *_A __attribute__((used,unused)); " " _A = (char*)\"" DEFER_SIG "\"; " #ifdef __APPLE__ -- cgit 1.4.1 
From 7f26d133458f5034499f40129e9a5517cee21cce Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 22 Apr 2022 10:28:14 +0200 Subject: try repeating write --- GNUmakefile | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- include/debug.h | 47 +++++++++++++++++-------- unicorn_mode/unicornafl | 2 +- 4 files changed, 36 insertions(+), 17 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index ec81cbac..8b09c51a 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -145,7 +145,7 @@ else CFLAGS ?= -O2 $(CFLAGS_OPT) # -funroll-loops is slower on modern compilers endif -override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \ +override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith \ -fPIC -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" # -fstack-protector diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index cbe5e327..ff4e5a26 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff +Subproject commit ff4e5a265daf5d88c4a636fb6a2c22b1d733db09 diff --git a/include/debug.h b/include/debug.h index 31ebd0f2..e2ee16a8 100644 --- a/include/debug.h +++ b/include/debug.h 
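Review bot: Switching `-Wpointer-arith` to `-Wno-pointer-arith` silences the warning for the whole tree instead of fixing the one site that provokes it, the `(buf) + _off` arithmetic on a `void *` in the `ck_write()` rewrite in include/debug.h from the same commit. Casting there, `(const u8 *)(buf) + _off`, keeps the arithmetic well-defined in standard C and lets the project keep the warning for everything else, so I would leave this line as `override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \`.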
@@ -355,20 +355,39 @@ static inline const char *colorfilter(const char *x) { /* Error-checking versions of read() and write() that call RPFATAL() as appropriate. */ -#define ck_write(fd, buf, len, fn) \ - do { \ - \ - int _fd = (fd); \ - \ - s32 _len = (s32)(len); \ - s32 _res = write(_fd, (buf), _len); \ - if (_res != _len) { \ - \ - RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \ - _res, _len); \ - \ - } \ - \ +#define ck_write(fd, buf, len, fn) \ + do { \ + \ + if (len <= 0) break; \ + int _fd = (fd); \ + s32 _written = 0, _off = 0, _len = (s32)(len); \ + \ + do { \ + \ + s32 _res = write(_fd, (buf) + _off, _len); \ + if (_res != _len && (_res > 0 && _written + _res != _len)) { \ + \ + if (_res > 0) { \ + \ + _written += _res; \ + _len -= _res; \ + _off += _res; \ + \ + } else { \ + \ + RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \ + _res, _len); \ + \ + } \ + \ + } else { \ + \ + break; \ + \ + } \ + \ + } while (1); \ + \ } while (0) #define ck_read(fd, buf, len, fn) \ diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index d4915053..a44fa944 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e +Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 -- cgit 1.4.1 From b2c96f66eef42a58d2b62f98a5cec6f5f483dbde Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 22 Apr 2022 10:29:56 +0200 Subject: unicorn --- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index fe7be8e1..77fc69b5 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -a44fa94488d01aba60401ccf81f8bebcce685bf2 +c3e15a7d diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index a44fa944..c3e15a7d 160000 --- a/unicorn_mode/unicornafl 
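Review bot: The error branch of the new `ck_write()` is unreachable: the outer test `_res != _len && (_res > 0 && _written + _res != _len)` already requires `_res > 0`, so a failed (`-1`) or zero-length write() falls into `else { break; }` and the macro returns silently — the opposite of the error checking the comment above promises, and a fuzzer that silently truncates queue or crash files is worse than one that aborts. The `_written + _res != _len` clause also compares the running total with the remaining length, so a partial write that happens to satisfy it (30 then 40 of 100 bytes) breaks out with data unwritten. `(buf) + _off` is arithmetic on a `void *` (the reason the same commit adds `-Wno-pointer-arith`), and EINTR is not retried. The rewrite below tracks only the offset, casts the buffer, retries on EINTR and fails on any non-positive result, keeping `_res` as RPFATAL's first argument so `-1` still reports errno as before; it needs `<errno.h>` if debug.h does not already include it.
```c
#define ck_write(fd, buf, len, fn)                                          \
  do {                                                                      \
                                                                            \
    if ((len) <= 0) break;                                                  \
    int _fd = (fd);                                                         \
    s32 _len = (s32)(len), _off = 0;                                        \
                                                                            \
    /* Loop until every byte is out; short writes are legal on pipes. */    \
    while (_off < _len) {                                                   \
                                                                            \
      s32 _res = write(_fd, (const u8 *)(buf) + _off, _len - _off);         \
      if (_res < 0 && errno == EINTR) continue;                             \
      if (_res <= 0) {                                                      \
                                                                            \
        /* -1 -> PFATAL with errno, 0 -> FATAL, as before */                \
        RPFATAL(_res, "Short write to %s, fd %d (%d of %d bytes)", fn, _fd, \
                _off, _len);                                                \
                                                                            \
      }                                                                     \
      _off += _res;                                                         \
                                                                            \
    }                                                                       \
                                                                            \
  } while (0)
```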
+++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2 +Subproject commit c3e15a7d44101ff288abe114b7954ce6cfa070b1 -- cgit 1.4.1