From d9ff84e39ecad47deec8808ea127fd90d9f5e8ef Mon Sep 17 00:00:00 2001 From: Heiko Eißfeldt Date: Sun, 30 Jun 2019 10:06:20 +0200 Subject: Refactor to use an alternative method for shared memory. If USEMMAP is defined, the shared memory segment is created/attached etc. now by shm_open() and mmap(). This API is hopefully more often available (at least for iOS). In order to reduce code duplication I have added new files sharedmem.[ch] which now encapsulate the shared memory method. This is based on the work of Proteas to support iOS fuzzing (thanks). https://github.com/Proteas/afl-ios/commit/866af8ad1cb230d5d753b546380a4af1e55d6946 Currently this is in an experimental status yet. Please report whether this variant works on 32 and 64 bit and on the supported platforms. This branch enables USEMMAP and has been tested on Linux. There is no auto detection for the mmap API yet. --- afl-as.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'afl-as.h') diff --git a/afl-as.h b/afl-as.h index ebd57109..90944614 100644 --- a/afl-as.h +++ b/afl-as.h @@ -220,6 +220,29 @@ static const u8* main_payload_32 = " testl %eax, %eax\n" " je __afl_setup_abort\n" "\n" +#ifdef USEMMAP + " pushl $384 /* shm_open mode 0600 */\n" + " pushl $2 /* flags O_RDWR */\n" + " pushl %eax /* SHM file path */\n" + " call shm_open\n" + " addl $12, %esp\n" + "\n" + " cmpl $-1, %eax\n" + " je __afl_setup_abort\n" + "\n" + " pushl $0 /* mmap off */\n" + " pushl %eax /* shm fd */\n" + " pushl $1 /* mmap flags */\n" + " pushl $3 /* mmap prot */\n" + " pushl $"STRINGIFY(MAP_SIZE)" /* mmap len */\n" + " pushl $0 /* mmap addr */\n" + " call mmap\n" + " addl $12, %esp\n" + "\n" + " cmpl $-1, %eax\n" + " je __afl_setup_abort\n" + "\n" +#else " pushl %eax\n" " call atoi\n" " addl $4, %esp\n" @@ -233,6 +256,7 @@ static const u8* main_payload_32 = " cmpl $-1, %eax\n" " je __afl_setup_abort\n" "\n" +#endif " /* Store the address of the SHM region. */\n" "\n" " movl %eax, __afl_area_ptr\n" @@ -501,6 +525,27 @@ static const u8* main_payload_64 = " testq %rax, %rax\n" " je __afl_setup_abort\n" "\n" +#ifdef USEMMAP + " movl $384, %edx /* shm_open mode 0600 */\n" + " movl $2, %esi /* flags O_RDWR */\n" + " movq %rax, %rdi /* SHM file path */\n" + CALL_L64("shm_open") + "\n" + " cmpq $-1, %rax\n" + " je __afl_setup_abort\n" + "\n" + " movl $0, %r9d\n" + " movl %eax, %r8d\n" + " movl $1, %ecx\n" + " movl $3, %edx\n" + " movl $"STRINGIFY(MAP_SIZE)", %esi\n" + " movl $0, %edi\n" + CALL_L64("mmap") + "\n" + " cmpq $-1, %rax\n" + " je __afl_setup_abort\n" + "\n" +#else " movq %rax, %rdi\n" CALL_L64("atoi") "\n" @@ -512,6 +557,7 @@ static const u8* main_payload_64 = " cmpq $-1, %rax\n" " je __afl_setup_abort\n" "\n" +#endif " /* Store the address of the SHM region. */\n" "\n" " movq %rax, %rdx\n" -- cgit 1.4.1 From 04c92c84705af4c602f134ed9a63b82be5ef75c9 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jul 2019 19:10:48 +0200 Subject: notzero for afl-gcc --- afl-as.h | 2 ++ llvm_mode/afl-llvm-pass.so.cc | 10 ++++++++++ 2 files changed, 12 insertions(+) (limited to 'afl-as.h') diff --git a/afl-as.h b/afl-as.h index ebd57109..2c84f9f3 100644 --- a/afl-as.h +++ b/afl-as.h @@ -189,6 +189,7 @@ static const u8* main_payload_32 = " orb $1, (%edx, %edi, 1)\n" #else " incb (%edx, %edi, 1)\n" + " adcb $0, (%edx, %edi, 1)\n" #endif /* ^SKIP_COUNTS */ "\n" "__afl_return:\n" @@ -417,6 +418,7 @@ static const u8* main_payload_64 = " orb $1, (%rdx, %rcx, 1)\n" #else " incb (%rdx, %rcx, 1)\n" + " adcb $0, (%rdx, %rcx, 1)\n" #endif /* ^SKIP_COUNTS */ "\n" "__afl_return:\n" diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index b77835c5..6b2232f2 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -287,6 +287,16 @@ bool AFLCoverage::runOnModule(Module &M) { Value *HowMuch = IRB.CreateAdd(ConstantInt::get(Int8Ty, 1), cf); Incr = IRB.CreateAdd(Counter, HowMuch); + } else if (neverZero_counters_str[0] == '5') { + auto cf = IRB.CreateICmpEQ(Incr, ConstantInt::get(Int8Ty, 0)); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); + + } else if (neverZero_counters_str[0] == '6') { + auto cf = IRB.CreateICmpULT(Incr, ConstantInt::get(Int8Ty, 1)); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); + // no other implementations yet } else { fprintf(stderr, "Error: unknown value for AFL_NZERO_COUNTS: %s (valid is 1-4)\n", neverZero_counters_str); -- cgit 1.4.1 From 0d6cddda4daa5f38029c34dc005b2e40a5898ea4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 5 Jul 2019 13:29:26 +0200 Subject: comment never_zero for afl-as --- afl-as.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'afl-as.h') diff --git a/afl-as.h b/afl-as.h index 2c84f9f3..9e91375d 100644 --- a/afl-as.h +++ b/afl-as.h @@ -189,7 +189,7 @@ static const u8* main_payload_32 = " orb $1, (%edx, %edi, 1)\n" #else " incb (%edx, %edi, 1)\n" - " adcb $0, (%edx, %edi, 1)\n" + " adcb $0, (%edx, %edi, 1)\n" // never zero counter implementation. slightly better path discovery and little performance impact #endif /* ^SKIP_COUNTS */ "\n" "__afl_return:\n" @@ -418,7 +418,7 @@ static const u8* main_payload_64 = " orb $1, (%rdx, %rcx, 1)\n" #else " incb (%rdx, %rcx, 1)\n" - " adcb $0, (%rdx, %rcx, 1)\n" + " adcb $0, (%rdx, %rcx, 1)\n" // never zero counter implementation. slightly better path discovery and little performance impact #endif /* ^SKIP_COUNTS */ "\n" "__afl_return:\n" -- cgit 1.4.1