From aaa810c64a7d54d21df6c74c3f7b77fb06d273fe Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Wed, 3 Jul 2019 12:11:02 +0200
Subject: add -lrt with afl-gcc/clang automatically in mmap mode
---
 afl-gcc.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'afl-gcc.c')
diff --git a/afl-gcc.c b/afl-gcc.c
index 8d3988c7..467a9bc1 100644
--- a/afl-gcc.c
+++ b/afl-gcc.c
@@ -252,6 +252,10 @@ static void edit_params(u32 argc, char** argv) {
 }
+#ifdef USEMMAP
+ cc_params[cc_par_cnt++] = "-lrt";
+#endif
+
 if (!getenv("AFL_DONT_OPTIMIZE")) {
 #if defined(__FreeBSD__) && defined(__x86_64__)
--
cgit 1.4.1
From 995eb0cd7972e2179ea9fe727d3c89d0b552c111 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Tue, 16 Jul 2019 08:51:00 +0200
Subject: deprecate afl-gcc
---
 afl-gcc.c | 2 ++
 docs/ChangeLog | 4 +++-
 llvm_mode/README.llvm | 3 ++-
 types.h | 9 +++++++--
 4 files changed, 14 insertions(+), 4 deletions(-)
(limited to 'afl-gcc.c')
diff --git a/afl-gcc.c b/afl-gcc.c
index 467a9bc1..2e3c4f76 100644
--- a/afl-gcc.c
+++ b/afl-gcc.c
@@ -311,6 +311,8 @@ int main(int argc, char** argv) {
 } else be_quiet = 1;
+ SAYF(cYEL "[!] " cBRI "WARNING: " cRST "afl-gcc is deprecated, gcc_plugin is faster, llvm_mode even faster\n");
+
 if (argc < 2) {
 SAYF("\n"
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 8c1aa994..735653c0 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
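Review bot: The `-lrt` entry is appended to cc_params on every USEMMAP invocation, including compile-only runs (`-c`, `-S`, `-E`) where a library flag is never consumed; clang warns about that as an unused linker input and under `-Werror` the warning turns into a build failure, which I believe is the most likely way this surfaces for users. If afl-gcc tracks whether the current invocation links, gate the append on that; if it does not, at least record the reason next to the line, e.g. `/* USEMMAP: the instrumentation's shared-memory setup presumably needs librt on older libcs — TODO confirm */`. edit_params begins and ends outside the hunk, so whether cc_params has headroom for the extra entry cannot be checked here.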
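Review bot: The new deprecation `SAYF` is placed after `} else be_quiet = 1;`, so it is printed even when `AFL_QUIET` is set or stderr is not a terminal, which is exactly the case the branch above it exists to silence. Guard it with the flag that branch just set, `if (!be_quiet) SAYF(cYEL "[!] " cBRI "WARNING: " cRST "afl-gcc is deprecated, gcc_plugin is faster, llvm_mode even faster\n");`, or move it inside the isatty branch next to the banner. main continues outside the hunk.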
@@ -17,10 +17,12 @@ sending a mail to .
 Version ++2.52d (tbd):
 -----------------------------
+ - Using the old ineffective afl-gcc will now show a deprecation warning
 - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc
 - added gcc_plugin which is like llvm_mode but for gcc. This version
- supports gcc version 5 to 8. See gcc_plugin/README (https://github.com/T12z/afl)
+ supports gcc version 5 to 8. See gcc_plugin/README.gcc
+ (https://github.com/T12z/afl)
 - added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
 - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
diff --git a/llvm_mode/README.llvm b/llvm_mode/README.llvm
index 779ff47c..aaa7b81f 100644
--- a/llvm_mode/README.llvm
+++ b/llvm_mode/README.llvm
@@ -3,6 +3,7 @@ Fast LLVM-based instrumentation for afl-fuzz
 ============================================
 (See ../docs/README for the general instruction manual.)
+ (See ../gcc_plugin/README.gcc for the GCC-based instrumentation.)
 1) Introduction ---------------
@@ -30,7 +31,7 @@ several interesting properties:
 - The instrumentation can cope a bit better with multi-threaded targets.
 - Because the feature relies on the internals of LLVM, it is clang-specific
- and will *not* work with GCC.
+ and will *not* work with GCC (see ../gcc_plugin/ for an alternative).
 Once this implementation is shown to be sufficiently robust and portable, it will probably replace afl-clang. For now, it can be built separately and
diff --git a/types.h b/types.h
index 784d3a7a..3497bb2b 100644
--- a/types.h
+++ b/types.h
@@ -80,7 +80,12 @@ typedef int64_t s64;
 #define MEM_BARRIER() \
 asm volatile("" ::: "memory")
-#define likely(_x) __builtin_expect(!!(_x), 1)
-#define unlikely(_x) __builtin_expect(!!(_x), 0)
+#if __GNUC__ < 6
+ #define likely(_x) (_x)
+ #define unlikely(_x) (_x)
+#else
+ #define likely(_x) __builtin_expect(!!(_x), 1)
+ #define unlikely(_x) __builtin_expect(!!(_x), 0)
+#endif
 #endif /* ! _HAVE_TYPES_H */
--
cgit 1.4.1
From 5fa19f28012e7f3ccb4fdc04d9a33d9d35bed2c9 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 18 Jul 2019 10:17:50 +0200
Subject: cpu scaling updated for newer kernels
---
 afl-fuzz.c | 30 ++++++++++++++++++++----------
 afl-gcc.c | 3 +--
 afl-system-config | 5 ++++-
 docs/ChangeLog | 4 +++-
 4 files changed, 28 insertions(+), 14 deletions(-)
(limited to 'afl-gcc.c')
diff --git a/afl-fuzz.c b/afl-fuzz.c
index e8c2f263..1bf3d11f 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -11531,8 +11531,22 @@ static void check_cpu_governor(void) {
 if (getenv("AFL_SKIP_CPUFREQ")) return;
+ if (cpu_aff > 0)
+ snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpu", cpu_aff, "/cpufreq/scaling_governor");
+ else
+ snprintf(tmp, sizeof(tmp), "%s", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor");
 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r");
- if (!f) return;
+ if (!f) {
+ if (cpu_aff > 0)
+ snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpufreq/policy", cpu_aff, "/scaling_governor");
+ else
+ snprintf(tmp, sizeof(tmp), "%s", "/sys/devices/system/cpu/cpufreq/policy0/scaling_governor");
+ f = fopen(tmp, "r");
+ }
+ if (!f) {
+ WARNF("Could not check CPU scaling governor");
+ return;
+ }
 ACTF("Checking CPU scaling governor...");
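Review bot: `#if __GNUC__ < 6` also selects the no-op likely()/unlikely() under clang, which reports `__GNUC__` as 4 for compatibility while fully supporting `__builtin_expect`, so the branch hints are dropped for the llvm_mode toolchain this same commit recommends. `__builtin_expect` has been available in GCC for many releases, so if the cutoff works around one specific toolchain the comment should name it; otherwise `#if !defined(__clang__) && __GNUC__ < 6` keeps the hint where it is supported. The passthrough variants also omit the `!!` normalization of the original, which is harmless in a condition but would differ if the macro result were ever used as an integer.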
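Review bot: The first `fopen` still opens the literal `"/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"` instead of `tmp`, so the per-CPU path that the four added lines above it build from `cpu_aff` is discarded and only the policy-based fallback honours the affinity; the line should read `f = fopen(tmp, "r");`. The fallback also assumes cpufreq policy numbers coincide with CPU numbers, which as far as I know the kernel does not guarantee (one policy can span several CPUs), so the new WARNF on failure is the right outcome, but a one-line comment saying the policyN path is a best-effort guess would help the next reader. `tmp` and `cpu_aff` are declared outside the hunk and check_cpu_governor continues past it.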
@@ -12158,15 +12172,13 @@ int main(int argc, char** argv) {
 int tmp_swarm = 0;
 if (g_now > g_max) g_now = 0;
- w_now = (w_init - w_end)*(g_max - g_now) / (g_max)+w_end;
+ w_now = (w_init - w_end)*(g_max - g_now) / (g_max)+w_end;
- for (tmp_swarm = 0; tmp_swarm < swarm_num; tmp_swarm++)
- {
+ for (tmp_swarm = 0; tmp_swarm < swarm_num; tmp_swarm++) {
 double total_puppet_temp = 0.0;
 swarm_fitness[tmp_swarm] = 0.0;
- for (i = 0; i < operator_num; i++)
- {
+ for (i = 0; i < operator_num; i++) {
 stage_finds_puppet[tmp_swarm][i] = 0;
 probability_now[tmp_swarm][i] = 0.0;
 x_now[tmp_swarm][i] = ((double)(random() % 7000)*0.0001 + 0.1);
@@ -12186,8 +12198,7 @@ int main(int argc, char** argv) {
 double x_temp = 0.0;
- for (i = 0; i < operator_num; i++)
- {
+ for (i = 0; i < operator_num; i++) {
 probability_now[tmp_swarm][i] = 0.0;
 v_now[tmp_swarm][i] = w_now * v_now[tmp_swarm][i] + RAND_C * (L_best[tmp_swarm][i] - x_now[tmp_swarm][i]) + RAND_C * (G_best[i] - x_now[tmp_swarm][i]);
@@ -12201,8 +12212,7 @@ int main(int argc, char** argv) {
 x_temp += x_now[tmp_swarm][i];
 }
- for (i = 0; i < operator_num; i++)
- {
+ for (i = 0; i < operator_num; i++) {
 x_now[tmp_swarm][i] = x_now[tmp_swarm][i] / x_temp;
 if (likely(i != 0)) probability_now[tmp_swarm][i] = probability_now[tmp_swarm][i - 1] + x_now[tmp_swarm][i];
diff --git a/afl-gcc.c b/afl-gcc.c
index 2e3c4f76..d109f6e2 100644
--- a/afl-gcc.c
+++ b/afl-gcc.c
@@ -308,11 +308,10 @@ int main(int argc, char** argv) {
 if (isatty(2) && !getenv("AFL_QUIET")) {
 SAYF(cCYA "afl-cc" VERSION cRST " by \n");
+ SAYF(cYEL "[!] " cBRI "WARNING: " cRST "afl-gcc is deprecated, gcc_plugin is faster, llvm_mode even faster\n");
 } else be_quiet = 1;
- SAYF(cYEL "[!] " cBRI "WARNING: " cRST "afl-gcc is deprecated, gcc_plugin is faster, llvm_mode even faster\n");
-
 if (argc < 2) {
 SAYF("\n"
diff --git a/afl-system-config b/afl-system-config
index 7538bc29..fa24d473 100755
--- a/afl-system-config
+++ b/afl-system-config
@@ -7,8 +7,11 @@ sysctl -w kernel.sched_autogroup_enabled=1
 sysctl -w kernel.sched_migration_cost_ns=50000000
 sysctl -w kernel.sched_latency_ns=250000000
 echo never > /sys/kernel/mm/transparent_hugepage/enabled
-echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor > /dev/null
+test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
+test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
+test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
 test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
 echo
 echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
 echo '/etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
diff --git a/docs/ChangeLog b/docs/ChangeLog
index adf5ef75..f2709877 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
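Review bot: The three new `tee` lines drop the `> /dev/null` that the removed line had, so every governor write now also echoes `performance` to the terminal, and the first of them tests `/sys/devices/system/cpu/cpufreq/scaling_governor`, a node I do not believe exists in either the per-policy or per-cpu layouts that the next two lines already cover. Suggest restoring the redirect on each line, e.g. `... | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor > /dev/null`, and either dropping the first line or commenting which kernel layout it is meant for. Nothing in the hunk checks that the write took effect, so a read-back such as `cat /sys/devices/system/cpu/cpufreq/policy*/scaling_governor` after the writes would let the operator see the result rather than assume it.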
@@ -17,7 +17,9 @@ sending a mail to .
 Version ++2.52d (tbd):
 -----------------------------
- - Using the old ineffective afl-gcc will now show a deprecation warning
+ - updated afl-fuzz and afl-system-config for new scaling governor location
+ in modern kernels
+ - using the old ineffective afl-gcc will now show a deprecation warning
 - all queue, hang and crash files now have their discovery time in their name
 - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc
--
cgit 1.4.1
From f697752b52e619bdda2a5b629568e56c8f28fe47 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Sun, 21 Jul 2019 20:24:40 +0200
Subject: moved gcc_plugin to a branch, it is nowhere near "ok"
---
 Makefile | 2 +-
 afl-gcc.c | 2 +-
 docs/ChangeLog | 3 ---
 docs/PATCHES | 1 -
 docs/README | 3 +--
 5 files changed, 3 insertions(+), 8 deletions(-)
(limited to 'afl-gcc.c')
diff --git a/Makefile b/Makefile
index 69bd7535..d2840848 100644
--- a/Makefile
+++ b/Makefile
@@ -193,7 +193,7 @@ install: all
 install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
 rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
- if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
+ #if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
 ifndef AFL_TRACE_PC
 if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
 else
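Review bot: The afl-gcc-fast install line is commented out rather than deleted, leaving dead shell in the install recipe while the rest of this commit removes the gcc_plugin references outright; git history keeps the line if the branch is ever merged back. If it stays as a placeholder, note that it carries `set e;` where the neighbouring afl-clang-fast line uses `set -e;`, so re-enabling it as-is would not abort on a failed install step; `set -e;` is the intended form. A short comment such as `# afl-gcc-fast: not installed, gcc_plugin moved to a separate branch` would tell the reader why the recipe is gone.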
diff --git a/afl-gcc.c b/afl-gcc.c
index d109f6e2..f6ededeb 100644
--- a/afl-gcc.c
+++ b/afl-gcc.c
@@ -308,7 +308,7 @@ int main(int argc, char** argv) {
 if (isatty(2) && !getenv("AFL_QUIET")) {
 SAYF(cCYA "afl-cc" VERSION cRST " by \n");
- SAYF(cYEL "[!] " cBRI "WARNING: " cRST "afl-gcc is deprecated, gcc_plugin is faster, llvm_mode even faster\n");
+ SAYF(cYEL "[!] " cBRI "NOTE: " cRST "afl-gcc is deprecated, llvm_mode is much faster and has more options\n");
 } else be_quiet = 1;
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 44eb4012..120893d9 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -24,9 +24,6 @@ Version ++2.52d (tbd):
 - all queue, hang and crash files now have their discovery time in their name
 - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc
- - added gcc_plugin which is like llvm_mode but for gcc. This version
- supports gcc version 5 to 8. See gcc_plugin/README.gcc
- (https://github.com/T12z/afl)
 - added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
 - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
diff --git a/docs/PATCHES b/docs/PATCHES
index 78050208..f6ca9284 100644
--- a/docs/PATCHES
+++ b/docs/PATCHES
@@ -17,7 +17,6 @@ afl-qemu-optimize-entrypoint.diff by mh(at)mh-sec(dot)de
 afl-qemu-speed.diff by abiondo on github
 afl-qemu-optimize-map.diff by mh(at)mh-sec(dot)de
-+ gcc_plugin (https://github.com/T12z/afl)
 + instrim (https://github.com/csienslab/instrim) was integrated
 + MOpt (github.com/puppet-meteor/MOpt-AFL) was imported
 + AFLfast additions (github.com/mboehme/aflfast) were incorporated.
diff --git a/docs/README b/docs/README
index a8ec715b..b606f6cf 100644
--- a/docs/README
+++ b/docs/README
@@ -10,6 +10,7 @@ american fuzzy lop plus plus
 and Andrea Fioraldi as there have been no updates to afl since November 2017.
+
 Many improvements were made, e.g. more performant llvm_mode, supporting llvm up to version 8, Qemu 3.1, more speed for Qemu, etc.
@@ -25,8 +26,6 @@ american fuzzy lop plus plus
 Also newly integrated is instrim, a very effective CFG llvm_mode instrumentation implementation from https://github.com/csienslab/instrim
- Similar to llvm_mode a gcc_plugin that supports versions 5 to 8 is
- now available (from https://github.com/T12z/afl)
 A more thorough list is available in the PATCHES file.
--
cgit 1.4.1