From 34c090a31db7939558bf0047f0f1693bbde76c1f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 27 Mar 2020 12:09:06 +0100 Subject: add CFI sanitizer --- docs/Changelog.md | 1 + 1 file changed, 1 insertion(+) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 6af269ce..198909d1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,6 +31,7 @@ sending a mail to . the last 5 queue entries - rare: puts focus on queue entries that hits rare branches, also ignores runtime + - llvm_mode: added Control Flow Integrity sanatizer (AFL_USE_CFISAN) - LTO collision free instrumented added in llvm_mode with afl-clang-lto - note that this mode is amazing, but quite some targets won't compile - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera -- cgit 1.4.1 From 452067ffca0de664fa4a11211c54f34c3842f20e Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 00:50:04 +0200 Subject: added read_timed --- docs/Changelog.md | 6 +++-- include/common.h | 50 ++++++++++++++++++++++++++++++++++++ include/types.h | 18 +++++++++++-- src/afl-forkserver.c | 24 ++++++------------ src/afl-fuzz-cmplog.c | 67 ++++++++++++++++++------------------------------- src/afl-fuzz-redqueen.c | 5 ++-- src/afl-fuzz-run.c | 23 ++++++----------- 7 files changed, 112 insertions(+), 81 deletions(-) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 198909d1..407a3324 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,12 +16,14 @@ sending a mail to . ! development and acceptance of PRs now happen only in the dev branch and only occasionally when everything is fine we PR to master - all: - - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn + - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn multiple fuzzing threads in the future or even become a library - afl basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output - force all output to stdout (some OK/SAY/WARN messages were sent to stdout, some to stderr) + - uninstrumented mode uses an internal forkserver ("fauxserver") + - reduced number of (de)allocations - afl-fuzz: - python mutator modules and custom mutator modules now use the same interface and hence the API changed @@ -38,7 +40,7 @@ sending a mail to . (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting AFL_LLVM_NGRAM_SIZE - llvm_mode InsTrim mode: - - removed workaround for bug where paths were not instrumented and + - removed workaround for bug where paths were not instrumented and imported fix by author - made skipping 1 block functions an option and is disable by default, set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this diff --git a/include/common.h b/include/common.h index 8b21b55f..e8558e24 100644 --- a/include/common.h +++ b/include/common.h @@ -29,6 +29,7 @@ #include #include +#include #include #include "types.h" #include "stdbool.h" @@ -390,5 +391,54 @@ static u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { } +/* Wrapper for select() and read(), reading exactly len bytes. + Returns the time passed to read. + If the wait times out, returns timeout_ms + 1; + Returns 0 if an error occurred (fd closed, signal, ...); */ +static inline u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms) { + + struct timeval timeout; + fd_set readfds; + FD_ZERO(&readfds); + FD_SET(fd, &readfds); + + timeout.tv_sec = (timeout_ms / 1000); + timeout.tv_usec = (timeout_ms % 1000) * 1000; + + size_t read_total = 0; + size_t len_read = 0; + + while (len_read < len) { + + /* set exceptfds as well to return when a child exited/closed the pipe. */ + int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); + + if (!sret) { + + // printf("Timeout in sret."); + return timeout_ms + 1; + + } else if (sret < 0) { + + // perror("sret malloc"); + // TODO: catch other (errno == EINTR) than ctrl+c? + return 0; + + } + + len_read = read(fd, buf + len_read, len - len_read); + if (!len_read) { return 0; } + read_total += len_read; + + } + + s32 exec_ms = + MIN(timeout_ms, + ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); + return exec_ms > 0 ? exec_ms + : 1; // at least 1 milli must have passed (0 is an error) + +} + #endif diff --git a/include/types.h b/include/types.h index ebc561f7..da95cb39 100644 --- a/include/types.h +++ b/include/types.h @@ -58,8 +58,22 @@ typedef int32_t s32; typedef int64_t s64; #ifndef MIN -#define MIN(_a, _b) ((_a) > (_b) ? (_b) : (_a)) -#define MAX(_a, _b) ((_a) > (_b) ? (_a) : (_b)) +#define MIN(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a < _b ? _a : _b; \ + \ + }) +#define MAX(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a > _b ? _a : _b; \ + \ + }) #endif /* !MIN */ #define SWAP16(_x) \ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 2dd7a9f0..01a606c3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -164,10 +164,9 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { - struct timeval timeout; - int st_pipe[2], ctl_pipe[2]; - int status; - s32 rlen; + int st_pipe[2], ctl_pipe[2]; + int status; + s32 rlen; if (fsrv->use_fauxsrv) ACTF("Using Fauxserver:"); @@ -318,24 +317,15 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { rlen = 0; if (fsrv->exec_tmout) { - fd_set readfds; + rlen = 4; + u32 time = read_timed(fsrv->fsrv_st_fd, &status, rlen, + fsrv->exec_tmout * FORK_WAIT_MULT); - FD_ZERO(&readfds); - FD_SET(fsrv->fsrv_st_fd, &readfds); - timeout.tv_sec = ((fsrv->exec_tmout * FORK_WAIT_MULT) / 1000); - timeout.tv_usec = ((fsrv->exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; - - int sret = select(fsrv->fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout); - - if (sret == 0) { + if (!time) { fsrv->child_timed_out = 1; kill(fsrv->child_pid, SIGKILL); - } else { - - rlen = read(fsrv->fsrv_st_fd, &status, 4); - } } else { diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 7c398507..08ac15c7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -31,10 +31,9 @@ void init_cmplog_forkserver(afl_state_t *afl) { - struct timeval timeout; - int st_pipe[2], ctl_pipe[2]; - int status; - s32 rlen; + int st_pipe[2], ctl_pipe[2]; + int status; + s32 rlen; ACTF("Spinning up the cmplog fork server..."); @@ -185,21 +184,19 @@ void init_cmplog_forkserver(afl_state_t *afl) { rlen = 0; if (afl->fsrv.exec_tmout) { - fd_set readfds; - FD_ZERO(&readfds); - FD_SET(afl->cmplog_fsrv_st_fd, &readfds); - timeout.tv_sec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) / 1000); - timeout.tv_usec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; + rlen = 4; + u32 timeout_ms = afl->fsrv.exec_tmout * FORK_WAIT_MULT; + /* Reuse readfds as exceptfds to see when the child closed the pipe */ + u32 time_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, rlen, timeout_ms); - int sret = - select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout); + if (!time_ms) { - if (sret == 0) { + PFATAL("Error in timed read"); - kill(afl->cmplog_fsrv_pid, SIGKILL); - - } else { + } else if (time_ms > timeout_ms) { + afl->fsrv.child_timed_out = 1; + kill(afl->cmplog_fsrv_pid, SIGKILL); rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); } @@ -213,6 +210,11 @@ void init_cmplog_forkserver(afl_state_t *afl) { /* If we have a four-byte "hello" message from the server, we're all set. Otherwise, try to figure out what went wrong. */ + if (afl->fsrv.child_timed_out) + FATAL( + "Timeout while initializing cmplog fork server (adjusting -t may " + "help)"); + if (rlen == 4) { OKF("All right - fork server is up."); @@ -220,11 +222,6 @@ void init_cmplog_forkserver(afl_state_t *afl) { } - if (afl->fsrv.child_timed_out) - FATAL( - "Timeout while initializing cmplog fork server (adjusting -t may " - "help)"); - if (waitpid(afl->cmplog_fsrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); @@ -379,16 +376,12 @@ void init_cmplog_forkserver(afl_state_t *afl) { u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { - struct timeval it; - int status = 0; - int sret; - u64 exec_ms; + int status = 0; + u64 exec_ms; u32 tb4; s32 res; - fd_set readfds; - afl->fsrv.child_timed_out = 0; /* After this memset, afl->fsrv.trace_bits[] are effectively volatile, so we @@ -423,18 +416,9 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { /* Configure timeout, as requested by user, then wait for child to terminate. */ + u32 time_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, 4, timeout); - it.tv_sec = (timeout / 1000); - it.tv_usec = (timeout % 1000) * 1000; - - FD_ZERO(&readfds); - FD_SET(afl->cmplog_fsrv_st_fd, &readfds); - it.tv_sec = ((timeout) / 1000); - it.tv_usec = ((timeout) % 1000) * 1000; - - sret = select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &it); - - if (sret == 0) { + if (time_ms > timeout) { /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ @@ -442,9 +426,12 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { kill(afl->cmplog_child_pid, SIGKILL); afl->fsrv.child_timed_out = 1; + /* After killing the child, the forkserver should tell us */ + if (!read(afl->cmplog_fsrv_st_fd, &status, 4)) time_ms = 0; + } - if ((res = read(afl->cmplog_fsrv_st_fd, &status, 4)) != 4) { + if (!time_ms) { // Something went wrong. if (afl->stop_soon) return 0; SAYF("\n" cLRD "[-] " cRST @@ -467,12 +454,8 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { if (!WIFSTOPPED(status)) afl->cmplog_child_pid = 0; - exec_ms = (u64)timeout - (it.tv_sec * 1000 + it.tv_usec / 1000); if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms; - it.tv_sec = 0; - it.tv_usec = 0; - ++afl->total_execs; /* Any subsequent operations on afl->fsrv.trace_bits must not be moved by the diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b069fa77..4acc204b 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -529,9 +529,10 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (!afl->shm.cmp_map->headers[k].hits) continue; if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) - afl->stage_max += MIN(afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); + afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); else - afl->stage_max += MIN(afl->shm.cmp_map->headers[k].hits, CMP_MAP_RTN_H); + afl->stage_max += + MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_RTN_H); } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 90cb2ed5..f58e1a33 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -33,13 +33,10 @@ u8 run_target(afl_state_t *afl, u32 timeout) { s32 res; - int sret; + u32 time_ms; - fd_set readfds; - - struct timeval it; - int status = 0; - u32 tb4; + int status = 0; + u32 tb4; afl->fsrv.child_timed_out = 0; @@ -70,26 +67,20 @@ u8 run_target(afl_state_t *afl, u32 timeout) { if (afl->fsrv.child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - /* use select to monitor the forkserver for timeouts. */ - - FD_ZERO(&readfds); - FD_SET(afl->fsrv.fsrv_st_fd, &readfds); - it.tv_sec = ((timeout) / 1000); - it.tv_usec = ((timeout) % 1000) * 1000; - - sret = select(afl->fsrv.fsrv_st_fd + 1, &readfds, NULL, NULL, &it); + time_ms = read_timed(afl->fsrv.fsrv_st_fd, &status, 4, timeout); - if (sret == 0) { + if (time_ms > timeout) { /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ kill(afl->fsrv.child_pid, SIGKILL); afl->fsrv.child_timed_out = 1; + if (read(afl->fsrv.fsrv_st_fd, &status, 4) < 4) time_ms = 0; } - if ((res = read(afl->fsrv.fsrv_st_fd, &status, 4)) != 4) { + if (!time_ms) { if (afl->stop_soon) return 0; SAYF("\n" cLRD "[-] " cRST -- cgit 1.4.1 From 5bc6dccbbd6167b556af751755f0ae02c1ca2a8f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 31 Mar 2020 03:41:51 +0200 Subject: src doku is now markdown --- Makefile | 2 +- docs/Changelog.md | 5 +- include/common.h | 1 + qbdi_mode/build.sh | 2 +- src/README.md | 24 ++++ src/README.src | 22 --- src/afl-common.c | 5 +- src/afl-fuzz-globals.c | 364 ------------------------------------------------- src/afl-fuzz-state.c | 364 +++++++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 397 insertions(+), 392 deletions(-) create mode 100644 src/README.md delete mode 100644 src/README.src delete mode 100644 src/afl-fuzz-globals.c create mode 100644 src/afl-fuzz-state.c (limited to 'docs/Changelog.md') diff --git a/Makefile b/Makefile index cbef4b7c..b45cf9d3 100644 --- a/Makefile +++ b/Makefile @@ -66,7 +66,7 @@ endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) override CFLAGS += -Wall -g -Wno-pointer-sign -D_FORTIFY_SOURCE=2 \ - -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \ + -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) diff --git a/docs/Changelog.md b/docs/Changelog.md index 407a3324..1b97812c 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -23,7 +23,8 @@ sending a mail to . - force all output to stdout (some OK/SAY/WARN messages were sent to stdout, some to stderr) - uninstrumented mode uses an internal forkserver ("fauxserver") - - reduced number of (de)allocations + - now builds with `-D_FORTIFY_SOURCE=2` + - drastically reduced number of (de)allocations during fuzzing - afl-fuzz: - python mutator modules and custom mutator modules now use the same interface and hence the API changed @@ -205,7 +206,7 @@ sending a mail to . - big code refactoring: * all includes are now in include/ - * all afl sources are now in src/ - see src/README.src + * all afl sources are now in src/ - see src/README.md * afl-fuzz was splitted up in various individual files for including functionality in other programs (e.g. forkserver, memory map, etc.) for better readability. diff --git a/include/common.h b/include/common.h index db92e32d..c26740ed 100644 --- a/include/common.h +++ b/include/common.h @@ -101,3 +101,4 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms); #endif + diff --git a/qbdi_mode/build.sh b/qbdi_mode/build.sh index c2912e94..e3786f40 100755 --- a/qbdi_mode/build.sh +++ b/qbdi_mode/build.sh @@ -52,6 +52,6 @@ ${compiler_prefix}${CC} -shared -o libdemo.so demo-so.c -w -g echo "[+] Building afl-fuzz for Android" # build afl-fuzz cd .. -${compiler_prefix}${CC} -DANDROID_DISABLE_FANCY=1 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-globals.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz -ldl -w +${compiler_prefix}${CC} -DANDROID_DISABLE_FANCY=1 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-state.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz -ldl -w echo "[+] All done. Enjoy!" diff --git a/src/README.md b/src/README.md new file mode 100644 index 00000000..6da534c3 --- /dev/null +++ b/src/README.md @@ -0,0 +1,24 @@ +# Source Folder + +Quick explanation about the files here: + +- `afl-analyze.c` - afl-analyze binary tool +- `afl-as.c` - afl-as binary tool +- `afl-gotcpu.c` - afl-gotcpu binary tool +- `afl-showmap.c` - afl-showmap binary tool +- `afl-tmin.c` - afl-tmin binary tool +- `afl-fuzz.c` - afl-fuzz binary tool (just main() and usage()) +- `afl-fuzz-bitmap.c` - afl-fuzz bitmap handling +- `afl-fuzz-extras.c` - afl-fuzz the *extra* function calls +- `afl-fuzz-state.c` - afl-fuzz state and globals +- `afl-fuzz-init.c` - afl-fuzz initialization +- `afl-fuzz-misc.c` - afl-fuzz misc functions +- `afl-fuzz-one.c` - afl-fuzz fuzzer_one big loop, this is where the mutation is happening +- `afl-fuzz-python.c` - afl-fuzz the python mutator extension +- `afl-fuzz-queue.c` - afl-fuzz handling the queue +- `afl-fuzz-run.c` - afl-fuzz running the target +- `afl-fuzz-stats.c` - afl-fuzz writing the statistics file +- `afl-gcc.c` - afl-gcc binary tool (deprecated) +- `afl-common.c` - common functions, used by afl-analyze, afl-fuzz, afl-showmap and afl-tmin +- `afl-forkserver.c` - forkserver implementation, used by afl-fuzz and afl-tmin +afl-sharedmem.c - sharedmem implementation, used by afl-fuzz and afl-tmin diff --git a/src/README.src b/src/README.src deleted file mode 100644 index 244f5ddd..00000000 --- a/src/README.src +++ /dev/null @@ -1,22 +0,0 @@ -Quick explanation about the files here: - -afl-analyze.c - afl-analyze binary tool -afl-as.c - afl-as binary tool -afl-gotcpu.c - afl-gotcpu binary tool -afl-showmap.c - afl-showmap binary tool -afl-tmin.c - afl-tmin binary tool -afl-fuzz.c - afl-fuzz binary tool (just main() and usage()) -afl-fuzz-bitmap.c - afl-fuzz bitmap handling -afl-fuzz-extras.c - afl-fuzz the *extra* function calls -afl-fuzz-globals.c - afl-fuzz global variables -afl-fuzz-init.c - afl-fuzz initialization -afl-fuzz-misc.c - afl-fuzz misc functions -afl-fuzz-one.c - afl-fuzz fuzzer_one big loop, this is where the mutation is happening -afl-fuzz-python.c - afl-fuzz the python mutator extension -afl-fuzz-queue.c - afl-fuzz handling the queue -afl-fuzz-run.c - afl-fuzz running the target -afl-fuzz-stats.c - afl-fuzz writing the statistics file -afl-gcc.c - afl-gcc binary tool (deprecated) -afl-common.c - common functions, used by afl-analyze, afl-fuzz, afl-showmap and afl-tmin -afl-forkserver.c - forkserver implementation, used by afl-fuzz and afl-tmin -afl-sharedmem.c - sharedmem implementation, used by afl-fuzz and afl-tmin diff --git a/src/afl-common.c b/src/afl-common.c index 785d7c4c..c73d8725 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -423,7 +423,7 @@ u64 get_cur_time_us(void) { Will return buf for convenience. */ u8 *stringify_int(u8 *buf, size_t len, u64 val) { - +\ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ @@ -583,7 +583,7 @@ u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { Will return buf for convenience. */ u8 *u_stringify_int(u8 *buf, u64 val) { - +\ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ @@ -783,3 +783,4 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms) { : 1; // at least 1 milli must have passed (0 is an error) } + diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c deleted file mode 100644 index 1d99e1fa..00000000 --- a/src/afl-fuzz-globals.c +++ /dev/null @@ -1,364 +0,0 @@ -/* - american fuzzy lop++ - globals declarations - ------------------------------------------- - - Originally written by Michal Zalewski - - Now maintained by Marc Heuse , - Heiko Eißfeldt and - Andrea Fioraldi - - Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - This is the real deal: the program takes an instrumented binary and - attempts a variety of basic fuzzing tricks, paying close attention to - how they affect the execution path. - - */ - -#include "afl-fuzz.h" -#include "envs.h" - -s8 interesting_8[] = {INTERESTING_8}; -s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; -s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; - -char *power_names[POWER_SCHEDULES_NUM] = { - - "explore", "fast", "coe", "lin", "quad", "exploit", "mmopt", "rare"}; - -u8 *doc_path = NULL; /* gath to documentation dir */ - -/* Initialize MOpt "globals" for this afl state */ - -static void init_mopt_globals(afl_state_t *afl) { - - MOpt_globals_t *core = &afl->mopt_globals_core; - core->finds = afl->core_operator_finds_puppet; - core->finds_v2 = afl->core_operator_finds_puppet_v2; - core->cycles = afl->core_operator_cycles_puppet; - core->cycles_v2 = afl->core_operator_cycles_puppet_v2; - core->cycles_v3 = afl->core_operator_cycles_puppet_v3; - core->is_pilot_mode = 0; - core->pTime = &afl->tmp_core_time; - core->period = period_core; - core->havoc_stagename = "MOpt-core-havoc"; - core->splice_stageformat = "MOpt-core-splice %u"; - core->havoc_stagenameshort = "MOpt_core_havoc"; - core->splice_stagenameshort = "MOpt_core_splice"; - - MOpt_globals_t *pilot = &afl->mopt_globals_pilot; - pilot->finds = afl->stage_finds_puppet[0]; - pilot->finds_v2 = afl->stage_finds_puppet_v2[0]; - pilot->cycles = afl->stage_cycles_puppet[0]; - pilot->cycles_v2 = afl->stage_cycles_puppet_v2[0]; - pilot->cycles_v3 = afl->stage_cycles_puppet_v3[0]; - pilot->is_pilot_mode = 1; - pilot->pTime = &afl->tmp_pilot_time; - pilot->period = period_pilot; - pilot->havoc_stagename = "MOpt-havoc"; - pilot->splice_stageformat = "MOpt-splice %u"; - pilot->havoc_stagenameshort = "MOpt_havoc"; - pilot->splice_stagenameshort = "MOpt_splice"; - -} - -/* A global pointer to all instances is needed (for now) for signals to arrive - */ - -list_t afl_states = {.element_prealloc_count = 0}; - -/* Initializes an afl_state_t. */ - -void afl_state_init(afl_state_t *afl) { - - /* thanks to this memset, growing vars like out_buf - and out_size are NULL/0 by default. */ - memset(afl, 0, sizeof(afl_state_t)); - - afl->w_init = 0.9; - afl->w_end = 0.3; - afl->g_max = 5000; - afl->period_pilot_tmp = 5000.0; - afl->schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/ - afl->havoc_max_mult = HAVOC_MAX_MULT; - - afl->clear_screen = 1; /* Window resized? */ - afl->havoc_div = 1; /* Cycle count divisor for havoc */ - afl->stage_name = "init"; /* Name of the current fuzz stage */ - afl->splicing_with = -1; /* Splicing with which test case? */ - -#ifdef HAVE_AFFINITY - afl->cpu_aff = -1; /* Selected CPU core */ -#endif /* HAVE_AFFINITY */ - - afl->fsrv.use_stdin = 1; - - afl->cal_cycles = CAL_CYCLES; - afl->cal_cycles_long = CAL_CYCLES_LONG; - - afl->fsrv.exec_tmout = EXEC_TIMEOUT; - afl->hang_tmout = EXEC_TIMEOUT; - - afl->fsrv.mem_limit = MEM_LIMIT; - - afl->stats_update_freq = 1; - -#ifndef HAVE_ARC4RANDOM - afl->fsrv.dev_urandom_fd = -1; -#endif - afl->fsrv.dev_null_fd = -1; - - afl->fsrv.child_pid = -1; - afl->fsrv.out_dir_fd = -1; - - afl->cmplog_prev_timed_out = 0; - - /* statis file */ - afl->last_bitmap_cvg = 0; - afl->last_stability = 0; - afl->last_eps = 0; - - /* plot file saves from last run */ - afl->plot_prev_qp = 0; - afl->plot_prev_pf = 0; - afl->plot_prev_pnf = 0; - afl->plot_prev_ce = 0; - afl->plot_prev_md = 0; - afl->plot_prev_qc = 0; - afl->plot_prev_uc = 0; - afl->plot_prev_uh = 0; - - afl->stats_last_stats_ms = 0; - afl->stats_last_plot_ms = 0; - afl->stats_last_ms = 0; - afl->stats_last_execs = 0; - afl->stats_avg_exec = -1; - - init_mopt_globals(afl); - - list_append(&afl_states, afl); - -} - -/*This sets up the environment variables for afl-fuzz into the afl_state - * struct*/ - -void read_afl_environment(afl_state_t *afl, char **envp) { - - int index = 0, found = 0; - char *env; - while ((env = envp[index++]) != NULL) { - - if (strncmp(env, "ALF_", 4) == 0) { - - WARNF("Potentially mistyped AFL environment variable: %s", env); - found++; - - } else if (strncmp(env, "AFL_", 4) == 0) { - - int i = 0, match = 0; - while (match == 0 && afl_environment_variables[i] != NULL) { - - size_t afl_environment_variable_len = - strlen(afl_environment_variables[i]); - if (strncmp(env, afl_environment_variables[i], - afl_environment_variable_len) == 0 && - env[afl_environment_variable_len] == '=') { - - match = 1; - if (!strncmp(env, "AFL_SKIP_CPUFREQ", afl_environment_variable_len)) { - - afl->afl_env.afl_skip_cpufreq = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_EXIT_WHEN_DONE", - - afl_environment_variable_len)) { - - afl->afl_env.afl_exit_when_done = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_NO_AFFINITY", - - afl_environment_variable_len)) { - - afl->afl_env.afl_no_affinity = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_SKIP_CRASHES", - - afl_environment_variable_len)) { - - afl->afl_env.afl_skip_crashes = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_HANG_TMOUT", - - afl_environment_variable_len)) { - - afl->afl_env.afl_hang_tmout = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", - - afl_environment_variable_len)) { - - afl->afl_env.afl_skip_bin_check = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_DUMB_FORKSRV", - - afl_environment_variable_len)) { - - afl->afl_env.afl_dumb_forksrv = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_IMPORT_FIRST", - - afl_environment_variable_len)) { - - afl->afl_env.afl_import_first = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_ONLY", - - afl_environment_variable_len)) { - - afl->afl_env.afl_custom_mutator_only = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) { - - afl->afl_env.afl_no_ui = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_FORCE_UI", - - afl_environment_variable_len)) { - - afl->afl_env.afl_force_ui = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", - - afl_environment_variable_len)) { - - afl->afl_env.afl_i_dont_care_about_missing_crashes = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_BENCH_JUST_ONE", - - afl_environment_variable_len)) { - - afl->afl_env.afl_bench_just_one = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_BENCH_UNTIL_CRASH", - - afl_environment_variable_len)) { - - afl->afl_env.afl_bench_until_crash = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_DEBUG_CHILD_OUTPUT", - - afl_environment_variable_len)) { - - afl->afl_env.afl_debug_child_output = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_AUTORESUME", - - afl_environment_variable_len)) { - - afl->afl_env.afl_autoresume = - get_afl_env(afl_environment_variables[i]) ? 1 : 0; - - } else if (!strncmp(env, "AFL_TMPDIR", - - afl_environment_variable_len)) { - - afl->afl_env.afl_tmpdir = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_POST_LIBRARY", - - afl_environment_variable_len)) { - - afl->afl_env.afl_post_library = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", - - afl_environment_variable_len)) { - - afl->afl_env.afl_custom_mutator_library = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_PYTHON_MODULE", - - afl_environment_variable_len)) { - - afl->afl_env.afl_python_module = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_PATH", afl_environment_variable_len)) { - - afl->afl_env.afl_path = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } else if (!strncmp(env, "AFL_PRELOAD", - - afl_environment_variable_len)) { - - afl->afl_env.afl_preload = - (u8 *)get_afl_env(afl_environment_variables[i]); - - } - - } else - - i++; - - } - - if (match == 0) { - - WARNF("Mistyped AFL environment variable: %s", env); - found++; - - } - - } - - } - - if (found) sleep(2); - -} - -/* Removes this afl_state instance and frees it. */ - -void afl_state_deinit(afl_state_t *afl) { - - if (afl->post_deinit) afl->post_deinit(afl->post_data); - - free(afl->out_buf); - free(afl->out_scratch_buf); - free(afl->eff_buf); - free(afl->in_buf); - free(afl->in_scratch_buf); - free(afl->ex_buf); - - list_remove(&afl_states, afl); - -} - diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c new file mode 100644 index 00000000..1d99e1fa --- /dev/null +++ b/src/afl-fuzz-state.c @@ -0,0 +1,364 @@ +/* + american fuzzy lop++ - globals declarations + ------------------------------------------- + + Originally written by Michal Zalewski + + Now maintained by Marc Heuse , + Heiko Eißfeldt and + Andrea Fioraldi + + Copyright 2016, 2017 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This is the real deal: the program takes an instrumented binary and + attempts a variety of basic fuzzing tricks, paying close attention to + how they affect the execution path. + + */ + +#include "afl-fuzz.h" +#include "envs.h" + +s8 interesting_8[] = {INTERESTING_8}; +s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; +s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; + +char *power_names[POWER_SCHEDULES_NUM] = { + + "explore", "fast", "coe", "lin", "quad", "exploit", "mmopt", "rare"}; + +u8 *doc_path = NULL; /* gath to documentation dir */ + +/* Initialize MOpt "globals" for this afl state */ + +static void init_mopt_globals(afl_state_t *afl) { + + MOpt_globals_t *core = &afl->mopt_globals_core; + core->finds = afl->core_operator_finds_puppet; + core->finds_v2 = afl->core_operator_finds_puppet_v2; + core->cycles = afl->core_operator_cycles_puppet; + core->cycles_v2 = afl->core_operator_cycles_puppet_v2; + core->cycles_v3 = afl->core_operator_cycles_puppet_v3; + core->is_pilot_mode = 0; + core->pTime = &afl->tmp_core_time; + core->period = period_core; + core->havoc_stagename = "MOpt-core-havoc"; + core->splice_stageformat = "MOpt-core-splice %u"; + core->havoc_stagenameshort = "MOpt_core_havoc"; + core->splice_stagenameshort = "MOpt_core_splice"; + + MOpt_globals_t *pilot = &afl->mopt_globals_pilot; + pilot->finds = afl->stage_finds_puppet[0]; + pilot->finds_v2 = afl->stage_finds_puppet_v2[0]; + pilot->cycles = afl->stage_cycles_puppet[0]; + pilot->cycles_v2 = afl->stage_cycles_puppet_v2[0]; + pilot->cycles_v3 = afl->stage_cycles_puppet_v3[0]; + pilot->is_pilot_mode = 1; + pilot->pTime = &afl->tmp_pilot_time; + pilot->period = period_pilot; + pilot->havoc_stagename = "MOpt-havoc"; + pilot->splice_stageformat = "MOpt-splice %u"; + pilot->havoc_stagenameshort = "MOpt_havoc"; + pilot->splice_stagenameshort = "MOpt_splice"; + +} + +/* A global pointer to all instances is needed (for now) for signals to arrive + */ + +list_t afl_states = {.element_prealloc_count = 0}; + +/* Initializes an afl_state_t. */ + +void afl_state_init(afl_state_t *afl) { + + /* thanks to this memset, growing vars like out_buf + and out_size are NULL/0 by default. */ + memset(afl, 0, sizeof(afl_state_t)); + + afl->w_init = 0.9; + afl->w_end = 0.3; + afl->g_max = 5000; + afl->period_pilot_tmp = 5000.0; + afl->schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/ + afl->havoc_max_mult = HAVOC_MAX_MULT; + + afl->clear_screen = 1; /* Window resized? */ + afl->havoc_div = 1; /* Cycle count divisor for havoc */ + afl->stage_name = "init"; /* Name of the current fuzz stage */ + afl->splicing_with = -1; /* Splicing with which test case? */ + +#ifdef HAVE_AFFINITY + afl->cpu_aff = -1; /* Selected CPU core */ +#endif /* HAVE_AFFINITY */ + + afl->fsrv.use_stdin = 1; + + afl->cal_cycles = CAL_CYCLES; + afl->cal_cycles_long = CAL_CYCLES_LONG; + + afl->fsrv.exec_tmout = EXEC_TIMEOUT; + afl->hang_tmout = EXEC_TIMEOUT; + + afl->fsrv.mem_limit = MEM_LIMIT; + + afl->stats_update_freq = 1; + +#ifndef HAVE_ARC4RANDOM + afl->fsrv.dev_urandom_fd = -1; +#endif + afl->fsrv.dev_null_fd = -1; + + afl->fsrv.child_pid = -1; + afl->fsrv.out_dir_fd = -1; + + afl->cmplog_prev_timed_out = 0; + + /* statis file */ + afl->last_bitmap_cvg = 0; + afl->last_stability = 0; + afl->last_eps = 0; + + /* plot file saves from last run */ + afl->plot_prev_qp = 0; + afl->plot_prev_pf = 0; + afl->plot_prev_pnf = 0; + afl->plot_prev_ce = 0; + afl->plot_prev_md = 0; + afl->plot_prev_qc = 0; + afl->plot_prev_uc = 0; + afl->plot_prev_uh = 0; + + afl->stats_last_stats_ms = 0; + afl->stats_last_plot_ms = 0; + afl->stats_last_ms = 0; + afl->stats_last_execs = 0; + afl->stats_avg_exec = -1; + + init_mopt_globals(afl); + + list_append(&afl_states, afl); + +} + +/*This sets up the environment variables for afl-fuzz into the afl_state + * struct*/ + +void read_afl_environment(afl_state_t *afl, char **envp) { + + int index = 0, found = 0; + char *env; + while ((env = envp[index++]) != NULL) { + + if (strncmp(env, "ALF_", 4) == 0) { + + WARNF("Potentially mistyped AFL environment variable: %s", env); + found++; + + } else if (strncmp(env, "AFL_", 4) == 0) { + + int i = 0, match = 0; + while (match == 0 && afl_environment_variables[i] != NULL) { + + size_t afl_environment_variable_len = + strlen(afl_environment_variables[i]); + if (strncmp(env, afl_environment_variables[i], + afl_environment_variable_len) == 0 && + env[afl_environment_variable_len] == '=') { + + match = 1; + if (!strncmp(env, "AFL_SKIP_CPUFREQ", afl_environment_variable_len)) { + + afl->afl_env.afl_skip_cpufreq = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_EXIT_WHEN_DONE", + + afl_environment_variable_len)) { + + afl->afl_env.afl_exit_when_done = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_NO_AFFINITY", + + afl_environment_variable_len)) { + + afl->afl_env.afl_no_affinity = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_SKIP_CRASHES", + + afl_environment_variable_len)) { + + afl->afl_env.afl_skip_crashes = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_HANG_TMOUT", + + afl_environment_variable_len)) { + + afl->afl_env.afl_hang_tmout = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", + + afl_environment_variable_len)) { + + afl->afl_env.afl_skip_bin_check = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_DUMB_FORKSRV", + + afl_environment_variable_len)) { + + afl->afl_env.afl_dumb_forksrv = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_IMPORT_FIRST", + + afl_environment_variable_len)) { + + afl->afl_env.afl_import_first = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_ONLY", + + afl_environment_variable_len)) { + + afl->afl_env.afl_custom_mutator_only = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) { + + afl->afl_env.afl_no_ui = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_FORCE_UI", + + afl_environment_variable_len)) { + + afl->afl_env.afl_force_ui = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", + + afl_environment_variable_len)) { + + afl->afl_env.afl_i_dont_care_about_missing_crashes = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_BENCH_JUST_ONE", + + afl_environment_variable_len)) { + + afl->afl_env.afl_bench_just_one = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_BENCH_UNTIL_CRASH", + + afl_environment_variable_len)) { + + afl->afl_env.afl_bench_until_crash = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_DEBUG_CHILD_OUTPUT", + + afl_environment_variable_len)) { + + afl->afl_env.afl_debug_child_output = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_AUTORESUME", + + afl_environment_variable_len)) { + + afl->afl_env.afl_autoresume = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + + } else if (!strncmp(env, "AFL_TMPDIR", + + afl_environment_variable_len)) { + + afl->afl_env.afl_tmpdir = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_POST_LIBRARY", + + afl_environment_variable_len)) { + + afl->afl_env.afl_post_library = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", + + afl_environment_variable_len)) { + + afl->afl_env.afl_custom_mutator_library = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_PYTHON_MODULE", + + afl_environment_variable_len)) { + + afl->afl_env.afl_python_module = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_PATH", afl_environment_variable_len)) { + + afl->afl_env.afl_path = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_PRELOAD", + + afl_environment_variable_len)) { + + afl->afl_env.afl_preload = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } + + } else + + i++; + + } + + if (match == 0) { + + WARNF("Mistyped AFL environment variable: %s", env); + found++; + + } + + } + + } + + if (found) sleep(2); + +} + +/* Removes this afl_state instance and frees it. */ + +void afl_state_deinit(afl_state_t *afl) { + + if (afl->post_deinit) afl->post_deinit(afl->post_data); + + free(afl->out_buf); + free(afl->out_scratch_buf); + free(afl->eff_buf); + free(afl->in_buf); + free(afl->in_scratch_buf); + free(afl->ex_buf); + + list_remove(&afl_states, afl); + +} + -- cgit 1.4.1 From 4489dd24a81a61c051438c8dea575267ea9a7014 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 02:09:33 +0200 Subject: typo fix --- docs/Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 1b97812c..72336b11 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -34,7 +34,7 @@ sending a mail to . the last 5 queue entries - rare: puts focus on queue entries that hits rare branches, also ignores runtime - - llvm_mode: added Control Flow Integrity sanatizer (AFL_USE_CFISAN) + - llvm_mode: added Control Flow Integrity sanitizer (AFL_USE_CFISAN) - LTO collision free instrumented added in llvm_mode with afl-clang-lto - note that this mode is amazing, but quite some targets won't compile - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera -- cgit 1.4.1