From 9e4137a3ebdda76d7cfa3da03ae2f4b1317be012 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 3 Oct 2022 22:58:21 +0200 Subject: Enabled tricore arch for unicornafl --- docs/Changelog.md | 3 +++ 1 file changed, 3 insertions(+) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 9503f493..732c5218 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,6 +10,9 @@ scripts - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 + - unicornafl: + - Enabled tricore arch (by @jma-qb) + - Updated Capstone version in Rust bindings ### Version ++4.03c (release) -- cgit 1.4.1 From 5e04c9693b19038871f3aa93544cac187785bc1a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 4 Oct 2022 08:39:07 +0200 Subject: fix qemu_mode speed bug --- docs/Changelog.md | 5 ++++- qemu_mode/QEMUAFL_VERSION | 2 +- qemu_mode/qemuafl | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 732c5218..33dc9466 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,7 +10,10 @@ scripts - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 - - unicornafl: + - qemu_mode: + - fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for + reporting! + - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION index 412dbf45..8f4db04a 100644 --- a/qemu_mode/QEMUAFL_VERSION +++ b/qemu_mode/QEMUAFL_VERSION @@ -1 +1 @@ -dc19175a0b +ff9de4fbeb diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index dc19175a..ff9de4fb 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit dc19175a0bf4cf34e19944d084d92f33f26df93d +Subproject commit ff9de4fbeb33088b0273f9bb05ecf374a749222f -- cgit 1.4.1 From 2107ece114e66952f16d2dbc888d46a1061e6faf Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Fri, 7 Oct 2022 15:40:04 +0200 Subject: auto shmem fuzzing (#1541) * auto shmem fuzzing * print warning when forcing shmem fuzzing * typos * Shmem always * typo fix * fixes Co-authored-by: Dominik Maier --- docs/Changelog.md | 5 ++++- instrumentation/afl-compiler-rt.o.c | 27 +++++++++++++++++++++------ src/afl-cc.c | 2 +- src/afl-fuzz.c | 14 ++++++++++++++ src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- utils/aflpp_driver/aflpp_driver.c | 20 ++++++++++++-------- 7 files changed, 54 insertions(+), 18 deletions(-) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 33dc9466..d4dfb709 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -5,7 +5,7 @@ ### Version ++4.04a (dev) - - fix gramatron and grammar_mutatur build scripts + - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts - afl-cc: @@ -16,6 +16,9 @@ - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings + - llvm-mode: + - AFL runtime will always pass inputs via shared memory, when possible, + ignoring the command line. ### Version ++4.03c (release) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 194d49b0..20069824 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -97,6 +97,7 @@ u8 *__afl_dictionary; u8 *__afl_fuzz_ptr; static u32 __afl_fuzz_len_dummy; u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy; +int __afl_sharedmem_fuzzing __attribute__((weak)); u32 __afl_final_loc; u32 __afl_map_size = MAP_SIZE; @@ -119,8 +120,6 @@ __thread PREV_LOC_T __afl_prev_caller[CTX_MAX_K]; __thread u32 __afl_prev_ctx; #endif -int __afl_sharedmem_fuzzing __attribute__((weak)); - struct cmp_map *__afl_cmp_map; struct cmp_map *__afl_cmp_map_backup; 
@@ -347,6 +346,22 @@ static void __afl_map_shm(void) { } + if (__afl_sharedmem_fuzzing && (!id_str || !getenv(SHM_FUZZ_ENV_VAR) || + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1)) { + + if (__afl_debug) { + + fprintf(stderr, + "DEBUG: running not inside afl-fuzz, disabling shared memory " + "testcases\n"); + + } + + __afl_sharedmem_fuzzing = 0; + + } + if (!id_str) { u32 val = 0; @@ -543,7 +558,7 @@ static void __afl_map_shm(void) { if (!__afl_area_ptr_dummy) { fprintf(stderr, - "Error: AFL++ could not aquire %u bytes of memory, exiting!\n", + "Error: AFL++ could not acquire %u bytes of memory, exiting!\n", __afl_final_loc); exit(-1); @@ -757,10 +772,10 @@ static void __afl_start_snapshots(void) { assume we're not running in forkserver mode and just execute program. */ status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG); - if (__afl_sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; + if (__afl_sharedmem_fuzzing) { status |= FS_OPT_SHDMEM_FUZZ; } if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); - if (__afl_dictionary_len && __afl_dictionary) status |= FS_OPT_AUTODICT; + if (__afl_dictionary_len && __afl_dictionary) { status |= FS_OPT_AUTODICT; } memcpy(tmp, &status, 4); if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; } @@ -1021,7 +1036,7 @@ static void __afl_start_forkserver(void) { } - if (__afl_sharedmem_fuzzing != 0) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } + if (__afl_sharedmem_fuzzing) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } if (status_for_fsrv) { status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG); diff --git a/src/afl-cc.c b/src/afl-cc.c index 53fba1e7..469aa825 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
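Review bot: The new guard in __afl_map_shm folds two different questions into one condition — whether shared-memory test cases were requested at all (id_str, SHM_FUZZ_ENV_VAR) and whether a fork-server descriptor pair is open (the two fcntl(F_GETFD) probes) — but the debug message names only the second, so a run with the fork server present and no SHM_FUZZ_ENV_VAR also reports "running not inside afl-fuzz". Note that F_GETFD only proves descriptors FORKSRV_FD and FORKSRV_FD + 1 are open, not that they belong to afl-fuzz, so the environment checks are what actually carry the decision. Suggest a comment above the if: `/* Shmem test cases need afl-fuzz on the other end: both SHM ids in the environment plus an open fork-server fd pair, otherwise fall back to file/stdin input. */`. The same probe is added to utils/aflpp_driver/aflpp_driver.c in this commit; a single shared helper would keep the two copies from drifting apart. __afl_map_shm continues outside the hunk.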
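Review bot: Braces were added to two of the three single-statement ifs in __afl_start_snapshots, but `if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) status |= (...)` sitting between them is still unbraced, so the hunk ends up less consistent than it started. Brace it as well: `if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) { status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); }`. The same pattern appears in the @@ -1021 hunk of this file, which only rewrote the sharedmem line. __afl_start_snapshots continues outside the hunk.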
@@ -317,7 +317,7 @@ void parse_fsanitize(char *string) { char *tmp = malloc(strlen(ptr)); u32 count = 0, len, ende = 0; - if (!new || !tmp) { FATAL("could not aquire memory"); } + if (!new || !tmp) { FATAL("could not acquire memory"); } strcpy(new, "-fsanitize="); do { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 294c42f6..84ae54ff 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2132,6 +2132,20 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->fsrv.out_file && afl->fsrv.use_shmem_fuzz) { + + afl->fsrv.out_file = NULL; + afl->fsrv.use_stdin = 0; + if (!afl->unicorn_mode && !afl->fsrv.use_stdin) { + + WARNF( + "You specified -f or @@ on the command line but the target harness " + "specified fuzz cases via shmem, switching to shmem!"); + + } + + } + deunicode_extras(afl); dedup_extras(afl); if (afl->extras_cnt) { OKF("Loaded a total of %u extras.", afl->extras_cnt); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index b0b21011..0b724758 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1268,7 +1268,7 @@ int main(int argc, char **argv_orig, char **envp) { (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { if (!be_quiet) - ACTF("Aquired new map size for target: %u bytes\n", new_map_size); + ACTF("Acquired new map size for target: %u bytes\n", new_map_size); afl_shm_deinit(&shm); afl_fsrv_kill(fsrv); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 78537f9f..694c9c21 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1252,7 +1252,7 @@ int main(int argc, char **argv_orig, char **envp) { (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { if (!be_quiet) - ACTF("Aquired new map size for target: %u bytes\n", new_map_size); + ACTF("Acquired new map size for target: %u bytes\n", new_map_size); afl_shm_deinit(&shm); afl_fsrv_kill(fsrv); diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 7e553723..87bd2aa2 100644 --- a/utils/aflpp_driver/aflpp_driver.c 
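Review bot: In parse_fsanitize the context line `char *tmp = malloc(strlen(ptr));` leaves no room for a terminating NUL, so if tmp ever receives a full copy of ptr (the rest of the function is outside the hunk) that write overruns by one byte; the size of `new`, which is strcpy'd into on the next line, is not visible here either. Allocating `strlen(ptr) + 1` is the safe form regardless of how tmp is later filled. This is pre-existing code that the commit only touches for the message typo, so it may belong in a follow-up rather than this change.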
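Review bot: In the new afl-fuzz.c block `afl->fsrv.use_stdin = 0;` runs on the line directly before the inner check `!afl->fsrv.use_stdin`, so that operand is always true and the warning depends only on unicorn_mode; if the intent was to test the previous value it has to be captured before the assignment, otherwise the operand should simply go: `if (!afl->unicorn_mode) {`. Setting `afl->fsrv.out_file = NULL` also drops the string without freeing it; whether it is heap-allocated at this point is not visible in the hunk, so this may or may not be a leak. main continues outside the hunk.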
+++ b/utils/aflpp_driver/aflpp_driver.c @@ -35,6 +35,7 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int LLVMFuzzerRunDriver(int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); -// Default nop ASan hooks for manual posisoning when not linking the ASan +// Default nop ASan hooks for manual poisoning when not linking the ASan // runtime // https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning __attribute__((weak)) void __asan_poison_memory_region( @@ -290,6 +291,12 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } + bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + output_file = stderr; maybe_duplicate_stderr(); maybe_close_fd_mask(); @@ -310,23 +317,20 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, int N = INT_MAX; - if (argc == 2 && !strcmp(argv[1], "-")) { + if (!in_afl && argc == 2 && !strcmp(argv[1], "-")) { - __afl_sharedmem_fuzzing = 0; __afl_manual_init(); return ExecuteFilesOnyByOne(argc, argv, callback); - } else if (argc == 2 && argv[1][0] == '-') { + } else if (argc == 2 && argv[1][0] == '-' && argv[1][1]) { N = atoi(argv[1] + 1); - } else if (argc == 2 && (N = atoi(argv[1])) > 0) { + } else if (argc == 2 && argv[1][0] != '-' && (N = atoi(argv[1])) > 0) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); - } else if (argc > 1) { - - __afl_sharedmem_fuzzing = 0; + } else if (!in_afl && argc > 1 && argv[1][0] != '-') { if (argc == 2) { __afl_manual_init(); } -- cgit 1.4.1 From e6e82948bf95fab90466cb2dfa78457c4d2d80a6 Mon Sep 17 00:00:00 2001 
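Review bot: `in_afl` is named as if it meant "running under afl-fuzz", but it is false whenever SHM_FUZZ_ENV_VAR or SHM_ENV_VAR is absent even with the fork-server descriptors open, and it is built as a double negation that is hard to read. Name it for what it tests and drop the negations: `bool shmem_fuzz_possible = getenv(SHM_FUZZ_ENV_VAR) && getenv(SHM_ENV_VAR) && fcntl(FORKSRV_FD, F_GETFD) != -1 && fcntl(FORKSRV_FD + 1, F_GETFD) != -1;`. The same probe is added to instrumentation/afl-compiler-rt.o.c in this commit; one copy, or at least an identical set of conditions, avoids the runtime and the driver disagreeing about whether shmem input is in use. LLVMFuzzerRunDriver continues outside the hunk.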
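Review bot: The `-<n>` branch takes `N = atoi(argv[1] + 1)` with no range check, so `-0`, `-x` or a negative count leaves N at zero or below and silently falls through to whatever the later loop does with it, while the deprecated `<n>` form right next to it is guarded with `> 0`. Mirror that guard, or better use strtol with an end-pointer check so that `-12abc` is rejected too: `N = atoi(argv[1] + 1); if (N <= 0) { fprintf(stderr, "invalid iteration count %s\n", argv[1]); /* fail as for other usage errors */ }`. Which failure path is appropriate depends on the caller, which is outside the hunk.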
From: vanhauser-thc Date: Tue, 11 Oct 2022 08:53:49 +0200 Subject: fastexit + code format --- GNUmakefile | 1 + docs/Changelog.md | 3 +++ instrumentation/afl-gcc-cmplog-pass.so.cc | 4 ++-- instrumentation/afl-gcc-common.h | 5 +++-- instrumentation/afl-gcc-pass.so.cc | 2 +- qemu_mode/fastexit/Makefile | 30 ++++++++++++++++++++++++++++++ qemu_mode/fastexit/README.md | 5 +++++ qemu_mode/fastexit/fastexit.c | 6 ++++++ src/afl-fuzz.c | 1 + utils/aflpp_driver/aflpp_driver.c | 6 +++--- utils/libdislocator/libdislocator.so.c | 2 +- 11 files changed, 56 insertions(+), 9 deletions(-) create mode 100644 qemu_mode/fastexit/Makefile create mode 100644 qemu_mode/fastexit/README.md create mode 100644 qemu_mode/fastexit/fastexit.c (limited to 'docs/Changelog.md') diff --git a/GNUmakefile b/GNUmakefile index 70299fc3..d1f28a76 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -592,6 +592,7 @@ clean: -$(MAKE) -C utils/argv_fuzzing clean -$(MAKE) -C utils/plot_ui clean -$(MAKE) -C qemu_mode/unsigaction clean + -$(MAKE) -C qemu_mode/fastexit clean -$(MAKE) -C qemu_mode/libcompcov clean -$(MAKE) -C qemu_mode/libqasan clean -$(MAKE) -C frida_mode clean diff --git a/docs/Changelog.md b/docs/Changelog.md index d4dfb709..b4f758e8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -8,11 +8,14 @@ - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts + - afl-fuzz: + - force writing all stats on exit - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 - qemu_mode: - fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for reporting! + - added qemu_mode/fastexit helper library - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc index e42e8bc0..3c781fd7 100644 --- a/instrumentation/afl-gcc-cmplog-pass.so.cc +++ b/instrumentation/afl-gcc-cmplog-pass.so.cc 
@@ -245,7 +245,7 @@ struct afl_cmplog_pass : afl_base_pass { tree s = make_ssa_name(t); gimple g = gimple_build_assign(s, VIEW_CONVERT_EXPR, - build1(VIEW_CONVERT_EXPR, t, lhs)); + build1(VIEW_CONVERT_EXPR, t, lhs)); lhs = s; gsi_insert_before(&gsi, g, GSI_SAME_STMT); @@ -281,7 +281,7 @@ struct afl_cmplog_pass : afl_base_pass { } /* Insert the call. */ - tree att = build_int_cst(t8u, attr); + tree att = build_int_cst(t8u, attr); gimple call; if (pass_n) call = gimple_build_call(fn, 4, lhs, rhs, att, diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h index 766c0eff..cda3f9d8 100644 --- a/instrumentation/afl-gcc-common.h +++ b/instrumentation/afl-gcc-common.h @@ -501,7 +501,8 @@ struct afl_base_pass : gimple_opt_pass { // compatibility for older gcc versions #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \ 60200 /* >= version 6.2.0 */ -#define gimple gimple * + #define gimple gimple * #else -#define gimple gimple + #define gimple gimple #endif + diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 2b251075..ea938a7f 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -127,7 +127,7 @@ #include "afl-gcc-common.h" #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \ 60200 /* >= version 6.2.0 */ -#include "memmodel.h" + #include "memmodel.h" #endif /* This plugin, being under the same license as GCC, satisfies the diff --git a/qemu_mode/fastexit/Makefile b/qemu_mode/fastexit/Makefile new file mode 100644 index 00000000..80a5ec48 --- /dev/null +++ b/qemu_mode/fastexit/Makefile 
@@ -0,0 +1,30 @@ +# +# american fuzzy lop++ - fastexit +# -------------------------------- +# +# Written by Andrea Fioraldi +# +# Copyright 2019-2022 Andrea Fioraldi. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +TARGETS=fastexit.so fastexit32.so fastexit64.so + +all: $(TARGETS) + +fastexit.so: fastexit.c + @if $(CC) -fPIC -shared fastexit.c -o fastexit.so 2>/dev/null ; then echo "fastexit build success"; else echo "fastexit build failure (that's fine)"; fi + +fastexit32.so: fastexit.c + @if $(CC) -fPIC -m32 -shared fastexit.c -o fastexit32.so 2>/dev/null ; then echo "fastexit32 build success"; else echo "fastexit32 build failure (that's fine)"; fi + +fastexit64.so: fastexit.c + @if $(CC) -fPIC -m64 -shared fastexit.c -o fastexit64.so 2>/dev/null ; then echo "fastexit64 build success"; else echo "fastexit64 build failure (that's fine)"; fi + +clean: + rm -f fastexit.so diff --git a/qemu_mode/fastexit/README.md b/qemu_mode/fastexit/README.md new file mode 100644 index 00000000..f01340c2 --- /dev/null +++ b/qemu_mode/fastexit/README.md @@ -0,0 +1,5 @@ +# fastexit + +This library forces _exit on exit when preloaded to gain speed. + +Gives speed on complex tarets like Android or Wine. diff --git a/qemu_mode/fastexit/fastexit.c b/qemu_mode/fastexit/fastexit.c new file mode 100644 index 00000000..44141af1 --- /dev/null +++ b/qemu_mode/fastexit/fastexit.c @@ -0,0 +1,6 @@ +#include +#include + +void exit(int status) { + _exit(status); +} diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 84ae54ff..d116822a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
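Review bot: The `clean` target removes only fastexit.so although the file builds three shared objects, so fastexit32.so and fastexit64.so survive a clean; use `rm -f $(TARGETS)`. The three build rules also discard compiler output with `2>/dev/null`, which hides why a 32- or 64-bit build failed — fine for optional targets, but a one-line comment saying the failures are expected on hosts without multilib would spare the next reader a detour.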
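Review bot: The override replaces exit() with _exit(), which by design skips atexit() handlers and stdio flushing, and nothing in fastexit.c says so; the README mentions only the speed gain. Add a header comment such as `/* Preload helper: route exit() straight to _exit() so atexit() handlers and stdio buffers are skipped; only the exit status survives, which is all the fuzzer needs. */` so that lost output or un-run cleanup under this preload is not mistaken for a target bug.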
@@ -2570,6 +2570,7 @@ int main(int argc, char **argv_orig, char **envp) { stop_fuzzing: afl->force_ui_update = 1; // ensure the screen is reprinted + afl->stop_soon = 1; // ensure everything is written show_stats(afl); // print the screen one last time write_bitmap(afl); save_auto(afl); diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 87bd2aa2..a76ba6c2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -292,10 +292,10 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || - fcntl(FORKSRV_FD, F_GETFD) == -1 || - fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); - if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } output_file = stderr; maybe_duplicate_stderr(); diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 638735ef..c390d004 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -512,7 +512,7 @@ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, int reallocarr(void *ptr, size_t elem_len, size_t elem_cnt) { - void *ret = NULL; + void *ret = NULL; const size_t elem_tot = elem_len * elem_cnt; if (elem_tot == 0) { -- cgit 1.4.1 From bac6ba89074019e0f095774ecebc435970f4940d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 11 Oct 2022 15:39:27 +0200 Subject: v4.04c --- README.md | 2 +- docs/Changelog.md | 2 +- include/config.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'docs/Changelog.md') diff --git a/README.md b/README.md index 935c71ce..fd92a8c0 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ AFL++ logo -Release version: [4.03c](https://github.com/AFLplusplus/AFLplusplus/releases) +Release version: [4.04c](https://github.com/AFLplusplus/AFLplusplus/releases) GitHub version: 4.04a diff --git a/docs/Changelog.md b/docs/Changelog.md index b4f758e8..ef721bb1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -4,7 +4,7 @@ release of the tool. See README.md for the general instruction manual. -### Version ++4.04a (dev) +### Version ++4.04c (release) - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts diff --git a/include/config.h b/include/config.h index 21701515..6b1e1e26 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++4.04a" +#define VERSION "++4.04c" /****************************************************** * * -- cgit 1.4.1