From f807d7cefbc3c0e71cac6aad5cc28006f6a253be Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 02:45:17 +0100 Subject: important InsTrim fixes! --- docs/Changelog.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'docs/Changelog.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 5d781545..0d67e807 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,7 @@ sending a mail to . - the memory safety checks are now disabled for a little more speed during fuzzing (only affects creating queue entries), can be toggled in config.h - afl-fuzz: + - MOpt out of bounds writing crash fixed - now prints the real python version support compiled in - set stronger performance compile options and little tweaks - Android: prefer bigcores when selecting a CPU @@ -28,7 +29,12 @@ sending a mail to . - bugfix for dictionary insert stage count (fix via Google repo PR) - added warning if -M is used together with custom mutators with _ONLY option - AFL_TMPDIR checks are now later and better explained if they fail - - llvm_mode InsTrim: no pointless instrumentation of 1 block functions + - llvm_mode + - InsTrim: three bug fixes: + 1. (minor) no pointless instrumentation of 1 block functions + 2. (medium) path bug that leads a few blocks not instrumented that + should be + 3. (major) incorrect prev_loc was written, fixed! - afl-clang-fast: - show in the help output for which llvm version it was compiled for - now does not need to be recompiled between trace-pc and pass -- cgit 1.4.1 From 3f6bfbd98148f7decb5ca8a049d334d05c560c09 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 24 Feb 2020 17:24:06 +0100 Subject: v2.61c --- README.md | 4 ++-- docs/Changelog.md | 2 +- include/config.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/Changelog.md') diff --git a/README.md b/README.md index b61cbfd0..4c305412 100644 --- a/README.md +++ b/README.md 
@@ -4,9 +4,9 @@ ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)
- Release Version: 2.60c
+ Release Version: 2.61c
- Github Version: 2.60d
+ Github Version: 2.61d
 includes all necessary/interesting changes from Google's afl 2.56b
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 0d67e807..5019a0a7 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,7 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to .
-### Version ++2.60d (develop):
+### Version ++2.61c (release):
 - use -march=native if available
 - most tools now check for mistyped environment variables
diff --git a/include/config.h b/include/config.h
index 12e2d092..d1b40245 100644
--- a/include/config.h
+++ b/include/config.h
@@ -27,7 +27,7 @@
 /* Version string: */
 // c = release, d = volatile github dev, e = experimental branch
-#define VERSION "++2.60d"
+#define VERSION "++2.61c"
 /******************************************************
 * *
-- cgit 1.4.1
From 9cc8ebd35123ee67ae0533f2cf03d725d402868b Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 24 Feb 2020 17:26:02 +0100
Subject: 2.61d init
---
docs/Changelog.md | 5 +++++
include/config.h | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'docs/Changelog.md')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 5019a0a7..4e99bcac 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,6 +9,11 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to .
+### Version ++2.61d (develop):
+
+ - ...
+
+
 ### Version ++2.61c (release):
 - use -march=native if available
diff --git a/include/config.h b/include/config.h
index d1b40245..59a476c9 100644
--- a/include/config.h
+++ b/include/config.h
@@ -27,7 +27,7 @@
 /* Version string: */
 // c = release, d = volatile github dev, e = experimental branch
-#define VERSION "++2.61c"
+#define VERSION "++2.61d"
 /******************************************************
 * *
-- cgit 1.4.1
From 891b568678848f17e2502758569781f78b4fc0a2 Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Tue, 25 Feb 2020 08:34:44 +0100
Subject: fix references to README docs
---
afl-cmin.bash | 2 +-
docs/Changelog.md | 18 +++++++++---------
docs/QuickStartGuide.md | 2 +-
docs/env_variables.md | 2 +-
docs/life_pro_tips.md | 4 ++--
docs/notes_for_asan.md | 2 +-
docs/parallel_fuzzing.md | 2 +-
docs/perf_tips.md | 4 ++--
docs/sister_projects.md | 4 ++--
docs/status_screen.md | 2 +-
docs/technical_details.md | 4 ++--
gcc_plugin/afl-gcc-rt.o.c | 2 +-
libdislocator/README.md | 2 +-
libtokencap/README.md | 2 +-
llvm_mode/README.md | 2 +-
llvm_mode/afl-llvm-rt.o.c | 4 ++--
qemu_mode/README.md | 4 ++--
qemu_mode/libcompcov/libcompcov.so.c | 2 +-
qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +-
src/afl-analyze.c | 2 +-
src/afl-common.c | 4 ++--
src/afl-fuzz-init.c | 4 ++--
src/afl-fuzz.c | 6 +++---
src/afl-showmap.c | 2 +-
24 files changed, 42 insertions(+), 42 deletions(-)
(limited to 'docs/Changelog.md')
diff --git a/afl-cmin.bash b/afl-cmin.bash
index 948e0655..b1378eb5 100755
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@@ -126,7 +126,7 @@ Minimization settings:
 -C - keep crashing inputs, reject everything else
 -e - solve for edge coverage only, ignore hit counts
-For additional tips, please consult docs/README.
+For additional tips, please consult docs/README.md.
 Environment variables used:
 AFL_KEEP_TRACES: leave the temporary \.traces directory
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 4e99bcac..2f8674c8 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -1,7 +1,7 @@ # Changelog This is the list of all noteworthy changes made in every public release of - the tool. See README for the general instruction manual. + the tool. See README.md for the general instruction manual. ## Staying informed @@ -45,7 +45,7 @@ sending a mail to . - now does not need to be recompiled between trace-pc and pass instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :) - LLVM 11 is supported - - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) + - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog.md) - afl-gcc, afl-clang-fast, afl-gcc-fast: - experimental support for undefined behaviour sanitizer UBSAN (set AFL_USE_UBSAN=1) @@ -189,7 +189,7 @@ sending a mail to . - fix llvm_mode AFL_TRACE_PC with modern llvm - fix a crash in qemu_mode which also exists in stock afl - added libcompcov, a laf-intel implementation for qemu! :) - see qemu_mode/libcompcov/README.libcompcov + see qemu_mode/libcompcov/README.libcompcov.md - afl-fuzz now displays the selected core in the status screen (blue {#}) - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels @@ -198,8 +198,8 @@ sending a mail to . - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc - added instrim, a much faster llvm_mode instrumentation at the cost of - path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim) - - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt + path discovery. See llvm_mode/README.instrim.md (https://github.com/csienslab/instrim) + - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt.md - added code to make it more portable to other platforms than Intel Linux - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1) 
@@ -229,11 +229,11 @@ sending a mail to . LLVM and Qemu modes are now faster. Important changes: afl-fuzz: -e EXTENSION commandline option - llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel) - a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.txt + llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md) + a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.md - Added the power schedules of AFLfast by Marcel Boehme, but set the default to the AFL schedule, not to the FAST schedule. So nothing changes unless - you use the new -p option :-) - see docs/power_schedules.txt + you use the new -p option :-) - see docs/power_schedules.md - added afl-system-config script to set all system performance options for fuzzing - llvm_mode works with llvm 3.9 up to including 8 ! - qemu_mode got upgraded from 2.1 to 3.1 - incorporated from @@ -476,7 +476,7 @@ sending a mail to . - Added libtokencap, a simple feature to intercept strcmp / memcmp and generate dictionary entries that can help extend coverage. - - Moved libdislocator to its own dir, added README. + - Moved libdislocator to its own dir, added README.md. - The demo in examples/instrumented_cmp is no more. diff --git a/docs/QuickStartGuide.md b/docs/QuickStartGuide.md index f9e3b256..1e1d60b7 100644 --- a/docs/QuickStartGuide.md +++ b/docs/QuickStartGuide.md @@ -27,7 +27,7 @@ how to hit the ground running: 4) Get a small but valid input file that makes sense to the program. When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in - dictionaries/README.dictionaries, too. + dictionaries/README.md, too. 5) If the program reads from stdin, run 'afl-fuzz' like so: diff --git a/docs/env_variables.md b/docs/env_variables.md index c60821dc..9fc60187 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md 
@@ -2,7 +2,7 @@
 This document discusses the environment variables used by American Fuzzy Lop++
 to expose various exotic functions that may be (rarely) useful for power
- users or for some types of custom fuzzing setups. See README for the general
+ users or for some types of custom fuzzing setups. See README.md for the general
 instruction manual.
 ## 1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast
diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md
index a0d90659..0724e83c 100644
--- a/docs/life_pro_tips.md
+++ b/docs/life_pro_tips.md
@@ -62,7 +62,7 @@ Specify `AFL_HARDEN=1` in the environment to enable hardening flags.
 ## Bumping into problems with non-reproducible crashes? It happens, but usually
-isn't hard to diagnose. See section #7 in README for tips.
+isn't hard to diagnose. See section #7 in README.md for tips.
 ## Fuzzing is not just about memory corruption issues in the codebase. Add some
@@ -87,4 +87,4 @@ use a postprocessor! See examples/post_library/ for more.
 ## Dealing with a very slow target or hoping for instant results?
-Specify `-d` when calling afl-fuzz!
\ No newline at end of file
+Specify `-d` when calling afl-fuzz!
diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md
index 9c49dc1f..feac49f9 100644
--- a/docs/notes_for_asan.md
+++ b/docs/notes_for_asan.md
@@ -1,7 +1,7 @@
 # Notes for using ASAN with afl-fuzz
 This file discusses some of the caveats for fuzzing under ASAN, and suggests
- a handful of alternatives. See README for the general instruction manual.
+ a handful of alternatives. See README.md for the general instruction manual.
 ## 1) Short version
diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md
index 0a2863fe..8b39df04 100644
--- a/docs/parallel_fuzzing.md
+++ b/docs/parallel_fuzzing.md
@@ -1,7 +1,7 @@
 # Tips for parallel fuzzing
 This document talks about synchronizing afl-fuzz jobs on a single machine
- or across a fleet of systems. See README for the general instruction manual.
+ or across a fleet of systems. See README.md for the general instruction manual.
 ## 1) Introduction
diff --git a/docs/perf_tips.md b/docs/perf_tips.md
index 41d74447..fcd03db7 100644
--- a/docs/perf_tips.md
+++ b/docs/perf_tips.md
@@ -1,7 +1,7 @@
 ## Tips for performance optimization
 This file provides tips for troubleshooting slow or wasteful fuzzing jobs.
- See README for the general instruction manual.
+ See README.md for the general instruction manual.
 ## 1. Keep your test cases small
@@ -221,4 +221,4 @@ early on, you can always resort to the `-d` mode. The mode causes `afl-fuzz`
 to skip all the deterministic fuzzing steps, which makes output a lot less neat and can ultimately make the testing a bit less in-depth, but it will give you an experience more familiar from other fuzzing
-tools.
\ No newline at end of file
+tools.
diff --git a/docs/sister_projects.md b/docs/sister_projects.md
index ecc3b924..1625044c 100644
--- a/docs/sister_projects.md
+++ b/docs/sister_projects.md
@@ -1,7 +1,7 @@
 # Sister projects
 This doc lists some of the projects that are inspired by, derived from,
-designed for, or meant to integrate with AFL. See README for the general
+designed for, or meant to integrate with AFL. See README.md for the general
 instruction manual.
 !!!
@@ -252,7 +252,7 @@ https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters
 ### AFL JS (Han Choongwoo)
 One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
-superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm).
+superseded by LLVM deferred forkserver init - see llvm_mode/README.md).
 https://github.com/tunz/afl-fuzz-js
diff --git a/docs/status_screen.md b/docs/status_screen.md
index 066c2c07..0bc636c4 100644
--- a/docs/status_screen.md
+++ b/docs/status_screen.md
@@ -1,7 +1,7 @@
 # Understanding the status screen
 This document provides an overview of the status screen - plus tips for
-troubleshooting any warnings and red text shown in the UI. See README for
+troubleshooting any warnings and red text shown in the UI. See README.md for
 the general instruction manual.
 ## A note about colors
diff --git a/docs/technical_details.md b/docs/technical_details.md
index d53b30e3..996bf162 100644
--- a/docs/technical_details.md
+++ b/docs/technical_details.md
@@ -1,7 +1,7 @@
 # Technical "whitepaper" for afl-fuzz
 This document provides a quick overview of the guts of American Fuzzy Lop.
-See README for the general instruction manual; and for a discussion of
+See README.md for the general instruction manual; and for a discussion of
 motivations and design goals behind AFL, see historical_notes.md.
 ## 0. Design statement
@@ -542,4 +542,4 @@ It uses the following classification scheme:
 takes place.
 - "Magic value section" - a generic token where changes cause the type of binary behavior outlined earlier, but that doesn't meet any of the
- other criteria. May be an atomically compared keyword or so.
\ No newline at end of file
+ other criteria. May be an atomically compared keyword or so.
diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c
index 1831f935..356d0b6d 100644
--- a/gcc_plugin/afl-gcc-rt.o.c
+++ b/gcc_plugin/afl-gcc-rt.o.c
@@ -214,7 +214,7 @@ static void __afl_start_forkserver(void) {
 }
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in README.md. */
 int __afl_persistent_loop(unsigned int max_cnt) {
diff --git a/libdislocator/README.md b/libdislocator/README.md
index 4a11c138..873d8806 100644
--- a/libdislocator/README.md
+++ b/libdislocator/README.md
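Review bot: The rewritten comment above `__afl_persistent_loop` in gcc_plugin/afl-gcc-rt.o.c now points at a bare `README.md`, which from that directory reads as gcc_plugin/README.md, while the identical sentence is changed to `llvm_mode/README.md` in llvm_mode/afl-llvm-rt.o.c and qemu_mode/patches/afl-qemu-cpu-inl.h in the same commit. Three copies of one comment naming different files invite a dangling reference once only one of those READMEs actually describes the persistent-mode loop; I cannot tell from this diff which one does. Suggest `/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */` here for consistency, or `gcc_plugin/README.md` if that file carries its own persistent-mode section. The body of __afl_persistent_loop continues outside the hunk.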
@@ -1,6 +1,6 @@
 # libdislocator, an abusive allocator
- (See ../docs/README for the general instruction manual.)
+ (See ../docs/README.md for the general instruction manual.)
 This is a companion library that can be used as a drop-in replacement for the libc allocator in the fuzzed binaries. It improves the odds of bumping into
diff --git a/libtokencap/README.md b/libtokencap/README.md
index 8aae38bf..0a3591eb 100644
--- a/libtokencap/README.md
+++ b/libtokencap/README.md
@@ -1,6 +1,6 @@
 # strcmp() / memcmp() token capture library
- (See ../docs/README for the general instruction manual.)
+ (See ../docs/README.md for the general instruction manual.)
 This companion library allows you to instrument `strcmp()`, `memcmp()`, and related functions to automatically extract syntax tokens passed to any of
diff --git a/llvm_mode/README.md b/llvm_mode/README.md
index ee6e51b5..e6c47c9c 100644
--- a/llvm_mode/README.md
+++ b/llvm_mode/README.md
@@ -2,7 +2,7 @@
 (See [../README](../README.md) for the general instruction manual.)
- (See [../gcc_plugin/README.gcc](../gcc_plugin/README.gcc.md) for the GCC-based instrumentation.)
+ (See [../gcc_plugin/README](../gcc_plugin/README.md) for the GCC-based instrumentation.)
 ## 1) Introduction
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 93b03bb2..b3561cb2 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -260,7 +260,7 @@ static void __afl_start_forkserver(void) {
 }
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
 int __afl_persistent_loop(unsigned int max_cnt) {
@@ -346,7 +346,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
 /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
 It remains non-operational in the traditional, plugin-backed LLVM mode.
- For more info about 'trace-pc-guard', see README.llvm.
+ For more info about 'trace-pc-guard', see llvm_mode/README.md.
 The first function (__sanitizer_cov_trace_pc_guard) is called back on every
 edge (as opposed to every basic block). */
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index 0759f4fb..71a3ada7 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@@ -1,6 +1,6 @@
 # High-performance binary-only instrumentation for afl-fuzz
- (See ../docs/README for the general instruction manual.)
+ (See ../docs/README.md for the general instruction manual.)
 ## 1) Introduction
@@ -60,7 +60,7 @@ binary on x86_64) use QEMU_LD_PREFIX.
 ## 3) Bonus feature #1: deferred initialization
-As for LLVM mode (refer to its README for mode details) QEMU mode supports
+As for LLVM mode (refer to its README.md for mode details) QEMU mode supports
 the deferred initialization.
 This can be enabled setting the environment variable AFL_ENTRYPOINT which allows
diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c
index ceb0a041..8e2c279b 100644
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@@ -15,7 +15,7 @@
 This Linux-only companion library allows you to instrument strcmp(), memcmp(),
 and related functions to get compare coverage.
- See README.compcov for more info.
+ See README.md for more info.
 */
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index d4ae4b8d..63869898 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -407,7 +407,7 @@ void afl_forkserver(CPUState *cpu) {
 }
-/* A simplified persistent mode handler, used as explained in README.llvm. */
+/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */
 void afl_persistent_loop(void) {
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 6816f6c8..3b91285c 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -798,7 +798,7 @@ static void usage(u8* argv0) {
 " -e - look for edge coverage only, ignore hit counts\n\n"
- "For additional tips, please consult %s/README.\n\n",
+ "For additional tips, please consult %s/README.md.\n\n",
 argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
diff --git a/src/afl-common.c b/src/afl-common.c
index 330b1497..0f8094be 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -163,7 +163,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 SAYF("\n" cLRD "[-] " cRST
 "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
 "built\n"
- " separately by following the instructions in qemu_mode/README.qemu. "
+ " separately by following the instructions in qemu_mode/README.md. "
 "If you\n"
 " already have the binary installed, you may need to specify "
 "AFL_PATH in the\n"
@@ -259,7 +259,7 @@ char** get_wine_argv(u8* own_loc, char** argv, int argc) {
 SAYF("\n" cLRD "[-] " cRST
 "Oops, unable to find the '%s' binary. The binary must be "
 "built\n"
- " separately by following the instructions in qemu_mode/README.qemu. "
+ " separately by following the instructions in qemu_mode/README.md. "
 "If you\n"
 " already have the binary installed, you may need to specify "
 "AFL_PATH in the\n"
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 93ecfe99..1858fabd 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1980,11 +1980,11 @@ void check_binary(u8* fname) {
 "while\n"
 " mutating the input data. For more information, and for tips on "
 "how to\n"
- " instrument binaries, please see %s/README.\n\n"
+ " instrument binaries, please see %s/README.md.\n\n"
 " When source code is not available, you may be able to leverage "
 "QEMU\n"
- " mode support. Consult the README for tips on how to enable this.\n"
+ " mode support. Consult the README.md for tips on how to enable this.\n"
 " (It is also possible to use afl-fuzz as a traditional, \"dumb\" "
 "fuzzer.\n"
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 5fa737d7..cc895f74 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -112,7 +112,7 @@ static void usage(u8* argv0) {
 "entering the\n"
 " pacemaker mode (minutes of no new paths, 0 = "
 "immediately).\n"
- " a recommended value is 10-60. see docs/README.MOpt\n"
+ " a recommended value is 10-60. see docs/README.MOpt.md\n"
 " -c program - enable CmpLog by specifying a binary compiled for "
 "it.\n"
 " if using QEMU, just use -c 0.\n\n"
@@ -121,7 +121,7 @@ static void usage(u8* argv0) {
 " -N - do not unlink the fuzzing input file\n"
 " -d - quick & dirty mode (skips deterministic steps)\n"
 " -n - fuzz without instrumentation (dumb mode)\n"
- " -x dir - optional fuzzer dictionary (see README, its really "
+ " -x dir - optional fuzzer dictionary (see README.md, its really "
 "good!)\n\n"
 "Testing settings:\n"
@@ -1087,7 +1087,7 @@ stop_fuzzing:
 SAYF("\n" cYEL "[!] " cRST
 "Stopped during the first cycle, results may be incomplete.\n"
- " (For info on resuming, see %s/README)\n",
+ " (For info on resuming, see %s/README.md)\n",
 doc_path);
 }
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 5ea164f8..2f6a263f 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -647,7 +647,7 @@ static void usage(u8* argv0) {
 " -c - allow core dumps\n\n"
 "This tool displays raw tuple data captured by AFL instrumentation.\n"
- "For additional help, consult %s/README.\n\n" cRST,
+ "For additional help, consult %s/README.md.\n\n" cRST,
 argv0, MEM_LIMIT, doc_path);
-- cgit 1.4.1