From fa3c0d8a3756c1d80356690796877d94959f305c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 5 Feb 2022 10:36:37 +0100 Subject: change -y to -g/-G and add env var alternatives --- docs/env_variables.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 2a8fbcb7..f7ad4ff9 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -400,6 +400,10 @@ checks or alter some of the more exotic semantics of the tool: This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. + - Setting `AFL_INPUT_LEN_MIN` and `AFL_INPUT_LEN_MAX` are an alternative to + the afl-fuzz -g/-G command line option to control the minimum/maximum + of fuzzing input generated. + - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout. Unless you implement your own targets or instrumentation, you likely don't have to set it. By default, on timeout and on exit, `SIGKILL` -- cgit 1.4.1 From cf853fb2494912a1c4b531ffcf302843266639b7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 8 Feb 2022 20:15:48 +0100 Subject: reintroduce AFL_PERSISTENT and AFL_DEFER_FORKSRV --- docs/Changelog.md | 3 +++ docs/env_variables.md | 10 +++++++--- frida_mode/src/entry.c | 1 + src/afl-common.c | 22 ++++++++-------------- src/afl-fuzz-init.c | 10 ++++++++-- src/afl-fuzz-state.c | 8 ++++---- src/afl-fuzz.c | 24 ++---------------------- 7 files changed, 33 insertions(+), 45 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index bdb2dda3..142b85b3 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,6 +14,9 @@ sending a mail to . - afl-fuzz: - new commandline options -g/G to set min/max length of generated fuzz inputs + - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow + persistent mode and manual forkserver support if these are not + in the target binary (e.g. are in a shared library) - frida_mode: - update to new frida release, handles now c++ throw/catch diff --git a/docs/env_variables.md b/docs/env_variables.md index f7ad4ff9..06c08f31 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -532,9 +532,13 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core on Linux systems, but will not terminate if that fails. - - Outdated environment variables that are not supported anymore: - - `AFL_DEFER_FORKSRV` - - `AFL_PERSISTENT` + - The following environment variables are only needed if you implemented + your own forkserver or persistent mode, or if __AFL_LOOP or __AFL_INIT + are in a shared library and not the main binary: + - `AFL_DEFER_FORKSRV` enforces a deferred forkserver even if none was + detected in the target binary + - `AFL_PERSISTENT` enforces persistent mode even if none was detected + in the target binary ## 5) Settings for afl-qemu-trace diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 5d9bcaaf..05af7ebb 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -84,6 +84,7 @@ void entry_start(void) { stalker_trust(); } + if (entry_point == 0) { entry_launch(); } } diff --git a/src/afl-common.c b/src/afl-common.c index e684302a..7c074acc 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -63,8 +63,7 @@ u32 check_binary_signatures(u8 *fn) { if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); } close(fd); - if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1) || - getenv(PERSIST_ENV_VAR)) { + if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); } setenv(PERSIST_ENV_VAR, "1", 1); @@ -72,11 +71,9 @@ u32 check_binary_signatures(u8 *fn) { } else if (getenv("AFL_PERSISTENT")) { - if (!be_quiet) { - - WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); - - } + if (!be_quiet) { OKF(cPIN "Persistent mode enforced."); } + setenv(PERSIST_ENV_VAR, "1", 1); + ret = 1; } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) { @@ -91,8 +88,7 @@ u32 check_binary_signatures(u8 *fn) { } - if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1) || - getenv(DEFER_ENV_VAR)) { + if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); } setenv(DEFER_ENV_VAR, "1", 1); @@ -100,11 +96,9 @@ u32 check_binary_signatures(u8 *fn) { } else if (getenv("AFL_DEFER_FORKSRV")) { - if (!be_quiet) { - - WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); - - } + if (!be_quiet) { OKF(cPIN "Deferred forkserver enforced."); } + setenv(DEFER_ENV_VAR, "1", 1); + ret += 2; } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 45f28d4b..05a654c8 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2822,7 +2822,11 @@ void check_binary(afl_state_t *afl, u8 *fname) { } else if (getenv("AFL_PERSISTENT")) { - WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + OKF(cPIN "Persistent mode enforced."); + setenv(PERSIST_ENV_VAR, "1", 1); + afl->persistent_mode = 1; + afl->fsrv.persistent_mode = 1; + afl->shmem_testcase_mode = 1; } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) { @@ -2843,7 +2847,9 @@ void check_binary(afl_state_t *afl, u8 *fname) { } else if (getenv("AFL_DEFER_FORKSRV")) { - WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + OKF(cPIN "Deferred forkserver enforced."); + setenv(DEFER_ENV_VAR, "1", 1); + afl->deferred_mode = 1; } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 115e62de..129e4c8b 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -486,15 +486,15 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->min_length = atoi( - (u8 *)get_afl_env(afl_environment_variables[i])); + afl->min_length = + atoi((u8 *)get_afl_env(afl_environment_variables[i])); } else if (!strncmp(env, "AFL_INPUT_LEN_MAX", afl_environment_variable_len)) { - afl->max_length = atoi( - (u8 *)get_afl_env(afl_environment_variables[i])); + afl->max_length = + atoi((u8 *)get_afl_env(afl_environment_variables[i])); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7e3b3c94..c923cc9d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -294,8 +294,8 @@ static void usage(u8 *argv0, int more_help) { " 'signalfx' and 'influxdb'\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" - //"AFL_PERSISTENT: not supported anymore -> no effect, just a warning\n" - //"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n" + "AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib\n" + "AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a .so\n" "\n" ); @@ -1920,26 +1920,6 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); - if (getenv(PERSIST_ENV_VAR) && !afl->persistent_mode) { - - WARNF( - "Persistent mode environment variable detected, forcing persistent " - "mode!"); - afl->persistent_mode = 1; - afl->fsrv.persistent_mode = 1; - afl->shmem_testcase_mode = 1; - - } - - if (getenv(DEFER_ENV_VAR) && !afl->deferred_mode) { - - WARNF( - "Deferred forkserver mode environment variable detected, forcing " - "deferred forkserver!"); - afl->deferred_mode = 1; - - } - #ifdef AFL_PERSISTENT_RECORD if (unlikely(afl->fsrv.persistent_record)) { -- cgit 1.4.1 From 056ebbff15bb6ebef6664776dee05217cebdc7fe Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 8 Feb 2022 20:36:06 +0100 Subject: add AFL_EARLY_FORKSERVER support --- docs/Changelog.md | 3 +++ docs/env_variables.md | 4 ++++ include/envs.h | 1 + instrumentation/afl-compiler-rt.o.c | 14 ++++++++++++++ src/afl-fuzz.c | 2 ++ 5 files changed, 24 insertions(+) (limited to 'docs/env_variables.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 142b85b3..f4ae0e43 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,9 @@ sending a mail to . - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent mode and manual forkserver support if these are not in the target binary (e.g. are in a shared library) + - add AFL_EARY_FORKSERVER to install the forkserver as earliest as + possible in the target (for afl-gcc-fast/afl-clang-fast/ + afl-clang-lto) - frida_mode: - update to new frida release, handles now c++ throw/catch diff --git a/docs/env_variables.md b/docs/env_variables.md index 06c08f31..4fa3f051 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -540,6 +540,10 @@ checks or alter some of the more exotic semantics of the tool: - `AFL_PERSISTENT` enforces persistent mode even if none was detected in the target binary + - If you need an early forkserver in your target because of early + constructors in your target you can set `AFL_EARLY_FORKSERVER`. + Note that is is not a compile time option but a runtime option :-) + ## 5) Settings for afl-qemu-trace The QEMU wrapper used to instrument binary-only code supports several settings: diff --git a/include/envs.h b/include/envs.h index 538ea3a8..f4327d8c 100644 --- a/include/envs.h +++ b/include/envs.h @@ -47,6 +47,7 @@ static char *afl_environment_variables[] = { "AFL_DONT_OPTIMIZE", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV", + "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME", diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 9a12831e..db7ac7b0 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -68,6 +68,7 @@ #endif #define CTOR_PRIO 3 +#define EARLY_FS_PRIO 5 #include #include @@ -145,6 +146,7 @@ u32 __afl_already_initialized_shm; u32 __afl_already_initialized_forkserver; u32 __afl_already_initialized_first; u32 __afl_already_initialized_second; +u32 __afl_already_initialized_init; /* Dummy pipe for area_is_valid() */ @@ -1253,6 +1255,8 @@ void __afl_manual_init(void) { __attribute__((constructor())) void __afl_auto_init(void) { + if (__afl_already_initialized_init) { return; } + #ifdef __ANDROID__ // Disable handlers in linker/debuggerd, check include/debuggerd/handler.h signal(SIGABRT, SIG_DFL); @@ -1265,6 +1269,8 @@ __attribute__((constructor())) void __afl_auto_init(void) { signal(SIGTRAP, SIG_DFL); #endif + __afl_already_initialized_init = 1; + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; if (getenv(DEFER_ENV_VAR)) return; @@ -1273,6 +1279,14 @@ __attribute__((constructor())) void __afl_auto_init(void) { } +/* Optionally run an early forkserver */ + +__attribute__((constructor(EARLY_FS_PRIO))) void __early_forkserver(void) { + + if (getenv("AFL_EARLY_FORKSERVER")) { __afl_auto_init(); } + +} + /* Initialization of the shmem - earliest possible because of LTO fixed mem. */ __attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c923cc9d..c73ab38b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -294,6 +294,8 @@ static void usage(u8 *argv0, int more_help) { " 'signalfx' and 'influxdb'\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" + "AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n" + " afl-clang-lto/afl-gcc-fast target\n" "AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib\n" "AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a .so\n" "\n" -- cgit 1.4.1 From de7058b75b629011246be12b4ae7df1e504925b1 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 10 Feb 2022 10:40:11 +0100 Subject: typo --- docs/env_variables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 4fa3f051..4626a9b6 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -542,7 +542,7 @@ checks or alter some of the more exotic semantics of the tool: - If you need an early forkserver in your target because of early constructors in your target you can set `AFL_EARLY_FORKSERVER`. - Note that is is not a compile time option but a runtime option :-) + Note that this is not a compile time option but a runtime option :-) ## 5) Settings for afl-qemu-trace -- cgit 1.4.1