From 79a69b14efd9cd3befceeddcc844a42bdbfdb47c Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 8 Aug 2022 15:30:48 +0200
Subject: 4.03a
---
docs/Changelog.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 957f6206..ec517104 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -8,6 +8,10 @@
Want to stay in the loop on major new features? Join our mailing list by
sending a mail to .
+### Version ++4.03a (dev)
+ - ... your PR? :)
+
+
### Version ++4.02c (release)
- afl-cc:
- important fix for the default pcguard mode when LLVM IR vector
@@ -22,7 +26,6 @@ sending a mail to .
- change post_process hook to allow returning NULL and 0 length to
tell afl-fuzz to skip this mutated input
-
### Version ++4.01c (release)
- fixed */build_...sh scripts to work outside of git
- new custom_mutator: libafl with token fuzzing :)
--
From 3200e6515b9cc988d0d8dccd27257baccc8df021 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 14 Aug 2022 12:24:42 +0200
Subject: add AFL_NO_STARTUP_CALIBRATION feature
---
docs/Changelog.md | 9 ++++++++-
docs/env_variables.md | 3 +++
docs/fuzzing_in_depth.md | 7 +++++++
include/afl-fuzz.h | 4 +++-
include/envs.h | 1 +
src/afl-fuzz-init.c | 24 ++++++++++++++++++++++++
src/afl-fuzz-queue.c | 10 ++++++++--
src/afl-fuzz-state.c | 7 +++++++
src/afl-fuzz.c | 13 ++++++++++++-
9 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index ec517104..f5847ade 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,7 +9,14 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to .
### Version ++4.03a (dev)
- - ... your PR? :)
+ - afl-fuzz:
+ - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
+ of calibrating all initial seeds first. Good for large queues
+ and long execution times, especially in CIs.
+ - qemu_mode:
+ - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
+ edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
+ worksbutnottested!
### Version ++4.02c (release)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 00948fc1..bb54357b 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -462,6 +462,9 @@ checks or alter some of the more exotic semantics of the tool:
some basic stats. This behavior is also automatically triggered when the
output from afl-fuzz is redirected to a file or to a pipe.
+ - Setting `AFL_NO_STARTUP_CALIBRATION` will skip the initial calibration
+ of all starting seeds, and start fuzzing at once.
+
- In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for
afl-qemu-trace and afl-frida-trace.so.
diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md
index 37889137..92c9910b 100644
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@@ -626,6 +626,9 @@ from other fuzzers in the campaign first.
If you have a large corpus, a corpus from a previous run or are fuzzing in a CI,
then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
+If the queue in the CI is huge and/or the execution time is slow then you can
+also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
+phase and start fuzzing at once.
You can also use different fuzzers. If you are using AFL spinoffs or AFL
conforming fuzzers, then just use the same -o directory and give it a unique
@@ -902,6 +905,10 @@ complex file formats.
Some notes on continuous integration (CI) fuzzing - this fuzzing is different to
normal fuzzing campaigns as these are much shorter runnings.
+If the queue in the CI is huge and/or the execution time is slow then you can
+also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
+phase and start fuzzing at once.
+
1. Always:
* LTO has a much longer compile time which is diametrical to short fuzzing -
hence use afl-clang-fast instead.
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 061076ed..822096e8 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -386,7 +386,8 @@ typedef struct afl_env_vars {
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
- afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme;
+ afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme,
+ afl_no_startup_calibration;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
@@ -1122,6 +1123,7 @@ void bind_to_free_cpu(afl_state_t *);
void setup_post(afl_state_t *);
void read_testcases(afl_state_t *, u8 *);
void perform_dry_run(afl_state_t *);
+void no_dry_run(afl_state_t *);
void pivot_inputs(afl_state_t *);
u32 find_start_position(afl_state_t *);
void find_timeout(afl_state_t *);
diff --git a/include/envs.h b/include/envs.h
index 02bd2ece..2204a100 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -165,6 +165,7 @@ static char *afl_environment_variables[] = {
"AFL_NO_FORKSRV",
"AFL_NO_UI",
"AFL_NO_PYTHON",
+ "AFL_NO_STARTUP_CALIBRATION",
"AFL_UNTRACER_FILE",
"AFL_LLVM_USE_TRACE_PC",
"AFL_MAP_SIZE",
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 4ffcfd2b..32e2b7b8 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -850,6 +850,30 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
}
+/* In case no initial calibration is to be performed (e.g. huge queue and slow
+execution time), then setting AFL_NO_STARTUP_CALIBRATION will help getting
+initial data. For this to succeed, non-calibrated corpus entries have to look
+especially juicy so they are more likely to be selected then a calibrated good
+looking one. */
+
+void no_dry_run(afl_state_t *afl) {
+
+ struct queue_entry *q;
+ u32 idx;
+
+ for (idx = 0; idx < afl->queued_items; idx++) {
+
+ q = afl->queue_buf[idx];
+ if (unlikely(!q || q->disabled)) { continue; }
+
+ q->exec_us = 1;
+ q->bitmap_size = MAP_SIZE;
+ q->tc_ref = MAP_SIZE;
+
+ }
+
+}
+
/* Perform dry run of all test cases to confirm that the app is working as
expected. This is done only for the initial inputs, and only once. */
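Review bot: The values written in no_dry_run's loop (`q->exec_us = 1`, `q->bitmap_size = MAP_SIZE`, `q->tc_ref = MAP_SIZE`) are sentinels rather than measurements, but the code does not say so and nothing in this hunk marks the entry as uncalibrated, so a later reader can mistake them for real data; add `/* sentinels, not measurements: fastest exec and fullest bitmap so the seed is scheduled before calibrated ones */` on the assignments. Whether the compile-time `MAP_SIZE` is the right magnitude when the target reports a larger runtime map size is not visible here; if a runtime map-size field exists it would be the safer choice. The header comment also has a typo: `then a calibrated good` should read `than a calibrated good`.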
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 02d697ab..d8dbdfbe 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -795,8 +795,14 @@ void cull_queue(afl_state_t *afl) {
u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
- u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles;
- u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries;
+ u32 cal_cycles = afl->total_cal_cycles;
+ u32 bitmap_entries = afl->total_bitmap_entries;
+
+ if (unlikely(!cal_cycles)) { cal_cycles = 1; }
+ if (unlikely(!bitmap_entries)) { bitmap_entries = 1; }
+
+ u32 avg_exec_us = afl->total_cal_us / cal_cycles;
+ u32 avg_bitmap_size = afl->total_bitmap_size / bitmap_entries;
u32 perf_score = 100;
/* Adjust score based on execution speed of this path, compared to the
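Review bot: The divisors are copied into `u32` locals (`u32 cal_cycles = afl->total_cal_cycles;`) before the zero check; if those counters are wider than 32 bits (their declarations are outside this hunk) a large value is truncated, possibly to 0, which the guard then silently replaces with 1 and the averages become meaningless. Declaring the locals with the fields' own type, e.g. `u64 cal_cycles = afl->total_cal_cycles;`, keeps the guard without the truncation. A one-line comment on why zero is now reachable would help the next reader: `/* no seed has been calibrated yet when AFL_NO_STARTUP_CALIBRATION is set */`. calculate_score continues outside the hunk.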
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index ddfd4b31..6770839a 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -265,6 +265,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_cmplog_only_new =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+ } else if (!strncmp(env, "AFL_NO_STARTUP_CALIBRATION",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_no_startup_calibration =
+ get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
} else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
afl->afl_env.afl_no_ui =
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2e151abb..e3851473 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -273,6 +273,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
"AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n"
"AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n"
+ "AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once\n"
"AFL_NO_UI: switch status screen off\n"
DYN_COLOR
@@ -2150,7 +2151,17 @@ int main(int argc, char **argv_orig, char **envp) {
memset(afl->virgin_tmout, 255, map_size);
memset(afl->virgin_crash, 255, map_size);
- perform_dry_run(afl);
+ if (likely(!afl->afl_env.afl_no_startup_calibration)) {
+
+ perform_dry_run(afl);
+
+ } else {
+
+ ACTF("skipping initial seed calibration due option override");
+ usleep(1000);
+ no_dry_run(afl);
+
+ }
if (afl->q_testcase_max_cache_entries) {
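Review bot: The log line `ACTF("skipping initial seed calibration due option override");` is ungrammatical and does not name the setting that caused it; `ACTF("skipping initial seed calibration (AFL_NO_STARTUP_CALIBRATION is set)");` tells the operator what to look for. The `usleep(1000)` before `no_dry_run(afl)` has no visible purpose and should either get a comment or go. Since the dry run presumably also exercises each seed against the target before fuzzing starts, the else branch deserves a comment stating that seeds are taken as-is and any problem with them will only surface once they are scheduled. main continues outside the hunk.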
--
From 1a3b463c4cceabc38b7de83f67813e841153b536 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 14 Aug 2022 12:55:04 +0200
Subject: add build report
---
GNUmakefile | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
TODO.md | 2 --
docs/Changelog.md | 1 +
3 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index a64d511f..70299fc3 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -309,6 +309,17 @@ endif
.PHONY: all
all: test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
-$(MAKE) -C utils/aflpp_driver
+ @echo
+ @echo
+ @echo Build Summary:
+ @test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
+ @test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+ @test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+ @test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
+ifneq "$(SYS)" "Darwin"
+ @test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
+endif
+ @echo
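Review bot: The three LLVM failure messages in this build summary say `could not be build`; it should read `could not be built`, matching the afl-fuzz and gcc_mode lines. The same three strings are repeated in the summary of the third hunk of this file (the one before the `%.8` rule). Keeping one copy of each message in a make variable would avoid having to fix it in every target.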
.PHONY: llvm
llvm:
@@ -674,6 +685,31 @@ endif
-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
endif
endif
+ @echo
+ @echo
+ @echo Build Summary:
+ @test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
+ifneq "$(SYS)" "Darwin"
+ifeq "$(ARCH)" "aarch64"
+ ifndef NO_CORESIGHT
+ @test -e afl-cs-proxy && echo "[+] coresight_mode successfully built" || echo "[-] coresight_mode could not be built, it is optional and experimental, see coresight_mode/README.md for what is needed"
+ endif
+endif
+ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
+ @test -e libnyx.so && echo "[+] nyx_mode successfully built" || echo "[-] nyx_mode could not be built, it is optional, see nyx_mode/README.md for what is needed"
+endif
+endif
+ @test -e afl-qemu-trace && echo "[+] qemu_mode successfully built" || echo "[-] qemu_mode could not be built, see docs/INSTALL.md for what is needed"
+ ifeq "$(ARCH)" "aarch64"
+ ifndef NO_UNICORN_ARM64
+ @test -e unicorn_mode/unicornafl/build_python/libunicornafl.so && echo "[+] unicorn_mode successfully built" || echo "[-] unicorn_mode could not be built, it is optional, see unicorn_mode/README.md for what is needed"
+ endif
+ else
+ @test -e unicorn_mode/unicornafl/build_python/libunicornafl.so && echo "[+] unicorn_mode successfully built" || echo "[-] unicorn_mode could not be built, it is optional, see unicorn_mode/README.md for what is needed"
+ endif
+endif
+ @echo
.PHONY: source-only
source-only: all
@@ -689,6 +725,22 @@ ifndef NO_NYX
-cd nyx_mode && ./build_nyx_support.sh
endif
endif
+ @echo
+ @echo
+ @echo Build Summary:
+ @test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
+ @test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+ @test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+ @test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
+ifneq "$(SYS)" "Darwin"
+ test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
+endif
+ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
+ @test -e libnyx.so && echo "[+] nyx_mode successfully built" || echo "[-] nyx_mode could not be built, it is optional, see nyx_mode/README.md for what is needed"
+endif
+endif
+ @echo
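Review bot: The gcc_mode check on the line `test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || ...` lacks the leading `@` that every other line in the summary has, so make will print the whole command before its output and spoil the summary. Prefix it with `@` as in the first hunk's version of the same check.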
%.8: %
@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
diff --git a/TODO.md b/TODO.md
index 93f22da4..99d2c419 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,8 +2,6 @@
## Should
- - env var to start fuzzing at once instead of calibrating everything first
- - makefiles should show provide a build summary success/failure
- better documentation for custom mutators
- better autodetection of shifting runtime timeout values
- Update afl->pending_not_fuzzed for MOpt
diff --git a/docs/Changelog.md b/docs/Changelog.md
index f5847ade..2ce1d85c 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,6 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to .
### Version ++4.03a (dev)
+ - Building now gives a build summary what succeeded and what not
- afl-fuzz:
- added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
of calibrating all initial seeds first. Good for large queues
--
From 4e980713851c522436b6a6813f27dd95dd4e5fae Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 14 Aug 2022 14:40:26 +0200
Subject: better handling of -fsanitize=..,...,.. lists
---
docs/Changelog.md | 2 +
src/afl-cc.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 98 insertions(+), 13 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 2ce1d85c..d07cef54 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -14,6 +14,8 @@ sending a mail to .
- added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
of calibrating all initial seeds first. Good for large queues
and long execution times, especially in CIs.
+ - afl-cc:
+ - better handling of -fsanitize=..,...,.. lists
- qemu_mode:
- added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 6def3ee7..cae6d949 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -51,7 +51,7 @@ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 clang_mode; /* Invoked as afl-clang*? */
static u8 llvm_fullpath[PATH_MAX];
static u8 instrument_mode, instrument_opt_mode, ngram_size, ctx_k, lto_mode;
-static u8 compiler_mode, plusplus_mode, have_instr_env = 0;
+static u8 compiler_mode, plusplus_mode, have_instr_env = 0, need_aflpplib = 0;
static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0;
static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull;
static u8 debug;
@@ -310,6 +310,69 @@ static u8 *find_object(u8 *obj, u8 *argv0) {
}
+void parse_fsanitize(char *string) {
+
+ char *p, *ptr = string + strlen("-fsanitize=");
+ char *new = malloc(strlen(string) + 1);
+ char *tmp = malloc(strlen(ptr));
+ u32 count = 0, len, ende = 0;
+ strcpy(new, "-fsanitize=");
+
+ do {
+
+ p = strchr(ptr, ',');
+ if (!p) {
+
+ p = ptr + strlen(ptr) + 1;
+ ende = 1;
+
+ }
+
+ len = p - ptr;
+ if (len) {
+
+ strncpy(tmp, ptr, len);
+ tmp[len] = 0;
+ // fprintf(stderr, "Found: %s\n", tmp);
+ ptr += len + 1;
+ if (*tmp) {
+
+ u32 copy = 1;
+ if (!strcmp(tmp, "fuzzer")) {
+
+ need_aflpplib = 1;
+ copy = 0;
+
+ } else if (!strncmp(tmp, "fuzzer", 6)) {
+
+ copy = 0;
+
+ }
+
+ if (copy) {
+
+ if (count) { strcat(new, ","); }
+ strcat(new, tmp);
+ ++count;
+
+ }
+
+ }
+
+ } else {
+
+ ptr++; /*fprintf(stderr, "NO!\n"); */
+
+ }
+
+ } while (!ende);
+
+ strcpy(string, new);
+ // fprintf(stderr, "string: %s\n", string);
+ // fprintf(stderr, "new: %s\n", new);
+
+}
+
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char **argv, char **envp) {
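Review bot: `char *tmp = malloc(strlen(ptr));` is too small for the last element: when no further comma is found `p` is set one past the terminator, so `len` becomes `strlen(ptr) + 1` and `tmp[len] = 0` writes past the allocation — for `-fsanitize=,address` the buffer is 8 bytes and index 8 is written, a heap overflow on compiler-driver input. Sizing it from the whole argument, `char *tmp = malloc(strlen(string) + 1);`, fixes this; both `new` and `tmp` are also never freed, so add `free(tmp); free(new);` before the function returns, and the two `malloc` results are not checked for NULL. The `ptr += len + 1` on the last element also computes a pointer two past the end of the string, which is undefined even though it is not dereferenced afterwards. The commented-out `fprintf` lines should be removed rather than left in.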
@@ -779,20 +842,35 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
- if ((!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) ||
- !strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) &&
- (strncmp(cur, "sanitize-coverage-allow",
- strlen("sanitize-coverage-allow")) &&
- strncmp(cur, "sanitize-coverage-deny",
- strlen("sanitize-coverage-deny")) &&
- instrument_mode != INSTRUMENT_LLVMNATIVE)) {
+ if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) {
+
+ have_instr_list = 1;
+
+ }
+
+ if (!strncmp(cur, "-fsanitize=", strlen("-fsanitize=")) &&
+ strchr(cur, ',')) {
+
+ parse_fsanitize(cur);
+ if (!cur || strlen(cur) <= strlen("-fsanitize=")) { continue; }
+
+ } else if ((!strncmp(cur, "-fsanitize=fuzzer-",
+
+ strlen("-fsanitize=fuzzer-")) ||
+ !strncmp(cur, "-fsanitize-coverage",
+ strlen("-fsanitize-coverage"))) &&
+ (strncmp(cur, "sanitize-coverage-allow",
+ strlen("sanitize-coverage-allow")) &&
+ strncmp(cur, "sanitize-coverage-deny",
+ strlen("sanitize-coverage-deny")) &&
+ instrument_mode != INSTRUMENT_LLVMNATIVE)) {
if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); }
continue;
}
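Review bot: When parse_fsanitize strips every element, e.g. `-fsanitize=fuzzer,fuzzer-no-link`, the `continue` at `if (!cur || strlen(cur) <= strlen("-fsanitize=")) { continue; }` skips the libAFLDriver branch below while `need_aflpplib` is still set, so the driver is only linked if another argument follows and is never linked when this was the last argument; `!cur` is also dead since `cur` was just dereferenced. Either consume the flag on that path before continuing or check `need_aflpplib` once more after the argument loop. Elements starting with `fuzzer-` are now dropped silently by parse_fsanitize, whereas the else branch still reports them with `WARNF("Found '%s' - stripping!", cur);`; emitting the same warning from the list path keeps the behavior consistent. edit_params starts and ends outside the hunk.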
- if (!strcmp(cur, "-fsanitize=fuzzer")) {
+ if (need_aflpplib || !strcmp(cur, "-fsanitize=fuzzer")) {
u8 *afllib = find_object("libAFLDriver.a", argv[0]);
@@ -823,7 +901,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
- continue;
+ if (need_aflpplib) {
+
+ need_aflpplib = 0;
+
+ } else {
+
+ continue;
+
+ }
}
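Review bot: The reset of `need_aflpplib` here is the only place that documents the hand-off from parse_fsanitize, and the reason the `continue` is skipped in that case is not stated; add `/* set by parse_fsanitize() when "fuzzer" was removed from a -fsanitize list: the trimmed list in cur still has to be emitted, so do not skip it */` above the `if`. Passing state between the two functions through a file-scope flag is fragile; returning it from parse_fsanitize would make the dependency explicit.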
@@ -831,9 +917,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
if (!strcmp(cur, "-m64")) bit_mode = 64;
- if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
- have_instr_list = 1;
-
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
asan_set = 1;
--
From ba14c353c07d19ad37916947708a9c26537c6d62 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 15 Aug 2022 18:31:45 +0200
Subject: get map size from binaries within afl-cmin*
---
afl-cmin | 17 +++++++++++++----
afl-cmin.bash | 6 ++++++
docs/Changelog.md | 2 ++
instrumentation/afl-compiler-rt.o.c | 18 +++++++++++++++++-
4 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/afl-cmin b/afl-cmin
index 51835648..44716af1 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -291,6 +291,15 @@ BEGIN {
target_bin = tnew
}
+ get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
+ get_map_size | getline mapsize
+ if (mapsize && mapsize > 65535) {
+
+ AFL_MAP_SIZE = "AFL_MAP_SIZE="mapsize" "
+ print "[+] Setting "AFL_MAP_SIZE
+
+ }
+
if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) {
if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
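Review bot: `get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin` runs the target with an unquoted path and the script's own stdin, so a path containing spaces or shell metacharacters breaks or is reinterpreted, and a target that does not honor the variable (it is only acted on by the AFL++ runtime, and this runs even in the qemu/frida/unicorn modes that the instrumentation check below skips) executes for real and may block reading the terminal. Quote the path and redirect, `get_map_size = "AFL_DUMP_MAP_SIZE=1 \"" target_bin "\" </dev/null 2>/dev/null"`, and add `close(get_map_size)` after the getline so the pipe is not left open. The `mapsize > 65535` comparison relies on getline yielding a numeric string; a comment saying that only sizes above the default map size need exporting would explain the threshold.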
@@ -399,10 +408,10 @@ BEGIN {
print "[*] Testing the target binary..."
if (!stdin_file) {
- system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+ system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
} else {
system("cp \""in_dir"/"first_file"\" "stdin_file)
- system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" /dev/null`
+test -n "$MAPSIZE" && {
+ export AFL_MAP_SIZE=$MAPSIZE
+ echo "[+] Setting AFL_MAP_SIZE=$MAPSIZE"
+}
+
if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$FRIDA_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d07cef54..c5934c4a 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,6 +16,8 @@ sending a mail to .
and long execution times, especially in CIs.
- afl-cc:
- better handling of -fsanitize=..,...,.. lists
+ - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
+ note that this will exit the target before main()
- qemu_mode:
- added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 97974c4a..1759898e 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -288,11 +288,18 @@ static void __afl_map_shm(void) {
__afl_map_size = ++__afl_final_loc; // as we count starting 0
+ if (getenv("AFL_DUMP_MAP_SIZE")) {
+
+ printf("%u\n", __afl_map_size);
+ exit(-1);
+
+ }
+
if (__afl_final_loc > MAP_SIZE) {
char *ptr;
u32 val = 0;
- if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr);
+ if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
if (val < __afl_final_loc) {
if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) {
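Review bot: `exit(-1)` after `printf("%u\n", __afl_map_size);` yields exit status 255, so a caller cannot distinguish a successful dump from a failed run; if a non-zero status is intended to mark "did not run main", say so in a comment, otherwise `exit(0)` is easier for scripts to consume. The same dump-and-exit block is duplicated in the next hunk for the `MAP_SIZE` default; a small static helper would keep both in sync. Since this lives in the runtime linked into every instrumented binary, a comment such as `/* AFL_DUMP_MAP_SIZE: print the map size this build needs and terminate before main() runs */` should state the effect. __afl_map_shm continues outside the hunk.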
@@ -325,6 +332,15 @@ static void __afl_map_shm(void) {
}
+ } else {
+
+ if (getenv("AFL_DUMP_MAP_SIZE")) {
+
+ printf("%u\n", MAP_SIZE);
+ exit(-1);
+
+ }
+
}
if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) {
--
From 843ef46b2128f95b5820a0fe89c7ae57f6fcf65b Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 16 Aug 2022 10:05:52 +0200
Subject: fix docs
---
docs/FAQ.md | 15 +++++++++++++++
docs/INSTALL.md | 4 ++--
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 1822e46b..4a9080f8 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -255,3 +255,18 @@ If you find an interesting or important question missing, submit it via
Solution: `git pull ; make clean install` of AFL++.
+
+
+ AFL++ map size warning.
+
+ When you run a large instrumented program stand-alone or via afl-showmap
+ you might see a warning like the following:
+
+ ```
+ Warning: AFL++ tools might need to set AFL_MAP_SIZE to 223723 to be able to run this instrumented program if this crashes!
+ ```
+
+ Depending how the target works it might also crash afterwards.
+
+ Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`.
+
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 4f2b7174..86ba916f 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -21,8 +21,8 @@ development state of AFL++.
If you want to build AFL++ yourself, you have many options. The easiest choice
is to build and install everything:
-NOTE: depending on your Debian/Ubuntu/Kali/... version release `-12` with
-whatever llvm version is available!
+NOTE: depending on your Debian/Ubuntu/Kali/... release, replace `-12` with
+whatever llvm version is available. We recommend llvm 12, 13 or 14.
```shell
sudo apt-get update
--
From 7b2145b914ba3c8443437c68ae29458d832b1e35 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 19 Aug 2022 09:16:17 +0200
Subject: shorter calibration
---
docs/Changelog.md | 2 ++
include/config.h | 5 +++--
src/afl-fuzz-run.c | 2 +-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index c5934c4a..e4c59978 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -14,6 +14,8 @@ sending a mail to .
- added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
of calibrating all initial seeds first. Good for large queues
and long execution times, especially in CIs.
+ - default calibration cycles set to 7 from 8, and only add 5 cycles
+ to variables queue items instead of 12.
- afl-cc:
- better handling of -fsanitize=..,...,.. lists
- obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
diff --git a/include/config.h b/include/config.h
index 1689e034..1262668a 100644
--- a/include/config.h
+++ b/include/config.h
@@ -153,8 +153,9 @@
/* Number of calibration cycles per every new test case (and for test
cases that show variable behavior): */
-#define CAL_CYCLES 8U
-#define CAL_CYCLES_LONG 20U
+#define CAL_CYCLES_FAST 3U
+#define CAL_CYCLES 7U
+#define CAL_CYCLES_LONG 12U
/* Number of subsequent timeouts before abandoning an input file: */
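Review bot: `CAL_CYCLES_FAST` is introduced without documentation while the comment above only describes the per-test-case and variable-behavior counts; add `/* Number of calibration cycles when AFL_FAST_CAL is set: */` above its define. The changelog phrases the second change as "only add 5 cycles to variable items", which is `CAL_CYCLES_LONG - CAL_CYCLES` here; a comment on `CAL_CYCLES_LONG` such as `/* total cycles for variable-behavior cases, i.e. CAL_CYCLES plus 5 extra */` makes that relation explicit so the two values are not tuned independently.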
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index c0e72ae6..ee4a3298 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -363,7 +363,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
++q->cal_failed;
afl->stage_name = "calibration";
- afl->stage_max = afl->afl_env.afl_cal_fast ? 3 : CAL_CYCLES;
+ afl->stage_max = afl->afl_env.afl_cal_fast ? CAL_CYCLES_FAST : CAL_CYCLES;
/* Make sure the forkserver is up before we do anything, and let's not
count its spin-up time toward binary calibration. */
--
From 88ff8aa81e41717abb3d72f8714fdc38591b81a7 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 25 Aug 2022 08:47:30 +0200
Subject: fix gcc_mode cmplog
---
docs/Changelog.md | 1 +
src/afl-cc.c | 7 ++-----
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index e4c59978..842b727b 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -18,6 +18,7 @@ sending a mail to .
to variables queue items instead of 12.
- afl-cc:
- better handling of -fsanitize=..,...,.. lists
+ - fix gcc_mode cmplog
- obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
note that this will exit the target before main()
- qemu_mode:
diff --git a/src/afl-cc.c b/src/afl-cc.c
index ffd15476..c0449e64 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -498,13 +498,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-fplugin=%s/afl-gcc-cmptrs-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg;
- } else {
-
- fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
- cc_params[cc_par_cnt++] = fplugin_arg;
-
}
+ fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
+ cc_params[cc_par_cnt++] = fplugin_arg;
cc_params[cc_par_cnt++] = "-fno-if-conversion";
cc_params[cc_par_cnt++] = "-fno-if-conversion2";
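Review bot: `afl-gcc-pass.so` is now appended unconditionally after the conditional `afl-gcc-cmptrs-pass.so`, which is the fix, but nothing records that both plugins are needed together or that the cmptrs pass must come first; a comment such as `/* the instrumentation pass is always required; the cmptrs (cmplog) pass above is an addition, not a replacement */` keeps the next refactor from reintroducing the else. The condition guarding the cmptrs plugin starts above the hunk, so what else it covers is not visible here.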
--