From ca4a8c0f920f83c86aeb599b94b50fce2af68389 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Jul 2022 12:24:03 +0200 Subject: post_process 0/NULL return support --- docs/Changelog.md | 3 +++ docs/custom_mutators.md | 4 ++++ 2 files changed, 7 insertions(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index ff3907f0..c7414ff2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,9 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++4.02a (dev) + - afl-fuzz: + - change post_process hook to allow returning NULL and 0 length to + tell afl-fuzz to skip this mutated input - gcc_plugin: - Adacore submitted CMPLOG support to the gcc_plugin! :-) - llvm_mode: diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 7b4e0516..d84e4e02 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -159,6 +159,10 @@ def deinit(): # optional for Python This can return any python object that implements the buffer protocol and supports PyBUF_SIMPLE. These include bytes, bytearray, etc. + You can decide in the post_process mutator to not send the mutated data + to the target, e.g. if it is too short, too corrupted, etc. If so, + return a NULL buffer and zero length (or a 0 length string in Python). + - `queue_new_entry` (optional): This methods is called after adding a new test case to the queue. If the -- cgit 1.4.1 From 0373628adf2e27079b84048c474db1c8cbea49ed Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Jul 2022 17:28:57 +0200 Subject: fix custom mutator examples --- custom_mutators/examples/example.c | 2 +- custom_mutators/examples/post_library_gif.so.c | 13 ++++--- custom_mutators/examples/post_library_png.so.c | 48 +++++++++----------------- docs/custom_mutators.md | 5 +++ 4 files changed, 31 insertions(+), 37 deletions(-) (limited to 'docs') 
diff --git a/custom_mutators/examples/example.c b/custom_mutators/examples/example.c index 5c174e10..3f299508 100644 --- a/custom_mutators/examples/example.c +++ b/custom_mutators/examples/example.c @@ -352,7 +352,7 @@ uint8_t afl_custom_queue_get(my_mutator_t *data, const uint8_t *filename) { * @return if the file contents was modified return 1 (True), 0 (False) * otherwise */ -uint8_t afl_custom_queue_new_entry(my_mutator_t * data, +uint8_t afl_custom_queue_new_entry(my_mutator_t *data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue) { diff --git a/custom_mutators/examples/post_library_gif.so.c b/custom_mutators/examples/post_library_gif.so.c index aec05720..9cd224f4 100644 --- a/custom_mutators/examples/post_library_gif.so.c +++ b/custom_mutators/examples/post_library_gif.so.c @@ -72,6 +72,7 @@ #include #include #include +#include "alloc-inl.h" /* Header that must be present at the beginning of every test case: */ @@ -127,9 +128,11 @@ size_t afl_custom_post_process(post_state_t *data, unsigned char *in_buf, } /* Allocate memory for new buffer, reusing previous allocation if - possible. */ + possible. Note we have to use afl-fuzz's own realloc! + Note that you should only do this if you need to grow the buffer, + otherwise work with in_buf, and assign it to *out_buf instead. */ - *out_buf = realloc(data->buf, len); + *out_buf = afl_realloc(out_buf, len); /* If we're out of memory, the most graceful thing to do is to return the original buffer and give up on modifying it. Let AFL handle OOM on its @@ -142,9 +145,9 @@ size_t afl_custom_post_process(post_state_t *data, unsigned char *in_buf, } - /* Copy the original data to the new location. */ - - memcpy(*out_buf, in_buf, len); + if (len > strlen(HEADER)) + memcpy(*out_buf + strlen(HEADER), in_buf + strlen(HEADER), + len - strlen(HEADER)); /* Insert the new header. */ 
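Review bot: `*out_buf = afl_realloc(out_buf, len);` hands afl_realloc whatever `*out_buf` already holds, and the new comment says the allocation is reused when possible, so the value on entry matters: the OOM fallback described right after the call (spelled out in the png example of this same commit as `*out_buf = in_buf; return len;`) stores `in_buf` into that slot, and if afl-fuzz does not reset the slot to NULL before each call, the next afl_realloc would treat a buffer it never allocated as its own — I cannot see the caller, so this needs confirming. I would state the precondition above the call: `/* On entry *out_buf must be NULL or a pointer obtained from afl_realloc(); afl-fuzz owns and frees it, never free() it here. */`. If afl_realloc's first parameter is `void **`, the call also wants an explicit cast, `*out_buf = afl_realloc((void **)out_buf, len);`, to avoid an incompatible-pointer-type warning. afl_custom_post_process begins above this hunk and continues below it.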
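Review bot: The guard `if (len > strlen(HEADER))` only decides whether there is a body to copy; it gives no protection for `len < strlen(HEADER)`, where the buffer just allocated with `afl_realloc(out_buf, len)` is shorter than the header that the "Insert the new header" memcpy below this hunk writes into it, so the function's memory safety rests entirely on the `len < strlen(HEADER)` early return that I cannot see above the hunk. A comment on the guard, `/* len >= strlen(HEADER) is guaranteed by the early return above */`, would make that dependency visible to anyone copying this example. Stylistically, `strlen(HEADER)` is evaluated four times in three lines; hoisting it as `const size_t hlen = strlen(HEADER);` and writing `if (len > hlen) memcpy(*out_buf + hlen, in_buf + hlen, len - hlen);` reads more clearly. afl_custom_post_process begins above this hunk and continues below it.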
diff --git a/custom_mutators/examples/post_library_png.so.c b/custom_mutators/examples/post_library_png.so.c index 941f7e55..cd65b1bc 100644 --- a/custom_mutators/examples/post_library_png.so.c +++ b/custom_mutators/examples/post_library_png.so.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include "alloc-inl.h" /* A macro to round an integer up to 4 kB. */ @@ -70,9 +70,6 @@ size_t afl_custom_post_process(post_state_t *data, const unsigned char *in_buf, unsigned int len, const unsigned char **out_buf) { - unsigned char *new_buf = (unsigned char *)in_buf; - unsigned int pos = 8; - /* Don't do anything if there's not enough room for the PNG header (8 bytes). */ @@ -83,6 +80,22 @@ size_t afl_custom_post_process(post_state_t *data, const unsigned char *in_buf, } + /* This is not a good way to do it, if you do not need to grow the buffer + then just work with in_buf instead for speed reasons. + But we want to show how to grow a buffer, so this is how it's done: */ + + unsigned int pos = 8; + unsigned char *new_buf = afl_realloc(out_buf, UP4K(len)); + + if (!new_buf) { + + *out_buf = in_buf; + return len; + + } + + memcpy(new_buf, in_buf, len); + /* Minimum size of a zero-length PNG chunk is 12 bytes; if we don't have that, we can bail out. */ @@ -111,33 +124,6 @@ size_t afl_custom_post_process(post_state_t *data, const unsigned char *in_buf, if (real_cksum != file_cksum) { - /* First modification? Make a copy of the input buffer. Round size - up to 4 kB to minimize the number of reallocs needed. */ - - if (new_buf == in_buf) { - - if (len <= data->size) { - - new_buf = data->buf; - - } else { - - new_buf = realloc(data->buf, UP4K(len)); - if (!new_buf) { - - *out_buf = in_buf; - return len; - - } - - data->buf = new_buf; - data->size = UP4K(len); - memcpy(new_buf, in_buf, len); - - } - - } - *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum; } diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index d84e4e02..6f3353ec 100644 
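Review bot: `afl_realloc(out_buf, UP4K(len))` passes a `const unsigned char **` (the `out_buf` parameter visible in this hunk's header line) to a function that writes the new pointer back through it, so the call silently drops the qualifier and, if `afl_realloc` takes `void **`, is an incompatible-pointer-type warning in C; the gif example in the same commit declares the parameter as `unsigned char **out_buf`, and the two examples should agree on the prototype they are demonstrating. I would change the signature line to `unsigned int len, unsigned char **out_buf) {` rather than cast the const away at the call site. The `UP4K(len)` rounding existed so that the removed `data->buf`/`data->size` code could reuse one buffer across calls; now that afl_realloc owns growth, the rounding only helps if afl_realloc does not already over-allocate, which I cannot see from here, so either drop it or add a one-line comment saying why the 4 kB rounding is kept. afl_custom_post_process begins above this hunk and ends below it.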
--- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -38,6 +38,11 @@ performed with the custom mutator. ## 2) APIs +**IMPORTANT NOTE**: If you use our C/C++ API and you want to increase the size +of an **out_buf buffer, you have to use `afl_realloc()` for this, so include +`include/alloc-inl.h` - otherwise afl-fuzz will crash when trying to free +your buffers. + C/C++: ```c -- cgit 1.4.1 From 67fabcb0be1f48f671a061fd26dd321fdc3425a0 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 25 Jul 2022 11:15:14 +0200 Subject: update compile options --- GNUmakefile | 5 ++++- docs/INSTALL.md | 10 +++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/GNUmakefile b/GNUmakefile index b6865f0c..04d1411d 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -367,13 +367,16 @@ help: @echo Known build environment options: @echo "==========================================" @echo STATIC - compile AFL++ static - @echo ASAN_BUILD - compiles with memory sanitizer for debug purposes + @echo ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes + @echo UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for debug purposes @echo DEBUG - no optimization, -ggdb3, all warnings and -Werror @echo PROFILING - compile afl-fuzz with profiling information @echo INTROSPECTION - compile afl-fuzz with mutation introspection @echo NO_PYTHON - disable python support @echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing @echo NO_NYX - disable building nyx mode dependencies + @echo "NO_CORESIGHT - disable building coresight (arm64 only)" + @echo NO_UNICORN_ARM64 - disable building unicorn on arm64 @echo AFL_NO_X86 - if compiling on non-intel/amd platforms @echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)" @echo "==========================================" diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 312b41e9..c60e3ada 100644 
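Review bot: The reworded help line `@echo ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes` still names the wrong tool: by its name `ASAN_BUILD` enables AddressSanitizer, whereas "memory sanitizer" is MemorySanitizer (`-fsanitize=memory`), a separate tool with different requirements, so someone hunting uninitialized-read bugs will pick the wrong option. I would write `@echo ASAN_BUILD - compiles AFL++ with AddressSanitizer for debug purposes`, and the same wording fix applies to the INSTALL.md line changed in this commit. For consistency the neighbouring new line would then read `UBSAN_BUILD - compiles AFL++ tools with UndefinedBehaviorSanitizer for debug purposes`.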
--- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -79,17 +79,21 @@ make STATIC=1 These build options exist: * STATIC - compile AFL++ static -* ASAN_BUILD - compiles with memory sanitizer for debug purposes +* ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes +* UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for + debug purposes * DEBUG - no optimization, -ggdb3, all warnings and -Werror -* PROFILING - compile with profiling information (gprof) +* PROFILING - compile afl-fuzz with profiling information * INTROSPECTION - compile afl-fuzz with mutation introspection * NO_PYTHON - disable python support * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing * NO_NYX - disable building nyx mode dependencies +* NO_CORESIGHT - disable building coresight (arm64 only) +* NO_UNICORN_ARM64 - disable building unicorn on arm64 * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config - (e.g., Debian) + (e.g. Debian) e.g.: `make ASAN_BUILD=1` -- cgit 1.4.1 From c6af98bc355dbd828e2e6b332ab743a6c2f4ce4c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 25 Jul 2022 11:49:49 +0200 Subject: fix --- GNUmakefile | 2 +- docs/INSTALL.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/GNUmakefile b/GNUmakefile index 04d1411d..a64d511f 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -378,7 +378,7 @@ help: @echo "NO_CORESIGHT - disable building coresight (arm64 only)" @echo NO_UNICORN_ARM64 - disable building unicorn on arm64 @echo AFL_NO_X86 - if compiling on non-intel/amd platforms - @echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)" + @echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian)" @echo "==========================================" @echo e.g.: make ASAN_BUILD=1 
diff --git a/docs/INSTALL.md b/docs/INSTALL.md index c60e3ada..4f2b7174 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -93,9 +93,9 @@ These build options exist: * NO_UNICORN_ARM64 - disable building unicorn on arm64 * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config - (e.g. Debian) + (e.g., Debian) -e.g.: `make ASAN_BUILD=1` +e.g.: `make LLVM_CONFIG=llvm-config-14` ## MacOS X on x86 and arm64 (M1) -- cgit 1.4.1 From 6056d4b140f0665c6a701cada9166379be3435ac Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Aug 2022 10:06:52 +0200 Subject: fix pcguard vector select instrumentation --- docs/Changelog.md | 3 +++ instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index c7414ff2..05bbe827 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -12,6 +12,9 @@ sending a mail to . - afl-fuzz: - change post_process hook to allow returning NULL and 0 length to tell afl-fuzz to skip this mutated input + - afl-cc: + - important fix for the default pcguard mode when LLVM IR vector + selects are produced, thanks to @juppytt for reporting! - gcc_plugin: - Adacore submitted CMPLOG support to the gcc_plugin! :-) - llvm_mode: diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index f8ced8fc..e22c9ead 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -902,7 +902,7 @@ bool ModuleSanitizerCoverageAFL::InjectCoverage( if (tt) { cnt_sel++; - cnt_sel_inc += tt->getElementCount().getKnownMinValue(); + cnt_sel_inc += (tt->getElementCount().getKnownMinValue() * 2); } -- cgit 1.4.1
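Review bot: `cnt_sel_inc += (tt->getElementCount().getKnownMinValue() * 2);` reserves guard slots from the known-minimum lane count, which for a scalable vector type is only a lower bound, so if `tt` can ever be a ScalableVectorType (how `tt` is obtained is above this hunk) the guard count is undersized and the later per-lane instrumentation would presumably index past the reserved guards. I would either reject that case explicitly, `if (tt->getElementCount().isScalable()) { /* bail out or warn */ }`, or add a comment stating that scalable vectors cannot reach this point. The bare `* 2` also deserves a one-line comment saying what the second slot per lane is for — presumably one guard per select outcome per lane, but I am inferring that from the changelog entry, so the author should state it. InjectCoverage starts before and continues after this hunk.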