From 08bcaa135f6fc9282a947e1c73ef0866cb4cf2d0 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 6 Aug 2020 18:44:12 +0200
Subject: dummy mem test
---
 examples/aflpp_driver/aflpp_driver.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index 86c7a69f..eab6b52c 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
@@ -56,6 +56,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
 #include
 #include
 #include
+#include
 #include "config.h"
@@ -101,6 +102,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
 int __afl_sharedmem_fuzzing = 1;
 extern unsigned int * __afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;
+extern unsigned char *__afl_area_ptr;
 // libFuzzer interface is thin, so we don't include any libFuzzer headers.
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
@@ -240,6 +242,10 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 int main(int argc, char **argv) {
+ uint8_t *dummy = (uint8_t*) mmap((void *)0x1000,250000, PROT_READ | PROT_WRITE,
+ MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ __afl_area_ptr = dummy;
+
 printf(
 "======================= INFO =========================\n"
 "This binary is built for AFL-fuzz.\n"
@@ -275,6 +281,7 @@ int main(int argc, char **argv) {
 // if (!getenv("AFL_DRIVER_DONT_DEFER")) {
 __afl_sharedmem_fuzzing = 0;
+ munmap(dummy, 256000);
 __afl_manual_init();
 // }
 return ExecuteFilesOnyByOne(argc, argv);
@@ -285,6 +292,7 @@ int main(int argc, char **argv) {
 assert(N > 0);
 // if (!getenv("AFL_DRIVER_DONT_DEFER"))
+ munmap(dummy, 256000);
 __afl_manual_init();
 // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
--
cgit 1.4.1
From 8190436f8f78d0bef799461447ddd37e9290c0aa Mon Sep 17 00:00:00 2001
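Review bot: The `mmap((void *)0x1000,250000, …)` added in the `int main` hunk requests a fixed address below the default Linux `vm.mmap_min_addr` (65536), so with MAP_FIXED_NOREPLACE it will normally fail with EPERM, and the result is never checked before `__afl_area_ptr = dummy;` publishes it as the coverage map — on failure that is MAP_FAILED, i.e. `(void *)-1`. The sizes in the two later hunks do not match either: the mapping is 250000 bytes, but `munmap(dummy, 256000)` rounds up to a page past the end of that mapping and can tear down whatever neighbouring mapping the kernel placed there. I would keep one size constant for both calls and bail out on failure, `if (dummy == MAP_FAILED) { perror("mmap"); abort(); }`, before the assignment to `__afl_area_ptr`. The body of `main` continues outside these hunks.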
From: van Hauser
Date: Thu, 6 Aug 2020 18:51:16 +0200
Subject: fix
---
 examples/aflpp_driver/aflpp_driver.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index eab6b52c..b9c1e7b3 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
@@ -64,6 +64,10 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
 #include "hash.h"
 #endif
+#ifndef MAP_FIXED_NOREPLACE
+#define MAP_FIXED_NOREPLACE 0x100000
+#endif
+
 // Platform detection. Copied from FuzzerInternal.h
 #ifdef __linux__
 #define LIBFUZZER_LINUX 1
@@ -245,6 +249,7 @@ int main(int argc, char **argv) {
 uint8_t *dummy = (uint8_t*) mmap((void *)0x1000,250000, PROT_READ | PROT_WRITE,
 MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 __afl_area_ptr = dummy;
+ fprintf(stderr, "dummy: %p\n", __afl_area_ptr);
 printf(
 "======================= INFO =========================\n"
--
cgit 1.4.1
From 51f3a81037ccbd8cf00ef6b47a2e04201e1ed301 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 6 Aug 2020 19:05:57 +0200
Subject: fix
---
 examples/aflpp_driver/aflpp_driver.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index b9c1e7b3..adda48f1 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
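Review bot: The fallback `#define MAP_FIXED_NOREPLACE 0x100000` needs a comment, because it only does what the name promises on a recent Linux: the value is the Linux flag bit, a kernel older than 4.17 ignores unknown mmap flag bits and silently treats the address as a plain hint, and on another OS the bit may be rejected or mean something else. Nothing in the `int main` hunk checks where the mapping actually landed, so on such a kernel the new `fprintf(stderr, "dummy: %p\n", …)` is the only way to notice the degradation. I would write above the define `/* Linux >= 4.17 flag; older kernels ignore the bit and treat the address as a hint, so do not rely on the map being at the requested address. */`. The `int main` body continues outside the hunk.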
@@ -248,27 +248,32 @@ int main(int argc, char **argv) {
 uint8_t *dummy = (uint8_t*) mmap((void *)0x1000,250000, PROT_READ | PROT_WRITE,
 MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if ((uint64_t)dummy == -1)
+ dummy = (uint8_t*) mmap((void *)0x1000,250000, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 __afl_area_ptr = dummy;
 fprintf(stderr, "dummy: %p\n", __afl_area_ptr);
 printf(
 "======================= INFO =========================\n"
- "This binary is built for AFL-fuzz.\n"
+ "This binary is built for afl++.\n"
 "To run the target function on individual input(s) execute this:\n"
- " %s < INPUT_FILE\n"
- "or\n"
 " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n"
 "To fuzz with afl-fuzz execute this:\n"
- " afl-fuzz [afl-flags] %s [-N]\n"
+ " afl-fuzz [afl-flags] -- %s [-N]\n"
 "afl-fuzz will run N iterations before "
 "re-spawning the process (default: 1000)\n"
 "======================================================\n",
- argv[0], argv[0], argv[0]);
+ argv[0], argv[0]);
 output_file = stderr;
 maybe_duplicate_stderr();
 maybe_close_fd_mask();
- if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
+ if (LLVMFuzzerInitialize) {
+ fprintf(stderr, "Running LLVMFuzzerInitialize ...\n");
+ LLVMFuzzerInitialize(&argc, &argv);
+ fprintf(stderr, "continue...\n");
+ }
 // Do any other expensive one-time initialization here.
--
cgit 1.4.1
From 970d75d681208ed7e6d56343a99698ba76c04f68 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 6 Aug 2020 19:07:52 +0200
Subject: fix
---
 examples/aflpp_driver/aflpp_driver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index adda48f1..8446b34c 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
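Review bot: `if ((uint64_t)dummy == -1)` compares the pointer with `(uint64_t)-1`, which equals MAP_FAILED only on a 64-bit target; on a 32-bit build the cast yields 0xFFFFFFFF, the test is never true and the fallback never runs, so it should read `if (dummy == MAP_FAILED)`. The fallback mmap is itself unchecked: if it also fails, the next line still stores MAP_FAILED into `__afl_area_ptr`, which `main` later hands to `munmap` and the instrumentation uses as its map. I would follow the fallback with `if (dummy == MAP_FAILED) { perror("mmap dummy map"); abort(); }`. The two new `fprintf(stderr, …)` lines around `LLVMFuzzerInitialize` are unconditional debug output on every run; if they are meant to stay they should be gated on an environment variable, otherwise dropped before merge. `main` continues beyond the end of the hunk.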
@@ -246,10 +246,10 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 int main(int argc, char **argv) {
- uint8_t *dummy = (uint8_t*) mmap((void *)0x1000,250000, PROT_READ | PROT_WRITE,
+ uint8_t *dummy = (uint8_t*) mmap((void *)0x1000, 256000, PROT_READ | PROT_WRITE,
 MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 if ((uint64_t)dummy == -1)
- dummy = (uint8_t*) mmap((void *)0x1000,250000, PROT_READ | PROT_WRITE,
+ dummy = (uint8_t*) mmap(0, 256000, PROT_READ | PROT_WRITE,
 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 __afl_area_ptr = dummy;
 fprintf(stderr, "dummy: %p\n", __afl_area_ptr);
--
cgit 1.4.1
From e048d95660821c8b463dbdd85abe0ef8f0cf9df7 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 6 Aug 2020 19:13:04 +0200
Subject: fix
---
 examples/aflpp_driver/aflpp_driver.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index 8446b34c..892e0779 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
@@ -68,6 +68,8 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
 #define MAP_FIXED_NOREPLACE 0x100000
 #endif
+#define MAX_DUMMY_SIZE 256000
+
 // Platform detection. Copied from FuzzerInternal.h
 #ifdef __linux__
 #define LIBFUZZER_LINUX 1
@@ -246,10 +248,10 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 int main(int argc, char **argv) {
- uint8_t *dummy = (uint8_t*) mmap((void *)0x1000, 256000, PROT_READ | PROT_WRITE,
+ uint8_t *dummy = (uint8_t*) mmap((void *)0x1000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
 MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 if ((uint64_t)dummy == -1)
- dummy = (uint8_t*) mmap(0, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
+ dummy = (uint8_t*) mmap(0, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 __afl_area_ptr = dummy;
 fprintf(stderr, "dummy: %p\n", __afl_area_ptr);
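Review bot: `#define MAX_DUMMY_SIZE 256000` in the `@@ -68,6 +68,8 @@` hunk is a bare number with no comment saying what it has to cover, and nothing checks it against the size the instrumentation actually indexes into `__afl_area_ptr`. `config.h` is included in this file, so if the runtime's map size (presumably `MAP_SIZE`) is a compile-time constant I would tie the two together, `#if MAX_DUMMY_SIZE < MAP_SIZE` / `#error "MAX_DUMMY_SIZE is smaller than the coverage map"` / `#endif`, so a larger map cannot silently turn the stand-in into an out-of-bounds write target. I would also document the constant: `/* Size of the anonymous mapping __afl_area_ptr points at until the real shared map is attached; must be at least as large as any map the instrumentation can index. */`. The `int main` body continues outside the second hunk.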
@@ -261,8 +263,7 @@ int main(int argc, char **argv) {
 " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n"
 "To fuzz with afl-fuzz execute this:\n"
 " afl-fuzz [afl-flags] -- %s [-N]\n"
- "afl-fuzz will run N iterations before "
- "re-spawning the process (default: 1000)\n"
+ "afl-fuzz will run N iterations before re-spawning the process (default: 1000)\n"
 "======================================================\n",
 argv[0], argv[0]);
@@ -291,7 +292,7 @@ int main(int argc, char **argv) {
 // if (!getenv("AFL_DRIVER_DONT_DEFER")) {
 __afl_sharedmem_fuzzing = 0;
- munmap(dummy, 256000);
+ munmap(dummy, MAX_DUMMY_SIZE);
 __afl_manual_init();
 // }
 return ExecuteFilesOnyByOne(argc, argv);
@@ -302,7 +303,7 @@ int main(int argc, char **argv) {
 assert(N > 0);
 // if (!getenv("AFL_DRIVER_DONT_DEFER"))
- munmap(dummy, 256000);
+ munmap(dummy, MAX_DUMMY_SIZE);
 __afl_manual_init();
 // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
--
cgit 1.4.1
From bbfff7d472cbe4a1c593c8340c99dde6c31a4a35 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 6 Aug 2020 19:37:13 +0200
Subject: fix
---
 examples/aflpp_driver/aflpp_driver.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index 892e0779..2b35a46f 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
@@ -246,15 +246,21 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 }
-int main(int argc, char **argv) {
-
- uint8_t *dummy = (uint8_t*) mmap((void *)0x1000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
+__attribute__((constructor(10))) void __afl_protect(void) {
+ __afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
 MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
- if ((uint64_t)dummy == -1)
- dummy = (uint8_t*) mmap(0, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
+ if ((uint64_t)__afl_area_ptr == -1)
+ __afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
- __afl_area_ptr = dummy;
- fprintf(stderr, "dummy: %p\n", __afl_area_ptr);
+ if ((uint64_t)__afl_area_ptr == -1)
+ __afl_area_ptr = (unsigned char*) mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+}
+
+
+int main(int argc, char **argv) {
+
+ fprintf(stderr, "dummy map is at %p\n", __afl_area_ptr);
 printf(
 "======================= INFO =========================\n"
@@ -292,7 +298,7 @@ int main(int argc, char **argv) {
 // if (!getenv("AFL_DRIVER_DONT_DEFER")) {
 __afl_sharedmem_fuzzing = 0;
- munmap(dummy, MAX_DUMMY_SIZE);
+ munmap(__afl_area_ptr, MAX_DUMMY_SIZE);
 __afl_manual_init();
 // }
 return ExecuteFilesOnyByOne(argc, argv);
@@ -303,7 +309,7 @@ int main(int argc, char **argv) {
 assert(N > 0);
 // if (!getenv("AFL_DRIVER_DONT_DEFER"))
- munmap(dummy, MAX_DUMMY_SIZE);
+ munmap(__afl_area_ptr, MAX_DUMMY_SIZE);
 __afl_manual_init();
 // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
--
cgit 1.4.1
From cb3631a3223806210a781f1138508b37d4f6d761 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 6 Aug 2020 20:02:47 +0200
Subject: add cmplog map to aflpp driver
---
 examples/aflpp_driver/aflpp_driver.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'examples/aflpp_driver/aflpp_driver.c')
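Review bot: `__afl_protect` returns silently when all three mmap calls fail, leaving `__afl_area_ptr` equal to MAP_FAILED for every instrumented edge write that follows, and both `if ((uint64_t)__afl_area_ptr == -1)` tests compare against `(uint64_t)-1`, which is MAP_FAILED only on a 64-bit target. I would compare with `MAP_FAILED` in both places and add a terminal check before the closing brace, as below. `constructor(10)` also falls in the 0–100 priority range that GCC documents as reserved for the implementation (it warns under -Wprio-ctor-dtor), and whether it runs before or after the afl runtime's own constructor — which decides whether this assignment survives — is not visible here, so a one-line comment stating the intended ordering would help the next reader. Finally, both `munmap(__afl_area_ptr, MAX_DUMMY_SIZE)` calls in `main` leave `__afl_area_ptr` pointing at unmapped memory until `__afl_manual_init()` replaces it; if that function does not reassign the pointer on every path, the next edge hit faults.
```c
__attribute__((constructor(10))) void __afl_protect(void) {
  /* … unchanged: mmap at 0x10000 with MAP_FIXED_NOREPLACE, then hinted 0x10000, then NULL,
     each guarded by `if (__afl_area_ptr == MAP_FAILED)` … */
  if (__afl_area_ptr == MAP_FAILED) {
    perror("aflpp_driver: mmap of the dummy coverage map failed");
    _exit(1);
  }
}
```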
diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c
index 2b35a46f..6ec37cda 100644
--- a/examples/aflpp_driver/aflpp_driver.c
+++ b/examples/aflpp_driver/aflpp_driver.c
@@ -59,6 +59,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
 #include
 #include "config.h"
+#include "cmplog.h"
 #ifdef _DEBUG
 #include "hash.h"
@@ -109,6 +110,7 @@ int __afl_sharedmem_fuzzing = 1;
 extern unsigned int * __afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;
 extern unsigned char *__afl_area_ptr;
+extern struct cmp_map *__afl_cmp_map;
 // libFuzzer interface is thin, so we don't include any libFuzzer headers.
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
@@ -255,6 +257,7 @@ __attribute__((constructor(10))) void __afl_protect(void) {
 if ((uint64_t)__afl_area_ptr == -1)
 __afl_area_ptr = (unsigned char*) mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ __afl_cmp_map = (struct cmp_map *) __afl_area_ptr;
 }
--
cgit 1.4.1
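Review bot: `__afl_cmp_map = (struct cmp_map *) __afl_area_ptr;` aliases the cmplog map onto the same MAX_DUMMY_SIZE (256000-byte) mapping without checking that a `struct cmp_map` fits in it; the struct's definition is not on this page, but if `sizeof(struct cmp_map)` exceeds 256000 — which I would expect for a map of per-slot headers plus operand tables — every cmplog hook that now sees a non-NULL pointer can write past the end of the mapping. Make the assumption explicit next to the assignment with `_Static_assert(sizeof(struct cmp_map) <= MAX_DUMMY_SIZE, "dummy map too small for struct cmp_map");`, or map `sizeof(struct cmp_map)` bytes when that is the larger of the two. The two `munmap(__afl_area_ptr, MAX_DUMMY_SIZE)` calls in `main` (outside this hunk) never reset `__afl_cmp_map`, so it keeps pointing into unmapped memory until the runtime reassigns it; add `__afl_cmp_map = NULL;` beside each unless `__afl_manual_init` is known to overwrite it on every path. `__afl_protect` begins outside the hunk.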