From e8da5f9e2894a89e36f899719e442a897a189f1f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 11 Jun 2020 19:30:28 +0200 Subject: code format and debug --- examples/aflpp_driver/aflpp_driver.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a60eb264..88354912 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -54,6 +54,10 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #include #include +#ifdef _DEBUG +#include "hash.h" +#endif + // Platform detection. Copied from FuzzerInternal.h #ifdef __linux__ #define LIBFUZZER_LINUX 1 @@ -273,7 +277,7 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { #ifdef _DEBUG - fprintf(stderr, "len: %u\n", *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash32(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); #endif if (*__afl_fuzz_len) { num_runs++; -- cgit 1.4.1 From db2e04361da8f40a7ee99fef1c2a2ed8f08b0501 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 11:57:54 +0200 Subject: shm debug and fixes --- examples/aflpp_driver/GNUmakefile | 5 ++--- examples/aflpp_driver/aflpp_driver.cpp | 10 +++++++++- examples/aflpp_driver/aflpp_driver_test.cpp | 8 +++++--- llvm_mode/afl-llvm-rt.o.c | 4 ++-- src/afl-forkserver.c | 14 ++++++++++++-- 5 files changed, 30 insertions(+), 11 deletions(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 90844a4a..24f959e6 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -7,7 +7,7 @@ ifneq "" "$(LLVM_BINDIR)" LLVM_BINDIR := $(LLVM_BINDIR)/ endif -FLAGS=-O3 -funroll-loops +FLAGS=-O2 -funroll-loops all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so @@ -20,7 +20,6 @@ libAFLDriver.a: aflpp_driver.o debug: $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp ar ru libAFLDriver.a aflpp_driver.o - aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c @@ -35,7 +34,7 @@ aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c test: libAFLDriver.a aflpp_driver_test.cpp - afl-clang-fast++ -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a + afl-clang-fast++ -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a clean: rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 88354912..68a1783f 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -230,6 +230,8 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { } int main(int argc, char **argv) { + unsigned char in_buf[1024000]; + size_t in_buf_len; Printf( "======================= INFO =========================\n" "This binary is built for AFL-fuzz.\n" @@ -278,10 +280,16 @@ int main(int argc, char **argv) { while (__afl_persistent_loop(N)) { #ifdef _DEBUG fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash32(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "RECV:"); + for (int i = 0; i < *__afl_fuzz_len; i++) + fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); + fprintf(stderr,"\n"); #endif if (*__afl_fuzz_len) { num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + in_buf_len = *__afl_fuzz_len; + memcpy(in_buf, __afl_fuzz_ptr, in_buf_len); + LLVMFuzzerTestOneInput(in_buf, in_buf_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp index 81aa9db4..799c743d 100644 --- a/examples/aflpp_driver/aflpp_driver_test.cpp +++ b/examples/aflpp_driver/aflpp_driver_test.cpp @@ -1,19 +1,21 @@ #include #include #include +#include "hash.h" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - fprintf(stderr, "Received size %lu\n", Size); + fprintf(stderr, "FUNC crc: %08x len: %lu\n", hash32(Data, Size, 0xa5b35705), Size); - if (Size < 4) + if (Size < 5) return 0; if (Data[0] == 'F') if (Data[1] == 'A') if (Data[2] == '$') if (Data[3] == '$') - abort(); + if (Data[4] == '$') + abort(); return 0; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 702384a3..80ffc19f 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -139,7 +139,7 @@ static void __afl_map_shm_fuzz() { } - map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); + map = (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0); #else u32 shm_id = atoi(id_str); @@ -157,7 +157,7 @@ static void __afl_map_shm_fuzz() { } __afl_fuzz_len = (u32 *)map; - __afl_fuzz_ptr = (u8 *)(map + sizeof(u32)); + __afl_fuzz_ptr = map + sizeof(u32); if (getenv("AFL_DEBUG")) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 330fb1de..edabe5df 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -32,6 +32,7 @@ #include "common.h" #include "list.h" #include "forkserver.h" +#include "hash.h" #include #include @@ -837,8 +838,17 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - // fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, - // *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); +#ifdef _DEBUG + fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, + *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); +#endif } else { -- cgit 1.4.1 From 6a216b5708a21283c2a8dbc05af6c98c067b9e08 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 15 Jun 2020 21:39:45 +0200 Subject: make aflpp driver performant again --- examples/aflpp_driver/GNUmakefile | 2 +- examples/aflpp_driver/aflpp_driver.cpp | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 24f959e6..a4969a88 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -7,7 +7,7 @@ ifneq "" "$(LLVM_BINDIR)" LLVM_BINDIR := $(LLVM_BINDIR)/ endif -FLAGS=-O2 -funroll-loops +FLAGS=-O3 -funroll-loops all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 68a1783f..cf96dc4f 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -230,8 +230,6 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { } int main(int argc, char **argv) { - unsigned char in_buf[1024000]; - size_t in_buf_len; Printf( "======================= INFO =========================\n" "This binary is built for AFL-fuzz.\n" @@ -287,9 +285,7 @@ int main(int argc, char **argv) { #endif if (*__afl_fuzz_len) { num_runs++; - in_buf_len = *__afl_fuzz_len; - memcpy(in_buf, __afl_fuzz_ptr, in_buf_len); - LLVMFuzzerTestOneInput(in_buf, in_buf_len); + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); -- cgit 1.4.1