From 9a65fe904dd0895b9f7d27aae1fbce22fcb598ef Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 13:37:50 +0200 Subject: small changes to libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 3dcc8c3c..a6b168cd 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -252,27 +252,27 @@ int main(int argc, char **argv) { else if(argc == 2 && (N = atoi(argv[1])) > 0) Printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { - if (!getenv("AFL_DRIVER_DONT_DEFER")) { +// if (!getenv("AFL_DRIVER_DONT_DEFER")) { __afl_sharedmem_fuzzing = 0; __afl_manual_init(); - } +// } return ExecuteFilesOnyByOne(argc, argv); exit(0); } assert(N > 0); - if (!getenv("AFL_DRIVER_DONT_DEFER")) - __afl_manual_init(); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); +// if (!getenv("AFL_DRIVER_DONT_DEFER")) + __afl_manual_init(); + int num_runs = 0; while (__afl_persistent_loop(N)) { - if (__afl_fuzz_len > 0) { + if (__afl_fuzz_len) { num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); } -- cgit 1.4.1 From adcffce0a083cf32ea41f5631ec0e9d77dfdd115 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 14:57:05 +0200 Subject: fix libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a6b168cd..1feae1c3 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp 
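Review bot: The `AFL_DRIVER_DONT_DEFER` guards are turned into `//` comments in both the `argc > 1` branch and before the persistent loop, so the environment switch is now silently ignored while its dead lines stay in the file; either delete the commented lines or keep the `getenv` check and say why deferral became unconditional. Moving `__afl_manual_init()` below the warm-up `LLVMFuzzerTestOneInput(dummy_input, 1)` call changes when the forkserver starts relative to that run, and the existing comment about initialization coverage being ignored no longer explains the ordering; if the intent is that the warm-up happens before the forkserver is up, a line such as `// start the forkserver only after the warm-up call` should say so, otherwise state the actual reason. The unreachable `exit(0)` after `return ExecuteFilesOnyByOne(argc, argv);` could be dropped while this code is being touched. main() starts and ends outside the hunk.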
+++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -262,14 +262,14 @@ int main(int argc, char **argv) { assert(N > 0); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization - // on the first execution of LLVMFuzzerTestOneInput is ignored. - uint8_t dummy_input[1] = {0}; - LLVMFuzzerTestOneInput(dummy_input, 1); - // if (!getenv("AFL_DRIVER_DONT_DEFER")) __afl_manual_init(); + // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization + // on the first execution of LLVMFuzzerTestOneInput is ignored. + //uint8_t dummy_input[1] = {0}; + //LLVMFuzzerTestOneInput(dummy_input, 1); + int num_runs = 0; while (__afl_persistent_loop(N)) { if (__afl_fuzz_len) { -- cgit 1.4.1 From 1d15048f2f79bb6836e8a50676a8ecc8cff1e5d0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 15:30:44 +0200 Subject: hopeful finally change for libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 1feae1c3..f2c604da 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -267,8 +267,8 @@ int main(int argc, char **argv) { // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - //uint8_t dummy_input[1] = {0}; - //LLVMFuzzerTestOneInput(dummy_input, 1); + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); int num_runs = 0; while (__afl_persistent_loop(N)) { -- cgit 1.4.1 From 2f73215d4f24d9059546aff2b82d7eef05fbe253 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 08:53:05 +0200 Subject: update libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'examples/aflpp_driver/aflpp_driver.cpp') 
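Review bot: After this hunk the comment `// Call LLVMFuzzerTestOneInput here so that coverage caused by initialization ...` sits above two lines that are now commented out, so it describes code that no longer runs; the following commit (hunk at -267,8, "hopeful finally change for libfuzzer driver") re-enables them, and across the two hunks the warm-up call ends up after `__afl_manual_init()` without either version explaining the order. Whichever order is final, pin it with a comment, e.g. `// warm-up runs after __afl_manual_init() so it executes in the forked child, not once in the parent` — if that is indeed the reason, otherwise state the real one. Code that is meant to be disabled should be deleted rather than kept behind `//`, since the history already preserves it. main() starts and ends outside both hunks.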
diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index f2c604da..e0a90ff9 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -90,7 +90,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #endif int __afl_sharedmem_fuzzing = 1; -extern unsigned int __afl_fuzz_len; +extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. @@ -272,9 +272,9 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { - if (__afl_fuzz_len) { + if (*__afl_fuzz_len) { num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); -- cgit 1.4.1 From 372206e159f4f3d150543411872319fb8fae0b66 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 6 Jun 2020 11:45:08 +0200 Subject: aflpp_debug --- examples/aflpp_driver/GNUmakefile | 10 +++++++++- examples/aflpp_driver/aflpp_driver.cpp | 7 +++++-- examples/aflpp_driver/aflpp_driver_test.cpp | 20 ++++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 examples/aflpp_driver/aflpp_driver_test.cpp (limited to 'examples/aflpp_driver/aflpp_driver.cpp') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 988576d5..7ddfc485 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -17,6 +17,11 @@ aflpp_driver.o: aflpp_driver.cpp libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o +debug: + $(LLVM_BINDIR)clang++ -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + ar ru libAFLDriver.a aflpp_driver.o + + aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c 
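Review bot: `*__afl_fuzz_len` is dereferenced in the loop condition and again in the `LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len)` call with no check that `__afl_fuzz_len` itself is non-null; if the runtime only points it into the shared-memory buffer once afl-fuzz attaches and leaves it null when the binary is started by hand with no arguments, the first loop iteration is a null dereference instead of a clear message. A guard before the loop such as `if (!__afl_fuzz_len) { fprintf(stderr, "no shared-memory fuzzing session attached\n"); return 1; }` keeps the inner `if (*__afl_fuzz_len)` test meaningful. The length is read from memory the fuzzer writes, so comparing it against the buffer size the runtime allocates is a cheap extra sanity check, and the declaration hunk at -90,7 is the place to document what `__afl_fuzz_len` points to and who writes it. main() starts and ends outside the hunk.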
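Review bot: `-D_DEBUG=\"1\"` in the new `debug` target, and the matching `#ifdef _DEBUG` in this commit's aflpp_driver.cpp hunk at -267,11, use an identifier reserved for the implementation (leading underscore followed by an uppercase letter) that at least one common toolchain defines on its own for debug builds, which would switch the extra `fprintf` on without anyone asking for it. A project-prefixed macro such as `-DAFLPP_DRIVER_DEBUG=1` avoids both the reserved name and the accidental activation. No `.PHONY` line is visible in either hunk; if the file has none, a stray file named `debug` or `test` in the directory would stop those targets from running, and `.PHONY: debug test clean` fixes that.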
@@ -29,5 +34,8 @@ aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c +test: libAFLDriver.a aflpp_driver_test.cpp + afl-clang-fast++ -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a + clean: - rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core + rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index e0a90ff9..a60eb264 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -246,7 +246,8 @@ int main(int argc, char **argv) { LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - int N = 1000; + uint8_t dummy_input[1] = {0}; + int N = 100000; if (argc == 2 && argv[1][0] == '-') N = atoi(argv[1] + 1); else if(argc == 2 && (N = atoi(argv[1])) > 0) @@ -267,11 +268,13 @@ int main(int argc, char **argv) { // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); int num_runs = 0; while (__afl_persistent_loop(N)) { +#ifdef _DEBUG + fprintf(stderr, "len: %u\n", *__afl_fuzz_len); +#endif if (*__afl_fuzz_len) { num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp new file mode 100644 index 00000000..81aa9db4 --- /dev/null +++ b/examples/aflpp_driver/aflpp_driver_test.cpp 
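Review bot: The default persistent-loop count changes from `int N = 1000;` to `int N = 100000;` in a commit titled "aflpp_debug", with neither a comment nor a message explaining the hundredfold jump; since `N` is what `__afl_persistent_loop(N)` receives and `argv[1]` can override it, the line should say so: `int N = 100000;  // default __afl_persistent_loop() iterations per process; argv[1] overrides`. The new `#ifdef _DEBUG` `fprintf(stderr, "len: %u\n", *__afl_fuzz_len);` dereferences the pointer before the `if (*__afl_fuzz_len)` test below it, so it inherits whatever null-pointer risk `__afl_fuzz_len` has when no fuzzer is attached and should be guarded the same way that path is. main() starts and ends outside the hunk.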
@@ -0,0 +1,20 @@
+#include
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+ fprintf(stderr, "Received size %lu\n", Size);
+
+ if (Size < 4)
+ return 0;
+
+ if (Data[0] == 'F')
+ if (Data[1] == 'A')
+ if (Data[2] == '$')
+ if (Data[3] == '$')
+ abort();
+
+ return 0;
+
+}
-- cgit 1.4.1
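Review bot: `fprintf(stderr, "Received size %lu\n", Size);` pairs `%lu` with a `size_t` argument, which is only correct on targets where `size_t` is `unsigned long`; use `%zu`, or cast the argument to `(unsigned long)`. The three `#include` lines show no header names on this page (the angle-bracketed names appear to have been lost in rendering), so I cannot confirm that `<cstdint>`, `<cstdio>` and `<cstdlib>` are all present for `uint8_t`, `fprintf` and `abort`. The nested unbraced `if` chain ending in `abort()` is one condition spread over four lines; `if (Data[0] == 'F' && Data[1] == 'A' && Data[2] == '$' && Data[3] == '$') abort();` says the same thing and cannot be mis-paired with a later `else`. The deliberate crash on that four-byte marker is fine for a driver self-test but deserves a one-line comment saying it is intentional.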