From bca7ce804308fdc24404d26a02d2e10116ef6289 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 1 Jun 2020 12:30:20 +0200
Subject: fixed persistent mode shared mem fuzzing
---
 examples/persistent_demo/test-instr.c | 60 +++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 examples/persistent_demo/test-instr.c
(limited to 'examples/persistent_demo/test-instr.c')
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c
new file mode 100644
index 00000000..069e74dd
--- /dev/null
+++ b/examples/persistent_demo/test-instr.c
@@ -0,0 +1,60 @@
+/*
+ american fuzzy lop++ - a trivial program to test the build
+ --------------------------------------------------------
+ Originally written by Michal Zalewski
+ Copyright 2014 Google Inc. All rights reserved.
+ Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at:
+ http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+__AFL_FUZZ_INIT();
+
+int main(int argc, char **argv) {
+
+ __AFL_INIT();
+ unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
+
+ while(__AFL_LOOP(2147483647)) {
+
+ unsigned int len = __AFL_FUZZ_TESTCASE_LEN;
+
+#ifdef _AFL_DOCUMENT_MUTATIONS
+ static unsigned int counter = 0;
+ char fn[32];
+ sprintf(fn, "%09u:test-instr", counter);
+ int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ if (fd_doc >= 0) {
+ if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) {
+ fprintf(stderr, "write of mutation file failed: %s\n", fn);
+ unlink(fn);
+ }
+ close(fd_doc);
+ }
+ counter++;
+#endif
+
+ if (!len) continue;
+
+ if (buf[0] == '0')
+ printf("Looks like a zero to me!\n");
+ else if (buf[0] == '1')
+ printf("Pretty sure that is a one!\n");
+ else
+ printf("Neither one or zero? How quaint!\n");
+ }
+
+ return 0;
+
+}
+
-- cgit 1.4.1
From 0de25f08ba2e39f680a1440e9b84ee9cf4136f9a Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 1 Jun 2020 12:30:55 +0200
Subject: code format
---
 examples/persistent_demo/test-instr.c | 17 ++++++++++-----
 llvm_mode/afl-llvm-rt.o.c | 41 +++++++++++++++++++++++++----------
 src/afl-fuzz-init.c | 2 --
 src/afl-fuzz.c | 6 +----
 4 files changed, 43 insertions(+), 23 deletions(-)
(limited to 'examples/persistent_demo/test-instr.c')
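Review bot: `sprintf(fn, "%09u:test-instr", counter)` in the `_AFL_DOCUMENT_MUTATIONS` block writes an unbounded formatted string into `char fn[32]`; the current format fits (at most 10 digits, an 11-character suffix and the terminator), but nothing on the line enforces that, so `snprintf(fn, sizeof fn, "%09u:test-instr", counter);` keeps the bound next to the format and survives a later edit of the suffix. The header comment still says "a trivial program to test the build", which describes the plain test-instr this file was copied from rather than the persistent-mode shared-memory demo it is; a first line such as `american fuzzy lop++ - persistent mode / shared memory testcase demo` would tell a reader what the example exercises. `argc` and `argv` are unused and will be reported under `-Wextra`; `(void)argc; (void)argv;` at the top of main() records that this is intended.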
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c
index 069e74dd..cd1c9b0e 100644
--- a/examples/persistent_demo/test-instr.c
+++ b/examples/persistent_demo/test-instr.c
@@ -24,34 +24,41 @@ int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - - while(__AFL_LOOP(2147483647)) { - + + while (__AFL_LOOP(2147483647)) { + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; #ifdef _AFL_DOCUMENT_MUTATIONS static unsigned int counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:test-instr", counter); int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; #endif if (!len) continue; - + if (buf[0] == '0') printf("Looks like a zero to me!\n"); else if (buf[0] == '1') printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } return 0;
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 7a763f1b..b96ca7f4 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -74,11 +74,11 @@ u8 __afl_area_initial[MAP_INITIAL_SIZE]; #else u8 __afl_area_initial[MAP_SIZE]; #endif -u8 *__afl_area_ptr = __afl_area_initial; -u8 *__afl_dictionary; -u8 *__afl_fuzz_ptr; -u32 __afl_fuzz_len; -u32 __afl_fuzz_len_dummy; +u8 * __afl_area_ptr = __afl_area_initial; +u8 * __afl_dictionary; +u8 * __afl_fuzz_ptr; +u32 __afl_fuzz_len; +u32 __afl_fuzz_len_dummy; u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy; u32 __afl_final_loc;
@@ -165,8 +165,9 @@ static void __afl_map_shm_fuzz() { exit(1); } - - __afl_fuzz_len_shmem = (u32*) mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); + + __afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); }
@@ -450,22 +451,31 @@ static void __afl_start_snapshots(void) { *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); was_killed = (was_killed & 0xff); -#ifdef _AFL_DOCUMENT_MUTATIONS + #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { + static uint32_t counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:forkserver", counter); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; + } -#endif + + #endif /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old
@@ -646,19 +656,28 @@ static void __afl_start_forkserver(void) { #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { + static uint32_t counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:forkserver", counter); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; + } + #endif /* If we stopped the child in persistent mode, but there was a race
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 840b57f4..ea281b7b 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1949,7 +1949,6 @@ static void handle_skipreq(int sig) { } - /* Setup shared map for fuzzing with input via sharedmem */ void setup_testcase_shmem(afl_state_t *afl) {
@@ -1978,7 +1977,6 @@ void setup_testcase_shmem(afl_state_t *afl) { } - /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 1c797424..54d59a9b 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1179,11 +1179,7 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); - if (afl->shmem_testcase_mode) { - - setup_testcase_shmem(afl); - - } + if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } afl->start_time = get_cur_time();
-- cgit 1.4.1
From 15c0ad60c530906131fc089d8f5b05710c69f109 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 1 Jun 2020 13:15:16 +0200
Subject: minimal changes to a test
---
 examples/persistent_demo/Makefile | 2 +-
 examples/persistent_demo/test-instr.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'examples/persistent_demo/test-instr.c')
diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile
index ea8fd02a..e2cf97f5 100644
--- a/examples/persistent_demo/Makefile
+++ b/examples/persistent_demo/Makefile
@@ -4,7 +4,7 @@ all: afl-clang-fast -o test-instr test-instr.c document: - afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: rm -f persistent_demo persistent_demo_new test-instr
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c
index cd1c9b0e..4cd07102 100644
--- a/examples/persistent_demo/test-instr.c
+++ b/examples/persistent_demo/test-instr.c
@@ -36,7 +36,7 @@ int main(int argc, char **argv) { int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { - if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + if (write(fd_doc, buf, len) != __afl_fuzz_len) { fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn);
-- cgit 1.4.1
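Review bot: The changed line in the test-instr.c hunk now writes `buf` and `len` but still compares the result against `__afl_fuzz_len`, so the short-write check is evaluated against a runtime-internal symbol rather than the length that was actually requested, and it would not notice a short write if the two values ever diverge; compare against what was passed instead: `if (write(fd_doc, buf, len) != (ssize_t)len) {`. The cast also removes the signed/unsigned comparison between write()'s `ssize_t` result and the `unsigned int` `len`, and leaves `__AFL_FUZZ_TESTCASE_BUF`/`__AFL_FUZZ_TESTCASE_LEN` as the demo's only interface to the runtime. The enclosing main() starts and ends outside the hunk.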