From bca7ce804308fdc24404d26a02d2e10116ef6289 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 12:30:20 +0200 Subject: fixed persistent mode shared mem fuzzing --- examples/persistent_demo/Makefile | 6 ++- examples/persistent_demo/persistent_demo.c | 1 + examples/persistent_demo/persistent_demo_new.c | 1 + examples/persistent_demo/test-instr.c | 60 ++++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 examples/persistent_demo/test-instr.c (limited to 'examples') diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile index cbbb7239..ea8fd02a 100644 --- a/examples/persistent_demo/Makefile +++ b/examples/persistent_demo/Makefile @@ -1,6 +1,10 @@ all: afl-clang-fast -o persistent_demo persistent_demo.c afl-clang-fast -o persistent_demo_new persistent_demo_new.c + afl-clang-fast -o test-instr test-instr.c + +document: + afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: - rm -f persistent_demo persistent_demo_new + rm -f persistent_demo persistent_demo_new test-instr diff --git a/examples/persistent_demo/persistent_demo.c b/examples/persistent_demo/persistent_demo.c index 2da49bb0..4cedc32c 100644 --- a/examples/persistent_demo/persistent_demo.c +++ b/examples/persistent_demo/persistent_demo.c @@ -41,6 +41,7 @@ int main(int argc, char **argv) { terminate normally. This limits the impact of accidental memory leaks and similar hiccups. */ + __AFL_INIT(); while (__AFL_LOOP(1000)) { /*** PLACEHOLDER CODE ***/ diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 36411e13..69468bdd 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -42,6 +42,7 @@ int main(int argc, char **argv) { terminate normally. This limits the impact of accidental memory leaks and similar hiccups. */ + __AFL_INIT(); buf = __AFL_FUZZ_TESTCASE_BUF; while (__AFL_LOOP(1000)) { 
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c new file mode 100644 index 00000000..069e74dd --- /dev/null +++ b/examples/persistent_demo/test-instr.c @@ -0,0 +1,60 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include + +__AFL_FUZZ_INIT(); + +int main(int argc, char **argv) { + + __AFL_INIT(); + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + + while(__AFL_LOOP(2147483647)) { + + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; + +#ifdef _AFL_DOCUMENT_MUTATIONS + static unsigned int counter = 0; + char fn[32]; + sprintf(fn, "%09u:test-instr", counter); + int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); + unlink(fn); + } + close(fd_doc); + } + counter++; +#endif + + if (!len) continue; + + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + } + + return 0; + +} + -- cgit 1.4.1 From 0de25f08ba2e39f680a1440e9b84ee9cf4136f9a Mon Sep 17 00:00:00 2001 
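Review bot: The `_AFL_DOCUMENT_MUTATIONS` block in the new test-instr.c creates a file per iteration in the working directory but carries no comment saying what it is for, and it reaches for the runtime internals `__afl_fuzz_ptr`/`__afl_fuzz_len` while the rest of `main` uses the public `buf`/`len`, which hides that both name the same input. A comment above the `#ifdef`, `/* built with -D_AFL_DOCUMENT_MUTATIONS (Makefile target "document"): write every input to ./NNNNNNNNN:test-instr in the cwd so a run can be replayed; the file is removed if the write fails */`, would tell a reader what the `document` target produces and where. Using `buf` and `len` in the `write()` call keeps the example to the documented macros.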
From: van Hauser Date: Mon, 1 Jun 2020 12:30:55 +0200 Subject: code format --- examples/persistent_demo/test-instr.c | 17 ++++++++++----- llvm_mode/afl-llvm-rt.o.c | 41 +++++++++++++++++++++++++---------- src/afl-fuzz-init.c | 2 -- src/afl-fuzz.c | 6 +---- 4 files changed, 43 insertions(+), 23 deletions(-) (limited to 'examples') diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index 069e74dd..cd1c9b0e 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -24,34 +24,41 @@ int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - - while(__AFL_LOOP(2147483647)) { - + + while (__AFL_LOOP(2147483647)) { + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; #ifdef _AFL_DOCUMENT_MUTATIONS static unsigned int counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:test-instr", counter); int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; #endif if (!len) continue; - + if (buf[0] == '0') printf("Looks like a zero to me!\n"); else if (buf[0] == '1') printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } return 0; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 7a763f1b..b96ca7f4 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -74,11 +74,11 @@ u8 __afl_area_initial[MAP_INITIAL_SIZE]; #else u8 __afl_area_initial[MAP_SIZE]; #endif -u8 *__afl_area_ptr = __afl_area_initial; -u8 *__afl_dictionary; -u8 *__afl_fuzz_ptr; -u32 __afl_fuzz_len; -u32 __afl_fuzz_len_dummy; +u8 * __afl_area_ptr = __afl_area_initial; +u8 * __afl_dictionary; +u8 * __afl_fuzz_ptr; +u32 __afl_fuzz_len; +u32 __afl_fuzz_len_dummy; u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy; u32 __afl_final_loc; @@ -165,8 +165,9 @@ static void __afl_map_shm_fuzz() { exit(1); } - - __afl_fuzz_len_shmem = (u32*) mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); + + __afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); } @@ -450,22 +451,31 @@ static void __afl_start_snapshots(void) { *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); was_killed = (was_killed & 0xff); -#ifdef _AFL_DOCUMENT_MUTATIONS + #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { + static uint32_t counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:forkserver", counter); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; + } -#endif + + #endif /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old 
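Review bot: The reflowed `mmap()` in `__afl_map_shm_fuzz` still assigns its result to `__afl_fuzz_len_shmem` without checking for `MAP_FAILED`, and the `__afl_start_snapshots` hunk below writes through that pointer (`*__afl_fuzz_len_shmem = __afl_fuzz_len = ...`), so an mmap failure becomes a store to address -1 rather than a diagnosed error. The function already exits on the shmat failure just above; the same treatment fits here, e.g. `if (__afl_fuzz_len_shmem == MAP_FAILED) { fprintf(stderr, "mmap() for the shared input length failed\n"); exit(1); }`. `__afl_map_shm_fuzz` starts before the hunk.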
@@ -646,19 +656,28 @@ static void __afl_start_forkserver(void) { #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { + static uint32_t counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:forkserver", counter); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; + } + #endif /* If we stopped the child in persistent mode, but there was a race diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 840b57f4..ea281b7b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1949,7 +1949,6 @@ static void handle_skipreq(int sig) { } - /* Setup shared map for fuzzing with input via sharedmem */ void setup_testcase_shmem(afl_state_t *afl) { @@ -1978,7 +1977,6 @@ void setup_testcase_shmem(afl_state_t *afl) { } - /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1c797424..54d59a9b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1179,11 +1179,7 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); - if (afl->shmem_testcase_mode) { - - setup_testcase_shmem(afl); - - } + if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } afl->start_time = get_cur_time(); -- cgit 1.4.1 From 15c0ad60c530906131fc089d8f5b05710c69f109 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 13:15:16 +0200 Subject: minimal changes to a test --- examples/persistent_demo/Makefile | 2 +- examples/persistent_demo/test-instr.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile index ea8fd02a..e2cf97f5 100644 
--- a/examples/persistent_demo/Makefile +++ b/examples/persistent_demo/Makefile @@ -4,7 +4,7 @@ all: afl-clang-fast -o test-instr test-instr.c document: - afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: rm -f persistent_demo persistent_demo_new test-instr diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index cd1c9b0e..4cd07102 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -36,7 +36,7 @@ int main(int argc, char **argv) { int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { - if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + if (write(fd_doc, buf, len) != __afl_fuzz_len) { fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); -- cgit 1.4.1 From ac998e9222c5a7572716cd2ec1affd00d7a45e3d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 13:15:34 +0200 Subject: minimal changes to a test --- examples/persistent_demo/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile index e2cf97f5..6fa1c30e 100644 --- a/examples/persistent_demo/Makefile +++ b/examples/persistent_demo/Makefile @@ -1,7 +1,7 @@ all: afl-clang-fast -o persistent_demo persistent_demo.c afl-clang-fast -o persistent_demo_new persistent_demo_new.c - afl-clang-fast -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c document: AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c -- cgit 1.4.1 From 9a65fe904dd0895b9f7d27aae1fbce22fcb598ef Mon Sep 17 00:00:00 2001 
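Review bot: The rewritten `write()` call in test-instr.c now writes `len` bytes from `buf` but still compares the result against `__afl_fuzz_len`, so the success check follows a different variable than the data actually written; the two presumably carry the same value, but the check should track the request it verifies: `if (write(fd_doc, buf, len) != (ssize_t)len) {`. That also makes the comparison of the signed `write()` result explicit instead of relying on implicit conversion. The enclosing `main` continues outside the hunk.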
From: van Hauser Date: Mon, 1 Jun 2020 13:37:50 +0200 Subject: small changes to libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 3dcc8c3c..a6b168cd 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -252,27 +252,27 @@ int main(int argc, char **argv) { else if(argc == 2 && (N = atoi(argv[1])) > 0) Printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { - if (!getenv("AFL_DRIVER_DONT_DEFER")) { +// if (!getenv("AFL_DRIVER_DONT_DEFER")) { __afl_sharedmem_fuzzing = 0; __afl_manual_init(); - } +// } return ExecuteFilesOnyByOne(argc, argv); exit(0); } assert(N > 0); - if (!getenv("AFL_DRIVER_DONT_DEFER")) - __afl_manual_init(); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); +// if (!getenv("AFL_DRIVER_DONT_DEFER")) + __afl_manual_init(); + int num_runs = 0; while (__afl_persistent_loop(N)) { - if (__afl_fuzz_len > 0) { + if (__afl_fuzz_len) { num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); } -- cgit 1.4.1 From adcffce0a083cf32ea41f5631ec0e9d77dfdd115 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 14:57:05 +0200 Subject: fix libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a6b168cd..1feae1c3 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp 
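Review bot: The two `AFL_DRIVER_DONT_DEFER` checks are left in aflpp_driver.cpp as `//`-commented lines rather than removed, and the relocation of `__afl_manual_init()` below the warm-up `LLVMFuzzerTestOneInput(dummy_input, 1)` call carries no comment, so a reader cannot tell whether the environment variable is meant to return or is now deliberately ignored. Either delete the commented-out `if` lines, or leave one comment at the call site stating the decision, for example `// AFL_DRIVER_DONT_DEFER is no longer honored: the forkserver is always started here, after the warm-up call` — only if that is in fact the intent. `main` continues outside the hunk.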
@@ -262,14 +262,14 @@ int main(int argc, char **argv) { assert(N > 0); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization - // on the first execution of LLVMFuzzerTestOneInput is ignored. - uint8_t dummy_input[1] = {0}; - LLVMFuzzerTestOneInput(dummy_input, 1); - // if (!getenv("AFL_DRIVER_DONT_DEFER")) __afl_manual_init(); + // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization + // on the first execution of LLVMFuzzerTestOneInput is ignored. + //uint8_t dummy_input[1] = {0}; + //LLVMFuzzerTestOneInput(dummy_input, 1); + int num_runs = 0; while (__afl_persistent_loop(N)) { if (__afl_fuzz_len) { -- cgit 1.4.1 From 1d15048f2f79bb6836e8a50676a8ecc8cff1e5d0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 15:30:44 +0200 Subject: hopeful finally change for libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 1feae1c3..f2c604da 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -267,8 +267,8 @@ int main(int argc, char **argv) { // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - //uint8_t dummy_input[1] = {0}; - //LLVMFuzzerTestOneInput(dummy_input, 1); + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); int num_runs = 0; while (__afl_persistent_loop(N)) { -- cgit 1.4.1 From 9962de1a4c26d226b15d7bee64b483098fe62b3f Mon Sep 17 00:00:00 2001 
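Review bot: Restoring the `dummy_input` warm-up call leaves it after `__afl_manual_init()`, so the comment above it ("coverage caused by initialization on the first execution ... is ignored") now describes the earlier ordering; whether those edges are excluded from the first fuzz run after the forkserver has started depends on the persistent loop resetting the map on its first pass, which is not shown here. The comment should say which ordering is intended and why, e.g. `// Warm-up call after the forkserver starts: relies on __afl_persistent_loop clearing the map on its first pass so init-time edges do not count` — after confirming that is what the runtime does. `main` starts and ends outside the hunk.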
From: Andrea Fioraldi Date: Wed, 3 Jun 2020 09:57:44 +0200 Subject: shared mem input for qemu persistent hook --- examples/qemu_persistent_hook/read_into_rdi.c | 19 ++++-- qemu_mode/patches/afl-qemu-common.h | 9 ++- qemu_mode/patches/afl-qemu-cpu-inl.h | 82 ++++++++++++++++++++++---- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 3 +- src/afl-fuzz.c | 2 + 5 files changed, 96 insertions(+), 19 deletions(-) (limited to 'examples') diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 6cf66ddf..29087962 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c @@ -35,16 +35,25 @@ enum { }; -void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) { +void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, + uint8_t* input_buf, uint32_t input_len) { // In this example the register RDI is pointing to the memory location // of the target buffer, and the length of the input is in RSI. // This can be seen with a debugger, e.g. gdb (and "disass main") - printf("reading into %p\n", regs[R_EDI]); - size_t r = read(0, g2h(regs[R_EDI]), 1024); - regs[R_ESI] = r; - printf("read %ld bytes\n", r); + printf("placing input into %p\n", regs[R_EDI]); + + if (input_len > 1024) + input_len = 1024; + memcpy(g2h(regs[R_EDI]), input_buf, input_len); + regs[R_ESI] = input_len; } +int afl_persistent_hook_init(void) { + + // 1 for shared memory input (faster), 0 for normal input (you have to use read(), input_buf will be NULL) + return 1; + +} diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 057e1b62..5812596a 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h 
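Review bot: `printf("placing input into %p\n", regs[R_EDI])` in read_into_rdi.c passes a `uint64_t` to `%p`, a format/argument mismatch that is undefined behavior and a `-Wformat` warning; print it as `(void *)(uintptr_t)regs[R_EDI]` or with `PRIx64`. The clamp `if (input_len > 1024) input_len = 1024;` is the only bound on the `memcpy` into guest memory and hard-codes the example target's buffer size without saying so, so a named constant with a comment, `enum { TARGET_BUF_SIZE = 1024 }; /* size of the buffer RDI points at in the example target; must match it */`, makes the coupling visible to anyone swapping the target. `afl_persistent_hook_init` should also state in its comment that returning 1 commits the hook to using `input_buf`/`input_len` rather than `read()`, which the comment on the next lines already partly does.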
@@ -63,7 +63,10 @@ #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif -typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base); +typedef void (*afl_persistent_hook_fn)(uint64_t *regs, + uint64_t guest_base, + uint8_t* input_buf, + uint32_t input_buf_len); /* Declared in afl-qemu-cpu-inl.h */ @@ -81,6 +84,10 @@ extern unsigned char persistent_save_gpr; extern uint64_t persistent_saved_gpr[AFL_REGS_NUM]; extern int persisent_retaddr_offset; +extern u8 *shared_buf; +extern u32 shared_buf_len; +extern u8 sharedmem_fuzzing; + extern afl_persistent_hook_fn afl_persistent_hook_ptr; extern __thread abi_ulong afl_prev_loc; diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index e4ebaf88..dc18ea95 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -83,6 +83,10 @@ unsigned char persistent_save_gpr; uint64_t persistent_saved_gpr[AFL_REGS_NUM]; int persisent_retaddr_offset; +u8 *shared_buf; +u32 shared_buf_len; +u8 sharedmem_fuzzing; + afl_persistent_hook_fn afl_persistent_hook_ptr; /* Instrumentation ratio: */ @@ -128,6 +132,7 @@ static inline TranslationBlock *tb_find(CPUState *, TranslationBlock *, int, static inline void tb_add_jump(TranslationBlock *tb, int n, TranslationBlock *tb_next); int open_self_maps(void *cpu_env, int fd); +static void afl_map_shm_fuzz(void); /************************* * ACTUAL IMPLEMENTATION * 
@@ -135,6 +140,36 @@ int open_self_maps(void *cpu_env, int fd); /* Set up SHM region and initialize other stuff. */ +static void afl_map_shm_fuzz(void) { + + char *id_str = getenv(SHM_FUZZ_ENV_VAR); + + if (id_str) { + + u32 shm_id = atoi(id_str); + shared_buf = shmat(shm_id, NULL, 0); + + /* Whooooops. */ + + if (shared_buf == (void *)-1) { + + fprintf(stderr, "[AFL] ERROR: could not access fuzzing shared memory\n"); + exit(1); + + } + + if (getenv("AFL_DEBUG")) + fprintf(stderr, "[AFL] DEBUG: successfully got fuzzing shared memory\n"); + + } else { + + fprintf(stderr, "[AFL] ERROR: variable for fuzzing shared memory is not set\n"); + exit(1); + + } + +} + void afl_setup(void) { char *id_str = getenv(SHM_ENV_VAR), *inst_r = getenv("AFL_INST_RATIO"); @@ -247,6 +282,11 @@ void afl_setup(void) { exit(1); } + + int (*afl_persistent_hook_init_ptr)(void) = dlsym(plib, + "afl_persistent_hook_init"); + if (afl_persistent_hook_init_ptr) + sharedmem_fuzzing = afl_persistent_hook_init_ptr(); afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook"); if (!afl_persistent_hook_ptr) { @@ -262,7 +302,7 @@ void afl_setup(void) { #endif } - + if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) persisent_retaddr_offset = strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0); @@ -278,7 +318,7 @@ void afl_setup(void) { void afl_forkserver(CPUState *cpu) { - u32 map_size = 0; + //u32 map_size = 0; unsigned char tmp[4] = {0}; if (forkserver_installed == 1) return; 
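Review bot: `afl_map_shm_fuzz` converts `SHM_FUZZ_ENV_VAR` with `atoi`, which cannot report a malformed value, so a non-numeric or truncated id silently becomes 0 (or a wrong number) and is only caught if `shmat` happens to fail on it. Parsing with `strtoul` and an end-pointer check rejects bad input explicitly and keeps the error message specific; the shmat failure branch, the `AFL_DEBUG` message and the missing-variable branch stay as they are.
```c
static void afl_map_shm_fuzz(void) {

  char *id_str = getenv(SHM_FUZZ_ENV_VAR);

  if (id_str) {

    char *end = NULL;
    unsigned long parsed = strtoul(id_str, &end, 10);
    if (end == id_str || *end != '\0') {

      fprintf(stderr, "[AFL] ERROR: malformed fuzzing shared memory id\n");
      exit(1);

    }

    u32 shm_id = (u32)parsed;
    shared_buf = shmat(shm_id, NULL, 0);

    /* … unchanged: shmat failure check, AFL_DEBUG message, else branch … */
```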
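Review bot: The `afl_forkserver` hunk replaces the `map_size` declaration with the commented-out line `//u32 map_size = 0;` instead of deleting it, and `map_size` is no longer used anywhere in the new code on this page; commented-out code only accumulates and the next formatting pass already has to touch it. Drop the line, or if the variable is expected to return, say so in a real comment. `afl_forkserver` continues outside the hunk.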
@@ -291,15 +331,15 @@ void afl_forkserver(CPUState *cpu) { pid_t child_pid; int t_fd[2]; u8 child_stopped = 0; + u32 was_killed; + int status; - // if in the future qemu has non-collding coverage then switch MAP_SIZE // with the max ID value - if (MAP_SIZE <= 0x800000) { - - map_size = (FS_OPT_ENABLED | FS_OPT_MAPSIZE | FS_OPT_SET_MAPSIZE(MAP_SIZE)); - memcpy(tmp, &map_size, 4); - - } + if (MAP_SIZE <= FS_OPT_MAX_MAPSIZE) + status |= (FS_OPT_SET_MAPSIZE(MAP_SIZE) | FS_OPT_MAPSIZE); + if (sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; + if (status) status |= (FS_OPT_ENABLED); + memcpy(tmp, &status, 4); /* Tell the parent that we're alive. If the parent doesn't want to talk, assume that we're not running in forkserver mode. */ @@ -309,17 +349,34 @@ void afl_forkserver(CPUState *cpu) { afl_forksrv_pid = getpid(); int first_run = 1; + + if (sharedmem_fuzzing) { + + if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); + + if ((was_killed & (0xffffffff & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ))) == + (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) + afl_map_shm_fuzz(); + else { + + fprintf(stderr, "[AFL] ERROR: afl-fuzz is old and does not support" + " shmem input"); + exit(1); + + } + + } /* All right, let's await orders... */ while (1) { - int status; - u32 was_killed; - /* Whoops, parent dead? */ if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); + + shared_buf_len = (was_killed >> 8); + was_killed = (was_killed & 0xff); /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old @@ -402,6 +459,7 @@ void afl_forkserver(CPUState *cpu) { } + /* A simplified persistent mode handler, used as explained in * llvm_mode/README.md. */ diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 083c27e5..15d5c91c 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h 
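Review bot: `int status;` is added without an initializer and its first uses are `status |= ...` followed by `if (status) ...` and `memcpy(tmp, &status, 4)`, so the option word handed to afl-fuzz in the handshake is built from an indeterminate value (undefined behavior; in practice stray bits can turn on options such as `FS_OPT_SHDMEM_FUZZ` that the target never requested). The previous code started from `map_size = 0`; keep that property with `int status = 0;`. `afl_forkserver` starts and ends outside the hunk.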
@@ -161,7 +161,8 @@ static void log_x86_sp_content(void) { static void callback_to_persistent_hook(void) { - afl_persistent_hook_ptr(persistent_saved_gpr, guest_base); + afl_persistent_hook_ptr(persistent_saved_gpr, guest_base, shared_buf, + shared_buf_len); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index ee9c0c67..aed1e958 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -556,6 +556,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } afl->fsrv.qemu_mode = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -583,6 +584,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_wine) { FATAL("Multiple -W options not supported"); } afl->fsrv.qemu_mode = 1; afl->use_wine = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = 0; } -- cgit 1.4.1 From 1c95e2e8e0674b69bf38e3e097948c6db9f07493 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 10:34:29 +0200 Subject: aflpp libfuzzer driver for qemu mode --- examples/aflpp_driver/GNUmakefile | 16 ++++++++++++++-- examples/aflpp_driver/aflpp_qemu_driver.c | 17 +++++++++++++++++ examples/aflpp_driver/aflpp_qemu_driver_hook.c | 21 +++++++++++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 examples/aflpp_driver/aflpp_qemu_driver.c create mode 100644 examples/aflpp_driver/aflpp_qemu_driver_hook.c (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index a681d2cf..05ddebb0 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -9,7 +9,7 @@ endif FLAGS=-O3 -funroll-loops -all: libAFLDriver.a +all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so aflpp_driver.o: aflpp_driver.cpp $(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp 
@@ -17,5 +17,17 @@ aflpp_driver.o: aflpp_driver.cpp libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o +aflpp_qemu_driver.o: aflpp_qemu_driver.c + $(LLVM_BINDIR)clang $(FLAGS) -funroll-loops -c aflpp_qemu_driver.c + +libAFLQemuDriver.a: aflpp_qemu_driver.o + ar ru libAFLQemuDriver.a aflpp_qemu_driver.o + +aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o + $(LLVM_BINDIR)clang -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so + +aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c + $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c + clean: - rm -f *.o libAFLDriver*.a *~ core + rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c new file mode 100644 index 00000000..dd272408 --- /dev/null +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -0,0 +1,17 @@ +#include +#include + +// libFuzzer interface is thin, so we don't include any libFuzzer headers. +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); +__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); + +int main(int argc, char **argv) { + if (LLVMFuzzerInitialize) + LLVMFuzzerInitialize(&argc, &argv); + // Do any other expensive one-time initialization here. + + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); + + return 0; +} diff --git a/examples/aflpp_driver/aflpp_qemu_driver_hook.c b/examples/aflpp_driver/aflpp_qemu_driver_hook.c new file mode 100644 index 00000000..17a84668 --- /dev/null +++ b/examples/aflpp_driver/aflpp_qemu_driver_hook.c 
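Review bot: `main` in the new aflpp_qemu_driver.c hands `LLVMFuzzerTestOneInput` a one-byte stack array `dummy_input`, while the companion aflpp_qemu_driver_hook.c in this commit copies `input_len` bytes to the address in RDI with no clamp; if the persistent hook fires at this call, as the driver's name suggests, every test case longer than one byte overwrites the stack frame of `main`, so the driver corrupts itself before the target code is reached. The driver should own a buffer sized for the largest input the fuzzer can deliver and the hook should clamp to the same constant, for example `#define AFL_QEMU_INPUT_MAX (1024 * 1024)` and `static uint8_t afl_input_buf[AFL_QEMU_INPUT_MAX];` with `LLVMFuzzerTestOneInput(afl_input_buf, 1);` here, and `if (input_len > AFL_QEMU_INPUT_MAX) input_len = AFL_QEMU_INPUT_MAX;` before the `memcpy` in the hook. How the hook is attached to this call is not shown on this page, so the size agreement between the two files deserves a comment in both.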
@@ -0,0 +1,21 @@ +#include +#include + +#define g2h(x) ((void *)((unsigned long)(x) + guest_base)) + +#define REGS_RDI 7 +#define REGS_RSI 6 + +void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, + uint8_t* input_buf, uint32_t input_len) { + + memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); + regs[REGS_RSI] = input_len; + +} + +int afl_persistent_hook_init(void) { + + return 1; + +} -- cgit 1.4.1 From fc164e4709f1f1c91f9343eb116627417e7f267f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 10:50:49 +0200 Subject: code format --- examples/aflpp_driver/aflpp_qemu_driver.c | 8 ++++--- examples/aflpp_driver/aflpp_qemu_driver_hook.c | 5 ++-- examples/qemu_persistent_hook/read_into_rdi.c | 11 +++++---- qemu_mode/patches/afl-qemu-common.h | 7 +++--- qemu_mode/patches/afl-qemu-cpu-inl.h | 33 +++++++++++++------------- src/afl-common.c | 6 +++-- src/afl-forkserver.c | 4 +++- src/afl-fuzz-init.c | 9 +++++-- src/afl-fuzz-one.c | 15 ++++++------ src/afl-fuzz-run.c | 7 +++--- src/afl-fuzz-stats.c | 11 +++++---- src/afl-fuzz.c | 19 +++++++++++---- src/afl-sharedmem.c | 19 ++++++++------- 13 files changed, 90 insertions(+), 64 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index dd272408..d8862316 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -6,12 +6,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int main(int argc, char **argv) { - if (LLVMFuzzerInitialize) - LLVMFuzzerInitialize(&argc, &argv); + + if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); - + return 0; + } + 
diff --git a/examples/aflpp_driver/aflpp_qemu_driver_hook.c b/examples/aflpp_driver/aflpp_qemu_driver_hook.c index 17a84668..823cc42d 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver_hook.c +++ b/examples/aflpp_driver/aflpp_qemu_driver_hook.c @@ -7,9 +7,9 @@ #define REGS_RSI 6 void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, - uint8_t* input_buf, uint32_t input_len) { + uint8_t *input_buf, uint32_t input_len) { - memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); + memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); regs[REGS_RSI] = input_len; } @@ -19,3 +19,4 @@ int afl_persistent_hook_init(void) { return 1; } + diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 29087962..180d9f00 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c @@ -36,7 +36,7 @@ enum { }; void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, - uint8_t* input_buf, uint32_t input_len) { + uint8_t *input_buf, uint32_t input_len) { // In this example the register RDI is pointing to the memory location // of the target buffer, and the length of the input is in RSI. @@ -44,16 +44,17 @@ void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, printf("placing input into %p\n", regs[R_EDI]); - if (input_len > 1024) - input_len = 1024; - memcpy(g2h(regs[R_EDI]), input_buf, input_len); + if (input_len > 1024) input_len = 1024; + memcpy(g2h(regs[R_EDI]), input_buf, input_len); regs[R_ESI] = input_len; } int afl_persistent_hook_init(void) { - // 1 for shared memory input (faster), 0 for normal input (you have to use read(), input_buf will be NULL) + // 1 for shared memory input (faster), 0 for normal input (you have to use + // read(), input_buf will be NULL) return 1; } + diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 5812596a..f7ffa56a 100644 --- a/qemu_mode/patches/afl-qemu-common.h 
+++ b/qemu_mode/patches/afl-qemu-common.h @@ -63,9 +63,8 @@ #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif -typedef void (*afl_persistent_hook_fn)(uint64_t *regs, - uint64_t guest_base, - uint8_t* input_buf, +typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len); /* Declared in afl-qemu-cpu-inl.h */ @@ -86,7 +85,7 @@ extern int persisent_retaddr_offset; extern u8 *shared_buf; extern u32 shared_buf_len; -extern u8 sharedmem_fuzzing; +extern u8 sharedmem_fuzzing; extern afl_persistent_hook_fn afl_persistent_hook_ptr; diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index dc18ea95..7836e2cf 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -85,7 +85,7 @@ int persisent_retaddr_offset; u8 *shared_buf; u32 shared_buf_len; -u8 sharedmem_fuzzing; +u8 sharedmem_fuzzing; afl_persistent_hook_fn afl_persistent_hook_ptr; @@ -163,7 +163,8 @@ static void afl_map_shm_fuzz(void) { } else { - fprintf(stderr, "[AFL] ERROR: variable for fuzzing shared memory is not set\n"); + fprintf(stderr, + "[AFL] ERROR: variable for fuzzing shared memory is not set\n"); exit(1); } @@ -282,9 +283,9 @@ void afl_setup(void) { exit(1); } - - int (*afl_persistent_hook_init_ptr)(void) = dlsym(plib, - "afl_persistent_hook_init"); + + int (*afl_persistent_hook_init_ptr)(void) = + dlsym(plib, "afl_persistent_hook_init"); if (afl_persistent_hook_init_ptr) sharedmem_fuzzing = afl_persistent_hook_init_ptr(); @@ -302,7 +303,7 @@ void afl_setup(void) { #endif } - + if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) persisent_retaddr_offset = strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0); @@ -318,7 +319,7 @@ void afl_setup(void) { void afl_forkserver(CPUState *cpu) { - //u32 map_size = 0; + // u32 map_size = 0; unsigned char tmp[4] = {0}; if (forkserver_installed == 1) return; 
@@ -331,8 +332,8 @@ void afl_forkserver(CPUState *cpu) { pid_t child_pid; int t_fd[2]; u8 child_stopped = 0; - u32 was_killed; - int status; + u32 was_killed; + int status; // with the max ID value if (MAP_SIZE <= FS_OPT_MAX_MAPSIZE) @@ -349,7 +350,7 @@ void afl_forkserver(CPUState *cpu) { afl_forksrv_pid = getpid(); int first_run = 1; - + if (sharedmem_fuzzing) { if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); @@ -358,11 +359,12 @@ void afl_forkserver(CPUState *cpu) { (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) afl_map_shm_fuzz(); else { - - fprintf(stderr, "[AFL] ERROR: afl-fuzz is old and does not support" - " shmem input"); + + fprintf(stderr, + "[AFL] ERROR: afl-fuzz is old and does not support" + " shmem input"); exit(1); - + } } @@ -374,7 +376,7 @@ void afl_forkserver(CPUState *cpu) { /* Whoops, parent dead? */ if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); - + shared_buf_len = (was_killed >> 8); was_killed = (was_killed & 0xff); @@ -459,7 +461,6 @@ void afl_forkserver(CPUState *cpu) { } - /* A simplified persistent mode handler, used as explained in * llvm_mode/README.md. */ diff --git a/src/afl-common.c b/src/afl-common.c index c9b4638a..f4cba573 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -253,7 +253,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional non-instrumented fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the " + "command " "line.\n"); FATAL("Failed to locate 'afl-qemu-trace'."); 
@@ -353,7 +354,8 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional non-instrumented fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the " + "command " "line.\n", ncp); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index d32e8293..b5b55713 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -524,7 +524,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else { - FATAL("Target requested sharedmem fuzzing, but we failed to enable it."); + FATAL( + "Target requested sharedmem fuzzing, but we failed to enable " + "it."); } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 05aa0cc7..3c3503b1 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1859,7 +1859,11 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->non_instrumented_mode) { FATAL("-S / -M and -n are mutually exclusive"); } + if (afl->non_instrumented_mode) { + + FATAL("-S / -M and -n are mutually exclusive"); + + } while (*x) { @@ -2126,7 +2130,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ - if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->non_instrumented_mode && + if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && + !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 146e30bc..578ac584 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -512,7 +512,8 @@ u8 fuzz_one_original(afl_state_t *afl) { * TRIMMING * ************/ - if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && !afl->disable_trim) { + if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && + !afl->disable_trim) { u8 res = trim_case(afl, afl->queue_cur, in_buf); 
@@ -579,8 +580,8 @@ u8 fuzz_one_original(afl_state_t *afl) { /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this main instance. */ - if (afl->main_node_max && - (afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { + if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) != + afl->main_node_id - 1) { goto custom_mutator_stage; @@ -2732,8 +2733,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this main instance. */ - if (afl->main_node_max && - (afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { + if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) != + afl->main_node_id - 1) { goto havoc_stage; @@ -2975,8 +2976,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u32 cksum; - /* If in non-instrumented mode or if the file is very short, just flag everything - without wasting time on checksums. */ + /* If in non-instrumented mode or if the file is very short, just flag + everything without wasting time on checksums. */ if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ec5ade53..5934690f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
@@ -562,10 +562,11 @@ void sync_fuzzers(afl_state_t *afl) { closedir(sd); // If we are a secondary and no main was found to sync then become the main - if (unlikely(synced == 0) && likely(entries) && likely(afl->is_secondary_node)) { + if (unlikely(synced == 0) && likely(entries) && + likely(afl->is_secondary_node)) { - // there is a small race condition here that another secondary runs at the same - // time. If so, the first temporary main node running again will demote + // there is a small race condition here that another secondary runs at the + // same time. If so, the first temporary main node running again will demote // themselves so this is not an issue u8 path[PATH_MAX]; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d6bb8b72..97221572 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -126,8 +126,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, t_bytes, afl->var_byte_count, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", - afl->crash_mode ? "crash " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", @@ -526,8 +525,9 @@ void show_stats(afl_state_t *afl) { t_byte_ratio); SAYF(" map density : %s%-21s" bSTG bV "\n", - t_byte_ratio > 70 ? cLRD - : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), + t_byte_ratio > 70 + ? cLRD + : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), tmp); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), 
@@ -1022,7 +1022,8 @@ void show_init_stats(afl_state_t *afl) { } - /* In non-instrumented mode, re-running every timing out test case with a generous time + /* In non-instrumented mode, re-running every timing out test case with a + generous time limit is very expensive, so let's select a more conservative default. */ if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aed1e958..07e1584b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -379,9 +379,11 @@ int main(int argc, char **argv_orig, char **envp) { *c = 0; - if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != 2 || + if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != + 2 || !afl->main_node_id || !afl->main_node_max || - afl->main_node_id > afl->main_node_max || afl->main_node_max > 1000000) { + afl->main_node_id > afl->main_node_max || + afl->main_node_max > 1000000) { FATAL("Bogus main node ID passed to -M"); @@ -533,7 +535,12 @@ int main(int argc, char **argv_orig, char **envp) { case 'n': /* dumb mode */ - if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); } + if (afl->non_instrumented_mode) { + + FATAL("Multiple -n options not supported"); + + } + if (afl->afl_env.afl_dumb_forksrv) { afl->non_instrumented_mode = 2; @@ -793,10 +800,12 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_main_node && + afl->afl_env.afl_custom_mutator_only) { WARNF( - "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " + "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options " + "will " "result in no deterministic mutations being done!"); } 
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f87c75eb..63013435 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -96,7 +96,8 @@ void afl_shm_deinit(sharedmem_t *shm) { Returns a pointer to shm->map for ease of use. */ -u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) { +u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, + unsigned char non_instrumented_mode) { shm->map_size = map_size; @@ -137,10 +138,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument } - /* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented + mode, we don't want them to detect instrumentation, since we won't be + sending fork server commands. This should be replaced with better + auto-detection later on, perhaps? */ if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); @@ -164,10 +165,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument shm_str = alloc_printf("%d", shm->shm_id); - /* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented + mode, we don't want them to detect instrumentation, since we won't be + sending fork server commands. This should be replaced with better + auto-detection later on, perhaps? */ if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } -- cgit 1.4.1 From f1192b2d16116fb6c8dc2673e37ec426b7792312 Mon Sep 17 00:00:00 2001 
From: Andrea Fioraldi Date: Wed, 3 Jun 2020 11:38:44 +0200 Subject: AFL_QEMU_DRIVER_NO_HOOK --- examples/aflpp_driver/aflpp_qemu_driver.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index dd272408..0944148e 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -1,17 +1,36 @@ #include #include +#include // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); +static const size_t kMaxAflInputSize = 1 << 20; +static uint8_t AflInputBuf[kMaxAflInputSize]; + +void afl_qemu_driver_stdin_input(void) { + + size_t l = read(0, AflInputBuf, kMaxAflInputSize); + LLVMFuzzerTestOneInput(AflInputBuf, l); + +} + int main(int argc, char **argv) { if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - uint8_t dummy_input[1] = {0}; - LLVMFuzzerTestOneInput(dummy_input, 1); + if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) { + + afl_qemu_driver_stdin_input(); + + } else { + + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); + + } return 0; } -- cgit 1.4.1 From 177db9cf7941975d31e2d1ff8304659d14561568 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 11:51:35 +0200 Subject: no inline in qemu driver --- examples/aflpp_driver/aflpp_qemu_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index 404ce84c..ea4dab95 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c 
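Review bot: In afl_qemu_driver_stdin_input the return value of read() is stored in a `size_t`, so a failed read (-1) becomes SIZE_MAX and is handed to LLVMFuzzerTestOneInput as the input length, which over-reads AflInputBuf. Keep the signed type and bail out on error: `ssize_t l = read(0, AflInputBuf, kMaxAflInputSize);` followed by `if (l < 0) return;`. A single read() on a pipe can also return fewer bytes than were sent, so the no-hook path may see truncated inputs unless it loops until EOF; how stdin is fed here is not visible, so that part needs confirming. Note also that `static uint8_t AflInputBuf[kMaxAflInputSize]` with a `static const size_t` bound is a variably modified type at file scope in standard C — clang folds it as an extension, gcc rejects it — so an enum or `#define` for the size is the portable spelling.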
@@ -9,7 +9,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); static const size_t kMaxAflInputSize = 1 << 20; static uint8_t AflInputBuf[kMaxAflInputSize]; -void afl_qemu_driver_stdin_input(void) { +void __attribute__ ((noinline)) afl_qemu_driver_stdin_input(void) { size_t l = read(0, AflInputBuf, kMaxAflInputSize); LLVMFuzzerTestOneInput(AflInputBuf, l); -- cgit 1.4.1 From dd0ca7335ff93090def7be7fd0b46e9f71375004 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 15:49:23 +0200 Subject: switch shmem_len to the map --- examples/aflpp_driver/aflpp_qemu_driver.c | 6 +++--- include/forkserver.h | 4 ++-- llvm_mode/afl-llvm-rt.o.c | 9 +-------- qemu_mode/patches/afl-qemu-common.h | 6 +++--- qemu_mode/patches/afl-qemu-cpu-inl.h | 10 ++++------ qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 2 +- src/afl-forkserver.c | 6 ++---- src/afl-fuzz-init.c | 6 ++++-- src/afl-fuzz-run.c | 4 ++-- src/afl-fuzz-stats.c | 14 ++++++++++++++ 10 files changed, 36 insertions(+), 31 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index ea4dab95..604feb91 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -7,9 +7,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); static const size_t kMaxAflInputSize = 1 << 20; -static uint8_t AflInputBuf[kMaxAflInputSize]; +static uint8_t AflInputBuf[kMaxAflInputSize]; -void __attribute__ ((noinline)) afl_qemu_driver_stdin_input(void) { +void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) { size_t l = read(0, AflInputBuf, kMaxAflInputSize); LLVMFuzzerTestOneInput(AflInputBuf, l); @@ -31,7 +31,7 @@ int main(int argc, char **argv) { LLVMFuzzerTestOneInput(dummy_input, 1); } - + return 0; } diff --git a/include/forkserver.h b/include/forkserver.h index 840ab509..fa132837 100644 
--- a/include/forkserver.h +++ b/include/forkserver.h @@ -75,13 +75,13 @@ typedef struct afl_forkserver { u8 use_shdmen_fuzz; /* use shared mem for test cases */ - u8 support_shdmen_fuzz; /* set by afl-fuzz */ + u8 support_shmem_fuzz; /* set by afl-fuzz */ u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ u8 qemu_mode; /* if running in qemu mode or not */ - u32 shmem_fuzz_len; /* length of the fuzzing test case */ + u32 *shmem_fuzz_len; /* length of the fuzzing test case */ u8 *shmem_fuzz; /* allocated memory for fuzzing */ diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index f739691a..963de6e6 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -166,8 +166,7 @@ static void __afl_map_shm_fuzz() { } - __afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, - MAP_SHARED | MAP_ANONYMOUS, -1, 0); + __afl_fuzz_len_shmem = (u32 *)(__afl_fuzz_ptr + MAX_FILE); } @@ -448,9 +447,6 @@ static void __afl_start_snapshots(void) { } - *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); - was_killed = (was_killed & 0xff); - #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { @@ -651,9 +647,6 @@ static void __afl_start_forkserver(void) { } - *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); - was_killed = (was_killed & 0xff); - #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index f7ffa56a..92c33b50 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -83,9 +83,9 @@ extern unsigned char persistent_save_gpr; extern uint64_t persistent_saved_gpr[AFL_REGS_NUM]; extern int persisent_retaddr_offset; -extern u8 *shared_buf; -extern u32 shared_buf_len; -extern u8 sharedmem_fuzzing; +extern u8 * shared_buf; +extern u32 *shared_buf_len; +extern u8 sharedmem_fuzzing; extern afl_persistent_hook_fn afl_persistent_hook_ptr; 
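Review bot: The rename in afl_forkserver fixes only `support_shdmen_fuzz`; the sibling flag `use_shdmen_fuzz` on the context line above keeps the misspelling, so the pair now reads `support_shmem_fuzz` / `use_shdmen_fuzz` (the mix is visible in calibrate_case in this commit's afl-fuzz-run.c hunk). Renaming both in the same sweep keeps the two flags greppable. `u32 *shmem_fuzz_len` now points into the shared mapping, and the header says nothing about where; a comment such as `/* -> u32 length word stored after the MAX_FILE payload in shmem_fuzz */` would save readers a trip to setup_testcase_shmem, which is the only place that sets the offset.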
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 7836e2cf..78f607aa 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -83,9 +83,9 @@ unsigned char persistent_save_gpr; uint64_t persistent_saved_gpr[AFL_REGS_NUM]; int persisent_retaddr_offset; -u8 *shared_buf; -u32 shared_buf_len; -u8 sharedmem_fuzzing; +u8 * shared_buf; +u32 *shared_buf_len; +u8 sharedmem_fuzzing; afl_persistent_hook_fn afl_persistent_hook_ptr; @@ -148,6 +148,7 @@ static void afl_map_shm_fuzz(void) { u32 shm_id = atoi(id_str); shared_buf = shmat(shm_id, NULL, 0); + shared_buf_len = (u32 *)(shared_buf + MAX_FILE); /* Whooooops. */ @@ -377,9 +378,6 @@ void afl_forkserver(CPUState *cpu) { if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); - shared_buf_len = (was_killed >> 8); - was_killed = (was_killed & 0xff); - /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old process. */ diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 15d5c91c..8553f194 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -162,7 +162,7 @@ static void log_x86_sp_content(void) { static void callback_to_persistent_hook(void) { afl_persistent_hook_ptr(persistent_saved_gpr, guest_base, shared_buf, - shared_buf_len); + *shared_buf_len); } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b5b55713..0b53d7c0 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -506,7 +506,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_SHDMEM_FUZZ) == FS_OPT_SHDMEM_FUZZ) { - if (fsrv->support_shdmen_fuzz) { + if (fsrv->support_shmem_fuzz) { fsrv->use_shdmen_fuzz = 1; if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); } 
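Review bot: In afl_map_shm_fuzz the new `shared_buf_len = (u32 *)(shared_buf + MAX_FILE);` runs before the shmat() failure check that follows the `/* Whooooops. */` comment, so on failure it does pointer arithmetic on `(void *)-1`; moving the assignment below that check keeps the error path clean. The check itself and the rest of afl_map_shm_fuzz are outside the hunk. In callback_to_persistent_hook, `*shared_buf_len` is now dereferenced unconditionally; if the hook can be reached with shared-memory fuzzing disabled (shared_buf_len still NULL) that is a NULL dereference — worth confirming against the callers, which are not visible here.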
@@ -832,7 +832,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (fsrv->shmem_fuzz) { memcpy(fsrv->shmem_fuzz, buf, len); - fsrv->shmem_fuzz_len = len; + *fsrv->shmem_fuzz_len = len; } else { @@ -894,8 +894,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, MEM_BARRIER(); - if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8); - /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 3c3503b1..a30bf3f2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1960,7 +1960,8 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { + if ((afl->fsrv.shmem_fuzz = + afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); @@ -1970,7 +1971,8 @@ void setup_testcase_shmem(afl_state_t *afl) { setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); ck_free(shm_str); #endif - afl->fsrv.support_shdmen_fuzz = 1; + afl->fsrv.support_shmem_fuzz = 1; + afl->fsrv.shmem_fuzz_len = (u32 *)(afl->fsrv.shmem_fuzz + MAX_FILE); } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index bf5defa5..91a64fba 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
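Review bot: afl_fsrv_write_to_testcase copies `len` bytes into fsrv->shmem_fuzz and stores it in the length word without comparing `len` to MAX_FILE, while setup_testcase_shmem in the same commit sizes the region to exactly `MAX_FILE + sizeof(int)` and puts the length word at offset MAX_FILE, so an oversized `len` would overwrite the length word and run past the mapping. If every caller is guaranteed to cap test cases at MAX_FILE, say so in a comment above the memcpy; otherwise add `if (len > MAX_FILE) len = MAX_FILE;` before it. The allocation uses `sizeof(int)` while the pointer is `u32 *`; using `sizeof(u32)` in both places ties the two together. afl_fsrv_write_to_testcase continues outside the hunk.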
@@ -232,12 +232,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); - if (afl->fsrv.support_shdmen_fuzz && !afl->fsrv.use_shdmen_fuzz) { + if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shdmen_fuzz) { afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; - afl->fsrv.support_shdmen_fuzz = 0; + afl->fsrv.support_shmem_fuzz = 0; afl->fsrv.shmem_fuzz = NULL; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 97221572..1f5552e0 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -138,6 +138,20 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->orig_cmdline); /* ignore errors */ + if (afl->debug) { + + fprintf(f, "virgin_bytes :"); + for (uint32_t i = 0; i < afl->fsrv.map_size; i++) + if (afl->virgin_bits[i] != 0xff) + fprintf(f, " %d[%02x]", i, afl->virgin_bits[i]); + fprintf(f, "\n"); + fprintf(f, "var_bytes :"); + for (uint32_t i = 0; i < afl->fsrv.map_size; i++) + if (afl->var_bytes[i]) fprintf(f, " %d", i); + fprintf(f, "\n"); + + } + fclose(f); } -- cgit 1.4.1 From 35ddec7aebaa3fdd454118a31483f9c43e549d6a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 02:37:05 +0200 Subject: fix shmem persistent mode --- examples/persistent_demo/persistent_demo_new.c | 2 +- examples/persistent_demo/test-instr.c | 4 +++- llvm_mode/afl-clang-fast.c | 4 ++-- llvm_mode/afl-llvm-rt.o.c | 17 +++++++---------- src/afl-forkserver.c | 3 ++- 5 files changed, 15 insertions(+), 15 deletions(-) (limited to 'examples') diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 69468bdd..98909442 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c 
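Review bot: In the new AFL_DEBUG dump in write_stats_file, `i` is a `uint32_t` but is printed with `%d`; use `%u` in both calls (`" %u[%02x]"` and `" %u"`) so the format matches the argument type. Walking map_size entries on every stats write is acceptable for a debug-only path, but a one-line comment such as `// debug only: dumps the full map, gated on afl->debug` would stop someone from lifting it out of the `if (afl->debug)` block later. write_stats_file continues outside the hunk.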
@@ -45,7 +45,7 @@ int main(int argc, char **argv) { __AFL_INIT(); buf = __AFL_FUZZ_TESTCASE_BUF; - while (__AFL_LOOP(1000)) { + while (__AFL_LOOP(1000)) { // increase if you have good stability len = __AFL_FUZZ_TESTCASE_LEN; diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index 4cd07102..f7512790 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -25,7 +25,7 @@ int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - while (__AFL_LOOP(2147483647)) { + while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability unsigned int len = __AFL_FUZZ_TESTCASE_LEN; @@ -50,6 +50,8 @@ int main(int argc, char **argv) { counter++; #endif + fprintf(stderr, "len: %u\n", len); + if (!len) continue; if (buf[0] == '0') diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 47347893..75504ea5 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -495,14 +495,14 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_FUZZ_INIT()=" "int __afl_sharedmem_fuzzing = 1;" - "extern unsigned int __afl_fuzz_len;" + "extern unsigned int *__afl_fuzz_len;" "extern unsigned char *__afl_fuzz_ptr;" "unsigned char *__afl_fuzz_alt_ptr;"; cc_params[cc_par_cnt++] = "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : " "(__afl_fuzz_alt_ptr = malloc(1 * 1024 * 1024)))"; cc_params[cc_par_cnt++] = - "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? __afl_fuzz_len : read(0, " + "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : read(0, " "__afl_fuzz_alt_ptr, 1 * 1024 * 1024))"; cc_params[cc_par_cnt++] = diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index c6b49e36..e37ecfd7 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -77,9 +77,8 @@ u8 __afl_area_initial[MAP_SIZE]; u8 * __afl_area_ptr = __afl_area_initial; u8 * __afl_dictionary; u8 * __afl_fuzz_ptr; -u32 __afl_fuzz_len; u32 __afl_fuzz_len_dummy; -u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy; +u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy; u32 __afl_final_loc; u32 __afl_map_size = MAP_SIZE; @@ -138,19 +137,19 @@ static void __afl_map_shm_fuzz() { } - __afl_fuzz_len_shmem = + __afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); #else u32 shm_id = atoi(id_str); - __afl_fuzz_len_shmem = (u32 *)shmat(shm_id, NULL, 0); + __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0); #endif /* Whooooops. */ - if (__afl_fuzz_len_shmem == (void *)-1) { + if (__afl_fuzz_len == (void *)-1) { fprintf(stderr, "Error: could not access fuzzing shared memory\n"); exit(1); @@ -167,7 +166,7 @@ static void __afl_map_shm_fuzz() { } - __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len_shmem + sizeof(int)); + __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int)); } @@ -457,7 +456,7 @@ static void __afl_start_snapshots(void) { s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { - if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) { fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); @@ -657,7 +656,7 @@ static void __afl_start_forkserver(void) { s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { - if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) { fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); @@ -770,8 +769,6 @@ int __afl_persistent_loop(unsigned int max_cnt) { raise(SIGSTOP); - __afl_fuzz_len = *__afl_fuzz_len_shmem; - __afl_area_ptr[0] = 1; memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); 
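Review bot: `__afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));` in __afl_map_shm_fuzz adds `sizeof(int)` in units of `u32` (the declaration in the first hunk is `u32 *__afl_fuzz_len`), i.e. it skips 4 × sizeof(int) bytes, not the one length word the expression suggests; the pre-existing line had the same scaling and the rename keeps it. Writing the byte offset explicitly, `__afl_fuzz_ptr = (u8 *)__afl_fuzz_len + sizeof(u32);`, makes the layout unambiguous — whichever offset the fuzzer side actually uses, both sides must spell it the same way, and that side is not visible in this commit (the log is limited to 'examples'). The mapping is still created with size MAX_FILE, so with a length word in front of the payload a test case of MAX_FILE bytes no longer fits in the mapping; if the fuzzer allocates `MAX_FILE + sizeof(int)` as an earlier commit on this page does, the mmap size should match that.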
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 0b53d7c0..a5e2db54 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -831,8 +831,9 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (fsrv->shmem_fuzz) { - memcpy(fsrv->shmem_fuzz, buf, len); *fsrv->shmem_fuzz_len = len; + memcpy(fsrv->shmem_fuzz, buf, len); + // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len); } else { -- cgit 1.4.1 From 88e83c7322c66ef3df905f21caf8c07505443d50 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 02:53:24 +0200 Subject: code format --- examples/persistent_demo/test-instr.c | 2 +- llvm_mode/afl-llvm-rt.o.c | 3 +-- src/afl-fuzz.c | 5 +++-- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'examples') diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index f7512790..a6188b22 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -50,7 +50,7 @@ int main(int argc, char **argv) { counter++; #endif - fprintf(stderr, "len: %u\n", len); + // fprintf(stderr, "len: %u\n", len); if (!len) continue; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index e37ecfd7..4bca3d37 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -137,8 +137,7 @@ static void __afl_map_shm_fuzz() { } - __afl_fuzz_len = - (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); + __afl_fuzz_len = (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); #else u32 shm_id = atoi(id_str); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 07e1584b..44b91877 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
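Review bot: The new `// fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);` in afl_fsrv_write_to_testcase is commented-out code; either drop it or gate it on the `getenv("AFL_DEBUG")` check this file already uses, so the trace is available without editing source. If the reorder that stores the length before the memcpy matters, a one-line why-comment above it would keep the next tidy-up from swapping the two lines back. afl_fsrv_write_to_testcase continues outside the hunk.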
@@ -246,7 +246,7 @@ int main(int argc, char **argv_orig, char **envp) { u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0, map_size = MAP_SIZE; u8 * extras_dir = 0; - u8 mem_limit_given = 0, exit_1 = 0; + u8 mem_limit_given = 0, exit_1 = 0, debug = 0; char **use_argv; struct timeval tv; @@ -257,10 +257,11 @@ int main(int argc, char **argv_orig, char **envp) { afl_state_t *afl = calloc(1, sizeof(afl_state_t)); if (!afl) { FATAL("Could not create afl state"); } - if (get_afl_env("AFL_DEBUG")) { afl->debug = 1; } + if (get_afl_env("AFL_DEBUG")) { debug = afl->debug = 1; } map_size = get_map_size(); afl_state_init(afl, map_size); + afl->debug = debug; afl_fsrv_init(&afl->fsrv); read_afl_environment(afl, envp); -- cgit 1.4.1 From 2f73215d4f24d9059546aff2b82d7eef05fbe253 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 08:53:05 +0200 Subject: update libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index f2c604da..e0a90ff9 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -90,7 +90,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #endif int __afl_sharedmem_fuzzing = 1; -extern unsigned int __afl_fuzz_len; +extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. @@ -272,9 +272,9 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { - if (__afl_fuzz_len) { + if (*__afl_fuzz_len) { num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); -- cgit 1.4.1 
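Review bot: `afl->debug = debug;` right after afl_state_init() in main looks like a workaround for afl_state_init() overwriting the flag set from AFL_DEBUG a few lines earlier, but nothing says so. If that is the reason, add `// afl_state_init() clobbers afl->debug; re-apply the AFL_DEBUG setting` — or better, make afl_state_init() preserve it so the local copy is unnecessary. afl_state_init is not visible here, so the cause is inferred.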
From f1ad9bdaea754cd08581b7b41bac7f404763fde7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 09:10:58 +0200 Subject: fix --- examples/aflpp_driver/GNUmakefile | 2 +- examples/aflpp_driver/aflpp_qemu_driver.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 05ddebb0..988576d5 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -18,7 +18,7 @@ libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o aflpp_qemu_driver.o: aflpp_qemu_driver.c - $(LLVM_BINDIR)clang $(FLAGS) -funroll-loops -c aflpp_qemu_driver.c + $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c libAFLQemuDriver.a: aflpp_qemu_driver.o ar ru libAFLQemuDriver.a aflpp_qemu_driver.o diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index 604feb91..ee7dde10 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -27,7 +27,7 @@ int main(int argc, char **argv) { } else { - uint8_t dummy_input[1] = {0}; + uint8_t dummy_input[1024000] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); } -- cgit 1.4.1 From e01cad2f7de77c4704243d7011de2bff95fd59f7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 5 Jun 2020 09:42:17 +0200 Subject: qemu debug --- examples/aflpp_driver/aflpp_qemu_driver.c | 2 +- examples/qemu_persistent_hook/read_into_rdi.c | 1 + qemu_mode/patches/afl-qemu-cpu-inl.h | 2 ++ src/afl-forkserver.c | 16 ++++++++-------- 4 files changed, 12 insertions(+), 9 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index ee7dde10..4f3e5f71 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c 
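Review bot: `uint8_t dummy_input[1024000] = {0};` in main introduces a second size literal next to `kMaxAflInputSize` (1 << 20 in this file, changed to `1 * 1024 * 1024` in the following commit on this page), and 1024000 is smaller than both. If the larger buffer exists so the QEMU persistent hook has room to place the fuzzer's test case (the hook is not visible here), the two sizes should come from one definition — reuse the static `AflInputBuf`, or derive both from a single macro — so they cannot drift apart. A 1 MB zero-initialised array on main's stack also deserves a one-line comment if it is intentional.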
@@ -6,7 +6,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); -static const size_t kMaxAflInputSize = 1 << 20; +static const size_t kMaxAflInputSize = 1 * 1024 * 1024; static uint8_t AflInputBuf[kMaxAflInputSize]; void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) { diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 180d9f00..bd6d3f45 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c @@ -1,6 +1,7 @@ #include #include #include +#include #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) #define h2g(x) ((uint64_t)(x)-guest_base) diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index d3893066..8feb7613 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -341,6 +341,8 @@ void afl_forkserver(CPUState *cpu) { status |= (FS_OPT_SET_MAPSIZE(MAP_SIZE) | FS_OPT_MAPSIZE); if (sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; if (status) status |= (FS_OPT_ENABLED); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "Debug: Sending status %08x\n", status); memcpy(tmp, &status, 4); /* Tell the parent that we're alive. If the parent doesn't want diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 7f89f0dc..505fb7a3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -277,8 +277,8 @@ static void report_error_and_exit(int error) { break; case FS_ERROR_MMAP: FATAL( - "the fuzzing target reports that the mmap() call to the shared memory " - "failed."); + "the fuzzing target reports that the mmap() call to the shared " + "memory failed."); break; default: FATAL("unknown error code %u from fuzzing target!", error); 
@@ -488,16 +488,16 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) { OKF("All right - fork server is up."); } - if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) - report_error_and_exit(FS_OPT_GET_ERROR(status)); + if (getenv("AFL_DEBUG")) { - if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { + ACTF("Extended forkserver functions received (%08x).", status); - if (getenv("AFL_DEBUG")) { + } - ACTF("Extended forkserver functions received (%08x).", status); + if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) + report_error_and_exit(FS_OPT_GET_ERROR(status)); - } + if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { -- cgit 1.4.1 From 372206e159f4f3d150543411872319fb8fae0b66 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 6 Jun 2020 11:45:08 +0200 Subject: aflpp_debug --- examples/aflpp_driver/GNUmakefile | 10 +++++++++- examples/aflpp_driver/aflpp_driver.cpp | 7 +++++-- examples/aflpp_driver/aflpp_driver_test.cpp | 20 ++++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 examples/aflpp_driver/aflpp_driver_test.cpp (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 988576d5..7ddfc485 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -17,6 +17,11 @@ aflpp_driver.o: aflpp_driver.cpp libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o +debug: + $(LLVM_BINDIR)clang++ -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + ar ru libAFLDriver.a aflpp_driver.o + + aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c 
@@ -29,5 +34,8 @@ aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c +test: libAFLDriver.a aflpp_driver_test.cpp + afl-clang-fast++ -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a + clean: - rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core + rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index e0a90ff9..a60eb264 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -246,7 +246,8 @@ int main(int argc, char **argv) { LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - int N = 1000; + uint8_t dummy_input[1] = {0}; + int N = 100000; if (argc == 2 && argv[1][0] == '-') N = atoi(argv[1] + 1); else if(argc == 2 && (N = atoi(argv[1])) > 0) @@ -267,11 +268,13 @@ int main(int argc, char **argv) { // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); int num_runs = 0; while (__afl_persistent_loop(N)) { +#ifdef _DEBUG + fprintf(stderr, "len: %u\n", *__afl_fuzz_len); +#endif if (*__afl_fuzz_len) { num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp new file mode 100644 index 00000000..81aa9db4 --- /dev/null +++ b/examples/aflpp_driver/aflpp_driver_test.cpp 
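Review bot: The new `#ifdef _DEBUG` block in main keys on an identifier that starts with an underscore and an uppercase letter, which is reserved for the implementation in C and C++, and `_DEBUG` is already predefined by MSVC debug runtimes, so the trace can switch on unexpectedly on some toolchains; a project-prefixed name such as `AFLPP_DRIVER_DEBUG`, set with `-DAFLPP_DRIVER_DEBUG=1` in the GNUmakefile `debug` target, avoids that. The `debug` target also rebuilds aflpp_driver.o and archives it into the same libAFLDriver.a as the normal build, so which variant ends up in the archive depends on build order; a distinct object or archive name would make that explicit.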
@@ -0,0 +1,20 @@
+#include
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+ fprintf(stderr, "Received size %lu\n", Size);
+
+ if (Size < 4)
+ return 0;
+
+ if (Data[0] == 'F')
+ if (Data[1] == 'A')
+ if (Data[2] == '$')
+ if (Data[3] == '$')
+ abort();
+
+ return 0;
+
+}
-- cgit 1.4.1
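Review bot: `fprintf(stderr, "Received size %lu\n", Size);` in LLVMFuzzerTestOneInput prints a `size_t` with `%lu`; use `%zu` so the format matches the type on every target: `fprintf(stderr, "Received size %zu\n", Size);`. The four nested ifs are presumably deliberate so that each byte comparison is its own branch for the fuzzer to discover; a one-line comment stating that (`// nested compares on purpose: one branch per byte`) would keep a reader from collapsing them into a single memcmp.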