From bca7ce804308fdc24404d26a02d2e10116ef6289 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 12:30:20 +0200 Subject: fixed persistent mode shared mem fuzzing --- examples/persistent_demo/Makefile | 6 ++- examples/persistent_demo/persistent_demo.c | 1 + examples/persistent_demo/persistent_demo_new.c | 1 + examples/persistent_demo/test-instr.c | 60 ++++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 examples/persistent_demo/test-instr.c (limited to 'examples') diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile index cbbb7239..ea8fd02a 100644 --- a/examples/persistent_demo/Makefile +++ b/examples/persistent_demo/Makefile @@ -1,6 +1,10 @@ all: afl-clang-fast -o persistent_demo persistent_demo.c afl-clang-fast -o persistent_demo_new persistent_demo_new.c + afl-clang-fast -o test-instr test-instr.c + +document: + afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: - rm -f persistent_demo persistent_demo_new + rm -f persistent_demo persistent_demo_new test-instr diff --git a/examples/persistent_demo/persistent_demo.c b/examples/persistent_demo/persistent_demo.c index 2da49bb0..4cedc32c 100644 --- a/examples/persistent_demo/persistent_demo.c +++ b/examples/persistent_demo/persistent_demo.c @@ -41,6 +41,7 @@ int main(int argc, char **argv) { terminate normally. This limits the impact of accidental memory leaks and similar hiccups. */ + __AFL_INIT(); while (__AFL_LOOP(1000)) { /*** PLACEHOLDER CODE ***/ diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 36411e13..69468bdd 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -42,6 +42,7 @@ int main(int argc, char **argv) { terminate normally. This limits the impact of accidental memory leaks and similar hiccups. */ + __AFL_INIT(); buf = __AFL_FUZZ_TESTCASE_BUF; while (__AFL_LOOP(1000)) { 
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c new file mode 100644 index 00000000..069e74dd --- /dev/null +++ b/examples/persistent_demo/test-instr.c @@ -0,0 +1,60 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include + +__AFL_FUZZ_INIT(); + +int main(int argc, char **argv) { + + __AFL_INIT(); + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + + while(__AFL_LOOP(2147483647)) { + + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; + +#ifdef _AFL_DOCUMENT_MUTATIONS + static unsigned int counter = 0; + char fn[32]; + sprintf(fn, "%09u:test-instr", counter); + int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); + unlink(fn); + } + close(fd_doc); + } + counter++; +#endif + + if (!len) continue; + + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + } + + return 0; + +} + -- cgit v1.2.3 From 0de25f08ba2e39f680a1440e9b84ee9cf4136f9a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 12:30:55 +0200 Subject: code format --- examples/persistent_demo/test-instr.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'examples') 
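Review bot: In the `_AFL_DOCUMENT_MUTATIONS` branch, `sprintf(fn, "%09u:test-instr", counter)` is bounded only by inspection (at most 10 digits, the 11-character suffix and a NUL in a 32-byte buffer); `snprintf(fn, sizeof fn, "%09u:test-instr", counter);` states the bound in code and survives a later change to the format. The file is created by a predictable relative name with `O_CREAT | O_TRUNC` and no `O_NOFOLLOW`, so if this harness is ever run in a directory another user can write to, a planted symlink named `000000000:test-instr` redirects the truncating write — add `O_NOFOLLOW`, or at least a comment stating that the working directory is assumed private. The write check compares a `ssize_t` with an `unsigned int`; `!= (ssize_t)__afl_fuzz_len` still catches -1 and keeps the intent readable.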
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index 069e74dd..cd1c9b0e 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -24,34 +24,41 @@ int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - - while(__AFL_LOOP(2147483647)) { - + + while (__AFL_LOOP(2147483647)) { + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; #ifdef _AFL_DOCUMENT_MUTATIONS static unsigned int counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:test-instr", counter); int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; #endif if (!len) continue; - + if (buf[0] == '0') printf("Looks like a zero to me!\n"); else if (buf[0] == '1') printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } return 0; -- cgit v1.2.3 From 15c0ad60c530906131fc089d8f5b05710c69f109 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 13:15:16 +0200 Subject: minimal changes to a test --- examples/persistent_demo/Makefile | 2 +- examples/persistent_demo/test-instr.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile index ea8fd02a..e2cf97f5 100644 --- a/examples/persistent_demo/Makefile +++ b/examples/persistent_demo/Makefile @@ -4,7 +4,7 @@ all: afl-clang-fast -o test-instr test-instr.c document: - afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: rm -f persistent_demo persistent_demo_new test-instr 
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index cd1c9b0e..4cd07102 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -36,7 +36,7 @@ int main(int argc, char **argv) { int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { - if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + if (write(fd_doc, buf, len) != __afl_fuzz_len) { fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); -- cgit v1.2.3 From ac998e9222c5a7572716cd2ec1affd00d7a45e3d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 13:15:34 +0200 Subject: minimal changes to a test --- examples/persistent_demo/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/persistent_demo/Makefile b/examples/persistent_demo/Makefile index e2cf97f5..6fa1c30e 100644 --- a/examples/persistent_demo/Makefile +++ b/examples/persistent_demo/Makefile @@ -1,7 +1,7 @@ all: afl-clang-fast -o persistent_demo persistent_demo.c afl-clang-fast -o persistent_demo_new persistent_demo_new.c - afl-clang-fast -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c document: AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c -- cgit v1.2.3 From 9a65fe904dd0895b9f7d27aae1fbce22fcb598ef Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 13:37:50 +0200 Subject: small changes to libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 3dcc8c3c..a6b168cd 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp 
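Review bot: The write now copies `len` bytes from `buf` but its result is still compared against `__afl_fuzz_len`, so the write and the check disagree about which length is authoritative; compare against what was actually written: `if (write(fd_doc, buf, len) != (ssize_t)len) {`. Without the cast the `ssize_t` return is converted to `unsigned int` for the comparison, which happens to catch -1 but hides the intent. The enclosing `main` starts and ends outside this hunk.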
@@ -252,27 +252,27 @@ int main(int argc, char **argv) { else if(argc == 2 && (N = atoi(argv[1])) > 0) Printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { - if (!getenv("AFL_DRIVER_DONT_DEFER")) { +// if (!getenv("AFL_DRIVER_DONT_DEFER")) { __afl_sharedmem_fuzzing = 0; __afl_manual_init(); - } +// } return ExecuteFilesOnyByOne(argc, argv); exit(0); } assert(N > 0); - if (!getenv("AFL_DRIVER_DONT_DEFER")) - __afl_manual_init(); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); +// if (!getenv("AFL_DRIVER_DONT_DEFER")) + __afl_manual_init(); + int num_runs = 0; while (__afl_persistent_loop(N)) { - if (__afl_fuzz_len > 0) { + if (__afl_fuzz_len) { num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); } -- cgit v1.2.3 From adcffce0a083cf32ea41f5631ec0e9d77dfdd115 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 14:57:05 +0200 Subject: fix libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a6b168cd..1feae1c3 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp 
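Review bot: Commenting out both `if (!getenv("AFL_DRIVER_DONT_DEFER"))` checks means the environment variable is now silently ignored while the dead lines remain in the source; either delete the two `// if (!getenv(...))` lines and the `// }` or keep the option functional, and if the driver's usage text (outside this hunk) still documents `AFL_DRIVER_DONT_DEFER`, update it in the same change. Moving `__afl_manual_init()` after `LLVMFuzzerTestOneInput(dummy_input, 1)` is consistent with the comment above the dummy call, which wants that run's coverage excluded. The `exit(0);` after `return ExecuteFilesOnyByOne(argc, argv);` is unreachable and predates this change; removing it is a harmless cleanup. `main` starts before and continues after the hunk.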
@@ -262,14 +262,14 @@ int main(int argc, char **argv) { assert(N > 0); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization - // on the first execution of LLVMFuzzerTestOneInput is ignored. - uint8_t dummy_input[1] = {0}; - LLVMFuzzerTestOneInput(dummy_input, 1); - // if (!getenv("AFL_DRIVER_DONT_DEFER")) __afl_manual_init(); + // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization + // on the first execution of LLVMFuzzerTestOneInput is ignored. + //uint8_t dummy_input[1] = {0}; + //LLVMFuzzerTestOneInput(dummy_input, 1); + int num_runs = 0; while (__afl_persistent_loop(N)) { if (__afl_fuzz_len) { -- cgit v1.2.3 From 1d15048f2f79bb6836e8a50676a8ecc8cff1e5d0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 15:30:44 +0200 Subject: hopeful finally change for libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 1feae1c3..f2c604da 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -267,8 +267,8 @@ int main(int argc, char **argv) { // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - //uint8_t dummy_input[1] = {0}; - //LLVMFuzzerTestOneInput(dummy_input, 1); + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); int num_runs = 0; while (__afl_persistent_loop(N)) { -- cgit v1.2.3 From 9962de1a4c26d226b15d7bee64b483098fe62b3f Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 09:57:44 +0200 Subject: shared mem input for qemu persistent hook --- examples/qemu_persistent_hook/read_into_rdi.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'examples') 
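Review bot: The restored `LLVMFuzzerTestOneInput(dummy_input, 1)` now runs after `__afl_manual_init()`, but the comment kept above it still says the call is placed so that initialization coverage is ignored — a rationale that depended on the call preceding the fork-server start in the earlier ordering. Either move the call back above `__afl_manual_init()` or rewrite the comment to say why the warm-up run must happen after the fork server is up, e.g. `// Warm-up call after the fork server starts; its coverage is presumably recorded in the first child — intentional.` I cannot tell from the hunk which of the two is intended, and the previous commit on this page flipped the order the other way. `main` starts and ends outside the hunk.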
diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 6cf66ddf..29087962 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c @@ -35,16 +35,25 @@ enum { }; -void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) { +void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, + uint8_t* input_buf, uint32_t input_len) { // In this example the register RDI is pointing to the memory location // of the target buffer, and the length of the input is in RSI. // This can be seen with a debugger, e.g. gdb (and "disass main") - printf("reading into %p\n", regs[R_EDI]); - size_t r = read(0, g2h(regs[R_EDI]), 1024); - regs[R_ESI] = r; - printf("read %ld bytes\n", r); + printf("placing input into %p\n", regs[R_EDI]); + + if (input_len > 1024) + input_len = 1024; + memcpy(g2h(regs[R_EDI]), input_buf, input_len); + regs[R_ESI] = input_len; } +int afl_persistent_hook_init(void) { + + // 1 for shared memory input (faster), 0 for normal input (you have to use read(), input_buf will be NULL) + return 1; + +} -- cgit v1.2.3 From 1c95e2e8e0674b69bf38e3e097948c6db9f07493 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 10:34:29 +0200 Subject: aflpp libfuzzer driver for qemu mode --- examples/aflpp_driver/GNUmakefile | 16 ++++++++++++++-- examples/aflpp_driver/aflpp_qemu_driver.c | 17 +++++++++++++++++ examples/aflpp_driver/aflpp_qemu_driver_hook.c | 21 +++++++++++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 examples/aflpp_driver/aflpp_qemu_driver.c create mode 100644 examples/aflpp_driver/aflpp_qemu_driver_hook.c (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index a681d2cf..05ddebb0 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile 
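Review bot: The `1024` in `if (input_len > 1024) input_len = 1024;` is the only thing standing between the fuzzer-supplied length and the guest buffer at RDI, yet it is an unnamed constant with no comment tying it to the target's buffer size, and the truncation is silent so the fuzzer keeps mutating bytes the target never sees. Name it and record the assumption: `#define TARGET_BUF_SIZE 1024 /* must match the buffer the target passes in RDI */`. Separately, `printf("placing input into %p\n", regs[R_EDI])` passes a `uint64_t` where `%p` expects a `void *`; `printf("placing input into %#" PRIx64 "\n", regs[R_EDI]);` with `<inttypes.h>` is the portable form. `afl_persistent_hook_init` returning 1 is what selects the shared-memory path and makes `input_buf` non-NULL here, as its comment says.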
@@ -9,7 +9,7 @@ endif FLAGS=-O3 -funroll-loops -all: libAFLDriver.a +all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so aflpp_driver.o: aflpp_driver.cpp $(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp @@ -17,5 +17,17 @@ aflpp_driver.o: aflpp_driver.cpp libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o +aflpp_qemu_driver.o: aflpp_qemu_driver.c + $(LLVM_BINDIR)clang $(FLAGS) -funroll-loops -c aflpp_qemu_driver.c + +libAFLQemuDriver.a: aflpp_qemu_driver.o + ar ru libAFLQemuDriver.a aflpp_qemu_driver.o + +aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o + $(LLVM_BINDIR)clang -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so + +aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c + $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c + clean: - rm -f *.o libAFLDriver*.a *~ core + rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c new file mode 100644 index 00000000..dd272408 --- /dev/null +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -0,0 +1,17 @@ +#include +#include + +// libFuzzer interface is thin, so we don't include any libFuzzer headers. +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); +__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); + +int main(int argc, char **argv) { + if (LLVMFuzzerInitialize) + LLVMFuzzerInitialize(&argc, &argv); + // Do any other expensive one-time initialization here. + + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); + + return 0; +} diff --git a/examples/aflpp_driver/aflpp_qemu_driver_hook.c b/examples/aflpp_driver/aflpp_qemu_driver_hook.c new file mode 100644 index 00000000..17a84668 --- /dev/null +++ b/examples/aflpp_driver/aflpp_qemu_driver_hook.c 
@@ -0,0 +1,21 @@ +#include +#include + +#define g2h(x) ((void *)((unsigned long)(x) + guest_base)) + +#define REGS_RDI 7 +#define REGS_RSI 6 + +void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, + uint8_t* input_buf, uint32_t input_len) { + + memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); + regs[REGS_RSI] = input_len; + +} + +int afl_persistent_hook_init(void) { + + return 1; + +} -- cgit v1.2.3 From fc164e4709f1f1c91f9343eb116627417e7f267f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 10:50:49 +0200 Subject: code format --- examples/aflpp_driver/aflpp_qemu_driver.c | 8 +++++--- examples/aflpp_driver/aflpp_qemu_driver_hook.c | 5 +++-- examples/qemu_persistent_hook/read_into_rdi.c | 11 ++++++----- 3 files changed, 14 insertions(+), 10 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index dd272408..d8862316 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -6,12 +6,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int main(int argc, char **argv) { - if (LLVMFuzzerInitialize) - LLVMFuzzerInitialize(&argc, &argv); + + if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); - + return 0; + } + diff --git a/examples/aflpp_driver/aflpp_qemu_driver_hook.c b/examples/aflpp_driver/aflpp_qemu_driver_hook.c index 17a84668..823cc42d 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver_hook.c +++ b/examples/aflpp_driver/aflpp_qemu_driver_hook.c 
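Review bot: `memcpy(g2h(regs[REGS_RDI]), input_buf, input_len);` copies the full fuzzer-supplied length into whatever RDI points at with no upper bound, unlike the `1024` cap in examples/qemu_persistent_hook/read_into_rdi.c; the companion driver added in the same commit (aflpp_qemu_driver.c) passes `uint8_t dummy_input[1]`, so any input longer than one byte overwrites the guest stack beyond that array. Cap the copy to the driver's buffer size, `if (input_len > AFL_QEMU_DRIVER_BUF_SIZE) input_len = AFL_QEMU_DRIVER_BUF_SIZE;`, with the constant shared between the two files, and document that the hook assumes RDI points at a buffer of at least that size. `regs[REGS_RSI] = input_len;` must then carry the capped value, which it does as long as the cap precedes it.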
@@ -7,9 +7,9 @@ #define REGS_RSI 6 void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, - uint8_t* input_buf, uint32_t input_len) { + uint8_t *input_buf, uint32_t input_len) { - memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); + memcpy(g2h(regs[REGS_RDI]), input_buf, input_len); regs[REGS_RSI] = input_len; } @@ -19,3 +19,4 @@ int afl_persistent_hook_init(void) { return 1; } + diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 29087962..180d9f00 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c @@ -36,7 +36,7 @@ enum { }; void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, - uint8_t* input_buf, uint32_t input_len) { + uint8_t *input_buf, uint32_t input_len) { // In this example the register RDI is pointing to the memory location // of the target buffer, and the length of the input is in RSI. @@ -44,16 +44,17 @@ void afl_persistent_hook(uint64_t *regs, uint64_t guest_base, printf("placing input into %p\n", regs[R_EDI]); - if (input_len > 1024) - input_len = 1024; - memcpy(g2h(regs[R_EDI]), input_buf, input_len); + if (input_len > 1024) input_len = 1024; + memcpy(g2h(regs[R_EDI]), input_buf, input_len); regs[R_ESI] = input_len; } int afl_persistent_hook_init(void) { - // 1 for shared memory input (faster), 0 for normal input (you have to use read(), input_buf will be NULL) + // 1 for shared memory input (faster), 0 for normal input (you have to use + // read(), input_buf will be NULL) return 1; } + -- cgit v1.2.3 From f1192b2d16116fb6c8dc2673e37ec426b7792312 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 11:38:44 +0200 Subject: AFL_QEMU_DRIVER_NO_HOOK --- examples/aflpp_driver/aflpp_qemu_driver.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'examples') 
diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index dd272408..0944148e 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -1,17 +1,36 @@ #include #include +#include // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); +static const size_t kMaxAflInputSize = 1 << 20; +static uint8_t AflInputBuf[kMaxAflInputSize]; + +void afl_qemu_driver_stdin_input(void) { + + size_t l = read(0, AflInputBuf, kMaxAflInputSize); + LLVMFuzzerTestOneInput(AflInputBuf, l); + +} + int main(int argc, char **argv) { if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - uint8_t dummy_input[1] = {0}; - LLVMFuzzerTestOneInput(dummy_input, 1); + if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) { + + afl_qemu_driver_stdin_input(); + + } else { + + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); + + } return 0; } -- cgit v1.2.3 From 177db9cf7941975d31e2d1ff8304659d14561568 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 11:51:35 +0200 Subject: no inline in qemu driver --- examples/aflpp_driver/aflpp_qemu_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index 404ce84c..ea4dab95 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c 
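Review bot: `size_t l = read(0, AflInputBuf, kMaxAflInputSize);` stores a `ssize_t` in a `size_t`, so a failed read (-1) becomes `SIZE_MAX` and is handed to `LLVMFuzzerTestOneInput` as the input size, letting the target read far past `AflInputBuf`. Keep the signed type and bail on error; and because stdin may be a pipe, a single `read` can also return fewer bytes than were sent, so loop until EOF or the buffer is full. The rewritten function body is below; `main` is unchanged.
```c
void afl_qemu_driver_stdin_input(void) {

  size_t  total = 0;
  ssize_t n = 0;
  /* stdin may be a pipe: keep reading until EOF, error, or the buffer is full */
  while (total < kMaxAflInputSize &&
         (n = read(0, AflInputBuf + total, kMaxAflInputSize - total)) > 0)
    total += (size_t)n;
  if (n < 0) return;  /* read failed: do not hand the target a bogus length */
  LLVMFuzzerTestOneInput(AflInputBuf, total);

}
```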
@@ -9,7 +9,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); static const size_t kMaxAflInputSize = 1 << 20; static uint8_t AflInputBuf[kMaxAflInputSize]; -void afl_qemu_driver_stdin_input(void) { +void __attribute__ ((noinline)) afl_qemu_driver_stdin_input(void) { size_t l = read(0, AflInputBuf, kMaxAflInputSize); LLVMFuzzerTestOneInput(AflInputBuf, l); -- cgit v1.2.3 From dd0ca7335ff93090def7be7fd0b46e9f71375004 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 15:49:23 +0200 Subject: switch shmem_len to the map --- examples/aflpp_driver/aflpp_qemu_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index ea4dab95..604feb91 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -7,9 +7,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); static const size_t kMaxAflInputSize = 1 << 20; -static uint8_t AflInputBuf[kMaxAflInputSize]; +static uint8_t AflInputBuf[kMaxAflInputSize]; -void __attribute__ ((noinline)) afl_qemu_driver_stdin_input(void) { +void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) { size_t l = read(0, AflInputBuf, kMaxAflInputSize); LLVMFuzzerTestOneInput(AflInputBuf, l); @@ -31,7 +31,7 @@ int main(int argc, char **argv) { LLVMFuzzerTestOneInput(dummy_input, 1); } - + return 0; } -- cgit v1.2.3 From 35ddec7aebaa3fdd454118a31483f9c43e549d6a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 02:37:05 +0200 Subject: fix shmem persistent mode --- examples/persistent_demo/persistent_demo_new.c | 2 +- examples/persistent_demo/test-instr.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'examples') 
diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 69468bdd..98909442 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -45,7 +45,7 @@ int main(int argc, char **argv) { __AFL_INIT(); buf = __AFL_FUZZ_TESTCASE_BUF; - while (__AFL_LOOP(1000)) { + while (__AFL_LOOP(1000)) { // increase if you have good stability len = __AFL_FUZZ_TESTCASE_LEN; diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index 4cd07102..f7512790 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -25,7 +25,7 @@ int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - while (__AFL_LOOP(2147483647)) { + while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability unsigned int len = __AFL_FUZZ_TESTCASE_LEN; @@ -50,6 +50,8 @@ int main(int argc, char **argv) { counter++; #endif + fprintf(stderr, "len: %u\n", len); + if (!len) continue; if (buf[0] == '0') -- cgit v1.2.3 From 88e83c7322c66ef3df905f21caf8c07505443d50 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 02:53:24 +0200 Subject: code format --- examples/persistent_demo/test-instr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index f7512790..a6188b22 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -50,7 +50,7 @@ int main(int argc, char **argv) { counter++; #endif - fprintf(stderr, "len: %u\n", len); + // fprintf(stderr, "len: %u\n", len); if (!len) continue; -- cgit v1.2.3 From 2f73215d4f24d9059546aff2b82d7eef05fbe253 Mon Sep 17 00:00:00 2001 
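Review bot: The per-iteration `fprintf(stderr, "len: %u\n", len);` is left behind as commented-out code one commit after it was added; a debug line that is meant to be toggled is better kept compilable behind a macro, mirroring the `-D_AFL_DOCUMENT_MUTATIONS` switch this file already uses: `#ifdef _AFL_DEBUG_LEN` / `fprintf(stderr, "len: %u\n", len);` / `#endif`. Left enabled it costs a write syscall on every persistent-loop iteration, which is why it was disabled again so quickly. The enclosing `main` starts and ends outside the hunk.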
From: van Hauser Date: Thu, 4 Jun 2020 08:53:05 +0200 Subject: update libfuzzer driver --- examples/aflpp_driver/aflpp_driver.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index f2c604da..e0a90ff9 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -90,7 +90,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #endif int __afl_sharedmem_fuzzing = 1; -extern unsigned int __afl_fuzz_len; +extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. @@ -272,9 +272,9 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { - if (__afl_fuzz_len) { + if (*__afl_fuzz_len) { num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); -- cgit v1.2.3 From f1ad9bdaea754cd08581b7b41bac7f404763fde7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 09:10:58 +0200 Subject: fix --- examples/aflpp_driver/GNUmakefile | 2 +- examples/aflpp_driver/aflpp_qemu_driver.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 05ddebb0..988576d5 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -18,7 +18,7 @@ libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o aflpp_qemu_driver.o: aflpp_qemu_driver.c - $(LLVM_BINDIR)clang $(FLAGS) -funroll-loops -c aflpp_qemu_driver.c + $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c libAFLQemuDriver.a: aflpp_qemu_driver.o ar ru libAFLQemuDriver.a aflpp_qemu_driver.o 
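Review bot: `*__afl_fuzz_len` is dereferenced twice per iteration, once in the `if` and again as the `Size` argument, and the value lives in memory the fuzzer writes; snapshot it once so the check and the call cannot disagree: `unsigned int len = *__afl_fuzz_len;` / `if (len) {` / `LLVMFuzzerTestOneInput(__afl_fuzz_ptr, len);`. The pointer is only declared `extern` here and is presumably set up by `__afl_manual_init()` or the instrumentation runtime before the loop; a comment at the declaration saying who initializes it and that it must not be dereferenced before init would save the next reader a trip through the runtime. `main` starts and ends outside the hunk.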
diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index 604feb91..ee7dde10 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -27,7 +27,7 @@ int main(int argc, char **argv) { } else { - uint8_t dummy_input[1] = {0}; + uint8_t dummy_input[1024000] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); } -- cgit v1.2.3 From e01cad2f7de77c4704243d7011de2bff95fd59f7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 5 Jun 2020 09:42:17 +0200 Subject: qemu debug --- examples/aflpp_driver/aflpp_qemu_driver.c | 2 +- examples/qemu_persistent_hook/read_into_rdi.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c index ee7dde10..4f3e5f71 100644 --- a/examples/aflpp_driver/aflpp_qemu_driver.c +++ b/examples/aflpp_driver/aflpp_qemu_driver.c @@ -6,7 +6,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); -static const size_t kMaxAflInputSize = 1 << 20; +static const size_t kMaxAflInputSize = 1 * 1024 * 1024; static uint8_t AflInputBuf[kMaxAflInputSize]; void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) { diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 180d9f00..bd6d3f45 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c @@ -1,6 +1,7 @@ #include #include #include +#include #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) #define h2g(x) ((uint64_t)(x)-guest_base) -- cgit v1.2.3 From 372206e159f4f3d150543411872319fb8fae0b66 Mon Sep 17 00:00:00 2001 
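Review bot: `uint8_t dummy_input[1024000] = {0};` does not match `kMaxAflInputSize` in the same file (`1 << 20` = 1048576 here, spelled `1 * 1024 * 1024` two commits later on this page), and the hook in aflpp_qemu_driver_hook.c copies `input_len` into this buffer with no cap, so an input between 1024000 and 1048576 bytes still overruns `main`'s stack. Passing the existing static buffer instead, `LLVMFuzzerTestOneInput(AflInputBuf, 1);`, gives the hook one buffer and one bound and avoids zero-filling a 1 MB stack array on every start (and whatever guest stack limit that may hit). If `kMaxAflInputSize` is to size arrays it should be a `#define` or `enum` rather than `static const size_t`: GCC rejects variably-modified arrays at file scope, and clang only accepts `AflInputBuf[kMaxAflInputSize]` by folding the constant as an extension.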
From: van Hauser Date: Sat, 6 Jun 2020 11:45:08 +0200 Subject: aflpp_debug --- examples/aflpp_driver/GNUmakefile | 10 +++++++++- examples/aflpp_driver/aflpp_driver.cpp | 7 +++++-- examples/aflpp_driver/aflpp_driver_test.cpp | 20 ++++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 examples/aflpp_driver/aflpp_driver_test.cpp (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 988576d5..7ddfc485 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -17,6 +17,11 @@ aflpp_driver.o: aflpp_driver.cpp libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o +debug: + $(LLVM_BINDIR)clang++ -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + ar ru libAFLDriver.a aflpp_driver.o + + aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c @@ -29,5 +34,8 @@ aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c +test: libAFLDriver.a aflpp_driver_test.cpp + afl-clang-fast++ -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a + clean: - rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core + rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index e0a90ff9..a60eb264 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp 
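Review bot: The new `debug:` target compiles `aflpp_driver.o` with `-D_DEBUG` and then archives it into the same `libAFLDriver.a` that `all` produces, so `make debug` silently replaces the production library and a subsequent `make` will not rebuild it because the `.o` is newer than the source; give the debug build its own output, e.g. `ar ru libAFLDriverDebug.a aflpp_driver.o`, or make `debug` depend on `clean`. `_DEBUG` is also an identifier reserved for the implementation (leading underscore followed by an uppercase letter); `AFL_DRIVER_DEBUG` avoids the clash.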
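Review bot: The `test` target links with `-Wl,--allow-multiple-definition`, which suppresses duplicate-symbol errors for the whole link and can quietly pick the wrong definition; if it is there to paper over a specific clash (presumably `main` or `LLVMFuzzerTestOneInput` between aflpp_driver_test.cpp and the archive), a comment naming that symbol, e.g. `# --allow-multiple-definition: <symbol> is defined both in the test and in libAFLDriver.a`, keeps the next reader from removing it or copying it into other targets blindly.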
@@ -246,7 +246,8 @@ int main(int argc, char **argv) { LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - int N = 1000; + uint8_t dummy_input[1] = {0}; + int N = 100000; if (argc == 2 && argv[1][0] == '-') N = atoi(argv[1] + 1); else if(argc == 2 && (N = atoi(argv[1])) > 0) @@ -267,11 +268,13 @@ int main(int argc, char **argv) { // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - uint8_t dummy_input[1] = {0}; LLVMFuzzerTestOneInput(dummy_input, 1); int num_runs = 0; while (__afl_persistent_loop(N)) { +#ifdef _DEBUG + fprintf(stderr, "len: %u\n", *__afl_fuzz_len); +#endif if (*__afl_fuzz_len) { num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp new file mode 100644 index 00000000..81aa9db4 --- /dev/null +++ b/examples/aflpp_driver/aflpp_driver_test.cpp @@ -0,0 +1,20 @@ +#include +#include +#include + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + + fprintf(stderr, "Received size %lu\n", Size); + + if (Size < 4) + return 0; + + if (Data[0] == 'F') + if (Data[1] == 'A') + if (Data[2] == '$') + if (Data[3] == '$') + abort(); + + return 0; + +} -- cgit v1.2.3
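Review bot: `fprintf(stderr, "Received size %lu\n", Size);` passes a `size_t` to `%lu`; on LP64 Linux this happens to match, but it is undefined on ILP32 and LLP64 targets — use `%zu`. The `Size < 4` guard before reading `Data[0..3]` is what keeps the deliberate `abort()` on `FA$$` from ever being an out-of-bounds read, so it should stay ahead of any future checks. A one-line comment such as `// intentional crash so the driver's crash path can be exercised` would help, since a bare `abort()` in a fuzz target otherwise reads as a bug.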