From e8da5f9e2894a89e36f899719e442a897a189f1f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 11 Jun 2020 19:30:28 +0200 Subject: code format and debug --- examples/aflpp_driver/GNUmakefile | 2 +- examples/aflpp_driver/aflpp_driver.cpp | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 7ddfc485..90844a4a 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -18,7 +18,7 @@ libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o debug: - $(LLVM_BINDIR)clang++ -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp ar ru libAFLDriver.a aflpp_driver.o diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a60eb264..88354912 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -54,6 +54,10 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #include #include +#ifdef _DEBUG +#include "hash.h" +#endif + // Platform detection. Copied from FuzzerInternal.h #ifdef __linux__ #define LIBFUZZER_LINUX 1 @@ -273,7 +277,7 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { #ifdef _DEBUG - fprintf(stderr, "len: %u\n", *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash32(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); #endif if (*__afl_fuzz_len) { num_runs++; -- cgit 1.4.1 From db2e04361da8f40a7ee99fef1c2a2ed8f08b0501 Mon Sep 17 00:00:00 2001 
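Review bot: The new debug print in the persistent loop calls `hash32()` from C++ through `include/hash.h`, whose prototypes need an `extern "C"` guard for the call to resolve against the C definition; hash.h is not shown here, so confirm it has one before relying on the `debug` target. `_DEBUG`, introduced through `-D_DEBUG=\"1\"` in the GNUmakefile hunk, is also a reserved identifier — a leading underscore followed by an uppercase letter belongs to the implementation, and MSVC's CRT already defines exactly this name — so a project-prefixed name such as `AFL_DRIVER_DEBUG` avoids collisions. main() continues outside the hunk.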
From: van Hauser Date: Fri, 12 Jun 2020 11:57:54 +0200 Subject: shm debug and fixes --- examples/aflpp_driver/GNUmakefile | 5 ++--- examples/aflpp_driver/aflpp_driver.cpp | 10 +++++++++- examples/aflpp_driver/aflpp_driver_test.cpp | 8 +++++--- llvm_mode/afl-llvm-rt.o.c | 4 ++-- src/afl-forkserver.c | 14 ++++++++++++-- 5 files changed, 30 insertions(+), 11 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 90844a4a..24f959e6 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -7,7 +7,7 @@ ifneq "" "$(LLVM_BINDIR)" LLVM_BINDIR := $(LLVM_BINDIR)/ endif -FLAGS=-O3 -funroll-loops +FLAGS=-O2 -funroll-loops all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so @@ -20,7 +20,6 @@ libAFLDriver.a: aflpp_driver.o debug: $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp ar ru libAFLDriver.a aflpp_driver.o - aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c @@ -35,7 +34,7 @@ aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c test: libAFLDriver.a aflpp_driver_test.cpp - afl-clang-fast++ -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a + afl-clang-fast++ -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a clean: rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 88354912..68a1783f 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp 
@@ -230,6 +230,8 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { } int main(int argc, char **argv) { + unsigned char in_buf[1024000]; + size_t in_buf_len; Printf( "======================= INFO =========================\n" "This binary is built for AFL-fuzz.\n" @@ -278,10 +280,16 @@ int main(int argc, char **argv) { while (__afl_persistent_loop(N)) { #ifdef _DEBUG fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash32(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "RECV:"); + for (int i = 0; i < *__afl_fuzz_len; i++) + fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); + fprintf(stderr,"\n"); #endif if (*__afl_fuzz_len) { num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + in_buf_len = *__afl_fuzz_len; + memcpy(in_buf, __afl_fuzz_ptr, in_buf_len); + LLVMFuzzerTestOneInput(in_buf, in_buf_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp index 81aa9db4..799c743d 100644 --- a/examples/aflpp_driver/aflpp_driver_test.cpp +++ b/examples/aflpp_driver/aflpp_driver_test.cpp @@ -1,19 +1,21 @@ #include #include #include +#include "hash.h" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - fprintf(stderr, "Received size %lu\n", Size); + fprintf(stderr, "FUNC crc: %08x len: %lu\n", hash32(Data, Size, 0xa5b35705), Size); - if (Size < 4) + if (Size < 5) return 0; if (Data[0] == 'F') if (Data[1] == 'A') if (Data[2] == '$') if (Data[3] == '$') - abort(); + if (Data[4] == '$') + abort(); return 0; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 702384a3..80ffc19f 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
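Review bot: `memcpy(in_buf, __afl_fuzz_ptr, in_buf_len)` copies a length taken from shared memory (`*__afl_fuzz_len`, written by the fuzzer) into a fixed 1,024,000-byte stack array with no comparison against `sizeof(in_buf)`; the runtime maps `MAX_FILE + sizeof(u32)` bytes for that region, so any MAX_FILE above 1,024,000 lets a long testcase overrun the stack. Clamp before the copy, `if (in_buf_len > sizeof(in_buf)) in_buf_len = sizeof(in_buf);`, or size the buffer from MAX_FILE now that the project headers are on the include path. The hex-dump loop compares a signed `int i` against the `u32` length; `for (u32 i = 0; ...)` keeps `-Wsign-compare` quiet. main() starts and ends outside this hunk.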
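Review bot: `"FUNC crc: %08x len: %lu\n"` prints a `size_t` with `%lu`, which is only correct on platforms where `unsigned long` happens to have the same width; `%zu` is the portable specifier. Raising the early return to `Size < 5` together with the fifth `Data[4]` check keeps the magic-prefix compare in bounds, so the rest of the harness change reads fine.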
@@ -139,7 +139,7 @@ static void __afl_map_shm_fuzz() { } - map = (u8 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); + map = (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0); #else u32 shm_id = atoi(id_str); @@ -157,7 +157,7 @@ static void __afl_map_shm_fuzz() { } __afl_fuzz_len = (u32 *)map; - __afl_fuzz_ptr = (u8 *)(map + sizeof(u32)); + __afl_fuzz_ptr = map + sizeof(u32); if (getenv("AFL_DEBUG")) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 330fb1de..edabe5df 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -32,6 +32,7 @@ #include "common.h" #include "list.h" #include "forkserver.h" +#include "hash.h" #include #include @@ -837,8 +838,17 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - // fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, - // *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); +#ifdef _DEBUG + fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, + *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); +#endif } else { -- cgit 1.4.1 From 6a216b5708a21283c2a8dbc05af6c98c067b9e08 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 15 Jun 2020 21:39:45 +0200 Subject: make aflpp driver performant again --- examples/aflpp_driver/GNUmakefile | 2 +- examples/aflpp_driver/aflpp_driver.cpp | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 24f959e6..a4969a88 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile 
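Review bot: The corrected `mmap(0, MAX_FILE + sizeof(u32), PROT_READ, ...)` still leaves `map` unchecked against `MAP_FAILED` inside this hunk; if that check sits past the `#endif` that is fine, otherwise `__afl_fuzz_len = (u32 *)map` dereferences -1 on the first persistent iteration. The mapping being read-only is the right choice for a fuzz input, but it means `__afl_fuzz_ptr` must never reach code that mutates its buffer — a one-line comment next to the assignment, `/* PROT_READ mapping: targets must treat __afl_fuzz_ptr as const */`, saves the next reader a crash investigation. `__afl_map_shm_fuzz` starts before the hunk.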
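Review bot: In `afl_fsrv_write_to_testcase` the context lines `*fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len);` narrow a `size_t` into the `u32` length header and copy without any visible check that `len` fits the mapping, which the runtime sizes at `MAX_FILE + sizeof(u32)`; unless every caller already clamps to MAX_FILE, add `if (len > MAX_FILE) len = MAX_FILE;` before the store, or FATAL on it. The new hex-dump loops use `int i` against a `u32` bound — `u32 i` avoids the signed/unsigned comparison. The function starts before the hunk and continues after it.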
@@ -7,7 +7,7 @@ ifneq "" "$(LLVM_BINDIR)" LLVM_BINDIR := $(LLVM_BINDIR)/ endif -FLAGS=-O2 -funroll-loops +FLAGS=-O3 -funroll-loops all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index 68a1783f..cf96dc4f 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -230,8 +230,6 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { } int main(int argc, char **argv) { - unsigned char in_buf[1024000]; - size_t in_buf_len; Printf( "======================= INFO =========================\n" "This binary is built for AFL-fuzz.\n" @@ -287,9 +285,7 @@ int main(int argc, char **argv) { #endif if (*__afl_fuzz_len) { num_runs++; - in_buf_len = *__afl_fuzz_len; - memcpy(in_buf, __afl_fuzz_ptr, in_buf_len); - LLVMFuzzerTestOneInput(in_buf, in_buf_len); + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); } } Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); -- cgit 1.4.1 From 910b9f3f25c03d64a5e80726fe5724e95571dc33 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 28 Jun 2020 16:53:31 +0200 Subject: O2 instead of O3 for .o target files --- examples/aflpp_driver/GNUmakefile | 2 +- llvm_mode/GNUmakefile | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index a4969a88..02d08bfc 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -7,7 +7,7 @@ ifneq "" "$(LLVM_BINDIR)" LLVM_BINDIR := $(LLVM_BINDIR)/ endif -FLAGS=-O3 -funroll-loops +FLAGS=-O2 -g all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index 4cc55d92..ed0afb0c 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile 
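Review bot: `LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len)` now hands the harness a pointer straight into the shared-memory testcase, which the runtime maps `PROT_READ` (see the `__afl_map_shm_fuzz` hunk earlier in this series), so any target that writes into its input — common in practice even though the libFuzzer contract declares `Data` const — will SIGSEGV and afl-fuzz will file that as a crash. A comment at the call site should say so, e.g. `// __afl_fuzz_ptr is a read-only shared mapping; the target must not modify Data in place`, and the INFO banner printed by this driver is a good place to repeat it. If in-place mutation has to be supported, the copy this commit removes needs to come back bounded by MAX_FILE rather than a fixed 1,024,000-byte array. main() starts and ends outside the hunk.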
@@ -376,15 +376,15 @@ document: @$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) -O3 -Wno-unused-result -m64 -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt-64.o 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi ../afl-llvm-rt.o: afl-llvm-rt.o.c | test_deps - $(CLANG_BIN) $(CFLAGS_SAFE) -O3 -Wno-unused-result -fPIC -c $< -o $@ + $(CLANG_BIN) $(CFLAGS_SAFE) -O2 -Wno-unused-result -fPIC -c $< -o $@ ../afl-llvm-rt-32.o: afl-llvm-rt.o.c | test_deps @printf "[*] Building 32-bit variant of the runtime (-m32)... " - @$(CLANG_BIN) $(CFLAGS_SAFE) -O3 -Wno-unused-result -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi + @$(CLANG_BIN) $(CFLAGS_SAFE) -O2 -Wno-unused-result -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi ../afl-llvm-rt-64.o: afl-llvm-rt.o.c | test_deps @printf "[*] Building 64-bit variant of the runtime (-m64)... " - @$(CLANG_BIN) $(CFLAGS_SAFE) -O3 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi + @$(CLANG_BIN) $(CFLAGS_SAFE) -O2 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi test_build: $(PROGS) @echo "[*] Testing the CC wrapper and instrumentation output..." -- cgit 1.4.1 From 81974c4d5e63211744153f2ebcfb246046edbc5b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 28 Jun 2020 22:50:18 +0200 Subject: debug code --- examples/aflpp_driver/GNUmakefile | 6 +++--- examples/aflpp_driver/aflpp_driver.cpp | 2 +- llvm_mode/GNUmakefile | 6 +++--- src/afl-common.c | 1 + src/afl-showmap.c | 9 +++++++++ 5 files changed, 17 insertions(+), 7 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index 02d08bfc..bd568224 100644 
--- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -7,18 +7,18 @@ ifneq "" "$(LLVM_BINDIR)" LLVM_BINDIR := $(LLVM_BINDIR)/ endif -FLAGS=-O2 -g +FLAGS=-O3 -funroll-loops -g all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so aflpp_driver.o: aflpp_driver.cpp - $(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + $(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -std=c++11 -c aflpp_driver.cpp libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o debug: - $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" -g -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp ar ru libAFLDriver.a aflpp_driver.o aflpp_qemu_driver.o: aflpp_qemu_driver.c diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index cf96dc4f..a1eab178 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -277,7 +277,7 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { #ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash32(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); fprintf(stderr, "RECV:"); for (int i = 0; i < *__afl_fuzz_len; i++) fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index ed0afb0c..4cc55d92 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile 
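Review bot: `hash64()` returns a `u64` but the switched call is still printed with `%08x`, which expects an `unsigned int` — a format/argument mismatch that is undefined behaviour and on x86-64 typically shows only the low 32 bits; use `"CLIENT crc: %016llx len: %u\n"`. The `debug` recipe in the GNUmakefile hunk drops `$(FLAGS)` and with it any warning flags; adding `-Wall -Wformat` there would have caught this at compile time. main() continues outside the hunk.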
@@ -376,15 +376,15 @@ document: @$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) -O3 -Wno-unused-result -m64 -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt-64.o 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi ../afl-llvm-rt.o: afl-llvm-rt.o.c | test_deps - $(CLANG_BIN) $(CFLAGS_SAFE) -O2 -Wno-unused-result -fPIC -c $< -o $@ + $(CLANG_BIN) $(CFLAGS_SAFE) -O3 -Wno-unused-result -fPIC -c $< -o $@ ../afl-llvm-rt-32.o: afl-llvm-rt.o.c | test_deps @printf "[*] Building 32-bit variant of the runtime (-m32)... " - @$(CLANG_BIN) $(CFLAGS_SAFE) -O2 -Wno-unused-result -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi + @$(CLANG_BIN) $(CFLAGS_SAFE) -O3 -Wno-unused-result -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi ../afl-llvm-rt-64.o: afl-llvm-rt.o.c | test_deps @printf "[*] Building 64-bit variant of the runtime (-m64)... " - @$(CLANG_BIN) $(CFLAGS_SAFE) -O2 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi + @$(CLANG_BIN) $(CFLAGS_SAFE) -O3 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi test_build: $(PROGS) @echo "[*] Testing the CC wrapper and instrumentation output..." diff --git a/src/afl-common.c b/src/afl-common.c index 2802cda3..79d419cd 100644 --- a/src/afl-common.c +++ b/src/afl-common.c 
@@ -54,6 +54,7 @@ char *afl_environment_variables[] = { "AFL_CMIN_CRASHES_ONLY", "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME", "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT", + "AFL_DEBUG_GDB", //"AFL_DEFER_FORKSRV", // not implemented anymore, so warn additionally "AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", "AFL_DUMB_FORKSRV", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE", "AFL_FAST_CAL", "AFL_FORCE_UI", diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 24e83721..994d80eb 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -890,10 +890,13 @@ int main(int argc, char **argv_orig, char **envp) { struct dirent *dir_ent; int done = 0; u8 infile[PATH_MAX], outfile[PATH_MAX]; + u8 wait_for_gdb = 0; #if !defined(DT_REG) struct stat statbuf; #endif + if (getenv("AFL_DEBUG_GDB")) wait_for_gdb = 1; + fsrv->dev_null_fd = open("/dev/null", O_RDWR); if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } @@ -982,6 +985,12 @@ int main(int argc, char **argv_orig, char **envp) { if (read_file(infile)) { + if (wait_for_gdb) { + fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); + fprintf(stderr, "exec: kill -CONT %d\n", getpid()); + kill(0, SIGSTOP); + } + showmap_run_target_forkserver(fsrv, use_argv, in_data, in_len); ck_free(in_data); tcnt = write_results_to_file(fsrv, outfile); -- cgit 1.4.1 From c25a602a0370f484e32adbf186290d2504cf3f12 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 28 Jun 2020 23:47:57 +0200 Subject: less problematic definitions --- examples/aflpp_driver/GNUmakefile | 10 +++++++--- examples/aflpp_driver/aflpp_driver.cpp | 2 +- examples/aflpp_driver/aflpp_driver_test.cpp | 2 +- include/afl-prealloc.h | 2 +- include/alloc-inl.h | 6 +++--- include/hash.h | 4 ++-- src/afl-performance.c | 10 +++++++--- 7 files changed, 22 insertions(+), 14 deletions(-) (limited to 'examples') 
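Review bot: `kill(0, SIGSTOP)` stops every process in afl-showmap's process group, not just showmap and its forkserver: run from a script or CI job without job control the parent shell shares that group and freezes too, and SIGSTOP cannot be caught to undo it. `raise(SIGSTOP)` stops only this process; if the forkserver should pause as well, signal it explicitly by its pid. The printed `fsrv->child_pid` is read before `showmap_run_target_forkserver()` forks the target for this input, so it presumably still holds the previous run's already-reaped pid, or zero for the first file — verify which pid the `gdb -p` hint is meant to show. main() continues outside the hunk.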
diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index bd568224..a993c8a9 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -18,8 +18,11 @@ libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o debug: + $(LLVM_BINDIR)clang++ -Wno-deprecated -I../../include $(FLAGS) -D_DEBUG=\"1\" -c -o afl-performance.o ../../src/afl-performance.c $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" -g -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp - ar ru libAFLDriver.a aflpp_driver.o + #$(LLVM_BINDIR)clang++ -S -emit-llvm -Wno-deprecated -I../../include $(FLAGS) -D_DEBUG=\"1\" -c -o afl-performance.ll ../../src/afl-performance.c + #$(LLVM_BINDIR)clang++ -S -emit-llvm -I../../include -D_DEBUG=\"1\" -g -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + ar ru libAFLDriver.a afl-performance.o aflpp_driver.o aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c @@ -33,8 +36,9 @@ aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c -test: libAFLDriver.a aflpp_driver_test.cpp - afl-clang-fast++ -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a +test: debug + #clang++ -S -emit-llvm -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test.ll aflpp_driver_test.cpp + afl-clang-fast++ -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a clean: rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test 
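Review bot: `test: debug` now rebuilds `libAFLDriver.a` with `-D_DEBUG` and adds `afl-performance.o` to the same archive that `all` produces, and `ar ru` only adds or replaces members, so after one `make test` the release archive keeps the debug driver and the extra object until `make clean`; build the debug variant into its own archive, e.g. `ar ru libAFLDriver-debug.a afl-performance.o aflpp_driver.o`, and link the test against that. `$(LLVM_BINDIR)clang++ ... ../../src/afl-performance.c` compiles a C file as C++ (which is why `-Wno-deprecated` had to be added); use `$(LLVM_BINDIR)clang` for it. The two commented-out `-S -emit-llvm` recipes are scratch work and should not be committed.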
diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a1eab178..d6163bdf 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -277,7 +277,7 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { #ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); fprintf(stderr, "RECV:"); for (int i = 0; i < *__afl_fuzz_len; i++) fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp index 799c743d..13dc09b9 100644 --- a/examples/aflpp_driver/aflpp_driver_test.cpp +++ b/examples/aflpp_driver/aflpp_driver_test.cpp @@ -5,7 +5,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - fprintf(stderr, "FUNC crc: %08x len: %lu\n", hash32(Data, Size, 0xa5b35705), Size); + fprintf(stderr, "FUNC crc: %016llx len: %lu\n", hash64((u8*)Data, (unsigned int) Size, (unsigned long long int) 0xa5b35705), Size); if (Size < 5) return 0; diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index 5e5d7b85..a9de3ba2 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h @@ -60,7 +60,7 @@ typedef enum prealloc_status { \ if ((prealloc_counter) >= (prealloc_size)) { \ \ - el_ptr = malloc(sizeof(*el_ptr)); \ + el_ptr = (element_t *) malloc(sizeof(*el_ptr)); \ if (!el_ptr) { FATAL("error in list.h -> out of memory for element!"); } \ el_ptr->pre_status = PRE_STATUS_MALLOC; \ \ diff --git a/include/alloc-inl.h b/include/alloc-inl.h index ca593549..decc2d43 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h 
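Review bot: `hash64((u8*)Data, ...)` in aflpp_driver_test.cpp casts away the `const` on the fuzzer entry point's `Data` parameter solely to satisfy the non-const prototype hash.h now carries; the cast is the wrong place to fix that and invites a later write through the pointer into what is a read-only shared mapping. Keep `const u8 *` in hash.h and drop the cast here. `%lu` for a `size_t` should be `%zu`, and the `(unsigned int)` / `(unsigned long long int)` casts on the other arguments only restate the conversions the `u32`/`u64` prototype already performs.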
@@ -170,10 +170,10 @@ static inline u8 *DFL_ck_strdup(u8 *str) { size = strlen((char *)str) + 1; ALLOC_CHECK_SIZE(size); - ret = malloc(size); + ret = (u8*) malloc(size); ALLOC_CHECK_RESULT(ret, size); - return memcpy(ret, str, size); + return (u8*)memcpy(ret, str, size); } @@ -204,7 +204,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); - ret = malloc(size + 1); + ret = (u8*) malloc(size + 1); ALLOC_CHECK_RESULT(ret, size); memcpy(ret, mem, size); diff --git a/include/hash.h b/include/hash.h index 6910e0e2..9d42e44b 100644 --- a/include/hash.h +++ b/include/hash.h @@ -30,8 +30,8 @@ #include "types.h" -u32 hash32(const void *key, u32 len, u32 seed); -u64 hash64(const void *key, u32 len, u64 seed); +u32 hash32(u8 *key, u32 len, u32 seed); +u64 hash64(u8 *key, u32 len, u64 seed); #if 0 diff --git a/src/afl-performance.c b/src/afl-performance.c index a3febdbf..b3d30cbd 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -37,7 +37,7 @@ void rand_set_seed(afl_state_t *afl, s64 init_seed) { afl->init_seed = init_seed; afl->rand_seed[0] = - hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); + hash64((u8 *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; 
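Review bot: Dropping `const` from `hash32(u8 *key, ...)` and `hash64(u8 *key, ...)` makes the API stricter than its implementation — `XXH64()` takes `const void *` and never writes the key — and forces every read-only caller to cast it away, as `(u8 *)&afl->init_seed` in the afl-performance.c hunk and the harness's `(u8 *)Data` now do. Keep the qualifier: `u32 hash32(const u8 *key, u32 len, u32 seed);` and `u64 hash64(const u8 *key, u32 len, u64 seed);`. If the motive was a C++ conversion error on `const void *` in the driver, `const u8 *` resolves that just as well without the casts.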
@@ -141,13 +141,17 @@ void long_jump(afl_state_t *afl) { /* we switch from afl's murmur implementation to xxh3 as it is 30% faster - and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ -u32 inline hash32(const void *key, u32 len, u32 seed) { +u32 inline hash32(void *key, u32 len, u32 seed) { return (u32)XXH64(key, len, seed); } -u64 inline hash64(const void *key, u32 len, u64 seed) { +#ifdef _DEBUG +u64 hash64(u8 *key, u32 len, u64 seed) { +#else +u64 inline hash64(u8 *key, u32 len, u64 seed) { +#endif return XXH64(key, len, seed); -- cgit 1.4.1 From e5e485fcdb039fc77842b0753a4adf42d6063388 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 29 Jun 2020 00:58:05 +0200 Subject: fix autodict --- GNUmakefile | 4 +-- examples/persistent_demo/persistent_demo_new.c | 4 +++ include/afl-prealloc.h | 2 +- include/alloc-inl.h | 6 ++--- llvm_mode/afl-llvm-rt.o.c | 6 +++++ src/afl-forkserver.c | 36 ++++++++++++++++---------- src/afl-fuzz-run.c | 26 ++++++++++++------- src/afl-performance.c | 4 +++ src/afl-showmap.c | 4 ++- 9 files changed, 62 insertions(+), 30 deletions(-) (limited to 'examples') diff --git a/GNUmakefile b/GNUmakefile index d95eaab1..748cd73c 100644 --- a/GNUmakefile +++ b/GNUmakefile 
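Review bot: The definition `u32 inline hash32(void *key, u32 len, u32 seed)` no longer matches the prototype this same commit puts in hash.h, `u32 hash32(u8 *key, u32 len, u32 seed)`; in C that is a conflicting-types error wherever both declarations are visible, and it leaves hash32 and hash64 with different parameter types. The `#ifdef _DEBUG` split for hash64 papers over the underlying problem: a file-scope C99 `inline` definition without `extern` emits no external symbol unless a non-inline declaration is also in scope, which is presumably the link failure the debug build hit. The cleaner fix is to drop `inline` from both definitions — they are called from other translation units and only forward to `XXH64()`, which the optimizer inlines on its own — and take `const u8 *key` to match XXH64's `const void *`. The hunk ends inside hash64's body.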
@@ -394,8 +394,8 @@ afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86 # document all mutations and only do one run (use with only one input file!) -document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 - $(CC) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) +document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86 + $(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 98909442..e4e328b0 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -49,9 +49,13 @@ int main(int argc, char **argv) { len = __AFL_FUZZ_TESTCASE_LEN; + fprintf(stderr, "input: %zd \"%s\"\n", len, buf); + /* do we have enough data? */ if (len < 8) continue; + if (strcmp((char *)buf, "thisisateststring") == 0) printf("teststring\n"); + if (buf[0] == 'f') { printf("one\n"); diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index a9de3ba2..fa6c9b70 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h 
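Review bot: `fprintf(stderr, "input: %zd \"%s\"\n", len, buf)` and `strcmp((char *)buf, "thisisateststring")` treat the shared-memory testcase as a NUL-terminated string, but it is exactly `len` bytes followed by whatever sits in the mapping after it, so both read past the input (and past the mapping when the testcase fills it); this is the demo people copy into their own harnesses. Print with a length, `fprintf(stderr, "input: %u \"%.*s\"\n", (unsigned)len, (int)len, (char *)buf);`, and compare with `if (len == 17 && memcmp(buf, "thisisateststring", 17) == 0) printf("teststring\n");`. `%zd` also assumes `len` is `ssize_t`; its declaration is outside the hunk, so check it against the type `__AFL_FUZZ_TESTCASE_LEN` yields. main() starts and ends outside the hunk.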
@@ -60,7 +60,7 @@ typedef enum prealloc_status { \ if ((prealloc_counter) >= (prealloc_size)) { \ \ - el_ptr = (element_t *) malloc(sizeof(*el_ptr)); \ + el_ptr = (element_t *)malloc(sizeof(*el_ptr)); \ if (!el_ptr) { FATAL("error in list.h -> out of memory for element!"); } \ el_ptr->pre_status = PRE_STATUS_MALLOC; \ \ diff --git a/include/alloc-inl.h b/include/alloc-inl.h index decc2d43..832b2de4 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -170,10 +170,10 @@ static inline u8 *DFL_ck_strdup(u8 *str) { size = strlen((char *)str) + 1; ALLOC_CHECK_SIZE(size); - ret = (u8*) malloc(size); + ret = (u8 *)malloc(size); ALLOC_CHECK_RESULT(ret, size); - return (u8*)memcpy(ret, str, size); + return (u8 *)memcpy(ret, str, size); } @@ -204,7 +204,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); - ret = (u8*) malloc(size + 1); + ret = (u8 *)malloc(size + 1); ALLOC_CHECK_RESULT(ret, size); memcpy(ret, mem, size); diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 184dcd0f..f81d13ee 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -395,6 +395,9 @@ static void __afl_start_snapshots(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "target forkserver recv: %08x\n", was_killed); + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) == (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) { @@ -594,6 +597,9 @@ static void __afl_start_forkserver(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "target forkserver recv: %08x\n", was_killed); + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) == (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index bb7a6797..c5709b33 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
@@ -596,9 +596,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, // this is not afl-fuzz - we deny and return if (fsrv->use_shmem_fuzz) - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); + status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); else - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + status = (FS_OPT_ENABLED); if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { FATAL("Writing to forkserver failed."); @@ -610,7 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } if (!be_quiet) { ACTF("Using AUTODICT feature."); } - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + + if (fsrv->use_shmem_fuzz) + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); + else + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { FATAL("Writing to forkserver failed."); @@ -862,16 +867,21 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), - *fsrv->shmem_fuzz_len); - fprintf(stderr, "SHM :"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); - fprintf(stderr, "\nORIG:"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", buf[i]); - fprintf(stderr, "\n"); + if (getenv("AFL_DEBUG")) { + + fprintf(stderr, "FS crc: %016llx len: %u\n", + hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), + *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); + + } + #endif } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 52931a39..2a1664e2 100644 
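Review bot: `getenv("AFL_DEBUG")` is now evaluated on every call to `afl_fsrv_write_to_testcase`, i.e. once per execution on the hottest path in the fuzzer, while the parallel hunk in afl-fuzz-run.c reads the cached `afl->debug` flag; a debug build still has to be fast enough to reproduce timing-dependent problems, so resolve it once — a `debug` field on `afl_forkserver_t` filled in the init function — and test that here. The two dump loops keep `int i` against a `u32` bound; `u32 i` avoids the signed/unsigned compare. The function starts before the hunk and continues after it.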
--- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -156,16 +156,22 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, *afl->fsrv.shmem_fuzz_len = len - skip_len; #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), - *fsrv->shmem_fuzz_len); - fprintf(stderr, "SHM :"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); - fprintf(stderr, "\nORIG:"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", buf[i]); - fprintf(stderr, "\n"); + if (afl->debug) { + + fprintf( + stderr, "FS crc: %16llx len: %u\n", + hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, 0xa5b35705), + *afl->fsrv.shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) + fprintf(stderr, "%02x", afl->fsrv.shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) + fprintf(stderr, "%02x", (u8)((u8 *)mem)[i]); + fprintf(stderr, "\n"); + + } + #endif return; diff --git a/src/afl-performance.c b/src/afl-performance.c index 0832dc39..0c1697a8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -143,8 +143,10 @@ void long_jump(afl_state_t *afl) { #ifdef _DEBUG u32 hash32(u8 *key, u32 len, u32 seed) { + #else u32 inline hash32(u8 *key, u32 len, u32 seed) { + #endif return (u32)XXH64(key, len, seed); @@ -153,8 +155,10 @@ u32 inline hash32(u8 *key, u32 len, u32 seed) { #ifdef _DEBUG u64 hash64(u8 *key, u32 len, u64 seed) { + #else u64 inline hash64(u8 *key, u32 len, u64 seed) { + #endif return XXH64(key, len, seed); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 994d80eb..883398ff 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
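Review bot: `%16llx` drops the zero padding the other three debug sites use (`%016llx`), so a hash with leading zero nibbles prints space-padded and the FS/CLIENT/FUNC lines this dump exists to compare no longer line up; change it to `"FS crc: %016llx len: %u\n"`. The ORIG dump walks `mem` for `*afl->fsrv.shmem_fuzz_len` bytes, which is `len - skip_len`, while the SHM copy presumably omits the `[skip_at, skip_at + skip_len)` gap, so every byte after `skip_at` is compared against the wrong offset — dump all `len` bytes of `mem`, or skip the gap in the loop. `write_with_gap` starts before the hunk and ends after it.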
@@ -985,10 +985,12 @@ int main(int argc, char **argv_orig, char **envp) { if (read_file(infile)) { - if (wait_for_gdb) { + if (wait_for_gdb) { + fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); fprintf(stderr, "exec: kill -CONT %d\n", getpid()); kill(0, SIGSTOP); + } showmap_run_target_forkserver(fsrv, use_argv, in_data, in_len); -- cgit 1.4.1