From a6521e89fc521a07013fd28896ac755f6b8c3a6b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 10 Aug 2020 01:04:50 +0200 Subject: different driver --- examples/aflpp_driver/aflpp_driver.c | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 7d388799..35b4f67f 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c @@ -106,9 +106,6 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #error "Support for your platform has not been implemented" #endif -int __afl_sharedmem_fuzzing = 1; -extern unsigned int * __afl_fuzz_len; -extern unsigned char *__afl_fuzz_ptr; extern unsigned char *__afl_area_ptr; // extern struct cmp_map *__afl_cmp_map; @@ -269,6 +266,7 @@ __attribute__((constructor(1))) void __afl_protect(void) { int main(int argc, char **argv) { fprintf(stderr, "dummy map is at %p\n", __afl_area_ptr); + unsigned char buf[1024000]; printf( "======================= INFO =========================\n" @@ -306,7 +304,6 @@ int main(int argc, char **argv) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { - __afl_sharedmem_fuzzing = 0; munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 __afl_area_ptr = NULL; __afl_manual_init(); 
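Review bot: The `unsigned char buf[1024000];` added to main puts a 1 MB automatic array on main's stack and sizes it with a bare literal that the read loop added later in this commit reuses via `sizeof(buf)` as the silent cap on input length. A named constant documents that cap and `static` keeps the array out of main's frame, which matters once the target is built with sanitizers that inflate stack usage: `enum { AFL_DRIVER_MAX_INPUT = 1024000 };` and `static unsigned char buf[AFL_DRIVER_MAX_INPUT];`. main's body continues outside the hunk.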
@@ -328,25 +325,17 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { -#ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %016llx len: %u\n", - hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), - *__afl_fuzz_len); - fprintf(stderr, "RECV:"); - for (int i = 0; i < *__afl_fuzz_len; i++) - fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); - fprintf(stderr, "\n"); -#endif - if (*__afl_fuzz_len) { + ssize_t n = read(0, buf, sizeof(buf)); + + if (n > 0) { - num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + LLVMFuzzerTestOneInput(buf, n); } } - printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); + printf("%s: successfully executed input(s)\n", argv[0]); } -- cgit v1.2.3 From 9945c1648b519b0ef1490ee5eba97665af7f4caf Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 10 Aug 2020 01:34:45 +0200 Subject: fix driver --- examples/aflpp_driver/aflpp_driver.c | 20 -------------------- 1 file changed, 20 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 35b4f67f..a3a78b4e 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c @@ -106,9 +106,6 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #error "Support for your platform has not been implemented" #endif -extern unsigned char *__afl_area_ptr; -// extern struct cmp_map *__afl_cmp_map; - // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); 
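Review bot: `ssize_t n = read(0, buf, sizeof(buf));` feeds the target whatever a single read(2) happens to return: a partial read when stdin is a pipe, -1 on EINTR (then skipped by `if (n > 0)`), and never more than `sizeof(buf)` bytes, so a longer testcase is silently cut and its tail left unread. Because `n` is then passed as the length, a short read does not crash the driver but hands the target a prefix of the input, which makes coverage depend on scheduling rather than on the testcase. A small accumulate-until-EOF loop with an EINTR retry and an explicit stop at the buffer cap makes the input deterministic; it needs `errno` from `<errno.h>`, which this hunk does not show the file including. The dropped `num_runs` also leaves `printf("%s: successfully executed input(s)\n", argv[0]);` without the count it used to report, so either keep the counter or drop the line. main continues outside the hunk.

```c
  while (__afl_persistent_loop(N)) {

    /* Collect the whole testcase: read(2) may return short on pipes or -1 on EINTR. */
    size_t len = 0;
    for (;;) {

      ssize_t n = read(0, buf + len, sizeof(buf) - len);
      if (n < 0 && errno == EINTR) continue;
      if (n <= 0) break;                    /* EOF or unrecoverable error */
      len += (size_t)n;
      if (len == sizeof(buf)) break;        /* input capped at sizeof(buf) */

    }

    if (len > 0) LLVMFuzzerTestOneInput(buf, len);

  }
```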
@@ -248,24 +245,11 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { __attribute__((constructor(1))) void __afl_protect(void) { setenv("__AFL_DEFER_FORKSRV", "1", 1); - __afl_area_ptr = (unsigned char *)mmap( - (void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, - MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) - __afl_area_ptr = (unsigned char *)mmap((void *)0x10000, MAX_DUMMY_SIZE, - PROT_READ | PROT_WRITE, - MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) - __afl_area_ptr = - (unsigned char *)mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, - MAP_SHARED | MAP_ANONYMOUS, -1, 0); - // __afl_cmp_map = (struct cmp_map *)__afl_area_ptr; } int main(int argc, char **argv) { - fprintf(stderr, "dummy map is at %p\n", __afl_area_ptr); unsigned char buf[1024000]; printf( @@ -304,8 +288,6 @@ int main(int argc, char **argv) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 - __afl_area_ptr = NULL; __afl_manual_init(); return ExecuteFilesOnyByOne(argc, argv); @@ -314,8 +296,6 @@ int main(int argc, char **argv) { assert(N > 0); // if (!getenv("AFL_DRIVER_DONT_DEFER")) - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); - __afl_area_ptr = NULL; __afl_manual_init(); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization -- cgit v1.2.3 From 9b71f7e5e49ee5fd9987fadbaca2f0e548680b33 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 10 Aug 2020 08:47:52 +0200 Subject: debug --- examples/aflpp_driver/aflpp_driver.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index a3a78b4e..1e7978b3 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c 
@@ -252,6 +252,8 @@ int main(int argc, char **argv) { unsigned char buf[1024000]; + printf("__afl_area_ptr is at %p\n", __afl_area_ptr); + printf( "======================= INFO =========================\n" "This binary is built for afl++.\n" @@ -297,6 +299,7 @@ int main(int argc, char **argv) { // if (!getenv("AFL_DRIVER_DONT_DEFER")) __afl_manual_init(); + fprintf(stderr, "__afl_area_ptr is now at %p\n", __afl_area_ptr); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. -- cgit v1.2.3 From 87da1e7af6b91c3e85f8ba0a846ed820713eda5f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 10 Aug 2020 09:16:55 +0200 Subject: fix driver --- examples/aflpp_driver/aflpp_driver.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 1e7978b3..2a3b7dab 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c @@ -118,6 +118,8 @@ int __afl_persistent_loop(unsigned int); static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; void __afl_manual_init(); +extern unsigned int *__afl_area_ptr; + // Use this optionally defined function to output sanitizer messages even if // user asks to close stderr. __attribute__((weak)) void __sanitizer_set_report_fd(void *); -- cgit v1.2.3 From 3aa7d8081d20c824aa19c6383637ade7334e8353 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 10 Aug 2020 11:23:33 +0200 Subject: fuzzbench integration --- examples/aflpp_driver/aflpp_driver.c | 41 ++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 11 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 2a3b7dab..397228ed 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c 
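Review bot: `printf("__afl_area_ptr is at %p\n", __afl_area_ptr);` uses `__afl_area_ptr` although the previous commit on this page removed the `extern unsigned char *__afl_area_ptr;` declaration and this hunk adds none, so unless a declaration exists somewhere outside the visible hunks the file no longer compiles (implicit declarations are an error in C99 and later). The declaration belongs with the use, at file scope and with the type the earlier declaration on this page had: `extern unsigned char *__afl_area_ptr;`. This trace also goes to stdout while the matching one added two hunks later goes to stderr; diagnostics should all use stderr so they do not interleave with the target's own stdout. main continues outside the hunk.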
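Review bot: `extern unsigned int *__afl_area_ptr;` declares the symbol with a type that differs from the `unsigned char *` every other declaration of it on this page uses, and two declarations of one object with incompatible types are undefined behavior (C11 6.2.7p2) that neither the compiler nor the linker will report across translation units. It only feeds `%p` here, so nothing fails visibly, but the declaration should match the defining translation unit: `extern unsigned char *__afl_area_ptr;`. The next commit on this page makes exactly that change.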
@@ -106,6 +106,10 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #error "Support for your platform has not been implemented" #endif +int __afl_sharedmem_fuzzing = 0; +extern unsigned char *__afl_area_ptr; +// extern struct cmp_map *__afl_cmp_map; + // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); @@ -118,8 +122,6 @@ int __afl_persistent_loop(unsigned int); static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; void __afl_manual_init(); -extern unsigned int *__afl_area_ptr; - // Use this optionally defined function to output sanitizer messages even if // user asks to close stderr. __attribute__((weak)) void __sanitizer_set_report_fd(void *); @@ -247,14 +249,24 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { __attribute__((constructor(1))) void __afl_protect(void) { setenv("__AFL_DEFER_FORKSRV", "1", 1); + __afl_area_ptr = (unsigned char *)mmap( + (void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, + MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); + if ((uint64_t)__afl_area_ptr == -1) + __afl_area_ptr = (unsigned char *)mmap((void *)0x10000, MAX_DUMMY_SIZE, + PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); + if ((uint64_t)__afl_area_ptr == -1) + __afl_area_ptr = + (unsigned char *)mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); + // __afl_cmp_map = (struct cmp_map *)__afl_area_ptr; } int main(int argc, char **argv) { - unsigned char buf[1024000]; - - printf("__afl_area_ptr is at %p\n", __afl_area_ptr); + fprintf(stderr, "dummy map is at %p\n", __afl_area_ptr); printf( "======================= INFO =========================\n" 
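Review bot: The mmap() results in `__afl_protect` are tested with `if ((uint64_t)__afl_area_ptr == -1)`, which works only because the `int` -1 converts to `UINT64_MAX`, and the third, final `mmap(NULL, ...)` is not checked at all, so if every mapping fails `__afl_area_ptr` stays `MAP_FAILED` and main later hands it to `munmap()` and `%p`. The portable spelling is `if (__afl_area_ptr == MAP_FAILED)` for each fallback, and the chain should end with `if (__afl_area_ptr == MAP_FAILED) { perror("aflpp_driver: mmap"); _exit(1); }` instead of falling through. mmap(2) also documents that kernels without `MAP_FIXED_NOREPLACE` ignore the flag and may return a different address, so if the driver relies on the dummy map sitting at 0x10000 (the later `// we need to free 0x10000` comment suggests it does), the first result should be compared with the requested address as well as with the failure value. The `int main` that starts at the end of this hunk continues outside it.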
@@ -282,6 +294,7 @@ int main(int argc, char **argv) { // Do any other expensive one-time initialization here. uint8_t dummy_input[64] = {0}; + uint8_t buf[1024000]; memcpy(dummy_input, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); memcpy(dummy_input + 32, (void *)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR)); @@ -292,6 +305,9 @@ int main(int argc, char **argv) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { + __afl_sharedmem_fuzzing = 0; + munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 + __afl_area_ptr = NULL; __afl_manual_init(); return ExecuteFilesOnyByOne(argc, argv); @@ -299,9 +315,12 @@ int main(int argc, char **argv) { assert(N > 0); - // if (!getenv("AFL_DRIVER_DONT_DEFER")) - __afl_manual_init(); - fprintf(stderr, "__afl_area_ptr is now at %p\n", __afl_area_ptr); + if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { + munmap(__afl_area_ptr, MAX_DUMMY_SIZE); + __afl_area_ptr = NULL; + __afl_manual_init(); + } + fprintf(stderr, "dummy map is now at %p\n", __afl_area_ptr); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. @@ -310,11 +329,11 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { - ssize_t n = read(0, buf, sizeof(buf)); + ssize_t r = read(0, buf, sizeof(buf)); - if (n > 0) { + if (r > 0) { - LLVMFuzzerTestOneInput(buf, n); + LLVMFuzzerTestOneInput(buf, r); } -- cgit v1.2.3 From 464c27082a8c75b400d4387d46a86542630cac45 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 10 Aug 2020 11:45:32 +0200 Subject: fuzzbench integration --- examples/aflpp_driver/aflpp_driver.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 397228ed..2b7be45f 100644 --- a/examples/aflpp_driver/aflpp_driver.c 
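Review bot: `uint8_t buf[1024000];` reintroduces a 1 MB automatic array in main sized by a bare literal, and the read loop at the end of this commit reuses it through `sizeof(buf)` as the silent upper bound on the input; a named constant would document that cap and `static` would keep it off main's frame in sanitizer builds: `enum { AFL_DRIVER_MAX_INPUT = 1024000 };` and `static uint8_t buf[AFL_DRIVER_MAX_INPUT];`. main continues outside the hunk.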
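Review bot: `__afl_sharedmem_fuzzing = 0;` re-assigns a global that this same commit defines as `int __afl_sharedmem_fuzzing = 0;` at file scope, so the line is a no-op, and unlike the persistent path in the next hunk the `munmap()`/`__afl_manual_init()` pair here is not guarded by `AFL_DISABLE_LLVM_INSTRUMENTATION`, so the two modes of the driver treat that variable differently. Drop the redundant assignment and apply the same guard in both places. The `else if (argc > 1)` branch continues outside the hunk.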
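Review bot: The new `if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION"))` block carries no comment explaining why the dummy map must be released before `__afl_manual_init()` or what the driver is expected to do when the variable is set, and since `__afl_protect` in this commit sets `__AFL_DEFER_FORKSRV` unconditionally, with the variable set nothing visible in this file ever initializes the forkserver — whether `__afl_persistent_loop()` copes with that depends on the runtime and is not shown here. I would put above the block: `/* Release the dummy map so the runtime can install the real shared coverage map on manual init. With AFL_DISABLE_LLVM_INSTRUMENTATION set we keep the dummy and skip manual init -- TODO confirm the forkserver still starts in that case. */`. The following `fprintf(stderr, "dummy map is now at %p\n", __afl_area_ptr);` also mislabels the value: after this block it is either NULL or whatever `__afl_manual_init()` installed, not the dummy map, so `"coverage map is now at %p\n"` would be accurate. main continues outside the hunk.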
+++ b/examples/aflpp_driver/aflpp_driver.c @@ -266,7 +266,7 @@ __attribute__((constructor(1))) void __afl_protect(void) { int main(int argc, char **argv) { - fprintf(stderr, "dummy map is at %p\n", __afl_area_ptr); + fprintf(stderr, "map is at %p\n", __afl_area_ptr); printf( "======================= INFO =========================\n" @@ -305,10 +305,11 @@ int main(int argc, char **argv) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { - __afl_sharedmem_fuzzing = 0; - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 - __afl_area_ptr = NULL; - __afl_manual_init(); + if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { + munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 + __afl_area_ptr = NULL; + __afl_manual_init(); + } return ExecuteFilesOnyByOne(argc, argv); } @@ -318,9 +319,10 @@ int main(int argc, char **argv) { if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { munmap(__afl_area_ptr, MAX_DUMMY_SIZE); __afl_area_ptr = NULL; - __afl_manual_init(); + fprintf(stderr, "performing manual init\n"); + __afl_manual_init(); } - fprintf(stderr, "dummy map is now at %p\n", __afl_area_ptr); + fprintf(stderr, "map is now at %p\n", __afl_area_ptr); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. -- cgit v1.2.3 From 0ba09ee85a65878e70d1a224f9d41fcbac3ff1e5 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 11 Aug 2020 10:24:45 +0200 Subject: enhancements --- examples/aflpp_driver/aflpp_driver.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 2b7be45f..81782c67 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c 
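Review bot: `getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")` is now evaluated once in this `argc > 1` branch and again in the persistent branch below, which is how the two paths drifted apart in the previous commit. A single local near the top of main, `const int do_manual_init = getenv("AFL_DISABLE_LLVM_INSTRUMENTATION") == NULL;`, lets both branches read `if (do_manual_init) {` and documents the variable's meaning in one place. The `else if (argc > 1)` branch continues outside the hunk.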
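Review bot: The added `fprintf(stderr, "performing manual init\n");` is unconditional diagnostic output on every start of the persistent-mode driver; the `map is at` prints around it were introduced as debugging aids and are removed again by the final commit on this page, while this line survives into it. It should be gated on a debug switch (an `AFL_DEBUG` check, if this driver follows the afl++ convention) or dropped before release: `if (getenv("AFL_DEBUG")) fprintf(stderr, "performing manual init\n");`. main continues outside the hunk.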
@@ -306,10 +306,13 @@ int main(int argc, char **argv) { else if (argc > 1) { if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { + munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 __afl_area_ptr = NULL; __afl_manual_init(); + } + return ExecuteFilesOnyByOne(argc, argv); } @@ -317,11 +320,14 @@ int main(int argc, char **argv) { assert(N > 0); if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { + munmap(__afl_area_ptr, MAX_DUMMY_SIZE); __afl_area_ptr = NULL; fprintf(stderr, "performing manual init\n"); - __afl_manual_init(); + __afl_manual_init(); + } + fprintf(stderr, "map is now at %p\n", __afl_area_ptr); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization @@ -333,11 +339,7 @@ int main(int argc, char **argv) { ssize_t r = read(0, buf, sizeof(buf)); - if (r > 0) { - - LLVMFuzzerTestOneInput(buf, r); - - } + if (r > 0) { LLVMFuzzerTestOneInput(buf, r); } } -- cgit v1.2.3 From b604f5eafcebb816026e198df0ea66ebcbf18421 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 11 Aug 2020 18:06:18 +0200 Subject: finalize first beta! yay! --- examples/aflpp_driver/aflpp_driver.c | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'examples') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index 81782c67..8e0b554a 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c @@ -107,8 +107,6 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #endif int __afl_sharedmem_fuzzing = 0; -extern unsigned char *__afl_area_ptr; -// extern struct cmp_map *__afl_cmp_map; // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); 
@@ -246,28 +244,8 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { } -__attribute__((constructor(1))) void __afl_protect(void) { - - setenv("__AFL_DEFER_FORKSRV", "1", 1); - __afl_area_ptr = (unsigned char *)mmap( - (void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, - MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) - __afl_area_ptr = (unsigned char *)mmap((void *)0x10000, MAX_DUMMY_SIZE, - PROT_READ | PROT_WRITE, - MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) - __afl_area_ptr = - (unsigned char *)mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, - MAP_SHARED | MAP_ANONYMOUS, -1, 0); - // __afl_cmp_map = (struct cmp_map *)__afl_area_ptr; - -} - int main(int argc, char **argv) { - fprintf(stderr, "map is at %p\n", __afl_area_ptr); - printf( "======================= INFO =========================\n" "This binary is built for afl++.\n" @@ -307,8 +285,6 @@ int main(int argc, char **argv) { if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); // we need to free 0x10000 - __afl_area_ptr = NULL; __afl_manual_init(); } @@ -321,15 +297,11 @@ int main(int argc, char **argv) { if (!getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); - __afl_area_ptr = NULL; fprintf(stderr, "performing manual init\n"); __afl_manual_init(); } - fprintf(stderr, "map is now at %p\n", __afl_area_ptr); - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. LLVMFuzzerTestOneInput(dummy_input, 1); -- cgit v1.2.3