From b1822f26022c323e4b47198abbb7d5f5ea6a57e5 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 18 Oct 2019 18:01:33 +0200 Subject: reintegrate gcc_plugin --- gcc_plugin/Makefile | 130 +++++++++++ gcc_plugin/README.gcc.md | 162 +++++++++++++ gcc_plugin/README.whitelist.md | 74 ++++++ gcc_plugin/afl-gcc-fast.c | 283 +++++++++++++++++++++++ gcc_plugin/afl-gcc-pass.so.cc | 505 +++++++++++++++++++++++++++++++++++++++++ gcc_plugin/afl-gcc-rt.o.c | 224 ++++++++++++++++++ 6 files changed, 1378 insertions(+) create mode 100644 gcc_plugin/Makefile create mode 100644 gcc_plugin/README.gcc.md create mode 100644 gcc_plugin/README.whitelist.md create mode 100644 gcc_plugin/afl-gcc-fast.c create mode 100644 gcc_plugin/afl-gcc-pass.so.cc create mode 100644 gcc_plugin/afl-gcc-rt.o.c (limited to 'gcc_plugin') diff --git a/gcc_plugin/Makefile b/gcc_plugin/Makefile new file mode 100644 index 00000000..d10eba49 --- /dev/null +++ b/gcc_plugin/Makefile @@ -0,0 +1,130 @@ +# +# american fuzzy lop - GCC plugin instrumentation +# ----------------------------------------------- +# +# Written by Austin Seipp and +# Laszlo Szekeres and +# Michal Zalewski and +# Heiko Eißfeldt +# +# GCC integration design is based on the LLVM design, which comes +# from Laszlo Szekeres. +# +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +PREFIX ?= /usr/local +HELPER_PATH = $(PREFIX)/lib/afl +BIN_PATH = $(PREFIX)/bin + +CFLAGS ?= -O3 -g -funroll-loops +CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -Wno-pointer-sign \ + -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ + +CXXFLAGS ?= -O3 -g -funroll-loops +CXXEFLAGS := $(CXXFLAGS) -Wall -D_FORTIFY_SOURCE=2 + +CC ?= gcc +CXX ?= g++ + +PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include" + +PROGS = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o + +ifeq "$(shell echo '\#include @\#include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1" + SHMAT_OK=1 +else + SHMAT_OK=0 + CFLAGS+=-DUSEMMAP=1 + LDFLAGS += -lrt +endif + +ifeq "$(TEST_MMAP)" "1" + SHMAT_OK=0 + CFLAGS+=-DUSEMMAP=1 + LDFLAGS += -lrt +endif + + +all: test_shm test_deps $(PROGS) afl-gcc-fast.8 test_build all_done + +ifeq "$(SHMAT_OK)" "1" + +test_shm: + @echo "[+] shmat seems to be working." + @rm -f .test2 + +else + +test_shm: + @echo "[-] shmat seems not to be working, switching to mmap implementation" + +endif + + +test_deps: + @echo "[*] Checking for working '$(CC)'..." + @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 ) + @echo "[*] Checking for gcc for plugin support..." + @$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 ) + @echo "[*] Checking for gcc plugin development header files..." + @test -d `$(CC) -print-file-name=plugin`/include || ( echo "[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'."; exit 1 ) + @echo "[*] Checking for '../afl-showmap'..." + @test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 ) + @echo "[+] All set and ready to build." + +../afl-gcc-fast: afl-gcc-fast.c | test_deps + $(CC) $(CFLAGS) $< -o $@ $(LDFLAGS) + ln -sf afl-gcc-fast ../afl-g++-fast + +../afl-gcc-pass.so: afl-gcc-pass.so.cc | test_deps + $(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@ + +../afl-gcc-rt.o: afl-gcc-rt.o.c | test_deps + $(CC) $(CFLAGS) -fPIC -c $< -o $@ + +test_build: $(PROGS) + @echo "[*] Testing the CC wrapper and instrumentation output..." + unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS) +# unset AFL_USE_ASAN AFL_USE_MSAN; AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS) + ../afl-showmap -m none -q -o .test-instr0 ./test-instr ../$@ + @echo .SH NAME >> ../$@ + @echo .B $* >> ../$@ + @echo >> ../$@ + @echo .SH SYNOPSIS >> ../$@ + @../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@ + @echo >> ../$@ + @echo .SH OPTIONS >> ../$@ + @echo .nf >> ../$@ + @../$* -h 2>&1 | tail -n +4 >> ../$@ + @echo >> ../$@ + @echo .SH AUTHOR >> ../$@ + @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse , Heiko \"hexcoder-\" Eissfeldt and Andrea Fioraldi " >> ../$@ + @echo The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@ + @echo >> ../$@ + @echo .SH LICENSE >> ../$@ + @echo Apache License Version 2.0, January 2004 >> ../$@ + ln -sf afl-gcc-fast.8 ../afl-g++-fast.8 + +clean: + rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 + rm -f $(PROGS) ../afl-g++-fast ../afl-g*-fast.8 diff --git a/gcc_plugin/README.gcc.md b/gcc_plugin/README.gcc.md new file mode 100644 index 00000000..2e19e911 --- /dev/null +++ b/gcc_plugin/README.gcc.md @@ -0,0 +1,162 @@ +=========================================== +GCC-based instrumentation for afl-fuzz +====================================== + + (See ../docs/README.md for the general instruction manual.) + (See ../llvm_mode/README.md for the LLVM-based instrumentation.) + +!!! TODO items are: +!!! => inline instrumentation has to work! +!!! + + +## 1) Introduction + +The code in this directory allows you to instrument programs for AFL using +true compiler-level instrumentation, instead of the more crude +assembly-level rewriting approach taken by afl-gcc and afl-clang. This has +several interesting properties: + + - The compiler can make many optimizations that are hard to pull off when + manually inserting assembly. As a result, some slow, CPU-bound programs will + run up to around faster. + + The gains are less pronounced for fast binaries, where the speed is limited + chiefly by the cost of creating new processes. In such cases, the gain will + probably stay within 10%. + + - The instrumentation is CPU-independent. At least in principle, you should + be able to rely on it to fuzz programs on non-x86 architectures (after + building afl-fuzz with AFL_NOX86=1). + + - Because the feature relies on the internals of GCC, it is gcc-specific + and will *not* work with LLVM (see ../llvm_mode for an alternative). + +Once this implementation is shown to be sufficiently robust and portable, it +will probably replace afl-gcc. For now, it can be built separately and +co-exists with the original code. + +The idea and much of the implementation comes from Laszlo Szekeres. + +## 2) How to use + +In order to leverage this mechanism, you need to have modern enough GCC +(>= version 4.5.0) and the plugin headers installed on your system. That +should be all you need. On Debian machines, these headers can be acquired by +installing the `gcc--plugin-dev` packages. + +To build the instrumentation itself, type 'make'. This will generate binaries +called afl-gcc-fast and afl-g++-fast in the parent directory. Once this +is done, you can instrument third-party code in a way similar to the standard +operating mode of AFL, e.g.: + + CC=/path/to/afl/afl-gcc-fast ./configure [...options...] + make + +Be sure to also include CXX set to afl-g++-fast for C++ code. + +The tool honors roughly the same environmental variables as afl-gcc (see +../docs/env_variables.txt). This includes AFL_INST_RATIO, AFL_USE_ASAN, +AFL_HARDEN, and AFL_DONT_OPTIMIZE. + +Note: if you want the GCC plugin to be installed on your system for all +users, you need to build it before issuing 'make install' in the parent +directory. + +## 3) Gotchas, feedback, bugs + +This is an early-stage mechanism, so field reports are welcome. You can send bug +reports to . + +## 4) Bonus feature #1: deferred initialization + +AFL tries to optimize performance by executing the targeted binary just once, +stopping it just before main(), and then cloning this "master" process to get +a steady supply of targets to fuzz. + +Although this approach eliminates much of the OS-, linker- and libc-level +costs of executing the program, it does not always help with binaries that +perform other time-consuming initialization steps - say, parsing a large config +file before getting to the fuzzed data. + +In such cases, it's beneficial to initialize the forkserver a bit later, once +most of the initialization work is already done, but before the binary attempts +to read the fuzzed input and parse it; in some cases, this can offer a 10x+ +performance gain. You can implement delayed initialization in LLVM mode in a +fairly simple way. + +First, locate a suitable location in the code where the delayed cloning can +take place. This needs to be done with *extreme* care to avoid breaking the +binary. In particular, the program will probably malfunction if you select +a location after: + + - The creation of any vital threads or child processes - since the forkserver + can't clone them easily. + + - The initialization of timers via setitimer() or equivalent calls. + + - The creation of temporary files, network sockets, offset-sensitive file + descriptors, and similar shared-state resources - but only provided that + their state meaningfully influences the behavior of the program later on. + + - Any access to the fuzzed input, including reading the metadata about its + size. + +With the location selected, add this code in the appropriate spot: + +``` +#ifdef __AFL_HAVE_MANUAL_CONTROL + __AFL_INIT(); +#endif +``` + +You don't need the #ifdef guards, but they will make the program still work as +usual when compiled with a tool other than afl-gcc-fast/afl-clang-fast. + +Finally, recompile the program with afl-gcc-fast (afl-gcc or afl-clang will +*not* generate a deferred-initialization binary) - and you should be all set! + +## 5) Bonus feature #2: persistent mode + +Some libraries provide APIs that are stateless, or whose state can be reset in +between processing different input files. When such a reset is performed, a +single long-lived process can be reused to try out multiple test cases, +eliminating the need for repeated fork() calls and the associated OS overhead. + +The basic structure of the program that does this would be: + +``` + while (__AFL_LOOP(1000)) { + + /* Read input data. */ + /* Call library code to be fuzzed. */ + /* Reset state. */ + + } + + /* Exit normally */ +``` + +The numerical value specified within the loop controls the maximum number +of iterations before AFL will restart the process from scratch. This minimizes +the impact of memory leaks and similar glitches; 1000 is a good starting point. + +A more detailed template is shown in ../experimental/persistent_demo/. +Similarly to the previous mode, the feature works only with afl-gcc-fast or +afl-clang-fast; #ifdef guards can be used to suppress it when using other +compilers. + +Note that as with the previous mode, the feature is easy to misuse; if you +do not reset the critical state fully, you may end up with false positives or +waste a whole lot of CPU power doing nothing useful at all. Be particularly +wary of memory leaks and the state of file descriptors. + +When running in this mode, the execution paths will inherently vary a bit +depending on whether the input loop is being entered for the first time or +executed again. To avoid spurious warnings, the feature implies +AFL_NO_VAR_CHECK and hides the "variable path" warnings in the UI. + +PS. Because there are task switches still involved, the mode isn't as fast as +"pure" in-process fuzzing offered, say, by LLVM's LibFuzzer; but it is a lot +faster than the normal fork() model, and compared to in-process fuzzing, +should be a lot more robust. diff --git a/gcc_plugin/README.whitelist.md b/gcc_plugin/README.whitelist.md new file mode 100644 index 00000000..bcc02693 --- /dev/null +++ b/gcc_plugin/README.whitelist.md @@ -0,0 +1,74 @@ +======================================== +Using afl++ with partial instrumentation +======================================== + + This file describes how you can selectively instrument only the source files + that are interesting to you using the gcc instrumentation provided by + afl++. + + Originally developed by Christian Holler (:decoder) , + adapted to gcc plugin by hexcoder-. + + +## 1) Description and purpose + +When building and testing complex programs where only a part of the program is +the fuzzing target, it often helps to only instrument the necessary parts of +the program, leaving the rest uninstrumented. This helps to focus the fuzzer +on the important parts of the program, avoiding undesired noise and +disturbance by uninteresting code being exercised. + +For this purpose, I have added a "partial instrumentation" support to the gcc +plugin of AFLFuzz that allows you to specify on a source file level which files +should be compiled with or without instrumentation. + + +## 2) Building the gcc plugin + +The new code is part of the existing afl++ gcc plugin in the gcc_plugin/ +subdirectory. There is nothing specifically to do :) + + +## 3) How to use the partial instrumentation mode + +In order to build with partial instrumentation, you need to build with +afl-gcc-fast and afl-g++-fast respectively. The only required change is +that you need to set the environment variable AFL_GCC_WHITELIST when calling +the compiler. + +The environment variable must point to a file containing all the filenames +that should be instrumented. For matching, the filename that is being compiled +must end in the filename entry contained in this whitelist (to avoid breaking +the matching when absolute paths are used during compilation). + +For example if your source tree looks like this: + +``` +project/ +project/feature_a/a1.cpp +project/feature_a/a2.cpp +project/feature_b/b1.cpp +project/feature_b/b2.cpp +``` + +and you only want to test feature_a, then create a whitelist file containing: + +``` +feature_a/a1.cpp +feature_a/a2.cpp +``` + +However if the whitelist file contains only this, it works as well: + +``` +a1.cpp +a2.cpp +``` + +but it might lead to files being unwantedly instrumented if the same filename +exists somewhere else in the project directories. + +The created whitelist file is then set to AFL_GCC_WHITELIST when you compile +your program. For each file that didn't match the whitelist, the compiler will +issue a warning at the end stating that no blocks were instrumented. If you +didn't intend to instrument that file, then you can safely ignore that warning. diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c new file mode 100644 index 00000000..8be05bb5 --- /dev/null +++ b/gcc_plugin/afl-gcc-fast.c @@ -0,0 +1,283 @@ +/* + american fuzzy lop - GCC wrapper for GCC plugin + ------------------------------------------------ + + Written by Austin Seipp and + Laszlo Szekeres and + Michal Zalewski + + GCC integration design is based on the LLVM design, which comes + from Laszlo Szekeres. + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This program is a drop-in replacement for gcc, similar in most + respects to ../afl-gcc, but with compiler instrumentation through a + plugin. It tries to figure out compilation mode, adds a bunch of + flags, and then calls the real compiler. + + */ + +#define AFL_MAIN + +#include "../config.h" +#include "../types.h" +#include "../include/debug.h" +#include "../include/alloc-inl.h" + +#include +#include +#include +#include + +static u8* obj_path; /* Path to runtime libraries */ +static u8** cc_params; /* Parameters passed to the real CC */ +static u32 cc_par_cnt = 1; /* Param count, including argv0 */ + + +/* Try to find the runtime libraries. If that fails, abort. */ + +static void find_obj(u8* argv0) { + + u8 *afl_path = getenv("AFL_PATH"); + u8 *slash, *tmp; + + if (afl_path) { + + tmp = alloc_printf("%s/afl-gcc-rt.o", afl_path); + + if (!access(tmp, R_OK)) { + obj_path = afl_path; + ck_free(tmp); + return; + } + + ck_free(tmp); + + } + + slash = strrchr(argv0, '/'); + + if (slash) { + + u8 *dir; + + *slash = 0; + dir = ck_strdup(argv0); + *slash = '/'; + + tmp = alloc_printf("%s/afl-gcc-rt.o", dir); + + if (!access(tmp, R_OK)) { + obj_path = dir; + ck_free(tmp); + return; + } + + ck_free(tmp); + ck_free(dir); + + } + + if (!access(AFL_PATH "/afl-gcc-rt.o", R_OK)) { + obj_path = AFL_PATH; + return; + } + + FATAL("Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set AFL_PATH"); +} + + +/* Copy argv to cc_params, making the necessary edits. */ + +static void edit_params(u32 argc, char** argv) { + + u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; + u8 *name; + + cc_params = ck_alloc((argc + 64) * sizeof(u8*)); + + name = strrchr(argv[0], '/'); + if (!name) name = argv[0]; else name++; + + if (!strcmp(name, "afl-g++-fast")) { + u8* alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; + } else { + u8* alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; + } + + char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); + cc_params[cc_par_cnt++] = fplugin_arg; + + while (--argc) { + u8* cur = *(++argv); + +#if defined(__x86_64__) + if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported"); +#endif + + if (!strcmp(cur, "-x")) x_set = 1; + + if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E") || + !strcmp(cur, "-v")) maybe_linking = 0; + + if (!strcmp(cur, "-fsanitize=address") || + !strcmp(cur, "-fsanitize=memory")) asan_set = 1; + + if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; + + cc_params[cc_par_cnt++] = cur; + + } + + if (getenv("AFL_HARDEN")) { + + cc_params[cc_par_cnt++] = "-fstack-protector-all"; + + if (!fortify_set) + cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; + + } + + if (!asan_set) { + + if (getenv("AFL_USE_ASAN")) { + + cc_params[cc_par_cnt++] = "-fsanitize=address"; + + if (getenv("AFL_USE_MSAN")) + FATAL("ASAN and MSAN are mutually exclusive"); + + } else if (getenv("AFL_USE_MSAN")) { + + cc_params[cc_par_cnt++] = "-fsanitize=memory"; + + if (getenv("AFL_USE_ASAN")) + FATAL("ASAN and MSAN are mutually exclusive"); + + } + + } + + if (!getenv("AFL_DONT_OPTIMIZE")) { + + cc_params[cc_par_cnt++] = "-g"; + cc_params[cc_par_cnt++] = "-O3"; + cc_params[cc_par_cnt++] = "-funroll-loops"; + + } + + cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1"; + + /* When the user tries to use persistent or deferred forkserver modes by + appending a single line to the program, we want to reliably inject a + signature into the binary (to be picked up by afl-fuzz) and we want + to call a function from the runtime .o file. This is unnecessarily + painful for three reasons: + + 1) We need to convince the compiler not to optimize out the signature. + This is done with __attribute__((used)). + + 2) We need to convince the linker, when called with -Wl,--gc-sections, + not to do the same. This is done by forcing an assignment to a + 'volatile' pointer. + + 3) We need to declare __afl_persistent_loop() in the global namespace, + but doing this within a method in a class is hard - :: and extern "C" + are forbidden and __attribute__((alias(...))) doesn't work. Hence the + __asm__ aliasing trick. + + */ + + cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" + "({ static volatile char *_B __attribute__((used)); " + " _B = (char*)\"" PERSIST_SIG "\"; " +#ifdef __APPLE__ + "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); " +#else + "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); " +#endif /* ^__APPLE__ */ + "_L(_A); })"; + + cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" + "do { static volatile char *_A __attribute__((used)); " + " _A = (char*)\"" DEFER_SIG "\"; " +#ifdef __APPLE__ + "void _I(void) __asm__(\"___afl_manual_init\"); " +#else + "void _I(void) __asm__(\"__afl_manual_init\"); " +#endif /* ^__APPLE__ */ + "_I(); } while (0)"; + + if (maybe_linking) { + + if (x_set) { + cc_params[cc_par_cnt++] = "-x"; + cc_params[cc_par_cnt++] = "none"; + } + + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-gcc-rt.o", obj_path); + + } + + cc_params[cc_par_cnt] = NULL; + +} + + +/* Main entry point */ + +int main(int argc, char** argv) { + + if (isatty(2) && !getenv("AFL_QUIET")) { + + SAYF(cCYA "afl-gcc-fast " cBRI VERSION cRST " initially by , maintainer: hexcoder-\n"); + + } + + if (argc < 2) { + + SAYF("\n" + "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" + "for gcc, letting you recompile third-party code with the required runtime\n" + "instrumentation. A common use pattern would be one of the following:\n\n" + + " CC=%s/afl-gcc-fast ./configure\n" + " CXX=%s/afl-g++-fast ./configure\n\n" + + "In contrast to the traditional afl-gcc tool, this version is implemented as\n" + "a GCC plugin and tends to offer improved performance with slow programs\n" + "(similarly to the LLVM plugin used by afl-clang-fast).\n\n" + + "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. Setting\n" + "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", + BIN_PATH, BIN_PATH); + + exit(1); + + } + + + find_obj(argv[0]); + + edit_params(argc, argv); +/*if (isatty(2) && !getenv("AFL_QUIET")) { + printf("Calling \"%s\" with:\n", cc_params[0]); + for(int i=1; i with bits from + Emese Revfy + + Fixed by Heiko Eißfeldt 2019 for AFL++ + + GCC integration design is based on the LLVM design, which comes + from Laszlo Szekeres. Some of the boilerplate code below for + afl_pass to adapt to different GCC versions was taken from Emese + Revfy's Size Overflow plugin for GCC, licensed under the GPLv2/v3. + + (NOTE: this plugin code is under GPLv3, in order to comply with the + GCC runtime library exception, which states that you may distribute + "Target Code" from the compiler under a license of your choice, as + long as the "Compilation Process" is "Eligible", and contains no + GPL-incompatible software in GCC "during the process of + transforming high level code to target code". In this case, the + plugin will be used to generate "Target Code" during the + "Compilation Process", and thus it must be GPLv3 to be "eligible".) + + Copyright (C) 2015 Austin Seipp + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + */ + +#define BUILD_INLINE_INST + +#include "../config.h" +#include "../include/debug.h" + +/* clear helper AFL types pulls in, which intervene with gcc-plugin geaders from GCC-8 */ +#ifdef likely +#undef likely +#endif +#ifdef unlikely +#undef unlikely +#endif + + +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* -------------------------------------------------------------------------- */ +/* -- AFL instrumentation pass ---------------------------------------------- */ + +static int be_quiet = 0; +static unsigned int inst_ratio = 100; +static bool inst_ext = true; +static std::list myWhitelist; + +static unsigned int ext_call_instrument(function *fun) { + /* Instrument all the things! */ + basic_block bb; + unsigned finst_blocks = 0; + unsigned fcnt_blocks = 0; + + tree fntype = build_function_type_list( + void_type_node, /* return */ + uint32_type_node, /* args */ + NULL_TREE); /* done */ + tree fndecl = build_fn_decl("__afl_trace", fntype); + TREE_STATIC(fndecl) = 1; /* Defined elsewhere */ + TREE_PUBLIC(fndecl) = 1; /* Public */ + DECL_EXTERNAL(fndecl) = 1; /* External linkage */ + DECL_ARTIFICIAL(fndecl) = 1; /* Injected by compiler */ + + FOR_EACH_BB_FN(bb, fun) { + gimple_seq fcall; + gimple_seq seq = NULL; + gimple_stmt_iterator bentry; + ++fcnt_blocks; + + // only instrument if this basic block is the destination of a previous + // basic block that has multiple successors + // this gets rid of ~5-10% of instrumentations that are unnecessary + // result: a little more speed and less map pollution + + int more_than_one = -1; + edge ep; + edge_iterator eip; + FOR_EACH_EDGE (ep, eip, bb->preds) { + int count = 0; + if (more_than_one == -1) + more_than_one = 0; + + basic_block Pred = ep->src; + edge es; + edge_iterator eis; + FOR_EACH_EDGE (es, eis, Pred->succs) { + basic_block Succ = es->dest; + if (Succ != NULL) count++; + } + if (count > 1) + more_than_one = 1; + } + if (more_than_one != 1) + continue; + + /* Bail on this block if we trip the specified ratio */ + if (R(100) >= inst_ratio) continue; + + /* Make up cur_loc */ + unsigned int rand_loc = R(MAP_SIZE); + tree cur_loc = build_int_cst(uint32_type_node, rand_loc); + + /* Update bitmap via external call */ + /* to quote: + * /+ Trace a basic block with some ID +/ + * void __afl_trace(u32 x); + */ + + fcall = gimple_build_call(fndecl, 1, cur_loc); /* generate the function _call_ to above built reference, with *1* parameter -> the random const for the location */ + gimple_seq_add_stmt(&seq, fcall); /* and insert into a sequence */ + + /* Done - grab the entry to the block and insert sequence */ + bentry = gsi_after_labels(bb); + gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT); + + ++finst_blocks; + } + + /* Say something nice. */ + if (!be_quiet) { + if (!finst_blocks) + WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST ), + function_name(fun)); + else if (finst_blocks < fcnt_blocks) + OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST ), + finst_blocks, fcnt_blocks, + function_name(fun)); + else + OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST ), + finst_blocks, + function_name(fun)); + } + + return 0; +} + +static unsigned int inline_instrument(function *fun) { + + /* Instrument all the things! */ + basic_block bb; + unsigned finst_blocks = 0; + unsigned fcnt_blocks = 0; + + /* Set up global type declarations */ + tree map_type = build_pointer_type(unsigned_char_type_node); + tree map_ptr_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, + get_identifier_with_length("__afl_area_ptr", 14), map_type); + TREE_USED(map_ptr_g) = 1; + TREE_STATIC(map_ptr_g) = 1; /* Defined elsewhere */ + DECL_EXTERNAL(map_ptr_g) = 1; /* External linkage */ + DECL_PRESERVE_P(map_ptr_g) = 1; + DECL_ARTIFICIAL(map_ptr_g) = 1; /* Injected by compiler */ + rest_of_decl_compilation(map_ptr_g, 1, 0); + + tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, + get_identifier_with_length("__afl_prev_loc", 14), uint32_type_node); + TREE_USED(prev_loc_g) = 1; + TREE_STATIC(prev_loc_g) = 1; /* Defined elsewhere */ + DECL_EXTERNAL(prev_loc_g) = 1; /* External linkage */ + DECL_PRESERVE_P(prev_loc_g) = 1; + DECL_ARTIFICIAL(prev_loc_g) = 1; /* Injected by compiler */ + rest_of_decl_compilation(prev_loc_g, 1, 0); + + FOR_EACH_BB_FN(bb, fun) { + gimple_seq seq = NULL; + gimple_stmt_iterator bentry; + ++fcnt_blocks; + + // only instrument if this basic block is the destination of a previous + // basic block that has multiple successors + // this gets rid of ~5-10% of instrumentations that are unnecessary + // result: a little more speed and less map pollution + + int more_than_one = -1; + edge ep; + edge_iterator eip; + FOR_EACH_EDGE (ep, eip, bb->preds) { + int count = 0; + if (more_than_one == -1) + more_than_one = 0; + + basic_block Pred = ep->src; + edge es; + edge_iterator eis; + FOR_EACH_EDGE (es, eis, Pred->succs) { + basic_block Succ = es->dest; + if (Succ != NULL) count++; + } + if (count > 1) + more_than_one = 1; + } + if (more_than_one != 1) + continue; + + /* Bail on this block if we trip the specified ratio */ + if (R(100) >= inst_ratio) continue; + + /* Make up cur_loc */ + + unsigned int rand_loc = R(MAP_SIZE); + tree cur_loc = build_int_cst(uint32_type_node, rand_loc); + + /* Load prev_loc, xor with cur_loc */ + // gimple_assign + tree prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc"); + gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g); + gimple_seq_add_stmt(&seq, g); // load prev_loc + update_stmt(g); + + // gimple_assign + tree area_off = create_tmp_var_raw(uint32_type_node, "area_off"); + g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc); + gimple_seq_add_stmt(&seq, g); // area_off = prev_loc ^ cur_loc + update_stmt(g); + + /* Update bitmap */ + + tree one = build_int_cst(unsigned_char_type_node, 1); +// tree zero = build_int_cst(unsigned_char_type_node, 0); + + // gimple_assign + tree map_ptr = create_tmp_var(map_type, "map_ptr"); + tree map_ptr2 = create_tmp_var(map_type, "map_ptr2"); + + g = gimple_build_assign(map_ptr, map_ptr_g); + gimple_seq_add_stmt(&seq, g); // map_ptr = __afl_area_ptr + update_stmt(g); + +#if 0 + tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); + g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr); + gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off + update_stmt(g); +#else + g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); + gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off + update_stmt(g); +#endif + // gimple_assign + tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); + g = gimple_build_assign(tmp1, MEM_REF, map_ptr2); + gimple_seq_add_stmt(&seq, g); // tmp1 = *map_ptr2 + update_stmt(g); + + // gimple_assign + tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2"); + g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one); + gimple_seq_add_stmt(&seq, g); // tmp2 = tmp1 + 1 + update_stmt(g); + + // TODO: neverZero: here we have to check if tmp3 == 0 + // and add 1 if so + + // gimple_assign +// tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3"); + g = gimple_build_assign(map_ptr_g, INDIRECT_REF, tmp2); + gimple_seq_add_stmt(&seq, g); // *map_ptr3 = tmp2 + update_stmt(g); + + /* Set prev_loc to cur_loc >> 1 */ + + // gimple_assign + tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1); + tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2"); + g = gimple_build_assign(prev_loc2, shifted_loc); + gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 + update_stmt(g); + g = gimple_build_assign(prev_loc_g, prev_loc2); + gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 + update_stmt(g); + + /* Done - grab the entry to the block and insert sequence */ + + bentry = gsi_after_labels(bb); + gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT); + + ++finst_blocks; + } + + /* Say something nice. */ + if (!be_quiet) { + if (!finst_blocks) + WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST ), + function_name(fun)); + else if (finst_blocks < fcnt_blocks) + OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST ), + finst_blocks, fcnt_blocks, + function_name(fun)); + else + OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST ), + finst_blocks, + function_name(fun)); + } + + + return 0; +} + +/* -------------------------------------------------------------------------- */ +/* -- Boilerplate and initialization ---------------------------------------- */ + +static const struct pass_data afl_pass_data = { + + .type = GIMPLE_PASS, + .name = "afl-inst", + .optinfo_flags = OPTGROUP_NONE, + + .tv_id = TV_NONE, + .properties_required = 0, + .properties_provided = 0, + .properties_destroyed = 0, + .todo_flags_start = 0, + // NOTE(aseipp): it's very, very important to include + // at least 'TODO_update_ssa' here so that GCC will + // properly update the resulting SSA form, e.g., to + // include new PHI nodes for newly added symbols or + // names. Do not remove this. Do not taunt Happy Fun + // Ball. + .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg, +}; + +namespace { + +class afl_pass : public gimple_opt_pass { +private: + bool do_ext_call; + +public: + afl_pass(bool ext_call, gcc::context *g) : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) {} + + virtual unsigned int execute(function *fun) { + + if (!myWhitelist.empty()) { + bool instrumentBlock = false; + + /* EXPR_FILENAME + This macro returns the name of the file in which the entity was declared, as + a char*. For an entity declared implicitly by the compiler (like __builtin_ + memcpy), this will be the string "". + */ + const char *fname = DECL_SOURCE_FILE(fun->decl); + + if (0 != strncmp("", fname, 10) + && 0 != strncmp("", fname, 10)) + { + std::string instFilename(fname); + + /* Continue only if we know where we actually are */ + if (!instFilename.empty()) { + for (std::list::iterator it = myWhitelist.begin(); it != myWhitelist.end(); ++it) { + /* We don't check for filename equality here because + * filenames might actually be full paths. Instead we + * check that the actual filename ends in the filename + * specified in the list. */ + if (instFilename.length() >= it->length()) { + if (instFilename.compare(instFilename.length() - it->length(), it->length(), *it) == 0) { + instrumentBlock = true; + break; + } + } + } + } + } + + /* Either we couldn't figure out our location or the location is + * not whitelisted, so we skip instrumentation. */ + if (!instrumentBlock) return 0;; + } + + return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); + } +}; /* class afl_pass */ + +} /* anon namespace */ + +static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) { + return new afl_pass(ext_call, ctxt); +} + +/* -------------------------------------------------------------------------- */ +/* -- Initialization -------------------------------------------------------- */ + +int plugin_is_GPL_compatible = 1; + +static struct plugin_info afl_plugin_info = { + .version = "20191015", + .help = "AFL++ gcc plugin\n", +}; + +int plugin_init(struct plugin_name_args *plugin_info, + struct plugin_gcc_version *version) { + + struct register_pass_info afl_pass_info; + struct timeval tv; + struct timezone tz; + u32 rand_seed; + + /* Setup random() so we get Actually Random(TM) outputs from R() */ + gettimeofday(&tv, &tz); + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + srandom(rand_seed); + + /* Pass information */ + afl_pass_info.pass = make_afl_pass(inst_ext, g); + afl_pass_info.reference_pass_name = "ssa"; + afl_pass_info.ref_pass_instance_number = 1; + afl_pass_info.pos_op = PASS_POS_INSERT_AFTER; + + if (!plugin_default_version_check(version, &gcc_version)) { + FATAL(G_("Incompatible gcc/plugin versions!")); + } + + /* Show a banner */ + if (isatty(2) && !getenv("AFL_QUIET")) { + SAYF(G_(cCYA "afl-gcc-pass " cBRI VERSION cRST " initially by , maintainer: hexcoder-\n")); + } else + be_quiet = 1; + + /* Decide instrumentation ratio */ + char* inst_ratio_str = getenv("AFL_INST_RATIO"); + + if (inst_ratio_str) { + if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio || inst_ratio > 100) + FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)")); + else { + if (!be_quiet) + ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), + inst_ext ? G_("Call-based") : G_("Inline"), + inst_ratio, + getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened")); + } + } + + char* instWhiteListFilename = getenv("AFL_GCC_WHITELIST"); + if (instWhiteListFilename) { + std::string line; + std::ifstream fileStream; + fileStream.open(instWhiteListFilename); + if (!fileStream) + fatal_error(0, "Unable to open AFL_GCC_WHITELIST"); + getline(fileStream, line); + while (fileStream) { + myWhitelist.push_back(line); + getline(fileStream, line); + } + } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST")) + SAYF(cYEL "[-] " cRST "AFL_LLVM_WHITELIST environment variable detected - did you mean AFL_GCC_WHITELIST?\n"); + + /* Go go gadget */ + register_callback(plugin_info->base_name, PLUGIN_INFO, NULL, &afl_plugin_info); + register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &afl_pass_info); + return 0; +} diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c new file mode 100644 index 00000000..8e72e108 --- /dev/null +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -0,0 +1,224 @@ +/* + american fuzzy lop - GCC plugin instrumentation bootstrap + --------------------------------------------------------- + + Written by Austin Seipp and + Laszlo Szekeres and + Michal Zalewski + + GCC integration design is based on the LLVM design, which comes + from Laszlo Szekeres. + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This code is the rewrite of afl-as.h's main_payload. + +*/ + +#include "../config.h" +#include "../types.h" + +#include +#include +#include +#include + +#include +#include +#include +#include + + +/* Globals needed by the injected instrumentation. The __afl_area_initial region + is used for instrumentation output before __afl_map_shm() has a chance to run. + It will end up as .comm, so it shouldn't be too wasteful. */ + +u8 __afl_area_initial[MAP_SIZE]; +u8* __afl_area_ptr = __afl_area_initial; +u32 __afl_prev_loc; + + +/* Running in persistent mode? */ + +static u8 is_persistent; + +/* Trace a basic block with some ID */ +void __afl_trace(u32 x) { + u32 l = __afl_prev_loc; + u32 n = l ^ x; + *(__afl_area_ptr+n) += 1; + __afl_prev_loc = (x >> 1); + return; +} + +/* SHM setup. */ + +static void __afl_map_shm(void) { + + u8 *id_str = getenv(SHM_ENV_VAR); + + /* If we're running under AFL, attach to the appropriate region, replacing the + early-stage __afl_area_initial region that is needed to allow some really + hacky .init code to work correctly in projects such as OpenSSL. */ + + if (id_str) { + + u32 shm_id = atoi(id_str); + + __afl_area_ptr = shmat(shm_id, NULL, 0); + + /* Whooooops. */ + + if (__afl_area_ptr == (void *)-1) exit(1); + + /* Write something into the bitmap so that even with low AFL_INST_RATIO, + our parent doesn't give up on us. */ + + __afl_area_ptr[0] = 1; + + } + +} + + +/* Fork server logic. */ + +static void __afl_start_forkserver(void) { + + static u8 tmp[4]; + s32 child_pid; + + u8 child_stopped = 0; + + /* Phone home and tell the parent that we're OK. If parent isn't there, + assume we're not running in forkserver mode and just execute program. */ + + if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; + + while (1) { + + u32 was_killed; + int status; + + /* Wait for parent by reading from the pipe. Abort if read fails. */ + + if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(1); + + /* If we stopped the child in persistent mode, but there was a race + condition and afl-fuzz already issued SIGKILL, write off the old + process. */ + + if (child_stopped && was_killed) { + child_stopped = 0; + if (waitpid(child_pid, &status, 0) < 0) exit(1); + } + + if (!child_stopped) { + + /* Once woken up, create a clone of our process. */ + + child_pid = fork(); + if (child_pid < 0) exit(1); + + /* In child process: close fds, resume execution. */ + + if (!child_pid) { + + close(FORKSRV_FD); + close(FORKSRV_FD + 1); + return; + + } + + } else { + + /* Special handling for persistent mode: if the child is alive but + currently stopped, simply restart it with SIGCONT. */ + + kill(child_pid, SIGCONT); + child_stopped = 0; + + } + + /* In parent process: write PID to pipe, then wait for child. */ + + if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1); + + if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) + exit(1); + + /* In persistent mode, the child stops itself with SIGSTOP to indicate + a successful run. In this case, we want to wake it up without forking + again. */ + + if (WIFSTOPPED(status)) child_stopped = 1; + + /* Relay wait status to pipe, then loop back. */ + + if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1); + + } + +} + + +/* A simplified persistent mode handler, used as explained in README.llvm. */ + +int __afl_persistent_loop(unsigned int max_cnt) { + + static u8 first_pass = 1; + static u32 cycle_cnt; + + if (first_pass) { + + cycle_cnt = max_cnt; + first_pass = 0; + return 1; + + } + + if (is_persistent && --cycle_cnt) { + + raise(SIGSTOP); + return 1; + + } else return 0; + +} + + +/* This one can be called from user code when deferred forkserver mode + is enabled. */ + +void __afl_manual_init(void) { + + static u8 init_done; + + if (!init_done) { + + __afl_map_shm(); + __afl_start_forkserver(); + init_done = 1; + + } + +} + + +/* Proper initialization routine. */ + +__attribute__((constructor(101))) void __afl_auto_init(void) { + + is_persistent = !!getenv(PERSIST_ENV_VAR); + + if (getenv(DEFER_ENV_VAR)) return; + + __afl_manual_init(); + +} -- cgit v1.2.3 From e7ab8be0cd97f9a18e6ca2f855afa69768322dfb Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 18 Oct 2019 19:53:10 +0200 Subject: sync afl-fast-gcc with afl-clang-fast, add tests for gcc_plugin --- gcc_plugin/afl-gcc-fast.c | 50 +++++++++++++++++++++++++++++-------------- gcc_plugin/afl-gcc-pass.so.cc | 4 ++-- 2 files changed, 36 insertions(+), 18 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 8be05bb5..25ecf310 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -104,7 +104,7 @@ static void edit_params(u32 argc, char** argv) { cc_params = ck_alloc((argc + 64) * sizeof(u8*)); name = strrchr(argv[0], '/'); - if (!name) name = argv[0]; else name++; + if (!name) name = argv[0]; else ++name; if (!strcmp(name, "afl-g++-fast")) { u8* alt_cxx = getenv("AFL_CXX"); @@ -114,9 +114,15 @@ static void edit_params(u32 argc, char** argv) { cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; } + + char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); cc_params[cc_par_cnt++] = fplugin_arg; + /* Detect stray -v calls from ./configure scripts. */ + + if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0; + while (--argc) { u8* cur = *(++argv); @@ -134,6 +140,8 @@ static void edit_params(u32 argc, char** argv) { if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; + if (!strcmp(cur, "-shared")) maybe_linking = 0; + cc_params[cc_par_cnt++] = cur; } @@ -151,17 +159,23 @@ static void edit_params(u32 argc, char** argv) { if (getenv("AFL_USE_ASAN")) { - cc_params[cc_par_cnt++] = "-fsanitize=address"; + if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive"); + + if (getenv("AFL_HARDEN")) + FATAL("ASAN and AFL_HARDEN are mutually exclusive"); - if (getenv("AFL_USE_MSAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=address"; } else if (getenv("AFL_USE_MSAN")) { - cc_params[cc_par_cnt++] = "-fsanitize=memory"; + if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive"); + + if (getenv("AFL_HARDEN")) + FATAL("MSAN and AFL_HARDEN are mutually exclusive"); - if (getenv("AFL_USE_ASAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=memory"; } @@ -175,7 +189,13 @@ static void edit_params(u32 argc, char** argv) { } +#ifdef USEMMAP + cc_params[cc_par_cnt++] = "-lrt"; +#endif + cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1"; + cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; + cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; /* When the user tries to use persistent or deferred forkserver modes by appending a single line to the program, we want to reliably inject a @@ -237,15 +257,10 @@ static void edit_params(u32 argc, char** argv) { int main(int argc, char** argv) { - if (isatty(2) && !getenv("AFL_QUIET")) { - - SAYF(cCYA "afl-gcc-fast " cBRI VERSION cRST " initially by , maintainer: hexcoder-\n"); - - } - - if (argc < 2) { + if (argc < 2 || strcmp(argv[1], "-h") == 0) { - SAYF("\n" + printf(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n" + "\n" "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" "for gcc, letting you recompile third-party code with the required runtime\n" "instrumentation. A common use pattern would be one of the following:\n\n" @@ -263,8 +278,11 @@ int main(int argc, char** argv) { exit(1); - } + } else if (isatty(2) && !getenv("AFL_QUIET")) { + SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n"); + + } find_obj(argv[0]); diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index f0f5b30b..a44f5a74 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -416,7 +416,7 @@ public: /* Either we couldn't figure out our location or the location is * not whitelisted, so we skip instrumentation. */ - if (!instrumentBlock) return 0;; + if (!instrumentBlock) return 0; } return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); @@ -464,7 +464,7 @@ int plugin_init(struct plugin_name_args *plugin_info, /* Show a banner */ if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(G_(cCYA "afl-gcc-pass " cBRI VERSION cRST " initially by , maintainer: hexcoder-\n")); + SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST " initially by , maintainer: hexcoder-\n")); } else be_quiet = 1; -- cgit v1.2.3 From 8a786377196fbaafeecbca17fad66ea1e76c7de2 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 19 Oct 2019 16:19:46 +0200 Subject: add gcc_plugin to code formatter and run it --- gcc_plugin/afl-gcc-fast.c | 144 +++++--- gcc_plugin/afl-gcc-pass.so.cc | 768 +++++++++++++++++++++++------------------- gcc_plugin/afl-gcc-rt.o.c | 32 +- 3 files changed, 518 insertions(+), 426 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 25ecf310..73709321 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -36,16 +36,15 @@ #include #include -static u8* obj_path; /* Path to runtime libraries */ -static u8** cc_params; /* Parameters passed to the real CC */ -static u32 cc_par_cnt = 1; /* Param count, including argv0 */ - +static u8* obj_path; /* Path to runtime libraries */ +static u8** cc_params; /* Parameters passed to the real CC */ +static u32 cc_par_cnt = 1; /* Param count, including argv0 */ /* Try to find the runtime libraries. If that fails, abort. */ static void find_obj(u8* argv0) { - u8 *afl_path = getenv("AFL_PATH"); + u8* afl_path = getenv("AFL_PATH"); u8 *slash, *tmp; if (afl_path) { @@ -53,9 +52,11 @@ static void find_obj(u8* argv0) { tmp = alloc_printf("%s/afl-gcc-rt.o", afl_path); if (!access(tmp, R_OK)) { + obj_path = afl_path; ck_free(tmp); return; + } ck_free(tmp); @@ -66,7 +67,7 @@ static void find_obj(u8* argv0) { if (slash) { - u8 *dir; + u8* dir; *slash = 0; dir = ck_strdup(argv0); @@ -75,9 +76,11 @@ static void find_obj(u8* argv0) { tmp = alloc_printf("%s/afl-gcc-rt.o", dir); if (!access(tmp, R_OK)) { + obj_path = dir; ck_free(tmp); return; + } ck_free(tmp); @@ -86,35 +89,44 @@ static void find_obj(u8* argv0) { } if (!access(AFL_PATH "/afl-gcc-rt.o", R_OK)) { + obj_path = AFL_PATH; return; + } - FATAL("Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set AFL_PATH"); -} + FATAL( + "Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set " + "AFL_PATH"); +} /* Copy argv to cc_params, making the necessary edits. */ static void edit_params(u32 argc, char** argv) { - u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; - u8 *name; + u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; + u8* name; cc_params = ck_alloc((argc + 64) * sizeof(u8*)); name = strrchr(argv[0], '/'); - if (!name) name = argv[0]; else ++name; + if (!name) + name = argv[0]; + else + ++name; if (!strcmp(name, "afl-g++-fast")) { + u8* alt_cxx = getenv("AFL_CXX"); cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; + } else { + u8* alt_cc = getenv("AFL_CC"); cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; - } - + } char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); cc_params[cc_par_cnt++] = fplugin_arg; @@ -124,6 +136,7 @@ static void edit_params(u32 argc, char** argv) { if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0; while (--argc) { + u8* cur = *(++argv); #if defined(__x86_64__) @@ -133,10 +146,11 @@ static void edit_params(u32 argc, char** argv) { if (!strcmp(cur, "-x")) x_set = 1; if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E") || - !strcmp(cur, "-v")) maybe_linking = 0; + !strcmp(cur, "-v")) + maybe_linking = 0; - if (!strcmp(cur, "-fsanitize=address") || - !strcmp(cur, "-fsanitize=memory")) asan_set = 1; + if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) + asan_set = 1; if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; @@ -150,8 +164,7 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fstack-protector-all"; - if (!fortify_set) - cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; + if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; } @@ -217,31 +230,37 @@ static void edit_params(u32 argc, char** argv) { */ - cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" - "({ static volatile char *_B __attribute__((used)); " - " _B = (char*)\"" PERSIST_SIG "\"; " + cc_params[cc_par_cnt++] = + "-D__AFL_LOOP(_A)=" + "({ static volatile char *_B __attribute__((used)); " + " _B = (char*)\"" PERSIST_SIG + "\"; " #ifdef __APPLE__ - "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); " + "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); " #else - "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); " -#endif /* ^__APPLE__ */ - "_L(_A); })"; - - cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" - "do { static volatile char *_A __attribute__((used)); " - " _A = (char*)\"" DEFER_SIG "\"; " + "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); " +#endif /* ^__APPLE__ */ + "_L(_A); })"; + + cc_params[cc_par_cnt++] = + "-D__AFL_INIT()=" + "do { static volatile char *_A __attribute__((used)); " + " _A = (char*)\"" DEFER_SIG + "\"; " #ifdef __APPLE__ - "void _I(void) __asm__(\"___afl_manual_init\"); " + "void _I(void) __asm__(\"___afl_manual_init\"); " #else - "void _I(void) __asm__(\"__afl_manual_init\"); " -#endif /* ^__APPLE__ */ - "_I(); } while (0)"; + "void _I(void) __asm__(\"__afl_manual_init\"); " +#endif /* ^__APPLE__ */ + "_I(); } while (0)"; if (maybe_linking) { if (x_set) { + cc_params[cc_par_cnt++] = "-x"; cc_params[cc_par_cnt++] = "none"; + } cc_params[cc_par_cnt++] = alloc_printf("%s/afl-gcc-rt.o", obj_path); @@ -252,46 +271,58 @@ static void edit_params(u32 argc, char** argv) { } - /* Main entry point */ int main(int argc, char** argv) { if (argc < 2 || strcmp(argv[1], "-h") == 0) { - printf(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n" - "\n" - "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" - "for gcc, letting you recompile third-party code with the required runtime\n" - "instrumentation. A common use pattern would be one of the following:\n\n" - - " CC=%s/afl-gcc-fast ./configure\n" - " CXX=%s/afl-g++-fast ./configure\n\n" - - "In contrast to the traditional afl-gcc tool, this version is implemented as\n" - "a GCC plugin and tends to offer improved performance with slow programs\n" - "(similarly to the LLVM plugin used by afl-clang-fast).\n\n" - - "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. Setting\n" - "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", - BIN_PATH, BIN_PATH); + printf( + cCYA + "afl-gcc-fast" VERSION cRST + " initially by , maintainer: hexcoder-\n" + "\n" + "This is a helper application for afl-fuzz. It serves as a drop-in " + "replacement\n" + "for gcc, letting you recompile third-party code with the required " + "runtime\n" + "instrumentation. A common use pattern would be one of the " + "following:\n\n" + + " CC=%s/afl-gcc-fast ./configure\n" + " CXX=%s/afl-g++-fast ./configure\n\n" + + "In contrast to the traditional afl-gcc tool, this version is " + "implemented as\n" + "a GCC plugin and tends to offer improved performance with slow " + "programs\n" + "(similarly to the LLVM plugin used by afl-clang-fast).\n\n" + + "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. " + "Setting\n" + "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", + BIN_PATH, BIN_PATH); exit(1); } else if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n"); + SAYF(cCYA "afl-gcc-fast" VERSION cRST + " initially by , maintainer: hexcoder-\n"); } find_obj(argv[0]); edit_params(argc, argv); -/*if (isatty(2) && !getenv("AFL_QUIET")) { - printf("Calling \"%s\" with:\n", cc_params[0]); - for(int i=1; i #include #include @@ -92,191 +92,206 @@ /* -------------------------------------------------------------------------- */ /* -- AFL instrumentation pass ---------------------------------------------- */ -static int be_quiet = 0; -static unsigned int inst_ratio = 100; -static bool inst_ext = true; +static int be_quiet = 0; +static unsigned int inst_ratio = 100; +static bool inst_ext = true; static std::list myWhitelist; static unsigned int ext_call_instrument(function *fun) { - /* Instrument all the things! */ - basic_block bb; - unsigned finst_blocks = 0; - unsigned fcnt_blocks = 0; - - tree fntype = build_function_type_list( - void_type_node, /* return */ - uint32_type_node, /* args */ - NULL_TREE); /* done */ - tree fndecl = build_fn_decl("__afl_trace", fntype); - TREE_STATIC(fndecl) = 1; /* Defined elsewhere */ - TREE_PUBLIC(fndecl) = 1; /* Public */ - DECL_EXTERNAL(fndecl) = 1; /* External linkage */ - DECL_ARTIFICIAL(fndecl) = 1; /* Injected by compiler */ - - FOR_EACH_BB_FN(bb, fun) { - gimple_seq fcall; - gimple_seq seq = NULL; - gimple_stmt_iterator bentry; - ++fcnt_blocks; - - // only instrument if this basic block is the destination of a previous - // basic block that has multiple successors - // this gets rid of ~5-10% of instrumentations that are unnecessary - // result: a little more speed and less map pollution - - int more_than_one = -1; - edge ep; - edge_iterator eip; - FOR_EACH_EDGE (ep, eip, bb->preds) { - int count = 0; - if (more_than_one == -1) - more_than_one = 0; - - basic_block Pred = ep->src; - edge es; - edge_iterator eis; - FOR_EACH_EDGE (es, eis, Pred->succs) { - basic_block Succ = es->dest; - if (Succ != NULL) count++; - } - if (count > 1) - more_than_one = 1; - } - if (more_than_one != 1) - continue; - - /* Bail on this block if we trip the specified ratio */ - if (R(100) >= inst_ratio) continue; - - /* Make up cur_loc */ - unsigned int rand_loc = R(MAP_SIZE); - tree cur_loc = build_int_cst(uint32_type_node, rand_loc); - - /* Update bitmap via external call */ - /* to quote: - * /+ Trace a basic block with some ID +/ - * void __afl_trace(u32 x); - */ - - fcall = gimple_build_call(fndecl, 1, cur_loc); /* generate the function _call_ to above built reference, with *1* parameter -> the random const for the location */ - gimple_seq_add_stmt(&seq, fcall); /* and insert into a sequence */ - - /* Done - grab the entry to the block and insert sequence */ - bentry = gsi_after_labels(bb); - gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT); - - ++finst_blocks; - } - - /* Say something nice. */ - if (!be_quiet) { - if (!finst_blocks) - WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST ), - function_name(fun)); - else if (finst_blocks < fcnt_blocks) - OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST ), - finst_blocks, fcnt_blocks, - function_name(fun)); - else - OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST ), - finst_blocks, - function_name(fun)); - } - - return 0; + + /* Instrument all the things! */ + basic_block bb; + unsigned finst_blocks = 0; + unsigned fcnt_blocks = 0; + + tree fntype = build_function_type_list(void_type_node, /* return */ + uint32_type_node, /* args */ + NULL_TREE); /* done */ + tree fndecl = build_fn_decl("__afl_trace", fntype); + TREE_STATIC(fndecl) = 1; /* Defined elsewhere */ + TREE_PUBLIC(fndecl) = 1; /* Public */ + DECL_EXTERNAL(fndecl) = 1; /* External linkage */ + DECL_ARTIFICIAL(fndecl) = 1; /* Injected by compiler */ + + FOR_EACH_BB_FN(bb, fun) { + + gimple_seq fcall; + gimple_seq seq = NULL; + gimple_stmt_iterator bentry; + ++fcnt_blocks; + + // only instrument if this basic block is the destination of a previous + // basic block that has multiple successors + // this gets rid of ~5-10% of instrumentations that are unnecessary + // result: a little more speed and less map pollution + + int more_than_one = -1; + edge ep; + edge_iterator eip; + FOR_EACH_EDGE(ep, eip, bb->preds) { + + int count = 0; + if (more_than_one == -1) more_than_one = 0; + + basic_block Pred = ep->src; + edge es; + edge_iterator eis; + FOR_EACH_EDGE(es, eis, Pred->succs) { + + basic_block Succ = es->dest; + if (Succ != NULL) count++; + + } + + if (count > 1) more_than_one = 1; + + } + + if (more_than_one != 1) continue; + + /* Bail on this block if we trip the specified ratio */ + if (R(100) >= inst_ratio) continue; + + /* Make up cur_loc */ + unsigned int rand_loc = R(MAP_SIZE); + tree cur_loc = build_int_cst(uint32_type_node, rand_loc); + + /* Update bitmap via external call */ + /* to quote: + * /+ Trace a basic block with some ID +/ + * void __afl_trace(u32 x); + */ + + fcall = gimple_build_call( + fndecl, 1, + cur_loc); /* generate the function _call_ to above built reference, with + *1* parameter -> the random const for the location */ + gimple_seq_add_stmt(&seq, fcall); /* and insert into a sequence */ + + /* Done - grab the entry to the block and insert sequence */ + bentry = gsi_after_labels(bb); + gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT); + + ++finst_blocks; + + } + + /* Say something nice. */ + if (!be_quiet) { + + if (!finst_blocks) + WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST), + function_name(fun)); + else if (finst_blocks < fcnt_blocks) + OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST), + finst_blocks, fcnt_blocks, function_name(fun)); + else + OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks, + function_name(fun)); + + } + + return 0; + } static unsigned int inline_instrument(function *fun) { - /* Instrument all the things! */ - basic_block bb; - unsigned finst_blocks = 0; - unsigned fcnt_blocks = 0; - - /* Set up global type declarations */ - tree map_type = build_pointer_type(unsigned_char_type_node); - tree map_ptr_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, - get_identifier_with_length("__afl_area_ptr", 14), map_type); - TREE_USED(map_ptr_g) = 1; - TREE_STATIC(map_ptr_g) = 1; /* Defined elsewhere */ - DECL_EXTERNAL(map_ptr_g) = 1; /* External linkage */ - DECL_PRESERVE_P(map_ptr_g) = 1; - DECL_ARTIFICIAL(map_ptr_g) = 1; /* Injected by compiler */ - rest_of_decl_compilation(map_ptr_g, 1, 0); - - tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, - get_identifier_with_length("__afl_prev_loc", 14), uint32_type_node); - TREE_USED(prev_loc_g) = 1; - TREE_STATIC(prev_loc_g) = 1; /* Defined elsewhere */ - DECL_EXTERNAL(prev_loc_g) = 1; /* External linkage */ - DECL_PRESERVE_P(prev_loc_g) = 1; - DECL_ARTIFICIAL(prev_loc_g) = 1; /* Injected by compiler */ - rest_of_decl_compilation(prev_loc_g, 1, 0); - - FOR_EACH_BB_FN(bb, fun) { - gimple_seq seq = NULL; - gimple_stmt_iterator bentry; - ++fcnt_blocks; - - // only instrument if this basic block is the destination of a previous - // basic block that has multiple successors - // this gets rid of ~5-10% of instrumentations that are unnecessary - // result: a little more speed and less map pollution - - int more_than_one = -1; - edge ep; - edge_iterator eip; - FOR_EACH_EDGE (ep, eip, bb->preds) { - int count = 0; - if (more_than_one == -1) - more_than_one = 0; - - basic_block Pred = ep->src; - edge es; - edge_iterator eis; - FOR_EACH_EDGE (es, eis, Pred->succs) { - basic_block Succ = es->dest; - if (Succ != NULL) count++; - } - if (count > 1) - more_than_one = 1; - } - if (more_than_one != 1) - continue; - - /* Bail on this block if we trip the specified ratio */ - if (R(100) >= inst_ratio) continue; - - /* Make up cur_loc */ - - unsigned int rand_loc = R(MAP_SIZE); - tree cur_loc = build_int_cst(uint32_type_node, rand_loc); - - /* Load prev_loc, xor with cur_loc */ - // gimple_assign - tree prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc"); - gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g); - gimple_seq_add_stmt(&seq, g); // load prev_loc - update_stmt(g); + /* Instrument all the things! */ + basic_block bb; + unsigned finst_blocks = 0; + unsigned fcnt_blocks = 0; - // gimple_assign - tree area_off = create_tmp_var_raw(uint32_type_node, "area_off"); - g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc); - gimple_seq_add_stmt(&seq, g); // area_off = prev_loc ^ cur_loc - update_stmt(g); + /* Set up global type declarations */ + tree map_type = build_pointer_type(unsigned_char_type_node); + tree map_ptr_g = + build_decl(UNKNOWN_LOCATION, VAR_DECL, + get_identifier_with_length("__afl_area_ptr", 14), map_type); + TREE_USED(map_ptr_g) = 1; + TREE_STATIC(map_ptr_g) = 1; /* Defined elsewhere */ + DECL_EXTERNAL(map_ptr_g) = 1; /* External linkage */ + DECL_PRESERVE_P(map_ptr_g) = 1; + DECL_ARTIFICIAL(map_ptr_g) = 1; /* Injected by compiler */ + rest_of_decl_compilation(map_ptr_g, 1, 0); - /* Update bitmap */ + tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, + get_identifier_with_length("__afl_prev_loc", 14), + uint32_type_node); + TREE_USED(prev_loc_g) = 1; + TREE_STATIC(prev_loc_g) = 1; /* Defined elsewhere */ + DECL_EXTERNAL(prev_loc_g) = 1; /* External linkage */ + DECL_PRESERVE_P(prev_loc_g) = 1; + DECL_ARTIFICIAL(prev_loc_g) = 1; /* Injected by compiler */ + rest_of_decl_compilation(prev_loc_g, 1, 0); - tree one = build_int_cst(unsigned_char_type_node, 1); -// tree zero = build_int_cst(unsigned_char_type_node, 0); + FOR_EACH_BB_FN(bb, fun) { - // gimple_assign - tree map_ptr = create_tmp_var(map_type, "map_ptr"); - tree map_ptr2 = create_tmp_var(map_type, "map_ptr2"); + gimple_seq seq = NULL; + gimple_stmt_iterator bentry; + ++fcnt_blocks; - g = gimple_build_assign(map_ptr, map_ptr_g); - gimple_seq_add_stmt(&seq, g); // map_ptr = __afl_area_ptr - update_stmt(g); + // only instrument if this basic block is the destination of a previous + // basic block that has multiple successors + // this gets rid of ~5-10% of instrumentations that are unnecessary + // result: a little more speed and less map pollution + + int more_than_one = -1; + edge ep; + edge_iterator eip; + FOR_EACH_EDGE(ep, eip, bb->preds) { + + int count = 0; + if (more_than_one == -1) more_than_one = 0; + + basic_block Pred = ep->src; + edge es; + edge_iterator eis; + FOR_EACH_EDGE(es, eis, Pred->succs) { + + basic_block Succ = es->dest; + if (Succ != NULL) count++; + + } + + if (count > 1) more_than_one = 1; + + } + + if (more_than_one != 1) continue; + + /* Bail on this block if we trip the specified ratio */ + if (R(100) >= inst_ratio) continue; + + /* Make up cur_loc */ + + unsigned int rand_loc = R(MAP_SIZE); + tree cur_loc = build_int_cst(uint32_type_node, rand_loc); + + /* Load prev_loc, xor with cur_loc */ + // gimple_assign + tree prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc"); + gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g); + gimple_seq_add_stmt(&seq, g); // load prev_loc + update_stmt(g); + + // gimple_assign + tree area_off = create_tmp_var_raw(uint32_type_node, "area_off"); + g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc); + gimple_seq_add_stmt(&seq, g); // area_off = prev_loc ^ cur_loc + update_stmt(g); + + /* Update bitmap */ + + tree one = build_int_cst(unsigned_char_type_node, 1); + // tree zero = build_int_cst(unsigned_char_type_node, 0); + + // gimple_assign + tree map_ptr = create_tmp_var(map_type, "map_ptr"); + tree map_ptr2 = create_tmp_var(map_type, "map_ptr2"); + + g = gimple_build_assign(map_ptr, map_ptr_g); + gimple_seq_add_stmt(&seq, g); // map_ptr = __afl_area_ptr + update_stmt(g); #if 0 tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); @@ -284,68 +299,69 @@ static unsigned int inline_instrument(function *fun) { gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); #else - g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); - gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off - update_stmt(g); + g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); + gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off + update_stmt(g); #endif - // gimple_assign - tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); - g = gimple_build_assign(tmp1, MEM_REF, map_ptr2); - gimple_seq_add_stmt(&seq, g); // tmp1 = *map_ptr2 - update_stmt(g); + // gimple_assign + tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); + g = gimple_build_assign(tmp1, MEM_REF, map_ptr2); + gimple_seq_add_stmt(&seq, g); // tmp1 = *map_ptr2 + update_stmt(g); - // gimple_assign - tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2"); - g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one); - gimple_seq_add_stmt(&seq, g); // tmp2 = tmp1 + 1 - update_stmt(g); + // gimple_assign + tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2"); + g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one); + gimple_seq_add_stmt(&seq, g); // tmp2 = tmp1 + 1 + update_stmt(g); - // TODO: neverZero: here we have to check if tmp3 == 0 - // and add 1 if so + // TODO: neverZero: here we have to check if tmp3 == 0 + // and add 1 if so - // gimple_assign -// tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3"); - g = gimple_build_assign(map_ptr_g, INDIRECT_REF, tmp2); - gimple_seq_add_stmt(&seq, g); // *map_ptr3 = tmp2 - update_stmt(g); + // gimple_assign + // tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3"); + g = gimple_build_assign(map_ptr_g, INDIRECT_REF, tmp2); + gimple_seq_add_stmt(&seq, g); // *map_ptr3 = tmp2 + update_stmt(g); - /* Set prev_loc to cur_loc >> 1 */ + /* Set prev_loc to cur_loc >> 1 */ - // gimple_assign - tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1); - tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2"); - g = gimple_build_assign(prev_loc2, shifted_loc); - gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 - update_stmt(g); - g = gimple_build_assign(prev_loc_g, prev_loc2); - gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 - update_stmt(g); + // gimple_assign + tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1); + tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2"); + g = gimple_build_assign(prev_loc2, shifted_loc); + gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 + update_stmt(g); + g = gimple_build_assign(prev_loc_g, prev_loc2); + gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 + update_stmt(g); + + /* Done - grab the entry to the block and insert sequence */ + + bentry = gsi_after_labels(bb); + gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT); + + ++finst_blocks; - /* Done - grab the entry to the block and insert sequence */ + } - bentry = gsi_after_labels(bb); - gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT); + /* Say something nice. */ + if (!be_quiet) { - ++finst_blocks; - } + if (!finst_blocks) + WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST), + function_name(fun)); + else if (finst_blocks < fcnt_blocks) + OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST), + finst_blocks, fcnt_blocks, function_name(fun)); + else + OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks, + function_name(fun)); - /* Say something nice. */ - if (!be_quiet) { - if (!finst_blocks) - WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST ), - function_name(fun)); - else if (finst_blocks < fcnt_blocks) - OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST ), - finst_blocks, fcnt_blocks, - function_name(fun)); - else - OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST ), - finst_blocks, - function_name(fun)); - } + } + return 0; - return 0; } /* -------------------------------------------------------------------------- */ @@ -353,80 +369,102 @@ static unsigned int inline_instrument(function *fun) { static const struct pass_data afl_pass_data = { - .type = GIMPLE_PASS, - .name = "afl-inst", - .optinfo_flags = OPTGROUP_NONE, - - .tv_id = TV_NONE, - .properties_required = 0, - .properties_provided = 0, - .properties_destroyed = 0, - .todo_flags_start = 0, - // NOTE(aseipp): it's very, very important to include - // at least 'TODO_update_ssa' here so that GCC will - // properly update the resulting SSA form, e.g., to - // include new PHI nodes for newly added symbols or - // names. Do not remove this. Do not taunt Happy Fun - // Ball. - .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg, + .type = GIMPLE_PASS, + .name = "afl-inst", + .optinfo_flags = OPTGROUP_NONE, + + .tv_id = TV_NONE, + .properties_required = 0, + .properties_provided = 0, + .properties_destroyed = 0, + .todo_flags_start = 0, + // NOTE(aseipp): it's very, very important to include + // at least 'TODO_update_ssa' here so that GCC will + // properly update the resulting SSA form, e.g., to + // include new PHI nodes for newly added symbols or + // names. Do not remove this. Do not taunt Happy Fun + // Ball. + .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg, + }; namespace { class afl_pass : public gimple_opt_pass { -private: - bool do_ext_call; - -public: - afl_pass(bool ext_call, gcc::context *g) : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) {} - - virtual unsigned int execute(function *fun) { - - if (!myWhitelist.empty()) { - bool instrumentBlock = false; - - /* EXPR_FILENAME - This macro returns the name of the file in which the entity was declared, as - a char*. For an entity declared implicitly by the compiler (like __builtin_ - memcpy), this will be the string "". - */ - const char *fname = DECL_SOURCE_FILE(fun->decl); - - if (0 != strncmp("", fname, 10) - && 0 != strncmp("", fname, 10)) - { - std::string instFilename(fname); - - /* Continue only if we know where we actually are */ - if (!instFilename.empty()) { - for (std::list::iterator it = myWhitelist.begin(); it != myWhitelist.end(); ++it) { - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. */ - if (instFilename.length() >= it->length()) { - if (instFilename.compare(instFilename.length() - it->length(), it->length(), *it) == 0) { - instrumentBlock = true; - break; - } - } - } - } - } - - /* Either we couldn't figure out our location or the location is - * not whitelisted, so we skip instrumentation. */ - if (!instrumentBlock) return 0; - } - - return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); - } -}; /* class afl_pass */ - -} /* anon namespace */ + + private: + bool do_ext_call; + + public: + afl_pass(bool ext_call, gcc::context *g) + : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) { + + } + + virtual unsigned int execute(function *fun) { + + if (!myWhitelist.empty()) { + + bool instrumentBlock = false; + + /* EXPR_FILENAME + This macro returns the name of the file in which the entity was declared, + as a char*. For an entity declared implicitly by the compiler (like + __builtin_ memcpy), this will be the string "". + */ + const char *fname = DECL_SOURCE_FILE(fun->decl); + + if (0 != strncmp("", fname, 10) && + 0 != strncmp("", fname, 10)) { + + std::string instFilename(fname); + + /* Continue only if we know where we actually are */ + if (!instFilename.empty()) { + + for (std::list::iterator it = myWhitelist.begin(); + it != myWhitelist.end(); ++it) { + + /* We don't check for filename equality here because + * filenames might actually be full paths. Instead we + * check that the actual filename ends in the filename + * specified in the list. */ + if (instFilename.length() >= it->length()) { + + if (instFilename.compare(instFilename.length() - it->length(), + it->length(), *it) == 0) { + + instrumentBlock = true; + break; + + } + + } + + } + + } + + } + + /* Either we couldn't figure out our location or the location is + * not whitelisted, so we skip instrumentation. */ + if (!instrumentBlock) return 0; + + } + + return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); + + } + +}; /* class afl_pass */ + +} // namespace static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) { - return new afl_pass(ext_call, ctxt); + + return new afl_pass(ext_call, ctxt); + } /* -------------------------------------------------------------------------- */ @@ -435,71 +473,93 @@ static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) { int plugin_is_GPL_compatible = 1; static struct plugin_info afl_plugin_info = { - .version = "20191015", - .help = "AFL++ gcc plugin\n", + + .version = "20191015", + .help = "AFL++ gcc plugin\n", + }; -int plugin_init(struct plugin_name_args *plugin_info, +int plugin_init(struct plugin_name_args * plugin_info, struct plugin_gcc_version *version) { - struct register_pass_info afl_pass_info; - struct timeval tv; - struct timezone tz; - u32 rand_seed; - - /* Setup random() so we get Actually Random(TM) outputs from R() */ - gettimeofday(&tv, &tz); - rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); - srandom(rand_seed); - - /* Pass information */ - afl_pass_info.pass = make_afl_pass(inst_ext, g); - afl_pass_info.reference_pass_name = "ssa"; - afl_pass_info.ref_pass_instance_number = 1; - afl_pass_info.pos_op = PASS_POS_INSERT_AFTER; - - if (!plugin_default_version_check(version, &gcc_version)) { - FATAL(G_("Incompatible gcc/plugin versions!")); - } - - /* Show a banner */ - if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST " initially by , maintainer: hexcoder-\n")); - } else - be_quiet = 1; - - /* Decide instrumentation ratio */ - char* inst_ratio_str = getenv("AFL_INST_RATIO"); - - if (inst_ratio_str) { - if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio || inst_ratio > 100) - FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)")); - else { - if (!be_quiet) - ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), - inst_ext ? G_("Call-based") : G_("Inline"), - inst_ratio, - getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened")); - } - } - - char* instWhiteListFilename = getenv("AFL_GCC_WHITELIST"); - if (instWhiteListFilename) { - std::string line; - std::ifstream fileStream; - fileStream.open(instWhiteListFilename); - if (!fileStream) - fatal_error(0, "Unable to open AFL_GCC_WHITELIST"); - getline(fileStream, line); - while (fileStream) { - myWhitelist.push_back(line); - getline(fileStream, line); - } - } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST")) - SAYF(cYEL "[-] " cRST "AFL_LLVM_WHITELIST environment variable detected - did you mean AFL_GCC_WHITELIST?\n"); + struct register_pass_info afl_pass_info; + struct timeval tv; + struct timezone tz; + u32 rand_seed; + + /* Setup random() so we get Actually Random(TM) outputs from R() */ + gettimeofday(&tv, &tz); + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + srandom(rand_seed); + + /* Pass information */ + afl_pass_info.pass = make_afl_pass(inst_ext, g); + afl_pass_info.reference_pass_name = "ssa"; + afl_pass_info.ref_pass_instance_number = 1; + afl_pass_info.pos_op = PASS_POS_INSERT_AFTER; + + if (!plugin_default_version_check(version, &gcc_version)) { + + FATAL(G_("Incompatible gcc/plugin versions!")); + + } + + /* Show a banner */ + if (isatty(2) && !getenv("AFL_QUIET")) { + + SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST + " initially by , maintainer: hexcoder-\n")); + + } else + + be_quiet = 1; + + /* Decide instrumentation ratio */ + char *inst_ratio_str = getenv("AFL_INST_RATIO"); + + if (inst_ratio_str) { + + if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio || + inst_ratio > 100) + FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)")); + else { + + if (!be_quiet) + ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), + inst_ext ? G_("Call-based") : G_("Inline"), inst_ratio, + getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened")); + + } + + } + + char *instWhiteListFilename = getenv("AFL_GCC_WHITELIST"); + if (instWhiteListFilename) { + + std::string line; + std::ifstream fileStream; + fileStream.open(instWhiteListFilename); + if (!fileStream) fatal_error(0, "Unable to open AFL_GCC_WHITELIST"); + getline(fileStream, line); + while (fileStream) { + + myWhitelist.push_back(line); + getline(fileStream, line); + + } + + } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST")) + + SAYF(cYEL "[-] " cRST + "AFL_LLVM_WHITELIST environment variable detected - did you mean " + "AFL_GCC_WHITELIST?\n"); + + /* Go go gadget */ + register_callback(plugin_info->base_name, PLUGIN_INFO, NULL, + &afl_plugin_info); + register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL, + &afl_pass_info); + return 0; - /* Go go gadget */ - register_callback(plugin_info->base_name, PLUGIN_INFO, NULL, &afl_plugin_info); - register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &afl_pass_info); - return 0; } + diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 8e72e108..f6754bd4 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -34,27 +34,27 @@ #include #include - /* Globals needed by the injected instrumentation. The __afl_area_initial region - is used for instrumentation output before __afl_map_shm() has a chance to run. - It will end up as .comm, so it shouldn't be too wasteful. */ + is used for instrumentation output before __afl_map_shm() has a chance to + run. It will end up as .comm, so it shouldn't be too wasteful. */ u8 __afl_area_initial[MAP_SIZE]; -u8* __afl_area_ptr = __afl_area_initial; +u8 *__afl_area_ptr = __afl_area_initial; u32 __afl_prev_loc; - /* Running in persistent mode? */ static u8 is_persistent; /* Trace a basic block with some ID */ void __afl_trace(u32 x) { + u32 l = __afl_prev_loc; u32 n = l ^ x; - *(__afl_area_ptr+n) += 1; + *(__afl_area_ptr + n) += 1; __afl_prev_loc = (x >> 1); return; + } /* SHM setup. */ @@ -86,15 +86,14 @@ static void __afl_map_shm(void) { } - /* Fork server logic. */ static void __afl_start_forkserver(void) { static u8 tmp[4]; - s32 child_pid; + s32 child_pid; - u8 child_stopped = 0; + u8 child_stopped = 0; /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ @@ -115,8 +114,10 @@ static void __afl_start_forkserver(void) { process. */ if (child_stopped && was_killed) { + child_stopped = 0; if (waitpid(child_pid, &status, 0) < 0) exit(1); + } if (!child_stopped) { @@ -150,8 +151,7 @@ static void __afl_start_forkserver(void) { if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1); - if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) - exit(1); + if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(1); /* In persistent mode, the child stops itself with SIGSTOP to indicate a successful run. In this case, we want to wake it up without forking @@ -167,7 +167,6 @@ static void __afl_start_forkserver(void) { } - /* A simplified persistent mode handler, used as explained in README.llvm. */ int __afl_persistent_loop(unsigned int max_cnt) { @@ -177,7 +176,7 @@ int __afl_persistent_loop(unsigned int max_cnt) { if (first_pass) { - cycle_cnt = max_cnt; + cycle_cnt = max_cnt; first_pass = 0; return 1; @@ -188,10 +187,11 @@ int __afl_persistent_loop(unsigned int max_cnt) { raise(SIGSTOP); return 1; - } else return 0; + } else -} + return 0; +} /* This one can be called from user code when deferred forkserver mode is enabled. */ @@ -210,7 +210,6 @@ void __afl_manual_init(void) { } - /* Proper initialization routine. */ __attribute__((constructor(101))) void __afl_auto_init(void) { @@ -222,3 +221,4 @@ __attribute__((constructor(101))) void __afl_auto_init(void) { __afl_manual_init(); } + -- cgit v1.2.3 From c83e8e1e6255374b085292ba8673efdca7388d76 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 19 Oct 2019 18:23:01 +0200 Subject: Remove lcamtuf's old email from Google (not valid anymore), also remove maintainance from him. --- gcc_plugin/Makefile | 2 +- gcc_plugin/afl-gcc-fast.c | 2 +- gcc_plugin/afl-gcc-rt.o.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/Makefile b/gcc_plugin/Makefile index d10eba49..a603df78 100644 --- a/gcc_plugin/Makefile +++ b/gcc_plugin/Makefile @@ -4,7 +4,7 @@ # # Written by Austin Seipp and # Laszlo Szekeres and -# Michal Zalewski and +# Michal Zalewski and # Heiko Eißfeldt # # GCC integration design is based on the LLVM design, which comes diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 73709321..b0461584 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -4,7 +4,7 @@ Written by Austin Seipp and Laszlo Szekeres and - Michal Zalewski + Michal Zalewski GCC integration design is based on the LLVM design, which comes from Laszlo Szekeres. diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index f6754bd4..dd79a0ec 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -4,7 +4,7 @@ Written by Austin Seipp and Laszlo Szekeres and - Michal Zalewski + Michal Zalewski GCC integration design is based on the LLVM design, which comes from Laszlo Szekeres. -- cgit v1.2.3 From be6bc155ebd891eebd21eac8982784e7f2be4f41 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 21 Oct 2019 11:28:32 +0200 Subject: v2.58c --- gcc_plugin/README.gcc.md | 4 ---- gcc_plugin/README.whitelist.md | 3 +-- 2 files changed, 1 insertion(+), 6 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/README.gcc.md b/gcc_plugin/README.gcc.md index 2e19e911..676ef427 100644 --- a/gcc_plugin/README.gcc.md +++ b/gcc_plugin/README.gcc.md @@ -156,7 +156,3 @@ depending on whether the input loop is being entered for the first time or executed again. To avoid spurious warnings, the feature implies AFL_NO_VAR_CHECK and hides the "variable path" warnings in the UI. -PS. Because there are task switches still involved, the mode isn't as fast as -"pure" in-process fuzzing offered, say, by LLVM's LibFuzzer; but it is a lot -faster than the normal fork() model, and compared to in-process fuzzing, -should be a lot more robust. diff --git a/gcc_plugin/README.whitelist.md b/gcc_plugin/README.whitelist.md index bcc02693..8ad2068d 100644 --- a/gcc_plugin/README.whitelist.md +++ b/gcc_plugin/README.whitelist.md @@ -6,8 +6,7 @@ Using afl++ with partial instrumentation that are interesting to you using the gcc instrumentation provided by afl++. - Originally developed by Christian Holler (:decoder) , - adapted to gcc plugin by hexcoder-. + Plugin by hexcoder-. ## 1) Description and purpose -- cgit v1.2.3 From a033364d55332530b15f2a0f2863b3448bb2bab9 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 21 Oct 2019 23:07:05 +0200 Subject: implement neverZero counter for __afl_trace() --- gcc_plugin/afl-gcc-rt.o.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index dd79a0ec..6cf9f167 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -50,8 +50,10 @@ static u8 is_persistent; void __afl_trace(u32 x) { u32 l = __afl_prev_loc; - u32 n = l ^ x; - *(__afl_area_ptr + n) += 1; + const u32 n = l ^ x; + u8 *const bitmap_ptr = __afl_area_ptr + n; + *bitmap_ptr += 1 + (*bitmap_ptr == (u8)~0); /* neverZero */ + __afl_prev_loc = (x >> 1); return; -- cgit v1.2.3 From 9a5882a2909c663b58f1e36b4298eeb09ecc3bf4 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 21 Oct 2019 23:35:09 +0200 Subject: sync afl-gcc-rt.o.c from its more current llvm cousin --- gcc_plugin/afl-gcc-rt.o.c | 90 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 82 insertions(+), 8 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 6cf9f167..1dfca9e3 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -21,12 +21,16 @@ */ +#ifdef __ANDROID__ +#include "android-ashmem.h" +#endif #include "../config.h" #include "../types.h" #include #include #include +#include #include #include @@ -34,17 +38,21 @@ #include #include +#include +#include + /* Globals needed by the injected instrumentation. The __afl_area_initial region is used for instrumentation output before __afl_map_shm() has a chance to run. It will end up as .comm, so it shouldn't be too wasteful. */ u8 __afl_area_initial[MAP_SIZE]; u8 *__afl_area_ptr = __afl_area_initial; -u32 __afl_prev_loc; - -/* Running in persistent mode? */ -static u8 is_persistent; +#ifdef __ANDROID__ +u32 __afl_prev_loc; +#else +__thread u32 __afl_prev_loc; +#endif /* Trace a basic block with some ID */ void __afl_trace(u32 x) { @@ -59,6 +67,10 @@ void __afl_trace(u32 x) { } +/* Running in persistent mode? */ + +static u8 is_persistent; + /* SHM setup. */ static void __afl_map_shm(void) { @@ -71,9 +83,38 @@ static void __afl_map_shm(void) { if (id_str) { +#ifdef USEMMAP + const char* shm_file_path = id_str; + int shm_fd = -1; + unsigned char* shm_base = NULL; + + /* create the shared memory segment as if it was a file */ + shm_fd = shm_open(shm_file_path, O_RDWR, 0600); + if (shm_fd == -1) { + + printf("shm_open() failed\n"); + exit(1); + + } + + /* map the shared memory segment to the address space of the process */ + shm_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0); + if (shm_base == MAP_FAILED) { + + close(shm_fd); + shm_fd = -1; + + printf("mmap() failed\n"); + exit(2); + + } + + __afl_area_ptr = shm_base; +#else u32 shm_id = atoi(id_str); __afl_area_ptr = shmat(shm_id, NULL, 0); +#endif /* Whooooops. */ @@ -97,6 +138,8 @@ static void __afl_start_forkserver(void) { u8 child_stopped = 0; + void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL); + /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ @@ -133,6 +176,8 @@ static void __afl_start_forkserver(void) { if (!child_pid) { + signal(SIGCHLD, old_sigchld_handler); + close(FORKSRV_FD); close(FORKSRV_FD + 1); return; @@ -178,18 +223,47 @@ int __afl_persistent_loop(unsigned int max_cnt) { if (first_pass) { + /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate. + On subsequent calls, the parent will take care of that, but on the first + iteration, it's our job to erase any trace of whatever happened + before the loop. */ + + if (is_persistent) { + + memset(__afl_area_ptr, 0, MAP_SIZE); + __afl_area_ptr[0] = 1; + __afl_prev_loc = 0; + + } + cycle_cnt = max_cnt; first_pass = 0; return 1; } - if (is_persistent && --cycle_cnt) { + if (is_persistent) { - raise(SIGSTOP); - return 1; + if (--cycle_cnt) { + + raise(SIGSTOP); - } else + __afl_area_ptr[0] = 1; + __afl_prev_loc = 0; + + return 1; + + } else { + + /* When exiting __AFL_LOOP(), make sure that the subsequent code that + follows the loop is not traced. We do that by pivoting back to the + dummy output region. */ + + __afl_area_ptr = __afl_area_initial; + + } + + } return 0; -- cgit v1.2.3 From 3ec1baee65553d83e03cd42d08a6151775b25665 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 22 Oct 2019 20:21:04 +0200 Subject: gcc_plugin adaptions Makefile help, man page SYNOPSIS --- gcc_plugin/Makefile | 6 +++--- gcc_plugin/afl-gcc-fast.c | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/Makefile b/gcc_plugin/Makefile index a603df78..287b6545 100644 --- a/gcc_plugin/Makefile +++ b/gcc_plugin/Makefile @@ -27,7 +27,7 @@ CFLAGS ?= -O3 -g -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -Wno-pointer-sign \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ -CXXFLAGS ?= -O3 -g -funroll-loops +CXXFLAGS ?= -O3 -g -funroll-loops CXXEFLAGS := $(CXXFLAGS) -Wall -D_FORTIFY_SOURCE=2 CC ?= gcc @@ -35,8 +35,6 @@ CXX ?= g++ PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include" -PROGS = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o - ifeq "$(shell echo '\#include @\#include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1" SHMAT_OK=1 else @@ -51,6 +49,8 @@ ifeq "$(TEST_MMAP)" "1" LDFLAGS += -lrt endif +PROGS = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o + all: test_shm test_deps $(PROGS) afl-gcc-fast.8 test_build all_done diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index b0461584..093249a0 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -282,6 +282,8 @@ int main(int argc, char** argv) { "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n" "\n" + "afl-gcc-fast [options]\n" + "\n" "This is a helper application for afl-fuzz. It serves as a drop-in " "replacement\n" "for gcc, letting you recompile third-party code with the required " -- cgit v1.2.3 From 1398d8d5a64b11a62e8ed25732e2114a5dc47564 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 23 Oct 2019 03:23:14 +0200 Subject: gcc sucks --- gcc_plugin/afl-gcc-rt.o.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 1dfca9e3..47049167 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -58,10 +58,11 @@ __thread u32 __afl_prev_loc; void __afl_trace(u32 x) { u32 l = __afl_prev_loc; - const u32 n = l ^ x; - u8 *const bitmap_ptr = __afl_area_ptr + n; - *bitmap_ptr += 1 + (*bitmap_ptr == (u8)~0); /* neverZero */ - + __afl_area_ptr[l ^ x]++; + /* // neverZero is disable as gcc creates non-performant code. shame on you gcc + if (__afl_area_ptr[l ^ x] == 0) + __afl_area_ptr[l ^ x]++; + */ __afl_prev_loc = (x >> 1); return; -- cgit v1.2.3 From 7d9eed0ed5a57f16b15fe2576da4aec79e0909c9 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 23 Oct 2019 11:33:20 +0200 Subject: no functional change, avoid conditional jump --- gcc_plugin/afl-gcc-rt.o.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 47049167..5b70a247 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -58,11 +58,14 @@ __thread u32 __afl_prev_loc; void __afl_trace(u32 x) { u32 l = __afl_prev_loc; - __afl_area_ptr[l ^ x]++; - /* // neverZero is disable as gcc creates non-performant code. shame on you gcc - if (__afl_area_ptr[l ^ x] == 0) - __afl_area_ptr[l ^ x]++; - */ + +#if 0 /* enable for neverZero feature. By default disabled since too inefficient :-( */ + /* @Marc: avoid conditional jumps here */ + __afl_area_ptr[l ^ x] += 1 + (__afl_area_ptr[l ^ x] == (u8)~0); +#else + ++__afl_area_ptr[l ^ x]; +#endif + __afl_prev_loc = (x >> 1); return; -- cgit v1.2.3 From 15c920a6126e3a0b5ac5a7293188c3d7a523bbde Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 25 Oct 2019 14:25:37 +0100 Subject: Little compiler plugins rework regarding block location picked up. --- gcc_plugin/afl-gcc-pass.so.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index 633dedcb..84e02cb8 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -490,7 +490,7 @@ int plugin_init(struct plugin_name_args * plugin_info, /* Setup random() so we get Actually Random(TM) outputs from R() */ gettimeofday(&tv, &tz); rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); - srandom(rand_seed); + SR(rand_seed); /* Pass information */ afl_pass_info.pass = make_afl_pass(inst_ext, g); -- cgit v1.2.3 From 67533cf7c35c8e9e6cb8dfdde9c704187b1970da Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 29 Oct 2019 15:35:54 +0000 Subject: copying LLVM mode no builtins. --- gcc_plugin/afl-gcc-fast.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 093249a0..057b44cc 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -108,7 +108,7 @@ static void edit_params(u32 argc, char** argv) { u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; u8* name; - cc_params = ck_alloc((argc + 64) * sizeof(u8*)); + cc_params = ck_alloc((argc + 128) * sizeof(u8*)); name = strrchr(argv[0], '/'); if (!name) @@ -202,6 +202,19 @@ static void edit_params(u32 argc, char** argv) { } + if (getenv("AFL_NO_BUILTIN")) { + + cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-bcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; + + } + #ifdef USEMMAP cc_params[cc_par_cnt++] = "-lrt"; #endif -- cgit v1.2.3 From b22145d0c4d81651f25d912bb7ea5f7fed958873 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 9 Nov 2019 10:37:44 +0000 Subject: gcc plugin llittle update proposal to match better LLVM's --- gcc_plugin/afl-gcc-pass.so.cc | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'gcc_plugin') diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index 84e02cb8..0fa07774 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -401,11 +401,13 @@ class afl_pass : public gimple_opt_pass { } - virtual unsigned int execute(function *fun) { + unsigned int execute(function *fun) override { if (!myWhitelist.empty()) { bool instrumentBlock = false; + std::string instFilename; + unsigned int instLine = 0; /* EXPR_FILENAME This macro returns the name of the file in which the entity was declared, @@ -417,7 +419,8 @@ class afl_pass : public gimple_opt_pass { if (0 != strncmp("", fname, 10) && 0 != strncmp("", fname, 10)) { - std::string instFilename(fname); + instFilename = fname; + instLine = DECL_SOURCE_LINE(fun->decl); /* Continue only if we know where we actually are */ if (!instFilename.empty()) { @@ -449,7 +452,17 @@ class afl_pass : public gimple_opt_pass { /* Either we couldn't figure out our location or the location is * not whitelisted, so we skip instrumentation. */ - if (!instrumentBlock) return 0; + if (!instrumentBlock) { + + if (!be_quiet) { + if (!instFilename.empty()) + SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s line %u...\n", + instFilename.c_str(), instLine); + else + SAYF(cYEL "[!] " cBRI "No filename information found, skipping it"); + } + return 0; + } } -- cgit v1.2.3