From a22f4dd1ac1fe12bc5b81c3311524bc175a2eed0 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 28 Jul 2020 16:13:32 +0200 Subject: new snapshot api --- include/snapshot-inl.h | 63 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 54 insertions(+), 9 deletions(-) (limited to 'include/snapshot-inl.h')
diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h
index b73a001e..55251db5 100644
--- a/include/snapshot-inl.h
+++ b/include/snapshot-inl.h
@@ -25,35 +25,80 @@
 // From AFL-Snapshot-LKM/include/afl_snapshot.h (must be kept synced)
 #include
-#include
-#include
+#include
 #include
 #define AFL_SNAPSHOT_FILE_NAME "/dev/afl_snapshot"
 #define AFL_SNAPSHOT_IOCTL_MAGIC 44313
-#define AFL_SNAPSHOT_IOCTL_DO _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 1)
-#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 2)
+#define AFL_SNAPSHOT_EXCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 1, struct afl_snapshot_vmrange_args*)
+#define AFL_SNAPSHOT_INCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 2, struct afl_snapshot_vmrange_args*)
+#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, int)
+#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 4)
+#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 5)
+
+// Trace new mmaped ares and unmap them on restore.
+#define AFL_SNAPSHOT_MMAP 1
+// Do not snapshot any page (by default all writeable not-shared pages
+// are shanpshotted.
+#define AFL_SNAPSHOT_BLOCK 2
+// Snapshot file descriptor state, close newly opened descriptors
+#define AFL_SNAPSHOT_FDS 4
+// Snapshot registers state
+#define AFL_SNAPSHOT_REGS 8
+// Perform a restore when exit_group is invoked
+#define AFL_SNAPSHOT_EXIT 16
+// TODO(andrea) allow not COW snapshots (high perf on small processes)
+// Disable COW, restore all the snapshotted pages
+#define AFL_SNAPSHOT_NOCOW 32
+// Do not snapshot Stack pages
+#define AFL_SNAPSHOT_NOSTACK 64
+
+struct afl_snapshot_vmrange_args {
+
+ unsigned long start, end;
+
+};
 static int afl_snapshot_dev_fd;
-static int afl_snapshot_init(void) {
+static int afl_snapshot_init() {
 afl_snapshot_dev_fd = open(AFL_SNAPSHOT_FILE_NAME, 0);
 return afl_snapshot_dev_fd;
 }
-static int afl_snapshot_do() {
+static void afl_snapshot_exclude_vmrange(void* start, void* end) {
- return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO);
+ struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end};
+ ioctl(afl_snapshot_dev_fd,
AFL_SNAPSHOT_EXCLUDE_VMRANGE, &args);
 }
-static int afl_snapshot_clean(void) {
+static void afl_snapshot_include_vmrange(void* start, void* end) {
- return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN);
+ struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end};
+ ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_INCLUDE_VMRANGE, &args);
+
+}
+
+static int afl_snapshot_take(int config) {
+
+ return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_TAKE, config);
+
+}
+
+static void afl_snapshot_restore(void) {
+
+ ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_RESTORE);
+
+}
+
+static void afl_snapshot_clean(void) {
+
+ ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN);
 }
-- cgit 1.4.1 From d64c0e888751a3747d945702bc3e732c94db0cc9 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 28 Jul 2020 16:31:07 +0200 Subject: lkm new api --- include/snapshot-inl.h | 37 ++++++++++++++++++++++++------------- llvm_mode/afl-llvm-rt.o.c | 7 ++++++- 2 files changed, 30 insertions(+), 14 deletions(-) (limited to 'include/snapshot-inl.h')
diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h
index 55251db5..263a4b63 100644
--- a/include/snapshot-inl.h
+++ b/include/snapshot-inl.h
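Review bot: The new `void` wrappers `afl_snapshot_exclude_vmrange`, `afl_snapshot_include_vmrange`, `afl_snapshot_restore` and `afl_snapshot_clean` discard the `ioctl()` result, so a rejected request — including every call made after `afl_snapshot_init()` has stored a failed `open()`'s `-1` in `afl_snapshot_dev_fd` — is silent and the caller carries on as if the range had been excluded or the state restored. `afl_snapshot_take` already returns the ioctl status; the other four should follow the same convention, e.g. `static int afl_snapshot_restore(void) { return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_RESTORE); }`, so the runtime can react instead of proceeding without a snapshot. Since the comment at the top of the hunk says this block must stay in sync with the LKM header, the flag comments are worth correcting on both sides: `mmaped ares` → `mmapped areas`, `shanpshotted` → `snapshotted`, and the `AFL_SNAPSHOT_BLOCK` comment lacks its closing parenthesis.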
@@ -32,23 +32,26 @@
 #define AFL_SNAPSHOT_IOCTL_MAGIC 44313
-#define AFL_SNAPSHOT_EXCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 1, struct afl_snapshot_vmrange_args*)
-#define AFL_SNAPSHOT_INCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 2, struct afl_snapshot_vmrange_args*)
-#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, int)
-#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 4)
-#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 5)
+#define AFL_SNAPSHOT_IOCTL_DO _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 1)
+#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 2)
+#define AFL_SNAPSHOT_EXCLUDE_VMRANGE \
+ _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, struct afl_snapshot_vmrange_args *)
+#define AFL_SNAPSHOT_INCLUDE_VMRANGE \
+ _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 4, struct afl_snapshot_vmrange_args *)
+#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 5, int)
+#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 6)
 // Trace new mmaped ares and unmap them on restore.
-#define AFL_SNAPSHOT_MMAP 1
+#define AFL_SNAPSHOT_MMAP 1
 // Do not snapshot any page (by default all writeable not-shared pages
 // are shanpshotted.
 #define AFL_SNAPSHOT_BLOCK 2
 // Snapshot file descriptor state, close newly opened descriptors
-#define AFL_SNAPSHOT_FDS 4
+#define AFL_SNAPSHOT_FDS 4
 // Snapshot registers state
-#define AFL_SNAPSHOT_REGS 8
+#define AFL_SNAPSHOT_REGS 8
 // Perform a restore when exit_group is invoked
-#define AFL_SNAPSHOT_EXIT 16
+#define AFL_SNAPSHOT_EXIT 16
 // TODO(andrea) allow not COW snapshots (high perf on small processes)
 // Disable COW, restore all the snapshotted pages
 #define AFL_SNAPSHOT_NOCOW 32
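Review bot: `AFL_SNAPSHOT_EXCLUDE_VMRANGE` and `AFL_SNAPSHOT_INCLUDE_VMRANGE` keep the `_IOR` direction and a pointer argument type, while the wrappers pass `&args` for the kernel to read: in Linux ioctl encoding that is the `_IOW` direction, and the type should be the struct itself so `_IOC_SIZE` carries `sizeof(struct afl_snapshot_vmrange_args)` instead of `sizeof(void *)`; `AFL_SNAPSHOT_IOCTL_TAKE` likewise encodes an `int` argument that is passed by value rather than through a pointer. Nothing breaks as long as the LKM header carries the identical encoding, but that is guaranteed only by the `must be kept synced` comment at the top of this header (line 25, in the previous commit's hunk), and the renumbering here (DO/CLEAN back to 1 and 2, the range ioctls moved to 3 and 4) shows how easily the two copies drift; a mismatch surfaces only at runtime as a failed `ioctl()`, never at build time. Suggested form, to be mirrored in the module: `#define AFL_SNAPSHOT_EXCLUDE_VMRANGE _IOW(AFL_SNAPSHOT_IOCTL_MAGIC, 3, struct afl_snapshot_vmrange_args)` and the same for `INCLUDE_VMRANGE`.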
@@ -70,16 +73,18 @@ static int afl_snapshot_init() {
 }
-static void afl_snapshot_exclude_vmrange(void* start, void* end) {
+static void afl_snapshot_exclude_vmrange(void *start, void *end) {
- struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end};
+ struct afl_snapshot_vmrange_args args = {(unsigned long)start,
+ (unsigned long)end};
 ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_EXCLUDE_VMRANGE, &args);
 }
-static void afl_snapshot_include_vmrange(void* start, void* end) {
+static void afl_snapshot_include_vmrange(void *start, void *end) {
- struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end};
+ struct afl_snapshot_vmrange_args args = {(unsigned long)start,
+ (unsigned long)end};
 ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_INCLUDE_VMRANGE, &args);
 }
@@ -90,6 +95,12 @@ static int afl_snapshot_take(int config) {
 }
+static int afl_snapshot_take(void) {
+
+ return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO);
+
+}
+
 static void afl_snapshot_restore(void) {
 ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_RESTORE);
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 25be0d5a..c0ed1bcf 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -521,7 +521,12 @@ static void __afl_start_snapshots(void) {
 close(FORKSRV_FD);
 close(FORKSRV_FD + 1);
- if (!afl_snapshot_take(AFL_SNAPSHOT_MMAP | AFL_SNAPSHOT_FDS | AFL_SNAPSHOT_REGS | AFL_SNAPSHOT_EXIT)) { raise(SIGSTOP); }
+ if (!afl_snapshot_take(AFL_SNAPSHOT_MMAP | AFL_SNAPSHOT_FDS |
+ AFL_SNAPSHOT_REGS | AFL_SNAPSHOT_EXIT)) {
+
+ raise(SIGSTOP);
+
+ }
 __afl_area_ptr[0] = 1;
 memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
-- cgit 1.4.1 From ffe5619a9d0934f9088ef32ddbd507a0ddbde321 Mon Sep 17 00:00:00 2001
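Review bot: The added `static int afl_snapshot_take(void)` in the `@@ -90,6 +95,12 @@` hunk conflicts with the `static int afl_snapshot_take(int config)` that the hunk header names as the enclosing context, so at this commit the header holds two incompatible definitions of the same function and cannot compile; the `ffe5619` commit further down this page renames the new one to `afl_snapshot_do`, which resolves that. What remains undocumented is how `AFL_SNAPSHOT_IOCTL_DO` relates to `AFL_SNAPSHOT_IOCTL_TAKE`, since both appear to be snapshot-taking requests; a one-line comment above the function such as `// Take a snapshot with no config flags (older module request, see AFL_SNAPSHOT_IOCTL_TAKE)` — if that is indeed the semantics — would spare readers a trip to the LKM source. The `afl_snapshot_restore` body that follows continues outside the hunk.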
From: van Hauser Date: Wed, 29 Jul 2020 14:30:22 +0200 Subject: fix snapshot include --- README.md | 11 ++++++----- docs/Changelog.md | 2 ++ include/snapshot-inl.h | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) (limited to 'include/snapshot-inl.h')
diff --git a/README.md b/README.md
index c6893fa0..d747ea00 100644
--- a/README.md
+++ b/README.md
@@ -272,11 +272,12 @@ afl-clang-lto: To use this set the following environment variable before compiling the target: `export AFL_LLVM_LAF_ALL=1` You can read more about this in [llvm/README.laf-intel.md](llvm/README.laf-intel.md) - * A different technique is to instrument the target so that any compare values - in the target are sent to afl++ which then tries to put this value into the - fuzzing data at different locations. This technique is very fast and good - - if the target does not transform input data before comparison. Therefore - technique is called `input to state` or `redqueen`. + * A different technique (and usually a bit better than laf-intel) is to + instrument the target so that any compare values in the target are sent to + afl++ which then tries to put this value into the fuzzing data at different + locations. This technique is very fast and good - if the target does not + transform input data before comparison. Therefore this technique is called + `input to state` or `redqueen`. If you want to use this technique, then you have to compile the target twice, once specifically with/for this mode. You can read more about this in [llvm_mode/README.cmplog.md](llvm_mode/README.cmplog.md)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7efab1e6..1e7a1c1d 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -10,6 +10,8 @@ sending a mail to . ### Version ++2.66d (devel) + - Support for improved afl++ snapshot module: + https://github.com/AFLplusplus/AFL-Snapshot-LKM - afl-fuzz: - added -F option to allow -M main fuzzers to sync to foreign fuzzers, e.g. honggfuzz or libfuzzer
diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h
index 263a4b63..a75d69c0 100644
--- a/include/snapshot-inl.h
+++ b/include/snapshot-inl.h
@@ -95,7 +95,7 @@ static int afl_snapshot_take(int config) {
 }
-static int afl_snapshot_take(void) {
+static int afl_snapshot_do(void) {
 return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO);
-- cgit 1.4.1 From c661587128fd84847e88bb1b66e8403b81d0d296 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 18:06:25 +0200 Subject: cdecl void --- examples/afl_untracer/afl-untracer.c | 10 +++++----- include/snapshot-inl.h | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'include/snapshot-inl.h')
diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c
index 68658bfd..77b15eb8 100644
--- a/examples/afl_untracer/afl-untracer.c
+++ b/examples/afl_untracer/afl-untracer.c
@@ -115,10 +115,10 @@ static library_list_t liblist[MAX_LIB_COUNT];
 static u32 liblist_cnt;
 static void sigtrap_handler(int signum, siginfo_t *si, void *context);
-static void fuzz();
+static void fuzz(void);
 /* read the library information */
-void read_library_information() {
+void read_library_information(void) {
 #if defined(__linux__)
 FILE *f;
@@ -284,7 +284,7 @@ library_list_t *find_library(char *name) {
 // this seems to work for clang too. nice :) requires gcc 4.4+
 #pragma GCC push_options
 #pragma GCC optimize("O0")
-void breakpoint() {
+void breakpoint(void) {
 if (debug) fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n");
@@ -461,7 +461,7 @@ inline static void __afl_end_testcase(int status) {
 ((uintptr_t)addr & 0x3) * 0x10000000000))
 #endif
-void setup_trap_instrumentation() {
+void setup_trap_instrumentation(void) {
 library_list_t *lib_base = NULL;
 size_t lib_size = 0;
@@ -748,7 +748,7 @@ int main(int argc, char *argv[]) {
 inline
 #endif
 static void
- fuzz() {
+ fuzz(void) {
 // STEP 3: call the function to fuzz, also the functions you might
 // need to call to prepare the function and - important! -
diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h
index a75d69c0..a18187ef 100644
--- a/include/snapshot-inl.h
+++ b/include/snapshot-inl.h
@@ -66,7 +66,7 @@ struct afl_snapshot_vmrange_args {
 static int afl_snapshot_dev_fd;
-static int afl_snapshot_init() {
+static int afl_snapshot_init(void) {
 afl_snapshot_dev_fd = open(AFL_SNAPSHOT_FILE_NAME, 0);
 return afl_snapshot_dev_fd;
-- cgit 1.4.1