From d4c01c057bb8e6741e6652567f168e9bdd00f9cd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 4 Feb 2022 12:09:07 +0100 Subject: test support for forced persistent mode --- include/forkserver.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/forkserver.h b/include/forkserver.h index 01f45587..fd4d283c 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -162,6 +162,7 @@ typedef struct afl_forkserver { void (*add_extra_func)(void *afl_ptr, u8 *mem, u32 len); u8 kill_signal; + u8 persistent_mode; #ifdef __linux__ nyx_plugin_handler_t *nyx_handlers; -- cgit 1.4.1 From d5b9cd4b73253c2fbbc7da88015ae0eac303eb32 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 5 Feb 2022 08:27:17 +0100 Subject: add afl-fuzz -y fuzz length support --- docs/Changelog.md | 3 +++ include/afl-fuzz.h | 9 ++++++--- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-init.c | 5 ++--- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-run.c | 35 +++++++++++++++++++++++++++++------ src/afl-fuzz-state.c | 2 ++ src/afl-fuzz.c | 42 ++++++++++++++++++++++++++++++++++++++++-- 9 files changed, 85 insertions(+), 17 deletions(-) (limited to 'include') diff --git a/docs/Changelog.md b/docs/Changelog.md index 94e854e4..153369b7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -11,6 +11,9 @@ sending a mail to . ### Version ++4.01a (dev) - fix */build_...sh scripts to work outside of git - new custom_mutator: libafl with token fuzzing :) + - afl-fuzz: + - new commandline option -y to set min and max length of generated + fuzz inputs - frida_mode: - update to new frida release, handles now c++ throw/catch diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index e225211f..3712fc4f 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -726,6 +726,9 @@ typedef struct afl_state { /* queue entries ready for splicing count (len > 4) */ u32 ready_for_splicing_count; + /* min/max length for generated fuzzing inputs */ + u32 min_length, max_length; + /* This is the user specified maximum size to use for the testcase cache */ u64 q_testcase_max_cache_size; @@ -1090,12 +1093,12 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen); /* Run */ -fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); -void write_to_testcase(afl_state_t *, void *, u32); -u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); +u32 write_to_testcase(afl_state_t *, void *, u32, u32); +u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); u8 trim_case(afl_state_t *, struct queue_entry *, u8 *); u8 common_fuzz_stuff(afl_state_t *, u8 *, u32); +fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); /* Fuzz one */ diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 8d044959..b963caf8 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -633,7 +633,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->fsrv.exec_tmout < afl->hang_tmout) { u8 new_fault; - write_to_testcase(afl, mem, len); + len = write_to_testcase(afl, mem, len, 0); new_fault = fuzz_run_target(afl, &afl->fsrv, afl->hang_tmout); classify_counts(&afl->fsrv); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index ce8f1a83..1a8052a0 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -49,7 +49,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - write_to_testcase(afl, out_buf, len); + len = write_to_testcase(afl, out_buf, len, 0); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index eb73b120..45f28d4b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -617,11 +617,10 @@ void read_foreign_testcases(afl_state_t *afl, int first) { } - write_to_testcase(afl, mem, st.st_size); + u32 len = write_to_testcase(afl, mem, st.st_size, 1); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); afl->syncing_party = foreign_name; - afl->queued_imported += - save_if_interesting(afl, mem, st.st_size, fault); + afl->queued_imported += save_if_interesting(afl, mem, len, fault); afl->syncing_party = 0; munmap(mem, st.st_size); close(fd); diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 51a43dbd..e78e2dc4 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -428,7 +428,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, if (likely(retlen)) { - write_to_testcase(afl, retbuf, retlen); + retlen = write_to_testcase(afl, retbuf, retlen, 0); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index eaa82b19..5da0e583 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -73,8 +73,8 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is rewound and truncated. */ -void __attribute__((hot)) -write_to_testcase(afl_state_t *afl, void *mem, u32 len) { +u32 __attribute__((hot)) +write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) { #ifdef _AFL_DOCUMENT_MUTATIONS s32 doc_fd; @@ -120,16 +120,39 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) { }); + if (unlikely(new_size < afl->min_length && !fix)) { + + new_size = afl->min_length; + + } else if (unlikely(new_size > afl->max_length)) { + + new_size = afl->max_length; + + } + /* everything as planned. use the potentially new data. */ afl_fsrv_write_to_testcase(&afl->fsrv, new_mem, new_size); + len = new_size; } else { + if (unlikely(len < afl->min_length && !fix)) { + + len = afl->min_length; + + } else if (unlikely(len > afl->max_length)) { + + len = afl->max_length; + + } + /* boring uncustom. */ afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); } + return len; + } /* The same, but with an adjustable gap. Used for trimming. */ @@ -346,7 +369,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, /* we need a dummy run if this is LTO + cmplog */ if (unlikely(afl->shm.cmplog_mode)) { - write_to_testcase(afl, use_mem, q->len); + (void)write_to_testcase(afl, use_mem, q->len, 1); fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); @@ -389,7 +412,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u64 cksum; - write_to_testcase(afl, use_mem, q->len); + (void)write_to_testcase(afl, use_mem, q->len, 1); fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); @@ -700,7 +723,7 @@ void sync_fuzzers(afl_state_t *afl) { /* See what happens. We rely on save_if_interesting() to catch major errors and save the test case. */ - write_to_testcase(afl, mem, st.st_size); + (void)write_to_testcase(afl, mem, st.st_size, 1); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); @@ -943,7 +966,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - write_to_testcase(afl, out_buf, len); + len = write_to_testcase(afl, out_buf, len, 0); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 69ffa8cf..24bd28dd 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -102,6 +102,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->stats_avg_exec = 0; afl->skip_deterministic = 1; afl->cmplog_lvl = 2; + afl->min_length = 1; + afl->max_length = MAX_FILE; #ifndef NO_SPLICING afl->use_splicing = 1; #endif diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7a74fc7e..6ca9be33 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -155,6 +155,9 @@ static void usage(u8 *argv0, int more_help) { "\n" "Mutator settings:\n" + " -y [min-]max - set minimum and maximum length of generated fuzzing " + "input.\n" + " default: 1-%lu\n" " -D - enable deterministic fuzzing (once per queue entry)\n" " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" @@ -204,7 +207,7 @@ static void usage(u8 *argv0, int more_help) { "(0-...)\n" " -e ext - file extension for the fuzz test input file (if " "needed)\n\n", - argv0, EXEC_TIMEOUT, MEM_LIMIT, FOREIGN_SYNCS_MAX); + argv0, EXEC_TIMEOUT, MEM_LIMIT, MAX_FILE, FOREIGN_SYNCS_MAX); if (more_help > 1) { @@ -529,11 +532,36 @@ int main(int argc, char **argv_orig, char **envp) { while ((opt = getopt( argc, argv, - "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOXYo:p:RQs:S:t:T:UV:Wx:Z")) > + "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:Yy:Z")) > 0) { switch (opt) { + case 'y': { + + u8 *sep; + if (!(sep = strchr(optarg, '-')) && !(sep = strchr(optarg, ':'))) { + + afl->max_length = atoi(optarg); + + } else { + + afl->min_length = atoi(optarg); + afl->max_length = atoi(sep + 1); + + } + + if (afl->min_length < 1 || afl->max_length > MAX_FILE || + afl->min_length > afl->max_length) { + + FATAL("Illegal min/max length values: %s", optarg); + + } + + break; + + } + case 'Z': afl->old_seed_selection = 1; break; @@ -1622,6 +1650,16 @@ int main(int argc, char **argv_orig, char **envp) { } + OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length, + afl->max_length); + u32 min_alloc = MAX(64U, afl->min_length); + afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc); + afl_realloc(AFL_BUF_PARAM(in), min_alloc); + afl_realloc(AFL_BUF_PARAM(out_scratch), min_alloc); + afl_realloc(AFL_BUF_PARAM(out), min_alloc); + afl_realloc(AFL_BUF_PARAM(eff), min_alloc); + afl_realloc(AFL_BUF_PARAM(ex), min_alloc); + afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; #ifdef __linux__ -- cgit 1.4.1 From fa3c0d8a3756c1d80356690796877d94959f305c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 5 Feb 2022 10:36:37 +0100 Subject: change -y to -g/-G and add env var alternatives --- docs/env_variables.md | 4 ++++ include/envs.h | 2 ++ src/afl-fuzz-state.c | 14 ++++++++++++++ src/afl-fuzz.c | 43 ++++++++++++++----------------------------- 4 files changed, 34 insertions(+), 29 deletions(-) (limited to 'include') diff --git a/docs/env_variables.md b/docs/env_variables.md index 2a8fbcb7..f7ad4ff9 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -400,6 +400,10 @@ checks or alter some of the more exotic semantics of the tool: This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. + - Setting `AFL_INPUT_LEN_MIN` and `AFL_INPUT_LEN_MAX` are an alternative to + the afl-fuzz -g/-G command line option to control the minimum/maximum + of fuzzing input generated. + - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout. Unless you implement your own targets or instrumentation, you likely don't have to set it. By default, on timeout and on exit, `SIGKILL` diff --git a/include/envs.h b/include/envs.h index 3bacc380..538ea3a8 100644 --- a/include/envs.h +++ b/include/envs.h @@ -98,6 +98,8 @@ static char *afl_environment_variables[] = { "AFL_IGNORE_PROBLEMS", "AFL_IGNORE_UNKNOWN_ENVS", "AFL_IMPORT_FIRST", + "AFL_INPUT_LEN_MIN", + "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO", "AFL_KILL_SIGNAL", diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 24bd28dd..115e62de 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -482,6 +482,20 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_target_env = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_INPUT_LEN_MIN", + + afl_environment_variable_len)) { + + afl->min_length = atoi( + (u8 *)get_afl_env(afl_environment_variables[i])); + + } else if (!strncmp(env, "AFL_INPUT_LEN_MAX", + + afl_environment_variable_len)) { + + afl->max_length = atoi( + (u8 *)get_afl_env(afl_environment_variables[i])); + } } else { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6ca9be33..ffa991ae 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -155,9 +155,9 @@ static void usage(u8 *argv0, int more_help) { "\n" "Mutator settings:\n" - " -y [min-]max - set minimum and maximum length of generated fuzzing " - "input.\n" - " default: 1-%lu\n" + " -g minlength - set min length of generated fuzz input (default: 1)\n" + " -G minlength - set max length of generated fuzz input (default: " + "%lu)\n" " -D - enable deterministic fuzzing (once per queue entry)\n" " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" @@ -256,6 +256,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n" "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" + "AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" " the target was compiled for\n" @@ -530,37 +531,21 @@ int main(int argc, char **argv_orig, char **envp) { afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing - while ((opt = getopt( - argc, argv, - "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:Yy:Z")) > - 0) { + while ( + (opt = getopt( + argc, argv, + "+Ab:B:c:CdDe:E:hi:I:f:F:g:G:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:YZ")) > + 0) { switch (opt) { - case 'y': { - - u8 *sep; - if (!(sep = strchr(optarg, '-')) && !(sep = strchr(optarg, ':'))) { - - afl->max_length = atoi(optarg); - - } else { - - afl->min_length = atoi(optarg); - afl->max_length = atoi(sep + 1); - - } - - if (afl->min_length < 1 || afl->max_length > MAX_FILE || - afl->min_length > afl->max_length) { - - FATAL("Illegal min/max length values: %s", optarg); - - } - + case 'g': + afl->min_length = atoi(optarg); break; - } + case 'G': + afl->max_length = atoi(optarg); + break; case 'Z': afl->old_seed_selection = 1; -- cgit 1.4.1 From 056ebbff15bb6ebef6664776dee05217cebdc7fe Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 8 Feb 2022 20:36:06 +0100 Subject: add AFL_EARLY_FORKSERVER support --- docs/Changelog.md | 3 +++ docs/env_variables.md | 4 ++++ include/envs.h | 1 + instrumentation/afl-compiler-rt.o.c | 14 ++++++++++++++ src/afl-fuzz.c | 2 ++ 5 files changed, 24 insertions(+) (limited to 'include') diff --git a/docs/Changelog.md b/docs/Changelog.md index 142b85b3..f4ae0e43 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,9 @@ sending a mail to . - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent mode and manual forkserver support if these are not in the target binary (e.g. are in a shared library) + - add AFL_EARY_FORKSERVER to install the forkserver as earliest as + possible in the target (for afl-gcc-fast/afl-clang-fast/ + afl-clang-lto) - frida_mode: - update to new frida release, handles now c++ throw/catch diff --git a/docs/env_variables.md b/docs/env_variables.md index 06c08f31..4fa3f051 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -540,6 +540,10 @@ checks or alter some of the more exotic semantics of the tool: - `AFL_PERSISTENT` enforces persistent mode even if none was detected in the target binary + - If you need an early forkserver in your target because of early + constructors in your target you can set `AFL_EARLY_FORKSERVER`. + Note that is is not a compile time option but a runtime option :-) + ## 5) Settings for afl-qemu-trace The QEMU wrapper used to instrument binary-only code supports several settings: diff --git a/include/envs.h b/include/envs.h index 538ea3a8..f4327d8c 100644 --- a/include/envs.h +++ b/include/envs.h @@ -47,6 +47,7 @@ static char *afl_environment_variables[] = { "AFL_DONT_OPTIMIZE", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV", + "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME", diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 9a12831e..db7ac7b0 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -68,6 +68,7 @@ #endif #define CTOR_PRIO 3 +#define EARLY_FS_PRIO 5 #include #include @@ -145,6 +146,7 @@ u32 __afl_already_initialized_shm; u32 __afl_already_initialized_forkserver; u32 __afl_already_initialized_first; u32 __afl_already_initialized_second; +u32 __afl_already_initialized_init; /* Dummy pipe for area_is_valid() */ @@ -1253,6 +1255,8 @@ void __afl_manual_init(void) { __attribute__((constructor())) void __afl_auto_init(void) { + if (__afl_already_initialized_init) { return; } + #ifdef __ANDROID__ // Disable handlers in linker/debuggerd, check include/debuggerd/handler.h signal(SIGABRT, SIG_DFL); @@ -1265,6 +1269,8 @@ __attribute__((constructor())) void __afl_auto_init(void) { signal(SIGTRAP, SIG_DFL); #endif + __afl_already_initialized_init = 1; + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; if (getenv(DEFER_ENV_VAR)) return; @@ -1273,6 +1279,14 @@ __attribute__((constructor())) void __afl_auto_init(void) { } +/* Optionally run an early forkserver */ + +__attribute__((constructor(EARLY_FS_PRIO))) void __early_forkserver(void) { + + if (getenv("AFL_EARLY_FORKSERVER")) { __afl_auto_init(); } + +} + /* Initialization of the shmem - earliest possible because of LTO fixed mem. */ __attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c923cc9d..c73ab38b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -294,6 +294,8 @@ static void usage(u8 *argv0, int more_help) { " 'signalfx' and 'influxdb'\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" + "AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n" + " afl-clang-lto/afl-gcc-fast target\n" "AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib\n" "AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a .so\n" "\n" -- cgit 1.4.1