From cfbf1209b532fcaa7d6817d9aac0f161c6819849 Mon Sep 17 00:00:00 2001 From: Jasper Lievisse Adriaanse Date: Thu, 9 Nov 2023 10:08:38 +0000 Subject: Use direct call to write to OpenBSD The linker on OpenBSD emits a warning when linking this file: warning: syscall() may go away, please rewrite code to use direct calls --- instrumentation/afl-compiler-rt.o.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index c3197c8a..4d7b1229 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -48,7 +48,7 @@ #include #include -#ifndef __HAIKU__ +#if !defined(__HAIKU__) && !defined(__OpenBSD__) #include #endif #ifndef USEMMAP @@ -2253,11 +2253,13 @@ static int area_is_valid(void *ptr, size_t len) { if (unlikely(!ptr || __asan_region_is_poisoned(ptr, len))) { return 0; } -#ifndef __HAIKU__ - long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len); -#else +#ifdef __HAIKU__ long r = _kern_write(__afl_dummy_fd[1], -1, ptr, len); -#endif // HAIKU +#elif defined(__OpenBSD__) + long r = write(__afl_dummy_fd[1], ptr, len); +#else + long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len); +#endif // HAIKU, OPENBSD if (r <= 0 || r > len) return 0; -- cgit 1.4.1 From 74f8ca6b468b6d89e8d588e3835486be48184893 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 28 Nov 2023 10:26:37 +0100 Subject: improve cmplog --- docs/Changelog.md | 4 ++- instrumentation/afl-compiler-rt.o.c | 10 ++++++-- instrumentation/cmplog-instructions-pass.cc | 38 +++++++++++++++-------------- src/afl-fuzz-redqueen.c | 4 +++ 4 files changed, 35 insertions(+), 21 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index f7842d59..b2e9fbf6 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,7 +10,9 @@ - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead of exiting with an error message - allow -S/-M naming up to 50 characters (from 24) - - added scale support to CMPLOG (-l S) + - CMPLOG: + - added scale support (-l S) + - skip unhelpful insertions (u8) - added --version and --help command line parameters - fixed endless loop when reading malformed dictionaries - new custom mutator function: post_run - thanks to yangzao! diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 8ce8bca1..106892e2 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1910,6 +1910,10 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) { // fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n", // (u8) arg1, (u8) arg2, attr); + return; + + /* + if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); @@ -1936,6 +1940,8 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) { __afl_cmp_map->log[k][hits].v0 = arg1; __afl_cmp_map->log[k][hits].v1 = arg2; + */ + } void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) { @@ -2142,13 +2148,13 @@ void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) { void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) { - __cmplog_ins_hook1(arg1, arg2, 0); + //__cmplog_ins_hook1(arg1, arg2, 0); } void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) { - __cmplog_ins_hook1(arg1, arg2, 0); + //__cmplog_ins_hook1(arg1, arg2, 0); } diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 9cd1dc59..8be8c294 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -165,23 +165,25 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IntegerType *Int64Ty = IntegerType::getInt64Ty(C); IntegerType *Int128Ty = IntegerType::getInt128Ty(C); -#if LLVM_VERSION_MAJOR >= 9 - FunctionCallee -#else - Constant * -#endif - c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty, - Int8Ty -#if LLVM_VERSION_MAJOR < 5 - , - NULL -#endif - ); -#if LLVM_VERSION_MAJOR >= 9 - FunctionCallee cmplogHookIns1 = c1; -#else - Function *cmplogHookIns1 = cast(c1); -#endif + /* + #if LLVM_VERSION_MAJOR >= 9 + FunctionCallee + #else + Constant * + #endif + c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty, + Int8Ty + #if LLVM_VERSION_MAJOR < 5 + , + NULL + #endif + ); + #if LLVM_VERSION_MAJOR >= 9 + FunctionCallee cmplogHookIns1 = c1; + #else + Function *cmplogHookIns1 = cast(c1); + #endif + */ #if LLVM_VERSION_MAJOR >= 9 FunctionCallee @@ -619,7 +621,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { switch (cast_size) { case 8: - IRB.CreateCall(cmplogHookIns1, args); + // IRB.CreateCall(cmplogHookIns1, args); break; case 16: IRB.CreateCall(cmplogHookIns2, args); diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 13f164f5..c0ea5005 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1906,6 +1906,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #endif + if (hshape < 2) { return 0; } + for (i = 0; i < loggeds; ++i) { struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; @@ -2698,6 +2700,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, hshape = SHAPE_BYTES(h->shape); + if (hshape < 2) { return 0; } + if (h->hits > CMP_MAP_RTN_H) { loggeds = CMP_MAP_RTN_H; -- cgit 1.4.1 From d02036adfd098766ce9576905613cb7911e315d5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 1 Dec 2023 07:20:00 +0100 Subject: fix --- instrumentation/afl-compiler-rt.o.c | 2 +- utils/aflpp_driver/aflpp_driver.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 106892e2..def59b6b 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -183,7 +183,7 @@ static u8 _is_sancov; /* Debug? */ -static u32 __afl_debug; +/*static*/ u32 __afl_debug; /* Already initialized markers */ diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 1104a81e..3f8e1ef7 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -298,7 +298,8 @@ __attribute__((weak)) int main(int argc, char **argv) { "option\n" "===================================================================\n", argv[0], argv[0]); - if (strncmp(argv[1], "-h", 2) == 0 || strcmp(argv[1], "--help") == 0) { + if (argc == 2 && strncmp(argv[1], "-h", 2) == 0 || + strcmp(argv[1], "--help") == 0) { exit(0); -- cgit 1.4.1