From c83e8e1e6255374b085292ba8673efdca7388d76 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 19 Oct 2019 18:23:01 +0200 Subject: Remove lcamtuf's old email from Google (not valid anymore), also remove maintainance from him. --- libdislocator/libdislocator.so.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 8834a1fc..57607210 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -3,7 +3,7 @@ american fuzzy lop - dislocator, an abusive allocator ----------------------------------------------------- - Written and maintained by Michal Zalewski + Written by Michal Zalewski Copyright 2016 Google Inc. All rights reserved. -- cgit 1.4.1 From a282ae22afec0e5d5a8455c7aaa3e472839788e4 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 20 Oct 2019 03:34:46 +0200 Subject: In OpenBSD initial thread local storage is allocated with calloc(), which leads to locked mutexes and a stall. So no thread support (and no tls) here. --- libdislocator/libdislocator.so.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 57607210..f3f02c8b 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -88,6 +88,10 @@ static u8 alloc_verbose, /* Additional debug messages */ hard_fail, /* abort() when max_mem exceeded? */ no_calloc_over; /* abort() on calloc() overflows? */ +#ifdef __OpenBSD__ +#define __thread +#warning no thread support available +#endif static __thread size_t total_mem; /* Currently allocated mem */ static __thread u32 call_depth; /* To avoid recursion via fprintf() */ -- cgit 1.4.1 From b9bc81544a438868529fbe040f4734256dce7a1d Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 23 Oct 2019 14:53:05 +0200 Subject: debugged and fixed libdislocator malfunction on MacOSX --- libdislocator/libdislocator.so.c | 4 ++-- test/test.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index f3f02c8b..7f44071a 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -88,7 +88,7 @@ static u8 alloc_verbose, /* Additional debug messages */ hard_fail, /* abort() when max_mem exceeded? */ no_calloc_over; /* abort() on calloc() overflows? */ -#ifdef __OpenBSD__ +#if defined __OpenBSD__ || defined __APPLE__ #define __thread #warning no thread support available #endif @@ -121,7 +121,7 @@ static void* __dislocator_alloc(size_t len) { ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (ret == (void*)-1) { + if (ret == MAP_FAILED) { if (hard_fail) FATAL("mmap() failed on alloc (OOM?)"); diff --git a/test/test.sh b/test/test.sh index d1be014f..598fb502 100755 --- a/test/test.sh +++ b/test/test.sh @@ -281,8 +281,8 @@ test -e ../libtokencap.so && { test -e ../libdislocator.so && { { ulimit -c 1 - # DYLD_INSERT_LIBRARIES is used on Darwin/MacOSX - LD_PRELOAD=../libdislocator.so DYLD_INSERT_LIBRARIES=../libdislocator.so ./test-compcov BUFFEROVERFLOW > test.out 2> /dev/null + # DYLD_INSERT_LIBRARIES and DYLD_FORCE_FLAT_NAMESPACE is used on Darwin/MacOSX + LD_PRELOAD=../libdislocator.so DYLD_INSERT_LIBRARIES=../libdislocator.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov BUFFEROVERFLOW > test.out 2> /dev/null } > /dev/null 2>&1 grep -q BUFFEROVERFLOW test.out > /dev/null 2>&1 && { $ECHO "$RED[!] libdislocator did not detect the memory corruption" -- cgit 1.4.1 From 10af76a50c1ff8ffe66c4358ad08bab87d23f98e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 27 Oct 2019 08:12:01 +0100 Subject: added a TODO item for posix_memalign wrapper --- libdislocator/libdislocator.so.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 7f44071a..d172f7a2 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -188,6 +188,10 @@ void* calloc(size_t elem_len, size_t elem_cnt) { } +/* TODO: add a wrapper for posix_memalign, otherwise apps who use it, + will fail when freeing the memory. +*/ + /* The wrapper for malloc(). Roughly the same, also clobbers the returned memory (unlike calloc(), malloc() is not guaranteed to return zeroed memory). */ -- cgit 1.4.1 From fbb131da737fdabe4908558bd839c468410ab3fc Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 28 Oct 2019 14:44:28 +0000 Subject: memalign/posix_memalign proposal for libdislocator --- libdislocator/libdislocator.so.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index d172f7a2..f1972797 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -264,6 +264,36 @@ void* realloc(void* ptr, size_t len) { } +/* posix_memalign we mainly check the proper alignment argument + if the requested size fits within the alignment we do + a normal request */ + +int posix_memalign(void** ptr, size_t align, size_t len) { + if (!ptr) FATAL("null pointer on posix_memalign()"); + if ((align % 2) || (align % sizeof(void *))) FATAL("bad alignment on posix_memalign()"); + if (align >= 4 * sizeof(size_t)) { + + len += align -1; + + } + + *ptr = malloc(len); + + DEBUGF("posix_memalign(%p %zu, %zu)", ptr, len, align); + + return 0; +} + +/* just the non-posix fashion */ + +void *memalign(size_t align, size_t len) { + void* ret; + + posix_memalign(&ret, align, len); + + return ret; +} + __attribute__((constructor)) void __dislocator_init(void) { u8* tmp = getenv("AFL_LD_LIMIT_MB"); -- cgit 1.4.1 From 80359685167309639562ece25a77782cb6ccfd54 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 28 Oct 2019 16:32:26 +0100 Subject: silence some compiler warnings --- libdislocator/libdislocator.so.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index f1972797..5246af40 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -279,7 +279,7 @@ int posix_memalign(void** ptr, size_t align, size_t len) { *ptr = malloc(len); - DEBUGF("posix_memalign(%p %zu, %zu)", ptr, len, align); + DEBUGF("posix_memalign(%p %zu, %zu)", ptr, align, len); return 0; } @@ -287,9 +287,11 @@ int posix_memalign(void** ptr, size_t align, size_t len) { /* just the non-posix fashion */ void *memalign(size_t align, size_t len) { - void* ret; + void* ret = NULL; - posix_memalign(&ret, align, len); + if (posix_memalign(&ret, align, len)) { + DEBUGF("memalign(%zu, %zu) failed", align, len); + } return ret; } -- cgit 1.4.1 From 6238df88a26d8498b4a821897f030a866dafdc24 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 28 Oct 2019 22:36:29 +0100 Subject: fixed warning and return --- libdislocator/libdislocator.so.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 5246af40..b3a90366 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -269,13 +269,11 @@ void* realloc(void* ptr, size_t len) { a normal request */ int posix_memalign(void** ptr, size_t align, size_t len) { - if (!ptr) FATAL("null pointer on posix_memalign()"); - if ((align % 2) || (align % sizeof(void *))) FATAL("bad alignment on posix_memalign()"); - if (align >= 4 * sizeof(size_t)) { - - len += align -1; - - } + if ((char*)ptr == NULL || *ptr == NULL) + return -1; // why would we do: FATAL("null pointer on posix_memalign()"); + if ((align % 2) || (align % sizeof(void *))) + return -1; // why would we do: FATAL("bad alignment on posix_memalign()"); + if (align >= 4 * sizeof(size_t)) len += align -1; *ptr = malloc(len); -- cgit 1.4.1 From 87b599f4a8b875c0ff8c81aff39ebecfd34e29fc Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 29 Oct 2019 08:09:43 +0000 Subject: adding aligned_alloc + little changes proposal for posix_memalign --- libdislocator/libdislocator.so.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index b3a90366..e27efc0f 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include "config.h" @@ -272,7 +273,11 @@ int posix_memalign(void** ptr, size_t align, size_t len) { if ((char*)ptr == NULL || *ptr == NULL) return -1; // why would we do: FATAL("null pointer on posix_memalign()"); if ((align % 2) || (align % sizeof(void *))) - return -1; // why would we do: FATAL("bad alignment on posix_memalign()"); + return EINVAL; // why would we do: FATAL("bad alignment on posix_memalign()"); + if (len == 0) { + *ptr = NULL; + return 0; + } if (align >= 4 * sizeof(size_t)) len += align -1; *ptr = malloc(len); @@ -294,6 +299,20 @@ void *memalign(size_t align, size_t len) { return ret; } +/* sort of C11 alias of memalign only more severe, alignment-wise */ + +void *aligned_alloc(size_t align, size_t len) { + void *ret = NULL; + + if ((len % align)) return NULL; + + if (posix_memalign(&ret, align, len)) { + DEBUGF("aligned_alloc(%zu, %zu) failed", align, len); + } + + return ret; +} + __attribute__((constructor)) void __dislocator_init(void) { u8* tmp = getenv("AFL_LD_LIMIT_MB"); -- cgit 1.4.1 From ccbb0d37b33a83a0ea1bdb6128cb6c8900802944 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 29 Oct 2019 10:44:57 +0100 Subject: removed warning --- libdislocator/libdislocator.so.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index e27efc0f..7fe40afa 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -270,10 +270,10 @@ void* realloc(void* ptr, size_t len) { a normal request */ int posix_memalign(void** ptr, size_t align, size_t len) { - if ((char*)ptr == NULL || *ptr == NULL) - return -1; // why would we do: FATAL("null pointer on posix_memalign()"); + if (*ptr == NULL) + return EINVAL; if ((align % 2) || (align % sizeof(void *))) - return EINVAL; // why would we do: FATAL("bad alignment on posix_memalign()"); + return EINVAL; if (len == 0) { *ptr = NULL; return 0; -- cgit 1.4.1 From b33bb0943ac4957eaf7b16ef694a4e4b4a538212 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 31 Oct 2019 15:50:58 +0000 Subject: libtokencap/libdislocator README rename proposals and fixing the install tasks in the process. --- README.md | 2 +- docs/notes_for_asan.txt | 2 +- libdislocator/Makefile | 2 +- libdislocator/README.dislocator.md | 60 +++++++++++++++++++++++++++++++++++ libdislocator/README.md | 60 ----------------------------------- libdislocator/libdislocator.so.c | 2 +- libtokencap/Makefile | 2 +- libtokencap/README.md | 64 -------------------------------------- libtokencap/README.tokencap.md | 64 ++++++++++++++++++++++++++++++++++++++ libtokencap/libtokencap.so.c | 2 +- 10 files changed, 130 insertions(+), 130 deletions(-) create mode 100644 libdislocator/README.dislocator.md delete mode 100644 libdislocator/README.md delete mode 100644 libtokencap/README.md create mode 100644 libtokencap/README.tokencap.md (limited to 'libdislocator/libdislocator.so.c') diff --git a/README.md b/README.md index 88a86aaa..e8d4e6a8 100644 --- a/README.md +++ b/README.md @@ -457,7 +457,7 @@ parsers and grammars, but isn't nearly as good as the -x mode. If a dictionary is really hard to come by, another option is to let AFL run for a while, and then use the token capture library that comes as a companion -utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.md). +utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md). ## 11) Crash triage diff --git a/docs/notes_for_asan.txt b/docs/notes_for_asan.txt index 972ca909..09ca172e 100644 --- a/docs/notes_for_asan.txt +++ b/docs/notes_for_asan.txt @@ -34,7 +34,7 @@ Note that ASAN is incompatible with -static, so be mindful of that. There is also the option of generating a corpus using a non-ASAN binary, and then feeding it to an ASAN-instrumented one to check for bugs. This is faster, and can give you somewhat comparable results. You can also try using -libdislocator (see libdislocator/README.dislocator in the parent directory) as a +libdislocator (see libdislocator/README.dislocator.md in the parent directory) as a lightweight and hassle-free (but less thorough) alternative. 2) Long version diff --git a/libdislocator/Makefile b/libdislocator/Makefile index 91efba07..05ba26b3 100644 --- a/libdislocator/Makefile +++ b/libdislocator/Makefile @@ -34,5 +34,5 @@ clean: install: all install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH) - install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH) + install -m 644 README.dislocator.md $${DESTDIR}$(HELPER_PATH) diff --git a/libdislocator/README.dislocator.md b/libdislocator/README.dislocator.md new file mode 100644 index 00000000..5d5a1464 --- /dev/null +++ b/libdislocator/README.dislocator.md @@ -0,0 +1,60 @@ +# libdislocator, an abusive allocator + + (See ../docs/README for the general instruction manual.) + +This is a companion library that can be used as a drop-in replacement for the +libc allocator in the fuzzed binaries. It improves the odds of bumping into +heap-related security bugs in several ways: + + - It allocates all buffers so that they are immediately adjacent to a + subsequent PROT_NONE page, causing most off-by-one reads and writes to + immediately segfault, + + - It adds a canary immediately below the allocated buffer, to catch writes + to negative offsets (won't catch reads, though), + + - It sets the memory returned by malloc() to garbage values, improving the + odds of crashing when the target accesses uninitialized data, + + - It sets freed memory to PROT_NONE and does not actually reuse it, causing + most use-after-free bugs to segfault right away, + + - It forces all realloc() calls to return a new address - and sets + PROT_NONE on the original block. This catches use-after-realloc bugs, + + - It checks for calloc() overflows and can cause soft or hard failures + of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, + AFL_LD_HARD_FAIL). + +Basically, it is inspired by some of the non-default options available for the +OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is +also somewhat similar to several other debugging libraries, such as gmalloc +and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing +jobs. + +Note that it does nothing for stack-based memory handling errors. The +-fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN, +can catch some subset of that. + +The allocator is slow and memory-intensive (even the tiniest allocation uses up +4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable +for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN +when fuzzing small, self-contained binaries. + +To use this library, run AFL like so: + +``` +AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...] +``` + +You *have* to specify path, even if it's just ./libdislocator.so or +$PWD/libdislocator.so. + +Similarly to afl-tmin, the library is not "proprietary" and can be used with +other fuzzers or testing tools without the need for any code tweaks. It does not +require AFL-instrumented binaries to work. + +Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or +DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is +dynamically linked. Otherwise, attempting to use the library will have no +effect. diff --git a/libdislocator/README.md b/libdislocator/README.md deleted file mode 100644 index 5d5a1464..00000000 --- a/libdislocator/README.md +++ /dev/null @@ -1,60 +0,0 @@ -# libdislocator, an abusive allocator - - (See ../docs/README for the general instruction manual.) - -This is a companion library that can be used as a drop-in replacement for the -libc allocator in the fuzzed binaries. It improves the odds of bumping into -heap-related security bugs in several ways: - - - It allocates all buffers so that they are immediately adjacent to a - subsequent PROT_NONE page, causing most off-by-one reads and writes to - immediately segfault, - - - It adds a canary immediately below the allocated buffer, to catch writes - to negative offsets (won't catch reads, though), - - - It sets the memory returned by malloc() to garbage values, improving the - odds of crashing when the target accesses uninitialized data, - - - It sets freed memory to PROT_NONE and does not actually reuse it, causing - most use-after-free bugs to segfault right away, - - - It forces all realloc() calls to return a new address - and sets - PROT_NONE on the original block. This catches use-after-realloc bugs, - - - It checks for calloc() overflows and can cause soft or hard failures - of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, - AFL_LD_HARD_FAIL). - -Basically, it is inspired by some of the non-default options available for the -OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is -also somewhat similar to several other debugging libraries, such as gmalloc -and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing -jobs. - -Note that it does nothing for stack-based memory handling errors. The --fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN, -can catch some subset of that. - -The allocator is slow and memory-intensive (even the tiniest allocation uses up -4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable -for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN -when fuzzing small, self-contained binaries. - -To use this library, run AFL like so: - -``` -AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...] -``` - -You *have* to specify path, even if it's just ./libdislocator.so or -$PWD/libdislocator.so. - -Similarly to afl-tmin, the library is not "proprietary" and can be used with -other fuzzers or testing tools without the need for any code tweaks. It does not -require AFL-instrumented binaries to work. - -Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or -DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is -dynamically linked. Otherwise, attempting to use the library will have no -effect. diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 7fe40afa..106b44f4 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -14,7 +14,7 @@ http://www.apache.org/licenses/LICENSE-2.0 This is a companion library that can be used as a drop-in replacement - for the libc allocator in the fuzzed binaries. See README.dislocator for + for the libc allocator in the fuzzed binaries. See README.dislocator.md for more info. */ diff --git a/libtokencap/Makefile b/libtokencap/Makefile index df2426ed..6e1319d8 100644 --- a/libtokencap/Makefile +++ b/libtokencap/Makefile @@ -49,5 +49,5 @@ clean: install: all install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH) - install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH) + install -m 644 README.tokencap.md $${DESTDIR}$(HELPER_PATH) diff --git a/libtokencap/README.md b/libtokencap/README.md deleted file mode 100644 index 8aae38bf..00000000 --- a/libtokencap/README.md +++ /dev/null @@ -1,64 +0,0 @@ -# strcmp() / memcmp() token capture library - - (See ../docs/README for the general instruction manual.) - -This companion library allows you to instrument `strcmp()`, `memcmp()`, -and related functions to automatically extract syntax tokens passed to any of -these libcalls. The resulting list of tokens may be then given as a starting -dictionary to afl-fuzz (the -x option) to improve coverage on subsequent -fuzzing runs. - -This may help improving coverage in some targets, and do precisely nothing in -others. In some cases, it may even make things worse: if libtokencap picks up -syntax tokens that are not used to process the input data, but that are a part -of - say - parsing a config file... well, you're going to end up wasting a lot -of CPU time on trying them out in the input stream. In other words, use this -feature with care. Manually screening the resulting dictionary is almost -always a necessity. - -As for the actual operation: the library stores tokens, without any deduping, -by appending them to a file specified via AFL_TOKEN_FILE. If the variable is not -set, the tool uses stderr (which is probably not what you want). - -Similarly to afl-tmin, the library is not "proprietary" and can be used with -other fuzzers or testing tools without the need for any code tweaks. It does not -require AFL-instrumented binaries to work. - -To use the library, you *need* to make sure that your fuzzing target is compiled -with -fno-builtin and is linked dynamically. If you wish to automate the first -part without mucking with CFLAGS in Makefiles, you can set AFL_NO_BUILTIN=1 -when using afl-gcc. This setting specifically adds the following flags: - -``` - -fno-builtin-strcmp -fno-builtin-strncmp -fno-builtin-strcasecmp - -fno-builtin-strcasencmp -fno-builtin-memcmp -fno-builtin-strstr - -fno-builtin-strcasestr -``` - -The next step is simply loading this library via LD_PRELOAD. The optimal usage -pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus, -and then fire off the target binary, with libtokencap.so loaded, on every file -found by AFL in that earlier run. This demonstrates the basic principle: - -``` - export AFL_TOKEN_FILE=$PWD/temp_output.txt - - for i in /queue/id*; do - LD_PRELOAD=/path/to/libtokencap.so \ - /path/to/target/program [...params, including $i...] - done - - sort -u temp_output.txt >afl_dictionary.txt -``` - -If you don't get any results, the target library is probably not using strcmp() -and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or -the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect. - -Portability hints: There is probably no particularly portable and non-invasive -way to distinguish between read-only and read-write memory mappings. -The `__tokencap_load_mappings()` function is the only thing that would -need to be changed for other OSes. - -Current supported OSes are: Linux, Darwin, FreeBSD (thanks to @devnexen) - diff --git a/libtokencap/README.tokencap.md b/libtokencap/README.tokencap.md new file mode 100644 index 00000000..8aae38bf --- /dev/null +++ b/libtokencap/README.tokencap.md @@ -0,0 +1,64 @@ +# strcmp() / memcmp() token capture library + + (See ../docs/README for the general instruction manual.) + +This companion library allows you to instrument `strcmp()`, `memcmp()`, +and related functions to automatically extract syntax tokens passed to any of +these libcalls. The resulting list of tokens may be then given as a starting +dictionary to afl-fuzz (the -x option) to improve coverage on subsequent +fuzzing runs. + +This may help improving coverage in some targets, and do precisely nothing in +others. In some cases, it may even make things worse: if libtokencap picks up +syntax tokens that are not used to process the input data, but that are a part +of - say - parsing a config file... well, you're going to end up wasting a lot +of CPU time on trying them out in the input stream. In other words, use this +feature with care. Manually screening the resulting dictionary is almost +always a necessity. + +As for the actual operation: the library stores tokens, without any deduping, +by appending them to a file specified via AFL_TOKEN_FILE. If the variable is not +set, the tool uses stderr (which is probably not what you want). + +Similarly to afl-tmin, the library is not "proprietary" and can be used with +other fuzzers or testing tools without the need for any code tweaks. It does not +require AFL-instrumented binaries to work. + +To use the library, you *need* to make sure that your fuzzing target is compiled +with -fno-builtin and is linked dynamically. If you wish to automate the first +part without mucking with CFLAGS in Makefiles, you can set AFL_NO_BUILTIN=1 +when using afl-gcc. This setting specifically adds the following flags: + +``` + -fno-builtin-strcmp -fno-builtin-strncmp -fno-builtin-strcasecmp + -fno-builtin-strcasencmp -fno-builtin-memcmp -fno-builtin-strstr + -fno-builtin-strcasestr +``` + +The next step is simply loading this library via LD_PRELOAD. The optimal usage +pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus, +and then fire off the target binary, with libtokencap.so loaded, on every file +found by AFL in that earlier run. This demonstrates the basic principle: + +``` + export AFL_TOKEN_FILE=$PWD/temp_output.txt + + for i in /queue/id*; do + LD_PRELOAD=/path/to/libtokencap.so \ + /path/to/target/program [...params, including $i...] + done + + sort -u temp_output.txt >afl_dictionary.txt +``` + +If you don't get any results, the target library is probably not using strcmp() +and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or +the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect. + +Portability hints: There is probably no particularly portable and non-invasive +way to distinguish between read-only and read-write memory mappings. +The `__tokencap_load_mappings()` function is the only thing that would +need to be changed for other OSes. + +Current supported OSes are: Linux, Darwin, FreeBSD (thanks to @devnexen) + diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 2fe9ae63..7495180d 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -15,7 +15,7 @@ This Linux-only companion library allows you to instrument strcmp(), memcmp(), and related functions to automatically extract tokens. - See README.tokencap for more info. + See README.tokencap.md for more info. */ -- cgit 1.4.1 From cc301c18d569dac3486a0466cdf5c70ff6685bc8 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Wed, 6 Nov 2019 22:27:04 +0000 Subject: libdislocator, optional huge pages support. --- libdislocator/libdislocator.so.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 106b44f4..eb8e9de3 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -26,6 +26,10 @@ #include #include +#ifdef __APPLE__ +#include +#endif + #include "config.h" #include "types.h" @@ -37,6 +41,8 @@ #define MAP_ANONYMOUS MAP_ANON #endif /* !MAP_ANONYMOUS */ +#define SUPER_PAGE_SIZE 1<<21 + /* Error / message handling: */ #define DEBUGF(_x...) \ @@ -105,6 +111,7 @@ static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static void* __dislocator_alloc(size_t len) { void* ret; + int flags, fd, sp; if (total_mem + len > max_mem || total_mem + len < total_mem) { @@ -116,11 +123,27 @@ static void* __dislocator_alloc(size_t len) { } + flags = MAP_PRIVATE | MAP_ANONYMOUS; + fd = -1; +#if defined(USEHUGEPAGE) + sp = (len >= SUPER_PAGE_SIZE && !(len % SUPER_PAGE_SIZE)); + +#if defined(__APPLE__) + if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB; +#elif defined(__linux__) + if (sp) flags |= MAP_HUGETLB; +#elif defined(__FreeBSD__) + if (sp) flags |= MAP_ALIGNED_SUPER; +#endif +#else + (void)sp; +#endif + /* We will also store buffer length and a canary below the actual buffer, so let's add 8 bytes for that. */ ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE, - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + flags, fd, 0); if (ret == MAP_FAILED) { @@ -315,11 +338,11 @@ void *aligned_alloc(size_t align, size_t len) { __attribute__((constructor)) void __dislocator_init(void) { - u8* tmp = getenv("AFL_LD_LIMIT_MB"); + u8* tmp = (u8 *)getenv("AFL_LD_LIMIT_MB"); if (tmp) { - max_mem = atoi(tmp) * 1024 * 1024; + max_mem = atoi((char *)tmp) * 1024 * 1024; if (!max_mem) FATAL("Bad value for AFL_LD_LIMIT_MB"); } -- cgit 1.4.1 From 3ce808688f793a72bcd28b31d0766fc90304c622 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 7 Nov 2019 04:56:57 +0000 Subject: Little additions from feedback --- libdislocator/Makefile | 4 ++++ libdislocator/README.dislocator.md | 2 ++ libdislocator/libdislocator.so.c | 18 +++++++++++++++++- 3 files changed, 23 insertions(+), 1 deletion(-) (limited to 'libdislocator/libdislocator.so.c') diff --git a/libdislocator/Makefile b/libdislocator/Makefile index 05ba26b3..216d2862 100644 --- a/libdislocator/Makefile +++ b/libdislocator/Makefile @@ -21,6 +21,10 @@ VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) CFLAGS ?= -O3 -funroll-loops -I ../include/ CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign +ifdef USEHUGEPAGE + CFLAGS += -DUSEHUGEPAGE +endif + all: libdislocator.so libdislocator.so: libdislocator.so.c ../config.h diff --git a/libdislocator/README.dislocator.md b/libdislocator/README.dislocator.md index 5d5a1464..77626901 100644 --- a/libdislocator/README.dislocator.md +++ b/libdislocator/README.dislocator.md @@ -25,6 +25,8 @@ heap-related security bugs in several ways: - It checks for calloc() overflows and can cause soft or hard failures of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, AFL_LD_HARD_FAIL). + - Optionally, in platforms supporting it, huge pages can be used by passing + USEHUGEPAGE=1 to make. Basically, it is inspired by some of the non-default options available for the OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index eb8e9de3..0268cc52 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -111,6 +111,7 @@ static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static void* __dislocator_alloc(size_t len) { void* ret; + size_t tlen; int flags, fd, sp; if (total_mem + len > max_mem || total_mem + len < total_mem) { @@ -123,6 +124,7 @@ static void* __dislocator_alloc(size_t len) { } + tlen = (1 + PG_COUNT(len + 8)) * PAGE_SIZE; flags = MAP_PRIVATE | MAP_ANONYMOUS; fd = -1; #if defined(USEHUGEPAGE) @@ -142,8 +144,22 @@ static void* __dislocator_alloc(size_t len) { /* We will also store buffer length and a canary below the actual buffer, so let's add 8 bytes for that. */ - ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE, + ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); +#if defined(USEHUGEPAGE) + /* We try one more time with regular call */ + if (ret == MAP_FAILED) { +#if defined(__APPLE__) + fd = -1; +#elif defined(__linux__) + flags &= -MAP_HUGETLB; +#elif defined(__FreeBSD__) + flags &= -MAP_ALIGNED_SUPER; +#endif + ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, + flags, fd, 0); + } +#endif if (ret == MAP_FAILED) { -- cgit 1.4.1