From 7a6867e2f8e8b698c08366f79d0c8751b09ce431 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 12 Aug 2020 16:06:30 +0200 Subject: split up __afl_manual_init, added internal AFL_DISABLE_LLVM_INSTRUMENTATION, skipping ctor+ifunc functions for all llvm, code-format --- llvm_mode/afl-llvm-rt.o.c | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index a567593e..dacc46a6 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -35,6 +35,8 @@ #include #include #include +#include +#include #include #include @@ -842,9 +844,22 @@ void __afl_manual_init(void) { static u8 init_done; + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) { + + init_done = 1; + is_persistent = 0; + __afl_sharedmem_fuzzing = 0; + if (__afl_area_ptr == NULL) __afl_area_ptr = __afl_area_initial; + + if (getenv("AFL_DEBUG")) + fprintf(stderr, + "DEBUG: disabled instrumenation because of " + "AFL_DISABLE_LLVM_INSTRUMENTATION\n"); + + } + if (!init_done) { - __afl_map_shm(); __afl_start_forkserver(); init_done = 1; @@ -852,11 +867,11 @@ void __afl_manual_init(void) { } -/* Proper initialization routine. */ +/* Initialization of the forkserver - latest possible */ -__attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { +__attribute__((constructor())) void __afl_auto_init(void) { - is_persistent = !!getenv(PERSIST_ENV_VAR); + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; if (getenv(DEFER_ENV_VAR)) return; 
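Review bot: The switch is read as the bare literal `getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")` here and again in the __afl_auto_init and __afl_auto_early hunks of this commit, whereas the neighbouring switches go through macros (`getenv(PERSIST_ENV_VAR)`, `getenv(DEFER_ENV_VAR)`). One file-local macro, e.g. `#define DISABLE_INSTR_ENV_VAR "AFL_DISABLE_LLVM_INSTRUMENTATION"` (name constructed), keeps the three checks in step if the variable is ever renamed. In the disabled branch `init_done = 1` is the line that makes the later `if (!init_done)` skip the forkserver; a comment such as `/* treat as initialised so the forkserver below is never started */` would stop it reading as a leftover assignment. The closing part of __afl_manual_init lies outside this hunk.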
@@ -864,6 +879,18 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { } +/* Initialization of the shmem - earliest possible because of LTO fixed mem. */ + +__attribute__((constructor(0))) void __afl_auto_early(void) { + + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; + + is_persistent = !!getenv(PERSIST_ENV_VAR); + + __afl_map_shm(); + +} + /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard. It remains non-operational in the traditional, plugin-backed LLVM mode. For more info about 'trace-pc-guard', see llvm_mode/README.md. @@ -912,7 +939,8 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { #else - __afl_area_ptr[*guard] = __afl_area_ptr[*guard] + 1 + (__afl_area_ptr[*guard] == 255 ? 1 : 0); + __afl_area_ptr[*guard] = + __afl_area_ptr[*guard] + 1 + (__afl_area_ptr[*guard] == 255 ? 1 : 0); #endif -- cgit 1.4.1 From 47faf3dd33bb2335702fcbb67b3a64650c4344b3 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 13 Aug 2020 15:44:03 +0200 Subject: code review: fixed some typos --- llvm_mode/README.instrument_list.md | 18 +++++++++--------- llvm_mode/afl-llvm-common.cc | 12 ++++++------ llvm_mode/afl-llvm-rt.o.c | 4 ++-- 3 files changed, 17 insertions(+), 17 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/README.instrument_list.md b/llvm_mode/README.instrument_list.md index d4739dda..1fc06414 100644 --- a/llvm_mode/README.instrument_list.md +++ b/llvm_mode/README.instrument_list.md 
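Review bot: `__attribute__((constructor(0)))` on __afl_auto_early uses a priority in the 0–100 band that GCC and Clang reserve for the implementation; GCC warns about it, and ordering against the toolchain's own constructors in that band is not guaranteed, so "earliest possible" is not actually secured by the number. The same reserved band is used by `CTOR_PRIO 3` in commit 8e984c2a, by `constructor(0)` on __afl_auto_first in commit 9ff9ff2a and by `constructor(1)` on __afl_auto_second in commit 266b51a8. If the goal is only to run before the default-priority __afl_auto_init, a value of 101 or above does that without the warning; if it must also precede sanitizer or LTO runtime initialisers, that dependency belongs in the comment above the function, e.g. `/* must run before <initialiser> because <reason> — see <commit>` (placeholders to be filled in), rather than being implied by the digit.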
@@ -14,13 +14,13 @@ disturbance by uninteresting code being exercised. For this purpose, a "partial instrumentation" support en par with llvm sancov is provided by afl++ that allows you to specify on a source file and function -level which should be compiled with or without instrumentation. +level which function should be compiled with or without instrumentation. Note: When using PCGUARD mode - and have llvm 12+ - you can use this instead: https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation -the llvm sancov list format is fully supported by afl++, however afl++ has -more flexbility. +The llvm sancov list format is fully supported by afl++, however afl++ has +more flexibility. ## 2) Building the LLVM module @@ -35,13 +35,13 @@ The only required change is that you need to set either the environment variable AFL_LLVM_ALLOWLIST or AFL_LLVM_DENYLIST set with a filename. That file then contains the filenames or functions that should be instrumented -(AFL_LLVM_ALLOWLIST) or should specifically NOT instrumentd (AFL_LLVM_DENYLIST). +(AFL_LLVM_ALLOWLIST) or should specifically NOT be instrumented (AFL_LLVM_DENYLIST). For matching, the function/filename that is being compiled must end in the -function/filename entry contained in this the instrument file list (to avoid +function/filename entry contained in this instrument file list (to avoid breaking the matching when absolute paths are used during compilation). -**NOTE:** In optimization functions might be inlined and then not match! +**NOTE:** In builds with optimization enabled functions might be inlined and would not match! For example if your source tree looks like this: ``` @@ -52,7 +52,7 @@ project/feature_b/b1.cpp project/feature_b/b2.cpp ``` -and you only want to test feature_a, then create a the instrument file list file containing: +and you only want to test feature_a, then create a instrument file list file containing: ``` feature_a/a1.cpp feature_a/a2.cpp 
@@ -69,7 +69,7 @@ exists somewhere else in the project directories. You can also specify function names. Note that for C++ the function names must be mangled to match! -afl++ is intelligent to identify if an entry is a filename or a function. +afl++ is able to identify if an entry is a filename or a function. However if you want to be sure (and compliant to the sancov allow/blocklist format), you can specify source file entries like this: ``` @@ -79,7 +79,7 @@ and function entries like this: ``` fun: MallocFoo ``` -Note that whitespace is ignored and comments (`# foo`) supported. +Note that whitespace is ignored and comments (`# foo`) are supported. ## 4) UNIX-style pattern matching You can add UNIX-style pattern matching in the the instrument file list entries. diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index f12bbe31..7a73a174 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -331,8 +331,8 @@ bool isInInstrumentList(llvm::Function *F) { bool return_default = true; - // is this a function with code? If it is external we dont instrument it - // anyway and cant be in the the instrument file list. Or if it is ignored. + // is this a function with code? If it is external we don't instrument it + // anyway and it can't be in the instrument file list. Or if it is it is ignored. if (!F->size() || isIgnoreFunction(F)) return false; if (!denyListFiles.empty() || !denyListFunctions.empty()) { @@ -476,7 +476,7 @@ bool isInInstrumentList(llvm::Function *F) { else { // we could not find out the location. in this case we say it is not - // in the the instrument file list + // in the instrument file list if (!be_quiet) WARNF( "No debug information found for function %s, will be " 
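Review bot: The rewritten comment still reads `Or if it is it is ignored.`, which duplicates "it is" and is not the typo fix the commit title promises; commit 8e984c2a later rewraps the same line and keeps the duplication. Suggested wording for the second comment line: `// anyway and it can't be in the instrument file list. Or if it is ignored.`. The body of isInInstrumentList continues past this hunk on both sides.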
@@ -489,7 +489,7 @@ bool isInInstrumentList(llvm::Function *F) { } - // if we do not have a the instrument file list return true + // if we do not have a instrument file list return true if (!allowListFiles.empty() || !allowListFunctions.empty()) { return_default = false; @@ -632,8 +632,8 @@ bool isInInstrumentList(llvm::Function *F) { #endif else { - // we could not find out the location. in this case we say it is not - // in the the instrument file list + // we could not find out the location. In this case we say it is not + // in the instrument file list if (!be_quiet) WARNF( "No debug information found for function %s, will not be " diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index dacc46a6..78e1c160 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -853,7 +853,7 @@ void __afl_manual_init(void) { if (getenv("AFL_DEBUG")) fprintf(stderr, - "DEBUG: disabled instrumenation because of " + "DEBUG: disabled instrumentation because of " "AFL_DISABLE_LLVM_INSTRUMENTATION\n"); } @@ -901,7 +901,7 @@ __attribute__((constructor(0))) void __afl_auto_early(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { // For stability analysis, if you want to know to which function unstable - // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // edge IDs belong - uncomment, recompile+install llvm_mode, recompile // the target. libunwind and libbacktrace are better solutions. // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture // the backtrace output -- cgit 1.4.1 From 8e984c2aa0100e6244fe6f215c88dd8b3bf3abc2 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 13 Aug 2020 18:24:36 +0200 Subject: fix for sancov --- llvm_mode/afl-llvm-common.cc | 3 ++- llvm_mode/afl-llvm-rt.o.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index da01b094..4b864cf7 100644 
--- a/llvm_mode/afl-llvm-common.cc
+++ b/llvm_mode/afl-llvm-common.cc
@@ -387,7 +387,8 @@ bool isInInstrumentList(llvm::Function *F) {
 bool return_default = true;
 // is this a function with code? If it is external we don't instrument it
- // anyway and it can't be in the instrument file list. Or if it is it is ignored.
+ // anyway and it can't be in the instrument file list. Or if it is it is
+ // ignored.
 if (!F->size() || isIgnoreFunction(F)) return false;
 if (!denyListFiles.empty() || !denyListFunctions.empty()) {
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 78e1c160..99012ee1 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -64,6 +64,8 @@
 #endif
 #endif
+#define CTOR_PRIO 3
+
 #include
 #include
@@ -881,7 +883,7 @@ __attribute__((constructor())) void __afl_auto_init(void) {
 /* Initialization of the shmem - earliest possible because of LTO fixed mem. */
-__attribute__((constructor(0))) void __afl_auto_early(void) {
+__attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) {
 if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
-- cgit 1.4.1
From d86b13384fd8aed10a19e2f517d7315a358bc1f5 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 14 Aug 2020 11:25:13 +0200
Subject: remove unnecessary code, increase init map size
---
 llvm_mode/afl-llvm-rt.o.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
(limited to 'llvm_mode/afl-llvm-rt.o.c')
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 99012ee1..206a9878 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -74,16 +74,12 @@ run. It will end up as .comm, so it shouldn't be too wasteful. */
 #if MAP_SIZE <= 65536
- #define MAP_INITIAL_SIZE 256000
+ #define MAP_INITIAL_SIZE 512000
 #else
 #define MAP_INITIAL_SIZE MAP_SIZE
 #endif
-#ifdef AFL_REAL_LD
 u8 __afl_area_initial[MAP_INITIAL_SIZE];
-#else
-u8 __afl_area_initial[MAP_SIZE];
-#endif
 u8 * __afl_area_ptr = __afl_area_initial;
 u8 * __afl_dictionary;
 u8 * __afl_fuzz_ptr;
-- cgit 1.4.1
From 9ff9ff2ad2a8b4f66a64f47a3252d13803774cd2 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 14 Aug 2020 11:40:26 +0200
Subject: more secure way to work with a dynamic map
---
 llvm_mode/afl-llvm-rt.o.c | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)
(limited to 'llvm_mode/afl-llvm-rt.o.c')
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 206a9878..5479c3da 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -54,8 +54,6 @@ Basically, we need to make sure that the forkserver is initialized after the LLVM-generated runtime initialization pass, not before. */
-#define CONST_PRIO 5
-
 #ifndef MAP_FIXED_NOREPLACE
 #ifdef MAP_EXCL
 #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED
@@ -74,12 +72,12 @@ run. It will end up as .comm, so it shouldn't be too wasteful. */
 #if MAP_SIZE <= 65536
- #define MAP_INITIAL_SIZE 512000
+ #define MAP_INITIAL_SIZE 256000
 #else
 #define MAP_INITIAL_SIZE MAP_SIZE
 #endif
-u8 __afl_area_initial[MAP_INITIAL_SIZE];
+u8 __afl_area_initial[MAP_INITIAL_SIZE];
 u8 * __afl_area_ptr = __afl_area_initial;
 u8 * __afl_dictionary;
 u8 * __afl_fuzz_ptr;
@@ -186,12 +184,21 @@ static void __afl_map_shm_fuzz() { static void __afl_map_shm(void) { // we we are not running in afl ensure the map exists - if (!__afl_area_ptr) __afl_area_ptr = __afl_area_initial; + if (!__afl_area_ptr) { __afl_area_ptr = __afl_area_initial; } char *id_str = getenv(SHM_ENV_VAR); if (__afl_final_loc) { + if (__afl_area_ptr && __afl_final_loc && + __afl_final_loc > MAP_INITIAL_SIZE && + __afl_area_ptr != __afl_area_initial) { + + munmap(__afl_area_ptr, __afl_final_loc); + __afl_area_ptr = __afl_area_initial; + + } + if (__afl_final_loc % 8) __afl_final_loc = (((__afl_final_loc + 7) >> 3) << 3); @@ -889,6 +896,24 @@ __attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) { } +/* preset __afl_area_ptr */ + +__attribute__((constructor(0))) void __afl_auto_first(void) { + + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; + u8 *ptr; + + if (__afl_final_loc > MAP_INITIAL_SIZE) { + + ptr = (u8 *)mmap(NULL, __afl_final_loc, PROT_READ | PROT_WRITE, MAP_PRIVATE, + -1, 0); + + if (ptr && (ssize_t)ptr != -1) { __afl_area_ptr = ptr; } + + } + +} + /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard. It remains non-operational in the traditional, plugin-backed LLVM mode. For more info about 'trace-pc-guard', see llvm_mode/README.md. -- cgit 1.4.1 From 0a251f93e0842c92755e9bcba61e520669a6c2e6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 15 Aug 2020 13:34:51 +0200 Subject: increase initial memory sized --- docs/Changelog.md | 2 ++ examples/aflpp_driver/aflpp_driver.c | 1 - include/config.h | 10 +++++----- llvm_mode/afl-llvm-rt.o.c | 12 ++++-------- 4 files changed, 11 insertions(+), 14 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 3c28ff98..ea7c7caf 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
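Review bot: The `mmap(NULL, __afl_final_loc, PROT_READ | PROT_WRITE, MAP_PRIVATE, -1, 0)` in __afl_auto_first passes fd -1 without MAP_ANONYMOUS, which mmap rejects with EBADF, so the larger map is never installed and __afl_area_ptr keeps pointing at __afl_area_initial; the flags need to be `MAP_PRIVATE | MAP_ANONYMOUS`. The success test `ptr && (ssize_t)ptr != -1` re-spells MAP_FAILED by hand; `if (ptr != MAP_FAILED) { __afl_area_ptr = ptr; }` is the documented check and drops the cast. Commit 0a251f93 repeats the call with the same flags. In the __afl_map_shm hunk above, the inner `__afl_area_ptr && __afl_final_loc` test is redundant, since the block is already inside `if (__afl_final_loc)` and the pointer was forced non-NULL two lines earlier.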
@@ -12,6 +12,8 @@ sending a mail to . ### Version ++2.66d (devel) - Support for improved afl++ snapshot module: https://github.com/AFLplusplus/AFL-Snapshot-LKM + - Due to the instrumentation needing more memory, the initial memory sizes + for -m have been increased - afl-fuzz: - added -F option to allow -M main fuzzers to sync to foreign fuzzers, e.g. honggfuzz or libfuzzer diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index b764338e..ff5446e9 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c @@ -109,7 +109,6 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. int __afl_sharedmem_fuzzing = 1; extern unsigned int * __afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; -// extern struct cmp_map *__afl_cmp_map; // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); diff --git a/include/config.h b/include/config.h index 344a368f..a978a27c 100644 --- a/include/config.h +++ b/include/config.h @@ -70,21 +70,21 @@ #ifndef __NetBSD__ #ifndef WORD_SIZE_64 - #define MEM_LIMIT 25 - #else #define MEM_LIMIT 50 + #else + #define MEM_LIMIT 75 #endif /* ^!WORD_SIZE_64 */ #else /* NetBSD's kernel needs more space for stack, see discussion for issue \ #165 */ - #define MEM_LIMIT 200 + #define MEM_LIMIT 250 #endif /* Default memory limit when running in QEMU mode (MB): */ -#define MEM_LIMIT_QEMU 200 +#define MEM_LIMIT_QEMU 250 /* Default memory limit when running in Unicorn mode (MB): */ -#define MEM_LIMIT_UNICORN 200 +#define MEM_LIMIT_UNICORN 250 /* Number of calibration cycles per every new test case (and for test cases that show variable behavior): */ diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 5479c3da..a56b54b2 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -902,15 +902,11 @@ __attribute__((constructor(0))) void __afl_auto_first(void) { if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; u8 *ptr; + u32 get_size = __afl_final_loc ? __afl_final_loc : 1024000; - if (__afl_final_loc > MAP_INITIAL_SIZE) { - - ptr = (u8 *)mmap(NULL, __afl_final_loc, PROT_READ | PROT_WRITE, MAP_PRIVATE, - -1, 0); - - if (ptr && (ssize_t)ptr != -1) { __afl_area_ptr = ptr; } - - } + ptr = (u8 *)mmap(NULL, __afl_final_loc, PROT_READ | PROT_WRITE, MAP_PRIVATE, + -1, 0); + if (ptr && (ssize_t)ptr != -1) { __afl_area_ptr = ptr; } } -- cgit 1.4.1 From 73a629d6f20d8aa33a902a9aa4ae4b6d1608be35 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 15 Aug 2020 18:14:44 +0200 Subject: important bugfix for large covmaps --- llvm_mode/afl-llvm-rt.o.c | 54 +++++++++++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 20 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index a56b54b2..103fb3d8 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -107,6 +107,10 @@ struct cmp_map *__afl_cmp_map; static u8 is_persistent; +/* Are we in sancov mode? */ + +static u8 _is_sancov; + /* Error reporting to forkserver controller */ void send_forkserver_error(int error) { @@ -190,19 +194,10 @@ static void __afl_map_shm(void) { if (__afl_final_loc) { - if (__afl_area_ptr && __afl_final_loc && - __afl_final_loc > MAP_INITIAL_SIZE && - __afl_area_ptr != __afl_area_initial) { - - munmap(__afl_area_ptr, __afl_final_loc); - __afl_area_ptr = __afl_area_initial; - - } - if (__afl_final_loc % 8) __afl_final_loc = (((__afl_final_loc + 7) >> 3) << 3); - __afl_map_size = __afl_final_loc; + if (__afl_final_loc > MAP_SIZE) { char *ptr; 
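Review bot: `get_size` is computed (`__afl_final_loc ? __afl_final_loc : 1024000`) but never used — the mmap call still passes `__afl_final_loc`, so in the very case the new variable exists for (`__afl_final_loc == 0`) mmap is asked for a zero-length mapping, fails with EINVAL and leaves __afl_area_ptr unchanged; the compiler will also warn about the unused variable. The call should read `ptr = (u8 *)mmap(NULL, get_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);`, the MAP_ANONYMOUS part being the flag omission already noted on commit 9ff9ff2a. Whether __afl_final_loc is populated at all by the time a `constructor(0)` runs is not visible here; commit 266b51a8 on this page asserts that it is not.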
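Review bot: The hunk deletes `__afl_map_size = __afl_final_loc;`, the only assignment to __afl_map_size visible on this page, while __afl_map_size remains the length passed to the fixed-address mmap later in __afl_map_shm (see the context lines of commit 266b51a8). If it is not assigned elsewhere in the function, the LTO fixed-address mapping is now created with a stale or zero size; if it is, a comment at the deletion site naming where the value is now set would spare the next reader this check. The rounding of __afl_final_loc up to a multiple of 8 stays, so whichever assignment survives has to run after it. The rest of __afl_map_shm is outside this hunk.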
@@ -212,10 +207,12 @@ static void __afl_map_shm(void) { if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) { - fprintf(stderr, - "Error: AFL++ tools *require* to set AFL_MAP_SIZE to %u to " - "be able to run this instrumented program!\n", - __afl_final_loc); + if (!getenv("AFL_QUIET")) + fprintf(stderr, + "Error: AFL++ tools *require* to set AFL_MAP_SIZE to %u " + "to be able to run this instrumented program!\n", + __afl_final_loc); + if (id_str) { send_forkserver_error(FS_ERROR_MAP_SIZE); @@ -225,10 +222,11 @@ static void __afl_map_shm(void) { } else { - fprintf(stderr, - "Warning: AFL++ tools will need to set AFL_MAP_SIZE to %u to " - "be able to run this instrumented program!\n", - __afl_final_loc); + if (!getenv("AFL_QUIET")) + fprintf(stderr, + "Warning: AFL++ tools will need to set AFL_MAP_SIZE to %u " + "to be able to run this instrumented program!\n", + __afl_final_loc); } @@ -251,6 +249,13 @@ static void __afl_map_shm(void) { if (id_str) { + if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial) { + + free(__afl_area_ptr); + __afl_area_ptr = __afl_area_initial; + + } + #ifdef USEMMAP const char * shm_file_path = id_str; int shm_fd = -1; @@ -332,6 +337,14 @@ static void __afl_map_shm(void) { } + } else if (_is_sancov && __afl_area_ptr != __afl_area_initial) { + + free(__afl_area_ptr); + __afl_area_ptr = NULL; + if (__afl_final_loc > MAP_INITIAL_SIZE) + __afl_area_ptr = malloc(__afl_final_loc); + if (!__afl_area_ptr) __afl_area_ptr = __afl_area_initial; + } id_str = getenv(CMPLOG_SHM_ENV_VAR); @@ -904,8 +917,7 @@ __attribute__((constructor(0))) void __afl_auto_first(void) { u8 *ptr; u32 get_size = __afl_final_loc ? __afl_final_loc : 1024000; - ptr = (u8 *)mmap(NULL, __afl_final_loc, PROT_READ | PROT_WRITE, MAP_PRIVATE, - -1, 0); + ptr = (u8 *)malloc(get_size); if (ptr && (ssize_t)ptr != -1) { __afl_area_ptr = ptr; } } 
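Review bot: `ptr = (u8 *)malloc(get_size)` in __afl_auto_first hands out an uninitialised buffer as the coverage map, whereas the static `__afl_area_initial` it replaces is zero-filled; `__sanitizer_cov_trace_pc_guard` only increments in place (see the hunk in commit 7a6867e2), so hits recorded before the forkserver swaps in shared memory start from garbage. `calloc(1, get_size)` gives the same starting state as the static array. The guard `if (ptr && (ssize_t)ptr != -1)` is a leftover from the mmap version: malloc signals failure with NULL only, so `if (ptr) { __afl_area_ptr = ptr; }` is the whole check. The `malloc(__afl_final_loc)` added in the `_is_sancov` branch of __afl_map_shm above raises the same zeroing question.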
@@ -974,6 +986,8 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { u32 inst_ratio = 100; char *x; + _is_sancov = 1; + if (getenv("AFL_DEBUG")) { fprintf(stderr, "Running __sanitizer_cov_trace_pc_guard_init: %p-%p\n", -- cgit 1.4.1 From 266b51a842ccb001a4a9babab5fc8650e36f94ce Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 16 Aug 2020 10:53:38 +0200 Subject: final afl-llvm-rt.o.c that takes care of all eventualities --- llvm_mode/afl-llvm-rt.o.c | 57 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 45 insertions(+), 12 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 103fb3d8..e5ff7b19 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -242,16 +242,21 @@ static void __afl_map_shm(void) { if (getenv("AFL_DEBUG")) fprintf(stderr, - "DEBUG: id_str %s, __afl_map_addr 0x%llx, MAP_SIZE %u, " - "__afl_final_loc %u, max_size_forkserver %u/0x%x\n", - id_str == NULL ? "" : id_str, __afl_map_addr, MAP_SIZE, - __afl_final_loc, FS_OPT_MAX_MAPSIZE, FS_OPT_MAX_MAPSIZE); + "DEBUG: id_str %s, __afl_area_ptr %p, __afl_area_initial %p, " + "__afl_map_addr 0x%llx, MAP_SIZE %u, __afl_final_loc %u, " + "max_size_forkserver %u/0x%x\n", + id_str == NULL ? "" : id_str, __afl_area_ptr, + __afl_area_initial, __afl_map_addr, MAP_SIZE, __afl_final_loc, + FS_OPT_MAX_MAPSIZE, FS_OPT_MAX_MAPSIZE); if (id_str) { if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial) { - free(__afl_area_ptr); + if (__afl_map_addr) + munmap((void *)__afl_map_addr, __afl_final_loc); + else + free(__afl_area_ptr); __afl_area_ptr = __afl_area_initial; } 
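Review bot: In the `if (id_str)` branch the choice between `munmap((void *)__afl_map_addr, __afl_final_loc)` and `free(__afl_area_ptr)` is keyed on __afl_map_addr being set, not on how the current __afl_area_ptr was obtained, and the munmap targets __afl_map_addr rather than the pointer being released. From the constructors in this commit the two only agree when __afl_auto_second's fixed-address mmap ran and succeeded: if __afl_map_addr can be set while `__afl_final_loc == 0`, __afl_auto_second does nothing, __afl_area_ptr is still the `malloc(1024000)` buffer from __afl_auto_first, and this branch sends it to munmap (EINVAL for an unmapped address and a zero length) while the malloc'd buffer leaks. Testing the pointer itself — `if (__afl_area_ptr == (u8 *)__afl_map_addr) munmap(__afl_area_ptr, __afl_final_loc); else free(__afl_area_ptr);` — or recording the allocator at acquisition time ties release to acquisition. The remainder of __afl_map_shm is outside this hunk.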
@@ -324,11 +329,13 @@ static void __afl_map_shm(void) { __afl_area_ptr[0] = 1; - } else if (__afl_map_addr) { + } else if (__afl_map_addr && + (!__afl_area_ptr || __afl_area_ptr == __afl_area_initial)) { __afl_area_ptr = mmap((void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); + if (__afl_area_ptr == MAP_FAILED) { fprintf(stderr, "can not aquire mmap for address %p\n", @@ -901,24 +908,50 @@ __attribute__((constructor())) void __afl_auto_init(void) { __attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) { - if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; - is_persistent = !!getenv(PERSIST_ENV_VAR); + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; + __afl_map_shm(); } -/* preset __afl_area_ptr */ +/* preset __afl_area_ptr #2 */ + +__attribute__((constructor(1))) void __afl_auto_second(void) { + + if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; + u8 *ptr; + + if (__afl_final_loc) { + + if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial) + free(__afl_area_ptr); + + if (__afl_map_addr) + ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_final_loc, + PROT_READ | PROT_WRITE, + MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); + else + ptr = (u8 *)malloc(__afl_final_loc); + + if (ptr && (ssize_t)ptr != -1) __afl_area_ptr = ptr; + + } + +} + +/* preset __afl_area_ptr #1 - at constructor level 0 global variables have + not been set */ __attribute__((constructor(0))) void __afl_auto_first(void) { if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; u8 *ptr; - u32 get_size = __afl_final_loc ? __afl_final_loc : 1024000; - ptr = (u8 *)malloc(get_size); - if (ptr && (ssize_t)ptr != -1) { __afl_area_ptr = ptr; } + ptr = (u8 *)malloc(1024000); + + if (ptr && (ssize_t)ptr != -1) __afl_area_ptr = ptr; } -- cgit 1.4.1 From 1d56de6c1d24e6ed24bf7193df18110da753c6b2 Mon Sep 17 00:00:00 2001 
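Review bot: In __afl_auto_second the old map is released with `free(__afl_area_ptr)` before the replacement is acquired, but __afl_area_ptr is only reassigned when the mmap or malloc succeeds, so on failure it is left pointing at freed memory and every later write through __afl_area_ptr from the instrumentation is a use-after-free. Resetting it right after the free, `__afl_area_ptr = __afl_area_initial;` (turning the one-line `if` into a braced block), gives the failure path the same safe fallback the rest of the file uses. The success test `ptr && (ssize_t)ptr != -1` should be `ptr != MAP_FAILED` for the mmap branch and a plain NULL check for the malloc branch. The free also assumes the previous map came from malloc, which holds for __afl_auto_first's buffer but is not recorded anywhere a later reader can check.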
From: van Hauser Date: Sun, 16 Aug 2020 13:29:24 +0200 Subject: fix lto autodict for long strings --- docs/Changelog.md | 1 + llvm_mode/afl-llvm-lto-instrumentation.so.cc | 33 ++++++++++++++++++---------- llvm_mode/afl-llvm-rt.o.c | 5 +++-- 3 files changed, 25 insertions(+), 14 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index ead4ff26..55b0c7dd 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -37,6 +37,7 @@ sending a mail to . for a fixed map address (eg. 0x10000) - LTO: improved stability for persistent mode, no other instrumentation has that advantage + - LTO: fixed autodict for long strings - LTO: laf-intel and redqueen/cmplog are now applied at link time to prevent llvm optimizing away the splits - LTO: autodictionary mode is a default diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 2b99d4c6..5320df09 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -291,14 +291,14 @@ bool AFLLTOPass::runOnModule(Module &M) { if ((callInst = dyn_cast(&IN))) { - bool isStrcmp = true; - bool isMemcmp = true; - bool isStrncmp = true; - bool isStrcasecmp = true; - bool isStrncasecmp = true; - bool isIntMemcpy = true; - bool addedNull = false; - uint8_t optLen = 0; + bool isStrcmp = true; + bool isMemcmp = true; + bool isStrncmp = true; + bool isStrcasecmp = true; + bool isStrncasecmp = true; + bool isIntMemcpy = true; + bool addedNull = false; + size_t optLen = 0; Function *Callee = callInst->getCalledFunction(); if (!Callee) continue; 
@@ -546,17 +546,26 @@ bool AFLLTOPass::runOnModule(Module &M) { // add null byte if this is a string compare function and a null // was not already added - if (addedNull == false && !isMemcmp) { + if (!isMemcmp) { - thestring.append("\0", 1); // add null byte - optLen++; + if (addedNull == false) { + + thestring.append("\0", 1); // add null byte + optLen++; + + } + + // ensure we do not have garbage + size_t offset = thestring.find('\0', 0); + if (offset + 1 < optLen) optLen = offset + 1; + thestring = thestring.substr(0, optLen); } if (!be_quiet) { std::string outstring; - fprintf(stderr, "%s: length %u/%u \"", FuncName.c_str(), optLen, + fprintf(stderr, "%s: length %zu/%zu \"", FuncName.c_str(), optLen, (unsigned int)thestring.length()); for (uint8_t i = 0; i < thestring.length(); i++) { diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index e5ff7b19..d00fd26f 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -329,8 +329,9 @@ static void __afl_map_shm(void) { __afl_area_ptr[0] = 1; - } else if (__afl_map_addr && - (!__afl_area_ptr || __afl_area_ptr == __afl_area_initial)) { + } else if ((!__afl_area_ptr || __afl_area_ptr == __afl_area_initial) && + + __afl_map_addr) { __afl_area_ptr = mmap((void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE, -- cgit 1.4.1
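Review bot: `size_t offset = thestring.find('\0', 0);` is used without a check for `std::string::npos`: if no NUL is present, `offset + 1` wraps to 0, `0 < optLen` holds, and `thestring.substr(0, 0)` silently turns the dictionary entry into an empty string; the line should read `if (offset != std::string::npos && offset + 1 < optLen) optLen = offset + 1;`. Whether a NUL is always present depends on the `addedNull` bookkeeping above the hunk, so the guard is cheap insurance. The new format string `"%s: length %zu/%zu \""` is fed `(unsigned int)thestring.length()` for the second `%zu`, a type mismatch on LP64 targets; drop the cast now that both values are size_t. The commit widens optLen to size_t for long strings, but the print loop a few lines below, `for (uint8_t i = 0; i < thestring.length(); i++)`, still uses an 8-bit index and cannot terminate for entries longer than 255 bytes; it needs `size_t i`. runOnModule continues on both sides of this hunk.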
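Review bot: The rewritten `else if` has an empty line in the middle of its condition, between `&&` and `__afl_map_addr) {`, which reads as two statements at a glance and does not match the formatting of the surrounding code. Keep the condition together: `} else if ((!__afl_area_ptr || __afl_area_ptr == __afl_area_initial) && __afl_map_addr) {`. The enclosing __afl_map_shm lies outside the hunk on both sides.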