From bca7ce804308fdc24404d26a02d2e10116ef6289 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 12:30:20 +0200 Subject: fixed persistent mode shared mem fuzzing --- llvm_mode/afl-llvm-rt.o.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 3a0584e4..7a763f1b 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -78,6 +78,8 @@ u8 *__afl_area_ptr = __afl_area_initial; u8 *__afl_dictionary; u8 *__afl_fuzz_ptr; u32 __afl_fuzz_len; +u32 __afl_fuzz_len_dummy; +u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy; u32 __afl_final_loc; u32 __afl_map_size = MAP_SIZE; @@ -163,6 +165,8 @@ static void __afl_map_shm_fuzz() { exit(1); } + + __afl_fuzz_len_shmem = (u32*) mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); } @@ -443,9 +447,26 @@ static void __afl_start_snapshots(void) { } - __afl_fuzz_len = (was_killed >> 8); + *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); was_killed = (was_killed & 0xff); +#ifdef _AFL_DOCUMENT_MUTATIONS + if (__afl_fuzz_ptr) { + static uint32_t counter = 0; + char fn[32]; + sprintf(fn, "%09u:forkserver", counter); + s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); + unlink(fn); + } + close(fd_doc); + } + counter++; + } +#endif + /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old process. */ @@ -620,9 +641,26 @@ static void __afl_start_forkserver(void) { } - __afl_fuzz_len = (was_killed >> 8); + *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); was_killed = (was_killed & 0xff); +#ifdef _AFL_DOCUMENT_MUTATIONS + if (__afl_fuzz_ptr) { + static uint32_t counter = 0; + char fn[32]; + sprintf(fn, "%09u:forkserver", counter); + s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); + unlink(fn); + } + close(fd_doc); + } + counter++; + } +#endif + /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old process. */ @@ -719,6 +757,8 @@ int __afl_persistent_loop(unsigned int max_cnt) { raise(SIGSTOP); + __afl_fuzz_len = *__afl_fuzz_len_shmem; + __afl_area_ptr[0] = 1; memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); -- cgit 1.4.1 From 0de25f08ba2e39f680a1440e9b84ee9cf4136f9a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 12:30:55 +0200 Subject: code format --- examples/persistent_demo/test-instr.c | 17 ++++++++++----- llvm_mode/afl-llvm-rt.o.c | 41 +++++++++++++++++++++++++---------- src/afl-fuzz-init.c | 2 -- src/afl-fuzz.c | 6 +---- 4 files changed, 43 insertions(+), 23 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c index 069e74dd..cd1c9b0e 100644 --- a/examples/persistent_demo/test-instr.c +++ b/examples/persistent_demo/test-instr.c @@ -24,34 +24,41 @@ int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - - while(__AFL_LOOP(2147483647)) { - + + while (__AFL_LOOP(2147483647)) { + unsigned int len = __AFL_FUZZ_TESTCASE_LEN; #ifdef _AFL_DOCUMENT_MUTATIONS static unsigned int counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:test-instr", counter); int fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; #endif if (!len) continue; - + if (buf[0] == '0') printf("Looks like a zero to me!\n"); else if (buf[0] == '1') printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } return 0; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 7a763f1b..b96ca7f4 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -74,11 +74,11 @@ u8 __afl_area_initial[MAP_INITIAL_SIZE]; #else u8 __afl_area_initial[MAP_SIZE]; #endif -u8 *__afl_area_ptr = __afl_area_initial; -u8 *__afl_dictionary; -u8 *__afl_fuzz_ptr; -u32 __afl_fuzz_len; -u32 __afl_fuzz_len_dummy; +u8 * __afl_area_ptr = __afl_area_initial; +u8 * __afl_dictionary; +u8 * __afl_fuzz_ptr; +u32 __afl_fuzz_len; +u32 __afl_fuzz_len_dummy; u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy; u32 __afl_final_loc; @@ -165,8 +165,9 @@ static void __afl_map_shm_fuzz() { exit(1); } - - __afl_fuzz_len_shmem = (u32*) mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); + + __afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); } @@ -450,22 +451,31 @@ static void __afl_start_snapshots(void) { *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8); was_killed = (was_killed & 0xff); -#ifdef _AFL_DOCUMENT_MUTATIONS + #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { + static uint32_t counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:forkserver", counter); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; + } -#endif + + #endif /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old @@ -646,19 +656,28 @@ static void __afl_start_forkserver(void) { #ifdef _AFL_DOCUMENT_MUTATIONS if (__afl_fuzz_ptr) { + static uint32_t counter = 0; - char fn[32]; + char fn[32]; sprintf(fn, "%09u:forkserver", counter); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd_doc >= 0) { + if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { + fprintf(stderr, "write of mutation file failed: %s\n", fn); unlink(fn); + } + close(fd_doc); + } + counter++; + } + #endif /* If we stopped the child in persistent mode, but there was a race diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 840b57f4..ea281b7b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1949,7 +1949,6 @@ static void handle_skipreq(int sig) { } - /* Setup shared map for fuzzing with input via sharedmem */ void setup_testcase_shmem(afl_state_t *afl) { @@ -1978,7 +1977,6 @@ void setup_testcase_shmem(afl_state_t *afl) { } - /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1c797424..54d59a9b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1179,11 +1179,7 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); - if (afl->shmem_testcase_mode) { - - setup_testcase_shmem(afl); - - } + if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } afl->start_time = get_cur_time(); -- cgit 1.4.1