From 641c551ba05bcd602bd351cb705b14cd652e0dda Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Thu, 3 Aug 2023 13:46:54 +0200
Subject: update Nyx submodules
---
 nyx_mode/LIBNYX_VERSION | 2 +-
 nyx_mode/PACKER_VERSION | 2 +-
 nyx_mode/QEMU-Nyx | 2 +-
 nyx_mode/QEMU_NYX_VERSION | 2 +-
 nyx_mode/libnyx | 2 +-
 nyx_mode/packer | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'nyx_mode')
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION
index ed88ec10..a4ffd230 100644
--- a/nyx_mode/LIBNYX_VERSION
+++ b/nyx_mode/LIBNYX_VERSION
@@ -1 +1 @@
-c8a72dc
+8291ef4
diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION
index 7db88233..cc20a3b6 100644
--- a/nyx_mode/PACKER_VERSION
+++ b/nyx_mode/PACKER_VERSION
@@ -1 +1 @@
-202bace
+bcf3e24
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
index 60c216bc..a09d3ae2 160000
--- a/nyx_mode/QEMU-Nyx
+++ b/nyx_mode/QEMU-Nyx
@@ -1 +1 @@
-Subproject commit 60c216bc9e4c79834716d4099993d8397a3a8fd9
+Subproject commit a09d3ae2e66cfe82884a227ea872e48dd2c2ad25
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
index 98cb134f..75dcbe83 100644
--- a/nyx_mode/QEMU_NYX_VERSION
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -1 +1 @@
-60c216bc9e
+a09d3ae2e6
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx
index 2da7f08b..8291ef4c 160000
--- a/nyx_mode/libnyx
+++ b/nyx_mode/libnyx
@@ -1 +1 @@
-Subproject commit 2da7f08b6e0267ccfe64e1320b24cdb29223459c
+Subproject commit 8291ef4cb4f1d4bfe3026fe198167fd5c98e3a15
diff --git a/nyx_mode/packer b/nyx_mode/packer
index 202bace8..bcf3e248 160000
--- a/nyx_mode/packer
+++ b/nyx_mode/packer
@@ -1 +1 @@
-Subproject commit 202bace888d237e4e8f4507d0eba6791a811554d
+Subproject commit bcf3e248b660764f48af54232a3388389a2dfc22
-- cgit 1.4.1
From 5d78a6f592fff853ff722f2722a6576b0f565abd Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Thu, 3 Aug 2023 14:43:16 +0200
Subject: update nyx mode readme (NYX_AUX_BUFFER_SIZE)
---
 nyx_mode/README.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'nyx_mode')
diff --git a/nyx_mode/README.md b/nyx_mode/README.md
index eee7d363..605bc103 100644
--- a/nyx_mode/README.md
+++ b/nyx_mode/README.md
@@ -313,6 +313,27 @@ command:
 If you want to disable fast snapshots (except for crashes), you can simply set
 the `NYX_DISABLE_SNAPSHOT_MODE` environment variable.
+### Nyx crash reports
+
+If the Nyx agent detects a crash in the target application, it can pass
+additional information on that crash to AFL++ (assuming that the agent
+implements this feature). For each saved crashing input AFL++ will also create
+an additional file in the `crashes` directory with a `.log` file extension.
+Crash reports generated by the default agent shipped with the Nyx packer will
+contain information such as the faulting address and signal number.
+Additionally, if the target is compiled with AddressSanitizer, the crash report
+will also contain the entire ASan report.
+
+From a technical perspective, the crash report is passed from QEMU-Nyx to AFL++
+via a shared memory region called Nyx Auxiliary Buffer which is by default 4096
+bytes in size. In this shared memory region a specific amount is reserved for
+the header (1408 bytes) and the remaining bytes can be used to transfer crash
+reports (also the `hprintf` feature utilizes the very same shared memory for
+transferring data). By default a crash report will be truncated to 2688 bytes.
+However, if you want to increase the size of the shared memory region, you can
+set the `NYX_AUX_BUFFER_SIZE` environment variable to a higher value (keep in
+mind that this value must be a multiple of 4096).
+
 ### Run AFL++Nyx with a custom agent
 Most of the common use-cases for linux userland targets are already handled by
-- cgit 1.4.1
From 4f3aa90a5f2b8bb53f2e1de964d54ec7f9be0578 Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Fri, 4 Aug 2023 11:52:39 +0200
Subject: update QEMU-Nyx submodule
---
 nyx_mode/QEMU-Nyx | 2 +-
 nyx_mode/QEMU_NYX_VERSION | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'nyx_mode')
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
index a09d3ae2..874fa033 160000
--- a/nyx_mode/QEMU-Nyx
+++ b/nyx_mode/QEMU-Nyx
@@ -1 +1 @@
-Subproject commit a09d3ae2e66cfe82884a227ea872e48dd2c2ad25
+Subproject commit 874fa033d117a3e9931245cb9e82836a4abc0425
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
index 75dcbe83..d0a435a4 100644
--- a/nyx_mode/QEMU_NYX_VERSION
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -1 +1 @@
-a09d3ae2e6
+874fa033d1
-- cgit 1.4.1
From 1fd1f0d8ce0db7e5ccee4462c85c264dcfca328d Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Fri, 4 Aug 2023 11:54:58 +0200
Subject: fix typo in nyx_mode/README.md
---
 nyx_mode/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nyx_mode')
diff --git a/nyx_mode/README.md b/nyx_mode/README.md
index 605bc103..0565331b 100644
--- a/nyx_mode/README.md
+++ b/nyx_mode/README.md
@@ -331,7 +331,7 @@ the header (1408 bytes) and the remaining bytes can be used to transfer crash
 reports (also the `hprintf` feature utilizes the very same shared memory for
 transferring data). By default a crash report will be truncated to 2688 bytes.
 However, if you want to increase the size of the shared memory region, you can
-set the `NYX_AUX_BUFFER_SIZE` environment variable to a higher value (keep in
+set the `AFL_NYX_AUX_SIZE` environment variable to a higher value (keep in
 mind that this value must be a multiple of 4096).
 ### Run AFL++Nyx with a custom agent
-- cgit 1.4.1
From 08a6fd7c29489f5477f50b94d7a0e425f64fef34 Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Fri, 4 Aug 2023 12:13:06 +0200
Subject: update the old nyx env var naming scheme (to have a more consistent naming overall)
---
 include/envs.h | 2 ++
 nyx_mode/README.md | 6 +++---
 src/afl-forkserver.c | 27 ++++++++++++++-------------
 src/afl-fuzz.c | 3 ++-
 4 files changed, 21 insertions(+), 17 deletions(-)
(limited to 'nyx_mode')
diff --git a/include/envs.h b/include/envs.h
index 0ef331ae..ff303387 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -190,6 +190,8 @@ static char *afl_environment_variables[] = {
 "AFL_NO_X86", // not really an env but we dont want to warn on it
 "AFL_NOOPT",
 "AFL_NYX_AUX_SIZE",
+ "AFL_NYX_DISABLE_SNAPSHOT_MODE",
+ "AFL_NYX_REUSE_SNAPSHOT",
 "AFL_PASSTHROUGH",
 "AFL_PATH",
 "AFL_PERFORMANCE_FILE",
diff --git a/nyx_mode/README.md b/nyx_mode/README.md
index 0565331b..aee9879e 100644
--- a/nyx_mode/README.md
+++ b/nyx_mode/README.md
@@ -150,12 +150,12 @@ afl-cmin -i in_dir -o out_dir -X -- ./PACKAGE-DIRECTORY
 On each program startup of one the AFL++ tools in Nyx mode, a Nyx VM is spawned, and a bootstrapping procedure is performed inside the VM to prepare the target environment. As a consequence, due to the bootstrapping procedure, the launch performance is much slower compared to other modes. However, this can be optimized by reusing an existing fuzzing snapshot to avoid the slow re-execution of the bootstrap procedure.
-A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual:
+A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `AFL_NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual:
 ```shell
 afl-fuzz -i ./in_dir -o ./out_dir -Y -M 0 ./PACKAGE-DIRECTORY
-NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X -- ./PACKAGE-DIRECTORY
+AFL_NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X -- ./PACKAGE-DIRECTORY
 ```
@@ -311,7 +311,7 @@ command:
 ```
 If you want to disable fast snapshots (except for crashes), you can simply set
-the `NYX_DISABLE_SNAPSHOT_MODE` environment variable.
+the `AFL_NYX_DISABLE_SNAPSHOT_MODE` environment variable.
 ### Nyx crash reports
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index e90ea460..717898d1 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -606,23 +606,23 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 }
- if (getenv("NYX_REUSE_SNAPSHOT") != NULL) {
+ if (getenv("AFL_NYX_REUSE_SNAPSHOT") != NULL) {
- if (access(getenv("NYX_REUSE_SNAPSHOT"), F_OK) == -1) {
+ if (access(getenv("AFL_NYX_REUSE_SNAPSHOT"), F_OK) == -1) {
- NYX_PRE_FATAL(fsrv, "NYX_REUSE_SNAPSHOT path does not exist");
+ NYX_PRE_FATAL(fsrv, "AFL_NYX_REUSE_SNAPSHOT path does not exist");
 }
 /* stupid sanity check to avoid passing an empty or invalid snapshot
 * directory */
 char *snapshot_file_path =
- alloc_printf("%s/global.state", getenv("NYX_REUSE_SNAPSHOT"));
+ alloc_printf("%s/global.state", getenv("AFL_NYX_REUSE_SNAPSHOT"));
 if (access(snapshot_file_path, R_OK) == -1) {
- NYX_PRE_FATAL(
- fsrv,
- "NYX_REUSE_SNAPSHOT path does not contain a valid Nyx snapshot");
+ NYX_PRE_FATAL(fsrv,
+ "AFL_NYX_REUSE_SNAPSHOT path does not contain a valid "
+ "Nyx snapshot");
 }
@@ -634,13 +634,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 char *workdir_snapshot_path = alloc_printf("%s/workdir/snapshot", outdir_path_absolute);
 char *reuse_snapshot_path_real =
- realpath(getenv("NYX_REUSE_SNAPSHOT"), NULL);
+ realpath(getenv("AFL_NYX_REUSE_SNAPSHOT"), NULL);
 if (strcmp(workdir_snapshot_path, reuse_snapshot_path_real) == 0) {
- NYX_PRE_FATAL(fsrv,
- "NYX_REUSE_SNAPSHOT path is located in current workdir "
- "(use another output directory)");
+ NYX_PRE_FATAL(
+ fsrv,
+ "AFL_NYX_REUSE_SNAPSHOT path is located in current workdir "
+ "(use another output directory)");
 }
@@ -648,7 +649,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 ck_free(workdir_snapshot_path);
 fsrv->nyx_handlers->nyx_config_set_reuse_snapshot_path(
- nyx_config, getenv("NYX_REUSE_SNAPSHOT"));
+ nyx_config, getenv("AFL_NYX_REUSE_SNAPSHOT"));
 }
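Review bot: A user who still exports the retired `NYX_REUSE_SNAPSHOT` now gets neither an error nor snapshot reuse, because the rewritten condition only looks at `AFL_NYX_REUSE_SNAPSHOT`; the `@@ -670` hunk in src/afl-forkserver.c has the same gap for `NYX_DISABLE_SNAPSHOT_MODE`, where the old name being ignored leaves reload mode switched on against the user's intent. Rejecting the old name loudly at the top of this block keeps a stale environment from silently changing the fuzzing setup, e.g. `if (getenv("NYX_REUSE_SNAPSHOT") != NULL) {` / `NYX_PRE_FATAL(fsrv, "NYX_REUSE_SNAPSHOT was renamed to AFL_NYX_REUSE_SNAPSHOT");` / `}`. As a matter of style, `getenv("AFL_NYX_REUSE_SNAPSHOT")` is re-read on four lines of this hunk and again in the two hunks below; reading it once into a local such as `const char *reuse_snapshot = getenv("AFL_NYX_REUSE_SNAPSHOT");` would shorten the long lines and guarantee that the path validated here is the same string handed to nyx_config_set_reuse_snapshot_path. afl_fsrv_start begins and ends outside this hunk.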
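Review bot: `reuse_snapshot_path_real` is handed to strcmp() without a null check, although realpath() returns NULL when the path cannot be resolved (for instance if the directory disappears between the earlier access() check and this call, or the resolved name is too long), so the comparison would dereference a null pointer. A guard between the realpath() call and the strcmp() closes this: `if (reuse_snapshot_path_real == NULL) {` / `NYX_PRE_FATAL(fsrv, "AFL_NYX_REUSE_SNAPSHOT path cannot be resolved");` / `}`. The missing check predates this commit, but the surrounding lines are being rewritten anyway. afl_fsrv_start continues outside the hunk.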
@@ -670,7 +671,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner);
 fsrv->nyx_handlers->nyx_option_set_reload_mode(
- fsrv->nyx_runner, getenv("NYX_DISABLE_SNAPSHOT_MODE") == NULL);
+ fsrv->nyx_runner, getenv("AFL_NYX_DISABLE_SNAPSHOT_MODE") == NULL);
 fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner);
 fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 29659013..3d7adf41 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -302,7 +302,8 @@ static void usage(u8 *argv0, int more_help) {
 "AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.\n"
 " Increase this value in case the crash reports are truncated.\n"
 " Default value is 4096.\n"
-
+ "AFL_NYX_DISABLE_SNAPSHOT_MODE: disable snapshot mode (must be supported by the agent)\n"
+ "AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot\n"
 DYN_COLOR
 "AFL_PATH: path to AFL support binaries\n"
-- cgit 1.4.1
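Review bot: The new usage line `"AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot\n"` does not tell the user that the variable takes a directory path, whereas the README hunk in this commit describes it as the path to an existing snapshot directory and afl-forkserver.c validates it with access() and expects a `global.state` file inside it. Suggest `"AFL_NYX_REUSE_SNAPSHOT: path to an existing Nyx root snapshot directory to reuse\n"` so the help text matches what the forkserver checks. The `AFL_NYX_DISABLE_SNAPSHOT_MODE` line reads fine. The body of usage() continues outside the hunk.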