From 9d3e6a869e9474c1a3927a319b6ec2142130f5d3 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 21 Jan 2022 07:21:43 +0100 Subject: add LTO support in nyx_mode --- src/afl-forkserver.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index eebbb7c8..1f03cfd3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -405,24 +405,27 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->nyx_parent) { - + if (fsrv->nyx_standalone){ fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, - !fsrv->nyx_standalone); - - } else { + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, 0x10000, true); + } + else{ + if (fsrv->nyx_parent) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent( + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); - fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); + } else { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child( + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id); + } } if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } u32 tmp_map_size = fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner); - fsrv->real_map_size = fsrv->map_size; + fsrv->real_map_size = tmp_map_size; fsrv->map_size = (((tmp_map_size + 63) >> 6) << 6); if (!be_quiet) { ACTF("Target map size: %u", fsrv->real_map_size); } -- cgit 1.4.1 From 6ce736aa913363647760d088ef0cb3610a765ff4 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 21 Jan 2022 08:13:33 +0100 Subject: use MAX_FILE as maximum size in Nyx mode --- src/afl-forkserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 1f03cfd3..ffcb30c3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -407,7 +407,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->nyx_standalone){ fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_bind_cpu_id, 0x10000, true); + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); } else{ if (fsrv->nyx_parent) { -- cgit 1.4.1 From 61d79f85c5f1f0d80bb7ab2d10d502fbd637ee83 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 23 Jan 2022 19:20:32 +0100 Subject: code format --- docs/Changelog.md | 23 ++++++++++++----------- include/forkserver.h | 12 ++++++------ src/afl-forkserver.c | 11 ++++++++--- src/afl-fuzz.c | 2 +- 4 files changed, 27 insertions(+), 21 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 687232a0..e25b43da 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,7 +1,7 @@ # Changelog - This is the list of all noteworthy changes made in every public release of - the tool. See README.md for the general instruction manual. + This is the list of all noteworthy changes made in every public + release of the tool. See README.md for the general instruction manual. ## Staying informed @@ -9,7 +9,8 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) - - documentation restructuring, made possible by Google Season of Docs + - complete documentation restructuring, made possible by Google Season + of Docs :) thank you Jana! - we renamed several UI and fuzzer_stat entries to be more precise, e.g. "unique crashes" -> "saved crashes", "total paths" -> "corpus count", "current path" -> "current item". @@ -17,14 +18,14 @@ sending a mail to . - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! - unicorn_mode: - - Moved to unicorn2! By Ziqiao Kong (@lazymio) - - Faster, more accurate emulation (newer QEMU base), riscv support + - Moved to unicorn2! by Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), risc-v support - removed indirections in rust callbacks - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you - will now see crashes. before you would have colliding coverage. - we changed this to force fixing a broken setup rather then allowing + will now see a crash. Before you would have colliding coverage. + We changed this to force fixing a broken setup rather then allowing ineffective fuzzing. See docs/best_practices.md how to fix such setups. - afl-fuzz: @@ -35,7 +36,7 @@ sending a mail to . - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries - - fix -n dumb mode (nobody should use this) + - fix -n dumb mode (nobody should use this mode though) - fix stability issue with LTO and cmplog - better banner - more effective cmplog mode @@ -63,7 +64,7 @@ sending a mail to . - fixed a potential crash in targets for LAF string handling - fixed a bad assert in LAF split switches - added AFL_USE_TSAN thread sanitizer support - - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) + - llvm and LTO mode modified to work with new llvm 14-dev (again.) - fix for AFL_REAL_LD - more -z defs filtering - make -v without options work @@ -74,7 +75,7 @@ sending a mail to . - added afl-persistent-config script to set perform permanent system configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! - - added xml, curl and exotic string functions to llvm dictionary features + - added xml, curl & exotic string functions to llvm dictionary feature - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) @@ -97,7 +98,7 @@ sending a mail to . - Fix to instrument global namespace functions in c++ - Fix for llvm 13 - support partial linking - - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE + - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary andDICT2FILE - We do support llvm versions from 3.8 to 5.0 again - frida_mode: - several fixes for cmplog diff --git a/include/forkserver.h b/include/forkserver.h index 4a05b17e..01f45587 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -53,14 +53,14 @@ typedef enum NyxReturnValue { typedef struct { - void *(*nyx_new)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t input_buffer_size, - bool input_buffer_write_protection); + void *(*nyx_new)(const char *sharedir, const char *workdir, uint32_t cpu_id, + uint32_t input_buffer_size, + bool input_buffer_write_protection); void *(*nyx_new_parent)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t input_buffer_size, - bool input_buffer_write_protection); + uint32_t cpu_id, uint32_t input_buffer_size, + bool input_buffer_write_protection); void *(*nyx_new_child)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t worker_id); + uint32_t cpu_id, uint32_t worker_id); void (*nyx_shutdown)(void *qemu_process); void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable); void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index ffcb30c3..62110ad5 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -405,20 +405,25 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->nyx_standalone){ + if (fsrv->nyx_standalone) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); - } - else{ + + } else { + if (fsrv->nyx_parent) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); } else { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id); } + } if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 50874f47..e322ee57 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1346,7 +1346,7 @@ int main(int argc, char **argv_orig, char **envp) { "0)"); } - + afl->fsrv.nyx_parent = true; afl->fsrv.nyx_id = 0; -- cgit 1.4.1 From 026096ccf3b3e7e83cd332e95701e2269764e223 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Tue, 25 Jan 2022 19:13:26 +0100 Subject: add AFL autodict capability to Nyx mode --- nyx_mode/PACKER_VERSION | 2 +- nyx_mode/packer | 2 +- src/afl-forkserver.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 2 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION index 0c9db1e3..43488114 100644 --- a/nyx_mode/PACKER_VERSION +++ b/nyx_mode/PACKER_VERSION @@ -1 +1 @@ -8842549 +76100c5 diff --git a/nyx_mode/packer b/nyx_mode/packer index 8842549b..76100c52 160000 --- a/nyx_mode/packer +++ b/nyx_mode/packer @@ -1 +1 @@ -Subproject commit 8842549b5612a890258dcef812276cfdb62b76c7 +Subproject commit 76100c52db96429350693a6c7284c5c6cbcb6b08 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 62110ad5..031c8fd4 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -425,6 +425,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } + ck_free(x); if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } @@ -464,6 +465,61 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + /* autodict in Nyx mode */ + if (!ignore_autodict) { + x = alloc_printf("%s/workdir/dump/afl_autodict.txt", fsrv->out_dir_path); + int nyx_autodict_fd = open(x, O_RDONLY); + ck_free(x); + + if (nyx_autodict_fd >= 0) { + struct stat st; + if (fstat(nyx_autodict_fd, &st) >= 0) { + u32 f_len = st.st_size; + u8 *dict = ck_alloc(f_len); + if (dict == NULL) { + FATAL("Could not allocate %u bytes of autodictionary memory", f_len); + } + + u32 offset = 0, count = 0; + u32 len = f_len; + + while (len != 0) { + + rlen = read(nyx_autodict_fd, dict + offset, len); + if (rlen > 0) { + + len -= rlen; + offset += rlen; + + } else { + + FATAL( + "Reading autodictionary fail at position %u with %u bytes " + "left.", + offset, len); + } + + } + close(nyx_autodict_fd); + + offset = 0; + while (offset < (u32)f_len && + (u8)dict[offset] + offset < (u32)f_len) { + + fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, + (u8)dict[offset]); + offset += (1 + dict[offset]); + count++; + + } + + if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); } + ck_free(dict); + + } + } + } + return; } -- cgit 1.4.1 From 615a8ff986e2d456a4afa546f8b9418bf77c8792 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Tue, 25 Jan 2022 19:33:47 +0100 Subject: close autodict file even if fstat fails (Nyx mode) --- src/afl-forkserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 031c8fd4..6a1fe858 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -500,7 +500,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } - close(nyx_autodict_fd); offset = 0; while (offset < (u32)f_len && @@ -517,6 +516,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, ck_free(dict); } + close(nyx_autodict_fd); } } -- cgit 1.4.1 From 016bdc36bb7186e6c74e10aada9a5b73ff1ff5bc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 25 Jan 2022 19:54:46 +0100 Subject: code-format --- nyx_mode/README.md | 4 ++++ src/afl-forkserver.c | 25 ++++++++++++++++++------- 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/nyx_mode/README.md b/nyx_mode/README.md index b75f1793..09421f27 100644 --- a/nyx_mode/README.md +++ b/nyx_mode/README.md @@ -43,6 +43,10 @@ requires an Intel processor (6th generation onwards) and a special 5.10 kernel ## Preparing to fuzz a target with Nyx mode +For source instrumented fuzzing you can use any afl-cc mode, with LTO even +auto-dictionary is supported. +Note the CMPLOG is currently not supported (yet). + Nyx uses full system emulation hence your fuzzing targets have to be especially packaged. diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 6a1fe858..ce554170 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -425,6 +425,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } + ck_free(x); if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } @@ -467,17 +468,23 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* autodict in Nyx mode */ if (!ignore_autodict) { + x = alloc_printf("%s/workdir/dump/afl_autodict.txt", fsrv->out_dir_path); int nyx_autodict_fd = open(x, O_RDONLY); ck_free(x); - if (nyx_autodict_fd >= 0) { + if (nyx_autodict_fd >= 0) { + struct stat st; - if (fstat(nyx_autodict_fd, &st) >= 0) { + if (fstat(nyx_autodict_fd, &st) >= 0) { + u32 f_len = st.st_size; u8 *dict = ck_alloc(f_len); if (dict == NULL) { - FATAL("Could not allocate %u bytes of autodictionary memory", f_len); + + FATAL("Could not allocate %u bytes of autodictionary memory", + f_len); + } u32 offset = 0, count = 0; @@ -497,16 +504,17 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "Reading autodictionary fail at position %u with %u bytes " "left.", offset, len); + } } - + offset = 0; while (offset < (u32)f_len && - (u8)dict[offset] + offset < (u32)f_len) { + (u8)dict[offset] + offset < (u32)f_len) { fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, - (u8)dict[offset]); + (u8)dict[offset]); offset += (1 + dict[offset]); count++; @@ -516,10 +524,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, ck_free(dict); } + close(nyx_autodict_fd); + } + } - + return; } -- cgit 1.4.1