From 0f7419fc9166b1f719372e1658efc4e3b9c88ac5 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 4 Mar 2022 05:41:40 +0100 Subject: write nyx crash logs to AFL++ work directory --- src/afl-fuzz-bitmap.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/afl-fuzz-bitmap.c') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index b963caf8..bce1a195 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -771,6 +771,20 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ck_write(fd, mem, len, fn); close(fd); + if(afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { + u8 fn_log[PATH_MAX]; + + snprintf(fn_log, PATH_MAX, "%s.log", fn); + + fd = open(fn_log, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } + + u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); + + ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); + close(fd); + } + return keeping; } -- cgit 1.4.1 From 713b069f40094482fb41ef17b44150162c062249 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 4 Mar 2022 06:01:49 +0100 Subject: fix compile error on non linux targets --- src/afl-fuzz-bitmap.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/afl-fuzz-bitmap.c') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index bce1a195..226dfa5c 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -771,6 +771,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ck_write(fd, mem, len, fn); close(fd); +#ifdef __linux__ if(afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { u8 fn_log[PATH_MAX]; @@ -784,6 +785,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); close(fd); } +#endif return keeping; -- cgit 1.4.1 From 2eeba2dbf085b1c679dc82d59a0ec0ddc2c05429 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 4 Mar 2022 09:41:21 +0100 Subject: code format --- include/forkserver.h | 5 +++-- nyx_mode/custom_harness/example.c | 7 ++++--- src/afl-forkserver.c | 5 ++++- src/afl-fuzz-bitmap.c | 11 +++++++---- src/afl-fuzz.c | 3 +-- 5 files changed, 19 insertions(+), 12 deletions(-) (limited to 'src/afl-fuzz-bitmap.c') diff --git a/include/forkserver.h b/include/forkserver.h index cb68ce4f..5b66e7ec 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -70,7 +70,8 @@ typedef struct { enum NyxReturnValue (*nyx_exec)(void *qemu_process); uint8_t *(*nyx_get_bitmap_buffer)(void *qemu_process); size_t (*nyx_get_bitmap_buffer_size)(void *qemu_process); - uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer, uint32_t size); + uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer, + uint32_t size); } nyx_plugin_handler_t; @@ -174,7 +175,7 @@ typedef struct afl_forkserver { void * nyx_runner; /* nyx runner object */ u32 nyx_id; /* nyx runner id (0 -> master) */ u32 nyx_bind_cpu_id; /* nyx runner cpu id */ - char* nyx_aux_string; + char * nyx_aux_string; #endif } afl_forkserver_t; diff --git a/nyx_mode/custom_harness/example.c b/nyx_mode/custom_harness/example.c index dd268534..a67d42c6 100644 --- a/nyx_mode/custom_harness/example.c +++ b/nyx_mode/custom_harness/example.c @@ -7,7 +7,7 @@ #define TRACE_BUFFER_SIZE (64) #define PAGE_SIZE 0x1000 -#define MMAP_SIZE(x) ((x & ~(PAGE_SIZE-1)) + PAGE_SIZE) +#define MMAP_SIZE(x) ((x & ~(PAGE_SIZE - 1)) + PAGE_SIZE) int main(int argc, char **argv) { @@ -30,8 +30,9 @@ int main(int argc, char **argv) { /* this is our "bitmap" that is later shared with the fuzzer (you can also * pass the pointer of the bitmap used by compile-time instrumentations in * your target) */ - uint8_t *trace_buffer = mmap(NULL, MMAP_SIZE(TRACE_BUFFER_SIZE), PROT_READ | - PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); + uint8_t *trace_buffer = + mmap(NULL, MMAP_SIZE(TRACE_BUFFER_SIZE), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); memset(trace_buffer, 0, TRACE_BUFFER_SIZE); // makes sure that the bitmap buffer is already // mapped into the guest's memory (alternatively diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 54f28852..628ff590 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1257,9 +1257,12 @@ void afl_fsrv_kill(afl_forkserver_t *fsrv) { #ifdef __linux__ if (fsrv->nyx_mode) { + free(fsrv->nyx_aux_string); - fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + } + #endif } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 226dfa5c..a7c77aec 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -772,19 +772,22 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { close(fd); #ifdef __linux__ - if(afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { - u8 fn_log[PATH_MAX]; + if (afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { - snprintf(fn_log, PATH_MAX, "%s.log", fn); + u8 fn_log[PATH_MAX]; + snprintf(fn_log, PATH_MAX, "%s.log", fn); fd = open(fn_log, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } - u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); + u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string( + afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); close(fd); + } + #endif return keeping; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index df6e5404..da1c7602 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -468,8 +468,7 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { dlsym(handle, "nyx_get_bitmap_buffer_size"); if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; } - plugin->nyx_get_aux_string = - dlsym(handle, "nyx_get_aux_string"); + plugin->nyx_get_aux_string = dlsym(handle, "nyx_get_aux_string"); if (plugin->nyx_get_aux_string == NULL) { goto fail; } OKF("libnyx plugin is ready!"); -- cgit 1.4.1 From d29773825594e7249e8a3a80b344a69249e7ab9a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 7 Mar 2022 09:37:19 +0100 Subject: nits --- README.md | 2 +- src/afl-fuzz-bitmap.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src/afl-fuzz-bitmap.c') diff --git a/README.md b/README.md index 66b884e2..a29ce792 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ Step-by-step quick start: 5. You will find found crashes and hangs in the subdirectories `crashes/` and `hangs/` in the `-o output_dir` directory. You can replay the crashes by - feeding them to the target, e.g.: + feeding them to the target, e.g. if your target is using stdin: ``` cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...] diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a7c77aec..971ac494 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -423,10 +423,10 @@ void write_crash_readme(afl_state_t *afl) { "them to a vendor? Check out the afl-tmin that comes with the fuzzer!\n\n" "Found any cool bugs in open-source tools using afl-fuzz? If yes, please " - "drop\n" - "an mail at once the issues are fixed\n\n" - - " https://github.com/AFLplusplus/AFLplusplus\n\n", + "post\n" + "to https://github.com/AFLplusplus/AFLplusplus/issues/286 once the " + "issues\n" + " are fixed :)\n\n", afl->orig_cmdline, stringify_mem_size(val_buf, sizeof(val_buf), -- cgit 1.4.1