From a632c00b0d023b8a40d09839fbb2662da1cb5d37 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 12 Jun 2020 16:08:49 +0200
Subject: switch to faster and better hash + random
---
 src/afl-fuzz-run.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/afl-fuzz-run.c')
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index a85e00fe..b45d0b8a 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -256,7 +256,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
- u32 cksum;
+ u64 cksum;
 if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) {
@@ -281,7 +281,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 }
- cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 if (q->exec_cksum != cksum) {
 hnb = has_new_bits(afl, afl->virgin_bits);
@@ -646,7 +646,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
 while (remove_pos < q->len) {
 u32 trim_avail = MIN(remove_len, q->len - remove_pos);
- u32 cksum;
+ u64 cksum;
 write_with_gap(afl, in_buf, q->len, remove_pos, trim_avail);
@@ -658,7 +658,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
 /* Note that we don't keep track of crashes or hangs here; maybe TODO? */
- cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 /* If the deletion had no impact on the trace, make it permanent. This isn't perfect for variable-path inputs, but we're just making a
-- cgit 1.4.1
From fc26001b50d27a276d2d50af1dbcd4dfa3886de5 Mon Sep 17 00:00:00 2001
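Review bot: Widening `cksum` to u64 in calibrate_case and trim_case only pays off if the field it is compared against on the `if (q->exec_cksum != cksum)` line is widened too; `exec_cksum` is declared outside src/afl-fuzz-run.c and this view is limited to that file, so if it stayed u32 the comparison silently truncates the new 64-bit hash back to 32 bits and the upgrade buys nothing. The same applies wherever `q->exec_cksum` is assigned from `cksum` further down in calibrate_case and in the trim_case hunk at line 658, both of which continue outside the hunks. Worth confirming the queue_entry change is part of the same commit, and a short comment at the declaration, `/* u64: must match queue_entry.exec_cksum */`, would make the coupling visible to the next reader.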
From: van Hauser
Date: Sat, 13 Jun 2020 13:47:43 +0200
Subject: fix shmem
---
 src/afl-fuzz-run.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
(limited to 'src/afl-fuzz-run.c')
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index b45d0b8a..cae48ce6 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -142,7 +142,34 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 s32 fd = afl->fsrv.out_fd;
 u32 tail_len = len - skip_at - skip_len;
- if (afl->fsrv.out_file) {
+ if (afl->fsrv.shmem_fuzz) {
+
+ if (skip_at) { memcpy(afl->fsrv.shmem_fuzz, mem, skip_at); }
+
+ if (tail_len) {
+
+ memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8*)mem + skip_at + skip_len, tail_len);
+
+ }
+
+ *afl->fsrv.shmem_fuzz_len = len - skip_len;
+
+#ifdef _DEBUG
+ fprintf(stderr, "FS crc: %08x len: %u\n",
+ hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705),
+ *fsrv->shmem_fuzz_len);
+ fprintf(stderr, "SHM :");
+ for (int i = 0; i < *fsrv->shmem_fuzz_len; i++)
+ fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]);
+ fprintf(stderr, "\nORIG:");
+ for (int i = 0; i < *fsrv->shmem_fuzz_len; i++)
+ fprintf(stderr, "%02x", buf[i]);
+ fprintf(stderr, "\n");
+#endif
+
+ return;
+
+ } else if (afl->fsrv.out_file) {
 if (afl->no_unlink) {
-- cgit 1.4.1
From bfe5b88e782ffd3f97c2a25da60b0b36552a6a64 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Sat, 13 Jun 2020 14:28:42 +0200
Subject: code format
---
 src/afl-fuzz-run.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/afl-fuzz-run.c')
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index cae48ce6..a1e8417f 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -148,7 +148,8 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 if (tail_len) {
- memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8*)mem + skip_at + skip_len, tail_len);
+ memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8 *)mem + skip_at + skip_len,
+ tail_len);
 }
-- cgit 1.4.1
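Review bot: The `#ifdef _DEBUG` block added to the shmem path of write_with_gap uses `fsrv->shmem_fuzz`, `fsrv->shmem_fuzz_len` and `buf`, none of which is a name in this function (its parameters are `afl`, `mem`, `len`, `skip_at` and, from the context, `skip_len`), so any `_DEBUG` build fails to compile; `%08x` also does not match the u64 that hash64 returns (the earlier commit changed `cksum` to `u64` for exactly that call), and `int i` is compared against an unsigned length. Once `buf` is gone the ORIG loop needs a real source: `mem` holds the un-gapped input, which is `len` bytes long, not `len - skip_len`. Separately, the new path copies `len - skip_len` bytes into `afl->fsrv.shmem_fuzz` without comparing against the region's capacity; that capacity is set up outside this file, so this is fine only if every caller already bounds `len` — worth a one-line comment stating that assumption at the `*afl->fsrv.shmem_fuzz_len = len - skip_len;` line. The body of write_with_gap continues outside the hunk.
```c
#ifdef _DEBUG
  fprintf(stderr, "FS crc: %016llx len: %u\n",
          (unsigned long long)hash64(afl->fsrv.shmem_fuzz,
                                     *afl->fsrv.shmem_fuzz_len, 0xa5b35705),
          *afl->fsrv.shmem_fuzz_len);
  fprintf(stderr, "SHM :");
  for (u32 i = 0; i < *afl->fsrv.shmem_fuzz_len; i++)
    fprintf(stderr, "%02x", afl->fsrv.shmem_fuzz[i]);
  fprintf(stderr, "\nORIG:");
  for (u32 i = 0; i < len; i++)
    fprintf(stderr, "%02x", ((u8 *)mem)[i]);
  fprintf(stderr, "\n");
#endif
```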
From 5cad92e57ecda270753cf70311a7ac1ff6fdcc9e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 21 Jun 2020 18:07:30 +0200 Subject: fix unicorn mode for CFLAGS --- GNUmakefile | 4 ++-- src/afl-fuzz-run.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/GNUmakefile b/GNUmakefile index 555fa9cf..a171e916 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -524,7 +524,7 @@ distrib: all radamsa $(MAKE) -C examples/socket_fuzzing $(MAKE) -C examples/argv_fuzzing -cd qemu_mode && sh ./build_qemu_support.sh - cd unicorn_mode && sh ./build_unicorn_support.sh + cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh binary-only: all radamsa $(MAKE) -C libdislocator @@ -533,7 +533,7 @@ binary-only: all radamsa $(MAKE) -C examples/socket_fuzzing $(MAKE) -C examples/argv_fuzzing -cd qemu_mode && sh ./build_qemu_support.sh - cd unicorn_mode && sh ./build_unicorn_support.sh + cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh source-only: all radamsa -$(MAKE) -C llvm_mode diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a1e8417f..a355ae0f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -413,7 +413,7 @@ void sync_fuzzers(afl_state_t *afl) { DIR * sd; struct dirent *sd_ent; u32 sync_cnt = 0, synced = 0, entries = 0; - u8 path[PATH_MAX]; + u8 path[PATH_MAX + 256]; sd = opendir(afl->sync_dir); if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); } @@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) { s32 fd; struct stat st; - sprintf(path, "%s/%s", qd_path, namelist[o]->d_name); + snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name); afl->syncing_case = next_min_accept; next_min_accept++; o--; -- cgit 1.4.1 From a49b5ef072011cc840c37653d6f6469dc3671968 Mon Sep 17 00:00:00 2001 
From: van Hauser
Date: Mon, 22 Jun 2020 07:16:24 +0200
Subject: allow /tmp
---
 afl-cmin.bash | 47 +++++++++++++++++++++++------------------------
 afl-plot | 35 ++++++++++++++++-------------------
 docs/Changelog.md | 1 +
 src/afl-fuzz-init.c | 15 +++++++++------
 src/afl-fuzz-run.c | 2 +-
 5 files changed, 50 insertions(+), 50 deletions(-)
(limited to 'src/afl-fuzz-run.c')
diff --git a/afl-cmin.bash b/afl-cmin.bash
index 1f23f6bc..bdef1edc 100755
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@@ -134,7 +134,6 @@ Environment variables used:
 AFL_KEEP_TRACES: leave the temporary \.traces directory
 AFL_PATH: path for the afl-showmap binary
 AFL_SKIP_BIN_CHECK: skip check for target binary
-AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp
 _EOF_
 exit 1
 fi
@@ -142,29 +141,29 @@ fi
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.
-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
- echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
- T1="$?"
-
- echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
- T2="$?"
-
- echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
- T3="$?"
-
- echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
- T4="$?"
-
- echo "$PWD" | grep -qE '^(/var)?/tmp/'
- T5="$?"
-
- if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
- echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
- exit 1
- fi
-
-fi
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+# echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+# T1="$?"
+#
+# echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+# T2="$?"
+#
+# echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+# T3="$?"
+#
+# echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+# T4="$?"
+#
+# echo "$PWD" | grep -qE '^(/var)?/tmp/'
+# T5="$?"
+#
+# if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+# echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+# exit 1
+# fi
+#
+#fi
 # If @@ is specified, but there's no -f, let's come up with a temporary input
 # file name.
diff --git a/afl-plot b/afl-plot
index 55745e93..de344eaa 100755
--- a/afl-plot
+++ b/afl-plot
@@ -35,9 +35,6 @@ an empty directory where this tool can write the resulting plots to.
 The program will put index.html and three PNG images in the output directory; you should be able to view it with any web browser of your choice.
-
-Environment variables used:
-AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories
 _EOF_
 exit 1
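Review bot: The two context lines `# Do a sanity check to discourage the use of /tmp, since we can't really` and `# handle this safely from a shell script.` now introduce a block that is entirely commented out, so the comment describes a check that no longer runs. Delete the dead block instead of commenting it out (git history keeps it) and replace the two lines with a comment that records the decision and its scope, e.g. `# /tmp and /var/tmp are deliberately allowed here; see the Changelog entry (only unsafe with umask 0).` The afl-plot hunk in the next file section has the same commented-out shape and should get the same treatment. The usage text in the previous hunk also dropped `AFL_ALLOW_TMP`, yet the commented block still tests it, which will mislead anyone who greps for the variable.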
@@ -47,22 +44,22 @@ fi
 inputdir=`get_abs_path "$1"`
 outputdir=`get_abs_path "$2"`
-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
- echo "$inputdir" | grep -qE '^(/var)?/tmp/'
- T1="$?"
-
- echo "$outputdir" | grep -qE '^(/var)?/tmp/'
- T2="$?"
-
- if [ "$T1" = "0" -o "$T2" = "0" ]; then
-
- echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
- exit 1
-
- fi
-
-fi
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+# echo "$inputdir" | grep -qE '^(/var)?/tmp/'
+# T1="$?"
+#
+# echo "$outputdir" | grep -qE '^(/var)?/tmp/'
+# T2="$?"
+#
+# if [ "$T1" = "0" -o "$T2" = "0" ]; then
+#
+# echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
+# exit 1
+#
+# fi
+#
+#fi
 if [ ! -f "$inputdir/plot_data" ]; then
diff --git a/docs/Changelog.md b/docs/Changelog.md
index efc18ab5..bc91f2ee 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -44,6 +44,7 @@ sending a mail to .
 - Unicornafl - Added powerPC support from unicorn/next - rust bindings!
+ - Allow running in /tmp (only unsafe with umask 0)
 - persistent mode shared memory testcase handover (instead of via files/stdin) - 10-100% performance increase - General support for 64 bit PowerPC, RiscV, Sparc etc.
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index ee96c73c..a2e849dc 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2128,14 +2128,17 @@ void check_binary(afl_state_t *afl, u8 *fname) {
 /* Check for blatant user errors. */
- if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) &&
- !strchr(afl->fsrv.target_path + 5, '/')) ||
- (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) &&
- !strchr(afl->fsrv.target_path + 9, '/'))) {
+ /* disabled. not a real-worl scenario where this is a problem.
+ if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) &&
+ !strchr(afl->fsrv.target_path + 5, '/')) ||
+ (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) &&
+ !strchr(afl->fsrv.target_path + 9, '/'))) {
- FATAL("Please don't keep binaries in /tmp or /var/tmp");
+ FATAL("Please don't keep binaries in /tmp or /var/tmp");
- }
+ }
+
+ */
 fd = open(afl->fsrv.target_path, O_RDONLY);
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index a355ae0f..eb562c60 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) {
 s32 fd;
 struct stat st;
- snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name);
+ snprintf(path, sizeof(path), "%s/%s", qd_path, namelist[o]->d_name);
 afl->syncing_case = next_min_accept;
 next_min_accept++;
 o--;
-- cgit 1.4.1
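Review bot: The new block comment in check_binary keeps six lines of dead code inside `/* ... */` and carries a typo, `real-worl`; remove the code entirely (history retains it) and keep only a one-line note that records what was accepted, e.g. `/* Binaries under /tmp and /var/tmp are allowed on purpose; the old check was dropped (see Changelog). */`. The preceding context line `/* Check for blatant user errors. */` then no longer describes what follows and should be dropped or moved to the next real check. If the commented code is kept for now, at least fix the typo to `real-world`. The rest of check_binary lies outside the hunk.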