From 51d6f863f5b3c51effb723f7ba88c4aecff36534 Mon Sep 17 00:00:00 2001 From: jhertz Date: Mon, 27 Dec 2021 12:12:02 -0500 Subject: fix imports to build on Mac (#1231) Co-authored-by: Jesse Hertz <> --- src/afl-fuzz.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f59bb47c..f52637f5 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -37,6 +37,7 @@ #ifdef __APPLE__ #include + #include #endif #ifdef PROFILING -- cgit 1.4.1 From 41291d8c72f91f5c4544de384e8dc5c2817364f0 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Tue, 28 Dec 2021 15:51:43 +0100 Subject: add Nyx mode --- .gitmodules | 9 +++ GNUmakefile | 3 +- include/forkserver.h | 45 ++++++++++++ nyx_mode/QEMU-Nyx | 1 + nyx_mode/build_nyx_support.sh | 69 +++++++++++++++++++ nyx_mode/libnyx | 1 + nyx_mode/packer | 1 + src/afl-forkserver.c | 140 ++++++++++++++++++++++++++++++++++++- src/afl-fuzz-init.c | 32 ++++++++- src/afl-fuzz-stats.c | 23 +++++-- src/afl-fuzz.c | 157 +++++++++++++++++++++++++++++++++++++++++- 11 files changed, 471 insertions(+), 10 deletions(-) create mode 160000 nyx_mode/QEMU-Nyx create mode 100644 nyx_mode/build_nyx_support.sh create mode 160000 nyx_mode/libnyx create mode 160000 nyx_mode/packer (limited to 'src/afl-fuzz.c') diff --git a/.gitmodules b/.gitmodules index 6569c0b1..8ba1c39d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -19,3 +19,12 @@ [submodule "coresight_mode/coresight-trace"] path = coresight_mode/coresight-trace url = https://github.com/RICSecLab/coresight-trace.git +[submodule "nyx_mode/libnyx"] + path = nyx_mode/libnyx + url = https://github.com/nyx-fuzz/libnyx.git +[submodule "nyx_mode/QEMU-Nyx"] + path = nyx_mode/QEMU-Nyx + url = https://github.com/nyx-fuzz/qemu-nyx.git +[submodule "nyx_mode/packer"] + path = nyx_mode/packer + url = https://github.com/nyx-fuzz/packer.git diff --git a/GNUmakefile b/GNUmakefile index a2c80261..fc1d2768 100644 --- a/GNUmakefile +++ b/GNUmakefile 
@@ -346,7 +346,7 @@ help: @echo "HELP --- the following make targets exist:" @echo "==========================================" @echo "all: the main afl++ binaries and llvm/gcc instrumentation" - @echo "binary-only: everything for binary-only fuzzing: frida_mode, qemu_mode, frida_mode, unicorn_mode, coresight_mode, libdislocator, libtokencap" + @echo "binary-only: everything for binary-only fuzzing: frida_mode, nyx_mode, qemu_mode, frida_mode, unicorn_mode, coresight_mode, libdislocator, libtokencap" @echo "source-only: everything for source code fuzzing: libdislocator, libtokencap" @echo "distrib: everything (for both binary-only and source code fuzzing)" @echo "man: creates simple man pages from the help option of the programs" @@ -636,6 +636,7 @@ ifeq "$(ARCH)" "aarch64" endif -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh + -cd nyx_mode && sh ./build_nyx_support.sh endif .PHONY: source-only diff --git a/include/forkserver.h b/include/forkserver.h index 464f208d..227f75c1 100644 --- a/include/forkserver.h +++ b/include/forkserver.h 
@@ -33,6 +33,40 @@ #include "types.h" +#ifdef __linux__ +/** + * Nyx related typedefs taken from libnyx.h + */ + +typedef enum NyxReturnValue { + Normal, + Crash, + Asan, + Timout, + InvalidWriteToPayload, + Error, + IoError, + Abort, +} NyxReturnValue; + +typedef struct{ + void* (*nyx_new)(const char *sharedir, + const char *workdir, + uint32_t worker_id, + uint32_t cpu_id, + bool create_snapshot); + void (*nyx_shutdown)(void *qemu_process); + void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable); + void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, uint32_t timeout_usec); + void (*nyx_option_apply)(void *qemu_process); + void (*nyx_set_afl_input)(void *qemu_process, uint8_t *buffer, uint32_t size); + enum NyxReturnValue (*nyx_exec)(void *qemu_process); + uint8_t* (*nyx_get_bitmap_buffer)(void *qemu_process); + size_t (*nyx_get_bitmap_buffer_size)(void *qemu_process); +} nyx_plugin_handler_t; + +#endif + typedef struct afl_forkserver { /* a program that includes afl-forkserver needs to define these */ @@ -121,6 +155,17 @@ typedef struct afl_forkserver { u8 kill_signal; +#ifdef __linux__ + nyx_plugin_handler_t* nyx_handlers; + char *out_dir_path; /* path to the output directory */ + u8 nyx_mode; /* if running in nyx mode or not */ + bool nyx_parent; /* create initial snapshot */ + bool nyx_standalone; /* don't serialize the snapshot */ + void* nyx_runner; /* nyx runner object */ + u32 nyx_id; /* nyx runner id (0 -> master) */ + u32 nyx_bind_cpu_id; /* nyx runner cpu id */ +#endif + } afl_forkserver_t; typedef enum fsrv_run_result { diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx new file mode 160000 index 00000000..acc90e46 --- /dev/null +++ b/nyx_mode/QEMU-Nyx @@ -0,0 +1 @@ +Subproject commit acc90e462b45fab15bb6b28c064e9f78808cb347 diff --git a/nyx_mode/build_nyx_support.sh b/nyx_mode/build_nyx_support.sh new file mode 100644 index 00000000..67e38117 --- /dev/null +++ b/nyx_mode/build_nyx_support.sh 
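Review bot: Nothing verifies at load time that the `NyxReturnValue` ordering and the function-pointer signatures copied into this header still match the libnyx build that is later dlopen()ed, and because every call goes through an untyped `dlsym` result, a mismatch (a reordered enum, a changed `nyx_new` parameter list) would misbehave silently instead of failing to load. Extend the comment to state the dependency, e.g. `/* Nyx related typedefs taken from libnyx.h; they must match the libnyx submodule revision -- no ABI/version check is performed at load time */`, and have the loader resolve a version symbol if libnyx exports one. The unprefixed constants `Normal`, `Crash`, `Error`, `Abort` land in the global namespace of every file that includes forkserver.h; a `NYX_` prefix would avoid collisions, at the cost of no longer matching libnyx.h verbatim. `bool`, `uint8_t` and `uint32_t` need `<stdbool.h>`/`<stdint.h>` unless types.h already provides them.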
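Review bot: The new `out_dir_path` field is documented only as `path to the output directory`, but the fix_up_sync hunk later in this series assigns it `afl->out_dir` directly, so it is a borrowed pointer that the forkserver must never free; say so: `char *out_dir_path; /* output dir, borrowed from afl->out_dir (not owned) */`. `nyx_id` and `nyx_bind_cpu_id` are compared against a bare `0xFFFFFFFF` "unset" sentinel in afl_fsrv_init and afl_fsrv_start; a comment here (`/* 0xFFFFFFFF = not set */`) or a named constant would keep the three sites in sync. The enclosing struct starts outside the hunk.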
@@ -0,0 +1,69 @@
+#!/bin/bash
+set -e
+
+echo "================================================="
+echo " Nyx build script"
+echo "================================================="
+echo
+
+echo "[*] Performing basic sanity checks..."
+
+if [ ! "`uname -s`" = "Linux" ]; then
+
+ echo "[-] Error: Nyx mode is only available on Linux."
+ exit 0
+
+fi
+
+echo "[*] Making sure all Nyx is checked out"
+
+git status 1>/dev/null 2>/dev/null
+if [ $? -eq 0 ]; then
+ git submodule init || exit 1
+ echo "[*] initializing QEMU-Nyx submodule"
+ git submodule update ./QEMU-Nyx 2>/dev/null # ignore errors
+ echo "[*] initializing packer submodule"
+ git submodule update ./packer 2>/dev/null # ignore errors
+ echo "[*] initializing libnyx submodule"
+ git submodule update ./libnyx 2>/dev/null # ignore errors
+
+else
+ echo "[ ] not a git repo..."
+ exit 1
+fi
+
+test -d QEMU-Nyx || { echo "[-] Not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -d packer || { echo "[-] Not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -d libnyx || { echo "[-] Not checked out, please install git or check your internet connection." ; exit 1 ; }
+
+echo "[*] checking packer init.cpio.gz ..."
+if [ ! -f "packer/linux_initramfs/init.cpio.gz" ]; then
+ cd packer/linux_initramfs/
+ sh pack.sh
+ cd ../../
+fi
+
+echo "[*] Checking libnyx ..."
+if [ ! -f "libnyx/libnyx/target/release/liblibnyx.a" ]; then
+ cd libnyx/libnyx
+ cargo build --release
+ cd ../../
+fi
+
+echo "[*] Checking QEMU-Nyx ..."
+if [ ! -f "QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64" ]; then
+ cd QEMU-Nyx/
+ ./compile_qemu_nyx.sh
+ cd ..
+fi
+
+echo "[*] Checking libnyx.so ..."
+if [ -f "libnyx/libnyx/target/release/liblibnyx.so" ]; then
+ cp libnyx/libnyx/target/release/liblibnyx.so libnyx.so
+else
+ echo "[ ] libnyx.so not found..."
+ exit 1
+fi
+echo "[+] All done for nyx_mode, enjoy!"
+
+exit 0
\ No newline at end of file
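Review bot: Under `set -e` the `git status 1>/dev/null 2>/dev/null` line aborts the script as soon as it fails, so the following `if [ $? -eq 0 ]` only ever sees 0 and the `[ ] not a git repo...` branch is unreachable; test the command directly: `if git status >/dev/null 2>&1; then`. The three `test -d` checks are weak guards as well: a submodule directory is typically present (empty) in the checkout even when `git submodule update`, whose errors are discarded, failed, so the "Not checked out" message never fires and the failure surfaces later as a missing `pack.sh`, `cargo` target or `compile_qemu_nyx.sh`; testing for a file inside each submodule would report the intended message. The `uname -s` check exiting with 0 looks deliberate so that `make binary-only` continues on other platforms, which is worth a one-line comment.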
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx new file mode 160000 index 00000000..ecbcb2d7 --- /dev/null +++ b/nyx_mode/libnyx @@ -0,0 +1 @@ +Subproject commit ecbcb2d7234fef0b5e1db8ca6019e6137ee0582d diff --git a/nyx_mode/packer b/nyx_mode/packer new file mode 160000 index 00000000..87837335 --- /dev/null +++ b/nyx_mode/packer @@ -0,0 +1 @@ +Subproject commit 87837335d6a9834516aacf4121cbe0e2b9692125 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b871ea8c..6604de3a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -71,6 +71,17 @@ static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) { void afl_fsrv_init(afl_forkserver_t *fsrv) { +#ifdef __linux__ + fsrv->nyx_handlers = NULL; + fsrv->out_dir_path = NULL; + fsrv->nyx_mode = 0; + fsrv->nyx_parent = false; + fsrv->nyx_standalone = false; + fsrv->nyx_runner = NULL; + fsrv->nyx_id = 0xFFFFFFFF; + fsrv->nyx_bind_cpu_id = 0xFFFFFFFF; +#endif + // this structure needs default so we initialize it if this was not done // already fsrv->out_fd = -1; 
@@ -375,6 +386,72 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, s32 rlen; char *ignore_autodict = getenv("AFL_NO_AUTODICT"); +#ifdef __linux__ + if (fsrv->nyx_mode) { + + if(fsrv->nyx_runner != NULL){ + return; + } + + if (!be_quiet) { ACTF("Spinning up the NYX backend..."); } + + if(fsrv->out_dir_path == NULL){ + FATAL("Nyx workdir path not found..."); + } + + char *x = alloc_printf("%s/workdir", fsrv->out_dir_path); + + if(fsrv->nyx_id == 0xFFFFFFFF){ + FATAL("Nyx ID is not set..."); + } + + if(fsrv->nyx_bind_cpu_id == 0xFFFFFFFF){ + FATAL("Nyx CPU ID is not set..."); + } + + if (fsrv->nyx_parent){ + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, !fsrv->nyx_standalone); + } + else{ + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); + } + + if(fsrv->nyx_runner == NULL){ + FATAL("Something went wrong ..."); + } + + fsrv->map_size = fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner);; + fsrv->real_map_size = fsrv->map_size; + + fsrv->trace_bits = fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner); + + fsrv->nyx_handlers->nyx_option_set_reload_mode(fsrv->nyx_runner, getenv("NYX_DISABLE_SNAPSHOT_MODE") == NULL); + fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + + fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0); + fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + + /* dry run */ + fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4); + switch(fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)){ + case Abort: + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + FATAL("Error: Nyx abort occured..."); + break; + case IoError: + FATAL("Error: QEMU-Nyx has died..."); + break; + case Error: + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + FATAL("Error: Nyx runtime error has occured..."); + break; + default: + break; + } + return; + } +#endif + if (!be_quiet) { 
ACTF("Spinning up the fork server..."); } #ifdef AFL_PERSISTENT_RECORD @@ -1085,6 +1162,11 @@ void afl_fsrv_kill(afl_forkserver_t *fsrv) { fsrv->fsrv_pid = -1; fsrv->child_pid = -1; +#ifdef __linux__ + if(fsrv->nyx_mode){ + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + } +#endif } /* Get the map size from the target forkserver */ @@ -1101,6 +1183,12 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { +#ifdef __linux__ + if(fsrv->nyx_mode){ + fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, buf, len); + return; + } +#endif #ifdef AFL_PERSISTENT_RECORD if (unlikely(fsrv->persistent_record)) { 
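Review bot: The dry-run `switch` after `nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4)` only reacts to `Abort`, `IoError` and `Error`; `Crash`, `Asan`, `Timout` and `InvalidWriteToPayload` fall into `default: break;` and start-up continues as though the snapshot were healthy, so a broken sharedir is not diagnosed here. If those outcomes are not legitimate for the INIT payload, FATAL on them too; if ignoring them is deliberate, say so: `default: /* other results are deliberately ignored for the INIT run */ break;`. Smaller points in the same block: `x` from `alloc_printf` is never released (fine once per process, but note whether nyx_new keeps the pointer), the literal `"INIT"` is passed for a `uint8_t *` parameter and will warn, each `break;` after a `FATAL` is unreachable, and `nyx_get_bitmap_buffer_size(fsrv->nyx_runner);;` carries a stray semicolon that the formatting commit later turns into a lone `;` line. The hard-coded `nyx_option_set_timeout(fsrv->nyx_runner, 2, 0)` deserves a comment that the 2 s applies only to the INIT run and is replaced per execution in afl_fsrv_run_target. afl_fsrv_start continues outside the hunk.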
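Review bot: `nyx_shutdown(fsrv->nyx_runner)` runs whenever nyx_mode is set, with no check that `nyx_runner` is non-NULL and without clearing it afterwards, so an afl_fsrv_kill before afl_fsrv_start (the runner stays NULL from afl_fsrv_init) or a second kill hands libnyx a NULL or already-shut-down handle; the perform_dry_run hunk in afl-fuzz-init.c does guard on `nyx_runner != NULL`. Mirror that here: `if (fsrv->nyx_mode && fsrv->nyx_runner) { fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); fsrv->nyx_runner = NULL; }`. Whether libnyx tolerates a NULL handle is not visible from this diff.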
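Review bot: `len` is a `size_t` but `nyx_set_afl_input` takes a `uint32_t size`, so the narrowing is silent here, and nothing in this hunk bounds `len` against whatever payload size the Nyx guest side accepts; an oversized input would presumably come back as `InvalidWriteToPayload` from nyx_exec, where afl_fsrv_run_target currently FATALs with a FixMe. A comment stating the assumption (`/* libnyx copies buf into the guest payload buffer; len must fit the agent's payload size */`) plus an explicit check or clamp here would make the contract visible. The function continues outside the hunk.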
@@ -1214,12 +1302,62 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, u32 exec_ms; u32 write_value = fsrv->last_run_timed_out; +#ifdef __linux__ + if(fsrv->nyx_mode){ + + static uint32_t last_timeout_value = 0; + + if (last_timeout_value != timeout){ + fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, timeout/1000, (timeout%1000) * 1000); + fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + last_timeout_value = timeout; + } + + enum NyxReturnValue ret_val = fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner); + + fsrv->total_execs++; + + switch(ret_val){ + case Normal: + return FSRV_RUN_OK; + case Crash: + case Asan: + return FSRV_RUN_CRASH; + case Timout: + return FSRV_RUN_TMOUT; + case InvalidWriteToPayload: + /* ??? */ + FATAL("FixMe: Nyx InvalidWriteToPayload handler is missing"); + break; + case Abort: + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + FATAL("Error: Nyx abort occured..."); + case IoError: + if (*stop_soon_p){ + return 0; + } + else{ + FATAL("Error: QEMU-Nyx has died..."); + } + break; + case Error: + FATAL("Error: Nyx runtime error has occured..."); + break; + } + return FSRV_RUN_OK; + } +#endif /* After this memset, fsrv->trace_bits[] are effectively volatile, so we must prevent any earlier operations from venturing into that territory. */ +#ifdef __linux__ + if(!fsrv->nyx_mode){ + memset(fsrv->trace_bits, 0, fsrv->map_size); + } +#else memset(fsrv->trace_bits, 0, fsrv->map_size); - +#endif MEM_BARRIER(); /* we have the fork server (or faux server) up and running diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 7a8bd674..b6de3712 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -411,7 +411,11 @@ void bind_to_free_cpu(afl_state_t *afl) { OKF("Found a free CPU core, try binding to #%u.", i); if (bind_cpu(afl, i)) { - +#ifdef __linux__ + if(afl->fsrv.nyx_mode){ + afl->fsrv.nyx_bind_cpu_id = i; + } +#endif /* Success :) */ break; 
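Review bot: `timeout / 1000` is passed to the `uint8_t timeout_sec` parameter of `nyx_option_set_timeout`, so any `timeout` of 256000 ms or more is silently truncated modulo 256 (300000 ms becomes 44 s) while the microsecond part is computed correctly. Reject or clamp before the call: `if (timeout / 1000 > UINT8_MAX) { FATAL("Nyx timeout must be below 256 seconds"); }`. `last_timeout_value` is function-static, so the cached value is shared by every afl_forkserver_t in the process; if a second Nyx forkserver is ever created the comparison can skip a needed update, and a per-fsrv field would be safer. The `IoError` branch returns a bare `0` where the enum has `FSRV_RUN_OK`, the `switch` has no `default` for a value this copy of the enum does not know, and the skipped `memset` of `trace_bits` in Nyx mode relies on libnyx clearing its bitmap per execution, which deserves a comment. The function continues outside the hunk.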
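Review bot: `nyx_bind_cpu_id` is only assigned on the successful `bind_cpu` path inside this loop, so every path in bind_to_free_cpu that returns earlier (the `AFL_NO_AFFINITY` early return, and an explicit `-b` core if this version binds it before the scan) leaves it at the `0xFFFFFFFF` sentinel and afl_fsrv_start later fails with the less helpful `Nyx CPU ID is not set...`. Either set `afl->fsrv.nyx_bind_cpu_id` on those paths too, or fail here with a message naming the option; a comment such as `/* Nyx pins its QEMU instance to the bound core; see afl_fsrv_start */` would explain why the mode cares. The enclosing loop and function continue outside the hunk.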
@@ -1090,6 +1094,11 @@ void perform_dry_run(afl_state_t *afl) { FATAL("Unable to execute target application ('%s')", afl->argv[0]); case FSRV_RUN_NOINST: +#ifdef __linux__ + if(afl->fsrv.nyx_mode && afl->fsrv.nyx_runner != NULL){ + afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner); + } +#endif FATAL("No instrumentation detected"); case FSRV_RUN_NOBITS: @@ -2443,6 +2452,11 @@ void fix_up_sync(afl_state_t *afl) { x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id); +#ifdef __linux__ + if(afl->fsrv.nyx_mode){ + afl->fsrv.out_dir_path = afl->out_dir; + } +#endif afl->sync_dir = afl->out_dir; afl->out_dir = x; @@ -2580,6 +2594,19 @@ void check_binary(afl_state_t *afl, u8 *fname) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { afl->fsrv.target_path = ck_strdup(fname); +#ifdef __linux__ + if(afl->fsrv.nyx_mode){ + /* check if target_path is a nyx sharedir */ + if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)){ + char* tmp = alloc_printf("%s/config.ron", afl->fsrv.target_path); + if (stat(tmp, &st) || S_ISREG(st.st_mode)){ + free(tmp); + return; + } + } + FATAL("Directory '%s' not found or is not a nyx share directory", afl->fsrv.target_path); + } +#endif if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || (f_len = st.st_size) < 4) { @@ -2719,6 +2746,9 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode && +#ifdef __linux__ + !afl->fsrv.nyx_mode && +#endif !afl->fsrv.cs_mode && !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 289f7e09..5f035762 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
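Review bot: Both `stat` tests in the share-directory check are inverted: `stat()` returns non-zero on failure, so `stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)` is true precisely when the path does not exist, and the inner `stat(tmp, &st) || S_ISREG(st.st_mode)` then returns success for a missing `config.ron` as well, so a nonexistent target passes check_binary and only fails later inside nyx_new, while the `Directory ... not found` FATAL is reached only for an existing non-directory. Change them to `if (!stat(afl->fsrv.target_path, &st) && S_ISDIR(st.st_mode)) {` and `if (!stat(tmp, &st) && S_ISREG(st.st_mode)) {`. `tmp` should be released with `ck_free` rather than `free` if `alloc_printf` is ck_alloc-based as in the rest of the tree. The function continues outside the hunk.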
@@ -679,12 +679,25 @@ void show_stats(afl_state_t *afl) { banner_pad = (79 - banner_len) / 2; memset(banner, ' ', banner_pad); - sprintf(banner + banner_pad, - "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", - afl->crash_mode ? cPIN "peruvian were-rabbit" - : cYEL "american fuzzy lop", - si, afl->use_banner, afl->power_name); +#ifdef __linux__ + if(afl->fsrv.nyx_mode){ + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); + } + else{ +#endif + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); +#ifdef __linux__ + } +#endif } SAYF("\n%s\n", banner); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f52637f5..7ab2c60e 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -124,6 +124,8 @@ static void usage(u8 *argv0, int more_help) { " -W - use qemu-based instrumentation with Wine (Wine " "mode)\n" #endif + " -X - use VM fuzzing (NYX mode)\n" + " -Y - use VM fuzzing (NYX mode - Multiprocessing)\n" "\n" "Mutator settings:\n" 
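Review bot: The Nyx branch appends `" - Nyx"` (six characters) to a banner whose width budget, `banner_len` and `banner_pad` computed just above the hunk, was not adjusted, so the line is about three columns off-centre and the unbounded `sprintf` writes those extra characters beyond whatever length `banner_len` accounted for. Add the suffix length to `banner_len` in the Nyx case and bound the write, e.g. `snprintf(banner + banner_pad, sizeof(banner) - banner_pad, ...)` if `banner` is a fixed-size array. The `} else {` / `}` pair straddling the `#ifdef __linux__` blocks duplicates the whole format call; a single `sprintf` with a suffix variable set to `""` or `" - Nyx"` would be easier to read and keep the two strings from drifting.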
@@ -385,6 +387,75 @@ static void fasan_check_afl_preload(char *afl_preload) { } +#ifdef __linux__ +#include + +nyx_plugin_handler_t* afl_load_libnyx_plugin(u8* libnyx_binary){ + void *handle; + nyx_plugin_handler_t* plugin = calloc(1, sizeof(nyx_plugin_handler_t)); + + ACTF("Trying to load libnyx.so plugin..."); + handle = dlopen((char*) libnyx_binary, RTLD_NOW); + if (!handle) { + goto fail; + } + + plugin->nyx_new = dlsym(handle, "nyx_new"); + if (plugin->nyx_new == NULL){ + goto fail; + } + + plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); + if (plugin->nyx_shutdown == NULL){ + goto fail; + } + + plugin->nyx_option_set_reload_mode = dlsym(handle, "nyx_option_set_reload_mode"); + if (plugin->nyx_option_set_reload_mode == NULL){ + goto fail; + } + + plugin->nyx_option_set_timeout = dlsym(handle, "nyx_option_set_timeout"); + if (plugin->nyx_option_set_timeout == NULL){ + goto fail; + } + + plugin->nyx_option_apply = dlsym(handle, "nyx_option_apply"); + if (plugin->nyx_option_apply == NULL){ + goto fail; + } + + plugin->nyx_set_afl_input = dlsym(handle, "nyx_set_afl_input"); + if (plugin->nyx_set_afl_input == NULL){ + goto fail; + } + + plugin->nyx_exec = dlsym(handle, "nyx_exec"); + if (plugin->nyx_exec == NULL){ + goto fail; + } + + plugin->nyx_get_bitmap_buffer = dlsym(handle, "nyx_get_bitmap_buffer"); + if (plugin->nyx_get_bitmap_buffer == NULL){ + goto fail; + } + + plugin->nyx_get_bitmap_buffer_size = dlsym(handle, "nyx_get_bitmap_buffer_size"); + if (plugin->nyx_get_bitmap_buffer_size == NULL){ + goto fail; + } + + OKF("libnyx plugin is ready!"); + return plugin; + + fail: + + FATAL("failed to load libnyx: %s\n", dlerror()); + free(plugin); + return NULL; +} +#endif + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { 
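Review bot: The `fail:` label is dead after its first statement: `FATAL` does not return, so `free(plugin)` and `return NULL` never execute, and the caller's `if (afl->fsrv.nyx_handlers == NULL)` check in the later main() hunk is equally unreachable — either drop the NULL contract on both sides, or demote the `FATAL` to `WARNF`, `dlclose(handle)` when it was opened, free the struct and let the caller decide. `calloc`'s result is dereferenced without a check. The function is not `static` and has no prototype in a header, and the `#include` it needs for `dlopen` (`<dlfcn.h>`; the header name is lost in this rendering) sits mid-file under `#ifdef __linux__` instead of with the other includes. The nine near-identical `dlsym` blocks could be one loop over a name/slot table, which would also make the error message name the missing symbol.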
@@ -441,7 +512,7 @@ int main(int argc, char **argv_orig, char **envp) { while ((opt = getopt( argc, argv, - "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > + "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOXYo:p:RQs:S:t:T:UV:Wx:Z")) > 0) { switch (opt) { @@ -845,6 +916,36 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_banner = optarg; break; +#ifdef __linux__ + case 'X': /* NYX mode */ + + if (afl->fsrv.nyx_mode) { + FATAL("Multiple -X options not supported"); + + } + + afl->fsrv.nyx_parent = true; + afl->fsrv.nyx_standalone = true; + afl->fsrv.nyx_mode = 1; + afl->fsrv.nyx_id = 0; + + break; + + case 'Y': /* NYX distributed mode */ + if (afl->fsrv.nyx_mode) { + + FATAL("Multiple -X options not supported"); + + } + afl->fsrv.nyx_mode = 1; + + break; +#else + case 'X': + case 'Y': + FATAL("Nyx mode is only availabe on linux..."); + break; +#endif case 'A': /* CoreSight mode */ #if !defined(__aarch64__) || !defined(__linux__) @@ -1185,6 +1286,13 @@ int main(int argc, char **argv_orig, char **envp) { OKF("NOTE: This is v3.x which changes defaults and behaviours - see " "README.md"); +#ifdef __linux__ + if (afl->fsrv.nyx_mode){ + OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); + OKF("Nyx is open source, get it at " + "https://github.com/Nyx-Fuzz"); + } +#endif if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { 
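Review bot: `-X`/`-Y` are not checked against the other execution modes: this hunk rejects a repeated `-X` but accepts `-X` together with `-Q`, `-O`, `-U` or `-A`, and the check_binary hunk only masks the instrumentation check for nyx_mode, so a conflicting combination is noticed late or not at all. If main() already has a mutual-exclusion block for those flags (it would be outside this hunk), add `afl->fsrv.nyx_mode` to it; otherwise a check next to the `Multiple -X options` one is the natural place. The non-Linux message has a typo: `FATAL("Nyx mode is only available on Linux...");`. The switch continues outside the hunk.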
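Review bot: Typo in the user-facing message: `mainted` should read `maintained`, i.e. `OKF("afl++ Nyx mode is enabled (developed and maintained by Sergej Schumilo)");`. The enclosing function continues outside the hunk.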
@@ -1227,6 +1335,33 @@ int main(int argc, char **argv_orig, char **envp) { } +#ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + if (afl->fsrv.nyx_standalone && strncmp(afl->sync_id, "default", strlen("default")) != 0){ + FATAL("distributed fuzzing is not supported in this Nyx mode (use -Y instead)"); + } + + if (!afl->fsrv.nyx_standalone){ + if (afl->is_main_node){ + if(strncmp("0", afl->sync_id, strlen("0") != 0)){ + FATAL("afl->sync_id has to be 0 in Nyx mode (-M 0)"); + } + afl->fsrv.nyx_id = 0; + } + + if (afl->is_secondary_node){ + long nyx_id = strtol(afl->sync_id, NULL, 10); + + if (nyx_id == 0 || nyx_id == LONG_MAX){ + FATAL("afl->sync_id has to be numberic and >= 1 (-S id)"); + } + afl->fsrv.nyx_id = nyx_id; + } + } + } +#endif + if (afl->sync_id) { if (strlen(afl->sync_id) > 24) { @@ -1450,8 +1585,22 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; +#ifdef __linux__ + if (!afl->fsrv.nyx_mode){ + check_crash_handling(); + check_cpu_governor(afl); + } + else{ + u8* libnyx_binary = find_afl_binary(argv[0], "nyx_mode/libnyx.so"); + afl->fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); + if(afl->fsrv.nyx_handlers == NULL){ + FATAL("failed to initialize libnyx.so..."); + } + } +#else check_crash_handling(); check_cpu_governor(afl); +#endif if (getenv("LD_PRELOAD")) { @@ -1934,7 +2083,11 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; } if (!afl->pending_not_fuzzed || !valid_seeds) { - +#ifdef __linux__ + if(afl->fsrv.nyx_mode){ + afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner); + } +#endif FATAL("We need at least one valid input seed that does not crash!"); } -- cgit 1.4.1 From f511ebd125e968f9d49bb38cea18d7c1596db10b Mon Sep 17 00:00:00 2001 
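Review bot: The main-node check has a misplaced parenthesis: `strncmp("0", afl->sync_id, strlen("0") != 0)` passes `1` (the value of `strlen("0") != 0`) as the length, so it compares only the first character and accepts e.g. `-M 0x`; the nits commit further down rewords the message but keeps this expression, and `if (strcmp(afl->sync_id, "0") != 0) {` is what was meant. The secondary path is similarly loose: `strtol(afl->sync_id, NULL, 10)` accepts trailing characters and negatives, and `-S -1` (unless sync_id validation elsewhere rejects it) stores `-1` into the `u32` field, i.e. `0xFFFFFFFF`, which afl_fsrv_start then reports as `Nyx ID is not set...`. The standalone check `strncmp(afl->sync_id, "default", strlen("default"))` is a prefix match as well, and if this version autoconfigures a missing -M/-S to `-S default` (as the unconditional `afl->sync_id` dereference suggests), a plain `-Y` run ends in the numeric FATAL instead of a message asking for -M/-S. A strict parse of the secondary id would look like this (assumes `<errno.h>` and `<stdint.h>` are in scope):
```c
      if (afl->is_secondary_node) {

        errno = 0;
        char *end = NULL;
        long  nyx_id = strtol(afl->sync_id, &end, 10);
        if (end == afl->sync_id || *end != '\0' || errno == ERANGE ||
            nyx_id < 1 || nyx_id > UINT32_MAX) {

          FATAL("afl->sync_id has to be numeric and >= 1 (-S id)");

        }

        afl->fsrv.nyx_id = (u32)nyx_id;

      }
```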
From: vanhauser-thc Date: Tue, 28 Dec 2021 17:25:46 +0100 Subject: nyx nits --- src/afl-forkserver.c | 3 ++- src/afl-fuzz.c | 12 +++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 6604de3a..16f684be 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1354,11 +1354,12 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, #ifdef __linux__ if(!fsrv->nyx_mode){ memset(fsrv->trace_bits, 0, fsrv->map_size); + MEM_BARRIER(); } #else memset(fsrv->trace_bits, 0, fsrv->map_size); -#endif MEM_BARRIER(); +#endif /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7ab2c60e..5b568aa4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -124,8 +124,10 @@ static void usage(u8 *argv0, int more_help) { " -W - use qemu-based instrumentation with Wine (Wine " "mode)\n" #endif - " -X - use VM fuzzing (NYX mode)\n" - " -Y - use VM fuzzing (NYX mode - Multiprocessing)\n" +#if defined(__linux__) + " -X - use VM fuzzing (NYX mode - standalone mode)\n" + " -Y - use VM fuzzing (NYX mode - multiple instances mode)\n" +#endif "\n" "Mutator settings:\n" @@ -934,7 +936,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Y': /* NYX distributed mode */ if (afl->fsrv.nyx_mode) { - FATAL("Multiple -X options not supported"); + FATAL("Multiple -Y options not supported"); } afl->fsrv.nyx_mode = 1; @@ -1345,7 +1347,7 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->fsrv.nyx_standalone){ if (afl->is_main_node){ if(strncmp("0", afl->sync_id, strlen("0") != 0)){ - FATAL("afl->sync_id has to be 0 in Nyx mode (-M 0)"); + FATAL("for Nyx -Y mode, the Main (-M) parameter has to be set to 0 (-M 0)"); } afl->fsrv.nyx_id = 0; } 
@@ -1354,7 +1356,7 @@ int main(int argc, char **argv_orig, char **envp) { long nyx_id = strtol(afl->sync_id, NULL, 10); if (nyx_id == 0 || nyx_id == LONG_MAX){ - FATAL("afl->sync_id has to be numberic and >= 1 (-S id)"); + FATAL("for Nyx -Y mode, the Secondary (-S) parameter has to be a numeric value and >= 1 (e.g. -S 1)"); } afl->fsrv.nyx_id = nyx_id; } -- cgit 1.4.1 From 8b8aaa93bd2fdc5b973e94568f02eec411ca86fb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 28 Dec 2021 17:26:54 +0100 Subject: nyx code format --- include/forkserver.h | 34 +++++---- src/afl-forkserver.c | 101 +++++++++++++++--------- src/afl-fuzz-init.c | 37 +++++---- src/afl-fuzz-stats.c | 11 ++- src/afl-fuzz.c | 212 +++++++++++++++++++++++++++------------------------ src/afl-showmap.c | 11 +-- 6 files changed, 228 insertions(+), 178 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/include/forkserver.h b/include/forkserver.h index 227f75c1..2418381f 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -39,6 +39,7 @@ */ typedef enum NyxReturnValue { + Normal, Crash, Asan, 
@@ -47,22 +48,23 @@ typedef enum NyxReturnValue { Error, IoError, Abort, + } NyxReturnValue; -typedef struct{ - void* (*nyx_new)(const char *sharedir, - const char *workdir, - uint32_t worker_id, - uint32_t cpu_id, - bool create_snapshot); +typedef struct { + + void *(*nyx_new)(const char *sharedir, const char *workdir, + uint32_t worker_id, uint32_t cpu_id, bool create_snapshot); void (*nyx_shutdown)(void *qemu_process); void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable); - void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, uint32_t timeout_usec); + void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, + uint32_t timeout_usec); void (*nyx_option_apply)(void *qemu_process); void (*nyx_set_afl_input)(void *qemu_process, uint8_t *buffer, uint32_t size); enum NyxReturnValue (*nyx_exec)(void *qemu_process); - uint8_t* (*nyx_get_bitmap_buffer)(void *qemu_process); + uint8_t *(*nyx_get_bitmap_buffer)(void *qemu_process); size_t (*nyx_get_bitmap_buffer_size)(void *qemu_process); + } nyx_plugin_handler_t; #endif @@ -156,14 +158,14 @@ typedef struct afl_forkserver { u8 kill_signal; #ifdef __linux__ - nyx_plugin_handler_t* nyx_handlers; - char *out_dir_path; /* path to the output directory */ - u8 nyx_mode; /* if running in nyx mode or not */ - bool nyx_parent; /* create initial snapshot */ - bool nyx_standalone; /* don't serialize the snapshot */ - void* nyx_runner; /* nyx runner object */ - u32 nyx_id; /* nyx runner id (0 -> master) */ - u32 nyx_bind_cpu_id; /* nyx runner cpu id */ + nyx_plugin_handler_t *nyx_handlers; + char * out_dir_path; /* path to the output directory */ + u8 nyx_mode; /* if running in nyx mode or not */ + bool nyx_parent; /* create initial snapshot */ + bool nyx_standalone; /* don't serialize the snapshot */ + void * nyx_runner; /* nyx runner object */ + u32 nyx_id; /* nyx runner id (0 -> master) */ + u32 nyx_bind_cpu_id; /* nyx runner cpu id */ #endif } afl_forkserver_t; 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 16f684be..d34f9ce2 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
@@ -389,43 +389,47 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, #ifdef __linux__ if (fsrv->nyx_mode) { - if(fsrv->nyx_runner != NULL){ - return; - } + if (fsrv->nyx_runner != NULL) { return; } if (!be_quiet) { ACTF("Spinning up the NYX backend..."); } - if(fsrv->out_dir_path == NULL){ - FATAL("Nyx workdir path not found..."); - } + if (fsrv->out_dir_path == NULL) { FATAL("Nyx workdir path not found..."); } char *x = alloc_printf("%s/workdir", fsrv->out_dir_path); - if(fsrv->nyx_id == 0xFFFFFFFF){ - FATAL("Nyx ID is not set..."); - } + if (fsrv->nyx_id == 0xFFFFFFFF) { FATAL("Nyx ID is not set..."); } - if(fsrv->nyx_bind_cpu_id == 0xFFFFFFFF){ - FATAL("Nyx CPU ID is not set..."); - } + if (fsrv->nyx_bind_cpu_id == 0xFFFFFFFF) { + + FATAL("Nyx CPU ID is not set..."); - if (fsrv->nyx_parent){ - fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, !fsrv->nyx_standalone); - } - else{ - fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); } - if(fsrv->nyx_runner == NULL){ - FATAL("Something went wrong ..."); + if (fsrv->nyx_parent) { + + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( + fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, + !fsrv->nyx_standalone); + + } else { + + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( + fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); + } - fsrv->map_size = fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner);; + if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } + + fsrv->map_size = + fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner); + ; fsrv->real_map_size = fsrv->map_size; - fsrv->trace_bits = fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner); + fsrv->trace_bits = + fsrv->nyx_handlers->nyx_get_bitmap_buffer(fsrv->nyx_runner); - fsrv->nyx_handlers->nyx_option_set_reload_mode(fsrv->nyx_runner, 
getenv("NYX_DISABLE_SNAPSHOT_MODE") == NULL); + fsrv->nyx_handlers->nyx_option_set_reload_mode( + fsrv->nyx_runner, getenv("NYX_DISABLE_SNAPSHOT_MODE") == NULL); fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0); @@ -433,7 +437,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* dry run */ fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4); - switch(fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)){ + switch (fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)) { + case Abort: fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); FATAL("Error: Nyx abort occured..."); @@ -447,9 +452,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, break; default: break; + } + return; + } + #endif if (!be_quiet) { ACTF("Spinning up the fork server..."); } @@ -1163,10 +1172,9 @@ void afl_fsrv_kill(afl_forkserver_t *fsrv) { fsrv->child_pid = -1; #ifdef __linux__ - if(fsrv->nyx_mode){ - fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); - } + if (fsrv->nyx_mode) { fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); } #endif + } /* Get the map size from the target forkserver */ @@ -1184,10 +1192,13 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { #ifdef __linux__ - if(fsrv->nyx_mode){ + if (fsrv->nyx_mode) { + fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, buf, len); return; + } + #endif #ifdef AFL_PERSISTENT_RECORD if (unlikely(fsrv->persistent_record)) { 
@@ -1303,21 +1314,26 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, u32 write_value = fsrv->last_run_timed_out; #ifdef __linux__ - if(fsrv->nyx_mode){ + if (fsrv->nyx_mode) { static uint32_t last_timeout_value = 0; - if (last_timeout_value != timeout){ - fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, timeout/1000, (timeout%1000) * 1000); + if (last_timeout_value != timeout) { + + fsrv->nyx_handlers->nyx_option_set_timeout( + fsrv->nyx_runner, timeout / 1000, (timeout % 1000) * 1000); fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); last_timeout_value = timeout; + } - enum NyxReturnValue ret_val = fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner); + enum NyxReturnValue ret_val = + fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner); fsrv->total_execs++; - switch(ret_val){ + switch (ret_val) { + case Normal: return FSRV_RUN_OK; case Crash: @@ -1333,29 +1349,40 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); FATAL("Error: Nyx abort occured..."); case IoError: - if (*stop_soon_p){ + if (*stop_soon_p) { + return 0; - } - else{ + + } else { + FATAL("Error: QEMU-Nyx has died..."); + } + break; case Error: FATAL("Error: Nyx runtime error has occured..."); break; + } + return FSRV_RUN_OK; - } + + } + #endif /* After this memset, fsrv->trace_bits[] are effectively volatile, so we must prevent any earlier operations from venturing into that territory. */ #ifdef __linux__ - if(!fsrv->nyx_mode){ + if (!fsrv->nyx_mode) { + memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); + } + #else memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index b6de3712..dc18f1a9 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -411,11 +411,10 @@ void bind_to_free_cpu(afl_state_t *afl) { OKF("Found a free CPU core, try binding to #%u.", i); if (bind_cpu(afl, i)) { -#ifdef __linux__ - if(afl->fsrv.nyx_mode){ - afl->fsrv.nyx_bind_cpu_id = i; - } -#endif + + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = i; } + #endif /* Success :) */ break; @@ -1095,9 +1094,12 @@ void perform_dry_run(afl_state_t *afl) { case FSRV_RUN_NOINST: #ifdef __linux__ - if(afl->fsrv.nyx_mode && afl->fsrv.nyx_runner != NULL){ + if (afl->fsrv.nyx_mode && afl->fsrv.nyx_runner != NULL) { + afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner); + } + #endif FATAL("No instrumentation detected"); @@ -2453,9 +2455,7 @@ void fix_up_sync(afl_state_t *afl) { x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id); #ifdef __linux__ - if(afl->fsrv.nyx_mode){ - afl->fsrv.out_dir_path = afl->out_dir; - } + if (afl->fsrv.nyx_mode) { afl->fsrv.out_dir_path = afl->out_dir; } #endif afl->sync_dir = afl->out_dir; afl->out_dir = x; @@ -2595,17 +2595,26 @@ void check_binary(afl_state_t *afl, u8 *fname) { afl->fsrv.target_path = ck_strdup(fname); #ifdef __linux__ - if(afl->fsrv.nyx_mode){ + if (afl->fsrv.nyx_mode) { + /* check if target_path is a nyx sharedir */ - if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)){ - char* tmp = alloc_printf("%s/config.ron", afl->fsrv.target_path); - if (stat(tmp, &st) || S_ISREG(st.st_mode)){ + if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)) { + + char *tmp = alloc_printf("%s/config.ron", afl->fsrv.target_path); + if (stat(tmp, &st) || S_ISREG(st.st_mode)) { + free(tmp); return; + } + } - FATAL("Directory '%s' not found or is not a nyx share directory", afl->fsrv.target_path); + + FATAL("Directory '%s' not found or is not a nyx share directory", + afl->fsrv.target_path); + } + #endif if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || (f_len = st.st_size) < 4) { 
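Review bot: The Nyx share-directory check in check_binary is inverted: `if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode))` enters the branch when stat fails, and `if (stat(tmp, &st) || S_ISREG(st.st_mode))` then returns success when `config.ron` cannot be stat'ed either, so a non-existent target path or a directory without `config.ron` passes validation and the FATAL is only reached for an existing non-directory path. The conditions should read `if (!stat(afl->fsrv.target_path, &st) && S_ISDIR(st.st_mode)) {` and `if (!stat(tmp, &st) && S_ISREG(st.st_mode)) {`, which also makes the error message truthful. `tmp` is not freed on the FATAL path, which only matters if FATAL can return. The function continues outside the hunk.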
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 5f035762..ba8faaf0 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -680,14 +680,16 @@ void show_stats(afl_state_t *afl) { memset(banner, ' ', banner_pad); #ifdef __linux__ - if(afl->fsrv.nyx_mode){ + if (afl->fsrv.nyx_mode) { + sprintf(banner + banner_pad, "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx", afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", si, afl->use_banner, afl->power_name); - } - else{ + + } else { + #endif sprintf(banner + banner_pad, "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", @@ -696,8 +698,11 @@ void show_stats(afl_state_t *afl) { si, afl->use_banner, afl->power_name); #ifdef __linux__ + } + #endif + } SAYF("\n%s\n", banner); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5b568aa4..01d2096b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
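Review bot: The Nyx branch of show_stats writes a format that is six characters longer (` - Nyx`) than the one in the else branch, with an unbounded `sprintf` into `banner + banner_pad`, and `afl->use_banner` inside it is the optarg assigned during option parsing. Whatever sizes the banner buffer and computes `banner_pad` before this hunk was written for the shorter format and is not visible here, so it needs checking for the extra bytes; `snprintf(banner + banner_pad, <remaining buffer size>, ...)` in both branches would make the bound explicit rather than implicit. The function continues outside the hunk.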
@@ -389,74 +389,59 @@ static void fasan_check_afl_preload(char *afl_preload) { } -#ifdef __linux__ -#include + #ifdef __linux__ + #include -nyx_plugin_handler_t* afl_load_libnyx_plugin(u8* libnyx_binary){ - void *handle; - nyx_plugin_handler_t* plugin = calloc(1, sizeof(nyx_plugin_handler_t)); +nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { - ACTF("Trying to load libnyx.so plugin..."); - handle = dlopen((char*) libnyx_binary, RTLD_NOW); - if (!handle) { - goto fail; - } + void * handle; + nyx_plugin_handler_t *plugin = calloc(1, sizeof(nyx_plugin_handler_t)); - plugin->nyx_new = dlsym(handle, "nyx_new"); - if (plugin->nyx_new == NULL){ - goto fail; - } - - plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); - if (plugin->nyx_shutdown == NULL){ - goto fail; - } - - plugin->nyx_option_set_reload_mode = dlsym(handle, "nyx_option_set_reload_mode"); - if (plugin->nyx_option_set_reload_mode == NULL){ - goto fail; - } - - plugin->nyx_option_set_timeout = dlsym(handle, "nyx_option_set_timeout"); - if (plugin->nyx_option_set_timeout == NULL){ - goto fail; - } - - plugin->nyx_option_apply = dlsym(handle, "nyx_option_apply"); - if (plugin->nyx_option_apply == NULL){ - goto fail; - } - - plugin->nyx_set_afl_input = dlsym(handle, "nyx_set_afl_input"); - if (plugin->nyx_set_afl_input == NULL){ - goto fail; - } + ACTF("Trying to load libnyx.so plugin..."); + handle = dlopen((char *)libnyx_binary, RTLD_NOW); + if (!handle) { goto fail; } - plugin->nyx_exec = dlsym(handle, "nyx_exec"); - if (plugin->nyx_exec == NULL){ - goto fail; - } + plugin->nyx_new = dlsym(handle, "nyx_new"); + if (plugin->nyx_new == NULL) { goto fail; } - plugin->nyx_get_bitmap_buffer = dlsym(handle, "nyx_get_bitmap_buffer"); - if (plugin->nyx_get_bitmap_buffer == NULL){ - goto fail; - } + plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); + if (plugin->nyx_shutdown == NULL) { goto fail; } - plugin->nyx_get_bitmap_buffer_size = dlsym(handle, "nyx_get_bitmap_buffer_size"); - if 
(plugin->nyx_get_bitmap_buffer_size == NULL){ - goto fail; - } - - OKF("libnyx plugin is ready!"); - return plugin; + plugin->nyx_option_set_reload_mode = + dlsym(handle, "nyx_option_set_reload_mode"); + if (plugin->nyx_option_set_reload_mode == NULL) { goto fail; } - fail: + plugin->nyx_option_set_timeout = dlsym(handle, "nyx_option_set_timeout"); + if (plugin->nyx_option_set_timeout == NULL) { goto fail; } + + plugin->nyx_option_apply = dlsym(handle, "nyx_option_apply"); + if (plugin->nyx_option_apply == NULL) { goto fail; } + + plugin->nyx_set_afl_input = dlsym(handle, "nyx_set_afl_input"); + if (plugin->nyx_set_afl_input == NULL) { goto fail; } + + plugin->nyx_exec = dlsym(handle, "nyx_exec"); + if (plugin->nyx_exec == NULL) { goto fail; } + + plugin->nyx_get_bitmap_buffer = dlsym(handle, "nyx_get_bitmap_buffer"); + if (plugin->nyx_get_bitmap_buffer == NULL) { goto fail; } + + plugin->nyx_get_bitmap_buffer_size = + dlsym(handle, "nyx_get_bitmap_buffer_size"); + if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; } + + OKF("libnyx plugin is ready!"); + return plugin; + +fail: + + FATAL("failed to load libnyx: %s\n", dlerror()); + free(plugin); + return NULL; - FATAL("failed to load libnyx: %s\n", dlerror()); - free(plugin); - return NULL; } -#endif + + #endif /* Main entry point */ @@ -918,13 +903,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_banner = optarg; break; -#ifdef __linux__ - case 'X': /* NYX mode */ + #ifdef __linux__ + case 'X': /* NYX mode */ - if (afl->fsrv.nyx_mode) { - FATAL("Multiple -X options not supported"); - - } + if (afl->fsrv.nyx_mode) { FATAL("Multiple -X options not supported"); } afl->fsrv.nyx_parent = true; afl->fsrv.nyx_standalone = true; 
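Review bot: The `fail:` path of afl_load_libnyx_plugin calls `FATAL("failed to load libnyx: %s\n", dlerror())` before `free(plugin); return NULL;`, so if FATAL terminates the process as it does elsewhere in this file, the free and the NULL return are dead code and the `if (afl->fsrv.nyx_handlers == NULL)` check at the call site later in main is dead as well. Either demote the message to WARNF so the NULL return becomes the real error path (and `dlclose(handle)` before returning when a dlsym lookup fails), or drop the unreachable tail. `calloc` is not checked before `plugin->nyx_new` is written, and the eight identical dlsym-then-NULL-check pairs could be one loop over a table of name/slot pairs, which would also keep the required symbol list in one place. The plugin is loaded with RTLD_NOW from a path produced by find_afl_binary, so a comment stating that this path is trusted to the same degree as the afl-fuzz binary itself would document the boundary.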
@@ -933,21 +915,17 @@ int main(int argc, char **argv_orig, char **envp) { break; - case 'Y': /* NYX distributed mode */ - if (afl->fsrv.nyx_mode) { - - FATAL("Multiple -Y options not supported"); - - } + case 'Y': /* NYX distributed mode */ + if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); } afl->fsrv.nyx_mode = 1; break; -#else + #else case 'X': case 'Y': FATAL("Nyx mode is only availabe on linux..."); break; -#endif + #endif case 'A': /* CoreSight mode */ #if !defined(__aarch64__) || !defined(__linux__) @@ -1288,13 +1266,16 @@ int main(int argc, char **argv_orig, char **envp) { OKF("NOTE: This is v3.x which changes defaults and behaviours - see " "README.md"); -#ifdef __linux__ - if (afl->fsrv.nyx_mode){ + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { + OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); OKF("Nyx is open source, get it at " - "https://github.com/Nyx-Fuzz"); + "https://github.com/Nyx-Fuzz"); + } -#endif + + #endif if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { 
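Review bot: The `case 'Y'` guard `if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); }` also fires when `-X` was given first, since both options set nyx_mode, and then reports an error that does not describe what happened. A message covering both cases, e.g. `FATAL("-X and -Y may each be given only once and cannot be combined");`, used in both the 'X' and 'Y' cases would be accurate. That 'X' sets nyx_mode as well is outside this hunk and assumed.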
@@ -1337,32 +1318,55 @@ int main(int argc, char **argv_orig, char **envp) { } -#ifdef __linux__ + #ifdef __linux__ if (afl->fsrv.nyx_mode) { - if (afl->fsrv.nyx_standalone && strncmp(afl->sync_id, "default", strlen("default")) != 0){ - FATAL("distributed fuzzing is not supported in this Nyx mode (use -Y instead)"); + if (afl->fsrv.nyx_standalone && + strncmp(afl->sync_id, "default", strlen("default")) != 0) { + + FATAL( + "distributed fuzzing is not supported in this Nyx mode (use -Y " + "instead)"); + } - if (!afl->fsrv.nyx_standalone){ - if (afl->is_main_node){ - if(strncmp("0", afl->sync_id, strlen("0") != 0)){ - FATAL("for Nyx -Y mode, the Main (-M) parameter has to be set to 0 (-M 0)"); + if (!afl->fsrv.nyx_standalone) { + + if (afl->is_main_node) { + + if (strncmp("0", afl->sync_id, strlen("0") != 0)) { + + FATAL( + "for Nyx -Y mode, the Main (-M) parameter has to be set to 0 (-M " + "0)"); + } + afl->fsrv.nyx_id = 0; + } - if (afl->is_secondary_node){ + if (afl->is_secondary_node) { + long nyx_id = strtol(afl->sync_id, NULL, 10); - if (nyx_id == 0 || nyx_id == LONG_MAX){ - FATAL("for Nyx -Y mode, the Secondary (-S) parameter has to be a numeric value and >= 1 (e.g. -S 1)"); + if (nyx_id == 0 || nyx_id == LONG_MAX) { + + FATAL( + "for Nyx -Y mode, the Secondary (-S) parameter has to be a " + "numeric value and >= 1 (e.g. -S 1)"); + } + afl->fsrv.nyx_id = nyx_id; + } + } + } -#endif + + #endif if (afl->sync_id) { 
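Review bot: `if (strncmp("0", afl->sync_id, strlen("0") != 0))` in the Nyx -Y validation has its `!= 0` inside the length argument, so strncmp is called with n = 1 and the test only checks the first character — `-M 0x` or `-M 00` pass. The secondary-node branch is equally loose: `strtol(afl->sync_id, NULL, 10)` accepts trailing garbage and negative numbers, and `nyx_id == 0 || nyx_id == LONG_MAX` lets `-S -3` or `-S 2abc` through into `afl->fsrv.nyx_id`. The main-node test should be `if (strcmp(afl->sync_id, "0") != 0) {`, and the secondary-node parse should use the end pointer and a range check as below. Both strncmp calls dereference `afl->sync_id` unconditionally, while the `if (afl->sync_id)` guard right after this block suggests it can still be NULL for `-X` without `-M`/`-S`; that needs confirming. The enclosing main() runs well beyond this hunk.
```c
    if (afl->is_secondary_node) {

      char *end = NULL;
      long  nyx_id = strtol(afl->sync_id, &end, 10);
      if (end == afl->sync_id || *end != '\0' || nyx_id < 1 ||
          nyx_id == LONG_MAX) {

        FATAL(
            "for Nyx -Y mode, the Secondary (-S) parameter has to be a "
            "numeric value and >= 1 (e.g. -S 1)");

      }

      afl->fsrv.nyx_id = nyx_id;

    }
```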
@@ -1587,22 +1591,28 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; -#ifdef __linux__ - if (!afl->fsrv.nyx_mode){ + #ifdef __linux__ + if (!afl->fsrv.nyx_mode) { + check_crash_handling(); check_cpu_governor(afl); - } - else{ - u8* libnyx_binary = find_afl_binary(argv[0], "nyx_mode/libnyx.so"); + + } else { + + u8 *libnyx_binary = find_afl_binary(argv[0], "nyx_mode/libnyx.so"); afl->fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); - if(afl->fsrv.nyx_handlers == NULL){ + if (afl->fsrv.nyx_handlers == NULL) { + FATAL("failed to initialize libnyx.so..."); + } + } -#else + + #else check_crash_handling(); check_cpu_governor(afl); -#endif + #endif if (getenv("LD_PRELOAD")) { @@ -2085,11 +2095,15 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; } if (!afl->pending_not_fuzzed || !valid_seeds) { -#ifdef __linux__ - if(afl->fsrv.nyx_mode){ + + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { + afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner); + } -#endif + + #endif FATAL("We need at least one valid input seed that does not crash!"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 115f9f2a..e30819b3 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -105,15 +105,8 @@ static sharedmem_t * shm_fuzz; static const u8 count_class_human[256] = { - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 3, - [4] = 4, - [8] = 5, - [16] = 6, - [32] = 7, - [128] = 8 + [0] = 0, [1] = 1, [2] = 2, [3] = 3, [4] = 4, + [8] = 5, [16] = 6, [32] = 7, [128] = 8 }; -- cgit 1.4.1 From b5cb99f6fe84603d4bc896a2d56b9ad1e86779f6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 28 Dec 2021 20:30:52 +0100 Subject: fix nyx lib loading --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 01d2096b..e19d3c15 100644 --- a/src/afl-fuzz.c 
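Review bot: `libnyx_binary` returned by find_afl_binary is handed to afl_load_libnyx_plugin and then dropped; if find_afl_binary returns an allocated string (not visible here) the name is leaked for the life of the process, which is minor but avoidable with a `ck_free(libnyx_binary);` after the load. The NULL check on `afl->fsrv.nyx_handlers` only has an effect if afl_load_libnyx_plugin can return without terminating, which its `fail:` path as written does not. A short comment on the else branch stating why check_crash_handling() and check_cpu_governor() are skipped in Nyx mode — presumably because the target runs inside QEMU-Nyx rather than on the host — would save the next reader the inference. The enclosing main() continues beyond this hunk.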
+++ b/src/afl-fuzz.c @@ -1599,7 +1599,7 @@ int main(int argc, char **argv_orig, char **envp) { } else { - u8 *libnyx_binary = find_afl_binary(argv[0], "nyx_mode/libnyx.so"); + u8 *libnyx_binary = find_afl_binary(argv[0], "libnyx.so"); afl->fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); if (afl->fsrv.nyx_handlers == NULL) { -- cgit 1.4.1 From 0792cab5661271250218f6b83b2298e491191e67 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 29 Dec 2021 10:57:37 +0100 Subject: add power schedule info --- docs/FAQ.md | 21 +++++++++++++++++++++ docs/fuzzing_in_depth.md | 3 ++- src/afl-fuzz.c | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/docs/FAQ.md b/docs/FAQ.md index f1cffe00..3d3dce20 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -180,6 +180,27 @@ If you find an interesting or important question missing, submit it via [best_practices.md#improving-stability](best_practices.md#improving-stability).

+
+ What are power schedules?

+ + Not every item in our queue/corpus is the same, some are more interesting, + others provide little value. + A power schedule measures how "interesting" a value is, and depending on + the calculated value spends more or less time mutating it. + + AFL++ comes with several power schedules, initially ported from [AFLFast](https://github.com/mboehme/aflfast) + however modified to be more effective and several more modes added. + + The most effective modes are '-p fast` (default) and `-p explore`. + + If you fuzz with several parallel afl-fuzz instances, then it is beneficial + to assign a different schedule to each instance, however the majority should + be `fast` and `explore`. + + It does not make sense to explain the details of the calculation and + reasoning behind all of the schedules. If you are interested, read the source + code and the AFLFast paper. + ## Troubleshooting

diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 2db6cfda..760d780e 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -562,7 +562,8 @@ All other secondaries should be used like this: * a quarter to a third with the MOpt mutator enabled: `-L 0` * run with a different power schedule, recommended are: `fast (default), explore, coe, lin, quad, exploit and rare` which you can set - with, e.g., `-p explore` + with the `-p` option, e.g., `-p explore`. See the [FAQ](FAQ.md#what-are-power-schedules) + for details. * a few instances should use the old queue cycling with `-Z` Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e19d3c15..5c62262e 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -105,7 +105,7 @@ static void usage(u8 *argv0, int more_help) { " -p schedule - power schedules compute a seed's performance score:\n" " fast(default), explore, exploit, seek, rare, mmopt, " "coe, lin\n" - " quad -- see docs/power_schedules.md\n" + " quad -- see docs/FAQ.md for more information\n" " -f file - location read by the fuzzed program (default: stdin " "or @@)\n" " -t msec - timeout for each run (auto-scaled, default %u ms). " -- cgit 1.4.1 From e1082f2548a2497690d48a23b366362d478afdb6 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Sat, 1 Jan 2022 00:49:17 +0100 Subject: welcome 2022 --- GNUmakefile.gcc_plugin | 2 +- afl-whatsup | 2 +- frida_mode/Scripting.md | 2 +- include/afl-as.h | 2 +- include/afl-fuzz.h | 2 +- include/afl-prealloc.h | 2 +- include/alloc-inl.h | 2 +- include/cmplog.h | 2 +- include/common.h | 2 +- include/config.h | 2 +- include/debug.h | 2 +- include/forkserver.h | 2 +- include/hash.h | 2 +- include/list.h | 2 +- include/sharedmem.h | 2 +- include/snapshot-inl.h | 2 +- include/types.h | 2 +- include/xxhash.h | 2 +- instrumentation/afl-compiler-rt.o.c | 2 +- instrumentation/afl-gcc-pass.so.cc | 4 ++-- instrumentation/afl-llvm-dict2file.so.cc | 2 +- instrumentation/afl-llvm-lto-instrumentlist.so.cc | 2 +- instrumentation/afl-llvm-pass.so.cc | 2 +- instrumentation/cmplog-instructions-pass.cc | 2 +- instrumentation/cmplog-routines-pass.cc | 2 +- instrumentation/cmplog-switches-pass.cc | 2 +- qemu_mode/build_qemu_support.sh | 2 +- src/afl-analyze.c | 2 +- src/afl-as.c | 2 +- src/afl-cc.c | 2 +- src/afl-common.c | 2 +- src/afl-forkserver.c | 2 +- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-extras.c | 2 +- src/afl-fuzz-init.c | 2 +- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-one.c | 2 +- src/afl-fuzz-python.c | 2 +- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-redqueen.c | 10 +++++----- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-state.c | 2 +- src/afl-fuzz-stats.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-gotcpu.c | 2 +- src/afl-ld-lto.c | 2 +- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- test-instr.c | 2 +- unicorn_mode/build_unicorn_support.sh | 2 +- 52 files changed, 57 insertions(+), 57 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/GNUmakefile.gcc_plugin b/GNUmakefile.gcc_plugin index ed2725d7..63b22017 100644 --- a/GNUmakefile.gcc_plugin +++ b/GNUmakefile.gcc_plugin 
@@ -11,7 +11,7 @@ # from Laszlo Szekeres. # # Copyright 2015 Google Inc. All rights reserved. -# Copyright 2019-2020 AFLplusplus Project. All rights reserved. +# Copyright 2019-2022 AFLplusplus Project. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/afl-whatsup b/afl-whatsup index c9abbe91..160a8c74 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -6,7 +6,7 @@ # Originally written by Michal Zalewski # # Copyright 2015 Google Inc. All rights reserved. -# Copyright 2019-2020 AFLplusplus Project. All rights reserved. +# Copyright 2019-2022 AFLplusplus Project. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index e9788131..8634860b 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -390,7 +390,7 @@ Consider the [following](test/js/test2.c) test code... -------------------------------------------------------- Originally written by Michal Zalewski Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: diff --git a/include/afl-as.h b/include/afl-as.h index 2a2e8ad7..bbbd5582 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index e59b3781..e225211f 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index 87bbb1cc..bdf0d87f 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 0c540330..6c2bafff 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/cmplog.h b/include/cmplog.h index 8778a4b6..c6d2957e 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -12,7 +12,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
diff --git a/include/common.h b/include/common.h index 6c8e3b3a..896c5fb2 100644 --- a/include/common.h +++ b/include/common.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/config.h b/include/config.h index b787152f..99cacc40 100644 --- a/include/config.h +++ b/include/config.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2021 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/debug.h b/include/debug.h index feb7f52d..31ebd0f2 100644 --- a/include/debug.h +++ b/include/debug.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/forkserver.h b/include/forkserver.h index 2418381f..48db2e26 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -12,7 +12,7 @@ Dominik Maier > Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/hash.h b/include/hash.h index 9bb34ff8..d8fef70c 100644 --- a/include/hash.h 
+++ b/include/hash.h @@ -15,7 +15,7 @@ Other code written by Michal Zalewski Copyright 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/list.h b/include/list.h index d49e56da..a6223564 100644 --- a/include/list.h +++ b/include/list.h @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/sharedmem.h b/include/sharedmem.h index 93080d0f..e646b73f 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -12,7 +12,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h index 7234bbaa..8d2f41ff 100644 --- a/include/snapshot-inl.h +++ b/include/snapshot-inl.h @@ -12,7 +12,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/types.h b/include/types.h index bbcc2f81..4a68b1b0 100644 --- a/include/types.h +++ b/include/types.h 
@@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/include/xxhash.h b/include/xxhash.h index 8cf4a345..4f101003 100644 --- a/include/xxhash.h +++ b/include/xxhash.h @@ -1,7 +1,7 @@ /* * xxHash - Extremely Fast Hash algorithm * Header File - * Copyright (C) 2012-2020 Yann Collet + * Copyright (C) 2012-2022 Yann Collet * * BSD 2-Clause License (https://www.opensource.org/licenses/bsd-license.php) * diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index fe701b7a..1b9fdee3 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -3,7 +3,7 @@ ------------------------------------------------ Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index df2b6f2a..734fa170 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -2,7 +2,7 @@ Copyright 2014-2019 Free Software Foundation, Inc Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AdaCore + Copyright 2019-2022 AdaCore Written by Alexandre Oliva , based on the AFL LLVM pass by Laszlo Szekeres and Michal @@ -901,7 +901,7 @@ struct afl_pass : gimple_opt_pass { static struct plugin_info afl_plugin = { - .version = "20200907", + .version = "20220907", .help = G_("AFL gcc plugin\n\ \n\ Set AFL_QUIET in the environment to silence it.\n\ 
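Review bot: `.version = "20220907"` in afl-gcc-pass.so.cc is a date string, and the mechanical 2020→2022 replacement behind this commit turned it into a date nine months after the commit; it should carry the commit's own date or be left untouched. The same replacement reached non-copyright values elsewhere in this commit: in src/afl-fuzz-redqueen.c the lowercase-folding mask `0x2020202020202020` in cmp_extend_encoding became `0x2022202020202020`, which changes the top byte of the mask from the ASCII case bit to a different value and alters the comparison result, and the comment above it was rewritten the same way; that hunk should be reverted to the 0x20 mask. The `Copyright (C) 2012-2022 Yann Collet` edit in include/xxhash.h rewrites a third-party notice and probably should not have been made either.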
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index 5e7faba7..39124660 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -4,7 +4,7 @@ Written by Marc Heuse - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index bac02977..35ba9c5a 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -9,7 +9,7 @@ from afl-as.c are Michal's fault. Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 18c0294e..899734f8 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -12,7 +12,7 @@ NGRAM previous location coverage comes from Adrian Herrera. Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index a2083a33..a0b386d5 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
@@ -5,7 +5,7 @@ Written by Andrea Fioraldi Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 076d2779..2af01a7a 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -5,7 +5,7 @@ Written by Andrea Fioraldi Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc index 8501d514..068650ce 100644 --- a/instrumentation/cmplog-switches-pass.cc +++ b/instrumentation/cmplog-switches-pass.cc @@ -5,7 +5,7 @@ Written by Andrea Fioraldi Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 71453a71..86ebb4d4 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh 
@@ -13,7 +13,7 @@ # counters by Andrea Fioraldi # # Copyright 2015, 2016, 2017 Google Inc. All rights reserved. -# Copyright 2019-2020 AFLplusplus Project. All rights reserved. +# Copyright 2019-2022 AFLplusplus Project. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 86278c31..fc868603 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-as.c b/src/afl-as.c index b644b82a..1edc8cca 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-cc.c b/src/afl-cc.c index 9e5eed93..49000877 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -5,7 +5,7 @@ Written by Michal Zalewski, Laszlo Szekeres and Marc Heuse Copyright 2015, 2016 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-common.c b/src/afl-common.c index 9973ac08..7ba3bb74 100644 --- a/src/afl-common.c +++ b/src/afl-common.c 
@@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 4d57b95d..eebbb7c8 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -13,7 +13,7 @@ Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 7a236005..8d044959 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 28a3ae3f..ce8f1a83 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -11,7 +11,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 0f0fe331..535ffdc3 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c 
@@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index dc18f1a9..5449460e 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index e0dfd6b0..51a43dbd 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 34711940..26a01948 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 6484768b..65501c8c 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c 
@@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 2d76e4d2..9ca89944 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index e363dffd..982fcf09 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -11,7 +11,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -989,10 +989,10 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - // test for to lowercase, eg. "new_val = (user_val | 0x2020) ..." + // test for to lowercase, eg. "new_val = (user_val | 0x2022) ..." if (*status != 1) { - if ((b_val | (0x2020202020202020 & mask)) == (pattern & mask)) { + if ((b_val | (0x2022202020202020 & mask)) == (pattern & mask)) { diff = 1; 
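Review bot: The new mask `0x2022202020202020` in the `b_val` compare is wrong: the OR-with-0x20-in-every-byte trick folds ASCII 'A'..'Z' onto 'a'..'z', and the 0x22 in the most-significant byte also sets bit 1, so in that byte position `'A' | 0x22` and `'a' | 0x22` both become `'c'` and the comparison against `(pattern & mask)` no longer tests case-insensitive equality. The comment above it was rewritten the same way (`0x2020` became `0x2022`), which looks like the copyright-year 2020→2022 substitution in this commit also hit these constants; both should be reverted: `// test for to lowercase, eg. "new_val = (user_val | 0x2020) ..."` and `if ((b_val | (0x2020202020202020 & mask)) == (pattern & mask)) {`. cmp_extend_encoding begins and ends outside this hunk.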
@@ -1002,7 +1002,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if ((o_b_val | (0x2020202020202020 & mask)) == (o_pattern & mask)) { + if ((o_b_val | (0x2022202020202020 & mask)) == (o_pattern & mask)) { o_diff = 1; @@ -1070,7 +1070,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, // this could be a lower to upper - u64 new_repl = (repl | (0x2020202020202020 & mask)); + u64 new_repl = (repl | (0x2022202020202020 & mask)); // fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl); if (unlikely(cmp_extend_encoding( diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index d730876a..eaa82b19 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -10,7 +10,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 737a49a7..69ffa8cf 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index ba8faaf0..1170bdb8 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
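Review bot: The `o_b_val` compare carries the same broken constant as the `b_val` branch: a lowercase fold needs 0x20 in every byte, and the 0x22 byte of `0x2022202020202020` sets bit 1 as well, so a letter in that byte position is mapped to a different character and `o_diff` is set or left clear for the wrong inputs. Restore `if ((o_b_val | (0x2020202020202020 & mask)) == (o_pattern & mask)) {` so this branch agrees with the other seven bytes of its own mask. The enclosing function continues outside this hunk.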
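Review bot: `new_repl` is built with the same corrupted mask, so `repl | (0x2022202020202020 & mask)` no longer yields the lower-case variant of `repl`: the 0x22 byte flips bit 1 in that position and the candidate passed to the recursive cmp_extend_encoding call is an unrelated byte rather than the lowercased one whenever that position holds a letter. The unchanged comment above it ("this could be a lower to upper") shows the intent is the plain 0x20 fold; change the line to `u64 new_repl = (repl | (0x2020202020202020 & mask));`. The arguments of the recursive call continue outside this hunk.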
@@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5c62262e..1030dfdf 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index f8466680..539206ce 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -9,7 +9,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-ld-lto.c b/src/afl-ld-lto.c index 1dcdb176..9b58125f 100644 --- a/src/afl-ld-lto.c +++ b/src/afl-ld-lto.c @@ -9,7 +9,7 @@ Andrea Fioraldi Dominik Maier - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index c1d4ff03..8d58bb3e 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c 
@@ -11,7 +11,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-showmap.c b/src/afl-showmap.c index e30819b3..3fdbe8fe 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -12,7 +12,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/src/afl-tmin.c b/src/afl-tmin.c index b5b015ce..1bf4af38 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -12,7 +12,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/test-instr.c b/test-instr.c index eaae50ef..b2caa1fe 100644 --- a/test-instr.c +++ b/test-instr.c @@ -3,7 +3,7 @@ -------------------------------------------------------- Originally written by Michal Zalewski Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Copyright 2019-2022 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index f9c0be7f..340ac77c 100755 
--- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -14,7 +14,7 @@ # # # Copyright 2017 Battelle Memorial Institute. All rights reserved. -# Copyright 2019-2020 AFLplusplus Project. All rights reserved. +# Copyright 2019-2022 AFLplusplus Project. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. -- cgit 1.4.1