From 9d3e6a869e9474c1a3927a319b6ec2142130f5d3 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 21 Jan 2022 07:21:43 +0100 Subject: add LTO support in nyx_mode --- src/afl-fuzz.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1edf82f4..50874f47 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -404,6 +404,12 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { plugin->nyx_new = dlsym(handle, "nyx_new"); if (plugin->nyx_new == NULL) { goto fail; } + plugin->nyx_new_parent = dlsym(handle, "nyx_new_parent"); + if (plugin->nyx_new_parent == NULL) { goto fail; } + + plugin->nyx_new_child = dlsym(handle, "nyx_new_child"); + if (plugin->nyx_new_child == NULL) { goto fail; } + plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); if (plugin->nyx_shutdown == NULL) { goto fail; } @@ -1340,7 +1346,8 @@ int main(int argc, char **argv_orig, char **envp) { "0)"); } - + + afl->fsrv.nyx_parent = true; afl->fsrv.nyx_id = 0; } -- cgit 1.4.1 From 61d79f85c5f1f0d80bb7ab2d10d502fbd637ee83 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 23 Jan 2022 19:20:32 +0100 Subject: code format --- docs/Changelog.md | 23 ++++++++++++----------- include/forkserver.h | 12 ++++++------ src/afl-forkserver.c | 11 ++++++++--- src/afl-fuzz.c | 2 +- 4 files changed, 27 insertions(+), 21 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 687232a0..e25b43da 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,7 +1,7 @@ # Changelog - This is the list of all noteworthy changes made in every public release of - the tool. See README.md for the general instruction manual. + This is the list of all noteworthy changes made in every public + release of the tool. See README.md for the general instruction manual. ## Staying informed @@ -9,7 +9,8 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) - - documentation restructuring, made possible by Google Season of Docs + - complete documentation restructuring, made possible by Google Season + of Docs :) thank you Jana! - we renamed several UI and fuzzer_stat entries to be more precise, e.g. "unique crashes" -> "saved crashes", "total paths" -> "corpus count", "current path" -> "current item". @@ -17,14 +18,14 @@ sending a mail to . - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! - unicorn_mode: - - Moved to unicorn2! By Ziqiao Kong (@lazymio) - - Faster, more accurate emulation (newer QEMU base), riscv support + - Moved to unicorn2! by Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), risc-v support - removed indirections in rust callbacks - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you - will now see crashes. before you would have colliding coverage. - we changed this to force fixing a broken setup rather then allowing + will now see a crash. Before you would have colliding coverage. + We changed this to force fixing a broken setup rather then allowing ineffective fuzzing. See docs/best_practices.md how to fix such setups. - afl-fuzz: @@ -35,7 +36,7 @@ sending a mail to . - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries - - fix -n dumb mode (nobody should use this) + - fix -n dumb mode (nobody should use this mode though) - fix stability issue with LTO and cmplog - better banner - more effective cmplog mode @@ -63,7 +64,7 @@ sending a mail to . - fixed a potential crash in targets for LAF string handling - fixed a bad assert in LAF split switches - added AFL_USE_TSAN thread sanitizer support - - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) + - llvm and LTO mode modified to work with new llvm 14-dev (again.) - fix for AFL_REAL_LD - more -z defs filtering - make -v without options work @@ -74,7 +75,7 @@ sending a mail to . - added afl-persistent-config script to set perform permanent system configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! - - added xml, curl and exotic string functions to llvm dictionary features + - added xml, curl & exotic string functions to llvm dictionary feature - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) @@ -97,7 +98,7 @@ sending a mail to . - Fix to instrument global namespace functions in c++ - Fix for llvm 13 - support partial linking - - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE + - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary andDICT2FILE - We do support llvm versions from 3.8 to 5.0 again - frida_mode: - several fixes for cmplog diff --git a/include/forkserver.h b/include/forkserver.h index 4a05b17e..01f45587 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -53,14 +53,14 @@ typedef enum NyxReturnValue { typedef struct { - void *(*nyx_new)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t input_buffer_size, - bool input_buffer_write_protection); + void *(*nyx_new)(const char *sharedir, const char *workdir, uint32_t cpu_id, + uint32_t input_buffer_size, + bool input_buffer_write_protection); void *(*nyx_new_parent)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t input_buffer_size, - bool input_buffer_write_protection); + uint32_t cpu_id, uint32_t input_buffer_size, + bool input_buffer_write_protection); void *(*nyx_new_child)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t worker_id); + uint32_t cpu_id, uint32_t worker_id); void (*nyx_shutdown)(void *qemu_process); void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable); void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index ffcb30c3..62110ad5 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -405,20 +405,25 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->nyx_standalone){ + if (fsrv->nyx_standalone) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); - } - else{ + + } else { + if (fsrv->nyx_parent) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); } else { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id); } + } if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 50874f47..e322ee57 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1346,7 +1346,7 @@ int main(int argc, char **argv_orig, char **envp) { "0)"); } - + afl->fsrv.nyx_parent = true; afl->fsrv.nyx_id = 0; -- cgit 1.4.1 From 7270cbe756113c4adf64a89dab364c32c6f6e55a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 24 Jan 2022 10:28:48 +0100 Subject: try fix --- qemu_mode/qemuafl | 2 +- src/afl-fuzz.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index ce65a734..8809a2b2 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit ce65a7349e7156e052b37a660422cad8346764d0 +Subproject commit 8809a2b2ebf089d3427dd8f6a0044bcc2e13b389 diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e322ee57..06bff2be 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -50,14 +50,14 @@ static void at_exit() { char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr; - ptr = getenv(CPU_AFFINITY_ENV_VAR); - if (ptr && *ptr) unlink(ptr); + ptr = getenv("__AFL_TARGET_PID2"); + if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); ptr = getenv("__AFL_TARGET_PID1"); if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM); - ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); + ptr = getenv(CPU_AFFINITY_ENV_VAR); + if (ptr && *ptr) unlink(ptr); i = 0; while (list[i] != NULL) { -- cgit 1.4.1 From d9ed7842987f221eee068c0b61cf890d5ed6aff7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 25 Jan 2022 14:51:02 +0100 Subject: ensure all fuzz targets are killed on exit --- docs/Changelog.md | 1 + src/afl-fuzz.c | 57 ++++++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 47 insertions(+), 11 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index e25b43da..e89a0761 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -33,6 +33,7 @@ sending a mail to . (it is better!) - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! + - ensure all spawned targets are killed on exit - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 06bff2be..d34cc6b4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -46,15 +46,31 @@ extern u64 time_spent_working; static void at_exit() { - s32 i, pid1 = 0, pid2 = 0; + s32 i, pid1 = 0, pid2 = 0, pgrp = -1; char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr; ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); + if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid2); +#endif + if (pgrp > 0) { killpg(pgrp, SIGTERM); } + kill(pid2, SIGTERM); + + } ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM); + if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, SIGTERM); } + kill(pid1, SIGTERM); + + } ptr = getenv(CPU_AFFINITY_ENV_VAR); if (ptr && *ptr) unlink(ptr); @@ -85,8 +101,25 @@ static void at_exit() { /* AFL_KILL_SIGNAL should already be a valid int at this point */ if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); } - if (pid1 > 0) { kill(pid1, kill_signal); } - if (pid2 > 0) { kill(pid2, kill_signal); } + if (pid1 > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, kill_signal); } + kill(pid1, kill_signal); + + } + + if (pid2 > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, kill_signal); } + kill(pid2, kill_signal); + + } } @@ -121,8 +154,7 @@ static void usage(u8 *argv0, int more_help) { #if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" - " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n" + " -W - use qemu-based instrumentation with Wine (Wine mode)\n" #endif #if defined(__linux__) " -X - use VM fuzzing (NYX mode - standalone mode)\n" @@ -173,8 +205,8 @@ static void usage(u8 *argv0, int more_help) { " -T text - text banner to show on the screen\n" " -I command - execute this command/script when a new crash is " "found\n" - //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap - //" "file\n" + //" -B bitmap.txt - mutate a specific test case, use the + //out/default/fuzz_bitmap file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" " -b cpu_id - bind the fuzzing process to the specified CPU core " "(0-...)\n" @@ -744,6 +776,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'f': /* target file */ if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); } + afl->fsrv.out_file = ck_strdup(optarg); afl->fsrv.use_stdin = 0; break; @@ -923,6 +956,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Y': /* NYX distributed mode */ if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); } + afl->fsrv.nyx_mode = 1; break; @@ -966,6 +1000,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': /* QEMU mode */ if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } + afl->fsrv.qemu_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -1076,6 +1111,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'L': { /* MOpt mode */ if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); } + afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) { @@ -1276,8 +1312,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.nyx_mode) { OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); - OKF("Nyx is open source, get it at " - "https://github.com/Nyx-Fuzz"); + OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz"); } -- cgit 1.4.1 From b0758ac8db0a2ec833b5ef7a60ab2d04cc7f6a9a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 26 Jan 2022 09:55:12 +0100 Subject: 4.00c readiness --- README.md | 4 ++-- coresight_mode/coresight-trace | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- docs/Changelog.md | 2 +- include/config.h | 2 +- src/afl-fuzz.c | 2 +- test/test-unicorn-mode.sh | 4 ++-- 7 files changed, 9 insertions(+), 9 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/README.md b/README.md index f050728c..049518f8 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ AFL++ logo -Release version: [3.14c](https://github.com/AFLplusplus/AFLplusplus/releases) +Release version: [4.00c](https://github.com/AFLplusplus/AFLplusplus/releases) -GitHub version: 3.15a +GitHub version: 4.00c Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) diff --git a/coresight_mode/coresight-trace b/coresight_mode/coresight-trace index ec0fd610..fe8b26ea 160000 --- a/coresight_mode/coresight-trace +++ b/coresight_mode/coresight-trace @@ -1 +1 @@ -Subproject commit ec0fd6104720ac0b59967616363dc18209adc02e +Subproject commit fe8b26ea4b07fafa6f24e77c84dad0f3925d47d8 diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index 6ca490c6..cbe5e327 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit 6ca490c66b949db20d8c861ebc8fb2e6ca725ead +Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff diff --git a/docs/Changelog.md b/docs/Changelog.md index e89a0761..7f539556 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -8,7 +8,7 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . -### Version ++3.15a (dev) +### Version ++4.00c (release) - complete documentation restructuring, made possible by Google Season of Docs :) thank you Jana! - we renamed several UI and fuzzer_stat entries to be more precise, diff --git a/include/config.h b/include/config.h index 99cacc40..66a646b1 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++3.15a" +#define VERSION "++4.00c" /****************************************************** * * diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index d34cc6b4..a96dee97 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -315,7 +315,7 @@ static void usage(u8 *argv0, int more_help) { SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", (char *)PYTHON_VERSION); #else - SAYF("Compiled without python module support.\n"); + SAYF("Compiled without Python module support.\n"); #endif #ifdef AFL_PERSISTENT_RECORD diff --git a/test/test-unicorn-mode.sh b/test/test-unicorn-mode.sh index e197e226..182958d6 100755 --- a/test/test-unicorn-mode.sh +++ b/test/test-unicorn-mode.sh @@ -4,7 +4,7 @@ $ECHO "$BLUE[*] Testing: unicorn_mode" test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shellcode && { - test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { + test -e ../unicorn_mode/samples/python_simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { # We want to see python errors etc. in logs, in case something doesn't work export AFL_DEBUG_CHILD=1 @@ -61,7 +61,7 @@ test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shel { $ECHO "$GREY[*] running afl-fuzz for unicorn_mode in python, this will take approx 25 seconds" { - ../afl-fuzz -m ${MEM_LIMIT} -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/simple/simple_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -m ${MEM_LIMIT} -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/python_simple/simple_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode" -- cgit 1.4.1