From 07346cb06d7c31e7fc7443490797192cafc90705 Mon Sep 17 00:00:00 2001
From: Jesse Hertz
Date: Tue, 27 Jul 2021 23:47:23 -0400
Subject: fix check again clang asan lib to work on mac and linux by removing a character
---
 src/afl-fuzz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/afl-fuzz.c')
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 0c7b6e42..b6da5a72 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -339,7 +339,7 @@ static void fasan_check_afl_preload(char *afl_preload) { char * separator = strchr(afl_preload, ':'); size_t first_preload_len = PATH_MAX; char * basename;
- char clang_runtime_prefix[] = "libclang_rt.asan-";
+ char clang_runtime_prefix[] = "libclang_rt.asan";
 if (separator != NULL && (separator - afl_preload) < PATH_MAX) {
-- cgit 1.4.1
From 8ad6e7c1404be214ea25692cbd9093aad3dff9ae Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 2 Aug 2021 10:15:13 +0200
Subject: fix afl_preload issues on macos
---
 docs/Changelog.md | 1 +
 docs/INSTALL.md | 2 +-
 src/afl-fuzz.c | 5 +++--
 3 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'src/afl-fuzz.c')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 10d25754..d397a764 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -17,6 +17,7 @@ sending a mail to . configuration settings for fuzzing, for Linux and Macos. thanks to jhertz!
 - added xml, curl and exotic string functions to llvm dictionary features
+ - fix AFL_PRELOAD issues on MacOS
 - removed utils/afl_frida because frida_mode/ is now so much better
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index b3f9fb96..17af532a 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
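Review bot: The shortened prefix `"libclang_rt.asan"` now matches any preloaded library whose basename starts with that string, not only the one the old `"libclang_rt.asan-"` caught, and nothing in the hunk says that this widening is deliberate, so the next reader is likely to put the `-` back. Suggest a comment on the changed line, `/* no trailing '-': the runtime is libclang_rt.asan-<arch>.so on Linux but libclang_rt.asan_osx_dynamic.dylib on macOS */`. Whether another library sharing the prefix can legitimately appear in AFL_PRELOAD and would now be mistaken for the ASan runtime is not visible here and worth confirming. fasan_check_afl_preload's body continues past the hunk.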
@@ -74,7 +74,7 @@ and depend mostly on user feedback. To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. If possible avoid Xcode at all cost.
-`brew install wget git make cmake llvm`
+`brew install wget git make cmake llvm gdb`
 Be sure to setup PATH to point to the correct clang binaries and use the freshly installed clang, clang++ and gmake, e.g.:
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index b6da5a72..c97427e1 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1398,6 +1398,9 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver;
+ check_crash_handling();
+ check_cpu_governor(afl);
+
 if (getenv("LD_PRELOAD")) { WARNF(
@@ -1498,8 +1501,6 @@ int main(int argc, char **argv_orig, char **envp) { }
- check_crash_handling();
- check_cpu_governor(afl);
 get_core_count(afl);
-- cgit 1.4.1
From 5700b3c7500204d386d2f9e0f696b4604f0416a8 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 10 Aug 2021 10:02:50 +0200
Subject: remove outdated references
---
 src/afl-forkserver.c | 7 ++-----
 src/afl-fuzz-init.c | 4 ++--
 src/afl-fuzz-python.c | 2 +-
 src/afl-fuzz.c | 1 -
 src/afl-sharedmem.c | 7 ++++++-
 5 files changed, 11 insertions(+), 10 deletions(-)
(limited to 'src/afl-fuzz.c')
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 26a9aaed..c8c94c08 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -845,9 +845,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, " from the fuzzer! Since it seems to be built with ASAN and you " "have a\n" " restrictive memory limit configured, this is expected; please "
- "read\n"
- " %s/notes_for_asan.md for help and run with '-m 0'.\n", doc_path);
+ "run with '-m 0'.\n");
 } else if (!fsrv->mem_limit) {
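Review bot: The two calls moved up in the @@ -1398 hunk, `check_crash_handling();` and `check_cpu_governor(afl);`, now run before the LD_PRELOAD/AFL_PRELOAD handling, and nothing in the code records why; the commit message only says it fixes AFL_PRELOAD on macOS. A one-line comment above the calls stating the actual ordering constraint, e.g. `/* must run before the preload setup below: <reason> */`, would keep a later cleanup from moving them back next to get_core_count(), where the @@ -1498 hunk removes them. main() starts and ends outside both hunks.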
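Review bot: The ASAN memory-limit explanation edited in the @@ -845 hunk exists a second time in the @@ -946 hunk of the same file with the same wording, and this commit has to apply the same by-hand edit to both; factoring the shared sentence into one `static const char *` (or a macro) would keep the two copies from drifting the next time the advice changes. Here the visible `%s` removal and the dropped `doc_path` argument land in the same hunk, so the specifier/argument balance of this call is easy to verify in place. afl_fsrv_start continues outside the hunk.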
@@ -946,8 +944,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "with ASAN and\n" " you have a restrictive memory limit configured, this is " "expected; please\n"
- " read %s/notes_for_asan.md for help and run with '-m 0'.\n", doc_path);
+ " run with '-m 0'.\n");
 } else if (!fsrv->mem_limit) {
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index faa45a4e..9bb25785 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -978,7 +978,7 @@ void perform_dry_run(afl_state_t *afl) { "quickly\n" " estimate the required amount of virtual memory for the " "binary. Also,\n"
- " if you are using ASAN, see %s/notes_for_asan.md.\n\n"
+ " if you are using ASAN, set '-m 0'.\n\n"
 " - In QEMU persistent mode the selected address(es) for the " "loop are not\n"
@@ -994,7 +994,7 @@ void perform_dry_run(afl_state_t *afl) { "troubleshooting tips.\n", stringify_mem_size(val_buf, sizeof(val_buf), afl->fsrv.mem_limit << 20),
- afl->fsrv.mem_limit - 1, doc_path);
+ afl->fsrv.mem_limit - 1);
 } else {
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index e1c879f4..065977c0 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -445,7 +445,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, /* Initialize the custom mutator */ init_py(afl, py_mutator, rand_below(afl, 0xFFFFFFFF)); - + mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); mutator->stacked_custom_prob = 6; // like one of the default mutations in havoc
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index c97427e1..9b9e01a4 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1501,7 +1501,6 @@ int main(int argc, char **argv_orig, char **envp) { } - get_core_count(afl); atexit(at_exit);
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index b2cdac9b..22fe5a62 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
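Review bot: Dropping `doc_path` from the argument list in the @@ -994 hunk of src/afl-fuzz-init.c only balances if the `%s` removed in the @@ -978 hunk was the last `%s` in that format string; the part of the string between the two hunks is not visible, so the remaining specifiers should be checked against the two surviving arguments, `stringify_mem_size(...)` and `afl->fsrv.mem_limit - 1` (compile with `-Wformat` if the macro hands the literal to a printf-family function). A mismatch here is undefined behavior in a message that is only printed on a failing dry run, so it would not show up in normal testing. perform_dry_run starts and ends outside both hunks.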
@@ -244,7 +244,11 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
- if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); }
+ if (shm->shm_id < 0) {
+
+ PFATAL("shmget() failed, try running afl-system-config");
+
+ }
 if (shm->cmplog_mode) {
@@ -325,3 +329,4 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, return shm->map; }
+
-- cgit 1.4.1
From c775f40ebf935ec85619fa3903af7a20a38baf98 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 12 Aug 2021 14:32:44 +0200
Subject: AFL_IGNORE_PROBLEMS + library checks and documentation
---
 README.md | 7 +++++++
 docs/Changelog.md | 4 ++++
 docs/env_variables.md | 4 ++++
 include/afl-fuzz.h | 2 +-
 include/envs.h | 1 +
 instrumentation/README.lto.md | 28 ++++++++++++++++++++++++++++
 src/afl-fuzz-state.c | 7 +++++++
 src/afl-fuzz-stats.c | 14 ++++++++++++++
 src/afl-fuzz.c | 1 +
 9 files changed, 67 insertions(+), 1 deletion(-)
(limited to 'src/afl-fuzz.c')
diff --git a/README.md b/README.md
index 438f9425..b3e464e1 100644
--- a/README.md
+++ b/README.md
@@ -473,6 +473,13 @@ compiler is used. Also - if possible - you should always configure the build system such that the target is compiled statically and not dynamically. How to do this is described below.
+The #1 rule when instrumenting a target is: avoid instrumenting shared
+libraries at all cost. You would need to set LD_LIBRARY_PATH to point to
+these, you could accidently type "make install" and install them system wide -
+so don't. Really don't.
+**Always compile libraries you want to have instrumented as static and link
+these to the target program!**
+
 Then build the target. (Usually with `make`) **NOTES**
diff --git a/docs/Changelog.md b/docs/Changelog.md
index c5ff8adb..daa014e4 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,6 +9,10 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev)
+ - afl-fuzz:
+ added AFL_IGNORE_PROBLEMS plus checks to identify and abort on
+ incorrect LTO usage setups and enhanced the READMEs for better
+ information on how to deal with instrumenting libraries
 - added the very good grammar mutator "GramaTron" to the custom_mutators
 - added optimin, a faster and better corpus minimizer by
diff --git a/docs/env_variables.md b/docs/env_variables.md
index cceffa68..0686f1a8 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -432,6 +432,10 @@ checks or alter some of the more exotic semantics of the tool: and RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be enabled in config.h first!
+ - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session
+ (not at startup), it will terminate. If you do not want this then you can
+ set `AFL_IGNORE_PROBLEMS`.
+
 - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. Others need not apply, unless they also want to disable the `/proc/sys/kernel/core_pattern` check.
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 3d528bc4..4b19e698 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -384,7 +384,7 @@ typedef struct afl_env_vars { afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
- afl_exit_on_seed_issues, afl_try_affinity;
+ afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems;
 u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
diff --git a/include/envs.h b/include/envs.h
index 26cc250f..49605330 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -88,6 +88,7 @@ static char *afl_environment_variables[] = { "AFL_HARDEN", "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IGNORE_UNKNOWN_ENVS",
+ "AFL_IGNORE_PROBLEMS",
 "AFL_IMPORT_FIRST", "AFL_INST_LIBS", "AFL_INST_RATIO",
diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md
index 626bc9cb..38252308 100644
--- a/instrumentation/README.lto.md
+++ b/instrumentation/README.lto.md
@@ -138,6 +138,34 @@ make NOTE: some targets also need to set the linker, try both `afl-clang-lto` and `afl-ld-lto` for `LD=` before `configure`.
+## Instrumenting shared libraries
+
+Note: this is highly discouraged! Try to compile to static libraries with
+afl-clang-lto instead of shared libraries!
+
+To make instrumented shared libraries work with afl-clang-lto you have to do
+quite some extra steps.
+
+Every shared library you want to instrument has to be individually compiled-
+The environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during
+compilation.
+Additionally the environment variable `AFL_LLVM_LTO_STARTID` has to be set to
+the combined edge values of all previous compiled instrumented shared
+libraries for that target.
+E.g. for the first shared library this would be `AFL_LLVM_LTO_STARTID=0` and
+afl-clang-lto will then report how many edges have been instrumented (let's say
+it reported 1000 instrumented edges).
+The second shared library then has to be set to that value
+(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to all previous
+combined, etc.
+
+The final program compilation step then may *not* have `AFL_LLVM_LTO_DONTWRITEID`
+set, and `AFL_LLVM_LTO_STARTID` must be set to all combined edges of all shared
+libaries it will be linked to.
+
+This is quite some hands-on work, so better stay away from instrumenting
+shared libraries :-)
+
 ## AUTODICTIONARY feature
 While compiling, a dictionary based on string comparisons is automatically
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index b832c11e..24ccc108 100644
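Review bot: `"AFL_IGNORE_PROBLEMS"` is inserted after `"AFL_IGNORE_UNKNOWN_ENVS"` in the @@ -88 hunk of include/envs.h, although the surrounding entries (`AFL_HARDEN`, `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`, `AFL_IGNORE_UNKNOWN_ENVS`, `AFL_IMPORT_FIRST`) are kept alphabetical and `PROBLEMS` sorts before `UNKNOWN_ENVS`; moving the new entry one line up keeps the table scannable. The same placement is repeated in the usage() text of src/afl-fuzz.c (the @@ -216 hunk), where the new `AFL_IGNORE_PROBLEMS:` line also follows `AFL_IGNORE_UNKNOWN_ENVS:`. The afl_environment_variables array starts and ends outside the hunk.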
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -267,6 +267,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_force_ui = get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+ } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_ignore_problems =
+ get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
 } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", afl_environment_variable_len)) {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index ead65b1d..a9deb22d 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -534,6 +534,20 @@ void show_stats(afl_state_t *afl) { t_bytes = count_non_255_bytes(afl, afl->virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size;
+ if (unlikely(t_bytes > afl->fsrv.real_map_size)) {
+
+ if (unlikely(!afl->afl_env.afl_ignore_problems)) {
+
+ FATAL(
+ "Incorrect fuzzing setup detected. Your target seems to have loaded "
+ "incorrectly instrumented shared libraries. If you use LTO mode "
+ "please see instrumentation/README.lto.md. To ignore this problem "
+ "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n");
+
+ }
+
+ }
+
 if (likely(t_bytes) && unlikely(afl->var_byte_count)) { stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 9b9e01a4..8ffc0e77 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
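Review bot: When `afl_ignore_problems` is set, the `t_bytes > afl->fsrv.real_map_size` condition in the @@ -534 hunk of src/afl-fuzz-stats.c is swallowed silently on every show_stats() call, so an operator who set AFL_IGNORE_PROBLEMS to get past the abort is never told that the condition keeps firing, while `t_byte_ratio`, computed just above from the same two values, is left above 100%. A one-shot warning in the else branch keeps the signal in the log without reintroducing the abort: `} else { static u8 warned_once; if (!warned_once) { warned_once = 1; WARNF("Incorrect fuzzing setup detected, continuing because AFL_IGNORE_PROBLEMS is set"); } }`. A comment on the outer `if` stating what makes t_bytes exceed real_map_size (the FATAL text attributes it to incorrectly instrumented shared libraries) would also help the next reader, since the relation between count_non_255_bytes() and real_map_size is not visible here. show_stats() continues outside the hunk.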
@@ -216,6 +216,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n" "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
+ "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n"
 "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
-- cgit 1.4.1