From 9100f3c416707d926fc100d4441cf32bb1da6dd6 Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Tue, 22 Jun 2021 05:34:20 +0000 Subject: Add initial CoreSight mode support The original code is: https://github.com/RICSecLab/AFLplusplus-cs/tree/retrage/coresight-mode-pr Signed-off-by: Akira Moroo --- src/afl-fuzz.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c08b8fbb..99eebfaa 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -113,6 +113,7 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" + " -A - use binary-only instrumentation (CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" @@ -434,7 +435,8 @@ int main(int argc, char **argv_orig, char **envp) { while ((opt = getopt( argc, argv, - "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > 0) { + "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > + 0) { switch (opt) { @@ -825,6 +827,13 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_banner = optarg; break; + case 'A': /* CoreSight mode */ + + if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } + afl->fsrv.cs_mode = 1; + + break; + case 'O': /* FRIDA mode */ if (afl->fsrv.frida_mode) { @@ -1212,6 +1221,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); } if (afl->fsrv.frida_mode) { FATAL("-O and -n are mutually exclusive"); } if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); } + if (afl->fsrv.cs_mode) { FATAL("-A and -n are mutually exclusive"); } if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); } } 
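Review bot: The new `case 'A'` only rejects a repeated `-A`; nothing in this commit rejects combining it with the other binary-only modes, so `-A -Q` or `-A -O` sets two of `cs_mode`, `qemu_mode` and `frida_mode` at once and the `else if (afl->fsrv.cs_mode)` branch added at @@ -1697 is presumably skipped in favour of whichever branch precedes it, without any diagnostic. If main() already has a pairwise exclusivity check for `-O`/`-Q`/`-U` after the option loop (not visible here), `cs_mode` belongs in it; otherwise a check next to the `-n` block at @@ -1212, `if (afl->fsrv.cs_mode && (afl->fsrv.qemu_mode || afl->fsrv.frida_mode || afl->unicorn_mode)) { FATAL("-A is mutually exclusive with -O, -Q and -U"); }`, covers every option ordering. main() starts and ends outside these hunks.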
@@ -1458,6 +1468,8 @@ int main(int argc, char **argv_orig, char **envp) { } else { + /* CoreSight mode uses the default behavior. */ + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); @@ -1651,7 +1663,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && + if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode && !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); @@ -1697,6 +1709,11 @@ int main(int argc, char **argv_orig, char **envp) { } + } else if (afl->fsrv.cs_mode) { + + use_argv = get_cs_argv(argv[0], &afl->fsrv.target_path, argc - optind, + argv + optind); + } else { use_argv = argv + optind; @@ -1704,7 +1721,7 @@ int main(int argc, char **argv_orig, char **envp) { } if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || - afl->fsrv.frida_mode || afl->unicorn_mode) { + afl->fsrv.frida_mode || afl->fsrv.cs_mode || afl->unicorn_mode) { map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE; afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size); @@ -1724,7 +1741,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode && - !afl->unicorn_mode && !afl->fsrv.frida_mode && + !afl->unicorn_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode && !afl->afl_env.afl_skip_bin_check) { if (map_size <= DEFAULT_SHMEM_SIZE) { @@ -1777,6 +1794,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv); // TODO: this is semi-nice afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits; + afl->cmplog_fsrv.cs_mode = afl->fsrv.cs_mode; afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode; afl->cmplog_fsrv.frida_mode = afl->fsrv.frida_mode; afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; 
@@ -1785,7 +1803,7 @@ int main(int argc, char **argv_orig, char **envp) { if ((map_size <= DEFAULT_SHMEM_SIZE || afl->cmplog_fsrv.map_size < map_size) && !afl->non_instrumented_mode && !afl->fsrv.qemu_mode && - !afl->fsrv.frida_mode && !afl->unicorn_mode && + !afl->fsrv.frida_mode && !afl->unicorn_mode && !afl->fsrv.cs_mode && !afl->afl_env.afl_skip_bin_check) { afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE); -- cgit 1.4.1 From d63d69a1f66e00f453e358662527fbd78361147d Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Fri, 12 Nov 2021 05:33:40 +0000 Subject: Clarify usage message for ARM CoreSight mode REF: https://github.com/AFLplusplus/AFLplusplus/pull/1156#issuecomment-966196217 Signed-off-by: Akira Moroo --- src/afl-analyze.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index c8b82428..4872c60d 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -848,7 +848,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" - " -A - use binary-only instrumentation (CoreSight mode)\n" + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 99eebfaa..6538e0a0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -113,7 +113,7 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" - " -A - use binary-only instrumentation (CoreSight mode)\n" + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" diff --git a/src/afl-showmap.c b/src/afl-showmap.c index daaed767..4c207d62 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -845,7 +845,7 @@ static void usage(u8 *argv0) { " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%u MB)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" - " -P - use binary-only instrumentation (CoreSight mode)\n" + " -P - use binary-only instrumentation (ARM CoreSight mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use Unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 212b6251..42883404 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -866,6 +866,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" -- cgit 1.4.1 From c2feee4ed1b35cc590e2beaa595d710b09e1427c Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Fri, 12 Nov 2021 06:01:19 +0000 Subject: Add platform check for `-A` CoreSight mode REF: https://github.com/AFLplusplus/AFLplusplus/pull/1156#discussion_r747454306 
Signed-off-by: Akira Moroo --- src/afl-analyze.c | 6 ++++++ src/afl-fuzz.c | 7 +++++++ src/afl-showmap.c | 6 ++++++ src/afl-tmin.c | 6 ++++++ 4 files changed, 25 insertions(+) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 4872c60d..6e1a9e7b 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -997,6 +997,12 @@ int main(int argc, char **argv_orig, char **envp) { if (cs_mode) { FATAL("Multiple -A options not supported"); } + if (!(__aarch64__ && __linux__)) { + + FATAL("-A option is not supported on this platform"); + + } + cs_mode = 1; fsrv.cs_mode = cs_mode; break; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6538e0a0..e6d9508b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -830,6 +830,13 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } + + if (!(__aarch64__ && __linux__)) { + + FATAL("-A option is not supported on this platform"); + + } + afl->fsrv.cs_mode = 1; break; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 57737562..0e7d9df6 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1069,6 +1069,12 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } + if (!(__aarch64__ && __linux__)) { + + FATAL("-P option is not supported on this platform"); + + } + fsrv->cs_mode = true; break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 42883404..110beed5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1040,6 +1040,12 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } + if (!(__aarch64__ && __linux__)) { + + FATAL("-A option is not supported on this platform"); + + } + fsrv->cs_mode = 1; break; -- cgit 1.4.1 From feff8191ecbde9bb039e2311440f47e8f0325413 Mon Sep 17 00:00:00 2001 
From: Akira Moroo Date: Mon, 15 Nov 2021 01:57:36 +0000 Subject: Fix platform check for `-A` CoreSight mode Signed-off-by: Akira Moroo --- src/afl-analyze.c | 10 ++++------ src/afl-fuzz.c | 10 ++++------ src/afl-showmap.c | 10 ++++------ src/afl-tmin.c | 10 ++++------ 4 files changed, 16 insertions(+), 24 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 6e1a9e7b..bc562c15 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -995,13 +995,11 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ - if (cs_mode) { FATAL("Multiple -A options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-A option is not supported on this platform"); +#if !defined(__aarch64__) || !defined(__linux__) + FATAL("-A option is not supported on this platform"); +#endif - } + if (cs_mode) { FATAL("Multiple -A options not supported"); } cs_mode = 1; fsrv.cs_mode = cs_mode; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e6d9508b..44363c2b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -829,13 +829,11 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ - if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-A option is not supported on this platform"); + #if !defined(__aarch64__) || !defined(__linux__) + FATAL("-A option is not supported on this platform"); + #endif - } + if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } afl->fsrv.cs_mode = 1; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 0e7d9df6..899baaa0 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
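Review bot: The `#if !defined(__aarch64__) || !defined(__linux__)` guard in the afl-fuzz.c hunk is indented with the surrounding code while the identical guard in the afl-analyze.c, afl-showmap.c and afl-tmin.c hunks of this commit sits at column 0; both are valid C, but the four copies should use one layout. It is also worth a comment that on an unsupported build the `FATAL` is compiled in unconditionally at the top of `case 'A'`, so the remainder of the case is unreachable there while `-A` is still parsed by getopt and listed in usage(); something like `/* -A is functional only on aarch64 Linux; other builds still parse it so the error is explicit */` above the `#if` records that this is intended rather than an oversight. main() starts and ends outside the hunk.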
@@ -1067,13 +1067,11 @@ int main(int argc, char **argv_orig, char **envp) { * undocumenetd feature "Another afl-cmin specific feature." */ case 'P': /* CoreSight mode */ - if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-P option is not supported on this platform"); +#if !defined(__aarch64__) || !defined(__linux__) + FATAL("-P option is not supported on this platform"); +#endif - } + if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } fsrv->cs_mode = true; break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 110beed5..22383a4e 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1038,13 +1038,11 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ - if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-A option is not supported on this platform"); +#if !defined(__aarch64__) || !defined(__linux__) + FATAL("-A option is not supported on this platform"); +#endif - } + if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } fsrv->cs_mode = 1; break; -- cgit 1.4.1 From d4a0fd41cd29b5862cac0b99b96b2afc67e33c7d Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Mon, 15 Nov 2021 02:15:58 +0000 Subject: Check `-M` / `-S` is not specified with `-A` Signed-off-by: Akira Moroo --- src/afl-fuzz.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 44363c2b..dfd62db8 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -565,6 +565,12 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->fsrv.cs_mode) { + + FATAL("-M is not supported in ARM CoreSight mode"); + + } + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } /* sanity check for argument: should not begin with '-' (possible 
@@ -611,6 +617,12 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->fsrv.cs_mode) { + + FATAL("-S is not supported in ARM CoreSight mode"); + + } + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } /* sanity check for argument: should not begin with '-' (possible @@ -833,6 +845,12 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("-A option is not supported on this platform"); #endif + if (afl->is_main_node || afl->is_secondary_node) { + + FATAL("ARM CoreSight mode is not supported with -M / -S"); + + } + if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } afl->fsrv.cs_mode = 1; -- cgit 1.4.1
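Review bot: The `-A` versus `-M`/`-S` exclusion is now enforced at three places inside the getopt switch (the `case 'M'` and `case 'S'` hunks at @@ -565 and @@ -611, and `case 'A'` here), and the copy in `case 'A'` is only correct if `is_main_node`/`is_secondary_node` are assigned by the earlier cases, which this hunk does not show. A single check after the option loop, next to the existing `-n` exclusivity block, gives the same guarantee for every option ordering with one message, e.g. `if (afl->fsrv.cs_mode && afl->sync_id) { FATAL("ARM CoreSight mode is not supported with -M / -S"); }`, assuming `sync_id` is set by both `-M` and `-S` as the shared "Multiple -S or -M options not supported" error suggests. That would also remove the two differently worded messages for one condition. main() starts and ends outside the hunk.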