From 7b40d7b9420b2e3adb7d9afa88610199718dedba Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 12 May 2020 11:12:25 +0200 Subject: new code formatting + applied --- src/afl-fuzz.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aaf615e9..8075f03d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -853,7 +853,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#if defined(__SANITIZE_ADDRESS__) + #if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { WARNF("in the ASAN build we disable all memory limits"); @@ -861,7 +861,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#endif + #endif setup_signal_handlers(); check_asan_opts(); @@ -1054,9 +1054,9 @@ int main(int argc, char **argv_orig, char **envp) { get_core_count(afl); -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY bind_to_free_cpu(afl); -#endif /* HAVE_AFFINITY */ + #endif /* HAVE_AFFINITY */ check_crash_handling(); check_cpu_governor(afl); @@ -1352,12 +1352,12 @@ stop_fuzzing: } -#ifdef PROFILING + #ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", time_spent_working / 1000000, time_spent_working / afl->fsrv.total_execs); -#endif + #endif fclose(afl->fsrv.plot_file); destroy_queue(afl); -- cgit 1.4.1 From 60a5df52623802ccadd0691b812761b3f4a9120e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 13 May 2020 16:49:00 +0200 Subject: code-format and slight -S/-M modifications --- examples/custom_mutators/example.c | 7 ++++--- include/afl-fuzz.h | 9 ++++---- src/afl-fuzz-cmplog.c | 1 - src/afl-fuzz-init.c | 42 ++++++++++++++++++++++---------------- src/afl-fuzz-mutators.c | 3 ++- src/afl-fuzz-python.c | 9 +++++--- src/afl-fuzz.c | 14 +++++-------- 7 files changed, 46 insertions(+), 39 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index c9be3e0c..23add128 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -139,10 +139,11 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, * @return Size of the output buffer after processing or the needed amount. * A return of 0 indicates an error. */ -size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, size_t buf_size, - uint8_t **out_buf) { +size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, + size_t buf_size, uint8_t **out_buf) { - uint8_t *post_process_buf = maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); + uint8_t *post_process_buf = + maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); if (!post_process_buf) { perror("custom mutator realloc failed."); diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index cf8ef735..a1aa58d6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -407,7 +407,9 @@ typedef struct afl_state { no_unlink, /* do not unlink cur_input */ debug, /* Debug mode */ custom_only, /* Custom mutator only mode */ - python_only; /* Python-only mode */ + python_only, /* Python-only mode */ + is_master, /* if this is a master */ + is_slave; /* if this is a slave */ u32 stats_update_freq; /* Stats update frequency (execs) */ @@ -418,7 +420,6 @@ typedef struct afl_state { size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32); u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ @@ -547,7 +548,7 @@ typedef struct afl_state { /* afl_postprocess API - Now supported via custom mutators */ - struct custom_mutator * post_library_mutator; + struct custom_mutator *post_library_mutator; /* CmpLog */ @@ -674,7 +675,7 @@ struct custom_mutator { * @return Size of the output buffer. */ size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size, - u8 **out_buf); + u8 **out_buf); /** * This method is called at the start of each trimming operation and receives diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 4be6a2c8..faf4dcb7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -51,7 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index aea22f48..d468f2c8 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -297,14 +297,24 @@ void setup_post(afl_state_t *afl) { dh = dlopen(fn, RTLD_NOW); if (!dh) { FATAL("%s", dlerror()); } - struct custom_mutator * mutator; + struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); memset(mutator, 0, sizeof(struct custom_mutator)); mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); - if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess' not found."); } + if (!mutator->afl_custom_post_process) { + + FATAL("Symbol 'afl_postprocess' not found."); + + } + mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); - if (!mutator->afl_custom_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } + if (!mutator->afl_custom_init) { + + FATAL("Symbol 'afl_postprocess_init' not found."); + + } + mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); if (!mutator->afl_custom_post_process) { @@ -1373,6 +1383,17 @@ void setup_dirs_fds(afl_state_t *afl) { } +/* + if (afl->is_master) { + + u8 *x = alloc_printf("%s/is_master", afl->sync_dir); + int fd = open(x, O_CREAT | O_RDWR, 0644); + if (fd < 0) FATAL("cannot create %s", x); + close(fd); + + } +*/ + if (mkdir(afl->out_dir, 0700)) { if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } @@ -1861,14 +1882,6 @@ void fix_up_sync(afl_state_t *afl) { if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } - if (afl->skip_deterministic) { - - if (afl->force_deterministic) { FATAL("use -S instead of -M -d"); } - // else - // FATAL("-S already implies -d"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { @@ -1888,13 +1901,6 @@ void fix_up_sync(afl_state_t *afl) { afl->sync_dir = afl->out_dir; afl->out_dir = x; - if (!afl->force_deterministic) { - - afl->skip_deterministic = 1; - afl->use_splicing = 1; - - } - } /* Handle screen resize (SIGWINCH). */ diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index acc1b12d..87cb86fa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -108,7 +108,8 @@ void setup_custom_mutators(afl_state_t *afl) { #endif - if (afl->post_library_mutator) list_append(&afl->custom_mutator_list, afl->post_library_mutator); + if (afl->post_library_mutator) + list_append(&afl->custom_mutator_list, afl->post_library_mutator); } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 2569cdaf..2044c97d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -384,7 +384,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, + u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; @@ -402,7 +403,8 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], + py_args); Py_DECREF(py_args); @@ -412,7 +414,8 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->post_process_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), + py_out_buf_size); Py_DECREF(py_value); *out_buf = py->post_process_buf; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8075f03d..979ebfa3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -390,7 +390,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->force_deterministic = 1; + afl->is_master = 1; } @@ -400,6 +400,9 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); + afl->is_slave = 1; + afl->skip_deterministic = 1; + afl->use_splicing = 1; break; case 'f': /* target file */ @@ -500,12 +503,6 @@ int main(int argc, char **argv_orig, char **envp) { case 'd': /* skip deterministic */ - if (afl->skip_deterministic) { - - FATAL("Multiple -d options not supported"); - - } - afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -794,8 +791,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->force_deterministic && - afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " -- cgit 1.4.1 From d334093606ff4fb77822f11cde7a80fa880de0c7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 14 May 2020 01:00:11 +0200 Subject: deprecated AFL_POST_LIBRARY --- README.md | 5 +- docs/Changelog.md | 2 + docs/env_variables.md | 5 +- docs/sister_projects.md | 7 -- examples/post_library/post_library.so.c | 159 ---------------------------- examples/post_library/post_library_png.so.c | 156 --------------------------- include/afl-fuzz.h | 5 +- src/afl-common.c | 2 +- src/afl-fuzz-init.c | 48 --------- src/afl-fuzz-state.c | 6 +- src/afl-fuzz.c | 3 - test/test.sh | 1 - 12 files changed, 14 insertions(+), 385 deletions(-) delete mode 100644 examples/post_library/post_library.so.c delete mode 100644 examples/post_library/post_library_png.so.c (limited to 'src/afl-fuzz.c') diff --git a/README.md b/README.md index 04ead78e..a2c81aa4 100644 --- a/README.md +++ b/README.md @@ -672,8 +672,9 @@ Here are some of the most important caveats for AFL: To work around this, you can comment out the relevant checks (see examples/libpng_no_checksum/ for inspiration); if this is not possible, - you can also write a postprocessor, as explained in - examples/post_library/ (with AFL_POST_LIBRARY) + you can also write a postprocessor, one of the hooks of custom mutators. + See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use + `AFL_CUSTOM_MUTATOR_LIBRARY` - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md) diff --git a/docs/Changelog.md b/docs/Changelog.md index 0b5c11e8..4b2d7977 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -15,6 +15,8 @@ sending a mail to . - better python detection - an old, old bug in afl that would show negative stability in rare circumstances is now hopefully fixed + - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see docs/custom_mutators.md) - llvm_mode: - afl-clang-fast/lto now do not skip single block functions. This behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK diff --git a/docs/env_variables.md b/docs/env_variables.md index 36e5a432..2668be7d 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -310,9 +310,8 @@ checks or alter some of the more exotic semantics of the tool: else. This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. - - Setting AFL_POST_LIBRARY allows you to configure a postprocessor for - mutated files - say, to fix up checksums. See examples/post_library/ - for more. + - Note that AFL_POST_LIBRARY is deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see below). - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with afl_custom_fuzz() creates additional mutations through this library. diff --git a/docs/sister_projects.md b/docs/sister_projects.md index 1625044c..a501ecbd 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -56,13 +56,6 @@ functionality is now available as the "persistent" feature described in http://llvm.org/docs/LibFuzzer.html -## AFL fixup shim (Ben Nagy) - -Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages -that don't have C / .so bindings. Includes examples in Go. - -https://github.com/bnagy/aflfix - ## TriforceAFL (Tim Newsham and Jesse Hertz) Leverages QEMU full system emulation mode to allow AFL to target operating diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c deleted file mode 100644 index d9504b23..00000000 --- a/examples/post_library/post_library.so.c +++ /dev/null @@ -1,159 +0,0 @@ -/* - american fuzzy lop++ - postprocessor library example - -------------------------------------------------- - - Originally written by Michal Zalewski - Edited by Dominik Maier, 2020 - - Copyright 2015 Google Inc. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Postprocessor libraries can be passed to afl-fuzz to perform final cleanup - of any mutated test cases - for example, to fix up checksums in PNG files. - - Please heed the following warnings: - - 1) In almost all cases, it is more productive to comment out checksum logic - in the targeted binary (as shown in ../libpng_no_checksum/). One possible - exception is the process of fuzzing binary-only software in QEMU mode. - - 2) The use of postprocessors for anything other than checksums is - questionable and may cause more harm than good. AFL is normally pretty good - about dealing with length fields, magic values, etc. - - 3) Postprocessors that do anything non-trivial must be extremely robust to - gracefully handle malformed data and other error conditions - otherwise, - they will crash and take afl-fuzz down with them. Be wary of reading past - *len and of integer overflows when calculating file offsets. - - In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really, - honestly know what you're doing =) - - With that out of the way: the postprocessor library is passed to afl-fuzz - via AFL_POST_LIBRARY. The library must be compiled with: - - gcc -shared -Wall -O3 post_library.so.c -o post_library.so - - AFL will call the afl_postprocess() function for every mutated output buffer. - From there, you have three choices: - - 1) If you don't want to modify the test case, simply set `*out_buf = in_buf` - and return the original `len`. - - 2) If you want to skip this test case altogether and have AFL generate a - new one, return 0 or set `*out_buf = NULL`. - Use this sparingly - it's faster than running the target program - with patently useless inputs, but still wastes CPU time. - - 3) If you want to modify the test case, allocate an appropriately-sized - buffer, move the data into that buffer, make the necessary changes, and - then return the new pointer as out_buf. Return an appropriate len - afterwards. - - Note that the buffer will *not* be freed for you. To avoid memory leaks, - you need to free it or reuse it on subsequent calls (as shown below). - - *** Feel free to reuse the original 'in_buf' BUFFER and return it. *** - - Aight. The example below shows a simple postprocessor that tries to make - sure that all input files start with "GIF89a". - - PS. If you don't like C, you can try out the unix-based wrapper from - Ben Nagy instead: https://github.com/bnagy/aflfix - - */ - -#include -#include -#include - -/* Header that must be present at the beginning of every test case: */ - -#define HEADER "GIF89a" - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl, unsigned int seed) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -/* The actual postprocessor routine called by afl-fuzz: */ - -size_t afl_postprocess(post_state_t *data, unsigned char *in_buf, - unsigned int len, unsigned char **out_buf) { - - /* Skip execution altogether for buffers shorter than 6 bytes (just to - show how it's done). We can trust len to be sane. */ - - if (len < strlen(HEADER)) return 0; - - /* Do nothing for buffers that already start with the expected header. */ - - if (!memcmp(in_buf, HEADER, strlen(HEADER))) { - - *out_buf = in_buf; - return len; - - } - - /* Allocate memory for new buffer, reusing previous allocation if - possible. */ - - *out_buf = realloc(data->buf, len); - - /* If we're out of memory, the most graceful thing to do is to return the - original buffer and give up on modifying it. Let AFL handle OOM on its - own later on. */ - - if (!*out_buf) { - - *out_buf = in_buf; - return len; - - } - - /* Copy the original data to the new location. */ - - memcpy(*out_buf, in_buf, len); - - /* Insert the new header. */ - - memcpy(*out_buf, HEADER, strlen(HEADER)); - - /* Return the new len. It hasn't changed, so it's just len. */ - - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c deleted file mode 100644 index b29afd62..00000000 --- a/examples/post_library/post_library_png.so.c +++ /dev/null @@ -1,156 +0,0 @@ -/* - american fuzzy lop++ - postprocessor for PNG - ------------------------------------------ - - Originally written by Michal Zalewski - - Copyright 2015 Google Inc. All rights reserved. - Adapted to the new API, 2020 by Dominik Maier - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - See post_library.so.c for a general discussion of how to implement - postprocessors. This specific postprocessor attempts to fix up PNG - checksums, providing a slightly more complicated example than found - in post_library.so.c. - - Compile with: - - gcc -shared -Wall -O3 post_library_png.so.c -o post_library_png.so -lz - - */ - -#include -#include -#include -#include -#include - -#include - -/* A macro to round an integer up to 4 kB. */ - -#define UP4K(_i) ((((_i) >> 12) + 1) << 12) - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl, unsigned int seed) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -size_t afl_postprocess(post_state_t *data, const unsigned char *in_buf, - unsigned int len, const unsigned char **out_buf) { - - unsigned char *new_buf = (unsigned char *)in_buf; - unsigned int pos = 8; - - /* Don't do anything if there's not enough room for the PNG header - (8 bytes). */ - - if (len < 8) { - - *out_buf = in_buf; - return len; - - } - - /* Minimum size of a zero-length PNG chunk is 12 bytes; if we - don't have that, we can bail out. */ - - while (pos + 12 <= len) { - - unsigned int chunk_len, real_cksum, file_cksum; - - /* Chunk length is the first big-endian dword in the chunk. */ - - chunk_len = ntohl(*(uint32_t *)(in_buf + pos)); - - /* Bail out if chunk size is too big or goes past EOF. */ - - if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > len) break; - - /* Chunk checksum is calculated for chunk ID (dword) and the actual - payload. */ - - real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4)); - - /* The in-file checksum is the last dword past the chunk data. */ - - file_cksum = *(uint32_t *)(in_buf + pos + 8 + chunk_len); - - /* If the checksums do not match, we need to fix the file. */ - - if (real_cksum != file_cksum) { - - /* First modification? Make a copy of the input buffer. Round size - up to 4 kB to minimize the number of reallocs needed. */ - - if (new_buf == in_buf) { - - if (len <= data->size) { - - new_buf = data->buf; - - } else { - - new_buf = realloc(data->buf, UP4K(len)); - if (!new_buf) { - - *out_buf = in_buf; - return len; - - } - - data->buf = new_buf; - data->size = UP4K(len); - memcpy(new_buf, in_buf, len); - - } - - } - - *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum; - - } - - /* Skip the entire chunk and move to the next one. */ - - pos += 12 + chunk_len; - - } - - *out_buf = new_buf; - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index a1aa58d6..9907c245 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -323,9 +323,8 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child_output, afl_autoresume, afl_cal_fast; - u8 *afl_tmpdir, *afl_post_library, *afl_custom_mutator_library, - *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, - *afl_preload; + u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, + *afl_hang_tmout, *afl_skip_crashes, *afl_preload; } afl_env_vars_t; diff --git a/src/afl-common.c b/src/afl-common.c index 74fd6b27..808c9812 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -76,7 +76,7 @@ char *afl_environment_variables[] = { "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally - "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", + "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index daaac969..0a7941f2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -280,54 +280,6 @@ cpuset_destroy(c); #endif /* HAVE_AFFINITY */ -/* Load postprocessor, if available. */ - -void setup_post(afl_state_t *afl) { - - void *dh; - u8 * fn = afl->afl_env.afl_post_library; - u8 tbuf[6]; - u32 tlen = 6; - strncpy(tbuf, "hello", tlen); - - if (!fn) { return; } - - ACTF("Loading postprocessor from '%s'...", fn); - - dh = dlopen(fn, RTLD_NOW); - if (!dh) { FATAL("%s", dlerror()); } - - struct custom_mutator *mutator; - mutator = ck_alloc(sizeof(struct custom_mutator)); - memset(mutator, 0, sizeof(struct custom_mutator)); - - mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); - if (!mutator->afl_custom_post_process) { - - FATAL("Symbol 'afl_postprocess' not found."); - - } - - mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); - if (!mutator->afl_custom_init) { - - WARNF("optional symbol 'afl_postprocess_init' not found."); - - } - - mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!mutator->afl_custom_post_process) { - - WARNF("optional symbol 'afl_postprocess_deinit' not found."); - - } - - afl->post_library_mutator = mutator; - - OKF("Postprocessor installed successfully."); - -} - /* Shuffle an array of pointers. Might be slightly biased. */ static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 316f9bd9..99863103 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -313,8 +313,10 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->afl_env.afl_post_library = - (u8 *)get_afl_env(afl_environment_variables[i]); + FATAL( + "AFL_POST_LIBRARY is deprecated, use " + "AFL_CUSTOM_MUTATOR_LIBRARY instead, see " + "docs/custom_mutators.md"); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 979ebfa3..8625c37c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -187,7 +187,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_UI: switch status screen off\n" "AFL_PATH: path to AFL support binaries\n" - "AFL_POST_LIBRARY: postprocess generated test cases before use as target input\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -1060,8 +1059,6 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); - setup_post(afl); - if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); memset(afl->virgin_crash, 255, afl->fsrv.map_size); diff --git a/test/test.sh b/test/test.sh index 6c05571b..cb38346d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,7 +60,6 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT -unset AFL_POST_LIBRARY unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD -- cgit 1.4.1