From a632c00b0d023b8a40d09839fbb2662da1cb5d37 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:08:49 +0200 Subject: switch to faster and better hash + random --- src/afl-performance.c | 135 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 src/afl-performance.c (limited to 'src/afl-performance.c') diff --git a/src/afl-performance.c b/src/afl-performance.c new file mode 100644 index 00000000..a2eca8c9 --- /dev/null +++ b/src/afl-performance.c @@ -0,0 +1,135 @@ +/* Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org) + +To the extent possible under law, the author has dedicated all copyright +and related and neighboring rights to this software to the public domain +worldwide. This software is distributed without any warranty. + +See . + + This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators. + It has excellent (sub-ns) speed, a state (256 bits) that is large + enough for any parallel application, and it passes all tests we are + aware of. + + For generating just floating-point numbers, xoshiro256+ is even faster. + + The state must be seeded so that it is not everywhere zero. If you have + a 64-bit seed, we suggest to seed a splitmix64 generator and use its + output to fill s. */ + +#include +#include "afl-fuzz.h" +#include "types.h" +#include "xxh3.h" + +static inline uint64_t rotl(const uint64_t x, int k) { + + return (x << k) | (x >> (64 - k)); + +} + +uint64_t rand_next(afl_state_t *afl) { + + const uint64_t result = + rotl(afl->rand_seed[0] + afl->rand_seed[3], 23) + afl->rand_seed[0]; + + const uint64_t t = afl->rand_seed[1] << 17; + + afl->rand_seed[2] ^= afl->rand_seed[0]; + afl->rand_seed[3] ^= afl->rand_seed[1]; + afl->rand_seed[1] ^= afl->rand_seed[2]; + afl->rand_seed[0] ^= afl->rand_seed[3]; + + afl->rand_seed[2] ^= t; + + afl->rand_seed[3] = rotl(afl->rand_seed[3], 45); + + return result; + +} + +/* This is the jump function for the generator. It is equivalent + to 2^128 calls to rand_next(); it can be used to generate 2^128 + non-overlapping subsequences for parallel computations. */ + +void jump(afl_state_t *afl) { + + static const uint64_t JUMP[] = {0x180ec6d33cfd0aba, 0xd5a61266f0c9392c, + 0xa9582618e03fc9aa, 0x39abdc4529b1661c}; + + uint64_t s0 = 0; + uint64_t s1 = 0; + uint64_t s2 = 0; + uint64_t s3 = 0; + for (int i = 0; i < sizeof JUMP / sizeof *JUMP; i++) + for (int b = 0; b < 64; b++) { + + if (JUMP[i] & UINT64_C(1) << b) { + + s0 ^= afl->rand_seed[0]; + s1 ^= afl->rand_seed[1]; + s2 ^= afl->rand_seed[2]; + s3 ^= afl->rand_seed[3]; + + } + + rand_next(afl); + + } + + afl->rand_seed[0] = s0; + afl->rand_seed[1] = s1; + afl->rand_seed[2] = s2; + afl->rand_seed[3] = s3; + +} + +/* This is the long-jump function for the generator. It is equivalent to + 2^192 calls to rand_next(); it can be used to generate 2^64 starting points, + from each of which jump() will generate 2^64 non-overlapping + subsequences for parallel distributed computations. */ + +void long_jump(afl_state_t *afl) { + + static const uint64_t LONG_JUMP[] = {0x76e15d3efefdcbbf, 0xc5004e441c522fb3, + 0x77710069854ee241, 0x39109bb02acbe635}; + + uint64_t s0 = 0; + uint64_t s1 = 0; + uint64_t s2 = 0; + uint64_t s3 = 0; + for (int i = 0; i < sizeof LONG_JUMP / sizeof *LONG_JUMP; i++) + for (int b = 0; b < 64; b++) { + + if (LONG_JUMP[i] & UINT64_C(1) << b) { + + s0 ^= afl->rand_seed[0]; + s1 ^= afl->rand_seed[1]; + s2 ^= afl->rand_seed[2]; + s3 ^= afl->rand_seed[3]; + + } + + rand_next(afl); + + } + + afl->rand_seed[0] = s0; + afl->rand_seed[1] = s1; + afl->rand_seed[2] = s2; + afl->rand_seed[3] = s3; + +} + +u32 hash32(const void *key, u32 len, u32 seed) { + + return XXH64(key, len, seed) % 0x100000000; + +} + +u64 hash64(const void *key, u32 len, u64 seed) { + + return XXH64(key, len, seed); + +} + -- cgit 1.4.1 From ce1af1bc9c0b58aea653abec8fb42f9714d4308f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:57:33 +0200 Subject: code-format killed the compilation --- include/xxhash.h | 8 ++++++-- src/afl-performance.c | 19 ++++++++++--------- 2 files changed, 16 insertions(+), 11 deletions(-) (limited to 'src/afl-performance.c') diff --git a/include/xxhash.h b/include/xxhash.h index 296fc856..826f39bd 100644 --- a/include/xxhash.h +++ b/include/xxhash.h @@ -1371,7 +1371,9 @@ static xxh_u32 XXH32_avalanche(xxh_u32 h32) { static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, XXH_alignment align) { -\ + + /* dummy comment */ + #define XXH_PROCESS1 \ do { \ \ @@ -1978,7 +1980,9 @@ static xxh_u64 XXH64_avalanche(xxh_u64 h64) { static xxh_u64 XXH64_finalize(xxh_u64 h64, const xxh_u8 *ptr, size_t len, XXH_alignment align) { -\ + + /* dummy comment */ + #define XXH_PROCESS1_64 \ do { \ \ diff --git a/src/afl-performance.c b/src/afl-performance.c index a2eca8c9..7a911ffd 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -56,13 +56,13 @@ void jump(afl_state_t *afl) { static const uint64_t JUMP[] = {0x180ec6d33cfd0aba, 0xd5a61266f0c9392c, 0xa9582618e03fc9aa, 0x39abdc4529b1661c}; - - uint64_t s0 = 0; - uint64_t s1 = 0; - uint64_t s2 = 0; - uint64_t s3 = 0; - for (int i = 0; i < sizeof JUMP / sizeof *JUMP; i++) - for (int b = 0; b < 64; b++) { + int i, b; + uint64_t s0 = 0; + uint64_t s1 = 0; + uint64_t s2 = 0; + uint64_t s3 = 0; + for (i = 0; i < sizeof JUMP / sizeof *JUMP; i++) + for (b = 0; b < 64; b++) { if (JUMP[i] & UINT64_C(1) << b) { @@ -94,12 +94,13 @@ void long_jump(afl_state_t *afl) { static const uint64_t LONG_JUMP[] = {0x76e15d3efefdcbbf, 0xc5004e441c522fb3, 0x77710069854ee241, 0x39109bb02acbe635}; + int i, b; uint64_t s0 = 0; uint64_t s1 = 0; uint64_t s2 = 0; uint64_t s3 = 0; - for (int i = 0; i < sizeof LONG_JUMP / sizeof *LONG_JUMP; i++) - for (int b = 0; b < 64; b++) { + for (i = 0; i < sizeof LONG_JUMP / sizeof *LONG_JUMP; i++) + for (b = 0; b < 64; b++) { if (LONG_JUMP[i] & UINT64_C(1) << b) { -- cgit 1.4.1 From 1542c7f49c00cd7d701869f951b9a2a126a7b960 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 13 Jun 2020 10:58:30 +0200 Subject: fix typos --- docs/Changelog.md | 27 ++++++++++++++------------- include/hash.h | 2 +- src/afl-performance.c | 20 ++++++++++++++------ 3 files changed, 29 insertions(+), 20 deletions(-) (limited to 'src/afl-performance.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 751dd707..caf262fc 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -11,13 +11,13 @@ sending a mail to . ### Version ++2.65d (dev) - afl-fuzz: - - -S secondary nodes now only sync from the main node to increase performance, - the -M main node still syncs from everyone. Added checks that ensure - exactly one main node is present and warn otherwise - - If no main node is present at a sync one secondary node automatically becomes - a temporary main node until a real main nodes shows up - - switched murmur2 hashing and random() for xxh3 and xoshiro256**, giving up to 5.5% speed - increase + - -S secondary nodes now only sync from the main node to increase + performance, the -M main node still syncs from everyone. Added checks + that ensure exactly one main node is present and warn otherwise + - If no main node is present at a sync one secondary node automatically + becomes a temporary main node until a real main nodes shows up + - switched murmur2 hashing and random() for xxh3 and xoshiro256**, + resulting in an up to 5.5% speed increase - Resizing the window does not crash afl-fuzz anymore - fix/update to MOpt (thanks to arnow117) - added MOpt dictionary support from repo @@ -26,10 +26,10 @@ sending a mail to . better coverage. The original afl instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is automatically done when the WHITELIST feature is used. - - some targets want a ld variant for LD that is not gcc/clang but ld, added - afl-ld-lto to solve this - - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, - which needs 3.8.0) + - some targets want a ld variant for LD that is not gcc/clang but ld, + added afl-ld-lto to solve this + - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which + needs 3.8.0) - WHITELIST feature now supports wildcards (thanks to sirmc) - small change to cmplog to make it work with current llvm 11-dev - added AFL_LLVM_LAF_ALL, sets all laf-intel settings @@ -41,6 +41,7 @@ sending a mail to . - enable snapshot lkm also for persistent mode - Unicornafl - Added powerPC support from unicorn/next + - rust bindings! - persistent mode shared memory testcase handover (instead of via files/stdin) - 10-100% performance increase - General support for 64 bit PowerPC, RiscV, Sparc etc. @@ -49,8 +50,8 @@ sending a mail to . the same second - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk - added former post_library examples to examples/custom_mutators/ - - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and gcc 10 - so afl-clang-lto can be build + - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and + gcc 10 so afl-clang-lto can be build ### Version ++2.65c (release): diff --git a/include/hash.h b/include/hash.h index 09dabb59..6910e0e2 100644 --- a/include/hash.h +++ b/include/hash.h @@ -35,7 +35,7 @@ u64 hash64(const void *key, u32 len, u64 seed); #if 0 -The following code is disabled because xxh3 with a 32 bit resukt is 30% faster +The following code is disabled because xxh3 is 30% faster #ifdef __x86_64__ diff --git a/src/afl-performance.c b/src/afl-performance.c index 7a911ffd..28564eb8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -1,10 +1,11 @@ -/* Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org) +/* + Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org) -To the extent possible under law, the author has dedicated all copyright -and related and neighboring rights to this software to the public domain -worldwide. This software is distributed without any warranty. + To the extent possible under law, the author has dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. -See . + See . This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators. It has excellent (sub-ns) speed, a state (256 bits) that is large @@ -15,13 +16,17 @@ See . The state must be seeded so that it is not everywhere zero. If you have a 64-bit seed, we suggest to seed a splitmix64 generator and use its - output to fill s. */ + output to fill s[]. +*/ #include #include "afl-fuzz.h" #include "types.h" #include "xxh3.h" +/* we use xoshiro256** instead of rand/random because it is 10x faster and has + better randomness properties. */ + static inline uint64_t rotl(const uint64_t x, int k) { return (x << k) | (x >> (64 - k)); @@ -122,6 +127,9 @@ void long_jump(afl_state_t *afl) { } +/* we switch from afl's murmur implementation to xxh3 as it is 30% faster - + and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ + u32 hash32(const void *key, u32 len, u32 seed) { return XXH64(key, len, seed) % 0x100000000; -- cgit 1.4.1 From 246444dd5765ee467b6fc090dc078cac3ce2074a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 21:40:30 +0200 Subject: tidied hash32, unicorn --- src/afl-performance.c | 6 +++--- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src/afl-performance.c') diff --git a/src/afl-performance.c b/src/afl-performance.c index 28564eb8..9c842312 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -130,13 +130,13 @@ void long_jump(afl_state_t *afl) { /* we switch from afl's murmur implementation to xxh3 as it is 30% faster - and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ -u32 hash32(const void *key, u32 len, u32 seed) { +u32 inline hash32(const void *key, u32 len, u32 seed) { - return XXH64(key, len, seed) % 0x100000000; + return XXH32(key, len, seed); } -u64 hash64(const void *key, u32 len, u64 seed) { +u64 inline hash64(const void *key, u32 len, u64 seed) { return XXH64(key, len, seed); diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index 589e3db2..c03c4529 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -09e8e8ad +04765d30 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 09e8e8ad..04765d30 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 09e8e8adec97482d9937dd15f73f78611de19bc3 +Subproject commit 04765d30ac3c3d31d83520f35237a52d18002c83 -- cgit 1.4.1 From 6804065a8d4864755af866c5c800dde0b4445155 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 22:03:01 +0200 Subject: using XX64 for 32 bit hash --- src/afl-performance.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-performance.c') diff --git a/src/afl-performance.c b/src/afl-performance.c index 9c842312..437df963 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -132,7 +132,7 @@ void long_jump(afl_state_t *afl) { u32 inline hash32(const void *key, u32 len, u32 seed) { - return XXH32(key, len, seed); + return (u32) XXH64(key, len, seed); } -- cgit 1.4.1 From 9c293b5b7b941d8046e77989f100d084a516d029 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 22:05:37 +0200 Subject: code format --- src/afl-performance.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-performance.c') diff --git a/src/afl-performance.c b/src/afl-performance.c index 437df963..8efefcd8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -132,7 +132,7 @@ void long_jump(afl_state_t *afl) { u32 inline hash32(const void *key, u32 len, u32 seed) { - return (u32) XXH64(key, len, seed); + return (u32)XXH64(key, len, seed); } -- cgit 1.4.1 From 7119bf5d860657dab7afb60fab8b7ad5dc0ef222 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 22 Jun 2020 21:58:16 +0200 Subject: Added rand, hash unittests --- .gitignore | 2 ++ GNUmakefile | 23 +++++++++---- include/afl-fuzz.h | 8 +++-- src/afl-fuzz-one.c | 2 +- src/afl-fuzz.c | 9 ++--- src/afl-performance.c | 10 ++++++ test/unittests/unit_hash.c | 75 +++++++++++++++++++++++++++++++++++++++++ test/unittests/unit_rand.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 197 insertions(+), 16 deletions(-) create mode 100644 test/unittests/unit_hash.c create mode 100644 test/unittests/unit_rand.c (limited to 'src/afl-performance.c') diff --git a/.gitignore b/.gitignore index 505a4ecb..8448c8f6 100644 --- a/.gitignore +++ b/.gitignore @@ -49,5 +49,7 @@ core\.* test/unittests/unit_maybe_alloc test/unittests/unit_preallocable test/unittests/unit_list +test/unittests/unit_rand +test/unittests/unit_hash examples/afl_network_proxy/afl-network-server examples/afl_network_proxy/afl-network-client diff --git a/GNUmakefile b/GNUmakefile index a171e916..5a739ad8 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -403,13 +403,24 @@ document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/ test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o -test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES) - @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o - unit_maybe_alloc: test/unittests/unit_maybe_alloc.o @$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_maybe_alloc +test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o + +unit_hash: test/unittests/unit_hash.o src/afl-performance.o + @$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka + ./test/unittests/unit_hash + +test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o + +unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka + ./test/unittests/unit_rand + test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o @@ -417,8 +428,8 @@ unit_list: test/unittests/unit_list.o @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_list -test/unittests/preallocable.o : $(COMM_HDR) include/afl-prealloc.h test/unittests/preallocable.c $(AFL_FUZZ_FILES) - @$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CFLAGS_FLTO) -c test/unittests/preallocable.c -o test/unittests/preallocable.o +test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES) + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o unit_preallocable: test/unittests/unit_preallocable.o @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka @@ -429,7 +440,7 @@ unit_clean: ifneq "$(shell uname)" "Darwin" -unit: unit_maybe_alloc unit_preallocable unit_list unit_clean +unit: unit_maybe_alloc unit_preallocable unit_list unit_clean unit_rand unit_hash else diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index e7b52d56..16f7d717 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -49,6 +49,7 @@ #include "sharedmem.h" #include "forkserver.h" #include "common.h" +#include "hash.h" #include #include @@ -971,13 +972,16 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) { } -static inline u32 get_rand_seed(afl_state_t *afl) { +static inline s64 rand_get_seed(afl_state_t *afl) { - if (unlikely(afl->fixed_seed)) { return (u32)afl->init_seed; } + if (unlikely(afl->fixed_seed)) { return afl->init_seed; } return afl->rand_seed[0]; } +/* initialize randomness with a given seed. Can be called again at any time. */ +void rand_set_seed(afl_state_t *afl, s64 init_seed); + /* Find first power of two greater or equal to val (assuming val under 2^63). */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index e42a323d..60db9777 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -2458,7 +2458,7 @@ radamsa_stage: for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { u32 new_len = afl->radamsa_mutate_ptr(save_buf, len, new_buf, max_len, - get_rand_seed(afl)); + rand_get_seed(afl)); if (new_len) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index bfd7cb33..c8083f71 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -289,7 +289,7 @@ int main(int argc, char **argv_orig, char **envp) { doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; gettimeofday(&tv, &tz); - afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); while ((opt = getopt(argc, argv, "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > @@ -311,7 +311,7 @@ int main(int argc, char **argv_orig, char **envp) { case 's': { - afl->init_seed = strtoul(optarg, 0L, 10); + rand_set_seed(afl, strtoul(optarg, 0L, 10)); afl->fixed_seed = 1; break; @@ -833,11 +833,6 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST); - afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; - afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; - afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; - if (afl->use_radamsa) { if (afl->limit_time_sig > 0) { diff --git a/src/afl-performance.c b/src/afl-performance.c index 8efefcd8..757bbe1e 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -33,6 +33,16 @@ static inline uint64_t rotl(const uint64_t x, int k) { } +void rand_set_seed(afl_state_t *afl, s64 init_seed) { + + afl->init_seed = init_seed; + afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); + afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; + afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; + +} + uint64_t rand_next(afl_state_t *afl) { const uint64_t result = diff --git a/test/unittests/unit_hash.c b/test/unittests/unit_hash.c new file mode 100644 index 00000000..041d107a --- /dev/null +++ b/test/unittests/unit_hash.c @@ -0,0 +1,75 @@ +#include +#include +#include +#include +#include +/* cmocka < 1.0 didn't support these features we need */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) +#endif + + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); + +#include "afl-fuzz.h" +#include "hash.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +#undef printf +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) { + return 1; +} + +/* Rand with 0 seed would broke in the past */ +static void test_hash(void **state) { + + char bitmap[64] = {0}; + u64 hash0 = hash64(bitmap, sizeof(bitmap), 0xa5b35705); + + bitmap[10] = 1; + u64 hash1 = hash64(bitmap, sizeof(bitmap), 0xa5b35705); + + assert_int_not_equal(hash0, hash1); + + bitmap[10] = 0; + assert_int_equal(hash0, hash64(bitmap, sizeof(bitmap), 0xa5b35705)); + + bitmap[10] = 1; + assert_int_equal(hash1, hash64(bitmap, sizeof(bitmap), 0xa5b35705)); + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_hash) + }; + + //return cmocka_run_group_tests (tests, setup, teardown); + __real_exit( cmocka_run_group_tests (tests, NULL, NULL) ); + + // fake return for dumb compilers + return 0; +} diff --git a/test/unittests/unit_rand.c b/test/unittests/unit_rand.c new file mode 100644 index 00000000..0a90d8d1 --- /dev/null +++ b/test/unittests/unit_rand.c @@ -0,0 +1,84 @@ +#include +#include +#include +#include +#include +#include +#include +/* cmocka < 1.0 didn't support these features we need */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) +#endif + + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); + +#include "afl-fuzz.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +#undef printf +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) { + return 1; +} + +/* Rand with 0 seed would broke in the past */ +static void test_rand_0(void **state) { + + afl_state_t afl = {0}; + rand_set_seed(&afl, 0); + + /* give this one chance to retry */ + assert_int_not_equal( + (rand_next(&afl) != rand_next(&afl) + || rand_next(&afl) != rand_next(&afl)) + , 0); + +} + +static void test_rand_below(void **state) { + + afl_state_t afl = {0}; + rand_set_seed(&afl, 1337); + + afl.fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); + + assert(!(rand_below(&afl, 9000) > 9000)); + assert_int_equal(rand_below(&afl, 1), 0); + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_rand_0), + cmocka_unit_test(test_rand_below) + }; + + //return cmocka_run_group_tests (tests, setup, teardown); + __real_exit( cmocka_run_group_tests (tests, NULL, NULL) ); + + // fake return for dumb compilers + return 0; +} -- cgit 1.4.1 From 49a769ac06c78b90882a646f1bcf60248e584b5f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 23 Jun 2020 21:23:10 +0200 Subject: lto whitelist in test.sh --- libdislocator/libdislocator.so.c | 4 ++-- libtokencap/libtokencap.so.c | 13 ++++++------ llvm_mode/LLVMInsTrim.so.cc | 1 + llvm_mode/afl-llvm-lto-instrim.so.cc | 2 ++ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 3 ++- llvm_mode/afl-llvm-lto-whitelist.so.cc | 1 + llvm_mode/afl-llvm-pass.so.cc | 1 + src/afl-performance.c | 3 ++- test/test.sh | 31 ++++++++++++++-------------- 9 files changed, 33 insertions(+), 26 deletions(-) (limited to 'src/afl-performance.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 063e3590..7a70fd15 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -40,8 +40,8 @@ #if (defined(__linux__) && !defined(__ANDROID__)) || defined(__HAIKU__) #include #ifdef __linux__ - #include - #include + #include + #include #endif #ifdef __NR_getrandom #define arc4random_buf(p, l) \ diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 88b5c041..600d2a5d 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -33,7 +33,7 @@ #include "../types.h" #include "../config.h" -#if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \ +#if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \ !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ && \ !defined(__HAIKU__) #error "Sorry, this library is unsupported in this platform for now!" @@ -233,18 +233,19 @@ static void __tokencap_load_mappings(void) { } munmap(buf, len); - #elif defined __HAIKU__ +#elif defined __HAIKU__ image_info ii; - int32_t group = 0; + int32_t group = 0; while (get_next_image_info(0, &group, &ii) == B_OK) { - __tokencap_ro[__tokencap_ro_cnt].st = ii.text; - __tokencap_ro[__tokencap_ro_cnt].en = ((char *)ii.text) + ii.text_size; + __tokencap_ro[__tokencap_ro_cnt].st = ii.text; + __tokencap_ro[__tokencap_ro_cnt].en = ((char *)ii.text) + ii.text_size; - if (++__tokencap_ro_cnt == MAX_MAPPINGS) break; + if (++__tokencap_ro_cnt == MAX_MAPPINGS) break; } + #endif } diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index ced1f383..991127a7 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -103,6 +103,7 @@ struct InsTrim : public ModulePass { bool runOnModule(Module &M) override { char be_quiet = 0; + setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 27504e8d..5f9731c2 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -113,6 +113,8 @@ struct InsTrimLTO : public ModulePass { char be_quiet = 0; char *ptr; + setvbuf(stdout, NULL, _IONBF, 0); + if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { SAYF(cCYA "InsTrimLTO" VERSION cRST diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index cbe68171..0d3015d7 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -109,6 +109,7 @@ bool AFLLTOPass::runOnModule(Module &M) { IntegerType *Int64Ty = IntegerType::getInt64Ty(C); /* Show a banner */ + setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || debug) { @@ -162,7 +163,7 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (debug) { fprintf(stderr, "map address is %lu\n", map_addr); } + if (debug) { fprintf(stderr, "map address is 0x%lx\n", map_addr); } /* Get/set the globals for the SHM region. */ diff --git a/llvm_mode/afl-llvm-lto-whitelist.so.cc b/llvm_mode/afl-llvm-lto-whitelist.so.cc index 33d40da8..b1f791f4 100644 --- a/llvm_mode/afl-llvm-lto-whitelist.so.cc +++ b/llvm_mode/afl-llvm-lto-whitelist.so.cc @@ -111,6 +111,7 @@ bool AFLwhitelist::runOnModule(Module &M) { /* Show a banner */ char be_quiet = 0; + setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 82dece75..7997df51 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -140,6 +140,7 @@ bool AFLCoverage::runOnModule(Module &M) { /* Show a banner */ char be_quiet = 0; + setvbuf(stdout, NULL, _IONBF, 0); if (getenv("AFL_DEBUG")) debug = 1; diff --git a/src/afl-performance.c b/src/afl-performance.c index 757bbe1e..a3febdbf 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -36,7 +36,8 @@ static inline uint64_t rotl(const uint64_t x, int k) { void rand_set_seed(afl_state_t *afl, s64 init_seed) { afl->init_seed = init_seed; - afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); + afl->rand_seed[0] = + hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; diff --git a/test/test.sh b/test/test.sh index 109f21cc..0cf796be 100755 --- a/test/test.sh +++ b/test/test.sh @@ -459,24 +459,23 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { } rm -f test-instr.plain -# Disabled whitelist until I have a different solution -mh -# echo foobar.c > whitelist.txt -# AFL_LLVM_WHITELIST=whitelist.txt ../afl-clang-lto -o test-compcov test-compcov.c > test.out 2>&1 -# test -e test-compcov && { -# grep -q "No instrumentation targets found" test.out && { -# $ECHO "$GREEN[+] llvm_mode LTO whitelist feature works correctly" -# } || { -# $ECHO "$RED[!] llvm_mode LTO whitelist feature failed" -# CODE=1 -# } -# } || { -# $ECHO "$RED[!] llvm_mode LTO whitelist feature compilation failed" -# CODE=1 -# } -# rm -f test-compcov test.out whitelist.txt + echo foobar.c > whitelist.txt + AFL_DEBUG=1 AFL_LLVM_WHITELIST=whitelist.txt ../afl-clang-lto -o test-compcov test-compcov.c > test.out 2>&1 + test -e test-compcov && { + grep -q "No instrumentation targets found" test.out && { + $ECHO "$GREEN[+] llvm_mode LTO whitelist feature works correctly" + } || { + $ECHO "$RED[!] llvm_mode LTO whitelist feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode LTO whitelist feature compilation failed" + CODE=1 + } + rm -f test-compcov test.out whitelist.txt ../afl-clang-lto -o test-persistent ../examples/persistent_demo/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { - echo foo | ../afl-showmap -o /dev/null -q -r ./test-persistent && { + echo foo | ../afl-showmap -m none -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode LTO persistent mode feature works correctly" } || { $ECHO "$RED[!] llvm_mode LTO persistent mode feature failed to work" -- cgit 1.4.1 From c25a602a0370f484e32adbf186290d2504cf3f12 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 28 Jun 2020 23:47:57 +0200 Subject: less problematic definitions --- examples/aflpp_driver/GNUmakefile | 10 +++++++--- examples/aflpp_driver/aflpp_driver.cpp | 2 +- examples/aflpp_driver/aflpp_driver_test.cpp | 2 +- include/afl-prealloc.h | 2 +- include/alloc-inl.h | 6 +++--- include/hash.h | 4 ++-- src/afl-performance.c | 10 +++++++--- 7 files changed, 22 insertions(+), 14 deletions(-) (limited to 'src/afl-performance.c') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index bd568224..a993c8a9 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -18,8 +18,11 @@ libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o debug: + $(LLVM_BINDIR)clang++ -Wno-deprecated -I../../include $(FLAGS) -D_DEBUG=\"1\" -c -o afl-performance.o ../../src/afl-performance.c $(LLVM_BINDIR)clang++ -I../../include -D_DEBUG=\"1\" -g -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp - ar ru libAFLDriver.a aflpp_driver.o + #$(LLVM_BINDIR)clang++ -S -emit-llvm -Wno-deprecated -I../../include $(FLAGS) -D_DEBUG=\"1\" -c -o afl-performance.ll ../../src/afl-performance.c + #$(LLVM_BINDIR)clang++ -S -emit-llvm -I../../include -D_DEBUG=\"1\" -g -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + ar ru libAFLDriver.a afl-performance.o aflpp_driver.o aflpp_qemu_driver.o: aflpp_qemu_driver.c $(LLVM_BINDIR)clang $(FLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c @@ -33,8 +36,9 @@ aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c $(LLVM_BINDIR)clang -fPIC $(FLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c -test: libAFLDriver.a aflpp_driver_test.cpp - afl-clang-fast++ -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a +test: debug + #clang++ -S -emit-llvm -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test.ll aflpp_driver_test.cpp + afl-clang-fast++ -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -stdlib=libc++ -funroll-loops -std=c++11 -o aflpp_driver_test aflpp_driver_test.cpp libAFLDriver.a clean: rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp index a1eab178..d6163bdf 100644 --- a/examples/aflpp_driver/aflpp_driver.cpp +++ b/examples/aflpp_driver/aflpp_driver.cpp @@ -277,7 +277,7 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { #ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %08x len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); fprintf(stderr, "RECV:"); for (int i = 0; i < *__afl_fuzz_len; i++) fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); diff --git a/examples/aflpp_driver/aflpp_driver_test.cpp b/examples/aflpp_driver/aflpp_driver_test.cpp index 799c743d..13dc09b9 100644 --- a/examples/aflpp_driver/aflpp_driver_test.cpp +++ b/examples/aflpp_driver/aflpp_driver_test.cpp @@ -5,7 +5,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - fprintf(stderr, "FUNC crc: %08x len: %lu\n", hash32(Data, Size, 0xa5b35705), Size); + fprintf(stderr, "FUNC crc: %016llx len: %lu\n", hash64((u8*)Data, (unsigned int) Size, (unsigned long long int) 0xa5b35705), Size); if (Size < 5) return 0; diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index 5e5d7b85..a9de3ba2 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h @@ -60,7 +60,7 @@ typedef enum prealloc_status { \ if ((prealloc_counter) >= (prealloc_size)) { \ \ - el_ptr = malloc(sizeof(*el_ptr)); \ + el_ptr = (element_t *) malloc(sizeof(*el_ptr)); \ if (!el_ptr) { FATAL("error in list.h -> out of memory for element!"); } \ el_ptr->pre_status = PRE_STATUS_MALLOC; \ \ diff --git a/include/alloc-inl.h b/include/alloc-inl.h index ca593549..decc2d43 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -170,10 +170,10 @@ static inline u8 *DFL_ck_strdup(u8 *str) { size = strlen((char *)str) + 1; ALLOC_CHECK_SIZE(size); - ret = malloc(size); + ret = (u8*) malloc(size); ALLOC_CHECK_RESULT(ret, size); - return memcpy(ret, str, size); + return (u8*)memcpy(ret, str, size); } @@ -204,7 +204,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); - ret = malloc(size + 1); + ret = (u8*) malloc(size + 1); ALLOC_CHECK_RESULT(ret, size); memcpy(ret, mem, size); diff --git a/include/hash.h b/include/hash.h index 6910e0e2..9d42e44b 100644 --- a/include/hash.h +++ b/include/hash.h @@ -30,8 +30,8 @@ #include "types.h" -u32 hash32(const void *key, u32 len, u32 seed); -u64 hash64(const void *key, u32 len, u64 seed); +u32 hash32(u8 *key, u32 len, u32 seed); +u64 hash64(u8 *key, u32 len, u64 seed); #if 0 diff --git a/src/afl-performance.c b/src/afl-performance.c index a3febdbf..b3d30cbd 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -37,7 +37,7 @@ void rand_set_seed(afl_state_t *afl, s64 init_seed) { afl->init_seed = init_seed; afl->rand_seed[0] = - hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); + hash64((u8 *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; @@ -141,13 +141,17 @@ void long_jump(afl_state_t *afl) { /* we switch from afl's murmur implementation to xxh3 as it is 30% faster - and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ -u32 inline hash32(const void *key, u32 len, u32 seed) { +u32 inline hash32(void *key, u32 len, u32 seed) { return (u32)XXH64(key, len, seed); } -u64 inline hash64(const void *key, u32 len, u64 seed) { +#ifdef _DEBUG +u64 hash64(u8 *key, u32 len, u64 seed) { +#else +u64 inline hash64(u8 *key, u32 len, u64 seed) { +#endif return XXH64(key, len, seed); -- cgit 1.4.1 From 6d0f086d9cb1b8eedbeb4c9654f9e44870460e8d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 28 Jun 2020 23:50:25 +0200 Subject: less problematic definitions --- include/hash.h | 2 +- src/afl-performance.c | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'src/afl-performance.c') diff --git a/include/hash.h b/include/hash.h index 9d42e44b..9319ab95 100644 --- a/include/hash.h +++ b/include/hash.h @@ -41,7 +41,7 @@ The following code is disabled because xxh3 is 30% faster #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) -static inline u32 hash32(const void *key, u32 len, u32 seed) { +static inline u32 hash32(u8 *key, u32 len, u32 seed) { const u64 *data = (u64 *)key; u64 h1 = seed ^ len; diff --git a/src/afl-performance.c b/src/afl-performance.c index b3d30cbd..0832dc39 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -141,7 +141,11 @@ void long_jump(afl_state_t *afl) { /* we switch from afl's murmur implementation to xxh3 as it is 30% faster - and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ -u32 inline hash32(void *key, u32 len, u32 seed) { +#ifdef _DEBUG +u32 hash32(u8 *key, u32 len, u32 seed) { +#else +u32 inline hash32(u8 *key, u32 len, u32 seed) { +#endif return (u32)XXH64(key, len, seed); -- cgit 1.4.1 From e5e485fcdb039fc77842b0753a4adf42d6063388 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 29 Jun 2020 00:58:05 +0200 Subject: fix autodict --- GNUmakefile | 4 +-- examples/persistent_demo/persistent_demo_new.c | 4 +++ include/afl-prealloc.h | 2 +- include/alloc-inl.h | 6 ++--- llvm_mode/afl-llvm-rt.o.c | 6 +++++ src/afl-forkserver.c | 36 ++++++++++++++++---------- src/afl-fuzz-run.c | 26 ++++++++++++------- src/afl-performance.c | 4 +++ src/afl-showmap.c | 4 ++- 9 files changed, 62 insertions(+), 30 deletions(-) (limited to 'src/afl-performance.c') diff --git a/GNUmakefile b/GNUmakefile index d95eaab1..748cd73c 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -394,8 +394,8 @@ afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86 # document all mutations and only do one run (use with only one input file!) -document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 - $(CC) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) +document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86 + $(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 98909442..e4e328b0 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -49,9 +49,13 @@ int main(int argc, char **argv) { len = __AFL_FUZZ_TESTCASE_LEN; + fprintf(stderr, "input: %zd \"%s\"\n", len, buf); + /* do we have enough data? */ if (len < 8) continue; + if (strcmp((char *)buf, "thisisateststring") == 0) printf("teststring\n"); + if (buf[0] == 'f') { printf("one\n"); diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index a9de3ba2..fa6c9b70 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h @@ -60,7 +60,7 @@ typedef enum prealloc_status { \ if ((prealloc_counter) >= (prealloc_size)) { \ \ - el_ptr = (element_t *) malloc(sizeof(*el_ptr)); \ + el_ptr = (element_t *)malloc(sizeof(*el_ptr)); \ if (!el_ptr) { FATAL("error in list.h -> out of memory for element!"); } \ el_ptr->pre_status = PRE_STATUS_MALLOC; \ \ diff --git a/include/alloc-inl.h b/include/alloc-inl.h index decc2d43..832b2de4 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -170,10 +170,10 @@ static inline u8 *DFL_ck_strdup(u8 *str) { size = strlen((char *)str) + 1; ALLOC_CHECK_SIZE(size); - ret = (u8*) malloc(size); + ret = (u8 *)malloc(size); ALLOC_CHECK_RESULT(ret, size); - return (u8*)memcpy(ret, str, size); + return (u8 *)memcpy(ret, str, size); } @@ -204,7 +204,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); - ret = (u8*) malloc(size + 1); + ret = (u8 *)malloc(size + 1); ALLOC_CHECK_RESULT(ret, size); memcpy(ret, mem, size); diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 184dcd0f..f81d13ee 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -395,6 +395,9 @@ static void __afl_start_snapshots(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "target forkserver recv: %08x\n", was_killed); + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) == (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) { @@ -594,6 +597,9 @@ static void __afl_start_forkserver(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "target forkserver recv: %08x\n", was_killed); + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) == (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index bb7a6797..c5709b33 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -596,9 +596,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, // this is not afl-fuzz - we deny and return if (fsrv->use_shmem_fuzz) - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); + status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); else - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + status = (FS_OPT_ENABLED); if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { FATAL("Writing to forkserver failed."); @@ -610,7 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } if (!be_quiet) { ACTF("Using AUTODICT feature."); } - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + + if (fsrv->use_shmem_fuzz) + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); + else + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { FATAL("Writing to forkserver failed."); @@ -862,16 +867,21 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), - *fsrv->shmem_fuzz_len); - fprintf(stderr, "SHM :"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); - fprintf(stderr, "\nORIG:"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", buf[i]); - fprintf(stderr, "\n"); + if (getenv("AFL_DEBUG")) { + + fprintf(stderr, "FS crc: %016llx len: %u\n", + hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), + *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); + + } + #endif } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 52931a39..2a1664e2 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -156,16 +156,22 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, *afl->fsrv.shmem_fuzz_len = len - skip_len; #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), - *fsrv->shmem_fuzz_len); - fprintf(stderr, "SHM :"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); - fprintf(stderr, "\nORIG:"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", buf[i]); - fprintf(stderr, "\n"); + if (afl->debug) { + + fprintf( + stderr, "FS crc: %16llx len: %u\n", + hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, 0xa5b35705), + *afl->fsrv.shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) + fprintf(stderr, "%02x", afl->fsrv.shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) + fprintf(stderr, "%02x", (u8)((u8 *)mem)[i]); + fprintf(stderr, "\n"); + + } + #endif return; diff --git a/src/afl-performance.c b/src/afl-performance.c index 0832dc39..0c1697a8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -143,8 +143,10 @@ void long_jump(afl_state_t *afl) { #ifdef _DEBUG u32 hash32(u8 *key, u32 len, u32 seed) { + #else u32 inline hash32(u8 *key, u32 len, u32 seed) { + #endif return (u32)XXH64(key, len, seed); @@ -153,8 +155,10 @@ u32 inline hash32(u8 *key, u32 len, u32 seed) { #ifdef _DEBUG u64 hash64(u8 *key, u32 len, u64 seed) { + #else u64 inline hash64(u8 *key, u32 len, u64 seed) { + #endif return XXH64(key, len, seed); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 994d80eb..883398ff 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -985,10 +985,12 @@ int main(int argc, char **argv_orig, char **envp) { if (read_file(infile)) { - if (wait_for_gdb) { + if (wait_for_gdb) { + fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); fprintf(stderr, "exec: kill -CONT %d\n", getpid()); kill(0, SIGSTOP); + } showmap_run_target_forkserver(fsrv, use_argv, in_data, in_len); -- cgit 1.4.1