From 27c048086659808bc1e6742023d4e89330283e02 Mon Sep 17 00:00:00 2001 From: realmadsci <71108352+realmadsci@users.noreply.github.com> Date: Mon, 15 Mar 2021 13:12:11 -0400 Subject: afl-showmap: Allow @@ to be part of an arg The previous implementation of "@@ handling" in afl-showmap differed greatly from how it was handled in afl-fuzz and how the documentation presented it. It used to require that the @@ be its own argument separated by whitespace and could not be used in situations like "--file=@@". This change standardizes it to use detect_file_args() like everybody else does, so that it will have the expected and documented behavior. --- src/afl-showmap.c | 54 ++++++++++++++++++++++-------------------------------- 1 file changed, 22 insertions(+), 32 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 0fc76193..2627f491 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -72,8 +72,7 @@ static u8 *in_data, /* Input data */ static u64 total; /* tuple content information */ static u32 tcnt, highest; /* tuple content information */ -static u32 in_len, /* Input data length */ - arg_offset; /* Total number of execs */ +static u32 in_len; /* Input data length */ static u32 map_size = MAP_SIZE; @@ -738,7 +737,7 @@ int main(int argc, char **argv_orig, char **envp) { // TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ - s32 opt, i; + s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; char **use_argv; @@ -986,7 +985,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_DEBUG")) { DEBUGF(""); - for (i = 0; i < argc; i++) + for (int i = 0; i < argc; i++) SAYF(" %s", argv[i]); SAYF("\n"); @@ -1012,12 +1011,30 @@ int main(int argc, char **argv_orig, char **envp) { } + if (in_dir) { - detect_file_args(argv + optind, "", &fsrv->use_stdin); + /* If we don't have a file name chosen yet, use a safe default. */ + u8 *use_dir = "."; + + if (access(use_dir, R_OK | W_OK | X_OK)) { + + use_dir = get_afl_env("TMPDIR"); + if (!use_dir) { use_dir = "/tmp"; } + + } + + stdin_file = at_file ? strdup(at_file) + : (char *)alloc_printf("%s/.afl-showmap-temp-%u", + use_dir, (u32)getpid()); + unlink(stdin_file); + + // If @@ are in the target args, replace them and also set use_stdin=false. + detect_file_args(argv + optind, stdin_file, &fsrv->use_stdin); } else { + // If @@ are in the target args, replace them and also set use_stdin=false. detect_file_args(argv + optind, at_file, &fsrv->use_stdin); } @@ -1042,14 +1059,6 @@ int main(int argc, char **argv_orig, char **envp) { } - i = 0; - while (use_argv[i] != NULL && !arg_offset) { - - if (strcmp(use_argv[i], "@@") == 0) { arg_offset = i; } - i++; - - } - shm_fuzz = ck_alloc(sizeof(sharedmem_t)); /* initialize cmplog_mode */ @@ -1160,30 +1169,11 @@ int main(int argc, char **argv_orig, char **envp) { } - u8 *use_dir = "."; - - if (access(use_dir, R_OK | W_OK | X_OK)) { - - use_dir = get_afl_env("TMPDIR"); - if (!use_dir) { use_dir = "/tmp"; } - - } - - stdin_file = at_file ? strdup(at_file) - : (char *)alloc_printf("%s/.afl-showmap-temp-%u", - use_dir, (u32)getpid()); - unlink(stdin_file); atexit(at_exit_handler); fsrv->out_file = stdin_file; fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); } - if (arg_offset && use_argv[arg_offset] != stdin_file) { - - use_argv[arg_offset] = strdup(stdin_file); - - } - if (get_afl_env("AFL_DEBUG")) { int j = optind; -- cgit 1.4.1 From 62f067ec71aff384a197511b33142002ca284c66 Mon Sep 17 00:00:00 2001 From: realmadsci <71108352+realmadsci@users.noreply.github.com> Date: Mon, 15 Mar 2021 14:04:10 -0700 Subject: afl-showmap: Unwind a change to keep it pre-C99 compatible --- src/afl-showmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 2627f491..29b8456f 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -737,7 +737,7 @@ int main(int argc, char **argv_orig, char **envp) { // TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ - s32 opt; + s32 opt, i; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; char **use_argv; @@ -985,7 +985,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_DEBUG")) { DEBUGF(""); - for (int i = 0; i < argc; i++) + for (i = 0; i < argc; i++) SAYF(" %s", argv[i]); SAYF("\n"); -- cgit 1.4.1 From e1384b5086e918350426cd0ece7dbe9c451f771f Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 18 Mar 2021 09:11:00 +0000 Subject: Add support for FRIDA mode --- .gitignore | 1 + frida_mode/.gitignore | 5 + frida_mode/Makefile | 310 +++++++++++++++++++++++++++++++++ frida_mode/README.md | 48 ++++++ frida_mode/inc/instrument.h | 7 + frida_mode/inc/interceptor.h | 4 + frida_mode/inc/prefetch.h | 5 + frida_mode/inc/ranges.h | 6 + frida_mode/src/instrument.c | 265 +++++++++++++++++++++++++++++ frida_mode/src/interceptor.c | 16 ++ frida_mode/src/main.c | 149 ++++++++++++++++ frida_mode/src/prefetch.c | 121 +++++++++++++ frida_mode/src/ranges.c | 395 +++++++++++++++++++++++++++++++++++++++++++ frida_mode/test/testinstr.c | 105 ++++++++++++ frida_mode/test/testinstr.py | 32 ++++ include/envs.h | 7 + include/forkserver.h | 2 + src/afl-analyze.c | 50 +++++- src/afl-fuzz-init.c | 7 +- src/afl-fuzz.c | 54 +++++- src/afl-showmap.c | 47 ++++- src/afl-tmin.c | 49 +++++- 22 files changed, 1668 insertions(+), 17 deletions(-) create mode 100644 frida_mode/.gitignore create mode 100644 frida_mode/Makefile create mode 100644 frida_mode/README.md create mode 100644 frida_mode/inc/instrument.h create mode 100644 frida_mode/inc/interceptor.h create mode 100644 frida_mode/inc/prefetch.h create mode 100644 frida_mode/inc/ranges.h create mode 100644 frida_mode/src/instrument.c create mode 100644 frida_mode/src/interceptor.c create mode 100644 frida_mode/src/main.c create mode 100644 frida_mode/src/prefetch.c create mode 100644 frida_mode/src/ranges.c create mode 100644 frida_mode/test/testinstr.c create mode 100755 frida_mode/test/testinstr.py (limited to 'src/afl-showmap.c') diff --git a/.gitignore b/.gitignore index 3f440730..2aaaf9ef 100644 --- a/.gitignore +++ b/.gitignore @@ -82,3 +82,4 @@ libAFLDriver.a libAFLQemuDriver.a test/.afl_performance gmon.out +afl-frida-trace.so diff --git a/frida_mode/.gitignore b/frida_mode/.gitignore new file mode 100644 index 00000000..956b9911 --- /dev/null +++ b/frida_mode/.gitignore @@ -0,0 +1,5 @@ +build/ +frida_test.dat +qemu_test.dat +frida_out/** +qemu_out/** diff --git a/frida_mode/Makefile b/frida_mode/Makefile new file mode 100644 index 00000000..73a4142c --- /dev/null +++ b/frida_mode/Makefile @@ -0,0 +1,310 @@ +PWD:=$(shell pwd)/ +INC_DIR:=$(PWD)inc/ +SRC_DIR:=$(PWD)src/ +INCLUDES:=$(wildcard $(INC_DIR)*.h) +SOURCES:=$(wildcard $(SRC_DIR)*.c) +BUILD_DIR:=$(PWD)build/ +CFLAGS:= $(CFLAGS) \ + -fPIC \ + -D_GNU_SOURCE + +FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ +FRIDA_TRACE:=$(FRIDA_BUILD_DIR)afl-frida-trace.so + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" +ARCH:=arm64 +TESTINSTR_BASE:=0x0000aaaaaaaaa000 +endif + +ifeq "$(ARCH)" "x86_64" +TESTINSTR_BASE:=0x0000555555554000 +endif + +ifeq "$(shell uname)" "Darwin" +OS:=macos +AFL_FRIDA_INST_RANGES=0x0000000000001000-0xFFFFFFFFFFFFFFFF +CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations +TEST_LDFLAGS:=-undefined dynamic_lookup +endif +ifeq "$(shell uname)" "Linux" +OS:=linux +AFL_FRIDA_INST_RANGES=$(shell $(PWD)test/testinstr.py -f $(BUILD_DIR)testinstr -s .testinstr -b $(TESTINSTR_BASE)) +CFLAGS:=$(CFLAGS) -Wno-prio-ctor-dtor +TEST_LDFLAGS:= +endif + +ifndef OS +$(error "Operating system unsupported") +endif + +VERSION=14.2.13 +GUM_DEVKIT_FILENAME=frida-gum-devkit-$(VERSION)-$(OS)-$(ARCH).tar.xz +GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(VERSION)/$(GUM_DEVKIT_FILENAME)" +GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME) +GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a +GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h + +TEST_BUILD_DIR:=$(BUILD_DIR)test/ + +LIBPNG_FILE:=$(TEST_BUILD_DIR)libpng-1.2.56.tar.gz +LIBPNG_URL:=https://downloads.sourceforge.net/project/libpng/libpng12/older-releases/1.2.56/libpng-1.2.56.tar.gz +LIBPNG_DIR:=$(TEST_BUILD_DIR)libpng-1.2.56/ +LIBPNG_MAKEFILE:=$(LIBPNG_DIR)Makefile +LIBPNG_LIB:=$(LIBPNG_DIR).libs/libpng12.a + +HARNESS_FILE:=$(TEST_BUILD_DIR)StandaloneFuzzTargetMain.c +HARNESS_OBJ:=$(TEST_BUILD_DIR)StandaloneFuzzTargetMain.o +HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c" + +PNGTEST_FILE:=$(TEST_BUILD_DIR)target.cc +PNGTEST_OBJ:=$(TEST_BUILD_DIR)target.o +PNGTEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libpng-1.2.56/target.cc" + +TEST_BIN:=$(TEST_BUILD_DIR)pngtest + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)test/testinstr.c + +TEST_DATA_DIR:=$(PWD)build/test/libpng-1.2.56/contrib/pngsuite/ + +TESTINSTR_DATA_DIR:=$(BUILD_DIR)testinstr_in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)test.dat +FRIDA_OUT:=$(PWD)frida_out +QEMU_OUT:=$(PWD)qemu_out + +.PHONY: all frida test clean format test_frida test_qemu compare testinstr test_testinstr standalone + +all: $(FRIDA_TRACE) + +frida: $(FRIDA_TRACE) + +$(BUILD_DIR): + mkdir -p $(BUILD_DIR) + +############################# FRIDA ############################################ +$(FRIDA_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR) + wget -O $@ $(GUM_DEVKIT_URL) + +$(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) + tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) + +$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) + tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) + +$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) Makefile | $(FRIDA_BUILD_DIR) + $(CC) -shared \ + $(CFLAGS) \ + -o $@ $(SOURCES) \ + $(GUM_DEVIT_LIBRARY) \ + -I $(FRIDA_BUILD_DIR) \ + -I .. \ + -I ../include \ + -I $(INC_DIR) \ + ../instrumentation/afl-compiler-rt.o.c \ + -lpthread -ldl -lresolv + + cp -v $(FRIDA_TRACE) ../ + +############################# TEST ############################################# + +test: $(TEST_BIN) + +$(TEST_BUILD_DIR): $(BUILD_DIR) + mkdir -p $@ + +$(HARNESS_FILE): | $(TEST_BUILD_DIR) + wget -O $@ $(HARNESS_URL) + +$(HARNESS_OBJ): $(HARNESS_FILE) + $(CC) -o $@ -c $< + +$(PNGTEST_FILE): | $(TEST_BUILD_DIR) + wget -O $@ $(PNGTEST_URL) + +$(PNGTEST_OBJ): $(PNGTEST_FILE) | $(LIBPNG_DIR) + $(CXX) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $< + +$(LIBPNG_FILE): | $(TEST_BUILD_DIR) + wget -O $@ $(LIBPNG_URL) + +$(LIBPNG_DIR): $(LIBPNG_FILE) + tar zxvf $(LIBPNG_FILE) -C $(TEST_BUILD_DIR) + +$(LIBPNG_MAKEFILE): | $(LIBPNG_DIR) + cd $(LIBPNG_DIR) && ./configure + +$(LIBPNG_LIB): $(LIBPNG_MAKEFILE) + make -C $(LIBPNG_DIR) + +$(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) + $(CXX) \ + -o $@ \ + $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \ + -lz \ + $(TEST_LDFLAGS) + +############################# TESTINSR ######################################### +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) -o $@ $< + +testinstr: $(TESTINSTBIN) + +############################# CLEAN ############################################ +clean: + rm -rf $(BUILD_DIR) + +############################# FORMAT ########################################### +format: + cd .. && echo $(SOURCES) | xargs -L1 ./.custom-format.py -i + cd .. && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i + cd .. && ./.custom-format.py -i $(TESTINSTSRC) + +############################# RUN ############################################# + +# Add the environment variable AFL_DEBUG_CHILD=1 to show printf's from the target + +png_frida: $(FRIDA_TRACE) $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-fuzz \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ + +png_qemu: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-fuzz \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + +compare: $(FRIDA_TRACE) $(TEST_BIN) + cd .. && \ + ./afl-fuzz \ + -V30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ + cd .. && \ + ./afl-fuzz \ + -V30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + cat frida_out/default/fuzzer_stats + cat qemu_out/default/fuzzer_stats + +testinstr_qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + make -C .. + cd .. && \ + AFL_QEMU_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ + ./afl-fuzz \ + -Q \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +testinstr_frida: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + make -C .. + cd .. && \ + AFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ + AFL_FRIDA_INST_NO_OPTIMIZE=1 \ + AFL_FRIDA_INST_NO_PREFETCH=1 \ + AFL_FRIDA_INST_STRICT=1 \ + ./afl-fuzz \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +standalone: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + cd .. && \ + AFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ + AFL_DEBUG_CHILD=1 \ + AFL_FRIDA_DEBUG_MAPS=1 \ + AFL_FRIDA_INST_NO_OPTIMIZE=1 \ + AFL_FRIDA_INST_NO_PREFETCH=1 \ + AFL_FRIDA_INST_TRACE=1 \ + AFL_FRIDA_INST_STRICT=1 \ + LD_PRELOAD=$(FRIDA_TRACE) \ + DYLD_INSERT_LIBRARIES=$(FRIDA_TRACE) \ + $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + +tmin_qemu: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-tmin \ + -Q \ + -i $(TEST_DATA_DIR)basn0g01.png \ + -o $(QEMU_OUT)/qemu-min-basn0g01.png \ + -- \ + $(TEST_BIN) @@ + +tmin_frida: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-tmin \ + -O \ + -i $(TEST_DATA_DIR)basn0g01.png \ + -o $(FRIDA_OUT)/qemu-min-basn0g01.png \ + -- \ + $(TEST_BIN) + +showmap_qemu: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-showmap \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + +showmap_frida: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-showmap \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ + +analyze_qemu: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-analyze \ + -Q \ + -i $(TEST_DATA_DIR)basn0g01.png \ + -- \ + $(TEST_BIN) @@ + +analyze_frida: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-analyze \ + -O \ + -i $(TEST_DATA_DIR)basn0g01.png \ + -- \ + $(TEST_BIN) @@ \ No newline at end of file diff --git a/frida_mode/README.md b/frida_mode/README.md new file mode 100644 index 00000000..c5436e8b --- /dev/null +++ b/frida_mode/README.md @@ -0,0 +1,48 @@ +# FRIDA MODE +The purpose of FRIDA mode is to provide an alternative binary only fuzzer for AFL +just like that provided by QEMU mode. The intention is to provide a very similar +user experience, right down to the options provided through environment variables. + +Additionally, the intention is to be able to make a direct performance comparison +between the two approaches. Hopefully, we should also be able to leverage the same +approaches for adding features which QEMU uses, possibly even sharing code. + +## Limitations +The current focus is on x64 support for Intel. Although parts may be architecturally +dependent, the approach itself should remain architecture agnostic. + +## Usage +FRIDA mode requires some small modifications to the afl-fuzz and similar tools in +AFLplusplus. The intention is that it behaves identically to QEMU, but uses the 'O' +switch rather than 'Q'. + +## Design +AFL Frida works by means of a shared library injected into a binary program using +LD_PRELOAD, similar to the way which other fuzzing features are injected into targets. + +## Testing +Alongside the FRIDA mode, we also include a test program for fuzzing. This test +program is built using the libpng benchmark from fuzz-bench and integrating the +StandaloneFuzzTargetMain from the llvm project. This is built and linked without +any special modifications to suit FRIDA or QEMU. However, at present we don't have +a representative corpus. + +## Getting Started +To build everything run `make`. + +To run the benchmark sample with qemu run `make test_qemu`. +To run the benchmark sample with frida run `make test_frida`. + +# Configuration options +* `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS` +* `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES` +* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`. +* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork. +* `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` +* `AFL_FRIDA_INST_STRICT` - Under certain conditions, Stalker may encroach into excluded regions and generate both instrumented blocks and coverage data (e.g. indirect calls on x86). The excluded block is generally honoured as soon as another function is called within the excluded region. The overhead of generating, running and instrumenting these few additional blocks is likely to be fairly small, but it may hinder you when checking that the correct number of paths are found for testing purposes or similar. There is a performance penatly for this option during block compilation where we check the block isn't in a list of excluded ranges. +* `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code. Requires `AFL_FRIDA_INST_NO_OPTIMIZE`. + +# TODO +* Add AARCH64 inline assembly optimization from libFuzz +* Fix issues running on OSX +* Identify cause of erroneous additional paths diff --git a/frida_mode/inc/instrument.h b/frida_mode/inc/instrument.h new file mode 100644 index 00000000..ff71bed4 --- /dev/null +++ b/frida_mode/inc/instrument.h @@ -0,0 +1,7 @@ +#include "frida-gum.h" + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); + +void instrument_init(); + diff --git a/frida_mode/inc/interceptor.h b/frida_mode/inc/interceptor.h new file mode 100644 index 00000000..5ed3cf49 --- /dev/null +++ b/frida_mode/inc/interceptor.h @@ -0,0 +1,4 @@ +#include "frida-gum.h" + +void intercept(void *address, gpointer replacement, gpointer user_data); + diff --git a/frida_mode/inc/prefetch.h b/frida_mode/inc/prefetch.h new file mode 100644 index 00000000..b7f25a97 --- /dev/null +++ b/frida_mode/inc/prefetch.h @@ -0,0 +1,5 @@ +void prefetch_init(); +void prefetch_start(GumStalker *stalker); +void prefetch_write(void *addr); +void prefetch_read(GumStalker *stalker); + diff --git a/frida_mode/inc/ranges.h b/frida_mode/inc/ranges.h new file mode 100644 index 00000000..b9394dbc --- /dev/null +++ b/frida_mode/inc/ranges.h @@ -0,0 +1,6 @@ +#include "frida-gum.h" + +void ranges_init(GumStalker *stalker); + +gboolean range_is_excluded(gpointer address); + diff --git a/frida_mode/src/instrument.c b/frida_mode/src/instrument.c new file mode 100644 index 00000000..042fdab8 --- /dev/null +++ b/frida_mode/src/instrument.c @@ -0,0 +1,265 @@ +#include "frida-gum.h" +#include "config.h" +#include "debug.h" +#include "prefetch.h" +#include "ranges.h" +#include "unistd.h" + +extern uint8_t *__afl_area_ptr; +extern u32 __afl_map_size; + +uint64_t __thread previous_pc = 0; +GumAddress current_log_impl = GUM_ADDRESS(0); + +static gboolean tracing = false; +static gboolean optimize = false; +static gboolean strict = false; + +#if defined(__x86_64__) +static const guint8 afl_log_code[] = { + + 0x9c, /* pushfq */ + 0x50, /* push rax */ + 0x51, /* push rcx */ + 0x52, /* push rdx */ + + 0x48, 0x8d, 0x05, 0x27, + 0x00, 0x00, 0x00, /* lea rax, sym._afl_area_ptr_ptr */ + 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ + 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ + 0x48, 0x8d, 0x0d, 0x22, + 0x00, 0x00, 0x00, /* lea rcx, sym.previous_pc */ + 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */ + 0x48, 0x8b, 0x12, /* mov rdx, qword [rdx] */ + 0x48, 0x31, 0xfa, /* xor rdx, rdi */ + 0xfe, 0x04, 0x10, /* inc byte [rax + rdx] */ + 0x48, 0xd1, 0xef, /* shr rdi, 1 */ + 0x48, 0x8b, 0x01, /* mov rax, qword [rcx] */ + 0x48, 0x89, 0x38, /* mov qword [rax], rdi */ + + 0x5a, /* pop rdx */ + 0x59, /* pop rcx */ + 0x58, /* pop rax */ + 0x9d, /* popfq */ + + 0xc3, /* ret */ + + /* Read-only data goes here: */ + /* uint8_t** afl_area_ptr_ptr */ + /* uint64_t* afl_prev_loc_ptr */ + +}; + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumX86Writer *cw = output->writer.x86; + + if (current_log_impl == 0 || + !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || + !gum_x86_writer_can_branch_directly_between(cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_x86_writer_put_jmp_near_label(cw, after_log_impl); + + current_log_impl = cw->pc; + gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + + uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; + uint64_t *afl_prev_loc_ptr = &previous_pc; + gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, + sizeof(afl_area_ptr_ptr)); + gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, + sizeof(afl_prev_loc_ptr)); + + gum_x86_writer_put_label(cw, after_log_impl); + + } + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -GUM_RED_ZONE_SIZE); + gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset); + gum_x86_writer_put_call_address(cw, current_log_impl); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + GUM_RED_ZONE_SIZE); + +} + +#elif defined(__aarch64__) +static const guint8 afl_log_code[] = { + + // __afl_area_ptr[current_pc ^ previous_pc]++; + // previous_pc = current_pc >> 1; + 0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]! + 0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]! + + // x0 = current_pc + 0xc1, 0x01, 0x00, 0x58, // ldr x1, #0x38, =&__afl_area_ptr + 0x21, 0x00, 0x40, 0xf9, // ldr x1, [x1] (=__afl_area_ptr) + + 0xc2, 0x01, 0x00, 0x58, // ldr x2, #0x38, =&previous_pc + 0x42, 0x00, 0x40, 0xf9, // ldr x2, [x2] (=previous_pc) + + // __afl_area_ptr[current_pc ^ previous_pc]++; + 0x42, 0x00, 0x00, 0xca, // eor x2, x2, x0 + 0x23, 0x68, 0x62, 0xf8, // ldr x3, [x1, x2] + 0x63, 0x04, 0x00, 0x91, // add x3, x3, #1 + 0x23, 0x68, 0x22, 0xf8, // str x3, [x1, x2] + + // previous_pc = current_pc >> 1; + 0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1 + 0xe2, 0x00, 0x00, 0x58, // ldr x2, #0x1c, =&previous_pc + 0x40, 0x00, 0x00, 0xf9, // str x0, [x2] + + 0xE3, 0x13, 0xc1, 0xA8, // ldp x3, x4, [sp], #0x10 + 0xE1, 0x0B, 0xc1, 0xA8, // ldp x1, x2, [sp], #0x10 + 0xC0, 0x03, 0x5F, 0xD6, // ret + + // &afl_area_ptr_ptr + // &afl_prev_loc_ptr + +}; + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumArm64Writer *cw = output->writer.arm64; + + if (current_log_impl == 0 || + !gum_arm64_writer_can_branch_directly_between(cw, cw->pc, + current_log_impl) || + !gum_arm64_writer_can_branch_directly_between(cw, cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_arm64_writer_put_b_label(cw, after_log_impl); + + current_log_impl = cw->pc; + gum_arm64_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + + uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; + uint64_t *afl_prev_loc_ptr = &previous_pc; + gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, + sizeof(afl_area_ptr_ptr)); + gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, + sizeof(afl_prev_loc_ptr)); + + gum_arm64_writer_put_label(cw, after_log_impl); + + } + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + gum_arm64_writer_put_ldr_reg_u64(cw, ARM64_REG_X0, area_offset); + gum_arm64_writer_put_bl_imm(cw, current_log_impl); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); + +} + +#endif + +static void on_basic_block(GumCpuContext *context, gpointer user_data) { + + /* Avoid stack operations in potentially performance critical code */ + static char buffer[200]; + int len; + guint64 current_pc = (guint64)user_data; + if (tracing) { + + /* Avoid any functions which may cause an allocation since the target app + * may already be running inside malloc and it isn't designed to be + * re-entrant on a single thread */ + len = snprintf(buffer, sizeof(buffer), + "current_pc: 0x%016" G_GINT64_MODIFIER + "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n", + current_pc, previous_pc); + + write(STDOUT_FILENO, buffer, len + 1); + + } + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + __afl_area_ptr[current_pc ^ previous_pc]++; + previous_pc = current_pc >> 1; + +} + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data) { + + const cs_insn *instr; + gboolean begin = TRUE; + while (gum_stalker_iterator_next(iterator, &instr)) { + + if (begin) { + + prefetch_write((void *)instr->address); + if (!strict || !range_is_excluded((void *)instr->address)) { + + if (optimize) { + + instrument_coverage_optimize(instr, output); + + } else { + + gum_stalker_iterator_put_callout(iterator, on_basic_block, + (gpointer)instr->address, NULL); + + } + + } + + begin = FALSE; + + } + + gum_stalker_iterator_keep(iterator); + + } + +} + +void instrument_init() { + + optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); + tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); + strict = (getenv("AFL_FRIDA_INST_STRICT") != NULL); + +#if !defined(__x86_64__) && !defined(__aarch64__) + optimize = false; +#endif + + OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' '); + OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' '); + OKF("Instrumentation - strict [%c]", strict ? 'X' : ' '); + + if (tracing && optimize) { + + FATAL("AFL_FRIDA_INST_OPTIMIZE and AFL_FRIDA_INST_TRACE are incompatible"); + + } + + if (__afl_map_size != 0x10000) { + + FATAL("Bad map size: 0x%08x", __afl_map_size); + + } + +} + diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c new file mode 100644 index 00000000..ba05a80a --- /dev/null +++ b/frida_mode/src/interceptor.c @@ -0,0 +1,16 @@ +#include "frida-gum.h" +#include "debug.h" + +#include "interceptor.h" + +void intercept(void *address, gpointer replacement, gpointer user_data) { + + GumInterceptor *interceptor = gum_interceptor_obtain(); + gum_interceptor_begin_transaction(interceptor); + GumReplaceReturn ret = + gum_interceptor_replace(interceptor, address, replacement, user_data); + if (ret != GUM_ATTACH_OK) { FATAL("gum_interceptor_attach: %d", ret); } + gum_interceptor_end_transaction(interceptor); + +} + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c new file mode 100644 index 00000000..444c9583 --- /dev/null +++ b/frida_mode/src/main.c @@ -0,0 +1,149 @@ +#include +#include + +#ifdef __APPLE__ + #include + #include +#else + #include + #include +#endif + +#include "frida-gum.h" +#include "config.h" +#include "debug.h" + +#include "interceptor.h" +#include "instrument.h" +#include "prefetch.h" +#include "ranges.h" + +#ifdef __APPLE__ +extern mach_port_t mach_task_self(); +extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); +#else +extern int __libc_start_main(int *(main)(int, char **, char **), int argc, + char **ubp_av, void (*init)(void), + void (*fini)(void), void (*rtld_fini)(void), + void(*stack_end)); +#endif + +typedef int *(*main_fn_t)(int argc, char **argv, char **envp); + +static main_fn_t main_fn = NULL; +static GumStalker * stalker = NULL; +static GumMemoryRange code_range = {0}; + +extern void __afl_manual_init(); +extern __thread uint64_t previous_pc; + +static int on_fork() { + + prefetch_read(stalker); + return fork(); + +} + +#ifdef __APPLE__ +static void on_main_os(int argc, char **argv, char **envp) { + +} + +#else +static void on_main_os(int argc, char **argv, char **envp) { + + /* Personality doesn't affect the current process, it only takes effect on + * evec */ + int persona = personality(ADDR_NO_RANDOMIZE); + if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } + + GumInterceptor *interceptor = gum_interceptor_obtain(); + + gum_interceptor_begin_transaction(interceptor); + gum_interceptor_revert(interceptor, __libc_start_main); + gum_interceptor_end_transaction(interceptor); + gum_interceptor_flush(interceptor); + +} + +#endif + +static int *on_main(int argc, char **argv, char **envp) { + + on_main_os(argc, argv, envp); + + stalker = gum_stalker_new(); + if (stalker == NULL) { FATAL("Failed to initialize stalker"); } + + gum_stalker_set_trust_threshold(stalker, 0); + + GumStalkerTransformer *transformer = + gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + + instrument_init(); + prefetch_init(); + ranges_init(stalker); + + intercept(fork, on_fork, stalker); + + gum_stalker_follow_me(stalker, transformer, NULL); + gum_stalker_deactivate(stalker); + + __afl_manual_init(); + + /* Child here */ + previous_pc = 0; + prefetch_start(stalker); + main_fn(argc, argv, envp); + _exit(0); + +} + +#ifdef __APPLE__ +static void intercept_main() { + + mach_port_t task = mach_task_self(); + OKF("Task Id: %u", task); + GumAddress entry = gum_darwin_find_entrypoint(task); + OKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); + void *main = GSIZE_TO_POINTER(entry); + main_fn = main; + intercept(main, on_main, NULL); + +} + +#else +static int on_libc_start_main(int *(main)(int, char **, char **), int argc, + char **ubp_av, void (*init)(void), + void (*fini)(void), void (*rtld_fini)(void), + void(*stack_end)) { + + main_fn = main; + intercept(main, on_main, NULL); + return __libc_start_main(main, argc, ubp_av, init, fini, rtld_fini, + stack_end); + +} + +static void intercept_main() { + + intercept(__libc_start_main, on_libc_start_main, NULL); + +} + +#endif + +__attribute__((constructor)) static void init() { + + gum_init_embedded(); + if (!gum_stalker_is_supported()) { + + gum_deinit_embedded(); + FATAL("Failed to initialize embedded"); + + } + + intercept_main(); + +} + diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c new file mode 100644 index 00000000..64633c1c --- /dev/null +++ b/frida_mode/src/prefetch.c @@ -0,0 +1,121 @@ +#include +#include +#include + +#include "frida-gum.h" +#include "prefetch.h" +#include "debug.h" + +#define TRUST 0 +#define PREFETCH_SIZE 65536 +#define PREFETCH_ENTRIES ((PREFETCH_SIZE - sizeof(size_t)) / sizeof(void *)) + +typedef struct { + + size_t count; + void * entry[PREFETCH_ENTRIES]; + +} prefetch_data_t; + +static prefetch_data_t *prefetch_data = NULL; + +static int prefetch_shm_id = -1; + +/* + * We do this from the transformer since we need one anyway for coverage, this + * saves the need to use an event sink. + */ +void prefetch_write(void *addr) { + + /* Bail if we aren't initialized */ + if (prefetch_data == NULL) return; + + /* + * Our shared memory IPC is large enough for about 1000 entries, we can fine + * tune this if we need to. But if we have more new blocks that this in a + * single run then we ignore them and we'll pick them up next time. + */ + if (prefetch_data->count >= PREFETCH_ENTRIES) return; + + /* + * Write the block address to the SHM IPC and increment the number of entries. + */ + + prefetch_data->entry[prefetch_data->count] = addr; + prefetch_data->count++; + +} + +/* + * Read the IPC region one block at the time and prefetch it + */ +void prefetch_read(GumStalker *stalker) { + + if (prefetch_data == NULL) return; + + for (size_t i = 0; i < prefetch_data->count; i++) { + + void *addr = prefetch_data->entry[i]; + gum_stalker_prefetch(stalker, addr, 1); + + } + + /* + * Reset the entry count to indicate we have finished with it and it can be + * refilled by the child. + */ + prefetch_data->count = 0; + +} + +void prefetch_init() { + + g_assert_cmpint(sizeof(prefetch_data_t), ==, PREFETCH_SIZE); + gboolean prefetch = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL); + + OKF("Instrumentation - prefetch [%c]", prefetch ? 'X' : ' '); + + if (!prefetch) { return; } + /* + * Make our shared memory, we can attach before we fork, just like AFL does + * with the coverage bitmap region and fork will take care of ensuring both + * the parent and child see the same consistent memory region. + */ + prefetch_shm_id = + shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600); + if (prefetch_shm_id < 0) { + + FATAL("prefetch_shm_id < 0 - errno: %d\n", errno); + + } + + prefetch_data = shmat(prefetch_shm_id, NULL, 0); + g_assert(prefetch_data != MAP_FAILED); + + /* + * Configure the shared memory region to be removed once the process dies. + */ + if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { + + FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + + } + + /* Clear it, not sure it's necessary, just seems like good practice */ + memset(prefetch_data, '\0', sizeof(prefetch_data_t)); + +} + +__attribute__((noinline)) static void prefetch_activation() { + + asm volatile(""); + +} + +void prefetch_start(GumStalker *stalker) { + + gum_stalker_activate(stalker, prefetch_activation); + prefetch_activation(); + +} + diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c new file mode 100644 index 00000000..fc14710f --- /dev/null +++ b/frida_mode/src/ranges.c @@ -0,0 +1,395 @@ +// 0x123-0x321 +// module.so + +#include "ranges.h" +#include "debug.h" + +#define MAX_RANGES 20 + +typedef struct { + + gchar * suffix; + GumMemoryRange *range; + gboolean done; + +} convert_name_ctx_t; + +typedef struct { + + GumStalker *stalker; + GArray * array; + +} include_range_ctx_t; + +GArray * ranges = NULL; +gboolean exclude_ranges = false; + +static void convert_address_token(gchar *token, GumMemoryRange *range) { + + gchar **tokens; + int token_count; + tokens = g_strsplit(token, "-", 2); + for (token_count = 0; tokens[token_count] != NULL; token_count++) + ; + + if (token_count != 2) { + + FATAL("Invalid range (should have two addresses seperated by a '-'): %s\n", + token); + + } + + gchar *from_str = tokens[0]; + gchar *to_str = tokens[1]; + + if (!g_str_has_prefix(from_str, "0x")) { + + FATAL("Invalid range: %s - Start address should have 0x prefix: %s\n", + token, from_str); + + } + + if (!g_str_has_prefix(to_str, "0x")) { + + FATAL("Invalid range: %s - End address should have 0x prefix: %s\n", token, + to_str); + + } + + from_str = &from_str[2]; + to_str = &to_str[2]; + + for (char *c = from_str; *c != '\0'; c++) { + + if (!g_ascii_isxdigit(*c)) { + + FATAL("Invalid range: %s - Start address not formed of hex digits: %s\n", + token, from_str); + + } + + } + + for (char *c = to_str; *c != '\0'; c++) { + + if (!g_ascii_isxdigit(*c)) { + + FATAL("Invalid range: %s - End address not formed of hex digits: %s\n", + token, to_str); + + } + + } + + guint64 from = g_ascii_strtoull(from_str, NULL, 16); + if (from == 0) { + + FATAL("Invalid range: %s - Start failed hex conversion: %s\n", token, + from_str); + + } + + guint64 to = g_ascii_strtoull(to_str, NULL, 16); + if (to == 0) { + + FATAL("Invalid range: %s - End failed hex conversion: %s\n", token, to_str); + + } + + if (from >= to) { + + FATAL("Invalid range: %s - Start (0x%016" G_GINT64_MODIFIER + "x) must be less than end " + "(0x%016" G_GINT64_MODIFIER "x)\n", + token, from, to); + + } + + range->base_address = from; + range->size = to - from; + + g_strfreev(tokens); + +} + +static gboolean convert_name_token_for_module(const GumModuleDetails *details, + gpointer user_data) { + + convert_name_ctx_t *ctx = (convert_name_ctx_t *)user_data; + if (details->path == NULL) { return true; }; + + if (!g_str_has_suffix(details->path, ctx->suffix)) { return true; }; + + OKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x %s", + ctx->suffix, details->range->base_address, + details->range->base_address + details->range->size, details->path); + + *ctx->range = *details->range; + ctx->done = true; + return false; + +} + +static void convert_name_token(gchar *token, GumMemoryRange *range) { + + gchar * suffix = g_strconcat("/", token, NULL); + convert_name_ctx_t ctx = {.suffix = suffix, .range = range, .done = false}; + + gum_process_enumerate_modules(convert_name_token_for_module, &ctx); + if (!ctx.done) { FATAL("Failed to resolve module: %s\n", token); } + g_free(suffix); + +} + +static void convert_token(gchar *token, GumMemoryRange *range) { + + if (g_strrstr(token, "-")) { + + convert_address_token(token, range); + + } else { + + convert_name_token(token, range); + + } + + OKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x\n", + token, range->base_address, range->base_address + range->size); + +} + +static gboolean include_ranges(const GumRangeDetails *details, + gpointer user_data) { + + include_range_ctx_t *ctx = (include_range_ctx_t *)user_data; + GArray * array = (GArray *)ctx->array; + GumAddress base = details->range->base_address; + GumAddress limit = details->range->base_address + details->range->size; + + OKF("Range for inclusion 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + base, limit); + + for (int i = 0; i < array->len; i++) { + + GumMemoryRange *range = &g_array_index(array, GumMemoryRange, i); + GumAddress range_base = range->base_address; + GumAddress range_limit = range->base_address + range->size; + + /* Before the region */ + if (range_limit < base) { continue; } + + /* After the region */ + if (range_base > limit) { + + GumMemoryRange exclude = {.base_address = base, .size = limit - base}; + OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER + "x", + base, limit); + gum_stalker_exclude(ctx->stalker, &exclude); + return true; + + } + + /* Overlap the start of the region */ + if (range_base < base) { + + /* Range contains the region */ + if (range_limit > limit) { + + return true; + + } else { + + base = range_limit; + continue; + + } + + /* Overlap the end of the region */ + + } else { + + GumMemoryRange exclude = {.base_address = base, + .size = range_base - base}; + OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER + "x", + base, range_base); + gum_stalker_exclude(ctx->stalker, &exclude); + /* Extend past the end of the region */ + if (range_limit >= limit) { + + return true; + + /* Contained within the region */ + + } else { + + base = range_limit; + continue; + + } + + } + + } + + GumMemoryRange exclude = {.base_address = base, .size = limit - base}; + OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", + base, limit); + gum_stalker_exclude(ctx->stalker, &exclude); + return true; + +} + +gint range_sort(gconstpointer a, gconstpointer b) { + + return ((GumMemoryRange *)a)->base_address - + ((GumMemoryRange *)b)->base_address; + +} + +static gboolean print_ranges(const GumRangeDetails *details, + gpointer user_data) { + + if (details->file == NULL) { + + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X", + details->range->base_address, + details->range->base_address + details->range->size); + + } else { + + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %s(0x%016" G_GINT64_MODIFIER "x)", + details->range->base_address, + details->range->base_address + details->range->size, + details->file->path, details->file->offset); + + } + + return true; + +} + +void ranges_init(GumStalker *stalker) { + + char * showmaps; + char * include; + char * exclude; + char * list; + gchar ** tokens; + int token_count; + GumMemoryRange range; + + int i; + + showmaps = getenv("AFL_FRIDA_DEBUG_MAPS"); + include = getenv("AFL_FRIDA_INST_RANGES"); + exclude = getenv("AFL_FRIDA_EXCLUDE_RANGES"); + + if (showmaps) { + + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges, NULL); + + } + + if (include != NULL && exclude != NULL) { + + FATAL( + "Cannot specifify both AFL_FRIDA_INST_RANGES and " + "AFL_FRIDA_EXCLUDE_RANGES"); + + } + + if (include == NULL && exclude == NULL) { return; } + + list = include == NULL ? exclude : include; + exclude_ranges = include == NULL ? true : false; + + tokens = g_strsplit(list, ",", MAX_RANGES); + + for (token_count = 0; tokens[token_count] != NULL; token_count++) + ; + + ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), token_count); + + for (i = 0; i < token_count; i++) { + + convert_token(tokens[i], &range); + g_array_append_val(ranges, range); + + } + + g_array_sort(ranges, range_sort); + + /* Check for overlaps */ + for (i = 1; i < token_count; i++) { + + GumMemoryRange *prev = &g_array_index(ranges, GumMemoryRange, i - 1); + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress prev_limit = prev->base_address + prev->size; + GumAddress curr_limit = curr->base_address + curr->size; + if (prev_limit > curr->base_address) { + + FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + prev->base_address, prev_limit, curr->base_address, curr_limit); + + } + + } + + for (i = 0; i < token_count; i++) { + + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress curr_limit = curr->base_address + curr->size; + OKF("Range %3d - 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", + i, curr->base_address, curr_limit); + + } + + if (include == NULL) { + + for (i = 0; i < token_count; i++) { + + gum_stalker_exclude(stalker, &g_array_index(ranges, GumMemoryRange, i)); + + } + + } else { + + include_range_ctx_t ctx = {.stalker = stalker, .array = ranges}; + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, include_ranges, &ctx); + + } + + g_strfreev(tokens); + +} + +gboolean range_is_excluded(gpointer address) { + + int i; + GumAddress test = GUM_ADDRESS(address); + + if (ranges == NULL) { return false; } + + for (i = 0; i < ranges->len; i++) { + + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress curr_limit = curr->base_address + curr->size; + + if (test < curr->base_address) { return !exclude_ranges; } + + if (test < curr_limit) { return exclude_ranges; } + + } + + return !exclude_ranges; + +} + diff --git a/frida_mode/test/testinstr.c b/frida_mode/test/testinstr.c new file mode 100644 index 00000000..2c3d5144 --- /dev/null +++ b/frida_mode/test/testinstr.c @@ -0,0 +1,105 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +TESTINSTR_SECTION void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +int main(int argc, char **argv) { + + char * file; + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + if (argc != 2) { return 1; } + + do { + + file = argv[1]; + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + diff --git a/frida_mode/test/testinstr.py b/frida_mode/test/testinstr.py new file mode 100755 index 00000000..8f5fe886 --- /dev/null +++ b/frida_mode/test/testinstr.py @@ -0,0 +1,32 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, section, base): + with open(file, 'rb') as f: + for sect in ELFFile(f).iter_sections(): + if (sect.name == section): + start = base + sect.header['sh_offset'] + end = start + sect.header['sh_size'] + print ("0x%016x-0x%016x" % (start, end)) + return + + print ("Section '%s' not found in '%s'" % (section, file)) + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--section', dest='section', type=str, + help='elf section name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + process_file (args.file, args.section, args.base) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/include/envs.h b/include/envs.h index d7578045..1e383b0c 100644 --- a/include/envs.h +++ b/include/envs.h @@ -50,6 +50,13 @@ static char *afl_environment_variables[] = { "AFL_EXIT_WHEN_DONE", "AFL_FAST_CAL", "AFL_FORCE_UI", + "AFL_FRIDA_DEBUG_MAPS", + "AFL_FRIDA_EXCLUDE_RANGES", + "AFL_FRIDA_INST_NO_OPTIMIZE", + "AFL_FRIDA_INST_NO_PREFETCH", + "AFL_FRIDA_INST_RANGES", + "AFL_FRIDA_INST_STRICT", + "AFL_FRIDA_INST_TRACE", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_GDB", "AFL_GCC_ALLOWLIST", diff --git a/include/forkserver.h b/include/forkserver.h index ac027f81..4709f6a5 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -77,6 +77,8 @@ typedef struct afl_forkserver { bool qemu_mode; /* if running in qemu mode or not */ + bool frida_mode; /* if running in frida mode or not */ + bool use_stdin; /* use stdin for sending data */ bool no_unlink; /* do not unlink cur_input */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index e106cd31..6ff119ac 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -83,6 +83,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_timed_out; /* Child timed out? */ static u8 *target_path; +static u8 frida_mode; static u8 qemu_mode; static u32 map_size = MAP_SIZE; @@ -717,9 +718,11 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment(void) { +static void set_up_environment(char **argv) { - u8 *x; + u8 * x; + char *afl_preload; + char *frida_afl_preload = NULL; dev_null_fd = open("/dev/null", O_RDWR); if (dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } @@ -824,6 +827,26 @@ static void set_up_environment(void) { /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ + } else if (frida_mode) { + + afl_preload = getenv("AFL_PRELOAD"); + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + if (afl_preload) { + + frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); + + } else { + + frida_afl_preload = alloc_printf("%s", frida_binary); + + } + + ck_free(frida_binary); + OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); + + setenv("LD_PRELOAD", frida_afl_preload, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); + } else { setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); @@ -831,8 +854,18 @@ static void set_up_environment(void) { } + } else if (frida_mode) { + + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + setenv("LD_PRELOAD", frida_binary, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); + OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); + ck_free(frida_binary); + } + if (frida_afl_preload) { ck_free(frida_afl_preload); } + } /* Setup signal handlers, duh. */ @@ -872,6 +905,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" + " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " @@ -914,7 +948,7 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n"); - while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0) { + while ((opt = getopt(argc, argv, "+i:f:m:t:eOQUWh")) > 0) { switch (opt) { @@ -1008,6 +1042,14 @@ int main(int argc, char **argv_orig, char **envp) { break; + case 'O': /* FRIDA mode */ + + if (frida_mode) { FATAL("Multiple -O options not supported"); } + + frida_mode = 1; + + break; + case 'Q': if (qemu_mode) { FATAL("Multiple -Q options not supported"); } @@ -1062,7 +1104,7 @@ int main(int argc, char **argv_orig, char **envp) { atexit(at_exit_handler); setup_signal_handlers(); - set_up_environment(); + set_up_environment(argv); target_path = find_binary(argv[optind]); detect_file_args(argv + optind, prog_in, &use_stdin); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 70a49a6b..cb0190a0 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2692,7 +2692,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ - if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && + if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode && !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { @@ -2720,7 +2720,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if ((afl->fsrv.qemu_mode) && + if ((afl->fsrv.qemu_mode || afl->fsrv.frida_mode) && memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST @@ -2757,7 +2757,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { + if (afl->fsrv.frida_mode || + memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { OKF(cPIN "Deferred forkserver binary detected."); setenv(DEFER_ENV_VAR, "1", 1); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index d70ffd31..34e9d420 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -109,6 +109,7 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" + " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " @@ -320,6 +321,8 @@ int main(int argc, char **argv_orig, char **envp) { u8 *extras_dir[4]; u8 mem_limit_given = 0, exit_1 = 0, debug = 0, extras_dir_cnt = 0 /*, have_p = 0*/; + char * afl_preload; + char * frida_afl_preload = NULL; char **use_argv; struct timeval tv; @@ -363,7 +366,7 @@ int main(int argc, char **argv_orig, char **envp) { while ((opt = getopt( argc, argv, - "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:RQs:S:t:T:UV:Wx:Z")) > 0) { + "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > 0) { switch (opt) { @@ -755,6 +758,18 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_banner = optarg; break; + case 'O': /* FRIDA mode */ + + if (afl->fsrv.frida_mode) { + + FATAL("Multiple -O options not supported"); + + } + + afl->fsrv.frida_mode = 1; + + break; + case 'Q': /* QEMU mode */ if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } @@ -1085,6 +1100,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->non_instrumented_mode) { if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); } + if (afl->fsrv.frida_mode) { FATAL("-O and -n are mutually exclusive"); } if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); } if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); } @@ -1289,6 +1305,26 @@ int main(int argc, char **argv_orig, char **envp) { /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ + } else if (afl->fsrv.frida_mode) { + + afl_preload = getenv("AFL_PRELOAD"); + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + if (afl_preload) { + + frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); + + } else { + + frida_afl_preload = alloc_printf("%s", frida_binary); + + } + + ck_free(frida_binary); + OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); + + setenv("LD_PRELOAD", frida_afl_preload, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); + } else { setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); @@ -1296,6 +1332,14 @@ int main(int argc, char **argv_orig, char **envp) { } + } else if (afl->fsrv.frida_mode) { + + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + setenv("LD_PRELOAD", frida_binary, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); + OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); + ck_free(frida_binary); + } if (getenv("AFL_LD_PRELOAD")) { @@ -1479,7 +1523,8 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) { + if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && + !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); @@ -1513,7 +1558,8 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || afl->unicorn_mode) { + if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || + afl->fsrv.frida_mode || afl->unicorn_mode) { map_size = afl->fsrv.map_size = MAP_SIZE; afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size); @@ -2074,6 +2120,8 @@ stop_fuzzing: } + if (frida_afl_preload) { ck_free(frida_afl_preload); } + fclose(afl->fsrv.plot_file); destroy_queue(afl); destroy_extras(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 558665a2..aea90b3b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -555,8 +555,10 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment(afl_forkserver_t *fsrv) { +static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { + char *afl_preload; + char *frida_afl_preload = NULL; setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -600,6 +602,26 @@ static void set_up_environment(afl_forkserver_t *fsrv) { /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ + } else if (fsrv->frida_mode) { + + afl_preload = getenv("AFL_PRELOAD"); + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + if (afl_preload) { + + frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); + + } else { + + frida_afl_preload = alloc_printf("%s", frida_binary); + + } + + ck_free(frida_binary); + OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); + + setenv("LD_PRELOAD", frida_afl_preload, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); + } else { setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); @@ -607,8 +629,18 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } + } else if (fsrv->frida_mode) { + + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + setenv("LD_PRELOAD", frida_binary, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); + OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); + ck_free(frida_binary); + } + if (frida_afl_preload) { ck_free(frida_afl_preload); } + } /* Setup signal handlers, duh. */ @@ -655,6 +687,7 @@ static void usage(u8 *argv0) { "Execution control settings:\n" " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%u MB)\n" + " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use Unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n" @@ -723,7 +756,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; } - while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZQUWbcrsh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOQUWbcrsh")) > 0) { switch (opt) { @@ -857,6 +890,14 @@ int main(int argc, char **argv_orig, char **envp) { at_file = optarg; break; + case 'O': /* FRIDA mode */ + + if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } + + fsrv->frida_mode = 1; + + break; + case 'Q': if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } @@ -943,7 +984,7 @@ int main(int argc, char **argv_orig, char **envp) { shm.cmplog_mode = 0; setup_signal_handlers(); - set_up_environment(fsrv); + set_up_environment(fsrv, argv); fsrv->target_path = find_binary(argv[optind]); fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index fc974262..68e61109 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -640,9 +640,11 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment(afl_forkserver_t *fsrv) { +static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { - u8 *x; + u8 * x; + char *afl_preload; + char *frida_afl_preload = NULL; fsrv->dev_null_fd = open("/dev/null", O_RDWR); if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } @@ -755,6 +757,26 @@ static void set_up_environment(afl_forkserver_t *fsrv) { /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ + } else if (fsrv->frida_mode) { + + afl_preload = getenv("AFL_PRELOAD"); + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + if (afl_preload) { + + frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); + + } else { + + frida_afl_preload = alloc_printf("%s", frida_binary); + + } + + ck_free(frida_binary); + OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); + + setenv("LD_PRELOAD", frida_afl_preload, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); + } else { setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); @@ -762,8 +784,18 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } + } else if (fsrv->frida_mode) { + + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + setenv("LD_PRELOAD", frida_binary, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); + OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); + ck_free(frida_binary); + } + if (frida_afl_preload) { ck_free(frida_afl_preload); } + } /* Setup signal handlers, duh. */ @@ -804,6 +836,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" + " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " @@ -859,7 +892,7 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n"); - while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeOQUWHh")) > 0) { switch (opt) { @@ -971,6 +1004,14 @@ int main(int argc, char **argv_orig, char **envp) { break; + case 'O': /* FRIDA mode */ + + if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } + + fsrv->frida_mode = 1; + + break; + case 'Q': if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } @@ -1054,7 +1095,7 @@ int main(int argc, char **argv_orig, char **envp) { atexit(at_exit_handler); setup_signal_handlers(); - set_up_environment(fsrv); + set_up_environment(fsrv, argv); fsrv->target_path = find_binary(argv[optind]); fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); -- cgit 1.4.1 From 1725e6be316b57e89df2a077710b66b684b55242 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 25 Mar 2021 17:41:14 +0000 Subject: Fix support for afl-cmin and updated README --- afl-cmin | 11 +++- afl-cmin.bash | 9 +++- frida_mode/Makefile | 40 ++++++++++++++ frida_mode/README.md | 145 ++++++++++++++++++++++++++++++++++++++++----------- src/afl-analyze.c | 2 - src/afl-fuzz.c | 2 - src/afl-showmap.c | 3 -- src/afl-tmin.c | 2 - 8 files changed, 172 insertions(+), 42 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/afl-cmin b/afl-cmin index a1fc6f21..3f3a7517 100755 --- a/afl-cmin +++ b/afl-cmin @@ -106,6 +106,7 @@ function usage() { " -f file - location read by the fuzzed program (stdin)\n" \ " -m megs - memory limit for child process ("mem_limit" MB)\n" \ " -t msec - run time limit for child process (none)\n" \ +" -O - use binary-only instrumentation (FRIDA mode)\n" \ " -Q - use binary-only instrumentation (QEMU mode)\n" \ " -U - use unicorn-based instrumentation (unicorn mode)\n" \ "\n" \ @@ -140,7 +141,7 @@ BEGIN { # process options Opterr = 1 # default is to diagnose Optind = 1 # skip ARGV[0] - while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eCQU?")) != -1) { + while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eCOQU?")) != -1) { if (_go_c == "i") { if (!Optarg) usage() if (in_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"} @@ -180,6 +181,12 @@ BEGIN { extra_par = extra_par " -e" continue } else + if (_go_c == "O") { + if (frida_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"} + extra_par = extra_par " -O" + frida_mode = 1 + continue + } else if (_go_c == "Q") { if (qemu_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"} extra_par = extra_par " -Q" @@ -275,7 +282,7 @@ BEGIN { target_bin = tnew } - if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !unicorn_mode) { + if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) { if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) { print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr" exit 1 diff --git a/afl-cmin.bash b/afl-cmin.bash index 5b2c3894..f4bd269d 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -53,7 +53,7 @@ unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \ export AFL_QUIET=1 -while getopts "+i:o:f:m:t:eQUCh" opt; do +while getopts "+i:o:f:m:t:eOQUCh" opt; do case "$opt" in @@ -83,6 +83,10 @@ while getopts "+i:o:f:m:t:eQUCh" opt; do "C") export AFL_CMIN_CRASHES_ONLY=1 ;; + "O") + EXTRA_PAR="$EXTRA_PAR -O" + FRIDA_MODE=1 + ;; "Q") EXTRA_PAR="$EXTRA_PAR -Q" QEMU_MODE=1 @@ -118,6 +122,7 @@ Execution control settings: -f file - location read by the fuzzed program (stdin) -m megs - memory limit for child process ($MEM_LIMIT MB) -t msec - run time limit for child process (none) + -O - use binary-only instrumentation (FRIDA mode) -Q - use binary-only instrumentation (QEMU mode) -U - use unicorn-based instrumentation (Unicorn mode) @@ -209,7 +214,7 @@ if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then fi -if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$UNICORN_MODE" = "" ]; then +if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$FRIDA_MODE" = "" -a "$UNICORN_MODE" = "" ]; then if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2 diff --git a/frida_mode/Makefile b/frida_mode/Makefile index 73a4142c..efae5ebf 100644 --- a/frida_mode/Makefile +++ b/frida_mode/Makefile @@ -306,5 +306,45 @@ analyze_frida: $(TEST_BIN) ./afl-analyze \ -O \ -i $(TEST_DATA_DIR)basn0g01.png \ + -- \ + $(TEST_BIN) @@ + +cmin_qemu: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-cmin \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + +cmin_frida: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-cmin \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ + +cmin_bash_qemu: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-cmin.bash \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + +cmin_bash_frida: $(TEST_BIN) + make -C .. + cd .. && \ + ./afl-cmin.bash \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ -- \ $(TEST_BIN) @@ \ No newline at end of file diff --git a/frida_mode/README.md b/frida_mode/README.md index c5436e8b..bc260e3e 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -3,46 +3,133 @@ The purpose of FRIDA mode is to provide an alternative binary only fuzzer for AF just like that provided by QEMU mode. The intention is to provide a very similar user experience, right down to the options provided through environment variables. -Additionally, the intention is to be able to make a direct performance comparison -between the two approaches. Hopefully, we should also be able to leverage the same -approaches for adding features which QEMU uses, possibly even sharing code. +Whilst AFLplusplus already has some support for running on FRIDA [here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/afl_frida) +this requires the code to be fuzzed to be provided as a shared library, it +cannot be used to fuzz executables. Additionally, it requires the user to write +a small harness around their target code of interest, FRIDA mode instead takes a +different approach to avoid these limitations. -## Limitations -The current focus is on x64 support for Intel. Although parts may be architecturally -dependent, the approach itself should remain architecture agnostic. +# Current Progress +As FRIDA mode is new, it is missing a lot of features. Most importantly, +persistent mode. The design is such that it should be possible to add these +features in a similar manner to QEMU mode and perhaps leverage some of its +design and implementation. -## Usage -FRIDA mode requires some small modifications to the afl-fuzz and similar tools in -AFLplusplus. The intention is that it behaves identically to QEMU, but uses the 'O' -switch rather than 'Q'. + | Feature/Instrumentation | frida-mode | + | -------------------------|:----------:| + | NeverZero | | + | Persistent Mode | | + | LAF-Intel / CompCov | | + | CmpLog | | + | Selective Instrumentation| x | + | Non-Colliding Coverage | | + | Ngram prev_loc Coverage | | + | Context Coverage | | + | Auto Dictionary | | + | Snapshot LKM Support | | -## Design -AFL Frida works by means of a shared library injected into a binary program using -LD_PRELOAD, similar to the way which other fuzzing features are injected into targets. +# Compatibility +Currently FRIDA mode supports Linux and macOS targets on both x86/x64 +architecture and aarch64. Later releases may add support for aarch32 and Windows +targets as well as embedded linux environments. -## Testing -Alongside the FRIDA mode, we also include a test program for fuzzing. This test -program is built using the libpng benchmark from fuzz-bench and integrating the -StandaloneFuzzTargetMain from the llvm project. This is built and linked without -any special modifications to suit FRIDA or QEMU. However, at present we don't have -a representative corpus. +FRIDA has been used on various embedded targets using both uClibc and musl C +runtime libraries, so porting should be possible. However, the current build +system does not support cross compilation. ## Getting Started To build everything run `make`. -To run the benchmark sample with qemu run `make test_qemu`. -To run the benchmark sample with frida run `make test_frida`. +To run the benchmark sample with qemu run `make png_qemu`. +To run the benchmark sample with frida run `make png_frida`. + +## Usage +FRIDA mode requires some small modifications to the afl-fuzz and similar tools +in AFLplusplus. The intention is that it behaves identically to QEMU, but uses +the 'O' switch rather than 'Q'. Whilst the options 'f', 'F', 's' or 'S' may have +made more sense for a mode powered by FRIDA Stalker, they were all taken, so +instead we use 'O' in homage to the [author](https://github.com/oleavr) of +FRIDA. + +Similarly, the intention is to mimic the use of environment variables used by +QEMU where possible (although replacing `s/QEMU/FRIDA/g`). Accodingly, the +following options are currently supported. -# Configuration options * `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS` * `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES` -* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`. -* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork. * `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` -* `AFL_FRIDA_INST_STRICT` - Under certain conditions, Stalker may encroach into excluded regions and generate both instrumented blocks and coverage data (e.g. indirect calls on x86). The excluded block is generally honoured as soon as another function is called within the excluded region. The overhead of generating, running and instrumenting these few additional blocks is likely to be fairly small, but it may hinder you when checking that the correct number of paths are found for testing purposes or similar. There is a performance penatly for this option during block compilation where we check the block isn't in a list of excluded ranges. -* `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code. Requires `AFL_FRIDA_INST_NO_OPTIMIZE`. + +# Performance + +Additionally, the intention is to be able to make a direct performance +comparison between the two approaches. Accordingly, FRIDA mode includes a test +target based on the [libpng](https://libpng.sourceforge.io/) benchmark used by +[fuzzbench](https://google.github.io/fuzzbench/) and integrated with the +[StandaloneFuzzTargetMain](https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c) +from the llvm project. This is built and linked without any special +modifications to suit FRIDA or QEMU. We use the test data provided with libpng +as our corpus. + +Whilst not much performance tuning has been completed to date, performance is +around 30-50% of that of QEMU mode, however, this gap may reduce with the +introduction of persistent mode. Performance can be tested by running +`make compare`, albeit a longer time measurement may be required for move +accurate results. + +Whilst [afl_frida](https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/afl_frida) +claims a 5-10x performance increase over QEMU, it has not been possible to +reproduce these claims. However, the number of executions per second can vary +dramatically as a result of the randomization of the fuzzer input. Some inputs +may traverse relatively few paths before being rejected as invalid whilst others +may be valid inputs or be subject to much more processing before rejection. +Accordingly, it is recommended that testing be carried out over prolongued +periods to gather timings which are more than indicative. + +# Design +FRIDA mode is supported by using `LD_PRELOAD` (`DYLD_INSERT_LIBRARIES` on macOS) +to inject a shared library (`afl-frida-trace.so`) into the target. This shared +library is built using the [frida-gum](https://github.com/frida/frida-gum) +devkit from the [FRIDA](https://github.com/frida/frida) project. One of the +components of frida-gum is [Stalker](https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8), +this allows the dynamic instrumentation of running code for AARCH32, AARCH64, +x86 and x64 architectutes. Implementation details can be found +[here](https://frida.re/docs/stalker/). + +Dynamic instrumentation is used to augment the target application with similar +coverage information to that inserted by `afl-gcc` or `afl-clang`. The shared +library is also linked to the `compiler-rt` component of AFLplusplus to feedback +this coverage information to AFL and also provide a fork server. It also makes +use of the FRIDA [prefetch](https://github.com/frida/frida-gum/blob/56dd9ba3ee9a5511b4b0c629394bf122775f1ab7/gum/gumstalker.h#L115) +support to feedback instrumented blocks from the child to the parent using a +shared memory region to avoid the need to regenerate instrumented blocks on each +fork. + +Whilst FRIDA allows for a normal C function to be used to augment instrumented +code, to minimize the costs of storing and restoring all of the registers, FRIDA +mode instead makes use of optimized assembly instead on AARCH64 and x86/64 +targets. + +# Advanced configuration options +* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage +instrumentation (the default where available). Required to use +`AFL_FRIDA_INST_TRACE`. +* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will +report instrumented blocks back to the parent so that it can also instrument +them and they be inherited by the next child on fork. +* `AFL_FRIDA_INST_STRICT` - Under certain conditions, Stalker may encroach into +excluded regions and generate both instrumented blocks and coverage data (e.g. +indirect calls on x86). The excluded block is generally honoured as soon as +another function is called within the excluded region and so such encroachment +is usually of little consequence. This detail may however, hinder you when +checking that the correct number of paths are found for testing purposes or +similar. There is a performance penatly for this option during block compilation +where we check the block isn't in a list of excluded ranges. +* `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code. +Requires `AFL_FRIDA_INST_NO_OPTIMIZE`. # TODO -* Add AARCH64 inline assembly optimization from libFuzz -* Fix issues running on OSX -* Identify cause of erroneous additional paths +As can be seen from the progress section above, there are a number of features +which are missing in its currently form. Chief amongst which is persistent mode. +The intention is to achieve feature parity with QEMU mode in due course. +Contributions are welcome, but please get in touch to ensure that efforts are +deconflicted. \ No newline at end of file diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 6ff119ac..8e5a1772 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -842,7 +842,6 @@ static void set_up_environment(char **argv) { } ck_free(frida_binary); - OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); setenv("LD_PRELOAD", frida_afl_preload, 1); setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); @@ -859,7 +858,6 @@ static void set_up_environment(char **argv) { u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); setenv("LD_PRELOAD", frida_binary, 1); setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); - OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); ck_free(frida_binary); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 34e9d420..ba8feb53 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1320,7 +1320,6 @@ int main(int argc, char **argv_orig, char **envp) { } ck_free(frida_binary); - OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); setenv("LD_PRELOAD", frida_afl_preload, 1); setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); @@ -1337,7 +1336,6 @@ int main(int argc, char **argv_orig, char **envp) { u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); setenv("LD_PRELOAD", frida_binary, 1); setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); - OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); ck_free(frida_binary); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index aea90b3b..38d03d80 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -617,7 +617,6 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { } ck_free(frida_binary); - OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); setenv("LD_PRELOAD", frida_afl_preload, 1); setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); @@ -634,7 +633,6 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); setenv("LD_PRELOAD", frida_binary, 1); setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); - OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); ck_free(frida_binary); } @@ -996,7 +994,6 @@ int main(int argc, char **argv_orig, char **envp) { } - if (in_dir) { /* If we don't have a file name chosen yet, use a safe default. */ diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 68e61109..bad5d71b 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -772,7 +772,6 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { } ck_free(frida_binary); - OKF("Frida Mode setting LD_PRELOAD %s", frida_afl_preload); setenv("LD_PRELOAD", frida_afl_preload, 1); setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); @@ -789,7 +788,6 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); setenv("LD_PRELOAD", frida_binary, 1); setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); - OKF("Frida Mode setting LD_PRELOAD %s", frida_binary); ck_free(frida_binary); } -- cgit 1.4.1 From 920e9402a4d6101bbbed2ef7584d85a3c3de0eaa Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Fri, 2 Apr 2021 22:23:11 +0000 Subject: Add support for standalone leak-sanitizer, introducting the environment variable AFL_USE_LSAN. AFL_USE_LSAN introduces the macro __AFL_CHECK_LEAK() which will check for a memory leak when the macro is run. This is especially helpful when using __AFL_LOOP(). If __AFL_LEAK_CHECK() is not used when AFL_USE_LSAN=1 is set, the leak checker will run when the program exits. --- GNUmakefile | 4 ++-- README.md | 2 +- docs/env_variables.md | 20 ++++++++++++++++---- docs/notes_for_asan.md | 7 +++++++ include/config.h | 4 ++++ include/envs.h | 1 + src/afl-analyze.c | 19 +++++++++++++++++++ src/afl-as.c | 7 ++++--- src/afl-cc.c | 16 ++++++++++++++-- src/afl-forkserver.c | 17 +++++++++++++---- src/afl-fuzz-init.c | 17 ++++++++++++++++- src/afl-showmap.c | 4 ++++ src/afl-tmin.c | 18 ++++++++++++++++++ test/test-pre.sh | 1 + 14 files changed, 120 insertions(+), 17 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/GNUmakefile b/GNUmakefile index f885f998..a6314a8b 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -517,7 +517,7 @@ code-format: ifndef AFL_NO_X86 test_build: afl-cc afl-gcc afl-as afl-showmap @echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..." - @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 ) + @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 ) ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr @@ -525,7 +525,7 @@ test_build: afl-cc afl-gcc afl-as afl-showmap @echo @echo "[+] All right, the instrumentation of afl-cc seems to be working!" # @echo "[*] Testing the CC wrapper afl-gcc and its instrumentation output..." -# @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN; AFL_CC=$(CC) ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-gcc failed"; exit 1 ) +# @unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; AFL_CC=$(CC) ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-gcc failed"; exit 1 ) # ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null # echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr # @rm -f test-instr diff --git a/README.md b/README.md index 2528e1d1..41d55e9c 100644 --- a/README.md +++ b/README.md @@ -601,7 +601,7 @@ Every -M/-S entry needs a unique name (that can be whatever), however the same For every secondary fuzzer there should be a variation, e.g.: * one should fuzz the target that was compiled differently: with sanitizers activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; - export AFL_USE_CFISAN=1 ; ` + export AFL_USE_CFISAN=1 ; export AFL_USE_LSAN`) * one should fuzz the target with CMPLOG/redqueen (see above) * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV (see above). Important note: If you run more than one laf-intel/COMPCOV diff --git a/docs/env_variables.md b/docs/env_variables.md index c6ad0aa4..682ab7f1 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -55,7 +55,7 @@ make fairly broad use of environmental variables instead: overridden. - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your - compiler supports that. Note that fuzzing with ASAN is mildly challenging + compiler supports itt. Note that fuzzing with ASAN is mildly challenging - see [notes_for_asan.md](notes_for_asan.md). (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the @@ -64,6 +64,13 @@ make fairly broad use of environmental variables instead: there is the Control Flow Integrity sanitizer that can be activated by `AFL_USE_CFISAN=1`) + - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided + that your compiler supports it. To perform a leak check within your + program at a certain point (such as at the end of an __AFL_LOOP, + you can run the macro __AFL_CHECK_LEAK(); which will cause + an abort if any memory is leaked (you can combine this with the + LSAN_OPTIONS=suppressions option to supress some known leaks). + - Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries in your `$PATH`. @@ -628,7 +635,12 @@ optimal values if not already present in the environment: msan_track_origins=0 allocator_may_return_null=1 ``` - Be sure to include the first one when customizing anything, since some - MSAN versions don't call `abort()` on error, and we need a way to detect - faults. + - Similarly, the default `LSAN_OPTIONS` are set to: +``` + exit_code=86 + fast_unwind_on_malloc=0 +```` + Be sure to include the first ones for LSAN and MSAN when customizing + anything, since some MSAN and LSAN versions don't call `abort()` on + error, and we need a way to detect faults. diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index 2b3bc028..26f34fad 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -28,6 +28,13 @@ Note that ASAN is incompatible with -static, so be mindful of that. (You can also use AFL_USE_MSAN=1 to enable MSAN instead.) +When compiling with AFL_USE_LSAN, the leak sanitizer will normally run +when the program exits. In order to utilize this check at different times, +such as at the end of a loop, you may use the macro __AFL_CHECK_LEAK();. +This macro will report a crash in afl-fuzz if any memory is left leaking +at this stage. You can also use LSAN_OPTIONS and a supressions file +for more fine-tuned checking, however make sure you keep exitcode=23. + NOTE: if you run several secondary instances, only one should run the target compiled with ASAN (and UBSAN, CFISAN), the others should run the target with no sanitizers compiled in. diff --git a/include/config.h b/include/config.h index 29225f6b..6490a5fe 100644 --- a/include/config.h +++ b/include/config.h @@ -393,6 +393,10 @@ #define MSAN_ERROR 86 +/* Distinctive exit code used to indicate LSAN trip condition: */ + +#define LSAN_ERROR 23 + /* Designated file descriptors for forkserver commands (the application will use FORKSRV_FD and FORKSRV_FD + 1): */ diff --git a/include/envs.h b/include/envs.h index 2ce50be7..d1856c50 100644 --- a/include/envs.h +++ b/include/envs.h @@ -172,6 +172,7 @@ static char *afl_environment_variables[] = { "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", "AFL_USE_CFISAN", + "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 86b0f7e9..90305714 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -781,6 +781,19 @@ static void set_up_environment(void) { } + x = get_afl_env("LSAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) { + + FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY( + LSAN_ERROR) " - please fix!"); + + } + + } + setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -818,6 +831,12 @@ static void set_up_environment(void) { "handle_sigfpe=0:" "handle_sigill=0", 0); + setenv("LSAN_OPTIONS", + "exitcode=" STRINGIFY(MSAN_ERROR) ":" + "fast_unwind_on_malloc=0", + 0); + + if (get_afl_env("AFL_PRELOAD")) { if (qemu_mode) { diff --git a/src/afl-as.c b/src/afl-as.c index 7de267a3..dfae44f2 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -517,11 +517,12 @@ static void add_instrumentation(void) { } else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", - getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); + getenv("AFL_USE_UBSAN") ? ", UBSAN" : "", + getenv("AFL_USE_LSAN") ? ", LSAN" : ""); OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).", ins_lines, use_64bit ? "64" : "32", modeline, inst_ratio); @@ -585,7 +586,7 @@ int main(int argc, char **argv) { "AFL_QUIET: suppress verbose output\n" "AFL_KEEP_ASSEMBLY: leave instrumented assembly files\n" "AFL_AS_FORCE_INSTRUMENT: force instrumentation for asm sources\n" - "AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN:\n" + "AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN, AFL_USE_LSAN:\n" " used in the instrumentation summary message\n", argv[0]); diff --git a/src/afl-cc.c b/src/afl-cc.c index 5251465b..e0478503 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -758,7 +758,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) have_instr_list = 1; - if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) + if (!(strcmp(cur, "-fsanitize=address") && strcmp(cur, "-fsanitize=memory"))) asan_set = 1; if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; @@ -817,6 +817,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } + if (getenv("AFL_USE_LSAN")) { + cc_params[cc_par_cnt++] = "-fsanitize=leak"; + } + if (getenv("AFL_USE_CFISAN")) { if (!lto_mode) { @@ -914,6 +918,13 @@ static void edit_params(u32 argc, char **argv, char **envp) { } + if (getenv("AFL_USE_LSAN")) { + cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; + } + + cc_params[cc_par_cnt++] = + "-D__AFL_CHECK_LEAK()=__lsan_do_leak_check()"; + cc_params[cc_par_cnt++] = "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = " "1;"; @@ -1740,7 +1751,8 @@ int main(int argc, char **argv, char **envp) { " AFL_USE_ASAN: activate address sanitizer\n" " AFL_USE_CFISAN: activate control flow sanitizer\n" " AFL_USE_MSAN: activate memory sanitizer\n" - " AFL_USE_UBSAN: activate undefined behaviour sanitizer\n"); + " AFL_USE_UBSAN: activate undefined behaviour sanitizer\n" + " AFL_USE_LSAN: activate leak-checker sanitizer\n"); if (have_gcc_plugin) SAYF( diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 68995388..fa89713a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -483,7 +483,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 1); } - /* Set sane defaults for ASAN if nothing else specified. */ + /* Set sane defaults for ASAN if nothing else is specified. */ if (!getenv("ASAN_OPTIONS")) setenv("ASAN_OPTIONS", @@ -500,7 +500,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "handle_sigill=0", 1); - /* Set sane defaults for UBSAN if nothing else specified. */ + /* Set sane defaults for UBSAN if nothing else is specified. */ if (!getenv("UBSAN_OPTIONS")) setenv("UBSAN_OPTIONS", @@ -538,6 +538,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "handle_sigill=0", 1); + /* LSAN, too, does not support abort_on_error=1. */ + + if (!getenv("LSAN_OPTIONS")) + setenv("LSAN_OPTIONS", + "exitcode=" STRINGIFY(LSAN_ERROR) ":" + "fast_unwind_on_malloc=0", + 1); + fsrv->init_child_func(fsrv, argv); /* Use a distinctive bitmap signature to tell the parent about execv() @@ -1210,8 +1218,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if (unlikely( /* A normal crash/abort */ (WIFSIGNALED(fsrv->child_status)) || - /* special handling for msan */ - (fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) || + /* special handling for msan and lsan */ + (fsrv->uses_asan && (WEXITSTATUS(fsrv->child_status) == MSAN_ERROR || + WEXITSTATUS(fsrv->child_status) == LSAN_ERROR)) || /* the custom crash_exitcode was returned by the target */ (fsrv->uses_crash_exitcode && WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode))) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 82c1799e..24f5c5b5 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2466,6 +2466,20 @@ void check_asan_opts(afl_state_t *afl) { } + x = get_afl_env("LSAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) { + + FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY( + LSAN_ERROR) " - please fix!"); + + } + + } + + } /* Handle stop signal (Ctrl-C, etc). */ @@ -2711,7 +2725,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { } if (memmem(f_data, f_len, "__asan_init", 11) || - memmem(f_data, f_len, "__msan_init", 11)) { + memmem(f_data, f_len, "__msan_init", 11) || + memmem(f_data, f_len, "__lsan_init", 11)) { afl->fsrv.uses_asan = 1; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 7bf5a9c7..bf076683 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -570,6 +570,10 @@ static void set_up_environment(afl_forkserver_t *fsrv) { "handle_sigfpe=0:" "handle_sigill=0", 0); + setenv("LSAN_OPTIONS", + "exitcode=" STRINGIFY(LSAN_ERROR) ":" + "fast_unwind_on_malloc=0", + 0); setenv("UBSAN_OPTIONS", "halt_on_error=1:" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 7ef8b9bf..a2741a07 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -712,6 +712,19 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } + x = get_afl_env("LSAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) { + + FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY( + LSAN_ERROR) " - please fix!"); + + } + + } + setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -749,6 +762,11 @@ static void set_up_environment(afl_forkserver_t *fsrv) { "handle_sigfpe=0:" "handle_sigill=0", 0); + setenv("LSAN_OPTIONS", + "exitcode=" STRINGIFY(LSAN_ERROR) ":" + "fast_unwind_on_malloc=0", + 0); + if (get_afl_env("AFL_PRELOAD")) { if (fsrv->qemu_mode) { diff --git a/test/test-pre.sh b/test/test-pre.sh index 85ac320b..174f2f7f 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -71,6 +71,7 @@ unset AFL_HARDEN unset AFL_USE_ASAN unset AFL_USE_MSAN unset AFL_USE_UBSAN +unset AFL_USE_LSAN unset AFL_TMPDIR unset AFL_CC unset AFL_PRELOAD -- cgit 1.4.1 From afc4da47f78a24d5e441e3815e5b322d1b27fd56 Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Sat, 3 Apr 2021 14:50:35 +0000 Subject: Fix typos, Use symbolize=0 for LSAN, Remove syntactic sugar. --- README.md | 2 +- docs/env_variables.md | 3 ++- src/afl-analyze.c | 8 ++++---- src/afl-cc.c | 2 +- src/afl-forkserver.c | 3 ++- src/afl-fuzz-init.c | 5 ++--- src/afl-showmap.c | 4 +++- src/afl-tmin.c | 3 ++- 8 files changed, 17 insertions(+), 13 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/README.md b/README.md index 41d55e9c..4d3f8aa9 100644 --- a/README.md +++ b/README.md @@ -601,7 +601,7 @@ Every -M/-S entry needs a unique name (that can be whatever), however the same For every secondary fuzzer there should be a variation, e.g.: * one should fuzz the target that was compiled differently: with sanitizers activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; - export AFL_USE_CFISAN=1 ; export AFL_USE_LSAN`) + export AFL_USE_CFISAN=1 ; export AFL_USE_LSAN=1`) * one should fuzz the target with CMPLOG/redqueen (see above) * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV (see above). Important note: If you run more than one laf-intel/COMPCOV diff --git a/docs/env_variables.md b/docs/env_variables.md index 85c2efd7..5f9233d7 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -639,7 +639,8 @@ optimal values if not already present in the environment: ``` exit_code=23 fast_unwind_on_malloc=0 -```` + symbolize=0 +``` Be sure to include the first ones for LSAN and MSAN when customizing anything, since some MSAN and LSAN versions don't call `abort()` on error, and we need a way to detect faults. diff --git a/src/afl-analyze.c b/src/afl-analyze.c index f961f13a..38a40556 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -785,10 +785,9 @@ static void set_up_environment(void) { if (x) { - if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) { + if (!strstr(x, "symbolize=0")) { - FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY( - LSAN_ERROR) " - please fix!"); + FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!"); } @@ -833,7 +832,8 @@ static void set_up_environment(void) { setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" - "fast_unwind_on_malloc=0", + "fast_unwind_on_malloc=0:" + "symbolize=0", 0); diff --git a/src/afl-cc.c b/src/afl-cc.c index 975b28d1..650e4e43 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -758,7 +758,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) have_instr_list = 1; - if (!(strcmp(cur, "-fsanitize=address") && strcmp(cur, "-fsanitize=memory"))) + if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) asan_set = 1; if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index fa89713a..f102b73b 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -543,7 +543,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!getenv("LSAN_OPTIONS")) setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" - "fast_unwind_on_malloc=0", + "fast_unwind_on_malloc=0:" + "symbolize=0", 1); fsrv->init_child_func(fsrv, argv); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 24f5c5b5..6f663021 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2470,10 +2470,9 @@ void check_asan_opts(afl_state_t *afl) { if (x) { - if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) { + if (!strstr(x, "symbolize=0")) { - FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY( - LSAN_ERROR) " - please fix!"); + FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index bf076683..2b7d200b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -570,9 +570,11 @@ static void set_up_environment(afl_forkserver_t *fsrv) { "handle_sigfpe=0:" "handle_sigill=0", 0); + setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" - "fast_unwind_on_malloc=0", + "fast_unwind_on_malloc=0:" + "symbolize=0", 0); setenv("UBSAN_OPTIONS", diff --git a/src/afl-tmin.c b/src/afl-tmin.c index a2741a07..c257b67c 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -764,7 +764,8 @@ static void set_up_environment(afl_forkserver_t *fsrv) { setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" - "fast_unwind_on_malloc=0", + "fast_unwind_on_malloc=0:" + "symbolize=0", 0); if (get_afl_env("AFL_PRELOAD")) { -- cgit 1.4.1 From 99819cf5d1cbc262810f26098a5796c9d1262bc5 Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Sun, 4 Apr 2021 12:45:52 +0000 Subject: Move definition of __AFL_LEAK_CHECK inside ifguards, use LSAN_OPTIONS=print_suppressions=0 --- docs/env_variables.md | 1 + src/afl-analyze.c | 3 ++- src/afl-cc.c | 10 +++------- src/afl-forkserver.c | 3 ++- src/afl-showmap.c | 3 ++- src/afl-tmin.c | 3 ++- 6 files changed, 12 insertions(+), 11 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/docs/env_variables.md b/docs/env_variables.md index 5f9233d7..83bc487f 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -640,6 +640,7 @@ optimal values if not already present in the environment: exit_code=23 fast_unwind_on_malloc=0 symbolize=0 + print_suppressions=0 ``` Be sure to include the first ones for LSAN and MSAN when customizing anything, since some MSAN and LSAN versions don't call `abort()` on diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 38a40556..f4436980 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -833,7 +833,8 @@ static void set_up_environment(void) { setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" "fast_unwind_on_malloc=0:" - "symbolize=0", + "symbolize=0:" + "print_suppressions=0", 0); diff --git a/src/afl-cc.c b/src/afl-cc.c index 650e4e43..e2dd06e2 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -819,6 +819,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (getenv("AFL_USE_LSAN")) { cc_params[cc_par_cnt++] = "-fsanitize=leak"; + cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; + cc_params[cc_par_cnt++] = + "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()"; } if (getenv("AFL_USE_CFISAN")) { @@ -918,13 +921,6 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - if (getenv("AFL_USE_LSAN")) { - cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h"; - } - - cc_params[cc_par_cnt++] = - "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()"; - cc_params[cc_par_cnt++] = "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = " "1;"; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index f102b73b..ac7a1600 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -544,7 +544,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" "fast_unwind_on_malloc=0:" - "symbolize=0", + "symbolize=0:" + "print_suppressions=0", 1); fsrv->init_child_func(fsrv, argv); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 2b7d200b..df91a4c2 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -574,7 +574,8 @@ static void set_up_environment(afl_forkserver_t *fsrv) { setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" "fast_unwind_on_malloc=0:" - "symbolize=0", + "symbolize=0:" + "print_suppressions=0", 0); setenv("UBSAN_OPTIONS", diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 3a196e2e..eb5e0dcf 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -764,7 +764,8 @@ static void set_up_environment(afl_forkserver_t *fsrv) { setenv("LSAN_OPTIONS", "exitcode=" STRINGIFY(LSAN_ERROR) ":" "fast_unwind_on_malloc=0:" - "symbolize=0", + "symbolize=0:" + "print_suppressions=0", 0); if (get_afl_env("AFL_PRELOAD")) { -- cgit 1.4.1 From 7b033367c2f49b47d0a5021a9ad9a82b514429de Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 17 May 2021 11:02:28 +0200 Subject: restrict afl-showmap in_file size --- src/afl-showmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 946b19cd..5994101e 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -386,7 +386,7 @@ static u32 read_file(u8 *in_file) { } - in_len = st.st_size; + in_len = st.st_size > MAX_FILE ? MAX_FILE : st.st_size; in_data = ck_alloc_nozero(in_len); ck_read(fd, in_data, in_len, in_file); -- cgit 1.4.1 From a3fffac90cb96736395aa9764f4cc5aa20e6cd71 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 17 May 2021 13:11:16 +0200 Subject: add warning for afl-showmap partial read --- src/afl-showmap.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5994101e..41a62108 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -386,7 +386,18 @@ static u32 read_file(u8 *in_file) { } - in_len = st.st_size > MAX_FILE ? MAX_FILE : st.st_size; + if (st.st_size > MAX_FILE) { + + WARNF("Input file '%s' is too large, only reading %u bytes.", in_file, + MAX_FILE); + in_len = MAX_FILE; + + } else { + + in_len = st.st_size; + + } + in_data = ck_alloc_nozero(in_len); ck_read(fd, in_data, in_len, in_file); -- cgit 1.4.1 From ccf739f8801c373fe2aa1bb709ffd697cfe2a3e6 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 17 May 2021 18:16:41 +0200 Subject: AFL_PRINT_FILENAMES added --- afl-cmin | 2 ++ docs/Changelog.md | 1 + docs/env_variables.md | 3 ++ src/afl-showmap.c | 82 ++++++++++++++++++++++++++++----------------------- 4 files changed, 51 insertions(+), 37 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/afl-cmin b/afl-cmin index 3f3a7517..adcbb221 100755 --- a/afl-cmin +++ b/afl-cmin @@ -123,6 +123,8 @@ function usage() { "AFL_KEEP_TRACES: leave the temporary /.traces directory\n" \ "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_PATH: path for the afl-showmap binary if not found anywhere else\n" \ +"AFL_PRINT_FILENAMES: If set, the filename currently processed will be " \ + "printed to stdout\n" \ "AFL_SKIP_BIN_CHECK: skip check for target binary\n" exit 1 } diff --git a/docs/Changelog.md b/docs/Changelog.md index 4fa70bfd..67ab9d5e 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -50,6 +50,7 @@ sending a mail to . MacOS shared memory - updated the grammar custom mutator to the newest version - add -d (add dead fuzzer stats) to afl-whatsup + - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the current filename ### Version ++3.12c (release) - afl-fuzz: diff --git a/docs/env_variables.md b/docs/env_variables.md index 8879db72..99568146 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -567,6 +567,9 @@ The corpus minimization script offers very little customization: a modest security risk on multi-user systems with rogue users, but should be safe on dedicated fuzzing boxes. + - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed. + This can help when embedding `afl-cmin` or `afl-showmap` in other scripts scripting. + ## 7) Settings for afl-tmin Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 41a62108..336ac126 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -76,17 +76,18 @@ static u32 in_len; /* Input data length */ static u32 map_size = MAP_SIZE; -static u8 quiet_mode, /* Hide non-essential messages? */ +static bool quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ raw_instr_output, /* Do not apply AFL filters */ cmin_mode, /* Generate output in afl-cmin mode? */ binary_mode, /* Write output as a binary map */ keep_cores, /* Allow coredumps? */ - remove_shm = 1, /* remove shmem? */ + remove_shm = true, /* remove shmem? */ collect_coverage, /* collect coverage */ have_coverage, /* have coverage? */ no_classify, /* do not classify counts */ - debug; /* debug mode */ + debug, /* debug mode */ + print_filenames; /* print the current filename */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_crashed; /* Child crashed? */ @@ -320,11 +321,11 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem, if (fsrv->trace_bits[0] == 1) { fsrv->trace_bits[0] = 0; - have_coverage = 1; + have_coverage = true; } else { - have_coverage = 0; + have_coverage = false; } @@ -335,11 +336,11 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem, if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(fsrv->child_status)) { - child_crashed = 1; + child_crashed = true; } else { - child_crashed = 0; + child_crashed = false; } @@ -375,6 +376,8 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem, static u32 read_file(u8 *in_file) { + if (print_filenames) { SAYF("Processing %s\n", in_file); } + struct stat st; s32 fd = open(in_file, O_RDONLY); @@ -515,11 +518,11 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { if (fsrv->trace_bits[0] == 1) { fsrv->trace_bits[0] = 0; - have_coverage = 1; + have_coverage = true; } else { - have_coverage = 0; + have_coverage = false; } @@ -529,7 +532,7 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) { - child_crashed = 1; + child_crashed = true; } @@ -559,7 +562,7 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { static void handle_stop_sig(int sig) { (void)sig; - stop_soon = 1; + stop_soon = true; afl_fsrv_killall(); } @@ -742,6 +745,8 @@ static void usage(u8 *argv0) { "AFL_MAP_SIZE: the shared memory size for that target. must be >= the " "size the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" + "AFL_PRINT_FILENAMES: If set, the filename currently processed will be " + "printed to stdout\n" "AFL_QUIET: do not print extra informational output\n", argv0, MEM_LIMIT, doc_path); @@ -755,14 +760,17 @@ int main(int argc, char **argv_orig, char **envp) { // TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ - s32 opt, i; - u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; + s32 opt, i; + bool mem_limit_given = false, timeout_given = false, unicorn_mode = false, + use_wine = false; char **use_argv; char **argv = argv_cpy_dup(argc, argv_orig); afl_forkserver_t fsrv_var = {0}; - if (getenv("AFL_DEBUG")) { debug = 1; } + if (getenv("AFL_DEBUG")) { debug = true; } + if (getenv("AFL_PRINT_FILENAMES")) { print_filenames = true; } + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); @@ -770,19 +778,19 @@ int main(int argc, char **argv_orig, char **envp) { doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; } + if (getenv("AFL_QUIET") != NULL) { be_quiet = true; } while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOQUWbcrsh")) > 0) { switch (opt) { case 's': - no_classify = 1; + no_classify = true; break; case 'C': - collect_coverage = 1; - quiet_mode = 1; + collect_coverage = true; + quiet_mode = true; break; case 'i': @@ -801,7 +809,7 @@ int main(int argc, char **argv_orig, char **envp) { u8 suffix = 'M'; if (mem_limit_given) { FATAL("Multiple -m options not supported"); } - mem_limit_given = 1; + mem_limit_given = true; if (!optarg) { FATAL("Wrong usage of -m"); } @@ -862,7 +870,7 @@ int main(int argc, char **argv_orig, char **envp) { case 't': if (timeout_given) { FATAL("Multiple -t options not supported"); } - timeout_given = 1; + timeout_given = true; if (!optarg) { FATAL("Wrong usage of -t"); } @@ -884,12 +892,12 @@ int main(int argc, char **argv_orig, char **envp) { if (edges_only) { FATAL("Multiple -e options not supported"); } if (raw_instr_output) { FATAL("-e and -r are mutually exclusive"); } - edges_only = 1; + edges_only = true; break; case 'q': - quiet_mode = 1; + quiet_mode = true; break; case 'Z': @@ -897,8 +905,8 @@ int main(int argc, char **argv_orig, char **envp) { /* This is an undocumented option to write data in the syntax expected by afl-cmin. Nobody else should have any use for this. */ - cmin_mode = 1; - quiet_mode = 1; + cmin_mode = true; + quiet_mode = true; break; case 'A': @@ -910,7 +918,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } - fsrv->frida_mode = 1; + fsrv->frida_mode = true; break; @@ -918,21 +926,21 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } - fsrv->qemu_mode = 1; + fsrv->qemu_mode = true; break; case 'U': if (unicorn_mode) { FATAL("Multiple -U options not supported"); } - unicorn_mode = 1; + unicorn_mode = true; break; case 'W': /* Wine+QEMU mode */ if (use_wine) { FATAL("Multiple -W options not supported"); } - fsrv->qemu_mode = 1; - use_wine = 1; + fsrv->qemu_mode = true; + use_wine = true; break; @@ -941,20 +949,20 @@ int main(int argc, char **argv_orig, char **envp) { /* Secret undocumented mode. Writes output in raw binary format similar to that dumped by afl-fuzz in cmplog_mode = 0; u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); - shm_fuzz->shmemfuzz_mode = 1; + shm_fuzz->shmemfuzz_mode = true; if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -1073,7 +1081,7 @@ int main(int argc, char **argv_orig, char **envp) { setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); ck_free(shm_str); #endif - fsrv->support_shmem_fuzz = 1; + fsrv->support_shmem_fuzz = true; fsrv->shmem_fuzz_len = (u32 *)map; fsrv->shmem_fuzz = map + sizeof(u32); @@ -1125,7 +1133,7 @@ int main(int argc, char **argv_orig, char **envp) { struct stat statbuf; #endif - if (getenv("AFL_DEBUG_GDB")) wait_for_gdb = 1; + if (getenv("AFL_DEBUG_GDB")) wait_for_gdb = true; fsrv->dev_null_fd = open("/dev/null", O_RDWR); if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } @@ -1164,8 +1172,8 @@ int main(int argc, char **argv_orig, char **envp) { if ((coverage_map = (u8 *)malloc(map_size)) == NULL) FATAL("coult not grab memory"); - edges_only = 0; - raw_instr_output = 1; + edges_only = false; + raw_instr_output = true; } -- cgit 1.4.1 From 9d50ae7468970412177c9e08edf7f32ff9fdf1ce Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 17 May 2021 18:54:24 +0200 Subject: Flushing for AFL_PRINT_FILENAMES --- src/afl-forkserver.c | 2 +- src/afl-showmap.c | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 0286ab47..3d472b36 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -454,7 +454,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!fsrv->debug) { r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 336ac126..10818905 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -376,7 +376,12 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem, static u32 read_file(u8 *in_file) { - if (print_filenames) { SAYF("Processing %s\n", in_file); } + if (print_filenames) { + + SAYF("Processing %s\n", in_file); + fflush(stdout); + + } struct stat st; s32 fd = open(in_file, O_RDONLY); -- cgit 1.4.1 From cdae3d3d038a28f1096ab6d34128896c19ef4733 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 19 May 2021 22:21:46 +0200 Subject: cleaned up AFL_PRINT_FILENAMES env --- include/envs.h | 1 + src/afl-fuzz.c | 2 +- src/afl-showmap.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/include/envs.h b/include/envs.h index 4fff1e3a..f1314bad 100644 --- a/include/envs.h +++ b/include/envs.h @@ -193,6 +193,7 @@ static char *afl_environment_variables[] = { "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", + "AFL_PRINT_FILENAMES", NULL }; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index eff25c91..5f939115 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1432,7 +1432,7 @@ int main(int argc, char **argv_orig, char **envp) { setenv("LD_PRELOAD", frida_afl_preload, 1); setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); - + } } else { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 10818905..9b4d21a5 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -774,7 +774,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_forkserver_t fsrv_var = {0}; if (getenv("AFL_DEBUG")) { debug = true; } - if (getenv("AFL_PRINT_FILENAMES")) { print_filenames = true; } + if (get_afl_env("AFL_PRINT_FILENAMES")) { print_filenames = true; } fsrv = &fsrv_var; afl_fsrv_init(fsrv); -- cgit 1.4.1 From 1edb89be0f7956f964d2d7c9c7a5813250108220 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 21 May 2021 22:40:36 +0200 Subject: showmap passes queue items in alphabetical order --- src/afl-showmap.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9b4d21a5..9bf84956 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -52,6 +52,7 @@ #include #include +#include #include #include #ifndef USEMMAP @@ -1129,8 +1130,9 @@ int main(int argc, char **argv_orig, char **envp) { if (in_dir) { - DIR * dir_in, *dir_out = NULL; - struct dirent *dir_ent; + DIR * dir_in, *dir_out = NULL; + struct dirent **file_list; + // int done = 0; u8 infile[PATH_MAX], outfile[PATH_MAX]; u8 wait_for_gdb = 0; @@ -1155,12 +1157,6 @@ int main(int argc, char **argv_orig, char **envp) { ck_free(dn); if (!be_quiet) ACTF("Reading from directory '%s'...", in_dir); - if (!(dir_in = opendir(in_dir))) { - - PFATAL("cannot open directory %s", in_dir); - - } - if (!collect_coverage) { if (!(dir_out = opendir(out_file))) { @@ -1246,7 +1242,16 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); - while ((dir_ent = readdir(dir_in))) { + int file_count = scandir(in_dir, &file_list, NULL, alphasort); + if (file_count < 0) { + + PFATAL("Failed to read from input dir at %s\n", in_dir); + + } + + for (int i = 0; i < file_count; i++) { + + struct dirent *dir_ent = file_list[i]; if (dir_ent->d_name[0] == '.') { @@ -1293,9 +1298,11 @@ int main(int argc, char **argv_orig, char **envp) { } + free(file_list); + file_list = NULL; + if (!quiet_mode) { OKF("Processed %llu input files.", fsrv->total_execs); } - closedir(dir_in); if (dir_out) { closedir(dir_out); } if (collect_coverage) { -- cgit 1.4.1 From bc286035e94e43e1e7db1b2a8099210f0e71b88b Mon Sep 17 00:00:00 2001 From: buherator Date: Sun, 23 May 2021 18:26:15 +0200 Subject: Set kill signal before using it in afl-showmap (#935) --- src/afl-showmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9bf84956..d7af668c 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1104,6 +1104,9 @@ int main(int argc, char **argv_orig, char **envp) { : 0); be_quiet = save_be_quiet; + fsrv->kill_signal = + parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); + if (new_map_size) { // only reinitialize when it makes sense @@ -1211,9 +1214,6 @@ int main(int argc, char **argv_orig, char **envp) { } - fsrv->kill_signal = - parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); - if (getenv("AFL_CRASH_EXITCODE")) { long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); -- cgit 1.4.1 From c78762e690ff936c2e5394aff87deeb7b6b67a6c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 30 May 2021 02:04:37 +0200 Subject: fix for afl-showmap --- src/afl-showmap.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index d7af668c..96b72dd9 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -235,6 +235,9 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (cmin_mode && (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { + // create empty file to prevent error messages in afl-cmin + fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + close(fd); return ret; } -- cgit 1.4.1 From a6c0b5f7667475336a26197d99ea24f18ffcdbd7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 16 Jun 2021 11:46:26 +0200 Subject: afl-cmin/afl-cmin.bash/afl-showmap -i descend into subdirectories --- docs/Changelog.md | 2 + src/afl-showmap.c | 159 ++++++++++++++++++++++++++++++++---------------------- 2 files changed, 96 insertions(+), 65 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 9f70535a..530dd941 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,6 +31,8 @@ sending a mail to . - afl_analyze: - fix timeout handling - add forkserver support for better performance + - afl-cmin, afl-cmin.bash and afl-showmap -i do now descend into + subdirectories (like afl-fuzz does) - ensure afl-compiler-rt is built for gcc_module ### Version ++3.13c (release) diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 96b72dd9..03050d91 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -67,6 +67,8 @@ static char *stdin_file; /* stdin file */ static u8 *in_dir = NULL, /* input folder */ *out_file = NULL, *at_file = NULL; /* Substitution string for @@ */ +static u8 outfile[PATH_MAX]; + static u8 *in_data, /* Input data */ *coverage_map; /* Coverage map */ @@ -88,7 +90,8 @@ static bool quiet_mode, /* Hide non-essential messages? */ have_coverage, /* have coverage? */ no_classify, /* do not classify counts */ debug, /* debug mode */ - print_filenames; /* print the current filename */ + print_filenames, /* print the current filename */ + wait_for_gdb; static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_crashed; /* Child crashed? */ @@ -692,6 +695,93 @@ static void setup_signal_handlers(void) { } +u32 execute_testcases(u8 *dir) { + + struct dirent **nl; + s32 nl_cnt, subdirs = 1; + u32 i, done = 0; + u8 val_buf[2][STRINGIFY_VAL_SIZE_MAX]; + + if (!be_quiet) { ACTF("Scanning '%s'...", dir); } + + /* We use scandir() + alphasort() rather than readdir() because otherwise, + the ordering of test cases would vary somewhat randomly and would be + difficult to control. */ + + nl_cnt = scandir(dir, &nl, NULL, alphasort); + + if (nl_cnt < 0) { return 0; } + + for (i = 0; i < (u32)nl_cnt; ++i) { + + struct stat st; + + u8 *fn2 = alloc_printf("%s/%s", dir, nl[i]->d_name); + + if (lstat(fn2, &st) || access(fn2, R_OK)) { + + PFATAL("Unable to access '%s'", fn2); + + } + + /* obviously we want to skip "descending" into . and .. directories, + however it is a good idea to skip also directories that start with + a dot */ + if (subdirs && S_ISDIR(st.st_mode) && nl[i]->d_name[0] != '.') { + + free(nl[i]); /* not tracked */ + done += execute_testcases(fn2); + ck_free(fn2); + continue; + + } + + free(nl[i]); + + if (!S_ISREG(st.st_mode) || !st.st_size) { + + ck_free(fn2); + continue; + + } + + if (st.st_size > MAX_FILE && !be_quiet) { + + WARNF("Test case '%s' is too big (%s, limit is %s), partial reading", fn2, + stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size), + stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE)); + + } + + // DO + if (read_file(fn2)) { + + if (wait_for_gdb) { + + fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); + fprintf(stderr, "exec: kill -CONT %d\n", getpid()); + kill(0, SIGSTOP); + + } + + showmap_run_target_forkserver(fsrv, in_data, in_len); + ck_free(in_data); + ++done; + + if (collect_coverage) + analyze_results(fsrv); + else + tcnt = write_results_to_file(fsrv, outfile); + + } + + } + + free(nl); /* not tracked */ + return done; + +} + /* Show banner. */ static void show_banner(void) { @@ -1136,15 +1226,7 @@ int main(int argc, char **argv_orig, char **envp) { if (in_dir) { - DIR * dir_in, *dir_out = NULL; - struct dirent **file_list; - - // int done = 0; - u8 infile[PATH_MAX], outfile[PATH_MAX]; - u8 wait_for_gdb = 0; -#if !defined(DT_REG) - struct stat statbuf; -#endif + DIR *dir_in, *dir_out = NULL; if (getenv("AFL_DEBUG_GDB")) wait_for_gdb = true; @@ -1245,65 +1327,12 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); - int file_count = scandir(in_dir, &file_list, NULL, alphasort); - if (file_count < 0) { + if (execute_testcases(in_dir) == 0) { - PFATAL("Failed to read from input dir at %s\n", in_dir); + FATAL("could not read input testcases from %s", in_dir); } - for (int i = 0; i < file_count; i++) { - - struct dirent *dir_ent = file_list[i]; - - if (dir_ent->d_name[0] == '.') { - - continue; // skip anything that starts with '.' - - } - -#if defined(DT_REG) /* Posix and Solaris do not know d_type and DT_REG */ - if (dir_ent->d_type != DT_REG) { - - continue; // only regular files - - } - -#endif - - snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name); - -#if !defined(DT_REG) /* use stat() */ - if (-1 == stat(infile, &statbuf) || !S_ISREG(statbuf.st_mode)) continue; -#endif - - if (!collect_coverage) - snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name); - - if (read_file(infile)) { - - if (wait_for_gdb) { - - fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); - fprintf(stderr, "exec: kill -CONT %d\n", getpid()); - kill(0, SIGSTOP); - - } - - showmap_run_target_forkserver(fsrv, in_data, in_len); - ck_free(in_data); - if (collect_coverage) - analyze_results(fsrv); - else - tcnt = write_results_to_file(fsrv, outfile); - - } - - } - - free(file_list); - file_list = NULL; - if (!quiet_mode) { OKF("Processed %llu input files.", fsrv->total_execs); } if (dir_out) { closedir(dir_out); } -- cgit 1.4.1 From c46f8c1f70918056e95c801b1a81f11c79304b05 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 16 Jun 2021 13:03:42 +0200 Subject: make afl-cmin actually work with subdirectories --- afl-cmin | 42 ++++++++++++++++++-------------- docs/Changelog.md | 4 ++-- instrumentation/afl-compiler-rt.o.c | 2 +- src/afl-showmap.c | 48 +++++++++++++++++++++---------------- 4 files changed, 54 insertions(+), 42 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/afl-cmin b/afl-cmin index 9fa63ec6..e71873d3 100755 --- a/afl-cmin +++ b/afl-cmin @@ -296,13 +296,13 @@ BEGIN { exit 1 } - if (0 == system( "test -d "in_dir"/default" )) { - in_dir = in_dir "/default" - } - - if (0 == system( "test -d "in_dir"/queue" )) { - in_dir = in_dir "/queue" - } + #if (0 == system( "test -d "in_dir"/default" )) { + # in_dir = in_dir "/default" + #} + # + #if (0 == system( "test -d "in_dir"/queue" )) { + # in_dir = in_dir "/queue" + #} system("rm -rf "trace_dir" 2>/dev/null"); system("rm "out_dir"/id[:_]* 2>/dev/null") @@ -355,30 +355,35 @@ BEGIN { } else { stat_format = "-f '%z %N'" # *BSD, MacOS } - cmdline = "(cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r)" + cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r)" #cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r" #cmdline = "(cd "in_dir" && stat "stat_format" *) | sort -k1n -k2r" #cmdline = "(cd "in_dir" && ls | xargs stat "stat_format" ) | sort -k1n -k2r" while (cmdline | getline) { sub(/^[0-9]+ (\.\/)?/,"",$0) - infilesSmallToBig[i++] = $0 + infilesSmallToBigFull[i] = $0 + sub(/.*\//, "", $0) + infilesSmallToBig[i] = $0 + infilesSmallToBigMap[infilesSmallToBig[i]] = infilesSmallToBigFull[i] + infilesSmallToBigFullMap[infilesSmallToBigFull[i]] = infilesSmallToBig[i] + i++ } in_count = i - first_file = infilesSmallToBig[0] + first_file = infilesSmallToBigFull[0] - # Make sure that we're not dealing with a directory. - - if (0 == system("test -d ""\""in_dir"/"first_file"\"")) { - print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr" - exit 1 - } + #if (0 == system("test -d ""\""in_dir"/"first_file"\"")) { + # print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr" + # exit 1 + #} - if (0 == system("ln \""in_dir"/"first_file"\" "trace_dir"/.link_test")) { + system(">\""in_dir"/.afl-cmin.test\"") + if (0 == system("ln \""in_dir"/.afl-cmin.test\" "trace_dir"/.link_test")) { cp_tool = "ln" } else { cp_tool = "cp" } + system("rm -f \""in_dir"/.afl-cmin.test\"") if (!ENVIRON["AFL_SKIP_BIN_CHECK"]) { # Make sure that we can actually get anything out of afl-showmap before we @@ -511,7 +516,8 @@ BEGIN { # copy file unless already done if (! (fn in file_already_copied)) { - system(cp_tool" \""in_dir"/"fn"\" \""out_dir"/"fn"\"") + realfile = infilesSmallToBigMap[fn] + system(cp_tool" \""in_dir"/"realfile"\" \""out_dir"/"fn"\"") file_already_copied[fn] = "" ++out_count #printf "tuple nr %d (%d cnt=%d) -> %s\n",tcnt,key,key_count[key],fn > trace_dir"/.log" diff --git a/docs/Changelog.md b/docs/Changelog.md index 530dd941..9fd2a1a9 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,8 +31,8 @@ sending a mail to . - afl_analyze: - fix timeout handling - add forkserver support for better performance - - afl-cmin, afl-cmin.bash and afl-showmap -i do now descend into - subdirectories (like afl-fuzz does) + - afl-cmin and afl-showmap -i do now descend into subdirectories + (like afl-fuzz does) - note that afl-cmin.bash does not! - ensure afl-compiler-rt is built for gcc_module ### Version ++3.13c (release) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 50117012..404b761f 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1019,7 +1019,7 @@ static void __afl_start_forkserver(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) { - write_error("read from afl-fuzz"); + //write_error("read from afl-fuzz"); _exit(1); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 03050d91..646396ad 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -233,7 +233,11 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { u8 cco = !!getenv("AFL_CMIN_CRASHES_ONLY"), caa = !!getenv("AFL_CMIN_ALLOW_ANY"); - if (!outfile) { FATAL("Output filename not set (Bug in AFL++?)"); } + if (!outfile || !*outfile) { + + FATAL("Output filename not set (Bug in AFL++?)"); + + } if (cmin_mode && (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { @@ -753,7 +757,9 @@ u32 execute_testcases(u8 *dir) { } - // DO + if (!collect_coverage) + snprintf(outfile, sizeof(outfile), "%s/%s", out_file, nl[i]->d_name); + if (read_file(fn2)) { if (wait_for_gdb) { @@ -800,31 +806,31 @@ static void usage(u8 *argv0) { "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" "Required parameters:\n" - " -o file - file to write the trace data to\n\n" + " -o file - file to write the trace data to\n\n" "Execution control settings:\n" - " -t msec - timeout for each run (none)\n" - " -m megs - memory limit for child process (%u MB)\n" - " -O - use binary-only instrumentation (FRIDA mode)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n" - " -U - use Unicorn-based instrumentation (Unicorn mode)\n" - " -W - use qemu-based instrumentation with Wine (Wine mode)\n" - " (Not necessary, here for consistency with other afl-* " + " -t msec - timeout for each run (none)\n" + " -m megs - memory limit for child process (%u MB)\n" + " -O - use binary-only instrumentation (FRIDA mode)\n" + " -Q - use binary-only instrumentation (QEMU mode)\n" + " -U - use Unicorn-based instrumentation (Unicorn mode)\n" + " -W - use qemu-based instrumentation with Wine (Wine mode)\n" + " (Not necessary, here for consistency with other afl-* " "tools)\n\n" "Other settings:\n" - " -i dir - process all files in this directory, must be combined " + " -i dir - process all files below this directory, must be combined " "with -o.\n" - " With -C, -o is a file, without -C it must be a " + " With -C, -o is a file, without -C it must be a " "directory\n" - " and each bitmap will be written there individually.\n" - " -C - collect coverage, writes all edges to -o and gives a " + " and each bitmap will be written there individually.\n" + " -C - collect coverage, writes all edges to -o and gives a " "summary\n" - " Must be combined with -i.\n" - " -q - sink program's output and don't show messages\n" - " -e - show edge coverage only, ignore hit counts\n" - " -r - show real tuple values instead of AFL filter values\n" - " -s - do not classify the map\n" - " -c - allow core dumps\n\n" + " Must be combined with -i.\n" + " -q - sink program's output and don't show messages\n" + " -e - show edge coverage only, ignore hit counts\n" + " -r - show real tuple values instead of AFL filter values\n" + " -s - do not classify the map\n" + " -c - allow core dumps\n\n" "This tool displays raw tuple data captured by AFL instrumentation.\n" "For additional help, consult %s/README.md.\n\n" @@ -1259,7 +1265,7 @@ int main(int argc, char **argv_orig, char **envp) { } else { - if ((coverage_map = (u8 *)malloc(map_size)) == NULL) + if ((coverage_map = (u8 *)malloc(map_size + 64)) == NULL) FATAL("coult not grab memory"); edges_only = false; raw_instr_output = true; -- cgit 1.4.1 From ae50a5067769e2ee4af997c8527de84cf3fdae19 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 23 Jun 2021 23:35:32 +0200 Subject: fix afl-showmap --- src/afl-showmap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 646396ad..936d3bc4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -740,10 +740,9 @@ u32 execute_testcases(u8 *dir) { } - free(nl[i]); - if (!S_ISREG(st.st_mode) || !st.st_size) { + free(nl[i]); ck_free(fn2); continue; @@ -760,6 +759,8 @@ u32 execute_testcases(u8 *dir) { if (!collect_coverage) snprintf(outfile, sizeof(outfile), "%s/%s", out_file, nl[i]->d_name); + free(nl[i]); + if (read_file(fn2)) { if (wait_for_gdb) { -- cgit 1.4.1 From ec4ad161fc73a457fed1afb7368482df14cdc9a2 Mon Sep 17 00:00:00 2001 From: jhertz Date: Tue, 13 Jul 2021 04:56:55 -0400 Subject: Support AFL_NO_FORKSRV env-var in afl-tmin, afl-showmap, and afl-cmin (#1017) * Support AFL_NO_FORKSRV env-var * format * showmap support * showmap support * help messages now show envar support * formatting * formatting Co-authored-by: Jesse Hertz --- src/afl-showmap.c | 8 +++++++- src/afl-tmin.c | 11 +++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 936d3bc4..480de143 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -853,7 +853,8 @@ static void usage(u8 *argv0) { "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_PRINT_FILENAMES: If set, the filename currently processed will be " "printed to stdout\n" - "AFL_QUIET: do not print extra informational output\n", + "AFL_QUIET: do not print extra informational output\n" + "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n", argv0, MEM_LIMIT, doc_path); exit(1); @@ -1097,6 +1098,11 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); + if (getenv("AFL_NO_FORKSRV")) { /* if set, use the fauxserver */ + fsrv->use_fauxsrv = true; + + } + if (getenv("AFL_DEBUG")) { DEBUGF(""); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 6656712a..2d80abe4 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -877,12 +877,13 @@ static void usage(u8 *argv0) { " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n" + "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" "ASAN_OPTIONS: custom settings for ASAN\n" " (must contain abort_on_error=1 and symbolize=0)\n" "MSAN_OPTIONS: custom settings for MSAN\n" " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" - "TMPDIR: directory to use for temporary input files\n" - , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + "TMPDIR: directory to use for temporary input files\n", + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); exit(1); @@ -1104,6 +1105,12 @@ int main(int argc, char **argv_orig, char **envp) { if (optind == argc || !in_file || !output_file) { usage(argv[0]); } check_environment_vars(envp); + + if (getenv("AFL_NO_FORKSRV")) { /* if set, use the fauxserver */ + fsrv->use_fauxsrv = true; + + } + setenv("AFL_NO_AUTODICT", "1", 1); /* initialize cmplog_mode */ -- cgit 1.4.1 From b13b8c7e55836292330ad661e9a0386f7e0d3a91 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 16 Jul 2021 09:39:40 +0200 Subject: make afl-showmap more silent --- README.md | 5 ++++- src/afl-showmap.c | 17 +++++++++++++---- 2 files changed, 17 insertions(+), 5 deletions(-) (limited to 'src/afl-showmap.c') diff --git a/README.md b/README.md index 4104807c..37fd90e3 100644 --- a/README.md +++ b/README.md @@ -574,6 +574,8 @@ Note that the INPUTFILE argument that the target program would read from has to If the target reads from stdin instead, just omit the `@@` as this is the default. +This step is highly recommended! + #### c) Minimizing all corpus files The shorter the input files that still traverse the same path @@ -589,7 +591,8 @@ for i in *; do done ``` -This step can also be parallelized, e.g. with `parallel` +This step can also be parallelized, e.g. with `parallel`. +Note that this step is rather optional though. #### Done! diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 480de143..5c899e69 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -401,14 +401,23 @@ static u32 read_file(u8 *in_file) { if (fstat(fd, &st) || !st.st_size) { - WARNF("Zero-sized input file '%s'.", in_file); + if (!be_quiet && !quiet_mode) { + + WARNF("Zero-sized input file '%s'.", in_file); + + } } if (st.st_size > MAX_FILE) { - WARNF("Input file '%s' is too large, only reading %u bytes.", in_file, - MAX_FILE); + if (!be_quiet && !quiet_mode) { + + WARNF("Input file '%s' is too large, only reading %u bytes.", in_file, + MAX_FILE); + + } + in_len = MAX_FILE; } else { @@ -748,7 +757,7 @@ u32 execute_testcases(u8 *dir) { } - if (st.st_size > MAX_FILE && !be_quiet) { + if (st.st_size > MAX_FILE && !be_quiet && !quiet_mode) { WARNF("Test case '%s' is too big (%s, limit is %s), partial reading", fn2, stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size), -- cgit 1.4.1