From f760e80729412a2cd44a12e76b81ccb433626e60 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 7 Sep 2021 17:15:54 +0200 Subject: add check_binary_signatures for afl-* utils --- src/afl-analyze.c | 1 + src/afl-common.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/afl-showmap.c | 2 ++ src/afl-tmin.c | 1 + 4 files changed, 68 insertions(+) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index e19df3ce..eef08494 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -1093,6 +1093,7 @@ int main(int argc, char **argv_orig, char **envp) { parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); read_initial_file(); + (void)check_binary_signatures(fsrv.target_path); ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); diff --git a/src/afl-common.c b/src/afl-common.c index 9ca2b3e8..db19f0a7 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -25,8 +25,12 @@ #include #include +#define _GNU_SOURCE +#define __USE_GNU +#include #include #include +#include #include "debug.h" #include "alloc-inl.h" 
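Review bot: `#define _GNU_SOURCE` sits after two `#include` directives in the same hunk, and glibc's feature-test macros only take effect when they are defined before the first system header is processed, so the `memmem()` declaration this file relies on further down is not reliably enabled by this line. `__USE_GNU` is a glibc-internal derived macro (a reserved identifier) that user code should not define; its meaning can change between releases. Move `#define _GNU_SOURCE` to the very top of afl-common.c ahead of every include, wrapped as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif` so it does not trigger a redefinition warning if the build already passes `-D_GNU_SOURCE`, and drop the `__USE_GNU` line. The header names are not visible in this rendering, so which of the earlier includes pulls in string.h cannot be confirmed here.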
@@ -51,6 +55,66 @@ u8 last_intr = 0; #define AFL_PATH "/usr/local/lib/afl/" #endif +u32 check_binary_signatures(u8 *fn) { + + int ret = 0, fd = open(fn, O_RDONLY); + if (fd < 0) { PFATAL("Unable to open '%s'", fn); } + struct stat st; + if (fstat(fd, &st) < 0) { PFATAL("Unable to fstat '%s'", fn); } + u32 f_len = st.st_size; + u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); + if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); } + close(fd); + + if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { + + if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); } + setenv(PERSIST_ENV_VAR, "1", 1); + ret = 1; + + } else if (getenv("AFL_PERSISTENT")) { + + if (!be_quiet) { + + WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + + } + + } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) { + + if (!be_quiet) { + + OKF("FRIDA Persistent mode configuration options detected."); + + } + + setenv(PERSIST_ENV_VAR, "1", 1); + ret = 1; + + } + + if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { + + if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); } + setenv(DEFER_ENV_VAR, "1", 1); + ret += 2; + + } else if (getenv("AFL_DEFER_FORKSRV")) { + + if (!be_quiet) { + + WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + + } + + } + + if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); } + + return ret; + +} + void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin) { u32 i = 0; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9122cd25..27b1e14a 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1189,6 +1189,8 @@ int main(int argc, char **argv_orig, char **envp) { } + (void)check_binary_signatures(fsrv->target_path); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); /* initialize cmplog_mode */ diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 792770e0..dff51e84 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
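Review bot: `u32 f_len = st.st_size;` narrows `off_t` to 32 bits before the value reaches `mmap()`/`munmap()`, and nothing checks that `fn` names a regular file, so a directory, FIFO or device given as the target goes straight into `open()`/`mmap()` and dies with a misleading PFATAL (a FIFO would block in `open()`); an empty file likewise makes `mmap()` fail with EINVAL. After the `fstat()` add `if (!S_ISREG(st.st_mode)) { FATAL("'%s' is not a regular file", fn); }`, declare `size_t f_len = (size_t)st.st_size;`, and return 0 early when `f_len` is zero. The function also lacks a header comment even though every caller discards its result; document it as `/* Scan the target binary for the persistent / deferred forkserver signatures, set PERSIST_ENV_VAR and DEFER_ENV_VAR accordingly, and return a bitmask: 1 = persistent mode, 2 = deferred forkserver (3 = both). */`. Returning `int ret` through a `u32` signature and the `"unmap() failed"` message (the call is `munmap()`) are minor consistency nits in the same block.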
@@ -1209,6 +1209,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->shmem_fuzz = map + sizeof(u32); read_initial_file(); + (void)check_binary_signatures(fsrv->target_path); if (!fsrv->qemu_mode && !unicorn_mode) { -- cgit v1.2.3 From 8af84c203cfe241b5a8321c62387fd107ebf1031 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 7 Sep 2021 19:26:25 +0200 Subject: fix afl-showmap --- src/afl-showmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 27b1e14a..e143371e 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1189,7 +1189,7 @@ int main(int argc, char **argv_orig, char **envp) { } - (void)check_binary_signatures(fsrv->target_path); + if (in_dir) { (void)check_binary_signatures(fsrv->target_path); } shm_fuzz = ck_alloc(sizeof(sharedmem_t)); -- cgit v1.2.3 From 4473904bc0de7011a77309d96f7090a51c8fe768 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 1 Oct 2021 13:25:02 +0200 Subject: fix -n --- src/afl-fuzz-stats.c | 5 +++-- src/afl-fuzz.c | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index eb1fe2d9..870ba69a 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -560,8 +560,9 @@ void show_stats(afl_state_t *afl) { /* Roughly every minute, update fuzzer stats and save auto tokens. */ - if (unlikely(afl->force_ui_update || - cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000)) { + if (unlikely(!afl->non_instrumented_mode && + (afl->force_ui_update || + cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000))) { afl->stats_last_stats_ms = cur_ms; write_stats_file(afl, t_bytes, t_byte_ratio, stab_ratio, diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8ffc0e77..87da9798 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -1918,7 +1918,7 @@ int main(int argc, char **argv_orig, char **envp) { } - write_stats_file(afl, 0, 0, 0, 0); + if (!afl->non_instrumented_mode) { write_stats_file(afl, 0, 0, 0, 0); } maybe_update_plot_file(afl, 0, 0, 0); save_auto(afl); -- cgit v1.2.3 From e80131bef50d343e71a08cdf6ae1aa57b4475867 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 2 Oct 2021 22:47:22 +0200 Subject: fix some compiler warnings in 32-bit linux --- src/afl-analyze.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index eef08494..8295488d 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -184,7 +184,7 @@ static void read_initial_file(void) { if (st.st_size >= TMIN_MAX_FILE) { - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 87da9798..92a37697 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1348,7 +1348,7 @@ int main(int argc, char **argv_orig, char **envp) { } else if (afl->q_testcase_max_cache_size < 2 * MAX_FILE) { - FATAL("AFL_TESTCACHE_SIZE must be set to %u or more, or 0 to disable", + FATAL("AFL_TESTCACHE_SIZE must be set to %ld or more, or 0 to disable", (2 * MAX_FILE) % 1048576 == 0 ? (2 * MAX_FILE) / 1048576 : 1 + ((2 * MAX_FILE) / 1048576)); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index e143371e..75b0ff99 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -413,7 +413,7 @@ static u32 read_file(u8 *in_file) { if (!be_quiet && !quiet_mode) { - WARNF("Input file '%s' is too large, only reading %u bytes.", in_file, + WARNF("Input file '%s' is too large, only reading %ld bytes.", in_file, MAX_FILE); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index dff51e84..4f3a6b80 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
@@ -221,7 +221,7 @@ static void read_initial_file(void) { if (st.st_size >= TMIN_MAX_FILE) { - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024); } -- cgit v1.2.3 From a8844eaceb1df92635a327fc4edba082b102a2ff Mon Sep 17 00:00:00 2001 From: Kuang-che Wu Date: Mon, 11 Oct 2021 15:47:20 +0800 Subject: afl-showmap don't create empty "-" file --- src/afl-showmap.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 75b0ff99..a04c1f5b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -242,9 +242,11 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (cmin_mode && (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { - // create empty file to prevent error messages in afl-cmin - fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); - close(fd); + if (strcmp(outfile, "-")) { + // create empty file to prevent error messages in afl-cmin + fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + close(fd); + } return ret; } -- cgit v1.2.3 From 00aa689f40a3c8276af257cf0b54dc655cb0423e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 11 Oct 2021 14:28:17 +0200 Subject: fix accidental bystander kills --- src/afl-forkserver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c8c94c08..54f510c4 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
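Review bot: Inside the new `if (strcmp(outfile, "-"))` block in afl-showmap.c the `open()` result is still handed to `close()` unchecked, so when the `O_EXCL` create fails (file already present, missing directory, permissions) the placeholder the comment promises is silently not written and `close(-1)` masks the error. Change the two lines to `fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);` followed by `if (fd < 0) { WARNF("Unable to create '%s'", outfile); } else { close(fd); }`. `write_results_to_file` starts before this hunk, so whether `fd` is reused afterwards is not visible here.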
@@ -610,12 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!time_ms) { - kill(fsrv->fsrv_pid, fsrv->kill_signal); + if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } } else if (time_ms > fsrv->init_tmout) { fsrv->last_run_timed_out = 1; - kill(fsrv->fsrv_pid, fsrv->kill_signal); + if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } } else { @@ -1248,7 +1248,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - kill(fsrv->child_pid, fsrv->kill_signal); + if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); } fsrv->last_run_timed_out = 1; if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; } -- cgit v1.2.3 From 8e662898095ed6ba283a87119e383948b83b8d75 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 Oct 2021 19:04:35 +0200 Subject: adapt compiler driver to laod new pass manager passes --- src/afl-cc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index e49addc4..f8621d72 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -500,11 +500,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; +// cc_params[cc_par_cnt++] = "-Xclang"; +// cc_params[cc_par_cnt++] = "-load"; +// cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = - alloc_printf("%s/split-compares-pass.so", obj_path); + alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path); } 
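Review bot: The `if (pid > 0) { kill(pid, sig); }` guard is now spelled out three times across the two hunks (twice in `afl_fsrv_start`, once in `afl_fsrv_run_target`), and any kill site outside these hunks would need the same check added by hand. A small file-scope helper makes the invariant explicit and harder to miss at the next call site: `static inline void fsrv_kill_if_alive(pid_t pid, int sig) { if (pid > 0) { kill(pid, sig); } }`, so the three changed lines become `fsrv_kill_if_alive(fsrv->fsrv_pid, fsrv->kill_signal);` and `fsrv_kill_if_alive(fsrv->child_pid, fsrv->kill_signal);`. The helper's comment should state the reason the check exists: `/* pid 0 or -1 would signal the whole process group or every process we may signal, so never kill a pid that was not set */`. Both enclosing functions start before their hunks.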
@@ -548,7 +549,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { #if LLVM_MAJOR >= 13 // fuck you llvm 13 - cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; +// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; #endif if (lto_mode && !have_c) { -- cgit v1.2.3 From 544a65db5470359c18436eca123282d74fa47f2e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 Oct 2021 23:02:15 +0200 Subject: converted afl-llvm-pass to new pass manager --- src/afl-cc.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index f8621d72..bbe548d9 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -500,12 +500,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -// cc_params[cc_par_cnt++] = "-Xclang"; -// cc_params[cc_par_cnt++] = "-load"; -// cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path); +// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; } @@ -629,10 +627,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); + cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; + cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path); } -- cgit v1.2.3 From 6e08e809074763a9c4b35b65805e628689a2d562 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 Oct 2021 23:24:28 +0200 Subject: converted compare-transform-pass to new pass manager --- src/afl-cc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index bbe548d9..a51632a2 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
@@ -480,11 +480,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = - alloc_printf("%s/compare-transform-pass.so", obj_path); + alloc_printf("-fpass-plugin=%s/compare-transform-pass.so", obj_path); } -- cgit v1.2.3 From 379c5806580dd58824df0f4fb7d215841d1bd459 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 Oct 2021 23:40:05 +0200 Subject: converted split-switches-pass to new pass manager --- src/afl-cc.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index a51632a2..e8584d50 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -460,11 +460,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = - alloc_printf("%s/split-switches-pass.so", obj_path); + alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); } @@ -531,11 +529,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("%s/cmplog-switches-pass.so", obj_path); // reuse split switches from laf - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = - alloc_printf("%s/split-switches-pass.so", obj_path); + alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); } -- cgit v1.2.3 From 3deca3b09b46130c9e23320c0b98f60543f9b5ba Mon Sep 17 00:00:00 2001 
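Review bot: In the second hunk the context line directly above the change still loads `cmplog-switches-pass.so` in the legacy form (`alloc_printf("%s/cmplog-switches-pass.so", obj_path)` with no `-fpass-plugin=`), while the split-switches plugin added right after it turns on `-fexperimental-new-pass-manager` for the same compiler invocation. If cmplog-switches-pass is still registered through the legacy pass manager, enabling the new pass manager means its registration hook is never consulted and the pass silently does not run, so cmplog binaries would lose switch splitting with no error; either convert that plugin in the same change or keep both plugins on the legacy path until it is converted. `-fexperimental-new-pass-manager` is also pushed once per plugin, which is harmless but a single push when the first plugin is added keeps the command line readable. `edit_params` starts before these hunks.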
From: vanhauser-thc Date: Fri, 15 Oct 2021 11:25:02 +0200 Subject: fix lto cmplog stability issue --- src/afl-fuzz-run.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4173f4e1..da6ba7d9 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at, u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 handicap, u8 from_queue) { - if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; } - u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, first_run = (q->exec_cksum == 0); u64 start_us, stop_us, diff_us; @@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 use_tmout = afl->fsrv.exec_tmout; u8 *old_sn = afl->stage_name; + if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; } + /* Be a bit more generous about timeouts when resuming sessions, or when trying to calibrate already-added finds. This helps avoid trouble due to intermittent latency. */ @@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } + /* we need a dummy run if this is LTO + cmplog */ + if (unlikely(afl->shm.cmplog_mode)) { + + write_to_testcase(afl, use_mem, q->len); + + fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); + + /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed, + we want to bail out quickly. */ + + if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; } + + if (!afl->non_instrumented_mode && !afl->stage_cur && + !count_bytes(afl, afl->fsrv.trace_bits)) { + + fault = FSRV_RUN_NOINST; + goto abort_calibration; + + } + +#ifdef INTROSPECTION + if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size; +#endif + + } + if (q->exec_cksum) { memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); -- cgit v1.2.3 
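Review bot: The comment `/* we need a dummy run if this is LTO + cmplog */` does not match the guard under it, which is only `afl->shm.cmplog_mode`, so every cmplog calibration now pays one extra execution whether or not the target is LTO-built. If the warm-up is needed for every cmplog binary, reword it as `/* cmplog binaries (LTO builds in particular) need one warm-up execution before their coverage is stable, so run once and discard the result */`; if it is LTO-specific, the condition needs an LTO indicator too. The warm-up block reads `afl->stage_cur` in `!afl->stage_cur && !count_bytes(...)` without any assignment to it visible in the hunk, so its value here depends on code outside the hunk; if the intent is "only on the first run", a comment should say so. The first hunk now computes `first_run` before `q->exec_cksum` is zeroed, so in cmplog mode a previously calibrated entry no longer counts as a first run — that behavioural change deserves a comment on the moved line.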
From 1f2fa22dad4440bf053e24811b5ece89ca276afc Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 16 Oct 2021 14:37:54 +0200 Subject: make new pass manager interface compiler version dependent (>=7) --- src/afl-cc.c | 43 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index e8584d50..7549e17b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -460,10 +460,17 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { +#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); - +#else + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/split-switches-pass.so", obj_path); +#endif } } @@ -478,9 +485,17 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { +#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/compare-transform-pass.so", obj_path); +#else + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/compare-transform-pass.so", obj_path); +#endif } 
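Review bot: Both hunks here guard the new pass manager with `#if LLVM_VERSION_MAJOR >= 7`, whereas the other four sites changed in this commit (split-compares, cmplog split-switches, afl-llvm-pass) and the existing `#if LLVM_MAJOR >= 13` in the same file use `LLVM_MAJOR`. If `LLVM_VERSION_MAJOR` is not defined in afl-cc's translation unit the preprocessor evaluates it as 0, and these two sites silently fall back to the legacy `-Xclang -load` form on every LLVM version while the others use `-fpass-plugin`; use `LLVM_MAJOR` here as well, or `#error` when it is not defined. The eight-line `#if/#else/#endif` block is now copied five times with only the .so name changing, which is how the inconsistency crept in; a file-scope helper removes the duplication (this assumes `cc_params`, `cc_par_cnt` and `obj_path` are file-scope, as their unqualified use inside `edit_params` suggests). `edit_params` starts before these hunks.
```c
/* Push the clang arguments that load one AFL++ pass plugin from obj_path:
   through the new pass manager on LLVM >= 7, via -Xclang -load otherwise.
   Uses the same file-scope cc_params / cc_par_cnt / obj_path as edit_params(). */
static void add_pass_plugin(const char *so_name) {

#if LLVM_MAJOR >= 7
  cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager";
  cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/%s", obj_path, so_name);
#else
  cc_params[cc_par_cnt++] = "-Xclang";
  cc_params[cc_par_cnt++] = "-load";
  cc_params[cc_par_cnt++] = "-Xclang";
  cc_params[cc_par_cnt++] = alloc_printf("%s/%s", obj_path, so_name);
#endif

}

/* … in edit_params(), each of the five #if/#else/#endif sites becomes one call, e.g.: … */
    add_pass_plugin("split-switches-pass.so");
```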
@@ -496,10 +511,18 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { +#if LLVM_MAJOR >= 7 cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path); // cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; +#else + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/split-compares-pass.so", obj_path); +#endif } @@ -529,9 +552,17 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("%s/cmplog-switches-pass.so", obj_path); // reuse split switches from laf +#if LLVM_MAJOR >= 7 cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); +#else + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/split-switches-pass.so", obj_path); +#endif } @@ -541,7 +572,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { #if LLVM_MAJOR >= 13 // fuck you llvm 13 -// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; + cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; #endif if (lto_mode && !have_c) { @@ -621,9 +652,15 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { +#if LLVM_MAJOR >= 7 cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path); - +#else + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); +#endif } } -- cgit v1.2.3 From 8bc2b52f6579ab44f536d1ccb818acf37b047ec7 Mon Sep 17 00:00:00 2001 
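Review bot: The `@@ -541,7 +572,7 @@` hunk re-enables `cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager";` for LLVM 13+, while the hunks above it append `-fexperimental-new-pass-manager` plus `-fpass-plugin=...` to the same `cc_params` array for LLVM 7+. If both end up on one clang command line the later `-fno-` flag wins and the legacy pipeline does not run `-fpass-plugin` plugins, so on LLVM 13 the instrumentation passes added above could be skipped without any error; whether the two sites share a path depends on the mode checks outside this hunk, so please verify on an LLVM 13 build that the passes still execute. The restored line should also get a comment that says what it works around instead of the current `// fuck you llvm 13`, e.g. `/* LLVM 13 defaults to the new pass manager; force the legacy pipeline for the -Xclang -load plugins added below */`, so the next reader can tell whether it is still needed.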
From: vanhauser-thc Date: Sun, 17 Oct 2021 13:03:01 +0200 Subject: format --- src/afl-showmap.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a04c1f5b..5df07bf2 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -243,10 +243,13 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { if (strcmp(outfile, "-")) { + // create empty file to prevent error messages in afl-cmin fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); close(fd); + } + return ret; } -- cgit v1.2.3 From ed10f3783bd8fab33ab5750f56bf87ed008f28ed Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 17 Oct 2021 13:05:33 +0200 Subject: new rtn cmplog: instrumentation side + supporting functions --- src/afl-fuzz-one.c | 25 +++++++++++---- src/afl-fuzz-queue.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++- src/afl-fuzz-stats.c | 3 +- src/afl-fuzz.c | 14 ++++++++ 4 files changed, 125 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 17749601..3217fb0f 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -448,11 +448,11 @@ u8 fuzz_one_original(afl_state_t *afl) { ACTF( "Fuzzing test case #%u (%u total, %llu uniq crashes found, " - "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u)...", + "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...", afl->current_entry, afl->queued_paths, afl->unique_crashes, afl->queue_cur->perf_score, afl->queue_cur->exec_us, likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0, - afl->queue_cur->bitmap_size); + afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii); fflush(stdout); } 
@@ -2003,11 +2003,16 @@ havoc_stage: where we take the input file and make random stacked tweaks. */ #define MAX_HAVOC_ENTRY 59 /* 55 to 60 */ +#define MUTATE_ASCII_DICT 64 u32 r_max, r; r_max = (MAX_HAVOC_ENTRY + 1) + (afl->extras_cnt ? 4 : 0) + - (afl->a_extras_cnt ? 4 : 0); + (afl->a_extras_cnt + ? (unlikely(afl->cmplog_binary && afl->queue_cur->is_ascii) + ? MUTATE_ASCII_DICT + : 4) + : 0); if (unlikely(afl->expand_havoc && afl->ready_for_splicing_count > 1)) { @@ -2592,7 +2597,15 @@ havoc_stage: if (afl->a_extras_cnt) { - if (r < 2) { + u32 r_cmp = 2; + + if (unlikely(afl->cmplog_binary && afl->queue_cur->is_ascii)) { + + r_cmp = MUTATE_ASCII_DICT >> 1; + + } + + if (r < r_cmp) { /* Use the dictionary. */ @@ -2612,7 +2625,7 @@ havoc_stage: break; - } else if (r < 4) { + } else if (r < (r_cmp << 1)) { u32 use_extra = rand_below(afl, afl->a_extras_cnt); u32 extra_len = afl->a_extras[use_extra].len; @@ -2641,7 +2654,7 @@ havoc_stage: } else { - r -= 4; + r -= (r_cmp << 1); } diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 16af2c6b..718f7cb6 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c 
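Review bot: `#define MUTATE_ASCII_DICT 64` and the later `r_cmp = MUTATE_ASCII_DICT >> 1` are implicitly coupled: the `r_max` expression reserves `MUTATE_ASCII_DICT` havoc slots for the auto dictionary on ascii cmplog inputs, the consumer then spends `r_cmp` of them on the overwrite branch and `r_cmp` on the insert branch, and `r -= (r_cmp << 1)` is only right while the consumer uses exactly half each. Record that at the define: `/* havoc slots given to the auto dictionary for ascii inputs of cmplog binaries; split evenly between the overwrite and insert branches below (r_cmp), so keep it even */`. The nested ternary in the `r_max` computation is hard to read; hoisting `afl->cmplog_binary && afl->queue_cur->is_ascii` into one local used at both sites would also guarantee the two never disagree. The enclosing function starts before these hunks.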
@@ -315,7 +315,96 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) { } -/* check if ascii or UTF-8 */ +/* check if pointer is ascii or UTF-8 */ + +u8 check_if_text_buf(u8 *buf, u32 len) { + + u32 offset = 0, ascii = 0, utf8 = 0; + + while (offset < len) { + + // ASCII: <= 0x7F to allow ASCII control characters + if ((buf[offset + 0] == 0x09 || buf[offset + 0] == 0x0A || + buf[offset + 0] == 0x0D || + (0x20 <= buf[offset + 0] && buf[offset + 0] <= 0x7E))) { + + offset++; + utf8++; + ascii++; + continue; + + } + + if (isascii((int)buf[offset]) || isprint((int)buf[offset])) { + + ascii++; + // we continue though as it can also be a valid utf8 + + } + + // non-overlong 2-byte + if (len - offset > 1 && + ((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) { + + offset += 2; + utf8++; + continue; + + } + + // excluding overlongs + if ((len - offset > 2) && + ((buf[offset + 0] == 0xE0 && + (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // straight 3-byte + (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) || + buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // excluding surrogates + (buf[offset + 0] == 0xED && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF)))) { + + offset += 3; + utf8++; + continue; + + } + + // planes 1-3 + if ((len - offset > 3) && + ((buf[offset + 0] == 0xF0 && + (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && + buf[offset + 3] <= 0xBF)) || // planes 4-15 + ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && 
buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16 + (buf[offset + 0] == 0xF4 && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)))) { + + offset += 4; + utf8++; + continue; + + } + + offset++; + + } + + return (utf8 > ascii ? utf8 : ascii); + +} + +/* check if queue entry is ascii or UTF-8 */ static u8 check_if_text(afl_state_t *afl, struct queue_entry *q) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 870ba69a..7796036b 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -278,6 +278,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, "total_edges : %u\n" "var_byte_count : %u\n" "havoc_expansion : %u\n" + "auto_dict_entries : %u\n" "testcache_size : %llu\n" "testcache_count : %u\n" "testcache_evict : %u\n" @@ -316,7 +317,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, -1, #endif t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, - afl->expand_havoc, afl->q_testcase_cache_size, + afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size, afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92a37697..6ec033b2 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
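Review bot: `check_if_text_buf` accumulates `ascii` and `utf8` in `u32` counters bounded by `len` but returns `u8`, so for any buffer of 256 bytes or more the result is truncated modulo 256 and a fully textual 512-byte buffer reports 0; change the signature to `u32 check_if_text_buf(u8 *buf, u32 len)` (and its declaration, which is not part of this diff). The second test, `isascii((int)buf[offset]) || isprint((int)buf[offset])`, is reached only for bytes the first branch rejected, and `isascii()` accepts every value below 0x80, so NUL and the remaining control bytes 0x00-0x1F/0x7F all count as ascii — an all-zero buffer scores as fully text; `isprint()` on bytes >= 0x80 is additionally locale-dependent. If control bytes are meant to count, the `// ASCII: <= 0x7F to allow ASCII control characters` comment belongs on this second branch rather than the first, which only admits tab, LF, CR and 0x20-0x7E; otherwise drop the `isascii()` half. The hunk ends with the signature of `check_if_text`, whose body continues outside it.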
@@ -2261,6 +2261,20 @@ stop_fuzzing: } + if (afl->not_on_tty) { + + u32 t_bytes = count_non_255_bytes(afl, afl->virgin_bits); + u8 time_tmp[64]; + u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time); + ACTF( + "Statistics: %u new paths found, %.02f%% coverage achieved, %llu " + "crashes found, %llu timeouts found, total runtime %s", + afl->queued_discovered, + ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->unique_crashes, + afl->unique_hangs, time_tmp); + + } + #ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", -- cgit v1.2.3 From 2363a047500c133996e40808f1974e4aa97ed5bf Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 17 Oct 2021 14:21:08 +0200 Subject: simplify SHAPE_BYTES(h->shape) --- src/afl-fuzz-redqueen.c | 97 ++++++++++++++++++++++++++----------------------- 1 file changed, 51 insertions(+), 46 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 268f726c..2d610132 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -64,6 +64,8 @@ struct range { }; +static u32 hshape; + static struct range *add_range(struct range *ranges, u32 start, u32 end) { struct range *r = ck_alloc_nozero(sizeof(struct range)); @@ -763,7 +765,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, // "Encode: %llx->%llx into %llx(<-%llx) at idx=%u " // "taint_len=%u shape=%u attr=%u\n", // o_pattern, pattern, repl, changed_val, idx, taint_len, - // h->shape + 1, attr); + // hshape, attr); //#ifdef CMPLOG_SOLVE_TRANSFORM // reverse atoi()/strnu?toll() is expensive, so we only to it in lvl 3 @@ -845,7 +847,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 b_val, o_b_val, mask; u8 bytes; - switch (SHAPE_BYTES(h->shape)) { + switch (hshape) { case 0: case 1: 
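Review bot: `static u32 hshape;` introduces file-scope mutable state that replaces the per-header `h->shape` reads in the `cmp_extend_encoding*` helpers, yet it carries no comment about who sets it or when it is valid, and the writes in `cmp_fuzz()` and `rtn_fuzz()` are far below. Add `/* byte width (SHAPE_BYTES(h->shape)) of the cmp entry currently being processed; cmp_fuzz()/rtn_fuzz() set it before calling the cmp_extend_encoding* helpers, which temporarily change it for the double->float retry */`. Because it is a global, a helper entered with a stale value silently uses the previous entry's width, so every new call path into these helpers must set it first — worth stating in that comment.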
@@ -924,7 +926,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, s64 diff = pattern - b_val; s64 o_diff = o_pattern - o_b_val; /* fprintf(stderr, "DIFF1 idx=%03u shape=%02u %llx-%llx=%lx\n", idx, - h->shape + 1, o_pattern, o_b_val, o_diff); + hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF1 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ if (diff == o_diff && diff) { @@ -953,7 +955,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, s64 o_diff = o_pattern ^ o_b_val; /* fprintf(stderr, "DIFF2 idx=%03u shape=%02u %llx-%llx=%lx\n", - idx, h->shape + 1, o_pattern, o_b_val, o_diff); + idx, hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF2 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ @@ -1002,7 +1004,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } /* fprintf(stderr, "DIFF3 idx=%03u shape=%02u %llx-%llx=%lx\n", - idx, h->shape + 1, o_pattern, o_b_val, o_diff); + idx, hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF3 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ @@ -1051,7 +1053,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } /* fprintf(stderr, "DIFF4 idx=%03u shape=%02u %llx-%llx=%lx\n", - idx, h->shape + 1, o_pattern, o_b_val, o_diff); + idx, hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF4 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ @@ -1089,7 +1091,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if ((lvl & LVL1) || attr >= IS_FP_MOD) { - if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) { + if (hshape >= 8 && *status != 1) { // if (its_len >= 8) // fprintf(stderr, @@ -1132,7 +1134,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (SHAPE_BYTES(h->shape) >= 4 && *status != 1) { + if (hshape >= 4 && *status != 1) { // if (its_len >= 4 && (attr <= 1 || attr >= 8)) // fprintf(stderr, 
@@ -1173,7 +1175,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (SHAPE_BYTES(h->shape) >= 2 && *status != 1) { + if (hshape >= 2 && *status != 1) { if (its_len >= 2 && ((*buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) || @@ -1244,7 +1246,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) { + if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { return 0; @@ -1272,7 +1274,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (attr & IS_GREATER) { - if (SHAPE_BYTES(h->shape) == 4 && its_len >= 4) { + if (hshape == 4 && its_len >= 4) { float *f = (float *)&repl; float g = *f; @@ -1280,7 +1282,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 *r = (u32 *)&g; repl_new = (u32)*r; - } else if (SHAPE_BYTES(h->shape) == 8 && its_len >= 8) { + } else if (hshape == 8 && its_len >= 8) { double *f = (double *)&repl; double g = *f; @@ -1307,7 +1309,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } else { - if (SHAPE_BYTES(h->shape) == 4) { + if (hshape == 4) { float *f = (float *)&repl; float g = *f; @@ -1315,7 +1317,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 *r = (u32 *)&g; repl_new = (u32)*r; - } else if (SHAPE_BYTES(h->shape) == 8) { + } else if (hshape == 8) { double *f = (double *)&repl; double g = *f; @@ -1342,7 +1344,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } // transform double to float, llvm likes to do that internally ... - if (SHAPE_BYTES(h->shape) == 8 && its_len >= 4) { + if (hshape == 8 && its_len >= 4) { double *f = (double *)&repl; float g = (float)*f; 
@@ -1353,7 +1355,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, memcpy(((char *)&repl_new) + 4, (char *)&g, 4); #endif changed_val = repl_new; - h->shape = 3; // modify shape + hshape = 4; // modify shape // fprintf(stderr, "DOUBLE2FLOAT %llx\n", repl_new); @@ -1361,12 +1363,12 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx, taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) { - h->shape = 7; // recover shape + hshape = 8; // recover shape return 1; } - h->shape = 7; // recover shape + hshape = 7; // recover shape } @@ -1428,14 +1430,13 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, u8 *r = (u8 *)&repl; u8 backup[16]; u32 its_len = MIN(len - idx, taint_len); - u32 shape = h->shape + 1; #if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) size_t off = 0; #else - size_t off = 16 - shape; + size_t off = 16 - hshape; #endif - if (its_len >= shape) { + if (its_len >= hshape) { #ifdef _DEBUG fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ", @@ -1462,18 +1463,18 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, fprintf(stderr, "\n"); #endif - if (!memcmp(ptr, p + off, shape) && !memcmp(o_ptr, o_p + off, shape)) { + if (!memcmp(ptr, p + off, hshape) && !memcmp(o_ptr, o_p + off, hshape)) { - memcpy(backup, ptr, shape); - memcpy(ptr, r + off, shape); + memcpy(backup, ptr, hshape); + memcpy(ptr, r + off, hshape); if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } #ifdef CMPLOG_COMBINE - if (*status == 1) { memcpy(cbuf + idx, r, shape); } + if (*status == 1) { memcpy(cbuf + idx, r, hshape); } #endif - memcpy(ptr, backup, shape); + memcpy(ptr, backup, hshape); #ifdef _DEBUG fprintf(stderr, "Status=%u\n", *status); 
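Review bot: In the `@@ -1361,12 +1363,12 @@` hunk the two restore sites disagree: the success path writes `hshape = 8; // recover shape` while the fall-through path writes `hshape = 7; // recover shape`. The original restored `h->shape = 7` at both sites, and since `hshape` holds `SHAPE_BYTES(h->shape)` (shape + 1, as the `h->shape = 3` → `hshape = 4` change in the previous hunk shows) the correct value is 8 in both; the whole block is entered only under `hshape == 8`. After a failed double-to-float attempt the rest of the function therefore sees a 7-byte width, which matches none of the `hshape == 8` / `>= 8` branches. Change the second site to `hshape = 8; // recover shape`, or better save the width once with `u32 saved_shape = hshape;` before `hshape = 4;` and restore from it on both paths so the constant cannot drift again. `cmp_extend_encoding` starts before this hunk.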
@@ -1485,8 +1486,8 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, if (do_reverse && *status != 1) { if (unlikely(cmp_extend_encodingN( - afl, h, SWAPN(pattern, (shape << 3)), SWAPN(repl, (shape << 3)), - SWAPN(o_pattern, (shape << 3)), SWAPN(changed_val, (shape << 3)), + afl, h, SWAPN(pattern, (hshape << 3)), SWAPN(repl, (hshape << 3)), + SWAPN(o_pattern, (hshape << 3)), SWAPN(changed_val, (hshape << 3)), attr, idx, taint_len, orig_buf, buf, cbuf, len, 0, lvl, status))) { @@ -1615,6 +1616,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, u8 s_v0_inc = 1, s_v1_inc = 1; u8 s_v0_dec = 1, s_v1_dec = 1; + hshape = SHAPE_BYTES(h->shape); + if (h->hits > CMP_MAP_H) { loggeds = CMP_MAP_H; @@ -1626,7 +1629,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } #ifdef WORD_SIZE_64 - switch (SHAPE_BYTES(h->shape)) { + switch (hshape) { case 1: case 2: @@ -1680,7 +1683,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG fprintf(stderr, "Handling: %llx->%llx vs %llx->%llx attr=%u shape=%u\n", orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, - SHAPE_BYTES(h->shape)); + hshape); #endif t = taint; @@ -1830,7 +1833,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, "END: %llx->%llx vs %llx->%llx attr=%u i=%u found=%u " "isN=%u size=%u\n", orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, i, found_one, - is_n, SHAPE_BYTES(h->shape)); + is_n, hshape); #endif // If failed, add to dictionary 
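Review bot: `hshape = SHAPE_BYTES(h->shape);` at the top of cmp_fuzz writes a variable that is not declared in any hunk of this diff, so it is presumably file-scope, and the same variable is assigned inside cmp_extend_encoding (`hshape = 4` / `hshape = 8` in the double-to-float path); the SWAPN and dictionary code later in cmp_fuzz therefore depends on whatever the last callee left behind. A comment on this line would at least make the coupling visible, e.g. `/* file-scope hshape is shared with cmp_extend_encoding{,N}, which may change it mid-call */`; passing the width as a parameter would remove the hidden state altogether. The same pattern is repeated in rtn_fuzz further down, and the enclosing cmp_fuzz starts before this hunk.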
@@ -1841,16 +1844,16 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef WORD_SIZE_64 if (unlikely(is_n)) { - try_to_add_to_dictN(afl, s128_v0, SHAPE_BYTES(h->shape)); - try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape)); + try_to_add_to_dictN(afl, s128_v0, hshape); + try_to_add_to_dictN(afl, s128_v1, hshape); } else #endif { - try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); - try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + try_to_add_to_dict(afl, o->v0, hshape); + try_to_add_to_dict(afl, o->v1, hshape); } @@ -2322,6 +2325,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, u32 i, j, idx, have_taint = 1, taint_len, loggeds; u8 status = 0, found_one = 0; + hshape = SHAPE_BYTES(h->shape); + if (h->hits > CMP_MAP_RTN_H) { loggeds = CMP_MAP_RTN_H; @@ -2355,12 +2360,12 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, /* struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, - h->id, h->shape, h->attribute); + h->id, hshape, h->attribute); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]); fprintf(stderr, " v1="); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]); fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", - hh->hits, hh->id, hh->shape, hh->attribute); + hh->hits, hh->id, hshape, hh->attribute); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]); fprintf(stderr, " o1="); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]); 
@@ -2401,23 +2406,23 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG int w; fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, - SHAPE_BYTES(h->shape)); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + hshape); + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", orig_o->v0[w]); fprintf(stderr, " v0="); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", o->v0[w]); fprintf(stderr, " o1="); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", orig_o->v1[w]); fprintf(stderr, " v1="); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", o->v1[w]); fprintf(stderr, "\n"); #endif if (unlikely(rtn_extend_encoding( - afl, o->v0, o->v1, orig_o->v0, orig_o->v1, SHAPE_BYTES(h->shape), + afl, o->v0, o->v1, orig_o->v0, orig_o->v1, hshape, idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { return 1; @@ -2434,7 +2439,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, status = 0; if (unlikely(rtn_extend_encoding( - afl, o->v1, o->v0, orig_o->v1, orig_o->v0, SHAPE_BYTES(h->shape), + afl, o->v1, o->v0, orig_o->v1, orig_o->v0, hshape, idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { return 1; @@ -2455,8 +2460,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (unlikely(!afl->pass_stats[key].total)) { - maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); - maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + maybe_add_auto(afl, o->v0, hshape); + maybe_add_auto(afl, o->v1, hshape); } -- cgit v1.2.3 From bf0fbc24ad32b0ec5421f4d2090c85d87aeceee3 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Sun, 17 Oct 2021 15:44:48 +0200 Subject: new cmplog add dict strategy --- src/afl-fuzz-redqueen.c | 170 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 131 insertions(+), 39 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 2d610132..30de12c1 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -45,6 +45,23 @@ enum { }; +// add to dictionary enum +// DEFAULT = 1, notTXT = 2, FOUND = 4, notSAME = 8 +enum { + + DICT_ADD_NEVER = 0, + DICT_ADD_NOTFOUND_SAME_TXT = 1, + DICT_ADD_NOTFOUND_SAME = 3, + DICT_ADD_FOUND_SAME_TXT = 5, + DICT_ADD_FOUND_SAME = 7, + DICT_ADD_NOTFOUND_TXT = 9, + DICT_ADD_NOTFOUND = 11, + DICT_ADD_FOUND_TXT = 13, + DICT_ADD_FOUND = 15, + DICT_ADD_ANY = DICT_ADD_FOUND + +}; + // CMPLOG LVL enum { @@ -54,6 +71,8 @@ enum { }; +#define DICT_ADD_STRATEGY DICT_ADD_FOUND_SAME + struct range { u32 start; @@ -1246,11 +1265,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { - - return 0; - - } + if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { return 0; } // transform >= to < and <= to > if ((attr & IS_EQUAL) && (attr & (IS_GREATER | IS_LESSER))) { @@ -1487,9 +1502,9 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, if (unlikely(cmp_extend_encodingN( afl, h, SWAPN(pattern, (hshape << 3)), SWAPN(repl, (hshape << 3)), - SWAPN(o_pattern, (hshape << 3)), SWAPN(changed_val, (hshape << 3)), - attr, idx, taint_len, orig_buf, buf, cbuf, len, 0, lvl, - status))) { + SWAPN(o_pattern, (hshape << 3)), + SWAPN(changed_val, (hshape << 3)), attr, idx, taint_len, orig_buf, + buf, cbuf, len, 0, lvl, status))) { return 1; 
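Review bot: The DICT_ADD_* constants are documented as bit flags (`DEFAULT = 1, notTXT = 2, FOUND = 4, notSAME = 8`), but every use in this commit compares them as magnitudes (`DICT_ADD_STRATEGY >= same0 + result`), which only matches the flag reading for values whose low bits are all set (1, 3, 7, 15); with `DICT_ADD_FOUND_SAME_TXT` (5), for example, a not-TXT, not-FOUND candidate (3) still passes. If the intent is "every condition bit of this candidate must be permitted", the check should be a mask test, `if (((same0 + result) & ~DICT_ADD_STRATEGY) == 0)`. With the current `#define DICT_ADD_STRATEGY DICT_ADD_FOUND_SAME` (7) both forms agree, so this is latent until the constant is changed; at minimum a comment on the enum saying which values are safe with the `>=` comparison would record the constraint.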
@@ -1682,8 +1697,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG fprintf(stderr, "Handling: %llx->%llx vs %llx->%llx attr=%u shape=%u\n", - orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, - hshape); + orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, hshape); #endif t = taint; @@ -1836,26 +1850,39 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, is_n, hshape); #endif - // If failed, add to dictionary - if (!found_one) { - - if (afl->pass_stats[key].total == 0) { + u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); + if (o->v0 != orig_o->v0) { same0 = 8; } + if (o->v1 != orig_o->v1) { same1 = 8; } #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { + if (unlikely(is_n)) { - try_to_add_to_dictN(afl, s128_v0, hshape); - try_to_add_to_dictN(afl, s128_v1, hshape); + if (DICT_ADD_STRATEGY >= same0 + result) { - } else + try_to_add_to_dictN(afl, s128_v0, hshape); + + } + + if (DICT_ADD_STRATEGY >= same1 + result) { + + try_to_add_to_dictN(afl, s128_v1, hshape); + + } + + } else #endif - { + { - try_to_add_to_dict(afl, o->v0, hshape); - try_to_add_to_dict(afl, o->v1, hshape); + if (DICT_ADD_STRATEGY >= same0 + result) { - } + try_to_add_to_dict(afl, o->v0, hshape); + + } + + if (DICT_ADD_STRATEGY >= same1 + result) { + + try_to_add_to_dict(afl, o->v1, hshape); } @@ -1885,8 +1912,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } -static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl, - u8 *o_pattern, u8 *changed_val, u8 plen, u32 idx, +static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, + struct cmpfn_operands *o, + struct cmpfn_operands *orig_o, u32 idx, u32 taint_len, u8 *orig_buf, u8 *buf, u8 *cbuf, u32 len, u8 lvl, u8 *status) { 
@@ -1897,9 +1925,50 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl, // (void)(changed_val); //#endif + u8 *pattern, *repl, *o_pattern, *changed_val; + u8 l0, l1, ol0, ol1; + + if (entry == 0) { + + pattern = o->v0; + repl = o->v1; + o_pattern = orig_o->v0; + changed_val = orig_o->v1; + l0 = o->v0_len; + ol0 = orig_o->v0_len; + l1 = o->v1_len; + ol1 = orig_o->v1_len; + + } else { + + pattern = o->v1; + repl = o->v0; + o_pattern = orig_o->v1; + changed_val = orig_o->v0; + l0 = o->v1_len; + ol0 = orig_o->v1_len; + l1 = o->v0_len; + ol1 = orig_o->v0_len; + + } + + if (l0 >= 0x80) { + + l0 -= 0x80; + l1 -= 0x80; + ol0 -= 0x80; + ol1 -= 0x80; + + } else if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0) { + + l0 = l1 = ol0 = ol1 = hshape; + + } + + u8 lmax = MAX(l0, ol0); u8 save[40]; u32 saved_idx = idx, pre, from = 0, to = 0, i, j; - u32 its_len = MIN((u32)plen, len - idx); + u32 its_len = MIN(MIN(lmax, hshape), len - idx); its_len = MIN(its_len, taint_len); u32 saved_its_len = its_len; @@ -1915,7 +1984,8 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl, (void)(j); #ifdef _DEBUG - fprintf(stderr, "RTN T idx=%u lvl=%02x ", idx, lvl); + fprintf(stderr, "RTN T idx=%u lvl=%02x is_txt=%u shape=%u/%u ", idx, lvl, + o->v0_len >= 0x80 ? 1 : 0, hshape, l0); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_buf[idx + j]); fprintf(stderr, " -> "); @@ -2405,8 +2475,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG int w; - fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, - hshape); + fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, hshape); for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", orig_o->v0[w]); fprintf(stderr, " v0="); 
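Review bot: The text-flag strip tests only the first length (`if (l0 >= 0x80)`) and then subtracts 0x80 from l1, ol0 and ol1 unconditionally; if the instrumentation can mark one operand as text and not the other, those u8 values wrap (5 - 0x80 = 133). In this function its_len is subsequently capped by `MIN(MIN(lmax, hshape), len - idx)`, so no over-read follows here, but the assumption that all four flags agree is not visible in the diff (the cmpfn_operands layout and how v0_len/v1_len are filled are outside it) and should either be asserted or handled per value, e.g. `l1 = (l1 >= 0x80) ? l1 - 0x80 : l1;` for each length. A one-line comment on the `0x80` constant naming it as the "operand is text" marker would also help, since it is repeated in four places in this commit. rtn_extend_encoding continues outside the hunk.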
@@ -2421,9 +2490,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, fprintf(stderr, "\n"); #endif - if (unlikely(rtn_extend_encoding( - afl, o->v0, o->v1, orig_o->v0, orig_o->v1, hshape, - idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { + if (unlikely(rtn_extend_encoding(afl, 0, o, orig_o, idx, taint_len, + orig_buf, buf, cbuf, len, lvl, + &status))) { return 1; @@ -2438,9 +2507,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, status = 0; - if (unlikely(rtn_extend_encoding( - afl, o->v1, o->v0, orig_o->v1, orig_o->v0, hshape, - idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { + if (unlikely(rtn_extend_encoding(afl, 1, o, orig_o, idx, taint_len, + orig_buf, buf, cbuf, len, lvl, + &status))) { return 1; @@ -2455,13 +2524,36 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } - // If failed, add to dictionary - if (!found_one && (lvl & LVL1)) { + // if (unlikely(!afl->pass_stats[key].total)) { + + if (lvl & LVL1) { + + u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, + ol1 = orig_o->v1_len; + if (l0 >= 0x80) { + + is_txt = 1; + l0 -= 0x80; + l1 -= 0x80; + ol0 -= 0x80; + ol1 -= 0x80; + + } + + u8 same0 = 0, same1 = 0, result = 1 + (found_one << 2); + if (!is_txt) result += 2; + if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } + if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } + + if (DICT_ADD_STRATEGY >= same0 + result) { + + maybe_add_auto(afl, o->v0, l0); + + } - if (unlikely(!afl->pass_stats[key].total)) { + if (DICT_ADD_STRATEGY >= same1 + result) { - maybe_add_auto(afl, o->v0, hshape); - maybe_add_auto(afl, o->v1, hshape); + maybe_add_auto(afl, o->v1, l1); } -- cgit v1.2.3 From 462149de642451024199557c7a7bb7ea76e5b8fa Mon Sep 17 00:00:00 2001 
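Review bot: The length handling in the new dictionary block differs from the one added to rtn_extend_encoding in the same commit: there a zero length falls back to `l0 = l1 = ol0 = ol1 = hshape;`, whereas here a zero v0_len/v1_len is used as-is, so `memcmp(..., 0)` reports the operands as identical and `maybe_add_auto(afl, o->v0, l0)` is called with a length of 0 where the removed code used hshape. If zero lengths are possible (the other hunk evidently expects them), the same fallback belongs here, `else if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0) { l0 = l1 = ol0 = ol1 = hshape; }` after the `if (l0 >= 0x80)` block. As in that function, only l0 is tested for the 0x80 flag before all four lengths are decremented, so a wrapped l1 would reach `maybe_add_auto(afl, o->v1, l1)`. rtn_fuzz's body continues outside the hunk.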
From: vanhauser-thc Date: Sun, 17 Oct 2021 20:31:02 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 87 +++++++++++++++++++++++++++++-------------------- 1 file changed, 51 insertions(+), 36 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 30de12c1..65d21b0a 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1455,25 +1455,25 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, #ifdef _DEBUG fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ", - its_len, shape, len, idx, attr, off, do_reverse); + its_len, hshape, len, idx, attr, off, do_reverse); u32 i; u8 *o_r = (u8 *)&changed_val; - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", ptr[i]); fprintf(stderr, "=="); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", p[off + i]); fprintf(stderr, " "); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", o_ptr[i]); fprintf(stderr, "=="); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", o_p[off + i]); fprintf(stderr, " <= "); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", r[off + i]); fprintf(stderr, "<-"); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", o_r[off + i]); fprintf(stderr, "\n"); #endif 
@@ -1850,39 +1850,46 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, is_n, hshape); #endif - u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); - if (o->v0 != orig_o->v0) { same0 = 8; } - if (o->v1 != orig_o->v1) { same1 = 8; } + // we only learn 16 bit + + if (hshape > 1) { + + u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); + if (o->v0 != orig_o->v0) { same0 = 8; } + if (o->v1 != orig_o->v1) { same1 = 8; } #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { + if (unlikely(is_n)) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - try_to_add_to_dictN(afl, s128_v0, hshape); + try_to_add_to_dictN(afl, s128_v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { - try_to_add_to_dictN(afl, s128_v1, hshape); + try_to_add_to_dictN(afl, s128_v1, hshape); - } + } - } else + } else #endif - { + { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - try_to_add_to_dict(afl, o->v0, hshape); + // fprintf(stderr, "add v0 0x%llx\n", o->v0); + try_to_add_to_dict(afl, o->v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { - try_to_add_to_dict(afl, o->v1, hshape); + // fprintf(stderr, "add v1 0x%llx\n", o->v1); + try_to_add_to_dict(afl, o->v1, hshape); + + } } 
@@ -2428,18 +2435,22 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } /* - struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; - fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, - h->id, hshape, h->attribute); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]); - fprintf(stderr, " v1="); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]); - fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", - hh->hits, hh->id, hshape, hh->attribute); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]); - fprintf(stderr, " o1="); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]); - fprintf(stderr, "\n"); + struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; + fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id, + hshape, h->attribute); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", o->v0[j]); + fprintf(stderr, " v1="); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", o->v1[j]); + fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", hh->hits, + hh->id, hshape, hh->attribute); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", orig_o->v0[j]); + fprintf(stderr, " o1="); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", orig_o->v1[j]); + fprintf(stderr, "\n"); */ t = taint; @@ -2547,12 +2558,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (DICT_ADD_STRATEGY >= same0 + result) { + // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); maybe_add_auto(afl, o->v0, l0); } if (DICT_ADD_STRATEGY >= same1 + result) { + // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); maybe_add_auto(afl, o->v1, l1); } 
@@ -2727,11 +2740,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { + // fprintf(stderr, "INS %u\n", k); afl->stage_max += MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H); } else { + // fprintf(stderr, "RTN %u\n", k); afl->stage_max += MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H); -- cgit v1.2.3 From 72d10fee407f32d4041573d1906a047a67277eff Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 10:03:39 +0200 Subject: dict enhancement --- src/afl-fuzz-redqueen.c | 64 ++++++++++++++++++++++++++++++------------------- 1 file changed, 39 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 65d21b0a..10bcd63d 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c 
@@ -1853,41 +1853,48 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // we only learn 16 bit + if (hshape > 1) { - u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, + result = 1 + 2 + (found_one << 2); if (o->v0 != orig_o->v0) { same0 = 8; } if (o->v1 != orig_o->v1) { same1 = 8; } + if (o->v0 != o->v1) { same2 = 8; } + if (orig_o->v0 != orig_o->v1) { same3 = 8; } + + if (!(same0 && same1) && !same2 && !same3) { #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { + if (unlikely(is_n)) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - try_to_add_to_dictN(afl, s128_v0, hshape); + try_to_add_to_dictN(afl, s128_v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { - try_to_add_to_dictN(afl, s128_v1, hshape); + try_to_add_to_dictN(afl, s128_v1, hshape); - } + } - } else + } else #endif - { + { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - // fprintf(stderr, "add v0 0x%llx\n", o->v0); - try_to_add_to_dict(afl, o->v0, hshape); + // fprintf(stderr, "add v0 0x%llx\n", o->v0); + try_to_add_to_dict(afl, o->v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { + + // fprintf(stderr, "add v1 0x%llx\n", o->v1); + try_to_add_to_dict(afl, o->v1, hshape); - // fprintf(stderr, "add v1 0x%llx\n", o->v1); - try_to_add_to_dict(afl, o->v1, hshape); + } } 
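Review bot: The new same2/same3 follow same0/same1 in being set to 8 when the operands differ, so the guard `if (!(same0 && same1) && !same2 && !same3)` reads as "not same" while actually requiring that o->v0 equals o->v1 and orig_o->v0 equals orig_o->v1; the names encode the inverse of what they say. Renaming them after the bit they carry (`u8 diff0 = 0, diff1 = 0, diff2 = 0, diff3 = 0;`, the notSAME flag) or a comment such as `/* 8 == notSAME bit: operand changed between runs / differs from its partner */` would make the strategy arithmetic readable. The enclosing cmp_fuzz starts before this hunk.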
@@ -2551,22 +2558,29 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } - u8 same0 = 0, same1 = 0, result = 1 + (found_one << 2); + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, + result = 1 + (found_one << 2); if (!is_txt) result += 2; if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } + if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } + if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } - if (DICT_ADD_STRATEGY >= same0 + result) { + if (!(same0 && same1) && !same2 && !same3) { - // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); - maybe_add_auto(afl, o->v0, l0); + if (DICT_ADD_STRATEGY >= same0 + result) { - } + // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); + maybe_add_auto(afl, o->v0, l0); - if (DICT_ADD_STRATEGY >= same1 + result) { + } + + if (DICT_ADD_STRATEGY >= same1 + result) { - // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); - maybe_add_auto(afl, o->v1, l1); + // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); + maybe_add_auto(afl, o->v1, l1); + + } } -- cgit v1.2.3 From 699df8f8ce4cc5de56510f72ebff611d26710557 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 11:11:56 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 10bcd63d..30bad557 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c 
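Review bot: `if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; }` compares the original operands using the new operand's length l0 rather than ol0; the guard only establishes ol0 == ol1, and l0 may differ from ol0 (that is exactly what the same0 line above tests), so the compare covers the wrong number of bytes and can read past the operand's valid data. It should be `memcmp(orig_o->v0, orig_o->v1, ol0)`. The surrounding rtn_fuzz starts outside the hunk.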
@@ -1860,18 +1860,18 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (o->v0 != o->v1) { same2 = 8; } if (orig_o->v0 != orig_o->v1) { same3 = 8; } - if (!(same0 && same1) && !same2 && !same3) { + if (!same2 && !same3) { #ifdef WORD_SIZE_64 if (unlikely(is_n)) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same0 + result) { try_to_add_to_dictN(afl, s128_v0, hshape); } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same1 + result) { try_to_add_to_dictN(afl, s128_v1, hshape); @@ -2566,16 +2566,16 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } - if (!(same0 && same1) && !same2 && !same3) { + if (!same2 && !same3) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same0 + result) { // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); maybe_add_auto(afl, o->v0, l0); } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same1 + result) { // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); maybe_add_auto(afl, o->v1, l1); -- cgit v1.2.3 From 45d668a671316821c3f9793381cb54956b535491 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 13:17:07 +0200 Subject: better ui banner --- src/afl-fuzz-init.c | 37 ------------------------------------- src/afl-fuzz-stats.c | 49 +++++++++++++++++++++++++++++-------------------- src/afl-fuzz.c | 17 +++++++++++++---- 3 files changed, 42 insertions(+), 61 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9bb25785..9c45f08a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
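Review bot: The per-operand guards added here are mirror images between the two functions: in cmp_fuzz v0 is skipped when `(!same0 && same1)` and v1 when `(same0 && !same1)`, whereas in rtn_fuzz v0 is skipped when `(same0 && !same1)` and v1 when `(!same0 && same1)`. Combined with `DICT_ADD_STRATEGY >= same0 + result` (which with the current strategy already requires same0 == 0), the cmp_fuzz form only adds v0 when neither operand changed, while the rtn_fuzz form adds v0 whenever v0 itself is unchanged; one of the two is presumably unintended. A comment next to each guard stating the case being excluded, e.g. `/* skip the constant side when only the other operand moved between runs */`, would make the intended rule checkable. Both enclosing functions start outside their hunks.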
@@ -2815,43 +2815,6 @@ void check_binary(afl_state_t *afl, u8 *fname) { } -/* Trim and possibly create a banner for the run. */ - -void fix_up_banner(afl_state_t *afl, u8 *name) { - - if (!afl->use_banner) { - - if (afl->sync_id) { - - afl->use_banner = afl->sync_id; - - } else { - - u8 *trim = strrchr(name, '/'); - if (!trim) { - - afl->use_banner = name; - - } else { - - afl->use_banner = trim + 1; - - } - - } - - } - - if (strlen(afl->use_banner) > 32) { - - u8 *tmp = ck_alloc(36); - sprintf(tmp, "%.32s...", afl->use_banner); - afl->use_banner = tmp; - - } - -} - /* Check if we're on TTY. */ void check_if_tty(afl_state_t *afl) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 870ba69a..0c06232b 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -441,9 +441,10 @@ void show_stats(afl_state_t *afl) { u64 cur_ms; u32 t_bytes, t_bits; - u32 banner_len, banner_pad; - u8 tmp[256]; - u8 time_tmp[64]; + static u8 banner[128]; + u32 banner_len, banner_pad; + u8 tmp[256]; + u8 time_tmp[64]; u8 val_buf[8][STRINGIFY_VAL_SIZE_MAX]; #define IB(i) (val_buf[(i)]) 
@@ -656,26 +657,34 @@ void show_stats(afl_state_t *afl) { } /* Let's start by drawing a centered banner. */ + if (unlikely(!banner[0])) { - banner_len = (afl->crash_mode ? 24 : 22) + strlen(VERSION) + - strlen(afl->use_banner) + strlen(afl->power_name) + 3 + 5; - banner_pad = (79 - banner_len) / 2; - memset(tmp, ' ', banner_pad); + char *si = ""; + if (afl->sync_id) { si = afl->sync_id; } + memset(banner, 0, sizeof(banner)); + banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) + + strlen(afl->power_name) + 4 + 6; -#ifdef HAVE_AFFINITY - sprintf( - tmp + banner_pad, - "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]" cBLU " {%d}", - afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", - afl->use_banner, afl->power_name, afl->cpu_aff); -#else - sprintf( - tmp + banner_pad, "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]", - afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", - afl->use_banner, afl->power_name); -#endif /* HAVE_AFFINITY */ + if (strlen(afl->use_banner) + banner_len > 75) { + + afl->use_banner += (strlen(afl->use_banner) + banner_len) - 76; + memset(afl->use_banner, '.', 3); + + } + + banner_len += strlen(afl->use_banner); + banner_pad = (79 - banner_len) / 2; + memset(banner, ' ', banner_pad); + + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); + + } - SAYF("\n%s\n", tmp); + SAYF("\n%s\n", banner); /* "Handy" shortcuts for drawing boxes... */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92a37697..26886a4f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
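Review bot: `sprintf(banner + banner_pad, ...)` writes into the 128-byte static `banner` without a bound, and banner_len only counts visible characters, not the cLCY/cLBL/cLGN/cPIN/cYEL escape sequences the format string inserts, so the real output is longer than the 79 columns the arithmetic reasons about; at minimum use `snprintf(banner + banner_pad, sizeof(banner) - banner_pad, ...)`. Two further problems sit in the trimming branch: `afl->use_banner += ...; memset(afl->use_banner, '.', 3);` writes into whatever string use_banner points at (the afl-fuzz.c hunk of this commit makes that argv[optind] or the -T argument), and when banner_len alone exceeds 76 the computed offset is larger than strlen(use_banner), so the pointer is advanced past the end of the string before the memset; likewise `(79 - banner_len) / 2` is unsigned and wraps if banner_len > 79. Building the shortened name into a local buffer and guarding the widths avoids all three; show_stats continues outside the hunk.
```c
  if (unlikely(!banner[0])) {

    char *si = "";
    if (afl->sync_id) { si = afl->sync_id; }
    memset(banner, 0, sizeof(banner));
    banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) +
                 strlen(afl->power_name) + 4 + 6;

    /* shorten the target name to "...tail" without touching the caller's
       string; only possible when the fixed part leaves room for the dots */
    static u8 name_buf[80];
    u8 *      name = afl->use_banner;
    size_t    name_len = strlen(name);
    if (name_len + banner_len > 75 && banner_len + 3 <= 76) {

      size_t keep = 76 - banner_len; /* total width incl. the three dots */
      snprintf(name_buf, sizeof(name_buf), "...%s",
               name + (name_len - (keep - 3)));
      name = name_buf;

    }

    banner_len += strlen(name);
    banner_pad = banner_len < 79 ? (79 - banner_len) / 2 : 0;
    memset(banner, ' ', banner_pad);

    snprintf(banner + banner_pad, sizeof(banner) - banner_pad,
             "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]",
             afl->crash_mode ? cPIN "peruvian were-rabbit"
                             : cYEL "american fuzzy lop",
             si, name, afl->power_name);

  }
```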
@@ -1189,7 +1189,17 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->sync_id) { fix_up_sync(afl); } + if (afl->sync_id) { + + if (strlen(afl->sync_id) > 24) { + + FATAL("sync_id max length is 24 characters"); + + } + + fix_up_sync(afl); + + } if (!strcmp(afl->in_dir, afl->out_dir)) { @@ -1218,6 +1228,8 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->afl_env.afl_statsd)) { statsd_setup_format(afl); } + if (!afl->use_banner) { afl->use_banner = argv[optind]; } + if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) { WARNF(cLRD @@ -1486,9 +1498,6 @@ int main(int argc, char **argv_orig, char **envp) { } save_cmdline(afl, argc, argv); - - fix_up_banner(afl, argv[optind]); - check_if_tty(afl); if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; } -- cgit v1.2.3 From 77a63d8ccfd4b409c35227e174f1d6e809256e41 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 19 Oct 2021 13:59:31 +0200 Subject: execs field in filenames --- src/afl-fuzz-bitmap.c | 5 +++-- src/afl-fuzz-init.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0ae4d607..316067e4 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -317,8 +317,9 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { } - sprintf(ret + strlen(ret), ",time:%llu", - get_cur_time() + afl->prev_run_time - afl->start_time); + sprintf(ret + strlen(ret), ",time:%llu,execs:%llu", + get_cur_time() + afl->prev_run_time - afl->start_time, + afl->fsrv.total_execs); if (afl->current_custom_fuzz && afl->current_custom_fuzz->afl_custom_describe) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9bb25785..0fa8e6ec 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
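Review bot: `if (!afl->use_banner) { afl->use_banner = argv[optind]; }` makes use_banner alias the argv string (with -T it already aliases optarg), which matters because show_stats in this same commit edits the banner in place (`afl->use_banner += ...; memset(afl->use_banner, '.', 3);`): the target path in argv, and anything still reading it such as /proc/<pid>/cmdline, gets overwritten with dots, and the -T text is mutated too. Taking a private copy here, e.g. `afl->use_banner = ck_strdup(argv[optind]);` if that helper is available (the removed fix_up_banner used ck_alloc), or copying inside show_stats, decouples the two. The old fix_up_banner also capped the banner at 32 characters at startup, whereas now the string is only shortened when the UI draws it; if use_banner is written elsewhere (stats file, plot data) that path is no longer bounded, which I cannot confirm from this diff. main continues outside the hunk.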
@@ -1325,8 +1325,8 @@ void pivot_inputs(afl_state_t *afl) { } - nfn = alloc_printf("%s/queue/id:%06u,time:0,orig:%s", afl->out_dir, id, - use_name); + nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", afl->out_dir, id, + afl->fsrv.total_execs, use_name); #else -- cgit v1.2.3 From 0bc3367b55b2f08c7c2588576af27567044dc0b6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Oct 2021 14:46:15 +0200 Subject: remove race condition --- src/afl-forkserver.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 54f510c4..94ca3009 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -610,12 +610,24 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!time_ms) { - if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } + s32 tmp_pid = fsrv->fsrv_pid; + if (tmp_pid > 0) { + + kill(tmp_pid, fsrv->kill_signal); + fsrv->fsrv_pid = 1; + + } } else if (time_ms > fsrv->init_tmout) { fsrv->last_run_timed_out = 1; - if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } + s32 tmp_pid = fsrv->fsrv_pid; + if (tmp_pid > 0) { + + kill(tmp_pid, fsrv->kill_signal); + fsrv->fsrv_pid = 1; + + } } else { @@ -1248,7 +1260,14 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); } + s32 tmp_pid = srv->child_pid; + if (tmp_pid > 0) { + + kill(tmp_pid, fsrv->kill_signal); + fsrv->child_pid = -1 + + } + fsrv->last_run_timed_out = 1; if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; } -- cgit v1.2.3 From 90786e2ce9970c52e661c0fe290cb78a1a063004 Mon Sep 17 00:00:00 2001 
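Review bot: `fsrv->fsrv_pid = 1;` after the kill uses a live PID as the "already killed" sentinel: the surrounding tests are `> 0`, so any later path that checks fsrv_pid and calls kill() would signal init; the afl_fsrv_run_target hunk in the same commit uses -1, and that is what belongs here as well. The run_target hunk itself does not compile as posted (`srv->child_pid` and a missing `;` after `fsrv->child_pid = -1`). Copying the pid into tmp_pid before kill() narrows the window but does not close it: if something else (a SIGCHLD handler or the forkserver's own reply path) reaps the child between the copy and the kill, the signal can land on a recycled PID; whether any such reaper exists is not visible in this diff, so a comment stating that only this thread waits on the pid would document the assumption the fix relies on.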
From: vanhauser-thc Date: Tue, 19 Oct 2021 15:20:59 +0200 Subject: fix --- src/afl-forkserver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 94ca3009..71667262 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1260,11 +1260,11 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - s32 tmp_pid = srv->child_pid; + s32 tmp_pid = fsrv->child_pid; if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal); - fsrv->child_pid = -1 + fsrv->child_pid = -1; } -- cgit v1.2.3 From e03897a0703673aa0de7772185a5b5230641cb6a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 23 Oct 2021 20:54:24 +0200 Subject: fix timeout bug in afl tools --- src/afl-analyze.c | 12 ++++++++++++ src/afl-fuzz-init.c | 4 ++-- src/afl-showmap.c | 13 +++++++++++++ src/afl-tmin.c | 12 ++++++++++++ 4 files changed, 39 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 8295488d..09b01541 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -120,6 +120,17 @@ static u8 count_class_lookup[256] = { #undef TIMES8 #undef TIMES4 +static void kill_child() { + + if (fsrv.child_pid > 0) { + + kill(fsrv.child_pid, fsrv.kill_signal); + fsrv.child_pid = -1; + + } + +} + static void classify_counts(u8 *mem) { u32 i = map_size; @@ -1053,6 +1064,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv.target_path = find_binary(argv[optind]); fsrv.trace_bits = afl_shm_init(&shm, map_size, 0); detect_file_args(argv + optind, fsrv.out_file, &use_stdin); + signal(SIGALRM, kill_child); if (qemu_mode) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index f0e1a80d..1170715f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
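Review bot: `static void kill_child()` is installed with `signal(SIGALRM, kill_child)` but is declared without the `int` parameter a signal handler takes; in C11 an empty parameter list is an unprototyped declaration so the mismatch compiles silently, but the handler should be `static void kill_child(int sig) { (void)sig; ... }` to be conforming and to keep compiling under C23, where `()` means `(void)`. The handler reads and writes `fsrv.child_pid` (a plain s32) while the main flow also writes it; kill() itself is async-signal-safe, but a comment noting that child_pid is only touched from the main thread and this handler would document why no atomic is needed. main continues outside the hunk.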
@@ -1325,8 +1325,8 @@ void pivot_inputs(afl_state_t *afl) { } - nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", afl->out_dir, id, - afl->fsrv.total_execs, use_name); + nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", + afl->out_dir, id, afl->fsrv.total_execs, use_name); #else diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5df07bf2..3a244c04 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -146,6 +146,17 @@ static const u8 count_class_binary[256] = { #undef TIMES8 #undef TIMES4 +static void kill_child() { + + if (fsrv->child_pid > 0) { + + kill(fsrv->child_pid, fsrv->kill_signal); + fsrv->child_pid = -1; + + } + +} + static void classify_counts(afl_forkserver_t *fsrv) { u8 * mem = fsrv->trace_bits; @@ -526,6 +537,8 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { } + signal(SIGALRM, kill_child); + setitimer(ITIMER_REAL, &it, NULL); if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 4f3a6b80..ce2a0b8f 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -120,6 +120,17 @@ static const u8 count_class_lookup[256] = { #undef TIMES8 #undef TIMES4 +static void kill_child() { + + if (fsrv->child_pid > 0) { + + kill(fsrv->child_pid, fsrv->kill_signal); + fsrv->child_pid = -1; + + } + +} + static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, sharedmem_t * shm_fuzz) { @@ -1125,6 +1136,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->target_path = find_binary(argv[optind]); fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); detect_file_args(argv + optind, out_file, &fsrv->use_stdin); + signal(SIGALRM, kill_child); if (fsrv->qemu_mode) { -- cgit v1.2.3 From a7ee11a1747347847b06a4226f2800dd780f7c16 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 24 Oct 2021 19:35:58 +0200 Subject: fix --- src/afl-forkserver.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 71667262..c570a2bb 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -603,7 +603,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* Wait for the fork server to come up, but don't wait too long. */ rlen = 0; - if (fsrv->exec_tmout) { + if (fsrv->init_tmout) { u32 time_ms = read_s32_timed(fsrv->fsrv_st_fd, &status, fsrv->init_tmout, stop_soon_p); @@ -614,7 +614,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal); - fsrv->fsrv_pid = 1; + fsrv->fsrv_pid = -1; } @@ -625,7 +625,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal); - fsrv->fsrv_pid = 1; + fsrv->fsrv_pid = -1; } @@ -1301,7 +1301,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = 0; } + if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1 ; } fsrv->total_execs++; -- cgit v1.2.3 From 0f49463edec0c019bd098659fa74c58a2d28c439 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 24 Oct 2021 19:41:06 +0200 Subject: fix --- src/afl-forkserver.c | 2 +- src/afl-showmap.c | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c570a2bb..80b295e0 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1301,7 +1301,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1 ; } + if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1; } fsrv->total_execs++; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3a244c04..3826e385 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
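Review bot: The `WIFSTOPPED` line in afl_fsrv_run_target changes the "no live child" sentinel from 0 to -1, and the `fsrv_pid` resets in afl_fsrv_start now use -1 as well, but nothing in the hunks records that convention; a comment at the reset, `/* -1: no live child; handlers and cleanup test child_pid > 0 */`, would stop the next edit from reintroducing 0 or 1 (this series has already used both). Any reader elsewhere that tests `child_pid == 0` rather than `> 0` would now miss the idle state — not visible here, but worth a grep. The stray space in `-1 ;` is a formatting nit.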
@@ -77,7 +77,7 @@ static u32 tcnt, highest; /* tuple content information */ static u32 in_len; /* Input data length */ -static u32 map_size = MAP_SIZE; +static u32 map_size = MAP_SIZE, timed_out = 0; static bool quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ @@ -148,6 +148,7 @@ static const u8 count_class_binary[256] = { static void kill_child() { + timed_out = 1; if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); @@ -373,9 +374,10 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem, if (!quiet_mode) { - if (fsrv->last_run_timed_out) { + if (timed_out || fsrv->last_run_timed_out) { SAYF(cLRD "\n+++ Program timed off +++\n" cRST); + timed_out = 0; } else if (stop_soon) { @@ -581,9 +583,10 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { if (!quiet_mode) { - if (fsrv->last_run_timed_out) { + if (timed_out || fsrv->last_run_timed_out) { SAYF(cLRD "\n+++ Program timed off +++\n" cRST); + timed_out = 0; } else if (stop_soon) { -- cgit v1.2.3 From 0348ede4bc47264473efdac86415b9c805bdda40 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 24 Oct 2021 19:53:07 +0200 Subject: fix gcc warning --- src/afl-cc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index e49addc4..77407a98 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1007,7 +1007,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } // prevent unnecessary build errors - cc_params[cc_par_cnt++] = "-Wno-unused-command-line-argument"; + if (compiler_mode != GCC_PLUGIN && compiler_mode != GCC) { + + cc_params[cc_par_cnt++] = "-Wno-unused-command-line-argument"; + + } if (preprocessor_only || have_c) { -- cgit v1.2.3 From efec2b5a99d8f229eec4123e28c79a15389fe6bb Mon Sep 17 00:00:00 2001 
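Review bot: `timed_out` is written from the SIGALRM handler `kill_child` (second hunk) and read in showmap_run_target_forkserver and showmap_run_target, so it should be declared on its own line as `static volatile sig_atomic_t timed_out = 0;` rather than appended to the `map_size` declaration as a plain u32; without `volatile` the compiler may keep the value in a register across the `waitpid`, and sig_atomic_t is the only type the standard guarantees for handler-to-main communication. The reset `timed_out = 0;` happens only inside the `!quiet_mode` branch, so in quiet mode a timeout from one run stays flagged for every later run; harmless today since the only visible readers are in that same branch, but the reset belongs outside the message block.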
From: lazymio Date: Mon, 25 Oct 2021 16:05:58 +0200 Subject: Update real_map_size when doing a realloc --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 26886a4f..34f3377b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1706,7 +1706,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode || afl->unicorn_mode) { - map_size = afl->fsrv.map_size = MAP_SIZE; + map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE; afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size); afl->virgin_tmout = ck_realloc(afl->virgin_tmout, map_size); afl->virgin_crash = ck_realloc(afl->virgin_crash, map_size); -- cgit v1.2.3 From b4e328803c4e61c81fdf0e0412f013fcf0e72e0d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 26 Oct 2021 18:10:57 +0200 Subject: variants --- src/afl-fuzz-redqueen.c | 93 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 69 insertions(+), 24 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 30bad557..6002703e 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,6 +28,8 @@ #include "afl-fuzz.h" #include "cmplog.h" +#define VARIANT 0 + //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -461,10 +463,10 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, fprintf( f, "Colorization: fname=%s len=%u ms=%llu result=%u execs=%u found=%llu " - "taint=%u\n", + "taint=%u ascii=%u auto_extra_before=%u\n", afl->queue_cur->fname, len, get_cur_time() - start_time, afl->queue_cur->colorized, afl->stage_cur, new_hit_cnt - orig_hit_cnt, - positions); + positions, afl->queue_cur->is_ascii ? 1 : 0, afl->a_extras_cnt); #ifndef _DEBUG if (afl->not_on_tty) { fclose(f); } 
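Review bot: `#define VARIANT 0` introduces an experiment selector into committed source with no comment saying what the variants are or which value ships; a comment next to it, `/* dictionary-add strategy experiment: 0 = current behaviour; remove once settled */`, would make the later flips of this value in this series reviewable. A build-time override, `#ifndef VARIANT` around the define, would also avoid committing each flip.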
@@ -1854,24 +1856,34 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (hshape > 1) { u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, - result = 1 + 2 + (found_one << 2); + result = 1 + (found_one << 2); if (o->v0 != orig_o->v0) { same0 = 8; } if (o->v1 != orig_o->v1) { same1 = 8; } if (o->v0 != o->v1) { same2 = 8; } if (orig_o->v0 != orig_o->v1) { same3 = 8; } + if (check_if_text_buf((u8 *)o->v0, hshape) < hshape) same0 += 2; + if (check_if_text_buf((u8 *)o->v1, hshape) < hshape) same1 += 2; if (!same2 && !same3) { #ifdef WORD_SIZE_64 if (unlikely(is_n)) { - if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same0 + result) { + if ( + #if VARIANT == 1 + !(!same0 && same1) && + #endif + DICT_ADD_STRATEGY >= same0 + result) { try_to_add_to_dictN(afl, s128_v0, hshape); } - if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same1 + result) { + if ( + #if VARIANT == 1 + !(same0 && !same1) && + #endif + DICT_ADD_STRATEGY >= same1 + result) { try_to_add_to_dictN(afl, s128_v1, hshape); @@ -1882,14 +1894,22 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #endif { - if (DICT_ADD_STRATEGY >= same0 + result) { + if ( +#if VARIANT == 1 + !(!same0 && same1) && +#endif + DICT_ADD_STRATEGY >= same0 + result) { // fprintf(stderr, "add v0 0x%llx\n", o->v0); try_to_add_to_dict(afl, o->v0, hshape); } - if (DICT_ADD_STRATEGY >= same1 + result) { + if ( +#if VARIANT == 1 + !(same0 && !same1) && +#endif + DICT_ADD_STRATEGY >= same1 + result) { // fprintf(stderr, "add v1 0x%llx\n", o->v1); try_to_add_to_dict(afl, o->v1, hshape); @@ -1966,14 +1986,17 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, } - if (l0 >= 0x80) { + if (l0 >= 0x80 || ol0 >= 0x80) { l0 -= 0x80; l1 -= 0x80; ol0 -= 0x80; ol1 -= 0x80; - } else if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0) { + } + + if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || + ol0 > 31 || ol1 > 31) { l0 = l1 = ol0 = ol1 = hshape; 
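Review bot: `check_if_text_buf((u8 *)o->v0, hshape)` and its v1 twin in cmp_fuzz cast the compared operand's value to a pointer; the surrounding lines compare `o->v0` as an integer and pass it by value to `try_to_add_to_dict`, so this call reads memory at whatever address the operand happens to equal. The intent is the operand's own bytes, `check_if_text_buf((u8 *)&o->v0, hshape)`, which is the form the rtn_fuzz counterpart in this commit uses. The second hunk of this file section adds the same `#if VARIANT == 1` guards; cmp_fuzz continues outside the hunk.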
@@ -2059,10 +2082,10 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, } - //#ifdef CMPLOG_SOLVE_TRANSFORM - if (*status == 1) return 0; + // transform solving + if (afl->cmplog_enable_transform && (lvl & LVL3)) { u32 toupper = 0, tolower = 0, xor = 0, arith = 0, tohex = 0, fromhex = 0; @@ -2548,7 +2571,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, ol1 = orig_o->v1_len; - if (l0 >= 0x80) { + if (l0 >= 0x80 || ol0 >= 0x80) { is_txt = 1; l0 -= 0x80; 
@@ -2558,29 +2581,51 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } + if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || + ol0 > 31 || ol1 > 31) { + + l0 = l1 = ol0 = ol1 = hshape; + + } + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, result = 1 + (found_one << 2); - if (!is_txt) result += 2; if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } + if (!is_txt && check_if_text_buf((u8 *)&o->v0, l0) < l0) { same0 += 2; } + if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; } - if (!same2 && !same3) { - - if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same0 + result) { + if ( +#if VARIANT < 3 + !(same0 && !same1) && +#endif +#if VARIANT == 4 + (!same2 && same3) +#else + (DICT_ADD_STRATEGY >= same0 + result) +#endif + ) { - // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); - maybe_add_auto(afl, o->v0, l0); + // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); + maybe_add_auto(afl, o->v0, l0); - } - - if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same1 + result) { + } - // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); - maybe_add_auto(afl, o->v1, l1); + if ( +#if VARIANT < 3 + !(!same0 && same1) && +#endif +#if VARIANT == 4 + (same2 && !same3) +#else + (DICT_ADD_STRATEGY >= same1 + result) +#endif + ) { - } + // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); + maybe_add_auto(afl, o->v1, l1); } -- cgit v1.2.3 From 245e91eb27f1572e00c6664477d588c540c30ed6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 26 Oct 2021 21:30:08 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6002703e..800a0753 100644 
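Review bot: Splicing `#if VARIANT < 3` and `#if VARIANT == 4` blocks into the middle of a single `if (` condition in rtn_fuzz produces four different predicates that are hard to read and cannot be laid out by clang-format; computing each predicate into a named local under the `#if` first, e.g. `bool add_v0 = …;` followed by `if (add_v0) { maybe_add_auto(afl, o->v0, l0); }`, keeps the branches readable. The new length sanitisation resets all four lengths to `hshape` when any one is zero or above 31, which silently discards the three valid ones; if that is intended, a comment saying why (presumably the length byte is not trustworthy) would help. rtn_fuzz continues outside the hunk.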
--- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,7 +28,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 0 +#define VARIANT 4 //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -1861,8 +1861,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (o->v1 != orig_o->v1) { same1 = 8; } if (o->v0 != o->v1) { same2 = 8; } if (orig_o->v0 != orig_o->v1) { same3 = 8; } - if (check_if_text_buf((u8 *)o->v0, hshape) < hshape) same0 += 2; - if (check_if_text_buf((u8 *)o->v1, hshape) < hshape) same1 += 2; + if (check_if_text_buf((u8 *)&o->v0, hshape) < hshape) same0 += 2; + if (check_if_text_buf((u8 *)&o->v1, hshape) < hshape) same1 += 2; if (!same2 && !same3) { -- cgit v1.2.3 From 9a11c8ac24f8b2c2dcd78aa3a27e5416a717ce4f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 26 Oct 2021 22:06:01 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 800a0753..928cab59 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,7 +28,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 4 +#define VARIANT 0 //#define _DEBUG //#define CMPLOG_INTROSPECTION -- cgit v1.2.3 From e2ca7a63972ef3c245395bea7bb89d873ad757af Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 28 Oct 2021 18:02:57 +0200 Subject: variant 6 --- src/afl-fuzz-redqueen.c | 126 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 103 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 928cab59..b5dc23c2 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,7 +28,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 0 +#define VARIANT 6 //#define _DEBUG //#define CMPLOG_INTROSPECTION 
@@ -1855,6 +1855,43 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // we only learn 16 bit + if (hshape > 1) { +#if VARIANT == 6 + if (!found_one || afl->queue_cur->is_ascii) { + + #ifdef WORD_SIZE_64 + if (unlikely(is_n)) { + + if (!found_one || + check_if_text_buf((u8 *)&s128_v0, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape)) + try_to_add_to_dictN(afl, s128_v0, SHAPE_BYTES(h->shape)); + if (!found_one || + check_if_text_buf((u8 *)&s128_v1, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape)) + try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape)); + + } else + + #endif + { + + if (!memcmp((u8 *)&o->v0, (u8 *)&orig_o->v0, SHAPE_BYTES(h->shape)) && + (!found_one || + check_if_text_buf((u8 *)&o->v0, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape))) + try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); + if (!memcmp((u8 *)&o->v1, (u8 *)&orig_o->v1, SHAPE_BYTES(h->shape)) && + (!found_one || + check_if_text_buf((u8 *)&o->v1, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape))) + try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + + } + + } + +#else + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, result = 1 + (found_one << 2); if (o->v0 != orig_o->v0) { same0 = 8; } @@ -1866,13 +1903,13 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (!same2 && !same3) { -#ifdef WORD_SIZE_64 + #ifdef WORD_SIZE_64 if (unlikely(is_n)) { if ( - #if VARIANT == 1 + #if VARIANT == 1 !(!same0 && same1) && - #endif + #endif DICT_ADD_STRATEGY >= same0 + result) { try_to_add_to_dictN(afl, s128_v0, hshape); @@ -1880,9 +1917,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } if ( - #if VARIANT == 1 + #if VARIANT == 1 !(same0 && !same1) && - #endif + #endif DICT_ADD_STRATEGY >= same1 + result) { try_to_add_to_dictN(afl, s128_v1, hshape); 
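Review bot: The new VARIANT 6 block in cmp_fuzz evaluates `SHAPE_BYTES(h->shape)` ten times where the rest of the function works with `hshape`; the rtn_fuzz counterpart in this commit hoists it once as `u32 shape_len = SHAPE_BYTES(h->shape);`, and doing the same here would shorten every condition. Whether `hshape` and `SHAPE_BYTES(h->shape)` agree at this point depends on code outside the hunk; if hshape has been adjusted earlier in the function the two differ and the dictionary entries would be cut at a different length than the comparisons above them, so the choice deserves a comment. The `#if VARIANT == 6 … #else` split leaves the previous strategy compiled out but still in the file; cmp_fuzz continues outside the hunk.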
@@ -1891,13 +1928,13 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } else -#endif + #endif { if ( -#if VARIANT == 1 + #if VARIANT == 1 !(!same0 && same1) && -#endif + #endif DICT_ADD_STRATEGY >= same0 + result) { // fprintf(stderr, "add v0 0x%llx\n", o->v0); @@ -1906,9 +1943,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } if ( -#if VARIANT == 1 + #if VARIANT == 1 !(same0 && !same1) && -#endif + #endif DICT_ADD_STRATEGY >= same1 + result) { // fprintf(stderr, "add v1 0x%llx\n", o->v1); @@ -1920,6 +1957,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } +#endif + } cmp_fuzz_next_iter: 
@@ -2567,6 +2606,44 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // if (unlikely(!afl->pass_stats[key].total)) { +#if VARIANT == 6 + if ((!found_one && (lvl & LVL1)) || afl->queue_cur->is_ascii) { + + // if (unlikely(!afl->pass_stats[key].total)) { + + u32 shape_len = SHAPE_BYTES(h->shape); + u32 v0_len = shape_len, v1_len = shape_len; + if (afl->queue_cur->is_ascii || + check_if_text_buf((u8 *)&o->v0, shape_len) == shape_len) { + + if (strlen(o->v0)) v0_len = strlen(o->v0); + + } + + if (afl->queue_cur->is_ascii || + check_if_text_buf((u8 *)&o->v1, shape_len) == shape_len) { + + if (strlen(o->v1)) v1_len = strlen(o->v1); + + } + + // fprintf(stderr, "SHOULD: found:%u ascii:%u text?%u:%u %u:%s %u:%s \n", + // found_one, afl->queue_cur->is_ascii, check_if_text_buf((u8 *)&o->v0, + // shape_len), check_if_text_buf((u8 *)&o->v1, shape_len), v0_len, + // o->v0, v1_len, o->v1); + + if (!memcmp(o->v0, orig_o->v0, v0_len) || + (!found_one || check_if_text_buf((u8 *)&o->v0, v0_len) == v0_len)) + maybe_add_auto(afl, o->v0, v0_len); + if (!memcmp(o->v1, orig_o->v1, v1_len) || + (!found_one || check_if_text_buf((u8 *)&o->v1, v1_len) == v1_len)) + maybe_add_auto(afl, o->v1, v1_len); + + //} + + } + +#else if (lvl & LVL1) { u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, @@ -2598,14 +2675,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; } if ( -#if VARIANT < 3 + #if VARIANT < 3 !(same0 && !same1) && -#endif -#if VARIANT == 4 + #endif + #if VARIANT == 4 (!same2 && same3) -#else + #else (DICT_ADD_STRATEGY >= same0 + result) -#endif + #endif ) { // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); 
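Review bot: `if (strlen(o->v0)) v0_len = strlen(o->v0);` (and the v1 twin) in the new rtn_fuzz block runs an unbounded strlen over a comparison operand that `check_if_text_buf` has only verified for `shape_len` bytes; nothing in the hunk shows the operand buffer is NUL-terminated, so strlen can run past it and the over-long length is then handed to `memcmp` and `maybe_add_auto`. Bounding it, `size_t n = strnlen((char *)o->v0, shape_len); if (n) v0_len = n;` (or a local loop where strnlen is unavailable), keeps the length within the checked bytes and drops the duplicated call. Because the enclosing condition admits `!found_one` directly, the inner `(!found_one || check_if_text_buf(…))` is always true on that path and only the `is_ascii` path is actually filtered; if that is intended a comment would save the next reader the derivation. The `#else` branch this block replaces and the rest of rtn_fuzz lie outside the hunk.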
@@ -2614,14 +2691,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } if ( -#if VARIANT < 3 + #if VARIANT < 3 !(!same0 && same1) && -#endif -#if VARIANT == 4 + #endif + #if VARIANT == 4 (same2 && !same3) -#else + #else (DICT_ADD_STRATEGY >= same1 + result) -#endif + #endif ) { // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); @@ -2631,6 +2708,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } +#endif + rtn_fuzz_next_iter: afl->stage_cur++; @@ -2966,9 +3045,10 @@ exit_its: if (f) { fprintf(f, - "Cmplog: fname=%s len=%u ms=%llu result=%u finds=%llu entries=%u\n", + "Cmplog: fname=%s len=%u ms=%llu result=%u finds=%llu entries=%u " + "auto_extra_after=%u\n", afl->queue_cur->fname, len, get_cur_time() - start_time, r, - new_hit_cnt - orig_hit_cnt, cmp_locations); + new_hit_cnt - orig_hit_cnt, cmp_locations, afl->a_extras_cnt); #ifndef _DEBUG if (afl->not_on_tty) { fclose(f); } -- cgit v1.2.3 From 36d8f979724de64ad986acd3b9fe8933e99950c4 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 28 Oct 2021 15:38:50 +0200 Subject: gcc instrumentation opt --- src/afl-cc.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 77407a98..ed6390ce 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -423,6 +423,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { char *fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); cc_params[cc_par_cnt++] = fplugin_arg; + cc_params[cc_par_cnt++] = "-fno-if-conversion"; + cc_params[cc_par_cnt++] = "-fno-if-conversion2"; } -- cgit v1.2.3 From c64735df9e87f2ee15ea32208be85e481c78814b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 31 Oct 2021 11:55:36 +0100 Subject: help gcc --- src/afl-cc.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index ed6390ce..e7f08aac 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
@@ -737,6 +737,14 @@ static void edit_params(u32 argc, char **argv, char **envp) { } + if ((compiler_mode == GCC || compiler_mode == GCC_PLUGIN) && + !strncmp(cur, "-stdlib=", 8)) { + + if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); } + continue; + + } + if ((!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) || !strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) && (strncmp(cur, "sanitize-coverage-allow", -- cgit v1.2.3 From 639d108512027bda6e7baf4a96f9d4e058e3c1d3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 31 Oct 2021 12:29:45 +0100 Subject: add cmplog compatability check --- src/afl-forkserver.c | 11 ++++ src/afl-fuzz-redqueen.c | 144 +----------------------------------------------- 2 files changed, 13 insertions(+), 142 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 54f510c4..da036d2f 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -342,6 +342,11 @@ static void report_error_and_exit(int error) { "the fuzzing target reports that the mmap() call to the shared " "memory failed."); break; + case FS_ERROR_OLD_CMPLOG: + FATAL( + "the -c cmplog target was instrumented with an too old afl++ " + "version, you need to recompile it."); + break; default: FATAL("unknown error code %d from fuzzing target!", error); @@ -651,6 +656,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_OLD_AFLPP_WORKAROUND) == FS_OPT_OLD_AFLPP_WORKAROUND) status = (status & 0xf0ffffff); + if ((status & FS_OPT_NEWCMPLOG) == 0 && fsrv->cmplog_binary) { + + report_error_and_exit(FS_ERROR_OLD_CMPLOG); + + } + if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { fsrv->snapshot = 1; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b5dc23c2..c97080c7 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c 
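Review bot: `!strncmp(cur, "-stdlib=", 8)` hard-codes the prefix length while the comparison three lines below writes `strlen("-fsanitize=fuzzer-")` for the same idiom; `strlen("-stdlib=")` is folded at compile time and keeps the literal and its length from drifting apart. The warning `Found '%s' - stripping!` does not say why the flag is dropped; `"Found '%s' - not supported by gcc, stripping!"` would tell the user. edit_params continues outside the hunk.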
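Review bot: The new check `(status & FS_OPT_NEWCMPLOG) == 0 && fsrv->cmplog_binary` in afl_fsrv_start runs right after `status` has been masked with `0xf0ffffff` for the old-afl++ workaround; if FS_OPT_NEWCMPLOG lives in the masked bits (its value is not visible here) a target hit by that workaround would always be reported as an old cmplog build, so the check should either precede the masking or carry a comment stating that it relies on the bit surviving it. The FATAL text in report_error_and_exit reads `an too old afl++ version`; `"the -c cmplog target was instrumented with a too old afl++ version, you need to recompile it."` fixes the article. afl_fsrv_start continues outside the hunk.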
@@ -28,8 +28,6 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 6 - //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -1855,10 +1853,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // we only learn 16 bit + if (hshape > 1) { -#if VARIANT == 6 if (!found_one || afl->queue_cur->is_ascii) { - #ifdef WORD_SIZE_64 +#ifdef WORD_SIZE_64 if (unlikely(is_n)) { if (!found_one || @@ -1872,7 +1869,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } else - #endif +#endif { if (!memcmp((u8 *)&o->v0, (u8 *)&orig_o->v0, SHAPE_BYTES(h->shape)) && @@ -1890,75 +1887,6 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } -#else - - u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, - result = 1 + (found_one << 2); - if (o->v0 != orig_o->v0) { same0 = 8; } - if (o->v1 != orig_o->v1) { same1 = 8; } - if (o->v0 != o->v1) { same2 = 8; } - if (orig_o->v0 != orig_o->v1) { same3 = 8; } - if (check_if_text_buf((u8 *)&o->v0, hshape) < hshape) same0 += 2; - if (check_if_text_buf((u8 *)&o->v1, hshape) < hshape) same1 += 2; - - if (!same2 && !same3) { - - #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { - - if ( - #if VARIANT == 1 - !(!same0 && same1) && - #endif - DICT_ADD_STRATEGY >= same0 + result) { - - try_to_add_to_dictN(afl, s128_v0, hshape); - - } - - if ( - #if VARIANT == 1 - !(same0 && !same1) && - #endif - DICT_ADD_STRATEGY >= same1 + result) { - - try_to_add_to_dictN(afl, s128_v1, hshape); - - } - - } else - - #endif - { - - if ( - #if VARIANT == 1 - !(!same0 && same1) && - #endif - DICT_ADD_STRATEGY >= same0 + result) { - - // fprintf(stderr, "add v0 0x%llx\n", o->v0); - try_to_add_to_dict(afl, o->v0, hshape); - - } - - if ( - #if VARIANT == 1 - !(same0 && !same1) && - #endif - DICT_ADD_STRATEGY >= same1 + result) { - - // fprintf(stderr, "add v1 0x%llx\n", o->v1); - try_to_add_to_dict(afl, o->v1, hshape); - - } - - } - - } - -#endif - } cmp_fuzz_next_iter: 
@@ -2606,7 +2534,6 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // if (unlikely(!afl->pass_stats[key].total)) { -#if VARIANT == 6 if ((!found_one && (lvl & LVL1)) || afl->queue_cur->is_ascii) { // if (unlikely(!afl->pass_stats[key].total)) { @@ -2643,73 +2570,6 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } -#else - if (lvl & LVL1) { - - u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, - ol1 = orig_o->v1_len; - if (l0 >= 0x80 || ol0 >= 0x80) { - - is_txt = 1; - l0 -= 0x80; - l1 -= 0x80; - ol0 -= 0x80; - ol1 -= 0x80; - - } - - if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || - ol0 > 31 || ol1 > 31) { - - l0 = l1 = ol0 = ol1 = hshape; - - } - - u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, - result = 1 + (found_one << 2); - if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } - if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } - if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } - if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } - if (!is_txt && check_if_text_buf((u8 *)&o->v0, l0) < l0) { same0 += 2; } - if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; } - - if ( - #if VARIANT < 3 - !(same0 && !same1) && - #endif - #if VARIANT == 4 - (!same2 && same3) - #else - (DICT_ADD_STRATEGY >= same0 + result) - #endif - ) { - - // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); - maybe_add_auto(afl, o->v0, l0); - - } - - if ( - #if VARIANT < 3 - !(!same0 && same1) && - #endif - #if VARIANT == 4 - (same2 && !same3) - #else - (DICT_ADD_STRATEGY >= same1 + result) - #endif - ) { - - // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); - maybe_add_auto(afl, o->v1, l1); - - } - - } - -#endif - rtn_fuzz_next_iter: afl->stage_cur++; -- cgit v1.2.3 From 701997a2a5226c731c15f8d3f512cd8c91df1612 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Wed, 3 Nov 2021 13:33:59 +0100 Subject: fix --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c97080c7..a9c5625f 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1383,7 +1383,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - hshape = 7; // recover shape + hshape = 8; // recover shape } -- cgit v1.2.3 From 3670412d2e6841f2cee26e3624a02c08a24671c8 Mon Sep 17 00:00:00 2001 From: yuan Date: Wed, 3 Nov 2021 23:44:37 +0800 Subject: Fix request size & remove redundant code (#1139) * fix request size * fix null terminator index * remove redundant code --- src/afl-common.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index db19f0a7..26a0d54b 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -217,11 +217,10 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { } - char **new_argv = ck_alloc(sizeof(char *) * (argc + 4)); + char **new_argv = ck_alloc(sizeof(char *) * (argc + 3)); if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); } memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1)); - new_argv[argc + 3] = NULL; new_argv[2] = *target_path_p; new_argv[1] = "--"; @@ -237,11 +236,10 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { - char **new_argv = ck_alloc(sizeof(char *) * (argc + 3)); + char **new_argv = ck_alloc(sizeof(char *) * (argc + 2)); if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); } memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1)); - new_argv[argc + 2] = NULL; new_argv[1] = *target_path_p; -- cgit v1.2.3 
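Review bot: `hshape = 8; // recover shape` restores the operand width from a literal, and this commit only corrects that literal from 7 to 8; saving the width before it is modified, `u8 saved_hshape = hshape;` … `hshape = saved_hshape;`, would make the recovery independent of whatever the earlier code overwrote it with. Where hshape is changed is outside the hunk, so this is inferred from the comment; cmp_extend_encoding continues outside the hunk.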
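Review bot: After this change the NULL terminator of `new_argv` (index `argc + 2` in get_qemu_argv, `argc + 1` in get_wine_argv) is never stored; it is present only because `ck_alloc` presumably returns zeroed memory, which the hunk does not show. The removed stores were past the end of the new allocation sizes, but an explicit `new_argv[argc + 2] = NULL;` / `new_argv[argc + 1] = NULL;` would keep the execv argv contract independent of the allocator and document the layout the `memcpy` relies on. Both functions continue outside the hunk.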
From afc84438c60f7a70464ddc353216e0d9fb0c0b49 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Nov 2021 21:23:03 +0100 Subject: move bitmap and saveauto --- src/afl-fuzz.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6ec033b2..e06060ab 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2226,13 +2226,12 @@ int main(int argc, char **argv_orig, char **envp) { } - write_bitmap(afl); - save_auto(afl); - stop_fuzzing: afl->force_ui_update = 1; // ensure the screen is reprinted show_stats(afl); // print the screen one last time + write_bitmap(afl); + save_auto(afl); SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, afl->stop_soon == 2 ? "programmatically" : "by user"); -- cgit v1.2.3 From 6ce3d7fede6b32b522b6cc4403f7c0101cf4a4bc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 4 Nov 2021 15:53:17 +0100 Subject: add AFL_USE_TSAN --- src/afl-as.c | 1 + src/afl-cc.c | 9 +++++++++ 2 files changed, 10 insertions(+) (limited to 'src') diff --git a/src/afl-as.c b/src/afl-as.c index 7119d630..774340ac 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -521,6 +521,7 @@ static void add_instrumentation(void) { getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : "", getenv("AFL_USE_LSAN") ? ", LSAN" : ""); diff --git a/src/afl-cc.c b/src/afl-cc.c index e7f08aac..3837459b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
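Review bot: The afl-as.c hunk passes a sixth argument, `getenv("AFL_USE_TSAN") ? ", TSAN" : ""`, to a `snprintf` whose format — on the line just above the hunk, visible in the follow-up commit — still has five `%s` conversions, so the LSAN argument is silently dropped from the mode line; the format needs a sixth conversion, `"%s%s%s%s%s%s"`. Building with `-Wformat` treated as an error would have caught the mismatch at compile time. add_instrumentation continues outside the hunk.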
@@ -857,6 +857,14 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=undefined"; cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; + + } + + if (getenv("AFL_USE_TSAN")) { + + cc_params[cc_par_cnt++] = "-fsanitize=thread"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; } @@ -1814,6 +1822,7 @@ int main(int argc, char **argv, char **envp) { " AFL_USE_CFISAN: activate control flow sanitizer\n" " AFL_USE_MSAN: activate memory sanitizer\n" " AFL_USE_UBSAN: activate undefined behaviour sanitizer\n" + " AFL_USE_TSAN: activate thread sanitizer\n" " AFL_USE_LSAN: activate leak-checker sanitizer\n"); if (have_gcc_plugin) -- cgit v1.2.3 From b34bc6c426a53d8ba9c4f472218be80f1cbf79b5 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 4 Nov 2021 16:21:26 +0000 Subject: afl-as: missing one format spec (for tsan perharps) --- src/afl-as.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-as.c b/src/afl-as.c index 774340ac..9af272f2 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -517,7 +517,7 @@ static void add_instrumentation(void) { } else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", -- cgit v1.2.3 From 95067729842c4e3d798dc5fda01138ffb552f494 Mon Sep 17 00:00:00 2001 From: yuawn Date: Fri, 5 Nov 2021 03:09:39 +0000 Subject: unify output format --- src/afl-cc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 3837459b..5f77b097 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
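Review bot: The new `AFL_USE_TSAN` block appends `-fsanitize=thread` unconditionally, but clang rejects ThreadSanitizer combined with AddressSanitizer or MemorySanitizer in one invocation; if the ASAN/MSAN blocks above (outside the hunk) are independent `if`s rather than an else-chain, setting two of these variables yields a compiler error instead of a clear message, so a `FATAL("AFL_USE_TSAN cannot be combined with AFL_USE_ASAN or AFL_USE_MSAN")`-style check would help. The help text line could say the same, `" AFL_USE_TSAN: activate thread sanitizer (not combinable with ASAN/MSAN)\n"`. edit_params continues outside the hunk.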
@@ -2057,7 +2057,7 @@ int main(int argc, char **argv, char **envp) { if ((isatty(2) && !be_quiet) || debug) { SAYF(cCYA - "afl-cc " VERSION cRST + "afl-cc" VERSION cRST " by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: %s-%s\n", compiler_mode_string[compiler_mode], ptr); -- cgit v1.2.3 From 9325a4fcbb8eb4ed1d71f93de5301bf1a9a68253 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Nov 2021 10:28:22 +0100 Subject: http->https --- src/afl-analyze.c | 2 +- src/afl-as.c | 4 ++-- src/afl-cc.c | 2 +- src/afl-common.c | 2 +- src/afl-forkserver.c | 8 ++++---- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-extras.c | 2 +- src/afl-fuzz-init.c | 4 ++-- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-one.c | 2 +- src/afl-fuzz-python.c | 2 +- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-redqueen.c | 2 +- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-state.c | 2 +- src/afl-fuzz-stats.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-gotcpu.c | 2 +- src/afl-ld-lto.c | 2 +- src/afl-performance.c | 2 +- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 24 files changed, 29 insertions(+), 29 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 09b01541..60cb1434 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 A nifty utility that grabs an input file and takes a stab at explaining its structure by observing how changes to it affect the execution path. diff --git a/src/afl-as.c b/src/afl-as.c index 9af272f2..b644b82a 100644 --- a/src/afl-as.c +++ b/src/afl-as.c 
@@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 The sole purpose of this wrapper is to preprocess assembly files generated by GCC / clang and inject the instrumentation bits included from afl-as.h. It @@ -101,7 +101,7 @@ static void edit_params(int argc, char **argv) { /* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work with the code generated by newer versions of clang that are hand-built - by the user. See the thread here: http://goo.gl/HBWDtn. + by the user. See the thread here: https://goo.gl/HBWDtn. To work around this, when using clang and running without AFL_AS specified, we will actually call 'clang -c' instead of 'as -q' to diff --git a/src/afl-cc.c b/src/afl-cc.c index 5f77b097..8ff241ba 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -11,7 +11,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/src/afl-common.c b/src/afl-common.c index 26a0d54b..ec3b2f3f 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Gather some functions common to multiple executables diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 80b295e0..b1769bfb 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
@@ -19,7 +19,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code that implements a forkserver. This is used by the fuzzer as well the other components like afl-tmin. @@ -351,7 +351,7 @@ static void report_error_and_exit(int error) { /* Spins up fork server. The idea is explained here: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html In essence, the instrumentation allows us to skip execve(), and just keep cloning a stopped child. So, we just execute once, and then send commands @@ -917,7 +917,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use http://jwilk.net/software/recidivm to " + " Tip: you can use https://jwilk.net/software/recidivm to " "quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" @@ -1017,7 +1017,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " Tip: you can use https://jwilk.net/software/recidivm to quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 316067e4..f7b59f25 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to 
diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index c2e9c80f..6fc926f0 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -17,7 +17,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code to handle the shared memory. This is used by the fuzzer as well the other components like afl-tmin, afl-showmap, etc... diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 584241d4..0f0fe331 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 1170715f..9262d718 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to @@ -974,7 +974,7 @@ void perform_dry_run(afl_state_t *afl) { MSG_ULIMIT_USAGE " /path/to/binary [...] . + See . This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators. It has excellent (sub-ns) speed, a state (256 bits) that is large diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 22fe5a62..7fb8f821 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c 
@@ -17,7 +17,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code to handle the shared memory. This is used by the fuzzer as well the other components like afl-tmin, afl-showmap, etc... diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3826e385..23ec0df0 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 A very simple tool that runs the targeted binary and displays the contents of the trace bitmap in a human-readable form. Useful in diff --git a/src/afl-tmin.c b/src/afl-tmin.c index ce2a0b8f..8ce4bdd5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 A simple test case minimizer that takes an input file and tries to remove as much data as possible while keeping the binary in a crashing state -- cgit v1.2.3 From 61039b410c98cb971daff5778b1591d0e5cbfd3e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Nov 2021 14:29:16 +0100 Subject: better error report for old qemu/frida cmplog --- src/afl-forkserver.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 93fd19e1..94c90701 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
@@ -347,6 +347,11 @@ static void report_error_and_exit(int error) { "the -c cmplog target was instrumented with an too old afl++ " "version, you need to recompile it."); break; + case FS_ERROR_OLD_CMPLOG_QEMU: + FATAL( + "The AFL++ QEMU/FRIDA loaders are from an older version, for -c you " + "need to recompile it.\n"); + break; default: FATAL("unknown error code %d from fuzzing target!", error); @@ -670,7 +675,15 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_NEWCMPLOG) == 0 && fsrv->cmplog_binary) { - report_error_and_exit(FS_ERROR_OLD_CMPLOG); + if (fsrv->qemu_mode || fsrv->frida_mode) { + + report_error_and_exit(FS_ERROR_OLD_CMPLOG_QEMU); + + } else { + + report_error_and_exit(FS_ERROR_OLD_CMPLOG); + + } } -- cgit v1.2.3 From 64704403ca957886b3ad0b55efebaf29906712b8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Nov 2021 14:54:53 +0100 Subject: better screen update --- src/afl-fuzz-redqueen.c | 70 +++++++++++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 29 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index a9c5625f..4fa62059 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -84,6 +84,8 @@ struct range { }; static u32 hshape; +static u64 screen_update; +static u64 last_update; static struct range *add_range(struct range *ranges, u32 start, u32 end) { @@ -273,7 +275,6 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 start_time = get_cur_time(); #endif - u32 screen_update; u64 orig_hit_cnt, new_hit_cnt, exec_cksum; orig_hit_cnt = afl->queued_paths + afl->unique_crashes; 
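Review bot: The message in the new FS_ERROR_OLD_CMPLOG_QEMU case ends in `\n`, while the neighbouring FS_ERROR_OLD_CMPLOG and default cases in the same switch pass their text without a trailing newline; FATAL appears to add its own line ending, so this case will print an extra blank line. Dropping it, `"need to recompile it.");`, keeps the output uniform. report_error_and_exit starts outside the hunk.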
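Review bot: `screen_update` becomes a zero-initialised file-scope u64 in this hunk, and the colorization loop in a later hunk of the same file (`if (++afl->stage_cur % screen_update == 0)`) divides by it, so any path that reaches colorization before input_to_state_stage assigns it would be a division by zero. From the visible hunks the assignment at the top of input_to_state_stage precedes the colorization call, but nothing in the code enforces that ordering; initialising the variable to the fallback the function already uses, `static u64 screen_update = 100000;`, removes the dependency. The three new `total_execs - last_update > screen_update` checks would likewise fire on every call while the value is zero.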
@@ -282,24 +283,6 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, afl->stage_max = (len << 1); afl->stage_cur = 0; - if (likely(afl->queue_cur->exec_us)) { - - if (likely((100000 / 2) >= afl->queue_cur->exec_us)) { - - screen_update = 100000 / afl->queue_cur->exec_us; - - } else { - - screen_update = 1; - - } - - } else { - - screen_update = 100000; - - } - // in colorization we do not classify counts, hence we have to calculate // the original checksum. if (unlikely(get_exec_checksum(afl, buf, len, &exec_cksum))) { @@ -369,7 +352,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, } - if (++afl->stage_cur % screen_update) { show_stats(afl); }; + if (++afl->stage_cur % screen_update == 0) { show_stats(afl); }; } @@ -780,6 +763,13 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 its_len = MIN(len - idx, taint_len); + if (afl->fsrv.total_execs - last_update > screen_update) { + + show_stats(afl); + last_update = afl->fsrv.total_execs; + + } + // fprintf(stderr, // "Encode: %llx->%llx into %llx(<-%llx) at idx=%u " // "taint_len=%u shape=%u attr=%u\n", @@ -1438,6 +1428,13 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, u32 taint_len, u8 *orig_buf, u8 *buf, u8 *cbuf, u32 len, u8 do_reverse, u8 lvl, u8 *status) { + if (afl->fsrv.total_execs - last_update > screen_update) { + + show_stats(afl); + last_update = afl->fsrv.total_execs; + + } + u8 *ptr = (u8 *)&buf[idx]; u8 *o_ptr = (u8 *)&orig_buf[idx]; u8 *p = (u8 *)&pattern; @@ -1926,6 +1923,13 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, // (void)(changed_val); //#endif + if (afl->fsrv.total_execs - last_update > screen_update) { + + show_stats(afl); + last_update = afl->fsrv.total_execs; + + } + u8 *pattern, *repl, *o_pattern, *changed_val; u8 l0, l1, ol0, ol1; 
@@ -2600,6 +2604,23 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } struct tainted *taint = NULL; + if (likely(afl->queue_cur->exec_us)) { + + if (likely((100000 / 2) >= afl->queue_cur->exec_us)) { + + screen_update = 100000 / afl->queue_cur->exec_us; + + } else { + + screen_update = 1; + + } + + } else { + + screen_update = 100000; + + } if (!afl->queue_cur->taint || !afl->queue_cur->cmplog_colorinput) { @@ -2700,8 +2721,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { u64 orig_hit_cnt, new_hit_cnt; u64 orig_execs = afl->fsrv.total_execs; orig_hit_cnt = afl->queued_paths + afl->unique_crashes; - u64 screen_update = 100000 / afl->queue_cur->exec_us, - execs = afl->fsrv.total_execs; afl->stage_name = "input-to-state"; afl->stage_short = "its"; @@ -2783,13 +2802,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } - if (afl->fsrv.total_execs - execs > screen_update) { - - execs = afl->fsrv.total_execs; - show_stats(afl); - - } - } r = 0; -- cgit v1.2.3 From 2ddbaa439ca78b0ae8cc6691d9657f5783b2d5e8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Nov 2021 16:22:38 +0100 Subject: 30% faster hashing speed --- src/afl-performance.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-performance.c b/src/afl-performance.c index 89b170eb..ff8dfeb6 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -90,7 +90,8 @@ inline u32 hash32(u8 *key, u32 len, u32 seed) { #endif - return (u32)XXH64(key, len, seed); + (void)seed; + return (u32)XXH3_64bits(key, len); } @@ -102,7 +103,8 @@ inline u64 hash64(u8 *key, u32 len, u64 seed) { #endif - return XXH64(key, len, seed); + (void)seed; + return XXH3_64bits(key, len); } -- cgit v1.2.3 From 92c91f25f0abc2eb4b8eccbe9b89f433a08eeaba Mon Sep 17 00:00:00 2001 
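Review bot: hash32 and hash64 now discard `seed` (`(void)seed;`) and call the unseeded `XXH3_64bits`, so two callers hashing the same bytes with different seeds obtain identical values; the signatures are unchanged, so nothing at the call sites (outside the hunk) flags this. If any caller still relies on the seed, `XXH3_64bits_withSeed(key, len, seed)` keeps the seeded semantics at XXH3 speed; if none does, a header comment, `/* seed is ignored: XXH3 is used unseeded for speed */`, should say so above both functions.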
From: tl455047 Date: Sun, 7 Nov 2021 20:28:03 +0800 Subject: Fix index of cmp_map->log[key]. --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index f6a7f3e6..a1d6e021 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1669,7 +1669,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, for (j = 0; j < i; ++j) { if (afl->shm.cmp_map->log[key][j].v0 == o->v0 && - afl->shm.cmp_map->log[key][i].v1 == o->v1) { + afl->shm.cmp_map->log[key][j].v1 == o->v1) { goto cmp_fuzz_next_iter; -- cgit v1.2.3 From 93852a23128d24ebb15e3afdbeee07f8664da4ec Mon Sep 17 00:00:00 2001 From: tl455047 Date: Sun, 7 Nov 2021 20:56:40 +0800 Subject: code-format --- src/afl-forkserver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b1769bfb..44b6c6f9 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1017,7 +1017,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use https://jwilk.net/software/recidivm to quickly\n" + " Tip: you can use https://jwilk.net/software/recidivm to " + "quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" -- cgit v1.2.3 From 75821d2943ee207a6d862440ac1c466b96a52861 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 9 Nov 2021 14:37:14 +0100 Subject: fix afl- tools for new frida --- src/afl-analyze.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 60cb1434..d52a6d6e 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c 
@@ -995,7 +995,7 @@ int main(int argc, char **argv_orig, char **envp) { frida_mode = 1; fsrv.frida_mode = frida_mode; - setenv("AFL_FRIDA_INST_SEED", "0x0", 1); + setenv("AFL_FRIDA_INST_SEED", "1", 1); break; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 23ec0df0..6c06c476 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1056,7 +1056,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } fsrv->frida_mode = true; - setenv("AFL_FRIDA_INST_SEED", "0x0", 1); + setenv("AFL_FRIDA_INST_SEED", "1", 1); break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 8ce4bdd5..3f6f14f9 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1038,7 +1038,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } fsrv->frida_mode = 1; - setenv("AFL_FRIDA_INST_SEED", "0x0", 1); + setenv("AFL_FRIDA_INST_SEED", "1", 1); break; -- cgit v1.2.3 From 9100f3c416707d926fc100d4441cf32bb1da6dd6 Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Tue, 22 Jun 2021 05:34:20 +0000 Subject: Add initial CoreSight mode support The original code is: https://github.com/RICSecLab/AFLplusplus-cs/tree/retrage/coresight-mode-pr Signed-off-by: Akira Moroo --- src/afl-analyze.c | 18 +++++++++++++++++- src/afl-common.c | 29 +++++++++++++++++++++++++++++ src/afl-fuzz-init.c | 5 +++-- src/afl-fuzz-stats.c | 9 ++++++--- src/afl-fuzz.c | 28 +++++++++++++++++++++++----- src/afl-showmap.c | 22 ++++++++++++++++++++-- src/afl-tmin.c | 16 +++++++++++++++- 7 files changed, 113 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index d52a6d6e..c8b82428 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c 
@@ -77,6 +77,7 @@ static volatile u8 stop_soon; /* Ctrl-C pressed? */ static u8 *target_path; static u8 frida_mode; static u8 qemu_mode; +static u8 cs_mode; static u32 map_size = MAP_SIZE; static afl_forkserver_t fsrv = {0}; /* The forkserver */ @@ -790,6 +791,8 @@ static void set_up_environment(char **argv) { } else { + /* CoreSight mode uses the default behavior. */ + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); @@ -845,6 +848,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" + " -A - use binary-only instrumentation (CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" @@ -890,7 +894,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_init(&fsrv); - while ((opt = getopt(argc, argv, "+i:f:m:t:eOQUWh")) > 0) { + while ((opt = getopt(argc, argv, "+i:f:m:t:eAOQUWh")) > 0) { switch (opt) { @@ -989,6 +993,14 @@ int main(int argc, char **argv_orig, char **envp) { break; + case 'A': /* CoreSight mode */ + + if (cs_mode) { FATAL("Multiple -A options not supported"); } + + cs_mode = 1; + fsrv.cs_mode = cs_mode; + break; + case 'O': /* FRIDA mode */ if (frida_mode) { FATAL("Multiple -O options not supported"); } @@ -1080,6 +1092,10 @@ int main(int argc, char **argv_orig, char **envp) { } + } else if (cs_mode) { + + use_argv = get_cs_argv(argv[0], &target_path, argc - optind, argv + optind); + } else { use_argv = argv + optind; diff --git a/src/afl-common.c b/src/afl-common.c index ec3b2f3f..6c2d0753 100644 --- a/src/afl-common.c +++ b/src/afl-common.c 
@@ -204,6 +204,35 @@ void argv_cpy_free(char **argv) { } +/* Rewrite argv for CoreSight process tracer. */ + +char **get_cs_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { + + if (unlikely(getenv("AFL_CS_CUSTOM_BIN"))) { + + WARNF( + "AFL_CS_CUSTOM_BIN is enabled. " + "You must run your target under afl-cs-proxy on your own!"); + return argv; + + } + + char **new_argv = ck_alloc(sizeof(char *) * (argc + 4)); + if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); } + + memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1)); + new_argv[argc + 3] = NULL; + + new_argv[2] = *target_path_p; + new_argv[1] = "--"; + + /* Now we need to actually find the cs-proxy binary to put in argv[0]. */ + + *target_path_p = new_argv[0] = find_afl_binary(own_loc, "afl-cs-proxy"); + return new_argv; + +} + /* Rewrite argv for QEMU. */ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9262d718..e5a4d3d1 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2645,6 +2645,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode || (afl->fsrv.qemu_mode && getenv("AFL_QEMU_CUSTOM_BIN")) || + (afl->fsrv.cs_mode && getenv("AFL_CS_CUSTOM_BIN")) || afl->non_instrumented_mode) { return; @@ -2721,7 +2722,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode && - !afl->non_instrumented_mode && + !afl->fsrv.cs_mode && !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST 
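Review bot: In the new get_cs_argv the copy size `(int)(sizeof(char *)) * (argc - 1)` is evaluated in signed int, so for argc == 0 it is negative and converts to a huge size_t inside memcpy. The callers pass `argc - optind`, which has presumably been checked to be at least 1 (the target path) before this point, but the function does not guard it itself; `if (argc < 1) { FATAL("no target binary specified"); }` before the allocation and `sizeof(char *) * (size_t)(argc - 1)` for the size make it self-contained. The `FATAL("Illegal amount of arguments specified")` after ck_alloc also reports an allocation failure with an argument-count message; this looks copied from get_qemu_argv, whose body is not visible here, so the same note may apply there.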
@@ -2752,7 +2753,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if ((afl->fsrv.qemu_mode || afl->fsrv.frida_mode) && + if ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode) && memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 808bf258..426580d2 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -285,7 +285,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, "afl_banner : %s\n" "afl_version : " VERSION "\n" - "target_mode : %s%s%s%s%s%s%s%s%s\n" + "target_mode : %s%s%s%s%s%s%s%s%s%s\n" "command_line : %s\n", (afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000, (afl->prev_run_time + cur_time - afl->start_time) / 1000, @@ -321,12 +321,13 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", + afl->fsrv.cs_mode ? "coresight" : "", afl->non_instrumented_mode ? " non_instrumented " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || + (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode || afl->persistent_mode || afl->deferred_mode) ? "" @@ -1238,7 +1239,9 @@ void show_init_stats(afl_state_t *afl) { // SAYF("\n"); - if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) { + if (avg_us > ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->unicorn_mode) + ? 50000 + : 10000)) { WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.md.", doc_path); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c08b8fbb..99eebfaa 100644 
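Review bot: The new target_mode entry `afl->fsrv.cs_mode ? "coresight" : ""` in write_stats_file has no trailing space, while the sibling entries in the same list (`"qemu "`, `"no_fsrv "`, `"crash "`, `"persistent "`) use one as the separator, so a CoreSight run combined with another flag prints the words run together in the stats file. `"coresight "` matches the convention. The pre-existing `"unicorn"` entry has the same shortcoming, but it is not part of this change.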
--- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -113,6 +113,7 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" + " -A - use binary-only instrumentation (CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" @@ -434,7 +435,8 @@ int main(int argc, char **argv_orig, char **envp) { while ((opt = getopt( argc, argv, - "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > 0) { + "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > + 0) { switch (opt) { @@ -825,6 +827,13 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_banner = optarg; break; + case 'A': /* CoreSight mode */ + + if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } + afl->fsrv.cs_mode = 1; + + break; + case 'O': /* FRIDA mode */ if (afl->fsrv.frida_mode) { @@ -1212,6 +1221,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); } if (afl->fsrv.frida_mode) { FATAL("-O and -n are mutually exclusive"); } if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); } + if (afl->fsrv.cs_mode) { FATAL("-A and -n are mutually exclusive"); } if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); } } @@ -1458,6 +1468,8 @@ int main(int argc, char **argv_orig, char **envp) { } else { + /* CoreSight mode uses the default behavior. */ + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); @@ -1651,7 +1663,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && + if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode && !afl->non_instrumented_mode) { check_binary(afl, afl->cmplog_binary); 
@@ -1697,6 +1709,11 @@ int main(int argc, char **argv_orig, char **envp) { } + } else if (afl->fsrv.cs_mode) { + + use_argv = get_cs_argv(argv[0], &afl->fsrv.target_path, argc - optind, + argv + optind); + } else { use_argv = argv + optind; @@ -1704,7 +1721,7 @@ int main(int argc, char **argv_orig, char **envp) { } if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || - afl->fsrv.frida_mode || afl->unicorn_mode) { + afl->fsrv.frida_mode || afl->fsrv.cs_mode || afl->unicorn_mode) { map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE; afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size); @@ -1724,7 +1741,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode && - !afl->unicorn_mode && !afl->fsrv.frida_mode && + !afl->unicorn_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode && !afl->afl_env.afl_skip_bin_check) { if (map_size <= DEFAULT_SHMEM_SIZE) { @@ -1777,6 +1794,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv); // TODO: this is semi-nice afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits; + afl->cmplog_fsrv.cs_mode = afl->fsrv.cs_mode; afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode; afl->cmplog_fsrv.frida_mode = afl->fsrv.frida_mode; afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; @@ -1785,7 +1803,7 @@ int main(int argc, char **argv_orig, char **envp) { if ((map_size <= DEFAULT_SHMEM_SIZE || afl->cmplog_fsrv.map_size < map_size) && !afl->non_instrumented_mode && !afl->fsrv.qemu_mode && - !afl->fsrv.frida_mode && !afl->unicorn_mode && + !afl->fsrv.frida_mode && !afl->unicorn_mode && !afl->fsrv.cs_mode && !afl->afl_env.afl_skip_bin_check) { afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6c06c476..daaed767 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
@@ -690,6 +690,8 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { } else { + /* CoreSight mode uses the default behavior. */ + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); @@ -843,6 +845,7 @@ static void usage(u8 *argv0) { " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%u MB)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" + " -P - use binary-only instrumentation (CoreSight mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use Unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n" @@ -917,7 +920,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_QUIET") != NULL) { be_quiet = true; } - while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOQUWbcrsh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOPQUWbcrsh")) > 0) { switch (opt) { @@ -1060,6 +1063,15 @@ int main(int argc, char **argv_orig, char **envp) { break; + /* FIXME: We want to use -P for consistency, but it is already unsed for + * undocumenetd feature "Another afl-cmin specific feature." */ + case 'P': /* CoreSight mode */ + + if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } + + fsrv->cs_mode = true; + break; + case 'Q': if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } @@ -1124,6 +1136,7 @@ int main(int argc, char **argv_orig, char **envp) { } + if (fsrv->cs_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT; } if (fsrv->qemu_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; } if (unicorn_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; } @@ -1204,6 +1217,11 @@ int main(int argc, char **argv_orig, char **envp) { } + } else if (fsrv->cs_mode) { + + use_argv = + get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); + } else { use_argv = argv + optind; 
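Review bot: The FIXME above the new `case 'P'` in afl-showmap says the tool "wants to use -P for consistency", but the other tools in this commit take `-A` and the getopt string changed in the same file already reserves `A:` for something else, so the letter in the comment is presumably wrong; it also misspells "unsed" and "undocumenetd". Suggested text: `/* FIXME: we want to use -A for consistency with the other tools, but -A is already used for the undocumented "Another afl-cmin specific feature". */`.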
@@ -1230,7 +1248,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->shmem_fuzz_len = (u32 *)map; fsrv->shmem_fuzz = map + sizeof(u32); - if (!fsrv->qemu_mode && !unicorn_mode) { + if (!fsrv->cs_mode && !fsrv->qemu_mode && !unicorn_mode) { u32 save_be_quiet = be_quiet; be_quiet = !debug; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 3f6f14f9..212b6251 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -808,6 +808,8 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) { } else { + /* CoreSight mode uses the default behavior. */ + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); @@ -921,7 +923,7 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n"); - while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeOQUWHh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeAOQUWHh")) > 0) { switch (opt) { @@ -1033,6 +1035,13 @@ int main(int argc, char **argv_orig, char **envp) { break; + case 'A': /* CoreSight mode */ + + if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } + + fsrv->cs_mode = 1; + break; + case 'O': /* FRIDA mode */ if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } @@ -1152,6 +1161,11 @@ int main(int argc, char **argv_orig, char **envp) { } + } else if (fsrv->cs_mode) { + + use_argv = + get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); + } else { use_argv = argv + optind; -- cgit v1.2.3 From d63d69a1f66e00f453e358662527fbd78361147d Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Fri, 12 Nov 2021 05:33:40 +0000 Subject: Clarify usage message for ARM CoreSight mode REF: https://github.com/AFLplusplus/AFLplusplus/pull/1156#issuecomment-966196217 Signed-off-by: Akira Moroo --- src/afl-analyze.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) (limited to 'src') 
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index c8b82428..4872c60d 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -848,7 +848,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" - " -A - use binary-only instrumentation (CoreSight mode)\n" + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 99eebfaa..6538e0a0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -113,7 +113,7 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" - " -A - use binary-only instrumentation (CoreSight mode)\n" + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" diff --git a/src/afl-showmap.c b/src/afl-showmap.c index daaed767..4c207d62 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -845,7 +845,7 @@ static void usage(u8 *argv0) { " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%u MB)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" - " -P - use binary-only instrumentation (CoreSight mode)\n" + " -P - use binary-only instrumentation (ARM CoreSight mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use Unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 212b6251..42883404 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
@@ -866,6 +866,7 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" " -O - use binary-only instrumentation (FRIDA mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" -- cgit v1.2.3 From cf0fd0ff3342fe1b9a028dca95b750f730e2afd6 Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Fri, 12 Nov 2021 05:34:39 +0000 Subject: Remove unnecessary mem_limit in afl-showmap Signed-off-by: Akira Moroo --- src/afl-showmap.c | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 4c207d62..57737562 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1136,7 +1136,6 @@ int main(int argc, char **argv_orig, char **envp) { } - if (fsrv->cs_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT; } if (fsrv->qemu_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; } if (unicorn_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; } -- cgit v1.2.3 From c2feee4ed1b35cc590e2beaa595d710b09e1427c Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Fri, 12 Nov 2021 06:01:19 +0000 Subject: Add platform check for `-A` CoreSight mode REF: https://github.com/AFLplusplus/AFLplusplus/pull/1156#discussion_r747454306 Signed-off-by: Akira Moroo --- src/afl-analyze.c | 6 ++++++ src/afl-fuzz.c | 7 +++++++ src/afl-showmap.c | 6 ++++++ src/afl-tmin.c | 6 ++++++ 4 files changed, 25 insertions(+) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 4872c60d..6e1a9e7b 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c 
@@ -997,6 +997,12 @@ int main(int argc, char **argv_orig, char **envp) { if (cs_mode) { FATAL("Multiple -A options not supported"); } + if (!(__aarch64__ && __linux__)) { + + FATAL("-A option is not supported on this platform"); + + } + cs_mode = 1; fsrv.cs_mode = cs_mode; break; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6538e0a0..e6d9508b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -830,6 +830,13 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } + + if (!(__aarch64__ && __linux__)) { + + FATAL("-A option is not supported on this platform"); + + } + afl->fsrv.cs_mode = 1; break; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 57737562..0e7d9df6 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1069,6 +1069,12 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } + if (!(__aarch64__ && __linux__)) { + + FATAL("-P option is not supported on this platform"); + + } + fsrv->cs_mode = true; break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 42883404..110beed5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1040,6 +1040,12 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } + if (!(__aarch64__ && __linux__)) { + + FATAL("-A option is not supported on this platform"); + + } + fsrv->cs_mode = 1; break; -- cgit v1.2.3 From feff8191ecbde9bb039e2311440f47e8f0325413 Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Mon, 15 Nov 2021 01:57:36 +0000 Subject: Fix platform check for `-A` CoreSight mode Signed-off-by: Akira Moroo --- src/afl-analyze.c | 10 ++++------ src/afl-fuzz.c | 10 ++++------ src/afl-showmap.c | 10 ++++------ src/afl-tmin.c | 10 ++++------ 4 files changed, 16 insertions(+), 24 deletions(-) (limited to 'src') 
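Review bot: The new guard `if (!(__aarch64__ && __linux__))` is an ordinary C expression, not a preprocessor test, so on any host where `__aarch64__` (or `__linux__`) is not predefined the token is an undeclared identifier and the translation unit no longer compiles; it only passes on aarch64 Linux, where both macros expand to 1. The same construct is repeated in the afl-fuzz.c, afl-showmap.c and afl-tmin.c hunks below. The check should be done by the preprocessor instead: `#if !defined(__aarch64__) || !defined(__linux__)` / `FATAL("-A option is not supported on this platform");` / `#endif`. The enclosing `main()` option loop starts and ends outside the hunk.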
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 6e1a9e7b..bc562c15 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -995,13 +995,11 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ - if (cs_mode) { FATAL("Multiple -A options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-A option is not supported on this platform"); +#if !defined(__aarch64__) || !defined(__linux__) + FATAL("-A option is not supported on this platform"); +#endif - } + if (cs_mode) { FATAL("Multiple -A options not supported"); } cs_mode = 1; fsrv.cs_mode = cs_mode; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e6d9508b..44363c2b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -829,13 +829,11 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ - if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-A option is not supported on this platform"); + #if !defined(__aarch64__) || !defined(__linux__) + FATAL("-A option is not supported on this platform"); + #endif - } + if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } afl->fsrv.cs_mode = 1; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 0e7d9df6..899baaa0 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1067,13 +1067,11 @@ int main(int argc, char **argv_orig, char **envp) { * undocumenetd feature "Another afl-cmin specific feature." */ case 'P': /* CoreSight mode */ - if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-P option is not supported on this platform"); +#if !defined(__aarch64__) || !defined(__linux__) + FATAL("-P option is not supported on this platform"); +#endif - } + if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } fsrv->cs_mode = true; break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 110beed5..22383a4e 100644 
--- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1038,13 +1038,11 @@ int main(int argc, char **argv_orig, char **envp) { case 'A': /* CoreSight mode */ - if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } - - if (!(__aarch64__ && __linux__)) { - - FATAL("-A option is not supported on this platform"); +#if !defined(__aarch64__) || !defined(__linux__) + FATAL("-A option is not supported on this platform"); +#endif - } + if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } fsrv->cs_mode = 1; break; -- cgit v1.2.3 From d4a0fd41cd29b5862cac0b99b96b2afc67e33c7d Mon Sep 17 00:00:00 2001 From: Akira Moroo Date: Mon, 15 Nov 2021 02:15:58 +0000 Subject: Check `-M` / `-S` is not specified with `-A` Signed-off-by: Akira Moroo --- src/afl-fuzz.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 44363c2b..dfd62db8 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -565,6 +565,12 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->fsrv.cs_mode) { + + FATAL("-M is not supported in ARM CoreSight mode"); + + } + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } /* sanity check for argument: should not begin with '-' (possible @@ -611,6 +617,12 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->fsrv.cs_mode) { + + FATAL("-S is not supported in ARM CoreSight mode"); + + } + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } /* sanity check for argument: should not begin with '-' (possible @@ -833,6 +845,12 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("-A option is not supported on this platform"); #endif + if (afl->is_main_node || afl->is_secondary_node) { + + FATAL("ARM CoreSight mode is not supported with -M / -S"); + + } + if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); } afl->fsrv.cs_mode = 1; -- cgit v1.2.3 
From 268339a683aab00f8487eac1ca31ef5d6c6abc4b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 16 Nov 2021 11:03:53 +0100 Subject: showmap -A -> -H, accurate help output --- src/afl-analyze.c | 7 ++++++- src/afl-fuzz-bitmap.c | 6 ++---- src/afl-fuzz.c | 7 ++++++- src/afl-showmap.c | 19 ++++++++++++------- src/afl-tmin.c | 7 ++++++- 5 files changed, 32 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index bc562c15..ac5a324c 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -848,12 +848,17 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" +#if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n\n" + "mode)\n" +#endif + "\n" "Analysis settings:\n" diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index f7b59f25..a204e374 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -452,14 +452,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(len == 0)) { return 0; } + u8 fn[PATH_MAX]; u8 *queue_fn = ""; - u8 new_bits = '\0'; + u8 new_bits = 0, keeping = 0, res, classified = 0; s32 fd; - u8 keeping = 0, res, classified = 0; u64 cksum = 0; - u8 fn[PATH_MAX]; - /* Update path frequency. */ /* Generating a hash on every input is super expensive. Bad idea and should diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index dfd62db8..195366bd 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -113,12 +113,17 @@ static void usage(u8 *argv0, int more_help) { "maximum.\n" " -m megs - memory limit for child process (%u MB, 0 = no limit " "[default])\n" +#if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n\n" + "mode)\n" +#endif + "\n" "Mutator settings:\n" " -D - enable deterministic fuzzing (once per queue entry)\n" diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 899baaa0..0ba265ab 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -844,13 +844,18 @@ static void usage(u8 *argv0) { "Execution control settings:\n" " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%u MB)\n" +#if defined(__linux__) && defined(__aarch64__) + " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" - " -P - use binary-only instrumentation (ARM CoreSight mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use Unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n" " (Not necessary, here for consistency with other afl-* " - "tools)\n\n" + "tools)\n" +#endif + "\n" "Other settings:\n" " -i dir - process all files below this directory, must be combined " "with -o.\n" @@ -920,7 +925,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_QUIET") != NULL) { be_quiet = true; } - while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOPQUWbcrsh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOHQUWbcrsh")) > 0) { switch (opt) { 
@@ -1049,7 +1054,7 @@ int main(int argc, char **argv_orig, char **envp) { quiet_mode = true; break; - case 'A': + case 'H': /* Another afl-cmin specific feature. */ at_file = optarg; break; @@ -1065,13 +1070,13 @@ int main(int argc, char **argv_orig, char **envp) { /* FIXME: We want to use -P for consistency, but it is already unsed for * undocumenetd feature "Another afl-cmin specific feature." */ - case 'P': /* CoreSight mode */ + case 'A': /* CoreSight mode */ #if !defined(__aarch64__) || !defined(__linux__) - FATAL("-P option is not supported on this platform"); + FATAL("-A option is not supported on this platform"); #endif - if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); } + if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } fsrv->cs_mode = true; break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 22383a4e..89546c45 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -866,14 +866,19 @@ static void usage(u8 *argv0) { " -f file - input file read by the tested program (stdin)\n" " -t msec - timeout for each run (%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" +#if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" +#endif " -O - use binary-only instrumentation (FRIDA mode)\n" +#if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " "mode)\n" " (Not necessary, here for consistency with other afl-* " - "tools)\n\n" + "tools)\n" +#endif + "\n" "Minimization settings:\n" -- cgit v1.2.3 From 1a8d3f82f289d248aa70ce6877b66c7387f77fc9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 16 Nov 2021 13:01:02 +0100 Subject: fix afl-showmap --- src/afl-showmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 0ba265ab..236553ce 100644 
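Review bot: The `/* FIXME: We want to use -P for consistency, but it is already unsed for undocumenetd feature ... */` comment above `case 'A':` in the afl-showmap.c hunk is now stale: this commit gives CoreSight the `-A` letter that the other afl-* tools use and moves the afl-cmin at_file option to `-H`, so there is nothing left to fix (and "unsed"/"undocumenetd" are typos). Replace it with a comment that records the outcome, e.g. `/* CoreSight mode is -A here, consistent with afl-fuzz/afl-tmin/afl-analyze; the afl-cmin "at file" option moved to -H. */`. The option-parsing loop this belongs to starts and ends outside the hunk.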
--- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -925,7 +925,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_QUIET") != NULL) { be_quiet = true; } - while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOHQUWbcrsh")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:t:AeqCZOH:QUWbcrsh")) > 0) { switch (opt) { -- cgit v1.2.3 From 6f5ba59d99056fabace9a4f1ef8f7706ad3b9386 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 23 Nov 2021 19:18:26 +0100 Subject: further fixes for new pass manager --- src/afl-cc.c | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 58d978ea..ca413417 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -462,7 +462,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */ +#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); @@ -473,6 +473,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path); #endif + } } @@ -487,10 +488,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_VERSION_MAJOR >= 7 /* use new pass manager */ +#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/compare-transform-pass.so", obj_path); + cc_params[cc_par_cnt++] = alloc_printf( + "-fpass-plugin=%s/compare-transform-pass.so", obj_path); #else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; 
@@ -513,7 +514,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 7 +#if LLVM_MAJOR >= 11 cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path); @@ -554,7 +555,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("%s/cmplog-switches-pass.so", obj_path); // reuse split switches from laf -#if LLVM_MAJOR >= 7 +#if LLVM_MAJOR >= 11 cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); @@ -590,15 +591,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { free(ld_path); cc_params[cc_par_cnt++] = "-Wl,--allow-multiple-definition"; - - if (instrument_mode == INSTRUMENT_CFG || - instrument_mode == INSTRUMENT_PCGUARD) - cc_params[cc_par_cnt++] = alloc_printf( - "-Wl,-mllvm=-load=%s/SanitizerCoverageLTO.so", obj_path); - else - - cc_params[cc_par_cnt++] = alloc_printf( - "-Wl,-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("-Wl,-mllvm=-load=%s/SanitizerCoverageLTO.so", obj_path); cc_params[cc_par_cnt++] = lto_flag; } else { @@ -654,15 +648,17 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 7 +#if LLVM_MAJOR >= 11 cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path); + cc_params[cc_par_cnt++] = + alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path); #else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); #endif + } } -- cgit v1.2.3 From 1fbb7cb2fa0ad10c09f8515124989d119558121d Mon Sep 17 00:00:00 2001 
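Review bot: In the LTO hunk (@@ -590) the `instrument_mode == INSTRUMENT_CFG || INSTRUMENT_PCGUARD` branch is collapsed so `SanitizerCoverageLTO.so` is now loaded unconditionally and the `afl-llvm-lto-instrumentation.so` path is gone, but the commit message ("further fixes for new pass manager") does not say this is intended. If a classic LTO instrumentation mode can still be selected by the caller (not visible here), a user asking for it would silently get the SanitizerCoverage pass instead; either reject that combination with a FATAL before this point or document the decision, e.g. `/* LTO always uses SanitizerCoverageLTO.so; the legacy afl-llvm-lto-instrumentation.so pass is no longer shipped */`. The enclosing `edit_params()` starts and ends outside the hunk.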
From: hexcoder- Date: Tue, 23 Nov 2021 21:07:11 +0100 Subject: fix switch to new pass manager --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index ca413417..9173fc4b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -462,7 +462,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ +#if LLVM_MAJOR >= 11 /* use new pass manager */ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); @@ -488,7 +488,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ +#if LLVM_MAJOR >= 11 /* use new pass manager */ cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; cc_params[cc_par_cnt++] = alloc_printf( "-fpass-plugin=%s/compare-transform-pass.so", obj_path); -- cgit v1.2.3 From 91f1c17c8f00a40d3e975b0a6e8c98677acef4a3 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 24 Nov 2021 00:05:15 +0100 Subject: transform cmplog-instructions pass to new pass manager --- src/afl-cc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 9173fc4b..c70f193c 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -573,10 +573,6 @@ static void edit_params(u32 argc, char **argv, char **envp) { } -#if LLVM_MAJOR >= 13 - // fuck you llvm 13 - cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; -#endif if (lto_mode && !have_c) { @@ -616,6 +612,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { + cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; 
@@ -674,11 +671,17 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { +#if LLVM_MAJOR >= 11 + cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; + cc_params[cc_par_cnt++] = + alloc_printf("-fpass-plugin=%s/cmplog-instructions-pass.so", obj_path); +#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-instructions-pass.so", obj_path); +#endif cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; -- cgit v1.2.3 From 55ed2a443c5c61baba37415d4087164454d8a2a8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 26 Nov 2021 15:30:46 +0100 Subject: remove new llvm pass manager :( --- src/afl-cc.c | 42 ++++-------------------------------------- 1 file changed, 4 insertions(+), 38 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index c70f193c..9c6e9b3e 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -462,17 +462,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 /* use new pass manager */ - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path); -#endif } 
@@ -488,17 +482,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 /* use new pass manager */ - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = alloc_printf( - "-fpass-plugin=%s/compare-transform-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/compare-transform-pass.so", obj_path); -#endif } @@ -514,18 +502,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path); -// cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-compares-pass.so", obj_path); -#endif } @@ -555,17 +536,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("%s/cmplog-switches-pass.so", obj_path); // reuse split switches from laf -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path); -#endif } @@ -573,6 +548,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } +#if LLVM_MAJOR >= 13 + // fuck you llvm 13 + cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; +#endif if (lto_mode && !have_c) { 
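Review bot: The re-added `#if LLVM_MAJOR >= 13` block (@@ -573) is commented only with `// fuck you llvm 13`, which tells the next maintainer nothing about why `-fno-experimental-new-pass-manager` is required or when it can be dropped. A why-comment would do the job, e.g. `/* LLVM 13 defaults to the new pass manager, which does not run the legacy -Xclang -load plugins used below; force the legacy PM until the passes are ported. */` — phrased as the project's understanding, since the reason is not visible in this diff. The enclosing `edit_params()` starts and ends outside the hunk.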
@@ -612,7 +591,6 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { - cc_params[cc_par_cnt++] = "-fno-experimental-new-pass-manager"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; @@ -645,16 +623,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); -#endif } @@ -671,17 +643,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/cmplog-instructions-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-instructions-pass.so", obj_path); -#endif cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; -- cgit v1.2.3 From 655b63d2b289035c951dad744f1aa68aa61d0f50 Mon Sep 17 00:00:00 2001 From: eternalsakura Date: Sun, 28 Nov 2021 22:28:38 +0800 Subject: [fix] Custom mutator does not implement all three trim APIs, standard trimming will be used, but now the actual implementation does not match the description, fix this problem --- src/afl-fuzz-mutators.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 5332b9fe..c1d3a683 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
@@ -255,6 +255,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); if (!mutator->afl_custom_init_trim) { + notrim = 1; ACTF("optional symbol 'afl_custom_init_trim' not found."); } @@ -263,6 +264,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); if (!mutator->afl_custom_trim) { + notrim = 1; ACTF("optional symbol 'afl_custom_trim' not found."); } @@ -271,6 +273,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); if (!mutator->afl_custom_post_trim) { + notrim = 1; ACTF("optional symbol 'afl_custom_post_trim' not found."); } -- cgit v1.2.3 From 22827e807035a50394bac6a37406b19109fc655f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 1 Dec 2021 11:38:55 +0100 Subject: unify LLVM_VERSION_... usage --- src/afl-cc.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 9c6e9b3e..6bdb9572 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -574,7 +574,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (instrument_mode == INSTRUMENT_PCGUARD) { -#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0) +#if LLVM_MAJOR >= 11 || (LLVM_MAJOR == 10 && LLVM_MINOR >= 1) #if defined __ANDROID__ || ANDROID cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; instrument_mode = INSTRUMENT_LLVMNATIVE; @@ -1167,7 +1167,7 @@ int main(int argc, char **argv, char **envp) { } -#if (LLVM_MAJOR > 2) +#if (LLVM_MAJOR >= 3) if ((ptr = find_object("SanitizerCoverageLTO.so", argv[0])) != NULL) { @@ -1196,7 +1196,7 @@ int main(int argc, char **argv, char **envp) { } -#if (LLVM_MAJOR > 2) +#if (LLVM_MAJOR >= 3) if (strncmp(callname, "afl-clang-fast", 14) == 0) { 
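Review bot: Setting `notrim = 1` whenever one of the three trim symbols is missing is the right signal, but the two function pointers that were found stay populated in `mutator`, so any caller that tests `mutator->afl_custom_trim` (or the others) directly rather than the `notrim` flag could still invoke a partial trim API; `notrim` is declared and consumed outside this hunk, so I cannot confirm which check the callers use. If they test the pointers, null all three after the lookups, e.g. `if (notrim) { mutator->afl_custom_init_trim = NULL; mutator->afl_custom_trim = NULL; mutator->afl_custom_post_trim = NULL; }`, and consider a `WARNF` when only some of the three are defined, since that is almost certainly a mistake in the mutator rather than an intentional opt-out. `load_custom_mutator()` starts and ends outside the hunk.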
@@ -1724,8 +1724,8 @@ int main(int argc, char **argv, char **envp) { compiler_mode == LTO ? " [SELECTED]" : "", have_llvm ? "AVAILABLE" : "unavailable!", compiler_mode == LLVM ? " [SELECTED]" : "", - LLVM_MAJOR > 6 ? "DEFAULT" : " ", - LLVM_MAJOR > 6 ? " " : "DEFAULT", + LLVM_MAJOR >= 7 ? "DEFAULT" : " ", + LLVM_MAJOR >= 7 ? " " : "DEFAULT", have_gcc_plugin ? "AVAILABLE" : "unavailable!", compiler_mode == GCC_PLUGIN ? " [SELECTED]" : "", have_gcc ? "AVAILABLE" : "unavailable!", @@ -1826,12 +1826,12 @@ int main(int argc, char **argv, char **envp) { " AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by " "filename\n"); -#if LLVM_MAJOR < 9 +#if LLVM_MAJOR >= 9 #define COUNTER_BEHAVIOUR \ - " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" + " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" #else #define COUNTER_BEHAVIOUR \ - " AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n" + " AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" #endif if (have_llvm) SAYF( @@ -1905,7 +1905,7 @@ int main(int argc, char **argv, char **envp) { "consult the README.md, especially section 3.1 about instrumenting " "targets.\n\n"); -#if (LLVM_MAJOR > 2) +#if (LLVM_MAJOR >= 3) if (have_lto) SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO); if (have_llvm) @@ -1967,9 +1967,7 @@ int main(int argc, char **argv, char **envp) { if (instrument_mode == 0 && compiler_mode < GCC_PLUGIN) { -#if LLVM_MAJOR <= 6 - instrument_mode = INSTRUMENT_AFL; -#else +#if LLVM_MAJOR >= 7 #if LLVM_MAJOR < 11 && (LLVM_MAJOR < 10 || LLVM_MINOR < 1) if (have_instr_env) { @@ -1984,6 +1982,8 @@ int main(int argc, char **argv, char **envp) { #endif instrument_mode = INSTRUMENT_PCGUARD; +#else + instrument_mode = INSTRUMENT_AFL; #endif } -- cgit v1.2.3 From 78b0e108a6b57739ff97927f15126c784bb03773 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Wed, 1 Dec 2021 12:01:00 +0100 Subject: remove quickly --- src/afl-forkserver.c | 6 ++---- src/afl-fuzz-init.c | 3 +-- 2 files changed, 3 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 6320a26b..b871ea8c 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -941,8 +941,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use https://jwilk.net/software/recidivm to " - "quickly\n" + " Tip: you can use https://jwilk.net/software/recidivm to\n" " estimate the required amount of virtual memory for the " "binary.\n\n" @@ -1041,8 +1040,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use https://jwilk.net/software/recidivm to " - "quickly\n" + " Tip: you can use https://jwilk.net/software/recidivm to\n" " estimate the required amount of virtual memory for the " "binary.\n\n" diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index e5a4d3d1..4c030c0a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -974,8 +974,7 @@ void perform_dry_run(afl_state_t *afl) { MSG_ULIMIT_USAGE " /path/to/binary [...] Date: Thu, 2 Dec 2021 10:41:24 +0100 Subject: fixes --- src/afl-fuzz-bitmap.c | 16 ++++++++-------- src/afl-fuzz-stats.c | 6 ++++-- src/afl-showmap.c | 6 +++--- 3 files changed, 15 insertions(+), 13 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a204e374..fa413dcf 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -58,7 +58,7 @@ void write_bitmap(afl_state_t *afl) { u32 count_bits(afl_state_t *afl, u8 *mem) { u32 *ptr = (u32 *)mem; - u32 i = (afl->fsrv.map_size >> 2); + u32 i = ((afl->fsrv.real_map_size + 3) >> 2); u32 ret = 0; while (i--) { 
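Review bot: `u32 i = ((afl->fsrv.real_map_size + 3) >> 2);` in `count_bits()` (@@ -58) rounds the byte count up to whole words, so when `real_map_size` is not a multiple of 4 the loop reads up to three bytes past it; that is only safe if the map buffer is allocated to at least the rounded size (presumably `map_size`, which the later stats hunk prints as a separate, larger value — not verifiable from this diff). A short comment would make the invariant explicit for the next reader, e.g. `/* round up to whole words: the map is allocated to map_size, so the tail read stays in bounds */`, and the same applies to the `+ 7) >> 3` form in `has_new_bits()`. The function body continues outside the hunk.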
@@ -68,7 +68,7 @@ u32 count_bits(afl_state_t *afl, u8 *mem) { /* This gets called on the inverse, virgin bitmap; optimize for sparse data. */ - if (v == 0xffffffff) { + if (likely(v == 0xffffffff)) { ret += 32; continue; @@ -92,14 +92,14 @@ u32 count_bits(afl_state_t *afl, u8 *mem) { u32 count_bytes(afl_state_t *afl, u8 *mem) { u32 *ptr = (u32 *)mem; - u32 i = (afl->fsrv.map_size >> 2); + u32 i = ((afl->fsrv.real_map_size + 3) >> 2); u32 ret = 0; while (i--) { u32 v = *(ptr++); - if (!v) { continue; } + if (likely(!v)) { continue; } if (v & 0x000000ffU) { ++ret; } if (v & 0x0000ff00U) { ++ret; } if (v & 0x00ff0000U) { ++ret; } @@ -117,7 +117,7 @@ u32 count_bytes(afl_state_t *afl, u8 *mem) { u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) { u32 *ptr = (u32 *)mem; - u32 i = (afl->fsrv.map_size >> 2); + u32 i = ((afl->fsrv.real_map_size + 3) >> 2); u32 ret = 0; while (i--) { @@ -127,7 +127,7 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) { /* This is called on the virgin bitmap, so optimize for the most likely case. */ - if (v == 0xffffffffU) { continue; } + if (likely(v == 0xffffffffU)) { continue; } if ((v & 0x000000ffU) != 0x000000ffU) { ++ret; } if ((v & 0x0000ff00U) != 0x0000ff00U) { ++ret; } if ((v & 0x00ff0000U) != 0x00ff0000U) { ++ret; } @@ -216,14 +216,14 @@ inline u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { u64 *current = (u64 *)afl->fsrv.trace_bits; u64 *virgin = (u64 *)virgin_map; - u32 i = (afl->fsrv.map_size >> 3); + u32 i = ((afl->fsrv.real_map_size + 7) >> 3); #else u32 *current = (u32 *)afl->fsrv.trace_bits; u32 *virgin = (u32 *)virgin_map; - u32 i = (afl->fsrv.map_size >> 2); + u32 i = ((afl->fsrv.real_map_size + 3) >> 2); #endif /* ^WORD_SIZE_64 */ diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 426580d2..152bebe9 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -543,9 +543,11 @@ void show_stats(afl_state_t *afl) { FATAL( "Incorrect fuzzing setup detected. Your target seems to have loaded " - "incorrectly instrumented shared libraries. If you use LTO mode " + "incorrectly instrumented shared libraries (%u of %u/%u). If you use " + "LTO mode " "please see instrumentation/README.lto.md. To ignore this problem " - "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n"); + "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n", + t_bytes, afl->fsrv.real_map_size, afl->fsrv.map_size); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 236553ce..8cddcb32 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1435,9 +1435,9 @@ int main(int argc, char **argv_orig, char **envp) { if (!quiet_mode || collect_coverage) { if (!tcnt && !have_coverage) { FATAL("No instrumentation detected" cRST); } - OKF("Captured %u tuples (highest value %u, total values %llu) in " - "'%s'." cRST, - tcnt, highest, total, out_file); + OKF("Captured %u tuples (map size %u, highest value %u, total values %llu) " + "in '%s'." cRST, + tcnt, fsrv->real_map_size, highest, total, out_file); if (collect_coverage) OKF("A coverage of %u edges were achieved out of %u existing (%.02f%%) " "with %llu input files.", -- cgit v1.2.3 From e46adb0be7c5e1a0a1d49723678a9df20dfbe400 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 8 Dec 2021 11:28:33 +0100 Subject: fix AFL_REAL_LD for afl-cc --- src/afl-cc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 6bdb9572..1448d8ae 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
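Review bot: The new `(%u of %u/%u)` in the afl-fuzz-stats.c FATAL prints three numbers with no labels, so a user hitting this error cannot tell which value is the observed byte count and which are the two map sizes, which defeats the purpose of adding them. Name them in the message, e.g. `"incorrectly instrumented shared libraries (%u non-zero bytes, %u used of %u allocated map bytes). If you use LTO mode "`. `show_stats()` starts and ends outside the hunk.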
@@ -555,7 +555,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (lto_mode && !have_c) { - u8 *ld_path = strdup(AFL_REAL_LD); + u8 *ld_path = NULL; + if (getenv("AFL_REAL_LD")) { ld_path = strdup(getenv("AFL_REAL_LD")); } if (!ld_path || !*ld_path) { ld_path = strdup("ld.lld"); } if (!ld_path) { PFATAL("Could not allocate mem for ld_path"); } #if defined(AFL_CLANG_LDPATH) && LLVM_MAJOR >= 12 -- cgit v1.2.3
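Review bot: When `AFL_REAL_LD` is set to an empty string, `ld_path = strdup(getenv("AFL_REAL_LD"))` allocates an empty string that the following `if (!ld_path || !*ld_path) { ld_path = strdup("ld.lld"); }` then overwrites without freeing, and a NULL from the first `strdup` is silently treated as "unset" rather than as the allocation failure the `PFATAL` below is meant to catch. Decide on the value before allocating: `u8 *real_ld = getenv("AFL_REAL_LD");` / `u8 *ld_path = strdup((real_ld && *real_ld) ? (char *)real_ld : "ld.lld");` / `if (!ld_path) { PFATAL("Could not allocate mem for ld_path"); }`. Note that this path hands an environment-chosen binary to the linker invocation, which is by design for the wrapper but worth keeping in mind when afl-cc runs in shared build environments. The enclosing `edit_params()` starts and ends outside the hunk.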