From 4b01d594c40b4e59414413152392963f3cf5247d Mon Sep 17 00:00:00 2001 From: David Melski Date: Thu, 28 May 2020 20:25:30 -0400 Subject: Fix read_timed when accumulating short reads The existing code appears to use 'len_read' in several places where 'total_read' was intended. The function may work if the first 1 or 2 iterations of the loop read the requested 'len' bytes. If the first two reads are "short" and a third read is done, the bytes will be placed over previously read bytes in buf and more than 'len' bytes may be read in total, though buf is never overrun. This commit changes read_timed to (1) correctly append short reads in buf (2) correctly terminate when the sum of the short reads equals the requested 'len' bytes (3) return an error when read() returns -1 or 0 The function also depends on select() decrementing the timeout structure, as it does on Linux. On other platforms, the exec_ms returned is likely incorrect. This patch does not attempt to address this issue. --- src/afl-common.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 808c9812..22342065 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -885,9 +885,9 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, timeout.tv_usec = (timeout_ms % 1000) * 1000; size_t read_total = 0; - size_t len_read = 0; + ssize_t len_read = 0; - while (len_read < len) { + while (read_total < len) { /* set exceptfds as well to return when a child exited/closed the pipe. */ int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); @@ -905,8 +905,8 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, } - len_read = read(fd, ((u8 *)buf) + len_read, len - len_read); - if (!len_read) { return 0; } + len_read = read(fd, ((u8 *)buf) + read_total, len - read_total); + if (len_read <= 0) { return 0; } read_total += len_read; } -- cgit v1.2.3 From 8316425375031cedbf7e3ea6d6b116a376f01589 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C3=96sterlund?= Date: Fri, 29 May 2020 11:51:11 +0200 Subject: Add AFL_LLVM_WHITELIST_FNMATCH env var Only enable UNIX pattern matching on the whitelist when AFL_LLVM_WHITELIST_FNMATCH is set. The reason being that we keep backwards compatibility with old whitelists. --- src/afl-common.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 1bb58a60..c17f9789 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -69,10 +69,11 @@ char *afl_environment_variables[] = { "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_ALL", "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", - "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_SKIP_NEVERZERO", - "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", - "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", - "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", + "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST" , "AFL_LLVM_WHITELIST_FNMATCH", + "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", + "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", + "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", + "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally -- cgit v1.2.3 From 84df805ed3e14fb42f0c02420d6ae538a427fa2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C3=96sterlund?= Date: Fri, 29 May 2020 12:11:19 +0200 Subject: Do clang-format --- src/afl-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index c17f9789..6675564e 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -69,7 +69,7 @@ char *afl_environment_variables[] = { "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_ALL", "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", - "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST" , "AFL_LLVM_WHITELIST_FNMATCH", + "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_WHITELIST_FNMATCH", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", -- cgit v1.2.3 From 8bb0232ace731c596e9e4e083a048784e35221cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C3=96sterlund?= Date: Fri, 29 May 2020 15:47:34 +0200 Subject: Remove AFL_LLVM_WHITELIST_FNMATCH env variable --- src/afl-common.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 6675564e..1bb58a60 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -69,11 +69,10 @@ char *afl_environment_variables[] = { "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_ALL", "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", - "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_WHITELIST_FNMATCH", - "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", - "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", - "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", - "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", + "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_SKIP_NEVERZERO", + "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", + "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", + "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally -- cgit v1.2.3 From 8726d7b0a351fcb16587acd80a4b42b521264692 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 30 May 2020 06:51:51 +0200 Subject: simplified read_timed --- src/afl-common.c | 48 +++++++++++++++++++++++------------------------- 1 file changed, 23 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 9fd4bf03..d428c9c5 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -869,53 +869,51 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { } -/* Wrapper for select() and read(), reading exactly len bytes. +/* Wrapper for select() and read(), reading len bytes. + Assumes that all bytes are available on read! Returns the time passed to read. If the wait times out, returns timeout_ms + 1; Returns 0 if an error occurred (fd closed, signal, ...); */ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, volatile u8 *stop_soon_p) { - struct timeval timeout; fd_set readfds; FD_ZERO(&readfds); FD_SET(fd, &readfds); + struct timeval timeout; timeout.tv_sec = (timeout_ms / 1000); timeout.tv_usec = (timeout_ms % 1000) * 1000; +#if !defined(__linux__) + u64 read_start = get_cur_time_us(); +#endif - size_t read_total = 0; - ssize_t len_read = 0; - - while (read_total < len) { - - /* set exceptfds as well to return when a child exited/closed the pipe. */ - int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - - if (!sret) { - - // printf("Timeout in sret."); - return timeout_ms + 1; + /* set exceptfds as well to return when a child exited/closed the pipe. */ + int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - } else if (sret < 0) { + if (!sret) { - /* Retry select for all signals other than than ctrl+c */ - if (errno == EINTR && !*stop_soon_p) { continue; } - return 0; + return timeout_ms + 1; - } + } else if (sret < 0) { - len_read = read(fd, ((u8 *)buf) + read_total, len - read_total); - if (len_read <= 0) { return 0; } - read_total += len_read; + return 0; } - s32 exec_ms = + ssize_t len_read = read(fd, ((u8 *)buf), len); + if (len_read < len) { return 0; } + +#if defined(__linux__) + u32 exec_ms = MIN(timeout_ms, ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); - return exec_ms > 0 ? exec_ms - : 1; // at least 1 milli must have passed (0 is an error) +#else + u32 exec_ms = get_cur_time_us() - read_start; +#endif + + // ensure to report 1 ms has passed (0 is an error) + return exec_ms > 0 ? exec_ms : 1; } -- cgit v1.2.3 From 38e5c32a55086d36c8b9ee38e4b20c15517fc4b2 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 11:02:34 +0200 Subject: corrected read_timed for values > 4 --- src/afl-common.c | 82 ++++++++++++++++++++++++++++++++++++---------------- src/afl-forkserver.c | 6 +++- 2 files changed, 62 insertions(+), 26 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index d428c9c5..793041b2 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include @@ -869,51 +870,82 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { } -/* Wrapper for select() and read(), reading len bytes. - Assumes that all bytes are available on read! +/* sets a FD to non-blocking mode (used for read_timed) */ +void set_nonblocking(int fd) { + + int ret = 0; + int opt = 1; + ret = ioctl(fd, FIONBIO, &opt); + if (ret == -1) { PFATAL("Could not enable non-blocking mode on fd %d", fd); } + +} + + +/* Wrapper for select() and read(), reading exactly len bytes. + Should be called on non-blocking fds. Returns the time passed to read. If the wait times out, returns timeout_ms + 1; - Returns 0 if an error occurred (fd closed, signal, ...); */ + Returns 0 if an error occurred (fd closed, signal, ...); + */ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, volatile u8 *stop_soon_p) { + struct timeval timeout; fd_set readfds; FD_ZERO(&readfds); FD_SET(fd, &readfds); - struct timeval timeout; - timeout.tv_sec = (timeout_ms / 1000); - timeout.tv_usec = (timeout_ms % 1000) * 1000; -#if !defined(__linux__) - u64 read_start = get_cur_time_us(); -#endif + size_t read_total = 0; + ssize_t len_read = 0; - /* set exceptfds as well to return when a child exited/closed the pipe. */ - int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); + #if defined(__linux__) + timeout.tv_sec = (timeout_ms / 1000); + timeout.tv_usec = (timeout_ms % 1000) * 1000; + #else + u64 time_start = get_cur_time_us(); + #endif - if (!sret) { + while (read_total < len) { - return timeout_ms + 1; + #if !defined(__linux__) + u64 time_current = get_cur_time_us(); + u64 timeout_current = timeout_ms - (time_current - time_start); + timeout.tv_sec = (timeout_current / 1000); + timeout.tv_usec = (timeout_current % 1000) * 1000; + #endif - } else if (sret < 0) { + /* set exceptfds as well to return when a child exited/closed the pipe. */ + int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - return 0; + if (!sret) { - } + // printf("Timeout in sret."); + return timeout_ms + 1; + + } else if (sret < 0) { + + /* Retry select for all signals other than than ctrl+c */ + if (errno == EINTR && !*stop_soon_p) { continue; } + return 0; + + } + + len_read = read(fd, ((u8 *)buf) + read_total, len - read_total); + if (len_read <= 0) { return 0; } + read_total += len_read; - ssize_t len_read = read(fd, ((u8 *)buf), len); - if (len_read < len) { return 0; } + } -#if defined(__linux__) - u32 exec_ms = + #if defined(__linux__) + s32 exec_ms = MIN(timeout_ms, ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); -#else - u32 exec_ms = get_cur_time_us() - read_start; -#endif + #else + u32 exec_ms = get_cur_time_us() - time_start; + #endif - // ensure to report 1 ms has passed (0 is an error) - return exec_ms > 0 ? exec_ms : 1; + return exec_ms > 0 ? exec_ms + : 1; // at least 1 milli must have passed (0 is an error) } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 137a4f99..01774cd0 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -401,6 +401,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->fsrv_ctl_fd = ctl_pipe[1]; fsrv->fsrv_st_fd = st_pipe[0]; + set_nonblocking(fsrv->fsrv_st_fd); + /* Wait for the fork server to come up, but don't wait too long. */ rlen = 0; @@ -853,7 +855,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, fsrv->last_run_timed_out = 0; - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { + res = read_timed(fsrv->fsrv_st_fd, &fsrv->child_pid, 4, timeout, stop_soon_p); + + if (res < 0 || res > timeout) { if (*stop_soon_p) { return 0; } RPFATAL(res, "Unable to request new process from fork server (OOM?)"); -- cgit v1.2.3 From 8f19becb620a6fedd0f8b855b48cdeeab211c2ed Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 11:05:53 +0200 Subject: code format --- src/afl-common.c | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 793041b2..b3933b9c 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -880,7 +880,6 @@ void set_nonblocking(int fd) { } - /* Wrapper for select() and read(), reading exactly len bytes. Should be called on non-blocking fds. Returns the time passed to read. @@ -895,24 +894,24 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, FD_ZERO(&readfds); FD_SET(fd, &readfds); - size_t read_total = 0; + size_t read_total = 0; ssize_t len_read = 0; - #if defined(__linux__) - timeout.tv_sec = (timeout_ms / 1000); - timeout.tv_usec = (timeout_ms % 1000) * 1000; - #else - u64 time_start = get_cur_time_us(); - #endif +#if defined(__linux__) + timeout.tv_sec = (timeout_ms / 1000); + timeout.tv_usec = (timeout_ms % 1000) * 1000; +#else + u64 time_start = get_cur_time_us(); +#endif while (read_total < len) { - #if !defined(__linux__) - u64 time_current = get_cur_time_us(); - u64 timeout_current = timeout_ms - (time_current - time_start); - timeout.tv_sec = (timeout_current / 1000); - timeout.tv_usec = (timeout_current % 1000) * 1000; - #endif +#if !defined(__linux__) + u64 time_current = get_cur_time_us(); + u64 timeout_current = timeout_ms - (time_current - time_start); + timeout.tv_sec = (timeout_current / 1000); + timeout.tv_usec = (timeout_current % 1000) * 1000; +#endif /* set exceptfds as well to return when a child exited/closed the pipe. */ int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); @@ -936,13 +935,13 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, } - #if defined(__linux__) - s32 exec_ms = +#if defined(__linux__) + s32 exec_ms = MIN(timeout_ms, ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); - #else - u32 exec_ms = get_cur_time_us() - time_start; - #endif +#else + u32 exec_ms = get_cur_time_us() - time_start; +#endif return exec_ms > 0 ? exec_ms : 1; // at least 1 milli must have passed (0 is an error) -- cgit v1.2.3 From 4119752f83cbd29f8cca010865423301f2820553 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 30 May 2020 13:37:27 +0200 Subject: fix forkserver change --- src/afl-forkserver.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 01774cd0..1884ff98 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -855,11 +855,8 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, fsrv->last_run_timed_out = 0; - res = read_timed(fsrv->fsrv_st_fd, &fsrv->child_pid, 4, timeout, stop_soon_p); + if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - if (res < 0 || res > timeout) { - - if (*stop_soon_p) { return 0; } RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } -- cgit v1.2.3 From b16ccb481195d338b3b4a800965ba4054d268886 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 13:51:29 +0200 Subject: Revert "code format" This reverts commit 8f19becb620a6fedd0f8b855b48cdeeab211c2ed. --- src/afl-common.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index b3933b9c..793041b2 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -880,6 +880,7 @@ void set_nonblocking(int fd) { } + /* Wrapper for select() and read(), reading exactly len bytes. Should be called on non-blocking fds. Returns the time passed to read. @@ -894,24 +895,24 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, FD_ZERO(&readfds); FD_SET(fd, &readfds); - size_t read_total = 0; + size_t read_total = 0; ssize_t len_read = 0; -#if defined(__linux__) - timeout.tv_sec = (timeout_ms / 1000); - timeout.tv_usec = (timeout_ms % 1000) * 1000; -#else - u64 time_start = get_cur_time_us(); -#endif + #if defined(__linux__) + timeout.tv_sec = (timeout_ms / 1000); + timeout.tv_usec = (timeout_ms % 1000) * 1000; + #else + u64 time_start = get_cur_time_us(); + #endif while (read_total < len) { -#if !defined(__linux__) - u64 time_current = get_cur_time_us(); - u64 timeout_current = timeout_ms - (time_current - time_start); - timeout.tv_sec = (timeout_current / 1000); - timeout.tv_usec = (timeout_current % 1000) * 1000; -#endif + #if !defined(__linux__) + u64 time_current = get_cur_time_us(); + u64 timeout_current = timeout_ms - (time_current - time_start); + timeout.tv_sec = (timeout_current / 1000); + timeout.tv_usec = (timeout_current % 1000) * 1000; + #endif /* set exceptfds as well to return when a child exited/closed the pipe. */ int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); @@ -935,13 +936,13 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, } -#if defined(__linux__) - s32 exec_ms = + #if defined(__linux__) + s32 exec_ms = MIN(timeout_ms, ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); -#else - u32 exec_ms = get_cur_time_us() - time_start; -#endif + #else + u32 exec_ms = get_cur_time_us() - time_start; + #endif return exec_ms > 0 ? exec_ms : 1; // at least 1 milli must have passed (0 is an error) -- cgit v1.2.3 From 95b46b427887db655b3f2b9a04dae1924e665d27 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 13:53:00 +0200 Subject: reverted extendended read_timed --- src/afl-common.c | 82 ++++++++++++++++------------------------------------ src/afl-forkserver.c | 3 +- 2 files changed, 26 insertions(+), 59 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 793041b2..d428c9c5 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -39,7 +39,6 @@ #include #include #include -#include #include #include @@ -870,82 +869,51 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { } -/* sets a FD to non-blocking mode (used for read_timed) */ -void set_nonblocking(int fd) { - - int ret = 0; - int opt = 1; - ret = ioctl(fd, FIONBIO, &opt); - if (ret == -1) { PFATAL("Could not enable non-blocking mode on fd %d", fd); } - -} - - -/* Wrapper for select() and read(), reading exactly len bytes. - Should be called on non-blocking fds. +/* Wrapper for select() and read(), reading len bytes. + Assumes that all bytes are available on read! Returns the time passed to read. If the wait times out, returns timeout_ms + 1; - Returns 0 if an error occurred (fd closed, signal, ...); - */ + Returns 0 if an error occurred (fd closed, signal, ...); */ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, volatile u8 *stop_soon_p) { - struct timeval timeout; fd_set readfds; FD_ZERO(&readfds); FD_SET(fd, &readfds); + struct timeval timeout; - size_t read_total = 0; - ssize_t len_read = 0; - - #if defined(__linux__) - timeout.tv_sec = (timeout_ms / 1000); - timeout.tv_usec = (timeout_ms % 1000) * 1000; - #else - u64 time_start = get_cur_time_us(); - #endif - - while (read_total < len) { - - #if !defined(__linux__) - u64 time_current = get_cur_time_us(); - u64 timeout_current = timeout_ms - (time_current - time_start); - timeout.tv_sec = (timeout_current / 1000); - timeout.tv_usec = (timeout_current % 1000) * 1000; - #endif - - /* set exceptfds as well to return when a child exited/closed the pipe. */ - int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - - if (!sret) { + timeout.tv_sec = (timeout_ms / 1000); + timeout.tv_usec = (timeout_ms % 1000) * 1000; +#if !defined(__linux__) + u64 read_start = get_cur_time_us(); +#endif - // printf("Timeout in sret."); - return timeout_ms + 1; + /* set exceptfds as well to return when a child exited/closed the pipe. */ + int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - } else if (sret < 0) { + if (!sret) { - /* Retry select for all signals other than than ctrl+c */ - if (errno == EINTR && !*stop_soon_p) { continue; } - return 0; + return timeout_ms + 1; - } + } else if (sret < 0) { - len_read = read(fd, ((u8 *)buf) + read_total, len - read_total); - if (len_read <= 0) { return 0; } - read_total += len_read; + return 0; } - #if defined(__linux__) - s32 exec_ms = + ssize_t len_read = read(fd, ((u8 *)buf), len); + if (len_read < len) { return 0; } + +#if defined(__linux__) + u32 exec_ms = MIN(timeout_ms, ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); - #else - u32 exec_ms = get_cur_time_us() - time_start; - #endif +#else + u32 exec_ms = get_cur_time_us() - read_start; +#endif - return exec_ms > 0 ? exec_ms - : 1; // at least 1 milli must have passed (0 is an error) + // ensure to report 1 ms has passed (0 is an error) + return exec_ms > 0 ? exec_ms : 1; } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 1884ff98..137a4f99 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -401,8 +401,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->fsrv_ctl_fd = ctl_pipe[1]; fsrv->fsrv_st_fd = st_pipe[0]; - set_nonblocking(fsrv->fsrv_st_fd); - /* Wait for the fork server to come up, but don't wait too long. */ rlen = 0; @@ -857,6 +855,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { + if (*stop_soon_p) { return 0; } RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } -- cgit v1.2.3 From 24508194c2fdcc7666acafc1f60fcae06ff00a08 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 14:03:52 +0200 Subject: removed read_timed --- src/afl-common.c | 49 +------------------------------------------- src/afl-forkserver.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 54 insertions(+), 53 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index d428c9c5..a3692756 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -869,54 +869,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { } -/* Wrapper for select() and read(), reading len bytes. - Assumes that all bytes are available on read! - Returns the time passed to read. - If the wait times out, returns timeout_ms + 1; - Returns 0 if an error occurred (fd closed, signal, ...); */ -u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, - volatile u8 *stop_soon_p) { - - fd_set readfds; - FD_ZERO(&readfds); - FD_SET(fd, &readfds); - struct timeval timeout; - - timeout.tv_sec = (timeout_ms / 1000); - timeout.tv_usec = (timeout_ms % 1000) * 1000; -#if !defined(__linux__) - u64 read_start = get_cur_time_us(); -#endif - - /* set exceptfds as well to return when a child exited/closed the pipe. */ - int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - - if (!sret) { - - return timeout_ms + 1; - - } else if (sret < 0) { - - return 0; - - } - - ssize_t len_read = read(fd, ((u8 *)buf), len); - if (len_read < len) { return 0; } - -#if defined(__linux__) - u32 exec_ms = - MIN(timeout_ms, - ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); -#else - u32 exec_ms = get_cur_time_us() - read_start; -#endif - - // ensure to report 1 ms has passed (0 is an error) - return exec_ms > 0 ? exec_ms : 1; - -} - +/* Reads the map size from ENV */ u32 get_map_size(void) { uint32_t map_size = MAP_SIZE; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 137a4f99..880ef0a3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -119,6 +119,54 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { } +/* Wrapper for select() and read(), reading a 32 bit var. + Returns the time passed to read. + If the wait times out, returns timeout_ms + 1; + Returns 0 if an error occurred (fd closed, signal, ...); */ +static u32 read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, + volatile u8 *stop_soon_p) { + + fd_set readfds; + FD_ZERO(&readfds); + FD_SET(fd, &readfds); + struct timeval timeout; + size_t len = 4; + + timeout.tv_sec = (timeout_ms / 1000); + timeout.tv_usec = (timeout_ms % 1000) * 1000; +#if !defined(__linux__) + u64 read_start = get_cur_time_us(); +#endif + + /* set exceptfds as well to return when a child exited/closed the pipe. */ + int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); + + if (!sret) { + + return timeout_ms + 1; + + } else if (sret < 0) { + + return 0; + + } + + ssize_t len_read = read(fd, ((u8 *)buf), len); + if (len_read < len) { return 0; } + +#if defined(__linux__) + u32 exec_ms = + MIN(timeout_ms, + ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); +#else + u32 exec_ms = MIN(timeout_ms, get_cur_time_us() - read_start); +#endif + + // ensure to report 1 ms has passed (0 is an error) + return exec_ms > 0 ? exec_ms : 1; + +} + /* Internal forkserver for dumb_mode=1 and non-forkserver mode runs. It execvs for each fork, forwarding exit codes and child pids to afl. */ @@ -250,7 +298,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output) { int st_pipe[2], ctl_pipe[2]; - int status; + s32 status; s32 rlen; if (!be_quiet) { ACTF("Spinning up the fork server..."); } @@ -406,8 +454,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, rlen = 0; if (fsrv->exec_tmout) { - u32 time = read_timed(fsrv->fsrv_st_fd, &status, 4, - fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); + u32 time = read_s32_timed(fsrv->fsrv_st_fd, &status, + fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); if (!time) { @@ -862,8 +910,8 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if (fsrv->child_pid <= 0) { FATAL("Fork server is misbehaving (OOM?)"); } - exec_ms = read_timed(fsrv->fsrv_st_fd, &fsrv->child_status, 4, timeout, - stop_soon_p); + exec_ms = read_s32_timed(fsrv->fsrv_st_fd, &fsrv->child_status, timeout, + stop_soon_p); if (exec_ms > timeout) { -- cgit v1.2.3 From 4a5432890185fdce0fbfde60f507526ae6cf8a04 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 30 May 2020 17:11:45 +0200 Subject: rename var time->time_ms --- src/afl-forkserver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 880ef0a3..a0e08589 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -454,14 +454,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, rlen = 0; if (fsrv->exec_tmout) { - u32 time = read_s32_timed(fsrv->fsrv_st_fd, &status, + u32 time_ms = read_s32_timed(fsrv->fsrv_st_fd, &status, fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); - if (!time) { + if (!time_ms) { kill(fsrv->fsrv_pid, SIGKILL); - } else if (time > fsrv->exec_tmout * FORK_WAIT_MULT) { + } else if (time_ms > fsrv->exec_tmout * FORK_WAIT_MULT) { fsrv->last_run_timed_out = 1; kill(fsrv->fsrv_pid, SIGKILL); -- cgit v1.2.3 From c0ed118ba553846fb80cfed5c02d66e5435b94c5 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 20:38:01 +0200 Subject: comment --- src/afl-forkserver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a0e08589..76674389 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -454,8 +454,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, rlen = 0; if (fsrv->exec_tmout) { - u32 time_ms = read_s32_timed(fsrv->fsrv_st_fd, &status, - fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); + u32 time_ms = + read_s32_timed(fsrv->fsrv_st_fd, &status, + fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); if (!time_ms) { -- cgit v1.2.3 From ee14785f687d1fc99a16c4143a1fec0eba13afed Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sun, 31 May 2020 04:13:41 +0200 Subject: starting shmap support for unicorn --- src/afl-forkserver.c | 12 ++++++------ src/afl-fuzz-init.c | 54 ++++++++++++++++++++++++++++++---------------------- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 3 ++- src/afl-fuzz.c | 7 +++++++ 5 files changed, 47 insertions(+), 31 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 76674389..961748ec 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -286,7 +286,7 @@ static void report_error_and_exit(int error) { } -/* Spins up fork server (instrumented mode only). The idea is explained here: +/* Spins up fork server. The idea is explained here: http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html @@ -305,7 +305,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->use_fauxsrv) { - /* TODO: Come up with sone nice way to initalize this all */ + /* TODO: Come up with sone nice way to initialize this all */ if (fsrv->init_child_func != fsrv_exec_child) { @@ -823,10 +823,10 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { - if (fsrv->shdmem_fuzz) { + if (fsrv->shmem_fuzz) { - memcpy(fsrv->shdmem_fuzz, buf, len); - fsrv->shdmem_fuzz_len = len; + memcpy(fsrv->shmem_fuzz, buf, len); + fsrv->shmem_fuzz_len = len; } else { @@ -888,7 +888,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, MEM_BARRIER(); - if (fsrv->shdmem_fuzz_len) write_value += (fsrv->shdmem_fuzz_len << 8); + if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8); /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9349fefe..840b57f4 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1949,6 +1949,36 @@ static void handle_skipreq(int sig) { } + +/* Setup shared map for fuzzing with input via sharedmem */ + +void setup_testcase_shmem(afl_state_t *afl) { + + afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + // we need to set the dumb mode to not overwrite the SHM_ENV_VAR + if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { + +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str; + shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + afl->fsrv.support_shdmen_fuzz = 1; + + } else { + + ck_free(afl->shm_fuzz); + afl->shm_fuzz = NULL; + + } + +} + + /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ @@ -2153,30 +2183,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { OKF(cPIN "Persistent mode binary detected."); setenv(PERSIST_ENV_VAR, "1", 1); afl->persistent_mode = 1; - // do not fail if we can not get the fuzzing shared mem - if ((afl->shm_fuzz = calloc(1, sizeof(sharedmem_t)))) { - - // we need to set the dumb mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shdmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { - -#ifdef USEMMAP - setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); -#else - u8 *shm_str; - shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); - setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); - ck_free(shm_str); -#endif - afl->fsrv.support_shdmen_fuzz = 1; - - } else { - - free(afl->shm_fuzz); - afl->shm_fuzz = NULL; - } - - } + afl->shmem_testcase_mode = 1; } else if (getenv("AFL_PERSISTENT")) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 04450363..982825d8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -237,7 +237,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, free(afl->shm_fuzz); afl->shm_fuzz = NULL; afl->fsrv.support_shdmen_fuzz = 0; - afl->fsrv.shdmem_fuzz = NULL; + afl->fsrv.shmem_fuzz = NULL; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 014ed34d..bc75f54e 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -103,7 +103,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "afl_banner : %s\n" "afl_version : " VERSION "\n" - "target_mode : %s%s%s%s%s%s%s%s\n" + "target_mode : %s%s%s%s%s%s%s%s%s\n" "command_line : %s\n", afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, (u32)getpid(), @@ -128,6 +128,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode || afl->no_forkserver || afl->crash_mode || afl->persistent_mode || diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e024e9a4..1c797424 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -572,6 +572,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); } afl->unicorn_mode = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; } @@ -1178,6 +1179,12 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); + if (afl->shmem_testcase_mode) { + + setup_testcase_shmem(afl); + + } + afl->start_time = get_cur_time(); if (afl->fsrv.qemu_mode) { -- cgit v1.2.3 From 0de25f08ba2e39f680a1440e9b84ee9cf4136f9a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jun 2020 12:30:55 +0200 Subject: code format --- src/afl-fuzz-init.c | 2 -- src/afl-fuzz.c | 6 +----- 2 files changed, 1 insertion(+), 7 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 840b57f4..ea281b7b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1949,7 +1949,6 @@ static void handle_skipreq(int sig) { } - /* Setup shared map for fuzzing with input via sharedmem */ void setup_testcase_shmem(afl_state_t *afl) { @@ -1978,7 +1977,6 @@ void setup_testcase_shmem(afl_state_t *afl) { } - /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1c797424..54d59a9b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1179,11 +1179,7 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); - if (afl->shmem_testcase_mode) { - - setup_testcase_shmem(afl); - - } + if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } afl->start_time = get_cur_time(); -- cgit v1.2.3 From 62306f5ce87916396f8245db508dff889894f54c Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 2 Jun 2020 14:10:40 +0200 Subject: minor fixes --- src/afl-fuzz.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1c797424..432784ef 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -842,7 +842,7 @@ int main(int argc, char **argv_orig, char **envp) { } - /* randamsa_init installs some signal hadlers, call it before + /* radamsa_init installs some signal handlers, call it before setup_signal_handlers so that AFL++ can then replace those signal handlers */ radamsa_init_ptr(); @@ -1390,7 +1390,7 @@ stop_fuzzing: if (afl->shm_fuzz) { afl_shm_deinit(afl->shm_fuzz); - free(afl->shm_fuzz); + ck_free(afl->shm_fuzz); } -- cgit v1.2.3 From 83112ed5e0da90634d73a5111892e713cc19733d Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 2 Jun 2020 14:54:24 +0200 Subject: got rid of questionable phrasing --- src/afl-common.c | 4 ++-- src/afl-forkserver.c | 2 +- src/afl-fuzz-bitmap.c | 8 ++++---- src/afl-fuzz-init.c | 22 +++++++++++----------- src/afl-fuzz-one.c | 34 +++++++++++++++++----------------- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-run.c | 32 ++++++++++++++++---------------- src/afl-fuzz-stats.c | 19 ++++++++++--------- src/afl-fuzz.c | 42 +++++++++++++++++++++--------------------- src/afl-sharedmem.c | 12 ++++++------ 10 files changed, 89 insertions(+), 88 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index a3692756..c9b4638a 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -253,7 +253,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional \"dumb\" fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the command " "line.\n"); FATAL("Failed to locate 'afl-qemu-trace'."); @@ -353,7 +353,7 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional \"dumb\" fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the command " "line.\n", ncp); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 961748ec..6601aceb 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -167,7 +167,7 @@ static u32 read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, } -/* Internal forkserver for dumb_mode=1 and non-forkserver mode runs. +/* Internal forkserver for non_instrumented_mode=1 and non-forkserver mode runs. It execvs for each fork, forwarding exit codes and child pids to afl. */ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index ff078319..5b98be9e 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -623,14 +623,14 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { /* Timeouts are not very interesting, but we're still obliged to keep a handful of samples. We use the presence of new bits in the - hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we - just keep everything. */ + hang-specific bitmap as a signal of uniqueness. In "non-instrumented" + mode, we just keep everything. */ ++afl->total_tmouts; if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; } - if (likely(!afl->dumb_mode)) { + if (likely(!afl->non_instrumented_mode)) { #ifdef WORD_SIZE_64 simplify_trace(afl, (u64 *)afl->fsrv.trace_bits); @@ -698,7 +698,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } - if (likely(!afl->dumb_mode)) { + if (likely(!afl->non_instrumented_mode)) { #ifdef WORD_SIZE_64 simplify_trace(afl, (u64 *)afl->fsrv.trace_bits); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index ea281b7b..05aa0cc7 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1315,10 +1315,10 @@ dir_cleanup_failed: } -/* If this is a -S slave, ensure a -M master is running, if a master is - running when another master is started then warn */ +/* If this is a -S secondary node, ensure a -M main node is running, + if a main node is running when another main is started, then warn */ -int check_master_exists(afl_state_t *afl) { +int check_main_node_exists(afl_state_t *afl) { DIR * sd; struct dirent *sd_ent; @@ -1337,7 +1337,7 @@ int check_master_exists(afl_state_t *afl) { } - fn = alloc_printf("%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + fn = alloc_printf("%s/%s/is_main_node", afl->sync_dir, sd_ent->d_name); int res = access(fn, F_OK); free(fn); if (res == 0) return 1; @@ -1392,9 +1392,9 @@ void setup_dirs_fds(afl_state_t *afl) { } - if (afl->is_master) { + if (afl->is_main_node) { - u8 *x = alloc_printf("%s/is_master", afl->out_dir); + u8 *x = alloc_printf("%s/is_main_node", afl->out_dir); int fd = open(x, O_CREAT | O_RDWR, 0644); if (fd < 0) FATAL("cannot create %s", x); free(x); @@ -1859,7 +1859,7 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } + if (afl->non_instrumented_mode) { FATAL("-S / -M and -n are mutually exclusive"); } while (*x) { @@ -1955,7 +1955,7 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - // we need to set the dumb mode to not overwrite the SHM_ENV_VAR + // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { #ifdef USEMMAP @@ -2126,7 +2126,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ - if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->dumb_mode && + if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST @@ -2143,8 +2143,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { " mode support. Consult the README.md for tips on how to enable " "this.\n" - " (It is also possible to use afl-fuzz as a traditional, \"dumb\" " - "fuzzer.\n" + " (It is also possible to use afl-fuzz as a traditional, " + "non-instrumented fuzzer.\n" " For that, you can use the -n option - but expect much worse " "results.)\n", doc_path); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 56f16b4c..146e30bc 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -415,7 +415,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - } else if (!afl->dumb_mode && !afl->queue_cur->favored && + } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && afl->queued_paths > 10) { @@ -512,7 +512,7 @@ u8 fuzz_one_original(afl_state_t *afl) { * TRIMMING * ************/ - if (!afl->dumb_mode && !afl->queue_cur->trim_done && !afl->disable_trim) { + if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && !afl->disable_trim) { u8 res = trim_case(afl, afl->queue_cur, in_buf); @@ -577,10 +577,10 @@ u8 fuzz_one_original(afl_state_t *afl) { } /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ + for this main instance. */ - if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) { + if (afl->main_node_max && + (afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { goto custom_mutator_stage; @@ -650,7 +650,7 @@ u8 fuzz_one_original(afl_state_t *afl) { */ - if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { + if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) { u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); @@ -822,10 +822,10 @@ u8 fuzz_one_original(afl_state_t *afl) { u32 cksum; - /* If in dumb mode or if the file is very short, just flag everything - without wasting time on checksums. */ + /* If in non-instrumented mode or if the file is very short, just flag + everything without wasting time on checksums. */ - if (!afl->dumb_mode && len >= EFF_MIN_LEN) { + if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); @@ -2568,7 +2568,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } - } else if (!afl->dumb_mode && !afl->queue_cur->favored && + } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && afl->queued_paths > 10) { @@ -2660,7 +2660,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { * TRIMMING * ************/ - if (!afl->dumb_mode && !afl->queue_cur->trim_done) { + if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done) { u8 res = trim_case(afl, afl->queue_cur, in_buf); @@ -2730,10 +2730,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ + for this main instance. */ - if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) { + if (afl->main_node_max && + (afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { goto havoc_stage; @@ -2803,7 +2803,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { */ - if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { + if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) { u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); @@ -2975,10 +2975,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u32 cksum; - /* If in dumb mode or if the file is very short, just flag everything + /* If in non-instrumented mode or if the file is very short, just flag everything without wasting time on checksums. */ - if (!afl->dumb_mode && len >= EFF_MIN_LEN) { + if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index cfeb6c5e..ea7f57e2 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -303,7 +303,7 @@ void cull_queue(afl_state_t *afl) { u32 i; u8 * temp_v = afl->map_tmp_buf; - if (afl->dumb_mode || !afl->score_changed) { return; } + if (afl->non_instrumented_mode || !afl->score_changed) { return; } afl->score_changed = 0; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 982825d8..ec5ade53 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -234,7 +234,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->fsrv.support_shdmen_fuzz && !afl->fsrv.use_shdmen_fuzz) { afl_shm_deinit(afl->shm_fuzz); - free(afl->shm_fuzz); + ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; afl->fsrv.support_shdmen_fuzz = 0; afl->fsrv.shmem_fuzz = NULL; @@ -272,7 +272,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; } - if (!afl->dumb_mode && !afl->stage_cur && + if (!afl->non_instrumented_mode && !afl->stage_cur && !count_bytes(afl, afl->fsrv.trace_bits)) { fault = FSRV_RUN_NOINST; @@ -337,7 +337,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, parent. This is a non-critical problem, but something to warn the user about. */ - if (!afl->dumb_mode && first_run && !fault && !new_bits) { + if (!afl->non_instrumented_mode && first_run && !fault && !new_bits) { fault = FSRV_RUN_NOBITS; @@ -412,17 +412,17 @@ void sync_fuzzers(afl_state_t *afl) { entries++; - // a slave only syncs from a master, a master syncs from everyone - if (likely(afl->is_slave)) { + // secondary nodes only syncs from main, the main node syncs from everyone + if (likely(afl->is_secondary_node)) { - sprintf(qd_path, "%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + sprintf(qd_path, "%s/%s/is_main_node", afl->sync_dir, sd_ent->d_name); int res = access(qd_path, F_OK); - if (unlikely(afl->is_master)) { // an elected temporary master + if (unlikely(afl->is_main_node)) { // an elected temporary main node - if (likely(res == 0)) { // there is another master? downgrade. + if (likely(res == 0)) { // there is another main node? downgrade. - afl->is_master = 0; - sprintf(qd_path, "%s/is_master", afl->out_dir); + afl->is_main_node = 0; + sprintf(qd_path, "%s/is_main_node", afl->out_dir); unlink(qd_path); } @@ -561,16 +561,16 @@ void sync_fuzzers(afl_state_t *afl) { closedir(sd); - // If we are a slave and no master was found to sync then become the master - if (unlikely(synced == 0) && likely(entries) && likely(afl->is_slave)) { + // If we are a secondary and no main was found to sync then become the main + if (unlikely(synced == 0) && likely(entries) && likely(afl->is_secondary_node)) { - // there is a small race condition here that another slave runs at the same - // time. If so, the first temporary master running again will demote + // there is a small race condition here that another secondary runs at the same + // time. If so, the first temporary main node running again will demote // themselves so this is not an issue u8 path[PATH_MAX]; - afl->is_master = 1; - sprintf(path, "%s/is_master", afl->out_dir); + afl->is_main_node = 1; + sprintf(path, "%s/is_main_node", afl->out_dir); int fd = open(path, O_CREAT | O_RDWR, 0644); if (fd >= 0) { close(fd); } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index bc75f54e..d6bb8b72 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -125,12 +125,13 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, #endif t_bytes, afl->var_byte_count, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", - afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode || + (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode || afl->persistent_mode || afl->deferred_mode) ? "" @@ -327,7 +328,7 @@ void show_stats(afl_state_t *afl) { /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ - if (!afl->dumb_mode && afl->cycles_wo_finds > 100 && + if (!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done) { afl->stop_soon = 2; @@ -415,7 +416,7 @@ void show_stats(afl_state_t *afl) { " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA " overall results " bSTG bH2 bH2 bRT "\n"); - if (afl->dumb_mode) { + if (afl->non_instrumented_mode) { strcpy(tmp, cRST); @@ -461,7 +462,7 @@ void show_stats(afl_state_t *afl) { /* We want to warn people about not seeing new paths after a full cycle, except when resuming fuzzing or running in non-instrumented mode. */ - if (!afl->dumb_mode && + if (!afl->non_instrumented_mode && (afl->last_path_time || afl->resuming_fuzz || afl->queue_cycle == 1 || afl->in_bitmap || afl->crash_mode)) { @@ -470,7 +471,7 @@ void show_stats(afl_state_t *afl) { } else { - if (afl->dumb_mode) { + if (afl->non_instrumented_mode) { SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST " (non-instrumented mode) "); @@ -526,7 +527,7 @@ void show_stats(afl_state_t *afl) { SAYF(" map density : %s%-21s" bSTG bV "\n", t_byte_ratio > 70 ? cLRD - : ((t_bytes < 200 && !afl->dumb_mode) ? cPIN : cRST), + : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), tmp); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), @@ -1021,10 +1022,10 @@ void show_init_stats(afl_state_t *afl) { } - /* In dumb mode, re-running every timing out test case with a generous time + /* In non-instrumented mode, re-running every timing out test case with a generous time limit is very expensive, so let's select a more conservative default. */ - if (afl->dumb_mode && !(afl->afl_env.afl_hang_tmout)) { + if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) { afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 69111ea7..ee9c0c67 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -130,7 +130,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { " -N - do not unlink the fuzzing input file (only for " "devices etc.!)\n" " -d - quick & dirty mode (skips deterministic steps)\n" - " -n - fuzz without instrumentation (dumb mode)\n" + " -n - fuzz without instrumentation (non-instrumented mode)\n" " -x dir - optional fuzzer dictionary (see README.md, its really " "good!)\n\n" @@ -379,17 +379,17 @@ int main(int argc, char **argv_orig, char **envp) { *c = 0; - if (sscanf(c + 1, "%u/%u", &afl->master_id, &afl->master_max) != 2 || - !afl->master_id || !afl->master_max || - afl->master_id > afl->master_max || afl->master_max > 1000000) { + if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != 2 || + !afl->main_node_id || !afl->main_node_max || + afl->main_node_id > afl->main_node_max || afl->main_node_max > 1000000) { - FATAL("Bogus master ID passed to -M"); + FATAL("Bogus main node ID passed to -M"); } } - afl->is_master = 1; + afl->is_main_node = 1; } @@ -399,7 +399,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); - afl->is_slave = 1; + afl->is_secondary_node = 1; afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -533,14 +533,14 @@ int main(int argc, char **argv_orig, char **envp) { case 'n': /* dumb mode */ - if (afl->dumb_mode) { FATAL("Multiple -n options not supported"); } + if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); } if (afl->afl_env.afl_dumb_forksrv) { - afl->dumb_mode = 2; + afl->non_instrumented_mode = 2; } else { - afl->dumb_mode = 1; + afl->non_instrumented_mode = 1; } @@ -791,10 +791,10 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { WARNF( - "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " + "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " "result in no deterministic mutations being done!"); } @@ -872,7 +872,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->dumb_mode) { + if (afl->non_instrumented_mode) { if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); } if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); } @@ -955,13 +955,13 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->dumb_mode == 2 && afl->no_forkserver) { + if (afl->non_instrumented_mode == 2 && afl->no_forkserver) { FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); } - afl->fsrv.use_fauxsrv = afl->dumb_mode == 1 || afl->no_forkserver; + afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; if (getenv("LD_PRELOAD")) { @@ -1058,7 +1058,7 @@ int main(int argc, char **argv_orig, char **envp) { check_cpu_governor(afl); afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); + afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); @@ -1066,7 +1066,7 @@ int main(int argc, char **argv_orig, char **envp) { init_count_class16(); - if (afl->is_master && check_master_exists(afl) == 1) { + if (afl->is_main_node && check_main_node_exists(afl) == 1) { WARNF("it is wasteful to run more than one master!"); sleep(1); @@ -1075,9 +1075,9 @@ int main(int argc, char **argv_orig, char **envp) { setup_dirs_fds(afl); - if (afl->is_slave && check_master_exists(afl) == 0) { + if (afl->is_secondary_node && check_main_node_exists(afl) == 0) { - WARNF("no -M master found. You need to run one master!"); + WARNF("no -M main node found. You need to run one main instance!"); sleep(5); } @@ -1369,10 +1369,10 @@ stop_fuzzing: time_spent_working / afl->fsrv.total_execs); #endif - if (afl->is_master) { + if (afl->is_main_node) { u8 path[PATH_MAX]; - sprintf(path, "%s/is_master", afl->out_dir); + sprintf(path, "%s/is_main_node", afl->out_dir); unlink(path); } diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f5817293..f87c75eb 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -96,7 +96,7 @@ void afl_shm_deinit(sharedmem_t *shm) { Returns a pointer to shm->map for ease of use. */ -u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { +u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) { shm->map_size = map_size; @@ -137,12 +137,12 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { } - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, we don't want them to detect instrumentation, since we won't be sending fork server commands. This should be replaced with better auto-detection later on, perhaps? */ - if (!dumb_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); + if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); if (shm->map == -1 || !shm->map) PFATAL("mmap() failed"); @@ -164,12 +164,12 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm_str = alloc_printf("%d", shm->shm_id); - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, we don't want them to detect instrumentation, since we won't be sending fork server commands. This should be replaced with better auto-detection later on, perhaps? */ - if (!dumb_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } + if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } ck_free(shm_str); @@ -177,7 +177,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm_str = alloc_printf("%d", shm->cmplog_shm_id); - if (!dumb_mode) { setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); } + if (!non_instrumented_mode) { setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); } ck_free(shm_str); -- cgit v1.2.3 From 304a72c1ff84be6c4d217d2bc3f94884425e853e Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 3 Jun 2020 02:00:58 +0200 Subject: added shmem support to unicornafl --- src/afl-forkserver.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 6601aceb..d32e8293 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -522,6 +522,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + } else { + + FATAL("Target requested sharedmem fuzzing, but we failed to enable it."); + } } -- cgit v1.2.3 From 9962de1a4c26d226b15d7bee64b483098fe62b3f Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 3 Jun 2020 09:57:44 +0200 Subject: shared mem input for qemu persistent hook --- src/afl-fuzz.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index ee9c0c67..aed1e958 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -556,6 +556,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } afl->fsrv.qemu_mode = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -583,6 +584,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_wine) { FATAL("Multiple -W options not supported"); } afl->fsrv.qemu_mode = 1; afl->use_wine = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = 0; } -- cgit v1.2.3 From fc164e4709f1f1c91f9343eb116627417e7f267f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 10:50:49 +0200 Subject: code format --- src/afl-common.c | 6 ++++-- src/afl-forkserver.c | 4 +++- src/afl-fuzz-init.c | 9 +++++++-- src/afl-fuzz-one.c | 15 ++++++++------- src/afl-fuzz-run.c | 7 ++++--- src/afl-fuzz-stats.c | 11 ++++++----- src/afl-fuzz.c | 19 ++++++++++++++----- src/afl-sharedmem.c | 19 ++++++++++--------- 8 files changed, 56 insertions(+), 34 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index c9b4638a..f4cba573 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -253,7 +253,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional non-instrumented fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the " + "command " "line.\n"); FATAL("Failed to locate 'afl-qemu-trace'."); @@ -353,7 +354,8 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional non-instrumented fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the " + "command " "line.\n", ncp); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index d32e8293..b5b55713 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -524,7 +524,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else { - FATAL("Target requested sharedmem fuzzing, but we failed to enable it."); + FATAL( + "Target requested sharedmem fuzzing, but we failed to enable " + "it."); } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 05aa0cc7..3c3503b1 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1859,7 +1859,11 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->non_instrumented_mode) { FATAL("-S / -M and -n are mutually exclusive"); } + if (afl->non_instrumented_mode) { + + FATAL("-S / -M and -n are mutually exclusive"); + + } while (*x) { @@ -2126,7 +2130,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ - if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->non_instrumented_mode && + if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && + !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 146e30bc..578ac584 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -512,7 +512,8 @@ u8 fuzz_one_original(afl_state_t *afl) { * TRIMMING * ************/ - if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && !afl->disable_trim) { + if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && + !afl->disable_trim) { u8 res = trim_case(afl, afl->queue_cur, in_buf); @@ -579,8 +580,8 @@ u8 fuzz_one_original(afl_state_t *afl) { /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this main instance. */ - if (afl->main_node_max && - (afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { + if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) != + afl->main_node_id - 1) { goto custom_mutator_stage; @@ -2732,8 +2733,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this main instance. */ - if (afl->main_node_max && - (afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) { + if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) != + afl->main_node_id - 1) { goto havoc_stage; @@ -2975,8 +2976,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u32 cksum; - /* If in non-instrumented mode or if the file is very short, just flag everything - without wasting time on checksums. */ + /* If in non-instrumented mode or if the file is very short, just flag + everything without wasting time on checksums. */ if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ec5ade53..5934690f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -562,10 +562,11 @@ void sync_fuzzers(afl_state_t *afl) { closedir(sd); // If we are a secondary and no main was found to sync then become the main - if (unlikely(synced == 0) && likely(entries) && likely(afl->is_secondary_node)) { + if (unlikely(synced == 0) && likely(entries) && + likely(afl->is_secondary_node)) { - // there is a small race condition here that another secondary runs at the same - // time. If so, the first temporary main node running again will demote + // there is a small race condition here that another secondary runs at the + // same time. If so, the first temporary main node running again will demote // themselves so this is not an issue u8 path[PATH_MAX]; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d6bb8b72..97221572 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -126,8 +126,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, t_bytes, afl->var_byte_count, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", - afl->crash_mode ? "crash " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", @@ -526,8 +525,9 @@ void show_stats(afl_state_t *afl) { t_byte_ratio); SAYF(" map density : %s%-21s" bSTG bV "\n", - t_byte_ratio > 70 ? cLRD - : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), + t_byte_ratio > 70 + ? cLRD + : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), tmp); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), @@ -1022,7 +1022,8 @@ void show_init_stats(afl_state_t *afl) { } - /* In non-instrumented mode, re-running every timing out test case with a generous time + /* In non-instrumented mode, re-running every timing out test case with a + generous time limit is very expensive, so let's select a more conservative default. */ if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aed1e958..07e1584b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -379,9 +379,11 @@ int main(int argc, char **argv_orig, char **envp) { *c = 0; - if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != 2 || + if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != + 2 || !afl->main_node_id || !afl->main_node_max || - afl->main_node_id > afl->main_node_max || afl->main_node_max > 1000000) { + afl->main_node_id > afl->main_node_max || + afl->main_node_max > 1000000) { FATAL("Bogus main node ID passed to -M"); @@ -533,7 +535,12 @@ int main(int argc, char **argv_orig, char **envp) { case 'n': /* dumb mode */ - if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); } + if (afl->non_instrumented_mode) { + + FATAL("Multiple -n options not supported"); + + } + if (afl->afl_env.afl_dumb_forksrv) { afl->non_instrumented_mode = 2; @@ -793,10 +800,12 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_main_node && + afl->afl_env.afl_custom_mutator_only) { WARNF( - "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " + "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options " + "will " "result in no deterministic mutations being done!"); } diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f87c75eb..63013435 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -96,7 +96,8 @@ void afl_shm_deinit(sharedmem_t *shm) { Returns a pointer to shm->map for ease of use. */ -u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) { +u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, + unsigned char non_instrumented_mode) { shm->map_size = map_size; @@ -137,10 +138,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument } - /* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented + mode, we don't want them to detect instrumentation, since we won't be + sending fork server commands. This should be replaced with better + auto-detection later on, perhaps? */ if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); @@ -164,10 +165,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument shm_str = alloc_printf("%d", shm->shm_id); - /* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented + mode, we don't want them to detect instrumentation, since we won't be + sending fork server commands. This should be replaced with better + auto-detection later on, perhaps? */ if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } -- cgit v1.2.3 From 686d8823eb8eab3a7cb87f4affec56e0d6e402d1 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 3 Jun 2020 17:43:33 +0200 Subject: OpenBSD: add missing limits.h header for PATH_MAX --- src/afl-fuzz-run.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 5934690f..bf5defa5 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -27,6 +27,7 @@ #include "afl-fuzz.h" #include #include +#include #include "cmplog.h" -- cgit v1.2.3 From dd0ca7335ff93090def7be7fd0b46e9f71375004 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 15:49:23 +0200 Subject: switch shmem_len to the map --- src/afl-forkserver.c | 6 ++---- src/afl-fuzz-init.c | 6 ++++-- src/afl-fuzz-run.c | 4 ++-- src/afl-fuzz-stats.c | 14 ++++++++++++++ 4 files changed, 22 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b5b55713..0b53d7c0 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -506,7 +506,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_SHDMEM_FUZZ) == FS_OPT_SHDMEM_FUZZ) { - if (fsrv->support_shdmen_fuzz) { + if (fsrv->support_shmem_fuzz) { fsrv->use_shdmen_fuzz = 1; if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); } @@ -832,7 +832,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (fsrv->shmem_fuzz) { memcpy(fsrv->shmem_fuzz, buf, len); - fsrv->shmem_fuzz_len = len; + *fsrv->shmem_fuzz_len = len; } else { @@ -894,8 +894,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, MEM_BARRIER(); - if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8); - /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 3c3503b1..a30bf3f2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1960,7 +1960,8 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { + if ((afl->fsrv.shmem_fuzz = + afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); @@ -1970,7 +1971,8 @@ void setup_testcase_shmem(afl_state_t *afl) { setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); ck_free(shm_str); #endif - afl->fsrv.support_shdmen_fuzz = 1; + afl->fsrv.support_shmem_fuzz = 1; + afl->fsrv.shmem_fuzz_len = (u32 *)(afl->fsrv.shmem_fuzz + MAX_FILE); } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index bf5defa5..91a64fba 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -232,12 +232,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); - if (afl->fsrv.support_shdmen_fuzz && !afl->fsrv.use_shdmen_fuzz) { + if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shdmen_fuzz) { afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; - afl->fsrv.support_shdmen_fuzz = 0; + afl->fsrv.support_shmem_fuzz = 0; afl->fsrv.shmem_fuzz = NULL; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 97221572..1f5552e0 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -138,6 +138,20 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->orig_cmdline); /* ignore errors */ + if (afl->debug) { + + fprintf(f, "virgin_bytes :"); + for (uint32_t i = 0; i < afl->fsrv.map_size; i++) + if (afl->virgin_bits[i] != 0xff) + fprintf(f, " %d[%02x]", i, afl->virgin_bits[i]); + fprintf(f, "\n"); + fprintf(f, "var_bytes :"); + for (uint32_t i = 0; i < afl->fsrv.map_size; i++) + if (afl->var_bytes[i]) fprintf(f, " %d", i); + fprintf(f, "\n"); + + } + fclose(f); } -- cgit v1.2.3 From 031e4300a581e196961cdc49836c284f23313635 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 16:19:09 +0200 Subject: switch order of shmem fuzz --- src/afl-fuzz-init.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index a30bf3f2..b39fd9b2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1960,8 +1960,8 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shmem_fuzz = - afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { + if ((afl->fsrv.shmem_fuzz_len = + (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); @@ -1972,7 +1972,7 @@ void setup_testcase_shmem(afl_state_t *afl) { ck_free(shm_str); #endif afl->fsrv.support_shmem_fuzz = 1; - afl->fsrv.shmem_fuzz_len = (u32 *)(afl->fsrv.shmem_fuzz + MAX_FILE); + afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz + sizeof(int)); } else { -- cgit v1.2.3 From ea91cfdf9aa57f7db10b8c6cb9c6ac41939a274a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 18:09:06 +0200 Subject: fix shmem --- src/afl-fuzz-init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index b39fd9b2..96d4fc46 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1972,7 +1972,7 @@ void setup_testcase_shmem(afl_state_t *afl) { ck_free(shm_str); #endif afl->fsrv.support_shmem_fuzz = 1; - afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz + sizeof(int)); + afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int)); } else { -- cgit v1.2.3 From 35ddec7aebaa3fdd454118a31483f9c43e549d6a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 02:37:05 +0200 Subject: fix shmem persistent mode --- src/afl-forkserver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 0b53d7c0..a5e2db54 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -831,8 +831,9 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (fsrv->shmem_fuzz) { - memcpy(fsrv->shmem_fuzz, buf, len); *fsrv->shmem_fuzz_len = len; + memcpy(fsrv->shmem_fuzz, buf, len); + // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len); } else { -- cgit v1.2.3 From 88e83c7322c66ef3df905f21caf8c07505443d50 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 02:53:24 +0200 Subject: code format --- src/afl-fuzz.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 07e1584b..44b91877 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -246,7 +246,7 @@ int main(int argc, char **argv_orig, char **envp) { u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0, map_size = MAP_SIZE; u8 * extras_dir = 0; - u8 mem_limit_given = 0, exit_1 = 0; + u8 mem_limit_given = 0, exit_1 = 0, debug = 0; char **use_argv; struct timeval tv; @@ -257,10 +257,11 @@ int main(int argc, char **argv_orig, char **envp) { afl_state_t *afl = calloc(1, sizeof(afl_state_t)); if (!afl) { FATAL("Could not create afl state"); } - if (get_afl_env("AFL_DEBUG")) { afl->debug = 1; } + if (get_afl_env("AFL_DEBUG")) { debug = afl->debug = 1; } map_size = get_map_size(); afl_state_init(afl, map_size); + afl->debug = debug; afl_fsrv_init(&afl->fsrv); read_afl_environment(afl, envp); -- cgit v1.2.3 From 855ee062478023983e652bed64da174d7a8dd556 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 13:57:16 +0200 Subject: add afl-ld-lto for LTO --- src/afl-common.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index f4cba573..2802cda3 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -61,8 +61,9 @@ char *afl_environment_variables[] = { "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IMPORT_FIRST", "AFL_INST_LIBS", "AFL_INST_RATIO", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", "AFL_LD_HARD_FAIL", "AFL_LD_LIMIT_MB", "AFL_LD_NO_CALLOC_OVER", - "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", "AFL_LLVM_CMPLOG", "AFL_LLVM_INSTRIM", - "AFL_LLVM_CTX", "AFL_LLVM_INSTRUMENT", "AFL_LLVM_INSTRIM_LOOPHEAD", + "AFL_LD_PASSTHROUGH", "AFL_REAL_LD", "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", + "AFL_LLVM_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CTX", + "AFL_LLVM_INSTRUMENT", "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_LTO_AUTODICTIONARY", "AFL_LLVM_AUTODICTIONARY", "AFL_LLVM_SKIPSINGLEBLOCK", "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES", "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", -- cgit v1.2.3 From 9a1e22afab096f64abf91daecbe78a9aac638f97 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 4 Jun 2020 15:31:27 +0200 Subject: typo --- src/afl-forkserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a5e2db54..c0b6b136 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -276,7 +276,7 @@ static void report_error_and_exit(int error) { break; case FS_ERROR_MMAP: FATAL( - "the fuzzing target reports that the mmap() call to the share memory " + "the fuzzing target reports that the mmap() call to the shared memory " "failed."); break; default: -- cgit v1.2.3 From a9348e0acc1ea7de31858e2832f0a4abccf20599 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 16:31:53 +0200 Subject: fix cmplog for shmem persistent mode --- src/afl-forkserver.c | 6 ++++-- src/afl-fuzz-run.c | 2 +- src/afl-fuzz.c | 3 +++ 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c0b6b136..7f89f0dc 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -101,6 +101,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->exec_tmout = from->exec_tmout; fsrv_to->mem_limit = from->mem_limit; fsrv_to->map_size = from->map_size; + fsrv_to->support_shmem_fuzz = from->support_shmem_fuzz; #ifndef HAVE_ARC4RANDOM fsrv_to->dev_urandom_fd = from->dev_urandom_fd; @@ -435,6 +436,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, falling through. */ *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; + fprintf(stderr, "Error: execv to target failed\n"); exit(0); } @@ -508,7 +510,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->support_shmem_fuzz) { - fsrv->use_shdmen_fuzz = 1; + fsrv->use_shmem_fuzz = 1; if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); } if ((status & FS_OPT_AUTODICT) == 0) { @@ -567,7 +569,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->function_ptr == NULL || fsrv->function_opt == NULL) { // this is not afl-fuzz - we deny and return - if (fsrv->use_shdmen_fuzz) + if (fsrv->use_shmem_fuzz) status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); else status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 91a64fba..a85e00fe 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -232,7 +232,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); - if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shdmen_fuzz) { + if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) { afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 44b91877..d5fed9f2 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -792,6 +792,8 @@ int main(int argc, char **argv_orig, char **envp) { } + if (!mem_limit_given && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260; + OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " "Eißfeldt, Andrea Fioraldi and Dominik Maier"); OKF("afl++ is open source, get it at " @@ -1228,6 +1230,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->cmplog_fsrv.init_child_func = cmplog_exec_child; afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); + OKF("Cmplog forkserver successfully started"); } -- cgit v1.2.3 From e01cad2f7de77c4704243d7011de2bff95fd59f7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 5 Jun 2020 09:42:17 +0200 Subject: qemu debug --- src/afl-forkserver.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 7f89f0dc..505fb7a3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -277,8 +277,8 @@ static void report_error_and_exit(int error) { break; case FS_ERROR_MMAP: FATAL( - "the fuzzing target reports that the mmap() call to the shared memory " - "failed."); + "the fuzzing target reports that the mmap() call to the shared " + "memory failed."); break; default: FATAL("unknown error code %u from fuzzing target!", error); @@ -488,16 +488,16 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) { OKF("All right - fork server is up."); } - if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) - report_error_and_exit(FS_OPT_GET_ERROR(status)); + if (getenv("AFL_DEBUG")) { - if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { + ACTF("Extended forkserver functions received (%08x).", status); - if (getenv("AFL_DEBUG")) { + } - ACTF("Extended forkserver functions received (%08x).", status); + if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) + report_error_and_exit(FS_OPT_GET_ERROR(status)); - } + if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { -- cgit v1.2.3 From 92b8c5bb6037cb6626682653eacaa124504c592b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 9 Jun 2020 03:03:21 +0200 Subject: fixed shmap fuzzing --- src/afl-forkserver.c | 2 +- src/afl-fuzz-init.c | 28 +++++++++++----------------- 2 files changed, 12 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 505fb7a3..36126aa7 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -835,7 +835,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len); + //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout); } else { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 96d4fc46..54d65b9e 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1960,28 +1960,22 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shmem_fuzz_len = - (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { + u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1); + + if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP - setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); + setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); #else - u8 *shm_str; - shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); - setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); - ck_free(shm_str); + u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); #endif - afl->fsrv.support_shmem_fuzz = 1; - afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int)); - - } else { - - ck_free(afl->shm_fuzz); - afl->shm_fuzz = NULL; + afl->fsrv.support_shmem_fuzz = 1; + afl->fsrv.shmem_fuzz_len = (u32 *)map; + afl->fsrv.shmem_fuzz = map + sizeof(u32); - } - -} + } /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for -- cgit v1.2.3 From feffae60dd469b63db45a88204a1e17cc2f41bd3 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 9 Jun 2020 03:48:50 +0200 Subject: code format --- src/afl-forkserver.c | 3 ++- src/afl-fuzz-init.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 36126aa7..78e2b555 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -835,7 +835,8 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - //printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); fflush(stdout); + // printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); + // fflush(stdout); } else { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 54d65b9e..4184fa6b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1975,7 +1975,7 @@ void setup_testcase_shmem(afl_state_t *afl) { afl->fsrv.shmem_fuzz_len = (u32 *)map; afl->fsrv.shmem_fuzz = map + sizeof(u32); - } +} /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for -- cgit v1.2.3 From 32a40ab5c597914fe0a30c96bad3bf3da0eb4aeb Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 9 Jun 2020 11:22:27 +0200 Subject: add cpu affinity to fuzzer_stats --- src/afl-fuzz-stats.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 1f5552e0..8e364d54 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -98,6 +98,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "exec_timeout : %u\n" "slowest_exec_ms : %u\n" "peak_rss_mb : %lu\n" + "cpu_affinity : %d\n" "edges_found : %u\n" "var_byte_count : %u\n" "afl_banner : %s\n" @@ -123,7 +124,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, #else (unsigned long int)(rus.ru_maxrss >> 10), #endif - t_bytes, afl->var_byte_count, afl->use_banner, + afl->cpu_aff, t_bytes, afl->var_byte_count, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->non_instrumented_mode ? " non_instrumented " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", -- cgit v1.2.3 From 5fa0f8f55b82672315f69853beda3bee71d9991c Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 9 Jun 2020 17:01:41 +0200 Subject: fix debug output in stats --- src/afl-fuzz-stats.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 8e364d54..374b2411 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -141,14 +141,26 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, if (afl->debug) { + uint32_t i = 0; fprintf(f, "virgin_bytes :"); - for (uint32_t i = 0; i < afl->fsrv.map_size; i++) - if (afl->virgin_bits[i] != 0xff) + for (i = 0; i < afl->fsrv.map_size; i++) { + + if (afl->virgin_bits[i] != 0xff) { + fprintf(f, " %d[%02x]", i, afl->virgin_bits[i]); + + } + + } + fprintf(f, "\n"); fprintf(f, "var_bytes :"); - for (uint32_t i = 0; i < afl->fsrv.map_size; i++) - if (afl->var_bytes[i]) fprintf(f, " %d", i); + for (i = 0; i < afl->fsrv.map_size; i++) { + + if (afl->var_bytes[i]) { fprintf(f, " %d", i); } + + } + fprintf(f, "\n"); } -- cgit v1.2.3 From 81829d132bebcb42c0e289bb5788b8f2b29c1599 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 9 Jun 2020 17:09:34 +0200 Subject: always set status --- src/afl-forkserver.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 78e2b555..a549e471 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -144,10 +144,12 @@ static u32 read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, if (!sret) { + *buf = -1; return timeout_ms + 1; } else if (sret < 0) { + *buf = -1; return 0; } -- cgit v1.2.3