From 686a595df36a52f43ab43572b28683f8db09ac11 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Thu, 20 Jan 2022 20:48:09 +0100 Subject: Fix typo --- src/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/README.md b/src/README.md index 35af6ab9..3f332280 100644 --- a/src/README.md +++ b/src/README.md @@ -18,7 +18,7 @@ Quick explanation about the files here: - `afl-fuzz-performance.c` - hash64 and rand functions - `afl-fuzz-python.c` - afl-fuzz the python mutator extension - `afl-fuzz-queue.c` - afl-fuzz handling the queue -- `afl-fuzz-redqueen.c` - afl-fuzz redqueen implemention +- `afl-fuzz-redqueen.c` - afl-fuzz redqueen implementation - `afl-fuzz-run.c` - afl-fuzz running the target - `afl-fuzz-state.c` - afl-fuzz state and globals - `afl-fuzz-stats.c` - afl-fuzz writing the statistics file -- cgit 1.4.1 From 9d3e6a869e9474c1a3927a319b6ec2142130f5d3 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 21 Jan 2022 07:21:43 +0100 Subject: add LTO support in nyx_mode --- include/forkserver.h | 8 +++++++- src/afl-forkserver.c | 21 ++++++++++++--------- src/afl-fuzz.c | 9 ++++++++- 3 files changed, 27 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index 48db2e26..4a05b17e 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -54,7 +54,13 @@ typedef enum NyxReturnValue { typedef struct { void *(*nyx_new)(const char *sharedir, const char *workdir, - uint32_t worker_id, uint32_t cpu_id, bool create_snapshot); + uint32_t cpu_id, uint32_t input_buffer_size, + bool input_buffer_write_protection); + void *(*nyx_new_parent)(const char *sharedir, const char *workdir, + uint32_t cpu_id, uint32_t input_buffer_size, + bool input_buffer_write_protection); + void *(*nyx_new_child)(const char *sharedir, const char *workdir, + uint32_t cpu_id, uint32_t worker_id); void (*nyx_shutdown)(void *qemu_process); void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable); void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index eebbb7c8..1f03cfd3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -405,24 +405,27 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->nyx_parent) { - + if (fsrv->nyx_standalone){ fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, - !fsrv->nyx_standalone); - - } else { + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, 0x10000, true); + } + else{ + if (fsrv->nyx_parent) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent( + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); - fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true); + } else { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child( + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id); + } } if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } u32 tmp_map_size = fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner); - fsrv->real_map_size = fsrv->map_size; + fsrv->real_map_size = tmp_map_size; fsrv->map_size = (((tmp_map_size + 63) >> 6) << 6); if (!be_quiet) { ACTF("Target map size: %u", fsrv->real_map_size); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 1edf82f4..50874f47 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -404,6 +404,12 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { plugin->nyx_new = dlsym(handle, "nyx_new"); if (plugin->nyx_new == NULL) { goto fail; } + plugin->nyx_new_parent = dlsym(handle, "nyx_new_parent"); + if (plugin->nyx_new_parent == NULL) { goto fail; } + + plugin->nyx_new_child = dlsym(handle, "nyx_new_child"); + if (plugin->nyx_new_child == NULL) { goto fail; } + plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown"); if (plugin->nyx_shutdown == NULL) { goto fail; } @@ -1340,7 +1346,8 @@ int main(int argc, char **argv_orig, char **envp) { "0)"); } - + + afl->fsrv.nyx_parent = true; afl->fsrv.nyx_id = 0; } -- cgit 1.4.1 From 6ce736aa913363647760d088ef0cb3610a765ff4 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 21 Jan 2022 08:13:33 +0100 Subject: use MAX_FILE as maximum size in Nyx mode --- src/afl-forkserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 1f03cfd3..ffcb30c3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -407,7 +407,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->nyx_standalone){ fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( - fsrv->target_path, x, fsrv->nyx_bind_cpu_id, 0x10000, true); + fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); } else{ if (fsrv->nyx_parent) { -- cgit 1.4.1 From 22da04f077d2a5b16ffb48acbd668f29d21e6b64 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 21 Jan 2022 10:13:37 +0100 Subject: fix --- nyx_mode/QEMU-Nyx | 2 +- nyx_mode/libnyx | 2 +- nyx_mode/packer | 2 +- src/afl-cc.c | 8 +++---- utils/aflpp_driver/aflpp_driver.c | 48 ++++++++++++++++++++------------------- 5 files changed, 31 insertions(+), 31 deletions(-) (limited to 'src') diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx index 902306be..d5a7011a 160000 --- a/nyx_mode/QEMU-Nyx +++ b/nyx_mode/QEMU-Nyx @@ -1 +1 @@ -Subproject commit 902306beb01d858dcbcbaf0e1be26ce9dd0f293f +Subproject commit d5a7011ad20ba5ba91f1371f9d40154035d5d768 diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx index a5ae4c13..ecbcb2d7 160000 --- a/nyx_mode/libnyx +++ b/nyx_mode/libnyx @@ -1 +1 @@ -Subproject commit a5ae4c13e11de776779444eb69932802e102d7c4 +Subproject commit ecbcb2d7234fef0b5e1db8ca6019e6137ee0582d diff --git a/nyx_mode/packer b/nyx_mode/packer index 8842549b..f91742ce 160000 --- a/nyx_mode/packer +++ b/nyx_mode/packer @@ -1 +1 @@ -Subproject commit 8842549b5612a890258dcef812276cfdb62b76c7 +Subproject commit f91742ce6c51eee133b5675edd68f39202785db1 diff --git a/src/afl-cc.c b/src/afl-cc.c index 974b1d2a..9197c74b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -767,15 +767,13 @@ static void edit_params(u32 argc, char **argv, char **envp) { u8 *afllib = find_object("libAFLDriver.a", argv[0]); if (!be_quiet) - WARNF( - "Found erroneous '-fsanitize=fuzzer', trying to replace with " - "libAFLDriver.a"); + OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a"); if (!afllib) { WARNF( - "Cannot find 'libAFLDriver.a' to replace a wrong " - "'-fsanitize=fuzzer' in the flags - this will fail!"); + "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in " + "the flags - this will fail!"); } else { diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 547b78fb..c648674a 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -84,6 +84,8 @@ __attribute__((weak)) void __asan_unpoison_memory_region( } +__attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size); + // Notify AFL about persistent mode. static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; int __afl_persistent_loop(unsigned int); @@ -328,45 +330,45 @@ int main(int argc, char **argv) { __asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE); size_t prev_length = 0; - int num_runs = 0; - while (__afl_persistent_loop(N)) { + // for speed only insert asan functions if the target is linked with asan + if (__asan_region_is_poisoned) { - size_t length = *__afl_fuzz_len; + while (__afl_persistent_loop(N)) { -#ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %016llx len: %u\n", - hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), - *__afl_fuzz_len); - fprintf(stderr, "RECV:"); - for (int i = 0; i < *__afl_fuzz_len; i++) - fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); - fprintf(stderr, "\n"); -#endif + size_t length = *__afl_fuzz_len; - if (length) { + if (likely(length)) { - if (length < prev_length) { + if (length < prev_length) { - __asan_poison_memory_region(__afl_fuzz_ptr + length, - prev_length - length); + __asan_poison_memory_region(__afl_fuzz_ptr + length, + prev_length - length); - } else { + } else if (length > prev_length) { + + __asan_unpoison_memory_region(__afl_fuzz_ptr + prev_length, + length - prev_length); - __asan_unpoison_memory_region(__afl_fuzz_ptr + prev_length, - length - prev_length); + } + + prev_length = length; + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, length); } - prev_length = length; + } - num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, length); + } else { + + while (__afl_persistent_loop(N)) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); } } - printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); + return 0; } -- cgit 1.4.1 From 61d79f85c5f1f0d80bb7ab2d10d502fbd637ee83 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 23 Jan 2022 19:20:32 +0100 Subject: code format --- docs/Changelog.md | 23 ++++++++++++----------- include/forkserver.h | 12 ++++++------ src/afl-forkserver.c | 11 ++++++++--- src/afl-fuzz.c | 2 +- 4 files changed, 27 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 687232a0..e25b43da 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,7 +1,7 @@ # Changelog - This is the list of all noteworthy changes made in every public release of - the tool. See README.md for the general instruction manual. + This is the list of all noteworthy changes made in every public + release of the tool. See README.md for the general instruction manual. ## Staying informed @@ -9,7 +9,8 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) - - documentation restructuring, made possible by Google Season of Docs + - complete documentation restructuring, made possible by Google Season + of Docs :) thank you Jana! - we renamed several UI and fuzzer_stat entries to be more precise, e.g. "unique crashes" -> "saved crashes", "total paths" -> "corpus count", "current path" -> "current item". @@ -17,14 +18,14 @@ sending a mail to . - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! - unicorn_mode: - - Moved to unicorn2! By Ziqiao Kong (@lazymio) - - Faster, more accurate emulation (newer QEMU base), riscv support + - Moved to unicorn2! by Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), risc-v support - removed indirections in rust callbacks - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you - will now see crashes. before you would have colliding coverage. - we changed this to force fixing a broken setup rather then allowing + will now see a crash. Before you would have colliding coverage. + We changed this to force fixing a broken setup rather then allowing ineffective fuzzing. See docs/best_practices.md how to fix such setups. - afl-fuzz: @@ -35,7 +36,7 @@ sending a mail to . - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries - - fix -n dumb mode (nobody should use this) + - fix -n dumb mode (nobody should use this mode though) - fix stability issue with LTO and cmplog - better banner - more effective cmplog mode @@ -63,7 +64,7 @@ sending a mail to . - fixed a potential crash in targets for LAF string handling - fixed a bad assert in LAF split switches - added AFL_USE_TSAN thread sanitizer support - - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) + - llvm and LTO mode modified to work with new llvm 14-dev (again.) - fix for AFL_REAL_LD - more -z defs filtering - make -v without options work @@ -74,7 +75,7 @@ sending a mail to . - added afl-persistent-config script to set perform permanent system configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! - - added xml, curl and exotic string functions to llvm dictionary features + - added xml, curl & exotic string functions to llvm dictionary feature - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) @@ -97,7 +98,7 @@ sending a mail to . - Fix to instrument global namespace functions in c++ - Fix for llvm 13 - support partial linking - - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE + - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary andDICT2FILE - We do support llvm versions from 3.8 to 5.0 again - frida_mode: - several fixes for cmplog diff --git a/include/forkserver.h b/include/forkserver.h index 4a05b17e..01f45587 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -53,14 +53,14 @@ typedef enum NyxReturnValue { typedef struct { - void *(*nyx_new)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t input_buffer_size, - bool input_buffer_write_protection); + void *(*nyx_new)(const char *sharedir, const char *workdir, uint32_t cpu_id, + uint32_t input_buffer_size, + bool input_buffer_write_protection); void *(*nyx_new_parent)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t input_buffer_size, - bool input_buffer_write_protection); + uint32_t cpu_id, uint32_t input_buffer_size, + bool input_buffer_write_protection); void *(*nyx_new_child)(const char *sharedir, const char *workdir, - uint32_t cpu_id, uint32_t worker_id); + uint32_t cpu_id, uint32_t worker_id); void (*nyx_shutdown)(void *qemu_process); void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable); void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec, diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index ffcb30c3..62110ad5 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -405,20 +405,25 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->nyx_standalone){ + if (fsrv->nyx_standalone) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); - } - else{ + + } else { + if (fsrv->nyx_parent) { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true); } else { + fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child( fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id); } + } if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 50874f47..e322ee57 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1346,7 +1346,7 @@ int main(int argc, char **argv_orig, char **envp) { "0)"); } - + afl->fsrv.nyx_parent = true; afl->fsrv.nyx_id = 0; -- cgit 1.4.1 From 7270cbe756113c4adf64a89dab364c32c6f6e55a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 24 Jan 2022 10:28:48 +0100 Subject: try fix --- qemu_mode/qemuafl | 2 +- src/afl-fuzz.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index ce65a734..8809a2b2 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit ce65a7349e7156e052b37a660422cad8346764d0 +Subproject commit 8809a2b2ebf089d3427dd8f6a0044bcc2e13b389 diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e322ee57..06bff2be 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -50,14 +50,14 @@ static void at_exit() { char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr; - ptr = getenv(CPU_AFFINITY_ENV_VAR); - if (ptr && *ptr) unlink(ptr); + ptr = getenv("__AFL_TARGET_PID2"); + if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); ptr = getenv("__AFL_TARGET_PID1"); if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM); - ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); + ptr = getenv(CPU_AFFINITY_ENV_VAR); + if (ptr && *ptr) unlink(ptr); i = 0; while (list[i] != NULL) { -- cgit 1.4.1 From d9ed7842987f221eee068c0b61cf890d5ed6aff7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 25 Jan 2022 14:51:02 +0100 Subject: ensure all fuzz targets are killed on exit --- docs/Changelog.md | 1 + src/afl-fuzz.c | 57 ++++++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 47 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index e25b43da..e89a0761 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -33,6 +33,7 @@ sending a mail to . (it is better!) - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! + - ensure all spawned targets are killed on exit - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 06bff2be..d34cc6b4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -46,15 +46,31 @@ extern u64 time_spent_working; static void at_exit() { - s32 i, pid1 = 0, pid2 = 0; + s32 i, pid1 = 0, pid2 = 0, pgrp = -1; char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr; ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM); + if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid2); +#endif + if (pgrp > 0) { killpg(pgrp, SIGTERM); } + kill(pid2, SIGTERM); + + } ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM); + if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, SIGTERM); } + kill(pid1, SIGTERM); + + } ptr = getenv(CPU_AFFINITY_ENV_VAR); if (ptr && *ptr) unlink(ptr); @@ -85,8 +101,25 @@ static void at_exit() { /* AFL_KILL_SIGNAL should already be a valid int at this point */ if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); } - if (pid1 > 0) { kill(pid1, kill_signal); } - if (pid2 > 0) { kill(pid2, kill_signal); } + if (pid1 > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, kill_signal); } + kill(pid1, kill_signal); + + } + + if (pid2 > 0) { + +#if defined(__linux__) + pgrp = getpgid(pid1); +#endif + if (pgrp > 0) { killpg(pgrp, kill_signal); } + kill(pid2, kill_signal); + + } } @@ -121,8 +154,7 @@ static void usage(u8 *argv0, int more_help) { #if defined(__linux__) " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" - " -W - use qemu-based instrumentation with Wine (Wine " - "mode)\n" + " -W - use qemu-based instrumentation with Wine (Wine mode)\n" #endif #if defined(__linux__) " -X - use VM fuzzing (NYX mode - standalone mode)\n" @@ -173,8 +205,8 @@ static void usage(u8 *argv0, int more_help) { " -T text - text banner to show on the screen\n" " -I command - execute this command/script when a new crash is " "found\n" - //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap - //" "file\n" + //" -B bitmap.txt - mutate a specific test case, use the + //out/default/fuzz_bitmap file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" " -b cpu_id - bind the fuzzing process to the specified CPU core " "(0-...)\n" @@ -744,6 +776,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'f': /* target file */ if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); } + afl->fsrv.out_file = ck_strdup(optarg); afl->fsrv.use_stdin = 0; break; @@ -923,6 +956,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Y': /* NYX distributed mode */ if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); } + afl->fsrv.nyx_mode = 1; break; @@ -966,6 +1000,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': /* QEMU mode */ if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } + afl->fsrv.qemu_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -1076,6 +1111,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'L': { /* MOpt mode */ if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); } + afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) { @@ -1276,8 +1312,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.nyx_mode) { OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); - OKF("Nyx is open source, get it at " - "https://github.com/Nyx-Fuzz"); + OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz"); } -- cgit 1.4.1 From 026096ccf3b3e7e83cd332e95701e2269764e223 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Tue, 25 Jan 2022 19:13:26 +0100 Subject: add AFL autodict capability to Nyx mode --- nyx_mode/PACKER_VERSION | 2 +- nyx_mode/packer | 2 +- src/afl-forkserver.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION index 0c9db1e3..43488114 100644 --- a/nyx_mode/PACKER_VERSION +++ b/nyx_mode/PACKER_VERSION @@ -1 +1 @@ -8842549 +76100c5 diff --git a/nyx_mode/packer b/nyx_mode/packer index 8842549b..76100c52 160000 --- a/nyx_mode/packer +++ b/nyx_mode/packer @@ -1 +1 @@ -Subproject commit 8842549b5612a890258dcef812276cfdb62b76c7 +Subproject commit 76100c52db96429350693a6c7284c5c6cbcb6b08 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 62110ad5..031c8fd4 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -425,6 +425,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } + ck_free(x); if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } @@ -464,6 +465,61 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + /* autodict in Nyx mode */ + if (!ignore_autodict) { + x = alloc_printf("%s/workdir/dump/afl_autodict.txt", fsrv->out_dir_path); + int nyx_autodict_fd = open(x, O_RDONLY); + ck_free(x); + + if (nyx_autodict_fd >= 0) { + struct stat st; + if (fstat(nyx_autodict_fd, &st) >= 0) { + u32 f_len = st.st_size; + u8 *dict = ck_alloc(f_len); + if (dict == NULL) { + FATAL("Could not allocate %u bytes of autodictionary memory", f_len); + } + + u32 offset = 0, count = 0; + u32 len = f_len; + + while (len != 0) { + + rlen = read(nyx_autodict_fd, dict + offset, len); + if (rlen > 0) { + + len -= rlen; + offset += rlen; + + } else { + + FATAL( + "Reading autodictionary fail at position %u with %u bytes " + "left.", + offset, len); + } + + } + close(nyx_autodict_fd); + + offset = 0; + while (offset < (u32)f_len && + (u8)dict[offset] + offset < (u32)f_len) { + + fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, + (u8)dict[offset]); + offset += (1 + dict[offset]); + count++; + + } + + if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); } + ck_free(dict); + + } + } + } + return; } -- cgit 1.4.1 From 615a8ff986e2d456a4afa546f8b9418bf77c8792 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Tue, 25 Jan 2022 19:33:47 +0100 Subject: close autodict file even if fstat fails (Nyx mode) --- src/afl-forkserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 031c8fd4..6a1fe858 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -500,7 +500,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } - close(nyx_autodict_fd); offset = 0; while (offset < (u32)f_len && @@ -517,6 +516,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, ck_free(dict); } + close(nyx_autodict_fd); } } -- cgit 1.4.1 From 016bdc36bb7186e6c74e10aada9a5b73ff1ff5bc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 25 Jan 2022 19:54:46 +0100 Subject: code-format --- nyx_mode/README.md | 4 ++++ src/afl-forkserver.c | 25 ++++++++++++++++++------- 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/nyx_mode/README.md b/nyx_mode/README.md index b75f1793..09421f27 100644 --- a/nyx_mode/README.md +++ b/nyx_mode/README.md @@ -43,6 +43,10 @@ requires an Intel processor (6th generation onwards) and a special 5.10 kernel ## Preparing to fuzz a target with Nyx mode +For source instrumented fuzzing you can use any afl-cc mode, with LTO even +auto-dictionary is supported. +Note the CMPLOG is currently not supported (yet). + Nyx uses full system emulation hence your fuzzing targets have to be especially packaged. diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 6a1fe858..ce554170 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -425,6 +425,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } + ck_free(x); if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); } @@ -467,17 +468,23 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* autodict in Nyx mode */ if (!ignore_autodict) { + x = alloc_printf("%s/workdir/dump/afl_autodict.txt", fsrv->out_dir_path); int nyx_autodict_fd = open(x, O_RDONLY); ck_free(x); - if (nyx_autodict_fd >= 0) { + if (nyx_autodict_fd >= 0) { + struct stat st; - if (fstat(nyx_autodict_fd, &st) >= 0) { + if (fstat(nyx_autodict_fd, &st) >= 0) { + u32 f_len = st.st_size; u8 *dict = ck_alloc(f_len); if (dict == NULL) { - FATAL("Could not allocate %u bytes of autodictionary memory", f_len); + + FATAL("Could not allocate %u bytes of autodictionary memory", + f_len); + } u32 offset = 0, count = 0; @@ -497,16 +504,17 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "Reading autodictionary fail at position %u with %u bytes " "left.", offset, len); + } } - + offset = 0; while (offset < (u32)f_len && - (u8)dict[offset] + offset < (u32)f_len) { + (u8)dict[offset] + offset < (u32)f_len) { fsrv->add_extra_func(fsrv->afl_ptr, dict + offset + 1, - (u8)dict[offset]); + (u8)dict[offset]); offset += (1 + dict[offset]); count++; @@ -516,10 +524,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, ck_free(dict); } + close(nyx_autodict_fd); + } + } - + return; } -- cgit 1.4.1 From b0758ac8db0a2ec833b5ef7a60ab2d04cc7f6a9a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 26 Jan 2022 09:55:12 +0100 Subject: 4.00c readiness --- README.md | 4 ++-- coresight_mode/coresight-trace | 2 +- custom_mutators/grammar_mutator/grammar_mutator | 2 +- docs/Changelog.md | 2 +- include/config.h | 2 +- src/afl-fuzz.c | 2 +- test/test-unicorn-mode.sh | 4 ++-- 7 files changed, 9 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/README.md b/README.md index f050728c..049518f8 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ AFL++ logo -Release version: [3.14c](https://github.com/AFLplusplus/AFLplusplus/releases) +Release version: [4.00c](https://github.com/AFLplusplus/AFLplusplus/releases) -GitHub version: 3.15a +GitHub version: 4.00c Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) diff --git a/coresight_mode/coresight-trace b/coresight_mode/coresight-trace index ec0fd610..fe8b26ea 160000 --- a/coresight_mode/coresight-trace +++ b/coresight_mode/coresight-trace @@ -1 +1 @@ -Subproject commit ec0fd6104720ac0b59967616363dc18209adc02e +Subproject commit fe8b26ea4b07fafa6f24e77c84dad0f3925d47d8 diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index 6ca490c6..cbe5e327 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit 6ca490c66b949db20d8c861ebc8fb2e6ca725ead +Subproject commit cbe5e32752773945e0142fac9f1b7a0ccb5dcdff diff --git a/docs/Changelog.md b/docs/Changelog.md index e89a0761..7f539556 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -8,7 +8,7 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . -### Version ++3.15a (dev) +### Version ++4.00c (release) - complete documentation restructuring, made possible by Google Season of Docs :) thank you Jana! - we renamed several UI and fuzzer_stat entries to be more precise, diff --git a/include/config.h b/include/config.h index 99cacc40..66a646b1 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++3.15a" +#define VERSION "++4.00c" /****************************************************** * * diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index d34cc6b4..a96dee97 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -315,7 +315,7 @@ static void usage(u8 *argv0, int more_help) { SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", (char *)PYTHON_VERSION); #else - SAYF("Compiled without python module support.\n"); + SAYF("Compiled without Python module support.\n"); #endif #ifdef AFL_PERSISTENT_RECORD diff --git a/test/test-unicorn-mode.sh b/test/test-unicorn-mode.sh index e197e226..182958d6 100755 --- a/test/test-unicorn-mode.sh +++ b/test/test-unicorn-mode.sh @@ -4,7 +4,7 @@ $ECHO "$BLUE[*] Testing: unicorn_mode" test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shellcode && { - test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { + test -e ../unicorn_mode/samples/python_simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { # We want to see python errors etc. in logs, in case something doesn't work export AFL_DEBUG_CHILD=1 @@ -61,7 +61,7 @@ test -d ../unicorn_mode/unicornafl -a -e ../unicorn_mode/unicornafl/samples/shel { $ECHO "$GREY[*] running afl-fuzz for unicorn_mode in python, this will take approx 25 seconds" { - ../afl-fuzz -m ${MEM_LIMIT} -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/simple/simple_test_harness.py @@ >>errors 2>&1 + ../afl-fuzz -m ${MEM_LIMIT} -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/python_simple/simple_test_harness.py @@ >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode" -- cgit 1.4.1