From 37d9afc5ccf0b37edc6744a5edf7753e52d1e103 Mon Sep 17 00:00:00 2001
From: Richard Barnes
Date: Mon, 1 Jul 2024 06:59:37 -0700
Subject: Make fallthroughs explicit in afl-fuzz-extras.c
Using `__attribute__((fallthrough))` makes fallthroughs explicit in a way the compiler can understand. This allows the enablement of `-Wimplicit-fallthrough`.
---
 src/afl-fuzz-extras.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 55b6be04..da996602 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -455,13 +455,13 @@ void deunicode_extras(afl_state_t *afl) {
 case 2: if (!afl->extras[i].data[j]) { ++z3; }
- // fall through
+ __attribute__((fallthrough));
 case 0: if (!afl->extras[i].data[j]) { ++z1; } break; case 3: if (!afl->extras[i].data[j]) { ++z4; }
- // fall through
+ __attribute__((fallthrough));
 case 1: if (!afl->extras[i].data[j]) { ++z2; } break;
--
cgit v1.2.3
From 02f4f755263bac8a5568e5b65aba940a3e506292 Mon Sep 17 00:00:00 2001
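Review bot: `__attribute__((fallthrough));` on the two replaced lines is a GCC/Clang extension, so a compiler that does not know the attribute now rejects the switch where the old `// fall through` comment cost at most a warning; deunicode_extras() starts and ends outside the hunk, so every case label in it is affected. Routing the marker through a feature-tested macro keeps the explicit annotation without that regression: define it once in a shared header as `__attribute__((fallthrough))` under `#if defined(__has_attribute) && __has_attribute(fallthrough)` and as the empty statement `do {} while (0)` otherwise, then write the (suggested name) `AFL_FALLTHROUGH;` here. Note also that the stated goal, building with `-Wimplicit-fallthrough`, is not realised by this diff alone: the diffstat touches only afl-fuzz-extras.c, so the flag still has to be added to the build.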
From: Takuya Shimizu
Date: Wed, 10 Jul 2024 21:39:04 +0900
Subject: Fix missed updates of alias table when INTROSPECTION is on
In src/afl-fuzz.c `prev_queued_items` is used to decide whether the alias table should be recreated through the comparison with `afl->queued_items`. https://github.com/AFLplusplus/AFLplusplus/blob/43f462c91b3699b66e4aa1c5703b30f5189b5618/src/afl-fuzz.c#L3103-L3117 However, this variable is also updated to `afl->queued_items` when INTROSPECTION is enabled and the `fuzz_one` appends seeds. https://github.com/AFLplusplus/AFLplusplus/blob/43f462c91b3699b66e4aa1c5703b30f5189b5618/src/afl-fuzz.c#L3135-L3140 Due to the update of `prev_queued_items` when INTROSPECTION is on, alias table may not be recreated when it actually should be. This can lead to potential heap buffer-overflow in `select_next_queue_entry` due to the lack of `afl_realloc` called in `create_alias_table`. This patch fixes this bug by utilizing another variable for the INTROSPECTION part like other variables such as `prev_saved_tmouts`.
---
 src/afl-fuzz.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 8a84d447..8d85aec5 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2815,7 +2815,7 @@ int main(int argc, char **argv_orig, char **envp) {
 // (void)nice(-20); // does not improve the speed
 #ifdef INTROSPECTION
- u32 prev_saved_crashes = 0, prev_saved_tmouts = 0;
+ u32 prev_saved_crashes = 0, prev_saved_tmouts = 0, stat_prev_queued_items = 0;
 #endif
 u32 prev_queued_items = 0, runs_in_current_cycle = (u32)-1; u8 skipped_fuzz;
@@ -3132,10 +3132,11 @@ int main(int argc, char **argv_orig, char **envp) {
 } else {
- if (unlikely(afl->queued_items > prev_queued_items)) {
+ if (unlikely(afl->queued_items > stat_prev_queued_items)) {
- afl->queue_cur->stats_finds += afl->queued_items - prev_queued_items;
- prev_queued_items = afl->queued_items;
+ afl->queue_cur->stats_finds +=
+ afl->queued_items - stat_prev_queued_items;
+ stat_prev_queued_items = afl->queued_items;
 }
--
cgit v1.2.3
From ea42feb06a41fdc888891ec21400d2d15ca45ebc Mon Sep 17 00:00:00 2001
From: "Christian Holler (:decoder)"
Date: Fri, 12 Jul 2024 20:08:52 +0200
Subject: Initialize max_length in afl_fsrv_init #2155
---
 src/afl-forkserver.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src')
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index cec91f76..6366f473 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -241,6 +241,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
 fsrv->mem_limit = MEM_LIMIT; fsrv->out_file = NULL; fsrv->child_kill_signal = SIGKILL;
+ fsrv->max_length = MAX_FILE;
 /* exec related stuff */ fsrv->child_pid = -1;
--
cgit v1.2.3
From bd83eb0f424528bc156ef5bb0d025a8d20e85a6c Mon Sep 17 00:00:00 2001
From: William Tan <1284324+Ninja3047@users.noreply.github.com>
Date: Fri, 12 Jul 2024 16:10:40 -0400
Subject: check the sync_id length once
---
 src/afl-fuzz-init.c | 6 +++++-
 src/afl-fuzz.c | 12 +-----------
 2 files changed, 6 insertions(+), 12 deletions(-)
(limited to 'src')
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 98de26dd..4f366b0d 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2717,7 +2717,11 @@ void fix_up_sync(afl_state_t *afl) {
 }
- if (strlen(afl->sync_id) > 32) { FATAL("Fuzzer ID too long"); }
+ if (strlen(afl->sync_id) > 50) {
+
+ FATAL("sync_id max length is 50 characters");
+
+ }
 x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 8d85aec5..9867eba3 100644
--- a/src/afl-fuzz.c
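Review bot: Nothing at the `if (unlikely(afl->queued_items > stat_prev_queued_items))` site records why this counter must stay separate from `prev_queued_items`, which is the entire content of the fix; a later tidy-up that merges two counters holding the same value would silently reinstate the stale alias table the commit message describes. Suggest, above the `if`: `// distinct from prev_queued_items on purpose: that one gates create_alias_table() and must not be advanced by INTROSPECTION stats`, and the same remark at the declaration in the 2815 hunk. Both hunks are inside main(), which starts and ends outside the hunk. Independently, since the message says a missed `afl_realloc` in create_alias_table() surfaces as a heap overflow in select_next_queue_entry(), a bounds assertion on the alias-table index at that consumer would turn a future regression of this kind into a clean abort instead of a memory-safety bug; that code is not in this diff, so treat it as a follow-up to confirm.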
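Review bot: `fsrv->max_length = MAX_FILE;` sets a default but says nothing about what the field bounds or who may override it, and none of the neighbouring initialisers in this hunk carries a comment either, so the next reader can again take 0 for a valid "unlimited" value, the state this commit fixes. Suggest `/* default cap on the input size handed to the target; the caller may lower it after init */`, hedged because the consumers of max_length are not visible here. If afl_fsrv_init_dup() or any other routine in this file initialises a forkserver field by field, check that it carries max_length as well, otherwise a duplicated forkserver would still start from the uninitialised value this change addresses.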
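Review bot: The limit 50 is written twice in the new block, in the comparison and as a literal inside `FATAL("sync_id max length is 50 characters")`, and a third time in the check this commit deletes from afl-fuzz.c, so the number and the message can drift apart; one named constant (suggested name `SYNC_ID_MAX_LEN`) used in both keeps them in step: `if (strlen(afl->sync_id) > SYNC_ID_MAX_LEN) {` and `FATAL("sync_id max length is %d characters", SYNC_ID_MAX_LEN);`, assuming FATAL accepts printf-style arguments, which this hunk does not show. fix_up_sync() starts before this hunk. The check bounds only the length of the id before it is spliced into a path by `alloc_printf("%s/%s", afl->out_dir, afl->sync_id)` on the next line; if the characters of the id are validated elsewhere that is fine, but if not, a check for path separators belongs next to this one rather than being implied by the length cap.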
+++ b/src/afl-fuzz.c
@@ -1610,17 +1610,7 @@ int main(int argc, char **argv_orig, char **envp) {
 #endif
- if (afl->sync_id) {
-
- if (strlen(afl->sync_id) > 50) {
-
- FATAL("sync_id max length is 50 characters");
-
- }
-
- fix_up_sync(afl);
-
- }
+ if (afl->sync_id) { fix_up_sync(afl); }
 if (!strcmp(afl->in_dir, afl->out_dir)) {
--
cgit v1.2.3
From 7c380a6612f00e4a7ed02364dc2b3769e8edc8f8 Mon Sep 17 00:00:00 2001
From: carpintero-de-c <175505615+carpintero-de-c@users.noreply.github.com>
Date: Sun, 14 Jul 2024 03:55:58 +0530
Subject: Replace gettimeofday with clock_gettime (#2159)
---
 src/afl-as.c | 8 +++-----
 src/afl-common.c | 15 ++++++---------
 src/afl-fuzz.c | 7 +++----
 3 files changed, 12 insertions(+), 18 deletions(-)
(limited to 'src')
diff --git a/src/afl-as.c b/src/afl-as.c
index d4ddb94d..df487cbc 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -52,7 +52,6 @@
 #include
 #include
-#include
 static u8 **as_params; /* Parameters passed to the real 'as' */
@@ -557,8 +556,7 @@ int main(int argc, char **argv) {
 int status; u8 *inst_ratio_str = getenv("AFL_INST_RATIO");
- struct timeval tv;
- struct timezone tz;
+ struct timespec spec;
 clang_mode = !!getenv(CLANG_ENV_VAR);
@@ -609,9 +607,9 @@ int main(int argc, char **argv) {
 }
- gettimeofday(&tv, &tz);
+ clock_gettime(CLOCK_REALTIME, &spec);
- rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+ rand_seed = spec.tv_sec ^ spec.tv_nsec ^ getpid();
 // in fast systems where pids can repeat in the same seconds we need this
 for (i = 1; (s32)i < argc; i++) for (j = 0; j < strlen(argv[i]); j++)
diff --git a/src/afl-common.c b/src/afl-common.c
index efdb5d60..62432158 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
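Review bot: The new `clock_gettime(CLOCK_REALTIME, &spec);` is called without checking its return, and `spec` is declared without an initialiser in the 557 hunk above, so when the call fails (EINVAL for a clock the libc or kernel does not support) the next line builds `rand_seed` from indeterminate `spec.tv_sec ^ spec.tv_nsec`; the replaced gettimeofday call was equally unchecked but has no comparable failure mode. The cheap fix is `struct timespec spec = {0};` at the declaration, which keeps the seed well-defined (pid-only) on failure; the same applies to the get_cur_time()/get_cur_time_us() hunks in afl-common.c and the main() hunk in afl-fuzz.c below. clock_gettime is declared in <time.h>, needs -lrt on older glibc, and may be missing or too old on some supported targets, which the revert of this commit two entries further down suggests is what happened; a feature check around the call would have let the change survive. main() starts and ends outside the hunk.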
@@ -976,12 +976,11 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
 inline u64 get_cur_time(void) {
- struct timeval tv;
- struct timezone tz;
+ struct timespec spec;
- gettimeofday(&tv, &tz);
+ clock_gettime(CLOCK_REALTIME, &spec);
- return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
+ return (spec.tv_sec * 1000ULL) + (spec.tv_nsec / 1000000ULL);
 }
@@ -989,19 +988,17 @@ inline u64 get_cur_time(void) {
 inline u64 get_cur_time_us(void) {
- struct timeval tv;
- struct timezone tz;
+ struct timespec spec;
- gettimeofday(&tv, &tz);
+ clock_gettime(CLOCK_REALTIME, &spec);
- return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
+ return (spec.tv_sec * 1000000ULL) + (spec.tv_nsec / 1000ULL);
 } /* Describe integer. The buf should be at least 6 bytes to fit all ints we randomly see. Will return buf for convenience. */
-
 u8 *stringify_int(u8 *buf, size_t len, u64 val) {
 \
 #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 9867eba3..0f84b79b 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -555,8 +555,7 @@ int main(int argc, char **argv_orig, char **envp) {
 char *frida_afl_preload = NULL; char **use_argv;
- struct timeval tv;
- struct timezone tz;
+ struct timespec spec;
 doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH;
@@ -603,8 +602,8 @@ int main(int argc, char **argv_orig, char **envp) {
 SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a large online community\n");
- gettimeofday(&tv, &tz);
- rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid());
+ clock_gettime(CLOCK_REALTIME, &spec);
+ rand_set_seed(afl, spec.tv_sec ^ spec.tv_nsec ^ getpid());
 afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing
--
cgit v1.2.3
From ccb952dde8dbf2165a0d84308e558cd68679fb13 Mon Sep 17 00:00:00 2001
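Review bot: get_cur_time() here, and get_cur_time_us() in the next hunk, now read CLOCK_REALTIME, which keeps the property of the gettimeofday they replace: the value jumps on NTP or settimeofday adjustments, so a caller that subtracts two results to measure a timeout or an exec rate can observe a negative or inflated interval. Whether that matters depends on the callers, which are not in this diff; if every use is an interval, `CLOCK_MONOTONIC` is the right clock, and if any use persists the value as a wall-clock timestamp it has to stay CLOCK_REALTIME. Either way each function deserves one line stating which it promises, e.g. `/* wall-clock milliseconds since the epoch; not monotonic, so differences may go backwards */`, so a future rewrite changes the semantics deliberately rather than by accident. The hunk also drops the blank line before stringify_int(), an unrelated whitespace change that the diffstat shows as a deletion.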
From: vanhauser-thc
Date: Sun, 14 Jul 2024 10:18:23 +0200
Subject: Revert "Replace gettimeofday with clock_gettime (#2159)"
This reverts commit 7c380a6612f00e4a7ed02364dc2b3769e8edc8f8.
---
 src/afl-as.c | 8 +++++---
 src/afl-common.c | 15 +++++++++------
 src/afl-fuzz.c | 7 ++++---
 3 files changed, 18 insertions(+), 12 deletions(-)
(limited to 'src')
diff --git a/src/afl-as.c b/src/afl-as.c
index df487cbc..d4ddb94d 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -52,6 +52,7 @@
 #include
 #include
+#include
 static u8 **as_params; /* Parameters passed to the real 'as' */
@@ -556,7 +557,8 @@ int main(int argc, char **argv) {
 int status; u8 *inst_ratio_str = getenv("AFL_INST_RATIO");
- struct timespec spec;
+ struct timeval tv;
+ struct timezone tz;
 clang_mode = !!getenv(CLANG_ENV_VAR);
@@ -607,9 +609,9 @@ int main(int argc, char **argv) {
 }
- clock_gettime(CLOCK_REALTIME, &spec);
+ gettimeofday(&tv, &tz);
- rand_seed = spec.tv_sec ^ spec.tv_nsec ^ getpid();
+ rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
 // in fast systems where pids can repeat in the same seconds we need this
 for (i = 1; (s32)i < argc; i++) for (j = 0; j < strlen(argv[i]); j++)
diff --git a/src/afl-common.c b/src/afl-common.c
index 62432158..efdb5d60 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -976,11 +976,12 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
 inline u64 get_cur_time(void) {
- struct timespec spec;
+ struct timeval tv;
+ struct timezone tz;
- clock_gettime(CLOCK_REALTIME, &spec);
+ gettimeofday(&tv, &tz);
- return (spec.tv_sec * 1000ULL) + (spec.tv_nsec / 1000000ULL);
+ return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
 }
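Review bot: The restored `gettimeofday(&tv, &tz);` passes a `struct timezone` out-parameter that POSIX and the glibc manual mark obsolete (the tzp argument is meant to be NULL), so `tz` is dead state at all four reinstated call sites: here in afl-as.c main(), get_cur_time() and get_cur_time_us() in afl-common.c, and main() in afl-fuzz.c. `gettimeofday(&tv, NULL);` with the `struct timezone tz;` declaration dropped is the portable form and changes neither the seed nor the timestamps. The revert also records no reason, the message only names the reverted hash, so the next contributor cannot learn which platform or build broke; a sentence in the message or a comment at one of the call sites would carry that. main() starts and ends outside the hunk.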
@@ -988,17 +989,19 @@ inline u64 get_cur_time(void) {
 inline u64 get_cur_time_us(void) {
- struct timespec spec;
+ struct timeval tv;
+ struct timezone tz;
- clock_gettime(CLOCK_REALTIME, &spec);
+ gettimeofday(&tv, &tz);
- return (spec.tv_sec * 1000000ULL) + (spec.tv_nsec / 1000ULL);
+ return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
 } /* Describe integer. The buf should be at least 6 bytes to fit all ints we randomly see. Will return buf for convenience. */
+
 u8 *stringify_int(u8 *buf, size_t len, u64 val) {
 \
 #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 0f84b79b..9867eba3 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -555,7 +555,8 @@ int main(int argc, char **argv_orig, char **envp) {
 char *frida_afl_preload = NULL; char **use_argv;
- struct timespec spec;
+ struct timeval tv;
+ struct timezone tz;
 doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH;
@@ -602,8 +603,8 @@ int main(int argc, char **argv_orig, char **envp) {
 SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a large online community\n");
- clock_gettime(CLOCK_REALTIME, &spec);
- rand_set_seed(afl, spec.tv_sec ^ spec.tv_nsec ^ getpid());
+ gettimeofday(&tv, &tz);
+ rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid());
 afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing
--
cgit v1.2.3
From 69a596c0898e3ae295c4f606857ed2ca6d8d0605 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 14 Jul 2024 10:20:53 +0200
Subject: ensure this does not happen again
---
 src/afl-common.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src')
diff --git a/src/afl-common.c b/src/afl-common.c
index efdb5d60..04a984cb 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -979,6 +979,7 @@ inline u64 get_cur_time(void) {
 struct timeval tv; struct timezone tz;
+ // TO NOT REPLACE WITH clock_gettime!!!
 gettimeofday(&tv, &tz); return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
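Review bot: The added `// TO NOT REPLACE WITH clock_gettime!!!` here, and the identical line in get_cur_time_us() in the next hunk, forbids a change without saying why and has a typo (`TO NOT` for `DO NOT`), so a contributor attempting exactly what #2159 did has nothing to check their reasoning against; the reason is not recorded in the revert ccb952dde8dbf2165a0d84308e558cd68679fb13 either. Suggest `// DO NOT replace with clock_gettime(): <reason placeholder, e.g. the platform or toolchain it broke on>; see revert ccb952dde8dbf2165a0d84308e558cd68679fb13`. If the constraint is a missing or too-old symbol on some target, a compile-time probe in the build would enforce it where a comment cannot.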
@@ -992,6 +993,7 @@ inline u64 get_cur_time_us(void) {
 struct timeval tv; struct timezone tz;
+ // TO NOT REPLACE WITH clock_gettime!!!
 gettimeofday(&tv, &tz); return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
--
cgit v1.2.3