From f70760896c7a5d5f2b286d9ea71c8b6d90e98625 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 1 Mar 2022 19:21:31 +0100 Subject: Revert "Merge branch 'newpm2' into dev" This reverts commit fee1acf7e6096533f1aa8cd74035bed21c90fdf6, reversing changes made to 675d17d737ee5dee88766d9c181567771592c94c. --- src/afl-cc.c | 39 ++------------------------------------- 1 file changed, 2 insertions(+), 37 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 3e67085e..bacd9de9 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -462,17 +462,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 /* use new pass manager */ - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path); -#endif } @@ -488,17 +482,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 /* use new pass manager */ - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = alloc_printf( - "-fpass-plugin=%s/compare-transform-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/compare-transform-pass.so", obj_path); -#endif } @@ -514,16 +502,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/split-compares-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-compares-pass.so", obj_path); -#endif } 
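Review bot: With the `-fpass-plugin` branches reverted, every plugin in these hunks is loaded through `-Xclang -load`, which only registers passes with the legacy pass manager, so on LLVM >= 13 these lines take effect only if `-flegacy-pass-manager` is also passed (that flag is emitted further down in `edit_params`, outside these hunks). Nothing at the load sites says so, which is how the pass-manager mismatch will be reintroduced the next time someone touches this code. A one-line comment at the first `-Xclang -load` site would make the coupling explicit: `/* legacy-PM plugin load; on LLVM >= 13 this only works together with -flegacy-pass-manager, added later in this function */`. `edit_params` starts before and continues after each of these hunks.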
@@ -553,17 +536,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("%s/cmplog-switches-pass.so", obj_path); // reuse split switches from laf -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/split-switches-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path); -#endif } @@ -571,8 +548,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { } -#if LLVM_MAJOR == 13 // TODO: set to 14 when done FIXME - // Use the old pass manager in LLVM 13 which the afl++ passes still use. +#if LLVM_MAJOR >= 13 + // Use the old pass manager in LLVM 14 which the afl++ passes still use. cc_params[cc_par_cnt++] = "-flegacy-pass-manager"; #endif @@ -656,16 +633,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/afl-llvm-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); -#endif } @@ -682,17 +653,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { } else { -#if LLVM_MAJOR >= 11 - cc_params[cc_par_cnt++] = "-fexperimental-new-pass-manager"; - cc_params[cc_par_cnt++] = - alloc_printf("-fpass-plugin=%s/cmplog-instructions-pass.so", obj_path); -#else cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/cmplog-instructions-pass.so", obj_path); -#endif cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; -- cgit 1.4.1 
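Review bot: The comment on the `-flegacy-pass-manager` block now says "in LLVM 14" while the guard it sits under is `#if LLVM_MAJOR >= 13`, so the comment no longer matches the condition it documents, and the guard is open-ended even though the legacy optimization pipeline is being phased out in later clang releases, where the flag may be rejected outright. I would reword the comment to `// LLVM >= 13 defaults to the new pass manager; force the legacy one so the -Xclang -load plugins above register.` and add an upper bound to the `#if` once the release that drops the flag is confirmed. The remaining `#if LLVM_MAJOR >= 11` / `#else` removals in the surrounding hunks are a straight revert and need nothing further; `edit_params` extends beyond each hunk.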
From d84a8da1e9b68f03597f17a9c6c53503551fcb51 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 1 Mar 2022 19:30:17 +0100 Subject: allow for -c0 also for src targets --- docs/Changelog.md | 3 +++ docs/fuzzing_binary-only_targets.md | 9 +++++---- src/afl-fuzz.c | 9 ++++++++- 3 files changed, 16 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index f4ae0e43..549d5e4a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -12,6 +12,9 @@ sending a mail to . - fix */build_...sh scripts to work outside of git - new custom_mutator: libafl with token fuzzing :) - afl-fuzz: + - when you just want to compile once and set CMPLOG, then just + set -c 0 to tell afl-fuzz that the fuzzing binary is also for + CMPLOG. - new commandline options -g/G to set min/max length of generated fuzz inputs - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 1a2b27c7..c97af1b9 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md 
@@ -48,11 +48,12 @@ The following setup to use QEMU mode is recommended: Then run as many instances as you have cores left with either -Q mode or - even better - use a binary rewriter like Dyninst, RetroWrite, ZAFL, etc. +The binary rewriters all have their own advantages and caveats. +ZAFL is the best but cannot be used in a business/commercial context. -If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for your -binary, then you can use afl-fuzz normally and it will have twice the speed -compared to QEMU mode (but slower than QEMU persistent mode). Note that several -other binary rewriters exist, all with their advantages and caveats. +If a binary rewriter works for your target then you can use afl-fuzz normally +and it will have twice the speed compared to QEMU mode (but slower than QEMU +persistent mode). The speed decrease of QEMU mode is at about 50%. However, various options exist to increase the speed: diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c73ab38b..6b177274 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -167,7 +167,8 @@ static void usage(u8 *argv0, int more_help) { " See docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" - " if using QEMU, just use -c 0.\n" + " if using QEMU/FRIDA or if you the fuzzing target is compiled" + " for CmpLog then just use -c 0.\n" " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" " 1=small files, 2=larger files (default), 3=all " "files,\n" @@ -1458,6 +1459,12 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->use_banner) { afl->use_banner = argv[optind]; } + if (afl->shm.cmplog_mode && (!strcmp("-", afl->cmplog_binary) || !strcmp("0", afl->cmplog_binary))) { + + afl->cmplog_binary = argv[optind]; + + } + if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) { WARNF(cLRD -- cgit 1.4.1 From 7e67545b9de14ae6e425d184581bec93ccf84c6a Mon Sep 17 00:00:00 2001 
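Review bot: The new branch in `main` overwrites `afl->cmplog_binary` with `argv[optind]` without releasing the string the `-c` option stored there, so when `-c 0` or `-c -` was given the previous value is simply dropped; if the option parser stored it with `ck_strdup` (the usual pattern, not visible in this hunk) that is a small leak, and if it stored `optarg` directly it is harmless, but either way the override deserves a comment: `/* -c 0 / -c -: the fuzzing target itself is the CMPLOG binary */`. The two `strcmp` calls also assume `cmplog_binary` is non-NULL whenever `shm.cmplog_mode` is set, which holds only if both are always set together by `-c`; that should be confirmed against the option parser above the hunk. The usage text added in the same commit reads "if you the fuzzing target is compiled", which is a user-visible typo. `main` continues on both sides of the hunk.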
From: vanhauser-thc Date: Tue, 1 Mar 2022 20:01:12 +0100 Subject: code format --- instrumentation/compare-transform-pass.so.cc | 21 +++++++++++++-------- src/afl-fuzz.c | 6 ++++-- 2 files changed, 17 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index 969a2ef4..c668ba95 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc @@ -63,20 +63,25 @@ class CompareTransform : public ModulePass { } #if LLVM_MAJOR < 11 -#if LLVM_VERSION_MAJOR >= 4 + #if LLVM_VERSION_MAJOR >= 4 StringRef getPassName() const override { -#else + + #else const char *getPassName() const override { -#endif + + #endif return "transforms compare functions"; + } + #endif -//#if LLVM_MAJOR >= 11 /* use new pass manager */ -// PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); -//#else + //#if LLVM_MAJOR >= 11 /* use new pass manager + / /*/ + // PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); + //#else bool runOnModule(Module &M) override; -//#endif + //#endif private: bool transformCmps(Module &M, const bool processStrcmp, @@ -106,7 +111,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, #if LLVM_VERSION_MAJOR >= 9 FunctionCallee tolowerFn; #else - Function * tolowerFn; + Function *tolowerFn; #endif { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6b177274..a3f57c1e 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -167,7 +167,8 @@ static void usage(u8 *argv0, int more_help) { " See docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" - " if using QEMU/FRIDA or if you the fuzzing target is compiled" + " if using QEMU/FRIDA or if you the fuzzing target is " + "compiled" " for CmpLog then just use -c 0.\n" " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" " 1=small files, 2=larger files (default), 3=all " 
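Review bot: The reformatted `-c` usage text still reads "if using QEMU/FRIDA or if you the fuzzing target is compiled for CmpLog", a typo carried over from the previous commit in help output every user sees; I would change the two fragments to `" if using QEMU/FRIDA or if the fuzzing target is itself "` and `"compiled for CmpLog then just use -c 0.\n"`. In the compare-transform-pass.so.cc hunk the formatter has turned a commented-out block into `//#if LLVM_MAJOR >= 11 /* use new pass manager` followed by a stray `/ /*/`, which is only harmless because everything is inside `//` comments; since the new-pass-manager path was reverted, the dead commented-out `PreservedAnalyses run(...)` lines should be deleted rather than kept in this mangled form. `usage` and the `CompareTransform` class body extend beyond the hunks.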
@@ -1459,7 +1460,8 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->use_banner) { afl->use_banner = argv[optind]; } - if (afl->shm.cmplog_mode && (!strcmp("-", afl->cmplog_binary) || !strcmp("0", afl->cmplog_binary))) { + if (afl->shm.cmplog_mode && + (!strcmp("-", afl->cmplog_binary) || !strcmp("0", afl->cmplog_binary))) { afl->cmplog_binary = argv[optind]; -- cgit 1.4.1 From 0f7419fc9166b1f719372e1658efc4e3b9c88ac5 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 4 Mar 2022 05:41:40 +0100 Subject: write nyx crash logs to AFL++ work directory --- include/forkserver.h | 2 ++ src/afl-forkserver.c | 8 +++++++- src/afl-fuzz-bitmap.c | 14 ++++++++++++++ src/afl-fuzz.c | 4 ++++ 4 files changed, 27 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index fd4d283c..cb68ce4f 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -70,6 +70,7 @@ typedef struct { enum NyxReturnValue (*nyx_exec)(void *qemu_process); uint8_t *(*nyx_get_bitmap_buffer)(void *qemu_process); size_t (*nyx_get_bitmap_buffer_size)(void *qemu_process); + uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer, uint32_t size); } nyx_plugin_handler_t; @@ -173,6 +174,7 @@ typedef struct afl_forkserver { void * nyx_runner; /* nyx runner object */ u32 nyx_id; /* nyx runner id (0 -> master) */ u32 nyx_bind_cpu_id; /* nyx runner cpu id */ + char* nyx_aux_string; #endif } afl_forkserver_t; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 8997781d..54f28852 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
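Review bot: The new `nyx_get_aux_string` callback is declared with a `uint8_t *buffer` parameter, but the storage added to `afl_forkserver_t` is `char *nyx_aux_string`, and the call site in afl-fuzz-bitmap.c passes that field straight through, so the two declarations disagree on pointer type and will trip `-Wpointer-sign` in C. Declaring the field as `u8 *nyx_aux_string;` matches both the callback and the surrounding struct's conventions. Both new members are also undocumented where every neighbouring field has a trailing comment; I would add `u8 *nyx_aux_string; /* scratch buffer for the crash/aux string fetched from libnyx */` and, on the callback, `/* copies at most size bytes of the aux string into buffer, returns the length copied */`, the latter being the contract this code assumes of libnyx rather than one shown here, so confirm it against libnyx. Both struct definitions extend beyond the hunks.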
@@ -450,6 +450,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0); fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner); + fsrv->nyx_aux_string = malloc(0x1000); + memset(fsrv->nyx_aux_string, 0, 0x1000); + /* dry run */ fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4); switch (fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)) { @@ -1253,7 +1256,10 @@ void afl_fsrv_kill(afl_forkserver_t *fsrv) { fsrv->child_pid = -1; #ifdef __linux__ - if (fsrv->nyx_mode) { fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); } + if (fsrv->nyx_mode) { + free(fsrv->nyx_aux_string); + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + } #endif } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index b963caf8..bce1a195 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -771,6 +771,20 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ck_write(fd, mem, len, fn); close(fd); + if(afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { + u8 fn_log[PATH_MAX]; + + snprintf(fn_log, PATH_MAX, "%s.log", fn); + + fd = open(fn_log, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } + + u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); + + ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); + close(fd); + } + return keeping; } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index a3f57c1e..df6e5404 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
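Review bot: `fsrv->nyx_aux_string = malloc(0x1000)` in `afl_fsrv_start` is not checked for NULL before the `memset` writes through it, and the magic `0x1000` is repeated in the `memset` here and again in the `nyx_get_aux_string` call in afl-fuzz-bitmap.c, so the three sizes can silently drift apart. I would use a checked zeroing allocation with a named size, e.g. `fsrv->nyx_aux_string = calloc(1, NYX_AUX_STRING_SIZE); if (!fsrv->nyx_aux_string) { PFATAL("calloc() for nyx aux string failed"); }` with `#define NYX_AUX_STRING_SIZE 0x1000` next to the field in forkserver.h, or the project's own checked allocator if one is in scope here. In `afl_fsrv_kill` the `free()` should be followed by `fsrv->nyx_aux_string = NULL;`, since the forkserver struct outlives the kill and a later `nyx_mode` path could otherwise touch a dangling pointer. `afl_fsrv_start` and `afl_fsrv_kill` extend beyond the hunks.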
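Review bot: In `save_if_interesting`, `nyx_aux_string_len` comes back from the libnyx plugin and is passed straight to `ck_write` as the byte count without being clamped to the 0x1000-byte buffer that was handed in, so a plugin that reports a length larger than its buffer (or a stale value) makes `ck_write` read past `afl->fsrv.nyx_aux_string` and copy whatever follows it into the crash log. The aux data originates on the guest/agent side, so the fuzzer should not trust the reported length: add `if (nyx_aux_string_len > 0x1000) { nyx_aux_string_len = 0x1000; }` before the `ck_write`, using the same named constant as the allocation if one is introduced. The `PFATAL` on an existing `.log` file aborts the whole fuzzer, which is consistent if the crash input just above was created with the same `O_EXCL` (its `open` is outside the hunk), but a short comment stating that the `.log` deliberately mirrors the crash file's exclusivity would help. `save_if_interesting` continues outside the hunk.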
@@ -468,6 +468,10 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { dlsym(handle, "nyx_get_bitmap_buffer_size"); if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; } + plugin->nyx_get_aux_string = + dlsym(handle, "nyx_get_aux_string"); + if (plugin->nyx_get_aux_string == NULL) { goto fail; } + OKF("libnyx plugin is ready!"); return plugin; -- cgit 1.4.1 From 713b069f40094482fb41ef17b44150162c062249 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Fri, 4 Mar 2022 06:01:49 +0100 Subject: fix compile error on non linux targets --- src/afl-fuzz-bitmap.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index bce1a195..226dfa5c 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -771,6 +771,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ck_write(fd, mem, len, fn); close(fd); +#ifdef __linux__ if(afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { u8 fn_log[PATH_MAX]; @@ -784,6 +785,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); close(fd); } +#endif return keeping; -- cgit 1.4.1 From 2eeba2dbf085b1c679dc82d59a0ec0ddc2c05429 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 4 Mar 2022 09:41:21 +0100 Subject: code format --- include/forkserver.h | 5 +++-- nyx_mode/custom_harness/example.c | 7 ++++--- src/afl-forkserver.c | 5 ++++- src/afl-fuzz-bitmap.c | 11 +++++++---- src/afl-fuzz.c | 3 +-- 5 files changed, 19 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index cb68ce4f..5b66e7ec 100644 --- a/include/forkserver.h +++ b/include/forkserver.h 
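Review bot: Resolving `nyx_get_aux_string` with `dlsym` and jumping to `fail` on NULL makes the new symbol mandatory, so any libnyx build that predates it will now refuse to load with whatever generic message the `fail` path prints (outside the hunk), and the user gets no hint which symbol is missing or that the plugin needs updating. I would name the symbol before bailing: `if (plugin->nyx_get_aux_string == NULL) { WARNF("libnyx is missing nyx_get_aux_string, please update libnyx"); goto fail; }`, and the other `dlsym` lookups above it would benefit from the same treatment. The `#ifdef __linux__` wrapper added to afl-fuzz-bitmap.c in the follow-up commit is the right fix for the non-Linux build and needs nothing further. `afl_load_libnyx_plugin` extends beyond the hunk.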
@@ -70,7 +70,8 @@ typedef struct { enum NyxReturnValue (*nyx_exec)(void *qemu_process); uint8_t *(*nyx_get_bitmap_buffer)(void *qemu_process); size_t (*nyx_get_bitmap_buffer_size)(void *qemu_process); - uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer, uint32_t size); + uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer, + uint32_t size); } nyx_plugin_handler_t; @@ -174,7 +175,7 @@ typedef struct afl_forkserver { void * nyx_runner; /* nyx runner object */ u32 nyx_id; /* nyx runner id (0 -> master) */ u32 nyx_bind_cpu_id; /* nyx runner cpu id */ - char* nyx_aux_string; + char * nyx_aux_string; #endif } afl_forkserver_t; diff --git a/nyx_mode/custom_harness/example.c b/nyx_mode/custom_harness/example.c index dd268534..a67d42c6 100644 --- a/nyx_mode/custom_harness/example.c +++ b/nyx_mode/custom_harness/example.c @@ -7,7 +7,7 @@ #define TRACE_BUFFER_SIZE (64) #define PAGE_SIZE 0x1000 -#define MMAP_SIZE(x) ((x & ~(PAGE_SIZE-1)) + PAGE_SIZE) +#define MMAP_SIZE(x) ((x & ~(PAGE_SIZE - 1)) + PAGE_SIZE) int main(int argc, char **argv) { @@ -30,8 +30,9 @@ int main(int argc, char **argv) { /* this is our "bitmap" that is later shared with the fuzzer (you can also * pass the pointer of the bitmap used by compile-time instrumentations in * your target) */ - uint8_t *trace_buffer = mmap(NULL, MMAP_SIZE(TRACE_BUFFER_SIZE), PROT_READ | - PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); + uint8_t *trace_buffer = + mmap(NULL, MMAP_SIZE(TRACE_BUFFER_SIZE), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); memset(trace_buffer, 0, TRACE_BUFFER_SIZE); // makes sure that the bitmap buffer is already // mapped into the guest's memory (alternatively diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 54f28852..628ff590 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
@@ -1257,9 +1257,12 @@ void afl_fsrv_kill(afl_forkserver_t *fsrv) { #ifdef __linux__ if (fsrv->nyx_mode) { + free(fsrv->nyx_aux_string); - fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner); + } + #endif } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 226dfa5c..a7c77aec 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -772,19 +772,22 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { close(fd); #ifdef __linux__ - if(afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { - u8 fn_log[PATH_MAX]; + if (afl->fsrv.nyx_mode && fault == FSRV_RUN_CRASH) { - snprintf(fn_log, PATH_MAX, "%s.log", fn); + u8 fn_log[PATH_MAX]; + snprintf(fn_log, PATH_MAX, "%s.log", fn); fd = open(fn_log, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } - u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); + u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string( + afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000); ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log); close(fd); + } + #endif return keeping; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index df6e5404..da1c7602 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -468,8 +468,7 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { dlsym(handle, "nyx_get_bitmap_buffer_size"); if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; } - plugin->nyx_get_aux_string = - dlsym(handle, "nyx_get_aux_string"); + plugin->nyx_get_aux_string = dlsym(handle, "nyx_get_aux_string"); if (plugin->nyx_get_aux_string == NULL) { goto fail; } OKF("libnyx plugin is ready!"); -- cgit 1.4.1 From 70cc32dc6ddac78b686a5b7d16bfd9ede3daa81a Mon Sep 17 00:00:00 2001 
From: mchesser
Date: Mon, 7 Mar 2022 14:28:45 +1030
Subject: Fix issue with trim in shared memory mode
---
 src/afl-fuzz-run.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 5da0e583..2a9d186b 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -232,7 +232,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
   memcpy(afl->fsrv.shmem_fuzz, mem, skip_at);
-  memcpy(afl->fsrv.shmem_fuzz, mem + skip_at + skip_len, tail_len);
+  memcpy(afl->fsrv.shmem_fuzz + skip_at, mem + skip_at + skip_len, tail_len);
 }
-- cgit 1.4.1
From c2229b506e045bba1864e8b2f8140c8dc6e83a4d Mon Sep 17 00:00:00 2001
From: mchesser
Date: Mon, 7 Mar 2022 14:35:25 +1030
Subject: Fix off by one bounds check
`is_hex` reads two bytes but caller previously only ensured that one byte was in bounds.
---
 src/afl-fuzz-redqueen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 1e4b1b3c..66df5c6f 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -2136,7 +2136,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry,
   if ((i % 2)) {
-    if (len > idx + i && is_hex(orig_buf + idx + i)) {
+    if (len > idx + i + 1 && is_hex(orig_buf + idx + i)) {
       fromhex += 2;
-- cgit 1.4.1
From 2a00f32666a847b7babb160bb7c27db59cec9561 Mon Sep 17 00:00:00 2001
From: mchesser
Date: Mon, 7 Mar 2022 14:39:36 +1030
Subject: Fix buffer overrun in `rtn_extended_encoding`
`idx + i` can range from `0` to `buf.len`, but the memcpy may try and write to offsets from `idx + i` to `idx + 2 * i`.
---
 src/afl-fuzz-redqueen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 66df5c6f..2f32ef1e 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
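Review bot: The fix correctly lands the tail at `shmem_fuzz + skip_at`, but both `memcpy` calls in `write_with_gap` still rely on the caller keeping `skip_at + skip_len <= len` and on `skip_at + tail_len` fitting in the shared fuzz buffer; neither is checked here, and the start of the function where `tail_len` is computed is outside the hunk. A why-comment on the fixed line would stop the regression from being reintroduced: `/* tail follows the head directly, skipping [skip_at, skip_at + skip_len) */`. If the shared-memory buffer has a fixed capacity, a debug assertion that `skip_at + tail_len` stays within it is cheap insurance against a silent overflow into whatever follows the mapping.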
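Review bot: `len > idx + i + 1` is the right bound for a two-byte `is_hex` read, but nothing on the line says why the extra `+ 1` is there, which is exactly how the original off-by-one crept in and how it could be "simplified" away again. I would annotate it: `/* is_hex() reads orig_buf[idx + i] and orig_buf[idx + i + 1] */`. `rtn_extend_encoding` starts before and continues after the hunk.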
@@ -2323,7 +2323,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } // fprintf(stderr, "RTN ATTEMPT fromhex %u result %u\n", fromhex, // *status); - memcpy(buf + idx + i, save + i, i + 1 + off); + memcpy(buf + idx, save, i + 1 + off); } -- cgit 1.4.1 From d29773825594e7249e8a3a80b344a69249e7ab9a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 7 Mar 2022 09:37:19 +0100 Subject: nits --- README.md | 2 +- src/afl-fuzz-bitmap.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/README.md b/README.md index 66b884e2..a29ce792 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ Step-by-step quick start: 5. You will find found crashes and hangs in the subdirectories `crashes/` and `hangs/` in the `-o output_dir` directory. You can replay the crashes by - feeding them to the target, e.g.: + feeding them to the target, e.g. if your target is using stdin: ``` cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...] diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a7c77aec..971ac494 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -423,10 +423,10 @@ void write_crash_readme(afl_state_t *afl) { "them to a vendor? Check out the afl-tmin that comes with the fuzzer!\n\n" "Found any cool bugs in open-source tools using afl-fuzz? If yes, please " - "drop\n" - "an mail at once the issues are fixed\n\n" - - " https://github.com/AFLplusplus/AFLplusplus\n\n", + "post\n" + "to https://github.com/AFLplusplus/AFLplusplus/issues/286 once the " + "issues\n" + " are fixed :)\n\n", afl->orig_cmdline, stringify_mem_size(val_buf, sizeof(val_buf), -- cgit 1.4.1 From c08304ad3d649df5033bd69a2096d454a28c36fc Mon Sep 17 00:00:00 2001 
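Review bot: Restoring from `save` at `buf + idx` instead of `buf + idx + i` removes the overrun the commit message describes, but the restore still writes `i + 1 + off` bytes starting at `idx`; the message says `idx + i` can reach `len`, so whenever `off` is non-zero at that boundary the copy still extends past `len` unless an earlier check outside the hunk rules that out, and the in-place rewrite that this `memcpy` undoes would have overrun first. Worth confirming where `off` is bounded relative to `len` and, if it is not, guarding the rewrite with `if (idx + i + 1 + off > len) { break; }` before it happens (hedged — it depends on what `save` holds and where it is filled). At minimum the line needs a comment stating the invariant: `/* undo the in-place rewrite: save holds the original i + 1 + off bytes at buf + idx */`. `rtn_extend_encoding` starts before and ends after the hunk.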
From: cd80
Date: Thu, 17 Mar 2022 14:36:41 +0900
Subject: fix typo for error message when using LD_PRELOAD
---
 src/afl-fuzz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index c73ab38b..eac01c9a 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1675,7 +1675,7 @@ int main(int argc, char **argv_orig, char **envp) {
   if (getenv("LD_PRELOAD")) {
     WARNF(
-        "LD_PRELOAD is set, are you sure that is what to you want to do "
+        "LD_PRELOAD is set, are you sure that is what you want to do "
         "instead of using AFL_PRELOAD?");
   }
-- cgit 1.4.1