From a8844eaceb1df92635a327fc4edba082b102a2ff Mon Sep 17 00:00:00 2001 From: Kuang-che Wu Date: Mon, 11 Oct 2021 15:47:20 +0800 Subject: afl-showmap don't create empty "-" file --- src/afl-showmap.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 75b0ff99..a04c1f5b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -242,9 +242,11 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (cmin_mode && (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { - // create empty file to prevent error messages in afl-cmin - fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); - close(fd); + if (strcmp(outfile, "-")) { + // create empty file to prevent error messages in afl-cmin + fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + close(fd); + } return ret; } -- cgit 1.4.1 From 00aa689f40a3c8276af257cf0b54dc655cb0423e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 11 Oct 2021 14:28:17 +0200 Subject: fix accidental bystander kills --- docs/Changelog.md | 2 ++ qemu_mode/qemuafl | 2 +- src/afl-forkserver.c | 6 +++--- unicorn_mode/unicornafl | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index dad5fee2..1c3830f9 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -18,6 +18,8 @@ sending a mail to . - fix -n dumb mode (nobody should use this) - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! + - Prevent accidently killing non-afl/fuzz services when aborting + afl-showmap and other tools. - afl-cc: - fix for shared linking on MacOS - llvm and LTO mode verified to work with new llvm 14-dev diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 71ed0d20..a6758d1c 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6 +Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c8c94c08..54f510c4 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -610,12 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!time_ms) { - kill(fsrv->fsrv_pid, fsrv->kill_signal); + if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } } else if (time_ms > fsrv->init_tmout) { fsrv->last_run_timed_out = 1; - kill(fsrv->fsrv_pid, fsrv->kill_signal); + if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } } else { @@ -1248,7 +1248,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - kill(fsrv->child_pid, fsrv->kill_signal); + if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); } fsrv->last_run_timed_out = 1; if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index f1c85364..c0e03d2c 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11 +Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8 -- cgit 1.4.1 From 3deca3b09b46130c9e23320c0b98f60543f9b5ba Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 15 Oct 2021 11:25:02 +0200 Subject: fix lto cmplog stability issue --- custom_mutators/grammar_mutator/grammar_mutator | 2 +- docs/Changelog.md | 1 + qemu_mode/qemuafl | 2 +- src/afl-fuzz-run.c | 30 +++++++++++++++++++++++-- unicorn_mode/unicornafl | 2 +- 5 files changed, 32 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index eedf07dd..b79d51a8 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit eedf07ddb0fb1f437f5e76b77cfd4064cf6a5d63 +Subproject commit b79d51a8daccbd7a693f9b6765c81ead14f28e26 diff --git a/docs/Changelog.md b/docs/Changelog.md index ea58a386..df4d343a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,7 @@ sending a mail to . - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! - fix -n dumb mode (nobody should use this) + - fix stability issue with LTO and cmplog - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! - Prevent accidently killing non-afl/fuzz services when aborting diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index a6758d1c..71ed0d20 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5 +Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6 diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4173f4e1..da6ba7d9 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at, u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 handicap, u8 from_queue) { - if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; } - u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, first_run = (q->exec_cksum == 0); u64 start_us, stop_us, diff_us; @@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 use_tmout = afl->fsrv.exec_tmout; u8 *old_sn = afl->stage_name; + if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; } + /* Be a bit more generous about timeouts when resuming sessions, or when trying to calibrate already-added finds. This helps avoid trouble due to intermittent latency. */ @@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } + /* we need a dummy run if this is LTO + cmplog */ + if (unlikely(afl->shm.cmplog_mode)) { + + write_to_testcase(afl, use_mem, q->len); + + fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); + + /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed, + we want to bail out quickly. */ + + if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; } + + if (!afl->non_instrumented_mode && !afl->stage_cur && + !count_bytes(afl, afl->fsrv.trace_bits)) { + + fault = FSRV_RUN_NOINST; + goto abort_calibration; + + } + +#ifdef INTROSPECTION + if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size; +#endif + + } + if (q->exec_cksum) { memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index d4915053..f1c85364 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e +Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11 -- cgit 1.4.1 From 8bc2b52f6579ab44f536d1ccb818acf37b047ec7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 17 Oct 2021 13:03:01 +0200 Subject: format --- src/afl-showmap.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a04c1f5b..5df07bf2 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -243,10 +243,13 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { if (strcmp(outfile, "-")) { + // create empty file to prevent error messages in afl-cmin fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); close(fd); + } + return ret; } -- cgit 1.4.1 From 45d668a671316821c3f9793381cb54956b535491 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 13:17:07 +0200 Subject: better ui banner --- docs/Changelog.md | 1 + include/afl-fuzz.h | 1 - src/afl-fuzz-init.c | 37 ------------------------------------- src/afl-fuzz-stats.c | 49 +++++++++++++++++++++++++++++-------------------- src/afl-fuzz.c | 17 +++++++++++++---- 5 files changed, 43 insertions(+), 62 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 6db013cf..63896622 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,7 @@ sending a mail to . coverage being detected. thanks to Collin May for reporting! - fix -n dumb mode (nobody should use this) - fix stability issue with LTO and cmplog + - better banner - frida_mode: David Carlier added Android support :) - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4b19e698..eaf55fb8 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1130,7 +1130,6 @@ void get_core_count(afl_state_t *); void fix_up_sync(afl_state_t *); void check_asan_opts(afl_state_t *); void check_binary(afl_state_t *, u8 *); -void fix_up_banner(afl_state_t *, u8 *); void check_if_tty(afl_state_t *); void setup_signal_handlers(void); void save_cmdline(afl_state_t *, u32, char **); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9bb25785..9c45f08a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2815,43 +2815,6 @@ void check_binary(afl_state_t *afl, u8 *fname) { } -/* Trim and possibly create a banner for the run. */ - -void fix_up_banner(afl_state_t *afl, u8 *name) { - - if (!afl->use_banner) { - - if (afl->sync_id) { - - afl->use_banner = afl->sync_id; - - } else { - - u8 *trim = strrchr(name, '/'); - if (!trim) { - - afl->use_banner = name; - - } else { - - afl->use_banner = trim + 1; - - } - - } - - } - - if (strlen(afl->use_banner) > 32) { - - u8 *tmp = ck_alloc(36); - sprintf(tmp, "%.32s...", afl->use_banner); - afl->use_banner = tmp; - - } - -} - /* Check if we're on TTY. */ void check_if_tty(afl_state_t *afl) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 870ba69a..0c06232b 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -441,9 +441,10 @@ void show_stats(afl_state_t *afl) { u64 cur_ms; u32 t_bytes, t_bits; - u32 banner_len, banner_pad; - u8 tmp[256]; - u8 time_tmp[64]; + static u8 banner[128]; + u32 banner_len, banner_pad; + u8 tmp[256]; + u8 time_tmp[64]; u8 val_buf[8][STRINGIFY_VAL_SIZE_MAX]; #define IB(i) (val_buf[(i)]) @@ -656,26 +657,34 @@ void show_stats(afl_state_t *afl) { } /* Let's start by drawing a centered banner. */ + if (unlikely(!banner[0])) { - banner_len = (afl->crash_mode ? 24 : 22) + strlen(VERSION) + - strlen(afl->use_banner) + strlen(afl->power_name) + 3 + 5; - banner_pad = (79 - banner_len) / 2; - memset(tmp, ' ', banner_pad); + char *si = ""; + if (afl->sync_id) { si = afl->sync_id; } + memset(banner, 0, sizeof(banner)); + banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) + + strlen(afl->power_name) + 4 + 6; -#ifdef HAVE_AFFINITY - sprintf( - tmp + banner_pad, - "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]" cBLU " {%d}", - afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", - afl->use_banner, afl->power_name, afl->cpu_aff); -#else - sprintf( - tmp + banner_pad, "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]", - afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", - afl->use_banner, afl->power_name); -#endif /* HAVE_AFFINITY */ + if (strlen(afl->use_banner) + banner_len > 75) { + + afl->use_banner += (strlen(afl->use_banner) + banner_len) - 76; + memset(afl->use_banner, '.', 3); + + } + + banner_len += strlen(afl->use_banner); + banner_pad = (79 - banner_len) / 2; + memset(banner, ' ', banner_pad); + + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); + + } - SAYF("\n%s\n", tmp); + SAYF("\n%s\n", banner); /* "Handy" shortcuts for drawing boxes... */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92a37697..26886a4f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1189,7 +1189,17 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->sync_id) { fix_up_sync(afl); } + if (afl->sync_id) { + + if (strlen(afl->sync_id) > 24) { + + FATAL("sync_id max length is 24 characters"); + + } + + fix_up_sync(afl); + + } if (!strcmp(afl->in_dir, afl->out_dir)) { @@ -1218,6 +1228,8 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->afl_env.afl_statsd)) { statsd_setup_format(afl); } + if (!afl->use_banner) { afl->use_banner = argv[optind]; } + if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) { WARNF(cLRD @@ -1486,9 +1498,6 @@ int main(int argc, char **argv_orig, char **envp) { } save_cmdline(afl, argc, argv); - - fix_up_banner(afl, argv[optind]); - check_if_tty(afl); if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; } -- cgit 1.4.1