From e1d5009229fb5cea5845cd08e0abdc8fe440ee86 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 9 Jul 2021 10:32:14 +0200 Subject: fixes --- src/afl-fuzz-python.c | 20 +++++++++++++++++--- src/afl-fuzz-queue.c | 22 +++++++++++++++++++++- 2 files changed, 38 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 3aa97635..bb4eabcc 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -813,8 +813,8 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { } -void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, - const u8 *filename_orig_queue) { +u8 queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, + const u8 *filename_orig_queue) { PyObject *py_args, *py_value; @@ -861,7 +861,21 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args); Py_DECREF(py_args); - if (py_value == NULL) { + if (py_value != NULL) { + + int ret = PyObject_IsTrue(py_value); + Py_DECREF(py_value); + + if (ret == -1) { + + PyErr_Print(); + FATAL("Failed to convert return value"); + + } + + return (u8)ret & 0xFF; + + } else { PyErr_Print(); FATAL("Call failed"); diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index d2689c94..48794e95 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -474,6 +474,8 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { if (afl->custom_mutators_count) { + u8 updated = 0; + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { if (el->afl_custom_queue_new_entry) { 
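Review bot: In queue_new_entry_py (hunk @@ -861), `return (u8)ret & 0xFF;` masks a value the cast has already narrowed, and since PyObject_IsTrue only yields 0, 1 or -1 (the -1 case is fatal two lines above), `return (u8)ret;` or `return ret ? 1 : 0;` states what is meant. The Python-side contract also changes silently: the callback's return value is now read as a boolean meaning "the queue file was rewritten", which the caller uses to refresh q->len; a comment above the PyObject_CallObject result handling, `/* non-zero: the mutator rewrote the file, caller must re-stat it */`, documents that for mutator authors (a callback returning None still maps to 0). The `else` branch ending in FATAL("Call failed") closes outside the hunk; if FATAL is not declared noreturn, the compiler will warn about reaching the end of a non-void function.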
@@ -487,12 +489,30 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { } - el->afl_custom_queue_new_entry(el->data, fname, fname_orig); + if (el->afl_custom_queue_new_entry(el->data, fname, fname_orig)) { + + updated = 1; + + } } }); + if (updated) { + + struct stat st; + if (stat(fname, &st)) { PFATAL("File %s is gone!", fname); } + if (!st.st_size) { + + FATAL("File %s became empty in custom mutator!", fname); + + } + + q->len = st.st_size; + + } + } /* only redqueen currently uses is_ascii */ -- cgit 1.4.1 From d354ec2586a3a31c87a8b95433c2886f04c44a03 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 9 Jul 2021 11:39:25 +0200 Subject: more fixes --- custom_mutators/gramatron/README.md | 4 +- custom_mutators/gramatron/gramfuzz-util.c | 70 +++++++++++++++++++++++++------ custom_mutators/gramatron/gramfuzz.c | 28 +++++++------ custom_mutators/gramatron/gramfuzz.h | 29 ++++++------- custom_mutators/gramatron/uthash.h | 25 +++++++++-- include/afl-fuzz.h | 2 + src/afl-fuzz-init.c | 12 +++--- src/afl-fuzz-mutators.c | 39 +++++++++++++++++ src/afl-fuzz-queue.c | 38 ++--------------- 9 files changed, 162 insertions(+), 85 deletions(-) (limited to 'src') diff --git a/custom_mutators/gramatron/README.md b/custom_mutators/gramatron/README.md index 7f73cf2c..6659cb95 100644 --- a/custom_mutators/gramatron/README.md +++ b/custom_mutators/gramatron/README.md @@ -23,8 +23,8 @@ You have to set the grammar file to use with `GRAMMATRON_AUTOMATION`: ``` export AFL_DISABLE_TRIM=1 export AFL_CUSTOM_MUTATOR_ONLY=1 -export AFL_CUSTOM_MUTATOR_LIBRARY=./grammatron.so -export GRAMMATRON_AUTOMATION=grammars/ruby/source_automata.json +export AFL_CUSTOM_MUTATOR_LIBRARY=./gramatron.so +export GRAMATRON_AUTOMATION=grammars/ruby/source_automata.json afl-fuzz -i in -o out -- ./target ``` diff --git a/custom_mutators/gramatron/gramfuzz-util.c b/custom_mutators/gramatron/gramfuzz-util.c index cb2e1b59..41ffd86d 100644 --- a/custom_mutators/gramatron/gramfuzz-util.c 
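Review bot: `q->len = st.st_size;` in the new `if (updated)` block narrows `off_t` to the `u32` that add_to_queue receives as `len`, so a file a custom mutator grew past 4 GiB is silently truncated; the same assignment is copied into run_afl_custom_queue_new_entry in src/afl-fuzz-mutators.c by the following commit. A bound consistent with the rest of the queue handling would be safer, e.g. `if (st.st_size > (off_t)MAX_FILE) { FATAL("File %s exceeds MAX_FILE after custom mutator", fname); }` before the assignment (MAX_FILE is the limit perform_dry_run already clamps reads to). `stat()` also re-reads the path after the callback returned, so the contract that the file must be complete when afl_custom_queue_new_entry returns non-zero deserves a comment here.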
+++ b/custom_mutators/gramatron/gramfuzz-util.c @@ -4,6 +4,11 @@ #include #include "afl-fuzz.h" #include "gramfuzz.h" +#ifdef _GNU_SOURCE + #undef _GNU_SOURCE +#endif +#define _GNU_SOURCE +#include /* Dynamic Array for adding to the input repr * */ @@ -178,7 +183,7 @@ void write_input(Array *input, u8 *fn) { // If the input has already been flushed, then skip silently if (fp == NULL) { - printf("\n File could not be open, exiting"); + fprintf(stderr, "\n File '%s' could not be open, exiting\n", fn); exit(1); } @@ -196,22 +201,13 @@ void write_input(Array *input, u8 *fn) { } -// Read the input representation into memory -Array *read_input(state *pda, u8 *fn) { +Array *parse_input(state *pda, FILE *fp) { - FILE * fp; terminal *term; state * state_ptr; trigger * trigger; int trigger_idx; Array * input = (Array *)calloc(1, sizeof(Array)); - fp = fopen(fn, "rb"); - if (fp == NULL) { - - printf("\nFile:%s does not exist..exiting", fn); - exit(1); - - } // Read the length parameters fread(&input->used, sizeof(size_t), 1, fp); @@ -219,6 +215,12 @@ Array *read_input(state *pda, u8 *fn) { fread(&input->inputlen, sizeof(size_t), 1, fp); terminal *start_ptr = (terminal *)calloc(input->size, sizeof(terminal)); + if (!start_ptr) { + + fprintf(stderr, "alloc failed!\n"); + return NULL; + + } // Read the dynamic array to memory fread(start_ptr, input->size * sizeof(terminal), 1, fp); 
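Review bot: The `#undef`/`#define _GNU_SOURCE` block in the @@ -4 hunk comes after `#include "afl-fuzz.h"` and whatever system headers that pulls in, so it cannot influence any header already processed; feature-test macros have to be defined before the first system header. `memfd_create` is only declared by `<sys/mman.h>` under `_GNU_SOURCE`, so if that header has already been included earlier the declaration presumably stays hidden and the call in open_input is compiled against an implicit declaration. Move the block to the very top of the file, or define `_GNU_SOURCE` in the mutator's CFLAGS, instead of redefining it in the middle of the include list.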
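Review bot: The new `if (!start_ptr)` path in parse_input (hunk @@ -219) returns NULL but leaks `input`, which was allocated with `calloc(1, sizeof(Array))` a few lines above; add `free(input);` before the `return NULL;`. The allocation count `input->size` is taken straight from the file by the preceding fread and none of the fread results are checked, so a truncated or hand-edited `.aut` file yields a zero-filled or oversized array rather than an error; checking `fread(...) == 1` and rejecting an implausible `size` would turn that into a clear failure. The function's remaining body continues outside this hunk.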
@@ -242,9 +244,51 @@ Array *read_input(state *pda, u8 *fn) { // printf("\nUsed:%zu Size:%zu Inputlen:%zu", input->used, input->size, // input->inputlen); - fclose(fp); - return input; } +Array *open_input(state *pda, u8 *data, size_t len) { + + int fd = memfd_create("foo", O_RDWR); + if (fd < 0) { + + fprintf(stderr, "Error: memfd_create failed\n"); + return NULL; + + } + + ck_write(fd, data, len, "memfd_create"); + lseek(fd, 0, SEEK_SET); + FILE *f = fdopen(fd, "rb"); + if (!f) { + + fprintf(stderr, "Error: fdopen failed\n"); + return NULL; + + } + + Array *res = parse_input(pda, f); + fclose(f); + return res; + +} + +// Read the input representation into memory +Array *read_input(state *pda, u8 *fn) { + + FILE *fp; + fp = fopen(fn, "rb"); + if (fp == NULL) { + + fprintf(stderr, "\n File '%s' does not exist, exiting\n", fn); + exit(1); + + } + + Array *res = parse_input(pda, fp); + fclose(fp); + return res; + +} + diff --git a/custom_mutators/gramatron/gramfuzz.c b/custom_mutators/gramatron/gramfuzz.c index 5c96ddce..55b631e6 100644 --- a/custom_mutators/gramatron/gramfuzz.c +++ b/custom_mutators/gramatron/gramfuzz.c @@ -159,7 +159,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { // u32 recur_len = 0; // The number of recursive features // data->mutator_buf = NULL; - char *automaton_file = getenv("GRAMMATRON_AUTOMATION"); + char *automaton_file = getenv("GRAMATRON_AUTOMATION"); if (automaton_file) { pda = create_pda(automaton_file); @@ -168,7 +168,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { fprintf(stderr, "\nError: GrammaTron needs an automation json file set in " - "AFL_GRAMMATRON_AUTOMATON\n"); + "AFL_GRAMATRON_AUTOMATON\n"); exit(-1); } 
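Review bot: In open_input, `memfd_create("foo", O_RDWR)` passes an open(2) flag where memfd_create expects `MFD_*` flags; on Linux O_RDWR happens to have the same value as MFD_ALLOW_SEALING, which is why the call does not fail with EINVAL, but it is not what was meant. Use `int fd = memfd_create("foo", MFD_CLOEXEC);` so the descriptor is also not inherited by any child the fuzzer spawns afterwards. The `if (!f)` path after fdopen returns NULL without releasing the descriptor, so add `close(fd);` there, and the `lseek` result is unchecked (on failure parse_input would read from the end of the memfd and see zero-length reads).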
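Review bot: The error message in afl_custom_init (gramfuzz.c hunk @@ -168) now tells the user to set `AFL_GRAMATRON_AUTOMATON`, but the code reads `getenv("GRAMATRON_AUTOMATION")` in the hunk just above and the README changed in this same commit documents `GRAMATRON_AUTOMATION`; a user following the message sets a variable nothing reads. Change the string to `"GRAMATRON_AUTOMATION\n"`, or better name the variable once in a macro that both the getenv call and the message use so they cannot drift again.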
@@ -208,18 +208,18 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, doMult(data->orig_walk, data->recurIdx, data->recurlen); data->mut_alloced = 1; - } else if (data->mut_idx == 2) { // Perform splice mutation + /*} else if (data->mut_idx == 2) { // Perform splice mutation - // Read the input representation for the splice candidate - u8 * automaton_fn = alloc_printf("%s.aut", add_buf); - Array *spliceCandidate = read_input(pda, automaton_fn); + // Read the input representation for the splice candidate + //u8 * automaton_fn = alloc_printf("%s.aut", add_buf); + Array *spliceCandidate = open_input(pda, add_buf, add_buf_size); - data->mutated_walk = - performSpliceOne(data->orig_walk, data->statemap, spliceCandidate); - data->mut_alloced = 1; - free(spliceCandidate->start); - free(spliceCandidate); - ck_free(automaton_fn); + data->mutated_walk = + performSpliceOne(data->orig_walk, data->statemap, spliceCandidate); + data->mut_alloced = 1; + free(spliceCandidate->start); + free(spliceCandidate); + //ck_free(automaton_fn);*/ } else { // Generate an input from scratch @@ -262,6 +262,10 @@ u8 afl_custom_queue_new_entry(my_mutator_t * data, automaton_fn = alloc_printf("%s.aut", filename_new_queue); // Check if this method is being called during initialization + + // fprintf(stderr, "new: %s, old: %s, auto: %s\n", + // filename_new_queue,filename_orig_queue,automaton_fn); + if (filename_orig_queue) { write_input(data->mutated_walk, automaton_fn); diff --git a/custom_mutators/gramatron/gramfuzz.h b/custom_mutators/gramatron/gramfuzz.h index 811e0af7..46cde8ec 100644 --- a/custom_mutators/gramatron/gramfuzz.h +++ b/custom_mutators/gramatron/gramfuzz.h 
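Review bot: The splice branch in afl_custom_fuzz (hunk @@ -208) is kept as a block comment containing live-looking code, including a call to the new open_input; commented-out code drifts and is never compiled, so breakage goes unnoticed. Either delete it and leave a single line stating the decision, e.g. `/* mut_idx == 2 (splice) is disabled and falls through to from-scratch generation below */`, or wrap it in `#if 0` / `#endif` so it can be re-enabled with one edit. As written, `data->mut_idx == 2` now silently takes the `else` branch, which nothing in the code points out. The function body continues outside the hunk.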
@@ -1,27 +1,27 @@ #ifndef _GRAMFUZZ_H - #define _GRAMFUZZ_H +#define _GRAMFUZZ_H - #include - #include - #include "hashmap.h" - #include "uthash.h" - #include "utarray.h" +#include +#include +#include "hashmap.h" +#include "uthash.h" +#include "utarray.h" - #define INIT_INPUTS 100 // No. of initial inputs to be generated +#define INIT_INPUTS 100 // No. of initial inputs to be generated // Set this as `numstates` + 1 where `numstates` is retrieved from gen automata // json #define STATES 63 - #define INIT_SIZE 100 // Initial size of the dynamic array holding the input +#define INIT_SIZE 100 // Initial size of the dynamic array holding the input - #define SPLICE_CORPUS 10000 - #define RECUR_THRESHOLD 6 - #define SIZE_THRESHOLD 2048 +#define SPLICE_CORPUS 10000 +#define RECUR_THRESHOLD 6 +#define SIZE_THRESHOLD 2048 - #define FLUSH_INTERVAL \ - 3600 // Inputs that gave new coverage will be dumped every FLUSH_INTERVAL - // seconds +#define FLUSH_INTERVAL \ + 3600 // Inputs that gave new coverage will be dumped every FLUSH_INTERVAL + // seconds typedef struct trigger { @@ -199,6 +199,7 @@ Array *performSpliceGF(state *, Array *, afl_state_t *); void dump_input(u8 *, char *, int *); void write_input(Array *, u8 *); Array *read_input(state *, u8 *); +Array *open_input(state *, u8 *, size_t); state *pda; // // AFL-specific struct diff --git a/custom_mutators/gramatron/uthash.h b/custom_mutators/gramatron/uthash.h index 5957899a..05c8abe6 100644 --- a/custom_mutators/gramatron/uthash.h +++ b/custom_mutators/gramatron/uthash.h @@ -59,6 +59,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *_da_dst = (char *)(src); \ \ } while (0) + #else #define DECLTYPE_ASSIGN(dst, src) \ do { \ @@ -66,6 +67,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. (dst) = DECLTYPE(dst)(src); \ \ } while (0) + #endif /* a number of the hash function use uint32_t which isn't defined on Pre VS2010 
@@ -138,6 +140,7 @@ typedef unsigned char uint8_t; (oomed) = 1; \ \ } while (0) +\ #define IF_HASH_NONFATAL_OOM(x) x #else @@ -153,10 +156,11 @@ typedef unsigned char uint8_t; #endif /* initial number of buckets */ -#define HASH_INITIAL_NUM_BUCKETS 32U /* initial number of buckets */ -#define HASH_INITIAL_NUM_BUCKETS_LOG2 5U /* lg2 of initial number of buckets \ - */ -#define HASH_BKT_CAPACITY_THRESH 10U /* expand when bucket count reaches */ +#define HASH_INITIAL_NUM_BUCKETS 32U /* initial number of buckets */ +#define HASH_INITIAL_NUM_BUCKETS_LOG2 \ + 5U /* lg2 of initial number of buckets \ + */ +#define HASH_BKT_CAPACITY_THRESH 10U /* expand when bucket count reaches */ /* calculate the element whose hash handle address is hhp */ #define ELMT_FROM_HH(tbl, hhp) ((void *)(((char *)(hhp)) - ((tbl)->hho))) @@ -376,6 +380,8 @@ typedef unsigned char uint8_t; \ } while ((_hs_iter = HH_FROM_ELMT((head)->hh.tbl, _hs_iter)->next)); \ \ + \ + \ } while (0) #ifdef NO_DECLTYPE @@ -397,6 +403,8 @@ typedef unsigned char uint8_t; \ } while ((_hs_iter = HH_FROM_ELMT((head)->hh.tbl, _hs_iter)->next)); \ \ + \ + \ } while (0) #endif @@ -639,6 +647,7 @@ typedef unsigned char uint8_t; HASH_FIND(hh, head, findstr, _uthash_hfstr_keylen, out); \ \ } while (0) +\ #define HASH_ADD_STR(head, strfield, add) \ do { \ \ @@ -646,6 +655,7 @@ typedef unsigned char uint8_t; HASH_ADD(hh, head, strfield[0], _uthash_hastr_keylen, add); \ \ } while (0) +\ #define HASH_REPLACE_STR(head, strfield, add, replaced) \ do { \ \ @@ -653,6 +663,7 @@ typedef unsigned char uint8_t; HASH_REPLACE(hh, head, strfield[0], _uthash_hrstr_keylen, add, replaced); \ \ } while (0) +\ #define HASH_FIND_INT(head, findint, out) \ HASH_FIND(hh, head, findint, sizeof(int), out) #define HASH_ADD_INT(head, intfield, add) \ @@ -679,6 +690,7 @@ typedef unsigned char uint8_t; exit(-1); \ \ } while (0) +\ #define HASH_FSCK(hh, head, where) \ do { \ \ 
@@ -748,6 +760,7 @@ typedef unsigned char uint8_t; } \ \ } while (0) + #else #define HASH_FSCK(hh, head, where) #endif @@ -764,6 +777,7 @@ typedef unsigned char uint8_t; write(HASH_EMIT_KEYS, keyptr, (unsigned long)fieldlen); \ \ } while (0) + #else #define HASH_EMIT_KEY(hh, head, keyptr, fieldlen) #endif @@ -806,6 +820,7 @@ typedef unsigned char uint8_t; } \ \ } while (0) + /* FNV-1a variation */ #define HASH_FNV(key, keylen, hashv) \ do { \ @@ -1098,6 +1113,7 @@ typedef unsigned char uint8_t; hashv = _mur_h1; \ \ } while (0) + #endif /* HASH_USING_NO_STRICT_ALIASING */ /* iterate over items in a known bucket to find desired item */ @@ -1335,6 +1351,7 @@ typedef unsigned char uint8_t; _hs_psize--; \ \ } else if ((cmpfcn(DECLTYPE(head)( \ + \ ELMT_FROM_HH((head)->hh.tbl, _hs_p)), \ DECLTYPE(head)(ELMT_FROM_HH((head)->hh.tbl, \ _hs_q)))) <= 0) { \ diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 70d9473e..16409892 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1005,6 +1005,8 @@ void setup_custom_mutators(afl_state_t *); void destroy_custom_mutators(afl_state_t *); u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf, struct custom_mutator *mutator); +void run_afl_custom_queue_new_entry(afl_state_t *, struct queue_entry *, u8 *, + u8 *); /* Python */ #ifdef USE_PYTHON diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 5e4f1585..faa45a4e 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -881,11 +881,7 @@ void perform_dry_run(afl_state_t *afl) { u32 read_len = MIN(q->len, (u32)MAX_FILE); use_mem = afl_realloc(AFL_BUF_PARAM(in), read_len); - if (read(fd, use_mem, read_len) != (ssize_t)read_len) { - - FATAL("Short read from '%s'", q->fname); - - } + ck_read(fd, use_mem, read_len, q->fname); close(fd); 
@@ -1350,6 +1346,12 @@ void pivot_inputs(afl_state_t *afl) { if (q->passed_det) { mark_as_det_done(afl, q); } + if (afl->custom_mutators_count) { + + run_afl_custom_queue_new_entry(afl, q, q->fname, NULL); + + } + ++id; } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index e27d6fae..91bae48e 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -31,6 +31,45 @@ struct custom_mutator *load_custom_mutator(afl_state_t *, const char *); struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *); #endif +void run_afl_custom_queue_new_entry(afl_state_t *afl, struct queue_entry *q, + u8 *fname, u8 *mother_fname) { + + if (afl->custom_mutators_count) { + + u8 updated = 0; + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_queue_new_entry) { + + if (el->afl_custom_queue_new_entry(el->data, fname, mother_fname)) { + + updated = 1; + + } + + } + + }); + + if (updated) { + + struct stat st; + if (stat(fname, &st)) { PFATAL("File %s is gone!", fname); } + if (!st.st_size) { + + FATAL("File %s became empty in custom mutator!", fname); + + } + + q->len = st.st_size; + + } + + } + +} + void setup_custom_mutators(afl_state_t *afl) { /* Try mutator library first */ diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 48794e95..8080775f 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c 
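Review bot: The new call in pivot_inputs (hunk @@ -1350) is wrapped in `if (afl->custom_mutators_count)`, but run_afl_custom_queue_new_entry in src/afl-fuzz-mutators.c (same commit) begins with the identical check, so one of the two is redundant; keep the guard in the callee, where the contract lives, and call it unconditionally here. The helper only updates `q->len` from `stat()`; if any cached copy of this entry's contents exists at that point, the buffer and the length can now disagree, which a comment on the new prototype in include/afl-fuzz.h should state. pivot_inputs continues outside the hunk.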
@@ -474,42 +474,10 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { if (afl->custom_mutators_count) { - u8 updated = 0; + /* At the initialization stage, queue_cur is NULL */ + if (afl->queue_cur && !afl->syncing_party) { - LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - - if (el->afl_custom_queue_new_entry) { - - u8 *fname_orig = NULL; - - /* At the initialization stage, queue_cur is NULL */ - if (afl->queue_cur && !afl->syncing_party) { - - fname_orig = afl->queue_cur->fname; - - } - - if (el->afl_custom_queue_new_entry(el->data, fname, fname_orig)) { - - updated = 1; - - } - - } - - }); - - if (updated) { - - struct stat st; - if (stat(fname, &st)) { PFATAL("File %s is gone!", fname); } - if (!st.st_size) { - - FATAL("File %s became empty in custom mutator!", fname); - - } - - q->len = st.st_size; + run_afl_custom_queue_new_entry(afl, q, fname, afl->queue_cur->fname); } -- cgit 1.4.1 From 699a1b0120aaa2ccd2ab09262adf6dc9b2830006 Mon Sep 17 00:00:00 2001 From: yuawn Date: Wed, 21 Jul 2021 10:37:54 +0000 Subject: remove unneeded assignment --- src/afl-fuzz-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0a9242a5..59b1d279 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -560,7 +560,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } /* due to classify counts we have to recalculate the checksum */ - cksum = afl->queue_top->exec_cksum = + afl->queue_top->exec_cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); /* Try to calibrate inline; this also calls update_bitmap_score() when -- cgit 1.4.1 From dc0fed6e0c13702fa36fab66631fb5bbca6d64de Mon Sep 17 00:00:00 2001 
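Review bot: The rewritten add_to_queue (hunk @@ -474) only invokes run_afl_custom_queue_new_entry when `afl->queue_cur && !afl->syncing_party`, whereas the removed code always invoked the callback and merely passed `fname_orig = NULL` in those cases. Skipping while queue_cur is NULL is covered by the new pivot_inputs call, but entries imported from other fuzzers (`syncing_party` set) now never reach afl_custom_queue_new_entry, so a mutator that prepares per-entry data in that callback, such as gramatron writing its `.aut` file, will presumably lack it for synced inputs. If that is intended, extend the comment to `/* queue_cur is NULL at initialization (pivot_inputs handles those); synced entries are skipped on purpose */`; otherwise compute the mother name as before, `u8 *mother = (afl->queue_cur && !afl->syncing_party) ? afl->queue_cur->fname : NULL;`, and call the helper unconditionally. The enclosing block closes outside the hunk.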
From: vanhauser-thc Date: Fri, 23 Jul 2021 10:34:51 +0200 Subject: handle single seed with perf_score 0 --- src/afl-fuzz-one.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 7274f679..a92cef7a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -547,7 +547,11 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->queue_cur->perf_score = orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (unlikely(perf_score <= 0)) { goto abandon_entry; } + if (unlikely(perf_score <= 0 && afl->active_paths > 1)) { + + goto abandon_entry; + + } if (unlikely(afl->shm.cmplog_mode && afl->queue_cur->colorized < afl->cmplog_lvl && @@ -3047,7 +3051,11 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { else orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (unlikely(perf_score <= 0)) { goto abandon_entry; } + if (unlikely(perf_score <= 0 && afl->active_paths > 1)) { + + goto abandon_entry; + + } if (unlikely(afl->shm.cmplog_mode && afl->queue_cur->colorized < afl->cmplog_lvl && -- cgit 1.4.1 From bab487f4b58e597e0d8f8db59d2913c87a4a0986 Mon Sep 17 00:00:00 2001 From: yuawn Date: Fri, 23 Jul 2021 12:34:47 +0000 Subject: remove redundant if statement --- src/afl-cc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 9899f973..244b46d1 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1921,9 +1921,7 @@ int main(int argc, char **argv, char **envp) { // ptr = instrument_mode_string[instrument_mode]; // } - } else if (instrument_mode == INSTRUMENT_LTO || - - instrument_mode == INSTRUMENT_CLASSIC) { + } else if (instrument_mode == INSTRUMENT_CLASSIC) { lto_mode = 1; -- cgit 1.4.1 From 9d3816abff6c3dafa07490aa9bc7199c66f690aa Mon Sep 17 00:00:00 2001 
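Review bot: In fuzz_one_original (hunk @@ -547), `perf_score <= 0 && afl->active_paths > 1` lets a zero or negative perf_score continue into the stages when only one path is active; the same change is made in mopt_common_fuzzing (hunk @@ -3047). If the havoc or splice iteration counts further down are derived from perf_score (not visible in these hunks), a zero would give zero iterations and the single seed would still not be mutated, which is the situation the commit sets out to fix; clamping is more robust, e.g. `if (unlikely(perf_score <= 0)) { if (afl->active_paths > 1) { goto abandon_entry; } perf_score = 1; }`. A comment stating why the single-seed case is allowed through would help either way.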
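Review bot: After the removal in afl-cc's main (hunk @@ -1921) the surviving branch reads `else if (instrument_mode == INSTRUMENT_CLASSIC) { lto_mode = 1;`, which looks inverted to a reader who cannot see the enclosing condition; the start of the if-chain lies outside the hunk. If this chain is only reached once an LTO compiler mode has been selected and CLASSIC is the default that upgrades to LTO, a one-line comment such as `// already in an LTO compiler mode: plain CLASSIC instrumentation means LTO here` stops the next reader from "fixing" it; otherwise the condition deserves a second look.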
From: yuawn Date: Sun, 25 Jul 2021 16:25:37 +0000 Subject: remove unused code --- src/afl-fuzz-one.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a92cef7a..17749601 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -5249,7 +5249,6 @@ pacemaker_fuzzing: } afl->temp_puppet_find = afl->total_puppet_find; - u64 temp_stage_finds_puppet = 0; for (i = 0; i < operator_num; ++i) { if (MOpt_globals.is_pilot_mode) { @@ -5275,7 +5274,6 @@ pacemaker_fuzzing: MOpt_globals.finds[i] = MOpt_globals.finds_v2[i]; MOpt_globals.cycles[i] = MOpt_globals.cycles_v2[i]; - temp_stage_finds_puppet += MOpt_globals.finds[i]; } /* for i = 0; i < operator_num */ @@ -5337,7 +5335,6 @@ pacemaker_fuzzing: afl->core_operator_finds_puppet_v2[i]; afl->core_operator_cycles_puppet[i] = afl->core_operator_cycles_puppet_v2[i]; - temp_stage_finds_puppet += afl->core_operator_finds_puppet[i]; } -- cgit 1.4.1 From 07346cb06d7c31e7fc7443490797192cafc90705 Mon Sep 17 00:00:00 2001 From: Jesse Hertz Date: Tue, 27 Jul 2021 23:47:23 -0400 Subject: fix check again clang asan lib to work on mac and linux by removing a character --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 0c7b6e42..b6da5a72 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -339,7 +339,7 @@ static void fasan_check_afl_preload(char *afl_preload) { char * separator = strchr(afl_preload, ':'); size_t first_preload_len = PATH_MAX; char * basename; - char clang_runtime_prefix[] = "libclang_rt.asan-"; + char clang_runtime_prefix[] = "libclang_rt.asan"; if (separator != NULL && (separator - afl_preload) < PATH_MAX) { -- cgit 1.4.1 From 8b66d9503854ab40f7c1fadb26e0a7523ac327e9 Mon Sep 17 00:00:00 2001 
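Review bot: Dropping the trailing dash in `clang_runtime_prefix` (fasan_check_afl_preload, hunk @@ -339) makes the prefix match both the Linux name `libclang_rt.asan-<arch>.so` and the macOS name `libclang_rt.asan_osx_dynamic.dylib`, but nothing in the code says so and the next person may restore the dash to tighten the check. Add `/* no trailing '-': Linux uses libclang_rt.asan-<arch>.so, macOS libclang_rt.asan_osx_dynamic.dylib */` next to the declaration. The wider prefix also matches names like `libclang_rt.asan_static`; if that distinction matters for this check it should be handled explicitly. The function continues outside the hunk.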
From: vanhauser-thc Date: Fri, 30 Jul 2021 07:12:53 +0200 Subject: frida tool fix --- src/afl-analyze.c | 1 + src/afl-showmap.c | 1 + src/afl-tmin.c | 1 + utils/aflpp_driver/aflpp_driver_test.c | 2 -- 4 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index dbf2920f..a429a64e 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -984,6 +984,7 @@ int main(int argc, char **argv_orig, char **envp) { frida_mode = 1; fsrv.frida_mode = frida_mode; + setenv("AFL_FRIDA_INST_SEED", "1", 1); break; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5c899e69..79b1afed 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1035,6 +1035,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } fsrv->frida_mode = true; + setenv("AFL_FRIDA_INST_SEED", "1", 1); break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 2d80abe4..351b2f60 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1027,6 +1027,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } fsrv->frida_mode = 1; + setenv("AFL_FRIDA_INST_SEED", "1", 1); break; diff --git a/utils/aflpp_driver/aflpp_driver_test.c b/utils/aflpp_driver/aflpp_driver_test.c index fe05b4f8..527ba57b 100644 --- a/utils/aflpp_driver/aflpp_driver_test.c +++ b/utils/aflpp_driver/aflpp_driver_test.c @@ -2,8 +2,6 @@ #include #include -#include "hash.h" - void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Size < 5) return; -- cgit 1.4.1 From bcdb69289f4a5304b1aee641d5f5a32437b91729 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 30 Jul 2021 07:25:44 +0200 Subject: frida tool fix --- src/afl-analyze.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'src') 
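Review bot: The `setenv("AFL_FRIDA_INST_SEED", ..., 1)` added to afl-analyze, afl-showmap and afl-tmin (the three hunks of this commit, re-touched with a new value in the next one) passes overwrite=1, so a value the user exported on purpose, for instance to reproduce the instrumentation layout of a particular afl-fuzz run, is silently discarded. If the intent is only a deterministic default, pass `0` as the third argument so a user-supplied value survives; if the tool must force it, a comment stating why belongs next to the call. Three identical copies also argue for a single constant in include/envs.h rather than a literal in each tool, and the setenv return value is unchecked in all three.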
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index a429a64e..e19df3ce 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -984,7 +984,7 @@ int main(int argc, char **argv_orig, char **envp) { frida_mode = 1; fsrv.frida_mode = frida_mode; - setenv("AFL_FRIDA_INST_SEED", "1", 1); + setenv("AFL_FRIDA_INST_SEED", "0x0", 1); break; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 79b1afed..9122cd25 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1035,7 +1035,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } fsrv->frida_mode = true; - setenv("AFL_FRIDA_INST_SEED", "1", 1); + setenv("AFL_FRIDA_INST_SEED", "0x0", 1); break; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 351b2f60..792770e0 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1027,7 +1027,7 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } fsrv->frida_mode = 1; - setenv("AFL_FRIDA_INST_SEED", "1", 1); + setenv("AFL_FRIDA_INST_SEED", "0x0", 1); break; -- cgit 1.4.1 From 2702a713d7bbc54c68ad1ba2ab0b12088fdc5cdc Mon Sep 17 00:00:00 2001 From: Cornelius Aschermann Date: Fri, 30 Jul 2021 12:43:23 +0200 Subject: improved error message --- src/afl-sharedmem.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index fbb8e65d..b2cdac9b 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -244,7 +244,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); - if (shm->shm_id < 0) { PFATAL("shmget() failed"); } + if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); } if (shm->cmplog_mode) { 
@@ -254,7 +254,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (shm->cmplog_shm_id < 0) { shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem - PFATAL("shmget() failed"); + PFATAL("shmget() failed, try running afl-system-config"); } @@ -325,4 +325,3 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, return shm->map; } - -- cgit 1.4.1 From 08080e70a618ef543615434d323ac35afb8dbf05 Mon Sep 17 00:00:00 2001 From: yuawn Date: Sat, 31 Jul 2021 08:09:47 +0000 Subject: use HASH_CONST --- src/afl-forkserver.c | 2 +- src/afl-fuzz-run.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 5e8fb9b5..26a9aaed 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1105,7 +1105,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (getenv("AFL_DEBUG")) { fprintf(stderr, "FS crc: %016llx len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), + hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, HASH_CONST), *fsrv->shmem_fuzz_len); fprintf(stderr, "SHM :"); for (u32 i = 0; i < *fsrv->shmem_fuzz_len; i++) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index e876beea..4173f4e1 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -220,7 +220,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at, fprintf( stderr, "FS crc: %16llx len: %u\n", - hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, 0xa5b35705), + hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, HASH_CONST), *afl->fsrv.shmem_fuzz_len); fprintf(stderr, "SHM :"); for (u32 i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) -- cgit 1.4.1 From 8ad6e7c1404be214ea25692cbd9093aad3dff9ae Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Mon, 2 Aug 2021 10:15:13 +0200 Subject: fix afl_preload issues on macos --- docs/Changelog.md | 1 + docs/INSTALL.md | 2 +- src/afl-fuzz.c | 5 +++-- 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 10d25754..d397a764 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,7 @@ sending a mail to . configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! - added xml, curl and exotic string functions to llvm dictionary features + - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better diff --git a/docs/INSTALL.md b/docs/INSTALL.md index b3f9fb96..17af532a 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -74,7 +74,7 @@ and depend mostly on user feedback. To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. If possible avoid Xcode at all cost. -`brew install wget git make cmake llvm` +`brew install wget git make cmake llvm gdb` Be sure to setup PATH to point to the correct clang binaries and use the freshly installed clang, clang++ and gmake, e.g.: diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b6da5a72..c97427e1 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1398,6 +1398,9 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; + check_crash_handling(); + check_cpu_governor(afl); + if (getenv("LD_PRELOAD")) { WARNF( @@ -1498,8 +1501,6 @@ int main(int argc, char **argv_orig, char **envp) { } - check_crash_handling(); - check_cpu_governor(afl); get_core_count(afl); -- cgit 1.4.1 From 50fc76faa86c7e2cc6523af141f3596bc2af2364 Mon Sep 17 00:00:00 2001 
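Review bot: Moving `check_crash_handling();` and `check_cpu_governor(afl);` ahead of the LD_PRELOAD/AFL_PRELOAD handling (hunk @@ -1398) is, per the subject, the whole macOS preload fix, but the code does not record why the order matters, so a later cleanup could move them back. Add a comment above the two calls, e.g. `/* keep these before the preload handling below: running them afterwards breaks AFL_PRELOAD on macOS (see the commit that moved them) */`, adjusting the wording to the failure that was actually observed. The second hunk (@@ -1498) only removes the old call site.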
From: wxyxsx Date: Tue, 10 Aug 2021 11:14:55 +0800 Subject: Update afl-fuzz-python.c Fix havoc_mutations not working in python version --- src/afl-fuzz-python.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 3aa97635..bc481b49 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -445,6 +445,10 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, /* Initialize the custom mutator */ init_py(afl, py_mutator, rand_below(afl, 0xFFFFFFFF)); + + mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); + mutator->stacked_custom_prob = + 6; // like one of the default mutations in havoc return mutator; -- cgit 1.4.1 From 5700b3c7500204d386d2f9e0f696b4604f0416a8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 10 Aug 2021 10:02:50 +0200 Subject: remove outdated references --- src/afl-forkserver.c | 7 ++----- src/afl-fuzz-init.c | 4 ++-- src/afl-fuzz-python.c | 2 +- src/afl-fuzz.c | 1 - src/afl-sharedmem.c | 7 ++++++- 5 files changed, 11 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 26a9aaed..c8c94c08 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -845,9 +845,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, " from the fuzzer! Since it seems to be built with ASAN and you " "have a\n" " restrictive memory limit configured, this is expected; please " - "read\n" - " %s/notes_for_asan.md for help and run with '-m 0'.\n", - doc_path); + "run with '-m 0'.\n"); } else if (!fsrv->mem_limit) { @@ -946,8 +944,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "with ASAN and\n" " you have a restrictive memory limit configured, this is " "expected; please\n" - " read %s/notes_for_asan.md for help and run with '-m 0'.\n", - doc_path); + " run with '-m 0'.\n"); } else if (!fsrv->mem_limit) { 
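Review bot: `mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);` in load_custom_mutator_py dereferences `mutator` on the left-hand side before the `mutator &&` test on the right, so the null check can never protect anything and only misleads; write `mutator->stacked_custom = (mutator->afl_custom_havoc_mutation != NULL);`. The constant 6 is explained only by a trailing remark; if the library loader in src/afl-fuzz-mutators.c uses the same number for the same reason (not visible here), a shared named constant would keep the two paths from drifting.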
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index faa45a4e..9bb25785 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -978,7 +978,7 @@ void perform_dry_run(afl_state_t *afl) { "quickly\n" " estimate the required amount of virtual memory for the " "binary. Also,\n" - " if you are using ASAN, see %s/notes_for_asan.md.\n\n" + " if you are using ASAN, set '-m 0'.\n\n" " - In QEMU persistent mode the selected address(es) for the " "loop are not\n" @@ -994,7 +994,7 @@ void perform_dry_run(afl_state_t *afl) { "troubleshooting tips.\n", stringify_mem_size(val_buf, sizeof(val_buf), afl->fsrv.mem_limit << 20), - afl->fsrv.mem_limit - 1, doc_path); + afl->fsrv.mem_limit - 1); } else { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index e1c879f4..065977c0 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -445,7 +445,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, /* Initialize the custom mutator */ init_py(afl, py_mutator, rand_below(afl, 0xFFFFFFFF)); - + mutator->stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); mutator->stacked_custom_prob = 6; // like one of the default mutations in havoc diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c97427e1..9b9e01a4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1501,7 +1501,6 @@ int main(int argc, char **argv_orig, char **envp) { } - get_core_count(afl); atexit(at_exit); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index b2cdac9b..22fe5a62 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -244,7 +244,11 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); - if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); } + if (shm->shm_id < 0) { + + PFATAL("shmget() failed, try running afl-system-config"); + + } if (shm->cmplog_mode) { 
@@ -325,3 +329,4 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, return shm->map; } + -- cgit 1.4.1 From b4c96d686f16320eea609197a8914437ac5eb552 Mon Sep 17 00:00:00 2001 From: mqf20 Date: Tue, 10 Aug 2021 16:26:44 +0800 Subject: Warn if "paths_total" property from stats file is inconsistent --- src/afl-fuzz-stats.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index e0930234..ead65b1d 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -147,8 +147,19 @@ void load_stats_file(afl_state_t *afl) { afl->fsrv.total_execs = strtoull(lptr, &nptr, 10); break; case 10: - if (!strcmp(keystring, "paths_total ")) - afl->queued_paths = strtoul(lptr, &nptr, 10); + if (!strcmp(keystring, "paths_total ")) { + + u32 paths_total = strtoul(lptr, &nptr, 10); + if (paths_total != afl->queued_paths) { + + WARNF( + "queue/ has been modified -- things might not work, you're " + "on your own!"); + + } + + } + break; case 12: if (!strcmp(keystring, "paths_found ")) -- cgit 1.4.1 From c775f40ebf935ec85619fa3903af7a20a38baf98 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 12 Aug 2021 14:32:44 +0200 Subject: AFL_IGNORE_PROBLEMS + library checks and documentation --- README.md | 7 +++++++ docs/Changelog.md | 4 ++++ docs/env_variables.md | 4 ++++ include/afl-fuzz.h | 2 +- include/envs.h | 1 + instrumentation/README.lto.md | 28 ++++++++++++++++++++++++++++ src/afl-fuzz-state.c | 7 +++++++ src/afl-fuzz-stats.c | 14 ++++++++++++++ src/afl-fuzz.c | 1 + 9 files changed, 67 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/README.md b/README.md index 438f9425..b3e464e1 100644 --- a/README.md +++ b/README.md 
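Review bot: The new `paths_total` comparison in `load_stats_file` uses the `strtoul()` result without looking at `nptr`, so a value field that is not numeric, or a partially written stats file, parses as 0 and emits the "queue/ has been modified" warning for the wrong reason, while an out-of-range value is silently truncated into the `u32`. Since this data is read back from the output directory rather than produced in-process, a small guard before the comparison keeps the warning meaningful: `if (nptr == lptr) { WARNF("paths_total in the stats file is not a number"); break; }`. It is also worth a one-line comment that this case now only validates and no longer restores `afl->queued_paths`, which the removed line did, so readers do not expect the value to be applied. `load_stats_file` starts and ends outside the hunk.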
@@ -473,6 +473,13 @@ compiler is used. Also - if possible - you should always configure the build system such that the target is compiled statically and not dynamically. How to do this is described below. +The #1 rule when instrumenting a target is: avoid instrumenting shared +libraries at all cost. You would need to set LD_LIBRARY_PATH to point to +these, you could accidently type "make install" and install them system wide - +so don't. Really don't. +**Always compile libraries you want to have instrumented as static and link +these to the target program!** + Then build the target. (Usually with `make`) **NOTES** diff --git a/docs/Changelog.md b/docs/Changelog.md index c5ff8adb..daa014e4 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,10 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) + - afl-fuzz: + added AFL_IGNORE_PROBLEMS plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/docs/env_variables.md b/docs/env_variables.md index cceffa68..0686f1a8 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -432,6 +432,10 @@ checks or alter some of the more exotic semantics of the tool: and RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be enabled in config.h first! + - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session + (not at startup), it will terminate. If you do not want this then you can + set `AFL_IGNORE_PROBLEMS`. + - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. Others need not apply, unless they also want to disable the `/proc/sys/kernel/core_pattern` check. 
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3d528bc4..4b19e698 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -384,7 +384,7 @@ typedef struct afl_env_vars { afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, - afl_exit_on_seed_issues, afl_try_affinity; + afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/envs.h b/include/envs.h index 26cc250f..49605330 100644 --- a/include/envs.h +++ b/include/envs.h @@ -88,6 +88,7 @@ static char *afl_environment_variables[] = { "AFL_HARDEN", "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IGNORE_UNKNOWN_ENVS", + "AFL_IGNORE_PROBLEMS", "AFL_IMPORT_FIRST", "AFL_INST_LIBS", "AFL_INST_RATIO", diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index 626bc9cb..38252308 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md 
@@ -138,6 +138,34 @@ make NOTE: some targets also need to set the linker, try both `afl-clang-lto` and `afl-ld-lto` for `LD=` before `configure`. +## Instrumenting shared libraries + +Note: this is highly discouraged! Try to compile to static libraries with +afl-clang-lto instead of shared libraries! + +To make instrumented shared libraries work with afl-clang-lto you have to do +quite some extra steps. + +Every shared library you want to instrument has to be individually compiled- +The environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during +compilation. +Additionally the environment variable `AFL_LLVM_LTO_STARTID` has to be set to +the combined edge values of all previous compiled instrumented shared +libraries for that target. +E.g. for the first shared library this would be `AFL_LLVM_LTO_STARTID=0` and +afl-clang-lto will then report how many edges have been instrumented (let's say +it reported 1000 instrumented edges). +The second shared library then has to be set to that value +(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to all previous +combined, etc. + +The final program compilation step then may *not* have `AFL_LLVM_LTO_DONTWRITEID` +set, and `AFL_LLVM_LTO_STARTID` must be set to all combined edges of all shared +libaries it will be linked to. + +This is quite some hands-on work, so better stay away from instrumenting +shared libraries :-) + ## AUTODICTIONARY feature While compiling, a dictionary based on string comparisons is automatically diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index b832c11e..24ccc108 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c 
@@ -267,6 +267,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_force_ui = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_ignore_problems = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", afl_environment_variable_len)) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index ead65b1d..a9deb22d 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -534,6 +534,20 @@ void show_stats(afl_state_t *afl) { t_bytes = count_non_255_bytes(afl, afl->virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size; + if (unlikely(t_bytes > afl->fsrv.real_map_size)) { + + if (unlikely(!afl->afl_env.afl_ignore_problems)) { + + FATAL( + "Incorrect fuzzing setup detected. Your target seems to have loaded " + "incorrectly instrumented shared libraries. If you use LTO mode " + "please see instrumentation/README.lto.md. To ignore this problem " + "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n"); + + } + + } + if (likely(t_bytes) && unlikely(afl->var_byte_count)) { stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9b9e01a4..8ffc0e77 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
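Review bot: The new `strncmp(env, "AFL_IGNORE_PROBLEMS",` call carries an empty line inside its argument list before `afl_environment_variable_len)`, which none of the neighbouring branches have and which reads like a dropped line. Folding it back, `} else if (!strncmp(env, "AFL_IGNORE_PROBLEMS", afl_environment_variable_len)) {`, matches the branch directly below it. `read_afl_environment` starts and ends outside the hunk.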
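Review bot: When `AFL_IGNORE_PROBLEMS` is set, the new `t_bytes > afl->fsrv.real_map_size` branch in `show_stats` does nothing at all, so an operator who opted out of the abort is never told that the map overflow was observed and that the `t_byte_ratio` computed just above it exceeds 100%. An `else` on the inner `if` with `WARNF("Map overflow detected (%u > %u), ignored because AFL_IGNORE_PROBLEMS is set", t_bytes, afl->fsrv.real_map_size);` (format specifiers adjusted to the declared types, which are outside the hunk) keeps the condition visible in the log; because `show_stats` appears to run periodically, it should either be rate-limited or say that it will repeat. A comment on the outer `if` explaining what a count above `real_map_size` indicates would also help, as the FATAL text is the only explanation. `show_stats` starts and ends outside the hunk.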
@@ -216,6 +216,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n" "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n" + "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" -- cgit 1.4.1 From 2a68d37b4f545698d745086077db5ca9d25dc5dd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 17 Aug 2021 14:37:59 +0200 Subject: fix typo --- src/afl-fuzz-stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index a9deb22d..1d32d966 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -1339,7 +1339,7 @@ void show_init_stats(afl_state_t *afl) { } - ACTF("No -t option specified, so I'll use exec timeout of %u ms.", + ACTF("No -t option specified, so I'll use exec an timeout of %u ms.", afl->fsrv.exec_tmout); afl->timeout_given = 1; -- cgit 1.4.1 From 1959812e83becb0895b924d0398d634055cd0c10 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 18 Aug 2021 15:46:01 +0200 Subject: more partial linking --- src/afl-cc.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index 244b46d1..a61635a2 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
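Review bot: The replacement string in `show_init_stats` still has the words out of order, `exec an timeout`, so this "fix typo" commit swaps one wording error for another; the line should read `ACTF("No -t option specified, so I'll use an exec timeout of %u ms.",`. A later commit on this page (f189668) makes exactly that change, so this note only records why the pair of commits exists. `show_init_stats` starts and ends outside the hunk.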
@@ -794,6 +794,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; + if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; if (!strcmp(cur, "-r")) partial_linking = 1; if (!strcmp(cur, "--relocatable")) partial_linking = 1; -- cgit 1.4.1 From 591d6c59c758d1043f8690e4e9dda22dbbefbc1c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 19 Aug 2021 17:02:17 +0200 Subject: fix shared linking on macos --- docs/Changelog.md | 8 +++++--- instrumentation/afl-compiler-rt.o.c | 7 ++++++- src/afl-cc.c | 13 +++++++++++++ 3 files changed, 24 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 3a2658f0..7ccae7c2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,9 +10,11 @@ sending a mail to . ### Version ++3.15a (dev) - afl-fuzz: - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on - incorrect LTO usage setups and enhanced the READMEs for better - information on how to deal with instrumenting libraries + - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries + - afl-cc: + - fix for shared linking on MacOS - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 18b0a55b..9acab4e7 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c 
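Review bot: The new `-Wl,-i` test, like the `-Wl,-r` and `-Wl,--relocatable` tests around it, only matches when the flag is the whole argument; a driver invocation that folds several linker options into one argument (the compiler splits `-Wl,-i,-x` at the commas) would not set `partial_linking`. If that form matters for the partial-linking handling, matching on the `-Wl,` payload rather than the full string would cover it; if exact matching is deliberate, a comment such as `// exact-match only: comma-joined -Wl, lists are not split` saves the next reader the question. `edit_params` starts and ends outside the hunk.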
@@ -1273,7 +1273,12 @@ __attribute__((constructor(1))) void __afl_auto_second(void) { if (__afl_already_initialized_second) return; __afl_already_initialized_second = 1; - if (getenv("AFL_DEBUG")) { __afl_debug = 1; } + if (getenv("AFL_DEBUG")) { + + __afl_debug = 1; + fprintf(stderr, "DEBUG: debug enabled\n"); + + } if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; u8 *ptr; diff --git a/src/afl-cc.c b/src/afl-cc.c index a61635a2..e49addc4 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -793,6 +793,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-x")) x_set = 1; if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; + if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; @@ -1085,6 +1086,18 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif + #if defined(__APPLE__) + if (shared_linking || partial_linking) { + + cc_params[cc_par_cnt++] = "-Wl,-U"; + cc_params[cc_par_cnt++] = "-Wl,___afl_area_ptr"; + cc_params[cc_par_cnt++] = "-Wl,-U"; + cc_params[cc_par_cnt++] = "-Wl,___sanitizer_cov_trace_pc_guard_init"; + + } + + #endif + } #if defined(USEMMAP) && !defined(__HAIKU__) -- cgit 1.4.1 From f189668dd6b223317e6f9f4d98b9d8929e695fa5 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Fri, 20 Aug 2021 13:00:51 +0200 Subject: fix typo fix --- src/afl-fuzz-stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 1d32d966..eb1fe2d9 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
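Review bot: The new `#if defined(__APPLE__)` block in `edit_params` passes `-Wl,-U` for `___afl_area_ptr` and `___sanitizer_cov_trace_pc_guard_init` without saying why, and the reason is not visible in the code: Apple's ld rejects undefined symbols in a dylib or partially linked object by default, and `-U <sym>` tells it the symbol may be left for resolution at load time. A comment above the `if (shared_linking || partial_linking)` line, `// macOS ld errors on undefined symbols in dylibs/partial links; -U lets the runtime supply these at load time`, would capture that. I cannot tell from the hunk whether instrumented code references other runtime symbols; if it does, they need the same treatment, so the two-entry list is worth cross-checking against the runtime. `edit_params` starts and ends outside the hunk.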
@@ -1339,7 +1339,7 @@ void show_init_stats(afl_state_t *afl) { } - ACTF("No -t option specified, so I'll use exec an timeout of %u ms.", + ACTF("No -t option specified, so I'll use an exec timeout of %u ms.", afl->fsrv.exec_tmout); afl->timeout_given = 1; -- cgit 1.4.1