From c96238d85f4a784402db6cbf16630b977617eb1a Mon Sep 17 00:00:00 2001 From: Daniil Kuts <13482580+apach301@users.noreply.github.com> Date: Fri, 27 May 2022 13:52:31 +0300 Subject: Add AFL_SYNC_TIME variable for synchronization time tuning (#1425) * Add AFL_SYNC_TIME variable for synchronization time tuning * Documentation for AFL_SYNC_TIME variable --- src/afl-fuzz-state.c | 12 ++++++++++++ src/afl-fuzz.c | 5 +++-- 2 files changed, 15 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 98217438..cbe32c75 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -101,6 +101,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->stats_update_freq = 1; afl->stats_avg_exec = 0; afl->skip_deterministic = 1; + afl->sync_time = SYNC_TIME; afl->cmplog_lvl = 2; afl->min_length = 1; afl->max_length = MAX_FILE; @@ -519,6 +520,17 @@ void read_afl_environment(afl_state_t *afl, char **envp) { } + } else if (!strncmp(env, "AFL_SYNC_TIME", + + afl_environment_variable_len)) { + + int time = atoi((u8 *)get_afl_env(afl_environment_variables[i])); + if (time > 0) { + afl->sync_time = time * (60 * 1000LL); + } else { + WARNF("incorrect value for AFL_SYNC_TIME environment variable, " + "used default value %lld instead.", afl->sync_time / 60 / 1000); + } } } else { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c5ab364a..7c33ba29 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -295,6 +295,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n" " Supported formats are: 'dogstatsd', 'librato',\n" " 'signalfx' and 'influxdb'\n" + "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" "AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n" 
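Review bot: In the AFL_SYNC_TIME branch of read_afl_environment the local `int time` shadows libc's `time()` wherever <time.h> is in scope (-Wshadow will flag it), and `atoi()` cannot tell a malformed value from a literal 0, so a typo such as `AFL_SYNC_TIME=1O` silently falls back to the default with only the WARNF. Parsing with `strtol` and checking the end pointer makes the failure explicit and renames the variable at the same time: `char *end; long minutes = strtol((char *)get_afl_env(afl_environment_variables[i]), &end, 10); if (*end == 0 && minutes > 0) { afl->sync_time = minutes * (60 * 1000LL); }`. The multiplication already happens in long long, so the int value cannot overflow there. read_afl_environment starts and ends outside the hunk.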
@@ -2511,7 +2512,7 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->is_main_node)) { if (unlikely(get_cur_time() > - (SYNC_TIME >> 1) + afl->last_sync_time)) { + (afl->sync_time >> 1) + afl->last_sync_time)) { if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 3))) { @@ -2523,7 +2524,7 @@ int main(int argc, char **argv_orig, char **envp) { } else { - if (unlikely(get_cur_time() > SYNC_TIME + afl->last_sync_time)) { + if (unlikely(get_cur_time() > afl->sync_time + afl->last_sync_time)) { if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); } -- cgit 1.4.1 From 066d65d8469ca504ab86771bd8e5e608efec9517 Mon Sep 17 00:00:00 2001 From: Luca Di Bartolomeo Date: Fri, 27 May 2022 17:55:21 +0200 Subject: Fix wrong memchr size in android (#1429) Need to fix this otherwise ASAN will always complain about heap buffer overflows and refuse to run. Co-authored-by: van Hauser --- src/afl-fuzz-stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 5b237748..3e034b83 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -59,7 +59,7 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) { if (i) fprintf(f, " "); #ifdef __ANDROID__ - if (memchr(argv[i], '\'', sizeof(argv[i]))) { + if (memchr(argv[i], '\'', strlen(argv[i]))) { #else if (index(argv[i], '\'')) { -- cgit 1.4.1 From 83f32c5248c8a8a1e69ca2f6f392c27c1736eef1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 8 Jun 2022 10:56:11 +0200 Subject: honor AFL_MAP_SIZE well outside of afl++ --- instrumentation/afl-compiler-rt.o.c | 31 +++++++++++++++++++++++++++++-- src/afl-fuzz-run.c | 6 +----- src/afl-fuzz-state.c | 13 ++++++++++--- utils/libdislocator/libdislocator.so.c | 1 + 4 files changed, 41 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index db7ac7b0..b94e3dc9 100644 
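Review bot: `memchr(argv[i], '\'', strlen(argv[i]))` in write_setup_file walks the argument twice to do what `strchr(argv[i], '\'')` does in one pass, and `strchr` is standard C on every platform, so the `#ifdef __ANDROID__` split between memchr and the legacy `index()` could collapse into the single line `if (strchr(argv[i], '\'')) {`. The sizeof-based length the commit replaces only covered pointer-size bytes, so the new form is correct; this is a style point. write_setup_file starts and ends outside the hunk.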
--- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -327,6 +327,31 @@ static void __afl_map_shm(void) { } + if (!id_str) { + + u32 val = 0; + u8 *ptr; + + if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr); + + if (val > MAP_INITIAL_SIZE) { + + __afl_map_size = val; + __afl_final_loc = val; + __afl_area_ptr_dummy = malloc(__afl_map_size); + if (!__afl_area_ptr_dummy) { + + fprintf(stderr, + "Error: AFL++ could not aquire %u bytes of memory, exiting!\n", + __afl_map_size); + exit(-1); + + } + + } + + } + /* If we're running under AFL, attach to the appropriate region, replacing the early-stage __afl_area_initial region that is needed to allow some really hacky .init code to work correctly in projects such as OpenSSL. */ @@ -465,7 +490,9 @@ static void __afl_map_shm(void) { } - } else if (_is_sancov && __afl_area_ptr != __afl_area_initial) { + } else if (_is_sancov && __afl_area_ptr != __afl_area_initial && + + __afl_area_ptr != __afl_area_ptr_dummy) { free(__afl_area_ptr); __afl_area_ptr = NULL; @@ -487,7 +514,7 @@ static void __afl_map_shm(void) { fprintf(stderr, "DEBUG: (2) id_str %s, __afl_area_ptr %p, __afl_area_initial %p, " "__afl_area_ptr_dummy %p, __afl_map_addr 0x%llx, MAP_SIZE " - "%u, __afl_final_loc %u, __afl_map_size %u," + "%u, __afl_final_loc %u, __afl_map_size %u, " "max_size_forkserver %u/0x%x\n", id_str == NULL ? "" : id_str, __afl_area_ptr, __afl_area_initial, __afl_area_ptr_dummy, __afl_map_addr, MAP_SIZE, diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 09e773f0..5703a66a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -130,11 +130,7 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { } - if (new_mem != *mem) { - - *mem = new_mem; - - } + if (new_mem != *mem) { *mem = new_mem; } /* everything as planned. use the potentially new data. */ afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size); 
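Review bot: The new AFL_MAP_SIZE handling in __afl_map_shm stores `atoi(ptr)` into the unsigned `val`, so a negative or non-numeric value such as `-1` wraps to a huge u32, passes the `val > MAP_INITIAL_SIZE` test and becomes both the malloc size and `__afl_map_size`; there is also no upper bound, although the same function tracks a `max_size_forkserver` (visible in the debug-message hunk below). Parse with `strtoul` and reject anything outside a sane range before it reaches malloc, e.g. `unsigned long v = strtoul(ptr, &end, 10); if (*end || v > max_size_forkserver) { fprintf(stderr, "Error: invalid AFL_MAP_SIZE\n"); exit(-1); }` — if max_size_forkserver is not yet initialised at this point, use the protocol maximum the file defines instead. `ptr` is declared `u8 *` while `getenv` returns `char *`, and the error message misspells "acquire". __afl_map_shm starts and ends outside the hunk.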
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index cbe32c75..8334af75 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -526,11 +526,18 @@ void read_afl_environment(afl_state_t *afl, char **envp) { int time = atoi((u8 *)get_afl_env(afl_environment_variables[i])); if (time > 0) { - afl->sync_time = time * (60 * 1000LL); + + afl->sync_time = time * (60 * 1000LL); + } else { - WARNF("incorrect value for AFL_SYNC_TIME environment variable, " - "used default value %lld instead.", afl->sync_time / 60 / 1000); + + WARNF( + "incorrect value for AFL_SYNC_TIME environment variable, " + "used default value %lld instead.", + afl->sync_time / 60 / 1000); + } + } } else { diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index fecf3bc6..c821a8f7 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -526,6 +526,7 @@ size_t malloc_good_size(size_t len) { return (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; } + #endif __attribute__((constructor)) void __dislocator_init(void) { -- cgit 1.4.1 From b595727f2fe42dcd2e85a733fd2f2c321920b0d2 Mon Sep 17 00:00:00 2001 From: Tobias Scharnowski Date: Fri, 10 Jun 2022 18:38:37 +0200 Subject: Fix Byte Decrement Havoc Mutation While looking at the source code of the havoc mutations I realized that there seems to be a typo / copy+paste error with the SUBBYTE_ mutation. It is currently incrementing, instead of decrementing the value. Alternative Fix: Change the documentation to "/* Decrease byte by minus 1. */" to make it work as documented :-P --- src/afl-fuzz-one.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 19f41ebe..ef80524f 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c 
@@ -2585,7 +2585,7 @@ havoc_stage: snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SUBBYTE_"); strcat(afl->mutation, afl->m_tmp); #endif - out_buf[rand_below(afl, temp_len)]++; + out_buf[rand_below(afl, temp_len)]--; break; } -- cgit 1.4.1 From 47d894747169692362eb0266017753e0838ecc2c Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Fri, 17 Jun 2022 12:10:11 -0400 Subject: require value in env --- src/afl-fuzz-init.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 6a653a00..aedbd996 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -113,7 +113,7 @@ void bind_to_free_cpu(afl_state_t *afl) { u8 lockfile[PATH_MAX] = ""; s32 i; - if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) { + if (afl->afl_env.afl_no_affinity = 1 && afl->afl_env.afl_try_affinity != 1) { if (afl->cpu_to_bind != -1) { @@ -130,7 +130,7 @@ void bind_to_free_cpu(afl_state_t *afl) { if (!bind_cpu(afl, afl->cpu_to_bind)) { - if (afl->afl_env.afl_try_affinity) { + if (afl->afl_env.afl_try_affinity = 1) { WARNF( "Could not bind to requested CPU %d! Make sure you passed a valid " @@ -2957,4 +2957,3 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) { *buf = 0; } - -- cgit 1.4.1 From 3d1a57deed63bdff6c817e1b1a8098df94ea5eac Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Fri, 17 Jun 2022 21:03:46 +0200 Subject: feat: allow to skip readme creation on crash --- docs/env_variables.md | 4 ++++ include/afl-fuzz.h | 3 +-- include/envs.h | 2 +- src/afl-fuzz-bitmap.c | 3 +-- src/afl-fuzz-state.c | 9 ++++++++- 5 files changed, 15 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/docs/env_variables.md b/docs/env_variables.md index a63aad10..0598a809 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md 
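Review bot: `if (afl->afl_env.afl_no_affinity = 1 && afl->afl_env.afl_try_affinity != 1)` in bind_to_free_cpu is an assignment, not a comparison: `&&` binds tighter than `=`, so it evaluates `afl_try_affinity != 1`, stores that into `afl_no_affinity`, and takes the branch whenever AFL_TRY_AFFINITY is not exactly 1 regardless of AFL_NO_AFFINITY; the second hunk's `if (afl->afl_env.afl_try_affinity = 1)` is always true. The original `if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity)` was correct, and a later commit on this page ('revert previous changes') restores it. Compiling with -Wparentheses would have flagged both lines. bind_to_free_cpu starts and ends outside the hunk.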
@@ -619,6 +619,10 @@ The QEMU wrapper used to instrument binary-only code supports several settings: emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no reason to touch them. + - Normally a `README.txt` is written to the `crashes/` directory when a first + crash is found. Setting `AFL_NO_CRASH_README` will prevent this. Useful when + counting crashes based on a file count in that directory. + ## 7) Settings for afl-frida-trace The FRIDA wrapper used to instrument binary-only code supports many of the same diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 24af426f..b78d0b98 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -386,7 +386,7 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, - afl_keep_timeouts, afl_pizza_mode; + afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, @@ -1267,4 +1267,3 @@ void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q, u8 *mem); #endif #endif - diff --git a/include/envs.h b/include/envs.h index f4cccc96..4105ac6d 100644 --- a/include/envs.h +++ b/include/envs.h @@ -159,6 +159,7 @@ static char *afl_environment_variables[] = { "AFL_NO_COLOUR", #endif "AFL_NO_CPU_RED", + "AFL_NO_CRASH_README", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", @@ -234,4 +235,3 @@ static char *afl_environment_variables[] = { extern char *afl_environment_variables[]; #endif - diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 26e70d81..fffcef89 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -720,7 +720,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (unlikely(!afl->saved_crashes)) { write_crash_readme(afl); } + if (unlikely(!afl->saved_crashes) && (afl->afl_env.afl_no_crash_readme != 1)) { write_crash_readme(afl); } #ifndef SIMPLE_FILES @@ -821,4 +821,3 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { return keeping; } - diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 8334af75..4d16811f 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -510,6 +510,14 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_pizza_mode = atoi((u8 *)get_afl_env(afl_environment_variables[i])); + + } else if (!strncmp(env, "AFL_NO_CRASH_README", + + afl_environment_variable_len)) { + + afl->afl_env.afl_no_crash_readme = + atoi((u8 *)get_afl_env(afl_environment_variables[i])); + if (afl->afl_env.afl_pizza_mode == 0) { afl->afl_env.afl_pizza_mode = 1; @@ -665,4 +673,3 @@ void afl_states_request_skip(void) { LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; }); } - -- cgit 1.4.1 From 499082384094e9cb3ff4fe18ee068e302e550aa3 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Fri, 17 Jun 2022 21:08:37 +0200 Subject: formatting --- include/afl-fuzz.h | 1 + include/envs.h | 1 + src/afl-fuzz-bitmap.c | 8 +++++++- src/afl-fuzz-state.c | 1 + 4 files changed, 10 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index b78d0b98..ce42a107 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1267,3 +1267,4 @@ void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q, u8 *mem); #endif #endif + diff --git a/include/envs.h b/include/envs.h index 4105ac6d..9b8917f9 100644 --- a/include/envs.h +++ b/include/envs.h @@ -235,3 +235,4 @@ static char *afl_environment_variables[] = { extern char *afl_environment_variables[]; #endif + 
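Review bot: The new `else if` for AFL_NO_CRASH_README in read_afl_environment is inserted between the AFL_PIZZA_MODE assignment and the context lines `if (afl->afl_env.afl_pizza_mode == 0) { afl->afl_env.afl_pizza_mode = 1;`, so that follow-up now executes inside the AFL_NO_CRASH_README branch: setting AFL_NO_CRASH_README forces pizza mode on when it was 0, while AFL_PIZZA_MODE=0 is no longer adjusted. The new branch belongs after the closing brace of the pizza-mode block, which lies outside this hunk. In the afl-fuzz-bitmap.c hunk, `afl->afl_env.afl_no_crash_readme != 1` treats every value other than 1 as "write the README" (`AFL_NO_CRASH_README=2` would not disable it); the other afl_env flags are tested by truthiness, so `!afl->afl_env.afl_no_crash_readme` would be consistent. Both read_afl_environment and save_if_interesting start and end outside their hunks.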
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index fffcef89..089f7bb5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -720,7 +720,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (unlikely(!afl->saved_crashes) && (afl->afl_env.afl_no_crash_readme != 1)) { write_crash_readme(afl); } + if (unlikely(!afl->saved_crashes) && + (afl->afl_env.afl_no_crash_readme != 1)) { + + write_crash_readme(afl); + + } #ifndef SIMPLE_FILES @@ -821,3 +826,4 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { return keeping; } + diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 4d16811f..cc4138ae 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -673,3 +673,4 @@ void afl_states_request_skip(void) { LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; }); } + -- cgit 1.4.1 From 0dd1c39b5a011c34c02c4c2ae3a975ffaa01ca75 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Sat, 18 Jun 2022 02:35:31 +0200 Subject: check for empty env var as well --- src/afl-common.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index eca7d272..abf7e70a 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -715,17 +715,23 @@ char *get_afl_env(char *env) { char *val; - if ((val = getenv(env)) != NULL) { + if ((val = getenv(env))) { - if (!be_quiet) { + if (*val) { + + if (!be_quiet) { + + OKF("Loaded environment variable %s with value %s", env, val); - OKF("Loaded environment variable %s with value %s", env, val); + } + + return val; } } - return val; + return NULL; } @@ -1243,4 +1249,3 @@ s32 create_file(u8 *fn) { return fd; } - -- cgit 1.4.1 From fc3b483450280f01c214853db5c4d30aa1eff1c1 Mon Sep 17 00:00:00 2001 
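Review bot: get_afl_env now returns NULL for a variable that is set but empty, where it previously returned the empty string, and callers on this page pass the result straight to `atoi((u8 *)get_afl_env(...))` (the AFL_SYNC_TIME and AFL_NO_CRASH_README branches in read_afl_environment); `atoi(NULL)` is undefined behaviour and typically crashes, so `AFL_SYNC_TIME=` would now take the fuzzer down instead of being ignored. Either keep returning `val` for the empty case or audit every `atoi(get_afl_env(...))` site for a NULL guard before this lands. Whichever is chosen, a header comment such as `/* Returns the value of env, or NULL if it is unset or empty; logs the value unless be_quiet is set. */` should state the contract. The function is shown in full, but its callers are outside this hunk.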
From: Ruben ten Hove Date: Sat, 18 Jun 2022 02:35:40 +0200 Subject: revert previous changes --- src/afl-fuzz-init.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index aedbd996..6a653a00 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -113,7 +113,7 @@ void bind_to_free_cpu(afl_state_t *afl) { u8 lockfile[PATH_MAX] = ""; s32 i; - if (afl->afl_env.afl_no_affinity = 1 && afl->afl_env.afl_try_affinity != 1) { + if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) { if (afl->cpu_to_bind != -1) { @@ -130,7 +130,7 @@ void bind_to_free_cpu(afl_state_t *afl) { if (!bind_cpu(afl, afl->cpu_to_bind)) { - if (afl->afl_env.afl_try_affinity = 1) { + if (afl->afl_env.afl_try_affinity) { WARNF( "Could not bind to requested CPU %d! Make sure you passed a valid " @@ -2957,3 +2957,4 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) { *buf = 0; } + -- cgit 1.4.1 From bf6a0159a934b750d22cc34210544fdb3418df7f Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Sat, 18 Jun 2022 02:37:11 +0200 Subject: formatting --- src/afl-common.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index abf7e70a..cbf20fba 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -1249,3 +1249,4 @@ s32 create_file(u8 *fn) { return fd; } + -- cgit 1.4.1 From 0c3ba7d22719c694dafe1f053a9c8f8bad3993a7 Mon Sep 17 00:00:00 2001 From: Ruben ten Hove Date: Sat, 18 Jun 2022 07:23:06 -0400 Subject: clarity --- src/afl-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index cbf20fba..b232b445 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -721,7 +721,7 @@ char *get_afl_env(char *env) { if (!be_quiet) { - OKF("Loaded environment variable %s with value %s", env, val); + OKF("Enabled environment variable %s with value %s", env, val); } -- cgit 1.4.1 
From 1a4c0d2ecd428c8d3e6be8509738971861ddb5f2 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 20 Jun 2022 17:59:14 +0200 Subject: nits --- Android.bp | 1 + src/afl-cc.c | 2 +- src/afl-common.c | 10 +++++++--- 3 files changed, 9 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/Android.bp b/Android.bp index ac1d5cb6..dfbfd281 100644 --- a/Android.bp +++ b/Android.bp @@ -76,6 +76,7 @@ cc_binary { srcs: [ "src/afl-fuzz*.c", "src/afl-common.c", + "src/afl-forkserver.c", "src/afl-sharedmem.c", "src/afl-forkserver.c", "src/afl-performance.c", diff --git a/src/afl-cc.c b/src/afl-cc.c index 2667ae28..4a56169f 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -396,7 +396,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); else - snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANG_BIN); + snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s", CLANG_BIN); alt_cc = llvm_fullpath; } diff --git a/src/afl-common.c b/src/afl-common.c index b232b445..7f482e7d 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -25,8 +25,12 @@ #include #include -#define _GNU_SOURCE -#define __USE_GNU +#ifndef _GNU_SOURCE + #define _GNU_SOURCE +#endif +#ifndef __USE_GNU + #define __USE_GNU +#endif #include #include #include @@ -718,7 +722,7 @@ char *get_afl_env(char *env) { if ((val = getenv(env))) { if (*val) { - + if (!be_quiet) { OKF("Enabled environment variable %s with value %s", env, val); -- cgit 1.4.1 From 6705953a491e43880c57aa670b475b52c716f216 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 28 Jun 2022 10:23:20 +0200 Subject: Python mutators: Gracious error handling for illegal return type (#1464) * python types error handling * reverted example change * more python * format --- .gitignore | 1 + src/afl-fuzz-python.c | 93 +++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 80 insertions(+), 14 deletions(-) (limited to 'src') 
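Review bot: The Android.bp hunk adds `"src/afl-forkserver.c"` to the srcs list, but the context two lines below already lists `"src/afl-forkserver.c"`, so the file now appears twice; depending on how Soong treats duplicate srcs entries this is either a silent no-op or a duplicate-symbol failure, and the added line should be dropped. The other hunks in this commit (passing `CLANG_BIN` through `"%s"` instead of as the format string, and guarding the `_GNU_SOURCE` defines) raise nothing.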
diff --git a/.gitignore b/.gitignore index 22ee6bf1..8b0f0a7f 100644 --- a/.gitignore +++ b/.gitignore @@ -97,3 +97,4 @@ utils/persistent_mode/persistent_demo_new utils/persistent_mode/test-instr !coresight_mode !coresight_mode/coresight-trace +vuln_prog \ No newline at end of file diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 65501c8c..5909cd52 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -28,6 +28,36 @@ /* Python stuff */ #ifdef USE_PYTHON +// Tries to cast a python bytearray or bytes to a char ptr +static inline bool py_bytes(PyObject *py_value, /* out */ char **bytes, + /* out */ size_t *size) { + + if (!py_value) { return false; } + + *bytes = PyByteArray_AsString(py_value); + if (*bytes) { + + // we got a bytearray + *size = PyByteArray_Size(py_value); + + } else { + + *bytes = PyBytes_AsString(py_value); + if (!*bytes) { + + // No valid type returned. + return false; + + } + + *size = PyBytes_Size(py_value); + + } + + return true; + +} + static void *unsupported(afl_state_t *afl, unsigned int seed) { (void)afl; @@ -93,12 +123,22 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, if (py_value != NULL) { - mutated_size = PyByteArray_Size(py_value); + char *bytes; + if (!py_bytes(py_value, &bytes, &mutated_size)) { + + FATAL("Python mutator fuzz() should return a bytearray or bytes"); + + } + + if (mutated_size) { + + *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size); + if (unlikely(!*out_buf)) { PFATAL("alloc"); } - *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size); - if (unlikely(!*out_buf)) { PFATAL("alloc"); } + memcpy(*out_buf, bytes, mutated_size); + + } - memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size); Py_DECREF(py_value); return mutated_size; 
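Review bot: py_bytes detects the type by calling `PyByteArray_AsString` and treating a NULL result as "not a bytearray", but as far as I recall CPython's PyByteArray_AsString only asserts the type in debug builds and otherwise reads the bytearray field of whatever object it is given, so for a `bytes` return it does not yield NULL, the fallback never runs, and `*bytes` points at misinterpreted object memory. Dispatching on `PyByteArray_Check` / `PyBytes_Check` before calling the accessor is unambiguous on every build and also avoids leaving a stale TypeError set when the first accessor does fail. The sketch below keeps the signature and the out-parameter contract.

```c
static inline bool py_bytes(PyObject *py_value, /* out */ char **bytes,
                            /* out */ size_t *size) {

  if (!py_value) { return false; }

  if (PyByteArray_Check(py_value)) {

    *bytes = PyByteArray_AsString(py_value);
    *size = PyByteArray_Size(py_value);

  } else if (PyBytes_Check(py_value)) {

    *bytes = PyBytes_AsString(py_value);
    *size = PyBytes_Size(py_value);

  } else {

    // Neither bytearray nor bytes: caller reports the type error.
    return false;

  }

  return *bytes != NULL;

}
```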
@@ -625,7 +665,7 @@ s32 post_trim_py(void *py_mutator, u8 success) { size_t trim_py(void *py_mutator, u8 **out_buf) { PyObject *py_args, *py_value; - size_t ret; + size_t trimmed_size; py_args = PyTuple_New(0); py_value = PyObject_CallObject( @@ -634,10 +674,21 @@ size_t trim_py(void *py_mutator, u8 **out_buf) { if (py_value != NULL) { - ret = PyByteArray_Size(py_value); - *out_buf = afl_realloc(BUF_PARAMS(trim), ret); - if (unlikely(!*out_buf)) { PFATAL("alloc"); } - memcpy(*out_buf, PyByteArray_AsString(py_value), ret); + char *bytes; + if (!py_bytes(py_value, &bytes, &trimmed_size)) { + + FATAL("Python mutator fuzz() should return a bytearray"); + + } + + if (trimmed_size) { + + *out_buf = afl_realloc(BUF_PARAMS(trim), trimmed_size); + if (unlikely(!*out_buf)) { PFATAL("alloc"); } + memcpy(*out_buf, bytes, trimmed_size); + + } + Py_DECREF(py_value); } else { @@ -647,7 +698,7 @@ size_t trim_py(void *py_mutator, u8 **out_buf) { } - return ret; + return trimmed_size; } @@ -692,7 +743,13 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, if (py_value != NULL) { - mutated_size = PyByteArray_Size(py_value); + char *bytes; + if (!py_bytes(py_value, &bytes, &mutated_size)) { + + FATAL("Python mutator fuzz() should return a bytearray"); + + } + if (mutated_size <= buf_size) { /* We reuse the input buf here. */ @@ -706,8 +763,6 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, } - memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size); - Py_DECREF(py_value); return mutated_size; @@ -762,7 +817,17 @@ const char *introspection_py(void *py_mutator) { } else { - return PyByteArray_AsString(py_value); + char * ret; + size_t len; + if (!py_bytes(py_value, &ret, &len)) { + + FATAL( + "Python mutator introspection call returned illegal type (expected " + "bytes or bytearray)"); + + } + + return ret; } -- cgit 1.4.1 From bb509765dfb96b38d5ed781843bfca1660ed9bf5 Mon Sep 17 00:00:00 2001 
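Review bot: The FATAL messages added in trim_py and havoc_mutation_py both read `Python mutator fuzz() should return a bytearray`, copied from fuzz_py, so a user cannot tell which callback misbehaved; they should name `trim()` and `havoc_mutation()` respectively and, like the fuzz_py message, mention that `bytes` is accepted too. The havoc_mutation_py hunk also deletes `memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);` without a replacement, so in this commit the mutated data never reaches *out_buf; the next commit on this page ('added back missing memcpy') restores it. trim_py's `size_t trimmed_size;` remains uninitialised on the `py_value == NULL` path, as `ret` was before — if the else branch does not abort, initialise it to 0. All three functions start and end outside their hunks.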
From: Dominik Maier Date: Tue, 28 Jun 2022 11:45:22 +0200 Subject: added back missing memcpy to python mutators --- src/afl-fuzz-python.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 5909cd52..0231d2cd 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -763,6 +763,8 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, } + if (mutated_size) { memcpy(*out_buf, bytes, mutated_size); } + Py_DECREF(py_value); return mutated_size; -- cgit 1.4.1 From 92352951d7a8485bd2413009fcd052e85dc398fb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 28 Jun 2022 11:52:05 +0200 Subject: nits --- TODO.md | 1 + src/afl-fuzz.c | 1 + 2 files changed, 2 insertions(+) (limited to 'src') diff --git a/TODO.md b/TODO.md index 99d2c419..c64c1236 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ ## Should + - makefiles should show provide a build summary success/failure - better documentation for custom mutators - better autodetection of shifting runtime timeout values - Update afl->pending_not_fuzzed for MOpt diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7c33ba29..b23cef37 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -296,6 +296,7 @@ static void usage(u8 *argv0, int more_help) { " Supported formats are: 'dogstatsd', 'librato',\n" " 'signalfx' and 'influxdb'\n" "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n" + "AFL_NO_CRASH_README: do not create a README in the crashes directory\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" "AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n" -- cgit 1.4.1