From b33a6addcc9e52a3050a0e25b93dce10fd4cc644 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 11 Oct 2019 21:09:24 +0100 Subject: NetBSD binding to cpu, ignore sleeping processes. --- src/afl-fuzz-init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 127f5217..91d4c727 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -166,7 +166,7 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { - if (procs[i].p_cpuid < sizeof(cpu_used)) cpu_used[procs[i].p_cpuid] = 1; + if (procs[i].p_cpuid < sizeof(cpu_used) && procs[i].p_pctcpu > 0) cpu_used[procs[i].p_cpuid] = 1; } -- cgit 1.4.1 From 33281b04e7d043d30a1a9d60c3e7ec75f9709366 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 11 Oct 2019 22:21:25 +0100 Subject: FreeBSD making more tolerant the cpu binding at init time --- src/afl-fuzz-init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 91d4c727..18ce0a2f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -138,7 +138,7 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { - if (procs[i].ki_oncpu < sizeof(cpu_used)) cpu_used[procs[i].ki_oncpu] = 1; + if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 0) cpu_used[procs[i].ki_oncpu] = 1; } -- cgit 1.4.1 From 99f2abfd711f0cdfe56f08b63b8ee2effe58cbed Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 12 Oct 2019 01:58:45 +0200 Subject: fine tuning cpu percentage limit to be detected as bound cpu on FreeBSD --- src/afl-fuzz-init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 18ce0a2f..a54c53d8 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
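Review bot: `procs[i].p_pctcpu > 0` treats any nonzero value as "busy" with no comment on what the field measures, and the FreeBSD hunk on this same line does the same with `ki_pctcpu > 0` while the follow-up hunk below raises only the FreeBSD side to `> 2`, so the two platforms end up with different unnamed thresholds. As far as I can tell both fields are fixed-point values scaled by FSCALE rather than percentages, so the literal does not say what fraction of a CPU counts as busy; a single named constant used by both branches, with a comment on the scale, e.g. `/* pctcpu fields are fixpt_t (FSCALE == 100%), not percent */`, would keep NetBSD and FreeBSD consistent and explain the tuning. Separately, `sizeof(cpu_used)` is only a valid index bound while cpu_used stays a byte array; `sizeof(cpu_used) / sizeof(cpu_used[0])` is the safer spelling in both hunks. bind_to_free_cpu continues outside the hunk.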
@@ -138,7 +138,7 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { - if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 0) cpu_used[procs[i].ki_oncpu] = 1; + if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 2) cpu_used[procs[i].ki_oncpu] = 1; } -- cgit 1.4.1 From 73da639654aa4e91220eb0adcbe380800b06a768 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 18 Oct 2019 08:25:43 +0200 Subject: revert patch --- docs/ChangeLog | 7 +++++++ src/afl-fuzz-run.c | 8 ++++---- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/docs/ChangeLog b/docs/ChangeLog index 8c799c44..f073123c 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -13,6 +13,13 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . +---------------------- +Version ++2.57d (dev): +---------------------- + + - revertedd patch to not unlink and recreate the input file, it resulted in performance loss + + -------------------------------- Version ++2.54d-2.57c (release): -------------------------------- diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 46d12423..fc235b27 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -288,10 +288,10 @@ void write_to_testcase(void* mem, u32 len) { if (out_file) { - // unlink(out_file); /* Ignore errors. + unlink(out_file); /* Ignore errors. // */ - fd = open(out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600); + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", out_file); @@ -331,10 +331,10 @@ void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { if (out_file) { - // unlink(out_file); /* Ignore errors. + unlink(out_file); /* Ignore errors. // */ - fd = open(out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600); + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", out_file); -- cgit 1.4.1 
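Review bot: The restored `unlink(out_file)` ignores its result, but the `O_CREAT | O_EXCL` open immediately after it is fatal, so an unlink failure other than ENOENT (for example a directory that is not writable) only surfaces as "Unable to create"; the same applies to the write_with_gap hunk below. The pairing is deliberate and worth a comment, because O_EXCL refuses an existing path including a dangling symlink, so the test case is never written through a pre-existing file at out_file; I would replace the odd `/* Ignore errors. // */` with `/* Ignore errors: a leftover out_file is recreated below with O_EXCL so an existing file or symlink is never reused. */`. Both write_to_testcase and write_with_gap continue outside their hunks.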
From e7ab8be0cd97f9a18e6ca2f855afa69768322dfb Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 18 Oct 2019 19:53:10 +0200 Subject: sync afl-fast-gcc with afl-clang-fast, add tests for gcc_plugin --- gcc_plugin/afl-gcc-fast.c | 50 +++++++++++++++++++++---------- gcc_plugin/afl-gcc-pass.so.cc | 4 +-- llvm_mode/afl-clang-fast.c | 4 +-- src/afl-gcc.c | 2 +- test/test.sh | 69 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 108 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 8be05bb5..25ecf310 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -104,7 +104,7 @@ static void edit_params(u32 argc, char** argv) { cc_params = ck_alloc((argc + 64) * sizeof(u8*)); name = strrchr(argv[0], '/'); - if (!name) name = argv[0]; else name++; + if (!name) name = argv[0]; else ++name; if (!strcmp(name, "afl-g++-fast")) { u8* alt_cxx = getenv("AFL_CXX"); @@ -114,9 +114,15 @@ static void edit_params(u32 argc, char** argv) { cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; } + + char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); cc_params[cc_par_cnt++] = fplugin_arg; + /* Detect stray -v calls from ./configure scripts. */ + + if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0; + while (--argc) { u8* cur = *(++argv); @@ -134,6 +140,8 @@ static void edit_params(u32 argc, char** argv) { if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; + if (!strcmp(cur, "-shared")) maybe_linking = 0; + cc_params[cc_par_cnt++] = cur; } 
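Review bot: `if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0;` in the @@ -114 hunk passes a null pointer to strcmp when it is true, since argv[argc] is the terminating NULL; the branch is only not crashing because main() in this same commit exits when argc < 2, which also makes it dead. The loop below already clears maybe_linking on `-v` (visible as context in the later formatting hunk of this file), so the line can be dropped, or corrected to `if (argc == 2 && !strcmp(argv[1], "-v")) maybe_linking = 0;` if the single-argument case is meant to be special. The same line reappears unchanged as context in the formatting commit further down this page. edit_params continues outside the hunk.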
@@ -151,17 +159,23 @@ static void edit_params(u32 argc, char** argv) { if (getenv("AFL_USE_ASAN")) { - cc_params[cc_par_cnt++] = "-fsanitize=address"; + if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive"); + + if (getenv("AFL_HARDEN")) + FATAL("ASAN and AFL_HARDEN are mutually exclusive"); - if (getenv("AFL_USE_MSAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=address"; } else if (getenv("AFL_USE_MSAN")) { - cc_params[cc_par_cnt++] = "-fsanitize=memory"; + if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive"); + + if (getenv("AFL_HARDEN")) + FATAL("MSAN and AFL_HARDEN are mutually exclusive"); - if (getenv("AFL_USE_ASAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=memory"; } @@ -175,7 +189,13 @@ static void edit_params(u32 argc, char** argv) { } +#ifdef USEMMAP + cc_params[cc_par_cnt++] = "-lrt"; +#endif + cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1"; + cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; + cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; /* When the user tries to use persistent or deferred forkserver modes by appending a single line to the program, we want to reliably inject a 
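Review bot: Inside the `else if (getenv("AFL_USE_MSAN"))` branch the new `if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");` can never fire, because the enclosing `if (getenv("AFL_USE_ASAN"))` would already have been taken; only the check in the ASAN branch does any work. Hoisting a single `if (getenv("AFL_USE_ASAN") && getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");` above both branches and deleting the two inner copies states the intent once. The added `-U_FORTIFY_SOURCE` also deserves a why-comment, presumably `/* sanitizers conflict with a distro-default _FORTIFY_SOURCE */` — the AFL_HARDEN path that sets it is already rejected above, so the undefine must be targeting something else. edit_params continues outside the hunk.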
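Review bot: In the @@ -175 hunk `-lrt` is appended unconditionally under USEMMAP, while the runtime object `afl-gcc-rt.o` appears to be guarded by `if (maybe_linking)` further down this file (visible in a later hunk on this page), so compile-only invocations such as `-c` receive a linker input that gcc reports as unused. Moving the `#ifdef USEMMAP` block inside that `if (maybe_linking)` branch, next to the `afl-gcc-rt.o` line, keeps the flag on link steps only. edit_params continues outside the hunk.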
@@ -237,15 +257,10 @@ static void edit_params(u32 argc, char** argv) { int main(int argc, char** argv) { - if (isatty(2) && !getenv("AFL_QUIET")) { - - SAYF(cCYA "afl-gcc-fast " cBRI VERSION cRST " initially by , maintainer: hexcoder-\n"); - - } - - if (argc < 2) { + if (argc < 2 || strcmp(argv[1], "-h") == 0) { - SAYF("\n" + printf(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n" + "\n" "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" "for gcc, letting you recompile third-party code with the required runtime\n" "instrumentation. A common use pattern would be one of the following:\n\n" @@ -263,8 +278,11 @@ int main(int argc, char** argv) { exit(1); - } + } else if (isatty(2) && !getenv("AFL_QUIET")) { + SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n"); + + } find_obj(argv[0]); diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index f0f5b30b..a44f5a74 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -416,7 +416,7 @@ public: /* Either we couldn't figure out our location or the location is * not whitelisted, so we skip instrumentation. */ - if (!instrumentBlock) return 0;; + if (!instrumentBlock) return 0; } return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); @@ -464,7 +464,7 @@ int plugin_init(struct plugin_name_args *plugin_info, /* Show a banner */ if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(G_(cCYA "afl-gcc-pass " cBRI VERSION cRST " initially by , maintainer: hexcoder-\n")); + SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST " initially by , maintainer: hexcoder-\n")); } else be_quiet = 1; diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 142d6331..54f9e6e9 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
@@ -112,7 +112,7 @@ static void edit_params(u32 argc, char** argv) { if (!name) name = argv[0]; else - name++; + ++name; if (!strcmp(name, "afl-clang-fast++")) { @@ -128,7 +128,7 @@ static void edit_params(u32 argc, char** argv) { /* There are three ways to compile with afl-clang-fast. In the traditional mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is - much faster but has less coverage. Finally tere is the experimental + much faster but has less coverage. Finally there is the experimental 'trace-pc-guard' mode, we use native LLVM instrumentation callbacks instead. For trace-pc-guard see: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 8982ca97..dd7ba4d6 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -131,7 +131,7 @@ static void edit_params(u32 argc, char** argv) { if (!name) name = argv[0]; else - name++; + ++name; if (!strncmp(name, "afl-clang", 9)) { diff --git a/test/test.sh b/test/test.sh index ab2985fe..1c5cdda6 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -200,6 +200,75 @@ test -e ../afl-clang-fast && { rm -f test-persistent } || $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test" +$ECHO "$BLUE[*] Testing: gcc_plugin" +export AFL_CC=`which gcc` +test -e ../afl-gcc-fast && { + ../afl-gcc-fast -o test-instr.plain.gccpi ../test-instr.c > /dev/null 2>&1 + AFL_HARDEN=1 ../afl-gcc-fast -o test-compcov.harden.gccpi test-compcov.c > /dev/null 2>&1 + test -e test-instr.plain.gccpi && { + $ECHO "$GREEN[+] gcc_plugin compilation succeeded" + echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain.gccpi > /dev/null 2>&1 + ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain.gccpi < /dev/null > /dev/null 2>&1 + test -e test-instr.plain.0 -a -e test-instr.plain.1 && { + diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { + $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" + } || $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" + } || $ECHO "$RED[!] gcc_plugin instrumentation failed" + rm -f test-instr.plain.0 test-instr.plain.1 + } || $ECHO "$RED[!] gcc_plugin failed" + + test -e test-compcov.harden.gccpi && { + grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden.gccpi > /dev/null 2>&1 && { + $ECHO "$GREEN[+] gcc_plugin hardened mode succeeded and is working" + } || $ECHO "$RED[!] gcc_plugin hardened mode is not hardened" + rm -f test-compcov.harden.gccpi + } || $ECHO "$RED[!] gcc_plugin hardened mode compilation failed" + # now we want to be sure that afl-fuzz is working + (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. 
Run 'sudo sh afl-system-config'.$RESET" + true + }) || + # make sure crash reporter is disabled on Mac OS X + (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + true + }) || { + mkdir -p in + echo 0 > in/in + $ECHO "$GREY[*] running afl-fuzz for gcc_plugin, this will take approx 10 seconds" + { + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain.gccpi >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with gcc_plugin" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with gcc_plugin" + } + rm -rf in out errors + } + rm -f test-instr.plain.gccpi + + # now for the special gcc_plugin things + echo foobar.c > whitelist.txt + AFL_GCC_WHITELIST=whitelist.txt ../afl-gcc-fast -o test-compcov test-compcov.c > /dev/null 2>&1 + test -e test-compcov && { + echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 1 tuples" && { + $ECHO "$GREEN[+] gcc_plugin whitelist feature works correctly" + } || $ECHO "$RED[!] gcc_plugin whitelist feature failed" + } || $ECHO "$RED[!] gcc_plugin whitelist feature compilation failed" + rm -f test-compcov test.out whitelist.txt + ../afl-gcc-fast -o test-persistent ../experimental/persistent_demo/persistent_demo.c > /dev/null 2>&1 + test -e test-persistent && { + echo foo | ../afl-showmap -o /dev/null -q -r ./test-persistent && { + $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" + } || $ECHO "$RED[!] gcc_plugin persistent mode feature failed to work" + } || $ECHO "$RED[!] 
gcc_plugin persistent mode feature compilation failed" + rm -f test-persistent +} || $ECHO "$YELLOW[-] gcc_plugin not compiled, cannot test" + $ECHO "$BLUE[*] Testing: shared library extensions" gcc -o test-compcov test-compcov.c > /dev/null 2>&1 test -e ../libtokencap.so && { -- cgit 1.4.1 From 1fdb75068d6b815baf9736e63e3545b66de688c5 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 19 Oct 2019 11:44:09 +0100 Subject: afl-gotcpu: porting to Darwin using mach API. --- src/afl-gotcpu.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index bdb727de..dc938b65 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -52,7 +52,7 @@ #include "types.h" #include "debug.h" -#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__) #define HAVE_AFFINITY 1 #if defined(__FreeBSD__) #include @@ -62,8 +62,12 @@ #elif defined(__NetBSD__) #include #include +#elif defined(__APPLE__) +#include +#include +#include #endif -#endif /* __linux__ || __FreeBSD__ || __NetBSD__ */ +#endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get unix time in microseconds. */ @@ -176,6 +180,12 @@ int main(int argc, char** argv) { if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); +#elif defined(__APPLE__) + thread_affinity_policy_data_t c = { i }; + thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); + if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, + (thread_policy_t)&c, 1) != KERN_SUCCESS) + PFATAL("thread_policy_set failed"); #endif #if defined(__FreeBSD__) -- cgit 1.4.1 From 8a786377196fbaafeecbca17fad66ea1e76c7de2 Mon Sep 17 00:00:00 2001 
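Review bot: The Darwin guard `test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$')` can never trigger, because `grep -q` prints nothing, so `test` runs with no argument and is always false; the crash-reporter check is skipped and afl-fuzz runs regardless. Use the pipeline's status directly: `(test "$(uname -s)" = "Darwin" && launchctl list 2>/dev/null | grep -q '\.ReportCrash$' && {`. Also `export AFL_CC=\`which gcc\`` at the top of the block is never unset, so it leaks into the "shared library extensions" tests that follow and any later afl-clang invocation in this script; `unset AFL_CC` after the gcc_plugin block, or scoping it per command, avoids that.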
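Review bot: `thread_affinity_policy_data_t c = { i };` passes the loop index as a Mach affinity tag, but a tag is a cache-sharing hint rather than a CPU pin: tag 0 is THREAD_AFFINITY_TAG_NULL and requests no affinity at all, so the i == 0 iteration is not bound, and nonzero tags only group threads together without selecting a specific core. The Darwin branch therefore measures whatever CPU the scheduler chose, unlike the Linux and BSD branches; that limitation should be documented, e.g. `/* Mach affinity tags are L2-sharing hints, not CPU pins; tag 0 means "no affinity", so results on Darwin are approximate. */`, and starting from a nonzero tag (`{ i + 1 }`) at least avoids the null tag — hedged, since I cannot see how the result is interpreted outside the hunk. Making thread_policy_set failure fatal also aborts the whole scan on kernels that reject the policy; skipping that CPU with a warning may be the friendlier choice. main continues outside the hunk.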
From: hexcoder- Date: Sat, 19 Oct 2019 16:19:46 +0200 Subject: add gcc_plugin to code formatter and run it --- Makefile | 3 + gcc_plugin/afl-gcc-fast.c | 144 ++-- gcc_plugin/afl-gcc-pass.so.cc | 768 +++++++++++---------- gcc_plugin/afl-gcc-rt.o.c | 32 +- include/afl-fuzz.h | 2 +- src/afl-fuzz-bitmap.c | 8 +- src/afl-fuzz-globals.c | 4 +- src/afl-fuzz-init.c | 6 +- src/afl-fuzz-run.c | 6 +- src/afl-fuzz-stats.c | 18 +- src/afl-fuzz.c | 8 +- test-instr.c | 4 +- unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h | 10 +- 13 files changed, 553 insertions(+), 460 deletions(-) (limited to 'src') diff --git a/Makefile b/Makefile index 7e3764a8..ce0d6781 100644 --- a/Makefile +++ b/Makefile @@ -213,6 +213,9 @@ code-format: ./.custom-format.py -i llvm_mode/*.c ./.custom-format.py -i llvm_mode/*.h ./.custom-format.py -i llvm_mode/*.cc + ./.custom-format.py -i gcc_plugin/*.c + ./.custom-format.py -i gcc_plugin/*.h + ./.custom-format.py -i gcc_plugin/*.cc ./.custom-format.py -i qemu_mode/patches/*.h ./.custom-format.py -i qemu_mode/libcompcov/*.c ./.custom-format.py -i qemu_mode/libcompcov/*.cc diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 25ecf310..73709321 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -36,16 +36,15 @@ #include #include -static u8* obj_path; /* Path to runtime libraries */ -static u8** cc_params; /* Parameters passed to the real CC */ -static u32 cc_par_cnt = 1; /* Param count, including argv0 */ - +static u8* obj_path; /* Path to runtime libraries */ +static u8** cc_params; /* Parameters passed to the real CC */ +static u32 cc_par_cnt = 1; /* Param count, including argv0 */ /* Try to find the runtime libraries. If that fails, abort. */ static void find_obj(u8* argv0) { - u8 *afl_path = getenv("AFL_PATH"); + u8* afl_path = getenv("AFL_PATH"); u8 *slash, *tmp; if (afl_path) { 
@@ -53,9 +52,11 @@ static void find_obj(u8* argv0) { tmp = alloc_printf("%s/afl-gcc-rt.o", afl_path); if (!access(tmp, R_OK)) { + obj_path = afl_path; ck_free(tmp); return; + } ck_free(tmp); @@ -66,7 +67,7 @@ static void find_obj(u8* argv0) { if (slash) { - u8 *dir; + u8* dir; *slash = 0; dir = ck_strdup(argv0); @@ -75,9 +76,11 @@ static void find_obj(u8* argv0) { tmp = alloc_printf("%s/afl-gcc-rt.o", dir); if (!access(tmp, R_OK)) { + obj_path = dir; ck_free(tmp); return; + } ck_free(tmp); @@ -86,35 +89,44 @@ static void find_obj(u8* argv0) { } if (!access(AFL_PATH "/afl-gcc-rt.o", R_OK)) { + obj_path = AFL_PATH; return; + } - FATAL("Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set AFL_PATH"); -} + FATAL( + "Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set " + "AFL_PATH"); +} /* Copy argv to cc_params, making the necessary edits. */ static void edit_params(u32 argc, char** argv) { - u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; - u8 *name; + u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; + u8* name; cc_params = ck_alloc((argc + 64) * sizeof(u8*)); name = strrchr(argv[0], '/'); - if (!name) name = argv[0]; else ++name; + if (!name) + name = argv[0]; + else + ++name; if (!strcmp(name, "afl-g++-fast")) { + u8* alt_cxx = getenv("AFL_CXX"); cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; + } else { + u8* alt_cc = getenv("AFL_CC"); cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; - } - + } char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); cc_params[cc_par_cnt++] = fplugin_arg; @@ -124,6 +136,7 @@ static void edit_params(u32 argc, char** argv) { if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0; while (--argc) { + u8* cur = *(++argv); #if defined(__x86_64__) 
@@ -133,10 +146,11 @@ static void edit_params(u32 argc, char** argv) { if (!strcmp(cur, "-x")) x_set = 1; if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E") || - !strcmp(cur, "-v")) maybe_linking = 0; + !strcmp(cur, "-v")) + maybe_linking = 0; - if (!strcmp(cur, "-fsanitize=address") || - !strcmp(cur, "-fsanitize=memory")) asan_set = 1; + if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) + asan_set = 1; if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; @@ -150,8 +164,7 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fstack-protector-all"; - if (!fortify_set) - cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; + if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; } 
@@ -217,31 +230,37 @@ static void edit_params(u32 argc, char** argv) { */ - cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" - "({ static volatile char *_B __attribute__((used)); " - " _B = (char*)\"" PERSIST_SIG "\"; " + cc_params[cc_par_cnt++] = + "-D__AFL_LOOP(_A)=" + "({ static volatile char *_B __attribute__((used)); " + " _B = (char*)\"" PERSIST_SIG + "\"; " #ifdef __APPLE__ - "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); " + "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); " #else - "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); " -#endif /* ^__APPLE__ */ - "_L(_A); })"; - - cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" - "do { static volatile char *_A __attribute__((used)); " - " _A = (char*)\"" DEFER_SIG "\"; " + "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); " +#endif /* ^__APPLE__ */ + "_L(_A); })"; + + cc_params[cc_par_cnt++] = + "-D__AFL_INIT()=" + "do { static volatile char *_A __attribute__((used)); " + " _A = (char*)\"" DEFER_SIG + "\"; " #ifdef __APPLE__ - "void _I(void) __asm__(\"___afl_manual_init\"); " + "void _I(void) __asm__(\"___afl_manual_init\"); " #else - "void _I(void) __asm__(\"__afl_manual_init\"); " -#endif /* ^__APPLE__ */ - "_I(); } while (0)"; + "void _I(void) __asm__(\"__afl_manual_init\"); " +#endif /* ^__APPLE__ */ + "_I(); } while (0)"; if (maybe_linking) { if (x_set) { + cc_params[cc_par_cnt++] = "-x"; cc_params[cc_par_cnt++] = "none"; + } cc_params[cc_par_cnt++] = alloc_printf("%s/afl-gcc-rt.o", obj_path); 
@@ -252,46 +271,58 @@ static void edit_params(u32 argc, char** argv) { } - /* Main entry point */ int main(int argc, char** argv) { if (argc < 2 || strcmp(argv[1], "-h") == 0) { - printf(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n" - "\n" - "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" - "for gcc, letting you recompile third-party code with the required runtime\n" - "instrumentation. A common use pattern would be one of the following:\n\n" - - " CC=%s/afl-gcc-fast ./configure\n" - " CXX=%s/afl-g++-fast ./configure\n\n" - - "In contrast to the traditional afl-gcc tool, this version is implemented as\n" - "a GCC plugin and tends to offer improved performance with slow programs\n" - "(similarly to the LLVM plugin used by afl-clang-fast).\n\n" - - "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. Setting\n" - "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", - BIN_PATH, BIN_PATH); + printf( + cCYA + "afl-gcc-fast" VERSION cRST + " initially by , maintainer: hexcoder-\n" + "\n" + "This is a helper application for afl-fuzz. It serves as a drop-in " + "replacement\n" + "for gcc, letting you recompile third-party code with the required " + "runtime\n" + "instrumentation. A common use pattern would be one of the " + "following:\n\n" + + " CC=%s/afl-gcc-fast ./configure\n" + " CXX=%s/afl-g++-fast ./configure\n\n" + + "In contrast to the traditional afl-gcc tool, this version is " + "implemented as\n" + "a GCC plugin and tends to offer improved performance with slow " + "programs\n" + "(similarly to the LLVM plugin used by afl-clang-fast).\n\n" + + "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. 
" + "Setting\n" + "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", + BIN_PATH, BIN_PATH); exit(1); } else if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(cCYA "afl-gcc-fast" VERSION cRST " initially by , maintainer: hexcoder-\n"); + SAYF(cCYA "afl-gcc-fast" VERSION cRST + " initially by , maintainer: hexcoder-\n"); } find_obj(argv[0]); edit_params(argc, argv); -/*if (isatty(2) && !getenv("AFL_QUIET")) { - printf("Calling \"%s\" with:\n", cc_params[0]); - for(int i=1; i #include #include 
@@ -92,191 +92,206 @@ /* -------------------------------------------------------------------------- */ /* -- AFL instrumentation pass ---------------------------------------------- */ -static int be_quiet = 0; -static unsigned int inst_ratio = 100; -static bool inst_ext = true; +static int be_quiet = 0; +static unsigned int inst_ratio = 100; +static bool inst_ext = true; static std::list myWhitelist; static unsigned int ext_call_instrument(function *fun) { - /* Instrument all the things! */ - basic_block bb; - unsigned finst_blocks = 0; - unsigned fcnt_blocks = 0; - - tree fntype = build_function_type_list( - void_type_node, /* return */ - uint32_type_node, /* args */ - NULL_TREE); /* done */ - tree fndecl = build_fn_decl("__afl_trace", fntype); - TREE_STATIC(fndecl) = 1; /* Defined elsewhere */ - TREE_PUBLIC(fndecl) = 1; /* Public */ - DECL_EXTERNAL(fndecl) = 1; /* External linkage */ - DECL_ARTIFICIAL(fndecl) = 1; /* Injected by compiler */ - - FOR_EACH_BB_FN(bb, fun) { - gimple_seq fcall; - gimple_seq seq = NULL; - gimple_stmt_iterator bentry; - ++fcnt_blocks; - - // only instrument if this basic block is the destination of a previous - // basic block that has multiple successors - // this gets rid of ~5-10% of instrumentations that are unnecessary - // result: a little more speed and less map pollution - - int more_than_one = -1; - edge ep; - edge_iterator eip; - FOR_EACH_EDGE (ep, eip, bb->preds) { - int count = 0; - if (more_than_one == -1) - more_than_one = 0; - - basic_block Pred = ep->src; - edge es; - edge_iterator eis; - FOR_EACH_EDGE (es, eis, Pred->succs) { - basic_block Succ = es->dest; - if (Succ != NULL) count++; - } - if (count > 1) - more_than_one = 1; - } - if (more_than_one != 1) - continue; - - /* Bail on this block if we trip the specified ratio */ - if (R(100) >= inst_ratio) continue; - - /* Make up cur_loc */ - unsigned int rand_loc = R(MAP_SIZE); - tree cur_loc = build_int_cst(uint32_type_node, rand_loc); - - /* Update bitmap via external 
call */ - /* to quote: - * /+ Trace a basic block with some ID +/ - * void __afl_trace(u32 x); - */ - - fcall = gimple_build_call(fndecl, 1, cur_loc); /* generate the function _call_ to above built reference, with *1* parameter -> the random const for the location */ - gimple_seq_add_stmt(&seq, fcall); /* and insert into a sequence */ - - /* Done - grab the entry to the block and insert sequence */ - bentry = gsi_after_labels(bb); - gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT); - - ++finst_blocks; - } - - /* Say something nice. */ - if (!be_quiet) { - if (!finst_blocks) - WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST ), - function_name(fun)); - else if (finst_blocks < fcnt_blocks) - OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST ), - finst_blocks, fcnt_blocks, - function_name(fun)); - else - OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST ), - finst_blocks, - function_name(fun)); - } - - return 0; + + /* Instrument all the things! */ + basic_block bb; + unsigned finst_blocks = 0; + unsigned fcnt_blocks = 0; + + tree fntype = build_function_type_list(void_type_node, /* return */ + uint32_type_node, /* args */ + NULL_TREE); /* done */ + tree fndecl = build_fn_decl("__afl_trace", fntype); + TREE_STATIC(fndecl) = 1; /* Defined elsewhere */ + TREE_PUBLIC(fndecl) = 1; /* Public */ + DECL_EXTERNAL(fndecl) = 1; /* External linkage */ + DECL_ARTIFICIAL(fndecl) = 1; /* Injected by compiler */ + + FOR_EACH_BB_FN(bb, fun) { + + gimple_seq fcall; + gimple_seq seq = NULL; + gimple_stmt_iterator bentry; + ++fcnt_blocks; + + // only instrument if this basic block is the destination of a previous + // basic block that has multiple successors + // this gets rid of ~5-10% of instrumentations that are unnecessary + // result: a little more speed and less map pollution + + int more_than_one = -1; + edge ep; + edge_iterator eip; + FOR_EACH_EDGE(ep, eip, bb->preds) { + + int count = 0; + if (more_than_one == -1) more_than_one = 0; + + 
basic_block Pred = ep->src; + edge es; + edge_iterator eis; + FOR_EACH_EDGE(es, eis, Pred->succs) { + + basic_block Succ = es->dest; + if (Succ != NULL) count++; + + } + + if (count > 1) more_than_one = 1; + + } + + if (more_than_one != 1) continue; + + /* Bail on this block if we trip the specified ratio */ + if (R(100) >= inst_ratio) continue; + + /* Make up cur_loc */ + unsigned int rand_loc = R(MAP_SIZE); + tree cur_loc = build_int_cst(uint32_type_node, rand_loc); + + /* Update bitmap via external call */ + /* to quote: + * /+ Trace a basic block with some ID +/ + * void __afl_trace(u32 x); + */ + + fcall = gimple_build_call( + fndecl, 1, + cur_loc); /* generate the function _call_ to above built reference, with + *1* parameter -> the random const for the location */ + gimple_seq_add_stmt(&seq, fcall); /* and insert into a sequence */ + + /* Done - grab the entry to the block and insert sequence */ + bentry = gsi_after_labels(bb); + gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT); + + ++finst_blocks; + + } + + /* Say something nice. */ + if (!be_quiet) { + + if (!finst_blocks) + WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST), + function_name(fun)); + else if (finst_blocks < fcnt_blocks) + OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST), + finst_blocks, fcnt_blocks, function_name(fun)); + else + OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks, + function_name(fun)); + + } + + return 0; + } static unsigned int inline_instrument(function *fun) { - /* Instrument all the things! 
*/ - basic_block bb; - unsigned finst_blocks = 0; - unsigned fcnt_blocks = 0; - - /* Set up global type declarations */ - tree map_type = build_pointer_type(unsigned_char_type_node); - tree map_ptr_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, - get_identifier_with_length("__afl_area_ptr", 14), map_type); - TREE_USED(map_ptr_g) = 1; - TREE_STATIC(map_ptr_g) = 1; /* Defined elsewhere */ - DECL_EXTERNAL(map_ptr_g) = 1; /* External linkage */ - DECL_PRESERVE_P(map_ptr_g) = 1; - DECL_ARTIFICIAL(map_ptr_g) = 1; /* Injected by compiler */ - rest_of_decl_compilation(map_ptr_g, 1, 0); - - tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, - get_identifier_with_length("__afl_prev_loc", 14), uint32_type_node); - TREE_USED(prev_loc_g) = 1; - TREE_STATIC(prev_loc_g) = 1; /* Defined elsewhere */ - DECL_EXTERNAL(prev_loc_g) = 1; /* External linkage */ - DECL_PRESERVE_P(prev_loc_g) = 1; - DECL_ARTIFICIAL(prev_loc_g) = 1; /* Injected by compiler */ - rest_of_decl_compilation(prev_loc_g, 1, 0); - - FOR_EACH_BB_FN(bb, fun) { - gimple_seq seq = NULL; - gimple_stmt_iterator bentry; - ++fcnt_blocks; - - // only instrument if this basic block is the destination of a previous - // basic block that has multiple successors - // this gets rid of ~5-10% of instrumentations that are unnecessary - // result: a little more speed and less map pollution - - int more_than_one = -1; - edge ep; - edge_iterator eip; - FOR_EACH_EDGE (ep, eip, bb->preds) { - int count = 0; - if (more_than_one == -1) - more_than_one = 0; - - basic_block Pred = ep->src; - edge es; - edge_iterator eis; - FOR_EACH_EDGE (es, eis, Pred->succs) { - basic_block Succ = es->dest; - if (Succ != NULL) count++; - } - if (count > 1) - more_than_one = 1; - } - if (more_than_one != 1) - continue; - - /* Bail on this block if we trip the specified ratio */ - if (R(100) >= inst_ratio) continue; - - /* Make up cur_loc */ - - unsigned int rand_loc = R(MAP_SIZE); - tree cur_loc = build_int_cst(uint32_type_node, rand_loc); - - /* Load 
prev_loc, xor with cur_loc */ - // gimple_assign - tree prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc"); - gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g); - gimple_seq_add_stmt(&seq, g); // load prev_loc - update_stmt(g); + /* Instrument all the things! */ + basic_block bb; + unsigned finst_blocks = 0; + unsigned fcnt_blocks = 0; - // gimple_assign - tree area_off = create_tmp_var_raw(uint32_type_node, "area_off"); - g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc); - gimple_seq_add_stmt(&seq, g); // area_off = prev_loc ^ cur_loc - update_stmt(g); + /* Set up global type declarations */ + tree map_type = build_pointer_type(unsigned_char_type_node); + tree map_ptr_g = + build_decl(UNKNOWN_LOCATION, VAR_DECL, + get_identifier_with_length("__afl_area_ptr", 14), map_type); + TREE_USED(map_ptr_g) = 1; + TREE_STATIC(map_ptr_g) = 1; /* Defined elsewhere */ + DECL_EXTERNAL(map_ptr_g) = 1; /* External linkage */ + DECL_PRESERVE_P(map_ptr_g) = 1; + DECL_ARTIFICIAL(map_ptr_g) = 1; /* Injected by compiler */ + rest_of_decl_compilation(map_ptr_g, 1, 0); - /* Update bitmap */ + tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL, + get_identifier_with_length("__afl_prev_loc", 14), + uint32_type_node); + TREE_USED(prev_loc_g) = 1; + TREE_STATIC(prev_loc_g) = 1; /* Defined elsewhere */ + DECL_EXTERNAL(prev_loc_g) = 1; /* External linkage */ + DECL_PRESERVE_P(prev_loc_g) = 1; + DECL_ARTIFICIAL(prev_loc_g) = 1; /* Injected by compiler */ + rest_of_decl_compilation(prev_loc_g, 1, 0); - tree one = build_int_cst(unsigned_char_type_node, 1); -// tree zero = build_int_cst(unsigned_char_type_node, 0); + FOR_EACH_BB_FN(bb, fun) { - // gimple_assign - tree map_ptr = create_tmp_var(map_type, "map_ptr"); - tree map_ptr2 = create_tmp_var(map_type, "map_ptr2"); + gimple_seq seq = NULL; + gimple_stmt_iterator bentry; + ++fcnt_blocks; - g = gimple_build_assign(map_ptr, map_ptr_g); - gimple_seq_add_stmt(&seq, g); // map_ptr = __afl_area_ptr - 
update_stmt(g); + // only instrument if this basic block is the destination of a previous + // basic block that has multiple successors + // this gets rid of ~5-10% of instrumentations that are unnecessary + // result: a little more speed and less map pollution + + int more_than_one = -1; + edge ep; + edge_iterator eip; + FOR_EACH_EDGE(ep, eip, bb->preds) { + + int count = 0; + if (more_than_one == -1) more_than_one = 0; + + basic_block Pred = ep->src; + edge es; + edge_iterator eis; + FOR_EACH_EDGE(es, eis, Pred->succs) { + + basic_block Succ = es->dest; + if (Succ != NULL) count++; + + } + + if (count > 1) more_than_one = 1; + + } + + if (more_than_one != 1) continue; + + /* Bail on this block if we trip the specified ratio */ + if (R(100) >= inst_ratio) continue; + + /* Make up cur_loc */ + + unsigned int rand_loc = R(MAP_SIZE); + tree cur_loc = build_int_cst(uint32_type_node, rand_loc); + + /* Load prev_loc, xor with cur_loc */ + // gimple_assign + tree prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc"); + gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g); + gimple_seq_add_stmt(&seq, g); // load prev_loc + update_stmt(g); + + // gimple_assign + tree area_off = create_tmp_var_raw(uint32_type_node, "area_off"); + g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc); + gimple_seq_add_stmt(&seq, g); // area_off = prev_loc ^ cur_loc + update_stmt(g); + + /* Update bitmap */ + + tree one = build_int_cst(unsigned_char_type_node, 1); + // tree zero = build_int_cst(unsigned_char_type_node, 0); + + // gimple_assign + tree map_ptr = create_tmp_var(map_type, "map_ptr"); + tree map_ptr2 = create_tmp_var(map_type, "map_ptr2"); + + g = gimple_build_assign(map_ptr, map_ptr_g); + gimple_seq_add_stmt(&seq, g); // map_ptr = __afl_area_ptr + update_stmt(g); #if 0 tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); 
@@ -284,68 +299,69 @@ static unsigned int inline_instrument(function *fun) { gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); #else - g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); - gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off - update_stmt(g); + g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); + gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off + update_stmt(g); #endif - // gimple_assign - tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); - g = gimple_build_assign(tmp1, MEM_REF, map_ptr2); - gimple_seq_add_stmt(&seq, g); // tmp1 = *map_ptr2 - update_stmt(g); + // gimple_assign + tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); + g = gimple_build_assign(tmp1, MEM_REF, map_ptr2); + gimple_seq_add_stmt(&seq, g); // tmp1 = *map_ptr2 + update_stmt(g); - // gimple_assign - tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2"); - g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one); - gimple_seq_add_stmt(&seq, g); // tmp2 = tmp1 + 1 - update_stmt(g); + // gimple_assign + tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2"); + g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one); + gimple_seq_add_stmt(&seq, g); // tmp2 = tmp1 + 1 + update_stmt(g); - // TODO: neverZero: here we have to check if tmp3 == 0 - // and add 1 if so + // TODO: neverZero: here we have to check if tmp3 == 0 + // and add 1 if so - // gimple_assign -// tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3"); - g = gimple_build_assign(map_ptr_g, INDIRECT_REF, tmp2); - gimple_seq_add_stmt(&seq, g); // *map_ptr3 = tmp2 - update_stmt(g); + // gimple_assign + // tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3"); + g = gimple_build_assign(map_ptr_g, INDIRECT_REF, tmp2); + gimple_seq_add_stmt(&seq, g); // *map_ptr3 = tmp2 + update_stmt(g); - /* Set prev_loc to cur_loc >> 1 */ + /* Set prev_loc to cur_loc >> 1 */ - // gimple_assign - tree shifted_loc = 
build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1); - tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2"); - g = gimple_build_assign(prev_loc2, shifted_loc); - gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 - update_stmt(g); - g = gimple_build_assign(prev_loc_g, prev_loc2); - gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 - update_stmt(g); + // gimple_assign + tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1); + tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2"); + g = gimple_build_assign(prev_loc2, shifted_loc); + gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 + update_stmt(g); + g = gimple_build_assign(prev_loc_g, prev_loc2); + gimple_seq_add_stmt(&seq, g); // __afl_prev_loc = cur_loc >> 1 + update_stmt(g); + + /* Done - grab the entry to the block and insert sequence */ + + bentry = gsi_after_labels(bb); + gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT); + + ++finst_blocks; - /* Done - grab the entry to the block and insert sequence */ + } - bentry = gsi_after_labels(bb); - gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT); + /* Say something nice. */ + if (!be_quiet) { - ++finst_blocks; - } + if (!finst_blocks) + WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST), + function_name(fun)); + else if (finst_blocks < fcnt_blocks) + OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST), + finst_blocks, fcnt_blocks, function_name(fun)); + else + OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks, + function_name(fun)); - /* Say something nice. 
*/ - if (!be_quiet) { - if (!finst_blocks) - WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST ), - function_name(fun)); - else if (finst_blocks < fcnt_blocks) - OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST ), - finst_blocks, fcnt_blocks, - function_name(fun)); - else - OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST ), - finst_blocks, - function_name(fun)); - } + } + return 0; - return 0; } /* -------------------------------------------------------------------------- */ 
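Review bot: The store that writes the incremented counter back uses `map_ptr_g` as its left-hand side (`g = gimple_build_assign(map_ptr_g, INDIRECT_REF, tmp2);`) while the comment next to it says `*map_ptr3 = tmp2` and the address computed two statements earlier is `map_ptr2`; if that assignment really targets the `__afl_area_ptr` declaration rather than the byte it points at, the bitmap is never updated and the global pointer is clobbered on every instrumented block. This is inherited code the reformat does not touch, but it is worth confirming against the GIMPLE builder semantics before relying on inline mode, and the `// TODO: neverZero` comment above it still stands since `tmp2 = tmp1 + 1` on `unsigned_char_type_node` can wrap to zero. If the lhs is correct after all, a comment such as `// store through the computed address; lhs is the pointed-to byte, not the __afl_area_ptr decl` would spare the next reader the same question. inline_instrument starts before this hunk.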
@@ -353,80 +369,102 @@ static unsigned int inline_instrument(function *fun) { static const struct pass_data afl_pass_data = { - .type = GIMPLE_PASS, - .name = "afl-inst", - .optinfo_flags = OPTGROUP_NONE, - - .tv_id = TV_NONE, - .properties_required = 0, - .properties_provided = 0, - .properties_destroyed = 0, - .todo_flags_start = 0, - // NOTE(aseipp): it's very, very important to include - // at least 'TODO_update_ssa' here so that GCC will - // properly update the resulting SSA form, e.g., to - // include new PHI nodes for newly added symbols or - // names. Do not remove this. Do not taunt Happy Fun - // Ball. - .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg, + .type = GIMPLE_PASS, + .name = "afl-inst", + .optinfo_flags = OPTGROUP_NONE, + + .tv_id = TV_NONE, + .properties_required = 0, + .properties_provided = 0, + .properties_destroyed = 0, + .todo_flags_start = 0, + // NOTE(aseipp): it's very, very important to include + // at least 'TODO_update_ssa' here so that GCC will + // properly update the resulting SSA form, e.g., to + // include new PHI nodes for newly added symbols or + // names. Do not remove this. Do not taunt Happy Fun + // Ball. + .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg, + }; namespace { class afl_pass : public gimple_opt_pass { -private: - bool do_ext_call; - -public: - afl_pass(bool ext_call, gcc::context *g) : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) {} - - virtual unsigned int execute(function *fun) { - - if (!myWhitelist.empty()) { - bool instrumentBlock = false; - - /* EXPR_FILENAME - This macro returns the name of the file in which the entity was declared, as - a char*. For an entity declared implicitly by the compiler (like __builtin_ - memcpy), this will be the string "". 
- */ - const char *fname = DECL_SOURCE_FILE(fun->decl); - - if (0 != strncmp("", fname, 10) - && 0 != strncmp("", fname, 10)) - { - std::string instFilename(fname); - - /* Continue only if we know where we actually are */ - if (!instFilename.empty()) { - for (std::list::iterator it = myWhitelist.begin(); it != myWhitelist.end(); ++it) { - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. */ - if (instFilename.length() >= it->length()) { - if (instFilename.compare(instFilename.length() - it->length(), it->length(), *it) == 0) { - instrumentBlock = true; - break; - } - } - } - } - } - - /* Either we couldn't figure out our location or the location is - * not whitelisted, so we skip instrumentation. */ - if (!instrumentBlock) return 0; - } - - return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); - } -}; /* class afl_pass */ - -} /* anon namespace */ + + private: + bool do_ext_call; + + public: + afl_pass(bool ext_call, gcc::context *g) + : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) { + + } + + virtual unsigned int execute(function *fun) { + + if (!myWhitelist.empty()) { + + bool instrumentBlock = false; + + /* EXPR_FILENAME + This macro returns the name of the file in which the entity was declared, + as a char*. For an entity declared implicitly by the compiler (like + __builtin_ memcpy), this will be the string "". + */ + const char *fname = DECL_SOURCE_FILE(fun->decl); + + if (0 != strncmp("", fname, 10) && + 0 != strncmp("", fname, 10)) { + + std::string instFilename(fname); + + /* Continue only if we know where we actually are */ + if (!instFilename.empty()) { + + for (std::list::iterator it = myWhitelist.begin(); + it != myWhitelist.end(); ++it) { + + /* We don't check for filename equality here because + * filenames might actually be full paths. 
Instead we + * check that the actual filename ends in the filename + * specified in the list. */ + if (instFilename.length() >= it->length()) { + + if (instFilename.compare(instFilename.length() - it->length(), + it->length(), *it) == 0) { + + instrumentBlock = true; + break; + + } + + } + + } + + } + + } + + /* Either we couldn't figure out our location or the location is + * not whitelisted, so we skip instrumentation. */ + if (!instrumentBlock) return 0; + + } + + return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun); + + } + +}; /* class afl_pass */ + +} // namespace static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) { - return new afl_pass(ext_call, ctxt); + + return new afl_pass(ext_call, ctxt); + } /* -------------------------------------------------------------------------- */ 
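Review bot: An empty entry in `myWhitelist` matches every function: in the loop in `execute`, `instFilename.length() >= it->length()` is trivially true for a zero-length entry and `instFilename.compare(instFilename.length(), 0, *it)` compares two empty strings and returns 0, so `instrumentBlock` is set and the whitelist silently degrades to "instrument everything". The loader in the `plugin_init` hunk (`@@ -435,71 +473,93 @@`) pushes every line it reads, so one blank line in the `AFL_GCC_WHITELIST` file is enough to trigger this. A one-line guard at the top of the loop body, `if (it->empty()) continue;`, closes it (or skip blank lines when loading). The comment above `DECL_SOURCE_FILE` still describes `EXPR_FILENAME`, which is not what the code calls.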
@@ -435,71 +473,93 @@ static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) { int plugin_is_GPL_compatible = 1; static struct plugin_info afl_plugin_info = { - .version = "20191015", - .help = "AFL++ gcc plugin\n", + + .version = "20191015", + .help = "AFL++ gcc plugin\n", + }; -int plugin_init(struct plugin_name_args *plugin_info, +int plugin_init(struct plugin_name_args * plugin_info, struct plugin_gcc_version *version) { - struct register_pass_info afl_pass_info; - struct timeval tv; - struct timezone tz; - u32 rand_seed; - - /* Setup random() so we get Actually Random(TM) outputs from R() */ - gettimeofday(&tv, &tz); - rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); - srandom(rand_seed); - - /* Pass information */ - afl_pass_info.pass = make_afl_pass(inst_ext, g); - afl_pass_info.reference_pass_name = "ssa"; - afl_pass_info.ref_pass_instance_number = 1; - afl_pass_info.pos_op = PASS_POS_INSERT_AFTER; - - if (!plugin_default_version_check(version, &gcc_version)) { - FATAL(G_("Incompatible gcc/plugin versions!")); - } - - /* Show a banner */ - if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST " initially by , maintainer: hexcoder-\n")); - } else - be_quiet = 1; - - /* Decide instrumentation ratio */ - char* inst_ratio_str = getenv("AFL_INST_RATIO"); - - if (inst_ratio_str) { - if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio || inst_ratio > 100) - FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)")); - else { - if (!be_quiet) - ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), - inst_ext ? G_("Call-based") : G_("Inline"), - inst_ratio, - getenv("AFL_HARDEN") ? 
G_("hardened") : G_("non-hardened")); - } - } - - char* instWhiteListFilename = getenv("AFL_GCC_WHITELIST"); - if (instWhiteListFilename) { - std::string line; - std::ifstream fileStream; - fileStream.open(instWhiteListFilename); - if (!fileStream) - fatal_error(0, "Unable to open AFL_GCC_WHITELIST"); - getline(fileStream, line); - while (fileStream) { - myWhitelist.push_back(line); - getline(fileStream, line); - } - } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST")) - SAYF(cYEL "[-] " cRST "AFL_LLVM_WHITELIST environment variable detected - did you mean AFL_GCC_WHITELIST?\n"); + struct register_pass_info afl_pass_info; + struct timeval tv; + struct timezone tz; + u32 rand_seed; + + /* Setup random() so we get Actually Random(TM) outputs from R() */ + gettimeofday(&tv, &tz); + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + srandom(rand_seed); + + /* Pass information */ + afl_pass_info.pass = make_afl_pass(inst_ext, g); + afl_pass_info.reference_pass_name = "ssa"; + afl_pass_info.ref_pass_instance_number = 1; + afl_pass_info.pos_op = PASS_POS_INSERT_AFTER; + + if (!plugin_default_version_check(version, &gcc_version)) { + + FATAL(G_("Incompatible gcc/plugin versions!")); + + } + + /* Show a banner */ + if (isatty(2) && !getenv("AFL_QUIET")) { + + SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST + " initially by , maintainer: hexcoder-\n")); + + } else + + be_quiet = 1; + + /* Decide instrumentation ratio */ + char *inst_ratio_str = getenv("AFL_INST_RATIO"); + + if (inst_ratio_str) { + + if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio || + inst_ratio > 100) + FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)")); + else { + + if (!be_quiet) + ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."), + inst_ext ? G_("Call-based") : G_("Inline"), inst_ratio, + getenv("AFL_HARDEN") ? 
G_("hardened") : G_("non-hardened")); + + } + + } + + char *instWhiteListFilename = getenv("AFL_GCC_WHITELIST"); + if (instWhiteListFilename) { + + std::string line; + std::ifstream fileStream; + fileStream.open(instWhiteListFilename); + if (!fileStream) fatal_error(0, "Unable to open AFL_GCC_WHITELIST"); + getline(fileStream, line); + while (fileStream) { + + myWhitelist.push_back(line); + getline(fileStream, line); + + } + + } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST")) + + SAYF(cYEL "[-] " cRST + "AFL_LLVM_WHITELIST environment variable detected - did you mean " + "AFL_GCC_WHITELIST?\n"); + + /* Go go gadget */ + register_callback(plugin_info->base_name, PLUGIN_INFO, NULL, + &afl_plugin_info); + register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL, + &afl_pass_info); + return 0; - /* Go go gadget */ - register_callback(plugin_info->base_name, PLUGIN_INFO, NULL, &afl_plugin_info); - register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &afl_pass_info); - return 0; } + diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 8e72e108..f6754bd4 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c 
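Review bot: The whitelist read loop in `plugin_init` uses the priming-read form (`getline(fileStream, line); while (fileStream) { ...; getline(fileStream, line); }`), which duplicates the read call where the idiomatic `while (getline(fileStream, line)) myWhitelist.push_back(line);` behaves identically in fewer lines. The same block reports an unreadable file with `fatal_error(0, "Unable to open AFL_GCC_WHITELIST")` while every other failure in this function goes through `FATAL(G_(...))`; picking one keeps the diagnostics uniform. `struct timezone tz` is only passed to `gettimeofday` and never read, so `gettimeofday(&tv, NULL);` drops the obsolete argument and the local.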
@@ -34,27 +34,27 @@ #include #include - /* Globals needed by the injected instrumentation. The __afl_area_initial region - is used for instrumentation output before __afl_map_shm() has a chance to run. - It will end up as .comm, so it shouldn't be too wasteful. */ + is used for instrumentation output before __afl_map_shm() has a chance to + run. It will end up as .comm, so it shouldn't be too wasteful. */ u8 __afl_area_initial[MAP_SIZE]; -u8* __afl_area_ptr = __afl_area_initial; +u8 *__afl_area_ptr = __afl_area_initial; u32 __afl_prev_loc; - /* Running in persistent mode? */ static u8 is_persistent; /* Trace a basic block with some ID */ void __afl_trace(u32 x) { + u32 l = __afl_prev_loc; u32 n = l ^ x; - *(__afl_area_ptr+n) += 1; + *(__afl_area_ptr + n) += 1; __afl_prev_loc = (x >> 1); return; + } /* SHM setup. */ @@ -86,15 +86,14 @@ static void __afl_map_shm(void) { } - /* Fork server logic. */ static void __afl_start_forkserver(void) { static u8 tmp[4]; - s32 child_pid; + s32 child_pid; - u8 child_stopped = 0; + u8 child_stopped = 0; /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ @@ -115,8 +114,10 @@ static void __afl_start_forkserver(void) { process. */ if (child_stopped && was_killed) { + child_stopped = 0; if (waitpid(child_pid, &status, 0) < 0) exit(1); + } if (!child_stopped) { @@ -150,8 +151,7 @@ static void __afl_start_forkserver(void) { if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1); - if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) - exit(1); + if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(1); /* In persistent mode, the child stops itself with SIGSTOP to indicate a successful run. In this case, we want to wake it up without forking 
@@ -167,7 +167,6 @@ static void __afl_start_forkserver(void) { } - /* A simplified persistent mode handler, used as explained in README.llvm. */ int __afl_persistent_loop(unsigned int max_cnt) { @@ -177,7 +176,7 @@ int __afl_persistent_loop(unsigned int max_cnt) { if (first_pass) { - cycle_cnt = max_cnt; + cycle_cnt = max_cnt; first_pass = 0; return 1; @@ -188,10 +187,11 @@ int __afl_persistent_loop(unsigned int max_cnt) { raise(SIGSTOP); return 1; - } else return 0; + } else -} + return 0; +} /* This one can be called from user code when deferred forkserver mode is enabled. */ @@ -210,7 +210,6 @@ void __afl_manual_init(void) { } - /* Proper initialization routine. */ __attribute__((constructor(101))) void __afl_auto_init(void) { @@ -222,3 +221,4 @@ __attribute__((constructor(101))) void __afl_auto_init(void) { __afl_manual_init(); } + diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 5da41a3e..7e9ced46 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -252,7 +252,7 @@ extern u8 *in_dir, /* Input directory with test cases */ *file_extension, /* File extension */ *orig_cmdline, /* Original command line */ *doc_path, /* Path to documentation dir */ - *infoexec, /* Command to execute on a new crash */ + *infoexec, /* Command to execute on a new crash */ *out_file; /* File to fuzz, if any */ extern u32 exec_tmout; /* Configurable exec timeout (ms) */ diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 746fc982..d001dbee 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -683,10 +683,12 @@ u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { #endif /* ^!SIMPLE_FILES */ ++unique_crashes; - - if (infoexec) // if the user wants to be informed on new crashes - do that + + if (infoexec) // if the user wants to be informed on new crashes - do + // that if (system(infoexec) == -1) - hnb += 0; // we dont care if system errors, but we dont want a compiler warning either + hnb += 0; // we dont care if system errors, but we dont want a + // compiler warning either last_crash_time = get_cur_time(); last_crash_execs = total_execs; diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index a5ccfdf9..8340394a 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -74,8 +74,8 @@ u8 *in_dir, /* Input directory with test cases */ *file_extension, /* File extension */ *orig_cmdline; /* Original command line */ u8 *doc_path, /* Path to documentation dir */ - *infoexec, /* Command to execute on a new crash */ - *out_file; /* File to fuzz, if any */ + *infoexec, /* Command to execute on a new crash */ + *out_file; /* File to fuzz, if any */ u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index a54c53d8..a37ce8ba 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -138,7 +138,8 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { - if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 2) cpu_used[procs[i].ki_oncpu] = 1; + if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 2) + cpu_used[procs[i].ki_oncpu] = 1; } @@ -166,7 +167,8 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { - if (procs[i].p_cpuid < sizeof(cpu_used) && procs[i].p_pctcpu > 0) cpu_used[procs[i].p_cpuid] = 1; + if (procs[i].p_cpuid < sizeof(cpu_used) && procs[i].p_pctcpu > 0) + cpu_used[procs[i].p_cpuid] = 1; } 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index fc235b27..5211921f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -288,8 +288,7 @@ void write_to_testcase(void* mem, u32 len) { if (out_file) { - unlink(out_file); /* Ignore errors. - // */ + unlink(out_file); /* Ignore errors. */ fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -331,8 +330,7 @@ void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { if (out_file) { - unlink(out_file); /* Ignore errors. - // */ + unlink(out_file); /* Ignore errors. */ fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index f1bc1c8a..7e8639f2 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -334,9 +334,9 @@ void show_stats(void) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (dumb_mode) { @@ -413,9 +413,9 @@ void show_stats(void) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", DTD(cur_ms, last_hang_time), tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -443,9 +443,9 @@ void show_stats(void) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); 
@@ -514,7 +514,7 @@ void show_stats(void) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); @@ -633,13 +633,13 @@ void show_stats(void) { sprintf(tmp, "%s/%s", DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB - "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, + "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); } else { SAYF(bV bSTOP " trim : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB - "\n" bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1, + "\n" bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1, tmp); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3460f91d..44037ce8 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -76,7 +76,8 @@ static void usage(u8* argv0) { "Other stuff:\n" " -T text - text banner to show on the screen\n" " -M / -S id - distributed mode (see parallel_fuzzing.txt)\n" - " -I command - execute this command/script when a new crash is found\n" + " -I command - execute this command/script when a new crash is " + "found\n" " -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap " "file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" @@ -138,10 +139,7 @@ int main(int argc, char** argv) { switch (opt) { - case 'I': - - infoexec = optarg; - break; + case 'I': infoexec = optarg; break; case 's': { diff --git a/test-instr.c b/test-instr.c index 3750b1b5..2450dbf4 100644 --- a/test-instr.c +++ b/test-instr.c @@ -35,7 +35,8 @@ int main(int argc, char** argv) { } - // we support three input cases (plus a 4th if stdin is used but there is no input) + // we support three input cases (plus a 4th if stdin is used but there is no + // input) if (buf[0] == '0') printf("Looks like a zero to me!\n"); else if (buf[0] == '1') @@ -46,3 +47,4 @@ int main(int argc, char** argv) { return 0; } + 
diff --git a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h index 12e33b2f..3031d3a6 100644 --- a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h +++ b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h @@ -49,7 +49,7 @@ void HELPER(afl_compcov_log_32)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) { - INC_AFL_AREA(cur_loc +2); + INC_AFL_AREA(cur_loc + 2); if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) { INC_AFL_AREA(cur_loc + 1); @@ -68,7 +68,7 @@ void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) { - INC_AFL_AREA(cur_loc +6); + INC_AFL_AREA(cur_loc + 6); if ((arg1 & 0xff000000000000) == (arg2 & 0xff000000000000)) { INC_AFL_AREA(cur_loc + 5); @@ -84,11 +84,7 @@ void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) { INC_AFL_AREA(cur_loc + 1); - if ((arg1 & 0xff00) == (arg2 & 0xff00)) { - - INC_AFL_AREA(cur_loc); - - } + if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(cur_loc); } } -- cgit 1.4.1 From c83e8e1e6255374b085292ba8673efdca7388d76 Mon Sep 17 00:00:00 2001 
From: hexcoder- Date: Sat, 19 Oct 2019 18:23:01 +0200 Subject: Remove lcamtuf's old email from Google (not valid anymore), also remove maintainance from him. --- Makefile | 2 +- afl-cmin | 4 ++-- afl-plot | 4 ++-- afl-whatsup | 4 ++-- dictionaries/gif.dict | 2 +- dictionaries/html_tags.dict | 2 +- dictionaries/jpeg.dict | 2 +- dictionaries/js.dict | 2 +- dictionaries/png.dict | 2 +- dictionaries/sql.dict | 2 +- dictionaries/tiff.dict | 2 +- dictionaries/webp.dict | 2 +- dictionaries/xml.dict | 2 +- docs/power_schedules.txt | 2 +- experimental/argv_fuzzing/argv-fuzz-inl.h | 2 +- experimental/asan_cgroups/limit_memory.sh | 2 +- experimental/canvas_harness/canvas_harness.html | 2 +- experimental/clang_asm_normalize/as | 2 +- experimental/crash_triage/triage_crashes.sh | 4 ++-- experimental/distributed_fuzzing/sync_script.sh | 2 +- experimental/persistent_demo/persistent_demo.c | 2 +- experimental/post_library/post_library.so.c | 2 +- experimental/post_library/post_library_png.so.c | 2 +- gcc_plugin/Makefile | 2 +- gcc_plugin/afl-gcc-fast.c | 2 +- gcc_plugin/afl-gcc-rt.o.c | 2 +- include/afl-as.h | 2 +- include/afl-fuzz.h | 2 +- include/alloc-inl.h | 2 +- include/android-ashmem.h | 2 +- include/common.h | 2 +- include/config.h | 2 +- include/debug.h | 2 +- include/forkserver.h | 2 +- include/hash.h | 2 +- include/sharedmem.h | 2 +- include/types.h | 2 +- libdislocator/Makefile | 2 +- libdislocator/libdislocator.so.c | 2 +- libtokencap/Makefile | 2 +- libtokencap/libtokencap.so.c | 2 +- llvm_mode/Makefile | 2 +- llvm_mode/afl-clang-fast.c | 2 +- llvm_mode/afl-llvm-pass.so.cc | 2 +- llvm_mode/afl-llvm-rt.o.c | 2 +- qemu_mode/build_qemu_support.sh | 2 +- qemu_mode/patches/afl-qemu-common.h | 2 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 2 +- qemu_mode/patches/afl-qemu-tcg-inl.h | 2 +- qemu_mode/patches/afl-qemu-translate-inl.h | 2 +- src/afl-analyze.c | 4 ++-- src/afl-as.c | 4 ++-- src/afl-common.c | 2 +- 
src/afl-forkserver.c | 2 +- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-extras.c | 2 +- src/afl-fuzz-globals.c | 2 +- src/afl-fuzz-init.c | 2 +- src/afl-fuzz-misc.c | 2 +- src/afl-fuzz-one.c | 2 +- src/afl-fuzz-python.c | 2 +- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 2 +- src/afl-fuzz.c | 4 ++-- src/afl-gcc.c | 6 +++--- src/afl-gotcpu.c | 8 ++++---- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 4 ++-- src/afl-tmin.c | 4 ++-- test-instr.c | 2 +- unicorn_mode/build_unicorn_support.sh | 2 +- unicorn_mode/patches/afl-unicorn-common.h | 2 +- unicorn_mode/patches/afl-unicorn-cpu-inl.h | 2 +- unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h | 2 +- unicorn_mode/patches/afl-unicorn-tcg-op-inl.h | 2 +- unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h | 2 +- 78 files changed, 92 insertions(+), 92 deletions(-) (limited to 'src') diff --git a/Makefile b/Makefile index ce0d6781..cfcd0890 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # american fuzzy lop - makefile # ----------------------------- # -# Written and maintained by Michal Zalewski +# Written by Michal Zalewski # # Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved. # diff --git a/afl-cmin b/afl-cmin index 88635550..e4e0fd85 100755 --- a/afl-cmin +++ b/afl-cmin @@ -3,7 +3,7 @@ # american fuzzy lop - corpus minimization tool # --------------------------------------------- # -# Written and maintained by Michal Zalewski +# Written by Michal Zalewski # # Copyright 2014, 2015 Google Inc. All rights reserved. # @@ -36,7 +36,7 @@ # array sizes. # -echo "corpus minimization tool for afl-fuzz by " +echo "corpus minimization tool for afl-fuzz by Michal Zalewski" echo ######### diff --git a/afl-plot b/afl-plot index bc86fb85..b6108a09 100755 --- a/afl-plot +++ b/afl-plot 
@@ -3,7 +3,7 @@ # american fuzzy lop - Advanced Persistent Graphing # ------------------------------------------------- # -# Written and maintained by Michal Zalewski +# Written by Michal Zalewski # Based on a design & prototype by Michael Rash. # # Copyright 2014, 2015 Google Inc. All rights reserved. @@ -15,7 +15,7 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -echo "progress plotting utility for afl-fuzz by " +echo "progress plotting utility for afl-fuzz by Michal Zalewski" echo if [ ! "$#" = "2" ]; then diff --git a/afl-whatsup b/afl-whatsup index 505f7eba..2666d208 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -3,7 +3,7 @@ # american fuzzy lop - status check tool # -------------------------------------- # -# Written and maintained by Michal Zalewski +# Written by Michal Zalewski # # Copyright 2015 Google Inc. All rights reserved. # @@ -17,7 +17,7 @@ # instances of afl-fuzz. # -echo "status check tool for afl-fuzz by " +echo "status check tool for afl-fuzz by Michal Zalewski" echo test "$1" = "-h" && { echo $0 diff --git a/dictionaries/gif.dict b/dictionaries/gif.dict index 71148937..441b3b8d 100644 --- a/dictionaries/gif.dict +++ b/dictionaries/gif.dict @@ -2,7 +2,7 @@ # AFL dictionary for GIF images # ----------------------------- # -# Created by Michal Zalewski +# Created by Michal Zalewski # header_87a="87a" diff --git a/dictionaries/html_tags.dict b/dictionaries/html_tags.dict index ba946df3..2805de90 100644 --- a/dictionaries/html_tags.dict +++ b/dictionaries/html_tags.dict @@ -5,7 +5,7 @@ # A basic collection of HTML tags likely to matter to HTML parsers. Does *not* # include any attributes or attribute values. # -# Created by Michal Zalewski +# Created by Michal Zalewski # tag_a="" diff --git a/dictionaries/jpeg.dict b/dictionaries/jpeg.dict index 15efede7..40282f1a 100644 --- a/dictionaries/jpeg.dict +++ b/dictionaries/jpeg.dict 
@@ -2,7 +2,7 @@ # AFL dictionary for JPEG images # ------------------------------ # -# Created by Michal Zalewski +# Created by Michal Zalewski # header_jfif="JFIF\x00" diff --git a/dictionaries/js.dict b/dictionaries/js.dict index 9db37bfe..7926364c 100644 --- a/dictionaries/js.dict +++ b/dictionaries/js.dict @@ -4,7 +4,7 @@ # # Contains basic reserved keywords and syntax building blocks. # -# Created by Michal Zalewski +# Created by Michal Zalewski # keyword_arguments="arguments" diff --git a/dictionaries/png.dict b/dictionaries/png.dict index ea12d19e..ad9ea328 100644 --- a/dictionaries/png.dict +++ b/dictionaries/png.dict @@ -5,7 +5,7 @@ # Just the basic, standard-originating sections; does not include vendor # extensions. # -# Created by Michal Zalewski +# Created by Michal Zalewski # header_png="\x89PNG\x0d\x0a\x1a\x0a" diff --git a/dictionaries/sql.dict b/dictionaries/sql.dict index 58342473..efa44ba8 100644 --- a/dictionaries/sql.dict +++ b/dictionaries/sql.dict @@ -11,7 +11,7 @@ # standpoint, because they are usually not allowed in non-privileged # contexts). # -# Created by Michal Zalewski +# Created by Michal Zalewski # function_abs=" abs(1)" diff --git a/dictionaries/tiff.dict b/dictionaries/tiff.dict index 8f04b5af..720e56ce 100644 --- a/dictionaries/tiff.dict +++ b/dictionaries/tiff.dict @@ -5,7 +5,7 @@ # Just the basic, standard-originating sections; does not include vendor # extensions. # -# Created by Michal Zalewski +# Created by Michal Zalewski # header_ii="II*\x00" diff --git a/dictionaries/webp.dict b/dictionaries/webp.dict index 8a70e73b..53aa28c7 100644 --- a/dictionaries/webp.dict +++ b/dictionaries/webp.dict @@ -2,7 +2,7 @@ # AFL dictionary for WebP images # ------------------------------ # -# Created by Michal Zalewski +# Created by Michal Zalewski # header_RIFF="RIFF" diff --git a/dictionaries/xml.dict b/dictionaries/xml.dict index 8127aa28..d8375452 100644 --- a/dictionaries/xml.dict +++ b/dictionaries/xml.dict 
@@ -4,7 +4,7 @@
 #
 # Several basic syntax elements and attributes, modeled on libxml2.
 #
-# Created by Michal Zalewski
+# Created by Michal Zalewski
 #
 attr_encoding=" encoding=\"1\""
diff --git a/docs/power_schedules.txt b/docs/power_schedules.txt
index f5f66bd6..7b9d34c4 100644
--- a/docs/power_schedules.txt
+++ b/docs/power_schedules.txt
@@ -2,7 +2,7 @@ afl++'s power schedules based on AFLfast
 Power schedules implemented by Marcel Böhme \.
-AFLFast is an extension of AFL which was written by Michal Zalewski \.
+AFLFast is an extension of AFL which was written by Michal Zalewski.
 AFLfast has helped in the success of Team Codejitsu at the finals of the DARPA Cyber Grand Challenge where their bot Galactica took **2nd place** in terms of #POVs proven (see red bar at https://www.cybergrandchallenge.com/event#results). AFLFast exposed several previously unreported CVEs that could not be exposed by AFL in 24 hours and otherwise exposed vulnerabilities significantly faster than AFL while generating orders of magnitude more unique crashes.
diff --git a/experimental/argv_fuzzing/argv-fuzz-inl.h b/experimental/argv_fuzzing/argv-fuzz-inl.h
index b042d38c..5d411046 100644
--- a/experimental/argv_fuzzing/argv-fuzz-inl.h
+++ b/experimental/argv_fuzzing/argv-fuzz-inl.h
@@ -2,7 +2,7 @@
 american fuzzy lop - sample argv fuzzing wrapper
 ------------------------------------------------
- Written by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2015 Google Inc. All rights reserved.
diff --git a/experimental/asan_cgroups/limit_memory.sh b/experimental/asan_cgroups/limit_memory.sh
index b0c77d15..97950410 100755
--- a/experimental/asan_cgroups/limit_memory.sh
+++ b/experimental/asan_cgroups/limit_memory.sh
@@ -7,7 +7,7 @@
 # David A. Wheeler
 #
 # Edits to bring the script in line with afl-cmin and other companion scripts
-# by Michal Zalewski . All bugs are my fault.
+# by Michal Zalewski. All bugs are my fault.
 #
 # Copyright 2015 Institute for Defense Analyses.
 #
diff --git a/experimental/canvas_harness/canvas_harness.html b/experimental/canvas_harness/canvas_harness.html
index 19293667..7b31d8b4 100644
--- a/experimental/canvas_harness/canvas_harness.html
+++ b/experimental/canvas_harness/canvas_harness.html
@@ -4,7 +4,7 @@
 american fuzzy lop - harness
 -------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2013, 2014 Google Inc. All rights reserved.
diff --git a/experimental/clang_asm_normalize/as b/experimental/clang_asm_normalize/as
index 4ee07e69..bd83c4ff 100755
--- a/experimental/clang_asm_normalize/as
+++ b/experimental/clang_asm_normalize/as
@@ -3,7 +3,7 @@
 # american fuzzy lop - clang assembly normalizer
 # ----------------------------------------------
 #
-# Written and maintained by Michal Zalewski
+# Written by Michal Zalewski
 # The idea for this wrapper comes from Ryan Govostes.
 #
 # Copyright 2013, 2014 Google Inc. All rights reserved.
diff --git a/experimental/crash_triage/triage_crashes.sh b/experimental/crash_triage/triage_crashes.sh
index 5894a4d6..205bc143 100755
--- a/experimental/crash_triage/triage_crashes.sh
+++ b/experimental/crash_triage/triage_crashes.sh
@@ -3,7 +3,7 @@
 # american fuzzy lop - crash triage utility
 # -----------------------------------------
 #
-# Written and maintained by Michal Zalewski
+# Written by Michal Zalewski
 #
 # Copyright 2013, 2014, 2017 Google Inc. All rights reserved.
 #
@@ -22,7 +22,7 @@
 # necessary.
 #
-echo "crash triage utility for afl-fuzz by "
+echo "crash triage utility for afl-fuzz by Michal Zalewski"
 echo
 ulimit -v 100000 2>/dev/null
diff --git a/experimental/distributed_fuzzing/sync_script.sh b/experimental/distributed_fuzzing/sync_script.sh
index 2d5e0635..31b0e436 100755
--- a/experimental/distributed_fuzzing/sync_script.sh
+++ b/experimental/distributed_fuzzing/sync_script.sh
@@ -3,7 +3,7 @@
 # american fuzzy lop - fuzzer synchronization tool
 # ------------------------------------------------
 #
-# Written and maintained by Michal Zalewski
+# Written by Michal Zalewski
 #
 # Copyright 2014 Google Inc. All rights reserved.
 #
diff --git a/experimental/persistent_demo/persistent_demo.c b/experimental/persistent_demo/persistent_demo.c
index d091febe..a94c8374 100644
--- a/experimental/persistent_demo/persistent_demo.c
+++ b/experimental/persistent_demo/persistent_demo.c
@@ -2,7 +2,7 @@
 american fuzzy lop - persistent mode example
 --------------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2015 Google Inc. All rights reserved.
diff --git a/experimental/post_library/post_library.so.c b/experimental/post_library/post_library.so.c
index 72620ff0..048eea70 100644
--- a/experimental/post_library/post_library.so.c
+++ b/experimental/post_library/post_library.so.c
@@ -2,7 +2,7 @@
 american fuzzy lop - postprocessor library example
 --------------------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2015 Google Inc. All rights reserved.
diff --git a/experimental/post_library/post_library_png.so.c b/experimental/post_library/post_library_png.so.c
index 080a6938..6ba95c1a 100644
--- a/experimental/post_library/post_library_png.so.c
+++ b/experimental/post_library/post_library_png.so.c
@@ -2,7 +2,7 @@
 american fuzzy lop - postprocessor for PNG
 ------------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2015 Google Inc. All rights reserved.
diff --git a/gcc_plugin/Makefile b/gcc_plugin/Makefile
index d10eba49..a603df78 100644
--- a/gcc_plugin/Makefile
+++ b/gcc_plugin/Makefile
@@ -4,7 +4,7 @@
 #
 # Written by Austin Seipp and Laszlo Szekeres and
-# Michal Zalewski and
+# Michal Zalewski and
 # Heiko Eißfeldt
 #
 # GCC integration design is based on the LLVM design, which comes
diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c
index 73709321..b0461584 100644
--- a/gcc_plugin/afl-gcc-fast.c
+++ b/gcc_plugin/afl-gcc-fast.c
@@ -4,7 +4,7 @@
 Written by Austin Seipp and Laszlo Szekeres and
- Michal Zalewski
+ Michal Zalewski
 GCC integration design is based on the LLVM design, which comes
 from Laszlo Szekeres.
diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c
index f6754bd4..dd79a0ec 100644
--- a/gcc_plugin/afl-gcc-rt.o.c
+++ b/gcc_plugin/afl-gcc-rt.o.c
@@ -4,7 +4,7 @@
 Written by Austin Seipp and Laszlo Szekeres and
- Michal Zalewski
+ Michal Zalewski
 GCC integration design is based on the LLVM design, which comes
 from Laszlo Szekeres.
diff --git a/include/afl-as.h b/include/afl-as.h
index 048866db..f0263312 100644
--- a/include/afl-as.h
+++ b/include/afl-as.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - injectable parts
 ---------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 7e9ced46..1e6140dd 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - fuzzer header
 ------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index b0815ab1..f5bb7246 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - error-checking, memory-zeroing alloc routines
 --------------------------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index 6c7a98db..f4d31739 100644
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - android shared memory compatibility layer
 ----------------------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/common.h b/include/common.h
index e13bf0a0..7c3d4517 100644
--- a/include/common.h
+++ b/include/common.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - common routines header
 ---------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/config.h b/include/config.h
index 396224fb..2e993a42 100644
--- a/include/config.h
+++ b/include/config.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - vaguely configurable bits
 ------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/debug.h b/include/debug.h
index cccfc284..ed6c29e9 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - debug / error handling macros
 ----------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/include/forkserver.h b/include/forkserver.h
index 9a099888..9cabe58e 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - forkserver header
 ----------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Forkserver design by Jann Horn
diff --git a/include/hash.h b/include/hash.h
index 7085df32..1a8ac252 100644
--- a/include/hash.h
+++ b/include/hash.h
@@ -12,7 +12,7 @@
 Austin's original code is public domain.
- Other code written and maintained by Michal Zalewski
+ Other code written by Michal Zalewski
 Copyright 2016 Google Inc. All rights reserved.
diff --git a/include/sharedmem.h b/include/sharedmem.h
index 18e4ee9f..cec6c025 100644
--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - shared memory related header
 ---------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Forkserver design by Jann Horn
diff --git a/include/types.h b/include/types.h
index 07fc7e91..c34bf522 100644
--- a/include/types.h
+++ b/include/types.h
@@ -2,7 +2,7 @@
 american fuzzy lop++ - type definitions and minor macros
 --------------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/libdislocator/Makefile b/libdislocator/Makefile
index cbaa05ea..91efba07 100644
--- a/libdislocator/Makefile
+++ b/libdislocator/Makefile
@@ -2,7 +2,7 @@
 # american fuzzy lop - libdislocator
 # ----------------------------------
 #
-# Written by Michal Zalewski
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c
index 8834a1fc..57607210 100644
--- a/libdislocator/libdislocator.so.c
+++ b/libdislocator/libdislocator.so.c
@@ -3,7 +3,7 @@
 american fuzzy lop - dislocator, an abusive allocator
 -----------------------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2016 Google Inc. All rights reserved.
diff --git a/libtokencap/Makefile b/libtokencap/Makefile
index 3fd01b2c..91933140 100644
--- a/libtokencap/Makefile
+++ b/libtokencap/Makefile
@@ -2,7 +2,7 @@
 # american fuzzy lop - libtokencap
 # --------------------------------
 #
-# Written by Michal Zalewski
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index 17b6190c..39095beb 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -3,7 +3,7 @@
 american fuzzy lop - extract tokens passed to strcmp / memcmp
 -------------------------------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2016 Google Inc. All rights reserved.
diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile
index 0360bfbe..7cfbe92d 100644
--- a/llvm_mode/Makefile
+++ b/llvm_mode/Makefile
@@ -3,7 +3,7 @@
 # -----------------------------------------
 #
 # Written by Laszlo Szekeres and
-# Michal Zalewski
+# Michal Zalewski
 #
 # LLVM integration design comes from Laszlo Szekeres.
 #
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 54f9e6e9..a7f6acdc 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -3,7 +3,7 @@
 ------------------------------------------------
 Written by Laszlo Szekeres and
- Michal Zalewski
+ Michal Zalewski
 LLVM integration design comes from Laszlo Szekeres.
diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc
index 3ca5ccc4..475a3f33 100644
--- a/llvm_mode/afl-llvm-pass.so.cc
+++ b/llvm_mode/afl-llvm-pass.so.cc
@@ -3,7 +3,7 @@
 ---------------------------------------------------
 Written by Laszlo Szekeres and
- Michal Zalewski
+ Michal Zalewski
 LLVM integration design comes from Laszlo Szekeres.
 C bits copied-and-pasted from afl-as.c are Michal's fault.
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 20b34336..5740fe42 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -3,7 +3,7 @@
 ---------------------------------------------------
 Written by Laszlo Szekeres and
- Michal Zalewski
+ Michal Zalewski
 LLVM integration design comes from Laszlo Szekeres.
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh
index 55d72e0d..f18cbdf3 100755
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@@ -4,7 +4,7 @@
 # --------------------------------------
 #
 # Originally written by Andrew Griffiths and
-# Michal Zalewski
+# Michal Zalewski
 #
 # TCG instrumentation and block chaining support by Andrea Biondo
 #
diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h
index c86b5b45..1da3359d 100644
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@@ -3,7 +3,7 @@
 -------------------------------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 TCG instrumentation and block chaining support by Andrea Biondo
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 262a7dab..7358fc3b 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -3,7 +3,7 @@
 -------------------------------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 TCG instrumentation and block chaining support by Andrea Biondo
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index b6d3da1f..62858724 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -3,7 +3,7 @@
 -------------------------------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 TCG instrumentation and block chaining support by Andrea Biondo
diff --git a/qemu_mode/patches/afl-qemu-tcg-inl.h b/qemu_mode/patches/afl-qemu-tcg-inl.h
index d7a25695..e3de09d8 100644
--- a/qemu_mode/patches/afl-qemu-tcg-inl.h
+++ b/qemu_mode/patches/afl-qemu-tcg-inl.h
@@ -3,7 +3,7 @@
 -------------------------------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 TCG instrumentation and block chaining support by Andrea Biondo
diff --git a/qemu_mode/patches/afl-qemu-translate-inl.h b/qemu_mode/patches/afl-qemu-translate-inl.h
index 5f61d7c9..881dbc8d 100644
--- a/qemu_mode/patches/afl-qemu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-translate-inl.h
@@ -3,7 +3,7 @@
 -------------------------------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 TCG instrumentation and block chaining support by Andrea Biondo
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 2d13621b..5555a262 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - file format analyzer
 -------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
@@ -841,7 +841,7 @@ int main(int argc, char** argv) {
 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
- SAYF(cCYA "afl-analyze" VERSION cRST " by \n");
+ SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n");
 while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0)
diff --git a/src/afl-as.c b/src/afl-as.c
index b5a5ed58..2b023432 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - wrapper for GNU as
 -----------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
@@ -501,7 +501,7 @@ int main(int argc, char** argv) {
 if (isatty(2) && !getenv("AFL_QUIET")) {
- SAYF(cCYA "afl-as" VERSION cRST " by \n");
+ SAYF(cCYA "afl-as" VERSION cRST " by Michal Zalewski\n");
 } else
diff --git a/src/afl-common.c b/src/afl-common.c
index e753e797..ec010c2d 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - common routines
 --------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index d9f67da5..b11ee5ce 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - forkserver code
 --------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Forkserver design by Jann Horn
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index d001dbee..22876626 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - bitmap related routines
 ----------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 1a0e2eff..23b2c235 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - extras relates routines
 ----------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index 8340394a..36ba6e14 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - globals declarations
 -------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index a37ce8ba..a77904b5 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - initialization related routines
 ------------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-misc.c b/src/afl-fuzz-misc.c
index a7372b7d..f45642f4 100644
--- a/src/afl-fuzz-misc.c
+++ b/src/afl-fuzz-misc.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - misc stuffs from Mordor
 ----------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 31d58a10..bed8d254 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - fuzze_one routines in different flavours
 ---------------------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 1a28f603..1a8b7f9d 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - python extension routines
 ------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 905fd931..9f036186 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - queue relates routines
 ---------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 5211921f..e12b06eb 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - target execution related routines
 --------------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 7e8639f2..2ea03e94 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - stats related routines
 ---------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 44037ce8..bb342112 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2,7 +2,7 @@
 american fuzzy lop - fuzzer code
 --------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
@@ -127,7 +127,7 @@ int main(int argc, char** argv) {
 SAYF(cCYA "afl-fuzz" VERSION cRST
- " based on afl by and a big online community\n");
+ " based on afl by Michal Zalewski and a big online community\n");
 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
diff --git a/src/afl-gcc.c b/src/afl-gcc.c
index dd7ba4d6..740442dc 100644
--- a/src/afl-gcc.c
+++ b/src/afl-gcc.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - wrapper for GCC and clang
 ------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
@@ -335,7 +335,7 @@ int main(int argc, char** argv) {
 if (argc == 2 && strcmp(argv[1], "-h") == 0) {
- printf("afl-cc" VERSION " by \n\n");
+ printf("afl-cc" VERSION " by Michal Zalewski\n\n");
 printf("%s \n\n", argv[0]);
 printf("afl-gcc has no command line options\n");
 printf(
@@ -347,7 +347,7 @@ int main(int argc, char** argv) {
 if (isatty(2) && !getenv("AFL_QUIET")) {
- SAYF(cCYA "afl-cc" VERSION cRST " by \n");
+ SAYF(cCYA "afl-cc" VERSION cRST " by Michal Zalewski\n");
 SAYF(cYEL "[!] " cBRI "NOTE: " cRST "afl-gcc is deprecated, llvm_mode is much faster and has more " "options\n");
diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c
index dc938b65..850943dd 100644
--- a/src/afl-gotcpu.c
+++ b/src/afl-gotcpu.c
@@ -2,7 +2,7 @@
 american fuzzy lop - free CPU gizmo
 -----------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Now maintained by by Marc Heuse ,
 Heiko Eißfeldt and
@@ -142,7 +142,7 @@ int main(int argc, char** argv) {
 if (argc > 1) {
- printf("afl-gotcpu" VERSION " by \n");
+ printf("afl-gotcpu" VERSION " by Michal Zalewski\n");
 printf("\n%s \n\n", argv[0]);
 printf("afl-gotcpu does not have command line options\n");
 printf("afl-gotcpu prints out which CPUs are available\n");
@@ -154,7 +154,7 @@ int main(int argc, char** argv) {
 u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN), idle_cpus = 0, maybe_cpus = 0, i;
- SAYF(cCYA "afl-gotcpu" VERSION cRST " by \n");
+ SAYF(cCYA "afl-gotcpu" VERSION cRST " by Michal Zalewski\n");
 ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...", ((double)CTEST_CORE_TRG_MS) / 1000);
@@ -275,7 +275,7 @@ int main(int argc, char** argv) {
 u32 util_perc;
- SAYF(cCYA "afl-gotcpu" VERSION cRST " by \n");
+ SAYF(cCYA "afl-gotcpu" VERSION cRST " by Michal Zalewski\n");
 /* Run a busy loop for CTEST_TARGET_MS. */
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 0bd1ff2f..d94100a3 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - shared memory related code
 -------------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Forkserver design by Jann Horn
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 31f12856..b54ac2b0 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - map display utility
 ------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Forkserver design by Jann Horn
@@ -395,7 +395,7 @@ static void setup_signal_handlers(void) {
 static void show_banner(void) {
- SAYF(cCYA "afl-showmap" VERSION cRST " by \n");
+ SAYF(cCYA "afl-showmap" VERSION cRST " by Michal Zalewski\n");
 }
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 7f354727..a72e1dda 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -2,7 +2,7 @@
 american fuzzy lop++ - test case minimizer
 ------------------------------------------
- Originally written by Michal Zalewski
+ Originally written by Michal Zalewski
 Forkserver design by Jann Horn
@@ -1032,7 +1032,7 @@ int main(int argc, char** argv) {
 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
- SAYF(cCYA "afl-tmin" VERSION cRST " by \n");
+ SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n");
 while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWh")) > 0)
diff --git a/test-instr.c b/test-instr.c
index 2450dbf4..161bdb8e 100644
--- a/test-instr.c
+++ b/test-instr.c
@@ -2,7 +2,7 @@
 american fuzzy lop - a trivial program to test the build
 --------------------------------------------------------
- Written and maintained by Michal Zalewski
+ Written by Michal Zalewski
 Copyright 2014 Google Inc. All rights reserved.
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index 1575f66c..3bd404b8 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -6,7 +6,7 @@
 # Originally written by Nathan Voss
 #
 # Adapted from code by Andrew Griffiths and
-# Michal Zalewski
+# Michal Zalewski
 #
 # Adapted for AFLplusplus by Dominik Maier
 #
diff --git a/unicorn_mode/patches/afl-unicorn-common.h b/unicorn_mode/patches/afl-unicorn-common.h
index fd88e21b..66d03803 100644
--- a/unicorn_mode/patches/afl-unicorn-common.h
+++ b/unicorn_mode/patches/afl-unicorn-common.h
@@ -3,7 +3,7 @@
 ----------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 Adapted for afl-unicorn by Dominik Maier
diff --git a/unicorn_mode/patches/afl-unicorn-cpu-inl.h b/unicorn_mode/patches/afl-unicorn-cpu-inl.h
index 082d6d68..72092e29 100644
--- a/unicorn_mode/patches/afl-unicorn-cpu-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-cpu-inl.h
@@ -3,7 +3,7 @@
 ----------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 Adapted for afl-unicorn by Dominik Maier
diff --git a/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h b/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h
index 7c84058f..70472a72 100644
--- a/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h
@@ -3,7 +3,7 @@
 ----------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 Adapted for afl-unicorn by Dominik Maier
diff --git a/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h
index d21bbcc7..8f4a8748 100644
--- a/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h
@@ -3,7 +3,7 @@
 ----------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 Adapted for afl-unicorn by Dominik Maier
diff --git a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h
index 3031d3a6..53ab654c 100644
--- a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h
+++ b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h
@@ -3,7 +3,7 @@
 ----------------------------------------------
 Originally written by Andrew Griffiths and
- Michal Zalewski
+ Michal Zalewski
 Adapted for afl-unicorn by Dominik Maier
-- cgit 1.4.1
From bc3ce26e0ecbf97751c6eb444df8e5bf31dcafd7 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 21 Oct 2019 17:18:41 +0200
Subject: -V/-E not precise
---
 TODO | 1 +
 src/afl-fuzz.c | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/TODO b/TODO
index f2642b1a..05c89679 100644
--- a/TODO
+++ b/TODO
@@ -3,6 +3,7 @@ Roadmap 2.60:
 =============
 afl-fuzz:
+ - change -T to use alarm() instead
 - radamsa mutator
 - test the libmutator actually works and does not run infinite (need an example though)
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index bb342112..25f606fa 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -71,7 +71,9 @@ static void usage(u8* argv0) {
 " -V seconds - fuzz for a maximum total time of seconds then "
 "terminate\n"
 " -E execs - fuzz for a maximum number of total executions then "
- "terminate\n\n"
+ "terminate\n"
+ "Note: -V/-E are not precise, they are checked after a queue entry is "
+ "done which\n can be many minutes/execs later\n\n"
 "Other stuff:\n"
 " -T text - text banner to show on the screen\n"
-- cgit 1.4.1
From 374f6610270a0434afe4931077e49efd9284e013 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Tue, 22 Oct 2019 13:23:00 +0200
Subject: help output adjustment
---
 src/afl-fuzz.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 25f606fa..877df0d3 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -72,8 +72,8 @@ static void usage(u8* argv0) {
 "terminate\n"
 " -E execs - fuzz for a maximum number of total executions then "
 "terminate\n"
- "Note: -V/-E are not precise, they are checked after a queue entry is "
- "done which\n can be many minutes/execs later\n\n"
+ " Note: -V/-E are not precise, they are checked after a queue entry "
+ "is done\n which can be many minutes/execs later\n\n"
 "Other stuff:\n"
 " -T text - text banner to show on the screen\n"
-- cgit 1.4.1
From 644efa290582e76a9fb1dc42a7cfc782d628d3fe Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Fri, 25 Oct 2019 14:02:30 +0200
Subject: remove redundand setenv of SHM_ENV_VAR
---
 src/afl-sharedmem.c | 2 --
 1 file changed, 2 deletions(-)
(limited to 'src')
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index d94100a3..e11221a4 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -153,8 +153,6 @@ void setup_shm(unsigned char dumb_mode) {
 shm_str = alloc_printf("%d", shm_id);
- setenv(SHM_ENV_VAR, shm_str, 1);
-
 /* If somebody is asking us to fuzz instrumented binaries in dumb mode,
 we don't want them to detect instrumentation, since we won't be sending
 fork server commands. This should be replaced with better auto-detection
-- cgit 1.4.1
From c66633ccc54f98829e7035b981ad4916f14d1e70 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Sun, 20 Oct 2019 04:45:50 +0200
Subject: no longer warns on python as path for unicorn
---
 src/afl-fuzz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 877df0d3..14d7802d 100644
--- a/src/afl-fuzz.c
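Review bot: With `setenv(SHM_ENV_VAR, shm_str, 1);` removed from setup_shm in the @@ -153 hunk, nothing that remains visible exports the shared-memory id to the target, and the comment that follows still describes a dumb-mode path built around that variable; the commit message calls the call redundant but the hunk does not show where the surviving export is. If it lives in the dumb-mode block just below, a one-line comment at the `alloc_printf` line would save the next reader the search, e.g. `/* SHM_ENV_VA is exported in the dumb/instrumented branches below, not here */` (with the real macro name). It is worth confirming that the instrumented, non-dumb path still sets the variable, since a missing export would presumably show up only as the target running without coverage rather than as an error at this point. setup_shm continues outside the hunk.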
+++ b/src/afl-fuzz.c
@@ -554,7 +554,7 @@ int main(int argc, char** argv) {
 if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI"))
 FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive");
- if (strchr(argv[optind], '/') == NULL)
+ if (strchr(argv[optind], '/') == NULL && !unicorn_mode)
 WARNF(cLRD "Target binary called without a prefixed path, make sure you are "
 "fuzzing the right binary: " cRST "%s",
-- cgit 1.4.1
From f2b3f01759b7b5b4d74967ee39a6752c668e698e Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Sat, 26 Oct 2019 09:24:09 +0200
Subject: make initial inputs names consistent with others using time:0
---
 src/afl-fuzz-init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index a77904b5..e3c2e259 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -729,7 +729,7 @@ void pivot_inputs(void) {
 use_name += 6;
 else
 use_name = rsl;
- nfn = alloc_printf("%s/queue/id:%06u,orig:%s", out_dir, id, use_name);
+ nfn = alloc_printf("%s/queue/id:%06u,time:0,orig:%s", out_dir, id, use_name);
 #else
-- cgit 1.4.1
From cfd7b906cbc961892646aee9f307f6ffd4eb2253 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 26 Oct 2019 08:39:13 +0100
Subject: Porting cpu affinity to DragonFly. Thanks their API is very similar in this area.
---
 include/afl-fuzz.h | 9 ++++++---
 src/afl-fuzz-init.c | 19 ++++++++++++------
 src/afl-gotcpu.c | 10 ++++++----
 3 files changed, 24 insertions(+), 14 deletions(-)
(limited to 'src')
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 1e6140dd..637c2795 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -72,18 +72,21 @@ #include #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ - defined(__NetBSD__) + defined(__NetBSD__) || defined(__DragonFly__) #include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ /* For systems that have sched_setaffinity; right now just Linux, but one can hope... */ -#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ + defined(__DragonFly__) #define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) +#if defined(__FreeBSD__) || defined(__DragonFly__) #include +#if defined(__FreeBSD__) #include +#endif #include #include #include diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index a77904b5..f9525c82 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -32,7 +32,7 @@ void bind_to_free_cpu(void) { -#if defined(__linux__) || defined(__FreeBSD__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; #elif defined(__NetBSD__) cpuset_t* c; @@ -117,7 +117,7 @@ void bind_to_free_cpu(void) { } closedir(d); -#elif defined(__FreeBSD__) +#elif defined(__FreeBSD__) || defined(__DragonFly__) struct kinfo_proc* procs; size_t nprocs; size_t proccount; @@ -138,8 +138,13 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { +#if defined(__FreeBSD__) if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 2) cpu_used[procs[i].ki_oncpu] = 1; +#elif defined(__DragonFly__) + if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 2) + cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; +#endif } @@ -200,7 +205,7 @@ void bind_to_free_cpu(void) { cpu_aff = i; -#if defined(__linux__) || defined(__FreeBSD__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) CPU_ZERO(&c); CPU_SET(i, &c); #elif defined(__NetBSD__) 
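Review bot: Two comments in the afl-fuzz.h hunk are now stale: the `#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */` trailer no longer matches the five-system `#if` it closes, and `right now just Linux, but one can hope...` sits above a list that already selects three BSDs. Update them to `#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ || __NetBSD__ || __DragonFly__ */` and `/* Systems with a usable CPU-affinity API: sched_setaffinity on Linux, the BSDs' own calls below. */` so the next port does not have to guess which list is authoritative.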
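Review bot: In the @@ -138 hunk of afl-fuzz-init.c the DragonFly branch copies the FreeBSD bounds check, `procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used)`, which uses `sizeof` as an element count and only holds while `cpu_used` is a byte array (its declaration is outside the hunk); `sizeof(cpu_used) / sizeof(cpu_used[0])` states the intent and survives a type change. If the cpu-id fields are signed, a negative id for an unscheduled process is rejected only because it converts to a huge `size_t`; a comment such as `/* a negative cpu id converts to a huge value here and is skipped */` keeps someone from "fixing" the comparison into a signed one. The `> 2` threshold is now written twice, and both copies are edited together later on this page, which is the drift a single named constant would avoid. bind_to_free_cpu starts and ends outside the hunk.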
@@ -212,7 +217,7 @@ void bind_to_free_cpu(void) { #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) PFATAL("sched_setaffinity failed"); -#elif defined(__FreeBSD__) +#elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity failed"); #elif defined(__NetBSD__) @@ -871,7 +876,7 @@ double get_runnable_processes(void) { static double res; #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ - defined(__NetBSD__) + defined(__NetBSD__) || defined(__DragonFly__) /* I don't see any portable sysctl or so that would quickly give us the number of runnable processes; the 1-minute load average can be a @@ -1605,7 +1610,7 @@ void check_cpu_governor(void) { void get_core_count(void) { -#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) size_t s = sizeof(cpu_core_count); @@ -1651,7 +1656,7 @@ void get_core_count(void) { cur_runnable = (u32)get_runnable_processes(); -#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) /* Add ourselves, since the 1-minute average doesn't include that yet. */ diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index 850943dd..fe5d035f 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -52,12 +52,14 @@ #include "types.h" #include "debug.h" -#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__DragonFly__) #define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) +#if defined(__FreeBSD__) || defined(__DragonFly__) #include #include +#if defined(__FreeBSD__) #include +#endif #define cpu_set_t cpuset_t #elif defined(__NetBSD__) #include 
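Review bot: The `#if` lines added to get_core_count (hunks @@ -1605 and @@ -1651 of afl-fuzz-init.c) are left on one long line, while the same platform list in get_runnable_processes and in afl-fuzz.h is wrapped with `\`; keep the spelling alike, e.g. `#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \` followed by `    defined(__DragonFly__)`. get_core_count's list also still lacks `__NetBSD__` although get_runnable_processes has it; that predates this commit, but since the patch touches both lists it is the moment to check whether the omission is intentional. Both functions continue outside the hunks.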
@@ -168,7 +170,7 @@ int main(int argc, char** argv) { if (!fr) { u32 util_perc; -#if defined(__linux__) || defined(__FreeBSD__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; CPU_ZERO(&c); @@ -188,7 +190,7 @@ int main(int argc, char** argv) { PFATAL("thread_policy_set failed"); #endif -#if defined(__FreeBSD__) +#if defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity_np failed"); #endif -- cgit 1.4.1 From 64fa11d204c13ad32f9fe0dbb9abbfedc00ebb3d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 28 Oct 2019 11:52:31 +0100 Subject: updated changelog, afl-analyze AFL_SKIP_BIN_CHECK support --- docs/ChangeLog | 13 +++++++++++++ src/afl-analyze.c | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/docs/ChangeLog b/docs/ChangeLog index c2d46e4d..4c51502b 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -13,6 +13,19 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . +---------------------- +Version ++2.58d (dev): +---------------------- + + - afl-analyze: added AFL_SKIP_BIN_CHECK support + - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen) + - afl-fuzz: CPU affinity support for DragonFly + - llvm_mode: float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS + - libtokencap: support for *BSD/OSX added + - libcompcov floating point splitting support for qemu and unicorn + - removed unnecessary warnings + + -------------------------- Version ++2.58c (release): -------------------------- diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 5555a262..ee281af8 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c 
@@ -987,7 +987,7 @@ int main(int argc, char** argv) { if (child_timed_out) FATAL("Target binary times out (adjusting -t may help)."); - if (!anything_set()) FATAL("No instrumentation detected."); + if (getenv("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) FATAL("No instrumentation detected."); analyze(use_argv); -- cgit 1.4.1 From c87210820c1566c74bf08ab4345679598cabd71b Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 29 Oct 2019 15:06:20 +0000 Subject: libtokencap update proposal - bcmp interception. - FreeBSD using default argument to get current pid for the mapping data gathering, getpid seems to cause some issues under certain conditions (getenv call). --- libtokencap/libtokencap.so.c | 28 ++++++++++++++++++++++++---- llvm_mode/afl-clang-fast.c | 3 +++ src/afl-gcc.c | 1 + 3 files changed, 28 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 7e55963c..2fe9ae63 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -115,7 +115,7 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ #if defined __FreeBSD__ - int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, getpid()}; + int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, -1}; #elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, getpid()}; #elif defined __NetBSD__ @@ -134,9 +134,7 @@ static void __tokencap_load_mappings(void) { #endif buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); - if (!buf) { - return; - } + if (buf == MAP_FAILED) return; if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) { 
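Review bot: With `AFL_SKIP_BIN_CHECK` set and no instrumentation detected, the run now continues silently into `analyze(use_argv)`, so the user gets no hint that every byte will look equally uninteresting. Keep the override but report it: `if (!getenv("AFL_SKIP_BIN_CHECK") && !anything_set()) FATAL("No instrumentation detected.");` followed by `else if (!anything_set()) WARNF("No instrumentation detected (AFL_SKIP_BIN_CHECK set).");`. The `!getenv(...)` form also matches how the other environment toggles on this page are written. `anything_set` is defined outside the hunk, so I am assuming from its name that it inspects the coverage map.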
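Review bot: The FreeBSD mib in __tokencap_load_mappings now passes `-1` where the OpenBSD and NetBSD branches still call `getpid()`, and nothing in the code says why; only the commit message explains that `getpid()` misbehaved when the mapping load was reached through the interposed `getenv`. A comment on that line, `/* -1 = calling process; getpid() here caused problems when reached via getenv(), see commit */`, keeps the asymmetry from being "normalised" back later. Whether the other two BSDs accept the same sentinel I cannot tell from the hunk.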
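Review bot: `if (buf == MAP_FAILED) return;` is the correct test (the old `!buf` never fired, since mmap reports failure with `MAP_FAILED`, not NULL), but the `sysctl(...) == -1` branch that follows now owns a live mapping and must `munmap(buf, len)` before returning. That branch's body is outside the hunk, so this is a point to verify rather than a defect I can see.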
@@ -354,6 +352,28 @@ int memcmp(const void* mem1, const void* mem2, size_t len) { } +#undef bcmp + +int bcmp(const void* mem1, const void* mem2, size_t len) { + + if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); + if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); + + const char *strmem1 = (const char *)mem1; + const char *strmem2 = (const char *)mem2; + + while (len--) { + + int diff = *strmem1 ^ *strmem2; + if (diff != 0) return 1; + strmem1++; + strmem2++; + + } + + return 0; +} + #undef strstr char* strstr(const char* haystack, const char* needle) { diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index a7f6acdc..1acf8856 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -273,6 +273,9 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-bcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; } diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 740442dc..e0706a5f 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -320,6 +320,7 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-bcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; -- cgit 1.4.1 From 73cb58726649b860cbea9eef727e90ad14be4b31 Mon Sep 17 00:00:00 2001 
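Review bot: The new `bcmp` interposer has no comment, and the first thing a reader will ask is why it does not forward to `memcmp`: the `memcmp` directly above is itself interposed, so forwarding would dump both operands a second time. A header comment such as `/* bcmp(): same capture as memcmp() above; re-implemented rather than forwarded so the operands are not dumped twice. Only zero/non-zero is contractual, hence the early `return 1`. */` covers both the duplication and the return convention. `__tokencap_dump(mem1, len, 0)` receives the caller's `len` unchanged, so any bounds clamping has to happen inside `__tokencap_dump`, which is outside the hunk.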
From: Andrea Fioraldi Date: Tue, 5 Nov 2019 18:39:16 +0100 Subject: test unicorn && AFL_DISABLE_TRIM env var --- include/afl-fuzz.h | 3 ++- src/afl-fuzz-globals.c | 3 ++- src/afl-fuzz-one.c | 2 +- src/afl-fuzz.c | 3 +++ test/test.sh | 1 + unicorn_mode/samples/compcov_x64/compcov_target.bin | Bin 86 -> 86 bytes unicorn_mode/samples/compcov_x64/compcov_target.c | 4 +--- unicorn_mode/samples/compcov_x64/compcov_target.elf | Bin 5728 -> 5728 bytes 8 files changed, 10 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 637c2795..90f3b419 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -315,7 +315,8 @@ extern u8 skip_deterministic, /* Skip deterministic stages? */ deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ + uses_asan, /* Target uses ASAN? */ + disable_trim; /* Never trim in fuzz_one */ extern s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 36ba6e14..06eb06d8 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -122,7 +122,8 @@ u8 skip_deterministic, /* Skip deterministic stages? */ deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ + uses_asan, /* Target uses ASAN? */ + disable_trim; /* Never trim in fuzz_one */ s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index bed8d254..8ca219b5 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -449,7 +449,7 @@ u8 fuzz_one_original(char** argv) { * TRIMMING * ************/ - if (!dumb_mode && !queue_cur->trim_done && !custom_mutator) { + if (!dumb_mode && !queue_cur->trim_done && !custom_mutator && !disable_trim) { u8 res = trim_case(argv, queue_cur, in_buf); 
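Review bot: `!disable_trim` is added only to the trimming condition in fuzz_one_original; the function's name suggests sibling fuzz-one implementations exist in this file, and if they carry their own `!queue_cur->trim_done` check they will still trim with `AFL_DISABLE_TRIM` set. Either add the same guard there or, if trimming is centralised in `trim_case`, put an early return at the top of that function instead, provided its callers treat the result as "nothing trimmed". fuzz_one_original continues outside the hunk.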
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 14d7802d..26ed7b61 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -551,6 +551,9 @@ int main(int argc, char** argv) { } + if (getenv("AFL_DISABLE_TRIM")) + disable_trim = 1; + if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive"); diff --git a/test/test.sh b/test/test.sh index f954776f..f086ee50 100755 --- a/test/test.sh +++ b/test/test.sh @@ -485,6 +485,7 @@ test -d ../unicorn_mode/unicorn && { } rm -f errors + echo -e '\xbf' > in/in $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" { export AFL_COMPCOV_LEVEL=2 diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.bin b/unicorn_mode/samples/compcov_x64/compcov_target.bin index 091bf1db..30eada89 100644 Binary files a/unicorn_mode/samples/compcov_x64/compcov_target.bin and b/unicorn_mode/samples/compcov_x64/compcov_target.bin differ diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.c b/unicorn_mode/samples/compcov_x64/compcov_target.c index eb1205b1..f4576261 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.c +++ b/unicorn_mode/samples/compcov_x64/compcov_target.c @@ -16,11 +16,9 @@ int main(void) { unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; - if (data_buf[0] == 0xabadcafe) { - // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' + if (((unsigned short*)data_buf)[0] == 0xaabb) { unsigned char invalid_read = *(unsigned char *) 0x00000000; } else if (data_buf[1] == data_buf[2] + 0x4141) { - // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] unsigned char invalid_read = *(unsigned char *) 0x00000000; } 
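Review bot: `AFL_DISABLE_TRIM` is read in main but nothing in this commit documents it: the diffstat touches no documentation file and the usage text is not updated. Add an entry to the environment-variable documentation and a comment at the check, `/* AFL_DISABLE_TRIM: never trim queue entries in fuzz_one */`, matching the wording already used on the `disable_trim` declaration. The surrounding part of main is outside the hunk.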
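Review bot: `echo -e '\xbf' > in/in` depends on a bash-style `echo`; under a POSIX `sh` such as dash, `-e` is printed literally and the seed gets the wrong bytes, which would make the compcov run below look like a fuzzer failure. `printf '\277' > in/in` produces the same single byte in every POSIX shell (octal, because `\x` escapes in `printf` are not portable either). The script's interpreter line is outside the hunk, so this only matters if it is not pinned to bash.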
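Review bot: Both explanatory comments in the compcov sample target were deleted instead of updated, so the new condition `((unsigned short*)data_buf)[0] == 0xaabb` no longer says which input triggers the crash. Restore them in updated form, e.g. `// Crash if the first two input bytes are 0xbb 0xaa (little-endian 0xaabb)` and `// Crash if data[1] == data[2] + 0x4141`; the sample exists to show what compcov should find, so the triggering input is the documentation. main continues outside the hunk.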
diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.elf b/unicorn_mode/samples/compcov_x64/compcov_target.elf index 7015fb46..9f90f8d2 100755 Binary files a/unicorn_mode/samples/compcov_x64/compcov_target.elf and b/unicorn_mode/samples/compcov_x64/compcov_target.elf differ -- cgit 1.4.1 From a3932d7f002b840887475482934d93ae3efdad5b Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 8 Nov 2019 04:39:22 +0100 Subject: raise limit for free core detection on FreeBSD and dragonFlyBSD --- src/afl-fuzz-init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 64b24087..82ba6f8a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -139,10 +139,10 @@ void bind_to_free_cpu(void) { for (i = 0; i < proccount; i++) { #if defined(__FreeBSD__) - if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 2) + if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 10) cpu_used[procs[i].ki_oncpu] = 1; #elif defined(__DragonFly__) - if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 2) + if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; #endif -- cgit 1.4.1 From 7a20cc2f58d2709a6b26c98bb6a931dfe5e186b6 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 8 Nov 2019 19:27:25 +0100 Subject: additional test, if afl-as is called by afl-gcc/afl-clang (seen in OpenIndiana) --- Makefile | 4 +++- src/afl-as.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/Makefile b/Makefile index c4269d6b..4d77b6cf 100644 --- a/Makefile +++ b/Makefile 
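Review bot: The busy threshold in bind_to_free_cpu is now a bare `10` in two branches, and nothing says what unit it is in; as far as I recall FreeBSD's `ki_pctcpu` is a `fixpt_t` scaled by `FSCALE` rather than a percentage, so confirm that and record it. A single named constant above the loop, `enum { CPU_BUSY_THRESHOLD = 10 }; /* in ki_pctcpu/kl_pctcpu units, not percent -- confirm against FSCALE */`, used in both the FreeBSD and DragonFly comparisons, would stop the two copies from drifting apart the next time this is tuned. The loop is inside bind_to_free_cpu, which starts and ends outside the hunk.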
@@ -131,6 +131,8 @@ help: ifndef AFL_NO_X86 test_x86: + @echo "[*] Checking for the default compiler cc..." + @which $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC='."; echo; exit 1 ) @echo "[*] Checking for the ability to compile x86 code..." @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) @rm -f .test1 @@ -236,7 +238,7 @@ ifndef AFL_NO_X86 test_build: afl-gcc afl-as afl-showmap @echo "[*] Testing the CC wrapper and instrumentation output..." - unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) + @unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 ) ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr diff --git a/src/afl-as.c b/src/afl-as.c index 2b023432..312ae0a7 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -499,7 +499,7 @@ int main(int argc, char** argv) { clang_mode = !!getenv(CLANG_ENV_VAR); - if (isatty(2) && !getenv("AFL_QUIET")) { + if (!getenv("AFL_QUIET")) { SAYF(cCYA "afl-as" VERSION cRST " by Michal Zalewski\n"); -- cgit 1.4.1
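Review bot: In the `test_build` hunk the compiler's exit status and error output are swallowed by `2>&1 | grep 'afl-as' >/dev/null`: a failed compile now reports "afl-as did not get called" and the real diagnostic is lost, because only `grep`'s status survives the pipe. Capture the compiler output to a temporary file, fail on the compiler's own status first with that file printed, and only then grep the file for `afl-as`. In the `test_x86` hunk `which` is not POSIX and on some systems prints even on failure; `command -v $(CC) >/dev/null 2>&1` is the portable form. The test also depends on afl-as printing its banner when stderr is a pipe, which is what the afl-as.c hunk below changes.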
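Review bot: Dropping `isatty(2)` from the banner condition makes afl-as print `afl-as ... by Michal Zalewski` on every compile whose stderr is a pipe or file, i.e. in every CI log and parallel build, purely so the Makefile test above can grep for it; `AFL_QUIET` becomes the only way to silence it. A narrower option keeps the terminal check and lets the test opt in, e.g. `if (!getenv("AFL_QUIET") && (isatty(2) || getenv("AFL_TEST_BANNER")))`, where `AFL_TEST_BANNER` is a placeholder name to be chosen. main continues outside the hunk.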