From 84f0b4f1874a9c3a5f2da4056f974df8273093d9 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 7 Feb 2021 08:27:35 +0100
Subject: persistent replay env setup
---
 src/afl-forkserver.c | 2 +-
 src/afl-fuzz-state.c | 7 +++++++
 src/afl-fuzz.c | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 9ee59822..7968f69c 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -126,7 +126,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
 fsrv_to->last_run_timed_out = 0;
 fsrv_to->init_child_func = from->init_child_func;
- // Note: do not copy ->add_extra_func
+ // Note: do not copy ->add_extra_func or ->persistent_replay*
 list_append(&fsrv_list, fsrv_to);
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 5040e3ef..075aef1e 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -292,6 +292,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
 afl->afl_env.afl_autoresume = get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+ } else if (!strncmp(env, "AFL_PERSISTENT_REPLAY",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_persistent_replay =
+ get_afl_env(afl_environment_variables[i]);
+
 } else if (!strncmp(env, "AFL_CYCLE_SCHEDULES", afl_environment_variable_len)) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a579a8f5..77e6e2ce 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1239,6 +1239,12 @@ int main(int argc, char **argv_orig, char **envp) {
 }
+ if (afl->afl_env.afl_persistent_replay) {
+
+ afl->fsrv.persistent_replay = atoi(afl->afl_env.afl_persistent_replay);
+
+ }
+
 if (afl->afl_env.afl_crash_exitcode) {
 long exitcode = strtol(afl->afl_env.afl_crash_exitcode, NULL, 10);
-- cgit 1.4.1
From 81442ba3f953c939e2cde9c16b9cd0d5fe7f12b5 Mon Sep 17 00:00:00 2001
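Review bot: The new `AFL_PERSISTENT_REPLAY` branch in read_afl_environment is only reachable if the identical spelling exists in the `afl_environment_variables[]` table, and that table (include/envs.h) is not in this hunk; the page is limited to src/, so the table change may simply be filtered out of view, but a later commit in this series corrects a misspelled `AFL_PERSISTEN_REPLAY` entry, which suggests the variable was reported as unknown and the branch never taken until then. Worth confirming that the table entry, the `strncmp` literal and the new `afl_persistent_replay` member of afl_env_vars_t land in the same commit. Both read_afl_environment and main extend beyond their hunks.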
From: vanhauser-thc Date: Sat, 6 Mar 2021 15:48:49 +0100 Subject: implementation without testing --- include/forkserver.h | 11 ++++++--- src/afl-forkserver.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/afl-fuzz.c | 3 ++- 3 files changed, 78 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index a0a60e0f..ddbc36ef 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -55,9 +55,6 @@ typedef struct afl_forkserver { u32 init_tmout; /* Configurable init timeout (ms) */ u32 map_size; /* map size used by the target */ u32 snapshot; /* is snapshot feature used */ - u32 persistent_replay; /* persistent replay setting */ - u32 persistent_replay_idx; /* persistent replay cache ptr */ - u32 persistent_replay_cnt; /* persistent replay counter */ u64 mem_limit; /* Memory cap for child (MB) */ u64 total_execs; /* How often run_target was called */ @@ -97,6 +94,14 @@ typedef struct afl_forkserver { char *cmplog_binary; /* the name of the cmplog binary */ + /* persistent mode replay functionality */ + u32 persistent_replay; /* persistent replay setting */ + u32 persistent_replay_idx; /* persistent replay cache ptr */ + u32 persistent_replay_cnt; /* persistent replay counter */ + u8 * persistent_replay_dir; + u8 ** persistent_replay_data; + u32 **persistent_replay_len; + /* Function to kick off the forkserver child */ void (*init_child_func)(struct afl_forkserver *fsrv, char **argv); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 7968f69c..05aba2e5 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
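Review bot: `u32 **persistent_replay_len;` among the new struct members is one level of indirection too many for an array of per-slot lengths: afl_fsrv_start in this commit allocates it as `ck_alloc(fsrv->persistent_replay * sizeof(u32))`, and afl_fsrv_write_to_testcase then stores `*fsrv->persistent_replay_len[idx] = len`, i.e. through a pointer slot that ck_alloc leaves zeroed, so the first recorded input dereferences NULL. Declaring it `u32 *persistent_replay_len;` and dropping the extra `*` at the use sites (afl_fsrv_start, afl_fsrv_write_to_testcase and the crash loop in afl_fsrv_run_target in this commit; the same pattern survives the `persistent_record` rename and the new memset/val block in the following commit) resolves it. The new `persistent_replay_dir`/`_data`/`_len` members also lack the trailing comments their neighbours carry, e.g. `u8 **persistent_replay_data; /* ring of the last N inputs */`.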
@@ -364,6 +364,21 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) { ACTF("Spinning up the fork server..."); } + if (unlikely(fsrv->persistent_replay)) { + + fsrv->persistent_replay_data = + (u8 **)ck_alloc(fsrv->persistent_replay * sizeof(size_t)); + fsrv->persistent_replay_len = + (u32 **)ck_alloc(fsrv->persistent_replay * sizeof(u32)); + + if (!fsrv->persistent_replay_data || !fsrv->persistent_replay_len) { + + FATAL("Unable to allocate memory for persistent replay."); + + } + + } + if (fsrv->use_fauxsrv) { /* TODO: Come up with some nice way to initialize this all */ @@ -998,6 +1013,29 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { + if (unlikely(fsrv->persistent_replay)) { + + *fsrv->persistent_replay_len[fsrv->persistent_replay_idx] = len; + fsrv->persistent_replay_data[fsrv->persistent_replay_idx] = afl_realloc( + (void **)&fsrv->persistent_replay_data[fsrv->persistent_replay_idx], + len); + + if (unlikely(!fsrv->persistent_replay_data[fsrv->persistent_replay_idx])) { + + FATAL("allocating replay memory failed."); + + } + + memcpy(fsrv->persistent_replay_data[fsrv->persistent_replay_idx], buf, len); + + if (unlikely(++fsrv->persistent_replay_idx >= fsrv->persistent_replay)) { + + fsrv->persistent_replay_idx = 0; + + } + + } + if (likely(fsrv->use_shmem_fuzz && fsrv->shmem_fuzz)) { if (unlikely(len > MAX_FILE)) len = MAX_FILE; 
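Review bot: The recording block added at the top of afl_fsrv_write_to_testcase snapshots `len` before the `if (unlikely(len > MAX_FILE)) len = MAX_FILE;` clamp of the shmem path, so for an oversized input the RECORD file would hold more bytes than the target actually received and might not reproduce the crash byte-for-byte; storing the length after the clamp, or clamping once at the top of the function, keeps both in step. `len` is also a `size_t` narrowed into a `u32` slot without a check, which is only safe because of that clamp. In the afl_fsrv_start hunk, the `if (!fsrv->persistent_replay_data || !fsrv->persistent_replay_len)` FATAL looks unreachable if ck_alloc aborts on allocation failure as it does elsewhere in this codebase — hedged, but worth a look. Both functions continue outside the hunks.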
@@ -1208,6 +1246,36 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, (fsrv->uses_crash_exitcode && WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode))) { + if (unlikely(fsrv->persistent_replay)) { + + char fn[4096]; + u32 i, writecnt = 0; + for (i = 0; i < fsrv->persistent_replay; ++i) { + + u32 entry = (i + fsrv->persistent_replay_idx) % fsrv->persistent_replay; + u8 *data = fsrv->persistent_replay_data[entry]; + u32 *len = fsrv->persistent_replay_len[entry]; + if (likely(len && *len && data)) { + + snprintf(fn, sizeof(fn), "%s/replay_%u_%u.bin", + fsrv->persistent_replay_dir, fsrv->persistent_replay_cnt, + writecnt++); + int fd = open(fn, O_WRONLY, 0644); + if (fd >= 0) { + + ck_write(fd, data, *len, fn); + close(fd); + + } + + } + + } + + ++fsrv->persistent_replay_cnt; + + } + /* For a proper crash, set last_kill_signal to WTERMSIG, else set it to 0 */ fsrv->last_kill_signal = WIFSIGNALED(fsrv->child_status) ? WTERMSIG(fsrv->child_status) : 0; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 77e6e2ce..f3aea2c7 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1239,9 +1239,10 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->afl_env.afl_persistent_replay) { + if (unlikely(afl->afl_env.afl_persistent_replay)) { afl->fsrv.persistent_replay = atoi(afl->afl_env.afl_persistent_replay); + afl->fsrv.persistent_replay_dir = alloc_printf("%s/crashes", afl->out_dir); } -- cgit 1.4.1 From 4a0d4c50fc8bec11a090156ab970414d4897ea6c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Mar 2021 19:12:25 +0100 Subject: complete implemenation, still no test --- include/afl-fuzz.h | 2 +- include/forkserver.h | 13 ++++++----- src/afl-forkserver.c | 63 +++++++++++++++++++++++++++++++++------------------- src/afl-fuzz-state.c | 4 ++-- src/afl-fuzz.c | 22 +++++++++++++++--- 5 files changed, 69 insertions(+), 35 deletions(-) (limited to 'src') 
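Review bot: `open(fn, O_WRONLY, 0644)` in the new crash-record loop cannot create a file that does not yet exist (no `O_CREAT`), and the `if (fd >= 0)` branch drops the failure silently, so as committed the feature produces neither files nor a diagnostic; a later commit on this page adds `O_CREAT | O_TRUNC`, but the silent drop remains. Suggest `int fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0644);` with an `else { WARNF("Unable to create '%s'", fn); }` so an unwritable crashes/ directory or a name collision becomes visible. `fn` is also filled by `snprintf` into a 4096-byte buffer without checking the return value for truncation, so an overlong `out_dir` would redirect the write to a shortened path rather than fail. afl_fsrv_run_target continues outside the hunk.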
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3b6f2285..b1fba884 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -390,7 +390,7 @@ typedef struct afl_env_vars { *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload, *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port, *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size, - *afl_testcache_entries, *afl_kill_signal, *afl_persistent_replay; + *afl_testcache_entries, *afl_kill_signal, *afl_persistent_record; } afl_env_vars_t; diff --git a/include/forkserver.h b/include/forkserver.h index ddbc36ef..850c5b0d 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -95,12 +95,13 @@ typedef struct afl_forkserver { char *cmplog_binary; /* the name of the cmplog binary */ /* persistent mode replay functionality */ - u32 persistent_replay; /* persistent replay setting */ - u32 persistent_replay_idx; /* persistent replay cache ptr */ - u32 persistent_replay_cnt; /* persistent replay counter */ - u8 * persistent_replay_dir; - u8 ** persistent_replay_data; - u32 **persistent_replay_len; + u32 persistent_record; /* persistent replay setting */ + u32 persistent_record_idx; /* persistent replay cache ptr */ + u32 persistent_record_cnt; /* persistent replay counter */ + u8 * persistent_record_dir; + u8 ** persistent_record_data; + u32 **persistent_record_len; + s32 persistent_record_pid; /* Function to kick off the forkserver child */ void (*init_child_func)(struct afl_forkserver *fsrv, char **argv); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 05aba2e5..78e5efe7 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
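Review bot: The new `s32 persistent_record_pid;` member in forkserver.h is the only field in this group without a trailing comment, and its purpose — remembering the pid of the current persistent child so that a pid change in afl_fsrv_run_target is treated as the start of a new persistent loop, per the `// end of persistent loop?` check added later in this commit — is not evident from the name. Suggest `s32 persistent_record_pid; /* pid of the current child; a change marks a new persistent loop */`, and the `persistent_record_dir`/`_data`/`_len` fields would read better with the same kind of trailing comment as their `u32` siblings.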
@@ -126,7 +126,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->last_run_timed_out = 0; fsrv_to->init_child_func = from->init_child_func; - // Note: do not copy ->add_extra_func or ->persistent_replay* + // Note: do not copy ->add_extra_func or ->persistent_record* list_append(&fsrv_list, fsrv_to); @@ -364,14 +364,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) { ACTF("Spinning up the fork server..."); } - if (unlikely(fsrv->persistent_replay)) { + if (unlikely(fsrv->persistent_record)) { - fsrv->persistent_replay_data = - (u8 **)ck_alloc(fsrv->persistent_replay * sizeof(size_t)); - fsrv->persistent_replay_len = - (u32 **)ck_alloc(fsrv->persistent_replay * sizeof(u32)); + fsrv->persistent_record_data = + (u8 **)ck_alloc(fsrv->persistent_record * sizeof(size_t)); + fsrv->persistent_record_len = + (u32 **)ck_alloc(fsrv->persistent_record * sizeof(u32)); - if (!fsrv->persistent_replay_data || !fsrv->persistent_replay_len) { + if (!fsrv->persistent_record_data || !fsrv->persistent_record_len) { FATAL("Unable to allocate memory for persistent replay."); 
@@ -1013,24 +1013,24 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { - if (unlikely(fsrv->persistent_replay)) { + if (unlikely(fsrv->persistent_record)) { - *fsrv->persistent_replay_len[fsrv->persistent_replay_idx] = len; - fsrv->persistent_replay_data[fsrv->persistent_replay_idx] = afl_realloc( - (void **)&fsrv->persistent_replay_data[fsrv->persistent_replay_idx], + *fsrv->persistent_record_len[fsrv->persistent_record_idx] = len; + fsrv->persistent_record_data[fsrv->persistent_record_idx] = afl_realloc( + (void **)&fsrv->persistent_record_data[fsrv->persistent_record_idx], len); - if (unlikely(!fsrv->persistent_replay_data[fsrv->persistent_replay_idx])) { + if (unlikely(!fsrv->persistent_record_data[fsrv->persistent_record_idx])) { FATAL("allocating replay memory failed."); } - memcpy(fsrv->persistent_replay_data[fsrv->persistent_replay_idx], buf, len); + memcpy(fsrv->persistent_record_data[fsrv->persistent_record_idx], buf, len); - if (unlikely(++fsrv->persistent_replay_idx >= fsrv->persistent_replay)) { + if (unlikely(++fsrv->persistent_record_idx >= fsrv->persistent_record)) { - fsrv->persistent_replay_idx = 0; + fsrv->persistent_record_idx = 0; } @@ -1148,6 +1148,23 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } + // end of persistent loop? + if (unlikely(fsrv->persistent_record && + fsrv->persistent_record_pid != fsrv->child_pid)) { + + fsrv->persistent_record_pid = fsrv->child_pid; + u32 idx, val; + if (unlikely(!fsrv->persistent_record_idx)) + idx = fsrv->persistent_record - 1; + else + idx = fsrv->persistent_record_idx - 1; + val = *fsrv->persistent_record_len[idx]; + memset((void *)fsrv->persistent_record_len, 0, + fsrv->persistent_record * sizeof(u32)); + *fsrv->persistent_record_len[idx] = val; + + } + if (fsrv->child_pid <= 0) { if (*stop_soon_p) { return 0; } 
@@ -1246,19 +1263,19 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, (fsrv->uses_crash_exitcode && WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode))) { - if (unlikely(fsrv->persistent_replay)) { + if (unlikely(fsrv->persistent_record)) { char fn[4096]; u32 i, writecnt = 0; - for (i = 0; i < fsrv->persistent_replay; ++i) { + for (i = 0; i < fsrv->persistent_record; ++i) { - u32 entry = (i + fsrv->persistent_replay_idx) % fsrv->persistent_replay; - u8 *data = fsrv->persistent_replay_data[entry]; - u32 *len = fsrv->persistent_replay_len[entry]; + u32 entry = (i + fsrv->persistent_record_idx) % fsrv->persistent_record; + u8 *data = fsrv->persistent_record_data[entry]; + u32 *len = fsrv->persistent_record_len[entry]; if (likely(len && *len && data)) { - snprintf(fn, sizeof(fn), "%s/replay_%u_%u.bin", - fsrv->persistent_replay_dir, fsrv->persistent_replay_cnt, + snprintf(fn, sizeof(fn), "%s/RECORD:%06u,cnt:%06u", + fsrv->persistent_record_dir, fsrv->persistent_record_cnt, writecnt++); int fd = open(fn, O_WRONLY, 0644); if (fd >= 0) { @@ -1272,7 +1289,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - ++fsrv->persistent_replay_cnt; + ++fsrv->persistent_record_cnt; } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 075aef1e..514414f3 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -292,11 +292,11 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_autoresume = get_afl_env(afl_environment_variables[i]) ? 1 : 0; - } else if (!strncmp(env, "AFL_PERSISTENT_REPLAY", + } else if (!strncmp(env, "AFL_PERSISTENT_RECORD", afl_environment_variable_len)) { - afl->afl_env.afl_persistent_replay = + afl->afl_env.afl_persistent_record = get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_CYCLE_SCHEDULES", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f3aea2c7..afaa8f5f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -1239,10 +1239,26 @@ int main(int argc, char **argv_orig, char **envp) { } - if (unlikely(afl->afl_env.afl_persistent_replay)) { + if (unlikely(afl->afl_env.afl_persistent_record)) { - afl->fsrv.persistent_replay = atoi(afl->afl_env.afl_persistent_replay); - afl->fsrv.persistent_replay_dir = alloc_printf("%s/crashes", afl->out_dir); + afl->fsrv.persistent_record = atoi(afl->afl_env.afl_persistent_record); + afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir); + + if (afl->fsrv.persistent_record < 2) { + + FATAL( + "AFL_PERSISTENT_RECORD vallue must be be at least 2, recommended is " + "100 or 1000."); + + } + + if (!getenv(PERSIST_ENV_VAR)) { + + FATAL( + "Target binary is not compiled in persistent mode, " + "AFL_PERSISTENT_RECORD makes no sense."); + + } } -- cgit 1.4.1 From 99b4c3f3624db9300c175936aff22535db6eef67 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Mar 2021 22:19:56 +0100 Subject: fix --- src/afl-forkserver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 78e5efe7..a6128220 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -367,7 +368,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (unlikely(fsrv->persistent_record)) { fsrv->persistent_record_data = - (u8 **)ck_alloc(fsrv->persistent_record * sizeof(size_t)); + (u8 **)ck_alloc(fsrv->persistent_record * sizeof(u8 *)); fsrv->persistent_record_len = (u32 **)ck_alloc(fsrv->persistent_record * sizeof(u32)); @@ -1265,7 +1266,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if (unlikely(fsrv->persistent_record)) { - char fn[4096]; + char fn[PATH_MAX]; u32 i, writecnt = 0; for (i = 0; i < fsrv->persistent_record; ++i) { -- cgit 1.4.1 From 7f062524c97ab18306d42e59ab0223e04ff78f24 Mon Sep 17 00:00:00 2001 
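Review bot: `afl->fsrv.persistent_record = atoi(...)` followed by `if (afl->fsrv.persistent_record < 2)` does not validate the variable the way it reads: `persistent_record` is a `u32`, so a negative value such as `-5` wraps to a huge count that passes the check and is later handed to ck_alloc as the ring size (failing there with an allocation error instead of pointing at the variable), and `100abc` is accepted as 100. Parsing with `strtoul` and rejecting an empty or partially consumed string and out-of-range values closes both; the block is moved unchanged into the afl-fuzz.c hunks of the later "fixes" (`@@ -986`) and "ifdef for record" (`@@ -989`) commits on this page, so the same applies there. Separately, as far as I know `PERSIST_ENV_VAR` is set by check_binary() when it finds the persistent signature in the target, and in this commit check_binary() runs later in main than this block, so the `if (!getenv(PERSIST_ENV_VAR))` FATAL would fire for every persistent target unless the user sets the variable by hand — a later commit on this page moves that check after check_binary(). The message typo `vallue must be be` is only half fixed later (`value must be be`).
```c
  if (unlikely(afl->afl_env.afl_persistent_record)) {

    char *        end = NULL;
    unsigned long val = strtoul(afl->afl_env.afl_persistent_record, &end, 10);

    if (end == afl->afl_env.afl_persistent_record || *end || val < 2 ||
        val > UINT32_MAX) {

      FATAL(
          "AFL_PERSISTENT_RECORD value must be a number of at least 2, "
          "recommended is 100 or 1000.");

    }

    afl->fsrv.persistent_record = (u32)val;
    afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir);

    // … unchanged: PERSIST_ENV_VAR check …
```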
From: vanhauser-thc Date: Sat, 6 Mar 2021 23:01:13 +0100 Subject: fixes --- include/envs.h | 2 +- include/forkserver.h | 2 +- src/afl-forkserver.c | 14 +++++++------- src/afl-fuzz.c | 50 +++++++++++++++++++++++++++----------------------- 4 files changed, 36 insertions(+), 32 deletions(-) (limited to 'src') diff --git a/include/envs.h b/include/envs.h index f82bb803..6ba69f26 100644 --- a/include/envs.h +++ b/include/envs.h @@ -123,7 +123,7 @@ static char *afl_environment_variables[] = { "AFL_MAX_DET_EXTRAS", "AFL_PATH", "AFL_PERFORMANCE_FILE", - "AFL_PERSISTEN_REPLAY", + "AFL_PERSISTENT_RECORD", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", diff --git a/include/forkserver.h b/include/forkserver.h index 850c5b0d..c894ad80 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -100,7 +100,7 @@ typedef struct afl_forkserver { u32 persistent_record_cnt; /* persistent replay counter */ u8 * persistent_record_dir; u8 ** persistent_record_data; - u32 **persistent_record_len; + u32 * persistent_record_len; s32 persistent_record_pid; /* Function to kick off the forkserver child */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a6128220..e6738a71 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -370,7 +370,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->persistent_record_data = (u8 **)ck_alloc(fsrv->persistent_record * sizeof(u8 *)); fsrv->persistent_record_len = - (u32 **)ck_alloc(fsrv->persistent_record * sizeof(u32)); + (u32 *)ck_alloc(fsrv->persistent_record * sizeof(u32)); if (!fsrv->persistent_record_data || !fsrv->persistent_record_len) { 
@@ -1016,7 +1016,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (unlikely(fsrv->persistent_record)) { - *fsrv->persistent_record_len[fsrv->persistent_record_idx] = len; + fsrv->persistent_record_len[fsrv->persistent_record_idx] = len; fsrv->persistent_record_data[fsrv->persistent_record_idx] = afl_realloc( (void **)&fsrv->persistent_record_data[fsrv->persistent_record_idx], len); @@ -1159,10 +1159,10 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, idx = fsrv->persistent_record - 1; else idx = fsrv->persistent_record_idx - 1; - val = *fsrv->persistent_record_len[idx]; + val = fsrv->persistent_record_len[idx]; memset((void *)fsrv->persistent_record_len, 0, fsrv->persistent_record * sizeof(u32)); - *fsrv->persistent_record_len[idx] = val; + fsrv->persistent_record_len[idx] = val; } @@ -1272,8 +1272,8 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, u32 entry = (i + fsrv->persistent_record_idx) % fsrv->persistent_record; u8 *data = fsrv->persistent_record_data[entry]; - u32 *len = fsrv->persistent_record_len[entry]; - if (likely(len && *len && data)) { + u32 len = fsrv->persistent_record_len[entry]; + if (likely(len && data)) { snprintf(fn, sizeof(fn), "%s/RECORD:%06u,cnt:%06u", fsrv->persistent_record_dir, fsrv->persistent_record_cnt, @@ -1281,7 +1281,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, int fd = open(fn, O_WRONLY, 0644); if (fd >= 0) { - ck_write(fd, data, *len, fn); + ck_write(fd, data, len, fn); close(fd); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index afaa8f5f..4ee71120 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -986,6 +986,21 @@ int main(int argc, char **argv_orig, char **envp) { } + if (unlikely(afl->afl_env.afl_persistent_record)) { + + afl->fsrv.persistent_record = atoi(afl->afl_env.afl_persistent_record); + afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir); + + if (afl->fsrv.persistent_record < 2) { + + FATAL( + "AFL_PERSISTENT_RECORD value must be be at least 2, recommended is " + "100 or 1000."); + + } + + } + if (afl->fsrv.qemu_mode && getenv("AFL_USE_QASAN")) { u8 *preload = getenv("AFL_PRELOAD"); @@ -1239,29 +1254,6 @@ int main(int argc, char **argv_orig, char **envp) { } - if (unlikely(afl->afl_env.afl_persistent_record)) { - - afl->fsrv.persistent_record = atoi(afl->afl_env.afl_persistent_record); - afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir); - - if (afl->fsrv.persistent_record < 2) { - - FATAL( - "AFL_PERSISTENT_RECORD vallue must be be at least 2, recommended is " - "100 or 1000."); - - } - - if (!getenv(PERSIST_ENV_VAR)) { - - FATAL( - "Target binary is not compiled in persistent mode, " - "AFL_PERSISTENT_RECORD makes no sense."); - - } - - } - if (afl->afl_env.afl_crash_exitcode) { long exitcode = strtol(afl->afl_env.afl_crash_exitcode, NULL, 10); @@ -1531,6 +1523,18 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); + if (unlikely(afl->fsrv.persistent_record)) { + + if (!getenv(PERSIST_ENV_VAR)) { + + FATAL( + "Target binary is not compiled in persistent mode, " + "AFL_PERSISTENT_RECORD makes no sense."); + + } + + } + if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } afl->start_time = get_cur_time(); -- cgit 1.4.1 From 517db1b8dc1b310b82a73e3878285ca03249f3e4 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Mar 2021 23:12:44 +0100 Subject: fixes --- src/afl-forkserver.c | 2 +- src/afl-fuzz.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src') 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index e6738a71..2ab1304e 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -1278,7 +1278,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
 snprintf(fn, sizeof(fn), "%s/RECORD:%06u,cnt:%06u",
 fsrv->persistent_record_dir, fsrv->persistent_record_cnt,
 writecnt++);
- int fd = open(fn, O_WRONLY, 0644);
+ int fd = open(fn, O_CREAT | O_TRUNC | O_WRONLY, 0644);
 if (fd >= 0) {
 ck_write(fd, data, len, fn);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 4ee71120..267ab075 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -989,7 +989,6 @@ int main(int argc, char **argv_orig, char **envp) {
 if (unlikely(afl->afl_env.afl_persistent_record)) {
 afl->fsrv.persistent_record = atoi(afl->afl_env.afl_persistent_record);
- afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir);
 if (afl->fsrv.persistent_record < 2) {
@@ -1533,6 +1532,8 @@ int main(int argc, char **argv_orig, char **envp) {
 }
+ afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir);
+
 }
 if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }
-- cgit 1.4.1
From d3f69ab4c6d4f1e2eb3349eec3f1cb9313081151 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 7 Mar 2021 08:43:01 +0100
Subject: documentation for AFL_PERSISTENT_RECORD
---
 docs/env_variables.md | 9 +++++++++
 src/afl-fuzz.c | 1 +
 2 files changed, 10 insertions(+)
(limited to 'src')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 4c3b1cfb..41733f1b 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
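Review bot: With `O_CREAT | O_TRUNC | O_WRONLY` and a `persistent_record_cnt` that restarts at 0 on every afl-fuzz start, a resumed session writing into the same crashes/ directory silently overwrites the RECORD files of the previous session that carry the same `RECORD:%06u` number. Opening with `O_CREAT | O_EXCL | O_WRONLY` and warning when `errno == EEXIST` — or seeding `persistent_record_cnt` from the existing files at startup — would preserve the earlier records. The `snprintf` into `fn[PATH_MAX]` just above is still unchecked for truncation, so an overlong `persistent_record_dir` shortens the path instead of failing. afl_fsrv_run_target extends beyond the hunk.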
@@ -400,6 +400,15 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if no valid terminal was detected (for virtual consoles) + - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md)) + some targets keep inherent state due which a detected crash testcase does + not crash the target again when the testcase is given. To be able to still + re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable + with a value of how many previous fuzz cases to keep prio a crash. + if set to e.g. 10, then the 9 previous inputs are written to + out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 + and RECORD:000000,cnt:000009 being the crash case. + - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. Others need not apply. diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 267ab075..b2c81580 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -218,6 +218,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_PATH: path to AFL support binaries\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" + "AFL_PERSISTENT_RECORD: record the last X inputs to every crash in out/crashes\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n" "AFL_SKIP_BIN_CHECK: skip the check, if the target is an executable\n" -- cgit 1.4.1 From 958436be4ba057e8409787e7ff4ddcfa095c46da Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 24 Mar 2021 18:18:05 +0100 Subject: ifdef for record --- include/config.h | 9 +++++++++ src/afl-forkserver.c | 8 ++++++++ src/afl-fuzz.c | 30 +++++++++++++++++++++++------- 3 files changed, 40 insertions(+), 7 deletions(-) (limited to 'src') 
diff --git a/include/config.h b/include/config.h index 60872785..f6dbfae0 100644 --- a/include/config.h +++ b/include/config.h @@ -60,6 +60,15 @@ /* Now non-cmplog configuration options */ + +/* If a persistent target keeps state and found crashes are not reproducable + then enable this option and set the AFL_PERSISTENT_RECORD env variable + to a number. These number of testcases prior the crash will be kept and + also written to the crash/ directory */ + +#define AFL_PERSISTENT_RECORD + + /* console output colors: There are three ways to configure its behavior * 1. default: colored outputs fixed on: defined USE_COLOR && defined * ALWAYS_COLORED The env var. AFL_NO_COLOR will have no effect diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 2ab1304e..4e4f92d6 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -365,6 +365,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) { ACTF("Spinning up the fork server..."); } +#ifdef AFL_PERSISTENT_RECORD if (unlikely(fsrv->persistent_record)) { fsrv->persistent_record_data = @@ -379,6 +380,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } } +#endif if (fsrv->use_fauxsrv) { @@ -1014,6 +1016,7 @@ u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { +#ifdef AFL_PERSISTENT_RECORD if (unlikely(fsrv->persistent_record)) { fsrv->persistent_record_len[fsrv->persistent_record_idx] = len; @@ -1036,6 +1039,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { } } +#endif if (likely(fsrv->use_shmem_fuzz && fsrv->shmem_fuzz)) { @@ -1149,6 +1153,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } +#ifdef AFL_PERSISTENT_RECORD // end of persistent loop? if (unlikely(fsrv->persistent_record && fsrv->persistent_record_pid != fsrv->child_pid)) { 
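Review bot: The comment above the new `#define AFL_PERSISTENT_RECORD` in include/config.h tells the reader to "enable this option", yet the define is active as committed, so every default build compiles the recording code and the `#ifdef AFL_PERSISTENT_RECORD` guards this commit adds to afl-forkserver.c and afl-fuzz.c change nothing for it. If the intent is opt-in, ship it commented out as `// #define AFL_PERSISTENT_RECORD`; otherwise reword the comment to say the feature is on by default and can be disabled here. The comment also misspells `reproducable` (reproducible).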
@@ -1165,6 +1170,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, fsrv->persistent_record_len[idx] = val; } +#endif if (fsrv->child_pid <= 0) { @@ -1264,6 +1270,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, (fsrv->uses_crash_exitcode && WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode))) { +#ifdef AFL_PERSISTENT_RECORD if (unlikely(fsrv->persistent_record)) { char fn[PATH_MAX]; @@ -1293,6 +1300,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, ++fsrv->persistent_record_cnt; } +#endif /* For a proper crash, set last_kill_signal to WTERMSIG, else set it to 0 */ fsrv->last_kill_signal = diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b2c81580..d622db71 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -218,7 +218,9 @@ static void usage(u8 *argv0, int more_help) { "AFL_PATH: path to AFL support binaries\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" +#ifdef AFL_PERSISTENT_RECORD "AFL_PERSISTENT_RECORD: record the last X inputs to every crash in out/crashes\n" +#endif "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n" "AFL_SKIP_BIN_CHECK: skip the check, if the target is an executable\n" @@ -249,7 +251,13 @@ static void usage(u8 *argv0, int more_help) { SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", (char *)PYTHON_VERSION); #else - SAYF("Compiled without python module support\n"); + SAYF("Compiled without python module support.\n"); +#endif + +#ifdef AFL_PERSISTENT_RECORD + SAYF("Compiled with AFL_PERSISTENT_RECORD support.\n"); +#else + SAYF("Compiled without AFL_PERSISTENT_RECORD support.\n"); #endif #ifdef USEMMAP 
@@ -259,27 +267,27 @@ static void usage(u8 *argv0, int more_help) { #endif #ifdef ASAN_BUILD - SAYF("Compiled with ASAN_BUILD\n\n"); + SAYF("Compiled with ASAN_BUILD.\n"); #endif #ifdef NO_SPLICING - SAYF("Compiled with NO_SPLICING\n\n"); + SAYF("Compiled with NO_SPLICING.\n"); #endif #ifdef PROFILING - SAYF("Compiled with PROFILING\n\n"); + SAYF("Compiled with PROFILING.\n"); #endif #ifdef INTROSPECTION - SAYF("Compiled with INTROSPECTION\n\n"); + SAYF("Compiled with INTROSPECTION.\n"); #endif #ifdef _DEBUG - SAYF("Compiled with _DEBUG\n\n"); + SAYF("Compiled with _DEBUG.\n"); #endif #ifdef _AFL_DOCUMENT_MUTATIONS - SAYF("Compiled with _AFL_DOCUMENT_MUTATIONS\n\n"); + SAYF("Compiled with _AFL_DOCUMENT_MUTATIONS.\n"); #endif SAYF("For additional help please consult %s/README.md :)\n\n", doc_path); @@ -989,6 +997,8 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->afl_env.afl_persistent_record)) { +#ifdef AFL_PERSISTENT_RECORD + afl->fsrv.persistent_record = atoi(afl->afl_env.afl_persistent_record); if (afl->fsrv.persistent_record < 2) { @@ -999,6 +1009,12 @@ int main(int argc, char **argv_orig, char **envp) { } +#else + + FATAL("afl-fuzz was not compiled with AFL_PERSISTENT_RECORD enabled in config.h!"); + +#endif + } if (afl->fsrv.qemu_mode && getenv("AFL_USE_QASAN")) { -- cgit 1.4.1