From 1e679e3cbd23b031f47d1a756763b43acab7e02d Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 15 Feb 2020 16:18:49 +0000
Subject: colorization stage mem leak fix proposal.
---
 src/afl-fuzz-redqueen.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 296fcd98..4f5d69f7 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -128,7 +128,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
 rand_replace(buf + rng->start, s);
 u32 cksum;
- if (unlikely(get_exec_checksum(buf, len, &cksum))) return 1;
+ if (unlikely(get_exec_checksum(buf, len, &cksum))) goto checksum_fail;
 if (cksum != exec_cksum) {
@@ -149,6 +149,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
 new_hit_cnt = queued_paths + unique_crashes;
 stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt;
 stage_cycles[STAGE_COLORIZATION] += stage_max - stage_cur;
+ ck_free(backup);
 while (ranges) {
@@ -186,6 +187,19 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
 return 0;
+checksum_fail:
+ ck_free(backup);
+
+ while (ranges) {
+
+ rng = ranges;
+ ranges = ranges->next;
+ ck_free(rng);
+
+ }
+
+ return 1;
+
 }
 ///// Input to State replacement
-- cgit 1.4.1
From 37f865ab244e32c2f9307014eb4da0d5561a45bd Mon Sep 17 00:00:00 2001
From: hexcoder-
Date: Sun, 16 Feb 2020 10:44:53 +0100
Subject: fix UBSAN handling, update docs
---
 docs/env_variables.md | 5 ++---
 docs/notes_for_asan.md | 3 ++-
 gcc_plugin/afl-gcc-fast.c | 10 +++++-----
 llvm_mode/afl-clang-fast.c | 10 +++++-----
 src/afl-gcc.c | 12 ++++--------
 5 files changed, 18 insertions(+), 22 deletions(-)
(limited to 'src')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index ebfe12c2..f2642e56 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
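Review bot: On the new `goto checksum_fail` the range node `rng` that the loop is currently processing is never released: the cleanup at the label only walks whatever is still linked on `ranges`, so if `rng` was unlinked from that list when it was picked (the loop head is outside this hunk; this is inferred from the per-node `ck_free(rng)` and the separate list walk elsewhere in the function), one node still leaks on the failure path — the very thing the commit sets out to fix. Free it before jumping: `if (unlikely(get_exec_checksum(buf, len, &cksum))) { ck_free(rng); goto checksum_fail; }`. If `rng` is in fact still on `ranges` at this point, disregard this, but a comment at the goto stating who owns `rng` would settle it for the next reader. colorization's loop begins and the label sits outside this hunk.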
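Review bot: The new `checksum_fail` block is a verbatim copy of the success-path cleanup directly above it (`ck_free(backup)` followed by the same `while (ranges)` walk), which is how the two exits drift apart the next time one of them is edited. A single cleanup label with a return-code variable removes the duplication: declare `u8 ret = 1;` where `backup` is allocated, make the loop's failure branch `goto cleanup;`, set `ret = 0;` after the stage statistics and let the function fall through into the shared cleanup. The start of colorization and its loop lie outside this hunk, so the sketch below shows only the function tail.
```c
  /* … unchanged: new_hit_cnt / stage_finds / stage_cycles update … */
  ret = 0;                 /* every checksum run succeeded */

cleanup:                   /* also the target of the loop's failure branch; ret is still 1 there */
  ck_free(backup);
  /* … unchanged: while (ranges) { rng = ranges; ranges = ranges->next; ck_free(rng); } … */
  return ret;
```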
@@ -25,9 +25,8 @@ tools make fairly broad use of environmental variables:
 - see [notes_for_asan.md](notes_for_asan.md).
 (You can also enable MSAN via AFL_USE_MSAN; ASAN and MSAN come with the
- same gotchas; the modes are mutually exclusive. UBSAN and other exotic
- sanitizers are not officially supported yet, but are easy to get to work
- by hand.)
+ same gotchas; the modes are mutually exclusive. UBSAN can be enabled
+ similarly by setting the environment variable AFL_USE_UBSAN=1)
 - Setting AFL_CC, AFL_CXX, and AFL_AS lets you use alternate downstream compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries
diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md
index c10a9726..9c49dc1f 100644
--- a/docs/notes_for_asan.md
+++ b/docs/notes_for_asan.md
@@ -136,7 +136,8 @@ istruction that will cause SIGILL (ud2 on x86) when an undefined behaviour is detected. This is the option that you want to use when combining AFL++ and UBSan.
-AFL_USE_UBSAN=1 env var will add this compiler flag to afl-clang-fast for you.
+AFL_USE_UBSAN=1 env var will add this compiler flag to afl-clang-fast,
+afl-gcc-fast and afl-gcc for you.
 Old versions of UBSAN don't offer a consistent way to abort() on fault conditions or to terminate with a distinctive exit code
diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c
index 2eef8798..bf89b867 100644
--- a/gcc_plugin/afl-gcc-fast.c
+++ b/gcc_plugin/afl-gcc-fast.c
@@ -192,13 +192,13 @@ static void edit_params(u32 argc, char** argv) {
 }
- if (getenv("AFL_USE_UBSAN")) {
+ }
- cc_params[cc_par_cnt++] = "-fsanitize=undefined";
- cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
- cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
+ if (getenv("AFL_USE_UBSAN")) {
- }
+ cc_params[cc_par_cnt++] = "-fsanitize=undefined";
+ cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
+ cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
 }
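Review bot: The three UBSAN flags are added without a comment saying why the trap variant is used, although this commit's own docs hunk gives the reason: `-fsanitize-undefined-trap-on-error` makes the compiler emit a trap (SIGILL) so the fuzzer records the undefined behaviour as a crash instead of UBSan printing a report and continuing. Now that the identical block lives in three wrappers, put that intent next to the flags, e.g. `/* trap (SIGILL) on UB so the fuzzer sees it as a crash; see docs/notes_for_asan.md */` above the first `cc_params` line. With the trap in place `-fno-sanitize-recover=all` appears redundant, since no runtime handler is ever entered that could recover; if it is kept deliberately (for a toolchain that ignores the trap flag, say), the comment should say so. edit_params continues on both sides of this hunk.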
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 348b5333..a9a86957 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -300,13 +300,13 @@ static void edit_params(u32 argc, char** argv) {
 }
- if (getenv("AFL_USE_UBSAN")) {
+ }
- cc_params[cc_par_cnt++] = "-fsanitize=undefined";
- cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
- cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
+ if (getenv("AFL_USE_UBSAN")) {
- }
+ cc_params[cc_par_cnt++] = "-fsanitize=undefined";
+ cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
+ cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
 }
diff --git a/src/afl-gcc.c b/src/afl-gcc.c
index 5ead32fb..03468d3d 100644
--- a/src/afl-gcc.c
+++ b/src/afl-gcc.c
@@ -282,15 +282,11 @@ static void edit_params(u32 argc, char** argv) {
 }
- if (!asan_set) {
+ if (getenv("AFL_USE_UBSAN")) {
- if (getenv("AFL_USE_UBSAN")) {
-
- cc_params[cc_par_cnt++] = "-fsanitize=undefined";
- cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
- cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
-
- }
+ cc_params[cc_par_cnt++] = "-fsanitize=undefined";
+ cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
+ cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
 }
-- cgit 1.4.1
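Review bot: This copy of the UBSAN block is byte-identical to the one in gcc_plugin/afl-gcc-fast.c, yet clang is the only compiler this wrapper drives and, as far as I know, `-fsanitize-undefined-trap-on-error` is the older alias that clang still accepts for its documented `-fsanitize-trap=undefined`; keeping the GCC-compatible spelling is reasonable, but without a note a reader will assume the block was pasted without thought. A short comment above the first `cc_params` line would record both the choice and its effect, e.g. `/* same flags as afl-gcc-fast: trap (SIGILL) on UB so the fuzzer treats it as a crash */`. edit_params continues on both sides of this hunk.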