From 599f78a4bd9657f28a9ab0baeb9c001dbbba49a9 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 4 Feb 2020 20:14:36 +0100 Subject: afl-showmap -i with stdin --- src/afl-showmap.c | 41 +++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5061ca31..a0bcbb4c 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -67,7 +67,7 @@ s32 forksrv_pid, /* PID of the fork server */ s32 fsrv_ctl_fd, /* Fork server control pipe (write) */ fsrv_st_fd; /* Fork server status pipe (read) */ -s32 out_fd; /* Persistent fd for out_file */ +s32 out_fd; /* Persistent fd for stdin_file */ s32 dev_null_fd = -1; /* FD to /dev/null */ s32 out_fd = -1, out_dir_fd = -1, dev_urandom_fd = -1; @@ -77,6 +77,7 @@ u8 uses_asan; u8* trace_bits; /* SHM with instrumentation bitmap */ u8 *out_file, /* Trace output file */ + *stdin_file, /* stdin file */ *in_dir, /* input folder */ *doc_path, /* Path to docs */ *at_file; /* Substitution string for @@ */ @@ -158,6 +159,14 @@ static void classify_counts(u8* mem, const u8* map) { } +/* Get rid of temp files (atexit handler). */ + +static void at_exit_handler(void) { + + if (out_file) unlink(out_file); /* Ignore errors */ + +} + /* Write results. */ static u32 write_results_to_file(u8 *out_file) { @@ -265,12 +274,12 @@ static void write_to_testcase(void* mem, u32 len) { if (use_stdin) { - lseek(0, 0, SEEK_SET); + lseek(out_fd, 0, SEEK_SET); - ck_write(0, mem, len, out_file); + ck_write(out_fd, mem, len, out_file); - if (ftruncate(0, len)) PFATAL("ftruncate() failed"); - lseek(0, 0, SEEK_SET); + if (ftruncate(out_fd, len)) PFATAL("ftruncate() failed"); + lseek(out_fd, 0, SEEK_SET); } @@ -887,7 +896,7 @@ int main(int argc, char** argv) { if (!quiet_mode) { show_banner(); - ACTF("Executing '%s'...\n", target_path); + ACTF("Executing '%s'...", target_path); } 
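Review bot: at_exit_handler unlinks `out_file`, the -o trace output, rather than the temporary stdin file it was added to clean up; in the `-i dir` mode where it is registered `out_file` is a directory, so the unlink fails and `stdin_file` is left behind in the working directory or TMPDIR on every run. Change it to `if (stdin_file) unlink(stdin_file); /* Ignore errors */`. The handler is registered only from the `-i` branch of main (a later hunk on this page), so it cannot currently delete a single-file trace output, but the comment above it should name what it removes, e.g. `/* Remove the temporary stdin file (atexit handler). */`.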
@@ -932,6 +941,24 @@ int main(int argc, char** argv) { PFATAL("cannot create output directory %s", out_file); if (arg_offset) argv[arg_offset] = infile; + else { + + u8* use_dir = "."; + + if (access(use_dir, R_OK | W_OK | X_OK)) { + + use_dir = getenv("TMPDIR"); + if (!use_dir) use_dir = "/tmp"; + + } + + stdin_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); + unlink(stdin_file); + atexit(at_exit_handler); + out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); + if (out_fd < 0) PFATAL("Unable to create '%s'", out_file); + + } init_forkserver(use_argv); @@ -950,6 +977,8 @@ int main(int argc, char** argv) { } } + + if (!quiet_mode) OKF("Processed %u input files.", total_execs); } else { -- cgit 1.4.1 From 1edc392194ee6fad60057dce4aa2c9b5e2099451 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 5 Feb 2020 17:33:02 +0100 Subject: afl-showmap fix --- afl-cmin | 2 +- libdislocator/libdislocator.so.c | 8 +++- llvm_mode/afl-clang-fast.c | 6 +-- src/afl-common.c | 28 ++++++----- src/afl-fuzz-stats.c | 18 +++---- src/afl-showmap.c | 100 +++++++++++++++++++++------------------ 6 files changed, 90 insertions(+), 72 deletions(-) (limited to 'src') diff --git a/afl-cmin b/afl-cmin index 182376c9..f15e3cb4 100755 --- a/afl-cmin +++ b/afl-cmin 
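Review bot: The failure message after `open(stdin_file, ...)` prints `out_file` instead of the path that could not be created; it should read `if (out_fd < 0) PFATAL("Unable to create '%s'", stdin_file);`. The same line is carried unchanged into the later "afl-showmap fix" commit on this page. The temp name `.afl-tmin-temp-%u` was copied from afl-tmin; `.afl-showmap-temp-%u` would make stray files attributable to the right tool. Falling back to TMPDIR or /tmp when the working directory is not writable is fine because the `unlink` followed by `O_CREAT | O_EXCL` refuses a path that already exists, including a symlink; that reasoning is worth a one-line comment next to the `open`.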
@@ -397,7 +397,7 @@ BEGIN { system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/"fn"\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"fn"\"") } } else { - printf " Processing "in_count" files (forkserver mode)..." + printf " Processing "in_count" files (forkserver mode)...\n" system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string" 10 * 1024) - WARNF("Some test cases are big (%s) - see %s/perf_tips.md.", - DMS(max_len), doc_path); + WARNF("Some test cases are big (%s) - see %s/perf_tips.md.", DMS(max_len), + doc_path); if (useless_at_start && !in_bitmap) WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a0bcbb4c..9c146771 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -77,7 +77,7 @@ u8 uses_asan; u8* trace_bits; /* SHM with instrumentation bitmap */ u8 *out_file, /* Trace output file */ - *stdin_file, /* stdin file */ + *stdin_file, /* stdin file */ *in_dir, /* input folder */ *doc_path, /* Path to docs */ *at_file; /* Substitution string for @@ */ @@ -89,8 +89,7 @@ u32 exec_tmout; /* Exec timeout (ms) */ static u32 total, highest; /* tuple content information */ static u32 in_len, /* Input data length */ - arg_offset, - total_execs; /* Total number of execs */ + arg_offset, total_execs; /* Total number of execs */ u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ @@ -169,7 +168,7 @@ static void at_exit_handler(void) { /* Write results. */ -static u32 write_results_to_file(u8 *out_file) { +static u32 write_results_to_file(u8* out_file) { s32 fd; u32 i, ret = 0; @@ -243,7 +242,7 @@ static u32 write_results_to_file(u8 *out_file) { static u32 write_results(void) { return write_results_to_file(out_file); - + } /* Write output file. */ 
@@ -272,16 +271,10 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) { static void write_to_testcase(void* mem, u32 len) { - if (use_stdin) { - - lseek(out_fd, 0, SEEK_SET); - - ck_write(out_fd, mem, len, out_file); - - if (ftruncate(out_fd, len)) PFATAL("ftruncate() failed"); - lseek(out_fd, 0, SEEK_SET); - - } + lseek(out_fd, 0, SEEK_SET); + ck_write(out_fd, mem, len, out_file); + if (ftruncate(out_fd, len)) PFATAL("ftruncate() failed"); + lseek(out_fd, 0, SEEK_SET); } @@ -383,14 +376,15 @@ static u8 run_target_forkserver(char** argv, u8* mem, u32 len) { /* Read initial file. */ -u32 read_file(u8 *in_file) { +u32 read_file(u8* in_file) { struct stat st; s32 fd = open(in_file, O_RDONLY); if (fd < 0) WARNF("Unable to open '%s'", in_file); - if (fstat(fd, &st) || !st.st_size) WARNF("Zero-sized input file '%s'.", in_file); + if (fstat(fd, &st) || !st.st_size) + WARNF("Zero-sized input file '%s'.", in_file); in_len = st.st_size; in_data = ck_alloc_nozero(in_len); @@ -399,9 +393,10 @@ u32 read_file(u8 *in_file) { close(fd); - //OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); + // OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); return in_len; + } /* Execute target application. */ @@ -643,7 +638,8 @@ static void usage(u8* argv0) { "Other settings:\n\n" - " -i dir - process all files in this directory, -o must be a directory\n" + " -i dir - process all files in this directory, -o must be a " + "directory\n" " and each bitmap will be written there individually.\n" " -q - sink program's output and don't show messages\n" " -e - show edge coverage only, ignore hit counts\n" 
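Review bot: read_file only warns when `open` fails and then continues into `fstat(-1, &st)`, which also fails and leaves `st` uninitialized, so `in_len = st.st_size` and the following `ck_alloc_nozero(in_len)` operate on garbage; this hunk reformats those lines but keeps the behaviour. Return early on both failures, `if (fd < 0) { WARNF("Unable to open '%s'", in_file); return 0; }` and `if (fstat(fd, &st) || !st.st_size) { WARNF("Zero-sized input file '%s'.", in_file); close(fd); return 0; }`, since the caller in main already treats a zero return as "skip this file". The write_to_testcase hunk above now writes to `out_fd` unconditionally; presumably `out_fd` is always valid by the time it is reached, but that is not visible here and should be confirmed for the non-`-i` path.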
@@ -900,18 +896,17 @@ int main(int argc, char** argv) { } - if (in_dir) { - + if (in_dir) { + if (at_file) PFATAL("Options -A and -i are mutually exclusive"); at_file = "@@"; - + } - detect_file_args(argv + optind, at_file); - + detect_file_args(argv + optind, ""); + for (i = optind; i < argc; i++) - if (strcmp(argv[i], "@@") == 0) - arg_offset = i; + if (strcmp(argv[i], "@@") == 0) arg_offset = i; if (qemu_mode) { @@ -926,10 +921,10 @@ int main(int argc, char** argv) { if (in_dir) { - DIR *dir_in, *dir_out; + DIR * dir_in, *dir_out; struct dirent* dir_ent; - int done = 0; - u8 infile[4096], outfile[4096]; + int done = 0; + u8 infile[4096], outfile[4096]; dev_null_fd = open("/dev/null", O_RDWR); if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); 
@@ -940,44 +935,56 @@ int main(int argc, char** argv) { if (mkdir(out_file, 0700)) PFATAL("cannot create output directory %s", out_file); - if (arg_offset) argv[arg_offset] = infile; - else { - - u8* use_dir = "."; + u8* use_dir = "."; - if (access(use_dir, R_OK | W_OK | X_OK)) { + if (access(use_dir, R_OK | W_OK | X_OK)) { - use_dir = getenv("TMPDIR"); - if (!use_dir) use_dir = "/tmp"; + use_dir = getenv("TMPDIR"); + if (!use_dir) use_dir = "/tmp"; - } + } + + stdin_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); + unlink(stdin_file); + atexit(at_exit_handler); + out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); + if (out_fd < 0) PFATAL("Unable to create '%s'", out_file); + + if (arg_offset) argv[arg_offset] = stdin_file; + + if (getenv("AFL_DEBUG")) { + + int i = optind; + SAYF(cMGN "[D]" cRST " %s:", target_path); + while (argv[i] != NULL) + SAYF(" \"%s\"", argv[i++]); + SAYF("\n"); + SAYF(cMGN "[D]" cRST " %d - %d = %d, %s\n", arg_offset, optind, + arg_offset - optind, infile); - stdin_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); - unlink(stdin_file); - atexit(at_exit_handler); - out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); - if (out_fd < 0) PFATAL("Unable to create '%s'", out_file); - } init_forkserver(use_argv); while (done == 0 && (dir_ent = readdir(dir_in))) { - if (dir_ent->d_name[0] == '.') continue; // skip anything that starts with '.' - if (dir_ent->d_type != DT_REG) continue; // only regular files + if (dir_ent->d_name[0] == '.') + continue; // skip anything that starts with '.' + if (dir_ent->d_type != DT_REG) continue; // only regular files snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name); snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name); if (read_file(infile)) { + run_target_forkserver(use_argv, in_data, in_len); ck_free(in_data); tcnt = write_results_to_file(outfile); + } } - + if (!quiet_mode) OKF("Processed %u input files.", total_execs); } else { 
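Review bot: The AFL_DEBUG block prints `infile` with `%s` before any `snprintf` has written to it; `infile` is declared without an initializer in the previous hunk, so this reads an uninitialized stack buffer (undefined behaviour, and stack contents end up in the log). Drop `infile` from that SAYF, or initialize the buffers as `u8 infile[4096] = {0}, outfile[4096] = {0};`. The block also declares `int i = optind;`, which shadows the function-level `i` used by the `for (i = optind; ...)` loop earlier in main; a distinct name such as `ai` avoids the confusion, and `arg_offset` is a `u32` printed with `%d`. The error path after `open(stdin_file, ...)` still reports `out_file` instead of `stdin_file`, and `at_exit_handler` still unlinks `out_file` rather than `stdin_file`, as in the earlier afl-showmap commit on this page.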
@@ -998,3 +1005,4 @@ int main(int argc, char** argv) { exit(child_crashed * 2 + child_timed_out); } + -- cgit 1.4.1 From e5972efa41c6371a6d1fed14492418ad0a756eae Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 6 Feb 2020 21:43:50 +0100 Subject: cmplog for qemu mode --- qemu_mode/patches/afl-qemu-common.h | 6 ++ qemu_mode/patches/afl-qemu-cpu-inl.h | 22 +++++- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 96 ++++++++++++++++++++++---- src/afl-fuzz-cmplog.c | 12 ++-- 4 files changed, 117 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 4d651385..18c36f73 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -35,6 +35,9 @@ #define __AFL_QEMU_COMMON #include "../../config.h" +#include "../../include/cmplog.h" + +#define PERSISTENT_DEFAULT_MAX_CNT 1000 #ifndef CPU_NB_REGS #define AFL_REGS_NUM 1000 @@ -74,6 +77,9 @@ extern int persisent_retaddr_offset; extern __thread abi_ulong afl_prev_loc; +extern struct cmp_map* __afl_cmp_map; +extern __thread u32 __afl_cmp_counter; + void afl_debug_dump_saved_regs(); void afl_persistent_loop(); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index ac847371..0ae6364b 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -32,11 +32,8 @@ */ #include -#include "../../config.h" #include "afl-qemu-common.h" -#define PERSISTENT_DEFAULT_MAX_CNT 1000 - /*************************** * VARIOUS AUXILIARY STUFF * ***************************/ @@ -81,6 +78,9 @@ u8 afl_compcov_level; __thread abi_ulong afl_prev_loc; +struct cmp_map* __afl_cmp_map; +__thread u32 __afl_cmp_counter; + /* Set in the child process in forkserver mode: */ static int forkserver_installed = 0; 
@@ -181,6 +181,22 @@ static void afl_setup(void) { if (inst_r) afl_area_ptr[0] = 1; } + + if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) { // CmpLog forkserver + + id_str = getenv(CMPLOG_SHM_ENV_VAR); + + if (id_str) { + + u32 shm_id = atoi(id_str); + + __afl_cmp_map = shmat(shm_id, NULL, 0); + + if (__afl_cmp_map == (void*)-1) _exit(1); + + } + + } if (getenv("AFL_INST_LIBS")) { diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 6d42bf3d..9f032feb 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h 
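Review bot: The new CmpLog branch in afl_setup exits with `_exit(1)` when `shmat` fails but prints nothing, and the trigger variable `___AFL_EINS_ZWEI_POLIZEI___` is an unexplained magic string that is also spelled out in src/afl-fuzz-cmplog.c in this commit. Replace `// CmpLog forkserver` with a comment that states the contract, e.g. `// afl-fuzz sets this env var in the child that executes the CmpLog fork server; map the shared cmp_map so afl_gen_compcov emits cmplog calls instead of compcov`, and write a line to stderr before `_exit(1)` as the other fatal paths in this file do. Defining the variable name once in a shared header and using it from both files would keep the two sides from drifting. `atoi(id_str)` accepts any junk as id 0; the `AFL_SHM_ENV_VAR` handling above presumably does the same, so that is only worth changing together with it.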
@@ -102,31 +102,103 @@ static void afl_compcov_log_64(target_ulong cur_loc, target_ulong arg1, } +static void afl_cmplog_16(target_ulong cur_loc, target_ulong arg1, + target_ulong arg2) { + + register uintptr_t k = (uintptr_t)cur_loc; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + // if (!__afl_cmp_map->headers[k].cnt) + // __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++; + + __afl_cmp_map->headers[k].shape = 1; + //__afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; + +} + +static void afl_cmplog_32(target_ulong cur_loc, target_ulong arg1, + target_ulong arg2) { + + register uintptr_t k = (uintptr_t)cur_loc; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 3; + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; + +} + +static void afl_cmplog_64(target_ulong cur_loc, target_ulong arg1, + target_ulong arg2) { + + register uintptr_t k = (uintptr_t)cur_loc; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 7; + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; + +} + + static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, TCGMemOp ot, int is_imm) { void *func; - if (!afl_compcov_level || cur_loc > afl_end_code || cur_loc < afl_start_code) + if (cur_loc > afl_end_code || cur_loc < afl_start_code) return; - if (!is_imm && afl_compcov_level < 2) return; + if (__afl_cmp_map) { + + cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); + cur_loc &= CMP_MAP_W - 1; - switch (ot) { + switch (ot) { - case MO_64: func = &afl_compcov_log_64; break; - case MO_32: func = &afl_compcov_log_32; break; - case MO_16: func = &afl_compcov_log_16; break; 
- default: return; + case MO_64: func = &afl_cmplog_64; break; + case MO_32: func = &afl_cmplog_32; break; + case MO_16: func = &afl_cmplog_16; break; + default: return; - } + } + + tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2); + + } else if (afl_compcov_level) { + + if (!is_imm && afl_compcov_level < 2) return; + + cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); + cur_loc &= MAP_SIZE - 7; - cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); - cur_loc &= MAP_SIZE - 7; + if (cur_loc >= afl_inst_rms) return; + + switch (ot) { - if (cur_loc >= afl_inst_rms) return; + case MO_64: func = &afl_compcov_log_64; break; + case MO_32: func = &afl_compcov_log_32; break; + case MO_16: func = &afl_compcov_log_16; break; + default: return; - tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2); + } + + tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2); + + } } diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 92bac4ab..69efcffa 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -150,8 +150,10 @@ void init_cmplog_forkserver(char** argv) { "msan_track_origins=0", 0); - argv[0] = cmplog_binary; - execv(cmplog_binary, argv); + setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); + + if (!qemu_mode) argv[0] = cmplog_binary; + execv(argv[0], argv); /* Use a distinctive bitmap signature to tell the parent about execv() falling through. */ @@ -440,9 +442,11 @@ u8 run_cmplog_target(char** argv, u32 timeout) { setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" "msan_track_origins=0", 0); + + setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); - argv[0] = cmplog_binary; - execv(cmplog_binary, argv); + if (!qemu_mode) argv[0] = cmplog_binary; + execv(argv[0], argv); /* Use a distinctive bitmap value to tell the parent about execv() falling through. */ -- cgit 1.4.1 From 0d8f70423ac97c521d6c2c070d65e802825b8679 Mon Sep 17 00:00:00 2001 
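Review bot: afl_cmplog_16, afl_cmplog_32 and afl_cmplog_64 are identical except for the `shape` constant written into the header (1, 3, 7), so the three bodies should collapse into one helper that takes the shape, with the three names kept as thin wrappers for the `switch` in afl_gen_compcov. The `register` storage class on `k` does nothing on a modern compiler and can go. The commented-out `// if (!__afl_cmp_map->headers[k].cnt) ...` lines in afl_cmplog_16 are dead code and should be deleted or turned into a TODO that says why `cnt` is not maintained in QEMU mode. The cmplog branch indexes `headers[k]` with `cur_loc` only after `cur_loc &= CMP_MAP_W - 1`, which keeps it in bounds; a one-line comment at the mask saying so would help the next reader.
```c
static void afl_cmplog_common(target_ulong cur_loc, target_ulong arg1,
                              target_ulong arg2, u8 shape) {

  uintptr_t k = (uintptr_t)cur_loc;  /* caller masked cur_loc to CMP_MAP_W - 1 */

  u32 hits = __afl_cmp_map->headers[k].hits;
  __afl_cmp_map->headers[k].hits = hits + 1;
  __afl_cmp_map->headers[k].shape = shape;

  hits &= CMP_MAP_H - 1;
  __afl_cmp_map->log[k][hits].v0 = arg1;
  __afl_cmp_map->log[k][hits].v1 = arg2;

}

static void afl_cmplog_16(target_ulong cur_loc, target_ulong arg1,
                          target_ulong arg2) {

  afl_cmplog_common(cur_loc, arg1, arg2, 1);

}

// … afl_cmplog_32 and afl_cmplog_64 likewise, with shape 3 and 7 …
```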
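Review bot: In QEMU mode both exec paths now ignore `cmplog_binary` and re-exec `argv[0]`, so whatever the user passed with `-c` is unused there, while the `-c program` usage text elsewhere on this page still describes it as the CmpLog binary. If that is intended, a comment above each `if (!qemu_mode)` line, e.g. `/* In QEMU mode the same afl-qemu-trace binary serves as the CmpLog target; the env var selects the mode. */`, and a matching sentence in the usage text would avoid the question. The same applies to the run_cmplog_target hunk in this file.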
From: Andrea Fioraldi Date: Thu, 6 Feb 2020 22:35:14 +0100 Subject: save input with high entropy after colorization --- src/afl-fuzz-redqueen.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c21c973f..6fb1964f 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -108,6 +108,8 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { struct range* ranges = add_range(NULL, 0, len); u8* backup = ck_alloc_nozero(len); + u8 needs_write = 0; + u64 orig_hit_cnt, new_hit_cnt; orig_hit_cnt = queued_paths + unique_crashes; @@ -132,7 +134,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); memcpy(buf + rng->start, backup, s); - } + } else needs_write = 1; ck_free(rng); --stage_cur; @@ -150,6 +152,32 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { ck_free(rng); } + + // save the input with the high entropy + + if (needs_write) { + + s32 fd; + + if (no_unlink) { + + fd = open(queue_cur->fname, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + } else { + + unlink(queue_cur->fname); /* ignore errors */ + fd = open(queue_cur->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); + + } + + if (fd < 0) PFATAL("Unable to create '%s'", queue_cur->fname); + + ck_write(fd, buf, len, queue_cur->fname); + queue_cur->len = len; // no-op, just to be 100% safe + + close(fd); + + } return 0; @@ -362,7 +390,7 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, } - memcpy(buf, orig_buf, len); + memcpy(orig_buf, buf, len); new_hit_cnt = queued_paths + unique_crashes; stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; -- cgit 1.4.1 From ea37d8cef9648dfbe317517959be3d4eb9cb6cc7 Mon Sep 17 00:00:00 2001 
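Review bot: colorization now rewrites `queue_cur->fname` on disk with the colorized buffer whenever at least one range was kept, a side effect the function's header comment should state, e.g. `/* If any range kept its random replacement, the colorized input overwrites the queue entry on disk so later stages see the high-entropy version. */`; the swapped `memcpy(orig_buf, buf, len)` in input_to_state_stage presumably exists to keep the in-memory copy in step with that file and deserves the same one-line explanation. The `close(fd)` return value is ignored; checking it with the same `PFATAL` style used for the `open` failure just above keeps the write path consistent. The comment `// no-op, just to be 100% safe` on `queue_cur->len = len;` should say what it guards against or be removed, since a reader cannot tell here whether `len` can differ from `queue_cur->len`.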
From: Andrea Fioraldi Date: Fri, 7 Feb 2020 16:04:43 +0100 Subject: redqueen auto extras --- src/afl-fuzz-redqueen.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6fb1964f..d46d2b19 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -298,6 +298,44 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx, } +void try_to_add_to_dict(u64 v, u8 shape) { + + u8* b = (u8*)&v; + + u32 k; + u8 cons_ff = 0, cons_0 = 0; + for (k = 0; k < shape; ++k) { + + if (b[k] == 0) ++cons_0; + else if (b[k] == 0xff) ++cons_0; + else cons_0 = cons_ff = 0; + + if (cons_0 > 1 || cons_ff > 1) + return; + + } + + maybe_add_auto((u8*)&v, shape); + + u64 rev; + switch (shape) { + case 1: break; + case 2: + rev = SWAP16((u16)v); + maybe_add_auto((u8*)&rev, shape); + break; + case 4: + rev = SWAP32((u32)v); + maybe_add_auto((u8*)&rev, shape); + break; + case 8: + rev = SWAP64(v); + maybe_add_auto((u8*)&rev, shape); + break; + } + +} + u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { struct cmp_header* h = &cmp_map->headers[key]; @@ -338,6 +376,14 @@ u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { break; } + + // If failed, add to dictionary + if (fails == 8) { + + try_to_add_to_dict(o->v0, SHAPE_BYTES(h->shape)); + try_to_add_to_dict(o->v1, SHAPE_BYTES(h->shape)); + + } cmp_fuzz_next_iter: stage_cur++; -- cgit 1.4.1 From 1e10e452aaa366c3d06e7eda9f56f127fbf25319 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 7 Feb 2020 17:00:11 +0100 Subject: fix empty range bug in colorization --- Makefile | 2 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 4 +++- src/afl-fuzz-redqueen.c | 4 ++++ 3 files changed, 8 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/Makefile b/Makefile index 13be4ec9..70eac6b9 100644 --- a/Makefile +++ b/Makefile 
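Review bot: In try_to_add_to_dict the `0xff` branch increments `cons_0` instead of `cons_ff`, so `cons_ff` is never incremented, the `cons_ff > 1` test can never fire, and 0x00 and 0xff bytes are counted together; the line should be `else if (b[k] == 0xff) ++cons_ff;`. Even with that fix neither counter is reset by a byte of the other kind, so the counts are cumulative rather than consecutive — a constructed value such as `00 ff 00` is rejected although no two equal padding bytes are adjacent; if runs are what is meant, reset the other counter in each branch. The `switch (shape)` has no `default:`; a shape other than 1, 2, 4 or 8 silently skips the byte-swapped variant, and an explicit `default: break;` documents that. A one-line comment above the function, e.g. `/* Add a comparison operand (and its byte-swapped form) to the auto dictionary unless it is mostly 0x00/0xff padding. */`, would state its purpose.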
@@ -57,7 +57,7 @@ ifneq "$(shell uname -m)" "x86_64" endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -CFLAGS += -Wall -g -Wno-pointer-sign -I include/ \ +override CFLAGS += -Wall -g -Wno-pointer-sign -I include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ -DDOC_PATH=\"$(DOC_PATH)\" -Wno-unused-function diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 0ae6364b..9a98fde3 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -368,8 +368,10 @@ static void afl_forkserver(CPUState *cpu) { if (WIFSTOPPED(status)) child_stopped = 1; - else if (unlikely(first_run && is_persistent)) + else if (unlikely(first_run && is_persistent)) { + fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n"); exit(12); // Persistent is wrong + } first_run = 0; if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index d46d2b19..bac7357e 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -122,6 +122,9 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { while ((rng = pop_biggest_range(&ranges)) != NULL && stage_cur) { u32 s = rng->end - rng->start; + if (s == 0) + goto empty_range; + memcpy(backup, buf + rng->start, s); rand_replace(buf + rng->start, s); @@ -136,6 +139,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { } else needs_write = 1; +empty_range: ck_free(rng); --stage_cur; -- cgit 1.4.1 From e360726730aa9e4e54548f20f76da7de368fa35f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 7 Feb 2020 19:41:48 +0100 Subject: todo update --- TODO | 3 +++ src/afl-fuzz.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/TODO b/TODO index d153f1b4..b9c209f8 100644 --- a/TODO +++ b/TODO 
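Review bot: The new `s == 0` shortcut in colorization still falls through to `--stage_cur`, so each empty range consumes one unit of the colorization budget although nothing is executed; if that is not intended, decrement only on the path that ran the target. The `goto empty_range` skips the `memcpy`/`rand_replace`/run block, which is safe here because nothing is allocated between the check and the label, but a short comment at the label, `/* empty ranges presumably come from splitting a 1-byte range in half: nothing to test */`, would explain why the label exists.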
@@ -18,6 +18,9 @@ qemu_mode: - instrim for QEMU mode via static analysis (with r2pipe? or angr?) Idea: The static analyzer outputs a map in which each edge that must be skipped is marked with 1. QEMU loads it at startup in the parent process. + - rename qemu specific envs to AFL_QEMU (espec. AFL_ENTRYPOINT) + - add AFL_QEMU_EXITPOINT (maybe multiple?) + - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM custom_mutators: - rip what Superion is doing into custom mutators for js, php, etc. diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8833244d..63d2b997 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -100,7 +100,7 @@ static void usage(u8* argv0) { " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n" " -m megs - memory limit for child process (%d MB)\n" - " -c program - enable CmpLog specifying a binary compiled for it\n" + " -c program - enable CmpLog by specifying a binary compiled for it\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" " -W - use qemu-based instrumentation with Wine (Wine " -- cgit 1.4.1 From f2f6be5e999632b05ce92b4934ee97531d546a44 Mon Sep 17 00:00:00 2001 
From: Andrea Fioraldi Date: Fri, 7 Feb 2020 20:43:17 +0100 Subject: afl qemu persistent hook --- examples/qemu_persistent_hook/README.md | 20 +++++ examples/qemu_persistent_hook/read_into_rdi.c | 42 ++++++++++ examples/qemu_persistent_hook/test.c | 34 ++++++++ include/afl-fuzz.h | 2 +- qemu_mode/build_qemu_support.sh | 10 ++- qemu_mode/patches/afl-qemu-common.h | 6 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 35 +++++++- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 112 ++++++++++++++----------- qemu_mode/patches/configure.diff | 26 ++++++ src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-globals.c | 2 +- src/afl-fuzz-init.c | 2 + src/afl-fuzz.c | 2 + 13 files changed, 235 insertions(+), 60 deletions(-) create mode 100644 examples/qemu_persistent_hook/README.md create mode 100644 examples/qemu_persistent_hook/read_into_rdi.c create mode 100644 examples/qemu_persistent_hook/test.c create mode 100644 qemu_mode/patches/configure.diff (limited to 'src') diff --git a/examples/qemu_persistent_hook/README.md b/examples/qemu_persistent_hook/README.md new file mode 100644 index 00000000..3278b60c --- /dev/null +++ b/examples/qemu_persistent_hook/README.md @@ -0,0 +1,20 @@ +# QEMU persistent hook example + +Compile the test binary and the library: + +``` +gcc -no-pie test.c -o test +gcc -fPIC -shared read_into_rdi.c -o read_into_rdi.so +``` + +Fuzz with: + +``` +export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test | grep "T target_func" | awk '{print $1}') +export AFL_QEMU_PERSISTENT_HOOK=./read_into_rdi.so + +mkdir in +echo 0000 > in/in + +../../afl-fuzz -Q -i in -o out -- ./test +``` diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c new file mode 100644 index 00000000..4c5119e0 --- /dev/null +++ b/examples/qemu_persistent_hook/read_into_rdi.c 
@@ -0,0 +1,42 @@ +#include +#include +#include + +#define g2h(x) ((void *)((unsigned long)(x) + guest_base)) +#define h2g(x) ((uint64_t)(x) - guest_base) + +enum { + R_EAX = 0, + R_ECX = 1, + R_EDX = 2, + R_EBX = 3, + R_ESP = 4, + R_EBP = 5, + R_ESI = 6, + R_EDI = 7, + R_R8 = 8, + R_R9 = 9, + R_R10 = 10, + R_R11 = 11, + R_R12 = 12, + R_R13 = 13, + R_R14 = 14, + R_R15 = 15, + + R_AL = 0, + R_CL = 1, + R_DL = 2, + R_BL = 3, + R_AH = 4, + R_CH = 5, + R_DH = 6, + R_BH = 7, +}; + +void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) { + + printf("reading into %p\n", regs[R_EDI]); + size_t r = read(0, g2h(regs[R_EDI]), 1024); + printf("readed %ld bytes\n", r); + +} diff --git a/examples/qemu_persistent_hook/test.c b/examples/qemu_persistent_hook/test.c new file mode 100644 index 00000000..079d2be4 --- /dev/null +++ b/examples/qemu_persistent_hook/test.c @@ -0,0 +1,34 @@ +#include + +int target_func(char *buf, int size) { + + printf("buffer:%p, size:%p\n", buf, size); + switch (buf[0]) { + + case 1: + if (buf[1] == '\x44') { + puts("a"); + } + break; + case 0xff: + if (buf[2] == '\xff') { + if (buf[1] == '\x44') { + puts("b"); + } + } + break; + default: break; + + } + + return 1; + +} + +char data[1024]; + +int main() { + + target_func(data, 1024); + +} diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 751bd93c..c62fcc84 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -455,7 +455,7 @@ u8* (*post_handler)(u8* buf, u32* len); /* CmpLog */ extern u8* cmplog_binary; -extern s32 cmplog_forksrv_pid; +extern s32 cmplog_child_pid, cmplog_forksrv_pid; /* hooks for the custom mutator function */ /** diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 6f2bc448..0413228c 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh 
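Review bot: In read_into_rdi.c both printf calls have format/argument mismatches that are undefined behaviour: `regs[R_EDI]` is a `uint64_t` printed with `%p`, and `r` is declared `size_t` although `read` returns `ssize_t`, so a -1 error result becomes a huge unsigned value printed with `%ld`. Use `ssize_t r = read(0, g2h(regs[R_EDI]), 1024);`, print the address as `printf("reading into %p\n", g2h(regs[R_EDI]));`, and report `r` with `%zd`. The hook reads a fixed 1024 bytes into whatever RDI points to with no size check; that matches the 1024-byte `data` buffer of test.c, and a comment at the top of the file should say the hook is tied to that example rather than being a general-purpose loader. The `#include` lines lost their header names in this rendering, so they cannot be checked here.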
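Review bot: In test.c `buf` is `char *`, so on platforms where `char` is signed `buf[0]` is -1 for that byte and can never equal `0xff`, making the `case 0xff:` branch unreachable; switch on `(unsigned char)buf[0]` or declare the parameter `unsigned char *`. The `buf[2] == '\xff'` comparison works because both sides undergo the same conversion, which is worth a comment so the inconsistency with the `case` is not copied elsewhere. `printf("buffer:%p, size:%p\n", buf, size)` prints an `int` with `%p`, which is undefined behaviour; use `%d` for `size`. `main` reads no input itself because the data arrives through the persistent hook, which a one-line comment should state.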
@@ -156,16 +156,18 @@ patch -p1 <../patches/arm-translate.diff || exit 1 patch -p1 <../patches/i386-ops_sse.diff || exit 1 patch -p1 <../patches/i386-fpu_helper.diff || exit 1 patch -p1 <../patches/softfloat.diff || exit 1 +patch -p1 <../patches/configure.diff || exit 1 echo "[+] Patching done." if [ "$STATIC" = "1" ]; then - CFLAGS="-O3 -ggdb" ./configure --disable-bsd-user --disable-guest-agent --disable-strip --disable-werror \ + ./configure --extra-cflags="-O3 -ggdb -DAFL_QEMU_STATIC_BUILD=1" \ + --disable-bsd-user --disable-guest-agent --disable-strip --disable-werror \ --disable-gcrypt --disable-debug-info --disable-debug-tcg --disable-tcg-interpreter \ --enable-attr --disable-brlapi --disable-linux-aio --disable-bzip2 --disable-bluez --disable-cap-ng \ --disable-curl --disable-fdt --disable-glusterfs --disable-gnutls --disable-nettle --disable-gtk \ - --disable-rdma --disable-libiscsi --disable-vnc-jpeg --enable-kvm --disable-lzo --disable-curses \ + --disable-rdma --disable-libiscsi --disable-vnc-jpeg --disable-lzo --disable-curses \ --disable-libnfs --disable-numa --disable-opengl --disable-vnc-png --disable-rbd --disable-vnc-sasl \ --disable-sdl --disable-seccomp --disable-smartcard --disable-snappy --disable-spice --disable-libssh2 \ --disable-libusb --disable-usb-redir --disable-vde --disable-vhost-net --disable-virglrenderer \ @@ -178,9 +180,9 @@ else # --enable-pie seems to give a couple of exec's a second performance # improvement, much to my surprise. Not sure how universal this is.. - CFLAGS="-O3 -ggdb" ./configure --disable-system \ + ./configure --disable-system \ --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \ - --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm $CROSS_PREFIX || exit 1 + --target-list="${CPU_TARGET}-linux-user" --enable-pie $CROSS_PREFIX || exit 1 fi diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 18c36f73..de6c7b73 100644 
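Review bot: The non-static configure call lost its optimization and debug flags: the old line passed `CFLAGS="-O3 -ggdb"` in the environment, the new one passes nothing, whereas the static branch moved the same flags into `--extra-cflags`. Presumably the intent was the same for both, i.e. `./configure --extra-cflags="-O3 -ggdb" --disable-system \`. Dropping `--enable-kvm` from both branches is consistent with a user-mode-only build and needs no change.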
--- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -59,6 +59,8 @@ #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif +typedef void (*afl_persistent_hook_fn)(uint64_t* regs, uint64_t guest_base); + /* Declared in afl-qemu-cpu-inl.h */ extern unsigned char *afl_area_ptr; @@ -72,9 +74,11 @@ extern unsigned char is_persistent; extern target_long persistent_stack_offset; extern unsigned char persistent_first_pass; extern unsigned char persistent_save_gpr; -extern target_ulong persistent_saved_gpr[AFL_REGS_NUM]; +extern uint64_t persistent_saved_gpr[AFL_REGS_NUM]; extern int persisent_retaddr_offset; +extern afl_persistent_hook_fn afl_persistent_hook_ptr; + extern __thread abi_ulong afl_prev_loc; extern struct cmp_map* __afl_cmp_map; diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 9a98fde3..7ef54d78 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -34,6 +34,10 @@ #include #include "afl-qemu-common.h" +#ifndef AFL_QEMU_STATIC_BUILD +#include +#endif + /*************************** * VARIOUS AUXILIARY STUFF * ***************************/ @@ -95,6 +99,8 @@ unsigned char persistent_save_gpr; target_ulong persistent_saved_gpr[AFL_REGS_NUM]; int persisent_retaddr_offset; +afl_persistent_hook_fn afl_persistent_hook_ptr; + /* Instrumentation ratio: */ unsigned int afl_inst_rms = MAP_SIZE; /* Exported for afl_gen_trace */ @@ -192,7 +198,7 @@ static void afl_setup(void) { __afl_cmp_map = shmat(shm_id, NULL, 0); - if (__afl_cmp_map == (void*)-1) _exit(1); + if (__afl_cmp_map == (void*)-1) exit(1); } 
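Review bot: The extern declaration of `persistent_saved_gpr` changes to `uint64_t[AFL_REGS_NUM]`, but the definition in afl-qemu-cpu-inl.h (context line of the `@@ -95,6 +99,8 @@` hunk on this page) is still `target_ulong persistent_saved_gpr[AFL_REGS_NUM];`; declaring and defining one object with two types is undefined behaviour, and on 32-bit targets, where `target_ulong` is 32 bits, the hook called from callback_to_persistent_hook in afl-qemu-cpu-translate-inl.h would read a 64-bit element array over 32-bit storage. Change the definition to `uint64_t persistent_saved_gpr[AFL_REGS_NUM];` so it matches the new `afl_persistent_hook_fn` signature. Even then the TCG save/restore loops use `tcg_gen_st_tl`/`tcg_gen_ld_tl`, i.e. target-width accesses, so on a 32-bit target only the low half of each 64-bit slot is written — worth a comment or an explicit zero-fill of the array. The include added under `#ifndef AFL_QEMU_STATIC_BUILD` has no header name in this rendering and cannot be checked here.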
@@ -240,6 +246,33 @@ static void afl_setup(void) { if (getenv("AFL_QEMU_PERSISTENT_GPR")) persistent_save_gpr = 1; + if (getenv("AFL_QEMU_PERSISTENT_HOOK")) { + +#ifdef AFL_QEMU_STATIC_BUILD + + fprintf(stderr, "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when afl-qemu-trace is static\n"); + exit(1); + +#else + + persistent_save_gpr = 1; + + void* plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW); + if (!plib) { + fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n", getenv("AFL_QEMU_PERSISTENT_HOOK")); + exit(1); + } + + afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook"); + if (!afl_persistent_hook_ptr) { + fprintf(stderr, "[AFL] ERROR: failed to find the function \"afl_persistent_hook\" in %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK")); + exit(1); + } + +#endif + + } + if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) persisent_retaddr_offset = strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0); diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 9f032feb..d081060f 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h 
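Review bot: The `dlopen` and `dlsym` failure messages omit `dlerror()`, so a missing file, a missing dependency and an architecture mismatch all produce the same "invalid AFL_QEMU_PERSISTENT_HOOK=..." line; append it, e.g. `fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s: %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"), dlerror());`, and likewise for the `dlsym` message. `getenv("AFL_QEMU_PERSISTENT_HOOK")` is evaluated four times; reading it once into a local makes the block easier to follow. Forcing `persistent_save_gpr = 1` as a side effect of the hook variable deserves a one-line comment, since the hook receives the saved GPR array and only works when saving is on. The library runs inside afl-qemu-trace with the tracer's privileges, which the example README could state in one sentence.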
@@ -254,62 +254,71 @@ static void log_x86_sp_content(void) { }*/ -#define I386_RESTORE_STATE_FOR_PERSISTENT \ - do { \ - \ - if (persistent_save_gpr) { \ - \ - int i; \ - TCGv_ptr gpr_sv; \ - \ - TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass); \ - TCGv first_pass = tcg_temp_local_new(); \ - TCGv one = tcg_const_tl(1); \ - tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0); \ - \ - TCGLabel *lbl_save_gpr = gen_new_label(); \ - TCGLabel *lbl_finish_restore_gpr = gen_new_label(); \ - tcg_gen_brcond_tl(TCG_COND_EQ, first_pass, one, lbl_save_gpr); \ - \ - for (i = 0; i < CPU_NB_REGS; ++i) { \ - \ - gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); \ - tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0); \ - \ - } \ - \ - tcg_gen_br(lbl_finish_restore_gpr); \ - \ - gen_set_label(lbl_save_gpr); \ - \ - for (i = 0; i < CPU_NB_REGS; ++i) { \ - \ - gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); \ - tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0); \ - \ - } \ - \ - gen_set_label(lbl_finish_restore_gpr); \ - tcg_temp_free(first_pass); \ - \ - } else if (afl_persistent_ret_addr == 0) { \ - \ - TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \ - TCGv stack_off = tcg_temp_new(); \ - tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); \ - tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); \ - tcg_temp_free(stack_off); \ - \ - } \ - \ - } while (0) + +static void callback_to_persistent_hook(void) { + + afl_persistent_hook_ptr(persistent_saved_gpr, guest_base); + +} + +static void i386_restore_state_for_persistent(TCGv* cpu_regs) { + + if (persistent_save_gpr) { + + int i; + TCGv_ptr gpr_sv; + + TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass); + TCGv first_pass = tcg_temp_local_new(); + TCGv one = tcg_const_tl(1); + tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0); + + TCGLabel *lbl_restore_gpr = gen_new_label(); + tcg_gen_brcond_tl(TCG_COND_NE, first_pass, one, lbl_restore_gpr); + + // save GRP registers + for (i = 0; i < CPU_NB_REGS; ++i) { + + gpr_sv = 
tcg_const_ptr(&persistent_saved_gpr[i]); + tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0); + + } + + gen_set_label(lbl_restore_gpr); + + tcg_gen_afl_call0(&afl_persistent_loop); + + if (afl_persistent_hook_ptr) + tcg_gen_afl_call0(callback_to_persistent_hook); + + // restore GRP registers + for (i = 0; i < CPU_NB_REGS; ++i) { + + gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); + tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0); + + } + + tcg_temp_free(first_pass); + + } else if (afl_persistent_ret_addr == 0) { + + TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); + TCGv stack_off = tcg_temp_new(); + tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); + tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); + tcg_temp_free(stack_off); + + } + +} #define AFL_QEMU_TARGET_i386_SNIPPET \ if (is_persistent) { \ \ if (s->pc == afl_persistent_addr) { \ \ - I386_RESTORE_STATE_FOR_PERSISTENT; \ + i386_restore_state_for_persistent(cpu_regs); \ /*tcg_gen_afl_call0(log_x86_saved_gpr); \ tcg_gen_afl_call0(log_x86_sp_content);*/ \ \ @@ -319,7 +328,8 @@ static void log_x86_sp_content(void) { tcg_gen_st_tl(paddr, cpu_regs[R_ESP], persisent_retaddr_offset); \ \ } \ - tcg_gen_afl_call0(&afl_persistent_loop); \ + \ + if (!persistent_save_gpr) tcg_gen_afl_call0(&afl_persistent_loop); \ /*tcg_gen_afl_call0(log_x86_sp_content);*/ \ \ } else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \ diff --git a/qemu_mode/patches/configure.diff b/qemu_mode/patches/configure.diff new file mode 100644 index 00000000..acb96294 --- /dev/null +++ b/qemu_mode/patches/configure.diff 
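Review bot: In `i386_restore_state_for_persistent` only `first_pass` is released; `one` (`tcg_const_tl(1)`), `first_pass_ptr`, and every per-register `gpr_sv` created by the two `tcg_const_ptr` loops are never freed — the old macro omitted this too, but now that it is a plain function it is easy to fix with `tcg_temp_free_ptr(gpr_sv);` at the end of each loop body and `tcg_temp_free(one); tcg_temp_free_ptr(first_pass_ptr);` next to the existing `tcg_temp_free(first_pass);` (as far as I know unfreed temporaries trip the leak check in debug TCG builds). The function name now understates what it emits on the GPR path — first-pass save, the `afl_persistent_loop` call, the optional hook call, then the restore — so a header comment spelling out that emitted sequence would help the next reader. `GRP` in the two loop comments should read `GPR`.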
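Review bot: `if (!persistent_save_gpr) tcg_gen_afl_call0(&afl_persistent_loop);` in the `@@ -319,7 +328,8 @@` hunk is only correct because the GPR path emits the same call from inside `i386_restore_state_for_persistent`, a coupling the macro no longer shows. A comment on that line, `/* with persistent_save_gpr the loop call is emitted by i386_restore_state_for_persistent() */`, would keep the two sites from drifting apart.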
@@ -0,0 +1,26 @@ +diff --git a/configure b/configure +index 1c9f609..3edc9a7 100755 +--- a/configure ++++ b/configure +@@ -4603,6 +4603,21 @@ if test "$darwin" != "yes" -a "$mingw32" != "yes" -a "$solaris" != yes -a \ + libs_softmmu="-lutil $libs_softmmu" + fi + ++########################################## ++cat > $TMPC << EOF ++#include ++#include ++int main(int argc, char **argv) { return dlopen("libc.so", RTLD_NOW) != NULL; } ++EOF ++if compile_prog "" "" ; then ++ : ++elif compile_prog "" "-ldl" ; then ++ LIBS="-ldl $LIBS" ++ libs_qga="-ldl $libs_qga" ++else ++ error_exit "libdl check failed" ++fi ++ + ########################################## + # spice probe + if test "$spice" != "no" ; then diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 69efcffa..709abefe 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -27,7 +27,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -static s32 cmplog_child_pid, cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; +static s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; void init_cmplog_forkserver(char** argv) { diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 154f281e..d5d70542 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -252,7 +252,7 @@ u32 a_extras_cnt; /* Total number of tokens available */ u8 *(*post_handler)(u8 *buf, u32 *len); u8 *cmplog_binary; -s32 cmplog_forksrv_pid; +s32 cmplog_child_pid, cmplog_forksrv_pid; /* hooks for the custom mutator function */ size_t (*custom_mutator)(u8 *data, size_t size, u8 *mutated_out, diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9265e4a5..fc3e1140 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1822,6 +1822,8 @@ static void handle_stop_sig(int sig) { if (child_pid > 0) kill(child_pid, SIGKILL); if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); + if (cmplog_child_pid > 0) kill(cmplog_child_pid, SIGKILL); + if (cmplog_forksrv_pid > 0) kill(cmplog_forksrv_pid, SIGKILL); } 
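Review bot: The two SIGKILL lines added to `handle_stop_sig` in the afl-fuzz-init.c `@@ -1822,6 +1822,8 @@` hunk are repeated verbatim in the afl-fuzz.c `main` hunk that follows; a small `static void kill_child_processes(void)` used from both places would keep the list of PIDs to kill in one spot as more fork servers are added. `cmplog_child_pid` was file-static in afl-fuzz-cmplog.c and is now defined in afl-fuzz-globals.c, but no hunk in this patch adds a matching `extern` declaration — if afl-fuzz.h does not already declare it, the two new users will not compile, so that is worth confirming. In the `main` hunk only `forksrv_pid` is reaped with `waitpid`; the cmplog fork server is killed but never waited on, which presumably leaves it a zombie until exit and excludes it from the rusage figures collected right after.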
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8833244d..5f453a27 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1017,6 +1017,8 @@ int main(int argc, char** argv) { if (child_pid > 0) kill(child_pid, SIGKILL); if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); + if (cmplog_child_pid > 0) kill(cmplog_child_pid, SIGKILL); + if (cmplog_forksrv_pid > 0) kill(cmplog_forksrv_pid, SIGKILL); /* Now that we've killed the forkserver, we wait for it to be able to get * rusage stats. */ if (waitpid(forksrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } -- cgit 1.4.1 From aa2cb66ea23884eb03cb0220dcfafbdd7343f54d Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 7 Feb 2020 20:44:36 +0100 Subject: code format --- examples/qemu_persistent_hook/read_into_rdi.c | 57 ++++++++------- examples/qemu_persistent_hook/test.c | 12 ++-- qemu_mode/patches/afl-qemu-common.h | 4 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 43 +++++++---- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 98 ++++++++++++-------------- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-redqueen.c | 55 ++++++++------- src/afl-fuzz-stats.c | 14 ++-- 8 files changed, 151 insertions(+), 134 deletions(-) (limited to 'src') diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 4c5119e0..fd4c9000 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c 
@@ -2,35 +2,37 @@ #include #include -#define g2h(x) ((void *)((unsigned long)(x) + guest_base)) -#define h2g(x) ((uint64_t)(x) - guest_base) +#define g2h(x) ((void*)((unsigned long)(x) + guest_base)) +#define h2g(x) ((uint64_t)(x)-guest_base) enum { - R_EAX = 0, - R_ECX = 1, - R_EDX = 2, - R_EBX = 3, - R_ESP = 4, - R_EBP = 5, - R_ESI = 6, - R_EDI = 7, - R_R8 = 8, - R_R9 = 9, - R_R10 = 10, - R_R11 = 11, - R_R12 = 12, - R_R13 = 13, - R_R14 = 14, - R_R15 = 15, - - R_AL = 0, - R_CL = 1, - R_DL = 2, - R_BL = 3, - R_AH = 4, - R_CH = 5, - R_DH = 6, - R_BH = 7, + + R_EAX = 0, + R_ECX = 1, + R_EDX = 2, + R_EBX = 3, + R_ESP = 4, + R_EBP = 5, + R_ESI = 6, + R_EDI = 7, + R_R8 = 8, + R_R9 = 9, + R_R10 = 10, + R_R11 = 11, + R_R12 = 12, + R_R13 = 13, + R_R14 = 14, + R_R15 = 15, + + R_AL = 0, + R_CL = 1, + R_DL = 2, + R_BL = 3, + R_AH = 4, + R_CH = 5, + R_DH = 6, + R_BH = 7, + }; void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) { @@ -40,3 +42,4 @@ void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) { printf("readed %ld bytes\n", r); } + diff --git a/examples/qemu_persistent_hook/test.c b/examples/qemu_persistent_hook/test.c index 079d2be4..83001545 100644 --- a/examples/qemu_persistent_hook/test.c +++ b/examples/qemu_persistent_hook/test.c @@ -6,16 +6,15 @@ int target_func(char *buf, int size) { switch (buf[0]) { case 1: - if (buf[1] == '\x44') { - puts("a"); - } + if (buf[1] == '\x44') { puts("a"); } break; case 0xff: if (buf[2] == '\xff') { - if (buf[1] == '\x44') { - puts("b"); - } + + if (buf[1] == '\x44') { puts("b"); } + } + break; default: break; @@ -32,3 +31,4 @@ int main() { target_func(data, 1024); } + diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index de6c7b73..da3d563e 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h 
@@ -59,7 +59,7 @@ #define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif -typedef void (*afl_persistent_hook_fn)(uint64_t* regs, uint64_t guest_base); +typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base); /* Declared in afl-qemu-cpu-inl.h */ @@ -81,7 +81,7 @@ extern afl_persistent_hook_fn afl_persistent_hook_ptr; extern __thread abi_ulong afl_prev_loc; -extern struct cmp_map* __afl_cmp_map; +extern struct cmp_map *__afl_cmp_map; extern __thread u32 __afl_cmp_counter; void afl_debug_dump_saved_regs(); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 7ef54d78..5e155c74 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -82,7 +82,7 @@ u8 afl_compcov_level; __thread abi_ulong afl_prev_loc; -struct cmp_map* __afl_cmp_map; +struct cmp_map *__afl_cmp_map; __thread u32 __afl_cmp_counter; /* Set in the child process in forkserver mode: */ @@ -187,9 +187,9 @@ static void afl_setup(void) { if (inst_r) afl_area_ptr[0] = 1; } - - if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) { // CmpLog forkserver - + + if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) { // CmpLog forkserver + id_str = getenv(CMPLOG_SHM_ENV_VAR); if (id_str) { @@ -198,10 +198,10 @@ static void afl_setup(void) { __afl_cmp_map = shmat(shm_id, NULL, 0); - if (__afl_cmp_map == (void*)-1) exit(1); + if (__afl_cmp_map == (void *)-1) exit(1); } - + } if (getenv("AFL_INST_LIBS")) { 
@@ -247,32 +247,42 @@ static void afl_setup(void) { if (getenv("AFL_QEMU_PERSISTENT_GPR")) persistent_save_gpr = 1; if (getenv("AFL_QEMU_PERSISTENT_HOOK")) { - + #ifdef AFL_QEMU_STATIC_BUILD - fprintf(stderr, "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when afl-qemu-trace is static\n"); + fprintf(stderr, + "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when " + "afl-qemu-trace is static\n"); exit(1); #else - + persistent_save_gpr = 1; - - void* plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW); + + void *plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW); if (!plib) { - fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n", getenv("AFL_QEMU_PERSISTENT_HOOK")); + + fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n", + getenv("AFL_QEMU_PERSISTENT_HOOK")); exit(1); + } - + afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook"); if (!afl_persistent_hook_ptr) { - fprintf(stderr, "[AFL] ERROR: failed to find the function \"afl_persistent_hook\" in %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK")); + + fprintf(stderr, + "[AFL] ERROR: failed to find the function " + "\"afl_persistent_hook\" in %s\n", + getenv("AFL_QEMU_PERSISTENT_HOOK")); exit(1); + } #endif } - + if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) persisent_retaddr_offset = strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0); @@ -402,9 +412,12 @@ static void afl_forkserver(CPUState *cpu) { if (WIFSTOPPED(status)) child_stopped = 1; else if (unlikely(first_run && is_persistent)) { + fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n"); exit(12); // Persistent is wrong + } + first_run = 0; if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index d081060f..3c230c30 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h 
@@ -153,17 +153,15 @@ static void afl_cmplog_64(target_ulong cur_loc, target_ulong arg1, } - static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, TCGMemOp ot, int is_imm) { void *func; - if (cur_loc > afl_end_code || cur_loc < afl_start_code) - return; + if (cur_loc > afl_end_code || cur_loc < afl_start_code) return; if (__afl_cmp_map) { - + cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); cur_loc &= CMP_MAP_W - 1; @@ -177,16 +175,16 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, } tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2); - + } else if (afl_compcov_level) { - + if (!is_imm && afl_compcov_level < 2) return; cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); cur_loc &= MAP_SIZE - 7; if (cur_loc >= afl_inst_rms) return; - + switch (ot) { case MO_64: func = &afl_compcov_log_64; break; @@ -197,7 +195,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, } tcg_gen_afl_compcov_log_call(func, cur_loc, arg1, arg2); - + } } 
@@ -254,62 +252,60 @@ static void log_x86_sp_content(void) { }*/ - static void callback_to_persistent_hook(void) { afl_persistent_hook_ptr(persistent_saved_gpr, guest_base); - + } -static void i386_restore_state_for_persistent(TCGv* cpu_regs) { - - if (persistent_save_gpr) { - - int i; - TCGv_ptr gpr_sv; - - TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass); - TCGv first_pass = tcg_temp_local_new(); - TCGv one = tcg_const_tl(1); - tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0); - - TCGLabel *lbl_restore_gpr = gen_new_label(); - tcg_gen_brcond_tl(TCG_COND_NE, first_pass, one, lbl_restore_gpr); - +static void i386_restore_state_for_persistent(TCGv *cpu_regs) { + + if (persistent_save_gpr) { + + int i; + TCGv_ptr gpr_sv; + + TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass); + TCGv first_pass = tcg_temp_local_new(); + TCGv one = tcg_const_tl(1); + tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0); + + TCGLabel *lbl_restore_gpr = gen_new_label(); + tcg_gen_brcond_tl(TCG_COND_NE, first_pass, one, lbl_restore_gpr); + // save GRP registers - for (i = 0; i < CPU_NB_REGS; ++i) { - - gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); - tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0); - + for (i = 0; i < CPU_NB_REGS; ++i) { + + gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); + tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0); + } gen_set_label(lbl_restore_gpr); - + tcg_gen_afl_call0(&afl_persistent_loop); - - if (afl_persistent_hook_ptr) - tcg_gen_afl_call0(callback_to_persistent_hook); - - // restore GRP registers - for (i = 0; i < CPU_NB_REGS; ++i) { - - gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); - tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0); - + + if (afl_persistent_hook_ptr) tcg_gen_afl_call0(callback_to_persistent_hook); + + // restore GRP registers + for (i = 0; i < CPU_NB_REGS; ++i) { + + gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); + tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0); + } - - tcg_temp_free(first_pass); - + + tcg_temp_free(first_pass); + } else if 
(afl_persistent_ret_addr == 0) { - + TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); - TCGv stack_off = tcg_temp_new(); - tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); - tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); - tcg_temp_free(stack_off); - - } + TCGv stack_off = tcg_temp_new(); + tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); + tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); + tcg_temp_free(stack_off); + + } } diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 709abefe..3d34bf71 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -442,7 +442,7 @@ u8 run_cmplog_target(char** argv, u32 timeout) { setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" "msan_track_origins=0", 0); - + setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); if (!qemu_mode) argv[0] = cmplog_binary; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index bac7357e..296fcd98 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -122,9 +122,8 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { while ((rng = pop_biggest_range(&ranges)) != NULL && stage_cur) { u32 s = rng->end - rng->start; - if (s == 0) - goto empty_range; - + if (s == 0) goto empty_range; + memcpy(backup, buf + rng->start, s); rand_replace(buf + rng->start, s); @@ -137,9 +136,11 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); memcpy(buf + rng->start, backup, s); - } else needs_write = 1; + } else + + needs_write = 1; -empty_range: + empty_range: ck_free(rng); --stage_cur; @@ -156,9 +157,9 @@ empty_range: ck_free(rng); } - + // save the input with the high entropy - + if (needs_write) { s32 fd; @@ -169,7 +170,7 @@ empty_range: } else { - unlink(queue_cur->fname); /* ignore errors */ + unlink(queue_cur->fname); /* ignore errors */ fd = open(queue_cur->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); } 
@@ -177,10 +178,10 @@ empty_range: if (fd < 0) PFATAL("Unable to create '%s'", queue_cur->fname); ck_write(fd, buf, len, queue_cur->fname); - queue_cur->len = len; // no-op, just to be 100% safe - + queue_cur->len = len; // no-op, just to be 100% safe + close(fd); - + } return 0; @@ -305,24 +306,27 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx, void try_to_add_to_dict(u64 v, u8 shape) { u8* b = (u8*)&v; - + u32 k; - u8 cons_ff = 0, cons_0 = 0; + u8 cons_ff = 0, cons_0 = 0; for (k = 0; k < shape; ++k) { - if (b[k] == 0) ++cons_0; - else if (b[k] == 0xff) ++cons_0; - else cons_0 = cons_ff = 0; - - if (cons_0 > 1 || cons_ff > 1) - return; + if (b[k] == 0) + ++cons_0; + else if (b[k] == 0xff) + ++cons_0; + else + cons_0 = cons_ff = 0; + + if (cons_0 > 1 || cons_ff > 1) return; } - + maybe_add_auto((u8*)&v, shape); - + u64 rev; switch (shape) { + case 1: break; case 2: rev = SWAP16((u16)v); @@ -336,8 +340,9 @@ void try_to_add_to_dict(u64 v, u8 shape) { rev = SWAP64(v); maybe_add_auto((u8*)&rev, shape); break; + } - + } u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { @@ -380,13 +385,13 @@ u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { break; } - + // If failed, add to dictionary if (fails == 8) { - + try_to_add_to_dict(o->v0, SHAPE_BYTES(h->shape)); try_to_add_to_dict(o->v1, SHAPE_BYTES(h->shape)); - + } cmp_fuzz_next_iter: diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 1b7e5226..d09b4fe6 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -334,9 +334,9 @@ void show_stats(void) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (dumb_mode) { 
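Review bot: In `try_to_add_to_dict` the `0xff` branch increments the wrong counter — `else if (b[k] == 0xff) ++cons_0;` — so `cons_ff` is never incremented, the `cons_ff > 1` test is dead, and a run of 0xff bytes is treated as a run of zeros; the reformat carried this over unchanged. The line should read `++cons_ff;`. Note that the fix changes which values reach `maybe_add_auto`: a mixed pair like `00 ff` is currently rejected (`cons_0` reaches 2) and would be accepted afterwards, which matches the evident intent of tracking the two runs separately, but a one-line comment stating the rule (no two consecutive 0x00 or 0xff filler bytes) would make that intent explicit.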
@@ -413,9 +413,9 @@ void show_stats(void) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", DTD(cur_ms, last_hang_time), tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -443,9 +443,9 @@ void show_stats(void) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); @@ -514,7 +514,7 @@ void show_stats(void) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); -- cgit 1.4.1 From 312732bdbe50e67ad900ae5e4fe7696c7b3f753c Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 8 Feb 2020 18:11:57 +0100 Subject: more portability for (solaris-based OpenIndiana) --- src/afl-showmap.c | 12 ++++++++++++ src/third_party/libradamsa/libradamsa.c | 6 +++++- test/test.sh | 22 +++++++++++----------- 3 files changed, 28 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9c146771..1686a750 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -925,6 +925,9 @@ int main(int argc, char** argv) { struct dirent* dir_ent; int done = 0; u8 infile[4096], outfile[4096]; +#if !defined(DT_REG) + struct stat statbuf; +#endif dev_null_fd = open("/dev/null", O_RDWR); if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); 
@@ -970,9 +973,18 @@ int main(int argc, char** argv) { if (dir_ent->d_name[0] == '.') continue; // skip anything that starts with '.' + +#if defined(DT_REG) /* Posix and Solaris do not know d_type and DT_REG */ if (dir_ent->d_type != DT_REG) continue; // only regular files +#endif snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name); + +#if !defined(DT_REG) /* use stat() */ + if (-1 == stat(infile, &statbuf) + || !S_ISREG(statbuf.st_mode)) continue; +#endif + snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name); if (read_file(infile)) { diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index be3050b1..f3677fa7 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2405,7 +2405,11 @@ static word prim_sys(word op, word a, word b, word c) { EOPNOTSUPP, EOVERFLOW, EOWNERDEAD, EPERM, EPIPE, EPROTO, EPROTONOSUPPORT, EPROTOTYPE, ERANGE, EROFS, ESPIPE, ESRCH, ESTALE, ETIME, ETIMEDOUT, ETXTBSY, EWOULDBLOCK, EXDEV, SEEK_SET, SEEK_CUR, SEEK_END, O_EXEC, O_RDONLY, O_RDWR, - O_SEARCH, O_WRONLY, O_APPEND, O_CLOEXEC, O_CREAT, O_DIRECTORY, O_DSYNC, O_EXCL, + O_SEARCH, O_WRONLY, O_APPEND, O_CLOEXEC, O_CREAT, +#if defined O_DIRECTORY + O_DIRECTORY, +#endif + O_DSYNC, O_EXCL, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_RSYNC, O_SYNC, O_TRUNC, O_TTY_INIT, O_ACCMODE, FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL, F_GETOWN, F_SETOWN, F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, diff --git a/test/test.sh b/test/test.sh index db197cf2..d9374f96 100755 --- a/test/test.sh +++ b/test/test.sh 
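Review bot: The `DT_REG` path skips every entry whose `d_type` is not `DT_REG`, but `d_type` is optional even on platforms that define it — filesystems that do not fill it report `DT_UNKNOWN`, and on those the loop silently processes zero inputs. The `stat()` fallback should also apply when `d_type == DT_UNKNOWN`, which means `statbuf` from the `@@ -925,6 +925,9 @@` hunk needs to be declared unconditionally. A second, smaller inconsistency: `stat()` follows symlinks, so the fallback accepts a symlink to a regular file while the `d_type` path rejects it as `DT_LNK`; `lstat()` would make the two behave alike. `main()` starts and ends outside this hunk.

```c
  snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name);

  /* d_type is optional: some filesystems report DT_UNKNOWN even where
     DT_REG is defined, and some platforms lack d_type entirely. */
#if defined(DT_REG)
  if (dir_ent->d_type != DT_REG && dir_ent->d_type != DT_UNKNOWN) continue;
  if (dir_ent->d_type == DT_UNKNOWN &&
      (stat(infile, &statbuf) == -1 || !S_ISREG(statbuf.st_mode)))
    continue;
#else
  if (stat(infile, &statbuf) == -1 || !S_ISREG(statbuf.st_mode)) continue;
#endif
  // … unchanged: outfile snprintf and read_file() …
```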
@@ -1,18 +1,18 @@ #!/bin/sh # -# Ensure we have: test, type, diff -q, grep -aqE +# Ensure we have: test, type, diff, grep -qE # test -z "" 2> /dev/null || { echo Error: test command not found ; exit 1 ; } GREP=`type grep > /dev/null 2>&1 && echo OK` test "$GREP" = OK || { echo Error: grep command not found ; exit 1 ; } -echo foobar | grep -aqE 'asd|oob' 2> /dev/null || { echo Error: grep command does not support -q, -a and/or -E option ; exit 1 ; } +echo foobar | grep -qE 'asd|oob' 2> /dev/null || { echo Error: grep command does not support -q and/or -E option ; exit 1 ; } echo 1 > test.1 echo 1 > test.2 OK=OK -diff -q test.1 test.2 >/dev/null 2>&1 || OK= +diff test.1 test.2 >/dev/null 2>&1 || OK= rm -f test.1 test.2 -test -z "$OK" && { echo Error: diff -q is not working ; exit 1 ; } +test -z "$OK" && { echo Error: diff is not working ; exit 1 ; } test -z "$LLVM_CONFIG" && LLVM_CONFIG=llvm-config @@ -21,7 +21,7 @@ $ECHO \\101 2>&1 | grep -qE '^A' || { ECHO= test -e /bin/printf && { ECHO="/bin/printf %b\\n" - $ECHO '\\101' 2>&1 | grep -qE '^A' || ECHO= + $ECHO "\\101" 2>&1 | grep -qE '^A' || ECHO= } } test -z "$ECHO" && { printf Error: printf command does not support octal character codes ; exit 1 ; } @@ -84,7 +84,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 test -e test-instr.plain.0 -a -e test-instr.plain.1 && { - diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { + diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not" CODE=1 } || { 
@@ -111,7 +111,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc CODE=1 } test -e test-compcov.harden && { - grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { + grep -Eq 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] ${AFL_GCC} hardened mode succeeded and is working" } || { $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened" @@ -203,7 +203,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 test -e test-instr.plain.0 -a -e test-instr.plain.1 && { - diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { + diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not" CODE=1 } || { @@ -226,7 +226,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } test -e test-compcov.harden && { - grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { + grep -Eq 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] llvm_mode hardened mode succeeded and is working" } || { $ECHO "$RED[!] llvm_mode hardened mode is not hardened" 
@@ -366,7 +366,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain.gccpi > /dev/null 2>&1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain.gccpi < /dev/null > /dev/null 2>&1 test -e test-instr.plain.0 -a -e test-instr.plain.1 && { - diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { + diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" CODE=1 } || { @@ -391,7 +391,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { } test -e test-compcov.harden.gccpi && { - grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden.gccpi > /dev/null 2>&1 && { + grep -Eq 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden.gccpi > /dev/null 2>&1 && { $ECHO "$GREEN[+] gcc_plugin hardened mode succeeded and is working" } || { $ECHO "$RED[!] gcc_plugin hardened mode is not hardened" -- cgit 1.4.1 From e2ef2428986f45add509a6402de76678ca75b5da Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 9 Feb 2020 09:43:33 +0100 Subject: fuzzer_stat eps is now overall not current, clang-format fixed to v8 --- .custom-format.py | 32 ++++---- docs/Changelog.md | 2 + docs/status_screen.md | 2 +- libdislocator/libdislocator.so.c | 3 +- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 50 ++++++------ src/afl-fuzz-stats.c | 103 +++++++++++++------------ src/afl-showmap.c | 9 +-- 7 files changed, 104 insertions(+), 97 deletions(-) (limited to 'src') diff --git a/.custom-format.py b/.custom-format.py index f493a2d9..e3779b68 100755 --- a/.custom-format.py +++ b/.custom-format.py 
@@ -29,27 +29,29 @@ CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN") if CLANG_FORMAT_BIN is None: o = 0 try: - p = subprocess.Popen(["clang-format", "--version"], stdout=subprocess.PIPE) + p = subprocess.Popen(["clang-format-8", "--version"], stdout=subprocess.PIPE) o, _ = p.communicate() o = str(o, "utf-8") o = o[len("clang-format version "):].strip() o = o[:o.find(".")] o = int(o) - except: pass - if o < 7: - if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0: - CLANG_FORMAT_BIN = 'clang-format-7' - elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0: - CLANG_FORMAT_BIN = 'clang-format-8' - elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0: - CLANG_FORMAT_BIN = 'clang-format-9' - elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0: - CLANG_FORMAT_BIN = 'clang-format-10' - else: - print ("clang-format 7 or above is needed. Aborted.") - exit(1) + except: + print ("clang-format-8 is needed. Aborted.") + exit(1) + #if o < 7: + # if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0: + # CLANG_FORMAT_BIN = 'clang-format-7' + # elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0: + # CLANG_FORMAT_BIN = 'clang-format-8' + # elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0: + # CLANG_FORMAT_BIN = 'clang-format-9' + # elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0: + # CLANG_FORMAT_BIN = 'clang-format-10' + # else: + # print ("clang-format 7 or above is needed. Aborted.") + # exit(1) else: - CLANG_FORMAT_BIN = 'clang-format' + CLANG_FORMAT_BIN = 'clang-format-8' COLUMN_LIMIT = 80 for line in fmt.split("\n"): diff --git a/docs/Changelog.md b/docs/Changelog.md index 8b56603f..751b051a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
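Review bot: With the `if o < 7:` block commented out, the surviving `else:` is now the `else` clause of the `try` (it runs only when no exception was raised), which happens to work but reads as an orphaned branch; setting `CLANG_FORMAT_BIN = 'clang-format-8'` directly after the `try`/`except`, and deleting the commented-out block rather than keeping it as dead text, would make the flow obvious. The version parsing into `o` is now computed and never used, so either drop it or keep the `o < 8` check it was written for. The bare `except:` hides the actual failure; `except (OSError, ValueError):` covers the missing-binary and unparsable-version cases and lets anything else surface.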
@@ -19,6 +19,8 @@ sending a mail to . - CmpLog forkserver - Redqueen input-2-state mutator (cmp instructions only ATM) - all Python 2+3 versions supported now + - changed execs_per_sec in fuzzer_stats from "current" execs per second + (which is pointless) to total execs per second - afl-clang-fast: - show in the help output for which llvm version it was compiled for - now does not need to be recompiled between trace-pc and pass diff --git a/docs/status_screen.md b/docs/status_screen.md index 1ea98415..066c2c07 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -377,7 +377,7 @@ directory. This includes: - `fuzzer_pid` - PID of the fuzzer process - `cycles_done` - queue cycles completed so far - `execs_done` - number of execve() calls attempted - - `execs_per_sec` - current number of execs per second + - `execs_per_sec` - overall number of execs per second - `paths_total` - total number of entries in the queue - `paths_found` - number of entries discovered through local fuzzing - `paths_imported` - number of entries imported from other instances diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index bb767495..a0795c87 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -68,7 +68,8 @@ #include "config.h" #include "types.h" -#if __STDC_VERSION__ < 201112L || (defined(__FreeBSD__) && __FreeBSD_version < 1200000) +#if __STDC_VERSION__ < 201112L || \ + (defined(__FreeBSD__) && __FreeBSD_version < 1200000) // use this hack if not C11 typedef struct { diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 2b9472b8..6f526d92 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h 
@@ -67,7 +67,7 @@ static void afl_compcov_log_64(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { register uintptr_t idx = cur_loc; - + if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) { INC_AFL_AREA(idx + 6); @@ -299,7 +299,6 @@ static void gpr_saving(TCGv *cpu_regs, int regs_num) { } - static void restore_state_for_persistent(TCGv *cpu_regs, int regs_num, int sp) { if (persistent_save_gpr) { @@ -349,29 +348,29 @@ static void restore_state_for_persistent(TCGv *cpu_regs, int regs_num, int sp) { // SP = 13, LINK = 14 -#define AFL_QEMU_TARGET_ARM_SNIPPET \ - if (is_persistent) { \ - \ - if (dc->pc == afl_persistent_addr) { \ - \ - if (persistent_save_gpr) gpr_saving(cpu_R, AFL_REGS_NUM); \ - \ - if (afl_persistent_ret_addr == 0) { \ - \ - TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \ - tcg_gen_mov_i32(cpu_R[14], paddr); \ - tcg_temp_free_ptr(paddr); \ - \ - } \ - \ - if (!persistent_save_gpr) tcg_gen_afl_call0(&afl_persistent_loop); \ - \ - } else if (afl_persistent_ret_addr && dc->pc == afl_persistent_ret_addr) {\ - \ - gen_bx_im(dc, afl_persistent_addr); \ - \ - } \ - \ +#define AFL_QEMU_TARGET_ARM_SNIPPET \ + if (is_persistent) { \ + \ + if (dc->pc == afl_persistent_addr) { \ + \ + if (persistent_save_gpr) gpr_saving(cpu_R, AFL_REGS_NUM); \ + \ + if (afl_persistent_ret_addr == 0) { \ + \ + TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \ + tcg_gen_mov_i32(cpu_R[14], paddr); \ + tcg_temp_free_ptr(paddr); \ + \ + } \ + \ + if (!persistent_save_gpr) tcg_gen_afl_call0(&afl_persistent_loop); \ + \ + } else if (afl_persistent_ret_addr && dc->pc == afl_persistent_ret_addr) { \ + \ + gen_bx_im(dc, afl_persistent_addr); \ + \ + } \ + \ } // SP = 31, LINK = 30 @@ -400,3 +399,4 @@ static void restore_state_for_persistent(TCGv *cpu_regs, int regs_num, int sp) { } \ \ } + diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d09b4fe6..344e0abf 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -65,59 +65,62 @@ void write_stats_file(double bitmap_cvg, double stability, double eps) { if (getrusage(RUSAGE_CHILDREN, &rus)) rus.ru_maxrss = 0; - fprintf(f, - "start_time : %llu\n" - "last_update : %llu\n" - "fuzzer_pid : %d\n" - "cycles_done : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" - "slowest_exec_ms : %llu\n" - "peak_rss_mb : %lu\n" - "afl_banner : %s\n" - "afl_version : " VERSION - "\n" - "target_mode : %s%s%s%s%s%s%s%s\n" - "command_line : %s\n", - start_time / 1000, get_cur_time() / 1000, getpid(), - queue_cycle ? 
(queue_cycle - 1) : 0, total_execs, eps, queued_paths, - queued_favored, queued_discovered, queued_imported, max_depth, - current_entry, pending_favored, pending_not_fuzzed, queued_variable, - stability, bitmap_cvg, unique_crashes, unique_hangs, - last_path_time / 1000, last_crash_time / 1000, last_hang_time / 1000, - total_execs - last_crash_execs, exec_tmout, slowest_exec_ms, + fprintf( + f, + "start_time : %llu\n" + "last_update : %llu\n" + "fuzzer_pid : %d\n" + "cycles_done : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + // "real_execs_per_sec: %0.02f\n" // damn the name is too long + "paths_total : %u\n" + "paths_favored : %u\n" + "paths_found : %u\n" + "paths_imported : %u\n" + "max_depth : %u\n" + "cur_path : %u\n" /* Must match find_start_position() */ + "pending_favs : %u\n" + "pending_total : %u\n" + "variable_paths : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" + "slowest_exec_ms : %llu\n" + "peak_rss_mb : %lu\n" + "afl_banner : %s\n" + "afl_version : " VERSION + "\n" + "target_mode : %s%s%s%s%s%s%s%s\n" + "command_line : %s\n", + start_time / 1000, get_cur_time() / 1000, getpid(), + queue_cycle ? 
(queue_cycle - 1) : 0, total_execs, + /*eps,*/ total_execs / ((double)(get_cur_time() - start_time) / 1000), + queued_paths, queued_favored, queued_discovered, queued_imported, + max_depth, current_entry, pending_favored, pending_not_fuzzed, + queued_variable, stability, bitmap_cvg, unique_crashes, unique_hangs, + last_path_time / 1000, last_crash_time / 1000, last_hang_time / 1000, + total_execs - last_crash_execs, exec_tmout, slowest_exec_ms, #ifdef __APPLE__ - (unsigned long int)(rus.ru_maxrss >> 20), + (unsigned long int)(rus.ru_maxrss >> 20), #else - (unsigned long int)(rus.ru_maxrss >> 10), + (unsigned long int)(rus.ru_maxrss >> 10), #endif - use_banner, unicorn_mode ? "unicorn" : "", qemu_mode ? "qemu " : "", - dumb_mode ? " dumb " : "", no_forkserver ? "no_forksrv " : "", - crash_mode ? "crash " : "", persistent_mode ? "persistent " : "", - deferred_mode ? "deferred " : "", - (unicorn_mode || qemu_mode || dumb_mode || no_forkserver || - crash_mode || persistent_mode || deferred_mode) - ? "" - : "default", - orig_cmdline); + use_banner, unicorn_mode ? "unicorn" : "", qemu_mode ? "qemu " : "", + dumb_mode ? " dumb " : "", no_forkserver ? "no_forksrv " : "", + crash_mode ? "crash " : "", persistent_mode ? "persistent " : "", + deferred_mode ? "deferred " : "", + (unicorn_mode || qemu_mode || dumb_mode || no_forkserver || crash_mode || + persistent_mode || deferred_mode) + ? "" + : "default", + orig_cmdline); /* ignore errors */ fclose(f); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 1686a750..1fd425a2 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -926,7 +926,7 @@ int main(int argc, char** argv) { int done = 0; u8 infile[4096], outfile[4096]; #if !defined(DT_REG) - struct stat statbuf; + struct stat statbuf; #endif dev_null_fd = open("/dev/null", O_RDWR); 
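Review bot: The new `execs_per_sec` expression `total_execs / ((double)(get_cur_time() - start_time) / 1000)` has no guard for an elapsed time of zero, so a call in the same millisecond as `start_time` divides by 0.0 and writes `inf` (or `nan` when `total_execs` is also 0) into fuzzer_stats, which will trip anything that parses that field numerically. Computing the elapsed time once also removes the second `get_cur_time()` call in the same argument list, so `last_update` and the rate are taken from the same instant: `u64 elapsed_ms = get_cur_time() - start_time;` before the `fprintf`, then pass `elapsed_ms / 1000` for `last_update`'s absolute time and `elapsed_ms ? total_execs / (elapsed_ms / 1000.0) : 0.0` in place of the division. The leftover `// "real_execs_per_sec: ..."` and `/*eps,*/` fragments should be deleted rather than committed, and since `eps` is no longer used inside the hunk the parameter in `write_stats_file(double bitmap_cvg, double stability, double eps)` is presumably dead now (its callers are outside this diff). `write_stats_file` begins before the hunk and continues after `fclose(f)`.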
@@ -974,15 +974,14 @@ int main(int argc, char** argv) { if (dir_ent->d_name[0] == '.') continue; // skip anything that starts with '.' -#if defined(DT_REG) /* Posix and Solaris do not know d_type and DT_REG */ +#if defined(DT_REG) /* Posix and Solaris do not know d_type and DT_REG */ if (dir_ent->d_type != DT_REG) continue; // only regular files #endif snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name); -#if !defined(DT_REG) /* use stat() */ - if (-1 == stat(infile, &statbuf) - || !S_ISREG(statbuf.st_mode)) continue; +#if !defined(DT_REG) /* use stat() */ + if (-1 == stat(infile, &statbuf) || !S_ISREG(statbuf.st_mode)) continue; #endif snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name); -- cgit 1.4.1