From 3261e86a3a5f5d2078a88b955f2a61cea99d7ed6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 7 Apr 2022 09:43:51 +0200 Subject: save timeouts --- src/afl-fuzz-bitmap.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index e4124bf5..cdcc1d4a 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { + u8 is_timeout = 0; + + if (new_bits & 0xf0) { + + new_bits -= 0x80; + is_timeout = 1; + + } + size_t real_max_len = MIN(max_description_len, sizeof(afl->describe_op_buf_256)); u8 *ret = afl->describe_op_buf_256; @@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { ret[len_current] = '\0'; ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2; + if (is_timeout) { size_left -= strlen(",+tout"); } if (unlikely(size_left <= 0)) FATAL("filename got too long"); const char *custom_description = @@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) { } + if (is_timeout) { strcat(ret, ",+tout"); } + if (new_bits == 2) { strcat(ret, ",+cov"); } if (unlikely(strlen(ret) >= max_description_len)) @@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 fn[PATH_MAX]; u8 *queue_fn = ""; - u8 new_bits = 0, keeping = 0, res, classified = 0; + u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0; s32 fd; u64 cksum = 0; 
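Review bot: The added prologue of describe_op tests `new_bits & 0xf0` but then subtracts only `0x80`, so a value with any other high bit set would be flagged as a timeout and leave garbage in new_bits; the test and the strip should name the same bit, `if (new_bits & 0x80) { new_bits &= 0x7f; is_timeout = 1; }`. The flag-in-the-high-bit encoding is undocumented at the one place that decodes it; a comment above that `if`, `/* bit 7 of new_bits marks a timeout queue entry (set by save_if_interesting); the low bits carry the coverage result */`, would spare the next reader a trip to the caller. The literal 0x80 recurs in the `@@ -597` hunk on the next line, so one named constant shared by both sites would be better than two magic numbers. describe_op's body continues past the hunk.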
@@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { classified = new_bits; + save_to_queue: + #ifndef SIMPLE_FILES - queue_fn = alloc_printf( - "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, - describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); + queue_fn = + alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, + describe_op(afl, new_bits + is_timeout, + NAME_MAX - strlen("id:000000,"))); #else @@ -597,6 +612,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } ++afl->saved_tmouts; + is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -647,7 +663,11 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; } + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + + goto save_to_queue; + + } } -- cgit 1.4.1 From 891f4d3c8e58ed06b0131673f9c58606f5d99978 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 09:31:39 +0200 Subject: correct counting for tmouts --- src/afl-fuzz-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index cdcc1d4a..0f6f0778 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -611,7 +611,6 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - ++afl->saved_tmouts; is_timeout = 0x80; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -665,6 +664,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { + ++afl->saved_tmouts; goto save_to_queue; } -- cgit 1.4.1 From e9288bcfad6e350b6f3e85d45a42bae5aea480c1 Mon Sep 17 00:00:00 2001 
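Review bot: `new_bits + is_timeout` combines a coverage result and a 0x80 flag by arithmetic addition; since the flag is a bit, `new_bits | is_timeout` states the intent and cannot carry into the flag if new_bits ever grows. The backward `goto save_to_queue` from the timeout case lands inside this earlier block, which is legal here but surprising; a comment at the label, `/* also entered from the FSRV_RUN_TMOUT case below, for inputs whose re-run did not time out */`, would help. On that path new_bits is presumably still the 0 it was initialised with, so the entry is named `+tout` without `+cov`; if that is intended, say so in the same comment. save_if_interesting starts and ends outside this hunk.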
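Review bot: The new `goto save_to_queue` is taken when `afl->stop_soon` is set as well as when the re-run did not time out, whereas the replaced `return keeping;` bailed out in both cases, so an input whose re-run was interrupted by shutdown is now written to the queue as a timeout entry. If only the second case is meant to be kept, split the condition: `if (afl->stop_soon) { return keeping; }` followed by `if (new_fault != FSRV_RUN_TMOUT) { goto save_to_queue; }`. The same shape is kept by the `@@ -665` hunk of the next commit and the `@@ -664` hunk of the AFL_KEEP_TIMEOUTS commit, where `++afl->saved_tmouts` would then also be counted on the shutdown path. The enclosing function and the surrounding `if` block start outside the hunk.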
From: vanhauser-thc Date: Fri, 8 Apr 2022 22:44:10 +0200 Subject: add AFL_KEEP_TIMEOUTS --- docs/Changelog.md | 3 +++ docs/env_variables.md | 3 +++ include/afl-fuzz.h | 2 +- include/envs.h | 1 + src/afl-fuzz-bitmap.c | 12 ++++++++++-- src/afl-fuzz-state.c | 7 +++++++ 6 files changed, 25 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 2406e7ba..689cc94b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -23,6 +23,9 @@ sending a mail to . - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - "saved timeouts" was wrong information, timeouts are still thrown + away by default even if they have new coverage (hangs are always + kept), unless AFL_KEEP_TIMEOUTS are set - document and auto-activate pizza mode on condition - afl-cc: - converted all passed to use the new llvm pass manager for llvm 11+ diff --git a/docs/env_variables.md b/docs/env_variables.md index 9ffb08e7..fe9c6e07 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! + - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach + new coverage + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which does not allow crashes or timeout seeds in the initial -i corpus. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4f4d63b2..8bb61e22 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h 
@@ -385,7 +385,7 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, - afl_pizza_mode; + afl_keep_timeouts, afl_pizza_mode; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/envs.h b/include/envs.h index 1746f946..25b792fa 100644 --- a/include/envs.h +++ b/include/envs.h @@ -106,6 +106,7 @@ static char *afl_environment_variables[] = { "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO", + "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0f6f0778..7c2b35d6 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -664,8 +664,16 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { - ++afl->saved_tmouts; - goto save_to_queue; + if (afl->afl_env.afl_keep_timeouts) { + + ++afl->saved_tmouts; + goto save_to_queue; + + } else { + + return keeping; + + } } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 5924dd7b..47e39762 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_hang_tmout = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_keep_timeouts = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", afl_environment_variable_len)) { -- cgit 1.4.1 From b1da7500b2ef915887322d4a1903fe981d49acb5 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Mon, 18 Apr 2022 13:06:13 +0200 Subject: fix msg --- instrumentation/cmplog-instructions-pass.cc | 79 +++++++++++++++++++++++++++-- instrumentation/cmplog-routines-pass.cc | 2 + src/afl-fuzz.c | 2 +- 3 files changed, 79 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 4d37bcb2..e21289b4 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -32,9 +32,15 @@ #include "llvm/Support/Debug.h" #include "llvm/Support/raw_ostream.h" #if LLVM_MAJOR >= 11 + #include "llvm/Pass.h" + #include "llvm/InitializePasses.h" #include "llvm/Passes/PassPlugin.h" #include "llvm/Passes/PassBuilder.h" #include "llvm/IR/PassManager.h" + #include "llvm/Analysis/EHPersonalities.h" + #include "llvm/Analysis/PostDominators.h" + #include "llvm/Analysis/LoopInfo.h" + #include "llvm/Analysis/LoopPass.h" #else #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" @@ -64,7 +70,10 @@ using namespace llvm; namespace { +using LoopInfoCallback = function_ref; + #if LLVM_MAJOR >= 11 /* use new pass manager */ + class CmpLogInstructions : public PassInfoMixin { public: @@ -88,6 +97,7 @@ class CmpLogInstructions : public ModulePass { #endif #if LLVM_MAJOR >= 11 /* use new pass manager */ + PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM); #else bool runOnModule(Module &M) override; @@ -106,7 +116,8 @@ class CmpLogInstructions : public ModulePass { #endif private: - bool hookInstrs(Module &M); + bool hookInstrs(Module &M, LoopInfoCallback LCallback); + unsigned int instrumented = 0; }; @@ -153,7 +164,7 @@ Iterator Unique(Iterator first, Iterator last) { } -bool CmpLogInstructions::hookInstrs(Module &M) { +bool CmpLogInstructions::hookInstrs(Module &M, LoopInfoCallback LCallback) { std::vector icomps; LLVMContext & C = M.getContext(); 
@@ -290,14 +301,62 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (!isInInstrumentList(&F, MNAME)) continue; + std::vector lcomps; + const LoopInfo * LI = LCallback(F); +#if 0 + for (LoopInfo::iterator I = LI->begin(), E = LI->end(); I != E; ++I) { + Loop * L = *I; + BasicBlock *In, *Out; + bool ok = false ; L->getIncomingAndBackEdge(In, Out); + if (ok) { + + BasicBlock *decisionBB = In->getSingleSuccessor(); + + if (decisionBB) { + + /* + std::string errMsg1; + raw_string_ostream os1(errMsg1); + In->print(os1); + fprintf(stderr, "In: %s\n", os1.str().c_str()); + std::string errMsg2; + raw_string_ostream os2(errMsg2); + Out->print(os2); + fprintf(stderr, "Out: %s\n", os2.str().c_str()); + std::string errMsg3; + raw_string_ostream os3(errMsg3); + decisionBB->print(os3); + fprintf(stderr, "Dec: %s\n", os3.str().c_str()); + */ + lcomps.push_back(decisionBB); + + } + + } + } +#endif + + + // fprintf(stderr, "Loops in %s: %zu\n", F.getName().str().c_str(), + // lcomps.size()); + for (auto &BB : F) { + if (std::find(lcomps.begin(), lcomps.end(), &BB) != lcomps.end()) { + + fprintf(stderr, "skipping: %p %s\n", &BB, BB.getName().str().c_str()); + + continue; + + } + for (auto &IN : BB) { CmpInst *selectcmpInst = nullptr; if ((selectcmpInst = dyn_cast(&IN))) { icomps.push_back(selectcmpInst); + fprintf(stderr, "Found icomp %p in %p\n", selectcmpInst, &BB); } @@ -644,6 +703,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { break; } + + ++instrumented; } @@ -657,6 +718,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } } + + fprintf(stderr, "instrumented: %u (%zu)\n", instrumented, icomps.size()); if (icomps.size()) return true; 
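Review bot: The `fprintf(stderr, "Found icomp %p in %p\n", ...)` added inside the instruction loop, together with the `"skipping: %p %s\n"` print, runs unconditionally, so every compare instruction in every compiled module writes a line to the build's stderr even when the pass is quiet (`be_quiet` is set in the `@@ -678` hunk on the next line). Gate it, `if (!be_quiet) fprintf(...)`, or drop it before merging; the same applies to the `"instrumented: %u (%zu)\n"` print in the `@@ -657` hunk below and the two `"done ..."` prints on the next line. The loop-skipping machinery is dead as committed: everything that fills `lcomps` sits under `#if 0`, and even there `ok` is initialised to false while the return value of `getIncomingAndBackEdge` is discarded, so `decisionBB` would never be collected; meanwhile `LCallback(F)` still requests LoopInfo for every function. Either finish the feature or leave the callback out until it is consumed. hookInstrs starts and ends outside the hunk.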
@@ -678,9 +741,19 @@ bool CmpLogInstructions::runOnModule(Module &M) { printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n"); else be_quiet = 1; - hookInstrs(M); + + auto &FAM = MAM.getResult(M).getManager(); + auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * { + + return &FAM.getResult(F); + + }; + + hookInstrs(M, LoopCallback); verifyModule(M); + fprintf(stderr, "done cmplog-instructions-pass\n"); + #if LLVM_MAJOR >= 11 /* use new pass manager */ return PreservedAnalyses::all(); #else diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 8205cfb0..708a94bc 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -761,6 +761,8 @@ bool CmpLogRoutines::runOnModule(Module &M) { #endif verifyModule(M); + fprintf(stderr, "done cmplog-routines-pass\n"); + #if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */ return PA; #else diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92243fbb..c5ab364a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1650,7 +1650,7 @@ int main(int argc, char **argv_orig, char **envp) { } - OKF("Generating fuzz data with a a length of min=%u max=%u", afl->min_length, + OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length, afl->max_length); u32 min_alloc = MAX(64U, afl->min_length); afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc); -- cgit 1.4.1 From 630eb943a539dd423d005466520d06e8420fa6ba Mon Sep 17 00:00:00 2001 From: Jesse Schwartzentruber Date: Wed, 20 Apr 2022 15:38:37 -0400 Subject: use passthrough mode for wasm --- src/afl-cc.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index ffdda386..a383dd4e 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c 
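Review bot: `MAM` and `FAM` are used in a body whose hunk header names the legacy `runOnModule(Module &M)`; if, as the trailing `#if LLVM_MAJOR >= 11 ... #else` suggests, this body is shared between the new-pass-manager `run()` and the legacy entry point, the LLVM < 11 build now fails because `MAM` is only a parameter of `run()`. The callback construction should be split per pass manager; the legacy side can build the same callback from `getAnalysis<LoopInfoWrapperPass>(F).getLoopInfo()`, which additionally requires `getAnalysisUsage` to add `AU.addRequired<LoopInfoWrapperPass>()`. Since the loop information is not consumed yet (its only consumer is under `#if 0`), the simplest fix is to not request it at all. The `fprintf(stderr, "done cmplog-instructions-pass\n")` is unconditional and belongs behind `!be_quiet` like the banner above it. The function starts outside the hunk.
```cpp
#if LLVM_MAJOR >= 11 /* use new pass manager */
  auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
  auto LoopCallback = [&FAM](Function &F) -> const LoopInfo * {
    return &FAM.getResult<LoopAnalysis>(F);
  };
#else
  auto LoopCallback = [this](Function &F) -> const LoopInfo * {
    return &getAnalysis<LoopInfoWrapperPass>(F).getLoopInfo();
  };
#endif
  hookInstrs(M, LoopCallback);
  // … unchanged: verifyModule and the per-pass-manager return …
```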
@@ -58,6 +58,7 @@ static u8 debug; static u8 cwd[4096]; static u8 cmplog_mode; u8 use_stdin; /* dummy */ +static int passthrough; // static u8 *march_opt = CFLAGS_OPT; enum { @@ -315,7 +316,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0, shared_linking = 0, preprocessor_only = 0, have_unroll = 0, have_o = 0, have_pic = 0, - have_c = 0, partial_linking = 0, wasm_linking = 0; + have_c = 0, partial_linking = 0; cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); @@ -826,7 +827,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; - if (!strcmp(cur, "--target=wasm32-wasi")) wasm_linking = 1; + if (!strcmp(cur, "--target=wasm32-wasi")) passthrough = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; @@ -845,7 +846,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then its ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && !wasm_linking && strlen(libdir) && + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; @@ -1093,7 +1094,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { switch (bit_mode) { case 0: - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt.o", obj_path); if (lto_mode) 
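Review bot: `static int passthrough;` is new file-scope mutable state that edit_params() sets as a side effect (the `--target=wasm32-wasi` line in the `@@ -826` hunk) and that main() presumably reads after the call, now that its own local of that name is gone (`@@ -1179` hunk on the next line); that contract is invisible at the declaration, so a comment such as `/* set by edit_params() when the target is wasm32-wasi; main() then skips instrumentation and hands the command line to the real compiler */`, worded to match what main actually does, would help. The detection is an exact match on one spelling: `-target wasm32-wasi` as two arguments, or any other wasm triple, will not set it, and with the `!wasm_linking` guards removed in the `@@ -1093`, `@@ -1102`, `@@ -1123` and `@@ -1146` hunks such builds now get the native afl-compiler-rt objects and the dynamic list linked in where they were previously skipped. Matching the prefix, `if (!strncmp(cur, "--target=wasm", 13)) passthrough = 1;`, and also checking the argument following a bare `-target` would close that gap. edit_params starts and ends outside the hunk.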
@@ -1102,7 +1103,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 32: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-32.o", obj_path); @@ -1123,7 +1124,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { break; case 64: - if (!shared_linking && !partial_linking && !wasm_linking) { + if (!shared_linking && !partial_linking) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-compiler-rt-64.o", obj_path); @@ -1146,7 +1147,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } #if !defined(__APPLE__) && !defined(__sun) - if (!shared_linking && !partial_linking && !wasm_linking) + if (!shared_linking && !partial_linking) cc_params[cc_par_cnt++] = alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif @@ -1179,7 +1180,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { int main(int argc, char **argv, char **envp) { - int i, passthrough = 0; + int i; char *callname = argv[0], *ptr = NULL; if (getenv("AFL_DEBUG")) { -- cgit 1.4.1 From f53e6a6cf2ed621ab1ca0eec271d75405e906ba5 Mon Sep 17 00:00:00 2001 From: Jesse Schwartzentruber Date: Wed, 20 Apr 2022 15:39:28 -0400 Subject: fix instrumentation for -Werror,-Wunused-but-set-variable `used` is so it isn't optimized out. `unused` is to avoid the warning. --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index a383dd4e..e8643bf8 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1035,7 +1035,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" - "({ static volatile char *_B __attribute__((used)); " + "({ static volatile char *_B __attribute__((used,unused)); " " _B = (char*)\"" PERSIST_SIG "\"; " #ifdef __APPLE__ 
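Review bot: The `used,unused` attribute pair on `_B` (and on `_A` in the `@@ -1049` hunk on the next line) reads like a contradiction, and the reasoning lives only in the commit message. A comment above the `cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)="` line, `/* used: keep the PERSIST_SIG marker string in the binary; unused: silence -Wunused-but-set-variable under -Werror */`, keeps the intent next to the code, with the matching DEFER_SIG wording at the second site. edit_params starts and ends outside the hunk.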
@@ -1049,7 +1049,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-D__AFL_INIT()=" - "do { static volatile char *_A __attribute__((used)); " + "do { static volatile char *_A __attribute__((used,unused)); " " _A = (char*)\"" DEFER_SIG "\"; " #ifdef __APPLE__ -- cgit 1.4.1 From ee409d18a6678c3f5948f51db8964148cae021dc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 25 Apr 2022 10:14:04 +0200 Subject: code format --- src/afl-cc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-cc.c b/src/afl-cc.c index e8643bf8..2667ae28 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -846,8 +846,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then its ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (plusplus_mode && strlen(libdir) && - strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { + if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && + strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; cc_params[cc_par_cnt++] = libdir; -- cgit 1.4.1