From fc7c95e9f4d26ea3ab13543d166ed0dc4d0b81a3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 12 Sep 2024 10:24:05 +0200 Subject: nits --- src/afl-fuzz-init.c | 29 ++++++++++++++--------------- src/afl-fuzz.c | 2 +- 2 files changed, 15 insertions(+), 16 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index d3085d42..72a765ff 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2443,21 +2443,20 @@ void check_crash_handling(void) { if (read(fd, &fchar, 1) == 1 && fchar == '|') { - SAYF( - "\n" cLRD "[-] " cRST - "Your system is configured to send core dump notifications to an\n" - " external utility. This will cause issues: there will be an " - "extended delay\n" - " between stumbling upon a crash and having this information " - "relayed to the\n" - " fuzzer via the standard waitpid() API.\n" - " If you're just experimenting, set " - "'AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1'.\n\n" - - " To avoid having crashes misinterpreted as timeouts, please \n" - " temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" - - " echo core | sudo tee /proc/sys/kernel/core_pattern\n"); + SAYF("\n" cLRD "[-] " cRST + "Your system is configured to send core dump notifications to an\n" + " external utility. This will cause issues: there will be an " + "extended delay\n" + " between stumbling upon a crash and having this information " + "relayed to the\n" + " fuzzer via the standard waitpid() API.\n" + " If you're just experimenting, set " + "'AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1'.\n\n" + + " To avoid having crashes misinterpreted as timeouts, please \n" + " temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" + + " echo core | sudo tee /proc/sys/kernel/core_pattern\n"); if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 726a2260..5ab8d7e9 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -1505,7 +1505,7 @@ int main(int argc, char **argv_orig, char **envp) { #ifdef __linux__ if (afl->fsrv.nyx_mode) { - OKF("AFL++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)"); + OKF("AFL++ Nyx mode is enabled (developed and maintained by Sergej Schumilo)"); OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz"); } -- cgit 1.4.1 From 1d6cd5dd199e0c745aaca05b465286bf63d5ebc2 Mon Sep 17 00:00:00 2001 From: Sergej Schumilo Date: Sat, 14 Sep 2024 03:51:20 +0200 Subject: fix AFL_AUTORESUME=1 for Nyx mode --- include/forkserver.h | 11 ++++++++++- nyx_mode/LIBNYX_VERSION | 2 +- nyx_mode/PACKER_VERSION | 2 +- nyx_mode/libnyx | 2 +- nyx_mode/packer | 2 +- src/afl-forkserver.c | 16 ++++++++++++++++ src/afl-fuzz-stats.c | 11 +++++++++++ src/afl-fuzz.c | 17 ++++++++++++++++- 8 files changed, 57 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index 6c649528..db1832c4 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -89,11 +89,14 @@ typedef struct { bool (*nyx_config_set_aux_buffer_size)(void *config, uint32_t aux_buffer_size); + uint64_t (*nyx_get_target_hash64)(void *config); + + void (*nyx_config_free)(void *config); + } nyx_plugin_handler_t; /* Imports helper functions to enable Nyx mode (Linux only )*/ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary); - #endif typedef struct afl_forkserver { @@ -204,6 +207,7 @@ typedef struct afl_forkserver { bool nyx_use_tmp_workdir; char *nyx_tmp_workdir_path; s32 nyx_log_fd; + u64 nyx_target_hash64; #endif #ifdef __AFL_CODE_COVERAGE @@ -241,6 +245,11 @@ void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); void afl_fsrv_kill(afl_forkserver_t *fsrv); +#ifdef __linux__ +void nyx_load_target_hash(afl_forkserver_t *fsrv); +#endif + + #ifdef __APPLE__ #define MSG_FORK_ON_APPLE \ " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ 
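Review bot: The new `nyx_load_target_hash` prototype in the third forkserver.h hunk carries no comment, while the neighbouring `afl_load_libnyx_plugin` declaration explains what it does, so a reader of the header cannot tell what the function fills in or when it may be called. Suggest placing above it `/* Nyx mode only: loads the Nyx config for fsrv->target_path and stores its hash in fsrv->nyx_target_hash64 */`. The two function pointers added in the first hunk would likewise benefit from a short note that `nyx_config_free` releases what `nyx_config_load` returns, if that is their contract.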
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION index 9aae19be..5f7c9a5b 100644 --- a/nyx_mode/LIBNYX_VERSION +++ b/nyx_mode/LIBNYX_VERSION @@ -1 +1 @@ -6833d23 +ea6ceb9 \ No newline at end of file diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION index cc20a3b6..0b9e5d4e 100644 --- a/nyx_mode/PACKER_VERSION +++ b/nyx_mode/PACKER_VERSION @@ -1 +1 @@ -bcf3e24 +6067e5c diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx index 6833d236..ea6ceb99 160000 --- a/nyx_mode/libnyx +++ b/nyx_mode/libnyx @@ -1 +1 @@ -Subproject commit 6833d236dfe785a8a23d8c8d79e74c99fa635004 +Subproject commit ea6ceb994ab975b81aea0daaf64b92a3066c1e8d diff --git a/nyx_mode/packer b/nyx_mode/packer index bcf3e248..6067e5c0 160000 --- a/nyx_mode/packer +++ b/nyx_mode/packer @@ -1 +1 @@ -Subproject commit bcf3e248b660764f48af54232a3388389a2dfc22 +Subproject commit 6067e5c0ffb3e9aec35aa3aef29b3e390dd313bd diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c7c493cf..ae3c7ccc 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -136,6 +136,12 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { dlsym(handle, "nyx_config_set_aux_buffer_size"); if (plugin->nyx_config_set_aux_buffer_size == NULL) { goto fail; } + plugin->nyx_get_target_hash64 = dlsym(handle, "nyx_get_target_hash64"); + if (plugin->nyx_get_target_hash64 == NULL) { goto fail; } + + plugin->nyx_config_free = dlsym(handle, "nyx_config_free"); + if (plugin->nyx_get_target_hash64 == NULL) { goto fail; } + OKF("libnyx plugin is ready!"); return plugin; @@ -224,6 +230,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->nyx_use_tmp_workdir = false; fsrv->nyx_tmp_workdir_path = NULL; fsrv->nyx_log_fd = -1; + fsrv->nyx_target_hash64 = 0; #endif // this structure needs default so we initialize it if this was not done 
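Review bot: The NULL check after `plugin->nyx_config_free = dlsym(handle, "nyx_config_free");` tests the wrong member: it re-checks `plugin->nyx_get_target_hash64`, so a libnyx build that lacks `nyx_config_free` passes the loader and the NULL pointer is later called from `nyx_load_target_hash`. The line should read `if (plugin->nyx_config_free == NULL) { goto fail; }`. The new dlsym calls neither clear nor inspect `dlerror()`, which matches the surrounding loader, so only the copy-paste slip needs fixing.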
@@ -527,6 +534,15 @@ static void report_error_and_exit(int error) { } +#ifdef __linux__ +void nyx_load_target_hash(afl_forkserver_t *fsrv) { + void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path); + fsrv->nyx_target_hash64 = fsrv->nyx_handlers->nyx_get_target_hash64(nyx_config); + fsrv->nyx_handlers->nyx_config_free(nyx_config); +} +#endif + + /* Spins up fork server. The idea is explained here: https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 9f5f59c0..b1a84cb6 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -80,7 +80,18 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) { snprintf(fn2, PATH_MAX, "%s/target_hash", afl->out_dir); FILE *f2 = create_ffile(fn2); + +#ifdef __linux__ + if (afl->fsrv.nyx_mode) { + nyx_load_target_hash(&afl->fsrv); + fprintf(f2, "%llx\n", afl->fsrv.nyx_target_hash64); + } + else { + fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path)); + } +#else fprintf(f2, "%p\n", (void *)get_binary_hash(afl->fsrv.target_path)); +#endif fclose(f2); snprintf(fn, PATH_MAX, "%s/fuzzer_setup", afl->out_dir); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5ab8d7e9..a2fd4b76 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
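Review bot: `nyx_load_target_hash` hands the result of `nyx_config_load(fsrv->target_path)` straight to `nyx_get_target_hash64` and `nyx_config_free` without checking it, so if the plugin reports a failed load by returning NULL (which its pointer return type suggests, though the contract is not visible here) the failure surfaces as a crash inside libnyx rather than as a clear error. Adding `if (unlikely(!nyx_config)) { FATAL("Unable to load Nyx config from '%s'", fsrv->target_path); }` right after the load keeps the error local and readable. A one-line header comment stating that the function is Linux/Nyx-only and writes `fsrv->nyx_target_hash64` would also help, since the prototype in forkserver.h carries none.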
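Review bot: The Nyx branch of `write_setup_file` writes the hash with `"%llx\n"` while the non-Nyx branch and the `#else` path write it with `"%p\n"`, so the `target_hash` file has two different textual formats depending on mode (`%p` typically adds a `0x` prefix and, on glibc, prints a zero value as `(nil)`), and anything that parses the file has to know which mode produced it. Both values are `u64` (see the `u64 target_hash = get_binary_hash(...)` in afl-fuzz.c), so computing the hash into one local under the `#ifdef` and doing a single `fprintf` afterwards gives one format and removes the duplicated `else` line. The rewritten section is below; `write_setup_file` continues outside this hunk.
```c
  snprintf(fn2, PATH_MAX, "%s/target_hash", afl->out_dir);
  FILE *f2 = create_ffile(fn2);
  u64   target_hash = 0;
#ifdef __linux__
  if (afl->fsrv.nyx_mode) {
    nyx_load_target_hash(&afl->fsrv);
    target_hash = afl->fsrv.nyx_target_hash64;
  } else {
    target_hash = get_binary_hash(afl->fsrv.target_path);
  }
#else
  target_hash = get_binary_hash(afl->fsrv.target_path);
#endif
  /* one textual format regardless of fuzzer mode */
  fprintf(f2, "%llx\n", target_hash);
  fclose(f2);
  // … unchanged: fuzzer_setup file …
```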
@@ -2225,9 +2225,24 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->in_place_resume && !afl->afl_env.afl_no_fastresume) { +#ifdef __linux__ + u64 target_hash = 0; + if (afl->fsrv.nyx_mode) { + nyx_load_target_hash(&afl->fsrv); + target_hash = afl->fsrv.nyx_target_hash64; + } + else { + target_hash = get_binary_hash(afl->fsrv.target_path); + } +#else u64 target_hash = get_binary_hash(afl->fsrv.target_path); +#endif - if (!target_hash || prev_target_hash != target_hash) { + if ((!target_hash || prev_target_hash != target_hash) +#ifdef __linux__ + || (afl->fsrv.nyx_mode && target_hash == 0) +#endif + ) { ACTF("Target binary is different, cannot perform FAST RESUME!"); -- cgit 1.4.1 From db172473b55584c901c615413a5f1204eb603782 Mon Sep 17 00:00:00 2001 From: nj00001 <42004790+nj00001@users.noreply.github.com> Date: Mon, 23 Sep 2024 15:50:20 +0800 Subject: Save crash log returned by nyx when AFL_CRASHING_SEEDS_AS_NEW_CRASH environment variable is enabled nyx also returns a crash log when reporting a crash, both files are saved in the afl++ fuzzing run, whereas with the AFL_CRASHING_SEEDS_AS_NEW_CRASH setting, only the crash file is saved in the dry run phase if crashes are included in the supplied seeds. This commit adds crash log saving to keep the behavior consistent --- src/afl-fuzz-init.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 72a765ff..e9036985 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
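Review bot: The clause added to the fast-resume check, `|| (afl->fsrv.nyx_mode && target_hash == 0)`, is redundant: `!target_hash` in the same condition already rejects a zero hash in every mode, so the extra `#ifdef __linux__` block only makes the expression harder to read. Keeping the original `if (!target_hash || prev_target_hash != target_hash) {` gives identical behaviour. The `#ifdef`/`#else` split above it that chooses between `nyx_load_target_hash` and `get_binary_hash` is the same selection `write_setup_file` performs in afl-fuzz-stats.c; a small helper returning the mode-appropriate `u64` would let both call sites share it. `main` continues outside this hunk.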
@@ -1231,6 +1231,23 @@ void perform_dry_run(afl_state_t *afl) { ck_write(fd, use_mem, read_len, crash_fn); close(fd); + if (afl->fsrv.nyx_mode) { + + u8 crash_log_fn[PATH_MAX]; + + snprintf(crash_log_fn, PATH_MAX, "%s.log", crash_fn); + fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_log_fn); } + + u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string( + afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, + afl->fsrv.nyx_aux_string_len); + + ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, crash_log_fn); + close(fd); + + } + afl->last_crash_time = get_cur_time(); afl->last_crash_execs = afl->fsrv.total_execs; -- cgit 1.4.1 From 8b35dd49be5f846e945f6d6a9414623d195a99cb Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 23 Sep 2024 21:22:17 +0200 Subject: Fix macOS build --- src/afl-fuzz-init.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index e9036985..9eaa661d 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1231,6 +1231,7 @@ void perform_dry_run(afl_state_t *afl) { ck_write(fd, use_mem, read_len, crash_fn); close(fd); +#ifdef __linux__ if (afl->fsrv.nyx_mode) { u8 crash_log_fn[PATH_MAX]; @@ -1247,6 +1248,7 @@ void perform_dry_run(afl_state_t *afl) { close(fd); } +#endif afl->last_crash_time = get_cur_time(); afl->last_crash_execs = afl->fsrv.total_execs; @@ -2882,6 +2884,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { afl->fsrv.target_path = ck_strdup(fname); + #ifdef __linux__ if (afl->fsrv.nyx_mode) { @@ -2902,8 +2905,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { afl->fsrv.target_path); } - #endif + if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || (f_len = st.st_size) < 4) { -- cgit 1.4.1
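Review bot: In the new Nyx block of `perform_dry_run`, the local `u32 nyx_aux_string_len` holds the length returned by `nyx_get_aux_string`, while `afl->fsrv.nyx_aux_string_len`, passed as the third argument, is the buffer capacity; using the same name for two different quantities in adjacent lines makes the `ck_write` hard to audit. Renaming the local to `crash_log_len` makes the distinction obvious. If the plugin contract does not guarantee that the returned length never exceeds the capacity passed in (not visible here), clamping before the write, `if (crash_log_len > afl->fsrv.nyx_aux_string_len) crash_log_len = afl->fsrv.nyx_aux_string_len;`, keeps `ck_write` inside `nyx_aux_string`. `perform_dry_run` continues outside the hunk.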