From 139665c01dce7b85941d6e1b61aaebd06e316cba Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 3 Jul 2020 10:20:10 +0200 Subject: ubsan options --- src/afl-analyze.c | 29 ++++++++++++++++++++++++++--- src/afl-forkserver.c | 29 +++++++++++++++++++++++++++-- src/afl-showmap.c | 29 ++++++++++++++++++++++++++--- src/afl-tmin.c | 29 ++++++++++++++++++++++++++--- 4 files changed, 105 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 56284f6f..e6dd0fca 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -772,15 +772,38 @@ static void set_up_environment(void) { setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" + "allocator_may_return_null=1:" "symbolize=0:" - "allocator_may_return_null=1", + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", + 0); + + setenv("UBSAN_OPTIONS", + "halt_on_error=1:" + "abort_on_error=1:" + "malloc_context_size=0:" + "allocator_may_return_null=1:" + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" "abort_on_error=1:" + "msan_track_origins=0" "allocator_may_return_null=1:" - "msan_track_origins=0", 0); + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); if (get_afl_env("AFL_PRELOAD")) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 419ce28e..47493eba 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
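Review bot: The rewritten MSAN_OPTIONS string in the afl-analyze.c hunk is missing the `:` separator after `"msan_track_origins=0"`, so the two adjacent literals fuse into `msan_track_origins=0allocator_may_return_null=1:`; the sanitizer flag parser reads `0allocator_may_return_null=1` as the value of msan_track_origins and, as far as I recall its int parser, reports an invalid value and aborts the target at start-up, so the MSAN defaults this commit sets would never take effect. Change the line to `"msan_track_origins=0:"`. The afl-showmap.c and afl-tmin.c hunks of this commit carry the identical slip, while the afl-forkserver.c hunk has the colon. set_up_environment continues beyond the hunk.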
@@ -434,7 +434,27 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "detect_leaks=0:" "malloc_context_size=0:" "symbolize=0:" - "allocator_may_return_null=1", + "allocator_may_return_null=1:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", + 0); + + /* Set sane defaults for UBSAN if nothing else specified. */ + + setenv("UBSAN_OPTIONS", + "halt_on_error=1:" + "abort_on_error=1:" + "malloc_context_size=0:" + "allocator_may_return_null=1:" + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); /* MSAN is tricky, because it doesn't support abort_on_error=1 at this @@ -446,7 +466,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "abort_on_error=1:" "malloc_context_size=0:" "allocator_may_return_null=1:" - "msan_track_origins=0", + "msan_track_origins=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); fsrv->init_child_func(fsrv, argv); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 883398ff..71e975a1 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
@@ -456,15 +456,38 @@ static void set_up_environment(afl_forkserver_t *fsrv) { setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" + "allocator_may_return_null=1:" "symbolize=0:" - "allocator_may_return_null=1", + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", + 0); + + setenv("UBSAN_OPTIONS", + "halt_on_error=1:" + "abort_on_error=1:" + "malloc_context_size=0:" + "allocator_may_return_null=1:" + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" "abort_on_error=1:" + "msan_track_origins=0" "allocator_may_return_null=1:" - "msan_track_origins=0", 0); + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); if (get_afl_env("AFL_PRELOAD")) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 2db1eae7..68fcdd14 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -701,15 +701,38 @@ static void set_up_environment(afl_forkserver_t *fsrv) { setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" + "allocator_may_return_null=1:" "symbolize=0:" - "allocator_may_return_null=1", + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", + 0); + + setenv("UBSAN_OPTIONS", + "halt_on_error=1:" + "abort_on_error=1:" + "malloc_context_size=0:" + "allocator_may_return_null=1:" + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" "abort_on_error=1:" + "msan_track_origins=0" "allocator_may_return_null=1:" - "msan_track_origins=0", 0); + "symbolize=0:" + "handle_segv=0:" + "handle_sigbus=0:" + "handle_abort=0:" + "handle_sigfpe=0:" + "handle_sigill=0", 0); if (get_afl_env("AFL_PRELOAD")) { -- cgit 1.4.1 
From 75fa1ac3b00a01a0ae02addcedae0e09d674930e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 6 Jul 2020 14:10:14 +0200 Subject: warn rather than fail if AFL_MAP_SIZE is set and not understood by instrumenter --- TODO.md | 5 +++++ gcc_plugin/afl-gcc-fast.c | 2 +- llvm_mode/afl-clang-fast.c | 2 +- src/afl-gcc.c | 2 +- 4 files changed, 8 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/TODO.md b/TODO.md index 8085bc07..d8ad6183 100644 --- a/TODO.md +++ b/TODO.md @@ -21,6 +21,11 @@ gcc_plugin: - laf-intel - better instrumentation (seems to be better with gcc-9+) +better documentation: + - flow graph + - short intro + - faq (how to increase stability, speed, many parallel ...) + qemu_mode: - update to 5.x (if the performance bug if gone) - non colliding instrumentation diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index af0beca7..fa1c70d7 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -379,7 +379,7 @@ int main(int argc, char **argv, char **envp) { u32 map_size = atoi(ptr); if (map_size != MAP_SIZE) - FATAL("AFL_MAP_SIZE is not supported by afl-gcc-fast"); + WARN("AFL_MAP_SIZE is not supported by afl-gcc-fast"); } diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 07c3c07c..f634a05c 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -939,7 +939,7 @@ int main(int argc, char **argv, char **envp) { u32 map_size = atoi(ptr2); if (map_size != MAP_SIZE) - FATAL("AFL_MAP_SIZE is not supported by afl-clang-fast"); + WARN("AFL_MAP_SIZE is not supported by afl-clang-fast"); } diff --git a/src/afl-gcc.c b/src/afl-gcc.c index b8ff7e77..2482869e 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -465,7 +465,7 @@ int main(int argc, char **argv) { u32 map_size = atoi(ptr); if (map_size != MAP_SIZE) { - FATAL("AFL_MAP_SIZE is not supported by afl-gcc"); + WARN("AFL_MAP_SIZE is not supported by afl-gcc"); } -- cgit 1.4.1 
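Review bot: With the check downgraded from FATAL to a warning, an AFL_MAP_SIZE the wrapper cannot honour is now tolerated, but the message does not say what the wrapper does instead; the `if` has no else, so presumably it just proceeds with the compiled-in MAP_SIZE, and the text should say so, e.g. append `", using the compiled-in MAP_SIZE"` to the message in the afl-gcc-fast.c, afl-clang-fast.c and afl-gcc.c hunks alike. The value still comes from the unchanged `atoi(ptr)` context line with no range check, so a non-numeric or zero AFL_MAP_SIZE now also only produces this warning — worth a comment on the new line so the fallback is deliberate rather than accidental. Each `main` starts and ends outside its hunk.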
From 0aed549df102cde6a60dc9ef57524413e978814f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 6 Jul 2020 14:11:21 +0200 Subject: warn rather than fail if AFL_MAP_SIZE is set and not understood by instrumenter --- gcc_plugin/afl-gcc-fast.c | 2 +- llvm_mode/afl-clang-fast.c | 2 +- src/afl-gcc.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index fa1c70d7..b1bacfbd 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -379,7 +379,7 @@ int main(int argc, char **argv, char **envp) { u32 map_size = atoi(ptr); if (map_size != MAP_SIZE) - WARN("AFL_MAP_SIZE is not supported by afl-gcc-fast"); + WARNF("AFL_MAP_SIZE is not supported by afl-gcc-fast"); } diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index f634a05c..72262c1e 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -939,7 +939,7 @@ int main(int argc, char **argv, char **envp) { u32 map_size = atoi(ptr2); if (map_size != MAP_SIZE) - WARN("AFL_MAP_SIZE is not supported by afl-clang-fast"); + WARNF("AFL_MAP_SIZE is not supported by afl-clang-fast"); } diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 2482869e..8d91164b 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -465,7 +465,7 @@ int main(int argc, char **argv) { u32 map_size = atoi(ptr); if (map_size != MAP_SIZE) { - WARN("AFL_MAP_SIZE is not supported by afl-gcc"); + WARNF("AFL_MAP_SIZE is not supported by afl-gcc"); } -- cgit 1.4.1 From 83790d65afb52a055d093451a50ce55690a25002 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 8 Jul 2020 11:16:39 +0200 Subject: eliminate race condition for cpu affinity on -M/-S --- docs/Changelog.md | 4 ++- include/config.h | 4 +++ src/afl-fuzz-init.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++------- src/afl-fuzz.c | 24 +++++++------ 4 files changed, 105 insertions(+), 24 deletions(-) (limited to 'src') 
diff --git a/docs/Changelog.md b/docs/Changelog.md index 57b2b4a2..18e4e97e 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,7 +10,9 @@ sending a mail to . ### Version ++2.66d (devel) - - ... ? + - afl-fuzz: + - eliminated CPU affinity race condition for -S/-M runs + - small fixes to afl-plot, afl-whatsup and man page creation ### Version ++2.66c (release) diff --git a/include/config.h b/include/config.h index 7de74009..4503c3e9 100644 --- a/include/config.h +++ b/include/config.h @@ -380,6 +380,10 @@ #define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID" +/* CPU Affinity lockfile env var */ + +#define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE" + /* Uncomment this to use inferior block-coverage-based instrumentation. Note that you need to recompile the target binary for this to have any effect: */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index a2e849dc..e51b4729 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -36,14 +36,11 @@ void bind_to_free_cpu(afl_state_t *afl) { #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; #elif defined(__NetBSD__) - cpuset_t * c; + cpuset_t *c; #elif defined(__sun) - psetid_t c; + psetid_t c; #endif - u8 cpu_used[4096] = {0}; - u32 i; - if (afl->cpu_core_count < 2) { return; } if (afl->afl_env.afl_no_affinity) { 
@@ -53,13 +50,46 @@ void bind_to_free_cpu(afl_state_t *afl) { } + u8 cpu_used[4096] = {0}, lockfile[PATH_MAX] = ""; + u32 i; + + if (afl->sync_id) { + + s32 lockfd, first = 1; + + snprintf(lockfile, sizeof(lockfile), "%s/.affinity_lock", afl->sync_dir); + setenv(CPU_AFFINITY_ENV_VAR, lockfile, 1); + + do { + + if ((lockfd = open(lockfile, O_RDWR | O_CREAT | O_EXCL, 0600)) < 0) { + + if (first) { + + WARNF("CPU affinity lock file present, waiting ..."); + first = 0; + + } + + usleep(1000); + + } + + } while (lockfd < 0); + + close(lockfd); + + } + #if defined(__linux__) + DIR * d; struct dirent *de; d = opendir("/proc"); if (!d) { + if (lockfile[0]) unlink(lockfile); WARNF("Unable to access /proc - can't scan for free CPU cores."); return; @@ -67,11 +97,6 @@ void bind_to_free_cpu(afl_state_t *afl) { ACTF("Checking CPU core loadout..."); - /* Introduce some jitter, in case multiple AFL tasks are doing the same - thing at the same time... */ - - usleep(R(1000) * 250); - /* Scan all /proc//status entries, checking for Cpus_allowed_list. Flag all processes bound to a specific CPU using cpu_used[]. This will fail for some exotic binding setups, but is likely good enough in almost @@ -114,20 +139,29 @@ void bind_to_free_cpu(afl_state_t *afl) { } closedir(d); + #elif defined(__FreeBSD__) || defined(__DragonFly__) + struct kinfo_proc *procs; size_t nprocs; size_t proccount; int s_name[] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL}; size_t s_name_l = sizeof(s_name) / sizeof(s_name[0]); - if (sysctl(s_name, s_name_l, NULL, &nprocs, NULL, 0) != 0) return; + if (sysctl(s_name, s_name_l, NULL, &nprocs, NULL, 0) != 0) { + + if (lockfile[0]) unlink(lockfile); + return; + + } + proccount = nprocs / sizeof(*procs); nprocs = nprocs * 4 / 3; procs = ck_alloc(nprocs); if (sysctl(s_name, s_name_l, procs, &nprocs, NULL, 0) != 0) { + if (lockfile[0]) unlink(lockfile); ck_free(procs); return; 
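Review bot: The lock loop in the new `if (afl->sync_id)` block retries forever on any `open()` failure, not only on an existing file: if `afl->sync_dir` is missing or not writable, or a previous instance crashed and left `.affinity_lock` behind, every later `-M`/`-S` instance prints the warning once and then spins in `usleep(1000)` indefinitely. Check errno in the failure branch, `if (errno != EEXIST) PFATAL("Unable to create lock file %s", lockfile);`, and name the file in the warning so a stale lock can be diagnosed and removed by hand (a bounded wait would be better still). The `snprintf` into `lockfile[PATH_MAX]` is also unchecked for truncation; comparing its return value against `sizeof(lockfile)` avoids locking and later unlinking a different path for a very long sync_dir. bind_to_free_cpu continues beyond the hunk.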
@@ -136,6 +170,7 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { #if defined(__FreeBSD__) + if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 @@ -145,16 +180,21 @@ void bind_to_free_cpu(afl_state_t *afl) { if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; + #elif defined(__DragonFly__) + if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; + #endif } ck_free(procs); + #elif defined(__NetBSD__) + struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; @@ -163,13 +203,20 @@ void bind_to_free_cpu(afl_state_t *afl) { CTL_KERN, KERN_PROC2, KERN_PROC_ALL, 0, sizeof(struct kinfo_proc2), 0}; size_t s_name_l = sizeof(s_name) / sizeof(s_name[0]); - if (sysctl(s_name, s_name_l, NULL, &nprocs, NULL, 0) != 0) return; + if (sysctl(s_name, s_name_l, NULL, &nprocs, NULL, 0) != 0) { + + if (lockfile[0]) unlink(lockfile); + return; + + } + proccount = nprocs / sizeof(struct kinfo_proc2); procs = ck_alloc(nprocs * sizeof(struct kinfo_proc2)); s_name[5] = proccount; if (sysctl(s_name, s_name_l, procs, &nprocs, NULL, 0) != 0) { + if (lockfile[0]) unlink(lockfile); ck_free(procs); return; @@ -183,7 +230,9 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); + #elif defined(__sun) + kstat_named_t *n; kstat_ctl_t * m; kstat_t * k; @@ -198,6 +247,7 @@ void bind_to_free_cpu(afl_state_t *afl) { if (!k) { + if (lockfile[0]) unlink(lockfile); kstat_close(m); return; @@ -205,6 +255,7 @@ void bind_to_free_cpu(afl_state_t *afl) { if (kstat_read(m, k, NULL)) { + if (lockfile[0]) unlink(lockfile); kstat_close(m); return; @@ -220,6 +271,7 @@ void bind_to_free_cpu(afl_state_t *afl) { k = kstat_lookup(m, "cpu_stat", i, NULL); if (kstat_read(m, k, &cs)) { + if (lockfile[0]) unlink(lockfile); kstat_close(m); return; 
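Review bot: The same `if (lockfile[0]) unlink(lockfile);` is now pasted before every early `return` in the FreeBSD, NetBSD and Solaris branches here and in the preceding hunks; a single `goto` cleanup label at the end of bind_to_free_cpu, or a small `static void release_affinity_lock(const u8 *lockfile)`, would keep the unlock in one place and make a missed return path in a future platform branch far less likely. Paths that leave via PFATAL/FATAL instead rely on at_exit removing the file through the environment variable, which deserves a comment next to the first unlink so the next reader does not add one there. bind_to_free_cpu starts and ends outside this hunk.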
@@ -233,6 +285,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } kstat_close(m); + #else #warning \ "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" @@ -241,7 +294,9 @@ void bind_to_free_cpu(afl_state_t *afl) { size_t cpu_start = 0; try: + #if !defined(__ANDROID__) + for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -251,6 +306,7 @@ void bind_to_free_cpu(afl_state_t *afl) { if (i == afl->cpu_core_count) { #else + for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) if (!cpu_used[i]) break; if (i == -1) { @@ -274,18 +330,25 @@ void bind_to_free_cpu(afl_state_t *afl) { afl->cpu_aff = i; #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + CPU_ZERO(&c); CPU_SET(i, &c); + #elif defined(__NetBSD__) + c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); + #elif defined(__sun) + pset_create(&c); if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); + #endif #if defined(__linux__) + if (sched_setaffinity(0, sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) { @@ -302,6 +365,7 @@ if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); } #elif defined(__FreeBSD__) || defined(__DragonFly__) + if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) @@ -314,6 +378,7 @@ if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); } #elif defined(__NetBSD__) + if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { if (cpu_start == afl->cpu_core_count) @@ -326,7 +391,9 @@ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { } cpuset_destroy(c); + #elif defined(__sun) + if (pset_bind(c, P_PID, getpid(), NULL)) { if (cpu_start == afl->cpu_core_count) 
@@ -339,11 +406,17 @@ if (pset_bind(c, P_PID, getpid(), NULL)) { } pset_destroy(c); + #else + // this will need something for other platforms // TODO: Solaris/Illumos has processor_bind ... might worth a try + #endif + if (lockfile[0]) unlink(lockfile); + // we leave the environment variable to ensure a cleanup for other processes + } #endif /* HAVE_AFFINITY */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e4e2669c..f7f247f3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -42,19 +42,21 @@ static void at_exit() { int i; char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; - char *ptr = getenv("__AFL_TARGET_PID1"); + char *ptr; + ptr = getenv(CPU_AFFINITY_ENV_VAR); + if (ptr && *ptr) unlink(ptr); + + ptr = getenv("__AFL_TARGET_PID1"); if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); i = 0; while (list[i] != NULL) { ptr = getenv(list[i]); - if (ptr && *ptr) { #ifdef USEMMAP @@ -1011,17 +1013,19 @@ int main(int argc, char **argv_orig, char **envp) { } + check_crash_handling(); + check_cpu_governor(afl); + get_core_count(afl); + atexit(at_exit); + + setup_dirs_fds(afl); + #ifdef HAVE_AFFINITY bind_to_free_cpu(afl); #endif /* HAVE_AFFINITY */ - check_crash_handling(); - check_cpu_governor(afl); - - atexit(at_exit); - afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); @@ -1038,12 +1042,10 @@ int main(int argc, char **argv_orig, char **envp) { } - setup_dirs_fds(afl); - if (afl->is_secondary_node && check_main_node_exists(afl) == 0) { WARNF("no -M main node found. You need to run one main instance!"); - sleep(5); + sleep(3); } -- cgit 1.4.1 From 90adc2cb853482ae058a4b09719502ec6c3c22b8 Mon Sep 17 00:00:00 2001 
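Review bot: Leaving CPU_AFFINITY_ENV_VAR set after the lock has been released (the `// we leave the environment variable ...` comment at the end of bind_to_free_cpu) means `at_exit` in the afl-fuzz.c hunk will `unlink()` that same path whenever this process later exits, including on any FATAL after start-up; by then another `-S` instance may have acquired `.affinity_lock` and still be scanning `/proc`, so its lock is deleted and a third instance can pick the same core — the race this commit fixes reappears in a narrow window. Call `unsetenv(CPU_AFFINITY_ENV_VAR);` right after each `unlink(lockfile)` so at_exit only removes the file when the process dies while actually holding the lock; since the main hunk registers `atexit(at_exit)` before `bind_to_free_cpu(afl)`, crashes during the scan are still covered. The variable is also inherited by the forkserver target, which looks harmless but is worth a comment.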
From: David Carlier Date: Thu, 9 Jul 2020 15:43:05 +0100 Subject: illumos littlefixes: little typo for cpu binding and even tough gcc plugin less good than LLVM, clang is more buggy on this os. --- gcc_plugin/GNUmakefile | 7 ++++++- src/afl-fuzz-init.c | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/gcc_plugin/GNUmakefile b/gcc_plugin/GNUmakefile index bf5c53e0..002437cb 100644 --- a/gcc_plugin/GNUmakefile +++ b/gcc_plugin/GNUmakefile @@ -70,9 +70,14 @@ ifeq "$(TEST_MMAP)" "1" endif ifneq "$(shell uname -s)" "Haiku" - LDFLAGS += -lrt + LDFLAGS += -lrt endif +ifeq "$(shell uname -s)" "SunOS" + PLUGIN_FLAGS += -I/usr/include/gmp +endif + + PROGS = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index e51b4729..e95ae95f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -398,7 +398,7 @@ if (pset_bind(c, P_PID, getpid(), NULL)) { if (cpu_start == afl->cpu_core_count) PFATAL("pset_bind failed for cpu %d, exit", i); - WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); + WARNF("pset_bind failed to CPU %d, trying next CPU", i); cpu_start++; goto try ; -- cgit 1.4.1 From 383b280531a92a8b81d112a9acb4e44c08987be0 Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Tue, 14 Jul 2020 23:26:11 +0200 Subject: added frida gum extension --- examples/afl_frida/Makefile | 23 ++ examples/afl_frida/README.md | 38 +++ examples/afl_frida/afl-frida.c | 312 ++++++++++++++++++++++++ examples/afl_frida/afl-frida.h | 53 ++++ examples/afl_frida/libtestinstr.c | 35 +++ examples/afl_network_proxy/afl-network-client.c | 2 +- src/afl-fuzz.c | 5 +- test/test-floatingpoint.c | 24 +- test/test-fp_cases.c | 73 ++++-- 9 files changed, 525 insertions(+), 40 deletions(-) create mode 100644 examples/afl_frida/Makefile create mode 100644 examples/afl_frida/README.md create mode 100644 examples/afl_frida/afl-frida.c create mode 100644 examples/afl_frida/afl-frida.h create mode 100644 examples/afl_frida/libtestinstr.c (limited to 'src') diff --git a/examples/afl_frida/Makefile b/examples/afl_frida/Makefile new file mode 100644 index 00000000..5d482e54 --- /dev/null +++ b/examples/afl_frida/Makefile @@ -0,0 +1,23 @@ +ifdef DEBUG + OPT=-O0 -D_DEBUG=\"1\" +else + OPT=-O3 -funroll-loops +endif + +all: afl-frida libtestinstr.so + +libfrida-gum.a: + @echo Download and extract frida-gum-devkit-VERSION-PLATFORM.tar.xz for your platform from https://github.com/frida/frida/releases/latest + @exit 1 + +afl-frida: afl-frida.c libfrida-gum.a + $(CC) -g $(OPT) -o afl-frida -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread + +libtestinstr.so: libtestinstr.c + $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c + +clean: + rm -f afl-frida *~ core *.o libtestinstr.so + +deepclean: clean + rm -f libfrida-gum.a frida-gum* diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md new file mode 100644 index 00000000..93e8f35a --- /dev/null +++ b/examples/afl_frida/README.md 
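Review bot: The `afl-frida` rule passes `-fpermissive` to `$(CC)` for a C translation unit; that switch belongs to the C++ front end, gcc warns that it is valid for C++ only and ignores it, so it should be dropped. The rule also lists only `afl-frida.c` and `libfrida-gum.a` as prerequisites although the commit adds `afl-frida.h` next to it; if the header is meant to be used it belongs in the dependency list. Since afl-frida.c opens the target with a bare `dlopen("libtestinstr.so", RTLD_LAZY)`, running `./afl-frida` from this directory presumably needs `LD_LIBRARY_PATH=.` or a link-time rpath such as `-Wl,-rpath,'$$ORIGIN'` — worth setting here or stating in the README.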
@@ -0,0 +1,38 @@ +# afl-frida - faster fuzzing of binary-only libraries + +## Introduction + +afl-frida is an example skeleton file which can easily be used to fuzz +a closed source library. + +It requires less memory and is x5-10 faster than qemu_mode but does not +provide interesting features like compcov or cmplog. + +## How-to + +### Modify afl-frida.c + +Read and modify afl-frida.c then `make`. +To adapt afl-frida.c to your needs, read the header of the file and then +search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. + +### Fuzzing + +Example (after modifying afl-frida.c to your needs and compile it): +``` +afl-fuzz -i in -o out -- ./afl-frida +``` +(or even remote via afl-network-proxy). + +### Testing and debugging + +For testing/debugging you can try: +``` +make DEBUG=1 +AFL_DEBUG=1 gdb ./afl-frida +``` +and then you can easily set breakpoints to "breakpoint" and "fuzz". + +# Background + +This code ist copied for a larger part from https://github.com/meme/hotwax diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c new file mode 100644 index 00000000..c24e05b7 --- /dev/null +++ b/examples/afl_frida/afl-frida.c 
@@ -0,0 +1,312 @@ +/* + american fuzzy lop++ - afl-frida skeleton example + ------------------------------------------------- + + Copyright 2020 AFLplusplus Project. All rights reserved. + + Written mostly by meme -> https://github.com/meme/hotwax + + Modificationy by Marc Heuse + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + HOW-TO + ====== + + You only need to change the following: + + 1. set the defines and function call parameters. + 2. dl load the library you want to fuzz, lookup the functions you need + and setup the calls to these. + 3. in the while loop you call the functions in the necessary order - + incl the cleanup. the cleanup is important! + + Just look these steps up in the code, look for "// STEP x:" + +*/ + +#include +#include +#include +#include +#include +#include +#include + +#ifndef __APPLE__ + #include +#endif + + +// STEP 1: + +// The presets are for the example libtestinstr.so: + +/* What is the name of the library to fuzz */ +#define TARGET_LIBRARY "libtestinstr.so" + +/* What is the name of the function to fuzz */ +#define TARGET_FUNCTION "testinstr" + +/* here you need to specify the parameter for the target function */ +static void *(*o_function)(uint8_t *, int); + +// END STEP 1 + + +#include "frida-gum.h" + +G_BEGIN_DECLS + +#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type()) +G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM, + FAKE_EVENT_SINK, GObject) + +struct _GumFakeEventSink { + + GObject parent; + GumEventType mask; + +}; + +GumEventSink *gum_fake_event_sink_new(void); +void gum_fake_event_sink_reset(GumFakeEventSink *self); + +G_END_DECLS + +static void gum_fake_event_sink_iface_init(gpointer g_iface, + gpointer iface_data); +static void gum_fake_event_sink_finalize(GObject *obj); +static GumEventType 
gum_fake_event_sink_query_mask(GumEventSink *sink); +static void gum_fake_event_sink_process(GumEventSink *sink, const GumEvent *ev); +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); +void afl_setup(void); +void afl_start_forkserver(void); +int __afl_persistent_loop(unsigned int max_cnt); + +static void gum_fake_event_sink_class_init(GumFakeEventSinkClass *klass) { + + GObjectClass *object_class = G_OBJECT_CLASS(klass); + object_class->finalize = gum_fake_event_sink_finalize; + +} + +static void gum_fake_event_sink_iface_init(gpointer g_iface, + gpointer iface_data) { + + GumEventSinkInterface *iface = (GumEventSinkInterface *) g_iface; + iface->query_mask = gum_fake_event_sink_query_mask; + iface->process = gum_fake_event_sink_process; + +} + +G_DEFINE_TYPE_EXTENDED(GumFakeEventSink, gum_fake_event_sink, G_TYPE_OBJECT, 0, + G_IMPLEMENT_INTERFACE(GUM_TYPE_EVENT_SINK, + gum_fake_event_sink_iface_init)) + +#include "../../config.h" + +// Shared memory fuzzing. +int __afl_sharedmem_fuzzing = 1; +extern unsigned int *__afl_fuzz_len; +extern unsigned char *__afl_fuzz_ptr; + +// Notify AFL about persistent mode. +static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; +int __afl_persistent_loop(unsigned int); + +// Notify AFL about deferred forkserver. +static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; +void __afl_manual_init(); + +// Because we do our own logging. +extern uint8_t * __afl_area_ptr; + +// Frida stuff below. 
+typedef struct { + + GumAddress base_address; + guint64 code_start, code_end; + +} range_t; + +inline static void afl_maybe_log(guint64 current_pc) { + + static __thread guint64 previous_pc; + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + __afl_area_ptr[current_pc ^ previous_pc]++; + previous_pc = current_pc >> 1; + +} + +static void on_basic_block(GumCpuContext *context, gpointer user_data) { + + afl_maybe_log((guint64)user_data); + +} + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data) { + + range_t *range = (range_t *)user_data; + + const cs_insn *instr; + gboolean begin = TRUE; + while (gum_stalker_iterator_next(iterator, &instr)) { + + if (begin) { + + guint64 current_pc = instr->address - range->base_address; + gum_stalker_iterator_put_callout(iterator, on_basic_block, + (gpointer)current_pc, NULL); + begin = FALSE; + + } + + gum_stalker_iterator_keep(iterator); + + } + +} + +static void gum_fake_event_sink_init(GumFakeEventSink *self) { } + +static void gum_fake_event_sink_finalize(GObject *obj) { + + G_OBJECT_CLASS(gum_fake_event_sink_parent_class)->finalize(obj); + +} + +GumEventSink *gum_fake_event_sink_new(void) { + + GumFakeEventSink *sink; + sink = (GumFakeEventSink *) g_object_new(GUM_TYPE_FAKE_EVENT_SINK, NULL); + return GUM_EVENT_SINK(sink); + +} + +void gum_fake_event_sink_reset(GumFakeEventSink *self) { } + +static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink) { + + return 0; + +} + +static void gum_fake_event_sink_process(GumEventSink * sink, + const GumEvent *ev) { } + +/* Because this CAN be called more than once, it will return the LAST range */ +static int enumerate_ranges(const GumRangeDetails *details, + gpointer user_data) { + + GumMemoryRange *code_range = (GumMemoryRange *)user_data; + memcpy(code_range, details->range, sizeof(*code_range)); + return 0; + +} + +int main() { + + // STEP 2: load the library you want to fuzz and 
lookup the functions, + // inclusive of the cleanup functions. + // If there is just one function, then there is nothing to change + // or add here. + + void *dl = dlopen(TARGET_LIBRARY, RTLD_LAZY); + if (!dl) { + + fprintf(stderr, "Could not load %s\n", TARGET_LIBRARY); + exit(-1); + + } + + if (!(o_function = dlsym(dl, TARGET_FUNCTION))) { + + fprintf(stderr, "Could not find function %s\n", TARGET_FUNCTION); + exit(-1); + + } + + // END STEP 2 + + gum_init_embedded(); + if (!gum_stalker_is_supported()) { + + gum_deinit_embedded(); + return 1; + + } + + GumStalker *stalker = gum_stalker_new(); + + GumAddress base_address = gum_module_find_base_address(TARGET_LIBRARY); + + GumMemoryRange code_range; + gum_module_enumerate_ranges(TARGET_LIBRARY, GUM_PAGE_RX, enumerate_ranges, + &code_range); + guint64 code_start = code_range.base_address - base_address; + guint64 code_end = (code_range.base_address + code_range.size) - base_address; + + range_t instr_range = {base_address, code_start, code_end}; + + GumStalkerTransformer *transformer = + gum_stalker_transformer_make_from_callback(instr_basic_block, + &instr_range, NULL); + + GumEventSink *event_sink = gum_fake_event_sink_new(); + + __afl_manual_init(); + + // + // any expensive target library initialization that has to be done just once + // - put that here + // + + gum_stalker_follow_me(stalker, transformer, event_sink); + + while (__afl_persistent_loop(UINT32_MAX) != 0) { + +#ifdef _DEBUG + fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__a + fprintf(stderr, "RECV:"); + for (int i = 0; i < *__afl_fuzz_len; i++) + fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); + fprintf(stderr,"\n"); +#endif + + // STEP 3: ensure the minimum length is present and setup the target + // function to fuzz. 
+ + if (*__afl_fuzz_len > 0) { + + __afl_fuzz_ptr[*__afl_fuzz_len] = 0; // if you need to null terminate + (*o_function)(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + + // END STEP 3 + + } + + gum_stalker_unfollow_me(stalker); + + while (gum_stalker_garbage_collect(stalker)) + g_usleep(10000); + + g_object_unref(stalker); + g_object_unref(transformer); + g_object_unref(event_sink); + gum_deinit_embedded(); + + return 0; + +} diff --git a/examples/afl_frida/afl-frida.h b/examples/afl_frida/afl-frida.h new file mode 100644 index 00000000..efa3440f --- /dev/null +++ b/examples/afl_frida/afl-frida.h @@ -0,0 +1,53 @@ +extern int is_persistent; + +G_BEGIN_DECLS + +#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type()) + +G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM, + FAKE_EVENT_SINK, GObject) + +struct _GumFakeEventSink { + + GObject parent; + GumEventType mask; + +}; + +GumEventSink *gum_fake_event_sink_new(void); +void gum_fake_event_sink_reset(GumFakeEventSink *self); + +G_END_DECLS + +typedef struct { + + GumAddress base_address; + guint64 code_start, code_end; + +} range_t; + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); +#pragma once + +void afl_setup(void); +void afl_start_forkserver(void); +int __afl_persistent_loop(unsigned int max_cnt); + +inline static inline void afl_maybe_log(guint64 current_pc) { + + extern unsigned int afl_instr_rms; + extern uint8_t * afl_area_ptr; + + static __thread guint64 previous_pc; + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + if (current_pc >= afl_instr_rms) return; + + afl_area_ptr[current_pc ^ previous_pc]++; + previous_pc = current_pc >> 1; + +} + diff --git a/examples/afl_frida/libtestinstr.c b/examples/afl_frida/libtestinstr.c new file mode 100644 index 00000000..96b1cf21 --- /dev/null +++ b/examples/afl_frida/libtestinstr.c 
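Review bot: `instr_basic_block` installs the coverage callout for every basic block the stalker presents, because `range->code_start`/`code_end` are computed in `main` but never read here; code outside the target library (the harness, libc, frida-gum's own runtime) presumably ends up in the map too, which costs speed and stability, and restricting the callout to the target's RX range is shown below. `GumMemoryRange code_range;` in `main` is also left uninitialized when `gum_module_enumerate_ranges` never invokes `enumerate_ranges` (no RX range found), so `code_start`/`code_end` would be garbage; initialise it with `GumMemoryRange code_range = {0};` and bail out if `code_range.size == 0`. Finally, `__afl_fuzz_ptr[*__afl_fuzz_len] = 0;` writes one byte past the reported length into the shared input buffer — fine only if the buffer always has slack beyond the maximum testcase size, which the comment should state.
```c
    if (begin) {

      guint64 current_pc = instr->address - range->base_address;
      /* only log blocks inside the target's RX range computed in main() */
      if (current_pc >= range->code_start && current_pc < range->code_end) {

        gum_stalker_iterator_put_callout(iterator, on_basic_block,
                                         (gpointer)current_pc, NULL);

      }

      begin = FALSE;

    }
    // … unchanged: gum_stalker_iterator_keep(iterator) and loop tail …
```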
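Review bot: afl-frida.h is not included by afl-frida.c (which includes only frida-gum.h and ../../config.h and carries its own copies of `range_t`, the fake event sink declarations and `afl_maybe_log`), and the two copies already disagree: the header's `afl_maybe_log` reads `afl_area_ptr` and `afl_instr_rms` with an rms cut-off, the .c uses `__afl_area_ptr` with none. Either make the .c include the header and delete its duplicates, or drop the header from the example, so readers following the README's "STEP" instructions do not edit the copy that is never compiled. `inline static inline void afl_maybe_log` repeats `inline` (accepted by C11 but clearly a slip), and `#pragma once` sits mid-file after the declarations — it should be the first line. The header uses `GumAddress`, `guint64`, `uint8_t` and `MAP_SIZE` without including anything, so a leading comment `/* requires frida-gum.h and config.h to be included first */` would save the first user a confusing error.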
@@ -0,0 +1,35 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index 7c4d8b35..a2451fdc 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -35,7 +35,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f7f247f3..872ed9ae 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -266,6 +266,8 @@ int main(int argc, char **argv_orig, char **envp) { gettimeofday(&tv, &tz); rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); + afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing + while ((opt = getopt(argc, argv, "+c:i:I:o:f:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) { @@ -563,7 +565,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } afl->fsrv.qemu_mode = 1; - afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } 
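Review bot: `testinstr` stores `buf[len] = 0`, one byte past the `len` bytes the caller handed it, so any caller whose buffer is exactly `len` bytes gets an out-of-bounds write from the library under test; the harness in afl-frida.c already NUL-terminates the input before the call and the function only inspects `buf[0]`, so the store is unnecessary and should be removed, or the contract documented as `/* buf must have room for len + 1 bytes */` if it is kept on purpose. Returning silently for `len < 1` is fine, but a one-line comment on the function stating that it is the example fuzz target for afl-frida would help readers who arrive from the README.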
@@ -580,7 +581,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); } afl->unicorn_mode = 1; - afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; } @@ -591,7 +591,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_wine) { FATAL("Multiple -W options not supported"); } afl->fsrv.qemu_mode = 1; afl->use_wine = 1; - afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = 0; } diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index f78b5d9f..76cdccf0 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -1,18 +1,20 @@ #include #include -int main(void) -{ - long double magic; +int main(void) { - ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); - if (bytes_read < (ssize_t)sizeof(magic)) { - return 1; - } + long double magic; - if( (-magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125) ){ /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ - abort(); - } + ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); + if (bytes_read < (ssize_t)sizeof(magic)) { return 1; } + + if ((-magic == 15.0 + 0.5 + 0.125 + 0.03125 + + 0.0078125)) { /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ + abort(); + + } + + return 0; - return 0; } + diff --git a/test/test-fp_cases.c b/test/test-fp_cases.c index 006ae32f..b0f792bc 100644 --- a/test/test-fp_cases.c +++ b/test/test-fp_cases.c @@ -4,13 +4,14 @@ * or -DFLOAT_TYPE="long double" */ - #include int main() { - volatile FLOAT_TYPE a,b; + + volatile FLOAT_TYPE a, b; /* different values */ - a = -2.1; b = -2; /* signs equal, exp equal, mantissa > */ + a = -2.1; + b = -2; /* signs equal, exp equal, mantissa > */ assert((a < b)); assert((a <= b)); assert(!(a > b)); 
@@ -18,7 +19,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 1.8; b = 2.1; /* signs equal, exp differ, mantissa > */ + a = 1.8; + b = 2.1; /* signs equal, exp differ, mantissa > */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -26,7 +28,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2; b = 2.1; /* signs equal, exp equal, mantissa < */ + a = 2; + b = 2.1; /* signs equal, exp equal, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -34,7 +37,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -2; b = -1.8; /* signs equal, exp differ, mantissa < */ + a = -2; + b = -1.8; /* signs equal, exp differ, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -42,7 +46,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -1; b = 1; /* signs differ, exp equal, mantissa equal */ + a = -1; + b = 1; /* signs differ, exp equal, mantissa equal */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -50,7 +55,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -1; b = 0; /* signs differ, exp differ, mantissa equal */ + a = -1; + b = 0; /* signs differ, exp differ, mantissa equal */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -58,7 +64,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -2; b = 2.8; /* signs differ, exp equal, mantissa < */ + a = -2; + b = 2.8; /* signs differ, exp equal, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -66,7 +73,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -2; b = 1.8; /* signs differ, exp differ, mantissa < */ + a = -2; + b = 1.8; /* signs differ, exp differ, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -74,8 +82,8 @@ int main() { assert((a != b)); assert(!(a == b)); - - a = -2; b = -2.1; /* signs equal, exp equal, mantissa > */ + a = -2; + b = -2.1; /* signs equal, exp equal, mantissa > */ assert((a > b)); assert((a >= b)); assert(!(a < b)); 
@@ -83,7 +91,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2.1; b = 1.8; /* signs equal, exp differ, mantissa > */ + a = 2.1; + b = 1.8; /* signs equal, exp differ, mantissa > */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -91,7 +100,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2.1; b = 2; /* signs equal, exp equal, mantissa < */ + a = 2.1; + b = 2; /* signs equal, exp equal, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -99,7 +109,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -1.8; b = -2; /* signs equal, exp differ, mantissa < */ + a = -1.8; + b = -2; /* signs equal, exp differ, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -107,7 +118,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 1; b = -1; /* signs differ, exp equal, mantissa equal */ + a = 1; + b = -1; /* signs differ, exp equal, mantissa equal */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -115,7 +127,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 0; b = -1; /* signs differ, exp differ, mantissa equal */ + a = 0; + b = -1; /* signs differ, exp differ, mantissa equal */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -123,7 +136,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2.8; b = -2; /* signs differ, exp equal, mantissa < */ + a = 2.8; + b = -2; /* signs differ, exp equal, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -131,7 +145,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 1.8; b = -2; /* signs differ, exp differ, mantissa < */ + a = 1.8; + b = -2; /* signs differ, exp differ, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -140,7 +155,8 @@ int main() { assert(!(a == b)); /* equal values */ - a = 0; b = 0; + a = 0; + b = 0; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); 
@@ -148,7 +164,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = -0; b = 0; + a = -0; + b = 0; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -156,7 +173,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = 1; b = 1; + a = 1; + b = 1; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -164,7 +182,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = 0.5; b = 0.5; + a = 0.5; + b = 0.5; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -172,7 +191,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = -1; b = -1; + a = -1; + b = -1; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -180,11 +200,14 @@ int main() { assert(!(a != b)); assert((a == b)); - a = -0.5; b = -0.5; + a = -0.5; + b = -0.5; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); assert((a >= b)); assert(!(a != b)); assert((a == b)); + } + -- cgit 1.4.1 From ee77fe4094273f6b618aa72b2aa0d79efd8bd31e Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 15 Jul 2020 10:35:38 +0200 Subject: improve len encoding in redqueen --- src/afl-fuzz-redqueen.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 724da407..a42e1b52 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -277,9 +277,9 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 * o_buf_8 = &orig_buf[idx]; u32 its_len = len - idx; - *status = 0; + // *status = 0; - if (SHAPE_BYTES(h->shape) == 8) { + if (SHAPE_BYTES(h->shape) >= 8) { if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) { @@ -290,7 +290,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } // reverse encoding - if (do_reverse) { + if (do_reverse && *status != 1) { if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), SWAP64(o_pattern), idx, orig_buf, buf, 
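Review bot: `// *status = 0;` is left behind as commented-out code in cmp_extend_encoding; since the `-482` and `-499` hunks of this commit now set `status = 0;` at both call sites, delete the line and record the new contract on the parameter instead, e.g. `/* status: caller initialises to 0; set to 1 once a replacement was applied, which stops the narrower widths below */`. The `*status != 1` guards added here and in the `-304`, `-316`, `-330`, `-342` and `-356` hunks all express that rule, so one comment above the first `SHAPE_BYTES(h->shape) >= 8` check covers them. cmp_extend_encoding starts and ends outside the hunk.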
@@ -304,7 +304,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 }
- if (SHAPE_BYTES(h->shape) == 4 || *status == 2) {
+ if (SHAPE_BYTES(h->shape) >= 4 && *status != 1) {
 if (its_len >= 4 && *buf_32 == (u32)pattern && *o_buf_32 == (u32)o_pattern) {
@@ -316,7 +316,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 }
 // reverse encoding
- if (do_reverse) {
+ if (do_reverse && *status != 1) {
 if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), SWAP32(o_pattern), idx, orig_buf, buf,
@@ -330,7 +330,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 }
- if (SHAPE_BYTES(h->shape) == 2 || *status == 2) {
+ if (SHAPE_BYTES(h->shape) >= 2 && *status != 1) {
 if (its_len >= 2 && *buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) {
@@ -342,7 +342,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 }
 // reverse encoding
- if (do_reverse) {
+ if (do_reverse && *status != 1) {
 if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), SWAP16(o_pattern), idx, orig_buf, buf,
@@ -356,7 +356,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 }
- if (SHAPE_BYTES(h->shape) == 1 || *status == 2) {
+ if (SHAPE_BYTES(h->shape) >= 1 && *status != 1) {
 if (its_len >= 1 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) {
@@ -482,6 +482,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 for (idx = 0; idx < len && fails < 8; ++idx) {
+ status = 0;
 if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, 1, &status))) {
@@ -499,6 +500,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 }
+ status = 0;
 if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, 1, &status))) {
-- cgit 1.4.1
From 1ec2615a3ed98b991315a40217407136514b53f1 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Thu, 16 Jul 2020 00:53:08 +0200
Subject: tiny fixes
---
.gitignore | 4 ++++
examples/afl_frida/afl-frida.c | 4 ++--
src/afl-gcc.c | 3 +++
3 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/.gitignore b/.gitignore
index 1000cc6f..1b7904ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,10 @@
 .test
 .test2
+.sync_tmp
 *.o
 *.so
 *.pyc
+*.dSYM
 afl-analyze
 afl-as
 afl-clang
@@ -55,3 +57,5 @@ test/unittests/unit_rand
 test/unittests/unit_hash
 examples/afl_network_proxy/afl-network-server
 examples/afl_network_proxy/afl-network-client
+in
+out
diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c
index 7038e1bd..2ad5a72a 100644
--- a/examples/afl_frida/afl-frida.c
+++ b/examples/afl_frida/afl-frida.c
@@ -126,8 +126,8 @@ static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##";
 void __afl_manual_init();
 // Because we do our own logging.
-extern uint8_t *__afl_area_ptr;
- static __thread guint64 previous_pc;
+extern uint8_t * __afl_area_ptr;
+static __thread guint64 previous_pc;
 // Frida stuff below.
 typedef struct {
diff --git a/src/afl-gcc.c b/src/afl-gcc.c
index 8d91164b..22e6be8e 100644
--- a/src/afl-gcc.c
+++ b/src/afl-gcc.c
@@ -132,6 +132,9 @@ static void edit_params(u32 argc, char **argv) {
 name = argv[0];
+ /* This should never happen but fixes a scan-build warning */
+ if (!name) { FATAL("Empty argv set"); }
+
 } else {
 ++name;
-- cgit 1.4.1
From a84c958647a97ec9f43c2e534715d85213075778 Mon Sep 17 00:00:00 2001
@@ -177,6 +177,9 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
 afl->stage_cycles[STAGE_COLORIZATION] += afl->stage_cur;
 ck_free(backup);
+ ck_free(rng);
+ rng = NULL;
+
 while (ranges) {
 rng = ranges;
@@ -185,10 +188,6 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
 rng = NULL;
 }
-
- ck_free(rng);
- rng = NULL;
-
 // save the input with the high entropy
 if (needs_write) {
-- cgit 1.4.1
From 4314e59af9a2224443fa38ac8145eba305189d97 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Thu, 16 Jul 2020 02:03:52 +0200
Subject: code format
---
src/afl-fuzz-redqueen.c | 1 +
1 file changed, 1 insertion(+)
(limited to 'src')
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 3f5fc23a..c53e0e06 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -188,6 +188,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
 rng = NULL;
 }
+
 // save the input with the high entropy
 if (needs_write) {
-- cgit 1.4.1
From c2b04bdf6c596f5d220f27caead20d09452ed42d Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Thu, 16 Jul 2020 14:32:41 +0200
Subject: queue buffer and new splice havoc mutation
---
include/afl-fuzz.h | 4 ++
src/afl-fuzz-one.c | 111 +++++++++++++++++++++++++++++++++++++++++++--------
src/afl-fuzz-queue.c | 5 +++
src/afl-fuzz-state.c | 1 +
4 files changed, 104 insertions(+), 17 deletions(-)
(limited to 'src')
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index c9f84c61..adab8155 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -546,6 +546,10 @@ typedef struct afl_state {
 *queue_top, /* Top of the list */
 *q_prev100; /* Previous 100 marker */
+ // growing buf
+ struct queue_entry **queue_buf;
+ size_t queue_size;
+
 struct queue_entry **top_rated; /* Top entries for bitmap bytes */
 struct extra_data *extras; /* Extra tokens to fuzz with */
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 72383727..399bfcab 100644
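Review bot: The relocated `ck_free(rng); rng = NULL;` now runs before the `while (ranges)` drain loop, which is only correct if `rng` at that point holds a range that was already unlinked from `ranges`; otherwise it is freed here and once more inside the loop. The hunk does not show how `rng` was obtained, so the invariant should be written where it is relied on, e.g. `/* rng may still hold a range popped from the list but not yet freed; release it before draining the rest */`. Without that note the next cleanup can easily move the free back below the loop, where it was a no-op because every loop iteration ends with `rng = NULL`. colorization starts and ends outside the hunk.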
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1897,7 +1897,7 @@ havoc_stage:
 }
 switch (rand_below(
- afl, 15 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) {
+ afl, 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) {
 case 0:
@@ -2190,12 +2190,102 @@ havoc_stage: break; + } + + case 15: { + + /* Overwrite bytes with a randomly selected chunk from another + testcase or insert that chunk. */ + + if (afl->queued_paths < 2) break; + + /* Pick a random queue entry and seek to it. */ + + u32 tid; + do + tid = rand_below(afl, afl->queued_paths); + while (tid == afl->current_entry); + + struct queue_entry* target = afl->queue_buf[tid]; + + /* Make sure that the target has a reasonable length. */ + + while (target && (target->len < 2 || target == afl->queue_cur)) + target = target->next; + + if (!target) break; + + /* Read the testcase into a new buffer. */ + + fd = open(target->fname, O_RDONLY); + + if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); } + + u32 new_len = target->len; + u8 * new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), new_len); + + ck_read(fd, new_buf, new_len, target->fname); + + close(fd); + + u8 overwrite = 0; + if (temp_len >= 2 && rand_below(afl, 2)) + overwrite = 1; + else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) { + if (temp_len >= 2) overwrite = 1; + else break; + } + + if (overwrite) { + + u32 copy_from, copy_to, copy_len; + + copy_len = choose_block_len(afl, new_len - 1); + if (copy_len > temp_len) copy_len = temp_len; + + copy_from = rand_below(afl, new_len - copy_len + 1); + copy_to = rand_below(afl, temp_len - copy_len + 1); + + memmove(out_buf + copy_to, new_buf + copy_from, copy_len); + + } else { + + u32 clone_from, clone_to, clone_len; + + clone_len = choose_block_len(afl, new_len); + clone_from = rand_below(afl, new_len - clone_len + 1); + + clone_to = rand_below(afl, temp_len); + + u8 * temp_buf = + ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); + + /* Head */ + + memcpy(temp_buf, out_buf, clone_to); + + /* Inserted part */ + + memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len); + + /* Tail */ + memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); + + swap_bufs(BUF_PARAMS(out), 
BUF_PARAMS(out_scratch)); + out_buf = temp_buf; + temp_len += clone_len; + + } + + break; + } /* Values 15 and 16 can be selected only if there are any extras present in the dictionaries. */ - case 15: { + case 16: { /* Overwrite bytes with an extra. */ @@ -2233,7 +2323,7 @@ havoc_stage: } - case 16: { + case 17: { u32 use_extra, extra_len, insert_at = rand_below(afl, temp_len + 1); u8 *ptr; @@ -2357,20 +2447,7 @@ retry_splicing: } while (tid == afl->current_entry); afl->splicing_with = tid; - target = afl->queue; - - while (tid >= 100) { - - target = target->next_100; - tid -= 100; - - } - - while (tid--) { - - target = target->next; - - } + target = afl->queue_buf[tid]; /* Make sure that the target has a reasonable length. */ diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 7afdd9f1..a96995e5 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -25,6 +25,8 @@ #include "afl-fuzz.h" #include +#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size + /* Mark deterministic checks as done for a particular queue entry. We use the .state file to avoid repeating deterministic fuzzing when resuming aborted scans. */ @@ -137,6 +139,9 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { afl->q_prev100 = q; } + + struct queue_entry** queue_buf = ck_maybe_grow(BUF_PARAMS(queue), afl->queued_paths * sizeof(struct queue_entry*)); + queue_buf[afl->queued_paths -1] = q; afl->last_path_time = get_cur_time(); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index e0e43f54..e56d122a 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -405,6 +405,7 @@ void afl_state_deinit(afl_state_t *afl) { if (afl->pass_stats) { ck_free(afl->pass_stats); } if (afl->orig_cmp_map) { ck_free(afl->orig_cmp_map); } + if (afl->queue_buf) { free(afl->queue_buf); } if (afl->out_buf) { free(afl->out_buf); } if (afl->out_scratch_buf) { free(afl->out_scratch_buf); } if (afl->eff_buf) { free(afl->eff_buf); } -- cgit 1.4.1 
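Review bot: The context comment `/* Values 15 and 16 can be selected only if there are any extras present in the dictionaries. */` is now stale, because this hunk renumbers those cases to 16 and 17 and inserts the new splice-from-queue case as 15; it should read `/* Values 16 and 17 can be selected only if there are any extras present in the dictionaries. */`. Case 15 reopens and reads the donor test case from disk (`open(target->fname, O_RDONLY)`, `ck_read`, `close`) every time it is chosen, which makes it the only havoc mutation that performs I/O per iteration; if that is accepted for now, a comment saying so would help, otherwise the donor could be cached per queue entry. `copy_len = choose_block_len(afl, new_len - 1);` also deserves a why-comment, since it is not obvious why the overwrite path caps at `new_len - 1` while the insert path uses `new_len`. Style: `struct queue_entry* target` puts the star on the type while the rest of the hunk writes `u8 * new_buf`; pick one form. The enclosing havoc loop starts and ends outside the hunk.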
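Review bot: `queue_buf[afl->queued_paths -1] = q;` assumes `afl->queued_paths` was already incremented for this entry earlier in add_to_queue; that increment is not in the hunk, so if it happens after this point the new entry lands one slot early. A comment at the store, `/* queued_paths already counts q */`, or indexing through a local count taken where the increment happens, would make the dependency explicit. `ck_maybe_grow(BUF_PARAMS(queue), afl->queued_paths * sizeof(struct queue_entry*))` requests exactly the needed size on every add; whether that amortises depends on ck_maybe_grow, which is not visible here. The `BUF_PARAMS` macro is now defined locally in afl-fuzz-queue.c and, in the later commit on this page, again in afl-fuzz-one.c; a single definition in afl-fuzz.h would keep the two from drifting. add_to_queue starts and ends outside the hunk.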
From 5e10f660e80abab73b334322bdea29a28d43bf53 Mon Sep 17 00:00:00 2001 From: h1994st Date: Sat, 18 Jul 2020 02:16:04 -0400 Subject: Allow the fuzzer to write empty buffer (i.e., len == 0) to the file --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 2a1664e2..f1da9c65 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -109,7 +109,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { }); - if (unlikely(!new_buf && (new_size <= 0))) { + if (unlikely(!new_buf && (new_size < 0))) { FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size); -- cgit 1.4.1 From 67d2e6319bed90c06cf54b5d9a7a4bae51df317d Mon Sep 17 00:00:00 2001 From: h1994st Date: Sat, 18 Jul 2020 23:20:32 -0400 Subject: Skip the empty test case generated by the custom trimming --- src/afl-fuzz-mutators.c | 11 +++++++++++ src/afl-fuzz-run.c | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 9fc77ffe..f6b36843 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -286,6 +286,15 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, "Trimmed data returned by custom mutator is larger than original " "data"); + } else if (unlikely(retlen == 0)) { + + /* Do not run the empty test case on the target. To keep the custom + trimming function running, we simply treat the empty test case as an + unsuccessful trimming and skip it, instead of aborting the trimming. */ + + ++afl->trim_execs; + goto unsuccessful_trimming; + } write_to_testcase(afl, retbuf, retlen); @@ -325,6 +334,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, } else { +unsuccessful_trimming: + /* Tell the custom mutator that the trimming was unsuccessful */ afl->stage_cur = mutator->afl_custom_post_trim(mutator->data, 0); if (unlikely(afl->stage_cur < 0)) { 
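Review bot: `goto unsuccessful_trimming;` in the new `retlen == 0` branch jumps into the body of the `else` block of a later `if`, which is legal C but fragile once that block is reshaped; the label should carry a comment such as `/* also reached via goto from the retlen == 0 check above */`, and the following commit on this page only re-indents it. `++afl->trim_execs;` is counted for a test case that is neither written nor executed, so if trim_execs is meant to count target executions this inflates it; if it counts trimming attempts, the comment block should say that. trim_case_custom starts and ends outside the hunk.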
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index f1da9c65..2a1664e2 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -109,7 +109,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 });
- if (unlikely(!new_buf && (new_size < 0))) {
+ if (unlikely(!new_buf && (new_size <= 0))) {
 FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size);
-- cgit 1.4.1
From 6c163910eec79058bdaf3a358e75d579da1f9112 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 20 Jul 2020 12:08:31 +0200
Subject: debug test for rng
---
src/afl-fu-mutators.c | 2 +-
src/afl-fuzz.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index f6b36843..0fb34ab7 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -334,7 +334,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 } else {
-unsuccessful_trimming:
+ unsuccessful_trimming:
 /* Tell the custom mutator that the trimming was unsuccessful */
 afl->stage_cur = mutator->afl_custom_post_trim(mutator->data, 0);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 872ed9ae..df2896d2 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1048,6 +1048,12 @@ int main(int argc, char **argv_orig, char **envp) {
 }
+ #ifdef RAND_TEST_VALUES
+ u32 counter;
+ for (counter = 0; counter < 100000; counter++)
+ printf("DEBUG: rand %06d is %u\n", counter, rand_below(afl, 65536));
+ #endif
+
 setup_custom_mutators(afl);
 setup_cmdline_file(afl, argv + optind);
-- cgit 1.4.1
From ce9b4698fec5222e0af1b62d68c4105e6364771e Mon Sep 17 00:00:00 2001
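Review bot: `printf("DEBUG: rand %06d is %u\n", counter, rand_below(afl, 65536));` prints `counter`, declared `u32`, through `%06d`; the conversion should match the unsigned type, `%06u`, or `-Wformat` will flag the mismatch. The `for` body is a single unbraced statement inside the `#ifdef`; bracing it keeps the debug block consistent with the rest of main, which braces one-line bodies. main starts and ends outside the hunk.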
From: van Hauser Date: Tue, 21 Jul 2020 20:53:51 +0200 Subject: added andrea's splicing, added cycle_schedules --- GNUmakefile | 2 +- include/afl-fuzz.h | 11 +- include/config.h | 24 ++ include/envs.h | 1 + src/afl-fuzz-one.c | 719 +++++++++++++++++++++++++++++++++++++++++++-------- src/afl-fuzz-queue.c | 112 +++++++- src/afl-fuzz-state.c | 7 + src/afl-fuzz.c | 80 +++++- 8 files changed, 834 insertions(+), 122 deletions(-) (limited to 'src') diff --git a/GNUmakefile b/GNUmakefile index f44ef95e..86d6a947 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -455,7 +455,7 @@ code-format: ./.custom-format.py -i llvm_mode/*.h ./.custom-format.py -i llvm_mode/*.cc ./.custom-format.py -i gcc_plugin/*.c - #./.custom-format.py -i gcc_plugin/*.h + @#./.custom-format.py -i gcc_plugin/*.h ./.custom-format.py -i gcc_plugin/*.cc ./.custom-format.py -i custom_mutators/*/*.c ./.custom-format.py -i custom_mutators/*/*.h diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index adab8155..96d3d9f4 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -139,7 +139,8 @@ struct queue_entry { var_behavior, /* Variable behavior? */ favored, /* Currently favored? */ fs_redundant, /* Marked as redundant in the fs? */ - fully_colorized; /* Do not run redqueen stage again */ + fully_colorized, /* Do not run redqueen stage again */ + is_ascii; /* Is the input just ascii text? */ u32 bitmap_size, /* Number of bits set in bitmap */ fuzz_level; /* Number of fuzzing iterations */ @@ -333,7 +334,7 @@ typedef struct afl_env_vars { afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui, afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_bench_until_crash, afl_debug_child_output, afl_autoresume, - afl_cal_fast; + afl_cal_fast, afl_cycle_schedules; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, *afl_preload; 
@@ -454,7 +455,9 @@ typedef struct afl_state { fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ disable_trim, /* Never trim in fuzz_one */ - shmem_testcase_mode; /* If sharedmem testcases are used */ + shmem_testcase_mode, /* If sharedmem testcases are used */ + expand_havoc, /* perform expensive havoc after no find */ + cycle_schedules; /* cycle power schedules ? */ u8 *virgin_bits, /* Regions yet untouched by fuzzing */ *virgin_tmout, /* Bits we haven't seen in tmouts */ @@ -548,7 +551,7 @@ typedef struct afl_state { // growing buf struct queue_entry **queue_buf; - size_t queue_size; + size_t queue_size; struct queue_entry **top_rated; /* Top entries for bitmap bytes */ diff --git a/include/config.h b/include/config.h index 4503c3e9..9710cd1f 100644 --- a/include/config.h +++ b/include/config.h @@ -401,5 +401,29 @@ // #define IGNORE_FINDS +/* Text mutations */ + +/* What is the minimum length of a queue input to be evaluated for "is_ascii"? ++ */ + +#define AFL_TXT_MIN_LEN 12 + +/* What is the minimum percentage of ascii characters present to be classifed + as "is_ascii"? */ + +#define AFL_TXT_MIN_PERCENT 95 + +/* How often to perform ASCII mutations 0 = disable, 1-8 are good values */ + +#define AFL_TXT_BIAS 6 + +/* Maximum length of a string to tamper with */ + +#define AFL_TXT_STRING_MAX_LEN 1024 + +/* Maximum mutations on a string */ + +#define AFL_TXT_STRING_MAX_MUTATIONS 8 + #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/envs.h b/include/envs.h index 86222418..cb3c183e 100644 --- a/include/envs.h +++ b/include/envs.h @@ -34,6 +34,7 @@ static char *afl_environment_variables[] = { "AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", + "AFL_CYCLE_SCHEDULES", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT", "AFL_DEBUG_GDB", diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 399bfcab..250409da 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c 
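Review bot: The new comment above `AFL_TXT_MIN_PERCENT` in config.h reads `classifed`; it should be `classified`. The comment above `AFL_TXT_MIN_LEN` appears to end with a stray line `+ */` that is part of the file rather than a diff marker (the hunk's 24 added lines leave no room for it as a blank line), so it should become just ` */`. A word on units would also help: `AFL_TXT_MIN_PERCENT 95` is a percentage of bytes, while `AFL_TXT_BIAS 6` is described as "0 = disable, 1-8 are good values" without saying what the number scales.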
@@ -24,6 +24,11 @@
 */
 #include "afl-fuzz.h"
+#include
+
+static u8 *strnstr(const u8 *s, const u8 *find, size_t slen);
+static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from,
+ u8 *to);
 /* MOpt */
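Review bot: `static u8 *strnstr(const u8 *s, const u8 *find, size_t slen);` declares a function with the same name as the `strnstr` that the BSD and macOS C libraries export from `<string.h>` with `const char *` parameters; on those platforms a static declaration with a different signature after the libc prototype is a compile error, and elsewhere it silently shadows a libc symbol. Renaming it, e.g. `static u8 *afl_strnstr(const u8 *s, const u8 *find, size_t slen);`, and updating the definition and callers in the `-362` hunk below avoids both. The added `#include` line lost its header name in this rendering, so the intended header cannot be checked here.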
@@ -362,6 +367,450 @@ static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) { #endif /* !IGNORE_FINDS */ +#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size + +/* search a string */ + +static u8 *strnstr(const u8 *s, const u8 *find, size_t slen) { + + char c, sc; + size_t len; + + if ((c = *find++) != '\0') { + + len = strlen(find); + do { + + do { + + if (slen-- < 1 || (sc = *s++) == '\0') return (NULL); + + } while (sc != c); + + if (len > slen) return (NULL); + + } while (strncmp(s, find, len) != 0); + + s--; + + } + + return ((u8 *)s); + +} + +/* replace between deliminators, if rep == NULL, then we will duplicate the + * target */ + +static u32 delim_replace(u8 **out_buf, s32 *temp_len, size_t pos, + const u8 *ldelim, const u8 *rdelim, u8 *rep) { + + u8 *end_buf = *out_buf + *temp_len; + u8 *ldelim_start = strnstr(*out_buf + pos, ldelim, *temp_len - pos); + + if (ldelim_start != NULL) { + + u32 max = (end_buf - ldelim_start - 1 > AFL_TXT_STRING_MAX_LEN + ? AFL_TXT_STRING_MAX_LEN + : end_buf - ldelim_start - 1); + + if (max > 0) { + + u8 *rdelim_end = strnstr(ldelim_start + 1, rdelim, max); + + if (rdelim_end != NULL) { + + u32 rep_len, delim_space_len = rdelim_end - ldelim_start - 1, xtra = 0; + + if (rep != NULL) { + + rep_len = (u32)strlen(rep); + + } else { // NULL? 
then we copy the value in between the delimiters + + rep_len = delim_space_len; + delim_space_len = 0; + rep = ldelim_start + 1; + xtra = rep_len; + + } + + if (rep_len != delim_space_len) { + + memmove(ldelim_start + rep_len + xtra + 1, rdelim_end, + *temp_len - (rdelim_end - *out_buf)); + + } + + memcpy(ldelim_start + 1, rep, rep_len); + *temp_len = (*temp_len - delim_space_len + rep_len); + + return 1; + + } + + } + + } + + return 0; + +} + +static u32 delim_swap(u8 **out_buf, s32 *temp_len, size_t pos, const u8 *ldelim, + const u8 *mdelim, const u8 *rdelim) { + + u8 *out_buf_end = *out_buf + *temp_len; + u32 max = (*temp_len - pos > AFL_TXT_STRING_MAX_LEN ? AFL_TXT_STRING_MAX_LEN + : *temp_len - pos); + u8 *ldelim_start = strnstr(*out_buf + pos, ldelim, max); + + if (ldelim_start != NULL) { + + max = (out_buf_end - ldelim_start - 1 > AFL_TXT_STRING_MAX_LEN + ? AFL_TXT_STRING_MAX_LEN + : out_buf_end - ldelim_start - 1); + if (max > 1) { + + u8 *mdelim_pos = strnstr(ldelim_start + 1, mdelim, max); + + if (mdelim_pos != NULL) { + + max = (out_buf_end - mdelim_pos - 1 > AFL_TXT_STRING_MAX_LEN + ? 
AFL_TXT_STRING_MAX_LEN + : out_buf_end - mdelim_pos - 1); + if (max > 0) { + + u8 *rdelim_end = strnstr(mdelim + 1, rdelim, max); + + if (rdelim_end != NULL) { + + u32 first_len = mdelim_pos - ldelim_start - 1; + u32 second_len = rdelim_end - mdelim_pos - 1; + u8 scratch[AFL_TXT_STRING_MAX_LEN]; + + memcpy(scratch, ldelim_start + 1, first_len); + + if (first_len != second_len) { + + memmove(ldelim_start + second_len + 1, mdelim_pos, + out_buf_end - mdelim_pos); + + } + + memcpy(ldelim_start + 1, mdelim_pos + 1, second_len); + + if (first_len != second_len) { + + memmove(mdelim_pos + first_len + 1, rdelim_end, + out_buf_end - rdelim_end); + + } + + memcpy(mdelim_pos + 1, scratch, first_len); + + return 1; + + } + + } + + } + + } + + } + + return 0; + +} + +/* replace a string */ + +static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from, + u8 *to) { + + u8 *start = strnstr(*out_buf + pos, from, *temp_len - pos); + + if (start) { + + u32 from_len = strlen(from); + u32 to_len = strlen(to); + + if (from_len != to_len) { + + memmove(start + to_len, start + from_len, + *temp_len - from_len - (start - *out_buf)); + + } + + memcpy(start, to, to_len); + *temp_len = (*temp_len - from_len + to_len); + + return 1; + + } + + return 0; + +} + +/* Returns 1 if a mutant was generated and placed in out_buf, 0 if none + * generated. 
*/ + +static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { + + s32 temp_len; + u32 pos, yes = 0, + mutations = rand_below(afl, AFL_TXT_STRING_MAX_MUTATIONS) + 1; + u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), + *orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS); + temp_len = *orig_temp_len; + memcpy(new_buf, *out_buf, temp_len); + + for (u32 i = 0; i < mutations; i++) { + + if (temp_len < AFL_TXT_MIN_LEN) { return 0; } + + pos = rand_below(afl, temp_len - 1); + int choice = rand_below(afl, 72); + switch (choice) { + + case 0: /* Semantic statement deletion */ + yes += string_replace(out_buf, &temp_len, pos, "\n", "#"); + break; + case 1: + yes += string_replace(out_buf, &temp_len, pos, "(", "(!"); + break; + case 2: + yes += string_replace(out_buf, &temp_len, pos, "==", "!="); + break; + case 3: + yes += string_replace(out_buf, &temp_len, pos, "!=", "=="); + break; + case 4: + yes += string_replace(out_buf, &temp_len, pos, "==", "<"); + break; + case 5: + yes += string_replace(out_buf, &temp_len, pos, "<", "=="); + break; + case 6: + yes += string_replace(out_buf, &temp_len, pos, "==", ">"); + break; + case 7: + yes += string_replace(out_buf, &temp_len, pos, ">", "=="); + break; + case 8: + yes += string_replace(out_buf, &temp_len, pos, "=", "<"); + break; + case 9: + yes += string_replace(out_buf, &temp_len, pos, "=", ">"); + break; + case 10: + yes += string_replace(out_buf, &temp_len, pos, "<", ">"); + break; + case 11: + yes += string_replace(out_buf, &temp_len, pos, ">", "<"); + break; + case 12: + yes += string_replace(out_buf, &temp_len, pos, "++", "--"); + break; + case 13: + yes += string_replace(out_buf, &temp_len, pos, "--", "++"); + break; + case 14: + yes += string_replace(out_buf, &temp_len, pos, "+", "-"); + break; + case 15: + yes += string_replace(out_buf, &temp_len, pos, "+", "*"); + break; + case 16: + yes += string_replace(out_buf, &temp_len, pos, "+", "/"); + break; + case 17: + yes += string_replace(out_buf, 
&temp_len, pos, "+", "%"); + break; + case 18: + yes += string_replace(out_buf, &temp_len, pos, "*", "-"); + break; + case 19: + yes += string_replace(out_buf, &temp_len, pos, "*", "+"); + break; + case 20: + yes += string_replace(out_buf, &temp_len, pos, "*", "/"); + break; + case 21: + yes += string_replace(out_buf, &temp_len, pos, "*", "%"); + break; + case 22: + yes += string_replace(out_buf, &temp_len, pos, "-", "+"); + break; + case 23: + yes += string_replace(out_buf, &temp_len, pos, "-", "*"); + break; + case 24: + yes += string_replace(out_buf, &temp_len, pos, "-", "/"); + break; + case 25: + yes += string_replace(out_buf, &temp_len, pos, "-", "%"); + break; + case 26: + yes += string_replace(out_buf, &temp_len, pos, "/", "-"); + break; + case 27: + yes += string_replace(out_buf, &temp_len, pos, "/", "*"); + break; + case 28: + yes += string_replace(out_buf, &temp_len, pos, "/", "+"); + break; + case 29: + yes += string_replace(out_buf, &temp_len, pos, "/", "%"); + break; + case 30: + yes += string_replace(out_buf, &temp_len, pos, "%", "-"); + break; + case 31: + yes += string_replace(out_buf, &temp_len, pos, "%", "*"); + break; + case 32: + yes += string_replace(out_buf, &temp_len, pos, "%", "/"); + break; + case 33: + yes += string_replace(out_buf, &temp_len, pos, "%", "+"); + break; + case 34: + yes += string_replace(out_buf, &temp_len, pos, " ", "|"); + break; + case 35: + yes += string_replace(out_buf, &temp_len, pos, " ", "$"); + break; + case 36: + yes += string_replace(out_buf, &temp_len, pos, "0", "1"); + break; + case 37: + yes += string_replace(out_buf, &temp_len, pos, "1", "0"); + break; + case 38: + yes += string_replace(out_buf, &temp_len, pos, " ", "`"); + break; + case 39: + yes += string_replace(out_buf, &temp_len, pos, " ", "\""); + break; + case 40: + yes += string_replace(out_buf, &temp_len, pos, ";", " "); + break; + case 41: + yes += string_replace(out_buf, &temp_len, pos, "&&", "||"); + break; + case 42: + yes += 
string_replace(out_buf, &temp_len, pos, "||", "&&"); + break; + case 43: + yes += string_replace(out_buf, &temp_len, pos, "!", ""); + break; + case 44: + yes += string_replace(out_buf, &temp_len, pos, "==", "="); + break; + case 45: + yes += string_replace(out_buf, &temp_len, pos, "--", ""); + break; + case 46: + yes += string_replace(out_buf, &temp_len, pos, "<<", "<"); + break; + case 47: + yes += string_replace(out_buf, &temp_len, pos, ">>", ">"); + break; + case 48: + yes += string_replace(out_buf, &temp_len, pos, "<", "<<"); + break; + case 49: + yes += string_replace(out_buf, &temp_len, pos, ">", ">>"); + break; + case 50: + yes += string_replace(out_buf, &temp_len, pos, "\"", "'"); + break; + case 51: + yes += string_replace(out_buf, &temp_len, pos, "'", "\""); + break; + case 52: + yes += string_replace(out_buf, &temp_len, pos, "(", "\""); + break; + case 53: /* Remove a semicolon delimited statement after a semicolon */ + yes += delim_replace(out_buf, &temp_len, pos, ";", ";", ";"); + break; + case 54: /* Remove a semicolon delimited statement after a left curly + brace */ + yes += delim_replace(out_buf, &temp_len, pos, "}", ";", "}"); + break; + case 55: /* Remove a curly brace construct */ + yes += delim_replace(out_buf, &temp_len, pos, "{", "}", ""); + break; + case 56: /* Replace a curly brace construct with an empty one */ + yes += delim_replace(out_buf, &temp_len, pos, "{", "}", "{}"); + break; + case 57: + yes += delim_swap(out_buf, &temp_len, pos, ";", ";", ";"); + break; + case 58: + yes += delim_swap(out_buf, &temp_len, pos, "}", ";", ";"); + break; + case 59: /* Swap comma delimited things case 1 */ + yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ")"); + break; + case 60: /* Swap comma delimited things case 2 */ + yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ","); + break; + case 61: /* Swap comma delimited things case 3 */ + yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ","); + break; + case 62: /* Swap comma delimited 
things case 4 */ + yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ")"); + break; + case 63: /* Just delete a line */ + yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", ""); + break; + case 64: /* Delete something like "const" case 1 */ + yes += delim_replace(out_buf, &temp_len, pos, " ", " ", ""); + break; + case 65: /* Delete something like "const" case 2 */ + yes += delim_replace(out_buf, &temp_len, pos, "\n", " ", ""); + break; + case 66: /* Delete something like "const" case 3 */ + yes += delim_replace(out_buf, &temp_len, pos, "(", " ", ""); + break; + case 67: /* Swap space delimited things case 1 */ + yes += delim_swap(out_buf, &temp_len, pos, " ", " ", " "); + break; + case 68: /* Swap space delimited things case 2 */ + yes += delim_swap(out_buf, &temp_len, pos, " ", " ", ")"); + break; + case 69: /* Swap space delimited things case 3 */ + yes += delim_swap(out_buf, &temp_len, pos, "(", " ", " "); + break; + case 70: /* Swap space delimited things case 4 */ + yes += delim_swap(out_buf, &temp_len, pos, "(", " ", ")"); + break; + case 71: /* Duplicate a single line of code */ + yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", NULL); + break; + case 72: /* Duplicate a construct (most often, a non-nested for loop */ + yes += delim_replace(out_buf, &temp_len, pos, "\n", "}", NULL); + break; + + } + + } + + if (yes == 0 || temp_len <= 0) { return 0; } + + swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); + *out_buf = new_buf; + *orig_temp_len = temp_len; + + return 1; + +} + /* Take the current entry from the queue, fuzz it for a while. This function is a tad too long... returns 0 if fuzzed successfully, 1 if skipped or bailed out. */ 
@@ -1854,6 +2303,22 @@ havoc_stage: /* We essentially just do several thousand runs (depending on perf_score) where we take the input file and make random stacked tweaks. */ + u32 r_max, r; + + if (unlikely(afl->expand_havoc)) { + + /* add expensive havoc cases here, they are activated after a full + cycle without finds happened */ + + r_max = 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0) + + (afl->queue_cur->is_ascii ? AFL_TXT_BIAS : 0); + + } else { + + r_max = 15 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0); + + } + for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { u32 use_stacking = 1 << (1 + rand_below(afl, HAVOC_STACK_POW2)); @@ -1896,8 +2361,9 @@ havoc_stage: } - switch (rand_below( - afl, 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) { + retry_havoc: + + switch ((r = rand_below(afl, r_max))) { case 0: 
@@ -2191,176 +2657,203 @@ havoc_stage: break; } - - case 15: { - /* Overwrite bytes with a randomly selected chunk from another - testcase or insert that chunk. */ + default: - if (afl->queued_paths < 2) break; + if (likely(r <= 16 && (afl->extras_cnt || afl->a_extras_cnt))) { - /* Pick a random queue entry and seek to it. */ + /* Values 15 and 16 can be selected only if there are any extras + present in the dictionaries. */ - u32 tid; - do - tid = rand_below(afl, afl->queued_paths); - while (tid == afl->current_entry); + if (r == 15) { - struct queue_entry* target = afl->queue_buf[tid]; + /* Overwrite bytes with an extra. */ - /* Make sure that the target has a reasonable length. */ + if (!afl->extras_cnt || + (afl->a_extras_cnt && rand_below(afl, 2))) { - while (target && (target->len < 2 || target == afl->queue_cur)) - target = target->next; + /* No user-specified extras or odds in our favor. Let's use an + auto-detected one. */ - if (!target) break; + u32 use_extra = rand_below(afl, afl->a_extras_cnt); + u32 extra_len = afl->a_extras[use_extra].len; + u32 insert_at; - /* Read the testcase into a new buffer. */ + if (extra_len > temp_len) { break; } - fd = open(target->fname, O_RDONLY); + insert_at = rand_below(afl, temp_len - extra_len + 1); + memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, + extra_len); - if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); } + } else { - u32 new_len = target->len; - u8 * new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), new_len); + /* No auto extras or odds in our favor. Use the dictionary. 
*/ - ck_read(fd, new_buf, new_len, target->fname); + u32 use_extra = rand_below(afl, afl->extras_cnt); + u32 extra_len = afl->extras[use_extra].len; + u32 insert_at; - close(fd); + if (extra_len > temp_len) { break; } - u8 overwrite = 0; - if (temp_len >= 2 && rand_below(afl, 2)) - overwrite = 1; - else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) { - if (temp_len >= 2) overwrite = 1; - else break; - } + insert_at = rand_below(afl, temp_len - extra_len + 1); + memcpy(out_buf + insert_at, afl->extras[use_extra].data, + extra_len); - if (overwrite) { + } - u32 copy_from, copy_to, copy_len; + break; - copy_len = choose_block_len(afl, new_len - 1); - if (copy_len > temp_len) copy_len = temp_len; + } else { // case 16 - copy_from = rand_below(afl, new_len - copy_len + 1); - copy_to = rand_below(afl, temp_len - copy_len + 1); + u32 use_extra, extra_len, + insert_at = rand_below(afl, temp_len + 1); + u8 *ptr; - memmove(out_buf + copy_to, new_buf + copy_from, copy_len); + /* Insert an extra. Do the same dice-rolling stuff as for the + previous case. 
*/ - } else { - - u32 clone_from, clone_to, clone_len; - - clone_len = choose_block_len(afl, new_len); - clone_from = rand_below(afl, new_len - clone_len + 1); - - clone_to = rand_below(afl, temp_len); + if (!afl->extras_cnt || + (afl->a_extras_cnt && rand_below(afl, 2))) { - u8 * temp_buf = - ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); + use_extra = rand_below(afl, afl->a_extras_cnt); + extra_len = afl->a_extras[use_extra].len; + ptr = afl->a_extras[use_extra].data; - /* Head */ + } else { - memcpy(temp_buf, out_buf, clone_to); + use_extra = rand_below(afl, afl->extras_cnt); + extra_len = afl->extras[use_extra].len; + ptr = afl->extras[use_extra].data; - /* Inserted part */ + } - memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len); + if (temp_len + extra_len >= MAX_FILE) { break; } - /* Tail */ - memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to, - temp_len - clone_to); + out_buf = ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len); - swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); - out_buf = temp_buf; - temp_len += clone_len; - - } + /* Tail */ + memmove(out_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); - break; + /* Inserted part */ + memcpy(out_buf + insert_at, ptr, extra_len); - } + temp_len += extra_len; - /* Values 15 and 16 can be selected only if there are any extras - present in the dictionaries. */ + break; - case 16: { + } - /* Overwrite bytes with an extra. */ + } else - if (!afl->extras_cnt || (afl->a_extras_cnt && rand_below(afl, 2))) { + switch (r) { - /* No user-specified extras or odds in our favor. Let's use an - auto-detected one. */ + case 15: // fall through + case 17: { - u32 use_extra = rand_below(afl, afl->a_extras_cnt); - u32 extra_len = afl->a_extras[use_extra].len; - u32 insert_at; + /* Overwrite bytes with a randomly selected chunk from another + testcase or insert that chunk. 
*/ - if (extra_len > temp_len) { break; } + if (afl->queued_paths < 2) break; - insert_at = rand_below(afl, temp_len - extra_len + 1); - memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, - extra_len); + /* Pick a random queue entry and seek to it. */ - } else { + u32 tid; + do + tid = rand_below(afl, afl->queued_paths); + while (tid == afl->current_entry); - /* No auto extras or odds in our favor. Use the dictionary. */ + struct queue_entry *target = afl->queue_buf[tid]; - u32 use_extra = rand_below(afl, afl->extras_cnt); - u32 extra_len = afl->extras[use_extra].len; - u32 insert_at; + /* Make sure that the target has a reasonable length. */ - if (extra_len > temp_len) { break; } + while (target && (target->len < 2 || target == afl->queue_cur)) + target = target->next; - insert_at = rand_below(afl, temp_len - extra_len + 1); - memcpy(out_buf + insert_at, afl->extras[use_extra].data, extra_len); + if (!target) break; - } + /* Read the testcase into a new buffer. */ - break; + fd = open(target->fname, O_RDONLY); - } + if (unlikely(fd < 0)) { + + PFATAL("Unable to open '%s'", target->fname); - case 17: { + } - u32 use_extra, extra_len, insert_at = rand_below(afl, temp_len + 1); - u8 *ptr; + u32 new_len = target->len; + u8 *new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), new_len); - /* Insert an extra. Do the same dice-rolling stuff as for the - previous case. 
*/ + ck_read(fd, new_buf, new_len, target->fname); - if (!afl->extras_cnt || (afl->a_extras_cnt && rand_below(afl, 2))) { + close(fd); - use_extra = rand_below(afl, afl->a_extras_cnt); - extra_len = afl->a_extras[use_extra].len; - ptr = afl->a_extras[use_extra].data; + u8 overwrite = 0; + if (temp_len >= 2 && rand_below(afl, 2)) + overwrite = 1; + else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) { - } else { + if (temp_len >= 2) + overwrite = 1; + else + break; - use_extra = rand_below(afl, afl->extras_cnt); - extra_len = afl->extras[use_extra].len; - ptr = afl->extras[use_extra].data; + } - } + if (overwrite) { - if (temp_len + extra_len >= MAX_FILE) { break; } + u32 copy_from, copy_to, copy_len; - out_buf = ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len); + copy_len = choose_block_len(afl, new_len - 1); + if (copy_len > temp_len) copy_len = temp_len; - /* Tail */ - memmove(out_buf + insert_at + extra_len, out_buf + insert_at, - temp_len - insert_at); + copy_from = rand_below(afl, new_len - copy_len + 1); + copy_to = rand_below(afl, temp_len - copy_len + 1); - /* Inserted part */ - memcpy(out_buf + insert_at, ptr, extra_len); + memmove(out_buf + copy_to, new_buf + copy_from, copy_len); - temp_len += extra_len; + } else { - break; + u32 clone_from, clone_to, clone_len; - } + clone_len = choose_block_len(afl, new_len); + clone_from = rand_below(afl, new_len - clone_len + 1); + + clone_to = rand_below(afl, temp_len); + + u8 *temp_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), + temp_len + clone_len); + + /* Head */ + + memcpy(temp_buf, out_buf, clone_to); + + /* Inserted part */ + + memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len); + + /* Tail */ + memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); + + swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); + out_buf = temp_buf; + temp_len += clone_len; + + } + + break; + + } + + default: + + // perform ascii mutations + if (text_mutation(afl, &out_buf, &temp_len) == 0) + 
goto retry_havoc; + + } // end default: switch(r) } @@ -4827,7 +5320,7 @@ u8 fuzz_one(afl_state_t *afl) { return (key_val_lv_1 | key_val_lv_2); -#undef BUF_PARAMS - } +#undef BUF_PARAMS + diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index a96995e5..56073b0a 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -24,6 +24,7 @@ #include "afl-fuzz.h" #include +#include #define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size 
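Review bot: The `} else switch (r) {` that closes the extras branch leaves an unbraced `else` whose body is a second `switch` with its own `default:`, all nested inside the outer `default:`, which is why the closing brace needs the `// end default: switch(r)` comment to be readable; writing it as `} else {` / `switch (r) {` … `}` / `}` and putting a reachability comment on the inner `default:` such as `/* only drawn when expand_havoc and queue_cur->is_ascii raised r_max */` would make the intent explicit. The inner `default:` re-rolls with `goto retry_havoc` and no retry bound, so each text_mutation() call that returns 0 costs another full draw; termination is only probabilistic (the non-text cases stay in range), and a one-line comment stating that assumption would help the next reader. The enclosing havoc `for` loop and the outer `switch` both start before this hunk.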
@@ -102,6 +103,108 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) { } +/* check if ascii or UTF-8 */ + +static u8 check_if_text(struct queue_entry *q) { + + if (q->len < AFL_TXT_MIN_LEN) return 0; + + u8 buf[MAX_FILE]; + s32 fd, len = q->len, offset = 0, ascii = 0, utf8 = 0, comp; + + if ((fd = open(q->fname, O_RDONLY)) < 0) return 0; + if ((comp = read(fd, buf, len)) != len) return 0; + close(fd); + + while (offset < len) { + + // ASCII: <= 0x7F to allow ASCII control characters + if ((buf[offset + 0] == 0x09 || buf[offset + 0] == 0x0A || + buf[offset + 0] == 0x0D || + (0x20 <= buf[offset + 0] && buf[offset + 0] <= 0x7E))) { + + offset++; + utf8++; + ascii++; + continue; + + } + + if (isascii((int)buf[offset]) || isprint((int)buf[offset])) { + + ascii++; + // we continue though as it can also be a valid utf8 + + } + + // non-overlong 2-byte + if (((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) { + + offset += 2; + utf8++; + comp--; + continue; + + } + + // excluding overlongs + if ((buf[offset + 0] == 0xE0 && + (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // straight 3-byte + (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) || + buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // excluding surrogates + (buf[offset + 0] == 0xED && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF))) { + + offset += 3; + utf8++; + comp -= 2; + continue; + + } + + // planes 1-3 + if ((buf[offset + 0] == 0xF0 && + (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && + buf[offset + 3] <= 0xBF)) || // planes 4-15 + ((0xF1 <= buf[offset + 0] && 
buf[offset + 0] <= 0xF3) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16 + (buf[offset + 0] == 0xF4 && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF))) { + + offset += 4; + utf8++; + comp -= 3; + continue; + + } + + offset++; + + } + + u32 percent_utf8 = (utf8 * 100) / comp; + u32 percent_ascii = (ascii * 100) / len; + + if (percent_utf8 >= percent_ascii && percent_utf8 >= AFL_TXT_MIN_PERCENT) + return 2; + if (percent_ascii >= AFL_TXT_MIN_PERCENT) return 1; + return 0; + +} + /* Append new test case to the queue. */ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { @@ -139,9 +242,10 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { afl->q_prev100 = q; } - - struct queue_entry** queue_buf = ck_maybe_grow(BUF_PARAMS(queue), afl->queued_paths * sizeof(struct queue_entry*)); - queue_buf[afl->queued_paths -1] = q; + + struct queue_entry **queue_buf = ck_maybe_grow( + BUF_PARAMS(queue), afl->queued_paths * sizeof(struct queue_entry *)); + queue_buf[afl->queued_paths - 1] = q; afl->last_path_time = get_cur_time(); @@ -164,6 +268,8 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { } + q->is_ascii = check_if_text(q); + } /* Destroy the entire queue. */ diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index e56d122a..f68a79e8 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c 
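Review bot: In check_if_text the short-read path `if ((comp = read(fd, buf, len)) != len) return 0;` returns without closing `fd`, leaking one descriptor per affected queue entry; it should read `if ((comp = read(fd, buf, len)) != len) { close(fd); return 0; }`. The multi-byte branches index `buf[offset + 1]` through `buf[offset + 3]` without checking that those positions are below `len`, so a lead byte within the last three bytes of the input is classified against stale stack bytes past the data that was read (and past the array when `len` equals MAX_FILE); each branch needs an `offset + k < len` guard before touching `buf[offset + k]`. `u8 buf[MAX_FILE]` is an automatic array sized by the maximum testcase length, which, if MAX_FILE is large, makes this a very big stack frame for a function called on every add_to_queue(); a heap buffer sized to `q->len` or a reusable scratch buffer would be safer. A short header comment stating the return contract, `/* returns 0: binary, 1: mostly ASCII, 2: mostly UTF-8 (>= AFL_TXT_MIN_PERCENT) */`, would also help the callers that store the value in `is_ascii`.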
@@ -293,6 +293,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_autoresume = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_CYCLE_SCHEDULES", + + afl_environment_variable_len)) { + + afl->cycle_schedules = afl->afl_env.afl_cycle_schedules = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_CAL_FAST", afl_environment_variable_len)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index df2896d2..88f8e902 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1252,11 +1252,42 @@ int main(int argc, char **argv_orig, char **envp) { /* If we had a full queue cycle with no new finds, try recombination strategies next. */ - if (afl->queued_paths == prev_queued) { + if (afl->queued_paths == prev_queued && + (get_cur_time() - afl->start_time) >= 3600) { if (afl->use_splicing) { ++afl->cycles_wo_finds; + switch (afl->expand_havoc) { + + case 0: + afl->expand_havoc = 1; + break; + case 1: + if (afl->limit_time_sig == 0) { + + afl->limit_time_sig = -1; + afl->limit_time_puppet = 0; + + } + + afl->expand_havoc = 2; + break; + case 2: + afl->cycle_schedules = 1; + afl->expand_havoc = 3; + break; + case 3: + // nothing else currently + break; + + } + + if (afl->expand_havoc) { + + } else + + afl->expand_havoc = 1; } else { 
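Review bot: The trailing `if (afl->expand_havoc) { } else afl->expand_havoc = 1;` after the `switch (afl->expand_havoc)` is dead code: case 0 sets the field to 1 and every other case leaves it at 2, 3 or its previous non-zero value, so the empty `if` body and the `else` assignment never change anything and should be removed. The switch has no `default:`, so a value above 3 is silently left as is; `default: break; /* already fully expanded */` would make that deliberate. The new gate `(get_cur_time() - afl->start_time) >= 3600` reads as "one hour", but if get_cur_time() returns milliseconds as it does elsewhere in this codebase the check fires after 3.6 seconds — please confirm the unit and, either way, replace the literal with a named constant. The enclosing queue-cycle loop in main() starts and ends outside the hunk.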
@@ -1270,6 +1301,53 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->cycle_schedules) { + + /* we cannot mix non-AFLfast schedules with others */ + + switch (afl->schedule) { + + case EXPLORE: + afl->schedule = EXPLOIT; + break; + case EXPLOIT: + afl->schedule = MMOPT; + break; + case MMOPT: + afl->schedule = SEEK; + break; + case SEEK: + afl->schedule = EXPLORE; + break; + case FAST: + afl->schedule = COE; + break; + case COE: + afl->schedule = LIN; + break; + case LIN: + afl->schedule = QUAD; + break; + case QUAD: + afl->schedule = RARE; + break; + case RARE: + afl->schedule = FAST; + break; + + } + + struct queue_entry *q = afl->queue; + // we must recalculate the scores of all queue entries + while (q) { + + update_bitmap_score(afl, q); + q = q->next; + + } + + } + prev_queued = afl->queued_paths; if (afl->sync_id && afl->queue_cycle == 1 && -- cgit 1.4.1 From d90328f6be726190e013f83df37e49383be1c5e4 Mon Sep 17 00:00:00 2001 From: Shengtuo Hu Date: Tue, 21 Jul 2020 18:00:21 -0400 Subject: Allow the custom mutator to generate larger trimmed data (#463) --- src/afl-fuzz-mutators.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 0fb34ab7..17a68ff8 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
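Review bot: The schedule rotation `switch (afl->schedule)` has no `default:`, so a schedule outside the nine listed is left unchanged without any indication that this is intended; add `default: break; /* other schedules are not rotated */`. The comment `/* we cannot mix non-AFLfast schedules with others */` explains why there are two separate rotation rings but not what triggers the rotation; a line above the block such as `/* cycle_schedules: after a full cycle without finds, move to the next power schedule and rescore every queue entry */` would document the behaviour the rescoring loop below depends on. The surrounding main() loop starts and ends outside the hunk.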
@@ -282,9 +282,23 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, } else if (unlikely(retlen > orig_len)) { - FATAL( - "Trimmed data returned by custom mutator is larger than original " - "data"); + /* Do not exit the fuzzer, even if the trimmed data returned by the custom + mutator is larger than the original data. For some use cases, like the + grammar mutator, the definition of "size" may have different meanings. + For example, the trimming function in a grammar mutator aims at + reducing the objects in a grammar structure, but does not guarantee to + generate a smaller binary buffer. + + Thus, we allow the custom mutator to generate the trimmed data that is + larger than the original data. */ + + if (afl->not_on_tty && afl->debug) { + + WARNF( + "Trimmed data returned by custom mutator is larger than original " + "data"); + + } } else if (unlikely(retlen == 0)) { -- cgit 1.4.1 From 44928a0265f08021b41568651f0bca6cd1aacc7c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 22 Jul 2020 02:41:19 +0200 Subject: write expand havoc value to fuzzer_stats --- src/afl-fuzz-stats.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index fc93011b..f53205fb 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -105,6 +105,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "cpu_affinity : %d\n" "edges_found : %u\n" "var_byte_count : %u\n" + "havoc_expansion : %u\n" "afl_banner : %s\n" "afl_version : " VERSION "\n" 
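Review bot: The oversize-trim warning is gated on `afl->not_on_tty && afl->debug`, so with debugging enabled on an interactive terminal nothing is reported at all; if the goal is only to keep the UI clean, `if (afl->debug)` (or `if (afl->not_on_tty || afl->debug)`) is the usual shape — please confirm which was meant. Accepting `retlen > orig_len` also removes the guarantee the old FATAL gave to the code after this hunk: wherever the trimmed data is written back (the testcase buffer and `q->len`), that code now has to handle a result larger than `orig_len`, which cannot be verified from the hunk and deserves a comment at the write-back site. The nine-line rationale comment would read better reduced to its two essential sentences, e.g. `/* A custom trimmer may legitimately return a larger buffer (e.g. a grammar mutator shrinks the structure, not the bytes), so do not abort. */`. trim_case_custom starts and ends outside the hunk.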
@@ -137,7 +138,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, #else -1, #endif - t_bytes, afl->var_byte_count, afl->use_banner, + t_bytes, afl->var_byte_count, afl->expand_havoc, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->non_instrumented_mode ? " non_instrumented " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", -- cgit 1.4.1 From b015e4f07aabb39e1683406704f2aae1f7dcde4a Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 22 Jul 2020 16:15:16 +0200 Subject: epand havoc now env --- include/envs.h | 1 + src/afl-fuzz-one.c | 211 ++++++++++++++++++++++++++++++++++------------------- src/afl-fuzz.c | 1 + 3 files changed, 138 insertions(+), 75 deletions(-) (limited to 'src') diff --git a/include/envs.h b/include/envs.h index cb3c183e..c1c7d387 100644 --- a/include/envs.h +++ b/include/envs.h @@ -130,6 +130,7 @@ static char *afl_environment_variables[] = { "AFL_USE_CFISAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", + "AFL_EXPAND_HAVOC_NOW", NULL }; diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 250409da..a0ecb7a9 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c 
@@ -564,238 +564,299 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { u32 pos, yes = 0, mutations = rand_below(afl, AFL_TXT_STRING_MAX_MUTATIONS) + 1; u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), - *orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS); + *orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS +1); temp_len = *orig_temp_len; memcpy(new_buf, *out_buf, temp_len); + new_buf[temp_len] = 0; for (u32 i = 0; i < mutations; i++) { if (temp_len < AFL_TXT_MIN_LEN) { return 0; } pos = rand_below(afl, temp_len - 1); - int choice = rand_below(afl, 72); + int choice = rand_below(afl, 80); switch (choice) { case 0: /* Semantic statement deletion */ - yes += string_replace(out_buf, &temp_len, pos, "\n", "#"); + yes += string_replace(&new_buf, &temp_len, pos, "\n", "#"); break; case 1: - yes += string_replace(out_buf, &temp_len, pos, "(", "(!"); + yes += string_replace(&new_buf, &temp_len, pos, "(", "(!"); break; case 2: - yes += string_replace(out_buf, &temp_len, pos, "==", "!="); + yes += string_replace(&new_buf, &temp_len, pos, "==", "!="); break; case 3: - yes += string_replace(out_buf, &temp_len, pos, "!=", "=="); + yes += string_replace(&new_buf, &temp_len, pos, "!=", "=="); break; case 4: - yes += string_replace(out_buf, &temp_len, pos, "==", "<"); + yes += string_replace(&new_buf, &temp_len, pos, "==", "<"); break; case 5: - yes += string_replace(out_buf, &temp_len, pos, "<", "=="); + yes += string_replace(&new_buf, &temp_len, pos, "<", "=="); break; case 6: - yes += string_replace(out_buf, &temp_len, pos, "==", ">"); + yes += string_replace(&new_buf, &temp_len, pos, "==", ">"); break; case 7: - yes += string_replace(out_buf, &temp_len, pos, ">", "=="); + yes += string_replace(&new_buf, &temp_len, pos, ">", "=="); break; case 8: - yes += string_replace(out_buf, &temp_len, pos, "=", "<"); + yes += string_replace(&new_buf, &temp_len, pos, "=", "<"); break; case 9: - yes += string_replace(out_buf, &temp_len, pos, "=", ">"); + yes += 
string_replace(&new_buf, &temp_len, pos, "=", ">"); break; case 10: - yes += string_replace(out_buf, &temp_len, pos, "<", ">"); + yes += string_replace(&new_buf, &temp_len, pos, "<", ">"); break; case 11: - yes += string_replace(out_buf, &temp_len, pos, ">", "<"); + yes += string_replace(&new_buf, &temp_len, pos, ">", "<"); break; case 12: - yes += string_replace(out_buf, &temp_len, pos, "++", "--"); + yes += string_replace(&new_buf, &temp_len, pos, "++", "--"); break; case 13: - yes += string_replace(out_buf, &temp_len, pos, "--", "++"); + yes += string_replace(&new_buf, &temp_len, pos, "--", "++"); break; case 14: - yes += string_replace(out_buf, &temp_len, pos, "+", "-"); + yes += string_replace(&new_buf, &temp_len, pos, "+", "-"); break; case 15: - yes += string_replace(out_buf, &temp_len, pos, "+", "*"); + yes += string_replace(&new_buf, &temp_len, pos, "+", "*"); break; case 16: - yes += string_replace(out_buf, &temp_len, pos, "+", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "+", "/"); break; case 17: - yes += string_replace(out_buf, &temp_len, pos, "+", "%"); + yes += string_replace(&new_buf, &temp_len, pos, "+", "%"); break; case 18: - yes += string_replace(out_buf, &temp_len, pos, "*", "-"); + yes += string_replace(&new_buf, &temp_len, pos, "*", "-"); break; case 19: - yes += string_replace(out_buf, &temp_len, pos, "*", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "*", "+"); break; case 20: - yes += string_replace(out_buf, &temp_len, pos, "*", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "*", "/"); break; case 21: - yes += string_replace(out_buf, &temp_len, pos, "*", "%"); + yes += string_replace(&new_buf, &temp_len, pos, "*", "%"); break; case 22: - yes += string_replace(out_buf, &temp_len, pos, "-", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "-", "+"); break; case 23: - yes += string_replace(out_buf, &temp_len, pos, "-", "*"); + yes += string_replace(&new_buf, &temp_len, pos, "-", "*"); break; case 24: - yes 
+= string_replace(out_buf, &temp_len, pos, "-", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "-", "/"); break; case 25: - yes += string_replace(out_buf, &temp_len, pos, "-", "%"); + yes += string_replace(&new_buf, &temp_len, pos, "-", "%"); break; case 26: - yes += string_replace(out_buf, &temp_len, pos, "/", "-"); + yes += string_replace(&new_buf, &temp_len, pos, "/", "-"); break; case 27: - yes += string_replace(out_buf, &temp_len, pos, "/", "*"); + yes += string_replace(&new_buf, &temp_len, pos, "/", "*"); break; case 28: - yes += string_replace(out_buf, &temp_len, pos, "/", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "/", "+"); break; case 29: - yes += string_replace(out_buf, &temp_len, pos, "/", "%"); + yes += string_replace(&new_buf, &temp_len, pos, "/", "%"); break; case 30: - yes += string_replace(out_buf, &temp_len, pos, "%", "-"); + yes += string_replace(&new_buf, &temp_len, pos, "%", "-"); break; case 31: - yes += string_replace(out_buf, &temp_len, pos, "%", "*"); + yes += string_replace(&new_buf, &temp_len, pos, "%", "*"); break; case 32: - yes += string_replace(out_buf, &temp_len, pos, "%", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "%", "/"); break; case 33: - yes += string_replace(out_buf, &temp_len, pos, "%", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "%", "+"); break; case 34: - yes += string_replace(out_buf, &temp_len, pos, " ", "|"); + yes += string_replace(&new_buf, &temp_len, pos, " ", "|"); break; case 35: - yes += string_replace(out_buf, &temp_len, pos, " ", "$"); + yes += string_replace(&new_buf, &temp_len, pos, " ", "$"); break; case 36: - yes += string_replace(out_buf, &temp_len, pos, "0", "1"); + yes += string_replace(&new_buf, &temp_len, pos, "0", "1"); break; case 37: - yes += string_replace(out_buf, &temp_len, pos, "1", "0"); + yes += string_replace(&new_buf, &temp_len, pos, "1", "0"); break; case 38: - yes += string_replace(out_buf, &temp_len, pos, " ", "`"); + yes += 
string_replace(&new_buf, &temp_len, pos, " ", "`"); break; case 39: - yes += string_replace(out_buf, &temp_len, pos, " ", "\""); + yes += string_replace(&new_buf, &temp_len, pos, " ", "\""); break; case 40: - yes += string_replace(out_buf, &temp_len, pos, ";", " "); + yes += string_replace(&new_buf, &temp_len, pos, ";", " "); break; case 41: - yes += string_replace(out_buf, &temp_len, pos, "&&", "||"); + yes += string_replace(&new_buf, &temp_len, pos, "&&", "||"); break; case 42: - yes += string_replace(out_buf, &temp_len, pos, "||", "&&"); + yes += string_replace(&new_buf, &temp_len, pos, "||", "&&"); break; case 43: - yes += string_replace(out_buf, &temp_len, pos, "!", ""); + yes += string_replace(&new_buf, &temp_len, pos, "!", ""); break; case 44: - yes += string_replace(out_buf, &temp_len, pos, "==", "="); + yes += string_replace(&new_buf, &temp_len, pos, "==", "="); break; case 45: - yes += string_replace(out_buf, &temp_len, pos, "--", ""); + yes += string_replace(&new_buf, &temp_len, pos, "--", ""); break; case 46: - yes += string_replace(out_buf, &temp_len, pos, "<<", "<"); + yes += string_replace(&new_buf, &temp_len, pos, "<<", "<"); break; case 47: - yes += string_replace(out_buf, &temp_len, pos, ">>", ">"); + yes += string_replace(&new_buf, &temp_len, pos, ">>", ">"); break; case 48: - yes += string_replace(out_buf, &temp_len, pos, "<", "<<"); + yes += string_replace(&new_buf, &temp_len, pos, "<", "<<"); break; case 49: - yes += string_replace(out_buf, &temp_len, pos, ">", ">>"); + yes += string_replace(&new_buf, &temp_len, pos, ">", ">>"); break; case 50: - yes += string_replace(out_buf, &temp_len, pos, "\"", "'"); + yes += string_replace(&new_buf, &temp_len, pos, "\"", "'"); break; case 51: - yes += string_replace(out_buf, &temp_len, pos, "'", "\""); + yes += string_replace(&new_buf, &temp_len, pos, "'", "\""); break; case 52: - yes += string_replace(out_buf, &temp_len, pos, "(", "\""); + yes += string_replace(&new_buf, &temp_len, pos, "(", "\""); 
break; case 53: /* Remove a semicolon delimited statement after a semicolon */ - yes += delim_replace(out_buf, &temp_len, pos, ";", ";", ";"); + yes += delim_replace(&new_buf, &temp_len, pos, ";", ";", ";"); break; case 54: /* Remove a semicolon delimited statement after a left curly brace */ - yes += delim_replace(out_buf, &temp_len, pos, "}", ";", "}"); + yes += delim_replace(&new_buf, &temp_len, pos, "}", ";", "}"); break; case 55: /* Remove a curly brace construct */ - yes += delim_replace(out_buf, &temp_len, pos, "{", "}", ""); + yes += delim_replace(&new_buf, &temp_len, pos, "{", "}", ""); break; case 56: /* Replace a curly brace construct with an empty one */ - yes += delim_replace(out_buf, &temp_len, pos, "{", "}", "{}"); + yes += delim_replace(&new_buf, &temp_len, pos, "{", "}", "{}"); break; case 57: - yes += delim_swap(out_buf, &temp_len, pos, ";", ";", ";"); + yes += delim_swap(&new_buf, &temp_len, pos, ";", ";", ";"); break; case 58: - yes += delim_swap(out_buf, &temp_len, pos, "}", ";", ";"); + yes += delim_swap(&new_buf, &temp_len, pos, "}", ";", ";"); break; case 59: /* Swap comma delimited things case 1 */ - yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ")"); + yes += delim_swap(&new_buf, &temp_len, pos, "(", ",", ")"); break; case 60: /* Swap comma delimited things case 2 */ - yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ","); + yes += delim_swap(&new_buf, &temp_len, pos, "(", ",", ","); break; case 61: /* Swap comma delimited things case 3 */ - yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ","); + yes += delim_swap(&new_buf, &temp_len, pos, ",", ",", ","); break; case 62: /* Swap comma delimited things case 4 */ - yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ")"); + yes += delim_swap(&new_buf, &temp_len, pos, ",", ",", ")"); break; case 63: /* Just delete a line */ - yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", ""); + yes += delim_replace(&new_buf, &temp_len, pos, "\n", "\n", ""); break; case 64: /* 
Delete something like "const" case 1 */ - yes += delim_replace(out_buf, &temp_len, pos, " ", " ", ""); + yes += delim_replace(&new_buf, &temp_len, pos, " ", " ", ""); break; case 65: /* Delete something like "const" case 2 */ - yes += delim_replace(out_buf, &temp_len, pos, "\n", " ", ""); + yes += delim_replace(&new_buf, &temp_len, pos, "\n", " ", ""); break; case 66: /* Delete something like "const" case 3 */ - yes += delim_replace(out_buf, &temp_len, pos, "(", " ", ""); + yes += delim_replace(&new_buf, &temp_len, pos, "(", " ", ""); break; case 67: /* Swap space delimited things case 1 */ - yes += delim_swap(out_buf, &temp_len, pos, " ", " ", " "); + yes += delim_swap(&new_buf, &temp_len, pos, " ", " ", " "); break; case 68: /* Swap space delimited things case 2 */ - yes += delim_swap(out_buf, &temp_len, pos, " ", " ", ")"); + yes += delim_swap(&new_buf, &temp_len, pos, " ", " ", ")"); break; case 69: /* Swap space delimited things case 3 */ - yes += delim_swap(out_buf, &temp_len, pos, "(", " ", " "); + yes += delim_swap(&new_buf, &temp_len, pos, "(", " ", " "); break; case 70: /* Swap space delimited things case 4 */ - yes += delim_swap(out_buf, &temp_len, pos, "(", " ", ")"); + yes += delim_swap(&new_buf, &temp_len, pos, "(", " ", ")"); break; case 71: /* Duplicate a single line of code */ - yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", NULL); + yes += delim_replace(&new_buf, &temp_len, pos, "\n", "\n", NULL); break; case 72: /* Duplicate a construct (most often, a non-nested for loop */ - yes += delim_replace(out_buf, &temp_len, pos, "\n", "}", NULL); + yes += delim_replace(&new_buf, &temp_len, pos, "\n", "}", NULL); break; + default: { + + for (u32 j = pos; j < temp_len; ++j) { + if (isdigit(new_buf[j])) { + + u8* endptr; + unsigned long long num = strtoull(new_buf +j, (char**)&endptr, 0); + + switch (rand_below(afl, 8)) { + case 0: + num = rand_below(afl, INT_MAX); + break; + case 1: + num = rand_next(afl); + break; + case 2: + num += 1 + 
rand_below(afl, 255); + break; + case 3: + num -= 1 + rand_below(afl, 255); + break; + case 4: + num *= 1 + rand_below(afl, 255); + break; + case 5: + num /= 1 + rand_below(afl, 255); + break; + case 6: + num /= 1 + rand_below(afl, 255); + break; + case 7: + num = ~num; + break; + } + + const char* fmt = "%llu"; + if (rand_below(afl, 5) == 0) // add - sign with 1/5 probability + fmt = "-%llu"; + + size_t num_len = snprintf(NULL, 0, fmt, num); + size_t old_len = endptr - (new_buf +j); + if (num_len < old_len) { + memmove(new_buf +j +num_len, endptr, temp_len - (endptr - new_buf)); + snprintf(new_buf +j, num_len, fmt, num); + temp_len -= old_len - num_len; + } else if (num_len == old_len) { + snprintf(new_buf +j, num_len, fmt, num); + } else { + new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + (num_len - old_len)); + memmove(new_buf +j +num_len, endptr, temp_len - (endptr - new_buf)); + snprintf(new_buf +j, num_len, fmt, num); + temp_len += num_len - old_len; + } + + yes += 1; + + } + } + + } } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 88f8e902..8220b41b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -900,6 +900,7 @@ int main(int argc, char **argv_orig, char **envp) { if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; } if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; } if (get_afl_env("AFL_FAST_CAL")) { afl->fast_cal = 1; } + if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; } if (afl->afl_env.afl_autoresume) { -- cgit 1.4.1 From a46a733dbee6defce6770d79e8e001430e76fe18 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 22 Jul 2020 17:04:57 +0200 Subject: fix bugs --- src/afl-fuzz-one.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a0ecb7a9..69671f71 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c 
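Review bot: In the new `default:` number-mutation branch, `snprintf(new_buf +j, num_len, fmt, num)` is passed `num_len` — the length returned by `snprintf(NULL, 0, fmt, num)` — as the buffer size, so it emits at most `num_len - 1` characters and then a NUL: the last digit of every mutated number is replaced by a 0x00 byte, in all three branches (shrink, equal, grow). Format into a local first, `char numbuf[32]; size_t num_len = (size_t)snprintf(numbuf, sizeof numbuf, fmt, num);`, and replace each in-buffer snprintf with `memcpy(new_buf + j, numbuf, num_len);`, which also stops the terminator from clobbering the byte that the preceding memmove placed at `new_buf + j + num_len`. The same three calls survive unchanged in the later "fix bugs" hunk `@@ -839,19 +841,20 @@` of afl-fuzz-one.c. `case 5` and `case 6` of `switch (rand_below(afl, 8))` are identical (`num /= 1 + rand_below(afl, 255)`), so one outcome is doubled — presumably one was meant to be `%=`, or the range should be 7. text_mutation starts and ends outside this hunk.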
@@ -802,6 +802,8 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { for (u32 j = pos; j < temp_len; ++j) { if (isdigit(new_buf[j])) { + new_buf[temp_len] = 0; // should be safe thanks to the initial grow + u8* endptr; unsigned long long num = strtoull(new_buf +j, (char**)&endptr, 0); @@ -839,19 +841,20 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { size_t num_len = snprintf(NULL, 0, fmt, num); size_t old_len = endptr - (new_buf +j); if (num_len < old_len) { - memmove(new_buf +j +num_len, endptr, temp_len - (endptr - new_buf)); + memmove(new_buf +j +num_len, new_buf +j +old_len, temp_len - (j + old_len)); snprintf(new_buf +j, num_len, fmt, num); temp_len -= old_len - num_len; } else if (num_len == old_len) { snprintf(new_buf +j, num_len, fmt, num); } else { - new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + (num_len - old_len)); - memmove(new_buf +j +num_len, endptr, temp_len - (endptr - new_buf)); + new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + (num_len - old_len) + AFL_TXT_STRING_MAX_MUTATIONS +1); + memmove(new_buf +j +num_len, new_buf +j +old_len, temp_len - (j + old_len)); snprintf(new_buf +j, num_len, fmt, num); temp_len += num_len - old_len; } yes += 1; + break; } } @@ -859,7 +862,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { } } - + } if (yes == 0 || temp_len <= 0) { return 0; } @@ -867,7 +870,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); *out_buf = new_buf; *orig_temp_len = temp_len; - + return 1; } -- cgit 1.4.1 From af10c05ac3d81c5d170cf0542cbcff5817dac10b Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 22 Jul 2020 18:22:31 +0200 Subject: ascii redqueen --- src/afl-fuzz-redqueen.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 95 insertions(+), 2 deletions(-) (limited to 'src') 
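Review bot: The three `snprintf(new_buf +j, num_len, fmt, num);` calls kept as context in the @@ -839 hunk drop the last digit of every rewritten number: `num_len` comes from `snprintf(NULL, 0, fmt, num)` and excludes the terminator, so a size of `num_len` emits only num_len-1 characters and then plants a NUL where the final digit belongs. Passing `num_len + 1` instead would clobber the first byte of the tail that the preceding memmove just put in place, so the cleanest fix is to format into a small stack buffer and copy it in: `u8 tmp[32]; snprintf((char *)tmp, sizeof(tmp), fmt, num);` followed by `memcpy(new_buf + j, tmp, num_len);` in each of the three branches (the longest output, "-" plus a 20-digit value, fits). The loop header and the rest of text_mutation lie outside these hunks.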
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c53e0e06..55b88bf8 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -262,6 +262,54 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { } +static long long strntoll(const char *str, size_t sz, char **end, int base) { + char buf[64]; + long long ret; + const char *beg = str; + + for (; beg && sz && *beg == ' '; beg++, sz--) + ; + + if (!sz || sz >= sizeof(buf)) { + if (end) + *end = (char *)str; + return 0; + } + + memcpy(buf, beg, sz); + buf[sz] = '\0'; + ret = strtoll(buf, end, base); + if (ret == LLONG_MIN || ret == LLONG_MAX) + return ret; + if (end) + *end = (char *)beg + (*end - buf); + return ret; +} + +static unsigned long long strntoull(const char *str, size_t sz, char **end, int base) { + char buf[64]; + unsigned long long ret; + const char *beg = str; + + for (; beg && sz && *beg == ' '; beg++, sz--) + ; + + if (!sz || sz >= sizeof(buf)) { + if (end) + *end = (char *)str; + return 0; + } + + memcpy(buf, beg, sz); + buf[sz] = '\0'; + ret = strtoull(buf, end, base); + if (end) + *end = (char *)beg + (*end - buf); + return ret; +} + +#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size + static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 pattern, u64 repl, u64 o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, 
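Review bot: In strntoll the early `if (ret == LLONG_MIN || ret == LLONG_MAX) return ret;` leaves `*end` pointing into the local `buf`, so on overflow the caller gets a dangling pointer into a dead stack frame and cmp_extend_encoding then derives `old_len = endptr - buf_8` from it. strtoll already signals overflow through errno and the callers only consume endptr, so the early return should simply go: `ret = strtoll(buf, end, base); if (end) *end = (char *)beg + (*end - buf); return ret;`. Separately, both helpers bail out with "no number" when `sz >= sizeof(buf)` (64 bytes), and the caller passes the whole remaining length `len - idx` as sz, so for most positions in any input longer than 64 bytes nothing is ever parsed; scanning forward for the end of the digit run before copying, or a larger buffer, would make the ASCII path actually fire, unless the 64-byte cut-off is intended, in which case it deserves a comment.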
@@ -279,7 +327,52 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 its_len = len - idx; // *status = 0; - if (SHAPE_BYTES(h->shape) >= 8) { + u8 *endptr; + u8 use_num = 0, use_unum = 0; + unsigned long long unum; + long long num; + if (afl->queue_cur->is_ascii) { + + endptr = buf_8; + num = strntoll(buf_8, len - idx, (char**)&endptr, 0); + if (endptr == buf_8) { + unum = strntoull(buf_8, len - idx, (char**)&endptr, 0); + if (endptr == buf_8) + use_unum = 1; + } else + use_num = 1; + + } + + if (use_num && num == pattern) { + + size_t old_len = endptr - buf_8; + size_t num_len = snprintf(NULL, 0, "%lld", num); + + u8* new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len); + memcpy(new_buf, buf, idx); + + snprintf(new_buf +idx, num_len, "%lld", num); + memcpy(new_buf +idx +num_len, buf_8 + old_len, len - idx - old_len); + + if (unlikely(its_fuzz(afl, new_buf, len, status))) { return 1; } + + } else if (use_unum && unum == pattern) { + + size_t old_len = endptr - buf_8; + size_t num_len = snprintf(NULL, 0, "%llu", unum); + + u8* new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len); + memcpy(new_buf, buf, idx); + + snprintf(new_buf +idx, num_len, "%llu", unum); + memcpy(new_buf +idx +num_len, buf_8 + old_len, len - idx - old_len); + + if (unlikely(its_fuzz(afl, new_buf, len, status))) { return 1; } + + } + + if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) { if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) { @@ -288,7 +381,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, *buf_64 = pattern; } - + // reverse encoding if (do_reverse && *status != 1) { -- cgit 1.4.1 From 1ddb70e0d9ec0c71a09c5c62f435a2b63ddfee53 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 23 Jul 2020 05:08:20 +0200 Subject: fix compilation --- src/afl-fuzz-one.c | 1 + src/afl-fuzz-redqueen.c | 1 + 2 files changed, 2 insertions(+) (limited to 'src') 
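Review bot: The new ASCII branch writes the matched value back unchanged: after `use_num && num == pattern` it formats `num` into new_buf rather than `repl`, and the unsigned branch does the same with `unum`, so the generated input equals the original and the comparison-solving step is a no-op. Two smaller defects sit on the same lines: `use_unum = 1` is set when strntoull also failed to parse (`endptr == buf_8`, hence old_len 0 and unum 0), which should read `if (endptr != buf_8) use_unum = 1;`, and `snprintf(new_buf +idx, num_len, ...)` with a size that excludes the terminator drops the last digit and leaves a NUL in its place. its_fuzz is also handed the old `len` although the buffer now holds `len - old_len + num_len` bytes. The signed branch rewritten (the unsigned one mirrors it with `unum` and `"%llu"`):
```c
  if (use_num && num == pattern) {

    size_t old_len = endptr - buf_8;
    size_t num_len = snprintf(NULL, 0, "%lld", (long long)repl);
    u8     tmp[32];

    u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len);
    memcpy(new_buf, buf, idx);
    snprintf((char *)tmp, sizeof(tmp), "%lld", (long long)repl);
    memcpy(new_buf + idx, tmp, num_len);
    memcpy(new_buf + idx + num_len, buf_8 + old_len, len - idx - old_len);

    if (unlikely(its_fuzz(afl, new_buf, len - old_len + num_len, status))) { return 1; }

  /* … unchanged: unsigned branch, same shape with unum / "%llu" … */
```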
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 69671f71..7f96c2c6 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -25,6 +25,7 @@ #include "afl-fuzz.h" #include +#include static u8 *strnstr(const u8 *s, const u8 *find, size_t slen); static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from, diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 55b88bf8..de3adb2d 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -24,6 +24,7 @@ */ +#include #include "afl-fuzz.h" #include "cmplog.h" -- cgit 1.4.1 From 2ba88dcd8a9829612eb06eb130d688685a76a847 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 23 Jul 2020 14:17:29 +0200 Subject: skip large files, dont bail --- TODO.md | 2 ++ src/afl-fuzz-init.c | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/TODO.md b/TODO.md index 2723657a..341f2c78 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,8 @@ ## Roadmap 2.67+ + - pre_save custom module example to save away test cases + - expand on AFL_LLVM_INSTRUMENT_FILE to also support sancov allowlist format - allow to sync against honggfuzz and libfuzzer - AFL_MAP_SIZE for qemu_mode and unicorn_mode - namespace for targets? e.g. network diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index e95ae95f..609e16ba 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -466,7 +466,7 @@ void read_testcases(afl_state_t *afl) { ACTF("Scanning '%s'...", afl->in_dir); /* We use scandir() + alphasort() rather than readdir() because otherwise, - the ordering of test cases would vary somewhat randomly and would be + the ordering of test cases would vary somewhat randomly and would be difficult to control. */ nl_cnt = scandir(afl->in_dir, &nl, NULL, alphasort); 
@@ -527,9 +527,10 @@ void read_testcases(afl_state_t *afl) { if (st.st_size > MAX_FILE) { - FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, + WARNF("Test case '%s' is too big (%s, limit is %s), skipping", fn2, stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size), stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE)); + continue; } -- cgit 1.4.1 From 3e04dbd5a1048ed3dd245c9db70d8a8d3b7d7135 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 23 Jul 2020 16:43:25 +0200 Subject: no cycle on expand --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8220b41b..553300e9 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1275,7 +1275,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->expand_havoc = 2; break; case 2: - afl->cycle_schedules = 1; + //afl->cycle_schedules = 1; afl->expand_havoc = 3; break; case 3: -- cgit 1.4.1 From 4898db80cb7539a06e234c65aaaac85883209e38 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Mon, 20 Jul 2020 01:12:28 +0530 Subject: Add post-process functionality in write_with_gap --- src/afl-fuzz-run.c | 61 +++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 2a1664e2..f8317863 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
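Review bot: The new `continue;` in read_testcases skips the `ck_free(fn2)` that the rest of the loop body performs, so every oversized seed now leaks its allocated path string where the old FATAL made that irrelevant; add `ck_free(fn2);` immediately before the `continue;`. The loop body and its cleanup lie outside the hunk. Since this is now a warning, it would also help the user to say in the message that the limit is the compile-time MAX_FILE setting, because a corpus whose seeds are all too large will otherwise start with an empty queue and a less obvious error later.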
@@ -142,18 +142,58 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, s32 fd = afl->fsrv.out_fd; u32 tail_len = len - skip_at - skip_len; + /* We first copy the mem into a new memory region removing the gaps + and then carry out any post-processing work on them. Then copy them out to + shared-mem or write to file */ + + void *mem_trimmed = + ck_alloc(skip_at + tail_len + + 1); // 1 extra size allocated to remove chance of overflow + + if (skip_at) { memcpy(mem_trimmed, mem, skip_at); } + + if (tail_len) { + + memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len, tail_len); + + } + + ssize_t new_size = skip_at + tail_len; + void * new_mem = mem_trimmed; + u8 * new_buf = NULL; + + if (unlikely(afl->custom_mutators_count)) { + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_post_process) { + + new_size = + el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); + + } + + new_mem = new_buf; + + }); + + } + if (afl->fsrv.shmem_fuzz) { - if (skip_at) { memcpy(afl->fsrv.shmem_fuzz, mem, skip_at); } + if ((new_buf)) { + + memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size); + + } - if (tail_len) { + else { - memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8 *)mem + skip_at + skip_len, - tail_len); + memcpy(afl->fsrv.shmem_fuzz, mem_trimmed, new_size); } - *afl->fsrv.shmem_fuzz_len = len - skip_len; + *afl->fsrv.shmem_fuzz_len = new_size; #ifdef _DEBUG if (afl->debug) { 
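Review bot: `mem_trimmed` is obtained from ck_alloc at the top of write_with_gap and is never released on any path in this hunk or the next, so every execution that trims a gap leaks a test-case-sized allocation; a `ck_free(mem_trimmed);` is needed after the shared-memory copy or the file write completes, at the end of the function, which lies outside the hunk. The `new_mem = new_buf;` inside the LIST_FOREACH body also runs for mutators that have no afl_custom_post_process, so with two custom mutators where the first lacks the hook, the second one's hook receives NULL instead of the trimmed buffer; move the assignment inside the `if (el->afl_custom_post_process)` block. The comment `// 1 extra size allocated to remove chance of overflow` does not say which overflow is meant; if the byte is there so a post-processor may NUL-terminate, say so.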
@@ -197,18 +237,19 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, } - if (skip_at) { ck_write(fd, mem, skip_at, afl->fsrv.out_file); } + if (new_buf) { - u8 *memu8 = mem; - if (tail_len) { + ck_write(fd, new_buf, new_size, afl->fsrv.out_file); + + } else { - ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file); + ck_write(fd, mem_trimmed, new_size, afl->fsrv.out_file); } if (!afl->fsrv.out_file) { - if (ftruncate(fd, len - skip_len)) { PFATAL("ftruncate() failed"); } + if (ftruncate(fd, new_size)) { PFATAL("ftruncate() failed"); } lseek(fd, 0, SEEK_SET); } else { -- cgit 1.4.1 From 2fa31dab60e76ee1a4b77d2d98d58e0e35455880 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Thu, 23 Jul 2020 23:48:26 +0530 Subject: Remove reduntant copying from write_with_gap function --- src/afl-fuzz-run.c | 66 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 20 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index f8317863..7d68083d 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
@@ -142,35 +142,55 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, s32 fd = afl->fsrv.out_fd; u32 tail_len = len - skip_at - skip_len; - /* We first copy the mem into a new memory region removing the gaps - and then carry out any post-processing work on them. Then copy them out to - shared-mem or write to file */ - - void *mem_trimmed = - ck_alloc(skip_at + tail_len + - 1); // 1 extra size allocated to remove chance of overflow - - if (skip_at) { memcpy(mem_trimmed, mem, skip_at); } - - if (tail_len) { - - memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len, tail_len); - - } + /* + This memory is used to carry out the post_processing(if present) after copying + the testcase by removing the gaps + */ + u8 mem_trimmed[skip_at + tail_len + + 1]; // 1 extra size to remove chance of overflow ssize_t new_size = skip_at + tail_len; - void * new_mem = mem_trimmed; + void * new_mem = mem; u8 * new_buf = NULL; + bool post_process_skipped = true; + if (unlikely(afl->custom_mutators_count)) { + new_mem = mem_trimmed; + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { if (el->afl_custom_post_process) { + // We copy into the mem_trimmed only if we actually have custom mutators + // *with* post_processing installed + + if (post_process_skipped) { + + if (skip_at) { memcpy(mem_trimmed, (u8 *)mem, skip_at); } + + if (tail_len) { + + memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len, + tail_len); + + } + + post_process_skipped = false; + + } + new_size = el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); + if (unlikely(!new_buf && (new_size <= 0))) { + + FATAL("Custom_post_process failed (ret: %lu)", + (long unsigned)new_size); + + } + } new_mem = new_buf; 
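Review bot: `u8 mem_trimmed[skip_at + tail_len + 1];` is a variable-length array sized by the test case, so with a custom post-processor installed an input near the MAX_FILE cap is now copied onto the stack of afl-fuzz and can overflow it; keep this in a heap buffer that persists across calls, e.g. the ck_maybe_grow pattern used elsewhere in the fuzzer, so the copy costs no allocation either. The unconditional `new_mem = new_buf;` at the end of the LIST_FOREACH body still runs for mutators without a post_process hook, which hands NULL to the next mutator's hook; it belongs inside the `if (el->afl_custom_post_process)` block. The FATAL guard `!new_buf && (new_size <= 0)` lets a hook that returns a positive size together with a NULL buffer through to the memcpy below; `||` is the condition that matches the error message, unless a zero size is meant as a legitimate "skip this input", in which case that case needs explicit handling before the copy.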
@@ -181,7 +201,9 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, if (afl->fsrv.shmem_fuzz) { - if ((new_buf)) { + if (!post_process_skipped) { + + // If we did post_processing, copy directly from the new_buf bufer memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size); @@ -189,7 +211,9 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, else { - memcpy(afl->fsrv.shmem_fuzz, mem_trimmed, new_size); + memcpy(afl->fsrv.shmem_fuzz, mem, skip_at); + + memcpy(afl->fsrv.shmem_fuzz, mem + skip_at + skip_len, tail_len); } @@ -237,13 +261,15 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, } - if (new_buf) { + if (!post_process_skipped) { ck_write(fd, new_buf, new_size, afl->fsrv.out_file); } else { - ck_write(fd, mem_trimmed, new_size, afl->fsrv.out_file); + ck_write(fd, mem, skip_at, afl->fsrv.out_file); + + ck_write(fd, mem + skip_at + skip_len, tail_len, afl->fsrv.out_file); } -- cgit 1.4.1 From 9cddbc04206bd8d1399e5a5311c98fff5be80731 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 24 Jul 2020 12:26:52 +0200 Subject: add -F option to sync to foreign fuzzer queues --- GNUmakefile | 4 +- README.md | 20 +++--- TODO.md | 2 - docs/Changelog.md | 2 + docs/parallel_fuzzing.md | 14 ++++- include/afl-fuzz.h | 13 ++++ src/afl-fuzz-init.c | 154 +++++++++++++++++++++++++++++++++++++++++++++++ src/afl-fuzz-run.c | 2 + src/afl-fuzz.c | 22 ++++++- 9 files changed, 211 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/GNUmakefile b/GNUmakefile index f44ef95e..ab9144b8 100644 --- a/GNUmakefile +++ b/GNUmakefile 
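Review bot: The no-post-process branch of the shared-memory path copies the tail to the wrong offset: `memcpy(afl->fsrv.shmem_fuzz, mem + skip_at + skip_len, tail_len);` writes at the start of shmem_fuzz, overwriting the head that the preceding memcpy just placed, so the target receives the tail followed by stale bytes instead of head plus tail. It should be `memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8 *)mem + skip_at + skip_len, tail_len);`; the cast also matters, since `mem` is `void *` and the arithmetic on it in both hunks relies on a GNU extension that the replaced line avoided with `(u8 *)mem`. The file-write branch in the second hunk has the right offsets.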
@@ -455,10 +455,10 @@ code-format: ./.custom-format.py -i llvm_mode/*.h ./.custom-format.py -i llvm_mode/*.cc ./.custom-format.py -i gcc_plugin/*.c - #./.custom-format.py -i gcc_plugin/*.h + @#./.custom-format.py -i gcc_plugin/*.h ./.custom-format.py -i gcc_plugin/*.cc ./.custom-format.py -i custom_mutators/*/*.c - ./.custom-format.py -i custom_mutators/*/*.h + @#./.custom-format.py -i custom_mutators/*/*.h # destroys input.h :-( ./.custom-format.py -i examples/*/*.c ./.custom-format.py -i examples/*/*.h ./.custom-format.py -i test/*.c diff --git a/README.md b/README.md index 4e83021d..b2f41315 100644 --- a/README.md +++ b/README.md @@ -366,9 +366,9 @@ If you find other good ones, please send them to us :-) ## Power schedules -The power schedules were copied from Marcel Böhme's excellent AFLfast -implementation and expand on the ability to discover new paths and -therefore may increase the code coverage. +The power schedules were copied from Marcel Böhme's AFLfast implementation and +measure differently which queue entries to prefer and therefore may find +different paths faster for large queues. The available schedules are: 
@@ -382,16 +382,10 @@ The available schedules are: - mmopt (afl++ experimental) - seek (afl++ experimental) -In parallel mode (-M/-S, several instances with the shared queue), we suggest to -run the main node using the explore or fast schedule (-p explore) and the secondary -nodes with a combination of cut-off-exponential (-p coe), exponential (-p fast), -explore (-p explore) and mmopt (-p mmopt) schedules. If a schedule does -not perform well for a target, restart the secondary nodes with a different schedule. - -In single mode, using -p fast is usually slightly more beneficial than the -default explore mode. -(We don't want to change the default behavior of afl, so "fast" has not been -made the default mode). +In parallel mode (-M/-S, several instances with the shared queue), we suggest +to run the main node using the default explore schedule (`-p explore`) and the +secondary nodes with different schedules. If a schedule does not perform well +for a target, restart the secondary nodes with a different schedule. More details can be found in the paper published at the 23rd ACM Conference on Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/) diff --git a/TODO.md b/TODO.md index ad3ef83e..ad743b6b 100644 --- a/TODO.md +++ b/TODO.md @@ -3,9 +3,7 @@ ## Roadmap 2.67+ - -i - + foreign fuzzer sync support: scandir with time sort - - pre_save custom module example to save away test cases - expand on AFL_LLVM_INSTRUMENT_FILE to also support sancov allowlist format - - allow to sync against honggfuzz and libfuzzer - AFL_MAP_SIZE for qemu_mode and unicorn_mode - namespace for targets? e.g. network - learn from honggfuzz (mutations, maybe ptrace?) diff --git a/docs/Changelog.md b/docs/Changelog.md index a25cc43c..bec87d65 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -11,6 +11,8 @@ sending a mail to . ### Version ++2.66d (devel) - afl-fuzz: + - added -F option to allow -M main fuzzers to sync to foreign fuzzers, + e.g. honggfuzz or libfuzzer - eliminated CPU affinity race condition for -S/-M runs - llvm_mode: - fixes for laf-intel float splitting (thanks to mark-griffin for diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index 271f8369..2ab1466c 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -99,7 +99,15 @@ example may be: This is not a concern if you use @@ without -f and let afl-fuzz come up with the file name. -## 3) Multi-system parallelization +## 3) Syncing with non-afl fuzzers or independant instances + +A -M main node can be told with the `-F other_fuzzer_queue_directory` option +to sync results from other fuzzers, e.g. libfuzzer or honggfuzz. + +Only the specified directory will by synced into afl, not subdirectories. +The specified directories do not need to exist yet at the start of afl. + +## 4) Multi-system parallelization The basic operating principle for multi-system parallelization is similar to the mechanism explained in section 2. The key difference is that you need to @@ -176,7 +184,7 @@ It is *not* advisable to skip the synchronization script and run the fuzzers directly on a network filesystem; unexpected latency and unkillable processes in I/O wait state can mess things up. -## 4) Remote monitoring and data collection +## 5) Remote monitoring and data collection You can use screen, nohup, tmux, or something equivalent to run remote instances of afl-fuzz. If you redirect the program's output to a file, it will 
@@ -200,7 +208,7 @@ Keep in mind that crashing inputs are *not* automatically propagated to the main instance, so you may still want to monitor for crashes fleet-wide from within your synchronization or health checking scripts (see afl-whatsup). -## 5) Asymmetric setups +## 6) Asymmetric setups It is perhaps worth noting that all of the following is permitted: diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c9f84c61..cf4254ac 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -347,6 +347,13 @@ struct afl_pass_stat { }; +struct foreign_sync { + + u8 * dir; + time_t ctime; + +}; + typedef struct afl_state { /* Position of this state in the global states list */ @@ -574,6 +581,11 @@ typedef struct afl_state { u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ +/* foreign sync */ +#define FOREIGN_SYNCS_MAX 32 + u8 foreign_sync_cnt; + struct foreign_sync foreign_syncs[FOREIGN_SYNCS_MAX]; + #ifdef _AFL_DOCUMENT_MUTATIONS u8 do_document; u32 document_counter; @@ -937,6 +949,7 @@ void fix_up_banner(afl_state_t *, u8 *); void check_if_tty(afl_state_t *); void setup_signal_handlers(void); void save_cmdline(afl_state_t *, u32, char **); +void read_foreign_testcases(afl_state_t *, int); /* CmpLog */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 609e16ba..65ad0c9f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
@@ -438,6 +438,159 @@ static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { } +/* Read all testcases from foreign input directories, then queue them for + testing. Called at startup and at sync intervals. + Does not descend into subdirectories! */ + +void read_foreign_testcases(afl_state_t *afl, int first) { + + if (!afl->foreign_sync_cnt) return; + + struct dirent **nl; + s32 nl_cnt; + u32 i, iter; + + u8 val_buf[2][STRINGIFY_VAL_SIZE_MAX]; + + for (iter = 0; iter < afl->foreign_sync_cnt; iter++) { + + if (afl->foreign_syncs[iter].dir != NULL && + afl->foreign_syncs[iter].dir[0] != 0) { + + if (first) ACTF("Scanning '%s'...", afl->foreign_syncs[iter].dir); + time_t ctime_max = 0; + + /* We use scandir() + alphasort() rather than readdir() because otherwise, + the ordering of test cases would vary somewhat randomly and would be + difficult to control. */ + + nl_cnt = scandir(afl->foreign_syncs[iter].dir, &nl, NULL, NULL); + + if (nl_cnt < 0) { + + if (first) { + + WARNF("Unable to open directory '%s'", afl->foreign_syncs[iter].dir); + sleep(1); + + } + + continue; + + } + + if (nl_cnt == 0) { + + if (first) + WARNF("directory %s is currently empty", + afl->foreign_syncs[iter].dir); + continue; + + } + + /* Show stats */ + + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "foreign sync %u", iter); + + afl->stage_name = afl->stage_name_buf; + afl->stage_cur = 0; + afl->stage_max = 0; + + for (i = 0; i < nl_cnt; ++i) { + + struct stat st; + + u8 *fn2 = + alloc_printf("%s/%s", afl->foreign_syncs[iter].dir, nl[i]->d_name); + + free(nl[i]); /* not tracked */ + + if (unlikely(lstat(fn2, &st) || access(fn2, R_OK))) { + + if (first) PFATAL("Unable to access '%s'", fn2); + continue; + + } + + /* we detect new files by their ctime */ + if (likely(st.st_ctime <= afl->foreign_syncs[iter].ctime)) { + + ck_free(fn2); + continue; + + } + + /* This also takes care of . and .. 
*/ + + if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) { + + ck_free(fn2); + continue; + + } + + if (st.st_size > MAX_FILE) { + + if (first) + WARNF( + "Test case '%s' is too big (%s, limit is %s), skipping", fn2, + stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size), + stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE)); + ck_free(fn2); + continue; + + } + + // lets do not use add_to_queue(afl, fn2, st.st_size, 0); + // as this could add duplicates of the startup input corpus + + int fd = open(fn2, O_RDONLY); + if (fd < 0) { + + ck_free(fn2); + continue; + + } + + u8 fault; + u8 *mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + + if (mem == MAP_FAILED) { + + ck_free(fn2); + continue; + + } + + write_to_testcase(afl, mem, st.st_size); + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + afl->syncing_party = "foreign"; + afl->queued_imported += + save_if_interesting(afl, mem, st.st_size, fault); + afl->syncing_party = 0; + munmap(mem, st.st_size); + close(fd); + + if (st.st_ctime > ctime_max) ctime_max = st.st_ctime; + + } + + afl->foreign_syncs[iter].ctime = ctime_max; + free(nl); /* not tracked */ + + } + + } + + if (first) { + + afl->last_path_time = 0; + afl->queued_at_start = afl->queued_paths; + + } + +} + /* Read all testcases from the input directory, then queue them for testing. Called at startup. */ @@ -530,6 +683,7 @@ void read_testcases(afl_state_t *afl) { WARNF("Test case '%s' is too big (%s, limit is %s), skipping", fn2, stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size), stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE)); + ck_free(fn2); continue; } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 2a1664e2..6e3be72b 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
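Review bot: The comment above `scandir(afl->foreign_syncs[iter].dir, &nl, NULL, NULL)` in read_foreign_testcases says alphasort() is used, but the compar argument is NULL, so entries arrive in whatever order the filesystem returns; either pass `alphasort` or reword the comment to say ordering does not matter here because only the ctime high-water mark is used. That high-water mark has one-second granularity on filesystems without nanosecond ctime: a file the foreign fuzzer writes later in the same second as the last one processed gets `st_ctime == ctime_max` and is dropped by the `<=` test on the next pass, so re-examining entries whose ctime equals the stored value (at the cost of re-running a few duplicates, which save_if_interesting presumably rejects) closes the gap. The directory is being written concurrently by another process, so `mmap(0, st.st_size, ...)` can cover a file that has since been truncated, and touching those pages can raise SIGBUS in afl-fuzz itself rather than in the target; a bounded read() into a buffer, now that the size has been checked against MAX_FILE, avoids that. Note also that the `first` branches, including the PFATAL on an unreadable entry, are unreachable while the startup call in main stays commented out.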
@@ -612,6 +612,8 @@ void sync_fuzzers(afl_state_t *afl) { } + if (afl->foreign_sync_cnt) read_foreign_testcases(afl, 0); + } /* Trim all new test cases to save cycles when doing deterministic checks. The diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index df2896d2..f03c545d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -131,10 +131,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "executions.\n\n" "Other stuff:\n" - " -T text - text banner to show on the screen\n" " -M/-S id - distributed mode (see docs/parallel_fuzzing.md)\n" " use -D to force -S secondary to perform deterministic " "fuzzing\n" + " -F path - sync to a foreign fuzzer queue directory (requires " + "-M, can\n" + " be specified up to %u times)\n" + " -T text - text banner to show on the screen\n" " -I command - execute this command/script when a new crash is " "found\n" //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap @@ -142,7 +145,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { " -C - crash exploration mode (the peruvian rabbit thing)\n" " -e ext - file extension for the fuzz test input file (if " "needed)\n\n", - argv0, EXEC_TIMEOUT, MEM_LIMIT); + argv0, EXEC_TIMEOUT, MEM_LIMIT, FOREIGN_SYNCS_MAX); if (more_help > 1) { @@ -403,6 +406,19 @@ int main(int argc, char **argv_orig, char **envp) { afl->use_splicing = 1; break; + case 'F': /* foreign sync dir */ + + if (!afl->is_main_node) + FATAL( + "Option -F can only be specified after the -M option for the " + "main fuzzer of a fuzzing campaign"); + if (afl->foreign_sync_cnt >= FOREIGN_SYNCS_MAX) + FATAL("Maximum %u entried of -F option can be specified", + FOREIGN_SYNCS_MAX); + afl->foreign_syncs[afl->foreign_sync_cnt].dir = optarg; + afl->foreign_sync_cnt++; + break; + case 'f': /* target file */ if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); } 
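Review bot: The -F handler in the @@ -403 hunk rejects the option unless -M has already been parsed, so `-F dir -M main` fails while `-M main -F dir` works; getopt options are normally order-independent, so the check belongs after the parsing loop, `if (afl->foreign_sync_cnt && !afl->is_main_node) FATAL("-F requires -M");`, and the usage text then no longer needs the "after the -M option" caveat. The cap message is user-visible and has a typo: `"Maximum %u entries for the -F option can be specified"`. The sync_fuzzers call site in the first hunk repeats the `foreign_sync_cnt` test that read_foreign_testcases performs on its first line; one of the two can go.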
@@ -1059,6 +1075,8 @@ int main(int argc, char **argv_orig, char **envp) { setup_cmdline_file(afl, argv + optind); read_testcases(afl); + // read_foreign_testcases(afl, 1); for the moment dont do this + load_auto(afl); pivot_inputs(afl); -- cgit 1.4.1 From 30c09915432af7a9e98f9b4d8b09566731e0cca9 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 24 Jul 2020 13:26:07 +0200 Subject: better text mutation --- include/afl-fuzz.h | 2 +- include/config.h | 7 +- src/afl-fuzz-one.c | 341 +++++++++++++++++++++++++----------------------- src/afl-fuzz-redqueen.c | 142 ++++++++++---------- src/afl-fuzz-state.c | 7 + src/afl-fuzz.c | 2 +- 6 files changed, 261 insertions(+), 240 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 96d3d9f4..0e2b7458 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -334,7 +334,7 @@ typedef struct afl_env_vars { afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui, afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_bench_until_crash, afl_debug_child_output, afl_autoresume, - afl_cal_fast, afl_cycle_schedules; + afl_cal_fast, afl_cycle_schedules, afl_expand_havoc; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, *afl_preload; diff --git a/include/config.h b/include/config.h index 9710cd1f..344a368f 100644 --- a/include/config.h +++ b/include/config.h @@ -403,15 +403,14 @@ /* Text mutations */ -/* What is the minimum length of a queue input to be evaluated for "is_ascii"? -+ */ +/* Minimum length of a queue input to be evaluated for "is_ascii"? */ #define AFL_TXT_MIN_LEN 12 /* What is the minimum percentage of ascii characters present to be classifed as "is_ascii"? */ -#define AFL_TXT_MIN_PERCENT 95 +#define AFL_TXT_MIN_PERCENT 94 /* How often to perform ASCII mutations 0 = disable, 1-8 are good values */ 
@@ -423,7 +422,7 @@ /* Maximum mutations on a string */ -#define AFL_TXT_STRING_MAX_MUTATIONS 8 +#define AFL_TXT_STRING_MAX_MUTATIONS 6 #endif /* ! _HAVE_CONFIG_H */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 7f96c2c6..dc19150d 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -559,13 +559,25 @@ static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from, /* Returns 1 if a mutant was generated and placed in out_buf, 0 if none * generated. */ +static const uint8_t text_mutation_special_chars[] = { + + '\t', '\n', '\r', ' ', '!', '"', '$', '%', '&', '\'', '(', ')', '*', + '+', ',', '-', '.', '/', ':', ';', '<', '=', '>', '?', '@', '[', + '\\', ']', '^', '_', '`', '{', '|', '}', '~', ' ' // space is here twice + +}; + static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { + if (*orig_temp_len < AFL_TXT_MIN_LEN) { return 0; } + s32 temp_len; u32 pos, yes = 0, - mutations = rand_below(afl, AFL_TXT_STRING_MAX_MUTATIONS) + 1; - u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), - *orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS +1); + mutations = rand_below(afl, AFL_TXT_STRING_MAX_MUTATIONS) + 16; + u8 *new_buf = + ck_maybe_grow(BUF_PARAMS(out_scratch), + *orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS + 16); + u8 fromc[2] = {0, 0}, toc[2] = {0, 0}; temp_len = *orig_temp_len; memcpy(new_buf, *out_buf, temp_len); new_buf[temp_len] = 0; @@ -575,9 +587,12 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { if (temp_len < AFL_TXT_MIN_LEN) { return 0; } pos = rand_below(afl, temp_len - 1); - int choice = rand_below(afl, 80); + int choice = rand_below(afl, 100); + switch (choice) { + /* 50% -> fixed replacements */ + case 0: /* Semantic statement deletion */ yes += string_replace(&new_buf, &temp_len, pos, "\n", "#"); break; 
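Review bot: In the text_mutation hunk the literal 16 appears twice with different meanings, as the floor of the mutation count (`rand_below(afl, AFL_TXT_STRING_MAX_MUTATIONS) + 16`) and as part of the scratch headroom (`*orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS + 16`), and the headroom only works out if each of the up-to-21 mutations grows the buffer by at most one byte, which holds for the visible one-byte replacements (`<` to `<<`, `=` to `==`) but is stated nowhere. A named constant and a comment would pin the invariant: `#define AFL_TXT_MIN_MUTATIONS 16` next to AFL_TXT_STRING_MAX_MUTATIONS in config.h, and `/* each mutation may grow the buffer by at most one byte, hence the headroom */` at the ck_maybe_grow call; if string_replace already regrows new_buf itself (it receives &new_buf, so it may), say that instead and drop the headroom. `fromc`/`toc` are introduced here but not used within the hunk, and the rest of text_mutation lies outside it.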
@@ -624,246 +639,240 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { yes += string_replace(&new_buf, &temp_len, pos, "+", "-"); break; case 15: - yes += string_replace(&new_buf, &temp_len, pos, "+", "*"); + yes += string_replace(&new_buf, &temp_len, pos, "-", "+"); break; case 16: - yes += string_replace(&new_buf, &temp_len, pos, "+", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "0", "1"); break; case 17: - yes += string_replace(&new_buf, &temp_len, pos, "+", "%"); + yes += string_replace(&new_buf, &temp_len, pos, "1", "0"); break; case 18: - yes += string_replace(&new_buf, &temp_len, pos, "*", "-"); + yes += string_replace(&new_buf, &temp_len, pos, "&&", "||"); break; case 19: - yes += string_replace(&new_buf, &temp_len, pos, "*", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "||", "&&"); break; case 20: - yes += string_replace(&new_buf, &temp_len, pos, "*", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "!", ""); break; case 21: - yes += string_replace(&new_buf, &temp_len, pos, "*", "%"); + yes += string_replace(&new_buf, &temp_len, pos, "==", "="); break; case 22: - yes += string_replace(&new_buf, &temp_len, pos, "-", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "=", "=="); break; case 23: - yes += string_replace(&new_buf, &temp_len, pos, "-", "*"); + yes += string_replace(&new_buf, &temp_len, pos, "--", ""); break; case 24: - yes += string_replace(&new_buf, &temp_len, pos, "-", "/"); + yes += string_replace(&new_buf, &temp_len, pos, "<<", "<"); break; case 25: - yes += string_replace(&new_buf, &temp_len, pos, "-", "%"); + yes += string_replace(&new_buf, &temp_len, pos, ">>", ">"); break; case 26: - yes += string_replace(&new_buf, &temp_len, pos, "/", "-"); + yes += string_replace(&new_buf, &temp_len, pos, "<", "<<"); break; case 27: - yes += string_replace(&new_buf, &temp_len, pos, "/", "*"); + yes += string_replace(&new_buf, &temp_len, pos, ">", ">>"); break; case 28: - yes += 
string_replace(&new_buf, &temp_len, pos, "/", "+"); + yes += string_replace(&new_buf, &temp_len, pos, "'", "\""); break; case 29: - yes += string_replace(&new_buf, &temp_len, pos, "/", "%"); - break; - case 30: - yes += string_replace(&new_buf, &temp_len, pos, "%", "-"); - break; - case 31: - yes += string_replace(&new_buf, &temp_len, pos, "%", "*"); - break; - case 32: - yes += string_replace(&new_buf, &temp_len, pos, "%", "/"); - break; - case 33: - yes += string_replace(&new_buf, &temp_len, pos, "%", "+"); - break; - case 34: - yes += string_replace(&new_buf, &temp_len, pos, " ", "|"); - break; - case 35: - yes += string_replace(&new_buf, &temp_len, pos, " ", "$"); - break; - case 36: - yes += string_replace(&new_buf, &temp_len, pos, "0", "1"); - break; - case 37: - yes += string_replace(&new_buf, &temp_len, pos, "1", "0"); - break; - case 38: - yes += string_replace(&new_buf, &temp_len, pos, " ", "`"); - break; - case 39: - yes += string_replace(&new_buf, &temp_len, pos, " ", "\""); - break; - case 40: - yes += string_replace(&new_buf, &temp_len, pos, ";", " "); - break; - case 41: - yes += string_replace(&new_buf, &temp_len, pos, "&&", "||"); - break; - case 42: - yes += string_replace(&new_buf, &temp_len, pos, "||", "&&"); - break; - case 43: - yes += string_replace(&new_buf, &temp_len, pos, "!", ""); - break; - case 44: - yes += string_replace(&new_buf, &temp_len, pos, "==", "="); - break; - case 45: - yes += string_replace(&new_buf, &temp_len, pos, "--", ""); - break; - case 46: - yes += string_replace(&new_buf, &temp_len, pos, "<<", "<"); - break; - case 47: - yes += string_replace(&new_buf, &temp_len, pos, ">>", ">"); - break; - case 48: - yes += string_replace(&new_buf, &temp_len, pos, "<", "<<"); - break; - case 49: - yes += string_replace(&new_buf, &temp_len, pos, ">", ">>"); - break; - case 50: yes += string_replace(&new_buf, &temp_len, pos, "\"", "'"); break; - case 51: - yes += string_replace(&new_buf, &temp_len, pos, "'", "\""); - break; - case 52: 
- yes += string_replace(&new_buf, &temp_len, pos, "(", "\""); - break; - case 53: /* Remove a semicolon delimited statement after a semicolon */ + case 30: /* Remove a semicolon delimited statement after a semicolon */ yes += delim_replace(&new_buf, &temp_len, pos, ";", ";", ";"); break; - case 54: /* Remove a semicolon delimited statement after a left curly + case 31: /* Remove a semicolon delimited statement after a left curly brace */ yes += delim_replace(&new_buf, &temp_len, pos, "}", ";", "}"); break; - case 55: /* Remove a curly brace construct */ + case 32: /* Remove a curly brace construct */ yes += delim_replace(&new_buf, &temp_len, pos, "{", "}", ""); break; - case 56: /* Replace a curly brace construct with an empty one */ + case 33: /* Replace a curly brace construct with an empty one */ yes += delim_replace(&new_buf, &temp_len, pos, "{", "}", "{}"); break; - case 57: + case 34: yes += delim_swap(&new_buf, &temp_len, pos, ";", ";", ";"); break; - case 58: + case 35: yes += delim_swap(&new_buf, &temp_len, pos, "}", ";", ";"); break; - case 59: /* Swap comma delimited things case 1 */ + case 36: /* Swap comma delimited things case 1 */ yes += delim_swap(&new_buf, &temp_len, pos, "(", ",", ")"); break; - case 60: /* Swap comma delimited things case 2 */ + case 37: /* Swap comma delimited things case 2 */ yes += delim_swap(&new_buf, &temp_len, pos, "(", ",", ","); break; - case 61: /* Swap comma delimited things case 3 */ + case 38: /* Swap comma delimited things case 3 */ yes += delim_swap(&new_buf, &temp_len, pos, ",", ",", ","); break; - case 62: /* Swap comma delimited things case 4 */ + case 39: /* Swap comma delimited things case 4 */ yes += delim_swap(&new_buf, &temp_len, pos, ",", ",", ")"); break; - case 63: /* Just delete a line */ + case 40: /* Just delete a line */ yes += delim_replace(&new_buf, &temp_len, pos, "\n", "\n", ""); break; - case 64: /* Delete something like "const" case 1 */ + case 41: /* Delete something like "const" case 1 */ yes 
+= delim_replace(&new_buf, &temp_len, pos, " ", " ", ""); break; - case 65: /* Delete something like "const" case 2 */ + case 42: /* Delete something like "const" case 2 */ yes += delim_replace(&new_buf, &temp_len, pos, "\n", " ", ""); break; - case 66: /* Delete something like "const" case 3 */ + case 43: /* Delete something like "const" case 3 */ yes += delim_replace(&new_buf, &temp_len, pos, "(", " ", ""); break; - case 67: /* Swap space delimited things case 1 */ + case 44: /* Swap space delimited things case 1 */ yes += delim_swap(&new_buf, &temp_len, pos, " ", " ", " "); break; - case 68: /* Swap space delimited things case 2 */ + case 45: /* Swap space delimited things case 2 */ yes += delim_swap(&new_buf, &temp_len, pos, " ", " ", ")"); break; - case 69: /* Swap space delimited things case 3 */ + case 46: /* Swap space delimited things case 3 */ yes += delim_swap(&new_buf, &temp_len, pos, "(", " ", " "); break; - case 70: /* Swap space delimited things case 4 */ + case 47: /* Swap space delimited things case 4 */ yes += delim_swap(&new_buf, &temp_len, pos, "(", " ", ")"); break; - case 71: /* Duplicate a single line of code */ + case 48: /* Duplicate a single line of code */ yes += delim_replace(&new_buf, &temp_len, pos, "\n", "\n", NULL); break; - case 72: /* Duplicate a construct (most often, a non-nested for loop */ + case 49: /* Duplicate a construct (most often, a non-nested for loop */ yes += delim_replace(&new_buf, &temp_len, pos, "\n", "}", NULL); break; default: { - - for (u32 j = pos; j < temp_len; ++j) { - if (isdigit(new_buf[j])) { - - new_buf[temp_len] = 0; // should be safe thanks to the initial grow - - u8* endptr; - unsigned long long num = strtoull(new_buf +j, (char**)&endptr, 0); - - switch (rand_below(afl, 8)) { - case 0: - num = rand_below(afl, INT_MAX); - break; - case 1: - num = rand_next(afl); - break; - case 2: - num += 1 + rand_below(afl, 255); - break; - case 3: - num -= 1 + rand_below(afl, 255); - break; - case 4: - num *= 1 + 
rand_below(afl, 255); - break; - case 5: - num /= 1 + rand_below(afl, 255); - break; - case 6: - num /= 1 + rand_below(afl, 255); - break; - case 7: - num = ~num; - break; - } - - const char* fmt = "%llu"; - if (rand_below(afl, 5) == 0) // add - sign with 1/5 probability - fmt = "-%llu"; - - size_t num_len = snprintf(NULL, 0, fmt, num); - size_t old_len = endptr - (new_buf +j); - if (num_len < old_len) { - memmove(new_buf +j +num_len, new_buf +j +old_len, temp_len - (j + old_len)); - snprintf(new_buf +j, num_len, fmt, num); - temp_len -= old_len - num_len; - } else if (num_len == old_len) { - snprintf(new_buf +j, num_len, fmt, num); - } else { - new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + (num_len - old_len) + AFL_TXT_STRING_MAX_MUTATIONS +1); - memmove(new_buf +j +num_len, new_buf +j +old_len, temp_len - (j + old_len)); - snprintf(new_buf +j, num_len, fmt, num); - temp_len += num_len - old_len; + + /* 10% is transforming ascii numbers */ + + if (choice < 60) { + + for (u32 j = pos; j < temp_len; ++j) { + + if (isdigit(new_buf[j])) { + + new_buf[temp_len] = + 0; // should be safe thanks to the initial grow + + u8 * endptr; + unsigned long long num = + strtoull(new_buf + j, (char **)&endptr, 0); + + switch (rand_below(afl, 8)) { + + case 0: + num = rand_below(afl, INT_MAX); + break; + case 1: + num = rand_next(afl); + break; + case 2: + num += 1 + rand_below(afl, 255); + break; + case 3: + num -= 1 + rand_below(afl, 255); + break; + case 4: + num *= 1 + rand_below(afl, 255); + break; + case 5: + num /= 1 + rand_below(afl, 255); + break; + case 6: + num /= 1 + rand_below(afl, 255); + break; + case 7: + num = ~num; + break; + + } + + const char *fmt = "%llu"; + if (rand_below(afl, 5) == 0) // add - sign with 1/5 probability + fmt = "-%llu"; + + size_t num_len = snprintf(NULL, 0, fmt, num); + size_t old_len = endptr - (new_buf + j); + if (num_len < old_len) { + + memmove(new_buf + j + num_len, new_buf + j + old_len, + temp_len - (j + old_len)); + 
snprintf(new_buf + j, num_len, fmt, num); + temp_len -= old_len - num_len; + + } else if (num_len == old_len) { + + snprintf(new_buf + j, num_len, fmt, num); + + } else { + + new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), + temp_len + (num_len - old_len) + + AFL_TXT_STRING_MAX_MUTATIONS + 1); + memmove(new_buf + j + num_len, new_buf + j + old_len, + temp_len - (j + old_len)); + snprintf(new_buf + j, num_len, fmt, num); + temp_len += num_len - old_len; + + } + + yes += 1; + break; + } - yes += 1; - break; - } + + } else if (choice < 90) { + + /* 30% is special character transform */ + + fromc[0] = text_mutation_special_chars[rand_below( + afl, sizeof(text_mutation_special_chars))]; + + do { + + toc[0] = text_mutation_special_chars[rand_below( + afl, sizeof(text_mutation_special_chars))]; + + } while (toc[0] == fromc[0]); + + yes += string_replace(&new_buf, &temp_len, pos, fromc, toc); + break; + + } else { + + /* 10% is random text character transform */ + + u32 iter, cnt, loc, prev_loc = temp_len; + if (temp_len > 32) { + + cnt = 1 + rand_below(afl, 5); + + } else { + + cnt = rand_below(afl, 2); + + } + + for (iter = 0; iter <= cnt; iter++) { + + while ((loc = rand_below(afl, temp_len)) == prev_loc) + ; + new_buf[loc] = 32 + rand_below(afl, 'z' - ' ' + 1); + prev_loc = loc; + + } + } - + } } - + } if (yes == 0 || temp_len <= 0) { return 0; } @@ -871,7 +880,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); *out_buf = new_buf; *orig_temp_len = temp_len; - + return 1; } diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index de3adb2d..57e60c3d 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c 
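Review bot: `snprintf(new_buf + j, num_len, fmt, num)` in the ascii-number branch drops the last digit and embeds a NUL in the testcase: `num_len` comes from `snprintf(NULL, 0, fmt, num)`, which excludes the terminator, so a buffer size of `num_len` writes only `num_len - 1` characters and then `'\0'` at `new_buf[j + num_len - 1]`. All three branches (shrink, equal, grow) share this; format into a small scratch buffer and copy the digits, e.g. `char tmp[32]; snprintf(tmp, sizeof tmp, fmt, num); memcpy(new_buf + j, tmp, num_len);`. The same `snprintf(new_buf + idx, num_len, "%lld", num)` / `"%llu"` pattern appears in the afl-fuzz-redqueen.c cmp_extend_encoding hunk of this commit. Separately, `case 5` and `case 6` of the inner `switch (rand_below(afl, 8))` are identical (`num /= 1 + rand_below(afl, 255);`), so one of them is probably meant to be a different operation. text_mutation starts outside this hunk.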
@@ -264,49 +264,53 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { } static long long strntoll(const char *str, size_t sz, char **end, int base) { - char buf[64]; - long long ret; - const char *beg = str; - - for (; beg && sz && *beg == ' '; beg++, sz--) - ; - - if (!sz || sz >= sizeof(buf)) { - if (end) - *end = (char *)str; - return 0; - } - - memcpy(buf, beg, sz); - buf[sz] = '\0'; - ret = strtoll(buf, end, base); - if (ret == LLONG_MIN || ret == LLONG_MAX) - return ret; - if (end) - *end = (char *)beg + (*end - buf); - return ret; + + char buf[64]; + long long ret; + const char *beg = str; + + for (; beg && sz && *beg == ' '; beg++, sz--) + ; + + if (!sz || sz >= sizeof(buf)) { + + if (end) *end = (char *)str; + return 0; + + } + + memcpy(buf, beg, sz); + buf[sz] = '\0'; + ret = strtoll(buf, end, base); + if (ret == LLONG_MIN || ret == LLONG_MAX) return ret; + if (end) *end = (char *)beg + (*end - buf); + return ret; + } -static unsigned long long strntoull(const char *str, size_t sz, char **end, int base) { - char buf[64]; - unsigned long long ret; - const char *beg = str; - - for (; beg && sz && *beg == ' '; beg++, sz--) - ; - - if (!sz || sz >= sizeof(buf)) { - if (end) - *end = (char *)str; - return 0; - } - - memcpy(buf, beg, sz); - buf[sz] = '\0'; - ret = strtoull(buf, end, base); - if (end) - *end = (char *)beg + (*end - buf); - return ret; +static unsigned long long strntoull(const char *str, size_t sz, char **end, + int base) { + + char buf[64]; + unsigned long long ret; + const char * beg = str; + + for (; beg && sz && *beg == ' '; beg++, sz--) + ; + + if (!sz || sz >= sizeof(buf)) { + + if (end) *end = (char *)str; + return 0; + + } + + memcpy(buf, beg, sz); + buf[sz] = '\0'; + ret = strtoull(buf, end, base); + if (end) *end = (char *)beg + (*end - buf); + return ret; + } #define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size 
@@ -328,49 +332,51 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 its_len = len - idx; // *status = 0; - u8 *endptr; - u8 use_num = 0, use_unum = 0; + u8 * endptr; + u8 use_num = 0, use_unum = 0; unsigned long long unum; - long long num; + long long num; if (afl->queue_cur->is_ascii) { - + endptr = buf_8; - num = strntoll(buf_8, len - idx, (char**)&endptr, 0); + num = strntoll(buf_8, len - idx, (char **)&endptr, 0); if (endptr == buf_8) { - unum = strntoull(buf_8, len - idx, (char**)&endptr, 0); - if (endptr == buf_8) - use_unum = 1; + + unum = strntoull(buf_8, len - idx, (char **)&endptr, 0); + if (endptr == buf_8) use_unum = 1; + } else + use_num = 1; - + } - + if (use_num && num == pattern) { - + size_t old_len = endptr - buf_8; size_t num_len = snprintf(NULL, 0, "%lld", num); - - u8* new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len); + + u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len); memcpy(new_buf, buf, idx); - - snprintf(new_buf +idx, num_len, "%lld", num); - memcpy(new_buf +idx +num_len, buf_8 + old_len, len - idx - old_len); - + + snprintf(new_buf + idx, num_len, "%lld", num); + memcpy(new_buf + idx + num_len, buf_8 + old_len, len - idx - old_len); + if (unlikely(its_fuzz(afl, new_buf, len, status))) { return 1; } - + } else if (use_unum && unum == pattern) { - + size_t old_len = endptr - buf_8; size_t num_len = snprintf(NULL, 0, "%llu", unum); - - u8* new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len); + + u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len); memcpy(new_buf, buf, idx); - - snprintf(new_buf +idx, num_len, "%llu", unum); - memcpy(new_buf +idx +num_len, buf_8 + old_len, len - idx - old_len); - + + snprintf(new_buf + idx, num_len, "%llu", unum); + memcpy(new_buf + idx + num_len, buf_8 + old_len, len - idx - old_len); + if (unlikely(its_fuzz(afl, new_buf, len, status))) { return 1; } - + } if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) { 
@@ -382,7 +388,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, *buf_64 = pattern; } - + // reverse encoding if (do_reverse && *status != 1) { diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index f68a79e8..66280ed1 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -300,6 +300,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->cycle_schedules = afl->afl_env.afl_cycle_schedules = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_EXPAND_HAVOC_NOW", + + afl_environment_variable_len)) { + + afl->expand_havoc = afl->afl_env.afl_expand_havoc = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_CAL_FAST", afl_environment_variable_len)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 553300e9..c014035e 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1275,7 +1275,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->expand_havoc = 2; break; case 2: - //afl->cycle_schedules = 1; + // afl->cycle_schedules = 1; afl->expand_havoc = 3; break; case 3: -- cgit 1.4.1 From ecb0601bc1e90b3379030644556a0d8d51182c0d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 24 Jul 2020 13:42:39 +0200 Subject: massage chances --- src/afl-fuzz-one.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index dc19150d..98d9875e 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -746,9 +746,9 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { break; default: { - /* 10% is transforming ascii numbers */ + /* 5% is transforming ascii numbers */ - if (choice < 60) { + if (choice < 55) { for (u32 j = pos; j < temp_len; ++j) { @@ -826,7 +826,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { } - } else if (choice < 90) { + } else if (choice < 85) { /* 30% is special character transform */ 
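Review bot: In the afl-fuzz-state.c hunk the new `else if (!strncmp(env, "AFL_EXPAND_HAVOC_NOW",` condition is split across three added lines with an empty `+` line between the string and `afl_environment_variable_len))`, unlike the sibling `AFL_CAL_FAST` branch directly below that keeps the call on one line; format it the same way. The branch is presumably only reached if `AFL_EXPAND_HAVOC_NOW` is also listed in `afl_environment_variables[]`, which this diff does not show — worth confirming. read_afl_environment begins outside this hunk.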
@@ -845,7 +845,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { } else { - /* 10% is random text character transform */ + /* 15% is random text character transform */ u32 iter, cnt, loc, prev_loc = temp_len; if (temp_len > 32) { -- cgit 1.4.1 From 7e4703c3282af86641d59a196fccb06df4ab6316 Mon Sep 17 00:00:00 2001 From: HAPPY Date: Sun, 26 Jul 2020 20:10:24 +0800 Subject: Fix typo for afl_custom_deinit (#470) --- src/afl-fuzz-mutators.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 17a68ff8..ed777811 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -168,7 +168,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_deinit", optional for backward compatibility */ mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_deinit' not found."); /* "afl_custom_post_process", optional */ mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); -- cgit 1.4.1 From ff107714f1af1bd908a35ce54701da1eca8ce25d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 26 Jul 2020 15:00:44 +0200 Subject: remove test input mutation in havoc --- src/afl-fuzz-one.c | 153 ++++++++++++++++++++++++++++------------------------- 1 file changed, 80 insertions(+), 73 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 98d9875e..f8680100 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -27,9 +27,9 @@ #include #include -static u8 *strnstr(const u8 *s, const u8 *find, size_t slen); +/* static u8 *strnstr(const u8 *s, const u8 *find, size_t slen); static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from, - u8 *to); + u8 *to); */ /* MOpt */ 
@@ -370,6 +370,7 @@ static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) { #define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size +#if 0 /* search a string */ static u8 *strnstr(const u8 *s, const u8 *find, size_t slen) { @@ -591,7 +592,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { switch (choice) { - /* 50% -> fixed replacements */ + /* 50% -> fixed replacements */ case 0: /* Semantic statement deletion */ yes += string_replace(&new_buf, &temp_len, pos, "\n", "#"); @@ -885,6 +886,8 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { } +#endif /* if 0 */ + /* Take the current entry from the queue, fuzz it for a while. This function is a tad too long... returns 0 if fuzzed successfully, 1 if skipped or bailed out. */ @@ -2384,8 +2387,8 @@ havoc_stage: /* add expensive havoc cases here, they are activated after a full cycle without finds happened */ - r_max = 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0) + - (afl->queue_cur->is_ascii ? AFL_TXT_BIAS : 0); + r_max = 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0); + /* + (afl->queue_cur->is_ascii ? AFL_TXT_BIAS : 0); */ } else { @@ -2435,7 +2438,7 @@ havoc_stage: } - retry_havoc: + // retry_havoc: switch ((r = rand_below(afl, r_max))) { 
@@ -2818,116 +2821,120 @@ havoc_stage: } - } else + } else { - switch (r) { + /* + switch (r) { - case 15: // fall through - case 17: { + case 15: // fall through + case 16: + case 17: {*/ - /* Overwrite bytes with a randomly selected chunk from another - testcase or insert that chunk. */ + /* Overwrite bytes with a randomly selected chunk from another + testcase or insert that chunk. */ - if (afl->queued_paths < 2) break; + if (afl->queued_paths < 4) break; - /* Pick a random queue entry and seek to it. */ + /* Pick a random queue entry and seek to it. */ - u32 tid; - do - tid = rand_below(afl, afl->queued_paths); - while (tid == afl->current_entry); + u32 tid; + do + tid = rand_below(afl, afl->queued_paths); + while (tid == afl->current_entry); - struct queue_entry *target = afl->queue_buf[tid]; + struct queue_entry *target = afl->queue_buf[tid]; - /* Make sure that the target has a reasonable length. */ + /* Make sure that the target has a reasonable length. */ - while (target && (target->len < 2 || target == afl->queue_cur)) - target = target->next; + while (target && (target->len < 2 || target == afl->queue_cur)) + target = target->next; - if (!target) break; + if (!target) break; - /* Read the testcase into a new buffer. */ + /* Read the testcase into a new buffer. 
*/ - fd = open(target->fname, O_RDONLY); + fd = open(target->fname, O_RDONLY); - if (unlikely(fd < 0)) { + if (unlikely(fd < 0)) { - PFATAL("Unable to open '%s'", target->fname); + PFATAL("Unable to open '%s'", target->fname); - } + } - u32 new_len = target->len; - u8 *new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), new_len); + u32 new_len = target->len; + u8 *new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), new_len); - ck_read(fd, new_buf, new_len, target->fname); + ck_read(fd, new_buf, new_len, target->fname); - close(fd); + close(fd); - u8 overwrite = 0; - if (temp_len >= 2 && rand_below(afl, 2)) - overwrite = 1; - else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) { + u8 overwrite = 0; + if (temp_len >= 2 && rand_below(afl, 2)) + overwrite = 1; + else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) { - if (temp_len >= 2) - overwrite = 1; - else - break; + if (temp_len >= 2) + overwrite = 1; + else + break; - } + } - if (overwrite) { + if (overwrite) { - u32 copy_from, copy_to, copy_len; + u32 copy_from, copy_to, copy_len; - copy_len = choose_block_len(afl, new_len - 1); - if (copy_len > temp_len) copy_len = temp_len; + copy_len = choose_block_len(afl, new_len - 1); + if (copy_len > temp_len) copy_len = temp_len; - copy_from = rand_below(afl, new_len - copy_len + 1); - copy_to = rand_below(afl, temp_len - copy_len + 1); + copy_from = rand_below(afl, new_len - copy_len + 1); + copy_to = rand_below(afl, temp_len - copy_len + 1); - memmove(out_buf + copy_to, new_buf + copy_from, copy_len); + memmove(out_buf + copy_to, new_buf + copy_from, copy_len); - } else { + } else { - u32 clone_from, clone_to, clone_len; + u32 clone_from, clone_to, clone_len; - clone_len = choose_block_len(afl, new_len); - clone_from = rand_below(afl, new_len - clone_len + 1); + clone_len = choose_block_len(afl, new_len); + clone_from = rand_below(afl, new_len - clone_len + 1); - clone_to = rand_below(afl, temp_len); + clone_to = rand_below(afl, temp_len); - u8 *temp_buf = 
ck_maybe_grow(BUF_PARAMS(out_scratch), - temp_len + clone_len); + u8 *temp_buf = + ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); - /* Head */ + /* Head */ - memcpy(temp_buf, out_buf, clone_to); + memcpy(temp_buf, out_buf, clone_to); - /* Inserted part */ + /* Inserted part */ - memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len); + memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len); - /* Tail */ - memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to, - temp_len - clone_to); + /* Tail */ + memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); - swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); - out_buf = temp_buf; - temp_len += clone_len; + swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); + out_buf = temp_buf; + temp_len += clone_len; - } + } - break; + break; - } + } + + /* default: - default: + // perform ascii mutations + if (text_mutation(afl, &out_buf, &temp_len) == 0) + goto retry_havoc; - // perform ascii mutations - if (text_mutation(afl, &out_buf, &temp_len) == 0) - goto retry_havoc; + } // end default: switch(r) - } // end default: switch(r) + */ } -- cgit 1.4.1 From 16e362d2b93a60d6c50fca6abfabd9976ca6142d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 26 Jul 2020 15:55:03 +0200 Subject: add last 60s exec/s stat --- include/afl-fuzz.h | 4 ++ src/afl-fuzz-mutators.c | 3 +- src/afl-fuzz-stats.c | 154 +++++++++++++++++++++++++--------------------- test/test-floatingpoint.c | 8 +-- 4 files changed, 93 insertions(+), 76 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index cf4254ac..c0c4cfd5 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h 
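Review bot: The restructured `} else {` arm keeps the former `switch (r)` header and its `default:` arm as block comments (`/* switch (r) { ... */` and `/* default: ... text_mutation ... */`) instead of deleting them; together with the `#if 0` and the commented-out prototypes in the earlier hunks of this commit that is a lot of dead code to carry, and git history already preserves it. The threshold change `if (afl->queued_paths < 4) break;` (was `< 2`) has no comment saying why fewer than four queue entries now disables the splice; add one. Note that the `break` statements in this arm now leave the enclosing `switch ((r = rand_below(afl, r_max)))` rather than the removed inner switch — this looks equivalent because the inner switch was the last statement of that arm, but the outer switch begins outside this hunk, so it is worth confirming.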
@@ -581,6 +581,10 @@ typedef struct afl_state { u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ + unsigned long long int last_avg_exec_update; + u32 last_avg_execs; + float last_avg_execs_saved; + /* foreign sync */ #define FOREIGN_SYNCS_MAX 32 u8 foreign_sync_cnt; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index ed777811..850266c2 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -168,7 +168,8 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_deinit", optional for backward compatibility */ mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_deinit' not found."); + if (!mutator->afl_custom_deinit) + FATAL("Symbol 'afl_custom_deinit' not found."); /* "afl_custom_post_process", optional */ mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index fc93011b..995f298e 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -39,7 +39,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, u8 fn[PATH_MAX]; s32 fd; FILE * f; - uint32_t t_bytes = count_non_255_bytes(afl, afl->virgin_bits); + u32 t_bytes = count_non_255_bytes(afl, afl->virgin_bits); snprintf(fn, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); 
@@ -67,89 +67,101 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, } + if ((unlikely(!afl->last_avg_exec_update || + cur_time - afl->last_avg_exec_update >= 60000))) { + + afl->last_avg_execs_saved = + (float)(1000*(afl->fsrv.total_execs - afl->last_avg_execs)) / + (float)(cur_time - afl->last_avg_exec_update); + afl->last_avg_execs = afl->fsrv.total_execs; + afl->last_avg_exec_update = cur_time; + + } + #ifndef __HAIKU__ if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } #endif - fprintf( - f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" - "fuzzer_pid : %u\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - // "real_execs_per_sec: %0.02f\n" // damn the name is too long - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" - "slowest_exec_ms : %u\n" - "peak_rss_mb : %lu\n" - "cpu_affinity : %d\n" - "edges_found : %u\n" - "var_byte_count : %u\n" - "afl_banner : %s\n" - "afl_version : " VERSION - "\n" - "target_mode : %s%s%s%s%s%s%s%s%s\n" - "command_line : %s\n", - afl->start_time / 1000, cur_time / 1000, - (cur_time - afl->start_time) / 1000, (u32)getpid(), - afl->queue_cycle ? 
(afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, - afl->fsrv.total_execs, - afl->fsrv.total_execs / - ((double)(get_cur_time() - afl->start_time) / 1000), - afl->queued_paths, afl->queued_favored, afl->queued_discovered, - afl->queued_imported, afl->max_depth, afl->current_entry, - afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, - stability, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, - afl->last_path_time / 1000, afl->last_crash_time / 1000, - afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, - afl->fsrv.exec_tmout, afl->slowest_exec_ms, + fprintf(f, + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "execs_ps_last_min : %0.02f\n" + "paths_total : %u\n" + "paths_favored : %u\n" + "paths_found : %u\n" + "paths_imported : %u\n" + "max_depth : %u\n" + "cur_path : %u\n" /* Must match find_start_position() */ + "pending_favs : %u\n" + "pending_total : %u\n" + "variable_paths : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" + "slowest_exec_ms : %u\n" + "peak_rss_mb : %lu\n" + "cpu_affinity : %d\n" + "edges_found : %u\n" + "var_byte_count : %u\n" + "afl_banner : %s\n" + "afl_version : " VERSION + "\n" + "target_mode : %s%s%s%s%s%s%s%s%s\n" + "command_line : %s\n", + afl->start_time / 1000, cur_time / 1000, + (cur_time - afl->start_time) / 1000, (u32)getpid(), + afl->queue_cycle ? 
(afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, + afl->fsrv.total_execs, + afl->fsrv.total_execs / + ((double)(get_cur_time() - afl->start_time) / 1000), + afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored, + afl->queued_discovered, afl->queued_imported, afl->max_depth, + afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, + afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, + afl->unique_hangs, afl->last_path_time / 1000, + afl->last_crash_time / 1000, afl->last_hang_time / 1000, + afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, + afl->slowest_exec_ms, #ifndef __HAIKU__ #ifdef __APPLE__ - (unsigned long int)(rus.ru_maxrss >> 20), + (unsigned long int)(rus.ru_maxrss >> 20), #else - (unsigned long int)(rus.ru_maxrss >> 10), + (unsigned long int)(rus.ru_maxrss >> 10), #endif #else - -1UL, + -1UL, #endif #ifdef HAVE_AFFINITY - afl->cpu_aff, + afl->cpu_aff, #else - -1, + -1, #endif - t_bytes, afl->var_byte_count, afl->use_banner, - afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", - afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", - afl->persistent_mode ? "persistent " : "", - afl->shmem_testcase_mode ? "shmem_testcase " : "", - afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->non_instrumented_mode || - afl->no_forkserver || afl->crash_mode || afl->persistent_mode || - afl->deferred_mode) - ? "" - : "default", - afl->orig_cmdline); + t_bytes, afl->var_byte_count, afl->use_banner, + afl->unicorn_mode ? "unicorn" : "", + afl->fsrv.qemu_mode ? "qemu " : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", + afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", + afl->deferred_mode ? 
"deferred " : "", + (afl->unicorn_mode || afl->fsrv.qemu_mode || + afl->non_instrumented_mode || afl->no_forkserver || + afl->crash_mode || afl->persistent_mode || afl->deferred_mode) + ? "" + : "default", + afl->orig_cmdline); /* ignore errors */ if (afl->debug) { diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index 083f0df5..acecd55a 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -8,16 +8,16 @@ __AFL_FUZZ_INIT(); int main(void) { ssize_t bytes_read; - + __AFL_INIT(); - float *magic = (float*)__AFL_FUZZ_TESTCASE_BUF; - + float *magic = (float *)__AFL_FUZZ_TESTCASE_BUF; + while (__AFL_LOOP(INT_MAX)) { if (__AFL_FUZZ_TESTCASE_LEN != sizeof(float)) return 1; /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); - + } return 0; -- cgit 1.4.1 From 2323c30b5b655e207bfb143fec34621052ea4e90 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 26 Jul 2020 22:05:14 +0200 Subject: fix honggfuzz dict --- custom_mutators/honggfuzz/honggfuzz.c | 4 +++- src/afl-fuzz-stats.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/custom_mutators/honggfuzz/honggfuzz.c b/custom_mutators/honggfuzz/honggfuzz.c index 368741c1..bde922c6 100644 --- a/custom_mutators/honggfuzz/honggfuzz.c +++ b/custom_mutators/honggfuzz/honggfuzz.c @@ -68,6 +68,8 @@ void afl_custom_queue_new_entry(my_mutator_t * data, const uint8_t *filename_new_queue, const uint8_t *filename_orig_queue) { + if (run.global->mutate.dictionaryCnt >= 1024) return; + while (data->extras_cnt < data->afl->extras_cnt && run.global->mutate.dictionaryCnt < 1024) { @@ -81,7 +83,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data, } - while (data->extras_cnt < data->afl->a_extras_cnt && + while (data->a_extras_cnt < data->afl->a_extras_cnt && run.global->mutate.dictionaryCnt < 1024) { memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val, 
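Review bot: The added early return at the top of afl_custom_queue_new_entry hard-codes the dictionary capacity as the literal `1024`, which now appears three times in this function (the new guard and both `while` conditions) and is presumably the bound of `run.global->mutate.dictionary[]`, whose declaration is outside the hunk; I would define it once, e.g. `#define HF_DICT_MAX 1024` (or reuse honggfuzz's own constant if it exports one), and use it in all three places so that a change to the array size cannot desynchronize the guard from the loops that index it. The `memcpy` into `.val` is cut off at the edge of the hunk, so I cannot confirm from here that the copied extra's length is clamped to the size of `.val`; worth checking, since AFL extras come from user-supplied dictionary files and auto-detected tokens. The function body continues past the end of the hunk.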
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 995f298e..2546a57a 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -71,7 +71,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, cur_time - afl->last_avg_exec_update >= 60000))) { afl->last_avg_execs_saved = - (float)(1000*(afl->fsrv.total_execs - afl->last_avg_execs)) / + (float)(1000 * (afl->fsrv.total_execs - afl->last_avg_execs)) / (float)(cur_time - afl->last_avg_exec_update); afl->last_avg_execs = afl->fsrv.total_execs; afl->last_avg_exec_update = cur_time; -- cgit 1.4.1 From 1bbeef48e154389cb5ac5adcb7a55f5b78c2bac6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 27 Jul 2020 09:10:48 +0200 Subject: update readme, renice -20 --- GNUmakefile | 2 +- README.md | 595 +++++++++++++++++++++++----- README_new.md | 1065 --------------------------------------------------- docs/screenshot.png | Bin 0 -> 117199 bytes src/afl-fuzz.c | 1 + 5 files changed, 500 insertions(+), 1163 deletions(-) delete mode 100644 README_new.md create mode 100644 docs/screenshot.png (limited to 'src') diff --git a/GNUmakefile b/GNUmakefile index ab9144b8..e2d7314f 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -96,7 +96,7 @@ ifneq "$(shell uname -m)" "x86_64" endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations\ +override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations -Wno-unused-result \ -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" diff --git a/README.md b/README.md index 9c802285..97fa99b7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# american fuzzy lop plus plus (afl++) +# American Fuzzy Lop plus plus (afl++) AFL++ Logo 
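Review bot: Adding `-Wno-unused-result` to the global `override CFLAGS` silences glibc's `warn_unused_result` warnings for every translation unit, which is precisely the warning that flags unchecked `read()`/`write()`/`setuid()`/`chdir()` return values, a bug class a fuzzer that shuttles test cases and forkserver control words over pipes should want to keep visible. The flag is also unrelated to the commit's stated purpose ("update readme, renice -20"), so it deserves a line of its own in the message. I would drop it and instead mark the deliberately ignored calls with `(void)` casts or add the error check at the call sites, or at minimum scope the flag to the specific objects that need it rather than the whole build. The call sites that triggered the warning are not visible in this diff.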
@@ -8,61 +8,36 @@ Github Version: 2.66d - includes all necessary/interesting changes from Google's afl 2.56b - - Originally developed by Michal "lcamtuf" Zalewski. - Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) afl++ is maintained by: - * Marc "van Hauser" Heuse , - * Heiko "hexcoder-" Eißfeldt , - * Andrea Fioraldi and - * Dominik Maier . - - Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl), - it is unlikely to receive any notable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288) - -## The enhancements compared to the original stock afl - - Many improvements were made over the official afl release - which did not - get any feature improvements since November 2017. - - Among other changes afl++ has a more performant llvm_mode, supports - llvm up to version 12, QEMU 3.1, more speed and crashfixes for QEMU, - better *BSD and Android support and much, much more. - Additionally the following features and patches have been integrated: - - * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast) - - * The new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL) - - * InsTrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim) - - * C. Holler's afl-fuzz Python mutator module and llvm_mode instrument file support: [https://github.com/choller/afl](https://github.com/choller/afl) + * Marc "van Hauser" Heuse , + * Heiko "hexcoder-" Eißfeldt , + * Andrea Fioraldi and + * Dominik Maier . 
- * Custom mutator by a library (instead of Python) by kyakdan - - * Unicorn mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk) - - * LAF-Intel or CompCov support for llvm_mode, qemu_mode and unicorn_mode - - * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage - - * Persistent mode and deferred forkserver for qemu_mode - - * Win32 PE binary-only fuzzing with QEMU and Wine + Originally developed by Michal "lcamtuf" Zalewski. - * Radamsa mutator (as a custom mutator). + afl++ is a superiour fork to Google's afl - more speed, more and better + mutations, more and better instrumentation, custom module support, etc. - * QBDI mode to fuzz android native libraries via QBDI framework +## Contents - * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf) + 1. [Features](#important-features-of-afl) + 2. [How to compile and install afl++](#building-and-installing-afl) + 3. [How to fuzz a target](#how-to-fuzz-with-afl) + 4. [Fuzzing binary-only targets](#fuzzing-binary-only-targets) + 5. [Good examples and writeups of afl++ usages](#good-examples-and-writeups) + 6. [Branches](#branches) + 7. [Want to help?](#help-wanted) + 8. [Detailed help and description of afl++](#challenges-of-guided-fuzzing) - * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass) +## Important features of afl++ - A more thorough list is available in the [PATCHES](docs/PATCHES.md) file. + afl++ supports llvm up to version 12, very fast binary fuzzing with QEMU 3.1 + with laf-intel and redqueen, unicorn mode, gcc plugin, full *BSD, Solaris and + Android support and much, much, much more. 
| Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode | | ----------------------- |:-------:|:---------:|:----------:|:----------------:|:------------:| @@ -75,6 +50,7 @@ | InsTrim | | x | | | | | Ngram prev_loc coverage | | x(6) | | | | | Context coverage | | x | | | | + | Auto dictionary | | x(7) | | | | | Snapshot LKM support | | x | | (x)(5) | | neverZero: 
@@ -85,11 +61,45 @@ (3) partially via AFL_CODE_START/AFL_CODE_END - (4) Only for LLVM >= 11 and not all targets compile + (4) with pcguard mode and LTO mode for LLVM >= 11 (5) upcoming, development in the branch (6) not compatible with LTO instrumentation and needs at least LLVM >= 4.1 + + (7) only in LTO mode with LLVM >= 11 + + Among others, the following features and patches have been integrated: + + * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage + + * Persistent mode and deferred forkserver for qemu_mode + + * Unicorn mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk) + + * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf) + + * Win32 PE binary-only fuzzing with QEMU and Wine + + * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast) + + * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL) + + * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass) + + * InsTrim, an effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim) + + * C. Holler's afl-fuzz Python mutator module and llvm_mode instrument file support: [https://github.com/choller/afl](https://github.com/choller/afl) + + * Custom mutator by a library (instead of Python) by kyakdan + + * LAF-Intel/CompCov support for llvm_mode, qemu_mode and unicorn_mode (with enhanced capabilities) + + * Radamsa and hongfuzz mutators (as custom mutators). 
+ + * QBDI mode to fuzz android native libraries via QBDI framework + + A more thorough list is available in the [PATCHES](docs/PATCHES.md) file. So all in all this is the best-of afl that is currently out there :-) @@ -115,7 +125,7 @@ For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. -## Google Summer of Code 2020 (and any other students and enthusiast developers) +## Help wanted We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-) @@ -140,7 +150,7 @@ hence afl-clang-lto is available!) or just pull directly from the docker hub: docker pull aflplusplus/aflplusplus docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` -This container is automatically generated when a push to master happens. +This image is automatically generated when a push to master happens. You will find your target source code in /src in the container. If you want to build afl++ yourself you have many options. @@ -151,7 +161,7 @@ sudo apt install build-essential libtool-bin python3-dev automake flex bison lib make distrib sudo make install ``` -It is recommended to install the newest available gcc and clang and llvm-dev +It is recommended to install the newest available gcc, clang and llvm-dev possible in your distribution! Note that "make distrib" also builds llvm_mode, qemu_mode, unicorn_mode and 
@@ -197,6 +207,444 @@ These build options exist: e.g.: make ASAN_BUILD=1 +## Good examples and writeups + +Here are some good writeups to show how to effectively use AFL++: + + * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) + * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/) + * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1) + * [https://securitylab.github.com/research/fuzzing-sockets-FTP](https://securitylab.github.com/research/fuzzing-sockets-FTP) + +If you are interested in fuzzing structured data (where you define what the +structure is), these links have you covered: + * Superion for afl++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) + * libprotobuf raw: [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator) + * libprotobuf for old afl++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator) + +If you find other good ones, please send them to us :-) + +## How to fuzz with afl++ + +The following describes how to fuzz with a target if source code is available. +If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps) + +Fuzzing source code is a two step process. + +1. compile the target with a special compiler that prepares the target to be + fuzzed efficiently. This step is called "instrumenting a target". +2. Prepare the fuzzing by selecting and optimizing the input corpus for the + target. +3. 
perform the fuzzing of the target by randomly mutating input and assessing + if a generated input was processed in a new path in the target binary + +### 1. Instrumenting that target + +#### a) Selecting the best afl++ compiler for instrumenting the target + +afl++ comes with different compilers and instrumentation options. +The following evaluation flow will help you to select the best possible. + +It is highly recommended to have the newest llvm version possible installed, +anything below 9 is not recommended. + +``` ++--------------------------------+ +| clang/clang++ 11+ is available | --> use afl-clang-lto and afl-clang-lto++ ++--------------------------------+ see [llvm/README.lto.md](llvm/README.lto.md) + | + | if not, or if the target fails with with afl-clang-lto/++ + | + v ++---------------------------------+ +| clang/clang++ 3.3+ is available | --> use afl-clang-fast and afl-clang-fast++ ++---------------------------------+ see [llvm/README.md](llvm/README.md) + | + | if not, or if the target fails with afl-clang-fast/++ + | + v + +--------------------------------+ + | if you want to instrument only | -> use afl-gcc-fast and afl-gcc-fast++ + | parts of the target | see [gcc_plugin/README.md](gcc_plugin/README.md) and + +--------------------------------+ [gcc_plugin/README.instrument_file.md](gcc_plugin/README.instrument_file.md) + | + | if not, or if you do not have a gcc with plugin support + | + v + use afl-gcc and afl-g++ +``` + +#### b) Selecting instrumentation options + +The following options are available when you instrument with afl-clang-fast or +afl-clang-lto: + + * Splitting integer, string, float and switch compares so afl++ can easier + solve these. This is an important option if you do not have a very good + good and large input corpus. This technique is called laf-intel or COMPCOV. 
+ To use this set the following environment variable before compiling the + target: `export AFL_LLVM_LAF_ALL=1` + You can read more about this in [llvm/README.laf-intel.md](llvm/README.laf-intel.md) + * A different technique is to instrument the target so that any compare values + in the target are sent to afl++ which then tries to put this value into the + fuzzing data at different locations. This technique is very fast and good - + if the target does not transform input data before comparison. Therefore + technique is called `input to state` or `redqueen`. + If you want to use this technique, then you have to compile the target + twice, once specifically with/for this mode. + You can read more about this in [llvm_mode/README.cmplog.md](llvm_mode/README.cmplog.md) + +If you use afl-clang-fast, afl-clang-lto or afl-gcc-fast you have the option to +selectivly only instrument parts of the target that you are interested in: + + * To instrument only those parts of the target that you are interested in + create a file with all the filenames of the source code that should be + instrumented. + For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if either the clang + version is < 7 or the CLASSIC instrumentation is used - just put one + filename per line, no directory information necessary, and set + `export AFL_LLVM_INSTRUMENT_FILE=yourfile.txt` + see [llvm_mode/README.instrument_file.md](llvm_mode/README.instrument_file.md) + For afl-clang-fast > 6.0 or if PCGUARD instrumentation is used then use the + llvm sancov allow-list feature: [http://clang.llvm.org/docs/SanitizerCoverage.html](http://clang.llvm.org/docs/SanitizerCoverage.html) + +There are many more options and modes available however these are most of the +time less effective. 
See: + * [llvm_mode/README.ctx.md](llvm_mode/README.ctx.md) + * [llvm_mode/README.ngram.md](llvm_mode/README.ngram.md) + * [llvm_mode/README.instrim.md](llvm_mode/README.instrim.md) + * [llvm_mode/README.neverzero.md](llvm_mode/README.neverzero.md) + +#### c) Modify the target + +If the target has features that makes fuzzing more difficult, e.g. +checksums, HMAC etc. then modify the source code so that this is +removed. +This can even be done for productional source code be eliminating +these checks within this specific defines: + +``` +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + // say that the checksum or HMAC was fine - or whatever is required + // to eliminate the need for the fuzzer to guess the right checksum + return 0; +#endif +``` + +#### d) Instrument the target + +In this step the target source code is compiled so that it can be fuzzed. + +Basically you have to tell the target build system that the selected afl++ +compiler is used. Also - if possible - you should always configure the +build system that the target is compiled statically and not dynamically. +How to do this is described below. + +Then build the target. 
(Usually with `make`) + +##### configure + +For `configure` build systems this is usually done by: +`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared` + +Note that if you using the (better) afl-clang-lto compiler you also have to +AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as it is +described in [llvm/README.lto.md](llvm/README.lto.md) + +##### cmake + +For `configure` build systems this is usually done by: +`mkdir build; cd build; CC=afl-clang-fast CXX=afl-clang-fast++ cmake ..` + +Note that if you using the (better) afl-clang-lto compiler you also have to +AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as it is +described in [llvm/README.lto.md](llvm/README.lto.md) + +##### other build systems or if configure/cmake didn't work + +Sometimes cmake and configure do not pick up the afl compiler, or the ranlib/ar +that is needed - because this was just not foreseen by the developer of the +target. Or they have non-standard options. Figure out if there is a +non-standard way to set this, otherwise set the build normally and edit the +generated build environment afterwards by hand to point to the right compiler +(and/or ranlib and ar). + +#### d) Better instrumentation + +If you just fuzz a target program as-is you are wasting a great opportunity for +much more fuzzing speed. + +This requires the usage of afl-clang-lto or afl-clang-fast + +This is the so-called `persistent mode`, which is much, much faster but +requires that you code a source file that is specifically calling the target +functions that you want to fuzz, plus a few specific afl++ functions around +it. See [llvm_mode/README.persistent_mode.md](llvm_mode/README.persistent_mode.md) for details. + +Basically if you do not fuzz a target in persistent mode then you are just +doing it for a hobby and not professionally :-) + +### 2. 
Preparing the fuzzing + +As you fuzz the target with mutated input, having as diverse inputs for the +target as possible improves the efficiency a lot. + +#### a) Collect inputs +Try to gather valid inputs for the target from wherever you can. E.g. if it +the PNG picture format try to find as many png files as possible, e.g. from +reported bugs, test suites, random downloads from the internet, unit test +case data - from all kind of PNG software. + +If the input is not known files, you can also modify a target program to write +away normal data it receives and processes to a file and use these. + +#### b) Making the input corpus unique + +Use the afl++ tool `afl-cmin` to remove inputs from the corpus that do not +use a different paths in the target. +Put all files from step a) into one directory, e.g. INPUTS. + +Put all the files from step a) + +If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` +the run afl-cmin like this: +`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@` +Note that the INPUTFILE that the target program would read has to be set as `@@`. + +If the target reads from stdin instead, just omit the `@@` as this is the +default. + +#### b) Minimizing all corpus files + +The shorter the input files are so that they still traverse the same path +within the target, the better the fuzzing will be. This is done with `afl-tmin` +however it is a long processes as this has to be done for every file: + +``` +mkdir input +cd INPUTS_UNIQUE +for i in *; do + afl-tmin -i "$i" -o "../input/$i" -- bin/target -d @@ +done +``` + +This can also be parallelized, e.g. with `parallel` + +#### c) done! + +The INPUTS_UNIQUE/ directory from step a) - or even better if you minimized the +corpus in step b) then the files in input/ is then the input corpus directory +to be used in fuzzing! :-) + +### Fuzzing the target + +In this final step we fuzz the target. 
+There are not that many useful options to run the target - unless you want to +use many CPU cores for the fuzzing, which will make the fuzzing much more useful. + +If you just use one CPU for fuzzing, then you are fuzzing just for fun and not +seriously :-) + +#### a) running afl-fuzz + +Before to do even a test run of afl-fuzz execute `sudo afl-system-config` (on +the host if you execute afl-fuzz in a docker container). This reconfigured the +system for optimal speed - which afl-fuzz checks and bails otherwise. +Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this if you cannot run +afl-system-config with root privileges on the host for whatever reason. + +If you have an input corpus from step 2 then specify this directory with the `-i` +option. Otherwise create a new directory and create a file with any content +in there. + +If you do not want anything special, the defaults are already the usual best, +hence all you need (from the example in 2a): +`afl-fuzz -i input -o output -- bin/target -d @@` +Note that the directory specified with -o will be created if it does not exist. + +If you need to stop and re-start the fuzzing, use the same command line option +and switch the input directory with a dash (`-`): +`afl-fuzz -i - -o output -- bin/target -d @@` + +Adding a dictionary helpful. See the [dictionaries/](dictionaries/) if +something is already included for your data format, and tell afl-fuzz to load +that dictionary by adding `-x dicationaries/FORMAT.dict`. With afl-clang-lto +you have an autodictionary generation for which you need to do nothing except +to use afl-clang-lto as the compiler. You also have the option to generate +a dictionary yourself, see [libtokencap/README.md](libtokencap/README.md) + +afl-fuzz never stops fuzzing. To terminate afl++ simply press Control-C. 
+ +When you start afl-fuzz you will see a user interface that shows what the status +is: +![docs/screenshot.png](docs/screenshot.png) +All the entries are explained in [docs/status_screen.md](docs/status_screen.md) + +#### b) Using multiple cores + +If you want to seriously fuzz then use as many cores as possible to fuzz your +target. + +On the same machine - due to the nature how afl++ works - there is a maximum +number of CPU cores that are useful, more and the overall performance degrades +instead. This value depends on the target and the limit is between 24 and 64 +cores per machine. + +There should be one main fuzzer (`-M main` option) and as many secondary +fuzzers (eg `-S variant1`) as you cores that you use. +Every -M/-S entry needs a unique name (that can be whatever), however the same +-o output directory location has to be used for all. + +For every secondary there should be a variation, e.g.: + * one should fuzz the target that was compiled differently: with sanitizers + activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; + export AFL_USE_CFISAN=1 ; ` + * one should fuzz the target with CMPLOG/redqueen (see above) + * At 1-2 should fuzz a target compiled with laf-intel/COMPCOV (see above). + +All other secondaries should be: + * 1/2 with MOpt option enabled: `-L 0` + * run with a different power schedule, available are: + `explore (default), fast, coe, lin, quad, exploit, mmopt, rare, seek` + which you can set with e.g. `-p seek` + +You can also use different fuzzers. +If you are afl-spinoffs or afl conforming, then just use the same -o directory +and give it a unique `-S` name. 
+Examples are e.g.: + * [Angora](https://github.com/AngoraFuzzer/Angora) + * [Untracer](https://github.com/FoRTE-Research/UnTracer-AFL) + * [AFLsmart](https://github.com/aflsmart/aflsmart) + * [FairFuzz](https://github.com/carolemieux/afl-rb) + * [Neuzz](https://github.com/Dongdongshe/neuzz) +A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL) + +However you can also sync afl++ with honggfuzz, libfuzzer, entropic, etc. +Just show the main fuzzer (-M) with the `-F` option where the queue +directory of these other fuzzers are, e.g. `-F /src/target/honggfuzz` + +#### c) The status of the fuzz campaign + +afl++ comes with the `afl-whatsup` script to show the status of fuzzing +campaign. + +Just supply the directory that afl-fuzz is given with the -o option and +you will see a detailed status of every fuzzer in that campaign plus +a summary. + +To have only the summary use the `-s` switch e.g.: `afl-whatsup -s output/` + +#### d) Checking the coverage of the fuzzing + +The `paths found` value is a bad indicator how good the coverage is. +It is better to check out the exact lines of code that have been reached - +and which have not been found so far. + +An "easy" helper script for this is [afl-cov](https://github.com/vanhauser-thc/afl-cov), +just follow the README of that seperate project. + +If you see that an important area or a feature has not been covered so far then +try to find an input that is able to reach that and start a new secondary in +that fuzzing campaign with that seed as input, let it run for a few minutes, +then terminate it. The main node will pick it up and make it available to the +other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` if you have no +free core. + +#### e) How long to fuzz a target? + +This is a difficult question. +Basically if no new path is found for a long time (e.g. for a day or a week) +then you can expect that your fuzzing won't be fruitful anymore. 
+However often this just means that you should switch out secondaries for +others, e.g. custom mutator modules, sync to very different fuzzers, etc. + +### The End + +This is basically all you need to know to professionally run fuzzing campaigns. +If you want to know more, the rest of this README and the tons of texts in +[docs/](docs/) will have you covered. + +Note that there are also a lot of tools out there that help fuzzing with afl++ +(some might be deprecated or unsupported): + +Minimization of test cases: + * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of the minimization of test case by using many CPU cores. + * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm. + * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization. + +Distributed execution: + * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL. + * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing framework. + * [afl-launch](https://github.com/bnagy/afl-launch) - a tool for the execution of many AFL instances. + * [afl-mothership](https://github.com/afl-mothership/afl-mothership) - management and execution of many synchronized AFL fuzzers on AWS cloud. + * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another script for running AFL in AWS. + +Deployment, management, monitoring, reporting + * [afl-other-arch](https://github.com/shellphish/afl-other-arch) - is a set of patches and scripts for easily adding support for various non-x86 architectures for AFL. + * [afl-trivia](https://github.com/bnagy/afl-trivia) - a few small scripts to simplify the management of AFL. + * [afl-monitor](https://github.com/reflare/afl-monitor) - a script for monitoring AFL. 
+ * [afl-manager](https://github.com/zx1340/afl-manager) - a web server on Python for managing multi-afl. + * [afl-remote](https://github.com/block8437/afl-remote) - a web server for the remote management of AFL instances. + +Crash processing + * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases. + * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL. + * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of scripts for the analysis of results. + * [atriage](https://github.com/Ayrx/atriage) - a simple triage tool. + * [afl-kit](https://github.com/kcwu/afl-kit) - afl-cmin on Python. + * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL. + * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data. + +## Fuzzing binary-only targets + +When source code is *NOT* available, afl++ offers various support for fast, +on-the-fly instrumentation of black-box binaries. + +### QEMU + +For linux programs and it's libraries this is accomplished with a version of +QEMU running in the lesser-known "user space emulation" mode. +QEMU is a project separate from AFL, but you can conveniently build the +feature by doing: +```shell +cd qemu_mode +./build_qemu_support.sh +``` +For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md). +If possible you should use the persistent mode, see [qemu_mode/README.persistent.md](qemu_mode/README.persistent.md). +The mode is approximately 2-5x slower than compile-time instrumentation, and is +less conducive to parallelization. 
+ +If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for +your binary, then you can use afl-fuzz normally and it will have twice +the speed compared to qemu_mode (but slower than persistent mode). + +### Unicorn + +For non-Linux binaries you can use afl++'s unicorn mode which can emulate +anything you want - for the price of speed and the user writing scripts. +See [unicorn_mode](unicorn_mode/README.md). + +It can be easily build by: +```shell +cd unicorn_mode +./build_unicorn_support.sh +``` + +### Shared libraries + +If the goal is to fuzz a dynamic library then there are two options available. +For both you need to write a small hardness that loads and calls the library. +Faster is the frida solution: [examples/afl_frida/README.md](examples/afl_frida/README.md) + +Another, less precise and slower option is using ptrace with debugger interrupt +instrumentation: [examples/afl_untracer/README.md](examples/afl_untracer/README.md) + +### More + +A more comprehensive description of these and other options can be found in +[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md) + ## Challenges of guided fuzzing Fuzzing is one of the most powerful and proven strategies for identifying @@ -262,7 +710,6 @@ closed-source tools. The fuzzer is thoroughly tested to deliver out-of-the-box performance far superior to blind fuzzing or coverage-only tools. - ## Instrumenting programs for use with AFL PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++ 
@@ -318,52 +765,6 @@ simple memory bugs. Libdislocator, a helper library included with AFL (see
 PS. ASAN users are advised to review [docs/notes_for_asan.md](docs/notes_for_asan.md)
 file for important caveats.
-
-## Instrumenting binary-only apps
-
-When source code is *NOT* available, the fuzzer offers experimental support for
-fast, on-the-fly instrumentation of black-box binaries. This is accomplished
-with a version of QEMU running in the lesser-known "user space emulation" mode.
-
-QEMU is a project separate from AFL, but you can conveniently build the
-feature by doing:
-
-```shell
-cd qemu_mode
-./build_qemu_support.sh
-```
-
-For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
-
-If possible you should use the persistent mode, see [qemu_mode/README.persistent.md](qemu_mode/README.persistent.md).
-
-The mode is approximately 2-5x slower than compile-time instrumentation, is
-less conducive to parallelization, and may have some other quirks.
-
-If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for
-your binary, then you can use afl-fuzz normally and it will have twice
-the speed compared to qemu_mode.
-
-A more comprehensive description of these and other options can be found in
-[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md)
-
-## Good examples and writeups
-
-Here are some good writeups to show how to effectively use AFL++:
-
- * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/)
- * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/)
- * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1)
- * [https://securitylab.github.com/research/fuzzing-sockets-FTP](https://securitylab.github.com/research/fuzzing-sockets-FTP)
-
-If you are interested in fuzzing structured data (where you define what the
-structure is), these links have you covered:
- * Superion for afl++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
- * libprotobuf raw: [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator)
- * libprotobuf for old afl++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator)
-
-If you find other good ones, please send them to us :-)
-
 ## Power schedules
 
 The power schedules were copied from Marcel Böhme's AFLfast implementation and
diff --git a/README_new.md b/README_new.md
deleted file mode 100644
index 9b8c1014..00000000
--- a/README_new.md
+++ /dev/null
@@ -1,1065 +0,0 @@ -# american fuzzy lop plus plus (afl++) - - AFL++ Logo - - ![Travis State](https://api.travis-ci.com/AFLplusplus/AFLplusplus.svg?branch=stable) - - Release Version: [2.66c](https://github.com/AFLplusplus/AFLplusplus/releases) - - Github Version: 2.66d - - Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) - - afl++ is maintained by: - - * Marc "van Hauser" Heuse , - * Heiko "hexcoder-" Eißfeldt , - * Andrea Fioraldi and - * Dominik Maier . - - Originally developed by Michal "lcamtuf" Zalewski. - - afl++ is superiour to Google's afl in any way - more speed, more and better - mutations, more and better instrumentation, etc. etc. - -## Contents - - 1. [Features](#important-features-of-afl) - 2. [How to compile and install afl++](#building-and-installing-afl) - 3. [How to fuzz a target](#how-to-fuzz-with-afl) - 4. [Fuzzing binary-only targets](#fuzzing-binary-only-targets) - 5. [Good examples and writeups of afl++ usages](#good-examples-and-writeups) - 6. [Branches](#branches) - 7. [Want to help?](#help-wanted) - 8. [Detailed help and description of afl++](#challenges-of-guided-fuzzing) - -## Important features of afl++ - - afl++ supports llvm up to version 12, very fast binary fuzzing with QEMU 3.1 - with laf-intel and redqueen, unicorn mode, gcc plugin, full *BSD, Solaris and - Android support and much, much, much more. 
- - | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode | - | ----------------------- |:-------:|:---------:|:----------:|:----------------:|:------------:| - | NeverZero | x | x(1) | (2) | x | x | - | Persistent mode | | x | x | x86[_64]/arm[64] | x | - | LAF-Intel / CompCov | | x | | x86[_64]/arm[64] | x86[_64]/arm | - | CmpLog | | x | | x86[_64]/arm[64] | | - | Instrument file list | | x | x | (x)(3) | | - | Non-colliding coverage | | x(4) | | (x)(5) | | - | InsTrim | | x | | | | - | Ngram prev_loc coverage | | x(6) | | | | - | Context coverage | | x | | | | - | Auto dictionary | | x(7) | | | | - | Snapshot LKM support | | x | | (x)(5) | | - - neverZero: - - (1) default for LLVM >= 9.0, env var for older version due an efficiency bug in llvm <= 8 - - (2) GCC creates non-performant code, hence it is disabled in gcc_plugin - - (3) partially via AFL_CODE_START/AFL_CODE_END - - (4) with pcguard mode and LTO mode for LLVM >= 11 - - (5) upcoming, development in the branch - - (6) not compatible with LTO instrumentation and needs at least LLVM >= 4.1 - - (7) only in LTO mode with LLVM >= 11 - - Among others, the following features and patches have been integrated: - - * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage - - * Persistent mode and deferred forkserver for qemu_mode - - * Unicorn mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk) - - * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf) - - * Win32 PE binary-only fuzzing with QEMU and Wine - - * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast) - - * The MOpt mutator: 
[https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL) - - * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass) - - * InsTrim, an effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim) - - * C. Holler's afl-fuzz Python mutator module and llvm_mode instrument file support: [https://github.com/choller/afl](https://github.com/choller/afl) - - * Custom mutator by a library (instead of Python) by kyakdan - - * LAF-Intel/CompCov support for llvm_mode, qemu_mode and unicorn_mode (with enhanced capabilities) - - * Radamsa and hongfuzz mutators (as custom mutators). - - * QBDI mode to fuzz android native libraries via QBDI framework - - A more thorough list is available in the [PATCHES](docs/PATCHES.md) file. - - So all in all this is the best-of afl that is currently out there :-) - - For new versions and additional information, check out: - [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) - - To compare notes with other users or get notified about major new features, - send a mail to . - - See [docs/QuickStartGuide.md](docs/QuickStartGuide.md) if you don't have time to - read this file. - -## Branches - - The following branches exist: - - * [master/trunk](https://github.com/AFLplusplus/AFLplusplus/) : stable state of afl++ - it is synced from dev from time to - time when we are satisfied with it's stability - * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev) : development state of afl++ - bleeding edge and you might catch a - checkout which does not compile or has a bug. *We only accept PRs in dev!!* - * (any other) : experimental branches to work on specific features or testing - new functionality or changes. 
- - For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. - -## Help wanted - -We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-) - -We have several ideas we would like to see in AFL++ to make it even better. -However, we already work on so many things that we do not have the time for -all the big ideas. - -This can be your way to support and contribute to AFL++ - extend it to -something cool. - -We have an idea list in [docs/ideas.md](docs/ideas.md). - -For everyone who wants to contribute (and send pull requests) please read -[CONTRIBUTING.md](CONTRIBUTING.md) before your submit. - -## Building and installing afl++ - -An easy way to install afl++ with everything compiled is available via docker: -You can use the [Dockerfile](Dockerfile) (which has gcc-10 and clang-11 - -hence afl-clang-lto is available!) or just pull directly from the docker hub: -```shell -docker pull aflplusplus/aflplusplus -docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus -``` -This image is automatically generated when a push to master happens. -You will find your target source code in /src in the container. - -If you want to build afl++ yourself you have many options. -The easiest is to build and install everything: - -```shell -sudo apt install build-essential libtool-bin python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm -make distrib -sudo make install -``` -It is recommended to install the newest available gcc, clang and llvm-dev -possible in your distribution! - -Note that "make distrib" also builds llvm_mode, qemu_mode, unicorn_mode and -more. If you just want plain afl then do "make all", however compiling and -using at least llvm_mode is highly recommended for much better results - -hence in this case - -```shell -make source-only -``` -is what you should choose. 
- -These build targets exist: - -* all: just the main afl++ binaries -* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap -* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap -* distrib: everything (for both binary-only and source code fuzzing) -* man: creates simple man pages from the help option of the programs -* install: installs everything you have compiled with the build options above -* clean: cleans everything compiled, not downloads (unless not on a checkout) -* deepclean: cleans everything including downloads -* code-format: format the code, do this before you commit and send a PR please! -* tests: runs test cases to ensure that all features are still working as they should -* unit: perform unit tests (based on cmocka) -* help: shows these build options - -[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html) you can also build statically linked versions of the -afl++ binaries by passing the STATIC=1 argument to make: - -```shell -make all STATIC=1 -``` - -These build options exist: - -* STATIC - compile AFL++ static -* ASAN_BUILD - compiles with memory sanitizer for debug purposes -* PROFILING - compile with profiling information (gprof) -* NO_PYTHON - disable python support -* AFL_NO_X86 - if compiling on non-intel/amd platforms -* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. 
Debian) - -e.g.: make ASAN_BUILD=1 - -## Good examples and writeups - -Here are some good writeups to show how to effectively use AFL++: - - * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) - * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/) - * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1) - * [https://securitylab.github.com/research/fuzzing-sockets-FTP](https://securitylab.github.com/research/fuzzing-sockets-FTP) - -If you are interested in fuzzing structured data (where you define what the -structure is), these links have you covered: - * Superion for afl++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) - * libprotobuf raw: [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator) - * libprotobuf for old afl++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator) - -If you find other good ones, please send them to us :-) - -## How to fuzz with afl++ - -The following describes how to fuzz with a target if source code is available. -If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps) - -Fuzzing source code is a two step process. - -1. compile the target with a special compiler that prepares the target to be - fuzzed efficiently. This step is called "instrumenting a target". -2. Prepare the fuzzing by selecting and optimizing the input corpus for the - target. -3. perform the fuzzing of the target by randomly mutating input and assessing - if a generated input was processed in a new path in the target binary - -### 1. 
Instrumenting that target - -#### a) Selecting the best afl++ compiler for instrumenting the target - -afl++ comes with different compilers and instrumentation options. -The following evaluation flow will help you to select the best possible. - -It is highly recommended to have the newest llvm version possible installed, -anything below 9 is not recommended. - -``` -+--------------------------------+ -| clang/clang++ 11+ is available | --> use afl-clang-lto and afl-clang-lto++ -+--------------------------------+ see [llvm/README.lto.md](llvm/README.lto.md) - | - | if not, or if the target fails with with afl-clang-lto/++ - | - v -+---------------------------------+ -| clang/clang++ 3.3+ is available | --> use afl-clang-fast and afl-clang-fast++ -+---------------------------------+ see [llvm/README.md](llvm/README.md) - | - | if not, or if the target fails with afl-clang-fast/++ - | - v - +--------------------------------+ - | if you want to instrument only | -> use afl-gcc-fast and afl-gcc-fast++ - | parts of the target | see [gcc_plugin/README.md](gcc_plugin/README.md) and - +--------------------------------+ [gcc_plugin/README.instrument_file.md](gcc_plugin/README.instrument_file.md) - | - | if not, or if you do not have a gcc with plugin support - | - v - use afl-gcc and afl-g++ -``` - -#### b) Selecting instrumentation options - -The following options are available when you instrument with afl-clang-fast or -afl-clang-lto: - - * Splitting integer, string, float and switch compares so afl++ can easier - solve these. This is an important option if you do not have a very good - good and large input corpus. This technique is called laf-intel or COMPCOV. 
- To use this set the following environment variable before compiling the - target: `export AFL_LLVM_LAF_ALL=1` - You can read more about this in [llvm/README.laf-intel.md](llvm/README.laf-intel.md) - * A different technique is to instrument the target so that any compare values - in the target are sent to afl++ which then tries to put this value into the - fuzzing data at different locations. This technique is very fast and good - - if the target does not transform input data before comparison. Therefore - technique is called `input to state` or `redqueen`. - If you want to use this technique, then you have to compile the target - twice, once specifically with/for this mode. - You can read more about this in [llvm_mode/README.cmplog.md](llvm_mode/README.cmplog.md) - -If you use afl-clang-fast, afl-clang-lto or afl-gcc-fast you have the option to -selectivly only instrument parts of the target that you are interested in: - - * To instrument only those parts of the target that you are interested in - create a file with all the filenames of the source code that should be - instrumented. - For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if either the clang - version is < 7 or the CLASSIC instrumentation is used - just put one - filename per line, no directory information necessary, and set - `export AFL_LLVM_INSTRUMENT_FILE=yourfile.txt` - see [llvm_mode/README.instrument_file.md](llvm_mode/README.instrument_file.md) - For afl-clang-fast > 6.0 or if PCGUARD instrumentation is used then use the - llvm sancov allow-list feature: [http://clang.llvm.org/docs/SanitizerCoverage.html](http://clang.llvm.org/docs/SanitizerCoverage.html) - -There are many more options and modes available however these are most of the -time less effective. 
See: - * [llvm_mode/README.ctx.md](llvm_mode/README.ctx.md) - * [llvm_mode/README.ngram.md](llvm_mode/README.ngram.md) - * [llvm_mode/README.instrim.md](llvm_mode/README.instrim.md) - * [llvm_mode/README.neverzero.md](llvm_mode/README.neverzero.md) - -#### c) Modify the target - -If the target has features that makes fuzzing more difficult, e.g. -checksums, HMAC etc. then modify the source code so that this is -removed. -This can even be done for productional source code be eliminating -these checks within this specific defines: - -``` -#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - // say that the checksum or HMAC was fine - or whatever is required - // to eliminate the need for the fuzzer to guess the right checksum - return 0; -#endif -``` - -#### d) Instrument the target - -In this step the target source code is compiled so that it can be fuzzed. - -Basically you have to tell the target build system that the selected afl++ -compiler is used. Also - if possible - you should always configure the -build system that the target is compiled statically and not dynamically. -How to do this is described below. - -Then build the target. 
(Usually with `make`) - -##### configure - -For `configure` build systems this is usually done by: -`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared` - -Note that if you using the (better) afl-clang-lto compiler you also have to -AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as it is -described in [llvm/README.lto.md](llvm/README.lto.md) - -##### cmake - -For `configure` build systems this is usually done by: -`mkdir build; cd build; CC=afl-clang-fast CXX=afl-clang-fast++ cmake ..` - -Note that if you using the (better) afl-clang-lto compiler you also have to -AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as it is -described in [llvm/README.lto.md](llvm/README.lto.md) - -##### other build systems or if configure/cmake didn't work - -Sometimes cmake and configure do not pick up the afl compiler, or the ranlib/ar -that is needed - because this was just not foreseen by the developer of the -target. Or they have non-standard options. Figure out if there is a -non-standard way to set this, otherwise set the build normally and edit the -generated build environment afterwards by hand to point to the right compiler -(and/or ranlib and ar). - -#### d) Better instrumentation - -If you just fuzz a target program as-is you are wasting a great opportunity for -much more fuzzing speed. - -This requires the usage of afl-clang-lto or afl-clang-fast - -This is the so-called `persistent mode`, which is much, much faster but -requires that you code a source file that is specifically calling the target -functions that you want to fuzz, plus a few specific afl++ functions around -it. See [llvm_mode/README.persistent_mode.md](llvm_mode/README.persistent_mode.md) for details. - -Basically if you do not fuzz a target in persistent mode then you are just -doing it for a hobby and not professionally :-) - -### 2. 
Preparing the fuzzing - -As you fuzz the target with mutated input, having as diverse inputs for the -target as possible improves the efficiency a lot. - -#### a) Collect inputs -Try to gather valid inputs for the target from wherever you can. E.g. if it -the PNG picture format try to find as many png files as possible, e.g. from -reported bugs, test suites, random downloads from the internet, unit test -case data - from all kind of PNG software. - -If the input is not known files, you can also modify a target program to write -away normal data it receives and processes to a file and use these. - -#### b) Making the input corpus unique - -Use the afl++ tool `afl-cmin` to remove inputs from the corpus that do not -use a different paths in the target. -Put all files from step a) into one directory, e.g. INPUTS. - -Put all the files from step a) - -If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` -the run afl-cmin like this: -`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@` -Note that the INPUTFILE that the target program would read has to be set as `@@`. - -If the target reads from stdin instead, just omit the `@@` as this is the -default. - -#### b) Minimizing all corpus files - -The shorter the input files are so that they still traverse the same path -within the target, the better the fuzzing will be. This is done with `afl-tmin` -however it is a long processes as this has to be done for every file: - -``` -mkdir input -cd INPUTS_UNIQUE -for i in *; do - afl-tmin -i "$i" -o "../input/$i" -- bin/target -d @@ -done -``` - -This can also be parallelized, e.g. with `parallel` - -#### c) done! - -The INPUTS_UNIQUE/ directory from step a) - or even better if you minimized the -corpus in step b) then the files in input/ is then the input corpus directory -to be used in fuzzing! :-) - -### Fuzzing the target - -In this final step we fuzz the target. 
-There are not that many useful options to run the target - unless you want to -use many CPU cores for the fuzzing, which will make the fuzzing much more useful. - -If you just use one CPU for fuzzing, then you are fuzzing just for fun and not -seriously :-) - -#### a) running afl-fuzz - -If you have an input corpus from step 2 then specify this directory with the `-i` -option. Otherwise create a new directory and create a file with any content -in there. - -If you do not want anything special, the defaults are already the usual best, -hence all you need (from the example in 2a): -`afl-fuzz -i input -o output -- bin/target -d @@` -Note that the directory specified with -o will be created if it does not exist. - -If you need to stop and re-start the fuzzing, use the same command line option -and switch the input directory with a dash (`-`): -`afl-fuzz -i - -o output -- bin/target -d @@` - -afl-fuzz never stops fuzzing. To terminate afl++ simply press Control-C. - -When you start afl-fuzz you will see a user interface that shows what the status -is: -[docs/screenshot.png](docs/screenshot.png) -All the entries are explained in [docs/status_screen.md](docs/status_screen.md) - -#### b) Using multiple cores - -If you want to seriously fuzz then use as many cores as possible to fuzz your -target. - -On the same machine - due to the nature how afl++ works - there is a maximum -number of CPU cores that are useful, more and the overall performance degrades -instead. This value depends on the target and the limit is between 24 and 64 -cores per machine. - -There should be one main fuzzer (`-M main` option) and as many secondary -fuzzers (eg `-S variant1`) as you cores that you use. -Every -M/-S entry needs a unique name (that can be whatever), however the same --o output directory location has to be used for all. 
- -For every secondary there should be a variation, e.g.: - * one should fuzz the target that was compiled differently: with sanitizers - activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; - export AFL_USE_CFISAN=1 ; ` - * one should fuzz the target with CMPLOG/redqueen (see above) - * At 1-2 should fuzz a target compiled with laf-intel/COMPCOV (see above). - -All other secondaries should be: - * 1/2 with MOpt option enabled: `-L 0` - * run with a different power schedule, available are: - `explore (default), fast, coe, lin, quad, exploit, mmopt, rare, seek` - which you can set with e.g. `-p seek` - -You can also use different fuzzers. -If you are afl-spinoffs or afl conforming, then just use the same -o directory -and give it a unique `-S` name. -Examples are e.g.: - * - * - * - -However you can also sync afl++ with honggfuzz, libfuzzer, entropic, etc. -Just show the main fuzzer (-M) with the `-F` option where the queue -directory of these other fuzzers are, e.g. `-F /src/target/honggfuzz` - -#### c) How long to fuzz a target? - -This is a difficult question. -Basically if no new path is found for a long time (e.g. for a day or a week) -then you can expect that your fuzzing won't be fruitful anymore. -However often this just means that you should switch out secondaries for -others, e.g. custom mutator modules, sync to very different fuzzers, etc. - -### The End - -This is basically all you need to know to professionally run fuzzing campaigns. -If you want to know more, the rest of this README and the tons of texts in -[docs/](docs/) will have you covered. - -## Challenges of guided fuzzing - -Fuzzing is one of the most powerful and proven strategies for identifying -security issues in real-world software; it is responsible for the vast -majority of remote code execution and privilege escalation bugs found to date -in security-critical software. 
- -Unfortunately, fuzzing is also relatively shallow; blind, random mutations -make it very unlikely to reach certain code paths in the tested code, leaving -some vulnerabilities firmly outside the reach of this technique. - -There have been numerous attempts to solve this problem. One of the early -approaches - pioneered by Tavis Ormandy - is corpus distillation. The method -relies on coverage signals to select a subset of interesting seeds from a -massive, high-quality corpus of candidate files, and then fuzz them by -traditional means. The approach works exceptionally well but requires such -a corpus to be readily available. In addition, block coverage measurements -provide only a very simplistic understanding of the program state and are less -useful for guiding the fuzzing effort in the long haul. - -Other, more sophisticated research has focused on techniques such as program -flow analysis ("concolic execution"), symbolic execution, or static analysis. -All these methods are extremely promising in experimental settings, but tend -to suffer from reliability and performance problems in practical uses - and -currently do not offer a viable alternative to "dumb" fuzzing techniques. - - -## The afl-fuzz approach - -American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple -but rock-solid instrumentation-guided genetic algorithm. It uses a modified -form of edge coverage to effortlessly pick up subtle, local-scale changes to -program control flow. 
- -Simplifying a bit, the overall algorithm can be summed up as: - - 1) Load user-supplied initial test cases into the queue, - - 2) Take the next input file from the queue, - - 3) Attempt to trim the test case to the smallest size that doesn't alter - the measured behavior of the program, - - 4) Repeatedly mutate the file using a balanced and well-researched variety - of traditional fuzzing strategies, - - 5) If any of the generated mutations resulted in a new state transition - recorded by the instrumentation, add mutated output as a new entry in the - queue. - - 6) Go to 2. - -The discovered test cases are also periodically culled to eliminate ones that -have been obsoleted by newer, higher-coverage finds; and undergo several other -instrumentation-driven effort minimization steps. - -As a side result of the fuzzing process, the tool creates a small, -self-contained corpus of interesting test cases. These are extremely useful -for seeding other, labor- or resource-intensive testing regimes - for example, -for stress-testing browsers, office applications, graphics suites, or -closed-source tools. - -The fuzzer is thoroughly tested to deliver out-of-the-box performance far -superior to blind fuzzing or coverage-only tools. - - -## Instrumenting programs for use with AFL - -PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++ -instead of afl-gcc/afl-g++ is much faster and has many cool features. -See llvm_mode/ - however few code does not compile with llvm. -We support llvm versions 3.4 to 12. - -When source code is available, instrumentation can be injected by a companion -tool that works as a drop-in replacement for gcc or clang in any standard build -process for third-party code. - -The instrumentation has a fairly modest performance impact; in conjunction with -other optimizations implemented by afl-fuzz, most programs can be fuzzed as fast -or even faster than possible with traditional tools. 
- -The correct way to recompile the target program may vary depending on the -specifics of the build process, but a nearly-universal approach would be: - -```shell -CC=/path/to/afl/afl-gcc ./configure -make clean all -``` - -For C++ programs, you'd would also want to set `CXX=/path/to/afl/afl-g++`. - -The clang wrappers (afl-clang and afl-clang++) can be used in the same way; -clang users may also opt to leverage a higher-performance instrumentation mode, -as described in [llvm_mode/README.md](llvm_mode/README.md). -Clang/LLVM has a much better performance and works with LLVM version 3.4 to 12. - -Using the LAF Intel performance enhancements are also recommended, see -[llvm_mode/README.laf-intel.md](llvm_mode/README.laf-intel.md) - -Using partial instrumentation is also recommended, see -[llvm_mode/README.instrument_file.md](llvm_mode/README.instrument_file.md) - -When testing libraries, you need to find or write a simple program that reads -data from stdin or from a file and passes it to the tested library. In such a -case, it is essential to link this executable against a static version of the -instrumented library or to make sure that the correct .so file is loaded at -runtime (usually by setting `LD_LIBRARY_PATH`). The simplest option is a static -build, usually possible via: - -```shell -CC=/path/to/afl/afl-gcc ./configure --disable-shared -``` - -Setting `AFL_HARDEN=1` when calling 'make' will cause the CC wrapper to -automatically enable code hardening options that make it easier to detect -simple memory bugs. Libdislocator, a helper library included with AFL (see -[libdislocator/README.md](libdislocator/README.md)) can help uncover heap corruption issues, too. - -PS. ASAN users are advised to review [docs/notes_for_asan.md](docs/notes_for_asan.md) -file for important caveats. - - -## Fuzzing binary-only targets - -When source code is *NOT* available, the fuzzer offers experimental support for -fast, on-the-fly instrumentation of black-box binaries. 
This is accomplished -with a version of QEMU running in the lesser-known "user space emulation" mode. - -QEMU is a project separate from AFL, but you can conveniently build the -feature by doing: - -```shell -cd qemu_mode -./build_qemu_support.sh -``` - -For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md). - -If possible you should use the persistent mode, see [qemu_mode/README.persistent.md](qemu_mode/README.persistent.md). - -The mode is approximately 2-5x slower than compile-time instrumentation, is -less conducive to parallelization, and may have some other quirks. - -If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for -your binary, then you can use afl-fuzz normally and it will have twice -the speed compared to qemu_mode. - -A more comprehensive description of these and other options can be found in -[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md) - -## Power schedules - -The power schedules were copied from Marcel Böhme's AFLfast implementation and -measure differently which queue entries to prefer and therefore may find -different paths faster for large queues. - -The available schedules are: - - - explore (default, original AFL) - - exploit (original AFL) - - fast (AFLfast) - - coe (AFLfast) - - quad (AFLfast) - - lin (AFLfast) - - rare (afl++ experimental) - - mmopt (afl++ experimental) - - seek (afl++ experimental) - -In parallel mode (-M/-S, several instances with the shared queue), we suggest -to run the main node using the default explore schedule (`-p explore`) and the -secondary nodes with different schedules. If a schedule does not perform well -for a target, restart the secondary nodes with a different schedule. 
- -More details can be found in the paper published at the 23rd ACM Conference on -Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/) - -## Choosing initial test cases - -To operate correctly, the fuzzer requires one or more starting file that -contains a good example of the input data normally expected by the targeted -application. There are two basic rules: - - - Keep the files small. Under 1 kB is ideal, although not strictly necessary. - For a discussion of why size matters, see [perf_tips.md](docs/perf_tips.md). - - - Use multiple test cases only if they are functionally different from - each other. There is no point in using fifty different vacation photos - to fuzz an image library. - -You can find many good examples of starting files in the testcases/ subdirectory -that comes with this tool. - -PS. If a large corpus of data is available for screening, you may want to use -the afl-cmin utility to identify a subset of functionally distinct files that -exercise different code paths in the target binary. - - -## Fuzzing binaries - -The fuzzing process itself is carried out by the afl-fuzz utility. This program -requires a read-only directory with initial test cases, a separate place to -store its findings, plus a path to the binary to test. - -For target binaries that accept input directly from stdin, the usual syntax is: - -```shell -./afl-fuzz -i testcase_dir -o findings_dir /path/to/program [...params...] -``` - -For programs that take input from a file, use '@@' to mark the location in -the target's command line where the input file name should be placed. The -fuzzer will substitute this for you: - -```shell -./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@ -``` - -You can also use the -f option to have the mutated data written to a specific -file. This is useful if the program expects a particular file extension or so. 
- -Non-instrumented binaries can be fuzzed in the QEMU mode (add -Q in the command -line) or in a traditional, blind-fuzzer mode (specify -n). - -You can use -t and -m to override the default timeout and memory limit for the -executed process; rare examples of targets that may need these settings touched -include compilers and video decoders. - -Tips for optimizing fuzzing performance are discussed in [perf_tips.md](docs/perf_tips.md). - -Note that afl-fuzz starts by performing an array of deterministic fuzzing -steps, which can take several days, but tend to produce neat test cases. If you -want quick & dirty results right away - akin to zzuf and other traditional -fuzzers - add the -d option to the command line. - -## Interpreting output - -See the [docs/status_screen.md](docs/status_screen.md) file for information on -how to interpret the displayed stats and monitor the health of the process. Be -sure to consult this file especially if any UI elements are highlighted in red. - -The fuzzing process will continue until you press Ctrl-C. At a minimum, you want -to allow the fuzzer to complete one queue cycle, which may take anywhere from a -couple of hours to a week or so. - -There are three subdirectories created within the output directory and updated -in real-time: - - - queue/ - test cases for every distinctive execution path, plus all the - starting files given by the user. This is the synthesized corpus - mentioned in section 2. - - Before using this corpus for any other purposes, you can shrink - it to a smaller size using the afl-cmin tool. The tool will find - a smaller subset of files offering equivalent edge coverage. - - - crashes/ - unique test cases that cause the tested program to receive a - fatal signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are - grouped by the received signal. - - - hangs/ - unique test cases that cause the tested program to time out. 
The - default time limit before something is classified as a hang is - the larger of 1 second and the value of the -t parameter. - The value can be fine-tuned by setting AFL_HANG_TMOUT, but this - is rarely necessary. - -Crashes and hangs are considered "unique" if the associated execution paths -involve any state transitions not seen in previously-recorded faults. If a -single bug can be reached in multiple ways, there will be some count inflation -early in the process, but this should quickly taper off. - -The file names for crashes and hangs are correlated with the parent, non-faulting -queue entries. This should help with debugging. - -When you can't reproduce a crash found by afl-fuzz, the most likely cause is -that you are not setting the same memory limit as used by the tool. Try: - -```shell -LIMIT_MB=50 -( ulimit -Sv $[LIMIT_MB << 10]; /path/to/tested_binary ... ) -``` - -Change LIMIT_MB to match the -m parameter passed to afl-fuzz. On OpenBSD, -also change -Sv to -Sd. - -Any existing output directory can be also used to resume aborted jobs; try: - -```shell -./afl-fuzz -i- -o existing_output_dir [...etc...] -``` - -If you have gnuplot installed, you can also generate some pretty graphs for any -active fuzzing task using afl-plot. For an example of how this looks like, -see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/). - -## Parallelized fuzzing - -Every instance of afl-fuzz takes up roughly one core. This means that on -multi-core systems, parallelization is necessary to fully utilize the hardware. -For tips on how to fuzz a common target on multiple cores or multiple networked -machines, please refer to [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md). - -The parallel fuzzing mode also offers a simple way for interfacing AFL to other -fuzzers, to symbolic or concolic execution engines, and so forth; again, see the -last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips. 
- -## Fuzzer dictionaries - -By default, afl-fuzz mutation engine is optimized for compact data formats - -say, images, multimedia, compressed data, regular expression syntax, or shell -scripts. It is somewhat less suited for languages with particularly verbose and -redundant verbiage - notably including HTML, SQL, or JavaScript. - -To avoid the hassle of building syntax-aware tools, afl-fuzz provides a way to -seed the fuzzing process with an optional dictionary of language keywords, -magic headers, or other special tokens associated with the targeted data type --- and use that to reconstruct the underlying grammar on the go: - - [http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html](http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html) - -To use this feature, you first need to create a dictionary in one of the two -formats discussed in [dictionaries/README.md](dictionaries/README.md); -and then point the fuzzer to it via the -x option in the command line. - -(Several common dictionaries are already provided in that subdirectory, too.) - -There is no way to provide more structured descriptions of the underlying -syntax, but the fuzzer will likely figure out some of this based on the -instrumentation feedback alone. This actually works in practice, say: - - [http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html](http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html) - -PS. Even when no explicit dictionary is given, afl-fuzz will try to extract -existing syntax tokens in the input corpus by watching the instrumentation -very closely during deterministic byte flips. This works for some types of -parsers and grammars but isn't nearly as good as the -x mode. - -If a dictionary is really hard to come by, another option is to let AFL run -for a while and then use the token capture library that comes as a companion -utility with AFL. 
For that, see [libtokencap/README.md](libtokencap/README.tokencap.md). - -## Crash triage - -The coverage-based grouping of crashes usually produces a small data set that -can be quickly triaged manually or with a very simple GDB or Valgrind script. -Every crash is also traceable to its parent non-crashing test case in the -queue, making it easier to diagnose faults. - -Having said that, it's important to acknowledge that some fuzzing crashes can be -difficult to quickly evaluate for exploitability without a lot of debugging and -code analysis work. To assist with this task, afl-fuzz supports a very unique -"crash exploration" mode enabled with the -C flag. - -In this mode, the fuzzer takes one or more crashing test cases as the input -and uses its feedback-driven fuzzing strategies to very quickly enumerate all -code paths that can be reached in the program while keeping it in the -crashing state. - -Mutations that do not result in a crash are rejected; so are any changes that -do not affect the execution path. - -The output is a small corpus of files that can be very rapidly examined to see -what degree of control the attacker has over the faulting address, or whether -it is possible to get past an initial out-of-bounds read - and see what lies -beneath. - -Oh, one more thing: for test case minimization, give afl-tmin a try. The tool -can be operated in a very simple way: - -```shell -./afl-tmin -i test_case -o minimized_result -- /path/to/program [...] -``` - -The tool works with crashing and non-crashing test cases alike. In the crash -mode, it will happily accept instrumented and non-instrumented binaries. In the -non-crashing mode, the minimizer relies on standard AFL instrumentation to make -the file simpler without altering the execution path. - -The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with -afl-fuzz. - -Another recent addition to AFL is the afl-analyze tool. 
It takes an input -file, attempts to sequentially flip bytes, and observes the behavior of the -tested program. It then color-codes the input based on which sections appear to -be critical, and which are not; while not bulletproof, it can often offer quick -insights into complex file formats. More info about its operation can be found -near the end of [docs/technical_details.md](docs/technical_details.md). - -## Going beyond crashes - -Fuzzing is a wonderful and underutilized technique for discovering non-crashing -design and implementation errors, too. Quite a few interesting bugs have been -found by modifying the target programs to call abort() when say: - - - Two bignum libraries produce different outputs when given the same - fuzzer-generated input, - - - An image library produces different outputs when asked to decode the same - input image several times in a row, - - - A serialization / deserialization library fails to produce stable outputs - when iteratively serializing and deserializing fuzzer-supplied data, - - - A compression library produces an output inconsistent with the input file - when asked to compress and then decompress a particular blob. - -Implementing these or similar sanity checks usually takes very little time; -if you are the maintainer of a particular package, you can make this code -conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also -shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL). - -## Common-sense risks - -Please keep in mind that, similarly to many other computationally-intensive -tasks, fuzzing may put a strain on your hardware and on the OS. In particular: - - - Your CPU will run hot and will need adequate cooling. In most cases, if - cooling is insufficient or stops working properly, CPU speeds will be - automatically throttled. 
That said, especially when fuzzing on less - suitable hardware (laptops, smartphones, etc), it's not entirely impossible - for something to blow up. - - - Targeted programs may end up erratically grabbing gigabytes of memory or - filling up disk space with junk files. AFL tries to enforce basic memory - limits, but can't prevent each and every possible mishap. The bottom line - is that you shouldn't be fuzzing on systems where the prospect of data loss - is not an acceptable risk. - - - Fuzzing involves billions of reads and writes to the filesystem. On modern - systems, this will be usually heavily cached, resulting in fairly modest - "physical" I/O - but there are many factors that may alter this equation. - It is your responsibility to monitor for potential trouble; with very heavy - I/O, the lifespan of many HDDs and SSDs may be reduced. - - A good way to monitor disk I/O on Linux is the 'iostat' command: - -```shell - $ iostat -d 3 -x -k [...optional disk ID...] -``` - -## Known limitations & areas for improvement - -Here are some of the most important caveats for AFL: - - - AFL detects faults by checking for the first spawned process dying due to - a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for - these signals may need to have the relevant code commented out. In the same - vein, faults in child processes spawned by the fuzzed target may evade - detection unless you manually add some code to catch that. - - - As with any other brute-force tool, the fuzzer offers limited coverage if - encryption, checksums, cryptographic signatures, or compression are used to - wholly wrap the actual data format to be tested. - - To work around this, you can comment out the relevant checks (see - examples/libpng_no_checksum/ for inspiration); if this is not possible, - you can also write a postprocessor, one of the hooks of custom mutators. 
- See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use - `AFL_CUSTOM_MUTATOR_LIBRARY` - - - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This - isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md) - for tips. - - - There is no direct support for fuzzing network services, background - daemons, or interactive apps that require UI interaction to work. You may - need to make simple code changes to make them behave in a more traditional - way. Preeny may offer a relatively simple option, too - see: - [https://github.com/zardus/preeny](https://github.com/zardus/preeny) - - Some useful tips for modifying network-based services can be also found at: - [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop) - - - AFL doesn't output human-readable coverage data. If you want to monitor - coverage, use afl-cov from Michael Rash: [https://github.com/mrash/afl-cov](https://github.com/mrash/afl-cov) - - - Occasionally, sentient machines rise against their creators. If this - happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/). - -Beyond this, see INSTALL for platform-specific tips. - -## Special thanks - -Many of the improvements to the original afl and afl++ wouldn't be possible -without feedback, bug reports, or patches from: - -``` - Jann Horn Hanno Boeck - Felix Groebert Jakub Wilk - Richard W. M. 
Jones Alexander Cherepanov - Tom Ritter Hovik Manucharyan - Sebastian Roschke Eberhard Mattes - Padraig Brady Ben Laurie - @dronesec Luca Barbato - Tobias Ospelt Thomas Jarosch - Martin Carpenter Mudge Zatko - Joe Zbiciak Ryan Govostes - Michael Rash William Robinet - Jonathan Gray Filipe Cabecinhas - Nico Weber Jodie Cunningham - Andrew Griffiths Parker Thompson - Jonathan Neuschaefer Tyler Nighswander - Ben Nagy Samir Aguiar - Aidan Thornton Aleksandar Nikolich - Sam Hakim Laszlo Szekeres - David A. Wheeler Turo Lamminen - Andreas Stieger Richard Godbee - Louis Dassy teor2345 - Alex Moneger Dmitry Vyukov - Keegan McAllister Kostya Serebryany - Richo Healey Martijn Bogaard - rc0r Jonathan Foote - Christian Holler Dominique Pelle - Jacek Wielemborek Leo Barnes - Jeremy Barnes Jeff Trull - Guillaume Endignoux ilovezfs - Daniel Godas-Lopez Franjo Ivancic - Austin Seipp Daniel Komaromy - Daniel Binderman Jonathan Metzman - Vegard Nossum Jan Kneschke - Kurt Roeckx Marcel Boehme - Van-Thuan Pham Abhik Roychoudhury - Joshua J. Drake Toby Hutton - Rene Freingruber Sergey Davidoff - Sami Liedes Craig Young - Andrzej Jackowski Daniel Hodson - Nathan Voss Dominik Maier - Andrea Biondo Vincent Le Garrec - Khaled Yakdan Kuang-che Wu - Josephine Calliotte Konrad Welc -``` - -Thank you! -(For people sending pull requests - please add yourself to this list :-) - -## Contact - -Questions? Concerns? Bug reports? The contributors can be reached via -[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) - -There is also a mailing list for the afl project; to join, send a mail to -. Or, if you prefer to browse -archives first, try: [https://groups.google.com/group/afl-users](https://groups.google.com/group/afl-users) diff --git a/docs/screenshot.png b/docs/screenshot.png new file mode 100644 index 00000000..7b4dd7e4 Binary files /dev/null and b/docs/screenshot.png differ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f03c545d..39e4f32d 100644 
--- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1234,6 +1234,7 @@ int main(int argc, char **argv_orig, char **envp) { } + (void)nice(-20); // real start time, we reset, so this works correctly with -V afl->start_time = get_cur_time(); -- cgit 1.4.1 From 7944009a65da71fab7c722182bf1ac630bdde226 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 27 Jul 2020 13:07:55 +0200 Subject: unrenice --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 39e4f32d..103c9b2a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1234,7 +1234,7 @@ int main(int argc, char **argv_orig, char **envp) { } - (void)nice(-20); + // (void)nice(-20); // does not improve the speed // real start time, we reset, so this works correctly with -V afl->start_time = get_cur_time(); -- cgit 1.4.1 From 23718e51984f61992ae213144f39a1c95638800b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 28 Jul 2020 09:52:28 +0200 Subject: forgot getopt --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 103c9b2a..eb4b6a87 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -272,7 +272,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing while ((opt = getopt(argc, argv, - "+c:i:I:o:f:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > + "+c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) { switch (opt) { -- cgit 1.4.1 From 952e5b47ebaa0e1813e42ad7e7b524a519135d46 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 28 Jul 2020 16:02:15 +0200 Subject: allow custom mut with mopt if -L is -1 --- src/afl-fuzz-mutators.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 850266c2..b288cf9f 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
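Review bot: `(void)nice(-20);` discards the result, so the new line either silently does nothing or silently changes host-wide scheduling: a negative increment lowers the nice value below the current one, which needs CAP_SYS_NICE (or a matching RLIMIT_NICE), so for an unprivileged fuzzing user the call fails with EPERM and has no effect, while for root it puts afl-fuzz at the highest priority and competes with everything else on the box, presumably including the target and any parallel instances. If the call is kept it should be checked and reported rather than cast away, e.g. `errno = 0;` / `if (nice(-20) == -1 && errno) { WARNF("nice(-20) failed: %s", strerror(errno)); }`, and it would be better made opt-in than unconditional. main() continues outside the hunk.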
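Review bot: Turning `(void)nice(-20);` into `// (void)nice(-20); // does not improve the speed` leaves commented-out code in main() with the rationale squeezed into a trailing comment; the commit record already says why it was tried, so the line should be deleted outright. If the finding is worth preserving in the source, a plain sentence is clearer than dead code, e.g. `// nice(-20) was tried here and gave no measurable speed gain; it also needs CAP_SYS_NICE`. main() continues outside the hunk.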
@@ -40,7 +40,7 @@ void setup_custom_mutators(afl_state_t *afl) { if (fn) { - if (afl->limit_time_sig) + if (afl->limit_time_sig && afl->limit_time_sig != -1) FATAL( "MOpt and custom mutator are mutually exclusive. We accept pull " "requests that integrates MOpt with the optional mutators " -- cgit 1.4.1 From 565da10a8f46e9910ac5edecb1c5e68ee8c66b0d Mon Sep 17 00:00:00 2001 From: Rishi Ranjan Date: Wed, 29 Jul 2020 01:05:05 +0530 Subject: Minor change to write_with_gap --- src/afl-fuzz-run.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 7d68083d..e4ddab1b 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -144,12 +144,12 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, /* This memory is used to carry out the post_processing(if present) after copying - the testcase by removing the gaps + the testcase by removing the gaps. This can break though */ - u8 mem_trimmed[skip_at + tail_len + + u8 mem_trimmed[len - skip_len + 1]; // 1 extra size to remove chance of overflow - ssize_t new_size = skip_at + tail_len; + ssize_t new_size = len - skip_len; void * new_mem = mem; u8 * new_buf = NULL; -- cgit 1.4.1 From 6cfa27d78ab9fb178a1678bdcc36cb62a555f7a4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 29 Jul 2020 11:47:32 +0200 Subject: remove dead code, code-format --- docs/Changelog.md | 4 +- src/afl-fuzz-one.c | 532 +-------------------------------------------------- src/afl-fuzz-stats.c | 134 ++++++------- 3 files changed, 71 insertions(+), 599 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index cadfcb04..d3d5063b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
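Review bot: `afl->limit_time_sig != -1` introduces a magic sentinel without saying what -1 means; the commit title explains that `-L -1` is the one MOpt setting that may be combined with custom mutators, but that knowledge does not reach the code. Add a comment above the check, e.g. `// limit_time_sig == -1 (from -L -1) is the only MOpt setting that may be combined with custom mutators`, or name the sentinel with an enum constant so the condition reads as intent rather than arithmetic. If `limit_time_sig` is an unsigned field the comparison with -1 relies on integer promotion, which a named constant of the field's type would make explicit; the field's declaration is not visible in the hunk. setup_custom_mutators() continues outside the hunk.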
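Review bot: `u8 mem_trimmed[len - skip_len + 1]` is a variable-length array sized from caller-supplied values with no check that `skip_len <= len` (the hunk header shows `u32 len` and `u32 skip_at`; skip_len's type is outside the hunk): if skip_len exceeds len the unsigned subtraction wraps and the VLA becomes enormous, and even a well-formed call places a testcase-sized buffer on the stack, which is what the author's own `This can break though` comment is warning about. Guard the sizes before the array is declared, `if (skip_len > len || skip_at > len - skip_len) { FATAL("write_with_gap: gap exceeds testcase length"); }`, and prefer a heap-backed scratch buffer over a VLA whose size is bounded only by the input. `new_size` is computed from the same expression, so the guard covers both. write_with_gap() continues outside the hunk.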
@@ -14,6 +14,8 @@ sending a mail to . - added -F option to allow -M main fuzzers to sync to foreign fuzzers, e.g. honggfuzz or libfuzzer - eliminated CPU affinity race condition for -S/-M runs + - expanded havoc mode added, on no cycle finds add extra splicing and + MOpt into the mix - llvm_mode: - now supports llvm 12! - fixes for laf-intel float splitting (thanks to mark-griffin for @@ -21,7 +23,7 @@ sending a mail to . - LTO: autodictionary mode is a default - LTO: instrim instrumentation disabled, only classic support used as it is always better - - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz :) + - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz - added afl-frida gum solution to examples/afl_frida (mostly imported from https://github.com/meme/hotwax/) - small fixes to afl-plot, afl-whatsup and man page creation diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index f8680100..a42bb0fc 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -27,10 +27,6 @@ #include #include -/* static u8 *strnstr(const u8 *s, const u8 *find, size_t slen); -static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from, - u8 *to); */ - /* MOpt */ static int select_algorithm(afl_state_t *afl) { 
@@ -370,524 +366,6 @@ static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) { #define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size -#if 0 -/* search a string */ - -static u8 *strnstr(const u8 *s, const u8 *find, size_t slen) { - - char c, sc; - size_t len; - - if ((c = *find++) != '\0') { - - len = strlen(find); - do { - - do { - - if (slen-- < 1 || (sc = *s++) == '\0') return (NULL); - - } while (sc != c); - - if (len > slen) return (NULL); - - } while (strncmp(s, find, len) != 0); - - s--; - - } - - return ((u8 *)s); - -} - -/* replace between deliminators, if rep == NULL, then we will duplicate the - * target */ - -static u32 delim_replace(u8 **out_buf, s32 *temp_len, size_t pos, - const u8 *ldelim, const u8 *rdelim, u8 *rep) { - - u8 *end_buf = *out_buf + *temp_len; - u8 *ldelim_start = strnstr(*out_buf + pos, ldelim, *temp_len - pos); - - if (ldelim_start != NULL) { - - u32 max = (end_buf - ldelim_start - 1 > AFL_TXT_STRING_MAX_LEN - ? AFL_TXT_STRING_MAX_LEN - : end_buf - ldelim_start - 1); - - if (max > 0) { - - u8 *rdelim_end = strnstr(ldelim_start + 1, rdelim, max); - - if (rdelim_end != NULL) { - - u32 rep_len, delim_space_len = rdelim_end - ldelim_start - 1, xtra = 0; - - if (rep != NULL) { - - rep_len = (u32)strlen(rep); - - } else { // NULL? then we copy the value in between the delimiters - - rep_len = delim_space_len; - delim_space_len = 0; - rep = ldelim_start + 1; - xtra = rep_len; - - } - - if (rep_len != delim_space_len) { - - memmove(ldelim_start + rep_len + xtra + 1, rdelim_end, - *temp_len - (rdelim_end - *out_buf)); - - } - - memcpy(ldelim_start + 1, rep, rep_len); - *temp_len = (*temp_len - delim_space_len + rep_len); - - return 1; - - } - - } - - } - - return 0; - -} - -static u32 delim_swap(u8 **out_buf, s32 *temp_len, size_t pos, const u8 *ldelim, - const u8 *mdelim, const u8 *rdelim) { - - u8 *out_buf_end = *out_buf + *temp_len; - u32 max = (*temp_len - pos > AFL_TXT_STRING_MAX_LEN ? 
AFL_TXT_STRING_MAX_LEN - : *temp_len - pos); - u8 *ldelim_start = strnstr(*out_buf + pos, ldelim, max); - - if (ldelim_start != NULL) { - - max = (out_buf_end - ldelim_start - 1 > AFL_TXT_STRING_MAX_LEN - ? AFL_TXT_STRING_MAX_LEN - : out_buf_end - ldelim_start - 1); - if (max > 1) { - - u8 *mdelim_pos = strnstr(ldelim_start + 1, mdelim, max); - - if (mdelim_pos != NULL) { - - max = (out_buf_end - mdelim_pos - 1 > AFL_TXT_STRING_MAX_LEN - ? AFL_TXT_STRING_MAX_LEN - : out_buf_end - mdelim_pos - 1); - if (max > 0) { - - u8 *rdelim_end = strnstr(mdelim + 1, rdelim, max); - - if (rdelim_end != NULL) { - - u32 first_len = mdelim_pos - ldelim_start - 1; - u32 second_len = rdelim_end - mdelim_pos - 1; - u8 scratch[AFL_TXT_STRING_MAX_LEN]; - - memcpy(scratch, ldelim_start + 1, first_len); - - if (first_len != second_len) { - - memmove(ldelim_start + second_len + 1, mdelim_pos, - out_buf_end - mdelim_pos); - - } - - memcpy(ldelim_start + 1, mdelim_pos + 1, second_len); - - if (first_len != second_len) { - - memmove(mdelim_pos + first_len + 1, rdelim_end, - out_buf_end - rdelim_end); - - } - - memcpy(mdelim_pos + 1, scratch, first_len); - - return 1; - - } - - } - - } - - } - - } - - return 0; - -} - -/* replace a string */ - -static u32 string_replace(u8 **out_buf, s32 *temp_len, u32 pos, u8 *from, - u8 *to) { - - u8 *start = strnstr(*out_buf + pos, from, *temp_len - pos); - - if (start) { - - u32 from_len = strlen(from); - u32 to_len = strlen(to); - - if (from_len != to_len) { - - memmove(start + to_len, start + from_len, - *temp_len - from_len - (start - *out_buf)); - - } - - memcpy(start, to, to_len); - *temp_len = (*temp_len - from_len + to_len); - - return 1; - - } - - return 0; - -} - -/* Returns 1 if a mutant was generated and placed in out_buf, 0 if none - * generated. 
*/ - -static const uint8_t text_mutation_special_chars[] = { - - '\t', '\n', '\r', ' ', '!', '"', '$', '%', '&', '\'', '(', ')', '*', - '+', ',', '-', '.', '/', ':', ';', '<', '=', '>', '?', '@', '[', - '\\', ']', '^', '_', '`', '{', '|', '}', '~', ' ' // space is here twice - -}; - -static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { - - if (*orig_temp_len < AFL_TXT_MIN_LEN) { return 0; } - - s32 temp_len; - u32 pos, yes = 0, - mutations = rand_below(afl, AFL_TXT_STRING_MAX_MUTATIONS) + 16; - u8 *new_buf = - ck_maybe_grow(BUF_PARAMS(out_scratch), - *orig_temp_len + AFL_TXT_STRING_MAX_MUTATIONS + 16); - u8 fromc[2] = {0, 0}, toc[2] = {0, 0}; - temp_len = *orig_temp_len; - memcpy(new_buf, *out_buf, temp_len); - new_buf[temp_len] = 0; - - for (u32 i = 0; i < mutations; i++) { - - if (temp_len < AFL_TXT_MIN_LEN) { return 0; } - - pos = rand_below(afl, temp_len - 1); - int choice = rand_below(afl, 100); - - switch (choice) { - - /* 50% -> fixed replacements */ - - case 0: /* Semantic statement deletion */ - yes += string_replace(&new_buf, &temp_len, pos, "\n", "#"); - break; - case 1: - yes += string_replace(&new_buf, &temp_len, pos, "(", "(!"); - break; - case 2: - yes += string_replace(&new_buf, &temp_len, pos, "==", "!="); - break; - case 3: - yes += string_replace(&new_buf, &temp_len, pos, "!=", "=="); - break; - case 4: - yes += string_replace(&new_buf, &temp_len, pos, "==", "<"); - break; - case 5: - yes += string_replace(&new_buf, &temp_len, pos, "<", "=="); - break; - case 6: - yes += string_replace(&new_buf, &temp_len, pos, "==", ">"); - break; - case 7: - yes += string_replace(&new_buf, &temp_len, pos, ">", "=="); - break; - case 8: - yes += string_replace(&new_buf, &temp_len, pos, "=", "<"); - break; - case 9: - yes += string_replace(&new_buf, &temp_len, pos, "=", ">"); - break; - case 10: - yes += string_replace(&new_buf, &temp_len, pos, "<", ">"); - break; - case 11: - yes += string_replace(&new_buf, &temp_len, pos, ">", "<"); - 
break; - case 12: - yes += string_replace(&new_buf, &temp_len, pos, "++", "--"); - break; - case 13: - yes += string_replace(&new_buf, &temp_len, pos, "--", "++"); - break; - case 14: - yes += string_replace(&new_buf, &temp_len, pos, "+", "-"); - break; - case 15: - yes += string_replace(&new_buf, &temp_len, pos, "-", "+"); - break; - case 16: - yes += string_replace(&new_buf, &temp_len, pos, "0", "1"); - break; - case 17: - yes += string_replace(&new_buf, &temp_len, pos, "1", "0"); - break; - case 18: - yes += string_replace(&new_buf, &temp_len, pos, "&&", "||"); - break; - case 19: - yes += string_replace(&new_buf, &temp_len, pos, "||", "&&"); - break; - case 20: - yes += string_replace(&new_buf, &temp_len, pos, "!", ""); - break; - case 21: - yes += string_replace(&new_buf, &temp_len, pos, "==", "="); - break; - case 22: - yes += string_replace(&new_buf, &temp_len, pos, "=", "=="); - break; - case 23: - yes += string_replace(&new_buf, &temp_len, pos, "--", ""); - break; - case 24: - yes += string_replace(&new_buf, &temp_len, pos, "<<", "<"); - break; - case 25: - yes += string_replace(&new_buf, &temp_len, pos, ">>", ">"); - break; - case 26: - yes += string_replace(&new_buf, &temp_len, pos, "<", "<<"); - break; - case 27: - yes += string_replace(&new_buf, &temp_len, pos, ">", ">>"); - break; - case 28: - yes += string_replace(&new_buf, &temp_len, pos, "'", "\""); - break; - case 29: - yes += string_replace(&new_buf, &temp_len, pos, "\"", "'"); - break; - case 30: /* Remove a semicolon delimited statement after a semicolon */ - yes += delim_replace(&new_buf, &temp_len, pos, ";", ";", ";"); - break; - case 31: /* Remove a semicolon delimited statement after a left curly - brace */ - yes += delim_replace(&new_buf, &temp_len, pos, "}", ";", "}"); - break; - case 32: /* Remove a curly brace construct */ - yes += delim_replace(&new_buf, &temp_len, pos, "{", "}", ""); - break; - case 33: /* Replace a curly brace construct with an empty one */ - yes += 
delim_replace(&new_buf, &temp_len, pos, "{", "}", "{}"); - break; - case 34: - yes += delim_swap(&new_buf, &temp_len, pos, ";", ";", ";"); - break; - case 35: - yes += delim_swap(&new_buf, &temp_len, pos, "}", ";", ";"); - break; - case 36: /* Swap comma delimited things case 1 */ - yes += delim_swap(&new_buf, &temp_len, pos, "(", ",", ")"); - break; - case 37: /* Swap comma delimited things case 2 */ - yes += delim_swap(&new_buf, &temp_len, pos, "(", ",", ","); - break; - case 38: /* Swap comma delimited things case 3 */ - yes += delim_swap(&new_buf, &temp_len, pos, ",", ",", ","); - break; - case 39: /* Swap comma delimited things case 4 */ - yes += delim_swap(&new_buf, &temp_len, pos, ",", ",", ")"); - break; - case 40: /* Just delete a line */ - yes += delim_replace(&new_buf, &temp_len, pos, "\n", "\n", ""); - break; - case 41: /* Delete something like "const" case 1 */ - yes += delim_replace(&new_buf, &temp_len, pos, " ", " ", ""); - break; - case 42: /* Delete something like "const" case 2 */ - yes += delim_replace(&new_buf, &temp_len, pos, "\n", " ", ""); - break; - case 43: /* Delete something like "const" case 3 */ - yes += delim_replace(&new_buf, &temp_len, pos, "(", " ", ""); - break; - case 44: /* Swap space delimited things case 1 */ - yes += delim_swap(&new_buf, &temp_len, pos, " ", " ", " "); - break; - case 45: /* Swap space delimited things case 2 */ - yes += delim_swap(&new_buf, &temp_len, pos, " ", " ", ")"); - break; - case 46: /* Swap space delimited things case 3 */ - yes += delim_swap(&new_buf, &temp_len, pos, "(", " ", " "); - break; - case 47: /* Swap space delimited things case 4 */ - yes += delim_swap(&new_buf, &temp_len, pos, "(", " ", ")"); - break; - case 48: /* Duplicate a single line of code */ - yes += delim_replace(&new_buf, &temp_len, pos, "\n", "\n", NULL); - break; - case 49: /* Duplicate a construct (most often, a non-nested for loop */ - yes += delim_replace(&new_buf, &temp_len, pos, "\n", "}", NULL); - break; - default: { - - 
/* 5% is transforming ascii numbers */ - - if (choice < 55) { - - for (u32 j = pos; j < temp_len; ++j) { - - if (isdigit(new_buf[j])) { - - new_buf[temp_len] = - 0; // should be safe thanks to the initial grow - - u8 * endptr; - unsigned long long num = - strtoull(new_buf + j, (char **)&endptr, 0); - - switch (rand_below(afl, 8)) { - - case 0: - num = rand_below(afl, INT_MAX); - break; - case 1: - num = rand_next(afl); - break; - case 2: - num += 1 + rand_below(afl, 255); - break; - case 3: - num -= 1 + rand_below(afl, 255); - break; - case 4: - num *= 1 + rand_below(afl, 255); - break; - case 5: - num /= 1 + rand_below(afl, 255); - break; - case 6: - num /= 1 + rand_below(afl, 255); - break; - case 7: - num = ~num; - break; - - } - - const char *fmt = "%llu"; - if (rand_below(afl, 5) == 0) // add - sign with 1/5 probability - fmt = "-%llu"; - - size_t num_len = snprintf(NULL, 0, fmt, num); - size_t old_len = endptr - (new_buf + j); - if (num_len < old_len) { - - memmove(new_buf + j + num_len, new_buf + j + old_len, - temp_len - (j + old_len)); - snprintf(new_buf + j, num_len, fmt, num); - temp_len -= old_len - num_len; - - } else if (num_len == old_len) { - - snprintf(new_buf + j, num_len, fmt, num); - - } else { - - new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), - temp_len + (num_len - old_len) + - AFL_TXT_STRING_MAX_MUTATIONS + 1); - memmove(new_buf + j + num_len, new_buf + j + old_len, - temp_len - (j + old_len)); - snprintf(new_buf + j, num_len, fmt, num); - temp_len += num_len - old_len; - - } - - yes += 1; - break; - - } - - } - - } else if (choice < 85) { - - /* 30% is special character transform */ - - fromc[0] = text_mutation_special_chars[rand_below( - afl, sizeof(text_mutation_special_chars))]; - - do { - - toc[0] = text_mutation_special_chars[rand_below( - afl, sizeof(text_mutation_special_chars))]; - - } while (toc[0] == fromc[0]); - - yes += string_replace(&new_buf, &temp_len, pos, fromc, toc); - break; - - } else { - - /* 15% is random text 
character transform */ - - u32 iter, cnt, loc, prev_loc = temp_len; - if (temp_len > 32) { - - cnt = 1 + rand_below(afl, 5); - - } else { - - cnt = rand_below(afl, 2); - - } - - for (iter = 0; iter <= cnt; iter++) { - - while ((loc = rand_below(afl, temp_len)) == prev_loc) - ; - new_buf[loc] = 32 + rand_below(afl, 'z' - ' ' + 1); - prev_loc = loc; - - } - - } - - } - - } - - } - - if (yes == 0 || temp_len <= 0) { return 0; } - - swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); - *out_buf = new_buf; - *orig_temp_len = temp_len; - - return 1; - -} - -#endif /* if 0 */ - /* Take the current entry from the queue, fuzz it for a while. This function is a tad too long... returns 0 if fuzzed successfully, 1 if skipped or bailed out. */ @@ -2926,15 +2404,7 @@ havoc_stage: } - /* default: - - // perform ascii mutations - if (text_mutation(afl, &out_buf, &temp_len) == 0) - goto retry_havoc; - - } // end default: switch(r) - - */ + // end of default: } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 9b16c226..7b30b5ea 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -82,60 +82,59 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } #endif - fprintf( - f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" - "fuzzer_pid : %u\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - "execs_ps_last_min : %0.02f\n" - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" - "slowest_exec_ms : %u\n" - "peak_rss_mb : %lu\n" - "cpu_affinity : %d\n" - "edges_found : %u\n" - "var_byte_count : %u\n" - "havoc_expansion : %u\n" - "afl_banner : %s\n" - "afl_version : " VERSION - "\n" - "target_mode : %s%s%s%s%s%s%s%s%s\n" - "command_line : %s\n", - afl->start_time / 1000, cur_time / 1000, - (cur_time - afl->start_time) / 1000, (u32)getpid(), - afl->queue_cycle ? 
(afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, - afl->fsrv.total_execs, - afl->fsrv.total_execs / - ((double)(get_cur_time() - afl->start_time) / 1000), - afl->last_avg_execs_saved, - afl->queued_paths, afl->queued_favored, afl->queued_discovered, - afl->queued_imported, afl->max_depth, afl->current_entry, - afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, - stability, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, - afl->last_path_time / 1000, afl->last_crash_time / 1000, - afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, - afl->fsrv.exec_tmout, afl->slowest_exec_ms, + fprintf(f, + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "execs_ps_last_min : %0.02f\n" + "paths_total : %u\n" + "paths_favored : %u\n" + "paths_found : %u\n" + "paths_imported : %u\n" + "max_depth : %u\n" + "cur_path : %u\n" /* Must match find_start_position() */ + "pending_favs : %u\n" + "pending_total : %u\n" + "variable_paths : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" + "slowest_exec_ms : %u\n" + "peak_rss_mb : %lu\n" + "cpu_affinity : %d\n" + "edges_found : %u\n" + "var_byte_count : %u\n" + "havoc_expansion : %u\n" + "afl_banner : %s\n" + "afl_version : " VERSION + "\n" + "target_mode : %s%s%s%s%s%s%s%s%s\n" + "command_line : %s\n", + afl->start_time / 1000, cur_time / 1000, + (cur_time - afl->start_time) / 1000, (u32)getpid(), + afl->queue_cycle ? 
(afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, + afl->fsrv.total_execs, + afl->fsrv.total_execs / + ((double)(get_cur_time() - afl->start_time) / 1000), + afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored, + afl->queued_discovered, afl->queued_imported, afl->max_depth, + afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, + afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, + afl->unique_hangs, afl->last_path_time / 1000, + afl->last_crash_time / 1000, afl->last_hang_time / 1000, + afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, + afl->slowest_exec_ms, #ifndef __HAIKU__ #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), 
@@ -150,19 +149,20 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, #else -1, #endif - t_bytes, afl->var_byte_count, afl->expand_havoc, afl->use_banner, - afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", - afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", - afl->persistent_mode ? "persistent " : "", - afl->shmem_testcase_mode ? "shmem_testcase " : "", - afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->non_instrumented_mode || - afl->no_forkserver || afl->crash_mode || afl->persistent_mode || - afl->deferred_mode) - ? "" - : "default", - afl->orig_cmdline); + t_bytes, afl->var_byte_count, afl->expand_havoc, afl->use_banner, + afl->unicorn_mode ? "unicorn" : "", + afl->fsrv.qemu_mode ? "qemu " : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", + afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", + afl->deferred_mode ? "deferred " : "", + (afl->unicorn_mode || afl->fsrv.qemu_mode || + afl->non_instrumented_mode || afl->no_forkserver || + afl->crash_mode || afl->persistent_mode || afl->deferred_mode) + ? "" + : "default", + afl->orig_cmdline); /* ignore errors */ if (afl->debug) { -- cgit 1.4.1 From f32811922ec8f363bdf46a019d984058dbeb06bf Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 29 Jul 2020 11:56:38 +0200 Subject: minor opt --- src/afl-fuzz-one.c | 3 --- src/afl-fuzz-queue.c | 3 ++- 2 files changed, 2 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a42bb0fc..1f0bf30e 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c 
@@ -1866,7 +1866,6 @@ havoc_stage: cycle without finds happened */ r_max = 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0); - /* + (afl->queue_cur->is_ascii ? AFL_TXT_BIAS : 0); */ } else { @@ -1916,8 +1915,6 @@ havoc_stage: } - // retry_havoc: - switch ((r = rand_below(afl, r_max))) { case 0: diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 56073b0a..38e95ac8 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -268,7 +268,8 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { } - q->is_ascii = check_if_text(q); + /* only redqueen currently uses is_ascii */ + if (afl->shm.cmplog_mode) q->is_ascii = check_if_text(q); } -- cgit 1.4.1 From 35a448ee921158c586177ff8fe0cd82da4345f68 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 09:20:22 +0200 Subject: enhance for custom trim buffer --- src/afl-fuzz-run.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 01963f8f..691d32f8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -134,6 +134,8 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { } +#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size + /* The same, but with an adjustable gap. Used for trimming. */ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, @@ -146,8 +148,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, This memory is used to carry out the post_processing(if present) after copying the testcase by removing the gaps. This can break though */ - u8 mem_trimmed[len - skip_len + - 1]; // 1 extra size to remove chance of overflow + u8 *mem_trimmed = ck_maybe_grow(BUF_PARAMS(out_scratch), len - skip_len + 1); ssize_t new_size = len - skip_len; void * new_mem = mem; 
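Review bot: With the new guard, `q->is_ascii` is never written when cmplog mode is off, so its value then depends on how the queue entry was allocated; that allocation is above this hunk and not visible here. If `q` comes from a zeroing allocator this is fine, otherwise keep the field defined on both paths, `else q->is_ascii = 0;`. The enclosing `add_to_queue` starts outside the hunk.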
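Review bot: `mem_trimmed` now aliases `afl->out_scratch_buf` instead of a frame-private VLA, so any caller of `write_with_gap` that still holds data in `out_scratch_buf` across the call would have it overwritten by the post-processing copy; whether such a caller exists is not visible from this hunk and should be confirmed before relying on the shared buffer. A one-line comment at the allocation would make the constraint explicit: `/* borrows out_scratch_buf: caller must not have it live across this call */`. The size `len - skip_len + 1` is computed in u32 and wraps if `skip_len > len`; the VLA had the same hazard, but a wrapped size now silently requests a huge growth, so `if (unlikely(skip_len > len)) FATAL("write_with_gap: skip_len > len");` before it is cheap insurance. `write_with_gap`'s body continues past the hunk.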
@@ -286,6 +287,8 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, } +#undef BUF_PARAMS + /* Calibrate a new test case. This is done when processing the input directory to warn about flaky or otherwise problematic test cases early on; and when new paths are discovered to detect variable behavior and so on. */ -- cgit 1.4.1 From fc401f1acc61b73f328a16ac10bed268134c495e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 11:51:13 +0200 Subject: fix post process check --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 691d32f8..44d3c522 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -185,7 +185,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, new_size = el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); - if (unlikely(!new_buf && (new_size <= 0))) { + if (unlikely(!new_buf || (new_size <= 0))) { FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size); -- cgit 1.4.1 From ea9ba53cdbc6d175f3f055c9a308668ebaacda1e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 17:09:22 +0200 Subject: fix oob reads, code-format --- examples/aflpp_driver/aflpp_driver.c | 168 ++++++++++++++++++------------ examples/aflpp_driver/aflpp_driver_test.c | 16 +-- src/afl-fuzz-queue.c | 55 +++++----- src/afl-fuzz-redqueen.c | 3 +- test/test-floatingpoint.c | 8 +- 5 files changed, 146 insertions(+), 104 deletions(-) (limited to 'src') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index eca3dcd1..86c7a69f 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c 
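Review bot: The `FATAL` on the corrected condition formats a negative `new_size` with `%lu` after casting to `unsigned long`, so a post-processor that returns -1 is reported as 18446744073709551615; since `new_size` is `ssize_t`, print it signed: `FATAL("Custom_post_process failed (ret: %ld)", (long)new_size);`. The `||` also makes a zero-length result fatal, which is right only if the custom-mutator contract forbids returning 0 to mean "drop this input"; that contract is not visible here, so confirm it against the mutator API docs. The enclosing `write_with_gap` starts and ends outside this hunk.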
@@ -14,12 +14,15 @@ cat << EOF > test_fuzzer.cc #include #include extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + if (size > 0 && data[0] == 'H') if (size > 1 && data[1] == 'I') if (size > 2 && data[2] == '!') __builtin_trap(); return 0; + } + EOF # Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang. clang -g -fsanitize-coverage=trace-pc-guard test_fuzzer.cc -c 
@@ -57,46 +60,46 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #include "config.h" #ifdef _DEBUG -#include "hash.h" + #include "hash.h" #endif // Platform detection. Copied from FuzzerInternal.h #ifdef __linux__ -#define LIBFUZZER_LINUX 1 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 1 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 0 #elif __APPLE__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 1 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 1 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 0 #elif __NetBSD__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 1 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 1 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 0 #elif __FreeBSD__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 1 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 1 + #define LIBFUZZER_OPENBSD 0 #elif __OpenBSD__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 1 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 1 #else -#error "Support for your platform has not been implemented" + #error "Support for your platform has not been implemented" #endif -int __afl_sharedmem_fuzzing = 1; -extern unsigned int *__afl_fuzz_len; +int __afl_sharedmem_fuzzing = 1; +extern unsigned int * 
__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. @@ -105,11 +108,11 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); // Notify AFL about persistent mode. static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; -int __afl_persistent_loop(unsigned int); +int __afl_persistent_loop(unsigned int); // Notify AFL about deferred forkserver. static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; -void __afl_manual_init(); +void __afl_manual_init(); // Use this optionally defined function to output sanitizer messages even if // user asks to close stderr. 
@@ -122,98 +125,121 @@ static FILE *output_file; // Experimental feature to use afl_driver without AFL's deferred mode. // Needs to run before __afl_auto_init. __attribute__((constructor(0))) static void __decide_deferred_forkserver(void) { + if (getenv("AFL_DRIVER_DONT_DEFER")) { + if (unsetenv("__AFL_DEFER_FORKSRV")) { + perror("Failed to unset __AFL_DEFER_FORKSRV"); abort(); + } + } + } // If the user asks us to duplicate stderr, then do it. static void maybe_duplicate_stderr() { + char *stderr_duplicate_filename = getenv("AFL_DRIVER_STDERR_DUPLICATE_FILENAME"); - if (!stderr_duplicate_filename) - return; + if (!stderr_duplicate_filename) return; FILE *stderr_duplicate_stream = freopen(stderr_duplicate_filename, "a+", stderr); if (!stderr_duplicate_stream) { + fprintf( stderr, "Failed to duplicate stderr to AFL_DRIVER_STDERR_DUPLICATE_FILENAME"); abort(); + } + output_file = stderr_duplicate_stream; + } // Most of these I/O functions were inspired by/copied from libFuzzer's code. static void discard_output(int fd) { + FILE *temp = fopen("/dev/null", "w"); - if (!temp) - abort(); + if (!temp) abort(); dup2(fileno(temp), fd); fclose(temp); + } -static void close_stdout() { discard_output(STDOUT_FILENO); } +static void close_stdout() { + + discard_output(STDOUT_FILENO); + +} // Prevent the targeted code from writing to "stderr" but allow sanitizers and // this driver to do so. static void dup_and_close_stderr() { + int output_fileno = fileno(output_file); int output_fd = dup(output_fileno); - if (output_fd <= 0) - abort(); + if (output_fd <= 0) abort(); FILE *new_output_file = fdopen(output_fd, "w"); - if (!new_output_file) - abort(); - if (!__sanitizer_set_report_fd) - return; - __sanitizer_set_report_fd((void*)output_fd); + if (!new_output_file) abort(); + if (!__sanitizer_set_report_fd) return; + __sanitizer_set_report_fd((void *)output_fd); discard_output(output_fileno); + } // Close stdout and/or stderr if user asks for it. 
static void maybe_close_fd_mask() { + char *fd_mask_str = getenv("AFL_DRIVER_CLOSE_FD_MASK"); - if (!fd_mask_str) - return; + if (!fd_mask_str) return; int fd_mask = atoi(fd_mask_str); - if (fd_mask & 2) - dup_and_close_stderr(); - if (fd_mask & 1) - close_stdout(); + if (fd_mask & 2) dup_and_close_stderr(); + if (fd_mask & 1) close_stdout(); + } // Define LLVMFuzzerMutate to avoid link failures for targets that use it // with libFuzzer's LLVMFuzzerCustomMutator. size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { - //assert(false && "LLVMFuzzerMutate should not be called from afl_driver"); + + // assert(false && "LLVMFuzzerMutate should not be called from afl_driver"); return 0; + } // Execute any files provided as parameters. static int ExecuteFilesOnyByOne(int argc, char **argv) { + unsigned char *buf = malloc(MAX_FILE); for (int i = 1; i < argc; i++) { + int fd = open(argv[i], O_RDONLY); if (fd == -1) continue; ssize_t length = read(fd, buf, MAX_FILE); if (length > 0) { + printf("Reading %zu bytes from %s\n", length, argv[i]); LLVMFuzzerTestOneInput(buf, length); printf("Execution successful.\n"); + } + } + free(buf); return 0; + } int main(int argc, char **argv) { + printf( "======================= INFO =========================\n" "This binary is built for AFL-fuzz.\n" 
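Review bot: `ExecuteFilesOnyByOne` never closes the descriptor it opens, so every file argument leaks an fd, and the `malloc(MAX_FILE)` result goes to `read` unchecked; add `close(fd);` right after the `read` and `if (!buf) { perror("malloc"); return 1; }` after the allocation. The `printf("Reading %zu bytes from %s\n", length, argv[i])` passes an `ssize_t`, so the specifier should be `%zd`. These lines are only re-indented by the commit, but the new side is what ships. `main` starts at the end of the hunk and continues past it.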
@@ -226,36 +252,39 @@ int main(int argc, char **argv) { "afl-fuzz will run N iterations before " "re-spawning the process (default: 1000)\n" "======================================================\n", - argv[0], argv[0], argv[0]); + argv[0], argv[0], argv[0]); output_file = stderr; maybe_duplicate_stderr(); maybe_close_fd_mask(); - if (LLVMFuzzerInitialize) - LLVMFuzzerInitialize(&argc, &argv); + if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. uint8_t dummy_input[64] = {0}; - memcpy(dummy_input, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); - memcpy(dummy_input + 32, (void*)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR)); + memcpy(dummy_input, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); + memcpy(dummy_input + 32, (void *)AFL_DEFER_FORKSVR, + sizeof(AFL_DEFER_FORKSVR)); int N = INT_MAX; if (argc == 2 && argv[1][0] == '-') - N = atoi(argv[1] + 1); - else if(argc == 2 && (N = atoi(argv[1])) > 0) - printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); + N = atoi(argv[1] + 1); + else if (argc == 2 && (N = atoi(argv[1])) > 0) + printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { -// if (!getenv("AFL_DRIVER_DONT_DEFER")) { - __afl_sharedmem_fuzzing = 0; - __afl_manual_init(); -// } + + // if (!getenv("AFL_DRIVER_DONT_DEFER")) { + + __afl_sharedmem_fuzzing = 0; + __afl_manual_init(); + // } return ExecuteFilesOnyByOne(argc, argv); exit(0); + } assert(N > 0); -// if (!getenv("AFL_DRIVER_DONT_DEFER")) + // if (!getenv("AFL_DRIVER_DONT_DEFER")) __afl_manual_init(); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization 
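Review bot: The iteration count from `-N` is validated only by `assert(N > 0)`, which disappears under `NDEBUG`, so `-0` or a non-numeric `-foo` (both give 0 from `atoi`) then reach `__afl_persistent_loop(0)` unchecked; what that does with 0 is not visible here. Replace the assert with a real check, `if (N <= 0) { fprintf(stderr, "%s: invalid iteration count\n", argv[0]); return 1; }`. The `exit(0)` after `return ExecuteFilesOnyByOne(argc, argv);` is unreachable and can go. `main` continues past the hunk.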
@@ -264,17 +293,26 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { + #ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %016llx len: %u\n", + hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), + *__afl_fuzz_len); fprintf(stderr, "RECV:"); for (int i = 0; i < *__afl_fuzz_len; i++) fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); - fprintf(stderr,"\n"); + fprintf(stderr, "\n"); #endif if (*__afl_fuzz_len) { + num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + } + } + printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); + } + diff --git a/examples/aflpp_driver/aflpp_driver_test.c b/examples/aflpp_driver/aflpp_driver_test.c index 83278f5c..e4567bbf 100644 --- a/examples/aflpp_driver/aflpp_driver_test.c +++ b/examples/aflpp_driver/aflpp_driver_test.c @@ -6,18 +6,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - fprintf(stderr, "FUNC crc: %016llx len: %lu\n", hash64((u8*)Data, (unsigned int) Size, (unsigned long long int) 0xa5b35705), Size); - - if (Size < 5) - return 0; + fprintf(stderr, "FUNC crc: %016llx len: %lu\n", + hash64((u8 *)Data, (unsigned int)Size, + (unsigned long long int)0xa5b35705), + Size); + + if (Size < 5) return 0; if (Data[0] == 'F') if (Data[1] == 'A') if (Data[2] == '$') if (Data[3] == '$') - if (Data[4] == '$') - abort(); - + if (Data[4] == '$') abort(); + return 0; } + diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 38e95ac8..71874283 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -139,7 +139,8 @@ static u8 check_if_text(struct queue_entry *q) { // non-overlong 2-byte if (((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) { + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF)) && + len - offset > 1) { offset += 2; utf8++; 
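Review bot: The new `len - offset > 1` test is the last operand of the `&&` chain, so `buf[offset + 1]` is still read before the bound is checked whenever `buf[offset]` is in 0xC2..0xDF — the out-of-bounds read this commit sets out to fix is moved, not removed. The 3- and 4-byte hunks below put the length check first; do the same here: `if ((len - offset > 1) && ((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) && (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) {`. `check_if_text` starts and ends outside this hunk.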
@@ -149,18 +150,19 @@ static u8 check_if_text(struct queue_entry *q) { } // excluding overlongs - if ((buf[offset + 0] == 0xE0 && - (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && - buf[offset + 2] <= 0xBF)) || // straight 3-byte - (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) || - buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && - buf[offset + 2] <= 0xBF)) || // excluding surrogates - (buf[offset + 0] == 0xED && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF))) { + if ((len - offset > 2) && + ((buf[offset + 0] == 0xE0 && + (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // straight 3-byte + (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) || + buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // excluding surrogates + (buf[offset + 0] == 0xED && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF)))) { offset += 3; utf8++; 
@@ -170,19 +172,20 @@ static u8 check_if_text(struct queue_entry *q) { } // planes 1-3 - if ((buf[offset + 0] == 0xF0 && - (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && - (0x80 <= buf[offset + 3] && - buf[offset + 3] <= 0xBF)) || // planes 4-15 - ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && - (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16 - (buf[offset + 0] == 0xF4 && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && - (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF))) { + if ((len - offset > 3) && + ((buf[offset + 0] == 0xF0 && + (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && + buf[offset + 3] <= 0xBF)) || // planes 4-15 + ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16 + (buf[offset + 0] == 0xF4 && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)))) { offset += 4; utf8++; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 57e60c3d..a2e8f992 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -269,8 +269,7 @@ static long long strntoll(const char *str, size_t sz, char **end, int base) { long long ret; const char *beg = str; - for (; beg && sz && *beg == ' '; beg++, sz--) - ; + for (; beg && sz && *beg == ' '; beg++, sz--) {}; if (!sz || sz >= sizeof(buf)) { 
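Review bot: `for (; beg && sz && *beg == ' '; beg++, sz--) {};` leaves a stray empty statement after the braces; write the empty body as `{}` alone, which is presumably what the formatter this commit applies expects elsewhere in the file. Purely a style point; the loop itself is unchanged. `strntoll` continues past the hunk.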
diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index d1709b90..3a699595 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -17,10 +17,10 @@ int main(void) { int len = __AFL_FUZZ_TESTCASE_LEN; if (len != sizeof(float)) return 1; - /* 15 + 1/2 = 15.5 */ - /* 15 + 1/2 + 1/8 = 15.625 */ - /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ - /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ + /* 15 + 1/2 = 15.5 */ + /* 15 + 1/2 + 1/8 = 15.625 */ + /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ + /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); } -- cgit 1.4.1 From 8e809d8593d9230c123aa22c8cd0b695e54d7c68 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 30 Jul 2020 17:51:32 +0200 Subject: added NULL check --- src/afl-common.c | 6 ++++-- src/afl-fuzz-redqueen.c | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index c023789b..367dec72 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -145,7 +145,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { char **new_argv = ck_alloc(sizeof(char *) * (argc + 4)); u8 * tmp, *cp = NULL, *rsl, *own_copy; - memcpy(new_argv + 3, argv + 1, (int)(sizeof(char *)) * argc); + memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1)); + new_argv[argc - 1] = NULL; new_argv[2] = *target_path_p; new_argv[1] = "--"; @@ -226,7 +227,8 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { char **new_argv = ck_alloc(sizeof(char *) * (argc + 3)); u8 * tmp, *cp = NULL, *rsl, *own_copy; - memcpy(new_argv + 2, argv + 1, (int)(sizeof(char *)) * argc); + memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1)); + new_argv[argc - 1] = NULL; new_argv[1] = *target_path_p; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index a2e8f992..d86190a6 100644 --- a/src/afl-fuzz-redqueen.c 
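Review bot: `new_argv[argc - 1] = NULL;` writes the terminator to the wrong slot: the `memcpy` places `argv[1..argc-1]` at `new_argv[3..argc+1]`, so the terminator belongs at `new_argv[argc + 2]`, and for `argc >= 4` the current line instead overwrites the copy of `argv[1]`, silently dropping the target's first argument. Change it to `new_argv[argc + 2] = NULL;`. The old `memcpy` of `argc` entries presumably picked the terminator up from the caller's NULL-terminated `argv`, which is why the shorter copy now needs an explicit one; if `ck_alloc` zero-fills, the store at the right index is redundant but harmless. `get_qemu_argv` continues past the hunk.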
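Review bot: Same index slip as in `get_qemu_argv`: here the copy lands at `new_argv[2..argc]`, so the terminator belongs at `new_argv[argc + 1]`, and `new_argv[argc - 1] = NULL;` clobbers the copy of `argv[1]` whenever `argc >= 3`. Use `new_argv[argc + 1] = NULL;`. `get_wine_argv` continues past the hunk.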
+++ b/src/afl-fuzz-redqueen.c @@ -319,6 +319,8 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, u8 *status) { + if (!buf) { FATAL("BUG: buf was NULL. Please report this.\n"); } + u64 *buf_64 = (u64 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx]; -- cgit 1.4.1 From 320f26d26f7e0cbe093e6f5af5f27f180bc31a1b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 19:00:41 +0200 Subject: add -b option to afl-fuzz --- docs/Changelog.md | 1 + include/afl-fuzz.h | 3 ++- src/afl-fuzz-init.c | 22 +++++++++++++++++----- src/afl-fuzz-state.c | 1 + src/afl-fuzz.c | 19 ++++++++++++++++--- 5 files changed, 37 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 1e7a1c1d..dcaf64a7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -15,6 +15,7 @@ sending a mail to . - afl-fuzz: - added -F option to allow -M main fuzzers to sync to foreign fuzzers, e.g. honggfuzz or libfuzzer + - added -b option to bind to a specific CPU - eliminated CPU affinity race condition for -S/-M runs - expanded havoc mode added, on no cycle finds add extra splicing and MOpt into the mix diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1c1be711..bc3f65b6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -545,7 +545,8 @@ typedef struct afl_state { u64 total_bitmap_size, /* Total bit count for all bitmaps */ total_bitmap_entries; /* Number of bitmaps counted */ - s32 cpu_core_count; /* CPU core count */ + s32 cpu_core_count, /* CPU core count */ + cpu_to_bind; /* bind to specific CPU */ #ifdef HAVE_AFFINITY s32 cpu_aff; /* Selected CPU core */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 65ad0c9f..ad92dff6 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
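Review bot: The new guard checks `buf` but not `orig_buf`, which sits next to it in the signature and is presumably dereferenced the same way further down; if the check is worth having, `if (!buf || !orig_buf) { FATAL("BUG: buf was NULL. Please report this."); }` covers both. The message ends in `\n` while every other `FATAL` string in this series does not, so the macro presumably supplies its own newline; drop the trailing `\n` for a consistent message. `cmp_extend_encoding` continues past the hunk.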
@@ -53,6 +53,13 @@ void bind_to_free_cpu(afl_state_t *afl) { u8 cpu_used[4096] = {0}, lockfile[PATH_MAX] = ""; u32 i; + if (afl->cpu_to_bind != -1) { + + i = afl->cpu_to_bind; + goto set_cpu; + + } + if (afl->sync_id) { s32 lockfd, first = 1; @@ -295,20 +302,23 @@ void bind_to_free_cpu(afl_state_t *afl) { try: + if (afl->cpu_to_bind != -1) + FATAL("bind to CPU #%d failed!", afl->cpu_to_bind); + #if !defined(__ANDROID__) - for (i = cpu_start; i < afl->cpu_core_count; i++) { + for (i = cpu_start; i < afl->cpu_core_count; i++) { - if (!cpu_used[i]) { break; } + if (!cpu_used[i]) { break; } - } + } if (i == afl->cpu_core_count) { #else - for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) - if (!cpu_used[i]) break; + for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) + if (!cpu_used[i]) break; if (i == -1) { #endif @@ -327,6 +337,8 @@ void bind_to_free_cpu(afl_state_t *afl) { OKF("Found a free CPU core, try binding to #%u.", i); +set_cpu: + afl->cpu_aff = i; #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 66280ed1..e2d62bc6 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -94,6 +94,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->havoc_div = 1; /* Cycle count divisor for havoc */ afl->stage_name = "init"; /* Name of the current fuzz stage */ afl->splicing_with = -1; /* Splicing with which test case? */ + afl->cpu_to_bind = -1; #ifdef HAVE_AFFINITY afl->cpu_aff = -1; /* Selected CPU core */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5bedf6e1..e33a4bbd 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
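Review bot: The `-b` fast path jumps to `set_cpu` without checking `afl->cpu_to_bind` against `afl->cpu_core_count` (the loop later in this function uses it, so it is populated by now), so an out-of-range core is caught, if at all, only when the affinity call fails; report it up front: `if (afl->cpu_to_bind >= afl->cpu_core_count) FATAL("-b: CPU #%d does not exist (%d cores)", afl->cpu_to_bind, afl->cpu_core_count);`. The `goto` also skips the sync-dir lock-file scan below it, so a `-b` core is never cross-checked against cores other `-M/-S` instances claim; whether that scan also records this instance's choice is not visible here. `bind_to_free_cpu` continues past the hunk.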
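Review bot: `afl->cpu_to_bind = -1;` is the only assignment in this initializer run without the column-aligned trailing comment its neighbours carry; `afl->cpu_to_bind = -1; /* -b: CPU core to bind to, -1 = auto */` keeps the block uniform. The field lives outside `#ifdef HAVE_AFFINITY` while `cpu_aff` is inside, which looks deliberate since `-b` is parsed regardless; a word in that comment would confirm it. `afl_state_init` starts and ends outside the hunk.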
@@ -143,6 +143,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap //" "file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" + " -b cpu_id - bind the fuzzing process to the specified CPU core " + "(0-...)\n" " -e ext - file extension for the fuzz test input file (if " "needed)\n\n", argv0, EXEC_TIMEOUT, MEM_LIMIT, FOREIGN_SYNCS_MAX); @@ -271,9 +273,9 @@ int main(int argc, char **argv_orig, char **envp) { afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing - while ((opt = getopt(argc, argv, - "+c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > - 0) { + while ((opt = getopt( + argc, argv, + "+b:c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) { switch (opt) { @@ -281,6 +283,17 @@ int main(int argc, char **argv_orig, char **envp) { afl->infoexec = optarg; break; + case 'b': { /* bind CPU core */ + + if (afl->cpu_to_bind != -1) FATAL("Multiple -b options not supported"); + + if (sscanf(optarg, "%u", &afl->cpu_to_bind) < 0 || optarg[0] == '-') + FATAL("Bad syntax used for -b"); + + break; + + } + case 'c': { afl->shm.cmplog_mode = 1; -- cgit 1.4.1 From cd576fa59d1b413433beef1009668f4d9b22c965 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 31 Jul 2020 10:42:43 +0200 Subject: fixes --- docs/binaryonly_fuzzing.md | 4 ++-- examples/afl_frida/GNUmakefile | 23 +++++++++++++++++++++++ examples/afl_frida/Makefile | 25 ++----------------------- examples/defork/forking_target | Bin 19520 -> 0 bytes src/afl-fuzz.c | 2 ++ 5 files changed, 29 insertions(+), 25 deletions(-) create mode 100644 examples/afl_frida/GNUmakefile delete mode 100755 examples/defork/forking_target (limited to 'src') diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index 111147e2..a3d3330f 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md 
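Review bot: `sscanf(optarg, "%u", &afl->cpu_to_bind) < 0` does not reject bad input: `sscanf` returns 0, not a negative value, when `optarg` is non-numeric, so `-b foo` passes the check and leaves `cpu_to_bind` at -1, silently disabling the binding the user asked for (only an empty string yields EOF). `%u` also stores an unsigned conversion into the `s32` field this commit declares. Use `if (sscanf(optarg, "%d", &afl->cpu_to_bind) != 1 || afl->cpu_to_bind < 0) FATAL("Bad syntax used for -b");`, which also subsumes the `optarg[0] == '-'` test. The upper bound presumably cannot be checked here because the core count is not known at option-parsing time; that check belongs in `bind_to_free_cpu`.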
@@ -15,9 +15,9 @@ high enough. Otherwise try retrowrite, afl-dyninst and if these fail too then standard qemu_mode with AFL_ENTRYPOINT to where you need it. - If your a target is library use examples/afl_frida/. + If your target is a library use examples/afl_frida/. - If your target is non-linux then use unicorn_mode/ + If your target is non-linux then use unicorn_mode/. ## QEMU diff --git a/examples/afl_frida/GNUmakefile b/examples/afl_frida/GNUmakefile new file mode 100644 index 00000000..c154f3a4 --- /dev/null +++ b/examples/afl_frida/GNUmakefile @@ -0,0 +1,23 @@ +ifdef DEBUG + OPT=-O0 -D_DEBUG=\"1\" +else + OPT=-O3 -funroll-loops +endif + +all: afl-frida libtestinstr.so + +libfrida-gum.a: + @echo Download and extract frida-gum-devkit-VERSION-PLATFORM.tar.xz for your platform from https://github.com/frida/frida/releases/latest + @exit 1 + +afl-frida: afl-frida.c libfrida-gum.a + $(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread + +libtestinstr.so: libtestinstr.c + $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c + +clean: + rm -f afl-frida *~ core *.o libtestinstr.so + +deepclean: clean + rm -f libfrida-gum.a frida-gum* diff --git a/examples/afl_frida/Makefile b/examples/afl_frida/Makefile index c154f3a4..0b306dde 100644 --- a/examples/afl_frida/Makefile +++ b/examples/afl_frida/Makefile 
@@ -1,23 +1,2 @@ -ifdef DEBUG - OPT=-O0 -D_DEBUG=\"1\" -else - OPT=-O3 -funroll-loops -endif - -all: afl-frida libtestinstr.so - -libfrida-gum.a: - @echo Download and extract frida-gum-devkit-VERSION-PLATFORM.tar.xz for your platform from https://github.com/frida/frida/releases/latest - @exit 1 - -afl-frida: afl-frida.c libfrida-gum.a - $(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread - -libtestinstr.so: libtestinstr.c - $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c - -clean: - rm -f afl-frida *~ core *.o libtestinstr.so - -deepclean: clean - rm -f libfrida-gum.a frida-gum* +all: + @echo please use GNU make, thanks! diff --git a/examples/defork/forking_target b/examples/defork/forking_target deleted file mode 100755 index 0f7a04fc..00000000 Binary files a/examples/defork/forking_target and /dev/null differ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e33a4bbd..54db1efb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -163,11 +163,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
 "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n"
 "AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n"
 "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n"
+ "AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule\n"
 "AFL_DEBUG: extra debugging output for Python mode trimming\n"
 "AFL_DEBUG_CHILD_OUTPUT: do not suppress stdout/stderr from target\n"
 "AFL_DISABLE_TRIM: disable the trimming of test cases\n"
 "AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
 "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
+ "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n"
 "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
 "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
 "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
-- cgit 1.4.1
From 630d2a934b2b7a9978452fb79aa36b51e0cce315 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Fri, 31 Jul 2020 14:36:58 +0200
Subject: less gotos
---
 src/afl-fuzz-mutators.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index b288cf9f..b30106a0 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -308,20 +308,23 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 unsuccessful trimming and skip it, instead of aborting the trimming. */
 ++afl->trim_execs;
- goto unsuccessful_trimming;
 }
- write_to_testcase(afl, retbuf, retlen);
+ if (likely(retlen)) {
- fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
- ++afl->trim_execs;
+ write_to_testcase(afl, retbuf, retlen);
- if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; }
+ fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
+ ++afl->trim_execs;
+
+ if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; }
- cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
- if (cksum == q->exec_cksum) {
+ }
+
+ if (likely(retlen && cksum == q->exec_cksum)) {
 q->len = retlen;
 memcpy(in_buf, retbuf, retlen);
@@ -349,8 +352,6 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 } else {
- unsuccessful_trimming:
-
 /* Tell the custom mutator that the trimming was unsuccessful */
 afl->stage_cur = mutator->afl_custom_post_trim(mutator->data, 0);
 if (unlikely(afl->stage_cur < 0)) {
-- cgit 1.4.1
From 729445b64f8156560ce1158a582d9528b0a39bf9 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Fri, 31 Jul 2020 18:17:03 +0200
Subject: Bind cpu (#480)

* silence compiletime warning
* refactored cpu binding
* formatted code
---
 llvm_mode/compare-transform-pass.so.cc | 2 +-
 src/afl-fuzz-init.c | 223 ++++++++++++++++-----------------
 2 files changed, 111 insertions(+), 114 deletions(-)
(limited to 'src')
diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc
index 2f165ea6..d389651c 100644
--- a/llvm_mode/compare-transform-pass.so.cc
+++ b/llvm_mode/compare-transform-pass.so.cc
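Review bot: With the `unsuccessful_trimming` label gone, a custom trimmer that returns `retlen == 0` skips the whole `if (likely(retlen))` block, so `cksum` is never assigned before `if (likely(retlen && cksum == q->exec_cksum))`; the short-circuit keeps that from being an actual read, but only as long as both tests stay paired, and -Wmaybe-uninitialized will flag it unless `cksum` already has an initializer at its declaration, which lies outside this hunk. Give it one there and make the new fall-through explicit with a comment on the second `if`, e.g. `/* retlen == 0: the trimmer produced nothing, fall through to post_trim(0) */`, since the path the goto used to mark is now only implied by the condition. Two `likely()` hints on the same `retlen` read as noise; the first is enough. trim_case_custom starts before this hunk and continues past it.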
@@ -358,7 +358,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 Value * VarStr;
 bool HasStr1 = getConstantStringInfo(Str1P, Str1);
 bool HasStr2 = getConstantStringInfo(Str2P, Str2);
- uint64_t constStrLen, constSizedLen, unrollLen;
+ uint64_t constStrLen, unrollLen, constSizedLen = 0;
 bool isMemcmp = !callInst->getCalledFunction()->getName().compare(StringRef("memcmp"));
 bool isSizedcmp = isMemcmp ||
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index ad92dff6..1e4f8dee 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -28,10 +28,9 @@
 #ifdef HAVE_AFFINITY
-/* Build a list of processes bound to specific cores. Returns -1 if nothing
- can be found. Assumes an upper bound of 4k CPUs. */
+/* bind process to a specific cpu. Returns 0 on failure. */
-void bind_to_free_cpu(afl_state_t *afl) {
+static u8 bind_cpu(afl_state_t *afl, s32 cpuid) {
 #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
 cpu_set_t c;
@@ -41,25 +40,108 @@ void bind_to_free_cpu(afl_state_t *afl) {
 psetid_t c;
 #endif
- if (afl->cpu_core_count < 2) { return; }
+ afl->cpu_aff = cpuid;
+
+ #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
+
+ CPU_ZERO(&c);
+ CPU_SET(cpuid, &c);
+
+ #elif defined(__NetBSD__)
+
+ c = cpuset_create();
+ if (c == NULL) { PFATAL("cpuset_create failed"); }
+ cpuset_set(cpuid, c);
+
+ #elif defined(__sun)
+
+ pset_create(&c);
+ if (pset_assign(c, cpuid, NULL)) { PFATAL("pset_assign failed"); }
+
+ #endif
+
+ #if defined(__linux__)
+
+ return (sched_setaffinity(0, sizeof(c), &c) == 0);
+
+ #elif defined(__FreeBSD__) || defined(__DragonFly__)
+
+ return (pthread_setaffinity_np(pthread_self(), sizeof(c), &c) == 0);
+
+ #elif defined(__NetBSD__)
+
+ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) {
+
+ cpuset_destroy(c);
+ return 0;
+
+ }
+
+ cpuset_destroy(c);
+ return 1;
+
+ #elif defined(__sun)
+
+ if (pset_bind(c, P_PID, getpid(), NULL)) {
+
+ pset_destroy(c);
+ return 0;
+
+ }
+
+ pset_destroy(c);
+ return 1;
+
+ #else
+
+ // this will need something for other platforms
+ // TODO: Solaris/Illumos has processor_bind ... might worth a try
+ WARNF("Cannot bind to CPU yet on this platform.");
+ return 1;
+
+ #endif
+
+}
+
+/* Build a list of processes bound to specific cores. Returns -1 if nothing
+ can be found. Assumes an upper bound of 4k CPUs. */
+
+void bind_to_free_cpu(afl_state_t *afl) {
+
+ u8 cpu_used[4096] = {0};
+ u8 lockfile[PATH_MAX] = "";
+ u32 i;
 if (afl->afl_env.afl_no_affinity) {
+ if (afl->cpu_to_bind != -1) {
+
+ FATAL("-b and AFL_NO_AFFINITY are mututally exclusive.");
+
+ }
+
 WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set).");
 return;
 }
- u8 cpu_used[4096] = {0}, lockfile[PATH_MAX] = "";
- u32 i;
-
 if (afl->cpu_to_bind != -1) {
- i = afl->cpu_to_bind;
- goto set_cpu;
+ if (!bind_cpu(afl, afl->cpu_to_bind)) {
+
+ FATAL(
+ "Could not bind to requested CPU %d! Make sure you passed a valid "
+ "-b.",
+ afl->cpu_to_bind);
+
+ }
+
+ return;
 }
+ if (afl->cpu_core_count < 2) { return; }
+
 if (afl->sync_id) {
 s32 lockfd, first = 1;
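Review bot: `bind_cpu()` feeds the user-chosen `cpuid` (`-b`, arriving as `afl->cpu_to_bind`) straight into `CPU_SET`/`cpuset_set`/`pset_assign` with no range check; glibc's `CPU_SET` drops an out-of-range index so `sched_setaffinity` then fails and the new FATAL fires, but the FreeBSD/DragonFly `CPU_SET` is a plain bit-set write, so a negative or oversized `-b` writes outside `cpu_set_t` unless the option parser already rejects it (not visible here). Validate before calling `bind_cpu`: `if (afl->cpu_to_bind < 0 || afl->cpu_to_bind >= afl->cpu_core_count) FATAL("-b %d is out of range (%d cores)", afl->cpu_to_bind, afl->cpu_core_count);`. The `#else` branch warns and then returns 1, so on an unsupported platform the caller records `afl->cpu_aff = cpuid` and `-b` reports success although nothing was bound; returning 0 there keeps the FATAL honest. The FATAL text `mututally` should read `mutually`. bind_to_free_cpu continues past the end of this hunk.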
@@ -300,135 +382,50 @@ void bind_to_free_cpu(afl_state_t *afl) {
 size_t cpu_start = 0;
- try:
-
- if (afl->cpu_to_bind != -1)
- FATAL("bind to CPU #%d failed!", afl->cpu_to_bind);
-
 #if !defined(__ANDROID__)
 for (i = cpu_start; i < afl->cpu_core_count; i++) {
- if (!cpu_used[i]) { break; }
-
- }
-
- if (i == afl->cpu_core_count) {
-
 #else
- for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--)
- if (!cpu_used[i]) break;
- if (i == -1) {
-
- #endif
-
- SAYF("\n" cLRD "[-] " cRST
- "Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
- " other instances of afl-fuzz (or similar CPU-locked tasks). "
- "Starting\n"
- " another fuzzer on this machine is probably a bad plan, but if "
- "you are\n"
- " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n",
- afl->cpu_core_count);
- FATAL("No more free CPU cores");
-
- }
-
- OKF("Found a free CPU core, try binding to #%u.", i);
-
-set_cpu:
+ /* for some reason Android goes backwards */
- afl->cpu_aff = i;
-
- #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
-
- CPU_ZERO(&c);
- CPU_SET(i, &c);
-
- #elif defined(__NetBSD__)
-
- c = cpuset_create();
- if (c == NULL) PFATAL("cpuset_create failed");
- cpuset_set(i, c);
-
- #elif defined(__sun)
-
-pset_create(&c);
-if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed");
+ for (i = afl->cpu_core_count - 1; i > -1; i--) {
 #endif
- #if defined(__linux__)
+ if (!cpu_used[i]) { continue; }
- if (sched_setaffinity(0, sizeof(c), &c)) {
+ OKF("Found a free CPU core, try binding to #%u.", i);
- if (cpu_start == afl->cpu_core_count) {
+ if (bind_cpu(afl, i)) {
- PFATAL("sched_setaffinity failed for CPU %d, exit", i);
+ /* Success :) */
+ break;
 }
- WARNF("sched_setaffinity failed to CPU %d, trying next CPU", i);
+ WARNF("setaffinity failed to CPU %d, trying next CPU", i);
 cpu_start++;
- goto try
- ;
 }
- #elif defined(__FreeBSD__) || defined(__DragonFly__)
+ if (lockfile[0]) unlink(lockfile);
- if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) {
+ if (i == afl->cpu_core_count || i == -1) {
- if (cpu_start == afl->cpu_core_count)
- PFATAL("pthread_setaffinity failed for cpu %d, exit", i);
- WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i);
- cpu_start++;
- goto try
- ;
+ SAYF("\n" cLRD "[-] " cRST
+ "Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
+ " other instances of afl-fuzz (or similar CPU-locked tasks). "
+ "Starting\n"
+ " another fuzzer on this machine is probably a bad plan, but if "
+ "you are\n"
+ " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n",
+ afl->cpu_core_count);
+ FATAL("No more free CPU cores");
 }
- #elif defined(__NetBSD__)
-
-if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) {
-
- if (cpu_start == afl->cpu_core_count)
- PFATAL("pthread_setaffinity failed for cpu %d, exit", i);
- WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i);
- cpu_start++;
- goto try
- ;
-
-}
-
-cpuset_destroy(c);
-
- #elif defined(__sun)
-
-if (pset_bind(c, P_PID, getpid(), NULL)) {
-
- if (cpu_start == afl->cpu_core_count)
- PFATAL("pset_bind failed for cpu %d, exit", i);
- WARNF("pset_bind failed to CPU %d, trying next CPU", i);
- cpu_start++;
- goto try
- ;
-
-}
-
-pset_destroy(c);
-
- #else
-
- // this will need something for other platforms
- // TODO: Solaris/Illumos has processor_bind ... might worth a try
-
- #endif
-
- if (lockfile[0]) unlink(lockfile);
- // we leave the environment variable to ensure a cleanup for other processes
-
 }
 #endif /* HAVE_AFFINITY */
-- cgit 1.4.1
From 16b674c6523e151368443948b27c5e4aa6a3c7ee Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 31 Jul 2020 18:35:43 +0200
Subject: fix find free cpu
---
 src/afl-fuzz-init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 1e4f8dee..396a20f0 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
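Review bot: `i` is a `u32` (declared earlier in this function), so in the Android branch `for (i = afl->cpu_core_count - 1; i > -1; i--)` the `-1` is converted to UINT32_MAX and the condition is never true: the body never runs, no core is bound, and the trailing `i == -1` cannot fire either, so the function falls out of the loop and returns as if a core had been taken. The comparison predates this commit, but the rewrite keeps it; count down with `for (i = afl->cpu_core_count; i-- > 0;) {`, which visits cpu_core_count-1 down to 0 and leaves `i == UINT32_MAX` on exhaustion so the existing `i == -1` test does fire, and say so in a comment because that wrap is easy to break in a later edit. `cpu_start++` after the WARNF no longer drives a retry (the for loop already advances), so it can go, and the WARNF prints the u32 `i` with `%d` where the OKF above it uses `%u`.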
@@ -394,7 +394,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
 #endif
- if (!cpu_used[i]) { continue; }
+ if (cpu_used[i]) { continue; }
 OKF("Found a free CPU core, try binding to #%u.", i);
-- cgit 1.4.1
From 54d96685808bd7b47de30f5028727d94b5369962 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Fri, 31 Jul 2020 17:21:17 +0000
Subject: Haiku set explicitly to performance. No command line to set through afl-system-config (the only one is a GUI).
---
 include/afl-fuzz.h | 5 +++++
 src/afl-fuzz.c | 5 +++++
 2 files changed, 10 insertions(+)
(limited to 'src')
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index bc3f65b6..b82ddb4a 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -82,6 +82,11 @@
 #include
 #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
+#if defined(__HAIKU__)
+ #include
+ #include
+#endif
+
 /* For systems that have sched_setaffinity; right now just Linux, but one
 can hope... */
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 54db1efb..326ccc1c 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1057,6 +1057,11 @@ int main(int argc, char **argv_orig, char **envp) {
 bind_to_free_cpu(afl);
 #endif /* HAVE_AFFINITY */
+ #ifdef __HAIKU__
+ /* Prioritizes performance over power saving */
+ set_scheduler_mode(SCHEDULER_MODE_LOW_LATENCY);
+ #endif
+
 afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size,
 afl->non_instrumented_mode);
-- cgit 1.4.1
From 491cee669f858bfea2b0db2fe540200b0f2625e6 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Mon, 3 Aug 2020 11:15:12 +0200
Subject: fix #483
---
 src/afl-fuzz-redqueen.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index d86190a6..b58c8537 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -673,14 +673,15 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 for (i = 0; i < its_len; ++i) {
- if (pattern[idx + i] != buf[idx + i] ||
- o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) {
+ if (pattern[i] != buf[idx + i] ||
+ o_pattern[i] != orig_buf[idx + i] || *status == 1) {
 break;
 }
- buf[idx + i] = repl[idx + i];
+ buf[idx + i] = repl[i];
+
 if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
 }
@@ -726,7 +727,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 }
 for (idx = 0; idx < len && fails < 8; ++idx) {
-
+
 if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx,
 orig_buf, buf, len, &status))) {
-- cgit 1.4.1
From 409e4ae945ab5aeb31b1e3a1497ce5fc65226f07 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 3 Aug 2020 13:13:32 +0200
Subject: fix expand havoc for ..._only modes
---
 docs/Changelog.md | 1 +
 examples/persistent_demo/persistent_demo_new.c | 4 +--
 llvm_mode/afl-llvm-rt.o.c | 48 +++++++++++++++-----------
 src/afl-fuzz-redqueen.c | 8 ++---
 src/afl-fuzz.c | 3 +-
 test/test-cmplog.c | 22 +++++-------
 6 files changed, 46 insertions(+), 40 deletions(-)
(limited to 'src')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8ab3fdf4..ae7377f2 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -19,6 +19,7 @@ sending a mail to .
 - eliminated CPU affinity race condition for -S/-M runs
 - expanded havoc mode added, on no cycle finds add extra splicing and MOpt
 into the mix
+ - fixed a bug in redqueen for strings
 - llvm_mode:
 - now supports llvm 12!
 - fixes for laf-intel float splitting (thanks to mark-griffin for
diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c
index 5f347667..7f878c0c 100644
--- a/examples/persistent_demo/persistent_demo_new.c
+++ b/examples/persistent_demo/persistent_demo_new.c
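Review bot: The loop now indexes `pattern`, `o_pattern` and `repl` from 0 but still writes `buf[idx + i]` for every `i < its_len`, so the write stays inside `len` only if `its_len` is clamped to `len - idx` before this hunk (not visible here); otherwise the last `idx` values of rtn_fuzz's `for (idx = 0; idx < len ...)` loop write past the end of `buf`, and `its_fuzz` then runs the target on that buffer. If there is no clamp, add one ahead of the loop, `if (idx + its_len > len) its_len = len - idx;`, together with a comment that pattern/repl are 0-based while buf/orig_buf are offset by idx, which is exactly the mix-up #483 fixed. rtn_extend_encoding starts before this hunk and continues after it.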
@@ -31,8 +31,8 @@
 /* this lets the source compile without afl-clang-fast/lto */
 #ifndef __AFL_FUZZ_TESTCASE_LEN
- ssize_t fuzz_len;
- unsigned char fuzz_buf[1024000];
+ssize_t fuzz_len;
+unsigned char fuzz_buf[1024000];
 #define __AFL_FUZZ_TESTCASE_LEN fuzz_len
 #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index c2859d9c..88abcbe0 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -859,26 +859,34 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { - // For stability analysis, if you want to know to which function unstable - // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile - // the target. libunwind and libbacktrace are better solutions. - // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture - // the backtrace output - /* - uint32_t unstable[] = { ... unstable edge IDs }; - uint32_t idx; - char bt[1024]; - for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { - if (unstable[idx] == __afl_area_ptr[*guard]) { - int bt_size = backtrace(bt, 256); - if (bt_size > 0) { - char **bt_syms = backtrace_symbols(bt, bt_size); - if (bt_syms) - fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]); - } - } - } - */ + // For stability analysis, if you want to know to which function unstable + // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // the target. libunwind and libbacktrace are better solutions. + // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // the backtrace output + /* + uint32_t unstable[] = { ... unstable edge IDs }; + uint32_t idx; + char bt[1024]; + for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { + + if (unstable[idx] == __afl_area_ptr[*guard]) { + + int bt_size = backtrace(bt, 256); + if (bt_size > 0) { + + char **bt_syms = backtrace_symbols(bt, bt_size); + if (bt_syms) + fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], + bt_syms[0]); + + } + + } + + } + + */ __afl_area_ptr[*guard]++; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b58c8537..cb4c78df 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c 
@@ -673,15 +673,15 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, for (i = 0; i < its_len; ++i) { - if (pattern[i] != buf[idx + i] || - o_pattern[i] != orig_buf[idx + i] || *status == 1) { + if (pattern[i] != buf[idx + i] || o_pattern[i] != orig_buf[idx + i] || + *status == 1) { break; } buf[idx + i] = repl[i]; - + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } } @@ -727,7 +727,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } for (idx = 0; idx < len && fails < 8; ++idx) { - + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 326ccc1c..da30797c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1304,7 +1304,8 @@ int main(int argc, char **argv_orig, char **envp) { afl->expand_havoc = 1; break; case 1: - if (afl->limit_time_sig == 0) { + if (afl->limit_time_sig == 0 && !afl->custom_only && + !afl->python_only) { afl->limit_time_sig = -1; afl->limit_time_puppet = 0; diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 75efd887..b077e3ab 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -5,23 +5,19 @@ #include #include int main(int argc, char *argv[]) { - char buf[1024]; + + char buf[1024]; ssize_t i; - if ((i = read(0, buf, sizeof(buf) - 1)) < 24) - return 0; + if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0; buf[i] = 0; - if (buf[0] != 'A') - return 0; - if (buf[1] != 'B') - return 0; - if (buf[2] != 'C') - return 0; - if (buf[3] != 'D') - return 0; - if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) - return 0; + if (buf[0] != 'A') return 0; + if (buf[1] != 'B') return 0; + if (buf[2] != 'C') return 0; + if (buf[3] != 'D') return 0; + if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) abort(); return 0; + } -- cgit 1.4.1