From 5a26656ea1095083def4c82918116b2d5cb2e641 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 13 Jul 2020 10:35:43 +0200 Subject: add floating point test cases. One for fuzzing (test-floatingpoint.c) and one for testing all cases with the instrumented program (test-fp_cases.c) --- test/test-floatingpoint.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 test/test-floatingpoint.c (limited to 'test/test-floatingpoint.c') diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c new file mode 100644 index 00000000..f78b5d9f --- /dev/null +++ b/test/test-floatingpoint.c @@ -0,0 +1,18 @@ +#include +#include + +int main(void) +{ + long double magic; + + ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); + if (bytes_read < (ssize_t)sizeof(magic)) { + return 1; + } + + if( (-magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125) ){ /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ + abort(); + } + + return 0; +} -- cgit 1.4.1 From 383b280531a92a8b81d112a9acb4e44c08987be0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 14 Jul 2020 23:26:11 +0200 Subject: added frida gum extension --- examples/afl_frida/Makefile | 23 ++ examples/afl_frida/README.md | 38 +++ examples/afl_frida/afl-frida.c | 312 ++++++++++++++++++++++++ examples/afl_frida/afl-frida.h | 53 ++++ examples/afl_frida/libtestinstr.c | 35 +++ examples/afl_network_proxy/afl-network-client.c | 2 +- src/afl-fuzz.c | 5 +- test/test-floatingpoint.c | 24 +- test/test-fp_cases.c | 73 ++++-- 9 files changed, 525 insertions(+), 40 deletions(-) create mode 100644 examples/afl_frida/Makefile create mode 100644 examples/afl_frida/README.md create mode 100644 examples/afl_frida/afl-frida.c create mode 100644 examples/afl_frida/afl-frida.h create mode 100644 examples/afl_frida/libtestinstr.c (limited to 'test/test-floatingpoint.c') diff --git a/examples/afl_frida/Makefile b/examples/afl_frida/Makefile new file mode 100644 index 00000000..5d482e54 --- /dev/null +++ b/examples/afl_frida/Makefile @@ -0,0 +1,23 @@ +ifdef DEBUG + OPT=-O0 -D_DEBUG=\"1\" +else + OPT=-O3 -funroll-loops +endif + +all: afl-frida libtestinstr.so + +libfrida-gum.a: + @echo Download and extract frida-gum-devkit-VERSION-PLATFORM.tar.xz for your platform from https://github.com/frida/frida/releases/latest + @exit 1 + +afl-frida: afl-frida.c libfrida-gum.a + $(CC) -g $(OPT) -o afl-frida -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread + +libtestinstr.so: libtestinstr.c + $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c + +clean: + rm -f afl-frida *~ core *.o libtestinstr.so + +deepclean: clean + rm -f libfrida-gum.a frida-gum* diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md new file mode 100644 index 00000000..93e8f35a --- /dev/null +++ b/examples/afl_frida/README.md @@ -0,0 +1,38 @@ +# afl-frida - faster fuzzing of binary-only libraries + +## Introduction + +afl-frida is an example skeleton file which can easily be used to fuzz +a closed source library. + +It requires less memory and is x5-10 faster than qemu_mode but does not +provide interesting features like compcov or cmplog. + +## How-to + +### Modify afl-frida.c + +Read and modify afl-frida.c then `make`. +To adapt afl-frida.c to your needs, read the header of the file and then +search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. + +### Fuzzing + +Example (after modifying afl-frida.c to your needs and compile it): +``` +afl-fuzz -i in -o out -- ./afl-frida +``` +(or even remote via afl-network-proxy). + +### Testing and debugging + +For testing/debugging you can try: +``` +make DEBUG=1 +AFL_DEBUG=1 gdb ./afl-frida +``` +and then you can easily set breakpoints to "breakpoint" and "fuzz". + +# Background + +This code ist copied for a larger part from https://github.com/meme/hotwax diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c new file mode 100644 index 00000000..c24e05b7 --- /dev/null +++ b/examples/afl_frida/afl-frida.c @@ -0,0 +1,312 @@ +/* + american fuzzy lop++ - afl-frida skeleton example + ------------------------------------------------- + + Copyright 2020 AFLplusplus Project. All rights reserved. + + Written mostly by meme -> https://github.com/meme/hotwax + + Modificationy by Marc Heuse + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + HOW-TO + ====== + + You only need to change the following: + + 1. set the defines and function call parameters. + 2. dl load the library you want to fuzz, lookup the functions you need + and setup the calls to these. + 3. in the while loop you call the functions in the necessary order - + incl the cleanup. the cleanup is important! + + Just look these steps up in the code, look for "// STEP x:" + +*/ + +#include +#include +#include +#include +#include +#include +#include + +#ifndef __APPLE__ + #include +#endif + + +// STEP 1: + +// The presets are for the example libtestinstr.so: + +/* What is the name of the library to fuzz */ +#define TARGET_LIBRARY "libtestinstr.so" + +/* What is the name of the function to fuzz */ +#define TARGET_FUNCTION "testinstr" + +/* here you need to specify the parameter for the target function */ +static void *(*o_function)(uint8_t *, int); + +// END STEP 1 + + +#include "frida-gum.h" + +G_BEGIN_DECLS + +#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type()) +G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM, + FAKE_EVENT_SINK, GObject) + +struct _GumFakeEventSink { + + GObject parent; + GumEventType mask; + +}; + +GumEventSink *gum_fake_event_sink_new(void); +void gum_fake_event_sink_reset(GumFakeEventSink *self); + +G_END_DECLS + +static void gum_fake_event_sink_iface_init(gpointer g_iface, + gpointer iface_data); +static void gum_fake_event_sink_finalize(GObject *obj); +static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink); +static void gum_fake_event_sink_process(GumEventSink *sink, const GumEvent *ev); +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); +void afl_setup(void); +void afl_start_forkserver(void); +int __afl_persistent_loop(unsigned int max_cnt); + +static void gum_fake_event_sink_class_init(GumFakeEventSinkClass *klass) { + + GObjectClass *object_class = G_OBJECT_CLASS(klass); + object_class->finalize = gum_fake_event_sink_finalize; + +} + +static void gum_fake_event_sink_iface_init(gpointer g_iface, + gpointer iface_data) { + + GumEventSinkInterface *iface = (GumEventSinkInterface *) g_iface; + iface->query_mask = gum_fake_event_sink_query_mask; + iface->process = gum_fake_event_sink_process; + +} + +G_DEFINE_TYPE_EXTENDED(GumFakeEventSink, gum_fake_event_sink, G_TYPE_OBJECT, 0, + G_IMPLEMENT_INTERFACE(GUM_TYPE_EVENT_SINK, + gum_fake_event_sink_iface_init)) + +#include "../../config.h" + +// Shared memory fuzzing. +int __afl_sharedmem_fuzzing = 1; +extern unsigned int *__afl_fuzz_len; +extern unsigned char *__afl_fuzz_ptr; + +// Notify AFL about persistent mode. +static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; +int __afl_persistent_loop(unsigned int); + +// Notify AFL about deferred forkserver. +static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; +void __afl_manual_init(); + +// Because we do our own logging. +extern uint8_t * __afl_area_ptr; + +// Frida stuff below. +typedef struct { + + GumAddress base_address; + guint64 code_start, code_end; + +} range_t; + +inline static void afl_maybe_log(guint64 current_pc) { + + static __thread guint64 previous_pc; + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + __afl_area_ptr[current_pc ^ previous_pc]++; + previous_pc = current_pc >> 1; + +} + +static void on_basic_block(GumCpuContext *context, gpointer user_data) { + + afl_maybe_log((guint64)user_data); + +} + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data) { + + range_t *range = (range_t *)user_data; + + const cs_insn *instr; + gboolean begin = TRUE; + while (gum_stalker_iterator_next(iterator, &instr)) { + + if (begin) { + + guint64 current_pc = instr->address - range->base_address; + gum_stalker_iterator_put_callout(iterator, on_basic_block, + (gpointer)current_pc, NULL); + begin = FALSE; + + } + + gum_stalker_iterator_keep(iterator); + + } + +} + +static void gum_fake_event_sink_init(GumFakeEventSink *self) { } + +static void gum_fake_event_sink_finalize(GObject *obj) { + + G_OBJECT_CLASS(gum_fake_event_sink_parent_class)->finalize(obj); + +} + +GumEventSink *gum_fake_event_sink_new(void) { + + GumFakeEventSink *sink; + sink = (GumFakeEventSink *) g_object_new(GUM_TYPE_FAKE_EVENT_SINK, NULL); + return GUM_EVENT_SINK(sink); + +} + +void gum_fake_event_sink_reset(GumFakeEventSink *self) { } + +static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink) { + + return 0; + +} + +static void gum_fake_event_sink_process(GumEventSink * sink, + const GumEvent *ev) { } + +/* Because this CAN be called more than once, it will return the LAST range */ +static int enumerate_ranges(const GumRangeDetails *details, + gpointer user_data) { + + GumMemoryRange *code_range = (GumMemoryRange *)user_data; + memcpy(code_range, details->range, sizeof(*code_range)); + return 0; + +} + +int main() { + + // STEP 2: load the library you want to fuzz and lookup the functions, + // inclusive of the cleanup functions. + // If there is just one function, then there is nothing to change + // or add here. + + void *dl = dlopen(TARGET_LIBRARY, RTLD_LAZY); + if (!dl) { + + fprintf(stderr, "Could not load %s\n", TARGET_LIBRARY); + exit(-1); + + } + + if (!(o_function = dlsym(dl, TARGET_FUNCTION))) { + + fprintf(stderr, "Could not find function %s\n", TARGET_FUNCTION); + exit(-1); + + } + + // END STEP 2 + + gum_init_embedded(); + if (!gum_stalker_is_supported()) { + + gum_deinit_embedded(); + return 1; + + } + + GumStalker *stalker = gum_stalker_new(); + + GumAddress base_address = gum_module_find_base_address(TARGET_LIBRARY); + + GumMemoryRange code_range; + gum_module_enumerate_ranges(TARGET_LIBRARY, GUM_PAGE_RX, enumerate_ranges, + &code_range); + guint64 code_start = code_range.base_address - base_address; + guint64 code_end = (code_range.base_address + code_range.size) - base_address; + + range_t instr_range = {base_address, code_start, code_end}; + + GumStalkerTransformer *transformer = + gum_stalker_transformer_make_from_callback(instr_basic_block, + &instr_range, NULL); + + GumEventSink *event_sink = gum_fake_event_sink_new(); + + __afl_manual_init(); + + // + // any expensive target library initialization that has to be done just once + // - put that here + // + + gum_stalker_follow_me(stalker, transformer, event_sink); + + while (__afl_persistent_loop(UINT32_MAX) != 0) { + +#ifdef _DEBUG + fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__a + fprintf(stderr, "RECV:"); + for (int i = 0; i < *__afl_fuzz_len; i++) + fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); + fprintf(stderr,"\n"); +#endif + + // STEP 3: ensure the minimum length is present and setup the target + // function to fuzz. + + if (*__afl_fuzz_len > 0) { + + __afl_fuzz_ptr[*__afl_fuzz_len] = 0; // if you need to null terminate + (*o_function)(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + + // END STEP 3 + + } + + gum_stalker_unfollow_me(stalker); + + while (gum_stalker_garbage_collect(stalker)) + g_usleep(10000); + + g_object_unref(stalker); + g_object_unref(transformer); + g_object_unref(event_sink); + gum_deinit_embedded(); + + return 0; + +} diff --git a/examples/afl_frida/afl-frida.h b/examples/afl_frida/afl-frida.h new file mode 100644 index 00000000..efa3440f --- /dev/null +++ b/examples/afl_frida/afl-frida.h @@ -0,0 +1,53 @@ +extern int is_persistent; + +G_BEGIN_DECLS + +#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type()) + +G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM, + FAKE_EVENT_SINK, GObject) + +struct _GumFakeEventSink { + + GObject parent; + GumEventType mask; + +}; + +GumEventSink *gum_fake_event_sink_new(void); +void gum_fake_event_sink_reset(GumFakeEventSink *self); + +G_END_DECLS + +typedef struct { + + GumAddress base_address; + guint64 code_start, code_end; + +} range_t; + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); +#pragma once + +void afl_setup(void); +void afl_start_forkserver(void); +int __afl_persistent_loop(unsigned int max_cnt); + +inline static inline void afl_maybe_log(guint64 current_pc) { + + extern unsigned int afl_instr_rms; + extern uint8_t * afl_area_ptr; + + static __thread guint64 previous_pc; + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + if (current_pc >= afl_instr_rms) return; + + afl_area_ptr[current_pc ^ previous_pc]++; + previous_pc = current_pc >> 1; + +} + diff --git a/examples/afl_frida/libtestinstr.c b/examples/afl_frida/libtestinstr.c new file mode 100644 index 00000000..96b1cf21 --- /dev/null +++ b/examples/afl_frida/libtestinstr.c @@ -0,0 +1,35 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index 7c4d8b35..a2451fdc 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -35,7 +35,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index f7f247f3..872ed9ae 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -266,6 +266,8 @@ int main(int argc, char **argv_orig, char **envp) { gettimeofday(&tv, &tz); rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); + afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing + while ((opt = getopt(argc, argv, "+c:i:I:o:f:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) { @@ -563,7 +565,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } afl->fsrv.qemu_mode = 1; - afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -580,7 +581,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); } afl->unicorn_mode = 1; - afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; } @@ -591,7 +591,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_wine) { FATAL("Multiple -W options not supported"); } afl->fsrv.qemu_mode = 1; afl->use_wine = 1; - afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = 0; } diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index f78b5d9f..76cdccf0 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -1,18 +1,20 @@ #include #include -int main(void) -{ - long double magic; +int main(void) { - ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); - if (bytes_read < (ssize_t)sizeof(magic)) { - return 1; - } + long double magic; - if( (-magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125) ){ /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ - abort(); - } + ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); + if (bytes_read < (ssize_t)sizeof(magic)) { return 1; } + + if ((-magic == 15.0 + 0.5 + 0.125 + 0.03125 + + 0.0078125)) { /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ + abort(); + + } + + return 0; - return 0; } + diff --git a/test/test-fp_cases.c b/test/test-fp_cases.c index 006ae32f..b0f792bc 100644 --- a/test/test-fp_cases.c +++ b/test/test-fp_cases.c @@ -4,13 +4,14 @@ * or -DFLOAT_TYPE="long double" */ - #include int main() { - volatile FLOAT_TYPE a,b; + + volatile FLOAT_TYPE a, b; /* different values */ - a = -2.1; b = -2; /* signs equal, exp equal, mantissa > */ + a = -2.1; + b = -2; /* signs equal, exp equal, mantissa > */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -18,7 +19,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 1.8; b = 2.1; /* signs equal, exp differ, mantissa > */ + a = 1.8; + b = 2.1; /* signs equal, exp differ, mantissa > */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -26,7 +28,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2; b = 2.1; /* signs equal, exp equal, mantissa < */ + a = 2; + b = 2.1; /* signs equal, exp equal, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -34,7 +37,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -2; b = -1.8; /* signs equal, exp differ, mantissa < */ + a = -2; + b = -1.8; /* signs equal, exp differ, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -42,7 +46,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -1; b = 1; /* signs differ, exp equal, mantissa equal */ + a = -1; + b = 1; /* signs differ, exp equal, mantissa equal */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -50,7 +55,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -1; b = 0; /* signs differ, exp differ, mantissa equal */ + a = -1; + b = 0; /* signs differ, exp differ, mantissa equal */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -58,7 +64,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -2; b = 2.8; /* signs differ, exp equal, mantissa < */ + a = -2; + b = 2.8; /* signs differ, exp equal, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -66,7 +73,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -2; b = 1.8; /* signs differ, exp differ, mantissa < */ + a = -2; + b = 1.8; /* signs differ, exp differ, mantissa < */ assert((a < b)); assert((a <= b)); assert(!(a > b)); @@ -74,8 +82,8 @@ int main() { assert((a != b)); assert(!(a == b)); - - a = -2; b = -2.1; /* signs equal, exp equal, mantissa > */ + a = -2; + b = -2.1; /* signs equal, exp equal, mantissa > */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -83,7 +91,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2.1; b = 1.8; /* signs equal, exp differ, mantissa > */ + a = 2.1; + b = 1.8; /* signs equal, exp differ, mantissa > */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -91,7 +100,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2.1; b = 2; /* signs equal, exp equal, mantissa < */ + a = 2.1; + b = 2; /* signs equal, exp equal, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -99,7 +109,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = -1.8; b = -2; /* signs equal, exp differ, mantissa < */ + a = -1.8; + b = -2; /* signs equal, exp differ, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -107,7 +118,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 1; b = -1; /* signs differ, exp equal, mantissa equal */ + a = 1; + b = -1; /* signs differ, exp equal, mantissa equal */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -115,7 +127,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 0; b = -1; /* signs differ, exp differ, mantissa equal */ + a = 0; + b = -1; /* signs differ, exp differ, mantissa equal */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -123,7 +136,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 2.8; b = -2; /* signs differ, exp equal, mantissa < */ + a = 2.8; + b = -2; /* signs differ, exp equal, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -131,7 +145,8 @@ int main() { assert((a != b)); assert(!(a == b)); - a = 1.8; b = -2; /* signs differ, exp differ, mantissa < */ + a = 1.8; + b = -2; /* signs differ, exp differ, mantissa < */ assert((a > b)); assert((a >= b)); assert(!(a < b)); @@ -140,7 +155,8 @@ int main() { assert(!(a == b)); /* equal values */ - a = 0; b = 0; + a = 0; + b = 0; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -148,7 +164,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = -0; b = 0; + a = -0; + b = 0; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -156,7 +173,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = 1; b = 1; + a = 1; + b = 1; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -164,7 +182,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = 0.5; b = 0.5; + a = 0.5; + b = 0.5; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -172,7 +191,8 @@ int main() { assert(!(a != b)); assert((a == b)); - a = -1; b = -1; + a = -1; + b = -1; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); @@ -180,11 +200,14 @@ int main() { assert(!(a != b)); assert((a == b)); - a = -0.5; b = -0.5; + a = -0.5; + b = -0.5; assert(!(a < b)); assert((a <= b)); assert(!(a > b)); assert((a >= b)); assert(!(a != b)); assert((a == b)); + } + -- cgit 1.4.1 From c5963f707c9a1b1ec0d869d90fabf09072093e1d Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 14 Jul 2020 23:42:47 +0200 Subject: make fuzzing of test-floatingpoint reproducible --- test/test-floatingpoint.c | 2 +- test/test.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'test/test-floatingpoint.c') diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index 76cdccf0..8f691c2c 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -3,7 +3,7 @@ int main(void) { - long double magic; + float magic; ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); if (bytes_read < (ssize_t)sizeof(magic)) { return 1; } diff --git a/test/test.sh b/test/test.sh index e901176e..15082070 100755 --- a/test/test.sh +++ b/test/test.sh @@ -388,10 +388,10 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c > test.out 2>&1 test -e test-floatingpoint && { mkdir -p in - echo 0 > in/in + echo ZZ > in/in $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 30 seconds" { - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -s1 -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/crashes/id:* 2>/dev/null )" && { $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" -- cgit 1.4.1 From 131df8bec9dc9dd7cf7a1c03d7189ba72580f6ab Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 25 Jul 2020 16:39:36 +0200 Subject: try to fix travis --- test/test-floatingpoint.c | 24 +++++++++++++++--------- test/test.sh | 4 ++-- 2 files changed, 17 insertions(+), 11 deletions(-) (limited to 'test/test-floatingpoint.c') diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index 8f691c2c..083f0df5 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -1,17 +1,23 @@ #include #include +#include +#include -int main(void) { - - float magic; +__AFL_FUZZ_INIT(); - ssize_t bytes_read = read(STDIN_FILENO, &magic, sizeof(magic)); - if (bytes_read < (ssize_t)sizeof(magic)) { return 1; } - - if ((-magic == 15.0 + 0.5 + 0.125 + 0.03125 + - 0.0078125)) { /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ - abort(); +int main(void) { + ssize_t bytes_read; + + __AFL_INIT(); + float *magic = (float*)__AFL_FUZZ_TESTCASE_BUF; + + while (__AFL_LOOP(INT_MAX)) { + + if (__AFL_FUZZ_TESTCASE_LEN != sizeof(float)) return 1; + /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ + if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); + } return 0; diff --git a/test/test.sh b/test/test.sh index 15082070..dc85f745 100755 --- a/test/test.sh +++ b/test/test.sh @@ -385,13 +385,13 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } rm -f test-compcov.compcov test.out - AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c > test.out 2>&1 + AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_NO_UI=1 AFL_LLVM_LAF_ALL=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c > test.out 2>&1 test -e test-floatingpoint && { mkdir -p in echo ZZ > in/in $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 30 seconds" { - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -s1 -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -s 123 -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/crashes/id:* 2>/dev/null )" && { $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" -- cgit 1.4.1 From 16e362d2b93a60d6c50fca6abfabd9976ca6142d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 26 Jul 2020 15:55:03 +0200 Subject: add last 60s exec/s stat --- include/afl-fuzz.h | 4 ++ src/afl-fuzz-mutators.c | 3 +- src/afl-fuzz-stats.c | 154 +++++++++++++++++++++++++--------------------- test/test-floatingpoint.c | 8 +-- 4 files changed, 93 insertions(+), 76 deletions(-) (limited to 'test/test-floatingpoint.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index cf4254ac..c0c4cfd5 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -581,6 +581,10 @@ typedef struct afl_state { u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ + unsigned long long int last_avg_exec_update; + u32 last_avg_execs; + float last_avg_execs_saved; + /* foreign sync */ #define FOREIGN_SYNCS_MAX 32 u8 foreign_sync_cnt; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index ed777811..850266c2 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -168,7 +168,8 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_deinit", optional for backward compatibility */ mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_deinit' not found."); + if (!mutator->afl_custom_deinit) + FATAL("Symbol 'afl_custom_deinit' not found."); /* "afl_custom_post_process", optional */ mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index fc93011b..995f298e 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -39,7 +39,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, u8 fn[PATH_MAX]; s32 fd; FILE * f; - uint32_t t_bytes = count_non_255_bytes(afl, afl->virgin_bits); + u32 t_bytes = count_non_255_bytes(afl, afl->virgin_bits); snprintf(fn, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); @@ -67,89 +67,101 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, } + if ((unlikely(!afl->last_avg_exec_update || + cur_time - afl->last_avg_exec_update >= 60000))) { + + afl->last_avg_execs_saved = + (float)(1000*(afl->fsrv.total_execs - afl->last_avg_execs)) / + (float)(cur_time - afl->last_avg_exec_update); + afl->last_avg_execs = afl->fsrv.total_execs; + afl->last_avg_exec_update = cur_time; + + } + #ifndef __HAIKU__ if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } #endif - fprintf( - f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" - "fuzzer_pid : %u\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - // "real_execs_per_sec: %0.02f\n" // damn the name is too long - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" - "slowest_exec_ms : %u\n" - "peak_rss_mb : %lu\n" - "cpu_affinity : %d\n" - "edges_found : %u\n" - "var_byte_count : %u\n" - "afl_banner : %s\n" - "afl_version : " VERSION - "\n" - "target_mode : %s%s%s%s%s%s%s%s%s\n" - "command_line : %s\n", - afl->start_time / 1000, cur_time / 1000, - (cur_time - afl->start_time) / 1000, (u32)getpid(), - afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, - afl->fsrv.total_execs, - afl->fsrv.total_execs / - ((double)(get_cur_time() - afl->start_time) / 1000), - afl->queued_paths, afl->queued_favored, afl->queued_discovered, - afl->queued_imported, afl->max_depth, afl->current_entry, - afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, - stability, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, - afl->last_path_time / 1000, afl->last_crash_time / 1000, - afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, - afl->fsrv.exec_tmout, afl->slowest_exec_ms, + fprintf(f, + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "execs_ps_last_min : %0.02f\n" + "paths_total : %u\n" + "paths_favored : %u\n" + "paths_found : %u\n" + "paths_imported : %u\n" + "max_depth : %u\n" + "cur_path : %u\n" /* Must match find_start_position() */ + "pending_favs : %u\n" + "pending_total : %u\n" + "variable_paths : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" + "slowest_exec_ms : %u\n" + "peak_rss_mb : %lu\n" + "cpu_affinity : %d\n" + "edges_found : %u\n" + "var_byte_count : %u\n" + "afl_banner : %s\n" + "afl_version : " VERSION + "\n" + "target_mode : %s%s%s%s%s%s%s%s%s\n" + "command_line : %s\n", + afl->start_time / 1000, cur_time / 1000, + (cur_time - afl->start_time) / 1000, (u32)getpid(), + afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, + afl->fsrv.total_execs, + afl->fsrv.total_execs / + ((double)(get_cur_time() - afl->start_time) / 1000), + afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored, + afl->queued_discovered, afl->queued_imported, afl->max_depth, + afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, + afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, + afl->unique_hangs, afl->last_path_time / 1000, + afl->last_crash_time / 1000, afl->last_hang_time / 1000, + afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, + afl->slowest_exec_ms, #ifndef __HAIKU__ #ifdef __APPLE__ - (unsigned long int)(rus.ru_maxrss >> 20), + (unsigned long int)(rus.ru_maxrss >> 20), #else - (unsigned long int)(rus.ru_maxrss >> 10), + (unsigned long int)(rus.ru_maxrss >> 10), #endif #else - -1UL, + -1UL, #endif #ifdef HAVE_AFFINITY - afl->cpu_aff, + afl->cpu_aff, #else - -1, + -1, #endif - t_bytes, afl->var_byte_count, afl->use_banner, - afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", - afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", - afl->persistent_mode ? "persistent " : "", - afl->shmem_testcase_mode ? "shmem_testcase " : "", - afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->non_instrumented_mode || - afl->no_forkserver || afl->crash_mode || afl->persistent_mode || - afl->deferred_mode) - ? "" - : "default", - afl->orig_cmdline); + t_bytes, afl->var_byte_count, afl->use_banner, + afl->unicorn_mode ? "unicorn" : "", + afl->fsrv.qemu_mode ? "qemu " : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", + afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", + afl->deferred_mode ? "deferred " : "", + (afl->unicorn_mode || afl->fsrv.qemu_mode || + afl->non_instrumented_mode || afl->no_forkserver || + afl->crash_mode || afl->persistent_mode || afl->deferred_mode) + ? "" + : "default", + afl->orig_cmdline); /* ignore errors */ if (afl->debug) { diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index 083f0df5..acecd55a 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -8,16 +8,16 @@ __AFL_FUZZ_INIT(); int main(void) { ssize_t bytes_read; - + __AFL_INIT(); - float *magic = (float*)__AFL_FUZZ_TESTCASE_BUF; - + float *magic = (float *)__AFL_FUZZ_TESTCASE_BUF; + while (__AFL_LOOP(INT_MAX)) { if (__AFL_FUZZ_TESTCASE_LEN != sizeof(float)) return 1; /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); - + } return 0; -- cgit 1.4.1 From 5ce55d87ecf5d3f0e8fbd0e1ce68f74efb0cf528 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 30 Jul 2020 13:46:52 +0200 Subject: make travis green again (floating point testcase), but all laf testcases need AFL_DEBUG=1 (that is another bug) --- test/test-floatingpoint.c | 9 +++++++-- test/test.sh | 7 ++++--- 2 files changed, 11 insertions(+), 5 deletions(-) (limited to 'test/test-floatingpoint.c') diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index acecd55a..d1709b90 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -14,8 +14,13 @@ int main(void) { while (__AFL_LOOP(INT_MAX)) { - if (__AFL_FUZZ_TESTCASE_LEN != sizeof(float)) return 1; - /* 15 + 1/2 + 1/8 + 1/32 + 1/128 */ + int len = __AFL_FUZZ_TESTCASE_LEN; + if (len != sizeof(float)) return 1; + + /* 15 + 1/2 = 15.5 */ + /* 15 + 1/2 + 1/8 = 15.625 */ + /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ + /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); } diff --git a/test/test.sh b/test/test.sh index 76b089e7..427509a4 100755 --- a/test/test.sh +++ b/test/test.sh @@ -385,17 +385,18 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } rm -f test-compcov.compcov test.out - AFL_LLVM_INSTRUMENT=AFL AFL_LLVM_LAF_ALL=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c > test.out 2>&1 + AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_ALL=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c test -e test-floatingpoint && { mkdir -p in - echo ZZ > in/in + echo ZZZZ > in/in $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 30 seconds" { - AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 123 -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 1 -V30 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/crashes/id:* 2>/dev/null )" && { $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" } || { + cat errors $ECHO "$RED[!] llvm_mode laf-intel floatingpoint splitting feature failed" CODE=1 } -- cgit 1.4.1 From ea9ba53cdbc6d175f3f055c9a308668ebaacda1e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 17:09:22 +0200 Subject: fix oob reads, code-format --- examples/aflpp_driver/aflpp_driver.c | 168 ++++++++++++++++++------------ examples/aflpp_driver/aflpp_driver_test.c | 16 +-- src/afl-fuzz-queue.c | 55 +++++----- src/afl-fuzz-redqueen.c | 3 +- test/test-floatingpoint.c | 8 +- 5 files changed, 146 insertions(+), 104 deletions(-) (limited to 'test/test-floatingpoint.c') diff --git a/examples/aflpp_driver/aflpp_driver.c b/examples/aflpp_driver/aflpp_driver.c index eca3dcd1..86c7a69f 100644 --- a/examples/aflpp_driver/aflpp_driver.c +++ b/examples/aflpp_driver/aflpp_driver.c @@ -14,12 +14,15 @@ cat << EOF > test_fuzzer.cc #include #include extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + if (size > 0 && data[0] == 'H') if (size > 1 && data[1] == 'I') if (size > 2 && data[2] == '!') __builtin_trap(); return 0; + } + EOF # Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang. clang -g -fsanitize-coverage=trace-pc-guard test_fuzzer.cc -c @@ -57,46 +60,46 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both. #include "config.h" #ifdef _DEBUG -#include "hash.h" + #include "hash.h" #endif // Platform detection. Copied from FuzzerInternal.h #ifdef __linux__ -#define LIBFUZZER_LINUX 1 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 1 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 0 #elif __APPLE__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 1 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 1 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 0 #elif __NetBSD__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 1 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 1 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 0 #elif __FreeBSD__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 1 -#define LIBFUZZER_OPENBSD 0 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 1 + #define LIBFUZZER_OPENBSD 0 #elif __OpenBSD__ -#define LIBFUZZER_LINUX 0 -#define LIBFUZZER_APPLE 0 -#define LIBFUZZER_NETBSD 0 -#define LIBFUZZER_FREEBSD 0 -#define LIBFUZZER_OPENBSD 1 + #define LIBFUZZER_LINUX 0 + #define LIBFUZZER_APPLE 0 + #define LIBFUZZER_NETBSD 0 + #define LIBFUZZER_FREEBSD 0 + #define LIBFUZZER_OPENBSD 1 #else -#error "Support for your platform has not been implemented" + #error "Support for your platform has not been implemented" #endif -int __afl_sharedmem_fuzzing = 1; -extern unsigned int *__afl_fuzz_len; +int __afl_sharedmem_fuzzing = 1; +extern unsigned int * __afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. @@ -105,11 +108,11 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); // Notify AFL about persistent mode. static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; -int __afl_persistent_loop(unsigned int); +int __afl_persistent_loop(unsigned int); // Notify AFL about deferred forkserver. static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; -void __afl_manual_init(); +void __afl_manual_init(); // Use this optionally defined function to output sanitizer messages even if // user asks to close stderr. @@ -122,98 +125,121 @@ static FILE *output_file; // Experimental feature to use afl_driver without AFL's deferred mode. // Needs to run before __afl_auto_init. __attribute__((constructor(0))) static void __decide_deferred_forkserver(void) { + if (getenv("AFL_DRIVER_DONT_DEFER")) { + if (unsetenv("__AFL_DEFER_FORKSRV")) { + perror("Failed to unset __AFL_DEFER_FORKSRV"); abort(); + } + } + } // If the user asks us to duplicate stderr, then do it. static void maybe_duplicate_stderr() { + char *stderr_duplicate_filename = getenv("AFL_DRIVER_STDERR_DUPLICATE_FILENAME"); - if (!stderr_duplicate_filename) - return; + if (!stderr_duplicate_filename) return; FILE *stderr_duplicate_stream = freopen(stderr_duplicate_filename, "a+", stderr); if (!stderr_duplicate_stream) { + fprintf( stderr, "Failed to duplicate stderr to AFL_DRIVER_STDERR_DUPLICATE_FILENAME"); abort(); + } + output_file = stderr_duplicate_stream; + } // Most of these I/O functions were inspired by/copied from libFuzzer's code. static void discard_output(int fd) { + FILE *temp = fopen("/dev/null", "w"); - if (!temp) - abort(); + if (!temp) abort(); dup2(fileno(temp), fd); fclose(temp); + } -static void close_stdout() { discard_output(STDOUT_FILENO); } +static void close_stdout() { + + discard_output(STDOUT_FILENO); + +} // Prevent the targeted code from writing to "stderr" but allow sanitizers and // this driver to do so. static void dup_and_close_stderr() { + int output_fileno = fileno(output_file); int output_fd = dup(output_fileno); - if (output_fd <= 0) - abort(); + if (output_fd <= 0) abort(); FILE *new_output_file = fdopen(output_fd, "w"); - if (!new_output_file) - abort(); - if (!__sanitizer_set_report_fd) - return; - __sanitizer_set_report_fd((void*)output_fd); + if (!new_output_file) abort(); + if (!__sanitizer_set_report_fd) return; + __sanitizer_set_report_fd((void *)output_fd); discard_output(output_fileno); + } // Close stdout and/or stderr if user asks for it. static void maybe_close_fd_mask() { + char *fd_mask_str = getenv("AFL_DRIVER_CLOSE_FD_MASK"); - if (!fd_mask_str) - return; + if (!fd_mask_str) return; int fd_mask = atoi(fd_mask_str); - if (fd_mask & 2) - dup_and_close_stderr(); - if (fd_mask & 1) - close_stdout(); + if (fd_mask & 2) dup_and_close_stderr(); + if (fd_mask & 1) close_stdout(); + } // Define LLVMFuzzerMutate to avoid link failures for targets that use it // with libFuzzer's LLVMFuzzerCustomMutator. size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { - //assert(false && "LLVMFuzzerMutate should not be called from afl_driver"); + + // assert(false && "LLVMFuzzerMutate should not be called from afl_driver"); return 0; + } // Execute any files provided as parameters. static int ExecuteFilesOnyByOne(int argc, char **argv) { + unsigned char *buf = malloc(MAX_FILE); for (int i = 1; i < argc; i++) { + int fd = open(argv[i], O_RDONLY); if (fd == -1) continue; ssize_t length = read(fd, buf, MAX_FILE); if (length > 0) { + printf("Reading %zu bytes from %s\n", length, argv[i]); LLVMFuzzerTestOneInput(buf, length); printf("Execution successful.\n"); + } + } + free(buf); return 0; + } int main(int argc, char **argv) { + printf( "======================= INFO =========================\n" "This binary is built for AFL-fuzz.\n" @@ -226,36 +252,39 @@ int main(int argc, char **argv) { "afl-fuzz will run N iterations before " "re-spawning the process (default: 1000)\n" "======================================================\n", - argv[0], argv[0], argv[0]); + argv[0], argv[0], argv[0]); output_file = stderr; maybe_duplicate_stderr(); maybe_close_fd_mask(); - if (LLVMFuzzerInitialize) - LLVMFuzzerInitialize(&argc, &argv); + if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. uint8_t dummy_input[64] = {0}; - memcpy(dummy_input, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); - memcpy(dummy_input + 32, (void*)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR)); + memcpy(dummy_input, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); + memcpy(dummy_input + 32, (void *)AFL_DEFER_FORKSVR, + sizeof(AFL_DEFER_FORKSVR)); int N = INT_MAX; if (argc == 2 && argv[1][0] == '-') - N = atoi(argv[1] + 1); - else if(argc == 2 && (N = atoi(argv[1])) > 0) - printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); + N = atoi(argv[1] + 1); + else if (argc == 2 && (N = atoi(argv[1])) > 0) + printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); else if (argc > 1) { -// if (!getenv("AFL_DRIVER_DONT_DEFER")) { - __afl_sharedmem_fuzzing = 0; - __afl_manual_init(); -// } + + // if (!getenv("AFL_DRIVER_DONT_DEFER")) { + + __afl_sharedmem_fuzzing = 0; + __afl_manual_init(); + // } return ExecuteFilesOnyByOne(argc, argv); exit(0); + } assert(N > 0); -// if (!getenv("AFL_DRIVER_DONT_DEFER")) + // if (!getenv("AFL_DRIVER_DONT_DEFER")) __afl_manual_init(); // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization @@ -264,17 +293,26 @@ int main(int argc, char **argv) { int num_runs = 0; while (__afl_persistent_loop(N)) { + #ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), *__afl_fuzz_len); + fprintf(stderr, "CLIENT crc: %016llx len: %u\n", + hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), + *__afl_fuzz_len); fprintf(stderr, "RECV:"); for (int i = 0; i < *__afl_fuzz_len; i++) fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); - fprintf(stderr,"\n"); + fprintf(stderr, "\n"); #endif if (*__afl_fuzz_len) { + num_runs++; LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + } + } + printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); + } + diff --git a/examples/aflpp_driver/aflpp_driver_test.c b/examples/aflpp_driver/aflpp_driver_test.c index 83278f5c..e4567bbf 100644 --- a/examples/aflpp_driver/aflpp_driver_test.c +++ b/examples/aflpp_driver/aflpp_driver_test.c @@ -6,18 +6,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - fprintf(stderr, "FUNC crc: %016llx len: %lu\n", hash64((u8*)Data, (unsigned int) Size, (unsigned long long int) 0xa5b35705), Size); - - if (Size < 5) - return 0; + fprintf(stderr, "FUNC crc: %016llx len: %lu\n", + hash64((u8 *)Data, (unsigned int)Size, + (unsigned long long int)0xa5b35705), + Size); + + if (Size < 5) return 0; if (Data[0] == 'F') if (Data[1] == 'A') if (Data[2] == '$') if (Data[3] == '$') - if (Data[4] == '$') - abort(); - + if (Data[4] == '$') abort(); + return 0; } + diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 38e95ac8..71874283 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -139,7 +139,8 @@ static u8 check_if_text(struct queue_entry *q) { // non-overlong 2-byte if (((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) { + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF)) && + len - offset > 1) { offset += 2; utf8++; @@ -149,18 +150,19 @@ static u8 check_if_text(struct queue_entry *q) { } // excluding overlongs - if ((buf[offset + 0] == 0xE0 && - (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && - buf[offset + 2] <= 0xBF)) || // straight 3-byte - (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) || - buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && - buf[offset + 2] <= 0xBF)) || // excluding surrogates - (buf[offset + 0] == 0xED && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF))) { + if ((len - offset > 2) && + ((buf[offset + 0] == 0xE0 && + (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // straight 3-byte + (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) || + buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && + buf[offset + 2] <= 0xBF)) || // excluding surrogates + (buf[offset + 0] == 0xED && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF)))) { offset += 3; utf8++; @@ -170,19 +172,20 @@ static u8 check_if_text(struct queue_entry *q) { } // planes 1-3 - if ((buf[offset + 0] == 0xF0 && - (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && - (0x80 <= buf[offset + 3] && - buf[offset + 3] <= 0xBF)) || // planes 4-15 - ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && - (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16 - (buf[offset + 0] == 0xF4 && - (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) && - (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && - (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF))) { + if ((len - offset > 3) && + ((buf[offset + 0] == 0xF0 && + (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && + buf[offset + 3] <= 0xBF)) || // planes 4-15 + ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16 + (buf[offset + 0] == 0xF4 && + (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) && + (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) && + (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)))) { offset += 4; utf8++; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 57e60c3d..a2e8f992 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -269,8 +269,7 @@ static long long strntoll(const char *str, size_t sz, char **end, int base) { long long ret; const char *beg = str; - for (; beg && sz && *beg == ' '; beg++, sz--) - ; + for (; beg && sz && *beg == ' '; beg++, sz--) {}; if (!sz || sz >= sizeof(buf)) { diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index d1709b90..3a699595 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -17,10 +17,10 @@ int main(void) { int len = __AFL_FUZZ_TESTCASE_LEN; if (len != sizeof(float)) return 1; - /* 15 + 1/2 = 15.5 */ - /* 15 + 1/2 + 1/8 = 15.625 */ - /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ - /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ + /* 15 + 1/2 = 15.5 */ + /* 15 + 1/2 + 1/8 = 15.625 */ + /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ + /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); } -- cgit 1.4.1 From 486e5365d9e5cb56ffd5b5ade2f81a728de4a175 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 30 Jul 2020 18:01:18 +0200 Subject: fix float splitting if not on a tty --- llvm_mode/split-compares-pass.so.cc | 38 ++++++++++++++++++++++++------------- test/test-floatingpoint.c | 2 +- test/test.sh | 2 +- 3 files changed, 27 insertions(+), 15 deletions(-) (limited to 'test/test-floatingpoint.c') diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 55128ca2..f65adde8 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -1247,7 +1247,8 @@ size_t SplitComparesTransform::splitIntCompares(Module &M, unsigned bitw) { bool SplitComparesTransform::runOnModule(Module &M) { - int bitw = 64; + int bitw = 64; + size_t count; char *bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW"); if (!bitw_env) bitw_env = getenv("LAF_SPLIT_COMPARES_BITW"); @@ -1261,18 +1262,26 @@ bool SplitComparesTransform::runOnModule(Module &M) { errs() << "Split-compare-pass by laf.intel@gmail.com, extended by " "heiko@hexco.de\n"; - if (enableFPSplit) { + } else { + + be_quiet = 1; + + } + + if (enableFPSplit) { - errs() << "Split-floatingpoint-compare-pass: " << splitFPCompares(M) + count = splitFPCompares(M); + + if (!be_quiet) { + + errs() << "Split-floatingpoint-compare-pass: " << count << " FP comparisons splitted\n"; } - } else + simplifyFPCompares(M); - be_quiet = 1; - - if (enableFPSplit) simplifyFPCompares(M); + } simplifyCompares(M); @@ -1281,9 +1290,10 @@ bool SplitComparesTransform::runOnModule(Module &M) { switch (bitw) { case 64: + count = splitIntCompares(M, bitw); if (!be_quiet) - errs() << "Split-integer-compare-pass " << bitw - << "bit: " << splitIntCompares(M, bitw) << " splitted\n"; + errs() << "Split-integer-compare-pass " << bitw << "bit: " << count + << " splitted\n"; bitw >>= 1; #if LLVM_VERSION_MAJOR > 3 || \ @@ -1291,9 +1301,10 @@ bool SplitComparesTransform::runOnModule(Module &M) { [[clang::fallthrough]]; /*FALLTHRU*/ /* FALLTHROUGH */ #endif case 32: + count = splitIntCompares(M, bitw); if (!be_quiet) - errs() << "Split-integer-compare-pass " << bitw - << "bit: " << splitIntCompares(M, bitw) << " splitted\n"; + errs() << "Split-integer-compare-pass " << bitw << "bit: " << count + << " splitted\n"; bitw >>= 1; #if LLVM_VERSION_MAJOR > 3 || \ @@ -1301,9 +1312,10 @@ bool SplitComparesTransform::runOnModule(Module &M) { [[clang::fallthrough]]; /*FALLTHRU*/ /* FALLTHROUGH */ #endif case 16: + count = splitIntCompares(M, bitw); if (!be_quiet) - errs() << "Split-integer-compare-pass " << bitw - << "bit: " << splitIntCompares(M, bitw) << " splitted\n"; + errs() << "Split-integer-compare-pass " << bitw << "bit: " << count + << " splitted\n"; bitw >>= 1; break; diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index 3a699595..66d84411 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -15,7 +15,7 @@ int main(void) { while (__AFL_LOOP(INT_MAX)) { int len = __AFL_FUZZ_TESTCASE_LEN; - if (len != sizeof(float)) return 1; + if (len < sizeof(float)) return 1; /* 15 + 1/2 = 15.5 */ /* 15 + 1/2 + 1/8 = 15.625 */ diff --git a/test/test.sh b/test/test.sh index 437a5113..dea9134f 100755 --- a/test/test.sh +++ b/test/test.sh @@ -389,7 +389,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } rm -f test-compcov.compcov test.out - AFL_LLVM_INSTRUMENT=AFL AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c >errors + AFL_LLVM_INSTRUMENT=AFL AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c >errors 2>&1 test -e test-floatingpoint && { mkdir -p in echo ZZZZ > in/in -- cgit 1.4.1 From 8ea19d4266dab5c6c88336119be40529ed148c8f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 31 Jul 2020 19:37:05 +0200 Subject: easier float test --- test/test-floatingpoint.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'test/test-floatingpoint.c') diff --git a/test/test-floatingpoint.c b/test/test-floatingpoint.c index 66d84411..febfae05 100644 --- a/test/test-floatingpoint.c +++ b/test/test-floatingpoint.c @@ -21,7 +21,9 @@ int main(void) { /* 15 + 1/2 + 1/8 = 15.625 */ /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ - if ((-*magic == 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) abort(); + if ((*magic >= 15.0 + 0.5 + 0.125 + 0.03125) && + (*magic <= 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) + abort(); } -- cgit 1.4.1