From 23d9649aec7a7d74082debdb9f6fa2f5ffca7268 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Mar 2020 09:31:30 +0100 Subject: making 'CFLAGS="-m32" make source-only tests' work --- test/test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index 8434aaf1..ec4e71d0 100755 --- a/test/test.sh +++ b/test/test.sh @@ -580,7 +580,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { } $ECHO "$BLUE[*] Testing: shared library extensions" -cc -o test-compcov test-compcov.c > /dev/null 2>&1 +cc $CFLAGS -o test-compcov test-compcov.c > /dev/null 2>&1 test -e ../libtokencap.so && { AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { -- cgit 1.4.1 From 245304f5938a700e93a3403b30509dea55a6549e Mon Sep 17 00:00:00 2001 From: h1994st Date: Fri, 27 Mar 2020 02:03:20 -0400 Subject: Add a test case for the custom mutator - Update the Makefile in examples/custom_mutators - Add a test program for testing the custom mutator - Update test.sh for testing the custom mutator - [TODO] Update the result checking criterias of the custom mutator in test.sh --- examples/custom_mutators/Makefile | 7 ++- test/test-custom-mutator.c | 20 ++++++ test/test.sh | 128 ++++++++++++++++++++++++++++++-------- 3 files changed, 127 insertions(+), 28 deletions(-) create mode 100644 test/test-custom-mutator.c (limited to 'test/test.sh') diff --git a/examples/custom_mutators/Makefile b/examples/custom_mutators/Makefile index a83e87fe..463cefb1 100644 --- a/examples/custom_mutators/Makefile +++ b/examples/custom_mutators/Makefile @@ -1,2 +1,7 @@ -all: +all: libexamplemutator.so + +libexamplemutator.so: $(CC) $(CFLAGS) -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so + +clean: + rm -rf libexamplemutator.so diff --git a/test/test-custom-mutator.c b/test/test-custom-mutator.c new file mode 100644 index 00000000..b44c3634 --- /dev/null +++ b/test/test-custom-mutator.c @@ -0,0 +1,20 @@ +/** + * Reference: https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c + */ + +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + char str[100]={ }; + read(0, str, 100); + int *ptr = NULL; + if( str[0] == 'P') { + *ptr = 123; + } + return 0; +} diff --git a/test/test.sh b/test/test.sh index ec4e71d0..725ae9e4 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,8 +60,8 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT -unset AFL_POST_LIBRARY -unset AFL_CUSTOM_MUTATOR_LIBRARY + +export unset AFL_CUSTOM_MUTATOR_LIBRARY=unset AFL_POST_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD unset LD_PRELOAD @@ -73,7 +73,7 @@ export ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=1:abort_on_error=1: # on OpenBSD we need to work with llvm from /usr/local/bin test -e /usr/local/bin/opt && { export PATH=/usr/local/bin:${PATH} -} +} # on MacOS X we prefer afl-clang over afl-gcc, because # afl-gcc does not work there test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { @@ -142,11 +142,11 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc CODE=1 } rm -f test-compcov.harden - } || { + } || { $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" CODE=1 } - # now we want to be sure that afl-fuzz is working + # now we want to be sure that afl-fuzz is working # make sure core_pattern is set to core on linux (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" @@ -210,13 +210,13 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc unset AFL_QUIET } rm -f test-instr.plain - } || { + } || { $ECHO "$YELLOW[-] afl is not compiled, cannot test" INCOMPLETE=1 } -} || { +} || { $ECHO "$YELLOW[-] not an intel platform, cannot test afl-gcc" -} +} $ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { @@ -248,7 +248,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } } - } || { + } || { $ECHO "$RED[!] llvm_mode instrumentation failed" CODE=1 } @@ -265,11 +265,11 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } rm -f test-compcov.harden - } || { + } || { $ECHO "$RED[!] llvm_mode hardened mode compilation failed" CODE=1 } - # now we want to be sure that afl-fuzz is working + # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true @@ -373,7 +373,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$RED[!] llvm_mode whitelist feature failed" CODE=1 } - } || { + } || { $ECHO "$RED[!] llvm_mode whitelist feature compilation failed" CODE=1 } @@ -426,7 +426,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { CODE=1 } } - } || { + } || { $ECHO "$RED[!] llvm_mode LTO instrumentation failed" CODE=1 } @@ -447,7 +447,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { # $ECHO "$RED[!] llvm_mode LTO whitelist feature failed" # CODE=1 # } -# } || { +# } || { # $ECHO "$RED[!] llvm_mode LTO whitelist feature compilation failed" # CODE=1 # } @@ -483,7 +483,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" CODE=1 - } || { + } || { $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain.gccpi 2>&1 | grep Captur | awk '{print$3}'` test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && { @@ -516,7 +516,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { $ECHO "$RED[!] gcc_plugin hardened mode compilation failed" CODE=1 } - # now we want to be sure that afl-fuzz is working + # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true @@ -552,11 +552,11 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { test -e test-compcov && { echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 1 tuples" && { $ECHO "$GREEN[+] gcc_plugin whitelist feature works correctly" - } || { + } || { $ECHO "$RED[!] gcc_plugin whitelist feature failed" CODE=1 } - } || { + } || { $ECHO "$RED[!] gcc_plugin whitelist feature compilation failed" CODE=1 } @@ -585,7 +585,7 @@ test -e ../libtokencap.so && { AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { $ECHO "$GREEN[+] libtokencap did successfully capture tokens" - } || { + } || { $ECHO "$RED[!] libtokencap did not capture tokens" CODE=1 } @@ -604,7 +604,7 @@ test -e ../libdislocator.so && { $ECHO "$RED[!] libdislocator did not detect the memory corruption" CODE=1 } || { - $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" + $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" } rm -f test.out core test-compcov.core core.test-compcov } || { @@ -700,7 +700,7 @@ test -e ../afl-qemu-trace && { test -e ../libcompcov.so && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode compcov, this will take approx 10 seconds" { - export AFL_PRELOAD=../libcompcov.so + export AFL_PRELOAD=../libcompcov.so export AFL_COMPCOV_LEVEL=2 ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-compcov >>errors 2>&1 unset AFL_PRELOAD @@ -720,10 +720,10 @@ test -e ../afl-qemu-trace && { INCOMPLETE=1 } rm -f errors - } || { + } || { $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode compcov" } - + test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" { @@ -757,9 +757,9 @@ test -e ../afl-qemu-trace && { exit 1 } rm -rf in out errors - } || { + } || { $ECHO "$YELLOW[-] not an intel or arm platform, cannot test persistent qemu_mode" - } + } test -e ../qemu_mode/unsigaction/unsigaction32.so && { ${AFL_CC} -o test-unsigaction32 -m32 test-unsigaction.c >> errors 2>&1 && { @@ -824,7 +824,7 @@ test -e ../afl-qemu-trace && { $ECHO "$RED[!] gcc compilation of test targets failed - what is going on??" CODE=1 } - + rm -f test-instr test-compcov } || { $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test" @@ -887,12 +887,86 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$RED[!] missing sample binaries in unicorn_mode/samples/ - what is going on??" CODE=1 } - + } || { $ECHO "$YELLOW[-] unicorn_mode is not compiled, cannot test" INCOMPLETE=1 } +$ECHO "$BLUE[*] Testing: custom mutator" +unset AFL_CC # Line 474 sets AFL_CC to "gcc". We reset it to use the default compiler +CUSTOM_MUTATOR_PATH=../examples/custom_mutators +test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c && { + # Compile the vulnerable program + ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c + # Compile the custom mutator + make -C ../examples/custom_mutators libexamplemutator.so + test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { + # Create input directory + mkdir -p in + echo 00000 > in/in + + # Run afl-fuzz w/ the C mutator + $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" + { + export AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + unset AFL_CUSTOM_MUTATOR_LIBRARY + } >>errors 2>&1 + + # Check results + test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + $ECHO "$GREEN[+] afl-fuzz is working correctly with the C mutator" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with the C mutator" + CODE=1 + } + + # Clean + rm -rf out errors + + # Run afl-fuzz w/ the Python mutator + $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds" + { + export PYTHONPATH=${CUSTOM_MUTATOR_PATH} + export AFL_PYTHON_MODULE=example + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + unset PYTHONPATH + unset AFL_PYTHON_MODULE + } >>errors 2>&1 + + # Check results + test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + $ECHO "$GREEN[+] afl-fuzz is working correctly with the Python mutator" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with the Python mutator" + CODE=1 + } + + # Clean + rm -rf in out errors + rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/ + } || { + ls . + ls ${CUSTOM_MUTATOR_PATH} + $ECHO "$RED[!] cannot compile the test program or the custom mutator" + CODE=1 + } + + make -C ../examples/custom_mutators clean > /dev/null 2>&1 + rm -f test-custom-mutator +} || { + $ECHO "$YELLOW[-] no custom mutators in $CUSTOM_MUTATOR_PATH, cannot test" + INCOMPLETE=1 +} +unset CUSTOM_MUTATOR_PATH + $ECHO "$GREY[*] all test cases completed.$RESET" test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed" test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed" -- cgit 1.4.1 From 1e290542bb77f35d1e7bb340077f1c28c0b03b81 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 16:46:50 +0200 Subject: rebase --- src/afl-fuzz-mutators.c | 4 ++-- test/test.sh | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'test/test.sh') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 754b2190..1a5528a2 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -193,8 +193,8 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) { /* Initialize the custom mutator */ if (afl->mutator->afl_custom_init) - afl->mutator->data = - afl->mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); + afl->mutator->data = afl->mutator->afl_custom_init( + afl, rand_below(afl, 0xFFFFFFFF)); } diff --git a/test/test.sh b/test/test.sh index 725ae9e4..0d3c7199 100755 --- a/test/test.sh +++ b/test/test.sh @@ -895,12 +895,12 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$BLUE[*] Testing: custom mutator" unset AFL_CC # Line 474 sets AFL_CC to "gcc". We reset it to use the default compiler -CUSTOM_MUTATOR_PATH=../examples/custom_mutators +CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c && { # Compile the vulnerable program - ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c + ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 # Compile the custom mutator - make -C ../examples/custom_mutators libexamplemutator.so + make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1 test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { # Create input directory mkdir -p in -- cgit 1.4.1 From d568559f01b1a7609f8a0c4f7afea513375725e4 Mon Sep 17 00:00:00 2001 From: h1994st Date: Fri, 27 Mar 2020 21:03:06 -0400 Subject: Fix typo --- examples/custom_mutators/example.py | 3 +-- test/test.sh | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) (limited to 'test/test.sh') diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 6bacfa05..6b58188e 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -164,11 +164,10 @@ def fuzz(buf, add_buf, max_size): # ''' # Called after adding a new test case to the queue # -# @type filename_new_queue: str +# @type filename_new_queue: str # @param filename_new_queue: File name of the new queue entry # # @type filename_orig_queue: str # @param filename_orig_queue: File name of the original queue entry # ''' # pass - diff --git a/test/test.sh b/test/test.sh index 0d3c7199..11c4be25 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,8 +60,8 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT - -export unset AFL_CUSTOM_MUTATOR_LIBRARY=unset AFL_POST_LIBRARY +unset AFL_POST_LIBRARY +unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD unset LD_PRELOAD -- cgit 1.4.1 From 64e1d3a975b5d4f017fabdc921cb59128db1c18a Mon Sep 17 00:00:00 2001 From: h1994st Date: Sun, 29 Mar 2020 01:22:44 -0400 Subject: test.sh: "trusty-amd64" does not work well with "realpath". Use "readlink -f" for Ubuntu instead. --- examples/custom_mutators/example.py | 12 ++++++++++-- test/test.sh | 16 ++++++++++------ 2 files changed, 20 insertions(+), 8 deletions(-) (limited to 'test/test.sh') diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 7919d3d3..9e95eed6 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -17,6 +17,13 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. import random +COMMANDS = [ + b"GET", + b"PUT", + b"DEL", +] + + def init(seed): ''' Called once when AFLFuzz starts up. Used to seed our RNG. @@ -48,8 +55,9 @@ def fuzz(buf, add_buf, max_size): @rtype: bytearray @return: A new bytearray containing the mutated data ''' - ret = bytearray(buf) - # Do something interesting with ret + ret = bytearray(100) + + ret[:3] = random.choice(COMMANDS) return ret diff --git a/test/test.sh b/test/test.sh index 11c4be25..c9ce3489 100755 --- a/test/test.sh +++ b/test/test.sh @@ -894,9 +894,13 @@ test -d ../unicorn_mode/unicornafl && { } $ECHO "$BLUE[*] Testing: custom mutator" -unset AFL_CC # Line 474 sets AFL_CC to "gcc". We reset it to use the default compiler -CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) -test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c && { +unset AFL_CC # Test case "gcc_plugin" sets AFL_CC to "gcc". We reset it to use the default compiler +test `uname -s` = 'Darwin' && { + CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) +} || { + CUSTOM_MUTATOR_PATH=$( readlink -f ../examples/custom_mutators ) +} +test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { # Compile the vulnerable program ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 # Compile the custom mutator @@ -904,7 +908,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { # Create input directory mkdir -p in - echo 00000 > in/in + echo "00000" > in/in # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" @@ -915,7 +919,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS } >>errors 2>&1 # Check results - test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here $ECHO "$GREEN[+] afl-fuzz is working correctly with the C mutator" } || { echo CUT------------------------------------------------------------------CUT @@ -939,7 +943,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS } >>errors 2>&1 # Check results - test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here $ECHO "$GREEN[+] afl-fuzz is working correctly with the Python mutator" } || { echo CUT------------------------------------------------------------------CUT -- cgit 1.4.1 From ea954539756722e84f65e0f3a6638bb3dc50d8db Mon Sep 17 00:00:00 2001 From: h1994st Date: Mon, 30 Mar 2020 05:28:30 -0400 Subject: test.sh: redirect command line output --- test/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index c9ce3489..25aaad58 100755 --- a/test/test.sh +++ b/test/test.sh @@ -914,7 +914,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { export AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset AFL_CUSTOM_MUTATOR_LIBRARY } >>errors 2>&1 @@ -937,7 +937,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 -- cgit 1.4.1 From 710a29a1e0b8c874cdba43a16879f7f77e917713 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 18:20:20 +0200 Subject: fixed testcase --- test/test-custom-mutator.c | 7 +++---- test/test.sh | 4 +--- 2 files changed, 4 insertions(+), 7 deletions(-) (limited to 'test/test.sh') diff --git a/test/test-custom-mutator.c b/test/test-custom-mutator.c index b44c3634..83baafab 100644 --- a/test/test-custom-mutator.c +++ b/test/test-custom-mutator.c @@ -10,11 +10,10 @@ int main(int argc, char *argv[]) { - char str[100]={ }; + char str[100]; read(0, str, 100); - int *ptr = NULL; - if( str[0] == 'P') { - *ptr = 123; + if( str[6] == 'A') { + abort(); } return 0; } diff --git a/test/test.sh b/test/test.sh index 25aaad58..3e1b6c43 100755 --- a/test/test.sh +++ b/test/test.sh @@ -913,9 +913,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { - export AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 - unset AFL_CUSTOM_MUTATOR_LIBRARY + AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results -- cgit 1.4.1 From 9cab515e5880b7f61e395dd3fa612d88c1db671f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 18:37:16 +0200 Subject: added unittests to test.sh --- .travis.yml | 4 ++-- test/test.sh | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'test/test.sh') diff --git a/.travis.yml b/.travis.yml index 2c8c8bea..92c8f5a2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -41,8 +41,8 @@ before_install: # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE} - echo Testing on $NAME - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi - - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils ; fi - - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils ; fi + - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils cmocka ; fi + - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils cmocka ; fi script: - gcc -v diff --git a/test/test.sh b/test/test.sh index 3e1b6c43..de730c15 100755 --- a/test/test.sh +++ b/test/test.sh @@ -969,6 +969,10 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS } unset CUSTOM_MUTATOR_PATH +$ECHO "$BLUE[*] Execution cmocka Unit-Tests $GREY" +unset AFL_CC +make -C .. unit || "$CODE" = "1" + $ECHO "$GREY[*] all test cases completed.$RESET" test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed" test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed" -- cgit 1.4.1 From 0b8a5cb4bb8c1d940557b02d58f9ea653c8e9443 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 31 Mar 2020 07:37:30 +0200 Subject: travis: dont fail on custom mutator - currently --- test/test.sh | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index de730c15..0dc58cc8 100755 --- a/test/test.sh +++ b/test/test.sh @@ -961,6 +961,8 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS CODE=1 } + test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } + make -C ../examples/custom_mutators clean > /dev/null 2>&1 rm -f test-custom-mutator } || { -- cgit 1.4.1 From c8bdf0790f7d19078d9ec5705fc04eefd8615988 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 31 Mar 2020 14:01:22 +0200 Subject: reenabled custom mutator report --- examples/custom_mutators/Makefile | 2 +- llvm_mode/afl-clang-fast.c | 1 - src/afl-fuzz-one.c | 1 + test/test.sh | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) (limited to 'test/test.sh') diff --git a/examples/custom_mutators/Makefile b/examples/custom_mutators/Makefile index 463cefb1..9849f3f4 100644 --- a/examples/custom_mutators/Makefile +++ b/examples/custom_mutators/Makefile @@ -1,7 +1,7 @@ all: libexamplemutator.so libexamplemutator.so: - $(CC) $(CFLAGS) -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so + $(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so clean: rm -rf libexamplemutator.so diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 99bc8d03..de8d3410 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -48,7 +48,6 @@ static u8 debug; static u8 cwd[4096]; static u8 cmplog_mode; u8 use_stdin = 0; /* dummy */ -u8 be_quiet = 0; u8 *getthecwd() { diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 2e49e19b..b20bde90 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -1648,6 +1648,7 @@ custom_mutator_stage: } /* `(afl->)out_buf` may have been changed by the call to custom_fuzz */ + /* TODO: Only do this when `mutated_buf` == `out_buf`? Branch vs Memcpy. */ memcpy(out_buf, in_buf, len); } diff --git a/test/test.sh b/test/test.sh index 0dc58cc8..a04df384 100755 --- a/test/test.sh +++ b/test/test.sh @@ -961,7 +961,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS CODE=1 } - test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } + #test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } make -C ../examples/custom_mutators clean > /dev/null 2>&1 rm -f test-custom-mutator -- cgit 1.4.1