From 61779547733699dfe6710a74529e02d515364aa4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 12 May 2020 16:32:40 +0200 Subject: fix custom mutators and add real test cases --- test/test.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index 919d7a9c..1d06780b 100755 --- a/test/test.sh +++ b/test/test.sh @@ -970,16 +970,17 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { } } # Compile the custom mutator - make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1 - test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { + cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 + test -e test-custom-mutator -a -e ./libexamplemutator.so && { # Create input directory mkdir -p in echo "00000" > in/in # Run afl-fuzz w/ the C mutator - $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 5 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results @@ -996,10 +997,10 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # Clean rm -rf out errors - #Run afl-fuzz w/ multiple C mutators - $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 20 seconds" + # Run afl-fuzz w/ multiple C mutators + $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 5 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="${CUSTOM_MUTATOR_PATH}/libexamplemutator.so;${CUSTOM_MUTATOR_PATH}/libexamplemutator.so" ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here @@ -1016,11 +1017,11 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { rm -rf out errors # Run afl-fuzz w/ the Python mutator - $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds" + $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 5 seconds" { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V5 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 @@ -1039,7 +1040,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # Clean rm -rf in out errors rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/ - rm -f test-multiple-mutators + rm -f test-multiple-mutators test-custom-mutator libexamplemutator.so libexamplemutator2.so } || { ls . ls ${CUSTOM_MUTATOR_PATH} -- cgit 1.4.1 From 6224ae1c6004d52b230aa6dd6694c7d57dc49627 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 May 2020 20:59:48 +0200 Subject: test/test.sh: prefer python3 over python for unicornafl, avoid realpath and readlink dependencies --- test/test.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index 1d06780b..8e6c277f 100755 --- a/test/test.sh +++ b/test/test.sh @@ -883,7 +883,7 @@ test -d ../unicorn_mode/unicornafl && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { # travis workaround - PY=`command -v python` + PY=`command -v python3 || command -v python` test "$PY" = "/opt/pyenv/shims/python" -a -x /usr/bin/python && PY=/usr/bin/python mkdir -p in echo 0 > in/in @@ -942,11 +942,8 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$BLUE[*] Testing: custom mutator" test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { - test `uname -s` = 'Darwin' && { - CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) - } || { - CUSTOM_MUTATOR_PATH=$( readlink -f ../examples/custom_mutators ) - } + # normalize path + CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../examples/custom_mutators;pwd) test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { unset AFL_CC # Compile the vulnerable program for single mutator -- cgit 1.4.1 From 5273c61cd84fb5db4bd4c97509f60511c7a9bb6d Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 May 2020 23:19:51 +0200 Subject: Darwin tests: grep --binary-files=text for laf-intel and skipping of unittests --- GNUmakefile | 11 ++++++++++- test/test.sh | 2 +- unicorn_mode/unicornafl | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) (limited to 'test/test.sh') diff --git a/GNUmakefile b/GNUmakefile index d3e9275c..95bc1072 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -252,7 +252,7 @@ help: @echo "deepclean: cleans everything including downloads" @echo "code-format: format the code, do this before you commit and send a PR please!" @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem" - @echo "unit: perform unit tests (based on cmocka)" + @echo "unit: perform unit tests (based on cmocka and GNU linker)" @echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations" @echo "help: shows these build options :-)" @echo "==========================================" @@ -385,8 +385,17 @@ unit_preallocable: test/unittests/unit_preallocable.o unit_clean: @rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o +ifneq "$(shell uname)" "Darwin" + unit: unit_maybe_alloc unit_preallocable unit_list unit_clean +else + +unit: + @echo [-] unit tests are skipped on Darwin \(lacks GNU linker feature --wrap\) + +endif + code-format: ./.custom-format.py -i src/*.c ./.custom-format.py -i include/*.h diff --git a/test/test.sh b/test/test.sh index 8e6c277f..6c05571b 100755 --- a/test/test.sh +++ b/test/test.sh @@ -355,7 +355,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { - grep -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { + grep --binary-files=text -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" } || { $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 5833117a..a5b79002 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 5833117abf55d54c4191ead81312764df03a48bc +Subproject commit a5b79002ca18219c83f9aec4e71007917c6be2e0 -- cgit 1.4.1 From d334093606ff4fb77822f11cde7a80fa880de0c7 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 14 May 2020 01:00:11 +0200 Subject: deprecated AFL_POST_LIBRARY --- README.md | 5 +- docs/Changelog.md | 2 + docs/env_variables.md | 5 +- docs/sister_projects.md | 7 -- examples/post_library/post_library.so.c | 159 ---------------------------- examples/post_library/post_library_png.so.c | 156 --------------------------- include/afl-fuzz.h | 5 +- src/afl-common.c | 2 +- src/afl-fuzz-init.c | 48 --------- src/afl-fuzz-state.c | 6 +- src/afl-fuzz.c | 3 - test/test.sh | 1 - 12 files changed, 14 insertions(+), 385 deletions(-) delete mode 100644 examples/post_library/post_library.so.c delete mode 100644 examples/post_library/post_library_png.so.c (limited to 'test/test.sh') diff --git a/README.md b/README.md index 04ead78e..a2c81aa4 100644 --- a/README.md +++ b/README.md @@ -672,8 +672,9 @@ Here are some of the most important caveats for AFL: To work around this, you can comment out the relevant checks (see examples/libpng_no_checksum/ for inspiration); if this is not possible, - you can also write a postprocessor, as explained in - examples/post_library/ (with AFL_POST_LIBRARY) + you can also write a postprocessor, one of the hooks of custom mutators. + See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use + `AFL_CUSTOM_MUTATOR_LIBRARY` - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md) diff --git a/docs/Changelog.md b/docs/Changelog.md index 0b5c11e8..4b2d7977 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -15,6 +15,8 @@ sending a mail to . - better python detection - an old, old bug in afl that would show negative stability in rare circumstances is now hopefully fixed + - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see docs/custom_mutators.md) - llvm_mode: - afl-clang-fast/lto now do not skip single block functions. This behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK diff --git a/docs/env_variables.md b/docs/env_variables.md index 36e5a432..2668be7d 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -310,9 +310,8 @@ checks or alter some of the more exotic semantics of the tool: else. This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. - - Setting AFL_POST_LIBRARY allows you to configure a postprocessor for - mutated files - say, to fix up checksums. See examples/post_library/ - for more. + - Note that AFL_POST_LIBRARY is deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see below). - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with afl_custom_fuzz() creates additional mutations through this library. diff --git a/docs/sister_projects.md b/docs/sister_projects.md index 1625044c..a501ecbd 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -56,13 +56,6 @@ functionality is now available as the "persistent" feature described in http://llvm.org/docs/LibFuzzer.html -## AFL fixup shim (Ben Nagy) - -Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages -that don't have C / .so bindings. Includes examples in Go. - -https://github.com/bnagy/aflfix - ## TriforceAFL (Tim Newsham and Jesse Hertz) Leverages QEMU full system emulation mode to allow AFL to target operating diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c deleted file mode 100644 index d9504b23..00000000 --- a/examples/post_library/post_library.so.c +++ /dev/null @@ -1,159 +0,0 @@ -/* - american fuzzy lop++ - postprocessor library example - -------------------------------------------------- - - Originally written by Michal Zalewski - Edited by Dominik Maier, 2020 - - Copyright 2015 Google Inc. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Postprocessor libraries can be passed to afl-fuzz to perform final cleanup - of any mutated test cases - for example, to fix up checksums in PNG files. - - Please heed the following warnings: - - 1) In almost all cases, it is more productive to comment out checksum logic - in the targeted binary (as shown in ../libpng_no_checksum/). One possible - exception is the process of fuzzing binary-only software in QEMU mode. - - 2) The use of postprocessors for anything other than checksums is - questionable and may cause more harm than good. AFL is normally pretty good - about dealing with length fields, magic values, etc. - - 3) Postprocessors that do anything non-trivial must be extremely robust to - gracefully handle malformed data and other error conditions - otherwise, - they will crash and take afl-fuzz down with them. Be wary of reading past - *len and of integer overflows when calculating file offsets. - - In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really, - honestly know what you're doing =) - - With that out of the way: the postprocessor library is passed to afl-fuzz - via AFL_POST_LIBRARY. The library must be compiled with: - - gcc -shared -Wall -O3 post_library.so.c -o post_library.so - - AFL will call the afl_postprocess() function for every mutated output buffer. - From there, you have three choices: - - 1) If you don't want to modify the test case, simply set `*out_buf = in_buf` - and return the original `len`. - - 2) If you want to skip this test case altogether and have AFL generate a - new one, return 0 or set `*out_buf = NULL`. - Use this sparingly - it's faster than running the target program - with patently useless inputs, but still wastes CPU time. - - 3) If you want to modify the test case, allocate an appropriately-sized - buffer, move the data into that buffer, make the necessary changes, and - then return the new pointer as out_buf. Return an appropriate len - afterwards. - - Note that the buffer will *not* be freed for you. To avoid memory leaks, - you need to free it or reuse it on subsequent calls (as shown below). - - *** Feel free to reuse the original 'in_buf' BUFFER and return it. *** - - Aight. The example below shows a simple postprocessor that tries to make - sure that all input files start with "GIF89a". - - PS. If you don't like C, you can try out the unix-based wrapper from - Ben Nagy instead: https://github.com/bnagy/aflfix - - */ - -#include -#include -#include - -/* Header that must be present at the beginning of every test case: */ - -#define HEADER "GIF89a" - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl, unsigned int seed) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -/* The actual postprocessor routine called by afl-fuzz: */ - -size_t afl_postprocess(post_state_t *data, unsigned char *in_buf, - unsigned int len, unsigned char **out_buf) { - - /* Skip execution altogether for buffers shorter than 6 bytes (just to - show how it's done). We can trust len to be sane. */ - - if (len < strlen(HEADER)) return 0; - - /* Do nothing for buffers that already start with the expected header. */ - - if (!memcmp(in_buf, HEADER, strlen(HEADER))) { - - *out_buf = in_buf; - return len; - - } - - /* Allocate memory for new buffer, reusing previous allocation if - possible. */ - - *out_buf = realloc(data->buf, len); - - /* If we're out of memory, the most graceful thing to do is to return the - original buffer and give up on modifying it. Let AFL handle OOM on its - own later on. */ - - if (!*out_buf) { - - *out_buf = in_buf; - return len; - - } - - /* Copy the original data to the new location. */ - - memcpy(*out_buf, in_buf, len); - - /* Insert the new header. */ - - memcpy(*out_buf, HEADER, strlen(HEADER)); - - /* Return the new len. It hasn't changed, so it's just len. */ - - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c deleted file mode 100644 index b29afd62..00000000 --- a/examples/post_library/post_library_png.so.c +++ /dev/null @@ -1,156 +0,0 @@ -/* - american fuzzy lop++ - postprocessor for PNG - ------------------------------------------ - - Originally written by Michal Zalewski - - Copyright 2015 Google Inc. All rights reserved. - Adapted to the new API, 2020 by Dominik Maier - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - See post_library.so.c for a general discussion of how to implement - postprocessors. This specific postprocessor attempts to fix up PNG - checksums, providing a slightly more complicated example than found - in post_library.so.c. - - Compile with: - - gcc -shared -Wall -O3 post_library_png.so.c -o post_library_png.so -lz - - */ - -#include -#include -#include -#include -#include - -#include - -/* A macro to round an integer up to 4 kB. */ - -#define UP4K(_i) ((((_i) >> 12) + 1) << 12) - -typedef struct post_state { - - unsigned char *buf; - size_t size; - -} post_state_t; - -void *afl_postprocess_init(void *afl, unsigned int seed) { - - post_state_t *state = malloc(sizeof(post_state_t)); - if (!state) { - - perror("malloc"); - return NULL; - - } - - state->buf = calloc(sizeof(unsigned char), 4096); - if (!state->buf) { return NULL; } - - return state; - -} - -size_t afl_postprocess(post_state_t *data, const unsigned char *in_buf, - unsigned int len, const unsigned char **out_buf) { - - unsigned char *new_buf = (unsigned char *)in_buf; - unsigned int pos = 8; - - /* Don't do anything if there's not enough room for the PNG header - (8 bytes). */ - - if (len < 8) { - - *out_buf = in_buf; - return len; - - } - - /* Minimum size of a zero-length PNG chunk is 12 bytes; if we - don't have that, we can bail out. */ - - while (pos + 12 <= len) { - - unsigned int chunk_len, real_cksum, file_cksum; - - /* Chunk length is the first big-endian dword in the chunk. */ - - chunk_len = ntohl(*(uint32_t *)(in_buf + pos)); - - /* Bail out if chunk size is too big or goes past EOF. */ - - if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > len) break; - - /* Chunk checksum is calculated for chunk ID (dword) and the actual - payload. */ - - real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4)); - - /* The in-file checksum is the last dword past the chunk data. */ - - file_cksum = *(uint32_t *)(in_buf + pos + 8 + chunk_len); - - /* If the checksums do not match, we need to fix the file. */ - - if (real_cksum != file_cksum) { - - /* First modification? Make a copy of the input buffer. Round size - up to 4 kB to minimize the number of reallocs needed. */ - - if (new_buf == in_buf) { - - if (len <= data->size) { - - new_buf = data->buf; - - } else { - - new_buf = realloc(data->buf, UP4K(len)); - if (!new_buf) { - - *out_buf = in_buf; - return len; - - } - - data->buf = new_buf; - data->size = UP4K(len); - memcpy(new_buf, in_buf, len); - - } - - } - - *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum; - - } - - /* Skip the entire chunk and move to the next one. */ - - pos += 12 + chunk_len; - - } - - *out_buf = new_buf; - return len; - -} - -/* Gets called afterwards */ -void afl_postprocess_deinit(post_state_t *data) { - - free(data->buf); - free(data); - -} - diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index a1aa58d6..9907c245 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -323,9 +323,8 @@ typedef struct afl_env_vars { afl_bench_until_crash, afl_debug_child_output, afl_autoresume, afl_cal_fast; - u8 *afl_tmpdir, *afl_post_library, *afl_custom_mutator_library, - *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, - *afl_preload; + u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, + *afl_hang_tmout, *afl_skip_crashes, *afl_preload; } afl_env_vars_t; diff --git a/src/afl-common.c b/src/afl-common.c index 74fd6b27..808c9812 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -76,7 +76,7 @@ char *afl_environment_variables[] = { "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally - "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", + "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index daaac969..0a7941f2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -280,54 +280,6 @@ cpuset_destroy(c); #endif /* HAVE_AFFINITY */ -/* Load postprocessor, if available. */ - -void setup_post(afl_state_t *afl) { - - void *dh; - u8 * fn = afl->afl_env.afl_post_library; - u8 tbuf[6]; - u32 tlen = 6; - strncpy(tbuf, "hello", tlen); - - if (!fn) { return; } - - ACTF("Loading postprocessor from '%s'...", fn); - - dh = dlopen(fn, RTLD_NOW); - if (!dh) { FATAL("%s", dlerror()); } - - struct custom_mutator *mutator; - mutator = ck_alloc(sizeof(struct custom_mutator)); - memset(mutator, 0, sizeof(struct custom_mutator)); - - mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); - if (!mutator->afl_custom_post_process) { - - FATAL("Symbol 'afl_postprocess' not found."); - - } - - mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); - if (!mutator->afl_custom_init) { - - WARNF("optional symbol 'afl_postprocess_init' not found."); - - } - - mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!mutator->afl_custom_post_process) { - - WARNF("optional symbol 'afl_postprocess_deinit' not found."); - - } - - afl->post_library_mutator = mutator; - - OKF("Postprocessor installed successfully."); - -} - /* Shuffle an array of pointers. Might be slightly biased. */ static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 316f9bd9..99863103 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -313,8 +313,10 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->afl_env.afl_post_library = - (u8 *)get_afl_env(afl_environment_variables[i]); + FATAL( + "AFL_POST_LIBRARY is deprecated, use " + "AFL_CUSTOM_MUTATOR_LIBRARY instead, see " + "docs/custom_mutators.md"); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 979ebfa3..8625c37c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -187,7 +187,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_UI: switch status screen off\n" "AFL_PATH: path to AFL support binaries\n" - "AFL_POST_LIBRARY: postprocess generated test cases before use as target input\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -1060,8 +1059,6 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); - setup_post(afl); - if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); memset(afl->virgin_crash, 255, afl->fsrv.map_size); diff --git a/test/test.sh b/test/test.sh index 6c05571b..cb38346d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,7 +60,6 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT -unset AFL_POST_LIBRARY unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD -- cgit 1.4.1 From 9e375179d8bfe1375625258b4fcdf018cd598cfc Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 18:40:26 +0200 Subject: test.sh: make sure the right python version (with setuptools available) is being used --- test/test.sh | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index 6c05571b..b21563fb 100755 --- a/test/test.sh +++ b/test/test.sh @@ -882,8 +882,35 @@ $ECHO "$BLUE[*] Testing: unicorn_mode" test -d ../unicorn_mode/unicornafl && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { + # some python version should be available now + PYTHONS="`command -v python3` `command -v python` `command -v python2`" + EASY_INSTALL_FOUND=0 + for PYTHON in $PYTHONS ; do + + # work around for installs with executable easy_install + MYPYTHONPATH=`${PYTHON} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` + for PATHCANDIDATE in \ + "dist-packages/" \ + "site-packages/" + do + if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then + + EASY_INSTALL_FOUND=1 + PY=$PYTHON + break + + fi + done + + done + if [ "0" = $EASY_INSTALL_FOUND ]; then + + echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." + PREREQ_NOTFOUND=1 + + fi + # travis workaround - PY=`command -v python3 || command -v python` test "$PY" = "/opt/pyenv/shims/python" -a -x /usr/bin/python && PY=/usr/bin/python mkdir -p in echo 0 > in/in -- cgit 1.4.1 From 94a1d4d3ac423f8f7252ec6a0e52f18ff0f02d08 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 14 May 2020 20:32:04 +0200 Subject: test unicornafl: copy from build script --- test/test.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index 24b80f03..bf01cb6e 100755 --- a/test/test.sh +++ b/test/test.sh @@ -886,20 +886,13 @@ test -d ../unicorn_mode/unicornafl && { EASY_INSTALL_FOUND=0 for PYTHON in $PYTHONS ; do - # work around for installs with executable easy_install - MYPYTHONPATH=`${PYTHON} -v &1 >/dev/null | sed -n -e '/^# \/.*\/os.py/{ s/.*matches //; s/os.py$//; p;}'` - for PATHCANDIDATE in \ - "dist-packages/" \ - "site-packages/" - do - if [ -e "${MYPYTHONPATH}/${PATHCANDIDATE}/easy_install.py" ] ; then + if $PYTHON -c "help('modules');" 2>/dev/null | grep -q easy_install ; then EASY_INSTALL_FOUND=1 PY=$PYTHON break - fi - done + fi done if [ "0" = $EASY_INSTALL_FOUND ]; then -- cgit 1.4.1 From 324b44872c4f292594889305886eea0d77208479 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 14 May 2020 21:13:36 +0200 Subject: unicornafl: python/module check with faster method --- test/test.sh | 2 +- unicorn_mode/build_unicorn_support.sh | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'test/test.sh') diff --git a/test/test.sh b/test/test.sh index bf01cb6e..88bde564 100755 --- a/test/test.sh +++ b/test/test.sh @@ -886,7 +886,7 @@ test -d ../unicorn_mode/unicornafl && { EASY_INSTALL_FOUND=0 for PYTHON in $PYTHONS ; do - if $PYTHON -c "help('modules');" 2>/dev/null | grep -q easy_install ; then + if $PYTHON -c "help('easy_install');" /dev/null | grep -q easy_install ; then + if $PYTHON -c "help('$EASY_INSTALL');" Date: Fri, 15 May 2020 01:55:33 +0200 Subject: llvm_mode: lower llvm version reqs to 3.4 (LLInsTrim will not be available) --- llvm_mode/GNUmakefile | 2 +- llvm_mode/LLVMInsTrim.so.cc | 12 ++++++++++++ llvm_mode/afl-llvm-common.cc | 5 ++++- llvm_mode/afl-llvm-pass.so.cc | 11 +++++++++-- llvm_mode/compare-transform-pass.so.cc | 1 - llvm_mode/split-compares-pass.so.cc | 1 - llvm_mode/split-switches-pass.so.cc | 1 - test/test.sh | 23 ++++++++++++++--------- 8 files changed, 40 insertions(+), 16 deletions(-) (limited to 'test/test.sh') diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index ab14e545..01c83787 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -39,7 +39,7 @@ else endif LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' ) -LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-7]|^1[2-9]' && echo 1 || echo 0 ) +LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-3]|^1[2-9]' && echo 1 || echo 0 ) LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 ) LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//') LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 4b8f8754..7dc96bc3 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -160,9 +160,21 @@ struct InsTrim : public ModulePass { else #else if (ngram_size_str) +#ifdef LLVM_VERSION_STRING FATAL( "Sorry, NGRAM branch coverage is not supported with llvm version %s!", LLVM_VERSION_STRING); +#else +#ifndef LLVM_VERSION_PATCH + FATAL( + "Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, 0); +#else + FATAL( + "Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, LLVM_VERISON_PATCH); +#endif +#endif #endif PrevLocSize = 1; diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index db604e14..35eabbf0 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -33,7 +33,10 @@ char *getBBName(const llvm::BasicBlock *BB) { std::string Str; raw_string_ostream OS(Str); +#if LLVM_VERSION_MAJOR >= 4 || \ + (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 7) BB->printAsOperand(OS, false); +#endif name = strdup(OS.str().c_str()); return name; @@ -171,7 +174,7 @@ bool isInWhitelist(llvm::Function *F) { #else if (!Loc.isUnknown()) { - DILocation cDILoc(Loc.getAsMDNode(C)); + DILocation cDILoc(Loc.getAsMDNode(F->getContext())); unsigned int instLine = cDILoc.getLineNumber(); StringRef instFilename = cDILoc.getFilename(); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index f58a7a5e..5bf705f8 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -211,8 +211,15 @@ bool AFLCoverage::runOnModule(Module &M) { else #else if (ngram_size_str) - FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %s!", - LLVM_VERSION_STRING); +#ifndef LLVM_VERSION_PATCH + FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, + 0); +#else + FATAL("Sorry, NGRAM branch coverage is not supported with llvm version %d.%d.%d!", + LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, + LLVM_VERSION_PATCH); +#endif #endif PrevLocSize = 1; diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 8fadc424..1ebc54d7 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -25,7 +25,6 @@ #include "llvm/Config/llvm-config.h" #include "llvm/ADT/Statistic.h" -#include "llvm/IR/DebugInfo.h" #include "llvm/IR/IRBuilder.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/Module.h" diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index eb5deb14..2c4ed71c 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -27,7 +27,6 @@ #include "llvm/Config/llvm-config.h" #include "llvm/Pass.h" -#include "llvm/IR/DebugInfo.h" #include "llvm/Support/raw_ostream.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index 6328ea5f..4a6ca3d9 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -26,7 +26,6 @@ #include "llvm/Config/llvm-config.h" #include "llvm/ADT/Statistic.h" -#include "llvm/IR/DebugInfo.h" #include "llvm/IR/IRBuilder.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/Module.h" diff --git a/test/test.sh b/test/test.sh index 88bde564..2559f058 100755 --- a/test/test.sh +++ b/test/test.sh @@ -338,19 +338,24 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { rm -f test-instr.plain # now for the special llvm_mode things - AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out - test -e test-instr.instrim && { - TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` - test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && { - $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine" + test -e ../libLLVMInsTrim.so && { + AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out + test -e test-instr.instrim && { + TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` + test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && { + $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine" + } || { + $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES" + CODE=1 + } + rm -f test-instr.instrim test.out } || { - $ECHO "$RED[!] llvm_mode InsTrim instrumentation produces weird numbers: $TUPLES" + $ECHO "$RED[!] llvm_mode InsTrim compilation failed" CODE=1 } - rm -f test-instr.instrim test.out } || { - $ECHO "$RED[!] llvm_mode InsTrim compilation failed" - CODE=1 + $ECHO "$YELLOW[-] llvm_mode InsTrim not compiled, cannot test" + INCOMPLETE=1 } AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { -- cgit 1.4.1