From 724d4ec3de2e8452ebc36b13747013575c49ca21 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 19 Apr 2020 00:37:23 +0200 Subject: fix some gcc dependencies and build problems on debian 32-Bit, adapted qemu_mode AFL_ENTRYPOINT test case for 32 bit --- test/test.sh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index 9a53825b..5af35ec3 100755 --- a/test/test.sh +++ b/test/test.sh @@ -81,6 +81,8 @@ test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { } || { AFL_GCC=afl-gcc } +command -v gcc || AFL_GCC=afl-clang + SYS=`uname -m` GREY="\\033[1;90m" @@ -666,8 +668,8 @@ test -z "$AFL_CC" && { $ECHO "$BLUE[*] Testing: qemu_mode" test -e ../afl-qemu-trace && { - gcc -pie -fPIE -o test-instr ../test-instr.c - gcc -o test-compcov test-compcov.c + cc -pie -fPIE -o test-instr ../test-instr.c + cc -o test-compcov test-compcov.c test -e test-instr -a -e test-compcov && { { mkdir -p in @@ -691,7 +693,14 @@ test -e ../afl-qemu-trace && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode AFL_ENTRYPOINT, this will take approx 6 seconds" { { - export AFL_ENTRYPOINT=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//' )` + if file test-instr | grep -q "32-bit"; then + # for 32-bit reduce 8 nibbles to the lower 7 nibbles + ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.//'` + else + # for 64-bit reduce 16 nibbles to the lower 9 nibbles + ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//'` + fi + export AFL_ENTRYPOINT=`expr 0x4${ADDR_LOWER_PART}` $ECHO AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(nm test-instr | grep "T main") - $(file ./test-instr) ../afl-fuzz -m ${MEM_LIMIT} -V2 -Q -i in -o out -- ./test-instr unset AFL_ENTRYPOINT @@ -759,7 +768,14 @@ test -e ../afl-qemu-trace && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" { - export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//' )` + if file test-instr | grep -q "32-bit"; then + # for 32-bit reduce 8 nibbles to the lower 7 nibbles + ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.//'` + else + # for 64-bit reduce 16 nibbles to the lower 9 nibbles + ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//'` + fi + export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4${ADDR_LOWER_PART}` export AFL_QEMU_PERSISTENT_GPR=1 $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" env|grep AFL_|sort -- cgit 1.4.1 From dcba2c36421315be1cca78c9ca78a2e15311cdef Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 22 Apr 2020 08:02:46 +0200 Subject: test.sh: custom mutator test; make it compilable with available instrumenting compiler --- test/test.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index 5af35ec3..b8d4208f 100755 --- a/test/test.sh +++ b/test/test.sh @@ -951,7 +951,15 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { unset AFL_CC # Compile the vulnerable program - ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 + test -e ../afl-clang-fast && { + ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 + } || { + test -e ../afl-gcc-fast && { + ../afl-gcc-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 + } || { + ../afl-gcc -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 + } + } # Compile the custom mutator make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1 test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { -- cgit 1.4.1 From b6f9f4c436bc8c63f9039847d2a7b6e13da3515e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 23 Apr 2020 16:08:36 +0200 Subject: minor changes --- README.md | 2 +- test/test-compcov.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/README.md b/README.md index 9ec7b6e7..222afab7 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,7 @@ afl++ has many build options. The easiest is to build and install everything: ```shell -$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang python-setuptools +$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang python-setuptools llvm $ make distrib $ sudo make install ``` diff --git a/test/test-compcov.c b/test/test-compcov.c index f1743265..5278af93 100644 --- a/test/test-compcov.c +++ b/test/test-compcov.c @@ -25,11 +25,10 @@ int main(int argc, char **argv) { printf("your string was bugmenot\n"); else if (strcmp(input, "BUFFEROVERFLOW") == 0) { - buf = malloc(16); + buf = (char*)malloc(16); strcpy(buf, "TEST"); strcat(buf, input); printf("This will only crash with libdislocator: %s\n", buf); - return 0; } else if (*(unsigned int *)input == 0xabadcafe) -- cgit 1.4.1 From 766085293da050f84a397161e7a84384620956a2 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 24 Apr 2020 12:09:25 +0200 Subject: variable map size fix, error reporting through forkserver, code format --- docs/Changelog.md | 12 ++- include/config.h | 16 +++- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 22 ++--- llvm_mode/afl-llvm-rt.o.c | 122 +++++++++++++++++++-------- src/afl-common.c | 3 +- src/afl-forkserver.c | 53 ++++++++++-- src/afl-fuzz-state.c | 10 ++- src/afl-gcc.c | 17 ++-- test/test-compcov.c | 2 +- 9 files changed, 192 insertions(+), 65 deletions(-) (limited to 'test') diff --git a/docs/Changelog.md b/docs/Changelog.md index ea669eed..e1ca4a10 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,6 +10,13 @@ sending a mail to . ### Version ++2.64d (develop): + - afl-fuzz: + - AFL_MAP_SIZE was not working correctly + - llvm_mode: + - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed + address for the shared memory map is used as this increases the + fuzzing speed + - fixes to LTO mode if instrumented edges > MAP_SIZE - qemu_mode: - add information on PIE/PIC load addresses for 32 bit - better dependency checks @@ -17,11 +24,8 @@ sending a mail to . - better dependency checks - unicorn_mode: - better submodule handling - - llvm_mode: - - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed - address for the shared memory map is used as this increases the - fuzzing speed - all: + - forkserver communication now also used for error reporting - fix 32 bit build options - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory intact if in a git/svn checkout - unless "deepclean" is used diff --git a/include/config.h b/include/config.h index f11ac919..dca5a8f0 100644 --- a/include/config.h +++ b/include/config.h @@ -402,12 +402,26 @@ /* Extended forkserver option values */ +/* Reporting errors */ +#define FS_OPT_ERROR 0xf800008f +#define FS_OPT_GET_ERROR(x) ((x & 0x00ffff00) >> 8) +#define FS_OPT_SET_ERROR(x) ((x & 0x0000ffff) << 8) +#define FS_ERROR_MAP_SIZE 1 +#define FS_ERROR_MAP_ADDR 2 +#define FS_ERROR_SHM_OPEN 4 +#define FS_ERROR_SHMAT 8 +#define FS_ERROR_MMAP 16 + +/* Reporting options */ #define FS_OPT_ENABLED 0x8f000001 #define FS_OPT_MAPSIZE 0x40000000 #define FS_OPT_SNAPSHOT 0x20000000 #define FS_OPT_AUTODICT 0x10000000 +// FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 22 +#define FS_OPT_MAX_MAPSIZE ((0x00fffffe >> 1) + 1) #define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1) -#define FS_OPT_SET_MAPSIZE(x) (x <= 1 || x > 0x1000000 ? 0 : ((x - 1) << 1)) +#define FS_OPT_SET_MAPSIZE(x) \ + (x <= 1 || x > FS_OPT_MAX_MAPSIZE ? 0 : ((x - 1) << 1)) #endif /* ! _HAVE_CONFIG_H */ diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index dbd4a26e..eefac629 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -679,7 +679,8 @@ bool AFLLTOPass::runOnModule(Module &M) { // save highest location ID to global variable // do this after each function to fail faster - if (!be_quiet && afl_global_id > MAP_SIZE) { + if (!be_quiet && afl_global_id > MAP_SIZE && + afl_global_id > FS_OPT_MAX_MAPSIZE) { uint32_t pow2map = 1, map = afl_global_id; while ((map = map >> 1)) @@ -741,18 +742,13 @@ bool AFLLTOPass::runOnModule(Module &M) { if (afl_global_id % 8) write_loc = (((afl_global_id + 8) >> 3) << 3); - if (write_loc <= MAP_SIZE && write_loc <= 0x800000) { - - GlobalVariable *AFLFinalLoc = new GlobalVariable( - M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, - "__afl_final_loc", 0, GlobalVariable::GeneralDynamicTLSModel, 0, - false); - ConstantInt *const_loc = ConstantInt::get(Int32Ty, write_loc); - StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); - StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(C, None)); - - } + GlobalVariable *AFLFinalLoc = new GlobalVariable( + M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc", + 0, GlobalVariable::GeneralDynamicTLSModel, 0, false); + ConstantInt *const_loc = ConstantInt::get(Int32Ty, write_loc); + StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 6da41192..8867ae36 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -52,9 +52,9 @@ #define CONST_PRIO 5 -//#ifndef MAP_FIXED_NOREPLACE -//#define MAP_FIXED_NOREPLACE MAP_FIXED -//#endif +#ifndef MAP_FIXED_NOREPLACE +#define MAP_FIXED_NOREPLACE MAP_FIXED +#endif #include #include @@ -73,6 +73,7 @@ u32 __afl_final_loc; u32 __afl_prev_ctx; u32 __afl_cmp_counter; u32 __afl_dictionary_len; +u32 __afl_map_size = MAP_SIZE; u64 __afl_map_addr; #else __thread PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX]; @@ -80,6 +81,7 @@ __thread u32 __afl_final_loc; __thread u32 __afl_prev_ctx; __thread u32 __afl_cmp_counter; __thread u32 __afl_dictionary_len; +__thread u32 __afl_map_size = MAP_SIZE; __thread u64 __afl_map_addr; #endif @@ -89,20 +91,72 @@ struct cmp_map *__afl_cmp_map; static u8 is_persistent; +/* Error reporting to forkserver controller */ + +void send_forkserver_error(int error) { + + u32 status; + if (!error || error > 0xffff) return; + status = (FS_OPT_ERROR | FS_OPT_SET_ERROR(error)); + if (write(FORKSRV_FD + 1, (char *)&status, 4) != 4) return; + +} + /* SHM setup. */ static void __afl_map_shm(void) { - u8 * id_str = getenv(SHM_ENV_VAR); - unsigned int map_size = MAP_SIZE; + char *id_str = getenv(SHM_ENV_VAR); + + if (__afl_final_loc) { + + __afl_map_size = __afl_final_loc; + if (__afl_final_loc > MAP_SIZE) { + + char *ptr; + u32 val = 0; + if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr); + if (val < __afl_final_loc) { + + if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) { + + fprintf(stderr, + "Error: AFL++ tools *require* to set AFL_MAP_SIZE to %u to " + "be able to run this instrumented program!\n", + __afl_final_loc); + if (id_str) { + + send_forkserver_error(FS_ERROR_MAP_SIZE); + exit(-1); + + } + + } else { + + fprintf(stderr, + "Warning: AFL++ tools will need to set AFL_MAP_SIZE to %u to " + "be able to run this instrumented program!\n", + __afl_final_loc); + + } + + } + + } - if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) - map_size = __afl_final_loc; + } /* If we're running under AFL, attach to the appropriate region, replacing the early-stage __afl_area_initial region that is needed to allow some really hacky .init code to work correctly in projects such as OpenSSL. */ + if (getenv("AFL_DEBUG")) + fprintf(stderr, + "DEBUG: id_str %s, __afl_map_addr 0x%x, MAP_SIZE %u, " + "__afl_final_loc %u, max_size_forkserver %u/0x%x\n", + id_str == NULL ? "" : id_str, __afl_map_addr, MAP_SIZE, + __afl_final_loc, FS_OPT_MAX_MAPSIZE, FS_OPT_MAX_MAPSIZE); + if (id_str) { #ifdef USEMMAP @@ -115,6 +169,7 @@ static void __afl_map_shm(void) { if (shm_fd == -1) { fprintf(stderr, "shm_open() failed\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -122,13 +177,14 @@ static void __afl_map_shm(void) { /* map the shared memory segment to the address space of the process */ if (__afl_map_addr) { - shm_base = mmap((void *)__afl_map_addr, map_size, PROT_READ | PROT_WRITE, - MAP_FIXED | MAP_SHARED, shm_fd, 0); + shm_base = + mmap((void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE, + MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); } else { - shm_base = - mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0); + shm_base = mmap(0, __afl_map_size, PROT_READ | PROT_WRITE, MAP_SHARED, + shm_fd, 0); } @@ -138,6 +194,10 @@ static void __afl_map_shm(void) { shm_fd = -1; fprintf(stderr, "mmap() failed\n"); + if (__afl_map_addr) + send_forkserver_error(FS_ERROR_MAP_ADDR); + else + send_forkserver_error(FS_ERROR_MMAP); exit(2); } @@ -152,7 +212,15 @@ static void __afl_map_shm(void) { /* Whooooops. */ - if (__afl_area_ptr == (void *)-1) _exit(1); + if (__afl_area_ptr == (void *)-1) { + + if (__afl_map_addr) + send_forkserver_error(FS_ERROR_MAP_ADDR); + else + send_forkserver_error(FS_ERROR_SHMAT); + _exit(1); + + } /* Write something into the bitmap so that even with low AFL_INST_RATIO, our parent doesn't give up on us. */ @@ -162,8 +230,8 @@ static void __afl_map_shm(void) { } else if (__afl_map_addr) { __afl_area_ptr = - mmap((void *)__afl_map_addr, map_size, PROT_READ | PROT_WRITE, - MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0); + mmap((void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE, + MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); if (__afl_area_ptr == MAP_FAILED) { fprintf(stderr, "can not aquire mmap for address %p\n", @@ -224,13 +292,9 @@ static void __afl_start_snapshots(void) { static u8 tmp[4] = {0, 0, 0, 0}; s32 child_pid; u32 status = 0; - u32 map_size = MAP_SIZE; u32 already_read_first = 0; u32 was_killed; - if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) - map_size = __afl_final_loc; - u8 child_stopped = 0; void (*old_sigchld_handler)(int) = 0; // = signal(SIGCHLD, SIG_DFL); @@ -239,8 +303,8 @@ static void __afl_start_snapshots(void) { assume we're not running in forkserver mode and just execute program. */ status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT); - if (map_size <= 0x800000) - status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); + if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) + status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; memcpy(tmp, &status, 4); @@ -393,19 +457,15 @@ static void __afl_start_forkserver(void) { u8 tmp[4] = {0, 0, 0, 0}; s32 child_pid; u32 status = 0; - u32 map_size = MAP_SIZE; u32 already_read_first = 0; u32 was_killed; - if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) - map_size = __afl_final_loc; - u8 child_stopped = 0; void (*old_sigchld_handler)(int) = 0; // = signal(SIGCHLD, SIG_DFL); - if (map_size <= 0x800000) - status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); + if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) + status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; if (status) status |= (FS_OPT_ENABLED); memcpy(tmp, &status, 4); @@ -543,12 +603,8 @@ static void __afl_start_forkserver(void) { int __afl_persistent_loop(unsigned int max_cnt) { - static u8 first_pass = 1; - static u32 cycle_cnt; - unsigned int map_size = MAP_SIZE; - - if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) - map_size = __afl_final_loc; + static u8 first_pass = 1; + static u32 cycle_cnt; if (first_pass) { @@ -559,7 +615,7 @@ int __afl_persistent_loop(unsigned int max_cnt) { if (is_persistent) { - memset(__afl_area_ptr, 0, map_size); + memset(__afl_area_ptr, 0, __afl_map_size); __afl_area_ptr[0] = 1; memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); diff --git a/src/afl-common.c b/src/afl-common.c index 8d444876..8ae03113 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -928,7 +928,8 @@ u32 get_map_size() { map_size = atoi(ptr); if (map_size < 8 || map_size > (1 << 29)) { - FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); + FATAL("illegal AFL_MAP_SIZE %u, must be between %u and %u", map_size, 8, + 1 << 29); } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 0c795f9c..555b82a4 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -55,6 +55,8 @@ list_t fsrv_list = {.element_prealloc_count = 0}; +void report_error_and_exit(int error); + static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) { execv(fsrv->target_path, argv); @@ -67,7 +69,6 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { // this structure needs default so we initialize it if this was not done // already - fsrv->out_fd = -1; fsrv->out_dir_fd = -1; fsrv->dev_null_fd = -1; @@ -83,7 +84,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { /* exec related stuff */ fsrv->child_pid = -1; - fsrv->map_size = MAP_SIZE; + fsrv->map_size = get_map_size(); fsrv->use_fauxsrv = 0; fsrv->last_run_timed_out = 0; @@ -201,6 +202,44 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { } +/* Report on the error received via the forkserver controller and exit */ +void report_error_and_exit(int error) { + + switch (error) { + + case FS_ERROR_MAP_SIZE: + FATAL( + "AFL_MAP_SIZE is not set and fuzzing target reports that the " + "required size is very large. Solution: Run the fuzzing target " + "stand-alone with the environment variable AFL_DEBUG=1 set and set " + "the value for __afl_final_loc in the AFL_MAP_SIZE environment " + "variable for afl-fuzz."); + break; + case FS_ERROR_MAP_ADDR: + FATAL( + "the fuzzing target reports that hardcoded map address might be the " + "reason the mmap of the shared memory failed. Solution: recompile " + "the target with either afl-clang-lto and the environment variable " + "AFL_LLVM_MAP_DYNAMIC set or recompile with afl-clang-fast."); + break; + case FS_ERROR_SHM_OPEN: + FATAL("the fuzzing target reports that the shm_open() call failed."); + break; + case FS_ERROR_SHMAT: + FATAL("the fuzzing target reports that the shmat() call failed."); + break; + case FS_ERROR_MMAP: + FATAL( + "the fuzzing target reports that the mmap() call to the share memory " + "failed."); + break; + default: + FATAL("unknown error code %u from fuzzing target!", error); + + } + +} + /* Spins up fork server (instrumented mode only). The idea is explained here: http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html @@ -400,6 +439,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) { OKF("All right - fork server is up."); } + if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) + report_error_and_exit(FS_OPT_GET_ERROR(status)); + if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { if (!be_quiet && getenv("AFL_DEBUG")) { @@ -434,9 +476,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, FATAL( "Target's coverage map size of %u is larger than the one this " - "afl++ is set with (%u) (change MAP_SIZE_POW2 in config.h and " - "recompile or set AFL_MAP_SIZE)\n", - tmp_map_size, fsrv->map_size); + "afl++ is set with (%u). Either set AFL_MAP_SIZE=%u and restart " + " afl-fuzz, or change MAP_SIZE_POW2 in config.h and recompile " + "afl-fuzz", + tmp_map_size, fsrv->map_size, tmp_map_size); } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index b38c9ec5..9f48182b 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -81,7 +81,15 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { and out_size are NULL/0 by default. */ memset(afl, 0, sizeof(afl_state_t)); - if (!map_size) { afl->shm.map_size = MAP_SIZE; } + if (!map_size) { + + afl->shm.map_size = MAP_SIZE; + + } else { + + afl->shm.map_size = map_size; + + } afl->w_init = 0.9; afl->w_end = 0.3; diff --git a/src/afl-gcc.c b/src/afl-gcc.c index ac6fdd62..7eb01c0c 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -157,8 +157,7 @@ static void edit_params(u32 argc, char **argv) { } else { fprintf(stderr, "Name of the binary: %s\n", argv[0]); - FATAL( - "Name of the binary is not a known name, expected afl-clang(++)"); + FATAL("Name of the binary is not a known name, expected afl-clang(++)"); } @@ -173,15 +172,22 @@ static void edit_params(u32 argc, char **argv) { #ifdef __APPLE__ if (!strcmp(name, "afl-g++")) { + cc_params[0] = getenv("AFL_CXX"); + } else if (!strcmp(name, "afl-gcj")) { + cc_params[0] = getenv("AFL_GCJ"); + } else if (!strcmp(name, "afl-gcc")) { + cc_params[0] = getenv("AFL_CC"); + } else { + fprintf(stderr, "Name of the binary: %s\n", argv[0]); - FATAL( - "Name of the binary is not a known name, expected afl-gcc/g++/gcj"); + FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj"); + } if (!cc_params[0]) { @@ -218,8 +224,7 @@ static void edit_params(u32 argc, char **argv) { } else { fprintf(stderr, "Name of the binary: %s\n", argv[0]); - FATAL( - "Name of the binary is not a known name, expected afl-gcc/g++/gcj"); + FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj"); } diff --git a/test/test-compcov.c b/test/test-compcov.c index 5278af93..c8dd674e 100644 --- a/test/test-compcov.c +++ b/test/test-compcov.c @@ -25,7 +25,7 @@ int main(int argc, char **argv) { printf("your string was bugmenot\n"); else if (strcmp(input, "BUFFEROVERFLOW") == 0) { - buf = (char*)malloc(16); + buf = (char *)malloc(16); strcpy(buf, "TEST"); strcat(buf, input); printf("This will only crash with libdislocator: %s\n", buf); -- cgit 1.4.1 From 5c017d7071c458193101ee864e055e68a13ed03d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 25 Apr 2020 12:48:48 +0200 Subject: travis Dockerfiles for testing and debugging --- test/travis/bionic/Dockerfile | 43 ++++++++++++++++++++++++++++++++++++++ test/travis/trusty/Dockerfile | 48 +++++++++++++++++++++++++++++++++++++++++++ test/travis/xenial/Dockerfile | 45 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 136 insertions(+) create mode 100644 test/travis/bionic/Dockerfile create mode 100644 test/travis/trusty/Dockerfile create mode 100644 test/travis/xenial/Dockerfile (limited to 'test') diff --git a/test/travis/bionic/Dockerfile b/test/travis/bionic/Dockerfile new file mode 100644 index 00000000..3883f775 --- /dev/null +++ b/test/travis/bionic/Dockerfile @@ -0,0 +1,43 @@ +# This is the Dockerfile for testing problems in Travis build +# configuration #1. +# This needs not to be rebuild everytime, most of the time it needs just to +# be build once and then started when debugging issues and execute: +# cd /AFLplusplus/ +# git pull +# make distrib +# +FROM ubuntu:bionic +LABEL "about"="travis image 1" +RUN apt-get update && apt-get -y install \ + automake \ + bison \ + build-essential \ + clang \ + flex \ + git \ + python3.7 python3.7-dev \ + libtool libtool-bin \ + libglib2.0-dev \ + python-setuptools \ + wget \ + ca-certificates \ + libpixman-1-dev \ + gcc-7 gcc-7-plugin-dev libc++-7-dev \ + findutils \ + libcmocka-dev \ + joe nano vim locate \ + && rm -rf /var/lib/apt/lists/* + +ENV AFL_NO_UI=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 + +RUN cd / && \ + git clone https://github.com/AFLplusplus/AFLplusplus && \ + cd AFLplusplus && \ + git checkout dev && \ + cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ + cd ../unicorn_mode && git submodule init && git submodule update || true && \ + cd /AFLplusplus && ASAN_BUILD=1 make source-only || true + +WORKDIR /AFLplusplus +CMD ["/bin/bash"] diff --git a/test/travis/trusty/Dockerfile b/test/travis/trusty/Dockerfile new file mode 100644 index 00000000..7b86f3e7 --- /dev/null +++ b/test/travis/trusty/Dockerfile @@ -0,0 +1,48 @@ +# This is the Dockerfile for testing problems in Travis builds +# configuration #3. +# This needs not to be rebuild everytime, most of the time it needs just to +# be build once and then started when debugging issues and execute: +# cd /AFLplusplus/ +# git pull +# make distrib +# +FROM ubuntu:trusty +LABEL "about"="travis image 3" +RUN apt-get update && apt-get -y install \ + automake \ + bison \ + build-essential \ + clang \ + flex \ + git \ + python2.7 python2.7-dev \ + libtool \ + libglib2.0-dev \ + python-setuptools \ + wget \ + ca-certificates \ + libpixman-1-dev \ + gcc-4.8 gcc-4.8-plugin-dev \ + libc++-dev \ + findutils \ + libcmocka-dev \ + joe nano vim locate \ + && rm -rf /var/lib/apt/lists/* + +ENV TERM linux +ENV DEBIAN_FRONTEND noninteractive +ENV LLVM_CONFIG=llvm-config-3.4 +ENV AFL_NO_UI=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 + +RUN cd / && \ + git clone https://github.com/AFLplusplus/AFLplusplus && \ + cd AFLplusplus && \ + git checkout dev && \ + cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ + cd ../unicorn_mode && git submodule init && git submodule update || true && \ + cd /AFLplusplus && ASAN_BUILD=1 make source-only || true + +WORKDIR /AFLplusplus +CMD ["/bin/bash"] + diff --git a/test/travis/xenial/Dockerfile b/test/travis/xenial/Dockerfile new file mode 100644 index 00000000..a5f8d359 --- /dev/null +++ b/test/travis/xenial/Dockerfile @@ -0,0 +1,45 @@ +# This is the Dockerfile for testing problems in Travis builds +# configuration #2. +# This needs not to be rebuild everytime, most of the time it needs just to +# be build once and then started when debugging issues and execute: +# cd /AFLplusplus/ +# git pull +# make distrib +# +FROM ubuntu:xenial +LABEL "about"="travis image 2" +RUN apt-get update && apt-get -y install \ + automake \ + bison \ + build-essential \ + clang-6.0 \ + flex \ + git \ + python3 python3-dev \ + libtool libtool-bin \ + libglib2.0-dev \ + python-setuptools \ + wget \ + ca-certificates \ + libpixman-1-dev \ + gcc-5 gcc-5-plugin-dev \ + libc++-dev \ + findutils \ + libcmocka-dev \ + joe nano vim locate \ + && rm -rf /var/lib/apt/lists/* + +ENV LLVM_CONFIG=llvm-config-6.0 +ENV AFL_NO_UI=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 + +RUN cd / && \ + git clone https://github.com/AFLplusplus/AFLplusplus && \ + cd AFLplusplus && \ + git checkout dev && \ + cd qemu_mode && wget http://download.qemu-project.org/qemu-3.1.1.tar.xz && \ + cd ../unicorn_mode && git submodule init && git submodule update || true && \ + cd /AFLplusplus && ASAN_BUILD=1 make source-only || true + +WORKDIR /AFLplusplus +CMD ["/bin/bash"] -- cgit 1.4.1 From 66eee34709be9b91808601c7e3e638ffacb858db Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sun, 26 Apr 2020 02:32:09 +0200 Subject: refactored global lists --- include/afl-fuzz.h | 13 ++++++++----- include/common.h | 2 +- src/afl-common.c | 2 +- src/afl-fuzz-init.c | 13 +++---------- src/afl-fuzz-state.c | 33 ++++++++++++++++++++++++++++++++- test/unittests/unit_list.c | 2 +- 6 files changed, 46 insertions(+), 19 deletions(-) (limited to 'test') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 428bfa8e..2203cfdf 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -614,11 +614,6 @@ typedef struct afl_state { } afl_state_t; -/* A global pointer to all instances is needed (for now) for signals to arrive - */ - -extern list_t afl_states; - struct custom_mutator { const char *name; @@ -800,6 +795,14 @@ struct custom_mutator { void afl_state_init(afl_state_t *, uint32_t map_size); void afl_state_deinit(afl_state_t *); + +/* Set stop_soon flag on all childs, kill all childs */ +void afl_states_stop(void); +/* Set clear_screen flag on all states */ +void afl_states_clear_screen(void); +/* Sets the skip flag on all states */ +void afl_states_request_skip(void); + void read_afl_environment(afl_state_t *, char **); /**** Prototypes ****/ diff --git a/include/common.h b/include/common.h index 70ff0744..4aed9572 100644 --- a/include/common.h +++ b/include/common.h @@ -115,7 +115,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, volatile u8 *stop_soon_p); -u32 get_map_size(); +u32 get_map_size(void); #endif diff --git a/src/afl-common.c b/src/afl-common.c index 8ae03113..dda62219 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -918,7 +918,7 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, } -u32 get_map_size() { +u32 get_map_size(void) { uint32_t map_size = MAP_SIZE; char * ptr; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 4dd31ac9..32481887 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1903,7 +1903,7 @@ void fix_up_sync(afl_state_t *afl) { static void handle_resize(int sig) { - LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; }); + afl_states_clear_screen(); } @@ -1954,14 +1954,7 @@ void check_asan_opts(void) { static void handle_stop_sig(int sig) { - LIST_FOREACH(&afl_states, afl_state_t, { - - el->stop_soon = 1; - - if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, SIGKILL); - if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, SIGKILL); - - }); + afl_states_stop(); } @@ -1969,7 +1962,7 @@ static void handle_stop_sig(int sig) { static void handle_skipreq(int sig) { - LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; }); + afl_states_request_skip(); } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index af6fc11f..4f5389e3 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -71,7 +71,7 @@ static void init_mopt_globals(afl_state_t *afl) { /* A global pointer to all instances is needed (for now) for signals to arrive */ -list_t afl_states = {.element_prealloc_count = 0}; +static list_t afl_states = {.element_prealloc_count = 0}; /* Initializes an afl_state_t. */ @@ -398,3 +398,34 @@ void afl_state_deinit(afl_state_t *afl) { } +void afl_states_stop(void) { + + /* We may be inside a signal handler. + Set flags first, send kill signals to child proceses later. */ + LIST_FOREACH(&afl_states, afl_state_t, { + + el->stop_soon = 1; + + }); + + LIST_FOREACH(&afl_states, afl_state_t, { + + if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, SIGKILL); + if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, SIGKILL); + + }); + +} + +void afl_states_clear_screen(void) { + + LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; }); + +} + +void afl_states_request_skip(void) { + + LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; }); + +} + diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c index 90700a11..df4864e4 100644 --- a/test/unittests/unit_list.c +++ b/test/unittests/unit_list.c @@ -40,7 +40,7 @@ int __wrap_printf(const char *format, ...) { return 1; } -list_t testlist; +static list_t testlist = {.element_prealloc_count = 0}; static void test_contains(void **state) { -- cgit 1.4.1