From 6253bea73cdfb9a4ec33fbab66d167ab5dfab7db Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 22 May 2020 12:51:21 +0200 Subject: fix test.sh --- test/test.sh | 1 + 1 file changed, 1 insertion(+) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index 2559f058..37b09968 100755 --- a/test/test.sh +++ b/test/test.sh @@ -68,6 +68,7 @@ unset LD_PRELOAD rm -rf in in2 out export ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=1:abort_on_error=1:symbolize=0 +export AFL_LLVM_INSTRUMENT=AFL # on OpenBSD we need to work with llvm from /usr/local/bin test -e /usr/local/bin/opt && { -- cgit 1.4.1 From 536397b22fb497bc26675e2141d4364b22876bfb Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 22 May 2020 13:31:16 +0200 Subject: travis debug --- test/test.sh | 1 + 1 file changed, 1 insertion(+) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index 37b09968..37581d5f 100755 --- a/test/test.sh +++ b/test/test.sh @@ -352,6 +352,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { rm -f test-instr.instrim test.out } || { $ECHO "$RED[!] llvm_mode InsTrim compilation failed" + AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c CODE=1 } } || { -- cgit 1.4.1 From 7d3cfcfd0bbcf8049e0952bbc96939f3f997186a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 22 May 2020 13:49:50 +0200 Subject: more test.sh fixes --- test/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index 37581d5f..cf1f1797 100755 --- a/test/test.sh +++ b/test/test.sh 
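Review bot: The new `export AFL_LLVM_INSTRUMENT=AFL` pins the instrumentation mode for every afl-clang-fast call in the script, but nothing says why, while the neighbouring OpenBSD block does explain itself. Later commits on this page override the value per command (`AFL_LLVM_INSTRUMENT=CFG` for the InsTrim test), so a reader cannot tell whether this export is a default or a requirement. A line such as `# default to classic instrumentation; individual tests override it per command` (confirm the actual reason) above the export would settle it.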
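Review bot: The compiler re-run added in the InsTrim failure branch repeats the whole build just to surface its diagnostics, yet the first invocation (visible as the removed line of the -340 hunk in the next commit) already captures stderr with `2>test.out`, and test.out is only deleted on the success path, so `cat test.out` after the `$ECHO "$RED[!] llvm_mode InsTrim compilation failed"` line would show the same errors without a second compile. The re-run also has no redirections, so its output lands in the test's stdout rather than the log. If it is meant as temporary Travis debugging, a `# debug only, remove before merge` comment would mark it as such.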
@@ -340,7 +340,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { # now for the special llvm_mode things test -e ../libLLVMInsTrim.so && { - AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out + AFL_LLVM_INSTRUMENT=CFG AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out test -e test-instr.instrim && { TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` test "$TUPLES" -gt 2 -a "$TUPLES" -lt 5 && { @@ -352,13 +352,13 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { rm -f test-instr.instrim test.out } || { $ECHO "$RED[!] llvm_mode InsTrim compilation failed" - AFL_LLVM_INSTRIM=1 AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c CODE=1 } } || { $ECHO "$YELLOW[-] llvm_mode InsTrim not compiled, cannot test" INCOMPLETE=1 } + AFL_LLVM_INSTRUMENT=CFG AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { grep --binary-files=text -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { -- cgit 1.4.1 From 0f8da71588ecf0de4b7e56754107c2fedd6cbb0f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 22 May 2020 13:50:39 +0200 Subject: more test.sh fixes --- test/test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index cf1f1797..8d9e7e00 100755 --- a/test/test.sh +++ b/test/test.sh 
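Review bot: In the -340 hunk `AFL_LLVM_INSTRIM=1` is swapped for `AFL_LLVM_INSTRUMENT=CFG` while `AFL_LLVM_INSTRIM_LOOPHEAD=1` stays, and neither this line nor the `# now for the special llvm_mode things` comment records that CFG is the new spelling of the InsTrim selection; the guard above still tests for `../libLLVMInsTrim.so` and the failure message still says InsTrim. A comment such as `# AFL_LLVM_INSTRUMENT=CFG selects the InsTrim pass (replaces AFL_LLVM_INSTRIM=1)` on the compile line would tie the three together. The compcov compile line added in the -352 hunk has the same gap: it gains `AFL_LLVM_INSTRUMENT=CFG` without a word on why a laf-intel test needs a specific instrumentation mode, and the very next commit on this page flips it to AFL, which suggests the choice is not obvious.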
@@ -358,7 +358,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$YELLOW[-] llvm_mode InsTrim not compiled, cannot test" INCOMPLETE=1 } - AFL_LLVM_INSTRUMENT=CFG + AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 test -e test-compcov.compcov && { grep --binary-files=text -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { -- cgit 1.4.1 From 68e66fa92090f7acd3555c8d64ee29ff97334f02 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 24 May 2020 01:59:08 +0200 Subject: fix compare-transform for strn?casecmp --- docs/Changelog.md | 2 ++ llvm_mode/afl-clang-fast.c | 24 ++++++++++++++---------- llvm_mode/compare-transform-pass.so.cc | 10 ++++++++-- test/test-compcov.c | 2 ++ 4 files changed, 26 insertions(+), 12 deletions(-) (limited to 'test') diff --git a/docs/Changelog.md b/docs/Changelog.md index ae398b66..4b6e90e5 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -27,6 +27,8 @@ sending a mail to . - added AFL_LLVM_LAF_ALL, sets all laf-intel settings - LTO whitelist functionality rewritten, now main, _init etc functions need not to be whitelisted anymore + - fixed crash in compare-transform-pass when strcasemp/strncasecmp was + tried to be instrumented - fixed afl-gcc/afl-as that could break on fast systems reusing pids in the same second - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 2aeb0400..8791c5ae 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c 
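Review bot: The per-command `AFL_LLVM_INSTRUMENT=AFL` now on the compcov compile line duplicates the `export AFL_LLVM_INSTRUMENT=AFL` that the first commit on this page added near the top of test.sh, so unless something between the two changes the variable (the InsTrim test sets CFG only for its own command), the assignment is redundant. Either drop it or keep it with a comment like `# classic mode on purpose: the location counts below assume AFL instrumentation` so the next reader knows it is deliberate, given this is the second flip of the value in two commits. The `location` grep below is the only consumer visible here, so the reason for AFL over CFG is presumably there; confirm.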
@@ -220,6 +220,20 @@ static void edit_params(u32 argc, char **argv, char **envp) { afl-clang-lto(++) */ + if (lto_mode) { + + if (getenv("AFL_LLVM_WHITELIST") != NULL) { + + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/afl-llvm-lto-whitelist.so", obj_path); + + } + + } + // laf if (getenv("LAF_SPLIT_SWITCHES") || getenv("AFL_LLVM_LAF_SPLIT_SWITCHES")) { @@ -289,16 +303,6 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (lto_mode) { - if (getenv("AFL_LLVM_WHITELIST") != NULL) { - - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = - alloc_printf("%s/afl-llvm-lto-whitelist.so", obj_path); - - } - cc_params[cc_par_cnt++] = alloc_printf("-fuse-ld=%s", AFL_REAL_LD); cc_params[cc_par_cnt++] = "-Wl,--allow-multiple-definition"; if (instrument_mode == INSTRUMENT_CFG) diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 1ebc54d7..2f5eb341 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -438,9 +438,13 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, for (uint64_t i = 0; i < constLen; i++) { - BasicBlock *cur_bb = next_bb; + BasicBlock * cur_bb = next_bb; + unsigned char c; - char c = isCaseInsensitive ? tolower(ConstStr[i]) : ConstStr[i]; + if (isCaseInsensitive) + c = (unsigned char)(tolower((int)ConstStr[i]) & 0xff); + else + c = (unsigned char)ConstStr[i]; BasicBlock::iterator IP = next_bb->getFirstInsertionPt(); IRBuilder<> IRB(&*IP); 
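Review bot: The whitelist `-load` block is moved in front of the laf passes without a comment saying why the order matters, and the commit subject (strn?casecmp fix) does not mention the move, so nothing stops a later cleanup from putting it back under the second `if (lto_mode)` where the linker flags live. A one-line comment above the relocated block, e.g. `/* must be registered before the laf-intel passes below (document why) */` with the real reason filled in, would record the dependency. The -289 hunk is the matching removal; both lie inside edit_params, whose start and end are outside these hunks.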
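Review bot: `tolower((int)ConstStr[i])` passes a plain `char` widened to int, so a byte with the high bit set becomes a negative argument, which is outside the domain tolower() accepts (values of unsigned char or EOF) and can fault or return garbage depending on the libc; the `& 0xff` afterwards does not repair an already-invalid argument. Cast to unsigned char before the call and the mask becomes unnecessary: `c = (unsigned char)tolower((unsigned char)ConstStr[i]);`. Whether this was the crash the Changelog entry refers to is not visible here; the enclosing loop body continues past the hunk.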
@@ -448,9 +452,11 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, Value *v = ConstantInt::get(Int64Ty, i); Value *ele = IRB.CreateInBoundsGEP(VarStr, v, "empty"); Value *load = IRB.CreateLoad(ele); + if (isCaseInsensitive) { // load >= 'A' && load <= 'Z' ? load | 0x020 : load + load = IRB.CreateZExt(load, Int32Ty); std::vector args; args.push_back(load); load = IRB.CreateCall(tolowerFn, args, "tmp"); diff --git a/test/test-compcov.c b/test/test-compcov.c index c8dd674e..a2202a22 100644 --- a/test/test-compcov.c +++ b/test/test-compcov.c @@ -39,6 +39,8 @@ int main(int argc, char **argv) { printf("short local var memcmp works!\n"); else if (memcmp(global_cmpval, input, sizeof(global_cmpval)) == 0) printf("global var memcmp works!\n"); + else if (strncasecmp("-h", input, 2) == 0) + printf("this is not the help you are looking for\n"); else printf("I do not know your string\n"); -- cgit 1.4.1 From 7e4c5b36365e0448a7afaaee72e65792a90ab64e Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Fri, 22 May 2020 14:27:53 +0100 Subject: tests: add test of compiled compcov binary's functionality --- test/test-compcov.c | 14 ++++++++++++-- test/test.sh | 26 ++++++++++++++++++++------ 2 files changed, 32 insertions(+), 8 deletions(-) (limited to 'test') diff --git a/test/test-compcov.c b/test/test-compcov.c index a2202a22..4959c39c 100644 --- a/test/test-compcov.c +++ b/test/test-compcov.c 
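Review bot: The new `IRB.CreateZExt(load, Int32Ty)` widens the loaded byte before the tolowerFn call, but the hunk ends right after the call and does not show the result being narrowed back (or the 8-bit constant `c` being widened) before the two are compared; if the comparison below is emitted on mismatched widths the IR verifier will reject it, so confirm the lines after the hunk add a Trunc or compare at i32. The pre-existing comment `// load >= 'A' && load <= 'Z' ? load | 0x020 : load` describes an inline lowering that this code does not perform — it calls tolower — and would read better as `// lower-case the loaded byte via a call to tolower(); widen to int first` now that the call is extended. transformCmps starts and ends outside the hunk.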
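Review bot: The new branch calls `strncasecmp`, which POSIX declares in `<strings.h>` rather than `<string.h>`; the include list is outside the hunk, so confirm it is present, otherwise the test binary is built against an implicit declaration. The argument order `strncasecmp("-h", input, 2)` is also reversed relative to every other branch here (`strcmp(input, ...)`), which is harmless for an equality test but worth aligning as `strncasecmp(input, "-h", 2)` so the constant sits in the same operand position as in the other cases; whether the compare-transform pass cares about position is not visible here.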
@@ -20,9 +20,19 @@ int main(int argc, char **argv) { } if (strcmp(input, "LIBTOKENCAP") == 0) - printf("your string was libtokencap\n"); + printf("your string was LIBTOKENCAP\n"); else if (strcmp(input, "BUGMENOT") == 0) - printf("your string was bugmenot\n"); + printf("your string was BUGMENOT\n"); + else if (strncmp(input, "BANANA", 3) == 0) + printf("your string started with BAN\n"); + else if (strcmp(input, "APRI\0COT") == 0) + printf("your string was APRI\n"); + else if (strcasecmp(input, "Kiwi") == 0) + printf("your string was Kiwi\n"); + else if (strncasecmp(input, "avocado", 9) == 0) + printf("your string was avocado\n"); + else if (strncasecmp(input, "Grapes", argc > 2 ? atoi(argv[2]) : 3) == 0) + printf("your string was a prefix of Grapes\n"); else if (strcmp(input, "BUFFEROVERFLOW") == 0) { buf = (char *)malloc(16); diff --git a/test/test.sh b/test/test.sh index 8d9e7e00..7f1410ea 100755 --- a/test/test.sh +++ b/test/test.sh @@ -22,6 +22,20 @@ else GREPAOPTION= fi +test_compcov_binary_functionality() { + RUN="../afl-showmap -o /dev/null -- $1" + $RUN 'LIBTOKENCAP' | grep 'your string was LIBTOKENCAP' \ + && $RUN 'BUGMENOT' | grep 'your string was BUGMENOT' \ + && $RUN 'BANANA' | grep 'your string started with BAN' \ + && $RUN 'APRI' | grep 'your string was APRI' \ + && $RUN 'kiWI' | grep 'your string was Kiwi' \ + && $RUN 'Avocado' | grep 'your string was avocado' \ + && $RUN 'GRAX' 3 | grep 'your string was a prefix of Grapes' \ + && $RUN 'LOCALVARIABLE' | grep 'local var memcmp works!' \ + && $RUN 'abc' | grep 'short local var memcmp works!' \ + && $RUN 'GLOBALVARIABLE' | grep 'global var memcmp works!' +} > /dev/null + ECHO="printf %b\\n" $ECHO \\101 2>&1 | grep -qE '^A' || { ECHO= 
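Review bot: Two of the new compares rely on deliberate oddities that carry no comment: `strcmp(input, "APRI\0COT")` embeds a NUL so only "APRI" is compared, and `strncasecmp(input, "avocado", 9)` uses a length beyond the literal's 7 characters; a later cleanup could easily "fix" either. Comments such as `/* embedded NUL: the compared constant is "APRI", length 4 */` and `/* n deliberately exceeds the literal length */` would protect them. The `atoi(argv[2])` branch accepts any text and yields 0 for garbage, which is acceptable for a test program but deserves `/* argv[2] selects the compared prefix length */` so the `GRAX 3` case in test.sh is understandable from this side.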
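Review bot: `test_compcov_binary_functionality` runs `../afl-showmap -o /dev/null -- $1` without the `-m ${MEM_LIMIT}` and without the `echo … |` stdin feed that the other afl-showmap calls in this script use, so on a host where the default memory limit is too low for these builds (the script sets ASAN_OPTIONS, so some may be sanitized), or where afl-showmap waits on an interactive stdin, the check fails for reasons unrelated to compcov. `RUN="../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- $1"` and prefixing each call with `echo 0 |` would align it with the rest, assuming MEM_LIMIT is set before the first call. A one-line comment above the function stating that it only checks the instrumented binary still answers the known inputs correctly would also help, since the name alone does not say what "functionality" means.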
@@ -259,7 +273,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$RED[!] llvm_mode failed" CODE=1 } - test -e test-compcov.harden && { + test -e test-compcov.harden && test_compcov_binary_functionality ./test-compcov.harden && { grep -Eq$GREPAOPTION 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] llvm_mode hardened mode succeeded and is working" } || { @@ -360,8 +374,8 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1 - test -e test-compcov.compcov && { - grep --binary-files=text -Eq " [ 12][0-9][0-9] location| [3-9][0-9] location" test.out && { + test -e test-compcov.compcov && test_compcov_binary_functionality ./test-compcov.compcov && { + grep --binary-files=text -Eq " [ 123][0-9][0-9] location| [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" } || { $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" @@ -374,7 +388,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { rm -f test-compcov.compcov test.out echo foobar.c > whitelist.txt AFL_DEBUG=1 AFL_LLVM_WHITELIST=whitelist.txt ../afl-clang-fast -o test-compcov test-compcov.c > test.out 2>&1 - test -e test-compcov && { + test -e test-compcov && test_compcov_binary_functionality ./test-compcov && { grep -q "No instrumentation targets found" test.out && { $ECHO "$GREEN[+] llvm_mode whitelist feature works correctly" } || { 
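Review bot: In each of the three hunks the new `&& test_compcov_binary_functionality ./X` is chained into the existing `test -e X && { … } || { … }`, so a binary that builds but misbehaves falls into the same outer `||` branch as a binary that was never produced and is reported with that branch's message, which lies outside the hunk and presumably talks about compilation. Giving the function its own failure report, e.g. a `$ECHO "$RED[!] $1 does not behave correctly after instrumentation"` on its false path, or splitting the check into a nested `test_compcov_binary_functionality ./test-compcov.harden || { … }` inside the existence block, would make the new failure mode identifiable in CI logs. The same pattern is repeated in the two gcc_plugin hunks (-513 and -558) on the next page line. In the -360 hunk the grep is widened to `[ 123][0-9][0-9] location`, presumably for the extra compares added to test-compcov.c; a comment stating the expected count range would save the next person from guessing.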
@@ -513,7 +527,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { CODE=1 } - test -e test-compcov.harden.gccpi && { + test -e test-compcov.harden.gccpi && test_compcov_binary_functionality ./test-compcov.harden.gccpi && { grep -Eq$GREPAOPTION 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden.gccpi > /dev/null 2>&1 && { $ECHO "$GREEN[+] gcc_plugin hardened mode succeeded and is working" } || { @@ -558,7 +572,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { # now for the special gcc_plugin things echo foobar.c > whitelist.txt AFL_GCC_WHITELIST=whitelist.txt ../afl-gcc-fast -o test-compcov test-compcov.c > /dev/null 2>&1 - test -e test-compcov && { + test -e test-compcov && test_compcov_binary_functionality ./test-compcov && { echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 1 tuples" && { $ECHO "$GREEN[+] gcc_plugin whitelist feature works correctly" } || { -- cgit 1.4.1