From 23d9649aec7a7d74082debdb9f6fa2f5ffca7268 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 28 Mar 2020 09:31:30 +0100 Subject: making 'CFLAGS="-m32" make source-only tests' work --- test/test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index 8434aaf1..ec4e71d0 100755 --- a/test/test.sh +++ b/test/test.sh @@ -580,7 +580,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { } $ECHO "$BLUE[*] Testing: shared library extensions" -cc -o test-compcov test-compcov.c > /dev/null 2>&1 +cc $CFLAGS -o test-compcov test-compcov.c > /dev/null 2>&1 test -e ../libtokencap.so && { AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { -- cgit 1.4.1 From 7c383094d92af16cf610a7c58cc0e7fbd701ff40 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 16:01:29 +0200 Subject: added unittest for unit_maybe_alloc --- Makefile | 19 ++++-- include/alloc-inl.h | 31 +++++++++ test/unittests/unit_maybe_alloc.c | 140 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 184 insertions(+), 6 deletions(-) create mode 100644 test/unittests/unit_maybe_alloc.c (limited to 'test') diff --git a/Makefile b/Makefile index fed33d57..2e4a6570 100644 --- a/Makefile +++ b/Makefile @@ -3,13 +3,13 @@ # ----------------------------- # # Originally written by Michal Zalewski -# +# # Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved. -# +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: -# +# # http://www.apache.org/licenses/LICENSE-2.0 # 
@@ -311,13 +311,20 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86 document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o | test_x86 $(CC) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) +test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) + $(CC) $(CFLAGS) $(CFLAGS_FLTO) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o + +unit_maybe_alloc: test/unittests/unit_maybe_alloc.o + $(CC) $(CFLAGS) -lcmocka -Wl,--wrap=exit -Wl,--wrap=printf $(LDFLAGS) test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc + ./test/unittests/unit_maybe_alloc +unit: unit_maybe_alloc code-format: ./.custom-format.py -i src/*.c ./.custom-format.py -i include/*.h - ./.custom-format.py -i libdislocator/*.c - ./.custom-format.py -i libtokencap/*.c + ./.custom-format.py -i libdislocator/*.c + ./.custom-format.py -i libtokencap/*.c ./.custom-format.py -i llvm_mode/*.c ./.custom-format.py -i llvm_mode/*.h ./.custom-format.py -i llvm_mode/*.cc 
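Review bot: In the `unit_maybe_alloc` link rule `-lcmocka` comes before `test/unittests/unit_maybe_alloc.o`, so on toolchains that link with `--as-needed` (the Ubuntu default) the library is discarded before any object references it and the link fails with undefined `_cmocka_run_group_tests`/`mock_assert`; libraries belong after the objects that use them: `$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) -lcmocka`. `-Wl,--wrap` is a GNU ld feature, so this target presumably cannot build on macOS ld64; since `unit` is not part of `all` that only matters when invoked, but a comment on the rule saying so would save the next person a confusing link error. The `.o` rule also lists `$(AFL_FUZZ_FILES)` as a prerequisite although only `alloc-inl.h` is compiled, which just forces needless rebuilds.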
@@ -364,7 +371,7 @@ all_done: test_build .NOTPARALLEL: clean clean: - rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 + rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM -$(MAKE) -C llvm_mode clean -$(MAKE) -C gcc_plugin clean diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 4211e398..47a16bb8 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h 
@@ -784,6 +784,35 @@ static inline size_t next_pow2(size_t in) { } +/* This function makes sure *size is > size_needed after call. + It will realloc *buf otherwise. + *size will grow exponentially as per: + https://blog.mozilla.org/nnethercote/2014/11/04/please-grow-your-buffers-exponentially/ + Will return NULL and free *buf if size_needed is <1 or realloc failed. + @return For convenience, this function returns *buf. + */ +static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) { + + /* No need to realloc */ + if (likely(size_needed && *size >= size_needed)) return *buf; + + /* No initial size was set */ + if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE; + + /* grow exponentially */ + size_t next_size = next_pow2(size_needed); + + /* handle overflow and zero size_needed */ + if (!next_size) { next_size = size_needed; } + + /* alloc */ + *buf = realloc(*buf, next_size); + *size = *buf ? next_size : 0; + + return *buf; + +} + /* This function makes sure *size is > size_needed after call. It will realloc *buf otherwise. *size will grow exponentially as per: @@ -817,6 +846,8 @@ static inline void *ck_maybe_grow(void **buf, size_t *size, } + + /* Swaps buf1 ptr and buf2 ptr, as well as their sizes */ static inline void swap_bufs(void **buf1, size_t *size1, void **buf2, size_t *size2) { diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c new file mode 100644 index 00000000..93f10889 --- /dev/null +++ b/test/unittests/unit_maybe_alloc.c 
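Review bot: `*buf = realloc(*buf, next_size);` overwrites the only pointer to the old allocation, so when realloc fails the old buffer leaks and the caller is left with `*buf == NULL`, `*size == 0` — while the header comment promises that `*buf` is freed, which never happens. Use a temporary so the failure path matches the documentation: `void *tmp = realloc(*buf, next_size); if (!tmp) { free(*buf); *buf = NULL; *size = 0; return NULL; } *buf = tmp; *size = next_size;`. The comment also says `size_needed < 1` returns NULL, but a zero request skips the `likely()` early return, is bumped to `INITIAL_GROWTH_SIZE` and allocates; either add `if (!size_needed) { free(*buf); *buf = NULL; *size = 0; return NULL; }` before the growth logic or fix the comment. Finally the function guarantees `*size >= size_needed`, not `>` as the first comment line states.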
@@ -0,0 +1,140 @@ +#include +#include +#include +#include +#include + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); +#include "alloc-inl.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) { + return 1; +} + +#define BUF_PARAMS (void **)&buf, &size + +static int setup(void **state) { + + return 0; + +} + +static void test_null_allocs(void **state) { + + void *buf = NULL; + size_t size = 0; + void *ptr = ck_maybe_grow(BUF_PARAMS, 100); + assert_true(buf == ptr); + assert_true(size >= 100); + ck_free(ptr); + +} + +static void test_nonpow2_size(void **state) { + + char *buf = ck_alloc(150); + size_t size = 150; + buf[140] = '5'; + char *ptr = ck_maybe_grow(BUF_PARAMS, 160); + assert_ptr_equal(buf, ptr); + assert_true(size >= 160); + assert_true(buf[140] == '5'); + ck_free(ptr); + +} + +static void test_zero_size() { + + char *buf = NULL; + size_t size = 0; + //assert_non_null(maybe_grow(BUF_PARAMS, 0)); + free(buf); + buf = NULL; + size = 0; + + char *ptr = ck_maybe_grow(BUF_PARAMS, 100); + assert_non_null(ptr); + assert_ptr_equal(buf, ptr); + assert_true(size >= 100); + + expect_assert_failure(ck_maybe_grow(BUF_PARAMS, 0)); + +} + +static void test_unchanged_size(void **state) { + + void *buf = ck_alloc(100); + size_t size = 100; + void *buf_before = buf; + void *buf_after = ck_maybe_grow(BUF_PARAMS, 100); + assert_ptr_equal(buf, buf_after); + assert_ptr_equal(buf_after, buf_before); + ck_free(buf); + +} + +static void test_grow_multiple(void **state) { + + char 
*buf = NULL; + size_t size = 0; + + char *ptr = ck_maybe_grow(BUF_PARAMS, 100); + assert_ptr_equal(ptr, buf); + assert_true(size >= 100); + assert_int_equal(size, next_pow2(size)); + buf[50] = '5'; + + ptr = (char *)ck_maybe_grow(BUF_PARAMS, 1000); + assert_ptr_equal(ptr, buf); + assert_true(size >= 100); + assert_int_equal(size, next_pow2(size)); + buf[500] = '5'; + + ptr = (char *)ck_maybe_grow(BUF_PARAMS, 10000); + assert_ptr_equal(ptr, buf); + assert_true(size >= 10000); + assert_int_equal(size, next_pow2(size)); + buf[5000] = '5'; + + assert_int_equal(buf[50], '5'); + assert_int_equal(buf[500], '5'); + assert_int_equal(buf[5000], '5'); + + ck_free(buf); + +} + +static int teardown(void **state) { + + return 0; + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_null_allocs), + cmocka_unit_test(test_nonpow2_size), + cmocka_unit_test(test_zero_size), + cmocka_unit_test(test_unchanged_size), + cmocka_unit_test(test_grow_multiple), + }; + + return cmocka_run_group_tests (tests, setup, teardown); + +} \ No newline at end of file -- cgit 1.4.1 From 245304f5938a700e93a3403b30509dea55a6549e Mon Sep 17 00:00:00 2001 From: h1994st Date: Fri, 27 Mar 2020 02:03:20 -0400 Subject: Add a test case for the custom mutator - Update the Makefile in examples/custom_mutators - Add a test program for testing the custom mutator - Update test.sh for testing the custom mutator - [TODO] Update the result checking criterias of the custom mutator in test.sh --- examples/custom_mutators/Makefile | 7 ++- test/test-custom-mutator.c | 20 ++++++ test/test.sh | 128 ++++++++++++++++++++++++++++++-------- 3 files changed, 127 insertions(+), 28 deletions(-) create mode 100644 test/test-custom-mutator.c (limited to 'test') diff --git a/examples/custom_mutators/Makefile b/examples/custom_mutators/Makefile index a83e87fe..463cefb1 100644 --- a/examples/custom_mutators/Makefile +++ b/examples/custom_mutators/Makefile 
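Review bot: In `test_grow_multiple` the assertion after growing to 1000 bytes is `assert_true(size >= 100);`, a copy of the previous check, so an implementation that grew only to 128 would pass the assertion and then `buf[500] = '5'` would write out of bounds inside the test; it should read `assert_true(size >= 1000);`. `test_zero_size` allocates `ptr` via `ck_maybe_grow(BUF_PARAMS, 100)` and then calls `expect_assert_failure(ck_maybe_grow(BUF_PARAMS, 0))`; if cmocka unwinds that assertion with a longjmp, nothing after it runs and the 100-byte buffer leaks, so free it (or reset `buf`/`size`) before the failing call. `test_zero_size` is also declared with empty parentheses while the other tests take `void **state`, which cmocka's `CMUnitTest` expects. The `#include` lines at the top of this hunk show no header names, which looks like rendering damage rather than the committed file.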
@@ -1,2 +1,7 @@ -all: +all: libexamplemutator.so + +libexamplemutator.so: $(CC) $(CFLAGS) -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so + +clean: + rm -rf libexamplemutator.so diff --git a/test/test-custom-mutator.c b/test/test-custom-mutator.c new file mode 100644 index 00000000..b44c3634 --- /dev/null +++ b/test/test-custom-mutator.c @@ -0,0 +1,20 @@ +/** + * Reference: https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c + */ + +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + char str[100]={ }; + read(0, str, 100); + int *ptr = NULL; + if( str[0] == 'P') { + *ptr = 123; + } + return 0; +} diff --git a/test/test.sh b/test/test.sh index ec4e71d0..725ae9e4 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,8 +60,8 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT -unset AFL_POST_LIBRARY -unset AFL_CUSTOM_MUTATOR_LIBRARY + +export unset AFL_CUSTOM_MUTATOR_LIBRARY=unset AFL_POST_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD unset LD_PRELOAD @@ -73,7 +73,7 @@ export ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=1:abort_on_error=1: # on OpenBSD we need to work with llvm from /usr/local/bin test -e /usr/local/bin/opt && { export PATH=/usr/local/bin:${PATH} -} +} # on MacOS X we prefer afl-clang over afl-gcc, because # afl-gcc does not work there test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { 
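Review bot: In `test-custom-mutator.c` the return value of `read(0, str, 100)` is ignored and `char str[100]={ };` uses an empty initializer that is a GNU extension in C11 (and afl-clang-fast may not compile it under stricter flags); use `char str[100] = {0};` and `ssize_t n = read(0, str, sizeof str);` with `if (n > 0 && str[0] == 'P')`. The crash trigger `*ptr = 123` through a pointer the compiler can prove is NULL is undefined behaviour, and an optimizing build may lower it to a trap or drop it, so the resulting signal (or absence of one) depends on the optimization level rather than on the input; `abort()` is a deterministic trigger.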
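Review bot: The new line `export unset AFL_CUSTOM_MUTATOR_LIBRARY=unset AFL_POST_LIBRARY` in the `@@ -60,8` hunk is an editing accident: it exports a variable literally named `unset`, sets `AFL_CUSTOM_MUTATOR_LIBRARY` to the string `unset` (which afl-fuzz would then try to dlopen), and exports `AFL_POST_LIBRARY` with whatever value the caller had instead of clearing it. The two removed lines `unset AFL_POST_LIBRARY` and `unset AFL_CUSTOM_MUTATOR_LIBRARY` should be restored in their place, since every later test in this script assumes both are unset.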
@@ -142,11 +142,11 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc CODE=1 } rm -f test-compcov.harden - } || { + } || { $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" CODE=1 } - # now we want to be sure that afl-fuzz is working + # now we want to be sure that afl-fuzz is working # make sure core_pattern is set to core on linux (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" @@ -210,13 +210,13 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc unset AFL_QUIET } rm -f test-instr.plain - } || { + } || { $ECHO "$YELLOW[-] afl is not compiled, cannot test" INCOMPLETE=1 } -} || { +} || { $ECHO "$YELLOW[-] not an intel platform, cannot test afl-gcc" -} +} $ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { @@ -248,7 +248,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } } - } || { + } || { $ECHO "$RED[!] llvm_mode instrumentation failed" CODE=1 } @@ -265,11 +265,11 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { CODE=1 } rm -f test-compcov.harden - } || { + } || { $ECHO "$RED[!] llvm_mode hardened mode compilation failed" CODE=1 } - # now we want to be sure that afl-fuzz is working + # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true @@ -373,7 +373,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$RED[!] llvm_mode whitelist feature failed" CODE=1 } - } || { + } || { $ECHO "$RED[!] llvm_mode whitelist feature compilation failed" CODE=1 } 
@@ -426,7 +426,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { CODE=1 } } - } || { + } || { $ECHO "$RED[!] llvm_mode LTO instrumentation failed" CODE=1 } @@ -447,7 +447,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { # $ECHO "$RED[!] llvm_mode LTO whitelist feature failed" # CODE=1 # } -# } || { +# } || { # $ECHO "$RED[!] llvm_mode LTO whitelist feature compilation failed" # CODE=1 # } @@ -483,7 +483,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" CODE=1 - } || { + } || { $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain.gccpi 2>&1 | grep Captur | awk '{print$3}'` test "$TUPLES" -gt 3 -a "$TUPLES" -lt 7 && { @@ -516,7 +516,7 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { $ECHO "$RED[!] gcc_plugin hardened mode compilation failed" CODE=1 } - # now we want to be sure that afl-fuzz is working + # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { $ECHO "$YELLOW[-] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true @@ -552,11 +552,11 @@ test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { test -e test-compcov && { echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 1 tuples" && { $ECHO "$GREEN[+] gcc_plugin whitelist feature works correctly" - } || { + } || { $ECHO "$RED[!] gcc_plugin whitelist feature failed" CODE=1 } - } || { + } || { $ECHO "$RED[!] gcc_plugin whitelist feature compilation failed" CODE=1 } 
@@ -585,7 +585,7 @@ test -e ../libtokencap.so && { AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { $ECHO "$GREEN[+] libtokencap did successfully capture tokens" - } || { + } || { $ECHO "$RED[!] libtokencap did not capture tokens" CODE=1 } @@ -604,7 +604,7 @@ test -e ../libdislocator.so && { $ECHO "$RED[!] libdislocator did not detect the memory corruption" CODE=1 } || { - $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" + $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" } rm -f test.out core test-compcov.core core.test-compcov } || { @@ -700,7 +700,7 @@ test -e ../afl-qemu-trace && { test -e ../libcompcov.so && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode compcov, this will take approx 10 seconds" { - export AFL_PRELOAD=../libcompcov.so + export AFL_PRELOAD=../libcompcov.so export AFL_COMPCOV_LEVEL=2 ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-compcov >>errors 2>&1 unset AFL_PRELOAD @@ -720,10 +720,10 @@ test -e ../afl-qemu-trace && { INCOMPLETE=1 } rm -f errors - } || { + } || { $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode compcov" } - + test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" { @@ -757,9 +757,9 @@ test -e ../afl-qemu-trace && { exit 1 } rm -rf in out errors - } || { + } || { $ECHO "$YELLOW[-] not an intel or arm platform, cannot test persistent qemu_mode" - } + } test -e ../qemu_mode/unsigaction/unsigaction32.so && { ${AFL_CC} -o test-unsigaction32 -m32 test-unsigaction.c >> errors 2>&1 && { 
@@ -824,7 +824,7 @@ test -e ../afl-qemu-trace && { $ECHO "$RED[!] gcc compilation of test targets failed - what is going on??" CODE=1 } - + rm -f test-instr test-compcov } || { $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test" 
@@ -887,12 +887,86 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$RED[!] missing sample binaries in unicorn_mode/samples/ - what is going on??" CODE=1 } - + } || { $ECHO "$YELLOW[-] unicorn_mode is not compiled, cannot test" INCOMPLETE=1 } +$ECHO "$BLUE[*] Testing: custom mutator" +unset AFL_CC # Line 474 sets AFL_CC to "gcc". We reset it to use the default compiler +CUSTOM_MUTATOR_PATH=../examples/custom_mutators +test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c && { + # Compile the vulnerable program + ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c + # Compile the custom mutator + make -C ../examples/custom_mutators libexamplemutator.so + test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { + # Create input directory + mkdir -p in + echo 00000 > in/in + + # Run afl-fuzz w/ the C mutator + $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" + { + export AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + unset AFL_CUSTOM_MUTATOR_LIBRARY + } >>errors 2>&1 + + # Check results + test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + $ECHO "$GREEN[+] afl-fuzz is working correctly with the C mutator" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] 
afl-fuzz is not working correctly with the C mutator" + CODE=1 + } + + # Clean + rm -rf out errors + + # Run afl-fuzz w/ the Python mutator + $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds" + { + export PYTHONPATH=${CUSTOM_MUTATOR_PATH} + export AFL_PYTHON_MODULE=example + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + unset PYTHONPATH + unset AFL_PYTHON_MODULE + } >>errors 2>&1 + + # Check results + test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + $ECHO "$GREEN[+] afl-fuzz is working correctly with the Python mutator" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with the Python mutator" + CODE=1 + } + + # Clean + rm -rf in out errors + rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/ + } || { + ls . + ls ${CUSTOM_MUTATOR_PATH} + $ECHO "$RED[!] cannot compile the test program or the custom mutator" + CODE=1 + } + + make -C ../examples/custom_mutators clean > /dev/null 2>&1 + rm -f test-custom-mutator +} || { + $ECHO "$YELLOW[-] no custom mutators in $CUSTOM_MUTATOR_PATH, cannot test" + INCOMPLETE=1 +} +unset CUSTOM_MUTATOR_PATH + $ECHO "$GREY[*] all test cases completed.$RESET" test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed" test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed" -- cgit 1.4.1 From 1e290542bb77f35d1e7bb340077f1c28c0b03b81 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 16:46:50 +0200 Subject: rebase --- src/afl-fuzz-mutators.c | 4 ++-- test/test.sh | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 754b2190..1a5528a2 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
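Review bot: The guard `test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c` checks `example.c` twice and never checks `../afl-clang-fast`, which the section then calls unconditionally; on a build without llvm_mode the compile fails and the run is reported as `CODE=1` ("cannot compile the test program or the custom mutator") rather than `INCOMPLETE=1`, which is how every other section of test.sh treats a missing component. Add `-e ../afl-clang-fast` to the guard and make the second check `example.py`, because the Python run depends on that file. `export PYTHONPATH=${CUSTOM_MUTATOR_PATH}` followed by `unset PYTHONPATH` also discards any PYTHONPATH the user had set; running the fuzzer with `PYTHONPATH=... AFL_PYTHON_MODULE=example ../afl-fuzz ...` as a one-command prefix avoids touching the caller's environment.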
@@ -193,8 +193,8 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) { /* Initialize the custom mutator */ if (afl->mutator->afl_custom_init) - afl->mutator->data = - afl->mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); + afl->mutator->data = afl->mutator->afl_custom_init( + afl, rand_below(afl, 0xFFFFFFFF)); } diff --git a/test/test.sh b/test/test.sh index 725ae9e4..0d3c7199 100755 --- a/test/test.sh +++ b/test/test.sh @@ -895,12 +895,12 @@ test -d ../unicorn_mode/unicornafl && { $ECHO "$BLUE[*] Testing: custom mutator" unset AFL_CC # Line 474 sets AFL_CC to "gcc". We reset it to use the default compiler -CUSTOM_MUTATOR_PATH=../examples/custom_mutators +CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c && { # Compile the vulnerable program - ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c + ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 # Compile the custom mutator - make -C ../examples/custom_mutators libexamplemutator.so + make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1 test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { # Create input directory mkdir -p in -- cgit 1.4.1 From d568559f01b1a7609f8a0c4f7afea513375725e4 Mon Sep 17 00:00:00 2001 From: h1994st Date: Fri, 27 Mar 2020 21:03:06 -0400 Subject: Fix typo --- examples/custom_mutators/example.py | 3 +-- test/test.sh | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 6bacfa05..6b58188e 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py 
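Review bot: `../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1` and the `make -C ../examples/custom_mutators ... > /dev/null 2>&1` line now discard the compiler output, so when the following `test -e test-custom-mutator -a -e .../libexamplemutator.so` fails the only diagnostics are two `ls` listings in the failure branch. The rest of this script appends build output to `errors` and `cat`s it on failure; do the same here with `>> errors 2>&1` on both commands and print the file next to the "cannot compile" message.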
@@ -164,11 +164,10 @@ def fuzz(buf, add_buf, max_size): # ''' # Called after adding a new test case to the queue # -# @type filename_new_queue: str +# @type filename_new_queue: str # @param filename_new_queue: File name of the new queue entry # # @type filename_orig_queue: str # @param filename_orig_queue: File name of the original queue entry # ''' # pass - diff --git a/test/test.sh b/test/test.sh index 0d3c7199..11c4be25 100755 --- a/test/test.sh +++ b/test/test.sh @@ -60,8 +60,8 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT - -export unset AFL_CUSTOM_MUTATOR_LIBRARY=unset AFL_POST_LIBRARY +unset AFL_POST_LIBRARY +unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD unset LD_PRELOAD -- cgit 1.4.1 From 64e1d3a975b5d4f017fabdc921cb59128db1c18a Mon Sep 17 00:00:00 2001 From: h1994st Date: Sun, 29 Mar 2020 01:22:44 -0400 Subject: test.sh: "trusty-amd64" does not work well with "realpath". Use "readlink -f" for Ubuntu instead. --- examples/custom_mutators/example.py | 12 ++++++++++-- test/test.sh | 16 ++++++++++------ 2 files changed, 20 insertions(+), 8 deletions(-) (limited to 'test') diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 7919d3d3..9e95eed6 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -17,6 +17,13 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. import random +COMMANDS = [ + b"GET", + b"PUT", + b"DEL", +] + + def init(seed): ''' Called once when AFLFuzz starts up. Used to seed our RNG. @@ -48,8 +55,9 @@ def fuzz(buf, add_buf, max_size): @rtype: bytearray @return: A new bytearray containing the mutated data ''' - ret = bytearray(buf) - # Do something interesting with ret + ret = bytearray(100) + + ret[:3] = random.choice(COMMANDS) return ret diff --git a/test/test.sh b/test/test.sh index 11c4be25..c9ce3489 100755 --- a/test/test.sh +++ b/test/test.sh 
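Review bot: In `example.py`, `ret = bytearray(100)` ignores both `buf` and the `max_size` parameter, so `fuzz()` always returns a 100-byte buffer even when the caller passes a smaller limit; whether afl-fuzz truncates or trusts the returned length is not visible here, but a mutator that can exceed `max_size` is a contract violation for any caller. Bound it with `ret = bytearray(min(100, max_size))` and keep the slice assignment from extending a shorter buffer, e.g. `ret[:3] = random.choice(COMMANDS)[:len(ret)]`. Since the example is the template users copy, a one-line comment saying that the output is deliberately a fixed-size command-prefixed buffer for the test harness would stop it from being read as a general-purpose mutator.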
@@ -894,9 +894,13 @@ test -d ../unicorn_mode/unicornafl && { } $ECHO "$BLUE[*] Testing: custom mutator" -unset AFL_CC # Line 474 sets AFL_CC to "gcc". We reset it to use the default compiler -CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) -test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c && { +unset AFL_CC # Test case "gcc_plugin" sets AFL_CC to "gcc". We reset it to use the default compiler +test `uname -s` = 'Darwin' && { + CUSTOM_MUTATOR_PATH=$( realpath ../examples/custom_mutators ) +} || { + CUSTOM_MUTATOR_PATH=$( readlink -f ../examples/custom_mutators ) +} +test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { # Compile the vulnerable program ../afl-clang-fast -o test-custom-mutator test-custom-mutator.c > /dev/null 2>&1 # Compile the custom mutator @@ -904,7 +908,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && { # Create input directory mkdir -p in - echo 00000 > in/in + echo "00000" > in/in # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" @@ -915,7 +919,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS } >>errors 2>&1 # Check results - test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here $ECHO "$GREEN[+] afl-fuzz is working correctly with the C mutator" } || { echo CUT------------------------------------------------------------------CUT 
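Review bot: The new `uname` branch chooses between `realpath` on Darwin and `readlink -f` elsewhere, but neither is POSIX: `readlink -f` is GNU-specific and `realpath` is not shipped on older macOS releases (it arrives with coreutils or newer systems — confirm on the CI image), so the Darwin branch may still fail. The absolute path is available portably with `CUSTOM_MUTATOR_PATH=$( cd ../examples/custom_mutators && pwd -P )`, which also removes the OS special case. If the `cd` fails the variable is empty and the following `test -e ${CUSTOM_MUTATOR_PATH}/example.c` correctly falls into the "cannot test" branch.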
@@ -939,7 +943,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS } >>errors 2>&1 # Check results - test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # TODO: update here + test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && { # TODO: update here $ECHO "$GREEN[+] afl-fuzz is working correctly with the Python mutator" } || { echo CUT------------------------------------------------------------------CUT -- cgit 1.4.1 From ea954539756722e84f65e0f3a6638bb3dc50d8db Mon Sep 17 00:00:00 2001 From: h1994st Date: Mon, 30 Mar 2020 05:28:30 -0400 Subject: test.sh: redirect command line output --- test/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test.sh b/test/test.sh index c9ce3489..25aaad58 100755 --- a/test/test.sh +++ b/test/test.sh @@ -914,7 +914,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { export AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset AFL_CUSTOM_MUTATOR_LIBRARY } >>errors 2>&1 @@ -937,7 +937,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 -- cgit 1.4.1 From 710a29a1e0b8c874cdba43a16879f7f77e917713 Mon Sep 17 00:00:00 2001 
From: Dominik Maier Date: Mon, 30 Mar 2020 18:20:20 +0200 Subject: fixed testcase --- test/test-custom-mutator.c | 7 +++---- test/test.sh | 4 +--- 2 files changed, 4 insertions(+), 7 deletions(-) (limited to 'test') diff --git a/test/test-custom-mutator.c b/test/test-custom-mutator.c index b44c3634..83baafab 100644 --- a/test/test-custom-mutator.c +++ b/test/test-custom-mutator.c @@ -10,11 +10,10 @@ int main(int argc, char *argv[]) { - char str[100]={ }; + char str[100]; read(0, str, 100); - int *ptr = NULL; - if( str[0] == 'P') { - *ptr = 123; + if( str[6] == 'A') { + abort(); } return 0; } diff --git a/test/test.sh b/test/test.sh index 25aaad58..3e1b6c43 100755 --- a/test/test.sh +++ b/test/test.sh @@ -913,9 +913,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { - export AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 - unset AFL_CUSTOM_MUTATOR_LIBRARY + AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results -- cgit 1.4.1 From 9cab515e5880b7f61e395dd3fa612d88c1db671f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 30 Mar 2020 18:37:16 +0200 Subject: added unittests to test.sh --- .travis.yml | 4 ++-- test/test.sh | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/.travis.yml b/.travis.yml index 2c8c8bea..92c8f5a2 100644 --- a/.travis.yml +++ b/.travis.yml 
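Review bot: With the `={ }` initializer removed, `str` is uninitialized and the `read()` result is still ignored, so whenever fewer than 7 bytes arrive `str[6] == 'A'` compares an indeterminate byte; the crash then depends on stack contents, which makes the harness flaky and a "no crash" result meaningless. Check the length instead: `ssize_t n = read(0, str, sizeof str); if (n > 6 && str[6] == 'A') abort();`. `abort()` requires `<stdlib.h>`; the include lines at the top of this file are outside the hunk (and their header names are not visible in this rendering), so verify it is present.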
@@ -41,8 +41,8 @@ before_install: # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE} - echo Testing on $NAME - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi - - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils ; fi - - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils ; fi + - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils cmocka ; fi + - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils cmocka ; fi script: - gcc -v diff --git a/test/test.sh b/test/test.sh index 3e1b6c43..de730c15 100755 --- a/test/test.sh +++ b/test/test.sh @@ -969,6 +969,10 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS } unset CUSTOM_MUTATOR_PATH +$ECHO "$BLUE[*] Execution cmocka Unit-Tests $GREY" +unset AFL_CC +make -C .. unit || "$CODE" = "1" + $ECHO "$GREY[*] all test cases completed.$RESET" test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed" test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed" -- cgit 1.4.1 From 0b8a5cb4bb8c1d940557b02d58f9ea653c8e9443 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 31 Mar 2020 07:37:30 +0200 Subject: travis: dont fail on custom mutator - currently --- test/test.sh | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test') 
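Review bot: The package appended to both `apt install -y` lines is `cmocka`, but on Debian/Ubuntu the library is packaged as `libcmocka0` with headers in `libcmocka-dev`, so as far as I can tell apt will answer "Unable to locate package cmocka" and, because it is a single `apt install` invocation, none of the other packages on that line get installed either. Use `libcmocka-dev` (it depends on `libcmocka0`), which is what the Makefile's `-lcmocka` link line and the `<cmocka.h>` include need. The `before_install` list continues outside this hunk.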
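Review bot: `make -C .. unit || "$CODE" = "1"` never records a failure: the right-hand side of `||` is a command, so when `make` fails the shell tries to execute the current value of `$CODE` (typically `0`) with the arguments `=` and `1`, prints "command not found" and leaves `CODE` unchanged, and the script still reports success. Every other section sets the flag with an assignment; use `make -C .. unit || CODE=1`. Consider also sending make's output to the same `errors` file the other sections use (`>>errors 2>&1`) so a failing unit test surfaces through the existing reporting path.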
diff --git a/test/test.sh b/test/test.sh index de730c15..0dc58cc8 100755 --- a/test/test.sh +++ b/test/test.sh @@ -961,6 +961,8 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS CODE=1 } + test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } + make -C ../examples/custom_mutators clean > /dev/null 2>&1 rm -f test-custom-mutator } || { -- cgit 1.4.1 From c8bdf0790f7d19078d9ec5705fc04eefd8615988 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 31 Mar 2020 14:01:22 +0200 Subject: reenabled custom mutator report --- examples/custom_mutators/Makefile | 2 +- llvm_mode/afl-clang-fast.c | 1 - src/afl-fuzz-one.c | 1 + test/test.sh | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/examples/custom_mutators/Makefile b/examples/custom_mutators/Makefile index 463cefb1..9849f3f4 100644 --- a/examples/custom_mutators/Makefile +++ b/examples/custom_mutators/Makefile @@ -1,7 +1,7 @@ all: libexamplemutator.so libexamplemutator.so: - $(CC) $(CFLAGS) -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so + $(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so clean: rm -rf libexamplemutator.so diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 99bc8d03..de8d3410 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -48,7 +48,6 @@ static u8 debug; static u8 cwd[4096]; static u8 cmplog_mode; u8 use_stdin = 0; /* dummy */ -u8 be_quiet = 0; u8 *getthecwd() { diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 2e49e19b..b20bde90 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -1648,6 +1648,7 @@ custom_mutator_stage: } /* `(afl->)out_buf` may have been changed by the call to custom_fuzz */ + /* TODO: Only do this when `mutated_buf` == `out_buf`? Branch vs Memcpy. */ memcpy(out_buf, in_buf, len); } 
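Review bot: `CODE` is the script-wide exit flag that every earlier section sets on failure, so the added `test "$CODE" = 1 && { …; CODE=0; }` does not merely excuse the custom-mutator tests — it also erases any failure recorded by the sections before this block and lets CI go green on a broken build. Track this section with its own variable instead: set `MUTATOR_FAILED=1` where the mutator checks currently set `CODE=1`, print the yellow notice from that, and leave `CODE` untouched. The enclosing `test -e test-custom-mutator.c … && {` block starts and ends outside this hunk.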
diff --git a/test/test.sh b/test/test.sh index 0dc58cc8..a04df384 100755 --- a/test/test.sh +++ b/test/test.sh @@ -961,7 +961,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS CODE=1 } - test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } + #test "$CODE" = 1 && { $ECHO "$YELLOW[!] custom mutator tests currently will not fail travis" ; CODE=0 ; } make -C ../examples/custom_mutators clean > /dev/null 2>&1 rm -f test-custom-mutator -- cgit 1.4.1 From eca55be4fb961bc65cf8c3531fe2e2eb2b7ca614 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 01:55:13 +0200 Subject: minor changes --- afl-whatsup | 4 ++-- src/afl-fuzz-init.c | 2 +- test/unittests/unit_maybe_alloc.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/afl-whatsup b/afl-whatsup index c3017689..1a276964 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -171,8 +171,8 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes)) TOTAL_PENDING=$((TOTAL_PENDING + pending_total)) TOTAL_PFAV=$((TOTAL_PFAV + pending_favs)) - - if [ "$last_path" -gt "$TOTAL_LAST_PATH" ]; then + + if [ "$last_path" -gt "$TOTAL_LAST_PATH" ]; then TOTAL_LAST_PATH=$last_path fi diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index fe2be4d2..e2495524 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -391,7 +391,7 @@ void read_testcases(afl_state_t *afl) { if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) { - free(fn2); + ck_free(fn2); continue; } diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index 93f10889..25b41d46 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -137,4 +137,4 @@ int main(int argc, char **argv) { return cmocka_run_group_tests (tests, setup, teardown); -} \ No newline at end of file +} -- cgit 1.4.1 
From 6392a349cee77edb98b38d4988b0696ea3213c84 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 02:28:54 +0200 Subject: add assert_ptr_equal fallback --- test/unittests/unit_maybe_alloc.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'test') diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index 25b41d46..985e28f7 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -4,6 +4,14 @@ #include #include +/* Apparently not supported in very old cmocka versions */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#endif + extern void mock_assert(const int result, const char* const expression, const char * const file, const int line); #undef assert -- cgit 1.4.1 From 77d68bc7bd4a693844ffb3dfe33ce4923e4a74ba Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 02:59:19 +0200 Subject: old cmocka is old --- test/unittests/unit_maybe_alloc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index 985e28f7..8fa986d8 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -2,15 +2,17 @@ #include #include #include -#include - -/* Apparently not supported in very old cmocka versions */ +/* cmocka < 1.0 didn't support these features we need */ #ifndef assert_ptr_equal #define assert_ptr_equal(a, b) \ _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ cast_ptr_to_largest_integral_type(b), \ __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test #endif +#include + extern void mock_assert(const int result, const char* const expression, const char * const file, const int line); -- cgit 1.4.1 From 35c817ccd09187a1e712fb5f3ac78eb8441a7b05 Mon Sep 17 00:00:00 2001 
From: Dominik Maier Date: Wed, 1 Apr 2020 03:20:22 +0200 Subject: mocking cmocka 1 for cmocka 0.x --- test/unittests/unit_maybe_alloc.c | 1 + 1 file changed, 1 insertion(+) (limited to 'test') diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index 8fa986d8..dcab5baf 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -10,6 +10,7 @@ __FILE__, __LINE__) #define CMUnitTest UnitTest #define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) #endif #include -- cgit 1.4.1 From b9783e44a3941e3ea381ae47ed1e2fc90bc2ef92 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 03:39:36 +0200 Subject: cmocka mocks --- test/unittests/unit_maybe_alloc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index dcab5baf..7c6cfaaa 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -39,11 +39,13 @@ int __wrap_printf(const char *format, ...) { #define BUF_PARAMS (void **)&buf, &size +/* static int setup(void **state) { return 0; } +*/ static void test_null_allocs(void **state) { @@ -130,11 +132,13 @@ static void test_grow_multiple(void **state) { } +/* static int teardown(void **state) { return 0; } +*/ int main(int argc, char **argv) { @@ -146,6 +150,7 @@ int main(int argc, char **argv) { cmocka_unit_test(test_grow_multiple), }; - return cmocka_run_group_tests (tests, setup, teardown); + //return cmocka_run_group_tests (tests, setup, teardown); + return cmocka_run_group_tests (tests, NULL, NULL); } -- cgit 1.4.1 From effa766d4abfc1901585e306609f3571a268796e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 1 Apr 2020 09:42:40 +0200 Subject: fix cmocka fixup --- test/unittests/unit_maybe_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') 
diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index 7c6cfaaa..6a165dd4 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -2,6 +2,7 @@ #include #include #include +#include /* cmocka < 1.0 didn't support these features we need */ #ifndef assert_ptr_equal #define assert_ptr_equal(a, b) \ @@ -12,7 +13,6 @@ #define cmocka_unit_test unit_test #define cmocka_run_group_tests(t, setup, teardown) run_tests(t) #endif -#include extern void mock_assert(const int result, const char* const expression, -- cgit 1.4.1 From 9c1c1062be9e919c6f0dda8867ff9904f4fffc06 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 15:55:16 +0200 Subject: added prealloc testcase --- test/unittests/unit_preallocable.c | 111 +++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 test/unittests/unit_preallocable.c (limited to 'test') diff --git a/test/unittests/unit_preallocable.c b/test/unittests/unit_preallocable.c new file mode 100644 index 00000000..8cd36165 --- /dev/null +++ b/test/unittests/unit_preallocable.c 
@@ -0,0 +1,111 @@ +#include +#include +#include +#include +#include +/* cmocka < 1.0 didn't support these features we need */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) +#endif + + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); + +#include "afl-prealloc.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) 
{ + return 1; +} + +typedef struct prealloc_me +{ + PREALLOCABLE; + + u8 *content[128]; + +} prealloc_me_t; + +#define PREALLOCED_BUF_SIZE (64) +prealloc_me_t prealloc_me_buf[PREALLOCED_BUF_SIZE]; +size_t prealloc_me_size = 0; + +static void test_alloc_free(void **state) { + + prealloc_me_t *prealloced = NULL; + PRE_ALLOC(prealloced, prealloc_me_buf, PREALLOCED_BUF_SIZE, prealloc_me_size); + assert_non_null(prealloced); + PRE_FREE(prealloced, prealloc_me_size); + +} + +static void test_prealloc_overflow(void **state) { + + u32 i = 0; + prealloc_me_t *prealloced[PREALLOCED_BUF_SIZE + 10]; + + for (i = 0; i < PREALLOCED_BUF_SIZE + 10; i++) { + + PRE_ALLOC(prealloced[i], prealloc_me_buf, PREALLOCED_BUF_SIZE, prealloc_me_size); + assert_non_null(prealloced[i]); + + } + assert_int_equal(prealloced[0]->pre_status, PRE_STATUS_USED); + assert_int_equal(prealloced[PREALLOCED_BUF_SIZE]->pre_status, PRE_STATUS_MALLOC); + + PRE_FREE(prealloced[20], prealloc_me_size); + PRE_ALLOC(prealloced[20], prealloc_me_buf, PREALLOCED_BUF_SIZE, prealloc_me_size); + assert_non_null(prealloced[20]); + assert_int_equal(prealloced[20]->pre_status, PRE_STATUS_USED); + + PRE_FREE(prealloced[PREALLOCED_BUF_SIZE], prealloc_me_size); + PRE_FREE(prealloced[0], prealloc_me_size); + PRE_ALLOC(prealloced[PREALLOCED_BUF_SIZE], prealloc_me_buf, PREALLOCED_BUF_SIZE, prealloc_me_size); + assert_non_null(prealloced[PREALLOCED_BUF_SIZE]); + /* there should be space now! 
*/ + assert_int_equal(prealloced[PREALLOCED_BUF_SIZE]->pre_status, PRE_STATUS_USED); + + PRE_ALLOC(prealloced[0], prealloc_me_buf, PREALLOCED_BUF_SIZE, prealloc_me_size); + assert_non_null(prealloced[0]); + /* no more space */ + assert_int_equal(prealloced[0]->pre_status, PRE_STATUS_MALLOC); + + for (i = 0; i < PREALLOCED_BUF_SIZE + 10; i++) { + + PRE_FREE(prealloced[i], prealloc_me_size); + + } + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_alloc_free), + cmocka_unit_test(test_prealloc_overflow), + }; + + //return cmocka_run_group_tests (tests, setup, teardown); + return cmocka_run_group_tests (tests, NULL, NULL); + +} -- cgit 1.4.1 From 0fac7bd373ea2b578ea7d821f06f15ba3dcb0bad Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 1 Apr 2020 15:56:17 +0200 Subject: added (broken) list test --- Makefile | 13 ++++- test/unittests/unit_list.c | 127 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 138 insertions(+), 2 deletions(-) create mode 100644 test/unittests/unit_list.c (limited to 'test') diff --git a/Makefile b/Makefile index 841384e0..ab94beff 100644 --- a/Makefile +++ b/Makefile 
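Review bot: `__wrap_exit` stands in for a function that the compiler and the code under test treat as never returning, yet it is an ordinary `void` function whose only statement is the mocked `assert(0)`; whether cmocka's `mock_assert` longjmps out on every path cannot be seen from this file, and if it ever returns, execution resumes after an `exit()` call in code that assumed it would not. Declare it `__attribute__((noreturn)) void __wrap_exit(int status)` and end it with `__real_exit(status);` so a returning mock still terminates the process. Separately, the `assert` redefinition expands to `mock_assert(...);` with its own trailing semicolon, so `assert(x);` becomes two statements and `if (c) assert(x); else …` will not compile — drop the `;` from the `#define`.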
@@ -322,12 +322,21 @@ unit_maybe_alloc: test/unittests/unit_maybe_alloc.o $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) -lcmocka ./test/unittests/unit_maybe_alloc +test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES) + $(CC) $(CFLAGS) $(CFLAGS_FLTO) -c test/unittests/unit_list.c -o test/unittests/unit_list.o + +unit_list: test/unittests/unit_list.o + $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $(LDFLAGS) test/unittests/unit_list.o -o test/unittests/unit_list -ldl -lcmocka + ./test/unittests/unit_list + +test/unittests/preallocable.o : $(COMM_HDR) include/afl-prealloc.h test/unittests/preallocable.c $(AFL_FUZZ_FILES) + $(CC) $(CFLAGS) $(CFLAGS_FLTO) -c test/unittests/preallocable.c -o test/unittests/preallocable.o + unit_preallocable: test/unittests/unit_preallocable.o $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) -lcmocka ./test/unittests/unit_preallocable - -unit: unit_maybe_alloc unit_preallocable +unit: unit_maybe_alloc unit_preallocable unit_list code-format: ./.custom-format.py -i src/*.c diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c new file mode 100644 index 00000000..6e0be7b6 --- /dev/null +++ b/test/unittests/unit_list.c 
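Review bot: The new `test/unittests/preallocable.o` rule compiles `test/unittests/preallocable.c`, a file this series never adds — the test source is `test/unittests/unit_preallocable.c` — so the rule can never fire, while the adjacent `unit_preallocable` target depends on `test/unittests/unit_preallocable.o`, for which this hunk shows no rule (one may exist outside it). Either delete the stray rule or correct its name so the dependency on `include/afl-prealloc.h` actually applies: `test/unittests/unit_preallocable.o : $(COMM_HDR) include/afl-prealloc.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES)`. `unit_list` is also the only unit target linked with `-ldl`; if list.h does not need it, drop it for consistency with the other two.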
@@ -0,0 +1,127 @@ +#include +#include +#include +#include +#include +/* cmocka < 1.0 didn't support these features we need */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) +#endif + + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); + +#include "list.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) 
{ + return 1; +} + +list_t testlist; + +static void test_contains(void **state) { + + u32 one = 1; + u32 two = 2; + + list_append(&testlist, &one); + assert_true(list_contains(&testlist, &one)); + assert_false(list_contains(&testlist, &two)); + list_remove(&testlist, &one); + assert_false(list_contains(&testlist, &one)); +} + +static void test_foreach(void **state) { + + u32 one = 1; + u32 two = 2; + u32 result = 0; + + list_append(&testlist, &one); + list_append(&testlist, &two); + list_append(&testlist, &one); + + /* The list is for pointers, so int doesn't work as type directly */ + LIST_FOREACH(&testlist, u32, { + result += *el; + }); + + assert_int_equal(result, 4); + +} + +static void test_long_list(void **state) { + + u32 result1 = 0; + u32 result2 = 0; + u32 i; + + u32 vals[100]; + + for (i = 0; i < 100; i++) { + vals[i] = i; + } + + for (i = 0; i < 100; i++) { + list_append(&testlist, &vals[i]); + } + LIST_FOREACH(&testlist, u32, { + result1 += *el; + }); + printf("removing %d\n", vals[50]); + list_remove(&testlist, &vals[50]); + + LIST_FOREACH(&testlist, u32, { + printf("var: %d\n", *el); + result2 += *el; + }); + assert_int_not_equal(result1, result2); + assert_int_equal(result1 + 50, result2); + + result1 = 0; + LIST_FOREACH_CLEAR(&testlist, u32, { + result1 += *el; + }); + assert_int_equal(result1, result2); + + result1 = 0; + LIST_FOREACH(&testlist, u32, { + result1 += *el; + }); + assert_int_equal(result1, 0); + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_contains), + cmocka_unit_test(test_foreach), + cmocka_unit_test(test_long_list), + }; + + //return cmocka_run_group_tests (tests, setup, teardown); + return cmocka_run_group_tests (tests, NULL, NULL); + +} -- cgit 1.4.1 From b5c5496b2fa9703bcdf7ab685499ae976a9107f6 Mon Sep 17 00:00:00 2001 
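Review bot: `test_foreach` appends the addresses of its own stack locals `one` and `two` to the global `testlist` and returns without removing them, so after it finishes the list holds three dangling pointers into a dead frame; the next test, `test_long_list`, then sums `*el` over the entire list, which dereferences them — undefined behaviour that a sanitizer may report as stack-use-after-return. Release the entries in the test that created them, e.g. append `LIST_FOREACH_CLEAR(&testlist, u32, {});` at the end of `test_foreach`, the way `test_contains` already restores the empty-list invariant with `list_remove`. The `printf("removing %d\n", vals[50])` calls also pass a `u32` to `%d`; they are harmless because `printf` is wrapped to a no-op here, but `%u` keeps `-Wformat` quiet.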
From: Dominik Maier Date: Wed, 1 Apr 2020 18:19:43 +0200 Subject: list testcase added --- .gitignore | 2 ++ Makefile | 26 ++++++++++++++------------ include/list.h | 3 ++- test/unittests/unit_list.c | 2 +- test/unittests/unit_maybe_alloc.c | 4 +++- 5 files changed, 22 insertions(+), 15 deletions(-) (limited to 'test') diff --git a/.gitignore b/.gitignore index 2687f959..c8a92b7d 100644 --- a/.gitignore +++ b/.gitignore @@ -47,3 +47,5 @@ unicorn_mode/samples/*/\.test-* unicorn_mode/samples/*/output/ core\.* test/unittests/unit_maybe_alloc +test/unittests/unit_preallocable +test/unittests/unit_list diff --git a/Makefile b/Makefile index 23fcaeca..a193f357 100644 --- a/Makefile +++ b/Makefile @@ -64,8 +64,8 @@ ifneq "$(shell uname -m)" "x86_64" endif endif -CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -override CFLAGS += -Wall -g -Wno-pointer-sign -D_FORTIFY_SOURCE=2 \ +CFLAGS ?= -O2 -funroll-loops $(CFLAGS_OPT) -D_FORTIFY_SOURCE=2 +override CFLAGS += -Wall -g -Wno-pointer-sign \ -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" @@ -151,10 +151,13 @@ ifdef STATIC LDFLAGS += -lm -lpthread -lz -lutil endif +ASAN_CFLAGS=-fsanitize=address -fstack-protector-all +ASAN_LDFLAGS+=-fsanitize=address -fstack-protector-all + ifdef ASAN_BUILD $(info Compiling ASAN version of binaries) - CFLAGS+=-fsanitize=address -fstack-protector-all - LDFLAGS+=-fsanitize=address -fstack-protector-all + CFLAGS+="$ASAN_CFLAGS" + LDFLAGS+="$ASAN_LDFLAGS" endif ifdef PROFILING 
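Review bot: Moving `-D_FORTIFY_SOURCE=2` from the `override CFLAGS +=` line into the `CFLAGS ?=` default removes the fortified libc wrappers from every afl binary as soon as the user supplies any `CFLAGS` (this page's own `CFLAGS="-m32" make` commit shows that is a supported invocation), whereas before the define was applied unconditionally. Keep it on the override line: `override CFLAGS += -Wall -g -Wno-pointer-sign -D_FORTIFY_SOURCE=2 \`. If the move was made because `_FORTIFY_SOURCE` interferes with the sanitizer-built unit tests, add `-U_FORTIFY_SOURCE` to `ASAN_CFLAGS` rather than weakening the default for all builds. Note also that fortification only takes effect at `-O1` or higher, so user-supplied CFLAGS without an `-O` level silently get no checking either way.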
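Review bot: `CFLAGS+="$ASAN_CFLAGS"` and `LDFLAGS+="$ASAN_LDFLAGS"` do not reference the variables defined just above them: in GNU make `$A` is the one-letter variable `A`, so each line appends the literal string `"SAN_CFLAGS"` / `"SAN_LDFLAGS"` (quotes included), and `ASAN_BUILD=1` no longer compiles or links anything with `-fsanitize=address` — the compiler instead receives a bogus argument. Use make's own syntax without quotes: `CFLAGS += $(ASAN_CFLAGS)` and `LDFLAGS += $(ASAN_LDFLAGS)`. The `ASAN_LDFLAGS+=` definition can also be a plain `=` to match `ASAN_CFLAGS`.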
@@ -313,27 +316,27 @@ document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/ $(CC) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) - $(CC) $(CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o + $(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES) - $(CC) $(CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o + $(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o unit_maybe_alloc: test/unittests/unit_maybe_alloc.o - $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) -lcmocka + $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_maybe_alloc test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES) - $(CC) $(CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o + $(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o unit_list: test/unittests/unit_list.o - $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list $(LDFLAGS) -lcmocka + $(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_list test/unittests/preallocable.o : $(COMM_HDR) include/afl-prealloc.h 
test/unittests/preallocable.c $(AFL_FUZZ_FILES) - $(CC) $(CFLAGS) $(CFLAGS_FLTO) -c test/unittests/preallocable.c -o test/unittests/preallocable.o + $(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CFLAGS_FLTO) -c test/unittests/preallocable.c -o test/unittests/preallocable.o unit_preallocable: test/unittests/unit_preallocable.o - $(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) -lcmocka + $(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_preallocable unit: unit_maybe_alloc unit_preallocable unit_list @@ -472,4 +475,3 @@ install: all $(MANPAGES) install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH) cp -r testcases/ $${DESTDIR}$(MISC_PATH) cp -r dictionaries/ $${DESTDIR}$(MISC_PATH) - diff --git a/include/list.h b/include/list.h index c67b24b2..a0f23c85 100644 --- a/include/list.h +++ b/include/list.h @@ -56,7 +56,8 @@ typedef struct list { static inline element_t *get_head(list_t *list) { - return &list->element_prealloc_buf[0]; + /* The first element is the head */ + return list->element_prealloc_buf; } diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c index 6e0be7b6..7e8ef363 100644 --- a/test/unittests/unit_list.c +++ b/test/unittests/unit_list.c @@ -93,7 +93,7 @@ static void test_long_list(void **state) { list_remove(&testlist, &vals[50]); LIST_FOREACH(&testlist, u32, { - printf("var: %d\n", *el); + // printf("var: %d\n", *el); result2 += *el; }); assert_int_not_equal(result1, result2); diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index 6a165dd4..a856fa08 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c 
@@ -75,7 +75,7 @@ static void test_zero_size() { char *buf = NULL; size_t size = 0; - //assert_non_null(maybe_grow(BUF_PARAMS, 0)); + assert_non_null(maybe_grow(BUF_PARAMS, 0)); free(buf); buf = NULL; size = 0; @@ -87,6 +87,8 @@ static void test_zero_size() { expect_assert_failure(ck_maybe_grow(BUF_PARAMS, 0)); + ck_free(ptr); + } static void test_unchanged_size(void **state) { -- cgit 1.4.1 From 1cce581ffe071c027d5af665cf9909e77886332e Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Wed, 1 Apr 2020 20:37:13 +0200 Subject: fix unit test case for long list --- test/unittests/unit_list.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c index 7e8ef363..03217112 100644 --- a/test/unittests/unit_list.c +++ b/test/unittests/unit_list.c @@ -83,6 +83,7 @@ static void test_long_list(void **state) { vals[i] = i; } + LIST_FOREACH_CLEAR(&testlist, void, {}); for (i = 0; i < 100; i++) { list_append(&testlist, &vals[i]); } @@ -97,7 +98,7 @@ static void test_long_list(void **state) { result2 += *el; }); assert_int_not_equal(result1, result2); - assert_int_equal(result1 + 50, result2); + assert_int_equal(result1, result2 + 50); result1 = 0; LIST_FOREACH_CLEAR(&testlist, u32, { -- cgit 1.4.1