From a3f8fc5d1ccabc455e28157ee86211f0c11c81a3 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 26 Apr 2021 16:03:08 +0200 Subject: moved custom_mutator examples --- test/test-custom-mutators.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh index bae4220f..a5d666ff 100755 --- a/test/test-custom-mutators.sh +++ b/test/test-custom-mutators.sh @@ -29,8 +29,8 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { } } # Compile the custom mutator - cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../utils/custom_mutators/simple_example.c -o libexamplemutator.so > /dev/null 2>&1 - cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../utils/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../custom_mutators/examples/simple_example.c -o libexamplemutator.so > /dev/null 2>&1 + cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../custom_mutators/examples/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1 test -e test-custom-mutator -a -e ./libexamplemutator.so && { # Create input directory mkdir -p in -- cgit 1.4.1 From 361dd6e36185f6ea28db42a462da27f281692074 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 3 May 2021 21:42:04 +0200 Subject: add new test for frida_mode (please review) --- test/test-all.sh | 2 + test/test-frida-mode.sh | 100 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100755 test/test-frida-mode.sh (limited to 'test') diff --git a/test/test-all.sh b/test/test-all.sh index 8df4bef9..0c189727 100755 --- a/test/test-all.sh +++ b/test/test-all.sh @@ -14,6 +14,8 @@ . ./test-qemu-mode.sh +. ./test-frida-mode.sh + . ./test-unicorn-mode.sh . ./test-custom-mutators.sh diff --git a/test/test-frida-mode.sh b/test/test-frida-mode.sh new file mode 100755 index 00000000..8a22454b --- /dev/null +++ b/test/test-frida-mode.sh @@ -0,0 +1,100 @@ +#!/bin/sh + +. ./test-pre.sh + +$ECHO "$BLUE[*] Testing: frida_mode" +test -z "$AFL_CC" && { + if type gcc >/dev/null; then + export AFL_CC=gcc + else + if type clang >/dev/null; then + export AFL_CC=clang + fi + fi +} + +test -e ../afl-frida-trace.so && { + cc -pie -fPIE -o test-instr ../test-instr.c + cc -o test-compcov test-compcov.c + test -e test-instr -a -e test-compcov && { + { + mkdir -p in + echo 00000 > in/in + $ECHO "$GREY[*] running afl-fuzz for frida_mode, this will take approx 10 seconds" + { + ../afl-fuzz -m ${MEM_LIMIT} -V10 -O -i in -o out -- ./test-instr >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with frida_mode" + RUNTIME=`grep execs_done out/default/fuzzer_stats | awk '{print$3}'` + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with frida_mode" + CODE=1 + } + rm -f errors + + test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { + $ECHO "$GREY[*] running afl-fuzz for frida_mode cmplog, this will take approx 10 seconds" + { + ../afl-fuzz -m none -V10 -O -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with frida_mode cmplog" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with frida_mode cmplog" + CODE=1 + } + rm -f errors + } || { + $ECHO "$YELLOW[-] not an intel or arm platform, cannot test frida_mode cmplog" + } + + test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { + $ECHO "$GREY[*] running afl-fuzz for persistent frida_mode, this will take approx 10 seconds" + { + ../afl-fuzz -m ${MEM_LIMIT} -V10 -O -i in -o out -- ./test-instr + } >>errors 2>&1 + test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent frida_mode" + RUNTIMEP=`grep execs_done out/default/fuzzer_stats | awk '{print$3}'` + test -n "$RUNTIME" -a -n "$RUNTIMEP" && { + DIFF=`expr $RUNTIMEP / $RUNTIME` + test "$DIFF" -gt 1 && { # must be at least twice as fast + $ECHO "$GREEN[+] persistent frida_mode was noticeable faster than standard frida_mode" + } || { + $ECHO "$YELLOW[-] persistent frida_mode was not noticeable faster than standard frida_mode" + } + } || { + $ECHO "$YELLOW[-] we got no data on executions performed? weird!" + } + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with persistent frida_mode" + CODE=1 + } + rm -rf in out errors + } || { + $ECHO "$YELLOW[-] not an intel or arm platform, cannot test persistent frida_mode" + } + + } + } || { + $ECHO "$RED[!] gcc compilation of test targets failed - what is going on??" + CODE=1 + } + + rm -f test-instr test-compcov +} || { + $ECHO "$YELLOW[-] frida_mode is not compiled, cannot test" + INCOMPLETE=1 +} + +. ./test-post.sh -- cgit 1.4.1 From b35e6deb09c813fbcbd6d5faf84f5b3e395458d0 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 4 May 2021 20:42:24 +0200 Subject: fix persistent mode (64-bit) --- test/test-frida-mode.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test-frida-mode.sh b/test/test-frida-mode.sh index 8a22454b..63b9e162 100755 --- a/test/test-frida-mode.sh +++ b/test/test-frida-mode.sh @@ -14,7 +14,7 @@ test -z "$AFL_CC" && { } test -e ../afl-frida-trace.so && { - cc -pie -fPIE -o test-instr ../test-instr.c + cc -no-pie -o test-instr ../test-instr.c cc -o test-compcov test-compcov.c test -e test-instr -a -e test-compcov && { { @@ -41,7 +41,7 @@ test -e ../afl-frida-trace.so && { { ../afl-fuzz -m none -V10 -O -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 } >>errors 2>&1 - test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && { + test -n "$( ls out/default/queue/id:000003* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with frida_mode cmplog" } || { echo CUT------------------------------------------------------------------CUT @@ -58,7 +58,15 @@ test -e ../afl-frida-trace.so && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent frida_mode, this will take approx 10 seconds" { + if file test-instr | grep -q "32-bit"; then + else + export AFL_FRIDA_PERSISTENT_ADDR=0x`nm test-instr | grep "T main" | awk '{print $1}'` + fi + $ECHO "Info: AFL_FRIDA_PERSISTENT_ADDR=$AFL_FRIDA_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" + env|grep AFL_|sort + file test-instr ../afl-fuzz -m ${MEM_LIMIT} -V10 -O -i in -o out -- ./test-instr + unset AFL_FRIDA_PERSISTENT_ADDR } >>errors 2>&1 test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent frida_mode" -- cgit 1.4.1 From c695a031b86fd99605379c4cd241931685f0d3a1 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 4 May 2021 21:34:32 +0200 Subject: prepare for 32-bit support (later) --- test/test-frida-mode.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/test/test-frida-mode.sh b/test/test-frida-mode.sh index 63b9e162..b47d016a 100755 --- a/test/test-frida-mode.sh +++ b/test/test-frida-mode.sh @@ -58,10 +58,10 @@ test -e ../afl-frida-trace.so && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent frida_mode, this will take approx 10 seconds" { - if file test-instr | grep -q "32-bit"; then - else - export AFL_FRIDA_PERSISTENT_ADDR=0x`nm test-instr | grep "T main" | awk '{print $1}'` - fi + #if file test-instr | grep -q "32-bit"; then + #else + #fi + export AFL_FRIDA_PERSISTENT_ADDR=0x`nm test-instr | grep "T main" | awk '{print $1}'` $ECHO "Info: AFL_FRIDA_PERSISTENT_ADDR=$AFL_FRIDA_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" env|grep AFL_|sort file test-instr -- cgit 1.4.1 From 069e61dfc67050154b649ba286552b563b27e9ba Mon Sep 17 00:00:00 2001 From: "Roman M. Iudichev" Date: Fri, 7 May 2021 18:32:17 +0300 Subject: Exit on time (#904) * Variable AFL_EXIT_ON_TIME description has been added. Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added. afl->exit_on_time variable initialization has been added. The asignment of a value to the afl->afl_env.afl_exit_on_time variable from environment variables has been added. Code to exit on timeout if new path not found has been added. * Type of afl_exit_on_time variable has been changed. Variable exit_on_time has been added to the afl_state_t structure. * Command `export AFL_EXIT_WHEN_DONE=1` has been added. * Millisecond to second conversion has been added. Call get_cur_time() has been added. * Revert to using the saved current time value. * Useless check has been removed. --- docs/env_variables.md | 4 ++++ include/afl-fuzz.h | 5 +++-- include/envs.h | 1 + src/afl-fuzz-state.c | 8 ++++++++ src/afl-fuzz-stats.c | 10 ++++++++++ src/afl-fuzz.c | 8 ++++++++ test/test-performance.sh | 1 + test/test-pre.sh | 1 + 8 files changed, 36 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/docs/env_variables.md b/docs/env_variables.md index 0100ffac..8879db72 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -284,6 +284,10 @@ checks or alter some of the more exotic semantics of the tool: normally indicated by the cycle counter in the UI turning green. May be convenient for some types of automated jobs. + - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were + found within a specified period of time. May be convenient for some + types of automated jobs. + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which does not allow crashes or timeout seeds in the initial -i corpus. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index f201782a..a09d6f79 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -392,7 +392,7 @@ typedef struct afl_env_vars { *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port, *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size, *afl_testcache_entries, *afl_kill_signal, *afl_target_env, - *afl_persistent_record; + *afl_persistent_record, *afl_exit_on_time; } afl_env_vars_t; @@ -575,7 +575,8 @@ typedef struct afl_state { last_sync_cycle, /* Cycle no. of the last sync */ last_path_time, /* Time for most recent path (ms) */ last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time; /* Time for most recent hang (ms) */ + last_hang_time, /* Time for most recent hang (ms) */ + exit_on_time; /* Delay to exit if no new paths */ u32 slowest_exec_ms, /* Slowest testcase non hang in ms */ subseq_tmouts; /* Number of timeouts in a row */ diff --git a/include/envs.h b/include/envs.h index cd23ca3f..9175005e 100644 --- a/include/envs.h +++ b/include/envs.h @@ -49,6 +49,7 @@ static char *afl_environment_variables[] = { "AFL_DUMB_FORKSRV", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE", + "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL", "AFL_FORCE_UI", diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 28d3339a..73ba7a52 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -99,6 +99,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->cal_cycles = CAL_CYCLES; afl->cal_cycles_long = CAL_CYCLES_LONG; afl->hang_tmout = EXEC_TIMEOUT; + afl->exit_on_time = 0; afl->stats_update_freq = 1; afl->stats_avg_exec = 0; afl->skip_deterministic = 1; @@ -187,6 +188,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_exit_when_done = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_EXIT_ON_TIME", + + afl_environment_variable_len)) { + + afl->afl_env.afl_exit_on_time = + (u8 *) get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_NO_AFFINITY", afl_environment_variable_len)) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index fd9af5e4..ee8bd2da 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -574,6 +574,16 @@ void show_stats(afl_state_t *afl) { } + /* AFL_EXIT_ON_TIME. */ + + if (unlikely(afl->last_path_time && !afl->non_instrumented_mode && + afl->afl_env.afl_exit_on_time && + (cur_ms - afl->last_path_time) > afl->exit_on_time)) { + + afl->stop_soon = 2; + + } + if (unlikely(afl->total_crashes && afl->afl_env.afl_bench_until_crash)) { afl->stop_soon = 2; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8c3ba575..8de3ed6b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -204,6 +204,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_DISABLE_TRIM: disable the trimming of test cases\n" "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" + "AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" @@ -1246,6 +1247,13 @@ int main(int argc, char **argv_orig, char **envp) { } + if (afl->afl_env.afl_exit_on_time) { + + u64 exit_on_time = atoi(afl->afl_env.afl_exit_on_time); + afl->exit_on_time = (u64)exit_on_time * 1000; + + } + if (afl->afl_env.afl_max_det_extras) { s32 max_det_extras = atoi(afl->afl_env.afl_max_det_extras); diff --git a/test/test-performance.sh b/test/test-performance.sh index cd9f6caf..d61e2f2a 100755 --- a/test/test-performance.sh +++ b/test/test-performance.sh @@ -18,6 +18,7 @@ export AFL_QUIET=1 export AFL_PATH=`pwd`/.. unset AFL_EXIT_WHEN_DONE +unset AFL_EXIT_ON_TIME unset AFL_SKIP_CPUFREQ unset AFL_DEBUG unset AFL_HARDEN diff --git a/test/test-pre.sh b/test/test-pre.sh index 174f2f7f..7819da47 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -62,6 +62,7 @@ $ECHO \\101 2>&1 | grep -qE '^A' || { test -z "$ECHO" && { printf Error: printf command does not support octal character codes ; exit 1 ; } export AFL_EXIT_WHEN_DONE=1 +export AFL_EXIT_ON_TIME=60 export AFL_SKIP_CPUFREQ=1 export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 unset AFL_NO_X86 -- cgit 1.4.1 From 62d5bf5f414193f1893900f58b4507b915b67865 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 8 May 2021 10:16:44 +0200 Subject: fix new path to custom-mutators --- test/test-custom-mutators.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh index a5d666ff..5d679a82 100755 --- a/test/test-custom-mutators.sh +++ b/test/test-custom-mutators.sh @@ -5,7 +5,7 @@ $ECHO "$BLUE[*] Testing: custom mutator" test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { # normalize path - CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../utils/custom_mutators;pwd) + CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../custom_mutators/examples;pwd) test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && { unset AFL_CC # Compile the vulnerable program for single mutator -- cgit 1.4.1