From 3e84d6a2ae7df5f6b9073a91ccc6acef50b45aab Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 27 Apr 2023 11:49:00 +0200 Subject: afl++ -> AFL++ --- test/test-dlopen.c | 2 +- test/test-gcc-plugin.sh | 2 +- test/test-performance.sh | 4 ++-- test/test-pre.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/test/test-dlopen.c b/test/test-dlopen.c index b81bab13..39442f93 100644 --- a/test/test-dlopen.c +++ b/test/test-dlopen.c @@ -28,7 +28,7 @@ int main(int argc, char **argv) { } - // must use deferred forkserver as otherwise afl++ instrumentation aborts + // must use deferred forkserver as otherwise AFL++ instrumentation aborts // because all dlopen() of instrumented libs must be before the forkserver __AFL_INIT(); diff --git a/test/test-gcc-plugin.sh b/test/test-gcc-plugin.sh index 54e6987f..3690a80a 100755 --- a/test/test-gcc-plugin.sh +++ b/test/test-gcc-plugin.sh @@ -23,7 +23,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && { $ECHO "$GREEN[+] gcc_plugin run reported $TUPLES instrumented locations which is fine" } || { $ECHO "$RED[!] gcc_plugin instrumentation produces a weird numbers: $TUPLES" - $ECHO "$YELLOW[-] this is a known issue in gcc, not afl++. It is not flagged as an error because travis builds would all fail otherwise :-(" + $ECHO "$YELLOW[-] this is a known issue in gcc, not AFL++. It is not flagged as an error because travis builds would all fail otherwise :-(" #CODE=1 } test "$TUPLES" -lt 2 && SKIP=1 diff --git a/test/test-performance.sh b/test/test-performance.sh index d61e2f2a..50957141 100755 --- a/test/test-performance.sh +++ b/test/test-performance.sh @@ -7,7 +7,7 @@ FILE=$AFL_PERFORMANCE_FILE test -z "$FILE" && FILE=.afl_performance test -e $FILE || { - echo Warning: This script measure the performance of afl++ and saves the result for future comparisons into $FILE + echo Warning: This script measure the performance of AFL++ and saves the result for future comparisons into $FILE echo Press ENTER to continue or CONTROL-C to abort read IN } @@ -74,7 +74,7 @@ afl-system-config > /dev/null 2>&1 echo Performance settings applied. echo -$ECHO "${RESET}${GREY}[*] starting afl++ performance test framework ..." +$ECHO "${RESET}${GREY}[*] starting AFL++ performance test framework ..." $ECHO "$BLUE[*] Testing: ${AFL_GCC}" GCC=x diff --git a/test/test-pre.sh b/test/test-pre.sh index b8b286e5..1ca9dfb5 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -133,7 +133,7 @@ MEM_LIMIT=none export PATH="${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" -$ECHO "${RESET}${GREY}[*] starting afl++ test framework ..." +$ECHO "${RESET}${GREY}[*] starting AFL++ test framework ..." test -z "$SYS" && $ECHO "$YELLOW[-] uname -m did not succeed" -- cgit 1.4.1 From 6cad585bdc5c335cc2894c97e9aaf6d5fff88e1f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 27 Apr 2023 18:57:28 +0200 Subject: nits --- src/afl-showmap.c | 2 +- test/test-llvm.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index d0e01cb1..f60acb2d 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1287,7 +1287,7 @@ int main(int argc, char **argv_orig, char **envp) { break; - case 'Y': // fallthough + case 'Y': // fallthrough #ifdef __linux__ case 'X': /* NYX mode */ diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 0e66cc97..714bda93 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -263,7 +263,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { { mkdir -p in echo 00000000000000000000000000000000 > in/in - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V15 -i in -o out -c./test-cmplog -- ./test-c >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V30 -i in -o out -c./test-cmplog -- ./test-c >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" -- cgit 1.4.1 From ee2cab73ac6c72095f781da979094f877291a1d6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 6 Jun 2023 16:42:42 +0200 Subject: reduce false positive ci failures --- test/test-cmplog.c | 6 ++---- test/test-llvm.sh | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/test/test-cmplog.c b/test/test-cmplog.c index bd1b73e3..2ab579b0 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -8,16 +8,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { - if (i < 30) return -1; + if (i < 15) return -1; if (buf[0] != 'A') return 0; if (buf[1] != 'B') return 0; if (buf[2] != 'C') return 0; if (buf[3] != 'D') return 0; int *icmp = (int *)(buf + 4); if (*icmp != 0x69694141) return 0; - if (memcmp(buf + 8, "1234", 4) || memcmp(buf + 12, "EFGH", 4)) return 0; - if (strncmp(buf + 16, "IJKL", 4) == 0 && strcmp(buf + 20, "DEADBEEF") == 0) - abort(); + if (memcmp(buf + 8, "1234EF", 6) == 0) abort(); return 0; } diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 714bda93..19fb7c1a 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -263,7 +263,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { { mkdir -p in echo 00000000000000000000000000000000 > in/in - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V30 -i in -o out -c./test-cmplog -- ./test-c >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -l 3 -m none -V30 -i in -o out -c ./test-cmplog -- ./test-c >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" -- cgit 1.4.1 From 62bacf4fc82194f1f5592d3d487443cef3c2850c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 6 Jun 2023 16:45:20 +0200 Subject: better cmplog ci --- test/test-frida-mode.sh | 2 +- test/test-qemu-mode.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test-frida-mode.sh b/test/test-frida-mode.sh index 3ae84656..8c528da5 100755 --- a/test/test-frida-mode.sh +++ b/test/test-frida-mode.sh @@ -39,7 +39,7 @@ test -e ../afl-frida-trace.so && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for frida_mode cmplog, this will take approx 10 seconds" { - ../afl-fuzz -m none -V07 -O -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 + ../afl-fuzz -m none -V07 -O -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000003* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with frida_mode cmplog" diff --git a/test/test-qemu-mode.sh b/test/test-qemu-mode.sh index 9e268963..8eb7cb67 100755 --- a/test/test-qemu-mode.sh +++ b/test/test-qemu-mode.sh @@ -88,7 +88,7 @@ test -e ../afl-qemu-trace && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds" { - ../afl-fuzz -m none -V07 -Q -c 0 -i in -o out -- ./test-compcov >>errors 2>&1 + ../afl-fuzz -m none -V07 -Q -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog" -- cgit 1.4.1 From f0ccca123ad8f9813ad141ebd243e8c7b96824a1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 6 Jun 2023 17:32:32 +0200 Subject: fix ci --- test/test-llvm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 19fb7c1a..95e43b1c 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -257,7 +257,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } rm -f test-compcov test.out instrumentlist.txt AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1 - ../afl-clang-fast -o test-c test-cmplog.c > /dev/null 2>&1 + ../afl-clang-fast -O0 -o test-c test-cmplog.c > /dev/null 2>&1 test -e test-cmplog && { $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" { -- cgit 1.4.1 From 6e5ca0c78c4b982c6d238f66276a9fc4d43b9663 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 6 Jul 2023 14:28:37 +0200 Subject: higher tuples for afl-clang and afl-gcc in tests --- test/test-basic.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test-basic.sh b/test/test-basic.sh index 5bb2ca28..61ad4b7c 100755 --- a/test/test-basic.sh +++ b/test/test-basic.sh @@ -28,7 +28,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc rm -f test-instr.plain.0 test-instr.plain.1 SKIP= TUPLES=`echo 1|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` - test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && { + test "$TUPLES" -gt 1 -a "$TUPLES" -lt 22 && { $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" } || { $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES" @@ -152,7 +152,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } rm -f test-instr.plain.0 test-instr.plain.1 TUPLES=`echo 1|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` - test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && { + test "$TUPLES" -gt 1 -a "$TUPLES" -lt 22 && { $ECHO "$GREEN[+] ${AFL_CLANG} run reported $TUPLES instrumented locations which is fine" } || { $ECHO "$RED[!] ${AFL_CLANG} instrumentation produces weird numbers: $TUPLES" -- cgit 1.4.1 From a46d27fad51a8fdd905bb8771bd73eeb2c054895 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 10 Jul 2023 18:29:21 +0200 Subject: nits --- instrumentation/split-compares-pass.so.cc | 2 +- src/afl-common.c | 2 +- src/afl-forkserver.c | 8 ++++---- test/test-libextensions.sh | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) (limited to 'test') diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index 6eafb332..09463fc5 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -1740,7 +1740,7 @@ bool SplitComparesTransform::runOnModule(Module &M) { if (!be_quiet && !debug) { errs() << "Split-floatingpoint-compare-pass: " << count - << " FP comparisons splitted\n"; + << " FP comparisons split\n"; } diff --git a/src/afl-common.c b/src/afl-common.c index 3e1ec09d..a6f83f6d 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -403,7 +403,7 @@ u8 *find_binary(u8 *fname) { FATAL( "Unexpected overflow when processing ENV. This should never " - "happend."); + "happened."); } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 7322f1ad..ba7cdd66 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -667,13 +667,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, switch (fsrv->nyx_handlers->nyx_exec(fsrv->nyx_runner)) { case Abort: - NYX_PRE_FATAL(fsrv, "Error: Nyx abort occured..."); + NYX_PRE_FATAL(fsrv, "Error: Nyx abort occurred..."); break; case IoError: NYX_PRE_FATAL(fsrv, "Error: QEMU-Nyx has died..."); break; case Error: - NYX_PRE_FATAL(fsrv, "Error: Nyx runtime error has occured..."); + NYX_PRE_FATAL(fsrv, "Error: Nyx runtime error has occurred..."); break; default: break; @@ -1581,7 +1581,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, FATAL("FixMe: Nyx InvalidWriteToPayload handler is missing"); break; case Abort: - FATAL("Error: Nyx abort occured..."); + FATAL("Error: Nyx abort occurred..."); case IoError: if (*stop_soon_p) { @@ -1595,7 +1595,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, break; case Error: - FATAL("Error: Nyx runtime error has occured..."); + FATAL("Error: Nyx runtime error has occurred..."); break; } diff --git a/test/test-libextensions.sh b/test/test-libextensions.sh index 40a898c8..f7f86de5 100755 --- a/test/test-libextensions.sh +++ b/test/test-libextensions.sh @@ -5,7 +5,7 @@ test -z "$AFL_CC" && unset AFL_CC $ECHO "$BLUE[*] Testing: shared library extensions" -cc $CFLAGS -o test-compcov test-compcov.c > /dev/null 2>&1 +cc $CFLAGS -O0 -o test-compcov test-compcov.c > /dev/null 2>&1 test -e ../libtokencap.so && { AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { -- cgit 1.4.1 From bd1648e707b85b79d816fd8737909789d7d2a09c Mon Sep 17 00:00:00 2001 From: mark0 <757410129@qq.com> Date: Fri, 28 Jul 2023 17:32:59 +0800 Subject: fix the file descriptor without determining null --- custom_mutators/aflpp/standalone/aflpp-standalone.c | 1 + src/afl-showmap.c | 1 + test/unittests/unit_rand.c | 1 + 3 files changed, 3 insertions(+) (limited to 'test') diff --git a/custom_mutators/aflpp/standalone/aflpp-standalone.c b/custom_mutators/aflpp/standalone/aflpp-standalone.c index 91bac4a8..361feaba 100644 --- a/custom_mutators/aflpp/standalone/aflpp-standalone.c +++ b/custom_mutators/aflpp/standalone/aflpp-standalone.c @@ -39,6 +39,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { data->afl = calloc(1, sizeof(afl_state_t)); data->afl->queue_cycle = 1; data->afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); + if (data->afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); } rand_set_seed(data->afl, getpid()); return data; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index b82bcd72..7a639cf6 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1611,6 +1611,7 @@ int main(int argc, char **argv_orig, char **envp) { if (in_dir || in_filelist) { afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); + if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); } afl->afl_env.afl_custom_mutator_library = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); afl->afl_env.afl_python_module = getenv("AFL_PYTHON_MODULE"); diff --git a/test/unittests/unit_rand.c b/test/unittests/unit_rand.c index 1ad02a80..f89b2ab5 100644 --- a/test/unittests/unit_rand.c +++ b/test/unittests/unit_rand.c @@ -67,6 +67,7 @@ static void test_rand_below(void **state) { rand_set_seed(&afl, 1337); afl.fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); + if (afl.fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); } assert(!(rand_below(&afl, 9000) > 9000)); assert_int_equal(rand_below(&afl, 1), 0); -- cgit 1.4.1 From a518c4d75c15e2e0cb8633361a0162eb70c7965b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 19 Jan 2024 11:53:44 +0100 Subject: macos --- afl-cmin | 6 ++++- docs/Changelog.md | 1 + test/test-basic.sh | 69 ++++++++++++++++++++++++++++++------------------------ test/test-llvm.sh | 28 +++++++++++++--------- 4 files changed, 62 insertions(+), 42 deletions(-) (limited to 'test') diff --git a/afl-cmin b/afl-cmin index 566f157d..4aaf3953 100755 --- a/afl-cmin +++ b/afl-cmin @@ -1,11 +1,15 @@ #!/usr/bin/env sh +SYS=$(uname -s) +test "$SYS" = "Darwin" && { + echo Error: afl-cmin does not work on Apple currently. please use afl-cmin.bash instead. + exit 1 +} export AFL_QUIET=1 export ASAN_OPTIONS=detect_leaks=0 THISPATH=`dirname ${0}` export PATH="${THISPATH}:$PATH" awk -f - -- ${@+"$@"} <<'EOF' #!/usr/bin/awk -f - # awk script to minimize a test corpus of input files # # based on afl-cmin bash script written by Michal Zalewski diff --git a/docs/Changelog.md b/docs/Changelog.md index c681c4e1..ad0f7a5a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,6 +26,7 @@ produces drcov compatible traces for lighthouse/lightkeeper/... thanks to @JRomainG to submitting! - updated the custom grammar mutator + - document afl-cmin does not work on macOS ### Version ++4.09c (release) diff --git a/test/test-basic.sh b/test/test-basic.sh index 61ad4b7c..7005d3ce 100755 --- a/test/test-basic.sh +++ b/test/test-basic.sh @@ -2,6 +2,7 @@ . ./test-pre.sh +OS=$(uname -s) AFL_GCC=afl-gcc $ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" @@ -61,7 +62,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } # now we want to be sure that afl-fuzz is working # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$OS" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" true }) || { @@ -84,16 +85,20 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } echo 000000000000000000000000 > in/in2 echo 111 > in/in3 - mkdir -p in2 - ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? - CNT=`ls in2/* 2>/dev/null | wc -l` - case "$CNT" in - *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; - *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 - ;; - esac - rm -f in2/in* + test "$OS" = "Darwin" && { + $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin" + } || { + mkdir -p in2 + ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? + CNT=`ls in2/* 2>/dev/null | wc -l` + case "$CNT" in + *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; + *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + ;; + esac + rm -f in2/in* + } export AFL_QUIET=1 if command -v bash >/dev/null ; then { ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null @@ -182,7 +187,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } # now we want to be sure that afl-fuzz is working # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$OS" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" true }) || { @@ -204,25 +209,29 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc } } echo 000000000000000000000000 > in/in2 - echo AAA > in/in3 - mkdir -p in2 - ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? - CNT=`ls in2/* 2>/dev/null | wc -l` - case "$CNT" in - *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; - \ *1|1) { # allow leading whitecase for portability - test -s in2/* && $ECHO "$YELLOW[?] afl-cmin did minimize to one testcase. This can be a bug or due compiler optimization." - test -s in2/* || { - $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 + echo AAA > in/in2 + test "$OS" = "Darwin" && { + $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin" + } || { + mkdir -p in2 + ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? + CNT=`ls in2/* 2>/dev/null | wc -l` + case "$CNT" in + *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; + \ *1|1) { # allow leading whitecase for portability + test -s in2/* && $ECHO "$YELLOW[?] afl-cmin did minimize to one testcase. This can be a bug or due compiler optimization." + test -s in2/* || { + $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + } } - } - ;; - *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 - ;; - esac - rm -f in2/in* + ;; + *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + ;; + esac + rm -f in2/in* + } export AFL_QUIET=1 if command -v bash >/dev/null ; then { ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 95e43b1c..53bbd7b4 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -2,6 +2,8 @@ . ./test-pre.sh +OS=$(uname -s) + $ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin" test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 @@ -123,7 +125,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } # now we want to be sure that afl-fuzz is working # make sure crash reporter is disabled on Mac OS X - (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + (test "$OS" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" CODE=1 true @@ -146,18 +148,22 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } } test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" || { + mkdir -p in2 echo 000000000000000000000000 > in/in2 echo 111 > in/in3 - mkdir -p in2 - ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? - CNT=`ls in2/* 2>/dev/null | wc -l` - case "$CNT" in - *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; - *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" - CODE=1 - ;; - esac - rm -f in2/in* + test "$OS" = "Darwin" && { + $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin" + } || { + ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr? + CNT=`ls in2/* 2>/dev/null | wc -l` + case "$CNT" in + *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;; + *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)" + CODE=1 + ;; + esac + rm -f in2/in* + } export AFL_QUIET=1 if type bash >/dev/null ; then { ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null -- cgit 1.4.1 From de561b730a810dce4589745442474e8ee8024275 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 19 Jan 2024 12:20:33 +0100 Subject: add compiler test script --- test/test-compilers.sh | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100755 test/test-compilers.sh (limited to 'test') diff --git a/test/test-compilers.sh b/test/test-compilers.sh new file mode 100755 index 00000000..628af423 --- /dev/null +++ b/test/test-compilers.sh @@ -0,0 +1,7 @@ +#!/bin/sh +echo Testing compilers ... +for cc in afl-cc afl-gcc afl-clang afl-clang-fast afl-clang-lto afl-gcc-fast; do + test -e ../$cc && { ../$cc -o t ../test-instr.c >/dev/null 2<&1 || echo Failing: $cc ; } || echo Missing: $cc +done +rm -f t +echo Done! -- cgit 1.4.1 From 227c1a7002dcb1042e4a02ec1f060bf408913b8c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 23 Jan 2024 19:55:35 +0100 Subject: improve compiler test script --- test/test-compilers.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test') diff --git a/test/test-compilers.sh b/test/test-compilers.sh index 628af423..b47cf38d 100755 --- a/test/test-compilers.sh +++ b/test/test-compilers.sh @@ -1,7 +1,7 @@ #!/bin/sh echo Testing compilers ... for cc in afl-cc afl-gcc afl-clang afl-clang-fast afl-clang-lto afl-gcc-fast; do - test -e ../$cc && { ../$cc -o t ../test-instr.c >/dev/null 2<&1 || echo Failing: $cc ; } || echo Missing: $cc + test -e ../$cc && { { ../$cc -o t ../test-instr.c >/dev/null 2<&1 && echo Success: $cc ; } || echo Failing: $cc ; } || echo Missing: $cc done rm -f t echo Done! -- cgit 1.4.1 From 9604fe922ede9282a06a89b8d18d4de267aebd54 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 30 Jan 2024 15:06:34 +0100 Subject: nyx test for CI --- src/afl-fuzz-init.c | 6 +++++ src/afl-fuzz.c | 9 +++++++ test/test-all.sh | 2 ++ test/test-nyx-mode.sh | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++ test/test-pre.sh | 2 +- 5 files changed, 87 insertions(+), 1 deletion(-) create mode 100755 test/test-nyx-mode.sh (limited to 'test') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 35932913..8ab44a3b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -124,6 +124,9 @@ void bind_to_free_cpu(afl_state_t *afl) { } WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set)."); + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = 0; } + #endif return; } @@ -151,6 +154,9 @@ void bind_to_free_cpu(afl_state_t *afl) { } else { OKF("CPU binding request using -b %d successful.", afl->cpu_to_bind); + #ifdef __linux__ + if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = afl->cpu_to_bind; } + #endif } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5aec072e..8cf6c735 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1915,6 +1915,15 @@ int main(int argc, char **argv_orig, char **envp) { bind_to_free_cpu(afl); #endif /* HAVE_AFFINITY */ + #ifdef __linux__ + if (afl->fsrv.nyx_mode && afl->fsrv.nyx_bind_cpu_id == 0xFFFFFFFF) { + + afl->fsrv.nyx_bind_cpu_id = 0; + + } + + #endif + #ifdef __HAIKU__ /* Prioritizes performance over power saving */ set_scheduler_mode(SCHEDULER_MODE_LOW_LATENCY); diff --git a/test/test-all.sh b/test/test-all.sh index 3cb692ca..65cfb812 100755 --- a/test/test-all.sh +++ b/test/test-all.sh @@ -16,6 +16,8 @@ . ./test-frida-mode.sh +. ./test-nyx-mode.sh + . ./test-unicorn-mode.sh . ./test-custom-mutators.sh diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh new file mode 100755 index 00000000..913a6d07 --- /dev/null +++ b/test/test-nyx-mode.sh @@ -0,0 +1,69 @@ +#!/bin/sh + +. ./test-pre.sh + +$ECHO "$BLUE[*] Testing: nyx_mode" + +test -e ../libnyx.so && { + ../afl-cc -o test-instr ../test-instr.c >/dev/null 2>&1 + test -e test-instr && { + { + rm -rf nyx-test in out + $ECHO "$GREY[*] running nyx_packer" + python3 ../nyx_mode/packer/packer/nyx_packer.py \ + ./test-instr \ + nyx-test \ + afl \ + instrumentation \ + --fast_reload_mode \ + --purge > /dev/null 2>&1 + + test -e nyx-test/test-instr && { + + $ECHO "$GREY[*] running nyx_config_gen" + python3 ../nyx_mode/packer/packer/nyx_config_gen.py nyx-test Kernel > /dev/null 2>&1 + + test -e nyx-test/config.ron && { + sudo modprobe -r kvm-intel + sudo modprobe -r kvm + sudo modprobe kvm enable_vmware_backdoor=y + sudo modprobe kvm-intel + #cat /sys/module/kvm/parameters/enable_vmware_backdoor + + mkdir -p in + echo 00000 > in/in + $ECHO "$GREY[*] running afl-fuzz for nyx_mode, this will take approx 10 seconds" + { + AFL_DEBUG=1 ../afl-fuzz -i in -o out -V05 -X -- ./nyx-test >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with nyx_mode" + RUNTIME=`grep execs_done out/default/fuzzer_stats | awk '{print$3}'` + rm -rf errors nyx-test test-instr in out + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with nyx_mode" + CODE=1 + } + } || { + $ECHO "$RED[!] nyx_packer failed, likely install requirements not met." + CODE=1 + } + } || { + $ECHO "$RED[!] nyx_packer failed, likely install requirements not met." + CODE=1 + } + #rm -rf test-instr in out errors nyx-test + } + } || { + $ECHO "$RED[!] afl-cc compilation of test targets failed - what is going on??" + CODE=1 + } +} || { + $ECHO "$YELLOW[-] nyx_mode is not compiled, cannot test" + INCOMPLETE=1 +} + +. ./test-post.sh diff --git a/test/test-pre.sh b/test/test-pre.sh index 1ca9dfb5..ce996415 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -20,7 +20,7 @@ echo foobar | grep -qE 'asd|oob' 2>/dev/null || { echo Error: grep command does test -e ./test-all.sh || cd $(dirname $0) || exit 1 test -e ./test-all.sh || { echo Error: you must be in the test/ directory ; exit 1 ; } export AFL_PATH=`pwd`/.. -export AFL_NO_AFFINITY=1 # workaround for travis that fails for no avail cores +export AFL_TRY_AFFINITY=1 # workaround for travis that fails for no avail cores echo 1 > test.1 echo 1 > test.2 -- cgit 1.4.1 From da5d3d63e20d7c522db06d7f8439ad3e386e2006 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 31 Jan 2024 17:00:04 +0100 Subject: test error output --- test/test-nyx-mode.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 913a6d07..1d97045b 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -5,7 +5,7 @@ $ECHO "$BLUE[*] Testing: nyx_mode" test -e ../libnyx.so && { - ../afl-cc -o test-instr ../test-instr.c >/dev/null 2>&1 + ../afl-cc -o test-instr ../test-instr.c > errors 2>&1 test -e test-instr && { { rm -rf nyx-test in out @@ -58,6 +58,9 @@ test -e ../libnyx.so && { #rm -rf test-instr in out errors nyx-test } } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-cc compilation of test targets failed - what is going on??" CODE=1 } -- cgit 1.4.1 From 3768933c92cd03e7810c856cf3c89e2d589b29dd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 31 Jan 2024 17:43:37 +0100 Subject: debug ci --- test/test-nyx-mode.sh | 3 +++ 1 file changed, 3 insertions(+) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 1d97045b..bfb2e8b7 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -42,6 +42,9 @@ test -e ../libnyx.so && { rm -rf errors nyx-test test-instr in out } || { echo CUT------------------------------------------------------------------CUT + afl-cc + afl-cc -v + clang -v cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with nyx_mode" -- cgit 1.4.1 From 970e0b14ce16c04a25ae90be81a933d943a04410 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 08:13:52 +0100 Subject: debug ci --- test/test-nyx-mode.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index bfb2e8b7..95829828 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -42,9 +42,8 @@ test -e ../libnyx.so && { rm -rf errors nyx-test test-instr in out } || { echo CUT------------------------------------------------------------------CUT - afl-cc - afl-cc -v - clang -v + ../afl-cc + ../afl-cc -v cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with nyx_mode" -- cgit 1.4.1 From 5da5d6e0dfe1e3f8a0068d9289ecc34dd8a7b6af Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 08:48:35 +0100 Subject: debug ci --- .github/workflows/ci.yml | 3 +-- test/test-nyx-mode.sh | 3 +++ 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3d20956b..fdf618b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,8 +33,7 @@ jobs: - name: install gcc plugin run: sudo apt-get install -y -m -f --install-suggests $(readlink /usr/bin/gcc)-plugin-dev - name: build afl++ - run: make distrib ASAN_BUILD=1 - # NO_NYX=1 + run: make distrib ASAN_BUILD=1 NO_NYX=1 - name: run tests run: sudo -E ./afl-system-config; make tests # macos: diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 95829828..7cffb321 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -4,6 +4,9 @@ $ECHO "$BLUE[*] Testing: nyx_mode" +env|grep -E 'NYX|AFL' +ls -al ../libnyx.so +ls -al ../afl-cc ../*.so test -e ../libnyx.so && { ../afl-cc -o test-instr ../test-instr.c > errors 2>&1 test -e test-instr && { -- cgit 1.4.1 From 123ec5d1361e922201e86fd20016c78900b329b8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 09:06:34 +0100 Subject: debug ci --- Dockerfile | 2 +- test/test-nyx-mode.sh | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/Dockerfile b/Dockerfile index 50dcd944..99998a61 100644 --- a/Dockerfile +++ b/Dockerfile @@ -88,7 +88,7 @@ ARG TEST_BUILD RUN sed -i.bak 's/^ -/ /g' GNUmakefile && \ make clean && make distrib && \ - ([ "${TEST_BUILD}" ] || (make install && make clean)) && \ + ([ "${TEST_BUILD}" ] || (make install)) && \ mv GNUmakefile.bak GNUmakefile RUN echo "set encoding=utf-8" > /root/.vimrc && \ diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 7cffb321..f2d217e9 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -4,9 +4,11 @@ $ECHO "$BLUE[*] Testing: nyx_mode" -env|grep -E 'NYX|AFL' -ls -al ../libnyx.so -ls -al ../afl-cc ../*.so +ls -al ../libnyx.so ../afl-* ../*.so +../afl-cc -h +../afl-clang-fast -h +../afl-clang-fast -v + test -e ../libnyx.so && { ../afl-cc -o test-instr ../test-instr.c > errors 2>&1 test -e test-instr && { -- cgit 1.4.1 From 6e6d91b6b08db7cbcbc1efd0bf7b6f9ed5d85078 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 09:23:01 +0100 Subject: debug ci --- test/test-nyx-mode.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index f2d217e9..99267ece 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -6,9 +6,12 @@ $ECHO "$BLUE[*] Testing: nyx_mode" ls -al ../libnyx.so ../afl-* ../*.so ../afl-cc -h -../afl-clang-fast -h ../afl-clang-fast -v - +echo AFL-CC +AFL_DEBUG=1 ../afl-cc -v -o test-inst ../test-instr.c 2>&1 +echo AFL-CLANG-FAST +AFL_DEBUG=1 ../afl-clang-fast -v -o test-inst ../test-instr.c 2>&1 +ls -l test-instr test -e ../libnyx.so && { ../afl-cc -o test-instr ../test-instr.c > errors 2>&1 test -e test-instr && { -- cgit 1.4.1 From 97ba817aa78888b318a76fa278a6fc4454cec1b7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 09:56:31 +0100 Subject: debug ci --- src/afl-cc.c | 5 +++++ test/test-nyx-mode.sh | 4 +--- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/src/afl-cc.c b/src/afl-cc.c index c300ddfc..5e28ff6f 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -51,6 +51,9 @@ #define MAX_PARAMS_NUM 2048 #endif +#undef LLVM_MAJOR +#define LLVM_MAJOR 10 + /** Global declarations -----BEGIN----- **/ typedef enum { @@ -3452,6 +3455,8 @@ int main(int argc, char **argv, char **envp) { if (aflcc->debug) debugf_args((s32)aflcc->cc_par_cnt, (char **)aflcc->cc_params); + printf("DEBUGXXX: param0=%s aflcc->compiler_mode=%d aflcc->instrument_mode=%d\n", aflcc->cc_params[0], aflcc->compiler_mode, aflcc->instrument_mode); + if (aflcc->passthrough) { argv[0] = aflcc->cc_params[0]; diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 99267ece..5b63d1b7 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -4,13 +4,11 @@ $ECHO "$BLUE[*] Testing: nyx_mode" +apt-cache search clang|grep -E '^clang-1' ls -al ../libnyx.so ../afl-* ../*.so ../afl-cc -h -../afl-clang-fast -v echo AFL-CC AFL_DEBUG=1 ../afl-cc -v -o test-inst ../test-instr.c 2>&1 -echo AFL-CLANG-FAST -AFL_DEBUG=1 ../afl-clang-fast -v -o test-inst ../test-instr.c 2>&1 ls -l test-instr test -e ../libnyx.so && { ../afl-cc -o test-instr ../test-instr.c > errors 2>&1 -- cgit 1.4.1 From 236fb9b1456d15a0c0962a95db87f3005446f1a0 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 12:03:02 +0100 Subject: debug ci --- .github/workflows/ci.yml | 6 +++--- test/test-nyx-mode.sh | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a18a891..9b2031ae 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,13 +20,13 @@ jobs: AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1 steps: - uses: actions/checkout@v3 - - name: debug - run: apt-cache search plugin-dev | grep gcc-; echo; apt-cache search clang-format- | grep clang-format- - name: update run: sudo apt-get update && sudo apt-get upgrade -y + - name: debug + run: apt-cache search plugin-dev | grep gcc-; echo; apt-cache search clang-format- | grep clang-format- - name: install packages #run: sudo apt-get install -y -m -f --install-suggests build-essential git libtool libtool-bin automake bison libglib2.0-0 clang llvm-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip - run: sudo apt-get install -y -m -f build-essential git libtool libtool-bin automake flex bison libglib2.0-0 clang-12 llvm-12-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip + run: sudo apt-get install -y -m -f build-essential gcc-10 g++-10 git libtool libtool-bin automake flex bison libglib2.0-0 clang-12 llvm-12-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip gcc-10-plugin-dev - name: compiler installed run: gcc -v; echo; clang -v - name: install gcc plugin diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 5b63d1b7..4d5f66ff 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -4,7 +4,10 @@ $ECHO "$BLUE[*] Testing: nyx_mode" +echo AFL_CC=$AFL_CC +unset AFL_CC apt-cache search clang|grep -E '^clang-1' +apt-cache search gcc|grep -E '^gcc-1' ls -al ../libnyx.so ../afl-* ../*.so ../afl-cc -h echo AFL-CC -- cgit 1.4.1 From 5549212d9e87de8f45cf72390cf549e23d7a9f60 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 12:59:37 +0100 Subject: clean test script --- test/test-nyx-mode.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 4d5f66ff..494a74f2 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -4,15 +4,8 @@ $ECHO "$BLUE[*] Testing: nyx_mode" -echo AFL_CC=$AFL_CC unset AFL_CC -apt-cache search clang|grep -E '^clang-1' -apt-cache search gcc|grep -E '^gcc-1' -ls -al ../libnyx.so ../afl-* ../*.so -../afl-cc -h -echo AFL-CC -AFL_DEBUG=1 ../afl-cc -v -o test-inst ../test-instr.c 2>&1 -ls -l test-instr + test -e ../libnyx.so && { ../afl-cc -o test-instr ../test-instr.c > errors 2>&1 test -e test-instr && { -- cgit 1.4.1 From 96ada75bd95741f99987e7bddeea8bde16ebc80c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 14:18:36 +0100 Subject: debug ci --- test/test-nyx-mode.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index 494a74f2..d30be39f 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -3,6 +3,7 @@ . ./test-pre.sh $ECHO "$BLUE[*] Testing: nyx_mode" +env unset AFL_CC @@ -44,8 +45,6 @@ test -e ../libnyx.so && { rm -rf errors nyx-test test-instr in out } || { echo CUT------------------------------------------------------------------CUT - ../afl-cc - ../afl-cc -v cat errors echo CUT------------------------------------------------------------------CUT $ECHO "$RED[!] afl-fuzz is not working correctly with nyx_mode" -- cgit 1.4.1 From d8e8d34c4e5d481433d7fa73db1583410a6981cd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 14:34:07 +0100 Subject: fix ci --- test/test-nyx-mode.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/test/test-nyx-mode.sh b/test/test-nyx-mode.sh index d30be39f..6de63f1b 100755 --- a/test/test-nyx-mode.sh +++ b/test/test-nyx-mode.sh @@ -3,7 +3,11 @@ . ./test-pre.sh $ECHO "$BLUE[*] Testing: nyx_mode" -env + +test "$CI" = "true" && { + $ECHO "$YELLOW[-] nyx_mode cannot be tested in the Github CI, skipping ..." + exit 0 +} unset AFL_CC -- cgit 1.4.1 From 5ba66a8860657b21c45480f1d565634cfe38a7dc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 1 Feb 2024 15:22:51 +0100 Subject: final touches for skipdet --- GNUmakefile.llvm | 2 +- docs/Changelog.md | 2 ++ src/afl-forkserver.c | 4 +++- src/afl-fuzz-state.c | 2 +- src/afl-fuzz.c | 22 ++++++++++++++-------- test/test-custom-mutators.sh | 4 ++-- 6 files changed, 23 insertions(+), 13 deletions(-) (limited to 'test') diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 7437130d..ec8fefe4 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -45,7 +45,7 @@ endif LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' ) LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' ) LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' ) -LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 ) +LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-8]\.' && echo 1 || echo 0 ) LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[8-9]|^2[0-9]' && echo 1 || echo 0 ) LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 ) LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 ) diff --git a/docs/Changelog.md b/docs/Changelog.md index 720a0689..29081549 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,8 @@ explore is slightly better now. - fixed minor issues in the mutation engine, thanks to @futhewo for reporting! + - better deterministic fuzzing is now available, benchmarks have shown + to improve fuzzing. Enable with -D. Thanks to @kdsjZh for the PR! - afl-cc: - large rewrite by @SonicStark which fixes a few corner cases, thanks! - LTO mode now requires llvm 12+ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 214b4fe9..ded0c21d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1019,7 +1019,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (status >= 0x41464c00 && status <= 0x41464cff) { - FATAL("Target uses the new forkserver model, you need to switch to a newer afl-fuzz too!"); + FATAL( + "Target uses the new forkserver model, you need to switch to a newer " + "afl-fuzz too!"); } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 6cf580ce..b647ac84 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -102,7 +102,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->stats_update_freq = 1; afl->stats_file_update_freq_msecs = STATS_UPDATE_SEC * 1000; afl->stats_avg_exec = 0; - afl->skip_deterministic = 0; + afl->skip_deterministic = 1; afl->sync_time = SYNC_TIME; afl->cmplog_lvl = 2; afl->min_length = 1; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7db1aeb3..69064d51 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -170,7 +170,7 @@ static void usage(u8 *argv0, int more_help) { " -g minlength - set min length of generated fuzz input (default: 1)\n" " -G maxlength - set max length of generated fuzz input (default: " "%lu)\n" - " -D - enable deterministic fuzzing (once per queue entry)\n" + " -D - enable (a new) effective deterministic fuzzing\n" " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" " pacemaker mode (minutes of no new finds). 0 = " @@ -955,14 +955,20 @@ int main(int argc, char **argv_orig, char **envp) { break; - case 'D': /* no deterministic */ + case 'D': /* partial deterministic */ - afl->skip_deterministic = 1; + afl->skip_deterministic = 0; break; - case 'd': /* partial deterministic */ + case 'd': /* no deterministic */ - afl->skip_deterministic = 0; + // this is the default and currently a lot of infrastructure enforces + // it (e.g. clusterfuzz, fuzzbench) based on that this feature + // originally was bad performance wise. We now have a better + // implementation, hence if it is activated, we do not want to + // deactivate it by such setups. + + // afl->skip_deterministic = 1; break; case 'B': /* load bitmap */ @@ -1424,11 +1430,11 @@ int main(int argc, char **argv_orig, char **envp) { } #endif + + // silently disable deterministic mutation if custom mutators are used if (!afl->skip_deterministic && afl->afl_env.afl_custom_mutator_only) { - FATAL( - "Using -D determinstic fuzzing is incompatible with " - "AFL_CUSTOM_MUTATOR_ONLY!"); + afl->skip_deterministic = 1; } diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh index 49feedc0..8c8b0ad3 100755 --- a/test/test-custom-mutators.sh +++ b/test/test-custom-mutators.sh @@ -38,7 +38,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results @@ -58,7 +58,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ multiple C mutators $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* 2>/dev/null )" && { # TODO: update here -- cgit 1.4.1 From c77709cdd9b50832ed537dfd65d30bc7ffa79e7b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 4 Feb 2024 16:03:12 +0100 Subject: add U256/32byte support --- include/cmplog.h | 19 ++++----- instrumentation/afl-compiler-rt.o.c | 78 +++++++++++++++++++++++++++---------- src/afl-forkserver.c | 10 +++++ src/afl-fuzz-redqueen.c | 10 ++--- src/afl-fuzz.c | 6 ++- test/test-llvm.sh | 2 +- 6 files changed, 87 insertions(+), 38 deletions(-) (limited to 'test') diff --git a/include/cmplog.h b/include/cmplog.h index 6bfc146b..91c2a665 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -43,13 +43,11 @@ struct cmp_header { - unsigned hits : 24; - unsigned id : 24; - unsigned shape : 5; - unsigned type : 2; - unsigned attribute : 4; - unsigned overflow : 1; - unsigned reserved : 4; + unsigned hits : 6; // up to 63 entries, we have CMP_MAP_H = 32 + unsigned shape : 6; // 63 bytes, we support 32 max + unsigned type : 2; // 4, we use 3: none, rtn, cmp + unsigned attribute : 4; // 16 for arithmetic comparison types + unsigned reserved : 6; } __attribute__((packed)); @@ -59,14 +57,17 @@ struct cmp_operands { u64 v1; u64 v0_128; u64 v1_128; + u64 unused; + u8 unused1; + u8 unused2; } __attribute__((packed)); struct cmpfn_operands { - u8 v0[31]; + u8 v0[32]; u8 v0_len; - u8 v1[31]; + u8 v1[32]; u8 v1_len; } __attribute__((packed)); diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index c342334c..a154bcf7 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -186,6 +186,8 @@ __thread u32 __afl_prev_ctx; struct cmp_map *__afl_cmp_map; struct cmp_map *__afl_cmp_map_backup; +static u8 __afl_cmplog_max_len = 16; + /* Child pid? */ static s32 child_pid; @@ -730,6 +732,12 @@ static void __afl_map_shm(void) { #endif // __AFL_CODE_COVERAGE + if (!__afl_cmp_map && getenv("AFL_CMPLOG_DEBUG")) { + + __afl_cmp_map_backup = __afl_cmp_map = malloc(sizeof(struct cmp_map)); + + } + } /* unmap SHM. */ @@ -1893,7 +1901,8 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) { void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) { - if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; + if (likely(!__afl_cmp_map)) return; + if (unlikely(arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -1931,7 +1940,8 @@ void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr) { // fprintf(stderr, "hook4 arg0=%x arg1=%x attr=%u\n", arg1, arg2, attr); - if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; + if (likely(!__afl_cmp_map)) return; + if (unlikely(arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -1969,7 +1979,8 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr) { // fprintf(stderr, "hook8 arg0=%lx arg1=%lx attr=%u\n", arg1, arg2, attr); - if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; + if (likely(!__afl_cmp_map)) return; + if (unlikely(arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -2012,7 +2023,8 @@ void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr, // (u64)(arg1 >> 64), (u64)arg1, (u64)(arg2 >> 64), (u64)arg2, size + 1, // attr); - if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; + if (likely(!__afl_cmp_map)) return; + if (unlikely(arg1 == arg2 || size > __afl_cmplog_max_len)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -2056,6 +2068,7 @@ void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr, void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) { if (likely(!__afl_cmp_map)) return; + if (16 > __afl_cmplog_max_len) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -2249,13 +2262,25 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) { // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len); if (likely(!__afl_cmp_map)) return; - if (unlikely(!len)) return; - int len0 = MIN(len, 31); + if (unlikely(!len || len > __afl_cmplog_max_len)) return; + + int len0 = MIN(len, 32); + int len1 = strnlen(ptr1, len0); - if (len1 < 31) len1 = area_is_valid(ptr1, len1 + 1); + if (len1 <= 32) len1 = area_is_valid(ptr1, len1 + 1); + if (len1 > __afl_cmplog_max_len) len1 = 0; + int len2 = strnlen(ptr2, len0); - if (len2 < 31) len2 = area_is_valid(ptr2, len2 + 1); - int l = MAX(len1, len2); + if (len2 <= 32) len2 = area_is_valid(ptr2, len2 + 1); + if (len2 > __afl_cmplog_max_len) len2 = 0; + + int l; + if (!len1) + l = len2; + else if (!len2) + l = len1; + else + l = MAX(len1, len2); if (l < 2) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); @@ -2299,10 +2324,18 @@ void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) { // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2); if (likely(!__afl_cmp_map)) return; if (unlikely(!ptr1 || !ptr2)) return; - int len1 = strnlen(ptr1, 30) + 1; - int len2 = strnlen(ptr2, 30) + 1; - int l = MAX(len1, len2); - if (l < 3) return; + int len1 = strnlen(ptr1, 31) + 1; + int len2 = strnlen(ptr2, 31) + 1; + if (len1 > __afl_cmplog_max_len) len1 = 0; + if (len2 > __afl_cmplog_max_len) len2 = 0; + int l; + if (!len1) + l = len2; + else if (!len2) + l = len1; + else + l = MAX(len1, len2); + if (l < 2) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -2344,7 +2377,7 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) { /* u32 i; - if (area_is_valid(ptr1, 31) <= 0 || area_is_valid(ptr2, 31) <= 0) return; + if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return; fprintf(stderr, "rtn arg0="); for (i = 0; i < 32; i++) fprintf(stderr, "%02x", ptr1[i]); @@ -2357,10 +2390,10 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) { // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2); if (likely(!__afl_cmp_map)) return; int l1, l2; - if ((l1 = area_is_valid(ptr1, 31)) <= 0 || - (l2 = area_is_valid(ptr2, 31)) <= 0) + if ((l1 = area_is_valid(ptr1, 32)) <= 0 || + (l2 = area_is_valid(ptr2, 32)) <= 0) return; - int len = MIN(31, MIN(l1, l2)); + int len = MIN(__afl_cmplog_max_len, MIN(l1, l2)); // fprintf(stderr, "RTN2 %u\n", len); uintptr_t k = (uintptr_t)__builtin_return_address(0); @@ -2409,7 +2442,7 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) { #if 0 /* u32 i; - if (area_is_valid(ptr1, 31) <= 0 || area_is_valid(ptr2, 31) <= 0) return; + if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return; fprintf(stderr, "rtn_n len=%u arg0=", len); for (i = 0; i < len; i++) fprintf(stderr, "%02x", ptr1[i]); @@ -2421,12 +2454,15 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) { // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len); if (likely(!__afl_cmp_map)) return; - if (unlikely(!len)) return; - int l = MIN(31, len); + if (!len) return; + int l = MIN(32, len), l1, l2; - if ((l = area_is_valid(ptr1, l)) <= 0 || (l = area_is_valid(ptr2, l)) <= 0) + if ((l1 = area_is_valid(ptr1, l)) <= 0 || (l2 = area_is_valid(ptr2, l)) <= 0) return; + len = MIN(l1, l2); + if (len > __afl_cmplog_max_len) return; + // fprintf(stderr, "RTN2 %u\n", l); uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a3a869d7..c5184639 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1105,6 +1105,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, fsrv->map_size = tmp_map_size; + } else { + + fsrv->real_map_size = fsrv->map_size = MAP_SIZE; + } if ((status & FS_NEW_OPT_SHDMEM_FUZZ)) { @@ -1208,6 +1212,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) report_error_and_exit(FS_OPT_GET_ERROR(status)); + if (fsrv->cmplog_binary) { + + FATAL("Target was recompiled with outdated CMPLOG, recompile it!\n"); + + } + if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { // workaround for recent AFL++ versions diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index eead7a8b..eb96de68 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -11,7 +11,7 @@ Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2024 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -2219,15 +2219,15 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, } - if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || - ol0 > 31 || ol1 > 31) { + if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 32 || l1 > 32 || + ol0 > 32 || ol1 > 32) { l0 = ol0 = hshape; } u8 lmax = MAX(l0, ol0); - u8 save[40]; + u8 save[80]; u32 saved_idx = idx, pre, from = 0, to = 0, i, j; u32 its_len = MIN(MIN(lmax, hshape), len - idx); its_len = MIN(its_len, taint_len); @@ -2330,7 +2330,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, u32 tob64 = 0, fromb64 = 0; u32 from_0 = 0, from_x = 0, from_X = 0, from_slash = 0, from_up = 0; u32 to_0 = 0, to_x = 0, to_slash = 0, to_up = 0; - u8 xor_val[32], arith_val[32], tmp[48]; + u8 xor_val[64], arith_val[64], tmp[64]; idx = saved_idx; its_len = saved_its_len; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b556b4b6..34268113 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -956,9 +956,11 @@ int main(int argc, char **argv_orig, char **envp) { break; case 'd': - case 'D': /* old deterministic */ + case 'D': /* old deterministic */ - WARNF("Parameters -d and -D are deprecated, a new enhanced deterministic fuzzing is active by default, to disable it use -z"); + WARNF( + "Parameters -d and -D are deprecated, a new enhanced deterministic " + "fuzzing is active by default, to disable it use -z"); break; case 'z': /* no deterministic */ diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 53bbd7b4..aef7a5e2 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -62,7 +62,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$RED[!] llvm_mode threadsafe instrumentation failed" CODE=1 } - rm -f test-instr.ts.0 test-instr.ts.1 + rm -f test-instr.ts.0 test-instr.ts.1 test-instr.ts } || { $ECHO "$RED[!] llvm_mode (threadsafe) failed" CODE=1 -- cgit 1.4.1 From 07bc202e0ad940e0cc7c8770f69ceb32ed851384 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 9 Feb 2024 13:51:05 +0100 Subject: fixes --- qemu_mode/QEMUAFL_VERSION | 2 +- qemu_mode/qemuafl | 2 +- src/afl-forkserver.c | 2 +- test/test-qemu-mode.sh | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION index b4e764b7..6f2a5979 100644 --- a/qemu_mode/QEMUAFL_VERSION +++ b/qemu_mode/QEMUAFL_VERSION @@ -1 +1 @@ -e63c9af193 +40033af00c diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index e63c9af1..40033af0 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit e63c9af1937c13163cd1bc8bc276101441cbe70a +Subproject commit 40033af00c4c5de172ed4fe60c21b9edbd2c189d diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 1d42adf5..8853458a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1222,7 +1222,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->cmplog_binary) { - FATAL("Target was recompiled with outdated CMPLOG, recompile it!\n"); + FATAL("Target was compiled with outdated CMPLOG, recompile it!\n"); } diff --git a/test/test-qemu-mode.sh b/test/test-qemu-mode.sh index 8eb7cb67..2ba81d02 100755 --- a/test/test-qemu-mode.sh +++ b/test/test-qemu-mode.sh @@ -63,7 +63,7 @@ test -e ../afl-qemu-trace && { { export AFL_PRELOAD=../libcompcov.so export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -m ${MEM_LIMIT} -V07 -Q -i in -o out -- ./test-compcov >>errors 2>&1 + AFL_NO_UI=1 ../afl-fuzz -V07 -Q -i in -o out -- ./test-compcov 2>&1 unset AFL_PRELOAD unset AFL_COMPCOV_LEVEL } >>errors 2>&1 @@ -88,7 +88,7 @@ test -e ../afl-qemu-trace && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds" { - ../afl-fuzz -m none -V07 -Q -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1 + ../afl-fuzz -V07 -Q -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog" -- cgit 1.4.1 From b282ce999d2ab9428210deb0e838f45a6a534084 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 13 May 2024 13:42:58 +0200 Subject: post_process after trim --- docs/Changelog.md | 1 + docs/custom_mutators.md | 5 ++++ src/afl-fuzz-run.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ test/test-llvm.sh | 5 ++-- 4 files changed, 71 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/docs/Changelog.md b/docs/Changelog.md index 9a95e343..818010a7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -7,6 +7,7 @@ * afl-fuzz - added AFL_DISABLE_REDUNDANT for huge queues - fix AFL_PERSISTENT_RECORD + - run custom_post_process after standard trimming - prevent filenames in the queue that have spaces - minor fix for FAST schedules - more frequent stats update when syncing (todo: check performance impact) diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 73e3c802..b7a7032f 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -266,6 +266,11 @@ trimmed input. Here's a quick API description: Omitting any of three trimming methods will cause the trimming to be disabled and trigger a fallback to the built-in default trimming routine. +**IMPORTANT** If you have a custom post process mutator that needs to be run +after trimming, you must call it yourself at the end of your successful +trimming! + + ### Environment Variables Optionally, the following environment variables are supported: diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ed7cb4ce..2a55da00 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -1028,6 +1028,68 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (needs_write) { + // run afl_custom_post_process + + if (unlikely(afl->custom_mutators_count) && + likely(!afl->afl_env.afl_post_process_keep_original)) { + + ssize_t new_size = q->len; + u8 *new_mem = in_buf; + u8 *new_buf = NULL; + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_post_process) { + + new_size = el->afl_custom_post_process(el->data, new_mem, new_size, + &new_buf); + + if (unlikely(!new_buf || new_size <= 0)) { + + new_size = 0; + new_buf = new_mem; + + } else { + + new_mem = new_buf; + + } + + } + + }); + + if (unlikely(!new_size)) { + + new_size = q->len; + new_mem = in_buf; + + } + + if (unlikely(new_size < afl->min_length)) { + + new_size = afl->min_length; + + } else if (unlikely(new_size > afl->max_length)) { + + new_size = afl->max_length; + + } + + q->len = new_size; + + if (new_mem != in_buf && new_mem != NULL) { + + new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch), new_size); + if (unlikely(!new_buf)) { PFATAL("alloc"); } + memcpy(new_buf, new_mem, new_size); + + in_buf = new_buf; + + } + + } + s32 fd; if (unlikely(afl->no_unlink)) { diff --git a/test/test-llvm.sh b/test/test-llvm.sh index aef7a5e2..13e1bad1 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -197,7 +197,8 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { for I in char short int long "long long"; do for BITS in 8 16 32 64; do bin="$testcase-split-$I-$BITS.compcov" - AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -fsigned-char -DINT_TYPE="$I" -o "$bin" "$testcase" > test.out 2>&1; + #AFL_LLVM_INSTRUMENT=AFL + AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -fsigned-char -DINT_TYPE="$I" -o "$bin" "$testcase" > test.out 2>&1; if ! test -e "$bin"; then cat test.out $ECHO "$RED[!] llvm_mode laf-intel/compcov integer splitting failed! ($testcase with type $I split to $BITS)!"; @@ -269,7 +270,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { { mkdir -p in echo 00000000000000000000000000000000 > in/in - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -l 3 -m none -V30 -i in -o out -c ./test-cmplog -- ./test-c >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -Z -l 3 -m none -V30 -i in -o out -c ./test-cmplog -- ./test-c >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" -- cgit 1.4.1 From a87ea969133d9d403fd5207ec08a1ffdc4d8376b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 14 May 2024 12:58:09 +0200 Subject: make slow systems pass our test suite --- test/test-cmplog.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 2ab579b0..0c91b21c 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -10,12 +10,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { if (i < 15) return -1; if (buf[0] != 'A') return 0; - if (buf[1] != 'B') return 0; - if (buf[2] != 'C') return 0; - if (buf[3] != 'D') return 0; - int *icmp = (int *)(buf + 4); + int *icmp = (int *)(buf + 1); if (*icmp != 0x69694141) return 0; - if (memcmp(buf + 8, "1234EF", 6) == 0) abort(); + if (memcmp(buf + 5, "1234EF", 6) == 0) abort(); return 0; } -- cgit 1.4.1 From 0a16ea74879a935bbeb33e488cd451d6d9a7e19a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 15 May 2024 10:57:46 +0200 Subject: better cmplog ci test for low memory machines --- test/test-llvm.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 13e1bad1..4dd35e6e 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -264,13 +264,12 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { } rm -f test-compcov test.out instrumentlist.txt AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1 - ../afl-clang-fast -O0 -o test-c test-cmplog.c > /dev/null 2>&1 test -e test-cmplog && { $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" { mkdir -p in echo 00000000000000000000000000000000 > in/in - AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -Z -l 3 -m none -V30 -i in -o out -c ./test-cmplog -- ./test-c >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -Z -l 3 -m none -V30 -i in -o out -c 0 -- ./test-cmplog >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog" @@ -285,7 +284,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$YELLOW[-] we cannot test llvm_mode cmplog because it is not present" INCOMPLETE=1 } - rm -rf errors test-cmplog test-c in core.* + rm -rf errors test-cmplog in core.* ../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { -- cgit 1.4.1