From cb01d566167b8c0d02a19485d13fdd05c1b8347b Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Tue, 7 Sep 2021 15:49:42 +0200
Subject: unicornafl clippy
---
 unicorn_mode/unicornafl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 019b8715..1c47d1eb 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad
+Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
-- cgit 1.4.1
From 8af84c203cfe241b5a8321c62387fd107ebf1031 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 7 Sep 2021 19:26:25 +0200
Subject: fix afl-showmap
---
 src/afl-showmap.c | 2 +-
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 27b1e14a..e143371e 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1189,7 +1189,7 @@ int main(int argc, char **argv_orig, char **envp) {
 }
- (void)check_binary_signatures(fsrv->target_path);
+ if (in_dir) { (void)check_binary_signatures(fsrv->target_path); }
 shm_fuzz = ck_alloc(sizeof(sharedmem_t));
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 1c47d1eb..019b8715 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
+Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad
-- cgit 1.4.1
From 4473904bc0de7011a77309d96f7090a51c8fe768 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 1 Oct 2021 13:25:02 +0200
Subject: fix -n
---
 docs/Changelog.md | 1 +
 src/afl-fuzz-stats.c | 5 +++--
 src/afl-fuzz.c | 2 +-
 unicorn_mode/unicornafl | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index de217c2e..dad5fee2 100644
--- a/docs/Changelog.md
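Review bot: The new `in_dir` guard around check_binary_signatures() carries no explanation, and the subject "fix afl-showmap" does not give one either, so a later reader cannot tell whether skipping the scan for a single-input run is a correctness requirement or merely avoids unneeded work. A one-line why-comment on the new line would settle it, e.g. `/* signature scan only matters for -i directory runs: <reason> */` with the actual reason filled in. The return value is still discarded through the `(void)` cast, so if the function also has a side effect that single-input mode depends on, this guard now silently drops it — worth confirming. main() continues outside the hunk.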
+++ b/docs/Changelog.md @@ -15,6 +15,7 @@ sending a mail to . information on how to deal with instrumenting libraries - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! + - fix -n dumb mode (nobody should use this) - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! - afl-cc: diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index eb1fe2d9..870ba69a 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -560,8 +560,9 @@ void show_stats(afl_state_t *afl) { /* Roughly every minute, update fuzzer stats and save auto tokens. */ - if (unlikely(afl->force_ui_update || - cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000)) { + if (unlikely(!afl->non_instrumented_mode && + (afl->force_ui_update || + cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000))) { afl->stats_last_stats_ms = cur_ms; write_stats_file(afl, t_bytes, t_byte_ratio, stab_ratio, diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8ffc0e77..87da9798 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1918,7 +1918,7 @@ int main(int argc, char **argv_orig, char **envp) { } - write_stats_file(afl, 0, 0, 0, 0); + if (!afl->non_instrumented_mode) { write_stats_file(afl, 0, 0, 0, 0); } maybe_update_plot_file(afl, 0, 0, 0); save_auto(afl); diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 019b8715..c0e03d2c 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad +Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8 -- cgit 1.4.1 From e80131bef50d343e71a08cdf6ae1aa57b4475867 Mon Sep 17 00:00:00 2001 
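Review bot: The comment directly above the changed condition in show_stats(), "Roughly every minute, update fuzzer stats and save auto tokens.", no longer describes the block: with the added `!afl->non_instrumented_mode &&` the whole block, including the `force_ui_update` path, is skipped in -n mode, and if it also saves auto tokens as the comment says, those are skipped too. Suggest extending it to `/* Roughly every minute, update fuzzer stats and save auto tokens. Skipped in -n (non-instrumented) mode, where no stats file is maintained. */`. The same flag gates write_stats_file() in the afl-fuzz.c hunk of this commit while the following maybe_update_plot_file() and save_auto() calls stay unconditional; if the intent is that -n runs keep no output statistics at all, the plot file probably wants the same gate — confirm which is intended. show_stats() and main() both continue outside their hunks.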
From: hexcoder-
Date: Sat, 2 Oct 2021 22:47:22 +0200
Subject: fix some compiler warnings in 32-bit linux
---
 frida_mode/src/instrument/instrument_x64.c | 11 +++++++----
 frida_mode/src/prefetch.c | 8 +++++---
 include/config.h | 4 ++--
 src/afl-analyze.c | 2 +-
 src/afl-fuzz.c | 2 +-
 src/afl-showmap.c | 2 +-
 src/afl-tmin.c | 2 +-
 unicorn_mode/unicornafl | 2 +-
 8 files changed, 19 insertions(+), 14 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index 8948c4df..1c2cf113 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -144,7 +144,7 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
 GumX86Writer *cw = output->writer.x86;
 GumAddress code_addr = 0;
 afl_log_code code = {0};
- guint64 instrument_hash_zero = 0;
+ /*guint64 instrument_hash_zero = 0;*/
 if (current_log_impl == 0 ||
 !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) ||
@@ -183,7 +183,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
 }
- *((gint *)&code.bytes[patch_offset1]) = (gint)current_pc_value1;
+ gint *dst_pc_value = (gint *)&code.bytes[patch_offset1];
+ *dst_pc_value = (gint)current_pc_value1;
 gssize current_pc_value2 = GPOINTER_TO_SIZE(&instrument_previous_pc) -
@@ -200,7 +201,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
 }
- *((gint *)&code.bytes[patch_offset2]) = (gint)current_pc_value2;
+ dst_pc_value = (gint *)&code.bytes[patch_offset2];
+ *dst_pc_value = (gint)current_pc_value2;
 gsize afl_area_ptr_value = GPOINTER_TO_SIZE(__afl_area_ptr) -
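Review bot: The first instrument_x64.c hunk replaces the unused `guint64 instrument_hash_zero = 0;` with the same line inside a comment rather than deleting it; commented-out code keeps the dead declaration in the file without the compiler checking it and invites someone to re-enable it later. Drop the line entirely — if the variable is expected to come back, a short `/* TODO: instrument_hash_zero was unused; re-add when <its use> lands */` says more than the stale code does. instrument_coverate_write_function() continues outside the hunk.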
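Review bot: In the @@ -183 hunk the store is still `*dst_pc_value = (gint)current_pc_value1;` through a `gint *` obtained by casting `&code.bytes[patch_offset1]`, so the only thing that changed is that the cast now lives in a named pointer; if the 32-bit warning being silenced was the strict-aliasing (type-punned pointer) one, the access it warned about is unchanged, and the same pattern is repeated in the @@ -200 and @@ -217 hunks of this file and in both prefetch.c hunks. The portable way to write an integer into a byte buffer is a memcpy, e.g. `gint pc1 = (gint)current_pc_value1;` followed by `memcpy(&code.bytes[patch_offset1], &pc1, sizeof pc1);` (prefetch.c already calls memcpy in the same function; instrument_x64.c may need `<string.h>`, which is not visible here). That also removes the alignment assumption the cast makes on the `bytes` array, whose type the hunk does not show. instrument_coverate_write_function() continues outside the hunk.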
@@ -217,7 +219,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) {
 }
- *((gint *)&code.bytes[afl_area_ptr_offset]) = (gint)afl_area_ptr_value;
+ gint *dst_afl_area_ptr_value = (gint *)&code.bytes[afl_area_ptr_offset];
+ *dst_afl_area_ptr_value = (gint)afl_area_ptr_value;
 gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c
index 0efbc9bf..c30ca65c 100644
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@@ -44,8 +44,9 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self,
 sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size;
 if (sizeof(gsize) + size > remaining) { return; }
- *(gsize *)(&prefetch_data->backpatch_data[prefetch_data->backpatch_size]) =
- size;
+ gsize *dst_backpatch_size = (gsize *)
+ &prefetch_data->backpatch_data[prefetch_data->backpatch_size];
+ *dst_backpatch_size = size;
 prefetch_data->backpatch_size += sizeof(gsize);
 memcpy(&prefetch_data->backpatch_data[prefetch_data->backpatch_size],
@@ -115,7 +116,8 @@ static void prefetch_read_patches(void) {
 remaining > sizeof(gsize);
 remaining = prefetch_data->backpatch_size - offset) {
- gsize size = *(gsize *)(&prefetch_data->backpatch_data[offset]);
+ gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset];
+ gsize size = *src_backpatch_data;
 offset += sizeof(gsize);
 if (prefetch_data->backpatch_size - offset < size) {
diff --git a/include/config.h b/include/config.h
index da74989e..4630da0c 100644
--- a/include/config.h
+++ b/include/config.h
@@ -237,11 +237,11 @@
 (note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c and afl-fuzz-state.c have to be changed as well! */
-#define MAX_FILE (1 * 1024 * 1024U)
+#define MAX_FILE (1 * 1024 * 1024L)
 /* The same, for the test case minimizer: */
-#define TMIN_MAX_FILE (10 * 1024 * 1024)
+#define TMIN_MAX_FILE (10 * 1024 * 1024L)
 /* Block normalization steps for afl-tmin: */
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index eef08494..8295488d 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -184,7 +184,7 @@ static void read_initial_file(void) {
 if (st.st_size >= TMIN_MAX_FILE) {
- FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024);
+ FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024);
 }
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 87da9798..92a37697 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1348,7 +1348,7 @@ int main(int argc, char **argv_orig, char **envp) {
 } else if (afl->q_testcase_max_cache_size < 2 * MAX_FILE) {
- FATAL("AFL_TESTCACHE_SIZE must be set to %u or more, or 0 to disable",
+ FATAL("AFL_TESTCACHE_SIZE must be set to %ld or more, or 0 to disable",
 (2 * MAX_FILE) % 1048576 == 0 ? (2 * MAX_FILE) / 1048576 : 1 + ((2 * MAX_FILE) / 1048576));
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index e143371e..75b0ff99 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -413,7 +413,7 @@ static u32 read_file(u8 *in_file) {
 if (!be_quiet && !quiet_mode) {
- WARNF("Input file '%s' is too large, only reading %u bytes.", in_file,
+ WARNF("Input file '%s' is too large, only reading %ld bytes.", in_file,
 MAX_FILE);
 }
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index dff51e84..4f3a6b80 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
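Review bot: Switching the suffix from `U` to `L` turns MAX_FILE from unsigned int into signed long and TMIN_MAX_FILE from int into long; the four `%ld` format fixes in afl-analyze.c, afl-fuzz.c, afl-showmap.c and afl-tmin.c then match, but every comparison of these constants against an unsigned length elsewhere (lengths in this codebase look to be u32, as the `static u32 read_file()` in the afl-showmap hunk suggests) becomes a signed/unsigned comparison. An unsigned suffix keeps the 32-bit fix without flipping signedness: `#define MAX_FILE (1 * 1024 * 1024UL)` and `#define TMIN_MAX_FILE (10 * 1024 * 1024UL)`, with `%lu` in the four messages. The config.h comment right above warns that changing this value needs matching edits in afl-fuzz.c and afl-fuzz-state.c; a type change deserves the same sweep.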
@@ -221,7 +221,7 @@ static void read_initial_file(void) { if (st.st_size >= TMIN_MAX_FILE) { - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024); } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c0e03d2c..1c47d1eb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8 +Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93 -- cgit 1.4.1 From 46683d651656f1876f6d4aeb24807ed71fa91237 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 4 Oct 2021 08:19:42 +0200 Subject: update docs --- README.md | 20 ++++++++++++++++---- docs/fuzzing_expert.md | 7 ++++++- qemu_mode/qemuafl | 2 +- unicorn_mode/unicornafl | 2 +- 4 files changed, 24 insertions(+), 7 deletions(-) (limited to 'unicorn_mode/unicornafl') diff --git a/README.md b/README.md index db6a70b5..76ef8448 100644 --- a/README.md +++ b/README.md 
@@ -66,17 +66,29 @@ A common way to do this would be: make clean all 2. Get a small but valid input file that makes sense to the program. -When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](../dictionaries/README.md), too. +When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described +in [dictionaries/README.md](../dictionaries/README.md), too. 3. If the program reads from stdin, run `afl-fuzz` like so: - ./afl-fuzz -i testcase_dir -o findings_dir -- \ - /path/to/tested/program [...program's cmdline...] +``` + ./afl-fuzz -i seeds_dir -o output_dir -- \ + /path/to/tested/program [...program's cmdline...] +``` - If the program takes input from a file, you can put `@@` in the program's command line; AFL will put an auto-generated file name in there for you. + To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz. + + If the program takes input from a file, you can put `@@` in the program's + command line; AFL will put an auto-generated file name in there for you. 4. Investigate anything shown in red in the fuzzer UI by promptly consulting [docs/status_screen.md](docs/status_screen.md). +5. You will find found crashes and hangs in the subdirectories `crashes/` and + `hangs/` in the `-o output_dir` directory. You can replay the crashes by + feeding them to the target, e.g.: + `cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]` + You can generate cores or use gdb directly to follow up the crashes. + ## Contact Questions? Concerns? Bug reports? diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 7695e21f..ca884159 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md 
@@ -540,6 +540,11 @@ To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/` If you have multiple servers then use the command after a sync, or you have to execute this script per server. +Another tool to inspect the current state and history of a specific instance +is afl-plot, which generates an index.html file and a graphs that show how +the fuzzing instance is performing. +The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot` + #### e) Stopping fuzzing, restarting fuzzing, adding new seeds To stop an afl-fuzz run, simply press Control-C. @@ -620,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns. If you want to know more, the tons of texts in [docs/](./) will have you covered. Note that there are also a lot of tools out there that help fuzzing with AFL++ -(some might be deprecated or unsupported), see [links_tools.md](links_tools.md). \ No newline at end of file +(some might be deprecated or unsupported), see [links_tools.md](links_tools.md). diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 86dead4d..a6758d1c 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit 86dead4dcb1aae7181fbf6b5f3706eee9f842e3a +Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 1c47d1eb..c0e03d2c 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93 +Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8 -- cgit 1.4.1 From 0a88a6c53071e9c203fa602e99e6510de14dacc0 Mon Sep 17 00:00:00 2001 
From: Dominik Maier
Date: Thu, 7 Oct 2021 15:02:04 +0200
Subject: get rid of i32 need for unicornafl regs in rust
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/samples/speedtest/rust/src/main.rs | 20 ++++++++++----------
 unicorn_mode/unicornafl | 2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 0d84243c..cbca63e5 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
+f1c853648a74b0157d233a2ef9f1693cfee78c11
diff --git a/unicorn_mode/samples/speedtest/rust/src/main.rs b/unicorn_mode/samples/speedtest/rust/src/main.rs
index 105ba4b4..77356a67 100644
--- a/unicorn_mode/samples/speedtest/rust/src/main.rs
+++ b/unicorn_mode/samples/speedtest/rust/src/main.rs
@@ -105,7 +105,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 // Set the program counter to the start of the code
 let main_locs = parse_locs("main").unwrap();
 //println!("Entry Point: {:x}", main_locs[0]);
- uc.reg_write(RegisterX86::RIP as i32, main_locs[0])?;
+ uc.reg_write(RIP, main_locs[0])?;
 // Setup the stack.
 uc.mem_map(
@@ -114,14 +114,14 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 Permission::READ | Permission::WRITE,
 )?;
 // Setup the stack pointer, but allocate two pointers for the pointers to input.
- uc.reg_write(RSP as i32, STACK_ADDRESS + STACK_SIZE - 16)?;
+ uc.reg_write(RSP, STACK_ADDRESS + STACK_SIZE - 16)?;
 // Setup our input space, and push the pointer to it in the function params
 uc.mem_map(INPUT_ADDRESS, INPUT_MAX as usize, Permission::READ)?;
 // We have argc = 2
- uc.reg_write(RDI as i32, 2)?;
+ uc.reg_write(RDI, 2)?;
 // RSI points to our little 2 QWORD space at the beginning of the stack...
- uc.reg_write(RSI as i32, STACK_ADDRESS + STACK_SIZE - 16)?;
+ uc.reg_write(RSI, STACK_ADDRESS + STACK_SIZE - 16)?;
 // ... which points to the Input. Write the ptr to mem in little endian.
 uc.mem_write(
 STACK_ADDRESS + STACK_SIZE - 16,
@@ -139,7 +139,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 abort();
 }
 // read the first param
- let malloc_size = uc.reg_read(RDI as i32).unwrap();
+ let malloc_size = uc.reg_read(RDI).unwrap();
 if malloc_size > HEAP_SIZE_MAX {
 println!(
 "Tried to allocate {} bytes, but we may only allocate up to {}",
@@ -147,8 +147,8 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 );
 abort();
 }
- uc.reg_write(RAX as i32, HEAP_ADDRESS).unwrap();
- uc.reg_write(RIP as i32, addr + size as u64).unwrap();
+ uc.reg_write(RAX, HEAP_ADDRESS).unwrap();
+ uc.reg_write(RIP, addr + size as u64).unwrap();
 already_allocated_malloc.set(true);
 };
@@ -160,7 +160,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 abort();
 }
 // read the first param
- let free_ptr = uc.reg_read(RDI as i32).unwrap();
+ let free_ptr = uc.reg_read(RDI).unwrap();
 if free_ptr != HEAP_ADDRESS {
 println!(
 "Tried to free wrong mem region {:x} at code loc {:x}",
@@ -168,7 +168,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> { ); abort(); } - uc.reg_write(RIP as i32, addr + size as u64).unwrap(); + uc.reg_write(RIP, addr + size as u64).unwrap(); already_allocated_free.set(false); }; @@ -178,7 +178,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> { // This is a fancy print function that we're just going to skip for fuzzing. let hook_magicfn = move |mut uc: UnicornHandle<'_, _>, addr, size| { - uc.reg_write(RIP as i32, addr + size as u64).unwrap(); + uc.reg_write(RIP, addr + size as u64).unwrap(); }; for addr in parse_locs("malloc").unwrap() { diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c0e03d2c..f1c85364 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8 +Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11 -- cgit 1.4.1 From 00aa689f40a3c8276af257cf0b54dc655cb0423e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 11 Oct 2021 14:28:17 +0200 Subject: fix accidental bystander kills --- docs/Changelog.md | 2 ++ qemu_mode/qemuafl | 2 +- src/afl-forkserver.c | 6 +++--- unicorn_mode/unicornafl | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) (limited to 'unicorn_mode/unicornafl') diff --git a/docs/Changelog.md b/docs/Changelog.md index dad5fee2..1c3830f9 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -18,6 +18,8 @@ sending a mail to . - fix -n dumb mode (nobody should use this) - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! + - Prevent accidently killing non-afl/fuzz services when aborting + afl-showmap and other tools. - afl-cc: - fix for shared linking on MacOS - llvm and LTO mode verified to work with new llvm 14-dev diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 71ed0d20..a6758d1c 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl 
@@ -1 +1 @@
-Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
+Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index c8c94c08..54f510c4 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -610,12 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 if (!time_ms) {
- kill(fsrv->fsrv_pid, fsrv->kill_signal);
+ if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); }
 } else if (time_ms > fsrv->init_tmout) {
 fsrv->last_run_timed_out = 1;
- kill(fsrv->fsrv_pid, fsrv->kill_signal);
+ if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); }
 } else {
@@ -1248,7 +1248,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
 /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */
- kill(fsrv->child_pid, fsrv->kill_signal);
+ if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); }
 fsrv->last_run_timed_out = 1;
 if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; }
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index f1c85364..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
-- cgit 1.4.1
From e0c052cad70b5cf2c86e1bda1d279a2ac1440077 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Tue, 12 Oct 2021 23:46:47 +0200
Subject: unicornafl bindings improved
---
 docs/Changelog.md | 1 +
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/samples/speedtest/rust/src/main.rs | 23 ++++++++++-------------
 unicorn_mode/unicornafl | 2 +-
 4 files changed, 13 insertions(+), 15 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 1c3830f9..ea58a386 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
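Review bot: The `fsrv->fsrv_pid > 0` / `fsrv->child_pid > 0` guard is now repeated three times across the two hunks, and every future kill() site in this file has to remember it; a tiny helper keeps the rule in one place: `static inline void kill_if_alive(pid_t pid, int sig) { if (pid > 0) { kill(pid, sig); } }`. The guard is what stops the "bystander kills" the subject names — kill(0, sig) signals the caller's whole process group and kill(-1, sig) every process it is allowed to signal — so it only works if fsrv_pid and child_pid are reset to a non-positive value once the process is reaped, which these hunks do not show; worth confirming at the waitpid() sites. afl_fsrv_start() and afl_fsrv_run_target() both continue outside their hunks.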
@@ -34,6 +34,7 @@ sending a mail to . - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) + - removed indirections in rust callbacks for unicornafl ### Version ++3.14c (release) diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index cbca63e5..e76da957 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -f1c853648a74b0157d233a2ef9f1693cfee78c11 +d06e3d5113dd96799a765a6514f7f5c45f071ca3 diff --git a/unicorn_mode/samples/speedtest/rust/src/main.rs b/unicorn_mode/samples/speedtest/rust/src/main.rs index 77356a67..89e10833 100644 --- a/unicorn_mode/samples/speedtest/rust/src/main.rs +++ b/unicorn_mode/samples/speedtest/rust/src/main.rs @@ -12,11 +12,11 @@ use std::{ use unicornafl::{ unicorn_const::{uc_error, Arch, Mode, Permission}, - RegisterX86::{self, *}, - Unicorn, UnicornHandle, + RegisterX86::*, + Unicorn, }; -const BINARY: &str = &"../target"; +const BINARY: &str = "../target"; // Memory map for the code to be tested // Arbitrary address where code to test will be loaded @@ -47,7 +47,7 @@ fn read_file(filename: &str) -> Result, io::Error> { fn parse_locs(loc_name: &str) -> Result, io::Error> { let contents = &read_file(&format!("../target.offsets.{}", loc_name))?; //println!("Read: {:?}", contents); - Ok(str_from_u8_unchecked(&contents) + Ok(str_from_u8_unchecked(contents) .split('\n') .map(|x| { //println!("Trying to convert {}", &x[2..]); @@ -87,8 +87,7 @@ fn main() { } fn fuzz(input_file: &str) -> Result<(), uc_error> { - let mut unicorn = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?; - let mut uc: UnicornHandle<'_, _> = unicorn.borrow(); + let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?; let binary = read_file(BINARY).unwrap_or_else(|_| panic!("Could not read modem image: {}", BINARY)); 
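Review bot: The changed line in parse_locs() still hands the raw bytes of the `../target.offsets.<name>` file to `str_from_u8_unchecked(contents)`; that function is outside the hunk, but if it wraps `std::str::from_utf8_unchecked`, feeding it file contents that were never validated is undefined behaviour on non-UTF-8 input, and the clippy clean-up did not touch that. Since parse_locs() already returns `io::Error`, the checked form fits without changing the signature: `std::str::from_utf8(contents).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?` in place of the unchecked call. parse_locs() continues outside the hunk.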
@@ -133,7 +132,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 let already_allocated_malloc = already_allocated.clone();
 // We use a very simple malloc/free stub here,
 // that only works for exactly one allocation at a time.
- let hook_malloc = move |mut uc: UnicornHandle<'_, _>, addr: u64, size: u32| {
+ let hook_malloc = move |uc: &mut Unicorn<'_, _>, addr: u64, size: u32| {
 if already_allocated_malloc.get() {
 println!("Double malloc, not supported right now!");
 abort();
@@ -154,7 +153,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 let already_allocated_free = already_allocated;
 // No real free, just set the "used"-flag to false.
- let hook_free = move |mut uc: UnicornHandle<'_, _>, addr, size| {
+ let hook_free = move |uc: &mut Unicorn<'_, _>, addr, size| {
 if already_allocated_free.get() {
 println!("Double free detected. Real bug?");
 abort();
@@ -177,7 +176,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 */
 // This is a fancy print function that we're just going to skip for fuzzing.
- let hook_magicfn = move |mut uc: UnicornHandle<'_, _>, addr, size| {
+ let hook_magicfn = move |uc: &mut Unicorn<'_, _>, addr, size| {
 uc.reg_write(RIP, addr + size as u64).unwrap();
 };
@@ -195,7 +194,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 }
 let place_input_callback =
- |uc: &mut UnicornHandle<'_, _>, afl_input: &mut [u8], _persistent_round| {
+ |uc: &mut Unicorn<'_, _>, afl_input: &mut [u8], _persistent_round| {
 // apply constraints to the mutated input
 if afl_input.len() > INPUT_MAX as usize {
 //println!("Skipping testcase with leng {}", afl_input.len());
@@ -209,9 +208,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 // return true if the last run should be counted as crash
 let crash_validation_callback =
- |_uc: &mut UnicornHandle<'_, _>, result, _input: &[u8], _persistent_round| {
- result != uc_error::OK
- };
+ |_uc: &mut Unicorn<'_, _>, result, _input: &[u8], _persistent_round| result != uc_error::OK;
 let end_addrs = parse_locs("main_ends").unwrap();
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index c0e03d2c..d06e3d51 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
+Subproject commit d06e3d5113dd96799a765a6514f7f5c45f071ca3
-- cgit 1.4.1
From 17c59de1c2ea73f358ff6d0df4c572c62ee650aa Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Wed, 13 Oct 2021 19:53:32 +0200
Subject: updated uc
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index e76da957..cc8d5b34 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-d06e3d5113dd96799a765a6514f7f5c45f071ca3
+d4915053d477dd827b3fe4b494173d3fbf9f456e
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d06e3d51..d4915053 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d06e3d5113dd96799a765a6514f7f5c45f071ca3
+Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
-- cgit 1.4.1
From 3deca3b09b46130c9e23320c0b98f60543f9b5ba Mon Sep 17 00:00:00 2001
From: vanhauser-thc Date: Fri, 15 Oct 2021 11:25:02 +0200 Subject: fix lto cmplog stability issue --- custom_mutators/grammar_mutator/grammar_mutator | 2 +- docs/Changelog.md | 1 + qemu_mode/qemuafl | 2 +- src/afl-fuzz-run.c | 30 +++++++++++++++++++++++-- unicorn_mode/unicornafl | 2 +- 5 files changed, 32 insertions(+), 5 deletions(-) (limited to 'unicorn_mode/unicornafl') diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index eedf07dd..b79d51a8 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit eedf07ddb0fb1f437f5e76b77cfd4064cf6a5d63 +Subproject commit b79d51a8daccbd7a693f9b6765c81ead14f28e26 diff --git a/docs/Changelog.md b/docs/Changelog.md index ea58a386..df4d343a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,7 @@ sending a mail to . - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! - fix -n dumb mode (nobody should use this) + - fix stability issue with LTO and cmplog - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! - Prevent accidently killing non-afl/fuzz services when aborting diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index a6758d1c..71ed0d20 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5 +Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6 diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4173f4e1..da6ba7d9 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
@@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 u32 handicap, u8 from_queue) {
- if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
-
 u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0,
 first_run = (q->exec_cksum == 0);
 u64 start_us, stop_us, diff_us;
@@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 u32 use_tmout = afl->fsrv.exec_tmout;
 u8 *old_sn = afl->stage_name;
+ if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
+
 /* Be a bit more generous about timeouts when resuming sessions, or when trying to calibrate already-added finds. This helps avoid trouble due to intermittent latency. */
@@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 }
+ /* we need a dummy run if this is LTO + cmplog */
+ if (unlikely(afl->shm.cmplog_mode)) {
+
+ write_to_testcase(afl, use_mem, q->len);
+
+ fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
+
+ /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
+ we want to bail out quickly. */
+
+ if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
+
+ if (!afl->non_instrumented_mode && !afl->stage_cur &&
+ !count_bytes(afl, afl->fsrv.trace_bits)) {
+
+ fault = FSRV_RUN_NOINST;
+ goto abort_calibration;
+
+ }
+
+#ifdef INTROSPECTION
+ if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
+#endif
+
+ }
+
 if (q->exec_cksum) {
 memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d4915053..f1c85364 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
-- cgit 1.4.1
From 8b1910e2689876c8ed4d0b9529296dc144692d35 Mon Sep 17 00:00:00 2001
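Review bot: The dummy-run block copies the no-instrumentation check from the calibration loop, including `!afl->stage_cur`, but at this point stage_cur is not a loop counter — it holds whatever the previous stage left unless something resets it between the function entry and here (not visible in the hunk) — so the FSRV_RUN_NOINST detection on the dummy run depends on stale state; the condition should read `if (!afl->non_instrumented_mode && !count_bytes(afl, afl->fsrv.trace_bits)) {`. Moving `q->exec_cksum = 0` below the declarations also changes `first_run`, which in cmplog mode is now computed from the pre-existing checksum instead of always being 1; if that is intended it deserves a sentence in the comment. The comment `/* we need a dummy run if this is LTO + cmplog */` names the symptom but not the mechanism — say what the first execution gets wrong so a reader knows when the workaround can go. `if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;` is the only unbraced body in the block; brace it like the rest. calibrate_case() continues outside the hunk.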
From: vanhauser-thc
Date: Fri, 15 Oct 2021 12:55:40 +0200
Subject: fix submodules
---
 unicorn_mode/unicornafl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index f1c85364..d4915053 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
+Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
-- cgit 1.4.1
From b12864b0beb04a3cc75f341ec96050644a252ce0 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Sat, 23 Oct 2021 22:20:40 +0200
Subject: updated unicorn bindings
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index cc8d5b34..e03b60c7 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-d4915053d477dd827b3fe4b494173d3fbf9f456e
+c347275f5c720aa7cba40fdd6b3b095f65901b76
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d4915053..c347275f 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit c347275f5c720aa7cba40fdd6b3b095f65901b76
-- cgit 1.4.1
From 4dfb7bfe4f0055683d8c0c31ac823537bb5367c8 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Sat, 23 Oct 2021 23:11:33 +0200
Subject: updated uc dependencies
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index e03b60c7..d6acbf91 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-c347275f5c720aa7cba40fdd6b3b095f65901b76
+94617f5b
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index c347275f..94617f5b 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit c347275f5c720aa7cba40fdd6b3b095f65901b76
+Subproject commit 94617f5bee0c08a5cbd1a1aa73f59cd973dfb17f
-- cgit 1.4.1
From 0f49463edec0c019bd098659fa74c58a2d28c439 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sun, 24 Oct 2021 19:41:06 +0200
Subject: fix
---
 src/afl-forkserver.c | 2 +-
 src/afl-showmap.c | 9 ++++++---
 unicorn_mode/unicornafl | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index c570a2bb..80b295e0 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -1301,7 +1301,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
 }
- if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1 ; }
+ if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1; }
 fsrv->total_execs++;
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 3a244c04..3826e385 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -77,7 +77,7 @@ static u32 tcnt, highest; /* tuple content information */
 static u32 in_len; /* Input data length */
-static u32 map_size = MAP_SIZE;
+static u32 map_size = MAP_SIZE, timed_out = 0;
 static bool quiet_mode, /* Hide non-essential messages? */
 edges_only, /* Ignore hit counts? */
@@ -148,6 +148,7 @@ static const u8 count_class_binary[256] = {
 static void kill_child() {
+ timed_out = 1;
 if (fsrv->child_pid > 0) {
 kill(fsrv->child_pid, fsrv->kill_signal);
@@ -373,9 +374,10 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem,
 if (!quiet_mode) {
- if (fsrv->last_run_timed_out) {
+ if (timed_out || fsrv->last_run_timed_out) {
 SAYF(cLRD "\n+++ Program timed off +++\n" cRST);
+ timed_out = 0;
 } else if (stop_soon) {
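Review bot: `timed_out` is written from kill_child(), which its name and its kill() body suggest runs as the timeout signal handler (the registration is outside the hunk); if so, a plain `u32` tucked onto the `map_size` declaration is the wrong type for a flag shared with a handler — declare it on its own line as `static volatile sig_atomic_t timed_out = 0; /* set by kill_child() on timeout */`. The two resets `timed_out = 0;` in the @@ -373 and @@ -581 hunks sit inside `if (!quiet_mode)`, so with -q the flag is never cleared and a single timeout would be reported for every later input should the flag ever be read outside that branch; clear it once before each target execution instead, so it describes the current run whatever the output mode. showmap_run_target_forkserver() and showmap_run_target() continue outside their hunks.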
@@ -581,9 +583,10 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
 if (!quiet_mode) {
- if (fsrv->last_run_timed_out) {
+ if (timed_out || fsrv->last_run_timed_out) {
 SAYF(cLRD "\n+++ Program timed off +++\n" cRST);
+ timed_out = 0;
 } else if (stop_soon) {
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 94617f5b..d4915053 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 94617f5bee0c08a5cbd1a1aa73f59cd973dfb17f
+Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
--
cgit 1.4.1
From d4ae8fde5deb9aeecb0d8c036c593589161106d0 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Wed, 1 Dec 2021 15:45:22 +0100
Subject: New unicornafl rust bindings (#1188)
* uc bindings
* fixed new uc rust bindings
* updated to latest uc1
* updated rust bindings
---
 unicorn_mode/UNICORNAFL_VERSION | 2 +-
 unicorn_mode/samples/speedtest/rust/Cargo.toml | 4 ++--
 unicorn_mode/samples/speedtest/rust/src/main.rs | 6 ++++--
 unicorn_mode/unicornafl | 2 +-
 unicorn_mode/update_uc_ref.sh | 4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index d6acbf91..dbe3999f 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-94617f5b
+9df92d6868e8b219886e4b7458e5e134c48ff2c9
diff --git a/unicorn_mode/samples/speedtest/rust/Cargo.toml b/unicorn_mode/samples/speedtest/rust/Cargo.toml
index c19ee0a1..9b81be0b 100644
--- a/unicorn_mode/samples/speedtest/rust/Cargo.toml
+++ b/unicorn_mode/samples/speedtest/rust/Cargo.toml
@@ -11,5 +11,5 @@ panic = "abort"
 [dependencies]
 unicornafl = { path = "../../../unicornafl/bindings/rust/", version="1.0.0" }
-capstone="0.6.0"
-libc="0.2.66"
\ No newline at end of file
+capstone="0.10.0"
+libc="0.2.66"
diff --git a/unicorn_mode/samples/speedtest/rust/src/main.rs b/unicorn_mode/samples/speedtest/rust/src/main.rs
index 89e10833..cded1a3c 100644
--- a/unicorn_mode/samples/speedtest/rust/src/main.rs
+++ b/unicorn_mode/samples/speedtest/rust/src/main.rs
@@ -11,6 +11,7 @@ use std::{
 };
 use unicornafl::{
+ afl::afl_fuzz,
 unicorn_const::{uc_error, Arch, Mode, Permission},
 RegisterX86::*,
 Unicorn,
@@ -87,7 +88,7 @@ fn main() {
 }
 fn fuzz(input_file: &str) -> Result<(), uc_error> {
- let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?;
+ let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64)?;
 let binary = read_file(BINARY).unwrap_or_else(|_| panic!("Could not read modem image: {}", BINARY));
@@ -212,7 +213,8 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
 let end_addrs = parse_locs("main_ends").unwrap();
- let ret = uc.afl_fuzz(
+ let ret = afl_fuzz(
+ &mut uc,
 input_file,
 place_input_callback,
 &end_addrs,
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d4915053..9df92d68 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9
diff --git a/unicorn_mode/update_uc_ref.sh b/unicorn_mode/update_uc_ref.sh
index 7c1c7778..6e809a7b 100755
--- a/unicorn_mode/update_uc_ref.sh
+++ b/unicorn_mode/update_uc_ref.sh
@@ -21,10 +21,10 @@ fi
 git submodule init && git submodule update unicornafl || exit 1
 cd ./unicornafl || exit 1
-git fetch origin dev 1>/dev/null || exit 1
+git fetch origin uc1 1>/dev/null || exit 1
 git stash 1>/dev/null 2>/dev/null
 git stash drop 1>/dev/null 2>/dev/null
-git checkout dev
+git checkout uc1
 if [ -z "$NEW_VERSION" ]; then
 # No version provided, take HEAD.
--
cgit 1.4.1
From 80d5afa3738c06a376f8a256129537a9cbdd2229 Mon Sep 17 00:00:00 2001
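Review bot: `git checkout uc1` in the update_uc_ref.sh hunk still runs without a failure check, while the `git fetch origin uc1 1>/dev/null || exit 1` line two steps above has one; if the checkout fails (the stash steps silence their own errors, so a dirty tree would not be noticed earlier), the script carries on and the "take HEAD" path below would record whatever commit is currently checked out instead of the tip of `uc1`. The change is one line: `git checkout uc1 || exit 1`. Since the branch name now appears twice in this hunk, a single `UC_BRANCH=uc1` variable near the top of the script would keep the fetch and checkout from drifting apart on the next branch switch. The rest of the script runs outside the hunk.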
From: vanhauser-thc
Date: Wed, 1 Dec 2021 16:26:36 +0100
Subject: todo
---
 TODO.md | 4 ++--
 unicorn_mode/unicornafl | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'unicorn_mode/unicornafl')
diff --git a/TODO.md b/TODO.md
index 7d2339eb..77fb080f 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,6 +1,6 @@
 # TODO list for AFL++
-## TODO
+## Should
 - better autodetection of shifting runtime timeout values
 - Update afl->pending_not_fuzzed for MOpt
@@ -8,7 +8,7 @@
 - parallel builds for source-only targets
 - get rid of check_binary, replace with more forkserver communication
-## Perhaps
+## Maybe
 - afl_custom_fuzz_splice_optin()
 - afl_custom_splice()
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 9df92d68..d4915053 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9
+Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
--
cgit 1.4.1