From adae07d0138d25594efb765dc30e19af32222bee Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 4 Nov 2019 15:46:49 +0100 Subject: restored big-endian compcov in unicorn --- unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h | 74 +++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) (limited to 'unicorn_mode') diff --git a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h index 53ab654c..3603fae0 100644 --- a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h +++ b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h @@ -33,6 +33,78 @@ #include "uc_priv.h" #include "afl-unicorn-common.h" +void HELPER(afl_compcov_log_16)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff) == (arg2 & 0xff)) { INC_AFL_AREA(cur_loc); } + +} + +void HELPER(afl_compcov_log_32)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff) == (arg2 & 0xff)) { + + INC_AFL_AREA(cur_loc); + if ((arg1 & 0xffff) == (arg2 & 0xffff)) { + + INC_AFL_AREA(cur_loc + 1); + if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { INC_AFL_AREA(cur_loc + 2); } + + } + + } + +} + +void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff) == (arg2 & 0xff)) { + + INC_AFL_AREA(cur_loc); + if ((arg1 & 0xffff) == (arg2 & 0xffff)) { + + INC_AFL_AREA(cur_loc + 1); + if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { + + INC_AFL_AREA(cur_loc + 2); + if ((arg1 & 0xffffffff) == (arg2 & 0xffffffff)) { + + INC_AFL_AREA(cur_loc + 3); + if ((arg1 & 0xffffffffff) == (arg2 & 0xffffffffff)) { + + INC_AFL_AREA(cur_loc + 4); + if ((arg1 & 0xffffffffffff) == (arg2 & 0xffffffffffff)) { + + INC_AFL_AREA(cur_loc + 5); + if ((arg1 & 0xffffffffffffff) == (arg2 & 0xffffffffffffff)) { + + INC_AFL_AREA(cur_loc + 6); + + } + + } + + } + + } + + } + + } + + } + +} + +/* // Little endian CompCov void HELPER(afl_compcov_log_16)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, uint64_t arg2) { @@ -99,4 +171,4 @@ void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, } } - +*/ -- cgit 1.4.1 From 73cb58726649b860cbea9eef727e90ad14be4b31 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 5 Nov 2019 18:39:16 +0100 Subject: test unicorn && AFL_DISABLE_TRIM env var --- include/afl-fuzz.h | 3 ++- src/afl-fuzz-globals.c | 3 ++- src/afl-fuzz-one.c | 2 +- src/afl-fuzz.c | 3 +++ test/test.sh | 1 + unicorn_mode/samples/compcov_x64/compcov_target.bin | Bin 86 -> 86 bytes unicorn_mode/samples/compcov_x64/compcov_target.c | 4 +--- unicorn_mode/samples/compcov_x64/compcov_target.elf | Bin 5728 -> 5728 bytes 8 files changed, 10 insertions(+), 6 deletions(-) (limited to 'unicorn_mode') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 637c2795..90f3b419 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -315,7 +315,8 @@ extern u8 skip_deterministic, /* Skip deterministic stages? */ deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ + uses_asan, /* Target uses ASAN? */ + disable_trim; /* Never trim in fuzz_one */ extern s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 36ba6e14..06eb06d8 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -122,7 +122,8 @@ u8 skip_deterministic, /* Skip deterministic stages? */ deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ + uses_asan, /* Target uses ASAN? */ + disable_trim; /* Never trim in fuzz_one */ s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index bed8d254..8ca219b5 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -449,7 +449,7 @@ u8 fuzz_one_original(char** argv) { * TRIMMING * ************/ - if (!dumb_mode && !queue_cur->trim_done && !custom_mutator) { + if (!dumb_mode && !queue_cur->trim_done && !custom_mutator && !disable_trim) { u8 res = trim_case(argv, queue_cur, in_buf); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 14d7802d..26ed7b61 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -551,6 +551,9 @@ int main(int argc, char** argv) { } + if (getenv("AFL_DISABLE_TRIM")) + disable_trim = 1; + if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive"); diff --git a/test/test.sh b/test/test.sh index f954776f..f086ee50 100755 --- a/test/test.sh +++ b/test/test.sh @@ -485,6 +485,7 @@ test -d ../unicorn_mode/unicorn && { } rm -f errors + echo -e '\xbf' > in/in $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" { export AFL_COMPCOV_LEVEL=2 diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.bin b/unicorn_mode/samples/compcov_x64/compcov_target.bin index 091bf1db..30eada89 100644 Binary files a/unicorn_mode/samples/compcov_x64/compcov_target.bin and b/unicorn_mode/samples/compcov_x64/compcov_target.bin differ diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.c b/unicorn_mode/samples/compcov_x64/compcov_target.c index eb1205b1..f4576261 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.c +++ b/unicorn_mode/samples/compcov_x64/compcov_target.c @@ -16,11 +16,9 @@ int main(void) { unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; - if (data_buf[0] == 0xabadcafe) { - // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' + if (((unsigned short*)data_buf)[0] == 0xaabb) { unsigned char invalid_read = *(unsigned char *) 0x00000000; } else if (data_buf[1] == data_buf[2] + 0x4141) { - // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] unsigned char invalid_read = *(unsigned char *) 0x00000000; } diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.elf b/unicorn_mode/samples/compcov_x64/compcov_target.elf index 7015fb46..9f90f8d2 100755 Binary files a/unicorn_mode/samples/compcov_x64/compcov_target.elf and b/unicorn_mode/samples/compcov_x64/compcov_target.elf differ -- cgit 1.4.1 From 7c99027c3165e2f411ca6caa0c119e7b69a2132c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 Nov 2019 13:31:58 +0100 Subject: unicorn libcompcov testcase made easier --- unicorn_mode/samples/compcov_x64/compcov_target.bin | Bin 86 -> 86 bytes unicorn_mode/samples/compcov_x64/compcov_target.c | 4 ++-- unicorn_mode/samples/compcov_x64/compcov_target.elf | Bin 5728 -> 13200 bytes 3 files changed, 2 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.bin b/unicorn_mode/samples/compcov_x64/compcov_target.bin index 30eada89..2874860b 100644 Binary files a/unicorn_mode/samples/compcov_x64/compcov_target.bin and b/unicorn_mode/samples/compcov_x64/compcov_target.bin differ diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.c b/unicorn_mode/samples/compcov_x64/compcov_target.c index f4576261..0c863b25 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.c +++ b/unicorn_mode/samples/compcov_x64/compcov_target.c @@ -16,9 +16,9 @@ int main(void) { unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; - if (((unsigned short*)data_buf)[0] == 0xaabb) { + if (((unsigned short*)data_buf)[0] == 0x0100) { unsigned char invalid_read = *(unsigned char *) 0x00000000; - } else if (data_buf[1] == data_buf[2] + 0x4141) { + } else if (data_buf[1] == data_buf[2] + 0xfffe) { unsigned char invalid_read = *(unsigned char *) 0x00000000; } diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.elf b/unicorn_mode/samples/compcov_x64/compcov_target.elf index 9f90f8d2..0f1ad916 100755 Binary files a/unicorn_mode/samples/compcov_x64/compcov_target.elf and b/unicorn_mode/samples/compcov_x64/compcov_target.elf differ -- cgit 1.4.1 From 499f078c3759a22dd5cfd81d2271969f19b75090 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 Nov 2019 11:48:39 +0100 Subject: f*ckin travis --- docs/ChangeLog | 2 ++ qemu_mode/build_qemu_support.sh | 5 ++++- unicorn_mode/build_unicorn_support.sh | 5 ++++- 3 files changed, 10 insertions(+), 2 deletions(-) (limited to 'unicorn_mode') diff --git a/docs/ChangeLog b/docs/ChangeLog index 3924226e..7bc6dec4 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -25,6 +25,8 @@ Version ++2.58d (dev): - libcompcov floating point splitting support for qemu and unicorn - Dockerfile by courtesy of devnexen - ripped regex.dictionary from Google afl PR + - qemu and unicorn download scripts now try to download until the full + download succeeded. f*ckin travis fails downloading 40% of the time! - removed unnecessary warnings diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 6b9f91f9..c3983aa1 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -100,7 +100,10 @@ if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then echo "[*] Downloading QEMU ${VERSION} from the web..." rm -f "$ARCHIVE" - wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1 + OK= + while [ -z "$OK" ]; do + wget -c -O "$ARCHIVE" -- "$QEMU_URL" && OK=1 + done CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1` diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 3bd404b8..fdbcda62 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -106,7 +106,10 @@ if [ ! "$CKSUM" = "$UNICORN_SHA384" ]; then echo "[*] Downloading Unicorn v1.0.1 from the web..." rm -f "$ARCHIVE" - wget -O "$ARCHIVE" -- "$UNICORN_URL" || exit 1 + OK= + while [ -z "$OK" ]; do + wget -c -O "$ARCHIVE" -- "$UNICORN_URL" && OK=1 + done CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1` -- cgit 1.4.1