From 4721d869ad70241953cd74bcc391f794bed72eb7 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Thu, 20 Jan 2022 17:33:17 +0100
Subject: Poison with ASan the remaining unused input buffer in aflpp_driver.c
---
 utils/aflpp_driver/aflpp_driver.c | 57 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)
(limited to 'utils/aflpp_driver')
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index ff42f3b9..65b8de06 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -62,6 +62,25 @@ extern unsigned char *__afl_fuzz_ptr;
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
+// Default nop ASan hooks for manual posisoning when not linking the ASan
+// runtime
+// https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning
+__attribute__((weak)) void __asan_poison_memory_region(
+ void const volatile *addr, size_t size) {
+
+ (void)addr;
+ (void)size;
+
+}
+
+__attribute__((weak)) void __asan_unpoison_memory_region(
+ void const volatile *addr, size_t size) {
+
+ (void)addr;
+ (void)size;
+
+}
+
 // Notify AFL about persistent mode.
 static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##";
 int __afl_persistent_loop(unsigned int);
@@ -175,6 +194,9 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 unsigned char *buf = (unsigned char *)malloc(MAX_FILE);
+ __asan_poison_memory_region(buf, MAX_FILE);
+ ssize_t prev_length = 0;
+
 for (int i = 1; i < argc; i++) {
 int fd = 0;
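Review bot: The comment over the two weak stubs has a typo (`posisoning`) and, more importantly, does not say why they are weak, which is the one thing a reader needs before deleting them as dead code. Suggest `// No-op fallbacks for ASan's manual poisoning API. Declared weak so that the` / `// real definitions win whenever the ASan runtime is linked in.` in place of the first two comment lines. The parameter types should stay exactly as the sanitizer interface declares them (`void const volatile *, size_t`); nothing visible in the hunk provides a prototype that would catch a drift.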
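Review bot: `__asan_poison_memory_region(buf, MAX_FILE);` is applied to the malloc result from the context line above without a NULL check, so on allocation failure the poison call and the reads that follow operate on address 0; the weak no-op stub hides that only when ASan is not linked. Bail out before poisoning, e.g. `if (!buf) { return 1; }`, using whatever failure value ExecuteFilesOnyByOne's callers expect — the function's return path lies outside the hunk.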
@@ -187,6 +209,18 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 if (length > 0) {
+ if (length < prev_length) {
+
+ __asan_poison_memory_region(buf + length, prev_length - length);
+
+ } else {
+
+ __asan_unpoison_memory_region(buf + prev_length, length - prev_length);
+
+ }
+
+ prev_length = length;
+
 printf("Reading %zu bytes from %s\n", length, argv[i]);
 LLVMFuzzerTestOneInput(buf, length);
 printf("Execution successful.\n");
@@ -284,9 +318,14 @@ int main(int argc, char **argv) {
 // on the first execution of LLVMFuzzerTestOneInput is ignored.
 LLVMFuzzerTestOneInput(dummy_input, 1);
+ __asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE);
+ size_t prev_length = 0;
+
 int num_runs = 0;
 while (__afl_persistent_loop(N)) {
+ size_t length = *__afl_fuzz_len;
+
 #ifdef _DEBUG
 fprintf(stderr, "CLIENT crc: %016llx len: %u\n",
 hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705),
@@ -297,10 +336,24 @@ int main(int argc, char **argv) {
 fprintf(stderr, "\n");
 #endif
- if (*__afl_fuzz_len) {
+ if (length) {
+
+ if (length < prev_length) {
+
+ __asan_poison_memory_region(__afl_fuzz_ptr + length,
+ prev_length - length);
+
+ } else {
+
+ __asan_unpoison_memory_region(__afl_fuzz_ptr + prev_length,
+ length - prev_length);
+
+ }
+
+ prev_length = length;
 num_runs++;
- LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
+ LLVMFuzzerTestOneInput(__afl_fuzz_ptr, length);
 }
-- 
cgit 1.4.1
From a9d549ca073ca3fc37b63c1fa454c575bba174b9 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Thu, 20 Jan 2022 17:41:38 +0100
Subject: Raw read syscall in aflpp_driver.c to bypass ASan checks
---
 utils/aflpp_driver/aflpp_driver.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'utils/aflpp_driver')
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index 65b8de06..547b78fb 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
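Review bot: The `} else {` branch also runs when `length == prev_length`, issuing `__asan_unpoison_memory_region(buf + prev_length, 0)` on every repeated-size input; harmless, but a wasted call on the hot path. `} else if (length > prev_length) {` skips it and documents the invariant that prev_length only moves by the difference. The same shape appears in main() in the hunk `@@ -297,10 +336,24 @@` on this line; a later commit in this series tightens main()'s copy but leaves this one unchanged.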
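Review bot: `size_t length = *__afl_fuzz_len;` is later used as an unpoison size against a region that was poisoned for exactly MAX_FILE bytes, and nothing in the hunk bounds it: if the shared-memory length ever exceeded MAX_FILE the unpoison would run past the buffer. A one-line clamp, `if (length > MAX_FILE) length = MAX_FILE;`, or at least a comment stating that afl-fuzz guarantees `*__afl_fuzz_len <= MAX_FILE`, makes the assumption explicit. The poison call also presumes `__afl_fuzz_ptr` already points at a MAX_FILE-byte buffer at this point; where that is set up is outside the hunk, so a short comment on the poison line would help the next reader.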
@@ -45,6 +45,9 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out
 #include
 #include
 #include
+#ifndef __HAIKU__
+ #include
+#endif
 #include "config.h"
 #include "types.h"
@@ -205,7 +208,11 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
 if (fd == -1) { continue; }
- ssize_t length = read(fd, buf, MAX_FILE);
+#ifndef __HAIKU__
+ ssize_t length = syscall(SYS_read, fd, buf, MAX_FILE);
+#else
+ ssize_t length = _kern_read(fd, buf, MAX_FILE);
+#endif // HAIKU
 if (length > 0) {
-- 
cgit 1.4.1
From 22da04f077d2a5b16ffb48acbd668f29d21e6b64 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 21 Jan 2022 10:13:37 +0100
Subject: fix
---
 nyx_mode/QEMU-Nyx | 2 +-
 nyx_mode/libnyx | 2 +-
 nyx_mode/packer | 2 +-
 src/afl-cc.c | 8 +++----
 utils/aflpp_driver/aflpp_driver.c | 48 ++++++++++++++++++++-------------------
 5 files changed, 31 insertions(+), 31 deletions(-)
(limited to 'utils/aflpp_driver')
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
index 902306be..d5a7011a 160000
--- a/nyx_mode/QEMU-Nyx
+++ b/nyx_mode/QEMU-Nyx
@@ -1 +1 @@
-Subproject commit 902306beb01d858dcbcbaf0e1be26ce9dd0f293f
+Subproject commit d5a7011ad20ba5ba91f1371f9d40154035d5d768
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx
index a5ae4c13..ecbcb2d7 160000
--- a/nyx_mode/libnyx
+++ b/nyx_mode/libnyx
@@ -1 +1 @@
-Subproject commit a5ae4c13e11de776779444eb69932802e102d7c4
+Subproject commit ecbcb2d7234fef0b5e1db8ca6019e6137ee0582d
diff --git a/nyx_mode/packer b/nyx_mode/packer
index 8842549b..f91742ce 160000
--- a/nyx_mode/packer
+++ b/nyx_mode/packer
@@ -1 +1 @@
-Subproject commit 8842549b5612a890258dcef812276cfdb62b76c7
+Subproject commit f91742ce6c51eee133b5675edd68f39202785db1
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 974b1d2a..9197c74b 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
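Review bot: The switch from read() to `syscall(SYS_read, fd, buf, MAX_FILE)` carries no comment saying why, so the next reader is likely to "simplify" it back; suggest `// raw syscall on purpose: ASan's read() interceptor would report the write into the still-poisoned buffer` above the `#ifndef __HAIKU__`. On the `#else` branch, as far as I recall Haiku's `_kern_read` takes `(int fd, off_t pos, void *buffer, size_t bufferSize)`, so the three-argument call would not compile there — worth checking against the Haiku headers before relying on that branch. The enclosing loop of ExecuteFilesOnyByOne starts and ends outside the hunk.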
@@ -767,15 +767,13 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 u8 *afllib = find_object("libAFLDriver.a", argv[0]);
 if (!be_quiet)
- WARNF(
- "Found erroneous '-fsanitize=fuzzer', trying to replace with "
- "libAFLDriver.a");
+ OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a");
 if (!afllib) {
 WARNF(
- "Cannot find 'libAFLDriver.a' to replace a wrong "
- "'-fsanitize=fuzzer' in the flags - this will fail!");
+ "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in "
+ "the flags - this will fail!");
 } else {
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index 547b78fb..c648674a 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -84,6 +84,8 @@ __attribute__((weak)) void __asan_unpoison_memory_region(
 }
+__attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size);
+
 // Notify AFL about persistent mode.
 static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##";
 int __afl_persistent_loop(unsigned int);
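Review bot: `if (!be_quiet)` followed by the unbraced `OKF(...)` on the new line is the one control body in the hunk without braces, while `if (!afllib) {` right below uses them; wrap it as `if (!be_quiet) { OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a"); }` so a later second statement cannot silently land outside the condition. edit_params continues on both sides of the hunk.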
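Review bot: `__asan_region_is_poisoned` is declared weak and never defined here, which is exactly what makes its address usable as an "is the ASan runtime linked" probe in main() (hunk `@@ -328,45 +330,45 @@` on the next line), but nothing at the declaration says so and a reader may add a stub definition as was done for the two functions above, which would break the probe. Suggest `// Deliberately left undefined: with the weak attribute its address is NULL` / `// unless the ASan runtime is linked, which main() uses to choose its loop.` directly above the declaration.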
@@ -328,45 +330,45 @@ int main(int argc, char **argv) {
 __asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE);
 size_t prev_length = 0;
- int num_runs = 0;
- while (__afl_persistent_loop(N)) {
+ // for speed only insert asan functions if the target is linked with asan
+ if (__asan_region_is_poisoned) {
- size_t length = *__afl_fuzz_len;
+ while (__afl_persistent_loop(N)) {
-#ifdef _DEBUG
- fprintf(stderr, "CLIENT crc: %016llx len: %u\n",
- hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705),
- *__afl_fuzz_len);
- fprintf(stderr, "RECV:");
- for (int i = 0; i < *__afl_fuzz_len; i++)
- fprintf(stderr, "%02x", __afl_fuzz_ptr[i]);
- fprintf(stderr, "\n");
-#endif
+ size_t length = *__afl_fuzz_len;
- if (length) {
+ if (likely(length)) {
- if (length < prev_length) {
+ if (length < prev_length) {
- __asan_poison_memory_region(__afl_fuzz_ptr + length,
- prev_length - length);
+ __asan_poison_memory_region(__afl_fuzz_ptr + length,
+ prev_length - length);
- } else {
+ } else if (length > prev_length) {
+
+ __asan_unpoison_memory_region(__afl_fuzz_ptr + prev_length,
+ length - prev_length);
- __asan_unpoison_memory_region(__afl_fuzz_ptr + prev_length,
- length - prev_length);
+ }
+
+ prev_length = length;
+ LLVMFuzzerTestOneInput(__afl_fuzz_ptr, length);
 }
- prev_length = length;
+ }
- num_runs++;
- LLVMFuzzerTestOneInput(__afl_fuzz_ptr, length);
+ } else {
+
+ while (__afl_persistent_loop(N)) {
+
+ LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
 }
 }
- printf("%s: successfully executed %d input(s)\n", argv[0], num_runs);
+ return 0;
 }
-- 
cgit 1.4.1
From 0b5ad8ee84b237923738a5db104e612b039113bb Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 25 Jan 2022 09:44:12 +0100
Subject: nits
---
 GNUmakefile | 40 +++++++++++++++++++--------------------
 utils/aflpp_driver/aflpp_driver.c | 10 +++++-----
 2 files changed, 25 insertions(+), 25 deletions(-)
(limited to 'utils/aflpp_driver')
diff --git a/GNUmakefile b/GNUmakefile
index 9efb22c2..68ca17d0 100644
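Review bot: The non-ASan loop in the `} else {` branch calls `LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);` unconditionally, whereas both the removed code (`if (*__afl_fuzz_len)`) and the new ASan branch (`if (likely(length))`) skip empty inputs, so a zero-length test case now reaches the target only when the ASan runtime is absent. Guard it the same way, `if (likely(*__afl_fuzz_len)) { LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); }`, or drop the guard from both loops deliberately. The unconditional `__asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE);` on the first context line still executes in the non-ASan case and only reaches the weak no-op stub; that is fine, but a clause in the `// for speed` comment saying so would save the next reader the lookup.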
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -567,16 +567,16 @@ clean:
 rm -rf $(PROGS) afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-cs-proxy afl-qemu-trace afl-gcc-fast afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand *.dSYM
 -$(MAKE) -f GNUmakefile.llvm clean
 -$(MAKE) -f GNUmakefile.gcc_plugin clean
- $(MAKE) -C utils/libdislocator clean
- $(MAKE) -C utils/libtokencap clean
+ -$(MAKE) -C utils/libdislocator clean
+ -$(MAKE) -C utils/libtokencap clean
 $(MAKE) -C utils/aflpp_driver clean
- $(MAKE) -C utils/afl_network_proxy clean
- $(MAKE) -C utils/socket_fuzzing clean
- $(MAKE) -C utils/argv_fuzzing clean
+ -$(MAKE) -C utils/afl_network_proxy clean
+ -$(MAKE) -C utils/socket_fuzzing clean
+ -$(MAKE) -C utils/argv_fuzzing clean
 -$(MAKE) -C utils/plot_ui clean
- $(MAKE) -C qemu_mode/unsigaction clean
- $(MAKE) -C qemu_mode/libcompcov clean
- $(MAKE) -C qemu_mode/libqasan clean
+ -$(MAKE) -C qemu_mode/unsigaction clean
+ -$(MAKE) -C qemu_mode/libcompcov clean
+ -$(MAKE) -C qemu_mode/libqasan clean
 -$(MAKE) -C frida_mode clean
 rm -rf nyx_mode/packer/linux_initramfs/init.cpio.gz nyx_mode/libnyx/libnyx/target/release/* nyx_mode/QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64
 ifeq "$(IN_REPO)" "1"
@@ -611,11 +611,11 @@ distrib: all
 ifneq "$(SYS)" "Darwin"
 -$(MAKE) -f GNUmakefile.gcc_plugin
 endif
- $(MAKE) -C utils/libdislocator
- $(MAKE) -C utils/libtokencap
- $(MAKE) -C utils/afl_network_proxy
- $(MAKE) -C utils/socket_fuzzing
- $(MAKE) -C utils/argv_fuzzing
+ -$(MAKE) -C utils/libdislocator
+ -$(MAKE) -C utils/libtokencap
+ -$(MAKE) -C utils/afl_network_proxy
+ -$(MAKE) -C utils/socket_fuzzing
+ -$(MAKE) -C utils/argv_fuzzing
 # -$(MAKE) -C utils/plot_ui
 -$(MAKE) -C frida_mode
 ifneq "$(SYS)" "Darwin"
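Review bot: Prefixing the `utils/*` sub-makes in `distrib` with `-` means a failing build of libdislocator, libtokencap, afl_network_proxy, socket_fuzzing or argv_fuzzing no longer fails the target, so a broken helper is skipped silently; if these are meant to be optional in the same way as plot_ui and frida_mode, say so with a comment such as `# optional helpers: a failure here must not abort the build` above the first of them. The same applies to `binary-only` (`@@ -631,11 +631,11 @@`) and `source-only` (`@@ -655,8 +655,8 @@`) on the next line; for `clean` (`@@ -567,16 +567,16 @@`) ignoring errors is the expected behaviour and needs no comment.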
@@ -631,11 +631,11 @@ endif
 .PHONY: binary-only
 binary-only: test_shm test_python ready $(PROGS)
- $(MAKE) -C utils/libdislocator
- $(MAKE) -C utils/libtokencap
- $(MAKE) -C utils/afl_network_proxy
- $(MAKE) -C utils/socket_fuzzing
- $(MAKE) -C utils/argv_fuzzing
+ -$(MAKE) -C utils/libdislocator
+ -$(MAKE) -C utils/libtokencap
+ -$(MAKE) -C utils/afl_network_proxy
+ -$(MAKE) -C utils/socket_fuzzing
+ -$(MAKE) -C utils/argv_fuzzing
 # -$(MAKE) -C utils/plot_ui
 -$(MAKE) -C frida_mode
 ifneq "$(SYS)" "Darwin"
@@ -655,8 +655,8 @@ source-only: all
 ifneq "$(SYS)" "Darwin"
 -$(MAKE) -f GNUmakefile.gcc_plugin
 endif
- $(MAKE) -C utils/libdislocator
- $(MAKE) -C utils/libtokencap
+ -$(MAKE) -C utils/libdislocator
+ -$(MAKE) -C utils/libtokencap
 # -$(MAKE) -C utils/plot_ui
 ifeq "$(SYS)" "Linux"
 -cd nyx_mode && ./build_nyx_support.sh
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index c648674a..7289c845 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -251,17 +251,17 @@ int main(int argc, char **argv) {
 printf(
 "============================== INFO ================================\n"
 "This binary is built for afl++.\n"
- "To use with afl-cmin or afl-cmin.bash pass '-' as single command line "
- "option\n"
- "To run the target function on individual input(s) execute this:\n"
+ "To run the target function on individual input(s) execute:\n"
 " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n"
- "To fuzz with afl-fuzz execute this:\n"
+ "To fuzz with afl-fuzz execute:\n"
 " afl-fuzz [afl-flags] -- %s [-N]\n"
 "afl-fuzz will run N iterations before re-spawning the process "
 "(default: "
 "INT_MAX)\n"
 "For stdin input processing, pass '-' as single command line option.\n"
 "For file input processing, pass '@@' as single command line option.\n"
+ "To use with afl-cmin or afl-cmin.bash pass '-' as single command line "
+ "option\n"
 "===================================================================\n",
 argv[0], argv[0]);
@@ -325,7 +325,7 @@ int main(int argc, char **argv) {
 // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
 // on the first execution of LLVMFuzzerTestOneInput is ignored.
- LLVMFuzzerTestOneInput(dummy_input, 1);
+ LLVMFuzzerTestOneInput(dummy_input, 4);
 __asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE);
 size_t prev_length = 0;
-- 
cgit 1.4.1
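Review bot: `LLVMFuzzerTestOneInput(dummy_input, 4);` swaps the literal 1 for 4, and the comment above explains only why the warm-up call exists, not why four bytes; `dummy_input` is defined outside the hunk, so a reader cannot tell whether 4 is tied to its contents or to its declared size. Add a why-comment on that line (e.g. `// warm-up input is 4 bytes so that <reason>` with the real reason filled in) or replace the literal with a named constant whose name carries the reason. The rest of main() lies outside the hunk.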