From 2107ece114e66952f16d2dbc888d46a1061e6faf Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 7 Oct 2022 15:40:04 +0200 Subject: auto shmem fuzzing (#1541) * auto shmem fuzzing * print warning when forcing shmem fuzzing * typos * Shmem always * typo fix * fixes Co-authored-by: Dominik Maier --- utils/aflpp_driver/aflpp_driver.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'utils/aflpp_driver') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 7e553723..87bd2aa2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -35,6 +35,7 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int LLVMFuzzerRunDriver(int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); -// Default nop ASan hooks for manual posisoning when not linking the ASan +// Default nop ASan hooks for manual poisoning when not linking the ASan // runtime // https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning __attribute__((weak)) void __asan_poison_memory_region( @@ -290,6 +291,12 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } + bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + output_file = stderr; maybe_duplicate_stderr(); maybe_close_fd_mask(); @@ -310,23 +317,20 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, int N = INT_MAX; - if (argc == 2 && !strcmp(argv[1], "-")) { + if (!in_afl && argc == 2 && !strcmp(argv[1], "-")) { - __afl_sharedmem_fuzzing = 0; __afl_manual_init(); return ExecuteFilesOnyByOne(argc, argv, callback); - } else if (argc == 2 && argv[1][0] == '-') { + } else if (argc == 2 && argv[1][0] == '-' && argv[1][1]) { N = atoi(argv[1] + 1); - } else if (argc == 2 && (N = atoi(argv[1])) > 0) { + } else if (argc == 2 && argv[1][0] != '-' && (N = atoi(argv[1])) > 0) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); - } else if (argc > 1) { - - __afl_sharedmem_fuzzing = 0; + } else if (!in_afl && argc > 1 && argv[1][0] != '-') { if (argc == 2) { __afl_manual_init(); } -- cgit 1.4.1 From e6e82948bf95fab90466cb2dfa78457c4d2d80a6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 11 Oct 2022 08:53:49 +0200 Subject: fastexit + code format --- GNUmakefile | 1 + docs/Changelog.md | 3 +++ instrumentation/afl-gcc-cmplog-pass.so.cc | 4 ++-- instrumentation/afl-gcc-common.h | 5 +++-- instrumentation/afl-gcc-pass.so.cc | 2 +- qemu_mode/fastexit/Makefile | 30 ++++++++++++++++++++++++++++++ qemu_mode/fastexit/README.md | 5 +++++ qemu_mode/fastexit/fastexit.c | 6 ++++++ src/afl-fuzz.c | 1 + utils/aflpp_driver/aflpp_driver.c | 6 +++--- utils/libdislocator/libdislocator.so.c | 2 +- 11 files changed, 56 insertions(+), 9 deletions(-) create mode 100644 qemu_mode/fastexit/Makefile create mode 100644 qemu_mode/fastexit/README.md create mode 100644 qemu_mode/fastexit/fastexit.c (limited to 'utils/aflpp_driver') diff --git a/GNUmakefile b/GNUmakefile index 70299fc3..d1f28a76 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -592,6 +592,7 @@ clean: -$(MAKE) -C utils/argv_fuzzing clean -$(MAKE) -C utils/plot_ui clean -$(MAKE) -C qemu_mode/unsigaction clean + -$(MAKE) -C qemu_mode/fastexit clean -$(MAKE) -C qemu_mode/libcompcov clean -$(MAKE) -C qemu_mode/libqasan clean -$(MAKE) -C frida_mode clean diff --git a/docs/Changelog.md b/docs/Changelog.md index d4dfb709..b4f758e8 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -8,11 +8,14 @@ - fix gramatron and grammar_mutator build scripts - enhancements to the afl-persistent-config and afl-system-config scripts + - afl-fuzz: + - force writing all stats on exit - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 - qemu_mode: - fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for reporting! + - added qemu_mode/fastexit helper library - unicorn_mode: - Enabled tricore arch (by @jma-qb) - Updated Capstone version in Rust bindings diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc index e42e8bc0..3c781fd7 100644 --- a/instrumentation/afl-gcc-cmplog-pass.so.cc +++ b/instrumentation/afl-gcc-cmplog-pass.so.cc @@ -245,7 +245,7 @@ struct afl_cmplog_pass : afl_base_pass { tree s = make_ssa_name(t); gimple g = gimple_build_assign(s, VIEW_CONVERT_EXPR, - build1(VIEW_CONVERT_EXPR, t, lhs)); + build1(VIEW_CONVERT_EXPR, t, lhs)); lhs = s; gsi_insert_before(&gsi, g, GSI_SAME_STMT); @@ -281,7 +281,7 @@ struct afl_cmplog_pass : afl_base_pass { } /* Insert the call. */ - tree att = build_int_cst(t8u, attr); + tree att = build_int_cst(t8u, attr); gimple call; if (pass_n) call = gimple_build_call(fn, 4, lhs, rhs, att, diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h index 766c0eff..cda3f9d8 100644 --- a/instrumentation/afl-gcc-common.h +++ b/instrumentation/afl-gcc-common.h @@ -501,7 +501,8 @@ struct afl_base_pass : gimple_opt_pass { // compatibility for older gcc versions #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \ 60200 /* >= version 6.2.0 */ -#define gimple gimple * + #define gimple gimple * #else -#define gimple gimple + #define gimple gimple #endif + diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 2b251075..ea938a7f 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -127,7 +127,7 @@ #include "afl-gcc-common.h" #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \ 60200 /* >= version 6.2.0 */ -#include "memmodel.h" + #include "memmodel.h" #endif /* This plugin, being under the same license as GCC, satisfies the diff --git a/qemu_mode/fastexit/Makefile b/qemu_mode/fastexit/Makefile new file mode 100644 index 00000000..80a5ec48 --- /dev/null +++ b/qemu_mode/fastexit/Makefile @@ -0,0 +1,30 @@ +# +# american fuzzy lop++ - fastexit +# -------------------------------- +# +# Written by Andrea Fioraldi +# +# Copyright 2019-2022 Andrea Fioraldi. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +TARGETS=fastexit.so fastexit32.so fastexit64.so + +all: $(TARGETS) + +fastexit.so: fastexit.c + @if $(CC) -fPIC -shared fastexit.c -o fastexit.so 2>/dev/null ; then echo "fastexit build success"; else echo "fastexit build failure (that's fine)"; fi + +fastexit32.so: fastexit.c + @if $(CC) -fPIC -m32 -shared fastexit.c -o fastexit32.so 2>/dev/null ; then echo "fastexit32 build success"; else echo "fastexit32 build failure (that's fine)"; fi + +fastexit64.so: fastexit.c + @if $(CC) -fPIC -m64 -shared fastexit.c -o fastexit64.so 2>/dev/null ; then echo "fastexit64 build success"; else echo "fastexit64 build failure (that's fine)"; fi + +clean: + rm -f fastexit.so diff --git a/qemu_mode/fastexit/README.md b/qemu_mode/fastexit/README.md new file mode 100644 index 00000000..f01340c2 --- /dev/null +++ b/qemu_mode/fastexit/README.md @@ -0,0 +1,5 @@ +# fastexit + +This library forces _exit on exit when preloaded to gain speed. + +Gives speed on complex tarets like Android or Wine. diff --git a/qemu_mode/fastexit/fastexit.c b/qemu_mode/fastexit/fastexit.c new file mode 100644 index 00000000..44141af1 --- /dev/null +++ b/qemu_mode/fastexit/fastexit.c @@ -0,0 +1,6 @@ +#include +#include + +void exit(int status) { + _exit(status); +} diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 84ae54ff..d116822a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2570,6 +2570,7 @@ int main(int argc, char **argv_orig, char **envp) { stop_fuzzing: afl->force_ui_update = 1; // ensure the screen is reprinted + afl->stop_soon = 1; // ensure everything is written show_stats(afl); // print the screen one last time write_bitmap(afl); save_auto(afl); diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 87bd2aa2..a76ba6c2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -292,10 +292,10 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || - fcntl(FORKSRV_FD, F_GETFD) == -1 || - fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); - if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } output_file = stderr; maybe_duplicate_stderr(); diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 638735ef..c390d004 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -512,7 +512,7 @@ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, int reallocarr(void *ptr, size_t elem_len, size_t elem_cnt) { - void *ret = NULL; + void *ret = NULL; const size_t elem_tot = elem_len * elem_cnt; if (elem_tot == 0) { -- cgit 1.4.1