From 8fedf4998449d5b6b909a1118fc2e152e4d2e6e7 Mon Sep 17 00:00:00 2001 From: Davide Quarta Date: Tue, 23 Jan 2024 19:36:49 +0100 Subject: replay mode support --- utils/persistent_mode/Makefile | 3 ++- utils/persistent_mode/persistent_demo_new.c | 15 ++++----------- 2 files changed, 6 insertions(+), 12 deletions(-) (limited to 'utils') diff --git a/utils/persistent_mode/Makefile b/utils/persistent_mode/Makefile index e348c46c..64de82a7 100644 --- a/utils/persistent_mode/Makefile +++ b/utils/persistent_mode/Makefile @@ -1,10 +1,11 @@ all: ../../afl-clang-fast -o persistent_demo persistent_demo.c ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c + gcc -g -I ../../include -o persistent_demo_new_compat persistent_demo_new.c AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c document: AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: - rm -f persistent_demo persistent_demo_new test-instr + rm -f persistent_demo persistent_demo_new persistent_demo_new_compat test-instr diff --git a/utils/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c index 285f50aa..40ada9e1 100644 --- a/utils/persistent_mode/persistent_demo_new.c +++ b/utils/persistent_mode/persistent_demo_new.c @@ -31,17 +31,8 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN - -ssize_t fuzz_len; -unsigned char fuzz_buf[1024000]; - - #define __AFL_FUZZ_TESTCASE_LEN fuzz_len - #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf - #define __AFL_FUZZ_INIT() void sync(void); - #define __AFL_LOOP(x) \ - ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0) - #define __AFL_INIT() sync() - +#define AFL_COMPAT +#include "persistent_replay.h" #endif __AFL_FUZZ_INIT(); @@ -95,6 +86,8 @@ int main(int argc, char **argv) { if (buf[5] == '!') { printf("six\n"); + char *nullo = NULL+1; + *nullo = 'p'; abort(); } -- cgit v1.2.3 From 023fc19ce04bffcbd623e27a1f2d1810c3ec0c3c Mon Sep 17 00:00:00 2001 From: Davide Quarta Date: Mon, 5 Feb 2024 18:26:46 +0100 Subject: better replay mode error handling, added replay mode documentation, code formatting --- utils/persistent_mode/persistent_demo_new.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'utils') diff --git a/utils/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c index 40ada9e1..3d9d90a6 100644 --- a/utils/persistent_mode/persistent_demo_new.c +++ b/utils/persistent_mode/persistent_demo_new.c @@ -31,8 +31,8 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN -#define AFL_COMPAT -#include "persistent_replay.h" + #define AFL_COMPAT + #include "persistent_replay.h" #endif __AFL_FUZZ_INIT(); @@ -86,8 +86,6 @@ int main(int argc, char **argv) { if (buf[5] == '!') { printf("six\n"); - char *nullo = NULL+1; - *nullo = 'p'; abort(); } -- cgit v1.2.3 From 58aa181d012698471d003983aaf9e67cf92961d2 Mon Sep 17 00:00:00 2001 From: Davide Quarta Date: Tue, 6 Feb 2024 14:00:37 +0100 Subject: revert persistent_demo_new.c to b99bbf671b7469a5aad29898fe28489004c4cbe7 --- utils/persistent_mode/persistent_demo_new.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c index 3d9d90a6..285f50aa 100644 --- a/utils/persistent_mode/persistent_demo_new.c +++ b/utils/persistent_mode/persistent_demo_new.c @@ -31,8 +31,17 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN - #define AFL_COMPAT - #include "persistent_replay.h" + +ssize_t fuzz_len; +unsigned char fuzz_buf[1024000]; + + #define __AFL_FUZZ_TESTCASE_LEN fuzz_len + #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf + #define __AFL_FUZZ_INIT() void sync(void); + #define __AFL_LOOP(x) \ + ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0) + #define __AFL_INIT() sync() + #endif __AFL_FUZZ_INIT(); -- cgit v1.2.3 From e405e721fad46e594b633147a6940cfdd602e4c2 Mon Sep 17 00:00:00 2001 From: Davide Quarta Date: Tue, 6 Feb 2024 18:19:52 +0100 Subject: reuse first_pass aux var in persistent loop for record replay mode, keep area ptr and loc logic intact in record replay mode, move replay record example to own dir in utils, update docs, move record compat layer to separate header file --- utils/persistent_mode/Makefile | 1 - utils/replay_record/Makefile | 8 ++ utils/replay_record/persistent_demo_replay.c | 148 +++++++++++++++++++++++++++ 3 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 utils/replay_record/Makefile create mode 100644 utils/replay_record/persistent_demo_replay.c (limited to 'utils') diff --git a/utils/persistent_mode/Makefile b/utils/persistent_mode/Makefile index 64de82a7..498aa3f8 100644 --- a/utils/persistent_mode/Makefile +++ b/utils/persistent_mode/Makefile @@ -1,7 +1,6 @@ all: ../../afl-clang-fast -o persistent_demo persistent_demo.c ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c - gcc -g -I ../../include -o persistent_demo_new_compat persistent_demo_new.c AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c document: diff --git a/utils/replay_record/Makefile b/utils/replay_record/Makefile new file mode 100644 index 00000000..0d1cba92 --- /dev/null +++ b/utils/replay_record/Makefile @@ -0,0 +1,8 @@ +all: + test `grep '//[\s\t ]*#define[\s\t ]*AFL_PERSISTENT_RECORD' ../../include/config.h | wc -l` -eq 0 || (echo "AFL_PERSISTENT_RECORD must be enabled in config.h"; exit 1) + ../../afl-clang-fast -o persistent_demo_replay persistent_demo_replay.c + ${CC} -I ../../include -o persistent_demo_replay_compat persistent_demo_replay.c + ${CC} -g -I ../../include -DAFL_PERSISTENT_REPLAY_ARGPARSE -o persistent_demo_replay_argparse persistent_demo_replay.c + +clean: + rm -f persistent_demo_replay persistent_demo_replay_argparse persistent_demo_replay_compat diff --git a/utils/replay_record/persistent_demo_replay.c b/utils/replay_record/persistent_demo_replay.c new file mode 100644 index 00000000..6f6648f1 --- /dev/null +++ b/utils/replay_record/persistent_demo_replay.c @@ -0,0 +1,148 @@ +/* + american fuzzy lop++ - persistent mode example + -------------------------------------------- + + Originally written by Michal Zalewski + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This file demonstrates the high-performance "persistent mode" that may be + suitable for fuzzing certain fast and well-behaved libraries, provided that + they are stateless or that their internal state can be easily reset + across runs. + + To make this work, the library and this shim need to be compiled in LLVM + mode using afl-clang-fast (other compiler wrappers will *not* work). + + */ + +#include +#include +#include +#include +#include +#include + +#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE + #include + #include +#endif + +/* this lets the source compile without afl-clang-fast/lto */ +#ifndef __AFL_FUZZ_TESTCASE_LEN + #include "afl-record-compat.h" +#endif + +__AFL_FUZZ_INIT(); + +/* Main entry point. */ + +/* To ensure checks are not optimized out it is recommended to disable + code optimization for the fuzzer harness main() */ +#pragma clang optimize off +#pragma GCC optimize("O0") + +int main(int argc, char **argv) { + + ssize_t len; /* how much input did we read? */ + unsigned char *buf; /* test case buffer pointer */ + +#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE + int fd; + + if (argc < 2) { printf("Need an input file!"); } +#endif + + /* The number passed to __AFL_LOOP() controls the maximum number of + iterations before the loop exits and the program is allowed to + terminate normally. This limits the impact of accidental memory leaks + and similar hiccups. */ + + __AFL_INIT(); + +#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE + buf = malloc(1000); +#else + buf = __AFL_FUZZ_TESTCASE_BUF; // this must be assigned before __AFL_LOOP! +#endif + + while (__AFL_LOOP(UINT_MAX)) { // increase if you have good stability + +#ifdef AFL_PERSISTENT_REPLAY_ARGPARSE + fd = open(argv[1], O_RDONLY); + len = read(fd, buf, 1000); + close(fd); +#else + len = __AFL_FUZZ_TESTCASE_LEN; // do not use the macro directly in a call! +#endif + + // fprintf(stderr, "input: %zd \"%s\"\n", len, buf); + + /* do we have enough data? */ + if (len < 8) continue; + + if (strcmp((char *)buf, "thisisateststring") == 0) printf("teststring\n"); + + if (buf[0] == 'f') { + + printf("one\n"); + if (buf[1] == 'o') { + + printf("two\n"); + if (buf[2] == 'o') { + + printf("three\n"); + if (buf[3] == '!') { + + printf("four\n"); + if (buf[4] == '!') { + + printf("five\n"); + if (buf[5] == '!') { + + printf("six\n"); + abort(); + + } else { + + if (buf[5] == 'O') { + + // hang + while (1) { + + continue; + + }; + + } + + } + + } + + } + + } + + } + + } + + /*** END PLACEHOLDER CODE ***/ + + } + + /* Once the loop is exited, terminate normally - AFL will restart the process + when this happens, with a clean slate when it comes to allocated memory, + leftover file descriptors, etc. */ + + return 0; + +} + -- cgit v1.2.3 From 8e4bd0314e0ee2cd4b758e96591b0338a534623a Mon Sep 17 00:00:00 2001 From: Davide Quarta Date: Tue, 6 Feb 2024 21:34:56 +0100 Subject: added README.md to utils/replay_record --- utils/replay_record/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 utils/replay_record/README.md (limited to 'utils') diff --git a/utils/replay_record/README.md b/utils/replay_record/README.md new file mode 100644 index 00000000..f015850d --- /dev/null +++ b/utils/replay_record/README.md @@ -0,0 +1,9 @@ +# AFL++ persistent record replay + +Persistent demo replay showcases the `AFL_PERSISTENT_RECORD` replay functionality. +The Makefile will produce three binaries: + + persistent_demo_replay: uses afl-cc and makes use of the replay functionality included in the compiler runtime library + + persistent_demo_replay_compat: uses the [afl-record-compat.h](../../include/afl-record-compat.h) compatibility header to compile the same example without `afl-cc` + + persistent_demo_replay_argparse: makes use of `afl-record-compat.h`, and the Makefile defines `AFL_PERSISTENT_REPLAY_ARGPARSE` to test the replay functionality but parses the input file via a command-line argument (`@@`-style harness). + +For more information see [README.persistent_mode.md](../../instrumentation/README.persistent_mode.md). \ No newline at end of file -- cgit v1.2.3 From 956fa95d77ac3cbc43cd44b56bffc605e2a2090e Mon Sep 17 00:00:00 2001 From: Davide Quarta Date: Wed, 7 Feb 2024 12:00:11 +0100 Subject: updated readme --- utils/replay_record/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/replay_record/README.md b/utils/replay_record/README.md index f015850d..6d72ca97 100644 --- a/utils/replay_record/README.md +++ b/utils/replay_record/README.md @@ -1,7 +1,8 @@ # AFL++ persistent record replay -Persistent demo replay showcases the `AFL_PERSISTENT_RECORD` replay functionality. -The Makefile will produce three binaries: +This persistent record replay demo showcases the `AFL_PERSISTENT_RECORD` replay functionality. + +The [Makefile](Makefile) will produce three binaries: + persistent_demo_replay: uses afl-cc and makes use of the replay functionality included in the compiler runtime library + persistent_demo_replay_compat: uses the [afl-record-compat.h](../../include/afl-record-compat.h) compatibility header to compile the same example without `afl-cc` + persistent_demo_replay_argparse: makes use of `afl-record-compat.h`, and the Makefile defines `AFL_PERSISTENT_REPLAY_ARGPARSE` to test the replay functionality but parses the input file via a command-line argument (`@@`-style harness). -- cgit v1.2.3 From 038fef962c3d85fe7e37fcd8717270654f927881 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 8 Feb 2024 12:46:00 +0100 Subject: performance --- utils/bench/Makefile | 8 ++++++++ utils/bench/README.md | 2 ++ utils/bench/hash.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 utils/bench/Makefile create mode 100644 utils/bench/README.md create mode 100644 utils/bench/hash.c (limited to 'utils') diff --git a/utils/bench/Makefile b/utils/bench/Makefile new file mode 100644 index 00000000..e7d2f3a1 --- /dev/null +++ b/utils/bench/Makefile @@ -0,0 +1,8 @@ +all: hash + +hash: hash.c + gcc -O3 -mavx2 -march=native -I../../include -o hash hash.c + +clean: + rm -f hash + diff --git a/utils/bench/README.md b/utils/bench/README.md new file mode 100644 index 00000000..772c117b --- /dev/null +++ b/utils/bench/README.md @@ -0,0 +1,2 @@ +# Internal AFL++ benchmarking + diff --git a/utils/bench/hash.c b/utils/bench/hash.c new file mode 100644 index 00000000..013a5321 --- /dev/null +++ b/utils/bench/hash.c @@ -0,0 +1,42 @@ +#include +#include +#include + +#define T1HA0_AESNI_AVAILABLE 1 +#define T1HA_USE_FAST_ONESHOT_READ 1 +#define T1HA_USE_INDIRECT_FUNCTIONS 1 +#define T1HA_IA32AES_NAME t1ha0_ia32aes +#include "t1ha0_ia32aes_b.h" + +#define XXH_INLINE_ALL +#include "xxhash.h" +#undef XXH_INLINE_ALL + +int main() { + char *data = malloc(4097); + struct timespec start, end; + long long duration; + int i; + uint64_t res; + + clock_gettime(CLOCK_MONOTONIC, &start); + for (i = 0; i < 100000000; ++i) { + res = XXH3_64bits(data, 4097); + memcpy(data + 16, (char*)&res, 8); + } + clock_gettime(CLOCK_MONOTONIC, &end); + duration = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec); + printf("xxh3 duration: %lld ns\n", duration); + + memset(data, 0, 4097); + clock_gettime(CLOCK_MONOTONIC, &start); + for (i = 0; i < 100000000; ++i) { + res = t1ha0_ia32aes(data, 4097); + memcpy(data + 16, (char*)&res, 8); + } + clock_gettime(CLOCK_MONOTONIC, &end); + duration = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec); + printf("t1ha0_ia32aes duration: %lld ns\n", duration); + + return 0; +} -- cgit v1.2.3 From 369fce9c85bf3b850a7109e4604fee71f694d2cb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 8 Feb 2024 15:13:46 +0100 Subject: code format --- utils/bench/hash.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) (limited to 'utils') diff --git a/utils/bench/hash.c b/utils/bench/hash.c index 013a5321..d4be0ab4 100644 --- a/utils/bench/hash.c +++ b/utils/bench/hash.c @@ -13,30 +13,41 @@ #undef XXH_INLINE_ALL int main() { - char *data = malloc(4097); + + char *data = malloc(4097); struct timespec start, end; - long long duration; - int i; - uint64_t res; + long long duration; + int i; + uint64_t res; clock_gettime(CLOCK_MONOTONIC, &start); for (i = 0; i < 100000000; ++i) { - res = XXH3_64bits(data, 4097); - memcpy(data + 16, (char*)&res, 8); + + res = XXH3_64bits(data, 4097); + memcpy(data + 16, (char *)&res, 8); + } + clock_gettime(CLOCK_MONOTONIC, &end); - duration = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec); + duration = (end.tv_sec - start.tv_sec) * 1000000000LL + + (end.tv_nsec - start.tv_nsec); printf("xxh3 duration: %lld ns\n", duration); memset(data, 0, 4097); clock_gettime(CLOCK_MONOTONIC, &start); for (i = 0; i < 100000000; ++i) { - res = t1ha0_ia32aes(data, 4097); - memcpy(data + 16, (char*)&res, 8); + + res = t1ha0_ia32aes(data, 4097); + memcpy(data + 16, (char *)&res, 8); + } + clock_gettime(CLOCK_MONOTONIC, &end); - duration = (end.tv_sec - start.tv_sec) * 1000000000LL + (end.tv_nsec - start.tv_nsec); + duration = (end.tv_sec - start.tv_sec) * 1000000000LL + + (end.tv_nsec - start.tv_nsec); printf("t1ha0_ia32aes duration: %lld ns\n", duration); return 0; + } + -- cgit v1.2.3 From 8fcd404352a0bcf1084c518e779fe042c61d2b9e Mon Sep 17 00:00:00 2001 From: Joachim Hyrathon Date: Tue, 27 Feb 2024 15:34:42 +0800 Subject: Update GNUmakefile The linker flags lacks a -ldl so the dlopen series of func symbols can't be found --- utils/afl_network_proxy/GNUmakefile | 1 + 1 file changed, 1 insertion(+) (limited to 'utils') diff --git a/utils/afl_network_proxy/GNUmakefile b/utils/afl_network_proxy/GNUmakefile index 7c8c22ff..47d9a7d3 100644 --- a/utils/afl_network_proxy/GNUmakefile +++ b/utils/afl_network_proxy/GNUmakefile @@ -10,6 +10,7 @@ PROGRAMS = afl-network-client afl-network-server HASH=\# CFLAGS += -Wno-pointer-sign +LDFLAGS += -ldl ifdef STATIC CFLAGS += -static -- cgit v1.2.3