From 0fe39e47680c8997ee9149bdc71acdf6b1af1b53 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 5 Sep 2022 13:57:28 +0200 Subject: egrep -> grep -e --- utils/analysis_scripts/queue2csv.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/analysis_scripts/queue2csv.sh b/utils/analysis_scripts/queue2csv.sh index 2528b438..47141efe 100755 --- a/utils/analysis_scripts/queue2csv.sh +++ b/utils/analysis_scripts/queue2csv.sh @@ -92,14 +92,14 @@ mkdir "$DIR" || exit 1 if [ -n "$3" -a -s "$DIR/../edges.txt" ]; then - cat "$DIR/"* | sed 's/:.*//' | sort -n | uniq -c | egrep '^[ \t]*1 ' | awk '{print$2}' > $DIR/../unique.txt + cat "$DIR/"* | sed 's/:.*//' | sort -n | uniq -c | grep -E '^[ \t]*1 ' | awk '{print$2}' > $DIR/../unique.txt if [ -s "$DIR/../unique.txt" ]; then ls "$DIR/id:"* | grep -v ",sync:" |sed 's/.*\/id:/id:/g' | while read file; do CNT=$(sed 's/:.*//' "$DIR/$file" | tee "$DIR/../tmp.txt" | wc -l) - DIFF=$(diff -u "$DIR/../tmp.txt" "$DIR/../unique.txt" | egrep '^-[0-9]' | wc -l) + DIFF=$(diff -u "$DIR/../tmp.txt" "$DIR/../unique.txt" | grep -E '^-[0-9]' | wc -l) UNIQUE=$(($CNT - $DIFF)) sed -i "s/;UNIQUE$file/;$UNIQUE/" "$DIR/../queue.csv" "$2" -- cgit v1.2.3 From 258f4ee5291854fd450b2f2600ab9b611c9f4669 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 10 Sep 2022 11:43:19 +0100 Subject: libdislocator apply few attributes for few compiler optimisations. --- utils/libdislocator/libdislocator.so.c | 110 ++++++--------------------------- 1 file changed, 20 insertions(+), 90 deletions(-) (limited to 'utils') diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 149b910e..03eb12a9 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -47,7 +47,6 @@ #ifdef __NR_getrandom #define arc4random_buf(p, l) \ do { \ - \ ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ if (rd != l) DEBUGF("getrandom failed"); \ \ @@ -57,7 +56,6 @@ #include #define arc4random_buf(p, l) \ do { \ - \ srand(time(NULL)); \ u32 i; \ u8 *ptr = (u8 *)p; \ @@ -80,7 +78,6 @@ (defined(__FreeBSD__) && __FreeBSD_version < 1200000) // use this hack if not C11 typedef struct { - long long __ll; long double __ld; @@ -92,11 +89,11 @@ typedef struct { #ifndef PAGE_SIZE #define PAGE_SIZE 4096 -#endif /* !PAGE_SIZE */ +#endif /* !PAGE_SIZE */ #ifndef MAP_ANONYMOUS #define MAP_ANONYMOUS MAP_ANON -#endif /* !MAP_ANONYMOUS */ +#endif /* !MAP_ANONYMOUS */ #define SUPER_PAGE_SIZE 1 << 21 @@ -104,30 +101,22 @@ typedef struct { #define DEBUGF(_x...) \ do { \ - \ if (alloc_verbose) { \ - \ if (++call_depth == 1) { \ - \ fprintf(stderr, "[AFL] " _x); \ fprintf(stderr, "\n"); \ - \ } \ call_depth--; \ - \ } \ \ } while (0) #define FATAL(_x...) \ do { \ - \ if (++call_depth == 1) { \ - \ fprintf(stderr, "*** [AFL] " _x); \ fprintf(stderr, " ***\n"); \ abort(); \ - \ } \ call_depth--; \ \ @@ -149,19 +138,19 @@ typedef struct { /* Configurable stuff (use AFL_LD_* to set): */ -static size_t max_mem = MAX_ALLOC; /* Max heap usage to permit */ -static u8 alloc_verbose, /* Additional debug messages */ - hard_fail, /* abort() when max_mem exceeded? */ - no_calloc_over, /* abort() on calloc() overflows? */ - align_allocations; /* Force alignment to sizeof(void*) */ +static size_t max_mem = MAX_ALLOC; /* Max heap usage to permit */ +static u8 alloc_verbose, /* Additional debug messages */ + hard_fail, /* abort() when max_mem exceeded? */ + no_calloc_over, /* abort() on calloc() overflows? */ + align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ #define __thread #warning no thread support available #endif -static _Atomic size_t total_mem; /* Currently allocated mem */ +static _Atomic size_t total_mem; /* Currently allocated mem */ -static __thread u32 call_depth; /* To avoid recursion via fprintf() */ +static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static u32 alloc_canary; /* This is the main alloc function. It allocates one page more than necessary, @@ -170,19 +159,16 @@ static u32 alloc_canary; the returned memory will be zeroed. */ static void *__dislocator_alloc(size_t len) { - u8 *ret, *base; size_t tlen; int flags, protflags, fd, sp; if (total_mem + len > max_mem || total_mem + len < total_mem) { - if (hard_fail) FATAL("total allocs exceed %zu MB", max_mem / 1024 / 1024); DEBUGF("total allocs exceed %zu MB, returning NULL", max_mem / 1024 / 1024); return NULL; - } size_t rlen; @@ -215,10 +201,8 @@ static void *__dislocator_alloc(size_t len) { if (sp) flags |= MAP_ALIGNED_SUPER; #elif defined(__sun) if (sp) { - base = (void *)(caddr_t)(1 << 21); flags |= MAP_ALIGN; - } #endif @@ -230,7 +214,6 @@ static void *__dislocator_alloc(size_t len) { #if defined(USEHUGEPAGE) /* We try one more time with regular call */ if (ret == MAP_FAILED) { - #if defined(__APPLE__) fd = -1; #elif defined(__linux__) @@ -241,19 +224,16 @@ static void *__dislocator_alloc(size_t len) { flags &= -MAP_ALIGN; #endif ret = (u8 *)mmap(NULL, tlen, protflags, flags, fd, 0); - } #endif if (ret == MAP_FAILED) { - if (hard_fail) FATAL("mmap() failed on alloc (OOM?)"); DEBUGF("mmap() failed on alloc (OOM?)"); return NULL; - } #if defined(USENAMEDPAGE) @@ -262,9 +242,7 @@ static void *__dislocator_alloc(size_t len) { // `- ---p 00000000 00:00 0 [anon:libdislocator]` if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { - DEBUGF("prctl() failed"); - } #endif @@ -290,22 +268,19 @@ static void *__dislocator_alloc(size_t len) { total_mem += len; if (rlen != len) { - size_t i; for (i = len; i < rlen; ++i) ret[i] = TAIL_ALLOC_CANARY; - } return ret; - } /* The "user-facing" wrapper for calloc(). This just checks for overflows and displays debug messages if requested. */ -void *calloc(size_t elem_len, size_t elem_cnt) { - +__attribute__((malloc)) __attribute__((alloc_size(1, 2))) void *calloc( + size_t elem_len, size_t elem_cnt) { void *ret; size_t len = elem_len * elem_cnt; @@ -313,17 +288,13 @@ void *calloc(size_t elem_len, size_t elem_cnt) { /* Perform some sanity checks to detect obvious issues... */ if (elem_cnt && len / elem_cnt != elem_len) { - if (no_calloc_over) { - DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt); return NULL; - } FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt); - } ret = __dislocator_alloc(len); @@ -332,15 +303,14 @@ void *calloc(size_t elem_len, size_t elem_cnt) { total_mem); return ret; - } /* The wrapper for malloc(). Roughly the same, also clobbers the returned memory (unlike calloc(), malloc() is not guaranteed to return zeroed memory). */ -void *malloc(size_t len) { - +__attribute__((malloc)) __attribute__((alloc_size(1))) void *malloc( + size_t len) { void *ret; ret = __dislocator_alloc(len); @@ -350,7 +320,6 @@ void *malloc(size_t len) { if (ret && len) memset(ret, ALLOC_CLOBBER, len); return ret; - } /* The wrapper for free(). This simply marks the entire region as PROT_NONE. @@ -358,7 +327,6 @@ void *malloc(size_t len) { read the canary. Not very graceful, but works, right? */ void free(void *ptr) { - u32 len; DEBUGF("free(%p)", ptr); @@ -373,12 +341,10 @@ void free(void *ptr) { u8 *ptr_ = ptr; if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) { - size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; for (; len < rlen; ++len) if (ptr_[len] != TAIL_ALLOC_CANARY) FATAL("bad tail allocator canary on free()"); - } /* Protect everything. Note that the extra page at the end is already @@ -392,32 +358,27 @@ void free(void *ptr) { ptr = ptr_; /* Keep the mapping; this is wasteful, but prevents ptr reuse. */ - } /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer, move data, and then free (aka mprotect()) the original one. */ -void *realloc(void *ptr, size_t len) { - +__attribute__((alloc_size(2))) void *realloc(void *ptr, size_t len) { void *ret; ret = malloc(len); if (ret && ptr) { - if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()"); // Here the tail canary check is delayed to free() memcpy(ret, ptr, MIN(len, PTR_L(ptr))); free(ptr); - } DEBUGF("realloc(%p, %zu) = %p [%zu total]", ptr, len, ret, total_mem); return ret; - } /* posix_memalign we mainly check the proper alignment argument @@ -425,14 +386,11 @@ void *realloc(void *ptr, size_t len) { a normal request */ int posix_memalign(void **ptr, size_t align, size_t len) { - // if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now if ((align % 2) || (align % sizeof(void *))) return EINVAL; if (len == 0) { - *ptr = NULL; return 0; - } size_t rem = len % align; @@ -445,69 +403,57 @@ int posix_memalign(void **ptr, size_t align, size_t len) { DEBUGF("posix_memalign(%p %zu, %zu) [*ptr = %p]", ptr, align, len, *ptr); return 0; - } /* just the non-posix fashion */ -void *memalign(size_t align, size_t len) { - +__attribute__((malloc)) __attribute__((alloc_size(2))) void *memalign( + size_t align, size_t len) { void *ret = NULL; if (posix_memalign(&ret, align, len)) { - DEBUGF("memalign(%zu, %zu) failed", align, len); - } return ret; - } /* sort of C11 alias of memalign only more severe, alignment-wise */ -void *aligned_alloc(size_t align, size_t len) { - +__attribute__((malloc)) __attribute__((alloc_size(2))) void *aligned_alloc( + size_t align, size_t len) { void *ret = NULL; if ((len % align)) return NULL; if (posix_memalign(&ret, align, len)) { - DEBUGF("aligned_alloc(%zu, %zu) failed", align, len); - } return ret; - } /* specific BSD api mainly checking possible overflow for the size */ -void *reallocarray(void *ptr, size_t elem_len, size_t elem_cnt) { - +__attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, + size_t elem_cnt) { const size_t elem_lim = 1UL << (sizeof(size_t) * 4); const size_t elem_tot = elem_len * elem_cnt; void *ret = NULL; if ((elem_len >= elem_lim || elem_cnt >= elem_lim) && elem_len > 0 && elem_cnt > (SIZE_MAX / elem_len)) { - DEBUGF("reallocarray size overflow (%zu)", elem_tot); } else { - ret = realloc(ptr, elem_tot); - } return ret; - } #if defined(__APPLE__) size_t malloc_size(const void *ptr) { - #elif !defined(__ANDROID__) size_t malloc_usable_size(void *ptr) { @@ -517,30 +463,24 @@ size_t malloc_usable_size(const void *ptr) { #endif return ptr ? PTR_L(ptr) : 0; - } #if defined(__APPLE__) size_t malloc_good_size(size_t len) { - return (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; - } #endif __attribute__((constructor)) void __dislocator_init(void) { - char *tmp = getenv("AFL_LD_LIMIT_MB"); if (tmp) { - char *tok; unsigned long long mmem = strtoull(tmp, &tok, 10); if (*tok != '\0' || errno == ERANGE || mmem > SIZE_MAX / 1024 / 1024) FATAL("Bad value for AFL_LD_LIMIT_MB"); max_mem = mmem * 1024 * 1024; - } alloc_canary = ALLOC_CANARY; @@ -552,33 +492,23 @@ __attribute__((constructor)) void __dislocator_init(void) { hard_fail = !!getenv("AFL_LD_HARD_FAIL"); no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER"); align_allocations = !!getenv("AFL_ALIGNED_ALLOC"); - } /* NetBSD fault handler specific api subset */ void (*esetfunc(void (*fn)(int, const char *, ...)))(int, const char *, ...) { - /* Might not be meaningful to implement; upper calls already report errors */ return NULL; - } void *emalloc(size_t len) { - return malloc(len); - } void *ecalloc(size_t elem_len, size_t elem_cnt) { - return calloc(elem_len, elem_cnt); - } void *erealloc(void *ptr, size_t len) { - return realloc(ptr, len); - } - -- cgit v1.2.3 From 08f44f4e5d1bcf78070d5213a0b8bdbd709981c3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 10 Sep 2022 19:09:32 +0200 Subject: code format --- utils/libdislocator/libdislocator.so.c | 93 ++++++++++++++++++++++++++++++---- utils/libtokencap/libtokencap.so.c | 16 +++--- 2 files changed, 94 insertions(+), 15 deletions(-) (limited to 'utils') diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 03eb12a9..a6d8ecfd 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -47,6 +47,7 @@ #ifdef __NR_getrandom #define arc4random_buf(p, l) \ do { \ + \ ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ if (rd != l) DEBUGF("getrandom failed"); \ \ @@ -56,6 +57,7 @@ #include #define arc4random_buf(p, l) \ do { \ + \ srand(time(NULL)); \ u32 i; \ u8 *ptr = (u8 *)p; \ @@ -78,6 +80,7 @@ (defined(__FreeBSD__) && __FreeBSD_version < 1200000) // use this hack if not C11 typedef struct { + long long __ll; long double __ld; @@ -89,11 +92,11 @@ typedef struct { #ifndef PAGE_SIZE #define PAGE_SIZE 4096 -#endif /* !PAGE_SIZE */ +#endif /* !PAGE_SIZE */ #ifndef MAP_ANONYMOUS #define MAP_ANONYMOUS MAP_ANON -#endif /* !MAP_ANONYMOUS */ +#endif /* !MAP_ANONYMOUS */ #define SUPER_PAGE_SIZE 1 << 21 @@ -101,22 +104,30 @@ typedef struct { #define DEBUGF(_x...) \ do { \ + \ if (alloc_verbose) { \ + \ if (++call_depth == 1) { \ + \ fprintf(stderr, "[AFL] " _x); \ fprintf(stderr, "\n"); \ + \ } \ call_depth--; \ + \ } \ \ } while (0) #define FATAL(_x...) \ do { \ + \ if (++call_depth == 1) { \ + \ fprintf(stderr, "*** [AFL] " _x); \ fprintf(stderr, " ***\n"); \ abort(); \ + \ } \ call_depth--; \ \ @@ -138,19 +149,19 @@ typedef struct { /* Configurable stuff (use AFL_LD_* to set): */ -static size_t max_mem = MAX_ALLOC; /* Max heap usage to permit */ -static u8 alloc_verbose, /* Additional debug messages */ - hard_fail, /* abort() when max_mem exceeded? */ - no_calloc_over, /* abort() on calloc() overflows? */ - align_allocations; /* Force alignment to sizeof(void*) */ +static size_t max_mem = MAX_ALLOC; /* Max heap usage to permit */ +static u8 alloc_verbose, /* Additional debug messages */ + hard_fail, /* abort() when max_mem exceeded? */ + no_calloc_over, /* abort() on calloc() overflows? */ + align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ #define __thread #warning no thread support available #endif -static _Atomic size_t total_mem; /* Currently allocated mem */ +static _Atomic size_t total_mem; /* Currently allocated mem */ -static __thread u32 call_depth; /* To avoid recursion via fprintf() */ +static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static u32 alloc_canary; /* This is the main alloc function. It allocates one page more than necessary, @@ -159,16 +170,19 @@ static u32 alloc_canary; the returned memory will be zeroed. */ static void *__dislocator_alloc(size_t len) { + u8 *ret, *base; size_t tlen; int flags, protflags, fd, sp; if (total_mem + len > max_mem || total_mem + len < total_mem) { + if (hard_fail) FATAL("total allocs exceed %zu MB", max_mem / 1024 / 1024); DEBUGF("total allocs exceed %zu MB, returning NULL", max_mem / 1024 / 1024); return NULL; + } size_t rlen; @@ -201,8 +215,10 @@ static void *__dislocator_alloc(size_t len) { if (sp) flags |= MAP_ALIGNED_SUPER; #elif defined(__sun) if (sp) { + base = (void *)(caddr_t)(1 << 21); flags |= MAP_ALIGN; + } #endif @@ -214,6 +230,7 @@ static void *__dislocator_alloc(size_t len) { #if defined(USEHUGEPAGE) /* We try one more time with regular call */ if (ret == MAP_FAILED) { + #if defined(__APPLE__) fd = -1; #elif defined(__linux__) @@ -224,16 +241,19 @@ static void *__dislocator_alloc(size_t len) { flags &= -MAP_ALIGN; #endif ret = (u8 *)mmap(NULL, tlen, protflags, flags, fd, 0); + } #endif if (ret == MAP_FAILED) { + if (hard_fail) FATAL("mmap() failed on alloc (OOM?)"); DEBUGF("mmap() failed on alloc (OOM?)"); return NULL; + } #if defined(USENAMEDPAGE) @@ -242,7 +262,9 @@ static void *__dislocator_alloc(size_t len) { // `- ---p 00000000 00:00 0 [anon:libdislocator]` if (prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, (unsigned long)ret, tlen, (unsigned long)"libdislocator") < 0) { + DEBUGF("prctl() failed"); + } #endif @@ -268,12 +290,15 @@ static void *__dislocator_alloc(size_t len) { total_mem += len; if (rlen != len) { + size_t i; for (i = len; i < rlen; ++i) ret[i] = TAIL_ALLOC_CANARY; + } return ret; + } /* The "user-facing" wrapper for calloc(). This just checks for overflows and @@ -281,6 +306,7 @@ static void *__dislocator_alloc(size_t len) { __attribute__((malloc)) __attribute__((alloc_size(1, 2))) void *calloc( size_t elem_len, size_t elem_cnt) { + void *ret; size_t len = elem_len * elem_cnt; @@ -288,13 +314,17 @@ __attribute__((malloc)) __attribute__((alloc_size(1, 2))) void *calloc( /* Perform some sanity checks to detect obvious issues... */ if (elem_cnt && len / elem_cnt != elem_len) { + if (no_calloc_over) { + DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt); return NULL; + } FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt); + } ret = __dislocator_alloc(len); @@ -303,6 +333,7 @@ __attribute__((malloc)) __attribute__((alloc_size(1, 2))) void *calloc( total_mem); return ret; + } /* The wrapper for malloc(). Roughly the same, also clobbers the returned @@ -311,6 +342,7 @@ __attribute__((malloc)) __attribute__((alloc_size(1, 2))) void *calloc( __attribute__((malloc)) __attribute__((alloc_size(1))) void *malloc( size_t len) { + void *ret; ret = __dislocator_alloc(len); @@ -320,6 +352,7 @@ __attribute__((malloc)) __attribute__((alloc_size(1))) void *malloc( if (ret && len) memset(ret, ALLOC_CLOBBER, len); return ret; + } /* The wrapper for free(). This simply marks the entire region as PROT_NONE. @@ -327,6 +360,7 @@ __attribute__((malloc)) __attribute__((alloc_size(1))) void *malloc( read the canary. Not very graceful, but works, right? */ void free(void *ptr) { + u32 len; DEBUGF("free(%p)", ptr); @@ -341,10 +375,12 @@ void free(void *ptr) { u8 *ptr_ = ptr; if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) { + size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; for (; len < rlen; ++len) if (ptr_[len] != TAIL_ALLOC_CANARY) FATAL("bad tail allocator canary on free()"); + } /* Protect everything. Note that the extra page at the end is already @@ -358,27 +394,32 @@ void free(void *ptr) { ptr = ptr_; /* Keep the mapping; this is wasteful, but prevents ptr reuse. */ + } /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer, move data, and then free (aka mprotect()) the original one. */ __attribute__((alloc_size(2))) void *realloc(void *ptr, size_t len) { + void *ret; ret = malloc(len); if (ret && ptr) { + if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()"); // Here the tail canary check is delayed to free() memcpy(ret, ptr, MIN(len, PTR_L(ptr))); free(ptr); + } DEBUGF("realloc(%p, %zu) = %p [%zu total]", ptr, len, ret, total_mem); return ret; + } /* posix_memalign we mainly check the proper alignment argument @@ -386,11 +427,14 @@ __attribute__((alloc_size(2))) void *realloc(void *ptr, size_t len) { a normal request */ int posix_memalign(void **ptr, size_t align, size_t len) { + // if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now if ((align % 2) || (align % sizeof(void *))) return EINVAL; if (len == 0) { + *ptr = NULL; return 0; + } size_t rem = len % align; @@ -403,57 +447,72 @@ int posix_memalign(void **ptr, size_t align, size_t len) { DEBUGF("posix_memalign(%p %zu, %zu) [*ptr = %p]", ptr, align, len, *ptr); return 0; + } /* just the non-posix fashion */ __attribute__((malloc)) __attribute__((alloc_size(2))) void *memalign( size_t align, size_t len) { + void *ret = NULL; if (posix_memalign(&ret, align, len)) { + DEBUGF("memalign(%zu, %zu) failed", align, len); + } return ret; + } /* sort of C11 alias of memalign only more severe, alignment-wise */ __attribute__((malloc)) __attribute__((alloc_size(2))) void *aligned_alloc( size_t align, size_t len) { + void *ret = NULL; if ((len % align)) return NULL; if (posix_memalign(&ret, align, len)) { + DEBUGF("aligned_alloc(%zu, %zu) failed", align, len); + } return ret; + } /* specific BSD api mainly checking possible overflow for the size */ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, size_t elem_cnt) { + const size_t elem_lim = 1UL << (sizeof(size_t) * 4); const size_t elem_tot = elem_len * elem_cnt; void *ret = NULL; if ((elem_len >= elem_lim || elem_cnt >= elem_lim) && elem_len > 0 && elem_cnt > (SIZE_MAX / elem_len)) { + DEBUGF("reallocarray size overflow (%zu)", elem_tot); } else { + ret = realloc(ptr, elem_tot); + } return ret; + } #if defined(__APPLE__) size_t malloc_size(const void *ptr) { + #elif !defined(__ANDROID__) size_t malloc_usable_size(void *ptr) { @@ -463,24 +522,30 @@ size_t malloc_usable_size(const void *ptr) { #endif return ptr ? PTR_L(ptr) : 0; + } #if defined(__APPLE__) size_t malloc_good_size(size_t len) { + return (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; + } #endif __attribute__((constructor)) void __dislocator_init(void) { + char *tmp = getenv("AFL_LD_LIMIT_MB"); if (tmp) { + char *tok; unsigned long long mmem = strtoull(tmp, &tok, 10); if (*tok != '\0' || errno == ERANGE || mmem > SIZE_MAX / 1024 / 1024) FATAL("Bad value for AFL_LD_LIMIT_MB"); max_mem = mmem * 1024 * 1024; + } alloc_canary = ALLOC_CANARY; @@ -492,23 +557,33 @@ __attribute__((constructor)) void __dislocator_init(void) { hard_fail = !!getenv("AFL_LD_HARD_FAIL"); no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER"); align_allocations = !!getenv("AFL_ALIGNED_ALLOC"); + } /* NetBSD fault handler specific api subset */ void (*esetfunc(void (*fn)(int, const char *, ...)))(int, const char *, ...) { + /* Might not be meaningful to implement; upper calls already report errors */ return NULL; + } void *emalloc(size_t len) { + return malloc(len); + } void *ecalloc(size_t elem_len, size_t elem_cnt) { + return calloc(elem_len, elem_cnt); + } void *erealloc(void *ptr, size_t len) { + return realloc(ptr, len); + } + diff --git a/utils/libtokencap/libtokencap.so.c b/utils/libtokencap/libtokencap.so.c index 5dcb8f4c..07d81d59 100644 --- a/utils/libtokencap/libtokencap.so.c +++ b/utils/libtokencap/libtokencap.so.c @@ -378,7 +378,8 @@ __attribute__((hot)) int strcmp(const char *str1, const char *str2) { #undef strncmp -__attribute__((hot)) int strncmp(const char *str1, const char *str2, size_t len) { +__attribute__((hot)) int strncmp(const char *str1, const char *str2, + size_t len) { if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1); @@ -428,7 +429,8 @@ __attribute__((hot)) int strcasecmp(const char *str1, const char *str2) { #undef strncasecmp -__attribute__((hot)) int strncasecmp(const char *str1, const char *str2, size_t len) { +__attribute__((hot)) int strncasecmp(const char *str1, const char *str2, + size_t len) { if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1); @@ -454,7 +456,8 @@ __attribute__((hot)) int strncasecmp(const char *str1, const char *str2, size_t #undef memcmp -__attribute__((hot)) int memcmp(const void *mem1, const void *mem2, size_t len) { +__attribute__((hot)) int memcmp(const void *mem1, const void *mem2, + size_t len) { if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); @@ -537,7 +540,8 @@ __attribute__((hot)) char *strstr(const char *haystack, const char *needle) { #undef strcasestr -__attribute__((hot)) char *strcasestr(const char *haystack, const char *needle) { +__attribute__((hot)) char *strcasestr(const char *haystack, + const char *needle) { if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, strlen(haystack), 1); @@ -566,8 +570,8 @@ __attribute__((hot)) char *strcasestr(const char *haystack, const char *needle) #undef memmem -__attribute__((hot)) void *memmem(const void *haystack, size_t haystack_len, const void *needle, - size_t needle_len) { +__attribute__((hot)) void *memmem(const void *haystack, size_t haystack_len, + const void *needle, size_t needle_len) { if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1); -- cgit v1.2.3 From b7a2c7e6988f519f45e2305f2745355f6c3dd4ae Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 15 Sep 2022 10:13:46 +0200 Subject: try LLVMFuzzerRunDriver support --- utils/aflpp_driver/aflpp_driver.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 4e4ea129..69379061 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -64,6 +64,8 @@ extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); +int LLVMFuzzerRunDriver(int *argc, char ***argv, + int (*callback)(const uint8_t *data, size_t size)); // Default nop ASan hooks for manual posisoning when not linking the ASan // runtime @@ -245,7 +247,7 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { } -int main(int argc, char **argv) { +__attribute__((weak)) int main(int argc, char **argv) { if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) printf( @@ -265,6 +267,16 @@ int main(int argc, char **argv) { "===================================================================\n", argv[0], argv[0]); + return LLVMFuzzerRunDriver(&argc, &argv, LLVMFuzzerTestOneInput); + +} + +int LLVMFuzzerRunDriver(int *argcp, char ***argvp, + int (*callback)(const uint8_t *data, size_t size)) { + + int argc = *argcp; + char **argv = *argvp; + if (getenv("AFL_GDB")) { char cmd[64]; -- cgit v1.2.3 From 636025df9a583541168ae1dea3d412c8168fe0f9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 15 Sep 2022 10:32:34 +0200 Subject: forgot correct callback --- utils/aflpp_driver/aflpp_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 69379061..f2d07190 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -364,7 +364,7 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } prev_length = length; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, length); + (void)callback(__afl_fuzz_ptr, length); } -- cgit v1.2.3 From af5e8370af3b8a1e1077ca735b0748f7c5b988bb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 16 Sep 2022 10:57:13 +0200 Subject: fix LLVMFuzzerRunDriver --- utils/aflpp_driver/aflpp_driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index f2d07190..52b98f41 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -62,7 +62,8 @@ extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; // libFuzzer interface is thin, so we don't include any libFuzzer headers. -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); +__attribute__((weak)) int LLVMFuzzerTestOneInput(const uint8_t *Data, + size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int LLVMFuzzerRunDriver(int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); -- cgit v1.2.3 From 02db8685f10246bd458dcf324b6a179b0dbfaf5d Mon Sep 17 00:00:00 2001 From: Laszlo Szekeres Date: Fri, 16 Sep 2022 23:04:47 -0400 Subject: Fix null pointers. --- utils/aflpp_driver/aflpp_driver.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 52b98f41..3961b401 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -198,7 +198,8 @@ size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { } // Execute any files provided as parameters. -static int ExecuteFilesOnyByOne(int argc, char **argv) { +static int ExecuteFilesOnyByOne(int argc, char **argv, + int (*callback)(const uint8_t *data, size_t size)) { unsigned char *buf = (unsigned char *)malloc(MAX_FILE); @@ -234,7 +235,7 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) { prev_length = length; printf("Reading %zu bytes from %s\n", length, argv[i]); - LLVMFuzzerTestOneInput(buf, length); + callback(buf, length); printf("Execution successful.\n"); } @@ -312,7 +313,7 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, __afl_sharedmem_fuzzing = 0; __afl_manual_init(); - return ExecuteFilesOnyByOne(argc, argv); + return ExecuteFilesOnyByOne(argc, argv, callback); } else if (argc == 2 && argv[1][0] == '-') { @@ -328,7 +329,7 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, if (argc == 2) { __afl_manual_init(); } - return ExecuteFilesOnyByOne(argc, argv); + return ExecuteFilesOnyByOne(argc, argv, callback); } @@ -338,7 +339,7 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // on the first execution of LLVMFuzzerTestOneInput is ignored. - LLVMFuzzerTestOneInput(dummy_input, 4); + callback(dummy_input, 4); __asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE); size_t prev_length = 0; @@ -375,7 +376,7 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, while (__afl_persistent_loop(N)) { - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + callback(__afl_fuzz_ptr, *__afl_fuzz_len); } -- cgit v1.2.3 From 0623a73a5cb8a0c2cff32413df9f4c5c69b8e339 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 17 Sep 2022 11:56:39 +0200 Subject: fix docs --- utils/aflpp_driver/aflpp_driver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 3961b401..7e553723 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -198,8 +198,9 @@ size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { } // Execute any files provided as parameters. -static int ExecuteFilesOnyByOne(int argc, char **argv, - int (*callback)(const uint8_t *data, size_t size)) { +static int ExecuteFilesOnyByOne(int argc, char **argv, + int (*callback)(const uint8_t *data, + size_t size)) { unsigned char *buf = (unsigned char *)malloc(MAX_FILE); -- cgit v1.2.3 From 0eeddda2c84b13158bfda1505e5ff2467dec08f0 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 1 Oct 2022 16:10:09 +0100 Subject: libdislocator adding netbsd's reallocarr --- utils/libdislocator/libdislocator.so.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'utils') diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index a6d8ecfd..638735ef 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -510,6 +510,24 @@ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, } +int reallocarr(void *ptr, size_t elem_len, size_t elem_cnt) { + + void *ret = NULL; + const size_t elem_tot = elem_len * elem_cnt; + + if (elem_tot == 0) { + + void **h = &ptr; + *h = ret; + return 0; + + } + + ret = reallocarray(ptr, elem_len, elem_cnt); + return ret ? 0 : -1; + +} + #if defined(__APPLE__) size_t malloc_size(const void *ptr) { -- cgit v1.2.3 From 9c6aebba059bd3d4477d2560cb771effca74a82f Mon Sep 17 00:00:00 2001 From: hexcoder Date: Mon, 3 Oct 2022 11:04:23 +0200 Subject: typos --- utils/libdislocator/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index e4934b5d..d0e45fff 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -34,8 +34,8 @@ heap-related security bugs in several ways: - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In this case, a tail canary is inserted in the padding bytes at the end of the - allocated zone. This reduce the ability of libdislocator to detect - off-by-one bugs but also it make slibdislocator compliant to the C standard. + allocated zone. This reduces the ability of libdislocator to detect + off-by-one bugs but also it makes libdislocator compliant to the C standard. Basically, it is inspired by some of the non-default options available for the OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is -- cgit v1.2.3 From 2107ece114e66952f16d2dbc888d46a1061e6faf Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 7 Oct 2022 15:40:04 +0200 Subject: auto shmem fuzzing (#1541) * auto shmem fuzzing * print warning when forcing shmem fuzzing * typos * Shmem always * typo fix * fixes Co-authored-by: Dominik Maier --- utils/aflpp_driver/aflpp_driver.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 7e553723..87bd2aa2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -35,6 +35,7 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); int LLVMFuzzerRunDriver(int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); -// Default nop ASan hooks for manual posisoning when not linking the ASan +// Default nop ASan hooks for manual poisoning when not linking the ASan // runtime // https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning __attribute__((weak)) void __asan_poison_memory_region( @@ -290,6 +291,12 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } + bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + output_file = stderr; maybe_duplicate_stderr(); maybe_close_fd_mask(); @@ -310,23 +317,20 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, int N = INT_MAX; - if (argc == 2 && !strcmp(argv[1], "-")) { + if (!in_afl && argc == 2 && !strcmp(argv[1], "-")) { - __afl_sharedmem_fuzzing = 0; __afl_manual_init(); return ExecuteFilesOnyByOne(argc, argv, callback); - } else if (argc == 2 && argv[1][0] == '-') { + } else if (argc == 2 && argv[1][0] == '-' && argv[1][1]) { N = atoi(argv[1] + 1); - } else if (argc == 2 && (N = atoi(argv[1])) > 0) { + } else if (argc == 2 && argv[1][0] != '-' && (N = atoi(argv[1])) > 0) { printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); - } else if (argc > 1) { - - __afl_sharedmem_fuzzing = 0; + } else if (!in_afl && argc > 1 && argv[1][0] != '-') { if (argc == 2) { __afl_manual_init(); } -- cgit v1.2.3 From e6e82948bf95fab90466cb2dfa78457c4d2d80a6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 11 Oct 2022 08:53:49 +0200 Subject: fastexit + code format --- utils/aflpp_driver/aflpp_driver.c | 6 +++--- utils/libdislocator/libdislocator.so.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 87bd2aa2..a76ba6c2 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -292,10 +292,10 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } bool in_afl = !(!getenv(SHM_FUZZ_ENV_VAR) || !getenv(SHM_ENV_VAR) || - fcntl(FORKSRV_FD, F_GETFD) == -1 || - fcntl(FORKSRV_FD + 1, F_GETFD) == -1); + fcntl(FORKSRV_FD, F_GETFD) == -1 || + fcntl(FORKSRV_FD + 1, F_GETFD) == -1); - if (!in_afl) { __afl_sharedmem_fuzzing = 0; } + if (!in_afl) { __afl_sharedmem_fuzzing = 0; } output_file = stderr; maybe_duplicate_stderr(); diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index 638735ef..c390d004 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -512,7 +512,7 @@ __attribute__((alloc_size(2, 3))) void *reallocarray(void *ptr, size_t elem_len, int reallocarr(void *ptr, size_t elem_len, size_t elem_cnt) { - void *ret = NULL; + void *ret = NULL; const size_t elem_tot = elem_len * elem_cnt; if (elem_tot == 0) { -- cgit v1.2.3 From a6a26d8153a177782f999f20d33b4cfc5f9e3790 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 25 Oct 2022 22:13:31 +0200 Subject: fix usecase --- utils/aflpp_driver/aflpp_driver.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index a76ba6c2..03376b6a 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -336,6 +336,10 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, return ExecuteFilesOnyByOne(argc, argv, callback); + } else { + + N = INT_MAX; + } assert(N > 0); -- cgit v1.2.3 From c5f8869778b237f89cc4c12c1961a9ef559179b8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 11 Nov 2022 10:46:45 +0100 Subject: afl_custom_fuzz_send added --- utils/afl_proxy/README.md | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'utils') diff --git a/utils/afl_proxy/README.md b/utils/afl_proxy/README.md index 3c768a19..7965659d 100644 --- a/utils/afl_proxy/README.md +++ b/utils/afl_proxy/README.md @@ -7,3 +7,8 @@ You only need to change the while() loop of the main() to send the data of buf[] with length len to the target and write the coverage information to __afl_area_ptr[__afl_map_size] +UPDATE: you can also use [custom mutators](../../docs/custom_mutators.md) with +afl_custom_fuzz_send to send data to a target, which is much more efficient! +But you can only use this feature if you start the target via afl-fuzz and +a forkserver is active (e.g. via -Q qemu_mode or source compiled). + -- cgit v1.2.3 From 903b5607bc0eea01aa9872a2a53221a953c7a559 Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Wed, 16 Nov 2022 18:19:50 +0300 Subject: Fix argv-fuzz. --- utils/argv_fuzzing/argv-fuzz-inl.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index c15c0271..68a0c93d 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -34,6 +34,7 @@ #ifndef _HAVE_ARGV_FUZZ_INL #define _HAVE_ARGV_FUZZ_INL +#include #include #define AFL_INIT_ARGV() \ @@ -63,22 +64,22 @@ static char **afl_init_argv(int *argc) { char *ptr = in_buf; int rc = 0; - if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {} - - while (*ptr && rc < MAX_CMDLINE_PAR) { + ssize_t num = 0; + if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) < 0) {} + if (in_buf[num - 1] == '\n') { + in_buf[num - 1] = 0; + } - ret[rc] = ptr; + char delim = ' '; + char *curarg = strtok(ptr, &delim); + while (curarg && rc < MAX_CMDLINE_PAR) { + ret[rc] = curarg; if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; rc++; - - while (*ptr) - ptr++; - ptr++; - + curarg = strtok(NULL, &delim); } *argc = rc; - return ret; } @@ -87,4 +88,3 @@ static char **afl_init_argv(int *argc) { #undef MAX_CMDLINE_PAR #endif /* !_HAVE_ARGV_FUZZ_INL */ - -- cgit v1.2.3 From 3d07f0ab791565feb904f5897b22ef924fc06a48 Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Thu, 17 Nov 2022 14:14:11 +0300 Subject: Handle empty input. --- utils/argv_fuzzing/argv-fuzz-inl.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 68a0c93d..2ec433e1 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -65,7 +65,10 @@ static char **afl_init_argv(int *argc) { int rc = 0; ssize_t num = 0; - if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) < 0) {} + if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) <= 0) { + *argc = 0; + return ret; + } if (in_buf[num - 1] == '\n') { in_buf[num - 1] = 0; } -- cgit v1.2.3 From 8f9726d4a901880808d46706cdb9024c5d08bb7e Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Thu, 17 Nov 2022 17:27:13 +0300 Subject: Fix delim. --- utils/argv_fuzzing/argv-fuzz-inl.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 2ec433e1..94d4c123 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -73,13 +73,12 @@ static char **afl_init_argv(int *argc) { in_buf[num - 1] = 0; } - char delim = ' '; - char *curarg = strtok(ptr, &delim); + char *curarg = strtok(ptr, " "); while (curarg && rc < MAX_CMDLINE_PAR) { ret[rc] = curarg; if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; rc++; - curarg = strtok(NULL, &delim); + curarg = strtok(NULL, " "); } *argc = rc; -- cgit v1.2.3 From ba788591dc50ba01088a9e0ed76ae29878eedbdd Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Thu, 17 Nov 2022 17:38:45 +0300 Subject: Handle read() error. --- utils/argv_fuzzing/argv-fuzz-inl.h | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 94d4c123..917c6222 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -34,7 +34,7 @@ #ifndef _HAVE_ARGV_FUZZ_INL #define _HAVE_ARGV_FUZZ_INL -#include +#include #include #define AFL_INIT_ARGV() \ @@ -64,24 +64,27 @@ static char **afl_init_argv(int *argc) { char *ptr = in_buf; int rc = 0; - ssize_t num = 0; - if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) <= 0) { - *argc = 0; - return ret; - } - if (in_buf[num - 1] == '\n') { - in_buf[num - 1] = 0; + ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2); + if (num < 0) { + abort(); } + in_buf[num] = '\0'; + in_buf[num + 1] = '\0'; + + while (*ptr && rc < MAX_CMDLINE_PAR) { - char *curarg = strtok(ptr, " "); - while (curarg && rc < MAX_CMDLINE_PAR) { - ret[rc] = curarg; + ret[rc] = ptr; if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; rc++; - curarg = strtok(NULL, " "); + + while (*ptr) + ptr++; + ptr++; + } *argc = rc; + return ret; } @@ -90,3 +93,4 @@ static char **afl_init_argv(int *argc) { #undef MAX_CMDLINE_PAR #endif /* !_HAVE_ARGV_FUZZ_INL */ + -- cgit v1.2.3 From d7e788a3c0138637147621cc4d6ab8087e0af956 Mon Sep 17 00:00:00 2001 From: kobrineli Date: Fri, 18 Nov 2022 13:35:51 +0300 Subject: Exit on read error. --- utils/argv_fuzzing/argv-fuzz-inl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 917c6222..e350dd4e 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -66,7 +66,7 @@ static char **afl_init_argv(int *argc) { ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2); if (num < 0) { - abort(); + exit(1); } in_buf[num] = '\0'; in_buf[num + 1] = '\0'; -- cgit v1.2.3 From 32a331ab43095c2493514a9066c30ae7665433e4 Mon Sep 17 00:00:00 2001 From: a-shvedov <60114847+a-shvedov@users.noreply.github.com> Date: Sat, 26 Nov 2022 10:34:14 +0300 Subject: Update README.md --- utils/libtokencap/README.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'utils') diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md index 50104291..8705452c 100644 --- a/utils/libtokencap/README.md +++ b/utils/libtokencap/README.md @@ -47,9 +47,11 @@ by AFL++ in that earlier run. This demonstrates the basic principle: ``` export AFL_TOKEN_FILE=$PWD/temp_output.txt + timeout_sec="5" for i in /queue/id*; do LD_PRELOAD=/path/to/libtokencap.so \ + timeout -s SIGKILL ${timeout_sec} \ /path/to/target/program [...params, including $i...] done -- cgit v1.2.3 From e26c173041b185d7ea37aa923cca3ec4aed51b1b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 13 Dec 2022 09:13:52 +0100 Subject: code format --- utils/argv_fuzzing/argv-fuzz-inl.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index e350dd4e..ec22c53b 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -65,9 +65,7 @@ static char **afl_init_argv(int *argc) { int rc = 0; ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2); - if (num < 0) { - exit(1); - } + if (num < 1) { _exit(1); } in_buf[num] = '\0'; in_buf[num + 1] = '\0'; -- cgit v1.2.3 From 401811a97d39362cd52f38c0fd935b1ef6c043e7 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Fri, 23 Dec 2022 12:06:40 +0000 Subject: afl-untracer freebsd 13.1 and above update. with the new kern.elf*.allow_wx setting, we try to make sure we still can make the maps w/x, fixing few build warnings while at it. --- utils/afl_untracer/afl-untracer.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'utils') diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c index ed7047a4..6bee067c 100644 --- a/utils/afl_untracer/afl-untracer.c +++ b/utils/afl_untracer/afl-untracer.c @@ -156,7 +156,7 @@ void read_library_information(void) { *e = 0; if (n[strlen(n) - 1] == '\n') n[strlen(n) - 1] = 0; - liblist[liblist_cnt].name = strdup(n); + liblist[liblist_cnt].name = (u8 *)strdup((char *)n); liblist[liblist_cnt].addr_start = strtoull(b, NULL, 16); liblist[liblist_cnt].addr_end = strtoull(m, NULL, 16); if (debug) @@ -210,16 +210,16 @@ void read_library_information(void) { !(region->kve_protection & KVME_PROT_EXEC)) { liblist[liblist_cnt].name = - region->kve_path[0] != '\0' ? strdup(region->kve_path) : 0; + region->kve_path[0] != '\0' ? (u8 *)strdup(region->kve_path) : 0; liblist[liblist_cnt].addr_start = region->kve_start; liblist[liblist_cnt].addr_end = region->kve_end; if (debug) { - fprintf(stderr, "%s:%x (%lx-%lx)\n", liblist[liblist_cnt].name, - liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start, - liblist[liblist_cnt].addr_start, - liblist[liblist_cnt].addr_end - 1); + fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name, + (unsigned long)(liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start), + (unsigned long)liblist[liblist_cnt].addr_start, + (unsigned long)(liblist[liblist_cnt].addr_end - 1)); } @@ -488,6 +488,12 @@ void setup_trap_instrumentation(void) { uint32_t bitmap_index = 0; #endif +#if defined(__FreeBSD__) && __FreeBSD_version >= 1301000 + // We try to allow W/X pages despite kern.elf32/64.allow_wx system settings + int allow_wx = PROC_WX_MAPPINGS_PERMIT; + (void)procctl(P_PID, 0, PROC_WXMAP_CTL, &allow_wx); +#endif + while ((nread = getline(&line, &len, patches)) != -1) { char *end = line + len; @@ -699,7 +705,7 @@ int main(int argc, char *argv[]) { if (argc > 1) { use_stdin = 0; - inputfile = argv[1]; + inputfile = (u8 *)argv[1]; } @@ -732,7 +738,7 @@ int main(int argc, char *argv[]) { if (pid) { u32 status; - if (waitpid(pid, &status, 0) < 0) exit(1); + if (waitpid(pid, (int *)&status, 0) < 0) exit(1); /* report the test case is done and wait for the next */ __afl_end_testcase(status); -- cgit v1.2.3 From 6fe38b2138ed993f3af28fc5ab92fda8f7542ef7 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:39:47 +0100 Subject: argv fuzz persistent --- utils/argv_fuzzing/argv-fuzz-inl.h | 43 ++++++++++++++++++++++++++ utils/argv_fuzzing/argv_fuzz_demo.c | 16 ++++++++++ utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 28 +++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 utils/argv_fuzzing/argv_fuzz_demo.c create mode 100644 utils/argv_fuzzing/argv_fuzz_persistent_demo.c (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index ec22c53b..d3440799 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -29,6 +29,10 @@ If you would like to always preserve argv[0], use this instead: AFL_INIT_SET0("prog_name"); + To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with + buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) + to preserver argv[0]. buf should be defined as: + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; */ #ifndef _HAVE_ARGV_FUZZ_INL @@ -53,6 +57,20 @@ \ } while (0) +#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ + do { \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + } while (0) + +#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + argv[0] = (_p); \ + if (!argc) argc = 1; \ + \ + } while (0) + #define MAX_CMDLINE_LEN 100000 #define MAX_CMDLINE_PAR 50000 @@ -87,6 +105,31 @@ static char **afl_init_argv(int *argc) { } +static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff) { + + static char *ret[MAX_CMDLINE_PAR]; + + unsigned char *ptr = persistent_buff; + int rc = 0; + + while (*ptr && rc < MAX_CMDLINE_PAR) { + + ret[rc] = (char *)ptr; + if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; + rc++; + + while (*ptr) + ptr++; + ptr++; + + } + + *argc = rc; + + return ret; + +} + #undef MAX_CMDLINE_LEN #undef MAX_CMDLINE_PAR diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c new file mode 100644 index 00000000..f4375316 --- /dev/null +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -0,0 +1,16 @@ +#include +#include +#include "argv-fuzz-inl.h" + +int main(int argc, char **argv) { +AFL_INIT_ARGV(); + if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { + abort(); + } + } else { + printf("Bad number of arguments!\n"); + } + + return 0; +} \ No newline at end of file diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c new file mode 100644 index 00000000..5ecda22b --- /dev/null +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -0,0 +1,28 @@ +#include +#include +#include "argv-fuzz-inl.h" + +__AFL_FUZZ_INIT(); + +int main(int argc, char **argv) { +#ifdef __AFL_HAVE_MANUAL_CONTROL + __AFL_INIT(); +#endif + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + + while (__AFL_LOOP(100000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; + + if (len < 8) continue; + + AFL_INIT_ARGV_P(buf); + + if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } + } + + return 0; +} \ No newline at end of file -- cgit v1.2.3 From a0eee2bd92cb819758e54bbac9b8d8ec7daa0764 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:44:49 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 183f6bf8..dfdd0f8e 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -56,3 +56,7 @@ install: argvfuzz32.so argvfuzz64.so clean: rm -f argvfuzz32.so argvfuzz64.so + +demo: + ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz.c + ../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file -- cgit v1.2.3 From 0062a14aa32ffbf38c10a15b3cae97a63a6b3272 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:48:06 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index dfdd0f8e..bf4ae81d 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -58,5 +58,5 @@ clean: rm -f argvfuzz32.so argvfuzz64.so demo: - ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz.c + ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c ../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file -- cgit v1.2.3 From 67ae1d583902a7e0a8a39c2b17321ffde045cd6d Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:49:22 +0100 Subject: makefile update --- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 5ecda22b..1e96ade1 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -15,7 +15,7 @@ int main(int argc, char **argv) { if (len < 8) continue; - AFL_INIT_ARGV_P(buf); + AFL_INIT_ARGV_PERSISTENT(buf); if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } -- cgit v1.2.3 From 6e5c08b653d7d55c5d544601d9fb19fcc16edfd6 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:50:53 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index bf4ae81d..140a53de 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -55,7 +55,7 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi clean: - rm -f argvfuzz32.so argvfuzz64.so + rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo demo: ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c -- cgit v1.2.3 From 3a134edd889ed1bf4f8d11e8e37ebba31460fb3e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 15:51:50 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 140a53de..3ebde54b 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -41,7 +41,7 @@ __M32FLAG=$(_M32FLAG:00=-mbe32) ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) M32FLAG=$(___M32FLAG) -all: argvfuzz32.so argvfuzz64.so +all: argvfuzz32.so argvfuzz64.so demo argvfuzz32.so: argvfuzz.c -@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "argvfuzz32 build failure (that's fine)" -- cgit v1.2.3 From 3d031f93a6366ee157cfd9a27fbb6d485d328d8e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 16:15:52 +0100 Subject: update --- utils/argv_fuzzing/argv_fuzz_demo.c | 9 ++++++++- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 23 ++++++++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index f4375316..5fe4d704 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -3,7 +3,14 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { -AFL_INIT_ARGV(); + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool + AFL_INIT_ARGV(); + + /* Check the number of command line arguments and + compare the values of the first two arguments to specific strings. + If the number of arguments is not correct or the values do not match, + an error message is printed. If the values do match, the program + calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 1e96ade1..a96cf1fe 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -1,28 +1,49 @@ +/* +This file contains a simple fuzzer for testing command line argument parsing +using persistent mode. +*/ + #include #include #include "argv-fuzz-inl.h" __AFL_FUZZ_INIT(); +/* The main function is an entry point for a program. + The argc parameter is an integer that indicates the number of arguments + passed to the program. The argv parameter is an array of character pointers, + with each element pointing to a null-terminated string that represents + one of the arguments. + */ int main(int argc, char **argv) { #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + /* __AFL_LOOP() limits the maximum number of iterations before exiting + the loop and allowing the program to terminate. It protects against + accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { int len = __AFL_FUZZ_TESTCASE_LEN; + // Check that the length of the test case is at least 8 bytes if (len < 8) continue; + // Initialize the command line arguments using the testcase buffer AFL_INIT_ARGV_PERSISTENT(buf); + /* Check if the first argument is "XYZ" and the second argument is "TEST2" + If so, call the "abort" function to terminate the program. + Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { if (strcmp(argv[2], "TEST2") == 0) { abort(); } } else { printf("Bad number of arguments!\n"); } } - + /* Exiting the loop allows the program to terminate normally. AFL will restart + the process with a clean slate for allocated memory, file descriptors, etc. + */ return 0; } \ No newline at end of file -- cgit v1.2.3 From b189640a927e9ed17347b26f6579b0e41dcdda38 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 16:54:36 +0100 Subject: cleanup --- utils/argv_fuzzing/README.md | 4 ++-- utils/argv_fuzzing/argv-fuzz-inl.h | 31 ++++++++++++++------------ utils/argv_fuzzing/argv_fuzz_demo.c | 13 +++++++---- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 11 ++++++++- 4 files changed, 38 insertions(+), 21 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index e9224995..bcf388c7 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,4 +1,4 @@ -# argvfuzz +#argvfuzz AFL++ supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. @@ -13,4 +13,4 @@ A few conditions need to be fulfilled for this mechanism to work correctly: 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the - target binary expects argv to be living on the stack, things may go wrong. \ No newline at end of file + target binary expects argv to be living on the stack, things may go wrong. diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index d3440799..bb8f2813 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -57,18 +57,20 @@ \ } while (0) -#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ - do { \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - } while (0) - -#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ - do { \ - \ - argv = afl_init_argv_persistent(&argc, persistent_buff); \ - argv[0] = (_p); \ - if (!argc) argc = 1; \ - \ +#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + \ + } while (0) + +#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \ + do { \ + \ + argv = afl_init_argv_persistent(&argc, persistent_buff); \ + argv[0] = (_p); \ + if (!argc) argc = 1; \ + \ } while (0) #define MAX_CMDLINE_LEN 100000 @@ -105,12 +107,13 @@ static char **afl_init_argv(int *argc) { } -static char **afl_init_argv_persistent(int *argc, unsigned char *persistent_buff) { +static char **afl_init_argv_persistent(int *argc, + unsigned char *persistent_buff) { static char *ret[MAX_CMDLINE_PAR]; unsigned char *ptr = persistent_buff; - int rc = 0; + int rc = 0; while (*ptr && rc < MAX_CMDLINE_PAR) { diff --git a/utils/argv_fuzzing/argv_fuzz_demo.c b/utils/argv_fuzzing/argv_fuzz_demo.c index 5fe4d704..6ab1e2e5 100644 --- a/utils/argv_fuzzing/argv_fuzz_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_demo.c @@ -3,6 +3,7 @@ #include "argv-fuzz-inl.h" int main(int argc, char **argv) { + // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool AFL_INIT_ARGV(); @@ -12,12 +13,16 @@ int main(int argc, char **argv) { an error message is printed. If the values do match, the program calls the abort() function. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { - if (strcmp(argv[2], "TEST2") == 0) { - abort(); - } + + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } return 0; -} \ No newline at end of file + +} + diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index a96cf1fe..08a62c62 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -16,6 +16,7 @@ __AFL_FUZZ_INIT(); one of the arguments. */ int main(int argc, char **argv) { + #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif @@ -25,6 +26,7 @@ int main(int argc, char **argv) { the loop and allowing the program to terminate. It protects against accidental memory leaks and similar issues. */ while (__AFL_LOOP(100000)) { + int len = __AFL_FUZZ_TESTCASE_LEN; // Check that the length of the test case is at least 8 bytes @@ -37,13 +39,20 @@ int main(int argc, char **argv) { If so, call the "abort" function to terminate the program. Otherwise, print an error message. */ if (argc > 1 && strcmp(argv[1], "XYZ") == 0) { + if (strcmp(argv[2], "TEST2") == 0) { abort(); } + } else { + printf("Bad number of arguments!\n"); + } + } + /* Exiting the loop allows the program to terminate normally. AFL will restart the process with a clean slate for allocated memory, file descriptors, etc. */ return 0; -} \ No newline at end of file + +} -- cgit v1.2.3 From 3188cac1d074352e9110d83c7ad5c3d5684d90f8 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Tue, 27 Dec 2022 16:57:30 +0100 Subject: cleanup --- utils/argv_fuzzing/README.md | 2 +- utils/argv_fuzzing/argv-fuzz-inl.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index bcf388c7..ca90f26c 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,4 +1,4 @@ -#argvfuzz +# argvfuzz feature AFL++ supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index bb8f2813..abe86d3c 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -29,10 +29,10 @@ If you would like to always preserve argv[0], use this instead: AFL_INIT_SET0("prog_name"); - To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with - buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) - to preserver argv[0]. buf should be defined as: - unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; + To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with + buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) + to preserver argv[0]. buf should be defined as: + unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; */ #ifndef _HAVE_ARGV_FUZZ_INL -- cgit v1.2.3 From 51e0707d4d5b65cf4245b7350986c66bf639f3cd Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:27:22 +0100 Subject: readme update --- utils/argv_fuzzing/README.md | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index ca90f26c..e22fbe4e 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,15 +1,37 @@ -# argvfuzz feature +# argv_fuzzing feature +AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for fuzzing of arguments passed to a program from the command line interface, rather than from standard input. -AFL++ supports fuzzing file inputs or stdin. When source is available, -`argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. +## With source code +When source is available, a macro from the `argv-fuzz-inl.h` header file can be used to change the program's behavior to build argv from STDIN. +### Without persistent mode +Conditions needed to use the argv_fuzzing feature: +1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`) +2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`) +3. Use the one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: + - `AFL_INIT_ARGV();` or + - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed) + +see: [argv_fuzz_demo.c](argv_fuzz_demo.c) + +### With persistent mode +Conditions needed to use the argv_fuzzing feature with persistent mode: +1. Ensure your target can handle persistent mode fuzzing +2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md) +3. Use the one of the following macro near the beginning of the main function and after the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): + - `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to + - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)` + +see: [argv_fuzz_persistent_demo.c](argv_fuzz_persistent_demo.c) + +## Binary only `argvfuzz` tries to provide the same functionality for binaries. When loaded using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace argv using the same logic of `argv-fuzz-inl.h`. A few conditions need to be fulfilled for this mechanism to work correctly: -1. As it relies on hooking the loader, it cannot work on static binaries. +1. As it relies on hooking the loader, it cannot work on static binaries 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the -- cgit v1.2.3 From f28f6adbce0b803b80938518ca9c559e428ef9cf Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:41:22 +0100 Subject: update --- utils/argv_fuzzing/Makefile | 8 +++++--- utils/argv_fuzzing/README.md | 15 +++++++++------ 2 files changed, 14 insertions(+), 9 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 3ebde54b..fca46b09 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -11,7 +11,7 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -.PHONY: all install clean +.PHONY: all install clean demo PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -58,5 +58,7 @@ clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo demo: - ../../afl-clang-fast -o argv_fuzz_demo argv_fuzz_demo.c - ../../afl-clang-fast -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file + CC = afl-clang-fast + CFLAGS = -fsanitize=address + -@$(CC) $(CFLAGS) -o argv_fuzz_demo argv_fuzz_demo.c + -@$(CC) $(CFLAGS) -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index e22fbe4e..d248cf93 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,14 +1,16 @@ # argv_fuzzing feature -AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for fuzzing of arguments passed to a program from the command line interface, rather than from standard input. +AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for the fuzzing of arguments +passed to a program from the command line interface rather than from standard input. ## With source code -When source is available, a macro from the `argv-fuzz-inl.h` header file can be used to change the program's behavior to build argv from STDIN. +When the source code is available, a specific macro from the `argv-fuzz-inl.h` header file can be used to change +the program's behavior to build argv from STDIN. ### Without persistent mode Conditions needed to use the argv_fuzzing feature: 1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`) 2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`) -3. Use the one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: +3. Use one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: - `AFL_INIT_ARGV();` or - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed) @@ -18,7 +20,8 @@ see: [argv_fuzz_demo.c](argv_fuzz_demo.c) Conditions needed to use the argv_fuzzing feature with persistent mode: 1. Ensure your target can handle persistent mode fuzzing 2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md) -3. Use the one of the following macro near the beginning of the main function and after the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): +3. Use one of the following macros near the beginning of the main function and after +the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`): - `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)` @@ -34,5 +37,5 @@ A few conditions need to be fulfilled for this mechanism to work correctly: 1. As it relies on hooking the loader, it cannot work on static binaries 2. If the target binary does not use the default libc's `_start` implementation (crt1.o), the hook may not run. -3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the - target binary expects argv to be living on the stack, things may go wrong. +3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. +Things may go wrong if the target binary expects argv to live on the stack. -- cgit v1.2.3 From c0c985a2781f84313db80eea3662ec88fb264292 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:48:10 +0100 Subject: minor changes --- utils/argv_fuzzing/argv-fuzz-inl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index abe86d3c..cb0af2bc 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -31,7 +31,8 @@ To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf) - to preserver argv[0]. buf should be defined as: + to preserver argv[0]. buf is a pointer to a buffer containing + the input data for the current test case being processed defined as: unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; */ -- cgit v1.2.3 From 86ec1b9d71d1d2679f85676c65947324779016b3 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 09:55:14 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index fca46b09..ba811de6 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -11,7 +11,7 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -.PHONY: all install clean demo +.PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -41,7 +41,7 @@ __M32FLAG=$(_M32FLAG:00=-mbe32) ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) M32FLAG=$(___M32FLAG) -all: argvfuzz32.so argvfuzz64.so demo +all: argvfuzz32.so argvfuzz64.so argv_fuzz_persistent_demo argv_fuzz_demo argvfuzz32.so: argvfuzz.c -@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "argvfuzz32 build failure (that's fine)" @@ -57,8 +57,8 @@ install: argvfuzz32.so argvfuzz64.so clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo -demo: - CC = afl-clang-fast - CFLAGS = -fsanitize=address - -@$(CC) $(CFLAGS) -o argv_fuzz_demo argv_fuzz_demo.c - -@$(CC) $(CFLAGS) -o argv_fuzz_persistent_demo argv_fuzz_persistent_demo.c \ No newline at end of file +argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c + $(CC) $(CFLAGS) -o $@ $^ + +argv_fuzz_demo: argv_fuzz_demo.c + $(CC) $(CFLAGS) -o $@ $^ \ No newline at end of file -- cgit v1.2.3 From 4ff37da70923196f6986d64eafdda82590b92207 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:34:56 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index ba811de6..b6630175 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -13,11 +13,20 @@ .PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo +CC ?= afl-clang-fast +CFLAGS ?= -fsanitize=address + +argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c + $(CC) $(CFLAGS) -o $@ $^ + +argv_fuzz_demo: argv_fuzz_demo.c + $(CC) $(CFLAGS) -o $@ $^ + PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl -CFLAGS = -fPIC -Wall -Wextra +CFLAGS += -fPIC -Wall -Wextra LDFLAGS = -shared UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?) @@ -57,8 +66,3 @@ install: argvfuzz32.so argvfuzz64.so clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo -argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - $(CC) $(CFLAGS) -o $@ $^ - -argv_fuzz_demo: argv_fuzz_demo.c - $(CC) $(CFLAGS) -o $@ $^ \ No newline at end of file -- cgit v1.2.3 From 107ebb7d49aefe87bd9b610b5b6a82c85d740ab7 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:40:17 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index b6630175..ef719e9a 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -22,6 +22,8 @@ argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c argv_fuzz_demo: argv_fuzz_demo.c $(CC) $(CFLAGS) -o $@ $^ +demo: argv_fuzz_persistent_demo argv_fuzz_demo + PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl @@ -50,7 +52,7 @@ __M32FLAG=$(_M32FLAG:00=-mbe32) ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) M32FLAG=$(___M32FLAG) -all: argvfuzz32.so argvfuzz64.so argv_fuzz_persistent_demo argv_fuzz_demo +all: argvfuzz32.so argvfuzz64.so demo argvfuzz32.so: argvfuzz.c -@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "argvfuzz32 build failure (that's fine)" -- cgit v1.2.3 From c090abb00d93e60a0643f6fb9c42816bc75846e3 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:44:02 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index ef719e9a..2b30b18c 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -13,14 +13,14 @@ .PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo -CC ?= afl-clang-fast -CFLAGS ?= -fsanitize=address +#CC ?= afl-clang-fast +#CFLAGS ?= -fsanitize=address argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - $(CC) $(CFLAGS) -o $@ $^ + CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ argv_fuzz_demo: argv_fuzz_demo.c - $(CC) $(CFLAGS) -o $@ $^ + CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ demo: argv_fuzz_persistent_demo argv_fuzz_demo -- cgit v1.2.3 From 0710e4f17ca9224beaf3424c2cc6f07083ab7c1e Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:47:08 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 2b30b18c..dce092d6 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -11,18 +11,11 @@ # http://www.apache.org/licenses/LICENSE-2.0 # -.PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo +.PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo demo -#CC ?= afl-clang-fast -#CFLAGS ?= -fsanitize=address -argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ -argv_fuzz_demo: argv_fuzz_demo.c - CC=afl-clang-fast CFLAGS=-fsanitize=address $(CC) $(CFLAGS) -o $@ $^ -demo: argv_fuzz_persistent_demo argv_fuzz_demo PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -65,6 +58,14 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi +argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c + afl-clang-fast -fsanitize=address -g -o $@ $^ + +argv_fuzz_demo: argv_fuzz_demo.c + afl-clang-fast -fsanitize=address -g -o $@ $^ + +demo: argv_fuzz_persistent_demo argv_fuzz_demo + clean: rm -f argvfuzz32.so argvfuzz64.so argv_fuzz_demo argv_fuzz_persistent_demo -- cgit v1.2.3 From 489f2d4d97c8497d6e259e9e50c27628ad075126 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:49:31 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index dce092d6..1bc6b223 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -13,10 +13,6 @@ .PHONY: all install clean argv_fuzz_persistent_demo argv_fuzz_demo demo - - - - PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl @@ -59,10 +55,10 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - afl-clang-fast -fsanitize=address -g -o $@ $^ + CC=afl-clang-fast $(CC) -o $@ $^ argv_fuzz_demo: argv_fuzz_demo.c - afl-clang-fast -fsanitize=address -g -o $@ $^ + CC=afl-clang-fast $(CC) -o $@ $^ demo: argv_fuzz_persistent_demo argv_fuzz_demo -- cgit v1.2.3 From 209527907ff9a843fe9d353ec1a1602f88579982 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:50:05 +0100 Subject: makefile update --- utils/argv_fuzzing/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 1bc6b223..7e706180 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -55,10 +55,10 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - CC=afl-clang-fast $(CC) -o $@ $^ + afl-clang-fast -fsanitize=address -g -o $@ $^ argv_fuzz_demo: argv_fuzz_demo.c - CC=afl-clang-fast $(CC) -o $@ $^ + afl-clang-fast -fsanitize=address -g -o $@ $^ demo: argv_fuzz_persistent_demo argv_fuzz_demo -- cgit v1.2.3 From 99c67defb4414c1f207123e2930d0500d338c6b8 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 10:58:44 +0100 Subject: readme cleanup --- utils/argv_fuzzing/README.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index d248cf93..14fe5e2d 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,18 +1,22 @@ # argv_fuzzing feature -AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature allows for the fuzzing of arguments -passed to a program from the command line interface rather than from standard input. +AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature +allows for the fuzzing of arguments passed to a program from the command line +interface rather than from standard input. ## With source code -When the source code is available, a specific macro from the `argv-fuzz-inl.h` header file can be used to change -the program's behavior to build argv from STDIN. +When the source code is available, a specific macro from the `argv-fuzz-inl.h` +header file can be used to change the program's behavior to build argv from STDIN. ### Without persistent mode Conditions needed to use the argv_fuzzing feature: 1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`) -2. Identify your main function that parses arguments (for example, `int main(int argc, char **argv)`) -3. Use one of the following macros (near the beginning of the main function) to initialize argv with the fuzzer's input: +2. Identify your main function that parses arguments +(for example, `int main(int argc, char **argv)`) +3. Use one of the following macros (near the beginning of the main function) +to initialize argv with the fuzzer's input: - `AFL_INIT_ARGV();` or - - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` (the name of the program being executed) + - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]` + (the name of the program being executed) see: [argv_fuzz_demo.c](argv_fuzz_demo.c) -- cgit v1.2.3 From 5670c847bd2cc619a9d4a11e9f7ccb1f4004a0b0 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 11:00:14 +0100 Subject: readme update --- utils/argv_fuzzing/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index 14fe5e2d..a085c098 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,7 +1,7 @@ # argv_fuzzing feature -AFL++ supports fuzzing file inputs or stdin. The argv_fuzzing feature +AFL++ supports fuzzing file inputs or standard input. The argv_fuzzing feature allows for the fuzzing of arguments passed to a program from the command line -interface rather than from standard input. +interface rather than from STDIN. ## With source code When the source code is available, a specific macro from the `argv-fuzz-inl.h` -- cgit v1.2.3 From fd27b2c9be442c429c215fe57bd5893121795b42 Mon Sep 17 00:00:00 2001 From: Maciej Domanski Date: Wed, 28 Dec 2022 11:04:53 +0100 Subject: makefile cleanup --- utils/argv_fuzzing/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 7e706180..f016c5a7 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -17,7 +17,7 @@ PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin HELPER_PATH = $(PREFIX)/lib/afl -CFLAGS += -fPIC -Wall -Wextra +CFLAGS = -fPIC -Wall -Wextra LDFLAGS = -shared UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?) -- cgit v1.2.3 From 35f09e11a4373b0fb42c690d23127c144f72f73c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 3 Jan 2023 09:38:00 +0100 Subject: welcome 2023 --- utils/afl_network_proxy/afl-network-client.c | 2 +- utils/afl_network_proxy/afl-network-server.c | 2 +- utils/afl_proxy/afl-proxy.c | 2 +- utils/afl_untracer/afl-untracer.c | 2 +- utils/afl_untracer/libtestinstr.c | 2 +- utils/argv_fuzzing/Makefile | 2 +- utils/argv_fuzzing/argvfuzz.c | 2 +- utils/distributed_fuzzing/sync_script.sh | 2 +- utils/libdislocator/libdislocator.so.c | 2 +- utils/libtokencap/libtokencap.so.c | 2 +- utils/persistent_mode/test-instr.c | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) (limited to 'utils') diff --git a/utils/afl_network_proxy/afl-network-client.c b/utils/afl_network_proxy/afl-network-client.c index 89ca6c4e..0416f0f9 100644 --- a/utils/afl_network_proxy/afl-network-client.c +++ b/utils/afl_network_proxy/afl-network-client.c @@ -4,7 +4,7 @@ Written by Marc Heuse - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/afl_network_proxy/afl-network-server.c b/utils/afl_network_proxy/afl-network-server.c index 8f0e9df9..2ae4c165 100644 --- a/utils/afl_network_proxy/afl-network-server.c +++ b/utils/afl_network_proxy/afl-network-server.c @@ -12,7 +12,7 @@ Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/afl_proxy/afl-proxy.c b/utils/afl_proxy/afl-proxy.c index afd0e5d2..531a97a2 100644 --- a/utils/afl_proxy/afl-proxy.c +++ b/utils/afl_proxy/afl-proxy.c @@ -4,7 +4,7 @@ Written by Marc Heuse - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c index 6bee067c..ee40d252 100644 --- a/utils/afl_untracer/afl-untracer.c +++ b/utils/afl_untracer/afl-untracer.c @@ -4,7 +4,7 @@ Written by Marc Heuse - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/afl_untracer/libtestinstr.c b/utils/afl_untracer/libtestinstr.c index a3f5acc8..b7afc325 100644 --- a/utils/afl_untracer/libtestinstr.c +++ b/utils/afl_untracer/libtestinstr.c @@ -3,7 +3,7 @@ -------------------------------------------------------- Originally written by Michal Zalewski Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index f016c5a7..3a4ce084 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -2,7 +2,7 @@ # american fuzzy lop++ - argvfuzz # -------------------------------- # -# Copyright 2019-2022 Kjell Braden +# Copyright 2019-2023 Kjell Braden # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/utils/argv_fuzzing/argvfuzz.c b/utils/argv_fuzzing/argvfuzz.c index e7cc6b72..41eead0c 100644 --- a/utils/argv_fuzzing/argvfuzz.c +++ b/utils/argv_fuzzing/argvfuzz.c @@ -2,7 +2,7 @@ american fuzzy lop++ - LD_PRELOAD for fuzzing argv in binaries ------------------------------------------------------------ - Copyright 2019-2022 Kjell Braden + Copyright 2019-2023 Kjell Braden Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/distributed_fuzzing/sync_script.sh b/utils/distributed_fuzzing/sync_script.sh index 251ae4e6..b22816f1 100755 --- a/utils/distributed_fuzzing/sync_script.sh +++ b/utils/distributed_fuzzing/sync_script.sh @@ -6,7 +6,7 @@ # Originally written by Michal Zalewski # # Copyright 2014 Google Inc. All rights reserved. -# Copyright 2019-2022 AFLplusplus Project. All rights reserved. +# Copyright 2019-2023 AFLplusplus Project. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index c390d004..1cd7abc6 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -6,7 +6,7 @@ Originally written by Michal Zalewski Copyright 2016 Google Inc. All rights reserved. - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/libtokencap/libtokencap.so.c b/utils/libtokencap/libtokencap.so.c index 07d81d59..299056ab 100644 --- a/utils/libtokencap/libtokencap.so.c +++ b/utils/libtokencap/libtokencap.so.c @@ -6,7 +6,7 @@ Originally written by Michal Zalewski Copyright 2016 Google Inc. All rights reserved. - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/utils/persistent_mode/test-instr.c b/utils/persistent_mode/test-instr.c index 168aa429..4ead6577 100644 --- a/utils/persistent_mode/test-instr.c +++ b/utils/persistent_mode/test-instr.c @@ -3,7 +3,7 @@ -------------------------------------------------------- Originally written by Michal Zalewski Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2022 AFLplusplus Project. All rights reserved. + Copyright 2019-2023 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: -- cgit v1.2.3 From 081c480e36fa6af63f8211e70fa109b56fa5131d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 4 Jan 2023 15:18:14 +0100 Subject: fix --- utils/argv_fuzzing/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 3a4ce084..9d1fc969 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -55,10 +55,10 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - afl-clang-fast -fsanitize=address -g -o $@ $^ + ../../afl-cc -fsanitize=address -g -o $@ $^ argv_fuzz_demo: argv_fuzz_demo.c - afl-clang-fast -fsanitize=address -g -o $@ $^ + ../../afl-cc -fsanitize=address -g -o $@ $^ demo: argv_fuzz_persistent_demo argv_fuzz_demo -- cgit v1.2.3 From 1c91d8ca79e8177b0a0d08527a29a28a2fc86522 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 4 Jan 2023 17:08:29 +0100 Subject: code format --- utils/afl_untracer/afl-untracer.c | 3 ++- utils/argv_fuzzing/argv_fuzz_persistent_demo.c | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/afl_untracer/afl-untracer.c b/utils/afl_untracer/afl-untracer.c index ee40d252..a18e314e 100644 --- a/utils/afl_untracer/afl-untracer.c +++ b/utils/afl_untracer/afl-untracer.c @@ -217,7 +217,8 @@ void read_library_information(void) { if (debug) { fprintf(stderr, "%s:%lx (%lx-%lx)\n", liblist[liblist_cnt].name, - (unsigned long)(liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start), + (unsigned long)(liblist[liblist_cnt].addr_end - + liblist[liblist_cnt].addr_start), (unsigned long)liblist[liblist_cnt].addr_start, (unsigned long)(liblist[liblist_cnt].addr_end - 1)); diff --git a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c index 08a62c62..016c3d35 100644 --- a/utils/argv_fuzzing/argv_fuzz_persistent_demo.c +++ b/utils/argv_fuzzing/argv_fuzz_persistent_demo.c @@ -56,3 +56,4 @@ int main(int argc, char **argv) { return 0; } + -- cgit v1.2.3 From c3d7612c97db8f6629aff2348d043286f8436227 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 12 Jan 2023 09:56:35 +0100 Subject: fix macos ci --- utils/argv_fuzzing/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/argv_fuzzing/Makefile b/utils/argv_fuzzing/Makefile index 9d1fc969..6786467a 100644 --- a/utils/argv_fuzzing/Makefile +++ b/utils/argv_fuzzing/Makefile @@ -55,10 +55,10 @@ install: argvfuzz32.so argvfuzz64.so if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi argv_fuzz_persistent_demo: argv_fuzz_persistent_demo.c - ../../afl-cc -fsanitize=address -g -o $@ $^ + ../../afl-cc -g -o $@ $^ argv_fuzz_demo: argv_fuzz_demo.c - ../../afl-cc -fsanitize=address -g -o $@ $^ + ../../afl-cc -g -o $@ $^ demo: argv_fuzz_persistent_demo argv_fuzz_demo -- cgit v1.2.3 From c5a84a124c56a9478cf779b5aea7369a4eed07ed Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 25 Jan 2023 13:33:02 +0100 Subject: fixes --- utils/aflpp_driver/GNUmakefile | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile index 234a1c31..b973f96a 100644 --- a/utils/aflpp_driver/GNUmakefile +++ b/utils/aflpp_driver/GNUmakefile @@ -8,9 +8,14 @@ ifeq "$(shell uname -s)" "Darwin" LDFLAGS += $(SDK_LD) endif +ifeq "" "$(LLVM_CONFIG)" + LLVM_CONFIG := llvm-config +endif LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) ifneq "" "$(LLVM_BINDIR)" - LLVM_BINDIR := $(LLVM_BINDIR)/ + ifeq "$(shell test -x $(LLVM_BINDIR)/clang && echo 1)" "1" + CC := $(LLVM_BINDIR)/clang + endif endif CFLAGS := -O3 -funroll-loops -g -fPIC @@ -18,31 +23,31 @@ CFLAGS := -O3 -funroll-loops -g -fPIC all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so aflpp_driver.o: aflpp_driver.c - -$(LLVM_BINDIR)clang -I. -I../../include $(CFLAGS) -c aflpp_driver.c + -$(CC) -I. -I../../include $(CFLAGS) -c aflpp_driver.c libAFLDriver.a: aflpp_driver.o @ar rc libAFLDriver.a aflpp_driver.o @cp -vf libAFLDriver.a ../../ debug: - $(LLVM_BINDIR)clang -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.o ../../src/afl-performance.c - $(LLVM_BINDIR)clang -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c - #$(LLVM_BINDIR)clang -S -emit-llvm -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.ll ../../src/afl-performance.c - #$(LLVM_BINDIR)clang -S -emit-llvm -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c + $(CC) -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.o ../../src/afl-performance.c + $(CC) -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c + #$(CC) -S -emit-llvm -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.ll ../../src/afl-performance.c + #$(CC) -S -emit-llvm -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c ar rc libAFLDriver.a afl-performance.o aflpp_driver.o aflpp_qemu_driver.o: aflpp_qemu_driver.c - -$(LLVM_BINDIR)clang $(CFLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c + -$(CC) $(CFLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c libAFLQemuDriver.a: aflpp_qemu_driver.o @-ar rc libAFLQemuDriver.a aflpp_qemu_driver.o @-cp -vf libAFLQemuDriver.a ../../ aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o - @-test -e aflpp_qemu_driver_hook.o && $(LLVM_BINDIR)clang $(LDFLAGS) -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so || echo "Note: Optional aflpp_qemu_driver_hook.so not built." + @-test -e aflpp_qemu_driver_hook.o && $(CC) $(LDFLAGS) -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so || echo "Note: Optional aflpp_qemu_driver_hook.so not built." aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c - @-test -e ../../qemu_mode/qemuafl/qemuafl/api.h && $(LLVM_BINDIR)clang $(CFLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c || echo "Note: Optional aflpp_qemu_driver_hook.o not built." + @-test -e ../../qemu_mode/qemuafl/qemuafl/api.h && $(CC) $(CFLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c || echo "Note: Optional aflpp_qemu_driver_hook.o not built." test: debug #clang -S -emit-llvm -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -funroll-loops -o aflpp_driver_test.ll aflpp_driver_test.c -- cgit v1.2.3 From f4a13585a1a205798093291fd04659a4158b4d50 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 26 Jan 2023 12:21:47 +0100 Subject: better asan defaults everwhere --- utils/afl_network_proxy/afl-network-server.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) (limited to 'utils') diff --git a/utils/afl_network_proxy/afl-network-server.c b/utils/afl_network_proxy/afl-network-server.c index 2ae4c165..04309ada 100644 --- a/utils/afl_network_proxy/afl-network-server.c +++ b/utils/afl_network_proxy/afl-network-server.c @@ -194,7 +194,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } - if (!strstr(x, "symbolize=0")) { + if (!getenv("AFL_DEBUG") && !strstr(x, "symbolize=0")) { FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); @@ -213,7 +213,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } - if (!strstr(x, "symbolize=0")) { + if (!getenv("AFL_DEBUG") && !strstr(x, "symbolize=0")) { FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); @@ -221,18 +221,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } - setenv("ASAN_OPTIONS", - "abort_on_error=1:" - "detect_leaks=0:" - "symbolize=0:" - "allocator_may_return_null=1", - 0); - - setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "allocator_may_return_null=1:" - "msan_track_origins=0", 0); + set_sanitizer_defaults(); if (get_afl_env("AFL_PRELOAD")) { -- cgit v1.2.3 From e0866f51c7984c28866e7acdb153b5304c5cf7da Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 9 Mar 2023 13:57:03 +0100 Subject: support LLVMFuzzerTestOneInput -1 return --- utils/aflpp_driver/aflpp_driver.c | 13 ++++++++++++- utils/aflpp_driver/aflpp_driver_test.c | 13 ++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 03376b6a..f08c9864 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -58,10 +58,15 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include "hash.h" #endif +// AFL++ shared memory fuzz cases int __afl_sharedmem_fuzzing = 1; extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; +// AFL++ coverage map +extern unsigned char *__afl_area_ptr; +extern unsigned int __afl_map_size; + // libFuzzer interface is thin, so we don't include any libFuzzer headers. __attribute__((weak)) int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); @@ -375,7 +380,13 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp, } prev_length = length; - (void)callback(__afl_fuzz_ptr, length); + + if (unlikely(callback(__afl_fuzz_ptr, length) == -1)) { + + memset(__afl_area_ptr, 0, __afl_map_size); + __afl_area_ptr[0] = 1; + + } } diff --git a/utils/aflpp_driver/aflpp_driver_test.c b/utils/aflpp_driver/aflpp_driver_test.c index 527ba57b..7cffa4a1 100644 --- a/utils/aflpp_driver/aflpp_driver_test.c +++ b/utils/aflpp_driver/aflpp_driver_test.c @@ -2,9 +2,9 @@ #include #include -void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { +int __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { - if (Size < 5) return; + if (Size < 5) return -1; if (Data[0] == 'F') if (Data[1] == 'A') @@ -12,13 +12,16 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Data[3] == '$') if (Data[4] == '$') abort(); + return 0; + } int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - if (Size) crashme(Data, Size); - - return 0; + if (Size) + return crashme(Data, Size); + else + return -1; } -- cgit v1.2.3 From 9bc5abc4eca13996fccc05b4ad08b7ac5a217e25 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 25 Mar 2023 12:14:08 +0100 Subject: reduce CI resources --- utils/aflpp_driver/aflpp_driver_test.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver_test.c b/utils/aflpp_driver/aflpp_driver_test.c index 7cffa4a1..32119485 100644 --- a/utils/aflpp_driver/aflpp_driver_test.c +++ b/utils/aflpp_driver/aflpp_driver_test.c @@ -2,6 +2,8 @@ #include #include +char *foo = NULL; + int __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Size < 5) return -1; @@ -10,7 +12,7 @@ int __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Data[1] == 'A') if (Data[2] == '$') if (Data[3] == '$') - if (Data[4] == '$') abort(); + if (Data[4] == '$') *foo = 1; return 0; -- cgit v1.2.3 From dbdf2d79f235d475eb8e085a7dbace757c9ac361 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 29 Mar 2023 10:57:57 +0200 Subject: magma support --- utils/aflpp_driver/GNUmakefile | 4 ++++ utils/aflpp_driver/aflpp_driver.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile index b973f96a..409789cb 100644 --- a/utils/aflpp_driver/GNUmakefile +++ b/utils/aflpp_driver/GNUmakefile @@ -20,6 +20,10 @@ endif CFLAGS := -O3 -funroll-loops -g -fPIC +ifdef MAGMA_PATCH + CFLAGS += -DMAGMA_PATCH +endif + all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so aflpp_driver.o: aflpp_driver.c diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index f08c9864..b92e68e9 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -58,8 +58,12 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include "hash.h" #endif +#ifdef MAGMA_PATCH +int __afl_sharedmem_fuzzing = 0; +#else // AFL++ shared memory fuzz cases int __afl_sharedmem_fuzzing = 1; +#endif extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; @@ -97,10 +101,10 @@ __attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size); // Notify AFL about persistent mode. static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; -int __afl_persistent_loop(unsigned int); - // Notify AFL about deferred forkserver. static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; + +int __afl_persistent_loop(unsigned int); void __afl_manual_init(); // Use this optionally defined function to output sanitizer messages even if -- cgit v1.2.3 From a061e1304da4f300699b059fe200602457661e5e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 30 Mar 2023 10:18:45 +0200 Subject: further magma adaption --- utils/aflpp_driver/aflpp_driver.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index b92e68e9..05e23642 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -59,10 +59,10 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #endif #ifdef MAGMA_PATCH -int __afl_sharedmem_fuzzing = 0; +int __afl_sharedmem_fuzzing = 0; #else // AFL++ shared memory fuzz cases -int __afl_sharedmem_fuzzing = 1; +int __afl_sharedmem_fuzzing = 1; #endif extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; @@ -75,8 +75,8 @@ extern unsigned int __afl_map_size; __attribute__((weak)) int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); -int LLVMFuzzerRunDriver(int *argc, char ***argv, - int (*callback)(const uint8_t *data, size_t size)); +__attribute__((weak)) int LLVMFuzzerRunDriver( + int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); // Default nop ASan hooks for manual poisoning when not linking the ASan // runtime @@ -99,13 +99,15 @@ __attribute__((weak)) void __asan_unpoison_memory_region( __attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size); +#ifndef MAGMA_PATCH // Notify AFL about persistent mode. static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; // Notify AFL about deferred forkserver. static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; +#endif -int __afl_persistent_loop(unsigned int); -void __afl_manual_init(); +int __afl_persistent_loop(unsigned int); +void __afl_manual_init(); // Use this optionally defined function to output sanitizer messages even if // user asks to close stderr. @@ -200,7 +202,8 @@ static void maybe_close_fd_mask() { // Define LLVMFuzzerMutate to avoid link failures for targets that use it // with libFuzzer's LLVMFuzzerCustomMutator. -size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { +__attribute__((weak)) size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, + size_t MaxSize) { // assert(false && "LLVMFuzzerMutate should not be called from afl_driver"); return 0; @@ -284,8 +287,9 @@ __attribute__((weak)) int main(int argc, char **argv) { } -int LLVMFuzzerRunDriver(int *argcp, char ***argvp, - int (*callback)(const uint8_t *data, size_t size)) { +__attribute__((weak)) int LLVMFuzzerRunDriver( + int *argcp, char ***argvp, + int (*callback)(const uint8_t *data, size_t size)) { int argc = *argcp; char **argv = *argvp; -- cgit v1.2.3 From 2d0d1e267eac4723c24997116c959472aae7027f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 30 Mar 2023 14:07:33 +0200 Subject: better aflpp driver --- utils/aflpp_driver/aflpp_driver.c | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 05e23642..5fef4730 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -1,12 +1,14 @@ -//===- afl_driver.cpp - a glue between AFL++ and libFuzzer ------*- C++ -* ===// -//===----------------------------------------------------------------------===// +// +// afl_driver.cpp - a glue between AFL++ and libFuzzer +// /* This file allows to fuzz libFuzzer-style target functions (LLVMFuzzerTestOneInput) with AFL++ using persistent in-memory fuzzing. Usage: -################################################################################ -cat << EOF > test_fuzzer.cc + +# Example target: +$ cat << EOF > test_fuzzer.cc #include #include extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { @@ -20,16 +22,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } EOF -# Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang. -clang -c aflpp_driver.c -# Build afl-compiler-rt.o.c from the AFL distribution. -clang -c $AFL_HOME/instrumentation/afl-compiler-rt.o.c -# Build this file, link it with afl-compiler-rt.o.o and the target code. -afl-clang-fast -o test_fuzzer test_fuzzer.cc afl-compiler-rt.o aflpp_driver.o + +# Build your target with afl-cc -fsanitize=fuzzer +$ afl-c++ -fsanitize=fuzzer -o test_fuzzer test_fuzzer.cc # Run AFL: -rm -rf IN OUT; mkdir IN OUT; echo z > IN/z; -$AFL_HOME/afl-fuzz -i IN -o OUT ./a.out -################################################################################ +$ rm -rf in out; mkdir in out; echo z > in/foo; +$ afl-fuzz -i in -o out -- ./test_fuzzer + */ #include @@ -58,12 +57,8 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out #include "hash.h" #endif -#ifdef MAGMA_PATCH -int __afl_sharedmem_fuzzing = 0; -#else // AFL++ shared memory fuzz cases -int __afl_sharedmem_fuzzing = 1; -#endif +int __afl_sharedmem_fuzzing = 1; extern unsigned int *__afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; @@ -99,15 +94,13 @@ __attribute__((weak)) void __asan_unpoison_memory_region( __attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size); -#ifndef MAGMA_PATCH // Notify AFL about persistent mode. static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; +int __afl_persistent_loop(unsigned int); + // Notify AFL about deferred forkserver. static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; -#endif - -int __afl_persistent_loop(unsigned int); -void __afl_manual_init(); +void __afl_manual_init(); // Use this optionally defined function to output sanitizer messages even if // user asks to close stderr. -- cgit v1.2.3 From 743ae507756db0707a213cd8272b219b0de0f514 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Apr 2023 10:53:23 +0200 Subject: nits --- utils/aflpp_driver/GNUmakefile | 4 ---- utils/aflpp_driver/aflpp_driver.c | 8 +++++--- 2 files changed, 5 insertions(+), 7 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile index 409789cb..b973f96a 100644 --- a/utils/aflpp_driver/GNUmakefile +++ b/utils/aflpp_driver/GNUmakefile @@ -20,10 +20,6 @@ endif CFLAGS := -O3 -funroll-loops -g -fPIC -ifdef MAGMA_PATCH - CFLAGS += -DMAGMA_PATCH -endif - all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so aflpp_driver.o: aflpp_driver.c diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 5fef4730..ec304c8c 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -1,8 +1,10 @@ // -// afl_driver.cpp - a glue between AFL++ and libFuzzer +// afl_driver.cpp - a glue between AFL++ and LLVMFuzzerTestOneInput harnesses // -/* This file allows to fuzz libFuzzer-style target functions +/* + + This file allows to fuzz libFuzzer-style target functions (LLVMFuzzerTestOneInput) with AFL++ using persistent in-memory fuzzing. Usage: @@ -26,7 +28,7 @@ EOF # Build your target with afl-cc -fsanitize=fuzzer $ afl-c++ -fsanitize=fuzzer -o test_fuzzer test_fuzzer.cc # Run AFL: -$ rm -rf in out; mkdir in out; echo z > in/foo; +$ mkdir -p in ; echo z > in/foo; $ afl-fuzz -i in -o out -- ./test_fuzzer */ -- cgit v1.2.3 From 2adf5aac0fcf9b9263bfe3dd93e4d860e3668ae4 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Apr 2023 15:32:06 +0200 Subject: libfuzzer driver nits --- utils/aflpp_driver/aflpp_driver.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index ec304c8c..19f0d9da 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -33,6 +33,11 @@ $ afl-fuzz -i in -o out -- ./test_fuzzer */ +#ifdef __cplusplus +extern "C" { + +#endif + #include #include #include @@ -260,6 +265,13 @@ static int ExecuteFilesOnyByOne(int argc, char **argv, __attribute__((weak)) int main(int argc, char **argv) { + if (!LLVMFuzzerTestOneInput) { + + fprintf(stderr, "Error: function LLVMFuzzerTestOneInput() not found!\n"); + abort(); + + } + if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) printf( "============================== INFO ================================\n" @@ -409,3 +421,9 @@ __attribute__((weak)) int LLVMFuzzerRunDriver( } +#ifdef __cplusplus + +} + +#endif + -- cgit v1.2.3 From 0c4f0dd4c483ec3cf481958c6b22c2b43b365cef Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Apr 2023 16:09:55 +0200 Subject: oss-fuzz fix for LLVMFuzzerTestOneInput driver --- utils/aflpp_driver/aflpp_driver.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 19f0d9da..00a94b9c 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -74,7 +74,10 @@ extern unsigned char *__afl_area_ptr; extern unsigned int __afl_map_size; // libFuzzer interface is thin, so we don't include any libFuzzer headers. -__attribute__((weak)) int LLVMFuzzerTestOneInput(const uint8_t *Data, +/* Using the weak attributed on LLVMFuzzerTestOneInput() breaks oss-fuzz but + on the other hand this is what Google needs to make LLVMFuzzerRunDriver() + work. Choose your poison Google! */ +/*__attribute__((weak))*/ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); __attribute__((weak)) int LLVMFuzzerRunDriver( -- cgit v1.2.3 From 97644836935020b9f42688bb6530f08f536644a9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Apr 2023 16:27:32 +0200 Subject: remove warning --- utils/aflpp_driver/aflpp_driver.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 00a94b9c..34294809 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -268,12 +268,15 @@ static int ExecuteFilesOnyByOne(int argc, char **argv, __attribute__((weak)) int main(int argc, char **argv) { +// Enable if LLVMFuzzerTestOneInput() has the weak attribute +/* if (!LLVMFuzzerTestOneInput) { fprintf(stderr, "Error: function LLVMFuzzerTestOneInput() not found!\n"); abort(); } +*/ if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) printf( -- cgit v1.2.3 From 56f7e3aa088e715b054f10c01b6b5a7e5acf8931 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 16 Apr 2023 12:42:32 +0200 Subject: hidden -Y option for nyx, code format --- utils/aflpp_driver/aflpp_driver.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'utils') diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c index 34294809..4e8f466d 100644 --- a/utils/aflpp_driver/aflpp_driver.c +++ b/utils/aflpp_driver/aflpp_driver.c @@ -78,10 +78,10 @@ extern unsigned int __afl_map_size; on the other hand this is what Google needs to make LLVMFuzzerRunDriver() work. Choose your poison Google! */ /*__attribute__((weak))*/ int LLVMFuzzerTestOneInput(const uint8_t *Data, - size_t Size); -__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); -__attribute__((weak)) int LLVMFuzzerRunDriver( - int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); + size_t Size); +__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); +__attribute__((weak)) int LLVMFuzzerRunDriver( + int *argc, char ***argv, int (*callback)(const uint8_t *data, size_t size)); // Default nop ASan hooks for manual poisoning when not linking the ASan // runtime @@ -268,15 +268,16 @@ static int ExecuteFilesOnyByOne(int argc, char **argv, __attribute__((weak)) int main(int argc, char **argv) { -// Enable if LLVMFuzzerTestOneInput() has the weak attribute -/* - if (!LLVMFuzzerTestOneInput) { + // Enable if LLVMFuzzerTestOneInput() has the weak attribute + /* + if (!LLVMFuzzerTestOneInput) { - fprintf(stderr, "Error: function LLVMFuzzerTestOneInput() not found!\n"); - abort(); + fprintf(stderr, "Error: function LLVMFuzzerTestOneInput() not found!\n"); + abort(); - } -*/ + } + + */ if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) printf( -- cgit v1.2.3