authorvan Hauser <vh@thc.org>2024-05-11 09:16:21 +0200
committerGitHub <noreply@github.com>2024-05-11 09:16:21 +0200
commit90fbf59bf16f057e50132b81be759414787ce1a3 (patch)
treee57ec2ff73da06776f6cf9c20eb907a8c5aebf05
parentad0d0c77fb313e6edfee111fecf2bcd16d8f915e (diff)
parent93c7cbd49603c1a256caf3ab6e971c9f4e40bab4 (diff)
Merge pull request #2084 from AFLplusplus/devupstream-stable
push to stable
-rwxr-xr-xafl-whatsup8
-rw-r--r--docs/Changelog.md4
-rw-r--r--docs/env_variables.md3
-rw-r--r--include/afl-fuzz.h2
-rw-r--r--include/envs.h3
-rw-r--r--instrumentation/SanitizerCoverageLTO.so.cc2
-rw-r--r--qemu_mode/QEMUAFL_VERSION2
m---------qemu_mode/qemuafl0
-rw-r--r--src/afl-cc.c10
-rw-r--r--src/afl-common.c7
-rw-r--r--src/afl-fuzz-init.c16
-rw-r--r--src/afl-fuzz-queue.c1
-rw-r--r--src/afl-fuzz-redqueen.c8
-rw-r--r--src/afl-fuzz-run.c3
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz.c1
-rw-r--r--unicorn_mode/UNICORNAFL_VERSION2
m---------unicorn_mode/unicornafl0
18 files changed, 61 insertions, 18 deletions
diff --git a/afl-whatsup b/afl-whatsup
index 55ef2473..19841755 100755
--- a/afl-whatsup
+++ b/afl-whatsup
@@ -111,7 +111,13 @@ if [ -z "$NO_COLOR" ]; then
RESET="$NC"
fi
-CUR_TIME=`date +%s`
+PLATFORM=`uname -s`
+if [ "$PLATFORM" = "Linux" ] ; then
+ CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
+else
+ # This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux
+ CUR_TIME=`date +%s`
+fi
TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
trap "rm -f $TMP" 1 2 3 13 15
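Review bot: On the Linux branch `CUR_TIME` now holds seconds since boot instead of epoch seconds, so every elapsed-time calculation further down the script is only correct if the timestamps it reads from the fuzzer_stats files are recorded on that same uptime clock; the `else` comment admits the mismatch for other platforms, and the Linux case deserves the same explicit statement once confirmed, e.g. `# afl-fuzz records its timestamps on the /proc/uptime clock, so use the same clock here`. The pipeline can drop the `cat`: `awk '{printf "%.0f\n", $1}' /proc/uptime`, and "inacurate" in the fallback comment is misspelled. The surrounding script continues outside the hunk.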
diff --git a/docs/Changelog.md b/docs/Changelog.md
index c1b2f62a..aa142274 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -5,14 +5,18 @@
### Version ++4.21a (dev)
* afl-fuzz
+ - added AFL_DISABLE_REDUNDANT for huge queues
- fix AFL_PERSISTENT_RECORD
- prevent filenames in the queue that have spaces
- minor fix for FAST schedules
+ - more frequent stats update when syncing (todo: check performance impact)
* afl-cc:
+ - re-enable i386 support that was accidently disabled
- fixes for LTO and outdated afl-gcc mode
- ensure shared memory variables are visible in weird build setups
* afl-cmin
- work with input files that have a space
+ * enhanced the ASAN configuration
### Version ++4.20c (release)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 1e4fc7ba..01904aea 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -381,6 +381,9 @@ checks or alter some of the more exotic semantics of the tool:
- Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
usually a bad idea!
+ - Setting `AFL_DISABLE_REDUNDANT` disables any queue items that are redundant.
+ This can be useful with huge queues.
+
- Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
new coverage
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index c813ae7e..1a958006 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -452,7 +452,7 @@ typedef struct afl_env_vars {
afl_keep_timeouts, afl_no_crash_readme, afl_ignore_timeouts,
afl_no_startup_calibration, afl_no_warn_instability,
afl_post_process_keep_original, afl_crashing_seeds_as_new_crash,
- afl_final_sync, afl_ignore_seed_problems;
+ afl_final_sync, afl_ignore_seed_problems, afl_disable_redundant;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
diff --git a/include/envs.h b/include/envs.h
index 56a4916c..c895f726 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -26,7 +26,8 @@ static char *afl_environment_variables[] = {
"AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_INFO_PROGRAM",
"AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_INFO_PROGRAM_INPUT",
"AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG",
- "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN", "AFL_DISABLE_TRIM",
+ "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN",
+ "AFL_DISABLE_REDUNDANT", "AFL_DISABLE_TRIM",
"AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE",
"AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV",
"AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE",
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 14482deb..a09f28a9 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -486,7 +486,7 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) {
dFile.open(ptr, std::ofstream::out | std::ofstream::app);
- if (dFile.is_open()) WARNF("Cannot access document file %s", ptr);
+ if (!dFile.is_open()) WARNF("Cannot access document file %s", ptr);
}
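Review bot: The corrected `if (!dFile.is_open()) WARNF(...)` only warns and then falls through, so if this function keeps writing to `dFile` further down (outside the hunk) those writes become silent no-ops on the failed stream and the document-ID file is quietly left empty. Consider guarding the later writes on `dFile.is_open()` or making the warning say so, e.g. `WARNF("Cannot access document file %s, IDs will not be documented", ptr);`. instrumentModule starts and ends outside the hunk.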
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 6f2a5979..296745f9 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-40033af00c
+a6f0632a65
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject 40033af00c4c5de172ed4fe60c21b9edbd2c189
+Subproject a6f0632a65e101e680dd72643a6128dd180dff7
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 15a5bd8e..7acee8e4 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -525,7 +525,7 @@ void find_built_deps(aflcc_state_t *aflcc) {
char *ptr = NULL;
-#if defined(__x86_64__)
+#if defined(__x86_64__) || defined(__i386__)
if ((ptr = find_object(aflcc, "afl-as")) != NULL) {
#ifndef __APPLE__
@@ -1911,7 +1911,13 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) {
}
add_defs_fortify(aflcc, 0);
- if (!aflcc->have_asan) { insert_param(aflcc, "-fsanitize=address"); }
+ if (!aflcc->have_asan) {
+
+ insert_param(aflcc, "-fsanitize=address");
+ insert_param(aflcc, "-fno-common");
+
+ }
+
aflcc->have_asan = 1;
} else if (getenv("AFL_USE_MSAN") || aflcc->have_msan) {
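Review bot: The new `insert_param(aflcc, "-fno-common");` has no comment explaining why it accompanies `-fsanitize=address`; the reason, as far as I can tell, is that ASan does not instrument globals emitted as common symbols, so tentative C definitions would get no redzones without it. Suggest `/* ASan skips common-linkage globals; -fno-common makes them instrumentable */` above the call. On compilers where -fcommon is still the default this can surface multiple-definition link errors in code that relied on common symbols, which is a user-visible change for AFL_USE_ASAN worth more than the Changelog's "enhanced the ASAN configuration". add_sanitizers starts and ends outside the hunk.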
diff --git a/src/afl-common.c b/src/afl-common.c
index d86b431b..9a27824d 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -108,9 +108,10 @@ void set_sanitizer_defaults() {
u8 *have_lsan_options = getenv("LSAN_OPTIONS");
u8 have_san_options = 0;
u8 default_options[1024] =
- "detect_odr_violation=0:abort_on_error=1:symbolize=0:allocator_may_"
- "return_null=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_"
- "sigfpe=0:handle_sigill=0:";
+ "detect_odr_violation=0:abort_on_error=1:symbolize=0:"
+ "allocator_may_return_null=1:handle_segv=0:handle_sigbus=0:"
+ "handle_abort=0:handle_sigfpe=0:handle_sigill=0:"
+ "detect_stack_use_after_return=0:check_initialization_order=0:";
if (have_asan_options || have_ubsan_options || have_msan_options ||
have_lsan_options) {
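Review bot: The two added defaults `detect_stack_use_after_return=0` and `check_initialization_order=0` switch off two ASan bug classes for every run that does not set its own *_OPTIONS (the visible `if (have_asan_options || ...)` skips these defaults only when the user set something), and nothing here records that this is a deliberate speed-for-detection trade. Suggest a comment above the literal, e.g. `/* UAR and init-order checks are off by default for speed; set ASAN_OPTIONS to re-enable them */`, plus a matching line in docs/env_variables.md. I believe recent clang releases enable detect_stack_use_after_return by default on Linux, so this default silently removes detection that users may assume they still have. set_sanitizer_defaults continues outside the hunk.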
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 2d540eb1..01d0730d 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -577,6 +577,8 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
afl->stage_cur = 0;
afl->stage_max = 0;
+ show_stats(afl);
+
for (i = 0; i < (u32)nl_cnt; ++i) {
struct stat st;
@@ -655,7 +657,12 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
munmap(mem, st.st_size);
close(fd);
- if (st.st_mtime > mtime_max) mtime_max = st.st_mtime;
+ if (st.st_mtime > mtime_max) {
+
+ mtime_max = st.st_mtime;
+ show_stats(afl);
+
+ }
}
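Review bot: `show_stats(afl)` is now called inside the per-file loop of read_foreign_testcases, once for every foreign testcase whose mtime advances, and the second sync_fuzzers hunk in src/afl-fuzz-run.c places it the same way after `save_if_interesting`. show_stats appears to carry its own time-based throttle in this codebase; if that is so, the residual per-item cost is the call plus its clock read, which is modest but is exactly what the Changelog's "todo: check performance impact" leaves unmeasured on large foreign directories or sync bursts. If the throttle is not present, a call-site guard such as `if (!(i % 100)) show_stats(afl);` or keeping only the pre-loop call would bound the redraw frequency. read_foreign_testcases starts and ends outside this hunk.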
@@ -933,10 +940,13 @@ void perform_dry_run(afl_state_t *afl) {
res = calibrate_case(afl, q, use_mem, 0, 1);
/* For AFLFast schedules we update the queue entry */
- if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE) && likely(q->exec_cksum)) {
+ if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE) &&
+ likely(q->exec_cksum)) {
+
q->n_fuzz_entry = q->exec_cksum % N_FUZZ_SIZE;
+
}
-
+
if (afl->stop_soon) { return; }
if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) {
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index df4e7d79..5987ad0c 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -370,6 +370,7 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
s32 fd;
+ if (unlikely(afl->afl_env.afl_disable_redundant)) { q->disabled = 1; }
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
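Review bot: The new `q->disabled = 1` sits on the path that creates the redundant marker (the `O_CREAT | O_EXCL` open), but nothing in the hunk ever clears it; if mark_as_redundant has a symmetric un-marking path outside this hunk (state == 0), an item that later regains unique edges stays disabled for the rest of the run under AFL_DISABLE_REDUNDANT. Also check whether any active-item counter used for scheduling expects to be adjusted when `disabled` is set, as other disable sites may do. A one-line comment would help readers: `/* AFL_DISABLE_REDUNDANT: drop redundant entries from scheduling entirely */`. mark_as_redundant starts and ends outside the hunk.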
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 100b0dd6..9316da71 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -2764,15 +2764,15 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#ifdef _DEBUG
u32 j;
struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
- fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id,
- hshape, h->attribute);
+ fprintf(stderr, "RTN N hits=%u shape=%u attr=%u v0=", h->hits, hshape,
+ h->attribute);
for (j = 0; j < 8; j++)
fprintf(stderr, "%02x", o->v0[j]);
fprintf(stderr, " v1=");
for (j = 0; j < 8; j++)
fprintf(stderr, "%02x", o->v1[j]);
- fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", hh->hits,
- hh->id, hshape, hh->attribute);
+ fprintf(stderr, "\nRTN O hits=%u shape=%u attr=%u o0=", hh->hits, hshape,
+ hh->attribute);
for (j = 0; j < 8; j++)
fprintf(stderr, "%02x", orig_o->v0[j]);
fprintf(stderr, " o1=");
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index ab96c778..ed7cb4ce 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -771,6 +771,8 @@ void sync_fuzzers(afl_state_t *afl) {
afl->stage_cur = 0;
afl->stage_max = 0;
+ show_stats(afl);
+
/* For every file queued by this fuzzer, parse ID and see if we have
looked at it before; exec a test case if not. */
@@ -830,6 +832,7 @@ void sync_fuzzers(afl_state_t *afl) {
afl->syncing_party = sd_ent->d_name;
afl->queued_imported += save_if_interesting(afl, mem, new_len, fault);
+ show_stats(afl);
afl->syncing_party = 0;
munmap(mem, st.st_size);
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index c21ae6be..543fdc1c 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -293,6 +293,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_cmplog_only_new =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+ } else if (!strncmp(env, "AFL_DISABLE_REDUNDANT",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_disable_redundant =
+ get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
} else if (!strncmp(env, "AFL_NO_STARTUP_CALIBRATION",
afl_environment_variable_len)) {
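Review bot: The blank line splitting the `strncmp` argument list between `!strncmp(env, "AFL_DISABLE_REDUNDANT",` and `afl_environment_variable_len))` reads as a formatting accident; the neighbouring `AFL_NO_STARTUP_CALIBRATION` branch keeps its arguments together. It should be `} else if (!strncmp(env, "AFL_DISABLE_REDUNDANT", afl_environment_variable_len)) {`. read_afl_environment starts and ends outside the hunk.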
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 00d24ab1..329ce942 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -264,6 +264,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule\n"
"AFL_DEBUG: extra debugging output for Python mode trimming\n"
"AFL_DEBUG_CHILD: do not suppress stdout/stderr from target\n"
+ "AFL_DISABLE_REDUNDANT: disable any queue item that is redundant\n"
"AFL_DISABLE_TRIM: disable the trimming of test cases\n"
"AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
"AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 7f09adb1..da17452d 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-63aab0f
+764b66b2
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject 63aab0f752ba1d40a1c4de6988a78cd1e6dcc1c
+Subproject 764b66b21cd4a8124a5b6c9cc98d1214b203719