test/test-qemu-mode.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214

#!/bin/sh

. ./test-pre.sh

$ECHO "$BLUE[*] Testing: qemu_mode"
test -z "$AFL_CC" && {
  if type gcc >/dev/null; then
    export AFL_CC=gcc
  else
    if type clang >/dev/null; then
      export AFL_CC=clang
    fi
  fi
}

test -e ../afl-qemu-trace && {
  cc -pie -fPIE -o test-instr ../test-instr.c
  cc -o test-compcov test-compcov.c
  test -e test-instr -a -e test-compcov && {
    {
      mkdir -p in
      echo 00000 > in/in
      $ECHO "$GREY[*] running afl-fuzz for qemu_mode, this will take approx 10 seconds"
      {
        ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr >>errors 2>&1
      } >>errors 2>&1
      test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
        $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode"
        RUNTIME=`grep execs_done out/default/fuzzer_stats | awk '{print$3}'`
      } || {
        echo CUT------------------------------------------------------------------CUT
        cat errors
        echo CUT------------------------------------------------------------------CUT
        $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode"
        CODE=1
      }
      rm -f errors

      $ECHO "$GREY[*] running afl-fuzz for qemu_mode AFL_ENTRYPOINT, this will take approx 6 seconds"
      {
        {
          export AFL_ENTRYPOINT=`printf 1 | AFL_DEBUG=1 ../afl-qemu-trace ./test-instr 2>&1 >/dev/null | awk '/forkserver/{print $4; exit}'`
          $ECHO AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(nm test-instr | grep "T main") - $(file ./test-instr)
          ../afl-fuzz -m ${MEM_LIMIT} -V2 -Q -i in -o out -- ./test-instr
          unset AFL_ENTRYPOINT
        } >>errors 2>&1
      } >>errors 2>&1
      test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && {
        $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode AFL_ENTRYPOINT"
        RUNTIME=`grep execs_done out/default/fuzzer_stats | awk '{print$3}'`
      } || {
        echo CUT------------------------------------------------------------------CUT
        cat errors
        echo CUT------------------------------------------------------------------CUT
        $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode AFL_ENTRYPOINT"
        CODE=1
      }
      rm -f errors

      test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && {
        test -e ../libcompcov.so && {
          $ECHO "$GREY[*] running afl-fuzz for qemu_mode compcov, this will take approx 10 seconds"
          {
            export AFL_PRELOAD=../libcompcov.so
            export AFL_COMPCOV_LEVEL=2
            ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-compcov >>errors 2>&1
            unset AFL_PRELOAD
            unset AFL_COMPCOV_LEVEL
          } >>errors 2>&1
          test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && {
            $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode compcov"
          } || {
            echo CUT------------------------------------------------------------------CUT
            cat errors
            echo CUT------------------------------------------------------------------CUT
            $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode compcov"
            CODE=1
          }
        } || {
          $ECHO "$YELLOW[-] we cannot test qemu_mode compcov because it is not present"
          INCOMPLETE=1
        }
        rm -f errors
      } || {
       $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode compcov"
      }
      
      test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && {
        $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds"
        {
          ../afl-fuzz -m none -V10 -Q -c 0 -i in -o out -- ./test-compcov >>errors 2>&1
        } >>errors 2>&1
        test -n "$( ls out/default/queue/id:000001* 2>/dev/null )" && {
          $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog"
        } || {
          echo CUT------------------------------------------------------------------CUT
          cat errors
          echo CUT------------------------------------------------------------------CUT
          $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode cmplog"
          CODE=1
        }
        rm -f errors
      } || {
       $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode cmplog"
      }

      test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && {
        $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds"
        {
          if file test-instr | grep -q "32-bit"; then
            # for 32-bit reduce 8 nibbles to the lower 7 nibbles
	    ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.//'`
          else
            # for 64-bit reduce 16 nibbles to the lower 9 nibbles
	    ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//'`
          fi
          export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4${ADDR_LOWER_PART}`
          export AFL_QEMU_PERSISTENT_GPR=1
          $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')"
          env|grep AFL_|sort
          file test-instr
          ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr
          unset AFL_QEMU_PERSISTENT_ADDR
        } >>errors 2>&1
        test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
          $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent qemu_mode"
          RUNTIMEP=`grep execs_done out/default/fuzzer_stats | awk '{print$3}'`
          test -n "$RUNTIME" -a -n "$RUNTIMEP" && {
            DIFF=`expr $RUNTIMEP / $RUNTIME`
            test "$DIFF" -gt 1 && { # must be at least twice as fast
              $ECHO "$GREEN[+] persistent qemu_mode was noticeable faster than standard qemu_mode"
            } || {
              $ECHO "$YELLOW[-] persistent qemu_mode was not noticeable faster than standard qemu_mode"
            }
          } || {
            $ECHO "$YELLOW[-] we got no data on executions performed? weird!"
          }
        } || {
          echo CUT------------------------------------------------------------------CUT
          cat errors
          echo CUT------------------------------------------------------------------CUT
          $ECHO "$RED[!] afl-fuzz is not working correctly with persistent qemu_mode"
          CODE=1
        }
        rm -rf in out errors
      } || {
       $ECHO "$YELLOW[-] not an intel or arm platform, cannot test persistent qemu_mode"
      }

      test -e ../qemu_mode/unsigaction/unsigaction32.so && {
        ${AFL_CC} -o test-unsigaction32 -m32 test-unsigaction.c >> errors 2>&1 && {
	  ./test-unsigaction32
          RETVAL_NORMAL32=$?
	  LD_PRELOAD=../qemu_mode/unsigaction/unsigaction32.so ./test-unsigaction32
          RETVAL_LIBUNSIGACTION32=$?
	  test $RETVAL_NORMAL32 = "2" -a $RETVAL_LIBUNSIGACTION32 = "0" && {
            $ECHO "$GREEN[+] qemu_mode unsigaction library (32 bit) ignores signals"
	  } || {
	    test $RETVAL_NORMAL32 != "2" && {
	      $ECHO "$RED[!] cannot trigger signal in test program (32 bit)"
	    }
	    test $RETVAL_LIBUNSIGACTION32 != "0" && {
	      $ECHO "$RED[!] signal in test program (32 bit) is not ignored with unsigaction"
	    }
            CODE=1
          }
        } || {
	  $ECHO "$YELLOW[-] cannot compile test program (32 bit) for unsigaction library"
          INCOMPLETE=1
        }
      } || {
        $ECHO "$YELLOW[-] we cannot test qemu_mode unsigaction library (32 bit) because it is not present"
        INCOMPLETE=1
      }
      test -e ../qemu_mode/unsigaction/unsigaction64.so && {
        ${AFL_CC} -o test-unsigaction64 -m64 test-unsigaction.c >> errors 2>&1 && {
	  ./test-unsigaction64
          RETVAL_NORMAL64=$?
	  LD_PRELOAD=../qemu_mode/unsigaction/unsigaction64.so ./test-unsigaction64
          RETVAL_LIBUNSIGACTION64=$?
	  test $RETVAL_NORMAL64 = "2" -a $RETVAL_LIBUNSIGACTION64 = "0" && {
            $ECHO "$GREEN[+] qemu_mode unsigaction library (64 bit) ignores signals"
	  } || {
	    test $RETVAL_NORMAL64 != "2" && {
	      $ECHO "$RED[!] cannot trigger signal in test program (64 bit)"
	    }
	    test $RETVAL_LIBUNSIGACTION64 != "0" && {
	      $ECHO "$RED[!] signal in test program (64 bit) is not ignored with unsigaction"
	    }
            CODE=1
          }
          unset LD_PRELOAD
        } || {
	  $ECHO "$YELLOW[-] cannot compile test program (64 bit) for unsigaction library"
          INCOMPLETE=1
        }
      } || {
        $ECHO "$YELLOW[-] we cannot test qemu_mode unsigaction library (64 bit) because it is not present"
        INCOMPLETE=1
      }
      rm -rf errors test-unsigaction32 test-unsigaction64
    }
  } || {
    $ECHO "$RED[!] gcc compilation of test targets failed - what is going on??"
    CODE=1
  }

  rm -f test-instr test-compcov
} || {
  $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test"
  INCOMPLETE=1
}

. ./test-post.sh