Merge branch 'master' of github.com:vanhauser-thc/AFLplusplus

AFLplusplus · Sep 22, 2019 · 9aefe7a · 9aefe7a
2 parents 17bb517 5044bb0
commit 9aefe7a
Show file tree

Hide file tree

Showing 19 changed files with 841 additions and 113 deletions.
diff --git a/Makefile b/Makefile
@@ -80,6 80,8 @@ endif
 
 all: test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done
 
 tests: source-only
  @cd test ; ./test.sh
 
 help:
  @echo "HELP --- the following make targets exist:"
@@ -90,6 92,8 @@ help:
  @echo "distrib: everything (for both binary-only and source code fuzzing)"
  @echo "install: installs everything you have compiled with the build option above"
  @echo "clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well"
  @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
  @echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
  @echo "help: shows these build options :-)"
  @echo "=========================================="
  @echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
@@ -149,31 153,36 @@ afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
  ln -sf afl-as as
 
-afl-common.o : src/afl-common.c include/common.h
- $(CC) $(CFLAGS) -c src/afl-common.c
 src/afl-common.o : src/afl-common.c include/common.h
  $(CC) $(CFLAGS) -c src/afl-common.c -o src/afl-common.o
 
-afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
- $(CC) $(CFLAGS) -c src/afl-forkserver.c
 src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
  $(CC) $(CFLAGS) -c src/afl-forkserver.c -o src/afl-forkserver.o
 
-afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
- $(CC) $(CFLAGS) -c src/afl-sharedmem.c
 src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
  $(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 
-afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86
- $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o -o $@ $(LDFLAGS) $(PYFLAGS)
 afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS) $(PYFLAGS)
 
-afl-showmap: src/afl-showmap.c afl-common.o afl-sharedmem.o $(COMM_HDR) | test_x86
- $(CC) $(CFLAGS) src/$@.c afl-common.o afl-sharedmem.o -o $@ $(LDFLAGS)
 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
 
-afl-tmin: src/afl-tmin.c afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86
- $(CC) $(CFLAGS) src/$@.c afl-common.o afl-sharedmem.o afl-forkserver.o -o $@ $(LDFLAGS)
 afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
 
-afl-analyze: src/afl-analyze.c afl-common.o afl-sharedmem.o $(COMM_HDR) | test_x86
- $(CC) $(CFLAGS) src/$@.c afl-common.o afl-sharedmem.o -o $@ $(LDFLAGS)
 afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
 
 afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
 
 
 # document all mutations and only do one run (use with only one input file!)
 document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
  $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
 
 
 code-format:
  ./.custom-format.py -i src/*.c
  ./.custom-format.py -i include/*.h
@@ -219,7 228,7 @@ all_done: test_build
 .NOTPARALLEL: clean
 
 clean:
- rm -f $(PROGS) afl-as as afl-g afl-clang afl-clang *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g -fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
  rm -f $(PROGS) afl-as as afl-g afl-clang afl-clang *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g -fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
  rm -rf out_dir qemu_mode/qemu-3.1.1 unicorn_mode/unicorn
  $(MAKE) -C llvm_mode clean
  $(MAKE) -C libdislocator clean
@@ -280,6 289,8 @@ endif
  if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi
  if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi
  if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi
  if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
  if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
  if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
 
  set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g 
@@ -294,7 305,7 @@ endif
  cp -r testcases/ $${DESTDIR}$(MISC_PATH)
  cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
 
-publish: clean
 #publish: clean
 # test "`basename $$PWD`" = "afl" || exit 1
 # test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
 # cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \

diff --git a/TODO b/TODO
@@ -1,14 1,3 @@
-Roadmap 2.54d:
-==============
-
-afl-fuzz:
- - enable python mutator for MOpt
- - enable custom mutator for MOpt
- - add superion?
-
-remote feature
-
-
 
 Roadmap 2.55d:
 ==============
@@ -26,6 15,9 @@ qemu_mode:
  Idea: The static analyzer outputs a map in which each edge that must be
  skipped is marked with 1. QEMU loads it at startup in the parent process.
 
 custom_mutators:
  - rip what Superion is doing into custom mutators for js, php, etc.
 
 unit testing / or large testcase campaign
 
 

diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -22,6 22,15 @@ Version 2.54d (dev):
  add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
  - no more unlinking the input file, this way the input file can also be a
  FIFO or disk partition
  - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
  llvm version. If you setup is correct.
  - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
  - added "make tests" which will perform checks to see that all functionality
  is working as expected. this is currently the starting point, its not complete :)
  - added mutation documentation feature ("make document"), creates afl-fuzz-document
  and saves all mutations of the first run on the first file into out/queue/mutations
  - libtokencap and libdislocator now compile to the afl_root directory and are
  installed to the .../lib/afl directory when present during make install
  - reducing duplicate code in afl-fuzz
  - added "make help"
  - removed compile warnings from python internal stuff

diff --git a/docs/env_variables.txt b/docs/env_variables.txt
@@ -97,7 97,8 @@ Then there are a few specific features that are only available in llvm_mode:
 
  - Setting AFL_LLVM_LAF_TRANSFORM_COMPARES will split string compare functions
 
- - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split > 8 bit CMP instructions
  - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split all floating point and
  64, 32 and 16 bit integer CMP instructions
 
  See llvm_mode/README.laf-intel for more information. 
 

diff --git a/experimental/persistent_demo/persistent_demo.c b/experimental/persistent_demo/persistent_demo.c
@@ -33,6 33,7 @@
 
 int main(int argc, char** argv) {
 
  ssize_t len; /* how much input did we read? */
  char buf[100]; /* Example-only buffer, you'd replace it with other global or
  local variables appropriate for your use case. */
 
@@ -57,11 58,15 @@ int main(int argc, char** argv) {
  Beware of reading from buffered FILE* objects such as stdin. Use
  raw file descriptors or call fopen() / fdopen() in every pass. */
 
- read(0, buf, 100);
  len = read(0, buf, 100);
 
  /* STEP 3: This is where we'd call the tested library on the read data.
  We just have some trivial inline code that faults on 'foo!'. */
 
  /* do we have enough data? */
  if (len < 4)
  return 0;
 
  if (buf[0] == 'f') {
  printf("one\n");
  if (buf[1] == 'o') {

diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
@@ -682,5 682,10 @@ static u64 get_cur_time_us(void) {
 
 }
 
 #ifdef _AFL_DOCUMENT_MUTATIONS
  extern u8 do_document;
  extern u32 document_counter;
 #endif
 
 #endif
 
diff --git a/libdislocator/Makefile b/libdislocator/Makefile
@@ -24,15 24,15 @@ CFLAGS = -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
 all: libdislocator.so
 
 libdislocator.so: libdislocator.so.c ../config.h
- $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
  $(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS)
 
 .NOTPARALLEL: clean
 
 clean:
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
- rm -f libdislocator.so
  rm -f ../libdislocator.so
 
 install: all
- install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH)
  install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH)
  install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH)
 
diff --git a/libtokencap/Makefile b/libtokencap/Makefile
@@ -24,15 24,15 @@ CFLAGS = -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
 all: libtokencap.so
 
 libtokencap.so: libtokencap.so.c ../config.h
- $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
  $(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS)
 
 .NOTPARALLEL: clean
 
 clean:
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
- rm -f libtokencap.so
  rm -f ../libtokencap.so
 
 install: all
- install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH)
  install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH)
  install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH)
 
diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile
@@ -37,7 37,8 @@ endif
 
 LLVMVER = $(shell $(LLVM_CONFIG) --version)
 LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version | egrep -q '^[12]|^3\.0|^1[0-9]' && echo 1 || echo 0 )
-LLVM_MAJOR = ($shell $(LLVM_CONFIG) --version | sed 's/\..*//')
 LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version | sed 's/\..*//')
 LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir)
 
 ifeq "$(LLVM_UNSUPPORTED)" "1"
  $(warn llvm_mode only supports versions 3.8.0 up to 9)
@@ -77,11 78,18 @@ endif
 # this seems to be busted on some distros, so using the one in $PATH is
 # probably better.
 
-ifeq "$(origin CC)" "default"
- ifeq "$(shell uname)" "OpenBSD"
- CC = $(BIN_PATH)/clang
- CXX = $(BIN_PATH)/clang 
 CC = $(LLVM_BINDIR)/clang
 CXX = $(LLVM_BINDIR)/clang 
 
 ifeq "$(shell test -e $(CC) || echo 1 )" "1"
  # llvm-config --bindir is not providing a valid path, so ...
  ifeq "$(shell test -e "$(BIN_DIR)/clang" && echo 1)" "1"
  # we found one in the local install directory, lets use these
  CC = $(BIN_DIR)/clang
  CXX = $(BIN_DIR)/clang 
  else
  # hope for the best
  $(warn we have trouble finding clang/clang - llvm-config is not helping us)
  CC = clang
  CXX = clang 
  endif

diff --git a/llvm_mode/README.md b/llvm_mode/README.md
@@ -41,6 41,10 @@ In order to leverage this mechanism, you need to have clang installed on your
 system. You should also make sure that the llvm-config tool is in your path
 (or pointed to via LLVM_CONFIG in the environment).
 
 Note that if you have several LLVM versions installed, pointing LLVM_CONFIG
 to the version you want to use will switch compiling to this specific
 version - if you installation is set up correctly :-)
 
 Unfortunately, some systems that do have clang come without llvm-config or the
 LLVM development headers; one example of this is FreeBSD. FreeBSD users will
 also run into problems with clang being built statically and not being able to

diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc
@@ -105,9 105,7 @@ bool AFLCoverage::runOnModule(Module &M) {
 
  SAYF(cCYA "afl-llvm-pass" VERSION cRST " by <[email protected]>\n");
 
- } else
-
- be_quiet = 1;
  } else if (getenv("AFL_QUIET")) be_quiet = 1;
 
  /* Decide instrumentation ratio */