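#!/bin/sh
#
# llvm_mode test driver.
#
# Builds the bundled test programs with ../afl-clang-fast and checks, in order:
# basic instrumentation via afl-showmap, threadsafe instrumentation, a dlopen'ed
# instrumented shared object, hardened mode, an afl-fuzz run, afl-cmin /
# afl-cmin.bash / afl-tmin (non-x86 hosts only), laf-intel/compcov integer,
# switch and float splitting, the instrument-list feature, cmplog and
# persistent mode.
#
# Everything not defined here comes from ./test-pre.sh, sourced below: $ECHO and
# the colour variables ($BLUE, $GREEN, $GREY, $RED, $YELLOW, $RESET), $MEM_LIMIT
# (passed as -m to every afl-* invocation so a misbehaving target is bounded),
# $SYS (the machine architecture, presumably) and
# test_compcov_binary_functionality.  Results are reported through CODE (set to
# 1 on any failure) and INCOMPLETE (set to 1 when a feature could not be
# exercised); ./test-post.sh, sourced at the end, presumably consumes them --
# TODO confirm.  SKIP is set locally when the instrumentation looks unusable so
# the afl-fuzz run is not wasted on it.
#
# All artefacts are created under fixed names in the current directory and
# removed again; the only libraries ever preloaded are the test objects built
# here, and only into the test binaries themselves.
. ./test-pre.sh
OS=$(uname -s)
$ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin"
test -e ../afl-clang-fast && test -e ../split-switches-pass.so && {
  ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1
  AFL_HARDEN=1 ../afl-clang-fast -o test-compcov.harden test-compcov.c > /dev/null 2>&1

  # --- plain instrumentation -------------------------------------------------
  test -e test-instr.plain && {
    $ECHO "$GREEN[ ] llvm_mode compilation succeeded"
    # Two runs with different inputs ("0" on stdin vs. empty stdin) must produce
    # different coverage maps, otherwise the instrumentation is not following the
    # program's control flow.
    echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
    AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
    test -e test-instr.plain.0 && test -e test-instr.plain.1 && {
      diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
        $ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not"
        CODE=1
      } || {
        $ECHO "$GREEN[ ] llvm_mode instrumentation present and working correctly"
        # The grep/awk below assume afl-showmap prints a line containing
        # "Captur..." whose third field is the number of tuples.
        TUPLES=$(echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}')
        test "$TUPLES" -gt 2 && test "$TUPLES" -lt 8 && {
          $ECHO "$GREEN[ ] llvm_mode run reported $TUPLES instrumented locations which is fine"
        } || {
          $ECHO "$RED[!] llvm_mode instrumentation produces weird numbers: $TUPLES"
          CODE=1
        }
        # Fewer than 3 tuples means the target is effectively uninstrumented;
        # do not spend time fuzzing it below.
        test "$TUPLES" -lt 3 && SKIP=1
        true
      }
    } || {
      $ECHO "$RED[!] llvm_mode instrumentation failed"
      CODE=1
    }
    rm -f test-instr.plain.0 test-instr.plain.1
  } || {
    $ECHO "$RED[!] llvm_mode failed"
    CODE=1
  }

  # --- threadsafe instrumentation --------------------------------------------
  # Same check as above, for the CLASSIC instrumentation with atomic updates.
  AFL_LLVM_INSTRUMENT=CLASSIC AFL_LLVM_THREADSAFE_INST=1 ../afl-clang-fast -o test-instr.ts ../test-instr.c > /dev/null 2>&1
  test -e test-instr.ts && {
    $ECHO "$GREEN[ ] llvm_mode threadsafe compilation succeeded"
    echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.ts.0 -r -- ./test-instr.ts > /dev/null 2>&1
    AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.ts.1 -r -- ./test-instr.ts < /dev/null > /dev/null 2>&1
    test -e test-instr.ts.0 && test -e test-instr.ts.1 && {
      diff test-instr.ts.0 test-instr.ts.1 > /dev/null 2>&1 && {
        $ECHO "$RED[!] llvm_mode threadsafe instrumentation should be different on different input but is not"
        CODE=1
      } || {
        $ECHO "$GREEN[ ] llvm_mode threadsafe instrumentation present and working correctly"
        TUPLES=$(echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.ts 2>&1 | grep Captur | awk '{print$3}')
        test "$TUPLES" -gt 2 && test "$TUPLES" -lt 8 && {
          $ECHO "$GREEN[ ] llvm_mode run reported $TUPLES threadsafe instrumented locations which is fine"
        } || {
          $ECHO "$RED[!] llvm_mode threadsafe instrumentation produces weird numbers: $TUPLES"
          CODE=1
        }
        test "$TUPLES" -lt 3 && SKIP=1
        true
      }
    } || {
      $ECHO "$RED[!] llvm_mode threadsafe instrumentation failed"
      CODE=1
    }
    rm -f test-instr.ts.0 test-instr.ts.1 test-instr.ts
  } || {
    $ECHO "$RED[!] llvm_mode (threadsafe) failed"
    CODE=1
  }

  # --- instrumented shared object loaded via dlopen --------------------------
  # -z defs makes the link fail on unresolved symbols, so this also verifies
  # that the instrumentation does not leave undefined references in a .so.
  ../afl-clang-fast -DTEST_SHARED_OBJECT=1 -z defs -fPIC -shared -o test-instr.so ../test-instr.c > /dev/null 2>&1
  test -e test-instr.so && {
    $ECHO "$GREEN[ ] llvm_mode shared object with -z defs compilation succeeded"
    # dlopen() lives in libdl on Linux; ${LIBS} is deliberately unquoted so an
    # unset value adds no argument.
    test "$OS" = 'Linux' && LIBS=-ldl
    ../afl-clang-fast -o test-dlopen.plain test-dlopen.c ${LIBS} > /dev/null 2>&1
    test -e test-dlopen.plain && {
      $ECHO "$GREEN[ ] llvm_mode test-dlopen compilation succeeded"
      # The freshly built test-instr.so is injected into the test binary only
      # (LD_PRELOAD / DYLD_INSERT_LIBRARIES here, AFL_PRELOAD below); the
      # preload never reaches the afl-* tools themselves.
      if ! echo 0 | DYLD_INSERT_LIBRARIES=./test-instr.so LD_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ./test-dlopen.plain > /dev/null 2>&1; then
        $ECHO "$RED[!] llvm_mode test-dlopen exits with an error"
        CODE=1
      fi
      echo 0 | AFL_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-dlopen.plain.0 -r -- ./test-dlopen.plain > /dev/null 2>&1
      AFL_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-dlopen.plain.1 -r -- ./test-dlopen.plain < /dev/null > /dev/null 2>&1
      test -e test-dlopen.plain.0 && test -e test-dlopen.plain.1 && {
        diff test-dlopen.plain.0 test-dlopen.plain.1 > /dev/null 2>&1 && {
          $ECHO "$RED[!] llvm_mode test-dlopen instrumentation should be different on different input but is not"
          CODE=1
        } || {
          $ECHO "$GREEN[ ] llvm_mode test-dlopen instrumentation present and working correctly"
          TUPLES=$(echo 0 | AFL_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-dlopen.plain 2>&1 | grep Captur | awk '{print$3}')
          # Wider window than above: the loader plus the .so contribute edges.
          test "$TUPLES" -gt 3 && test "$TUPLES" -lt 12 && {
            $ECHO "$GREEN[ ] llvm_mode test-dlopen run reported $TUPLES instrumented locations which is fine"
          } || {
            $ECHO "$RED[!] llvm_mode test-dlopen instrumentation produces weird numbers: $TUPLES"
            CODE=1
          }
          test "$TUPLES" -lt 3 && SKIP=1
          true
        }
      } || {
        $ECHO "$RED[!] llvm_mode test-dlopen instrumentation failed"
        CODE=1
      }
    } || {
      $ECHO "$RED[!] llvm_mode test-dlopen compilation failed"
      CODE=1
    }
    rm -f test-dlopen.plain test-dlopen.plain.0 test-dlopen.plain.1 test-instr.so
    unset LIBS
  } || {
    $ECHO "$RED[!] llvm_mode shared object with -z defs compilation failed"
    CODE=1
  }

  # --- hardened mode ---------------------------------------------------------
  # AFL_HARDEN=1 should pull in stack protector / FORTIFY; look for their
  # tell-tale symbols in the binary.
  test -e test-compcov.harden && test_compcov_binary_functionality ./test-compcov.harden && {
    nm test-compcov.harden | grep -Eq 'stack_chk_fail|fstack-protector-all|fortified' > /dev/null 2>&1 && {
      $ECHO "$GREEN[ ] llvm_mode hardened mode succeeded and is working"
    } || {
      $ECHO "$RED[!] llvm_mode hardened mode is not hardened"
      CODE=1
    }
    rm -f test-compcov.harden
  } || {
    $ECHO "$RED[!] llvm_mode hardened mode compilation failed"
    CODE=1
  }

  # --- afl-fuzz, afl-cmin, afl-tmin ------------------------------------------
  # now we want to be sure that afl-fuzz is working
  # make sure crash reporter is disabled on Mac OS X
  # This is a { } group, not a ( ) subshell: CODE=1 must reach the caller.
  # grep -q prints nothing, so its exit status -- not its output -- is tested.
  {
    test "$OS" = "Darwin" && launchctl list 2>/dev/null | grep -q '\.ReportCrash$' && {
      $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET"
      CODE=1
      true
    }
  } || {
    mkdir -p in
    echo 0 > in/in
    test -z "$SKIP" && {
      $ECHO "$GREY[*] running afl-fuzz for llvm_mode, this will take approx 10 seconds"
      {
        ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1
      } >>errors 2>&1
      # -V07 bounds the run to a few seconds; a third queue entry (id:000002)
      # shows that new coverage was discovered.
      test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
        $ECHO "$GREEN[ ] afl-fuzz is working correctly with llvm_mode"
      } || {
        echo CUT------------------------------------------------------------------CUT
        cat errors
        echo CUT------------------------------------------------------------------CUT
        $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode"
        CODE=1
      }
    }
    # afl-cmin / afl-tmin are exercised here only on non-x86 hosts; on the x86
    # family they are presumably covered by another test script -- verify.
    case "$SYS" in
      i686|x86_64|amd64|i86pc) ;;
      *)
        mkdir -p in2
        echo 000000000000000000000000 > in/in2
        echo 111 > in/in3
        test "$OS" = "Darwin" && {
          $ECHO "$GREY[*] afl-cmin not available on macOS, cannot test afl-cmin"
        } || {
          ../afl-cmin -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr?
          CNT=$(ls in2/* 2>/dev/null | wc -l)
          # "*2" rather than "2": wc -l pads with blanks on some platforms.
          case "$CNT" in
            *2) $ECHO "$GREEN[ ] afl-cmin correctly minimized the number of testcases" ;;
            *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)"
               CODE=1
               ;;
          esac
          rm -f in2/in*
        }
        # NB: exported here and left exported for every afl-* call that follows.
        export AFL_QUIET=1
        if type bash >/dev/null ; then
          ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null
          CNT=$(ls in2/* 2>/dev/null | wc -l)
          case "$CNT" in
            *2) $ECHO "$GREEN[ ] afl-cmin.bash correctly minimized the number of testcases" ;;
            *) $ECHO "$RED[!] afl-cmin.bash did not correctly minimize the number of testcases ($CNT)"
               CODE=1
               ;;
          esac
        else
          $ECHO "$YELLOW[-] no bash available, cannot test afl-cmin.bash"
          INCOMPLETE=1
        fi
        # The 24-byte input should shrink to a single byte.
        ../afl-tmin -m ${MEM_LIMIT} -i in/in2 -o in2/in2 -- ./test-instr.plain > /dev/null 2>&1
        SIZE=$(ls -l in2/in2 2>/dev/null | awk '{print$5}')
        if test "$SIZE" = 1; then
          $ECHO "$GREEN[ ] afl-tmin correctly minimized the testcase"
        else
          $ECHO "$RED[!] afl-tmin did incorrectly minimize the testcase to $SIZE"
          CODE=1
        fi
        rm -rf in2
        ;;
    esac
    rm -rf in out errors
  }
  rm -f test-instr.plain

  # --- laf-intel: integer compare splitting ----------------------------------
  $ECHO "$GREY[*] llvm_mode laf-intel/compcov testing splitting integer types (this might take some time)"
  for testcase in ./test-int_cases.c ./test-uint_cases.c; do
    for I in char short int long "long long"; do
      for BITS in 8 16 32 64; do
        # e.g. ./test-int_cases.c-split-long long-8.compcov (note the space)
        bin="$testcase-split-$I-$BITS.compcov"
        #AFL_LLVM_INSTRUMENT=AFL
        AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -fsigned-char -DINT_TYPE="$I" -o "$bin" "$testcase" > test.out 2>&1
        # Either failure leaves only the BITS loop; the other types are still tried.
        if ! test -e "$bin"; then
          cat test.out
          $ECHO "$RED[!] llvm_mode laf-intel/compcov integer splitting failed! ($testcase with type $I split to $BITS)!"
          CODE=1
          break
        fi
        # A non-zero exit of the (presumably self-checking) program means the
        # split compares altered its semantics.
        if ! "$bin"; then
          $ECHO "$RED[!] llvm_mode laf-intel/compcov integer splitting resulted in miscompilation (type $I split to $BITS)!"
          CODE=1
          break
        fi
        rm -f "$bin" test.out || true
      done
    done
  done
  # Sweep up any binary left behind by a break above (pattern matches the
  # "<testcase>-split-<type>-<bits>.compcov" names built in the loop).
  rm -f ./test-*_cases.c-split-*.compcov test.out

  # --- laf-intel: switches, transformed and split compares -------------------
  AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1
  test -e test-compcov.compcov && test_compcov_binary_functionality ./test-compcov.compcov && {
    # With all transforms on, the AFL_DEBUG output is expected to report
    # roughly 30..399 instrumented locations.
    grep --binary-files=text -Eq " [ 123][0-9][0-9] location| [3-9][0-9] location" test.out && {
      $ECHO "$GREEN[ ] llvm_mode laf-intel/compcov feature works correctly"
    } || {
      $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode laf-intel/compcov feature compilation failed"
    # Known failure on s390x.  dpkg only exists on Debian-derived systems; its
    # absence is silenced and simply counts as "not s390x".
    if test "$(dpkg --print-architecture 2>/dev/null)" = s390x; then
      $ECHO " ignoring test failure, cf. https://github.com/AFLplusplus/AFLplusplus/issues/2097"
    else
      CODE=1
    fi
  }
  rm -f test-compcov.compcov test.out

  # --- laf-intel: floating point splitting -----------------------------------
  AFL_LLVM_INSTRUMENT=AFL AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c >errors 2>&1
  test -e test-floatingpoint && {
    mkdir -p in
    echo ZZZZ > in/in
    $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds"
    {
      # Fixed seed (-s 123) for reproducibility; AFL_BENCH_UNTIL_CRASH ends the
      # run at the first crash, -V15 caps it otherwise.
      AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 123 -V15 -m ${MEM_LIMIT} -i in -o out -- ./test-floatingpoint >>errors 2>&1
    } >>errors 2>&1
    test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && {
      $ECHO "$GREEN[ ] llvm_mode laf-intel floatingpoint splitting feature works correctly"
    } || {
      cat errors
      $ECHO "$RED[!] llvm_mode laf-intel floatingpoint splitting feature failed"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode laf-intel floatingpoint splitting feature compilation failed"
    CODE=1
  }
  # "out" goes too, so the cmplog check below cannot match this run's crashes.
  rm -rf out
  rm -f test-floatingpoint test.out in/in errors core.*

  # --- instrument list ---------------------------------------------------------
  # The list names a file that is not part of the build, so nothing must be
  # instrumented and the compiler must say so.
  echo foobar.c > instrumentlist.txt
  AFL_DEBUG=1 AFL_LLVM_INSTRUMENT_FILE=instrumentlist.txt ../afl-clang-fast -o test-compcov test-compcov.c > test.out 2>&1
  test -e test-compcov && test_compcov_binary_functionality ./test-compcov && {
    grep -q "No instrumentation targets found" test.out && {
      $ECHO "$GREEN[ ] llvm_mode instrumentlist feature works correctly"
    } || {
      $ECHO "$RED[!] llvm_mode instrumentlist feature failed"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode instrumentlist feature compilation failed"
    CODE=1
  }
  rm -f test-compcov test.out instrumentlist.txt

  # --- cmplog -----------------------------------------------------------------
  AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1
  test -e test-cmplog && {
    $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds"
    {
      mkdir -p in
      echo 00000000000000000000000000000000 > in/in
      # -c 0 presumably reuses the target itself as the cmplog binary; -m none
      # because the cmplog target is not memory-limited here -- confirm.
      AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -Z -l 3 -m none -V30 -i in -o out -c 0 -- ./test-cmplog >>errors 2>&1
    } >>errors 2>&1
    # Either a crash or a hang counts as cmplog having solved the comparisons.
    test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && {
      $ECHO "$GREEN[ ] afl-fuzz is working correctly with llvm_mode cmplog"
    } || {
      echo CUT------------------------------------------------------------------CUT
      cat errors
      echo CUT------------------------------------------------------------------CUT
      $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode cmplog"
      CODE=1
    }
  } || {
    $ECHO "$YELLOW[-] we cannot test llvm_mode cmplog because it is not present"
    INCOMPLETE=1
  }
  rm -rf errors test-cmplog in out core.*

  # --- persistent mode ---------------------------------------------------------
  ../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1
  test -e test-persistent && {
    echo foo | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && {
      $ECHO "$GREEN[ ] llvm_mode persistent mode feature works correctly"
    } || {
      $ECHO "$RED[!] llvm_mode persistent mode feature failed to work"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode persistent mode feature compilation failed"
    CODE=1
  }
  rm -f test-persistent
} || {
  $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test"
  INCOMPLETE=1
}
. ./test-post.sh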