diff --git a/afl-persistent-config b/afl-persistent-config
index 927f0062b8b3981f033f5fabea3c4e0f57676806..6d96c19650140fe71ee8d6062c1aaf6695fd4589 100755
--- a/afl-persistent-config
+++ b/afl-persistent-config
@@ -113,10 +113,10 @@ EOF
grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options
grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && {
- grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q hardened_usercopy=off || {
+ grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q 'noibrs pcid nopti' || {
echo "Configuring performance boot options"
LINE=`grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'`
- OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
+ OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
echo Setting boot options in /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"
sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"|" /etc/default/grub
}
diff --git a/afl-system-config b/afl-system-config
index faa6448704dc3fc0759af9770594636a8eb90dbd..bf6397faa6d2ed38e4790657317de5f03fb51b1e 100755
--- a/afl-system-config
+++ b/afl-system-config
@@ -47,9 +47,9 @@ if [ "$PLATFORM" = "Linux" ] ; then
} > /dev/null
echo Settings applied.
echo
- dmesg | grep -E -q 'nospectre_v2|spectre_v2=off' || {
+ dmesg | grep -E -q 'noibrs pcid nopti' || {
echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
- echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
+ echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
echo
}
echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
diff --git a/custom_mutators/gramatron/build_gramatron_mutator.sh b/custom_mutators/gramatron/build_gramatron_mutator.sh
index 9952e7f50cf40eb7bd81051b749c37b65928cf8b..ff88ff2696e5d400bd30bb46565a994de304ffe0 100755
--- a/custom_mutators/gramatron/build_gramatron_mutator.sh
+++ b/custom_mutators/gramatron/build_gramatron_mutator.sh
@@ -125,7 +125,7 @@ else
}
fi
-test -d json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
echo "[+] Got json-c."
test -e json-c/.libs/libjson-c.a || {
diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c
index 11546bfd07a575c47416924cb98de3d33a4e6424..af8dd4a307e7b837f9fa2959549548ace4afe08b 160000
--- a/custom_mutators/gramatron/json-c
+++ b/custom_mutators/gramatron/json-c
@@ -1 +1 @@
-Subproject commit 11546bfd07a575c47416924cb98de3d33a4e6424
+Subproject commit af8dd4a307e7b837f9fa2959549548ace4afe08b
diff --git a/custom_mutators/grammar_mutator/build_grammar_mutator.sh b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
index 5121b07f450481bcfbc43b57cd19116f6cfeb161..74cae8aaf8502f689a6aa66a93d5b9444ed47b0e 100755
--- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
@@ -119,7 +119,7 @@ else
}
fi
-test -f grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
echo "[+] Got grammar mutator."
cd "grammar_mutator" || exit 1
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7d34d364bf8367de5ded8b37c2fa691a499a36e1..9503f493960be10e00581db29d23d935d6683491 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -4,6 +4,14 @@
release of the tool. See README.md for the general instruction manual.
+### Version ++4.04a (dev)
+ - fix gramatron and grammar_mutatur build scripts
+ - enhancements to the afl-persistent-config and afl-system-config
+ scripts
+ - afl-cc:
+ - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
+
+
### Version ++4.03c (release)
- Building now gives a build summary what succeeded and what not
- afl-fuzz:
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index 6f3353ec1fc85aaff5de6353c04aaf2c4ad81266..6b72430a67e3eb0a4f98fbbd166c07b0fb23c1ef 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -68,7 +68,7 @@ Python:
def init(seed):
pass
-def fuzz_count(buf, add_buf, max_size):
+def fuzz_count(buf):
return cnt
def fuzz(buf, add_buf, max_size):
diff --git a/include/config.h b/include/config.h
index 2882c9dedd51a041fa0ab5d7c90978202a740b82..21701515db974c2e619fab44c4c74b203a49d251 100644
--- a/include/config.h
+++ b/include/config.h
@@ -26,7 +26,7 @@
/* Version string: */
// c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.03c"
+#define VERSION "++4.04a"
/******************************************************
* *
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 1759898e3be7414ad95e182bf6876acc39a67ee4..194d49b0b40f6f35d51e462d3fbe8d955f2437c8 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -102,6 +102,7 @@ u32 __afl_final_loc;
u32 __afl_map_size = MAP_SIZE;
u32 __afl_dictionary_len;
u64 __afl_map_addr;
+u32 __afl_first_final_loc;
// for the __AFL_COVERAGE_ON/__AFL_COVERAGE_OFF features to work:
int __afl_selective_coverage __attribute__((weak));
@@ -319,13 +320,16 @@ static void __afl_map_shm(void) {
} else {
- if (!getenv("AFL_QUIET"))
+ if (__afl_final_loc > MAP_INITIAL_SIZE && !getenv("AFL_QUIET")) {
+
fprintf(stderr,
"Warning: AFL++ tools might need to set AFL_MAP_SIZE to %u "
"to be able to run this instrumented program if this "
"crashes!\n",
__afl_final_loc);
+ }
+
}
}
@@ -343,29 +347,35 @@ static void __afl_map_shm(void) {
}
- if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) {
+ if (!id_str) {
u32 val = 0;
u8 *ptr;
- if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr);
+ if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
if (val > MAP_INITIAL_SIZE) {
__afl_map_size = val;
- __afl_area_ptr_dummy = malloc(__afl_map_size);
- if (!__afl_area_ptr_dummy) {
- fprintf(stderr,
- "Error: AFL++ could not aquire %u bytes of memory, exiting!\n",
- __afl_map_size);
- exit(-1);
+ } else {
+
+ if (__afl_first_final_loc > MAP_INITIAL_SIZE) {
+
+ // done in second stage constructor
+ __afl_map_size = __afl_first_final_loc;
+
+ } else {
+
+ __afl_map_size = MAP_INITIAL_SIZE;
}
- } else {
+ }
+
+ if (__afl_map_size > MAP_INITIAL_SIZE && __afl_final_loc < __afl_map_size) {
- __afl_map_size = MAP_INITIAL_SIZE;
+ __afl_final_loc = __afl_map_size;
}
@@ -516,7 +526,9 @@ static void __afl_map_shm(void) {
}
- } else if (__afl_final_loc > __afl_map_size) {
+ } else if (__afl_final_loc > MAP_INITIAL_SIZE &&
+
+ __afl_final_loc > __afl_first_final_loc) {
if (__afl_area_initial != __afl_area_ptr_dummy) {
@@ -537,7 +549,7 @@ static void __afl_map_shm(void) {
}
- }
+ } // else: nothing to be done
__afl_area_ptr_backup = __afl_area_ptr;
@@ -1375,21 +1387,24 @@ __attribute__((constructor(1))) void __afl_auto_second(void) {
if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
u8 *ptr;
- if (__afl_final_loc) {
+ if (__afl_final_loc > MAP_INITIAL_SIZE) {
+
+ __afl_first_final_loc = __afl_final_loc + 1;
if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial)
free(__afl_area_ptr);
if (__afl_map_addr)
- ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_final_loc,
+ ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_first_final_loc,
PROT_READ | PROT_WRITE,
MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
else
- ptr = (u8 *)malloc(__afl_final_loc);
+ ptr = (u8 *)malloc(__afl_first_final_loc);
if (ptr && (ssize_t)ptr != -1) {
__afl_area_ptr = ptr;
+ __afl_area_ptr_dummy = __afl_area_ptr;
__afl_area_ptr_backup = __afl_area_ptr;
}
@@ -1407,14 +1422,18 @@ __attribute__((constructor(0))) void __afl_auto_first(void) {
__afl_already_initialized_first = 1;
if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
- u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
- if (ptr && (ssize_t)ptr != -1) {
+ /*
+ u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
- __afl_area_ptr = ptr;
- __afl_area_ptr_backup = __afl_area_ptr;
+ if (ptr && (ssize_t)ptr != -1) {
- }
+ __afl_area_ptr = ptr;
+ __afl_area_ptr_backup = __afl_area_ptr;
+
+ }
+
+ */
} // ptr memleak report is a false positive
diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc
index 5e5792c3d6167f4c4431b724c690efe7f9602be9..e42e8bc01de12cfa845650c8a7b8a41868c12b43 100644
--- a/instrumentation/afl-gcc-cmplog-pass.so.cc
+++ b/instrumentation/afl-gcc-cmplog-pass.so.cc
@@ -243,8 +243,8 @@ struct afl_cmplog_pass : afl_base_pass {
tree t = build_nonstandard_integer_type(sz, 1);
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, VIEW_CONVERT_EXPR,
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, VIEW_CONVERT_EXPR,
build1(VIEW_CONVERT_EXPR, t, lhs));
lhs = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -263,8 +263,8 @@ struct afl_cmplog_pass : afl_base_pass {
lhs = fold_convert_loc(UNKNOWN_LOCATION, t, lhs);
if (!is_gimple_val(lhs)) {
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, lhs);
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, lhs);
lhs = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -273,8 +273,8 @@ struct afl_cmplog_pass : afl_base_pass {
rhs = fold_convert_loc(UNKNOWN_LOCATION, t, rhs);
if (!is_gimple_val(rhs)) {
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, rhs);
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, rhs);
rhs = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -282,7 +282,7 @@ struct afl_cmplog_pass : afl_base_pass {
/* Insert the call. */
tree att = build_int_cst(t8u, attr);
- gimple *call;
+ gimple call;
if (pass_n)
call = gimple_build_call(fn, 4, lhs, rhs, att,
build_int_cst(t8u, sz / 8 - 1));
@@ -305,7 +305,7 @@ struct afl_cmplog_pass : afl_base_pass {
gimple_stmt_iterator gsi = gsi_last_bb(bb);
if (gsi_end_p(gsi)) continue;
- gimple *stmt = gsi_stmt(gsi);
+ gimple stmt = gsi_stmt(gsi);
if (gimple_code(stmt) == GIMPLE_COND) {
diff --git a/instrumentation/afl-gcc-cmptrs-pass.so.cc b/instrumentation/afl-gcc-cmptrs-pass.so.cc
index e9e2fe0d7f81783db8da9780b765696578029a66..0ddbac15ed01a1ab9c7f83d0e4a800df10a747c1 100644
--- a/instrumentation/afl-gcc-cmptrs-pass.so.cc
+++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc
@@ -241,7 +241,7 @@ struct afl_cmptrs_pass : afl_base_pass {
for (gimple_stmt_iterator gsi = gsi_after_labels(bb); !gsi_end_p(gsi);
gsi_next(&gsi)) {
- gimple *stmt = gsi_stmt(gsi);
+ gimple stmt = gsi_stmt(gsi);
/* We're only interested in GIMPLE_CALLs. */
if (gimple_code(stmt) != GIMPLE_CALL) continue;
@@ -291,8 +291,8 @@ struct afl_cmptrs_pass : afl_base_pass {
tree c = fold_convert_loc(UNKNOWN_LOCATION, tp8u, arg[i]);
if (!is_gimple_val(c)) {
- tree s = make_ssa_name(tp8u);
- gimple *g = gimple_build_assign(s, c);
+ tree s = make_ssa_name(tp8u);
+ gimple g = gimple_build_assign(s, c);
c = s;
gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -302,7 +302,7 @@ struct afl_cmptrs_pass : afl_base_pass {
}
- gimple *call = gimple_build_call(fn, 2, arg[0], arg[1]);
+ gimple call = gimple_build_call(fn, 2, arg[0], arg[1]);
gsi_insert_before(&gsi, call, GSI_SAME_STMT);
}
diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h
index 2b71bd22bfb0b28d319607dd77d91a748f54ecf4..766c0eff487bf62cc8097d4dcbd94056ef8fce1a 100644
--- a/instrumentation/afl-gcc-common.h
+++ b/instrumentation/afl-gcc-common.h
@@ -498,3 +498,10 @@ struct afl_base_pass : gimple_opt_pass {
} // namespace
+// compatibility for older gcc versions
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \
+ 60200 /* >= version 6.2.0 */
+#define gimple gimple *
+#else
+#define gimple gimple
+#endif
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index 052b3159c91c96a7551f50d063a20d8eee1dcfd5..2b251075f0e3c82f44eef0437c4c04ad7c1a3b46 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -125,7 +125,10 @@
*/
#include "afl-gcc-common.h"
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \
+ 60200 /* >= version 6.2.0 */
#include "memmodel.h"
+#endif
/* This plugin, being under the same license as GCC, satisfies the
"GPL-compatible Software" definition in the GCC RUNTIME LIBRARY