diff --git a/afl-persistent-config b/afl-persistent-config
index 927f0062b8b3981f033f5fabea3c4e0f57676806..6d96c19650140fe71ee8d6062c1aaf6695fd4589 100755
--- a/afl-persistent-config
+++ b/afl-persistent-config
@@ -113,10 +113,10 @@ EOF
 grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options
 grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && {
- grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q hardened_usercopy=off || {
+ grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q 'noibrs pcid nopti' || {
 echo "Configuring performance boot options"
 LINE=`grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'`
- OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
+ OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
 echo Setting boot options in /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"
 sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"|" /etc/default/grub
 }
diff --git a/afl-system-config b/afl-system-config
index faa6448704dc3fc0759af9770594636a8eb90dbd..bf6397faa6d2ed38e4790657317de5f03fb51b1e 100755
--- a/afl-system-config
+++ b/afl-system-config
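Review bot: The new marker test `grep -E -q 'noibrs pcid nopti'` no longer recognises a grub line written by the previous version of this script (which emitted `nopcid nopti` and was detected through `hardened_usercopy=off`), so on such a host the `|| {` branch runs again and `OPTIONS="$LINE ..."` appends a second full set of options, leaving both `nopcid` and `pcid`, and both `pcid=off` and `pcid=on`, on the kernel command line. Keeping the old marker in the pattern, `grep -E -q 'hardened_usercopy=off|noibrs pcid nopti' || {`, or stripping the previously appended options from `$LINE` before building `OPTIONS`, keeps a re-run idempotent. The new OPTIONS string also still lists `mitigations=off` and `tsx=on` twice. afl-system-config's dmesg check uses the same three-token string, so the two have to be changed together. The enclosing `&& {` group is closed outside the hunk.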
@@ -47,9 +47,9 @@ if [ "$PLATFORM" = "Linux" ] ; then
 } > /dev/null
 echo Settings applied.
 echo
- dmesg | grep -E -q 'nospectre_v2|spectre_v2=off' || {
+ dmesg | grep -E -q 'noibrs pcid nopti' || {
 echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
- echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
+ echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
 echo
 }
 echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
diff --git a/custom_mutators/gramatron/build_gramatron_mutator.sh b/custom_mutators/gramatron/build_gramatron_mutator.sh
index 9952e7f50cf40eb7bd81051b749c37b65928cf8b..ff88ff2696e5d400bd30bb46565a994de304ffe0 100755
--- a/custom_mutators/gramatron/build_gramatron_mutator.sh
+++ b/custom_mutators/gramatron/build_gramatron_mutator.sh
@@ -125,7 +125,7 @@ else
 }
 fi
-test -d json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
 echo "[+] Got json-c."
 test -e json-c/.libs/libjson-c.a || {
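Review bot: The check `dmesg | grep -E -q 'noibrs pcid nopti'` only matches when those three options are adjacent and in that order in the kernel's "Command line:" message, and it also fails once the ring buffer has rotated that message out, so a machine that is booted as recommended can still be told to change its grub settings. The old pattern `'nospectre_v2|spectre_v2=off'` was at least order-independent; reading `/proc/cmdline`, which is always available on the Linux branch this hunk sits in, is the reliable source: `grep -E -q 'noibrs pcid nopti' /proc/cmdline || {`. The same literal is the idempotency marker in afl-persistent-config, so the two strings must be kept identical.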
diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c
index 11546bfd07a575c47416924cb98de3d33a4e6424..af8dd4a307e7b837f9fa2959549548ace4afe08b 160000
--- a/custom_mutators/gramatron/json-c
+++ b/custom_mutators/gramatron/json-c
@@ -1 +1 @@
-Subproject commit 11546bfd07a575c47416924cb98de3d33a4e6424
+Subproject commit af8dd4a307e7b837f9fa2959549548ace4afe08b
diff --git a/custom_mutators/grammar_mutator/build_grammar_mutator.sh b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
index 5121b07f450481bcfbc43b57cd19116f6cfeb161..74cae8aaf8502f689a6aa66a93d5b9444ed47b0e 100755
--- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
@@ -119,7 +119,7 @@ else
 }
 fi
-test -f grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
 echo "[+] Got grammar mutator."
 cd "grammar_mutator" || exit 1
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 7d34d364bf8367de5ded8b37c2fa691a499a36e1..9503f493960be10e00581db29d23d935d6683491 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -4,6 +4,14 @@ release of the tool.
 See README.md for the general instruction manual.
+### Version ++4.04a (dev)
+ - fix gramatron and grammar_mutatur build scripts
+ - enhancements to the afl-persistent-config and afl-system-config
+ scripts
+ - afl-cc:
+ - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
+
+
 ### Version ++4.03c (release)
 - Building now gives a build summary what succeeded and what not
 - afl-fuzz:
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index 6f3353ec1fc85aaff5de6353c04aaf2c4ad81266..6b72430a67e3eb0a4f98fbbd166c07b0fb23c1ef 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -68,7 +68,7 @@ Python:
 def init(seed):
 pass
-def fuzz_count(buf, add_buf, max_size):
+def fuzz_count(buf):
 return cnt
 def fuzz(buf, add_buf, max_size):
diff --git a/include/config.h b/include/config.h
index 2882c9dedd51a041fa0ab5d7c90978202a740b82..21701515db974c2e619fab44c4c74b203a49d251 100644
--- a/include/config.h
+++ b/include/config.h
@@ -26,7 +26,7 @@
 /* Version string: */
 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.03c"
+#define VERSION "++4.04a"
 /******************************************************
 * *
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 1759898e3be7414ad95e182bf6876acc39a67ee4..194d49b0b40f6f35d51e462d3fbe8d955f2437c8 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -102,6 +102,7 @@ u32 __afl_final_loc;
 u32 __afl_map_size = MAP_SIZE;
 u32 __afl_dictionary_len;
 u64 __afl_map_addr;
+u32 __afl_first_final_loc;
 // for the __AFL_COVERAGE_ON/__AFL_COVERAGE_OFF features to work:
 int __afl_selective_coverage __attribute__((weak));
@@ -319,13 +320,16 @@ static void __afl_map_shm(void) {
 } else {
- if (!getenv("AFL_QUIET"))
+ if (__afl_final_loc > MAP_INITIAL_SIZE && !getenv("AFL_QUIET")) {
+
 fprintf(stderr, "Warning: AFL++ tools might need to set AFL_MAP_SIZE to %u " "to be able to run this instrumented program if this " "crashes!\n", __afl_final_loc);
+ }
+
 }
 }
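Review bot: The new global `u32 __afl_first_final_loc;` is added without a comment, and its meaning has to be assembled from two other hunks of this file: `__afl_auto_second` stores `__afl_final_loc + 1` in it as the size of the buffer it allocates, and `__afl_map_shm` later reads it as the fallback map size. A one-line comment at the declaration, `// size of the map allocated by __afl_auto_second (__afl_final_loc + 1); 0 if it allocated nothing`, would make the later `> MAP_INITIAL_SIZE` comparisons on it readable without that cross-reference.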
@@ -343,29 +347,35 @@ static void __afl_map_shm(void) {
 }
- if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) {
+ if (!id_str) {
 u32 val = 0;
 u8 *ptr;
- if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr);
+ if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
 if (val > MAP_INITIAL_SIZE) {
 __afl_map_size = val;
- __afl_area_ptr_dummy = malloc(__afl_map_size);
- if (!__afl_area_ptr_dummy) {
- fprintf(stderr,
- "Error: AFL++ could not aquire %u bytes of memory, exiting!\n",
- __afl_map_size);
- exit(-1);
+ } else {
+
+ if (__afl_first_final_loc > MAP_INITIAL_SIZE) {
+
+ // done in second stage constructor
+ __afl_map_size = __afl_first_final_loc;
+
+ } else {
+
+ __afl_map_size = MAP_INITIAL_SIZE;
 }
- } else {
+ }
+
+ if (__afl_map_size > MAP_INITIAL_SIZE && __afl_final_loc < __afl_map_size) {
- __afl_map_size = MAP_INITIAL_SIZE;
+ __afl_final_loc = __afl_map_size;
 }
@@ -516,7 +526,9 @@ static void __afl_map_shm(void) {
 }
- } else if (__afl_final_loc > __afl_map_size) {
+ } else if (__afl_final_loc > MAP_INITIAL_SIZE &&
+
+ __afl_final_loc > __afl_first_final_loc) {
 if (__afl_area_initial != __afl_area_ptr_dummy) {
@@ -537,7 +549,7 @@ static void __afl_map_shm(void) {
 }
- }
+ } // else: nothing to be done
 __afl_area_ptr_backup = __afl_area_ptr;
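Review bot: `val = atoi(ptr)` parses `AFL_MAP_SIZE` into a `u32` with no range or error check, so a negative or non-numeric value such as `-1` wraps to a huge `__afl_map_size`, and because this hunk drops the `malloc(__afl_map_size)` that used to back an enlarged dummy map, any value above `MAP_INITIAL_SIZE` now only raises the bookkeeping (`__afl_map_size`, and through the new comparison `__afl_final_loc`) without enlarging `__afl_area_ptr_dummy`. Unless code after the hunk reallocates that buffer, the instrumented program's map writes can run past it, since `__afl_auto_second` sizes its allocation from `__afl_final_loc` rather than from the environment value. Parse with `strtoul` and validate — `char *end; errno = 0; unsigned long v = strtoul(ptr, &end, 10);` followed by `if (end != ptr && *end == '\0' && errno == 0 && v <= UINT32_MAX) { val = (u32)v; }` — and cap `val` at the size actually allocated, or report and exit as the removed code did. `__afl_map_shm` starts before and continues after this hunk.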
@@ -1375,21 +1387,24 @@ __attribute__((constructor(1))) void __afl_auto_second(void) {
 if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
 u8 *ptr;
- if (__afl_final_loc) {
+ if (__afl_final_loc > MAP_INITIAL_SIZE) {
+
+ __afl_first_final_loc = __afl_final_loc + 1;
 if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial) free(__afl_area_ptr);
 if (__afl_map_addr)
- ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_final_loc,
+ ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_first_final_loc,
 PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 else
- ptr = (u8 *)malloc(__afl_final_loc);
+ ptr = (u8 *)malloc(__afl_first_final_loc);
 if (ptr && (ssize_t)ptr != -1) {
 __afl_area_ptr = ptr;
+ __afl_area_ptr_dummy = __afl_area_ptr;
 __afl_area_ptr_backup = __afl_area_ptr;
 }
@@ -1407,14 +1422,18 @@ __attribute__((constructor(0))) void __afl_auto_first(void) {
 __afl_already_initialized_first = 1;
 if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
- u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
- if (ptr && (ssize_t)ptr != -1) {
+ /*
+ u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
- __afl_area_ptr = ptr;
- __afl_area_ptr_backup = __afl_area_ptr;
+ if (ptr && (ssize_t)ptr != -1) {
- }
+ __afl_area_ptr = ptr;
+ __afl_area_ptr_backup = __afl_area_ptr;
+
+ }
+
+ */
 } // ptr memleak report is a false positive
diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc
index 5e5792c3d6167f4c4431b724c690efe7f9602be9..e42e8bc01de12cfa845650c8a7b8a41868c12b43 100644
--- a/instrumentation/afl-gcc-cmplog-pass.so.cc
+++ b/instrumentation/afl-gcc-cmplog-pass.so.cc
@@ -243,8 +243,8 @@ struct afl_cmplog_pass : afl_base_pass {
 tree t = build_nonstandard_integer_type(sz, 1);
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, VIEW_CONVERT_EXPR,
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, VIEW_CONVERT_EXPR,
 build1(VIEW_CONVERT_EXPR, t, lhs));
 lhs = s;
 gsi_insert_before(&gsi, g, GSI_SAME_STMT);
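Review bot: `__afl_first_final_loc = __afl_final_loc + 1;` is assigned before the `mmap`/`malloc` that is supposed to back it, so when that allocation fails the variable still advertises a map of that size while `__afl_area_ptr` and `__afl_area_ptr_dummy` keep pointing at the old, smaller buffer; `__afl_map_shm` (the @@ -343 hunk) then derives `__afl_map_size` from `__afl_first_final_loc` and the instrumented code can write past the real allocation. Move the assignment inside the `if (ptr && (ssize_t)ptr != -1) {` branch, or clear it and print an error in an `else` branch instead of failing silently. `(ssize_t)ptr != -1` is the `mmap` failure test spelled by hand; comparing the mmap result against `MAP_FAILED` (and the malloc result against NULL) states the intent. The rest of `__afl_auto_second` lies outside the hunk.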
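Review bot: The body of `__afl_auto_first` is now a block of commented-out code instead of a statement of why the constructor no longer allocates anything; dead code inside `/* */` tends to be resurrected by accident, and git history already preserves it. Replace the block with a one-line comment — the exact reason is not visible in the hunk, but something like `/* no initial allocation here; __afl_auto_second allocates the map once __afl_final_loc is known */` — or delete everything after the `__afl_already_initialized_first = 1;` guard. With the `u8 *ptr` declaration gone, the `// ptr memleak report is a false positive` remark on the closing brace is stale and should be dropped too.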
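Review bot: `tree s = make_ssa_name(t);` is removed and re-added unchanged apart from its leading whitespace, apparently to keep it aligned with the now shorter `gimple g` declaration; that turns a one-token type change into a two-line diff here and again in @@ -263, @@ -273 and the cmptrs @@ -291 hunk, and hides what actually changed. Leaving the unchanged declaration alone (or letting the formatter realign in a separate commit) keeps each diff to the `gimple *g` → `gimple g` line. These hunks also only compile because `gimple` is redefined as a macro in afl-gcc-common.h rather than being the GCC type name; that is the point to settle in that hunk.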
@@ -263,8 +263,8 @@ struct afl_cmplog_pass : afl_base_pass {
 lhs = fold_convert_loc(UNKNOWN_LOCATION, t, lhs);
 if (!is_gimple_val(lhs)) {
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, lhs);
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, lhs);
 lhs = s;
 gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -273,8 +273,8 @@ struct afl_cmplog_pass : afl_base_pass {
 rhs = fold_convert_loc(UNKNOWN_LOCATION, t, rhs);
 if (!is_gimple_val(rhs)) {
- tree s = make_ssa_name(t);
- gimple *g = gimple_build_assign(s, rhs);
+ tree s = make_ssa_name(t);
+ gimple g = gimple_build_assign(s, rhs);
 rhs = s;
 gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -282,7 +282,7 @@ struct afl_cmplog_pass : afl_base_pass {
 /* Insert the call. */
 tree att = build_int_cst(t8u, att);
- gimple *call;
+ gimple call;
 if (pass_n) call = gimple_build_call(fn, 4, lhs, rhs, att, build_int_cst(t8u, sz / 8 - 1));
@@ -305,7 +305,7 @@ struct afl_cmplog_pass : afl_base_pass {
 gimple_stmt_iterator gsi = gsi_last_bb(bb);
 if (gsi_end_p(gsi)) continue;
- gimple *stmt = gsi_stmt(gsi);
+ gimple stmt = gsi_stmt(gsi);
 if (gimple_code(stmt) == GIMPLE_COND) {
diff --git a/instrumentation/afl-gcc-cmptrs-pass.so.cc b/instrumentation/afl-gcc-cmptrs-pass.so.cc
index e9e2fe0d7f81783db8da9780b765696578029a66..0ddbac15ed01a1ab9c7f83d0e4a800df10a747c1 100644
--- a/instrumentation/afl-gcc-cmptrs-pass.so.cc
+++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc
@@ -241,7 +241,7 @@ struct afl_cmptrs_pass : afl_base_pass {
 for (gimple_stmt_iterator gsi = gsi_after_labels(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
- gimple *stmt = gsi_stmt(gsi);
+ gimple stmt = gsi_stmt(gsi);
 /* We're only interested in GIMPLE_CALLs. */
 if (gimple_code(stmt) != GIMPLE_CALL) continue;
@@ -291,8 +291,8 @@ struct afl_cmptrs_pass : afl_base_pass {
 tree c = fold_convert_loc(UNKNOWN_LOCATION, tp8u, arg[i]);
 if (!is_gimple_val(c)) {
- tree s = make_ssa_name(tp8u);
- gimple *g = gimple_build_assign(s, c);
+ tree s = make_ssa_name(tp8u);
+ gimple g = gimple_build_assign(s, c);
 c = s;
 gsi_insert_before(&gsi, g, GSI_SAME_STMT);
@@ -302,7 +302,7 @@ struct afl_cmptrs_pass : afl_base_pass {
 }
- gimple *call = gimple_build_call(fn, 2, arg[0], arg[1]);
+ gimple call = gimple_build_call(fn, 2, arg[0], arg[1]);
 gsi_insert_before(&gsi, call, GSI_SAME_STMT);
 }
diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h
index 2b71bd22bfb0b28d319607dd77d91a748f54ecf4..766c0eff487bf62cc8097d4dcbd94056ef8fce1a 100644
--- a/instrumentation/afl-gcc-common.h
+++ b/instrumentation/afl-gcc-common.h
@@ -498,3 +498,10 @@ struct afl_base_pass : gimple_opt_pass {
 } // namespace
+// compatibility for older gcc versions
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \
+ 60200 /* >= version 6.2.0 */
+#define gimple gimple *
+#else
+#define gimple gimple
+#endif
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index 052b3159c91c96a7551f50d063a20d8eee1dcfd5..2b251075f0e3c82f44eef0437c4c04ad7c1a3b46 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -125,7 +125,10 @@
 */
 #include "afl-gcc-common.h"
+#if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= \
+ 60200 /* >= version 6.2.0 */
 #include "memmodel.h"
+#endif
 /* This plugin, being under the same license as GCC, satisfies the "GPL-compatible Software" definition in the GCC RUNTIME LIBRARY
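Review bot: `#define gimple gimple *` turns a GCC type name into a macro for every translation unit that includes this header, so any `gimple *` written after it — in a GCC header included later, such as the `memmodel.h` that afl-gcc-pass.so.cc includes after this header, or in future AFL code — silently becomes `gimple **`, and spellings like `struct gimple` or `gimple::` are rewritten too; the `#else` branch `#define gimple gimple` is a no-op and should go. A typedef under a project-owned name avoids hijacking the identifier: `typedef gimple *gimple_ptr;` in the newer-GCC branch and `typedef gimple gimple_ptr;` in the older one (with the passes declaring `gimple_ptr g` instead of `gimple g`; the name is a suggestion). The version expression is duplicated verbatim in afl-gcc-pass.so.cc; defining it once in this header — or using the `GCC_VERSION` macro that GCC's ansidecl.h provides, if the plugin headers are already included at this point — keeps the two thresholds in sync. The leading context `} // namespace` shows the macro lands outside the namespace, so it is visible in everything compiled after the include.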