Commit de9d1ff4 authored by vanhauser-thc

doc fixes

parent e6e82948
...@@ -13,8 +13,8 @@ afl-cc. ...@@ -13,8 +13,8 @@ afl-cc.
The usual performance cost is 2-5x, which is considerably better than seen so The usual performance cost is 2-5x, which is considerably better than seen so
far in experiments with tools such as DynamoRIO and PIN. far in experiments with tools such as DynamoRIO and PIN.
The idea and much of the initial implementation comes from Andrew Griffiths. The The idea and much of the initial implementation comes from Andrew Griffiths.
actual implementation on current QEMU (shipped as qemuafl) is from Andrea The actual implementation on current QEMU (shipped as qemuafl) is from Andrea
Fioraldi. Special thanks to abiondo that re-enabled TCG chaining. Fioraldi. Special thanks to abiondo that re-enabled TCG chaining.
## 2) How to use QEMU mode ## 2) How to use QEMU mode
...@@ -30,17 +30,13 @@ glib2-devel). ...@@ -30,17 +30,13 @@ glib2-devel).
Once the binaries are compiled, you can leverage the QEMU tool by calling Once the binaries are compiled, you can leverage the QEMU tool by calling
afl-fuzz and all the related utilities with `-Q` in the command line. afl-fuzz and all the related utilities with `-Q` in the command line.
Note that QEMU requires a generous memory limit to run; somewhere around 200 MB
is a good starting point, but considerably more may be needed for more complex
programs. The default `-m` limit will be automatically bumped up to 200 MB when
specifying `-Q` to afl-fuzz; be careful when overriding this.
In principle, if you set `CPU_TARGET` before calling ./build_qemu_support.sh, In principle, if you set `CPU_TARGET` before calling ./build_qemu_support.sh,
you should get a build capable of running non-native binaries (say, you can try you should get a build capable of running non-native binaries (say, you can try
`CPU_TARGET=arm`). This is also necessary for running 32-bit binaries on a `CPU_TARGET=arm`). This is also necessary for running 32-bit binaries on a
64-bit system (`CPU_TARGET=i386`). If you're trying to run QEMU on a different 64-bit system (`CPU_TARGET=i386`). If you're trying to run QEMU on a different
architecture, you can also set `HOST` to the cross-compiler prefix to use (for architecture, you can also set `HOST` to the cross-compiler prefix to use (for
example `HOST=arm-linux-gnueabi` to use arm-linux-gnueabi-gcc). example `HOST=arm-linux-gnueabi` to use arm-linux-gnueabi-gcc).
Another common target is `CPU_TARGET=aarch64`.
You can also compile statically-linked binaries by setting `STATIC=1`. This can You can also compile statically-linked binaries by setting `STATIC=1`. This can
be useful when compiling QEMU on a different system than the one you're planning be useful when compiling QEMU on a different system than the one you're planning
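Review bot: the removed paragraph (the `-m` limit being bumped to 200 MB when `-Q` is given, and the warning about overriding it) is the only place in this hunk that documented the memory-limit behaviour, and nothing replaces it; if afl-fuzz still raises the limit under `-Q`, keep a one-line mention next to the `-Q` sentence so users who set `-m` themselves know the default changed, and if the behaviour was dropped, the commit message should say so rather than just "doc fixes". Separately, the new line `Another common target is CPU_TARGET=aarch64.` is placed after the `HOST` cross-compiler sentence; it is a `CPU_TARGET` example, so it reads better directly after the `CPU_TARGET=i386` example.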
...@@ -219,9 +215,6 @@ program may be utilizing. In particular, it does not appear to have full support ...@@ -219,9 +215,6 @@ program may be utilizing. In particular, it does not appear to have full support
for AVX2/FMA3. Using binaries for older CPUs or recompiling them with for AVX2/FMA3. Using binaries for older CPUs or recompiling them with
`-march=core2`, can help. `-march=core2`, can help.
Beyond that, this is an early-stage mechanism, so fields reports are welcome.
You can send them to <afl-users@googlegroups.com>.
## 14) Alternatives: static rewriting ## 14) Alternatives: static rewriting
Statically rewriting binaries just once, instead of attempting to translate them Statically rewriting binaries just once, instead of attempting to translate them
...@@ -230,4 +223,4 @@ with peril, because it depends on being able to properly and fully model program ...@@ -230,4 +223,4 @@ with peril, because it depends on being able to properly and fully model program
control flow without actually executing each and every code path. control flow without actually executing each and every code path.
For more information and hints, check out For more information and hints, check out
[docs/fuzzing_binary-only_targets.md](../docs/fuzzing_binary-only_targets.md). [docs/fuzzing_binary-only_targets.md](../docs/fuzzing_binary-only_targets.md).
\ No newline at end of file
...@@ -27,11 +27,12 @@ function and will patch the return address (on stack or in the link register) to ...@@ -27,11 +27,12 @@ function and will patch the return address (on stack or in the link register) to
return to START (like WinAFL). return to START (like WinAFL).
*Note:* If the target is compiled with position independent code (PIE/PIC) qemu *Note:* If the target is compiled with position independent code (PIE/PIC) qemu
loads these to a specific base address. For 64 bit you have to add 0x4000000000 loads these to a specific base address. For amd64 bit you have to add
(9 zeroes) and for 32 bit 0x40000000 (7 zeroes) to the address. On strange 0x4000000000 (9 zeroes) and for 32 bit 0x40000000 (7 zeroes) to the address.
setups the base address set by QEMU for PIE executable may change. You can check For aarch64 it is usually 0x5500000000.
it printing the process map using `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace On strange setups the base address set by QEMU for PIE executable may change.
TARGET-BINARY`. You can check it printing the process map using
`AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY`.
If this address is not valid, afl-fuzz will error during startup with the If this address is not valid, afl-fuzz will error during startup with the
message that the forkserver was not found. message that the forkserver was not found.
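Review bot: `For amd64 bit you have to add` is a leftover from the old `For 64 bit`; either `For amd64` or `For 64-bit x86` reads correctly. The new aarch64 base `0x5500000000` also lacks the digit-count hint the other two offsets carry ("9 zeroes", "7 zeroes"); adding "(8 zeroes)" keeps the three consistent, and since the next sentence already says the base may differ on unusual setups, the "usually" qualifier could instead point readers at the `AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY` check explicitly for aarch64.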
...@@ -360,8 +360,10 @@ if ! command -v "$CROSS" > /dev/null ; then ...@@ -360,8 +360,10 @@ if ! command -v "$CROSS" > /dev/null ; then
make -C libcompcov && echo "[+] libcompcov ready" make -C libcompcov && echo "[+] libcompcov ready"
echo "[+] Building unsigaction ..." echo "[+] Building unsigaction ..."
make -C unsigaction && echo "[+] unsigaction ready" make -C unsigaction && echo "[+] unsigaction ready"
echo "[+] Building fastexit ..."
make -C fastexit && echo "[+] fastexit ready"
echo "[+] Building libqasan ..." echo "[+] Building libqasan ..."
make -C libqasan && echo "[+] unsigaction ready" make -C libqasan && echo "[+] libqasan ready"
echo "[+] Building qemu libfuzzer helpers ..." echo "[+] Building qemu libfuzzer helpers ..."
make -C ../utils/aflpp_driver make -C ../utils/aflpp_driver
else else
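Review bot: this hunk changes the build script, not documentation, so the commit message "doc fixes" undersells it; mention that `fastexit` is now built. The new `make -C fastexit && echo "[+] fastexit ready"` follows the neighbouring lines exactly, which means a failed build only suppresses the echo and the script carries on; that is consistent with the libcompcov and unsigaction lines, so acceptable for parity, but if a failure should be visible, all of these lines want a matching `|| echo "[-] ... failed"` branch. The `[+] unsigaction ready` to `[+] libqasan ready` correction on the libqasan line is right.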
...@@ -2,4 +2,4 @@ ...@@ -2,4 +2,4 @@
This library forces _exit on exit when preloaded to gain speed. This library forces _exit on exit when preloaded to gain speed.
Gives speed on complex tarets like Android or Wine. Gives speed on complex targets like Android or Wine.
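Review bot: the "tarets" to "targets" fix is correct. Since the README only says the library forces `_exit` on `exit`, it would help to state the trade-off in one sentence: `_exit` skips atexit handlers and does not flush stdio buffers, which is where the speed comes from but also means output still buffered at exit is lost.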