├── README ├── QuickStartGuide.txt ├── dsa ├── lib │ ├── DSA │ │ ├── test.cpp │ │ ├── Makefile.org │ │ ├── README │ │ ├── Makefile │ │ ├── AddressTakenAnalysis.cpp │ │ ├── LICENSE.TXT │ │ └── Basic.cpp │ └── AssistDS │ │ ├── Makefile.org │ │ ├── Makefile │ │ ├── FuncSimplify.cpp │ │ ├── SimplifyLoad.cpp │ │ └── LICENSE.TXT ├── README.md ├── include │ ├── assistDS │ │ ├── SimplifyLoad.h │ │ ├── SimplifyExtractValue.h │ │ ├── SimplifyInsertValue.h │ │ ├── FuncSimplify.h │ │ ├── MergeGEP.h │ │ ├── StructReturnToPointer.h │ │ ├── GEPExprArgs.h │ │ ├── SimplifyGEP.h │ │ ├── IndCloner.h │ │ ├── ArgCast.h │ │ ├── FuncSpec.h │ │ ├── Int2PtrCmp.h │ │ ├── LoadArgs.h │ │ ├── TypeChecksOpt.h │ │ ├── DSNodeEquivs.h │ │ ├── Devirt.h │ │ └── LICENSE.TXT │ └── dsa │ │ ├── super_set.h │ │ ├── stl_util.h │ │ ├── AddressTakenAnalysis.h │ │ ├── EntryPointAnalysis.h │ │ ├── Steensgaard.hh │ │ ├── AllocatorIdentification.h │ │ ├── CallTargets.h │ │ ├── TypeSafety.h │ │ └── LICENSE.TXT └── LICENSE.TXT ├── testcases ├── others │ ├── text │ │ └── hello_world.txt │ ├── js │ │ └── small_script.js │ ├── xml │ │ └── small_document.xml │ ├── rtf │ │ └── small_document.rtf │ ├── elf │ │ └── small_exec.elf │ ├── sql │ │ └── simple_queries.sql │ ├── pcap │ │ └── small_capture.pcap │ └── pdf │ │ └── small.pdf ├── images │ ├── bmp │ │ └── not_kitty.bmp │ ├── gif │ │ └── not_kitty.gif │ ├── ico │ │ └── not_kitty.ico │ ├── jp2 │ │ └── not_kitty.jp2 │ ├── jxr │ │ └── not_kitty.jxr │ ├── png │ │ ├── not_kitty.png │ │ ├── not_kitty_icc.png │ │ ├── not_kitty_alpha.png │ │ └── not_kitty_gamma.png │ ├── jpeg │ │ └── not_kitty.jpg │ ├── tiff │ │ └── not_kitty.tiff │ └── webp │ │ └── not_kitty.webp ├── multimedia │ └── h264 │ │ └── small_movie.mp4 ├── archives │ ├── common │ │ ├── xz │ │ │ └── small_archive.xz │ │ ├── bzip2 │ │ │ └── small_archive.bz2 │ │ ├── cab │ │ │ └── small_archive.cab │ │ ├── cpio │ │ │ └── small_archive.cpio │ │ ├── gzip │ │ │ └── small_archive.gz │ │ ├── lzo │ │ │ └── 
small_archive.lzo │ │ ├── rar │ │ │ └── small_archive.rar │ │ ├── zip │ │ │ └── small_archive.zip │ │ ├── compress │ │ │ └── small_archive.Z │ │ ├── ar │ │ │ └── small_archive.a │ │ └── tar │ │ │ └── small_archive.tar │ └── exotic │ │ ├── arj │ │ └── small_archive.arj │ │ ├── lha │ │ └── small_archive.lha │ │ ├── lrzip │ │ └── small_archive.lrz │ │ ├── lzip │ │ └── small_archive.lz │ │ ├── lzma │ │ └── small_archive.lzma │ │ ├── rzip │ │ └── small_archive.rz │ │ └── zoo │ │ └── small_archive.zoo └── README.testcases ├── docs ├── vuln_samples │ ├── bash-cmd-exec.var │ ├── sqlite-null-ptr4.sql │ ├── bash-uninit-mem.var │ ├── sqlite-null-ptr10.sql │ ├── sqlite-null-ptr11.sql │ ├── sqlite-null-ptr3.sql │ ├── sqlite-null-ptr5.sql │ ├── sqlite-null-ptr2.sql │ ├── sqlite-null-ptr7.sql │ ├── sqlite-bad-ptr.sql │ ├── sqlite-null-ptr8.sql │ ├── sqlite-stack-exhaustion.sql │ ├── sqlite-null-ptr1.sql │ ├── sqlite-null-ptr12.sql │ ├── sqlite-null-ptr13.sql │ ├── sqlite-unint-mem.sql │ ├── jxrlib-crash.jxr │ ├── libxml2-bad-read.xml │ ├── jxrlib-crash2.jxr │ ├── jxrlib-crash3.jxr │ ├── jxrlib-crash4.jxr │ ├── msie-dht-leak.jpg │ ├── msie-zlib-dos.png │ ├── firefox-bmp-leak.bmp │ ├── firefox-gif-leak.gif │ ├── firefox-gif-leak2.gif │ ├── libjpeg-sos-leak.jpg │ ├── libtiff-bad-write.tif │ ├── msie-jxr-mem-leak.jxr │ ├── msie-png-mem-leak.png │ ├── openssl-null-ptr.der │ ├── openssl-null-ptr2.der │ ├── sqlite-null-ptr6.sql │ ├── sqlite-null-ptr9.sql │ ├── sqlite-oob-read.sql │ ├── file-fpu-exception.elf │ ├── firefox-chrome-leak.jpg │ ├── libtiff-uninit-mem.tif │ ├── libtiff-uninit-mem2.tif │ ├── libtiff-uninit-mem3.tif │ ├── libtiff-uninit-mem4.tif │ ├── msie-tiff-mem-leak.tif │ ├── photoshop-mem-leak.jpg │ ├── sqlite-bad-free.sql │ ├── strings-bfd-badptr.elf │ ├── strings-bfd-badptr2.elf │ ├── strings-stack-overflow │ ├── tcpdump-arp-crash.pcap │ ├── tcpdump-ppp-crash.pcap │ ├── ffmpeg-h264-bad-read.mp4 │ ├── libjpeg-turbo-dht-leak.jpg │ ├── strings-unchecked-ctr.elf │ ├── 
unrtf-arbitrary-read.rtf │ ├── unzip-t-mem-corruption.zip │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ ├── lesspipe-cpio-bad-write.cpio │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ ├── sqlite-bad-ptr2.sql │ ├── sqlite-stack-buf-overflow.sql │ ├── sqlite-null-ptr15.sql │ ├── sqlite-bad-ptr3.sql │ ├── sqlite-heap-overflow.sql │ ├── sqlite-use-after-free.sql │ ├── sqlite-oob-write.sql │ ├── sqlite-null-ptr14.sql │ └── sqlite-negative-memset.sql ├── visualization │ └── afl_gzip.png └── QuickStartGuide.txt ├── afl-fuzz ├── gllvm ├── examples │ ├── issue19 │ │ ├── test.c │ │ └── Makefile │ ├── linux-kernel │ │ ├── convert-thin-archive.sh │ │ ├── make-script.sh │ │ ├── make-script-clang.sh │ │ ├── bootable-kernel.sh │ │ ├── bash_profile │ │ ├── install-kernel.sh │ │ ├── build_linux_wllvm_git.sh │ │ ├── build_linux_wllvm_tarball.sh │ │ ├── build_linux_gllvm_git.sh │ │ ├── build_linux_gllvm_tarball.sh │ │ ├── bootstrap.sh │ │ ├── Vagrantfile │ │ ├── build_linux_gllvm.sh │ │ ├── init_script.sh │ │ ├── full-script.sh │ │ ├── parse-bi.py │ │ ├── handle-bi.sh │ │ ├── copy-native-bi.sh │ │ ├── copy-missing-o.sh │ │ └── copy.sh │ ├── README.md │ └── tor_and_its_dependencies │ │ └── Makefile ├── ians-notes.txt ├── LICENSE ├── cmd │ ├── gsanity-check │ │ └── main.go │ ├── get-bc │ │ └── main.go │ ├── gclang++ │ │ └── main.go │ └── gclang │ │ └── main.go └── shared │ ├── constants.go │ └── utils.go ├── python_libs ├── __init__.py ├── c2s.py ├── logger.py ├── storage.py └── statistics.py ├── clang_rewriters ├── common.h └── Makefile ├── dictionaries ├── gif.dict ├── webp.dict ├── jpeg.dict ├── json.dict ├── png.dict ├── tiff.dict ├── xml.dict ├── README.dictionaries └── js.dict ├── experimental ├── libpng_no_checksum │ └── libpng-nocrc.patch ├── README.experiments ├── clang_asm_normalize │ └── as ├── bash_shellshock │ └── shellshock-fuzz.diff ├── argv_fuzzing │ └── argv-fuzz-inl.h ├── distributed_fuzzing │ └── sync_script.sh ├── persistent_demo │ └── persistent_demo.c └── crash_triage │ └── 
triage_crashes.sh ├── afl-config.sh ├── test-instr.c ├── llvm_mode ├── testcases.txt └── afl-llvm-pass-parent.h ├── qemu_mode └── patches │ ├── cpu-exec.diff │ ├── syscall.diff │ └── elfload.diff ├── libtokencap ├── Makefile └── README.tokencap ├── utils.h ├── libdislocator ├── Makefile └── README.dislocator ├── make_autodict.sh ├── setup-aflc-gclang.sh ├── library.sh ├── aflc-link-bc ├── hash.h ├── types.h ├── backup.py ├── plotone2one.py └── clang_format_fixes └── clang └── License.txt /README: -------------------------------------------------------------------------------- 1 | docs/README -------------------------------------------------------------------------------- /QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | docs/QuickStartGuide.txt -------------------------------------------------------------------------------- /dsa/lib/DSA/test.cpp: -------------------------------------------------------------------------------- 1 | int foo() { return 3; } 2 | -------------------------------------------------------------------------------- /testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | d 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- 
/docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /afl-fuzz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/afl-fuzz -------------------------------------------------------------------------------- /docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } < 2 | int main(void) { 3 | printf("test\n"); 4 | } 5 | -------------------------------------------------------------------------------- /docs/visualization/afl_gzip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/visualization/afl_gzip.png -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr12.sql: -------------------------------------------------------------------------------- 1 | PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr13.sql: -------------------------------------------------------------------------------- 1 | WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-unint-mem.sql: -------------------------------------------------------------------------------- 1 | REATE VIRTUAL TABLE t0 USING 
fts4(prefix=0);INSERT INTO t0 VALUES(0); 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/jxrlib-crash.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/jxrlib-crash.jxr -------------------------------------------------------------------------------- /docs/vuln_samples/libxml2-bad-read.xml: -------------------------------------------------------------------------------- 1 | O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/strings-bfd-badptr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/strings-bfd-badptr.elf -------------------------------------------------------------------------------- /docs/vuln_samples/strings-bfd-badptr2.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/strings-bfd-badptr2.elf -------------------------------------------------------------------------------- /docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/strings-stack-overflow -------------------------------------------------------------------------------- /docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/tcpdump-arp-crash.pcap -------------------------------------------------------------------------------- /docs/vuln_samples/tcpdump-ppp-crash.pcap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/tcpdump-ppp-crash.pcap -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- /testcases/others/pcap/small_capture.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-bad-read.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/ffmpeg-h264-bad-read.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/libjpeg-turbo-dht-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg 
-------------------------------------------------------------------------------- /docs/vuln_samples/strings-unchecked-ctr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/strings-unchecked-ctr.elf -------------------------------------------------------------------------------- /docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/unzip-t-mem-corruption.zip -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/convert-thin-archive.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for lib in $*; 3 | do ar -t $lib |xargs ar rvs $lib.new; 4 | done -------------------------------------------------------------------------------- /python_libs/__init__.py: -------------------------------------------------------------------------------- 1 | import os, pkgutil 2 | __all__ = list(module for _, module, _ in pkgutil.iter_modules([os.path.dirname(__file__)])) -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/lesspipe-cpio-bad-write.cpio: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/lesspipe-cpio-bad-write.cpio -------------------------------------------------------------------------------- /testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /testcases/archives/common/rar/small_archive.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/lzip/small_archive.lz 
-------------------------------------------------------------------------------- /testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Samsung/afl_cc/HEAD/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | -------------------------------------------------------------------------------- 
/docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/make-script.sh: -------------------------------------------------------------------------------- 1 | #to avoid random missing files errors when building 2 | while [ ! -e "vmlinux" ]; do 3 | make vmlinux CC=gclang HOSTCC=gclang 4 | done -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/make-script-clang.sh: -------------------------------------------------------------------------------- 1 | #to avoid random missing files errors when building with clang 2 | while [ ! -e "vmlinux" ]; do 3 | make vmlinux CC=clang HOSTCC=clang 4 | done -------------------------------------------------------------------------------- /testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj trailer<> -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /dsa/README.md: -------------------------------------------------------------------------------- 1 | # llvm-dsa # 2 | 3 | DSA fork for SeaHorn. 4 | Based on the DSA for in [SMACK](https://github.com/smackers/smack). 5 | Originally from [PoolAlloc](https://llvm.org/svn/llvm-project/poolalloc/). 
6 | LLVM version is 3.8. 7 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/bootable-kernel.sh: -------------------------------------------------------------------------------- 1 | cd $HOME 2 | tar xf linux-4.14.39.tar.xz 3 | mv linux-4.14.39 bootable-linux 4 | 5 | cp /vagrant/make-script-clang.sh bootable-linux/ 6 | cd bootable-linux 7 | bash make-script-clang.sh 8 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='00000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-heap-overflow.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO 
t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- /gllvm/examples/README.md: -------------------------------------------------------------------------------- 1 | # Examples of using GLLVM 2 | 3 | 4 | A simple set of instructions for building apache in a vagrant Ubuntu 14.04 can be found 5 | [here,](tutorial.md) and for Ubuntu 16.04 [here.](tutorial-ubuntu-16.04.md) 6 | 7 | The big example here though is the [linux kernel.](linux-kernel) 8 | 9 | -------------------------------------------------------------------------------- /clang_rewriters/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__) 7 | #define ASSERT(x) if (!(x)) {errs() << "assert( " << #x << " ) failed in file " << __FILENAME__ << " at line " << __LINE__ << "\n"; exit(-1); } -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /testcases/archives/common/ar/small_archive.a: -------------------------------------------------------------------------------- 1 | ! 2 | limerick/ 1415337776 500 500 100640 191 ` 3 | There was a young man from Japan 4 | Whose limericks never would scan. 
5 | When asked why that was, 6 | He replied "It's because 7 | I always try to cram as many words into the last line as I possibly can." 8 | 9 | -------------------------------------------------------------------------------- /gllvm/examples/issue19/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: test 3 | 4 | #one: 5 | # ${CC} test.c -dead_strip -fsanitize=address -o test 6 | 7 | 8 | test.o: 9 | ${CC} -c test.c -fsanitize=address 10 | 11 | 12 | test: test.o 13 | ${CC} test.o -dead_strip -fsanitize=address -o test 14 | 15 | 16 | 17 | clean: 18 | rm -f test.o test .test* *~ 19 | -------------------------------------------------------------------------------- /dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/bash_profile: -------------------------------------------------------------------------------- 1 | #### /vagrant/bash_profile 2 | 3 | #### llvm 4 | export LLVM_HOME=/usr/lib/llvm-5.0 5 | export GOPATH=/vagrant/go 6 | 7 | ######## gllvm/wllvm configuration ############# 8 | 9 | export LLVM_COMPILER=clang 10 | export WLLVM_OUTPUT_LEVEL=WARNING 11 | export WLLVM_OUTPUT_FILE=/vagrant/wrapper-logs/wrapper.log 12 | export PATH=${GOPATH}/bin:${LLVM_HOME}/bin:${PATH} 13 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/install-kernel.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 
| 3 | ### Copy vmlinux into the bootable linux folder and install the new kernel 4 | cp $HOME/standalone-build/vmlinux $HOME/linux-stable/ 5 | 6 | cd $HOME/linux-stable 7 | 8 | scripts/sortextable vmlinux 9 | nm -n vmlinux | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( .L\)' > System.map 10 | make CC=gclang HOSTCC=gclang 11 | sudo make modules_install install 12 | -------------------------------------------------------------------------------- /python_libs/c2s.py: -------------------------------------------------------------------------------- 1 | import os, sys, inspect 2 | currentdir = os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe()))) 3 | parentdir = os.path.dirname(currentdir) 4 | sys.path.insert(0, parentdir) 5 | 6 | import storage 7 | 8 | def read(fn): 9 | d = dict() 10 | lines = storage.read_file(fn, True) 11 | for line in lines: 12 | edgeid = int(line.split("=")[0]) 13 | d[edgeid] = line[:-1].split("=")[1].split(",") 14 | return d -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/build_linux_wllvm_git.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### building from a git clone with wllvm 4 | 5 | sudo pip install wllvm 6 | 7 | cd ${HOME} 8 | git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git 9 | 10 | cd linux-stable 11 | git checkout tags/v4.14.39 12 | cp /vagrant/tinyconfig64 .config 13 | 14 | 15 | make CC=wllvm HOSTCC=wllvm 16 | 17 | extract-bc -m -b built-in.o 18 | extract-bc -m vmlinux 19 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/build_linux_wllvm_tarball.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### building from a tarball with wllvm 4 | 5 | sudo pip install wllvm 6 | 7 | cd ${HOME} 8 | wget 
https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.14.39.tar.xz 9 | tar xvf linux-4.14.39.tar.xz 10 | cd linux-4.14.39 11 | 12 | cp /vagrant/tinyconfig64 .config 13 | 14 | 15 | make CC=wllvm HOSTCC=wllvm 16 | 17 | extract-bc -m -b built-in.o 18 | extract-bc -m vmlinux 19 | -------------------------------------------------------------------------------- /dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/build_linux_gllvm_git.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### building from a git clone with gllvm 4 | 5 | go get github.com/SRI-CSL/gllvm/cmd/... 6 | 7 | cd ${HOME} 8 | git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git 9 | 10 | cd linux-stable 11 | git checkout tags/v4.14.39 12 | cp /vagrant/tinyconfig64 .config 13 | 14 | make CC=gclang HOSTCC=gclang 15 | 16 | get-bc -m -b built-in.o 17 | get-bc -m vmlinux 18 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/build_linux_gllvm_tarball.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### building from a tarball with gllvm 4 | 5 | go get github.com/SRI-CSL/gllvm/cmd/... 
6 | 7 | cd ${HOME} 8 | wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.14.39.tar.xz 9 | tar xvf linux-4.14.39.tar.xz 10 | cd linux-4.14.39 11 | 12 | cp /vagrant/tinyconfig64 .config 13 | 14 | make CC=gclang HOSTCC=gclang 15 | 16 | get-bc -m -b built-in.o 17 | get-bc -m vmlinux 18 | -------------------------------------------------------------------------------- /python_libs/logger.py: -------------------------------------------------------------------------------- 1 | import os, sys, inspect 2 | currentdir = os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe()))) 3 | parentdir = os.path.dirname(currentdir) 4 | sys.path.insert(0, parentdir) 5 | 6 | import logging 7 | logging.basicConfig(format='%(levelname)s:\t%(message)s') 8 | 9 | # https://docs.python.org/2/howto/logging-cookbook.html 10 | def get(name): 11 | logger = logging.getLogger(name) 12 | logger.setLevel(logging.INFO) 13 | return logger -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # vagrant bootstrapping file 4 | 5 | sudo apt-get update 6 | 7 | sudo apt-get install -y emacs24 dbus-x11 8 | sudo apt-get install -y git 9 | sudo apt-get install -y llvm-5.0 libclang-5.0-dev clang-5.0 10 | sudo apt-get install -y python-pip golang-go 11 | sudo apt-get install -y flex bison bc libncurses5-dev 12 | sudo apt-get install -y libelf-dev libssl-dev 13 | 14 | echo ". 
/vagrant/bash_profile" >> /home/vagrant/.bashrc 15 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | 5 | Vagrant.configure("2") do |config| 6 | 7 | config.vm.box = "ubuntu/xenial64" 8 | config.vm.provision :shell, path: "bootstrap.sh" 9 | 10 | config.vm.provider "virtualbox" do |vb| 11 | vb.memory = "4096" 12 | vb.customize ["modifyvm", :id, "--ioapic", "on"] 13 | vb.customize ["modifyvm", :id, "--memory", "4096"] 14 | vb.customize ["modifyvm", :id, "--cpus", "2"] 15 | end 16 | 17 | end -------------------------------------------------------------------------------- /gllvm/ians-notes.txt: -------------------------------------------------------------------------------- 1 | To edit the code locally use the repository here: 2 | 3 | ~/go/src/github.com/SRI-CSL/gllvm 4 | 5 | Then do: 6 | 7 | go install github.com/SRI-CSL/gllvm/cmd/... 8 | 9 | 10 | To format for the badge: 11 | 12 | gofmt -s -w shared/*.go cmd/*/*.go 13 | 14 | 15 | For linting: 16 | 17 | https://github.com/alecthomas/gometalinter 18 | 19 | gometalinter.v2 ./... 20 | 21 | 22 | For keeping up with the Jones: 23 | 24 | clang -cc1 --help 25 | 26 | https://clang.llvm.org/docs/ClangCommandLineReference.html 27 | -------------------------------------------------------------------------------- /experimental/libpng_no_checksum/libpng-nocrc.patch: -------------------------------------------------------------------------------- 1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200 2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200 3 | 
@@ -268,7 +268,11 @@ 4 | if (need_crc != 0) 5 | { 6 | crc = png_get_uint_32(crc_bytes); 7 | - return ((int)(crc != png_ptr->crc)); 8 | + 9 | + if (crc != png_ptr->crc) 10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc); 11 | + 12 | + return ((int)(1 != 1)); 13 | } 14 | 15 | else 16 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/build_linux_gllvm.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### building from a tarball with gllvm 4 | 5 | go get github.com/SRI-CSL/gllvm/cmd/... 6 | 7 | cd ${HOME} 8 | wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.14.39.tar.xz 9 | tar xf linux-4.14.39.tar.xz 10 | mv linux-4.14.39 linux-stable 11 | cd linux-stable 12 | 13 | cp /vagrant/link-vmlinux.sh scripts/ #to retain a copy of kallsyms.o 14 | cp /vagrant/parse-bi.py . 15 | cp /vagrant/make-script.sh . 16 | 17 | make defconfig 18 | bash make-script.sh 19 | -------------------------------------------------------------------------------- /docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL 
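Review bot: After this hunk the function reports every chunk CRC as valid — `return ((int)(1 != 1))` is simply `return 0` — and the added fprintf line is the only trace that a mismatch occurred, so a crash found with this build may not reproduce on stock libpng until the file's CRC is rewritten to the printed value. The added lines deserve a comment making that explicit, e.g. `/* Fuzzing build only: CRC mismatches are logged, never rejected; fix the CRC to the printed value before reproducing on an unpatched libpng. */`, and `return 0;` says the same as the `(1 != 1)` idiom. If `png_uint_32` is not `unsigned int` on the target, the two `%08x` conversions also need a cast. The enclosing function starts before the hunk.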
dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /dsa/lib/AssistDS/Makefile.org: -------------------------------------------------------------------------------- 1 | ##===- lib/AssistDS/Makefile -------------------------------*- Makefile -*-===## 2 | # 3 | # The LLVM Compiler Infrastructure 4 | # 5 | # This file was developed by the LLVM research group and is distributed under 6 | # the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | # 8 | ##===----------------------------------------------------------------------===## 9 | 10 | LEVEL = ../.. 11 | LIBRARYNAME = AssistDS 12 | BUILD_ARCHIVE=1 13 | 14 | include $(LEVEL)/Makefile.common 15 | 16 | CFlags += -Wno-deprecated 17 | -------------------------------------------------------------------------------- /dsa/lib/DSA/Makefile.org: -------------------------------------------------------------------------------- 1 | ##===- lib/DSA/Makefile ------------------------------------*- Makefile -*-===## 2 | # 3 | # The LLVM Compiler Infrastructure 4 | # 5 | # This file was developed by the LLVM research group and is distributed under 6 | # the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | # 8 | ##===----------------------------------------------------------------------===## 9 | 10 | LEVEL = ../.. 
11 | LIBRARYNAME = LLVMDataStructure 12 | BUILD_ARCHIVE=1 13 | 14 | include $(LEVEL)/Makefile.common 15 | 16 | CFlags += -Wno-deprecated 17 | 18 | -------------------------------------------------------------------------------- /dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 6 | # 7 | # Inspired by a dictionary by Jakub Wilk 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | -------------------------------------------------------------------------------- /afl-config.sh: -------------------------------------------------------------------------------- 1 | if [ -z "$LLVM_CONFIG" ]; then 2 | fatal "LLVM_CONFIG not defined" 3 | fi 4 | 5 | OPT=`$LLVM_CONFIG --bindir`/opt 6 | LLVM_AS=`$LLVM_CONFIG --bindir`/llvm-as 7 | LLVM_AR=`$LLVM_CONFIG --bindir`/llvm-ar 8 | LLVM_LINK=`$LLVM_CONFIG --bindir`/llvm-link 9 | 10 | OPT_ARGS="-internalize -internalize-public-api-list=main -globaldce -deadargelim -dse -die -argpromotion -disable-simplify-libcalls -inline -instcombine -loop-deletion -loop-unswitch -lowerswitch -memcpyopt -mem2reg -mergereturn" 11 | OPT_ARGS_ARCHIVE="-globaldce -deadargelim -dse -die -argpromotion -disable-simplify-libcalls -inline -instcombine -loop-deletion -loop-unswitch -lowerswitch -memcpyopt -mem2reg -mergereturn" 12 | -------------------------------------------------------------------------------- /dsa/lib/DSA/README: 
-------------------------------------------------------------------------------- 1 | DSA is changed since PLDI07 in (at least) the following ways: 2 | 3 | 1) DSA tracks types per offset. 4 | 2) DSA does not assume that all clients will want to collapse a node if types 5 | conflict. Many clients don't care that an offset is used as an int or a 6 | double, they just care about the points-to result. 7 | 8 | In Progress: 9 | 10 | 1) DSA handles multiple entry points in a module. 11 | 2) Optional assumption that only legal targets are called at indirect call sites 12 | 3) Positional arguments, rather than pointer relative arguments. This handles 13 | the case where pointer and ints are assumed compatible and function pointers 14 | containing them are cast freely. 15 | 16 | -------------------------------------------------------------------------------- /dsa/include/assistDS/SimplifyLoad.h: -------------------------------------------------------------------------------- 1 | //===--------------- SimplifyLoad.cpp - Simplify load insts ---------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Derived from InstCombine 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #include "llvm/IR/Instructions.h" 15 | #include "llvm/IR/Module.h" 16 | #include "llvm/Pass.h" 17 | 18 | namespace llvm { 19 | // 20 | // Class: SimplifyLoad 21 | // 22 | class SimplifyLoad : public ModulePass { 23 | public: 24 | static char ID; 25 | SimplifyLoad() : ModulePass(ID) {} 26 | virtual bool runOnModule(Module& M); 27 | }; 28 | } 29 | 30 | -------------------------------------------------------------------------------- /testcases/README.testcases: -------------------------------------------------------------------------------- 1 | ======================= 2 | AFL starting test cases 3 | ======================= 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 8 | standalone files that can be used to seed afl-fuzz when testing parsers for a 9 | variety of common data formats. 10 | 11 | There is probably not much to be said about these files, except that they were 12 | optimized for size and stripped of any non-essential fluff. Some directories 13 | contain several examples that exercise various features of the underlying format. 14 | For example, there is a PNG file with and without a color profile. 15 | 16 | Additional test cases are always welcome. 17 | 18 | In addition to well-chosen starting files, many fuzzing jobs benefit from a 19 | small and concise dictionary. See ../dictionaries/README.dictionaries for more. 
20 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/init_script.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### creating the folder architecture necessary for the kernel build 4 | 5 | cd $HOME 6 | mkdir standalone-build 7 | sudo cp /vagrant/convert-thin-archive.sh /usr/bin/ 8 | 9 | cd standalone-build 10 | cp /vagrant/copy-missing-o.sh . 11 | cp /vagrant/copy-native-bi.sh . 12 | cp /vagrant/handle-bi.sh . 13 | cp /vagrant/copy.sh . 14 | 15 | mkdir -p arch/x86/lib 16 | mkdir -p arch/x86/kernel 17 | 18 | mkdir -p built-ins/objects/lib_assembly_objects 19 | mkdir -p built-ins/objects/arch_assembly_objects 20 | mkdir -p built-ins/objects/xlib_assembly_objects 21 | mkdir -p built-ins/objects/pow_assembly_objects 22 | mkdir -p built-ins/objects/ker_objects 23 | mkdir -p built-ins/objects/libx_objects 24 | 25 | mkdir -p built-ins/fs/objects 26 | 27 | mkdir lib/ 28 | 29 | bash /vagrant/build_linux_gllvm.sh 30 | 31 | bash copy.sh 32 | 33 | #bash /vagrant/bootable-kernel.sh 34 | -------------------------------------------------------------------------------- /dsa/include/assistDS/SimplifyExtractValue.h: -------------------------------------------------------------------------------- 1 | //===-- SimplifyExtractValue.cpp - Remove extraneous extractvalue insts----===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Simplify extractvalue 11 | // 12 | // Derived from InstCombine 13 | // 14 | //===----------------------------------------------------------------------===// 15 | 16 | #include "llvm/IR/Instructions.h" 17 | #include "llvm/IR/Module.h" 18 | #include "llvm/Pass.h" 19 | 20 | namespace llvm { 21 | // 22 | // Class: SimplifyEV 23 | // 24 | class SimplifyEV : public ModulePass { 25 | public: 26 | static char ID; 27 | SimplifyEV() : ModulePass(ID) {} 28 | virtual bool runOnModule(Module& M); 29 | }; 30 | } 31 | 32 | -------------------------------------------------------------------------------- /dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /dsa/include/assistDS/SimplifyInsertValue.h: -------------------------------------------------------------------------------- 1 | //===-- SimplifyInsertValue.cpp - Remove 
extraneous insertvalue insts------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Simplify insertvalue 11 | // Replace insertvalue by storess where possible 12 | // 13 | //===----------------------------------------------------------------------===// 14 | 15 | #include "llvm/IR/Instructions.h" 16 | #include "llvm/IR/Module.h" 17 | #include "llvm/Pass.h" 18 | 19 | namespace llvm { 20 | // 21 | // Class: SimplifyIV 22 | // 23 | class SimplifyIV : public ModulePass { 24 | public: 25 | static char ID; 26 | SimplifyIV() : ModulePass(ID) {} 27 | virtual bool runOnModule(Module& M); 28 | }; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /dsa/include/assistDS/FuncSimplify.h: -------------------------------------------------------------------------------- 1 | //===-------- ArgCast.cpp - Cast Arguments to Calls -----------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | //===----------------------------------------------------------------------===// 10 | 11 | #include "llvm/IR/Instructions.h" 12 | #include "llvm/IR/Module.h" 13 | #include "llvm/Pass.h" 14 | 15 | namespace llvm { 16 | // 17 | // Class: FuncSimplify 18 | // 19 | // Description: 20 | // Replace all internal aliases with the 21 | // aliasee value 22 | // 23 | class FuncSimplify : public ModulePass { 24 | public: 25 | static char ID; 26 | FuncSimplify() : ModulePass(ID) {} 27 | virtual bool runOnModule(Module& M); 28 | }; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /dsa/include/assistDS/MergeGEP.h: -------------------------------------------------------------------------------- 1 | //===-- MergeGEP.cpp - Merge GEPs for indexing in arrays ------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Merge chained GEPs; Specially useful for arrays inside structs 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #include "llvm/IR/DataLayout.h" 15 | #include "llvm/IR/Instructions.h" 16 | #include "llvm/IR/Module.h" 17 | #include "llvm/Pass.h" 18 | 19 | namespace llvm { 20 | // 21 | // Class: MergeArrayGEP 22 | // 23 | class MergeArrayGEP : public ModulePass { 24 | public: 25 | static char ID; 26 | MergeArrayGEP() : ModulePass(ID) {} 27 | virtual bool runOnModule(Module& M); 28 | }; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /dsa/include/assistDS/StructReturnToPointer.h: -------------------------------------------------------------------------------- 1 | //===-------- StructReturnToPointer.cpp ------------------------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // For functions that return structures, 11 | // transform them to return a pointer to the structure instead. 
12 | // 13 | //===----------------------------------------------------------------------===// 14 | 15 | #include "llvm/IR/Instructions.h" 16 | #include "llvm/IR/Module.h" 17 | #include "llvm/Pass.h" 18 | 19 | namespace llvm { 20 | // 21 | // Class: StructRet 22 | // 23 | class StructRet : public ModulePass { 24 | public: 25 | static char ID; 26 | StructRet() : ModulePass(ID) {} 27 | virtual bool runOnModule(Module& M); 28 | }; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /dsa/include/assistDS/GEPExprArgs.h: -------------------------------------------------------------------------------- 1 | 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Identify GEPs used as arguments to call sites. 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #include "llvm/IR/Instructions.h" 15 | #include "llvm/IR/Module.h" 16 | #include "llvm/Pass.h" 17 | 18 | namespace llvm { 19 | // 20 | // Class: GEPExprArgs 21 | // 22 | // Description: 23 | // Implement an LLVM pass that clones functions which are passed GEPs 24 | // as an argument 25 | // 26 | // 27 | class GEPExprArgs : public ModulePass { 28 | public: 29 | static char ID; 30 | GEPExprArgs() : ModulePass(ID) {} 31 | virtual bool runOnModule(Module& M); 32 | }; 33 | } 34 | 35 | -------------------------------------------------------------------------------- /test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - a trivial program to test the build 3 | -------------------------------------------------------- 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2014 Google Inc. All rights reserved. 
8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | uint32_t __afl_area_size; 22 | 23 | int main(int argc, char** argv) { 24 | 25 | char buf[8]; 26 | 27 | if (read(0, buf, 8) < 1) { 28 | printf("Hum?\n"); 29 | exit(1); 30 | } 31 | 32 | if (buf[0] == '0') 33 | printf("Looks like a zero to me!\n"); 34 | else 35 | printf("A non-zero value? How quaint!\n"); 36 | 37 | exit(0); 38 | 39 | } 40 | -------------------------------------------------------------------------------- /dsa/include/dsa/super_set.h: -------------------------------------------------------------------------------- 1 | /* 2 | * File: super_set.h 3 | * Author: andrew 4 | * 5 | * Created on March 10, 2010, 2:04 PM 6 | */ 7 | 8 | #ifndef _SUPER_SET_H 9 | #define _SUPER_SET_H 10 | 11 | #include "dsa/svset.h" 12 | #include 13 | 14 | // Contains stable references to a set 15 | // The sets can be grown. 
16 | 17 | template 18 | class SuperSet { 19 | //std::set provides stable iterators, and that matters a lot 20 | typedef svset InnerSetTy; 21 | typedef std::set OuterSetTy; 22 | OuterSetTy container; 23 | public: 24 | typedef const typename OuterSetTy::value_type* setPtr; 25 | 26 | setPtr getOrCreate(svset& S) { 27 | if (S.empty()) return 0; 28 | return &(*container.insert(S).first); 29 | } 30 | 31 | setPtr getOrCreate(setPtr P, Ty t) { 32 | svset s; 33 | if (P) 34 | s.insert(P->begin(), P->end()); 35 | s.insert(t); 36 | return getOrCreate(s); 37 | } 38 | }; 39 | 40 | 41 | 42 | #endif /* _SUPER_SET_H */ 43 | 44 | -------------------------------------------------------------------------------- /llvm_mode/testcases.txt: -------------------------------------------------------------------------------- 1 | - mem2reg should work 2 | - array {} of any size *not* 1,2,4,8 should be added to dictionary if followed by memcmp/strcmp/etc 3 | - array {} of size 1,2,4,8 should work 4 | example: unsigned char arr[] = {0xAA, 0xAA, 0xCC, 0xDD, 0xEE, 0xFF, 0x00 }; 5 | if ( !memcmp(hello, arr, sizeof(arr)) ) 6 | 7 | -> handled in strcompare-to-unit.so.cc 8 | 9 | - 0,1 magic values should not be broken down into small comparison for equalities 10 | - 0,1,-1 should not be broekn blabla for ine and call results 11 | - u8 a == 0xCC 12 | -> dictionary should have 1-byte value, not 4 bytes because of integer promotion 13 | handled by -instcombine 14 | -> should not be broken down because of integer prmotion 15 | handle by -instcombine 16 | - switch statement 17 | handled by -lowerswitch 18 | - libs strcat, etc should be able to *not* be added to dictionary 19 | handled in strcompare-to-unit.so.cc 20 | handled by -disable-simplify-libcalls to not optimize this into memcpy() 21 | TODO: add memcmpy() ad test again -------------------------------------------------------------------------------- /qemu_mode/patches/cpu-exec.diff: 
-------------------------------------------------------------------------------- 1 | --- qemu-2.10.0-rc3-clean/accel/tcg/cpu-exec.c 2017-08-15 11:39:41.000000000 -0700 2 | +++ qemu-2.10.0-rc3/accel/tcg/cpu-exec.c 2017-08-22 14:34:55.868730680 -0700 3 | @@ -36,6 +36,8 @@ 4 | #include "sysemu/cpus.h" 5 | #include "sysemu/replay.h" 6 | 7 | +#include "../patches/afl-qemu-cpu-inl.h" 8 | + 9 | /* -icount align implementation. */ 10 | 11 | typedef struct SyncClocks { 12 | @@ -144,6 +146,8 @@ 13 | int tb_exit; 14 | uint8_t *tb_ptr = itb->tc_ptr; 15 | 16 | + AFL_QEMU_CPU_SNIPPET2; 17 | + 18 | qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc, 19 | "Trace %p [%d: " TARGET_FMT_lx "] %s\n", 20 | itb->tc_ptr, cpu->cpu_index, itb->pc, 21 | 
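Review bot: `#include "../patches/afl-qemu-cpu-inl.h"` in the first hunk is resolved against the compiler's include search path rather than the location of cpu-exec.c, so it presumably relies on the QEMU tree sitting directly beside qemu_mode/patches/; a comment stating that expectation, `/* AFL: path is relative to the QEMU source root; expects ../patches/ beside it */`, would make the resulting build error easier to trace when the tree is relocated. The `AFL_QEMU_CPU_SNIPPET2;` insertion in the second hunk is likewise undocumented at the call site; a one-line comment naming what the snippet does when a translated block is about to execute would spare a reader from opening the header.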
@@ -365,6 +369,7 @@ 22 | if (!tb) { 23 | /* if no translated code available, then translate it now */ 24 | tb = tb_gen_code(cpu, pc, cs_base, flags, 0); 25 | + AFL_QEMU_CPU_SNIPPET1; 26 | } 27 | 28 | mmap_unlock(); 29 | -------------------------------------------------------------------------------- /dsa/include/assistDS/SimplifyGEP.h: -------------------------------------------------------------------------------- 1 | //===--------------- SimplifyGEP.cpp - Simplify GEPs types ---------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Simplify GEPs with bitcasts (mostly cloned from InstCombine) 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #include "llvm/IR/DataLayout.h" 15 | #include "llvm/IR/Instructions.h" 16 | #include "llvm/IR/Module.h" 17 | #include "llvm/Pass.h" 18 | 19 | namespace llvm { 20 | // 21 | // Class: SimplifyGEP 22 | // 23 | class SimplifyGEP : public ModulePass { 24 | private: 25 | const DataLayout * TD; 26 | public: 27 | static char ID; 28 | SimplifyGEP() : ModulePass(ID) {} 29 | virtual bool runOnModule(Module& M); 30 | virtual void getAnalysisUsage(AnalysisUsage &AU) const {} 31 | }; 32 | } 33 | 34 | -------------------------------------------------------------------------------- /dsa/include/assistDS/IndCloner.h: -------------------------------------------------------------------------------- 1 | //===-- IndCloner.h - Clone Indirectly Called Functions -------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This code defines a pass which clones functions which could potentially be 11 | // used in indirect function calls. 12 | // 13 | //===----------------------------------------------------------------------===// 14 | 15 | #include "llvm/IR/Instructions.h" 16 | #include "llvm/IR/Module.h" 17 | #include "llvm/Pass.h" 18 | 19 | namespace llvm { 20 | // 21 | // Class: IndClone 22 | // 23 | // Description: 24 | // Implement an LLVM pass that clones functions which could be used for 25 | // indirect function calls. 26 | // 27 | class IndClone : public ModulePass { 28 | public: 29 | static char ID; 30 | IndClone() : ModulePass(ID) {} 31 | virtual bool runOnModule(Module& M); 32 | }; 33 | } 34 | 35 | -------------------------------------------------------------------------------- /qemu_mode/patches/syscall.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.10.0-rc3-clean/linux-user/syscall.c 2017-08-15 11:39:41.000000000 -0700 2 | +++ qemu-2.10.0-rc3/linux-user/syscall.c 2017-08-22 14:34:03.193088186 -0700 3 | @@ -116,6 +116,8 @@ 4 | 5 | #include "qemu.h" 6 | 7 | +extern unsigned int afl_forksrv_pid; 8 | + 9 | #ifndef CLONE_IO 10 | #define CLONE_IO 0x80000000 /* Clone io context */ 11 | #endif 12 | 
@@ -11688,8 +11690,21 @@ 13 | break; 14 | 15 | case TARGET_NR_tgkill: 16 | - ret = get_errno(safe_tgkill((int)arg1, (int)arg2, 17 | - target_to_host_signal(arg3))); 18 | + 19 | + { 20 | + int pid = (int)arg1, 21 | + tgid = (int)arg2, 22 | + sig = (int)arg3; 23 | + 24 | + /* Not entirely sure if the below is correct for all architectures. */ 25 | + 26 | + if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) 27 | + pid = tgid = getpid(); 28 | + 29 | + ret = get_errno(safe_tgkill(pid, tgid, target_to_host_signal(sig))); 30 | + 31 | + } 32 | + 33 | break; 34 | 35 | #ifdef TARGET_NR_set_robust_list 36 | -------------------------------------------------------------------------------- /dsa/include/assistDS/ArgCast.h: -------------------------------------------------------------------------------- 1 | //===-------- ArgCast.cpp - Cast Arguments to Calls -----------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // Convert 10 | // call(bitcast (.., T1 arg, ...)F to(..., T2 arg, ...))(..., T2 val, ...) 11 | // to 12 | // val1 = bitcast T2 val to T1 13 | // call F (..., T1 val1, ...) 
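Review bot: The redirect condition in the added `if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT)` compares the guest's raw `arg3` against the host `SIGABRT` constant, while the kill on the following statement is issued with `target_to_host_signal(sig)`; on any target whose SIGABRT number differs from the host's the redirect would silently never fire, so the check should be `target_to_host_signal(sig) == SIGABRT`. `afl_forksrv_pid` is declared `unsigned int` in the first hunk while `pid` is `int`, so `afl_forksrv_pid == pid` is a mixed-sign comparison that `-Wsign-compare` builds will flag; a cast on one side makes the intent explicit. The hunk's own comment already records doubt about architecture coverage, and it would be more useful if it named signal-number translation as the architecture-dependent part, e.g. `/* AFL: redirect a guest SIGABRT aimed at the fork server to ourselves; signal numbers are target-specific, hence the translation. */`. The enclosing switch statement starts and ends outside the hunk.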
14 | //===----------------------------------------------------------------------===// 15 | 16 | #include "llvm/IR/Instructions.h" 17 | #include "llvm/IR/Constants.h" 18 | #include "llvm/IR/Module.h" 19 | #include "llvm/Pass.h" 20 | 21 | namespace llvm { 22 | // 23 | // Class: ArgCast 24 | // 25 | // Description: 26 | // Implement an LLVM pass that cleans up call sites that take casted args 27 | // 28 | class ArgCast : public ModulePass { 29 | public: 30 | static char ID; 31 | ArgCast() : ModulePass(ID) {} 32 | virtual bool runOnModule(Module& M); 33 | }; 34 | } 35 | 36 | -------------------------------------------------------------------------------- /libtokencap/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - libtokencap 3 | # -------------------------------- 4 | # 5 | # Written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 
11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops 22 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 23 | 24 | all: libtokencap.so 25 | 26 | libtokencap.so: libtokencap.so.c ../config.h 27 | $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) 28 | 29 | .NOTPARALLEL: clean 30 | 31 | clean: 32 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 33 | rm -f libtokencap.so 34 | 35 | install: all 36 | install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH) 37 | install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH) 38 | 39 | -------------------------------------------------------------------------------- /dsa/include/assistDS/FuncSpec.h: -------------------------------------------------------------------------------- 1 | //===-- FuncSpec.cpp - Clone Functions With Constant Function Ptr Args ----===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This pass clones functions that take constant function pointers as arguments 11 | // from some call sites. It changes those call sites to call cloned functions. 
12 | // 13 | //===----------------------------------------------------------------------===// 14 | 15 | #include "llvm/IR/Instructions.h" 16 | #include "llvm/IR/Module.h" 17 | #include "llvm/Pass.h" 18 | 19 | namespace llvm { 20 | // 21 | // Class: FuncSpec 22 | // 23 | // Description: 24 | // Implement an LLVM pass that clones functions which are passed 25 | // as an argument 26 | // 27 | // 28 | class FuncSpec : public ModulePass { 29 | public: 30 | static char ID; 31 | FuncSpec() : ModulePass(ID) {} 32 | virtual bool runOnModule(Module& M); 33 | }; 34 | } 35 | 36 | -------------------------------------------------------------------------------- /dsa/include/assistDS/Int2PtrCmp.h: -------------------------------------------------------------------------------- 1 | //===-- Int2PtrCmp.cpp - Merge inttoptr/ptrtoint --------------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Remove unnecessary inttoptr casts 11 | // Especially ones used only in compares 12 | // Most cases derived from InstCombine 13 | // 14 | //===----------------------------------------------------------------------===// 15 | 16 | #include "llvm/IR/DataLayout.h" 17 | #include "llvm/IR/Instructions.h" 18 | #include "llvm/IR/Module.h" 19 | #include "llvm/Pass.h" 20 | 21 | 22 | namespace llvm { 23 | // 24 | // Class: Int2PtrCmp 25 | // 26 | // 27 | class Int2PtrCmp : public ModulePass { 28 | private: 29 | const DataLayout * TD; 30 | public: 31 | static char ID; 32 | Int2PtrCmp() : ModulePass(ID) {} 33 | virtual bool runOnModule(Module& M); 34 | virtual void getAnalysisUsage(AnalysisUsage &AU) const {} 35 | 36 | }; 37 | } 38 | 39 | -------------------------------------------------------------------------------- /dsa/include/assistDS/LoadArgs.h: -------------------------------------------------------------------------------- 1 | //===-- LoadArgs.cpp - Promote args if they came from loads ---------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // Identify calls that are passed arguments that are LoadInsts. 11 | // Pass the original pointer instead. Helps improve some 12 | // context sensitivity. 
13 | // 14 | //===----------------------------------------------------------------------===// 15 | 16 | #include "llvm/IR/Instructions.h" 17 | #include "llvm/IR/Module.h" 18 | #include "llvm/Pass.h" 19 | 20 | namespace llvm { 21 | // 22 | // Class: LoadArgs 23 | // 24 | // Description: 25 | // Implement an LLVM pass that clones functions which are passed loads 26 | // as an argument 27 | // 28 | // 29 | class LoadArgs : public ModulePass { 30 | public: 31 | static char ID; 32 | LoadArgs() : ModulePass(ID) {} 33 | virtual bool runOnModule(Module& M); 34 | }; 35 | } 36 | 37 | -------------------------------------------------------------------------------- /utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef AFL_LLVM_RT 4 | # define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__) 5 | # define ASSERT(x) if (!(x)) { printf("assert( " #x " ) failed in file %s at line %u\n", __FILENAME__, __LINE__); exit(-1); } 6 | #endif 7 | 8 | static inline u32 get_bbmap_size(u32 size) { 9 | return (((size - 1) / 8) + 1); 10 | } 11 | 12 | static inline u32 get_map_size(u32 size) { 13 | ASSERT(size); 14 | size = (((size - 1) / 8) + 1); 15 | ASSERT((size <= (u32)(-1) / 8) && "Map size too large"); 16 | return size * 8; 17 | } 18 | 19 | static inline void set_bit_from_bb_id(u8 * bb_trace_map, u32 trace_map_size, u32 bb_id) { 20 | u32 byte_n = bb_id / 8; 21 | u32 bit = (bb_id & 7); 22 | ASSERT(byte_n < trace_map_size); /* Sanity check things work as expected... */ 23 | bb_trace_map[byte_n] |= (1 << bit); 24 | } 25 | 26 | static inline u8 get_bit_from_bb_id(u8 * bb_trace_map, u32 trace_map_size, u32 bb_id) { 27 | u32 byte_n = bb_id / 8; 28 | u32 bit = (bb_id & 7); 29 | ASSERT(byte_n < trace_map_size); /* Sanity check things work as expected... 
*/ 30 | return !!(bb_trace_map[byte_n] & (1 << bit)); 31 | } 32 | -------------------------------------------------------------------------------- /libdislocator/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - libdislocator 3 | # ---------------------------------- 4 | # 5 | # Written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops 22 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 23 | 24 | all: libdislocator.so 25 | 26 | libdislocator.so: libdislocator.so.c ../config.h 27 | $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) 28 | 29 | .NOTPARALLEL: clean 30 | 31 | clean: 32 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 33 | rm -f libdislocator.so 34 | 35 | install: all 36 | install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH) 37 | install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH) 38 | 39 | -------------------------------------------------------------------------------- /qemu_mode/patches/elfload.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.10.0-rc3-clean/linux-user/elfload.c 2017-08-15 11:39:41.000000000 -0700 2 | +++ qemu-2.10.0-rc3/linux-user/elfload.c 2017-08-22 14:33:57.397127516 -0700 3 | @@ -20,6 +20,8 @@ 4 | 5 | #define ELF_OSABI ELFOSABI_SYSV 6 | 7 | +extern abi_ulong afl_entry_point, afl_start_code, afl_end_code; 8 | + 9 | /* from personality.h */ 10 | 11 | /* 12 | 
@@ -2085,6 +2087,8 @@ 13 | info->brk = 0; 14 | info->elf_flags = ehdr->e_flags; 15 | 16 | + if (!afl_entry_point) afl_entry_point = info->entry; 17 | + 18 | for (i = 0; i < ehdr->e_phnum; i++) { 19 | struct elf_phdr *eppnt = phdr + i; 20 | if (eppnt->p_type == PT_LOAD) { 21 | 
@@ -2118,9 +2122,11 @@ 22 | if (elf_prot & PROT_EXEC) { 23 | if (vaddr < info->start_code) { 24 | info->start_code = vaddr; 25 | + if (!afl_start_code) afl_start_code = vaddr; 26 | } 27 | if (vaddr_ef > info->end_code) { 28 | info->end_code = vaddr_ef; 29 | + if (!afl_end_code) afl_end_code = vaddr_ef; 30 | } 31 | } 32 | if (elf_prot & PROT_WRITE) { 33 | -------------------------------------------------------------------------------- /make_autodict.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # objdump -d "${1}" | grep -Eo '\$0x[0-9a-f]+' | cut -c 2- | sort -u | while read const; do echo $const | python -c 'import sys, struct; sys.stdout.write("".join(struct.pack(" testcases/$const; done 4 | # i=0; strings "${1}"| while read line; do echo -n "$line" > testcases/string_${i} ; i=$[ $i + 1 ] ; done 5 | 6 | if [ "$#" -ne 1 ]; then 7 | echo "Illegal number of parameters" 8 | echo "$0 /path/to/executable" 9 | echo "Example: $0 /bin/ls" 10 | exit 1 11 | fi 12 | 13 | EXE="$1" 14 | DICT=$EXE-auto.dict 15 | rm $DICT 2>/dev/null 16 | 17 | 18 | L=$(objdump -d $EXE | grep -Eo '\$0x[0-9a-f]+' | cut -c 2- | sort -u) 19 | 20 | echo "length:" $(echo $L | wc -w) ... Be patient 21 | i=0 22 | 23 | # this adds a 0 in front if the value is does not contain an even number of characters 24 | # it also transforms 0x into \x 25 | for v in $L 26 | do 27 | v=$(echo $v | sed "s/0x//g") 28 | length=$(echo -n $v | wc -c) 29 | if [ $((length%2)) -eq 1 ]; then 30 | v="0${v}" 31 | fi 32 | 33 | v="\\x${v}" 34 | echo auto_value=\"$v\" >> $DICT 35 | 36 | i=$((i+1)) 37 | i=$(expr $i % 1000) 38 | if [ $i -eq 0 ]; then 39 | echo -n . 
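Review bot: The added `if (!afl_end_code) afl_end_code = vaddr_ef;` records only the first executable PT_LOAD segment, whereas the neighbouring `info->end_code` update keeps the maximum across segments, so for an image with more than one executable segment `afl_end_code` can end up below the real end of code; the same first-writer-wins guard is used for `afl_start_code` two lines above and for `afl_entry_point` in the previous hunk. If this is deliberate so that later-loaded images (presumably the ELF interpreter, if it passes through the same loader) do not overwrite the main binary's range, a comment should say so, e.g. `/* AFL: keep only the first loaded image's code range; later loads must not widen it. */`. Either way, zero doubles as the "unset" sentinel, so a segment legitimately mapped at address 0 would be re-recorded on the next iteration; unlikely for a code segment, but worth a note. The enclosing loop over program headers starts and ends outside the hunk.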
40 | fi 41 | done 42 | 43 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/full-script.sh: -------------------------------------------------------------------------------- 1 | export home=/home/pn/perso/bcfull 2 | export ker=/home/pn/perso/linux-stable 3 | 4 | cd $ker 5 | python parse-bi.py fs/built-in.o fs/out.sh ../bcfull/instrfs 999 6 | 7 | cd $home 8 | bash copy.sh 9 | 10 | ld --build-id -T ./arch/x86/kernel/vmlinux.lds --whole-archive built-ins/sep_objs/ker_objects/head_64.o \ 11 | built-ins/sep_objs/ker_objects/head64.o built-ins/sep_objs/ker_objects/ebda.o built-ins/sep_objs/ker_objects/platform-quirks.o\ 12 | built-ins/inibibc.o built-ins/sep_objs/ker_objects/initramfs_data.o built-ins/arcbibc.o built-ins/sep_objs/arch_assembly_objects/* \ 13 | built-ins/kerbibc.o built-ins/mmbibc.o \@instrfs built-ins/ipcbibc.o built-ins/secbibc.o built-ins/cptbibc.o built-ins/blkbibc.o \ 14 | built-ins/libbibc.o built-ins/sep_objs/lib_assembly_objects/* built-ins/xlibbibc.o built-ins/sep_objs/xlib_assembly_objects/* \ 15 | built-ins/dribi.o built-ins/sndbibc.o built-ins/pcibibc.o built-ins/powbibc.o built-ins/sep_objs/pow_assembly_objects/* \ 16 | built-ins/vidbibc.o built-ins/netbibc.o --no-whole-archive --start-group lib/lib.a.o arch/x86/lib/lib.a.o \ 17 | built-ins/sep_objs/libx_objects/* .tmp_kallsyms2.o --end-group -o vmlinux 18 | 19 | cp vmlinux ../linux-stable-clang/ 20 | cd ../linux-stable-clang 21 | ./install.sh 22 | sudo reboot 23 | -------------------------------------------------------------------------------- /dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 
7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /dsa/include/dsa/stl_util.h: -------------------------------------------------------------------------------- 1 | #ifndef _DSA_STL_UTIL_H_ 2 | #define _DSA_STL_UTIL_H_ 3 | 4 | #include "llvm/ADT/ilist.h" 5 | #include 6 | #include 7 | #include 8 | 9 | namespace llvm { 10 | 11 | // Splicing one container into another as efficiently as we can 12 | template 13 | inline void splice(std::list& Dst, std::list& Src) { 14 | Dst.splice(Dst.end(), Src); 15 | } 16 | template 17 | inline void splice(ilist& Dst, ilist& Src) { 18 | Dst.splice(Dst.end(), Src); 19 | } 20 | 21 | template 22 | static void splice(std::vector& Dst, std::vector& Src) { 23 | if (Dst.empty()) 24 | Dst.swap(Src); 25 | else { 26 | Dst.insert(Dst.end(), Src.begin(), Src.end()); 27 | Src.clear(); 28 | } 29 | } 30 | 31 | 
template 32 | inline void splice(std::map& Dst, std::map& Src) { 33 | if (Dst.empty()) 34 | Dst.swap(Src); 35 | else { 36 | Dst.insert(Src.begin(), Src.end()); 37 | Src.clear(); 38 | } 39 | } 40 | 41 | // Efficient sort 42 | template 43 | inline void sort(std::vector& L) { 44 | std::sort(L.begin(), L.end()); 45 | } 46 | 47 | template 48 | inline void sort(std::list& L) { 49 | L.sort(); 50 | } 51 | 52 | } // end namespace llvm 53 | #endif // _DSA_STL_UTIL_H_ 54 | 55 | -------------------------------------------------------------------------------- /setup-aflc-gclang.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LIB_DIR="$( cd "$(dirname "$0")" ; pwd -P )" 4 | . $LIB_DIR/library.sh 5 | 6 | DIR=$LIB_DIR 7 | 8 | # # SETUP_DIR="`dirname \"$0\"`" 9 | # # SETUP_DIR="`( cd \"${SETUP_DIR}\" && pwd )`" 10 | SUDO= 11 | EUID="$(id -u)" 12 | if [ "$EUID" != "0" ]; then 13 | SUDO=sudo 14 | fi 15 | run_command "Installing go" $SUDO add-apt-repository -y ppa:gophers/archive && $SUDO apt-get update && $SUDO apt-get -y install golang-1.10-go 16 | 17 | run_command "cd $DIR" cd $DIR 18 | 19 | # note: we could also use wllvm which is the python version available at https://github.com/SRI-CSL/whole-program-llvm 20 | # i use the go version because it's supposed to be faster... available at https://github.com/SRI-CSL/gllvm.git 21 | # run_command "Cloning repo gclang" git clone https://github.com/SRI-CSL/gllvm.git 22 | 23 | # compile the .go files 24 | GO=/usr/lib/go-1.10/bin/go 25 | if [ ! -f $GO ]; then 26 | fatal "Cannot find go binary." 
27 | fi 28 | 29 | 30 | run_command "Compiling go gclang" $GO build -o gclang $LIB_DIR/gllvm/cmd/gclang/main.go 31 | 32 | run_command "Compiling go gclang++" $GO build -o gclang++ $LIB_DIR/gllvm/cmd/gclang++/main.go 33 | 34 | run_command "Compiling go get-bc" $GO build -o get-bc $LIB_DIR/gllvm/cmd/get-bc/main.go 35 | 36 | run_command "Compiling go gsanity-check" $GO build -o gsanity-check $LIB_DIR/gllvm/cmd/gsanity-check/main.go 37 | 38 | exit 0 39 | 40 | -------------------------------------------------------------------------------- /dsa/include/assistDS/TypeChecksOpt.h: -------------------------------------------------------------------------------- 1 | //===---------- TypeChecksOpt.h - Remove safe runtime type checks ---------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This pass removes type checks that are statically proven safe 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #ifndef TYPE_CHECKS_OPT_H 15 | #define TYPE_CHECKS_OPT_H 16 | 17 | #include "dsa/TypeSafety.h" 18 | 19 | #include "llvm/Pass.h" 20 | #include "llvm/IR/DataLayout.h" 21 | #include "llvm/IR/Instructions.h" 22 | #include "llvm/IR/CallSite.h" 23 | 24 | #include 25 | 26 | namespace llvm { 27 | 28 | class Type; 29 | class Value; 30 | 31 | class TypeChecksOpt : public ModulePass { 32 | 33 | private: 34 | 35 | // Analysis from other passes. 
36 | dsa::TypeSafety *TS; 37 | std::list toDelete; 38 | 39 | public: 40 | static char ID; 41 | TypeChecksOpt() : ModulePass(ID) {} 42 | virtual bool runOnModule(Module &M); 43 | 44 | virtual void getAnalysisUsage(AnalysisUsage &AU) const { 45 | AU.addRequired >(); 46 | } 47 | 48 | }; 49 | 50 | } // End llvm namespace 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /llvm_mode/afl-llvm-pass-parent.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "utils.h" 4 | 5 | #include "llvm/IR/Module.h" 6 | 7 | typedef enum { 8 | DICT_NORMAL = 0, 9 | DICT_OPTIMIZED 10 | } DICT_TYPE; 11 | 12 | typedef enum { 13 | BUILD_FUZZING = 0, 14 | BUILD_COVERAGE 15 | } BUILD_TYPE; 16 | 17 | 18 | class AFLPassParent { 19 | 20 | public: 21 | 22 | AFLPassParent(); 23 | virtual ~AFLPassParent() {} 24 | 25 | protected: 26 | typedef std::set< std::pair > CoverageInfo_t; 27 | 28 | void createAreaSizeFunction(llvm::Module& M, uint32_t Size); 29 | void createBBAreaSizeFunction(llvm::Module& M, uint32_t Size); 30 | bool isDictRecordedToBB(llvm::BasicBlock & BB); 31 | void recordToDict(utils::DictElt2 elmt, utils::Dict2_t & dict, unsigned id); 32 | void recordDictToEdgeMapping(llvm::BasicBlock & BB, utils::Dict2_t & dict, unsigned id); 33 | uint64_t generateBuildID(void); 34 | void writeMapSizeToFile(uint32_t size); 35 | void writeBBSizeToFile(uint32_t size); 36 | void writeBuildIDToFile(uint64_t buildID); 37 | void writeDictToFile(utils::Dict2_t & dict, uint64_t buildID, BUILD_TYPE buildType, DICT_TYPE dictType); 38 | void writeSrcToEdgeMappingToFile(CoverageInfo_t & coverageInfo); 39 | DICT_TYPE getDictType(void); 40 | BUILD_TYPE getBuildType(void); 41 | 42 | private: 43 | void _writeSizeToFile(uint32_t size, const char * env); 44 | void _createAreaSizeFunction(llvm::Module& M, uint32_t Size, const char * fName); 45 | }; 46 | 
-------------------------------------------------------------------------------- /dsa/include/dsa/AddressTakenAnalysis.h: -------------------------------------------------------------------------------- 1 | //===-- AddressTakenAnalysis.h - Identify address Taken Values-------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This pass helps find which functions are address taken in a module. 11 | // Functions are considered to be address taken if they are either stored, 12 | // or passed as arguments to functions. 13 | // 14 | //===----------------------------------------------------------------------===// 15 | 16 | #ifndef _ADDRESSTAKENANALYSIS_H 17 | #define _ADDRESSTAKENANALYSIS_H 18 | 19 | #include "llvm/Pass.h" 20 | 21 | #include 22 | #include 23 | 24 | namespace llvm { 25 | class Function; 26 | class Module; 27 | class Instruction; 28 | 29 | class AddressTakenAnalysis : public llvm::ModulePass { 30 | std::set addressTakenFunctions; 31 | public: 32 | static char ID; 33 | AddressTakenAnalysis() : ModulePass (ID) {} 34 | virtual ~AddressTakenAnalysis(); 35 | 36 | bool runOnModule(llvm::Module&); 37 | 38 | virtual void getAnalysisUsage(llvm::AnalysisUsage &Info) const; 39 | 40 | bool hasAddressTaken(llvm::Function *); 41 | 42 | }; 43 | 44 | extern char &AddressTakenAnalysisID; 45 | 46 | } 47 | 48 | #endif /* _ADDRESSTAKENANALYSIS_H */ 49 | 50 | -------------------------------------------------------------------------------- /python_libs/storage.py: -------------------------------------------------------------------------------- 1 | import cPickle as pickle 2 | import os, glob 3 | import errno 4 | 5 | def save_object(fn, data): 6 | with open(fn, "wb") as output_file: 7 | 
pickle.dump( data, output_file ) 8 | 9 | def read_object(fn): 10 | with open(fn, "rb") as input_file: 11 | return pickle.load(input_file) 12 | 13 | def read_file(fn, byline): 14 | if byline: 15 | with open(fn, 'r') as f: 16 | return f.readlines() 17 | else: 18 | with open(fn, 'rb') as f: 19 | return f.read() 20 | return None 21 | 22 | def removedir(thedir): 23 | if os.path.isdir(thedir): 24 | import shutil 25 | shutil.rmtree(thedir, ignore_errors=True) 26 | 27 | 28 | def silentmkdir(dirname): 29 | try: 30 | os.makedirs(dirname) 31 | except OSError as e: 32 | if e.errno != errno.EEXIST: 33 | raise 34 | 35 | def new_mkdir(dirname): 36 | removedir(dirname) 37 | silentmkdir(dirname) 38 | 39 | def silent_rmfile(filename): 40 | try: 41 | os.remove(filename) 42 | except OSError as e: # this would be "except OSError, e:" before Python 2.6 43 | if e.errno != errno.ENOENT: # errno.ENOENT = no such file or directory 44 | raise # re-raise exception if a different error occurred 45 | 46 | def file_endswith(infolder, end): 47 | allFiles = [] 48 | os.chdir(infolder) 49 | return glob.glob("*" + end) 50 | 51 | def isdir(fn): 52 | return os.path.isdir(fn) 53 | 54 | def dir_exists(fn): 55 | return isdir(fn) 56 | 57 | def isfile(fn): 58 | return os.path.isfile(fn) 59 | 60 | def file_exists(fn): 61 | return isfile(fn) 62 | 63 | -------------------------------------------------------------------------------- /dsa/lib/AssistDS/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - LLVM instrumentation 3 | # ----------------------------------------- 4 | # 5 | # Written by Laszlo Szekeres and 6 | # Michal Zalewski 7 | # 8 | # LLVM integration design comes from Laszlo Szekeres. 9 | # 10 | # Copyright 2015, 2016 Google Inc. All rights reserved. 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 
14 | # You may obtain a copy of the License at: 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | 19 | ifeq ($(LLVM_CONFIG),) 20 | $(error LLVM_CONFIG is not set) 21 | endif 22 | 23 | 24 | CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` $(CXXFLAGS) 25 | CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) 26 | LLVM_VERSION = `$(LLVM_CONFIG) --version` 27 | 28 | 29 | ifeq "$(origin CC)" "default" 30 | CC = `$(LLVM_CONFIG) --bindir`/clang 31 | CXX = `$(LLVM_CONFIG) --bindir`/clang++ 32 | endif 33 | 34 | 35 | INCLUDES = -I../../include 36 | SOURCES = $(shell find . -type f -name '*.cpp') 37 | OBJECTS = $(SOURCES:.cpp=.o) 38 | 39 | SHARED_LIB = ../../AssistDS.so 40 | 41 | 42 | all: $(SHARED_LIB) 43 | 44 | 45 | $(SHARED_LIB): $(OBJECTS) 46 | $(CXX) $(INCLUDES) $(CLANG_CFL) -shared $^ -o $@ $(CLANG_LFL) 47 | 48 | %.o: %.cpp 49 | $(CXX) $(INCLUDES) $(CLANG_CFL) -c $< -o $@ 50 | 51 | # %.o: %.cpp 52 | # $(CXX) -c $(CPPFLAGS) $< -o $@ 53 | 54 | clean: 55 | rm -f *.o *.so *~ 56 | rm -f $(SHARED_LIB) 57 | -------------------------------------------------------------------------------- /dsa/lib/DSA/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - LLVM instrumentation 3 | # ----------------------------------------- 4 | # 5 | # Written by Laszlo Szekeres and 6 | # Michal Zalewski 7 | # 8 | # LLVM integration design comes from Laszlo Szekeres. 9 | # 10 | # Copyright 2015, 2016 Google Inc. All rights reserved. 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 
14 | # You may obtain a copy of the License at: 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | 19 | ifeq ($(LLVM_CONFIG),) 20 | $(error LLVM_CONFIG is not set) 21 | endif 22 | 23 | 24 | CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` $(CXXFLAGS) 25 | CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) 26 | LLVM_VERSION = `$(LLVM_CONFIG) --version` 27 | 28 | 29 | ifeq "$(origin CC)" "default" 30 | CC = `$(LLVM_CONFIG) --bindir`/clang 31 | CXX = `$(LLVM_CONFIG) --bindir`/clang++ 32 | endif 33 | 34 | 35 | INCLUDES = -I../../include 36 | SOURCES = $(shell find . -type f -name '*.cpp') 37 | OBJECTS = $(SOURCES:.cpp=.o) 38 | 39 | SHARED_LIB = ../../LLVMDataStructure.so 40 | 41 | 42 | all: $(SHARED_LIB) 43 | 44 | 45 | $(SHARED_LIB): $(OBJECTS) 46 | $(CXX) $(INCLUDES) $(CLANG_CFL) -shared $^ -o $@ $(CLANG_LFL) 47 | 48 | %.o: %.cpp 49 | $(CXX) $(INCLUDES) $(CLANG_CFL) -c $< -o $@ 50 | 51 | # %.o: %.cpp 52 | # $(CXX) -c $(CPPFLAGS) $< -o $@ 53 | 54 | clean: 55 | rm -f *.o *.so *~ 56 | rm -f $(SHARED_LIB) 57 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/parse-bi.py: -------------------------------------------------------------------------------- 1 | import sys 2 | arbi = sys.argv[1] 3 | outs= sys.argv[2] 4 | outlists = sys.argv[3] 5 | bc_pos= int(sys.argv[4]) 6 | 7 | arg1 = arbi.split('/') 8 | folder = arg1[0] 9 | bi = open(arbi,"r") 10 | out= open(outs,"w") 11 | outlist= open (outlists,"w") 12 | 13 | dir_set = [] 14 | for line in bi.readlines(): 15 | line_words = line.split('/') 16 | if line_words[0] not in dir_set: 17 | dir_set.append(line_words[0]) 18 | 19 | out.writelines("export build_home=$HOME/standalone-build\n") 20 | 21 | for direc in dir_set[2:-1]: 22 | if direc[-2:] == ".o": 23 | out.writelines("get-bc -b "+direc+"\n") 24 | out.writelines("cp "+ direc+".bc $build_home/built-ins/"+folder+"/objects \n") 25 | out.writelines("cp "+ direc+" $build_home/built-ins/"+folder+"/objects \n \n") 26 | 
else: 27 | out.writelines("convert-thin-archive.sh "+direc+"/built-in.o \n") 28 | out.writelines("get-bc -b "+direc+"/built-in.o \n") 29 | out.writelines("cp "+ direc+"/built-in.o.a.bc $build_home/built-ins/"+folder+"/"+direc+"bi.o.bc \n") 30 | out.writelines("cp "+ direc+"/built-in.o.new $build_home/built-ins/"+folder+"/"+direc+"bi.o \n \n") 31 | n=0 32 | for direc in dir_set[2:-1]: 33 | outlist.writelines("built-ins/"+folder+"/") 34 | 35 | if direc[-2:] == ".o": 36 | 37 | outlist.writelines("objects/") 38 | outlist.writelines(direc[:-2] + "bc.o ") 39 | else: 40 | if (bc_pos==-1 or n<=bc_pos) and n!=7: 41 | outlist.writelines(direc + "bibc.o ") 42 | else: 43 | outlist.writelines(direc + "bi.o ") 44 | n+=1 45 | 46 | -------------------------------------------------------------------------------- /dsa/include/dsa/EntryPointAnalysis.h: -------------------------------------------------------------------------------- 1 | //===-- EntryPointAnalysis.h - Entry point Finding Pass -------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This is a general way of finding entry points in a system. Simple programs 11 | // will use the main version. Libraries and OS kernels can have more 12 | // specialized versions. 
13 | // 14 | //===----------------------------------------------------------------------===// 15 | 16 | #ifndef _ENTRYPOINTANALYSIS_H 17 | #define _ENTRYPOINTANALYSIS_H 18 | 19 | namespace llvm { 20 | class Function; 21 | class Module; 22 | } 23 | 24 | #include 25 | #include "llvm/Pass.h" 26 | 27 | class EntryPointAnalysis : public llvm::ModulePass { 28 | std::set names; 29 | bool haveNames; 30 | public: 31 | static char ID; 32 | EntryPointAnalysis(); 33 | virtual ~EntryPointAnalysis(); 34 | 35 | /// print - Print out the analysis results... 36 | /// 37 | void print(llvm::raw_ostream &O, const llvm::Module *M) const; 38 | 39 | bool runOnModule(llvm::Module&); 40 | 41 | virtual void getAnalysisUsage(llvm::AnalysisUsage &Info) const; 42 | 43 | bool isEntryPoint(const llvm::Function* F) const; 44 | 45 | void findEntryPoints(const llvm::Module& M, 46 | std::vector& dest) const; 47 | 48 | }; 49 | 50 | 51 | 52 | #endif /* _ENTRYPOINTANALYSIS_H */ 53 | 54 | -------------------------------------------------------------------------------- /gllvm/LICENSE: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 2 | Redistribution and use in source and binary forms, with or without modification, 3 | are permitted provided that the following conditions are met: 4 | 5 | * Redistributions of source code must retain the above copyright notice, this 6 | list of conditions and the following disclaimer. 7 | 8 | * Redistributions in binary form must reproduce the above copyright notice, this 9 | list of conditions and the following disclaimer in the documentation and/or 10 | other materials provided with the distribution. 11 | 12 | * Neither the name of SRI International nor the names of its contributors may be 13 | used to endorse or promote products derived from this software without 14 | specific prior written permission. 
15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 20 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 23 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /dsa/include/dsa/Steensgaard.hh: -------------------------------------------------------------------------------- 1 | #ifndef __STEENSGAARD_HH_ 2 | #define __STEENSGAARD_HH_ 3 | #include "dsa/DataStructure.h" 4 | 5 | namespace llvm 6 | { 7 | /// SteensgaardsDataStructures - Analysis that computes a context-insensitive 8 | /// data structure graphs for the whole program. 
9 | /// 10 | class SteensgaardDataStructures : public DataStructures { 11 | DSGraph * ResultGraph; 12 | DataStructures * DS; 13 | void ResolveFunctionCall (const Function *F, const DSCallSite &Call, 14 | DSNodeHandle &RetVal); 15 | bool runOnModuleInternal(Module &M); 16 | 17 | public: 18 | static char ID; 19 | SteensgaardDataStructures() : 20 | DataStructures(ID, "steensgaard."), 21 | ResultGraph(NULL) {} 22 | virtual ~SteensgaardDataStructures() {} 23 | virtual bool runOnModule(Module &M); 24 | virtual void releaseMemory(); 25 | 26 | virtual void getAnalysisUsage(AnalysisUsage &AU) const 27 | { 28 | AU.addRequired(); 29 | AU.setPreservesAll(); 30 | } 31 | 32 | /// getDSGraph - Return the data structure graph for the specified function. 33 | /// 34 | virtual DSGraph *getDSGraph(const Function& F) const 35 | { 36 | return F.isDeclaration () ? NULL : getResultGraph(); 37 | } 38 | 39 | virtual bool hasDSGraph(const Function& F) const {return !F.isDeclaration ();} 40 | virtual DSGraph* getOrCreateGraph (const Function *F) {return getResultGraph ();} 41 | 42 | 43 | /// getDSGraph - Return the data structure graph for the whole program. 44 | /// 45 | DSGraph *getResultGraph() const {return ResultGraph;} 46 | 47 | void print(llvm::raw_ostream &O, const Module *M) const; 48 | }; 49 | 50 | extern char &SteensgaardDataStructuresID; 51 | } 52 | 53 | 54 | #endif 55 | -------------------------------------------------------------------------------- /gllvm/cmd/gsanity-check/main.go: -------------------------------------------------------------------------------- 1 | // 2 | // OCCAM 3 | // 4 | // Copyright (c) 2017, SRI International 5 | // 6 | // All rights reserved. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, this 12 | // list of conditions and the following disclaimer. 
13 | // 14 | // * Redistributions in binary form must reproduce the above copyright notice, 15 | // this list of conditions and the following disclaimer in the documentation 16 | // and/or other materials provided with the distribution. 17 | // 18 | // * Neither the name of SRI International nor the names of its contributors may 19 | // be used to endorse or promote products derived from this software without 20 | // specific prior written permission. 21 | // 22 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 26 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | // 33 | 34 | package main 35 | 36 | import "../../shared" 37 | 38 | func main() { 39 | 40 | shared.SanityCheck() 41 | 42 | } 43 | -------------------------------------------------------------------------------- /dsa/include/dsa/AllocatorIdentification.h: -------------------------------------------------------------------------------- 1 | //===-- AllocatorIdentification.h - Identify alloc wrappers --------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // Identify malloc/free wrappers. 10 | //===----------------------------------------------------------------------===// 11 | 12 | #ifndef _ALLOCATORIDENTIFICATION_H 13 | #define _ALLOCATORIDENTIFICATION_H 14 | 15 | #include 16 | #include "llvm/Pass.h" 17 | #include "llvm/IR/Value.h" 18 | 19 | namespace llvm { 20 | class Function; 21 | class Module; 22 | class Instruction; 23 | 24 | class AllocIdentify : public llvm::ModulePass { 25 | protected: 26 | std::set allocators; 27 | std::set deallocators; 28 | bool flowsFrom(Value *Dest,Value *Src); 29 | 30 | public: 31 | std::set::iterator alloc_begin() { 32 | return allocators.begin(); 33 | } 34 | std::set::iterator alloc_end() { 35 | return allocators.end(); 36 | } 37 | std::set::iterator dealloc_begin() { 38 | return deallocators.begin(); 39 | } 40 | std::set::iterator dealloc_end() { 41 | return deallocators.end(); 42 | } 43 | static char ID; 44 | AllocIdentify(); 45 | virtual ~AllocIdentify(); 46 | bool runOnModule(llvm::Module&); 47 | virtual void getAnalysisUsage(llvm::AnalysisUsage &Info) const; 48 | virtual const char * getPassName() const { 49 | return "Allocator Identification Analysis (find malloc/free wrappers)"; 50 | } 51 | }; 52 | 53 | extern char &AllocIdentifyID; 54 | } 55 | 56 | #endif /* _ALLOCATORIDENTIFICATION_H */ 57 | 58 | -------------------------------------------------------------------------------- /dictionaries/xml.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 
6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="" 61 | tag_doctype="" 68 | tag_open_close="" 69 | tag_open_exclamation="" 72 | tag_xml_q="" 73 | -------------------------------------------------------------------------------- /experimental/README.experiments: -------------------------------------------------------------------------------- 1 | Here's a quick overview of the stuff you can find in this directory: 2 | 3 | - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed 4 | (e.g., to test setuid programs). 5 | 6 | - asan_cgroups - a contributed script to simplify fuzzing ASAN 7 | binaries with robust memory limits on Linux. 
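#!/bin/sh
#
# american fuzzy lop - clang assembly normalizer
# ----------------------------------------------
#
# Written and maintained by Michal Zalewski
# The idea for this wrapper comes from Ryan Govostes.
#
# Copyright 2013, 2014 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# This 'as' wrapper should allow you to instrument unruly, hand-written
# assembly with afl-as: the input file is first re-emitted as plain
# assembler text by clang's integrated assembler (-cc1as) into a temporary
# file, and that normalized file is then handed to afl-as together with the
# original assembler command line.
#
# Usage:
#
#   export AFL_REAL_PATH=/path/to/directory/with/afl-as/
#   AFL_PATH=/path/to/this/directory/ make clean all

# The compiler driver always passes at least one option plus the input
# file; with fewer arguments we are being run by hand, which is not supported.
if [ "$#" -lt "2" ]; then
  echo "[-] Error: this utility can't be called directly." 1>&2
  exit 1
fi

if [ "$AFL_REAL_PATH" = "" ]; then
  echo "[-] Error: AFL_REAL_PATH not set!" 1>&2
  exit 1
fi

if [ ! -x "$AFL_REAL_PATH/afl-as" ]; then
  echo "[-] Error: AFL_REAL_PATH does not contain the 'afl-as' binary." 1>&2
  exit 1
fi

unset __AFL_AS_CMDLINE __AFL_FNAME

# Split the argument list: the last argument is the assembly input file,
# everything before it is the assembler command line forwarded to afl-as.
while [ ! "$#" = "0" ]; do

  if [ "$#" = "1" ]; then
    __AFL_FNAME="$1"
  else
    __AFL_AS_CMDLINE="${__AFL_AS_CMDLINE} $1"
  fi

  shift

done

test "$TMPDIR" = "" && TMPDIR=/tmp

# mktemp creates the file atomically under a random name. $TMPDIR is quoted
# so a directory containing whitespace is not split into several template
# arguments.
TMPFILE=`mktemp "$TMPDIR/.afl-XXXXXXXXXX.s"`

test "$TMPFILE" = "" && exit 1

# Remove the temporary file on every exit path. Previously it was only
# removed on the two explicit exits below, so a Ctrl-C or a kill while clang
# or afl-as was running left stray .afl-*.s files behind in $TMPDIR. The
# signal traps turn the signal into a normal exit so the EXIT trap runs.
trap 'rm -f "$TMPFILE"' EXIT
trap 'exit 130' HUP INT TERM

clang -cc1as -filetype asm -output-asm-variant 0 "${__AFL_FNAME}" >"$TMPFILE"

ERR="$?"

if [ ! "$ERR" = "0" ]; then
  exit "$ERR"
fi

# ${__AFL_AS_CMDLINE} is intentionally unquoted: it is a space-separated
# list of options that has to be re-split into individual arguments.
"$AFL_REAL_PATH/afl-as" ${__AFL_AS_CMDLINE} "$TMPFILE"

ERR="$?"

exit "$ERR"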
32 | CLANG_LIBS = -Wl,--start-group \ 33 | -lclangTooling\ 34 | -lclangFrontendTool\ 35 | -lclangFrontend\ 36 | -lclangDriver\ 37 | -lclangSerialization\ 38 | -lclangCodeGen\ 39 | -lclangParse\ 40 | -lclangSema\ 41 | -lclangStaticAnalyzerFrontend\ 42 | -lclangStaticAnalyzerCheckers\ 43 | -lclangStaticAnalyzerCore\ 44 | -lclangAnalysis\ 45 | -lclangARCMigrate\ 46 | -lclangRewrite\ 47 | -lclangRewriteFrontend\ 48 | -lclangEdit\ 49 | -lclangAST\ 50 | -lclangLex\ 51 | -lclangBasic\ 52 | -Wl,--end-group 53 | 54 | all: $(EXECUTABLES) 55 | 56 | normalize_rewriter: normalize_rewriter.o CompilationDb.o 57 | $(CXX) $(CXXFLAGS) -o $@ $^ $(CLANG_LIBS) $(LDFLAGS) 58 | 59 | %.o: %.cpp 60 | $(CXX) -c $(CXXFLAGS) $< -o $@ 61 | 62 | clean: 63 | -rm -f $(EXECUTABLE) $(OBJECTS) *~ 64 | -------------------------------------------------------------------------------- /dictionaries/README.dictionaries: -------------------------------------------------------------------------------- 1 | ================ 2 | AFL dictionaries 3 | ================ 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | This subdirectory contains a set of dictionaries that can be used in 8 | conjunction with the -x option to allow the fuzzer to effortlessly explore the 9 | grammar of some of the more verbose data formats or languages. The basic 10 | principle behind the operation of fuzzer dictionaries is outlined in section 9 11 | of the "main" README for the project. 12 | 13 | Custom dictionaries can be added at will. They should consist of a 14 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try 15 | to clobber together in various ways. Snippets between 2 and 16 bytes are usually 16 | the sweet spot. 17 | 18 | Custom dictionaries can be created in two ways: 19 | 20 | - By creating a new directory and placing each token in a separate file, in 21 | which case, there is no need to escape or otherwise format the data. 
22 | 23 | - By creating a flat text file where tokens are listed one per line in the 24 | format of name="value". The alphanumeric name is ignored and can be omitted, 25 | although it is a convenient way to document the meaning of a particular 26 | token. The value must appear in quotes, with hex escaping (\xNN) applied to 27 | all non-printable, high-bit, or otherwise problematic characters (\\ and \" 28 | shorthands are recognized, too). 29 | 30 | The fuzzer auto-selects the appropriate mode depending on whether the -x 31 | parameter is a file or a directory. 32 | 33 | In the file mode, every name field can be optionally followed by @<num>, e.g.: 34 | 35 | keyword_foo@1 = "foo" 36 | 37 | Such entries will be loaded only if the requested dictionary level is equal to or 38 | higher than this number. The default level is zero; a higher value can be set 39 | by appending @<num> to the dictionary file name, like so: 40 | 41 | -x path/to/dictionary.dct@2 42 | 43 | Good examples of dictionaries can be found in xml.dict and png.dict. 44 | -------------------------------------------------------------------------------- /testcases/archives/common/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick0000640000076400007640000000027712427053460012465 0ustar lcamtuflcamtufThere was a young man from Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can."
6 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/handle-bi.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### converts the built-in.o files from the different folders into bitcode and copies them to the build folder 4 | 5 | export build_home=$HOME/standalone-build 6 | export ker=$HOME/linux-stable 7 | 8 | bash copy-native-bi.sh 9 | 10 | cd $ker 11 | get-bc -b arch/x86/built-in.o 12 | get-bc -b arch/x86/lib/built-in.o 13 | get-bc -b drivers/built-in.o 14 | get-bc -b fs/built-in.o 15 | get-bc -b kernel/built-in.o 16 | get-bc -b lib/built-in.o 17 | get-bc -b mm/built-in.o 18 | get-bc -b security/built-in.o 19 | get-bc -b init/built-in.o 20 | get-bc -b sound/built-in.o 21 | get-bc -b net/built-in.o 22 | get-bc -b ipc/built-in.o 23 | get-bc -b crypto/built-in.o 24 | get-bc -b block/built-in.o 25 | get-bc -b lib/lib.a 26 | get-bc -b arch/x86/lib/lib.a 27 | get-bc -b arch/x86/pci/built-in.o 28 | get-bc -b arch/x86/video/built-in.o 29 | get-bc -b arch/x86/power/built-in.o 30 | 31 | 32 | cd $build_home 33 | cp $ker/arch/x86/built-in.o.a.bc ./built-ins/arcbi.o.bc 34 | cp $ker/arch/x86/lib/built-in.o.a.bc ./built-ins/xlibbi.o.bc 35 | cp $ker/drivers/built-in.o.a.bc ./built-ins/dribi.o.bc 36 | cp $ker/fs/built-in.o.a.bc ./built-ins/fsbi.o.bc 37 | cp $ker/kernel/built-in.o.a.bc ./built-ins/kerbi.o.bc 38 | cp $ker/lib/built-in.o.a.bc ./built-ins/libbi.o.bc 39 | cp $ker/init/built-in.o.a.bc ./built-ins/inibi.o.bc 40 | cp $ker/mm/built-in.o.a.bc ./built-ins/mmbi.o.bc 41 | cp $ker/security/built-in.o.a.bc ./built-ins/secbi.o.bc 42 | cp $ker/sound/built-in.o.a.bc ./built-ins/sndbi.o.bc 43 | cp $ker/net/built-in.o.a.bc ./built-ins/netbi.o.bc 44 | cp $ker/ipc/built-in.o.a.bc ./built-ins/ipcbi.o.bc 45 | cp $ker/crypto/built-in.o.a.bc ./built-ins/cptbi.o.bc 46 | cp $ker/block/built-in.o.a.bc ./built-ins/blkbi.o.bc 47 | cp $ker/lib/lib.a.bc ./lib/lib.a.bc 
48 | cp $ker/arch/x86/lib/lib.a.bc arch/x86/lib/lib.a.bc 49 | cp $ker/arch/x86/pci/built-in.o.a.bc ./built-ins/pcibi.o.bc 50 | cp $ker/arch/x86/video/built-in.o.a.bc ./built-ins/vidbi.o.bc 51 | cp $ker/arch/x86/power/built-in.o.a.bc ./built-ins/powbi.o.bc 52 | 53 | bash copy-missing-o.sh -------------------------------------------------------------------------------- /gllvm/cmd/get-bc/main.go: -------------------------------------------------------------------------------- 1 | // 2 | // OCCAM 3 | // 4 | // Copyright (c) 2017, SRI International 5 | // 6 | // All rights reserved. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, this 12 | // list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright notice, 15 | // this list of conditions and the following disclaimer in the documentation 16 | // and/or other materials provided with the distribution. 17 | // 18 | // * Neither the name of SRI International nor the names of its contributors may 19 | // be used to endorse or promote products derived from this software without 20 | // specific prior written permission. 21 | // 22 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | // DISCLAIMED. 
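#!/bin/sh

# Shared helpers for the project's shell scripts: colored status messages,
# "run a command and abort on failure" wrappers and small path utilities.
# This file is meant to be sourced (". library.sh"), not executed.

# ANSI color codes, see
# https://stackoverflow.com/questions/5947742/how-to-change-the-output-color-of-echo-in-linux
# They are kept as literal backslash sequences and expanded at print time
# with printf '%b'. Plain echo interprets such escapes under dash but not
# under bash, so with bash as /bin/sh the colors (and the \t emitted by
# run_command) used to be printed literally.
GREEN='\033[1;32m'
RED='\033[1;31m'
ORANGE='\033[1;33m'
BLUE='\033[1;34m'
CYAN='\033[1;36m'
NC='\033[0m' # No Color

# err MESSAGE... - print "ERROR: MESSAGE" in red.
err()
{
    msg=$*
    printf '%b\n' "${RED}ERROR${NC}: $msg"
}

# fatal MESSAGE... - print "FATAL: MESSAGE" in red and exit the calling
# shell with status 1.
fatal()
{
    msg=$*
    printf '%b\n' "${RED}FATAL${NC}: $msg"
    exit 1
}

# info MESSAGE... - print "INFO: MESSAGE" in blue.
info()
{
    msg=$*
    printf '%b\n' "${BLUE}INFO${NC}: $msg"
}

# warn MESSAGE... - print "WARNING: MESSAGE" in orange.
warn()
{
    msg=$*
    printf '%b\n' "${ORANGE}WARNING${NC}: $msg"
}

# debug MESSAGE... - print "DEBUG: MESSAGE" in cyan.
debug()
{
    msg=$*
    printf '%b\n' "${CYAN}DEBUG${NC}: $msg"
}

# ok - print a green "[OK]", normally to finish a line started by progress.
ok()
{
    printf '%b\n' "${GREEN}[OK]${NC}"
}

# progress MESSAGE... - print MESSAGE without a trailing newline so that a
# later ok or fatal completes the line.
progress()
{
    printf '%b' "$*"
}

# ok_echo MESSAGE... - print MESSAGE in green.
ok_echo()
{
    printf '%b\n' "${GREEN}$*${NC}"
}

# run_command MESSAGE COMMAND... - print "MESSAGE ...", run COMMAND with
# its output captured, then print [OK]; if COMMAND exits non-zero, print the
# captured output through fatal and exit.
#
# COMMAND is expanded unquoted on purpose: callers pass it either as separate
# words or as a single string ("make -j4") that is re-split into words here.
# Consequently an argument containing whitespace or glob characters cannot
# be passed through these wrappers.
run_command()
{
    msg=$1
    shift
    cmd="$*" # remaining args
    progress "$msg ...\t"
    # The captured output is quoted so that an error message containing '*'
    # or newlines is neither glob-expanded against the current directory nor
    # re-split before it is printed.
    result=$($cmd 2>&1) || { echo; fatal "$result"; }
    ok
}

# run COMMAND... - like run_command without the leading message.
run()
{
    cmd="$*"
    result=$($cmd 2>&1) || { echo; fatal "$result"; }
    ok
}

# get_run COMMAND... - run COMMAND with its output captured and print that
# output on success; on failure print it through fatal and exit. Normally
# used as $(get_run ...).
get_run()
{
    cmd="$*"
    result=$($cmd 2>&1) || { echo; fatal "$result"; }
    printf '%s\n' "$result"
}

# get_dir_of_file FILE - print the absolute, symlink-resolved directory that
# contains FILE. The result is re-split by get_run, so directory names
# containing whitespace are not supported.
get_dir_of_file()
{
    get_run "echo $(cd "$(dirname "$1")" && pwd -P)"
}

# get_full_path_of_file FILE - print the absolute path of FILE.
get_full_path_of_file()
{
    get_run "echo $(get_dir_of_file "$1")/$(get_fn_from_file "$1")"
}

# get_fn_from_file FILE - print the file name component of FILE.
get_fn_from_file()
{
    get_run "echo $(basename "$1")"
}

# get_pid - print the PID of the current shell.
get_pid()
{
    echo "$$"
}

# folder_exists PATH - succeed if PATH is an existing directory.
# PATH is quoted: with the unquoted form, an empty argument collapsed the
# test to `[ ! -d ]`, which is false, so folder_exists "" reported true, and
# an argument containing whitespace made test error out.
folder_exists()
{
    [ -d "$1" ]
}

# regular_file_exists PATH - succeed if PATH is an existing regular file.
regular_file_exists()
{
    [ -f "$1" ]
}

# file_exists PATH - succeed if PATH exists, whatever its type.
file_exists()
{
    [ -e "$1" ]
}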
7 | // 8 | //===----------------------------------------------------------------------===// 9 | //===----------------------------------------------------------------------===// 10 | #define DEBUG_TYPE "func-simplify" 11 | 12 | #include "assistDS/FuncSimplify.h" 13 | #include "llvm/IR/Attributes.h" 14 | #include "llvm/Transforms/Utils/Cloning.h" 15 | #include "llvm/ADT/Statistic.h" 16 | #include "llvm/Support/FormattedStream.h" 17 | #include "llvm/Support/Debug.h" 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | using namespace llvm; 24 | 25 | // Pass statistics 26 | STATISTIC(numChanged, "Number of aliases deleted"); 27 | 28 | // 29 | // Method: runOnModule() 30 | // 31 | // Description: 32 | // Entry point for this LLVM pass. 33 | // Replace all internal aliases with the 34 | // aliasee value 35 | // 36 | // Inputs: 37 | // M - A reference to the LLVM module to transform 38 | // 39 | // Outputs: 40 | // M - The transformed LLVM module. 41 | // 42 | // Return value: 43 | // true - The module was modified. 44 | // false - The module was not modified. 
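//
bool FuncSimplify::runOnModule(Module& M) {

  // Collect every alias with internal linkage, redirecting each of its users
  // to the aliasee first. Deletion is deferred so that the module's alias
  // list is not mutated while it is being iterated. Aliases with any other
  // linkage are left alone, since code outside this module may refer to
  // them by name.
  std::vector<GlobalAlias*> toDelete;
  for (Module::alias_iterator I = M.alias_begin(); I != M.alias_end(); ++I) {
    if(!I->hasInternalLinkage())
      continue;
    I->replaceAllUsesWith(I->getAliasee());
    toDelete.push_back(&*I);
  }
  numChanged += toDelete.size();

  // Record whether anything is going to change before the worklist is
  // drained below.
  bool changed = !toDelete.empty();

  // Every collected alias has had all of its uses rewritten, so it can now
  // be removed from the module.
  while(!toDelete.empty()) {
    GlobalAlias *I = toDelete.back();
    toDelete.pop_back();
    I->eraseFromParent();
  }

  // Only report a modification when an alias was actually removed. The
  // previous unconditional `return true` told the pass manager the module
  // changed even on a no-op run, needlessly invalidating preserved analyses
  // and contradicting the documented "false - The module was not modified".
  return changed;
}

// Pass ID variable
char FuncSimplify::ID = 0;

// Register the pass
static RegisterPass<FuncSimplify>
X("func-simplify", "Delete Aliases");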
Also watch for any new files 32 | created in cwd if you're interested in non-crash RCEs (files will be 33 | created whenever the shell executes "foo>bar" or something like 34 | that). You can correlate their creation date with new entries in 35 | out_dir/queue/. 36 | 37 | You can also modify the bash binary to directly check for more subtle 38 | fault conditions, or use the synthesized entries in out_dir/queue/ 39 | as a seed for other, possibly slower or more involved testing regimes. 40 | 41 | Expect several hours to get decent coverage. 42 | 43 | --- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100 44 | +++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200 45 | 
@@ -371,6 +371,14 @@ 46 | env = environ; 47 | #endif /* __OPENNT */ 48 | 49 | + { 50 | + 51 | + static char val[1024 * 16]; 52 | + read(0, val, sizeof(val) - 1); 53 | + setenv("TEST_VARIABLE", val, 1); 54 | + 55 | + } 56 | + 57 | USE_VAR(argc); 58 | USE_VAR(argv); 59 | USE_VAR(env); 60 | -------------------------------------------------------------------------------- /gllvm/cmd/gclang++/main.go: -------------------------------------------------------------------------------- 1 | // 2 | // OCCAM 3 | // 4 | // Copyright (c) 2017, SRI International 5 | // 6 | // All rights reserved. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, this 12 | // list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright notice, 15 | // this list of conditions and the following disclaimer in the documentation 16 | // and/or other materials provided with the distribution. 17 | // 18 | // * Neither the name of SRI International nor the names of its contributors may 19 | // be used to endorse or promote products derived from this software without 20 | // specific prior written permission. 21 | // 22 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | // DISCLAIMED. 
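Review bot: The return value of `read(0, val, sizeof(val) - 1)` is discarded, so a failed or interrupted read leaves the static, zero-initialised `val` empty and the harness silently exports an empty TEST_VARIABLE; the fuzzer then reports a healthy run while the parser never sees the input. Capturing the count also makes the termination explicit rather than relying on static zero-fill: `ssize_t n = read(0, val, sizeof(val) - 1);` / `if (n < 0) n = 0;` / `val[n] = 0;`. A short comment on the block, `/* fuzz harness: stdin becomes TEST_VARIABLE; see shellshock-fuzz.diff header */`, would tell a later reader why main() reads stdin before argument processing. The enclosing function begins outside the hunk.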
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 26 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | // 33 | 34 | package main 35 | 36 | import ( 37 | "../../shared" 38 | "os" 39 | ) 40 | 41 | func main() { 42 | // Parse command line 43 | shared.LogInfo("Entering %v\n", os.Args) 44 | 45 | args := os.Args 46 | args = args[1:] 47 | 48 | exitCode := shared.Compile(args, "clang++") 49 | 50 | shared.LogInfo("Calling %v returned %v\n", os.Args, exitCode) 51 | 52 | //important to pretend to look like the actual wrapped command 53 | os.Exit(exitCode) 54 | 55 | } 56 | -------------------------------------------------------------------------------- /gllvm/cmd/gclang/main.go: -------------------------------------------------------------------------------- 1 | // 2 | // OCCAM 3 | // 4 | // Copyright (c) 2017, SRI International 5 | // 6 | // All rights reserved. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, this 12 | // list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright notice, 15 | // this list of conditions and the following disclaimer in the documentation 16 | // and/or other materials provided with the distribution. 
17 | // 18 | // * Neither the name of SRI International nor the names of its contributors may 19 | // be used to endorse or promote products derived from this software without 20 | // specific prior written permission. 21 | // 22 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 26 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | // 33 | 34 | package main 35 | 36 | import ( 37 | "../../shared" 38 | "os" 39 | ) 40 | 41 | func main() { 42 | shared.LogInfo("Entering CC %v\n", os.Args[1:]) 43 | // Parse command line 44 | args := os.Args 45 | args = args[1:] 46 | 47 | exitCode := shared.Compile(args, "clang") 48 | 49 | shared.LogDebug("Calling %v returned %v\n", os.Args, exitCode) 50 | 51 | //important to pretend to look like the actual wrapped command 52 | os.Exit(exitCode) 53 | 54 | } 55 | -------------------------------------------------------------------------------- /docs/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | ===================== 2 | AFL quick start guide 3 | ===================== 4 | 5 | You should read docs/README. It's pretty short. If you really can't, here's 6 | how to hit the ground running: 7 | 8 | 1) Compile AFL with 'make'. If build fails, see docs/INSTALL for tips. 
9 | 10 | 2) Find or write a reasonably fast and simple program that takes data from 11 | a file or stdin, processes it in a test-worthy way, then exits cleanly. 12 | If testing a network service, modify it to run in the foreground and read 13 | from stdin. When fuzzing a format that uses checksums, comment out the 14 | checksum verification code, too. 15 | 16 | The program must crash properly when a fault is encountered. Watch out for 17 | custom SIGSEGV or SIGABRT handlers and background processes. For tips on 18 | detecting non-crashing flaws, see section 11 in docs/README. 19 | 20 | 3) Compile the program / library to be fuzzed using afl-gcc. A common way to 21 | do this would be: 22 | 23 | CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared 24 | make clean all 25 | 26 | If program build fails, ping . 27 | 28 | 4) Get a small but valid input file that makes sense to the program. When 29 | fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in 30 | dictionaries/README.dictionaries, too. 31 | 32 | 5) If the program reads from stdin, run 'afl-fuzz' like so: 33 | 34 | ./afl-fuzz -i testcase_dir -o findings_dir -- \ 35 | /path/to/tested/program [...program's cmdline...] 36 | 37 | If the program takes input from a file, you can put @@ in the program's 38 | command line; AFL will put an auto-generated file name in there for you. 39 | 40 | 6) Investigate anything shown in red in the fuzzer UI by promptly consulting 41 | docs/status_screen.txt. 42 | 43 | That's it. Sit back, relax, and - time permitting - try to skim through the 44 | following files: 45 | 46 | - docs/README - A general introduction to AFL, 47 | - docs/perf_tips.txt - Simple tips on how to fuzz more quickly, 48 | - docs/status_screen.txt - An explanation of the tidbits shown in the UI, 49 | - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores. 
50 | -------------------------------------------------------------------------------- /experimental/argv_fuzzing/argv-fuzz-inl.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - sample argv fuzzing wrapper 3 | ------------------------------------------------ 4 | 5 | Written by Michal Zalewski 6 | 7 | Copyright 2015 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | This file shows a simple way to fuzz command-line parameters with stock 16 | afl-fuzz. To use, add: 17 | 18 | #include "/path/to/argv-fuzz-inl.h" 19 | 20 | ...to the file containing main(), ideally placing it after all the 21 | standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of 22 | main(). 23 | 24 | This will cause the program to read NUL-delimited input from stdin and 25 | put it in argv[]. Two subsequent NULs terminate the array. Empty 26 | params are encoded as a lone 0x02. Lone 0x02 can't be generated, but 27 | that shouldn't matter in real life. 
28 | 29 | If you would like to always preserve argv[0], use this instead: 30 | AFL_INIT_SET0("prog_name"); 31 | 32 | */ 33 | 34 | #ifndef _HAVE_ARGV_FUZZ_INL 35 | #define _HAVE_ARGV_FUZZ_INL 36 | 37 | #include 38 | 39 | #define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0) 40 | 41 | #define AFL_INIT_SET0(_p) do { \ 42 | argv = afl_init_argv(&argc); \ 43 | argv[0] = (_p); \ 44 | if (!argc) argc = 1; \ 45 | } while (0) 46 | 47 | #define MAX_CMDLINE_LEN 100000 48 | #define MAX_CMDLINE_PAR 1000 49 | 50 | static char** afl_init_argv(int* argc) { 51 | 52 | static char in_buf[MAX_CMDLINE_LEN]; 53 | static char* ret[MAX_CMDLINE_PAR]; 54 | 55 | char* ptr = in_buf; 56 | int rc = 0; 57 | 58 | if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0); 59 | 60 | while (*ptr) { 61 | 62 | ret[rc] = ptr; 63 | if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; 64 | rc++; 65 | 66 | while (*ptr) ptr++; 67 | ptr++; 68 | 69 | } 70 | 71 | *argc = rc; 72 | 73 | return ret; 74 | 75 | } 76 | 77 | #undef MAX_CMDLINE_LEN 78 | #undef MAX_CMDLINE_PAR 79 | 80 | #endif /* !_HAVE_ARGV_FUZZ_INL */ 81 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/copy-native-bi.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### copy the libraries compiled by clang to the build folder. 
4 | ### currently we are only using the driver built-in.o, so this is mostly unnecessary 5 | export build_home=$HOME/standalone-build 6 | export ker=$HOME/linux-stable 7 | 8 | convert-thin-archive.sh $ker/arch/x86/built-in.o 9 | convert-thin-archive.sh $ker/arch/x86/lib/built-in.o 10 | convert-thin-archive.sh $ker/drivers/built-in.o 11 | convert-thin-archive.sh $ker/fs/built-in.o 12 | convert-thin-archive.sh $ker/kernel/built-in.o 13 | convert-thin-archive.sh $ker/lib/built-in.o 14 | convert-thin-archive.sh $ker/mm/built-in.o 15 | convert-thin-archive.sh $ker/security/built-in.o 16 | convert-thin-archive.sh $ker/init/built-in.o 17 | convert-thin-archive.sh $ker/sound/built-in.o 18 | convert-thin-archive.sh $ker/net/built-in.o 19 | convert-thin-archive.sh $ker/ipc/built-in.o 20 | convert-thin-archive.sh $ker/crypto/built-in.o 21 | convert-thin-archive.sh $ker/block/built-in.o 22 | convert-thin-archive.sh $ker/lib/lib.a 23 | convert-thin-archive.sh $ker/arch/x86/lib/lib.a 24 | convert-thin-archive.sh $ker/arch/x86/pci/built-in.o 25 | convert-thin-archive.sh $ker/arch/x86/video/built-in.o 26 | convert-thin-archive.sh $ker/arch/x86/power/built-in.o 27 | 28 | 29 | 30 | cp $ker/arch/x86/built-in.o.new ./built-ins/arcbi.o 31 | cp $ker/arch/x86/lib/built-in.o.new ./built-ins/xlibbi.o 32 | cp $ker/drivers/built-in.o.new ./built-ins/dribi.o 33 | cp $ker/fs/built-in.o.new ./built-ins/fsbi.o 34 | cp $ker/kernel/built-in.o.new ./built-ins/kerbi.o 35 | cp $ker/lib/built-in.o.new ./built-ins/libbi.o 36 | cp $ker/init/built-in.o.new ./built-ins/inibi.o 37 | cp $ker/mm/built-in.o.new ./built-ins/mmbi.o 38 | cp $ker/security/built-in.o.new ./built-ins/secbi.o 39 | cp $ker/sound/built-in.o.new ./built-ins/sndbi.o 40 | cp $ker/net/built-in.o.new ./built-ins/netbi.o 41 | cp $ker/ipc/built-in.o.new ./built-ins/ipcbi.o 42 | cp $ker/crypto/built-in.o.new ./built-ins/cptbi.o 43 | cp $ker/block/built-in.o.new ./built-ins/blkbi.o 44 | cp $ker/lib/lib.a.new ./lib/lib.a 45 | cp 
$ker/arch/x86/lib/lib.a.new arch/x86/lib/lib.a 46 | cp $ker/arch/x86/pci/built-in.o.new ./built-ins/pcibi.o 47 | cp $ker/arch/x86/video/built-in.o.new ./built-ins/vidbi.o 48 | cp $ker/arch/x86/power/built-in.o.new ./built-ins/powbi.o 49 | -------------------------------------------------------------------------------- /dsa/include/assistDS/DSNodeEquivs.h: -------------------------------------------------------------------------------- 1 | //===- DSNodeEquivs.h - Build DSNode equivalence classes ------------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This pass computes equivalence classes of DSNodes across DSGraphs. 11 | // 12 | //===----------------------------------------------------------------------===// 13 | 14 | #ifndef DSNODEEQUIVS_H 15 | #define DSNODEEQUIVS_H 16 | 17 | #include "dsa/DataStructure.h" 18 | #include "dsa/DSGraph.h" 19 | #include "dsa/DSNode.h" 20 | 21 | #include "llvm/ADT/EquivalenceClasses.h" 22 | 23 | #include 24 | 25 | namespace llvm { 26 | 27 | typedef std::vector FunctionList; 28 | typedef FunctionList::iterator FunctionList_it; 29 | 30 | class DSNodeEquivs : public ModulePass { 31 | private: 32 | EquivalenceClasses Classes; 33 | 34 | void buildDSNodeEquivs(Module &M); 35 | 36 | void addNodesFromGraph(DSGraph *G); 37 | FunctionList getCallees(CallSite &CS); 38 | void equivNodesThroughCallsite(CallInst *CI); 39 | void equivNodesToGlobals(DSGraph *G); 40 | void equivNodeMapping(DSGraph::NodeMapTy & NM); 41 | 42 | public: 43 | static char ID; 44 | 45 | DSNodeEquivs() : ModulePass(ID) {} 46 | 47 | void getAnalysisUsage(AnalysisUsage &AU) const { 48 | AU.addRequiredTransitive(); 49 | AU.setPreservesAll(); 50 | } 51 | 52 | bool runOnModule(Module &M); 53 
| 54 | // Returns the computed equivalence classes. Two DSNodes in the same 55 | // equivalence class may alias. DSNodes may also alias if they have the 56 | // Incomplete, Unknown, or External flags set (even if they are in different 57 | // equivalence classes). 58 | const EquivalenceClasses &getEquivalenceClasses(); 59 | 60 | // Returns a DSNode for the specified value. Note that two nodes may alias 61 | // even if they have different DSNodes (because the DSNodes may belong to 62 | // different DSGraphs). 63 | const DSNode *getMemberForValue(const Value *V); 64 | }; 65 | 66 | } 67 | 68 | #endif // DSNODEEQUIVS_H 69 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/copy-missing-o.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### Add the object files generated from assembly to the build folder 4 | 5 | export build_home=$HOME/standalone-build 6 | export ker=$HOME/linux-stable 7 | 8 | #asm files 9 | export lib_obj_path=./built-ins/objects/lib_assembly_objects 10 | export arch_obj_path=./built-ins/objects/arch_assembly_objects 11 | export xlib_obj_path=./built-ins/objects/xlib_assembly_objects 12 | export pow_obj_path=./built-ins/objects/pow_assembly_objects 13 | 14 | cp $ker/arch/x86/entry/entry_64.o $arch_obj_path 15 | cp $ker/arch/x86/entry/thunk_64.o $arch_obj_path 16 | cp $ker/arch/x86/entry/vsyscall/vsyscall_emu_64.o $arch_obj_path 17 | cp $ker/arch/x86/entry/entry_64_compat.o $arch_obj_path 18 | cp $ker/arch/x86/realmode/rmpiggy.o $arch_obj_path 19 | cp $ker/arch/x86/kernel/acpi/wakeup_64.o $arch_obj_path 20 | cp $ker/arch/x86/kernel/relocate_kernel_64.o $arch_obj_path 21 | cp $ker/arch/x86/platform/efi/efi_stub_64.o $arch_obj_path 22 | 23 | cp $ker/lib/lib-ksyms.o $lib_obj_path 24 | 25 | cp $ker/arch/x86/lib/iomap_copy_64.o $xlib_obj_path 26 | cp $ker/arch/x86/lib/hweight.o $xlib_obj_path 27 | cp $ker/arch/x86/lib/msr-reg.o 
$xlib_obj_path 28 | cp $ker/arch/x86/lib/lib-ksyms.o $xlib_obj_path 29 | 30 | cp $ker/arch/x86/power/hibernate_asm_64.o $pow_obj_path 31 | 32 | #kernel obj files 33 | export ker_objs_path=./built-ins/objects/ker_objects 34 | cp $ker/arch/x86/kernel/head64.o $ker_objs_path 35 | cp $ker/arch/x86/kernel/head_64.o $ker_objs_path 36 | cp $ker/arch/x86/kernel/platform-quirks.o $ker_objs_path 37 | cp $ker/arch/x86/kernel/ebda.o $ker_objs_path 38 | cp $ker/usr/initramfs_data.o $ker_objs_path 39 | 40 | #arch lib asm 41 | export libx_obj_path=./built-ins/objects/libx_objects 42 | cp $ker/arch/x86/lib/memset_64.o $libx_obj_path 43 | cp $ker/arch/x86/lib/getuser.o $libx_obj_path 44 | cp $ker/arch/x86/lib/rwsem.o $libx_obj_path 45 | cp $ker/arch/x86/lib/memcpy_64.o $libx_obj_path 46 | cp $ker/arch/x86/lib/memmove_64.o $libx_obj_path 47 | cp $ker/arch/x86/lib/copy_user_64.o $libx_obj_path 48 | cp $ker/arch/x86/lib/putuser.o $libx_obj_path 49 | cp $ker/arch/x86/lib/csum-copy_64.o $libx_obj_path 50 | cp $ker/arch/x86/lib/clear_page_64.o $libx_obj_path 51 | cp $ker/arch/x86/lib/copy_page_64.o $libx_obj_path 52 | cp $ker/arch/x86/lib/cmpxchg16b_emu.o $libx_obj_path 53 | cp $ker/arch/x86/lib/retpoline.o $libx_obj_path -------------------------------------------------------------------------------- /aflc-link-bc: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LIB_DIR="$( cd "$(dirname "$0")" ; pwd -P )" 4 | . $LIB_DIR/library.sh 5 | . 
$LIB_DIR/afl-config.sh 6 | 7 | if [ -z "$LLVM_CONFIG" ]; then 8 | fatal "LLVM_CONFIG not defined" 9 | fi 10 | 11 | VERSION=$($LLVM_CONFIG --version) 12 | VERSION_38=$(echo $VERSION | grep '3\.8') 13 | if [ -z "$VERSION_38" ]; then 14 | fatal "LLVM_VERSION points to wrong version:\n${VERSION}\n\nWe need version 3.8" 15 | fi 16 | 17 | ARGS=$@ 18 | ARGS=`echo $ARGS | sed -e 's/-O[^ ]*/-O0/g'` 19 | 20 | 21 | # get the output name 22 | prev_is_o=0 23 | out_fn_bc="" 24 | list_files="" 25 | for arg in $ARGS; do 26 | if [ $arg = "-o" ]; then 27 | prev_is_o=1 28 | elif [ $prev_is_o -eq 1 ]; then 29 | out_fn_bc=$arg 30 | elif file_exists $arg; then 31 | 32 | last_four_character=$(echo -n "$arg" | tail -c 4) 33 | if [ "$last_four_character" = ".bca" ]; then 34 | 35 | list=$($LLVM_AR tv $arg| awk '{print $6}') 36 | if [ -z "$list" ]; then 37 | fatal "the archive is empty" 38 | fi 39 | 40 | 41 | for fn in $list; do 42 | 43 | # check there is no duplicated files in different archives 44 | for fm in $list_files; do 45 | if [ "$fm" = "$fn" ]; then 46 | fatal "Duplicated files '$fm'" 47 | fi 48 | done 49 | # delete the file 50 | rm $fn >/dev/null 51 | done 52 | 53 | $LLVM_AR x $arg 54 | 55 | # sanity check the files are extracted 56 | for fn in $list; do 57 | if ! file_exists $fn; then 58 | fatal "file $fn does not exist" 59 | fi 60 | done 61 | 62 | list_files="$list_files $list" 63 | else 64 | list_files="$list_files $arg" 65 | fi 66 | fi 67 | done 68 | 69 | if [ -z "$out_fn_bc" ]; then 70 | fatal "output file is missing" 71 | fi 72 | 73 | last_three_character=$(echo -n "$out_fn_bc" | tail -c 3) 74 | if [ "$last_three_character" != ".bc" ]; then 75 | fatal "Invalid output file ($out_fn_bc). Must end in .bc" 76 | fi 77 | 78 | 79 | # link 80 | run_command "Linking..." $LLVM_LINK $list_files -o $out_fn_bc 81 | 82 | # run opt on the entire program 83 | run_command "Running opt..." 
$OPT $OPT_ARGS $out_fn_bc -o $out_fn_bc 84 | 85 | 86 | length=$(echo -n $out_fn_bc | wc -c) 87 | length=$((length-3)) 88 | out_fn=$(echo -n $out_fn_bc | head -c $length) 89 | 90 | echo 91 | ok_echo "Success :)" 92 | echo -n "Run:" 93 | ok_echo " /path/to/afl/aflc-clang-fast $out_fn_bc -o $out_fn " 94 | -------------------------------------------------------------------------------- /dsa/include/dsa/CallTargets.h: -------------------------------------------------------------------------------- 1 | //=- llvm/Analysis/CallTargets.h - Resolve Indirect Call Targets --*- C++ -*-=// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This pass uses DSA to map targets of all calls, and reports on if it 11 | // thinks it knows all targets of a given call. 
12 | // 13 | //===----------------------------------------------------------------------===// 14 | 15 | #ifndef LLVM_ANALYSIS_CALLTARGETS_H 16 | #define LLVM_ANALYSIS_CALLTARGETS_H 17 | 18 | #include "llvm/Pass.h" 19 | #include "llvm/IR/CallSite.h" 20 | #include "dsa/DataStructure.h" 21 | 22 | #include 23 | #include 24 | #include 25 | 26 | using namespace llvm; 27 | namespace dsa{ 28 | 29 | template 30 | class CallTargetFinder : public ModulePass { 31 | std::map > IndMap; 32 | std::set CompleteSites; 33 | std::list AllSites; 34 | 35 | void findIndTargets(Module &M); 36 | public: 37 | static char ID; 38 | CallTargetFinder() : ModulePass(ID) {} 39 | 40 | virtual bool runOnModule(Module &M); 41 | 42 | virtual void getAnalysisUsage(AnalysisUsage &AU) const; 43 | 44 | virtual void print(llvm::raw_ostream &O, const Module *M) const; 45 | 46 | virtual void saveTargets(const Module *M) const; 47 | 48 | // Given a CallSite, get an iterator of callees 49 | std::vector::iterator begin(CallSite cs){ 50 | return IndMap[cs].begin(); 51 | } 52 | std::vector::iterator end(CallSite cs){ 53 | return IndMap[cs].end(); 54 | } 55 | unsigned size(CallSite cs){ 56 | return IndMap[cs].size(); 57 | } 58 | 59 | // Iterate over CallSites in program 60 | std::list::iterator cs_begin(){ 61 | return AllSites.begin(); 62 | } 63 | std::list::iterator cs_end(){ 64 | return AllSites.end(); 65 | } 66 | 67 | // Do we think we have complete knowledge of this site? 
68 | // That is, do we think there are no missing callees 69 | bool isComplete(CallSite cs) const { 70 | return CompleteSites.find(cs) != CompleteSites.end(); 71 | } 72 | }; 73 | 74 | } 75 | 76 | #endif 77 | -------------------------------------------------------------------------------- /hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - hashing function 3 | ------------------------------------- 4 | 5 | The hash32() function is a variant of MurmurHash3, a good 6 | non-cryptosafe hashing function developed by Austin Appleby. 7 | 8 | For simplicity, this variant does *NOT* accept buffer lengths 9 | that are not divisible by 8 bytes. The 32-bit version is otherwise 10 | similar to the original; the 64-bit one is a custom hack with 11 | mostly-unproven properties. 12 | 13 | Austin's original code is public domain. 14 | 15 | Other code written and maintained by Michal Zalewski 16 | 17 | Copyright 2016 Google Inc. All rights reserved. 18 | 19 | Licensed under the Apache License, Version 2.0 (the "License"); 20 | you may not use this file except in compliance with the License. 
21 | You may obtain a copy of the License at: 22 | 23 | http://www.apache.org/licenses/LICENSE-2.0 24 | 25 | */ 26 | 27 | #ifndef _HAVE_HASH_H 28 | #define _HAVE_HASH_H 29 | 30 | #include "types.h" 31 | 32 | #ifdef __x86_64__ 33 | 34 | #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) 35 | 36 | static inline u32 hash32(const void* key, u32 len, u32 seed) { 37 | 38 | const u64* data = (u64*)key; 39 | u64 h1 = seed ^ len; 40 | 41 | len >>= 3; 42 | 43 | while (len--) { 44 | 45 | u64 k1 = *data++; 46 | 47 | k1 *= 0x87c37b91114253d5ULL; 48 | k1 = ROL64(k1, 31); 49 | k1 *= 0x4cf5ad432745937fULL; 50 | 51 | h1 ^= k1; 52 | h1 = ROL64(h1, 27); 53 | h1 = h1 * 5 + 0x52dce729; 54 | 55 | } 56 | 57 | h1 ^= h1 >> 33; 58 | h1 *= 0xff51afd7ed558ccdULL; 59 | h1 ^= h1 >> 33; 60 | h1 *= 0xc4ceb9fe1a85ec53ULL; 61 | h1 ^= h1 >> 33; 62 | 63 | return h1; 64 | 65 | } 66 | 67 | #else 68 | 69 | #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) 70 | 71 | static inline u32 hash32(const void* key, u32 len, u32 seed) { 72 | 73 | const u32* data = (u32*)key; 74 | u32 h1 = seed ^ len; 75 | 76 | len >>= 2; 77 | 78 | while (len--) { 79 | 80 | u32 k1 = *data++; 81 | 82 | k1 *= 0xcc9e2d51; 83 | k1 = ROL32(k1, 15); 84 | k1 *= 0x1b873593; 85 | 86 | h1 ^= k1; 87 | h1 = ROL32(h1, 13); 88 | h1 = h1 * 5 + 0xe6546b64; 89 | 90 | } 91 | 92 | h1 ^= h1 >> 16; 93 | h1 *= 0x85ebca6b; 94 | h1 ^= h1 >> 13; 95 | h1 *= 0xc2b2ae35; 96 | h1 ^= h1 >> 16; 97 | 98 | return h1; 99 | 100 | } 101 | 102 | #endif /* ^__x86_64__ */ 103 | 104 | #endif /* !_HAVE_HASH_H */ 105 | -------------------------------------------------------------------------------- /dsa/include/dsa/TypeSafety.h: -------------------------------------------------------------------------------- 1 | //===- TypeSafety.h - Find Type-Safe Pointers ---------------------*- C++ -*--// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed 
under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This analysis pass determines which pointers within a program are used in 11 | // a type-safe fashion. It uses DSA to determine type-consistency and 12 | // abstracts the details of interpreting DSA's results. 13 | // 14 | //===----------------------------------------------------------------------===// 15 | 16 | #ifndef DSA_TYPESAFETY_H 17 | #define DSA_TYPESAFETY_H 18 | 19 | #include "dsa/DataStructure.h" 20 | #include "dsa/DSGraph.h" 21 | 22 | #include "llvm/Pass.h" 23 | 24 | #include 25 | 26 | using namespace llvm; 27 | 28 | namespace dsa { 29 | 30 | // 31 | // Pass: TypeSafety 32 | // 33 | // Description: 34 | // This pass determines which pointers within a function are type-safe. It is 35 | // used to abstract away the interpretation of the DSNode flags and fields 36 | // for clients. 37 | // 38 | // Template parameters: 39 | // dsa - The name of the DSA Pass which this pass should use. 
40 | // 41 | template 42 | struct TypeSafety : public ModulePass { 43 | protected: 44 | // Methods 45 | DSNodeHandle getDSNodeHandle (const Value * V, const Function * F); 46 | DSNodeHandle getDSNodeHandle (const GlobalValue * V); 47 | void findTypeSafeDSNodes (const DSGraph * Graph); 48 | bool isTypeSafe (const DSNode * N); 49 | bool typeFieldsOverlap (const DSNode * N); 50 | 51 | // Pointers to prerequisite passes 52 | const DataLayout * TD; 53 | dsa * dsaPass; 54 | 55 | // Data structures 56 | std::set TypeSafeNodes; 57 | 58 | public: 59 | static char ID; 60 | TypeSafety() : ModulePass(ID) {} 61 | virtual bool runOnModule (Module & M); 62 | 63 | const char *getPassName() const { 64 | return "DSA Type-Safety Analysis"; 65 | } 66 | 67 | virtual void getAnalysisUsage(AnalysisUsage &AU) const { 68 | AU.addRequired(); 69 | AU.setPreservesAll(); 70 | } 71 | 72 | virtual void releaseMemory () { 73 | TypeSafeNodes.clear(); 74 | return; 75 | } 76 | 77 | // Methods for clients to use 78 | virtual bool isTypeSafe (const Value * V, const Function * F); 79 | virtual bool isTypeSafe (const GlobalValue * V); 80 | }; 81 | 82 | } 83 | #endif 84 | 85 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - type definitions and minor macros 3 | ------------------------------------------------------ 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2013, 2014, 2015 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 
11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | */ 16 | 17 | #ifndef _HAVE_TYPES_H 18 | #define _HAVE_TYPES_H 19 | 20 | #include 21 | #include 22 | 23 | typedef uint8_t u8; 24 | typedef uint16_t u16; 25 | typedef uint32_t u32; 26 | 27 | /* 28 | 29 | Ugh. There is an unintended compiler / glibc #include glitch caused by 30 | combining the u64 type an %llu in format strings, necessitating a workaround. 31 | 32 | In essence, the compiler is always looking for 'unsigned long long' for %llu. 33 | On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to 34 | 'unsigned long long' in , so everything checks out. 35 | 36 | But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'. 37 | Now, it only happens in circumstances where the type happens to have the 38 | expected bit width, *but* the compiler does not know that... and complains 39 | about 'unsigned long' being unsafe to pass to %llu. 40 | 41 | */ 42 | 43 | #ifdef __x86_64__ 44 | typedef unsigned long long u64; 45 | #else 46 | typedef uint64_t u64; 47 | #endif /* ^__x86_64__ */ 48 | 49 | typedef int8_t s8; 50 | typedef int16_t s16; 51 | typedef int32_t s32; 52 | typedef int64_t s64; 53 | 54 | #ifndef MIN 55 | # define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) 56 | # define MAX(_a,_b) ((_a) > (_b) ? 
(_a) : (_b)) 57 | #endif /* !MIN */ 58 | 59 | #define SWAP16(_x) ({ \ 60 | u16 _ret = (_x); \ 61 | (u16)((_ret << 8) | (_ret >> 8)); \ 62 | }) 63 | 64 | #define SWAP32(_x) ({ \ 65 | u32 _ret = (_x); \ 66 | (u32)((_ret << 24) | (_ret >> 24) | \ 67 | ((_ret << 8) & 0x00FF0000) | \ 68 | ((_ret >> 8) & 0x0000FF00)); \ 69 | }) 70 | 71 | #ifdef AFL_LLVM_PASS 72 | # define AFL_R(x) (random() % (x)) 73 | #else 74 | # define R(x) (random() % (x)) 75 | #endif /* ^AFL_LLVM_PASS */ 76 | 77 | #define STRINGIFY_INTERNAL(x) #x 78 | #define STRINGIFY(x) STRINGIFY_INTERNAL(x) 79 | 80 | #define MEM_BARRIER() \ 81 | asm volatile("" ::: "memory") 82 | 83 | #define likely(_x) __builtin_expect(!!(_x), 1) 84 | #define unlikely(_x) __builtin_expect(!!(_x), 0) 85 | 86 | #endif /* ! _HAVE_TYPES_H */ 87 | -------------------------------------------------------------------------------- /gllvm/shared/constants.go: -------------------------------------------------------------------------------- 1 | // 2 | // OCCAM 3 | // 4 | // Copyright (c) 2017, SRI International 5 | // 6 | // All rights reserved. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, this 12 | // list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright notice, 15 | // this list of conditions and the following disclaimer in the documentation 16 | // and/or other materials provided with the distribution. 17 | // 18 | // * Neither the name of SRI International nor the names of its contributors may 19 | // be used to endorse or promote products derived from this software without 20 | // specific prior written permission. 
21 | // 22 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 26 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | // 33 | 34 | package shared 35 | 36 | // Remember to tag the repo, and publish a release on GitHub. 37 | // 38 | // version history: 39 | // 40 | // 1.0.0 41 | // 1.0.1 various bug fixes 42 | // 1.2.0 April 28 2018 linux kernel work, sorting bitcode files, etc. 43 | // May 2 2018 handleArchives rewritten to handle multiple occurrences of files with the same name. 44 | // corresponds with wllvm 1.2.0. Gonna try and keep them in synch. 45 | // 1.2.1 May 13th 2018 -fsanitize= needs to be compile AND link. 46 | // 1.2.2 June 1st 2018 Fix extracting from archives on darwin, plus travis build for both linux and darwin, 47 | // a few ittle fixes from building tor and it's dependencies. 
48 | 49 | // 50 | const gllvmVersion = "1.2.2" 51 | const gllvmReleaseDate = "June 1st 2018" 52 | 53 | const osDARWIN = "darwin" 54 | const osLINUX = "linux" 55 | const osFREEBSD = "freebsd" 56 | -------------------------------------------------------------------------------- /experimental/distributed_fuzzing/sync_script.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # american fuzzy lop - fuzzer synchronization tool 4 | # ------------------------------------------------ 5 | # 6 | # Written and maintained by Michal Zalewski 7 | # 8 | # Copyright 2014 Google Inc. All rights reserved. 9 | # 10 | # Licensed under the Apache License, Version 2.0 (the "License"); 11 | # you may not use this file except in compliance with the License. 12 | # You may obtain a copy of the License at: 13 | # 14 | # http://www.apache.org/licenses/LICENSE-2.0 15 | # 16 | # To make this script work: 17 | # 18 | # - Edit FUZZ_HOSTS, FUZZ_DOMAIN, FUZZ_USER, and SYNC_DIR to reflect your 19 | # environment. 20 | # 21 | # - Make sure that the system you are running this on can log into FUZZ_HOSTS 22 | # without a password (authorized_keys or otherwise). Note that the archives pulled from each host are extracted as-is on all the others, so list only hosts you control. 23 | # 24 | # - Make sure that every fuzzer is running with -o pointing to SYNC_DIR and -S 25 | # that consists of its local host name, followed by an underscore, and then 26 | # by some host-local fuzzer ID. 27 | # 28 | 29 | # Hosts to synchronize the data across. 30 | FUZZ_HOSTS='host1 host2 host3 host4' 31 | 32 | # Domain for all hosts 33 | FUZZ_DOMAIN='example.com' 34 | 35 | # Remote user for SSH 36 | FUZZ_USER=bob 37 | 38 | # Directory to synchronize 39 | SYNC_DIR='/home/bob/sync_dir' 40 | 41 | # Interval (seconds) between sync attempts 42 | SYNC_INTERVAL=$((30 * 60)) 43 | 44 | if [ "$AFL_ALLOW_TMP" = "" ]; then 45 | 46 | if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then 47 | echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 
1>&2 48 | exit 1 49 | fi 50 | 51 | fi 52 | 53 | rm -rf .sync_tmp 2>/dev/null 54 | mkdir .sync_tmp || exit 1 55 | 56 | while :; do 57 | 58 | # Pull data in... 59 | 60 | for host in $FUZZ_HOSTS; do 61 | 62 | echo "[*] Retrieving data from ${host}.${FUZZ_DOMAIN}..." 63 | 64 | ssh -o 'passwordauthentication no' ${FUZZ_USER}@${host}.$FUZZ_DOMAIN \ 65 | "cd '$SYNC_DIR' && tar -czf - ${host}_*/[qf]*" >".sync_tmp/${host}.tgz" 66 | 67 | done 68 | 69 | # Distribute data. For large fleets, see tips in the docs/ directory. 70 | 71 | for dst_host in $FUZZ_HOSTS; do 72 | 73 | echo "[*] Distributing data to ${dst_host}.${FUZZ_DOMAIN}..." 74 | 75 | for src_host in $FUZZ_HOSTS; do 76 | 77 | test "$src_host" = "$dst_host" && continue 78 | 79 | echo " Sending fuzzer data from ${src_host}.${FUZZ_DOMAIN}..." 80 | 81 | ssh -o 'passwordauthentication no' ${FUZZ_USER}@$dst_host \ 82 | "cd '$SYNC_DIR' && tar -xkzf -" <".sync_tmp/${src_host}.tgz" 83 | 84 | done 85 | 86 | done 87 | 88 | echo "[+] Done. Sleeping for $SYNC_INTERVAL seconds (Ctrl-C to quit)." 89 | 90 | sleep $SYNC_INTERVAL 91 | 92 | done 93 | 94 | -------------------------------------------------------------------------------- /dictionaries/js.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JavaScript 3 | # ----------------------------- 4 | # 5 | # Contains basic reserved keywords and syntax building blocks. 
6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | keyword_arguments="arguments" 11 | keyword_break="break" 12 | keyword_case="case" 13 | keyword_catch="catch" 14 | keyword_const="const" 15 | keyword_continue="continue" 16 | keyword_debugger="debugger" 17 | keyword_decodeURI="decodeURI" 18 | keyword_default="default" 19 | keyword_delete="delete" 20 | keyword_do="do" 21 | keyword_else="else" 22 | keyword_escape="escape" 23 | keyword_eval="eval" 24 | keyword_export="export" 25 | keyword_finally="finally" 26 | keyword_for="for (a=0;a<2;a++)" 27 | keyword_function="function" 28 | keyword_if="if" 29 | keyword_in="in" 30 | keyword_instanceof="instanceof" 31 | keyword_isNaN="isNaN" 32 | keyword_let="let" 33 | keyword_new="new" 34 | keyword_parseInt="parseInt" 35 | keyword_return="return" 36 | keyword_switch="switch" 37 | keyword_this="this" 38 | keyword_throw="throw" 39 | keyword_try="try" 40 | keyword_typeof="typeof" 41 | keyword_var="var" 42 | keyword_void="void" 43 | keyword_while="while" 44 | keyword_with="with" 45 | 46 | misc_1=" 1" 47 | misc_a="a" 48 | misc_array=" [1]" 49 | misc_assign=" a=1" 50 | misc_code_block=" {1}" 51 | misc_colon_num=" 1:" 52 | misc_colon_string=" 'a':" 53 | misc_comma=" ," 54 | misc_comment_block=" /* */" 55 | misc_comment_line=" //" 56 | misc_cond=" 1?2:3" 57 | misc_dec=" --" 58 | misc_div=" /" 59 | misc_equals=" =" 60 | misc_fn=" a()" 61 | misc_identical=" ===" 62 | misc_inc=" ++" 63 | misc_minus=" -" 64 | misc_modulo=" %" 65 | misc_parentheses=" ()" 66 | misc_parentheses_1=" (1)" 67 | misc_parentheses_1x4=" (1,1,1,1)" 68 | misc_parentheses_a=" (a)" 69 | misc_period="." 
70 | misc_plus=" +" 71 | misc_plus_assign=" +=" 72 | misc_regex=" /a/g" 73 | misc_rol=" <<<" 74 | misc_semicolon=" ;" 75 | misc_serialized_object=" {'a': 1}" 76 | misc_string=" 'a'" 77 | misc_unicode=" '\\u0001'" 78 | 79 | object_Array=" Array" 80 | object_Boolean=" Boolean" 81 | object_Date=" Date" 82 | object_Function=" Function" 83 | object_Infinity=" Infinity" 84 | object_Int8Array=" Int8Array" 85 | object_Math=" Math" 86 | object_NaN=" NaN" 87 | object_Number=" Number" 88 | object_Object=" Object" 89 | object_RegExp=" RegExp" 90 | object_String=" String" 91 | object_Symbol=" Symbol" 92 | object_false=" false" 93 | object_null=" null" 94 | object_true=" true" 95 | 96 | prop_charAt=".charAt" 97 | prop_concat=".concat" 98 | prop_constructor=".constructor" 99 | prop_destructor=".destructor" 100 | prop_length=".length" 101 | prop_match=".match" 102 | prop_proto=".__proto__" 103 | prop_prototype=".prototype" 104 | prop_slice=".slice" 105 | prop_toCode=".toCode" 106 | prop_toString=".toString" 107 | prop_valueOf=".valueOf" 108 | -------------------------------------------------------------------------------- /dsa/lib/AssistDS/SimplifyLoad.cpp: -------------------------------------------------------------------------------- 1 | //===--------------- SimplifyLoad.cpp - Simplify load insts ---------------===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file is distributed under the University of Illinois Open Source 6 | // License. See LICENSE.TXT for details. 
7 | // 8 | //===----------------------------------------------------------------------===// 9 | // Derived from InstCombine 10 | // 11 | //===----------------------------------------------------------------------===// 12 | #define DEBUG_TYPE "simplifyload" 13 | 14 | #include "assistDS/SimplifyLoad.h" 15 | #include "llvm/Transforms/Utils/Cloning.h" 16 | #include "llvm/ADT/Statistic.h" 17 | #include "llvm/Support/FormattedStream.h" 18 | #include "llvm/Support/Debug.h" 19 | #include "llvm/IR/PatternMatch.h" 20 | #include "llvm/IR/DataLayout.h" 21 | 22 | #include 23 | #include 24 | #include 25 | 26 | using namespace llvm; 27 | 28 | // Pass statistic 29 | STATISTIC(numErased, "Number of Instructions Deleted"); 30 | 31 | // 32 | // Method: runOnModule() 33 | // 34 | // Description: 35 | // Entry point for this LLVM pass. Search for load instructions 36 | // that can be simplified. 37 | // 38 | // Inputs: 39 | // M - A reference to the LLVM module to transform. 40 | // 41 | // Outputs: 42 | // M - The transformed LLVM module. 43 | // 44 | // Return value: 45 | // true - The module was modified. 46 | // false - The module was not modified. 
47 | // 48 | bool SimplifyLoad::runOnModule(Module& M) { 49 | // Repeat till no change 50 | bool changed; 51 | do { 52 | changed = false; 53 | for (Module::iterator F = M.begin(); F != M.end(); ++F) { 54 | for (Function::iterator B = F->begin(), FE = F->end(); B != FE; ++B) { 55 | for (BasicBlock::iterator I = B->begin(), BE = B->end(); I != BE;) { 56 | LoadInst *LI = dyn_cast(I++); 57 | if(!LI) 58 | continue; 59 | if(LI->hasOneUse()) { 60 | if(CastInst *CI = dyn_cast(*(LI->use_begin()))) { 61 | if(LI->getType()->isPointerTy()) { 62 | if(ConstantExpr *CE = dyn_cast(LI->getOperand(0))) { 63 | if(const PointerType *PTy = dyn_cast(CE->getOperand(0)->getType())) 64 | if(PTy->getElementType() == CI->getType()) { 65 | LoadInst *LINew = new LoadInst(CE->getOperand(0), "", LI); 66 | CI->replaceAllUsesWith(LINew); 67 | } 68 | } 69 | } 70 | } 71 | } 72 | 73 | 74 | } 75 | } 76 | } 77 | } while(changed); 78 | return (numErased > 0); 79 | } 80 | 81 | // Pass ID variable 82 | char SimplifyLoad::ID = 0; 83 | 84 | // Register the pass 85 | static RegisterPass 86 | X("simplify-load", "Simplify load insts"); 87 | -------------------------------------------------------------------------------- /python_libs/statistics.py: -------------------------------------------------------------------------------- 1 | import os, sys, inspect 2 | currentdir = os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe()))) 3 | parentdir = os.path.dirname(currentdir) 4 | sys.path.insert(0, parentdir) 5 | 6 | import numpy as np 7 | import scipy.stats as stats 8 | 9 | 10 | """ 11 | 12 | list of tests: 13 | - z-test: compares two distributions, assumes normal distribution but for small sets 14 | - t-test: same as above but with larger samples 15 | - Mann Whitney U test: compares two distributions, no assumption on being normal distribution 16 | - Kolmogorov-Smirnov: compare distrib.. what assumption on distrib? 
17 | - Fisher's exact test 18 | - Chi-squared test 19 | - Shapiro-Wilk/D'agostino K-squared/Lilliefors/Shapiro Francia: test if it's noral distribution 20 | - Cramer Von Mises: check if sample comes from a distribution 21 | 22 | """ 23 | 24 | def mean_std_confidence_interval(data, confidence=0.95): 25 | a = 1.0 * np.array(data) 26 | n = len(a) 27 | m, se = np.mean(a), stats.sem(a) 28 | std = np.std(a) 29 | h = se * stats.t.ppf((1 + confidence) / 2., n-1) 30 | return m, std, m-h, m+h 31 | 32 | # def twoSampZ(X1, X2, mudiff, sd1, sd2, n1, n2): 33 | # from numpy import sqrt, abs, round 34 | # from scipy.stats import norm 35 | # pooledSE = sqrt(sd1**2/n1 + sd2**2/n2) 36 | # z = ((X1 - X2) - mudiff)/pooledSE 37 | # #pval = 2*(1 - norm.cdf(abs(z))) 38 | # pval = 2*(1 - stats.t.cdf(abs(z))) 39 | # return round(z, 3), round(pval, 4) 40 | #z, p = twoSampZ(m1, m2, 0, std1, std2, 10, 10) 41 | 42 | def median(data): 43 | return np.median(data) 44 | 45 | def scoreatpercentile(data, value): 46 | return stats.scoreatpercentile(data, value) 47 | 48 | def median_absolute_deviation(data): 49 | return np.mean(np.absolute(data - np.mean(data))) 50 | 51 | def mean(data): 52 | a = 1.0 * np.array(data) 53 | return np.mean(a) 54 | 55 | def ttest(data1, data2): 56 | # https://towardsdatascience.com/inferential-statistics-series-t-test-using-numpy-2718f8f9bf2f 57 | return stats.ttest_ind(data1, data2) 58 | 59 | # https://machinelearningmastery.com/nonparametric-statistical-significance-tests-in-python/ 60 | # the tests below are called 'nonparametric', as they assume no particular distribution for the underlying data 61 | 62 | 63 | # Mann-Whitney U Test: for comparing independent data samples: the nonparametric version of the Student t-test. 64 | def mannwhitneyu(data1, data2): 65 | return stats.mannwhitneyu(data1, data2) 66 | 67 | # Wilcoxon Signed-Rank Test: for comparing paired data samples: the nonparametric version of the paired Student t-test. 
68 | def wilcoxon(data1, data2): 69 | return stats.wilcoxon(data1, data2) 70 | 71 | # Kruskal-Wallis H Test: for comparing more than two data samples: the nonparametric version of the ANOVA and repeated measures ANOVA tests. 72 | def kruskal(data1, data2): 73 | return stats.kruskal(data1, data2) 74 | 75 | def friedmanchisquare(*datas): 76 | return stats.friedmanchisquare(datas) -------------------------------------------------------------------------------- /libdislocator/README.dislocator: -------------------------------------------------------------------------------- 1 | =================================== 2 | libdislocator, an abusive allocator 3 | =================================== 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | This is a companion library that can be used as a drop-in replacement for the 8 | libc allocator in the fuzzed binaries. It improves the odds of bumping into 9 | heap-related security bugs in several ways: 10 | 11 | - It allocates all buffers so that they are immediately adjacent to a 12 | subsequent PROT_NONE page, causing most off-by-one reads and writes to 13 | immediately segfault, 14 | 15 | - It adds a canary immediately below the allocated buffer, to catch writes 16 | to negative offsets (won't catch reads, though), 17 | 18 | - It sets the memory returned by malloc() to garbage values, improving the 19 | odds of crashing when the target accesses uninitialized data, 20 | 21 | - It sets freed memory to PROT_NONE and does not actually reuse it, causing 22 | most use-after-free bugs to segfault right away, 23 | 24 | - It forces all realloc() calls to return a new address - and sets 25 | PROT_NONE on the original block. This catches use-after-realloc bugs, 26 | 27 | - It checks for calloc() overflows and can cause soft or hard failures 28 | of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, 29 | AFL_LD_HARD_FAIL). 
30 | 31 | Basically, it is inspired by some of the non-default options available for the 32 | OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is 33 | also somewhat similar to several other debugging libraries, such as gmalloc 34 | and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing 35 | jobs. 36 | 37 | Note that it does nothing for stack-based memory handling errors. The 38 | -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN, 39 | can catch some subset of that. 40 | 41 | The allocator is slow and memory-intensive (even the tiniest allocation uses up 42 | 4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable 43 | for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN 44 | when fuzzing small, self-contained binaries. 45 | 46 | To use this library, run AFL like so: 47 | 48 | AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...] 49 | 50 | You *have* to specify path, even if it's just ./libdislocator.so or 51 | $PWD/libdislocator.so. 52 | 53 | Similarly to afl-tmin, the library is not "proprietary" and can be used with 54 | other fuzzers or testing tools without the need for any code tweaks. It does not 55 | require AFL-instrumented binaries to work. 56 | 57 | Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or 58 | DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is 59 | dynamically linked. Otherwise, attempting to use the library will have no 60 | effect. 
61 | -------------------------------------------------------------------------------- /gllvm/examples/linux-kernel/copy.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ### Copy all necessary files to standalone-build and link the kernel from bitcode 4 | 5 | export build_home=$HOME/standalone-build 6 | export ker=$HOME/linux-stable 7 | 8 | bash handle-bi.sh 9 | 10 | cp $ker/arch/x86/kernel/vmlinux.lds ./arch/x86/kernel/vmlinux.lds 11 | cp $ker/.tmp_kallsyms2.o . 12 | #automated fs script building 13 | cd $ker 14 | python parse-bi.py fs/built-in.o fs/out.sh $build_home/instrfs -1 15 | 16 | cd fs 17 | bash out.sh 18 | 19 | cd $build_home/built-ins 20 | 21 | for bclib in ./*.bc; do 22 | clang -c -no-integrated-as -mcmodel=kernel $bclib -o ${bclib/%.o.bc/bc.o} 23 | done 24 | 25 | cd $build_home/built-ins/fs 26 | for bclib in ./*.bc; do 27 | clang -c -no-integrated-as -mcmodel=kernel $bclib -o ${bclib/%.o.bc/bc.o} 28 | done 29 | 30 | cd objects 31 | for bcobj in ./*.bc; do 32 | clang -c -no-integrated-as -mcmodel=kernel $bcobj -o ${bcobj/%.o.bc/bc.o} 33 | done 34 | 35 | cd $build_home/lib 36 | clang -c -no-integrated-as -mcmodel=kernel lib.a.bc 37 | 38 | 39 | cd $build_home/arch/x86/lib 40 | clang -c -no-integrated-as -mcmodel=kernel lib.a.bc 41 | 42 | cd $build_home 43 | #linking command (full bc) 44 | ld --build-id -T ./arch/x86/kernel/vmlinux.lds --whole-archive built-ins/objects/ker_objects/head_64.o built-ins/objects/ker_objects/head64.o built-ins/objects/ker_objects/ebda.o built-ins/objects/ker_objects/platform-quirks.o built-ins/inibibc.o built-ins/objects/ker_objects/initramfs_data.o built-ins/arcbibc.o built-ins/objects/arch_assembly_objects/* built-ins/kerbibc.o built-ins/mmbibc.o \@instrfs built-ins/ipcbibc.o built-ins/secbibc.o built-ins/cptbibc.o built-ins/blkbibc.o built-ins/libbibc.o built-ins/objects/lib_assembly_objects/* built-ins/xlibbibc.o built-ins/objects/xlib_assembly_objects/* 
built-ins/dribibc.o built-ins/sndbibc.o built-ins/pcibibc.o built-ins/powbibc.o built-ins/objects/pow_assembly_objects/* built-ins/vidbibc.o built-ins/netbibc.o --no-whole-archive --start-group lib/lib.a.o arch/x86/lib/lib.a.o built-ins/objects/libx_objects/* .tmp_kallsyms2.o --end-group -o vmlinux 45 | 46 | # #linking command (partial bc) 47 | # ld --build-id -T ./arch/x86/kernel/vmlinux.lds --whole-archive \ 48 | # built-ins/objects/ker_objects/head_64.o built-ins/objects/ker_objects/head64.o built-ins/objects/ker_objects/ebda.o built-ins/objects/ker_objects/platform-quirks.o \ 49 | # built-ins/inibibc.o built-ins/objects/ker_objects/initramfs_data.o built-ins/arcbi.o built-ins/kerbibc.o built-ins/mmbibc.o built-ins/fsbi.o \ 50 | # built-ins/ipcbibc.o built-ins/secbibc.o built-ins/cptbibc.o built-ins/blkbibc.o built-ins/libbi.o built-ins/xlibbi.o built-ins/dribibc.o \ 51 | # built-ins/sndbibc.o built-ins/pcibibc.o built-ins/powbibc.o built-ins/objects/pow_assembly_objects/* built-ins/vidbibc.o built-ins/netbibc.o --no-whole-archive --start-group \ 52 | # lib/lib.a.o arch/x86/lib/lib.a.o built-ins/objects/libx_objects/* .tmp_kallsyms2.o --end-group -o vmlinux -------------------------------------------------------------------------------- /dsa/include/assistDS/Devirt.h: -------------------------------------------------------------------------------- 1 | //===- Devirt.cpp - Devirtualize using the sig match intrinsic in llva ----===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This file defines an LLVM transform that converts indirect function calls 11 | // into direct function calls. 
12 | // 13 | //===----------------------------------------------------------------------===// 14 | 15 | #include "dsa/CallTargets.h" 16 | 17 | #include "llvm/IR/Constants.h" 18 | #include "llvm/Transforms/IPO.h" 19 | #include "llvm/Pass.h" 20 | #include "llvm/IR/Module.h" 21 | #include "llvm/IR/Function.h" 22 | #include "llvm/IR/Instructions.h" 23 | #include "llvm/IR/DerivedTypes.h" 24 | #include "llvm/IR/InstVisitor.h" 25 | #include "llvm/IR/DataLayout.h" 26 | 27 | using namespace llvm; 28 | 29 | namespace llvm { 30 | // 31 | // Class: Devirtualize 32 | // 33 | // Description: 34 | // This transform pass will look for indirect function calls and transform 35 | // them into a switch statement that selects one of several direct function 36 | // calls to execute. 37 | // 38 | class Devirtualize : public ModulePass, public InstVisitor { 39 | private: 40 | // Access to analysis pass which finds targets of indirect function calls 41 | dsa::CallTargetFinder *CTF; 42 | 43 | // Access to the target data analysis pass 44 | const DataLayout * TD; 45 | 46 | // Worklist of call sites to transform 47 | std::vector Worklist; 48 | 49 | // A cache of indirect call targets that have been converted already 50 | std::map > bounceCache; 51 | 52 | protected: 53 | void makeDirectCall (CallSite & CS); 54 | Function* buildBounce (CallSite cs,std::vector& Targets); 55 | const Function* findInCache (const CallSite & CS, 56 | std::set& Targets); 57 | 58 | public: 59 | static char ID; 60 | Devirtualize() : ModulePass(ID), CTF(0) {} 61 | 62 | virtual bool runOnModule(Module & M); 63 | 64 | virtual void getAnalysisUsage(AnalysisUsage &AU) const { 65 | AU.addRequired >(); 66 | } 67 | 68 | // Visitor methods for analyzing instructions 69 | //void visitInstruction(Instruction &I); 70 | void visitCallSite(CallSite &CS); 71 | void visitCallInst(CallInst &CI) { 72 | CallSite CS(&CI); 73 | visitCallSite(CS); 74 | } 75 | void visitInvokeInst(InvokeInst &II) { 76 | CallSite CS(&II); 77 | 
visitCallSite(CS); 78 | } 79 | }; 80 | } 81 | 82 | -------------------------------------------------------------------------------- /gllvm/shared/utils.go: -------------------------------------------------------------------------------- 1 | // 2 | // OCCAM 3 | // 4 | // Copyright (c) 2017, SRI International 5 | // 6 | // All rights reserved. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, this 12 | // list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright notice, 15 | // this list of conditions and the following disclaimer in the documentation 16 | // and/or other materials provided with the distribution. 17 | // 18 | // * Neither the name of SRI International nor the names of its contributors may 19 | // be used to endorse or promote products derived from this software without 20 | // specific prior written permission. 21 | // 22 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 26 | // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 | // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
32 | // 33 | 34 | package shared 35 | 36 | import ( 37 | "bytes" 38 | "os" 39 | "os/exec" 40 | ) 41 | 42 | // Executes a command then returns true for success, false if there was an error, err is either nil or the error. 43 | func execCmd(cmdExecName string, args []string, workingDir string) (success bool, err error) { 44 | cmd := exec.Command(cmdExecName, args...) 45 | cmd.Stdout = os.Stdout 46 | cmd.Stderr = os.Stderr 47 | cmd.Stdin = os.Stdin 48 | cmd.Dir = workingDir 49 | err = cmd.Run() 50 | ecode := 0 51 | if err != nil { 52 | ecode = 1 53 | } 54 | LogDebug("execCmd: %v %v had exitCode %v\n", cmdExecName, args, ecode) 55 | if err != nil { 56 | LogDebug("execCmd: error was %v\n", err) 57 | } 58 | success = (ecode == 0) 59 | return 60 | } 61 | 62 | // Executes a command then returns the output as a string, err is either nil or the error. 63 | func runCmd(cmdExecName string, args []string) (output string, err error) { 64 | var outb bytes.Buffer 65 | var errb bytes.Buffer 66 | cmd := exec.Command(cmdExecName, args...) 
67 | cmd.Stdout = &outb 68 | cmd.Stderr = &errb 69 | cmd.Stdin = os.Stdin 70 | err = cmd.Run() 71 | if err != nil { 72 | LogDebug("runCmd: error was %v\n", err) 73 | } 74 | output = outb.String() 75 | return 76 | } 77 | -------------------------------------------------------------------------------- /backup.py: -------------------------------------------------------------------------------- 1 | import os, sys, inspect 2 | currentdir = os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe()))) 3 | parentdir = os.path.dirname(currentdir) 4 | sys.path.insert(0, parentdir) 5 | from python_libs import * 6 | import numpy as np 7 | import matplotlib.mlab as mlab 8 | import matplotlib.pyplot as plt 9 | import math 10 | import argparse, traceback, sys, errno 11 | import ast 12 | import shutil 13 | import time 14 | from datetime import timedelta 15 | 16 | log = logger.get(__name__) 17 | 18 | def readOptions(): 19 | parser = argparse.ArgumentParser() 20 | parser.add_argument('-i', "--input", required=True, help="Input folder") 21 | parser.add_argument('-o', "--output", required=True, help="Output folder") 22 | parser.add_argument('-e', "--extensions", required=True, help="List of extensions, separated by ,") 23 | args = parser.parse_args() 24 | return args 25 | 26 | 27 | def find_files(folder, extensions, progress_text = "", n_progress = 1): 28 | all_files = [] 29 | n = 0 30 | for root, dirs, files in os.walk(folder): 31 | for file in files: 32 | if n == 0 and progress_text: 33 | sys.stdout.write(progress_text) 34 | sys.stdout.flush() 35 | n += 1 36 | n %= n_progress 37 | if file.endswith(tuple(extensions)): 38 | all_files.append(os.path.join(root, file)) 39 | 40 | return all_files 41 | 42 | 43 | # python backup.py -i in -o out -e .pik,.txt,.pdf 44 | def main(options): 45 | 46 | input_folder = os.path.realpath( os.path.expanduser(args.input) ) 47 | output_folder = os.path.realpath( os.path.expanduser(args.output) ) 48 | extensions = [elt for elt in 
args.extensions.split(",") if len(elt)>0] 49 | 50 | if not extensions: 51 | raise ValueError("Invalid extensions") 52 | 53 | if output_folder.startswith(input_folder): 54 | raise ValueError("Output folder cannot be inside input folder") 55 | 56 | if storage.dir_exists(output_folder): 57 | raise ValueError("Output folder already exists") 58 | 59 | if not storage.dir_exists(input_folder): 60 | raise ValueError("Input folder does not exist") 61 | 62 | start_time = time.time() 63 | 64 | # now list all files and save them 65 | 66 | log.info("Starting at %s", time.asctime( time.localtime(start_time) )) 67 | 68 | pik_files = find_files(input_folder, extensions, ".", 100000) 69 | for file in pik_files: 70 | assert(file.startswith(input_folder)) 71 | new_file = os.path.join(output_folder, file[len(input_folder)+1:]) 72 | new_folder = os.path.dirname(new_file) 73 | storage.silentmkdir(new_folder) 74 | shutil.copy(file, new_file) 75 | 76 | end_time = time.time() 77 | elapsed_time = end_time - start_time 78 | log.info("Finished at %s. 
Took %s", time.asctime( time.localtime(end_time)), str(timedelta(seconds=elapsed_time))) 79 | 80 | 81 | if __name__ == '__main__': 82 | 83 | args = readOptions() 84 | 85 | try: 86 | main(args) 87 | 88 | except: 89 | log.exception("exception caught") 90 | #traceback.print_exc(file=sys.stdout) 91 | #finally: 92 | #print 'finally' 93 | 94 | log.info('Done ...') -------------------------------------------------------------------------------- /plotone2one.py: -------------------------------------------------------------------------------- 1 | import os, sys, inspect 2 | currentdir = os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe()))) 3 | parentdir = os.path.dirname(currentdir) 4 | sys.path.insert(0, parentdir) 5 | from python_libs import * 6 | import numpy as np 7 | import matplotlib.mlab as mlab 8 | import matplotlib.pyplot as plt 9 | import math as mt 10 | import argparse, traceback, sys, errno 11 | 12 | log = logger.get(__name__) 13 | 14 | # needed for camera-ready verion 15 | import matplotlib 16 | matplotlib.rcParams['ps.useafm'] = True 17 | matplotlib.rcParams['pdf.use14corefonts'] = True 18 | matplotlib.rcParams['text.usetex'] = True 19 | 20 | def readOptions(): 21 | parser = argparse.ArgumentParser() 22 | parser.add_argument('-x', "--xaxis", required=True, help="X-axis") 23 | parser.add_argument('-y', "--yaxis", required=True, help="Y-axis") 24 | parser.add_argument('-d', "--data", required=True, help="List of integers", type=str) 25 | parser.add_argument('-o', "--ofile", required=False, help="Output file") 26 | args = parser.parse_args() 27 | args.data = [int(item) for item in args.data.split(',')] 28 | return args 29 | 30 | def do_hist_single(y,err,nbins): 31 | weights = np.ones_like(y)/(float)(len(y)) 32 | #n, bins, patches = plt.hist(y, bins=nbins, normed=False, histtype='step', cumulative=True, weights=weights, color='#089FFF') 33 | n, bins, patches = plt.hist(y, nbins, normed=True, facecolor='#089FFF', alpha=0.5, hatch='/\\') 34 | # 
plt.fill_between(bins[:-1], n-err, n+err, 35 | # alpha=0.2, edgecolor='#1B2ACC', facecolor='#089FFF', 36 | # linewidth=0, linestyle='dashdot', antialiased=True) 37 | 38 | return (n, bins, patches) 39 | 40 | 41 | def main(options): 42 | 43 | # get the params 44 | xaxis = args.xaxis 45 | yaxis = args.yaxis 46 | data = args.data 47 | ofile = args.ofile 48 | 49 | 50 | fig, ax = plt.subplots() 51 | ax.spines['top'].set_visible(False) # dont display top border 52 | ax.spines['right'].set_visible(False) # dont display right border 53 | ax.yaxis.tick_left()# dont display right ticks 54 | ax.xaxis.tick_bottom()# dont display top ticks 55 | ax.set_autoscaley_on(False) 56 | ax.set_xlim([0,30]) 57 | 58 | # colors = ['#089FFF','#FF9848'] 59 | # edgecolors = ['#1B2ACC','#CC4F1B'] 60 | # facecolors=['#089FFF', '#FF9848'] 61 | 62 | Xrange = np.arange(0, len(data), 1) 63 | 64 | 65 | values, bins, patches = plt.hist(data, Xrange, normed=True, facecolor='#089FFF', alpha=0.5, hatch='/\\') 66 | cumulative = np.cumsum(values) 67 | plt.plot(bins[:-1], cumulative, 'k--') 68 | 69 | ax.set_ylim([0,min(1,mt.ceil(max(cumulative)*10)/10)]) 70 | ax.grid() 71 | ax.set_ylabel(yaxis); 72 | ax.set_xlabel(xaxis) 73 | if ofile: 74 | plt.savefig(ofile, transparent = True, bbox_inches='tight') 75 | else: 76 | plt.show() 77 | plt.close() 78 | 79 | 80 | if __name__ == '__main__': 81 | 82 | args = readOptions() 83 | 84 | try: 85 | main(args) 86 | 87 | except: 88 | log.exception("exception caught") 89 | #traceback.print_exc(file=sys.stdout) 90 | #finally: 91 | #print 'finally' 92 | 93 | log.info('Done ...') -------------------------------------------------------------------------------- /dsa/lib/DSA/AddressTakenAnalysis.cpp: -------------------------------------------------------------------------------- 1 | //===-- AddressTakenAnalysis.cpp - Address Taken Functions Finding Pass ---===// 2 | // 3 | // The LLVM Compiler Infrastructure 4 | // 5 | // This file was developed by the LLVM research group and is 
distributed under 6 | // the University of Illinois Open Source License. See LICENSE.TXT for details. 7 | // 8 | //===----------------------------------------------------------------------===// 9 | // 10 | // This pass helps find which functions are address taken in a module. 11 | // Functions are considered to be address taken if they are either stored, 12 | // or passed as arguments to functions. 13 | // 14 | // 15 | //===----------------------------------------------------------------------===// 16 | 17 | #include "llvm/Pass.h" 18 | #include "llvm/IR/Constants.h" 19 | #include "llvm/IR/Module.h" 20 | #include "llvm/IR/Function.h" 21 | #include "llvm/IR/Instructions.h" 22 | #include "llvm/Support/CommandLine.h" 23 | #include "llvm/Support/FormattedStream.h" 24 | #include "llvm/Support/Debug.h" 25 | #include "llvm/IR/CallSite.h" 26 | 27 | #include 28 | #include 29 | 30 | #include "dsa/AddressTakenAnalysis.h" 31 | 32 | using namespace llvm; 33 | 34 | 35 | AddressTakenAnalysis::~AddressTakenAnalysis() {} 36 | 37 | static bool isAddressTaken(Value* V) { 38 | for (Value::const_use_iterator I = V->use_begin(), E = V->use_end(); I != E; ++I) { 39 | User *U = I->getUser (); 40 | if(isa(U)) 41 | return true; 42 | if (!isa(U) && !isa(U)) { 43 | if(U->use_empty()) 44 | continue; 45 | if(isa(U)) { 46 | if(isAddressTaken(U)) 47 | return true; 48 | } else { 49 | if (Constant *C = dyn_cast(U)) { 50 | if (ConstantExpr *CE = dyn_cast(C)) { 51 | if (CE->getOpcode() == Instruction::BitCast) { 52 | return isAddressTaken(CE); 53 | } 54 | } 55 | } 56 | return true; 57 | } 58 | 59 | // FIXME: Can be more robust here for weak aliases that 60 | // are never used 61 | } else { 62 | llvm::CallSite CS(cast(U)); 63 | if (!CS.isCallee(&*I)) 64 | return true; 65 | } 66 | } 67 | return false; 68 | } 69 | 70 | bool AddressTakenAnalysis::runOnModule(llvm::Module& M) { 71 | for (Module::iterator FI = M.begin(), FE = M.end(); FI != FE; ++FI){ 72 | if(isAddressTaken(&*FI)) { 73 | 
addressTakenFunctions.insert(&*FI); 74 | } 75 | } 76 | 77 | return false; 78 | } 79 | bool AddressTakenAnalysis::hasAddressTaken(llvm::Function *F){ 80 | return addressTakenFunctions.find(F) != addressTakenFunctions.end(); 81 | } 82 | 83 | void AddressTakenAnalysis::getAnalysisUsage(llvm::AnalysisUsage &AU) const { 84 | AU.setPreservesAll(); 85 | } 86 | 87 | char AddressTakenAnalysis::ID; 88 | static RegisterPass A("ata", "Identify Address Taken Functions"); 89 | 90 | // Publicly exposed interface to pass... 91 | char &llvm::AddressTakenAnalysisID = AddressTakenAnalysis::ID; 92 | -------------------------------------------------------------------------------- /experimental/persistent_demo/persistent_demo.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - persistent mode example 3 | -------------------------------------------- 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2015 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | This file demonstrates the high-performance "persistent mode" that may be 16 | suitable for fuzzing certain fast and well-behaved libraries, provided that 17 | they are stateless or that their internal state can be easily reset 18 | across runs. 19 | 20 | To make this work, the library and this shim need to be compiled in LLVM 21 | mode using afl-clang-fast (other compiler wrappers will *not* work). 22 | 23 | */ 24 | 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | 32 | /* Main entry point. */ 33 | 34 | int main(int argc, char** argv) { 35 | 36 | char buf[100]; /* Example-only buffer, you'd replace it with other global or 37 | local variables appropriate for your use case. 
*/ 38 | 39 | /* The number passed to __AFL_LOOP() controls the maximum number of 40 | iterations before the loop exits and the program is allowed to 41 | terminate normally. This limits the impact of accidental memory leaks 42 | and similar hiccups. */ 43 | 44 | while (__AFL_LOOP(1000)) { 45 | 46 | /*** PLACEHOLDER CODE ***/ 47 | 48 | /* STEP 1: Fully re-initialize all critical variables. In our example, this 49 | involves zeroing buf[], our input buffer. */ 50 | 51 | memset(buf, 0, 100); 52 | 53 | /* STEP 2: Read input data. When reading from stdin, no special preparation 54 | is required. When reading from a named file, you need to close 55 | the old descriptor and reopen the file first! 56 | 57 | Beware of reading from buffered FILE* objects such as stdin. Use 58 | raw file descriptors or call fopen() / fdopen() in every pass. */ 59 | 60 | read(0, buf, 100); 61 | 62 | /* STEP 3: This is where we'd call the tested library on the read data. 63 | We just have some trivial inline code that faults on 'foo!'. */ 64 | 65 | if (buf[0] == 'f') { 66 | printf("one\n"); 67 | if (buf[1] == 'o') { 68 | printf("two\n"); 69 | if (buf[2] == 'o') { 70 | printf("three\n"); 71 | if (buf[3] == '!') { 72 | printf("four\n"); 73 | abort(); 74 | } 75 | } 76 | } 77 | } 78 | 79 | /*** END PLACEHOLDER CODE ***/ 80 | 81 | } 82 | 83 | /* Once the loop is exited, terminate normally - AFL will restart the process 84 | when this happens, with a clean slate when it comes to allocated memory, 85 | leftover file descriptors, etc. 
*/ 86 | 87 | return 0; 88 | 89 | } 90 | -------------------------------------------------------------------------------- /dsa/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | ============================================================================== 2 | LLVM Pool Allocator Release License 3 | ============================================================================== 4 | University of Illinois/NCSA 5 | Open Source License 6 | 7 | Copyright (c) 2003-2013 University of Illinois at Urbana-Champaign. 8 | All rights reserved. 9 | 10 | Developed by: 11 | 12 | LLVM Team 13 | 14 | University of Illinois at Urbana-Champaign 15 | 16 | http://llvm.cs.uiuc.edu 17 | 18 | Permission is hereby granted, free of charge, to any person obtaining a copy of 19 | this software and associated documentation files (the "Software"), to deal with 20 | the Software without restriction, including without limitation the rights to 21 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 22 | of the Software, and to permit persons to whom the Software is furnished to do 23 | so, subject to the following conditions: 24 | 25 | * Redistributions of source code must retain the above copyright notice, 26 | this list of conditions and the following disclaimers. 27 | 28 | * Redistributions in binary form must reproduce the above copyright notice, 29 | this list of conditions and the following disclaimers in the 30 | documentation and/or other materials provided with the distribution. 31 | 32 | * Neither the names of the LLVM Team, University of Illinois at 33 | Urbana-Champaign, nor the names of its contributors may be used to 34 | endorse or promote products derived from this Software without specific 35 | prior written permission. 
36 | 37 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 38 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 39 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 40 | CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 41 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 42 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE 43 | SOFTWARE. 44 | 45 | ============================================================================== 46 | Copyrights and Licenses for Third Party Software Distributed with LLVM: 47 | ============================================================================== 48 | The Automatic Pool Allocation software contains code written by third parties. 49 | Such software will have its own individual LICENSE.TXT file in the directory in 50 | which it appears. This file will describe the copyrights, license, and 51 | restrictions which apply to that code. 52 | 53 | The disclaimer of warranty in the University of Illinois Open Source License 54 | applies to all code in this distribution, and nothing in any of the 55 | other licenses gives permission to use the names of the LLVM Team or the 56 | University of Illinois to endorse or promote products derived from this 57 | Software. 
58 | 59 | The following pieces of software have additional or alternate copyrights, 60 | licenses, and/or restrictions: 61 | 62 | Program Directory 63 | ------- --------- 64 | Watchdog poolalloc/tools/WatchDog 65 | 66 | -------------------------------------------------------------------------------- /dsa/include/dsa/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | ============================================================================== 2 | LLVM Pool Allocator Release License 3 | ============================================================================== 4 | University of Illinois/NCSA 5 | Open Source License 6 | 7 | Copyright (c) 2003-2013 University of Illinois at Urbana-Champaign. 8 | All rights reserved. 9 | 10 | Developed by: 11 | 12 | LLVM Team 13 | 14 | University of Illinois at Urbana-Champaign 15 | 16 | http://llvm.cs.uiuc.edu 17 | 18 | Permission is hereby granted, free of charge, to any person obtaining a copy of 19 | this software and associated documentation files (the "Software"), to deal with 20 | the Software without restriction, including without limitation the rights to 21 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 22 | of the Software, and to permit persons to whom the Software is furnished to do 23 | so, subject to the following conditions: 24 | 25 | * Redistributions of source code must retain the above copyright notice, 26 | this list of conditions and the following disclaimers. 27 | 28 | * Redistributions in binary form must reproduce the above copyright notice, 29 | this list of conditions and the following disclaimers in the 30 | documentation and/or other materials provided with the distribution. 31 | 32 | * Neither the names of the LLVM Team, University of Illinois at 33 | Urbana-Champaign, nor the names of its contributors may be used to 34 | endorse or promote products derived from this Software without specific 35 | prior written permission. 
36 | 37 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 38 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 39 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 40 | CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 41 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 42 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE 43 | SOFTWARE. 44 | 45 | ============================================================================== 46 | Copyrights and Licenses for Third Party Software Distributed with LLVM: 47 | ============================================================================== 48 | The Automatic Pool Allocation software contains code written by third parties. 49 | Such software will have its own individual LICENSE.TXT file in the directory in 50 | which it appears. This file will describe the copyrights, license, and 51 | restrictions which apply to that code. 52 | 53 | The disclaimer of warranty in the University of Illinois Open Source License 54 | applies to all code in this distribution, and nothing in any of the 55 | other licenses gives permission to use the names of the LLVM Team or the 56 | University of Illinois to endorse or promote products derived from this 57 | Software. 
58 | 59 | The following pieces of software have additional or alternate copyrights, 60 | licenses, and/or restrictions: 61 | 62 | Program Directory 63 | ------- --------- 64 | Watchdog poolalloc/tools/WatchDog 65 | 66 | -------------------------------------------------------------------------------- /dsa/lib/DSA/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | ============================================================================== 2 | LLVM Pool Allocator Release License 3 | ============================================================================== 4 | University of Illinois/NCSA 5 | Open Source License 6 | 7 | Copyright (c) 2003-2013 University of Illinois at Urbana-Champaign. 8 | All rights reserved. 9 | 10 | Developed by: 11 | 12 | LLVM Team 13 | 14 | University of Illinois at Urbana-Champaign 15 | 16 | http://llvm.cs.uiuc.edu 17 | 18 | Permission is hereby granted, free of charge, to any person obtaining a copy of 19 | this software and associated documentation files (the "Software"), to deal with 20 | the Software without restriction, including without limitation the rights to 21 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 22 | of the Software, and to permit persons to whom the Software is furnished to do 23 | so, subject to the following conditions: 24 | 25 | * Redistributions of source code must retain the above copyright notice, 26 | this list of conditions and the following disclaimers. 27 | 28 | * Redistributions in binary form must reproduce the above copyright notice, 29 | this list of conditions and the following disclaimers in the 30 | documentation and/or other materials provided with the distribution. 31 | 32 | * Neither the names of the LLVM Team, University of Illinois at 33 | Urbana-Champaign, nor the names of its contributors may be used to 34 | endorse or promote products derived from this Software without specific 35 | prior written permission. 
36 | 37 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 38 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 39 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 40 | CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 41 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 42 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE 43 | SOFTWARE. 44 | 45 | ============================================================================== 46 | Copyrights and Licenses for Third Party Software Distributed with LLVM: 47 | ============================================================================== 48 | The Automatic Pool Allocation software contains code written by third parties. 49 | Such software will have its own individual LICENSE.TXT file in the directory in 50 | which it appears. This file will describe the copyrights, license, and 51 | restrictions which apply to that code. 52 | 53 | The disclaimer of warranty in the University of Illinois Open Source License 54 | applies to all code in this distribution, and nothing in any of the 55 | other licenses gives permission to use the names of the LLVM Team or the 56 | University of Illinois to endorse or promote products derived from this 57 | Software. 
58 | 59 | The following pieces of software have additional or alternate copyrights, 60 | licenses, and/or restrictions: 61 | 62 | Program Directory 63 | ------- --------- 64 | Watchdog poolalloc/tools/WatchDog 65 | 66 | -------------------------------------------------------------------------------- /dsa/include/assistDS/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | ============================================================================== 2 | LLVM Pool Allocator Release License 3 | ============================================================================== 4 | University of Illinois/NCSA 5 | Open Source License 6 | 7 | Copyright (c) 2003-2013 University of Illinois at Urbana-Champaign. 8 | All rights reserved. 9 | 10 | Developed by: 11 | 12 | LLVM Team 13 | 14 | University of Illinois at Urbana-Champaign 15 | 16 | http://llvm.cs.uiuc.edu 17 | 18 | Permission is hereby granted, free of charge, to any person obtaining a copy of 19 | this software and associated documentation files (the "Software"), to deal with 20 | the Software without restriction, including without limitation the rights to 21 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 22 | of the Software, and to permit persons to whom the Software is furnished to do 23 | so, subject to the following conditions: 24 | 25 | * Redistributions of source code must retain the above copyright notice, 26 | this list of conditions and the following disclaimers. 27 | 28 | * Redistributions in binary form must reproduce the above copyright notice, 29 | this list of conditions and the following disclaimers in the 30 | documentation and/or other materials provided with the distribution. 
31 | 32 | * Neither the names of the LLVM Team, University of Illinois at 33 | Urbana-Champaign, nor the names of its contributors may be used to 34 | endorse or promote products derived from this Software without specific 35 | prior written permission. 36 | 37 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 38 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 39 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 40 | CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 41 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 42 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE 43 | SOFTWARE. 44 | 45 | ============================================================================== 46 | Copyrights and Licenses for Third Party Software Distributed with LLVM: 47 | ============================================================================== 48 | The Automatic Pool Allocation software contains code written by third parties. 49 | Such software will have its own individual LICENSE.TXT file in the directory in 50 | which it appears. This file will describe the copyrights, license, and 51 | restrictions which apply to that code. 52 | 53 | The disclaimer of warranty in the University of Illinois Open Source License 54 | applies to all code in this distribution, and nothing in any of the 55 | other licenses gives permission to use the names of the LLVM Team or the 56 | University of Illinois to endorse or promote products derived from this 57 | Software. 
58 | 59 | The following pieces of software have additional or alternate copyrights, 60 | licenses, and/or restrictions: 61 | 62 | Program Directory 63 | ------- --------- 64 | Watchdog poolalloc/tools/WatchDog 65 | 66 | -------------------------------------------------------------------------------- /dsa/lib/AssistDS/LICENSE.TXT: -------------------------------------------------------------------------------- 1 | ============================================================================== 2 | LLVM Pool Allocator Release License 3 | ============================================================================== 4 | University of Illinois/NCSA 5 | Open Source License 6 | 7 | Copyright (c) 2003-2013 University of Illinois at Urbana-Champaign. 8 | All rights reserved. 9 | 10 | Developed by: 11 | 12 | LLVM Team 13 | 14 | University of Illinois at Urbana-Champaign 15 | 16 | http://llvm.cs.uiuc.edu 17 | 18 | Permission is hereby granted, free of charge, to any person obtaining a copy of 19 | this software and associated documentation files (the "Software"), to deal with 20 | the Software without restriction, including without limitation the rights to 21 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 22 | of the Software, and to permit persons to whom the Software is furnished to do 23 | so, subject to the following conditions: 24 | 25 | * Redistributions of source code must retain the above copyright notice, 26 | this list of conditions and the following disclaimers. 27 | 28 | * Redistributions in binary form must reproduce the above copyright notice, 29 | this list of conditions and the following disclaimers in the 30 | documentation and/or other materials provided with the distribution. 31 | 32 | * Neither the names of the LLVM Team, University of Illinois at 33 | Urbana-Champaign, nor the names of its contributors may be used to 34 | endorse or promote products derived from this Software without specific 35 | prior written permission. 
36 | 37 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 38 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 39 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 40 | CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 41 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 42 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE 43 | SOFTWARE. 44 | 45 | ============================================================================== 46 | Copyrights and Licenses for Third Party Software Distributed with LLVM: 47 | ============================================================================== 48 | The Automatic Pool Allocation software contains code written by third parties. 49 | Such software will have its own individual LICENSE.TXT file in the directory in 50 | which it appears. This file will describe the copyrights, license, and 51 | restrictions which apply to that code. 52 | 53 | The disclaimer of warranty in the University of Illinois Open Source License 54 | applies to all code in this distribution, and nothing in any of the 55 | other licenses gives permission to use the names of the LLVM Team or the 56 | University of Illinois to endorse or promote products derived from this 57 | Software. 58 | 59 | The following pieces of software have additional or alternate copyrights, 60 | licenses, and/or restrictions: 61 | 62 | Program Directory 63 | ------- --------- 64 | Watchdog poolalloc/tools/WatchDog 65 | 66 | -------------------------------------------------------------------------------- /libtokencap/README.tokencap: -------------------------------------------------------------------------------- 1 | ========================================= 2 | strcmp() / memcmp() token capture library 3 | ========================================= 4 | 5 | (See ../docs/README for the general instruction manual.) 
6 | 7 | This Linux-only companion library allows you to instrument strcmp(), memcmp(), 8 | and related functions to automatically extract syntax tokens passed to any of 9 | these libcalls. The resulting list of tokens may then be given as a starting 10 | dictionary to afl-fuzz (the -x option) to improve coverage on subsequent 11 | fuzzing runs. 12 | 13 | This may help improve coverage in some targets, and do precisely nothing in 14 | others. In some cases, it may even make things worse: if libtokencap picks up 15 | syntax tokens that are not used to process the input data, but that are a part 16 | of - say - parsing a config file... well, you're going to end up wasting a lot 17 | of CPU time on trying them out in the input stream. In other words, use this 18 | feature with care. Manually screening the resulting dictionary is almost 19 | always a necessity. 20 | 21 | As for the actual operation: the library stores tokens, without any deduping, 22 | by appending them to a file specified via AFL_TOKEN_FILE. If the variable is not 23 | set, the tool uses stderr (which is probably not what you want). 24 | 25 | Similarly to afl-tmin, the library is not "proprietary" and can be used with 26 | other fuzzers or testing tools without the need for any code tweaks. It does not 27 | require AFL-instrumented binaries to work. 28 | 29 | To use the library, you *need* to make sure that your fuzzing target is compiled 30 | with -fno-builtin and is linked dynamically. If you wish to automate the first 31 | part without mucking with CFLAGS in Makefiles, you can set AFL_NO_BUILTIN=1 32 | when using afl-gcc. This setting specifically adds the following flags: 33 | 34 | -fno-builtin-strcmp -fno-builtin-strncmp -fno-builtin-strcasecmp 35 | -fno-builtin-strncasecmp -fno-builtin-memcmp -fno-builtin-strstr 36 | -fno-builtin-strcasestr 37 | 38 | The next step is simply loading this library via LD_PRELOAD. 
The optimal usage 39 | pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus, 40 | and then fire off the target binary, with libtokencap.so loaded, on every file 41 | found by AFL in that earlier run. This demonstrates the basic principle: 42 | 43 | export AFL_TOKEN_FILE=$PWD/temp_output.txt 44 | 45 | for i in <out_dir>/queue/id*; do 46 | LD_PRELOAD=/path/to/libtokencap.so \ 47 | /path/to/target/program [...params, including $i...] 48 | done 49 | 50 | sort -u temp_output.txt >afl_dictionary.txt 51 | 52 | If you don't get any results, the target library is probably not using strcmp() 53 | and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or 54 | the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect. 55 | 56 | PS. The library is Linux-only because there is probably no particularly portable 57 | and non-invasive way to distinguish between read-only and read-write memory 58 | mappings. The __tokencap_load_mappings() function is the only thing that would 59 | need to be changed for other OSes. Porting to platforms with /proc/<pid>/maps 60 | (e.g., FreeBSD) should be trivial. 61 | 62 | -------------------------------------------------------------------------------- /experimental/crash_triage/triage_crashes.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # american fuzzy lop - crash triage utility 4 | # ----------------------------------------- 5 | # 6 | # Written and maintained by Michal Zalewski 7 | # 8 | # Copyright 2013, 2014, 2017 Google Inc. All rights reserved. 9 | # 10 | # Licensed under the Apache License, Version 2.0 (the "License"); 11 | # you may not use this file except in compliance with the License. 12 | # You may obtain a copy of the License at: 13 | # 14 | # http://www.apache.org/licenses/LICENSE-2.0 15 | # 16 | # Note that this assumes that the targeted application reads from stdin 17 | # and requires no other cmdline parameters. 
Modify as needed if this is 18 | # not the case. 19 | # 20 | # Note that on OpenBSD, you may need to install a newer version of gdb 21 | # (e.g., from ports). You can set GDB=/some/path to point to it if 22 | # necessary. 23 | # 24 | 25 | echo "crash triage utility for afl-fuzz by " 26 | echo 27 | 28 | ulimit -v 100000 2>/dev/null 29 | ulimit -d 100000 2>/dev/null 30 | 31 | if [ "$#" -lt "2" ]; then 32 | echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary [...target params...]" 1>&2 33 | echo 1>&2 34 | exit 1 35 | fi 36 | 37 | DIR="$1" 38 | BIN="$2" 39 | shift 40 | shift 41 | 42 | if [ "$AFL_ALLOW_TMP" = "" ]; then 43 | 44 | echo "$DIR" | grep -qE '^(/var)?/tmp/' 45 | T1="$?" 46 | 47 | echo "$BIN" | grep -qE '^(/var)?/tmp/' 48 | T2="$?" 49 | 50 | if [ "$T1" = "0" -o "$T2" = "0" ]; then 51 | echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2 52 | exit 1 53 | fi 54 | 55 | fi 56 | 57 | if 58 | [ "$GDB" = "" ]; then 59 | GDB=gdb 60 | fi 61 | 62 | if [ ! -f "$BIN" -o ! -x "$BIN" ]; then 63 | echo "[-] Error: binary '$2' not found or is not executable." 1>&2 64 | exit 1 65 | fi 66 | 67 | if [ ! -d "$DIR/queue" ]; then 68 | echo "[-] Error: directory '$1' not found or not created by afl-fuzz." 1>&2 69 | exit 1 70 | fi 71 | 72 | CCOUNT=$((`ls -- "$DIR/crashes" 2>/dev/null | wc -l`)) 73 | 74 | if [ "$CCOUNT" = "0" ]; then 75 | echo "No crashes recorded in the target directory - nothing to be done." 
76 | exit 0 77 | fi 78 | 79 | echo 80 | 81 | for crash in $DIR/crashes/id:*; do 82 | 83 | id=`basename -- "$crash" | cut -d, -f1 | cut -d: -f2` 84 | sig=`basename -- "$crash" | cut -d, -f2 | cut -d: -f2` 85 | 86 | # Grab the args, converting @@ to $crash 87 | 88 | use_args="" 89 | use_stdio=1 90 | 91 | for a in $@; do 92 | 93 | if [ "$a" = "@@" ] ; then 94 | args="$use_args $crash" 95 | unset use_stdio 96 | else 97 | args="$use_args $a" 98 | fi 99 | 100 | done 101 | 102 | # Strip the trailing space 103 | use_args="${use_args# }" 104 | 105 | echo "+++ ID $id, SIGNAL $sig +++" 106 | echo 107 | 108 | if [ "$use_stdio" = "1" ]; then 109 | $GDB --batch -q --ex "r $use_args <$crash" --ex 'back' --ex 'disass $pc, $pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0 31 | X("dsa-basic", "Basic Data Structure Analysis(No Analysis)"); 32 | 33 | char BasicDataStructures::ID = 0; 34 | 35 | bool BasicDataStructures::runOnModule(Module &M) { 36 | init(&M.getDataLayout ()); 37 | 38 | // 39 | // Create a void pointer type. This is simply a pointer to an 8 bit value. 40 | // 41 | 42 | DSNode * GVNodeInternal = new DSNode(GlobalsGraph); 43 | DSNode * GVNodeExternal = new DSNode(GlobalsGraph); 44 | for (Module::global_iterator I = M.global_begin(), E = M.global_end(); 45 | I != E; ++I) { 46 | if (I->isDeclaration() || (!(I->hasInternalLinkage()))) { 47 | GlobalsGraph->getNodeForValue(&*I).mergeWith(GVNodeExternal); 48 | } else { 49 | GlobalsGraph->getNodeForValue(&*I).mergeWith(GVNodeInternal); 50 | } 51 | } 52 | 53 | GVNodeInternal->foldNodeCompletely(); 54 | GVNodeInternal->maskNodeTypes(DSNode::IncompleteNode); 55 | 56 | GVNodeExternal->foldNodeCompletely(); 57 | GVNodeExternal->setExternalMarker(); 58 | 59 | // Next step, iterate through the nodes in the globals graph, unioning 60 | // together the globals into equivalence classes. 
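61 | formGlobalECs(); 62 | 63 | for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) { 64 | if (!F->isDeclaration()) { 65 | DSGraph* G = new DSGraph(GlobalECs, getDataLayout(), *TypeSS, GlobalsGraph); 66 | DSNode * Node = new DSNode(G); 67 | 68 | if (!F->hasInternalLinkage()) 69 | Node->setExternalMarker(); 70 | 71 | // Create scalar nodes for all pointer arguments... 72 | for (Function::arg_iterator I = F->arg_begin(), E = F->arg_end(); 73 | I != E; ++I) { 74 | if (isa(I->getType())) { 75 | G->getNodeForValue(&*I).mergeWith(Node); 76 | } 77 | } 78 | 79 | for (inst_iterator I = inst_begin(&*F), E = inst_end(&*F); I != E; ++I) { 80 | G->getNodeForValue(&*I).mergeWith(Node); 81 | } 82 | 83 | Node->foldNodeCompletely(); 84 | Node->maskNodeTypes(DSNode::IncompleteNode); 85 | 86 | setDSGraph(*F, G); 87 | } 88 | } 89 | 90 | return false; 91 | } 92 |
--------------------------------------------------------------------------------
/gllvm/examples/tor_and_its_dependencies/Makefile:
--------------------------------------------------------------------------------
#iam wrote this monstrosity
#
# Fetches, builds and extracts LLVM bitcode (via gllvm) for tor and the
# libraries it uses (zlib, libevent, openssl).  Every component is installed
# below ${THISDIR}/install so nothing is written to the host system prefix.

THISDIR= $(shell pwd)


ZLIB=zlib-1.2.11
ZLIB_TARBALL=${ZLIB}.tar.gz
ZLIB_URL=https://zlib.net/${ZLIB_TARBALL}
ZLIB_INSTALL=${THISDIR}/install/zlib

LIBEVENT=libevent-2.1.8-stable
LIBEVENT_TARBALL=${LIBEVENT}.tar.gz
LIBEVENT_URL=https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/${LIBEVENT_TARBALL}
LIBEVENT_INSTALL=${THISDIR}/install/libevent

OPENSSL=openssl-1.1.0h
OPENSSL_TARBALL=${OPENSSL}.tar.gz
OPENSSL_URL=https://www.openssl.org/source/${OPENSSL_TARBALL}
OPENSSL_INSTALL=${THISDIR}/install/openssl


TOR=tor-0.3.3.6
TOR_TARBALL=${TOR}.tar.gz
TOR_URL=https://www.torproject.org/dist/${TOR_TARBALL}
TOR_INSTALL=${THISDIR}/install/tor


# The fetch rules download over HTTPS but do not otherwise authenticate the
# tarballs.  To pin them, set these to the SHA-256 digests published by each
# upstream project.  They are empty by default, which disables the check and
# keeps the previous behaviour.  SHA256SUM may be overridden, e.g.
# SHA256SUM="shasum -a 256" on systems without coreutils.
SHA256SUM ?= sha256sum
ZLIB_SHA256 ?=
LIBEVENT_SHA256 ?=
OPENSSL_SHA256 ?=
TOR_SHA256 ?=

# $(call verify_sha256,<file>,<expected digest>)
# No-op when the digest is empty.  On a mismatch the file is deleted so that
# the next run re-fetches it instead of treating the bad download as up to date.
define verify_sha256
if [ -n "$(2)" ]; then echo "$(2)  $(1)" | ${SHA256SUM} -c - || { rm -f "$(1)"; exit 1; }; fi
endef


#LLVMCC=wllvm
#LLVMGET=extract-bc

LLVMCC=gclang
LLVMGET=get-bc

BITCODE = libz.a.bc libssl.a.bc libevent.a.bc tor.bc

.PHONY: all clean very_clean spotless

all: tor.bc


#${BITCODE}

${TOR_TARBALL}:
	wget ${TOR_URL}
	$(call verify_sha256,$@,${TOR_SHA256})

${TOR}: ${TOR_TARBALL}
	tar xvfz ${TOR_TARBALL}

# --prefix is needed here: without it `make install` writes to the compiler's
# default prefix (typically outside this tree and possibly requiring root) and
# this rule's target is never produced, so tor.bc below cannot find the binary.
# Commands are chained with && so a failed cd/configure stops the build rather
# than running make in the wrong directory.
${TOR_INSTALL}/bin/tor: ${TOR}
	cd ${TOR} && CC=${LLVMCC} ./configure --prefix=${TOR_INSTALL} && make && make install
#on linux we should try this:
# cd ${TOR}; CC=${LLVMCC} ./configure --disable-dependency-tracking --enable-static-tor --with-openssl-dir=${OPENSSL_INSTALL} --with-libevent-dir=${LIBEVENT_INSTALL}/lib --with-zlib-dir=${ZLIB_INSTALL} --prefix=${TOR_INSTALL}; make && make install

tor.bc: ${TOR_INSTALL}/bin/tor
	cd ${TOR_INSTALL}/bin && ${LLVMGET} tor && mv tor.bc ${THISDIR}


${ZLIB_TARBALL}:
	wget ${ZLIB_URL}
	$(call verify_sha256,$@,${ZLIB_SHA256})

${ZLIB}: ${ZLIB_TARBALL}
	tar xvfz ${ZLIB_TARBALL}

${ZLIB_INSTALL}/lib/libz.a: ${ZLIB}
	cd ${ZLIB} && CC=${LLVMCC} ./configure --prefix=${ZLIB_INSTALL} && make && make install

libz.a.bc: ${ZLIB_INSTALL}/lib/libz.a
	cd ${ZLIB_INSTALL}/lib && ${LLVMGET} -b libz.a && mv libz.a.bc ${THISDIR}


${OPENSSL_TARBALL}:
	wget ${OPENSSL_URL}
	$(call verify_sha256,$@,${OPENSSL_SHA256})

${OPENSSL}: ${OPENSSL_TARBALL}
	tar xvfz ${OPENSSL_TARBALL}

${OPENSSL_INSTALL}/lib/libssl.a: ${OPENSSL}
	cd ${OPENSSL} && CC=${LLVMCC} ./config --prefix=${OPENSSL_INSTALL} --openssldir=${OPENSSL_INSTALL} && make && make install

libssl.a.bc: ${OPENSSL_INSTALL}/lib/libssl.a
	cd ${OPENSSL_INSTALL}/lib && ${LLVMGET} -b libssl.a && mv libssl.a.bc ${THISDIR}


${LIBEVENT_TARBALL}:
	wget ${LIBEVENT_URL}
	$(call verify_sha256,$@,${LIBEVENT_SHA256})

${LIBEVENT}: ${LIBEVENT_TARBALL}
	tar xvfz ${LIBEVENT_TARBALL}

${LIBEVENT_INSTALL}/lib/libevent.a: ${LIBEVENT}
	cd ${LIBEVENT} && CC=${LLVMCC} CFLAGS="-I${OPENSSL_INSTALL}/include" LDFLAGS="-L${OPENSSL_INSTALL}/lib" ./configure --prefix=${LIBEVENT_INSTALL} && make && make install

libevent.a.bc: ${LIBEVENT_INSTALL}/lib/libevent.a
	cd ${LIBEVENT_INSTALL}/lib && ${LLVMGET} -b libevent.a && mv libevent.a.bc ${THISDIR}



# rm -f and the leading '-' let clean succeed when artifacts or source trees
# are not present (e.g. after a partial build or a previous very_clean).
clean:
	rm -f ${BITCODE}
	-$(MAKE) -C ${ZLIB} clean
	-$(MAKE) -C ${LIBEVENT} clean
	-$(MAKE) -C ${OPENSSL} clean
	-$(MAKE) -C ${TOR} clean

very_clean: clean
	rm -rf install ${TOR} ${ZLIB} ${OPENSSL} ${LIBEVENT}

spotless: very_clean
	rm -rf ${TOR_TARBALL} ${ZLIB_TARBALL} ${OPENSSL_TARBALL} ${LIBEVENT_TARBALL}
--------------------------------------------------------------------------------
/clang_format_fixes/clang/License.txt:
--------------------------------------------------------------------------------
1 | ============================================================================== 2 | LLVM Release License 3 | ============================================================================== 4 | University of Illinois/NCSA 5 | Open Source License 6 | 7 | Copyright (c) 2003-2018 University of Illinois at Urbana-Champaign. 8 | All rights reserved. 9 | 10 | Developed by: 11 | 12 | LLVM Team 13 | 14 | University of Illinois at Urbana-Champaign 15 | 16 | http://llvm.org 17 | 18 | Permission is hereby granted, free of charge, to any person obtaining a copy of 19 | this software and associated documentation files (the "Software"), to deal with 20 | the Software without restriction, including without limitation the rights to 21 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 22 | of the Software, and to permit persons to whom the Software is furnished to do 23 | so, subject to the following conditions: 24 | 25 | * Redistributions of source code must retain the above copyright notice, 26 | this list of conditions and the following disclaimers. 27 | 28 | * Redistributions in binary form must reproduce the above copyright notice, 29 | this list of conditions and the following disclaimers in the 30 | documentation and/or other materials provided with the distribution. 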
31 | 32 | * Neither the names of the LLVM Team, University of Illinois at 33 | Urbana-Champaign, nor the names of its contributors may be used to 34 | endorse or promote products derived from this Software without specific 35 | prior written permission. 36 | 37 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 38 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 39 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 40 | CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 41 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 42 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE 43 | SOFTWARE. 44 | 45 | ============================================================================== 46 | Copyrights and Licenses for Third Party Software Distributed with LLVM: 47 | ============================================================================== 48 | The LLVM software contains code written by third parties. Such software will 49 | have its own individual LICENSE.TXT file in the directory in which it appears. 50 | This file will describe the copyrights, license, and restrictions which apply 51 | to that code. 52 | 53 | The disclaimer of warranty in the University of Illinois Open Source License 54 | applies to all code in the LLVM Distribution, and nothing in any of the 55 | other licenses gives permission to use the names of the LLVM Team or the 56 | University of Illinois to endorse or promote products derived from this 57 | Software. 
58 | 59 | The following pieces of software have additional or alternate copyrights, 60 | licenses, and/or restrictions: 61 | 62 | Program Directory 63 | ------- --------- 64 | Google Test llvm/utils/unittest/googletest 65 | OpenBSD regex llvm/lib/Support/{reg*, COPYRIGHT.regex} 66 | pyyaml tests llvm/test/YAMLParser/{*.data, LICENSE.TXT} 67 | ARM contributions llvm/lib/Target/ARM/LICENSE.TXT 68 | md5 contributions llvm/lib/Support/MD5.cpp llvm/include/llvm/Support/MD5.h 69 | --------------------------------------------------------------------------------