├── .gitattributes ├── .githooks └── pre-commit ├── .github └── workflows │ └── python-app.yml ├── .gitignore ├── .gitmodules ├── CNAME ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── VERSION ├── _config.yml ├── docs ├── Makefile ├── libpmfuzz.7.md ├── manpages │ ├── libpmfuzz.7 │ └── pmfuzz-fuzz.1 └── pmfuzz-fuzz.1.md ├── include ├── .gitignore ├── Doxyfile ├── Makefile ├── libfakepmfuzz.c ├── libpmfuzz.c ├── libpmtracefuncts.c ├── pm_trace_functs.h ├── pmfuzz.h ├── pmfuzz_config.h ├── rtinfo.c ├── rtinfo.h └── shiftregarr.h ├── pmfuzz-fuzz ├── scripts ├── install-dependencies.sh ├── install-ndctl.sh └── libs │ └── helper.lib.bash ├── src ├── annotation-pass │ ├── Makefile │ ├── README.md │ └── pmfuzz_annot_pass.cpp ├── example │ ├── Makefile │ ├── example │ └── example.cc └── pmfuzz │ ├── .gitignore │ ├── Doxyfile │ ├── Makefile │ ├── README.md │ ├── configs │ ├── base.yml │ ├── examples │ │ ├── mapcli.btree.baseline.yml │ │ ├── mapcli.btree.complete.yml │ │ ├── mapcli.btree.completeslow.yml │ │ ├── mapcli.btree.completeunfocused.yml │ │ ├── mapcli.btree.primitivebaseline.yml │ │ ├── mapcli.ctree.baseline.yml │ │ ├── mapcli.ctree.complete.yml │ │ ├── mapcli.ctree.completeslow.yml │ │ ├── mapcli.ctree.completeunfocused.yml │ │ ├── mapcli.hashmap_atomic.baseline.yml │ │ ├── mapcli.hashmap_atomic.complete.yml │ │ ├── mapcli.hashmap_atomic.completeslow.yml │ │ ├── mapcli.hashmap_atomic.completeunfocused.yml │ │ ├── mapcli.hashmap_atomic.primitivebaseline.yml │ │ ├── mapcli.hashmap_rp.baseline.yml │ │ ├── mapcli.hashmap_rp.complete.yml │ │ ├── mapcli.hashmap_rp.completeslow.yml │ │ ├── mapcli.hashmap_rp.completeunfocused.yml │ │ ├── mapcli.hashmap_rp.primitivebaseline.yml │ │ ├── mapcli.hashmap_tx.baseline.yml │ │ ├── mapcli.hashmap_tx.complete.yml │ │ ├── mapcli.hashmap_tx.completeslow.yml │ │ ├── mapcli.hashmap_tx.completeunfocused.yml │ │ ├── mapcli.hashmap_tx.primitivebaseline.yml │ │ ├── mapcli.rbtree.baseline.yml │ │ ├── mapcli.rbtree.complete.yml │ │ ├── mapcli.rbtree.completeslow.yml │ │ ├── mapcli.rbtree.completeunfocused.yml │ │ ├── mapcli.rbtree.primitivebaseline.yml │ │ ├── mapcli.rtree.baseline.yml │ │ ├── mapcli.rtree.complete.yml │ │ ├── mapcli.rtree.completeslow.yml │ │ ├── mapcli.rtree.completeunfocused.yml │ │ ├── mapcli.rtree.primitivebaseline.yml │ │ ├── mapcli.skiplist.baseline.yml │ │ ├── mapcli.skiplist.complete.yml │ │ ├── mapcli.skiplist.completeslow.yml │ │ ├── mapcli.skiplist.completeunfocused.yml │ │ ├── mapcli.skiplist.primitivebaseline.yml │ │ ├── memcached.baseline.yml │ │ ├── memcached.complete.yml │ │ ├── memcached.completeslow.yml │ │ ├── memcached.completeunfocused.yml │ │ ├── memcached.primitivebaseline.yml │ │ ├── redis.baseline.yml │ │ ├── redis.complete.yml │ │ ├── redis.completeslow.yml │ │ ├── redis.completeunfocused.yml │ │ └── redis.primitivebaseline.yml │ ├── run_configs │ │ ├── baseline.yml │ │ ├── complete.yml │ │ ├── completeslow.yml │ │ ├── completeunfocused.yml │ │ └── primitivebaseline.yml │ └── workload │ │ ├── mapcli.btree.yml │ │ ├── mapcli.ctree.yml │ │ ├── mapcli.hashmap_atomic.yml │ │ ├── mapcli.hashmap_rp.yml │ │ ├── mapcli.hashmap_tx.yml │ │ ├── mapcli.rbtree.yml │ │ ├── mapcli.rtree.yml │ │ ├── mapcli.skiplist.yml │ │ ├── memcached.yml │ │ └── redis.yml │ ├── core │ ├── dedupengine.py │ ├── pmfuzz.py │ └── whatsup.py │ ├── handlers │ └── name_handler.py │ ├── helper │ ├── bugreport.py │ ├── common.py │ ├── config.py │ ├── parallel.py │ ├── prettyprint.py │ ├── ptimer.py │ └── target.py │ ├── interfaces │ ├── afl.py │ ├── failureinjection.py │ └── lcov.py │ ├── pmfuzz-cov.py │ ├── pmfuzz-fuzz.py │ ├── pmfuzz-setup.sh │ ├── pmfuzz-tests.py │ ├── pmfuzz-whatsup.py │ ├── pyfilter.sh │ ├── requirements.txt │ ├── stages │ ├── __init__.py │ ├── dedup.py │ ├── fuzzobj.py │ ├── stage.py │ ├── stage1.py │ ├── stage2.py │ └── state.py │ └── tools │ ├── cp-map │ └── pmfuzz-cmin └── vendor ├── AFLplusplus-2.63c ├── .clang-format ├── .custom-format.py ├── .gitignore ├── .travis.yml ├── Android.bp ├── Android.mk ├── CONTRIBUTING.md ├── Changelog.md ├── Dockerfile ├── GNUmakefile ├── LICENSE ├── Makefile ├── QuickStartGuide.md ├── README.md ├── TODO.md ├── afl-cmin ├── afl-cmin.bash ├── afl-plot ├── afl-system-config ├── afl-whatsup ├── afl-wine-trace ├── config.h ├── dictionaries │ ├── README.md │ ├── gif.dict │ ├── html_tags.dict │ ├── jpeg.dict │ ├── js.dict │ ├── json.dict │ ├── pdf.dict │ ├── png.dict │ ├── regexp.dict │ ├── sql.dict │ ├── tiff.dict │ ├── webp.dict │ └── xml.dict ├── docs │ ├── COPYING │ ├── Changelog.md │ ├── INSTALL.md │ ├── PATCHES.md │ ├── QuickStartGuide.md │ ├── README.MOpt.md │ ├── README.md │ ├── README.radamsa.md │ ├── binaryonly_fuzzing.md │ ├── custom_mutators.md │ ├── env_variables.md │ ├── historical_notes.md │ ├── ideas.md │ ├── life_pro_tips.md │ ├── notes_for_asan.md │ ├── parallel_fuzzing.md │ ├── perf_tips.md │ ├── power_schedules.md │ ├── sister_projects.md │ ├── status_screen.md │ ├── technical_details.md │ ├── visualization │ │ └── afl_gzip.png │ └── vuln_samples │ │ ├── bash-cmd-exec.var │ │ ├── bash-uninit-mem.var │ │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ │ ├── ffmpeg-h264-bad-read.mp4 │ │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ │ ├── file-fpu-exception.elf │ │ ├── firefox-bmp-leak.bmp │ │ ├── firefox-chrome-leak.jpg │ │ ├── firefox-gif-leak.gif │ │ ├── firefox-gif-leak2.gif │ │ ├── jxrlib-crash.jxr │ │ ├── jxrlib-crash2.jxr │ │ ├── jxrlib-crash3.jxr │ │ ├── jxrlib-crash4.jxr │ │ ├── lesspipe-cpio-bad-write.cpio │ │ ├── libjpeg-sos-leak.jpg │ │ ├── libjpeg-turbo-dht-leak.jpg │ │ ├── libtiff-bad-write.tif │ │ ├── libtiff-uninit-mem.tif │ │ ├── libtiff-uninit-mem2.tif │ │ ├── libtiff-uninit-mem3.tif │ │ ├── libtiff-uninit-mem4.tif │ │ ├── libxml2-bad-read.xml │ │ ├── msie-dht-leak.jpg │ │ ├── msie-jxr-mem-leak.jxr │ │ ├── msie-png-mem-leak.png │ │ ├── msie-tiff-mem-leak.tif │ │ ├── msie-zlib-dos.png │ │ ├── openssl-null-ptr.der │ │ ├── openssl-null-ptr2.der │ │ ├── photoshop-mem-leak.jpg │ │ ├── sqlite-bad-free.sql │ │ ├── sqlite-bad-ptr.sql │ │ ├── sqlite-bad-ptr2.sql │ │ ├── sqlite-bad-ptr3.sql │ │ ├── sqlite-heap-overflow.sql │ │ ├── sqlite-heap-overwrite.sql │ │ ├── sqlite-negative-memset.sql │ │ ├── sqlite-null-ptr1.sql │ │ ├── sqlite-null-ptr10.sql │ │ ├── sqlite-null-ptr11.sql │ │ ├── sqlite-null-ptr12.sql │ │ ├── sqlite-null-ptr13.sql │ │ ├── sqlite-null-ptr14.sql │ │ ├── sqlite-null-ptr15.sql │ │ ├── sqlite-null-ptr2.sql │ │ ├── sqlite-null-ptr3.sql │ │ ├── sqlite-null-ptr4.sql │ │ ├── sqlite-null-ptr5.sql │ │ ├── sqlite-null-ptr6.sql │ │ ├── sqlite-null-ptr7.sql │ │ ├── sqlite-null-ptr8.sql │ │ ├── sqlite-null-ptr9.sql │ │ ├── sqlite-oob-read.sql │ │ ├── sqlite-oob-write.sql │ │ ├── sqlite-stack-buf-overflow.sql │ │ ├── sqlite-stack-exhaustion.sql │ │ ├── sqlite-unint-mem.sql │ │ ├── sqlite-use-after-free.sql │ │ ├── strings-bfd-badptr.elf │ │ ├── strings-bfd-badptr2.elf │ │ ├── strings-stack-overflow │ │ ├── strings-unchecked-ctr.elf │ │ ├── tcpdump-arp-crash.pcap │ │ ├── tcpdump-ppp-crash.pcap │ │ ├── unrtf-arbitrary-read.rtf │ │ └── unzip-t-mem-corruption.zip ├── examples │ ├── README.md │ ├── argv_fuzzing │ │ ├── Makefile │ │ ├── README.md │ │ ├── argv-fuzz-inl.h │ │ └── argvfuzz.c │ ├── asan_cgroups │ │ └── limit_memory.sh │ ├── bash_shellshock │ │ └── shellshock-fuzz.diff │ ├── canvas_harness │ │ └── canvas_harness.html │ ├── crash_triage │ │ └── triage_crashes.sh │ ├── custom_mutators │ │ ├── Makefile │ │ ├── README.md │ │ ├── XmlMutatorMin.py │ │ ├── common.py │ │ ├── custom_mutator_helpers.h │ │ ├── example.c │ │ ├── example.py │ │ ├── simple-chunk-replace.py │ │ └── wrapper_afl_min.py │ ├── distributed_fuzzing │ │ └── sync_script.sh │ ├── libpng_no_checksum │ │ └── libpng-nocrc.patch │ ├── persistent_demo │ │ └── persistent_demo.c │ ├── post_library │ │ ├── post_library.so.c │ │ └── post_library_png.so.c │ ├── qemu_persistent_hook │ │ ├── README.md │ │ ├── read_into_rdi.c │ │ └── test.c │ └── socket_fuzzing │ │ ├── Makefile │ │ ├── README.md │ │ └── socketfuzz.c ├── gcc_plugin │ ├── GNUmakefile │ ├── Makefile │ ├── README.md │ ├── README.whitelist.md │ ├── afl-gcc-fast.c │ ├── afl-gcc-pass.so.cc │ └── afl-gcc-rt.o.c ├── include │ ├── afl-as.h │ ├── afl-fuzz.h │ ├── afl-prealloc.h │ ├── alloc-inl.h │ ├── android-ashmem.h │ ├── cmplog.h │ ├── common.h │ ├── config.h │ ├── debug.h │ ├── envs.h │ ├── forkserver.h │ ├── hash.h │ ├── list.h │ ├── sharedmem.h │ ├── snapshot-inl.h │ └── types.h ├── libdislocator │ ├── Makefile │ ├── README.md │ └── libdislocator.so.c ├── libtokencap │ ├── GNUmakefile │ ├── Makefile │ ├── README.md │ └── libtokencap.so.c ├── llvm_mode │ ├── GNUmakefile │ ├── LLVMInsTrim.so.cc │ ├── Makefile │ ├── MarkNodes.cc │ ├── MarkNodes.h │ ├── NOTES │ ├── README.cmplog.md │ ├── README.ctx.md │ ├── README.instrim.md │ ├── README.laf-intel.md │ ├── README.lto.md │ ├── README.md │ ├── README.neverzero.md │ ├── README.ngram.md │ ├── README.snapshot.md │ ├── README.whitelist.md │ ├── TODO │ ├── afl-clang-fast.c │ ├── afl-ld.c │ ├── afl-llvm-lto-instrumentation.so.cc │ ├── afl-llvm-lto-whitelist.so.cc │ ├── afl-llvm-pass.so.cc │ ├── afl-llvm-rt.o.c │ ├── cmplog-instructions-pass.cc │ ├── cmplog-routines-pass.cc │ ├── compare-transform-pass.so.cc │ ├── llvm-ngram-coverage.h │ ├── split-compares-pass.so.cc │ └── split-switches-pass.so.cc ├── qbdi_mode │ ├── README.md │ ├── assets │ │ └── screen1.png │ ├── build.sh │ ├── demo-so.c │ └── template.cpp ├── qemu_mode │ ├── README.md │ ├── README.persistent.md │ ├── build_qemu_support.sh │ ├── libcompcov │ │ ├── Makefile │ │ ├── README.md │ │ ├── compcovtest.cc │ │ ├── libcompcov.so.c │ │ └── pmparser.h │ ├── patches │ │ ├── __init__.py.diff │ │ ├── afl-qemu-common.h │ │ ├── afl-qemu-cpu-inl.h │ │ ├── afl-qemu-cpu-translate-inl.h │ │ ├── afl-qemu-floats.h │ │ ├── afl-qemu-tcg-inl.h │ │ ├── afl-qemu-tcg-runtime-inl.h │ │ ├── afl-qemu-translate-inl.h │ │ ├── arm-translate-a64.diff │ │ ├── arm-translate.diff │ │ ├── bsd-elfload.diff │ │ ├── configure.diff │ │ ├── cpu-exec.diff │ │ ├── elfload.diff │ │ ├── i386-fpu_helper.diff │ │ ├── i386-ops_sse.diff │ │ ├── i386-translate.diff │ │ ├── make_strncpy_safe.diff │ │ ├── softfloat.diff │ │ ├── syscall.diff │ │ ├── tcg-runtime-head.diff │ │ ├── tcg-runtime.diff │ │ ├── tcg.diff │ │ ├── translate-all.diff │ │ └── translator.diff │ └── unsigaction │ │ ├── GNUmakefile │ │ ├── Makefile │ │ ├── README.md │ │ └── unsigaction.c ├── src │ ├── README.md │ ├── afl-analyze.c │ ├── afl-as.c │ ├── afl-common.c │ ├── afl-forkserver.c │ ├── afl-fuzz-bitmap.c │ ├── afl-fuzz-cmplog.c │ ├── afl-fuzz-extras.c │ ├── afl-fuzz-init.c │ ├── afl-fuzz-mutators.c │ ├── afl-fuzz-one.c │ ├── afl-fuzz-python.c │ ├── afl-fuzz-queue.c │ ├── afl-fuzz-redqueen.c │ ├── afl-fuzz-run.c │ ├── afl-fuzz-state.c │ ├── afl-fuzz-stats.c │ ├── afl-fuzz.c │ ├── afl-gcc.c │ ├── afl-gotcpu.c │ ├── afl-sharedmem.c │ ├── afl-showmap.c │ ├── afl-tmin.c │ └── third_party │ │ └── libradamsa │ │ ├── .gitignore │ │ ├── GNUmakefile │ │ ├── LICENSE │ │ ├── README.md │ │ ├── libradamsa-test.c │ │ ├── libradamsa.c │ │ └── radamsa.h ├── test-instr.c ├── test │ ├── checkcommit.sh │ ├── test-compcov.c │ ├── test-custom-mutator.c │ ├── test-performance.sh │ ├── test-unsigaction.c │ ├── test.sh │ └── unittests │ │ ├── unit_list.c │ │ ├── unit_maybe_alloc.c │ │ └── unit_preallocable.c ├── testcases │ ├── README.md │ ├── archives │ │ ├── common │ │ │ ├── ar │ │ │ │ └── small_archive.a │ │ │ ├── bzip2 │ │ │ │ └── small_archive.bz2 │ │ │ ├── cab │ │ │ │ └── small_archive.cab │ │ │ ├── compress │ │ │ │ └── small_archive.Z │ │ │ ├── cpio │ │ │ │ └── small_archive.cpio │ │ │ ├── gzip │ │ │ │ └── small_archive.gz │ │ │ ├── lzo │ │ │ │ └── small_archive.lzo │ │ │ ├── rar │ │ │ │ └── small_archive.rar │ │ │ ├── tar │ │ │ │ └── small_archive.tar │ │ │ ├── xz │ │ │ │ └── small_archive.xz │ │ │ └── zip │ │ │ │ └── small_archive.zip │ │ └── exotic │ │ │ ├── arj │ │ │ └── small_archive.arj │ │ │ ├── lha │ │ │ └── small_archive.lha │ │ │ ├── lrzip │ │ │ └── small_archive.lrz │ │ │ ├── lzip │ │ │ └── small_archive.lz │ │ │ ├── lzma │ │ │ └── small_archive.lzma │ │ │ ├── rzip │ │ │ └── small_archive.rz │ │ │ └── zoo │ │ │ └── small_archive.zoo │ ├── images │ │ ├── bmp │ │ │ └── not_kitty.bmp │ │ ├── gif │ │ │ └── not_kitty.gif │ │ ├── ico │ │ │ └── not_kitty.ico │ │ ├── jp2 │ │ │ └── not_kitty.jp2 │ │ ├── jpeg │ │ │ └── not_kitty.jpg │ │ ├── jxr │ │ │ └── not_kitty.jxr │ │ ├── png │ │ │ ├── not_kitty.png │ │ │ ├── not_kitty_alpha.png │ │ │ ├── not_kitty_gamma.png │ │ │ └── not_kitty_icc.png │ │ ├── tiff │ │ │ └── not_kitty.tiff │ │ └── webp │ │ │ └── not_kitty.webp │ ├── multimedia │ │ └── h264 │ │ │ └── small_movie.mp4 │ └── others │ │ ├── elf │ │ └── small_exec.elf │ │ ├── js │ │ └── small_script.js │ │ ├── pcap │ │ └── small_capture.pcap │ │ ├── pdf │ │ └── small.pdf │ │ ├── rtf │ │ └── small_document.rtf │ │ ├── sql │ │ └── simple_queries.sql │ │ ├── text │ │ └── hello_world.txt │ │ └── xml │ │ └── small_document.xml ├── types.h └── unicorn_mode │ ├── README.md │ ├── build_unicorn_support.sh │ ├── helper_scripts │ ├── template_test_harness.py │ ├── unicorn_dumper_gdb.py │ ├── unicorn_dumper_ida.py │ ├── unicorn_dumper_lldb.py │ ├── unicorn_dumper_pwndbg.py │ └── unicorn_loader.py │ └── samples │ ├── c │ ├── .gitignore │ ├── COMPILE.md │ ├── Makefile │ ├── harness.c │ ├── persistent_target.c │ ├── persistent_target_x86_64 │ ├── sample_all.sh │ ├── sample_inputs │ │ ├── sample1.bin │ │ ├── sample2.bin │ │ ├── sample3.bin │ │ ├── sample4.bin │ │ └── sample5.bin │ └── simple_target_x86_64 │ ├── compcov_x64 │ ├── COMPILE.md │ ├── compcov_target.bin │ ├── compcov_target.c │ ├── compcov_target.elf │ ├── compcov_test_harness.py │ └── sample_inputs │ │ └── sample1.bin │ ├── persistent │ ├── .gitignore │ ├── COMPILE.md │ ├── Makefile │ ├── harness.c │ ├── persistent_target.c │ ├── persistent_target_x86_64 │ ├── sample_all.sh │ ├── sample_inputs │ │ ├── sample1.bin │ │ ├── sample2.bin │ │ ├── sample3.bin │ │ ├── sample4.bin │ │ └── sample5.bin │ ├── simple_target_noncrashing.c │ └── simple_target_x86_64 │ └── simple │ ├── COMPILE.md │ ├── sample_inputs │ ├── sample1.bin │ ├── sample2.bin │ ├── sample3.bin │ ├── sample4.bin │ └── sample5.bin │ ├── simple_target.bin │ ├── simple_target.c │ ├── simple_test_harness.py │ └── simple_test_harness_alt.py └── patches └── preeny.git_patch /.gitattributes: -------------------------------------------------------------------------------- 1 | # Basic .gitattributes for a python repo. 2 | 3 | # Source files 4 | # ============ 5 | *.pxd text diff=python 6 | *.py text diff=python 7 | *.py3 text diff=python 8 | *.pyw text diff=python 9 | *.pyx text diff=python 10 | *.pyz text diff=python 11 | *.pyi text diff=python 12 | 13 | # Binary files 14 | # ============ 15 | *.db binary 16 | *.p binary 17 | *.pkl binary 18 | *.pickle binary 19 | *.pyc binary 20 | *.pyd binary 21 | *.pyo binary 22 | 23 | # Jupyter notebook 24 | *.ipynb text 25 | 26 | # Note: .db, .p, and .pkl files are associated 27 | # with the python modules ``pickle``, ``dbm.*``, 28 | # ``shelve``, ``marshal``, ``anydbm``, & ``bsddb`` 29 | # (among others). -------------------------------------------------------------------------------- /.githooks/pre-commit: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | echo -n 'PMFuzz tests: ' 4 | python3 src/pmfuzz/pmfuzz-tests.py 5 | 6 | retVal=$? 7 | 8 | if [ $retVal -ne 0 ]; then 9 | echo -e "\n\nPMFuzz: Unable to commit, test(s) failed." 10 | fi 11 | 12 | exit $retVal -------------------------------------------------------------------------------- /.github/workflows/python-app.yml: -------------------------------------------------------------------------------- 1 | # This workflow will install Python dependencies, run tests and lint with a single version of Python 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions 3 | 4 | name: PMFuzz 5 | 6 | on: 7 | push: 8 | branches: [ main ] 9 | pull_request: 10 | branches: [ main ] 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-20.04 16 | 17 | env: 18 | PIN_ROOT: /tmp/pin-3.18-98332-gaebd7b1e6-gcc-linux 19 | LLVM_CONFIG: build/llvm-9/bin/llvm-config 20 | 21 | steps: 22 | - uses: actions/checkout@v2 23 | - name: Set up Python 3.8 24 | uses: actions/setup-python@v2 25 | with: 26 | python-version: 3.8 27 | 28 | - name: Install python headers 29 | run: | 30 | sudo apt-get update 31 | sudo apt-get install -y python3.8-dev 32 | sudo apt-get install -y gcc g++ gfortran libopenblas-dev liblapack-dev build-essential libtinfo5 libini-config-dev libunwind-dev cmake 33 | 34 | - name: Setup pin 35 | run: | 36 | wget 'https://software.intel.com/sites/landingpage/pintool/downloads/pin-3.18-98332-gaebd7b1e6-gcc-linux.tar.gz' 37 | tar xzf pin-3.18-98332-gaebd7b1e6-gcc-linux.tar.gz 38 | 39 | - name: Build everything 40 | run: | 41 | make -j 2 42 | 43 | - name: Install dependencies 44 | run: | 45 | python -m pip install --upgrade pip 46 | pip install flake8 pytest 47 | pip install -r src/pmfuzz/requirements.txt 48 | 49 | - name: Test with make check 50 | run: | 51 | make check 52 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | .vscode 3 | *.log 4 | *.out 5 | include/*.o 6 | include/*.so 7 | src/*/*.o 8 | src/*/*.so 9 | vendor/*/*.so 10 | vendor/*/*.o 11 | vendor/*/*/*.so 12 | vendor/*/*/*.o 13 | tests/*.o 14 | *.bc 15 | failure_list.txt 16 | out 17 | 18 | build/ 19 | 6000.cmd 20 | *.gcno 21 | *.gcda 22 | 23 | docs/programming_manual 24 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "vendor/AFL"] 2 | path = vendor/AFL 3 | url = git@github.com:sihangliu/AFL.git 4 | [submodule "vendor/preeny"] 5 | path = vendor/preeny 6 | url = https://github.com/zardus/preeny.git 7 | -------------------------------------------------------------------------------- /CNAME: -------------------------------------------------------------------------------- 1 | pmfuzz.persistentmemory.org 2 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # @file Dockerfile 2 | # @brief Dockerfile for PMFuzz 3 | # @copyright 2021 PMFuzz Authors 4 | # SPDX-license-identifier: BSD-3-Clause 5 | 6 | # Only tested on Ubuntu 18.04, other versions *may* work 7 | FROM ubuntu:18.04 8 | 9 | # Install dependencies 10 | RUN apt-get update 11 | RUN apt-get install -y build-essential libunwind-dev libini-config-dev make git wget cmake 12 | RUN apt-get install -y python3 python3-pip 13 | RUN apt-get install -y man manpages-posix 14 | 15 | # Clone PMFuzz 16 | RUN git clone https://github.com/Systems-ShiftLab/pmfuzz.git 17 | WORKDIR pmfuzz 18 | 19 | # Install python dependencies 20 | RUN pip3 install -r src/pmfuzz/requirements.txt 21 | 22 | # Configure the system 23 | RUN mkdir -p /usr/local/share/man/man1/ 24 | RUN mkdir -p /usr/local/share/man/man7/ 25 | 26 | # Build and install PMFuzz 27 | RUN make 28 | RUN make install 29 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2020-21 PMFuzz Authors 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are 5 | met: 6 | 7 | 1. Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | #define PMFUZZ_NAME "PMFuzz" 2 | #define PMFUZZ_VERSION "1.0" 3 | #define PMFUZZ_AUTHORS "ShiftLab" 4 | #define PMFUZZ_INFO_LN "PMFuzz v1.0 by " 5 | #define PMFUZZ_BUG_LOC "https://github.com/Systems-ShiftLab/pmfuzz/issues" 6 | #define PMFUZZ_WEBSITE "https://github.com/Systems-ShiftLab/pmfuzz" 7 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-slate 2 | -------------------------------------------------------------------------------- /docs/Makefile: -------------------------------------------------------------------------------- 1 | all: manpages 2 | 3 | manpages: 4 | pandoc pmfuzz-fuzz.1.md -s -t man > manpages/pmfuzz-fuzz.1 5 | pandoc libpmfuzz.7.md -s -t man > manpages/libpmfuzz.7 6 | 7 | clean: 8 | -rm programming_manual 9 | -rm programming_manual.pdf 10 | 11 | 12 | .PHONY: manpages 13 | -------------------------------------------------------------------------------- /docs/libpmfuzz.7.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: libpmfuzz 3 | section: 7 4 | header: PMFuzz Programmer's Manual 5 | date: March 2021 6 | --- 7 | 8 | # NAME 9 | **libpmfuzz**, **libfakepmfuzz** - PMFuzz interface library 10 | 11 | # SYNOPSIS 12 | ``` 13 | #include 14 | 15 | afl-clang ... -lpmfuzz 16 | cc ... -lfakepmfuzz 17 | ``` 18 | 19 | # DESCRIPTION 20 | 21 | **libpmfuzz** provides the interface to PMFuzz using a set of 22 | annotations functions and macros. **libpmfuzz** requires the modified 23 | AFL++ clang compiler to compile the linked program. 24 | 25 | PMFuzz also provides **libfakepmfuzz** that allows linking with any 26 | C/C++ compilers but doesn't provide any real tracking mechanism. 27 | 28 | # VERSIONING 29 | 30 | # ENVIRONMENT 31 | 32 | # EXAMPLE 33 | 34 | # SEE ALSO 35 | 36 | -------------------------------------------------------------------------------- /docs/manpages/libpmfuzz.7: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.10 2 | .\" 3 | .TH "libpmfuzz" "7" "March 2021" "" "PMFuzz Programmer\[cq]s Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | \f[B]libpmfuzz\f[R], \f[B]libfakepmfuzz\f[R] - PMFuzz interface library 8 | .SH SYNOPSIS 9 | .IP 10 | .nf 11 | \f[C] 12 | #include 13 | 14 | afl-clang ... -lpmfuzz 15 | cc ... -lfakepmfuzz 16 | \f[R] 17 | .fi 18 | .SH DESCRIPTION 19 | .PP 20 | \f[B]libpmfuzz\f[R] provides the interface to PMFuzz using a set of 21 | annotations functions and macros. 22 | \f[B]libpmfuzz\f[R] requires the modified AFL++ clang compiler to 23 | compile the linked program. 24 | .PP 25 | PMFuzz also provides \f[B]libfakepmfuzz\f[R] that allows linking with 26 | any C/C++ compilers but doesn\[cq]t provide any real tracking mechanism. 27 | .SH VERSIONING 28 | .SH ENVIRONMENT 29 | .SH EXAMPLE 30 | .SH SEE ALSO 31 | -------------------------------------------------------------------------------- /include/.gitignore: -------------------------------------------------------------------------------- 1 | docs/ 2 | *.so 3 | *.o -------------------------------------------------------------------------------- /include/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS += -fPIC -g -Wall -Wextra $(PMFUZZ_CFLAGS) 2 | CFLAG_SH += -shared 3 | LDFLAGS += -pthread -lunwind -lunwind-x86_64 -rdynamic 4 | LDFLAGS_SH += -shared 5 | 6 | TARGET = libpmtracefuncts.so libpmfuzz.so libfakepmfuzz.so 7 | DEPENDS = rtinfo.o 8 | SOURCES = $(shell echo *.c) 9 | HEADERS = $(shell echo *.h) 10 | 11 | all: $(TARGET) 12 | 13 | $(DEPENDS): $(DEPENDS:.o=.c) 14 | $(CC) -c $(FLAGS) $(CFLAGS) $(DEBUGFLAGS) -o $@ $(@:.o=.c) $(LDFLAGS) 15 | 16 | $(TARGET): $(TARGET:.so=.c) $(DEPENDS) 17 | $(CC) $(FLAGS) $(CFLAGS) $(CFLAG_SH) $(DEBUGFLAGS) -o $@ $(@:.so=.c) $(DEPENDS) $(LDFLAGS) $(LDFLAGS_SH) 18 | 19 | docs: 20 | doxygen Doxyfile 21 | $(MAKE) -C docs/latex 22 | @echo 23 | @echo 24 | @echo "===" 25 | @echo "Documentation generated in docs/" 26 | @echo "===" 27 | @echo 28 | @echo 29 | 30 | clean: 31 | rm -f *.so *.o 32 | -------------------------------------------------------------------------------- /include/libfakepmfuzz.c: -------------------------------------------------------------------------------- 1 | /** 2 | * @file libpmfuzz.c 3 | * @details Fake version of PMFuzz that does not require AFL runtime 4 | * @copyright 2020-21 PMFuzz Authors 5 | * 6 | * Libpmfuzz uses a non-standard size bitset to record PM accesses, on every 7 | * PM access the element would be left shifted by one, e.g.: 8 | * [Location1 value: 00000000 00000000 00000000 00000000] 9 | * 1. PM access to location 1 10 | * [New Location1 value: 00000000 00000000 00000000 00000001] 11 | * 2. PM access to location 1 12 | * [New Location1 value: 00000000 00000000 00000000 00000010] 13 | */ 14 | 15 | #include "pmfuzz.h" 16 | 17 | #pragma GCC diagnostic push 18 | #pragma GCC diagnostic ignored "-Wunused-parameter" 19 | 20 | char pmfuzz_version_str[] = "1.0.0"; 21 | 22 | void update_loc(uint32_t loc) { 23 | return; 24 | } 25 | void pmfuzz_ro(uint32_t rand) { 26 | return; 27 | } 28 | 29 | void pmfuzz_wo(uint32_t rand) { 30 | return; 31 | } 32 | 33 | void pmfuzz_rw(uint32_t rand) { 34 | return; 35 | } 36 | 37 | void pmfuzz_inject_failure(char* file, int line) { 38 | return; 39 | } 40 | 41 | void pmfuzz_set_addr_env(void* addr, unsigned long size) { 42 | return; 43 | } 44 | void pmfuzz_set_path_env(char* path) { 45 | return; 46 | } 47 | 48 | void pmfuzz_init(void* addr, unsigned long size, char* path) { 49 | return; 50 | } 51 | 52 | void pmfuzz_term() { 53 | return; 54 | } 55 | 56 | #pragma GCC diagnostic pop 57 | -------------------------------------------------------------------------------- /include/libpmtracefuncts.c: -------------------------------------------------------------------------------- 1 | #include "pm_trace_functs.h" 2 | #include 3 | 4 | // PM Address range manipulation 5 | void pm_trace_pm_addr_add(uint64_t addr __attribute__((unused)), uint64_t size __attribute__((unused))) { 6 | return; 7 | } 8 | 9 | void pm_trace_pm_addr_remove(uint64_t addr __attribute__((unused)), uint64_t size __attribute__((unused))){ 10 | return; 11 | } 12 | 13 | // Transaction annotation 14 | void pm_trace_tx_begin(void){ 15 | asm (""); 16 | return; 17 | } 18 | 19 | void pm_trace_tx_end(void){ 20 | asm (""); 21 | return; 22 | } 23 | 24 | void pm_trace_tx_addr_add(uint64_t addr __attribute__((unused)), uint64_t size __attribute__((unused))){ 25 | asm (""); 26 | return; 27 | } 28 | 29 | void pm_trace_tx_alloc(uint64_t addr __attribute__((unused)), uint64_t size __attribute__((unused))){ 30 | asm (""); 31 | return; 32 | } 33 | 34 | void tx_commit_point(void){ 35 | asm (""); 36 | return; 37 | } 38 | 39 | 40 | // not necessary 41 | /* 42 | void pm_trace_pmdk_funct_begin(void){ 43 | return; 44 | } 45 | void pm_trace_pmdk_funct_end(void){ 46 | return; 47 | } 48 | */ 49 | -------------------------------------------------------------------------------- /include/pm_trace_functs.h: -------------------------------------------------------------------------------- 1 | #ifndef PM_TRACE_FUNCTS__ 2 | #define PM_TRACE_FUNCTS__ 3 | 4 | #include 5 | 6 | // PM Address range manipulation 7 | void pm_trace_pm_addr_add(uint64_t addr, uint64_t size); 8 | void pm_trace_pm_addr_remove(uint64_t addr, uint64_t size); 9 | 10 | // Transaction annotation 11 | void pm_trace_tx_begin(void); 12 | void pm_trace_tx_end(void); 13 | void pm_trace_tx_addr_add(uint64_t addr, uint64_t size); 14 | void pm_trace_tx_alloc(uint64_t addr, uint64_t size); 15 | 16 | void tx_commit_point(void); 17 | 18 | /* 19 | // PMDK library TX function annotation 20 | void pm_trace_pmdk_funct_begin(void); 21 | void pm_trace_pmdk_funct_end(void); 22 | */ 23 | 24 | #endif // PM_TRACE_FUNCTS__ 25 | -------------------------------------------------------------------------------- /include/pmfuzz.h: -------------------------------------------------------------------------------- 1 | #ifndef INCLUDE_PMFUZZ_INSTRUMENTATION_H__ 2 | #define INCLUDE_PMFUZZ_INSTRUMENTATION_H__ 3 | 4 | #include 5 | #include 6 | #include "shiftregarr.h" 7 | 8 | extern char pmfuzz_version_str[]; 9 | 10 | void pmfuzz_ro(uint32_t rand); 11 | void pmfuzz_wo(uint32_t rand); 12 | void pmfuzz_rw(uint32_t rand); 13 | void pmfuzz_inject_failure(char* file, int line); 14 | void pmfuzz_set_addr_env(void* addr, unsigned long size); 15 | void pmfuzz_set_path_env(char* path); 16 | 17 | void pmfuzz_init(void* addr, unsigned long size, char* path); 18 | void pmfuzz_term(void); 19 | 20 | #define PMFUZZ_RND(range) \ 21 | (((uint32_t)((15485867*__LINE__*__LINE__*(__COUNTER__+9))%4392203))%(range)) 22 | 23 | #define PMFUZZ_RND_LN(line, range) \ 24 | (((uint32_t)((15485867*line*line*(__COUNTER__+9))%4392203))%(range)) 25 | 26 | #ifdef PMFUZZ 27 | 28 | /* AFL variables */ 29 | extern uint8_t *__pmfuzz_area_ptr; 30 | extern uint32_t __pmfuzz_map_size; 31 | extern uint32_t __pmfuzz_prev_loc; 32 | 33 | #define PMFUZZ_MARK_RO __attribute__((annotate("pmfuzz_pm_read_func"))) 34 | #define PMFUZZ_MARK_WO __attribute__((annotate("pmfuzz_pm_write_func"))) 35 | #define PMFUZZ_MARK_RW __attribute__((annotate("pmfuzz_pm_read_write_func"))) 36 | #define NO_INLINE __attribute__((noinline)) 37 | 38 | #define PMFUZZ_FAILURE_HINT pmfuzz_inject_failure(__FILE__, __LINE__); 39 | 40 | #else 41 | 42 | #define PMFUZZ_MARK_RO 43 | #define PMFUZZ_MARK_WO 44 | #define PMFUZZ_MARK_RW 45 | #define NO_INLINE 46 | 47 | #define PMFUZZ_FAILURE_HINT 48 | 49 | #endif // PMFUZZ 50 | 51 | #endif // INCLUDE_PMFUZZ_INSTRUMENTATION_H__ 52 | -------------------------------------------------------------------------------- /include/pmfuzz_config.h: -------------------------------------------------------------------------------- 1 | #ifndef INCLUDE_PMFUZZ_CONFIG_HEADER__ 2 | #define INCLUDE_PMFUZZ_CONFIG_HEADER__ 3 | 4 | #include "../VERSION" 5 | 6 | #endif // INCLUDE_PMFUZZ_CONFIG_HEADER__ -------------------------------------------------------------------------------- /include/rtinfo.c: -------------------------------------------------------------------------------- 1 | #include "rtinfo.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | void print_trace() { 9 | char pid_buf[30]; 10 | sprintf(pid_buf, "%d", getpid()); 11 | char name_buf[512]; 12 | name_buf[readlink("/proc/self/exe", name_buf, 511)]=0; 13 | prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0); 14 | int child_pid = fork(); 15 | if (!child_pid) { 16 | execlp("gdb", "gdb", "--batch", "-n", "-ex", "thread", "-ex", "bt", name_buf, pid_buf, NULL); 17 | abort(); /* If gdb failed to start */ 18 | } else { 19 | waitpid(child_pid,NULL,0); 20 | } 21 | } 22 | 23 | int print_stack_trace() { 24 | print_str(STDERR_FILENO, "--- Begin stacktrace ---\n"); 25 | 26 | print_trace(); 27 | 28 | print_str(STDERR_FILENO, "--- End stacktrace ---\n"); 29 | 30 | return (0); 31 | } 32 | -------------------------------------------------------------------------------- /include/rtinfo.h: -------------------------------------------------------------------------------- 1 | /** 2 | * Licensed under FreeBSD from 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #define BACKTRACE_DEPTH 256 22 | #define NULLSTR "(null)" 23 | 24 | static inline void print_str(int fd, const char *str) { 25 | if (str == NULL) { 26 | write(fd, NULLSTR, strlen(NULLSTR)); 27 | } else { 28 | write(fd, str, strlen(str)); 29 | } 30 | } 31 | 32 | void print_unw_error(const char *fun, int error); 33 | 34 | int print_stack_trace(); 35 | -------------------------------------------------------------------------------- /pmfuzz-fuzz: -------------------------------------------------------------------------------- 1 | src/pmfuzz/pmfuzz-fuzz.py -------------------------------------------------------------------------------- /scripts/install-dependencies.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | fail() { 4 | echo "ERROR: $1" 5 | exit 1 6 | } 7 | 8 | SUDO="sudo" 9 | sudo 2>/dev/null || SUDO="" 10 | 11 | DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/$(basename "${BASH_SOURCE[0]}")" 12 | 13 | $SUDO apt-get install libunwind-dev libini-config-dev || { fail "Cannot run 'apt-get install'."; } 14 | "$(dirname $DIR)"/install-ndctl.sh || { fail "Cannot run install-ndctl script."; } -------------------------------------------------------------------------------- /scripts/install-ndctl.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | NDCTL_DIR=$1 4 | SUDO="sudo" 5 | sudo 2>/dev/null || SUDO="" 6 | 7 | function clone_ndctl { 8 | git clone https://github.com/pmem/ndctl/ /tmp/ndctl-tmp-pmfuzz 9 | NDCTL_DIR=/tmp/ndctl-tmp-pmfuzz 10 | ${BASH} -c "cd $NDCTL_DIR; git checkout v68;" 11 | } 12 | 13 | if [ "$#" -ne 1 ]; then 14 | echo 'No ndctl path specified, cloning from github' 15 | clone_ndctl 16 | fi 17 | 18 | $SUDO apt-get -y purge 'libdaxctl*' 'libndctl*' 19 | 20 | $SUDO apt-get install autoconf bash-completion asciidoctor libkmod-dev libudev-dev uuid-dev libjson-c-dev libkeyutils-dev 21 | 22 | 23 | pushd $NDCTL_DIR 24 | 25 | $SUDO ./autogen.sh 26 | $SUDO ./configure CFLAGS='-g -O2' --prefix=/usr/local --sysconfdir=/etc --libdir=/usr/local/lib64 27 | 28 | popd 29 | 30 | make -j40 -C "$NDCTL_DIR" 31 | $SUDO make install -j40 -C "$NDCTL_DIR" 32 | -------------------------------------------------------------------------------- /src/annotation-pass/Makefile: -------------------------------------------------------------------------------- 1 | # This file is a derivative of AFL's Apache 2.0 licensed work, 2 | # see vendor/AFL directory for complete license. 3 | 4 | TARGET = pmfuzz_annot_pass.so 5 | 6 | LLVM_CONFIG ?= llvm-config 7 | 8 | CFLAGS ?= -O3 -funroll-loops 9 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ 10 | 11 | CXXFLAGS ?= -O3 -funroll-loops -I../../include 12 | CXXFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ 13 | -DVERSION=\"$(VERSION)\" -Wno-variadic-macros 14 | 15 | # Mark nodelete to work around unload bug in upstream LLVM 5.0+ 16 | CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -Wl,-znodelete -fno-rtti -fpic $(CXXFLAGS) 17 | CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) 18 | 19 | # We were using llvm-config --bindir to get the location of clang, but 20 | # this seems to be busted on some distros, so using the one in $PATH is 21 | # probably better. 22 | 23 | ifeq "$(origin CC)" "default" 24 | CC = clang 25 | CXX = clang++ 26 | endif 27 | 28 | all: test-deps 29 | make $(TARGET) 30 | 31 | test-deps: 32 | @echo "[*] Checking for working 'llvm-config'..." 33 | @which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) 34 | 35 | $(TARGET): $(TARGET:.so=.cpp) 36 | $(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL) 37 | 38 | clean: 39 | rm *.so 40 | -------------------------------------------------------------------------------- /src/annotation-pass/README.md: -------------------------------------------------------------------------------- 1 | 1. Add LLVM's bin directory to `PATH` 2 | 2. `make` 3 | 3. Compiler pass will be generated as `pmfuzz-annot-pass.so` 4 | -------------------------------------------------------------------------------- /src/example/Makefile: -------------------------------------------------------------------------------- 1 | DEPENDS := 2 | CXXFLAGS := 3 | LIBS :=-lfakepmfuzz 4 | 5 | %.o: %.cc $(DEPENDS) 6 | $(CXX) $(INCLUDE) -c $(CXXFLAGS) $< -o $@ 7 | 8 | example: example.o 9 | $(CXX) -o $@ $< $(LIBS) 10 | 11 | clean: 12 | rm -f example *.o 13 | -------------------------------------------------------------------------------- /src/example/example: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/src/example/example -------------------------------------------------------------------------------- /src/example/example.cc: -------------------------------------------------------------------------------- 1 | // -*- mode: c++; c-basic-offset: 2; -*- 2 | 3 | /** 4 | * @file example.cc 5 | * @date March 13, 2021 6 | * @brief Brief description here 7 | */ 8 | 9 | #include 10 | 11 | int main() { 12 | printf("PMFuzz version: %s\n", pmfuzz_version_str); 13 | } 14 | -------------------------------------------------------------------------------- /src/pmfuzz/.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__/ 2 | venv/ 3 | docs/ 4 | log.html 5 | log.pdf 6 | progress.* 7 | .afl-tmin-temp-* 8 | -------------------------------------------------------------------------------- /src/pmfuzz/Makefile: -------------------------------------------------------------------------------- 1 | FILE_DIR = $(dir $(realpath $(firstword $(MAKEFILE_LIST)))) 2 | 3 | docs: FORCE 4 | PATH=$(PATH):$(FILE_DIR) doxygen Doxyfile 5 | $(MAKE) -C docs/latex 6 | @echo 7 | @echo 8 | @echo "===" 9 | @echo "Documentation generated in docs/" 10 | @echo "===" 11 | @echo 12 | @echo 13 | 14 | tests: FORCE 15 | python3 pmfuzz-tests.py 16 | 17 | clean: 18 | rm -rf docs 19 | 20 | FORCE: ; 21 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.btree.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.btree.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.btree.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.btree.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.btree.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.btree.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.btree.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.btree.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.btree.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for btree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.btree.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.ctree.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.ctree.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.ctree.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.ctree.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.ctree.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.ctree.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.ctree.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.ctree.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_atomic.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_atomic 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_atomic.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_atomic.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_atomic 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_atomic.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_atomic.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_atomic 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_atomic.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_atomic.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_atomic 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_atomic.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_atomic.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_atomic 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_atomic.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_rp.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_rp 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_rp.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_rp.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_rp 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_rp.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_rp.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_rp 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_rp.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_rp.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_rp 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_rp.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_rp.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_rp 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_rp.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_tx.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_tx.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_tx.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_tx.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_tx.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_tx.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_tx.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_tx.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.hashmap_tx.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for hashmap_tx 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.hashmap_tx.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rbtree.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rbtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rbtree.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rbtree.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rbtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rbtree.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rbtree.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rbtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rbtree.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rbtree.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rbtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rbtree.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rbtree.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rbtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rbtree.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rtree.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rtree.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rtree.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rtree.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rtree.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rtree.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rtree.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rtree.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.rtree.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for rtree 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.rtree.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.skiplist.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for skiplist 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.skiplist.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.skiplist.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for skiplist 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.skiplist.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.skiplist.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for skiplist 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.skiplist.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.skiplist.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for skiplist 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.skiplist.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/mapcli.skiplist.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the Baseline for skiplist 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/mapcli.skiplist.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/memcached.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the baseline for memcached 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/memcached.yml 7 | - configs/run_configs/baseline.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/memcached.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the PMFuzz for memcached 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/memcached.yml 7 | - configs/run_configs/complete.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/memcached.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the PMFuzz for memcached 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/memcached.yml 7 | - configs/run_configs/completeslow.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/memcached.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the PMFuzz for memcached 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/memcached.yml 7 | - configs/run_configs/completeunfocused.yml 8 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/memcached.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the baseline for memcached 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/memcached.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | 9 | target: 10 | tmout: "2500" # ms 11 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/redis.baseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the baseline AFL for redis 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/redis.yml 7 | - configs/run_configs/baseline.yml -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/redis.complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the PMfuzz for redis 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/redis.yml 7 | - configs/run_configs/complete.yml -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/redis.completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the PMfuzz for redis 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/redis.yml 7 | - configs/run_configs/completeslow.yml -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/redis.completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the PMfuzz for redis 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/redis.yml 7 | - configs/run_configs/completeunfocused.yml -------------------------------------------------------------------------------- /src/pmfuzz/configs/examples/redis.primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the baseline AFL for redis 3 | 4 | include: 5 | - configs/base.yml 6 | - configs/workload/redis.yml 7 | - configs/run_configs/primitivebaseline.yml 8 | 9 | target: 10 | tmout: "2500" # ms 11 | mlimit: "3000" 12 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/run_configs/baseline.yml: -------------------------------------------------------------------------------- 1 | # Baseline configuration 2 | 3 | pmfuzz: 4 | progress_file: "/tmp/baseline.log" 5 | stage: 6 | "1": 7 | cores: 38 8 | "2": 9 | enable: No 10 | 11 | dedup: 12 | global: 13 | fdedup: No 14 | minimize_tc: No 15 | minimize_corpus: Yes 16 | local: 17 | minimize_tc: No 18 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/run_configs/complete.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the whole PMFuzz package for hashmap_tx 3 | 4 | pmfuzz: 5 | progress_file: "/tmp/complete.log" 6 | stage: 7 | "1": 8 | cores: 20 9 | "2": 10 | enable: Yes 11 | cores: 10 12 | tc_timeout: 600 # sec 13 | dedup: 14 | global: 15 | fdedup: 'pm_map' 16 | minimize_tc: No 17 | minimize_corpus: Yes 18 | local: 19 | minimize_tc: No # TODO: Yes version not implemented 20 | minimize_corpus: Yes 21 | 22 | failure_injection: 23 | enable: Yes 24 | 25 | # Configure the fuzzing target 26 | target: 27 | env: 28 | ENABLE_PM_PATH: "1" 29 | 30 | afl: 31 | prioritize_pm_path: 32 | enable: Yes 33 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/run_configs/completeslow.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the whole PMFuzz package for hashmap_tx 3 | 4 | pmfuzz: 5 | progress_file: "/tmp/complete.log" 6 | stage: 7 | "1": 8 | cores: 20 9 | "2": 10 | enable: Yes 11 | cores: 10 12 | tc_timeout: 600 # sec 13 | dedup: 14 | global: 15 | fdedup: 'pm_map' 16 | minimize_tc: No 17 | minimize_corpus: Yes 18 | local: 19 | minimize_tc: No # TODO: Yes version not implemented 20 | minimize_corpus: Yes 21 | 22 | failure_injection: 23 | enable: Yes 24 | 25 | # Configure the fuzzing target 26 | target: 27 | tmout: "500" 28 | env: 29 | ENABLE_PM_PATH: "1" 30 | AFL_NO_FORKSRV: "1" 31 | PRIMITIVE_BASELINE_MODE: "1" 32 | 33 | afl: 34 | prioritize_pm_path: 35 | enable: Yes 36 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/run_configs/completeunfocused.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Runs the whole PMFuzz package for hashmap_tx 3 | 4 | pmfuzz: 5 | progress_file: "/tmp/complete.log" 6 | stage: 7 | "1": 8 | cores: 20 9 | "2": 10 | enable: Yes 11 | cores: 10 12 | tc_timeout: 600 # sec 13 | dedup: 14 | global: 15 | fdedup: 'pm_map' 16 | minimize_tc: No 17 | minimize_corpus: Yes 18 | local: 19 | minimize_tc: No # TODO: Yes version not implemented 20 | minimize_corpus: Yes 21 | 22 | failure_injection: 23 | enable: Yes 24 | 25 | target: 26 | env: 27 | UNFOCUSSED_MODE: "1" 28 | 29 | afl: 30 | prioritize_pm_path: 31 | enable: No 32 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/run_configs/primitivebaseline.yml: -------------------------------------------------------------------------------- 1 | # Baseline configuration 2 | 3 | target: 4 | env: 5 | # Disable the forkserver and 6 | AFL_NO_FORKSRV: "1" 7 | PRIMITIVE_BASELINE_MODE: "1" 8 | 9 | tmout: "500" 10 | 11 | pmfuzz: 12 | progress_file: "/tmp/baseline.log" 13 | stage: 14 | "1": 15 | cores: 38 16 | "2": 17 | enable: No 18 | 19 | dedup: 20 | global: 21 | fdedup: No 22 | minimize_tc: No 23 | minimize_corpus: Yes 24 | local: 25 | minimize_tc: No 26 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.btree.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/hashmap_tx 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli btree __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.ctree.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/hashmap_tx 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli ctree __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.hashmap_atomic.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/hashmap_atomic 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli hashmap_atomic __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.hashmap_rp.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/hashmap_rp 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli hashmap_rp __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.hashmap_tx.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/hashmap_tx 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli hashmap_tx __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.rbtree.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/rbtree 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli rbtree __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.rtree.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/rtree 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli rtree __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/mapcli.skiplist.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for PMDK/mapcli/skiplist 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_LIBRARY_PATH: "/usr/local/lib64/" 8 | cmd: "%ROOT%/vendor/pmdk/src/examples/libpmemobj/map/mapcli skiplist __POOL_IMAGE__ 0" 9 | persist_enable_env: USE_FAKE_MMAP=0 10 | persist_disable_env: USE_FAKE_MMAP=1 11 | 12 | pmfuzz: 13 | failure_injection: 14 | test_with: "%ROOT%/inputs/mapcli_inputs/4.txt" 15 | img_gen_mode: 16 | env: { 17 | USE_FAKE_MMAP : "1", 18 | FI_MODE : IMG_GEN, 19 | FAILURE_LIST : /dev/null, 20 | PMFUZZ_DEBUG : "1", 21 | ENABLE_CNST_IMG : "1", 22 | LD_LIBRARY_PATH : "/usr/local/lib64", 23 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:", 24 | } -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/memcached.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for vendor/memcached-pmem 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_PRELOAD: "%LIB%/libdesock.so:%LIB%/libdetime.so:%LIB%/libdesrand.so" 8 | LD_LIBRARY_PATH: "/usr/local/lib64/" 9 | 10 | cmd: "%BIN%/memcached -A -p 11211 -m 0 -j __POOL_IMAGE__ -o pslab_force" 11 | 12 | persist_enable_env: USE_FAKE_MMAP=0 13 | persist_disable_env: USE_FAKE_MMAP=1 14 | 15 | empty_img: 16 | stdin: "shutdown" 17 | tmout: "1500" # ms 18 | 19 | pmfuzz: 20 | failure_injection: 21 | test_with: "%ROOT%/inputs/memcached/1.txt" 22 | img_gen_mode: 23 | dont_create_env: 24 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:%LIB%/libdesock.so:" 25 | create_env: 26 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:%LIB%/libdesock.so:" 27 | -------------------------------------------------------------------------------- /src/pmfuzz/configs/workload/redis.yml: -------------------------------------------------------------------------------- 1 | # Brief: 2 | # Configures binary for vendor/redis-3.2-nvml 3 | 4 | target: 5 | env: 6 | PMEM_IS_PMEM_FORCE: "1" 7 | LD_PRELOAD: "%LIB%/libdesock.so:%LIB%/libdetime.so:%LIB%/libderand.so" 8 | LD_LIBRARY_PATH: "/usr/local/lib64/" 9 | 10 | cmd: "%BIN%/redis-server %ROOT%/vendor/redis-3.2-nvml/redis.conf --pmfile __POOL_IMAGE__ 8mb" 11 | 12 | persist_enable_env: USE_FAKE_MMAP=0 13 | persist_disable_env: USE_FAKE_MMAP=1 14 | 15 | empty_img: 16 | stdin: "shutdown" 17 | 18 | tmout: "1500" # ms 19 | 20 | pmfuzz: 21 | failure_injection: 22 | test_with: "%ROOT%/inputs/redis/5.txt" 23 | img_gen_mode: 24 | dont_create_env: 25 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:%LIB%/libdesock.so:" 26 | create_env: 27 | LD_PRELOAD : "%LIB%/libdetime.so:%LIB%/libdesrand.so:%LIB%/libdesock.so:" -------------------------------------------------------------------------------- /src/pmfuzz/pmfuzz-setup.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env sh 2 | # Brief: 3 | # Sets up python environment for pmfuzz 4 | # Usage: 5 | # ./pmfuzz-setup.sh 6 | 7 | BASEDIR=$(dirname "$0") 8 | LOG_F="$(mktemp /tmp/pmfuzz-setup.XXXXXX.log)" 9 | 10 | LOG_TEXT=", check README. Log file at: ${LOG_F}" 11 | 12 | echo "Log file: ${LOG_F}" 13 | echo '' 14 | 15 | # Check for virtual env 16 | echo 'Finding virtualenv...' 17 | command -v virtualenv >${LOG_F} 2>&1 \ 18 | || { echo >&2 "ERROR: PMFuzz requires virtualenv." $LOG_TEXT ; 19 | exit 1; } 20 | 21 | # Create new virtual env 22 | echo 'Setting up environment...' 23 | virtualenv -q --python=python3 "${BASEDIR}/venv" >${LOG_F} 2>&1 \ 24 | || { echo >&2 "ERROR: Unable to create virtual env" $LOG_TEXT; 25 | exit 1; } 26 | 27 | # Activate environment 28 | echo 'Activating environment...' 29 | source "${BASEDIR}/venv/bin/activate" >${LOG_F} 2>&1 \ 30 | || . "${BASEDIR}/venv/bin/activate" >${LOG_F} 2>&1 \ 31 | || { echo >&2 "ERROR: Unable to activate virtual env" $LOG_TEXT; 32 | exit 1; } 33 | 34 | 35 | # Install requirements 36 | echo 'Installing dependencies...' 37 | pip install -r requirements.txt >${LOG_F} 2>&1 \ 38 | || { echo >&2 "ERROR: Unable to install dependencies" $LOG_TEXT; 39 | exit 1; } 40 | 41 | echo '' 42 | echo 'Done, run source venv/bin/activate before running pmfuzz' -------------------------------------------------------------------------------- /src/pmfuzz/pmfuzz-tests.py: -------------------------------------------------------------------------------- 1 | import doctest 2 | import sys 3 | 4 | import handlers.name_handler as nh 5 | 6 | from helper.parallel import Parallel 7 | 8 | def test_parallel(): 9 | def dummy(val1, val2): 10 | print('Val1: %d, val2: %d' % (val1, val2)) 11 | 12 | prl_obj = Parallel(dummy, 2) 13 | 14 | for i in range(10): 15 | prl_obj.run([i, i*i]) 16 | 17 | prl_obj.wait() 18 | 19 | return (0, 1) 20 | 21 | def main(): 22 | f1, t1 = doctest.testmod(nh, verbose=False) 23 | 24 | f2, t2 = test_parallel() 25 | 26 | failure_count = f1 + f2 27 | test_count = t1 + t2 28 | 29 | print('%d of %d tests failed.' % (failure_count, test_count)) 30 | 31 | exitcode = 0 32 | if failure_count > 0: 33 | exitcode = 1 34 | 35 | sys.exit(exitcode) 36 | 37 | if __name__ == '__main__': 38 | main() -------------------------------------------------------------------------------- /src/pmfuzz/pyfilter.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | doxypypy -a -c $1 3 | -------------------------------------------------------------------------------- /src/pmfuzz/requirements.txt: -------------------------------------------------------------------------------- 1 | alembic==1.4.0 2 | astroid==2.3.3 3 | async-generator==1.10 4 | attrs==19.3.0 5 | bcrypt==3.2.0 6 | bitarray==1.3.0 7 | certifi==2018.8.24 8 | certipy==0.1.3 9 | cffi==1.14.0 10 | chardet==3.0.4 11 | cryptography==2.8 12 | cycler==0.10.0 13 | decorator==4.4.1 14 | entrypoints==0.3 15 | HiYaPyCo==0.4.16 16 | idna==2.9 17 | importlib-metadata==1.5.0 18 | ipython-genutils==0.2.0 19 | isort==4.3.21 20 | Jinja2==2.11.2 21 | jsonschema==3.2.0 22 | jupyter-telemetry==0.0.5 23 | jupyterhub==0.9.6 24 | kiwisolver==1.2.0 25 | lazy-object-proxy==1.4.3 26 | Mako==1.1.1 27 | MarkupSafe==1.1.1 28 | matplotlib==3.2.2 29 | mccabe==0.6.1 30 | numpy==1.19.0 31 | oauthlib==3.1.0 32 | pamela==1.0.0 33 | pandas==1.0.5 34 | paramiko==2.7.2 35 | pickleDB==0.9.2 36 | plotext==1.0.10 37 | prometheus-client==0.7.1 38 | psutil==5.7.0 39 | pyaml==20.4.0 40 | pycparser==2.19 41 | pydot==1.4.1 42 | pylint==2.4.4 43 | PyNaCl==1.4.0 44 | pyOpenSSL==19.1.0 45 | pyparsing==2.4.7 46 | pyrsistent==0.15.7 47 | python-dateutil==2.8.1 48 | python-editor==1.0.4 49 | python-json-logger==0.1.11 50 | python-oauth2==1.1.1 51 | pytz==2020.1 52 | PyYAML==5.3.1 53 | requests==2.23.0 54 | ruamel.yaml==0.16.10 55 | ruamel.yaml.clib==0.2.0 56 | scipy==1.3.1 57 | six==1.15.0 58 | SQLAlchemy==1.3.13 59 | stdiomask==0.0.6 60 | tornado==6.0.3 61 | traitlets==4.3.3 62 | typed-ast==1.4.0 63 | urllib3==1.25.8 64 | urwid==2.1.0 65 | wrapt==1.11.2 66 | zipp==3.0.0 67 | -------------------------------------------------------------------------------- /src/pmfuzz/stages/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/src/pmfuzz/stages/__init__.py -------------------------------------------------------------------------------- /src/pmfuzz/stages/fuzzobj.py: -------------------------------------------------------------------------------- 1 | """ 2 | @file fuzzobj.py 3 | @details TODO 4 | @copyright 2020-21 PMFuzz Authors 5 | 6 | SPDX-license-identifier: BSD-3-Clause 7 | """ 8 | 9 | import time 10 | 11 | from os import path 12 | import datetime 13 | 14 | from helper import common 15 | from helper import prettyprint 16 | from helper import config 17 | 18 | class FuzzObj: 19 | """ @class Class for creating pmfuzz objects """ 20 | 21 | # Holds the suffix for output directory of all the stages 22 | SUFFIX = '.pmfuzz-outdir' 23 | 24 | def __init__(self, name, verbose, force_resp, dry_run): 25 | self.force_resp = force_resp # Force resp needs to be set first 26 | # for others to use it 27 | 28 | self.name = name 29 | self.verbose = verbose 30 | self.dry_run = dry_run 31 | 32 | def printv(self, msg): 33 | if self.verbose: 34 | prettyprint.printv(msg) 35 | 36 | @property 37 | def name(self): 38 | return self._name 39 | 40 | @name.setter 41 | def name(self, value): 42 | self._name = value 43 | 44 | @property 45 | def verbose(self): 46 | return self._verbose 47 | 48 | @verbose.setter 49 | def verbose(self, value): 50 | self._verbose = value 51 | 52 | @property 53 | def force_resp(self): 54 | return self._force_resp 55 | 56 | @force_resp.setter 57 | def force_resp(self, value): 58 | self._force_resp = value 59 | 60 | @property 61 | def dry_run(self): 62 | return self._dry_run 63 | 64 | @dry_run.setter 65 | def dry_run(self, value): 66 | self._dry_run = value 67 | -------------------------------------------------------------------------------- /src/pmfuzz/tools/cp-map: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python3 2 | 3 | """ 4 | @file cp-map 5 | @details Creates a tuple file for afl-cmin using a binary bitmap 6 | @copyright 2020-21 PMFuzz Authors 7 | 8 | SPDX-license-identifier: BSD-3-Clause 9 | """ 10 | 11 | import argparse 12 | import bitarray 13 | import numpy as np 14 | import os 15 | import sys 16 | 17 | 18 | def parse_args(): 19 | parser = argparse.ArgumentParser( 20 | description='Copies map for a testcase as a tuple list.' 21 | ) 22 | 23 | parser.add_argument( 24 | 'input_f', 25 | type=str, 26 | help='Input file to generate the map for', 27 | ) 28 | parser.add_argument( 29 | 'output_f', 30 | type=str, 31 | help='Destination file for the tuple', 32 | ) 33 | parser.add_argument( 34 | '-m', 35 | dest='maps_dir', 36 | type=str, 37 | default=None, 38 | help='Directory containing the maps, default: same as input directory', 39 | ) 40 | 41 | args = parser.parse_args() 42 | 43 | if args.maps_dir == None: 44 | args.maps_dir = os.path.dirname(args.input_f) 45 | 46 | return args 47 | 48 | def main(): 49 | args = parse_args() 50 | 51 | in_fname = os.path.basename(args.input_f) 52 | mapname = 'map_' + in_fname 53 | map_f = os.path.join(args.maps_dir, mapname) 54 | 55 | with open(map_f, 'rb') as obj, open(args.output_f, 'w') as obj2: 56 | arr = bitarray.bitarray() 57 | arr.fromfile(obj) 58 | arr = arr.tobytes() 59 | 60 | cnt = 0 61 | for i in range(len(arr)): 62 | if arr[i] != 0: 63 | val = int(np.log2(arr[i]))+1 64 | obj2.write("%u%u\n" % (val, i)) 65 | cnt += 1 66 | # iter += 1 67 | 68 | # if iter > 64*1024*8: 69 | # print('Iter %d is too large' % iter) 70 | # exit(1) 71 | # print('Total tuples: %d' % cnt) 72 | if __name__ == '__main__': 73 | main() 74 | else: 75 | print('Cannot import %s as library' % sys.argv[0]) 76 | exit(1) -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/.gitignore: -------------------------------------------------------------------------------- 1 | .test 2 | .test2 3 | *.o 4 | *.so 5 | afl-analyze 6 | afl-as 7 | afl-clang 8 | afl-clang++ 9 | afl-clang-fast 10 | afl-clang-fast++ 11 | afl-clang-lto 12 | afl-clang-lto++ 13 | afl-fuzz 14 | afl-g++ 15 | afl-gcc 16 | afl-gcc-fast 17 | afl-g++-fast 18 | afl-gotcpu 19 | afl-ld 20 | afl-qemu-trace 21 | afl-showmap 22 | afl-tmin 23 | afl-analyze.8 24 | afl-as.8 25 | afl-clang-fast++.8 26 | afl-clang-fast.8 27 | afl-clang-lto.8 28 | afl-clang-lto++.8 29 | afl-cmin.8 30 | afl-cmin.bash.8 31 | afl-fuzz.8 32 | afl-gcc.8 33 | afl-gcc-fast.8 34 | afl-g++-fast.8 35 | afl-gotcpu.8 36 | afl-plot.8 37 | afl-showmap.8 38 | afl-system-config.8 39 | afl-tmin.8 40 | afl-whatsup.8 41 | qemu_mode/libcompcov/compcovtest 42 | as 43 | ld 44 | qemu_mode/qemu-* 45 | unicorn_mode/unicornafl/ 46 | unicorn_mode/samples/*/\.test-* 47 | unicorn_mode/samples/*/output/ 48 | core\.* 49 | test/unittests/unit_maybe_alloc 50 | test/unittests/unit_preallocable 51 | test/unittests/unit_list 52 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/Android.mk: -------------------------------------------------------------------------------- 1 | Makefile -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to submit a Pull Request to AFLplusplus 2 | 3 | Each modified source file, before merging, must be formatted. 4 | 5 | ``` 6 | make code-format 7 | ``` 8 | 9 | This should be fine if you modified one of the files already present in the 10 | project, or added a file in a directory we already format, otherwise run: 11 | 12 | ``` 13 | ./.custom-format.py -i file-that-you-have-created.c 14 | ``` 15 | 16 | Regarding the coding style, please follow the AFL style. 17 | No camel case at all and use the AFL's macros wherever possible 18 | (e.g. WARNF, FATAL, MAP_SIZE, ...). 19 | 20 | Remember that AFLplusplus has to build and run on many platforms, so 21 | generalize your Makefiles (or your patches to our pre-existing Makefiles) 22 | to be as much generic as possible. 23 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/Changelog.md: -------------------------------------------------------------------------------- 1 | docs/Changelog.md -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:eoan 2 | MAINTAINER David Carlier 3 | LABEL "about"="AFLplusplus docker image" 4 | RUN apt-get update && apt-get -y install \ 5 | --no-install-suggests --no-install-recommends \ 6 | automake \ 7 | bison \ 8 | build-essential \ 9 | clang \ 10 | clang-9 \ 11 | flex \ 12 | git \ 13 | python3.7 \ 14 | python3.7-dev \ 15 | gcc-9 \ 16 | gcc-9-plugin-dev \ 17 | gcc-9-multilib \ 18 | libc++-9-dev \ 19 | libtool \ 20 | libtool-bin \ 21 | libglib2.0-dev \ 22 | llvm-9-dev \ 23 | python-setuptools \ 24 | python2.7-dev \ 25 | wget \ 26 | ca-certificates \ 27 | libpixman-1-dev \ 28 | && rm -rf /var/lib/apt/lists/* 29 | 30 | ARG CC=gcc-9 31 | ARG CXX=g++-9 32 | ARG LLVM_CONFIG=llvm-config-9 33 | 34 | RUN git clone https://github.com/AFLplusplus/AFLplusplus 35 | 36 | RUN cd AFLplusplus && make clean && make distrib && \ 37 | make install && cd .. && rm -rf AFLplusplus 38 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo please use GNU make, thanks! 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/QuickStartGuide.md: -------------------------------------------------------------------------------- 1 | docs/QuickStartGuide.md -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/TODO.md: -------------------------------------------------------------------------------- 1 | # TODO list for AFL++ 2 | 3 | ## Roadmap 2.63 4 | 5 | - complete custom_mutator API changes and documentation 6 | - fix stability calculation bug 7 | 8 | ## Roadmap 2.64 9 | 10 | - context sensitive branch coverage in llvm_mode 11 | - random crc32 HASH_CONST per run? because with 65536 paths we have collisions 12 | - namespace for targets? e.g. network 13 | - libradamsa as a custom module? 14 | - laf-intel build auto-dictionary? 15 | 16 | ## Further down the road 17 | 18 | afl-fuzz: 19 | - sync_fuzzers(): only masters sync from all, slaves only sync from master 20 | (@andrea: be careful, often people run all slaves) 21 | - ascii_only mode for mutation output 22 | - setting min_len/max_len/start_offset/end_offset limits for mutation output 23 | 24 | llvm_mode: 25 | - added context sensitive branch coverage 26 | - add CT cov and ngram cov to LTO and InsTrim 27 | - better whitelist solution for LTO 28 | 29 | gcc_plugin: 30 | - laf-intel 31 | - better instrumentation (seems to be better with gcc-9+) 32 | 33 | qemu_mode: 34 | - update to 4.x (probably this will be skipped :( ) 35 | - non colliding instrumentation 36 | - instrim for QEMU mode via static analysis (with r2pipe? or angr?) 37 | Idea: The static analyzer outputs a map in which each edge that must be 38 | skipped is marked with 1. QEMU loads it at startup in the parent process. 39 | - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, 40 | AFL_COMPCOV_LEVEL?) 41 | - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as we have 42 | persistent mode 43 | - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM 44 | - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses 45 | 46 | custom_mutators: 47 | - rip what Superion is doing into custom mutators for js, php, etc. 48 | 49 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/config.h: -------------------------------------------------------------------------------- 1 | include/config.h -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/README.md: -------------------------------------------------------------------------------- 1 | # AFL dictionaries 2 | 3 | (See [../docs/README.md](../docs/README.md) for the general instruction manual.) 4 | 5 | This subdirectory contains a set of dictionaries that can be used in 6 | conjunction with the -x option to allow the fuzzer to effortlessly explore the 7 | grammar of some of the more verbose data formats or languages. The basic 8 | principle behind the operation of fuzzer dictionaries is outlined in section 10 9 | of the "main" README.md for the project. 10 | 11 | Custom dictionaries can be added at will. They should consist of a 12 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try 13 | to clobber together in various ways. Snippets between 2 and 16 bytes are 14 | usually the sweet spot. 15 | 16 | Custom dictionaries can be created in two ways: 17 | 18 | - By creating a new directory and placing each token in a separate file, in 19 | which case, there is no need to escape or otherwise format the data. 20 | 21 | - By creating a flat text file where tokens are listed one per line in the 22 | format of name="value". The alphanumeric name is ignored and can be omitted, 23 | although it is a convenient way to document the meaning of a particular 24 | token. The value must appear in quotes, with hex escaping (\xNN) applied to 25 | all non-printable, high-bit, or otherwise problematic characters (\\ and \" 26 | shorthands are recognized, too). 27 | 28 | The fuzzer auto-selects the appropriate mode depending on whether the -x 29 | parameter is a file or a directory. 30 | 31 | In the file mode, every name field can be optionally followed by @, e.g.: 32 | 33 | `keyword_foo@1 = "foo"` 34 | 35 | Such entries will be loaded only if the requested dictionary level is equal or 36 | higher than this number. The default level is zero; a higher value can be set 37 | by appending @ to the dictionary file name, like so: 38 | 39 | `-x path/to/dictionary.dct@2` 40 | 41 | Good examples of dictionaries can be found in xml.dict and png.dict. 42 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 6 | # 7 | # Inspired by a dictionary by Jakub Wilk 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/dictionaries/xml.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="" 61 | tag_doctype="" 68 | tag_open_close="" 69 | tag_open_exclamation="" 72 | tag_xml_q="" 73 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/PATCHES.md: -------------------------------------------------------------------------------- 1 | # Applied Patches 2 | 3 | The following patches from https://github.com/vanhauser-thc/afl-patches 4 | have been installed or not installed: 5 | 6 | 7 | ## INSTALLED 8 | ``` 9 | afl-llvm-fix.diff by kcwu(at)csie(dot)org 10 | afl-sort-all_uniq-fix.diff by legarrec(dot)vincent(at)gmail(dot)com 11 | laf-intel.diff by heiko(dot)eissfeldt(at)hexco(dot)de 12 | afl-llvm-optimize.diff by mh(at)mh-sec(dot)de 13 | afl-fuzz-tmpdir.diff by mh(at)mh-sec(dot)de 14 | afl-fuzz-79x24.diff by heiko(dot)eissfeldt(at)hexco(dot)de 15 | afl-fuzz-fileextensionopt.diff tbd 16 | afl-as-AFL_INST_RATIO.diff by legarrec(dot)vincent(at)gmail(dot)com 17 | afl-qemu-ppc64.diff by william(dot)barsse(at)airbus(dot)com 18 | afl-qemu-optimize-entrypoint.diff by mh(at)mh-sec(dot)de 19 | afl-qemu-speed.diff by abiondo on github 20 | afl-qemu-optimize-map.diff by mh(at)mh-sec(dot)de 21 | ``` 22 | 23 | + llvm_mode ngram prev_loc coverage (github.com/adrianherrera/afl-ngram-pass) 24 | + Custom mutator (native library) (by kyakdan) 25 | + unicorn_mode (modernized and updated by domenukk) 26 | + instrim (https://github.com/csienslab/instrim) was integrated 27 | + MOpt (github.com/puppet-meteor/MOpt-AFL) was imported 28 | + AFLfast additions (github.com/mboehme/aflfast) were incorporated. 29 | + Qemu 3.1 upgrade with enhancement patches (github.com/andreafioraldi/afl) 30 | + Python mutator modules support (github.com/choller/afl) 31 | + Whitelisting in LLVM mode (github.com/choller/afl) 32 | + forkserver patch for afl-tmin (github.com/nccgroup/TriforceAFL) 33 | 34 | 35 | ## NOT INSTALLED 36 | 37 | ``` 38 | afl-fuzz-context_sensitive.diff - changes too much of the behaviour 39 | afl-tmpfs.diff - same as afl-fuzz-tmpdir.diff but more complex 40 | afl-cmin-reduce-dataset.diff - unsure of the impact 41 | afl-llvm-fix2.diff - not needed with the other patches 42 | ``` 43 | 44 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/README.radamsa.md: -------------------------------------------------------------------------------- 1 | # libradamsa 2 | 3 | Pretranslated radamsa library. This code belongs to the radamsa author. 4 | 5 | > Original repository: https://gitlab.com/akihe/radamsa 6 | 7 | > Source commit: 7b2cc2d0 8 | 9 | > The code here is adapted for AFL++ with minor changes respect the original version 10 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/visualization/afl_gzip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/visualization/afl_gzip.png -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } <O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-bad-ptr.sql: -------------------------------------------------------------------------------- 1 | SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE""""""""; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='00000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-heap-overflow.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr1.sql: -------------------------------------------------------------------------------- 1 | create table t0(t);insert into t0 2 | select strftime(); 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr10.sql: -------------------------------------------------------------------------------- 1 | SELECT fts3_tokenizer(@0()); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr11.sql: -------------------------------------------------------------------------------- 1 | select''like''like''like#0; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr12.sql: -------------------------------------------------------------------------------- 1 | PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr13.sql: -------------------------------------------------------------------------------- 1 | WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr2.sql: -------------------------------------------------------------------------------- 1 | DETACH(select group_concat(q)); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr3.sql: -------------------------------------------------------------------------------- 1 | select(select strftime()); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr5.sql: -------------------------------------------------------------------------------- 1 | select e.*,0 from(s,(L))e; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr6.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr6.sql -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr7.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t USING fts4(tokenize=); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr8.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-null-ptr9.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-oob-read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-oob-read.sql -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-stack-exhaustion.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(content=t0); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-unint-mem.sql: -------------------------------------------------------------------------------- 1 | REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0); 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-bfd-badptr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-bfd-badptr.elf -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-bfd-badptr2.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-bfd-badptr2.elf -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-stack-overflow -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-unchecked-ctr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/strings-unchecked-ctr.elf -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/tcpdump-arp-crash.pcap -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/tcpdump-ppp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/tcpdump-ppp-crash.pcap -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/docs/vuln_samples/unzip-t-mem-corruption.zip -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/README.md: -------------------------------------------------------------------------------- 1 | # AFL++ Examples 2 | 3 | Here's a quick overview of the stuff you can find in this directory: 4 | 5 | - custom_mutators - example custom mutators in python an c 6 | 7 | - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed 8 | (e.g., to test setuid programs). 9 | 10 | - asan_cgroups - a contributed script to simplify fuzzing ASAN 11 | binaries with robust memory limits on Linux. 12 | 13 | - bash_shellshock - a simple hack used to find a bunch of 14 | post-Shellshock bugs in bash. 15 | 16 | - canvas_harness - a test harness used to find browser bugs with a 17 | corpus generated using simple image parsing 18 | binaries & afl-fuzz. 19 | 20 | - clang_asm_normalize - a script that makes it easy to instrument 21 | hand-written assembly, provided that you have clang. 22 | 23 | - crash_triage - a very rudimentary example of how to annotate crashes 24 | with additional gdb metadata. 25 | 26 | - distributed_fuzzing - a sample script for synchronizing fuzzer instances 27 | across multiple machines (see parallel_fuzzing.md). 28 | 29 | - libpng_no_checksum - a sample patch for removing CRC checks in libpng. 30 | 31 | - persistent_demo - an example of how to use the LLVM persistent process 32 | mode to speed up certain fuzzing jobs. 33 | 34 | - post_library - an example of how to build postprocessors for AFL. 35 | 36 | - socket_fuzzing - a LD_PRELOAD library 'redirects' a socket to stdin 37 | for fuzzing access with afl++ 38 | 39 | Note that the minimize_corpus.sh tool has graduated from the examples/ 40 | directory and is now available as ../afl-cmin. The LLVM mode has likewise 41 | graduated to ../llvm_mode/*. 42 | 43 | Most of the tools in this directory are meant chiefly as examples that need to 44 | be tweaked for your specific needs. They come with some basic documentation, 45 | but are not necessarily production-grade. 46 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/argv_fuzzing/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - argvfuzz 3 | # -------------------------------- 4 | # 5 | # Copyright 2019-2020 Kjell Braden 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at: 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | 14 | .PHONY: all install clean 15 | 16 | PREFIX ?= /usr/local 17 | BIN_PATH = $(PREFIX)/bin 18 | HELPER_PATH = $(PREFIX)/lib/afl 19 | 20 | CFLAGS = -fPIC -Wall -Wextra 21 | LDFLAGS = -shared 22 | 23 | UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?) 24 | UNAME_SAYS_LINUX:sh=uname | grep -E '^Linux|^GNU' >/dev/null; echo $$? 25 | 26 | _LDFLAGS_ADD=$(UNAME_SAYS_LINUX:1=) 27 | LDFLAGS_ADD=$(_LDFLAGS_ADD:0=-ldl) 28 | LDFLAGS += $(LDFLAGS_ADD) 29 | 30 | # on gcc for arm there is no -m32, but -mbe32 31 | M32FLAG = -m32 32 | M64FLAG = -m64 33 | 34 | CC_IS_GCC=$(shell $(CC) --version 2>/dev/null | grep gcc; echo $$?) 35 | CC_IS_ARMCOMPILER=$(shell $(CC) -v 2>&1 >/dev/null | grep arm; echo $$?) 36 | 37 | _M32FLAG=$(CC_IS_GCC)$(CC_IS_ARMCOMPILER) 38 | __M32FLAG=$(_M32FLAG:00=-mbe32) 39 | ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) 40 | M32FLAG=$(___M32FLAG) 41 | 42 | all: argvfuzz32.so argvfuzz64.so 43 | 44 | argvfuzz32.so: argvfuzz.c 45 | -$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)" 46 | 47 | argvfuzz64.so: argvfuzz.c 48 | -$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz64 build failure (that's fine)" 49 | 50 | install: argvfuzz32.so argvfuzz64.so 51 | install -d -m 755 $(DESTDIR)$(HELPER_PATH)/ 52 | if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi 53 | if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi 54 | 55 | clean: 56 | rm -f argvfuzz32.so argvfuzz64.so 57 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/argv_fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # argvfuzz 2 | 3 | afl supports fuzzing file inputs or stdin. When source is available, 4 | `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. 5 | 6 | `argvfuzz` tries to provide the same functionality for binaries. When loaded 7 | using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace 8 | argv using the same logic of `argv-fuzz-inl.h`. 9 | 10 | A few conditions need to be fulfilled for this mechanism to work correctly: 11 | 12 | 1. As it relies on hooking the loader, it cannot work on static binaries. 13 | 2. If the target binary does not use the default libc's `_start` implementation 14 | (crt1.o), the hook may not run. 15 | 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the 16 | target binary expects argv to be living on the stack, things may go wrong. 17 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/argv_fuzzing/argvfuzz.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - LD_PRELOAD for fuzzing argv in binaries 3 | ------------------------------------------------------------ 4 | 5 | Copyright 2019-2020 Kjell Braden 6 | 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at: 10 | 11 | http://www.apache.org/licenses/LICENSE-2.0 12 | 13 | */ 14 | 15 | #define _GNU_SOURCE /* for RTLD_NEXT */ 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include "argv-fuzz-inl.h" 21 | 22 | int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv, 23 | void (*init)(void), void (*fini)(void), 24 | void (*rtld_fini)(void), void *stack_end) { 25 | 26 | int (*orig)(int (*main)(int, char **, char **), int argc, char **argv, 27 | void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), 28 | void *stack_end); 29 | int sub_argc; 30 | char **sub_argv; 31 | 32 | (void)argc; 33 | (void)argv; 34 | 35 | orig = dlsym(RTLD_NEXT, __func__); 36 | 37 | if (!orig) { 38 | 39 | fprintf(stderr, "hook did not find original %s: %s\n", __func__, dlerror()); 40 | exit(EXIT_FAILURE); 41 | 42 | } 43 | 44 | sub_argv = afl_init_argv(&sub_argc); 45 | 46 | return orig(main, sub_argc, sub_argv, init, fini, rtld_fini, stack_end); 47 | 48 | } 49 | 50 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/bash_shellshock/shellshock-fuzz.diff: -------------------------------------------------------------------------------- 1 | This patch shows a very simple way to find post-Shellshock bugs in bash, as 2 | discussed here: 3 | 4 | http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html 5 | 6 | In essence, it shows a way to fuzz environmental variables. Instructions: 7 | 8 | 1) Download bash 4.3, apply this patch, compile with: 9 | 10 | CC=/path/to/afl-gcc ./configure 11 | make clean all 12 | 13 | Note that the harness puts the fuzzed output in $TEST_VARIABLE. With 14 | Florian's Shellshock patch (bash43-028), this is no longer passed down 15 | to the parser. 16 | 17 | 2) Create and cd to an empty directory, put the compiled bash binary in 18 | there, and run these commands: 19 | 20 | mkdir in_dir 21 | echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt 22 | 23 | 3) Run the fuzzer with: 24 | 25 | /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c : 26 | 27 | The -d parameter is advisable only if the tested shell is fairly slow 28 | or if you are in a hurry; will cover more ground faster, but 29 | less systematically. 30 | 31 | 4) Watch for crashes in out_dir/crashes/. Also watch for any new files 32 | created in cwd if you're interested in non-crash RCEs (files will be 33 | created whenever the shell executes "foo>bar" or something like 34 | that). You can correlate their creation date with new entries in 35 | out_dir/queue/. 36 | 37 | You can also modify the bash binary to directly check for more subtle 38 | fault conditions, or use the synthesized entries in out_dir/queue/ 39 | as a seed for other, possibly slower or more involved testing regimes. 40 | 41 | Expect several hours to get decent coverage. 42 | 43 | --- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100 44 | +++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200 45 | @@ -371,6 +371,14 @@ 46 | env = environ; 47 | #endif /* __OPENNT */ 48 | 49 | + { 50 | + 51 | + static char val[1024 * 16]; 52 | + read(0, val, sizeof(val) - 1); 53 | + setenv("TEST_VARIABLE", val, 1); 54 | + 55 | + } 56 | + 57 | USE_VAR(argc); 58 | USE_VAR(argv); 59 | USE_VAR(env); 60 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/custom_mutators/Makefile: -------------------------------------------------------------------------------- 1 | all: libexamplemutator.so 2 | 3 | libexamplemutator.so: 4 | $(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so 5 | 6 | clean: 7 | rm -rf libexamplemutator.so 8 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/custom_mutators/README.md: -------------------------------------------------------------------------------- 1 | # Examples for the custom mutator 2 | 3 | These are example and helper files for the custom mutator feature. 4 | See [docs/custom_mutators.md](../docs/custom_mutators.md) for more information 5 | 6 | Note that if you compile with python3.7 you must use python3 scripts, and if 7 | you use python2.7 to compile python2 scripts! 8 | 9 | example.c - this is a simple example written in C and should be compiled to a 10 | shared library. Use make to compile it and produce libexamplemutator.so 11 | 12 | example.py - this is the template you can use, the functions are there but they 13 | are empty 14 | 15 | simple-chunk-replace.py - this is a simple example where chunks are replaced 16 | 17 | common.py - this can be used for common functions and helpers. 18 | the examples do not use this though. But you can :) 19 | 20 | wrapper_afl_min.py - mutation of XML documents, loads XmlMutatorMin.py 21 | 22 | XmlMutatorMin.py - module for XML mutation 23 | 24 | custom_mutator_helpers.h is an header that defines some helper routines 25 | like surgical_havoc_mutate() that allow to perform a randomly chosen 26 | mutation from a subset of the havoc mutations. 27 | If you do so, you have to specify -I /path/to/AFLplusplus/include when 28 | compiling. 29 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/custom_mutators/common.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | ''' 4 | Module containing functions shared between multiple AFL modules 5 | 6 | @author: Christian Holler (:decoder) 7 | 8 | @license: 9 | 10 | This Source Code Form is subject to the terms of the Mozilla Public 11 | License, v. 2.0. If a copy of the MPL was not distributed with this 12 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 13 | 14 | @contact: choller@mozilla.com 15 | ''' 16 | 17 | from __future__ import print_function 18 | import random 19 | import os 20 | import re 21 | 22 | 23 | def randel(l): 24 | if not l: 25 | return None 26 | return l[random.randint(0, len(l)-1)] 27 | 28 | 29 | def randel_pop(l): 30 | if not l: 31 | return None 32 | return l.pop(random.randint(0, len(l)-1)) 33 | 34 | 35 | def write_exc_example(data, exc): 36 | exc_name = re.sub(r'[^a-zA-Z0-9]', '_', repr(exc)) 37 | 38 | if not os.path.exists(exc_name): 39 | with open(exc_name, 'w') as f: 40 | f.write(data) 41 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/custom_mutators/simple-chunk-replace.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | ''' 4 | Simple Chunk Cross-Over Replacement Module for AFLFuzz 5 | 6 | @author: Christian Holler (:decoder) 7 | 8 | @license: 9 | 10 | This Source Code Form is subject to the terms of the Mozilla Public 11 | License, v. 2.0. If a copy of the MPL was not distributed with this 12 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 13 | 14 | @contact: choller@mozilla.com 15 | ''' 16 | 17 | import random 18 | 19 | 20 | def init(seed): 21 | ''' 22 | Called once when AFLFuzz starts up. Used to seed our RNG. 23 | 24 | @type seed: int 25 | @param seed: A 32-bit random value 26 | ''' 27 | # Seed our RNG 28 | random.seed(seed) 29 | 30 | 31 | def fuzz(buf, add_buf, max_size): 32 | ''' 33 | Called per fuzzing iteration. 34 | 35 | @type buf: bytearray 36 | @param buf: The buffer that should be mutated. 37 | 38 | @type add_buf: bytearray 39 | @param add_buf: A second buffer that can be used as mutation source. 40 | 41 | @type max_size: int 42 | @param max_size: Maximum size of the mutated output. The mutation must not 43 | produce data larger than max_size. 44 | 45 | @rtype: bytearray 46 | @return: A new bytearray containing the mutated data 47 | ''' 48 | # Make a copy of our input buffer for returning 49 | ret = bytearray(buf) 50 | 51 | # Take a random fragment length between 2 and 32 (or less if add_buf is shorter) 52 | fragment_len = random.randint(1, min(len(add_buf), 32)) 53 | 54 | # Determine a random source index where to take the data chunk from 55 | rand_src_idx = random.randint(0, len(add_buf) - fragment_len) 56 | 57 | # Determine a random destination index where to put the data chunk 58 | rand_dst_idx = random.randint(0, len(buf)) 59 | 60 | # Make the chunk replacement 61 | ret[rand_dst_idx:rand_dst_idx + fragment_len] = add_buf[rand_src_idx:rand_src_idx + fragment_len] 62 | 63 | # Return data 64 | return ret 65 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/libpng_no_checksum/libpng-nocrc.patch: -------------------------------------------------------------------------------- 1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200 2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200 3 | @@ -268,7 +268,11 @@ 4 | if (need_crc != 0) 5 | { 6 | crc = png_get_uint_32(crc_bytes); 7 | - return ((int)(crc != png_ptr->crc)); 8 | + 9 | + if (crc != png_ptr->crc) 10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc); 11 | + 12 | + return ((int)(1 != 1)); 13 | } 14 | 15 | else 16 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/qemu_persistent_hook/README.md: -------------------------------------------------------------------------------- 1 | # QEMU persistent hook example 2 | 3 | Compile the test binary and the library: 4 | 5 | ``` 6 | gcc -no-pie test.c -o test 7 | gcc -fPIC -shared read_into_rdi.c -o read_into_rdi.so 8 | ``` 9 | 10 | Fuzz with: 11 | 12 | ``` 13 | export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test | grep "T target_func" | awk '{print $1}') 14 | export AFL_QEMU_PERSISTENT_HOOK=./read_into_rdi.so 15 | 16 | mkdir in 17 | echo 0000 > in/in 18 | 19 | ../../afl-fuzz -Q -i in -o out -- ./test 20 | ``` 21 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/qemu_persistent_hook/read_into_rdi.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) 6 | #define h2g(x) ((uint64_t)(x)-guest_base) 7 | 8 | enum { 9 | 10 | R_EAX = 0, 11 | R_ECX = 1, 12 | R_EDX = 2, 13 | R_EBX = 3, 14 | R_ESP = 4, 15 | R_EBP = 5, 16 | R_ESI = 6, 17 | R_EDI = 7, 18 | R_R8 = 8, 19 | R_R9 = 9, 20 | R_R10 = 10, 21 | R_R11 = 11, 22 | R_R12 = 12, 23 | R_R13 = 13, 24 | R_R14 = 14, 25 | R_R15 = 15, 26 | 27 | R_AL = 0, 28 | R_CL = 1, 29 | R_DL = 2, 30 | R_BL = 3, 31 | R_AH = 4, 32 | R_CH = 5, 33 | R_DH = 6, 34 | R_BH = 7, 35 | 36 | }; 37 | 38 | void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) { 39 | 40 | // In this example the register RDI is pointing to the memory location 41 | // of the target buffer, and the length of the input is in RSI. 42 | // This can be seen with a debugger, e.g. gdb (and "disass main") 43 | 44 | printf("reading into %p\n", regs[R_EDI]); 45 | size_t r = read(0, g2h(regs[R_EDI]), 1024); 46 | regs[R_ESI] = r; 47 | printf("read %ld bytes\n", r); 48 | 49 | } 50 | 51 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/qemu_persistent_hook/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int target_func(unsigned char *buf, int size) { 4 | 5 | printf("buffer:%p, size:%p\n", buf, size); 6 | switch (buf[0]) { 7 | 8 | case 1: 9 | if (buf[1] == '\x44') { puts("a"); } 10 | break; 11 | case 0xff: 12 | if (buf[2] == '\xff') { 13 | 14 | if (buf[1] == '\x44') { puts("b"); } 15 | 16 | } 17 | 18 | break; 19 | default: break; 20 | 21 | } 22 | 23 | return 1; 24 | 25 | } 26 | 27 | char data[1024]; 28 | 29 | int main() { 30 | 31 | target_func(data, 1024); 32 | 33 | } 34 | 35 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/socket_fuzzing/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - socket_fuzz 3 | # ---------------------------------- 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at: 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | 12 | .PHONY: all install clean 13 | 14 | PREFIX ?= /usr/local 15 | BIN_PATH = $(PREFIX)/bin 16 | HELPER_PATH = $(PREFIX)/lib/afl 17 | 18 | CFLAGS = -fPIC -Wall -Wextra 19 | LDFLAGS = -shared 20 | 21 | UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?) 22 | UNAME_SAYS_LINUX:sh=uname | grep -E '^Linux|^GNU' >/dev/null; echo $$? 23 | 24 | _LDFLAGS_ADD=$(UNAME_SAYS_LINUX:1=) 25 | LDFLAGS_ADD=$(_LDFLAGS_ADD:0=-ldl) 26 | LDFLAGS += $(LDFLAGS_ADD) 27 | 28 | # on gcc for arm there is no -m32, but -mbe32 29 | M32FLAG = -m32 30 | M64FLAG = -m64 31 | 32 | CC_IS_GCC=$(shell $(CC) --version 2>/dev/null | grep gcc; echo $$?) 33 | CC_IS_ARMCOMPILER=$(shell $(CC) -v 2>&1 >/dev/null | grep arm; echo $$?) 34 | 35 | _M32FLAG=$(CC_IS_GCC)$(CC_IS_ARMCOMPILER) 36 | __M32FLAG=$(_M32FLAG:00=-mbe32) 37 | ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32) 38 | M32FLAG=$(___M32FLAG) 39 | #ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" 40 | # ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)")) 41 | # M32FLAG = -mbe32 42 | # endif 43 | #endif 44 | 45 | all: socketfuzz32.so socketfuzz64.so 46 | 47 | socketfuzz32.so: socketfuzz.c 48 | -$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)" 49 | 50 | socketfuzz64.so: socketfuzz.c 51 | -$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz64 build failure (that's fine)" 52 | 53 | install: socketfuzz32.so socketfuzz64.so 54 | install -d -m 755 $(DESTDIR)$(HELPER_PATH)/ 55 | if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi 56 | if [ -f socketfuzz64.so ]; then set -e; install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi 57 | 58 | clean: 59 | rm -f socketfuzz32.so socketfuzz64.so 60 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/examples/socket_fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # socketfuzz 2 | 3 | when you want to fuzz a network service and you can not/do not want to modify 4 | the source (or just have a binary), then this LD_PRELOAD library will allow 5 | for sending input to stdin which the target binary will think is coming from 6 | a network socket. 7 | 8 | This is desock_dup.c from the amazing preeny project 9 | https://github.com/zardus/preeny 10 | 11 | It is packaged in afl++ to have it at hand if needed 12 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/include/cmplog.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - cmplog header 3 | ------------------------------------ 4 | 5 | Originally written by Michal Zalewski 6 | 7 | Forkserver design by Jann Horn 8 | 9 | Now maintained by Marc Heuse , 10 | Heiko Eißfeldt , 11 | Andrea Fioraldi , 12 | Dominik Maier 13 | 14 | Copyright 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | Shared code to handle the shared memory. This is used by the fuzzer 24 | as well the other components like afl-tmin, afl-showmap, etc... 25 | 26 | */ 27 | 28 | #ifndef _AFL_CMPLOG_H 29 | #define _AFL_CMPLOG_H 30 | 31 | #include "config.h" 32 | 33 | #define CMP_MAP_W 65536 34 | #define CMP_MAP_H 256 35 | #define CMP_MAP_RTN_H (CMP_MAP_H / 4) 36 | 37 | #define SHAPE_BYTES(x) (x + 1) 38 | 39 | #define CMP_TYPE_INS 0 40 | #define CMP_TYPE_RTN 1 41 | 42 | struct cmp_header { 43 | 44 | unsigned hits : 20; 45 | 46 | unsigned cnt : 20; 47 | unsigned id : 16; 48 | 49 | unsigned shape : 5; // from 0 to 31 50 | unsigned type : 1; 51 | 52 | } __attribute__((packed)); 53 | 54 | struct cmp_operands { 55 | 56 | u64 v0; 57 | u64 v1; 58 | 59 | }; 60 | 61 | struct cmpfn_operands { 62 | 63 | u8 v0[32]; 64 | u8 v1[32]; 65 | 66 | }; 67 | 68 | typedef struct cmp_operands cmp_map_list[CMP_MAP_H]; 69 | 70 | struct cmp_map { 71 | 72 | struct cmp_header headers[CMP_MAP_W]; 73 | struct cmp_operands log[CMP_MAP_W][CMP_MAP_H]; 74 | 75 | }; 76 | 77 | #endif 78 | 79 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/include/envs.h: -------------------------------------------------------------------------------- 1 | 2 | extern char *afl_environment_variables[]; 3 | 4 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/include/sharedmem.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - shared memory related header 3 | --------------------------------------------------- 4 | 5 | Originally written by Michal Zalewski 6 | 7 | Forkserver design by Jann Horn 8 | 9 | Now maintained by Marc Heuse , 10 | Heiko Eißfeldt , 11 | Andrea Fioraldi , 12 | Dominik Maier 13 | 14 | Copyright 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | Shared code to handle the shared memory. This is used by the fuzzer 24 | as well the other components like afl-tmin, afl-showmap, etc... 25 | 26 | */ 27 | 28 | #ifndef __AFL_SHAREDMEM_H 29 | #define __AFL_SHAREDMEM_H 30 | 31 | typedef struct sharedmem { 32 | 33 | // extern unsigned char *trace_bits; 34 | 35 | // PMFuzz disable mmap 36 | #ifdef USEMMAP 37 | /* ================ Proteas ================ */ 38 | int g_shm_fd; 39 | char g_shm_file_path[L_tmpnam]; 40 | /* ========================================= */ 41 | #else 42 | s32 shm_id; /* ID of the SHM region */ 43 | s32 shm_pm_id; /* ID of the PM SHM region */ 44 | s32 cmplog_shm_id; 45 | #endif 46 | 47 | u8 *map; /* shared memory region */ 48 | u8 *pm_map; /* shared memory PM region */ 49 | 50 | size_t size_alloc; /* actual allocated size */ 51 | size_t size_used; /* in use by shmem app */ 52 | 53 | int cmplog_mode; 54 | struct cmp_map *cmp_map; 55 | 56 | } sharedmem_t; 57 | 58 | u8 * afl_shm_init(sharedmem_t *, size_t, unsigned char dumb_mode); 59 | void afl_shm_deinit(sharedmem_t *); 60 | 61 | #endif 62 | 63 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/include/snapshot-inl.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - snapshot helpers routines 3 | ------------------------------------------------ 4 | 5 | Originally written by Michal Zalewski 6 | 7 | Forkserver design by Jann Horn 8 | 9 | Now maintained by Marc Heuse , 10 | Heiko Eißfeldt , 11 | Andrea Fioraldi , 12 | Dominik Maier 13 | 14 | Copyright 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | */ 24 | 25 | // From AFL-Snapshot-LKM/include/afl_snapshot.h (must be kept synced) 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | #define AFL_SNAPSHOT_FILE_NAME "/dev/afl_snapshot" 33 | 34 | #define AFL_SNAPSHOT_IOCTL_MAGIC 44313 35 | 36 | #define AFL_SNAPSHOT_IOCTL_DO _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 1) 37 | #define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 2) 38 | 39 | static int afl_snapshot_dev_fd; 40 | 41 | static int afl_snapshot_init(void) { 42 | 43 | afl_snapshot_dev_fd = open(AFL_SNAPSHOT_FILE_NAME, 0); 44 | return afl_snapshot_dev_fd; 45 | 46 | } 47 | 48 | static int afl_snapshot_do() { 49 | 50 | return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO); 51 | 52 | } 53 | 54 | static int afl_snapshot_clean(void) { 55 | 56 | return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN); 57 | 58 | } 59 | 60 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/libdislocator/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libdislocator 3 | # ---------------------------------- 4 | # 5 | # Originally written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 22 | CFLAGS += -I ../include/ -Wall -g -Wno-pointer-sign 23 | 24 | CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE) 25 | CFLAGS += $(CFLAGS_ADD) 26 | 27 | all: libdislocator.so 28 | 29 | VPATH = .. 30 | libdislocator.so: libdislocator.so.c ../config.h 31 | $(CC) $(CFLAGS) -shared -fPIC libdislocator.so.c -o ../$@ $(LDFLAGS) 32 | 33 | .NOTPARALLEL: clean 34 | 35 | clean: 36 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 37 | rm -f ../libdislocator.so 38 | 39 | install: all 40 | install -m 755 -d $${DESTDIR}$(HELPER_PATH) 41 | install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH) 42 | install -m 644 README.dislocator.md $${DESTDIR}$(HELPER_PATH) 43 | 44 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/libtokencap/GNUmakefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libtokencap 3 | # -------------------------------- 4 | # 5 | # Originally written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | DOC_PATH ?= $(PREFIX)/share/doc/afl 19 | MAN_PATH ?= $(PREFIX)/man/man8 20 | 21 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 22 | 23 | CFLAGS ?= -O3 -funroll-loops 24 | override CFLAGS += -I ../include/ -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 25 | 26 | ifeq "$(shell uname)" "Linux" 27 | TARGETS = libtokencap.so 28 | LDFLAGS += -ldl 29 | endif 30 | ifeq "$(shell uname)" "Darwin" 31 | TARGETS = libtokencap.so 32 | LDFLAGS += -ldl 33 | endif 34 | ifeq "$(shell uname)" "FreeBSD" 35 | TARGETS = libtokencap.so 36 | endif 37 | ifeq "$(shell uname)" "OpenBSD" 38 | TARGETS = libtokencap.so 39 | endif 40 | ifeq "$(shell uname)" "NetBSD" 41 | TARGETS = libtokencap.so 42 | endif 43 | ifeq "$(shell uname)" "DragonFly" 44 | TARGETS = libtokencap.so 45 | LDFLAGS += -ldl 46 | endif 47 | all: $(TARGETS) 48 | 49 | VPATH = .. 50 | libtokencap.so: libtokencap.so.c ../config.h 51 | $(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS) 52 | 53 | .NOTPARALLEL: clean 54 | 55 | clean: 56 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 57 | rm -f ../libtokencap.so 58 | 59 | install: all 60 | install -m 755 -d $${DESTDIR}$(HELPER_PATH) 61 | install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH) 62 | install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.tokencap.md 63 | 64 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo please use GNU make, thanks! 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/MarkNodes.h: -------------------------------------------------------------------------------- 1 | #ifndef __MARK_NODES__ 2 | #define __MARK_NODES__ 3 | 4 | #include "llvm/IR/BasicBlock.h" 5 | #include "llvm/IR/Function.h" 6 | #include 7 | 8 | std::pair, std::vector> 9 | markNodes(llvm::Function *F); 10 | 11 | #endif 12 | 13 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.cmplog.md: -------------------------------------------------------------------------------- 1 | # CmpLog instrumentation 2 | 3 | The CmpLog instrumentation enables the logging of the comparisons operands in a 4 | shared memory. 5 | 6 | These values can be used by various mutators built on top of it. 7 | At the moment we support the RedQueen mutator (input-2-state instructions only). 8 | 9 | ## Build 10 | 11 | To use CmpLog, you have to build two versions of the instrumented target 12 | program. 13 | 14 | The first version is built using the regular AFL++ instrumentation. 15 | 16 | The second one, the CmpLog binary, with setting AFL_LLVM_CMPLOG during the compilation. 17 | 18 | For example: 19 | 20 | ``` 21 | ./configure --cc=~/path/to/afl-clang-fast 22 | make 23 | cp ./program ./program.afl 24 | make clean 25 | export AFL_LLVM_CMPLOG=1 26 | ./configure --cc=~/path/to/afl-clang-fast 27 | make 28 | cp ./program ./program.cmplog 29 | ``` 30 | 31 | ## Use 32 | 33 | AFL++ has the new -c option that can be used to specify a CmpLog binary (the second 34 | build). 35 | 36 | For example: 37 | 38 | ``` 39 | afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@ 40 | ``` 41 | 42 | Be careful to use -m none because CmpLog maps a lot of pages. 43 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.ctx.md: -------------------------------------------------------------------------------- 1 | # AFL Context Sensitive Branch Coverage 2 | 3 | ## What is this? 4 | 5 | This is an LLVM-based implementation of the context sensitive branch coverage. 6 | 7 | Basically every function gets it's own ID and that ID is combined with the 8 | edges of the called functions. 9 | 10 | So if both function A and function B call a function C, the coverage 11 | collected in C will be different. 12 | 13 | In math the coverage is collected as follows: 14 | `map[current_location_ID ^ previous_location_ID >> 1 ^ previous_callee_ID] += 1` 15 | 16 | ## Usage 17 | 18 | Set the `AFL_LLVM_INSTRUMENT=CTX` or `AFL_LLVM_CTX=1` environment variable. 19 | 20 | It is highly recommended to increase the MAP_SIZE_POW2 definition in 21 | config.h to at least 18 and maybe up to 20 for this as otherwise too 22 | many map collisions occur. 23 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.instrim.md: -------------------------------------------------------------------------------- 1 | # InsTrim 2 | 3 | InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing 4 | 5 | ## Introduction 6 | 7 | InsTrim uses CFG and markers to instrument just what is necessary in the 8 | binary in llvm_mode. It is about 10-15% faster without disadvantages. 9 | 10 | ## Usage 11 | 12 | Set the environment variable `AFL_LLVM_INSTRUMENT=CFG` or `AFL_LLVM_INSTRIM=1` 13 | during compilation of the target. 14 | 15 | There is also an advanced mode which instruments loops in a way so that 16 | afl-fuzz can see which loop path has been selected but not being able to 17 | see how often the loop has been rerun. 18 | This again is a tradeoff for speed for less path information. 19 | To enable this mode set `AFL_LLVM_INSTRIM_LOOPHEAD=1`. 20 | 21 | There is an additional optimization option that skips single block 22 | functions. In 95% of the C targets and (guess) 50% of the C++ targets 23 | it is good to enable this, as otherwise pointless instrumentation occurs. 24 | The corner case where we want this instrumentation is when vtable/call table 25 | is used and the index to that vtable/call table is not set in specific 26 | basic blocks. 27 | To enable skipping these (most of the time) unnecessary instrumentations set 28 | `AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1` 29 | 30 | ## Background 31 | 32 | The paper: [InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing] 33 | (https://www.ndss-symposium.org/wp-content/uploads/2018/07/bar2018_14_Hsu_paper.pdf) 34 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.laf-intel.md: -------------------------------------------------------------------------------- 1 | # laf-intel instrumentation 2 | 3 | ## Usage 4 | 5 | By default these passes will not run when you compile programs using 6 | afl-clang-fast. Hence, you can use AFL as usual. 7 | To enable the passes you must set environment variables before you 8 | compile the target project. 9 | 10 | The following options exist: 11 | 12 | `export AFL_LLVM_LAF_SPLIT_SWITCHES=1` 13 | 14 | Enables the split-switches pass. 15 | 16 | `export AFL_LLVM_LAF_TRANSFORM_COMPARES=1` 17 | 18 | Enables the transform-compares pass (strcmp, memcmp, strncmp, 19 | strcasecmp, strncasecmp). 20 | 21 | `export AFL_LLVM_LAF_SPLIT_COMPARES=1` 22 | 23 | Enables the split-compares pass. 24 | By default it will 25 | 1. simplify operators >= (and <=) into chains of > (<) and == comparisons 26 | 2. change signed integer comparisons to a chain of sign-only comparison 27 | and unsigned comparisons 28 | 3. split all unsigned integer comparisons with bit widths of 29 | 64, 32 or 16 bits to chains of 8 bits comparisons. 30 | 31 | You can change the behaviour of the last step by setting 32 | `export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=`, where 33 | bit_width may be 64, 32 or 16. 34 | 35 | A new experimental feature is splitting floating point comparisons into a 36 | series of sign, exponent and mantissa comparisons followed by splitting each 37 | of them into 8 bit comparisons when necessary. 38 | It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting, available only 39 | when `AFL_LLVM_LAF_SPLIT_COMPARES` is set. 40 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.neverzero.md: -------------------------------------------------------------------------------- 1 | # NeverZero counters for LLVM instrumentation 2 | 3 | ## Usage 4 | 5 | In larger, complex or reiterative programs the counters that collect the edge 6 | coverage can easily fill up and wrap around. 7 | This is not that much of an issue - unless by chance it wraps just to a value 8 | of zero when the program execution ends. 9 | In this case afl-fuzz is not able to see that the edge has been accessed and 10 | will ignore it. 11 | 12 | NeverZero prevents this behaviour. If a counter wraps, it jumps over the value 13 | 0 directly to a 1. This improves path discovery (by a very little amount) 14 | at a very little cost (one instruction per edge). 15 | 16 | (The alternative of saturated counters has been tested also and proved to be 17 | inferior in terms of path discovery.) 18 | 19 | This is implemented in afl-gcc, however for llvm_mode this is optional if 20 | the llvm version is below 9 - as there is a perfomance bug that is only fixed 21 | in version 9 and onwards. 22 | 23 | If you want to enable this for llvm < 9 then set 24 | 25 | ``` 26 | export AFL_LLVM_NOT_ZERO=1 27 | ``` 28 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.ngram.md: -------------------------------------------------------------------------------- 1 | # AFL N-Gram Branch Coverage 2 | 3 | ## Source 4 | 5 | This is an LLVM-based implementation of the n-gram branch coverage proposed in 6 | the paper ["Be Sensitive and Collaborative: Analzying Impact of Coverage Metrics 7 | in Greybox Fuzzing"](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf), 8 | by Jinghan Wang, et. al. 9 | 10 | Note that the original implementation (available 11 | [here](https://github.com/bitsecurerlab/afl-sensitive)) 12 | is built on top of AFL's QEMU mode. 13 | This is essentially a port that uses LLVM vectorized instructions to achieve 14 | the same results when compiling source code. 15 | 16 | In math the branch coverage is performed as follows: 17 | `map[current_location ^ prev_location[0] >> 1 ^ prev_location[1] >> 1 ^ ... up to n-1`] += 1` 18 | 19 | ## Usage 20 | 21 | The size of `n` (i.e., the number of branches to remember) is an option 22 | that is specified either in the `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or the 23 | `AFL_LLVM_NGRAM_SIZE` environment variable. 24 | Good values are 2, 4 or 8, valid are 2-16. 25 | 26 | It is highly recommended to increase the MAP_SIZE_POW2 definition in 27 | config.h to at least 18 and maybe up to 20 for this as otherwise too 28 | many map collisions occur. 29 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/README.snapshot.md: -------------------------------------------------------------------------------- 1 | # AFL++ snapshot feature 2 | 3 | Snapshotting is a feature that makes a snapshot from a process and then 4 | restores it's state, which is faster then forking it again. 5 | 6 | All targets compiled with llvm_mode are automatically enabled for the 7 | snapshot feature. 8 | 9 | To use the snapshot feature for fuzzing compile and load this kernel 10 | module: [https://github.com/AFLplusplus/AFL-Snapshot-LKM](https://github.com/AFLplusplus/AFL-Snapshot-LKM) 11 | 12 | Note that is has little value for persistent (__AFL_LOOP) fuzzing. 13 | 14 | ## Notes 15 | 16 | Snapshot does not work with multithreaded targets yet. Still in WIP, it is now usable only for single threaded applications. 17 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/TODO: -------------------------------------------------------------------------------- 1 | TODO for afl-ld: 2 | * handle libfoo.a object archives 3 | 4 | TODO for afl-llvm-lto-instrumentation: 5 | * better algo for putting stuff in the map? 6 | * try to predict how long the instrumentation process will take 7 | 8 | TODO for afl-llvm-lto-whitelist 9 | * different solution then renaming? 10 | 11 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/llvm_mode/llvm-ngram-coverage.h: -------------------------------------------------------------------------------- 1 | #ifndef AFL_NGRAM_CONFIG_H 2 | #define AFL_NGRAM_CONFIG_H 3 | 4 | #include "../config.h" 5 | 6 | #if (MAP_SIZE_POW2 <= 16) 7 | typedef u16 PREV_LOC_T; 8 | #elif (MAP_SIZE_POW2 <= 32) 9 | typedef u32 PREV_LOC_T; 10 | #else 11 | typedef u64 PREV_LOC_T; 12 | #endif 13 | 14 | /* Maximum ngram size */ 15 | #define NGRAM_SIZE_MAX 16U 16 | 17 | #endif 18 | 19 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qbdi_mode/assets/screen1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/qbdi_mode/assets/screen1.png -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qbdi_mode/demo-so.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // gcc -shared -o libdemo.so demo-so.c -w 4 | int target_func(char *buf, int size) { 5 | 6 | printf("buffer:%p, size:%p\n", buf, size); 7 | switch (buf[0]) { 8 | 9 | case 1: 10 | puts("222"); 11 | if (buf[1] == '\x44') { 12 | 13 | puts("null ptr deference"); 14 | *(char *)(0) = 1; 15 | 16 | } 17 | 18 | break; 19 | case 0xff: 20 | if (buf[2] == '\xff') { 21 | 22 | if (buf[1] == '\x44') { 23 | 24 | puts("crash...."); 25 | *(char *)(0xdeadbeef) = 1; 26 | 27 | } 28 | 29 | } 30 | 31 | break; 32 | default: puts("default action"); break; 33 | 34 | } 35 | 36 | return 1; 37 | 38 | } 39 | 40 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/libcompcov/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libcompcov 3 | # -------------------------------- 4 | # 5 | # Written by Andrea Fioraldi 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | DOC_PATH ?= $(PREFIX)/share/doc/afl 19 | MAN_PATH ?= $(PREFIX)/man/man8 20 | 21 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 22 | 23 | CFLAGS ?= -O3 -funroll-loops -I ../../include/ 24 | CFLAGS += -Wall -Wno-unused-result -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 25 | LDFLAGS += -ldl 26 | 27 | all: libcompcov.so 28 | 29 | libcompcov.so: libcompcov.so.c ../../config.h 30 | $(CC) $(CFLAGS) -shared -fPIC $< -o ../../$@ $(LDFLAGS) 31 | 32 | .NOTPARALLEL: clean 33 | 34 | clean: 35 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 36 | rm -f ../../libcompcov.so compcovtest 37 | 38 | compcovtest: compcovtest.cc 39 | $(CXX) -std=c++11 $< -o $@ 40 | 41 | install: all 42 | install -m 755 ../../libcompcov.so $${DESTDIR}$(HELPER_PATH) 43 | install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.compcov.md 44 | 45 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/libcompcov/README.md: -------------------------------------------------------------------------------- 1 | # strcmp() / memcmp() CompareCoverage library for afl++ QEMU 2 | 3 | Written by Andrea Fioraldi 4 | 5 | This Linux-only companion library allows you to instrument `strcmp()`, `memcmp()`, 6 | and related functions to log the CompareCoverage of these libcalls. 7 | 8 | Use this with caution. While this can speedup a lot the bypass of hard 9 | branch conditions it can also waste a lot of time and take up unnecessary space 10 | in the shared memory when logging the coverage related to functions that 11 | doesn't process input-related data. 12 | 13 | To use the library, you *need* to make sure that your fuzzing target is linked 14 | dynamically and make use of strcmp(), memcmp(), and related functions. 15 | For optimized binaries this is an issue, those functions are often inlined 16 | and this module is not capable to log the coverage in this case. 17 | 18 | If you have the source code of the fuzzing target you should nto use this 19 | library and QEMU but build it with afl-clang-fast and the laf-intel options. 20 | 21 | To use this library make sure to preload it with AFL_PRELOAD. 22 | 23 | ``` 24 | export AFL_PRELOAD=/path/to/libcompcov.so 25 | export AFL_COMPCOV_LEVEL=1 26 | 27 | afl-fuzz -Q -i input -o output -- 28 | ``` 29 | 30 | The AFL_COMPCOV_LEVEL tells to QEMU and libcompcov how to log comaprisons. 31 | Level 1 logs just comparison with immediates / read-only memory and level 2 32 | logs all the comparisons. 33 | 34 | The library make use of https://github.com/ouadev/proc_maps_parser and so it is 35 | Linux specific. However this is not a strict dependency, other UNIX operating 36 | systems can be supported simply replacing the code related to the 37 | /proc/self/maps parsing. 38 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/libcompcov/compcovtest.cc: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////////////// 2 | // 3 | // Author: Mateusz Jurczyk (mjurczyk@google.com) 4 | // 5 | // Copyright 2019-2020 Google LLC 6 | // 7 | // Licensed under the Apache License, Version 2.0 (the "License"); 8 | // you may not use this file except in compliance with the License. 9 | // You may obtain a copy of the License at 10 | // 11 | // https://www.apache.org/licenses/LICENSE-2.0 12 | // 13 | // Unless required by applicable law or agreed to in writing, software 14 | // distributed under the License is distributed on an "AS IS" BASIS, 15 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | // See the License for the specific language governing permissions and 17 | // limitations under the License. 18 | // 19 | 20 | // solution: echo -ne 'The quick brown fox jumps over the lazy 21 | // dog\xbe\xba\xfe\xca\xbe\xba\xfe\xca\xde\xc0\xad\xde\xef\xbe' | ./compcovtest 22 | 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | int main() { 29 | 30 | char buffer[44] = {/* zero padding */}; 31 | fread(buffer, 1, sizeof(buffer) - 1, stdin); 32 | 33 | if (memcmp(&buffer[0], "The quick brown fox ", 20) != 0 || 34 | strncmp(&buffer[20], "jumps over ", 11) != 0 || 35 | strcmp(&buffer[31], "the lazy dog") != 0) { 36 | 37 | return 1; 38 | 39 | } 40 | 41 | uint64_t x = 0; 42 | fread(&x, sizeof(x), 1, stdin); 43 | if (x != 0xCAFEBABECAFEBABE) { return 2; } 44 | 45 | uint32_t y = 0; 46 | fread(&y, sizeof(y), 1, stdin); 47 | if (y != 0xDEADC0DE) { return 3; } 48 | 49 | uint16_t z = 0; 50 | fread(&z, sizeof(z), 1, stdin); 51 | 52 | switch (z) { 53 | 54 | case 0xBEEF: break; 55 | 56 | default: return 4; 57 | 58 | } 59 | 60 | printf("Puzzle solved, congrats!\n"); 61 | abort(); 62 | return 0; 63 | 64 | } 65 | 66 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/__init__.py.diff: -------------------------------------------------------------------------------- 1 | --- a/scripts/tracetool/__init__.py 2020-03-28 13:42:21.937700726 +0100 2 | +++ b/scripts/tracetool/__init__.py 2020-03-28 13:41:50.991034257 +0100 3 | @@ -447,12 +447,12 @@ 4 | import tracetool 5 | 6 | format = str(format) 7 | - if len(format) is 0: 8 | + if len(format) == 0: 9 | raise TracetoolError("format not set") 10 | if not tracetool.format.exists(format): 11 | raise TracetoolError("unknown format: %s" % format) 12 | 13 | - if len(backends) is 0: 14 | + if len(backends) == 0: 15 | raise TracetoolError("no backends specified") 16 | for backend in backends: 17 | if not tracetool.backend.exists(backend): 18 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/afl-qemu-tcg-inl.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - high-performance binary-only instrumentation 3 | ------------------------------------------------------------------- 4 | 5 | Originally written by Andrew Griffiths and 6 | Michal Zalewski 7 | 8 | TCG instrumentation and block chaining support by Andrea Biondo 9 | 10 | 11 | QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero 12 | counters by Andrea Fioraldi 13 | 14 | Copyright 2015, 2016, 2017 Google Inc. All rights reserved. 15 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 16 | 17 | Licensed under the Apache License, Version 2.0 (the "License"); 18 | you may not use this file except in compliance with the License. 19 | You may obtain a copy of the License at: 20 | 21 | http://www.apache.org/licenses/LICENSE-2.0 22 | 23 | This code is a shim patched into the separately-distributed source 24 | code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality 25 | to implement AFL-style instrumentation and to take care of the remaining 26 | parts of the AFL fork server logic. 27 | 28 | The resulting QEMU binary is essentially a standalone instrumentation 29 | tool; for an example of how to leverage it for other purposes, you can 30 | have a look at afl-showmap.c. 31 | 32 | */ 33 | void afl_gen_tcg_plain_call(void *func); 34 | 35 | void afl_gen_tcg_plain_call(void *func) { 36 | 37 | TCGOp *op = tcg_emit_op(INDEX_op_call); 38 | 39 | TCGOP_CALLO(op) = 0; 40 | 41 | op->args[0] = (uintptr_t)func; 42 | op->args[1] = 0; 43 | TCGOP_CALLI(op) = 0; 44 | 45 | } 46 | 47 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/bsd-elfload.diff: -------------------------------------------------------------------------------- 1 | diff --git a/bsd-user/elfload.c b/bsd-user/elfload.c 2 | index 7cccf3eb..195875af 100644 3 | --- a/bsd-user/elfload.c 4 | +++ b/bsd-user/elfload.c 5 | @@ -15,6 +15,8 @@ 6 | #undef ELF_ARCH 7 | #endif 8 | 9 | +extern abi_ulong afl_entry_point, afl_start_code, afl_end_code; 10 | + 11 | /* from personality.h */ 12 | 13 | /* 14 | @@ -1522,6 +1524,8 @@ int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs, 15 | info->start_data = start_data; 16 | info->end_data = end_data; 17 | info->start_stack = bprm->p; 18 | + if (!afl_start_code) afl_start_code = vaddr; 19 | + if (!afl_end_code) afl_end_code = vaddr_ef; 20 | 21 | /* Calling set_brk effectively mmaps the pages that we need for the bss and break 22 | sections */ 23 | @@ -1549,6 +1553,20 @@ int load_elf_binary(struct linux_binprm * bprm, struct target_pt_regs * regs, 24 | } 25 | 26 | info->entry = elf_entry; 27 | + if (!afl_entry_point) { 28 | + char *ptr; 29 | + if ((ptr = getenv("AFL_ENTRYPOINT")) != NULL) { 30 | + afl_entry_point = strtoul(ptr, NULL, 16); 31 | + } else { 32 | + afl_entry_point = info->entry; 33 | + } 34 | +#ifdef TARGET_ARM 35 | + /* The least significant bit indicates Thumb mode. */ 36 | + afl_entry_point = afl_entry_point & ~(target_ulong)1; 37 | +#endif 38 | + } 39 | + if (getenv("AFL_DEBUG") != NULL) 40 | + fprintf(stderr, "AFL forkserver entrypoint: %p\n", (void*)afl_entry_point); 41 | 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/configure.diff: -------------------------------------------------------------------------------- 1 | --- a/configure 2019-08-02 18:04:50.000000000 +0200 2 | +++ b/configure 2020-02-28 06:31:30.424895061 +0100 3 | @@ -1479,6 +1479,8 @@ 4 | ;; 5 | --enable-capstone=system) capstone="system" 6 | ;; 7 | + --enable-capstone=internal) capstone="internal" 8 | + ;; 9 | --with-git=*) git="$optarg" 10 | ;; 11 | --enable-git-update) git_update=yes 12 | @@ -4604,6 +4606,21 @@ 13 | fi 14 | 15 | ########################################## 16 | +cat > $TMPC << EOF 17 | +#include 18 | +#include 19 | +int main(int argc, char **argv) { return dlopen("libc.so", RTLD_NOW) != NULL; } 20 | +EOF 21 | +if compile_prog "" "" ; then 22 | + : 23 | +elif compile_prog "" "-ldl" ; then 24 | + LIBS="-ldl $LIBS" 25 | + libs_qga="-ldl $libs_qga" 26 | +else 27 | + error_exit "libdl check failed" 28 | +fi 29 | + 30 | +########################################## 31 | # spice probe 32 | if test "$spice" != "no" ; then 33 | cat > $TMPC << EOF 34 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/cpu-exec.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c 2 | index 870027d4..0bc87dfc 100644 3 | --- a/accel/tcg/cpu-exec.c 4 | +++ b/accel/tcg/cpu-exec.c 5 | @@ -36,6 +36,8 @@ 6 | #include "sysemu/cpus.h" 7 | #include "sysemu/replay.h" 8 | 9 | +#include "../patches/afl-qemu-cpu-inl.h" 10 | + 11 | /* -icount align implementation. */ 12 | 13 | typedef struct SyncClocks { 14 | @@ -397,11 +399,13 @@ static inline TranslationBlock *tb_find(CPUState *cpu, 15 | TranslationBlock *tb; 16 | target_ulong cs_base, pc; 17 | uint32_t flags; 18 | + bool was_translated = false, was_chained = false; 19 | 20 | tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask); 21 | if (tb == NULL) { 22 | mmap_lock(); 23 | tb = tb_gen_code(cpu, pc, cs_base, flags, cf_mask); 24 | + was_translated = true; 25 | mmap_unlock(); 26 | /* We add the TB in the virtual pc hash table for the fast lookup */ 27 | atomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb); 28 | @@ -418,6 +422,10 @@ static inline TranslationBlock *tb_find(CPUState *cpu, 29 | /* See if we can patch the calling TB. */ 30 | if (last_tb) { 31 | tb_add_jump(last_tb, tb_exit, tb); 32 | + was_chained = true; 33 | + } 34 | + if (was_translated || was_chained) { 35 | + afl_request_tsl(pc, cs_base, flags, cf_mask, was_chained ? last_tb : NULL, tb_exit); 36 | } 37 | return tb; 38 | } 39 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/i386-fpu_helper.diff: -------------------------------------------------------------------------------- 1 | diff --git a/target/i386/fpu_helper.c b/target/i386/fpu_helper.c 2 | index ea5a0c48..89901315 100644 3 | --- a/target/i386/fpu_helper.c 4 | +++ b/target/i386/fpu_helper.c 5 | @@ -384,10 +384,16 @@ void helper_fxchg_ST0_STN(CPUX86State *env, int st_index) 6 | 7 | static const int fcom_ccval[4] = {0x0100, 0x4000, 0x0000, 0x4500}; 8 | 9 | +#include "../patches/afl-qemu-common.h" 10 | + 11 | void helper_fcom_ST0_FT0(CPUX86State *env) 12 | { 13 | int ret; 14 | 15 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 16 | + env->eip >= afl_start_code) 17 | + afl_float_compcov_log_80(env->eip, ST0, FT0); 18 | + 19 | ret = floatx80_compare(ST0, FT0, &env->fp_status); 20 | env->fpus = (env->fpus & ~0x4500) | fcom_ccval[ret + 1]; 21 | } 22 | @@ -396,6 +402,10 @@ void helper_fucom_ST0_FT0(CPUX86State *env) 23 | { 24 | int ret; 25 | 26 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 27 | + env->eip >= afl_start_code) 28 | + afl_float_compcov_log_80(env->eip, ST0, FT0); 29 | + 30 | ret = floatx80_compare_quiet(ST0, FT0, &env->fp_status); 31 | env->fpus = (env->fpus & ~0x4500) | fcom_ccval[ret + 1]; 32 | } 33 | @@ -407,6 +417,10 @@ void helper_fcomi_ST0_FT0(CPUX86State *env) 34 | int eflags; 35 | int ret; 36 | 37 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 38 | + env->eip >= afl_start_code) 39 | + afl_float_compcov_log_80(env->eip, ST0, FT0); 40 | + 41 | ret = floatx80_compare(ST0, FT0, &env->fp_status); 42 | eflags = cpu_cc_compute_all(env, CC_OP); 43 | eflags = (eflags & ~(CC_Z | CC_P | CC_C)) | fcomi_ccval[ret + 1]; 44 | @@ -418,6 +432,10 @@ void helper_fucomi_ST0_FT0(CPUX86State *env) 45 | int eflags; 46 | int ret; 47 | 48 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 49 | + env->eip >= afl_start_code) 50 | + afl_float_compcov_log_80(env->eip, ST0, FT0); 51 | + 52 | ret = floatx80_compare_quiet(ST0, FT0, &env->fp_status); 53 | eflags = cpu_cc_compute_all(env, CC_OP); 54 | eflags = (eflags & ~(CC_Z | CC_P | CC_C)) | fcomi_ccval[ret + 1]; 55 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/i386-ops_sse.diff: -------------------------------------------------------------------------------- 1 | diff --git a/target/i386/ops_sse.h b/target/i386/ops_sse.h 2 | index ed059897..a5296caa 100644 3 | --- a/target/i386/ops_sse.h 4 | +++ b/target/i386/ops_sse.h 5 | @@ -997,6 +997,8 @@ SSE_HELPER_CMP(cmpord, FPU_CMPORD) 6 | 7 | static const int comis_eflags[4] = {CC_C, CC_Z, 0, CC_Z | CC_P | CC_C}; 8 | 9 | +#include "../patches/afl-qemu-common.h" 10 | + 11 | void helper_ucomiss(CPUX86State *env, Reg *d, Reg *s) 12 | { 13 | int ret; 14 | @@ -1004,6 +1006,11 @@ void helper_ucomiss(CPUX86State *env, Reg *d, Reg *s) 15 | 16 | s0 = d->ZMM_S(0); 17 | s1 = s->ZMM_S(0); 18 | + 19 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 20 | + env->eip >= afl_start_code) 21 | + afl_float_compcov_log_32(env->eip, s0, s1, &env->sse_status); 22 | + 23 | ret = float32_compare_quiet(s0, s1, &env->sse_status); 24 | CC_SRC = comis_eflags[ret + 1]; 25 | } 26 | @@ -1015,6 +1022,11 @@ void helper_comiss(CPUX86State *env, Reg *d, Reg *s) 27 | 28 | s0 = d->ZMM_S(0); 29 | s1 = s->ZMM_S(0); 30 | + 31 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 32 | + env->eip >= afl_start_code) 33 | + afl_float_compcov_log_32(env->eip, s0, s1, &env->sse_status); 34 | + 35 | ret = float32_compare(s0, s1, &env->sse_status); 36 | CC_SRC = comis_eflags[ret + 1]; 37 | } 38 | @@ -1026,6 +1038,11 @@ void helper_ucomisd(CPUX86State *env, Reg *d, Reg *s) 39 | 40 | d0 = d->ZMM_D(0); 41 | d1 = s->ZMM_D(0); 42 | + 43 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 44 | + env->eip >= afl_start_code) 45 | + afl_float_compcov_log_64(env->eip, d0, d1, &env->sse_status); 46 | + 47 | ret = float64_compare_quiet(d0, d1, &env->sse_status); 48 | CC_SRC = comis_eflags[ret + 1]; 49 | } 50 | @@ -1037,6 +1054,11 @@ void helper_comisd(CPUX86State *env, Reg *d, Reg *s) 51 | 52 | d0 = d->ZMM_D(0); 53 | d1 = s->ZMM_D(0); 54 | + 55 | + if (afl_compcov_level > 2 && env->eip < afl_end_code && 56 | + env->eip >= afl_start_code) 57 | + afl_float_compcov_log_64(env->eip, d0, d1, &env->sse_status); 58 | + 59 | ret = float64_compare(d0, d1, &env->sse_status); 60 | CC_SRC = comis_eflags[ret + 1]; 61 | } 62 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/make_strncpy_safe.diff: -------------------------------------------------------------------------------- 1 | --- a/util/qemu-sockets.c 2020-03-28 13:55:09.511029429 +0100 2 | +++ b/util/qemu-sockets.c 2020-03-28 14:01:12.147693937 +0100 3 | @@ -877,7 +877,7 @@ 4 | 5 | memset(&un, 0, sizeof(un)); 6 | un.sun_family = AF_UNIX; 7 | - strncpy(un.sun_path, path, sizeof(un.sun_path)); 8 | + strncpy(un.sun_path, path, sizeof(un.sun_path) - 1); 9 | 10 | if (bind(sock, (struct sockaddr*) &un, sizeof(un)) < 0) { 11 | error_setg_errno(errp, errno, "Failed to bind socket to %s", path); 12 | @@ -922,7 +922,7 @@ 13 | 14 | memset(&un, 0, sizeof(un)); 15 | un.sun_family = AF_UNIX; 16 | - strncpy(un.sun_path, saddr->path, sizeof(un.sun_path)); 17 | + strncpy(un.sun_path, saddr->path, sizeof(un.sun_path) - 1); 18 | 19 | /* connect to peer */ 20 | do { 21 | --- a/block/sheepdog.c 2020-03-28 14:01:57.164360270 +0100 22 | +++ b/block/sheepdog.c 2020-03-28 14:02:52.781026597 +0100 23 | @@ -1236,7 +1236,7 @@ 24 | * don't want the send_req to read uninitialized data. 25 | */ 26 | strncpy(buf, filename, SD_MAX_VDI_LEN); 27 | - strncpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN); 28 | + strncpy(buf + SD_MAX_VDI_LEN, tag, SD_MAX_VDI_TAG_LEN - 1); 29 | 30 | memset(&hdr, 0, sizeof(hdr)); 31 | if (lock) { 32 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/softfloat.diff: -------------------------------------------------------------------------------- 1 | diff --git a/fpu/softfloat.c b/fpu/softfloat.c 2 | index e1eef954..2f8d0d62 100644 3 | --- a/fpu/softfloat.c 4 | +++ b/fpu/softfloat.c 5 | @@ -7205,3 +7205,5 @@ float128 float128_scalbn(float128 a, int n, float_status *status) 6 | , status); 7 | 8 | } 9 | + 10 | +#include "../../patches/afl-qemu-floats.h" 11 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/tcg-runtime-head.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h 2 | index 1bd39d13..81ef3973 100644 3 | --- a/accel/tcg/tcg-runtime.h 4 | +++ b/accel/tcg/tcg-runtime.h 5 | @@ -260,3 +260,13 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 6 | DEF_HELPER_FLAGS_4(gvec_leu16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 7 | DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 8 | DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) 9 | + 10 | +DEF_HELPER_FLAGS_1(afl_entry_routine, TCG_CALL_NO_RWG, void, env) 11 | +DEF_HELPER_FLAGS_1(afl_maybe_log, TCG_CALL_NO_RWG, void, tl) 12 | +DEF_HELPER_FLAGS_3(afl_compcov_16, TCG_CALL_NO_RWG, void, tl, tl, tl) 13 | +DEF_HELPER_FLAGS_3(afl_compcov_32, TCG_CALL_NO_RWG, void, tl, tl, tl) 14 | +DEF_HELPER_FLAGS_3(afl_compcov_64, TCG_CALL_NO_RWG, void, tl, tl, tl) 15 | +DEF_HELPER_FLAGS_3(afl_cmplog_16, TCG_CALL_NO_RWG, void, tl, tl, tl) 16 | +DEF_HELPER_FLAGS_3(afl_cmplog_32, TCG_CALL_NO_RWG, void, tl, tl, tl) 17 | +DEF_HELPER_FLAGS_3(afl_cmplog_64, TCG_CALL_NO_RWG, void, tl, tl, tl) 18 | +DEF_HELPER_FLAGS_1(afl_cmplog_rtn, TCG_CALL_NO_RWG, void, env) 19 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/tcg-runtime.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c 2 | index d0d44844..009ef15a 100644 3 | --- a/accel/tcg/tcg-runtime.c 4 | +++ b/accel/tcg/tcg-runtime.c 5 | @@ -167,3 +167,5 @@ void HELPER(exit_atomic)(CPUArchState *env) 6 | { 7 | cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC()); 8 | } 9 | + 10 | +#include "../../../patches/afl-qemu-tcg-runtime-inl.h" 11 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/tcg.diff: -------------------------------------------------------------------------------- 1 | diff --git a/tcg/tcg.c b/tcg/tcg.c 2 | index e85133ef..54b9b390 100644 3 | --- a/tcg/tcg.c 4 | +++ b/tcg/tcg.c 5 | @@ -1612,6 +1612,9 @@ bool tcg_op_supported(TCGOpcode op) 6 | } 7 | } 8 | 9 | + 10 | +#include "../../patches/afl-qemu-tcg-inl.h" 11 | + 12 | /* Note: we convert the 64 bit args to 32 bit and do some alignment 13 | and endian swap. Maybe it would be better to do the alignment 14 | and endian swap in tcg_reg_alloc_call(). */ 15 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/translate-all.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c 2 | index 639f0b27..21a45494 100644 3 | --- a/accel/tcg/translate-all.c 4 | +++ b/accel/tcg/translate-all.c 5 | @@ -59,6 +59,8 @@ 6 | #include "exec/log.h" 7 | #include "sysemu/cpus.h" 8 | 9 | +#include "../patches/afl-qemu-translate-inl.h" 10 | + 11 | /* #define DEBUG_TB_INVALIDATE */ 12 | /* #define DEBUG_TB_FLUSH */ 13 | /* make various TB consistency checks */ 14 | @@ -1721,6 +1723,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu, 15 | tcg_func_start(tcg_ctx); 16 | 17 | tcg_ctx->cpu = ENV_GET_CPU(env); 18 | + afl_gen_trace(pc); 19 | gen_intermediate_code(cpu, tb); 20 | tcg_ctx->cpu = NULL; 21 | 22 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/patches/translator.diff: -------------------------------------------------------------------------------- 1 | diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c 2 | index afd0a49e..773ea712 100644 3 | --- a/accel/tcg/translator.c 4 | +++ b/accel/tcg/translator.c 5 | @@ -18,6 +18,8 @@ 6 | #include "exec/log.h" 7 | #include "exec/translator.h" 8 | 9 | +#include "../../../patches/afl-qemu-common.h" 10 | + 11 | /* Pairs with tcg_clear_temp_count. 12 | To be called by #TranslatorOps.{translate_insn,tb_stop} if 13 | (1) the target is sufficiently clean to support reporting, 14 | @@ -92,6 +94,11 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db, 15 | break; 16 | } 17 | } 18 | + 19 | + if (db->pc_next == afl_entry_point) { 20 | + afl_setup(); 21 | + gen_helper_afl_entry_routine(cpu_env); 22 | + } 23 | 24 | /* Disassemble one instruction. The translate_insn hook should 25 | update db->pc_next and db->is_jmp to indicate what should be 26 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/unsigaction/GNUmakefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - unsigaction 3 | # -------------------------------- 4 | # 5 | # Written by Andrea Fioraldi 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | ifndef AFL_NO_X86 17 | 18 | all: lib_i386 lib_amd64 19 | 20 | lib_i386: 21 | @$(CC) -m32 -fPIC -shared unsigaction.c -o unsigaction32.so 2>/dev/null ; if [ "$$?" = "0" ]; then echo "unsigaction32 build success"; else echo "unsigaction32 build failure (that's fine)"; fi 22 | 23 | lib_amd64: 24 | $(CC) -fPIC -shared unsigaction.c -o unsigaction64.so 25 | 26 | clean: 27 | rm -f unsigaction32.so unsigaction64.so 28 | 29 | else 30 | 31 | all: 32 | @echo "[!] Note: skipping compilation of unsigaction (AFL_NO_X86 set)." 33 | 34 | endif 35 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/unsigaction/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - unsigaction 3 | # -------------------------------- 4 | # 5 | # Written by Andrea Fioraldi 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | .POSIX: 16 | 17 | _UNIQ=_QINU_ 18 | 19 | TARGETCANDIDATES=unsigaction32.so unsigaction64.so 20 | _TARGETS=$(_UNIQ)$(AFL_NO_X86)$(_UNIQ) 21 | __TARGETS=$(_TARGETS:$(_UNIQ)1$(_UNIQ)=) 22 | TARGETS=$(__TARGETS:$(_UNIQ)$(_UNIQ)=$(TARGETCANDIDATES)) 23 | 24 | all: $(TARGETS) 25 | @if [ "$(AFL_NO_X86)" != "" ]; then echo "[!] Note: skipping compilation of unsigaction (AFL_NO_X86 set)."; fi 26 | 27 | unsigaction32.so: 28 | @$(CC) -m32 -fPIC -shared unsigaction.c -o unsigaction32.so 2>/dev/null ; if [ "$$?" = "0" ]; then echo "unsigaction32 build success"; else echo "unsigaction32 build failure (that's fine)"; fi 29 | 30 | unsigaction64.so: 31 | $(CC) -m64 -fPIC -shared unsigaction.c -o unsigaction64.so 32 | 33 | clean: 34 | rm -f unsigaction32.so unsigaction64.so 35 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/unsigaction/README.md: -------------------------------------------------------------------------------- 1 | # unsigaction 2 | 3 | This library disables sigaction handlers when preloaded. 4 | 5 | Mainly needed by Wine mode but can be used as a separate tool. 6 | 7 | A similar solution can be found in [preeny](https://github.com/zardus/preeny). 8 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/qemu_mode/unsigaction/unsigaction.c: -------------------------------------------------------------------------------- 1 | int sigaction(int signum, void *act, void *oldact) { 2 | return 0; 3 | } 4 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/README.md: -------------------------------------------------------------------------------- 1 | # Source Folder 2 | 3 | Quick explanation about the files here: 4 | 5 | - `afl-analyze.c` - afl-analyze binary tool 6 | - `afl-as.c` - afl-as binary tool 7 | - `afl-gotcpu.c` - afl-gotcpu binary tool 8 | - `afl-showmap.c` - afl-showmap binary tool 9 | - `afl-tmin.c` - afl-tmin binary tool 10 | - `afl-fuzz.c` - afl-fuzz binary tool (just main() and usage()) 11 | - `afl-fuzz-bitmap.c` - afl-fuzz bitmap handling 12 | - `afl-fuzz-extras.c` - afl-fuzz the *extra* function calls 13 | - `afl-fuzz-state.c` - afl-fuzz state and globals 14 | - `afl-fuzz-init.c` - afl-fuzz initialization 15 | - `afl-fuzz-misc.c` - afl-fuzz misc functions 16 | - `afl-fuzz-one.c` - afl-fuzz fuzzer_one big loop, this is where the mutation is happening 17 | - `afl-fuzz-python.c` - afl-fuzz the python mutator extension 18 | - `afl-fuzz-queue.c` - afl-fuzz handling the queue 19 | - `afl-fuzz-run.c` - afl-fuzz running the target 20 | - `afl-fuzz-stats.c` - afl-fuzz writing the statistics file 21 | - `afl-gcc.c` - afl-gcc binary tool (deprecated) 22 | - `afl-common.c` - common functions, used by afl-analyze, afl-fuzz, afl-showmap and afl-tmin 23 | - `afl-forkserver.c` - forkserver implementation, used by afl-fuzz and afl-tmin 24 | afl-sharedmem.c - sharedmem implementation, used by afl-fuzz and afl-tmin 25 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/third_party/libradamsa/.gitignore: -------------------------------------------------------------------------------- 1 | *.a 2 | *.o 3 | libradamsa-test 4 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/third_party/libradamsa/GNUmakefile: -------------------------------------------------------------------------------- 1 | CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) 2 | 3 | all: libradamsa.so 4 | 5 | # These can be overriden: 6 | CFLAGS ?= -march=native $(CFLAGS_FLTO) 7 | 8 | # These are required: (otherwise radamsa gets very very slooooow) 9 | CFLAGS += -O3 -funroll-loops 10 | 11 | libradamsa.so: libradamsa.a 12 | $(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so 13 | 14 | libradamsa.a: libradamsa.c radamsa.h 15 | @echo " ***************************************************************" 16 | @echo " * Compiling libradamsa, wait some minutes (~3 on modern CPUs) *" 17 | @echo " ***************************************************************" 18 | $(CC) -fPIC $(CFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c 19 | 20 | test: libradamsa.a libradamsa-test.c 21 | $(CC) $(CFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a 22 | ./libradamsa-test libradamsa-test.c | grep "library test passed" 23 | rm /tmp/libradamsa-*.fuzz 24 | 25 | clean: 26 | rm -f libradamsa.a libradamsa.so libradamsa-test 27 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/third_party/libradamsa/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2013 Aki Helin 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 20 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/third_party/libradamsa/README.md: -------------------------------------------------------------------------------- 1 | # libradamsa 2 | 3 | Pretranslated radamsa library. This code belongs to the radamsa author. 4 | 5 | > Original repository: https://gitlab.com/akihe/radamsa 6 | 7 | > Source commit: 7b2cc2d0 8 | 9 | > The code here is adapted for AFL++ with minor changes respect the original version 10 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/third_party/libradamsa/libradamsa-test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | size_t filesize(char* filename) { 13 | struct stat st; 14 | stat(filename, &st); 15 | return st.st_size; 16 | } 17 | 18 | #define BUFSIZE 1024*1024 19 | 20 | void fail(char *why) { 21 | printf("fail: %s\n", why); 22 | exit(1); 23 | } 24 | 25 | void write_output(char *data, size_t len, int num) { 26 | char path[32]; 27 | int fd; 28 | int wrote; 29 | sprintf(path, "/tmp/libradamsa-%d.fuzz", num); 30 | fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); 31 | printf("Opened %s -> %d\n", path, fd); 32 | if (fd < 0) { 33 | fail("failed to open output file"); 34 | } 35 | wrote = write(fd, data, len); 36 | printf("wrote %d of %zu bytes\n", wrote, len); 37 | if (wrote != len) { 38 | fail("failed to write all of output at once"); 39 | } 40 | close(fd); 41 | printf("Wrote %zu bytes to %s\n", len, path); 42 | } 43 | 44 | int main(int nargs, char **argv) { 45 | char *spath = argv[1]; 46 | int fd = open(spath, O_RDONLY, 0); 47 | size_t len; 48 | char *input; 49 | char *output; 50 | int seed = 0; 51 | if (fd < 0) { 52 | fail("cannot open input file"); 53 | } 54 | len = filesize(spath); 55 | input = malloc(len); 56 | output = malloc(BUFSIZE); 57 | if (!input || !output) { 58 | fail("failed to allocate buffers\n"); 59 | } 60 | radamsa_init(); 61 | if (len != read(fd, input, len)) { 62 | fail("failed to read the entire sample at once"); 63 | } 64 | while(seed++ < 100) { 65 | size_t n; 66 | n = radamsa((uint8_t *) input, len, (uint8_t *) output, BUFSIZE, seed); 67 | write_output(output, n, seed); 68 | printf("Fuzzed %zu -> %zu bytes\n", len, n); 69 | } 70 | printf("library test passed\n"); 71 | free(output); 72 | free(input); 73 | return 0; 74 | } 75 | 76 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/src/third_party/libradamsa/radamsa.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | extern void radamsa_init(); 5 | 6 | extern size_t radamsa(uint8_t *ptr, size_t len, 7 | uint8_t *target, size_t max, 8 | unsigned int seed); 9 | 10 | extern size_t radamsa_inplace(uint8_t *ptr, 11 | size_t len, 12 | size_t max, 13 | unsigned int seed); 14 | 15 | 16 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - a trivial program to test the build 3 | -------------------------------------------------------- 4 | Originally written by Michal Zalewski 5 | Copyright 2014 Google Inc. All rights reserved. 6 | Copyright 2019-2020 AFLplusplus Project. All rights reserved. 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at: 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | int main(int argc, char **argv) { 22 | 23 | int fd = 0; 24 | char buff[8]; 25 | char *buf = buff; 26 | 27 | // we support command line parameter and stdin 28 | if (argc == 2) { 29 | 30 | buf = argv[1]; 31 | printf("Input %s - ", buf); 32 | 33 | } else { 34 | 35 | if (argc >= 3 && strcmp(argv[1], "-f") == 0) 36 | if ((fd = open(argv[2], O_RDONLY)) < 0) { 37 | 38 | fprintf(stderr, "Error: unable to open %s\n", argv[2]); 39 | exit(-1); 40 | 41 | } 42 | 43 | if (read(fd, buf, sizeof(buf)) < 1) { 44 | 45 | printf("Hum?\n"); 46 | return 1; 47 | 48 | } 49 | 50 | } 51 | 52 | // we support three input cases (plus a 4th if stdin is used but there is no 53 | // input) 54 | if (buf[0] == '0') 55 | printf("Looks like a zero to me!\n"); 56 | else if (buf[0] == '1') 57 | printf("Pretty sure that is a one!\n"); 58 | else 59 | printf("Neither one or zero? How quaint!\n"); 60 | 61 | return 0; 62 | 63 | } 64 | 65 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/test/checkcommit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | CMDLINE="/prg/tests/normal/tiff-4.0.4/tools/thumbnail @@ /dev/null" 3 | INDIR="/prg/tests/normal/tiff-4.0.4/in-small" 4 | 5 | test -z "$1" -o -n "$4" && { 6 | echo "Syntax: $0 commit-id \"\"" 7 | echo 8 | echo "Switches to the defined commit ID, compiles with profiling and runs" 9 | echo "afl-fuzz on a defind target and input directory, saving timing," 10 | echo "fuzzer_stats and profiling output to \".out\"" 11 | echo "Honors CFLAGS and LDFLAGS" 12 | echo 13 | echo "Defaults:" 14 | echo " indir: \"$INDIR\"" 15 | echo " cmdline: \"$CMDLINE\"" 16 | exit 1 17 | } 18 | 19 | C=$1 20 | test -n "$2" && INDIR=$2 21 | test -n "$3" && CMDLINE=$3 22 | 23 | git checkout "$C" || { echo "CHECKOUT FAIL $C" > $C.out ; exit 1 ; } 24 | export AFL_BENCH_JUST_ONE=1 25 | test -z "$CFLAGS" && CFLAGS="-O3 -funroll-loops" 26 | export CFLAGS="$CFLAGS -pg" 27 | export LDFLAGS="$LDFLAGS -pg" 28 | make >/dev/null 2>&1 || echo ERROR: BUILD FAILURE 29 | test -x ./afl-fuzz || { echo "BUILD FAIL $C" > $C.out ; make clean ; exit 1 ; } 30 | 31 | START=`date +%s` 32 | echo $START > $C.out 33 | time nice -n -20 ./afl-fuzz -i "$INDIR" -s 123 -o out-profile -- $CMDLINE 2>> $C.out 34 | STOP=`date +%s` 35 | echo $STOP >> $C.out 36 | echo RUNTIME: `expr $STOP - $START` >> $C.out 37 | cat out-profile/fuzzer_stats >> $C.out 38 | gprof ./afl-fuzz gmon.out >> $C.out 39 | 40 | make clean >/dev/null 2>&1 41 | rm -rf out-profile gmon.out 42 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/test/test-compcov.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char **argv) { 7 | char *input = argv[1], *buf, buffer[20]; 8 | 9 | if (argc < 2) { 10 | ssize_t ret = read(0, buffer, sizeof(buffer) - 1); 11 | buffer[ret] = 0; 12 | input = buffer; 13 | } 14 | 15 | if (strcmp(input, "LIBTOKENCAP") == 0) 16 | printf("your string was libtokencap\n"); 17 | else if (strcmp(input, "BUGMENOT") == 0) 18 | printf("your string was bugmenot\n"); 19 | else if (strcmp(input, "BUFFEROVERFLOW") == 0) { 20 | buf = malloc(16); 21 | strcpy(buf, "TEST"); 22 | strcat(buf, input); 23 | printf("This will only crash with libdislocator: %s\n", buf); 24 | return 0; 25 | } else if (*(unsigned int*)input == 0xabadcafe) 26 | printf("GG you eat cmp tokens for breakfast!\n"); 27 | else 28 | printf("I do not know your string\n"); 29 | 30 | return 0; 31 | 32 | } 33 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/test/test-custom-mutator.c: -------------------------------------------------------------------------------- 1 | /** 2 | * Reference: https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main(int argc, char *argv[]) 12 | { 13 | char str[100]; 14 | read(0, str, 100); 15 | if( str[6] == 'A') { 16 | abort(); 17 | } 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/test/test-unsigaction.c: -------------------------------------------------------------------------------- 1 | #include /* sigemptyset(), sigaction(), kill(), SIGUSR1 */ 2 | #include /* exit() */ 3 | #include /* getpid() */ 4 | #include /* errno */ 5 | #include /* fprintf() */ 6 | 7 | static void mysig_handler(int sig) 8 | { 9 | exit(2); 10 | } 11 | 12 | int main() 13 | { 14 | /* setup sig handler */ 15 | struct sigaction sa; 16 | sa.sa_handler = mysig_handler; 17 | sigemptyset(&sa.sa_mask); 18 | sa.sa_flags = 0; 19 | if (sigaction(SIGCHLD, &sa, NULL)) { 20 | fprintf(stderr, "could not set signal handler %d, aborted\n", errno); 21 | exit(1); 22 | } 23 | kill(getpid(), SIGCHLD); 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/README.md: -------------------------------------------------------------------------------- 1 | # AFL starting test cases 2 | 3 | (See [../README.md](../README.md) for the general instruction manual.) 4 | 5 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 6 | standalone files that can be used to seed afl-fuzz when testing parsers for a 7 | variety of common data formats. 8 | 9 | There is probably not much to be said about these files, except that they were 10 | optimized for size and stripped of any non-essential fluff. Some directories 11 | contain several examples that exercise various features of the underlying format. 12 | For example, there is a PNG file with and without a color profile. 13 | 14 | Additional test cases are always welcome. 15 | 16 | In addition to well-chosen starting files, many fuzzing jobs benefit from a 17 | small and concise dictionary. See [../dictionaries/README.md](../dictionaries/README.md) for more. 18 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/ar/small_archive.a: -------------------------------------------------------------------------------- 1 | ! 2 | limerick/ 1415337776 500 500 100640 191 ` 3 | There was a young man from Japan 4 | Whose limericks never would scan. 5 | When asked why that was, 6 | He replied "It's because 7 | I always try to cram as many words into the last line as I possibly can." 8 | 9 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/rar/small_archive.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick0000640000076400007640000000027712427053460012465 0ustar lcamtuflcamtufThere was a young man from Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can." 6 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/lzip/small_archive.lz -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/bmp/not_kitty.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/bmp/not_kitty.bmp -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/gif/not_kitty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/gif/not_kitty.gif -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/ico/not_kitty.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/ico/not_kitty.ico -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/jp2/not_kitty.jp2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/jp2/not_kitty.jp2 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/jpeg/not_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/jpeg/not_kitty.jpg -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/jxr/not_kitty.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/jxr/not_kitty.jxr -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty.png -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/png/not_kitty_icc.png -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/tiff/not_kitty.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/tiff/not_kitty.tiff -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/images/webp/not_kitty.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/images/webp/not_kitty.webp -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/elf/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/others/elf/small_exec.elf -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/pcap/small_capture.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj trailer<> -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/sql/simple_queries.sql: -------------------------------------------------------------------------------- 1 | create table t1(one smallint); 2 | insert into t1 values(1); 3 | select * from t1; 4 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | d 2 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/types.h: -------------------------------------------------------------------------------- 1 | include/types.h -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/.gitignore: -------------------------------------------------------------------------------- 1 | harness 2 | harness-debug 3 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/COMPILE.md: -------------------------------------------------------------------------------- 1 | # C Sample 2 | 3 | This shows a simple harness for unicornafl in C 4 | 5 | ## Compiling sample.c 6 | 7 | The target can be built using the `make` command. 8 | Just make sure you have built unicorn support first: 9 | ```bash 10 | cd /path/to/afl/unicorn_mode 11 | ./build_unicorn_support.sh 12 | ``` 13 | 14 | ## Compiling simple_target.c 15 | 16 | You shouldn't need to compile simple_target.c since a X86_64 binary version is 17 | pre-built and shipped in this sample folder. This file documents how the binary 18 | was built in case you want to rebuild it or recompile it for any reason. 19 | 20 | The pre-built binary (simple_target_x86_64.bin) was built using -g -O0 in gcc. 21 | 22 | We then load the binary and execute the main function directly. 23 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/Makefile: -------------------------------------------------------------------------------- 1 | # UnicornAFL Usage 2 | # Original Unicorn Example Makefile by Nguyen Anh Quynh , 2015 3 | # Adapted for AFL++ by domenukk , 2020 4 | .POSIX: 5 | UNAME_S =$(shell uname -s)# GNU make 6 | UNAME_S:sh=uname -s # BSD make 7 | _UNIQ=_QINU_ 8 | 9 | LIBDIR = ../../unicornafl 10 | BIN_EXT = 11 | AR_EXT = a 12 | 13 | # Verbose output? 14 | V ?= 0 15 | 16 | CFLAGS += -Wall -Werror -I../../unicornafl/include 17 | 18 | LDFLAGS += -L$(LIBDIR) -lpthread -lm 19 | 20 | _LRT = $(_UNIQ)$(UNAME_S:Linux=) 21 | __LRT = $(_LRT:$(_UNIQ)=-lrt) 22 | LRT = $(__LRT:$(_UNIQ)=) 23 | 24 | LDFLAGS += $(LRT) 25 | 26 | _CC = $(_UNIQ)$(CROSS) 27 | __CC = $(_CC:$(_UNIQ)=$(CC)) 28 | MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc) 29 | 30 | .PHONY: all clean 31 | 32 | all: harness 33 | 34 | clean: 35 | rm -rf *.o harness harness-debug 36 | 37 | harness.o: harness.c ../../unicornafl/include/unicorn/*.h 38 | ${MYCC} ${CFLAGS} -O3 -c harness.c 39 | 40 | harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h 41 | ${MYCC} ${CFLAGS} -g -c harness.c -o $@ 42 | 43 | harness: harness.o 44 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ 45 | 46 | debug: harness-debug.o 47 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug 48 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/persistent_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss 11 | * Adapted by Lukas Seidel 12 | */ 13 | #include 14 | #include 15 | 16 | 17 | int main(int argc, char** argv) { 18 | if (argc < 2) return -1; 19 | 20 | char *data_buf = argv[1]; 21 | uint64_t data_len = strlen(data_buf); 22 | if (data_len < 20) return -2; 23 | 24 | for (; data_len --> 0 ;) { 25 | if (data_len >= 18) continue; 26 | if (data_len > 2 && data_len < 18) { 27 | ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1]; 28 | } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) { 29 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 30 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 31 | } 32 | } 33 | if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 34 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 35 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 36 | } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/persistent_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/persistent_target_x86_64 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/sample_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | [ -z "${UNAME}" ] && UNAME=$(uname) 4 | 5 | DIR=`dirname $0` 6 | 7 | if [ "$UNAME" = Darwin ]; then 8 | export DYLD_LIBRARY_PATH=../../unicorn 9 | else 10 | export LD_LIBRARY_PATH=../../unicorn 11 | fi 12 | 13 | 14 | 15 | if [ ! test -e $DIR/harness]; then 16 | echo "[!] harness not found in $DIR" 17 | exit 1 18 | fi -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/simple_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/c/simple_target_x86_64 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/COMPILE.md: -------------------------------------------------------------------------------- 1 | # Compiling compcov_target.c 2 | 3 | compcov_target.c was compiled without optimization, position-independent, 4 | and without standard libraries using the following command line: 5 | 6 | ``` 7 | gcc -o compcov_target.elf compcov_target.c -fPIC -O0 -nostdlib 8 | ``` 9 | 10 | The .text section from the resulting ELF binary was then extracted to create 11 | the raw binary blob that is loaded and emulated by compcov_test_harness.py: 12 | 13 | ``` 14 | objcopy -O binary --only-section=.text compcov_target.elf compcov_target.bin 15 | ``` 16 | 17 | Note that the output of this is padded with nulls for 16-byte alignment. This is 18 | important when emulating it, as NOPs will be added after the return of main() 19 | as necessary. 20 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/compcov_target.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/compcov_target.bin -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/compcov_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Andrea Fioraldi 11 | */ 12 | 13 | // Magic address where mutated data will be placed 14 | #define DATA_ADDRESS 0x00300000 15 | 16 | int main(void) { 17 | unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; 18 | 19 | if (((unsigned short*)data_buf)[0] == 0x0100) { 20 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 21 | } else if (data_buf[1] == data_buf[2] + 0xfffe) { 22 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 23 | } 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/compcov_target.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/compcov_target.elf -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/compcov_x64/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | 00000000000000000000000000000000 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/.gitignore: -------------------------------------------------------------------------------- 1 | harness 2 | harness-debug 3 | out 4 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/COMPILE.md: -------------------------------------------------------------------------------- 1 | # C Sample 2 | 3 | This shows a simple persistent harness for unicornafl in C 4 | In contrast to the normal c harness, this harness manually resets the unicorn state on each new input. 5 | Thanks to this, we can rerun the testcase in unicorn multiple times, without the need to fork again. 6 | 7 | ## Compiling sample.c 8 | 9 | The target can be built using the `make` command. 10 | Just make sure you have built unicorn support first: 11 | ```bash 12 | cd /path/to/afl/unicorn_mode 13 | ./build_unicorn_support.sh 14 | ``` 15 | 16 | ## Compiling persistent_target.c 17 | 18 | You don't need to compile persistent_target.c since a X86_64 binary version is 19 | pre-built and shipped in this sample folder. This file documents how the binary 20 | was built in case you want to rebuild it or recompile it for any reason. 21 | 22 | The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in gcc. 23 | 24 | We then load the binary we execute the main function directly. 25 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/Makefile: -------------------------------------------------------------------------------- 1 | # UnicornAFL Usage 2 | # Original Unicorn Example Makefile by Nguyen Anh Quynh , 2015 3 | # Adapted for AFL++ by domenukk , 2020 4 | .POSIX: 5 | UNAME_S =$(shell uname -s)# GNU make 6 | UNAME_S:sh=uname -s # BSD make 7 | _UNIQ=_QINU_ 8 | 9 | LIBDIR = ../../unicornafl 10 | BIN_EXT = 11 | AR_EXT = a 12 | 13 | # Verbose output? 14 | V ?= 0 15 | 16 | CFLAGS += -Wall -Werror -I../../unicornafl/include 17 | 18 | LDFLAGS += -L$(LIBDIR) -lpthread -lm 19 | 20 | _LRT = $(_UNIQ)$(UNAME_S:Linux=) 21 | __LRT = $(_LRT:$(_UNIQ)=-lrt) 22 | LRT = $(__LRT:$(_UNIQ)=) 23 | 24 | LDFLAGS += $(LRT) 25 | 26 | _CC = $(_UNIQ)$(CROSS) 27 | __CC = $(_CC:$(_UNIQ)=$(CC)) 28 | MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc) 29 | 30 | .PHONY: all clean 31 | 32 | all: harness 33 | 34 | clean: 35 | rm -rf *.o harness harness-debug 36 | 37 | harness.o: harness.c ../../unicornafl/include/unicorn/*.h 38 | ${MYCC} ${CFLAGS} -O3 -c harness.c 39 | 40 | harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h 41 | ${MYCC} ${CFLAGS} -g -c harness.c -o $@ 42 | 43 | harness: harness.o 44 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ 45 | 46 | debug: harness-debug.o 47 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug 48 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/persistent_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss 11 | * Adapted by Lukas Seidel 12 | */ 13 | #include 14 | #include 15 | 16 | 17 | int main(int argc, char** argv) { 18 | if (argc < 2) return -1; 19 | 20 | char *data_buf = argv[1]; 21 | uint64_t data_len = strlen(data_buf); 22 | if (data_len < 20) return -2; 23 | 24 | for (; data_len --> 0 ;) { 25 | if (data_len >= 18) continue; 26 | if (data_len > 2 && data_len < 18) { 27 | ((char *)data_len)[(uint64_t)data_buf] = data_buf[data_len + 1]; 28 | } else if (data_buf[9] == 0x90 && data_buf[10] != 0x00 && data_buf[11] == 0x90) { 29 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 30 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 31 | } 32 | } 33 | if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 34 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 35 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 36 | } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/persistent_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/persistent_target_x86_64 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/sample_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | [ -z "${UNAME}" ] && UNAME=$(uname) 4 | 5 | DIR=`dirname $0` 6 | 7 | if [ "$UNAME" = Darwin ]; then 8 | export DYLD_LIBRARY_PATH=../../unicorn 9 | else 10 | export LD_LIBRARY_PATH=../../unicorn 11 | fi 12 | 13 | 14 | 15 | if [ ! test -e $DIR/harness]; then 16 | echo "[!] harness not found in $DIR" 17 | exit 1 18 | fi -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/simple_target_noncrashing.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss 11 | * Adapted by Lukas Seidel 12 | */ 13 | 14 | 15 | int main(int argc, char** argv) { 16 | if(argc < 2){ 17 | return -1; 18 | } 19 | 20 | char *data_buf = argv[1]; 21 | 22 | if len(data_buf < 20) { 23 | if (data_buf[20] != 0) { 24 | printf("Not crashing"); 25 | } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 26 | printf("Also not crashing with databuf[0] == %c", data_buf[0]) 27 | } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { 28 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 29 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 30 | } 31 | 32 | return 0; 33 | } 34 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/simple_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/persistent/simple_target_x86_64 -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/COMPILE.md: -------------------------------------------------------------------------------- 1 | # Compiling simple_target.c 2 | 3 | You shouldn't need to compile simple_target.c since a MIPS binary version is 4 | pre-built and shipped with afl-unicorn. This file documents how the binary 5 | was built in case you want to rebuild it or recompile it for any reason. 6 | 7 | The pre-built binary (simple_target.bin) was built by cross-compiling 8 | simple_target.c for MIPS using the mips-linux-gnu-gcc package on an Ubuntu 9 | 16.04 LTS system. This cross compiler (and associated binutils) was installed 10 | from apt-get packages: 11 | 12 | ``` 13 | sudo apt-get install gcc-mips-linux-gnu 14 | ``` 15 | 16 | simple_target.c was compiled without optimization, position-independent, 17 | and without standard libraries using the following command line: 18 | 19 | ``` 20 | mips-linux-gnu-gcc -o simple_target.elf simple_target.c -fPIC -O0 -nostdlib 21 | ``` 22 | 23 | The .text section from the resulting ELF binary was then extracted to create 24 | the raw binary blob that is loaded and emulated by simple_test_harness.py: 25 | 26 | ``` 27 | mips-linux-gnu-objcopy -O binary --only-section=.text simple_target.elf simple_target.bin 28 | ``` 29 | 30 | In summary, to recreate simple_taget.bin execute the following: 31 | 32 | ``` 33 | mips-linux-gnu-gcc -o simple_target.elf simple_target.c -fPIC -O0 -nostdlib 34 | && mips-linux-gnu-objcopy -O binary --only-section=.text simple_target.elf simple_target.bin 35 | && rm simple_target.elf 36 | ``` 37 | 38 | Note that the output of this is padded with nulls for 16-byte alignment. This is 39 | important when emulating it, as NOPs will be added after the return of main() 40 | as necessary. 41 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/simple_target.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Systems-ShiftLab/pmfuzz/4318d1daf2720a2164ca609ca35f7e33dd312e91/vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/simple_target.bin -------------------------------------------------------------------------------- /vendor/AFLplusplus-2.63c/unicorn_mode/samples/simple/simple_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss 11 | */ 12 | 13 | // Magic address where mutated data will be placed 14 | #define DATA_ADDRESS 0x00300000 15 | 16 | int main(void) { 17 | unsigned char *data_buf = (unsigned char *) DATA_ADDRESS; 18 | 19 | if (data_buf[20] != 0) { 20 | // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' 21 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 22 | } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 23 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 24 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 25 | } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { 26 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 27 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 28 | } 29 | 30 | return 0; 31 | } 32 | --------------------------------------------------------------------------------