"
19 | echo
20 |
21 | if [ ! "$#" = "2" ]; then
22 |
23 | cat 1>&2 <<_EOF_
24 | This program generates gnuplot images from afl-fuzz output data. Usage:
25 |
26 | $0 afl_state_dir graph_output_dir
27 |
28 | The afl_state_dir parameter should point to an existing state directory for any
29 | active or stopped instance of afl-fuzz; while graph_output_dir should point to
30 | an empty directory where this tool can write the resulting plots to.
31 |
32 | The program will put index.html and three PNG images in the output directory;
33 | you should be able to view it with any web browser of your choice.
34 |
35 | _EOF_
36 |
37 | exit 1
38 |
39 | fi
40 |
41 | if [ "$AFL_ALLOW_TMP" = "" ]; then
42 |
43 | echo "$1" | grep -qE '^(/var)?/tmp/'
44 | T1="$?"
45 |
46 | echo "$2" | grep -qE '^(/var)?/tmp/'
47 | T2="$?"
48 |
49 | if [ "$T1" = "0" -o "$T2" = "0" ]; then
50 |
51 | echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
52 | exit 1
53 |
54 | fi
55 |
56 | fi
57 |
58 | if [ ! -f "$1/plot_data" ]; then
59 |
60 | echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
61 | exit 1
62 |
63 | fi
64 |
65 | BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
66 |
67 | test "$BANNER" = "" && BANNER="(none)"
68 |
69 | GNUPLOT=`which gnuplot 2>/dev/null`
70 |
71 | if [ "$GNUPLOT" = "" ]; then
72 |
73 | echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2
74 | exit 1
75 |
76 | fi
77 |
78 | mkdir "$2" 2>/dev/null
79 |
80 | if [ ! -d "$2" ]; then
81 |
82 | echo "[-] Error: unable to create the output directory - pick another location." 1>&2
83 | exit 1
84 |
85 | fi
86 |
87 | rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
88 | mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
89 |
90 | echo "[*] Generating plots..."
91 |
92 | (
93 |
94 | cat <<_EOF_
95 | set terminal png truecolor enhanced size 1000,300 butt
96 |
97 | set output '$2/high_freq.png'
98 |
99 | set xdata time
100 | set timefmt '%s'
101 | set format x "%b %d\n%H:%M"
102 | set tics font 'small'
103 | unset mxtics
104 | unset mytics
105 |
106 | set grid xtics linetype 0 linecolor rgb '#e0e0e0'
107 | set grid ytics linetype 0 linecolor rgb '#e0e0e0'
108 | set border linecolor rgb '#50c0f0'
109 | set tics textcolor rgb '#000000'
110 | set key outside
111 |
112 | set autoscale xfixmin
113 | set autoscale xfixmax
114 |
115 | plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
116 | '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
117 | '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
118 | '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
119 | '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
120 |
121 | set terminal png truecolor enhanced size 1000,200 butt
122 | set output '$2/low_freq.png'
123 |
124 | plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
125 | '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
126 | '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
127 | '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
128 |
129 | set terminal png truecolor enhanced size 1000,200 butt
130 | set output '$2/exec_speed.png'
131 |
132 | plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
133 | '$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
134 |
135 | _EOF_
136 |
137 | ) | gnuplot
138 |
139 | if [ ! -s "$2/exec_speed.png" ]; then
140 |
141 | echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
142 | exit 1
143 |
144 | fi
145 |
146 | echo "[*] Generating index.html..."
147 |
148 | cat >"$2/index.html" <<_EOF_
149 |
150 | | Banner: | $BANNER |
151 | | Directory: | $1 |
152 | | Generated on: | `date` |
153 |
154 |
155 | 
156 | 
157 | 
158 |
159 | _EOF_
160 |
161 | # Make it easy to remotely view results when outputting directly to a directory
162 | # served by Apache or other HTTP daemon. Since the plots aren't horribly
163 | # sensitive, this seems like a reasonable trade-off.
164 |
165 | chmod 755 "$2"
166 | chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
167 |
168 | echo "[+] All done - enjoy your charts!"
169 |
170 | exit 0
171 |
--------------------------------------------------------------------------------
/llvm_mode/afl-llvm-pass.so.cc:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - LLVM-mode instrumentation pass
3 | ---------------------------------------------------
4 |
5 | Written by Laszlo Szekeres and
6 | Michal Zalewski
7 |
8 | LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
9 | from afl-as.c are Michal's fault.
10 |
11 | Copyright 2015, 2016 Google Inc. All rights reserved.
12 |
13 | Licensed under the Apache License, Version 2.0 (the "License");
14 | you may not use this file except in compliance with the License.
15 | You may obtain a copy of the License at:
16 |
17 | http://www.apache.org/licenses/LICENSE-2.0
18 |
19 | This library is plugged into LLVM when invoking clang through afl-clang-fast.
20 | It tells the compiler to add code roughly equivalent to the bits discussed
21 | in ../afl-as.h.
22 |
23 | */
24 |
25 | #define AFL_LLVM_PASS
26 |
27 | #include "../config.h"
28 | #include "../debug.h"
29 |
30 | #include
31 | #include
32 | #include
33 |
34 | #include "llvm/ADT/Statistic.h"
35 | #include "llvm/IR/IRBuilder.h"
36 | #include "llvm/IR/LegacyPassManager.h"
37 | #include "llvm/IR/Module.h"
38 | #include "llvm/Support/Debug.h"
39 | #include "llvm/Transforms/IPO/PassManagerBuilder.h"
40 |
41 | using namespace llvm;
42 |
43 | namespace {
44 |
45 | class AFLCoverage : public ModulePass {
46 |
47 | public:
48 |
49 | static char ID;
50 | AFLCoverage() : ModulePass(ID) { }
51 |
52 | bool runOnModule(Module &M) override;
53 |
54 | // StringRef getPassName() const override {
55 | // return "American Fuzzy Lop Instrumentation";
56 | // }
57 |
58 | };
59 |
60 | }
61 |
62 |
63 | char AFLCoverage::ID = 0;
64 |
65 |
66 | bool AFLCoverage::runOnModule(Module &M) {
67 |
68 | LLVMContext &C = M.getContext();
69 |
70 | IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
71 | IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
72 |
73 | /* Show a banner */
74 |
75 | char be_quiet = 0;
76 |
77 | if (isatty(2) && !getenv("AFL_QUIET")) {
78 |
79 | SAYF(cCYA "afl-llvm-pass " cBRI VERSION cRST " by \n");
80 |
81 | } else be_quiet = 1;
82 |
83 | /* Decide instrumentation ratio */
84 |
85 | char* inst_ratio_str = getenv("AFL_INST_RATIO");
86 | unsigned int inst_ratio = 100;
87 |
88 | if (inst_ratio_str) {
89 |
90 | if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
91 | inst_ratio > 100)
92 | FATAL("Bad value of AFL_INST_RATIO (must be between 1 and 100)");
93 |
94 | }
95 |
96 | /* Get globals for the SHM region and the previous location. Note that
97 | __afl_prev_loc is thread-local. */
98 |
99 | GlobalVariable *AFLMapPtr =
100 | new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
101 | GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
102 |
103 | GlobalVariable *AFLPrevLoc = new GlobalVariable(
104 | M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
105 | 0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
106 |
107 | /* Instrument all the things! */
108 |
109 | int inst_blocks = 0;
110 |
111 | for (auto &F : M)
112 | for (auto &BB : F) {
113 |
114 | BasicBlock::iterator IP = BB.getFirstInsertionPt();
115 | IRBuilder<> IRB(&(*IP));
116 |
117 | if (AFL_R(100) >= inst_ratio) continue;
118 |
119 | /* Make up cur_loc */
120 |
121 | unsigned int cur_loc = AFL_R(MAP_SIZE);
122 |
123 | ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
124 |
125 | /* Load prev_loc */
126 |
127 | LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
128 | PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
129 | Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
130 |
131 | /* Load SHM pointer */
132 |
133 | LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr);
134 | MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
135 | Value *MapPtrIdx =
136 | IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc));
137 |
138 | /* Update bitmap */
139 |
140 | LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
141 | Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
142 | Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
143 | IRB.CreateStore(Incr, MapPtrIdx)
144 | ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
145 |
146 | /* Set prev_loc to cur_loc >> 1 */
147 |
148 | StoreInst *Store =
149 | IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc);
150 | Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
151 |
152 | inst_blocks++;
153 |
154 | }
155 |
156 | /* Say something nice. */
157 |
158 | if (!be_quiet) {
159 |
160 | if (!inst_blocks) WARNF("No instrumentation targets found.");
161 | else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
162 | inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
163 | ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
164 | "ASAN/MSAN" : "non-hardened"), inst_ratio);
165 |
166 | }
167 |
168 | return true;
169 |
170 | }
171 |
172 |
173 | static void registerAFLPass(const PassManagerBuilder &,
174 | legacy::PassManagerBase &PM) {
175 |
176 | PM.add(new AFLCoverage());
177 |
178 | }
179 |
180 |
181 | static RegisterStandardPasses RegisterAFLPass(
182 | PassManagerBuilder::EP_OptimizerLast, registerAFLPass);
183 |
184 | static RegisterStandardPasses RegisterAFLPass0(
185 | PassManagerBuilder::EP_EnabledOnOptLevel0, registerAFLPass);
186 |
--------------------------------------------------------------------------------
/qemu_mode/README.qemu:
--------------------------------------------------------------------------------
1 | =========================================================
2 | High-performance binary-only instrumentation for afl-fuzz
3 | =========================================================
4 |
5 | (See ../docs/README for the general instruction manual.)
6 |
7 | 1) Introduction
8 | ---------------
9 |
10 | The code in this directory allows you to build a standalone feature that
11 | leverages the QEMU "user emulation" mode and allows callers to obtain
12 | instrumentation output for black-box, closed-source binaries. This mechanism
13 | can be then used by afl-fuzz to stress-test targets that couldn't be built
14 | with afl-gcc.
15 |
16 | The usual performance cost is 2-5x, which is considerably better than
17 | seen so far in experiments with tools such as DynamoRIO and PIN.
18 |
19 | The idea and much of the implementation comes from Andrew Griffiths.
20 |
21 | 2) How to use
22 | -------------
23 |
24 | The feature is implemented with a fairly simple patch to QEMU 2.3.0. The
25 | simplest way to build it is to run ./build_qemu_support.sh. The script will
26 | download, configure, and compile the QEMU binary for you.
27 |
28 | QEMU is a big project, so this will take a while, and you may have to
29 | resolve a couple of dependencies (most notably, you will definitely need
30 | libtool and glib2-devel).
31 |
32 | Once the binaries are compiled, you can leverage the QEMU tool by calling
33 | afl-fuzz and all the related utilities with -Q in the command line.
34 |
35 | Note that QEMU requires a generous memory limit to run; somewhere around
36 | 200 MB is a good starting point, but considerably more may be needed for
37 | more complex programs. The default -m limit will be automatically bumped up
38 | to 200 MB when specifying -Q to afl-fuzz; be careful when overriding this.
39 |
40 | In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh,
41 | you should get a build capable of running non-native binaries (say, you
42 | can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries
43 | on a 64-bit system (CPU_TARGET=i386).
44 |
45 | Note: if you want the QEMU helper to be installed on your system for all
46 | users, you need to build it before issuing 'make install' in the parent
47 | directory.
48 |
49 | 3) Notes on linking
50 | -------------------
51 |
52 | The feature is supported only on Linux. Supporting BSD may amount to porting
53 | the changes made to linux-user/elfload.c and applying them to
54 | bsd-user/elfload.c, but I have not looked into this yet.
55 |
56 | The instrumentation follows only the .text section of the first ELF binary
57 | encountered in the linking process. It does not trace shared libraries. In
58 | practice, this means two things:
59 |
60 | - Any libraries you want to analyze *must* be linked statically into the
61 | executed ELF file (this will usually be the case for closed-source
62 | apps).
63 |
64 | - Standard C libraries and other stuff that is wasteful to instrument
65 | should be linked dynamically - otherwise, AFL will have no way to avoid
66 | peeking into them.
67 |
68 | Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
69 | and instrument every basic block encountered.
70 |
71 | 4) Benchmarking
72 | ---------------
73 |
74 | If you want to compare the performance of the QEMU instrumentation with that of
75 | afl-gcc compiled code against the same target, you need to build the
76 | non-instrumented binary with the same optimization flags that are normally
77 | injected by afl-gcc, and make sure that the bits to be tested are statically
78 | linked into the binary. A common way to do this would be:
79 |
80 | $ CFLAGS="-O3 -funroll-loops" ./configure --disable-shared
81 | $ make clean all
82 |
83 | Comparative measurements of execution speed or instrumentation coverage will be
84 | fairly meaningless if the optimization levels or instrumentation scopes don't
85 | match.
86 |
87 | 5) Gotchas, feedback, bugs
88 | --------------------------
89 |
90 | If you need to fix up checksums or do other cleanup on mutated test cases, see
91 | experimental/post_library/ for a viable solution.
92 |
93 | Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate
94 | the "shadow VM" trick employed by the sanitizers and will probably just
95 | run out of memory.
96 |
97 | Compared to fully-fledged virtualization, the user emulation mode is *NOT* a
98 | security boundary. The binaries can freely interact with the host OS. If you
99 | somehow need to fuzz an untrusted binary, put everything in a sandbox first.
100 |
101 | QEMU does not necessarily support all CPU or hardware features that your
102 | target program may be utilizing. In particular, it does not appear to have
103 | full support for AVX2 / FMA3. Using binaries for older CPUs, or recompiling them
104 | with -march=core2, can help.
105 |
106 | Beyond that, this is an early-stage mechanism, so fields reports are welcome.
107 | You can send them to .
108 |
109 | 6) Alternatives: static rewriting
110 | ---------------------------------
111 |
112 | Statically rewriting binaries just once, instead of attempting to translate
113 | them at run time, can be a faster alternative. That said, static rewriting is
114 | fraught with peril, because it depends on being able to properly and fully model
115 | program control flow without actually executing each and every code path.
116 |
117 | If you want to experiment with this mode of operation, there is a module
118 | contributed by Aleksandar Nikolich:
119 |
120 | https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
121 | https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
122 |
123 | At this point, the author reports the possibility of hiccups with stripped
124 | binaries. That said, if we can get it to be comparably reliable to QEMU, we may
125 | decide to switch to this mode, but I had no time to play with it yet.
126 |
--------------------------------------------------------------------------------
/afl-gotcpu.c:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - free CPU gizmo
3 | -----------------------------------
4 |
5 | Written and maintained by Michal Zalewski
6 |
7 | Copyright 2015, 2016 Google Inc. All rights reserved.
8 |
9 | Licensed under the Apache License, Version 2.0 (the "License");
10 | you may not use this file except in compliance with the License.
11 | You may obtain a copy of the License at:
12 |
13 | http://www.apache.org/licenses/LICENSE-2.0
14 |
15 | This tool provides a fairly accurate measurement of CPU preemption rate.
16 | It is meant to complement the quick-and-dirty load average widget shown
17 | in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info.
18 |
19 | For some work loads, the tool may actually suggest running more instances
20 | than you have CPU cores. This can happen if the tested program is spending
21 | a portion of its run time waiting for I/O, rather than being 100%
22 | CPU-bound.
23 |
24 | The idea for the getrusage()-based approach comes from Jakub Wilk.
25 |
26 | */
27 |
28 | #define AFL_MAIN
29 | #define _GNU_SOURCE
30 |
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 |
37 | #include
38 | #include
39 | #include
40 | #include
41 |
42 | #include "types.h"
43 | #include "debug.h"
44 |
45 | #ifdef __linux__
46 | # define HAVE_AFFINITY 1
47 | #endif /* __linux__ */
48 |
49 |
50 | /* Get unix time in microseconds. */
51 |
52 | static u64 get_cur_time_us(void) {
53 |
54 | struct timeval tv;
55 | struct timezone tz;
56 |
57 | gettimeofday(&tv, &tz);
58 |
59 | return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
60 |
61 | }
62 |
63 |
64 | /* Get CPU usage in microseconds. */
65 |
66 | static u64 get_cpu_usage_us(void) {
67 |
68 | struct rusage u;
69 |
70 | getrusage(RUSAGE_SELF, &u);
71 |
72 | return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec +
73 | (u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec;
74 |
75 | }
76 |
77 |
78 | /* Measure preemption rate. */
79 |
80 | static u32 measure_preemption(u32 target_ms) {
81 |
82 | static volatile u32 v1, v2;
83 |
84 | u64 st_t, en_t, st_c, en_c, real_delta, slice_delta;
85 | s32 loop_repeats = 0;
86 |
87 | st_t = get_cur_time_us();
88 | st_c = get_cpu_usage_us();
89 |
90 | repeat_loop:
91 |
92 | v1 = CTEST_BUSY_CYCLES;
93 |
94 | while (v1--) v2++;
95 | sched_yield();
96 |
97 | en_t = get_cur_time_us();
98 |
99 | if (en_t - st_t < target_ms * 1000) {
100 | loop_repeats++;
101 | goto repeat_loop;
102 | }
103 |
104 | /* Let's see what percentage of this time we actually had a chance to
105 | run, and how much time was spent in the penalty box. */
106 |
107 | en_c = get_cpu_usage_us();
108 |
109 | real_delta = (en_t - st_t) / 1000;
110 | slice_delta = (en_c - st_c) / 1000;
111 |
112 | return real_delta * 100 / slice_delta;
113 |
114 | }
115 |
116 |
117 | /* Do the benchmark thing. */
118 |
119 | int main(int argc, char** argv) {
120 |
121 | #ifdef HAVE_AFFINITY
122 |
123 | u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN),
124 | idle_cpus = 0, maybe_cpus = 0, i;
125 |
126 | SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n");
127 |
128 | ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...",
129 | ((double)CTEST_CORE_TRG_MS) / 1000);
130 |
131 | for (i = 0; i < cpu_cnt; i++) {
132 |
133 | s32 fr = fork();
134 |
135 | if (fr < 0) PFATAL("fork failed");
136 |
137 | if (!fr) {
138 |
139 | cpu_set_t c;
140 | u32 util_perc;
141 |
142 | CPU_ZERO(&c);
143 | CPU_SET(i, &c);
144 |
145 | if (sched_setaffinity(0, sizeof(c), &c))
146 | PFATAL("sched_setaffinity failed");
147 |
148 | util_perc = measure_preemption(CTEST_CORE_TRG_MS);
149 |
150 | if (util_perc < 110) {
151 |
152 | SAYF(" Core #%u: " cLGN "AVAILABLE\n" cRST, i);
153 | exit(0);
154 |
155 | } else if (util_perc < 250) {
156 |
157 | SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc);
158 | exit(1);
159 |
160 | }
161 |
162 | SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i,
163 | util_perc);
164 | exit(2);
165 |
166 | }
167 |
168 | }
169 |
170 | for (i = 0; i < cpu_cnt; i++) {
171 |
172 | int ret;
173 | if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed");
174 |
175 | if (WEXITSTATUS(ret) == 0) idle_cpus++;
176 | if (WEXITSTATUS(ret) <= 1) maybe_cpus++;
177 |
178 | }
179 |
180 | SAYF(cGRA "\n>>> ");
181 |
182 | if (idle_cpus) {
183 |
184 | if (maybe_cpus == idle_cpus) {
185 |
186 | SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.",
187 | idle_cpus, idle_cpus > 1 ? "s" : "");
188 |
189 | } else {
190 |
191 | SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.",
192 | idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : "");
193 |
194 | }
195 |
196 | SAYF(cGRA " <<<" cRST "\n\n");
197 | return 0;
198 |
199 | }
200 |
201 | if (maybe_cpus) {
202 |
203 | SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.",
204 | maybe_cpus, maybe_cpus > 1 ? "s" : "");
205 | SAYF(cGRA " <<<" cRST "\n\n");
206 | return 1;
207 |
208 | }
209 |
210 | SAYF(cLRD "FAIL: " cRST "All cores are overbooked.");
211 | SAYF(cGRA " <<<" cRST "\n\n");
212 | return 2;
213 |
214 | #else
215 |
216 | u32 util_perc;
217 |
218 | SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n");
219 |
220 | /* Run a busy loop for CTEST_TARGET_MS. */
221 |
222 | ACTF("Measuring gross preemption rate (this will take %0.02f sec)...",
223 | ((double)CTEST_TARGET_MS) / 1000);
224 |
225 | util_perc = measure_preemption(CTEST_TARGET_MS);
226 |
227 | /* Deliver the final verdict. */
228 |
229 | SAYF(cGRA "\n>>> ");
230 |
231 | if (util_perc < 105) {
232 |
233 | SAYF(cLGN "PASS: " cRST "You can probably run additional processes.");
234 |
235 | } else if (util_perc < 130) {
236 |
237 | SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).",
238 | util_perc);
239 |
240 | } else {
241 |
242 | SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc);
243 |
244 | }
245 |
246 | SAYF(cGRA " <<<" cRST "\n\n");
247 |
248 | return (util_perc > 105) + (util_perc > 130);
249 |
250 | #endif /* ^HAVE_AFFINITY */
251 |
252 | }
253 |
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
1 | # Adding predictions to AFL
2 |
3 |
4 | american fuzzy lop 2.51b (magic_fuzzer)
5 |
6 | ┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
7 | │ run time : 0 days, 0 hrs, 10 min, 15 sec │ cycles done : 6 │
8 | │ last new path : 0 days, 0 hrs, 0 min, 1 sec │current paths : 3104 │
9 | │ last uniq crash : none seen yet │ path coverag : 21.7% │
10 | │ last uniq hang : none seen yet │ uniq crashes : 0 │
11 | │ correctness : 5.486657e-04 │ uniq hangs : 0 │
12 | │ fuzzability : 4.415707e-01 │ effec paths : 1.555 │
13 |
14 |
15 | ## Overview
16 | Pythia provides *statistical correctness guarantees* for fuzzing campaigns (correctness), and quantifies *how difficult* it is to discover paths in a program (difficulty). Pythia also allows to determine the *progress* of the fuzzing campaign *towards completion* (path coverage) and can *predict* the number of paths discovered at a certain time in the future. Once you reach a "path coverage" of 99%, you can normally abort the fuzzing campaign without expecting too many new discoveries. Once you reach a "correctness" of 1e-8, we expect that it would take about 100 million new executions from the last discovery until the next discovery of a new path / unique crash.
17 |
18 | ## More details
19 | * My extension (Pythia) allows to **provide statistical correctness guarantees** for fuzzing campaigns (see correctness). For fuzzing campaigns of the same program, fuzzed for the same time using the same seeds, Pythia shows an upper bound on the probability to discover a crashing input when no crashes have been found.
20 | * My extension (Pythia) allows to **quantify just how "difficult" it is to fuzz a program** (see difficulty). This is interesting if you want to improve the fuzzability of your test drivers (e.g., in OSS-Fuzz) or if you want to gauge, how long it might take to fuzz that program to achieve a decent progress / correctness guarantee.
21 | * My extension (Pythia) allows to **determine the progress of the fuzzing campaign towards completion** (see path coverage). Once about 99% of paths have been discovered, you can abort the fuzzing campaign without expecting too many new discoveries. Definitely more reliable than setting AFL_EXIT_WHEN_DONE.
22 | * Of course, we can play with the UI presentation. I could easily add the expected time until discovering the next path / unique crash or other prediction intervals. I could also predict map-coverage expected in the future. Wasn't so sure whether this is so interesting. I could provide 95%-confidence intervals, as well. I could try to "smooth" the predictions and estimates using a moving average to reduce the swings.
23 | * Estimation and prediction is **quite efficient and easily scales**! In the beginning of a fuzzing campaign the estimates and predictions might seem all over the place. However, in the accompanying research article, I show (empirically and theoretically) that the estimator bias reduces and precision increases as the fuzzing campaign continues. You should try it out and see for yourself :)
24 | * Also quite useful to implement a **smart scheduling of fuzzing campaigns**, where each campaign runs long enough to make sufficient progress towards completion but not too long to waste resources. See, some programs are "done" in a few hours while others show good progress for days on end -- Pythia finds that out for you :).
25 |
26 | ## How to interpret UI
27 | * **current paths**: shows the current number of paths discovered.
28 | * **path coverage**: shows #current paths as a percentage of the *asymptotic* total number of paths discovered. In the beginning when many paths are discovered the estimates are quite strongly biased and might swing a bit. Later, when an asymptote is discernable (see afl-plot), the path coverage estimate becomes slightly positively biased, meaning that it might slightly over-estimate the current path coverage. However, the magnitude of the bias reduces as the fuzzing campaign continues. Moreover, there are better estimators available -- but they are more complex (and less efficient) to compute. I would change this based on your feedback. As you get more familiar with Pythia, the *correctness* and *difficulty* values should allow you to tell how trustworthy the path coverage estimate is.
29 | * **correctness**: shows an upper bound on the probability to expose a unique crash if no crashes have been found. The number is fairly representative of fuzzing campaigns of similar length, assuming AFL is started with the same seeds, parameters, and test driver.
30 | * **fuzzability**: shows how "difficult" it is to discover new paths in that program. Fuzzability is a program property where programs with fuzzability 0 are extremely difficult to fuzz while programs a very high degree of fuzzability are much easier to fuzz.
31 |
32 | ## Gotchas
33 | * I did not test Pythia when there are more than one instances (-M / -S). Maybe this needs to be accounted for in the implementation. However, again I expect that estimator performance improves with time (i.e., #cycles).
34 | * For some programs, the asymptotic total number of paths might be estimated several times higher than the current number of paths even after few days. The estimate is based on the number of paths exercised exactly once (see first number @ prediction info), which in such a case would be relatively high (e.g., 80% of paths are exercised exactly once). Consider this: Even after such a long time most of the discovered paths have still been exercised not more than once. Quite certainly, there are many other paths that have not been exercised at all.
35 |
36 | If there is enough interest, I'll put up a technical report explaining the research behind this. Also, let me know if you want to build on this research and cite my paper :)
37 | The central ideas also work for Libfuzzer, syzcaller, Peach, CSmith, and many other fuzzers (except for fuzzers based on symbolic execution) and other program analysis (not only for path coverage).
38 |
39 | ## Further reading
40 | * Marcel Böhme. 2018. [Software Testing as Species Discovery](https://mboehme.github.io/paper/TOSEM18.pdf). ACM TOSEM
41 | * *Discusses the analogy between bug finding in testing and ecology.*
42 | * *Introduces the biostatistical framework and relevant estimators.*
43 | * *Provides an evaluation of Pythia.*
44 | * Marcel Böhme. 2019. [Assurances in Software Testing: A Roadmap](https://arxiv.org/abs/1807.10255). ACM/IEEE ICSE (NIER track)
45 | * *Abridged version (6 pages). Discusses the larger vision, opportunities, and open challenges.*
46 | * Marcel Bohme. 2019. [When to Stop Fuzzing](https://www.fuzzingbook.org/html/WhenToStopFuzzing.html); book chapter in "[Generating Software Tests](https://www.fuzzingbook.org)" by A. Zeller, R. Gopinath, M. Böhme, G. Fraser, and C. Holler
47 | * *A tutorial-style interactive book chapter written as Jupyter notebook.*
48 | * *Play with the statistical techniques behind the estimation and extrapolation that is implemented in Pythia.*
49 | * *Learn more about the central ideas.*
50 |
51 | Cheers - Marcel
52 |
--------------------------------------------------------------------------------
/docs/notes_for_asan.txt:
--------------------------------------------------------------------------------
1 | ==================================
2 | Notes for using ASAN with afl-fuzz
3 | ==================================
4 |
5 | This file discusses some of the caveats for fuzzing under ASAN, and suggests
6 | a handful of alternatives. See README for the general instruction manual.
7 |
8 | 1) Short version
9 | ----------------
10 |
11 | ASAN on 64-bit systems requests a lot of memory in a way that can't be easily
12 | distinguished from a misbehaving program bent on crashing your system.
13 |
14 | Because of this, fuzzing with ASAN is recommended only in four scenarios:
15 |
16 | - On 32-bit systems, where we can always enforce a reasonable memory limit
17 | (-m 800 or so is a good starting point),
18 |
19 | - On 64-bit systems only if you can do one of the following:
20 |
21 | - Compile the binary in 32-bit mode (gcc -m32),
22 |
23 | - Precisely gauge memory needs using http://jwilk.net/software/recidivm .
24 |
25 | - Limit the memory available to process using cgroups on Linux (see
26 | experimental/asan_cgroups).
27 |
28 | To compile with ASAN, set AFL_USE_ASAN=1 before calling 'make clean all'. The
29 | afl-gcc / afl-clang wrappers will pick that up and add the appropriate flags.
30 | Note that ASAN is incompatible with -static, so be mindful of that.
31 |
32 | (You can also use AFL_USE_MSAN=1 to enable MSAN instead.)
33 |
34 | There is also the option of generating a corpus using a non-ASAN binary, and
35 | then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
36 | and can give you somewhat comparable results. You can also try using
37 | libdislocator (see libdislocator/README.dislocator in the parent directory) as a
38 | lightweight and hassle-free (but less thorough) alternative.
39 |
40 | 2) Long version
41 | ---------------
42 |
43 | ASAN allocates a huge region of virtual address space for bookkeeping purposes.
44 | Most of this is never actually accessed, so the OS never has to allocate any
45 | real pages of memory for the process, and the VM grabbed by ASAN is essentially
46 | "free" - but the mapping counts against the standard OS-enforced limit
47 | (RLIMIT_AS, aka ulimit -v).
48 |
49 | On our end, afl-fuzz tries to protect you from processes that go off-rails
50 | and start consuming all the available memory in a vain attempt to parse a
51 | malformed input file. This happens surprisingly often, so enforcing such a limit
52 | is important for almost any fuzzer: the alternative is for the kernel OOM
53 | handler to step in and start killing random processes to free up resources.
54 | Needless to say, that's not a very nice prospect to live with.
55 |
56 | Unfortunately, un*x systems offer no portable way to limit the amount of
57 | pages actually given to a process in a way that distinguishes between that
58 | and the harmless "land grab" done by ASAN. In principle, there are three standard
59 | ways to limit the size of the heap:
60 |
61 | - The RLIMIT_AS mechanism (ulimit -v) caps the size of the virtual space -
62 | but as noted, this pays no attention to the number of pages actually
63 | in use by the process, and doesn't help us here.
64 |
65 | - The RLIMIT_DATA mechanism (ulimit -d) seems like a good fit, but it applies
66 | only to the traditional sbrk() / brk() methods of requesting heap space;
67 | modern allocators, including the one in glibc, routinely rely on mmap()
68 | instead, and circumvent this limit completely.
69 |
70 | - Finally, the RLIMIT_RSS limit (ulimit -m) sounds like what we need, but
71 | doesn't work on Linux - mostly because nobody felt like implementing it.
72 |
73 | There are also cgroups, but they are Linux-specific, not universally available
74 | even on Linux systems, and they require root permissions to set up; I'm a bit
75 | hesitant to make afl-fuzz require root permissions just for that. That said,
76 | if you are on Linux and want to use cgroups, check out the contributed script
77 | that ships in experimental/asan_cgroups/.
78 |
79 | In settings where cgroups aren't available, we have no nice, portable way to
80 | avoid counting the ASAN allocation toward the limit. On 32-bit systems, or for
81 | binaries compiled in 32-bit mode (-m32), this is not a big deal: ASAN needs
82 | around 600-800 MB or so, depending on the compiler - so all you need to do is
83 | to specify -m that is a bit higher than that.
84 |
85 | On 64-bit systems, the situation is more murky, because the ASAN allocation
86 | is completely outlandish - around 17.5 TB in older versions, and closer to
87 | 20 TB with newest ones. The actual amount of memory on your system is
88 | (probably!) just a tiny fraction of that - so unless you dial the limit
89 | with surgical precision, you will get no protection from OOM bugs.
90 |
91 | On my system, the amount of memory grabbed by ASAN with a slightly older
92 | version of gcc is around 17,825,850 MB; for newest clang, it's 20,971,600.
93 | But there is no guarantee that these numbers are stable, and if you get them
94 | wrong by "just" a couple gigs or so, you will be at risk.
95 |
96 | To get the precise number, you can use the recidivm tool developed by Jakub
97 | Wilk (http://jwilk.net/software/recidivm). In absence of this, ASAN is *not*
98 | recommended when fuzzing 64-bit binaries, unless you are confident that they
99 | are robust and enforce reasonable memory limits (in which case, you can
100 | specify '-m none' when calling afl-fuzz).
101 |
102 | Using recidivm or running with no limits aside, there are two other decent
103 | alternatives: build a corpus of test cases using a non-ASAN binary, and then
104 | examine them with ASAN, Valgrind, or other heavy-duty tools in a more
105 | controlled setting; or compile the target program with -m32 (32-bit mode)
106 | if your system supports that.
107 |
108 | 3) Interactions with the QEMU mode
109 | ----------------------------------
110 |
111 | ASAN, MSAN, and other sanitizers appear to be incompatible with QEMU user
112 | emulation, so please do not try to use them with the -Q option; QEMU doesn't
113 | seem to appreciate the shadow VM trick used by these tools, and will likely
114 | just allocate all your physical memory, then crash.
115 |
116 | 4) ASAN and OOM crashes
117 | -----------------------
118 |
119 | By default, ASAN treats memory allocation failures as fatal errors, immediately
120 | causing the program to crash. Since this is a departure from normal POSIX
121 | semantics (and creates the appearance of security issues in otherwise
122 | properly-behaving programs), we try to disable this by specifying
123 | allocator_may_return_null=1 in ASAN_OPTIONS.
124 |
125 | Unfortunately, it's been reported that this setting still causes ASAN to
126 | trigger phantom crashes in situations where the standard allocator would
127 | simply return NULL. If this is interfering with your fuzzing jobs, you may
128 | want to cc: yourself on this bug:
129 |
130 | https://bugs.llvm.org/show_bug.cgi?id=22026
131 |
132 | 5) What about UBSAN?
133 | --------------------
134 |
135 | Some folks expressed interest in fuzzing with UBSAN. This isn't officially
136 | supported, because many installations of UBSAN don't offer a consistent way
137 | to abort() on fault conditions or to terminate with a distinctive exit code.
138 |
139 | That said, some versions of the library can be binary-patched to address this
140 | issue, while newer releases support explicit compile-time flags - see this
141 | mailing list thread for tips:
142 |
143 | https://groups.google.com/forum/#!topic/afl-users/GyeSBJt4M38
144 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | #
2 | # american fuzzy lop - makefile
3 | # -----------------------------
4 | #
5 | # Written and maintained by Michal Zalewski
6 | #
7 | # Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
8 | #
9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | # http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 |
16 | PROGNAME = afl
17 | VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
18 |
19 | PREFIX ?= /usr/local
20 | BIN_PATH = $(PREFIX)/bin
21 | HELPER_PATH = $(PREFIX)/lib/afl
22 | DOC_PATH = $(PREFIX)/share/doc/afl
23 | MISC_PATH = $(PREFIX)/share/afl
24 |
25 | # PROGS intentionally omit afl-as, which gets installed elsewhere.
26 |
27 | PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
28 | SH_PROGS = afl-plot afl-cmin afl-whatsup
29 |
30 | CFLAGS ?= -O3 -funroll-loops -lm
31 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
32 | -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
33 | -DBIN_PATH=\"$(BIN_PATH)\"
34 |
35 | ifneq "$(filter Linux GNU%,$(shell uname))" ""
36 | LDFLAGS += -ldl -lm
37 | endif
38 |
39 | ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
40 | TEST_CC = afl-gcc
41 | else
42 | TEST_CC = afl-clang
43 | endif
44 |
45 | COMM_HDR = alloc-inl.h config.h debug.h types.h
46 |
47 | all: test_x86 $(PROGS) afl-as test_build all_done
48 |
49 | ifndef AFL_NO_X86
50 |
51 | test_x86:
52 | @echo "[*] Checking for the ability to compile x86 code..."
53 | @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
54 | @rm -f .test
55 | @echo "[+] Everything seems to be working, ready to compile."
56 |
57 | else
58 |
59 | test_x86:
60 | @echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
61 |
62 | endif
63 |
64 | afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
65 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
66 | set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
67 |
68 | afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
69 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
70 | ln -sf afl-as as
71 |
72 | afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86
73 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
74 |
75 | afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
76 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
77 |
78 | afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86
79 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
80 |
81 | afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
82 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
83 |
84 | afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
85 | $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
86 |
87 | ifndef AFL_NO_X86
88 |
89 | test_build: afl-gcc afl-as afl-showmap
90 | @echo "[*] Testing the CC wrapper and instrumentation output..."
91 | unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
92 | echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
93 | echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
94 | @rm -f test-instr
95 | @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping to troubleshoot the issue."; echo; exit 1; fi
96 | @echo "[+] All right, the instrumentation seems to be working!"
97 |
98 | else
99 |
100 | test_build: afl-gcc afl-as afl-showmap
101 | @echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
102 |
103 | endif
104 |
105 | all_done: test_build
106 | @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
107 | @echo "[+] All done! Be sure to review README - it's pretty short and useful."
108 | @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
109 | @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
110 |
111 | .NOTPARALLEL: clean
112 |
113 | clean:
114 | rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
115 | rm -rf out_dir qemu_mode/qemu-2.3.0
116 | $(MAKE) -C llvm_mode clean
117 | $(MAKE) -C libdislocator clean
118 | $(MAKE) -C libtokencap clean
119 |
120 | install: all
121 | mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
122 | rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
123 | install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
124 | rm -f $${DESTDIR}$(BIN_PATH)/afl-as
125 | if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
126 | ifndef AFL_TRACE_PC
127 | if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
128 | else
129 | if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
130 | endif
131 | if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
132 | if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
133 | set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
134 | install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
135 | ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
136 | install -m 644 docs/README docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
137 | cp -r testcases/ $${DESTDIR}$(MISC_PATH)
138 | cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
139 |
140 | publish: clean
141 | test "`basename $$PWD`" = "afl" || exit 1
142 | test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
143 | cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
144 | tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
145 | chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
146 | ( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
147 | cat docs/README >~/www/afl/README.txt
148 | cat docs/status_screen.txt >~/www/afl/status_screen.txt
149 | cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
150 | cat docs/technical_details.txt >~/www/afl/technical_details.txt
151 | cat docs/ChangeLog >~/www/afl/ChangeLog.txt
152 | cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
153 | echo -n "$(VERSION)" >~/www/afl/version.txt
154 |
--------------------------------------------------------------------------------
/libtokencap/libtokencap.so.c:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | american fuzzy lop - extract tokens passed to strcmp / memcmp
4 | -------------------------------------------------------------
5 |
6 | Written and maintained by Michal Zalewski
7 |
8 | Copyright 2016 Google Inc. All rights reserved.
9 |
10 | Licensed under the Apache License, Version 2.0 (the "License");
11 | you may not use this file except in compliance with the License.
12 | You may obtain a copy of the License at:
13 |
14 | http://www.apache.org/licenses/LICENSE-2.0
15 |
16 | This Linux-only companion library allows you to instrument strcmp(),
17 | memcmp(), and related functions to automatically extract tokens.
18 | See README.tokencap for more info.
19 |
20 | */
21 |
22 | #include
23 | #include
24 | #include
25 |
26 | #include "../types.h"
27 | #include "../config.h"
28 |
29 | #ifndef __linux__
30 | # error "Sorry, this library is Linux-specific for now!"
31 | #endif /* !__linux__ */
32 |
33 |
34 | /* Mapping data and such */
35 |
36 | #define MAX_MAPPINGS 1024
37 |
38 | static struct mapping {
39 | void *st, *en;
40 | } __tokencap_ro[MAX_MAPPINGS];
41 |
42 | static u32 __tokencap_ro_cnt;
43 | static u8 __tokencap_ro_loaded;
44 | static FILE* __tokencap_out_file;
45 |
46 |
47 | /* Identify read-only regions in memory. Only parameters that fall into these
48 | ranges are worth dumping when passed to strcmp() and so on. Read-write
49 | regions are far more likely to contain user input instead. */
50 |
51 | static void __tokencap_load_mappings(void) {
52 |
53 | u8 buf[MAX_LINE];
54 | FILE* f = fopen("/proc/self/maps", "r");
55 |
56 | __tokencap_ro_loaded = 1;
57 |
58 | if (!f) return;
59 |
60 | while (fgets(buf, MAX_LINE, f)) {
61 |
62 | u8 rf, wf;
63 | void* st, *en;
64 |
65 | if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
66 | if (wf == 'w' || rf != 'r') continue;
67 |
68 | __tokencap_ro[__tokencap_ro_cnt].st = (void*)st;
69 | __tokencap_ro[__tokencap_ro_cnt].en = (void*)en;
70 |
71 | if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
72 |
73 | }
74 |
75 | fclose(f);
76 |
77 | }
78 |
79 |
80 | /* Check an address against the list of read-only mappings. */
81 |
82 | static u8 __tokencap_is_ro(const void* ptr) {
83 |
84 | u32 i;
85 |
86 | if (!__tokencap_ro_loaded) __tokencap_load_mappings();
87 |
88 | for (i = 0; i < __tokencap_ro_cnt; i++)
89 | if (ptr >= __tokencap_ro[i].st && ptr <= __tokencap_ro[i].en) return 1;
90 |
91 | return 0;
92 |
93 | }
94 |
95 |
96 | /* Dump an interesting token to output file, quoting and escaping it
97 | properly. */
98 |
99 | static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
100 |
101 | u8 buf[MAX_AUTO_EXTRA * 4 + 1];
102 | u32 i;
103 | u32 pos = 0;
104 |
105 | if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
106 | return;
107 |
108 | for (i = 0; i < len; i++) {
109 |
110 | if (is_text && !ptr[i]) break;
111 |
112 | switch (ptr[i]) {
113 |
114 | case 0 ... 31:
115 | case 127 ... 255:
116 | case '\"':
117 | case '\\':
118 |
119 | sprintf(buf + pos, "\\x%02x", ptr[i]);
120 | pos += 4;
121 | break;
122 |
123 | default:
124 |
125 | buf[pos++] = ptr[i];
126 |
127 | }
128 |
129 | }
130 |
131 | buf[pos] = 0;
132 |
133 | fprintf(__tokencap_out_file, "\"%s\"\n", buf);
134 |
135 | }
136 |
137 |
138 | /* Replacements for strcmp(), memcmp(), and so on. Note that these will be used
139 | only if the target is compiled with -fno-builtins and linked dynamically. */
140 |
141 | #undef strcmp
142 |
143 | int strcmp(const char* str1, const char* str2) {
144 |
145 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
146 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
147 |
148 | while (1) {
149 |
150 | unsigned char c1 = *str1, c2 = *str2;
151 |
152 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
153 | if (!c1) return 0;
154 | str1++; str2++;
155 |
156 | }
157 |
158 | }
159 |
160 |
161 | #undef strncmp
162 |
163 | int strncmp(const char* str1, const char* str2, size_t len) {
164 |
165 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
166 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
167 |
168 | while (len--) {
169 |
170 | unsigned char c1 = *str1, c2 = *str2;
171 |
172 | if (!c1) return 0;
173 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
174 | str1++; str2++;
175 |
176 | }
177 |
178 | return 0;
179 |
180 | }
181 |
182 |
183 | #undef strcasecmp
184 |
185 | int strcasecmp(const char* str1, const char* str2) {
186 |
187 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
188 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
189 |
190 | while (1) {
191 |
192 | unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
193 |
194 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
195 | if (!c1) return 0;
196 | str1++; str2++;
197 |
198 | }
199 |
200 | }
201 |
202 |
203 | #undef strncasecmp
204 |
205 | int strncasecmp(const char* str1, const char* str2, size_t len) {
206 |
207 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
208 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
209 |
210 | while (len--) {
211 |
212 | unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
213 |
214 | if (!c1) return 0;
215 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
216 | str1++; str2++;
217 |
218 | }
219 |
220 | return 0;
221 |
222 | }
223 |
224 |
225 | #undef memcmp
226 |
227 | int memcmp(const void* mem1, const void* mem2, size_t len) {
228 |
229 | if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
230 | if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
231 |
232 | while (len--) {
233 |
234 | unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
235 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
236 | mem1++; mem2++;
237 |
238 | }
239 |
240 | return 0;
241 |
242 | }
243 |
244 |
245 | #undef strstr
246 |
247 | char* strstr(const char* haystack, const char* needle) {
248 |
249 | if (__tokencap_is_ro(haystack))
250 | __tokencap_dump(haystack, strlen(haystack), 1);
251 |
252 | if (__tokencap_is_ro(needle))
253 | __tokencap_dump(needle, strlen(needle), 1);
254 |
255 | do {
256 | const char* n = needle;
257 | const char* h = haystack;
258 |
259 | while(*n && *h && *n == *h) n++, h++;
260 |
261 | if(!*n) return (char*)haystack;
262 |
263 | } while (*(haystack++));
264 |
265 | return 0;
266 |
267 | }
268 |
269 |
270 | #undef strcasestr
271 |
272 | char* strcasestr(const char* haystack, const char* needle) {
273 |
274 | if (__tokencap_is_ro(haystack))
275 | __tokencap_dump(haystack, strlen(haystack), 1);
276 |
277 | if (__tokencap_is_ro(needle))
278 | __tokencap_dump(needle, strlen(needle), 1);
279 |
280 | do {
281 |
282 | const char* n = needle;
283 | const char* h = haystack;
284 |
285 | while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
286 |
287 | if(!*n) return (char*)haystack;
288 |
289 | } while(*(haystack++));
290 |
291 | return 0;
292 |
293 | }
294 |
295 |
296 | /* Init code to open the output file (or default to stderr). */
297 |
298 | __attribute__((constructor)) void __tokencap_init(void) {
299 |
300 | u8* fn = getenv("AFL_TOKEN_FILE");
301 | if (fn) __tokencap_out_file = fopen(fn, "a");
302 | if (!__tokencap_out_file) __tokencap_out_file = stderr;
303 |
304 | }
305 |
306 |
--------------------------------------------------------------------------------
/libdislocator/libdislocator.so.c:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | american fuzzy lop - dislocator, an abusive allocator
4 | -----------------------------------------------------
5 |
6 | Written and maintained by Michal Zalewski
7 |
8 | Copyright 2016 Google Inc. All rights reserved.
9 |
10 | Licensed under the Apache License, Version 2.0 (the "License");
11 | you may not use this file except in compliance with the License.
12 | You may obtain a copy of the License at:
13 |
14 | http://www.apache.org/licenses/LICENSE-2.0
15 |
16 | This is a companion library that can be used as a drop-in replacement
17 | for the libc allocator in the fuzzed binaries. See README.dislocator for
18 | more info.
19 |
20 | */
21 |
22 | #include
23 | #include
24 | #include
25 | #include
26 | #include
27 |
28 | #include "../config.h"
29 | #include "../types.h"
30 |
31 | #ifndef PAGE_SIZE
32 | # define PAGE_SIZE 4096
33 | #endif /* !PAGE_SIZE */
34 |
35 | #ifndef MAP_ANONYMOUS
36 | # define MAP_ANONYMOUS MAP_ANON
37 | #endif /* !MAP_ANONYMOUS */
38 |
39 | /* Error / message handling: */
40 |
41 | #define DEBUGF(_x...) do { \
42 | if (alloc_verbose) { \
43 | if (++call_depth == 1) { \
44 | fprintf(stderr, "[AFL] " _x); \
45 | fprintf(stderr, "\n"); \
46 | } \
47 | call_depth--; \
48 | } \
49 | } while (0)
50 |
51 | #define FATAL(_x...) do { \
52 | if (++call_depth == 1) { \
53 | fprintf(stderr, "*** [AFL] " _x); \
54 | fprintf(stderr, " ***\n"); \
55 | abort(); \
56 | } \
57 | call_depth--; \
58 | } while (0)
59 |
60 | /* Macro to count the number of pages needed to store a buffer: */
61 |
62 | #define PG_COUNT(_l) (((_l) + (PAGE_SIZE - 1)) / PAGE_SIZE)
63 |
64 | /* Canary & clobber bytes: */
65 |
66 | #define ALLOC_CANARY 0xAACCAACC
67 | #define ALLOC_CLOBBER 0xCC
68 |
69 | #define PTR_C(_p) (((u32*)(_p))[-1])
70 | #define PTR_L(_p) (((u32*)(_p))[-2])
71 |
72 | /* Configurable stuff (use AFL_LD_* to set): */
73 |
74 | static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */
75 | static u8 alloc_verbose, /* Additional debug messages */
76 | hard_fail, /* abort() when max_mem exceeded? */
77 | no_calloc_over; /* abort() on calloc() overflows? */
78 |
79 | static __thread size_t total_mem; /* Currently allocated mem */
80 |
81 | static __thread u32 call_depth; /* To avoid recursion via fprintf() */
82 |
83 |
84 | /* This is the main alloc function. It allocates one page more than necessary,
85 | sets that tailing page to PROT_NONE, and then increments the return address
86 | so that it is right-aligned to that boundary. Since it always uses mmap(),
87 | the returned memory will be zeroed. */
88 |
89 | static void* __dislocator_alloc(size_t len) {
90 |
91 | void* ret;
92 |
93 |
94 | if (total_mem + len > max_mem || total_mem + len < total_mem) {
95 |
96 | if (hard_fail)
97 | FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024);
98 |
99 | DEBUGF("total allocs exceed %u MB, returning NULL",
100 | max_mem / 1024 / 1024);
101 |
102 | return NULL;
103 |
104 | }
105 |
106 | /* We will also store buffer length and a canary below the actual buffer, so
107 | let's add 8 bytes for that. */
108 |
109 | ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE,
110 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
111 |
112 | if (ret == (void*)-1) {
113 |
114 | if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");
115 |
116 | DEBUGF("mmap() failed on alloc (OOM?)");
117 |
118 | return NULL;
119 |
120 | }
121 |
122 | /* Set PROT_NONE on the last page. */
123 |
124 | if (mprotect(ret + PG_COUNT(len + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
125 | FATAL("mprotect() failed when allocating memory");
126 |
127 | /* Offset the return pointer so that it's right-aligned to the page
128 | boundary. */
129 |
130 | ret += PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
131 |
132 | /* Store allocation metadata. */
133 |
134 | ret += 8;
135 |
136 | PTR_L(ret) = len;
137 | PTR_C(ret) = ALLOC_CANARY;
138 |
139 | total_mem += len;
140 |
141 | return ret;
142 |
143 | }
144 |
145 |
146 | /* The "user-facing" wrapper for calloc(). This just checks for overflows and
147 | displays debug messages if requested. */
148 |
149 | void* calloc(size_t elem_len, size_t elem_cnt) {
150 |
151 | void* ret;
152 |
153 | size_t len = elem_len * elem_cnt;
154 |
155 | /* Perform some sanity checks to detect obvious issues... */
156 |
157 | if (elem_cnt && len / elem_cnt != elem_len) {
158 |
159 | if (no_calloc_over) {
160 | DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
161 | return NULL;
162 | }
163 |
164 | FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
165 |
166 | }
167 |
168 | ret = __dislocator_alloc(len);
169 |
170 | DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
171 | total_mem);
172 |
173 | return ret;
174 |
175 | }
176 |
177 |
178 | /* The wrapper for malloc(). Roughly the same, also clobbers the returned
179 | memory (unlike calloc(), malloc() is not guaranteed to return zeroed
180 | memory). */
181 |
182 | void* malloc(size_t len) {
183 |
184 | void* ret;
185 |
186 | ret = __dislocator_alloc(len);
187 |
188 | DEBUGF("malloc(%zu) = %p [%zu total]", len, ret, total_mem);
189 |
190 | if (ret && len) memset(ret, ALLOC_CLOBBER, len);
191 |
192 | return ret;
193 |
194 | }
195 |
196 |
197 | /* The wrapper for free(). This simply marks the entire region as PROT_NONE.
198 | If the region is already freed, the code will segfault during the attempt to
199 | read the canary. Not very graceful, but works, right? */
200 |
201 | void free(void* ptr) {
202 |
203 | u32 len;
204 |
205 | DEBUGF("free(%p)", ptr);
206 |
207 | if (!ptr) return;
208 |
209 | if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on free()");
210 |
211 | len = PTR_L(ptr);
212 |
213 | total_mem -= len;
214 |
215 | /* Protect everything. Note that the extra page at the end is already
216 | set as PROT_NONE, so we don't need to touch that. */
217 |
218 | ptr -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
219 |
220 | if (mprotect(ptr - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
221 | FATAL("mprotect() failed when freeing memory");
222 |
223 | /* Keep the mapping; this is wasteful, but prevents ptr reuse. */
224 |
225 | }
226 |
227 |
228 | /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer,
229 | move data, and then free (aka mprotect()) the original one. */
230 |
231 | void* realloc(void* ptr, size_t len) {
232 |
233 | void* ret;
234 |
235 | ret = malloc(len);
236 |
237 | if (ret && ptr) {
238 |
239 | if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on realloc()");
240 |
241 | memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
242 | free(ptr);
243 |
244 | }
245 |
246 | DEBUGF("realloc(%p, %zu) = %p [%zu total]", ptr, len, ret, total_mem);
247 |
248 | return ret;
249 |
250 | }
251 |
252 |
253 | __attribute__((constructor)) void __dislocator_init(void) {
254 |
255 | u8* tmp = getenv("AFL_LD_LIMIT_MB");
256 |
257 | if (tmp) {
258 |
259 | max_mem = atoi(tmp) * 1024 * 1024;
260 | if (!max_mem) FATAL("Bad value for AFL_LD_LIMIT_MB");
261 |
262 | }
263 |
264 | alloc_verbose = !!getenv("AFL_LD_VERBOSE");
265 | hard_fail = !!getenv("AFL_LD_HARD_FAIL");
266 | no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
267 |
268 | }
269 |
--------------------------------------------------------------------------------
/debug.h:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - debug / error handling macros
3 | --------------------------------------------------
4 |
5 | Written and maintained by Michal Zalewski
6 |
7 | Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
8 |
9 | Licensed under the Apache License, Version 2.0 (the "License");
10 | you may not use this file except in compliance with the License.
11 | You may obtain a copy of the License at:
12 |
13 | http://www.apache.org/licenses/LICENSE-2.0
14 |
15 | */
16 |
17 | #ifndef _HAVE_DEBUG_H
18 | #define _HAVE_DEBUG_H
19 |
20 | #include
21 |
22 | #include "types.h"
23 | #include "config.h"
24 |
25 | /*******************
26 | * Terminal colors *
27 | *******************/
28 |
29 | #ifdef USE_COLOR
30 |
31 | # define cBLK "\x1b[0;30m"
32 | # define cRED "\x1b[0;31m"
33 | # define cGRN "\x1b[0;32m"
34 | # define cBRN "\x1b[0;33m"
35 | # define cBLU "\x1b[0;34m"
36 | # define cMGN "\x1b[0;35m"
37 | # define cCYA "\x1b[0;36m"
38 | # define cLGR "\x1b[0;37m"
39 | # define cGRA "\x1b[1;90m"
40 | # define cLRD "\x1b[1;91m"
41 | # define cLGN "\x1b[1;92m"
42 | # define cYEL "\x1b[1;93m"
43 | # define cLBL "\x1b[1;94m"
44 | # define cPIN "\x1b[1;95m"
45 | # define cLCY "\x1b[1;96m"
46 | # define cBRI "\x1b[1;97m"
47 | # define cRST "\x1b[0m"
48 |
49 | # define bgBLK "\x1b[40m"
50 | # define bgRED "\x1b[41m"
51 | # define bgGRN "\x1b[42m"
52 | # define bgBRN "\x1b[43m"
53 | # define bgBLU "\x1b[44m"
54 | # define bgMGN "\x1b[45m"
55 | # define bgCYA "\x1b[46m"
56 | # define bgLGR "\x1b[47m"
57 | # define bgGRA "\x1b[100m"
58 | # define bgLRD "\x1b[101m"
59 | # define bgLGN "\x1b[102m"
60 | # define bgYEL "\x1b[103m"
61 | # define bgLBL "\x1b[104m"
62 | # define bgPIN "\x1b[105m"
63 | # define bgLCY "\x1b[106m"
64 | # define bgBRI "\x1b[107m"
65 |
66 | #else
67 |
68 | # define cBLK ""
69 | # define cRED ""
70 | # define cGRN ""
71 | # define cBRN ""
72 | # define cBLU ""
73 | # define cMGN ""
74 | # define cCYA ""
75 | # define cLGR ""
76 | # define cGRA ""
77 | # define cLRD ""
78 | # define cLGN ""
79 | # define cYEL ""
80 | # define cLBL ""
81 | # define cPIN ""
82 | # define cLCY ""
83 | # define cBRI ""
84 | # define cRST ""
85 |
86 | # define bgBLK ""
87 | # define bgRED ""
88 | # define bgGRN ""
89 | # define bgBRN ""
90 | # define bgBLU ""
91 | # define bgMGN ""
92 | # define bgCYA ""
93 | # define bgLGR ""
94 | # define bgGRA ""
95 | # define bgLRD ""
96 | # define bgLGN ""
97 | # define bgYEL ""
98 | # define bgLBL ""
99 | # define bgPIN ""
100 | # define bgLCY ""
101 | # define bgBRI ""
102 |
103 | #endif /* ^USE_COLOR */
104 |
105 | /*************************
106 | * Box drawing sequences *
107 | *************************/
108 |
109 | #ifdef FANCY_BOXES
110 |
111 | # define SET_G1 "\x1b)0" /* Set G1 for box drawing */
112 | # define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
113 | # define bSTART "\x0e" /* Enter G1 drawing mode */
114 | # define bSTOP "\x0f" /* Leave G1 drawing mode */
115 | # define bH "q" /* Horizontal line */
116 | # define bV "x" /* Vertical line */
117 | # define bLT "l" /* Left top corner */
118 | # define bRT "k" /* Right top corner */
119 | # define bLB "m" /* Left bottom corner */
120 | # define bRB "j" /* Right bottom corner */
121 | # define bX "n" /* Cross */
122 | # define bVR "t" /* Vertical, branch right */
123 | # define bVL "u" /* Vertical, branch left */
124 | # define bHT "v" /* Horizontal, branch top */
125 | # define bHB "w" /* Horizontal, branch bottom */
126 |
127 | #else
128 |
129 | # define SET_G1 ""
130 | # define RESET_G1 ""
131 | # define bSTART ""
132 | # define bSTOP ""
133 | # define bH "-"
134 | # define bV "|"
135 | # define bLT "+"
136 | # define bRT "+"
137 | # define bLB "+"
138 | # define bRB "+"
139 | # define bX "+"
140 | # define bVR "+"
141 | # define bVL "+"
142 | # define bHT "+"
143 | # define bHB "+"
144 |
145 | #endif /* ^FANCY_BOXES */
146 |
147 | /***********************
148 | * Misc terminal codes *
149 | ***********************/
150 |
151 | #define TERM_HOME "\x1b[H"
152 | #define TERM_CLEAR TERM_HOME "\x1b[2J"
153 | #define cEOL "\x1b[0K"
154 | #define CURSOR_HIDE "\x1b[?25l"
155 | #define CURSOR_SHOW "\x1b[?25h"
156 |
157 | /************************
158 | * Debug & error macros *
159 | ************************/
160 |
161 | /* Just print stuff to the appropriate stream. */
162 |
163 | #ifdef MESSAGES_TO_STDOUT
164 | # define SAYF(x...) printf(x)
165 | #else
166 | # define SAYF(x...) fprintf(stderr, x)
167 | #endif /* ^MESSAGES_TO_STDOUT */
168 |
169 | /* Show a prefixed warning. */
170 |
171 | #define WARNF(x...) do { \
172 | SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
173 | SAYF(cRST "\n"); \
174 | } while (0)
175 |
176 | /* Show a prefixed "doing something" message. */
177 |
178 | #define ACTF(x...) do { \
179 | SAYF(cLBL "[*] " cRST x); \
180 | SAYF(cRST "\n"); \
181 | } while (0)
182 |
183 | /* Show a prefixed "success" message. */
184 |
185 | #define OKF(x...) do { \
186 | SAYF(cLGN "[+] " cRST x); \
187 | SAYF(cRST "\n"); \
188 | } while (0)
189 |
190 | /* Show a prefixed fatal error message (not used in afl). */
191 |
192 | #define BADF(x...) do { \
193 | SAYF(cLRD "\n[-] " cRST x); \
194 | SAYF(cRST "\n"); \
195 | } while (0)
196 |
197 | /* Die with a verbose non-OS fatal error message. */
198 |
199 | #define FATAL(x...) do { \
200 | SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
201 | cBRI x); \
202 | SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \
203 | __FUNCTION__, __FILE__, __LINE__); \
204 | exit(1); \
205 | } while (0)
206 |
207 | /* Die by calling abort() to provide a core dump. */
208 |
209 | #define ABORT(x...) do { \
210 | SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
211 | cBRI x); \
212 | SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \
213 | __FUNCTION__, __FILE__, __LINE__); \
214 | abort(); \
215 | } while (0)
216 |
217 | /* Die while also including the output of perror(). */
218 |
219 | #define PFATAL(x...) do { \
220 | fflush(stdout); \
221 | SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \
222 | cBRI x); \
223 | SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \
224 | __FUNCTION__, __FILE__, __LINE__); \
225 | SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
226 | exit(1); \
227 | } while (0)
228 |
229 | /* Die with FAULT() or PFAULT() depending on the value of res (used to
230 | interpret different failure modes for read(), write(), etc). */
231 |
232 | #define RPFATAL(res, x...) do { \
233 | if (res < 0) PFATAL(x); else FATAL(x); \
234 | } while (0)
235 |
236 | /* Error-checking versions of read() and write() that call RPFATAL() as
237 | appropriate. */
238 |
239 | #define ck_write(fd, buf, len, fn) do { \
240 | u32 _len = (len); \
241 | s32 _res = write(fd, buf, _len); \
242 | if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
243 | } while (0)
244 |
245 | #define ck_read(fd, buf, len, fn) do { \
246 | u32 _len = (len); \
247 | s32 _res = read(fd, buf, _len); \
248 | if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
249 | } while (0)
250 |
251 | #endif /* ! _HAVE_DEBUG_H */
252 |
--------------------------------------------------------------------------------
/docs/INSTALL:
--------------------------------------------------------------------------------
1 | =========================
2 | Installation instructions
3 | =========================
4 |
5 | This document provides basic installation instructions and discusses known
6 | issues for a variety of platforms. See README for the general instruction
7 | manual.
8 |
9 | 1) Linux on x86
10 | ---------------
11 |
12 | This platform is expected to work well. Compile the program with:
13 |
14 | $ make
15 |
16 | You can start using the fuzzer without installation, but it is also possible to
17 | install it with:
18 |
19 | # make install
20 |
21 | There are no special dependencies to speak of; you will need GNU make and a
22 | working compiler (gcc or clang). Some of the optional scripts bundled with the
23 | program may depend on bash, gdb, and similar basic tools.
24 |
25 | If you are using clang, please review llvm_mode/README.llvm; the LLVM
26 | integration mode can offer substantial performance gains compared to the
27 | traditional approach.
28 |
29 | You may have to change several settings to get optimal results (most notably,
30 | disable crash reporting utilities and switch to a different CPU governor), but
31 | afl-fuzz will guide you through that if necessary.
32 |
33 | 2) OpenBSD, FreeBSD, NetBSD on x86
34 | ----------------------------------
35 |
36 | Similarly to Linux, these platforms are expected to work well and are
37 | regularly tested. Compile everything with GNU make:
38 |
39 | $ gmake
40 |
41 | Note that BSD make will *not* work; if you do not have gmake on your system,
42 | please install it first. As on Linux, you can use the fuzzer itself without
43 | installation, or install it with:
44 |
45 | # gmake install
46 |
47 | Keep in mind that if you are using csh as your shell, the syntax of some of the
48 | shell commands given in the README and other docs will be different.
49 |
50 | The llvm_mode requires a dynamically linked, fully-operational installation of
51 | clang. At least on FreeBSD, the clang binaries are static and do not include
52 | some of the essential tools, so if you want to make it work, you may need to
53 | follow the instructions in llvm_mode/README.llvm.
54 |
55 | Beyond that, everything should work as advertised.
56 |
57 | The QEMU mode is currently supported only on Linux. I think it's just a QEMU
58 | problem, I couldn't get a vanilla copy of user-mode emulation support working
59 | correctly on BSD at all.
60 |
61 | 3) MacOS X on x86
62 | -----------------
63 |
64 | MacOS X should work, but there are some gotchas due to the idiosyncrasies of
65 | the platform. On top of this, I have limited release testing capabilities
66 | and depend mostly on user feedback.
67 |
68 | To build AFL, install Xcode and follow the general instructions for Linux.
69 |
70 | The Xcode 'gcc' tool is just a wrapper for clang, so be sure to use afl-clang
71 | to compile any instrumented binaries; afl-gcc will fail unless you have GCC
72 | installed from another source (in which case, please specify AFL_CC and
73 | AFL_CXX to point to the "real" GCC binaries).
74 |
75 | Only 64-bit compilation will work on the platform; porting the 32-bit
76 | instrumentation would require a fair amount of work due to the way OS X
77 | handles relocations, and today, virtually all MacOS X boxes are 64-bit.
78 |
79 | The crash reporting daemon that comes by default with MacOS X will cause
80 | problems with fuzzing. You need to turn it off by following the instructions
81 | provided here: http://goo.gl/CCcd5u
82 |
83 | The fork() semantics on OS X are a bit unusual compared to other unix systems
84 | and definitely don't look POSIX-compliant. This means two things:
85 |
86 | - Fuzzing will be probably slower than on Linux. In fact, some folks report
87 | considerable performance gains by running the jobs inside a Linux VM on
88 | MacOS X.
89 |
90 | - Some non-portable, platform-specific code may be incompatible with the
91 | AFL forkserver. If you run into any problems, set AFL_NO_FORKSRV=1 in the
92 | environment before starting afl-fuzz.
93 |
94 | User emulation mode of QEMU does not appear to be supported on MacOS X, so
95 | black-box instrumentation mode (-Q) will not work.
96 |
97 | The llvm_mode requires a fully-operational installation of clang. The one that
98 | comes with Xcode is missing some of the essential headers and helper tools.
99 | See llvm_mode/README.llvm for advice on how to build the compiler from scratch.
100 |
101 | 4) Linux or *BSD on non-x86 systems
102 | -----------------------------------
103 |
104 | Standard build will fail on non-x86 systems, but you should be able to
105 | leverage two other options:
106 |
107 | - The LLVM mode (see llvm_mode/README.llvm), which does not rely on
108 | x86-specific assembly shims. It's fast and robust, but requires a
109 | complete installation of clang.
110 |
111 | - The QEMU mode (see qemu_mode/README.qemu), which can be also used for
112 | fuzzing cross-platform binaries. It's slower and more fragile, but
113 | can be used even when you don't have the source for the tested app.
114 |
115 | If you're not sure what you need, you need the LLVM mode. To get it, try:
116 |
117 | $ AFL_NO_X86=1 gmake && gmake -C llvm_mode
118 |
119 | ...and compile your target program with afl-clang-fast or afl-clang-fast++
120 | instead of the traditional afl-gcc or afl-clang wrappers.
121 |
122 | 5) Solaris on x86
123 | -----------------
124 |
125 | The fuzzer reportedly works on Solaris, but I have not tested this first-hand,
126 | and the user base is fairly small, so I don't have a lot of feedback.
127 |
128 | To get the ball rolling, you will need to use GNU make and GCC or clang. I'm
129 | being told that the stock version of GCC that comes with the platform does not
130 | work properly due to its reliance on a hardcoded location for 'as' (completely
131 | ignoring the -B parameter or $PATH).
132 |
133 | To fix this, you may want to build stock GCC from the source, like so:
134 |
135 | $ ./configure --prefix=$HOME/gcc --with-gnu-as --with-gnu-ld \
136 | --with-gmp-include=/usr/include/gmp --with-mpfr-include=/usr/include/mpfr
137 | $ make
138 | $ sudo make install
139 |
140 | Do *not* specify --with-as=/usr/gnu/bin/as - this will produce a GCC binary that
141 | ignores the -B flag and you will be back to square one.
142 |
143 | Note that Solaris reportedly comes with crash reporting enabled, which causes
144 | problems with crashes being misinterpreted as hangs, similarly to the gotchas
145 | for Linux and MacOS X. AFL does not auto-detect crash reporting on this
146 | particular platform, but you may need to run the following command:
147 |
148 | $ coreadm -d global -d global-setid -d process -d proc-setid \
149 | -d kzone -d log
150 |
151 | User emulation mode of QEMU is not available on Solaris, so black-box
152 | instrumentation mode (-Q) will not work.
153 |
154 | 6) Everything else
155 | ------------------
156 |
157 | You're on your own. On POSIX-compliant systems, you may be able to compile and
158 | run the fuzzer; and the LLVM mode may offer a way to instrument non-x86 code.
159 |
160 | The fuzzer will not run on Windows. It will also not work under Cygwin. It
161 | could be ported to the latter platform fairly easily, but it's a pretty bad
162 | idea, because Cygwin is extremely slow. It makes much more sense to use
163 | VirtualBox or so to run a hardware-accelerated Linux VM; it will run around
164 | 20x faster or so. If you have a *really* compelling use case for Cygwin, let
165 | me know.
166 |
167 | Although Android on x86 should theoretically work, the stock kernel may have
168 | SHM support compiled out, and if so, you may have to address that issue first.
169 | It's possible that all you need is this workaround:
170 |
171 | https://github.com/pelya/android-shmem
172 |
173 | Joshua J. Drake notes that the Android linker adds a shim that automatically
174 | intercepts SIGSEGV and related signals. To fix this issue and be able to see
175 | crashes, you need to put this at the beginning of the fuzzed program:
176 |
177 | signal(SIGILL, SIG_DFL);
178 | signal(SIGABRT, SIG_DFL);
179 | signal(SIGBUS, SIG_DFL);
180 | signal(SIGFPE, SIG_DFL);
181 | signal(SIGSEGV, SIG_DFL);
182 |
183 | You may need to #include first.
184 |
--------------------------------------------------------------------------------
/docs/historical_notes.txt:
--------------------------------------------------------------------------------
1 | ================
2 | Historical notes
3 | ================
4 |
5 | This doc talks about the rationale of some of the high-level design decisions
6 | for American Fuzzy Lop. It's adopted from a discussion with Rob Graham.
7 | See README for the general instruction manual, and technical_details.txt for
8 | additional implementation-level insights.
9 |
10 | 1) Influences
11 | -------------
12 |
13 | In short, afl-fuzz is inspired chiefly by the work done by Tavis Ormandy back
14 | in 2007. Tavis did some very persuasive experiments using gcov block coverage
15 | to select optimal test cases out of a large corpus of data, and then using
16 | them as a starting point for traditional fuzzing workflows.
17 |
18 | (By "persuasive", I mean: netting a significant number of interesting
19 | vulnerabilities.)
20 |
21 | In parallel to this, both Tavis and I were interested in evolutionary fuzzing.
22 | Tavis had his experiments, and I was working on a tool called bunny-the-fuzzer,
23 | released somewhere in 2007.
24 |
25 | Bunny used a generational algorithm not much different from afl-fuzz, but
26 | also tried to reason about the relationship between various input bits and
27 | the internal state of the program, with hopes of deriving some additional value
28 | from that. The reasoning / correlation part was probably in part inspired by
29 | other projects done around the same time by Will Drewry and Chris Evans.
30 |
31 | The state correlation approach sounded very sexy on paper, but ultimately, made
32 | the fuzzer complicated, brittle, and cumbersome to use; every other target
33 | program would require a tweak or two. Because Bunny didn't fare a whole lot
34 | better than less sophisticated brute-force tools, I eventually decided to write
35 | it off. You can still find its original documentation at:
36 |
37 | https://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc
38 |
39 | There has been a fair amount of independent work, too. Most notably, a few
40 | weeks earlier that year, Jared DeMott had a Defcon presentation about a
41 | coverage-driven fuzzer that relied on coverage as a fitness function.
42 |
43 | Jared's approach was by no means identical to what afl-fuzz does, but it was in
44 | the same ballpark. His fuzzer tried to explicitly solve for the maximum coverage
45 | with a single input file; in comparison, afl simply selects for cases that do
46 | something new (which yields better results - see technical_details.txt).
47 |
48 | A few years later, Gabriel Campana released fuzzgrind, a tool that relied purely
49 | on Valgrind and a constraint solver to maximize coverage without any brute-force
50 | bits; and Microsoft Research folks talked extensively about their still
51 | non-public, solver-based SAGE framework.
52 |
53 | In the past six years or so, I've also seen a fair number of academic papers
54 | that dealt with smart fuzzing (focusing chiefly on symbolic execution) and a
55 | couple papers that discussed proof-of-concept applications of genetic
56 | algorithms with the same goals in mind. I'm unconvinced how practical most of
57 | these experiments were; I suspect that many of them suffer from the
58 | bunny-the-fuzzer's curse of being cool on paper and in carefully designed
59 | experiments, but failing the ultimate test of being able to find new,
60 | worthwhile security bugs in otherwise well-fuzzed, real-world software.
61 |
62 | In some ways, the baseline that the "cool" solutions have to compete against is
63 | a lot more impressive than it may seem, making it difficult for competitors to
64 | stand out. For a singular example, check out the work by Gynvael and Mateusz
65 | Jurczyk, applying "dumb" fuzzing to ffmpeg, a prominent and security-critical
66 | component of modern browsers and media players:
67 |
68 | http://googleonlinesecurity.blogspot.com/2014/01/ffmpeg-and-thousand-fixes.html
69 |
70 | Effortlessly getting comparable results with state-of-the-art symbolic execution
71 | in equally complex software still seems fairly unlikely, and hasn't been
72 | demonstrated in practice so far.
73 |
74 | But I digress; ultimately, attribution is hard, and glorying the fundamental
75 | concepts behind AFL is probably a waste of time. The devil is very much in the
76 | often-overlooked details, which brings us to...
77 |
78 | 2) Design goals for afl-fuzz
79 | ----------------------------
80 |
81 | In short, I believe that the current implementation of afl-fuzz takes care of
82 | several itches that seemed impossible to scratch with other tools:
83 |
84 | 1) Speed. It's genuinely hard to compete with brute force when your "smart"
85 | approach is resource-intensive. If your instrumentation makes it 10x more
86 | likely to find a bug, but runs 100x slower, your users are getting a bad
87 | deal.
88 |
89 | To avoid starting with a handicap, afl-fuzz is meant to let you fuzz most of
90 | the intended targets at roughly their native speed - so even if it doesn't
91 | add value, you do not lose much.
92 |
93 | On top of this, the tool leverages instrumentation to actually reduce the
94 | amount of work in a couple of ways: for example, by carefully trimming the
95 | corpus or skipping non-functional but non-trimmable regions in the input
96 | files.
97 |
98 | 2) Rock-solid reliability. It's hard to compete with brute force if your
99 | approach is brittle and fails unexpectedly. Automated testing is attractive
100 | because it's simple to use and scalable; anything that goes against these
101 | principles is an unwelcome trade-off and means that your tool will be used
102 | less often and with less consistent results.
103 |
104 | Most of the approaches based on symbolic execution, taint tracking, or
105 | complex syntax-aware instrumentation are currently fairly unreliable with
106 | real-world targets. Perhaps more importantly, their failure modes can render
107 | them strictly worse than "dumb" tools, and such degradation can be difficult
108 | for less experienced users to notice and correct.
109 |
110 | In contrast, afl-fuzz is designed to be rock solid, chiefly by keeping it
111 | simple. In fact, at its core, it's designed to be just a very good
112 | traditional fuzzer with a wide range of interesting, well-researched
113 | strategies to go by. The fancy parts just help it focus the effort in
114 | places where it matters the most.
115 |
116 | 3) Simplicity. The author of a testing framework is probably the only person
117 | who truly understands the impact of all the settings offered by the tool -
118 | and who can dial them in just right. Yet, even the most rudimentary fuzzer
119 | frameworks often come with countless knobs and fuzzing ratios that need to
120 | be guessed by the operator ahead of the time. This can do more harm than
121 | good.
122 |
123 | AFL is designed to avoid this as much as possible. The three knobs you
124 | can play with are the output file, the memory limit, and the ability to
125 | override the default, auto-calibrated timeout. The rest is just supposed to
126 | work. When it doesn't, user-friendly error messages outline the probable
127 | causes and workarounds, and get you back on track right away.
128 |
129 | 4) Chainability. Most general-purpose fuzzers can't be easily employed
130 | against resource-hungry or interaction-heavy tools, necessitating the
131 | creation of custom in-process fuzzers or the investment of massive CPU
132 | power (most of which is wasted on tasks not directly related to the code
133 | we actually want to test).
134 |
135 | AFL tries to scratch this itch by allowing users to use more lightweight
136 | targets (e.g., standalone image parsing libraries) to create small
137 | corpora of interesting test cases that can be fed into a manual testing
138 | process or a UI harness later on.
139 |
140 | As mentioned in technical_details.txt, AFL does all this not by systematically
141 | applying a single overarching CS concept, but by experimenting with a variety
142 | of small, complementary methods that were shown to reliably yields results
143 | better than chance. The use of instrumentation is a part of that toolkit, but is
144 | far from being the most important one.
145 |
146 | Ultimately, what matters is that afl-fuzz is designed to find cool bugs - and
147 | has a pretty robust track record of doing just that.
148 |
--------------------------------------------------------------------------------
/llvm_mode/afl-llvm-rt.o.c:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - LLVM instrumentation bootstrap
3 | ---------------------------------------------------
4 |
5 | Written by Laszlo Szekeres and
6 | Michal Zalewski
7 |
8 | LLVM integration design comes from Laszlo Szekeres.
9 |
10 | Copyright 2015, 2016 Google Inc. All rights reserved.
11 |
12 | Licensed under the Apache License, Version 2.0 (the "License");
13 | you may not use this file except in compliance with the License.
14 | You may obtain a copy of the License at:
15 |
16 | http://www.apache.org/licenses/LICENSE-2.0
17 |
18 | This code is the rewrite of afl-as.h's main_payload.
19 |
20 | */
21 |
22 | #include "../config.h"
23 | #include "../types.h"
24 |
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 |
32 | #include
33 | #include
34 | #include
35 | #include
36 |
37 | /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode.
38 | Basically, we need to make sure that the forkserver is initialized after
39 | the LLVM-generated runtime initialization pass, not before. */
40 |
41 | #ifdef USE_TRACE_PC
42 | # define CONST_PRIO 5
43 | #else
44 | # define CONST_PRIO 0
45 | #endif /* ^USE_TRACE_PC */
46 |
47 |
48 | /* Globals needed by the injected instrumentation. The __afl_area_initial region
49 | is used for instrumentation output before __afl_map_shm() has a chance to run.
50 | It will end up as .comm, so it shouldn't be too wasteful. */
51 |
52 | u8 __afl_area_initial[MAP_SIZE];
53 | u8* __afl_area_ptr = __afl_area_initial;
54 |
55 | __thread u32 __afl_prev_loc;
56 |
57 |
58 | /* Running in persistent mode? */
59 |
60 | static u8 is_persistent;
61 |
62 |
63 | /* SHM setup. */
64 |
65 | static void __afl_map_shm(void) {
66 |
67 | u8 *id_str = getenv(SHM_ENV_VAR);
68 |
69 | /* If we're running under AFL, attach to the appropriate region, replacing the
70 | early-stage __afl_area_initial region that is needed to allow some really
71 | hacky .init code to work correctly in projects such as OpenSSL. */
72 |
73 | if (id_str) {
74 |
75 | u32 shm_id = atoi(id_str);
76 |
77 | __afl_area_ptr = shmat(shm_id, NULL, 0);
78 |
79 | /* Whooooops. */
80 |
81 | if (__afl_area_ptr == (void *)-1) _exit(1);
82 |
83 | /* Write something into the bitmap so that even with low AFL_INST_RATIO,
84 | our parent doesn't give up on us. */
85 |
86 | __afl_area_ptr[0] = 1;
87 |
88 | }
89 |
90 | }
91 |
92 |
93 | /* Fork server logic. */
94 |
95 | static void __afl_start_forkserver(void) {
96 |
97 | static u8 tmp[4];
98 | s32 child_pid;
99 |
100 | u8 child_stopped = 0;
101 |
102 | /* Phone home and tell the parent that we're OK. If parent isn't there,
103 | assume we're not running in forkserver mode and just execute program. */
104 |
105 | if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
106 |
107 | while (1) {
108 |
109 | u32 was_killed;
110 | int status;
111 |
112 | /* Wait for parent by reading from the pipe. Abort if read fails. */
113 |
114 | if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
115 |
116 | /* If we stopped the child in persistent mode, but there was a race
117 | condition and afl-fuzz already issued SIGKILL, write off the old
118 | process. */
119 |
120 | if (child_stopped && was_killed) {
121 | child_stopped = 0;
122 | if (waitpid(child_pid, &status, 0) < 0) _exit(1);
123 | }
124 |
125 | if (!child_stopped) {
126 |
127 | /* Once woken up, create a clone of our process. */
128 |
129 | child_pid = fork();
130 | if (child_pid < 0) _exit(1);
131 |
132 | /* In child process: close fds, resume execution. */
133 |
134 | if (!child_pid) {
135 |
136 | close(FORKSRV_FD);
137 | close(FORKSRV_FD + 1);
138 | return;
139 |
140 | }
141 |
142 | } else {
143 |
144 | /* Special handling for persistent mode: if the child is alive but
145 | currently stopped, simply restart it with SIGCONT. */
146 |
147 | kill(child_pid, SIGCONT);
148 | child_stopped = 0;
149 |
150 | }
151 |
152 | /* In parent process: write PID to pipe, then wait for child. */
153 |
154 | if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) _exit(1);
155 |
156 | if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0)
157 | _exit(1);
158 |
159 | /* In persistent mode, the child stops itself with SIGSTOP to indicate
160 | a successful run. In this case, we want to wake it up without forking
161 | again. */
162 |
163 | if (WIFSTOPPED(status)) child_stopped = 1;
164 |
165 | /* Relay wait status to pipe, then loop back. */
166 |
167 | if (write(FORKSRV_FD + 1, &status, 4) != 4) _exit(1);
168 |
169 | }
170 |
171 | }
172 |
173 |
174 | /* A simplified persistent mode handler, used as explained in README.llvm. */
175 |
176 | int __afl_persistent_loop(unsigned int max_cnt) {
177 |
178 | static u8 first_pass = 1;
179 | static u32 cycle_cnt;
180 |
181 | if (first_pass) {
182 |
183 | /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
184 | On subsequent calls, the parent will take care of that, but on the first
185 | iteration, it's our job to erase any trace of whatever happened
186 | before the loop. */
187 |
188 | if (is_persistent) {
189 |
190 | memset(__afl_area_ptr, 0, MAP_SIZE);
191 | __afl_area_ptr[0] = 1;
192 | __afl_prev_loc = 0;
193 | }
194 |
195 | cycle_cnt = max_cnt;
196 | first_pass = 0;
197 | return 1;
198 |
199 | }
200 |
201 | if (is_persistent) {
202 |
203 | if (--cycle_cnt) {
204 |
205 | raise(SIGSTOP);
206 |
207 | __afl_area_ptr[0] = 1;
208 | __afl_prev_loc = 0;
209 |
210 | return 1;
211 |
212 | } else {
213 |
214 | /* When exiting __AFL_LOOP(), make sure that the subsequent code that
215 | follows the loop is not traced. We do that by pivoting back to the
216 | dummy output region. */
217 |
218 | __afl_area_ptr = __afl_area_initial;
219 |
220 | }
221 |
222 | }
223 |
224 | return 0;
225 |
226 | }
227 |
228 |
229 | /* This one can be called from user code when deferred forkserver mode
230 | is enabled. */
231 |
232 | void __afl_manual_init(void) {
233 |
234 | static u8 init_done;
235 |
236 | if (!init_done) {
237 |
238 | __afl_map_shm();
239 | __afl_start_forkserver();
240 | init_done = 1;
241 |
242 | }
243 |
244 | }
245 |
246 |
247 | /* Proper initialization routine. */
248 |
249 | __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
250 |
251 | is_persistent = !!getenv(PERSIST_ENV_VAR);
252 |
253 | if (getenv(DEFER_ENV_VAR)) return;
254 |
255 | __afl_manual_init();
256 |
257 | }
258 |
259 |
260 | /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
261 | It remains non-operational in the traditional, plugin-backed LLVM mode.
262 | For more info about 'trace-pc-guard', see README.llvm.
263 |
264 | The first function (__sanitizer_cov_trace_pc_guard) is called back on every
265 | edge (as opposed to every basic block). */
266 |
267 | void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
268 | __afl_area_ptr[*guard]++;
269 | }
270 |
271 |
272 | /* Init callback. Populates instrumentation IDs. Note that we're using
273 | ID of 0 as a special value to indicate non-instrumented bits. That may
274 | still touch the bitmap, but in a fairly harmless way. */
275 |
276 | void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) {
277 |
278 | u32 inst_ratio = 100;
279 | u8* x;
280 |
281 | if (start == stop || *start) return;
282 |
283 | x = getenv("AFL_INST_RATIO");
284 | if (x) inst_ratio = atoi(x);
285 |
286 | if (!inst_ratio || inst_ratio > 100) {
287 | fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
288 | abort();
289 | }
290 |
291 | /* Make sure that the first element in the range is always set - we use that
292 | to avoid duplicate calls (which can happen as an artifact of the underlying
293 | implementation in LLVM). */
294 |
295 | *(start++) = R(MAP_SIZE - 1) + 1;
296 |
297 | while (start < stop) {
298 |
299 | if (R(100) < inst_ratio) *start = R(MAP_SIZE - 1) + 1;
300 | else *start = 0;
301 |
302 | start++;
303 |
304 | }
305 |
306 | }
307 |
--------------------------------------------------------------------------------