Merge pull request AFLplusplus#1906 from AFLplusplus/dev

Dev

.custom-format.py

@@ -24,7 +24,7 @@
 
 # string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use
 
-CURRENT_LLVM = os.getenv('LLVM_VERSION', 16)
+CURRENT_LLVM = os.getenv('LLVM_VERSION', 17)
 CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "")
 
 

.gitignore

@@ -10,6 +10,7 @@
 .test
 .test2
 .vscode
+afl-addseeds.8
 afl-analyze
 afl-analyze.8
 afl-as

afl-cmin

@@ -259,22 +259,20 @@ BEGIN {
   # Do a sanity check to discourage the use of /tmp, since we can't really
   # handle this safely from an awk script.
 
-  #if (!ENVIRON["AFL_ALLOW_TMP"]) {
-  #  dirlist[0] = in_dir
-  #  dirlist[1] = target_bin
-  #  dirlist[2] = out_dir
-  #  dirlist[3] = stdin_file
-  #  "pwd" | getline dirlist[4] # current directory
-  #  for (dirind in dirlist) {
-  #    dir = dirlist[dirind]
-  #
-  #      if (dir ~ /^(\/var)?\/tmp/) {
-  #        print "[-] Error: do not use this script in /tmp or /var/tmp." > "/dev/stderr"
-  #        exit 1
-  #      }
-  #    }
-  #  delete dirlist
-  #}
+  if (!ENVIRON["AFL_ALLOW_TMP"]) {
+    dirlist[0] = in_dir
+    dirlist[1] = target_bin
+    dirlist[2] = out_dir
+    dirlist[3] = stdin_file
+    "pwd" | getline dirlist[4] # current directory
+    for (dirind in dirlist) {
+      dir = dirlist[dirind]
+      if (dir ~ /^(\/var)?\/tmp/) {
+        print "[-] Warning: do not use this script in /tmp or /var/tmp for security reasons." > "/dev/stderr"
+      }
+    }
+    delete dirlist
+  }
 
   if (threads && stdin_file) {
     print "[-] Error: -T and -f cannot be used together." > "/dev/stderr"
@@ -430,7 +428,7 @@ BEGIN {
   } else {
     stat_format = "-f '%z %N'" # *BSD, MacOS
   }
-  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r)"
+  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r) | grep -Ev '^0'"
   #cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
   #cmdline = "(cd "in_dir" && stat "stat_format" *) | sort -k1n -k2r"
   #cmdline = "(cd "in_dir" && ls | xargs stat "stat_format" ) | sort -k1n -k2r"

afl-cmin.bash

@@ -167,29 +167,28 @@ fi
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.
 
-#if [ "$AFL_ALLOW_TMP" = "" ]; then
-#
-#  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-#  T1="$?"
-#
-#  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-#  T2="$?"
-#
-#  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-#  T3="$?"
-#
-#  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-#  T4="$?"
-#
-#  echo "$PWD" | grep -qE '^(/var)?/tmp/'
-#  T5="$?"
-#
-#  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
-#    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
-#    exit 1
-#  fi
-#
-#fi
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+  T1="$?"
+
+  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+  T2="$?"
+
+  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+  T3="$?"
+
+  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+  T4="$?"
+
+  echo "$PWD" | grep -qE '^(/var)?/tmp/'
+  T5="$?"
+
+  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+    echo "[-] Warning: do not use this script in /tmp or /var/tmp for security reasons." 1>&2
+  fi
+
+fi
 
 # If @@ is specified, but there's no -f, let's come up with a temporary input
 # file name.
@@ -423,22 +422,30 @@ if [ "$THREADS" = "" ]; then
 
     ls "$IN_DIR" | while read -r fn; do
 
-      CUR=$((CUR+1))
-      printf "\\r    Processing file $CUR/$IN_COUNT... "
+      if [ -s "$IN_DIR/$fn" ]; then
 
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
+        CUR=$((CUR+1))
+        printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+        "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
+
+      fi
 
     done
 
   else
 
     ls "$IN_DIR" | while read -r fn; do
 
-      CUR=$((CUR+1))
-      printf "\\r    Processing file $CUR/$IN_COUNT... "
+      if [ -s "$IN_DIR/$fn" ]; then
+
+        CUR=$((CUR+1))
+        printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+        cp "$IN_DIR/$fn" "$STDIN_FILE"
+        "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null
 
-      cp "$IN_DIR/$fn" "$STDIN_FILE"
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null
+      fi
 
     done
 
@@ -460,19 +467,26 @@ else
 
     cat $inputs | while read -r fn; do
 
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
+      if [ -s "$IN_DIR/$fn" ]; then
+
+        "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
+
+      fi
 
     done
 
   else
 
-    STDIN_FILE="$inputs.$$"
-    cat $inputs | while read -r fn; do
+    if [ -s "$IN_DIR/$fn" ]; then
+      STDIN_FILE="$inputs.$$"
+      cat $inputs | while read -r fn; do
 
-      cp "$IN_DIR/$fn" "$STDIN_FILE"
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null
+        cp "$IN_DIR/$fn" "$STDIN_FILE"
+        "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -H "$STDIN_FILE" -- "$@" </dev/null
 
-    done
+      done
+
+    fi
 
   fi
 

afl-persistent-config

@@ -2,7 +2,7 @@
 # written by jhertz
 # 
 
-test "$1" = "-h" -o "$1" = "-hh" && {
+test "$1" = "-h" -o "$1" = "-hh" -o "$1" = "--help" && {
   echo 'afl-persistent-config'
   echo
   echo $0
@@ -17,6 +17,11 @@ test "$1" = "-h" -o "$1" = "-hh" && {
   exit 0
 }
 
+if [ $# -ne 0 ]; then
+  echo "ERROR: Unknown option(s): $@"
+  exit 1
+fi
+
 echo
 echo "WARNING: This scripts makes permanent configuration changes to the system to"
 echo "         increase the performance for fuzzing. As a result, the system also"

afl-system-config

@@ -1,5 +1,5 @@
 #!/bin/sh
-test "$1" = "-h" -o "$1" = "-hh" && {
+test "$1" = "-h" -o "$1" = "-hh" -o "$1" = "--help" && {
   echo 'afl-system-config by Marc Heuse <[email protected]>'
   echo
   echo $0
@@ -13,6 +13,10 @@ test "$1" = "-h" -o "$1" = "-hh" && {
   echo configuration options.
   exit 0
 }
+if [ $# -ne 0 ]; then
+  echo "ERROR: Unknown option(s): $@"
+  exit 1
+fi
 
 DONE=
 PLATFORM=`uname -s`

docs/Changelog.md

@@ -10,6 +10,9 @@
     - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead
       of exiting with an error message
     - allow -S/-M naming up to 50 characters (from 24)
+    - added scale support to CMPLOG (-l S)
+    - added --version and --help command line parameters
+    - fixed endless loop when reading malformed dictionaries
   - afl-whatsup:
     - detect instanced that are starting up and show them as such as not dead
     - now also shows coverage reached
@@ -19,6 +22,7 @@
     - fix for a few string compare transform functions for LAF
   - frida_mode:
     - fixes support for large map offsets
+  - afl-cmin/afl-cmin.bash: prevent unneeded file errors
   - added new tool afl-addseeds that adds new seeds to a running campaign
   - added benchmark/benchmark.sh if you want to see how good your fuzzing
     speed is in comparison to other setups.

docs/custom_mutators.md

@@ -125,8 +125,9 @@ def deinit():  # optional for Python
 
 - `queue_get` (optional):
 
-    This method determines whether the custom fuzzer should fuzz the current
-    queue entry or not
+    This method determines whether AFL++ should fuzz the current
+    queue entry or not: all defined custom mutators as well as
+    all AFL++'s mutators.
 
 - `fuzz_count` (optional):
 

docs/env_variables.md

@@ -135,6 +135,12 @@ subset of the settings discussed in section 1, with the exception of:
   - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
     created.
 
+  - LLVM modes compiling C++ will normally set rpath in the binary if LLVM is
+    not in a usual location (/usr or /lib). Setting `AFL_LLVM_NO_RPATH=1`
+    disables this behaviour in case it isn't desired. For example, the compiling
+    toolchain might be in a custom location, but the target machine has LLVM
+    runtime libs in the search path.
+
 Then there are a few specific features that are only available in
 instrumentation mode:
 

frida_mode/src/main.c

@@ -49,10 +49,10 @@ extern void __libc_init(void *raw_args, void (*onexit)(void) __unused,
                         int (*slingshot)(int, char **, char **),
                         structors_array_t const *const structors);
 #else
-extern int  __libc_start_main(int (*main)(int, char **, char **), int argc,
-                              char **ubp_av, void (*init)(void),
-                              void (*fini)(void), void (*rtld_fini)(void),
-                              void(*stack_end));
+extern int __libc_start_main(int (*main)(int, char **, char **), int argc,
+                             char **ubp_av, void (*init)(void),
+                             void (*fini)(void), void (*rtld_fini)(void),
+                             void(*stack_end));
 #endif
 
 typedef int (*main_fn_t)(int argc, char **argv, char **envp);

include/afl-fuzz.h

@@ -675,7 +675,7 @@ typedef struct afl_state {
   u32 cmplog_max_filesize;
   u32 cmplog_lvl;
   u32 colorize_success;
-  u8  cmplog_enable_arith, cmplog_enable_transform,
+  u8  cmplog_enable_arith, cmplog_enable_transform, cmplog_enable_scale,
       cmplog_enable_xtreme_transform, cmplog_random_colorization;
 
   struct afl_pass_stat *pass_stats;

include/afl-mutations.h

@@ -1854,7 +1854,7 @@ inline u32 afl_mutate(afl_state_t *afl, u8 *buf, u32 len, u32 steps,
 
   for (u32 step = 0; step < steps; ++step) {
 
-  retry_havoc_step : {
+  retry_havoc_step: {
 
     u32 r = rand_below(afl, MUT_STRATEGY_ARRAY_SIZE), item;
 

include/envs.h

@@ -162,6 +162,7 @@ static char *afl_environment_variables[] = {
     "AFL_LLVM_MAP_DYNAMIC",
     "AFL_LLVM_NGRAM_SIZE",
     "AFL_NGRAM_SIZE",
+    "AFL_LLVM_NO_RPATH",
     "AFL_LLVM_NOT_ZERO",
     "AFL_LLVM_INSTRUMENT_FILE",
     "AFL_LLVM_THREADSAFE_INST",

include/xxhash.h

@@ -365,7 +365,7 @@ typedef uint32_t XXH32_hash_t;
       (defined(__cplusplus) || \
        (defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) /* C99 */))
     #include <stdint.h>
-typedef uint32_t      XXH32_hash_t;
+typedef uint32_t XXH32_hash_t;
 
   #else
     #include <limits.h>
@@ -1082,7 +1082,7 @@ struct XXH64_state_s {
       #include <stdalign.h>
       #define XXH_ALIGN(n) alignas(n)
     #elif defined(__cplusplus) && (__cplusplus >= 201103L)      /* >= C++11 */
-      /* In C++ alignas() is a keyword */
+    /* In C++ alignas() is a keyword */
       #define XXH_ALIGN(n) alignas(n)
     #elif defined(__GNUC__)
       #define XXH_ALIGN(n) __attribute__((aligned(n)))
@@ -3031,8 +3031,8 @@ XXH64_hashFromCanonical(const XXH64_canonical_t *src) {
           __STDC_VERSION__ >= 199901L                             /* >= C99 */
         #define XXH_RESTRICT restrict
       #else
-        /* Note: it might be useful to define __restrict or __restrict__ for
-         * some C++ compilers */
+      /* Note: it might be useful to define __restrict or __restrict__ for
+       * some C++ compilers */
         #define XXH_RESTRICT                                     /* disable */
       #endif
 
@@ -3492,8 +3492,8 @@ XXH_FORCE_INLINE xxh_u64x2 XXH_vec_loadu(const void *ptr) {
           #define XXH_vec_mulo vec_mulo
           #define XXH_vec_mule vec_mule
         #elif defined(__clang__) && XXH_HAS_BUILTIN(__builtin_altivec_vmuleuw)
-          /* Clang has a better way to control this, we can just use the builtin
-           * which doesn't swap. */
+        /* Clang has a better way to control this, we can just use the builtin
+         * which doesn't swap. */
           #define XXH_vec_mulo __builtin_altivec_vmulouw
           #define XXH_vec_mule __builtin_altivec_vmuleuw
         #else
@@ -3604,15 +3604,15 @@ XXH_FORCE_INLINE xxh_u64 XXH_mult32to64(xxh_u64 x, xxh_u64 y) {
         #include <intrin.h>
         #define XXH_mult32to64(x, y) __emulu((unsigned)(x), (unsigned)(y))
       #else
-        /*
-         * Downcast + upcast is usually better than masking on older compilers
-         * like GCC 4.2 (especially 32-bit ones), all without affecting newer
-         * compilers.
-         *
-         * The other method, (x & 0xFFFFFFFF) * (y & 0xFFFFFFFF), will AND both
-         * operands and perform a full 64x64 multiply -- entirely redundant on
-         * 32-bit.
-         */
+      /*
+       * Downcast + upcast is usually better than masking on older compilers
+       * like GCC 4.2 (especially 32-bit ones), all without affecting newer
+       * compilers.
+       *
+       * The other method, (x & 0xFFFFFFFF) * (y & 0xFFFFFFFF), will AND both
+       * operands and perform a full 64x64 multiply -- entirely redundant on
+       * 32-bit.
+       */
         #define XXH_mult32to64(x, y) \
           ((xxh_u64)(xxh_u32)(x) * (xxh_u64)(xxh_u32)(y))
       #endif