diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 65786d8b0e..0845ae3a20 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -46,7 +46,7 @@ LLVMVER = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's
 LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' )
 LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' )
 LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 )
-LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[7-9]' && echo 1 || echo 0 )
+LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[8-9]|^2[0-9]' && echo 1 || echo 0 )
 LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 )
 LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
 LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 )
diff --git a/TODO.md b/TODO.md
index ac24fe071b..9bdb2c5518 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,14 +1,19 @@
 # TODO list for AFL++ -## Should +## Must + - adapt MOpt to new mutation engine + - Update afl->pending_not_fuzzed for MOpt + - cmplog rtn sanity check on fixed length? + no length 1 - afl-showmap -f support - afl-fuzz multicore wrapper script - - add value_profile but only enable after 15 minutes without finds + +## Should + + - add value_profile but only enable after 15 minutes without finds? - afl-crash-analysis - support persistent and deferred fork server in afl-showmap? - better autodetection of shifting runtime timeout values - - Update afl->pending_not_fuzzed for MOpt - afl-plot to support multiple plot_data - parallel builds for source-only targets - get rid of check_binary, replace with more forkserver communication
@@ -27,8 +32,7 @@ QEMU mode/FRIDA mode: - non colliding instrumentation - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?) - - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as there is - persistent mode + - add AFL_QEMU_EXITPOINT (maybe multiple?) ## Ideas
diff --git a/include/envs.h b/include/envs.h
index 4259d6ddd5..734b1707ae 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -179,6 +179,7 @@ static char *afl_environment_variables[] = {
 "AFL_NO_COLOUR",
 #endif
 "AFL_NO_CPU_RED",
+ "AFL_NO_CFG_FUZZING", // afl.rs rust crate option
 "AFL_NO_CRASH_README",
 "AFL_NO_FORKSRV",
 "AFL_NO_UI",
diff --git a/include/forkserver.h b/include/forkserver.h
index 5e498c5635..f6230fe8c4 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -197,6 +197,7 @@ typedef struct afl_forkserver {
 u32 nyx_id; /* nyx runner id (0 -> master) */
 u32 nyx_bind_cpu_id; /* nyx runner cpu id */
 char *nyx_aux_string;
+ u32 nyx_aux_string_len;
 bool nyx_use_tmp_workdir;
 char *nyx_tmp_workdir_path;
 s32 nyx_log_fd;
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 98c5973cf9..588eb95057 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -214,7 +214,11 @@ llvmGetPassPluginInfo() {
 #if LLVM_VERSION_MAJOR == 13
 using OptimizationLevel = typename PassBuilder::OptimizationLevel;
 #endif
+#if LLVM_VERSION_MAJOR >= 16
+ PB.registerOptimizerEarlyEPCallback(
+#else
 PB.registerOptimizerLastEPCallback(
+#endif
 [](ModulePassManager &MPM, OptimizationLevel OL) {
 MPM.addPass(ModuleSanitizerCoverageAFL());
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 85ee9f717d..c3197c8a34 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
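Review bot: `"AFL_NO_CFG_FUZZING"` is inserted after `"AFL_NO_CPU_RED"`, but the neighbouring entries of `afl_environment_variables` are kept in alphabetical order (`AFL_NO_COLOUR`, `AFL_NO_CPU_RED`, `AFL_NO_CRASH_README`, `AFL_NO_FORKSRV`, `AFL_NO_UI`), and `CFG` sorts before `COLOUR`. Move the new entry above `"AFL_NO_COLOUR"` (or above the `#ifdef` that guards it, of which only the `#endif` is visible here) so the table stays sorted; the array begins and ends outside the hunk. Since the trailing comment says this is an afl.rs option rather than one afl-fuzz reads itself, it would also help to note that in the comment, e.g. `// afl.rs rust crate option, listed here only so it is not reported as a typo`, assuming that is indeed the purpose of this table.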
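Review bot: The new member `u32 nyx_aux_string_len;` carries none of the trailing `/* ... */` comments its neighbours have (`/* nyx runner id (0 -> master) */`, `/* nyx runner cpu id */`), and nothing records that it is both the size handed to `nyx_config_set_aux_buffer_size` and the size of the `nyx_aux_string` allocation, which the `src/afl-forkserver.c` hunks in this commit rely on. Suggest `u32 nyx_aux_string_len; /* byte size of nyx_aux_string; also passed to nyx_config_set_aux_buffer_size */`. The `afl_forkserver` struct starts and ends outside the hunk.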
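Review bot: The switch from `registerOptimizerLastEPCallback` to `registerOptimizerEarlyEPCallback` on LLVM 16+ is unexplained; the names suggest the coverage pass now runs at a different point of the pipeline on those versions, and a later reader cannot tell whether this is an API-availability workaround or a deliberate change of the instrumentation point. Add a comment on the new `#if`, e.g. `// LLVM 16+: register at the optimizer-early extension point because <reason>`, with the actual reason filled in, and ideally a pointer to the upstream LLVM change that motivated it. The registered lambda is identical on both branches, so the extension point is the only difference between the two builds. `llvmGetPassPluginInfo` starts before the hunk and its body continues after it.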
@@ -666,6 +666,7 @@ static void __afl_map_shm(void) {
 }
 if (id_str) {
+ // /dev/null doesn't work so we use /dev/urandom
 if ((__afl_dummy_fd[1] = open("/dev/urandom", O_WRONLY)) < 0) {
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index c59324fdfd..052488a9ab 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -552,7 +552,7 @@ bool AFLCoverage::runOnModule(Module &M) {
 #endif
 {
- // load the context ID of the previous function and write to to a
+ // load the context ID of the previous function and write to a
 // local variable on the stack
 LoadInst *PrevCtxLoad = IRB.CreateLoad(
 #if LLVM_VERSION_MAJOR >= 14
@@ -634,7 +634,7 @@ bool AFLCoverage::runOnModule(Module &M) {
 /* There is a problem with Ubuntu 18.04 and llvm 6.0 (see issue #63). The inline function successors() is not inlined and also not found at runtime
- :-( As I am unable to detect Ubuntu18.04 heree, the next best thing is to
+ :-( As I am unable to detect Ubuntu18.04 here, the next best thing is to
 disable this optional optimization for LLVM 6.0.0 and Linux */
 #if !(LLVM_VERSION_MAJOR == 6 && LLVM_VERSION_MINOR == 0) || !defined __linux__ // only instrument if this basic block is the destination of a previous
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 07f5a1a94b..9b710733ce 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -615,8 +615,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 if (getenv("AFL_NYX_AUX_SIZE") != NULL) {
+ fsrv->nyx_aux_string_len = atoi(getenv("AFL_NYX_AUX_SIZE"));
+ if (fsrv->nyx_handlers->nyx_config_set_aux_buffer_size(
- nyx_config, atoi(getenv("AFL_NYX_AUX_SIZE"))) != 1) {
+ nyx_config, fsrv->nyx_aux_string_len) != 1) {
 NYX_PRE_FATAL(fsrv, "Invalid AFL_NYX_AUX_SIZE value set (must be a multiple "
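Review bot: `fsrv->nyx_aux_string_len = atoi(getenv("AFL_NYX_AUX_SIZE"));` stores an `atoi` result in a `u32`: a non-numeric value becomes 0 and a negative value wraps to a size close to 4 GiB, and neither is rejected by afl-fuzz itself — the only check is whether `nyx_config_set_aux_buffer_size` returns something other than 1, while the same value is later handed to `malloc` in the hunk at -697. Parse the variable once with `strtoul` and reject an empty string, trailing garbage, zero and anything above `UINT32_MAX` before calling into Nyx, so the fatal error does not depend on the external library's validation; e.g. `char *end; unsigned long v = strtoul(s, &end, 10); if (!*s || *end || !v || v > UINT32_MAX) NYX_PRE_FATAL(fsrv, "Invalid AFL_NYX_AUX_SIZE value set");`. `getenv` is also called twice for the same variable here; reading it into a local first removes that. `afl_fsrv_start` starts outside the hunk.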
@@ -624,6 +626,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 }
+ } else {
+ fsrv->nyx_aux_string_len = 0x1000;
+ }
 if (getenv("AFL_NYX_REUSE_SNAPSHOT") != NULL) {
@@ -697,8 +703,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 fsrv->nyx_handlers->nyx_option_set_timeout(fsrv->nyx_runner, 2, 0);
 fsrv->nyx_handlers->nyx_option_apply(fsrv->nyx_runner);
- fsrv->nyx_aux_string = malloc(0x1000);
- memset(fsrv->nyx_aux_string, 0, 0x1000);
+ fsrv->nyx_aux_string = malloc(fsrv->nyx_aux_string_len);
+ memset(fsrv->nyx_aux_string, 0, fsrv->nyx_aux_string_len);
 /* dry run */ fsrv->nyx_handlers->nyx_set_afl_input(fsrv->nyx_runner, "INIT", 4);
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 0429db34ed..d76158ced5 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -866,7 +866,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); }
 u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string(
- afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, 0x1000);
+ afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, afl->fsrv.nyx_aux_string_len);
 ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, fn_log);
 close(fd);
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index adf04420f6..66e32e78ed 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -250,11 +250,13 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 #endif
 u64 cur_time = get_cur_time();
- u8 fn[PATH_MAX];
+ u8 fn_tmp[PATH_MAX];
+ u8 fn_final[PATH_MAX];
 FILE *f;
- snprintf(fn, PATH_MAX, "%s/fuzzer_stats", afl->out_dir);
- f = create_ffile(fn);
+ snprintf(fn_tmp, PATH_MAX, "%s/.fuzzer_stats_tmp", afl->out_dir);
+ snprintf(fn_final, PATH_MAX, "%s/fuzzer_stats", afl->out_dir);
+ f = create_ffile(fn_tmp);
 /* Keep last values in case we're called from another context where exec/sec stats and such are not readily available. */
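Review bot: The fallback `fsrv->nyx_aux_string_len = 0x1000;` is an unexplained magic number, even though it is now the single place that decides how large the aux buffer is when `AFL_NYX_AUX_SIZE` is unset (the hunk at -697 allocates exactly this many bytes). Add a comment, e.g. `/* default Nyx aux buffer size when AFL_NYX_AUX_SIZE is not set; must stay a multiple of the page size Nyx expects */` — the "multiple of" requirement is taken from the error message in the previous hunk, so word it to match whatever that message says in full. A named constant next to the other Nyx defaults would be better still. `afl_fsrv_start` starts outside the hunk.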
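Review bot: `fsrv->nyx_aux_string = malloc(fsrv->nyx_aux_string_len);` is immediately followed by `memset(fsrv->nyx_aux_string, 0, ...)` with no NULL check, and the size is now user-controlled through `AFL_NYX_AUX_SIZE`, so an allocation failure turns into a NULL dereference instead of a diagnostic. Either check the result, `if (!fsrv->nyx_aux_string) { PFATAL("Unable to allocate nyx aux buffer"); }`, or — if the buffer is not later released with plain `free` somewhere outside this view — use the project's checked zeroing allocator in place of the `malloc`+`memset` pair. The same `nyx_aux_string_len` value also feeds `nyx_get_aux_string` in `src/afl-fuzz-bitmap.c`, so keeping it validated at this one point protects that caller too. `afl_fsrv_start` starts outside the hunk and continues past it.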
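Review bot: The write-to-temp-then-rename scheme introduced with `fn_tmp`/`fn_final` is not explained anywhere in the hunk, and its second half (the `rename`) lives in a separate hunk at -412, so a reader of either hunk alone cannot see the intent. Add a comment above `snprintf(fn_tmp, ...)`, e.g. `/* Write to a temporary file and rename() it over fuzzer_stats so that external readers never observe a partially written file. */`. It is also worth stating that `.fuzzer_stats_tmp` is private to this instance's `out_dir`, since a second writer to the same directory would race on the fixed name. `write_stats_file` starts outside the hunk.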
@@ -412,6 +414,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 }
 fclose(f);
+ rename(fn_tmp, fn_final);
 }
@@ -817,17 +820,18 @@ void show_stats_normal(afl_state_t *afl) {
 if (afl->fsrv.nyx_mode) {
 snprintf(banner + banner_pad, sizeof(banner) - banner_pad,
- "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx",
- afl->crash_mode ? cPIN : cYEL, fuzzer_name,
- si, afl->use_banner, afl->power_name);
+ "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx",
+ afl->crash_mode ? cPIN : cYEL, fuzzer_name, si, afl->use_banner,
+ afl->power_name);
 } else {
 #endif
 snprintf(banner + banner_pad, sizeof(banner) - banner_pad,
 "%s%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]",
- afl->crash_mode ? cPIN : cYEL, fuzzer_name,
- si, afl->use_banner, afl->power_name);
+ afl->crash_mode ? cPIN : cYEL, fuzzer_name, si, afl->use_banner,
+ afl->power_name);
 #ifdef __linux__
diff --git a/src/afl-fuzz-statsd.c b/src/afl-fuzz-statsd.c
index e835c8ea2f..2e42ea9b7f 100644
--- a/src/afl-fuzz-statsd.c
+++ b/src/afl-fuzz-statsd.c
@@ -223,7 +223,7 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) {
 char tags[MAX_TAG_LEN * 2] = {0};
 if (afl->statsd_tags_format) {
- snprintf(tags, MAX_TAG_LEN * 2, afl->statsd_tags_format, afl->use_banner,
+ snprintf(tags, MAX_TAG_LEN * 2, afl->statsd_tags_format, afl->sync_id,
 VERSION);
 }
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index 1c8e571fc0..51878a56f3 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-f2cede37
+f607118f
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index f2cede37a7..f607118fc1 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit f2cede37a75bbd4a9b9438f0277727b5d4620572
+Subproject commit f607118fc10e5225da751385075792e24133a130
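Review bot: `rename(fn_tmp, fn_final);` ignores its return value, so a failed rename (permission or I/O error on the directory entry) silently leaves a stale `fuzzer_stats` plus an orphaned `.fuzzer_stats_tmp`, with no hint to the user that the statistics stopped updating. The surrounding code reports file errors loudly (`PFATAL("Unable to create '%s'", ...)` in the bitmap hunk), so do the same here: `if (rename(fn_tmp, fn_final) < 0) { PFATAL("Unable to rename '%s' to '%s'", fn_tmp, fn_final); }`, or a non-fatal warning if a transient failure should not abort the campaign. Note that `fclose(f)` on the line above is likewise unchecked, so a short write would still be renamed into place; checking it before the rename closes that gap. `write_stats_file` starts outside the hunk.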
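Review bot: `afl->sync_id` replaces `afl->use_banner` as the first `%s` argument of the runtime-supplied `afl->statsd_tags_format`, but as far as I know `sync_id` is only set when afl-fuzz is started with `-M`/`-S`, so a single-instance run would pass a NULL pointer to `%s` — undefined behaviour, even where the libc prints `(null)`. Guard it, e.g. `afl->sync_id ? afl->sync_id : "default"`, or fall back to `afl->use_banner` when `sync_id` is unset, and say in a comment which of the two tags the format is expected to receive. The user-controlled format string itself predates this change, but the argument swap is a good moment to add a comment noting that it must contain exactly the two `%s` conversions. `statsd_format_metric` starts outside the hunk and continues past it.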