Merge pull request AFLplusplus#1579 from AFLplusplus/dev

push to stable

Author: vanhauser-thc

GNUmakefile

@@ -381,6 +381,7 @@ help:
 	@echo ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes
 	@echo UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for debug purposes
 	@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
+	@echo LLVM_DEBUG - shows llvm deprecation warnings
 	@echo PROFILING - compile afl-fuzz with profiling information
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
@@ -425,7 +426,7 @@ test_python:
 	@echo "[+] $(PYTHON_VERSION) support seems to be working."
 else
 test_python:
-	@echo "[-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue"
+	@echo "[-] You seem to need to install the package python3-dev or python-dev (and perhaps python[3]-apt), but it is optional so we continue"
 endif
 
 .PHONY: ready

GNUmakefile.llvm

@@ -255,16 +255,19 @@ else
 endif
 
 CFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
-CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ \
+CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign \
+                   -I ./include/ -I ./instrumentation/ \
                    -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
                    -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \
                    -DLLVM_LIBDIR=\"$(LLVM_LIBDIR)\" -DLLVM_VERSION=\"$(LLVMVER)\" \
-                   -Wno-deprecated -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \
-                   -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
-                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" \
-                   -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
-                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) -Wno-unused-function \
-                   $(AFL_CLANG_DEBUG_PREFIX)
+                   -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
+                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
+                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) \
+                   -Wno-unused-function $(AFL_CLANG_DEBUG_PREFIX)
+ifndef LLVM_DEBUG
+  CFLAGS_SAFE += -Wno-deprecated
+endif
+
 override CFLAGS += $(CFLAGS_SAFE)
 
 ifdef AFL_TRACE_PC

custom_mutators/examples/custom_send.c

@@ -0,0 +1,56 @@
+// cc -O3 -fPIC -shared -g -o custom_send.so -I../../include custom_send.c
+// cd ../..
+// afl-cc -o test-instr test-instr.c
+// afl-fuzz -i in -o out -- ./test-instr -f /tmp/foo
+
+#include "custom_mutator_helpers.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+typedef struct my_mutator {
+
+  afl_t *afl;
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+
+  return data;
+
+}
+
+void afl_custom_fuzz_send(my_mutator_t *data, uint8_t *buf, size_t buf_size) {
+
+  int fd = open("/tmp/foo", O_CREAT | O_NOFOLLOW | O_TRUNC | O_RDWR, 0644);
+
+  if (fd >= 0) {
+
+    (void)write(fd, buf, buf_size);
+    close(fd);
+
+  }
+
+  return;
+
+}
+
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data);
+
+}
+

docs/Changelog.md

@@ -4,8 +4,14 @@
   release of the tool. See README.md for the general instruction manual.
 
 ### Version ++4.05a (dev)
-  - your PR? :)
-
+  - afl-fuzz:
+    - added afl_custom_fuzz_send custom mutator feature. Now your can
+      send fuzz data to the target as you need, e.g. via IPC.
+    - cmplog mode now has -l R option for random colorization, thanks
+      to guyf2010 for the PR!
+  - afl-showmap/afl-cmin
+    - -t none now translates to -t 120000 (120 seconds)
+  - unicorn_mode updated
 
 ### Version ++4.04c (release)
   - fix gramatron and grammar_mutator build scripts

docs/INSTALL.md

@@ -83,6 +83,7 @@ These build options exist:
 * UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for
   debug purposes
 * DEBUG - no optimization, -ggdb3, all warnings and -Werror
+* LLVM_DEBUG - shows llvm deprecation warnings
 * PROFILING - compile afl-fuzz with profiling information
 * INTROSPECTION - compile afl-fuzz with mutation introspection
 * NO_PYTHON - disable python support

docs/custom_mutators.md

@@ -57,6 +57,7 @@ int afl_custom_post_trim(void *data, unsigned char success);
 size_t afl_custom_havoc_mutation(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf, size_t max_size);
 unsigned char afl_custom_havoc_mutation_probability(void *data);
 unsigned char afl_custom_queue_get(void *data, const unsigned char *filename);
+void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size);
 u8 afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue);
 const char* afl_custom_introspection(my_mutator_t *data);
 void afl_custom_deinit(void *data);
@@ -98,6 +99,9 @@ def havoc_mutation_probability():
 def queue_get(filename):
     return True
 
+def fuzz_send(buf):
+    pass
+
 def queue_new_entry(filename_new_queue, filename_orig_queue):
     return False
 
@@ -168,6 +172,13 @@ def deinit():  # optional for Python
     to the target, e.g. if it is too short, too corrupted, etc. If so,
     return a NULL buffer and zero length (or a 0 length string in Python).
 
+- `fuzz_send` (optional):
+
+    This method can be used if you want to send data to the target yourself,
+    e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
+    that you start the target with afl-fuzz.
+    Example: [custom_mutators/examples/custom_send.c](custom_mutators/examples/custom_send.c)
+
 - `queue_new_entry` (optional):
 
     This methods is called after adding a new test case to the queue. If the
@@ -269,10 +280,10 @@ sudo apt install python-dev
 ```
 
 Then, AFL++ can be compiled with Python support. The AFL++ Makefile detects
-Python 2 and 3 through `python-config` if it is in the PATH and compiles
-`afl-fuzz` with the feature if available.
+Python3 through `python-config`/`python3-config` if it is in the PATH and
+compiles `afl-fuzz` with the feature if available.
 
-Note: for some distributions, you might also need the package `python[23]-apt`.
+Note: for some distributions, you might also need the package `python[3]-apt`.
 In case your setup is different, set the necessary variables like this:
 `PYTHON_INCLUDE=/path/to/python/include LDFLAGS=-L/path/to/python/lib make`.
 

dynamic_list.txt

@@ -8,6 +8,7 @@
   "__afl_auto_first";
   "__afl_auto_init";
   "__afl_auto_second";
+  "__afl_connected";
   "__afl_coverage_discard";
   "__afl_coverage_interesting";
   "__afl_coverage_off";

include/afl-fuzz.h

@@ -333,6 +333,7 @@ enum {
   /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY,
   /* 12 */ PY_FUNC_INTROSPECTION,
   /* 13 */ PY_FUNC_DESCRIBE,
+  /* 14 */ PY_FUNC_FUZZ_SEND,
   PY_FUNC_COUNT
 
 };
@@ -656,7 +657,7 @@ typedef struct afl_state {
   u32 cmplog_max_filesize;
   u32 cmplog_lvl;
   u32 colorize_success;
-  u8  cmplog_enable_arith, cmplog_enable_transform;
+  u8  cmplog_enable_arith, cmplog_enable_transform, cmplog_random_colorization;
 
   struct afl_pass_stat *pass_stats;
   struct cmp_map       *orig_cmp_map;
@@ -968,6 +969,19 @@ struct custom_mutator {
    */
   u8 (*afl_custom_queue_get)(void *data, const u8 *filename);
 
+  /**
+   * This method can be used if you want to send data to the target yourself,
+   * e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
+   * that you start the target with afl-fuzz.
+   *
+   * (Optional)
+   *
+   * @param data pointer returned in afl_custom_init by this custom mutator
+   * @param buf Buffer containing the test case
+   * @param buf_size Size of the test case
+   */
+  void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size);
+
   /**
    * Allow for additional analysis (e.g. calling a different tool that does a
    * different kind of coverage and saves this for the custom mutator).
@@ -1022,6 +1036,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
 void                   finalize_py_module(void *);
 
 u32         fuzz_count_py(void *, const u8 *, size_t);
+void        fuzz_send_py(void *, const u8 *, size_t);
 size_t      post_process_py(void *, u8 *, size_t, u8 **);
 s32         init_trim_py(void *, u8 *, size_t);
 s32         post_trim_py(void *, u8);

include/envs.h

@@ -42,6 +42,7 @@ static char *afl_environment_variables[] = {
     "AFL_DEBUG",
     "AFL_DEBUG_CHILD",
     "AFL_DEBUG_GDB",
+    "AFL_DEBUG_UNICORN",
     "AFL_DISABLE_TRIM",
     "AFL_DISABLE_LLVM_INSTRUMENTATION",
     "AFL_DONT_OPTIMIZE",

instrumentation/README.lto.md

@@ -118,10 +118,11 @@ cmake \
     -DLLVM_LINK_LLVM_DYLIB="ON" \
     -DLLVM_TARGETS_TO_BUILD="host" \
     ../llvm/
+# NOTE: for llvm 16 this needs to be changed to:
+#    -DLLVM_ENABLE_PROJECTS='clang;compiler-rt;lld' \
+#    -DLLVM_ENABLE_RUNTIMES='libcxx;libcxxabi' \
 cmake --build . -j4
-export PATH="$(pwd)/bin:$PATH"
 export LLVM_CONFIG="$(pwd)/bin/llvm-config"
-export LD_LIBRARY_PATH="$(llvm-config --libdir)${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 cd /path/to/AFLplusplus/
 make
 sudo make install

instrumentation/afl-compiler-rt.o.c

@@ -105,6 +105,9 @@ u32 __afl_dictionary_len;
 u64 __afl_map_addr;
 u32 __afl_first_final_loc;
 
+/* 1 if we are running in afl, and the forkserver was started, else 0 */
+u32 __afl_connected = 0;
+
 // for the __AFL_COVERAGE_ON/__AFL_COVERAGE_OFF features to work:
 int        __afl_selective_coverage __attribute__((weak));
 int        __afl_selective_coverage_start_off __attribute__((weak));
@@ -1051,6 +1054,8 @@ static void __afl_start_forkserver(void) {
 
   if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; }
 
+  __afl_connected = 1;
+
   if (__afl_sharedmem_fuzzing || (__afl_dictionary_len && __afl_dictionary)) {
 
     if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
@@ -1261,48 +1266,38 @@ int __afl_persistent_loop(unsigned int max_cnt) {
        iteration, it's our job to erase any trace of whatever happened
        before the loop. */
 
-    if (is_persistent) {
-
-      memset(__afl_area_ptr, 0, __afl_map_size);
-      __afl_area_ptr[0] = 1;
-      memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
-
-    }
+    memset(__afl_area_ptr, 0, __afl_map_size);
+    __afl_area_ptr[0] = 1;
+    memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
 
     cycle_cnt = max_cnt;
     first_pass = 0;
     __afl_selective_coverage_temp = 1;
 
     return 1;
 
-  }
-
-  if (is_persistent) {
-
-    if (--cycle_cnt) {
+  } else if (--cycle_cnt) {
 
-      raise(SIGSTOP);
+    raise(SIGSTOP);
 
-      __afl_area_ptr[0] = 1;
-      memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
-      __afl_selective_coverage_temp = 1;
+    __afl_area_ptr[0] = 1;
+    memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
+    __afl_selective_coverage_temp = 1;
 
-      return 1;
+    return 1;
 
-    } else {
+  } else {
 
-      /* When exiting __AFL_LOOP(), make sure that the subsequent code that
-         follows the loop is not traced. We do that by pivoting back to the
-         dummy output region. */
+    /* When exiting __AFL_LOOP(), make sure that the subsequent code that
+        follows the loop is not traced. We do that by pivoting back to the
+        dummy output region. */
 
-      __afl_area_ptr = __afl_area_ptr_dummy;
+    __afl_area_ptr = __afl_area_ptr_dummy;
 
-    }
+    return 0;
 
   }
 
-  return 0;
-
 }
 
 /* This one can be called from user code when deferred forkserver mode