Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2015-04-16 14:14:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-04-12 00:11:15.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-04-16 14:14:15.000000000 +0200 
@@ -1,0 +2,42 @@ +Thu Apr 16 07:19:18 UTC 2015 - [email protected] + +- afl 1.69b: + - Added support for deferred initialization in LLVM mode. +- afl 1.68b: + - Fixed a minor PRNG glitch that would make the first seconds of + a fuzzing job deterministic. + - Made tmp[] static in the LLVM runtime to keep Valgrind happy + - Clarified the footnote in README. + +------------------------------------------------------------------- +Mon Apr 13 19:58:55 UTC 2015 - [email protected] + +- afl 1.67b: + - One more correction to llvm_mode Makefile +- afl 1.66b: + - Added CC / CXX support to llvm_mode Makefile + - Fixed 'make clean' with gmake + - Fixed 'make -j n clean all' + - Removed build date and time from banners to give people deterministic + builds + - drop afl-1.46b-nodate.patch, thus obsoleted + +------------------------------------------------------------------- +Mon Apr 13 15:11:11 UTC 2015 - [email protected] + +- afl 1.65b: + - Fixed a snafu with some leftover code in afl-clang-fast. + - Corrected even moar typos. + +------------------------------------------------------------------- +Sun Apr 12 09:41:38 UTC 2015 - [email protected] + +- afl 1.64b: + - improve compatibility with non-ELF platforms. + - Fixed a problem with afl-clang-fast and -shared libraries. + - Removed unnecessary instrumentation density adjustment for LLVM +- includes changes from 1.63b: + - Updated cgroups_asan/ + - Fixed typos + +------------------------------------------------------------------- Old: ---- afl-1.46b-nodate.patch afl-1.62b.tgz New: ---- afl-1.69b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.vN4Arh/_old 2015-04-16 14:14:15.000000000 +0200 +++ /var/tmp/diff_new_pack.vN4Arh/_new 2015-04-16 14:14:15.000000000 +0200 @@ -17,7 +17,7 @@ Name: afl -Version: 1.62b +Version: 1.69b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 
@@ -25,7 +25,6 @@ Url: http://lcamtuf.coredump.cx/afl/ Source: http://lcamtuf.coredump.cx/afl/releases/%{name}-%{version}.tgz Source1: afl-rpmlintrc -Patch0: afl-1.46b-nodate.patch Patch1: afl-1.58b-fix-paths.patch BuildRequires: gcc-c++ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -37,7 +36,6 @@ %prep %setup -q -%patch0 -p1 %patch1 -p1 %build ++++++ afl-1.62b.tgz -> afl-1.69b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/Makefile new/afl-1.69b/Makefile --- old/afl-1.62b/Makefile 2015-04-10 03:40:25.000000000 +0200 +++ new/afl-1.69b/Makefile 2015-04-16 08:11:39.000000000 +0200 @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 1.62b +VERSION = 1.69b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -100,10 +100,12 @@ @echo "[+] All done! Be sure to review README - it's pretty short and useful." @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null +.NOTPARALLEL: clean + clean: rm -f $(PROGS) as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.2.0.tar.bz2 afl-qemu-trace rm -rf out_dir qemu_mode/qemu-2.2.0 - cd llvm_mode && make clean + $(MAKE) -C llvm_mode clean ifndef AFL_NOX86 install: all diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/afl-as.c new/afl-1.69b/afl-as.c --- old/afl-1.62b/afl-as.c 2015-03-18 08:18:47.000000000 +0100 +++ new/afl-1.69b/afl-as.c 2015-04-13 20:14:13.000000000 +0200 
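Review bot: `.NOTPARALLEL: clean` serializes more than the clean target: GNU make releases current at this date ignore the prerequisites of `.NOTPARALLEL` and run the whole invocation serially as soon as the special target is mentioned (per-target semantics only arrived in 4.4), so every `make -j n` of this Makefile, and of llvm_mode/Makefile which adds the same line, silently loses parallelism. If that trade is intended, record it next to the line, `# .NOTPARALLEL with prerequisites is whole-file on older GNU make; accepted so 'make -j n clean all' cannot race`; otherwise documenting `make clean && make -j n` avoids the race without the cost. The `$(MAKE) -C llvm_mode clean` replacement for `cd llvm_mode && make clean` is the right fix for the gmake issue named in the ChangeLog.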
@@ -471,8 +471,7 @@ if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(cCYA "afl-as " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-as " cBRI VERSION cRST " by <[email protected]>\n"); } else be_quiet = 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/afl-fuzz.c new/afl-1.69b/afl-fuzz.c --- old/afl-1.62b/afl-fuzz.c 2015-04-10 04:06:54.000000000 +0200 +++ new/afl-1.69b/afl-fuzz.c 2015-04-15 07:38:00.000000000 +0200 @@ -175,7 +175,7 @@ static u64 stage_finds[32], /* Patterns found per fuzz stage */ stage_cycles[32]; /* Execs per fuzz stage */ -static u32 rand_cnt = RESEED_RNG; /* Random number counter */ +static u32 rand_cnt; /* Random number counter */ static u64 total_cal_us, /* Total calibration time (us) */ total_cal_cycles; /* Total calibration cycles */ @@ -6859,8 +6859,7 @@ char** use_argv; - SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " by <[email protected]>\n"); doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/afl-gcc.c new/afl-1.69b/afl-gcc.c --- old/afl-1.62b/afl-gcc.c 2015-03-06 17:02:32.000000000 +0100 +++ new/afl-1.69b/afl-gcc.c 2015-04-13 20:14:05.000000000 +0200 @@ -276,8 +276,7 @@ if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(cCYA "afl-cc " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-cc " cBRI VERSION cRST " by <[email protected]>\n"); } else be_quiet = 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/afl-gotcpu.c new/afl-1.69b/afl-gotcpu.c --- old/afl-1.62b/afl-gotcpu.c 2015-01-29 10:31:07.000000000 +0100 +++ new/afl-1.69b/afl-gotcpu.c 2015-04-13 20:13:55.000000000 +0200 
@@ -77,8 +77,7 @@ s32 loop_repeats = 0, util_perc; u64 st_t, en_t, st_c, en_c, real_delta, slice_delta; - SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <[email protected]>\n"); /* Run a busy loop for CTEST_TARGET_MS. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/afl-showmap.c new/afl-1.69b/afl-showmap.c --- old/afl-1.62b/afl-showmap.c 2015-04-08 06:20:17.000000000 +0200 +++ new/afl-1.69b/afl-showmap.c 2015-04-13 20:13:45.000000000 +0200 @@ -416,8 +416,7 @@ static void show_banner(void) { - SAYF(cCYA "afl-showmap " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-showmap " cBRI VERSION cRST " by <[email protected]>\n"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/afl-tmin.c new/afl-1.69b/afl-tmin.c --- old/afl-1.62b/afl-tmin.c 2015-04-08 07:29:42.000000000 +0200 +++ new/afl-1.69b/afl-tmin.c 2015-04-13 20:14:29.000000000 +0200 @@ -899,8 +899,7 @@ doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - SAYF(cCYA "afl-tmin " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-tmin " cBRI VERSION cRST " by <[email protected]>\n"); while ((opt = getopt(argc,argv,"+i:o:f:m:t:xeQ")) > 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/ChangeLog new/afl-1.69b/docs/ChangeLog --- old/afl-1.62b/docs/ChangeLog 2015-04-10 16:15:53.000000000 +0200 +++ new/afl-1.69b/docs/ChangeLog 2015-04-16 08:04:57.000000000 +0200 
@@ -17,6 +17,76 @@
 to get on with the times.
 --------------
+Version 1.69b:
+--------------
+
+ - Added support for deferred initialization in LLVM mode. Suggested by
+ Richard Godbee.
+
+--------------
+Version 1.68b:
+--------------
+
+ - Fixed a minor PRNG glitch that would make the first seconds of a fuzzing
+ job deterministic. Thanks to Andreas Stieger.
+
+ - Made tmp[] static in the LLVM runtime to keep Valgrind happy (this had
+ no impact on anything else). Spotted by Richard Godbee.
+
+ - Clarified the footnote in README.
+
+--------------
+Version 1.67b:
+--------------
+
+ - Made one more correction to llvm_mode Makefile, spotted by Jakub Wilk.
+
+--------------
+Version 1.66b:
+--------------
+
+ - Added CC / CXX support to llvm_mode Makefile. Requested by Charlie Eriksen.
+
+ - Fixed 'make clean' with gmake. Suggested by Oliver Schneider.
+
+ - Fixed 'make -j n clean all'. Suggested by Oliver Schneider.
+
+ - Removed build date and time from banners to give people deterministic
+ builds. Requested by Jakub Wilk.
+
+--------------
+Version 1.65b:
+--------------
+
+ - Fixed a snafu with some leftover code in afl-clang-fast.
+
+ - Corrected even moar typos.
+
+--------------
+Version 1.64b:
+--------------
+
+ - Further simplified afl-clang-fast runtime by reverting .init_array to
+ __attribute__((constructor(0)). This should improve compatibility with
+ non-ELF platforms.
+
+ - Fixed a problem with afl-clang-fast and -shared libraries. Simplified
+ the code by getting rid of .preinit_array and replacing it with a .comm
+ object. Problem reported by Charlie Eriksen.
+
+ - Removed unnecessary instrumentation density adjustment for the LLVM mode.
+ Reported by Jonathan Neuschafer.
+
+--------------
+Version 1.63b:
+--------------
+
+ - Updated cgroups_asan/ with a new version from Sam, made a couple changes
+ to streamline it and keep parallel afl instances in separate groups.
+
+ - Fixed typos, thanks to Jakub Wilk.
+ +-------------- Version 1.62b: -------------- @@ -62,6 +132,8 @@ - Made assorted updates to docs. + - Added MEM_BARRIER() to afl-showmap and afl-tmin, just to be safe. + -------------- Version 1.59b: -------------- @@ -884,7 +956,7 @@ -------------- - Added support for plotting, with design and implementation based on a - prototype design proposed by by Michael Rash. Huge thanks! + prototype design proposed by Michael Rash. Huge thanks! - Added afl-plot.sh, which allows you to, well, generate a nice plot using this data. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/README new/afl-1.69b/docs/README --- old/afl-1.62b/docs/README 2015-04-09 04:06:46.000000000 +0200 +++ new/afl-1.69b/docs/README 2015-04-16 08:05:12.000000000 +0200 @@ -422,6 +422,7 @@ Aidan Thornton Aleksandar Nikolich Sam Hakim Laszlo Szekeres David A. Wheeler Turo Lamminen + Andreas Stieger Richard Godbee Thank you! @@ -438,8 +439,9 @@ https://groups.google.com/group/afl-users PS. If you wish to submit raw code to be incorporated into the project, please -be aware that the copyright on AFL is formally claimed by Google, and they do -ask contributors to agree to a simple CLA first: +be aware that the copyright on most of AFL is claimed by Google. While you do +retain copyright on your contributions, they do ask people to agree to a simple +CLA first: https://cla.developers.google.com/clas diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/env_variables.txt new/afl-1.69b/docs/env_variables.txt --- old/afl-1.62b/docs/env_variables.txt 2015-04-10 05:54:12.000000000 +0200 +++ new/afl-1.69b/docs/env_variables.txt 2015-04-16 08:07:39.000000000 +0200 
@@ -110,6 +110,10 @@ may complain of high load prematurely, especially on systems with low core counts. To avoid the alarming red color, you can set AFL_NO_CPU_RED. + - In LLVM mode, AFL_DEFER_FORKSRV can be set to require the forkserver to + be initialized manually (see llvm_mode/README.llvm). This setting has no + effect for progrms not compiled with afl-clang-fast. + 3) Settings for afl-qemu-trace ------------------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/historical_notes.txt new/afl-1.69b/docs/historical_notes.txt --- old/afl-1.62b/docs/historical_notes.txt 2015-03-05 09:23:15.000000000 +0100 +++ new/afl-1.69b/docs/historical_notes.txt 2015-04-11 19:54:48.000000000 +0200 @@ -36,8 +36,8 @@ https://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc -There has been a fair amount of independent work, too. Most notably, few weeks -earlier that year, Jared DeMott had a Defcon presentation about a +There has been a fair amount of independent work, too. Most notably, a few +weeks earlier that year, Jared DeMott had a Defcon presentation about a coverage-driven fuzzer that relied on coverage as a fitness function. Jared's approach was by no means identical to what afl-fuzz does, but it was in 
@@ -45,7 +45,7 @@ with a single input file; in comparison, afl simply selects for cases that do something new (which yields better results - see technical_details.txt). -Few years later, Gabriel Campana released fuzzgrind, a tool that relied purely +A few years later, Gabriel Campana released fuzzgrind, a tool that relied purely on Valgrind and a constraint solver to maximize coverage without any brute-force bits; and Microsoft Research folks talked extensively about their still non-public, solver-based SAGE framework. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/perf_tips.txt new/afl-1.69b/docs/perf_tips.txt --- old/afl-1.62b/docs/perf_tips.txt 2015-04-09 04:09:29.000000000 +0200 +++ new/afl-1.69b/docs/perf_tips.txt 2015-04-16 08:06:09.000000000 +0200 @@ -86,6 +86,9 @@ equivalent calls. Some programs may intentionally call sleep(), usleep(), or nanosleep(), etc. +In programs that are slow due to unavoidable initialization overhead, you may +want to try the LLVM deferred forkserver mode (see llvm_mode/README.llvm). + Last but not least, if you are using ASAN and the performance is unacceptable, consider turning it off for now, and manually examining the generated corpus with an ASAN-enabled binary later on. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/vuln_samples/sqlite-negative-memset.sql new/afl-1.69b/docs/vuln_samples/sqlite-negative-memset.sql --- old/afl-1.62b/docs/vuln_samples/sqlite-negative-memset.sql 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.69b/docs/vuln_samples/sqlite-negative-memset.sql 2015-04-11 01:16:44.000000000 +0200 
@@ -0,0 +1 @@ +SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/vuln_samples/sqlite-null-ptr12.sql new/afl-1.69b/docs/vuln_samples/sqlite-null-ptr12.sql --- old/afl-1.62b/docs/vuln_samples/sqlite-null-ptr12.sql 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.69b/docs/vuln_samples/sqlite-null-ptr12.sql 2015-04-12 01:08:40.000000000 +0200 @@ -0,0 +1 @@ +PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/vuln_samples/sqlite-null-ptr13.sql new/afl-1.69b/docs/vuln_samples/sqlite-null-ptr13.sql --- old/afl-1.62b/docs/vuln_samples/sqlite-null-ptr13.sql 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.69b/docs/vuln_samples/sqlite-null-ptr13.sql 2015-04-12 05:29:47.000000000 +0200 @@ -0,0 +1 @@ +WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/docs/vuln_samples/sqlite-use-after-free.sql new/afl-1.69b/docs/vuln_samples/sqlite-use-after-free.sql --- old/afl-1.62b/docs/vuln_samples/sqlite-use-after-free.sql 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.69b/docs/vuln_samples/sqlite-use-after-free.sql 2015-04-16 01:18:54.000000000 +0200 
@@ -0,0 +1 @@ +create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/experimental/asan_cgroups/limit_memory.sh new/afl-1.69b/experimental/asan_cgroups/limit_memory.sh --- old/afl-1.62b/experimental/asan_cgroups/limit_memory.sh 2015-04-09 07:34:36.000000000 +0200 +++ new/afl-1.69b/experimental/asan_cgroups/limit_memory.sh 2015-04-11 03:39:55.000000000 +0200 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env bash # # american fuzzy lop - limit memory using cgroups # ----------------------------------------------- @@ -6,6 +6,9 @@ # Written by Samir Khakimov <[email protected]> and # David A. Wheeler <[email protected]> # +# Edits to bring the script in line with afl-cmin and other companion scripts +# by Michal Zalewski <[email protected]>. All bugs are my fault. +# # Copyright 2015 Institute for Defense Analyses. # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -16,129 +19,139 @@ # # This tool allows the amount of actual memory allocated to a program # to be limited on Linux systems using cgroups, instead of the traditional -# setrlimit() API. This helps avoid the problems discussed in +# setrlimit() API. This helps avoid the address space problems discussed in # docs/notes_for_asan.txt. # -# Note that this is a contributed script and its coding conventions and -# error reporting differs a bit from the ones used in tools such as afl-cmin. +# Important: the limit covers *both* afl-fuzz and the fuzzed binary. In some +# hopefully rare circumstances, afl-fuzz could be killed before the fuzzed +# task. # -usage() { - echo 'Limit memory that can be used without limiting what can be allocated.' - echo 'This is useful when fuzzing 64-bit binaries with ASAN.' - echo 'You need to run this as root; it will run command as user USERNAME.' - echo - echo 'Usage:' - printf '%s\n' " $0 [-u USERNAME] [-m MEMORY_LIMIT] [-h|--help] command..." - echo - echo 'Options:' - echo '-u USERNAME : Run command as USERNAME. It is strongly recommended' - echo ' that you supply a username (to limit privileges).' - echo ' Default is $USER.' - echo '-m MEMORY_LIMIT: Limit the amount of used memory to MEMORY_LIMIT;' - echo ' This does NOT limit the amount of allocated memory.' - echo ' Default is 50M (50 Mebibytes)' - echo '-h,--help: Help' - echo - echo 'Example:' - printf '%s\n' " $0 -u joe afl-fuzz -m none -i input -o output system_under_test" - echo 'Limitations:' - echo 'Any whitespace in 'command' is interpreted as a parameter separator,' - echo 'due to limitations in the syntax of "su".' -} +echo "cgroup tool for afl-fuzz by <[email protected]> and <[email protected]>" +echo -NEW_USER="" -MEMORY_LIMIT="50M" +unset NEW_USER +MEM_LIMIT="50" -# Sanity checks. +while getopts "+u:m:" opt; do -if [ "$(uname -s)" != 'Linux' ] ; then - echo "Need to be running on a Linux system" >&2 - exit 1 -fi + case "$opt" in -if ! 
type cgcreate > /dev/null 2>&1 ; then - echo "Need to install cgroup tools!" >&2 - if type apt-get >/dev/null 2>&1 ; then - echo "Try: apt-get install cgroup-bin" >&2 - elif type yum >/dev/null 2>&1 ; then - echo "Try: yum install libcgroup-tools" >&2 - fi - usage - exit 2 -fi + "u") + NEW_USER="$OPTARG" + ;; -# Process options. + "m") + MEM_LIMIT="$[OPTARG]" + ;; -while [ $# > 0 ] ; do - case "$1" in - -u) - shift - NEW_USER="$1" - shift ;; - -m) - shift - MEMORY_LIMIT="$1" - shift ;; - -h|--help) - usage - exit 0 ;; - --) shift; break ;; - -*) - echo "Unknown option $1" >&2 - echo "Use -h for help" >&2 - exit 3 ;; - *) break ;; - esac -done + "?") + exit 1 + ;; -# Defaults -# If username unspecified, use $USER + esac -if [ "$NEW_USER" = "" ] ; then - NEW_USER="$USER" +done + +if [ "$MEM_LIMIT" -lt "5" ]; then + echo "[-] Error: malformed or dangerously low value of -m." 1>&2 + exit 1 fi -if ! id -u "$NEW_USER" > /dev/null 2>&1 ; then - echo "$NEW_USER is invalid user" >&2 - exit 4 +shift $((OPTIND-1)) + +TARGET_BIN="$1" + +if [ "$TARGET_BIN" = "" -o "$NEW_USER" = "" ]; then + + cat 1>&2 <<_EOF_ +Usage: $0 [ options ] -- /path/to/afl-fuzz [ ...afl options... ] + +Required parameters: + + -u user - run the fuzzer as a specific user after setting up limits + +Optional parameters: + + -m megs - set memory limit to a specified value ($MEM_LIMIT MB) + +This tool configures cgroups-based memory limits for a fuzzing job to simplify +the task of fuzzing ASAN or MSAN binaries. You would normally want to use it in +conjunction with '-m none' passed to the afl-fuzz binary itself, say: + + $0 -u joe ./afl-fuzz -i input -o output -m none /path/to/target + +_EOF_ + + exit 1 + fi -# If no command provided, use "sh" as command +# Basic sanity checks -if [ $# = 0 ] ; then - set sh +if [ ! "`uname -s`" = "Linux" ]; then + echo "[-] Error: this tool does not support non-Linux systems." 
1>&2 + exit 1 fi -if [ "$NEW_USER" = "root" ] ; then - echo "Warning: executing command as root user" >&2 +if [ ! "`id -u`" = "0" ]; then + echo "[-] Error: you need to run this script as root (sorry!)." 1>&2 + exit 1 fi -if [ ! -d "/sys/fs/cgroup/memory/$NEW_USER" ] ; then - cgcreate -a "$NEW_USER" -g memory:"$NEW_USER" - if [ $? != 0 ] ; then - echo "Could not create memory setting for user $NEW_USER" >&2 - exit 5 +if ! type cgcreate 2>/dev/null 1>&2; then + + echo "[-] Error: you need to install cgroup tools first." 1>&2 + + if type apt-get 2>/dev/null 1>&2; then + echo " (Perhaps 'apt-get install cgroup-bin' will work.)" 1>&2 + elif type yum 2>/dev/null 1>&2; then + echo " (Perhaps 'yum install libcgroup-tools' will work.)" 1>&2 fi + + exit 1 + fi -if [ -f "/sys/fs/cgroup/memory/$NEW_USER/memory.memsw.limit_in_bytes" ] ; then - printf '%s\n' "$MEMORY_LIMIT" > "/sys/fs/cgroup/memory/$NEW_USER/memory.memsw.limit_in_bytes" -else - # This system does not support memsw.limit_in_bytes; - # we must disable swapping for the memory limit to work. - swapoff -a - if [ $? != 0 ] ; then - echo "Could not disable swapping." >&2 - exit 6 - fi +if ! id -u "$NEW_USER" 2>/dev/null 1>&2; then + echo "[-] Error: user '$NEW_USER' does not seem to exist." 1>&2 + exit 1 +fi + +# Create a new cgroup path if necessary... We used PID-keyed groups to keep +# parallel afl-fuzz tasks separate from each other. + +CID="afl-$NEW_USER-$$" + +CPATH="/sys/fs/cgroup/memory/$CID" + +if [ ! -d "$CPATH" ]; then + + cgcreate -a "$NEW_USER" -g memory:"$CID" || exit 1 + fi -printf '%s\n' "$MEMORY_LIMIT" > "/sys/fs/cgroup/memory/$NEW_USER/memory.limit_in_bytes" +# Set the appropriate limit... 
+ +if [ -f "$CPATH/memory.memsw.limit_in_bytes" ]; then + + echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" 2>/dev/null + echo "${MEM_LIMIT}M" > "$CPATH/memory.memsw.limit_in_bytes" || exit 1 + echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" || exit 1 + +elif grep -qE 'partition|file' /proc/swaps; then + + echo "[-] Error: your system requires swap to be disabled first (swapoff -a)." 1>&2 + exit 1 + +else + + echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" || exit 1 -if [ $? != 0 ] ; then - echo "Could not set memory limit" >&2 - exit 7 fi -cgexec -g "memory:$NEW_USER" su -c "$*" "$NEW_USER" +# All right. At this point, we can just run the command. + +cgexec -g "memory:$CID" su -c "$*" "$NEW_USER" + +cgdelete -g "memory:$CID" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/llvm_mode/Makefile new/afl-1.69b/llvm_mode/Makefile --- old/afl-1.62b/llvm_mode/Makefile 2015-04-10 16:15:17.000000000 +0200 +++ new/afl-1.69b/llvm_mode/Makefile 2015-04-13 20:49:15.000000000 +0200 
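Review bot: The script's exit status is `cgdelete`'s rather than the fuzzer's, because `cgdelete -g "memory:$CID"` is the last command after the `cgexec -g "memory:$CID" su -c "$*" "$NEW_USER"` line; capture it first with `RET=$?` right after the cgexec line and finish with `exit $RET` after cgdelete, so a failed afl-fuzz run is visible to whatever launched this script. `MEM_LIMIT="$[OPTARG]"` uses the obsolete `$[...]` arithmetic form and evaluates any expression rather than checking for a number; `$((OPTARG))` is the portable spelling, and a `[[ "$OPTARG" =~ ^[0-9]+$ ]]` test before it would reject non-numeric input instead of silently evaluating it. The new usage text drops the old usage() caveat that `su -c "$*"` re-splits the command on whitespace, which still applies to this line and is worth keeping in the heredoc. The `|| exit 1` paths after a successful `cgcreate` leave the freshly created group behind, since `cgdelete` only runs on the normal path, and the comment "We used PID-keyed groups" presumably means "We use".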
@@ -40,18 +40,22 @@ # this seems to be busted on some distros, so using the one in $PATH is # probably better. +ifeq "$(findstring clang, $(CC))" "" + CC = clang CXX = clang++ +endif + PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o all: test_deps $(PROGS) test_build all_done test_deps: @echo "[*] Checking for working 'llvm-config'..." - @which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) + @which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) @echo "[*] Checking for working '$(CC)'..." - @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH."; exit 1 ) + @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 ) @echo "[*] Checking for '../afl-showmap'..." @test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 ) @echo "[+] All set and ready to build." @@ -78,6 +82,8 @@ all_done: test_build @echo "[+] All done! You can now use '../afl-clang-fast' to compile programs." +.NOTPARALLEL: clean + clean: rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 rm -f $(PROGS) ../afl-clang-fast++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/llvm_mode/README.llvm new/afl-1.69b/llvm_mode/README.llvm --- old/afl-1.62b/llvm_mode/README.llvm 2015-04-09 20:16:44.000000000 +0200 +++ new/afl-1.69b/llvm_mode/README.llvm 2015-04-16 08:04:18.000000000 +0200 
@@ -9,7 +9,7 @@ The code in this directory allows you to instrument programs for AFL using true compiler-level instrumentation, instead of the more crude -assembly-level rewriting approach taken by by afl-gcc afl-clang. This has +assembly-level rewriting approach taken by afl-gcc and afl-clang. This has several interesting properties: - The compiler can make many optimizations that are hard to pull off when @@ -40,9 +40,16 @@ system. You should also make sure that the llvm-config tool is in your path; if not, be sure to set LLVM_CONFIG in the environment beforehand. -To build, type 'make'. This will generate binaries called afl-clang-fast and -afl-clang-fast++ in the parent directory. Once this is done, you can instrument -third-party code in a way similar to the standard operating mode of AFL, e.g.: +Unfortunately, some systems come without llvm-config or the LLVM development +headers. In such a case, you may have to do a full install on your own, or +download pre-built binaries from: + + http://llvm.org/releases/download.html + +To build the instrumentation, type 'make'. This will generate binaries called +afl-clang-fast and afl-clang-fast++ in the parent directory. Once this is done, +you can instrument third-party code in a way similar to the standard operating +mode of AFL, e.g.: CC=/path/to/afl/afl-clang-fast ./configure [...options...] make 
@@ -65,3 +72,44 @@ This is an early-stage mechanism, so field reports are welcome. You can send bug reports to <[email protected]>. + +4) Bonus feature: deferred instrumentation +------------------------------------------ + +AFL tries to optimize performance by executing the targeted binary just once, +stopping it just before main(), and then cloning this "master" process to get +a steady supply of targets to fuzz. + +Although this approach eliminates much of the OS-, linker- and libc-level +costs of executing the program, it does not always help with binaries that +perform other time-consuming initialization steps before getting to the input +file. + +In such cases, it would be beneficial to initialize the forkserver a bit later, +once most of the initialization work is already done, and the binary is about +to read the fuzzed input and parse it. You can do this in LLVM mode in a fairly +simple way: + +1) First, locate a suitable location in the code for the deferred initialization + to take place. This needs to be done with *extreme* care to avoid breaking + the binary. In particular, the program will probably malfunction if the + initialization happens after: + + - The creation of any vital threads or child processes - since the forkserver + can't clone them easily. + + - The creation of temporary files, network sockets, offset-sensitive file + descriptors, and similar shared-state resources - but only provided that + they actually influence the behavior of the program later on. + + - Any access to the fuzzed input or the metadata about its size. + +2) Next, insert the following global function declaration somewhere in the + source file: + + void __afl_manual_init(void); + + ...and add a call to this function in the desired location before recompiling + the project with afl-clang-fast (afl-gcc and afl-clang will *not* work). + +3) Finally, be sure to set AFL_DEFER_FORKSRV=1 before invoking afl-fuzz. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/llvm_mode/afl-clang-fast.c new/afl-1.69b/llvm_mode/afl-clang-fast.c --- old/afl-1.62b/llvm_mode/afl-clang-fast.c 2015-04-10 03:39:22.000000000 +0200 +++ new/afl-1.69b/llvm_mode/afl-clang-fast.c 2015-04-13 20:14:44.000000000 +0200 @@ -36,7 +36,6 @@ static u8* obj_path; /* Path to runtime libraries */ static u8** cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ -static u8 maybe_linking = 1; /* Probably linking? */ /* Try to find the runtime libraries. If that fails, abort. */ @@ -97,7 +96,7 @@ static void edit_params(u32 argc, char** argv) { - u8 fortify_set = 0, asan_set = 0, x_set = 0; + u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; u8 *name; cc_params = ck_alloc((argc + 32) * sizeof(u8*)); @@ -149,25 +148,23 @@ } - if (asan_set) { + if (!asan_set) { - /* Pass this on to afl-llvm-pass to adjust map density. */ + if (getenv("AFL_USE_ASAN")) { - setenv("AFL_USE_ASAN", "1", 1); + cc_params[cc_par_cnt++] = "-fsanitize=address"; - } else if (getenv("AFL_USE_ASAN")) { + if (getenv("AFL_USE_MSAN")) + FATAL("ASAN and MSAN are mutually exclusive"); - cc_params[cc_par_cnt++] = "-fsanitize=address"; + } else if (getenv("AFL_USE_MSAN")) { - if (getenv("AFL_USE_MSAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + cc_params[cc_par_cnt++] = "-fsanitize=memory"; - } else if (getenv("AFL_USE_MSAN")) { + if (getenv("AFL_USE_ASAN")) + FATAL("ASAN and MSAN are mutually exclusive"); - cc_params[cc_par_cnt++] = "-fsanitize=memory"; - - if (getenv("AFL_USE_ASAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + } } @@ -187,6 +184,7 @@ } cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path); + } cc_params[cc_par_cnt] = NULL; 
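Review bot: In the restructured block under `if (!asan_set) {`, setting AFL_USE_MSAN while the command line already carries `-fsanitize=address` is now silently ignored, whereas the environment-only combination still reaches `FATAL("ASAN and MSAN are mutually exclusive")`; the old chain had the same gap, but since this hunk rewrites the branch it is the place to close it, e.g. an `else if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");` attached to the `!asan_set` test. Moving `maybe_linking` from a file-static into `edit_params()` correctly narrows its scope, and a short comment on that declaration, `/* set to 0 below when -c/-S/-E style flags mean no link step */`, would record why it is a local now; the flag-clearing lines are outside the hunk, so that wording is an assumption to confirm. `edit_params()` begins before and continues past the visible hunks.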
@@ -200,8 +198,7 @@ if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(cCYA "afl-clang-fast " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-clang-fast " cBRI VERSION cRST " by <[email protected]>\n"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/llvm_mode/afl-llvm-pass.so.cc new/afl-1.69b/llvm_mode/afl-llvm-pass.so.cc --- old/afl-1.62b/llvm_mode/afl-llvm-pass.so.cc 2015-04-10 05:18:04.000000000 +0200 +++ new/afl-1.69b/llvm_mode/afl-llvm-pass.so.cc 2015-04-13 20:14:55.000000000 +0200 @@ -77,8 +77,7 @@ if (isatty(2) && !getenv("AFL_QUIET")) { - SAYF(cCYA "afl-llvm-pass " cBRI VERSION cRST " (" __DATE__ " " __TIME__ - ") by <[email protected]>\n"); + SAYF(cCYA "afl-llvm-pass " cBRI VERSION cRST " by <[email protected]>\n"); } else be_quiet = 1; @@ -95,11 +94,6 @@ } - if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) { - inst_ratio /= 3; - if (!inst_ratio) inst_ratio = 1; - } - /* Get globals for the SHM region and the previous location. */ GlobalVariable *AFLMapPtr = diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.62b/llvm_mode/afl-llvm-rt.o.c new/afl-1.69b/llvm_mode/afl-llvm-rt.o.c --- old/afl-1.62b/llvm_mode/afl-llvm-rt.o.c 2015-04-10 04:09:44.000000000 +0200 +++ new/afl-1.69b/llvm_mode/afl-llvm-rt.o.c 2015-04-16 08:12:29.000000000 +0200 
@@ -27,43 +27,31 @@ #include <sys/shm.h> #include <sys/wait.h> #include <unistd.h> +#include <assert.h> -/* Globals needed by the injected instrumentation. */ +/* Globals needed by the injected instrumentation. The __afl_area_initial region + is used for instrumentation output before __afl_map_shm() has a chance to run. + It will end up as .comm, so it shouldn't be too wasteful. */ -u8* __afl_area_ptr; +u8 __afl_area_initial[MAP_SIZE]; +u8* __afl_area_ptr = __afl_area_initial; u16 __afl_prev_loc; - -/* Create some decoy memory as early as possible to get us through any - code that runs before main(). */ - -static void __afl_pre_map(void) { - - __afl_area_ptr = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - - /* Whoops. */ - - if (__afl_area_ptr == (void *)-1) exit(1); - -} - - /* SHM setup. */ static void __afl_map_shm(void) { u8 *id_str = getenv(SHM_ENV_VAR); - /* If we're running under AFL, attach to the appropriate region, get rid - of the early-stage map. */ + /* If we're running under AFL, attach to the appropriate region, replacing the + early-stage __afl_area_initial region that is needed to allow some really + hacky .init code to work correctly in projects such as OpenSSL. */ if (id_str) { u32 shm_id = atoi(id_str); - munmap(__afl_area_ptr, MAP_SIZE); __afl_area_ptr = shmat(shm_id, NULL, 0); /* Whooooops. */ @@ -84,7 +72,7 @@ static void __afl_start_forkserver(void) { - u8 tmp[4]; + static u8 tmp[4]; /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ 
@@ -129,24 +117,30 @@ } -/* Proper initialization routine. */ +/* This one can be called from user code when AFL_DEFER_FORKSRV is set. */ + +void __afl_manual_init(void) { + + static u8 init_done; + + if (!init_done) { + + __afl_map_shm(); + __afl_start_forkserver(); + init_done = 1; + + } -static void __afl_init() { - __afl_map_shm(); - __afl_start_forkserver(); } -/* Now, the tricky part. We want to get __afl_area_ptr assigned as soon - as possible, so that custom assembly that calls C code from .init - doesn't cause segfaults (hello, OpenSSL). But at this stage, getenv() - will not work, so we just use the dummy handler. */ +/* Proper initialization routine. */ + +__attribute__((constructor(0))) void __afl_auto_init(void) { -__attribute__((section(".preinit_array"), used)) - static void (*__afl_preinit_f)(void) = __afl_pre_map; + if (getenv("AFL_DEFER_FORKSRV")) return; + __afl_manual_init(); + +} -/* With this out of the way, we can wait until just before main() to - do the whole shmat() and forkserver thing. */ -__attribute__((section(".init_array"), used)) - static void (*__afl_init_f)(void) = __afl_init;
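Review bot: `__attribute__((constructor(0)))` on `__afl_auto_init` uses a priority inside the range GCC reserves for the implementation (0–100), and recent GCC warns about it; the 1.64b ChangeLog entry says this form was chosen over .init_array/.preinit_array for non-ELF compatibility, so a one-line comment above it, `/* Priority 0 is implementation-reserved and GCC warns; kept for non-ELF portability (see ChangeLog 1.64b) */`, would stop the next maintainer from raising the priority and changing when __afl_area_ptr gets replaced. `__afl_manual_init()` is now a public entry point but its comment only names the env var; the placement rules from llvm_mode/README.llvm belong on the definition, e.g. `/* Call once, before the program creates threads or child processes or reads the fuzzed input; repeated calls are ignored via init_done. */`. The `init_done` flag is an unsynchronized static, which is fine under that rule but worth stating, since a first call from a non-main thread would race.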
