Package: afl
Version: 2.52b-4
Severity: wishlist

Dear Maintainer,
I noticed that AFL was not working when no instrumentation was compiled
into the target binary. In fact, AFL has a QEMU mode allowing the fuzzer
to run on binary-only programs. If you do not have this support you will
run into the following error:
[-] Oops, unable to find the 'afl-qemu-trace' binary. The binary must be
built separately by following the instructions in
qemu_mode/README.qemu. If you already have the binary installed, you
may need to specify AFL_PATH in the environment.
Of course, even without QEMU, afl-fuzz can still work with binaries
that are instrumented at compile time with afl-gcc. It is also
possible to use it as a traditional "dumb" fuzzer by specifying '-n'
in the command line.
[-] PROGRAM ABORT : Failed to locate 'afl-qemu-trace'.
Location : get_qemu_argv(), afl-fuzz.c:7669
I tried to add the feature to my system (Debian unstable) and was
successful. So, I propose to explain what I did to ease the job of the
maintainer in order to add it to the current Debian AFL package.
After 'apt-get source afl', I went to afl-2.52b/qemu_mode/ and I ran the
build_qemu_support.sh script.
The first bug comes from the fact that the script expects
/usr/bin/libtool and we have /usr/bin/libtoolize. A simple modification
of the build_qemu_support.sh script did the job.
The second problem came from a wrong function declaration in the
QEMU code (declared non-static and defined as static).
I added a memfd_create.diff patch to patches/:
diff -ru qemu-2.10.0-clean/util/memfd.c qemu-2.10.0/util/memfd.c
--- qemu-2.10.0-clean/util/memfd.c 2018-11-20 18:11:00.170271506 +0100
+++ qemu-2.10.0/util/memfd.c 2018-11-20 18:11:13.398423613 +0100
@@ -37,7 +37,7 @@
#include <sys/syscall.h>
#include <asm/unistd.h>
-static int memfd_create(const char *name, unsigned int flags)
+int memfd_create(const char *name, unsigned int flags)
{
#ifdef __NR_memfd_create
return syscall(__NR_memfd_create, name, flags);
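Review bot: dropping `static` on the `memfd_create` definition (the `-static int memfd_create(...)` / `+int memfd_create(...)` pair) silences the compile error only by exporting a second global `memfd_create` next to the wrapper that glibc 2.27 (the libc6 version listed below) declares with the same prototype in <sys/mman.h>; the build then relies on the executable's copy winning over libc's at link time. Keep the function static under a private name instead, e.g. `static int qemu_memfd_create(const char *name, unsigned int flags)`, and update its callers in util/memfd.c, or guard the definition with a configure-time check for the libc function. Also, the header `@@ -37,7 +37,7 @@` promises seven old-side lines but only six are shown (two includes, the `static` line, `{`, `#ifdef`, `return`), so a blank context line between the includes and the function was lost in pasting; make sure memfd_create.diff in patches/ carries the full hunk or `patch -p1` will reject it.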
And modified the build_qemu_support.sh script by adding:
echo "[*] Applying patches..."
patch -p1 <../patches/elfload.diff || exit 1
patch -p1 <../patches/cpu-exec.diff || exit 1
patch -p1 <../patches/syscall.diff || exit 1
+patch -p1 <../patches/memfd_create.diff || exit 1
echo "[+] Patching done."
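Review bot: the libtool-to-libtoolize change described earlier is not in this excerpt, so the maintainer gets one fix as prose and the other as a single `+patch -p1 <../patches/memfd_create.diff || exit 1` line without a hunk header or context; a single unified diff against build_qemu_support.sh covering both edits (the tool check and the added patch line) would be directly applicable. The `|| exit 1` on the new line matches the surrounding `patch` invocations, which is right; since the patch is applied unconditionally, it should be the guarded variant suggested for memfd_create.diff so that hosts whose libc does not declare memfd_create still build cleanly.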
Then, I ran the ./build_qemu_support.sh script and ended up with an
afl-qemu-trace executable which does the job perfectly.
I did not modify the 'debian/rules' script to completely rebuild the
package, but I can probably come up with a full patch for that.
I hope that the maintainer will find this small message useful!
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages afl depends on:
ii build-essential 12.5
ii libc6 2.27-8
Versions of packages afl recommends:
ii afl-clang 2.52b-4
ii afl-doc 2.52b-4
Versions of packages afl suggests:
ii gnuplot-nox [gnuplot] 5.2.5+dfsg1-1
-- no debconf information
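Editor's note, added example (not code from AFL, QEMU or the bug reporter): the clash behind the second problem is that glibc 2.27 declares memfd_create() in <sys/mman.h>, so QEMU's private `static int memfd_create(...)` collides with the libc prototype. Rather than dropping `static` and exporting a competing global symbol, the wrapper can keep its own name. The C below shows that pattern with a syscall wrapper named qemu_memfd_create (the name and the anon_shm_open/anon_shm_roundtrip helpers are this example's own assumptions, not the project's API), plus a fallback to an unlinked temporary file for kernels or seccomp policies that refuse the syscall.

```c
/* Added example, not QEMU's or AFL's code. Demonstrates a memfd wrapper
 * that avoids clashing with the memfd_create() prototype in glibc >= 2.27
 * by keeping the private function static under its own name. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U   /* value from <linux/memfd.h>, for older headers */
#endif

/* Raw syscall wrapper with a private name: no conflict with libc's
 * memfd_create() declaration, and no exported global symbol. (Assumed name.) */
static int qemu_memfd_create(const char *name, unsigned int flags)
{
#ifdef __NR_memfd_create
    return (int)syscall(__NR_memfd_create, name, flags);
#else
    (void)name; (void)flags;
    errno = ENOSYS;
    return -1;
#endif
}

/* Open an anonymous shared-memory file of `size` bytes. Tries memfd first;
 * if the kernel or a seccomp policy refuses it, falls back to an unlinked
 * temporary file. Returns a descriptor or -1 with errno set. (Assumed helper.) */
int anon_shm_open(const char *name, size_t size)
{
    int fd = qemu_memfd_create(name, MFD_CLOEXEC);
    if (fd < 0 && (errno == ENOSYS || errno == EPERM || errno == EACCES)) {
        char path[] = "/tmp/anon-shm-XXXXXX";
        fd = mkstemp(path);
        if (fd < 0)
            return -1;
        unlink(path);             /* keep the descriptor, drop the name */
    }
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)size) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Write `len` bytes through the descriptor and read them back.
 * Returns 0 when the round trip matches, -1 on any error or mismatch. */
int anon_shm_roundtrip(const char *data, size_t len)
{
    int fd = anon_shm_open("afl-example", len);
    if (fd < 0)
        return -1;
    char *buf = malloc(len);
    int rc = -1;
    if (buf &&
        pwrite(fd, data, len, 0) == (ssize_t)len &&
        pread(fd, buf, len, 0) == (ssize_t)len &&
        memcmp(buf, data, len) == 0)
        rc = 0;
    free(buf);
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample payload standing in for a fuzzer test case. */
    const char sample[] = "fuzz-input-0001";
    int rc = anon_shm_roundtrip(sample, strlen(sample));
    printf("round trip %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The point of the wrapper is the symbol name, not the syscall: with the function static and privately named, the same util/memfd.c compiles against both a pre-2.27 libc (no prototype) and a current one (prototype present) without either a duplicate-declaration error or a second global memfd_create in the binary.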