Package: afl
Version: 2.52b-4
Severity: wishlist

Dear Maintainer,

I noticed that AFL was not working when no instrumentation was compiled
into the target binary. In fact, AFL has a QEMU mode that allows running the
fuzzer on binary-only programs. If you do not have this support you will
run into the following error:

[-] Oops, unable to find the 'afl-qemu-trace' binary. The binary must be
    built separately by following the instructions in
    qemu_mode/README.qemu. If you already have the binary installed, you
    may need to specify AFL_PATH in the environment.

    Of course, even without QEMU, afl-fuzz can still work with binaries
    that are instrumented at compile time with afl-gcc. It is also
    possible to use it as a traditional "dumb" fuzzer by specifying '-n'
    in the command line.

[-] PROGRAM ABORT : Failed to locate 'afl-qemu-trace'.
         Location : get_qemu_argv(), afl-fuzz.c:7669

I tried to add the feature to my system (Debian unstable) and was
successful. So, I propose to explain what I did, to ease the maintainer's
job of adding it to the current Debian AFL package.

After 'apt-get source afl', I went to afl-2.52b/qemu_mode/ and I ran the script.

The first bug comes from the fact that the script expects
/usr/bin/libtool while we have /usr/bin/libtoolize. A simple modification
of the script did the job.

The second problem came from a wrong function declaration in the
QEMU code (declared non-static and defined as static).

I added a memfd_create.diff patch to patches/:

diff -ru qemu-2.10.0-clean/util/memfd.c qemu-2.10.0/util/memfd.c
--- qemu-2.10.0-clean/util/memfd.c      2018-11-20 18:11:00.170271506 +0100
+++ qemu-2.10.0/util/memfd.c    2018-11-20 18:11:13.398423613 +0100
@@ -37,7 +37,7 @@
 #include <sys/syscall.h>
 #include <asm/unistd.h>

-static int memfd_create(const char *name, unsigned int flags)
+int memfd_create(const char *name, unsigned int flags)
 #ifdef __NR_memfd_create
     return syscall(__NR_memfd_create, name, flags);
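Review bot: the hunk as pasted is incomplete: the header `@@ -37,7 +37,7 @@` announces seven lines on each side but only six appear, and a C function definition needs an opening `{` between the `memfd_create(...)` signature and the `#ifdef __NR_memfd_create` line, so `patch` will reject this until the missing line is restored (regenerate it with `diff -ru` and paste it unedited). On the change itself, dropping `static` turns the wrapper into an external definition with the same name as the `memfd_create` that glibc 2.27 (the libc6 version listed below) now declares; that compiles, but the QEMU binary then carries its own `memfd_create` in place of the libc one. A more robust fix is to keep the function `static` and compile it only when the libc does not already provide `memfd_create`, i.e. wrap the whole definition in a guard driven by a configure probe or a glibc version check, so the two declarations never meet.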

And modified the script by adding:

echo "[*] Applying patches..."

 patch -p1 <../patches/elfload.diff || exit 1
 patch -p1 <../patches/cpu-exec.diff || exit 1
 patch -p1 <../patches/syscall.diff || exit 1
+patch -p1 <../patches/memfd_create.diff || exit 1

echo "[+] Patching done."
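Review bot: the added line follows the script's `patch -p1 ... || exit 1` convention and `-p1` matches the `qemu-2.10.0-clean/util/memfd.c` prefix used in memfd_create.diff, but the libtool/libtoolize edit described above is not in the patch, so the maintainer would still have to redo it by hand; include that change as a second hunk, and note that the new patches/memfd_create.diff file itself also has to be shipped, since a diff of the build script does not add files. As pasted, these lines lack the `---`/`+++` file headers and an `@@` hunk header, so they cannot be applied with `patch` either; a `diff -u` of the modified script against the original would make the whole change applicable as one unit.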

Then, I ran the ./ script and I ended up with an
afl-qemu-trace executable which does the job perfectly.

I did not modify the 'debian/rules' script to completely rebuild the
package. But I can probably come up with a full patch for that.

I hope that the maintainer will find this small message useful!

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages afl depends on:
ii  build-essential  12.5
ii  libc6            2.27-8

Versions of packages afl recommends:
ii  afl-clang  2.52b-4
ii  afl-doc    2.52b-4

Versions of packages afl suggests:
ii  gnuplot-nox [gnuplot]  5.2.5+dfsg1-1

-- no debconf information
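As an added illustration of the guarded-definition alternative to simply dropping `static` (this is example code written for this page, not part of the report, of the Debian package, or of QEMU's util/memfd.c): the private raw-syscall `memfd_create` fallback is compiled only when the libc does not declare one (glibc 2.27 and later do), and on a newer glibc a plain extern redeclaration is used instead, so there is never a static definition to collide with the libc declaration. The `memfd_roundtrip` helper, `libc_provides_memfd_create`, the `HAVE_LIBC_MEMFD_CREATE` macro and the `memfd-demo` name are this example's own inventions; it assumes a Linux kernel with memfd support.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* lets glibc expose memfd_create() and MFD_* in <sys/mman.h> */
#endif
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Detect a libc-provided memfd_create(): glibc added it in 2.27. The #if is nested so the
 * function-like __GLIBC_PREREQ macro is never expanded on a non-glibc libc. */
#if defined(__GLIBC__)
# if __GLIBC_PREREQ(2, 27)
#  define HAVE_LIBC_MEMFD_CREATE 1
# endif
#endif
#ifndef HAVE_LIBC_MEMFD_CREATE
# define HAVE_LIBC_MEMFD_CREATE 0
#endif

#ifndef MFD_CLOEXEC
# define MFD_CLOEXEC 0x0001U   /* kernel ABI value; only used when the headers do not define it */
#endif

#if HAVE_LIBC_MEMFD_CREATE
/* libc has it: a matching extern redeclaration is harmless, whereas a static definition
 * here would be the static-definition-vs-non-static-declaration clash from the report. */
extern int memfd_create(const char *name, unsigned int flags);
#else
/* Older libc: private raw-syscall fallback, kept static so it is invisible to the linker. */
static int memfd_create(const char *name, unsigned int flags)
{
#ifdef __NR_memfd_create
    return syscall(__NR_memfd_create, name, flags);
#else
    (void)name; (void)flags;
    errno = ENOSYS;
    return -1;
#endif
}
#endif

/* Reports which branch was compiled in (1 = libc wrapper, 0 = fallback). */
int libc_provides_memfd_create(void)
{
    return HAVE_LIBC_MEMFD_CREATE;
}

/* Creates an anonymous in-memory file, writes msg into it, rewinds and reads it back into buf.
 * Returns the number of bytes read back (buf is NUL-terminated), or -1 on any failure. */
ssize_t memfd_roundtrip(const char *msg, char *buf, size_t buflen)
{
    if (buflen == 0)
        return -1;
    int fd = memfd_create("memfd-demo", MFD_CLOEXEC);   /* constructed name, not a real file */
    if (fd < 0)
        return -1;
    size_t len = strlen(msg);
    ssize_t rc = -1;
    if (write(fd, msg, len) == (ssize_t)len && lseek(fd, 0, SEEK_SET) == 0) {
        ssize_t n = read(fd, buf, buflen - 1);
        if (n >= 0) {
            buf[n] = '\0';
            rc = n;
        }
    }
    close(fd);
    return rc;
}
```

The same guard shape works in a project's configure step: probe once for a libc `memfd_create`, define one macro, and key the fallback on it, rather than editing the function's linkage after the fact.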
