Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2016-10-23 12:51:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2016-08-29 15:39:46.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2016-10-23 12:51:53.000000000 +0200 @@ -1,0 +2,15 @@ +Wed Oct 19 20:05:42 UTC 2016 - [email protected] + +- Update to version 2.35b: + * Fixed a minor cmdline reporting glitch, spotted by Leo Barnes. + * Fixed a silly bug in libdislocator. Spotted by Johannes Schultz. +- Changes for version 2.34b: + * Added a note about afl-tmin to technical_details.txt. + * Added support for AFL_NO_UI, as suggested by Leo Barnes. +- Changes for version 2.33b: + * Added code to strip -Wl,-z,defs and -Wl,--no-undefined for + fl-clang-fast, since they interfere with -shared. Spotted and + iagnosed by Toby Hutton. + * Added some fuzzing tips for Android. + +------------------------------------------------------------------- Old: ---- afl-2.32b.tgz New: ---- afl-2.35b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.kZd3jQ/_old 2016-10-23 12:51:55.000000000 +0200 +++ /var/tmp/diff_new_pack.kZd3jQ/_new 2016-10-23 12:51:55.000000000 +0200 @@ -17,7 +17,7 @@ Name: afl -Version: 2.32b +Version: 2.35b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 
@@ -31,9 +31,19 @@ ExclusiveArch: i586 x86_64 %description -American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road. - -Compared to other instrumented fuzzers, afl-fuzz is designed to be practical: it has modest performance overhead, uses a variety of highly effective fuzzing strategies and effort minimization tricks, requires essentially no configuration, and seamlessly handles complex, real-world use cases - say, common image parsing or file compression libraries. +American fuzzy lop is a security-oriented fuzzer that employs a novel type +of compile-time instrumentation and genetic algorithms to automatically +discover clean, interesting test cases that trigger new internal states in +the targeted binary. This substantially improves the functional coverage +for the fuzzed code. The compact synthesized corpora produced by the tool +are also useful for seeding other, more labor- or resource-intensive +testing regimes down the road. + +Compared to other instrumented fuzzers, afl-fuzz is designed to be +practical: it has modest performance overhead, uses a variety of highly +effective fuzzing strategies and effort minimization tricks, requires +essentially no configuration, and seamlessly handles complex, real-world +use cases - say, common image parsing or file compression libraries. %prep %setup -q 
@@ -56,7 +66,7 @@ %dir %{_datadir}/%{name} %dir %{_datadir}/%{name}/testcases %{_datadir}/%{name}/testcases/* -%dir /usr/share/afl/dictionaries/ -/usr/share/afl/dictionaries/* +%dir %{_datadir}/afl/dictionaries/ +%{_datadir}/afl/dictionaries/* %changelog ++++++ afl-2.32b.tgz -> afl-2.35b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/afl-fuzz.c new/afl-2.35b/afl-fuzz.c --- old/afl-2.32b/afl-fuzz.c 2016-08-20 08:40:05.000000000 +0200 +++ new/afl-2.35b/afl-fuzz.c 2016-09-20 04:38:39.000000000 +0200 @@ -4924,8 +4924,11 @@ #endif /* ^IGNORE_FINDS */ - if (not_on_tty) - ACTF("Fuzzing test case #%u (%u total)...", current_entry, queued_paths); + if (not_on_tty) { + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + current_entry, queued_paths, unique_crashes); + fflush(stdout); + } /* Map the test case into memory. */ @@ -6922,6 +6925,12 @@ struct winsize ws; + if (getenv("AFL_NO_UI")) { + OKF("Disabling the UI because AFL_NO_UI is set."); + not_on_tty = 1; + return; + } + if (ioctl(1, TIOCGWINSZ, &ws)) { if (errno == ENOTTY) { @@ -7652,7 +7661,7 @@ u8* c; if (sync_id) FATAL("Multiple -S or -M options not supported"); - sync_id = optarg; + sync_id = ck_strdup(optarg); if ((c = strchr(sync_id, ':'))) { @@ -7982,6 +7991,7 @@ destroy_queue(); destroy_extras(); ck_free(target_path); + ck_free(sync_id); alloc_report(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/afl-gcc.c new/afl-2.35b/afl-gcc.c --- old/afl-2.32b/afl-gcc.c 2016-08-20 08:29:07.000000000 +0200 +++ new/afl-2.35b/afl-gcc.c 2016-08-28 02:09:39.000000000 +0200 
@@ -233,7 +233,7 @@ FATAL("ASAN and MSAN are mutually exclusive"); if (getenv("AFL_HARDEN")) - FATAL("ABSAN and AFL_HARDEN are mutually exclusive"); + FATAL("ASAN and AFL_HARDEN are mutually exclusive"); cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-fsanitize=address"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/config.h new/afl-2.35b/config.h --- old/afl-2.32b/config.h 2016-08-20 08:27:49.000000000 +0200 +++ new/afl-2.35b/config.h 2016-09-23 17:04:24.000000000 +0200 @@ -21,7 +21,7 @@ /* Version string: */ -#define VERSION "2.32b" +#define VERSION "2.35b" /****************************************************** * * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/docs/ChangeLog new/afl-2.35b/docs/ChangeLog --- old/afl-2.32b/docs/ChangeLog 2016-08-20 08:41:57.000000000 +0200 +++ new/afl-2.35b/docs/ChangeLog 2016-09-23 17:00:52.000000000 +0200 @@ -17,6 +17,31 @@ to get on with the times. -------------- +Version 2.35b: +-------------- + + - Fixed a minor cmdline reporting glitch, spotted by Leo Barnes. + + - Fixed a silly bug in libdislocator. Spotted by Johannes Schultz. + +-------------- +Version 2.34b: +-------------- + + - Added a note about afl-tmin to technical_details.txt. + + - Added support for AFL_NO_UI, as suggested by Leo Barnes. + +-------------- +Version 2.33b: +-------------- + + - Added code to strip -Wl,-z,defs and -Wl,--no-undefined for afl-clang-fast, + since they interfere with -shared. Spotted and diagnosed by Toby Hutton. + + - Added some fuzzing tips for Android. + +-------------- Version 2.32b: -------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/docs/INSTALL new/afl-2.35b/docs/INSTALL --- old/afl-2.32b/docs/INSTALL 2016-07-22 20:48:18.000000000 +0200 +++ new/afl-2.35b/docs/INSTALL 2016-08-21 18:45:31.000000000 +0200 
@@ -164,8 +164,20 @@ 20x faster or so. If you have a *really* compelling use case for Cygwin, let me know. -Although Android on x86 should theoretically work, the stock kernel has SHM -support compiled out, so you will need to address this issue first. It's -possible that all you need is this: +Although Android on x86 should theoretically work, the stock kernel may have +SHM support compiled out, and if so, you may have to address that issue first. +It's possible that all you need is this workaround: https://github.com/pelya/android-shmem + +Joshua J. Drake notes that the Android linker adds a shim that automatically +intercepts SIGSEGV and related signals. To fix this issue and be able to see +crashes, you need to put this at the beginning of the fuzzed program: + + signal(SIGILL, SIG_DFL); + signal(SIGABRT, SIG_DFL); + signal(SIGBUS, SIG_DFL); + signal(SIGFPE, SIG_DFL); + signal(SIGSEGV, SIG_DFL); + +You may need to #include <signal.h> first. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/docs/README new/afl-2.35b/docs/README --- old/afl-2.32b/docs/README 2016-08-18 19:27:12.000000000 +0200 +++ new/afl-2.35b/docs/README 2016-08-23 08:54:15.000000000 +0200 @@ -478,6 +478,7 @@ Vegard Nossum Jan Kneschke Kurt Roeckx Marcel Bohme Van-Thuan Pham Abhik Roychoudhury + Joshua J. Drake Toby Hutton Thank you! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/docs/env_variables.txt new/afl-2.35b/docs/env_variables.txt --- old/afl-2.32b/docs/env_variables.txt 2016-08-06 04:48:17.000000000 +0200 +++ new/afl-2.35b/docs/env_variables.txt 2016-09-16 05:54:51.000000000 +0200 
@@ -145,6 +145,10 @@ without disrupting the afl-fuzz process itself. This is useful, among other things, for bootstrapping libdislocator.so. + - Setting AFL_NO_UI inhibits the UI altogether, and just periodically prints + some basic stats. This behavior is also automatically triggered when the + output from afl-fuzz is redirected to a file or to a pipe. + - If you are Jakub, you may need AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES. Others need not apply. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/docs/sister_projects.txt new/afl-2.35b/docs/sister_projects.txt --- old/afl-2.32b/docs/sister_projects.txt 2016-07-12 04:42:04.000000000 +0200 +++ new/afl-2.35b/docs/sister_projects.txt 2016-09-23 17:04:16.000000000 +0200 @@ -173,6 +173,13 @@ https://github.com/mrash/afl-cov +afl-sancov (Bhargava Shastry) +----------------------------- + + Similar to afl-cov, but uses clang sanitizer instrumentation. + + https://github.com/bshastry/afl-sancov + RecidiVM (Jakub Wilk) --------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/docs/technical_details.txt new/afl-2.35b/docs/technical_details.txt --- old/afl-2.32b/docs/technical_details.txt 2016-08-08 04:57:20.000000000 +0200 +++ new/afl-2.35b/docs/technical_details.txt 2016-09-09 00:32:31.000000000 +0200 
@@ -279,7 +279,38 @@ and stepover to match. The average per-file gains are around 5-20%. The standalone afl-tmin tool uses a more exhaustive, iterative algorithm, and -also attempts to perform alphabet normalization on the trimmed files. +also attempts to perform alphabet normalization on the trimmed files. The +operation of afl-tmin is as follows. + +First, the tool automatically selects the operating mode. If the initial input +crashes the target binary, afl-tmin will run in non-instrumented mode, simply +keeping any tweaks that produce a simpler file but still crash the target. If +the target is non-crashing, the tool uses an instrumented mode and keeps only +the tweaks that produce exactly the same execution path. + +The actual minimization algorithm is: + + 1) Attempt to zero large blocks of data with large stepovers. Empirically, + this is shown to reduce the number of execs by preempting finer-grained + efforts later on. + + 2) Perform a block deletion pass with decreasing block sizes and stepovers, + binary-search-style. + + 3) Perform alphabet normalization by counting unique characters and trying + to bulk-replace each with a zero value. + + 4) As a last result, perform byte-by-byte normalization on non-zero bytes. + +Instead of zeroing with a 0x00 byte, afl-tmin uses the ASCII digit '0'. This +is done because such a modification is much less likely to interfere with +text parsing, so it is more likely to result in successful minimization of +text files. + +The algorithm used here is less involved than some other test case +minimization approaches proposed in academic work, but requires far fewer +executions and tends to produce comparable results in most real-world +applications. 
6) Fuzzing strategies --------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/libdislocator/libdislocator.so.c new/afl-2.35b/libdislocator/libdislocator.so.c --- old/afl-2.32b/libdislocator/libdislocator.so.c 2016-08-06 05:46:40.000000000 +0200 +++ new/afl-2.35b/libdislocator/libdislocator.so.c 2016-09-23 17:02:36.000000000 +0200 @@ -89,7 +89,8 @@ void* ret; - if (total_mem + len > max_mem) { + + if (total_mem + len > max_mem || total_mem + len <= total_mem) { if (hard_fail) FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.32b/llvm_mode/afl-clang-fast.c new/afl-2.35b/llvm_mode/afl-clang-fast.c --- old/afl-2.32b/llvm_mode/afl-clang-fast.c 2016-08-20 08:29:39.000000000 +0200 +++ new/afl-2.35b/llvm_mode/afl-clang-fast.c 2016-08-23 08:53:27.000000000 +0200 @@ -152,6 +152,9 @@ if (!strcmp(cur, "-shared")) maybe_linking = 0; + if (!strcmp(cur, "-Wl,-z,defs") || + !strcmp(cur, "-Wl,--no-undefined")) continue; + cc_params[cc_par_cnt++] = cur; }
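Review bot: two words in the afl.changes entry for 2.33b are truncated: `fl-clang-fast` should read `afl-clang-fast` and `iagnosed` should read `diagnosed`. The upstream docs/ChangeLog hunk in this same submission carries the full text ("for afl-clang-fast, since they interfere with -shared. Spotted and diagnosed by Toby Hutton."), so the packager's changelog should be corrected to match before this is accepted.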
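Review bot: the %files hunk in afl.spec switches the hard-coded /usr/share/afl/dictionaries/ to %{_datadir}/afl/dictionaries/, which is the right macro, but it still spells out the package name while the neighbouring entries use %{_datadir}/%{name}/testcases. Suggest `%dir %{_datadir}/%{name}/dictionaries/` and `%{_datadir}/%{name}/dictionaries/*` so the two directory entries follow one convention.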
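Review bot: the fflush(stdout) added to the not_on_tty branch in afl-fuzz.c is the important part of that hunk, not the extra counter in the ACTF message: when output goes to a file or pipe (exactly the not_on_tty case, and now also the AFL_NO_UI case added in the same file) stdout is fully buffered, so without the flush the per-testcase progress line would sit in the buffer until exit and be lost if the fuzzer is killed. Worth checking that any other stats printed in non-tty mode get the same treatment.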
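Review bot: `sync_id = ck_strdup(optarg)` is correct because the line that follows, `if ((c = strchr(sync_id, ':')))`, evidently goes on to split the string in place, and before this change that write landed in argv (which is presumably the "cmdline reporting glitch" from the changelog). The matching `ck_free(sync_id)` in the teardown hunk closes the leak, but it is reached on every exit path, including runs without -S or -M where sync_id is still NULL, so make sure ck_free tolerates a NULL argument or guard the call.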
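Review bot: typo in step 4 of the new afl-tmin description in technical_details.txt: "As a last result" should be "As a last resort". A minor wording point in step 1: "this is shown to reduce" reads better as "this has been shown to reduce".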
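Review bot: in libdislocator.so.c the new `total_mem + len <= total_mem` term catches the sum wrapping around for a huge len, which is the right fix for the bug the changelog mentions, but `<=` also fires when `len == 0` (total_mem + 0 equals total_mem), so a zero-length request will be reported as "total allocs exceed" unless it is rejected or bumped to a non-zero size earlier in the function. If zero-length allocations are meant to reach this check, `<` is the comparison you want; otherwise a short comment stating that len is already non-zero here would prevent the next reader from filing the same report. The blank line inserted in front of the `if` looks like stray whitespace.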
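Review bot: the strip added to the argument loop in afl-clang-fast.c matches only the exact spellings `-Wl,-z,defs` and `-Wl,--no-undefined`, and it drops them unconditionally rather than only for a `-shared` link (the preceding line records -shared via `maybe_linking = 0`, but the new check does not consult it). Two consequences worth a comment or a follow-up: equivalent spellings such as a combined `-Wl,-z,defs,--no-undefined`, or `-z defs` passed via `-Xlinker`, slip through and still break the -shared case this is meant to fix, while ordinary executables silently lose their undefined-symbol check. Since -shared may appear later in argv than the flag being stripped, gating on it would need a first pass over the arguments, which is probably why it was not done; at least the comment should say that the removal is deliberate for all link types.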
