Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2017-07-04 09:10:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Tue Jul 4 09:10:40 2017 rev:34 rq:507727 version:2.44b Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2017-04-12 17:59:36.698828781 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2017-07-04 09:11:17.918979025 +0200 @@ -1,0 +2,11 @@ +Mon Jul 3 08:08:58 UTC 2017 - [email protected] + +- update to 2.44b: + * Add visual indicator of ASAN / MSAN mode when compiling + * Add support for afl-showmap coredumps (-c) + * Add LD_BIND_NOW=1 for afl-showmap by default + * Added AFL_NO_ARITH to aid in the fuzzing of text-based formats + * Renamed the R() macro to avoid a problem with llvm_mode in the + latest versions of LLVM + +------------------------------------------------------------------- Old: ---- afl-2.41b.tgz New: ---- afl-2.44b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.BUdfyk/_old 2017-07-04 09:11:19.290786115 +0200 +++ /var/tmp/diff_new_pack.BUdfyk/_new 2017-07-04 09:11:19.294785553 +0200 @@ -17,7 +17,7 @@ Name: afl -Version: 2.41b +Version: 2.44b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 @@ -27,7 +27,6 @@ Source1: afl-rpmlintrc Patch1: afl-1.58b-fix-paths.patch BuildRequires: gcc-c++ -BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: i586 x86_64 %description @@ -57,7 +56,6 @@ make %{?_smp_mflags} PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} DESTDIR=%{buildroot} install %files -%defattr(-,root,root) %doc docs/ChangeLog docs/COPYING README docs/*.txt %{_bindir}/%{name}-* %dir %{_libexecdir}/%{name} ++++++ afl-2.41b.tgz -> afl-2.44b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/afl-as.c new/afl-2.44b/afl-as.c --- old/afl-2.41b/afl-as.c 2016-02-10 16:53:12.000000000 +0100 +++ new/afl-2.44b/afl-as.c 2017-06-23 00:46:53.000000000 +0200 
@@ -56,7 +56,8 @@ static u8 be_quiet, /* Quiet mode (no stderr output) */ clang_mode, /* Running in clang mode? */ pass_thru, /* Just pass data through? */ - just_version; /* Just show version? */ + just_version, /* Just show version? */ + sanitizer; /* Using ASAN / MSAN */ static u32 inst_ratio = 100, /* Instrumentation probability (%) */ as_par_cnt = 1; /* Number of params to 'as' */ @@ -454,7 +455,8 @@ pass_thru ? " (pass-thru mode)" : ""); else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).", ins_lines, use_64bit ? "64" : "32", - getenv("AFL_HARDEN") ? "hardened" : "non-hardened", + getenv("AFL_HARDEN") ? "hardened" : + (sanitizer ? "ASAN/MSAN" : "non-hardened"), inst_ratio); } @@ -521,7 +523,10 @@ ASAN-specific branches. But we can probabilistically compensate for that... */ - if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) inst_ratio /= 3; + if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) { + sanitizer = 1; + inst_ratio /= 3; + } if (!just_version) add_instrumentation(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/afl-fuzz.c new/afl-2.44b/afl-fuzz.c --- old/afl-2.41b/afl-fuzz.c 2017-04-12 06:45:34.000000000 +0200 +++ new/afl-2.44b/afl-fuzz.c 2017-06-16 20:01:29.000000000 +0200 @@ -114,6 +114,7 @@ in_place_resume, /* Attempt in-place resume? */ auto_changed, /* Auto-generated tokens changed? */ no_cpu_meter_red, /* Feng shui on the status screen */ + no_arith, /* Skip most arithmetic ops */ shuffle_queue, /* Shuffle input queue? */ bitmap_changed = 1, /* Time to update bitmap? */ qemu_mode, /* Running in QEMU mode? */ @@ -4412,7 +4413,7 @@ limit is very expensive, so let's select a more conservative default. */ if (dumb_mode && !getenv("AFL_HANG_TMOUT")) - hang_tmout = exec_tmout * 4; + hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); OKF("All set and ready to roll!"); @@ -4546,8 +4547,6 @@ } - - abort_trimming: bytes_trim_out += q->len; 
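Review bot: The ASAN/MSAN compensation `inst_ratio /= 3` inside the new block truncates small user-chosen ratios to zero: with AFL_INST_RATIO=1 or 2 the integer division yields 0, nothing gets instrumented, and the OKF line patched above reports `ratio 0%` without any warning. Rounding up keeps at least one percent whenever a non-zero ratio was requested, e.g. `inst_ratio = (inst_ratio + 2) / 3;`. The truncation predates this commit, but the block that now also sets `sanitizer = 1` is the natural place to fix it. The enclosing function starts and ends outside the hunk, so whether an earlier range check on AFL_INST_RATIO already rejects such values is not visible here.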
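Review bot: The new dumb-mode default `hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100);` caps the hang timeout at the compile-time constant EXEC_TIMEOUT rather than at anything derived from the user's `-t`, so a run whose exec timeout already exceeds EXEC_TIMEOUT ends up with hang_tmout smaller than exec_tmout. A hang limit shorter than the ordinary limit defeats the purpose of re-running timeouts with a longer budget; how the re-check logic elsewhere in afl-fuzz.c treats that case is outside this hunk. Clamping from below preserves the conservative default without inverting the two values: `hang_tmout = MAX(exec_tmout, MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100));`, assuming MAX is defined alongside MIN in types.h. The enclosing function starts and ends outside the hunk.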
@@ -5395,6 +5394,8 @@ skip_bitflip: + if (no_arith) goto skip_arith; + /********************** * ARITHMETIC INC/DEC * **********************/ @@ -5708,7 +5709,7 @@ /* Setting 16-bit integers, both endians. */ - if (len < 2) goto skip_interest; + if (no_arith || len < 2) goto skip_interest; stage_name = "interest 16/8"; stage_short = "int16"; @@ -7882,6 +7883,7 @@ if (getenv("AFL_NO_FORKSRV")) no_forkserver = 1; if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1; + if (getenv("AFL_NO_ARITH")) no_arith = 1; if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1; if (getenv("AFL_HANG_TMOUT")) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/afl-showmap.c new/afl-2.44b/afl-showmap.c --- old/afl-2.41b/afl-showmap.c 2017-01-14 05:12:31.000000000 +0100 +++ new/afl-2.44b/afl-showmap.c 2017-06-28 09:04:47.000000000 +0200 @@ -64,7 +64,8 @@ static u8 quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ cmin_mode, /* Generate output in afl-cmin mode? */ - binary_mode; /* Write output as a binary map */ + binary_mode, /* Write output as a binary map */ + keep_cores; /* Allow coredumps? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ @@ -285,9 +286,13 @@ } - r.rlim_max = r.rlim_cur = 0; + if (keep_cores) r.rlim_max = r.rlim_cur = 0; + else r.rlim_max = r.rlim_cur = RLIM_INFINITY; + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + execv(target_path, argv); *(u32*)trace_bits = EXEC_FAIL_SIG; @@ -479,7 +484,8 @@ "Other settings:\n\n" " -q - sink program's output and don't show messages\n" - " -e - show edge coverage only, ignore hit counts\n\n" + " -e - show edge coverage only, ignore hit counts\n" + " -c - allow core dumps\n\n" "This tool displays raw tuple data captured by AFL instrumentation.\n" "For additional help, consult %s/README.\n\n" cRST, 
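Review bot: The line `if (no_arith || len < 2) goto skip_interest;` silently turns AFL_NO_ARITH into an opt-out of the 16-bit interesting-value stage and, presumably, the 32-bit one too (skip_interest is not in view), which goes beyond what the variable name and its `/* Skip most arithmetic ops */` declaration comment suggest. A comment at the jump would spare the next reader a trip to env_variables.txt: `/* AFL_NO_ARITH also drops the 16/32-bit interesting-value stages: multi-byte integers rarely matter in text-based formats. */`. The enclosing function starts and ends outside the hunk.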
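Review bot: The core-dump branch is inverted: `-c` sets keep_cores, yet the hunk gives the `keep_cores` case the zero limit and everyone else RLIM_INFINITY, so the new option disables cores while the default (previously always zero) now allows them, contradicting the usage text `-c - allow core dumps` added in the same file. The two lines should read `if (keep_cores) r.rlim_max = r.rlim_cur = RLIM_INFINITY;` and `else r.rlim_max = r.rlim_cur = 0;`. Even with that fixed, setrlimit errors are ignored and raising rlim_max to RLIM_INFINITY fails with EPERM for an unprivileged process whose hard limit is lower, so `-c` would silently do nothing there; reading the current limit with getrlimit and raising only rlim_cur up to rlim_max would be more robust. The enclosing function starts and ends outside the hunk.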
@@ -614,7 +620,7 @@ doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQb")) > 0) + while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQbc")) > 0) switch (opt) { @@ -719,6 +725,12 @@ binary_mode = 1; break; + case 'c': + + if (keep_cores) FATAL("Multiple -c options not supported"); + keep_cores = 1; + break; + default: usage(argv[0]); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/config.h new/afl-2.44b/config.h --- old/afl-2.41b/config.h 2017-04-12 06:46:53.000000000 +0200 +++ new/afl-2.44b/config.h 2017-06-28 09:14:52.000000000 +0200 @@ -21,7 +21,7 @@ /* Version string: */ -#define VERSION "2.41b" +#define VERSION "2.44b" /****************************************************** * * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/docs/ChangeLog new/afl-2.44b/docs/ChangeLog --- old/afl-2.41b/docs/ChangeLog 2017-04-12 06:05:03.000000000 +0200 +++ new/afl-2.44b/docs/ChangeLog 2017-06-28 09:11:54.000000000 +0200 
@@ -13,10 +13,39 @@ sending a mail to <[email protected]>. Not sure if you should upgrade? The lowest currently recommended version -is 2.31b. If you're stuck on an earlier release, it's strongly advisable +is 2.41b. If you're stuck on an earlier release, it's strongly advisable to get on with the times. -------------- +Version 2.44b: +-------------- + + - Added a visual indicator of ASAN / MSAN mode when compiling. Requested + by Jakub Wilk. + + - Added support for afl-showmap coredumps (-c). Suggested by Jakub Wilk. + + - Added LD_BIND_NOW=1 for afl-showmap by default. Although not really useful, + it reportedly helps reproduce some crashes. Suggested by Jakub Wilk. + + - Added a note about allocator_may_return_null=1 not always working with + ASAN. Spotted by Jakub Wilk. + +-------------- +Version 2.43b: +-------------- + + - Added AFL_NO_ARITH to aid in the fuzzing of text-based formats. + Requested by Jakub Wilk. + +-------------- +Version 2.42b: +-------------- + + - Renamed the R() macro to avoid a problem with llvm_mode in the latest + versions of LLVM. Fix suggested by Christian Holler. + +-------------- Version 2.41b: -------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/docs/README new/afl-2.44b/docs/README --- old/afl-2.41b/docs/README 2017-04-12 06:08:38.000000000 +0200 +++ new/afl-2.44b/docs/README 2017-04-21 18:12:24.000000000 +0200 
@@ -308,7 +308,7 @@ queue, making it easier to diagnose faults. Having said that, it's important to acknowledge that some fuzzing crashes can be -difficult quickly evaluate for exploitability without a lot of debugging and +difficult to quickly evaluate for exploitability without a lot of debugging and code analysis work. To assist with this task, afl-fuzz supports a very unique "crash exploration" mode enabled with the -C flag. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/docs/env_variables.txt new/afl-2.44b/docs/env_variables.txt --- old/afl-2.41b/docs/env_variables.txt 2017-04-12 06:10:55.000000000 +0200 +++ new/afl-2.44b/docs/env_variables.txt 2017-06-16 20:03:30.000000000 +0200 @@ -123,6 +123,9 @@ don't want AFL to spend too much time classifying that stuff and just rapidly put all timeouts in that bin. + - AFL_NO_ARITH causes AFL to skip most of the deterministic arithmetics. + This can be useful to speed up the fuzzing of text-based file formats. + - AFL_SHUFFLE_QUEUE randomly reorders the input queue on startup. Requested by some users for unorthodox parallelized fuzzing setups, but not advisable otherwise. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/docs/notes_for_asan.txt new/afl-2.44b/docs/notes_for_asan.txt --- old/afl-2.41b/docs/notes_for_asan.txt 2016-08-20 08:26:35.000000000 +0200 +++ new/afl-2.44b/docs/notes_for_asan.txt 2017-06-28 09:11:28.000000000 +0200 
@@ -113,7 +113,23 @@ seem to appreciate the shadow VM trick used by these tools, and will likely just allocate all your physical memory, then crash. -4) What about UBSAN? +4) ASAN and OOM crashes +----------------------- + +By default, ASAN treats memory allocation failures as fatal errors, immediately +causing the program to crash. Since this is a departure from normal POSIX +semantics (and creates the appearance of security issues in otherwise +properly-behaving programs), we try to disable this by specifying +allocator_may_return_null=1 in ASAN_OPTIONS. + +Unfortunately, it's been reported that this setting still causes ASAN to +trigger phantom crashes in situations where the standard allocator would +simply return NULL. If this is interfering with your fuzzing jobs, you may +want to cc: yourself on this bug: + + https://bugs.llvm.org/show_bug.cgi?id=22026 + +5) What about UBSAN? -------------------- Some folks expressed interest in fuzzing with UBSAN. This isn't officially diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/llvm_mode/afl-llvm-pass.so.cc new/afl-2.44b/llvm_mode/afl-llvm-pass.so.cc --- old/afl-2.41b/llvm_mode/afl-llvm-pass.so.cc 2017-01-22 09:26:08.000000000 +0100 +++ new/afl-2.44b/llvm_mode/afl-llvm-pass.so.cc 2017-06-23 00:49:06.000000000 +0200 @@ -22,6 +22,8 @@ */ +#define AFL_LLVM_PASS + #include "../config.h" #include "../debug.h" @@ -112,11 +114,11 @@ BasicBlock::iterator IP = BB.getFirstInsertionPt(); IRBuilder<> IRB(&(*IP)); - if (R(100) >= inst_ratio) continue; + if (AFL_R(100) >= inst_ratio) continue; /* Make up cur_loc */ - unsigned int cur_loc = R(MAP_SIZE); + unsigned int cur_loc = AFL_R(MAP_SIZE); ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc); 
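Review bot: The bare `#define AFL_LLVM_PASS` carries no explanation, yet its position matters: it has to precede the AFL headers because types.h (patched in the same commit) chooses between the `R()` and `AFL_R()` macro names on it, and moving it below the includes would silently reintroduce the LLVM name problem the ChangeLog describes. A one-line comment would pin that down: `/* Must precede the AFL headers: types.h exports AFL_R() instead of R() when this is defined, avoiding the R() name clash with recent LLVM. */`. Whether the include chain below actually pulls in types.h is not visible in this hunk.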
@@ -157,9 +159,9 @@ if (!inst_blocks) WARNF("No instrumentation targets found."); else OKF("Instrumented %u locations (%s mode, ratio %u%%).", - inst_blocks, - getenv("AFL_HARDEN") ? "hardened" : "non-hardened", - inst_ratio); + inst_blocks, getenv("AFL_HARDEN") ? "hardened" : + ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ? + "ASAN/MSAN" : "non-hardened"), inst_ratio); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.41b/types.h new/afl-2.44b/types.h --- old/afl-2.41b/types.h 2016-08-02 20:35:04.000000000 +0200 +++ new/afl-2.44b/types.h 2017-06-02 08:34:36.000000000 +0200 @@ -68,7 +68,11 @@ ((_ret >> 8) & 0x0000FF00)); \ }) -#define R(x) (random() % (x)) +#ifdef AFL_LLVM_PASS +# define AFL_R(x) (random() % (x)) +#else +# define R(x) (random() % (x)) +#endif /* ^AFL_LLVM_PASS */ #define STRINGIFY_INTERNAL(x) #x #define STRINGIFY(x) STRINGIFY_INTERNAL(x)
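Review bot: The `#ifdef AFL_LLVM_PASS` split duplicates the `(random() % (x))` body and makes the plain `R()` name vanish in any translation unit that defines AFL_LLVM_PASS, so a later edit to one branch can drift from the other. Defining the prefixed name unconditionally and aliasing the legacy one gives the same interface with a single definition: `#define AFL_R(x) (random() % (x))` followed by `#ifndef AFL_LLVM_PASS` / `# define R(x) AFL_R(x)` / `#endif`. Both names then stay available to afl-fuzz.c and the other C tools, while the LLVM pass sees only AFL_R.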
