Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2017-11-07 10:00:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Tue Nov 7 10:00:41 2017 rev:39 rq:539104 version:2.52b Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2017-09-04 12:39:09.651552081 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2017-11-07 10:01:22.142964702 +0100 @@ -1,0 +2,13 @@ +Sun Nov 5 07:57:53 UTC 2017 - mar...@gmx.de + +- Update to version 2.52b: + * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting + several weird issues. + * Added setsid to afl-showmap. See the notes for 2.51b. + * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats. + * afl-tmin should now save a partially minimized file when Ctrl-C + is pressed. + * Added an option for afl-analyze to dump offsets in hex. + * Added support for parameters in triage_crashes.sh. + +------------------------------------------------------------------- Old: ---- afl-2.51b.tgz New: ---- afl-2.52b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.a1n2eA/_old 2017-11-07 10:01:22.918936550 +0100 +++ /var/tmp/diff_new_pack.a1n2eA/_new 2017-11-07 10:01:22.922936405 +0100 @@ -17,7 +17,7 @@ Name: afl -Version: 2.51b +Version: 2.52b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 @@ -47,6 +47,7 @@ %prep %setup -q %patch1 -p1 +sed -i 's|#!/usr/bin/env bash|#!/bin/bash|g' afl-cmin %build export CFLAGS="$CFLAGS %{optflags}" ++++++ afl-2.51b.tgz -> afl-2.52b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/Makefile new/afl-2.52b/Makefile --- old/afl-2.51b/Makefile 2017-01-15 02:50:54.000000000 +0100 +++ new/afl-2.52b/Makefile 2017-11-05 03:26:11.000000000 +0100 
@@ -4,7 +4,7 @@ # # Written and maintained by Michal Zalewski <lcam...@google.com> # -# Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. +# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -111,8 +111,8 @@ .NOTPARALLEL: clean clean: - rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace - rm -rf out_dir qemu_mode/qemu-2.3.0 + rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace + rm -rf out_dir qemu_mode/qemu-2.10.0 $(MAKE) -C llvm_mode clean $(MAKE) -C libdislocator clean $(MAKE) -C libtokencap clean diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/afl-analyze.c new/afl-2.52b/afl-analyze.c --- old/afl-2.51b/afl-analyze.c 2017-07-17 22:51:38.000000000 +0200 +++ new/afl-2.52b/afl-analyze.c 2017-11-05 03:26:03.000000000 +0100 @@ -4,7 +4,7 @@ Written and maintained by Michal Zalewski <lcam...@google.com> - Copyright 2016 Google Inc. All rights reserved. + Copyright 2016, 2017 Google Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -68,6 +68,7 @@ dev_null_fd = -1; /* FD to /dev/null */ static u8 edges_only, /* Ignore hit counts? */ + use_hex_offsets, /* Show hex offsets? */ use_stdin = 1; /* Use stdin for program input? */ static volatile u8 
@@ -486,9 +487,13 @@ /* Every 16 digits, display offset. */ if (!((i + off) % 16)) { - + if (off) SAYF(cRST cLCY ">"); - SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off); + + if (use_hex_offsets) + SAYF(cRST cGRA "%s[%06x] " cRST, (i + off) ? "\n" : "", i + off); + else + SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off); } @@ -512,7 +517,10 @@ #else - SAYF(" Offset %u, length %u: ", i, rlen); + if (use_hex_offsets) + SAYF(" Offset %x, length %u: ", i, rlen); + else + SAYF(" Offset %u, length %u: ", i, rlen); switch (rtype) { @@ -874,6 +882,10 @@ char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); u8 *tmp, *cp, *rsl, *own_copy; + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); /* Now we need to actually find qemu for argv[0]. */ @@ -1026,6 +1038,8 @@ if (optind == argc || !in_file) usage(argv[0]); + use_hex_offsets = !!getenv("AFL_ANALYZE_HEX"); + setup_shm(); setup_signal_handlers(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/afl-fuzz.c new/afl-2.52b/afl-fuzz.c --- old/afl-2.51b/afl-fuzz.c 2017-08-20 06:34:26.000000000 +0200 +++ new/afl-2.52b/afl-fuzz.c 2017-11-05 03:25:56.000000000 +0100 @@ -6,7 +6,7 @@ Forkserver design by Jann Horn <jannh...@googlemail.com> - Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. + Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -121,6 +121,7 @@ skip_requested, /* Skip request, via SIGUSR1 */ run_over10m, /* Run time over 10 minutes? */ persistent_mode, /* Running in persistent mode? */ + deferred_mode, /* Deferred forkserver mode? */ fast_cal; /* Try to calibrate faster? */ static s32 out_fd, /* Persistent fd for out_file */ 
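Review bot: `setenv("QEMU_LOG", "nochain", 1)` in the afl-analyze.c QEMU setup hunk overwrites any QEMU_LOG the user already exported, and the comment "Workaround for a QEMU stability glitch" does not say what the setting protects. If, as the TCG log option name suggests, nochain stops translated blocks from jumping directly to one another, it would be what makes every block return through cpu_tb_exec where AFL_QEMU_CPU_SNIPPET2 records coverage, so a user who sets QEMU_LOG=exec for debugging would silently get incomplete coverage maps rather than an error. I would replace the comment with `/* Disable direct TB chaining so every block passes through the instrumented exec loop; this deliberately clobbers a user-set QEMU_LOG. */` and list QEMU_LOG in the "Third-party variables set by afl-fuzz & other tools" section of docs/env_variables.txt, which this release renumbers but does not extend. The same three lines are duplicated in afl-fuzz.c, afl-showmap.c and afl-tmin.c; this note covers all four copies.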
@@ -3428,6 +3429,7 @@ "exec_timeout : %u\n" "afl_banner : %s\n" "afl_version : " VERSION "\n" + "target_mode : %s%s%s%s%s%s%s\n" "command_line : %s\n", start_time / 1000, get_cur_time() / 1000, getpid(), queue_cycle ? (queue_cycle - 1) : 0, total_execs, eps, @@ -3436,7 +3438,13 @@ queued_variable, stability, bitmap_cvg, unique_crashes, unique_hangs, last_path_time / 1000, last_crash_time / 1000, last_hang_time / 1000, total_execs - last_crash_execs, - exec_tmout, use_banner, orig_cmdline); + exec_tmout, use_banner, + qemu_mode ? "qemu " : "", dumb_mode ? " dumb " : "", + no_forkserver ? "no_forksrv " : "", crash_mode ? "crash " : "", + persistent_mode ? "persistent " : "", deferred_mode ? "deferred " : "", + (qemu_mode || dumb_mode || no_forkserver || crash_mode || + persistent_mode || deferred_mode) ? "" : "default", + orig_cmdline); /* ignore errors */ fclose(f); @@ -6946,6 +6954,7 @@ OKF(cPIN "Deferred forkserver binary detected."); setenv(DEFER_ENV_VAR, "1", 1); + deferred_mode = 1; } else if (getenv("AFL_DEFER_FORKSRV")) { @@ -7596,6 +7605,10 @@ char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); u8 *tmp, *cp, *rsl, *own_copy; + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); new_argv[2] = target_path; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/afl-showmap.c new/afl-2.52b/afl-showmap.c --- old/afl-2.51b/afl-showmap.c 2017-07-04 22:46:53.000000000 +0200 +++ new/afl-2.52b/afl-showmap.c 2017-11-05 03:26:43.000000000 +0100 @@ -4,7 +4,7 @@ Written and maintained by Michal Zalewski <lcam...@google.com> - Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. + Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
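Review bot: In the fuzzer_stats `target_mode` arguments, `dumb_mode ? " dumb " : ""` carries a leading space that its siblings (`"qemu "`, `"no_forksrv "`, `"crash "`, ...) do not, so a dumb-mode run writes `target_mode : qemu  dumb ` with a double space, and every non-default value ends in a trailing blank; use `dumb_mode ? "dumb " : ""` so the line stays single-space separated for anything that parses fuzzer_stats. Separately, `deferred_mode = 1` is set only in the branch that auto-detects a deferred binary; the `else if (getenv("AFL_DEFER_FORKSRV"))` branch that follows (its body is outside the hunk) presumably exports DEFER_ENV_VAR the same way, and if so it should also set `deferred_mode = 1`, otherwise a manually deferred target is reported as `default`.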
@@ -293,6 +293,8 @@ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + setsid(); + execv(target_path, argv); *(u32*)trace_bits = EXEC_FAIL_SIG; @@ -557,6 +559,10 @@ char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); u8 *tmp, *cp, *rsl, *own_copy; + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); new_argv[2] = target_path; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/afl-tmin.c new/afl-2.52b/afl-tmin.c --- old/afl-2.51b/afl-tmin.c 2017-08-31 06:25:50.000000000 +0200 +++ new/afl-2.52b/afl-tmin.c 2017-11-05 03:26:50.000000000 +0100 @@ -4,7 +4,7 @@ Written and maintained by Michal Zalewski <lcam...@google.com> - Copyright 2015, 2016 Google Inc. All rights reserved. + Copyright 2015, 2016, 2017 Google Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -341,8 +341,11 @@ total_execs++; if (stop_soon) { + SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST); + close(write_to_file(out_file, in_data, in_len)); exit(1); + } /* Always discard inputs that time out. */ @@ -891,6 +894,10 @@ char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); u8 *tmp, *cp, *rsl, *own_copy; + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); /* Now we need to actually find qemu for argv[0]. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/config.h new/afl-2.52b/config.h --- old/afl-2.51b/config.h 2017-08-31 06:27:31.000000000 +0200 +++ new/afl-2.52b/config.h 2017-11-05 03:24:47.000000000 +0100 
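Review bot: The bare `setsid();` added before `execv()` in the afl-showmap child has no comment and changes how the target can be stopped: once the child is a session leader it no longer belongs to the terminal's foreground group, so a Ctrl-C on afl-showmap reaches the target only if afl-showmap's own stop handler kills `child_pid` explicitly (that handler is outside this hunk and worth confirming). In a freshly forked child setsid() cannot fail with EPERM, so discarding the return value is fine but should be stated, e.g. `setsid(); /* cannot fail: a fresh fork child is never a group leader */`. With the target now leading its own process group, the timeout and stop handlers could also use `kill(-child_pid, SIGKILL)` so anything the target spawned is taken down with it.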
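Review bot: The abort path in afl-tmin's run_target writes the partially minimized buffer to `out_file` but the message printed just before it does not say so, and the process then exits with status 1, the same code afl-tmin's fatal-error paths use, so a wrapper script cannot tell "partial result saved" from "nothing written". I would make the message name the destination, `SAYF(cRST cLRD "\n+++ Minimization aborted by user, partial result saved to '%s' +++\n" cRST, out_file);`, and either document that status 1 is intentional or use a distinct exit code. Whether `in_data`/`in_len` hold the last accepted candidate at this point depends on the minimization loop updating them on success, which is outside the hunk. The enclosing function starts and ends outside the hunk.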
@@ -21,7 +21,7 @@ /* Version string: */ -#define VERSION "2.51b" +#define VERSION "2.52b" /****************************************************** * * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/docs/ChangeLog new/afl-2.52b/docs/ChangeLog --- old/afl-2.51b/docs/ChangeLog 2017-08-31 06:27:21.000000000 +0200 +++ new/afl-2.52b/docs/ChangeLog 2017-11-05 03:25:03.000000000 +0100 @@ -17,6 +17,27 @@ to get on with the times. --------------------------- +Version 2.52b (2017-11-04): +--------------------------- + + - Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting + several weird issues. All the legwork done by Andrew Griffiths. + + - Added setsid to afl-showmap. See the notes for 2.51b. + + - Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats. + Requested by Jakub Wilk. + + - afl-tmin should now save a partially minimized file when Ctrl-C + is pressed. Suggested by Jakub Wilk. + + - Added an option for afl-analyze to dump offsets in hex. Suggested by + Jakub Wilk. + + - Added support for parameters in triage_crashes.sh. Patch by Adam of + DC949. + +--------------------------- Version 2.51b (2017-08-30): --------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/docs/env_variables.txt new/afl-2.52b/docs/env_variables.txt --- old/afl-2.51b/docs/env_variables.txt 2017-08-06 16:30:17.000000000 +0200 +++ new/afl-2.52b/docs/env_variables.txt 2017-11-05 03:25:03.000000000 +0100 
@@ -213,7 +213,13 @@ may prevent the tool from "jumping" from one crashing condition to another in very buggy software. You probably want to combine it with the -e flag. -7) Settings for libdislocator.so +7) Settings for afl-analyze +--------------------------- + +You can set AFL_ANALYZE_HEX to get file offsets printed as hexadecimal instead +of decimal. + +8) Settings for libdislocator.so -------------------------------- The library honors three environmental variables: @@ -233,14 +239,14 @@ of the common allocators check for that internally and return NULL, so it's a security risk only in more exotic setups. -8) Settings for libtokencap.so +9) Settings for libtokencap.so ------------------------------ This library accepts AFL_TOKEN_FILE to indicate the location to which the discovered tokens should be written. -9) Third-party variables set by afl-fuzz & other tools ------------------------------------------------------- +10) Third-party variables set by afl-fuzz & other tools +------------------------------------------------------- Several variables are not directly interpreted by afl-fuzz, but are set to optimal values if not already present in the environment: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/docs/status_screen.txt new/afl-2.52b/docs/status_screen.txt --- old/afl-2.51b/docs/status_screen.txt 2017-04-12 06:32:13.000000000 +0200 +++ new/afl-2.52b/docs/status_screen.txt 2017-11-05 03:25:03.000000000 +0100 
@@ -297,7 +297,8 @@ Next, we have the number of new paths found during this fuzzing section and imported from other fuzzer instances when doing parallelized fuzzing; and the -number of inputs that produce seemingly variable behavior in the tested binary. +extent to which identical inputs appear to sometimes produce variable behavior +in the tested binary. That last bit is actually fairly interesting: it measures the consistency of observed traces. If a program always behaves the same for the same input data, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/experimental/crash_triage/triage_crashes.sh new/afl-2.52b/experimental/crash_triage/triage_crashes.sh --- old/afl-2.51b/experimental/crash_triage/triage_crashes.sh 2017-07-17 22:46:13.000000000 +0200 +++ new/afl-2.52b/experimental/crash_triage/triage_crashes.sh 2017-11-05 03:25:21.000000000 +0100 @@ -5,7 +5,7 @@ # # Written and maintained by Michal Zalewski <lcam...@google.com> # -# Copyright 2013, 2014 Google Inc. All rights reserved. +# Copyright 2013, 2014, 2017 Google Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,18 +28,16 @@ ulimit -v 100000 2>/dev/null ulimit -d 100000 2>/dev/null -if [ ! "$#" = "2" ]; then - echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary" 1>&2 - echo 1>&2 - echo "Note: the tested binary must accept input on stdin and require no additional" 1>&2 - echo "parameters. For more complex use cases, you need to edit this script." 1>&2 +if [ "$#" -lt "2" ]; then + echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary [...target params...]" 1>&2 echo 1>&2 exit 1 fi DIR="$1" BIN="$2" - +shift +shift if [ "$AFL_ALLOW_TMP" = "" ]; then 
@@ -85,11 +83,33 @@ id=`basename -- "$crash" | cut -d, -f1 | cut -d: -f2` sig=`basename -- "$crash" | cut -d, -f2 | cut -d: -f2` + # Grab the args, converting @@ to $crash + + use_args="" + use_stdio=1 + + for a in $@; do + + if [ "$a" = "@@" ] ; then + args="$use_args $crash" + unset use_stdio + else + args="$use_args $a" + fi + + done + + # Strip the trailing space + use_args="${use_args# }" + echo "+++ ID $id, SIGNAL $sig +++" echo - $GDB --batch -q --ex "r <$crash" --ex 'back' --ex 'disass $pc, $pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0</dev/null + if [ "$use_stdio" = "1" ]; then + $GDB --batch -q --ex "r $use_args <$crash" --ex 'back' --ex 'disass $pc, $pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0</dev/null + else + $GDB --batch -q --ex "r $use_args" --ex 'back' --ex 'disass $pc, $pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0</dev/null + fi echo done - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/README.qemu new/afl-2.52b/qemu_mode/README.qemu --- old/afl-2.51b/qemu_mode/README.qemu 2017-01-15 02:51:50.000000000 +0100 +++ new/afl-2.52b/qemu_mode/README.qemu 2017-11-05 03:24:50.000000000 +0100 @@ -21,7 +21,7 @@ 2) How to use ------------- -The feature is implemented with a fairly simple patch to QEMU 2.3.0. The +The feature is implemented with a fairly simple patch to QEMU 2.10.0. The simplest way to build it is to run ./build_qemu_support.sh. The script will download, configure, and compile the QEMU binary for you. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/build_qemu_support.sh new/afl-2.52b/qemu_mode/build_qemu_support.sh --- old/afl-2.51b/qemu_mode/build_qemu_support.sh 2016-03-08 08:10:20.000000000 +0100 +++ new/afl-2.52b/qemu_mode/build_qemu_support.sh 2017-11-05 03:25:32.000000000 +0100 
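Review bot: The argument-rebuilding loop in triage_crashes.sh never updates the variable it is building: both branches assign to `args` (`args="$use_args $crash"`, `args="$use_args $a"`) while everything after the loop reads `use_args`, so `use_args` stays empty, the only observable effect of `@@` is clearing `use_stdio`, and the new "target params" support passes nothing to gdb. The fix is `use_args="$use_args $crash"` and `use_args="$use_args $a"`, and the loop header should be `for a in "$@"; do` so parameters containing spaces are not re-split. Separately, `$crash` is spliced unquoted into gdb's `r` command line in both branches, so a crash path containing spaces or shell metacharacters breaks the run; since the paths come from the user's own output directory this is a robustness rather than an injection concern, but quoting it as `"$crash"` inside the `--ex` string is cheap.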
@@ -6,7 +6,7 @@ # Written by Andrew Griffiths <agriffi...@google.com> and # Michal Zalewski <lcam...@google.com> # -# Copyright 2015, 2016 Google Inc. All rights reserved. +# Copyright 2015, 2016, 2017 Google Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,8 +22,10 @@ # will be written to ../afl-qemu-trace. # -QEMU_URL="http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2" -QEMU_SHA384="7a0f0c900f7e2048463cc32ff3e904965ab466c8428847400a0f2dcfe458108a68012c4fddb2a7e7c822b4fd1a49639b" + +VERSION="2.10.0" +QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz" +QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105" echo "=================================================" echo "AFL binary-only instrumentation QEMU build script" @@ -89,7 +91,7 @@ if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then - echo "[*] Downloading QEMU 2.3.0 from the web..." + echo "[*] Downloading QEMU ${VERSION} from the web..." rm -f "$ARCHIVE" wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1 
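Review bot: The new `QEMU_URL` still fetches the QEMU tarball over plain http, so the only thing standing between a network attacker and the build is the pinned `QEMU_SHA384`; the comparison shown in this hunk runs before the download to decide whether to fetch, and the post-download re-check that actually enforces the pin is outside the hunk and should be confirmed to still be there. Using an https URL for the same path, if the QEMU download host offers one, keeps the pin as the integrity anchor but stops a substituted archive from being rejected only after the full download. A comment above `QEMU_SHA384` stating that it is the trust anchor for the fetched source (`# Pinned digest of the upstream tarball; the build refuses anything else.`) would make the intent explicit for whoever bumps VERSION next.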
@@ -110,32 +112,34 @@ echo "[*] Uncompressing archive (this will take a while)..." -rm -rf "qemu-2.3.0" || exit 1 +rm -rf "qemu-${VERSION}" || exit 1 tar xf "$ARCHIVE" || exit 1 echo "[+] Unpacking successful." -echo "[*] Applying patches..." - -patch -p0 <patches/elfload.diff || exit 1 -patch -p0 <patches/cpu-exec.diff || exit 1 -patch -p0 <patches/translate-all.diff || exit 1 -patch -p0 <patches/syscall.diff || exit 1 - -echo "[+] Patching done." +echo "[*] Configuring QEMU for $CPU_TARGET..." ORIG_CPU_TARGET="$CPU_TARGET" test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`" test "$CPU_TARGET" = "i686" && CPU_TARGET="i386" -echo "[*] Configuring QEMU for $CPU_TARGET..." +cd qemu-$VERSION || exit 1 + +echo "[*] Applying patches..." + +patch -p1 <../patches/elfload.diff || exit 1 +patch -p1 <../patches/cpu-exec.diff || exit 1 +patch -p1 <../patches/syscall.diff || exit 1 + +echo "[+] Patching done." -cd qemu-2.3.0 || exit 1 +# --enable-pie seems to give a couple of exec's a second performance +# improvement, much to my surprise. Not sure how universal this is.. -CFLAGS="-O3" ./configure --disable-system --enable-linux-user \ - --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \ - --target-list="${CPU_TARGET}-linux-user" || exit 1 +CFLAGS="-O3 -ggdb" ./configure --disable-system \ + --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \ + --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1 echo "[+] Configuration complete." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/afl-qemu-cpu-inl.h new/afl-2.52b/qemu_mode/patches/afl-qemu-cpu-inl.h --- old/afl-2.51b/qemu_mode/patches/afl-qemu-cpu-inl.h 2016-02-20 23:22:07.000000000 +0100 +++ new/afl-2.52b/qemu_mode/patches/afl-qemu-cpu-inl.h 2017-11-05 03:24:52.000000000 +0100 
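Review bot: The new configure line passes `--enable-kvm` to a build that is `--disable-system --enable-linux-user` only; user-mode emulation never uses KVM, and if QEMU's configure treats an explicit `--enable-kvm` as a hard requirement (as it does for most explicitly enabled features), the build now fails on hosts without KVM headers, in containers and on non-x86 build machines, for a feature the resulting afl-qemu-trace cannot exercise. Drop the flag or leave KVM to autodetection. The `-ggdb` added to CFLAGS is harmless but undocumented; a short comment such as `# -ggdb keeps symbols so crashes inside afl-qemu-trace itself can be triaged` would explain why a fuzzing build ships debug info.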
@@ -7,7 +7,7 @@ Idea & design very much by Andrew Griffiths. - Copyright 2015, 2016 Google Inc. All rights reserved. + Copyright 2015, 2016, 2017 Google Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -16,7 +16,7 @@ http://www.apache.org/licenses/LICENSE-2.0 This code is a shim patched into the separately-distributed source - code of QEMU 2.2.0. It leverages the built-in QEMU tracing functionality + code of QEMU 2.10.0. It leverages the built-in QEMU tracing functionality to implement AFL-style instrumentation and to take care of the remaining parts of the AFL fork server logic. @@ -47,11 +47,11 @@ regular instrumentation injected via afl-as.h. */ #define AFL_QEMU_CPU_SNIPPET2 do { \ - if(tb->pc == afl_entry_point) { \ + if(itb->pc == afl_entry_point) { \ afl_setup(); \ - afl_forkserver(env); \ + afl_forkserver(cpu); \ } \ - afl_maybe_log(tb->pc); \ + afl_maybe_log(itb->pc); \ } while (0) /* We use one additional file descriptor to relay "needs translation" @@ -81,16 +81,12 @@ /* Function declarations. */ static void afl_setup(void); -static void afl_forkserver(CPUArchState*); +static void afl_forkserver(CPUState*); static inline void afl_maybe_log(abi_ulong); -static void afl_wait_tsl(CPUArchState*, int); +static void afl_wait_tsl(CPUState*, int); static void afl_request_tsl(target_ulong, target_ulong, uint64_t); -static TranslationBlock *tb_find_slow(CPUArchState*, target_ulong, - target_ulong, uint64_t); - - /* Data structure passed around by the translate handlers: */ struct afl_tsl { 
@@ -99,12 +95,15 @@ uint64_t flags; }; +/* Some forward decls: */ + +TranslationBlock *tb_htable_lookup(CPUState*, target_ulong, target_ulong, uint32_t); +static inline TranslationBlock *tb_find(CPUState*, TranslationBlock*, int); /************************* * ACTUAL IMPLEMENTATION * *************************/ - /* Set up SHM region and initialize other stuff. */ static void afl_setup(void) { @@ -149,12 +148,18 @@ } + /* pthread_atfork() seems somewhat broken in util/rcu.c, and I'm + not entirely sure what is the cause. This disables that + behaviour, and seems to work alright? */ + + rcu_disable_atfork(); + } /* Fork server logic, invoked once we hit _start. */ -static void afl_forkserver(CPUArchState *env) { +static void afl_forkserver(CPUState *cpu) { static unsigned char tmp[4]; @@ -178,7 +183,7 @@ if (read(FORKSRV_FD, tmp, 4) != 4) exit(2); - /* Establish a channel with child to grab translation commands. We'll + /* Establish a channel with child to grab translation commands. We'll read from t_fd[0], child will write to TSL_FD. */ if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3); @@ -207,7 +212,7 @@ /* Collect translation requests until child dies and closes the pipe. */ - afl_wait_tsl(env, t_fd[0]); + afl_wait_tsl(cpu, t_fd[0]); /* Get and relay exit status to parent. */ @@ -269,13 +274,13 @@ } - /* This is the other side of the same channel. Since timeouts are handled by afl-fuzz simply killing the child, we can just wait until the pipe breaks. */ -static void afl_wait_tsl(CPUArchState *env, int fd) { +static void afl_wait_tsl(CPUState *cpu, int fd) { struct afl_tsl t; + TranslationBlock *tb; while (1) { 
@@ -284,11 +289,18 @@ if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) break; - tb_find_slow(env, t.pc, t.cs_base, t.flags); + tb = tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags); + + if(!tb) { + mmap_lock(); + tb_lock(); + tb_gen_code(cpu, t.pc, t.cs_base, t.flags, 0); + mmap_unlock(); + tb_unlock(); + } } close(fd); } - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/cpu-exec.diff new/afl-2.52b/qemu_mode/patches/cpu-exec.diff --- old/afl-2.51b/qemu_mode/patches/cpu-exec.diff 2015-04-30 05:35:43.000000000 +0200 +++ new/afl-2.52b/qemu_mode/patches/cpu-exec.diff 2017-11-05 03:24:52.000000000 +0100 
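Review bot: `tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags)` is declared in this file's own forward declaration with a `uint32_t` flags argument (and `tb_gen_code` in QEMU 2.10 presumably matches), but `struct afl_tsl` earlier in the file still declares `uint64_t flags` and `afl_request_tsl` is still prototyped with `uint64_t`, so the value read from the pipe is implicitly narrowed on every call. That is harmless as long as both ends of the pipe agree on the struct layout, but the mismatch produces -Wconversion noise and would hide a real bug if the two sides ever drifted; change the field and the afl_request_tsl prototype to `uint32_t flags` so the struct matches what the 2.10 API consumes. Also, unlike upstream tb_find, the lookup is not repeated after taking `tb_lock()`; that is fine here only because the fork-server parent is single-threaded, which deserves a one-line comment above the `if(!tb)`.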
@@ -1,33 +1,28 @@ ---- qemu-2.3.0/cpu-exec.c.orig 2014-12-09 14:45:40.000000000 +0000 -+++ qemu-2.3.0/cpu-exec.c 2015-02-20 22:07:02.966000000 +0000 -@@ -28,6 +28,8 @@ - #include "exec/memory-internal.h" - #include "qemu/rcu.h" - +--- qemu-2.10.0-rc3-clean/accel/tcg/cpu-exec.c 2017-08-15 11:39:41.000000000 -0700 ++++ qemu-2.10.0-rc3/accel/tcg/cpu-exec.c 2017-08-22 14:34:55.868730680 -0700 +@@ -36,6 +36,8 @@ + #include "sysemu/cpus.h" + #include "sysemu/replay.h" + +#include "../patches/afl-qemu-cpu-inl.h" + /* -icount align implementation. */ - + typedef struct SyncClocks { -@@ -296,8 +298,11 @@ - } - not_found: - /* if no translated code available, then translate it now */ +@@ -144,6 +146,8 @@ + int tb_exit; + uint8_t *tb_ptr = itb->tc_ptr; + ++ AFL_QEMU_CPU_SNIPPET2; + - tb = tb_gen_code(cpu, pc, cs_base, flags, 0); - -+ AFL_QEMU_CPU_SNIPPET1; -+ - found: - /* Move the last found TB to the head of the list */ - if (likely(*ptb1)) { -@@ -492,6 +497,9 @@ - next_tb = 0; - tcg_ctx.tb_ctx.tb_invalidated_flag = 0; - } -+ -+ AFL_QEMU_CPU_SNIPPET2; -+ - if (qemu_loglevel_mask(CPU_LOG_EXEC)) { - qemu_log("Trace %p [" TARGET_FMT_lx "] %s\n", - tb->tc_ptr, tb->pc, lookup_symbol(tb->pc)); + qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc, + "Trace %p [%d: " TARGET_FMT_lx "] %s\n", + itb->tc_ptr, cpu->cpu_index, itb->pc, +@@ -365,6 +369,7 @@ + if (!tb) { + /* if no translated code available, then translate it now */ + tb = tb_gen_code(cpu, pc, cs_base, flags, 0); ++ AFL_QEMU_CPU_SNIPPET1; + } + + mmap_unlock(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/elfload.diff new/afl-2.52b/qemu_mode/patches/elfload.diff --- old/afl-2.51b/qemu_mode/patches/elfload.diff 2015-04-30 05:36:10.000000000 +0200 +++ new/afl-2.52b/qemu_mode/patches/elfload.diff 2017-11-05 03:24:52.000000000 +0100 
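Review bot: AFL_QEMU_CPU_SNIPPET2 now lives in cpu_tb_exec, which is entered only when the main loop dispatches a block; if translated blocks chain directly to each other the snippet is skipped for the chained ones, so coverage in this layout depends entirely on the `QEMU_LOG=nochain` that the AFL front-ends export. afl-qemu-trace started by anything else (a third-party harness, a manual run) would then silently report partial coverage rather than fail. If QEMU 2.10 exposes the nochain setting as a log bit (I believe it is named CPU_LOG_TB_NOCHAIN, to be confirmed), setting it from afl_setup() would make the binary self-sufficient; at minimum the comment above the snippet should state `/* Requires TB chaining to be disabled (QEMU_LOG=nochain), otherwise chained blocks bypass this hook. */`.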
@@ -1,6 +1,6 @@ ---- qemu-2.3.0/linux-user/elfload.c.orig 2014-12-09 14:45:42.000000000 +0000 -+++ qemu-2.3.0/linux-user/elfload.c 2015-01-28 02:51:23.719000000 +0000 -@@ -28,6 +28,8 @@ +--- qemu-2.10.0-rc3-clean/linux-user/elfload.c 2017-08-15 11:39:41.000000000 -0700 ++++ qemu-2.10.0-rc3/linux-user/elfload.c 2017-08-22 14:33:57.397127516 -0700 +@@ -20,6 +20,8 @@ #define ELF_OSABI ELFOSABI_SYSV @@ -9,7 +9,7 @@ /* from personality.h */ /* -@@ -1889,6 +1891,8 @@ +@@ -2085,6 +2087,8 @@ info->brk = 0; info->elf_flags = ehdr->e_flags; @@ -18,7 +18,7 @@ for (i = 0; i < ehdr->e_phnum; i++) { struct elf_phdr *eppnt = phdr + i; if (eppnt->p_type == PT_LOAD) { -@@ -1922,9 +1926,11 @@ +@@ -2118,9 +2122,11 @@ if (elf_prot & PROT_EXEC) { if (vaddr < info->start_code) { info->start_code = vaddr; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/syscall.diff new/afl-2.52b/qemu_mode/patches/syscall.diff --- old/afl-2.51b/qemu_mode/patches/syscall.diff 2015-04-30 05:36:29.000000000 +0200 +++ new/afl-2.52b/qemu_mode/patches/syscall.diff 2017-11-05 03:24:52.000000000 +0100 
@@ -1,25 +1,35 @@ ---- qemu-2.3.0/linux-user/syscall.c.orig 2014-12-09 14:45:43.000000000 +0000 -+++ qemu-2.3.0/linux-user/syscall.c 2015-03-27 06:33:00.736000000 +0000 -@@ -227,7 +227,21 @@ - _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo) - _syscall3(int,sys_syslog,int,type,char*,bufp,int,len) - #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill) --_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig) -+ +--- qemu-2.10.0-rc3-clean/linux-user/syscall.c 2017-08-15 11:39:41.000000000 -0700 ++++ qemu-2.10.0-rc3/linux-user/syscall.c 2017-08-22 14:34:03.193088186 -0700 +@@ -116,6 +116,8 @@ + + #include "qemu.h" + +extern unsigned int afl_forksrv_pid; + -+static int sys_tgkill(int tgid, int pid, int sig) { -+ -+ /* Workaround for -lpthread to make abort() work properly, without -+ killing the forkserver due to a prematurely cached PID. */ -+ -+ if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) -+ pid = tgid = getpid(); -+ -+ return syscall(__NR_sys_tgkill, pid, tgid, sig); -+ -+} -+ + #ifndef CLONE_IO + #define CLONE_IO 0x80000000 /* Clone io context */ #endif - #if defined(TARGET_NR_tkill) && defined(__NR_tkill) - _syscall2(int,sys_tkill,int,tid,int,sig) +@@ -11688,8 +11690,21 @@ + break; + + case TARGET_NR_tgkill: +- ret = get_errno(safe_tgkill((int)arg1, (int)arg2, +- target_to_host_signal(arg3))); ++ ++ { ++ int pid = (int)arg1, ++ tgid = (int)arg2, ++ sig = (int)arg3; ++ ++ /* Not entirely sure if the below is correct for all architectures. 
*/ ++ ++ if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) ++ pid = tgid = getpid(); ++ ++ ret = get_errno(safe_tgkill(pid, tgid, target_to_host_signal(sig))); ++ ++ } ++ + break; + + #ifdef TARGET_NR_set_robust_list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/translate-all.diff new/afl-2.52b/qemu_mode/patches/translate-all.diff --- old/afl-2.51b/qemu_mode/patches/translate-all.diff 2015-04-30 05:36:45.000000000 +0200 +++ new/afl-2.52b/qemu_mode/patches/translate-all.diff 1970-01-01 01:00:00.000000000 +0100 @@ -1,18 +0,0 @@ ---- qemu-2.3.0/translate-all.c.orig 2014-12-09 14:45:46.000000000 +0000 -+++ qemu-2.3.0/translate-all.c 2015-01-28 22:37:42.383000000 +0000 -@@ -393,8 +393,13 @@ - /* We can't use g_malloc because it may recurse into a locked mutex. */ - # define ALLOC(P, SIZE) \ - do { \ -- P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ -- MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ -+ void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ -+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ -+ if (_tmp == (void*)-1) { \ -+ qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \ -+ exit(1); \ -+ } \ -+ (P) = _tmp; \ - } while (0) - #else - # define ALLOC(P, SIZE) \
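Review bot: In the tgkill override, `sig == SIGABRT` compares the guest's signal number (`arg3`) against the host constant, while the delivery one line later uses `target_to_host_signal(sig)`; the two only agree where guest and host number SIGABRT identically, which the patch's own comment ("Not entirely sure if the below is correct for all architectures") flags as unknown. Comparing the converted value, `if (afl_forksrv_pid && afl_forksrv_pid == pid && target_to_host_signal(sig) == SIGABRT)`, removes that uncertainty and lets the comment go. The local names are also swapped relative to tgkill(2), where the first argument is the thread-group id and the second the thread id; `safe_tgkill(pid, tgid, ...)` keeps the original argument order so behaviour is unchanged, but naming them `tgid = (int)arg1, tid = (int)arg2` would make the `afl_forksrv_pid == pid` check read as what it is, a match on the thread-group id that glibc's abort() cached before the fork, as the 2.3.0 version's comment explained.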