Hello community,

here is the log from the commit of package afl for openSUSE:Factory checked in 
at 2017-11-07 10:00:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
 and      /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "afl"

Tue Nov  7 10:00:41 2017 rev:39 rq:539104 version:2.52b

Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes  2017-09-04 12:39:09.651552081 
+0200
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes     2017-11-07 
10:01:22.142964702 +0100
@@ -1,0 +2,13 @@
+Sun Nov  5 07:57:53 UTC 2017 - mar...@gmx.de
+
+- Update to version 2.52b:
+  * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting
+    several weird issues.
+  * Added setsid to afl-showmap. See the notes for 2.51b.
+  * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats.
+  * afl-tmin should now save a partially minimized file when Ctrl-C
+    is pressed.
+  * Added an option for afl-analyze to dump offsets in hex.
+  * Added support for parameters in triage_crashes.sh.
+
+-------------------------------------------------------------------

Old:
----
  afl-2.51b.tgz

New:
----
  afl-2.52b.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.a1n2eA/_old  2017-11-07 10:01:22.918936550 +0100
+++ /var/tmp/diff_new_pack.a1n2eA/_new  2017-11-07 10:01:22.922936405 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           afl
-Version:        2.51b
+Version:        2.52b
 Release:        0
 Summary:        American fuzzy lop is a security-oriented fuzzer
 License:        Apache-2.0
@@ -47,6 +47,7 @@
 %prep
 %setup -q
 %patch1 -p1
+sed -i 's|#!/usr/bin/env bash|#!/bin/bash|g' afl-cmin
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"

++++++ afl-2.51b.tgz -> afl-2.52b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/Makefile new/afl-2.52b/Makefile
--- old/afl-2.51b/Makefile      2017-01-15 02:50:54.000000000 +0100
+++ new/afl-2.52b/Makefile      2017-11-05 03:26:11.000000000 +0100
@@ -4,7 +4,7 @@
 #
 # Written and maintained by Michal Zalewski <lcam...@google.com>
 # 
-# Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
+# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
 # 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -111,8 +111,8 @@
 .NOTPARALLEL: clean
 
 clean:
-       rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out 
core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 
.test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
-       rm -rf out_dir qemu_mode/qemu-2.3.0
+       rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out 
core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 
.test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace
+       rm -rf out_dir qemu_mode/qemu-2.10.0
        $(MAKE) -C llvm_mode clean
        $(MAKE) -C libdislocator clean
        $(MAKE) -C libtokencap clean
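Review bot: The new `rm -f` line still names `qemu_mode/qemu-2.10.0.tar.bz2`, but build_qemu_support.sh in this same update switches the download to `qemu-${VERSION}.tar.xz`, so if `$ARCHIVE` there is derived from `QEMU_URL` (its definition is outside that hunk) the archive `make clean` removes no longer matches the one that gets downloaded. The version is also now spelled out twice in this recipe and once more as `VERSION` in the shell script; a single `QEMU_VERSION := 2.10.0` near the top of the Makefile and `qemu_mode/qemu-$(QEMU_VERSION).tar.xz` / `qemu_mode/qemu-$(QEMU_VERSION)` in the two `rm` lines would keep them in step. The long `rm -f` line is wrapped in this listing; it is a single recipe line in the file.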
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/afl-analyze.c new/afl-2.52b/afl-analyze.c
--- old/afl-2.51b/afl-analyze.c 2017-07-17 22:51:38.000000000 +0200
+++ new/afl-2.52b/afl-analyze.c 2017-11-05 03:26:03.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2016 Google Inc. All rights reserved.
+   Copyright 2016, 2017 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -68,6 +68,7 @@
            dev_null_fd = -1;          /* FD to /dev/null                   */
 
 static u8  edges_only,                /* Ignore hit counts?                */
+           use_hex_offsets,           /* Show hex offsets?                 */
            use_stdin = 1;             /* Use stdin for program input?      */
 
 static volatile u8
@@ -486,9 +487,13 @@
       /* Every 16 digits, display offset. */
 
       if (!((i + off) % 16)) {
-    
+
         if (off) SAYF(cRST cLCY ">");
-        SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off);
+
+        if (use_hex_offsets)
+          SAYF(cRST cGRA "%s[%06x] " cRST, (i + off) ? "\n" : "", i + off);
+        else
+          SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off);
 
       }
 
@@ -512,7 +517,10 @@
 
 #else
 
-    SAYF("    Offset %u, length %u: ", i, rlen);
+    if (use_hex_offsets)
+      SAYF("    Offset %x, length %u: ", i, rlen);
+    else
+      SAYF("    Offset %u, length %u: ", i, rlen);
 
     switch (rtype) {
 
@@ -874,6 +882,10 @@
   char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
   u8 *tmp, *cp, *rsl, *own_copy;
 
+  /* Workaround for a QEMU stability glitch. */
+
+  setenv("QEMU_LOG", "nochain", 1);
+
   memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
 
   /* Now we need to actually find qemu for argv[0]. */
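Review bot: `setenv("QEMU_LOG", "nochain", 1)` overwrites any QEMU_LOG the user already exported, so someone who set it to obtain QEMU's own logging loses that silently; the same four lines are added to afl-fuzz.c, afl-showmap.c and afl-tmin.c in this update. The comment "Workaround for a QEMU stability glitch" does not say what the glitch is; since cpu-exec.diff now places the per-block hook in cpu_tb_exec, the value presumably keeps QEMU from chaining blocks so the hook is reached for every one, which is worth recording, e.g. `/* QEMU_LOG=nochain: assumed to stop QEMU chaining TBs so the per-block hook in cpu_tb_exec runs for every block -- confirm; overrides any user-set QEMU_LOG. */`. The variable also belongs in the "Third-party variables set by afl-fuzz & other tools" section of docs/env_variables.txt, which the visible hunk only renumbers. The enclosing function starts and ends outside the hunk.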
@@ -1026,6 +1038,8 @@
 
   if (optind == argc || !in_file) usage(argv[0]);
 
+  use_hex_offsets = !!getenv("AFL_ANALYZE_HEX");
+
   setup_shm();
   setup_signal_handlers();
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/afl-fuzz.c new/afl-2.52b/afl-fuzz.c
--- old/afl-2.51b/afl-fuzz.c    2017-08-20 06:34:26.000000000 +0200
+++ new/afl-2.52b/afl-fuzz.c    2017-11-05 03:25:56.000000000 +0100
@@ -6,7 +6,7 @@
 
    Forkserver design by Jann Horn <jannh...@googlemail.com>
 
-   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -121,6 +121,7 @@
            skip_requested,            /* Skip request, via SIGUSR1        */
            run_over10m,               /* Run time over 10 minutes?        */
            persistent_mode,           /* Running in persistent mode?      */
+           deferred_mode,             /* Deferred forkserver mode?        */
            fast_cal;                  /* Try to calibrate faster?         */
 
 static s32 out_fd,                    /* Persistent fd for out_file       */
@@ -3428,6 +3429,7 @@
              "exec_timeout      : %u\n"
              "afl_banner        : %s\n"
              "afl_version       : " VERSION "\n"
+             "target_mode       : %s%s%s%s%s%s%s\n"
              "command_line      : %s\n",
              start_time / 1000, get_cur_time() / 1000, getpid(),
              queue_cycle ? (queue_cycle - 1) : 0, total_execs, eps,
@@ -3436,7 +3438,13 @@
              queued_variable, stability, bitmap_cvg, unique_crashes,
              unique_hangs, last_path_time / 1000, last_crash_time / 1000,
              last_hang_time / 1000, total_execs - last_crash_execs,
-             exec_tmout, use_banner, orig_cmdline);
+             exec_tmout, use_banner,
+             qemu_mode ? "qemu " : "", dumb_mode ? " dumb " : "",
+             no_forkserver ? "no_forksrv " : "", crash_mode ? "crash " : "",
+             persistent_mode ? "persistent " : "", deferred_mode ? "deferred " 
: "",
+             (qemu_mode || dumb_mode || no_forkserver || crash_mode ||
+              persistent_mode || deferred_mode) ? "" : "default",
+             orig_cmdline);
              /* ignore errors */
 
   fclose(f);
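Review bot: The mode fragments are inconsistent: `dumb_mode ? " dumb " : ""` carries a leading space while the other five do not, so a qemu+dumb run writes `qemu  dumb ` with a doubled space, and every non-default value ends in a trailing blank that readers of fuzzer_stats must strip. `"dumb "` fixes the first; for the second either accept it and document it in the comment above the format string, or build the value in a small helper that trims. The `deferred_mode ? "deferred " : ""` line is wrapped in this listing, and the enclosing function continues outside the hunk.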
@@ -6946,6 +6954,7 @@
 
     OKF(cPIN "Deferred forkserver binary detected.");
     setenv(DEFER_ENV_VAR, "1", 1);
+    deferred_mode = 1;
 
   } else if (getenv("AFL_DEFER_FORKSRV")) {
 
@@ -7596,6 +7605,10 @@
   char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
   u8 *tmp, *cp, *rsl, *own_copy;
 
+  /* Workaround for a QEMU stability glitch. */
+
+  setenv("QEMU_LOG", "nochain", 1);
+
   memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
 
   new_argv[2] = target_path;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/afl-showmap.c new/afl-2.52b/afl-showmap.c
--- old/afl-2.51b/afl-showmap.c 2017-07-04 22:46:53.000000000 +0200
+++ new/afl-2.52b/afl-showmap.c 2017-11-05 03:26:43.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -293,6 +293,8 @@
 
     if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
 
+    setsid();
+
     execv(target_path, argv);
 
     *(u32*)trace_bits = EXEC_FAIL_SIG;
@@ -557,6 +559,10 @@
   char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
   u8 *tmp, *cp, *rsl, *own_copy;
 
+  /* Workaround for a QEMU stability glitch. */
+
+  setenv("QEMU_LOG", "nochain", 1);
+
   memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
 
   new_argv[2] = target_path;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/afl-tmin.c new/afl-2.52b/afl-tmin.c
--- old/afl-2.51b/afl-tmin.c    2017-08-31 06:25:50.000000000 +0200
+++ new/afl-2.52b/afl-tmin.c    2017-11-05 03:26:50.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -341,8 +341,11 @@
   total_execs++;
 
   if (stop_soon) {
+
     SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST);
+    close(write_to_file(out_file, in_data, in_len));
     exit(1);
+
   }
 
   /* Always discard inputs that time out. */
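Review bot: The abort message on the line above the new `close(write_to_file(out_file, in_data, in_len))` does not tell the user that a partial result was just written to `out_file`, which is the whole point of the change; extending it to `"\n+++ Minimization aborted by user, partial result saved +++\n"` makes the behaviour visible. A comment stating that `in_data` holds the best candidate so far rather than the input currently under test would also help — that is presumably what makes the save meaningful, but the function's body is outside the hunk, so confirm before writing it. The enclosing function starts and ends outside the hunk.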
@@ -891,6 +894,10 @@
   char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
   u8 *tmp, *cp, *rsl, *own_copy;
 
+  /* Workaround for a QEMU stability glitch. */
+
+  setenv("QEMU_LOG", "nochain", 1);
+
   memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
 
   /* Now we need to actually find qemu for argv[0]. */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/config.h new/afl-2.52b/config.h
--- old/afl-2.51b/config.h      2017-08-31 06:27:31.000000000 +0200
+++ new/afl-2.52b/config.h      2017-11-05 03:24:47.000000000 +0100
@@ -21,7 +21,7 @@
 
 /* Version string: */
 
-#define VERSION             "2.51b"
+#define VERSION             "2.52b"
 
 /******************************************************
  *                                                    *
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/docs/ChangeLog new/afl-2.52b/docs/ChangeLog
--- old/afl-2.51b/docs/ChangeLog        2017-08-31 06:27:21.000000000 +0200
+++ new/afl-2.52b/docs/ChangeLog        2017-11-05 03:25:03.000000000 +0100
@@ -17,6 +17,27 @@
 to get on with the times.
 
 ---------------------------
+Version 2.52b (2017-11-04):
+---------------------------
+
+  - Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting
+    several weird issues. All the legwork done by Andrew Griffiths.
+
+  - Added setsid to afl-showmap. See the notes for 2.51b.
+
+  - Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats.
+    Requested by Jakub Wilk.
+
+  - afl-tmin should now save a partially minimized file when Ctrl-C
+    is pressed. Suggested by Jakub Wilk.
+
+  - Added an option for afl-analyze to dump offsets in hex. Suggested by
+    Jakub Wilk.
+
+  - Added support for parameters in triage_crashes.sh. Patch by Adam of
+    DC949.
+
+---------------------------
 Version 2.51b (2017-08-30):
 ---------------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/docs/env_variables.txt 
new/afl-2.52b/docs/env_variables.txt
--- old/afl-2.51b/docs/env_variables.txt        2017-08-06 16:30:17.000000000 
+0200
+++ new/afl-2.52b/docs/env_variables.txt        2017-11-05 03:25:03.000000000 
+0100
@@ -213,7 +213,13 @@
 may prevent the tool from "jumping" from one crashing condition to another in
 very buggy software. You probably want to combine it with the -e flag.
 
-7) Settings for libdislocator.so
+7) Settings for afl-analyze
+---------------------------
+
+You can set AFL_ANALYZE_HEX to get file offsets printed as hexadecimal instead
+of decimal.
+
+8) Settings for libdislocator.so
 --------------------------------
 
 The library honors three environmental variables:
@@ -233,14 +239,14 @@
     of the common allocators check for that internally and return NULL, so
     it's a security risk only in more exotic setups.
 
-8) Settings for libtokencap.so
+9) Settings for libtokencap.so
 ------------------------------
 
 This library accepts AFL_TOKEN_FILE to indicate the location to which the
 discovered tokens should be written.
 
-9) Third-party variables set by afl-fuzz & other tools
-------------------------------------------------------
+10) Third-party variables set by afl-fuzz & other tools
+-------------------------------------------------------
 
 Several variables are not directly interpreted by afl-fuzz, but are set to
 optimal values if not already present in the environment:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/docs/status_screen.txt 
new/afl-2.52b/docs/status_screen.txt
--- old/afl-2.51b/docs/status_screen.txt        2017-04-12 06:32:13.000000000 
+0200
+++ new/afl-2.52b/docs/status_screen.txt        2017-11-05 03:25:03.000000000 
+0100
@@ -297,7 +297,8 @@
 
 Next, we have the number of new paths found during this fuzzing section and
 imported from other fuzzer instances when doing parallelized fuzzing; and the
-number of inputs that produce seemingly variable behavior in the tested binary.
+extent to which identical inputs appear to sometimes produce variable behavior
+in the tested binary.
 
 That last bit is actually fairly interesting: it measures the consistency of
 observed traces. If a program always behaves the same for the same input data,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/afl-2.51b/experimental/crash_triage/triage_crashes.sh 
new/afl-2.52b/experimental/crash_triage/triage_crashes.sh
--- old/afl-2.51b/experimental/crash_triage/triage_crashes.sh   2017-07-17 
22:46:13.000000000 +0200
+++ new/afl-2.52b/experimental/crash_triage/triage_crashes.sh   2017-11-05 
03:25:21.000000000 +0100
@@ -5,7 +5,7 @@
 #
 # Written and maintained by Michal Zalewski <lcam...@google.com>
 #
-# Copyright 2013, 2014 Google Inc. All rights reserved.
+# Copyright 2013, 2014, 2017 Google Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,18 +28,16 @@
 ulimit -v 100000 2>/dev/null
 ulimit -d 100000 2>/dev/null
 
-if [ ! "$#" = "2" ]; then
-  echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary" 1>&2
-  echo 1>&2
-  echo "Note: the tested binary must accept input on stdin and require no 
additional" 1>&2
-  echo "parameters. For more complex use cases, you need to edit this script." 
1>&2
+if [ "$#" -lt "2" ]; then
+  echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary [...target 
params...]" 1>&2
   echo 1>&2
   exit 1
 fi
 
 DIR="$1"
 BIN="$2"
-
+shift
+shift
 
 if [ "$AFL_ALLOW_TMP" = "" ]; then
 
@@ -85,11 +83,33 @@
   id=`basename -- "$crash" | cut -d, -f1 | cut -d: -f2`
   sig=`basename -- "$crash" | cut -d, -f2 | cut -d: -f2`
 
+  # Grab the args, converting @@ to $crash
+
+  use_args=""
+  use_stdio=1
+
+  for a in $@; do
+
+    if [ "$a" = "@@" ] ; then
+      args="$use_args $crash"
+      unset use_stdio
+    else
+      args="$use_args $a"
+    fi
+
+  done
+
+  # Strip the trailing space
+  use_args="${use_args# }"
+
   echo "+++ ID $id, SIGNAL $sig +++"
   echo
 
-  $GDB --batch -q --ex "r <$crash" --ex 'back' --ex 'disass $pc, $pc+16' --ex 
'info reg' --ex 'quit' "$BIN" 0</dev/null
+  if [ "$use_stdio" = "1" ]; then  
+    $GDB --batch -q --ex "r $use_args <$crash" --ex 'back' --ex 'disass $pc, 
$pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0</dev/null
+  else
+    $GDB --batch -q --ex "r $use_args" --ex 'back' --ex 'disass $pc, $pc+16' 
--ex 'info reg' --ex 'quit' "$BIN" 0</dev/null
+  fi
   echo
 
 done
-
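Review bot: The loop on the new side never updates the variable it later uses: both branches assign `args=`, while the gdb lines read `$use_args`, so `use_args` stays empty, target parameters are never passed, and `@@` only has the side effect of clearing `use_stdio`. `for a in $@` is also unquoted, so a parameter containing whitespace is split into several, and the comment says "trailing" where `${use_args# }` strips a leading space. The corrected loop is below; `$crash` and the parameters still end up unquoted inside gdb's `r` command line, which is inherited from the old version.
```shell
  # Grab the args, converting @@ to $crash

  use_args=""
  use_stdio=1

  for a in "$@"; do

    if [ "$a" = "@@" ] ; then
      use_args="$use_args $crash"
      unset use_stdio
    else
      use_args="$use_args $a"
    fi

  done

  # Strip the leading space
  use_args="${use_args# }"

  # … unchanged: gdb invocation …
```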
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/README.qemu 
new/afl-2.52b/qemu_mode/README.qemu
--- old/afl-2.51b/qemu_mode/README.qemu 2017-01-15 02:51:50.000000000 +0100
+++ new/afl-2.52b/qemu_mode/README.qemu 2017-11-05 03:24:50.000000000 +0100
@@ -21,7 +21,7 @@
 2) How to use
 -------------
 
-The feature is implemented with a fairly simple patch to QEMU 2.3.0. The
+The feature is implemented with a fairly simple patch to QEMU 2.10.0. The
 simplest way to build it is to run ./build_qemu_support.sh. The script will
 download, configure, and compile the QEMU binary for you.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/build_qemu_support.sh 
new/afl-2.52b/qemu_mode/build_qemu_support.sh
--- old/afl-2.51b/qemu_mode/build_qemu_support.sh       2016-03-08 
08:10:20.000000000 +0100
+++ new/afl-2.52b/qemu_mode/build_qemu_support.sh       2017-11-05 
03:25:32.000000000 +0100
@@ -6,7 +6,7 @@
 # Written by Andrew Griffiths <agriffi...@google.com> and
 #            Michal Zalewski <lcam...@google.com>
 #
-# Copyright 2015, 2016 Google Inc. All rights reserved.
+# Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,8 +22,10 @@
 # will be written to ../afl-qemu-trace.
 #
 
-QEMU_URL="http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2";
-QEMU_SHA384="7a0f0c900f7e2048463cc32ff3e904965ab466c8428847400a0f2dcfe458108a68012c4fddb2a7e7c822b4fd1a49639b"
+
+VERSION="2.10.0"
+QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz";
+QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105"
 
 echo "================================================="
 echo "AFL binary-only instrumentation QEMU build script"
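Review bot: `QEMU_URL` still fetches over plain http; the pinned `QEMU_SHA384` on the next line is what actually protects the archive, so a tampered download fails the check instead of being built, but each such attempt still costs a full download and an unexplained failure. If the mirror serves TLS, `https://download.qemu-project.org/qemu-${VERSION}.tar.xz` removes that, and the checksum line deserves a comment stating that it is the authoritative guard, e.g. `# SHA-384 of the official qemu-${VERSION}.tar.xz; any archive that does not match is refused below.`. `VERSION` is a generic name for a script-wide constant; `QEMU_VERSION` would match `QEMU_URL` and `QEMU_SHA384`.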
@@ -89,7 +91,7 @@
 
 if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then
 
-  echo "[*] Downloading QEMU 2.3.0 from the web..."
+  echo "[*] Downloading QEMU ${VERSION} from the web..."
   rm -f "$ARCHIVE"
   wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1
 
@@ -110,32 +112,34 @@
 
 echo "[*] Uncompressing archive (this will take a while)..."
 
-rm -rf "qemu-2.3.0" || exit 1
+rm -rf "qemu-${VERSION}" || exit 1
 tar xf "$ARCHIVE" || exit 1
 
 echo "[+] Unpacking successful."
 
-echo "[*] Applying patches..."
-
-patch -p0 <patches/elfload.diff || exit 1
-patch -p0 <patches/cpu-exec.diff || exit 1
-patch -p0 <patches/translate-all.diff || exit 1
-patch -p0 <patches/syscall.diff || exit 1
-
-echo "[+] Patching done."
+echo "[*] Configuring QEMU for $CPU_TARGET..."
 
 ORIG_CPU_TARGET="$CPU_TARGET"
 
 test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
 test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"
 
-echo "[*] Configuring QEMU for $CPU_TARGET..."
+cd qemu-$VERSION || exit 1
+
+echo "[*] Applying patches..."
+
+patch -p1 <../patches/elfload.diff || exit 1
+patch -p1 <../patches/cpu-exec.diff || exit 1
+patch -p1 <../patches/syscall.diff || exit 1
+
+echo "[+] Patching done."
 
-cd qemu-2.3.0 || exit 1
+# --enable-pie seems to give a couple of exec's a second performance
+# improvement, much to my surprise. Not sure how universal this is..
 
-CFLAGS="-O3" ./configure --disable-system --enable-linux-user \
-  --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \
-  --target-list="${CPU_TARGET}-linux-user" || exit 1
+CFLAGS="-O3 -ggdb" ./configure --disable-system \
+  --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
+  --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1
 
 echo "[+] Configuration complete."
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/afl-qemu-cpu-inl.h 
new/afl-2.52b/qemu_mode/patches/afl-qemu-cpu-inl.h
--- old/afl-2.51b/qemu_mode/patches/afl-qemu-cpu-inl.h  2016-02-20 
23:22:07.000000000 +0100
+++ new/afl-2.52b/qemu_mode/patches/afl-qemu-cpu-inl.h  2017-11-05 
03:24:52.000000000 +0100
@@ -7,7 +7,7 @@
 
    Idea & design very much by Andrew Griffiths.
 
-   Copyright 2015, 2016 Google Inc. All rights reserved.
+   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
      http://www.apache.org/licenses/LICENSE-2.0
 
    This code is a shim patched into the separately-distributed source
-   code of QEMU 2.2.0. It leverages the built-in QEMU tracing functionality
+   code of QEMU 2.10.0. It leverages the built-in QEMU tracing functionality
    to implement AFL-style instrumentation and to take care of the remaining
    parts of the AFL fork server logic.
 
@@ -47,11 +47,11 @@
    regular instrumentation injected via afl-as.h. */
 
 #define AFL_QEMU_CPU_SNIPPET2 do { \
-    if(tb->pc == afl_entry_point) { \
+    if(itb->pc == afl_entry_point) { \
       afl_setup(); \
-      afl_forkserver(env); \
+      afl_forkserver(cpu); \
     } \
-    afl_maybe_log(tb->pc); \
+    afl_maybe_log(itb->pc); \
   } while (0)
 
 /* We use one additional file descriptor to relay "needs translation"
@@ -81,16 +81,12 @@
 /* Function declarations. */
 
 static void afl_setup(void);
-static void afl_forkserver(CPUArchState*);
+static void afl_forkserver(CPUState*);
 static inline void afl_maybe_log(abi_ulong);
 
-static void afl_wait_tsl(CPUArchState*, int);
+static void afl_wait_tsl(CPUState*, int);
 static void afl_request_tsl(target_ulong, target_ulong, uint64_t);
 
-static TranslationBlock *tb_find_slow(CPUArchState*, target_ulong,
-                                      target_ulong, uint64_t);
-
-
 /* Data structure passed around by the translate handlers: */
 
 struct afl_tsl {
@@ -99,12 +95,15 @@
   uint64_t flags;
 };
 
+/* Some forward decls: */
+
+TranslationBlock *tb_htable_lookup(CPUState*, target_ulong, target_ulong, 
uint32_t);
+static inline TranslationBlock *tb_find(CPUState*, TranslationBlock*, int);
 
 /*************************
  * ACTUAL IMPLEMENTATION *
  *************************/
 
-
 /* Set up SHM region and initialize other stuff. */
 
 static void afl_setup(void) {
@@ -149,12 +148,18 @@
 
   }
 
+  /* pthread_atfork() seems somewhat broken in util/rcu.c, and I'm
+     not entirely sure what is the cause. This disables that
+     behaviour, and seems to work alright? */
+
+  rcu_disable_atfork();
+
 }
 
 
 /* Fork server logic, invoked once we hit _start. */
 
-static void afl_forkserver(CPUArchState *env) {
+static void afl_forkserver(CPUState *cpu) {
 
   static unsigned char tmp[4];
 
@@ -178,7 +183,7 @@
 
     if (read(FORKSRV_FD, tmp, 4) != 4) exit(2);
 
-    /* Establish a channel with child to grab translation commands. We'll 
+    /* Establish a channel with child to grab translation commands. We'll
        read from t_fd[0], child will write to TSL_FD. */
 
     if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3);
@@ -207,7 +212,7 @@
 
     /* Collect translation requests until child dies and closes the pipe. */
 
-    afl_wait_tsl(env, t_fd[0]);
+    afl_wait_tsl(cpu, t_fd[0]);
 
     /* Get and relay exit status to parent. */
 
@@ -269,13 +274,13 @@
 
 }
 
-
 /* This is the other side of the same channel. Since timeouts are handled by
    afl-fuzz simply killing the child, we can just wait until the pipe breaks. 
*/
 
-static void afl_wait_tsl(CPUArchState *env, int fd) {
+static void afl_wait_tsl(CPUState *cpu, int fd) {
 
   struct afl_tsl t;
+  TranslationBlock *tb;
 
   while (1) {
 
@@ -284,11 +289,18 @@
     if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
       break;
 
-    tb_find_slow(env, t.pc, t.cs_base, t.flags);
+    tb = tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags);
+
+    if(!tb) {
+      mmap_lock();
+      tb_lock();
+      tb_gen_code(cpu, t.pc, t.cs_base, t.flags, 0);
+      mmap_unlock();
+      tb_unlock();
+    }
 
   }
 
   close(fd);
 
 }
-
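Review bot: `tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags)` passes `t.flags`, declared `uint64_t` in `struct afl_tsl` in an earlier hunk of this file, to a parameter this file forward-declares as `uint32_t`, so the value is silently narrowed; if the 2.10.0 `tb_gen_code` on the next lines takes the same `uint32_t` (its prototype is not on this page), the struct field and `afl_request_tsl`'s third parameter should become `uint32_t` so both ends of the pipe agree and no narrowing is hidden. The locks are released in acquisition order rather than reverse (`mmap_unlock` before `tb_unlock`); if that deliberately mirrors QEMU's own lookup path, a one-line comment saying so saves the next reader the check. The forward declaration of `tb_find` added in the same file is not referenced by any visible hunk; drop it if nothing else uses it.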
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/cpu-exec.diff 
new/afl-2.52b/qemu_mode/patches/cpu-exec.diff
--- old/afl-2.51b/qemu_mode/patches/cpu-exec.diff       2015-04-30 
05:35:43.000000000 +0200
+++ new/afl-2.52b/qemu_mode/patches/cpu-exec.diff       2017-11-05 
03:24:52.000000000 +0100
@@ -1,33 +1,28 @@
---- qemu-2.3.0/cpu-exec.c.orig     2014-12-09 14:45:40.000000000 +0000
-+++ qemu-2.3.0/cpu-exec.c  2015-02-20 22:07:02.966000000 +0000
-@@ -28,6 +28,8 @@
- #include "exec/memory-internal.h"
- #include "qemu/rcu.h"
-
+--- qemu-2.10.0-rc3-clean/accel/tcg/cpu-exec.c 2017-08-15 11:39:41.000000000 
-0700
++++ qemu-2.10.0-rc3/accel/tcg/cpu-exec.c       2017-08-22 14:34:55.868730680 
-0700
+@@ -36,6 +36,8 @@
+ #include "sysemu/cpus.h"
+ #include "sysemu/replay.h"
+ 
 +#include "../patches/afl-qemu-cpu-inl.h"
 +
  /* -icount align implementation. */
-
+ 
  typedef struct SyncClocks {
-@@ -296,8 +298,11 @@
-     }
-  not_found:
-    /* if no translated code available, then translate it now */
+@@ -144,6 +146,8 @@
+     int tb_exit;
+     uint8_t *tb_ptr = itb->tc_ptr;
+ 
++    AFL_QEMU_CPU_SNIPPET2;
 +
-     tb = tb_gen_code(cpu, pc, cs_base, flags, 0);
-
-+    AFL_QEMU_CPU_SNIPPET1;
-+
-  found:
-     /* Move the last found TB to the head of the list */
-     if (likely(*ptb1)) {
-@@ -492,6 +497,9 @@
-                     next_tb = 0;
-                     tcg_ctx.tb_ctx.tb_invalidated_flag = 0;
-                 }
-+
-+                AFL_QEMU_CPU_SNIPPET2;
-+
-                 if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
-                     qemu_log("Trace %p [" TARGET_FMT_lx "] %s\n",
-                              tb->tc_ptr, tb->pc, lookup_symbol(tb->pc));
+     qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
+                            "Trace %p [%d: " TARGET_FMT_lx "] %s\n",
+                            itb->tc_ptr, cpu->cpu_index, itb->pc,
+@@ -365,6 +369,7 @@
+             if (!tb) {
+                 /* if no translated code available, then translate it now */
+                 tb = tb_gen_code(cpu, pc, cs_base, flags, 0);
++                AFL_QEMU_CPU_SNIPPET1;
+             }
+ 
+             mmap_unlock();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/elfload.diff 
new/afl-2.52b/qemu_mode/patches/elfload.diff
--- old/afl-2.51b/qemu_mode/patches/elfload.diff        2015-04-30 
05:36:10.000000000 +0200
+++ new/afl-2.52b/qemu_mode/patches/elfload.diff        2017-11-05 
03:24:52.000000000 +0100
@@ -1,6 +1,6 @@
---- qemu-2.3.0/linux-user/elfload.c.orig       2014-12-09 14:45:42.000000000 
+0000
-+++ qemu-2.3.0/linux-user/elfload.c    2015-01-28 02:51:23.719000000 +0000
-@@ -28,6 +28,8 @@
+--- qemu-2.10.0-rc3-clean/linux-user/elfload.c 2017-08-15 11:39:41.000000000 
-0700
++++ qemu-2.10.0-rc3/linux-user/elfload.c       2017-08-22 14:33:57.397127516 
-0700
+@@ -20,6 +20,8 @@
  
  #define ELF_OSABI   ELFOSABI_SYSV
  
@@ -9,7 +9,7 @@
  /* from personality.h */
  
  /*
-@@ -1889,6 +1891,8 @@
+@@ -2085,6 +2087,8 @@
      info->brk = 0;
      info->elf_flags = ehdr->e_flags;
  
@@ -18,7 +18,7 @@
      for (i = 0; i < ehdr->e_phnum; i++) {
          struct elf_phdr *eppnt = phdr + i;
          if (eppnt->p_type == PT_LOAD) {
-@@ -1922,9 +1926,11 @@
+@@ -2118,9 +2122,11 @@
              if (elf_prot & PROT_EXEC) {
                  if (vaddr < info->start_code) {
                      info->start_code = vaddr;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/syscall.diff 
new/afl-2.52b/qemu_mode/patches/syscall.diff
--- old/afl-2.51b/qemu_mode/patches/syscall.diff        2015-04-30 
05:36:29.000000000 +0200
+++ new/afl-2.52b/qemu_mode/patches/syscall.diff        2017-11-05 
03:24:52.000000000 +0100
@@ -1,25 +1,35 @@
---- qemu-2.3.0/linux-user/syscall.c.orig       2014-12-09 14:45:43.000000000 
+0000
-+++ qemu-2.3.0/linux-user/syscall.c    2015-03-27 06:33:00.736000000 +0000
-@@ -227,7 +227,21 @@
- _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo)
- _syscall3(int,sys_syslog,int,type,char*,bufp,int,len)
- #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill)
--_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig)
-+
+--- qemu-2.10.0-rc3-clean/linux-user/syscall.c 2017-08-15 11:39:41.000000000 
-0700
++++ qemu-2.10.0-rc3/linux-user/syscall.c       2017-08-22 14:34:03.193088186 
-0700
+@@ -116,6 +116,8 @@
+ 
+ #include "qemu.h"
+ 
 +extern unsigned int afl_forksrv_pid;
 +
-+static int sys_tgkill(int tgid, int pid, int sig) {
-+
-+  /* Workaround for -lpthread to make abort() work properly, without
-+     killing the forkserver due to a prematurely cached PID. */
-+
-+  if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT)
-+    pid = tgid = getpid();
-+
-+  return syscall(__NR_sys_tgkill, pid, tgid, sig);
-+
-+}
-+
+ #ifndef CLONE_IO
+ #define CLONE_IO                0x80000000      /* Clone io context */
  #endif
- #if defined(TARGET_NR_tkill) && defined(__NR_tkill)
- _syscall2(int,sys_tkill,int,tid,int,sig)
+@@ -11688,8 +11690,21 @@
+         break;
+ 
+     case TARGET_NR_tgkill:
+-        ret = get_errno(safe_tgkill((int)arg1, (int)arg2,
+-                        target_to_host_signal(arg3)));
++
++        {
++          int pid  = (int)arg1,
++              tgid = (int)arg2,
++              sig  = (int)arg3;
++
++          /* Not entirely sure if the below is correct for all architectures. 
*/
++
++          if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT)
++              pid = tgid = getpid();
++
++          ret = get_errno(safe_tgkill(pid, tgid, target_to_host_signal(sig)));
++
++        }
++
+         break;
+ 
+ #ifdef TARGET_NR_set_robust_list
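Review bot: The `sig == SIGABRT` test compares `sig = (int)arg3`, the guest's signal number, while the call two lines later passes `target_to_host_signal(sig)`, so the match is only right where guest and host numbering agree — which is the doubt the inserted comment voices. Converting first removes the dependency: `sig = target_to_host_signal(arg3);`, then `if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT)` unchanged, and `ret = get_errno(safe_tgkill(pid, tgid, sig));`. The local names are also inverted relative to tgkill(2)'s `(tgid, tid, sig)` order — `arg1` is the thread-group id and `arg2` the thread id — which is harmless because the call keeps the original argument order, but renaming them `tgid`/`tid` would stop the next reader from "fixing" it. The patch header references `qemu-2.10.0-rc3` paths while the build script fetches 2.10.0 final; `patch -p1` strips that directory, so this only matters if the hunk offsets drifted between rc3 and the release.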
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.51b/qemu_mode/patches/translate-all.diff 
new/afl-2.52b/qemu_mode/patches/translate-all.diff
--- old/afl-2.51b/qemu_mode/patches/translate-all.diff  2015-04-30 
05:36:45.000000000 +0200
+++ new/afl-2.52b/qemu_mode/patches/translate-all.diff  1970-01-01 
01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
---- qemu-2.3.0/translate-all.c.orig     2014-12-09 14:45:46.000000000 +0000
-+++ qemu-2.3.0/translate-all.c  2015-01-28 22:37:42.383000000 +0000
-@@ -393,8 +393,13 @@
-     /* We can't use g_malloc because it may recurse into a locked mutex. */
- # define ALLOC(P, SIZE)                                 \
-     do {                                                \
--        P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE,    \
--                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);   \
-+      void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \
-+                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
-+      if (_tmp == (void*)-1) { \
-+        qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \
-+        exit(1); \
-+      } \
-+      (P) = _tmp; \
-     } while (0)
- #else
- # define ALLOC(P, SIZE) \

