Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2015-04-12 00:11:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-04-10 10:20:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-04-12 00:11:15.000000000 +0200 @@ -1,0 +2,13 @@ +Sat Apr 11 07:15:12 UTC 2015 - astie...@suse.com + +- afl 1.62b: + - Improved the handling of -x in afl-clang-fast, + - Improved the handling of low AFL_INST_RATIO settings for QEMU and + LLVM modes. + - Fixed the llvm-config bug for good +- includes changes from 1.61b: + - Fixed an obscure bug compiling OpenSSL with afl-clang-fast. + - Fixed a 'make install' bug on non-x86 systems + - Fixed a problem with half-broken llvm-config + +------------------------------------------------------------------- Old: ---- afl-1.60b.tgz New: ---- afl-1.62b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.tC00hk/_old 2015-04-12 00:11:16.000000000 +0200 +++ /var/tmp/diff_new_pack.tC00hk/_new 2015-04-12 00:11:16.000000000 +0200 @@ -17,7 +17,7 @@ Name: afl -Version: 1.60b +Version: 1.62b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 ++++++ afl-1.60b.tgz -> afl-1.62b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/Makefile new/afl-1.62b/Makefile --- old/afl-1.60b/Makefile 2015-04-09 07:10:07.000000000 +0200 +++ new/afl-1.62b/Makefile 2015-04-10 03:40:25.000000000 +0200 @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 1.60b +VERSION = 1.62b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin 
@@ -105,7 +105,11 @@ rm -rf out_dir qemu_mode/qemu-2.2.0 cd llvm_mode && make clean +ifndef AFL_NOX86 install: all +else +install: nox86 +endif mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH) rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh install -m 755 afl-gcc afl-fuzz afl-showmap afl-plot afl-tmin afl-cmin afl-gotcpu afl-whatsup $${DESTDIR}$(BIN_PATH) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/docs/ChangeLog new/afl-1.62b/docs/ChangeLog --- old/afl-1.60b/docs/ChangeLog 2015-04-09 04:17:56.000000000 +0200 +++ new/afl-1.62b/docs/ChangeLog 2015-04-10 16:15:53.000000000 +0200 @@ -17,6 +17,30 @@ to get on with the times. -------------- +Version 1.62b: +-------------- + + - Improved the handling of -x in afl-clang-fast, + + - Improved the handling of low AFL_INST_RATIO settings for QEMU and + LLVM modes. + + - Fixed the llvm-config bug for good (thanks to Tobias Ospelt). + +-------------- +Version 1.61b: +-------------- + + - Fixed an obscure bug compiling OpenSSL with afl-clang-fast. Patch by + Laszlo Szekeres. + + - Fixed a 'make install' bug on non-x86 systems, thanks to Tobias Ospelt. + + - Fixed a problem with half-broken llvm-config on Odroid, thanks to + Tobias Ospelt. (There is another odd bug there that hasn't been fully + fixed - TBD). + +-------------- Version 1.60b: -------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/docs/env_variables.txt new/afl-1.62b/docs/env_variables.txt --- old/afl-1.60b/docs/env_variables.txt 2015-04-09 06:43:28.000000000 +0200 +++ new/afl-1.62b/docs/env_variables.txt 2015-04-10 05:54:12.000000000 +0200 
@@ -139,7 +139,7 @@ Note that AFL_INST_RATIO will behave a bit differently than for afl-gcc, because functions are *not* instrumented unconditionally - so low values -will have a more striking effect. +will have a more striking effect. For this tool, 0 is not a valid choice. 5) Settings for afl-cmin ------------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/docs/vuln_samples/sqlite-stack-exhaustion.sql new/afl-1.62b/docs/vuln_samples/sqlite-stack-exhaustion.sql --- old/afl-1.60b/docs/vuln_samples/sqlite-stack-exhaustion.sql 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.62b/docs/vuln_samples/sqlite-stack-exhaustion.sql 2015-04-10 06:04:15.000000000 +0200 @@ -0,0 +1 @@ +CREATE VIRTUAL TABLE t0 USING fts4(content=t0); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/llvm_mode/Makefile new/afl-1.62b/llvm_mode/Makefile --- old/afl-1.60b/llvm_mode/Makefile 2015-04-09 07:11:31.000000000 +0200 +++ new/afl-1.62b/llvm_mode/Makefile 2015-04-10 16:15:17.000000000 +0200 @@ -24,9 +24,6 @@ LLVM_CONFIG ?= llvm-config -CC = `$(LLVM_CONFIG) --bindir`/clang -CXX = `$(LLVM_CONFIG) --bindir`/clang++ - CFLAGS ?= -O3 -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ 
@@ -39,13 +36,22 @@ CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti $(CXXFLAGS) CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) +# We were using llvm-config --bindir to get the location of clang, but +# this seems to be busted on some distros, so using the one in $PATH is +# probably better. + +CC = clang +CXX = clang++ + PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o all: test_deps $(PROGS) test_build all_done test_deps: @echo "[*] Checking for working 'llvm-config'..." - @which $(LLVM_CONFIG) &>/dev/null || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG beforehand."; exit 1 ) + @which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) + @echo "[*] Checking for working '$(CC)'..." + @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH."; exit 1 ) @echo "[*] Checking for '../afl-showmap'..." @test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 ) @echo "[+] All set and ready to build." @@ -58,11 +64,11 @@ $(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL) ../afl-llvm-rt.o: afl-llvm-rt.o.c | test_deps - $(CC) $(CFLAGS) -c $< -o $@ + $(CC) $(CFLAGS) -fPIC -c $< -o $@ test_build: $(PROGS) @echo "[*] Testing the CC wrapper and instrumentation output..." - unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ../afl-clang-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS) + unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-clang-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS) echo 0 | ../afl-showmap -m none -q -o .test-instr0 ./test-instr echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr 
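Review bot: `CC = clang` and `CXX = clang++` in the first hunk are plain assignments, so a compiler supplied by a packager in the environment or on the command line is silently replaced by whichever `clang` comes first in `$PATH`; since `CC` is a make built-in, `?=` would not help, but guarding with `ifeq ($(origin CC),default)` / `CC = clang` / `endif` keeps the override possible. This matters because afl-llvm-pass.so is still compiled with `$(LLVM_CONFIG) --cxxflags` and `--ldflags`, so the pass can be built against one LLVM while the `$PATH` clang that loads it via `-Xclang -load` belongs to another, and as far as I know such a mismatch surfaces only when the plugin is loaded, not here. The new `test_deps` check proves only that `$(CC)` exists, not that it matches `$(LLVM_CONFIG)`; a comment beside the new assignments stating that the two are expected to come from the same LLVM installation would help users with several clang versions installed.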
@@ -74,4 +80,4 @@ clean: rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 - rm -f $(PROGS) + rm -f $(PROGS) ../afl-clang-fast++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/llvm_mode/afl-clang-fast.c new/afl-1.62b/llvm_mode/afl-clang-fast.c --- old/afl-1.60b/llvm_mode/afl-clang-fast.c 2015-04-09 06:37:52.000000000 +0200 +++ new/afl-1.62b/llvm_mode/afl-clang-fast.c 2015-04-10 03:39:22.000000000 +0200 @@ -97,7 +97,7 @@ static void edit_params(u32 argc, char** argv) { - u8 fortify_set = 0, asan_set = 0; + u8 fortify_set = 0, asan_set = 0, x_set = 0; u8 *name; cc_params = ck_alloc((argc + 32) * sizeof(u8*)); @@ -117,6 +117,7 @@ cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); + cc_params[cc_par_cnt++] = "-Qunused-arguments"; while (--argc) { u8* cur = *(++argv); @@ -125,6 +126,8 @@ if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported"); #endif + if (!strcmp(cur, "-x")) x_set = 1; + if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E")) maybe_linking = 0; @@ -178,9 +181,12 @@ if (maybe_linking) { - cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path); - cc_params[cc_par_cnt++] = "-Qunused-arguments"; + if (x_set) { + cc_params[cc_par_cnt++] = "-x"; + cc_params[cc_par_cnt++] = "none"; + } + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path); } cc_params[cc_par_cnt] = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/llvm_mode/afl-llvm-pass.so.cc new/afl-1.62b/llvm_mode/afl-llvm-pass.so.cc --- old/afl-1.60b/llvm_mode/afl-llvm-pass.so.cc 2015-04-09 08:21:20.000000000 +0200 +++ new/afl-1.62b/llvm_mode/afl-llvm-pass.so.cc 2015-04-10 05:18:04.000000000 +0200 
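Review bot: In the `@@ -125,6 +126,8 @@` hunk of afl-clang-fast.c, `if (!strcmp(cur, "-x")) x_set = 1;` recognises only the separated spelling of the option; the joined form that clang also accepts (`-xc`, `-xc++`) is not detected, so for those invocations the `-x none` added in the last hunk is skipped and the appended `afl-llvm-rt.o` is still passed under the user's language. Matching the prefix, `if (!strncmp(cur, "-x", 2)) x_set = 1;`, would cover both spellings; as far as I know no other gcc/clang option starts with lowercase `-x`. The last hunk would also read better with a one-line comment such as `/* Keep a user-supplied -x <lang> from applying to the runtime object we append. */`, since the intent is not obvious from the argument juggling. `edit_params` starts in the first hunk and continues past the last one.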
@@ -149,7 +149,6 @@ /* Set prev_loc to cur_loc >> 1 */ - // Update prev_loc StoreInst *Store = IRB.CreateStore(ConstantInt::get(Int16Ty, cur_loc >> 1), AFLPrevLoc); Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); @@ -163,7 +162,7 @@ if (!be_quiet) { if (!inst_blocks) WARNF("No instrumentation targets found."); - else OKF("Instrumented %u locations (%s-bit, ratio %u%%).", + else OKF("Instrumented %u locations (%s mode, ratio %u%%).", inst_blocks, getenv("AFL_HARDEN") ? "hardened" : "non-hardened", inst_ratio); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/llvm_mode/afl-llvm-rt.o.c new/afl-1.62b/llvm_mode/afl-llvm-rt.o.c --- old/afl-1.60b/llvm_mode/afl-llvm-rt.o.c 2015-04-09 05:39:51.000000000 +0200 +++ new/afl-1.62b/llvm_mode/afl-llvm-rt.o.c 2015-04-10 04:09:44.000000000 +0200 
@@ -35,30 +35,47 @@ u16 __afl_prev_loc; +/* Create some decoy memory as early as possible to get us through any + code that runs before main(). */ + +static void __afl_pre_map(void) { + + __afl_area_ptr = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + /* Whoops. */ + + if (__afl_area_ptr == (void *)-1) exit(1); + +} + + /* SHM setup. */ static void __afl_map_shm(void) { u8 *id_str = getenv(SHM_ENV_VAR); - /* Either attach to the specified region, or create a decoy map so that - we do not crash. */ + /* If we're running under AFL, attach to the appropriate region, get rid + of the early-stage map. */ if (id_str) { u32 shm_id = atoi(id_str); + + munmap(__afl_area_ptr, MAP_SIZE); __afl_area_ptr = shmat(shm_id, NULL, 0); - } else { + /* Whooooops. */ - __afl_area_ptr = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (__afl_area_ptr == (void *)-1) exit(1); - } + /* Write something into the bitmap so that even with low AFL_INST_RATIO, + our parent doesn't give up on us. */ - /* Whoops. */ + __afl_area_ptr[0] = 1; - if (__afl_area_ptr == (void *)-1) exit(1); + } } 
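Review bot: `munmap(__afl_area_ptr, MAP_SIZE)` in `__afl_map_shm` now assumes `__afl_pre_map` has already run, and the decoy mapping for the non-AFL case (the removed `else` branch) is delegated to it as well. That holds only where `.preinit_array` is honoured, which as far as I know is the main executable alone; when afl-llvm-rt.o is linked into a shared object (the `-fPIC` added to its compile rule in llvm_mode/Makefile in this same commit suggests that is intended) the `__afl_preinit_f` entry in the next hunk is either refused by the linker or not run by the loader, leaving `__afl_area_ptr` at its initial value (presumably NULL; the declaration is above the hunk) for any instrumented constructor code and for this `munmap`. A defensive fallback would be to call `__afl_pre_map()` at the top of `__afl_map_shm` when `__afl_area_ptr` is still NULL and to `munmap` only when it is non-NULL; the `munmap` return value is also unchecked. The `/* Whooooops. */` above the `shmat` check says nothing about what failed — `/* shmat() failed: no usable bitmap, bail out before the forkserver starts. */` would be clearer.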
@@ -112,11 +129,24 @@ } -/* Make sure that all this stuff happens early on. */ - -__attribute__((constructor (0))) void __afl_init() { +/* Proper initialization routine. */ +static void __afl_init() { __afl_map_shm(); __afl_start_forkserver(); - } + + +/* Now, the tricky part. We want to get __afl_area_ptr assigned as soon + as possible, so that custom assembly that calls C code from .init + doesn't cause segfaults (hello, OpenSSL). But at this stage, getenv() + will not work, so we just use the dummy handler. */ + +__attribute__((section(".preinit_array"), used)) + static void (*__afl_preinit_f)(void) = __afl_pre_map; + +/* With this out of the way, we can wait until just before main() to + do the whole shmat() and forkserver thing. */ + +__attribute__((section(".init_array"), used)) + static void (*__afl_init_f)(void) = __afl_init; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.60b/qemu_mode/patches/afl-qemu-cpu-inl.h new/afl-1.62b/qemu_mode/patches/afl-qemu-cpu-inl.h --- old/afl-1.60b/qemu_mode/patches/afl-qemu-cpu-inl.h 2015-03-27 07:53:46.000000000 +0100 +++ new/afl-1.62b/qemu_mode/patches/afl-qemu-cpu-inl.h 2015-04-10 04:09:16.000000000 +0200 @@ -134,6 +134,12 @@ if (afl_area_ptr == (void*)-1) exit(1); + /* With AFL_INST_RATIO set to a low value, we want to touch the bitmap + so that the parent doesn't give up on us. */ + + if (inst_r) afl_area_ptr[0] = 1; + + } if (getenv("AFL_INST_LIBS")) {
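Review bot: `static void __afl_init()` declares a function with an unspecified parameter list, whereas the sibling `__afl_pre_map(void)` in the previous hunk uses the explicit prototype form; `static void __afl_init(void)` keeps the two consistent and avoids a `-Wstrict-prototypes` warning. The comment above `__afl_init_f` says the forkserver setup waits "until just before main()", but an `.init_array` entry runs in link order among all other `.init_array` entries, so constructors from other objects may run either side of it; rewording to `/* Runs with the other .init_array constructors, after .preinit_array and before main(). */` states only what the placement guarantees.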