Hello community,
here is the log from the commit of package afl for openSUSE:Factory checked in
at 2015-05-06 07:48:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
and /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-04-22 01:18:45.000000000
+0200
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-05-06
07:49:04.000000000 +0200
@@ -1,0 +2,10 @@
+Mon Apr 27 08:45:05 UTC 2015 - astie...@suse.com
+
+- afl 1.73b:
+ - Fixed a bug in effector maps that could sometimes cause more
+ fuzzing than necessary, or SEGV
+- includes changes from 1.72b:
+ - Fixed a glitch in non-x86 install
+ - Added a minor safeguard to llvm_mode Makefile
+
+-------------------------------------------------------------------
Old:
----
afl-1.71b.tgz
New:
----
afl-1.73b.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.4FczG3/_old 2015-05-06 07:49:05.000000000 +0200
+++ /var/tmp/diff_new_pack.4FczG3/_new 2015-05-06 07:49:05.000000000 +0200
@@ -17,7 +17,7 @@
Name: afl
-Version: 1.71b
+Version: 1.73b
Release: 0
Summary: American fuzzy lop is a security-oriented fuzzer
License: Apache-2.0
++++++ afl-1.71b.tgz -> afl-1.73b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/Makefile new/afl-1.73b/Makefile
--- old/afl-1.71b/Makefile 2015-04-20 03:17:54.000000000 +0200
+++ new/afl-1.73b/Makefile 2015-04-27 08:17:22.000000000 +0200
@@ -14,7 +14,7 @@
#
PROGNAME = afl
-VERSION = 1.71b
+VERSION = 1.73b
PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin
@@ -108,11 +108,7 @@
rm -rf out_dir qemu_mode/qemu-2.2.0
$(MAKE) -C llvm_mode clean
-ifndef AFL_NOX86
install: all
-else
-install: nox86
-endif
mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH)
$${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
install -m 755 afl-gcc afl-fuzz afl-showmap afl-plot afl-tmin afl-cmin
afl-gotcpu afl-whatsup $${DESTDIR}$(BIN_PATH)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/afl-fuzz.c new/afl-1.73b/afl-fuzz.c
--- old/afl-1.71b/afl-fuzz.c 2015-04-20 03:39:02.000000000 +0200
+++ new/afl-1.73b/afl-fuzz.c 2015-04-27 08:15:10.000000000 +0200
@@ -4646,7 +4646,7 @@
/* Let's consult the effector map... */
- if (!*(u16*)(eff_map + EFF_APOS(i))) {
+ if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) {
stage_max--;
continue;
}
@@ -4682,7 +4682,8 @@
for (i = 0; i < len - 3; i++) {
/* Let's consult the effector map... */
- if (!*(u32*)(eff_map + EFF_APOS(i))) {
+ if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
+ !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) {
stage_max--;
continue;
}
@@ -4804,7 +4805,7 @@
/* Let's consult the effector map... */
- if (!*(u16*)(eff_map + EFF_APOS(i))) {
+ if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) {
stage_max -= 4 * ARITH_MAX;
continue;
}
@@ -4895,7 +4896,8 @@
/* Let's consult the effector map... */
- if (!*(u32*)(eff_map + EFF_APOS(i))) {
+ if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
+ !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) {
stage_max -= 4 * ARITH_MAX;
continue;
}
@@ -5040,7 +5042,7 @@
/* Let's consult the effector map... */
- if (!*(u16*)(eff_map + EFF_APOS(i))) {
+ if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) {
stage_max -= sizeof(interesting_16);
continue;
}
@@ -5113,7 +5115,8 @@
/* Let's consult the effector map... */
- if (!*(u32*)(eff_map + EFF_APOS(i))) {
+ if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
+ !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) {
stage_max -= sizeof(interesting_32) >> 1;
continue;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/ChangeLog new/afl-1.73b/docs/ChangeLog
--- old/afl-1.71b/docs/ChangeLog 2015-04-20 03:39:59.000000000 +0200
+++ new/afl-1.73b/docs/ChangeLog 2015-04-27 08:17:07.000000000 +0200
@@ -17,6 +17,24 @@
to get on with the times.
--------------
+Version 1.73b:
+--------------
+
+ - Fixed a pretty stupid bug in effector maps that could sometimes cause
+ AFL to fuzz slightly more than necessary; and in very rare circumstances,
+ could lead to SEGV if eff_map is aligned with page boundary and followed
+ by an unmapped page. Spotted by Jonathan Gray.
+
+--------------
+Version 1.72b:
+--------------
+
+ - Fixed a glitch in non-x86 install, spotted by Tobias Ospelt.
+
+ - Added a minor safeguard to llvm_mode Makefile following a report from
+ Kai Zhao.
+
+--------------
Version 1.71b:
--------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/historical_notes.txt
new/afl-1.73b/docs/historical_notes.txt
--- old/afl-1.71b/docs/historical_notes.txt 2015-04-11 19:54:48.000000000
+0200
+++ new/afl-1.73b/docs/historical_notes.txt 2015-04-20 05:37:07.000000000
+0200
@@ -52,18 +52,18 @@
In the past six years or so, I've also seen a fair number of academic papers
that dealt with smart fuzzing (focusing chiefly on symbolic execution) and a
-couple papers that discussed proof-of-concept application of genetic
-algorithms. I'm unconvinced how practical most of these experiments were;
-I suspect that many of them suffer from the bunny-the-fuzzer's curse of being
-cool on paper and in carefully designed experiments, but failing the ultimate
-test of being able to find new, worthwhile security bugs in otherwise
-well-fuzzed, real-world software.
-
-In some ways, the baseline that such solutions had to compete against was a lot
-more impressive than usually acknowledged, making it difficult to truly stand
-out; for a singular example, check out the work by Gynvael and Mateusz Jurczyk,
-applying "dumb" fuzzing to ffmpeg, a prominent and security-critical component
-of modern browsers and media players:
+couple papers that discussed proof-of-concept applications of genetic
+algorithms with the same goals in mind. I'm unconvinced how practical most of
+these experiments were; I suspect that many of them suffer from the
+bunny-the-fuzzer's curse of being cool on paper and in carefully designed
+experiments, but failing the ultimate test of being able to find new,
+worthwhile security bugs in otherwise well-fuzzed, real-world software.
+
+In some ways, the baseline that the "cool" solutions have to compete against is
+a lot more impressive than it may seem, making it difficult for competitors to
+stand out. For a singular example, check out the work by Gynvael and Mateusz
+Jurczyk, applying "dumb" fuzzing to ffmpeg, a prominent and security-critical
+component of modern browsers and media players:
http://googleonlinesecurity.blogspot.com/2014/01/ffmpeg-and-thousand-fixes.html
@@ -83,7 +83,8 @@
1) Speed. It's genuinely hard to compete with brute force when your "smart"
approach is resource-intensive. If your instrumentation makes it 10x more
- likely to find a bug, but runs 100x slower, your users getting a bad deal.
+ likely to find a bug, but runs 100x slower, your users are getting a bad
+ deal.
To avoid starting with a handicap, afl-fuzz is meant to let you fuzz most of
the intended targets at roughly their native speed - so even if it doesn't
@@ -103,9 +104,8 @@
Most of the approaches based on symbolic execution, taint tracking, or
complex syntax-aware instrumentation are currently fairly unreliable with
real-world targets. Perhaps more importantly, their failure modes can render
- them strictly worse than "dumb" tools, and can be difficult for less
- experienced users to notice and correct - giving them a false sense of
- security.
+ them strictly worse than "dumb" tools, and such degradation can be difficult
+ for less experienced users to notice and correct.
In contrast, afl-fuzz is designed to be rock solid, chiefly by keeping it
simple. In fact, at its core, it's designed to be just a very good
@@ -130,7 +130,7 @@
against resource-hungry or interaction-heavy tools, necessitating the
creation of custom in-process fuzzers or the investment of massive CPU
power (most of which is wasted on tasks not directly related to the code
- we want to test).
+ we actually want to test).
AFL tries to scratch this itch by allowing users to use more lightweight
targets (e.g., standalone image parsing libraries) to create small
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/sister_projects.txt
new/afl-1.73b/docs/sister_projects.txt
--- old/afl-1.71b/docs/sister_projects.txt 2015-04-17 16:46:15.000000000
+0200
+++ new/afl-1.73b/docs/sister_projects.txt 2015-04-22 20:10:08.000000000
+0200
@@ -24,6 +24,13 @@
https://github.com/floyd-fuh/afl-fuzzing-scripts/
+afl-crash-analyzer (Tobias Ospelt)
+----------------------------------
+
+ Makes it easier to navigate and annotate crashing test cases.
+
+ https://github.com/floyd-fuh/afl-crash-analyzer/
+
Crashwalk (Ben Nagy)
--------------------
@@ -98,6 +105,13 @@
https://bitbucket.org/jwilk/python-afl
+Go-fuzz (Dmitry Vyukov)
+-----------------------
+
+ AFL-style guided fuzzing approach for Go targets:
+
+ https://github.com/dvyukov/go-fuzz
+
-------------------------------
Narrow-purpose or experimental:
-------------------------------
@@ -129,3 +143,4 @@
A simple SQL shell designed specifically for fuzzing the underlying library.
http://www.sqlite.org/src/artifact/9e7e273da2030371
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/technical_details.txt
new/afl-1.73b/docs/technical_details.txt
--- old/afl-1.71b/docs/technical_details.txt 2015-04-19 08:49:44.000000000
+0200
+++ new/afl-1.73b/docs/technical_details.txt 2015-04-20 05:40:05.000000000
+0200
@@ -73,7 +73,7 @@
The absence of simple saturating arithmetic opcodes on Intel CPUs means that
the hit counters can sometimes wrap around to zero. Since this is a fairly
-unlikely and localized event, it's an acceptable performance trade-off.
+unlikely and localized event, it's seen as an acceptable performance trade-off.
2) Detecting new behaviors
--------------------------
@@ -93,8 +93,9 @@
fragile global comparisons of complex execution traces, and while avoiding the
scourge of path explosion.
-To illustrate, consider that the second trace shown below would be considered
-substantially new because of the presence of new tuples (CA, AE):
+To illustrate the properties of the algorithm, consider that the second trace
+shown below would be considered substantially new because of the presence of
+new tuples (CA, AE):
#1: A -> B -> C -> D -> E
#2: A -> B -> C -> A -> E
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/vuln_samples/sqlite-bad-ptr2.sql
new/afl-1.73b/docs/vuln_samples/sqlite-bad-ptr2.sql
--- old/afl-1.71b/docs/vuln_samples/sqlite-bad-ptr2.sql 1970-01-01
01:00:00.000000000 +0100
+++ new/afl-1.73b/docs/vuln_samples/sqlite-bad-ptr2.sql 2015-04-21
16:41:34.000000000 +0200
@@ -0,0 +1 @@
+PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE
SET NULL);REPLACE INTO t1 SELECT(0);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/vuln_samples/sqlite-heap-overflow.sql
new/afl-1.73b/docs/vuln_samples/sqlite-heap-overflow.sql
--- old/afl-1.71b/docs/vuln_samples/sqlite-heap-overflow.sql 1970-01-01
01:00:00.000000000 +0100
+++ new/afl-1.73b/docs/vuln_samples/sqlite-heap-overflow.sql 2015-04-21
08:05:28.000000000 +0200
@@ -0,0 +1,2 @@
+DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0
select zeroblob(0);SAVEPOINT O;insert into t0
+select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/vuln_samples/sqlite-null-ptr14.sql
new/afl-1.73b/docs/vuln_samples/sqlite-null-ptr14.sql
--- old/afl-1.71b/docs/vuln_samples/sqlite-null-ptr14.sql 1970-01-01
01:00:00.000000000 +0100
+++ new/afl-1.73b/docs/vuln_samples/sqlite-null-ptr14.sql 2015-04-21
08:02:52.000000000 +0200
@@ -0,0 +1 @@
+CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA
writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE
sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT
T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/docs/vuln_samples/sqlite-null-ptr15.sql
new/afl-1.73b/docs/vuln_samples/sqlite-null-ptr15.sql
--- old/afl-1.71b/docs/vuln_samples/sqlite-null-ptr15.sql 1970-01-01
01:00:00.000000000 +0100
+++ new/afl-1.73b/docs/vuln_samples/sqlite-null-ptr15.sql 2015-04-23
06:15:46.000000000 +0200
@@ -0,0 +1 @@
+CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4
VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO
t4(t4)VALUES('integrity-check');
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.71b/llvm_mode/Makefile
new/afl-1.73b/llvm_mode/Makefile
--- old/afl-1.71b/llvm_mode/Makefile 2015-04-17 01:51:57.000000000 +0200
+++ new/afl-1.73b/llvm_mode/Makefile 2015-04-24 21:12:52.000000000 +0200
@@ -72,7 +72,7 @@
test_build: $(PROGS)
@echo "[*] Testing the CC wrapper and instrumentation output..."
- unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100
AFL_PATH=. AFL_CC=$(CC) ../afl-clang-fast $(CFLAGS) ../test-instr.c -o
test-instr $(LDFLAGS)
+ unset AFL_USE_ASAN AFL_USE_MSAN AFL_DEFER_FORKSRV; AFL_QUIET=1
AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-clang-fast $(CFLAGS)
../test-instr.c -o test-instr $(LDFLAGS)
echo 0 | ../afl-showmap -m none -q -o .test-instr0 ./test-instr
echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr
