Hello community,
here is the log from the commit of package afl for openSUSE:Factory checked in
at 2015-11-13 23:36:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
and /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-10-06 13:25:58.000000000
+0200
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-11-13
23:36:15.000000000 +0100
@@ -1,0 +2,13 @@
+Fri Nov 13 09:06:47 UTC 2015 - astie...@suse.com
+
+- afl 1.95b:
+ * Fixed a harmless bug when handling -B
+ * Made the exit message a bit more accurate when
+ AFL_EXIT_WHEN_DONE is set.
+ * Added some error-checking for old-style forkserver syntax.
+ * Switched from exit() to _exit() in injected code to avoid
+ snafus with destructors in C++ code.
+ * Made a change to avoid spuriously setting __AFL_SHM_ID when
+ AFL_DUMB_FORKSRV is set in conjunction with -n.
+
+-------------------------------------------------------------------
Old:
----
afl-1.94b.tgz
New:
----
afl-1.95b.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.m8P26L/_old 2015-11-13 23:36:16.000000000 +0100
+++ /var/tmp/diff_new_pack.m8P26L/_new 2015-11-13 23:36:16.000000000 +0100
@@ -17,7 +17,7 @@
Name: afl
-Version: 1.94b
+Version: 1.95b
Release: 0
Summary: American fuzzy lop is a security-oriented fuzzer
License: Apache-2.0
++++++ afl-1.94b.tgz -> afl-1.95b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/Makefile new/afl-1.95b/Makefile
--- old/afl-1.94b/Makefile 2015-09-12 03:38:02.000000000 +0200
+++ new/afl-1.95b/Makefile 2015-11-13 03:58:12.000000000 +0100
@@ -14,7 +14,7 @@
#
PROGNAME = afl
-VERSION = 1.94b
+VERSION = 1.95b
PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/afl-as.h new/afl-1.95b/afl-as.h
--- old/afl-1.94b/afl-as.h 2015-07-17 19:53:09.000000000 +0200
+++ new/afl-1.95b/afl-as.h 2015-11-03 05:29:51.000000000 +0100
@@ -334,7 +334,7 @@
"__afl_die:\n"
"\n"
" xorl %eax, %eax\n"
- " call exit\n"
+ " call _exit\n"
"\n"
"__afl_setup_abort:\n"
"\n"
@@ -639,7 +639,7 @@
"__afl_die:\n"
"\n"
" xorq %rax, %rax\n"
- CALL_L64("exit")
+ CALL_L64("_exit")
"\n"
"__afl_setup_abort:\n"
"\n"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/afl-fuzz.c new/afl-1.95b/afl-fuzz.c
--- old/afl-1.94b/afl-fuzz.c 2015-09-03 07:12:32.000000000 +0200
+++ new/afl-1.95b/afl-fuzz.c 2015-11-13 03:58:02.000000000 +0100
@@ -1201,8 +1201,7 @@
fork server commands. This should be replaced with better auto-detection
later on, perhaps? */
- if (dumb_mode != 1)
- setenv(SHM_ENV_VAR, shm_str, 1);
+ if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1);
ck_free(shm_str);
@@ -3700,7 +3699,7 @@
/* Honor AFL_EXIT_WHEN_DONE. */
if (!dumb_mode && cycles_wo_finds > 20 && !pending_not_fuzzed &&
- getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 1;
+ getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2;
/* If we're not on TTY, bail out. */
@@ -6613,6 +6612,10 @@
setenv(PERSIST_ENV_VAR, "1", 1);
no_var_check = 1;
+ } else if (getenv("AFL_PERSISTENT")) {
+
+ WARNF("AFL_PERSISTENT is no longer supported and may misbehave!");
+
}
if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
@@ -6620,6 +6623,10 @@
OKF(cPIN "Deferred forkserver binary detected.");
setenv(DEFER_ENV_VAR, "1", 1);
+ } else if (getenv("AFL_DEFER_FORKSRV")) {
+
+ WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!");
+
}
if (munmap(f_data, f_len)) PFATAL("unmap() failed");
@@ -7468,7 +7475,7 @@
case 'n':
if (dumb_mode) FATAL("Multiple -n options not supported");
- if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2 ; else dumb_mode = 1;
+ if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1;
break;
@@ -7640,7 +7647,8 @@
stop_fuzzing:
- SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted by user +++\n" cRST);
+ SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing %s +++\n" cRST,
+ stop_soon == 2 ? "ended via AFL_EXIT_WHEN_DONE" : "aborted by user");
/* Running for more than 30 minutes but still doing first cycle? */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/afl-gcc.c new/afl-1.95b/afl-gcc.c
--- old/afl-1.94b/afl-gcc.c 2015-04-13 20:14:05.000000000 +0200
+++ new/afl-1.95b/afl-gcc.c 2015-09-22 00:41:01.000000000 +0200
@@ -184,7 +184,7 @@
if (!be_quiet) WARNF("-B is already set, overriding");
- if (!cur[2] && argc) { argc--; argv++; }
+ if (!cur[2] && argc > 1) { argc--; argv++; }
continue;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/docs/ChangeLog new/afl-1.95b/docs/ChangeLog
--- old/afl-1.94b/docs/ChangeLog 2015-09-12 03:35:54.000000000 +0200
+++ new/afl-1.95b/docs/ChangeLog 2015-11-13 03:56:43.000000000 +0100
@@ -17,6 +17,23 @@
to get on with the times.
--------------
+Version 1.95b:
+--------------
+
+ - Fixed a harmless bug when handling -B. Spotted by Jacek Wielemborek.
+
+ - Made the exit message a bit more accurate when AFL_EXIT_WHEN_DONE is set.
+
+ - Added some error-checking for old-style forkserver syntax. Suggested by
+ Ben Nagy.
+
+ - Switched from exit() to _exit() in injected code to avoid snafus with
+ destructors in C++ code. Spotted by sunblate.
+
+ - Made a change to avoid spuriously setting __AFL_SHM_ID when
+ AFL_DUMB_FORKSRV is set in conjunction with -n. Spotted by Jakub Wilk.
+
+--------------
Version 1.94b:
--------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/hash.h new/afl-1.95b/hash.h
--- old/afl-1.94b/hash.h 2015-01-23 06:27:14.000000000 +0100
+++ new/afl-1.95b/hash.h 2015-09-22 06:07:34.000000000 +0200
@@ -10,7 +10,7 @@
similar to the original; the 64-bit one is a custom hack with
mostly-unproven properties.
- Austin's original code is public domain; so is this variant.
+ Austin's original code is public domain.
*/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/llvm_mode/README.llvm
new/afl-1.95b/llvm_mode/README.llvm
--- old/afl-1.94b/llvm_mode/README.llvm 2015-09-03 16:52:18.000000000 +0200
+++ new/afl-1.95b/llvm_mode/README.llvm 2015-10-27 06:47:14.000000000 +0100
@@ -95,7 +95,7 @@
performance gain. You can implement delayed initialization in LLVM mode in a
fairly simple way.
-First, locate a suitable location in the code where the delayed cloning can
+First, find a suitable location in the code where the delayed cloning can
take place. This needs to be done with *extreme* care to avoid breaking the
binary. In particular, the program will probably malfunction if you select
a location after:
@@ -118,8 +118,8 @@
__AFL_INIT();
#endif
-You don't need the #ifdef guards, but they will make the program still work as
-usual when compiled with a tool other than afl-clang-fast.
+You don't need the #ifdef guards, but including them ensures that the program
+will keep working normally when compiled with a tool other than afl-clang-fast.
Finally, recompile the pogram with afl-clang-fast (afl-gcc or afl-clang will
*not* generate a deferred-initialization binary) - and you should be all set!
@@ -153,9 +153,9 @@
#ifdef guards can be used to suppress it when using other compilers.
Note that as with the previous mode, the feature is easy to misuse; if you
-do not reset the critical state fully, you may end up with false positives or
+do not fully reset the critical state, you may end up with false positives or
waste a whole lot of CPU power doing nothing useful at all. Be particularly
-wary of memory leaks and the state of file descriptors.
+wary of memory leaks and of the state of file descriptors.
When running in this mode, the execution paths will inherently vary a bit
depending on whether the input loop is being entered for the first time or
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/llvm_mode/afl-llvm-rt.o.c
new/afl-1.95b/llvm_mode/afl-llvm-rt.o.c
--- old/afl-1.94b/llvm_mode/afl-llvm-rt.o.c 2015-09-03 08:04:27.000000000
+0200
+++ new/afl-1.95b/llvm_mode/afl-llvm-rt.o.c 2015-11-03 05:28:19.000000000
+0100
@@ -65,7 +65,7 @@
/* Whooooops. */
- if (__afl_area_ptr == (void *)-1) exit(1);
+ if (__afl_area_ptr == (void *)-1) _exit(1);
/* Write something into the bitmap so that even with low AFL_INST_RATIO,
our parent doesn't give up on us. */
@@ -98,7 +98,7 @@
/* Wait for parent by reading from the pipe. Abort if read fails. */
- if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(1);
+ if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
/* If we stopped the child in persistent mode, but there was a race
condition and afl-fuzz already issued SIGKILL, write off the old
@@ -106,7 +106,7 @@
if (child_stopped && was_killed) {
child_stopped = 0;
- if (waitpid(child_pid, &status, 0) < 0) exit(1);
+ if (waitpid(child_pid, &status, 0) < 0) _exit(1);
}
if (!child_stopped) {
@@ -114,7 +114,7 @@
/* Once woken up, create a clone of our process. */
child_pid = fork();
- if (child_pid < 0) exit(1);
+ if (child_pid < 0) _exit(1);
/* In child process: close fds, resume execution. */
@@ -138,10 +138,10 @@
/* In parent process: write PID to pipe, then wait for child. */
- if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1);
+ if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) _exit(1);
if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0)
- exit(1);
+ _exit(1);
/* In persistent mode, the child stops itself with SIGSTOP to indicate
a successful run. In this case, we want to wake it up without forking
@@ -151,7 +151,7 @@
/* Relay wait status to pipe, then loop back. */
- if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1);
+ if (write(FORKSRV_FD + 1, &status, 4) != 4) _exit(1);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.94b/qemu_mode/README.qemu
new/afl-1.95b/qemu_mode/README.qemu
--- old/afl-1.94b/qemu_mode/README.qemu 2015-04-30 05:36:55.000000000 +0200
+++ new/afl-1.95b/qemu_mode/README.qemu 2015-10-06 07:40:06.000000000 +0200
@@ -39,7 +39,8 @@
In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh,
you should get a build capable of running non-native binaries (say, you
-can try CPU_TARGET=arm). I haven't played with this.
+can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries
+on a 64-bit system (CPU_TARGET=i386).
Note: if you want the QEMU helper to be installed on your system for all
users, you need to build it before issuing 'make install' in the parent
@@ -104,10 +105,9 @@
---------------------------------
Statically rewriting binaries just once, instead of attempting to translate
-them at run time, can be a faster alternative to what is being attempted here.
-That said, static rewriting is fraught with peril, because it depends on being
-able to properly and fully model program control flow without actually running
-it.
+them at run time, can be a faster alternative. That said, static rewriting is
+fraught with peril, because it depends on being able to properly and fully
model
+program control flow without actually executing each and every code path.
If you want to experiment with this mode of operation, there is a module
contributed by Aleksandar Nikolich:
