Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2015-11-13 23:36:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-10-06 13:25:58.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-11-13 23:36:15.000000000 +0100 @@ -1,0 +2,13 @@ +Fri Nov 13 09:06:47 UTC 2015 - astie...@suse.com + +- afl 1.95b: + * Fixed a harmless bug when handling -B + * Made the exit message a bit more accurate when + AFL_EXIT_WHEN_DONE is set. + * Added some error-checking for old-style forkserver syntax. + * Switched from exit() to _exit() in injected code to avoid + snafus with destructors in C++ code. + * Made a change to avoid spuriously setting __AFL_SHM_ID when + AFL_DUMB_FORKSRV is set in conjunction with -n. + +------------------------------------------------------------------- Old: ---- afl-1.94b.tgz New: ---- afl-1.95b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.m8P26L/_old 2015-11-13 23:36:16.000000000 +0100 +++ /var/tmp/diff_new_pack.m8P26L/_new 2015-11-13 23:36:16.000000000 +0100 @@ -17,7 +17,7 @@ Name: afl -Version: 1.94b +Version: 1.95b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 ++++++ afl-1.94b.tgz -> afl-1.95b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/Makefile new/afl-1.95b/Makefile --- old/afl-1.94b/Makefile 2015-09-12 03:38:02.000000000 +0200 +++ new/afl-1.95b/Makefile 2015-11-13 03:58:12.000000000 +0100 @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 1.94b +VERSION = 1.95b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/afl-as.h new/afl-1.95b/afl-as.h --- old/afl-1.94b/afl-as.h 2015-07-17 19:53:09.000000000 +0200 +++ new/afl-1.95b/afl-as.h 2015-11-03 05:29:51.000000000 +0100 @@ -334,7 +334,7 @@ "__afl_die:\n" "\n" " xorl %eax, %eax\n" - " call exit\n" + " call _exit\n" "\n" "__afl_setup_abort:\n" "\n" @@ -639,7 +639,7 @@ "__afl_die:\n" "\n" " xorq %rax, %rax\n" - CALL_L64("exit") + CALL_L64("_exit") "\n" "__afl_setup_abort:\n" "\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/afl-fuzz.c new/afl-1.95b/afl-fuzz.c --- old/afl-1.94b/afl-fuzz.c 2015-09-03 07:12:32.000000000 +0200 +++ new/afl-1.95b/afl-fuzz.c 2015-11-13 03:58:02.000000000 +0100 @@ -1201,8 +1201,7 @@ fork server commands. This should be replaced with better auto-detection later on, perhaps? */ - if (dumb_mode != 1) - setenv(SHM_ENV_VAR, shm_str, 1); + if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); ck_free(shm_str); @@ -3700,7 +3699,7 @@ /* Honor AFL_EXIT_WHEN_DONE. */ if (!dumb_mode && cycles_wo_finds > 20 && !pending_not_fuzzed && - getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 1; + getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; /* If we're not on TTY, bail out. */ @@ -6613,6 +6612,10 @@ setenv(PERSIST_ENV_VAR, "1", 1); no_var_check = 1; + } else if (getenv("AFL_PERSISTENT")) { + + WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + } if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { @@ -6620,6 +6623,10 @@ OKF(cPIN "Deferred forkserver binary detected."); setenv(DEFER_ENV_VAR, "1", 1); + } else if (getenv("AFL_DEFER_FORKSRV")) { + + WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + } if (munmap(f_data, f_len)) PFATAL("unmap() failed"); @@ -7468,7 +7475,7 @@ case 'n': if (dumb_mode) FATAL("Multiple -n options not supported"); - if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2 ; else dumb_mode = 1; + if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1; break; @@ -7640,7 +7647,8 @@ stop_fuzzing: - SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted by user +++\n" cRST); + SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing %s +++\n" cRST, + stop_soon == 2 ? "ended via AFL_EXIT_WHEN_DONE" : "aborted by user"); /* Running for more than 30 minutes but still doing first cycle? */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/afl-gcc.c new/afl-1.95b/afl-gcc.c --- old/afl-1.94b/afl-gcc.c 2015-04-13 20:14:05.000000000 +0200 +++ new/afl-1.95b/afl-gcc.c 2015-09-22 00:41:01.000000000 +0200 @@ -184,7 +184,7 @@ if (!be_quiet) WARNF("-B is already set, overriding"); - if (!cur[2] && argc) { argc--; argv++; } + if (!cur[2] && argc > 1) { argc--; argv++; } continue; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/docs/ChangeLog new/afl-1.95b/docs/ChangeLog --- old/afl-1.94b/docs/ChangeLog 2015-09-12 03:35:54.000000000 +0200 +++ new/afl-1.95b/docs/ChangeLog 2015-11-13 03:56:43.000000000 +0100 @@ -17,6 +17,23 @@ to get on with the times. -------------- +Version 1.95b: +-------------- + + - Fixed a harmless bug when handling -B. Spotted by Jacek Wielemborek. + + - Made the exit message a bit more accurate when AFL_EXIT_WHEN_DONE is set. + + - Added some error-checking for old-style forkserver syntax. Suggested by + Ben Nagy. + + - Switched from exit() to _exit() in injected code to avoid snafus with + destructors in C++ code. Spotted by sunblate. + + - Made a change to avoid spuriously setting __AFL_SHM_ID when + AFL_DUMB_FORKSRV is set in conjunction with -n. Spotted by Jakub Wilk. + +-------------- Version 1.94b: -------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/hash.h new/afl-1.95b/hash.h --- old/afl-1.94b/hash.h 2015-01-23 06:27:14.000000000 +0100 +++ new/afl-1.95b/hash.h 2015-09-22 06:07:34.000000000 +0200 @@ -10,7 +10,7 @@ similar to the original; the 64-bit one is a custom hack with mostly-unproven properties. - Austin's original code is public domain; so is this variant. + Austin's original code is public domain. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/llvm_mode/README.llvm new/afl-1.95b/llvm_mode/README.llvm --- old/afl-1.94b/llvm_mode/README.llvm 2015-09-03 16:52:18.000000000 +0200 +++ new/afl-1.95b/llvm_mode/README.llvm 2015-10-27 06:47:14.000000000 +0100 @@ -95,7 +95,7 @@ performance gain. You can implement delayed initialization in LLVM mode in a fairly simple way. -First, locate a suitable location in the code where the delayed cloning can +First, find a suitable location in the code where the delayed cloning can take place. This needs to be done with *extreme* care to avoid breaking the binary. In particular, the program will probably malfunction if you select a location after: @@ -118,8 +118,8 @@ __AFL_INIT(); #endif -You don't need the #ifdef guards, but they will make the program still work as -usual when compiled with a tool other than afl-clang-fast. +You don't need the #ifdef guards, but including them ensures that the program +will keep working normally when compiled with a tool other than afl-clang-fast. Finally, recompile the pogram with afl-clang-fast (afl-gcc or afl-clang will *not* generate a deferred-initialization binary) - and you should be all set! @@ -153,9 +153,9 @@ #ifdef guards can be used to suppress it when using other compilers. Note that as with the previous mode, the feature is easy to misuse; if you -do not reset the critical state fully, you may end up with false positives or +do not fully reset the critical state, you may end up with false positives or waste a whole lot of CPU power doing nothing useful at all. Be particularly -wary of memory leaks and the state of file descriptors. +wary of memory leaks and of the state of file descriptors. When running in this mode, the execution paths will inherently vary a bit depending on whether the input loop is being entered for the first time or diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/llvm_mode/afl-llvm-rt.o.c new/afl-1.95b/llvm_mode/afl-llvm-rt.o.c --- old/afl-1.94b/llvm_mode/afl-llvm-rt.o.c 2015-09-03 08:04:27.000000000 +0200 +++ new/afl-1.95b/llvm_mode/afl-llvm-rt.o.c 2015-11-03 05:28:19.000000000 +0100 @@ -65,7 +65,7 @@ /* Whooooops. */ - if (__afl_area_ptr == (void *)-1) exit(1); + if (__afl_area_ptr == (void *)-1) _exit(1); /* Write something into the bitmap so that even with low AFL_INST_RATIO, our parent doesn't give up on us. */ @@ -98,7 +98,7 @@ /* Wait for parent by reading from the pipe. Abort if read fails. */ - if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(1); + if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old @@ -106,7 +106,7 @@ if (child_stopped && was_killed) { child_stopped = 0; - if (waitpid(child_pid, &status, 0) < 0) exit(1); + if (waitpid(child_pid, &status, 0) < 0) _exit(1); } if (!child_stopped) { @@ -114,7 +114,7 @@ /* Once woken up, create a clone of our process. */ child_pid = fork(); - if (child_pid < 0) exit(1); + if (child_pid < 0) _exit(1); /* In child process: close fds, resume execution. */ @@ -138,10 +138,10 @@ /* In parent process: write PID to pipe, then wait for child. */ - if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1); + if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) _exit(1); if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) - exit(1); + _exit(1); /* In persistent mode, the child stops itself with SIGSTOP to indicate a successful run. In this case, we want to wake it up without forking @@ -151,7 +151,7 @@ /* Relay wait status to pipe, then loop back. */ - if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1); + if (write(FORKSRV_FD + 1, &status, 4) != 4) _exit(1); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.94b/qemu_mode/README.qemu new/afl-1.95b/qemu_mode/README.qemu --- old/afl-1.94b/qemu_mode/README.qemu 2015-04-30 05:36:55.000000000 +0200 +++ new/afl-1.95b/qemu_mode/README.qemu 2015-10-06 07:40:06.000000000 +0200 @@ -39,7 +39,8 @@ In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh, you should get a build capable of running non-native binaries (say, you -can try CPU_TARGET=arm). I haven't played with this. +can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries +on a 64-bit system (CPU_TARGET=i386). Note: if you want the QEMU helper to be installed on your system for all users, you need to build it before issuing 'make install' in the parent @@ -104,10 +105,9 @@ --------------------------------- Statically rewriting binaries just once, instead of attempting to translate -them at run time, can be a faster alternative to what is being attempted here. -That said, static rewriting is fraught with peril, because it depends on being -able to properly and fully model program control flow without actually running -it. +them at run time, can be a faster alternative. That said, static rewriting is +fraught with peril, because it depends on being able to properly and fully model +program control flow without actually executing each and every code path. If you want to experiment with this mode of operation, there is a module contributed by Aleksandar Nikolich: