Hello community,

here is the log from the commit of package afl for openSUSE:Factory checked in 
at 2016-02-25 22:10:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
 and      /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "afl"

Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes  2016-02-18 12:36:29.000000000 
+0100
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes     2016-02-26 
00:26:45.000000000 +0100
@@ -1,0 +2,13 @@
+Wed Feb 24 21:52:33 UTC 2016 - astie...@suse.com
+
+- afl 2.04b:
+  * remove indirect-calls coverage from -fsanitize-coverage
+  * LLVM: Added experimental -fsanitize-coverage=trace-pc support
+  - LLVM: better support non-standard map sizes
+  - LLVM: use thread-local execution tracing
+  - Force-disabled symbolization for ASAN
+  - Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets
+    without affecting AFL itself
+  - Fixed a "lcamtuf can't count to 16" bug in the havoc stage.
+
+-------------------------------------------------------------------

Old:
----
  afl-2.01b.tgz

New:
----
  afl-2.04b.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.1fQjCg/_old  2016-02-26 00:26:46.000000000 +0100
+++ /var/tmp/diff_new_pack.1fQjCg/_new  2016-02-26 00:26:46.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           afl
-Version:        2.01b
+Version:        2.04b
 Release:        0
 Summary:        American fuzzy lop is a security-oriented fuzzer
 License:        Apache-2.0

++++++ afl-1.58b-fix-paths.patch ++++++
--- /var/tmp/diff_new_pack.1fQjCg/_old  2016-02-26 00:26:46.000000000 +0100
+++ /var/tmp/diff_new_pack.1fQjCg/_new  2016-02-26 00:26:46.000000000 +0100
@@ -2,11 +2,11 @@
  Makefile |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-Index: afl-2.01b/Makefile
+Index: afl-2.04b/Makefile
 ===================================================================
---- afl-2.01b.orig/Makefile    2016-02-16 08:14:22.000000000 +0100
-+++ afl-2.01b/Makefile 2016-02-16 16:36:39.051519647 +0100
-@@ -18,8 +18,8 @@ VERSION     = 2.01b
+--- afl-2.04b.orig/Makefile
++++ afl-2.04b/Makefile
+@@ -18,8 +18,8 @@ VERSION     = 2.04b
  
  PREFIX     ?= /usr/local
  BIN_PATH    = $(PREFIX)/bin
@@ -16,4 +16,4 @@
 +DOC_PATH    = $(DOC_DIR)/afl
  MISC_PATH   = $(PREFIX)/share/afl
  
- PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
+ # PROGS intentionally omit afl-as, which gets installed elsewhere.

++++++ afl-2.01b.tgz -> afl-2.04b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/Makefile new/afl-2.04b/Makefile
--- old/afl-2.01b/Makefile      2016-02-16 08:14:22.000000000 +0100
+++ new/afl-2.04b/Makefile      2016-02-22 03:22:50.000000000 +0100
@@ -4,7 +4,7 @@
 #
 # Written and maintained by Michal Zalewski <lcam...@google.com>
 # 
-# Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+# Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
 # 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@
 #
 
 PROGNAME    = afl
-VERSION     = 2.01b
+VERSION     = 2.04b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin
@@ -22,6 +22,8 @@
 DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
 
+# PROGS intentionally omit afl-as, which gets installed elsewhere.
+
 PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
 SH_PROGS    = afl-plot afl-cmin afl-whatsup
 
@@ -44,18 +46,18 @@
 
 all: test_x86 $(PROGS) afl-as test_build all_done
 
-ifndef AFL_NOX86
+ifndef AFL_NO_X86
 
 test_x86:
        @echo "[*] Checking for the ability to compile x86 code..."
-       @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test 
|| ( echo; echo "Oops, looks like your compiler can't generate x86 code."; 
echo; echo "You can still try using the LLVM or QEMU mode, but see docs/INSTALL 
first."; echo "To ignore this error, set AFL_NOX86=1."; echo; exit 1 )
+       @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test 
|| ( echo; echo "Oops, looks like your compiler can't generate x86 code."; 
echo; echo "You can still try using the LLVM or QEMU mode, but see docs/INSTALL 
first."; echo "To ignore this error, set AFL_NO_X86=1."; echo; exit 1 )
        @rm -f .test
        @echo "[+] Everything seems to be working, ready to compile."
 
 else
 
 test_x86:
-       @echo "[!] Note: skipping x86 compilation checks (AFL_NOX86 set)."
+       @echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
 
 endif
 
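Review bot: `ifndef AFL_NO_X86` at the top of this hunk (and again in the hunk ending at line 152) stops honouring the old AFL_NOX86 name, so an existing `AFL_NOX86=1` in a cross-build environment silently re-enables the x86 probe and the build then fails asking for a variable the user believes is already set. A one-line compatibility shim before the first conditional keeps old scripts working, e.g. `ifdef AFL_NOX86` / `AFL_NO_X86 := $(AFL_NOX86)` / `endif`, optionally paired with `$(warning AFL_NOX86 is deprecated, use AFL_NO_X86)`. docs/INSTALL and llvm_mode/README.llvm are updated in this commit, but any user-side scripts are not.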
@@ -82,7 +84,7 @@
 afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
 
-ifndef AFL_NOX86
+ifndef AFL_NO_X86
 
 test_build: afl-gcc afl-as afl-showmap
        @echo "[*] Testing the CC wrapper and instrumentation output..."
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/afl-analyze.c new/afl-2.04b/afl-analyze.c
--- old/afl-2.01b/afl-analyze.c 2016-02-12 07:05:31.000000000 +0100
+++ new/afl-2.04b/afl-analyze.c 2016-02-21 06:41:47.000000000 +0100
@@ -677,22 +677,43 @@
 
   x = getenv("ASAN_OPTIONS");
 
-  if (x && !strstr(x, "abort_on_error=1"))
-    FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
+  if (x) {
+
+    if (!strstr(x, "abort_on_error=1"))
+      FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
+
+    if (!strstr(x, "symbolize=0"))
+      FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");
+
+  }
 
   x = getenv("MSAN_OPTIONS");
 
-  if (x && !strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
-    FATAL("Custom MSAN_OPTIONS set without exit_code="
-          STRINGIFY(MSAN_ERROR) " - please fix!");
+  if (x) {
+
+    if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
+      FATAL("Custom MSAN_OPTIONS set without exit_code="
+            STRINGIFY(MSAN_ERROR) " - please fix!");
+
+    if (!strstr(x, "symbolize=0"))
+      FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");
+
+  }
 
   setenv("ASAN_OPTIONS", "abort_on_error=1:"
                          "detect_leaks=0:"
+                         "symbolize=0:"
                          "allocator_may_return_null=1", 0);
 
   setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
+                         "symbolize=0:"
+                         "abort_on_error=1:"
+                         "allocator_may_return_null=1:"
                          "msan_track_origins=0", 0);
 
+  if (getenv("AFL_LD_PRELOAD"))
+    setenv("LD_PRELOAD", getenv("AFL_LD_PRELOAD"), 1);
+
 }
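Review bot: The AFL_LD_PRELOAD handling at the end of this hunk, `setenv("LD_PRELOAD", getenv("AFL_LD_PRELOAD"), 1)`, is repeated verbatim in afl-fuzz.c, afl-showmap.c and afl-tmin.c in this same commit (hunks ending at lines 330, 380 and 442), as is the new symbolize=0 validation; a small shared helper would keep the four copies from drifting, and the duplicated getenv() could become one local. The overwrite flag of 1 silently replaces any LD_PRELOAD the user already exported, which is presumably intended but deserves a comment, e.g. `/* AFL_LD_PRELOAD replaces (not appends to) any inherited LD_PRELOAD; it only reaches the target, since this process is already loaded. */`. The reason the symbolize=0 requirement is fatal is explained only in docs/env_variables.txt; a line next to the FATAL such as `/* Without symbolize=0, sanitizer report generation can make crashes look like hangs (see docs/env_variables.txt). */` would help readers of the check itself.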
 
 
@@ -773,7 +794,7 @@
 
        "Required parameters:\n\n"
 
-       "  -i file       - input test case to be shrunk by the tool\n"
+       "  -i file       - input test case to be analyzed by the tool\n"
 
        "Execution control settings:\n\n"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/afl-fuzz.c new/afl-2.04b/afl-fuzz.c
--- old/afl-2.01b/afl-fuzz.c    2016-02-15 08:57:18.000000000 +0100
+++ new/afl-2.04b/afl-fuzz.c    2016-02-21 06:41:16.000000000 +0100
@@ -6,7 +6,7 @@
 
    Forkserver design by Jann Horn <jannh...@googlemail.com>
 
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -1934,12 +1934,16 @@
 
     setenv("ASAN_OPTIONS", "abort_on_error=1:"
                            "detect_leaks=0:"
+                           "symbolize=0:"
                            "allocator_may_return_null=1", 0);
 
     /* MSAN is tricky, because it doesn't support abort_on_error=1 at this
        point. So, we do this in a very hacky way. */
 
     setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
+                           "symbolize=0:"
+                           "abort_on_error=1:"
+                           "allocator_may_return_null=1:"
                            "msan_track_origins=0", 0);
 
     execv(target_path, argv);
@@ -2197,9 +2201,11 @@
 
       setenv("ASAN_OPTIONS", "abort_on_error=1:"
                              "detect_leaks=0:"
+                             "symbolize=0:"
                              "allocator_may_return_null=1", 0);
 
       setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
+                             "symbolize=0:"
                              "msan_track_origins=0", 0);
 
       execv(target_path, argv);
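Review bot: The MSAN_OPTIONS default in this hunk only gains `symbolize=0`, whereas the other exec path in the hunk ending at line 244 (and afl-analyze, afl-showmap and afl-tmin in this commit) also adds `abort_on_error=1` and `allocator_may_return_null=1`. Unless this path has a reason to differ, the two defaults in afl-fuzz.c should be identical so target behaviour does not depend on which exec path is taken; the missing lines are `"abort_on_error=1:"` and `"allocator_may_return_null=1:"` inserted before `"msan_track_origins=0"`. If the divergence is deliberate, a comment saying why would stop the next maintainer from "fixing" it.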
@@ -6071,10 +6077,10 @@
 
           }
 
-        /* Values 16 and 17 can be selected only if there are any extras
+        /* Values 15 and 16 can be selected only if there are any extras
            present in the dictionaries. */
 
-        case 16: {
+        case 15: {
 
             /* Overwrite bytes with an extra. */
 
@@ -6111,7 +6117,7 @@
 
           }
 
-        case 17: {
+        case 16: {
 
             u32 use_extra, extra_len, insert_at = UR(temp_len);
             u8* new_buf;
@@ -7155,14 +7161,28 @@
 static void check_asan_opts(void) {
   u8* x = getenv("ASAN_OPTIONS");
 
-  if (x && !strstr(x, "abort_on_error=1"))
-    FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
+  if (x) {
+
+    if (!strstr(x, "abort_on_error=1"))
+      FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
+
+    if (!strstr(x, "symbolize=0"))
+      FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");
+
+  }
 
   x = getenv("MSAN_OPTIONS");
 
-  if (x && !strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
-    FATAL("Custom MSAN_OPTIONS set without exit_code="
-          STRINGIFY(MSAN_ERROR) " - please fix!");
+  if (x) {
+
+    if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
+      FATAL("Custom MSAN_OPTIONS set without exit_code="
+            STRINGIFY(MSAN_ERROR) " - please fix!");
+
+    if (!strstr(x, "symbolize=0"))
+      FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");
+
+  }
 
 } 
 
@@ -7365,6 +7385,7 @@
   u32 sync_interval_cnt = 0, seek_to;
   u8  *extras_dir = 0;
   u8  mem_limit_given = 0;
+  u8  exit_1 = !!getenv("AFL_BENCH_JUST_ONE");
 
   char** use_argv;
 
@@ -7553,6 +7574,9 @@
   if (dumb_mode == 2 && no_forkserver)
     FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive");
 
+  if (getenv("AFL_LD_PRELOAD"))
+    setenv("LD_PRELOAD", getenv("AFL_LD_PRELOAD"), 1);
+
   save_cmdline(argc, argv);
 
   fix_up_banner(argv[optind]);
@@ -7661,6 +7685,8 @@
 
     }
 
+    if (!stop_soon && exit_1) stop_soon = 2;
+
     if (stop_soon) break;
 
     queue_cur = queue_cur->next;
@@ -7676,8 +7702,8 @@
 
 stop_fuzzing:
 
-  SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing %s +++\n" cRST,
-       stop_soon == 2 ? "ended via AFL_EXIT_WHEN_DONE" : "aborted by user");
+  SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST,
+       stop_soon == 2 ? "programatically" : "by user");
 
   /* Running for more than 30 minutes but still doing first cycle? */
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/afl-showmap.c new/afl-2.04b/afl-showmap.c
--- old/afl-2.01b/afl-showmap.c 2016-02-10 16:46:19.000000000 +0100
+++ new/afl-2.04b/afl-showmap.c 2016-02-21 06:41:24.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -332,11 +332,18 @@
 
   setenv("ASAN_OPTIONS", "abort_on_error=1:"
                          "detect_leaks=0:"
+                         "symbolize=0:"
                          "allocator_may_return_null=1", 0);
 
   setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
+                         "symbolize=0:"
+                         "abort_on_error=1:"
+                         "allocator_may_return_null=1:"
                          "msan_track_origins=0", 0);
 
+  if (getenv("AFL_LD_PRELOAD"))
+    setenv("LD_PRELOAD", getenv("AFL_LD_PRELOAD"), 1);
+
 }
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/afl-tmin.c new/afl-2.04b/afl-tmin.c
--- old/afl-2.01b/afl-tmin.c    2016-02-10 16:50:11.000000000 +0100
+++ new/afl-2.04b/afl-tmin.c    2016-02-21 06:41:01.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2015 Google Inc. All rights reserved.
+   Copyright 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -668,22 +668,43 @@
 
   x = getenv("ASAN_OPTIONS");
 
-  if (x && !strstr(x, "abort_on_error=1"))
-    FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
+  if (x) {
+
+    if (!strstr(x, "abort_on_error=1"))
+      FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
+
+    if (!strstr(x, "symbolize=0"))
+      FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");
+
+  }
 
   x = getenv("MSAN_OPTIONS");
 
-  if (x && !strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
-    FATAL("Custom MSAN_OPTIONS set without exit_code="
-          STRINGIFY(MSAN_ERROR) " - please fix!");
+  if (x) {
+
+    if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
+      FATAL("Custom MSAN_OPTIONS set without exit_code="
+            STRINGIFY(MSAN_ERROR) " - please fix!");
+
+    if (!strstr(x, "symbolize=0"))
+      FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");
+
+  }
 
   setenv("ASAN_OPTIONS", "abort_on_error=1:"
                          "detect_leaks=0:"
+                         "symbolize=0:"
                          "allocator_may_return_null=1", 0);
 
   setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
+                         "symbolize=0:"
+                         "abort_on_error=1:"
+                         "allocator_may_return_null=1:"
                          "msan_track_origins=0", 0);
 
+  if (getenv("AFL_LD_PRELOAD"))
+    setenv("LD_PRELOAD", getenv("AFL_LD_PRELOAD"), 1);
+
 }
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/config.h new/afl-2.04b/config.h
--- old/afl-2.01b/config.h      2016-02-10 20:58:24.000000000 +0100
+++ new/afl-2.04b/config.h      2016-02-20 23:24:03.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/debug.h new/afl-2.04b/debug.h
--- old/afl-2.01b/debug.h       2016-02-12 07:03:59.000000000 +0100
+++ new/afl-2.04b/debug.h       2016-02-20 23:23:55.000000000 +0100
@@ -4,7 +4,7 @@
 
    Written and maintained by Michal Zalewski <lcam...@google.com>
 
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/docs/ChangeLog new/afl-2.04b/docs/ChangeLog
--- old/afl-2.01b/docs/ChangeLog        2016-02-16 08:14:13.000000000 +0100
+++ new/afl-2.04b/docs/ChangeLog        2016-02-21 21:19:12.000000000 +0100
@@ -13,10 +13,48 @@
 sending a mail to <afl-users+subscr...@googlegroups.com>.
 
 Not sure if you should upgrade? The lowest currently recommended version
-is 1.92b. If you're stuck on an earlier release, it's strongly advisable
+is 2.03b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
 --------------
+Version 2.04b:
+--------------
+
+  - Removed indirect-calls coverage from -fsanitize-coverage (since it's
+    redundant). Spotted by Kostya Serebryany.
+
+--------------
+Version 2.03b:
+--------------
+
+  - Added experimental -fsanitize-coverage=trace-pc support that goes with
+    some recent additions to LLVM, as implemented by Kostya Serebryany.
+    Right now, this is cumbersome to use with common build systems, so
+    the mode remains undocumented.
+
+  - Made several substantial improvements to better support non-standard
+    map sizes in LLVM mode.
+
+  - Switched LLVM mode to thread-local execution tracing, which may offer
+    better results in some multithreaded apps.
+
+  - Fixed a minor typo, reported by Heiko Eissfeldt.
+
+  - Force-disabled symbolization for ASAN, as suggested by Christian Holler.
+
+  - AFL_NOX86 renamed to AFL_NO_X86 for consistency.
+
+  - Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets without
+    affecting AFL itself. Suggested by Daniel Godas-Lopez.
+
+--------------
+Version 2.02b:
+--------------
+
+  - Fixed a "lcamtuf can't count to 16" bug in the havoc stage. Reported
+    by Guillaume Endignoux.
+
+--------------
 Version 2.01b:
 --------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/docs/INSTALL new/afl-2.04b/docs/INSTALL
--- old/afl-2.01b/docs/INSTALL  2015-08-26 06:09:23.000000000 +0200
+++ new/afl-2.04b/docs/INSTALL  2016-02-20 21:10:50.000000000 +0100
@@ -110,7 +110,7 @@
   - The QEMU mode (see qemu_mode/README.qemu), which can be also used for
     fuzzing cross-platform binaries.
 
-In both cases, you will need to set AFL_NOX86=1 before running make or gmake.
+In both cases, you will need to set AFL_NO_X86=1 before running make or gmake.
 
 5) Solaris on x86
 -----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/docs/README new/afl-2.04b/docs/README
--- old/afl-2.01b/docs/README   2016-02-11 02:17:09.000000000 +0100
+++ new/afl-2.04b/docs/README   2016-02-21 01:04:50.000000000 +0100
@@ -432,6 +432,8 @@
   Christian Holler                      Dominique Pelle
   Jacek Wielemborek                     Leo Barnes
   Jeremy Barnes                         Jeff Trull
+  Guillaume Endignoux                   ilovezfs
+  Daniel Godas-Lopez
 
 Thank you!
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/docs/env_variables.txt 
new/afl-2.04b/docs/env_variables.txt
--- old/afl-2.01b/docs/env_variables.txt        2016-02-04 06:20:39.000000000 
+0100
+++ new/afl-2.04b/docs/env_variables.txt        2016-02-21 06:42:37.000000000 
+0100
@@ -139,9 +139,15 @@
 
   - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace.
 
+  - Setting AFL_LD_PRELOAD causes AFL to set LD_PRELOAD for the target binary
+    without disrupting the afl-fuzz process itself.
+
   - If you are Jakub, you may need AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES.
     Others need not apply.
 
+  - Benchmarking only: AFL_BENCH_JUST_ONE causes the fuzzer to exit after
+    processing the first queue entry.
+
 4) Settings for afl-qemu-trace
 ------------------------------
 
@@ -192,16 +198,21 @@
 
     abort_on_error=1
     detect_leaks=0
+    symbolize=0
     allocator_may_return_null=1
 
     If you want to set your own options, be sure to include abort_on_error=1 -
     otherwise, the fuzzer will not be able to detect crashes in the tested
-    app.
+    app. Similarly, include symbolize=0, since without it, AFL may have
+    difficulty telling crashes and hangs apart.
 
   - In the same vein, by default, MSAN_OPTIONS are set to:
 
-    exit_code=86
+    exit_code=86 (required for legacy reasons)    
+    abort_on_error=1
+    symbolize=0
     msan_track_origins=0
+    allocator_may_return_null=1
 
     Be sure to include the first one when customizing anything, since MSAN
     doesn't call abort() on error, and we need a way to detect faults.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/docs/sister_projects.txt 
new/afl-2.04b/docs/sister_projects.txt
--- old/afl-2.01b/docs/sister_projects.txt      2016-02-15 05:43:37.000000000 
+0100
+++ new/afl-2.04b/docs/sister_projects.txt      2016-02-21 01:27:47.000000000 
+0100
@@ -240,3 +240,12 @@
 
   http://www.sqlite.org/src/artifact/9e7e273da2030371
 
+Support for Python mutation modules (Christian Holler)
+------------------------------------------------------
+
+  https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt
+
+Support for selective instrumentation (Christian Holler)
+--------------------------------------------------------
+
+  
https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/docs/status_screen.txt 
new/afl-2.04b/docs/status_screen.txt
--- old/afl-2.01b/docs/status_screen.txt        2016-02-12 07:12:09.000000000 
+0100
+++ new/afl-2.04b/docs/status_screen.txt        2016-02-21 01:01:37.000000000 
+0100
@@ -297,12 +297,6 @@
   - Use of uninitialized memory in conjunction with some intrinsic sources of
     entropy in the tested binary. This can be indicative of a security bug.
 
-  - Multiple threads executing at once in semi-random order. Not a big deal,
-    but to avoid hiccups, it's best to restrict instrumented programs to a
-    single thread. Check compile-time options or run-time flags. For example,
-    for ImageMagick, you can try --without-threads --disable-openmp; for
-    ffmpeg, look for --disable-pthreads instead.
-
   - Attempts to create files that were already created during previous runs, or
     otherwise interact with some form of persistent state. This is harmless,
     but you may want to instruct the targeted program to write to stdout or to
@@ -315,6 +309,20 @@
 
     select random();
 
+  - Multiple threads executing at once in semi-random order. This is usually
+    just a nuisance, but if the number of variable paths is very high, try the
+    following options:
+
+    - Use afl-clang-fast from llvm_mode/ - it uses a thread-local tracking
+      model that is less prone to concurrency issues,
+
+    - See if the target can be compiled or run without threads. Common
+      ./configure options include --without-threads, --disable-pthreads, or
+      --disable-openmp.
+
+    - Replace pthreads with GNU Pth (https://www.gnu.org/software/pth/), which
+      allows you to use a deterministic scheduler.
+
 Less likely causes may include running out of disk space, SHM handles, or other
 globally limited resources.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/llvm_mode/Makefile 
new/afl-2.04b/llvm_mode/Makefile
--- old/afl-2.01b/llvm_mode/Makefile    2015-12-16 05:25:00.000000000 +0100
+++ new/afl-2.04b/llvm_mode/Makefile    2016-02-21 02:49:14.000000000 +0100
@@ -7,7 +7,7 @@
 #
 # LLVM integration design comes from Laszlo Szekeres.
 #
-# Copyright 2015 Google Inc. All rights reserved.
+# Copyright 2015, 2016 Google Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,11 +27,14 @@
 CFLAGS      ?= -O3 -funroll-loops
 CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
                -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
-               -DVERSION=\"$(VERSION)\"
+               -DVERSION=\"$(VERSION)\" 
+ifdef AFL_TRACE_PC
+  CFLAGS    += -DUSE_TRACE_PC=1
+endif
 
 CXXFLAGS    ?= -O3 -funroll-loops
 CXXFLAGS    += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-               -DVERSION=\"$(VERSION)\"
+               -DVERSION=\"$(VERSION)\" -Wno-variadic-macros
 
 CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
 CLANG_LFL    = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
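Review bot: `ifdef AFL_TRACE_PC` on line 680 (and the matching conditionals in the hunk ending at line 737) only tests whether the variable is non-empty, so `AFL_TRACE_PC=0` selects trace-pc mode exactly like the documented `AFL_TRACE_PC=1`. If only `=1` is meant to enable it, `ifeq ($(strip $(AFL_TRACE_PC)),1)` is the precise test; otherwise a comment stating that any non-empty value enables the mode would do. Line 679 also adds a trailing space after `-DVERSION=\"$(VERSION)\"`, which ends up inside CFLAGS; harmless, but it should be dropped.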
@@ -39,9 +42,7 @@
 # User teor2345 reports that this is required to make things work on MacOS X.
 
 ifeq "$(shell uname)" "Darwin"
-
-CLANG_LFL   += -Wl,-flat_namespace -Wl,-undefined,suppress
-
+  CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
 endif
 
 # We were using llvm-config --bindir to get the location of clang, but
@@ -49,19 +50,25 @@
 # probably better.
 
 ifeq "$(origin CC)" "default"
-
-CC           = clang
-CXX          = clang++
-
+  CC         = clang
+  CXX        = clang++
 endif
 
-PROGS        = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o
+ifndef AFL_TRACE_PC
+  PROGS      = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o
+else
+  PROGS      = ../afl-clang-fast ../afl-llvm-rt.o
+endif
 
 all: test_deps $(PROGS) test_build all_done
 
 test_deps:
+ifndef AFL_TRACE_PC
        @echo "[*] Checking for working 'llvm-config'..."
        @which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 
'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; 
echo "    (Sometimes, the binary will be named llvm-config-3.5 or something 
like that.)"; exit 1 )
+else
+       @echo "[!] Note: using -fsanitize=trace-pc mode (this will fail with 
older LLVM)."
+endif
        @echo "[*] Checking for working '$(CC)'..."
        @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. 
Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
        @echo "[*] Checking for '../afl-showmap'..."
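Review bot: The trace-pc notice on line 731 says `-fsanitize=trace-pc`, but the flag afl-clang-fast actually passes in this commit is `-fsanitize-coverage=bb,trace-pc` (llvm_mode/afl-clang-fast.c); the message should name the real option so users can match it against compiler errors, e.g. `@echo "[!] Note: using -fsanitize-coverage=trace-pc mode (this will fail with older LLVM)."`. Skipping the llvm-config check in trace-pc mode fits the reduced PROGS list, but CLANG_CFL and CLANG_LFL (hunk ending at line 690) still expand `$(LLVM_CONFIG)` in backticks; if afl-llvm-rt.o or afl-clang-fast use either, the check is still needed — worth confirming against the rules below. The enclosing test_deps recipe continues past the end of this hunk.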
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/llvm_mode/README.llvm 
new/afl-2.04b/llvm_mode/README.llvm
--- old/afl-2.01b/llvm_mode/README.llvm 2015-12-16 05:26:18.000000000 +0100
+++ new/afl-2.04b/llvm_mode/README.llvm 2016-02-21 03:30:35.000000000 +0100
@@ -22,7 +22,9 @@
 
   - The instrumentation is CPU-independent. At least in principle, you should
     be able to rely on it to fuzz programs on non-x86 architectures (after
-    building afl-fuzz with AFL_NOX86=1).
+    building afl-fuzz with AFL_NO_X86=1).
+
+  - The instrumentation can cope a bit better with multi-threaded targets.
 
   - Because the feature relies on the internals of LLVM, it is clang-specific
     and will *not* work with GCC.
@@ -166,3 +168,27 @@
 "pure" in-process fuzzing offered, say, by LLVM's LibFuzzer; but it is a lot
 faster than the normal fork() model, and compared to in-process fuzzing,
 should be a lot more robust.
+
+6) Bonus feature #3: new 'trace-pc' mode
+----------------------------------------
+
+Recent versions of LLVM are shipping with a built-in execution tracing feature
+that is fairly usable for AFL, without the need to post-process the assembly
+or install any compiler plugins. See:
+
+  http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs
+
+As of this writing, the feature is only available on SVN trunk, and is yet to
+make it to an official release of LLVM. Nevertheless, if you have a
+sufficiently recent compiler and want to give it a try, build afl-clang-fast
+this way:
+
+  AFL_TRACE_PC=1 make clean all
+
+Since a form of 'trace-pc' is also supported in GCC, this mode may become a
+longer-term solution to all our needs.
+
+Note that this mode supports AFL_INST_RATIO at run time, not at compilation
+time. This is somewhat similar to the behavior of the QEMU mode. Because of
+the need to support it at run time, the mode is also a tad slower than the
+plugin-based approach.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/llvm_mode/afl-clang-fast.c 
new/afl-2.04b/llvm_mode/afl-clang-fast.c
--- old/afl-2.01b/llvm_mode/afl-clang-fast.c    2015-09-09 00:37:25.000000000 
+0200
+++ new/afl-2.04b/llvm_mode/afl-clang-fast.c    2016-02-21 21:19:23.000000000 
+0100
@@ -7,7 +7,7 @@
 
    LLVM integration design comes from Laszlo Szekeres.
 
-   Copyright 2015 Google Inc. All rights reserved.
+   Copyright 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -112,10 +112,22 @@
     cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
   }
 
+  /* There are two ways to compile afl-clang-fast. In the traditional mode, we
+     use afl-llvm-pass.so to inject instrumentation. In the experimental
+     'trace-pc' mode, we use native LLVM instrumentation callbacks instead.
+     The latter is a very recent addition - see:
+
+     http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs */
+
+#ifdef USE_TRACE_PC
+  cc_params[cc_par_cnt++] = "-fsanitize-coverage=bb,trace-pc";
+#else
   cc_params[cc_par_cnt++] = "-Xclang";
   cc_params[cc_par_cnt++] = "-load";
   cc_params[cc_par_cnt++] = "-Xclang";
   cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
+#endif /* ^USE_TRACE_PC */
+
   cc_params[cc_par_cnt++] = "-Qunused-arguments";
 
   while (--argc) {
@@ -168,6 +180,13 @@
 
   }
 
+#ifdef USE_TRACE_PC
+
+  if (getenv("AFL_INST_RATIO"))
+    FATAL("AFL_INST_RATIO not available at compile time with 'trace-pc'.");
+
+#endif /* USE_TRACE_PC */
+
   if (!getenv("AFL_DONT_OPTIMIZE")) {
 
     cc_params[cc_par_cnt++] = "-g";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/llvm_mode/afl-llvm-pass.so.cc 
new/afl-2.04b/llvm_mode/afl-llvm-pass.so.cc
--- old/afl-2.01b/llvm_mode/afl-llvm-pass.so.cc 2015-12-16 05:27:28.000000000 
+0100
+++ new/afl-2.04b/llvm_mode/afl-llvm-pass.so.cc 2016-02-21 00:54:16.000000000 
+0100
@@ -8,7 +8,7 @@
    LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
    from afl-as.c are Michal's fault.
 
-   Copyright 2015 Google Inc. All rights reserved.
+   Copyright 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -66,8 +66,7 @@
   LLVMContext &C = M.getContext();
 
   IntegerType *Int8Ty  = IntegerType::getInt8Ty(C);
-  IntegerType *Int16Ty = IntegerType::getInt16Ty(C);
-  IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
+  IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
 
   /* Show a banner */
 
@@ -92,14 +91,16 @@
 
   }
 
-  /* Get globals for the SHM region and the previous location. */
+  /* Get globals for the SHM region and the previous location. Note that
+     __afl_prev_loc is thread-local. */
 
   GlobalVariable *AFLMapPtr =
       new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
                          GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
 
   GlobalVariable *AFLPrevLoc = new GlobalVariable(
-      M, Int16Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
+      M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
+      0, GlobalValue::GeneralDynamicTLSModel, 0, false);
 
   /* Instrument all the things! */
 
@@ -116,13 +117,14 @@
       /* Make up cur_loc */
 
       unsigned int cur_loc = R(MAP_SIZE);
-      ConstantInt *CurLoc = ConstantInt::get(Int64Ty, cur_loc);
+
+      ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
 
       /* Load prev_loc */
 
       LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
       PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
-      Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt64Ty());
+      Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
 
       /* Load SHM pointer */
 
@@ -142,7 +144,7 @@
       /* Set prev_loc to cur_loc >> 1 */
 
       StoreInst *Store =
-          IRB.CreateStore(ConstantInt::get(Int16Ty, cur_loc >> 1), AFLPrevLoc);
+          IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc);
       Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
 
       inst_blocks++;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/llvm_mode/afl-llvm-rt.o.c 
new/afl-2.04b/llvm_mode/afl-llvm-rt.o.c
--- old/afl-2.01b/llvm_mode/afl-llvm-rt.o.c     2015-11-03 05:28:19.000000000 
+0100
+++ new/afl-2.04b/llvm_mode/afl-llvm-rt.o.c     2016-02-21 21:23:08.000000000 
+0100
@@ -7,7 +7,7 @@
 
    LLVM integration design comes from Laszlo Szekeres.
 
-   Copyright 2015 Google Inc. All rights reserved.
+   Copyright 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 #include "../config.h"
 #include "../types.h"
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <signal.h>
 #include <unistd.h>
@@ -39,7 +40,8 @@
 
 u8  __afl_area_initial[MAP_SIZE];
 u8* __afl_area_ptr = __afl_area_initial;
-u16 __afl_prev_loc;
+
+__thread u32 __afl_prev_loc;
 
 
 /* Running in persistent mode? */
@@ -214,3 +216,75 @@
 }
 
 
+/* The following stuff deals with support for -fsanitize-coverage=bb,trace-pc.
+   It remains non-operational in the traditional, plugin-backed LLVM mode.
+   For more info about 'trace-pc', see README.llvm.
+
+   The first function (__sanitizer_cov_trace_pc) is called back on every
+   basic block. Since LLVM is not giving us any stable IDs for the blocks,
+   we use 12 least significant bits of the return address (which should be
+   stable even with ASLR; more significant bits may vary across runs).
+
+   Since MAP_SIZE is usually larger than 12 bits, we "pad" it by combining
+   left-shifted __afl_prev_loc. This gives us a theoretical maximum of 24 
+   bits, although instruction alignment likely reduces this somewhat. */
+
+
+static u32 inst_ratio_scaled = MIN(4096, MAP_SIZE);
+
+void __sanitizer_cov_trace_pc(void) {
+
+  u32 cur = ((u32)__builtin_return_address(0)) & MIN(4095, MAP_SIZE - 1);
+
+  if (cur > inst_ratio_scaled) return;
+
+  __afl_area_ptr[cur ^ __afl_prev_loc]++;
+
+#if MAP_SIZE_POW2 > 12
+  __afl_prev_loc = cur << (MAP_SIZE_POW2 - 12);
+#else
+  __afl_prev_loc = cur >> 1;
+#endif /* ^MAP_SIZE_POW2 > 12 */
+
+}
+
+
+/* Same deal, but for indirect calls. */
+
+void __sanitizer_cov_trace_pc_indir(void* dummy) {
+
+  u32 cur = ((u32)__builtin_return_address(0)) & MIN(4095, MAP_SIZE - 1);
+
+  if (cur > inst_ratio_scaled) return;
+
+  __afl_area_ptr[cur ^ __afl_prev_loc]++;
+
+#if MAP_SIZE_POW2 > 12
+  __afl_prev_loc = cur << (MAP_SIZE_POW2 - 12);
+#else
+  __afl_prev_loc = cur >> 1;
+#endif /* ^MAP_SIZE_POW2 > 12 */
+
+}
+
+
+/* Init callback. Unfortunately, LLVM does not support compile-time
+   instrumentation density scaling, at least not just yet. */
+
+void __sanitizer_cov_module_init(void) {
+
+  u8* x = getenv("AFL_INST_RATIO");
+
+  if (!x) return;
+
+  inst_ratio_scaled = atoi(x);
+
+  if (!inst_ratio_scaled || inst_ratio_scaled > 100) {
+    fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
+    abort();
+  }
+
+  inst_ratio_scaled = inst_ratio_scaled * MIN(4096, MAP_SIZE) / 100;
+
+}
+
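Review bot: `__sanitizer_cov_trace_pc_indir` repeats the body of `__sanitizer_cov_trace_pc` line for line, so the two callbacks will drift apart on the next edit; a `static inline` helper taking the already-masked `cur` removes the duplication while keeping `__builtin_return_address(0)` inside the real callback, where it must be evaluated. The cast `(u32)__builtin_return_address(0)` converts a pointer straight to a 32-bit integer, which GCC and Clang warn about on 64-bit targets; going through `uintptr_t` first makes the intended truncation explicit. The `u8* x = getenv(...)` / `atoi(x)` pair also mixes pointer signedness if `u8` is `unsigned char` as elsewhere in AFL — presumably silenced by the build flags, but worth confirming.
```c
/* Shared body of the two trace-pc callbacks. cur is the caller's masked
   return address; it is computed in the callback itself so that
   __builtin_return_address(0) refers to the instrumented code. */

static inline void afl_trace_pc(u32 cur) {

  if (cur > inst_ratio_scaled) return;

  __afl_area_ptr[cur ^ __afl_prev_loc]++;

#if MAP_SIZE_POW2 > 12
  __afl_prev_loc = cur << (MAP_SIZE_POW2 - 12);
#else
  __afl_prev_loc = cur >> 1;
#endif /* ^MAP_SIZE_POW2 > 12 */

}

void __sanitizer_cov_trace_pc(void) {

  afl_trace_pc(((u32)(uintptr_t)__builtin_return_address(0)) & MIN(4095, MAP_SIZE - 1));

}

/* Same deal, but for indirect calls. */

void __sanitizer_cov_trace_pc_indir(void* dummy) {

  afl_trace_pc(((u32)(uintptr_t)__builtin_return_address(0)) & MIN(4095, MAP_SIZE - 1));

}

/* … unchanged: __sanitizer_cov_module_init … */
```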
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/afl-2.01b/qemu_mode/patches/afl-qemu-cpu-inl.h 
new/afl-2.04b/qemu_mode/patches/afl-qemu-cpu-inl.h
--- old/afl-2.01b/qemu_mode/patches/afl-qemu-cpu-inl.h  2015-06-11 
08:33:30.000000000 +0200
+++ new/afl-2.04b/qemu_mode/patches/afl-qemu-cpu-inl.h  2016-02-20 
23:22:07.000000000 +0100
@@ -7,7 +7,7 @@
 
    Idea & design very much by Andrew Griffiths.
 
-   Copyright 2015 Google Inc. All rights reserved.
+   Copyright 2015, 2016 Google Inc. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -223,7 +223,7 @@
 
 static inline void afl_maybe_log(abi_ulong cur_loc) {
 
-  static abi_ulong prev_loc;
+  static __thread abi_ulong prev_loc;
 
   /* Optimize for cur_loc > afl_end_code, which is the most likely case on
      Linux systems. */
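Review bot: `prev_loc` becomes `__thread` without a word on why, and the surrounding comment still only talks about the fast-path ordering. Presumably the intent is that each guest thread keeps its own edge chain instead of XOR-ing into another thread's previous location; a one-liner such as `/* Per-thread: edges from concurrently executing guest threads must not be chained together. */` would record that. The function body continues outside the hunk.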
@@ -231,11 +231,9 @@
   if (cur_loc > afl_end_code || cur_loc < afl_start_code || !afl_area_ptr)
     return;
 
-  /* Looks like QEMU always maps to fixed locations, so we can skip this:
-     cur_loc -= afl_start_code; */
-
-  /* Instruction addresses may be aligned. Let's mangle the value to get
-     something quasi-uniform. */
+  /* Looks like QEMU always maps to fixed locations, so ASAN is not a
+     concern. Phew. But instruction addresses may be aligned. Let's mangle
+     the value to get something quasi-uniform. */
 
   cur_loc  = (cur_loc >> 4) ^ (cur_loc << 8);
   cur_loc &= MAP_SIZE - 1;
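Review bot: The rewritten comment says "QEMU always maps to fixed locations, so ASAN is not a concern", but the reasoning about fixed mapping addresses is about address-space randomisation, not the address sanitizer; if ASLR is what is meant, the line should read `/* Looks like QEMU always maps to fixed locations, so ASLR is not a`. If ASAN really is intended, a few words on how it relates to `cur_loc` stability would make the comment self-explanatory. The mangling below is unchanged by this hunk.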

