Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2016-07-01 09:59:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2016-06-19 10:49:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2016-07-01 09:59:30.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Jun 28 06:26:03 UTC 2016 - [email protected] + +- afl 2.17b: + * Remove error-prone and manual -Z option + * automatically bind to the first free core + +------------------------------------------------------------------- Old: ---- afl-2.14b.tgz New: ---- afl-2.17b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.VM0fOM/_old 2016-07-01 09:59:31.000000000 +0200 +++ /var/tmp/diff_new_pack.VM0fOM/_new 2016-07-01 09:59:31.000000000 +0200 @@ -17,7 +17,7 @@ Name: afl -Version: 2.14b +Version: 2.17b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 ++++++ afl-2.14b.tgz -> afl-2.17b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/Makefile new/afl-2.17b/Makefile --- old/afl-2.14b/Makefile 2016-06-07 08:45:45.000000000 +0200 +++ new/afl-2.17b/Makefile 2016-06-24 04:35:35.000000000 +0200 @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 2.14b +VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2) PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -30,7 +30,7 @@ CFLAGS ?= -O3 -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ - -DBIN_PATH=\"$(BIN_PATH)\" -DVERSION=\"$(VERSION)\" + -DBIN_PATH=\"$(BIN_PATH)\" ifneq "$(filter Linux GNU%,$(shell uname))" "" LDFLAGS += -ldl @@ -66,7 +66,7 @@ set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) [email protected] -o $@ $(LDFLAGS) + $(CC) $(CFLAGS) [email protected] -o $@ $(LDFLAGS) ln -sf afl-as as afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86 @@ -132,7 +132,7 @@ publish: clean test "`basename $$PWD`" = "afl" || exit 1 - test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in Makefile, mmkay?"; echo; exit 1; fi + test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \ tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION) chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/afl-analyze.c new/afl-2.17b/afl-analyze.c --- old/afl-2.14b/afl-analyze.c 2016-02-21 06:41:47.000000000 +0100 +++ new/afl-2.17b/afl-analyze.c 2016-06-28 07:23:28.000000000 +0200 @@ -89,21 +89,17 @@ /* Classify tuple counts. This is a slow & naive version, but good enough here. */ -#define AREP4(_sym) (_sym), (_sym), (_sym), (_sym) -#define AREP8(_sym) AREP4(_sym), AREP4(_sym) -#define AREP16(_sym) AREP8(_sym), AREP8(_sym) -#define AREP32(_sym) AREP16(_sym), AREP16(_sym) -#define AREP64(_sym) AREP32(_sym), AREP32(_sym) -#define AREP128(_sym) AREP64(_sym), AREP64(_sym) - static u8 count_class_lookup[256] = { - /* 0 - 3: 4 */ 0, 1, 2, 4, - /* 4 - 7: +4 */ AREP4(8), - /* 8 - 15: +8 */ AREP8(16), - /* 16 - 31: +16 */ AREP16(32), - /* 32 - 127: +96 */ AREP64(64), AREP32(64), - /* 128+: +128 */ AREP128(128) + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/afl-as.h new/afl-2.17b/afl-as.h --- old/afl-2.14b/afl-as.h 2015-11-03 05:29:51.000000000 +0100 +++ new/afl-2.17b/afl-as.h 2016-06-21 06:44:52.000000000 +0200 @@ -181,7 +181,9 @@ " xorl %ecx, %edi\n" " shrl $1, %ecx\n" " movl %ecx, __afl_prev_loc\n" -#endif /* !COVERAGE_ONLY */ +#else + " movl %ecx, %edi\n" +#endif /* ^!COVERAGE_ONLY */ "\n" #ifdef SKIP_COUNTS " orb $1, (%edx, %edi, 1)\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/afl-fuzz.c new/afl-2.17b/afl-fuzz.c --- old/afl-2.14b/afl-fuzz.c 2016-06-07 08:53:58.000000000 +0200 +++ new/afl-2.17b/afl-fuzz.c 2016-06-28 07:22:19.000000000 +0200 @@ -60,7 +60,8 @@ # include <sys/sysctl.h> #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ -/* For supporting -Z on systems that have sched_setaffinity. */ +/* For systems that have sched_setaffinity; right now just Linux, but one + can hope... */ #ifdef __linux__ # define HAVE_AFFINITY 1 @@ -200,14 +201,11 @@ static u64 total_bitmap_size, /* Total bit count for all bitmaps */ total_bitmap_entries; /* Number of bitmaps counted */ -static u32 cpu_core_count; /* CPU core count */ +static s32 cpu_core_count; /* CPU core count */ #ifdef HAVE_AFFINITY -static u8 use_affinity; /* Using -Z */ - -static u32 cpu_aff_main, /* Affinity for main process */ - cpu_aff_child; /* Affinity for fuzzed child */ +static s32 cpu_aff = -1; /* Selected CPU core */ #endif /* HAVE_AFFINITY */ @@ -340,25 +338,6 @@ } -#ifdef HAVE_AFFINITY - -/* Set CPU affinity (on systems that support it). */ - -static void set_cpu_affinity(u32 cpu_id) { - - cpu_set_t c; - - CPU_ZERO(&c); - CPU_SET(cpu_id, &c); - - if (sched_setaffinity(0, sizeof(c), &c)) - PFATAL("sched_setaffinity failed"); - -} - -#endif /* HAVE_AFFINITY */ - - /* Generate a random number (from 0 to limit - 1). This may have slight bias. */ @@ -398,6 +377,122 @@ } +#ifdef HAVE_AFFINITY + +/* Build a list of processes bound to specific cores. Returns -1 if nothing + can be found. Assumes an upper bound of 4k CPUs. */ + +static void bind_to_free_cpu(void) { + + DIR* d; + struct dirent* de; + cpu_set_t c; + + u8 cpu_used[4096] = { 0 }; + u32 i; + + if (!cpu_core_count) return; + + if (getenv("AFL_NO_AFFINITY")) { + + WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set)."); + return; + + } + + d = opendir("/proc"); + + if (!d) { + + WARNF("Unable to access /proc - can't scan for free CPU cores."); + return; + + } + + ACTF("Checking CPU core loadout..."); + + /* Introduce some jitter, in case multiple AFL tasks are doing the same + thing at the same time... */ + + usleep(R(1000) * 250); + + /* Scan all /proc/<pid>/status entries, checking for Cpus_allowed_list. + Flag all processes bound to a specific CPU using cpu_used[]. This will + fail for some exotic binding setups, but is likely good enough in almost + all real-world use cases. */ + + while ((de = readdir(d))) { + + u8* fn; + FILE* f; + u8 tmp[MAX_LINE]; + u8 has_vmsize = 0; + + if (!isdigit(de->d_name[0])) continue; + + fn = alloc_printf("/proc/%s/status", de->d_name); + + if (!(f = fopen(fn, "r"))) { + ck_free(fn); + continue; + } + + while (fgets(tmp, MAX_LINE, f)) { + + u32 hval; + + /* Processes without VmSize are probably kernel tasks. */ + + if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; + + if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && + !strchr(tmp, '-') && !strchr(tmp, ',') && + sscanf(tmp + 19, "%u", &hval) == 1 && hval < sizeof(cpu_used) && + has_vmsize) { + + cpu_used[hval] = 1; + break; + + } + + } + + ck_free(fn); + fclose(f); + + } + + closedir(d); + + for (i = 0; i < cpu_core_count; i++) if (!cpu_used[i]) break; + + if (i == cpu_core_count) { + + SAYF("\n" cLRD "[-] " cRST + "Uh-oh, looks like all %u CPU cores on your system are allocated to\n" + " other instances of afl-fuzz (or similar CPU-locked tasks). Starting\n" + " another fuzzer on this machine is probably a bad plan, but if you are\n" + " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n", + cpu_core_count); + + FATAL("No more free CPU cores"); + + } + + OKF("Found a free CPU core, binding to #%u.", i); + + cpu_aff = i; + + CPU_ZERO(&c); + CPU_SET(i, &c); + + if (sched_setaffinity(0, sizeof(c), &c)) + PFATAL("sched_setaffinity failed"); + +} + +#endif /* HAVE_AFFINITY */ + #ifndef IGNORE_FINDS /* Helper function to compare buffers; returns first and last differing offset. We @@ -948,21 +1043,11 @@ is hit or not. Called on every new crash or hang, should be reasonably fast. */ -#define AREP4(_sym) (_sym), (_sym), (_sym), (_sym) -#define AREP8(_sym) AREP4(_sym), AREP4(_sym) -#define AREP16(_sym) AREP8(_sym), AREP8(_sym) -#define AREP32(_sym) AREP16(_sym), AREP16(_sym) -#define AREP64(_sym) AREP32(_sym), AREP32(_sym) -#define AREP128(_sym) AREP64(_sym), AREP64(_sym) - -static u8 simplify_lookup[256] = { - /* 4 */ 1, 128, 128, 128, - /* +4 */ AREP4(128), - /* +8 */ AREP8(128), - /* +16 */ AREP16(128), - /* +32 */ AREP32(128), - /* +64 */ AREP64(128), - /* +128 */ AREP128(128) +static const u8 simplify_lookup[256] = { + + [0] = 1, + [1 ... 255] = 128 + }; #ifdef __x86_64__ @@ -1029,14 +1114,17 @@ preprocessing step for any newly acquired traces. Called on every exec, must be fast. */ -static u8 count_class_lookup[256] = { +static const u8 count_class_lookup[256] = { - /* 0 - 3: 4 */ 0, 1, 2, 4, - /* 4 - 7: +4 */ AREP4(8), - /* 8 - 15: +8 */ AREP8(16), - /* 16 - 31: +16 */ AREP16(32), - /* 32 - 127: +96 */ AREP64(64), AREP32(64), - /* 128+: +128 */ AREP128(128) + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; @@ -1897,10 +1985,6 @@ struct rlimit r; -#ifdef HAVE_AFFINITY - if (use_affinity) set_cpu_affinity(cpu_aff_child); -#endif /* HAVE_AFFINITY */ - /* Umpf. On OpenBSD, the default fd limit for root users is set to soft 128. Let's try to fix that... */ @@ -2199,10 +2283,6 @@ struct rlimit r; -#ifdef HAVE_AFFINITY - if (use_affinity) set_cpu_affinity(cpu_aff_child); -#endif /* HAVE_AFFINITY */ - if (mem_limit) { r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; @@ -4132,10 +4212,10 @@ #ifdef HAVE_AFFINITY - if (use_affinity) { + if (cpu_aff >= 0) { - SAYF(SP10 cGRA "[cpu@%02u:%s%3u%%" cGRA "]\r" cRST, - MIN(cpu_aff_child, 99), cpu_color, + SAYF(SP10 cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, + MIN(cpu_aff, 999), cpu_color, MIN(cur_utilization, 999)); } else { @@ -4144,6 +4224,7 @@ cpu_color, MIN(cur_utilization, 999)); } + #else SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, @@ -6838,9 +6919,6 @@ " -T text - text banner to show on the screen\n" " -M / -S id - distributed mode (see parallel_fuzzing.txt)\n" -#ifdef HAVE_AFFINITY - " -Z core_id - set CPU affinity (see perf_tips.txt)\n" -#endif /* HAVE_AFFINITY */ " -C - crash exploration mode (the peruvian rabbit thing)\n\n" "For additional tips, please consult %s/README.\n\n", @@ -7138,27 +7216,27 @@ #else - if (!cpu_core_count) { +#ifdef HAVE_AFFINITY + + cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); + +#else - /* On Linux, a simple way is to look at /proc/stat, especially since we'd - be parsing it anyway for other reasons later on. But do this only if - cpu_core_count hasn't been obtained before as a result of specifying - -Z. */ + FILE* f = fopen("/proc/stat", "r"); + u8 tmp[1024]; - FILE* f = fopen("/proc/stat", "r"); - u8 tmp[1024]; + if (!f) return; - if (!f) return; + while (fgets(tmp, sizeof(tmp), f)) + if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; - while (fgets(tmp, sizeof(tmp), f)) - if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; + fclose(f); - fclose(f); - } +#endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ - if (cpu_core_count) { + if (cpu_core_count > 0) { cur_runnable = (u32)get_runnable_processes(); @@ -7187,17 +7265,12 @@ } - } else WARNF("Unable to figure out the number of CPU cores."); - -#ifdef HAVE_AFFINITY + } else { - if (use_affinity) - OKF("Using specified CPU affinity: main = %u, child = %u", - cpu_aff_main, cpu_aff_child); - else if (cpu_core_count > 1) - OKF(cBRI "Try setting CPU affinity (-Z) for a performance boost!" cRST); + cpu_core_count = 0; + WARNF("Unable to figure out the number of CPU cores."); -#endif /* HAVE_AFFINITY */ + } } @@ -7490,7 +7563,7 @@ doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:QZ:")) > 0) + while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:Q")) > 0) switch (opt) { @@ -7586,35 +7659,6 @@ break; -#ifdef HAVE_AFFINITY - - case 'Z': { - - s32 i; - - if (use_affinity) FATAL("Multiple -Z options not supported"); - use_affinity = 1; - - cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); - - i = sscanf(optarg, "%u,%u", &cpu_aff_main, &cpu_aff_child); - - if (i < 1 || cpu_aff_main >= cpu_core_count) - FATAL("Bogus primary core ID passed to -Z (expected 0-%u)", - cpu_core_count - 1); - - if (i == 1) cpu_aff_child = cpu_aff_main; - - if (cpu_aff_child >= cpu_core_count) - FATAL("Bogus secondary core ID passed to -Z (expected 0-%u)", - cpu_core_count - 1); - - break; - - } - -#endif /* HAVE_AFFINITY */ - case 'd': if (skip_deterministic) FATAL("Multiple -d options not supported"); @@ -7680,10 +7724,6 @@ setup_signal_handlers(); check_asan_opts(); -#ifdef HAVE_AFFINITY - if (use_affinity) set_cpu_affinity(cpu_aff_main); -#endif /* HAVE_AFFINITY */ - if (sync_id) fix_up_sync(); if (!strcmp(in_dir, out_dir)) @@ -7714,6 +7754,11 @@ check_if_tty(); get_core_count(); + +#ifdef HAVE_AFFINITY + bind_to_free_cpu(); +#endif /* HAVE_AFFINITY */ + check_crash_handling(); check_cpu_governor(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/afl-showmap.c new/afl-2.17b/afl-showmap.c --- old/afl-2.14b/afl-showmap.c 2016-05-04 03:28:27.000000000 +0200 +++ new/afl-2.17b/afl-showmap.c 2016-06-28 07:22:41.000000000 +0200 @@ -73,21 +73,17 @@ /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ -#define AREP4(_sym) (_sym), (_sym), (_sym), (_sym) -#define AREP8(_sym) AREP4(_sym), AREP4(_sym) -#define AREP16(_sym) AREP8(_sym), AREP8(_sym) -#define AREP32(_sym) AREP16(_sym), AREP16(_sym) -#define AREP64(_sym) AREP32(_sym), AREP32(_sym) -#define AREP128(_sym) AREP64(_sym), AREP64(_sym) +static const u8 count_class_lookup[256] = { -static u8 count_class_lookup[256] = { - - /* 0 - 3: 4 */ 0, 1, 2, 3, - /* 4 - 7: +4 */ AREP4(4), - /* 8 - 15: +8 */ AREP8(5), - /* 16 - 31: +16 */ AREP16(6), - /* 32 - 127: +96 */ AREP64(7), AREP32(7), - /* 128+: +128 */ AREP128(8) + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 3, + [4 ... 7] = 4, + [8 ... 15] = 5, + [16 ... 31] = 6, + [32 ... 127] = 7, + [128 ... 255] = 8 }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/afl-tmin.c new/afl-2.17b/afl-tmin.c --- old/afl-2.14b/afl-tmin.c 2016-05-29 23:42:29.000000000 +0200 +++ new/afl-2.17b/afl-tmin.c 2016-06-28 07:22:53.000000000 +0200 @@ -81,21 +81,17 @@ /* Classify tuple counts. This is a slow & naive version, but good enough here. */ -#define AREP4(_sym) (_sym), (_sym), (_sym), (_sym) -#define AREP8(_sym) AREP4(_sym), AREP4(_sym) -#define AREP16(_sym) AREP8(_sym), AREP8(_sym) -#define AREP32(_sym) AREP16(_sym), AREP16(_sym) -#define AREP64(_sym) AREP32(_sym), AREP32(_sym) -#define AREP128(_sym) AREP64(_sym), AREP64(_sym) +static const u8 count_class_lookup[256] = { -static u8 count_class_lookup[256] = { - - /* 0 - 3: 4 */ 0, 1, 2, 4, - /* 4 - 7: +4 */ AREP4(8), - /* 8 - 15: +8 */ AREP8(16), - /* 16 - 31: +16 */ AREP16(32), - /* 32 - 127: +96 */ AREP64(64), AREP32(64), - /* 128+: +128 */ AREP128(128) + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/config.h new/afl-2.17b/config.h --- old/afl-2.14b/config.h 2016-03-08 05:30:34.000000000 +0100 +++ new/afl-2.17b/config.h 2016-06-27 21:06:37.000000000 +0200 @@ -19,6 +19,10 @@ #include "types.h" +/* Version string: */ + +#define VERSION "2.17b" + /****************************************************** * * * Settings that may be of interest to power users: * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/docs/ChangeLog new/afl-2.17b/docs/ChangeLog --- old/afl-2.14b/docs/ChangeLog 2016-06-07 20:06:05.000000000 +0200 +++ new/afl-2.17b/docs/ChangeLog 2016-06-28 04:17:51.000000000 +0200 @@ -17,6 +17,35 @@ to get on with the times. -------------- +Version 2.17b: +-------------- + + - Killed the error-prone and manual -Z option. On Linux, AFL will now + automatically bind to the first free core (or complain if there are no + free cores left). + + - Made some doc updates along these lines. + +-------------- +Version 2.16b: +-------------- + + - Improved support for older versions of clang (hopefully without + breaking anything). + + - Moved version data from Makefile to config.h. Suggested by + Jonathan Metzman. + +-------------- +Version 2.15b: +-------------- + + - Added a README section on looking for non-crashing bugs. + + - Added license data to several boring files. Contributed by + Jonathan Metzman. + +-------------- Version 2.14b: -------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/docs/QuickStartGuide.txt new/afl-2.17b/docs/QuickStartGuide.txt --- old/afl-2.14b/docs/QuickStartGuide.txt 2015-08-26 06:04:19.000000000 +0200 +++ new/afl-2.17b/docs/QuickStartGuide.txt 2016-06-18 04:15:39.000000000 +0200 @@ -14,7 +14,8 @@ checksum verification code, too. The program must crash properly when a fault is encountered. Watch out for - custom SIGSEGV or SIGABRT handlers and background processes. + custom SIGSEGV or SIGABRT handlers and background processes. For tips on + detecting non-crashing flaws, see section 11 in docs/README. 3) Compile the program / library to be fuzzed using afl-gcc. A common way to do this would be: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/docs/README new/afl-2.17b/docs/README --- old/afl-2.14b/docs/README 2016-06-07 20:13:51.000000000 +0200 +++ new/afl-2.17b/docs/README 2016-06-19 00:24:18.000000000 +0200 @@ -336,7 +336,31 @@ insights into complex file formats. More info about its operation can be found near the end of technical_details.txt. -11) Common-sense risks +11) Going beyond crashes +------------------------ + +Fuzzing is a wonderful and underutilized technique for discovering non-crashing +design and implementation errors, too. Quite a few interesting bugs have been +found by modifying the target programs to call abort() when, say: + + - Two bignum libraries produce different outputs when given the same + fuzzer-generated input, + + - An image library produces different outputs when asked to decode the same + input image several times in a row, + + - A serialization / deserialization library fails to produce stable outputs + when iteratively serializing and deserializing fuzzer-supplied data, + + - A compression library produces an output inconsistent with the input file + when asked to compress and then decompress a particular blob. + +Implementing these or similar sanity checks usually takes very little time; +if you are the maintainer of a particular package, you can make this code +conditional with #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION (a flag also +shared with libfuzzer) or #ifdef __AFL_COMPILER (this one is just for AFL). + +12) Common-sense risks ---------------------- Please keep in mind that, similarly to many other computationally-intensive @@ -364,7 +388,7 @@ $ iostat -d 3 -x -k [...optional disk ID...] -12) Known limitations & areas for improvement +13) Known limitations & areas for improvement --------------------------------------------- Here are some of the most important caveats for AFL: @@ -402,7 +426,7 @@ Beyond this, see INSTALL for platform-specific tips. -13) Special thanks +14) Special thanks ------------------ Many of the improvements to afl-fuzz wouldn't be possible without feedback, @@ -439,7 +463,7 @@ Guillaume Endignoux ilovezfs Daniel Godas-Lopez Franjo Ivancic Austin Seipp Daniel Komaromy - Daniel Binderman + Daniel Binderman Jonathan Metzman Thank you! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/docs/env_variables.txt new/afl-2.17b/docs/env_variables.txt --- old/afl-2.14b/docs/env_variables.txt 2016-03-11 03:30:04.000000000 +0100 +++ new/afl-2.17b/docs/env_variables.txt 2016-06-27 20:43:23.000000000 +0200 @@ -109,6 +109,10 @@ normally indicated by the cycle counter in the UI turning green. May be convenient for some types of automated jobs. + - Setting AFL_NO_AFFINITY disables attempts to bind to a specific CPU core + on Linux systems. This slows things down, but lets you run more instances + of afl-fuzz than would be prudent (if you really want to). + - AFL_SKIP_CRASHES causes AFL to tolerate crashing files in the input queue. This can help with rare situations where a program crashes only intermittently, but it's not really recommended under normal operating diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/docs/perf_tips.txt new/afl-2.17b/docs/perf_tips.txt --- old/afl-2.14b/docs/perf_tips.txt 2016-06-07 20:12:08.000000000 +0200 +++ new/afl-2.17b/docs/perf_tips.txt 2016-06-27 20:41:44.000000000 +0200 @@ -144,29 +144,7 @@ presented with pathological inputs. Low -m values can make them give up sooner and not waste CPU time. -8) Set CPU core affinity for AFL --------------------------------- - -Making sure that the fuzzer always runs on the same (idle) CPU core can offer -a significant speed bump and reduce scheduler jitter. The benefits can be even -more striking on true multiprocessor systems. - -On Linux, you can assign the fuzzer to a specific core by first running -afl-gotcpu to see which cores are idle, and then specifying the ID of a -preferred core via -Z, like so: - - $ ./afl-fuzz -Z core_id [...other parameters...] - -Note that this parameter needs to be used with care; accidentally forcing -multiple fuzzers to share the same core may result in performance that is -worse than what you would get without -Z. - -(It is also possible to specify two comma-delimited values for -Z, in which -case, the fuzzer will run on one designated core, and the target binary will -be banished to another. This can sometimes offer minor benefits, but isn't -recommended for general use.) - -9) Check OS configuration +8) Check OS configuration ------------------------- There are several OS-level factors that may affect fuzzing speed: @@ -200,8 +178,8 @@ SCHED_RR - can usually speed things up, too, but needs to be done with care. -10) If all other options fail, use -d -------------------------------------- +9) If all other options fail, use -d +------------------------------------ For programs that are genuinely slow, in cases where you really can't escape using huge input files, or when you simply want to get quick and dirty results diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/docs/sister_projects.txt new/afl-2.17b/docs/sister_projects.txt --- old/afl-2.14b/docs/sister_projects.txt 2016-05-12 05:13:47.000000000 +0200 +++ new/afl-2.17b/docs/sister_projects.txt 2016-06-27 21:33:46.000000000 +0200 @@ -6,9 +6,9 @@ designed for, or meant to integrate with AFL. See README for the general instruction manual. ----------------------------- -Support for other languages: ----------------------------- +------------------------------------------- +Support for other languages / environments: +------------------------------------------- Python AFL (Jakub Wilk) ----------------------- @@ -70,6 +70,14 @@ https://github.com/bnagy/aflfix +TriforceAFL (Tim Newsham and Jesse Hertz) +----------------------------------------- + + Leverages QEMU full system emulation mode to allow AFL to target operating + systems and other alien worlds: + + https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/ + ---------------- Network fuzzing: ---------------- @@ -273,3 +281,4 @@ https://github.com/google/syzkaller/wiki/Found-Bugs https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931 + http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/experimental/instrumented_cmp/instrumented_cmp.c new/afl-2.17b/experimental/instrumented_cmp/instrumented_cmp.c --- old/afl-2.14b/experimental/instrumented_cmp/instrumented_cmp.c 2016-04-01 16:22:59.000000000 +0200 +++ new/afl-2.17b/experimental/instrumented_cmp/instrumented_cmp.c 2016-06-18 04:14:07.000000000 +0200 @@ -1,6 +1,17 @@ /* - A simple proof-of-concept for instrumented strcmp() or memcmp(). + american fuzzy lop - instrumented strcmp() or memcmp() proof-of-concept + ----------------------------------------------------------------------- + + Written and maintained by Michal Zalewski <[email protected]> + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 Normally, afl-fuzz will have difficulty ever reaching the code behind something like: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/hash.h new/afl-2.17b/hash.h --- old/afl-2.14b/hash.h 2015-09-22 06:07:34.000000000 +0200 +++ new/afl-2.17b/hash.h 2016-06-18 04:14:07.000000000 +0200 @@ -12,6 +12,16 @@ Austin's original code is public domain. + Other code written and maintained by Michal Zalewski <[email protected]> + + Copyright 2016 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + */ #ifndef _HAVE_HASH_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/llvm_mode/Makefile new/afl-2.17b/llvm_mode/Makefile --- old/afl-2.14b/llvm_mode/Makefile 2016-05-14 19:42:20.000000000 +0200 +++ new/afl-2.17b/llvm_mode/Makefile 2016-06-24 04:38:49.000000000 +0200 @@ -20,7 +20,7 @@ HELPER_PATH = $(PREFIX)/lib/afl BIN_PATH = $(PREFIX)/bin -VERSION = $(shell grep ^VERSION ../Makefile | cut -d= -f2 | sed 's/ //') +VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) LLVM_CONFIG ?= llvm-config diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.14b/llvm_mode/afl-llvm-pass.so.cc new/afl-2.17b/llvm_mode/afl-llvm-pass.so.cc --- old/afl-2.14b/llvm_mode/afl-llvm-pass.so.cc 2016-05-14 22:16:44.000000000 +0200 +++ new/afl-2.17b/llvm_mode/afl-llvm-pass.so.cc 2016-06-23 17:45:02.000000000 +0200 @@ -100,7 +100,7 @@ GlobalVariable *AFLPrevLoc = new GlobalVariable( M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", - 0, GlobalValue::GeneralDynamicTLSModel, 0, false); + 0, GlobalVariable::GeneralDynamicTLSModel, 0, false); /* Instrument all the things! */
