Merge pull request #2071 from AFLplusplus/dev

Push to stable

.github/workflows/ci.yml

@@ -5,7 +5,6 @@ on:
  branches:
  - stable
  - dev
- - 420
  pull_request:
  branches:
  - dev # No need for stable-pull-request, as that equals dev-push

README.md

@@ -4,7 +4,7 @@
 
 Release version: [4.20c](https://github.com/AFLplusplus/AFLplusplus/releases)
 
-GitHub version: 4.20c
+GitHub version: 4.21a
 
 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)

afl-cmin

@@ -13,7 +13,7 @@ awk -f - -- ${@+"$@"} <<'EOF'
 # awk script to minimize a test corpus of input files
 #
 # based on afl-cmin bash script written by Michal Zalewski
-# rewritten by Heiko Eißfeldt (hexcoder-)
+# rewritten by Heiko Eissfeldt (hexcoder-)
 # tested with:
 # gnu awk (x86 Linux)
 # bsd awk (x86 *BSD)
@@ -603,8 +603,8 @@ BEGIN {
  # create path for the trace file from afl-showmap
  tracefile_path = trace_dir"/"fn
  # ensure the file size is not zero
- cmd = "du -b "tracefile_path
- "ls -l "tracefile_path
+ cmd = "du -b \""tracefile_path"\""
+ # "ls -l \""tracefile_path"\""
  cmd | getline output
  close(cmd)
  split(output, result, "\t")

afl-cmin.bash

@@ -152,6 +152,7 @@ Minimization settings:
  -e - solve for edge coverage only, ignore hit counts
 
 For additional tips, please consult README.md.
+This script cannot read filenames that end with a space ' '.
 
 Environment variables used:
 AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory

docs/Changelog.md

@@ -3,6 +3,18 @@
  This is the list of all noteworthy changes made in every public
  release of the tool. See README.md for the general instruction manual.
 
+### Version ++4.21a (dev)
+ * afl-fuzz
+ - fix AFL_PERSISTENT_RECORD
+ - prevent filenames in the queue that have spaces
+ - minor fix for FAST schedules
+ * afl-cc:
+ - fixes for LTO and outdated afl-gcc mode
+ - ensure shared memory variables are visible in weird build setups
+ * afl-cmin
+ - work with input files that have a space
+
+
 ### Version ++4.20c (release)
  ! A new forkserver communication model is now introduced. afl-fuzz is
  backward compatible to old compiled targets if they are not built

include/afl-as.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/afl-prealloc.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/alloc-inl.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/cmplog.h

@@ -7,7 +7,7 @@
  Forkserver design by Jann Horn <[email protected]>
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/common.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/config.h

@@ -26,7 +26,7 @@
 /* Version string: */
 
 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.20c"
+#define VERSION "++4.21a"
 
 /******************************************************
  * *

include/debug.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/forkserver.h

@@ -7,7 +7,7 @@
  Forkserver design by Jann Horn <[email protected]>
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>>
 

include/list.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/sharedmem.h

@@ -7,7 +7,7 @@
  Forkserver design by Jann Horn <[email protected]>
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/snapshot-inl.h

@@ -7,7 +7,7 @@
  Forkserver design by Jann Horn <[email protected]>
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

include/types.h

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]>,
+ Heiko Eissfeldt <[email protected]>,
  Andrea Fioraldi <[email protected]>,
  Dominik Maier <[email protected]>
 

instrumentation/SanitizerCoverageLTO.so.cc

@@ -341,7 +341,7 @@ llvmGetPassPluginInfo() {
  using OptimizationLevel = typename PassBuilder::OptimizationLevel;
 #endif
 #if LLVM_VERSION_MAJOR >= 15
- PB.registerFullLinkTimeOptimizationEarlyEPCallback(
+ PB.registerFullLinkTimeOptimizationLastEPCallback(
 #else
  PB.registerOptimizerLastEPCallback(
 #endif

instrumentation/split-compares-pass.so.cc

@@ -1,7 +1,7 @@
 /*
  * Copyright 2016 laf-intel
- * extended for floating point by Heiko Eißfeldt
- * adapted to new pass manager by Heiko Eißfeldt
+ * extended for floating point by Heiko Eissfeldt
+ * adapted to new pass manager by Heiko Eissfeldt
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/afl-analyze.c

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]> and
+ Heiko Eissfeldt <[email protected]> and
  Andrea Fioraldi <[email protected]>
 
  Copyright 2016, 2017 Google Inc. All rights reserved.

src/afl-as.c

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]> and
+ Heiko Eissfeldt <[email protected]> and
  Andrea Fioraldi <[email protected]>
 
  Copyright 2016, 2017 Google Inc. All rights reserved.

src/afl-cc.c

@@ -17,6 +17,10 @@
 
 #define AFL_MAIN
 
+#ifndef _GNU_SOURCE
+ #define _GNU_SOURCE 1
+#endif
+
 #include "common.h"
 #include "config.h"
 #include "types.h"
@@ -32,7 +36,9 @@
 #include <limits.h>
 #include <assert.h>
 #include <ctype.h>
+#include <fcntl.h>
 #include <sys/stat.h>
+#include <sys/mman.h>
 
 #if (LLVM_MAJOR - 0 == 0)
  #undef LLVM_MAJOR
@@ -464,6 +470,8 @@ u8 *find_object(aflcc_state_t *aflcc, u8 *obj) {
  *slash = 0;
  tmp = alloc_printf("%s/%s", exepath, obj);
 
+ if (aflcc->debug) DEBUGF("Trying %s\n", tmp);
+
  if (!access(tmp, R_OK)) { return tmp; }
 
  ck_free(tmp);
@@ -518,7 +526,7 @@ void find_built_deps(aflcc_state_t *aflcc) {
  char *ptr = NULL;
 
 #if defined(__x86_64__)
- if ((ptr = find_object(aflcc, "as")) != NULL) {
+ if ((ptr = find_object(aflcc, "afl-as")) != NULL) {
 
  #ifndef __APPLE__
  // on OSX clang masquerades as GCC
@@ -1261,13 +1269,8 @@ void mode_final_checkout(aflcc_state_t *aflcc, int argc, char **argv) {
  aflcc->instrument_mode == INSTRUMENT_PCGUARD) {
 
  aflcc->lto_mode = 1;
- // force CFG
- // if (!aflcc->instrument_mode) {
-
  aflcc->instrument_mode = INSTRUMENT_PCGUARD;
 
- // }
-
  } else if (aflcc->instrument_mode == INSTRUMENT_CLASSIC) {
 
  aflcc->lto_mode = 1;
@@ -1583,8 +1586,10 @@ void add_defs_persistent_mode(aflcc_state_t *aflcc) {
  insert_param(aflcc,
  "-D__AFL_FUZZ_INIT()="
  "int __afl_sharedmem_fuzzing = 1;"
- "extern unsigned int *__afl_fuzz_len;"
- "extern unsigned char *__afl_fuzz_ptr;"
+ "extern __attribute__((visibility(\"default\"))) "
+ "unsigned int *__afl_fuzz_len;"
+ "extern __attribute__((visibility(\"default\"))) "
+ "unsigned char *__afl_fuzz_ptr;"
  "unsigned char __afl_fuzz_alt[1048576];"
  "unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;");
 
@@ -2473,13 +2478,60 @@ void add_runtime(aflcc_state_t *aflcc) {
 */
 void add_assembler(aflcc_state_t *aflcc) {
 
- u8 *afl_as = find_object(aflcc, "as");
+ u8 *afl_as = find_object(aflcc, "afl-as");
 
- if (!afl_as) FATAL("Cannot find 'as' (symlink to 'afl-as').");
+ if (!afl_as) FATAL("Cannot find 'afl-as'.");
 
  u8 *slash = strrchr(afl_as, '/');
  if (slash) *slash = 0;
 
+ // Search for 'as' may be unreliable in some cases (see #2058)
+ // so use 'afl-as' instead, because 'as' is usually a symbolic link,
+ // or can be a renamed copy of 'afl-as' created in the same dir.
+ // Now we should verify if the compiler can find the 'as' we need.
+
+#define AFL_AS_ERR "(should be a symlink or copy of 'afl-as')"
+
+ u8 *afl_as_dup = alloc_printf("%s/as", afl_as);
+
+ int fd = open(afl_as_dup, O_RDONLY);
+ if (fd < 0) { PFATAL("Unable to open '%s' " AFL_AS_ERR, afl_as_dup); }
+
+ struct stat st;
+ if (fstat(fd, &st) < 0) {
+
+ PFATAL("Unable to fstat '%s' " AFL_AS_ERR, afl_as_dup);
+
+ }
+
+ u32 f_len = st.st_size;
+
+ u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (f_data == MAP_FAILED) {
+
+ PFATAL("Unable to mmap file '%s' " AFL_AS_ERR, afl_as_dup);
+
+ }
+
+ close(fd);
+
+ // "AFL_AS" is a const str passed to getenv in afl-as.c
+ if (!memmem(f_data, f_len, "AFL_AS", strlen("AFL_AS") + 1)) {
+
+ FATAL(
+ "Looks like '%s' is not a valid symlink or copy of '%s/afl-as'. "
+ "It is a prerequisite to override system-wide 'as' for "
+ "instrumentation.",
+ afl_as_dup, afl_as);
+
+ }
+
+ if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); }
+
+ ck_free(afl_as_dup);
+
+#undef AFL_AS_ERR
+
  insert_param(aflcc, "-B");
  insert_param(aflcc, afl_as);
 

src/afl-common.c

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]> and
+ Heiko Eissfeldt <[email protected]> and
  Andrea Fioraldi <[email protected]>
 
  Copyright 2016, 2017 Google Inc. All rights reserved.

src/afl-forkserver.c

@@ -7,7 +7,7 @@
  Forkserver design by Jann Horn <[email protected]>
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]> and
+ Heiko Eissfeldt <[email protected]> and
  Andrea Fioraldi <[email protected]> and
  Dominik Maier <[email protected]>
 
@@ -27,6 +27,9 @@
  */
 
 #include "config.h"
+#ifdef AFL_PERSISTENT_RECORD
+ #include "afl-fuzz.h"
+#endif
 #include "types.h"
 #include "debug.h"
 #include "common.h"
@@ -2078,10 +2081,13 @@ store_persistent_record: {
  u32 len = fsrv->persistent_record_len[entry];
  if (likely(len && data)) {
 
- snprintf(fn, sizeof(fn), persistent_out_fmt, fsrv->persistent_record_dir,
- fsrv->persistent_record_cnt, writecnt++,
- afl->file_extension ? "." : "",
- afl->file_extension ? (const char *)afl->file_extension : "");
+ snprintf(
+ fn, sizeof(fn), persistent_out_fmt, fsrv->persistent_record_dir,
+ fsrv->persistent_record_cnt, writecnt++,
+ ((afl_state_t *)(fsrv->afl_ptr))->file_extension ? "." : "",
+ ((afl_state_t *)(fsrv->afl_ptr))->file_extension
+ ? (const char *)((afl_state_t *)(fsrv->afl_ptr))->file_extension
+ : "");
  int fd = open(fn, O_CREAT | O_TRUNC | O_WRONLY, 0644);
  if (fd >= 0) {
 

src/afl-fuzz-bitmap.c

@@ -5,7 +5,7 @@
  Originally written by Michal Zalewski
 
  Now maintained by Marc Heuse <[email protected]>,
- Heiko Eißfeldt <[email protected]> and
+ Heiko Eissfeldt <[email protected]> and
  Andrea Fioraldi <[email protected]>
 
  Copyright 2016, 2017 Google Inc. All rights reserved.