diff --git a/Makefile b/Makefile
index 8416634b..e75edc0b 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@
 #

 PROGNAME = afl
-VERSION = 2.03b
+VERSION = 2.04b

 PREFIX ?= /usr/local
 BIN_PATH = $(PREFIX)/bin
diff --git a/afl-analyze.c b/afl-analyze.c
index bf6248e2..2c27a51e 100644
--- a/afl-analyze.c
+++ b/afl-analyze.c
@@ -707,6 +707,8 @@ static void set_up_environment(void) {

 setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
 "symbolize=0:"
+ "abort_on_error=1:"
+ "allocator_may_return_null=1:"
 "msan_track_origins=0", 0);

 if (getenv("AFL_LD_PRELOAD"))
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 22e1ce5e..d0d59ea8 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -1942,6 +1942,8 @@ static void init_forkserver(char** argv) {

 setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
 "symbolize=0:"
+ "abort_on_error=1:"
+ "allocator_may_return_null=1:"
 "msan_track_origins=0", 0);

 execv(target_path, argv);
diff --git a/afl-showmap.c b/afl-showmap.c
index 04dc7e09..2cc3b783 100644
--- a/afl-showmap.c
+++ b/afl-showmap.c
@@ -337,6 +337,8 @@ static void set_up_environment(void) {

 setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
 "symbolize=0:"
+ "abort_on_error=1:"
+ "allocator_may_return_null=1:"
 "msan_track_origins=0", 0);

 if (getenv("AFL_LD_PRELOAD"))
diff --git a/afl-tmin.c b/afl-tmin.c
index 24967ee3..f2ddc6e2 100644
--- a/afl-tmin.c
+++ b/afl-tmin.c
@@ -698,6 +698,8 @@ static void set_up_environment(void) {

 setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
 "symbolize=0:"
+ "abort_on_error=1:"
+ "allocator_may_return_null=1:"
 "msan_track_origins=0", 0);

 if (getenv("AFL_LD_PRELOAD"))
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 308e68fa..9384d5b6 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
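Review bot: `allocator_may_return_null=1` on the new line changes what MSan reports, not only how: an oversized allocation now hands the target a NULL instead of being flagged, so it is only observed if the target later crashes on it, and the hunk records neither that nor that `abort_on_error=1` presumably ends a detected fault with abort() rather than the `exit_code` exit. A comment above the `setenv("MSAN_OPTIONS", ...)` call stating both effects, and that exit_code is kept as the fallback, would save the next reader a trip to the sanitizer docs; the env_variables.txt hunk in this same diff still says MSan "doesn't call abort() on error", which the new flag contradicts and should be reworded. The identical literal is now maintained in four places (here, afl-fuzz.c, afl-showmap.c and afl-tmin.c); a single macro in a shared header would keep the copies from drifting. set_up_environment() begins and ends outside the hunk.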
@@ -16,6 +16,13 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.03b. If you're stuck on an earlier release, it's strongly advisable to get on with the times.

+--------------
+Version 2.04b:
+--------------
+
+ - Removed indirect-calls coverage from -fsanitize-coverage (since it's
+ redundant). Spotted by Kostya Serebryany.
+
 --------------
 Version 2.03b:
 --------------
diff --git a/docs/env_variables.txt b/docs/env_variables.txt
index ebb629c7..22229bf4 100644
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@@ -208,8 +208,11 @@ optimal values if not already present in the environment:

 - In the same vein, by default, MSAN_OPTIONS are set to:

- exit_code=86
+ exit_code=86 (required for legacy reasons)
+ abort_on_error=1
+ symbolize=0
 msan_track_origins=0
+ allocator_may_return_null=1

 Be sure to include the first one when customizing anything, since MSAN
 doesn't call abort() on error, and we need a way to detect faults.
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index a0458c19..b6a64d13 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -120,7 +120,7 @@ static void edit_params(u32 argc, char** argv) {
 http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs */

 #ifdef USE_TRACE_PC
- cc_params[cc_par_cnt++] = "-fsanitize-coverage=bb,indirect-calls,trace-pc";
+ cc_params[cc_par_cnt++] = "-fsanitize-coverage=bb,trace-pc";
 #else
 cc_params[cc_par_cnt++] = "-Xclang";
 cc_params[cc_par_cnt++] = "-load";
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 2d8a89ae..e98b9212 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
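Review bot: Dropping `indirect-calls` from the `-fsanitize-coverage=` string leaves the runtime's `__sanitizer_cov_trace_pc_indir` hook (its definition is visible in the afl-llvm-rt.o.c hunk header further down) presumably without a caller under USE_TRACE_PC, and nothing at this line says why the mode went away or what becomes of that hook. A comment on the new line, `/* indirect-calls omitted: redundant with bb coverage (see ChangeLog 2.04b) */`, would tie the two sides together, and the hook itself could carry a matching note or be retired in a follow-up. edit_params() starts before and ends after this hunk.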
@@ -216,22 +216,21 @@ __attribute__((constructor(0))) void __afl_auto_init(void) {

 }

-/*********************************************
- * Support for -fsanitize-coverage=trace-pc. *
- *********************************************/
+/* The following stuff deals with support for -fsanitize-coverage=bb,trace-pc.
+ It remains non-operational in the traditional, plugin-backed LLVM mode.
+ For more info about 'trace-pc', see README.llvm.

-static u32 inst_ratio_scaled = MIN(4096, MAP_SIZE);
-
-
-/* The first function is called on every basic block. We use the return address
- instead of a randomly-generated token (because LLVM is not giving us one).
- Since ASLR may make addresses vary across runs, we use only the last 12
- bits, which should be stable within a given binary.
+ The first function (__sanitizer_cov_trace_pc) is called back on every
+ basic block. Since LLVM is not giving us any stable IDs for the blocks,
+ we use 12 least significant bits of the return address (which should be
+ stable even with ASLR; more significant bits may vary across runs).

 Since MAP_SIZE is usually larger than 12 bits, we "pad" it by combining
 left-shifted __afl_prev_loc. This gives us a theoretical maximum of 24
- bits (but basic blocks might be aligned, which reduces this number
- somewhat). */
+ bits, although instruction alignment likely reduces this somewhat. */
+
+
+static u32 inst_ratio_scaled = MIN(4096, MAP_SIZE);

 void __sanitizer_cov_trace_pc(void) {

@@ -270,8 +269,7 @@ void __sanitizer_cov_trace_pc_indir(void* dummy) {


 /* Init callback. Unfortunately, LLVM does not support compile-time
- instrumentation density scaling, at least not just yet - so the runtime
- inst_ratio stuff slows us down :-( */
+ instrumentation density scaling, at least not just yet. */

 void __sanitizer_cov_module_init(void) {
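Review bot: `inst_ratio_scaled` is moved below the rewritten block comment, but that comment never mentions it, so the declaration now sits undocumented under a paragraph about return-address hashing. A one-line comment such as `/* Per-block instrumentation density on a 0..4096 scale; presumably set by __sanitizer_cov_module_init() - confirm. */` would be enough; the initializer `MIN(4096, MAP_SIZE)` reads as "instrument everything" only if that is indeed the scale, which the comment should pin down. __sanitizer_cov_trace_pc() begins at the hunk's last lines and continues outside it.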