From 6b2388095ed6e07fa3c11fc7270e77cbec61587a Mon Sep 17 00:00:00 2001 From: Thomas HUET Date: Wed, 3 Aug 2016 20:19:14 +0200 Subject: [PATCH] 2.25b --- Makefile | 2 +- config.h | 2 +- docs/ChangeLog | 7 +++++++ docs/env_variables.txt | 2 +- libdislocator.so.c | 44 +++++++++++++++++++++++++++--------------- 5 files changed, 38 insertions(+), 19 deletions(-) diff --git a/Makefile b/Makefile index 680752c8..c3fa8617 100644 --- a/Makefile +++ b/Makefile @@ -86,7 +86,7 @@ afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) libdislocator.so: libdislocator.so.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) -shared $@.c -o $@ $(LDFLAGS) + $(CC) $(CFLAGS) -shared -fPIC $@.c -o $@ $(LDFLAGS) ifndef AFL_NO_X86 diff --git a/config.h b/config.h index ed56d60d..e4932085 100644 --- a/config.h +++ b/config.h @@ -21,7 +21,7 @@ /* Version string: */ -#define VERSION "2.24b" +#define VERSION "2.25b" /****************************************************** * * diff --git a/docs/ChangeLog b/docs/ChangeLog index d046f0e0..26518896 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -16,6 +16,13 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.21b. If you're stuck on an earlier release, it's strongly advisable to get on with the times. +-------------- +Version 2.25b: +-------------- + + - Made some cosmetic updates to libdislocator.so, renamed one env + variable. + -------------- Version 2.24b: -------------- diff --git a/docs/env_variables.txt b/docs/env_variables.txt index 7777b933..ea4875e0 100644 --- a/docs/env_variables.txt +++ b/docs/env_variables.txt 
@@ -193,7 +193,7 @@ The library honors three environmental variables: library, in megabytes. The default value is 1 GB. Once this is exceeded, allocations will return NULL. - - AFL_LD_LIMIT_HARD alters the behavior by calling abort() on excessive + - AFL_LD_HARD_FAIL alters the behavior by calling abort() on excessive allocations, thus causing what AFL would perceive as a crash. Useful for programs that are supposed to maintain a specific memory footprint. diff --git a/libdislocator.so.c b/libdislocator.so.c index 27c009c8..de162567 100644 --- a/libdislocator.so.c +++ b/libdislocator.so.c @@ -35,7 +35,7 @@ - It checks for calloc() overflows and can cause soft or hard failures of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, - AFL_LD_HARD_LIMIT). + AFL_LD_HARD_FAIL). Basically, it is inspired by some of the non-default options available for the OpenBSD allocator - see malloc.conf(5) on that platform for @@ -49,7 +49,7 @@ The allocator is slow and memory-intensive (even the tiniest allocation uses up 4 kB of physical memory and 8 kB of virtual mem), making it - completely unsuitable for "production" uses; but it is faster and more + completely unsuitable for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN when fuzzing small, self-contained binaries. To use this library, run AFL like so: @@ -57,7 +57,8 @@ AFL_LD_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...] You *have* to specify path, even if it's just ./libdislocator.so or - $PWD/libdislocator.so. + $PWD/libdislocator.so. On MacOS X, you may have to use DYLD_INSERT_LIBRARIES + instead of LD_PRELOAD. Similarly to afl-tmin, the library is not "proprietary" and can be used with other fuzzers or testing tools without the need for any code 
@@ -85,15 +86,21 @@
 #define DEBUGF(_x...) do { \
 if (alloc_verbose) { \
- fprintf(stderr, "[AFL] " _x); \
- fprintf(stderr, "\n"); \
+ if (++call_depth == 1) { \
+ fprintf(stderr, "[AFL] " _x); \
+ fprintf(stderr, "\n"); \
+ } \
+ call_depth--; \
 } \
 } while (0)
 #define FATAL(_x...) do { \
- fprintf(stderr, "*** [AFL] " _x); \
- fprintf(stderr, " ***\n"); \
- abort(); \
+ if (++call_depth == 1) { \
+ fprintf(stderr, "*** [AFL] " _x); \
+ fprintf(stderr, " ***\n"); \
+ abort(); \
+ } \
+ call_depth--; \
 } while (0)
 /* Macro to count the number of pages needed to store a buffer: */
@@ -112,9 +119,11 @@
 static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */
 static u8 alloc_verbose, /* Additional debug messages */
- hard_limit; /* abort() when max_mem exceeded? */
+ hard_fail; /* abort() when max_mem exceeded? */
+
+static __thread size_t total_mem; /* Currently allocated mem */
-static __thread u64 total_mem; /* Currently allocated mem */
+static __thread u32 call_depth;
 /* This is the main alloc function. It allocates one page more than necessary,
 sets that tailing page to PROT_NONE, and then increments the return address
@@ -127,7 +136,7 @@ static void* __dislocator_alloc(size_t len) {
 if (total_mem + len > max_mem) {
- if (hard_limit)
+ if (hard_fail)
 FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024);
 DEBUGF("total allocs exceed %u MB, returning NULL",
@@ -145,7 +154,10 @@ static void* __dislocator_alloc(size_t len) {
 if (ret == (void*)-1) {
- DEBUGF("mmap() failed when allocating memory (OOM?)");
+ if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");
+
+ DEBUGF("mmap() failed on alloc (OOM?)");
+
 return NULL;
 }
@@ -190,7 +202,7 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
 ret = __dislocator_alloc(len);
- DEBUGF("calloc(%zu, %zu) = %p [%llu total]", elem_len, elem_cnt, ret,
+ DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
 total_mem);
 return ret;
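Review bot: FATAL() no longer guarantees termination: when it is entered at call_depth > 1 the whole body is skipped, abort() never runs and control falls through, so a nested allocation that exceeds max_mem and reaches `if (hard_fail) FATAL(...)` in the -127 hunk silently returns NULL instead of producing the crash that AFL_LD_HARD_FAIL is documented to cause. Only the two fprintf() calls need the reentrancy guard; move `abort();` after the closing brace of the `if (++call_depth == 1)` block so it runs unconditionally, at which point the trailing `call_depth--;` in FATAL is unreachable and can be dropped. The same fall-through applies to the new `if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");` in the -145 hunk. Whether a DEBUGF at depth 1 can trigger a nested allocation depends on the libc's stderr handling, so that path is inferred rather than visible here.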
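Review bot: With total_mem now a size_t (-112 hunk), `total_mem + len > max_mem` in __dislocator_alloc can wrap on a 32-bit build where size_t is 32 bits, so a request of roughly 4 GB passes the limit check and only fails later in mmap(), reaching the wrong diagnostic; the u64 it replaces had the same wrap in principle but needed an unreachable request size on 64-bit. An overflow-safe form is `if (len > max_mem || total_mem > max_mem - len)`, which relies only on both operands being unsigned. The function's body, including where total_mem is updated, continues outside the hunk.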
@@ -208,7 +220,7 @@ void* malloc(size_t len) {
 ret = __dislocator_alloc(len);
- DEBUGF("malloc(%zu) = %p [%llu total]", len, ret, total_mem);
+ DEBUGF("malloc(%zu) = %p [%zu total]", len, ret, total_mem);
 if (ret && len) memset(ret, ALLOC_CLOBBER, len);
@@ -266,7 +278,7 @@ void* realloc(void* ptr, size_t len) {
 }
- DEBUGF("realloc(%p, %zu) = %p [%llu total]", ptr, len, ret, total_mem);
+ DEBUGF("realloc(%p, %zu) = %p [%zu total]", ptr, len, ret, total_mem);
 return ret;
@@ -285,6 +297,6 @@ __attribute__((constructor)) void __dislocator_init(void) {
 }
 alloc_verbose = !!getenv("AFL_LD_VERBOSE");
- hard_limit = !!getenv("AFL_LD_HARD_LIMIT");
+ hard_fail = !!getenv("AFL_LD_HARD_FAIL");
 }
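Review bot: The rename from AFL_LD_HARD_LIMIT to AFL_LD_HARD_FAIL in __dislocator_init silently changes behaviour for existing harnesses: a setup that still exports the old name now gets soft NULL returns instead of the abort() that AFL reports as a crash, so memory-limit violations stop being detected with no warning. The docs hunk shows the old name was already inconsistent (docs said AFL_LD_LIMIT_HARD, code checked AFL_LD_HARD_LIMIT), which argues for honouring both during a transition, `hard_fail = !!getenv("AFL_LD_HARD_FAIL") || !!getenv("AFL_LD_HARD_LIMIT");`, with a DEBUGF noting the deprecated name. Failing that, the ChangeLog entry should name both variables rather than "renamed one env variable".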