diff --git a/afl-as.c b/afl-as.c
index 7686fe8a..b15e651f 100644
--- a/afl-as.c
+++ b/afl-as.c
@@ -56,7 +56,8 @@ static u8* modified_file; /* Instrumented file for the real 'as' */
 static u8 be_quiet, /* Quiet mode (no stderr output) */
 clang_mode, /* Running in clang mode? */
 pass_thru, /* Just pass data through? */
- just_version; /* Just show version? */
+ just_version, /* Just show version? */
+ sanitizer; /* Using ASAN / MSAN */
 static u32 inst_ratio = 100, /* Instrumentation probability (%) */
 as_par_cnt = 1; /* Number of params to 'as' */
@@ -454,7 +455,8 @@ static void add_instrumentation(void) {
 pass_thru ? " (pass-thru mode)" : "");
 else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).",
 ins_lines, use_64bit ? "64" : "32",
- getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
+ getenv("AFL_HARDEN") ? "hardened" :
+ (sanitizer ? "ASAN/MSAN" : "non-hardened"),
 inst_ratio);
 }
@@ -521,7 +523,10 @@ int main(int argc, char** argv) {
 ASAN-specific branches. But we can probabilistically compensate for
 that... */
- if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) inst_ratio /= 3;
+ if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) {
+ sanitizer = 1;
+ inst_ratio /= 3;
+ }
 if (!just_version) add_instrumentation();
diff --git a/afl-showmap.c b/afl-showmap.c
index 4b81862a..789082ff 100644
--- a/afl-showmap.c
+++ b/afl-showmap.c
@@ -64,7 +64,8 @@ static s32 shm_id; /* ID of the SHM region */
 static u8 quiet_mode, /* Hide non-essential messages? */
 edges_only, /* Ignore hit counts? */
 cmin_mode, /* Generate output in afl-cmin mode? */
- binary_mode; /* Write output as a binary map */
+ binary_mode, /* Write output as a binary map */
+ keep_cores; /* Allow coredumps? */
 static volatile u8 stop_soon, /* Ctrl-C pressed? */
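Review bot: The three-way mode label is now a ternary nested inside the OKF() argument list, in the `add_instrumentation` hunk here and again in `AFLCoverage::runOnModule` in llvm_mode/afl-llvm-pass.so.cc, where it additionally embeds two getenv() calls in the format arguments. Hoisting it into a named local reads better and keeps the format call flat: `const char* mode = getenv("AFL_HARDEN") ? "hardened" : (sanitizer ? "ASAN/MSAN" : "non-hardened");` and then `mode` in place of the expression. Note that when both AFL_HARDEN and AFL_USE_ASAN/MSAN are set the label reports only "hardened" although the ratio reduction from the sanitizer branch still applies, so the message under-reports what was done; a comment on the local, `/* AFL_HARDEN wins the label even when a sanitizer is also on. */`, would at least make that explicit. add_instrumentation's body starts before and continues after this hunk.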
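Review bot: In the main() hunk of afl-as.c the sanitizer branch still does an integer `inst_ratio /= 3;`, so a caller-supplied ratio of 1 or 2 (AFL_INST_RATIO is parsed outside this hunk, so I am inferring that it can be set that low) becomes 0 and instrumentation is silently switched off, while a deliberate 0 should stay 0. Flooring the reduced value would preserve both intents: `if (inst_ratio > 3) inst_ratio /= 3;` followed by `else if (inst_ratio) inst_ratio = 1;`. If the division is kept as is, a comment such as `/* ratios below 3 collapse to 0 here: no instrumentation at all */` should sit next to it so the behaviour is not rediscovered the hard way. main() starts before and continues after this hunk.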
@@ -285,9 +286,13 @@ static void run_target(char** argv) {
 }
- r.rlim_max = r.rlim_cur = 0;
+ if (keep_cores) r.rlim_max = r.rlim_cur = 0;
+ else r.rlim_max = r.rlim_cur = RLIM_INFINITY;
+
 setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
+ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
+
 execv(target_path, argv);
 *(u32*)trace_bits = EXEC_FAIL_SIG;
@@ -479,7 +484,8 @@ static void usage(u8* argv0) {
 "Other settings:\n\n"
 " -q - sink program's output and don't show messages\n"
- " -e - show edge coverage only, ignore hit counts\n\n"
+ " -e - show edge coverage only, ignore hit counts\n"
+ " -c - allow core dumps\n\n"
 "This tool displays raw tuple data captured by AFL instrumentation.\n"
 "For additional help, consult %s/README.\n\n" cRST,
@@ -614,7 +620,7 @@ int main(int argc, char** argv) {
 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
- while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQb")) > 0)
+ while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQbc")) > 0)
 switch (opt) {
@@ -719,6 +725,12 @@ int main(int argc, char** argv) {
 binary_mode = 1;
 break;
+ case 'c':
+
+ if (keep_cores) FATAL("Multiple -c options not supported");
+ keep_cores = 1;
+ break;
+
 default: usage(argv[0]);
diff --git a/config.h b/config.h
index c51e0528..319fd162 100644
--- a/config.h
+++ b/config.h
@@ -21,7 +21,7 @@
 /* Version string: */
-#define VERSION "2.43b"
+#define VERSION "2.44b"
 /******************************************************
 * *
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 0df03c35..17f7d74e 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
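Review bot: The new RLIMIT_CORE branch in run_target is inverted: when `-c` is given (`keep_cores` set) it assigns `r.rlim_max = r.rlim_cur = 0`, the value that suppresses core dumps, while every ordinary run without `-c` now gets RLIM_INFINITY, so the option does the opposite of what the `-c - allow core dumps` usage text in the next hunk promises and each crash in a default run leaves a core file behind in the working directory. The condition should read `if (!keep_cores) r.rlim_max = r.rlim_cur = 0;` with the `else` branch as written. A short comment on the pair, `/* Default: no core files; -c lifts the limit for post-mortem analysis. */`, would make the intent checkable at a glance. run_target starts before and continues after this hunk, so the declaration and earlier use of `r` are not visible here.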
@@ -16,6 +16,21 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.41b. If you're stuck on an earlier release, it's strongly advisable to get on with the times.
+--------------
+Version 2.44b:
+--------------
+
+ - Added a visual indicator of ASAN / MSAN mode when compiling. Requested
+ by Jakub Wilk.
+
+ - Added support for afl-showmap coredumps (-c). Suggested by Jakub Wilk.
+
+ - Added LD_BIND_NOW=1 for afl-showmap by default. Although not really useful,
+ it reportedly helps reproduce some crashes. Suggested by Jakub Wilk.
+
+ - Added a note about allocator_may_return_null=1 not always working with
+ ASAN. Spotted by Jakub Wilk.
+
 --------------
 Version 2.43b:
 --------------
diff --git a/docs/notes_for_asan.txt b/docs/notes_for_asan.txt
index dff89ba6..972ca909 100644
--- a/docs/notes_for_asan.txt
+++ b/docs/notes_for_asan.txt
@@ -113,7 +113,23 @@ emulation, so please do not try to use them with the -Q option; QEMU doesn't seem to appreciate the shadow VM trick used by these tools, and will likely just allocate all your physical memory, then crash.
-4) What about UBSAN?
+4) ASAN and OOM crashes
+-----------------------
+
+By default, ASAN treats memory allocation failures as fatal errors, immediately
+causing the program to crash. Since this is a departure from normal POSIX
+semantics (and creates the appearance of security issues in otherwise
+properly-behaving programs), we try to disable this by specifying
+allocator_may_return_null=1 in ASAN_OPTIONS.
+
+Unfortunately, it's been reported that this setting still causes ASAN to
+trigger phantom crashes in situations where the standard allocator would
+simply return NULL. If this is interfering with your fuzzing jobs, you may
+want to cc: yourself on this bug:
+
+ https://bugs.llvm.org/show_bug.cgi?id=22026
+
+5) What about UBSAN?
 --------------------
 Some folks expressed interest in fuzzing with UBSAN. This isn't officially
diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc
index 7fac3def..04f3ec48 100644
--- a/llvm_mode/afl-llvm-pass.so.cc
+++ b/llvm_mode/afl-llvm-pass.so.cc
@@ -159,9 +159,9 @@ bool AFLCoverage::runOnModule(Module &M) {
 if (!inst_blocks) WARNF("No instrumentation targets found.");
 else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
- inst_blocks,
- getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
- inst_ratio);
+ inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
+ ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
+ "ASAN/MSAN" : "non-hardened"), inst_ratio);
 }