From bf1be9d02f2f3b618ae44602f4d1075701d04338 Mon Sep 17 00:00:00 2001
From: Thomas HUET
Date: Mon, 10 Aug 2015 05:42:18 +0200
Subject: [PATCH] 1.86b
---
 Makefile | 2 +-
 afl-fuzz.c | 60 ++++++++++++++++++++++++++++------------
 docs/ChangeLog | 12 ++++++++
 docs/README | 1 +
 docs/env_variables.txt | 5 ++++
 docs/notes_for_asan.txt | 13 +++++++++
 docs/sister_projects.txt | 9 +++++-
 7 files changed, 82 insertions(+), 20 deletions(-)
diff --git a/Makefile b/Makefile
index 849ff12b..7d5a29ff 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@
 #
 PROGNAME = afl
-VERSION = 1.85b
+VERSION = 1.86b
 PREFIX ?= /usr/local
 BIN_PATH = $(PREFIX)/bin
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 54e348ac..ad9da19f 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -88,6 +88,7 @@ static u8 skip_deterministic, /* Skip deterministic stages? */
 resuming_fuzz, /* Resuming an older fuzzing job? */
 timeout_given, /* Specific timeout given? */
 not_on_tty, /* stdout is not a tty */
+ term_too_small, /* terminal dimensions too small */
 uses_asan, /* Target uses ASAN? */
 no_forkserver, /* Disable forkserver? */
 crash_mode, /* Crash mode! Yeah! */
@@ -2491,8 +2492,8 @@ static void check_map_coverage(void) {
 static void perform_dry_run(char** argv) {
 struct queue_entry* q = queue;
- u32 id = 0;
 u32 cal_failures = 0;
+ u8* skip_crashes = getenv("AFL_SKIP_CRASHES");
 while (q) {
@@ -2576,6 +2577,13 @@ static void perform_dry_run(char** argv) {
 if (crash_mode) break;
+ if (skip_crashes) {
+ WARNF("Test case results in a crash (skipping)");
+ q->cal_failed = CAL_CHANCES;
+ cal_failures++;
+ break;
+ }
+
 if (mem_limit) {
 SAYF("\n" cLRD "[-] " cRST 
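Review bot: The new `if (skip_crashes) {` branch in perform_dry_run discards a crashing seed without recording which file it was: the warning is generic, the entry is only demoted with `q->cal_failed = CAL_CHANCES`, and nothing is saved to the crashes directory, so a real finding in the input corpus is lost unless the operator reads the log at the right moment. Naming the file would make the skip auditable, e.g. `WARNF("Test case '%s' results in a crash (skipping)", q->fname);` (assuming the queue_entry fname field used elsewhere in afl-fuzz.c). The branch also folds crashes into `cal_failures`, so the summary printed at the end of the dry run can only say "timeouts or crashes" rather than how many of each; a separate crash counter would keep the two reports distinct. The rest of perform_dry_run, including the timeout branch this mirrors, lies outside the hunk.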
@@ -2660,17 +2668,18 @@ static void perform_dry_run(char** argv) {
 if (q->var_behavior) WARNF("Instrumentation output varies across runs.");
 q = q->next;
- id++;
 }
 if (cal_failures) {
 if (cal_failures == queued_paths)
- FATAL("All test cases time out, giving up!");
+ FATAL("All test cases time out%s, giving up!",
+ skip_crashes ? " or crash" : "");
- WARNF("Skipped %u test cases (%0.02f%%) due to timeouts.", cal_failures,
- ((double)cal_failures) * 100 / queued_paths);
+ WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures,
+ ((double)cal_failures) * 100 / queued_paths,
+ skip_crashes ? " or crashes" : "");
 if (cal_failures * 5 > queued_paths)
 WARNF(cLRD "High percentage of rejected test cases, check settings!");
@@ -3605,6 +3614,9 @@ static void maybe_delete_out_dir(void) {
 }
+static void check_term_size(void);
+
+
 /* A spiffy retro stats screen! This is called every stats_update_freq
 execve() calls, plus in several other circumstances. */
@@ -3700,10 +3712,21 @@ static void show_stats(void) {
 SAYF(TERM_CLEAR CURSOR_HIDE);
 clear_screen = 0;
+ check_term_size();
+
 }
 SAYF(TERM_HOME);
+ if (term_too_small) {
+
+ SAYF(cBRI "Your terminal is too small to display the UI.\n"
+ "Please resize terminal window to at least 80x25.\n" cNOR);
+
+ return;
+
+ }
+
 /* Let's start by drawing a centered banner. */
 banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner);
@@ -3916,7 +3939,7 @@ static void show_stats(void) {
 sprintf(tmp, "%s/%s, %s/%s, %s/%s",
 DI(stage_finds[STAGE_FLIP1]), DI(stage_cycles[STAGE_FLIP1]),
- DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP2]),
+ DI(stage_finds[STAGE_FLIP2]), DI(stage_cycles[STAGE_FLIP2]),
 DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP4]));
 }
@@ -6618,9 +6641,9 @@ static void fix_up_banner(u8* name) {
 }
-/* Check terminal dimensions. */
+/* Check if we're on TTY. */
-static void check_terminal(void) {
+static void check_if_tty(void) {
 struct winsize ws; 
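Review bot: The early `return;` inside the new `if (term_too_small)` block near the top of show_stats exits before the remainder of the function runs; show_stats continues well past this hunk, so anything it does after drawing the banner that is not pure screen output (bookkeeping, a trailing flush) would be skipped for as long as the window stays undersized — worth confirming that only UI drawing lives below this point, or placing the check after that work. Separately, `check_term_size()` is only invoked under the `clear_screen` branch, so the flag is refreshed only when a full redraw is already pending; that is fine if a resize always sets clear_screen (presumably a SIGWINCH handler does, but it is not visible here), otherwise a window resized back above 80x25 keeps showing the warning until the next forced redraw. A comment on the call such as `/* re-probe the window size on every forced redraw; a resize is expected to set clear_screen */` would record that assumption for the next reader.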
@@ -6634,19 +6657,20 @@ static void check_terminal(void) {
 return;
 }
- if (ws.ws_row < 25 || ws.ws_col < 80) {
+}
- SAYF("\n" cLRD "[-] " cRST
- "Oops, your terminal window seems to be smaller than 80 x 25 characters.\n"
- " That's not enough for afl-fuzz to correctly draw its fancy ANSI UI!\n\n"
- " Depending on the terminal software you are using, you should be able to\n"
- " resize the window by dragging its edges, or to adjust the dimensions in\n"
- " the settings menu.\n");
+/* Check terminal dimensions after resize. */
- FATAL("Please resize terminal to 80x25 or more");
+static void check_term_size(void) {
- }
+ struct winsize ws;
+
+ term_too_small = 0;
+
+ if (ioctl(1, TIOCGWINSZ, &ws)) return;
+
+ if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1;
 }
@@ -7481,7 +7505,7 @@ int main(int argc, char** argv) {
 fix_up_banner(argv[optind]);
- check_terminal();
+ check_if_tty();
 get_core_count();
 check_crash_handling();
diff --git a/docs/ChangeLog b/docs/ChangeLog
index e3113cb5..e56e8602 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -16,6 +16,18 @@ Not sure if you should upgrade? The lowest currently recommended version is 1.76b. If you're stuck on an earlier release, it's strongly advisable to get on with the times.
+--------------
+Version 1.86b:
+--------------
+
+ - Added support for AFL_SKIP_CRASHES, which is a very hackish solution to
+ the problem of resuming sessions with intermittently crashing inputs.
+
+ - Removed the hard-fail terminal size check, replaced with a dynamic
+ warning shown in place of the UI. Based on feedback from Christian Holler.
+
+ - Fixed a minor typo in show_stats. Spotted by Dingbao Xie.
+
 --------------
 Version 1.85b:
 --------------
diff --git a/docs/README b/docs/README
index 724d159f..f0a5ae04 100644
--- a/docs/README
+++ b/docs/README
@@ -427,6 +427,7 @@ bug reports, or patches from: Keegan McAllister Kostya Serebryany Richo Healey Martijn Bogaard rc0r Jonathan Foote
+ Christian Holler
 Thank you! 
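Review bot: The 25/80 threshold in the new `check_term_size()` is now written as bare literals here and repeated in the user-facing text in show_stats ("at least 80x25"), so the check and the message can drift apart if either is tuned; a pair of named constants (e.g. `MIN_TERM_ROWS` / `MIN_TERM_COLS`) used in both places would keep them in step. The function also clears `term_too_small` and returns when the ioctl fails, which silently treats an unanswerable query (for example stdout not being a terminal) as "large enough"; that is reasonable because not_on_tty is handled separately, but it deserves a comment such as `/* ioctl failure (e.g. no tty) leaves term_too_small clear; not_on_tty covers that case */`. A short header comment noting that this runs on every forced redraw, and is therefore kept to a single ioctl, would also help the next reader. The beginning of check_if_tty, to which the first context lines of this hunk belong, is outside the hunk.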
diff --git a/docs/env_variables.txt b/docs/env_variables.txt
index 69d38b48..edf4b972 100644
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@@ -107,6 +107,11 @@ checks or alter some of the more exotic semantics of the tool: normally indicated by the cycle counter in the UI turning green. May be convenient for some types of automated jobs.
+ - AFL_SKIP_CRASHES causes AFL to tolerate crashing files in the input
+ queue. This can help with rare situations where a program crashes only
+ intermittently, but it's not really recommended under normal operating
+ conditions.
+
 - When developing custom instrumentation on top of afl-fuzz, you can use AFL_SKIP_BIN_CHECK to inhibit the checks for non-instrumented binaries and shell scripts; and AFL_DUMB_FORKSRV in conjunction with the -n
diff --git a/docs/notes_for_asan.txt b/docs/notes_for_asan.txt
index 60bd5a42..42d48879 100644
--- a/docs/notes_for_asan.txt
+++ b/docs/notes_for_asan.txt
@@ -109,3 +109,16 @@ ASAN, MSAN, and other sanitizers appear to be incompatible with QEMU user emulation, so please do not try to use them with the -Q option; QEMU doesn't seem to appreciate the shadow VM trick used by these tools, and will likely just allocate all your physical memory, then crash.
+
+4) What about UBSAN?
+--------------------
+
+Some folks expressed interest in fuzzing with UBSAN. This isn't officially
+supported, because many installations of UBSAN don't offer a consistent way
+to abort() on fault conditions or to terminate with a distinctive exit code.
+
+That said, some versions of the library can be binary-patched to address this
+issue, while newer releases support explicit compile-time flags - see this
+mailing list thread for tips:
+
+ https://groups.google.com/forum/#!topic/afl-users/GyeSBJt4M38
diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt
index 6ca4f445..aa38ed38 100644
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@@ -21,7 +21,7 @@ Python AFL (Jakub Wilk)
 Go-fuzz (Dmitry Vyukov)
 -----------------------
- AFL-style guided fuzzing approach for Go targets:
+ AFL-inspired guided fuzzing approach for Go targets:
 https://github.com/dvyukov/go-fuzz
@@ -154,6 +154,13 @@ RecidiVM (Jakub Wilk)
 Narrow-purpose or experimental:
 -------------------------------
+Pause and resume scripts (Ben Nagy)
+-----------------------------------
+
+ Simple automation to suspend and resume groups of fuzzing jobs.
+
+ https://gist.github.com/bnagy/8f0eb29eb125653f73fd
+
 Static binary-only instrumentation (Aleksandar Nikolich)
 --------------------------------------------------------