2.05b

legend-issue · Mar 2, 2016 · e30e998 · e30e998
1 parent 418e426
commit e30e998
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 23 deletions.
diff --git a/Makefile b/Makefile
@@ -14,15 +14,15 @@
 #
 
 PROGNAME    = afl
-VERSION     = 2.04b
+VERSION     = 2.05b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin
 HELPER_PATH = $(PREFIX)/lib/afl
 DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
 
-# PROGS intentionally omit afl-as, which gets installed elsewhere.
+# PROGS intentionally omit afl-as, which gets installed to its own dir.
 
 PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
 SH_PROGS    = afl-plot afl-cmin afl-whatsup

diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -16,6 +16,13 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.03b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.05b:
+--------------
+
+  - Put __sanitizer_cov_module_init & co behind #ifdef to avoid problems
+    with ASAN. Spotted by Christian Holler.
+
 --------------
 Version 2.04b:
 --------------

diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt
@@ -249,3 +249,11 @@ Support for selective instrumentation (Christian Holler)
 --------------------------------------------------------
 
   https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
+
+Kernel fuzzing (Dmitry Vyukov)
+------------------------------
+
+  A similar guided approach as applied to fuzzing syscalls:
+
+  https://github.com/google/syzkaller/wiki/Found-Bugs
+  https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
@@ -203,12 +203,17 @@ void __afl_manual_init(void) {
 }
 
 
+static void __afl_trace_pc_init(void);
+
+
 /* Proper initialization routine. */
 
 __attribute__((constructor(0))) void __afl_auto_init(void) {
 
   is_persistent = !!getenv(PERSIST_ENV_VAR);
 
+  __afl_trace_pc_init();
+
   if (getenv(DEFER_ENV_VAR)) return;
 
   __afl_manual_init();
@@ -249,29 +254,11 @@ void __sanitizer_cov_trace_pc(void) {
 }
 
 
-/* Same deal, but for indirect calls. */
-
-void __sanitizer_cov_trace_pc_indir(void* dummy) {
-
-  u32 cur = ((u32)__builtin_return_address(0)) & MIN(4095, MAP_SIZE - 1);
-
-  if (cur > inst_ratio_scaled) return;
-
-  __afl_area_ptr[cur ^ __afl_prev_loc]++;
-
-#if MAP_SIZE_POW2 > 12
-  __afl_prev_loc = cur << (MAP_SIZE_POW2 - 12);
-#else
-  __afl_prev_loc = cur >> 1;
-#endif /* ^MAP_SIZE_POW2 > 12 */
-
-}
-
-
 /* Init callback. Unfortunately, LLVM does not support compile-time
-   instrumentation density scaling, at least not just yet. */
+   instrumentation density scaling, at least not just yet. This means
+   taking some performance hit by checking inst_ratio_scaled at runtime. */
 
-void __sanitizer_cov_module_init(void) {
+static void __afl_trace_pc_init(void) {
 
   u8* x = getenv("AFL_INST_RATIO");
 
@@ -288,3 +275,9 @@ void __sanitizer_cov_module_init(void) {
 
 }
 
+
+/* Work around a short-lived bug in LLVM with -fsanitize-coverage=trace-pc. */
+
+void __sanitizer_cov_module_init(void) __attribute__((weak));
+void __sanitizer_cov_module_init(void) { }
+