diff --git a/Makefile b/Makefile index e75edc0b..4075e951 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 2.04b +VERSION = 2.05b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin @@ -22,7 +22,7 @@ HELPER_PATH = $(PREFIX)/lib/afl DOC_PATH = $(PREFIX)/share/doc/afl MISC_PATH = $(PREFIX)/share/afl -# PROGS intentionally omit afl-as, which gets installed elsewhere. +# PROGS intentionally omit afl-as, which gets installed to its own dir. PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze SH_PROGS = afl-plot afl-cmin afl-whatsup diff --git a/docs/ChangeLog b/docs/ChangeLog index 9384d5b6..4b370bb8 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -16,6 +16,13 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.03b. If you're stuck on an earlier release, it's strongly advisable to get on with the times. +-------------- +Version 2.05b: +-------------- + + - Put __sanitizer_cov_module_init & co behind #ifdef to avoid problems + with ASAN. Spotted by Christian Holler. + -------------- Version 2.04b: -------------- diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt index 680b421f..b0d4d310 100644 --- a/docs/sister_projects.txt +++ b/docs/sister_projects.txt @@ -249,3 +249,11 @@ Support for selective instrumentation (Christian Holler) -------------------------------------------------------- https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt + +Kernel fuzzing (Dmitry Vyukov) +------------------------------ + + A similar guided approach as applied to fuzzing syscalls: + + https://github.com/google/syzkaller/wiki/Found-Bugs + https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931 diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index e98b9212..8f3f303d 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -203,12 +203,17 @@ void __afl_manual_init(void) {
 }
+static void __afl_trace_pc_init(void);
+
+
 /* Proper initialization routine. */
 __attribute__((constructor(0))) void __afl_auto_init(void) {
 is_persistent = !!getenv(PERSIST_ENV_VAR);
+ __afl_trace_pc_init();
+
 if (getenv(DEFER_ENV_VAR)) return;
 __afl_manual_init();
@@ -249,29 +254,11 @@ void __sanitizer_cov_trace_pc(void) {
 }
-/* Same deal, but for indirect calls. */
-
-void __sanitizer_cov_trace_pc_indir(void* dummy) {
-
- u32 cur = ((u32)__builtin_return_address(0)) & MIN(4095, MAP_SIZE - 1);
-
- if (cur > inst_ratio_scaled) return;
-
- __afl_area_ptr[cur ^ __afl_prev_loc]++;
-
-#if MAP_SIZE_POW2 > 12
- __afl_prev_loc = cur << (MAP_SIZE_POW2 - 12);
-#else
- __afl_prev_loc = cur >> 1;
-#endif /* ^MAP_SIZE_POW2 > 12 */
-
-}
-
-
 /* Init callback. Unfortunately, LLVM does not support compile-time
- instrumentation density scaling, at least not just yet. */
+ instrumentation density scaling, at least not just yet. This means
+ taking some performance hit by checking inst_ratio_scaled at runtime. */
-void __sanitizer_cov_module_init(void) {
+static void __afl_trace_pc_init(void) {
 u8* x = getenv("AFL_INST_RATIO");
@@ -288,3 +275,9 @@ void __sanitizer_cov_module_init(void) {
 }
+
+/* Work around a short-lived bug in LLVM with -fsanitize-coverage=trace-pc. */
+
+void __sanitizer_cov_module_init(void) __attribute__((weak));
+void __sanitizer_cov_module_init(void) { }
+
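Review bot: The new `__afl_trace_pc_init();` call in `__afl_auto_init` is placed above the `DEFER_ENV_VAR` early return with nothing saying the placement is deliberate, so a later edit could easily move it down next to `__afl_manual_init()` and silently stop scaling the instrumentation ratio in deferred mode. A one-line comment such as `/* Deliberately ahead of the deferred-init check: this only reads AFL_INST_RATIO. */` would pin that down; the "only reads AFL_INST_RATIO" half is inferred from the part of `__afl_trace_pc_init` visible in the next hunk, so confirm it against the rest of that body, which lies outside the diff. `__afl_auto_init`'s body also continues past this hunk.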
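Review bot: Removing `__sanitizer_cov_trace_pc_indir` deletes the only definition of a symbol that the sanitizer-coverage instrumentation may still emit calls to; if a target is compiled with the indirect-call flavour of `-fsanitize-coverage` alongside `trace-pc`, linking against this runtime would presumably fail with an undefined reference rather than just losing that coverage, and neither the hunk nor the ChangeLog entry in this commit says so. A short comment where the function used to be, e.g. `/* Indirect-call tracing is not supported by this runtime. */`, or a sentence in docs/ChangeLog would spare the next person the link-time surprise. The renamed `static void __afl_trace_pc_init(void)` now runs only from `__afl_auto_init`, and its header comment mentions `inst_ratio_scaled` without saying that this function is what sets it for `__sanitizer_cov_trace_pc` to read; naming both in the comment would make the runtime-check remark self-contained. The body of `__afl_trace_pc_init` continues past the end of the hunk.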
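Review bot: The weak empty `__sanitizer_cov_module_init` stub added at the end of the file does not match what docs/ChangeLog in this same commit describes (`Put __sanitizer_cov_module_init & co behind #ifdef to avoid problems with ASAN`): there is no `#ifdef` here, the stub is defined unconditionally and relies on weak linkage to yield to a strong definition from a sanitizer runtime, so one of the two should be corrected to describe the actual mechanism. The comment `Work around a short-lived bug in LLVM with -fsanitize-coverage=trace-pc.` should also record which releases are affected, e.g. `/* Affected: LLVM <VERSION-RANGE, fill in>; drop this stub once that range is unsupported. */`, so the workaround can be retired deliberately. If the prototype the instrumented module uses for this symbol takes arguments, the `void(void)` stub's signature does not match it; an empty body makes that harmless on common ABIs, but the comment should say so or the stub should mirror the real prototype.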