codenote / american-fuzzy-lop Goto Github PK

The Makefile for afl 0.40b has this line:

    mkdir -m 755 $(HELPER_PATH) 2>/dev/null || continue

This "continue" doesn't make sense. If mkdir failed, you'd get an error like:

bash: continue: only meaningful in a `for', `while', or `until' loop

afl 0.43b Makefile uses "echo -e", which is not portable. Some shells (such as 
dash) have "echo" builtin that doesn't support -e. I'd suggest using printf(1) 
instead.

make tells me:

[*] Checking for an installation of GCC...

Oops, looks like you don't have GCC installed (or you need to specify \C).

The reason is here:
@$(CC) -v >.test 2>&1; grep -q '^gcc version' .test || ( echo; echo "Oops, 
looks like you don't have GCC installed (or you need to specify \$CC)."; echo; 
rm -f .test; exit 1 )

On my system (current Gentoo) gcc -v outputs this version string:
gcc-Version 4.9.2 (Gentoo 4.9.2 p1.0, pie-0.6.1) 

Maybe checking just for the binary gcc is better (?)

afl-as 0.41b doesn't remove its temporary files:

$ ls /tmp/.afl*
ls: cannot access /tmp/.afl*: No such file or directory

$ echo > test.c

$ afl-gcc -c test.c
afl-gcc 0.41b (Oct 26 2014 18:08:42) by <[email protected]>
afl-as 0.41b (Oct 26 2014 18:08:42) by <[email protected]>
[!] WARNING: No instrumentation targets found.

$ ls /tmp/.afl*
/tmp/.afl-8376-1414343520.s

cp -d is non portable

also bash specific brace expansion is used (probably breaking on ubuntu?)

Proposed alternative attached

experimental/crash_triage/triage_crashes.sh expects test cases in 
crashes/<sig>/<hash>/,
But that's not where afl-fuzz actually creates them: 
crashes/sig:<sig>,hash:<hash>/

Not sure if the tool should be used against this type of project, but here it 
goes:


Tried without:
parralelism
ccache

Added a delay before reading the file
________________________________________________________________________________
_____
mkdir -p /home/bubu/libre_test/libreoffice/instdir && install-gdb-printers -a 
/home/bubu/libre_test/libreoffice/instdir -c
/usr/bin/make -j 1 -rs -f /home/bubu/libre_test/libreoffice/Makefile.gbuild \
         \
         \
         \
        all
[build CXX] sal/osl/all/compat.cxx
afl-gcc 0.20b (Dec 26 2013 12:10:40) by <[email protected]>
afl-as 0.20b (Dec 26 2013 12:10:59) by <[email protected]>

[-]  SYSTEM ERROR : Unable to read 
'/home/bubu/libre_test/libreoffice/workdir/CxxObject/sal/osl/all/compat.o'
    Stop location : add_instrumentation(), afl-as.c:103
       OS message : No such file or directory

make[1]: *** 
[/home/bubu/libre_test/libreoffice/workdir/CxxObject/sal/osl/all/compat.o] 
Error 1
make: *** [build] Error 2

It seems like afl-as does not work with gcc's -pipe flag, so perhaps the flag 
should be stripped out by edit_params in afl-gcc.c?

$ ./afl-g++ -c -pipe ./foo.cpp
...
[!] WARNING: No instrumentation targets found.

$ ./afl-g++ -c ./foo.cpp
...
[+] Successfully instrumented 3 locations (seed = 0x52892e37).


---

foo.cpp:

int main()
{
  return 0;
}

The attached patch fixes a few typos.

when compiling with 0.46b-1.fc22.x86_64 + gcc 4.9.2
I'm getting invalid items passed on the stack.

Function is:

void parse_long_options (int _argc,
                         char **_argv,
                         const char *_command_name,
                         const char *_package,
                         const char *_version,
                         void (*_usage) (int),
                         /* const char *author1, ...*/ ...);


The _version argument is passed from an extern Version string,
but the pointer passed is corrupt, having the value 0xF880
or 0x1800 for example

any ideas?

When you set AFL_HARDEN=1, afl-gcc passes -fsanitize=memory to gcc. But my gcc 
doesn't seem to have such an option. Perhaps afl should try harder to guess 
which hardening options are available?

$ gcc --version
gcc (Debian 4.9.1-16) 4.9.1
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ echo > test.c

$ AFL_HARDEN=1 afl-gcc -c test.c 
afl-gcc 0.40b (Oct 26 2014 16:20:18) by <[email protected]>
gcc: error: unrecognized argument to -fsanitize= option: 'memory'

$ grep -rn O_EXCL afl-0.32b/
afl-0.32b/afl-as.c:112:  outfd = open(modified_file, O_WRONLY | O_EXCL | 
O_CREAT | O_NOFOLLOW, 0600);
afl-0.32b/afl-fuzz.c:919:    fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 
0600);
afl-0.32b/afl-fuzz.c:1091:  fd = open(fn, O_WRONLY | O_CREAT | O_EXCL | 
O_NOFOLLOW, 0600);
afl-0.32b/afl-fuzz.c:2610:  out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL | 
O_NOFOLLOW, 0600);

So in all cases but one O_CREAT|O_EXCL is used together with O_NOFOLLOW.
As far as I can tell, O_NOFOLLOW is no-op when or-ed with O_CREAT|O_EXCL, so it 
could be safely removed.

C++ programs compiled with afl-g++ can't catch exceptions:

$ g++ --version | head -n1
g++ (Debian 4.9.1-15) 4.9.1

$ g++ -Wall testcatch.cc -o testcatch

$ ./testcatch
Caught Foo!

$ afl-g++ -Wall testcatch.cc -o testcatch-afl
afl-gcc 0.31b (Oct  1 2014 13:05:52) by <[email protected]>
afl-as 0.31b (Oct  1 2014 13:05:52) by <[email protected]>
[+] Successfully instrumented 6 locations (seed = 0x542ab77d).

$ ./testcatch-afl
terminate called after throwing an instance of 'Foo'
Aborted

Mac OS X ships with clang by default and clang is able to compile afl w/o 
problems. The only thing stopping it is the first makefile check. I'd suggest 
something like 

@$(CC) -v >.test 2>&1; grep -iq '\d\.\d' .test

for the test, to simply check if CC -v returns some kind of version number, 
instead of looking for gcc specifically