Add AFLplusplus integration patch

intel · Oct 27, 2020 · 5eef3fb · 5eef3fb
1 parent 103081b
commit 5eef3fb
Show file tree

Hide file tree

Showing 4 changed files with 153 additions and 3 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt-get update -q
-          sudo apt-get install -y build-essential autoconf automake autoconf-archive libjson-c-dev libglib2.0-dev flex bison libtool cmake
+          sudo apt-get install -y build-essential autoconf automake autoconf-archive libjson-c-dev libglib2.0-dev flex bison libtool cmake clang
 
       - name: Setup ld
         run: |
@@ -111,13 +111,24 @@ jobs:
       - name: Patch and install AFL
         if: github.ref == 'refs/heads/master'
         run: |
-          export DESTDIR="$PWD/install"
+          export DESTDIR="$PWD/install/afl"
           git submodule update --init AFL
           cd AFL
           patch -p1 < ../patches/0001-AFL-Xen-mode.patch
           make
           make PREFIX="" install
 
+      - name: Patch and install AFLplusplus
+        if: github.ref == 'refs/heads/master'
+        run: |
+          export DESTDIR="$PWD/install/aflplusplus"
+          export CC=clang
+          git submodule update --init AFLplusplus
+          cd AFLplusplus
+          patch -p1 < ../patches/0001-AFLplusplus-Xen-mode.patch
+          make
+          make PREFIX="" install
+
       - name: Create archive
         id: archive
         if: github.ref == 'refs/heads/master'
@@ -130,7 +141,7 @@ jobs:
           mv $PWD/install/* $SAVEDIR
           cp ~/saved-xen/*.deb $SAVEDIR
           cd $SAVEDIR
-          tar czvf kfx.tar.gz lib bin include *.deb
+          tar czvf kfx.tar.gz lib bin include afl aflplusplus *.deb
           mv kfx.tar.gz ..
           cd ..
           ls -la

diff --git a/.gitmodules b/.gitmodules
@@ -28,3 +28,8 @@
 	url = https://github.com/tklengyel/libxdc
 	ignore = dirty
 	shallow = true
+[submodule "AFLplusplus"]
+	path = AFLplusplus
+	url = https://github.com/AFLplusplus/AFLplusplus
+	ignore = dirty
+	shallow = true
diff --git a/AFLplusplus b/AFLplusplus
diff --git a/patches/0001-AFLplusplus-Xen-mode.patch b/patches/0001-AFLplusplus-Xen-mode.patch
@@ -0,0 +1,133 @@
+From 575f3cc483b78f71091c4030ba223db5cc37e233 Mon Sep 17 00:00:00 2001
+From: Tamas K Lengyel <tamas.lengyel@intel.com>
+Date: Tue, 27 Oct 2020 19:18:53 -0400
+Subject: [PATCH] KF/x integration patch
+
+---
+ include/config.h     |  4 ++++
+ include/forkserver.h |  2 ++
+ src/afl-forkserver.c | 13 +++++++------
+ src/afl-fuzz.c       | 14 ++++++++++++--
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/include/config.h b/include/config.h
+index 711d0b77..b22f3d3e 100644
+--- a/include/config.h
++++ b/include/config.h
+@@ -86,6 +86,10 @@
+
+ #define MEM_LIMIT_UNICORN 200
+
++/* Default memory limit when running in Xen mode (MB): */
++
++#define MEM_LIMIT_XEN 750
++
+ /* Number of calibration cycles per every new test case (and for test
+    cases that show variable behavior): */
+
+diff --git a/include/forkserver.h b/include/forkserver.h
+index 717493db..c9a2e500 100644
+--- a/include/forkserver.h
++++ b/include/forkserver.h
+@@ -80,6 +80,8 @@ typedef struct afl_forkserver {
+
+   u8 qemu_mode;                         /* if running in qemu mode or not   */
+
++  u8 xen_mode;                          /* if running in qemu mode or not   */
++
+   u32 *shmem_fuzz_len;                  /* length of the fuzzing test case  */
+
+   u8 *shmem_fuzz;                       /* allocated memory for fuzzing     */
+diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
+index b2734335..42cd6525 100644
+--- a/src/afl-forkserver.c
++++ b/src/afl-forkserver.c
+@@ -488,12 +488,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
+
+     if (!time_ms) {
+
+-      kill(fsrv->fsrv_pid, SIGKILL);
++      kill(fsrv->fsrv_pid, fsrv->xen_mode ? SIGTERM : SIGKILL);
+
+     } else if (time_ms > fsrv->exec_tmout * FORK_WAIT_MULT) {
+
+       fsrv->last_run_timed_out = 1;
+-      kill(fsrv->fsrv_pid, SIGKILL);
++      kill(fsrv->fsrv_pid, fsrv->xen_mode ? SIGTERM : SIGKILL);
+
+     } else {
+
+@@ -843,10 +843,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
+
+ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
+
+-  if (fsrv->child_pid > 0) { kill(fsrv->child_pid, SIGKILL); }
++  if (fsrv->child_pid > 0 && !fsrv->xen_mode ) { kill(fsrv->child_pid, SIGKILL); }
+   if (fsrv->fsrv_pid > 0) {
+
+-    kill(fsrv->fsrv_pid, SIGKILL);
++    kill(fsrv->fsrv_pid, fsrv->xen_mode ? SIGTERM : SIGKILL);
+     if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); }
+
+   }
+@@ -963,7 +963,8 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
+     /* If there was no response from forkserver after timeout seconds,
+     we kill the child. The forkserver should inform us afterwards */
+
+-    kill(fsrv->child_pid, SIGKILL);
++    kill(fsrv->child_pid, fsrv->xen_mode ? SIGTERM : SIGKILL);
++
+     fsrv->last_run_timed_out = 1;
+     if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; }
+
+@@ -1013,7 +1014,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
+
+     fsrv->last_kill_signal = WTERMSIG(fsrv->child_status);
+
+-    if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) {
++    if (fsrv->last_run_timed_out && fsrv->last_kill_signal == (fsrv->xen_mode ? SIGTERM : SIGKILL) ) {
+
+       return FSRV_RUN_TMOUT;
+
+diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
+index cefcd73f..40a90c22 100644
+--- a/src/afl-fuzz.c
++++ b/src/afl-fuzz.c
+@@ -126,7 +126,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
+       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
+       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
+       "  -W            - use qemu-based instrumentation with Wine (Wine "
+-      "mode)\n\n"
++      "mode)\n"
++      "  -X            - use virtual-machine instrumentation (Xen mode)\n\n"
+
+       "Mutator settings:\n"
+       "  -R[R]         - add Radamsa as mutator, add another -R to exclusivly "
+@@ -292,7 +293,7 @@ int main(int argc, char **argv_orig, char **envp) {
+   afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+
+   while ((opt = getopt(argc, argv,
+-                       "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) >
++                       "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:X")) >
+          0) {
+
+     switch (opt) {
+@@ -602,6 +603,15 @@ int main(int argc, char **argv_orig, char **envp) {
+
+         break;
+
++      case 'X':                                                /* Xen mode */
++
++        if (afl->fsrv.xen_mode) { FATAL("Multiple -X options not supported"); }
++        afl->fsrv.xen_mode = 1;
++
++        if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_XEN; }
++
++        break;
++
+       case 'W':                                           /* Wine+QEMU mode */
+
+         if (afl->use_wine) { FATAL("Multiple -W options not supported"); }
+-- 
+2.20.1
+