Revisions of afl

Marcus Meissner (msmeissn) accepted request 1030428 from Marcus Meissner (msmeissn) (revision 156)
- updated to 4.04c
  - fix gramatron and grammar_mutator build scripts
  - enhancements to the afl-persistent-config and afl-system-config
    scripts
  - afl-fuzz:
    -   force writing all stats on exit
  - afl-cc:
    -   make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
  - qemu_mode:
    -   fixed 10x speed degradation in v4.03c
    -   added qemu_mode/fastexit helper library
  - unicorn_mode:
    -   Enabled tricore arch (by @jma-qb)
    -   Updated Capstone version in Rust bindings
  - llvm-mode:
    -   AFL runtime will always pass inputs via shared memory, when possible,
        ignoring the command line.
buildservice-autocommit accepted request 1005009 from Marcus Meissner (msmeissn) (revision 155)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 1005008 from Marcus Meissner (msmeissn) (revision 154)
- updated to 4.03c
  - Building now gives a build summary what succeeded and what not
  - afl-fuzz:
    - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
      of calibrating all initial seeds first. Good for large queues
      and long execution times, especially in CIs.
    - default calibration cycles set to 7 from 8, and only add 5 cycles
      to variable queue items instead of 12.
  - afl-cc:
    - fixed off-by-one bug in our pcguard implementation, thanks to
      @tokatoka for reporting
    - fix for llvm 15 and reenabling LTO, thanks to nikic for the PR!
    - better handling of -fsanitize=..,...,.. lists
    - support added for LLVMFuzzerRunDriver()
    - fix gcc_mode cmplog
    - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
      note that this will exit the target before main()
  - qemu_mode:
    - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
      edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
      worksbutnottested!
  - afl-analyze broke at some point, fix by CodeLogicError, thank you!
  - afl-cmin/afl-cmin.bash now have an -A option to allow also crashing
    and timeout inputs
  - unicorn_mode:
    - updated upstream unicorn version
    - fixed builds for aarch64
    - build now uses all available cores
buildservice-autocommit accepted request 998344 from Marcus Meissner (msmeissn) (revision 153)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 998343 from Marcus Meissner (msmeissn) (revision 152)
- updated to 4.02c
  - afl-cc:
    - important fix for the default pcguard mode when LLVM IR vector
      selects are produced, thanks to @juppytt for reporting!
  - gcc_plugin:
    -   Adacore submitted CMPLOG support to the gcc_plugin! :-)
  - llvm_mode:
    -   laf cmp splitting fixed for more comparison types
  - frida_mode:
    -   now works on Android!
  - afl-fuzz:
    - change post_process hook to allow returning NULL and 0 length to
      tell afl-fuzz to skip this mutated input
buildservice-autocommit accepted request 985621 from Marcus Meissner (msmeissn) (revision 151)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 985620 from Marcus Meissner (msmeissn) (revision 150)
- updated to 4.01c
  - fixed */build_...sh scripts to work outside of git
  - new custom_mutator: libafl with token fuzzing :)
  - afl-fuzz:
    - when you just want to compile once and set CMPLOG, then just
      set -c 0 to tell afl-fuzz that the fuzzing binary is also for
      CMPLOG.
    - new commandline options -g/G to set min/max length of generated
      fuzz inputs
    - you can set the time for syncing to other fuzzer now with
      AFL_SYNC_TIME
    - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
      persistent mode and manual forkserver support if these are not
      in the target binary (e.g. are in a shared library)
    - add AFL_EARLY_FORKSERVER to install the forkserver as early as
      possible in the target (for afl-gcc-fast/afl-clang-fast/
      afl-clang-lto)
    - "saved timeouts" was wrong information, timeouts are still thrown
      away by default even if they have new coverage (hangs are always
      kept), unless AFL_KEEP_TIMEOUTS is set
    - AFL never implemented auto token inserts (but user token inserts,
      user token overwrite and auto token overwrite), added now!
    - fixed a mutation type in havoc mode
    - Mopt fix to always select the correct algorithm
    - fix effector map calculation (deterministic mode)
    - fix custom mutator post_process functionality
    - document and auto-activate pizza mode on condition
  - afl-cc:
    - due to a bug in lld of llvm 15 LTO instrumentation won't work atm :-(
    - converted all passes to use the new llvm pass manager for llvm 11+
buildservice-autocommit accepted request 980919 from Marcus Meissner (msmeissn) (revision 149)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 980763 from Aaron Puchert (aaronpuchert) (revision 148)
- Add llvm14-fix-build.patch: fix build with LLVM 14.
buildservice-autocommit accepted request 966170 from Marcus Meissner (msmeissn) (revision 147)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 965115 from Aaron Puchert (aaronpuchert) (revision 146)
- Fix build with armv7l on Leap: we have afl-llvm-rt-lto{,-32}.o.
- Fix build with ppc64le: we don't seem to have the 32-bit object
  files available there and there is also no gcc-32bit.
Marcus Meissner (msmeissn) accepted request 950196 from Marcus Meissner (msmeissn) (revision 145)
- updated to 4.00c
  - complete documentation restructuring, made possible by Google Season
    of Docs :) thank you Jana!
  - we renamed several UI and fuzzer_stat entries to be more precise,
    e.g. "unique crashes" -> "saved crashes", "total paths" ->
    "corpus count", "current path" -> "current item".
    This might need changing custom scripting!
  - Nyx mode (full system emulation with snapshot capability) has been
    added - thanks to @schumilo and @eqv!
  - unicorn_mode:
    -   Moved to unicorn2! by Ziqiao Kong (@lazymio)
    -   Faster, more accurate emulation (newer QEMU base), risc-v support
    -   removed indirections in rust callbacks
  - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
    thanks to RICSecLab submitting!
  - if instrumented libraries are dlopen()'ed after the forkserver you
    will now see a crash. Before you would have colliding coverage.
    We changed this to force fixing a broken setup rather than allowing
    ineffective fuzzing.
  - See docs/best_practices.md how to fix such setups.
  - afl-fuzz:
    -   cmplog binaries will need to be recompiled for this version
        (it is better!)
    -   fix a regression introduced in 3.10 that resulted in less
        coverage being detected. thanks to Collin May for reporting!
    -   ensure all spawned targets are killed on exit
    -   added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
        incorrect LTO usage setups and enhanced the READMEs for better
        information on how to deal with instrumenting libraries
    -   fix -n dumb mode (nobody should use this mode though)
Marcus Meissner (msmeissn) accepted request 921492 from Marcus Meissner (msmeissn) (revision 144)
- enable gcc-plugin on factory
- build with 32bit plugins on x86_64
Marcus Meissner (msmeissn) accepted request 907257 from Marcus Meissner (msmeissn) (revision 143)
- updated to 3.14c
  - afl-fuzz:
    - fix -F when a '/' was part of the parameter
    - fixed a crash for cmplog for very slow inputs
    - fix for AFLfast schedule counting
    - removed implied -D deterministic from -M main
    - if the target becomes unavailable check out out/default/error.txt
      for an indicator why
    - AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
    - reverse read the queue on resumes (more effective)
    - fix custom mutator trimming
  - afl-cc:
    - Update to COMPCOV/laf-intel that speeds up the instrumentation
      process a lot - thanks to Michael Rodler/f0rki for the PR!
    - Fix for failures for some sized string instrumentations
    - Fix to instrument global namespace functions in c++
    - Fix for llvm 13
    - support partial linking
    - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE
    - We do support llvm versions from 3.8 to 5.0 again
  - frida_mode:
    - several fixes for cmplog
    - remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET
    - less coverage collision
    - feature parity of aarch64 with intel now (persistent, cmplog,
      in-memory testcases, asan)
  - afl-cmin and afl-showmap -i do now descend into subdirectories
    (like afl-fuzz does) - note that afl-cmin.bash does not!
  - afl_analyze:
    - fix timeout handling
Marcus Meissner (msmeissn) accepted request 906530 from Peace Peters (peace) (revision 142)
- s390x added to the compiler files
buildservice-autocommit accepted request 898301 from Marcus Meissner (msmeissn) (revision 141)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 898298 from Andreas Schwab (Andreas_Schwab) (revision 140)
- Fix filelist for riscv64
buildservice-autocommit accepted request 896671 from Marcus Meissner (msmeissn) (revision 139)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 896670 from Marcus Meissner (msmeissn) (revision 138)
- updated to 3.13c
  - Note: plot_data switched to relative time from unix time in 3.10
  - frida_mode - new mode that uses frida to fuzz binary-only targets,
    it currently supports persistent mode and cmplog.
    thanks to @WorksButNotTested!
  - create a fuzzing dictionary with the help of CodeQL thanks to
    @microsvuln! see utils/autodict_ql
  - afl-fuzz:
    - added patch by @realmadsci to support @@ as part of command line
      options, e.g. `afl-fuzz ... -- ./target --infile=@@`
    - add recording of previous fuzz attempts for persistent mode
      to allow replay of non-reproducible crashes, see
      AFL_PERSISTENT_RECORD in config.h and docs/envs.h
    - fixed a bug when trimming for stdin targets
    - cmplog -l: default cmplog level is now 2, better efficiency.
      level 3 now performs redqueen on everything. use with care.
    - better fuzzing strategy yield display for enabled options
    - ensure one fuzzer sync per cycle
    - fix afl_custom_queue_new_entry original file name when syncing
      from fuzzers
    - fixed a crash when more than one custom mutator was used together
      with afl_custom_post_process
    - on a crashing seed potentially the wrong input was disabled
    - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
      -i dir crashes the target or results in a timeout. By default
      afl++ ignores these and uses them for splicing instead.
    - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
      after no new paths have been found for n seconds
    - when AFL_FAST_CAL is set a variable path will now be calibrated
      8 times instead of originally 40. Long calibration is now 20.
buildservice-autocommit accepted request 884083 from Marcus Meissner (msmeissn) (revision 137)
baserev update by copy to link target
Displaying revisions 21 - 40 of 176