+63 -62

pkgs/tools/security/afl/default.nix

··· 3 3 }: 4 4 5 5 let 6 6 - afl-qemu = callPackage ./qemu.nix {}; 6 6 + afl-qemu = callPackage ./qemu.nix { inherit afl; }; 7 7 qemu-exe-name = if stdenv.hostPlatform.system == "x86_64-linux" then "qemu-x86_64" 8 8 else if stdenv.hostPlatform.system == "i686-linux" then "qemu-i386" 9 9 else throw "afl: no support for ${stdenv.hostPlatform.system}!"; 10 10 - in 10 10 + afl = stdenv.mkDerivation rec { 11 11 + name = "afl-${version}"; 12 12 + version = "2.52b"; 11 13 12 12 - stdenv.mkDerivation rec { 13 13 - name = "afl-${version}"; 14 14 - version = "2.52b"; 14 14 + src = fetchurl { 15 15 + url = "http://lcamtuf.coredump.cx/afl/releases/${name}.tgz"; 16 16 + sha256 = "0ig0ij4n1pwry5dw1hk4q88801jzzy2cric6y2gd6560j55lnqa3"; 17 17 + }; 15 18 16 16 - src = fetchurl { 17 17 - url = "http://lcamtuf.coredump.cx/afl/releases/${name}.tgz"; 18 18 - sha256 = "0ig0ij4n1pwry5dw1hk4q88801jzzy2cric6y2gd6560j55lnqa3"; 19 19 - }; 19 19 + # Note: libcgroup isn't needed for building, just for the afl-cgroup 20 20 + # script. 21 21 + buildInputs = [ makeWrapper llvm which ]; 20 22 21 21 - # Note: libcgroup isn't needed for building, just for the afl-cgroup 22 22 - # script. 23 23 - buildInputs = [ makeWrapper llvm which ]; 23 23 + buildPhase = '' 24 24 + make PREFIX=$out 25 25 + cd llvm_mode 26 26 + make PREFIX=$out 27 27 + cd .. 28 28 + ''; 29 29 + installPhase = '' 30 30 + # Do the normal installation 31 31 + make install PREFIX=$out 24 32 25 25 - buildPhase = '' 26 26 - make PREFIX=$out 27 27 - cd llvm_mode 28 28 - make PREFIX=$out 29 29 - cd .. 30 30 - ''; 31 31 - installPhase = '' 32 32 - # Do the normal installation 33 33 - make install PREFIX=$out 33 33 + # Install the custom QEMU emulator for binary blob fuzzing. 34 34 + cp ${afl-qemu}/bin/${qemu-exe-name} $out/bin/afl-qemu-trace 34 35 35 35 - # Install the custom QEMU emulator for binary blob fuzzing. 36 36 - cp ${afl-qemu}/bin/${qemu-exe-name} $out/bin/afl-qemu-trace 36 36 + # Install the cgroups wrapper for asan-based fuzzing. 37 37 + cp experimental/asan_cgroups/limit_memory.sh $out/bin/afl-cgroup 38 38 + chmod +x $out/bin/afl-cgroup 39 39 + substituteInPlace $out/bin/afl-cgroup \ 40 40 + --replace "cgcreate" "${libcgroup}/bin/cgcreate" \ 41 41 + --replace "cgexec" "${libcgroup}/bin/cgexec" \ 42 42 + --replace "cgdelete" "${libcgroup}/bin/cgdelete" 37 43 38 38 - # Install the cgroups wrapper for asan-based fuzzing. 39 39 - cp experimental/asan_cgroups/limit_memory.sh $out/bin/afl-cgroup 40 40 - chmod +x $out/bin/afl-cgroup 41 41 - substituteInPlace $out/bin/afl-cgroup \ 42 42 - --replace "cgcreate" "${libcgroup}/bin/cgcreate" \ 43 43 - --replace "cgexec" "${libcgroup}/bin/cgexec" \ 44 44 - --replace "cgdelete" "${libcgroup}/bin/cgdelete" 44 44 + # Patch shebangs before wrapping 45 45 + patchShebangs $out/bin 45 46 46 46 - # Patch shebangs before wrapping 47 47 - patchShebangs $out/bin 47 47 + # Wrap afl-clang-fast(++) with a *different* AFL_PATH, because it 48 48 + # has totally different semantics in that case(?) - and also set a 49 49 + # proper AFL_CC and AFL_CXX so we don't pick up the wrong one out 50 50 + # of $PATH. 51 51 + for x in $out/bin/afl-clang-fast $out/bin/afl-clang-fast++; do 52 52 + wrapProgram $x \ 53 53 + --prefix AFL_PATH : "$out/lib/afl" \ 54 54 + --run 'export AFL_CC=''${AFL_CC:-${clang}/bin/clang} AFL_CXX=''${AFL_CXX:-${clang}/bin/clang++}' 55 55 + done 56 56 + ''; 48 57 49 49 - # Wrap afl-clang-fast(++) with a *different* AFL_PATH, because it 50 50 - # has totally different semantics in that case(?) - and also set a 51 51 - # proper AFL_CC and AFL_CXX so we don't pick up the wrong one out 52 52 - # of $PATH. 53 53 - for x in $out/bin/afl-clang-fast $out/bin/afl-clang-fast++; do 54 54 - wrapProgram $x \ 55 55 - --prefix AFL_PATH : "$out/lib/afl" \ 56 56 - --run 'export AFL_CC=''${AFL_CC:-${clang}/bin/clang} AFL_CXX=''${AFL_CXX:-${clang}/bin/clang++}' 57 57 - done 58 58 - ''; 58 58 + passthru = { 59 59 + qemu = afl-qemu; 60 60 + }; 59 61 60 60 - passthru = { 61 61 - qemu = afl-qemu; 62 62 + meta = { 63 63 + description = "Powerful fuzzer via genetic algorithms and instrumentation"; 64 64 + longDescription = '' 65 65 + American fuzzy lop is a fuzzer that employs a novel type of 66 66 + compile-time instrumentation and genetic algorithms to 67 67 + automatically discover clean, interesting test cases that 68 68 + trigger new internal states in the targeted binary. This 69 69 + substantially improves the functional coverage for the fuzzed 70 70 + code. The compact synthesized corpora produced by the tool are 71 71 + also useful for seeding other, more labor or resource-intensive 72 72 + testing regimes down the road. 73 73 + ''; 74 74 + homepage = "http://lcamtuf.coredump.cx/afl/"; 75 75 + license = stdenv.lib.licenses.asl20; 76 76 + platforms = ["x86_64-linux" "i686-linux"]; 77 77 + maintainers = [ stdenv.lib.maintainers.thoughtpolice ]; 78 78 + }; 62 79 }; 80 80 + in afl 63 81 64 64 - meta = { 65 65 - description = "Powerful fuzzer via genetic algorithms and instrumentation"; 66 66 - longDescription = '' 67 67 - American fuzzy lop is a fuzzer that employs a novel type of 68 68 - compile-time instrumentation and genetic algorithms to 69 69 - automatically discover clean, interesting test cases that 70 70 - trigger new internal states in the targeted binary. This 71 71 - substantially improves the functional coverage for the fuzzed 72 72 - code. The compact synthesized corpora produced by the tool are 73 73 - also useful for seeding other, more labor or resource-intensive 74 74 - testing regimes down the road. 75 75 - ''; 76 76 - homepage = "http://lcamtuf.coredump.cx/afl/"; 77 77 - license = stdenv.lib.licenses.asl20; 78 78 - platforms = ["x86_64-linux" "i686-linux"]; 79 79 - maintainers = [ stdenv.lib.maintainers.thoughtpolice ]; 80 80 - }; 81 81 - } 82 82 +

-335

pkgs/tools/security/afl/qemu-patches/afl-config.h

··· 1 1 - /* 2 2 - american fuzzy lop - vaguely configurable bits 3 3 - ---------------------------------------------- 4 4 - 5 5 - Written and maintained by Michal Zalewski <lcamtuf@google.com> 6 6 - 7 7 - Copyright 2013, 2014, 2015 Google Inc. All rights reserved. 8 8 - 9 9 - Licensed under the Apache License, Version 2.0 (the "License"); 10 10 - you may not use this file except in compliance with the License. 11 11 - You may obtain a copy of the License at: 12 12 - 13 13 - http://www.apache.org/licenses/LICENSE-2.0 14 14 - 15 15 - */ 16 16 - 17 17 - #ifndef _HAVE_CONFIG_H 18 18 - #define _HAVE_CONFIG_H 19 19 - 20 20 - #include "afl-types.h" 21 21 - 22 22 - /****************************************************** 23 23 - * * 24 24 - * Settings that may be of interest to power users: * 25 25 - * * 26 26 - ******************************************************/ 27 27 - 28 28 - /* Comment out to disable terminal colors: */ 29 29 - 30 30 - #define USE_COLOR 31 31 - 32 32 - /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ 33 33 - 34 34 - #define FANCY_BOXES 35 35 - 36 36 - /* Default timeout for fuzzed code (milliseconds): */ 37 37 - 38 38 - #define EXEC_TIMEOUT 1000 39 39 - 40 40 - /* Timeout rounding factor when auto-scaling (milliseconds): */ 41 41 - 42 42 - #define EXEC_TM_ROUND 20 43 43 - 44 44 - /* Default memory limit for child process (MB): */ 45 45 - 46 46 - #ifndef __x86_64__ 47 47 - # define MEM_LIMIT 25 48 48 - #else 49 49 - # define MEM_LIMIT 50 50 50 - #endif /* ^!__x86_64__ */ 51 51 - 52 52 - /* Default memory limit when running in QEMU mode (MB): */ 53 53 - 54 54 - #define MEM_LIMIT_QEMU 200 55 55 - 56 56 - /* Number of calibration cycles per every new test case (and for test 57 57 - cases that show variable behavior): */ 58 58 - 59 59 - #define CAL_CYCLES 10 60 60 - #define CAL_CYCLES_LONG 40 61 61 - 62 62 - /* The same, but when AFL_NO_VAR_CHECK is set in the environment: */ 63 63 - 64 64 - #define CAL_CYCLES_NO_VAR 4 65 65 - 66 66 - /* Number of subsequent hangs before abandoning an input file: */ 67 67 - 68 68 - #define HANG_LIMIT 250 69 69 - 70 70 - /* Maximum number of unique hangs or crashes to record: */ 71 71 - 72 72 - #define KEEP_UNIQUE_HANG 500 73 73 - #define KEEP_UNIQUE_CRASH 5000 74 74 - 75 75 - /* Baseline number of random tweaks during a single 'havoc' stage: */ 76 76 - 77 77 - #define HAVOC_CYCLES 5000 78 78 - 79 79 - /* Maximum multiplier for the above (should be a power of two, beware 80 80 - of 32-bit int overflows): */ 81 81 - 82 82 - #define HAVOC_MAX_MULT 16 83 83 - 84 84 - /* Absolute minimum number of havoc cycles (after all adjustments): */ 85 85 - 86 86 - #define HAVOC_MIN 10 87 87 - 88 88 - /* Maximum stacking for havoc-stage tweaks. The actual value is calculated 89 89 - like this: 90 90 - 91 91 - n = random between 1 and HAVOC_STACK_POW2 92 92 - stacking = 2^n 93 93 - 94 94 - In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or 95 95 - 128 stacked tweaks: */ 96 96 - 97 97 - #define HAVOC_STACK_POW2 7 98 98 - 99 99 - /* Caps on block sizes for cloning and deletion operations. Each of these 100 100 - ranges has a 33% probability of getting picked, except for the first 101 101 - two cycles where smaller blocks are favored: */ 102 102 - 103 103 - #define HAVOC_BLK_SMALL 32 104 104 - #define HAVOC_BLK_MEDIUM 128 105 105 - #define HAVOC_BLK_LARGE 1500 106 106 - 107 107 - /* Probabilities of skipping non-favored entries in the queue, expressed as 108 108 - percentages: */ 109 109 - 110 110 - #define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ 111 111 - #define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ 112 112 - #define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ 113 113 - 114 114 - /* Splicing cycle count: */ 115 115 - 116 116 - #define SPLICE_CYCLES 20 117 117 - 118 118 - /* Nominal per-splice havoc cycle length: */ 119 119 - 120 120 - #define SPLICE_HAVOC 500 121 121 - 122 122 - /* Maximum offset for integer addition / subtraction stages: */ 123 123 - 124 124 - #define ARITH_MAX 35 125 125 - 126 126 - /* Limits for the test case trimmer. The absolute minimum chunk size; and 127 127 - the starting and ending divisors for chopping up the input file: */ 128 128 - 129 129 - #define TRIM_MIN_BYTES 4 130 130 - #define TRIM_START_STEPS 16 131 131 - #define TRIM_END_STEPS 1024 132 132 - 133 133 - /* Maximum size of input file, in bytes (keep under 100MB): */ 134 134 - 135 135 - #define MAX_FILE (1 * 1024 * 1024) 136 136 - 137 137 - /* The same, for the test case minimizer: */ 138 138 - 139 139 - #define TMIN_MAX_FILE (10 * 1024 * 1024) 140 140 - 141 141 - /* Block normalization steps for afl-tmin: */ 142 142 - 143 143 - #define TMIN_SET_MIN_SIZE 4 144 144 - #define TMIN_SET_STEPS 128 145 145 - 146 146 - /* Maximum dictionary token size (-x), in bytes: */ 147 147 - 148 148 - #define MAX_DICT_FILE 128 149 149 - 150 150 - /* Length limits for auto-detected dictionary tokens: */ 151 151 - 152 152 - #define MIN_AUTO_EXTRA 3 153 153 - #define MAX_AUTO_EXTRA 32 154 154 - 155 155 - /* Maximum number of user-specified dictionary tokens to use in deterministic 156 156 - steps; past this point, the "extras/user" step will be still carried out, 157 157 - but with proportionally lower odds: */ 158 158 - 159 159 - #define MAX_DET_EXTRAS 200 160 160 - 161 161 - /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing 162 162 - (first value), and to keep in memory as candidates. The latter should be much 163 163 - higher than the former. */ 164 164 - 165 165 - #define USE_AUTO_EXTRAS 50 166 166 - #define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) 167 167 - 168 168 - /* Scaling factor for the effector map used to skip some of the more 169 169 - expensive deterministic steps. The actual divisor is set to 170 170 - 2^EFF_MAP_SCALE2 bytes: */ 171 171 - 172 172 - #define EFF_MAP_SCALE2 3 173 173 - 174 174 - /* Minimum input file length at which the effector logic kicks in: */ 175 175 - 176 176 - #define EFF_MIN_LEN 128 177 177 - 178 178 - /* Maximum effector density past which everything is just fuzzed 179 179 - unconditionally (%): */ 180 180 - 181 181 - #define EFF_MAX_PERC 90 182 182 - 183 183 - /* UI refresh frequency (Hz): */ 184 184 - 185 185 - #define UI_TARGET_HZ 5 186 186 - 187 187 - /* Fuzzer stats file and plot update intervals (sec): */ 188 188 - 189 189 - #define STATS_UPDATE_SEC 60 190 190 - #define PLOT_UPDATE_SEC 5 191 191 - 192 192 - /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ 193 193 - 194 194 - #define AVG_SMOOTHING 16 195 195 - 196 196 - /* Sync interval (every n havoc cycles): */ 197 197 - 198 198 - #define SYNC_INTERVAL 5 199 199 - 200 200 - /* Output directory reuse grace period (minutes): */ 201 201 - 202 202 - #define OUTPUT_GRACE 25 203 203 - 204 204 - /* Uncomment to use simple file names (id_NNNNNN): */ 205 205 - 206 206 - // #define SIMPLE_FILES 207 207 - 208 208 - /* List of interesting values to use in fuzzing. */ 209 209 - 210 210 - #define INTERESTING_8 \ 211 211 - -128, /* Overflow signed 8-bit when decremented */ \ 212 212 - -1, /* */ \ 213 213 - 0, /* */ \ 214 214 - 1, /* */ \ 215 215 - 16, /* One-off with common buffer size */ \ 216 216 - 32, /* One-off with common buffer size */ \ 217 217 - 64, /* One-off with common buffer size */ \ 218 218 - 100, /* One-off with common buffer size */ \ 219 219 - 127 /* Overflow signed 8-bit when incremented */ 220 220 - 221 221 - #define INTERESTING_16 \ 222 222 - -32768, /* Overflow signed 16-bit when decremented */ \ 223 223 - -129, /* Overflow signed 8-bit */ \ 224 224 - 128, /* Overflow signed 8-bit */ \ 225 225 - 255, /* Overflow unsig 8-bit when incremented */ \ 226 226 - 256, /* Overflow unsig 8-bit */ \ 227 227 - 512, /* One-off with common buffer size */ \ 228 228 - 1000, /* One-off with common buffer size */ \ 229 229 - 1024, /* One-off with common buffer size */ \ 230 230 - 4096, /* One-off with common buffer size */ \ 231 231 - 32767 /* Overflow signed 16-bit when incremented */ 232 232 - 233 233 - #define INTERESTING_32 \ 234 234 - -2147483648LL, /* Overflow signed 32-bit when decremented */ \ 235 235 - -100663046, /* Large negative number (endian-agnostic) */ \ 236 236 - -32769, /* Overflow signed 16-bit */ \ 237 237 - 32768, /* Overflow signed 16-bit */ \ 238 238 - 65535, /* Overflow unsig 16-bit when incremented */ \ 239 239 - 65536, /* Overflow unsig 16 bit */ \ 240 240 - 100663045, /* Large positive number (endian-agnostic) */ \ 241 241 - 2147483647 /* Overflow signed 32-bit when incremented */ 242 242 - 243 243 - /*********************************************************** 244 244 - * * 245 245 - * Really exotic stuff you probably don't want to touch: * 246 246 - * * 247 247 - ***********************************************************/ 248 248 - 249 249 - /* Call count interval between reseeding the libc PRNG from /dev/urandom: */ 250 250 - 251 251 - #define RESEED_RNG 10000 252 252 - 253 253 - /* Maximum line length passed from GCC to 'as' and used for parsing 254 254 - configuration files: */ 255 255 - 256 256 - #define MAX_LINE 8192 257 257 - 258 258 - /* Environment variable used to pass SHM ID to the called program. */ 259 259 - 260 260 - #define SHM_ENV_VAR "__AFL_SHM_ID" 261 261 - 262 262 - /* Other less interesting, internal-only variables. */ 263 263 - 264 264 - #define CLANG_ENV_VAR "__AFL_CLANG_MODE" 265 265 - #define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" 266 266 - 267 267 - /* Distinctive bitmap signature used to indicate failed execution: */ 268 268 - 269 269 - #define EXEC_FAIL_SIG 0xfee1dead 270 270 - 271 271 - /* Distinctive exit code used to indicate MSAN trip condition: */ 272 272 - 273 273 - #define MSAN_ERROR 86 274 274 - 275 275 - /* Designated file descriptors for forkserver commands (the application will 276 276 - use FORKSRV_FD and FORKSRV_FD + 1): */ 277 277 - 278 278 - #define FORKSRV_FD 198 279 279 - 280 280 - /* Fork server init timeout multiplier: we'll wait the user-selected 281 281 - timeout plus this much for the fork server to spin up. */ 282 282 - 283 283 - #define FORK_WAIT_MULT 10 284 284 - 285 285 - /* Calibration timeout adjustments, to be a bit more generous when resuming 286 286 - fuzzing sessions or trying to calibrate already-added internal finds. 287 287 - The first value is a percentage, the other is in milliseconds: */ 288 288 - 289 289 - #define CAL_TMOUT_PERC 125 290 290 - #define CAL_TMOUT_ADD 50 291 291 - 292 292 - /* Number of chances to calibrate a case before giving up: */ 293 293 - 294 294 - #define CAL_CHANCES 3 295 295 - 296 296 - /* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than 297 297 - 2; you probably want to keep it under 18 or so for performance reasons 298 298 - (adjusting AFL_INST_RATIO when compiling is probably a better way to solve 299 299 - problems with complex programs). You need to recompile the target binary 300 300 - after changing this - otherwise, SEGVs may ensue. */ 301 301 - 302 302 - #define MAP_SIZE_POW2 16 303 303 - #define MAP_SIZE (1 << MAP_SIZE_POW2) 304 304 - 305 305 - /* Maximum allocator request size (keep well under INT_MAX): */ 306 306 - 307 307 - #define MAX_ALLOC 0x40000000 308 308 - 309 309 - /* A made-up hashing seed: */ 310 310 - 311 311 - #define HASH_CONST 0xa5b35705 312 312 - 313 313 - /* Constants for afl-gotcpu to control busy loop timing: */ 314 314 - 315 315 - #define CTEST_TARGET_MS 5000 316 316 - #define CTEST_BUSY_CYCLES (10 * 1000 * 1000) 317 317 - 318 318 - /* Uncomment this to use inferior block-coverage-based instrumentation. Note 319 319 - that you need to recompile the target binary for this to have any effect: */ 320 320 - 321 321 - // #define COVERAGE_ONLY 322 322 - 323 323 - /* Uncomment this to ignore hit counts and output just one bit per tuple. 324 324 - As with the previous setting, you will need to recompile the target 325 325 - binary: */ 326 326 - 327 327 - // #define SKIP_COUNTS 328 328 - 329 329 - /* Uncomment this to use instrumentation data to record newly discovered paths, 330 330 - but do not use them as seeds for fuzzing. This is useful for conveniently 331 331 - measuring coverage that could be attained by a "dumb" fuzzing algorithm: */ 332 332 - 333 333 - // #define IGNORE_FINDS 334 334 - 335 335 - #endif /* ! _HAVE_CONFIG_H */

-296

pkgs/tools/security/afl/qemu-patches/afl-qemu-cpu-inl.h

··· 1 1 - /* 2 2 - american fuzzy lop - high-performance binary-only instrumentation 3 3 - ----------------------------------------------------------------- 4 4 - 5 5 - Written by Andrew Griffiths <agriffiths@google.com> and 6 6 - Michal Zalewski <lcamtuf@google.com> 7 7 - 8 8 - Idea & design very much by Andrew Griffiths. 9 9 - 10 10 - Copyright 2015 Google Inc. All rights reserved. 11 11 - 12 12 - Licensed under the Apache License, Version 2.0 (the "License"); 13 13 - you may not use this file except in compliance with the License. 14 14 - You may obtain a copy of the License at: 15 15 - 16 16 - http://www.apache.org/licenses/LICENSE-2.0 17 17 - 18 18 - This code is a shim patched into the separately-distributed source 19 19 - code of QEMU 2.2.0. It leverages the built-in QEMU tracing functionality 20 20 - to implement AFL-style instrumentation and to take care of the remaining 21 21 - parts of the AFL fork server logic. 22 22 - 23 23 - The resulting QEMU binary is essentially a standalone instrumentation 24 24 - tool; for an example of how to leverage it for other purposes, you can 25 25 - have a look at afl-showmap.c. 26 26 - 27 27 - */ 28 28 - 29 29 - #include <sys/shm.h> 30 30 - #include "afl-config.h" 31 31 - 32 32 - /*************************** 33 33 - * VARIOUS AUXILIARY STUFF * 34 34 - ***************************/ 35 35 - 36 36 - /* A snippet patched into tb_find_slow to inform the parent process that 37 37 - we have hit a new block that hasn't been translated yet, and to tell 38 38 - it to translate within its own context, too (this avoids translation 39 39 - overhead in the next forked-off copy). */ 40 40 - 41 41 - #define AFL_QEMU_CPU_SNIPPET1 do { \ 42 42 - afl_request_tsl(pc, cs_base, flags); \ 43 43 - } while (0) 44 44 - 45 45 - /* This snippet kicks in when the instruction pointer is positioned at 46 46 - _start and does the usual forkserver stuff, not very different from 47 47 - regular instrumentation injected via afl-as.h. */ 48 48 - 49 49 - #define AFL_QEMU_CPU_SNIPPET2 do { \ 50 50 - if(tb->pc == afl_entry_point) { \ 51 51 - afl_setup(); \ 52 52 - afl_forkserver(env); \ 53 53 - } \ 54 54 - afl_maybe_log(tb->pc); \ 55 55 - } while (0) 56 56 - 57 57 - /* We use one additional file descriptor to relay "needs translation" 58 58 - messages between the child and the fork server. */ 59 59 - 60 60 - #define TSL_FD (FORKSRV_FD - 1) 61 61 - 62 62 - /* This is equivalent to afl-as.h: */ 63 63 - 64 64 - static unsigned char *afl_area_ptr; 65 65 - 66 66 - /* Exported variables populated by the code patched into elfload.c: */ 67 67 - 68 68 - abi_ulong afl_entry_point, /* ELF entry point (_start) */ 69 69 - afl_start_code, /* .text start pointer */ 70 70 - afl_end_code; /* .text end pointer */ 71 71 - 72 72 - /* Set in the child process in forkserver mode: */ 73 73 - 74 74 - static unsigned char afl_fork_child; 75 75 - unsigned int afl_forksrv_pid; 76 76 - 77 77 - /* Instrumentation ratio: */ 78 78 - 79 79 - static unsigned int afl_inst_rms = MAP_SIZE; 80 80 - 81 81 - /* Function declarations. */ 82 82 - 83 83 - static void afl_setup(void); 84 84 - static void afl_forkserver(CPUArchState*); 85 85 - static inline void afl_maybe_log(abi_ulong); 86 86 - 87 87 - static void afl_wait_tsl(CPUArchState*, int); 88 88 - static void afl_request_tsl(target_ulong, target_ulong, uint64_t); 89 89 - 90 90 - static TranslationBlock *tb_find_slow(CPUArchState*, target_ulong, 91 91 - target_ulong, uint64_t); 92 92 - 93 93 - 94 94 - /* Data structure passed around by the translate handlers: */ 95 95 - 96 96 - struct afl_tsl { 97 97 - target_ulong pc; 98 98 - target_ulong cs_base; 99 99 - uint64_t flags; 100 100 - }; 101 101 - 102 102 - 103 103 - /************************* 104 104 - * ACTUAL IMPLEMENTATION * 105 105 - *************************/ 106 106 - 107 107 - 108 108 - /* Set up SHM region and initialize other stuff. */ 109 109 - 110 110 - static void afl_setup(void) { 111 111 - 112 112 - char *id_str = getenv(SHM_ENV_VAR), 113 113 - *inst_r = getenv("AFL_INST_RATIO"); 114 114 - 115 115 - int shm_id; 116 116 - 117 117 - if (inst_r) { 118 118 - 119 119 - unsigned int r; 120 120 - 121 121 - r = atoi(inst_r); 122 122 - 123 123 - if (r > 100) r = 100; 124 124 - if (!r) r = 1; 125 125 - 126 126 - afl_inst_rms = MAP_SIZE * r / 100; 127 127 - 128 128 - } 129 129 - 130 130 - if (id_str) { 131 131 - 132 132 - shm_id = atoi(id_str); 133 133 - afl_area_ptr = shmat(shm_id, NULL, 0); 134 134 - 135 135 - if (afl_area_ptr == (void*)-1) exit(1); 136 136 - 137 137 - /* With AFL_INST_RATIO set to a low value, we want to touch the bitmap 138 138 - so that the parent doesn't give up on us. */ 139 139 - 140 140 - if (inst_r) afl_area_ptr[0] = 1; 141 141 - 142 142 - 143 143 - } 144 144 - 145 145 - if (getenv("AFL_INST_LIBS")) { 146 146 - 147 147 - afl_start_code = 0; 148 148 - afl_end_code = (abi_ulong)-1; 149 149 - 150 150 - } 151 151 - 152 152 - } 153 153 - 154 154 - 155 155 - /* Fork server logic, invoked once we hit _start. */ 156 156 - 157 157 - static void afl_forkserver(CPUArchState *env) { 158 158 - 159 159 - static unsigned char tmp[4]; 160 160 - 161 161 - if (!afl_area_ptr) return; 162 162 - 163 163 - /* Tell the parent that we're alive. If the parent doesn't want 164 164 - to talk, assume that we're not running in forkserver mode. */ 165 165 - 166 166 - if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; 167 167 - 168 168 - afl_forksrv_pid = getpid(); 169 169 - 170 170 - /* All right, let's await orders... */ 171 171 - 172 172 - while (1) { 173 173 - 174 174 - pid_t child_pid; 175 175 - int status, t_fd[2]; 176 176 - 177 177 - /* Whoops, parent dead? */ 178 178 - 179 179 - if (read(FORKSRV_FD, tmp, 4) != 4) exit(2); 180 180 - 181 181 - /* Establish a channel with child to grab translation commands. We'll 182 182 - read from t_fd[0], child will write to TSL_FD. */ 183 183 - 184 184 - if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3); 185 185 - close(t_fd[1]); 186 186 - 187 187 - child_pid = fork(); 188 188 - if (child_pid < 0) exit(4); 189 189 - 190 190 - if (!child_pid) { 191 191 - 192 192 - /* Child process. Close descriptors and run free. */ 193 193 - 194 194 - afl_fork_child = 1; 195 195 - close(FORKSRV_FD); 196 196 - close(FORKSRV_FD + 1); 197 197 - close(t_fd[0]); 198 198 - return; 199 199 - 200 200 - } 201 201 - 202 202 - /* Parent. */ 203 203 - 204 204 - close(TSL_FD); 205 205 - 206 206 - if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5); 207 207 - 208 208 - /* Collect translation requests until child dies and closes the pipe. */ 209 209 - 210 210 - afl_wait_tsl(env, t_fd[0]); 211 211 - 212 212 - /* Get and relay exit status to parent. */ 213 213 - 214 214 - if (waitpid(child_pid, &status, WUNTRACED) < 0) exit(6); 215 215 - if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); 216 216 - 217 217 - } 218 218 - 219 219 - } 220 220 - 221 221 - 222 222 - /* The equivalent of the tuple logging routine from afl-as.h. */ 223 223 - 224 224 - static inline void afl_maybe_log(abi_ulong cur_loc) { 225 225 - 226 226 - static abi_ulong prev_loc; 227 227 - 228 228 - /* Optimize for cur_loc > afl_end_code, which is the most likely case on 229 229 - Linux systems. */ 230 230 - 231 231 - if (cur_loc > afl_end_code || cur_loc < afl_start_code || !afl_area_ptr) 232 232 - return; 233 233 - 234 234 - /* Looks like QEMU always maps to fixed locations, so we can skip this: 235 235 - cur_loc -= afl_start_code; */ 236 236 - 237 237 - /* Instruction addresses may be aligned. Let's mangle the value to get 238 238 - something quasi-uniform. */ 239 239 - 240 240 - cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 241 241 - cur_loc &= MAP_SIZE - 1; 242 242 - 243 243 - /* Implement probabilistic instrumentation by looking at scrambled block 244 244 - address. This keeps the instrumented locations stable across runs. */ 245 245 - 246 246 - if (cur_loc >= afl_inst_rms) return; 247 247 - 248 248 - afl_area_ptr[cur_loc ^ prev_loc]++; 249 249 - prev_loc = cur_loc >> 1; 250 250 - 251 251 - } 252 252 - 253 253 - 254 254 - /* This code is invoked whenever QEMU decides that it doesn't have a 255 255 - translation of a particular block and needs to compute it. When this happens, 256 256 - we tell the parent to mirror the operation, so that the next fork() has a 257 257 - cached copy. */ 258 258 - 259 259 - static void afl_request_tsl(target_ulong pc, target_ulong cb, uint64_t flags) { 260 260 - 261 261 - struct afl_tsl t; 262 262 - 263 263 - if (!afl_fork_child) return; 264 264 - 265 265 - t.pc = pc; 266 266 - t.cs_base = cb; 267 267 - t.flags = flags; 268 268 - 269 269 - if (write(TSL_FD, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) 270 270 - return; 271 271 - 272 272 - } 273 273 - 274 274 - 275 275 - /* This is the other side of the same channel. Since timeouts are handled by 276 276 - afl-fuzz simply killing the child, we can just wait until the pipe breaks. */ 277 277 - 278 278 - static void afl_wait_tsl(CPUArchState *env, int fd) { 279 279 - 280 280 - struct afl_tsl t; 281 281 - 282 282 - while (1) { 283 283 - 284 284 - /* Broken pipe means it's time to return to the fork server routine. */ 285 285 - 286 286 - if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) 287 287 - break; 288 288 - 289 289 - tb_find_slow(env, t.pc, t.cs_base, t.flags); 290 290 - 291 291 - } 292 292 - 293 293 - close(fd); 294 294 - 295 295 - } 296 296 -

-79

pkgs/tools/security/afl/qemu-patches/afl-types.h

··· 1 1 - /* 2 2 - american fuzzy lop - type definitions and minor macros 3 3 - ------------------------------------------------------ 4 4 - 5 5 - Written and maintained by Michal Zalewski <lcamtuf@google.com> 6 6 - 7 7 - Copyright 2013, 2014, 2015 Google Inc. All rights reserved. 8 8 - 9 9 - Licensed under the Apache License, Version 2.0 (the "License"); 10 10 - you may not use this file except in compliance with the License. 11 11 - You may obtain a copy of the License at: 12 12 - 13 13 - http://www.apache.org/licenses/LICENSE-2.0 14 14 - 15 15 - */ 16 16 - 17 17 - #ifndef _HAVE_TYPES_H 18 18 - #define _HAVE_TYPES_H 19 19 - 20 20 - #include <stdint.h> 21 21 - #include <stdlib.h> 22 22 - 23 23 - typedef uint8_t u8; 24 24 - typedef uint16_t u16; 25 25 - typedef uint32_t u32; 26 26 - 27 27 - /* 28 28 - 29 29 - Ugh. There is an unintended compiler / glibc #include glitch caused by 30 30 - combining the u64 type an %llu in format strings, necessitating a workaround. 31 31 - 32 32 - In essence, the compiler is always looking for 'unsigned long long' for %llu. 33 33 - On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to 34 34 - 'unsigned long long' in <bits/types.h>, so everything checks out. 35 35 - 36 36 - But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'. 37 37 - Now, it only happens in circumstances where the type happens to have the 38 38 - expected bit width, *but* the compiler does not know that... and complains 39 39 - about 'unsigned long' being unsafe to pass to %llu. 40 40 - 41 41 - */ 42 42 - 43 43 - #ifdef __x86_64__ 44 44 - typedef unsigned long long u64; 45 45 - #else 46 46 - typedef uint64_t u64; 47 47 - #endif /* ^sizeof(...) */ 48 48 - 49 49 - typedef int8_t s8; 50 50 - typedef int16_t s16; 51 51 - typedef int32_t s32; 52 52 - typedef int64_t s64; 53 53 - 54 54 - #ifndef MIN 55 55 - # define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) 56 56 - # define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) 57 57 - #endif /* !MIN */ 58 58 - 59 59 - #define SWAP16(_x) ({ \ 60 60 - u16 _ret = (_x); \ 61 61 - (u16)((_ret << 8) | (_ret >> 8)); \ 62 62 - }) 63 63 - 64 64 - #define SWAP32(_x) ({ \ 65 65 - u32 _ret = (_x); \ 66 66 - (u32)((_ret << 24) | (_ret >> 24) | \ 67 67 - ((_ret << 8) & 0x00FF0000) | \ 68 68 - ((_ret >> 8) & 0x0000FF00)); \ 69 69 - }) 70 70 - 71 71 - #define R(x) (random() % (x)) 72 72 - 73 73 - #define STRINGIFY_INTERNAL(x) #x 74 74 - #define STRINGIFY(x) STRINGIFY_INTERNAL(x) 75 75 - 76 76 - #define MEM_BARRIER() \ 77 77 - asm volatile("" ::: "memory") 78 78 - 79 79 - #endif /* ! _HAVE_TYPES_H */

-33

pkgs/tools/security/afl/qemu-patches/cpu-exec.patch

··· 1 1 - --- qemu-2.3.0/cpu-exec.c.orig 2014-12-09 14:45:40.000000000 +0000 2 2 - +++ qemu-2.3.0/cpu-exec.c 2015-02-20 22:07:02.966000000 +0000 3 3 - @@ -28,6 +28,8 @@ 4 4 - #include "exec/memory-internal.h" 5 5 - #include "qemu/rcu.h" 6 6 - 7 7 - +#include "afl-qemu-cpu-inl.h" 8 8 - + 9 9 - /* -icount align implementation. */ 10 10 - 11 11 - typedef struct SyncClocks { 12 12 - @@ -296,8 +298,11 @@ 13 13 - } 14 14 - not_found: 15 15 - /* if no translated code available, then translate it now */ 16 16 - + 17 17 - tb = tb_gen_code(cpu, pc, cs_base, flags, 0); 18 18 - 19 19 - + AFL_QEMU_CPU_SNIPPET1; 20 20 - + 21 21 - found: 22 22 - /* Move the last found TB to the head of the list */ 23 23 - if (likely(*ptb1)) { 24 24 - @@ -492,6 +497,9 @@ 25 25 - next_tb = 0; 26 26 - tcg_ctx.tb_ctx.tb_invalidated_flag = 0; 27 27 - } 28 28 - + 29 29 - + AFL_QEMU_CPU_SNIPPET2; 30 30 - + 31 31 - if (qemu_loglevel_mask(CPU_LOG_EXEC)) { 32 32 - qemu_log("Trace %p [" TARGET_FMT_lx "] %s\n", 33 33 - tb->tc_ptr, tb->pc, lookup_symbol(tb->pc));

-32

pkgs/tools/security/afl/qemu-patches/elfload.patch

··· 1 1 - --- qemu-2.3.0/linux-user/elfload.c.orig 2014-12-09 14:45:42.000000000 +0000 2 2 - +++ qemu-2.3.0/linux-user/elfload.c 2015-01-28 02:51:23.719000000 +0000 3 3 - @@ -28,6 +28,8 @@ 4 4 - 5 5 - #define ELF_OSABI ELFOSABI_SYSV 6 6 - 7 7 - +extern abi_ulong afl_entry_point, afl_start_code, afl_end_code; 8 8 - + 9 9 - /* from personality.h */ 10 10 - 11 11 - /* 12 12 - @@ -1889,6 +1891,8 @@ 13 13 - info->brk = 0; 14 14 - info->elf_flags = ehdr->e_flags; 15 15 - 16 16 - + if (!afl_entry_point) afl_entry_point = info->entry; 17 17 - + 18 18 - for (i = 0; i < ehdr->e_phnum; i++) { 19 19 - struct elf_phdr *eppnt = phdr + i; 20 20 - if (eppnt->p_type == PT_LOAD) { 21 21 - @@ -1922,9 +1926,11 @@ 22 22 - if (elf_prot & PROT_EXEC) { 23 23 - if (vaddr < info->start_code) { 24 24 - info->start_code = vaddr; 25 25 - + if (!afl_start_code) afl_start_code = vaddr; 26 26 - } 27 27 - if (vaddr_ef > info->end_code) { 28 28 - info->end_code = vaddr_ef; 29 29 - + if (!afl_end_code) afl_end_code = vaddr_ef; 30 30 - } 31 31 - } 32 32 - if (elf_prot & PROT_WRITE) {

+5 -6

pkgs/tools/security/afl/qemu-patches/no-etc-install.patch

··· 2 2 index d6b9dc1..ce7c493 100644 3 3 --- a/Makefile 4 4 +++ b/Makefile 5 5 - @@ -384,8 +384,7 @@ install-confdir: 6 6 - install-sysconfig: install-datadir install-confdir 7 7 - $(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(qemu_confdir)" 5 5 + @@ -601,7 +601,7 @@ install-localstatedir: 6 6 + endif 7 7 + 8 8 9 9 - -install: all $(if $(BUILD_DOCS),install-doc) install-sysconfig \ 10 10 - -install-datadir install-localstatedir 9 9 + -install: all $(if $(BUILD_DOCS),install-doc) install-datadir install-localstatedir 11 10 +install: all $(if $(BUILD_DOCS),install-doc) install-datadir 12 11 ifneq ($(TOOLS),) 13 13 - $(call install-prog,$(TOOLS),$(DESTDIR)$(bindir)) 12 12 + $(call install-prog,$(subst qemu-ga,qemu-ga$(EXESUF),$(TOOLS)),$(DESTDIR)$(bindir)) 14 13 endif

+28

pkgs/tools/security/afl/qemu-patches/qemu-2.10.0-glibc-2.27.patch

··· 1 1 + A modified version of qemu commit 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 2 2 + diff --git a/configure b/configure 3 3 + index 9c8aa5a..99ccc17 100755 4 4 + --- a/configure 5 5 + +++ b/configure 6 6 + @@ -3855,7 +3855,7 @@ fi 7 7 + # check if memfd is supported 8 8 + memfd=no 9 9 + cat > $TMPC << EOF 10 10 + -#include <sys/memfd.h> 11 11 + +#include <sys/mman.h> 12 12 + 13 13 + int main(void) 14 14 + { 15 15 + diff --git a/util/memfd.c b/util/memfd.c 16 16 + index 4571d1a..412e94a 100644 17 17 + --- a/util/memfd.c 18 18 + +++ b/util/memfd.c 19 19 + @@ -31,9 +31,7 @@ 20 20 + 21 21 + #include "qemu/memfd.h" 22 22 + 23 23 + -#ifdef CONFIG_MEMFD 24 24 + -#include <sys/memfd.h> 25 25 + -#elif defined CONFIG_LINUX 26 26 + +#if defined CONFIG_LINUX && !defined CONFIG_MEMFD 27 27 + #include <sys/syscall.h> 28 28 + #include <asm/unistd.h>

-121

pkgs/tools/security/afl/qemu-patches/qemu-2.3.0-glibc-2.26.patch

··· 1 1 - diff --git a/user-exec.c b/user-exec.c 2 2 - index 8f57e8a..957f9f7 100644 3 3 - --- a/user-exec.c 4 4 - +++ b/user-exec.c 5 5 - @@ -57,7 +57,7 @@ static void exception_action(CPUState *cpu) 6 6 - void cpu_resume_from_signal(CPUState *cpu, void *puc) 7 7 - { 8 8 - #ifdef __linux__ 9 9 - - struct ucontext *uc = puc; 10 10 - + ucontext_t *uc = puc; 11 11 - #elif defined(__OpenBSD__) 12 12 - struct sigcontext *uc = puc; 13 13 - #endif 14 14 - @@ -171,7 +171,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 15 15 - #elif defined(__OpenBSD__) 16 16 - struct sigcontext *uc = puc; 17 17 - #else 18 18 - - struct ucontext *uc = puc; 19 19 - + ucontext_t *uc = puc; 20 20 - #endif 21 21 - unsigned long pc; 22 22 - int trapno; 23 23 - @@ -226,7 +226,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 24 24 - #elif defined(__OpenBSD__) 25 25 - struct sigcontext *uc = puc; 26 26 - #else 27 27 - - struct ucontext *uc = puc; 28 28 - + ucontext_t *uc = puc; 29 29 - #endif 30 30 - 31 31 - pc = PC_sig(uc); 32 32 - @@ -288,7 +288,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 33 33 - 34 34 - #ifdef __APPLE__ 35 35 - #include <sys/ucontext.h> 36 36 - -typedef struct ucontext SIGCONTEXT; 37 37 - +typedef ucontext_t SIGCONTEXT; 38 38 - /* All Registers access - only for local access */ 39 39 - #define REG_sig(reg_name, context) \ 40 40 - ((context)->uc_mcontext->ss.reg_name) 41 41 - @@ -331,7 +331,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 42 42 - #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) 43 43 - ucontext_t *uc = puc; 44 44 - #else 45 45 - - struct ucontext *uc = puc; 46 46 - + ucontext_t *uc = puc; 47 47 - #endif 48 48 - unsigned long pc; 49 49 - int is_write; 50 50 - @@ -358,7 +358,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 51 51 - void *puc) 52 52 - { 53 53 - siginfo_t *info = pinfo; 54 54 - - struct ucontext *uc = puc; 55 55 - + ucontext_t *uc = puc; 56 56 - uint32_t *pc = uc->uc_mcontext.sc_pc; 57 57 - uint32_t insn = *pc; 58 58 - int is_write = 0; 59 59 - @@ -456,7 +456,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 60 60 - #if defined(__NetBSD__) 61 61 - ucontext_t *uc = puc; 62 62 - #else 63 63 - - struct ucontext *uc = puc; 64 64 - + ucontext_t *uc = puc; 65 65 - #endif 66 66 - unsigned long pc; 67 67 - int is_write; 68 68 - @@ -483,7 +483,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 69 69 - int cpu_signal_handler(int host_signum, void *pinfo, void *puc) 70 70 - { 71 71 - siginfo_t *info = pinfo; 72 72 - - struct ucontext *uc = puc; 73 73 - + ucontext_t *uc = puc; 74 74 - uintptr_t pc = uc->uc_mcontext.pc; 75 75 - uint32_t insn = *(uint32_t *)pc; 76 76 - bool is_write; 77 77 - @@ -512,7 +512,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 78 78 - void *puc) 79 79 - { 80 80 - siginfo_t *info = pinfo; 81 81 - - struct ucontext *uc = puc; 82 82 - + ucontext_t *uc = puc; 83 83 - unsigned long pc; 84 84 - int is_write; 85 85 - 86 86 - @@ -534,7 +534,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 87 87 - int cpu_signal_handler(int host_signum, void *pinfo, void *puc) 88 88 - { 89 89 - siginfo_t *info = pinfo; 90 90 - - struct ucontext *uc = puc; 91 91 - + ucontext_t *uc = puc; 92 92 - unsigned long ip; 93 93 - int is_write = 0; 94 94 - 95 95 - @@ -565,7 +565,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 96 96 - void *puc) 97 97 - { 98 98 - siginfo_t *info = pinfo; 99 99 - - struct ucontext *uc = puc; 100 100 - + ucontext_t *uc = puc; 101 101 - unsigned long pc; 102 102 - uint16_t *pinsn; 103 103 - int is_write = 0; 104 104 - @@ -618,7 +618,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 105 105 - void *puc) 106 106 - { 107 107 - siginfo_t *info = pinfo; 108 108 - - struct ucontext *uc = puc; 109 109 - + ucontext_t *uc = puc; 110 110 - greg_t pc = uc->uc_mcontext.pc; 111 111 - int is_write; 112 112 - 113 113 - @@ -634,7 +634,7 @@ int cpu_signal_handler(int host_signum, void *pinfo, 114 114 - void *puc) 115 115 - { 116 116 - siginfo_t *info = pinfo; 117 117 - - struct ucontext *uc = puc; 118 118 - + ucontext_t *uc = puc; 119 119 - unsigned long pc = uc->uc_mcontext.sc_iaoq[0]; 120 120 - uint32_t insn = *(uint32_t *)pc; 121 121 - int is_write = 0;

-25

pkgs/tools/security/afl/qemu-patches/syscall.patch

··· 1 1 - --- qemu-2.3.0/linux-user/syscall.c.orig 2014-12-09 14:45:43.000000000 +0000 2 2 - +++ qemu-2.3.0/linux-user/syscall.c 2015-03-27 06:33:00.736000000 +0000 3 3 - @@ -227,7 +227,21 @@ 4 4 - _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo) 5 5 - _syscall3(int,sys_syslog,int,type,char*,bufp,int,len) 6 6 - #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill) 7 7 - -_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig) 8 8 - + 9 9 - +extern unsigned int afl_forksrv_pid; 10 10 - + 11 11 - +static int sys_tgkill(int tgid, int pid, int sig) { 12 12 - + 13 13 - + /* Workaround for -lpthread to make abort() work properly, without 14 14 - + killing the forkserver due to a prematurely cached PID. */ 15 15 - + 16 16 - + if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) 17 17 - + pid = tgid = getpid(); 18 18 - + 19 19 - + return syscall(__NR_sys_tgkill, pid, tgid, sig); 20 20 - + 21 21 - +} 22 22 - + 23 23 - #endif 24 24 - #if defined(TARGET_NR_tkill) && defined(__NR_tkill) 25 25 - _syscall2(int,sys_tkill,int,tid,int,sig)

-18

pkgs/tools/security/afl/qemu-patches/translate-all.patch

··· 1 1 - --- qemu-2.3.0/translate-all.c.orig 2014-12-09 14:45:46.000000000 +0000 2 2 - +++ qemu-2.3.0/translate-all.c 2015-01-28 22:37:42.383000000 +0000 3 3 - @@ -393,8 +393,13 @@ 4 4 - /* We can't use g_malloc because it may recurse into a locked mutex. */ 5 5 - # define ALLOC(P, SIZE) \ 6 6 - do { \ 7 7 - - P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ 8 8 - - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ 9 9 - + void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ 10 10 - + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ 11 11 - + if (_tmp == (void*)-1) { \ 12 12 - + qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \ 13 13 - + exit(1); \ 14 14 - + } \ 15 15 - + (P) = _tmp; \ 16 16 - } while (0) 17 17 - #else 18 18 - # define ALLOC(P, SIZE) \

+34 -30

pkgs/tools/security/afl/qemu.nix

··· 1 1 - { stdenv, fetchurl, python2, zlib, pkgconfig, glib, ncurses, perl 1 1 + { stdenv, fetchurl, afl, python2, zlib, pkgconfig, glib, ncurses, perl 2 2 , attr, libcap, vde2, texinfo, libuuid, flex, bison, lzo, snappy 3 3 , libaio, libcap_ng, gnutls, pixman, autoconf 4 4 , writeText ··· 7 7 with stdenv.lib; 8 8 9 9 let 10 10 - n = "qemu-2.3.0"; 11 11 - 12 12 - aflHeaderFile = writeText "afl-qemu-cpu-inl.h" 13 13 - (builtins.readFile ./qemu-patches/afl-qemu-cpu-inl.h); 14 14 - aflConfigFile = writeText "afl-config.h" 15 15 - (builtins.readFile ./qemu-patches/afl-config.h); 16 16 - aflTypesFile = writeText "afl-types.h" 17 17 - (builtins.readFile ./qemu-patches/afl-types.h); 18 18 - 10 10 + qemuName = "qemu-2.10.0"; 11 11 + aflName = afl.name; 19 12 cpuTarget = if stdenv.hostPlatform.system == "x86_64-linux" then "x86_64-linux-user" 20 13 else if stdenv.hostPlatform.system == "i686-linux" then "i386-linux-user" 21 14 else throw "afl: no support for ${stdenv.hostPlatform.system}!"; 22 15 in 23 16 stdenv.mkDerivation rec { 24 24 - name = "afl-${n}"; 17 17 + name = "afl-${qemuName}"; 25 18 26 26 - src = fetchurl { 27 27 - url = "http://wiki.qemu.org/download/${n}.tar.bz2"; 28 28 - sha256 = "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"; 29 29 - }; 19 19 + srcs = [ 20 20 + (fetchurl { 21 21 + url = "http://wiki.qemu.org/download/${qemuName}.tar.bz2"; 22 22 + sha256 = "0j3dfxzrzdp1w21k21fjvmakzc6lcha1rsclaicwqvbf63hkk7vy"; 23 23 + }) 24 24 + afl.src 25 25 + ]; 26 26 + 27 27 + sourceRoot = qemuName; 28 28 + 29 29 + postUnpack = '' 30 30 + cp ${aflName}/types.h $sourceRoot/afl-types.h 31 31 + substitute ${aflName}/config.h $sourceRoot/afl-config.h \ 32 32 + --replace "types.h" "afl-types.h" 33 33 + substitute ${aflName}/qemu_mode/patches/afl-qemu-cpu-inl.h $sourceRoot/afl-qemu-cpu-inl.h \ 34 34 + --replace "../../config.h" "afl-config.h" 35 35 + substituteInPlace ${aflName}/qemu_mode/patches/cpu-exec.diff \ 36 36 + --replace "../patches/afl-qemu-cpu-inl.h" "afl-qemu-cpu-inl.h" 37 37 + ''; 30 38 31 39 buildInputs = 32 40 [ python2 zlib pkgconfig glib pixman ncurses perl attr libcap ··· 37 45 38 46 enableParallelBuilding = true; 39 47 40 40 - patches = 41 41 - [ ./qemu-patches/elfload.patch 42 42 - ./qemu-patches/cpu-exec.patch 43 43 - ./qemu-patches/no-etc-install.patch 44 44 - ./qemu-patches/translate-all.patch 45 45 - ./qemu-patches/syscall.patch 46 46 - ./qemu-patches/qemu-2.3.0-glibc-2.26.patch 47 47 - ]; 48 48 - 49 49 - preConfigure = '' 50 50 - cp ${aflTypesFile} afl-types.h 51 51 - cp ${aflConfigFile} afl-config.h 52 52 - cp ${aflHeaderFile} afl-qemu-cpu-inl.h 53 53 - ''; 48 48 + patches = [ 49 49 + # patches extracted from afl source 50 50 + "../${aflName}/qemu_mode/patches/cpu-exec.diff" 51 51 + "../${aflName}/qemu_mode/patches/elfload.diff" 52 52 + "../${aflName}/qemu_mode/patches/syscall.diff" 53 53 + # nix-specific patches to make installation more well-behaved 54 54 + ./qemu-patches/no-etc-install.patch 55 55 + ./qemu-patches/qemu-2.10.0-glibc-2.27.patch 56 56 + ]; 54 57 55 58 configureFlags = 56 59 [ "--disable-system" 57 60 "--enable-linux-user" 58 58 - "--enable-guest-base" 59 61 "--disable-gtk" 60 62 "--disable-sdl" 61 63 "--disable-vnc" 62 64 "--target-list=${cpuTarget}" 65 65 + "--enable-pie" 66 66 + "--enable-kvm" 63 67 "--sysconfdir=/etc" 64 68 "--localstatedir=/var" 65 69 ];