2.44b

Author: mcarpenter

Diff for: afl-as.c

@@ -56,7 +56,8 @@ static u8*  modified_file;      /* Instrumented file for the real 'as'  */
 static u8   be_quiet,           /* Quiet mode (no stderr output)        */
             clang_mode,         /* Running in clang mode?               */
             pass_thru,          /* Just pass data through?              */
-            just_version;       /* Just show version?                   */
+            just_version,       /* Just show version?                   */
+            sanitizer;          /* Using ASAN / MSAN                    */
 
 static u32  inst_ratio = 100,   /* Instrumentation probability (%)      */
             as_par_cnt = 1;     /* Number of params to 'as'             */
@@ -454,7 +455,8 @@ static void add_instrumentation(void) {
                           pass_thru ? " (pass-thru mode)" : "");
     else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).",
              ins_lines, use_64bit ? "64" : "32",
-             getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
+             getenv("AFL_HARDEN") ? "hardened" : 
+             (sanitizer ? "ASAN/MSAN" : "non-hardened"),
              inst_ratio);
 
   }
@@ -521,7 +523,10 @@ int main(int argc, char** argv) {
      ASAN-specific branches. But we can probabilistically compensate for
      that... */
 
-  if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) inst_ratio /= 3;
+  if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) {
+    sanitizer = 1;
+    inst_ratio /= 3;
+  }
 
   if (!just_version) add_instrumentation();
 

Diff for: afl-showmap.c

@@ -64,7 +64,8 @@ static s32 shm_id;                    /* ID of the SHM region              */
 static u8  quiet_mode,                /* Hide non-essential messages?      */
            edges_only,                /* Ignore hit counts?                */
            cmin_mode,                 /* Generate output in afl-cmin mode? */
-           binary_mode;               /* Write output as a binary map      */
+           binary_mode,               /* Write output as a binary map      */
+           keep_cores;                /* Allow coredumps?                  */
 
 static volatile u8
            stop_soon,                 /* Ctrl-C pressed?                   */
@@ -285,9 +286,13 @@ static void run_target(char** argv) {
 
     }
 
-    r.rlim_max = r.rlim_cur = 0;
+    if (keep_cores) r.rlim_max = r.rlim_cur = 0;
+    else r.rlim_max = r.rlim_cur = RLIM_INFINITY;
+
     setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
 
+    if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
+
     execv(target_path, argv);
 
     *(u32*)trace_bits = EXEC_FAIL_SIG;
@@ -479,7 +484,8 @@ static void usage(u8* argv0) {
        "Other settings:\n\n"
 
        "  -q            - sink program's output and don't show messages\n"
-       "  -e            - show edge coverage only, ignore hit counts\n\n"
+       "  -e            - show edge coverage only, ignore hit counts\n"
+       "  -c            - allow core dumps\n\n"
 
        "This tool displays raw tuple data captured by AFL instrumentation.\n"
        "For additional help, consult %s/README.\n\n" cRST,
@@ -614,7 +620,7 @@ int main(int argc, char** argv) {
 
   doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
 
-  while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQb")) > 0)
+  while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQbc")) > 0)
 
     switch (opt) {
 
@@ -719,6 +725,12 @@ int main(int argc, char** argv) {
         binary_mode = 1;
         break;
 
+      case 'c':
+
+        if (keep_cores) FATAL("Multiple -c options not supported");
+        keep_cores = 1;
+        break;
+
       default:
 
         usage(argv[0]);

Diff for: config.h

@@ -21,7 +21,7 @@
 
 /* Version string: */
 
-#define VERSION             "2.43b"
+#define VERSION             "2.44b"
 
 /******************************************************
  *                                                    *

Diff for: docs/ChangeLog

@@ -16,6 +16,21 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.41b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.44b:
+--------------
+
+  - Added a visual indicator of ASAN / MSAN mode when compiling. Requested
+    by Jakub Wilk.
+
+  - Added support for afl-showmap coredumps (-c). Suggested by Jakub Wilk.
+
+  - Added LD_BIND_NOW=1 for afl-showmap by default. Although not really useful,
+    it reportedly helps reproduce some crashes. Suggested by Jakub Wilk.
+
+  - Added a note about allocator_may_return_null=1 not always working with
+    ASAN. Spotted by Jakub Wilk.
+
 --------------
 Version 2.43b:
 --------------

Diff for: docs/notes_for_asan.txt

@@ -113,7 +113,23 @@ emulation, so please do not try to use them with the -Q option; QEMU doesn't
 seem to appreciate the shadow VM trick used by these tools, and will likely
 just allocate all your physical memory, then crash.
 
-4) What about UBSAN?
+4) ASAN and OOM crashes
+-----------------------
+
+By default, ASAN treats memory allocation failures as fatal errors, immediately
+causing the program to crash. Since this is a departure from normal POSIX
+semantics (and creates the appearance of security issues in otherwise
+properly-behaving programs), we try to disable this by specifying 
+allocator_may_return_null=1 in ASAN_OPTIONS.
+
+Unfortunately, it's been reported that this setting still causes ASAN to
+trigger phantom crashes in situations where the standard allocator would
+simply return NULL. If this is interfering with your fuzzing jobs, you may
+want to cc: yourself on this bug:
+
+  https://bugs.llvm.org/show_bug.cgi?id=22026
+
+5) What about UBSAN?
 --------------------
 
 Some folks expressed interest in fuzzing with UBSAN. This isn't officially

Diff for: llvm_mode/afl-llvm-pass.so.cc

@@ -159,9 +159,9 @@ bool AFLCoverage::runOnModule(Module &M) {
 
     if (!inst_blocks) WARNF("No instrumentation targets found.");
     else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
-             inst_blocks,
-             getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
-             inst_ratio);
+             inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
+             ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
+              "ASAN/MSAN" : "non-hardened"), inst_ratio);
 
   }