From 000b282f92fd0ada04c737ce9e2a3d2b07ee93ab116f62e27e01604546fc54a5 Mon Sep 17 00:00:00 2001
From: Paolo Perego
Date: Tue, 21 Jan 2025 11:09:55 +0000
Subject: [PATCH] - Bump BuildRequires to llvm >= 17 - This fixes afl-clang-fast and afl-clang-lto on Tumbleweed (boo#1236169)
OBS-URL: https://build.opensuse.org/package/show/devel:tools/afl?expand=0&rev=182
---
 .gitattributes | 23 +
 .gitignore | 1 +
 afl-3.0c-fix-paths.patch | 31 +
 afl-rpmlintrc | 10 +
 afl.changes | 1946 ++++++++++++++++++++++++++++++++++++++
 afl.spec | 127 +++
 v4.21c.tar.gz | 3 +
 v4.30c.tar.gz | 3 +
 8 files changed, 2144 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 afl-3.0c-fix-paths.patch
 create mode 100644 afl-rpmlintrc
 create mode 100644 afl.changes
 create mode 100644 afl.spec
 create mode 100644 v4.21c.tar.gz
 create mode 100644 v4.30c.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/afl-3.0c-fix-paths.patch b/afl-3.0c-fix-paths.patch
new file mode 100644
index 0000000..1d73dd1
--- /dev/null
+++ b/afl-3.0c-fix-paths.patch
@@ -0,0 +1,31 @@
+Index: AFLplusplus-4.30c/GNUmakefile
+===================================================================
+--- AFLplusplus-4.30c.orig/GNUmakefile
++++ AFLplusplus-4.30c/GNUmakefile
+@@ -21,8 +21,8 @@ HASH=\#
+ 
+ PREFIX ?= /usr/local
+ BIN_PATH = $(PREFIX)/bin
+-HELPER_PATH = $(PREFIX)/lib/afl
+-DOC_PATH = $(PREFIX)/share/doc/afl
++HELPER_PATH = $(LIBEXEC_DIR)/afl
++DOC_PATH = $(DOC_DIR)/afl
+ MISC_PATH = $(PREFIX)/share/afl
+ MAN_PATH = $(PREFIX)/share/man/man8
+ INCLUDE_PATH = $(PREFIX)/include/afl
+Index: AFLplusplus-4.30c/GNUmakefile.llvm
+===================================================================
+--- AFLplusplus-4.30c.orig/GNUmakefile.llvm
++++ AFLplusplus-4.30c/GNUmakefile.llvm
+@@ -20,9 +20,9 @@
+ HASH=\#
+ 
+ PREFIX ?= /usr/local
+-HELPER_PATH ?= $(PREFIX)/lib/afl
++HELPER_PATH ?= $(LIBEXEC_DIR)/afl
+ BIN_PATH ?= $(PREFIX)/bin
+-DOC_PATH ?= $(PREFIX)/share/doc/afl
++DOC_PATH ?= $(DOC_DIR)/afl
+ MISC_PATH ?= $(PREFIX)/share/afl
+ MAN_PATH ?= $(PREFIX)/share/man/man8
+ 
diff --git a/afl-rpmlintrc b/afl-rpmlintrc
new file mode 100644
index 0000000..2a1f933
--- /dev/null
+++ b/afl-rpmlintrc
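Review bot: `HELPER_PATH = $(LIBEXEC_DIR)/afl` and `DOC_PATH = $(DOC_DIR)/afl` (and their `?=` twins in the GNUmakefile.llvm hunk) drop the `$(PREFIX)` fallback that the replaced lines had, and nothing in the patch defines LIBEXEC_DIR or DOC_DIR, so they presumably come from the make invocation in afl.spec, which is outside this chunk. If that assignment is ever omitted, make does not warn by default and HELPER_PATH silently expands to `/afl`, so the install step would write under an unintended path (likely `$DESTDIR/afl`) rather than failing loudly. Adding `LIBEXEC_DIR ?= $(PREFIX)/lib` and `DOC_DIR ?= $(PREFIX)/share/doc` right after `PREFIX ?= /usr/local` in both makefiles keeps the patch self-contained without changing what the spec produces. The file name says 3.0c while both Index: lines target AFLplusplus-4.30c; renaming the patch to match the tarball would make the next rebase less confusing.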
@@ -0,0 +1,10 @@
+# packages a number of fuzzed files as samples and test cases
+addFilter("arch-dependent-file-in-usr-share.*/usr/share/doc/packages/afl/vuln_samples")
+addFilter("arch-dependent-file-in-usr-share.*/usr/share/afl/testcases")
+addFilter("devel-file-in-non-devel-package.*/usr/share/afl/testcases")
+addFilter("binaryinfo-readelf-failed.*/usr/share/afl/testcases")
+addFilter("bad-crc-in-zip.*/usr/share/doc/packages/afl/vuln_samples/")
+addFilter("missing-PT_GNU_STACK-section.*/usr/share/doc/packages/afl/vuln_samples")
+addFilter("missing-PT_GNU_STACK-section.*/usr/share/afl/testcases")
+addFilter("statically-linked-binary.*/usr/share/doc/packages/afl/vuln_samples")
+addFilter("statically-linked-binary.*/usr/share/afl/testcases")
diff --git a/afl.changes b/afl.changes
new file mode 100644
index 0000000..e21b2a0
--- /dev/null
+++ b/afl.changes
@@ -0,0 +1,1946 @@ +------------------------------------------------------------------- +Tue Jan 21 10:07:57 UTC 2025 - Wolfgang Frisch + +- Bump BuildRequires to llvm >= 17 + - This fixes afl-clang-fast and afl-clang-lto on Tumbleweed (boo#1236169) + +------------------------------------------------------------------- +Tue Dec 3 14:59:59 UTC 2024 - Marcus Meissner + +- updated to 4.30c + - afl-gcc and afl-clang funcionality is now removed + - afl-fuzz: + - fastresume feature added. if you abort fuzzing and resume fuzzing + with `-i -` or `AFL_AUTORESUME=1` and the target binary has not changed + then a dump will be loaded and the calibration phase skipped. + to disable this feature set `AFL_NO_FASTRESUME=1` + zlib compression is used if zlib is found at compile time + - improved seed selection algorithm + - added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send() + function after the target has been restarted. + - because of bad math and undefined behaviour fixes we have to change + the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS** + - fixed custom_post_process for calibration + - fixes for AFL_EXIT_ON_TIME and AFL_EXIT_WHEN_DONE, changed behaviour of + AFL_EXIT_WHEN_DONE to finish when really done :-) + - frida_mode: + - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just + a function entry + - AFL_DEBUG is now the same as AFL_FRIDA_VERBOSE + - AFL_FRIDA_DEBUG_MAPS now works as expected + - qemu_mode: + - new hooks supported (optional), see qemu_mode/hooking_bridge - thanks to + @CowBoy4mH3LL + - unicorn_mode: + - fix install and forkserver (thanks aarnav!) + - pin unicorn version + - nyx_mode: + - bugfixes + - custom mutators: + - custom_send_tcp custom mutator added, thanks to @dergoegge + - afl-cc + - fix to support pointless changes in LLVM 20 + - new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla + AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. 
with + AFL_LLVM_INSTRUMENT=CLASSIC + - new compile time variable: `AFL_OPT_LEVEL` to set a specific optimization + level, default is `3` + - correctly explain how to get the correct map size for large targets + - small fix for weird LLVM defines in redhat + - code formatting updated to llvm 18 + - improved custom_mutators/aflpp/standalone/aflpp-standalone + - added custom_mutators/autotokens/standalone/autotokens-standalone + - AFL++ headers are now installed to $PREFIX/include/afl + +------------------------------------------------------------------- +Mon Jun 10 08:12:20 UTC 2024 - Marcus Meissner + +- updated to 4.21c + * afl-fuzz + - fixed a regression in afl-fuzz that resulted in a 5-10% performace loss + do a switch from gettimeofday() to clock_gettime() which should be rather + three times faster. The reason for this is unknown. + - new queue selection algorithm based on 2 core years of queue data + analysis. gives a noticable improvement on coverage although the results + seem counterintuitive :-) + - added AFL_DISABLE_REDUNDANT for huge queues + - added `AFL_NO_SYNC` environment variable that does what you think it does + - fix AFL_PERSISTENT_RECORD + - run custom_post_process after standard trimming + - prevent filenames in the queue that have spaces + - minor fix for FAST schedules + - more frequent stats update when syncing (todo: check performance impact) + - now timing of calibration, trimming and syncing is measured seperately, + thanks to @eqv! + - -V timing is now accurately the fuzz time (without syncing), before + long calibration times and syncing could result in now fuzzing being + made when the time was already run out until then, thanks to @eqv! 
+ - fix -n uninstrumented mode when ending fuzzing + - enhanced the ASAN configuration + - make afl-fuzz use less memory with cmplog and fix a memleak + * afl-cc: + - re-enable i386 support that was accidently disabled + - fixes for LTO and outdated afl-gcc mode for i386 + - fix COMPCOV split compare for old LLVMs + - disable xml/curl/g_ string transform functions because we do not check + for null pointers ... TODO + - ensure shared memory variables are visible in weird build setups + - compatability to new LLVM 19 changes + * afl-cmin + - work with input files that have a space + * afl-showmap + - fix memory leak on shmem testcase usage (thanks to @ndrewh) + - minor fix to collect coverage -C (thanks to @bet4it) + * Fixed a shmem mmap bug (that rarely came up on MacOS) + * libtokencap: script generate_libtoken_dict.sh added by @a-shvedov + +------------------------------------------------------------------- +Mon Apr 15 09:44:22 UTC 2024 - Marcus Meissner + +- updated to 4.20c + + A new forkserver communication model is now introduced. afl-fuzz is + backward compatible to old compiled targets if they are not built + for CMPLOG/Redqueen, but new compiled targets will not work with + old afl-fuzz versions! + + Recompile all targets that are instrumented for CMPLOG/Redqueen! + - AFL++ now supports up to 4 billion coverage edges, up from 6 million. + - New compile option: `make PERFORMANCE=1` - this will enable special + CPU dependent optimizations that make everything more performant - but + the binaries will likely won't work on different platforms. Also + enables a faster hasher if the CPU requirements are met. + - The persistent record feature (see config.h) was expanded to also + support replay, thanks to @quarta-qti ! + - afl-fuzz: + - the new deterministic fuzzing feature is now activated by default, + deactivate with -z. Parameters -d and -D are ignored. 
+ - small improvements to CMPLOG/redqueen + - workround for a bug with MOpt -L when used with -M - in the future + we will either remove or rewrite MOpt. + - fix for `-t xxx+` feature + - -e extension option now saves the queue items, crashes, etc. with the + extension too + - fixes for trimmming, correct -V time and reading stats on resume by eqv + thanks a lot! + - afl-cc: + - added collision free caller instrumentation to LTO mode. activate with + `AFL_LLVM_LTO_CALLER=1`. You can set a max depth to go through single + block functions with `AFL_LLVM_LTO_CALLER_DEPTH` (default 0) + - fixes for COMPCOV/LAF and most other modules + - fix for GCC_PLUGIN cmplog that broke on std::strings + - afl-whatsup: + - now also displays current average speed + - small bugfixes + - Fixes for aflpp custom mutator and standalone tool + - Minor edits to afl-persistent-config + - Prevent temporary files being left behind on aborted afl-whatsup + - More CPU benchmarks added to benchmark/ + +------------------------------------------------------------------- +Mon Feb 5 10:30:56 UTC 2024 - Marcus Meissner + +- updated to 4.10c + - afl-fuzz: + - default power schedule is now EXPLORE, due a fix in fast schedules + explore is slightly better now. + - fixed minor issues in the mutation engine, thanks to @futhewo for + reporting! + - better deterministic fuzzing is now available, benchmarks have shown + to improve fuzzing. Enable with -D. Thanks to @kdsjZh for the PR! + - afl-cc: + - large rewrite by @SonicStark which fixes a few corner cases, thanks! + - LTO mode now requires llvm 12+ + - workaround for ASAN with gcc_plugin mode + - instrumentation: + - LLVM 18 support, thanks to @devnexen! + - Injection (SQL, LDAP, XSS) fuzzing feature now available, see + `instrumentation/README.injections.md` how to activate/use/expand. + - compcov/LAF-intel: + - floating point splitting bug fix by @hexcoder + - due a bug in LLVM 17 integer splitting is disabled there! 
+ - when splitting floats was selected, integers were always split as well, + fixed to require AFL_LLVM_LAF_SPLIT_COMPARES or _ALL as it should + - dynamic instrumentation filtering for LLVM NATIVE, thanks @Mozilla! + see utils/dynamic_covfilter/README.md + - qemu_mode: + - plugins are now activated by default and a new module is included that + produces drcov compatible traces for lighthouse/lightkeeper/... + thanks to @JRomainG to submitting! + - updated Nyx checkout (fixes a bug) and some QOL + - updated the custom grammar mutator + - document afl-cmin does not work on macOS (but afl-cmin.bash does) + +------------------------------------------------------------------- +Sun Dec 17 12:08:00 UTC 2023 - Marcus Meissner + +- updated to 4.09c + - afl-fuzz: + - fixed the new mutation implementation for two bugs + - added `AFL_FINAL_SYNC` which forces a final fuzzer sync (also for `-F`) + before terminating. + - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead + of exiting with an error message + - allow -S/-M naming up to 50 characters (from 24) + - CMPLOG: + - added scale support (-l S) + - skip unhelpful insertions (u8) + - added --version and --help command line parameters + - fixed endless loop when reading malformed dictionaries + - new custom mutator function: post_run - thanks to yangzao! + - afl-whatsup: + - detect instanced that are starting up and show them as such as not dead + - now also shows coverage reached + - option -m shows only very relevant stats + - option -n will not use color in the output + - instrumentation: + - fix for a few string compare transform functions for LAF + - we are instrumenting __cxx internal functions again. this might break + a few targets, please report if so. 
+ - frida_mode: + - fixes support for large map offsets + - support for AFL_FUZZER_LOOPCOUNT for afl.rs and LLVMFuzzerTestOneInput + - afl-cmin/afl-cmin.bash: prevent unneeded file errors + - added new tool afl-addseeds that adds new seeds to a running campaign + - added benchmark/benchmark.py if you want to see how good your fuzzing + speed is in comparison to other setups. + +------------------------------------------------------------------- +Fri Aug 11 08:06:00 UTC 2023 - Marcus Meissner + +- updated to 4.08c + - afl-fuzz: + - new mutation engine: mutations that favor discovery more paths are + prefered until no new finds for 10 minutes then switching to mutations + that favor triggering crashes. Modes and switch time can be configured + with `-P`. Also input mode for the target can be defined with `-a` to + be `text` or `binary` (defaults to `generic`) + - new custom mutator that has the new afl++ engine (so it can easily + incorporated into new custom mutators), and also comes with a standalone + command line tool! See custom_mutators/aflpp/standalone/ + - display the state of the fuzzing run in the UI :-) + - fix timeout setting if '+' is used or a session is restarted + - -l X option to enable base64 transformation solving + - allow to disable CMPLOG with '-c -' (e.g. afl.rs enforces '-c 0' on + every instance which is counterproductive). + - afl-cmin/afl-cmin.bash: + - fixed a bug inherited from vanilla AFL where a coverage of + map[123] = 11 would be the same as map[1123] = 1 + - warn on crashing inputs + - adjust threads if less inputs than threads specified + - afl-cc: + - fixed an off-by-one instrumentation of iselect, hurting coverage a bit. + Thanks to @amykweon for spotting and fixing! + - @toka fixed a bug in laf-intel signed integer comparison splitting, + thanks a lot!! 
+ - more LLVM compatability + - frida_mode: + - support for long form instrumentation on x86_x64 and arm64 + - renamed utils/get_symbol_addr.sh to utils/frida_get_symbol_addr.sh + - qemu_mode: + - added qemu_mode/utils/qemu_get_symbol_addr.sh + +------------------------------------------------------------------- +Mon Jun 12 11:31:30 UTC 2023 - Marcus Meissner + +- updated to 4.07c + - afl-fuzz: + - reverse reading the seeds only on restarts (increases performance) + - new env `AFL_POST_PROCESS_KEEP_ORIGINAL` to keep the orignal + data before post process on finds (for atnwalk custom mutator) + - new env `AFL_IGNORE_PROBLEMS_COVERAGE` to ignore coverage from + loaded libs after forkserver initialization (required by Mozilla) + - afl-cc: + - added @responsefile support + - new env `AFL_LLVM_LTO_SKIPINIT` to support the AFL++ based WASM + (https://github.com/fgsect/WAFL) project + - error and print help if afl-clan-lto is used with lto=thin + - rewrote our PCGUARD pass to be compatible with LLVM 15+ shenanigans, + requires LLVM 13+ now instead of 10.0.1+ + - fallback to native LLVM PCGUARD if our PCGUARD is unavailable + - fixed a crash in GCC CMPLOG + - afl-showmap: + - added custom mutator post_process and send support + - add `-I filelist` option, an alternative to `-i in_dir` + - afl-cmin + afl-cmin.bash: + - `-T threads` parallel task support, can be a huge speedup! + - qemu_mode: + - Persistent mode + QASAN support for ppc32 targets by @worksbutnottested + - a new grammar custom mutator atnwalk was submitted by @voidptr127 ! 
+ - two new custom mutators are now available: + - TritonDSE in custom_mutators/aflpp_tritondse + - SymQEMU in custom_mutators/symqemu +- removed ppc64le condition (failed parsing), we have no 32bit ppc64le + +------------------------------------------------------------------- +Mon Apr 17 09:26:21 UTC 2023 - Marcus Meissner + +- updated to 4.06c + - afl-fuzz: + - ensure temporary file descriptor is closed when not used + - added `AFL_NO_WARN_INSTABILITY` + - added time_wo_finds to fuzzer_stats + - fixed a crash in pizza (1st april easter egg) mode. Sorry for + everyone who was affected! + - allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1 + - option `-p mmopt` now also selects new queue items more often + - fix bug in post_process custom mutator implementation + - print name of custom mutator in UI + - slight changes that improve fuzzer performance + - afl-cc: + - add CFI sanitizer variant to gcc targets + - llvm 16 + 17 support (thanks to @devnexen!) + - support llvm 15 native pcguard changes + - support for LLVMFuzzerTestOneInput -1 return + - LTO autoken and llvm_mode: added AFL_LLVM_DICT2FILE_NO_MAIN support + - qemu_mode: + - fix _RANGES envs to allow hyphens in the filenames + - basic riscv support + - frida_mode: + - added `AFL_FRIDA_STATS_INTERVAL` + - fix issue on MacOS + - unicorn_mode: + - updated and minor issues fixed + - nyx_mode support for all tools + - better sanitizer default options support for all tools + - new custom module: autotoken, a grammar free fuzzer for text inputs + - fixed custom mutator C examples + - more minor fixes and cross-platform support + +------------------------------------------------------------------- +Wed Apr 12 09:26:02 UTC 2023 - Dominique Leuenberger + +- Pin to llvm15 for the time being: code fails to build with + llvm16. 
+ +------------------------------------------------------------------- +Thu Jan 5 15:33:51 UTC 2023 - Marcus Meissner + +- updated to 4.05c + - afl-fuzz: + - added afl_custom_fuzz_send custom mutator feature. Now your can + send fuzz data to the target as you need, e.g. via IPC. + - cmplog mode now has a -l R option for random colorization, thanks + to guyf2010 for the PR! + - queue statistics are written every 30 minutes to + out/NAME/queue_data if compiled with INTROSPECTION + - new env: AFL_FORK_SERVER_KILL_SIGNAL + - afl-showmap/afl-cmin + - `-t none` now translates to `-t 120000` (120 seconds) + - unicorn_mode updated + - updated rust custom mutator dependencies and LibAFL custom mutator + - several minor bugfixes + +------------------------------------------------------------------- +Sat Oct 22 14:15:36 UTC 2022 - Andreas Schwab + +- Update file list for riscv64 + +------------------------------------------------------------------- +Fri Oct 21 14:28:09 UTC 2022 - Marcus Meissner + +- updated to 4.04c + - fix gramatron and grammar_mutator build scripts + - enhancements to the afl-persistent-config and afl-system-config + - scripts + - afl-fuzz: + - force writing all stats on exit + - afl-cc: + - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 + - qemu_mode: + - fixed 10x speed degredation in v4.03c + - added qemu_mode/fastexit helper library + - unicorn_mode: + - Enabled tricore arch (by @jma-qb) + - Updated Capstone version in Rust bindings + - llvm-mode: + - AFL runtime will always pass inputs via shared memory, when possible, + ignoring the command line. + +------------------------------------------------------------------- +Tue Sep 20 15:50:19 UTC 2022 - Marcus Meissner + +- updated to 4.03c + - Building now gives a build summary what succeeded and what not + - afl-fuzz: + - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead + of calibrating all initial seeds first. 
Good for large queues + and long execution times, especially in CIs. + - default calibration cycles set to 7 from 8, and only add 5 cycles + to variables queue items instead of 12. + - afl-cc: + - fixed off-by-one bug in our pcguard implemenation, thanks for + @tokatoka for reporting + - fix for llvm 15 and reenabling LTO, thanks to nikic for the PR! + - better handling of -fsanitize=..,...,.. lists + - support added for LLVMFuzzerRunDriver() + - fix gcc_mode cmplog + - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1 + note that this will exit the target before main() + - qemu_mode: + - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable + edges (together with AFL_DEBUG=1 afl-fuzz). thanks to + worksbutnottested! + - afl-analyze broke at some point, fix by CodeLogicError, thank you! + - afl-cmin/afl-cmin.bash now have an -A option to allow also crashing + and timeout inputs + - unicorn_mode: + - updated upstream unicorn version + - fixed builds for aarch64 + - build now uses all available cores + +------------------------------------------------------------------- +Sat Aug 20 11:55:57 UTC 2022 - Marcus Meissner + +- updated to 4.02c + - afl-cc: + - important fix for the default pcguard mode when LLVM IR vector + selects are produced, thanks to @juppytt for reporting! + - gcc_plugin: + - Adacore submitted CMPLOG support to the gcc_plugin! :-) + - llvm_mode: + - laf cmp splitting fixed for more comparison types + - frida_mode: + - now works on Android! 
+ - afl-fuzz: + - change post_process hook to allow returning NULL and 0 length to + tell afl-fuzz to skip this mutated input + +------------------------------------------------------------------- +Tue Jun 28 14:32:52 UTC 2022 - Marcus Meissner + +- updated to 4.01c + - fixed */build_...sh scripts to work outside of git + - new custom_mutator: libafl with token fuzzing :) + - afl-fuzz: + - when you just want to compile once and set CMPLOG, then just + set -c 0 to tell afl-fuzz that the fuzzing binary is also for + CMPLOG. + - new commandline options -g/G to set min/max length of generated + fuzz inputs + - you can set the time for syncing to other fuzzer now with + AFL_SYNC_TIME + - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow + persistent mode and manual forkserver support if these are not + in the target binary (e.g. are in a shared library) + - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as + possible in the target (for afl-gcc-fast/afl-clang-fast/ + afl-clang-lto) + - "saved timeouts" was wrong information, timeouts are still thrown + away by default even if they have new coverage (hangs are always + kept), unless AFL_KEEP_TIMEOUTS are set + - AFL never implemented auto token inserts (but user token inserts, + user token overwrite and auto token overwrite), added now! + - fixed a mutation type in havoc mode + - Mopt fix to always select the correct algorithm + - fix effector map calculation (deterministic mode) + - fix custom mutator post_process functionality + - document and auto-activate pizza mode on condition + - afl-cc: + - due a bug in lld of llvm 15 LTO instrumentation wont work atm :-( + - converted all passed to use the new llvm pass manager for llvm 11+ + - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only) + - trying to stay on top on all these #$&ยง!! changes in llvm 15 ... 
+ - frida_mode: + - update to new frida release, handles now c++ throw/catch + - unicorn_mode: + - update unicorn engine, fix C example + - utils: + - removed optimin because it looses coverage due to a bug and is + unmaintained :-( +- removed upstream llvm14-fix-build.patch +------------------------------------------------------------------- +Sat Jun 4 13:26:34 UTC 2022 - Aaron Puchert + +- Add llvm14-fix-build.patch: fix build with LLVM 14. + +------------------------------------------------------------------- +Wed Feb 23 22:21:07 UTC 2022 - Aaron Puchert + +- Fix build with armv7l on Leap: we have afl-llvm-rt-lto{,-32}.o. +- Fix build with ppc64le: we don't seem to have the 32-bit object + files available there and there is also no gcc-32bit. + +------------------------------------------------------------------- +Mon Jan 31 12:45:45 UTC 2022 - Marcus Meissner + +- updated to 4.00c + + - complete documentation restructuring, made possible by Google Season + of Docs :) thank you Jana! + - we renamed several UI and fuzzer_stat entries to be more precise, + e.g. "unique crashes" -> "saved crashes", "total paths" -> + "corpus count", "current path" -> "current item". + This might need changing custom scripting! + - Nyx mode (full system emulation with snapshot capability) has been + added - thanks to @schumilo and @eqv! + - unicorn_mode: + - Moved to unicorn2! by Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), risc-v support + - removed indirections in rust callbacks + - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) + thanks to RICSecLab submitting! + - if instrumented libaries are dlopen()'ed after the forkserver you + will now see a crash. Before you would have colliding coverage. + We changed this to force fixing a broken setup rather then allowing + ineffective fuzzing. + - See docs/best_practices.md how to fix such setups. 
+ - afl-fuzz: + - cmplog binaries will need to be recompiled for this version + (it is better!) + - fix a regression introduced in 3.10 that resulted in less + coverage being detected. thanks to Collin May for reporting! + - ensure all spawned targets are killed on exit + - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries + - fix -n dumb mode (nobody should use this mode though) + - fix stability issue with LTO and cmplog + - better banner + - more effective cmplog mode + - more often update the UI when in input2stage mode + - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov, + thanks to kotee4ko for reporting! + - frida_mode: + - better performance, bug fixes + - David Carlier added Android support :) + - afl-showmap, afl-tmin and afl-analyze: + - honor persistent mode for more speed. thanks to dloffre-snl + for reporting! + - fix bug where targets are not killed on timeouts + - moved hidden afl-showmap -A option to -H to be used for + coresight_mode + - Prevent accidentaly killing non-afl/fuzz services when aborting + afl-showmap and other tools. + - afl-cc: + - detect overflow reads on initial input buffer for asan + - new cmplog mode (incompatible with older afl++ versions) + - support llvm IR select instrumentation for default PCGUARD and LTO + - fix for shared linking on MacOS + - better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST + on filename matching (requires llvm 11 or newer) + - fixed a potential crash in targets for LAF string handling + - fixed a bad assert in LAF split switches + - added AFL_USE_TSAN thread sanitizer support + - llvm and LTO mode modified to work with new llvm 14-dev (again.) 
+ - fix for AFL_REAL_LD + - more -z defs filtering + - make -v without options work + - added the very good grammar mutator "GramaTron" to the + custom_mutators + - added optimin, a faster and better corpus minimizer by + Adrian Herrera. Thank you! + - added afl-persistent-config script to set perform permanent system + configuration settings for fuzzing, for Linux and Macos. + thanks to jhertz! + - added xml, curl & exotic string functions to llvm dictionary feature + - fix AFL_PRELOAD issues on MacOS + - removed utils/afl_frida because frida_mode/ is now so much better + - added uninstall target to makefile (todo: update new readme!) + +------------------------------------------------------------------- +Sun Sep 26 11:04:42 UTC 2021 - Marcus Meissner + +- enable gcc-plugin on factory +- build with 32bit plugins on x86_64 + +------------------------------------------------------------------- +Mon Jul 19 12:49:59 UTC 2021 - Marcus Meissner + +- updated to 3.14c + - afl-fuzz: + - fix -F when a '/' was part of the parameter + - fixed a crash for cmplog for very slow inputs + - fix for AFLfast schedule counting + - removed implied -D determinstic from -M main + - if the target becomes unavailable check out out/default/error.txt + for an indicator why + - AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL + - reverse read the queue on resumes (more effective) + - fix custom mutator trimming + - afl-cc: + - Update to COMPCOV/laf-intel that speeds up the instrumentation + process a lot - thanks to Michael Rodler/f0rki for the PR! 
+ - Fix for failures for some sized string instrumentations + - Fix to instrument global namespace functions in c++ + - Fix for llvm 13 + - support partial linking + - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE + - We do support llvm versions from 3.8 to 5.0 again + - frida_mode: + - several fixes for cmplog + - remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET + - less coverage collision + - feature parity of aarch64 with intel now (persistent, cmplog, + in-memory testcases, asan) + - afl-cmin and afl-showmap -i do now descend into subdirectories + (like afl-fuzz does) - note that afl-cmin.bash does not! + - afl_analyze: + - fix timeout handling + - add forkserver support for better performance + - ensure afl-compiler-rt is built for gcc_module + - always build aflpp_driver for libfuzzer harnesses + - added `AFL_NO_FORKSRV` env variable support to + afl-cmin, afl-tmin, and afl-showmap, by @jhertz + - removed outdated documents, improved existing documentation + +------------------------------------------------------------------- +Thu Jul 15 19:29:19 UTC 2021 - Peace Peters + +- s390x added to the compiler files + +------------------------------------------------------------------- +Tue Jun 8 09:06:11 UTC 2021 - Andreas Schwab + +- Fix filelist for riscv64 + +------------------------------------------------------------------- +Tue Jun 1 10:36:06 UTC 2021 - Marcus Meissner + +- updated to 3.13c + - Note: plot_data switched to relative time from unix time in 3.10 + - frida_mode - new mode that uses frida to fuzz binary-only targets, + it currently supports persistent mode and cmplog. + thanks to @WorksButNotTested! + - create a fuzzing dictionary with the help of CodeQL thanks to + @microsvuln! see utils/autodict_ql + - afl-fuzz: + - added patch by @realmadsci to support @@ as part of command line + options, e.g. `afl-fuzz ... 
-- ./target --infile=@@` + - add recording of previous fuzz attempts for persistent mode + to allow replay of non-reproducable crashes, see + AFL_PERSISTENT_RECORD in config.h and docs/envs.h + - fixed a bug when trimming for stdin targets + - cmplog -l: default cmplog level is now 2, better efficiency. + level 3 now performs redqueen on everything. use with care. + - better fuzzing strategy yield display for enabled options + - ensure one fuzzer sync per cycle + - fix afl_custom_queue_new_entry original file name when syncing + from fuzzers + - fixed a crash when more than one custom mutator was used together + with afl_custom_post_process + - on a crashing seed potentially the wrong input was disabled + - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in + -i dir crashes the target or results in a timeout. By default + afl++ ignores these and uses them for splicing instead. + - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing + after no new paths have been found for n seconds + - when AFL_FAST_CAL is set a variable path will now be calibrated + 8 times instead of originally 40. Long calibration is now 20. + - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if + it fails + - afl-cc: + - We do not support llvm versions prior 6.0 anymore + - added thread safe counters to all modes (`AFL_LLVM_THREADSAFE_INST`), + note that this disables NeverZero counters. + - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD + - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks! 
+ - Removed InsTrim instrumentation as it is not as good as PCGUARD + - Removed automatic linking with -lc++ for LTO mode + - Fixed a crash in llvm dict2file when a strncmp length was -1 + - added --afl-noopt support + - utils/aflpp_driver: + - aflpp_qemu_driver_hook fixed to work with qemu_mode + - aflpp_driver now compiled with -fPIC + - unicornafl: + - fix MIPS delay slot caching, thanks @JackGrence + - fixed aarch64 exit address + - execution no longer stops at address 0x0 + - updated afl-system-config to support Arch Linux weirdness and increase + MacOS shared memory + - updated the grammar custom mutator to the newest version + - add -d (add dead fuzzer stats) to afl-whatsup + - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the + current filename + - afl-showmap/cmin will now process queue items in alphabetical order + +------------------------------------------------------------------- +Fri Apr 9 12:25:49 UTC 2021 - Guillaume GARDET + +- Fix packaging for aarch64 and %arm + +------------------------------------------------------------------- +Sat Apr 3 23:31:18 UTC 2021 - Niklas Haas + +- install `afl-clang-lto`, recommended by upstream as the best variant + - add dependency on `lld` + - bump llvm-devel up to >= 11.0.0 +- fix /usr/bin/env path in afl.cmin scripts +- prevent stripping of runtime objects (fix bug 1184324) + +------------------------------------------------------------------- +Mon Mar 29 12:29:54 UTC 2021 - Guillaume GARDET + +- Fix packaging on aarch64 and %{arm} + +------------------------------------------------------------------- +Wed Mar 24 16:30:39 UTC 2021 - Marcus Meissner + +- updated to 3.12c + - afl-fuzz: + - added AFL_TARGET_ENV variable to pass extra env vars to the target + (for things like LD_LIBRARY_PATH) + - fix map detection, AFL_MAP_SIZE not needed anymore for most cases + - fix counting favorites (just a display thing) + - afl-cc: + - fix cmplog rtn (rare crash and not being able to gather ptr data) + - fix our own 
PCGUARD implementation to compile with llvm 10.0.1 + - link runtime not to shared libs + - ensure shared libraries are properly built and instrumented + - AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added + - show correct LLVM PCGUARD NATIVE mode when auto switching to it + and keep fsanitize-coverage-*list=... + Short mnemnonic NATIVE is now also accepted. + - qemu_mode (thanks @realmadsci): + - move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace + - add AFL_QEMU_CUSTOM_BIN + - unicorn_mode + - accidently removed the subfolder from github, re-added + - added DEFAULT_PERMISSION to config.h for all files created, default + to 0600 + +------------------------------------------------------------------- +Tue Mar 16 07:43:01 UTC 2021 - Marcus Meissner + +- updated to 3.11c + - afl-fuzz: + - better auto detection of map size + - fix sanitizer settings (bug since 3.10c) + - fix an off-by-one overwrite in cmplog + - add non-unicode variants from unicode-looking dictionary entries + - Rust custom mutator API improvements + - Imported crash stats painted yellow on resume (only new ones are red) + - afl-cc: + - added AFL_NOOPT that will just pass everything to the normal + gcc/clang compiler without any changes - to pass weird configure + scripts + - fixed a crash that can occur with ASAN + CMPLOG together plus + better support for unicode (thanks to @stbergmann for reporting!) + - fixed a crash in LAF transform for empty strings + - handle erroneous setups in which multiple afl-compiler-rt are + compiled into the target. This now also supports dlopen() + instrumented libs loaded before the forkserver and even after the + forkserver is started (then with collisions though) + - the compiler rt was added also in object building (-c) which + should have been fixed years ago but somewhere got lost :( + - Renamed CTX to CALLER, added correct/real CTX implementation to + CLASSIC + - qemu_mode: + - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks! 
+ - if no new/updated checkout is wanted, build with: + NO_CHECKOUT=1 ./build_qemu_support.sh + - we no longer perform a "git drop" + - afl-cmin: support filenames with spaces +- afl-3.0c-fix-paths.patch: refreshed + +------------------------------------------------------------------- +Mon Mar 1 09:43:40 UTC 2021 - Marcus Meissner + +- update to 3.10c + - Mac OS ARM64 support + - Android support fixed and updated by Joey Jiaojg - thanks! + - New selective instrumentation option with __AFL_COVERAGE_* commands + to be placed in the source code. + Check out instrumentation/README.instrument_list.md + - afl-fuzz + - Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on + start the target map size + - upgraded cmplog/redqueen: solving for floating point, solving + transformations (e.g. toupper, tolower, to/from hex, xor, + arithmetics, etc.). This is costly hence new command line option + `-l` that sets the intensity (values 1 to 3). Recommended is 2. + - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial seeds + from `-i` or resumes (these have most likely already been done) + - fix crash for very, very fast targets+systems (thanks to mhlakhani + for reporting) + - on restarts (`-i`)/autoresume (AFL_AUTORESUME) the stats are now + reloaded and used, thanks to Vimal Joseph for this patch! + - changed the meaning of '+' of the '-t' option, it now means to + auto-calculate the timeout with the value given being the max + timeout. The original meaning of skipping timeouts instead of + abort is now inherent to the -t option. 
+ - if deterministic mode is active (`-D`, or `-M` without `-d`) then + we sync after every queue entry as this can take very long time + otherwise + - added minimum SYNC_TIME to include/config.h (30 minutes default) + - better detection if a target needs a large shared map + - fix for `-Z` + - fixed a few crashes + - switched to an even faster RNG + - added hghwng's patch for faster trace map analysis + - printing suggestions for mistyped `AFL_` env variables + - added Rust bindings for custom mutators (thanks @julihoh) + - afl-cc + - allow instrumenting LLVMFuzzerTestOneInput + - fixed endless loop for allow/blocklist lines starting with a + comment (thanks to Zherya for reporting) + - cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit + - cmplog/redqueen can now process basic libc++ and libstdc++ + std::string comparisons (no position or length type variants) + - added support for __afl_coverage_interesting() for LTO and our + own PCGUARD (llvm 10.0.1+), read more about this function and + selective coverage in instrumentation/README.instrument_list.md + - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard + support (less performant than our own), GCC for old afl-gcc and + CLANG for old afl-clang + - fixed a potential crash in the LAF feature + - workaround for llvm bitcast lto bug + - workaround for llvm 13 + - qemuafl + - QASan (address sanitizer for Qemu) ported to qemuafl! 
+ See qemu_mode/libqasan/README.md + - solved some persistent mode bugs (thanks Dil4rd) + - solved an issue when dumping the memory maps (thanks wizche) + - Android support for QASan + - unicornafl + - Substantial speed gains in python bindings for certain use cases + - Improved rust bindings + - Added a new example harness to compare python, c and rust bindings + - afl-cmin and afl-showmap now support the -f option + - afl_plot now also generates a graph on the discovered edges + - changed default: no memory limit for afl-cmin and afl-cmin.bash + - warn on any _AFL and __AFL env vars. + - set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars + - added dummy Makefile to instrumentation/ + - Updated utils/afl_frida to be 5% faster, 7% on x86_x64 + - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b) + - @Edznux added a nice documentation on how to use rpc.statsd with + afl++ in docs/rpc_statsd.md, thanks! + +------------------------------------------------------------------- +Tue Dec 15 09:18:09 UTC 2020 - Marcus Meissner + +- updated to 3.0c + - llvm_mode/ and gcc_plugin/ moved to instrumentation/ + - examples/ renamed to utils/ + - moved libdislocator, libtokencap and qdbi_mode to utils/ + - all compilers combined to afl-cc which emulates the previous ones + - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o + - afl-fuzz + - not specifying -M or -S will now auto-set "-S default" + - deterministic fuzzing is now disabled by default and can be enabled with + -D. It is still enabled by default for -M. + - a new seed selection was implemented that uses weighted randoms based on + a schedule performance score, which is much better that the previous + walk the whole queue approach. 
Select the old mode with -Z (auto enabled + with -M) + - Marcel Boehme submitted a patch that improves all AFFast schedules :) + - the default schedule is now FAST + - memory limits are now disabled by default, set them with -m if required + - rpc.statsd support, for stats and charts, by Edznux, thanks a lot! + - reading testcases from -i now descends into subdirectories + - allow the -x command line option up to 4 times + - loaded extras now have a duplication protection + - If test cases are too large we do a partial read on the maximum + supported size + - longer seeds with the same trace information will now be ignored + for fuzzing but still be used for splicing + - crashing seeds are now not prohibiting a run anymore but are + skipped - they are used for splicing, though + - update MOpt for expanded havoc modes + - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary + - added NO_SPLICING compile option and makefile define + - added INTROSPECTION make target that writes all mutations to + out/NAME/introspection.txt + - print special compile time options used in help output + - when using -c cmplog, one of the childs was not killed, fixed + - somewhere we broke -n dumb fuzzing, fixed + - added afl_custom_describe to the custom mutator API to allow for easy + mutation reproduction on crashing inputs + - instrumentation + - We received an enhanced gcc_plugin module from AdaCore, thank you + very much!! + - not overriding -Ox or -fno-unroll-loops anymore + - we now have our own trace-pc-guard implementation. 
It is the same as + -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline + and b) works from llvm 10.0.1 + onwards :) + - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz + -x dictionary of string comparisons found during compilation + - LTO autodict now also collects interesting cmp comparisons, + std::string compare + find + ==, bcmp + - fix crash in dict2file for integers > 64 bit + - custom mutators + - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/ + - added a new custom mutator: libfuzzer that integrates libfuzzer mutations + - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/ + - added INTROSPECTION support for custom modules + - python fuzz function was not optional, fixed + - some python mutator speed improvements + - afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH + - unicornafl synced with upstream version 1.02 (fixes, better rust bindings) + - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD + - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash +- afl-2.63c-fix-paths.patch refreshed to afl-3.0c-fix-paths.patch + +------------------------------------------------------------------- +Sat Sep 5 08:43:19 UTC 2020 - Marcus Meissner + +- updated to 2.68c + - added the GSoC excellent afl++ grammar mutator by Shengtuo to our + custom_mutators/ (see custom_mutators/README.md) - or get it here: + https://github.com/AFLplusplus/Grammar-Mutator + - a few QOL changes for Apple and its outdated gmake + - afl-fuzz: + - fix for auto dictionary entries found during fuzzing to not throw out + a -x dictionary + - added total execs done to plot file + - AFL_MAX_DET_EXTRAS env variable added to control the amount of + deterministic dict entries without recompiling. + - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait + for the forkserver to come up without the need to increase the overall + timeout. 
+ - bugfix for cmplog that results in a heap overflow based on target data + (thanks to the magma team for reporting!) + - write fuzzing setup into out/fuzzer_setup (environment variables and + command line) + - custom mutators: + - added afl_custom_fuzz_count/fuzz_count function to allow specifying + the number of fuzz attempts for custom_fuzz + - llvm_mode: + - ported SanCov to LTO, and made it the default for LTO. better + instrumentation locations + - Further llvm 12 support (fast moving target like afl++ :-) ) + - deprecated LLVM SKIPSINGLEBLOCK env environment + +------------------------------------------------------------------- +Wed Aug 19 14:35:25 UTC 2020 - Marcus Meissner + +- updated to 2.67c + - Support for improved afl++ snapshot module: + https://github.com/AFLplusplus/AFL-Snapshot-LKM + - Due to the instrumentation needing more memory, the initial memory sizes + for -m have been increased + - afl-fuzz: + - added -F option to allow -M main fuzzers to sync to foreign fuzzers, + e.g. honggfuzz or libfuzzer + - added -b option to bind to a specific CPU + - eliminated CPU affinity race condition for -S/-M runs + - expanded havoc mode added, on no cycle finds add extra splicing and + MOpt into the mix + - fixed a bug in redqueen for strings and made deterministic with -s + - llvm_mode: + - now supports llvm 12 + - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous + AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and + are matched to AFL_LLVM_ALLOWLIST). The format is compatible to llvm + sancov, and also supports function matching :) + - added neverzero counting to trace-pc/pcgard + - fixes for laf-intel float splitting (thanks to mark-griffin for + reporting) + - fixes for llvm 4.0 + - skipping ctors and ifuncs for instrumentation + - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR + for a fixed map address (eg. 
0x10000) + - LTO: improved stability for persistent mode, no other instrumentation + has that advantage + - LTO: fixed autodict for long strings + - LTO: laf-intel and redqueen/cmplog are now applied at link time + to prevent llvm optimizing away the splits + - LTO: autodictionary mode is a fixed default now + - LTO: instrim instrumentation disabled, only classic support used + as it is always better + - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID + was given to which function during compilation + - LTO: single block functions were not implemented by default, fixed + - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inversed, fixed + - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates + AFL_LLVM_LAF_SPLIT_COMPARES + - support for -E and -shared compilation runs + - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz + - added afl-frida gum solution to examples/afl_frida (mostly imported + from https://github.com/meme/hotwax/) + - small fixes to afl-plot, afl-whatsup and man page creation + - new README, added FAQ + +------------------------------------------------------------------- +Thu Jul 2 09:59:38 UTC 2020 - Marcus Meissner + +- updated to 2.66c + - renamed blacklist/whitelist to ignorelist/instrumentlist -> + AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE + - warn on deprecated environment variables + - afl-fuzz: + - -S secondary nodes now only sync from the main node to increase + performance, the -M main node still syncs from everyone. 
Added checks + that ensure exactly one main node is present and warn otherwise + - Add -D after -S to force a secondary to perform deterministic fuzzing + - If no main node is present at a sync one secondary node automatically + becomes a temporary main node until a real main nodes shows up + - Fixed a mayor performance issue we inherited from AFLfast + - switched murmur2 hashing and random() for xxh3 and xoshiro256**, + resulting in an up to 5.5% speed increase + - Resizing the window does not crash afl-fuzz anymore + - Ensure that the targets are killed on exit + - fix/update to MOpt (thanks to arnow117) + - added MOpt dictionary support from repo + - added experimental SEEK power schedule. It is EXPLORE with ignoring + the runtime and less focus on the length of the test case + - llvm_mode: + - the default instrumentation is now PCGUARD if the llvm version is >= 7, + as it is faster and provides better coverage. The original afl + instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is + automatically done when the instrument_file list feature is used. + - PCGUARD mode is now even better because we made it collision free - plus + it has a fixed map size, so it is also faster! :) + - some targets want a ld variant for LD that is not gcc/clang but ld, + added afl-ld-lto to solve this + - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which + needs 3.8.0) + - instrument_file list feature now supports wildcards (thanks to sirmc) + - small change to cmplog to make it work with current llvm 11-dev + - added AFL_LLVM_LAF_ALL, sets all laf-intel settings + - LTO instrument_files functionality rewritten, now main, _init etc functions + need not to be listed anymore + - fixed crash in compare-transform-pass when strcasecmp/strncasecmp was + tried to be instrumented with LTO + - fixed crash in cmplog with LTO + - enable snapshot lkm also for persistent mode + - Unicornafl + - Added powerPC support from unicorn/next + - rust bindings! 
+ - CMPLOG/Redqueen now also works for MMAP sharedmem + - ensure shmem is released on errors + - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not + compiled by default anymore. + - allow running in /tmp (only unsafe with umask 0) + - persistent mode shared memory testcase handover (instead of via + files/stdin) - 10-100% performance increase + - General support for 64 bit PowerPC, RiscV, Sparc etc. + - fix afl-cmin.bash + - slightly better performance compilation options for afl++ and targets + - fixed afl-gcc/afl-as that could break on fast systems reusing pids in + the same second + - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk + - added former post_library examples to examples/custom_mutators/ + - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and + gcc 10 so afl-clang-lto can be build + +------------------------------------------------------------------- +Fri May 15 09:24:47 UTC 2020 - Marcus Meissner + +- updated to 2.65c + - afl-fuzz: + - AFL_MAP_SIZE was not working correctly + - better python detection + - an old, old bug in afl that would show negative stability in rare + circumstances is now hopefully fixed + - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY + instead (see docs/custom_mutators.md) + - llvm_mode: + - afl-clang-fast/lto now do not skip single block functions. This + behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK + - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed + address for the shared memory map is used as this increases the + fuzzing speed + - InsTrim now has an LTO version! :-) That is the best and fastest mode! + - fixes to LTO mode if instrumented edges > MAP_SIZE + - CTX and NGRAM can now be used together + - CTX and NGRAM are now also supported in CFG/INSTRIM mode + - AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed + - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter + implementation. 
For targets with few or no loops or heavily called + functions. Gives a small performance boost. + - qemu_mode: + - add information on PIE/PIC load addresses for 32 bit + - better dependency checks + - gcc_plugin: + - better dependency checks + - unicorn_mode: + - validate_crash_callback can now count non-crashing inputs as crash as well + - better submodule handling + - afl-showmap: fix for -Q mode + - added examples/afl_network_proxy which allows to fuzz a target over the + network (not fuzzing tcp/ip services but running afl-fuzz on one system + and the target being on an embedded device) + - added examples/afl_untracer which does a binary-only fuzzing with the + modifications done in memory (intel32/64 and aarch64 support) + - added examples/afl_proxy which can be easily used to fuzz and instrument + non-standard things + - all: + - forkserver communication now also used for error reporting + - fix 32 bit build options + - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory + intact if in a git/svn checkout - unless "deepclean" is used + +------------------------------------------------------------------- +Sat Apr 18 07:05:42 UTC 2020 - Marcus Meissner + +- updated to 2.64c + - llvm_mode LTO mode: + - now requires llvm11 - but compiles all targets! :) + - autodictionary feature added, enable with `AFL_LLVM_LTO_AUTODICTIONARY` + - variable map size usage + - afl-fuzz: + - variable map size support added (only LTO mode can use this) + - snapshot feature usage now visible in UI + - Now setting `-L -1` will enable MOpt in parallel to normal mutation. + Additionally, this allows to run dictionaries, radamsa and cmplog. 
+ - fix for cmplog/redqueen mode if stdin was used + - fix for writing a better plot_data file + - qemu_mode: fix for persistent mode (which would not terminate or get stuck) + - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also + static global and local variable comparisons (cannot find all though) + - extended forkserver: map_size and more information is communicated to + afl-fuzz (and afl-fuzz acts accordingly) + - new environment variable: AFL_MAP_SIZE to specify the size of the shared map + - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed + (this bug is in vanilla afl too) + - added NO_PYTHON flag to disable python support when building afl-fuzz + - more refactoring + +------------------------------------------------------------------- +Sun Apr 12 11:04:35 UTC 2020 - Marcus Meissner + +- updated to 2.63c + - all: + - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn + multiple fuzzing threads in the future or even become a library + - afl basic tools now report on the environment variables picked up + - more tools get environment variable usage info in the help output + - force all output to stdout (some OK/SAY/WARN messages were sent to + stdout, some to stderr) + - uninstrumented mode uses an internal forkserver ("fauxserver") + - now builds with `-D_FORTIFY_SOURCE=2` + - drastically reduced number of (de)allocations during fuzzing + - afl-fuzz: + - python mutator modules and custom mutator modules now use the same + interface and hence the API changed + - AFL_AUTORESUME will resume execution without the need to specify `-i -` + - added experimental power schedules (-p): + - mmopt: ignores runtime of queue entries, gives higher weighting to + the last 5 queue entries + - rare: puts focus on queue entries that hits rare branches, also ignores + runtime + - llvm_mode: + - added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM) + - added Control Flow Integrity sanitizer 
(AFL_USE_CFISAN) + - added AFL_LLVM_INSTRUMENT option to control the instrumentation type + easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16) + - made USE_TRACE_PC compile obsolete + - LTO collision free instrumented added in llvm_mode with afl-clang-lto - + note that this mode is amazing, but quite some targets won't compile + - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera + (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting + AFL_LLVM_INSTRUMENT=NGRAM- or AFL_LLVM_NGRAM_SIZE= + - Added llvm_mode context sensitive branch coverage, activated by setting + AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1 + - llvm_mode InsTrim mode: + - removed workaround for bug where paths were not instrumented and + imported fix by author + - made skipping 1 block functions an option and is disabled by default, + set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this + - qemu_mode: + - qemu_mode now uses solely the internal capstone version to fix builds + on modern Linux distributions + - QEMU now logs routine arguments for CmpLog when the target is x86 + - afl-tmin: + - now supports hang mode `-H` to minimize hangs + - fixed potential afl-tmin missbehavior for targets with multiple hangs + - Pressing Control-c in afl-cmin did not terminate it for some OS + - the custom API was rewritten and is now the same for Python and shared + libraries. +- afl-1.58b-fix-paths.patch moved to +- afl-2.63c-fix-paths.patch: adjust Makefile -> GNUmakefile + +------------------------------------------------------------------- +Fri Feb 28 14:09:26 UTC 2020 - Marcus Meissner + +- updated to 2.62c + - Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE! 
+ - Small fix for -E/-V to release the CPU + - CmpLog does not need sancov anymore + +------------------------------------------------------------------- +Tue Feb 25 12:04:22 UTC 2020 - Marcus Meissner + +- updated to 2.61c + - use -march=native if available + - most tools now check for mistyped environment variables + - gcc 10 is now supported + - the memory safety checks are now disabled for a little more speed during + fuzzing (only affects creating queue entries), can be toggled in config.h + - afl-fuzz: + - MOpt out of bounds writing crash fixed + - now prints the real python version support compiled in + - set stronger performance compile options and little tweaks + - Android: prefer bigcores when selecting a CPU + - CmpLog forkserver + - Redqueen input-2-state mutator (cmp instructions only ATM) + - all Python 2+3 versions supported now + - changed execs_per_sec in fuzzer_stats from "current" execs per second + (which is pointless) to total execs per second + - bugfix for dictionary insert stage count (fix via Google repo PR) + - added warning if -M is used together with custom mutators with _ONLY option + - AFL_TMPDIR checks are now later and better explained if they fail + - llvm_mode + - InsTrim: three bug fixes: + 1. (minor) no pointless instrumentation of 1 block functions + 2. (medium) path bug that leads a few blocks not instrumented that + should be + 3. (major) incorrect prev_loc was written, fixed! + - afl-clang-fast: + - show in the help output for which llvm version it was compiled for + - now does not need to be recompiled between trace-pc and pass + instrumentation. 
compile normally and set AFL_LLVM_USE_TRACE_PC :) + - LLVM 11 is supported + - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) + - afl-gcc, afl-clang-fast, afl-gcc-fast: + - experimental support for undefined behaviour sanitizer UBSAN + (set AFL_USE_UBSAN=1) + - the instrumentation summary output now also lists activated sanitizers + - afl-as: added isatty(2) check back in + - added AFL_DEBUG (for upcoming merge) + - qemu_mode: + - persistent mode is now also available for arm and aarch64 + - CmpLog instrumentation for QEMU (-c afl-fuzz command line option) + for x86, x86_64, arm and aarch64 + - AFL_PERSISTENT_HOOK callback module for persistent QEMU + (see examples/qemu_persistent_hook) + - added qemu_mode/README.persistent.md documentation + - AFL_ENTRYPOINT noew has instruction granularity + - afl-cmin is now a sh script (invoking awk) instead of bash for portability + the original script is still present as afl-cmin.bash + - afl-showmap: -i dir option now allows processing multiple inputs using the + forkserver. This is for enhanced speed in afl-cmin. 
+ - added blacklist and whitelisting function check in all modules of llvm_mode + - added fix from Debian project to compile libdislocator and libtokencap + - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t + +------------------------------------------------------------------- +Sun Feb 9 16:12:14 UTC 2020 - Marcus Meissner + +- added radamsa mutator + +------------------------------------------------------------------- +Thu Jan 2 08:31:09 UTC 2020 - Marcus Meissner + +- updated to 2.60c + - fixed a critical bug in afl-tmin that was introduced during ++2.53d + - added test cases for afl-cmin and afl-tmin to test/test.sh + - added ./experimental/argv_fuzzing ld_preload library by Kjell Braden + - added preeny's desock_dup ld_preload library as + ./experimental/socket_fuzzing for network fuzzing + - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is + for the retrorewrite project + - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used + +------------------------------------------------------------------- +Fri Dec 27 16:01:06 UTC 2019 - Marcus Meissner + +- updated to 2.59c + - qbdi_mode: fuzz android native libraries via QBDI framework + - unicorn_mode: switched to the new unicornafl, thanks domenukk + (see https://github.com/vanhauser-thc/unicorn) + - afl-fuzz: + - added radamsa as (an optional) mutator stage (-R[R]) + - added -u command line option to not unlink the fuzz input file + - Python3 support (autodetect) + - AFL_DISABLE_TRIM env var to disable the trim stage + - CPU affinity support for DragonFly + - llvm_mode: + - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS + - support for llvm 10 included now (thanks to devnexen) + - libtokencap: + - support for *BSD/OSX/Dragonfly added + - hook common *cmp functions from widely used libraries + - compcov: + - hook common *cmp functions from widely used libraries + - floating point splitting support for QEMU on x86 targets + - qemu_mode: 
AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching + - afl-analyze: added AFL_SKIP_BIN_CHECK support + - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen) + - Dockerfile by courtesy of devnexen + - added regex.dictionary + - qemu and unicorn download scripts now try to download until the full + download succeeded. f*ckin travis fails downloading 40% of the time! + - more support for Android (please test!) + - added the few Android stuff we didnt have already from Google afl repository + - removed unnecessary warnings + +------------------------------------------------------------------- +Sat Nov 9 16:05:04 UTC 2019 - Marcus Meissner + +- updated to 2.58c + - reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10% + - added test/test-performance.sh script + - (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistance feature! by hexcoder- + - gcc_plugin tests added to testing framework +- jump to 2.57 instead of 2.55 to catch up with Google's versioning + - persistent mode for QEMU (see qemu_mode/README.md) + - custom mutator library is now an additional mutator, to exclusivly use it + - add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour) + - new library qemu_mode/unsigaction which filters sigaction events + - afl-fuzz: new command line option -I to execute a command on a new crash + - no more unlinking the input file, this way the input file can also be a + - FIFO or disk partition + - setting LLVM_CONFIG for llvm_mode will now again switch to the selected + - llvm version. If your setup is correct. + - fuzzing strategy yields for custom mutator were missing from the UI, added them :) + - added "make tests" which will perform checks to see that all functionality + - is working as expected. 
this is currently the starting point, its not complete :) + - added mutation documentation feature ("make document"), creates afl-fuzz-document + - and saves all mutations of the first run on the first file into out/queue/mutations + - libtokencap and libdislocator now compile to the afl_root directory and are + - installed to the .../lib/afl directory when present during make install + - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen) + - reducing duplicate code in afl-fuzz + - added "make help" + - removed compile warnings from python internal stuff + - added man page for afl-clang-fast[++] + - updated documentation + - Wine mode to run Win32 binaries with the QEMU instrumentation (-W) + - CompareCoverage for ARM target in QEMU/Unicorn +- 2.54c: + - big code refactoring: + - all includes are now in include/ + - all afl sources are now in src/ - see src/README.src + - afl-fuzz was splitted up in various individual files for including + - functionality in other programs (e.g. forkserver, memory map, etc.) + - for better readability. + - new code indention everywhere + - auto-generating man pages for all (main) tools + - added AFL_FORCE_UI to show the UI even if the terminal is not detected + - llvm 9 is now supported (still needs testing) + - Android is now supported (thank to JoeyJiao!) - still need to modify the Makefile though + - fix building qemu on some Ubuntus (thanks to floyd!) + - custom mutator by a loaded library is now supported (thanks to kyakdan!) + - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report + - more support for *BSD (thanks to devnexen!) 
+ - fix building on *BSD (thanks to tobias.kortkamp for the patch) + - fix for a few features to support different map sized than 2^16 + - afl-showmap: new option -r now shows the real values in the buckets (stock + - afl never did), plus shows tuple content summary information now + - small docu updates + - NeverZero counters for QEMU + - NeverZero counters for Unicorn + - CompareCoverage Unicorn + - immediates-only instrumentation for CompareCoverage +- 2.53c release + - imported the few minor changes from the 2.53b release + - unicorn_mode got added - thanks to domenukk for the patch! + - fix llvm_mode AFL_TRACE_PC with modern llvm + - fix a crash in qemu_mode which also exists in stock afl + - added libcompcov, a laf-intel implementation for qemu! :) see qemu_mode/libcompcov/README.libcompcov + - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels + - all queue, hang and crash files now have their discovery time in their name + - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc + - added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim) + - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt + - added code to make it more portable to other platforms than Intel Linux + - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1) + - added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt + - more cpu power for afl-system-config + - added forkserver patch to afl-tmin, makes it much faster (originally from github.com/nccgroup/TriforceAFL) + - added whitelist support for llvm_mode via AFL_LLVM_WHITELIST to allow only to instrument what is actually interesting. 
Gives more speed and less map pollution (originally by choller@mozilla) + - added Python Module mutator support, python2.7-dev is autodetected. see docs/python_mutators.txt (originally by choller@mozilla) + - added AFL_CAL_FAST for slow applications and AFL_DEBUG_CHILD_OUTPUT for debugging + - added -V time and -E execs option to better comparison runs, runs afl-fuzz for a specific time/executions. + - added a -s seed switch to allow afl run with a fixed initial seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then + +------------------------------------------------------------------- +Thu Oct 17 12:58:02 UTC 2019 - Richard Brown + +- Remove obsolete Groups tag (fate#326485) + +------------------------------------------------------------------- +Sun Jun 23 17:44:06 UTC 2019 - Marcus Meissner + +- updated to afl++ 2.52c version, community fork. It integrates + various community patches. + - community patches to make llvm_mode and qemu_mode faster, plus new features and bugfixes + - qemu upgraded to 3.1 + - aflfast powerschedules added + - llvm_mode now supports llvm up to version 8 + +------------------------------------------------------------------- +Thu Aug 30 15:03:49 UTC 2018 - Guillaume GARDET + +- Fix build on non X86* platforms + +------------------------------------------------------------------- +Sun Nov 5 07:57:53 UTC 2017 - mardnh@gmx.de + +- Update to version 2.52b: + * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting + several weird issues. + * Added setsid to afl-showmap. See the notes for 2.51b. + * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats. + * afl-tmin should now save a partially minimized file when Ctrl-C + is pressed. + * Added an option for afl-analyze to dump offsets in hex. + * Added support for parameters in triage_crashes.sh. 
+ +------------------------------------------------------------------- +Sun Sep 3 12:08:41 UTC 2017 - astieger@suse.com + +- afl 2.51b: + * Make afl-tmin call setsid to prevent glibc traceback junk from + showing up on the terminal +- includes changes form 2.50b: + * Fix a timing corner case + * Address a libtokencap / pthreads incompatibility issue + * Add AFL_FAST_CAL. + * In-place resume now preserves .synced + +------------------------------------------------------------------- +Sat Jul 29 23:04:43 UTC 2017 - meissner@suse.com + +- include docs/README + +------------------------------------------------------------------- +Wed Jul 26 06:47:03 UTC 2017 - meissner@suse.com + +- Version 2.49b + - Added AFL_TMIN_EXACT to allow path constraint for crash minimization. + - Added dates for releases (retroactively for all of 2017). +- Version 2.48b + - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp. + - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin). + - Made it possible to point -o and -f to the same file in afl-tmin. +- Version 2.47b + - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk. +- Version 2.46b + - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not + want to abort on calloc() overflows. + - Made a minor fix to libtokencap. Reported by Daniel Stender. + - Added a small JSON dictionary, inspired on a dictionary done by Jakub Wilk. + +------------------------------------------------------------------- +Fri Jul 7 14:59:31 UTC 2017 - meissner@suse.com + +- update to 2.45b: + - Added strstr, strcasestr support to libtokencap. Contributed by + Daniel Hodson. + - Fixed a resumption offset glitch spotted by Jakub Wilk. + - There are definitely no bugs in afl-showmap -c now. 
+ +------------------------------------------------------------------- +Mon Jul 3 08:08:58 UTC 2017 - astieger@suse.com + +- update to 2.44b: + * Add visual indicator of ASAN / MSAN mode when compiling + * Add support for afl-showmap coredumps (-c) + * Add LD_BIND_NOW=1 for afl-showmap by default + * Added AFL_NO_ARITH to aid in the fuzzing of text-based formats + * Renamed the R() macro to avoid a problem with llvm_mode in the + latest versions of LLVM + +------------------------------------------------------------------- +Wed Apr 12 06:25:50 UTC 2017 - meissner@suse.com + +- update to 2.41b: + - Addressed a major user complaint related to timeout detection. Timing out + inputs are now binned as "hangs" only if they exceed a far more generous + time limit than the one used to reject slow paths. +- update to 2.40b: + - Fixed a minor oversight in the insertion strategy for dictionary words. + Spotted by Andrzej Jackowski. + - Made a small improvement to the havoc block insertion strategy. + - Adjusted color rules for "is it done yet?" indicators. + +------------------------------------------------------------------- +Wed Mar 8 20:52:05 UTC 2017 - sfalken@opensuse.org + +- Changed %doc line, to clear buildfailure in openSUSE:Factory + Due to unpackaged files + +------------------------------------------------------------------- +Fri Feb 10 12:09:01 UTC 2017 - meissner@suse.com + +- update to 2.39b: + - Improved error reporting in afl-cmin. Suggested by floyd. + - Made a minor tweak to trace-pc-guard support. Suggested by kcc. + - Added a mention of afl-monitor. + +------------------------------------------------------------------- +Mon Jan 30 14:21:37 UTC 2017 - astieger@suse.com + +- update to 2.38b: + * Added -mllvm -sanitizer-coverage-block-threshold=0 to + trace-pc-guard mode + * Fixed a cosmetic bad free() bug when aborting -S sessions + * Made a small change to afl-whatsup to sort fuzzers by name. 
+ * Fixed a minor issue with malloc(0) in libdislocator + * Changed the clobber pattern in libdislocator to a slightly more + reliable one + * Added a note about THP performance + * Added a somewhat unofficial support for running afl-tmin with a + baseline "mask" that causes it to minimize only for edges that + are unique to the input file, but not to the "boring" baseline. + * "Fixed" a getPassName() problem with never versions of clang. + +------------------------------------------------------------------- +Wed Oct 19 20:05:42 UTC 2016 - mpluskal@suse.com + +- Update to version 2.35b: + * Fixed a minor cmdline reporting glitch, spotted by Leo Barnes. + * Fixed a silly bug in libdislocator. Spotted by Johannes Schultz. +- Changes for version 2.34b: + * Added a note about afl-tmin to technical_details.txt. + * Added support for AFL_NO_UI, as suggested by Leo Barnes. +- Changes for version 2.33b: + * Added code to strip -Wl,-z,defs and -Wl,--no-undefined for + fl-clang-fast, since they interfere with -shared. Spotted and + iagnosed by Toby Hutton. + * Added some fuzzing tips for Android. + +------------------------------------------------------------------- +Thu Aug 25 12:45:55 UTC 2016 - meissner@suse.com + +- Version 2.32b: + - Added a check for AFL_HARDEN combined with AFL_USE_*SAN. Suggested by Hanno Boeck. + - Made several other cosmetic adjustments to cycle timing in the wake of the big tweak made in 2.31b. + +- Version 2.31b: + - Changed havoc cycle counts for a marked performance boost, especially + with -S / -d. See the discussion of FidgetyAFL in: + + https://groups.google.com/forum/#!topic/afl-users/fOPeb62FZUg + + While this does not implement the approach proposed by the authors of + the CCS paper, the solution is a result of digging into that research; + more improvements may follow as I do more experiments and get more + definitive data. 
+- Version 2.30b: + - Made minor improvements to persistent mode to avoid the remote + possibility of "no instrumentation detected" issues with very low + instrumentation densities. + - Fixed a minor glitch with a leftover process in persistent mode. + Reported by Jakub Wilk and Daniel Stender. + - Made persistent mode bitmaps a bit more consistent and adjusted the way + this is shown in the UI, especially in persistent mode. + +- Version 2.29b: + - Made a minor #include fix to llvm_mode. Suggested by Jonathan Metzman. + - Made cosmetic updates to the docs. +- Version 2.28b: + - Added "life pro tips" to docs/. + - Moved testcases/_extras/ to dictionaries/ for visibility. + - Made minor improvements to install scripts. + - Added an important safety tip. +- Version 2.27b: + - Added libtokencap, a simple feature to intercept strcmp / memcmp and + generate dictionary entries that can help extend coverage. + - Moved libdislocator to its own dir, added README. + - The demo in experimental/instrumented_cmp is no more. +- Version 2.26b: + - Made a fix for libdislocator.so to compile on MacOS X. + - Added support for DYLD_INSERT_LIBRARIES. + - Renamed AFL_LD_PRELOAD to AFL_PRELOAD. +- Version 2.25b: + - Made some cosmetic updates to libdislocator.so, renamed one env + variable. +- Version 2.24b: + - Added libdislocator.so, an experimental, abusive allocator. Try + it out with AFL_LD_PRELOAD=/path/to/libdislocator.so when running + afl-fuzz. +- Version 2.23b: + - Improved the stability metric for persistent mode binaries. Problem + spotted by Kurt Roeckx. + - Made a related improvement that may bring the metric to 100% for those + targets. +- Version 2.22b: + - Mentioned the potential conflicts between MSAN / ASAN and FORTIFY_SOURCE. + There is no automated check for this, since some distros may implicitly + set FORTIFY_SOURCE outside of the compiler's argv[]. + - Populated the support for AFL_LD_PRELOAD to all companion tools. 
+ - Made a change to the handling of ./afl-clang-fast -v. Spotted by + Jan Kneschke. + +------------------------------------------------------------------- +Sat Jul 23 19:10:30 UTC 2016 - astieger@suse.com + +- afl 2.21b: + * Minor UI fixes +- includes changes from 2.20b: + * Revamp handling of variable paths + * Stablility improvements + * Include current input bitmap density in UI + * Add experimental support for parallelizing -M. +- includes changes from 2.19b: + * Ensure auto CPU binding happens at non-overlapping times +- includes changes from 2.18b + * Performance improvements + +------------------------------------------------------------------- +Tue Jun 28 06:26:03 UTC 2016 - astieger@suse.com + +- afl 2.17b: + * Remove error-prone and manual -Z option + * automatically bind to the first free core + +------------------------------------------------------------------- +Wed Jun 15 18:26:54 UTC 2016 - astieger@suse.com + +- afl 2.14b: + - Added FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION as a macro + defined when compiling with afl-gcc and friends + - Refreshed some of the non-x86 docs. + +------------------------------------------------------------------- +Tue May 31 11:18:02 UTC 2016 - astieger@suse.com + +- afl 2.13b: + * Fixed a spurious build test error with trace-pc and + llvm_mode/Makefile. + * Fixed a cosmetic issue with afl-whatsup +- includes changes from 2.12b + * Fixed a minor issue in afl-tmin that can make alphabet + minimization less efficient during passes > 1 + +------------------------------------------------------------------- +Mon May 2 11:02:02 UTC 2016 - astieger@suse.com + +- afl 2.11b: + - Fixed a minor typo in instrumented_cmp + - Added a missing size check for deterministic insertion steps. + - Made an improvement to afl-gotcpu when -Z not used. 
+ - Fixed a typo in post_library_png.so.c in experimental/ + +------------------------------------------------------------------- +Sat Apr 16 15:12:46 UTC 2016 - astieger@suse.com + +- afl 2.10b: + * Fix a minor core counting glitch + +------------------------------------------------------------------- +Mon Mar 28 19:11:03 UTC 2016 - mpluskal@suse.com + +- Update to 2.09b + * Made several documentation updates. + * Added some visual indicators to promote and simplify the use + of -Z. +- Changes for 2.08b + * Added explicit support for -m32 and -m64 for llvm_mode. + Inspired by a request from Christian Holler. + * Added a new benchmarking option, as requested by Kostya + Serebryany. +- Changes for 2.07b + * Added CPU affinity option (-Z) on Linux. With some caution, + this can offer a significant (10%+) performance bump and + reduce jitter. Proposed by Austin Seipp. + * Updated afl-gotcpu to use CPU affinity where supported. + * Fixed confusing CPU_TARGET error messages with QEMU build. + Spotted by Daniel Komaromy and others. +- Changes for 2.06b + * Worked around LLVM persistent mode hiccups with -shared code. + Contributed by Christian Holler. + * Added __AFL_COMPILER as a convenient way to detect that + something is built under afl-gcc / afl-clang / afl-clang-fast + and enable custom optimizations in your code. Suggested by + Pedro Corte-Real. + * Upstreamed several minor changes developed by Franjo Ivancic to + allow AFL to be built as a library. This is fairly use-specific + and may have relatively little appeal to general audiences. + +------------------------------------------------------------------- +Sun Feb 28 13:59:04 UTC 2016 - astieger@suse.com + +- afl 2.05b: + * Put __sanitizer_cov_module_init & co behind #ifdef to avoid + problems with ASAN. 
+ +------------------------------------------------------------------- +Wed Feb 24 21:52:33 UTC 2016 - astieger@suse.com + +- afl 2.04b: + * remove indirect-calls coverage from -fsanitize-coverage + * LLVM: Added experimental -fsanitize-coverage=trace-pc support + - LLVM: better support non-standard map sizes + - LLVM: use thread-local execution tracing + - Force-disabled symbolization for ASAN + - Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets + without affecting AFL itself + - Fixed a "lcamtuf can't count to 16" bug in the havoc stage. + +------------------------------------------------------------------- +Tue Feb 16 15:37:01 UTC 2016 - astieger@suse.com + +- afl 2.01b: + - updates to color handling + - Fixed an installation issue with afl-as + +------------------------------------------------------------------- +Thu Feb 11 12:21:39 UTC 2016 - astieger@suse.com + +- afl 1.99b: + - Revamp the output and the internal logic of afl-analyze. + - Clean up color handling code + - added support for background colors. + +------------------------------------------------------------------- +Wed Feb 10 20:25:47 UTC 2016 - astieger@suse.com + +- afl 1.98b: + - new tool afl-analyze + +------------------------------------------------------------------- +Sat Dec 19 15:45:22 UTC 2015 - mpluskal@suse.com + +- Update to 1.96b + * Added -fpic to CFLAGS for the clang plugin, as suggested by + Hanno Boeck. + * Made another clang change (IRBuilder) suggested by Jeff Trull. + * Fixed several typos, spotted by Jakub Wilk. + * Added support for AFL_SHUFFLE_QUEUE, based on discussions with + Christian Holler. + +------------------------------------------------------------------- +Fri Nov 13 09:06:47 UTC 2015 - astieger@suse.com + +- afl 1.95b: + * Fixed a harmless bug when handling -B + * Made the exit message a bit more accurate when + AFL_EXIT_WHEN_DONE is set. + * Added some error-checking for old-style forkserver syntax. 
+ * Switched from exit() to _exit() in injected code to avoid + snafus with destructors in C++ code. + * Made a change to avoid spuriously setting __AFL_SHM_ID when + AFL_DUMB_FORKSRV is set in conjunction with -n. + +------------------------------------------------------------------- +Fri Oct 2 15:11:23 UTC 2015 - astieger@suse.com + +- afl 1.94b: + * Changed allocator alignment to improve support for non-x86 systems + (now that llvm_mode makes this more feasible). + * Fixed an obscure bug that would affect people trying to use afl-gcc + with $TMP set but $TMPDIR absent. + +------------------------------------------------------------------- +Mon Sep 7 13:22:07 UTC 2015 - astieger@suse.com + +- afl 1.92b: + * C++ fix (namespaces) + +------------------------------------------------------------------- +Thu Sep 3 14:32:09 UTC 2015 - astieger@suse.com + +- afl 1.91b: + * C++ instrumentation fixes +- includes changes from 1.90b: + * documentation updates + * Fixed a potential problem with deferred mode signatures getting + optimized out by the linker (with --gc-sections). + +------------------------------------------------------------------- +Wed Sep 2 07:57:31 UTC 2015 - astieger@suse.com + +- afl 1.89b: + * Revamped the support for persistent and deferred forkserver + modes. Both now feature simpler syntax and do not require + companion env variables. + * Added a bit more info about afl-showmap. + +------------------------------------------------------------------- +Sun Aug 30 23:40:19 UTC 2015 - astieger@suse.com + +- afl 1.88b: + * Make AFL_EXIT_WHEN_DONE work in non-tty mode. 
+ +------------------------------------------------------------------- +Thu Aug 27 14:32:46 UTC 2015 - astieger@suse.com + +- afl 1.87b: + * Add QuickStartGuide.txt and other documentation updates + +------------------------------------------------------------------- +Mon Aug 10 19:49:56 UTC 2015 - astieger@suse.com + +- afl 1.86b: + * Added support for AFL_SKIP_CRASHES + * Removed the hard-fail terminal size check + +------------------------------------------------------------------- +Wed Aug 5 13:46:26 UTC 2015 - mpluskal@suse.com + +- Update to 1.85b + * Fixed a garbled sentence in notes on parallel fuzzing. + * Fixed a minor glitch in afl-cmin. +- Changes for 1.84b + * Made SIMPLE_FILES behave as expected when naming backup + directories for crashes and hangs. + * Added the total number of favored paths to fuzzer_stats. + * Made afl-tmin, afl-fuzz, and afl-cmin reject negative values + passed to -t and -m, since they generally won't work as + expected. + * Made a fix for no lahf / sahf support on older versions of + FreeBSD. + +------------------------------------------------------------------- +Mon Jun 15 09:07:34 UTC 2015 - astieger@suse.com + +- afl 1.83b: + * fixes for platforms other than GNU/Linux + +------------------------------------------------------------------- +Sat Jun 13 10:41:30 UTC 2015 - astieger@suse.com + +- afl 1.82b: + * Fixed a harmless but annoying race condition in persistent mode + * Updated persistent mode documentation + - Tweaked AFL_PERSISTENT to force AFL_NO_VAR_CHECK. +- afl 1.81b: + * Added persistent mode for in-process fuzzing. + * in-place resume code to preserve crashes/README.txt. 
+ +------------------------------------------------------------------- +Tue May 26 10:59:53 UTC 2015 - astieger@suse.com + +- afl 1.80b: + - Made afl-cmin tolerant of whitespaces in filenames + - Added support for AFL_EXIT_WHEN_DONE + +------------------------------------------------------------------- +Mon May 25 07:43:23 UTC 2015 - astieger@suse.com + +- afl 1.79b: + - Added support for dictionary levels, see testcases/README.testcases. + - Reworked the SQL dictionary to use levels. + - Added a note about Preeny. + +------------------------------------------------------------------- +Tue May 19 07:26:27 UTC 2015 - astieger@suse.com + +- builds for i586 x86_64 only + +------------------------------------------------------------------- +Mon May 18 17:12:36 UTC 2015 - astieger@suse.com + +- afl 1.78b: + - Added a dictionary for PDF + - Added several references to afl-cov + +------------------------------------------------------------------- +Fri May 8 13:05:09 UTC 2015 - astieger@suse.com + +- afl 1.77b: + * additional fuzzing functionality + * reduce number of duplicates + * documentation updates + * qemu_mode with qemu 2.3.0 + +------------------------------------------------------------------- +Mon Apr 27 08:45:05 UTC 2015 - astieger@suse.com + +- afl 1.73b: + - Fixed a bug in effector maps that could sometimes cause more + fuzzing than necessary, or SEGV +- includes changes from 1.72b: + - Fixed a glitch in non-x86 install + - Added a minor safeguard to llvm_mode Makefile + +------------------------------------------------------------------- +Mon Apr 20 17:20:09 UTC 2015 - astieger@suse.com + +- afl 1.71b: + - Fix bug with installed copies of AFL trying to use QEMU mode. + - Add last path / crash / hang times to fuzzer_stats +- with changes from 1.70b: + - Modify resumption code to reuse the original timeout value when + resuming a session if -t is not given. This prevents timeout + creep in continuous fuzzing. 
+ - Add improved error messages for failed handshake when + AFL_DEFER_FORKSRV is set. + - slight improvement to llvm_mode/Makefile + - Refresh several bits of documentation. + +------------------------------------------------------------------- +Thu Apr 16 07:19:18 UTC 2015 - astieger@suse.com + +- afl 1.69b: + - Added support for deferred initialization in LLVM mode. +- afl 1.68b: + - Fixed a minor PRNG glitch that would make the first seconds of + a fuzzing job deterministic. + - Made tmp[] static in the LLVM runtime to keep Valgrind happy + - Clarified the footnote in README. + +------------------------------------------------------------------- +Mon Apr 13 19:58:55 UTC 2015 - astieger@suse.com + +- afl 1.67b: + - One more correction to llvm_mode Makefile +- afl 1.66b: + - Added CC / CXX support to llvm_mode Makefile + - Fixed 'make clean' with gmake + - Fixed 'make -j n clean all' + - Removed build date and time from banners to give people deterministic + builds + - drop afl-1.46b-nodate.patch, thus obsoleted + +------------------------------------------------------------------- +Mon Apr 13 15:11:11 UTC 2015 - astieger@suse.com + +- afl 1.65b: + - Fixed a snafu with some leftover code in afl-clang-fast. + - Corrected even moar typos. + +------------------------------------------------------------------- +Sun Apr 12 09:41:38 UTC 2015 - astieger@suse.com + +- afl 1.64b: + - improve compatibility with non-ELF platforms. + - Fixed a problem with afl-clang-fast and -shared libraries. + - Removed unnecessary instrumentation density adjustment for LLVM +- includes changes from 1.63b: + - Updated cgroups_asan/ + - Fixed typos + +------------------------------------------------------------------- +Sat Apr 11 07:15:12 UTC 2015 - astieger@suse.com + +- afl 1.62b: + - Improved the handling of -x in afl-clang-fast, + - Improved the handling of low AFL_INST_RATIO settings for QEMU and + LLVM modes. 
+ - Fixed the llvm-config bug for good +- includes changes from 1.61b: + - Fixed an obscure bug compiling OpenSSL with afl-clang-fast. + - Fixed a 'make install' bug on non-x86 systems + - Fixed a problem with half-broken llvm-config + +------------------------------------------------------------------- +Thu Apr 9 13:12:37 UTC 2015 - astieger@suse.com + +- afl 1.60b: + * Allowed experimental/llvm_instrumentation/ to graduate to llvm_mode/. + * Removed experimental/arm_support/, since it's completely broken and likely + unnecessary with LLVM support in place. + * Added ASAN cgroups script to experimental/asan_cgroups/, updated existing + docs. Courtesy Sam Hakim and David A. Wheeler. + * Refactored afl-tmin to reduce the number of execs in common use cases. + Ideas from Jonathan Neuschafer and Turo Lamminen. + * Added a note about CLAs at the bottom of README. + * Renamed testcases_readme.txt to README.testcases for some semblance of + consistency. + * Made assorted updates to docs. +- includes changes from 1.59b + * Imported Laszlo Szekeres' experimental LLVM instrumentation into + experimental/llvm_instrumentation. I'll work on including it in the + "mainstream" version soon. +- updates afl-1.46b-nodate.patch + +------------------------------------------------------------------- +Fri Mar 27 20:26:35 UTC 2015 - astieger@suse.com + +- fix SLE 11 SP3 build, add afl-1.58b-fix-paths.patch + +------------------------------------------------------------------- +Fri Mar 27 14:40:09 UTC 2015 - astieger@suse.com + +- afl 1.58b: + * Added a workaround for abort() behavior in -lpthread programs in + QEMU mode. + * Made several documentation updates, including links to the + static instrumentation tool (sister_projects.txt). 
+- use libexecdir
+
+-------------------------------------------------------------------
+Tue Mar 24 15:58:08 UTC 2015 - meissner@suse.com
+
+- updated to 1.57b
+
+-------------------------------------------------------------------
+Mon Feb 16 12:53:36 UTC 2015 - astieger@suse.com
+
+- initial package
+
diff --git a/afl.spec b/afl.spec
new file mode 100644
index 0000000..037fa97
--- /dev/null
+++ b/afl.spec
@@ -0,0 +1,127 @@
+#
+# spec file for package afl
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define afl_rt compiler-rt,llvm-rt,llvm-rt-lto
+
+%ifarch %{arm} %ix86 s390x x86_64
+%define afl_32 1
+%endif
+
+%ifarch aarch64 ppc64 ppc64le riscv64 s390x x86_64
+%define afl_64 1
+%endif
+
+Name: afl
+Version: 4.30c
+Release: 0
+Summary: American fuzzy lop is a security-oriented fuzzer
+#URL: https://lcamtuf.coredump.cx/afl/
+License: Apache-2.0
+URL: https://github.com/AFLplusplus/AFLplusplus
+Source: https://github.com/AFLplusplus/AFLplusplus/archive/v%{version}.tar.gz
+Source1: afl-rpmlintrc
+Patch1: afl-3.0c-fix-paths.patch
+BuildRequires: gcc-c++
+BuildRequires: (clang >= 17)
+%ifarch x86_64
+BuildRequires: gcc-32bit
+%endif
+%if %?suse_version >= 1550
+BuildRequires: gcc-devel
+%endif
+BuildRequires: lld
+BuildRequires: llvm-devel >= 17
+BuildRequires: python3-devel
+Requires: lld
+
+%package devel
+Summary: Development headers for use when fuzzing with American fuzzy lop
+Requires: %name = %version
+
+%description devel
+This package contains include files for use with afl.
+
+%description
+American fuzzy lop is a security-oriented fuzzer that employs a novel type
+of compile-time instrumentation and genetic algorithms to automatically
+discover clean, interesting test cases that trigger new internal states in
+the targeted binary. This substantially improves the functional coverage
+for the fuzzed code. The compact synthesized corpora produced by the tool
+are also useful for seeding other, more labor- or resource-intensive
+testing regimes down the road.
+
+Compared to other instrumented fuzzers, afl-fuzz is designed to be
+practical: it has modest performance overhead, uses a variety of highly
+effective fuzzing strategies and effort minimization tricks, requires
+essentially no configuration, and seamlessly handles complex, real-world
+use cases - say, common image parsing or file compression libraries.
+
+%prep
+%setup -q -n AFLplusplus-%version
+%patch -P1 -p1
+sed -i 's|#!/usr/bin/env sh|#!/bin/sh|g' afl-cmin
+sed -i 's|#!/usr/bin/env bash|#!/bin/bash|g' afl-cmin.bash
+
+%build
+export CFLAGS="$CFLAGS %{optflags} -fno-lto"
+%ifnarch %{ix86} x86_64
+export AFL_NO_X86=1
+%endif
+make %{?_smp_mflags} PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir}
+# make radamsa
+
+%install
+%ifnarch %{ix86} x86_64
+export AFL_NO_X86=1
+%endif
+make %{?_smp_mflags} PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} MAN_PATH=%{_mandir}/man8 DESTDIR=%{buildroot} install
+chmod -x %{buildroot}/%{_libexecdir}/%{name}/*.o
+
+%files
+%license docs/COPYING LICENSE
+%doc /usr/share/doc/packages/%name/
+%{_bindir}/%{name}-*
+%dir %{_libexecdir}/%{name}
+#{_libexecdir}/%{name}/%{name}-as
+#{_libexecdir}/%{name}/as
+%if 0%{?afl_64}
+%{_libexecdir}/%{name}/afl-{%{afl_rt}}-64.o
+%endif
+%if 0%{?afl_32}
+%{_libexecdir}/%{name}/afl-{%{afl_rt}}-32.o
+%endif
+%ifarch aarch64
+%{_libexecdir}/%{name}/afl-llvm-rt-lto-32.o
+%endif
+%{_libexecdir}/%{name}/afl-{%{afl_rt}}.o
+%{_libexecdir}/%{name}/dynamic_list.txt
+%{_libexecdir}/%{name}/*.so
+%{_libexecdir}/%{name}/*.a
+%dir %{_datadir}/%{name}
+%dir %{_datadir}/%{name}/testcases
+%{_datadir}/%{name}/testcases/*
+%dir %{_datadir}/afl/dictionaries/
+%{_datadir}/afl/dictionaries/*
+%{_datadir}/afl/injections.dic
+%{_mandir}/man8/afl*.8*
+
+%files devel
+%license docs/COPYING LICENSE
+%{_includedir}/afl
+
+%changelog
diff --git a/v4.21c.tar.gz b/v4.21c.tar.gz
new file mode 100644
index 0000000..e7f744a
--- /dev/null
+++ b/v4.21c.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:11f7c77d37cff6e7f65ac7cc55bab7901e0c6208e845a38764394d04ed567b30
+size 3004235
diff --git a/v4.30c.tar.gz b/v4.30c.tar.gz
new file mode 100644
index 0000000..0bb07e2
--- /dev/null
+++ b/v4.30c.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7c08c81f59b6c1f0bc2428fdee9fb880520e72c50be0683072e66bcde662b480
+size 3031558
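Review bot: The `%files` section hard-codes `%doc /usr/share/doc/packages/%name/` while `%build` and `%install` both pass `DOC_DIR=%{_docdir}`, so the installed path and the packaged path can drift apart on any target where `%{_docdir}` is not that literal directory; `%doc %{_docdir}/%{name}/` keeps the two in step. The LLVM version is pinned only at build time (`BuildRequires: (clang >= 17)`, `BuildRequires: llvm-devel >= 17`) and the runtime dependency list has just `Requires: lld`, so the installed afl-clang-fast/afl-clang-lto wrappers will presumably run against whatever clang happens to be installed, which may not be the LLVM the instrumentation pass objects were built against — a matching `Requires: clang >= 17` next to `Requires: lld` would make that contract explicit. The commented-out entries `#{_libexecdir}/%{name}/%{name}-as` and `#{_libexecdir}/%{name}/as` still contain `%{name}`, which rpm expands even on comment lines; either escape it as `%%{name}` or drop the dead entries.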