Marcus Meissner
e7828fd91b
- updated to 3.11c - afl-fuzz: - better auto detection of map size - fix sanitizer settings (bug since 3.10c) - fix an off-by-one overwrite in cmplog - add non-unicode variants from unicode-looking dictionary entries - Rust custom mutator API improvements - Imported crash stats painted yellow on resume (only new ones are red) - afl-cc: - added AFL_NOOPT that will just pass everything to the normal gcc/clang compiler without any changes - to pass weird configure scripts - fixed a crash that can occur with ASAN + CMPLOG together plus better support for unicode (thanks to @stbergmann for reporting!) - fixed a crash in LAF transform for empty strings - handle erroneous setups in which multiple afl-compiler-rt are compiled into the target. This now also supports dlopen() instrumented libs loaded before the forkserver and even after the forkserver is started (then with collisions though) - the compiler rt was added also in object building (-c) which should have been fixed years ago but somewhere got lost :( - Renamed CTX to CALLER, added correct/real CTX implementation to CLASSIC - qemu_mode: - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks! - if no new/updated checkout is wanted, build with: NO_CHECKOUT=1 ./build_qemu_support.sh - we no longer perform a "git drop" - afl-cmin: support filenames with spaces - afl-3.0c-fix-paths.patch: refreshed OBS-URL: https://build.opensuse.org/request/show/879398 OBS-URL: https://build.opensuse.org/package/show/devel:tools/afl?expand=0&rev=128
1248 lines
82 KiB
Plaintext
-------------------------------------------------------------------
Tue Mar 16 07:43:01 UTC 2021 - Marcus Meissner <meissner@suse.com>

- updated to 3.11c
  - afl-fuzz:
    - better auto detection of map size
    - fix sanitizer settings (bug since 3.10c)
    - fix an off-by-one overwrite in cmplog
    - add non-unicode variants from unicode-looking dictionary entries
    - Rust custom mutator API improvements
    - Imported crash stats painted yellow on resume (only new ones are red)
  - afl-cc:
    - added AFL_NOOPT that will just pass everything to the normal
      gcc/clang compiler without any changes - to pass weird configure
      scripts
    - fixed a crash that can occur with ASAN + CMPLOG together plus
      better support for unicode (thanks to @stbergmann for reporting!)
    - fixed a crash in LAF transform for empty strings
    - handle erroneous setups in which multiple afl-compiler-rt are
      compiled into the target. This now also supports dlopen()
      instrumented libs loaded before the forkserver and even after the
      forkserver is started (then with collisions though)
    - the compiler rt was added also in object building (-c) which
      should have been fixed years ago but somewhere got lost :(
    - Renamed CTX to CALLER, added correct/real CTX implementation to
      CLASSIC
  - qemu_mode:
    - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
    - if no new/updated checkout is wanted, build with:
      NO_CHECKOUT=1 ./build_qemu_support.sh
    - we no longer perform a "git drop"
  - afl-cmin: support filenames with spaces
- afl-3.0c-fix-paths.patch: refreshed

-------------------------------------------------------------------
Mon Mar 1 09:43:40 UTC 2021 - Marcus Meissner <meissner@suse.com>

- update to 3.10c
  - Mac OS ARM64 support
  - Android support fixed and updated by Joey Jiaojg - thanks!
  - New selective instrumentation option with __AFL_COVERAGE_* commands
    to be placed in the source code.
    Check out instrumentation/README.instrument_list.md
  - afl-fuzz
    - Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on
      start the target map size
    - upgraded cmplog/redqueen: solving for floating point, solving
      transformations (e.g. toupper, tolower, to/from hex, xor,
      arithmetics, etc.). This is costly, hence the new command line option
      `-l` that sets the intensity (values 1 to 3). Recommended is 2.
    - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial seeds
      from `-i` or resumes (these have most likely already been done)
    - fix crash for very, very fast targets+systems (thanks to mhlakhani
      for reporting)
    - on restarts (`-i`)/autoresume (AFL_AUTORESUME) the stats are now
      reloaded and used, thanks to Vimal Joseph for this patch!
    - changed the meaning of '+' of the '-t' option, it now means to
      auto-calculate the timeout with the value given being the max
      timeout. The original meaning of skipping timeouts instead of
      abort is now inherent to the -t option.
    - if deterministic mode is active (`-D`, or `-M` without `-d`) then
      we sync after every queue entry as this can take a very long time
      otherwise
    - added minimum SYNC_TIME to include/config.h (30 minutes default)
    - better detection if a target needs a large shared map
    - fix for `-Z`
    - fixed a few crashes
    - switched to an even faster RNG
    - added hghwng's patch for faster trace map analysis
    - printing suggestions for mistyped `AFL_` env variables
    - added Rust bindings for custom mutators (thanks @julihoh)
  - afl-cc
    - allow instrumenting LLVMFuzzerTestOneInput
    - fixed endless loop for allow/blocklist lines starting with a
      comment (thanks to Zherya for reporting)
    - cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
    - cmplog/redqueen can now process basic libc++ and libstdc++
      std::string comparisons (no position or length type variants)
    - added support for __afl_coverage_interesting() for LTO and our
      own PCGUARD (llvm 10.0.1+), read more about this function and
      selective coverage in instrumentation/README.instrument_list.md
    - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard
      support (less performant than our own), GCC for old afl-gcc and
      CLANG for old afl-clang
    - fixed a potential crash in the LAF feature
    - workaround for llvm bitcast lto bug
    - workaround for llvm 13
  - qemuafl
    - QASan (address sanitizer for Qemu) ported to qemuafl!
      See qemu_mode/libqasan/README.md
    - solved some persistent mode bugs (thanks Dil4rd)
    - solved an issue when dumping the memory maps (thanks wizche)
    - Android support for QASan
  - unicornafl
    - Substantial speed gains in python bindings for certain use cases
    - Improved rust bindings
    - Added a new example harness to compare python, c and rust bindings
  - afl-cmin and afl-showmap now support the -f option
  - afl_plot now also generates a graph on the discovered edges
  - changed default: no memory limit for afl-cmin and afl-cmin.bash
  - warn on any _AFL and __AFL env vars.
  - set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars
  - added dummy Makefile to instrumentation/
  - Updated utils/afl_frida to be 5% faster, 7% on x86_x64
  - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b)
  - @Edznux added a nice documentation on how to use rpc.statsd with
    afl++ in docs/rpc_statsd.md, thanks!

-------------------------------------------------------------------
Tue Dec 15 09:18:09 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 3.0c
  - llvm_mode/ and gcc_plugin/ moved to instrumentation/
  - examples/ renamed to utils/
  - moved libdislocator, libtokencap and qdbi_mode to utils/
  - all compilers combined to afl-cc which emulates the previous ones
  - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
  - afl-fuzz
    - not specifying -M or -S will now auto-set "-S default"
    - deterministic fuzzing is now disabled by default and can be enabled with
      -D. It is still enabled by default for -M.
    - a new seed selection was implemented that uses weighted randoms based on
      a schedule performance score, which is much better than the previous
      walk the whole queue approach. Select the old mode with -Z (auto enabled
      with -M)
    - Marcel Boehme submitted a patch that improves all AFLFast schedules :)
    - the default schedule is now FAST
    - memory limits are now disabled by default, set them with -m if required
    - rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
    - reading testcases from -i now descends into subdirectories
    - allow the -x command line option up to 4 times
    - loaded extras now have a duplication protection
    - If test cases are too large we do a partial read on the maximum
      supported size
    - longer seeds with the same trace information will now be ignored
      for fuzzing but still be used for splicing
    - crashing seeds are now not prohibiting a run anymore but are
      skipped - they are used for splicing, though
    - update MOpt for expanded havoc modes
    - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
    - added NO_SPLICING compile option and makefile define
    - added INTROSPECTION make target that writes all mutations to
      out/NAME/introspection.txt
    - print special compile time options used in help output
    - when using -c cmplog, one of the children was not killed, fixed
    - somewhere we broke -n dumb fuzzing, fixed
    - added afl_custom_describe to the custom mutator API to allow for easy
      mutation reproduction on crashing inputs
  - instrumentation
    - We received an enhanced gcc_plugin module from AdaCore, thank you
      very much!!
    - not overriding -Ox or -fno-unroll-loops anymore
    - we now have our own trace-pc-guard implementation. It is the same as
      -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
      and b) works from llvm 10.0.1 + onwards :)
    - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
      -x dictionary of string comparisons found during compilation
    - LTO autodict now also collects interesting cmp comparisons,
      std::string compare + find + ==, bcmp
    - fix crash in dict2file for integers > 64 bit
  - custom mutators
    - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
    - added a new custom mutator: libfuzzer that integrates libfuzzer mutations
    - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
    - added INTROSPECTION support for custom modules
    - python fuzz function was not optional, fixed
    - some python mutator speed improvements
  - afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
  - unicornafl synced with upstream version 1.02 (fixes, better rust bindings)
  - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD
  - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash
- afl-2.63c-fix-paths.patch refreshed to afl-3.0c-fix-paths.patch

-------------------------------------------------------------------
Sat Sep 5 08:43:19 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.68c
  - added the excellent GSoC afl++ grammar mutator by Shengtuo to our
    custom_mutators/ (see custom_mutators/README.md) - or get it here:
    https://github.com/AFLplusplus/Grammar-Mutator
  - a few QOL changes for Apple and its outdated gmake
  - afl-fuzz:
    - fix for auto dictionary entries found during fuzzing to not throw out
      a -x dictionary
    - added total execs done to plot file
    - AFL_MAX_DET_EXTRAS env variable added to control the amount of
      deterministic dict entries without recompiling.
    - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait
      for the forkserver to come up without the need to increase the overall
      timeout.
    - bugfix for cmplog that results in a heap overflow based on target data
      (thanks to the magma team for reporting!)
    - write fuzzing setup into out/fuzzer_setup (environment variables and
      command line)
  - custom mutators:
    - added afl_custom_fuzz_count/fuzz_count function to allow specifying
      the number of fuzz attempts for custom_fuzz
  - llvm_mode:
    - ported SanCov to LTO, and made it the default for LTO. better
      instrumentation locations
    - Further llvm 12 support (fast moving target like afl++ :-) )
    - deprecated the LLVM SKIPSINGLEBLOCK environment variable

-------------------------------------------------------------------
Wed Aug 19 14:35:25 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.67c
  - Support for improved afl++ snapshot module:
    https://github.com/AFLplusplus/AFL-Snapshot-LKM
  - Due to the instrumentation needing more memory, the initial memory sizes
    for -m have been increased
  - afl-fuzz:
    - added -F option to allow -M main fuzzers to sync to foreign fuzzers,
      e.g. honggfuzz or libfuzzer
    - added -b option to bind to a specific CPU
    - eliminated CPU affinity race condition for -S/-M runs
    - expanded havoc mode added, on no cycle finds add extra splicing and
      MOpt into the mix
    - fixed a bug in redqueen for strings and made deterministic with -s
  - llvm_mode:
    - now supports llvm 12
    - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
      AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and
      are matched to AFL_LLVM_ALLOWLIST). The format is compatible with llvm
      sancov, and also supports function matching :)
    - added neverzero counting to trace-pc/pcguard
    - fixes for laf-intel float splitting (thanks to mark-griffin for
      reporting)
    - fixes for llvm 4.0
    - skipping ctors and ifuncs for instrumentation
    - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
      for a fixed map address (eg. 0x10000)
    - LTO: improved stability for persistent mode, no other instrumentation
      has that advantage
    - LTO: fixed autodict for long strings
    - LTO: laf-intel and redqueen/cmplog are now applied at link time
      to prevent llvm optimizing away the splits
    - LTO: autodictionary mode is a fixed default now
    - LTO: instrim instrumentation disabled, only classic support used
      as it is always better
    - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID
      was given to which function during compilation
    - LTO: single block functions were not implemented by default, fixed
    - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inverted, fixed
    - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
      AFL_LLVM_LAF_SPLIT_COMPARES
    - support for -E and -shared compilation runs
  - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
  - added afl-frida gum solution to examples/afl_frida (mostly imported
    from https://github.com/meme/hotwax/)
  - small fixes to afl-plot, afl-whatsup and man page creation
  - new README, added FAQ

-------------------------------------------------------------------
Thu Jul 2 09:59:38 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.66c
  - renamed blacklist/whitelist to ignorelist/instrumentlist ->
    AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE
  - warn on deprecated environment variables
  - afl-fuzz:
    - -S secondary nodes now only sync from the main node to increase
      performance, the -M main node still syncs from everyone. Added checks
      that ensure exactly one main node is present and warn otherwise
    - Add -D after -S to force a secondary to perform deterministic fuzzing
    - If no main node is present at a sync one secondary node automatically
      becomes a temporary main node until a real main node shows up
    - Fixed a major performance issue we inherited from AFLfast
    - switched murmur2 hashing and random() for xxh3 and xoshiro256**,
      resulting in an up to 5.5% speed increase
    - Resizing the window does not crash afl-fuzz anymore
    - Ensure that the targets are killed on exit
    - fix/update to MOpt (thanks to arnow117)
    - added MOpt dictionary support from repo
    - added experimental SEEK power schedule. It is EXPLORE with ignoring
      the runtime and less focus on the length of the test case
  - llvm_mode:
    - the default instrumentation is now PCGUARD if the llvm version is >= 7,
      as it is faster and provides better coverage. The original afl
      instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
      automatically done when the instrument_file list feature is used.
    - PCGUARD mode is now even better because we made it collision free - plus
      it has a fixed map size, so it is also faster! :)
    - some targets want an ld variant for LD that is not gcc/clang but ld,
      added afl-ld-lto to solve this
    - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
      needs 3.8.0)
    - instrument_file list feature now supports wildcards (thanks to sirmc)
    - small change to cmplog to make it work with current llvm 11-dev
    - added AFL_LLVM_LAF_ALL, sets all laf-intel settings
    - LTO instrument_files functionality rewritten, now main, _init etc functions
      need not be listed anymore
    - fixed crash in compare-transform-pass when strcasecmp/strncasecmp was
      to be instrumented with LTO
    - fixed crash in cmplog with LTO
    - enable snapshot lkm also for persistent mode
  - Unicornafl
    - Added powerPC support from unicorn/next
    - rust bindings!
  - CMPLOG/Redqueen now also works for MMAP sharedmem
  - ensure shmem is released on errors
  - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
    compiled by default anymore.
  - allow running in /tmp (only unsafe with umask 0)
  - persistent mode shared memory testcase handover (instead of via
    files/stdin) - 10-100% performance increase
  - General support for 64 bit PowerPC, RiscV, Sparc etc.
  - fix afl-cmin.bash
  - slightly better performance compilation options for afl++ and targets
  - fixed afl-gcc/afl-as that could break on fast systems reusing pids in
    the same second
  - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
  - added former post_library examples to examples/custom_mutators/
  - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
    gcc 10 so afl-clang-lto can be built

-------------------------------------------------------------------
Fri May 15 09:24:47 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.65c
  - afl-fuzz:
    - AFL_MAP_SIZE was not working correctly
    - better python detection
    - an old, old bug in afl that would show negative stability in rare
      circumstances is now hopefully fixed
    - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
      instead (see docs/custom_mutators.md)
  - llvm_mode:
    - afl-clang-fast/lto now do not skip single block functions. This
      behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
    - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
      address for the shared memory map is used as this increases the
      fuzzing speed
    - InsTrim now has an LTO version! :-) That is the best and fastest mode!
    - fixes to LTO mode if instrumented edges > MAP_SIZE
    - CTX and NGRAM can now be used together
    - CTX and NGRAM are now also supported in CFG/INSTRIM mode
    - AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
    - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
      implementation. For targets with few or no loops or heavily called
      functions. Gives a small performance boost.
  - qemu_mode:
    - add information on PIE/PIC load addresses for 32 bit
    - better dependency checks
  - gcc_plugin:
    - better dependency checks
  - unicorn_mode:
    - validate_crash_callback can now count non-crashing inputs as crash as well
    - better submodule handling
  - afl-showmap: fix for -Q mode
  - added examples/afl_network_proxy which allows fuzzing a target over the
    network (not fuzzing tcp/ip services but running afl-fuzz on one system
    and the target being on an embedded device)
  - added examples/afl_untracer which does binary-only fuzzing with the
    modifications done in memory (intel32/64 and aarch64 support)
  - added examples/afl_proxy which can be easily used to fuzz and instrument
    non-standard things
  - all:
    - forkserver communication now also used for error reporting
    - fix 32 bit build options
    - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
      intact if in a git/svn checkout - unless "deepclean" is used

-------------------------------------------------------------------
Sat Apr 18 07:05:42 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.64c
  - llvm_mode LTO mode:
    - now requires llvm11 - but compiles all targets! :)
    - autodictionary feature added, enable with `AFL_LLVM_LTO_AUTODICTIONARY`
    - variable map size usage
  - afl-fuzz:
    - variable map size support added (only LTO mode can use this)
    - snapshot feature usage now visible in UI
    - Now setting `-L -1` will enable MOpt in parallel to normal mutation.
      Additionally, this allows running dictionaries, radamsa and cmplog.
    - fix for cmplog/redqueen mode if stdin was used
    - fix for writing a better plot_data file
  - qemu_mode: fix for persistent mode (which would not terminate or get stuck)
  - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
    static global and local variable comparisons (cannot find all though)
  - extended forkserver: map_size and more information is communicated to
    afl-fuzz (and afl-fuzz acts accordingly)
  - new environment variable: AFL_MAP_SIZE to specify the size of the shared map
  - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed
    (this bug is in vanilla afl too)
  - added NO_PYTHON flag to disable python support when building afl-fuzz
  - more refactoring

-------------------------------------------------------------------
Sun Apr 12 11:04:35 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.63c
  - all:
    - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
      multiple fuzzing threads in the future or even become a library
    - afl basic tools now report on the environment variables picked up
    - more tools get environment variable usage info in the help output
    - force all output to stdout (some OK/SAY/WARN messages were sent to
      stdout, some to stderr)
    - uninstrumented mode uses an internal forkserver ("fauxserver")
    - now builds with `-D_FORTIFY_SOURCE=2`
    - drastically reduced number of (de)allocations during fuzzing
  - afl-fuzz:
    - python mutator modules and custom mutator modules now use the same
      interface and hence the API changed
    - AFL_AUTORESUME will resume execution without the need to specify `-i -`
    - added experimental power schedules (-p):
      - mmopt: ignores runtime of queue entries, gives higher weighting to
        the last 5 queue entries
      - rare: puts focus on queue entries that hit rare branches, also ignores
        runtime
  - llvm_mode:
    - added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM)
    - added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
    - added AFL_LLVM_INSTRUMENT option to control the instrumentation type
      easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16)
    - made USE_TRACE_PC compile obsolete
    - LTO collision free instrumentation added in llvm_mode with afl-clang-lto -
      note that this mode is amazing, but quite some targets won't compile
    - Added llvm_mode NGRAM prev_loc coverage by Adrian Herrera
      (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting
      AFL_LLVM_INSTRUMENT=NGRAM-<value> or AFL_LLVM_NGRAM_SIZE=<value>
    - Added llvm_mode context sensitive branch coverage, activated by setting
      AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1
  - llvm_mode InsTrim mode:
    - removed workaround for bug where paths were not instrumented and
      imported fix by author
    - made skipping 1 block functions an option, disabled by default,
      set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
  - qemu_mode:
    - qemu_mode now uses solely the internal capstone version to fix builds
      on modern Linux distributions
    - QEMU now logs routine arguments for CmpLog when the target is x86
  - afl-tmin:
    - now supports hang mode `-H` to minimize hangs
    - fixed potential afl-tmin misbehavior for targets with multiple hangs
  - Pressing Control-c in afl-cmin did not terminate it on some OSes
  - the custom API was rewritten and is now the same for Python and shared
    libraries.
- afl-1.58b-fix-paths.patch moved to afl-2.63c-fix-paths.patch: adjust
  Makefile -> GNUmakefile

-------------------------------------------------------------------
Fri Feb 28 14:09:26 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.62c
  - Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE!
  - Small fix for -E/-V to release the CPU
  - CmpLog does not need sancov anymore

-------------------------------------------------------------------
Tue Feb 25 12:04:22 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.61c
  - use -march=native if available
  - most tools now check for mistyped environment variables
  - gcc 10 is now supported
  - the memory safety checks are now disabled for a little more speed during
    fuzzing (only affects creating queue entries), can be toggled in config.h
  - afl-fuzz:
    - MOpt out of bounds writing crash fixed
    - now prints the real python version support compiled in
    - set stronger performance compile options and little tweaks
    - Android: prefer bigcores when selecting a CPU
    - CmpLog forkserver
    - Redqueen input-2-state mutator (cmp instructions only ATM)
    - all Python 2+3 versions supported now
    - changed execs_per_sec in fuzzer_stats from "current" execs per second
      (which is pointless) to total execs per second
    - bugfix for dictionary insert stage count (fix via Google repo PR)
    - added warning if -M is used together with custom mutators with _ONLY option
    - AFL_TMPDIR checks are now later and better explained if they fail
  - llvm_mode
    - InsTrim: three bug fixes:
      1. (minor) no pointless instrumentation of 1 block functions
      2. (medium) path bug that leads to a few blocks not being instrumented
         that should be
      3. (major) incorrect prev_loc was written, fixed!
    - afl-clang-fast:
      - show in the help output which llvm version it was compiled for
      - now does not need to be recompiled between trace-pc and pass
        instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
    - LLVM 11 is supported
    - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
  - afl-gcc, afl-clang-fast, afl-gcc-fast:
    - experimental support for undefined behaviour sanitizer UBSAN
      (set AFL_USE_UBSAN=1)
    - the instrumentation summary output now also lists activated sanitizers
  - afl-as: added isatty(2) check back in
  - added AFL_DEBUG (for upcoming merge)
  - qemu_mode:
    - persistent mode is now also available for arm and aarch64
    - CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
      for x86, x86_64, arm and aarch64
    - AFL_PERSISTENT_HOOK callback module for persistent QEMU
      (see examples/qemu_persistent_hook)
    - added qemu_mode/README.persistent.md documentation
    - AFL_ENTRYPOINT now has instruction granularity
  - afl-cmin is now a sh script (invoking awk) instead of bash for portability,
    the original script is still present as afl-cmin.bash
  - afl-showmap: -i dir option now allows processing multiple inputs using the
    forkserver. This is for enhanced speed in afl-cmin.
  - added blacklist and whitelisting function check in all modules of llvm_mode
  - added fix from Debian project to compile libdislocator and libtokencap
  - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t

-------------------------------------------------------------------
Sun Feb 9 16:12:14 UTC 2020 - Marcus Meissner <meissner@suse.com>

- added radamsa mutator

-------------------------------------------------------------------
Thu Jan 2 08:31:09 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.60c
  - fixed a critical bug in afl-tmin that was introduced during ++2.53d
  - added test cases for afl-cmin and afl-tmin to test/test.sh
  - added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
  - added preeny's desock_dup ld_preload library as
    ./experimental/socket_fuzzing for network fuzzing
  - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
    for the retrorewrite project
  - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used

-------------------------------------------------------------------
Fri Dec 27 16:01:06 UTC 2019 - Marcus Meissner <meissner@suse.com>

- updated to 2.59c
  - qbdi_mode: fuzz android native libraries via QBDI framework
  - unicorn_mode: switched to the new unicornafl, thanks domenukk
    (see https://github.com/vanhauser-thc/unicorn)
  - afl-fuzz:
    - added radamsa as (an optional) mutator stage (-R[R])
    - added -u command line option to not unlink the fuzz input file
    - Python3 support (autodetect)
    - AFL_DISABLE_TRIM env var to disable the trim stage
    - CPU affinity support for DragonFly
  - llvm_mode:
    - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
    - support for llvm 10 included now (thanks to devnexen)
  - libtokencap:
    - support for *BSD/OSX/Dragonfly added
    - hook common *cmp functions from widely used libraries
  - compcov:
    - hook common *cmp functions from widely used libraries
    - floating point splitting support for QEMU on x86 targets
  - qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
  - afl-analyze: added AFL_SKIP_BIN_CHECK support
  - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
  - Dockerfile by courtesy of devnexen
  - added regex.dictionary
  - qemu and unicorn download scripts now try to download until the full
    download succeeded. f*ckin travis fails downloading 40% of the time!
  - more support for Android (please test!)
  - added the few Android stuff we didn't have already from Google afl repository
  - removed unnecessary warnings

-------------------------------------------------------------------
Sat Nov 9 16:05:04 UTC 2019 - Marcus Meissner <meissner@suse.com>

- updated to 2.58c
  - reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10%
  - added test/test-performance.sh script
  - (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistence feature! by hexcoder-
  - gcc_plugin tests added to testing framework
  - jump to 2.57 instead of 2.55 to catch up with Google's versioning
  - persistent mode for QEMU (see qemu_mode/README.md)
  - custom mutator library is now an additional mutator, to exclusively use it
    add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
  - new library qemu_mode/unsigaction which filters sigaction events
  - afl-fuzz: new command line option -I to execute a command on a new crash
  - no more unlinking the input file, this way the input file can also be a
    FIFO or disk partition
  - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
    llvm version. If your setup is correct.
  - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
  - added "make tests" which will perform checks to see that all functionality
    is working as expected. this is currently the starting point, it's not complete :)
  - added mutation documentation feature ("make document"), creates afl-fuzz-document
    and saves all mutations of the first run on the first file into out/queue/mutations
  - libtokencap and libdislocator now compile to the afl_root directory and are
    installed to the .../lib/afl directory when present during make install
  - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
  - reducing duplicate code in afl-fuzz
  - added "make help"
  - removed compile warnings from python internal stuff
  - added man page for afl-clang-fast[++]
  - updated documentation
  - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
  - CompareCoverage for ARM target in QEMU/Unicorn
  - 2.54c:
    - big code refactoring:
      - all includes are now in include/
      - all afl sources are now in src/ - see src/README.src
      - afl-fuzz was split up into various individual files for including
        functionality in other programs (e.g. forkserver, memory map, etc.)
        for better readability.
      - new code indentation everywhere
    - auto-generating man pages for all (main) tools
    - added AFL_FORCE_UI to show the UI even if the terminal is not detected
    - llvm 9 is now supported (still needs testing)
    - Android is now supported (thanks to JoeyJiao!) - still need to modify the Makefile though
    - fix building qemu on some Ubuntus (thanks to floyd!)
    - custom mutator by a loaded library is now supported (thanks to kyakdan!)
    - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report
    - more support for *BSD (thanks to devnexen!)
    - fix building on *BSD (thanks to tobias.kortkamp for the patch)
    - fix for a few features to support map sizes other than 2^16
    - afl-showmap: new option -r now shows the real values in the buckets (stock
      afl never did), plus shows tuple content summary information now
    - small docu updates
    - NeverZero counters for QEMU
    - NeverZero counters for Unicorn
    - CompareCoverage Unicorn
    - immediates-only instrumentation for CompareCoverage
  - 2.53c release
    - imported the few minor changes from the 2.53b release
    - unicorn_mode got added - thanks to domenukk for the patch!
    - fix llvm_mode AFL_TRACE_PC with modern llvm
    - fix a crash in qemu_mode which also exists in stock afl
    - added libcompcov, a laf-intel implementation for qemu! :) see qemu_mode/libcompcov/README.libcompcov
    - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels
    - all queue, hang and crash files now have their discovery time in their name
    - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc
    - added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
    - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
    - added code to make it more portable to other platforms than Intel Linux
    - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
    - added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt
    - more cpu power for afl-system-config
    - added forkserver patch to afl-tmin, makes it much faster (originally from github.com/nccgroup/TriforceAFL)
    - added whitelist support for llvm_mode via AFL_LLVM_WHITELIST to allow only to instrument what is actually interesting. Gives more speed and less map pollution (originally by choller@mozilla)
    - added Python Module mutator support, python2.7-dev is autodetected. see docs/python_mutators.txt (originally by choller@mozilla)
    - added AFL_CAL_FAST for slow applications and AFL_DEBUG_CHILD_OUTPUT for debugging
    - added -V time and -E execs option for better comparison runs, runs afl-fuzz for a specific time/executions.
    - added a -s seed switch to allow afl to run with a fixed initial seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then

-------------------------------------------------------------------
Thu Oct 17 12:58:02 UTC 2019 - Richard Brown <rbrown@suse.com>

- Remove obsolete Groups tag (fate#326485)

-------------------------------------------------------------------
Sun Jun 23 17:44:06 UTC 2019 - Marcus Meissner <meissner@suse.com>

- updated to afl++ 2.52c version, community fork. It integrates
  various community patches.
  - community patches to make llvm_mode and qemu_mode faster, plus new features and bugfixes
  - qemu upgraded to 3.1
  - aflfast powerschedules added
  - llvm_mode now supports llvm up to version 8

-------------------------------------------------------------------
Thu Aug 30 15:03:49 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Fix build on non X86* platforms

-------------------------------------------------------------------
Sun Nov 5 07:57:53 UTC 2017 - mardnh@gmx.de

- Update to version 2.52b:
  * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting
    several weird issues.
  * Added setsid to afl-showmap. See the notes for 2.51b.
  * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats.
  * afl-tmin should now save a partially minimized file when Ctrl-C
    is pressed.
  * Added an option for afl-analyze to dump offsets in hex.
  * Added support for parameters in triage_crashes.sh.

-------------------------------------------------------------------
Sun Sep 3 12:08:41 UTC 2017 - astieger@suse.com

- afl 2.51b:
  * Make afl-tmin call setsid to prevent glibc traceback junk from
    showing up on the terminal
- includes changes from 2.50b:
  * Fix a timing corner case
  * Address a libtokencap / pthreads incompatibility issue
  * Add AFL_FAST_CAL.
  * In-place resume now preserves .synced

-------------------------------------------------------------------
Sat Jul 29 23:04:43 UTC 2017 - meissner@suse.com

- include docs/README

-------------------------------------------------------------------
Wed Jul 26 06:47:03 UTC 2017 - meissner@suse.com

- Version 2.49b
  - Added AFL_TMIN_EXACT to allow path constraint for crash minimization.
  - Added dates for releases (retroactively for all of 2017).
- Version 2.48b
  - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
  - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
  - Made it possible to point -o and -f to the same file in afl-tmin.
- Version 2.47b
  - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk.
- Version 2.46b
  - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
    want to abort on calloc() overflows.
  - Made a minor fix to libtokencap. Reported by Daniel Stender.
  - Added a small JSON dictionary, inspired by a dictionary done by Jakub Wilk.

-------------------------------------------------------------------
Fri Jul 7 14:59:31 UTC 2017 - meissner@suse.com

- update to 2.45b:
  - Added strstr, strcasestr support to libtokencap. Contributed by
    Daniel Hodson.
  - Fixed a resumption offset glitch spotted by Jakub Wilk.
  - There are definitely no bugs in afl-showmap -c now.

-------------------------------------------------------------------
Mon Jul 3 08:08:58 UTC 2017 - astieger@suse.com

- update to 2.44b:
  * Add visual indicator of ASAN / MSAN mode when compiling
  * Add support for afl-showmap coredumps (-c)
  * Add LD_BIND_NOW=1 for afl-showmap by default
  * Added AFL_NO_ARITH to aid in the fuzzing of text-based formats
  * Renamed the R() macro to avoid a problem with llvm_mode in the
    latest versions of LLVM

-------------------------------------------------------------------
Wed Apr 12 06:25:50 UTC 2017 - meissner@suse.com

- update to 2.41b:
  - Addressed a major user complaint related to timeout detection. Timing out
    inputs are now binned as "hangs" only if they exceed a far more generous
    time limit than the one used to reject slow paths.
- update to 2.40b:
  - Fixed a minor oversight in the insertion strategy for dictionary words.
    Spotted by Andrzej Jackowski.
  - Made a small improvement to the havoc block insertion strategy.
  - Adjusted color rules for "is it done yet?" indicators.

-------------------------------------------------------------------
Wed Mar 8 20:52:05 UTC 2017 - sfalken@opensuse.org

- Changed %doc line, to clear build failure in openSUSE:Factory
  due to unpackaged files

-------------------------------------------------------------------
Fri Feb 10 12:09:01 UTC 2017 - meissner@suse.com

- update to 2.39b:
  - Improved error reporting in afl-cmin. Suggested by floyd.
  - Made a minor tweak to trace-pc-guard support. Suggested by kcc.
  - Added a mention of afl-monitor.

-------------------------------------------------------------------
Mon Jan 30 14:21:37 UTC 2017 - astieger@suse.com

- update to 2.38b:
  * Added -mllvm -sanitizer-coverage-block-threshold=0 to
    trace-pc-guard mode
  * Fixed a cosmetic bad free() bug when aborting -S sessions
  * Made a small change to afl-whatsup to sort fuzzers by name.
  * Fixed a minor issue with malloc(0) in libdislocator
  * Changed the clobber pattern in libdislocator to a slightly more
    reliable one
  * Added a note about THP performance
  * Added a somewhat unofficial support for running afl-tmin with a
    baseline "mask" that causes it to minimize only for edges that
    are unique to the input file, but not to the "boring" baseline.
  * "Fixed" a getPassName() problem with newer versions of clang.

-------------------------------------------------------------------
Wed Oct 19 20:05:42 UTC 2016 - mpluskal@suse.com

- Update to version 2.35b:
  * Fixed a minor cmdline reporting glitch, spotted by Leo Barnes.
  * Fixed a silly bug in libdislocator. Spotted by Johannes Schultz.
- Changes for version 2.34b:
  * Added a note about afl-tmin to technical_details.txt.
  * Added support for AFL_NO_UI, as suggested by Leo Barnes.
- Changes for version 2.33b:
  * Added code to strip -Wl,-z,defs and -Wl,--no-undefined for
    afl-clang-fast, since they interfere with -shared. Spotted and
    diagnosed by Toby Hutton.
  * Added some fuzzing tips for Android.

-------------------------------------------------------------------
Thu Aug 25 12:45:55 UTC 2016 - meissner@suse.com

- Version 2.32b:
  - Added a check for AFL_HARDEN combined with AFL_USE_*SAN. Suggested by Hanno Boeck.
  - Made several other cosmetic adjustments to cycle timing in the wake of the big tweak made in 2.31b.
- Version 2.31b:
  - Changed havoc cycle counts for a marked performance boost, especially
    with -S / -d. See the discussion of FidgetyAFL in:

    https://groups.google.com/forum/#!topic/afl-users/fOPeb62FZUg

    While this does not implement the approach proposed by the authors of
    the CCS paper, the solution is a result of digging into that research;
    more improvements may follow as I do more experiments and get more
    definitive data.
- Version 2.30b:
  - Made minor improvements to persistent mode to avoid the remote
    possibility of "no instrumentation detected" issues with very low
    instrumentation densities.
  - Fixed a minor glitch with a leftover process in persistent mode.
    Reported by Jakub Wilk and Daniel Stender.
  - Made persistent mode bitmaps a bit more consistent and adjusted the way
    this is shown in the UI, especially in persistent mode.
- Version 2.29b:
  - Made a minor #include fix to llvm_mode. Suggested by Jonathan Metzman.
  - Made cosmetic updates to the docs.
- Version 2.28b:
  - Added "life pro tips" to docs/.
  - Moved testcases/_extras/ to dictionaries/ for visibility.
  - Made minor improvements to install scripts.
  - Added an important safety tip.
- Version 2.27b:
  - Added libtokencap, a simple feature to intercept strcmp / memcmp and
    generate dictionary entries that can help extend coverage.
  - Moved libdislocator to its own dir, added README.
  - The demo in experimental/instrumented_cmp is no more.
- Version 2.26b:
  - Made a fix for libdislocator.so to compile on MacOS X.
  - Added support for DYLD_INSERT_LIBRARIES.
  - Renamed AFL_LD_PRELOAD to AFL_PRELOAD.
- Version 2.25b:
  - Made some cosmetic updates to libdislocator.so, renamed one env
    variable.
- Version 2.24b:
  - Added libdislocator.so, an experimental, abusive allocator. Try
    it out with AFL_LD_PRELOAD=/path/to/libdislocator.so when running
    afl-fuzz.
- Version 2.23b:
  - Improved the stability metric for persistent mode binaries. Problem
    spotted by Kurt Roeckx.
  - Made a related improvement that may bring the metric to 100% for those
    targets.
- Version 2.22b:
  - Mentioned the potential conflicts between MSAN / ASAN and FORTIFY_SOURCE.
    There is no automated check for this, since some distros may implicitly
    set FORTIFY_SOURCE outside of the compiler's argv[].
  - Populated the support for AFL_LD_PRELOAD to all companion tools.
  - Made a change to the handling of ./afl-clang-fast -v. Spotted by
    Jan Kneschke.

-------------------------------------------------------------------
Sat Jul 23 19:10:30 UTC 2016 - astieger@suse.com

- afl 2.21b:
  * Minor UI fixes
- includes changes from 2.20b:
  * Revamp handling of variable paths
  * Stability improvements
  * Include current input bitmap density in UI
  * Add experimental support for parallelizing -M.
- includes changes from 2.19b:
  * Ensure auto CPU binding happens at non-overlapping times
- includes changes from 2.18b
  * Performance improvements

-------------------------------------------------------------------
Tue Jun 28 06:26:03 UTC 2016 - astieger@suse.com

- afl 2.17b:
  * Remove error-prone and manual -Z option
  * automatically bind to the first free core

-------------------------------------------------------------------
Wed Jun 15 18:26:54 UTC 2016 - astieger@suse.com

- afl 2.14b:
  - Added FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION as a macro
    defined when compiling with afl-gcc and friends
  - Refreshed some of the non-x86 docs.

-------------------------------------------------------------------
Tue May 31 11:18:02 UTC 2016 - astieger@suse.com

- afl 2.13b:
  * Fixed a spurious build test error with trace-pc and
    llvm_mode/Makefile.
  * Fixed a cosmetic issue with afl-whatsup
- includes changes from 2.12b
  * Fixed a minor issue in afl-tmin that can make alphabet
    minimization less efficient during passes > 1

-------------------------------------------------------------------
Mon May 2 11:02:02 UTC 2016 - astieger@suse.com

- afl 2.11b:
  - Fixed a minor typo in instrumented_cmp
  - Added a missing size check for deterministic insertion steps.
  - Made an improvement to afl-gotcpu when -Z not used.
  - Fixed a typo in post_library_png.so.c in experimental/

-------------------------------------------------------------------
Sat Apr 16 15:12:46 UTC 2016 - astieger@suse.com

- afl 2.10b:
  * Fix a minor core counting glitch

-------------------------------------------------------------------
Mon Mar 28 19:11:03 UTC 2016 - mpluskal@suse.com

- Update to 2.09b
  * Made several documentation updates.
  * Added some visual indicators to promote and simplify the use
    of -Z.
- Changes for 2.08b
  * Added explicit support for -m32 and -m64 for llvm_mode.
    Inspired by a request from Christian Holler.
  * Added a new benchmarking option, as requested by Kostya
    Serebryany.
- Changes for 2.07b
  * Added CPU affinity option (-Z) on Linux. With some caution,
    this can offer a significant (10%+) performance bump and
    reduce jitter. Proposed by Austin Seipp.
  * Updated afl-gotcpu to use CPU affinity where supported.
  * Fixed confusing CPU_TARGET error messages with QEMU build.
    Spotted by Daniel Komaromy and others.
- Changes for 2.06b
  * Worked around LLVM persistent mode hiccups with -shared code.
    Contributed by Christian Holler.
  * Added __AFL_COMPILER as a convenient way to detect that
    something is built under afl-gcc / afl-clang / afl-clang-fast
    and enable custom optimizations in your code. Suggested by
    Pedro Corte-Real.
  * Upstreamed several minor changes developed by Franjo Ivancic to
    allow AFL to be built as a library. This is fairly use-specific
    and may have relatively little appeal to general audiences.

-------------------------------------------------------------------
Sun Feb 28 13:59:04 UTC 2016 - astieger@suse.com

- afl 2.05b:
  * Put __sanitizer_cov_module_init & co behind #ifdef to avoid
    problems with ASAN.

-------------------------------------------------------------------
Wed Feb 24 21:52:33 UTC 2016 - astieger@suse.com

- afl 2.04b:
  * remove indirect-calls coverage from -fsanitize-coverage
  * LLVM: Added experimental -fsanitize-coverage=trace-pc support
  - LLVM: better support non-standard map sizes
  - LLVM: use thread-local execution tracing
  - Force-disabled symbolization for ASAN
  - Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets
    without affecting AFL itself
  - Fixed a "lcamtuf can't count to 16" bug in the havoc stage.

-------------------------------------------------------------------
Tue Feb 16 15:37:01 UTC 2016 - astieger@suse.com

- afl 2.01b:
  - updates to color handling
  - Fixed an installation issue with afl-as

-------------------------------------------------------------------
Thu Feb 11 12:21:39 UTC 2016 - astieger@suse.com

- afl 1.99b:
  - Revamp the output and the internal logic of afl-analyze.
  - Clean up color handling code
  - added support for background colors.

-------------------------------------------------------------------
Wed Feb 10 20:25:47 UTC 2016 - astieger@suse.com

- afl 1.98b:
  - new tool afl-analyze

-------------------------------------------------------------------
Sat Dec 19 15:45:22 UTC 2015 - mpluskal@suse.com

- Update to 1.96b
  * Added -fpic to CFLAGS for the clang plugin, as suggested by
    Hanno Boeck.
  * Made another clang change (IRBuilder) suggested by Jeff Trull.
  * Fixed several typos, spotted by Jakub Wilk.
  * Added support for AFL_SHUFFLE_QUEUE, based on discussions with
    Christian Holler.

-------------------------------------------------------------------
Fri Nov 13 09:06:47 UTC 2015 - astieger@suse.com

- afl 1.95b:
  * Fixed a harmless bug when handling -B
  * Made the exit message a bit more accurate when
    AFL_EXIT_WHEN_DONE is set.
  * Added some error-checking for old-style forkserver syntax.
  * Switched from exit() to _exit() in injected code to avoid
    snafus with destructors in C++ code.
  * Made a change to avoid spuriously setting __AFL_SHM_ID when
    AFL_DUMB_FORKSRV is set in conjunction with -n.

-------------------------------------------------------------------
Fri Oct 2 15:11:23 UTC 2015 - astieger@suse.com

- afl 1.94b:
  * Changed allocator alignment to improve support for non-x86 systems
    (now that llvm_mode makes this more feasible).
  * Fixed an obscure bug that would affect people trying to use afl-gcc
    with $TMP set but $TMPDIR absent.

-------------------------------------------------------------------
Mon Sep 7 13:22:07 UTC 2015 - astieger@suse.com

- afl 1.92b:
  * C++ fix (namespaces)

-------------------------------------------------------------------
Thu Sep 3 14:32:09 UTC 2015 - astieger@suse.com

- afl 1.91b:
  * C++ instrumentation fixes
- includes changes from 1.90b:
  * documentation updates
  * Fixed a potential problem with deferred mode signatures getting
    optimized out by the linker (with --gc-sections).

-------------------------------------------------------------------
Wed Sep 2 07:57:31 UTC 2015 - astieger@suse.com

- afl 1.89b:
  * Revamped the support for persistent and deferred forkserver
    modes. Both now feature simpler syntax and do not require
    companion env variables.
  * Added a bit more info about afl-showmap.

-------------------------------------------------------------------
Sun Aug 30 23:40:19 UTC 2015 - astieger@suse.com

- afl 1.88b:
  * Make AFL_EXIT_WHEN_DONE work in non-tty mode.

-------------------------------------------------------------------
Thu Aug 27 14:32:46 UTC 2015 - astieger@suse.com

- afl 1.87b:
  * Add QuickStartGuide.txt and other documentation updates

-------------------------------------------------------------------
Mon Aug 10 19:49:56 UTC 2015 - astieger@suse.com

- afl 1.86b:
  * Added support for AFL_SKIP_CRASHES
  * Removed the hard-fail terminal size check

-------------------------------------------------------------------
Wed Aug 5 13:46:26 UTC 2015 - mpluskal@suse.com

- Update to 1.85b
  * Fixed a garbled sentence in notes on parallel fuzzing.
  * Fixed a minor glitch in afl-cmin.
- Changes for 1.84b
  * Made SIMPLE_FILES behave as expected when naming backup
    directories for crashes and hangs.
  * Added the total number of favored paths to fuzzer_stats.
  * Made afl-tmin, afl-fuzz, and afl-cmin reject negative values
    passed to -t and -m, since they generally won't work as
    expected.
  * Made a fix for no lahf / sahf support on older versions of
    FreeBSD.

-------------------------------------------------------------------
Mon Jun 15 09:07:34 UTC 2015 - astieger@suse.com

- afl 1.83b:
  * fixes for platforms other than GNU/Linux

-------------------------------------------------------------------
Sat Jun 13 10:41:30 UTC 2015 - astieger@suse.com

- afl 1.82b:
  * Fixed a harmless but annoying race condition in persistent mode
  * Updated persistent mode documentation
  - Tweaked AFL_PERSISTENT to force AFL_NO_VAR_CHECK.
- afl 1.81b:
  * Added persistent mode for in-process fuzzing.
  * in-place resume code to preserve crashes/README.txt.

-------------------------------------------------------------------
Tue May 26 10:59:53 UTC 2015 - astieger@suse.com

- afl 1.80b:
  - Made afl-cmin tolerant of whitespaces in filenames
  - Added support for AFL_EXIT_WHEN_DONE

-------------------------------------------------------------------
Mon May 25 07:43:23 UTC 2015 - astieger@suse.com

- afl 1.79b:
  - Added support for dictionary levels, see testcases/README.testcases.
  - Reworked the SQL dictionary to use levels.
  - Added a note about Preeny.

-------------------------------------------------------------------
Tue May 19 07:26:27 UTC 2015 - astieger@suse.com

- builds for i586 x86_64 only

-------------------------------------------------------------------
Mon May 18 17:12:36 UTC 2015 - astieger@suse.com

- afl 1.78b:
  - Added a dictionary for PDF
  - Added several references to afl-cov

-------------------------------------------------------------------
Fri May 8 13:05:09 UTC 2015 - astieger@suse.com

- afl 1.77b:
  * additional fuzzing functionality
  * reduce number of duplicates
  * documentation updates
  * qemu_mode with qemu 2.3.0

-------------------------------------------------------------------
Mon Apr 27 08:45:05 UTC 2015 - astieger@suse.com

- afl 1.73b:
  - Fixed a bug in effector maps that could sometimes cause more
    fuzzing than necessary, or SEGV
- includes changes from 1.72b:
  - Fixed a glitch in non-x86 install
  - Added a minor safeguard to llvm_mode Makefile

-------------------------------------------------------------------
Mon Apr 20 17:20:09 UTC 2015 - astieger@suse.com

- afl 1.71b:
  - Fix bug with installed copies of AFL trying to use QEMU mode.
  - Add last path / crash / hang times to fuzzer_stats
- with changes from 1.70b:
  - Modify resumption code to reuse the original timeout value when
    resuming a session if -t is not given. This prevents timeout
    creep in continuous fuzzing.
  - Add improved error messages for failed handshake when
    AFL_DEFER_FORKSRV is set.
  - slight improvement to llvm_mode/Makefile
  - Refresh several bits of documentation.

-------------------------------------------------------------------
Thu Apr 16 07:19:18 UTC 2015 - astieger@suse.com

- afl 1.69b:
  - Added support for deferred initialization in LLVM mode.
- afl 1.68b:
  - Fixed a minor PRNG glitch that would make the first seconds of
    a fuzzing job deterministic.
  - Made tmp[] static in the LLVM runtime to keep Valgrind happy
  - Clarified the footnote in README.

-------------------------------------------------------------------
Mon Apr 13 19:58:55 UTC 2015 - astieger@suse.com

- afl 1.67b:
  - One more correction to llvm_mode Makefile
- afl 1.66b:
  - Added CC / CXX support to llvm_mode Makefile
  - Fixed 'make clean' with gmake
  - Fixed 'make -j n clean all'
  - Removed build date and time from banners to give people deterministic
    builds
- drop afl-1.46b-nodate.patch, thus obsoleted

-------------------------------------------------------------------
Mon Apr 13 15:11:11 UTC 2015 - astieger@suse.com

- afl 1.65b:
  - Fixed a snafu with some leftover code in afl-clang-fast.
  - Corrected even moar typos.

-------------------------------------------------------------------
Sun Apr 12 09:41:38 UTC 2015 - astieger@suse.com

- afl 1.64b:
  - improve compatibility with non-ELF platforms.
  - Fixed a problem with afl-clang-fast and -shared libraries.
  - Removed unnecessary instrumentation density adjustment for LLVM
- includes changes from 1.63b:
  - Updated cgroups_asan/
  - Fixed typos

-------------------------------------------------------------------
Sat Apr 11 07:15:12 UTC 2015 - astieger@suse.com

- afl 1.62b:
  - Improved the handling of -x in afl-clang-fast.
  - Improved the handling of low AFL_INST_RATIO settings for QEMU and
    LLVM modes.
  - Fixed the llvm-config bug for good
- includes changes from 1.61b:
  - Fixed an obscure bug compiling OpenSSL with afl-clang-fast.
  - Fixed a 'make install' bug on non-x86 systems
  - Fixed a problem with half-broken llvm-config

-------------------------------------------------------------------
Thu Apr 9 13:12:37 UTC 2015 - astieger@suse.com

- afl 1.60b:
  * Allowed experimental/llvm_instrumentation/ to graduate to llvm_mode/.
  * Removed experimental/arm_support/, since it's completely broken and likely
    unnecessary with LLVM support in place.
  * Added ASAN cgroups script to experimental/asan_cgroups/, updated existing
    docs. Courtesy Sam Hakim and David A. Wheeler.
  * Refactored afl-tmin to reduce the number of execs in common use cases.
    Ideas from Jonathan Neuschafer and Turo Lamminen.
  * Added a note about CLAs at the bottom of README.
  * Renamed testcases_readme.txt to README.testcases for some semblance of
    consistency.
  * Made assorted updates to docs.
- includes changes from 1.59b
  * Imported Laszlo Szekeres' experimental LLVM instrumentation into
    experimental/llvm_instrumentation. I'll work on including it in the
    "mainstream" version soon.
- updates afl-1.46b-nodate.patch

-------------------------------------------------------------------
Fri Mar 27 20:26:35 UTC 2015 - astieger@suse.com

- fix SLE 11 SP3 build, add afl-1.58b-fix-paths.patch

-------------------------------------------------------------------
Fri Mar 27 14:40:09 UTC 2015 - astieger@suse.com

- afl 1.58b:
  * Added a workaround for abort() behavior in -lpthread programs in
    QEMU mode.
  * Made several documentation updates, including links to the
    static instrumentation tool (sister_projects.txt).
- use libexecdir

-------------------------------------------------------------------
Tue Mar 24 15:58:08 UTC 2015 - meissner@suse.com

- updated to 1.57b

-------------------------------------------------------------------
Mon Feb 16 12:53:36 UTC 2015 - astieger@suse.com

- initial package