-------------------------------------------------------------------
Thu Jan  5 15:33:51 UTC 2023 - Marcus Meissner <meissner@suse.com>

- updated to 4.05c
  - afl-fuzz:
    - added afl_custom_fuzz_send custom mutator feature. Now you can
      send fuzz data to the target as you need, e.g. via IPC.
    - cmplog mode now has a -l R option for random colorization, thanks
      to guyf2010 for the PR!
    - queue statistics are written every 30 minutes to
      out/NAME/queue_data if compiled with INTROSPECTION
    - new env: AFL_FORK_SERVER_KILL_SIGNAL
  - afl-showmap/afl-cmin
    - `-t none` now translates to `-t 120000` (120 seconds)
  - unicorn_mode updated
  - updated rust custom mutator dependencies and LibAFL custom mutator
  - several minor bugfixes

-------------------------------------------------------------------
Sat Oct 22 14:15:36 UTC 2022 - Andreas Schwab <schwab@suse.de>

- Update file list for riscv64

-------------------------------------------------------------------
Fri Oct 21 14:28:09 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 4.04c
  - fix gramatron and grammar_mutator build scripts
  - enhancements to the afl-persistent-config and afl-system-config
    scripts
  - afl-fuzz:
    -   force writing all stats on exit
  - afl-cc:
    -   make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
  - qemu_mode:
    -   fixed 10x speed degradation in v4.03c
    -   added qemu_mode/fastexit helper library
  - unicorn_mode:
    -   Enabled tricore arch (by @jma-qb)
    -   Updated Capstone version in Rust bindings
  - llvm-mode:
    -   AFL runtime will always pass inputs via shared memory, when possible,
        ignoring the command line.

-------------------------------------------------------------------
Tue Sep 20 15:50:19 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 4.03c
  - Building now gives a build summary of what succeeded and what did not
  - afl-fuzz:
    - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
      of calibrating all initial seeds first. Good for large queues
      and long execution times, especially in CIs.
    - default calibration cycles set to 7 from 8, and only add 5 cycles
      to variables queue items instead of 12.
  - afl-cc:
    - fixed off-by-one bug in our pcguard implementation, thanks to
      @tokatoka for reporting
    - fix for llvm 15 and reenabling LTO, thanks to nikic for the PR!
    - better handling of -fsanitize=..,...,.. lists
    - support added for LLVMFuzzerRunDriver()
    - fix gcc_mode cmplog
    - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
      note that this will exit the target before main()
  - qemu_mode:
    - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
      edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
      worksbutnottested!
  - afl-analyze broke at some point, fix by CodeLogicError, thank you!
  - afl-cmin/afl-cmin.bash now have an -A option to also allow crashing
    and timeout inputs
  - unicorn_mode:
    - updated upstream unicorn version
    - fixed builds for aarch64
    - build now uses all available cores

-------------------------------------------------------------------
Sat Aug 20 11:55:57 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 4.02c
  - afl-cc:
    - important fix for the default pcguard mode when LLVM IR vector
      selects are produced, thanks to @juppytt for reporting!
  - gcc_plugin:
    -   Adacore submitted CMPLOG support to the gcc_plugin! :-)
  - llvm_mode:
    -   laf cmp splitting fixed for more comparison types
  - frida_mode:
    -   now works on Android!
  - afl-fuzz:
    - change post_process hook to allow returning NULL and 0 length to
      tell afl-fuzz to skip this mutated input
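
  The post_process change noted for 4.02c above, as an added example (not part of
  this changelog or of AFL++'s own code): a custom-mutator post_process hook for a
  constructed header+checksum format that repairs the header and, for inputs too
  short to hold one, returns a NULL buffer and length 0 so afl-fuzz skips them.
  The real API declares the first afl_custom_init parameter as afl_state_t *; void *
  is assumed here so the file builds without AFL headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed target format (hypothetical, for illustration only):
 *   bytes 0-1: little-endian payload length
 *   bytes 2-3: little-endian 16-bit additive checksum over the payload
 *   bytes 4..: payload
 * Random mutation breaks both header fields, so the hook fixes them up. */
#define HDR_LEN 4
#define MAX_OUT 4096

typedef struct {
  uint8_t *out;  /* buffer handed back via *out_buf; owned by the mutator */
} my_mutator_t;

/* Called once by afl-fuzz when the custom mutator library is loaded.
 * Real signature uses afl_state_t *afl; void * is an assumption here. */
void *afl_custom_init(void *afl, unsigned int seed) {
  (void)afl;
  (void)seed;
  my_mutator_t *m = calloc(1, sizeof(*m));
  if (!m) return NULL;
  m->out = malloc(MAX_OUT);
  if (!m->out) {
    free(m);
    return NULL;
  }
  return m;
}

void afl_custom_deinit(void *data) {
  my_mutator_t *m = data;
  if (!m) return;
  free(m->out);
  free(m);
}

/* 16-bit additive checksum of the constructed format. */
static uint16_t checksum16(const uint8_t *p, size_t n) {
  uint16_t sum = 0;
  for (size_t i = 0; i < n; i++) sum = (uint16_t)(sum + p[i]);
  return sum;
}

/* Returns the number of bytes afl-fuzz should feed to the target from
 * *out_buf. Since 4.02c, returning 0 with *out_buf == NULL tells afl-fuzz
 * to skip this mutated input instead of running it. */
size_t afl_custom_post_process(void *data, unsigned char *buf, size_t buf_size,
                               unsigned char **out_buf) {
  my_mutator_t *m = data;

  /* No room for a header, or larger than our buffer: skip the input.
   * Before 4.02c the hook had to return some input, so malformed data
   * would still cost an execution that the target rejects immediately. */
  if (buf_size < HDR_LEN || buf_size > MAX_OUT) {
    *out_buf = NULL;
    return 0;
  }

  size_t payload_len = buf_size - HDR_LEN;  /* fits in 16 bits: <= 4092 */
  uint8_t *out = m->out;
  memcpy(out + HDR_LEN, buf + HDR_LEN, payload_len);

  uint16_t sum = checksum16(out + HDR_LEN, payload_len);
  out[0] = (uint8_t)(payload_len & 0xff);
  out[1] = (uint8_t)(payload_len >> 8);
  out[2] = (uint8_t)(sum & 0xff);
  out[3] = (uint8_t)(sum >> 8);

  *out_buf = out;
  return buf_size;
}
```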

-------------------------------------------------------------------
Tue Jun 28 14:32:52 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 4.01c
  - fixed */build_...sh scripts to work outside of git
  - new custom_mutator: libafl with token fuzzing :)
  - afl-fuzz:
    - when you just want to compile once and set CMPLOG, then just
      set -c 0 to tell afl-fuzz that the fuzzing binary is also for
      CMPLOG.
    - new commandline options -g/G to set min/max length of generated
      fuzz inputs
    - you can now set the time for syncing to other fuzzers with
      AFL_SYNC_TIME
    - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
      persistent mode and manual forkserver support if these are not
      in the target binary (e.g. are in a shared library)
    - add AFL_EARLY_FORKSERVER to install the forkserver as early as
      possible in the target (for afl-gcc-fast/afl-clang-fast/
      afl-clang-lto)
    - "saved timeouts" was wrong information, timeouts are still thrown
      away by default even if they have new coverage (hangs are always
      kept), unless AFL_KEEP_TIMEOUTS are set
    - AFL never implemented auto token inserts (but user token inserts,
      user token overwrite and auto token overwrite), added now!
    - fixed a mutation type in havoc mode
    - Mopt fix to always select the correct algorithm
    - fix effector map calculation (deterministic mode)
    - fix custom mutator post_process functionality
    - document and auto-activate pizza mode on condition
  - afl-cc:
    - due to a bug in lld of llvm 15, LTO instrumentation won't work atm :-(
    - converted all passes to use the new llvm pass manager for llvm 11+
    - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)
    - trying to stay on top of all these #$&§!! changes in llvm 15 ...
  - frida_mode:
    - update to new frida release, handles now c++ throw/catch
  - unicorn_mode:
    - update unicorn engine, fix C example
  - utils:
    - removed optimin because it loses coverage due to a bug and is
      unmaintained :-(
- removed upstream llvm14-fix-build.patch

-------------------------------------------------------------------
Sat Jun  4 13:26:34 UTC 2022 - Aaron Puchert <aaronpuchert@alice-dsl.net>

- Add llvm14-fix-build.patch: fix build with LLVM 14.

-------------------------------------------------------------------
Wed Feb 23 22:21:07 UTC 2022 - Aaron Puchert <aaronpuchert@alice-dsl.net>

- Fix build with armv7l on Leap: we have afl-llvm-rt-lto{,-32}.o.
- Fix build with ppc64le: we don't seem to have the 32-bit object
  files available there and there is also no gcc-32bit.

-------------------------------------------------------------------
Mon Jan 31 12:45:45 UTC 2022 - Marcus Meissner <meissner@suse.com>

- updated to 4.00c

  - complete documentation restructuring, made possible by Google Season
    of Docs :) thank you Jana!
  - we renamed several UI and fuzzer_stat entries to be more precise,
    e.g. "unique crashes" -> "saved crashes", "total paths" ->
    "corpus count", "current path" -> "current item".
    This might need changing custom scripting!
  - Nyx mode (full system emulation with snapshot capability) has been
    added - thanks to @schumilo and @eqv!
  - unicorn_mode:
    -   Moved to unicorn2! by Ziqiao Kong (@lazymio)
    -   Faster, more accurate emulation (newer QEMU base), risc-v support
    -   removed indirections in rust callbacks
  - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
    thanks to RICSecLab submitting!
  - if instrumented libraries are dlopen()'ed after the forkserver you
    will now see a crash. Before you would have colliding coverage.
    We changed this to force fixing a broken setup rather than allowing
    ineffective fuzzing.
  - See docs/best_practices.md for how to fix such setups.
  - afl-fuzz:
    -   cmplog binaries will need to be recompiled for this version
        (it is better!)
    -   fix a regression introduced in 3.10 that resulted in less
        coverage being detected. thanks to Collin May for reporting!
    -   ensure all spawned targets are killed on exit
    -   added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
        incorrect LTO usage setups and enhanced the READMEs for better
        information on how to deal with instrumenting libraries
    -   fix -n dumb mode (nobody should use this mode though)
    -   fix stability issue with LTO and cmplog
    -   better banner
    -   more effective cmplog mode
    -   more often update the UI when in input2stage mode
  - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov,
    thanks to kotee4ko for reporting!
  - frida_mode:
    -   better performance, bug fixes
    -   David Carlier added Android support :)
  - afl-showmap, afl-tmin and afl-analyze:
    -   honor persistent mode for more speed. thanks to dloffre-snl
        for reporting!
    -   fix bug where targets are not killed on timeouts
    -   moved hidden afl-showmap -A option to -H to be used for
        coresight_mode
  - Prevent accidentally killing non-afl/fuzz services when aborting
    afl-showmap and other tools.
  - afl-cc:
    -   detect overflow reads on initial input buffer for asan
    -   new cmplog mode (incompatible with older afl++ versions)
    -   support llvm IR select instrumentation for default PCGUARD and LTO
    -   fix for shared linking on MacOS
    -   better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST
        on filename matching (requires llvm 11 or newer)
    -   fixed a potential crash in targets for LAF string handling
    -   fixed a bad assert in LAF split switches
    -   added AFL_USE_TSAN thread sanitizer support
    -   llvm and LTO mode modified to work with new llvm 14-dev (again.)
    -   fix for AFL_REAL_LD
    -   more -z defs filtering
    -   make -v without options work
  - added the very good grammar mutator "GramaTron" to the
    custom_mutators
  - added optimin, a faster and better corpus minimizer by
    Adrian Herrera. Thank you!
  - added afl-persistent-config script to set permanent system
    configuration settings for fuzzing, for Linux and Macos.
    thanks to jhertz!
  - added xml, curl & exotic string functions to llvm dictionary feature
  - fix AFL_PRELOAD issues on MacOS
  - removed utils/afl_frida because frida_mode/ is now so much better
  - added uninstall target to makefile (todo: update new readme!)

-------------------------------------------------------------------
Sun Sep 26 11:04:42 UTC 2021 - Marcus Meissner <meissner@suse.com>

- enable gcc-plugin on factory
- build with 32bit plugins on x86_64

-------------------------------------------------------------------
Mon Jul 19 12:49:59 UTC 2021 - Marcus Meissner <meissner@suse.com>

- updated to 3.14c
  - afl-fuzz:
    - fix -F when a '/' was part of the parameter
    - fixed a crash for cmplog for very slow inputs
    - fix for AFLfast schedule counting
    - removed implied -D deterministic from -M main
    - if the target becomes unavailable check out out/default/error.txt
      for an indicator why
    - AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
    - reverse read the queue on resumes (more effective)
    - fix custom mutator trimming
  - afl-cc:
    - Update to COMPCOV/laf-intel that speeds up the instrumentation
      process a lot - thanks to Michael Rodler/f0rki for the PR!
    - Fix for failures for some sized string instrumentations
    - Fix to instrument global namespace functions in c++
    - Fix for llvm 13
    - support partial linking
    - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE
    - We do support llvm versions from 3.8 to 5.0 again
  - frida_mode:
    - several fixes for cmplog
    - remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET
    - less coverage collision
    - feature parity of aarch64 with intel now (persistent, cmplog,
      in-memory testcases, asan)
  - afl-cmin and afl-showmap -i now descend into subdirectories
    (like afl-fuzz does) - note that afl-cmin.bash does not!
  - afl_analyze:
    - fix timeout handling
    - add forkserver support for better performance
  - ensure afl-compiler-rt is built for gcc_module
  - always build aflpp_driver for libfuzzer harnesses
  - added `AFL_NO_FORKSRV` env variable support to
    afl-cmin, afl-tmin, and afl-showmap, by @jhertz
  - removed outdated documents, improved existing documentation

-------------------------------------------------------------------
Thu Jul 15 19:29:19 UTC 2021 - Peace Peters <peacepeters.pp@gmail.com>

- s390x added to the compiler files

-------------------------------------------------------------------
Tue Jun  8 09:06:11 UTC 2021 - Andreas Schwab <schwab@suse.de>

- Fix filelist for riscv64

-------------------------------------------------------------------
Tue Jun  1 10:36:06 UTC 2021 - Marcus Meissner <meissner@suse.com>

- updated to 3.13c
  - Note: plot_data switched to relative time from unix time in 3.10
  - frida_mode - new mode that uses frida to fuzz binary-only targets,
    it currently supports persistent mode and cmplog.
    thanks to @WorksButNotTested!
  - create a fuzzing dictionary with the help of CodeQL thanks to
    @microsvuln! see utils/autodict_ql
  - afl-fuzz:
    - added patch by @realmadsci to support @@ as part of command line
      options, e.g. `afl-fuzz ... -- ./target --infile=@@`
    - add recording of previous fuzz attempts for persistent mode
      to allow replay of non-reproducible crashes, see
      AFL_PERSISTENT_RECORD in config.h and docs/envs.h
    - fixed a bug when trimming for stdin targets
    - cmplog -l: default cmplog level is now 2, better efficiency.
      level 3 now performs redqueen on everything. use with care.
    - better fuzzing strategy yield display for enabled options
    - ensure one fuzzer sync per cycle
    - fix afl_custom_queue_new_entry original file name when syncing
      from fuzzers
    - fixed a crash when more than one custom mutator was used together
      with afl_custom_post_process
    - on a crashing seed potentially the wrong input was disabled
    - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
      -i dir crashes the target or results in a timeout. By default
      afl++ ignores these and uses them for splicing instead.
    - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
      after no new paths have been found for n seconds
    - when AFL_FAST_CAL is set a variable path will now be calibrated
      8 times instead of originally 40. Long calibration is now 20.
    - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
      it fails
  - afl-cc:
    - We do not support llvm versions prior to 6.0 anymore
    - added thread safe counters to all modes (`AFL_LLVM_THREADSAFE_INST`),
      note that this disables NeverZero counters.
    - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
    - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
    - Removed InsTrim instrumentation as it is not as good as PCGUARD
    - Removed automatic linking with -lc++ for LTO mode
    - Fixed a crash in llvm dict2file when a strncmp length was -1
    - added --afl-noopt support
  - utils/aflpp_driver:
    - aflpp_qemu_driver_hook fixed to work with qemu_mode
    - aflpp_driver now compiled with -fPIC
  - unicornafl:
    - fix MIPS delay slot caching, thanks @JackGrence
    - fixed aarch64 exit address
    - execution no longer stops at address 0x0
  - updated afl-system-config to support Arch Linux weirdness and increase
    MacOS shared memory
  - updated the grammar custom mutator to the newest version
  - add -d (add dead fuzzer stats) to afl-whatsup
  - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the
    current filename
  - afl-showmap/cmin will now process queue items in alphabetical order

-------------------------------------------------------------------
Fri Apr  9 12:25:49 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Fix packaging for aarch64 and %arm

-------------------------------------------------------------------
Sat Apr  3 23:31:18 UTC 2021 - Niklas Haas <obs@haasn.xyz>

- install `afl-clang-lto`, recommended by upstream as the best variant
  - add dependency on `lld`
  - bump llvm-devel up to >= 11.0.0
- fix /usr/bin/env path in afl.cmin scripts
- prevent stripping of runtime objects (fix bug 1184324)

-------------------------------------------------------------------
Mon Mar 29 12:29:54 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Fix packaging on aarch64 and %{arm}

-------------------------------------------------------------------
Wed Mar 24 16:30:39 UTC 2021 - Marcus Meissner <meissner@suse.com>

- updated to 3.12c
  - afl-fuzz:
    - added AFL_TARGET_ENV variable to pass extra env vars to the target
      (for things like LD_LIBRARY_PATH)
    - fix map detection, AFL_MAP_SIZE not needed anymore for most cases
    - fix counting favorites (just a display thing)
  - afl-cc:
    - fix cmplog rtn (rare crash and not being able to gather ptr data)
    - fix our own PCGUARD implementation to compile with llvm 10.0.1
    - link runtime not to shared libs
    - ensure shared libraries are properly built and instrumented
    - AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added
    - show correct LLVM PCGUARD NATIVE mode when auto switching to it
      and keep fsanitize-coverage-*list=...
      Short mnemonic NATIVE is now also accepted.
  - qemu_mode (thanks @realmadsci):
    - move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
    - add AFL_QEMU_CUSTOM_BIN
  - unicorn_mode
    - accidentally removed the subfolder from github, re-added
  - added DEFAULT_PERMISSION to config.h for all files created, default
    to 0600

-------------------------------------------------------------------
Tue Mar 16 07:43:01 UTC 2021 - Marcus Meissner <meissner@suse.com>

- updated to 3.11c
  - afl-fuzz:
    - better auto detection of map size
    - fix sanitizer settings (bug since 3.10c)
    - fix an off-by-one overwrite in cmplog
    - add non-unicode variants from unicode-looking dictionary entries
    - Rust custom mutator API improvements
    - Imported crash stats painted yellow on resume (only new ones are red)
  - afl-cc:
    - added AFL_NOOPT that will just pass everything to the normal
      gcc/clang compiler without any changes - to pass weird configure
      scripts
    - fixed a crash that can occur with ASAN + CMPLOG together plus
      better support for unicode (thanks to @stbergmann for reporting!)
    - fixed a crash in LAF transform for empty strings
    - handle erroneous setups in which multiple afl-compiler-rt are
      compiled into the target. This now also supports dlopen()
      instrumented libs loaded before the forkserver and even after the
      forkserver is started (then with collisions though)
    - the compiler rt was added also in object building (-c) which
      should have been fixed years ago but somewhere got lost :(
    - Renamed CTX to CALLER, added correct/real CTX implementation to
      CLASSIC
  - qemu_mode:
    - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
    - if no new/updated checkout is wanted, build with:
      NO_CHECKOUT=1 ./build_qemu_support.sh
    - we no longer perform a "git drop"
  - afl-cmin: support filenames with spaces
- afl-3.0c-fix-paths.patch: refreshed

-------------------------------------------------------------------
Mon Mar  1 09:43:40 UTC 2021 - Marcus Meissner <meissner@suse.com>

- update to 3.10c
  - Mac OS ARM64 support
  - Android support fixed and updated by Joey Jiaojg - thanks!
  - New selective instrumentation option with __AFL_COVERAGE_* commands
    to be placed in the source code.
    Check out instrumentation/README.instrument_list.md
  - afl-fuzz
    - Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns the
      target map size on start
    - upgraded cmplog/redqueen: solving for floating point, solving
      transformations (e.g. toupper, tolower, to/from hex, xor,
      arithmetics, etc.). This is costly hence new command line option
      `-l` that sets the intensity (values 1 to 3). Recommended is 2.
    - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial seeds
      from `-i` or resumes (these have most likely already been done)
    - fix crash for very, very fast targets+systems (thanks to mhlakhani
      for reporting)
    - on restarts (`-i`)/autoresume (AFL_AUTORESUME) the stats are now
      reloaded and used, thanks to Vimal Joseph for this patch!
    - changed the meaning of '+' of the '-t' option, it now means to
      auto-calculate the timeout with the value given being the max
      timeout. The original meaning of skipping timeouts instead of
      abort is now inherent to the -t option.
    - if deterministic mode is active (`-D`, or `-M` without `-d`) then
      we sync after every queue entry as this can take very long time
      otherwise
    - added minimum SYNC_TIME to include/config.h (30 minutes default)
    - better detection if a target needs a large shared map
    - fix for `-Z`
    - fixed a few crashes
    - switched to an even faster RNG
    - added hghwng's patch for faster trace map analysis
    - printing suggestions for mistyped `AFL_` env variables
    - added Rust bindings for custom mutators (thanks @julihoh)
  - afl-cc
    - allow instrumenting LLVMFuzzerTestOneInput
    - fixed endless loop for allow/blocklist lines starting with a
      comment (thanks to Zherya for reporting)
    - cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
    - cmplog/redqueen can now process basic libc++ and libstdc++
      std::string comparisons (no position or length type variants)
    - added support for __afl_coverage_interesting() for LTO and our
      own PCGUARD (llvm 10.0.1+), read more about this function and
      selective coverage in instrumentation/README.instrument_list.md
    - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard
      support (less performant than our own), GCC for old afl-gcc and
      CLANG for old afl-clang
    - fixed a potential crash in the LAF feature
    - workaround for llvm bitcast lto bug
    - workaround for llvm 13
  - qemuafl
    - QASan (address sanitizer for Qemu) ported to qemuafl!
      See qemu_mode/libqasan/README.md                                                                                                                                                       
    - solved some persistent mode bugs (thanks Dil4rd)                                                                                                                                       
    - solved an issue when dumping the memory maps (thanks wizche)                                                                                                                           
    - Android support for QASan                                                                                                                                                              
  - unicornafl                                                                                                                                                                               
    - Substantial speed gains in python bindings for certain use cases                                                                                                                       
    - Improved rust bindings                                                                                                                                                                 
    - Added a new example harness to compare python, c and rust bindings                                                                                                                     
  - afl-cmin and afl-showmap now support the -f option                                                                                                                                       
  - afl_plot now also generates a graph on the discovered edges                                                                                                                              
  - changed default: no memory limit for afl-cmin and afl-cmin.bash                                                                                                                          
  - warn on any _AFL and __AFL env vars.                                                                                                                                                     
  - set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars                                                                                                                      
  - added dummy Makefile to instrumentation/                                                                                                                                                 
  - Updated utils/afl_frida to be 5% faster, 7% on x86_x64                                                                                                                                   
  - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b)                                                                                                                                     
  - @Edznux added a nice documentation on how to use rpc.statsd with                                                                                                                         
    afl++ in docs/rpc_statsd.md, thanks!                                                                                                                                                     

-------------------------------------------------------------------
Tue Dec 15 09:18:09 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 3.0c
  - llvm_mode/ and gcc_plugin/ moved to instrumentation/
  - examples/ renamed to utils/
  - moved libdislocator, libtokencap and qdbi_mode to utils/
  - all compilers combined to afl-cc which emulates the previous ones
  - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
  - afl-fuzz
    - not specifying -M or -S will now auto-set "-S default"
    - deterministic fuzzing is now disabled by default and can be enabled with
      -D. It is still enabled by default for -M.
    - a new seed selection was implemented that uses weighted randoms based on
      a schedule performance score, which is much better than the previous
      walk the whole queue approach. Select the old mode with -Z (auto enabled
      with -M)
    - Marcel Boehme submitted a patch that improves all AFLFast schedules :)
    - the default schedule is now FAST
    - memory limits are now disabled by default, set them with -m if required
    - rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
    - reading testcases from -i now descends into subdirectories
    - allow the -x command line option up to 4 times
    - loaded extras now have a duplication protection
    - If test cases are too large we do a partial read on the maximum
      supported size
    - longer seeds with the same trace information will now be ignored
      for fuzzing but still be used for splicing
    - crashing seeds are now not prohibiting a run anymore but are
      skipped - they are used for splicing, though
    - update MOpt for expanded havoc modes
    - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
    - added NO_SPLICING compile option and makefile define
    - added INTROSPECTION make target that writes all mutations to
      out/NAME/introspection.txt
    - print special compile time options used in help output
    - when using -c cmplog, one of the children was not killed, fixed
    - somewhere we broke -n dumb fuzzing, fixed
    - added afl_custom_describe to the custom mutator API to allow for easy
      mutation reproduction on crashing inputs
  - instrumentation
    - We received an enhanced gcc_plugin module from AdaCore, thank you
      very much!!
    - not overriding -Ox or -fno-unroll-loops anymore
    - we now have our own trace-pc-guard implementation. It is the same as
      -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
      and b) works from llvm 10.0.1 + onwards :)
    - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
      -x dictionary of string comparisons found during compilation
    - LTO autodict now also collects interesting cmp comparisons,
      std::string compare + find + ==, bcmp
    - fix crash in dict2file for integers > 64 bit
  - custom mutators
    - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
    - added a new custom mutator: libfuzzer that integrates libfuzzer mutations
    - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
    - added INTROSPECTION support for custom modules
    - python fuzz function was not optional, fixed
    - some python mutator speed improvements
  - afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
  - unicornafl synced with upstream version 1.02 (fixes, better rust bindings)
  - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD
  - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash
- afl-2.63c-fix-paths.patch refreshed to afl-3.0c-fix-paths.patch

-------------------------------------------------------------------
Sat Sep  5 08:43:19 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.68c
  - added the GSoC excellent afl++ grammar mutator by Shengtuo to our
    custom_mutators/ (see custom_mutators/README.md) - or get it here:
    https://github.com/AFLplusplus/Grammar-Mutator
  - a few QOL changes for Apple and its outdated gmake
  - afl-fuzz:
    - fix for auto dictionary entries found during fuzzing to not throw out
      a -x dictionary
    - added total execs done to plot file
    - AFL_MAX_DET_EXTRAS env variable added to control the amount of
      deterministic dict entries without recompiling.
    - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait
      for the forkserver to come up without the need to increase the overall
      timeout.
    - bugfix for cmplog that results in a heap overflow based on target data
      (thanks to the magma team for reporting!)
    - write fuzzing setup into out/fuzzer_setup (environment variables and
      command line)
  - custom mutators:
    - added afl_custom_fuzz_count/fuzz_count function to allow specifying
      the number of fuzz attempts for custom_fuzz
  - llvm_mode:
    - ported SanCov to LTO, and made it the default for LTO; better
      instrumentation locations
    - Further llvm 12 support (fast moving target like afl++ :-) )
    - deprecated the LLVM SKIPSINGLEBLOCK env variable

-------------------------------------------------------------------
Wed Aug 19 14:35:25 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.67c
  - Support for improved afl++ snapshot module:
    https://github.com/AFLplusplus/AFL-Snapshot-LKM
  - Due to the instrumentation needing more memory, the initial memory sizes
    for -m have been increased
  - afl-fuzz:
     - added -F option to allow -M main fuzzers to sync to foreign fuzzers,
       e.g. honggfuzz or libfuzzer
     - added -b option to bind to a specific CPU
     - eliminated CPU affinity race condition for -S/-M runs
     - expanded havoc mode added, on no cycle finds add extra splicing and
       MOpt into the mix
     - fixed a bug in redqueen for strings and made deterministic with -s
  - llvm_mode:
     - now supports llvm 12
     - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
       AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and
       are matched to AFL_LLVM_ALLOWLIST). The format is compatible with llvm
       sancov, and also supports function matching :)
     - added neverzero counting to trace-pc/pcguard
     - fixes for laf-intel float splitting (thanks to mark-griffin for
       reporting)
     - fixes for llvm 4.0
     - skipping ctors and ifuncs for instrumentation
     - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
            for a fixed map address (e.g. 0x10000)
     - LTO: improved stability for persistent mode, no other instrumentation
            has that advantage
     - LTO: fixed autodict for long strings
     - LTO: laf-intel and redqueen/cmplog are now applied at link time
            to prevent llvm optimizing away the splits
     - LTO: autodictionary mode is a fixed default now
     - LTO: instrim instrumentation disabled, only classic support used
            as it is always better
     - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID
            was given to which function during compilation
     - LTO: single block functions were not implemented by default, fixed
     - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inverted, fixed
     - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
       AFL_LLVM_LAF_SPLIT_COMPARES
     - support for -E and -shared compilation runs
  - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
  - added afl-frida gum solution to examples/afl_frida (mostly imported
    from https://github.com/meme/hotwax/)
  - small fixes to afl-plot, afl-whatsup and man page creation
  - new README, added FAQ

-------------------------------------------------------------------
Thu Jul  2 09:59:38 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.66c
  - renamed blacklist/whitelist to ignorelist/instrumentlist ->
    AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE
  - warn on deprecated environment variables
  - afl-fuzz:
     - -S secondary nodes now only sync from the main node to increase
       performance, the -M main node still syncs from everyone. Added checks
       that ensure exactly one main node is present and warn otherwise
     - Add -D after -S to force a secondary to perform deterministic fuzzing
     - If no main node is present at a sync one secondary node automatically
       becomes a temporary main node until a real main node shows up
     - Fixed a major performance issue we inherited from AFLfast
     - switched murmur2 hashing and random() for xxh3 and xoshiro256**,
       resulting in an up to 5.5% speed increase
     - Resizing the window does not crash afl-fuzz anymore
     - Ensure that the targets are killed on exit
     - fix/update to MOpt (thanks to arnow117)
     - added MOpt dictionary support from repo
     - added experimental SEEK power schedule. It is EXPLORE with ignoring
       the runtime and less focus on the length of the test case
  - llvm_mode:
    - the default instrumentation is now PCGUARD if the llvm version is >= 7,
      as it is faster and provides better coverage. The original afl
      instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
      automatically done when the instrument_file list feature is used.
    - PCGUARD mode is now even better because we made it collision free - plus
      it has a fixed map size, so it is also faster! :)
    - some targets want an ld variant for LD that is not gcc/clang but ld,
      added afl-ld-lto to solve this
    - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
      needs 3.8.0)
    - instrument_file list feature now supports wildcards (thanks to sirmc)
    - small change to cmplog to make it work with current llvm 11-dev
    - added AFL_LLVM_LAF_ALL, sets all laf-intel settings
    - LTO instrument_files functionality rewritten, now main, _init etc functions
      need not be listed anymore
    - fixed crash in compare-transform-pass when trying to instrument
      strcasecmp/strncasecmp with LTO
    - fixed crash in cmplog with LTO
    - enable snapshot lkm also for persistent mode
  - Unicornafl
    - Added powerPC support from unicorn/next
    - rust bindings!
  - CMPLOG/Redqueen now also works for MMAP sharedmem
  - ensure shmem is released on errors
  - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
    compiled by default anymore.
  - allow running in /tmp (only unsafe with umask 0)
  - persistent mode shared memory testcase handover (instead of via
    files/stdin) - 10-100% performance increase
  - General support for 64 bit PowerPC, RiscV, Sparc etc.
  - fix afl-cmin.bash
  - slightly better performance compilation options for afl++ and targets
  - fixed afl-gcc/afl-as that could break on fast systems reusing pids in
    the same second
  - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
  - added former post_library examples to examples/custom_mutators/
  - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
    gcc 10 so afl-clang-lto can be built

-------------------------------------------------------------------
Fri May 15 09:24:47 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.65c
  - afl-fuzz:
     - AFL_MAP_SIZE was not working correctly
     - better python detection
     - an old, old bug in afl that would show negative stability in rare
       circumstances is now hopefully fixed
     - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
       instead (see docs/custom_mutators.md)
  - llvm_mode:
     - afl-clang-fast/lto now do not skip single block functions. This
       behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
     - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
       address for the shared memory map is used as this increases the
       fuzzing speed
     - InsTrim now has an LTO version! :-) That is the best and fastest mode!
     - fixes to LTO mode if instrumented edges > MAP_SIZE
     - CTX and NGRAM can now be used together
     - CTX and NGRAM are now also supported in CFG/INSTRIM mode
     - AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
     - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
       implementation. For targets with few or no loops or heavily called
       functions. Gives a small performance boost.
  - qemu_mode:
    - add information on PIE/PIC load addresses for 32 bit
    - better dependency checks
  - gcc_plugin:
    - better dependency checks
  - unicorn_mode:
    - validate_crash_callback can now count non-crashing inputs as crash as well
    - better submodule handling
  - afl-showmap: fix for -Q mode
  - added examples/afl_network_proxy which allows fuzzing a target over the
    network (not fuzzing tcp/ip services but running afl-fuzz on one system
    and the target being on an embedded device)
  - added examples/afl_untracer which does binary-only fuzzing with the
    modifications done in memory (intel32/64 and aarch64 support)
  - added examples/afl_proxy which can be easily used to fuzz and instrument
    non-standard things
  - all:
    - forkserver communication now also used for error reporting
    - fix 32 bit build options
    - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
      intact if in a git/svn checkout - unless "deepclean" is used

-------------------------------------------------------------------
Sat Apr 18 07:05:42 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.64c
  - llvm_mode LTO mode:
    - now requires llvm11 - but compiles all targets! :)
    - autodictionary feature added, enable with `AFL_LLVM_LTO_AUTODICTIONARY`
    - variable map size usage
  - afl-fuzz:
    - variable map size support added (only LTO mode can use this)
    - snapshot feature usage now visible in UI
    - Now setting `-L -1` will enable MOpt in parallel to normal mutation.
      Additionally, this allows running dictionaries, radamsa and cmplog.
    - fix for cmplog/redqueen mode if stdin was used
    - fix for writing a better plot_data file
  - qemu_mode: fix for persistent mode (which would not terminate or get stuck)
  - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
    static global and local variable comparisons (cannot find all though)
  - extended forkserver: map_size and more information is communicated to
    afl-fuzz (and afl-fuzz acts accordingly)
  - new environment variable: AFL_MAP_SIZE to specify the size of the shared map
  - if AFL_CC/AFL_CXX was set but empty, the afl compilers failed; fixed
    (this bug is in vanilla afl too)
  - added NO_PYTHON flag to disable python support when building afl-fuzz
  - more refactoring

-------------------------------------------------------------------
Sun Apr 12 11:04:35 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.63c
  - all:
    - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
      multiple fuzzing threads in the future or even become a library
    - afl basic tools now report on the environment variables picked up
    - more tools get environment variable usage info in the help output
    - force all output to stdout (some OK/SAY/WARN messages were sent to
      stdout, some to stderr)
    - uninstrumented mode uses an internal forkserver ("fauxserver")
    - now builds with `-D_FORTIFY_SOURCE=2`
    - drastically reduced number of (de)allocations during fuzzing
  - afl-fuzz:
    - python mutator modules and custom mutator modules now use the same
      interface and hence the API changed
    - AFL_AUTORESUME will resume execution without the need to specify `-i -`
    - added experimental power schedules (-p):
      - mmopt: ignores runtime of queue entries, gives higher weighting to
               the last 5 queue entries
      - rare: puts focus on queue entries that hit rare branches, also ignores
              runtime
  - llvm_mode:
    - added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM)
    - added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
    - added AFL_LLVM_INSTRUMENT option to control the instrumentation type
      easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16)
    - made USE_TRACE_PC compile obsolete
  - LTO collision free instrumentation added in llvm_mode with afl-clang-lto -
    note that this mode is amazing, but quite some targets won't compile
  - Added llvm_mode NGRAM prev_loc coverage by Adrian Herrera
    (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting
    AFL_LLVM_INSTRUMENT=NGRAM-<value> or AFL_LLVM_NGRAM_SIZE=<value>
  - Added llvm_mode context sensitive branch coverage, activated by setting
    AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1
  - llvm_mode InsTrim mode:
    - removed workaround for bug where paths were not instrumented and
      imported fix by author
    - made skipping 1 block functions an option and is disabled by default,
      set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
  - qemu_mode:
    - qemu_mode now uses solely the internal capstone version to fix builds
      on modern Linux distributions
    - QEMU now logs routine arguments for CmpLog when the target is x86
  - afl-tmin:
    - now supports hang mode `-H` to minimize hangs
    - fixed potential afl-tmin misbehavior for targets with multiple hangs
  - Pressing Control-c in afl-cmin did not terminate it for some OS
  - the custom API was rewritten and is now the same for Python and shared
    libraries.
- afl-1.58b-fix-paths.patch moved to afl-2.63c-fix-paths.patch:
  adjust Makefile -> GNUmakefile

-------------------------------------------------------------------
Fri Feb 28 14:09:26 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.62c
  - Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE!
  - Small fix for -E/-V to release the CPU
  - CmpLog does not need sancov anymore

-------------------------------------------------------------------
Tue Feb 25 12:04:22 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.61c
  - use -march=native if available
  - most tools now check for mistyped environment variables
  - gcc 10 is now supported
  - the memory safety checks are now disabled for a little more speed during
    fuzzing (only affects creating queue entries), can be toggled in config.h
  - afl-fuzz:
     - MOpt out of bounds writing crash fixed
     - now prints the real python version support compiled in
     - set stronger performance compile options and little tweaks
     - Android: prefer bigcores when selecting a CPU
     - CmpLog forkserver
     - Redqueen input-2-state mutator (cmp instructions only ATM)
     - all Python 2+3 versions supported now
     - changed execs_per_sec in fuzzer_stats from "current" execs per second
       (which is pointless) to total execs per second
     - bugfix for dictionary insert stage count (fix via Google repo PR)
     - added warning if -M is used together with custom mutators with _ONLY option
     - AFL_TMPDIR checks are now later and better explained if they fail
  - llvm_mode:
     - InsTrim: three bug fixes:
        1. (minor) no pointless instrumentation of 1 block functions
        2. (medium) path bug that led to a few blocks not being instrumented
           that should be
        3. (major) incorrect prev_loc was written, fixed!
  - afl-clang-fast:
     - show in the help output for which llvm version it was compiled for
     - now does not need to be recompiled between trace-pc and pass
       instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
     - LLVM 11 is supported
     - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
  - afl-gcc, afl-clang-fast, afl-gcc-fast:
     - experimental support for undefined behaviour sanitizer UBSAN
       (set AFL_USE_UBSAN=1)
     - the instrumentation summary output now also lists activated sanitizers
     - afl-as: added isatty(2) check back in
     - added AFL_DEBUG (for upcoming merge)
  - qemu_mode:
     - persistent mode is now also available for arm and aarch64
     - CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
       for x86, x86_64, arm and aarch64
     - AFL_PERSISTENT_HOOK callback module for persistent QEMU
       (see examples/qemu_persistent_hook)
     - added qemu_mode/README.persistent.md documentation
     - AFL_ENTRYPOINT now has instruction granularity
  - afl-cmin is now a sh script (invoking awk) instead of bash for portability,
    the original script is still present as afl-cmin.bash
  - afl-showmap: -i dir option now allows processing multiple inputs using the
    forkserver. This is for enhanced speed in afl-cmin.
  - added blacklist and whitelisting function check in all modules of llvm_mode
  - added fix from Debian project to compile libdislocator and libtokencap
  - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t

-------------------------------------------------------------------
Sun Feb  9 16:12:14 UTC 2020 - Marcus Meissner <meissner@suse.com>

- added radamsa mutator

-------------------------------------------------------------------
Thu Jan  2 08:31:09 UTC 2020 - Marcus Meissner <meissner@suse.com>

- updated to 2.60c
  - fixed a critical bug in afl-tmin that was introduced during ++2.53d
  - added test cases for afl-cmin and afl-tmin to test/test.sh
  - added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
  - added preeny's desock_dup ld_preload library as
    ./experimental/socket_fuzzing for network fuzzing
  - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
    for the retrorewrite project
  - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used

-------------------------------------------------------------------
Fri Dec 27 16:01:06 UTC 2019 - Marcus Meissner <meissner@suse.com>

- updated to 2.59c
  - qbdi_mode: fuzz android native libraries via QBDI framework
  - unicorn_mode: switched to the new unicornafl, thanks domenukk
                  (see https://github.com/vanhauser-thc/unicorn)
  - afl-fuzz:
     - added radamsa as (an optional) mutator stage (-R[R])
     - added -u command line option to not unlink the fuzz input file
     - Python3 support (autodetect)
     - AFL_DISABLE_TRIM env var to disable the trim stage
     - CPU affinity support for DragonFly
  - llvm_mode:
     - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
     - support for llvm 10 included now (thanks to devnexen)
  - libtokencap:
     - support for *BSD/OSX/Dragonfly added
     - hook common *cmp functions from widely used libraries
  - compcov:
     - hook common *cmp functions from widely used libraries
     - floating point splitting support for QEMU on x86 targets
  - qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
  - afl-analyze: added AFL_SKIP_BIN_CHECK support
  - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
  - Dockerfile by courtesy of devnexen
  - added regex.dictionary
  - qemu and unicorn download scripts now try to download until the full
    download succeeded. f*ckin travis fails downloading 40% of the time!
  - more support for Android (please test!)
  - added the few Android stuff we didn't have already from Google afl repository
  - removed unnecessary warnings

-------------------------------------------------------------------
Sat Nov  9 16:05:04 UTC 2019 - Marcus Meissner <meissner@suse.com>

- updated to 2.58c
  - reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10%
  - added test/test-performance.sh script
  - (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistence feature! by hexcoder-
  - gcc_plugin tests added to testing framework
- jump to 2.57 instead of 2.55 to catch up with Google's versioning
  - persistent mode for QEMU (see qemu_mode/README.md)
  - custom mutator library is now an additional mutator, to exclusively use it
    add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
  - new library qemu_mode/unsigaction which filters sigaction events
  - afl-fuzz: new command line option -I to execute a command on a new crash
  - no more unlinking the input file, this way the input file can also be a
    FIFO or disk partition
  - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
    llvm version. If your setup is correct.
  - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
  - added "make tests" which will perform checks to see that all functionality
    is working as expected. this is currently the starting point, it's not complete :)
  - added mutation documentation feature ("make document"), creates afl-fuzz-document
    and saves all mutations of the first run on the first file into out/queue/mutations
  - libtokencap and libdislocator now compile to the afl_root directory and are
    installed to the .../lib/afl directory when present during make install
  - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
  - reducing duplicate code in afl-fuzz
  - added "make help"
  - removed compile warnings from python internal stuff
  - added man page for afl-clang-fast[++]
  - updated documentation
  - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
  - CompareCoverage for ARM target in QEMU/Unicorn
- 2.54c:
  - big code refactoring:
    - all includes are now in include/
    - all afl sources are now in src/ - see src/README.src
    - afl-fuzz was split up into various individual files for including
      functionality in other programs (e.g. forkserver, memory map, etc.)
      and for better readability.
    - new code indentation everywhere
  - auto-generating man pages for all (main) tools
  - added AFL_FORCE_UI to show the UI even if the terminal is not detected
  - llvm 9 is now supported (still needs testing)
  - Android is now supported (thanks to JoeyJiao!) - still need to modify the Makefile though
  - fix building qemu on some Ubuntus (thanks to floyd!)
  - custom mutator by a loaded library is now supported (thanks to kyakdan!)
  - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report
  - more support for *BSD (thanks to devnexen!)
  - fix building on *BSD (thanks to tobias.kortkamp for the patch)
  - fix for a few features to support different map sizes than 2^16
  - afl-showmap: new option -r now shows the real values in the buckets (stock
    afl never did), plus shows tuple content summary information now
  - small docu updates
  - NeverZero counters for QEMU
  - NeverZero counters for Unicorn
  - CompareCoverage Unicorn
  - immediates-only instrumentation for CompareCoverage
- 2.53c release
  - imported the few minor changes from the 2.53b release
  - unicorn_mode got added - thanks to domenukk for the patch!
  - fix llvm_mode AFL_TRACE_PC with modern llvm
  - fix a crash in qemu_mode which also exists in stock afl
  - added libcompcov, a laf-intel implementation for qemu! :) see qemu_mode/libcompcov/README.libcompcov
  - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels
  - all queue, hang and crash files now have their discovery time in their name
  - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc
  - added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
  - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
  - added code to make it more portable to other platforms than Intel Linux
  - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
  - added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt
  - more cpu power for afl-system-config
  - added forkserver patch to afl-tmin, makes it much faster (originally from github.com/nccgroup/TriforceAFL)
  - added whitelist support for llvm_mode via AFL_LLVM_WHITELIST to allow only to instrument what is actually interesting. Gives more speed and less map pollution (originally by choller@mozilla)
  - added Python Module mutator support, python2.7-dev is autodetected. see docs/python_mutators.txt (originally by choller@mozilla)
  - added AFL_CAL_FAST for slow applications and AFL_DEBUG_CHILD_OUTPUT for debugging
  - added -V time and -E execs options for better comparison runs, runs afl-fuzz for a specific time/number of executions.
  - added a -s seed switch to allow afl to run with a fixed initial seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then

-------------------------------------------------------------------
Thu Oct 17 12:58:02 UTC 2019 - Richard Brown <rbrown@suse.com>

- Remove obsolete Groups tag (fate#326485)

-------------------------------------------------------------------
Sun Jun 23 17:44:06 UTC 2019 - Marcus Meissner <meissner@suse.com>

- updated to afl++ 2.52c version, community fork. It integrates
  various community patches.
  - community patches to make llvm_mode and qemu_mode faster, plus new features and bugfixes
  - qemu upgraded to 3.1
  - aflfast powerschedules added
  - llvm_mode now supports llvm up to version 8

-------------------------------------------------------------------
Thu Aug 30 15:03:49 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Fix build on non X86* platforms

-------------------------------------------------------------------
Sun Nov  5 07:57:53 UTC 2017 - mardnh@gmx.de

- Update to version 2.52b:
  * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting
    several weird issues.
  * Added setsid to afl-showmap. See the notes for 2.51b.
  * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats.
  * afl-tmin should now save a partially minimized file when Ctrl-C
    is pressed.
  * Added an option for afl-analyze to dump offsets in hex.
  * Added support for parameters in triage_crashes.sh.

-------------------------------------------------------------------
Sun Sep  3 12:08:41 UTC 2017 - astieger@suse.com

- afl 2.51b:
  * Make afl-tmin call setsid to prevent glibc traceback junk from
    showing up on the terminal
- includes changes from 2.50b:
  * Fix a timing corner case
  * Address a libtokencap / pthreads incompatibility issue
  * Add AFL_FAST_CAL.
  * In-place resume now preserves .synced

-------------------------------------------------------------------
Sat Jul 29 23:04:43 UTC 2017 - meissner@suse.com

- include docs/README

-------------------------------------------------------------------
Wed Jul 26 06:47:03 UTC 2017 - meissner@suse.com

- Version 2.49b
  - Added AFL_TMIN_EXACT to allow path constraint for crash minimization.
  - Added dates for releases (retroactively for all of 2017).
- Version 2.48b
  - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
  - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
  - Made it possible to point -o and -f to the same file in afl-tmin.
- Version 2.47b
  - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk.
- Version 2.46b
  - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
    want to abort on calloc() overflows.
  - Made a minor fix to libtokencap. Reported by Daniel Stender.
  - Added a small JSON dictionary, inspired by a dictionary done by Jakub Wilk.

-------------------------------------------------------------------
Fri Jul  7 14:59:31 UTC 2017 - meissner@suse.com

- update to 2.45b:
  - Added strstr, strcasestr support to libtokencap. Contributed by
    Daniel Hodson.
  - Fixed a resumption offset glitch spotted by Jakub Wilk.
  - There are definitely no bugs in afl-showmap -c now.

-------------------------------------------------------------------
Mon Jul  3 08:08:58 UTC 2017 - astieger@suse.com

- update to 2.44b:
  * Add visual indicator of ASAN / MSAN mode when compiling
  * Add support for afl-showmap coredumps (-c)
  * Add LD_BIND_NOW=1 for afl-showmap by default
  * Added AFL_NO_ARITH to aid in the fuzzing of text-based formats
  * Renamed the R() macro to avoid a problem with llvm_mode in the
    latest versions of LLVM

-------------------------------------------------------------------
Wed Apr 12 06:25:50 UTC 2017 - meissner@suse.com

- update to 2.41b:
  - Addressed a major user complaint related to timeout detection. Timing out
    inputs are now binned as "hangs" only if they exceed a far more generous
    time limit than the one used to reject slow paths.
- update to 2.40b:
  - Fixed a minor oversight in the insertion strategy for dictionary words.
    Spotted by Andrzej Jackowski.
  - Made a small improvement to the havoc block insertion strategy.
  - Adjusted color rules for "is it done yet?" indicators.

-------------------------------------------------------------------
Wed Mar  8 20:52:05 UTC 2017 - sfalken@opensuse.org

- Changed %doc line to clear build failure in openSUSE:Factory
  due to unpackaged files

-------------------------------------------------------------------
Fri Feb 10 12:09:01 UTC 2017 - meissner@suse.com

- update to 2.39b:
  - Improved error reporting in afl-cmin. Suggested by floyd.
  - Made a minor tweak to trace-pc-guard support. Suggested by kcc.
  - Added a mention of afl-monitor.

-------------------------------------------------------------------
Mon Jan 30 14:21:37 UTC 2017 - astieger@suse.com

- update to 2.38b:
  * Added -mllvm -sanitizer-coverage-block-threshold=0 to
    trace-pc-guard mode
  * Fixed a cosmetic bad free() bug when aborting -S sessions
  * Made a small change to afl-whatsup to sort fuzzers by name.
  * Fixed a minor issue with malloc(0) in libdislocator
  * Changed the clobber pattern in libdislocator to a slightly more
    reliable one
  * Added a note about THP performance
  * Added a somewhat unofficial support for running afl-tmin with a
    baseline "mask" that causes it to minimize only for edges that
    are unique to the input file, but not to the "boring" baseline.
  * "Fixed" a getPassName() problem with newer versions of clang.

-------------------------------------------------------------------
Wed Oct 19 20:05:42 UTC 2016 - mpluskal@suse.com

- Update to version 2.35b:
  * Fixed a minor cmdline reporting glitch, spotted by Leo Barnes.
  * Fixed a silly bug in libdislocator. Spotted by Johannes Schultz.
- Changes for version 2.34b:
  * Added a note about afl-tmin to technical_details.txt.
  * Added support for AFL_NO_UI, as suggested by Leo Barnes.
- Changes for version 2.33b:
  * Added code to strip -Wl,-z,defs and -Wl,--no-undefined for
    afl-clang-fast, since they interfere with -shared. Spotted and
    diagnosed by Toby Hutton.
  * Added some fuzzing tips for Android.

-------------------------------------------------------------------
Thu Aug 25 12:45:55 UTC 2016 - meissner@suse.com

- Version 2.32b:
  - Added a check for AFL_HARDEN combined with AFL_USE_*SAN. Suggested by Hanno Boeck.
  - Made several other cosmetic adjustments to cycle timing in the wake of the big tweak made in 2.31b.

- Version 2.31b:
  - Changed havoc cycle counts for a marked performance boost, especially
    with -S / -d. See the discussion of FidgetyAFL in:

    https://groups.google.com/forum/#!topic/afl-users/fOPeb62FZUg

    While this does not implement the approach proposed by the authors of
    the CCS paper, the solution is a result of digging into that research;
    more improvements may follow as I do more experiments and get more
    definitive data.
- Version 2.30b:
  - Made minor improvements to persistent mode to avoid the remote
    possibility of "no instrumentation detected" issues with very low
    instrumentation densities.
  - Fixed a minor glitch with a leftover process in persistent mode.
    Reported by Jakub Wilk and Daniel Stender.
  - Made persistent mode bitmaps a bit more consistent and adjusted the way
    this is shown in the UI, especially in persistent mode.

- Version 2.29b:
  - Made a minor #include fix to llvm_mode. Suggested by Jonathan Metzman.
  - Made cosmetic updates to the docs.
- Version 2.28b:
  - Added "life pro tips" to docs/.
  - Moved testcases/_extras/ to dictionaries/ for visibility.
  - Made minor improvements to install scripts.
  - Added an important safety tip.
- Version 2.27b:
  - Added libtokencap, a simple feature to intercept strcmp / memcmp and
    generate dictionary entries that can help extend coverage.
  - Moved libdislocator to its own dir, added README.
  - The demo in experimental/instrumented_cmp is no more.
- Version 2.26b:
  - Made a fix for libdislocator.so to compile on MacOS X.
  - Added support for DYLD_INSERT_LIBRARIES.
  - Renamed AFL_LD_PRELOAD to AFL_PRELOAD.
- Version 2.25b:
  - Made some cosmetic updates to libdislocator.so, renamed one env
    variable.
- Version 2.24b:
  - Added libdislocator.so, an experimental, abusive allocator. Try
    it out with AFL_LD_PRELOAD=/path/to/libdislocator.so when running
    afl-fuzz.
- Version 2.23b:
  - Improved the stability metric for persistent mode binaries. Problem
    spotted by Kurt Roeckx.
  - Made a related improvement that may bring the metric to 100% for those
    targets.
- Version 2.22b:
  - Mentioned the potential conflicts between MSAN / ASAN and FORTIFY_SOURCE.
    There is no automated check for this, since some distros may implicitly
    set FORTIFY_SOURCE outside of the compiler's argv[].
  - Populated the support for AFL_LD_PRELOAD to all companion tools.
  - Made a change to the handling of ./afl-clang-fast -v. Spotted by
    Jan Kneschke.

-------------------------------------------------------------------
Sat Jul 23 19:10:30 UTC 2016 - astieger@suse.com

- afl 2.21b:
  * Minor UI fixes
- includes changes from 2.20b:
  * Revamp handling of variable paths
  * Stability improvements
  * Include current input bitmap density in UI
  * Add experimental support for parallelizing -M.
- includes changes from 2.19b:
  * Ensure auto CPU binding happens at non-overlapping times
- includes changes from 2.18b
  * Performance improvements

-------------------------------------------------------------------
Tue Jun 28 06:26:03 UTC 2016 - astieger@suse.com

- afl 2.17b:
  * Remove error-prone and manual -Z option
  * automatically bind to the first free core

-------------------------------------------------------------------
Wed Jun 15 18:26:54 UTC 2016 - astieger@suse.com

- afl 2.14b:
  - Added FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION as a macro
    defined when compiling with afl-gcc and friends
  - Refreshed some of the non-x86 docs.

-------------------------------------------------------------------
Tue May 31 11:18:02 UTC 2016 - astieger@suse.com

- afl 2.13b:
  * Fixed a spurious build test error with trace-pc and
    llvm_mode/Makefile.
  * Fixed a cosmetic issue with afl-whatsup
- includes changes from 2.12b
  * Fixed a minor issue in afl-tmin that can make alphabet
    minimization less efficient during passes > 1

-------------------------------------------------------------------
Mon May  2 11:02:02 UTC 2016 - astieger@suse.com

- afl 2.11b:
  - Fixed a minor typo in instrumented_cmp
  - Added a missing size check for deterministic insertion steps.
  - Made an improvement to afl-gotcpu when -Z not used.
  - Fixed a typo in post_library_png.so.c in experimental/

-------------------------------------------------------------------
Sat Apr 16 15:12:46 UTC 2016 - astieger@suse.com

- afl 2.10b:
  * Fix a minor core counting glitch

-------------------------------------------------------------------
Mon Mar 28 19:11:03 UTC 2016 - mpluskal@suse.com

- Update to 2.09b
  * Made several documentation updates.
  * Added some visual indicators to promote and simplify the use
    of -Z.
- Changes for 2.08b
  * Added explicit support for -m32 and -m64 for llvm_mode.
    Inspired by a request from Christian Holler.
  * Added a new benchmarking option, as requested by Kostya
    Serebryany.
- Changes for 2.07b
  * Added CPU affinity option (-Z) on Linux. With some caution,
    this can offer a significant (10%+) performance bump and
    reduce jitter. Proposed by Austin Seipp.
  * Updated afl-gotcpu to use CPU affinity where supported.
  * Fixed confusing CPU_TARGET error messages with QEMU build.
    Spotted by Daniel Komaromy and others.
- Changes for 2.06b
  * Worked around LLVM persistent mode hiccups with -shared code.
    Contributed by Christian Holler.
  * Added __AFL_COMPILER as a convenient way to detect that
    something is built under afl-gcc / afl-clang / afl-clang-fast
    and enable custom optimizations in your code. Suggested by
    Pedro Corte-Real.
  * Upstreamed several minor changes developed by Franjo Ivancic to
    allow AFL to be built as a library. This is fairly use-specific
    and may have relatively little appeal to general audiences.

-------------------------------------------------------------------
Sun Feb 28 13:59:04 UTC 2016 - astieger@suse.com

- afl 2.05b:
  * Put __sanitizer_cov_module_init & co behind #ifdef to avoid
    problems with ASAN.

-------------------------------------------------------------------
Wed Feb 24 21:52:33 UTC 2016 - astieger@suse.com

- afl 2.04b:
  * remove indirect-calls coverage from -fsanitize-coverage
  * LLVM: Added experimental -fsanitize-coverage=trace-pc support
  * LLVM: better support non-standard map sizes
  * LLVM: use thread-local execution tracing
  * Force-disabled symbolization for ASAN
  * Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets
    without affecting AFL itself
  * Fixed a "lcamtuf can't count to 16" bug in the havoc stage.

-------------------------------------------------------------------
Tue Feb 16 15:37:01 UTC 2016 - astieger@suse.com

- afl 2.01b:
  - updates to color handling
  - Fixed an installation issue with afl-as

-------------------------------------------------------------------
Thu Feb 11 12:21:39 UTC 2016 - astieger@suse.com

- afl 1.99b:
  - Revamp the output and the internal logic of afl-analyze.
  - Clean up color handling code
  - added support for background colors.

-------------------------------------------------------------------
Wed Feb 10 20:25:47 UTC 2016 - astieger@suse.com

- afl 1.98b:
  - new tool afl-analyze

-------------------------------------------------------------------
Sat Dec 19 15:45:22 UTC 2015 - mpluskal@suse.com

- Update to 1.96b
  * Added -fpic to CFLAGS for the clang plugin, as suggested by
    Hanno Boeck.
  * Made another clang change (IRBuilder) suggested by Jeff Trull.
  * Fixed several typos, spotted by Jakub Wilk.
  * Added support for AFL_SHUFFLE_QUEUE, based on discussions with
    Christian Holler.

-------------------------------------------------------------------
Fri Nov 13 09:06:47 UTC 2015 - astieger@suse.com

- afl 1.95b:
  * Fixed a harmless bug when handling -B
  * Made the exit message a bit more accurate when
    AFL_EXIT_WHEN_DONE is set.
  * Added some error-checking for old-style forkserver syntax.
  * Switched from exit() to _exit() in injected code to avoid
    snafus with destructors in C++ code.
  * Made a change to avoid spuriously setting __AFL_SHM_ID when
    AFL_DUMB_FORKSRV is set in conjunction with -n.

-------------------------------------------------------------------
Fri Oct  2 15:11:23 UTC 2015 - astieger@suse.com

- afl 1.94b:
  * Changed allocator alignment to improve support for non-x86 systems
    (now that llvm_mode makes this more feasible).
  * Fixed an obscure bug that would affect people trying to use afl-gcc
    with $TMP set but $TMPDIR absent.

-------------------------------------------------------------------
Mon Sep  7 13:22:07 UTC 2015 - astieger@suse.com

- afl 1.92b:
  * C++ fix (namespaces)

-------------------------------------------------------------------
Thu Sep  3 14:32:09 UTC 2015 - astieger@suse.com

- afl 1.91b:
  * C++ instrumentation fixes
- includes changes from 1.90b:
  * documentation updates
  * Fixed a potential problem with deferred mode signatures getting
    optimized out by the linker (with --gc-sections).

-------------------------------------------------------------------
Wed Sep  2 07:57:31 UTC 2015 - astieger@suse.com

- afl 1.89b:
  * Revamped the support for persistent and deferred forkserver
    modes. Both now feature simpler syntax and do not require
    companion env variables.
  * Added a bit more info about afl-showmap.

-------------------------------------------------------------------
Sun Aug 30 23:40:19 UTC 2015 - astieger@suse.com

- afl 1.88b:
  * Make AFL_EXIT_WHEN_DONE work in non-tty mode. 

-------------------------------------------------------------------
Thu Aug 27 14:32:46 UTC 2015 - astieger@suse.com

- afl 1.87b:
  * Add QuickStartGuide.txt and other documentation updates

-------------------------------------------------------------------
Mon Aug 10 19:49:56 UTC 2015 - astieger@suse.com

- afl 1.86b:
  * Added support for AFL_SKIP_CRASHES
  * Removed the hard-fail terminal size check

-------------------------------------------------------------------
Wed Aug  5 13:46:26 UTC 2015 - mpluskal@suse.com

- Update to 1.85b
  * Fixed a garbled sentence in notes on parallel fuzzing.
  * Fixed a minor glitch in afl-cmin.
- Changes for 1.84b
  * Made SIMPLE_FILES behave as expected when naming backup 
    directories for crashes and hangs.
  * Added the total number of favored paths to fuzzer_stats.
  * Made afl-tmin, afl-fuzz, and afl-cmin reject negative values 
    passed to -t and -m, since they generally won't work as 
    expected.
  * Made a fix for no lahf / sahf support on older versions of 
    FreeBSD.

-------------------------------------------------------------------
Mon Jun 15 09:07:34 UTC 2015 - astieger@suse.com

- afl 1.83b:
  * fixes for platforms other than GNU/Linux

-------------------------------------------------------------------
Sat Jun 13 10:41:30 UTC 2015 - astieger@suse.com

- afl 1.82b:
  * Fixed a harmless but annoying race condition in persistent mode
  * Updated persistent mode documentation
  * Tweaked AFL_PERSISTENT to force AFL_NO_VAR_CHECK.
- afl 1.81b:
  * Added persistent mode for in-process fuzzing. 
  * in-place resume code to preserve crashes/README.txt.

-------------------------------------------------------------------
Tue May 26 10:59:53 UTC 2015 - astieger@suse.com

- afl 1.80b:
  - Made afl-cmin tolerant of whitespaces in filenames
  - Added support for AFL_EXIT_WHEN_DONE

-------------------------------------------------------------------
Mon May 25 07:43:23 UTC 2015 - astieger@suse.com

- afl 1.79b:
  - Added support for dictionary levels, see testcases/README.testcases.
  - Reworked the SQL dictionary to use levels.
  - Added a note about Preeny.

-------------------------------------------------------------------
Tue May 19 07:26:27 UTC 2015 - astieger@suse.com

- builds for i586 x86_64 only

-------------------------------------------------------------------
Mon May 18 17:12:36 UTC 2015 - astieger@suse.com

- afl 1.78b:
  - Added a dictionary for PDF
  - Added several references to afl-cov

-------------------------------------------------------------------
Fri May  8 13:05:09 UTC 2015 - astieger@suse.com

- afl 1.77b:
  * additional fuzzing functionality
  * reduce number of duplicates
  * documentation updates  
  * qemu_mode with qemu 2.3.0

-------------------------------------------------------------------
Mon Apr 27 08:45:05 UTC 2015 - astieger@suse.com

- afl 1.73b:
  - Fixed a bug in effector maps that could sometimes cause more
    fuzzing than necessary, or SEGV
- includes changes from 1.72b:
  - Fixed a glitch in non-x86 install
  - Added a minor safeguard to llvm_mode Makefile

-------------------------------------------------------------------
Mon Apr 20 17:20:09 UTC 2015 - astieger@suse.com

- afl 1.71b:
  - Fix bug with installed copies of AFL trying to use QEMU mode.
  - Add last path / crash / hang times to fuzzer_stats
- with changes from 1.70b:
  - Modify resumption code to reuse the original timeout value when
    resuming a session if -t is not given. This prevents timeout
    creep in continuous fuzzing.
  - Add improved error messages for failed handshake when
    AFL_DEFER_FORKSRV is set.
  - slight improvement to llvm_mode/Makefile
  - Refresh several bits of documentation.

-------------------------------------------------------------------
Thu Apr 16 07:19:18 UTC 2015 - astieger@suse.com

- afl 1.69b:
  - Added support for deferred initialization in LLVM mode.
- afl 1.68b:
  - Fixed a minor PRNG glitch that would make the first seconds of
    a fuzzing job deterministic.
  - Made tmp[] static in the LLVM runtime to keep Valgrind happy
  - Clarified the footnote in README.
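
The deferred initialization added in 1.69b, the in-process persistent mode
added in 1.81b, the simplified __AFL_INIT() / __AFL_LOOP() syntax from the
1.89b entry and the __AFL_COMPILER macro from the 2.06b entry are meant to be
used together in one harness. The following is an added example written for
this page; it is not code from the AFL changelog, the AFL sources or the
openSUSE package. The record format, the parse_record() function and the
sample inputs are constructed for illustration, and __AFL_HAVE_MANUAL_CONTROL
is assumed to be the macro afl-clang-fast defines when __AFL_INIT() and
__AFL_LOOP() are available; with afl-gcc (where __AFL_COMPILER is defined but
persistent mode is not) or a plain compiler, the fallbacks make the loop body
run exactly once so the same source builds and fuzzes everywhere.

```c
/* Added example (not AFL project code): an AFL persistent-mode harness that
 * degrades to a single-shot harness when built without afl-clang-fast. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_INPUT 4096

#ifndef __AFL_HAVE_MANUAL_CONTROL
/* Assumption: afl-clang-fast defines __AFL_HAVE_MANUAL_CONTROL together with
 * __AFL_INIT() and __AFL_LOOP(). Without it (plain gcc/clang, or afl-gcc,
 * which only defines __AFL_COMPILER), make __AFL_INIT() a no-op and let
 * __AFL_LOOP() run the body once, so AFL's normal fork server still works. */
static int afl_loop_once(void) { static int done = 0; return done++ == 0; }
#  define __AFL_INIT() do { } while (0)
#  define __AFL_LOOP(n) (afl_loop_once())
#endif

/* Constructed target: a record is "<decimal length>:<payload>", and the
 * payload must be exactly the declared number of bytes. Returns the payload
 * length on success, -1 on malformed input. Every index is bounds-checked
 * against len, which is the property a fuzzer would otherwise find broken. */
int parse_record(const unsigned char *buf, size_t len) {
  size_t i = 0;
  unsigned long declared = 0;

  while (i < len && buf[i] >= '0' && buf[i] <= '9') {
    declared = declared * 10 + (unsigned long)(buf[i] - '0');
    if (declared > MAX_INPUT) return -1;   /* reject absurd lengths early */
    i++;
  }
  if (i == 0 || i >= len || buf[i] != ':') return -1;  /* no prefix or no ':' */
  i++;
  if (len - i != declared) return -1;      /* payload length must match */
  return (int)declared;
}

/* Reads inputs from stdin and feeds them to parse_record(). Under
 * afl-clang-fast, __AFL_INIT() starts the fork server only after the one-time
 * setup, and __AFL_LOOP(1000) lets AFL reuse this process for 1000 inputs.
 * Returns the parser's verdict for the last input (useful when run by hand). */
int run_harness(void) {
  static unsigned char buf[MAX_INPUT];
  int last = -1;

#ifdef __AFL_COMPILER
  /* Only in AFL builds (afl-gcc, afl-clang, afl-clang-fast): stdout is not
   * read by the fuzzer, so drop buffering rather than pay for it per exec. */
  setvbuf(stdout, NULL, _IONBF, 0);
#endif

  /* Expensive one-time setup (config loading, table init) belongs here,
   * before __AFL_INIT(), so it is not repeated for every forked child. */

  __AFL_INIT();

  while (__AFL_LOOP(1000)) {
    ssize_t n = read(0, buf, sizeof buf);
    if (n < 0) break;
    last = parse_record(buf, (size_t)n);
  }
  return last;
}

int main(void) {
  printf("parse_record result for last input: %d\n", run_harness());
  return 0;
}
```

Build with afl-clang-fast to get the persistent loop, with afl-gcc to get the
classic fork-server behaviour, or with plain cc to run it once on stdin; the
source is identical in all three cases.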

-------------------------------------------------------------------
Mon Apr 13 19:58:55 UTC 2015 - astieger@suse.com

- afl 1.67b:
  - One more correction to llvm_mode Makefile
- afl 1.66b:
  - Added CC / CXX support to llvm_mode Makefile
  - Fixed 'make clean' with gmake
  - Fixed 'make -j n clean all'
  - Removed build date and time from banners to give people deterministic
    builds
  - drop afl-1.46b-nodate.patch, thus obsoleted

-------------------------------------------------------------------
Mon Apr 13 15:11:11 UTC 2015 - astieger@suse.com

- afl 1.65b:
  - Fixed a snafu with some leftover code in afl-clang-fast.
  - Corrected even moar typos.

-------------------------------------------------------------------
Sun Apr 12 09:41:38 UTC 2015 - astieger@suse.com

- afl 1.64b:
  - improve compatibility with non-ELF platforms.
  - Fixed a problem with afl-clang-fast and -shared libraries.
  - Removed unnecessary instrumentation density adjustment for LLVM
- includes changes from 1.63b:
  - Updated cgroups_asan/
  - Fixed typos

-------------------------------------------------------------------
Sat Apr 11 07:15:12 UTC 2015 - astieger@suse.com

- afl 1.62b:
  - Improved the handling of -x in afl-clang-fast.
  - Improved the handling of low AFL_INST_RATIO settings for QEMU and
    LLVM modes.
  - Fixed the llvm-config bug for good
- includes changes from 1.61b:
  - Fixed an obscure bug compiling OpenSSL with afl-clang-fast.
  - Fixed a 'make install' bug on non-x86 systems
  - Fixed a problem with half-broken llvm-config

-------------------------------------------------------------------
Thu Apr  9 13:12:37 UTC 2015 - astieger@suse.com

- afl 1.60b:
  * Allowed experimental/llvm_instrumentation/ to graduate to llvm_mode/.
  * Removed experimental/arm_support/, since it's completely broken and likely
    unnecessary with LLVM support in place.
  * Added ASAN cgroups script to experimental/asan_cgroups/, updated existing
    docs. Courtesy Sam Hakim and David A. Wheeler.
  * Refactored afl-tmin to reduce the number of execs in common use cases.
    Ideas from Jonathan Neuschafer and Turo Lamminen.
  * Added a note about CLAs at the bottom of README.
  * Renamed testcases_readme.txt to README.testcases for some semblance of
    consistency.
  * Made assorted updates to docs.
- includes changes from 1.59b
  * Imported Laszlo Szekeres' experimental LLVM instrumentation into
    experimental/llvm_instrumentation. I'll work on including it in the 
    "mainstream" version soon.
- updates afl-1.46b-nodate.patch

-------------------------------------------------------------------
Fri Mar 27 20:26:35 UTC 2015 - astieger@suse.com

- fix SLE 11 SP3 build, add afl-1.58b-fix-paths.patch

-------------------------------------------------------------------
Fri Mar 27 14:40:09 UTC 2015 - astieger@suse.com

- afl 1.58b:
  * Added a workaround for abort() behavior in -lpthread programs in
    QEMU mode.
  * Made several documentation updates, including links to the
    static instrumentation tool (sister_projects.txt).
- use libexecdir

-------------------------------------------------------------------
Tue Mar 24 15:58:08 UTC 2015 - meissner@suse.com

- updated to 1.57b

-------------------------------------------------------------------
Mon Feb 16 12:53:36 UTC 2015 - astieger@suse.com

- initial package