-------------------------------------------------------------------
Thu Jan 5 15:33:51 UTC 2023 - Marcus Meissner

- updated to 4.05c
  - afl-fuzz:
    - added afl_custom_fuzz_send custom mutator feature. Now you can send
      fuzz data to the target as you need, e.g. via IPC.
    - cmplog mode now has a -l R option for random colorization, thanks to
      guyf2010 for the PR!
    - queue statistics are written every 30 minutes to out/NAME/queue_data
      if compiled with INTROSPECTION
    - new env: AFL_FORK_SERVER_KILL_SIGNAL
  - afl-showmap/afl-cmin
    - `-t none` now translates to `-t 120000` (120 seconds)
  - unicorn_mode updated
  - updated rust custom mutator dependencies and LibAFL custom mutator
  - several minor bugfixes

-------------------------------------------------------------------
Sat Oct 22 14:15:36 UTC 2022 - Andreas Schwab

- Update file list for riscv64

-------------------------------------------------------------------
Fri Oct 21 14:28:09 UTC 2022 - Marcus Meissner

- updated to 4.04c
  - fix gramatron and grammar_mutator build scripts
  - enhancements to the afl-persistent-config and afl-system-config
    scripts
  - afl-fuzz:
    - force writing all stats on exit
  - afl-cc:
    - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
  - qemu_mode:
    - fixed 10x speed degradation in v4.03c
    - added qemu_mode/fastexit helper library
  - unicorn_mode:
    - Enabled tricore arch (by @jma-qb)
    - Updated Capstone version in Rust bindings
  - llvm-mode:
    - AFL runtime will always pass inputs via shared memory, when possible,
      ignoring the command line.

-------------------------------------------------------------------
Tue Sep 20 15:50:19 UTC 2022 - Marcus Meissner

- updated to 4.03c
  - Building now gives a build summary of what succeeded and what did not
  - afl-fuzz:
    - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead of
      calibrating all initial seeds first. Good for large queues and long
      execution times, especially in CIs.
    - default calibration cycles set to 7 from 8, and only add 5 cycles to
      variable queue items instead of 12.
  - afl-cc:
    - fixed off-by-one bug in our pcguard implementation, thanks to
      @tokatoka for reporting
    - fix for llvm 15 and reenabling LTO, thanks to nikic for the PR!
    - better handling of -fsanitize=..,...,.. lists
    - support added for LLVMFuzzerRunDriver()
    - fix gcc_mode cmplog
    - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
      note that this will exit the target before main()
  - qemu_mode:
    - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable edges
      (together with AFL_DEBUG=1 afl-fuzz). thanks to worksbutnottested!
  - afl-analyze broke at some point, fix by CodeLogicError, thank you!
  - afl-cmin/afl-cmin.bash now have an -A option to allow also crashing
    and timeout inputs
  - unicorn_mode:
    - updated upstream unicorn version
    - fixed builds for aarch64
    - build now uses all available cores

-------------------------------------------------------------------
Sat Aug 20 11:55:57 UTC 2022 - Marcus Meissner

- updated to 4.02c
  - afl-cc:
    - important fix for the default pcguard mode when LLVM IR vector selects
      are produced, thanks to @juppytt for reporting!
  - gcc_plugin:
    - Adacore submitted CMPLOG support to the gcc_plugin! :-)
  - llvm_mode:
    - laf cmp splitting fixed for more comparison types
  - frida_mode:
    - now works on Android!
  - afl-fuzz:
    - change post_process hook to allow returning NULL and 0 length to
      tell afl-fuzz to skip this mutated input

-------------------------------------------------------------------
Tue Jun 28 14:32:52 UTC 2022 - Marcus Meissner

- updated to 4.01c
  - fixed */build_...sh scripts to work outside of git
  - new custom_mutator: libafl with token fuzzing :)
  - afl-fuzz:
    - when you just want to compile once and set CMPLOG, then just set
      -c 0 to tell afl-fuzz that the fuzzing binary is also for CMPLOG.
    - new commandline options -g/G to set min/max length of generated
      fuzz inputs
    - you can set the time for syncing to other fuzzers now with
      AFL_SYNC_TIME
    - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent
      mode and manual forkserver support if these are not in the target
      binary (e.g. are in a shared library)
    - add AFL_EARLY_FORKSERVER to install the forkserver as early as
      possible in the target (for afl-gcc-fast/afl-clang-fast/afl-clang-lto)
    - "saved timeouts" was wrong information, timeouts are still thrown
      away by default even if they have new coverage (hangs are always
      kept), unless AFL_KEEP_TIMEOUTS is set
    - AFL never implemented auto token inserts (but user token inserts,
      user token overwrite and auto token overwrite), added now!
    - fixed a mutation type in havoc mode
    - Mopt fix to always select the correct algorithm
    - fix effector map calculation (deterministic mode)
    - fix custom mutator post_process functionality
    - document and auto-activate pizza mode on condition
  - afl-cc:
    - due to a bug in lld of llvm 15 LTO instrumentation won't work atm :-(
    - converted all passes to use the new llvm pass manager for llvm 11+
    - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)
    - trying to stay on top of all these #$&§!! changes in llvm 15 ...
  - frida_mode:
    - update to new frida release, handles now c++ throw/catch
  - unicorn_mode:
    - update unicorn engine, fix C example
  - utils:
    - removed optimin because it loses coverage due to a bug and is
      unmaintained :-(
- removed upstream llvm14-fix-build.patch

-------------------------------------------------------------------
Sat Jun 4 13:26:34 UTC 2022 - Aaron Puchert

- Add llvm14-fix-build.patch: fix build with LLVM 14.

-------------------------------------------------------------------
Wed Feb 23 22:21:07 UTC 2022 - Aaron Puchert

- Fix build with armv7l on Leap: we have afl-llvm-rt-lto{,-32}.o.
- Fix build with ppc64le: we don't seem to have the 32-bit object files
  available there and there is also no gcc-32bit.

-------------------------------------------------------------------
Mon Jan 31 12:45:45 UTC 2022 - Marcus Meissner

- updated to 4.00c
  - complete documentation restructuring, made possible by Google Season
    of Docs :) thank you Jana!
  - we renamed several UI and fuzzer_stat entries to be more precise, e.g.
    "unique crashes" -> "saved crashes", "total paths" -> "corpus count",
    "current path" -> "current item". This might need changing custom
    scripting!
  - Nyx mode (full system emulation with snapshot capability) has been
    added - thanks to @schumilo and @eqv!
  - unicorn_mode:
    - Moved to unicorn2! by Ziqiao Kong (@lazymio)
      - Faster, more accurate emulation (newer QEMU base), risc-v support
    - removed indirections in rust callbacks
  - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
    thanks to RICSecLab submitting!
  - if instrumented libraries are dlopen()'ed after the forkserver you will
    now see a crash. Before you would have colliding coverage. We changed
    this to force fixing a broken setup rather than allowing ineffective
    fuzzing.
    - See docs/best_practices.md on how to fix such setups.
  - afl-fuzz:
    - cmplog binaries will need to be recompiled for this version (it is
      better!)
    - fix a regression introduced in 3.10 that resulted in less coverage
      being detected. thanks to Collin May for reporting!
    - ensure all spawned targets are killed on exit
    - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
      incorrect LTO usage setups and enhanced the READMEs for better
      information on how to deal with instrumenting libraries
    - fix -n dumb mode (nobody should use this mode though)
    - fix stability issue with LTO and cmplog
    - better banner
    - more effective cmplog mode
    - more often update the UI when in input2stage mode
  - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov, thanks
    to kotee4ko for reporting!
  - frida_mode:
    - better performance, bug fixes
    - David Carlier added Android support :)
  - afl-showmap, afl-tmin and afl-analyze:
    - honor persistent mode for more speed. thanks to dloffre-snl for
      reporting!
    - fix bug where targets are not killed on timeouts
    - moved hidden afl-showmap -A option to -H to be used for coresight_mode
    - Prevent accidentally killing non-afl/fuzz services when aborting
      afl-showmap and other tools.
  - afl-cc:
    - detect overflow reads on initial input buffer for asan
    - new cmplog mode (incompatible with older afl++ versions)
    - support llvm IR select instrumentation for default PCGUARD and LTO
    - fix for shared linking on MacOS
    - better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST on filename
      matching (requires llvm 11 or newer)
    - fixed a potential crash in targets for LAF string handling
    - fixed a bad assert in LAF split switches
    - added AFL_USE_TSAN thread sanitizer support
    - llvm and LTO mode modified to work with new llvm 14-dev (again.)
    - fix for AFL_REAL_LD
    - more -z defs filtering
    - make -v without options work
  - added the very good grammar mutator "GramaTron" to the custom_mutators
  - added optimin, a faster and better corpus minimizer by Adrian Herrera.
    Thank you!
  - added afl-persistent-config script to perform permanent system
    configuration settings for fuzzing, for Linux and Macos. thanks to
    jhertz!
  - added xml, curl & exotic string functions to llvm dictionary feature
  - fix AFL_PRELOAD issues on MacOS
  - removed utils/afl_frida because frida_mode/ is now so much better
  - added uninstall target to makefile (todo: update new readme!)

-------------------------------------------------------------------
Sun Sep 26 11:04:42 UTC 2021 - Marcus Meissner

- enable gcc-plugin on factory
- build with 32bit plugins on x86_64

-------------------------------------------------------------------
Mon Jul 19 12:49:59 UTC 2021 - Marcus Meissner

- updated to 3.14c
  - afl-fuzz:
    - fix -F when a '/' was part of the parameter
    - fixed a crash for cmplog for very slow inputs
    - fix for AFLfast schedule counting
    - removed implied -D deterministic from -M main
    - if the target becomes unavailable check out out/default/error.txt
      for an indicator why
    - AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
    - reverse read the queue on resumes (more effective)
    - fix custom mutator trimming
  - afl-cc:
    - Update to COMPCOV/laf-intel that speeds up the instrumentation
      process a lot - thanks to Michael Rodler/f0rki for the PR!
    - Fix for failures for some sized string instrumentations
    - Fix to instrument global namespace functions in c++
    - Fix for llvm 13
    - support partial linking
    - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and
      DICT2FILE
    - We do support llvm versions from 3.8 to 5.0 again
  - frida_mode:
    - several fixes for cmplog
    - remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET
    - less coverage collision
    - feature parity of aarch64 with intel now (persistent, cmplog,
      in-memory testcases, asan)
  - afl-cmin and afl-showmap -i do now descend into subdirectories (like
    afl-fuzz does) - note that afl-cmin.bash does not!
  - afl_analyze:
    - fix timeout handling
    - add forkserver support for better performance
  - ensure afl-compiler-rt is built for gcc_module
  - always build aflpp_driver for libfuzzer harnesses
  - added `AFL_NO_FORKSRV` env variable support to afl-cmin, afl-tmin, and
    afl-showmap, by @jhertz
  - removed outdated documents, improved existing documentation

-------------------------------------------------------------------
Thu Jul 15 19:29:19 UTC 2021 - Peace Peters

- s390x added to the compiler files

-------------------------------------------------------------------
Tue Jun 8 09:06:11 UTC 2021 - Andreas Schwab

- Fix filelist for riscv64

-------------------------------------------------------------------
Tue Jun 1 10:36:06 UTC 2021 - Marcus Meissner

- updated to 3.13c
  - Note: plot_data switched to relative time from unix time in 3.10
  - frida_mode - new mode that uses frida to fuzz binary-only targets,
    it currently supports persistent mode and cmplog.
    thanks to @WorksButNotTested!
  - create a fuzzing dictionary with the help of CodeQL thanks to
    @microsvuln! see utils/autodict_ql
  - afl-fuzz:
    - added patch by @realmadsci to support @@ as part of command line
      options, e.g. `afl-fuzz ... -- ./target --infile=@@`
    - add recording of previous fuzz attempts for persistent mode to allow
      replay of non-reproducible crashes, see AFL_PERSISTENT_RECORD in
      config.h and docs/envs.h
    - fixed a bug when trimming for stdin targets
    - cmplog -l: default cmplog level is now 2, better efficiency.
      level 3 now performs redqueen on everything. use with care.
    - better fuzzing strategy yield display for enabled options
    - ensure one fuzzer sync per cycle
    - fix afl_custom_queue_new_entry original file name when syncing
      from fuzzers
    - fixed a crash when more than one custom mutator was used together
      with afl_custom_post_process
    - on a crashing seed potentially the wrong input was disabled
    - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
      -i dir crashes the target or results in a timeout.
      By default afl++ ignores these and uses them for splicing instead.
    - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
      after no new paths have been found for n seconds
    - when AFL_FAST_CAL is set a variable path will now be calibrated
      8 times instead of originally 40. Long calibration is now 20.
    - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
      it fails
  - afl-cc:
    - We do not support llvm versions prior to 6.0 anymore
    - added thread safe counters to all modes (`AFL_LLVM_THREADSAFE_INST`),
      note that this disables NeverZero counters.
    - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
    - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
    - Removed InsTrim instrumentation as it is not as good as PCGUARD
    - Removed automatic linking with -lc++ for LTO mode
    - Fixed a crash in llvm dict2file when a strncmp length was -1
    - added --afl-noopt support
  - utils/aflpp_driver:
    - aflpp_qemu_driver_hook fixed to work with qemu_mode
    - aflpp_driver now compiled with -fPIC
  - unicornafl:
    - fix MIPS delay slot caching, thanks @JackGrence
    - fixed aarch64 exit address
    - execution no longer stops at address 0x0
  - updated afl-system-config to support Arch Linux weirdness and increase
    MacOS shared memory
  - updated the grammar custom mutator to the newest version
  - add -d (add dead fuzzer stats) to afl-whatsup
  - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the current
    filename
  - afl-showmap/cmin will now process queue items in alphabetical order

-------------------------------------------------------------------
Fri Apr 9 12:25:49 UTC 2021 - Guillaume GARDET

- Fix packaging for aarch64 and %arm

-------------------------------------------------------------------
Sat Apr 3 23:31:18 UTC 2021 - Niklas Haas

- install `afl-clang-lto`, recommended by upstream as the best variant
- add dependency on `lld`
- bump llvm-devel up to >= 11.0.0
- fix /usr/bin/env path in afl.cmin scripts
- prevent stripping of runtime objects (fix bug 1184324)

-------------------------------------------------------------------
Mon Mar 29 12:29:54 UTC 2021 - Guillaume GARDET

- Fix packaging on aarch64 and %{arm}

-------------------------------------------------------------------
Wed Mar 24 16:30:39 UTC 2021 - Marcus Meissner

- updated to 3.12c
  - afl-fuzz:
    - added AFL_TARGET_ENV variable to pass extra env vars to the target
      (for things like LD_LIBRARY_PATH)
    - fix map detection, AFL_MAP_SIZE not needed anymore for most cases
    - fix counting favorites (just a display thing)
  - afl-cc:
    - fix cmplog rtn (rare crash and not being able to gather ptr data)
    - fix our own PCGUARD implementation to compile with llvm 10.0.1
    - link runtime not to shared libs
    - ensure shared libraries are properly built and instrumented
    - AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added
    - show correct LLVM PCGUARD NATIVE mode when auto switching to it and
      keep fsanitize-coverage-*list=... Short mnemonic NATIVE is now also
      accepted.
  - qemu_mode (thanks @realmadsci):
    - move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
    - add AFL_QEMU_CUSTOM_BIN
  - unicorn_mode
    - accidentally removed the subfolder from github, re-added
  - added DEFAULT_PERMISSION to config.h for all files created, default
    to 0600

-------------------------------------------------------------------
Tue Mar 16 07:43:01 UTC 2021 - Marcus Meissner

- updated to 3.11c
  - afl-fuzz:
    - better auto detection of map size
    - fix sanitizer settings (bug since 3.10c)
    - fix an off-by-one overwrite in cmplog
    - add non-unicode variants from unicode-looking dictionary entries
    - Rust custom mutator API improvements
    - Imported crash stats painted yellow on resume (only new ones are red)
  - afl-cc:
    - added AFL_NOOPT that will just pass everything to the normal gcc/clang
      compiler without any changes - to pass weird configure scripts
    - fixed a crash that can occur with ASAN + CMPLOG together plus better
      support for unicode (thanks to @stbergmann for reporting!)
    - fixed a crash in LAF transform for empty strings
    - handle erroneous setups in which multiple afl-compiler-rt are
      compiled into the target. This now also supports dlopen()
      instrumented libs loaded before the forkserver and even after the
      forkserver is started (then with collisions though)
    - the compiler rt was added also in object building (-c) which should
      have been fixed years ago but somewhere got lost :(
    - Renamed CTX to CALLER, added correct/real CTX implementation to
      CLASSIC
  - qemu_mode:
    - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
    - if no new/updated checkout is wanted, build with:
      NO_CHECKOUT=1 ./build_qemu_support.sh
    - we no longer perform a "git drop"
  - afl-cmin: support filenames with spaces
- afl-3.0c-fix-paths.patch: refreshed

-------------------------------------------------------------------
Mon Mar 1 09:43:40 UTC 2021 - Marcus Meissner

- update to 3.10c
  - Mac OS ARM64 support
  - Android support fixed and updated by Joey Jiaojg - thanks!
  - New selective instrumentation option with __AFL_COVERAGE_* commands to
    be placed in the source code.
    Check out instrumentation/README.instrument_list.md
  - afl-fuzz
    - Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on start
      the target map size
    - upgraded cmplog/redqueen: solving for floating point, solving
      transformations (e.g. toupper, tolower, to/from hex, xor,
      arithmetics, etc.). This is costly hence new command line option
      `-l` that sets the intensity (values 1 to 3). Recommended is 2.
    - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial seeds from
      `-i` or resumes (these have most likely already been done)
    - fix crash for very, very fast targets+systems (thanks to mhlakhani
      for reporting)
    - on restarts (`-i`)/autoresume (AFL_AUTORESUME) the stats are now
      reloaded and used, thanks to Vimal Joseph for this patch!
    - changed the meaning of '+' of the '-t' option, it now means to
      auto-calculate the timeout with the value given being the max
      timeout.
      The original meaning of skipping timeouts instead of abort is now
      inherent to the -t option.
    - if deterministic mode is active (`-D`, or `-M` without `-d`) then we
      sync after every queue entry as this can take a very long time
      otherwise
    - added minimum SYNC_TIME to include/config.h (30 minutes default)
    - better detection if a target needs a large shared map
    - fix for `-Z`
    - fixed a few crashes
    - switched to an even faster RNG
    - added hghwng's patch for faster trace map analysis
    - printing suggestions for mistyped `AFL_` env variables
    - added Rust bindings for custom mutators (thanks @julihoh)
  - afl-cc
    - allow instrumenting LLVMFuzzerTestOneInput
    - fixed endless loop for allow/blocklist lines starting with a comment
      (thanks to Zherya for reporting)
    - cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
    - cmplog/redqueen can now process basic libc++ and libstdc++
      std::string comparisons (no position or length type variants)
    - added support for __afl_coverage_interesting() for LTO and our own
      PCGUARD (llvm 10.0.1+), read more about this function and selective
      coverage in instrumentation/README.instrument_list.md
    - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard
      support (less performant than our own), GCC for old afl-gcc and
      CLANG for old afl-clang
    - fixed a potential crash in the LAF feature
    - workaround for llvm bitcast lto bug
    - workaround for llvm 13
  - qemuafl
    - QASan (address sanitizer for Qemu) ported to qemuafl!
      See qemu_mode/libqasan/README.md
    - solved some persistent mode bugs (thanks Dil4rd)
    - solved an issue when dumping the memory maps (thanks wizche)
    - Android support for QASan
  - unicornafl
    - Substantial speed gains in python bindings for certain use cases
    - Improved rust bindings
    - Added a new example harness to compare python, c and rust bindings
  - afl-cmin and afl-showmap now support the -f option
  - afl_plot now also generates a graph on the discovered edges
  - changed default: no memory limit for afl-cmin and afl-cmin.bash
  - warn on any _AFL and __AFL env vars.
  - set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars
  - added dummy Makefile to instrumentation/
  - Updated utils/afl_frida to be 5% faster, 7% on x86_64
  - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b)
  - @Edznux added a nice documentation on how to use rpc.statsd with afl++
    in docs/rpc_statsd.md, thanks!

-------------------------------------------------------------------
Tue Dec 15 09:18:09 UTC 2020 - Marcus Meissner

- updated to 3.0c
  - llvm_mode/ and gcc_plugin/ moved to instrumentation/
  - examples/ renamed to utils/
  - moved libdislocator, libtokencap and qdbi_mode to utils/
  - all compilers combined to afl-cc which emulates the previous ones
  - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
  - afl-fuzz
    - not specifying -M or -S will now auto-set "-S default"
    - deterministic fuzzing is now disabled by default and can be enabled
      with -D. It is still enabled by default for -M.
    - a new seed selection was implemented that uses weighted randoms based
      on a schedule performance score, which is much better than the
      previous walk the whole queue approach. Select the old mode with -Z
      (auto enabled with -M)
    - Marcel Boehme submitted a patch that improves all AFFast schedules :)
    - the default schedule is now FAST
    - memory limits are now disabled by default, set them with -m if
      required
    - rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
    - reading testcases from -i now descends into subdirectories
    - allow the -x command line option up to 4 times
    - loaded extras now have a duplication protection
    - If test cases are too large we do a partial read on the maximum
      supported size
    - longer seeds with the same trace information will now be ignored
      for fuzzing but still be used for splicing
    - crashing seeds are now not prohibiting a run anymore but are
      skipped - they are used for splicing, though
    - update MOpt for expanded havoc modes
    - setting the env var AFL_NO_AUTODICT will not load an LTO
      autodictionary
    - added NO_SPLICING compile option and makefile define
    - added INTROSPECTION make target that writes all mutations to
      out/NAME/introspection.txt
    - print special compile time options used in help output
    - when using -c cmplog, one of the children was not killed, fixed
    - somewhere we broke -n dumb fuzzing, fixed
    - added afl_custom_describe to the custom mutator API to allow for easy
      mutation reproduction on crashing inputs
  - instrumentation
    - We received an enhanced gcc_plugin module from AdaCore, thank you
      very much!!
    - not overriding -Ox or -fno-unroll-loops anymore
    - we now have our own trace-pc-guard implementation.
      It is the same as -fsanitize-coverage=trace-pc-guard from llvm 12,
      but: it is a) inline and b) works from llvm 10.0.1 + onwards :)
    - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz -x
      dictionary of string comparisons found during compilation
    - LTO autodict now also collects interesting cmp comparisons,
      std::string compare + find + ==, bcmp
    - fix crash in dict2file for integers > 64 bit
  - custom mutators
    - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
    - added a new custom mutator: libfuzzer that integrates libfuzzer
      mutations
    - Our afl++ Grammar-Mutator is now better integrated into
      custom_mutators/
    - added INTROSPECTION support for custom modules
    - python fuzz function was not optional, fixed
    - some python mutator speed improvements
  - afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
  - unicornafl synced with upstream version 1.02 (fixes, better rust
    bindings)
  - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD
  - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as
    crash
- afl-2.63c-fix-paths.patch refreshed to afl-3.0c-fix-paths.patch

-------------------------------------------------------------------
Sat Sep 5 08:43:19 UTC 2020 - Marcus Meissner

- updated to 2.68c
  - added the GSoC excellent afl++ grammar mutator by Shengtuo to our
    custom_mutators/ (see custom_mutators/README.md) - or get it here:
    https://github.com/AFLplusplus/Grammar-Mutator
  - a few QOL changes for Apple and its outdated gmake
  - afl-fuzz:
    - fix for auto dictionary entries found during fuzzing to not throw
      out a -x dictionary
    - added total execs done to plot file
    - AFL_MAX_DET_EXTRAS env variable added to control the amount of
      deterministic dict entries without recompiling.
    - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to
      wait for the forkserver to come up without the need to increase the
      overall timeout.
    - bugfix for cmplog that results in a heap overflow based on target
      data (thanks to the magma team for reporting!)
    - write fuzzing setup into out/fuzzer_setup (environment variables
      and command line)
  - custom mutators:
    - added afl_custom_fuzz_count/fuzz_count function to allow specifying
      the number of fuzz attempts for custom_fuzz
  - llvm_mode:
    - ported SanCov to LTO, and made it the default for LTO. better
      instrumentation locations
    - Further llvm 12 support (fast moving target like afl++ :-) )
    - deprecated LLVM SKIPSINGLEBLOCK env variable

-------------------------------------------------------------------
Wed Aug 19 14:35:25 UTC 2020 - Marcus Meissner

- updated to 2.67c
  - Support for improved afl++ snapshot module:
    https://github.com/AFLplusplus/AFL-Snapshot-LKM
  - Due to the instrumentation needing more memory, the initial memory
    sizes for -m have been increased
  - afl-fuzz:
    - added -F option to allow -M main fuzzers to sync to foreign fuzzers,
      e.g. honggfuzz or libfuzzer
    - added -b option to bind to a specific CPU
    - eliminated CPU affinity race condition for -S/-M runs
    - expanded havoc mode added, on no cycle finds add extra splicing and
      MOpt into the mix
    - fixed a bug in redqueen for strings and made deterministic with -s
  - llvm_mode:
    - now supports llvm 12
    - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
      AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and
      are matched to AFL_LLVM_ALLOWLIST). The format is compatible to llvm
      sancov, and also supports function matching :)
    - added neverzero counting to trace-pc/pcguard
    - fixes for laf-intel float splitting (thanks to mark-griffin for
      reporting)
    - fixes for llvm 4.0
    - skipping ctors and ifuncs for instrumentation
    - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
      for a fixed map address (eg.
      0x10000)
    - LTO: improved stability for persistent mode, no other instrumentation
      has that advantage
    - LTO: fixed autodict for long strings
    - LTO: laf-intel and redqueen/cmplog are now applied at link time to
      prevent llvm optimizing away the splits
    - LTO: autodictionary mode is a fixed default now
    - LTO: instrim instrumentation disabled, only classic support used as
      it is always better
    - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID
      was given to which function during compilation
    - LTO: single block functions were not implemented by default, fixed
    - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inverted, fixed
    - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
      AFL_LLVM_LAF_SPLIT_COMPARES
    - support for -E and -shared compilation runs
  - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
  - added afl-frida gum solution to examples/afl_frida (mostly imported
    from https://github.com/meme/hotwax/)
  - small fixes to afl-plot, afl-whatsup and man page creation
  - new README, added FAQ

-------------------------------------------------------------------
Thu Jul 2 09:59:38 UTC 2020 - Marcus Meissner

- updated to 2.66c
  - renamed blacklist/whitelist to ignorelist/instrumentlist ->
    AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE
  - warn on deprecated environment variables
  - afl-fuzz:
    - -S secondary nodes now only sync from the main node to increase
      performance, the -M main node still syncs from everyone.
      Added checks that ensure exactly one main node is present and warn
      otherwise
    - Add -D after -S to force a secondary to perform deterministic fuzzing
    - If no main node is present at a sync one secondary node automatically
      becomes a temporary main node until a real main node shows up
    - Fixed a major performance issue we inherited from AFLfast
    - switched murmur2 hashing and random() for xxh3 and xoshiro256**,
      resulting in an up to 5.5% speed increase
    - Resizing the window does not crash afl-fuzz anymore
    - Ensure that the targets are killed on exit
    - fix/update to MOpt (thanks to arnow117)
    - added MOpt dictionary support from repo
    - added experimental SEEK power schedule. It is EXPLORE with ignoring
      the runtime and less focus on the length of the test case
  - llvm_mode:
    - the default instrumentation is now PCGUARD if the llvm version is
      >= 7, as it is faster and provides better coverage. The original afl
      instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
      automatically done when the instrument_file list feature is used.
    - PCGUARD mode is now even better because we made it collision free -
      plus it has a fixed map size, so it is also faster! :)
    - some targets want a ld variant for LD that is not gcc/clang but ld,
      added afl-ld-lto to solve this
    - lowered minimum required llvm version to 3.4 (except LLVMInsTrim,
      which needs 3.8.0)
    - instrument_file list feature now supports wildcards (thanks to sirmc)
    - small change to cmplog to make it work with current llvm 11-dev
    - added AFL_LLVM_LAF_ALL, sets all laf-intel settings
    - LTO instrument_files functionality rewritten, now main, _init etc
      functions need not to be listed anymore
    - fixed crash in compare-transform-pass when strcasecmp/strncasecmp
      was tried to be instrumented with LTO
    - fixed crash in cmplog with LTO
    - enable snapshot lkm also for persistent mode
  - Unicornafl
    - Added powerPC support from unicorn/next
    - rust bindings!
  - CMPLOG/Redqueen now also works for MMAP sharedmem
  - ensure shmem is released on errors
  - we moved radamsa to be a custom mutator in ./custom_mutators/. It is
    not compiled by default anymore.
  - allow running in /tmp (only unsafe with umask 0)
  - persistent mode shared memory testcase handover (instead of via
    files/stdin) - 10-100% performance increase
  - General support for 64 bit PowerPC, RiscV, Sparc etc.
  - fix afl-cmin.bash
  - slightly better performance compilation options for afl++ and targets
  - fixed afl-gcc/afl-as that could break on fast systems reusing pids in
    the same second
  - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
  - added former post_library examples to examples/custom_mutators/
  - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
    gcc 10 so afl-clang-lto can be built

-------------------------------------------------------------------
Fri May 15 09:24:47 UTC 2020 - Marcus Meissner

- updated to 2.65c
  - afl-fuzz:
    - AFL_MAP_SIZE was not working correctly
    - better python detection
    - an old, old bug in afl that would show negative stability in rare
      circumstances is now hopefully fixed
    - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
      instead (see docs/custom_mutators.md)
  - llvm_mode:
    - afl-clang-fast/lto now do not skip single block functions. This
      behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
    - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
      address for the shared memory map is used as this increases the
      fuzzing speed
    - InsTrim now has an LTO version! :-) That is the best and fastest
      mode!
    - fixes to LTO mode if instrumented edges > MAP_SIZE
    - CTX and NGRAM can now be used together
    - CTX and NGRAM are now also supported in CFG/INSTRIM mode
    - AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
    - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage
      counter implementation. For targets with few or no loops or heavily
      called functions.
Gives a small performance boost. - qemu_mode: - add information on PIE/PIC load addresses for 32 bit - better dependency checks - gcc_plugin: - better dependency checks - unicorn_mode: - validate_crash_callback can now count non-crashing inputs as crash as well - better submodule handling - afl-showmap: fix for -Q mode - added examples/afl_network_proxy which allows to fuzz a target over the network (not fuzzing tcp/ip services but running afl-fuzz on one system and the target being on an embedded device) - added examples/afl_untracer which does a binary-only fuzzing with the modifications done in memory (intel32/64 and aarch64 support) - added examples/afl_proxy which can be easily used to fuzz and instrument non-standard things - all: - forkserver communication now also used for error reporting - fix 32 bit build options - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory intact if in a git/svn checkout - unless "deepclean" is used ------------------------------------------------------------------- Sat Apr 18 07:05:42 UTC 2020 - Marcus Meissner - updated to 2.64c - llvm_mode LTO mode: - now requires llvm11 - but compiles all targets! :) - autodictionary feature added, enable with `AFL_LLVM_LTO_AUTODICTIONARY` - variable map size usage - afl-fuzz: - variable map size support added (only LTO mode can use this) - snapshot feature usage now visible in UI - Now setting `-L -1` will enable MOpt in parallel to normal mutation. Additionally, this allows to run dictionaries, radamsa and cmplog. 
- fix for cmplog/redqueen mode if stdin was used - fix for writing a better plot_data file - qemu_mode: fix for persistent mode (which would not terminate or get stuck) - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also static global and local variable comparisons (cannot find all though) - extended forkserver: map_size and more information is communicated to afl-fuzz (and afl-fuzz acts accordingly) - new environment variable: AFL_MAP_SIZE to specify the size of the shared map - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed (this bug is in vanilla afl too) - added NO_PYTHON flag to disable python support when building afl-fuzz - more refactoring ------------------------------------------------------------------- Sun Apr 12 11:04:35 UTC 2020 - Marcus Meissner - updated to 2.63c - all: - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn multiple fuzzing threads in the future or even become a library - afl basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output - force all output to stdout (some OK/SAY/WARN messages were sent to stdout, some to stderr) - uninstrumented mode uses an internal forkserver ("fauxserver") - now builds with `-D_FORTIFY_SOURCE=2` - drastically reduced number of (de)allocations during fuzzing - afl-fuzz: - python mutator modules and custom mutator modules now use the same interface and hence the API changed - AFL_AUTORESUME will resume execution without the need to specify `-i -` - added experimental power schedules (-p): - mmopt: ignores runtime of queue entries, gives higher weighting to the last 5 queue entries - rare: puts focus on queue entries that hits rare branches, also ignores runtime - llvm_mode: - added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM) - added Control Flow Integrity sanitizer (AFL_USE_CFISAN) - added AFL_LLVM_INSTRUMENT option to control the instrumentation type 
easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16) - made USE_TRACE_PC compile obsolete - LTO collision free instrumented added in llvm_mode with afl-clang-lto - note that this mode is amazing, but quite some targets won't compile - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting AFL_LLVM_INSTRUMENT=NGRAM- or AFL_LLVM_NGRAM_SIZE= - Added llvm_mode context sensitive branch coverage, activated by setting AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1 - llvm_mode InsTrim mode: - removed workaround for bug where paths were not instrumented and imported fix by author - made skipping 1 block functions an option and is disabled by default, set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this - qemu_mode: - qemu_mode now uses solely the internal capstone version to fix builds on modern Linux distributions - QEMU now logs routine arguments for CmpLog when the target is x86 - afl-tmin: - now supports hang mode `-H` to minimize hangs - fixed potential afl-tmin missbehavior for targets with multiple hangs - Pressing Control-c in afl-cmin did not terminate it for some OS - the custom API was rewritten and is now the same for Python and shared libraries. - afl-1.58b-fix-paths.patch moved to - afl-2.63c-fix-paths.patch: adjust Makefile -> GNUmakefile ------------------------------------------------------------------- Fri Feb 28 14:09:26 UTC 2020 - Marcus Meissner - updated to 2.62c - Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE! 
- Small fix for -E/-V to release the CPU - CmpLog does not need sancov anymore ------------------------------------------------------------------- Tue Feb 25 12:04:22 UTC 2020 - Marcus Meissner - updated to 2.61c - use -march=native if available - most tools now check for mistyped environment variables - gcc 10 is now supported - the memory safety checks are now disabled for a little more speed during fuzzing (only affects creating queue entries), can be toggled in config.h - afl-fuzz: - MOpt out of bounds writing crash fixed - now prints the real python version support compiled in - set stronger performance compile options and little tweaks - Android: prefer bigcores when selecting a CPU - CmpLog forkserver - Redqueen input-2-state mutator (cmp instructions only ATM) - all Python 2+3 versions supported now - changed execs_per_sec in fuzzer_stats from "current" execs per second (which is pointless) to total execs per second - bugfix for dictionary insert stage count (fix via Google repo PR) - added warning if -M is used together with custom mutators with _ONLY option - AFL_TMPDIR checks are now later and better explained if they fail - llvm_mode - InsTrim: three bug fixes: 1. (minor) no pointless instrumentation of 1 block functions 2. (medium) path bug that leads a few blocks not instrumented that should be 3. (major) incorrect prev_loc was written, fixed! - afl-clang-fast: - show in the help output for which llvm version it was compiled for - now does not need to be recompiled between trace-pc and pass instrumentation. 
compile normally and set AFL_LLVM_USE_TRACE_PC :) - LLVM 11 is supported - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) - afl-gcc, afl-clang-fast, afl-gcc-fast: - experimental support for undefined behaviour sanitizer UBSAN (set AFL_USE_UBSAN=1) - the instrumentation summary output now also lists activated sanitizers - afl-as: added isatty(2) check back in - added AFL_DEBUG (for upcoming merge) - qemu_mode: - persistent mode is now also available for arm and aarch64 - CmpLog instrumentation for QEMU (-c afl-fuzz command line option) for x86, x86_64, arm and aarch64 - AFL_PERSISTENT_HOOK callback module for persistent QEMU (see examples/qemu_persistent_hook) - added qemu_mode/README.persistent.md documentation - AFL_ENTRYPOINT noew has instruction granularity - afl-cmin is now a sh script (invoking awk) instead of bash for portability the original script is still present as afl-cmin.bash - afl-showmap: -i dir option now allows processing multiple inputs using the forkserver. This is for enhanced speed in afl-cmin. 
- added blacklist and whitelisting function check in all modules of llvm_mode - added fix from Debian project to compile libdislocator and libtokencap - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t ------------------------------------------------------------------- Sun Feb 9 16:12:14 UTC 2020 - Marcus Meissner - added radamsa mutator ------------------------------------------------------------------- Thu Jan 2 08:31:09 UTC 2020 - Marcus Meissner - updated to 2.60c - fixed a critical bug in afl-tmin that was introduced during ++2.53d - added test cases for afl-cmin and afl-tmin to test/test.sh - added ./experimental/argv_fuzzing ld_preload library by Kjell Braden - added preeny's desock_dup ld_preload library as ./experimental/socket_fuzzing for network fuzzing - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is for the retrorewrite project - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used ------------------------------------------------------------------- Fri Dec 27 16:01:06 UTC 2019 - Marcus Meissner - updated to 2.59c - qbdi_mode: fuzz android native libraries via QBDI framework - unicorn_mode: switched to the new unicornafl, thanks domenukk (see https://github.com/vanhauser-thc/unicorn) - afl-fuzz: - added radamsa as (an optional) mutator stage (-R[R]) - added -u command line option to not unlink the fuzz input file - Python3 support (autodetect) - AFL_DISABLE_TRIM env var to disable the trim stage - CPU affinity support for DragonFly - llvm_mode: - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS - support for llvm 10 included now (thanks to devnexen) - libtokencap: - support for *BSD/OSX/Dragonfly added - hook common *cmp functions from widely used libraries - compcov: - hook common *cmp functions from widely used libraries - floating point splitting support for QEMU on x86 targets - qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching - afl-analyze: 
added AFL_SKIP_BIN_CHECK support - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen) - Dockerfile by courtesy of devnexen - added regex.dictionary - qemu and unicorn download scripts now try to download until the full download succeeded. f*ckin travis fails downloading 40% of the time! - more support for Android (please test!) - added the few Android stuff we didnt have already from Google afl repository - removed unnecessary warnings ------------------------------------------------------------------- Sat Nov 9 16:05:04 UTC 2019 - Marcus Meissner - updated to 2.58c - reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10% - added test/test-performance.sh script - (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistance feature! by hexcoder- - gcc_plugin tests added to testing framework - jump to 2.57 instead of 2.55 to catch up with Google's versioning - persistent mode for QEMU (see qemu_mode/README.md) - custom mutator library is now an additional mutator, to exclusivly use it - add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour) - new library qemu_mode/unsigaction which filters sigaction events - afl-fuzz: new command line option -I to execute a command on a new crash - no more unlinking the input file, this way the input file can also be a - FIFO or disk partition - setting LLVM_CONFIG for llvm_mode will now again switch to the selected - llvm version. If your setup is correct. - fuzzing strategy yields for custom mutator were missing from the UI, added them :) - added "make tests" which will perform checks to see that all functionality - is working as expected. 
this is currently the starting point, its not complete :) - added mutation documentation feature ("make document"), creates afl-fuzz-document - and saves all mutations of the first run on the first file into out/queue/mutations - libtokencap and libdislocator now compile to the afl_root directory and are - installed to the .../lib/afl directory when present during make install - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen) - reducing duplicate code in afl-fuzz - added "make help" - removed compile warnings from python internal stuff - added man page for afl-clang-fast[++] - updated documentation - Wine mode to run Win32 binaries with the QEMU instrumentation (-W) - CompareCoverage for ARM target in QEMU/Unicorn - 2.54c: - big code refactoring: - all includes are now in include/ - all afl sources are now in src/ - see src/README.src - afl-fuzz was splitted up in various individual files for including - functionality in other programs (e.g. forkserver, memory map, etc.) - for better readability. - new code indention everywhere - auto-generating man pages for all (main) tools - added AFL_FORCE_UI to show the UI even if the terminal is not detected - llvm 9 is now supported (still needs testing) - Android is now supported (thank to JoeyJiao!) - still need to modify the Makefile though - fix building qemu on some Ubuntus (thanks to floyd!) - custom mutator by a loaded library is now supported (thanks to kyakdan!) - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report - more support for *BSD (thanks to devnexen!) 
- fix building on *BSD (thanks to tobias.kortkamp for the patch) - fix for a few features to support different map sized than 2^16 - afl-showmap: new option -r now shows the real values in the buckets (stock - afl never did), plus shows tuple content summary information now - small docu updates - NeverZero counters for QEMU - NeverZero counters for Unicorn - CompareCoverage Unicorn - immediates-only instrumentation for CompareCoverage - 2.53c release - imported the few minor changes from the 2.53b release - unicorn_mode got added - thanks to domenukk for the patch! - fix llvm_mode AFL_TRACE_PC with modern llvm - fix a crash in qemu_mode which also exists in stock afl - added libcompcov, a laf-intel implementation for qemu! :) see qemu_mode/libcompcov/README.libcompcov - updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels - all queue, hang and crash files now have their discovery time in their name - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc - added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim) - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt - added code to make it more portable to other platforms than Intel Linux - added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1) - added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt - more cpu power for afl-system-config - added forkserver patch to afl-tmin, makes it much faster (originally from github.com/nccgroup/TriforceAFL) - added whitelist support for llvm_mode via AFL_LLVM_WHITELIST to allow only to instrument what is actually interesting. Gives more speed and less map pollution (originally by choller@mozilla) - added Python Module mutator support, python2.7-dev is autodetected. 
see docs/python_mutators.txt (originally by choller@mozilla) - added AFL_CAL_FAST for slow applications and AFL_DEBUG_CHILD_OUTPUT for debugging - added -V time and -E execs option to better comparison runs, runs afl-fuzz for a specific time/executions. - added a -s seed switch to allow afl run with a fixed initial seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then ------------------------------------------------------------------- Thu Oct 17 12:58:02 UTC 2019 - Richard Brown - Remove obsolete Groups tag (fate#326485) ------------------------------------------------------------------- Sun Jun 23 17:44:06 UTC 2019 - Marcus Meissner - updated to afl++ 2.52c version, community fork. It integrates various community patches. - community patches to make llvm_mode and qemu_mode faster, plus new features and bugfixes - qemu upgraded to 3.1 - aflfast powerschedules added - llvm_mode now supports llvm up to version 8 ------------------------------------------------------------------- Thu Aug 30 15:03:49 UTC 2018 - Guillaume GARDET - Fix build on non X86* platforms ------------------------------------------------------------------- Sun Nov 5 07:57:53 UTC 2017 - mardnh@gmx.de - Update to version 2.52b: * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting several weird issues. * Added setsid to afl-showmap. See the notes for 2.51b. * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats. * afl-tmin should now save a partially minimized file when Ctrl-C is pressed. * Added an option for afl-analyze to dump offsets in hex. * Added support for parameters in triage_crashes.sh. 
-------------------------------------------------------------------
Sun Sep 3 12:08:41 UTC 2017 - astieger@suse.com

- afl 2.51b:
  * Make afl-tmin call setsid to prevent glibc traceback junk from showing
    up on the terminal
- includes changes from 2.50b:
  * Fix a timing corner case
  * Address a libtokencap / pthreads incompatibility issue
  * Add AFL_FAST_CAL.
  * In-place resume now preserves .synced

-------------------------------------------------------------------
Sat Jul 29 23:04:43 UTC 2017 - meissner@suse.com

- include docs/README

-------------------------------------------------------------------
Wed Jul 26 06:47:03 UTC 2017 - meissner@suse.com

- Version 2.49b
  - Added AFL_TMIN_EXACT to allow path constraint for crash minimization.
  - Added dates for releases (retroactively for all of 2017).
- Version 2.48b
  - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
  - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
  - Made it possible to point -o and -f to the same file in afl-tmin.
- Version 2.47b
  - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk.
- Version 2.46b
  - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
    want to abort on calloc() overflows.
  - Made a minor fix to libtokencap. Reported by Daniel Stender.
  - Added a small JSON dictionary, inspired on a dictionary done by Jakub
    Wilk.

-------------------------------------------------------------------
Fri Jul 7 14:59:31 UTC 2017 - meissner@suse.com

- update to 2.45b:
  - Added strstr, strcasestr support to libtokencap. Contributed by Daniel
    Hodson.
  - Fixed a resumption offset glitch spotted by Jakub Wilk.
  - There are definitely no bugs in afl-showmap -c now.
-------------------------------------------------------------------
Mon Jul 3 08:08:58 UTC 2017 - astieger@suse.com

- update to 2.44b:
  * Add visual indicator of ASAN / MSAN mode when compiling
  * Add support for afl-showmap coredumps (-c)
  * Add LD_BIND_NOW=1 for afl-showmap by default
  * Added AFL_NO_ARITH to aid in the fuzzing of text-based formats
  * Renamed the R() macro to avoid a problem with llvm_mode in the latest
    versions of LLVM

-------------------------------------------------------------------
Wed Apr 12 06:25:50 UTC 2017 - meissner@suse.com

- update to 2.41b:
  - Addressed a major user complaint related to timeout detection. Timing
    out inputs are now binned as "hangs" only if they exceed a far more
    generous time limit than the one used to reject slow paths.
- update to 2.40b:
  - Fixed a minor oversight in the insertion strategy for dictionary words.
    Spotted by Andrzej Jackowski.
  - Made a small improvement to the havoc block insertion strategy.
  - Adjusted color rules for "is it done yet?" indicators.

-------------------------------------------------------------------
Wed Mar 8 20:52:05 UTC 2017 - sfalken@opensuse.org

- Changed %doc line, to clear buildfailure in openSUSE:Factory due to
  unpackaged files

-------------------------------------------------------------------
Fri Feb 10 12:09:01 UTC 2017 - meissner@suse.com

- update to 2.39b:
  - Improved error reporting in afl-cmin. Suggested by floyd.
  - Made a minor tweak to trace-pc-guard support. Suggested by kcc.
  - Added a mention of afl-monitor.

-------------------------------------------------------------------
Mon Jan 30 14:21:37 UTC 2017 - astieger@suse.com

- update to 2.38b:
  * Added -mllvm -sanitizer-coverage-block-threshold=0 to trace-pc-guard
    mode
  * Fixed a cosmetic bad free() bug when aborting -S sessions
  * Made a small change to afl-whatsup to sort fuzzers by name.
  * Fixed a minor issue with malloc(0) in libdislocator
  * Changed the clobber pattern in libdislocator to a slightly more
    reliable one
  * Added a note about THP performance
  * Added a somewhat unofficial support for running afl-tmin with a
    baseline "mask" that causes it to minimize only for edges that are
    unique to the input file, but not to the "boring" baseline.
  * "Fixed" a getPassName() problem with newer versions of clang.

-------------------------------------------------------------------
Wed Oct 19 20:05:42 UTC 2016 - mpluskal@suse.com

- Update to version 2.35b:
  * Fixed a minor cmdline reporting glitch, spotted by Leo Barnes.
  * Fixed a silly bug in libdislocator. Spotted by Johannes Schultz.
- Changes for version 2.34b:
  * Added a note about afl-tmin to technical_details.txt.
  * Added support for AFL_NO_UI, as suggested by Leo Barnes.
- Changes for version 2.33b:
  * Added code to strip -Wl,-z,defs and -Wl,--no-undefined for
    afl-clang-fast, since they interfere with -shared. Spotted and
    diagnosed by Toby Hutton.
  * Added some fuzzing tips for Android.

-------------------------------------------------------------------
Thu Aug 25 12:45:55 UTC 2016 - meissner@suse.com

- Version 2.32b:
  - Added a check for AFL_HARDEN combined with AFL_USE_*SAN. Suggested by
    Hanno Boeck.
  - Made several other cosmetic adjustments to cycle timing in the wake of
    the big tweak made in 2.31b.
- Version 2.31b:
  - Changed havoc cycle counts for a marked performance boost, especially
    with -S / -d. See the discussion of FidgetyAFL in:
    https://groups.google.com/forum/#!topic/afl-users/fOPeb62FZUg
    While this does not implement the approach proposed by the authors of
    the CCS paper, the solution is a result of digging into that research;
    more improvements may follow as I do more experiments and get more
    definitive data.
- Version 2.30b:
  - Made minor improvements to persistent mode to avoid the remote
    possibility of "no instrumentation detected" issues with very low
    instrumentation densities.
  - Fixed a minor glitch with a leftover process in persistent mode.
    Reported by Jakub Wilk and Daniel Stender.
  - Made persistent mode bitmaps a bit more consistent and adjusted the way
    this is shown in the UI, especially in persistent mode.
- Version 2.29b:
  - Made a minor #include fix to llvm_mode. Suggested by Jonathan Metzman.
  - Made cosmetic updates to the docs.
- Version 2.28b:
  - Added "life pro tips" to docs/.
  - Moved testcases/_extras/ to dictionaries/ for visibility.
  - Made minor improvements to install scripts.
  - Added an important safety tip.
- Version 2.27b:
  - Added libtokencap, a simple feature to intercept strcmp / memcmp and
    generate dictionary entries that can help extend coverage.
  - Moved libdislocator to its own dir, added README.
  - The demo in experimental/instrumented_cmp is no more.
- Version 2.26b:
  - Made a fix for libdislocator.so to compile on MacOS X.
  - Added support for DYLD_INSERT_LIBRARIES.
  - Renamed AFL_LD_PRELOAD to AFL_PRELOAD.
- Version 2.25b:
  - Made some cosmetic updates to libdislocator.so, renamed one env
    variable.
- Version 2.24b:
  - Added libdislocator.so, an experimental, abusive allocator. Try it out
    with AFL_LD_PRELOAD=/path/to/libdislocator.so when running afl-fuzz.
- Version 2.23b:
  - Improved the stability metric for persistent mode binaries. Problem
    spotted by Kurt Roeckx.
  - Made a related improvement that may bring the metric to 100% for those
    targets.
- Version 2.22b:
  - Mentioned the potential conflicts between MSAN / ASAN and
    FORTIFY_SOURCE. There is no automated check for this, since some
    distros may implicitly set FORTIFY_SOURCE outside of the compiler's
    argv[].
  - Populated the support for AFL_LD_PRELOAD to all companion tools.
  - Made a change to the handling of ./afl-clang-fast -v. Spotted by Jan
    Kneschke.
-------------------------------------------------------------------
Sat Jul 23 19:10:30 UTC 2016 - astieger@suse.com

- afl 2.21b:
  * Minor UI fixes
- includes changes from 2.20b:
  * Revamp handling of variable paths
  * Stability improvements
  * Include current input bitmap density in UI
  * Add experimental support for parallelizing -M.
- includes changes from 2.19b:
  * Ensure auto CPU binding happens at non-overlapping times
- includes changes from 2.18b
  * Performance improvements

-------------------------------------------------------------------
Tue Jun 28 06:26:03 UTC 2016 - astieger@suse.com

- afl 2.17b:
  * Remove error-prone and manual -Z option
  * automatically bind to the first free core

-------------------------------------------------------------------
Wed Jun 15 18:26:54 UTC 2016 - astieger@suse.com

- afl 2.14b:
  - Added FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION as a macro defined when
    compiling with afl-gcc and friends
  - Refreshed some of the non-x86 docs.

-------------------------------------------------------------------
Tue May 31 11:18:02 UTC 2016 - astieger@suse.com

- afl 2.13b:
  * Fixed a spurious build test error with trace-pc and llvm_mode/Makefile.
  * Fixed a cosmetic issue with afl-whatsup
- includes changes from 2.12b
  * Fixed a minor issue in afl-tmin that can make alphabet minimization
    less efficient during passes > 1

-------------------------------------------------------------------
Mon May 2 11:02:02 UTC 2016 - astieger@suse.com

- afl 2.11b:
  - Fixed a minor typo in instrumented_cmp
  - Added a missing size check for deterministic insertion steps.
  - Made an improvement to afl-gotcpu when -Z not used.
  - Fixed a typo in post_library_png.so.c in experimental/

-------------------------------------------------------------------
Sat Apr 16 15:12:46 UTC 2016 - astieger@suse.com

- afl 2.10b:
  * Fix a minor core counting glitch

-------------------------------------------------------------------
Mon Mar 28 19:11:03 UTC 2016 - mpluskal@suse.com

- Update to 2.09b
  * Made several documentation updates.
  * Added some visual indicators to promote and simplify the use of -Z.
- Changes for 2.08b
  * Added explicit support for -m32 and -m64 for llvm_mode. Inspired by a
    request from Christian Holler.
  * Added a new benchmarking option, as requested by Kostya Serebryany.
- Changes for 2.07b
  * Added CPU affinity option (-Z) on Linux. With some caution, this can
    offer a significant (10%+) performance bump and reduce jitter.
    Proposed by Austin Seipp.
  * Updated afl-gotcpu to use CPU affinity where supported.
  * Fixed confusing CPU_TARGET error messages with QEMU build. Spotted by
    Daniel Komaromy and others.
- Changes for 2.06b
  * Worked around LLVM persistent mode hiccups with -shared code.
    Contributed by Christian Holler.
  * Added __AFL_COMPILER as a convenient way to detect that something is
    built under afl-gcc / afl-clang / afl-clang-fast and enable custom
    optimizations in your code. Suggested by Pedro Corte-Real.
  * Upstreamed several minor changes developed by Franjo Ivancic to allow
    AFL to be built as a library. This is fairly use-specific and may have
    relatively little appeal to general audiences.

-------------------------------------------------------------------
Sun Feb 28 13:59:04 UTC 2016 - astieger@suse.com

- afl 2.05b:
  * Put __sanitizer_cov_module_init & co behind #ifdef to avoid problems
    with ASAN.
-------------------------------------------------------------------
Wed Feb 24 21:52:33 UTC 2016 - astieger@suse.com

- afl 2.04b:
  * remove indirect-calls coverage from -fsanitize-coverage
  * LLVM: Added experimental -fsanitize-coverage=trace-pc support
  * LLVM: better support non-standard map sizes
  * LLVM: use thread-local execution tracing
  * Force-disabled symbolization for ASAN
  * Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets without
    affecting AFL itself
  * Fixed a "lcamtuf can't count to 16" bug in the havoc stage.

-------------------------------------------------------------------
Tue Feb 16 15:37:01 UTC 2016 - astieger@suse.com

- afl 2.01b:
  - updates to color handling
  - Fixed an installation issue with afl-as

-------------------------------------------------------------------
Thu Feb 11 12:21:39 UTC 2016 - astieger@suse.com

- afl 1.99b:
  - Revamp the output and the internal logic of afl-analyze.
  - Clean up color handling code - added support for background colors.

-------------------------------------------------------------------
Wed Feb 10 20:25:47 UTC 2016 - astieger@suse.com

- afl 1.98b:
  - new tool afl-analyze

-------------------------------------------------------------------
Sat Dec 19 15:45:22 UTC 2015 - mpluskal@suse.com

- Update to 1.96b
  * Added -fpic to CFLAGS for the clang plugin, as suggested by Hanno Boeck.
  * Made another clang change (IRBuilder) suggested by Jeff Trull.
  * Fixed several typos, spotted by Jakub Wilk.
  * Added support for AFL_SHUFFLE_QUEUE, based on discussions with
    Christian Holler.

-------------------------------------------------------------------
Fri Nov 13 09:06:47 UTC 2015 - astieger@suse.com

- afl 1.95b:
  * Fixed a harmless bug when handling -B
  * Made the exit message a bit more accurate when AFL_EXIT_WHEN_DONE is
    set.
  * Added some error-checking for old-style forkserver syntax.
  * Switched from exit() to _exit() in injected code to avoid snafus with
    destructors in C++ code.
  * Made a change to avoid spuriously setting __AFL_SHM_ID when
    AFL_DUMB_FORKSRV is set in conjunction with -n.

-------------------------------------------------------------------
Fri Oct 2 15:11:23 UTC 2015 - astieger@suse.com

- afl 1.94b:
  * Changed allocator alignment to improve support for non-x86 systems (now
    that llvm_mode makes this more feasible).
  * Fixed an obscure bug that would affect people trying to use afl-gcc
    with $TMP set but $TMPDIR absent.

-------------------------------------------------------------------
Mon Sep 7 13:22:07 UTC 2015 - astieger@suse.com

- afl 1.92b:
  * C++ fix (namespaces)

-------------------------------------------------------------------
Thu Sep 3 14:32:09 UTC 2015 - astieger@suse.com

- afl 1.91b:
  * C++ instrumentation fixes
- includes changes from 1.90b:
  * documentation updates
  * Fixed a potential problem with deferred mode signatures getting
    optimized out by the linker (with --gc-sections).

-------------------------------------------------------------------
Wed Sep 2 07:57:31 UTC 2015 - astieger@suse.com

- afl 1.89b:
  * Revamped the support for persistent and deferred forkserver modes. Both
    now feature simpler syntax and do not require companion env variables.
  * Added a bit more info about afl-showmap.

-------------------------------------------------------------------
Sun Aug 30 23:40:19 UTC 2015 - astieger@suse.com

- afl 1.88b:
  * Make AFL_EXIT_WHEN_DONE work in non-tty mode.
-------------------------------------------------------------------
Thu Aug 27 14:32:46 UTC 2015 - astieger@suse.com

- afl 1.87b:
  * Add QuickStartGuide.txt and other documentation updates

-------------------------------------------------------------------
Mon Aug 10 19:49:56 UTC 2015 - astieger@suse.com

- afl 1.86b:
  * Added support for AFL_SKIP_CRASHES
  * Removed the hard-fail terminal size check

-------------------------------------------------------------------
Wed Aug 5 13:46:26 UTC 2015 - mpluskal@suse.com

- Update to 1.85b
  * Fixed a garbled sentence in notes on parallel fuzzing.
  * Fixed a minor glitch in afl-cmin.
- Changes for 1.84b
  * Made SIMPLE_FILES behave as expected when naming backup directories for
    crashes and hangs.
  * Added the total number of favored paths to fuzzer_stats.
  * Made afl-tmin, afl-fuzz, and afl-cmin reject negative values passed to
    -t and -m, since they generally won't work as expected.
  * Made a fix for no lahf / sahf support on older versions of FreeBSD.

-------------------------------------------------------------------
Mon Jun 15 09:07:34 UTC 2015 - astieger@suse.com

- afl 1.83b:
  * fixes for platforms other than GNU/Linux

-------------------------------------------------------------------
Sat Jun 13 10:41:30 UTC 2015 - astieger@suse.com

- afl 1.82b:
  * Fixed a harmless but annoying race condition in persistent mode
  * Updated persistent mode documentation
  * Tweaked AFL_PERSISTENT to force AFL_NO_VAR_CHECK.
- afl 1.81b:
  * Added persistent mode for in-process fuzzing.
  * in-place resume code to preserve crashes/README.txt.

-------------------------------------------------------------------
Tue May 26 10:59:53 UTC 2015 - astieger@suse.com

- afl 1.80b:
  - Made afl-cmin tolerant of whitespaces in filenames
  - Added support for AFL_EXIT_WHEN_DONE

-------------------------------------------------------------------
Mon May 25 07:43:23 UTC 2015 - astieger@suse.com

- afl 1.79b:
  - Added support for dictionary levels, see testcases/README.testcases.
  - Reworked the SQL dictionary to use levels.
  - Added a note about Preeny.

-------------------------------------------------------------------
Tue May 19 07:26:27 UTC 2015 - astieger@suse.com

- builds for i586 x86_64 only

-------------------------------------------------------------------
Mon May 18 17:12:36 UTC 2015 - astieger@suse.com

- afl 1.78b:
  - Added a dictionary for PDF
  - Added several references to afl-cov

-------------------------------------------------------------------
Fri May 8 13:05:09 UTC 2015 - astieger@suse.com

- afl 1.77b:
  * additional fuzzing functionality
  * reduce number of duplicates
  * documentation updates
  * qemu_mode with qemu 2.3.0

-------------------------------------------------------------------
Mon Apr 27 08:45:05 UTC 2015 - astieger@suse.com

- afl 1.73b:
  - Fixed a bug in effector maps that could sometimes cause more fuzzing
    than necessary, or SEGV
- includes changes from 1.72b:
  - Fixed a glitch in non-x86 install
  - Added a minor safeguard to llvm_mode Makefile

-------------------------------------------------------------------
Mon Apr 20 17:20:09 UTC 2015 - astieger@suse.com

- afl 1.71b:
  - Fix bug with installed copies of AFL trying to use QEMU mode.
  - Add last path / crash / hang times to fuzzer_stats
- with changes from 1.70b:
  - Modify resumption code to reuse the original timeout value when
    resuming a session if -t is not given. This prevents timeout creep in
    continuous fuzzing.
  - Add improved error messages for failed handshake when AFL_DEFER_FORKSRV
    is set.
  - slight improvement to llvm_mode/Makefile
  - Refresh several bits of documentation.

-------------------------------------------------------------------
Thu Apr 16 07:19:18 UTC 2015 - astieger@suse.com

- afl 1.69b:
  - Added support for deferred initialization in LLVM mode.
- afl 1.68b:
  - Fixed a minor PRNG glitch that would make the first seconds of a
    fuzzing job deterministic.
  - Made tmp[] static in the LLVM runtime to keep Valgrind happy
  - Clarified the footnote in README.
------------------------------------------------------------------- Mon Apr 13 19:58:55 UTC 2015 - astieger@suse.com - afl 1.67b: - One more correction to llvm_mode Makefile - afl 1.66b: - Added CC / CXX support to llvm_mode Makefile - Fixed 'make clean' with gmake - Fixed 'make -j n clean all' - Removed build date and time from banners to give people deterministic builds - drop afl-1.46b-nodate.patch, thus obsoleted ------------------------------------------------------------------- Mon Apr 13 15:11:11 UTC 2015 - astieger@suse.com - afl 1.65b: - Fixed a snafu with some leftover code in afl-clang-fast. - Corrected even moar typos. ------------------------------------------------------------------- Sun Apr 12 09:41:38 UTC 2015 - astieger@suse.com - afl 1.64b: - improve compatibility with non-ELF platforms. - Fixed a problem with afl-clang-fast and -shared libraries. - Removed unnecessary instrumentation density adjustment for LLVM - includes changes from 1.63b: - Updated cgroups_asan/ - Fixed typos ------------------------------------------------------------------- Sat Apr 11 07:15:12 UTC 2015 - astieger@suse.com - afl 1.62b: - Improved the handling of -x in afl-clang-fast, - Improved the handling of low AFL_INST_RATIO settings for QEMU and LLVM modes. - Fixed the llvm-config bug for good - includes changes from 1.61b: - Fixed an obscure bug compiling OpenSSL with afl-clang-fast. - Fixed a 'make install' bug on non-x86 systems - Fixed a problem with half-broken llvm-config ------------------------------------------------------------------- Thu Apr 9 13:12:37 UTC 2015 - astieger@suse.com - afl 1.60b: * Allowed experimental/llvm_instrumentation/ to graduate to llvm_mode/. * Removed experimental/arm_support/, since it's completely broken and likely unnecessary with LLVM support in place. * Added ASAN cgroups script to experimental/asan_cgroups/, updated existing docs. Courtesy Sam Hakim and David A. Wheeler. 
* Refactored afl-tmin to reduce the number of execs in common use cases. Ideas from Jonathan Neuschafer and Turo Lamminen. * Added a note about CLAs at the bottom of README. * Renamed testcases_readme.txt to README.testcases for some semblance of consistency. * Made assorted updates to docs. - includes changes from 1.59b * Imported Laszlo Szekeres' experimental LLVM instrumentation into experimental/llvm_instrumentation. I'll work on including it in the "mainstream" version soon. - updates afl-1.46b-nodate.patch ------------------------------------------------------------------- Fri Mar 27 20:26:35 UTC 2015 - astieger@suse.com - fix SLE 11 SP3 build, add afl-1.58b-fix-paths.patch ------------------------------------------------------------------- Fri Mar 27 14:40:09 UTC 2015 - astieger@suse.com - afl 1.58b: * Added a workaround for abort() behavior in -lpthread programs in QEMU mode. * Made several documentation updates, including links to the static instrumentation tool (sister_projects.txt). - use libexecdir ------------------------------------------------------------------- Tue Mar 24 15:58:08 UTC 2015 - meissner@suse.com - updated to 1.57b ------------------------------------------------------------------- Mon Feb 16 12:53:36 UTC 2015 - astieger@suse.com - initial package