Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2015-03-30 19:33:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Changes: -------- --- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-03-25 21:32:49.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-03-30 19:33:18.000000000 +0200 @@ -1,0 +2,15 @@ +Fri Mar 27 20:26:35 UTC 2015 - astie...@suse.com + +- fix SLE 11 SP3 build, add afl-1.58b-fix-paths.patch + +------------------------------------------------------------------- +Fri Mar 27 14:40:09 UTC 2015 - astie...@suse.com + +- afl 1.58b: + * Added a workaround for abort() behavior in -lpthread programs in + QEMU mode. + * Made several documentation updates, including links to the + static instrumentation tool (sister_projects.txt). +- use libexecdir + +------------------------------------------------------------------- Old: ---- afl-1.57b.tgz New: ---- afl-1.58b-fix-paths.patch afl-1.58b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++ --- /var/tmp/diff_new_pack.VS4I7U/_old 2015-03-30 19:33:18.000000000 +0200 +++ /var/tmp/diff_new_pack.VS4I7U/_new 2015-03-30 19:33:18.000000000 +0200 @@ -17,7 +17,7 @@ Name: afl -Version: 1.57b +Version: 1.58b Release: 0 Summary: American fuzzy lop is a security-oriented fuzzer License: Apache-2.0 @@ -26,6 +26,7 @@ Source: http://lcamtuf.coredump.cx/afl/releases/%{name}-%{version}.tgz Source1: afl-rpmlintrc Patch0: afl-1.46b-nodate.patch +Patch1: afl-1.58b-fix-paths.patch BuildRequires: gcc-c++ BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -37,24 +38,24 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %build export CFLAGS="$CFLAGS %{optflags}" -make %{?_smp_mflags} +make PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} %{?_smp_mflags} %install -export PREFIX=%{_prefix} -make DESTDIR=%{buildroot} install %{?_smp_mflags} -rm -rf %{buildroot}%{_datadir}/doc/%{name} +make PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} DESTDIR=%{buildroot} install %{?_smp_mflags} %files %defattr(-,root,root) +%doc docs/COPYING %{_bindir}/%{name}-* -%dir /usr/lib/%{name} -/usr/lib/%{name}/%{name}-as -/usr/lib/%{name}/as +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/%{name}-as +%{_libexecdir}/%{name}/as %dir %{_datadir}/%{name} %dir %{_datadir}/%{name}/testcases %{_datadir}/%{name}/testcases/* -%doc docs/COPYING docs/README docs/ChangeLog docs/*.txt docs/visualization docs/vuln_samples +%changelog ++++++ afl-1.58b-fix-paths.patch ++++++ --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: afl-1.58b/Makefile =================================================================== --- afl-1.58b.orig/Makefile 2015-03-27 07:47:58.000000000 +0100 +++ afl-1.58b/Makefile 2015-03-27 21:14:10.000000000 +0100 @@ -18,8 +18,8 @@ VERSION = 1.58b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin -HELPER_PATH = $(PREFIX)/lib/afl -DOC_PATH = $(PREFIX)/share/doc/afl +HELPER_PATH = $(LIBEXEC_DIR)/afl +DOC_PATH = $(DOC_DIR)/afl MISC_PATH = $(PREFIX)/share/afl PROGS = afl-gcc afl-as afl-fuzz afl-showmap afl-tmin afl-gotcpu ++++++ afl-1.57b.tgz -> afl-1.58b.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/Makefile new/afl-1.58b/Makefile --- old/afl-1.57b/Makefile 2015-03-18 08:24:38.000000000 +0100 +++ new/afl-1.58b/Makefile 2015-03-27 07:47:58.000000000 +0100 
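Review bot: The new `%files` section keeps only `%doc docs/COPYING` while the removed `%doc docs/COPYING docs/README docs/ChangeLog docs/*.txt docs/visualization docs/vuln_samples` line was what packaged the README, ChangeLog and the txt documentation, so those files are no longer listed explicitly; at the same time `DOC_DIR=%{_docdir}` makes `make install` write the same files under `%{buildroot}%{_docdir}/afl` and the `rm -rf %{buildroot}%{_datadir}/doc/%{name}` cleanup is gone. Whether rpm's `%doc` processing keeps or discards what `make install` placed in that directory depends on the rpm version, so either list the installed documentation explicitly (e.g. `%{_docdir}/%{name}/`) or restore the previous `%doc` list; otherwise the build may trip the unpackaged-files check on one target and silently ship without its documentation on another. The `PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir}` triple is also repeated verbatim between `%build` and `%install`; a single `%global` or shell variable would keep the two invocations from drifting apart.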
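Review bot: `HELPER_PATH = $(LIBEXEC_DIR)/afl` and `DOC_PATH = $(DOC_DIR)/afl` read two variables that the Makefile never gives a default, unlike `PREFIX ?= /usr/local` a few lines above, so a plain `make` or `make install` with this patch applied expands both to `/afl`, and anything the build derives from HELPER_PATH (presumably the helper lookup path compiled into the wrappers) inherits that broken location. The spec always passes both on the command line, which hides the problem, but the patch should still be self-contained: give each a `?=` default derived from PREFIX so explicit overrides still win while an unpatched invocation keeps the upstream layout, e.g. `LIBEXEC_DIR ?= $(PREFIX)/lib` and `DOC_DIR ?= $(PREFIX)/share/doc`.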
@@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 1.57b +VERSION = 1.58b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/ChangeLog new/afl-1.58b/docs/ChangeLog --- old/afl-1.57b/docs/ChangeLog 2015-03-18 08:28:39.000000000 +0100 +++ new/afl-1.58b/docs/ChangeLog 2015-03-27 07:48:35.000000000 +0100 @@ -17,6 +17,16 @@ to get on with the times. -------------- +Version 1.58b: +-------------- + + - Added a workaround for abort() behavior in -lpthread programs in QEMU mode. + Spotted by Aidan Thornton. + + - Made several documentation updates, including links to the static + instrumentation tool (sister_projects.txt). + +-------------- Version 1.57b: -------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/README new/afl-1.58b/docs/README --- old/afl-1.57b/docs/README 2015-03-18 08:25:01.000000000 +0100 +++ new/afl-1.58b/docs/README 2015-03-27 07:42:42.000000000 +0100 @@ -417,6 +417,8 @@ Andrew Griffiths Parker Thompson Jonathan Neuschfer Tyler Nighswander Ben Nagy Samir Aguiar + Aidan Thornton Aleksandar Nikolich + Sam Hakim Thank you! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/perf_tips.txt new/afl-1.58b/docs/perf_tips.txt --- old/afl-1.57b/docs/perf_tips.txt 2015-02-21 08:34:36.000000000 +0100 +++ new/afl-1.58b/docs/perf_tips.txt 2015-03-23 03:00:43.000000000 +0100 
@@ -76,7 +76,8 @@ config file, or disabling some compile-time features that aren't really needed for the job (try ./configure --help). One of the notoriously resource-consuming things would be calling other utilities via exec*(), popen(), system(), or -equivalent calls. +equivalent calls. Some programs may intentionally call sleep(), usleep(), or +nanosleep(), etc. Last but not least, if you are using ASAN and the performance is unacceptable, consider turning it off for now, and manually examining the generated corpus diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/sister_projects.txt new/afl-1.58b/docs/sister_projects.txt --- old/afl-1.57b/docs/sister_projects.txt 2015-03-18 04:58:23.000000000 +0100 +++ new/afl-1.58b/docs/sister_projects.txt 2015-03-27 07:47:04.000000000 +0100 @@ -28,6 +28,16 @@ https://github.com/bnagy/aflfix +Static binary-only instrumentation (Aleksandar Nikolich) +-------------------------------------------------------- + + Allows black-box binaries to be instrumented statically (i.e., by modifying + the binary ahead of the time, rather than translating it on the run). Author + reports better performance compared to QEMU, but occassional translation + errors with stripped binaries. + + https://github.com/vrtadmin/moflow/tree/master/afl-dyninst + Python AFL (Jakub Wilk) ----------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-bad-ptr.sql new/afl-1.58b/docs/vuln_samples/sqlite-bad-ptr.sql --- old/afl-1.57b/docs/vuln_samples/sqlite-bad-ptr.sql 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.58b/docs/vuln_samples/sqlite-bad-ptr.sql 2015-03-20 21:37:51.000000000 +0100 
@@ -0,0 +1 @@
+SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr10.sql new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr10.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr10.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr10.sql 2015-03-21 20:06:30.000000000 +0100
@@ -0,0 +1 @@
+SELECT fts3_tokenizer(@0());
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr11.sql new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr11.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr11.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr11.sql 2015-03-22 04:34:27.000000000 +0100
@@ -0,0 +1 @@
+select''like''like''like#0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr6.sql new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr6.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr6.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr6.sql 2015-03-20 21:38:02.000000000 +0100
@@ -0,0 +1 @@
+PRAGMA encoding='UTF16';CREATE VIRTUAL TABLE � USING s;
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr7.sql new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr7.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr7.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr7.sql 2015-03-20 21:38:24.000000000 +0100
@@ -0,0 +1 @@
+CREATE VIRTUAL TABLE t USING fts4(tokenize=);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr8.sql new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr8.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr8.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr8.sql 2015-03-21 04:24:24.000000000 +0100
@@ -0,0 +1 @@
+CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr9.sql new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr9.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-null-ptr9.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-null-ptr9.sql 2015-03-21 04:24:39.000000000 +0100
@@ -0,0 +1 @@
+CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/docs/vuln_samples/sqlite-unint-mem.sql new/afl-1.58b/docs/vuln_samples/sqlite-unint-mem.sql
--- old/afl-1.57b/docs/vuln_samples/sqlite-unint-mem.sql 1970-01-01 01:00:00.000000000 +0100
+++ new/afl-1.58b/docs/vuln_samples/sqlite-unint-mem.sql 2015-03-20 21:54:52.000000000 +0100
@@ -0,0 +1 @@
+REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/qemu_mode/README.qemu new/afl-1.58b/qemu_mode/README.qemu
--- old/afl-1.57b/qemu_mode/README.qemu 2015-03-03 06:22:51.000000000 +0100
+++ new/afl-1.58b/qemu_mode/README.qemu 2015-03-27 08:07:21.000000000 +0100
@@ -96,3 +96,22 @@ Beyond that, this is an early-stage mechanism, so fields reports - even just "yeah, it worked for me" - are very much welcome. You can always drop a mail to <afl-us...@googlegroups.com>. + +6) Alternatives: static rewriting +--------------------------------- + +Statically rewriting binaries just once, instead of attempting to translate +them at run time, can be a faster alternative - but it is fraught with peril, +because it depends on being able to properly model program control flow without +actually running it. + +There is a module attempting just this, contributed by Aleksandar Nikolich: + + https://github.com/vrtadmin/moflow/tree/master/afl-dyninst + https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg + +At this point, the author reports the possibility of hiccups with stripped +binaries. That said, if we can get it to be comparably reliable to QEMU, we may +decide to switch to this mode! + +Once again, field reports are very welcome. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/qemu_mode/build_qemu_support.sh new/afl-1.58b/qemu_mode/build_qemu_support.sh --- old/afl-1.57b/qemu_mode/build_qemu_support.sh 2015-02-02 09:12:55.000000000 +0100 +++ new/afl-1.58b/qemu_mode/build_qemu_support.sh 2015-03-27 07:47:49.000000000 +0100 @@ -112,6 +112,7 @@ patch -p0 <patches/elfload.diff || exit 1 patch -p0 <patches/cpu-exec.diff || exit 1 patch -p0 <patches/translate-all.diff || exit 1 +patch -p0 <patches/syscall.diff || exit 1 echo "[+] Patching done." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/qemu_mode/patches/afl-qemu-cpu-inl.h new/afl-1.58b/qemu_mode/patches/afl-qemu-cpu-inl.h --- old/afl-1.57b/qemu_mode/patches/afl-qemu-cpu-inl.h 2015-02-02 22:14:12.000000000 +0100 +++ new/afl-1.58b/qemu_mode/patches/afl-qemu-cpu-inl.h 2015-03-27 07:53:46.000000000 +0100 
@@ -69,9 +69,10 @@ afl_start_code, /* .text start pointer */ afl_end_code; /* .text end pointer */ -/* Set on the child in forkserver mode: */ +/* Set in the child process in forkserver mode: */ static unsigned char afl_fork_child; +unsigned int afl_forksrv_pid; /* Instrumentation ratio: */ @@ -158,6 +159,8 @@ if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; + afl_forksrv_pid = getpid(); + /* All right, let's await orders... */ while (1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-1.57b/qemu_mode/patches/syscall.diff new/afl-1.58b/qemu_mode/patches/syscall.diff --- old/afl-1.57b/qemu_mode/patches/syscall.diff 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-1.58b/qemu_mode/patches/syscall.diff 2015-03-27 07:39:50.000000000 +0100 @@ -0,0 +1,25 @@ +--- qemu-2.2.0/linux-user/syscall.c.orig 2014-12-09 14:45:43.000000000 +0000 ++++ qemu-2.2.0/linux-user/syscall.c 2015-03-27 06:33:00.736000000 +0000 +@@ -227,7 +227,21 @@ + _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo) + _syscall3(int,sys_syslog,int,type,char*,bufp,int,len) + #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill) +-_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig) ++ ++extern unsigned int afl_forksrv_pid; ++ ++static int sys_tgkill(int tgid, int pid, int sig) { ++ ++ /* Workaround for -lpthread to make abort() work properly, without ++ killing the forkserver due to a prematurely cached PID. */ ++ ++ if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) ++ pid = tgid = getpid(); ++ ++ return syscall(__NR_sys_tgkill, pid, tgid, sig); ++ ++} ++ + #endif + #if defined(TARGET_NR_tkill) && defined(__NR_tkill) + _syscall2(int,sys_tkill,int,tid,int,sig)
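Review bot: `unsigned int afl_forksrv_pid;` is the only non-static global in this block and carries no comment, so a reader of afl-qemu-cpu-inl.h cannot tell that it is deliberately exported for the `extern unsigned int afl_forksrv_pid;` that syscall.diff adds to linux-user/syscall.c; document the cross-reference and the write site, e.g. `/* PID of the fork server; assigned once the fork server is up (see the getpid() store below) and read by the sys_tgkill() wrapper in linux-user/syscall.c (syscall.diff). */`. It is also declared `unsigned int` although the `@@ -158,6 +159,8 @@` hunk stores the `pid_t` result of `getpid()` into it and the tgkill wrapper compares it against an `int pid`; `pid_t` (or at least `int`) would avoid the signed/unsigned comparison and match the kernel interface. The function that performs the `afl_forksrv_pid = getpid();` store in the second hunk starts and ends outside the hunk, so I could not check whether the fork server can be restarted and the value refreshed.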
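Review bot: The replacement `sys_tgkill` hands its arguments to the kernel as `syscall(__NR_sys_tgkill, pid, tgid, sig)`, whereas the removed `_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig)` declared them in the order tgid, pid, sig, which is also the order tgkill(2) takes (thread-group id first, thread id second); unless `_syscall3` reorders its arguments, which this hunk does not show, every call where tgid and pid differ now has the two ids swapped, and only the abort() workaround path, where both are set to `getpid()`, is unaffected. I would change the last statement to `return syscall(__NR_sys_tgkill, tgid, pid, sig);` and confirm against QEMU's `_syscall3` definition before merging. The guard `afl_forksrv_pid == pid` also compares the `unsigned int` global with an `int` parameter; using `pid_t` on both sides keeps the comparison well-defined under -Wsign-compare.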