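#!/bin/sh
#
# qemu_mode test: checks that afl-fuzz works with the QEMU binary-only
# instrumentation (../afl-qemu-trace) in several configurations - plain,
# AFL_ENTRYPOINT, compcov, cmplog, persistent mode - and that the
# unsigaction preload libraries suppress signals in a test program.
#
# ECHO, the color variables (BLUE/GREY/GREEN/YELLOW/RED), SYS and MEM_LIMIT
# are used but not defined here; presumably ./test-pre.sh provides them and
# ./test-post.sh consumes CODE (failure) and INCOMPLETE (skipped parts).

. ./test-pre.sh

$ECHO "$BLUE[*] Testing: qemu_mode"

# Pick a compiler for the unsigaction test programs unless the caller chose one.
if test -z "$AFL_CC"; then
  if type gcc >/dev/null; then
    export AFL_CC=gcc
  elif type clang >/dev/null; then
    export AFL_CC=clang
  fi
fi

#######################################
# True when $SYS names an intel or arm architecture.
# Note: the former `! "${SYS%%arm*}"` test also matched an empty SYS;
# this version does not.
#######################################
is_intel_or_arm() {
  case "$SYS" in
    i686|x86_64|amd64|i86pc|aarch64|arm*) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# True when afl-fuzz produced a queue entry whose id starts with $1.
# The glob is intentionally unquoted; ls output is empty when nothing matches.
#######################################
has_queue_entry() {
  test -n "$(ls out/default/queue/id:$1* 2>/dev/null)"
}

#######################################
# Print the execs_done counter from the fuzzer stats of the last run.
#######################################
execs_done() {
  grep execs_done out/default/fuzzer_stats | awk '{print$3}'
}

#######################################
# Dump the captured afl-fuzz output, print the failure message $1 in red
# and mark the whole test as failed.
#######################################
report_failure() {
  echo CUT------------------------------------------------------------------CUT
  cat errors
  echo CUT------------------------------------------------------------------CUT
  $ECHO "$RED[!] $1"
  CODE=1
}

#######################################
# Check the unsigaction preload library for $1 (32 or 64) bits: the test
# program must exit with 2 on its own (the signal fires) and with 0 when
# the library is preloaded (the signal is ignored).
# Compiler diagnostics are appended to ./errors.
#######################################
test_unsigaction() {
  bits=$1
  lib=../qemu_mode/unsigaction/unsigaction${bits}.so
  prog=./test-unsigaction${bits}
  if ! test -e "$lib"; then
    $ECHO "$YELLOW[-] we cannot test qemu_mode unsigaction library ($bits bit) because it is not present"
    INCOMPLETE=1
    return
  fi
  # AFL_CC stays unquoted on purpose so it may carry extra words (e.g. flags).
  if ! ${AFL_CC} -o "$prog" -m"$bits" test-unsigaction.c >> errors 2>&1; then
    $ECHO "$YELLOW[-] cannot compile test program ($bits bit) for unsigaction library"
    INCOMPLETE=1
    return
  fi
  "$prog"
  retval_normal=$?
  LD_PRELOAD="$lib" "$prog"
  retval_preload=$?
  if test "$retval_normal" = "2" && test "$retval_preload" = "0"; then
    $ECHO "$GREEN[+] qemu_mode unsigaction library ($bits bit) ignores signals"
  else
    test "$retval_normal" != "2" && $ECHO "$RED[!] cannot trigger signal in test program ($bits bit)"
    test "$retval_preload" != "0" && $ECHO "$RED[!] signal in test program ($bits bit) is not ignored with unsigaction"
    CODE=1
  fi
}

if ! test -e ../afl-qemu-trace; then
  $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test"
  INCOMPLETE=1
else
  cc -pie -fPIE -o test-instr ../test-instr.c
  cc -o test-compcov test-compcov.c
  if ! test -e test-instr || ! test -e test-compcov; then
    $ECHO "$RED[!] gcc compilation of test targets failed - what is going on??"
    CODE=1
  else
    mkdir -p in
    echo 00000 > in/in

    # --- plain qemu_mode ---------------------------------------------------
    $ECHO "$GREY[*] running afl-fuzz for qemu_mode, this will take approx 10 seconds"
    ../afl-fuzz -m "${MEM_LIMIT}" -V07 -Q -i in -o out -- ./test-instr >>errors 2>&1
    if has_queue_entry 000002; then
      $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode"
      # baseline execution count, compared against persistent mode below
      RUNTIME=$(execs_done)
    else
      report_failure "afl-fuzz is not working correctly with qemu_mode"
    fi
    rm -f errors

    # --- AFL_ENTRYPOINT ----------------------------------------------------
    $ECHO "$GREY[*] running afl-fuzz for qemu_mode AFL_ENTRYPOINT, this will take approx 6 seconds"
    {
      # use the address afl-qemu-trace reports for its forkserver in debug mode
      AFL_ENTRYPOINT=$(printf 1 | AFL_DEBUG=1 ../afl-qemu-trace ./test-instr 2>&1 >/dev/null | awk '/forkserver/{print $4; exit}')
      export AFL_ENTRYPOINT
      $ECHO "AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(nm test-instr | grep "T main") - $(file ./test-instr)"
      ../afl-fuzz -m "${MEM_LIMIT}" -V2 -Q -i in -o out -- ./test-instr
      unset AFL_ENTRYPOINT
    } >>errors 2>&1
    if has_queue_entry 000001; then
      $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode AFL_ENTRYPOINT"
      RUNTIME=$(execs_done)
    else
      report_failure "afl-fuzz is not working correctly with qemu_mode AFL_ENTRYPOINT"
    fi
    rm -f errors

    # --- compcov -----------------------------------------------------------
    if is_intel_or_arm; then
      if test -e ../libcompcov.so; then
        $ECHO "$GREY[*] running afl-fuzz for qemu_mode compcov, this will take approx 10 seconds"
        {
          export AFL_PRELOAD=../libcompcov.so
          export AFL_COMPCOV_LEVEL=2
          ../afl-fuzz -m "${MEM_LIMIT}" -V07 -Q -i in -o out -- ./test-compcov
          unset AFL_PRELOAD
          unset AFL_COMPCOV_LEVEL
        } >>errors 2>&1
        if has_queue_entry 000001; then
          $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode compcov"
        else
          report_failure "afl-fuzz is not working correctly with qemu_mode compcov"
        fi
      else
        $ECHO "$YELLOW[-] we cannot test qemu_mode compcov because it is not present"
        INCOMPLETE=1
      fi
      rm -f errors
    else
      $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode compcov"
    fi

    # --- cmplog ------------------------------------------------------------
    if is_intel_or_arm; then
      $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds"
      ../afl-fuzz -m none -V07 -Q -c 0 -l 3 -i in -o out -- ./test-compcov >>errors 2>&1
      if has_queue_entry 000001; then
        $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog"
      else
        report_failure "afl-fuzz is not working correctly with qemu_mode cmplog"
      fi
      rm -f errors
    else
      $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode cmplog"
    fi

    # --- persistent mode ---------------------------------------------------
    if is_intel_or_arm; then
      $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds"
      {
        main_addr=$(nm test-instr | grep "T main" | awk '{print $1}')
        if file test-instr | grep -q 'statically linked'; then
          # static binary: the nm address is the runtime address
          AFL_QEMU_PERSISTENT_ADDR=0x${main_addr}
        elif file test-instr | grep -q "32-bit"; then
          # for 32-bit reduce 8 nibbles to the lower 7 nibbles
          AFL_QEMU_PERSISTENT_ADDR=0x4$(printf '%s' "$main_addr" | sed 's/^.//')
        else
          # for 64-bit reduce 16 nibbles to the lower 9 nibbles
          AFL_QEMU_PERSISTENT_ADDR=0x4$(printf '%s' "$main_addr" | sed 's/^.......//')
        fi
        # (the former `expr 0x4...` was a no-op: expr echoes a single non-numeric argument)
        export AFL_QEMU_PERSISTENT_ADDR
        export AFL_QEMU_PERSISTENT_GPR=1
        $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $main_addr"
        env|grep AFL_|sort
        file test-instr
        ../afl-fuzz -m "${MEM_LIMIT}" -V07 -Q -i in -o out -- ./test-instr
        unset AFL_QEMU_PERSISTENT_ADDR
      } >>errors 2>&1
      if has_queue_entry 000002; then
        $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent qemu_mode"
        RUNTIMEP=$(execs_done)
        if test -n "$RUNTIME" && test -n "$RUNTIMEP"; then
          # integer ratio: > 1 means persistent mode ran at least twice as many execs
          DIFF=$(expr "$RUNTIMEP" / "$RUNTIME")
          if test "$DIFF" -gt 1; then
            $ECHO "$GREEN[+] persistent qemu_mode was noticeable faster than standard qemu_mode"
          else
            $ECHO "$YELLOW[-] persistent qemu_mode was not noticeable faster than standard qemu_mode"
          fi
        else
          $ECHO "$YELLOW[-] we got no data on executions performed? weird!"
        fi
      else
        report_failure "afl-fuzz is not working correctly with persistent qemu_mode"
      fi
    else
      $ECHO "$YELLOW[-] not an intel or arm platform, cannot test persistent qemu_mode"
    fi
    # clean up the corpus directories on every platform, not only where
    # persistent mode was tested
    rm -rf in out errors

    # --- unsigaction preload libraries ------------------------------------
    test_unsigaction 32
    test_unsigaction 64
    rm -rf errors test-unsigaction32 test-unsigaction64
  fi

  rm -f test-instr test-compcov
fi

. ./test-post.sh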