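#!/bin/sh
#
# Basic end-to-end test of the classic afl-gcc / afl-clang wrappers.
#
# For each wrapper this script
#   1. compiles ../test-instr.c with instrumentation and checks via afl-showmap
#      that two different inputs give different coverage maps and that the
#      number of reported tuples is plausible,
#   2. compiles test-compcov.c with AFL_HARDEN=1 and checks that the hardening
#      symbols are present in the resulting binary,
#   3. runs afl-fuzz for a few seconds, then afl-cmin, afl-cmin.bash and
#      afl-tmin against the instrumented binary.
#
# State shared with the sibling scripts (test-pre.sh / test-post.sh):
#   read:    $ECHO and the colour variables $RED $GREEN $YELLOW $GREY $BLUE
#            $RESET, $SYS (the platform string compared against the x86
#            names below), $MEM_LIMIT and $AFL_TEST_COUNT
#   written: $CODE=1 when a check fails, $INCOMPLETE=1 when a check could
#            not be run, $AFL_TEST_COUNT decremented when the wrappers do not
#            exist on this platform
# Paths are relative: the afl binaries are addressed as ../afl-* and the
# scratch files (in/, in2/, out/, errors, test-instr.plain,
# test-compcov.harden) are created and removed in the current directory.
# Deliberately no `set -e`: failing tool invocations are the thing under test.

. ./test-pre.sh


#######################################
# Compile ../test-instr.c with the current wrapper and verify that the
# instrumentation is present and input dependent.
# Globals:   AFL_GCC, MEM_LIMIT, ECHO, colours (read); CODE, SKIP, TUPLES (written)
# Outputs:   test-instr.plain is left behind for the fuzzing-tool checks
#######################################
check_instrumentation() {
  "../${AFL_GCC}" -o test-instr.plain -O0 ../test-instr.c > /dev/null 2>&1
  if test -e test-instr.plain; then
    $ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded"
    # coverage maps for two inputs that take different paths ("0" on stdin vs. empty stdin)
    echo 0 | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
    AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
    if test -e test-instr.plain.0 && test -e test-instr.plain.1; then
      if diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1; then
        $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not"
        CODE=1
      else
        $ECHO "$GREEN[+] ${AFL_GCC} instrumentation present and working correctly"
      fi
    else
      $ECHO "$RED[!] ${AFL_GCC} instrumentation failed"
      CODE=1
    fi
    rm -f test-instr.plain.0 test-instr.plain.1
    # third field of afl-showmap's "Captured ..." status line; empty if that line never appeared
    TUPLES=$(echo 1 | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}')
    case "$TUPLES" in
      ''|*[!0-9]*)
        # no count, or not a number: report it without feeding it to an integer test
        # (afl-fuzz is still attempted below so that its error output gets dumped)
        $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
        CODE=1
        ;;
      *)
        if test "$TUPLES" -gt 1 && test "$TUPLES" -lt 12; then
          $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
        else
          $ECHO "$RED[!] ${AFL_GCC} instrumentation produces weird numbers: $TUPLES"
          CODE=1
        fi
        # with fewer than 3 locations the afl-fuzz run below cannot be expected to find new paths
        if test "$TUPLES" -lt 3; then
          SKIP=1
        fi
        ;;
    esac
  else
    $ECHO "$RED[!] ${AFL_GCC} failed"
    echo CUT------------------------------------------------------------------CUT
    uname -a
    # repeat the exact failing command with its output visible for the log
    "../${AFL_GCC}" -o test-instr.plain -O0 ../test-instr.c
    echo CUT------------------------------------------------------------------CUT
    CODE=1
  fi
}


#######################################
# Compile test-compcov.c with AFL_HARDEN=1 and verify that hardening symbols
# (stack protector / fortify related names, see the grep pattern) show up.
# Globals:   AFL_GCC, ECHO, colours (read); CODE (written)
#######################################
check_hardened_mode() {
  AFL_HARDEN=1 "../${AFL_GCC}" -o test-compcov.harden test-compcov.c > /dev/null 2>&1
  if test -e test-compcov.harden; then
    if nm test-compcov.harden | grep -Eq 'stack_chk_fail|fstack-protector-all|fortified' > /dev/null 2>&1; then
      $ECHO "$GREEN[+] ${AFL_GCC} hardened mode succeeded and is working"
    else
      $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened"
      # dump the environment, a debug compile and the symbol table for the log
      env | grep -E 'AFL|PATH|LLVM'
      AFL_DEBUG=1 AFL_HARDEN=1 "../${AFL_GCC}" -o test-compcov.harden test-compcov.c
      nm test-compcov.harden
      CODE=1
    fi
    rm -f test-compcov.harden
  else
    $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed"
    CODE=1
  fi
}


#######################################
# Check the number of testcases a minimisation run left in in2/.
# Two survivors are expected. A single non-empty survivor is only a warning
# when $CMIN_SINGLE is "lenient" (the original script tolerated that for the
# afl-clang run only; the reason is not documented, so the distinction is kept).
# Globals:   CMIN_SINGLE, ECHO, colours (read); CNT, CODE (written)
# Arguments: $1 - tool name for the messages (afl-cmin or afl-cmin.bash)
#######################################
check_cmin_count() {
  # ls' own error on an empty directory is silenced; BSD wc pads its output, so strip whitespace
  CNT=$(ls in2/* 2>/dev/null | wc -l | tr -d ' \t')
  case "$CNT" in
    2) $ECHO "$GREEN[+] $1 correctly minimized the number of testcases" ;;
    1)
      if test "$CMIN_SINGLE" = "lenient" && test -s in2/*; then
        $ECHO "$YELLOW[?] $1 did minimize to one testcase. This can be a bug or due compiler optimization."
      else
        $ECHO "$RED[!] $1 did not correctly minimize the number of testcases ($CNT)"
        CODE=1
      fi
      ;;
    *)
      $ECHO "$RED[!] $1 did not correctly minimize the number of testcases ($CNT)"
      CODE=1
      ;;
  esac
}


#######################################
# Drive afl-fuzz, afl-cmin, afl-cmin.bash and afl-tmin against ./test-instr.plain.
# Globals:   AFL_GCC, SKIP, CMIN_SEED3, MEM_LIMIT, ECHO, colours (read);
#            CODE, INCOMPLETE, SIZE, AFL_QUIET (written)
# Outputs:   scratch files in/, in2/, out/ and errors are created and removed again
#######################################
run_fuzz_tools() {
  # afl-fuzz must not run while the macOS crash reporter is loaded.
  # The earlier form `test $(launchctl list | grep -q ...)` could never trigger:
  # grep -q prints nothing, and `test` with no argument is always false.
  if test "$(uname -s)" = "Darwin" && launchctl list 2>/dev/null | grep -q '\.ReportCrash$'; then
    $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET"
    # nothing below was run, so report the suite as incomplete rather than passed
    INCOMPLETE=1
    return
  fi
  mkdir -p in
  echo 0 > in/in
  if test -z "$SKIP"; then
    $ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds"
    ../afl-fuzz -V10 -m "${MEM_LIMIT}" -i in -o out -D -- ./test-instr.plain >>errors 2>&1
    # a third queue entry (seed plus two new paths) is the pass criterion
    if test -n "$( ls out/default/queue/id:000002* 2>/dev/null )"; then
      $ECHO "$GREEN[+] afl-fuzz is working correctly with ${AFL_GCC}"
    else
      echo CUT------------------------------------------------------------------CUT
      cat errors
      echo CUT------------------------------------------------------------------CUT
      $ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}"
      CODE=1
    fi
  fi
  # three seeds of which the minimisers are expected to keep exactly two
  echo 000000000000000000000000 > in/in2
  echo "$CMIN_SEED3" > in/in3
  mkdir -p in2
  ../afl-cmin -m "${MEM_LIMIT}" -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr?
  check_cmin_count afl-cmin
  rm -f in2/in*
  export AFL_QUIET=1
  if command -v bash >/dev/null ; then
    ../afl-cmin.bash -m "${MEM_LIMIT}" -i in -o in2 -- ./test-instr.plain >/dev/null
    check_cmin_count afl-cmin.bash
  else
    $ECHO "$GREY[*] no bash available, cannot test afl-cmin.bash"
  fi
  ../afl-tmin -m "${MEM_LIMIT}" -i in/in2 -o in2/in2 -- ./test-instr.plain > /dev/null 2>&1
  # byte count of the minimised file; empty if afl-tmin wrote nothing (stderr is
  # redirected before stdin so a missing file does not print an error)
  SIZE=$(wc -c 2>/dev/null < in2/in2 | tr -d ' \t')
  if test "$SIZE" = 1; then
    $ECHO "$GREEN[+] afl-tmin correctly minimized the testcase"
  else
    $ECHO "$RED[!] afl-tmin did incorrectly minimize the testcase to $SIZE"
    CODE=1
  fi
  rm -rf in out errors in2
  unset AFL_QUIET
}


#######################################
# Run the whole sequence for one compiler wrapper.
# Globals:   ECHO, colours (read); AFL_GCC, CMIN_SEED3, CMIN_SINGLE, SKIP,
#            CODE, INCOMPLETE (written)
# Arguments: $1 - wrapper name (afl-gcc or afl-clang), resolved as ../$1
#            $2 - contents of the third afl-cmin seed (must take a different
#                 path through test-instr.c than "0")
#            $3 - "lenient" if afl-cmin keeping a single non-empty testcase is
#                 only a warning, anything else to treat it as a failure
#######################################
test_wrapper() {
  AFL_GCC=$1
  CMIN_SEED3=$2
  CMIN_SINGLE=$3
  SKIP=
  $ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap, afl-fuzz, afl-cmin and afl-tmin"
  if test -e "../${AFL_GCC}" && test -e ../afl-showmap && test -e ../afl-fuzz; then
    check_instrumentation
    check_hardened_mode
    # runs even if compilation failed above, so that the tools' error output is logged
    run_fuzz_tools
    rm -f test-instr.plain
  else
    $ECHO "$YELLOW[-] afl is not compiled, cannot test"
    INCOMPLETE=1
  fi
}


case "$SYS" in
  i686|x86_64|amd64|i86pc|i386)
    test_wrapper afl-gcc 111 strict
    test_wrapper afl-clang AAA lenient
    ;;
  *)
    $ECHO "$GREY[*] not an intel platform, skipped tests of afl-gcc"
    #this is not incomplete as this feature doesnt exist, so all good
    AFL_TEST_COUNT=$((AFL_TEST_COUNT-1))
    ;;
esac

. ./test-post.sh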