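#!/bin/sh
#
# AFL++ test-suite section: qemu_mode.
#
# Builds two small targets (test-instr and test-compcov), then runs afl-fuzz
# in QEMU mode (-Q) against them for a short fixed time and checks that new
# queue entries appear.  When the prerequisites are present the following
# variants are exercised: plain qemu_mode, AFL_ENTRYPOINT, compcov
# (libcompcov.so), cmplog (-c 0), persistent mode (AFL_QEMU_PERSISTENT_ADDR)
# and the 32/64-bit unsigaction preload libraries.
#
# Usage: ./test-qemu-mode.sh   (run from the test directory)
#
# Environment: ECHO, the colour variables (BLUE/GREY/GREEN/YELLOW/RED), SYS
# and MEM_LIMIT are expected to be provided by test-pre.sh, which is sourced
# first.  CODE (a test failed) and INCOMPLETE (a test was skipped) are set
# here; test-post.sh is sourced at the end.  AFL_CC selects the compiler for
# the unsigaction test programs and defaults to gcc, then clang.
#
# $ECHO is deliberately left unquoted throughout: it may expand to a
# multi-word command such as "echo -e" or "printf %b\n".

. ./test-pre.sh

$ECHO "$BLUE[*] Testing: qemu_mode"

# Pick a compiler for the unsigaction test programs if the caller set none.
test -z "$AFL_CC" && {
  if type gcc >/dev/null; then
    export AFL_CC=gcc
  else
    if type clang >/dev/null; then
      export AFL_CC=clang
    fi
  fi
}

#######################################
# Decide whether compcov, cmplog and persistent qemu_mode are tested on
# this machine.  An empty or unknown $SYS counts as unsupported.
# Globals:   SYS (read)
# Returns:   0 for x86 (32/64 bit) and ARM (32/64 bit) platforms, 1 otherwise
#######################################
qemu_arch_supported() {
  case "$SYS" in
    i686|x86_64|amd64|i86pc|aarch64|arm*) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Dump the captured afl-fuzz output between CUT markers, print the given
# failure message and record the failure.
# Arguments: $1 - message printed after the log dump
# Globals:   CODE (written), reads ./errors
#######################################
report_fuzz_failure() {
  echo CUT------------------------------------------------------------------CUT
  cat errors
  echo CUT------------------------------------------------------------------CUT
  $ECHO "$RED[!] $1"
  CODE=1
}

#######################################
# Build test-unsigaction.c for one word size and check that the matching
# unsigaction library makes the program ignore its signal: the program is
# expected to exit with 2 on its own and with 0 when the library is
# preloaded.
# Arguments: $1 - "32" or "64"
# Globals:   AFL_CC (read), CODE / INCOMPLETE (written), appends to ./errors
#######################################
check_unsigaction() {
  bits=$1
  lib=../qemu_mode/unsigaction/unsigaction$bits.so
  bin=./test-unsigaction$bits
  if test -e "$lib"; then
    if ${AFL_CC} -o "$bin" "-m$bits" test-unsigaction.c >> errors 2>&1; then
      "$bin"
      retval_normal=$?
      # The preload only applies to this one invocation.
      LD_PRELOAD="$lib" "$bin"
      retval_preload=$?
      if test "$retval_normal" = "2" && test "$retval_preload" = "0"; then
        $ECHO "$GREEN[+] qemu_mode unsigaction library ($bits bit) ignores signals"
      else
        if test "$retval_normal" != "2"; then
          $ECHO "$RED[!] cannot trigger signal in test program ($bits bit)"
        fi
        if test "$retval_preload" != "0"; then
          $ECHO "$RED[!] signal in test program ($bits bit) is not ignored with unsigaction"
        fi
        CODE=1
      fi
    else
      $ECHO "$YELLOW[-] cannot compile test program ($bits bit) for unsigaction library"
      INCOMPLETE=1
    fi
  else
    $ECHO "$YELLOW[-] we cannot test qemu_mode unsigaction library ($bits bit) because it is not present"
    INCOMPLETE=1
  fi
}

if test -e ../afl-qemu-trace; then
  # test-instr is built PIE so the persistent-mode address derivation below
  # sees a position-independent binary; test-compcov is the compcov/cmplog
  # target.
  cc -pie -fPIE -o test-instr ../test-instr.c
  cc -o test-compcov test-compcov.c
  if test -e test-instr && test -e test-compcov; then
    mkdir -p in
    echo 00000 > in/in

    # --- plain qemu_mode -------------------------------------------------
    $ECHO "$GREY[*] running afl-fuzz for qemu_mode, this will take approx 10 seconds"
    {
      ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr
    } >>errors 2>&1
    if test -n "$( ls out/default/queue/id:000002* 2>/dev/null )"; then
      $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode"
      # Executions in 10 seconds; compared against persistent mode below.
      RUNTIME=$(grep execs_done out/default/fuzzer_stats | awk '{print$3}')
    else
      report_fuzz_failure "afl-fuzz is not working correctly with qemu_mode"
    fi
    rm -f errors

    # --- AFL_ENTRYPOINT --------------------------------------------------
    $ECHO "$GREY[*] running afl-fuzz for qemu_mode AFL_ENTRYPOINT, this will take approx 6 seconds"
    {
      # Ask afl-qemu-trace (AFL_DEBUG=1) where it would place the forkserver
      # and hand that address back as an explicit entry point.
      export AFL_ENTRYPOINT="$(printf 1 | AFL_DEBUG=1 ../afl-qemu-trace ./test-instr 2>&1 >/dev/null | awk '/forkserver/{print $4; exit}')"
      $ECHO "AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(nm test-instr | grep "T main") - $(file ./test-instr)"
      ../afl-fuzz -m ${MEM_LIMIT} -V2 -Q -i in -o out -- ./test-instr
      unset AFL_ENTRYPOINT
    } >>errors 2>&1
    if test -n "$( ls out/default/queue/id:000001* 2>/dev/null )"; then
      $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode AFL_ENTRYPOINT"
      RUNTIME=$(grep execs_done out/default/fuzzer_stats | awk '{print$3}')
    else
      report_fuzz_failure "afl-fuzz is not working correctly with qemu_mode AFL_ENTRYPOINT"
    fi
    rm -f errors

    # --- compcov ---------------------------------------------------------
    if qemu_arch_supported; then
      if test -e ../libcompcov.so; then
        $ECHO "$GREY[*] running afl-fuzz for qemu_mode compcov, this will take approx 10 seconds"
        {
          # The preload library is the freshly built one in the parent dir.
          export AFL_PRELOAD=../libcompcov.so
          export AFL_COMPCOV_LEVEL=2
          ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-compcov
          unset AFL_PRELOAD
          unset AFL_COMPCOV_LEVEL
        } >>errors 2>&1
        if test -n "$( ls out/default/queue/id:000001* 2>/dev/null )"; then
          $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode compcov"
        else
          report_fuzz_failure "afl-fuzz is not working correctly with qemu_mode compcov"
        fi
      else
        $ECHO "$YELLOW[-] we cannot test qemu_mode compcov because it is not present"
        INCOMPLETE=1
      fi
      rm -f errors
    else
      $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode compcov"
    fi

    # --- cmplog ----------------------------------------------------------
    if qemu_arch_supported; then
      $ECHO "$GREY[*] running afl-fuzz for qemu_mode cmplog, this will take approx 10 seconds"
      {
        # cmplog runs without a memory limit (-m none), unlike the other runs.
        ../afl-fuzz -m none -V10 -Q -c 0 -i in -o out -- ./test-compcov
      } >>errors 2>&1
      if test -n "$( ls out/default/queue/id:000001* 2>/dev/null )"; then
        $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode cmplog"
      else
        report_fuzz_failure "afl-fuzz is not working correctly with qemu_mode cmplog"
      fi
      rm -f errors
    else
      $ECHO "$YELLOW[-] not an intel or arm platform, cannot test qemu_mode cmplog"
    fi

    # --- persistent mode -------------------------------------------------
    if qemu_arch_supported; then
      $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds"
      {
        # Derive the guest address of main(): keep only the low nibbles of
        # the link-time address reported by nm and prefix them with 0x4
        # (presumably the QEMU guest base for PIE binaries — confirm against
        # the qemu_mode documentation).
        if file test-instr | grep -q "32-bit"; then
          # for 32-bit reduce 8 nibbles to the lower 7 nibbles
          ADDR_LOWER_PART=$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.//')
        else
          # for 64-bit reduce 16 nibbles to the lower 9 nibbles
          ADDR_LOWER_PART=$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//')
        fi
        export AFL_QEMU_PERSISTENT_ADDR="0x4${ADDR_LOWER_PART}"
        export AFL_QEMU_PERSISTENT_GPR=1
        $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')"
        env|grep AFL_|sort
        file test-instr
        ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr
        # Both variables were exported above; leave neither behind for the
        # unsigaction tests and test-post.sh.
        unset AFL_QEMU_PERSISTENT_ADDR
        unset AFL_QEMU_PERSISTENT_GPR
      } >>errors 2>&1
      if test -n "$( ls out/default/queue/id:000002* 2>/dev/null )"; then
        $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent qemu_mode"
        RUNTIMEP=$(grep execs_done out/default/fuzzer_stats | awk '{print$3}')
        # RUNTIME must be a positive integer before it is used as a divisor.
        if test -n "$RUNTIME" && test -n "$RUNTIMEP" && test "$RUNTIME" -gt 0 2>/dev/null; then
          # Integer ratio of executions: > 1 means persistent mode managed at
          # least twice as many executions in the same time.
          DIFF=$(expr "$RUNTIMEP" / "$RUNTIME")
          if test "$DIFF" -gt 1; then
            $ECHO "$GREEN[+] persistent qemu_mode was noticeable faster than standard qemu_mode"
          else
            $ECHO "$YELLOW[-] persistent qemu_mode was not noticeable faster than standard qemu_mode"
          fi
        else
          $ECHO "$YELLOW[-] we got no data on executions performed? weird!"
        fi
      else
        report_fuzz_failure "afl-fuzz is not working correctly with persistent qemu_mode"
      fi
      rm -f errors
    else
      $ECHO "$YELLOW[-] not an intel or arm platform, cannot test persistent qemu_mode"
    fi
    # The corpus and output directories are removed whichever branch ran.
    rm -rf in out

    # --- unsigaction libraries -------------------------------------------
    check_unsigaction 32
    check_unsigaction 64
    rm -rf errors test-unsigaction32 test-unsigaction64
  else
    $ECHO "$RED[!] gcc compilation of test targets failed - what is going on??"
    CODE=1
  fi

  rm -f test-instr test-compcov
else
  $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test"
  INCOMPLETE=1
fi

. ./test-post.sh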