commit
05fdb3f9ad
|
@ -1,19 +0,0 @@
|
|||
Updating the QEMU patches
|
||||
=========================
|
||||
|
||||
When updating to the latest American Fuzzy Lop, make sure to check for
|
||||
any new patches to qemu for binary fuzzing support:
|
||||
|
||||
https://github.com/google/AFL/tree/master/qemu_mode
|
||||
|
||||
Be sure to check the build script and make sure it's also using the
|
||||
right QEMU version and options in `qemu.nix`:
|
||||
|
||||
https://github.com/google/AFL/blob/master/qemu_mode/build_qemu_support.sh
|
||||
|
||||
`afl-config.h`, `afl-types.h`, and `afl-qemu-cpu-inl.h` are part of
|
||||
the afl source code, and copied from `config.h`, `types.h` and
|
||||
`afl-qemu-cpu-inl.h` appropriately. These files and the QEMU patches
|
||||
need to be slightly adjusted to fix their `#include`s (the patches
|
||||
try to otherwise include files like `../../config.h` which causes the
|
||||
build to fail).
|
|
@ -1,82 +0,0 @@
|
|||
{ lib, stdenv, fetchFromGitHub, callPackage, makeWrapper
|
||||
, clang, llvm, which, libcgroup
|
||||
}:
|
||||
|
||||
let
|
||||
afl-qemu = callPackage ./qemu.nix { inherit afl; };
|
||||
qemu-exe-name = if stdenv.hostPlatform.system == "x86_64-linux" then "qemu-x86_64"
|
||||
else if stdenv.hostPlatform.system == "i686-linux" then "qemu-i386"
|
||||
else throw "afl: no support for ${stdenv.hostPlatform.system}!";
|
||||
afl = stdenv.mkDerivation rec {
|
||||
pname = "afl";
|
||||
version = "2.57b";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "google";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
sha256 = "0fqj3g6ds1f21kxz7m9mc1fspi9r4jg9jcmi60inwxijrc5ncvr6";
|
||||
};
|
||||
enableParallelBuilding = true;
|
||||
|
||||
# Note: libcgroup isn't needed for building, just for the afl-cgroup
|
||||
# script.
|
||||
nativeBuildInputs = [ makeWrapper which llvm.dev ];
|
||||
buildInputs = [ llvm ];
|
||||
|
||||
makeFlags = [ "PREFIX=$(out)" ];
|
||||
postBuild = ''
|
||||
make -C llvm_mode $makeFlags -j$NIX_BUILD_CORES
|
||||
'';
|
||||
postInstall = ''
|
||||
# Install the custom QEMU emulator for binary blob fuzzing.
|
||||
cp ${afl-qemu}/bin/${qemu-exe-name} $out/bin/afl-qemu-trace
|
||||
|
||||
# Install the cgroups wrapper for asan-based fuzzing.
|
||||
cp experimental/asan_cgroups/limit_memory.sh $out/bin/afl-cgroup
|
||||
chmod +x $out/bin/afl-cgroup
|
||||
substituteInPlace $out/bin/afl-cgroup \
|
||||
--replace "cgcreate" "${libcgroup}/bin/cgcreate" \
|
||||
--replace "cgexec" "${libcgroup}/bin/cgexec" \
|
||||
--replace "cgdelete" "${libcgroup}/bin/cgdelete"
|
||||
|
||||
# Patch shebangs before wrapping
|
||||
patchShebangs $out/bin
|
||||
|
||||
# Wrap afl-clang-fast(++) with a *different* AFL_PATH, because it
|
||||
# has totally different semantics in that case(?) - and also set a
|
||||
# proper AFL_CC and AFL_CXX so we don't pick up the wrong one out
|
||||
# of $PATH.
|
||||
# first though we need to replace the afl-clang-fast++ symlink with
|
||||
# a real copy to prevent wrapProgram skipping the symlink and confusing
|
||||
# nix's cc wrapper
|
||||
rm $out/bin/afl-clang-fast++
|
||||
cp $out/bin/afl-clang-fast $out/bin/afl-clang-fast++
|
||||
for x in $out/bin/afl-clang-fast $out/bin/afl-clang-fast++; do
|
||||
wrapProgram $x \
|
||||
--prefix AFL_PATH : "$out/lib/afl" \
|
||||
--run 'export AFL_CC=''${AFL_CC:-${clang}/bin/clang} AFL_CXX=''${AFL_CXX:-${clang}/bin/clang++}'
|
||||
done
|
||||
'';
|
||||
|
||||
passthru.qemu = afl-qemu;
|
||||
|
||||
meta = {
|
||||
description = "Powerful fuzzer via genetic algorithms and instrumentation";
|
||||
longDescription = ''
|
||||
American fuzzy lop is a fuzzer that employs a novel type of
|
||||
compile-time instrumentation and genetic algorithms to
|
||||
automatically discover clean, interesting test cases that
|
||||
trigger new internal states in the targeted binary. This
|
||||
substantially improves the functional coverage for the fuzzed
|
||||
code. The compact synthesized corpora produced by the tool are
|
||||
also useful for seeding other, more labor or resource-intensive
|
||||
testing regimes down the road.
|
||||
'';
|
||||
homepage = "https://lcamtuf.coredump.cx/afl/";
|
||||
license = lib.licenses.asl20;
|
||||
platforms = ["x86_64-linux" "i686-linux"];
|
||||
maintainers = with lib.maintainers; [ thoughtpolice ris ];
|
||||
};
|
||||
};
|
||||
in afl
|
|
@ -1,35 +0,0 @@
|
|||
{ lib, stdenv, afl}:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
version = lib.getVersion afl;
|
||||
pname = "libdislocator";
|
||||
|
||||
src = afl.src;
|
||||
sourceRoot = "${afl.src.name}/libdislocator";
|
||||
|
||||
makeFlags = [ "PREFIX=$(out)" ];
|
||||
|
||||
preInstall = ''
|
||||
mkdir -p $out/lib/afl
|
||||
'';
|
||||
postInstall = ''
|
||||
mkdir $out/bin
|
||||
cat > $out/bin/get-libdislocator-so <<END
|
||||
#!${stdenv.shell}
|
||||
echo $out/lib/afl/libdislocator.so
|
||||
END
|
||||
chmod +x $out/bin/get-libdislocator-so
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://lcamtuf.coredump.cx/afl/";
|
||||
description = ''
|
||||
Drop-in replacement for the libc allocator which improves
|
||||
the odds of bumping into heap-related security bugs in
|
||||
several ways.
|
||||
'';
|
||||
mainProgram = "get-libdislocator-so";
|
||||
license = lib.licenses.asl20;
|
||||
maintainers = with maintainers; [ ris ];
|
||||
};
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
diff --git a/Makefile b/Makefile
|
||||
index d6b9dc1..ce7c493 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -601,7 +601,7 @@ install-localstatedir:
|
||||
endif
|
||||
|
||||
|
||||
-install: all $(if $(BUILD_DOCS),install-doc) install-datadir install-localstatedir
|
||||
+install: all $(if $(BUILD_DOCS),install-doc) install-datadir
|
||||
ifneq ($(TOOLS),)
|
||||
$(call install-prog,$(subst qemu-ga,qemu-ga$(EXESUF),$(TOOLS)),$(DESTDIR)$(bindir))
|
||||
endif
|
|
@ -1,51 +0,0 @@
|
|||
--- qemu-2.10.0-clean/linux-user/syscall.c 2020-03-12 18:47:47.898592169 +0100
|
||||
+++ qemu-2.10.0/linux-user/syscall.c 2020-03-13 09:13:42.461809699 +0100
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <sys/resource.h>
|
||||
#include <sys/swap.h>
|
||||
#include <linux/capability.h>
|
||||
+#include <linux/sockios.h> // https://lkml.org/lkml/2019/6/3/988
|
||||
#include <sched.h>
|
||||
#include <sys/timex.h>
|
||||
#ifdef __ia64__
|
||||
@@ -256,7 +257,9 @@ static type name (type1 arg1,type2 arg2,
|
||||
#endif
|
||||
|
||||
#ifdef __NR_gettid
|
||||
-_syscall0(int, gettid)
|
||||
+// taken from https://patchwork.kernel.org/patch/10862231/
|
||||
+#define __NR_sys_gettid __NR_gettid
|
||||
+_syscall0(int, sys_gettid)
|
||||
#else
|
||||
/* This is a replacement for the host gettid() and must return a host
|
||||
errno. */
|
||||
@@ -6219,7 +6222,7 @@ static void *clone_func(void *arg)
|
||||
cpu = ENV_GET_CPU(env);
|
||||
thread_cpu = cpu;
|
||||
ts = (TaskState *)cpu->opaque;
|
||||
- info->tid = gettid();
|
||||
+ info->tid = sys_gettid();
|
||||
task_settid(ts);
|
||||
if (info->child_tidptr)
|
||||
put_user_u32(info->tid, info->child_tidptr);
|
||||
@@ -6363,9 +6366,9 @@ static int do_fork(CPUArchState *env, un
|
||||
mapping. We can't repeat the spinlock hack used above because
|
||||
the child process gets its own copy of the lock. */
|
||||
if (flags & CLONE_CHILD_SETTID)
|
||||
- put_user_u32(gettid(), child_tidptr);
|
||||
+ put_user_u32(sys_gettid(), child_tidptr);
|
||||
if (flags & CLONE_PARENT_SETTID)
|
||||
- put_user_u32(gettid(), parent_tidptr);
|
||||
+ put_user_u32(sys_gettid(), parent_tidptr);
|
||||
ts = (TaskState *)cpu->opaque;
|
||||
if (flags & CLONE_SETTLS)
|
||||
cpu_set_tls (env, newtls);
|
||||
@@ -11402,7 +11405,7 @@ abi_long do_syscall(void *cpu_env, int n
|
||||
break;
|
||||
#endif
|
||||
case TARGET_NR_gettid:
|
||||
- ret = get_errno(gettid());
|
||||
+ ret = get_errno(sys_gettid());
|
||||
break;
|
||||
#ifdef TARGET_NR_readahead
|
||||
case TARGET_NR_readahead:
|
|
@ -1,77 +0,0 @@
|
|||
{ lib, stdenv, fetchurl, afl, python2, zlib, pkg-config, glib, perl
|
||||
, texinfo, libuuid, flex, bison, pixman, autoconf
|
||||
}:
|
||||
|
||||
let
|
||||
cpuTarget = if stdenv.hostPlatform.system == "x86_64-linux" then "x86_64-linux-user"
|
||||
else if stdenv.hostPlatform.system == "i686-linux" then "i386-linux-user"
|
||||
else throw "afl: no support for ${stdenv.hostPlatform.system}!";
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "afl-qemu";
|
||||
version = "2.10.0";
|
||||
|
||||
srcs = [
|
||||
(fetchurl {
|
||||
url = "https://download.qemu.org/qemu-${version}.tar.bz2";
|
||||
sha256 = "0j3dfxzrzdp1w21k21fjvmakzc6lcha1rsclaicwqvbf63hkk7vy";
|
||||
})
|
||||
afl.src
|
||||
];
|
||||
|
||||
sourceRoot = "qemu-${version}";
|
||||
|
||||
postUnpack = ''
|
||||
cp ${afl.src.name}/types.h $sourceRoot/afl-types.h
|
||||
substitute ${afl.src.name}/config.h $sourceRoot/afl-config.h \
|
||||
--replace "types.h" "afl-types.h"
|
||||
substitute ${afl.src.name}/qemu_mode/patches/afl-qemu-cpu-inl.h $sourceRoot/afl-qemu-cpu-inl.h \
|
||||
--replace "../../config.h" "afl-config.h"
|
||||
substituteInPlace ${afl.src.name}/qemu_mode/patches/cpu-exec.diff \
|
||||
--replace "../patches/afl-qemu-cpu-inl.h" "afl-qemu-cpu-inl.h"
|
||||
'';
|
||||
|
||||
nativeBuildInputs = [
|
||||
python2 perl pkg-config flex bison autoconf texinfo
|
||||
];
|
||||
|
||||
buildInputs = [
|
||||
zlib glib pixman libuuid
|
||||
];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
patches = [
|
||||
# patches extracted from afl source
|
||||
"../${afl.src.name}/qemu_mode/patches/cpu-exec.diff"
|
||||
"../${afl.src.name}/qemu_mode/patches/elfload.diff"
|
||||
"../${afl.src.name}/qemu_mode/patches/syscall.diff"
|
||||
"../${afl.src.name}/qemu_mode/patches/configure.diff"
|
||||
"../${afl.src.name}/qemu_mode/patches/memfd.diff"
|
||||
# nix-specific patches to make installation more well-behaved
|
||||
./qemu-patches/no-etc-install.patch
|
||||
# patch for fixing qemu build on glibc >= 2.30
|
||||
./qemu-patches/syscall-glibc2_30.diff
|
||||
];
|
||||
|
||||
configureFlags =
|
||||
[ "--disable-system"
|
||||
"--enable-linux-user"
|
||||
"--disable-gtk"
|
||||
"--disable-sdl"
|
||||
"--disable-vnc"
|
||||
"--disable-kvm"
|
||||
"--target-list=${cpuTarget}"
|
||||
"--enable-pie"
|
||||
"--sysconfdir=/etc"
|
||||
"--localstatedir=/var"
|
||||
];
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://www.qemu.org/";
|
||||
description = "Fork of QEMU with AFL instrumentation support";
|
||||
license = licenses.gpl2Plus;
|
||||
maintainers = with maintainers; [ thoughtpolice ];
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
|
@ -61,6 +61,7 @@ mapAliases ({
|
|||
adtool = throw "'adtool' has been removed, as it was broken and unmaintained";
|
||||
advcpmv = throw "'advcpmv' has been removed, as it is not being actively maintained and break recent coreutils."; # Added 2024-03-29
|
||||
aether = throw "aether has been removed from nixpkgs; upstream unmaintained, security issues"; # Added 2023-10-03
|
||||
afl = throw "afl has been removed as the upstream project was archived. Consider using 'aflplusplus'"; # Added 2024-04-21
|
||||
airfield = throw "airfield has been removed due to being unmaintained"; # Added 2023-05-19
|
||||
alertmanager-bot = throw "alertmanager-bot is broken and has been archived by upstream"; # Added 2023-07-28
|
||||
alsa-project = throw "alsa-project was removed and its sub-attributes were promoted to top-level."; # Added 2023-11-12
|
||||
|
|
|
@ -1614,10 +1614,6 @@ with pkgs;
|
|||
|
||||
afio = callPackage ../tools/archivers/afio { };
|
||||
|
||||
afl = callPackage ../tools/security/afl {
|
||||
stdenv = clangStdenv;
|
||||
};
|
||||
|
||||
honggfuzz = callPackage ../tools/security/honggfuzz {
|
||||
clang = clang_16;
|
||||
llvm = llvm_16;
|
||||
|
@ -1632,7 +1628,7 @@ with pkgs;
|
|||
|
||||
ledfx = callPackage ../applications/audio/ledfx { };
|
||||
|
||||
libdislocator = callPackage ../tools/security/afl/libdislocator.nix { };
|
||||
libdislocator = callPackage ../tools/security/aflplusplus/libdislocator.nix { };
|
||||
|
||||
afpfs-ng = callPackage ../tools/filesystems/afpfs-ng { };
|
||||
|
||||
|
|
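Review bot: The `libdislocator` rebind in the second hunk now points at `../tools/security/aflplusplus/libdislocator.nix`, a file this commit does not show, while the removed `afl/libdislocator.nix` on this page defined the attribute's public contract: the library installed as `$out/lib/afl/libdislocator.so`, a `get-libdislocator-so` helper that echoes that path, and `mainProgram = "get-libdislocator-so"`. If the aflplusplus variant installs under a different directory or omits the helper, anything that resolves the preload path through `get-libdislocator-so` breaks without an evaluation error, since the attribute name is unchanged; worth confirming the replacement keeps that layout before merging. A short comment at the rebind would also record why the source moved, e.g. `# built from the aflplusplus tree now that the standalone afl package is removed`. The enclosing `with pkgs;` attribute set begins and ends outside both hunks.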