| OLD | NEW |
|---|
| (Empty) | |
| 1 =================================== |
| 2 libdislocator, an abusive allocator |
| 3 =================================== |
| 4 |
| 5 (See ../docs/README for the general instruction manual.) |
| 6 |
| 7 This is a companion library that can be used as a drop-in replacement for the |
| 8 libc allocator in the fuzzed binaries. It improves the odds of bumping into |
| 9 heap-related security bugs in several ways: |
| 10 |
| 11 - It allocates all buffers so that they are immediately adjacent to a |
| 12 subsequent PROT_NONE page, causing most off-by-one reads and writes to |
| 13 immediately segfault, |
| 14 |
| 15 - It adds a canary immediately below the allocated buffer, to catch writes |
| 16 to negative offsets (won't catch reads, though), |
| 17 |
| 18 - It sets the memory returned by malloc() to garbage values, improving the |
| 19 odds of crashing when the target accesses uninitialized data, |
| 20 |
| 21 - It sets freed memory to PROT_NONE and does not actually reuse it, causing |
| 22 most use-after-free bugs to segfault right away, |
| 23 |
| 24 - It forces all realloc() calls to return a new address - and sets |
| 25 PROT_NONE on the original block. This catches use-after-realloc bugs, |
| 26 |
| 27 - It checks for calloc() overflows and can cause soft or hard failures |
| 28 of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, |
| 29 AFL_LD_HARD_FAIL). |
| 30 |
| 31 Basically, it is inspired by some of the non-default options available for the |
| 32 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is |
| 33 also somewhat similar to several other debugging libraries, such as gmalloc |
| 34 and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing |
| 35 jobs. |
| 36 |
| 37 Note that it does nothing for stack-based memory handling errors. The |
| 38 -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN, |
| 39 can catch some subset of that. |
| 40 |
| 41 The allocator is slow and memory-intensive (even the tiniest allocation uses up |
| 42 4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitabl
e |
| 43 for "production" uses; but it can be faster and more hassle-free than ASAN / MSA
N |
| 44 when fuzzing small, self-contained binaries. |
| 45 |
| 46 To use this library, run AFL like so: |
| 47 |
| 48 AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...] |
| 49 |
| 50 You *have* to specify path, even if it's just ./libdislocator.so or |
| 51 $PWD/libdislocator.so. |
| 52 |
| 53 Similarly to afl-tmin, the library is not "proprietary" and can be used with |
| 54 other fuzzers or testing tools without the need for any code tweaks. It does not |
| 55 require AFL-instrumented binaries to work. |
| 56 |
| 57 Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or |
| 58 DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is |
| 59 dynamically linked. Otherwise, attempting to use the library will have no |
| 60 effect. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2238013002:
Roll src/third_party/afl/src/ 2.14b..2.30b (16 versions). (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master