Re: [afl-users] Building AFL LLVM mode for x32?


Michal Zalewski
Dec 20, 2016, 11:58:09 AM
to afl-users
> dave@compute-node-3:/mnt/nvme-cluster-7/afl-2.35b/llvm_mode$ clang -mx32
> afl-llvm-rt-32.bc -fPIC

Not sure what you're trying to do here? Why not use afl-clang-fast
with the -32 flag or so?

afl-clang-fast doesn't recognize -mx32 (it honors -m32), but not sure
why you'd want to use it?

/mz

David Manouchehri
Dec 27, 2016, 6:04:04 AM
to afl-users
Hi Michal,

I'm trying to use x32 with AFL's LLVM mode.

x32 should work great with ASAN (since it only has a 32-bit address space), but still gives us the option of using x86-64 instructions. Seems like the best of both worlds for fuzzing?

afl-clang-fast isn't an issue, it compiles fine with x32.

dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b$ LDFLAGS='-mx32' CFLAGS='-mx32' CXXFLAGS='-mx32' CC='clang-3.9' CXX='clang++-3.9' make
[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-gcc.c -o afl-gcc -mx32 -ldl
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $i; done
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-fuzz.c -o afl-fuzz -mx32 -ldl
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-showmap.c -o afl-showmap -mx32 -ldl
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-tmin.c -o afl-tmin -mx32 -ldl
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-gotcpu.c -o afl-gotcpu -mx32 -ldl
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-analyze.c -o afl-analyze -mx32 -ldl
clang-3.9 -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-as.c -o afl-as -mx32 -ldl
ln -sf afl-as as
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-clang -mx32 -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" test-instr.c -o test-instr -mx32 -ldl
echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
[+] All right, the instrumentation seems to be working!
[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc.
[+] All done! Be sure to review README - it's pretty short and useful.
NOTE: If you can read this, your terminal probably uses white background.
This will make the UI hard to read. See docs/status_screen.txt for advice.

dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b$ file * | grep ELF
afl-analyze:         ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped
afl-as:              ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped
afl-fuzz:            ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped
afl-gcc:             ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped
afl-gotcpu:          ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped
afl-showmap:         ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped
afl-tmin:            ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0, not stripped


However, building AFL's LLVM mode does not work. This is what I was trying to explain in my first message by posting the error from afl-llvm-rt-32.

dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b$ cd llvm_mode/
dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b/llvm_mode$ sed -i 's/m32/mx32/g' Makefile
dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b/llvm_mode$ make
[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.35b\"  afl-clang-fast.c -o ../afl-clang-fast
ln -sf afl-clang-fast ../afl-clang-fast++
clang++ `llvm-config --cxxflags` -fno-rtti -fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"2.35b\" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config --ldflags`
warning: unknown warning option '-Wno-maybe-uninitialized'; did you mean '-Wno-uninitialized'? [-Wunknown-warning-option]
1 warning generated.
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.35b\"  -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt.o
[*] Building 32-bit variant of the runtime (-mx32)... failed (that's fine)
[*] Building 64-bit variant of the runtime (-m64)... success!
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=clang ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.35b\"  ../test-instr.c -o test-instr
echo 0 | ../afl-showmap -m none -q -o .test-instr0 ./test-instr
echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! You can now use '../afl-clang-fast' to compile programs.


To narrow it down, I'll only look at the target that failed.

dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b/llvm_mode$ LDFLAGS='-mx32' CFLAGS='-mx32' CXXFLAGS='-mx32' make ../afl-llvm-rt-32.o VERBOSE=1
[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
[*] Building 32-bit variant of the runtime (-mx32)... failed (that's fine)

Since this isn't much info, I'll add some more verbose flags.

dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b/llvm_mode$ sed -i 's/2>/#/g' Makefile
dave@compute-node-6:/mnt/nvme-cluster-7/afl-2.35b/llvm_mode$ LDFLAGS='-mx32' CFLAGS='-mx32' CXXFLAGS='-mx32' make ../afl-llvm-rt-32.o
[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
[*] Building 32-bit variant of the runtime (-mx32)... fatal error: error in backend: Cannot select: 0x325b110: ch,glue = X86ISD::TLSADDR 0x3218860, TargetGlobalTLSAddress:i32<i32* @__afl_prev_loc> 0 [TF=7]
  0x325a850: i32 = TargetGlobalTLSAddress<i32* @__afl_prev_loc> 0 [TF=7]
In function: __afl_persistent_loop
clang: error: clang frontend command failed with exit code 70 (use -v to see invocation)
clang version 3.9.1-svn281634-1~exp1 (branches/release_39)
Target: x86_64-pc-linux-gnux32
Thread model: posix
InstalledDir: /usr/lib/llvm-3.9/bin
clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/afl-llvm-rt-ba56e5.c
clang: note: diagnostic msg: /tmp/afl-llvm-rt-ba56e5.sh
clang: note: diagnostic msg:

********************
Makefile:89: recipe for target '../afl-llvm-rt-32.o' failed
make: *** [../afl-llvm-rt-32.o] Error 70


What needs to be changed in afl-llvm-rt-32 to be compiled for x32?
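
A diagnostic to run before patching llvm_mode/Makefile, added here as an example (it is not code from the thread or from AFL): it compiles a constructed one-line `__thread` reproducer with `-mx32`, so the backend error that the Makefile's `2>/dev/null` hides is printed directly, and it checks the resulting object with `file` the same way the thread does. The compiler name (default `clang`, override with `CLANG=clang-3.9`) and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from AFL: probe whether the
# local clang can emit a thread-local variable for the x32 ABI before
# editing llvm_mode's Makefile. The runtime's __afl_prev_loc is __thread,
# and that is the construct the backend rejected (X86ISD::TLSADDR) above.
# CLANG and the temp dir are assumptions; override CLANG=clang-3.9 etc.
CLANG="${CLANG:-clang}"

# probe_x32_tls [abi-flag] [output.o]
# Returns 0 if a __thread variable compiles with the given ABI flag
# (default -mx32), 1 if clang exists but the compile fails (the error is
# printed rather than hidden behind 2>/dev/null as AFL's Makefile does),
# 2 if no usable clang is on PATH or no temp dir can be made.
probe_x32_tls() {
    abi="${1:--mx32}"
    command -v "$CLANG" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    # Constructed stand-in for the runtime's thread-local previous-location
    # word and the code that reads and writes it in the persistent loop.
    cat >"$tmp/tls.c" <<'EOF'
__thread unsigned int prev_loc;
unsigned int edge(unsigned int cur) { unsigned int e = prev_loc ^ cur; prev_loc = cur >> 1; return e; }
EOF
    rc=0
    "$CLANG" "$abi" -O3 -fPIC -c "$tmp/tls.c" -o "$tmp/tls.o" || rc=1
    if [ "$rc" -eq 0 ] && [ -n "${2:-}" ]; then
        cp "$tmp/tls.o" "$2"
    fi
    rm -rf "$tmp"
    return "$rc"
}

# is_x32_object file: true when `file` reports a 32-bit ELF with the x86-64
# machine type, the signature of x32 seen in the thread's `file *` output.
is_x32_object() {
    file "$1" 2>/dev/null | grep -q 'ELF 32-bit.*x86-64'
}

if [ "${1:-}" = "run" ]; then
    rc=0
    probe_x32_tls -mx32 ./tls-x32.o || rc=$?
    case "$rc" in
        0) echo "x32 TLS: compiles"
           is_x32_object ./tls-x32.o && echo "tls-x32.o is an x32 ELF object" ;;
        1) echo "x32 TLS: compile failed (error shown above); -m32 is the supported route" ;;
        2) echo "no usable clang found (set CLANG=...)" ;;
    esac
fi
```

Invoke it as `sh probe-x32-tls.sh run`; a return of 1 reproduces the thread's failure without going through make at all.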

David Manouchehri
Dec 27, 2016, 6:05:32 AM
to afl-users
Sorry about the formatting, it looked perfect on my end until I sent it.

Michal Zalewski
Dec 27, 2016, 11:53:30 AM
to afl-users
> x32 should work great with ASAN (since it only has a 32-bit address space),
> but still gives us the option of using x86-64 instructions. Seems like the
> best of both worlds for fuzzing?

Why do you care about the instruction set?

In any case, the bottom line is that it's not the best option in the
sense that AFL doesn't support it (mostly because I have not seen any
other real-world uses of it), and the failure to build the binary is
expected =) I suggest just using -m32.

/mz