AFLplusplus / AFLplusplus

The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

Home Page: https://aflplus.plus

GCC mode not working on aarch64

bendrissou opened this issue · comments

I am attempting to compile a simple program with afl-gcc. The compilation fails and returns errors. The program compiles successfully with gcc and afl-cc (GCC_PLUGIN mode).

The program is:

#include <stdio.h>
int main() {
    int intType;
    float floatType;
    double doubleType;
    char charType;

    // sizeof evaluates the size of a variable
    printf("Size of int: %zu bytes\n", sizeof(intType));
    printf("Size of float: %zu bytes\n", sizeof(floatType));
    printf("Size of double: %zu bytes\n", sizeof(doubleType));
    printf("Size of char: %zu byte\n", sizeof(charType));
    
    return 0;
}

Error message (truncated):

afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC-GCC
[!] WARNING: You are using outdated instrumentation, install LLVM and/or gcc-plugin and use afl-clang-fast/afl-clang-lto/afl-gcc-fast instead!
afl-as++4.10a by Michal Zalewski
[+] Instrumented 1 locations (64-bit, non-hardened mode, ratio 100%).
/tmp/.afl-89261-1705517520-1767933681.: Assembler messages:
/tmp/.afl-89261-1705517520-1767933681.:49: Error: unknown mnemonic `leaq' -- `leaq -(128+24)(%rsp),%rsp'
/tmp/.afl-89261-1705517520-1767933681.:50: Error: unknown mnemonic `movq' -- `movq %rdx,0(%rsp)'
/tmp/.afl-89261-1705517520-1767933681.:51: Error: unknown mnemonic `movq' -- `movq %rcx,8(%rsp)'
/tmp/.afl-89261-1705517520-1767933681.:52: Error: unknown mnemonic `movq' -- `movq %rax,16(%rsp)'
/tmp/.afl-89261-1705517520-1767933681.:53: Error: unknown mnemonic `movq' -- `movq $0x0000fbcf,%rcx'
/tmp/.afl-89261-1705517520-1767933681.:54: Error: unknown mnemonic `call' -- `call __afl_maybe_log'
/tmp/.afl-89261-1705517520-1767933681.:55: Error: unknown mnemonic `movq' -- `movq 16(%rsp),%rax'
/tmp/.afl-89261-1705517520-1767933681.:56: Error: unknown mnemonic `movq' -- `movq 8(%rsp),%rcx'
/tmp/.afl-89261-1705517520-1767933681.:57: Error: unknown mnemonic `movq' -- `movq 0(%rsp),%rdx'
/tmp/.afl-89261-1705517520-1767933681.:58: Error: unknown mnemonic `leaq' -- `leaq (128+24)(%rsp),%rsp'
/tmp/.afl-89261-1705517520-1767933681.:843: Error: unknown pseudo-op: `.att_syntax'
/tmp/.afl-89261-1705517520-1767933681.:844: Error: unknown pseudo-op: `.code64'

I tested this issue on an x86 Linux machine and it works fine.

Environment

gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
afl-fuzz++4.10a

I am using a Mac Apple Silicon machine, running in a Linux docker container.

Try the gcc plugin, that guy should be platform-independent.
GCC mode is only for x86 afaik (and in any case it's the worst of all instrumentations).
As you can see, it emits x86 assembly here.
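The practical consequence of the comment above is that a fuzz-target build script should never assume a wrapper name works everywhere. As an added example (not code from this issue or from the AFL++ project), here is a POSIX shell helper that picks the wrapper matching the build machine and the modes that were actually built, and then classifies what the wrapper printed, using the three failure modes quoted in this thread: x86 instrumentation assembly rejected by the aarch64 assembler, a wrapper that compiles but instruments nothing, and a wrapper that aborts. The preference order among wrappers, the function names and the condensed sample logs are this example's own assumptions.

```shell
#!/bin/sh
# Added example for a fuzz-target build script; it is not AFL++ project code.
# It picks the AFL++ compiler wrapper that fits the build machine and then
# checks what the wrapper printed, so a build does not silently fall through
# to an uninstrumented binary. The preference order and function names are
# this example's assumptions.

# afl_pick_wrapper ARCH HAVE_LTO HAVE_LLVM HAVE_GCC_PLUGIN
#   ARCH is what `uname -m` prints. The HAVE_* flags are 1 when that mode was
#   built (the "Build Summary" at the end of AFL++'s make output tells you).
#   Prints the wrapper to use and returns 0, or prints nothing and returns 1
#   when no mode is usable on that machine.
afl_pick_wrapper() {
    arch=$1
    have_lto=${2:-0}
    have_llvm=${3:-0}
    have_gcc_plugin=${4:-0}
    if [ "$have_lto" = 1 ]; then
        echo afl-clang-lto
    elif [ "$have_llvm" = 1 ]; then
        echo afl-clang-fast
    elif [ "$have_gcc_plugin" = 1 ]; then
        echo afl-gcc-fast
    else
        # The classic afl-gcc path rewrites the compiler's assembler output
        # through afl-as, which only emits x86/x86_64 instrumentation, so it
        # is a fallback on those architectures only.
        case $arch in
            x86_64|amd64|i?86) echo afl-gcc ;;
            *) return 1 ;;
        esac
    fi
}

# afl_check_log TEXT
#   Classifies the output of one afl-cc invocation. Returns
#     0  instrumentation was applied
#     1  the wrapper compiled but instrumented nothing
#     2  x86 instrumentation assembly was fed to a non-x86 assembler
#     3  the wrapper aborted
#   The strings are the messages quoted in this thread. Run the wrapper
#   without AFL_QUIET, otherwise there is nothing to classify.
afl_check_log() {
    text=$1
    case $text in
        *'PROGRAM ABORT'*)                    return 3 ;;
        *'unknown mnemonic'*)                 return 2 ;;
        *'No instrumentation targets found'*) return 1 ;;
        *'Instrumented '[1-9]*' locations'*)  return 0 ;;
    esac
    return 1
}

# Constructed sample outputs, condensed from the ones posted in this issue.
LOG_GCC_ON_AARCH64='afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC-GCC
[+] Instrumented 1 locations (64-bit, non-hardened mode, ratio 100%).
/tmp/.afl-89261-1705517520-1767933681.:49: Error: unknown mnemonic leaq'
LOG_PLUGIN_NO_TARGETS='afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC_PLUGIN-DEFAULT
[*] Inline instrumentation at ratio of 100% in non-hardened mode.
[!] WARNING: No instrumentation targets found.'
LOG_ABORT='[-] PROGRAM ABORT : afl-clang not available on your platform!'
LOG_OK='afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC_PLUGIN-DEFAULT
[+] Instrumented 12 locations (non-hardened mode, ratio 100%).'

# Stand-alone demonstration: what this machine gets with the build state
# reported later in the thread (gcc_plugin built, LLVM mode not built).
if wrapper=$(afl_pick_wrapper "$(uname -m)" 0 0 1); then
    echo "use: $wrapper"
else
    echo "no usable AFL++ wrapper for $(uname -m)"
fi
for sample in "$LOG_GCC_ON_AARCH64" "$LOG_PLUGIN_NO_TARGETS" "$LOG_ABORT" "$LOG_OK"; do
    afl_check_log "$sample"
    echo "log class: $?"
done
```

The log check only catches the cases this thread exposed. The definitive test is the one AFL++'s own build runs at the end of the gcc_plugin makefile: compile a small program with the chosen wrapper, run it under afl-showmap with two different inputs, and compare the two maps; if they differ, the instrumentation is live on this machine regardless of what the wrapper printed.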

This is missing a patch to afl-cc that disallows afl-gcc for non-x86_64. Will try to add this over the next days.

The reason I am very keen on using GCC over GCC_PLUGIN (default mode) is because GCC+ASAN catches some memory errors which GCC_PLUGIN+ASAN misses.

But I guess that's a different issue.

As we said, afl-gcc and afl-clang are not supported on non-x86_64 systems. If you want to have this, then please send a PR.
Or find out why the gcc plugin is preventing ASAN from finding crashes.

I added a fix to the dev branch that should prevent the errors that you are seeing, can you please test?

@bendrissou can you please test? I do not have an ARM64 machine, so I cannot test how my changes really work :(

works for me on my raspberry

Thank you very much!
If you use afl-gcc, what is happening then? Is the AFL++ Sancov used then?

No instrumentation targets found, but no emission of x86 instructions as above.

And a notice of which instrumentor was used?

afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC_PLUGIN-DEFAULT
afl-gcc-pass ++4.10a by <oliva@adacore.com>
[*] Inline instrumentation at ratio of 100% in non-hardened mode.
[!] WARNING: No instrumentation targets found.

Here is my latest test of the dev branch:

root@a11dd61c1626:/AFLplusplus-dev# ./afl-gcc-fast /benchmarks/dummy/var-size.c
afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC_PLUGIN-DEFAULT
afl-gcc-pass ++4.10a by <oliva@adacore.com>
[*] Inline instrumentation at ratio of 100% in non-hardened mode.
[!] WARNING: No instrumentation targets found.
root@a11dd61c1626:/AFLplusplus-dev# 
root@a11dd61c1626:/AFLplusplus-dev# ./afl-gcc /benchmarks/dummy/var-size.c
afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC_PLUGIN-DEFAULT
afl-gcc-pass ++4.10a by <oliva@adacore.com>
[*] Inline instrumentation at ratio of 100% in non-hardened mode.
[!] WARNING: No instrumentation targets found.
root@a11dd61c1626:/AFLplusplus-dev# 
root@a11dd61c1626:/AFLplusplus-dev# ./afl-clang /benchmarks/dummy/var-size.c
afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: GCC_PLUGIN-DEFAULT
afl-gcc-pass ++4.10a by <oliva@adacore.com>
[*] Inline instrumentation at ratio of 100% in non-hardened mode.
[!] WARNING: No instrumentation targets found.
root@a11dd61c1626:/AFLplusplus-dev# ./afl-clang-fast /benchmarks/dummy/var-size.c

[-] PROGRAM ABORT : afl-clang not available on your platform!
         Location : mode_final_checkout(), src/afl-cc.c:1187

root@a11dd61c1626:/AFLplusplus-dev#

Note that all compilers compile the program, except afl-clang-fast compiler which aborts.

I was expecting afl-clang and afl-gcc compilers to abort instead of afl-clang-fast.

Let me have a look if I can fix this remotely :) Will write once I have a new state for testing.

Can you please execute this from the dev branch:

Marcs-Mac-mini ~/afl++/test $ ./test-compilers.sh 
Testing compilers ...
Failing: afl-gcc
Missing: afl-clang-lto
Missing: afl-gcc-fast
Done!

Here is my output:

root@a11dd61c1626:/AFLplusplus-dev/test# ./test-compilers.sh
Testing compilers ...
Failing: afl-gcc
Failing: afl-clang
Failing: afl-clang-fast
Missing: afl-clang-lto
Done!

Can you please just type make to compile afl++ and paste the output? No need to clean.

# make
[*] Compiling AFL++ for OS Linux on ARCH aarch64
[!] Note: skipping x86 compilation checks (AFL_NO_X86 set).
[+] shmat seems to be working.
[+] Python 3.10.6 support seems to be working.
[+] Everything seems to be working, ready to compile. (cc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0)
make -j -f GNUmakefile.llvm
make[1]: Entering directory '/AFLplusplus-dev'
GNUmakefile.llvm:62: [!] llvm_mode needs llvm-config, which was not found. Set LLVM_CONFIG to its path and retry.
[+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.
GNUmakefile.llvm:127: we have trouble finding clang - llvm-config is not helping us
GNUmakefile.llvm:142: we have trouble finding clang++ - llvm-config is not helping us
make[1]: llvm-config: No such file or directory
[+] shmat seems to be working.
make[1]: llvm-config: No such file or directory
[*] Building 32-bit variant of the runtime (-m32)... failed (that's fine)
make[1]: Leaving directory '/AFLplusplus-dev'
make -f GNUmakefile.gcc_plugin
make[1]: Entering directory '/AFLplusplus-dev'
[+] shmat seems to be working.
[*] Checking for working 'cc'...
[*] Checking for gcc plugin development header files...
[*] Checking for './afl-showmap'...
[+] All set and ready to build.
[*] Building 32-bit variant of the runtime (-m32)... failed (that's fine)
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=cc ./afl-gcc-fast -O3 -g -funroll-loops -Wall -Iinclude -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DGCC_VERSION=\"\" -DGCC_BINDIR=\"\" -Wno-unused-function  ./test-instr.c -o test-instr -lrt
ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! You can now use './afl-gcc-fast' to compile programs.
make[1]: Leaving directory '/AFLplusplus-dev'
[!] Note: skipping build tests (you may need to use LLVM or QEMU mode).
[+] Main compiler 'afl-cc' successfully built!
[-] LLVM mode for 'afl-cc'  failed to build, likely you either don't have llvm installed, or you need to set LLVM_CONFIG, to point to e.g. llvm-config-11. See instrumentation/README.llvm.md how to do this. Highly recommended!
[-] LLVM LTO mode for 'afl-cc'  failed to build, this would need LLVM 11+, see instrumentation/README.lto.md how to build it
[+] gcc_plugin for 'afl-cc' successfully built!
[+] All done! Be sure to review the README.md - it's pretty short and useful.
NOTE: If you can read this, your terminal probably uses white background.
This will make the UI hard to read. See docs/status_screen.md for advice.
make -C utils/aflpp_driver
make[1]: Entering directory '/AFLplusplus-dev/utils/aflpp_driver'
Note: Optional aflpp_qemu_driver_hook.o not built.
Note: Optional aflpp_qemu_driver_hook.so not built.
make[1]: Leaving directory '/AFLplusplus-dev/utils/aflpp_driver'


Build Summary:
[+] afl-fuzz and supporting tools successfully built
[-] LLVM mode could not be built, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md
[-] LLVM mode could not be built, please install at least llvm-13 and clang-13 or newer, see docs/INSTALL.md
[-] LLVM LTO mode could not be built, it is optional, if you want it, please install LLVM and LLD 11+. More information at instrumentation/README.lto.md on how to build it
[+] gcc_mode successfully built

You did not install llvm via brew as explained in INSTALL.md, or you did not set LLVM_CONFIG pointing to llvm-config-VERSION ... Of course it is not working then on macOS ....

Why do I need to install LLVM? I am only interested in GCC mode. Are you saying LLVM/clang is a prerequisite for afl-gcc?

It is the best mode. afl-gcc is crap; afl-gcc-fast is better, but compared to afl-clang-fast it is by far not as good (non-colliding coverage for example, dictionary generation etc.).