Linux下安装AFL及遇到的问题 [已解决]

安装AFL前期工作：

编译安装AFL，及其LLVM_MODE

$ git clone https://github.com/google/AFL.git
$ cd AFL
$ make
$ cd llvm_mode
$ make
$ export LLVM_CONFIG=/usr/bin/llvm-config-10   #需要指定LLVM_CONFIG路径，不然会报错
$ cd ..
$ make install

llvm_mode将启用对afl-clang-fast和afl-clang-fast++的支持。它将用于持久模式。这将需要安装clang和llvm。

$ sudo apt-get install clang

安装QEMU_MODE：

这里需要安装一些依赖项

$ sudo apt install libtool-bin
$ sudo apt install bison
$ sudo apt install libglib2.0-dev

以及安装python环境，笔者安装的是2.7版本

$ wget https://www.python.org/ftp/python/2.7.x/Python-2.7.x.tgz
$ tar -zxvf Python-2.7.x.tgz
$ cd Python-2.7.x
$ ./configure --prefix=/usr/local/python
$ make && sudo make install
$ ln -s /usr/local/python-2.7.x/bin/python /usr/bin/python2.7.x

安装完成后，开始通过构建脚本安装qemu_mode，过程中出现了一些问题，下面是解决方案。

问题1是参考：http://fuzzing.in/codelabs/fuzzing_opensource_cn

因为直接安装可能会报错，需要完成以下操作，对 ~/xxx/AFL/qemu_mode/build_qemu_support.sh 对 122行中的内容进行修改：

tar xf "$ARCHIVE" || exit 1

替换成：

tar xf "$ARCHIVE" --exclude qemu-2.10.0/roms/u-boot/scripts/Kconfig || exit 1

问题2如下：显示syscall.c 中 191行及265行有问题

/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/syscall.c:261:16: error: static declaration of ‘gettid’ follows non-static declaration
  261 | _syscall0(int, gettid)
      |                ^~~~~~
/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/syscall.c:191:13: note: in definition of macro ‘_syscall0 ’
  191 | static type name (void)   
      |             ^~~~
In file included from /usr/include/unistd.h:1170,
                 from /home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/include/qemu/osdep.h:75,
                 from /home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/syscall.c:20:
/usr/include/x86_64-linux-gnu/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
   34 | extern __pid_t gettid (void) __THROW;
      |                ^~~~~~
/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/ioctls.h:173:9: error: ‘SIOCGSTAMP’ undeclared here (not in a function); did you mean ‘SIOCSRARP’?
  173 |   IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
      |         ^~~~~~~~~~
/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/syscall.c:5597:23: note: in definition of macro ‘IOCTL’
 5597 |     { TARGET_ ## cmd, cmd, #cmd, access, 0, {  __VA_ARGS__ } },
      |                       ^~~
/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/ioctls.h:174:9: error: ‘SIOCGSTAMPNS’ undeclared here (not in a function); did you mean ‘SIOCGSTAMP_OLD’?
  174 |   IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
      |         ^~~~~~~~~~~~
/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/linux-user/syscall.c:5597:23: note: in definition of macro ‘IOCTL’
 5597 |     { TARGET_ ## cmd, cmd, #cmd, access, 0, {  __VA_ARGS__ } },
      |                       ^~~
make[1]: *** [/home/xxxx/Projects/AFL/qemu_mode/qemu-2.10.0/rules.mak:66: linux-user/syscall.o] Error 1
make: *** [Makefile:326: subdir-x86_64-linux-user] Error 2

这里首先参考了：http://fuzzing.in/codelabs/fuzzing_opensource_cn 18节中的内容进行安装，但是问题仍然存在，对syscall.c文件的191行和265行进行了修改，但仍然报错。后在参考https://www.codeleading.com/article/61745363753/ 文章后，了解到需要对 /AFL/qemu-mode/patches/syscall.diff 进行修改，笔者创建了syscall2.diff 并在build_qemu_support.sh中重新指定 syscall2.diff，修改内容如下：

--- qemu-2.10.0-clean/linux-user/syscall.c	2020-03-12 18:47:47.898592169 +0100
+++ qemu-2.10.0/linux-user/syscall.c	2020-03-12 19:16:41.563074307 +0100
@@ -34,6 +34,7 @@
 #include 
 #include 
 #include 
+#include  // https://lkml.org/lkml/2019/6/3/988
 #include 
 #include 
 #ifdef __ia64__
@@ -116,6 +117,8 @@ int __clone2(int (*fn)(void *), void *ch
 #include "qemu.h"

+extern unsigned int afl_forksrv_pid;
+
 #ifndef CLONE_IO
 #define CLONE_IO                0x80000000      
 #endif
 
@@ -256,7 +259,9 @@ static type name (type1 arg1,type2 arg2,
 #endif

 #ifdef __NR_gettid
-_syscall0(int, gettid)
+// taken from https://patchwork.kernel.org/patch/10862231/
+#define __NR_sys_gettid __NR_gettid
+_syscall0(int, sys_gettid)
 #else
 
@@ -6219,7 +6224,8 @@ static void *clone_func(void *arg)
     cpu = ENV_GET_CPU(env);
     thread_cpu = cpu;
     ts = (TaskState *)cpu->opaque;
-    info->tid = gettid();
+    // taken from https://patchwork.kernel.org/patch/10862231/
+    info->tid = sys_gettid();
     task_settid(ts);
     if (info->child_tidptr)
         put_user_u32(info->tid, info->child_tidptr);
@@ -6363,9 +6369,11 @@ static int do_fork(CPUArchState *env, un
                mapping.  We can't repeat the spinlock hack used above because
                the child process gets its own copy of the lock.  */
             if (flags & CLONE_CHILD_SETTID)
-                put_user_u32(gettid(), child_tidptr);
+                // taken from https://patchwork.kernel.org/patch/10862231/
+                put_user_u32(sys_gettid(), child_tidptr);
             if (flags & CLONE_PARENT_SETTID)
-                put_user_u32(gettid(), parent_tidptr);
+                // taken from https://patchwork.kernel.org/patch/10862231/
+                put_user_u32(sys_gettid(), parent_tidptr);
             ts = (TaskState *)cpu->opaque;
             if (flags & CLONE_SETTLS)
                 cpu_set_tls (env, newtls);
@@ -11402,7 +11410,8 @@ abi_long do_syscall(void *cpu_env, int n
         break;
 #endif
     case TARGET_NR_gettid:
-        ret = get_errno(gettid());
+        // taken from https://patchwork.kernel.org/patch/10862231/
+        ret = get_errno(sys_gettid());
         break;
 #ifdef TARGET_NR_readahead
     case TARGET_NR_readahead:

随后重新执行如下命令

sudo ./build_qemu_support.sh

就没有问题啦！

Linux下安装AFL及遇到的问题 [已解决]

Python相关栏目本月热门文章