AFL++'s LLVM plugins are not built by default

[smoelius]

@vanhauser-thc wrote in #449:

AFL++'s LLVM plugins are not built by default.
And even if the user wants to build them the check is faulty:

$ cargo-afl afl config --plugins
AFL LLVM runtime was already built for Rust rustc-1.75.0-nightly-42b1224; run `cargo afl config --build --force` to rebuild it.
$ ls /home/marc/.local/share/afl.rs/rustc-1.75.0-nightly-42b1224/afl.rs-0.15.1/afl-llvm
libafl-llvm-rt.a  libafl-llvm-rt.o

The message says "runtime" which would be correct, because the runtime is there, but what we want are the --plugins which are not.

[jberryman]

I'm fairly new to both rust and AFL++ and a little lost about the work around here. For context I arrived here while investigating why my fuzzing campaign seemed to stall pretty early on.

I can see that we're taking this branch on my code:

afl.rs/cargo-afl/src/main.rs

Lines 272 to 280 in 08d63a6

	} else {
	rustflags.push_str(&format!(
	"-C passes={passes} \
	-C llvm-args=-sanitizer-coverage-level=3 \
	-C llvm-args=-sanitizer-coverage-trace-pc-guard \
	-C llvm-args=-sanitizer-coverage-prune-blocks=0 \
	-C llvm-args=-sanitizer-coverage-trace-compares
	",
	));

And I don't seem to have e.g. cmplog-instructions-pass.so anywhere in my home directory.

What do I need to do or change to get CMPLOG support? I am on:

rustc 1.73.0 (cc66ad468 2023-10-03)
binary: rustc
commit-hash: cc66ad468955717ab92600c770da8c1601a4ff33
commit-date: 2023-10-03
host: x86_64-unknown-linux-gnu
release: 1.73.0
LLVM version: 17.0.2

Thanks for all your work on this project!

[jberryman]

Oh and I ran cargo afl config --build --force but that seemed not to do anything

[vanhauser-thc]

It is ‘cargo afl config —plugins --force’

Also #451

[jberryman]

ah thanks!

so ...

$ rustup show
Default host: x86_64-unknown-linux-gnu
rustup home:  /home/me/.rustup

installed toolchains
--------------------

stable-x86_64-unknown-linux-gnu
nightly-x86_64-unknown-linux-gnu (default)

active toolchain
----------------

nightly-x86_64-unknown-linux-gnu (default)
rustc 1.78.0-nightly (8ace7ea1f 2024-02-07)

$ rustc --version --verbose
rustc 1.78.0-nightly (8ace7ea1f 2024-02-07)
binary: rustc
commit-hash: 8ace7ea1f7cbba7b4f031e66c54ca237a0d65de6
commit-date: 2024-02-07
host: x86_64-unknown-linux-gnu
release: 1.78.0-nightly
LLVM version: 17.0.6

then

$ cargo install cargo-afl --force
   ...
$ ls /home/me/.local/share/afl.rs/rustc-1.78.0-nightly-8ace7ea/afl.rs-0.15.3/afl-llvm
libafl-llvm-rt.a  libafl-llvm-rt.o
$ cargo afl config --plugins --force
thread 'main' panicked at /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-afl-0.15.3/src/config.rs:180:29:
could not run llvm-config-17 --version

The logic here seems to assume rust's llvm is in my path? That's not the case for me (I happen to have llvm-14 installed currently)

[jberryman]

I guess that's just on me to install and keep up to date; I don't see llvm-config in the stuff rustc ships

[vanhauser-thc]

You need to install the llvm-tools component with rustup and install llvm 17 (eg apt.llvm.org)

[jberryman]

installing llvm-17 on my system was sufficient, then after running cargo afl config --plugins --force it compiled with cmplog plugins etc. thanks for the help!

[smoelius]

Renaming this issue to just "AFL++'s LLVM plugins are not built by default".

The check should be fixed by #498.

Re building the plugins by default, I would prefer to wait until Rust's plugin support is stabilized (e.g., rust-lang/rust#127577).

[R9295]

@smoelius currently, it's a bit ambiguous if AFL++'s passes are used. What do you think about introducing a AFL_FORCE_PASS or so when building using cargo afl build? I'd be happy to contribute a patch.

[smoelius]

@smoelius currently, it's a bit ambiguous if AFL++'s passes are used. What do you think about introducing a AFL_FORCE_PASS or so when building using cargo afl build? I'd be happy to contribute a patch.

Sorry if it should be obvious, but could you explain what this option would do?

[vanhauser-thc]

I think AFL_FORCE_PASS would do a cargo afl config --plugins --force underneath when doing cargo afl build.

this is not a good env var though, because AFL_ should be reserved to AFL++'s envs. this is specifically for afl.rs so maybe AFLRS_FORCE_PASS?

[R9295]

There are two scenarios:

1. Building the fuzz target with instrumentation cargo afl build
2. Building AFL++ & plugins cargo afl config --build --plugins --force

I'm referring to the first. AFLRS_FORCE_PASS would force the usage of AFL++'s passes when instrumenting, regardless of the nightly check.

Like this, it would:

a) error if AFL++'s plugins were not built (and won't implicitly use the rustc sancov pass)
c) remind me that I am not on nightly and should switch.

It is easy to forget --plugins --force when building AFL++ and it's plugins since nightly changes it's LLVM version rather often.

[smoelius]

I think the behavior sounds fine. I'm just not 100% sure on the name. Maybe AFLRS_REQUIRE_PLUGINS? IMHO:

• @vanhauser-thc's suggestion to use AFLRS is a good one.
• REQUIRE sounds more like what this feature would do.
• PLUGINS because the issue is really about whether plugins will be used, not passes.

Or have I misunderstood something?