/* Copyright 2013 Google LLC All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // 这部分是版权声明和许可证信息,说明这个文件是在Apache License 2.0下发布的。 /* american fuzzy lop - wrapper for GCC and clang ---------------------------------------------- Written and maintained by Michal Zalewski This program is a drop-in replacement for GCC or clang. The most common way of using it is to pass the path to afl-gcc or afl-clang via CC when invoking ./configure. (Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.) The wrapper needs to know the path to afl-as (renamed to 'as'). The default is /usr/local/lib/afl/. A convenient way to specify alternative directories would be to set AFL_PATH. If AFL_HARDEN is set, the wrapper will compile the target app with various hardening options that may help detect memory management issues more reliably. You can also specify AFL_USE_ASAN to enable ASAN. If you want to call a non-default compiler as a next step of the chain, specify its location via AFL_CC or AFL_CXX. */ // 这部分是注释,提供了关于这个程序的概述和使用说明。 #define AFL_MAIN #include "config.h" #include "types.h" #include "debug.h" #include "alloc-inl.h" #include #include #include #include // 这些是包含的头文件,其中一些是AFL自己的头文件,其他的是C标准库的头文件 static u8* as_path; /* Path to the AFL 'as' wrapper */ static u8** cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u8 be_quiet, /* Quiet mode */ clang_mode; /* Invoked as afl-clang*? */ // 这些是全局变量声明。`as_path`存储AFL汇编器的路径,`cc_params`存储传递给实际编译器的参数,`cc_par_cnt`是参数计数器,`be_quiet`用于控制 // 是否静默模式,`clang_mode`指示是否以`afl-clang`或`afl-clang++`模式调用。 /* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived from argv[0]. If that fails, abort. */ static void find_as(u8* argv0) { // 这个函数尝试在AFL_PATH环境变量指定的路径或从argv[0]派生的路径中找到AFL的“假”GNU汇编器。如果找不到,程序将终止。 u8 *afl_path = getenv("AFL_PATH"); u8 *slash, *tmp; if (afl_path) { tmp = alloc_printf("%s/as", afl_path); if (!access(tmp, X_OK)) { as_path = afl_path; ck_free(tmp); return; } ck_free(tmp); } slash = strrchr(argv0, '/'); if (slash) { u8 *dir; *slash = 0; dir = ck_strdup(argv0); *slash = '/'; tmp = alloc_printf("%s/afl-as", dir); if (!access(tmp, X_OK)) { as_path = dir; ck_free(tmp); return; } ck_free(tmp); ck_free(dir); } if (!access(AFL_PATH "/as", X_OK)) { as_path = AFL_PATH; return; } FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH"); } /* Copy argv to cc_params, making the necessary edits. */ static void edit_params(u32 argc, char** argv) { //定义了一个函数edit_params,它接受两个参数:argc是参数的数量,argv是参数的数组。 u8 fortify_set = 0, asan_set = 0;//声明两个变量fortify_set和asan_set,用于跟踪是否已经设置了FORTIFY_SOURCE和address sanitizer(ASan)标志 u8 *name;//用于存储程序的名称 #if defined(__FreeBSD__) && defined(__x86_64__) u8 m32_set = 0; #endif cc_params = ck_alloc((argc + 128) * sizeof(u8*));//分配内存以存储修改后的参数列表,大小为argc + 128个u8*类型的指针。 name = strrchr(argv[0], '/');//找到argv[0](程序的路径)中最后一个'/'字符,这通常用于获取程序的名称。 if (!name) name = argv[0]; else name++;//如果name为NULL(即argv[0]中没有'/'),则name指向argv[0]的开始。否则,name向前移动一个字符,跳过'/'。 if (!strncmp(name, "afl-clang", 9)) { clang_mode = 1;//检查程序名称是否以"afl-clang"开头,如果是,设置clang_mode标志为1 setenv(CLANG_ENV_VAR, "1", 1);//设置环境变量CLANG_ENV_VAR为"1",这可能用于通知其他部分的AFL工具链正在使用Clang。 if (!strcmp(name, "afl-clang++")) { u8* alt_cxx = getenv("AFL_CXX"); cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";//如果AFL_CXX设置,将其值作为第一个参数;否则,使用"clang++"。 } else { u8* alt_cc = getenv("AFL_CC"); cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";//否则尝试获取环境变量AFL_CC的值。 } } else { /* With GCJ and Eclipse installed, you can actually compile Java! The instrumentation will work (amazingly). Alas, unhandled exceptions do not call abort(), so afl-fuzz would need to be modified to equate non-zero exit codes with crash conditions when working with Java binaries. Meh. */ #ifdef __APPLE__ //在Apple系统上,根据程序名称设置不同的编译器。如果AFL_CXX、AFL_GCJ或AFL_CC环境变量设置,使用它们的值;否则,使用默认的编译器名称 if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX"); else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ"); else cc_params[0] = getenv("AFL_CC"); if (!cc_params[0]) { //输出错误信息,指出在MacOS X上需要设置AFL_CC或AFL_CXX环境变量。 SAYF("\n" cLRD "[-] " cRST "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n" " 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n" " set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n"); FATAL("AFL_CC or AFL_CXX required on MacOS X"); } #else //对于非Apple系统,根据程序名称设置不同的编译器。如果相应的环境变量设置,使用它们的值;否则,使用默认的编译器名称。 if (!strcmp(name, "afl-g++")) { u8* alt_cxx = getenv("AFL_CXX"); cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; } else if (!strcmp(name, "afl-gcj")) { u8* alt_cc = getenv("AFL_GCJ"); cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; } else { u8* alt_cc = getenv("AFL_CC"); cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; } #endif /* __APPLE__ */ } while (--argc) { u8* cur = *(++argv); if (!strncmp(cur, "-B", 2)) {//如果当前参数以"-B"开头,输出警告信息,并跳过后续参数(如果当前参数后面紧跟着的是编译器的路径)。 if (!be_quiet) WARNF("-B is already set, overriding");//如果程序不在静默模式,输出警告信息。 if (!cur[2] && argc > 1) { argc--; argv++; }//如果-B后面紧跟着的是编译器的路径,跳过这个路径。 continue; } if (!strcmp(cur, "-integrated-as")) continue;//如果参数是"-integrated-as",跳过它。 if (!strcmp(cur, "-pipe")) continue;//如果参数是"-pipe",跳过它。 #if defined(__FreeBSD__) && defined(__x86_64__) if (!strcmp(cur, "-m32")) m32_set = 1; #endif if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) asan_set = 1;//如果参数是"-fsanitize=address"或"-fsanitize=memory",设置asan_set标志。 if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;//如果参数包含"FORTIFY_SOURCE",设置fortify_set标志。 cc_params[cc_par_cnt++] = cur; } cc_params[cc_par_cnt++] = "-B"; cc_params[cc_par_cnt++] = as_path; //向参数列表中添加"-B"和AFL汇编器的路径。 if (clang_mode) cc_params[cc_par_cnt++] = "-no-integrated-as";//如果clang_mode标志设置,向参数列表中添加`"-no-integrated-as" if (getenv("AFL_HARDEN")) { cc_params[cc_par_cnt++] = "-fstack-protector-all"; if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; } if (asan_set) {//检查是否设置了asan_set标志。 /* Pass this on to afl-as to adjust map density. */ setenv("AFL_USE_ASAN", "1", 1);//如果设置,设置环境变量AFL_USE_ASAN为"1" } else if (getenv("AFL_USE_ASAN")) {//如果asan_set标志未设置,但设置了环境变量AFL_USE_ASAN。 if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");//如果同时设置了AFL_USE_MSAN,输出错误信息并终止程序。 if (getenv("AFL_HARDEN")) FATAL("ASAN and AFL_HARDEN are mutually exclusive");//如果同时设置了AFL_HARDEN,输出错误信息并终止程序。 cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-fsanitize=address";//向参数列表中添加"-U_FORTIFY_SOURCE"和"-fsanitize=address"。 } else if (getenv("AFL_USE_MSAN")) { if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");//如果同时设置了AFL_USE_ASAN,输出错误信息并终止程序。 if (getenv("AFL_HARDEN")) FATAL("MSAN and AFL_HARDEN are mutually exclusive");//如果同时设置了AFL_HARDEN,输出错误信息并终止程序。 cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-fsanitize=memory";//向参数列表中添加"-U_FORTIFY_SOURCE"和"-fsanitize=memory"。 } if (!getenv("AFL_DONT_OPTIMIZE")) {//检查是否设置了环境变量AFL_DONT_OPTIMIZE。 #if defined(__FreeBSD__) && defined(__x86_64__) /* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself works OK. This has nothing to do with us, but let's avoid triggering that bug. */ if (!clang_mode || !m32_set) cc_params[cc_par_cnt++] = "-g";//如果不是Clang模式或没有设置m32_set标志,向参数列表中添加"-g"。 #else cc_params[cc_par_cnt++] = "-g"; #endif//结束#if defined(__FreeBSD__) && defined(__x86_64__)条件编译块。 cc_params[cc_par_cnt++] = "-O3"; cc_params[cc_par_cnt++] = "-funroll-loops";//向参数列表中添加"-O3"和"-funroll-loops",这些是优化选项。 /* Two indicators that you're building for fuzzing; one of them is AFL-specific, the other is shared with libfuzzer. */ cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; //向参数列表中添加两个宏定义,这些宏定义指示编译器代码将用于模糊测试。 } if (getenv("AFL_NO_BUILTIN")) { cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; //如果设置,向参数列表中添加一系列"-fno-builtin-*"选项,这些选项禁用编译器的内置函数。 } cc_params[cc_par_cnt] = NULL; } /* Main entry point */ //最后是函数结束语,结束函数定义。 int main(int argc, char** argv) { if (isatty(2) && !getenv("AFL_QUIET")) { SAYF(cCYA "afl-cc " cBRI VERSION cRST " by \n"); } else be_quiet = 1; if (argc < 2) { SAYF("\n" "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" "for gcc or clang, letting you recompile third-party code with the required\n" "runtime instrumentation. A common use pattern would be one of the following:\n\n" " CC=%s/afl-gcc ./configure\n" " CXX=%s/afl-g++ ./configure\n\n" "You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n" "Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", BIN_PATH, BIN_PATH); exit(1); } find_as(argv[0]); edit_params(argc, argv); execvp(cc_params[0], (char**)cc_params); FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); return 0; }