authorvan Hauser <vh@thc.org>2020-06-04 02:37:05 +0200
committervan Hauser <vh@thc.org>2020-06-04 02:37:05 +0200
commit35ddec7aebaa3fdd454118a31483f9c43e549d6a (patch)
tree3f1d6d1be54c1f4fa052a35252c175ab5feb42e6
parente11922e5cceb6ddf36d7860f77f315c7a73bab15 (diff)
downloadafl++-35ddec7aebaa3fdd454118a31483f9c43e549d6a.tar.gz
fix shmem persistent mode
-rw-r--r--examples/persistent_demo/persistent_demo_new.c2
-rw-r--r--examples/persistent_demo/test-instr.c4
-rw-r--r--llvm_mode/afl-clang-fast.c4
-rw-r--r--llvm_mode/afl-llvm-rt.o.c17
-rw-r--r--src/afl-forkserver.c3
5 files changed, 15 insertions, 15 deletions
diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c
index 69468bdd..98909442 100644
--- a/examples/persistent_demo/persistent_demo_new.c
+++ b/examples/persistent_demo/persistent_demo_new.c
@@ -45,7 +45,7 @@ int main(int argc, char **argv) {
   __AFL_INIT();
   buf = __AFL_FUZZ_TESTCASE_BUF;
 
-  while (__AFL_LOOP(1000)) {
+  while (__AFL_LOOP(1000)) {  // increase if you have good stability
 
     len = __AFL_FUZZ_TESTCASE_LEN;
 
diff --git a/examples/persistent_demo/test-instr.c b/examples/persistent_demo/test-instr.c
index 4cd07102..f7512790 100644
--- a/examples/persistent_demo/test-instr.c
+++ b/examples/persistent_demo/test-instr.c
@@ -25,7 +25,7 @@ int main(int argc, char **argv) {
   __AFL_INIT();
   unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
 
-  while (__AFL_LOOP(2147483647)) {
+  while (__AFL_LOOP(2147483647)) {  // MAX_INT if you have 100% stability
 
     unsigned int len = __AFL_FUZZ_TESTCASE_LEN;
 
@@ -50,6 +50,8 @@ int main(int argc, char **argv) {
     counter++;
 #endif
 
+    fprintf(stderr, "len: %u\n", len);
+
     if (!len) continue;
 
     if (buf[0] == '0')
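Review bot: The added `fprintf(stderr, "len: %u\n", len);` runs on every iteration of the persistent loop, so this harness now emits one stderr line per test case, which will dominate runtime and flood the log at the `2147483647` iteration count set above. Debug output in a fuzzing harness should be behind a compile-time guard like the `#ifdef` block that closes at the `#endif` just above it, or removed before merging. `main` continues outside this hunk.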
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 47347893..75504ea5 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -495,14 +495,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   cc_params[cc_par_cnt++] =
       "-D__AFL_FUZZ_INIT()="
       "int __afl_sharedmem_fuzzing = 1;"
-      "extern unsigned int __afl_fuzz_len;"
+      "extern unsigned int *__afl_fuzz_len;"
       "extern unsigned char *__afl_fuzz_ptr;"
       "unsigned char *__afl_fuzz_alt_ptr;";
   cc_params[cc_par_cnt++] =
       "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : "
       "(__afl_fuzz_alt_ptr = malloc(1 * 1024 * 1024)))";
   cc_params[cc_par_cnt++] =
-      "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? __afl_fuzz_len : read(0, "
+      "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : read(0, "
       "__afl_fuzz_alt_ptr, 1 * 1024 * 1024))";
 
   cc_params[cc_par_cnt++] =
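Review bot: `__AFL_FUZZ_TESTCASE_LEN` now hands `*__afl_fuzz_len` to the target straight out of the shared mapping, and nothing visible in this hunk bounds it to the mapped region, so a stale or corrupted header value would let the harness read past the end of `__afl_fuzz_ptr`. The macro expands in the target's translation unit where no size constant is in scope, so the clamp belongs in the runtime that owns the mapping (presumably where the old per-iteration copy lived, after `raise(SIGSTOP)`), e.g. `if (*__afl_fuzz_len > MAX_FILE) { /* treat as error */ }`. Note also that the two arms of the conditional have different types: `*__afl_fuzz_len` is `unsigned int` while `read()` returns `ssize_t`, so in the non-shmem fallback a failed `read` does not produce a value the harness can check for `< 0`; this predates the commit but the rewrite is the natural place to document that contract in a comment on the `-D` string.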
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index c6b49e36..e37ecfd7 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -77,9 +77,8 @@ u8                  __afl_area_initial[MAP_SIZE];
 u8 * __afl_area_ptr = __afl_area_initial;
 u8 * __afl_dictionary;
 u8 * __afl_fuzz_ptr;
-u32  __afl_fuzz_len;
 u32  __afl_fuzz_len_dummy;
-u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy;
+u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy;
 
 u32 __afl_final_loc;
 u32 __afl_map_size = MAP_SIZE;
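Review bot: `__afl_fuzz_len` changes type from `u32` to `u32 *` while keeping the same exported symbol name, so any target object compiled with an earlier `afl-clang-fast` (which declared `extern unsigned int __afl_fuzz_len`) will still link against this runtime and silently read the low bits of a pointer as the test-case length. A comment on the definition recording that the exported ABI changed, e.g. `/* ABI: was a u32 value before 2020-06; now points into the fuzz shmem (or at __afl_fuzz_len_dummy) */`, would make the mismatch diagnosable; a new symbol name would make it a link error instead.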
@@ -138,19 +137,19 @@ static void __afl_map_shm_fuzz() {
 
     }
 
-    __afl_fuzz_len_shmem =
+    __afl_fuzz_len =
         (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
 
 #else
     u32 shm_id = atoi(id_str);
 
-    __afl_fuzz_len_shmem = (u32 *)shmat(shm_id, NULL, 0);
+    __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
 
 #endif
 
     /* Whooooops. */
 
-    if (__afl_fuzz_len_shmem == (void *)-1) {
+    if (__afl_fuzz_len == (void *)-1) {
 
       fprintf(stderr, "Error: could not access fuzzing shared memory\n");
       exit(1);
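Review bot: The mapping is created with length `MAX_FILE`, yet the same region is later used as a `u32` length header followed by the payload (`__afl_fuzz_ptr` is derived from `__afl_fuzz_len` further down this function), so a test case of `MAX_FILE` bytes would need `MAX_FILE + sizeof(u32)` bytes of mapping; I cannot see the fuzzer-side allocation here, so please verify the two sizes agree. If the header is counted, a comment such as `/* region = u32 len + up to MAX_FILE payload; must match afl-forkserver */` next to the `mmap` call would pin the layout for both sides. The start of `__afl_map_shm_fuzz` is outside this hunk.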
@@ -167,7 +166,7 @@ static void __afl_map_shm_fuzz() {
 
   }
 
-  __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len_shmem + sizeof(int));
+  __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
 
 }
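Review bot: `__afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));` does pointer arithmetic on a `u32 *`, so `+ sizeof(int)` advances by `sizeof(int)` elements of `u32` (16 bytes on common platforms), not by `sizeof(int)` bytes; this was already wrong with `__afl_fuzz_len_shmem` and the rename carries it over. If the fuzzer side places the payload immediately after the 4-byte length (which I infer from the `u32` header but cannot see here), the target reads from the wrong offset; the intended expression is `__afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + 1);` or, more explicitly, `__afl_fuzz_ptr = (u8 *)__afl_fuzz_len + sizeof(u32);`. The start of `__afl_map_shm_fuzz` is outside this hunk.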
 
@@ -457,7 +456,7 @@ static void __afl_start_snapshots(void) {
       s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
       if (fd_doc >= 0) {
 
-        if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) {
+        if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) {
 
           fprintf(stderr, "write of mutation file failed: %s\n", fn);
           unlink(fn);
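Review bot: `*__afl_fuzz_len` is dereferenced twice in the `write` check, and since it now points into shared memory that the fuzzer process writes, the two reads are not guaranteed to see the same value; read it once into a local, `u32 fuzz_len = *__afl_fuzz_len;`, and use that for both the `write` length and the comparison. The same pattern appears in the `__afl_start_forkserver` hunk below. Comparing the `ssize_t` return of `write` against a `u32` also hides short writes behind an unsigned comparison on 32-bit targets, so the local should be the width the comparison is done in. The enclosing `__afl_start_snapshots` body starts and ends outside this hunk.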
@@ -657,7 +656,7 @@ static void __afl_start_forkserver(void) {
       s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
       if (fd_doc >= 0) {
 
-        if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) {
+        if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) {
 
           fprintf(stderr, "write of mutation file failed: %s\n", fn);
           unlink(fn);
@@ -770,8 +769,6 @@ int __afl_persistent_loop(unsigned int max_cnt) {
 
       raise(SIGSTOP);
 
-      __afl_fuzz_len = *__afl_fuzz_len_shmem;
-
       __afl_area_ptr[0] = 1;
       memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 0b53d7c0..a5e2db54 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -831,8 +831,9 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
 
   if (fsrv->shmem_fuzz) {
 
-    memcpy(fsrv->shmem_fuzz, buf, len);
     *fsrv->shmem_fuzz_len = len;
+    memcpy(fsrv->shmem_fuzz, buf, len);
+    // fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);
 
   } else {