authorvan Hauser <vh@thc.org>2020-06-03 15:49:23 +0200
committervan Hauser <vh@thc.org>2020-06-03 15:49:23 +0200
commitdd0ca7335ff93090def7be7fd0b46e9f71375004 (patch)
tree3c447d24b4fed3d8277a19ffe8b53000656a7a95
parent686d8823eb8eab3a7cb87f4affec56e0d6e402d1 (diff)
downloadafl++-dd0ca7335ff93090def7be7fd0b46e9f71375004.tar.gz
switch shmem_len to the map
-rw-r--r--examples/aflpp_driver/aflpp_qemu_driver.c6
-rw-r--r--include/forkserver.h4
-rw-r--r--llvm_mode/afl-llvm-rt.o.c9
-rw-r--r--qemu_mode/patches/afl-qemu-common.h6
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-inl.h10
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-translate-inl.h2
-rw-r--r--src/afl-forkserver.c6
-rw-r--r--src/afl-fuzz-init.c6
-rw-r--r--src/afl-fuzz-run.c4
-rw-r--r--src/afl-fuzz-stats.c14
10 files changed, 36 insertions, 31 deletions
diff --git a/examples/aflpp_driver/aflpp_qemu_driver.c b/examples/aflpp_driver/aflpp_qemu_driver.c
index ea4dab95..604feb91 100644
--- a/examples/aflpp_driver/aflpp_qemu_driver.c
+++ b/examples/aflpp_driver/aflpp_qemu_driver.c
@@ -7,9 +7,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
 
 static const size_t kMaxAflInputSize = 1 << 20;
-static uint8_t AflInputBuf[kMaxAflInputSize];
+static uint8_t      AflInputBuf[kMaxAflInputSize];
 
-void __attribute__ ((noinline)) afl_qemu_driver_stdin_input(void) {
+void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) {
 
   size_t l = read(0, AflInputBuf, kMaxAflInputSize);
   LLVMFuzzerTestOneInput(AflInputBuf, l);
@@ -31,7 +31,7 @@ int main(int argc, char **argv) {
     LLVMFuzzerTestOneInput(dummy_input, 1);
 
   }
-  
+
   return 0;
 
 }
diff --git a/include/forkserver.h b/include/forkserver.h
index 840ab509..fa132837 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -75,13 +75,13 @@ typedef struct afl_forkserver {
 
   u8 use_shdmen_fuzz;                   /* use shared mem for test cases    */
 
-  u8 support_shdmen_fuzz;               /* set by afl-fuzz                  */
+  u8 support_shmem_fuzz;                /* set by afl-fuzz                  */
 
   u8 use_fauxsrv;                       /* Fauxsrv for non-forking targets? */
 
   u8 qemu_mode;                         /* if running in qemu mode or not   */
 
-  u32 shmem_fuzz_len;                    /* length of the fuzzing test case */
+  u32 *shmem_fuzz_len;                  /* length of the fuzzing test case  */
 
   u8 *shmem_fuzz;                       /* allocated memory for fuzzing     */
 
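Review bot: The new `u32 *shmem_fuzz_len` field keeps the old comment "length of the fuzzing test case", but it no longer holds a length — it is a pointer into the shared test-case mapping, and the comment should say so, e.g. `/* -> len word after MAX_FILE in shmem_fuzz */`. The rename of `support_shdmen_fuzz` to `support_shmem_fuzz` leaves `use_shdmen_fuzz` (line 55 of this hunk) with the old misspelling, so the struct now mixes both spellings; the same mix appears in the afl-forkserver.c and afl-fuzz-run.c hunks. Renaming both fields in one commit would keep the naming consistent.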
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index f739691a..963de6e6 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -166,8 +166,7 @@ static void __afl_map_shm_fuzz() {
 
   }
 
-  __afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE,
-                                     MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+  __afl_fuzz_len_shmem = (u32 *)(__afl_fuzz_ptr + MAX_FILE);
 
 }
 
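Review bot: `__afl_fuzz_len_shmem = (u32 *)(__afl_fuzz_ptr + MAX_FILE);` assumes the mapping behind `__afl_fuzz_ptr` is at least `MAX_FILE + sizeof(u32)` bytes and that `__afl_fuzz_ptr` is non-NULL; the block closed just above is outside the hunk, so it is not visible whether a failed attach already returned. The two later hunks in this file remove the only assignment to `__afl_fuzz_len` without showing a replacement; wherever the runtime now reads the length from `*__afl_fuzz_len_shmem`, it should clamp it, e.g. `if (len > MAX_FILE) len = MAX_FILE;`, so a stale or corrupted length word cannot make the target read past the mapping. A one-line comment here stating that the length word lives at offset MAX_FILE of the shared buffer would also help, since the same offset is hard-coded on the afl-fuzz side.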
@@ -448,9 +447,6 @@ static void __afl_start_snapshots(void) {
 
     }
 
-    *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8);
-    was_killed = (was_killed & 0xff);
-
   #ifdef _AFL_DOCUMENT_MUTATIONS
     if (__afl_fuzz_ptr) {
 
@@ -651,9 +647,6 @@ static void __afl_start_forkserver(void) {
 
     }
 
-    *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8);
-    was_killed = (was_killed & 0xff);
-
 #ifdef _AFL_DOCUMENT_MUTATIONS
     if (__afl_fuzz_ptr) {
 
diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h
index f7ffa56a..92c33b50 100644
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@@ -83,9 +83,9 @@ extern unsigned char  persistent_save_gpr;
 extern uint64_t       persistent_saved_gpr[AFL_REGS_NUM];
 extern int            persisent_retaddr_offset;
 
-extern u8 *shared_buf;
-extern u32 shared_buf_len;
-extern u8  sharedmem_fuzzing;
+extern u8 * shared_buf;
+extern u32 *shared_buf_len;
+extern u8   sharedmem_fuzzing;
 
 extern afl_persistent_hook_fn afl_persistent_hook_ptr;
 
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 7836e2cf..78f607aa 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -83,9 +83,9 @@ unsigned char persistent_save_gpr;
 uint64_t      persistent_saved_gpr[AFL_REGS_NUM];
 int           persisent_retaddr_offset;
 
-u8 *shared_buf;
-u32 shared_buf_len;
-u8  sharedmem_fuzzing;
+u8 * shared_buf;
+u32 *shared_buf_len;
+u8   sharedmem_fuzzing;
 
 afl_persistent_hook_fn afl_persistent_hook_ptr;
 
@@ -148,6 +148,7 @@ static void afl_map_shm_fuzz(void) {
 
     u32 shm_id = atoi(id_str);
     shared_buf = shmat(shm_id, NULL, 0);
+    shared_buf_len = (u32 *)(shared_buf + MAX_FILE);
 
     /* Whooooops. */
 
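Review bot: `shared_buf_len = (u32 *)(shared_buf + MAX_FILE);` is computed before the `shmat` failure check that the following "Whooooops." comment introduces, so on failure it performs pointer arithmetic on the `(void *)-1` sentinel. Move this line below that check so `shared_buf_len` is only derived from a valid attachment. `afl_map_shm_fuzz` ends outside the hunk, so the exact placement has to be confirmed there.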
@@ -377,9 +378,6 @@ void afl_forkserver(CPUState *cpu) {
 
     if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);
 
-    shared_buf_len = (was_killed >> 8);
-    was_killed = (was_killed & 0xff);
-
     /* If we stopped the child in persistent mode, but there was a race
        condition and afl-fuzz already issued SIGKILL, write off the old
        process. */
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index 15d5c91c..8553f194 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@@ -162,7 +162,7 @@ static void log_x86_sp_content(void) {
 static void callback_to_persistent_hook(void) {
 
   afl_persistent_hook_ptr(persistent_saved_gpr, guest_base, shared_buf,
-                          shared_buf_len);
+                          *shared_buf_len);
 
 }
 
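Review bot: `*shared_buf_len` dereferences a pointer that is only assigned in `afl_map_shm_fuzz`; when shared-memory fuzzing is not active it stays NULL, so this line turns what used to pass a 0 length into a NULL dereference, unless `callback_to_persistent_hook` is only reachable with `sharedmem_fuzzing` set, which this diff does not show. A guard keeps the previous behavior: `shared_buf_len ? *shared_buf_len : 0`.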
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index b5b55713..0b53d7c0 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -506,7 +506,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
       if ((status & FS_OPT_SHDMEM_FUZZ) == FS_OPT_SHDMEM_FUZZ) {
 
-        if (fsrv->support_shdmen_fuzz) {
+        if (fsrv->support_shmem_fuzz) {
 
           fsrv->use_shdmen_fuzz = 1;
           if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); }
@@ -832,7 +832,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
   if (fsrv->shmem_fuzz) {
 
     memcpy(fsrv->shmem_fuzz, buf, len);
-    fsrv->shmem_fuzz_len = len;
+    *fsrv->shmem_fuzz_len = len;
 
   } else {
 
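Review bot: With the length word now stored at offset MAX_FILE, the `memcpy(fsrv->shmem_fuzz, buf, len)` immediately above `*fsrv->shmem_fuzz_len = len;` will overwrite that word (and anything past the mapping) if `len` ever exceeds MAX_FILE, and the store then records the oversized value for the target to read. No bound on `len` is visible in the hunk; `afl_fsrv_write_to_testcase` begins outside it, so if callers do not already clamp, add `if (len > MAX_FILE) { len = MAX_FILE; }` before the copy. The store also narrows `size_t` to `u32` implicitly, which is worth making explicit with a cast once the bound is in place.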
@@ -894,8 +894,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
 
   MEM_BARRIER();
 
-  if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8);
-
   /* we have the fork server (or faux server) up and running
   First, tell it if the previous run timed out. */
 
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 3c3503b1..a30bf3f2 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1960,7 +1960,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
   afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
 
   // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
-  if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) {
+  if ((afl->fsrv.shmem_fuzz =
+           afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
 
 #ifdef USEMMAP
     setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
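Review bot: `MAX_FILE + sizeof(int)` sizes the trailing length slot for an `int`, while every reader casts it to `u32 *` (the next hunk in this file, the afl-llvm-rt.o.c hunk and the afl-qemu-cpu-inl.h hunk); use `sizeof(u32)` so the allocation and the access type agree. The same `+ MAX_FILE` offset is now hard-coded in four places across three components; a single shared constant for the length-word offset, defined next to MAX_FILE, would keep them from drifting apart. The comment on this line should also mention that the extra bytes hold the test-case length.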
@@ -1970,7 +1971,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
     setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
     ck_free(shm_str);
 #endif
-    afl->fsrv.support_shdmen_fuzz = 1;
+    afl->fsrv.support_shmem_fuzz = 1;
+    afl->fsrv.shmem_fuzz_len = (u32 *)(afl->fsrv.shmem_fuzz + MAX_FILE);
 
   } else {
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index bf5defa5..91a64fba 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -232,12 +232,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
     afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
                    afl->afl_env.afl_debug_child_output);
 
-    if (afl->fsrv.support_shdmen_fuzz && !afl->fsrv.use_shdmen_fuzz) {
+    if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shdmen_fuzz) {
 
       afl_shm_deinit(afl->shm_fuzz);
       ck_free(afl->shm_fuzz);
       afl->shm_fuzz = NULL;
-      afl->fsrv.support_shdmen_fuzz = 0;
+      afl->fsrv.support_shmem_fuzz = 0;
       afl->fsrv.shmem_fuzz = NULL;
 
     }
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 97221572..1f5552e0 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -138,6 +138,20 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
       afl->orig_cmdline);
   /* ignore errors */
 
+  if (afl->debug) {
+
+    fprintf(f, "virgin_bytes     :");
+    for (uint32_t i = 0; i < afl->fsrv.map_size; i++)
+      if (afl->virgin_bits[i] != 0xff)
+        fprintf(f, " %d[%02x]", i, afl->virgin_bits[i]);
+    fprintf(f, "\n");
+    fprintf(f, "var_bytes        :");
+    for (uint32_t i = 0; i < afl->fsrv.map_size; i++)
+      if (afl->var_bytes[i]) fprintf(f, " %d", i);
+    fprintf(f, "\n");
+
+  }
+
   fclose(f);
 
 }
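Review bot: The two `fprintf(f, " %d[%02x]", i, ...)` and `fprintf(f, " %d", i)` calls print `uint32_t i` with `%d`, a format/argument type mismatch; use `%u` (or `PRIu32`) in both. This debug dump of `virgin_bits` and `var_bytes` is unrelated to the commit subject "switch shmem_len to the map" and would be easier to review and bisect as its own commit.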