AFL_IGNORE_SEED_PROBLEMS

author: vanhauser-thc <vh@thc.org> 2023-08-23 18:02:33 +0200
committer: vanhauser-thc <vh@thc.org> 2023-08-23 18:02:33 +0200
commit: 549e5dd9269238ac43ff482d439f7f671946185c (patch)
tree: c683a940acbfe1c37c5269c1f0103d962b2e06e9
parent: d95cef82730c8ea7debbac676aeeee232c08fc5a (diff)
download: afl++-549e5dd9269238ac43ff482d439f7f671946185c.tar.gz
7 files changed, 59 insertions, 16 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 961b2940..87c01f21 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -7,6 +7,8 @@
   - afl-fuzz:
     - added `AFL_FINAL_SYNC` which forces a final fuzzer sync (also for `-F`)
       before terminating.
+    - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead
+      of exiting with an error message
   - afl-whatsup:
     - detect instanced that are starting up and show them as such as not dead
     - now also shows coverage reached
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 2ce274d3..3bb4e844 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -327,6 +327,9 @@ checks or alter some of the more exotic semantics of the tool:
     (`-i in`). This is an important feature to set when resuming a fuzzing
     session.
 
+  - `AFL_IGNORE_SEED_PROBLEMS` will skip over crashes and timeouts in the seeds
+    instead of exiting.
+
   - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL++ treats as crash. For
     example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1`
     return code (i.e. `exit(-1)` got called), will be treated as if a crash had
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 3dfd2b2c..d02e852e 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -1,4 +1,3 @@
-
 /*
    american fuzzy lop++ - fuzzer header
    ------------------------------------
@@ -175,10 +174,10 @@ struct queue_entry {
       stats_skipped,                    /* stats: how often skipped         */
       stats_finds,                      /* stats: # of saved finds          */
       stats_crashes,                    /* stats: # of saved crashes        */
-      stats_tmouts,                      /* stats: # of saved timeouts       */
+      stats_tmouts,                     /* stats: # of saved timeouts       */
 #endif
       fuzz_level,                       /* Number of fuzzing iterations     */
-      n_fuzz_entry;                      /* offset in n_fuzz                 */
+      n_fuzz_entry;                     /* offset in n_fuzz                 */
 
   u64 exec_us,                          /* Execution time (us)              */
       handicap,                         /* Number of queue cycles behind    */
@@ -402,7 +401,7 @@ typedef struct afl_env_vars {
       afl_keep_timeouts, afl_no_crash_readme, afl_ignore_timeouts,
       afl_no_startup_calibration, afl_no_warn_instability,
       afl_post_process_keep_original, afl_crashing_seeds_as_new_crash,
-      afl_final_sync;
+      afl_final_sync, afl_ignore_seed_problems;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
diff --git a/include/envs.h b/include/envs.h
index 3f5a9e1c..4259d6dd 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -113,6 +113,7 @@ static char *afl_environment_variables[] = {
     "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
     "AFL_IGNORE_PROBLEMS",
     "AFL_IGNORE_PROBLEMS_COVERAGE",
+    "AFL_IGNORE_SEED_PROBLEMS",
     "AFL_IGNORE_TIMEOUTS",
     "AFL_IGNORE_UNKNOWN_ENVS",
     "AFL_IMPORT_FIRST",
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 4c09fab7..9fc0cc57 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -951,19 +951,47 @@ void perform_dry_run(afl_state_t *afl) {
 
         } else {
 
-          SAYF("\n" cLRD "[-] " cRST
-               "The program took more than %u ms to process one of the initial "
-               "test cases.\n"
-               "    This is bad news; raising the limit with the -t option is "
-               "possible, but\n"
-               "    will probably make the fuzzing process extremely slow.\n\n"
+          static int say_once = 0;
+
+          if (!say_once) {
+
+            SAYF(
+                "\n" cLRD "[-] " cRST
+                "The program took more than %u ms to process one of the "
+                "initial "
+                "test cases.\n"
+                "    This is bad news; raising the limit with the -t option is "
+                "possible, but\n"
+                "    will probably make the fuzzing process extremely slow.\n\n"
+
+                "    If this test case is just a fluke, the other option is to "
+                "just avoid it\n"
+                "    altogether, and find one that is less of a CPU hog.\n",
+                afl->fsrv.exec_tmout);
+
+            if (!afl->afl_env.afl_ignore_seed_problems) {
+
+              FATAL("Test case '%s' results in a timeout", fn);
+
+            }
+
+            say_once = 1;
+
+          }
+
+          if (!q->was_fuzzed) {
 
-               "    If this test case is just a fluke, the other option is to "
-               "just avoid it\n"
-               "    altogether, and find one that is less of a CPU hog.\n",
-               afl->fsrv.exec_tmout);
+            q->was_fuzzed = 1;
+            --afl->pending_not_fuzzed;
+            --afl->active_items;
 
-          FATAL("Test case '%s' results in a timeout", fn);
+          }
+
+          q->disabled = 1;
+          q->perf_score = 0;
+
+          WARNF("Test case '%s' results in a timeout, skipping", fn);
+          break;
 
         }
 
@@ -2270,7 +2298,8 @@ void check_crash_handling(void) {
      reporting the awful way. */
 
   #if !TARGET_OS_IPHONE
-  if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash\\>'")) return;
+  if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash\\>'"))
+    return;
 
   SAYF(
       "\n" cLRD "[-] " cRST
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 97e00415..db82536d 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -316,6 +316,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_ignore_problems =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_IGNORE_SEED_PROBLEMS",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_ignore_seed_problems =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_IGNORE_TIMEOUTS",
 
                               afl_environment_variable_len)) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 43834172..08960ac6 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -275,6 +275,8 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected\n"
       "AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to AFL_IGNORE_PROBLEMS - also\n"
       "                              ignore those libs for coverage\n"
+      "AFL_IGNORE_SEED_PROBLEMS: skip over crashes and timeouts in the seeds instead of\n"
+      "                          exiting\n"
       "AFL_IGNORE_TIMEOUTS: do not process or save any timeouts\n"
       "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
       "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
author	vanhauser-thc <vh@thc.org>	2023-08-23 18:02:33 +0200
committer	vanhauser-thc <vh@thc.org>	2023-08-23 18:02:33 +0200
commit	549e5dd9269238ac43ff482d439f7f671946185c (patch)
tree	c683a940acbfe1c37c5269c1f0103d962b2e06e9
parent	d95cef82730c8ea7debbac676aeeee232c08fc5a (diff)
download	afl++-549e5dd9269238ac43ff482d439f7f671946185c.tar.gz