Merge pull request #1821 from junwha0511/crashing-seeds-as-new-crash

Implement an option for treating crashing seeds as new crash
author: van Hauser <vh@thc.org> 2023-08-09 14:39:25 +0000
committer: GitHub <noreply@github.com> 2023-08-09 14:39:25 +0000
commit: b4bd33961c645b1fed059d5ff8269911bc941cc9 (patch)
tree: f8e77e6b0d5411cd831bd7a644c23b17ef89af37
parent: 7f3b0a9503f90b86e8c196c6b405f0a4c8a7babc (diff)
parent: fcdfe9e990d84ab477cd3c571cbf540e8bc8e15a (diff)
download: afl++-b4bd33961c645b1fed059d5ff8269911bc941cc9.tar.gz
6 files changed, 100 insertions, 23 deletions
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 1f73bbdf..affc9e3c 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -365,6 +365,9 @@ checks or alter some of the more exotic semantics of the tool:
   - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
     does not allow crashes or timeout seeds in the initial -i corpus.
 
+  - `AFL_CRASHING_SEEDS_AS_NEW_CRASH` will treat crashing seeds as new crash. these 
+    crashes will be written to crashes folder as op:dry_run, and orig:<seed_file_name>.
+
   - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found
     within a specified period of time (in seconds). May be convenient for some
     types of automated jobs.
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index e114b0fc..18352acb 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -1,3 +1,4 @@
+
 /*
    american fuzzy lop++ - fuzzer header
    ------------------------------------
@@ -408,7 +409,7 @@ typedef struct afl_env_vars {
       *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
       *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
       *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal,
-      *afl_target_env, *afl_persistent_record, *afl_exit_on_time;
+      *afl_target_env, *afl_persistent_record, *afl_exit_on_time, *afl_crashing_seeds_as_new_crash;
 
   s32 afl_pizza_mode;
 
diff --git a/include/envs.h b/include/envs.h
index 963e1367..0007d5a8 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -35,6 +35,7 @@ static char *afl_environment_variables[] = {
     "AFL_COMPCOV_BINNAME",
     "AFL_COMPCOV_LEVEL",
     "AFL_CRASH_EXITCODE",
+    "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
     "AFL_CUSTOM_MUTATOR_LIBRARY",
     "AFL_CUSTOM_MUTATOR_ONLY",
     "AFL_CUSTOM_INFO_PROGRAM",
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 24fd7077..d994d749 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1057,9 +1057,18 @@ void perform_dry_run(afl_state_t *afl) {
               fn, (int)(s8)afl->fsrv.crash_exitcode);
 
         } else {
-
-          WARNF("Test case '%s' results in a crash, skipping", fn);
-
+          if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
+          
+            WARNF(
+                "Test case '%s' results in a crash, "
+                "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
+                "saving as a new crash", fn);
+            
+          } else {
+
+            WARNF("Test case '%s' results in a crash, skipping", fn);
+          
+          }
         }
 
         if (afl->afl_env.afl_exit_on_seed_issues) {
@@ -1078,38 +1087,94 @@ void perform_dry_run(afl_state_t *afl) {
 
         }
 
-        q->disabled = 1;
-        q->perf_score = 0;
+        /* Crashing seeds will be regarded as new crashes on startup */
+        if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
+          
+          ++afl->total_crashes;
 
-        u32 i = 0;
-        while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
-                        afl->queue_buf[i]->disabled)) {
+          if (likely(!afl->non_instrumented_mode)) {
 
-          ++i;
+            classify_counts(&afl->fsrv);
+          
+            simplify_trace(afl, afl->fsrv.trace_bits);
 
-        }
+            if (!has_new_bits(afl, afl->virgin_crash)) { break; }
+
+          }
+
+          
+          if (unlikely(!afl->saved_crashes) &&
+              (afl->afl_env.afl_no_crash_readme != 1)) {
+
+            write_crash_readme(afl);
+
+          }
+
+          u8  crash_fn[PATH_MAX];
+          u8 *use_name = strstr(q->fname, ",orig:");
+
+          afl->stage_name = "dry_run";
+          afl->stage_short = "dry_run";
+
+    #ifndef SIMPLE_FILES
+
+          snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s", afl->out_dir,
+                  afl->saved_crashes, afl->fsrv.last_kill_signal,
+                  describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)), use_name);
+
+    #else
 
-        if (i < afl->queued_items && afl->queue_buf[i]) {
+          snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
+                  afl->saved_crashes, afl->fsrv.last_kill_signal);
 
-          afl->queue = afl->queue_buf[i];
+    #endif  
+
+          ++afl->saved_crashes;
+
+          fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
+          if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); }
+          ck_write(fd, use_mem, read_len, crash_fn);
+          close(fd);
+
+          afl->last_crash_time = get_cur_time();
+          afl->last_crash_execs = afl->fsrv.total_execs;
 
         } else {
 
-          afl->queue = afl->queue_buf[0];
+          u32 i = 0;
+          while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
+                          afl->queue_buf[i]->disabled)) {
 
-        }
+            ++i;
 
-        afl->max_depth = 0;
-        for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
+          }
 
-          if (!afl->queue_buf[i]->disabled &&
-              afl->queue_buf[i]->depth > afl->max_depth)
-            afl->max_depth = afl->queue_buf[i]->depth;
+          if (i < afl->queued_items && afl->queue_buf[i]) {
 
-        }
+            afl->queue = afl->queue_buf[i];
 
-        break;
+          } else {
+
+            afl->queue = afl->queue_buf[0];
+
+          }
+
+          afl->max_depth = 0;
+          for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
+
+            if (!afl->queue_buf[i]->disabled &&
+                afl->queue_buf[i]->depth > afl->max_depth)
+              afl->max_depth = afl->queue_buf[i]->depth;
+
+          }
+
+        }
+        
+        q->disabled = 1;
+        q->perf_score = 0;
 
+        break;  
+      
       case FSRV_RUN_ERROR:
 
         FATAL("Unable to execute target application ('%s')", afl->argv[0]);
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 99f69314..5a6b95cf 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -200,6 +200,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_exit_on_time =
                 (u8 *)get_afl_env(afl_environment_variables[i]);
 
+          } else if (!strncmp(env, "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_crashing_seeds_as_new_crash =
+                atoi((u8 *)get_afl_env(afl_environment_variables[i]));
+
           } else if (!strncmp(env, "AFL_NO_AFFINITY",
 
                               afl_environment_variable_len)) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index cdb3f996..733c7429 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1592,7 +1592,7 @@ int main(int argc, char **argv_orig, char **envp) {
   if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; }
   if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; }
   if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; }
-
+  
   if (afl->afl_env.afl_autoresume) {
 
     afl->autoresume = 1;
author	van Hauser <vh@thc.org>	2023-08-09 14:39:25 +0000
committer	GitHub <noreply@github.com>	2023-08-09 14:39:25 +0000
commit	b4bd33961c645b1fed059d5ff8269911bc941cc9 (patch)
tree	f8e77e6b0d5411cd831bd7a644c23b17ef89af37
parent	7f3b0a9503f90b86e8c196c6b405f0a4c8a7babc (diff)
parent	fcdfe9e990d84ab477cd3c571cbf540e8bc8e15a (diff)
download	afl++-b4bd33961c645b1fed059d5ff8269911bc941cc9.tar.gz