authorDominik Maier <domenukk@gmail.com>2020-08-23 01:48:36 +0200
committerDominik Maier <domenukk@gmail.com>2020-08-23 01:48:36 +0200
commit1301552101af899557a93a7535d8a57874fe6edf (patch)
tree7c97f8e12a7572b5d546d119fe9d7855ee80ccab
parentc4f71ab201da991fd16b2691f76020bfdb6459a4 (diff)
added AFL_MAX_DET_EXTRAS env var
-rw-r--r--include/afl-fuzz.h5
-rw-r--r--include/envs.h1
-rw-r--r--src/afl-forkserver.c2
-rw-r--r--src/afl-fuzz-extras.c8
-rw-r--r--src/afl-fuzz-one.c16
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz.c19
7 files changed, 41 insertions, 17 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 1deeddd3..148e6e84 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -353,7 +353,7 @@ typedef struct afl_env_vars {
       afl_cal_fast, afl_cycle_schedules, afl_expand_havoc;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
-      *afl_hang_tmout, *afl_skip_crashes, *afl_preload;
+      *afl_hang_tmout, *afl_skip_crashes, *afl_preload, *afl_max_det_extras;
 
 } afl_env_vars_t;
 
@@ -506,7 +506,8 @@ typedef struct afl_state {
       useless_at_start,                 /* Number of useless starting paths */
       var_byte_count,                   /* Bitmap bytes with var behavior   */
       current_entry,                    /* Current queue entry ID           */
-      havoc_div;                        /* Cycle count divisor for havoc    */
+      havoc_div,                        /* Cycle count divisor for havoc    */
+      max_det_extras;                   /* deterministic extra count (dicts)*/
 
   u64 total_crashes,                    /* Total number of crashes          */
       unique_crashes,                   /* Crashes with unique signatures   */
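Review bot: The new field's comment on L40, `/* deterministic extra count (dicts)*/`, describes a count, but the field is used as a threshold: extras beyond it are only applied probabilistically. Suggest `/* Max extras used deterministically */` so the struct comment matches the WARNF in afl-fuzz-extras.c and the usage text. The type declarator for this group of fields is above the hunk; the `(u32)` cast in afl-fuzz.c suggests it is u32, which is what the comparison against `extras_cnt` needs.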
diff --git a/include/envs.h b/include/envs.h
index 96ae91ba..4d50d0ff 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -102,6 +102,7 @@ static char *afl_environment_variables[] = {
     "AFL_NO_X86",  // not really an env but we dont want to warn on it
     "AFL_MAP_SIZE",
     "AFL_MAPSIZE",
+    "AFL_MAX_DET_EXTRAS",
     "AFL_PATH",
     "AFL_PERFORMANCE_FILE",
     "AFL_PRELOAD",
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 52a14602..9d9e81cd 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -115,7 +115,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
   fsrv_to->out_file = NULL;
 
   fsrv_to->init_child_func = fsrv_exec_child;
-  //Note: do not copy ->add_extra_func
+  // Note: do not copy ->add_extra_func
 
   list_append(&fsrv_list, fsrv_to);
 
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 1452c55e..03c5152a 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -248,10 +248,10 @@ static void extras_check_and_sort(afl_state_t *afl, u32 min_len, u32 max_len,
 
   }
 
-  if (afl->extras_cnt > MAX_DET_EXTRAS) {
+  if (afl->extras_cnt > afl->max_det_extras) {
 
     WARNF("More than %d tokens - will use them probabilistically.",
-          MAX_DET_EXTRAS);
+          afl->max_det_extras);
 
   }
 
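Review bot: `WARNF("More than %d tokens - will use them probabilistically.", afl->max_det_extras)` on L80-L82 now passes a struct field that afl-fuzz.c stores through a `(u32)` cast, so `%d` no longer matches the argument type; use `%u`. The same mismatch is in the second hunk of this file (add_extra, L93-L95). Separately, the field's default is assigned in main() of afl-fuzz.c rather than in the state initializer; if extras are loaded before that assignment runs (the call order is not visible here), `max_det_extras` would still be 0 and `rand_below(afl, afl->extras_cnt) >= 0` would skip every extra in the deterministic stage, so consider also setting `afl->max_det_extras = MAX_DET_EXTRAS;` in afl_state_init(). extras_check_and_sort's body begins outside the hunk.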
@@ -403,10 +403,10 @@ void add_extra(afl_state_t *afl, u8 *mem, u32 len) {
 
   /* We only want to print this once */
 
-  if (afl->extras_cnt == MAX_DET_EXTRAS + 1) {
+  if (afl->extras_cnt == afl->max_det_extras + 1) {
 
     WARNF("More than %d tokens - will use them probabilistically.",
-          MAX_DET_EXTRAS);
+          afl->max_det_extras);
 
   }
 
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 3bf0c195..c0c036db 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1509,13 +1509,13 @@ skip_interest:
 
     for (j = 0; j < afl->extras_cnt; ++j) {
 
-      /* Skip extras probabilistically if afl->extras_cnt > MAX_DET_EXTRAS. Also
-         skip them if there's no room to insert the payload, if the token
+      /* Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS.
+         Also skip them if there's no room to insert the payload, if the token
          is redundant, or if its entire span has no bytes set in the effector
          map. */
 
-      if ((afl->extras_cnt > MAX_DET_EXTRAS &&
-           rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) ||
+      if ((afl->extras_cnt > afl->max_det_extras &&
+           rand_below(afl, afl->extras_cnt) >= afl->max_det_extras) ||
           afl->extras[j].len > len - i ||
           !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
           !memchr(eff_map + EFF_APOS(i), 1,
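Review bot: The rewritten comment on L109 says extras are skipped when `afl->extras_cnt > AFL_MAX_DET_EXTRAS`, but the condition on L116 compares against `afl->max_det_extras`, which equals the env value only when the variable is set and otherwise falls back to the compile-time MAX_DET_EXTRAS. Suggest `/* Skip extras probabilistically if afl->extras_cnt > afl->max_det_extras (AFL_MAX_DET_EXTRAS, default MAX_DET_EXTRAS). ...` so the comment names what the code actually reads. The second hunk in this file (L127, L134) carries the identical comment and condition. The enclosing loop and stage start and end outside the hunk.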
@@ -3722,13 +3722,13 @@ skip_interest:
 
     for (j = 0; j < afl->extras_cnt; ++j) {
 
-      /* Skip extras probabilistically if afl->extras_cnt > MAX_DET_EXTRAS. Also
-         skip them if there's no room to insert the payload, if the token
+      /* Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS.
+         Also skip them if there's no room to insert the payload, if the token
          is redundant, or if its entire span has no bytes set in the effector
          map. */
 
-      if ((afl->extras_cnt > MAX_DET_EXTRAS &&
-           rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) ||
+      if ((afl->extras_cnt > afl->max_det_extras &&
+           rand_below(afl, afl->extras_cnt) >= afl->max_det_extras) ||
           afl->extras[j].len > len - i ||
           !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
           !memchr(eff_map + EFF_APOS(i), 1,
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index dd0e316c..74798584 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -349,6 +349,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_preload =
                 (u8 *)get_afl_env(afl_environment_variables[i]);
 
+          } else if (!strncmp(env, "AFL_MAX_DET_EXTRAS",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_max_det_extras =
+                (u8 *)get_afl_env(afl_environment_variables[i]);
+
           }
 
         } else {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 5dd092f2..664cc076 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -177,6 +177,8 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
       "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
       "              the target was compiled for\n"
+      "AFL_MAX_DET_EXTRAS: if the dict/extras file contains more tokens than this threshold,\n"
+      "                    the tokens will sometimes be skipped during fuzzing.\n"
       "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
       "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
       "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
@@ -949,8 +951,21 @@ int main(int argc, char **argv_orig, char **envp) {
 
   if (afl->afl_env.afl_hang_tmout) {
 
-    afl->hang_tmout = atoi(afl->afl_env.afl_hang_tmout);
-    if (!afl->hang_tmout) { FATAL("Invalid value of AFL_HANG_TMOUT"); }
+    s32 hang_tmout = atoi(afl->afl_env.afl_hang_tmout);
+    if (hang_tmout < 1) { FATAL("Invalid value for AFL_HANG_TMOUT"); }
+    afl->hang_tmout = (u32)hang_tmout;
+
+  }
+
+  if (afl->afl_env.afl_max_det_extras) {
+
+    s32 max_det_extras = atoi(afl->afl_env.afl_max_det_extras);
+    if (max_det_extras < 1) { FATAL("Invalid value for AFL_MAX_DET_EXTRAS"); }
+    afl->max_det_extras = (u32)max_det_extras;
+
+  } else {
+
+    afl->max_det_extras = MAX_DET_EXTRAS;
 
   }