authorvanhauser-thc <vh@thc.org>2021-10-17 20:31:02 +0200
committervanhauser-thc <vh@thc.org>2021-10-17 20:31:02 +0200
commit462149de642451024199557c7a7bb7ea76e5b8fa (patch)
tree7f58702389aacdd3c4cbdc926a64b77db220936d
parentbf0fbc24ad32b0ec5421f4d2090c85d87aeceee3 (diff)
fix
-rw-r--r--instrumentation/afl-compiler-rt.o.c18
-rw-r--r--src/afl-fuzz-redqueen.c87
2 files changed, 53 insertions, 52 deletions
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 21772ca0..38beafb7 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1944,15 +1944,8 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) {
 void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
 
   /*
-    u32 i;
     if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
-    fprintf(stderr, "rtn_strn len=%u arg0=", len);
-    for (i = 0; i < len; i++)
-      fprintf(stderr, "%02x", ptr1[i]);
-    fprintf(stderr, " arg1=");
-    for (i = 0; i < len; i++)
-      fprintf(stderr, "%02x", ptr2[i]);
-    fprintf(stderr, "\n");
+    fprintf(stderr, "rtn_strn len=%u arg0=%s arg1=%s\n", len, ptr1, ptr2);
   */
 
   if (likely(!__afl_cmp_map)) return;
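Review bot: The rewritten debug line in `__cmplog_rtn_hook_strn` prints `ptr1` and `ptr2` with `%s`, but this hook takes a `len` parameter and the line it replaces dumped exactly `len` bytes, so if the block is ever uncommented it reads up to the next NUL byte, which may lie well past `len` and past the 32 bytes that the `area_is_valid(ptr, 32)` guard above it checks. Bounding the field width keeps the output tied to the argument length: `fprintf(stderr, "rtn_strn len=%u arg0=%.*s arg1=%.*s\n", len, (int)len, ptr1, (int)len, ptr2);`. The second hunk (`__cmplog_rtn_hook_str`) has no length parameter, so plain `%s` is the natural form there and this does not apply. The body of `__cmplog_rtn_hook_strn` continues outside the hunk.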
@@ -2005,15 +1998,8 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
 void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
 
   /*
-    u32 i;
     if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
-    fprintf(stderr, "rtn_str arg0=");
-    for (i = 0; i < len; i++)
-      fprintf(stderr, "%02x", ptr1[i]);
-    fprintf(stderr, " arg1=");
-    for (i = 0; i < len; i++)
-      fprintf(stderr, "%02x", ptr2[i]);
-    fprintf(stderr, "\n");
+    fprintf(stderr, "rtn_str arg0=%s arg1=%s\n", ptr1, ptr2);
   */
 
   if (likely(!__afl_cmp_map)) return;
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 30de12c1..65d21b0a 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -1455,25 +1455,25 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
 
   #ifdef _DEBUG
     fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ",
-            its_len, shape, len, idx, attr, off, do_reverse);
+            its_len, hshape, len, idx, attr, off, do_reverse);
     u32 i;
     u8 *o_r = (u8 *)&changed_val;
-    for (i = 0; i < shape; i++)
+    for (i = 0; i < hshape; i++)
       fprintf(stderr, "%02x", ptr[i]);
     fprintf(stderr, "==");
-    for (i = 0; i < shape; i++)
+    for (i = 0; i < hshape; i++)
       fprintf(stderr, "%02x", p[off + i]);
     fprintf(stderr, " ");
-    for (i = 0; i < shape; i++)
+    for (i = 0; i < hshape; i++)
       fprintf(stderr, "%02x", o_ptr[i]);
     fprintf(stderr, "==");
-    for (i = 0; i < shape; i++)
+    for (i = 0; i < hshape; i++)
       fprintf(stderr, "%02x", o_p[off + i]);
     fprintf(stderr, " <= ");
-    for (i = 0; i < shape; i++)
+    for (i = 0; i < hshape; i++)
       fprintf(stderr, "%02x", r[off + i]);
     fprintf(stderr, "<-");
-    for (i = 0; i < shape; i++)
+    for (i = 0; i < hshape; i++)
       fprintf(stderr, "%02x", o_r[off + i]);
     fprintf(stderr, "\n");
   #endif
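Review bot: In the `#ifdef _DEBUG` dump the last loop reads `o_r[off + i]`, where `o_r` is `(u8 *)&changed_val`; the other `[off + i]` reads in this block index buffers (`p`, `o_p`, `r`), but `o_r` points at a single variable, so if `changed_val` is a scalar, as taking its address suggests, this reads `off` bytes past it for any non-zero `off` — an out-of-bounds read in debug builds. Printing it the same way `ptr[i]` and `o_ptr[i]` are printed would avoid that: `fprintf(stderr, "%02x", o_r[i]);`. The enclosing `cmp_extend_encodingN` starts and ends outside this hunk, so the declaration of `changed_val` cannot be confirmed from here.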
@@ -1850,39 +1850,46 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
             is_n, hshape);
 #endif
 
-    u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
-    if (o->v0 != orig_o->v0) { same0 = 8; }
-    if (o->v1 != orig_o->v1) { same1 = 8; }
+    // we only learn 16 bit +
+    if (hshape > 1) {
+
+      u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
+      if (o->v0 != orig_o->v0) { same0 = 8; }
+      if (o->v1 != orig_o->v1) { same1 = 8; }
 
 #ifdef WORD_SIZE_64
-    if (unlikely(is_n)) {
+      if (unlikely(is_n)) {
 
-      if (DICT_ADD_STRATEGY >= same0 + result) {
+        if (DICT_ADD_STRATEGY >= same0 + result) {
 
-        try_to_add_to_dictN(afl, s128_v0, hshape);
+          try_to_add_to_dictN(afl, s128_v0, hshape);
 
-      }
+        }
 
-      if (DICT_ADD_STRATEGY >= same1 + result) {
+        if (DICT_ADD_STRATEGY >= same1 + result) {
 
-        try_to_add_to_dictN(afl, s128_v1, hshape);
+          try_to_add_to_dictN(afl, s128_v1, hshape);
 
-      }
+        }
 
-    } else
+      } else
 
 #endif
-    {
+      {
 
-      if (DICT_ADD_STRATEGY >= same0 + result) {
+        if (DICT_ADD_STRATEGY >= same0 + result) {
 
-        try_to_add_to_dict(afl, o->v0, hshape);
+          // fprintf(stderr, "add v0 0x%llx\n", o->v0);
+          try_to_add_to_dict(afl, o->v0, hshape);
 
-      }
+        }
 
-      if (DICT_ADD_STRATEGY >= same1 + result) {
+        if (DICT_ADD_STRATEGY >= same1 + result) {
 
-        try_to_add_to_dict(afl, o->v1, hshape);
+          // fprintf(stderr, "add v1 0x%llx\n", o->v1);
+          try_to_add_to_dict(afl, o->v1, hshape);
+
+        }
 
       }
 
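Review bot: The new guard `if (hshape > 1)` is explained only by `// we only learn 16 bit +`, which does not say what is skipped or why; something like `// skip 1-byte compares: only operands of 16 bit and wider are added to the dictionary` states the intent (the rationale is inferred from the comment, please confirm). The added `// fprintf(...)` lines before the `try_to_add_to_dict` calls here, and likewise in the `maybe_add_auto` and `input_to_state_stage` hunks further down, are commented-out debug code in a file that already uses `#ifdef _DEBUG` for exactly this purpose (see the `#endif` at the top of this hunk); wrapping them in `#ifdef _DEBUG` keeps them compiled and checked instead of left as dead comments. The closing brace of the new `if (hshape > 1)` block lies outside this hunk, so brace balance cannot be confirmed from what is shown.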
@@ -2428,18 +2435,22 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
     }
 
     /*
-      struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
-      fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits,
-              h->id, hshape, h->attribute);
-      for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]);
-      fprintf(stderr, " v1=");
-      for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]);
-      fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=",
-              hh->hits, hh->id, hshape, hh->attribute);
-      for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]);
-      fprintf(stderr, " o1=");
-      for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]);
-      fprintf(stderr, "\n");
+    struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
+    fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id,
+            hshape, h->attribute);
+    for (j = 0; j < 8; j++)
+      fprintf(stderr, "%02x", o->v0[j]);
+    fprintf(stderr, " v1=");
+    for (j = 0; j < 8; j++)
+      fprintf(stderr, "%02x", o->v1[j]);
+    fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", hh->hits,
+            hh->id, hshape, hh->attribute);
+    for (j = 0; j < 8; j++)
+      fprintf(stderr, "%02x", orig_o->v0[j]);
+    fprintf(stderr, " o1=");
+    for (j = 0; j < 8; j++)
+      fprintf(stderr, "%02x", orig_o->v1[j]);
+    fprintf(stderr, "\n");
     */
 
     t = taint;
@@ -2547,12 +2558,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
 
       if (DICT_ADD_STRATEGY >= same0 + result) {
 
+        // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);
         maybe_add_auto(afl, o->v0, l0);
 
       }
 
       if (DICT_ADD_STRATEGY >= same1 + result) {
 
+        // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1);
         maybe_add_auto(afl, o->v1, l1);
 
       }
@@ -2727,11 +2740,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
     if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) {
 
+      // fprintf(stderr, "INS %u\n", k);
       afl->stage_max +=
           MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H);
 
     } else {
 
+      // fprintf(stderr, "RTN %u\n", k);
       afl->stage_max +=
           MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H);