diff options
| author | vanhauser-thc <vh@thc.org> | 2022-09-17 13:44:34 +0200 |
|---|---|---|
| committer | vanhauser-thc <vh@thc.org> | 2022-09-17 13:44:34 +0200 |
| commit | 9cfe1d13945c0f6f4b8b92d0e82e0f466bda4dab (patch) | |
| tree | 929804330a72743abef122133be052df4719eecd | |
| parent | 0623a73a5cb8a0c2cff32413df9f4c5c69b8e339 (diff) | |
| download | afl++-9cfe1d13945c0f6f4b8b92d0e82e0f466bda4dab.tar.gz | |
afl-cmin -A
| -rwxr-xr-x | afl-cmin | 19 | ||||
| -rwxr-xr-x | afl-cmin.bash | 6 | ||||
| -rw-r--r-- | docs/Changelog.md | 2 |
3 files changed, 20 insertions, 7 deletions
@@ -105,12 +105,13 @@ function usage() { "Execution control settings:\n" \ " -f file - location read by the fuzzed program (stdin)\n" \ " -m megs - memory limit for child process ("mem_limit" MB)\n" \ -" -t msec - run time limit for child process (none)\n" \ +" -t msec - run time limit for child process (default: none)\n" \ " -O - use binary-only instrumentation (FRIDA mode)\n" \ " -Q - use binary-only instrumentation (QEMU mode)\n" \ " -U - use unicorn-based instrumentation (unicorn mode)\n" \ "\n" \ "Minimization settings:\n" \ +" -A - allow crashes and timeouts (not recommended)\n" \ " -C - keep crashing inputs, reject everything else\n" \ " -e - solve for edge coverage only, ignore hit counts\n" \ "\n" \ @@ -123,6 +124,7 @@ function usage() { "AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \ "AFL_KILL_SIGNAL: Signal delivered to child processes on timeout (default: SIGKILL)\n" \ "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" \ +"AFL_CMIN_ALLOW_ANY: write tuples for crashing inputs also\n" \ "AFL_PATH: path for the afl-showmap binary if not found anywhere in PATH\n" \ "AFL_PRINT_FILENAMES: If set, the filename currently processed will be " \ "printed to stdout\n" \ @@ -146,11 +148,12 @@ BEGIN { # defaults extra_par = "" AFL_CMIN_CRASHES_ONLY = "" + AFL_CMIN_ALLOW_ANY = "" # process options Opterr = 1 # default is to diagnose Optind = 1 # skip ARGV[0] - while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eCOQU?")) != -1) { + while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eACOQU?")) != -1) { if (_go_c == "i") { if (!Optarg) usage() if (in_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"} @@ -186,6 +189,10 @@ BEGIN { AFL_CMIN_CRASHES_ONLY = "AFL_CMIN_CRASHES_ONLY=1 " continue } else + if (_go_c == "A") { + AFL_CMIN_ALLOW_ANY = "AFL_CMIN_ALLOW_ANY=1 " + continue + } else if (_go_c == "e") { extra_par = extra_par " -e" continue @@ -445,15 +452,15 @@ BEGIN { if (!stdin_file) { print " Processing "in_count" files (forkserver mode)..." # print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string - retval = system(AFL_MAP_SIZE AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string) + retval = system(AFL_MAP_SIZE AFL_CMIN_ALLOW_ANY AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string) } else { print " Processing "in_count" files (forkserver mode)..." # print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null" - retval = system(AFL_MAP_SIZE AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") + retval = system(AFL_MAP_SIZE AFL_CMIN_ALLOW_ANY AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") } - if (retval && !AFL_CMIN_CRASHES_ONLY) { - print "[!] Exit code "retval" != 0 received from afl-showmap, terminating..." + if (retval && (!AFL_CMIN_CRASHES_ONLY && !AFL_CMIN_ALLOW_ANY)) { + print "[!] Exit code "retval" != 0 received from afl-showmap (this means a crashing or timeout input is likely present), terminating..." if (!ENVIRON["AFL_KEEP_TRACES"]) { system("rm -rf "trace_dir" 2>/dev/null") diff --git a/afl-cmin.bash b/afl-cmin.bash index d2218cd0..10c9477a 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -53,7 +53,7 @@ unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \ export AFL_QUIET=1 -while getopts "+i:o:f:m:t:eOQUCh" opt; do +while getopts "+i:o:f:m:t:eOQUACh" opt; do case "$opt" in @@ -80,6 +80,9 @@ while getopts "+i:o:f:m:t:eOQUCh" opt; do "e") EXTRA_PAR="$EXTRA_PAR -e" ;; + "A") + export AFL_CMIN_ALLOW_ANY=1 + ;; "C") export AFL_CMIN_CRASHES_ONLY=1 ;; @@ -128,6 +131,7 @@ Execution control settings: Minimization settings: + -A - allow crashing and timeout inputs -C - keep crashing inputs, reject everything else -e - solve for edge coverage only, ignore hit counts diff --git a/docs/Changelog.md b/docs/Changelog.md index 71607542..95659068 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -30,6 +30,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. edges (together with AFL_DEBUG=1 afl-fuzz). thanks to worksbutnottested! - afl-analyze broke at some point, fix by CodeLogicError, thank you! + - afl-cmin/afl-cmin.bash now have an -A option to allow also crashing + and timeout inputs - unicorn_mode: - updated upstream unicorn version - fixed builds for aarch64 |