author | van Hauser <vh@thc.org> | 2023-09-11 12:54:21 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-11 12:54:21 +0000 |
commit | 9f023d482bf4deace3b2f3d726a1bf7062511087 (patch) | |
tree | d9f99fec6352900147f3b51fd5e7572d68a0e521 | |
parent | 87b33740ea426bac276a9eb4bc5f201bd396b6dc (diff) | |
parent | a8185f8ff294d937e6074f148f6b4c971ca02cee (diff) | |
download | afl++-9f023d482bf4deace3b2f3d726a1bf7062511087.tar.gz |
Merge branch 'dev' into reinit
-rw-r--r-- | frida_mode/src/lib/lib.c | 6 | ||||
-rw-r--r-- | include/afl-fuzz.h | 1 | ||||
-rw-r--r-- | src/afl-forkserver.c | 1 | ||||
-rw-r--r-- | src/afl-fuzz-one.c | 13 | ||||
-rw-r--r-- | src/afl-fuzz-queue.c | 19 | ||||
-rw-r--r-- | src/afl-fuzz.c | 50 |
6 files changed, 73 insertions, 17 deletions
diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c
index d563b69b..7fac755a 100644
--- a/frida_mode/src/lib/lib.c
+++ b/frida_mode/src/lib/lib.c
@@ -44,8 +44,10 @@ static gboolean lib_find_exe(const GumModuleDetails *details,
 lib_details_t *lib_details = (lib_details_t *)user_data;
- memcpy(lib_details->name, details->name, PATH_MAX);
- memcpy(lib_details->path, details->path, PATH_MAX);
+ strncpy(lib_details->name, details->name, PATH_MAX);
+ strncpy(lib_details->path, details->path, PATH_MAX);
+ lib_details->name[PATH_MAX] = '\0';
+ lib_details->path[PATH_MAX] = '\0';
 lib_details->base_address = details->range->base_address;
 lib_details->size = details->range->size;
 return FALSE;
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index d02e852e..217a720a 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -610,6 +610,7 @@ typedef struct afl_state {
 u32 stage_cur, stage_max; /* Stage progression */
 s32 splicing_with; /* Splicing with which test case? */
+ s64 smallest_favored; /* smallest queue id favored */
 u32 main_node_id, main_node_max; /* Main instance job splitting */
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 9da096f7..07f5a1a9 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -272,6 +272,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
 fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode;
 fsrv_to->crash_exitcode = from->crash_exitcode;
 fsrv_to->child_kill_signal = from->child_kill_signal;
+ fsrv_to->fsrv_kill_signal = from->fsrv_kill_signal;
 fsrv_to->debug = from->debug;
 // These are forkserver specific.
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index c2b7e583..db88f239 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
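Review bot: The terminator writes `lib_details->name[PATH_MAX] = '\0';` and `lib_details->path[PATH_MAX] = '\0';` store to element PATH_MAX, which is one past the end unless `lib_details_t` declares both arrays with PATH_MAX + 1 elements; that declaration is outside the hunk, so please confirm it, because with a PATH_MAX-sized array this is a one-byte overflow into whatever follows in the struct. Copying against the destination's own size removes that dependency and the full-buffer zero padding strncpy performs: `g_strlcpy(lib_details->name, details->name, sizeof lib_details->name);` and the same for `path`. The body of lib_find_exe continues past the hunk's `return FALSE;`.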
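Review bot: The comment on `s64 smallest_favored;` does not state the sentinel the rest of this commit depends on: cull_queue in afl-fuzz-queue.c resets the field to -1 and afl-fuzz.c only consults it when it is `>= 0`, so a reader of the header cannot tell that 0 is a real queue id while -1 means none. Suggest `s64 smallest_favored; /* id of first pending favored entry, -1 = none */`. A zero-initialised afl_state reads as queue id 0 until cull_queue has run; the `pending_favored` test in afl-fuzz.c appears to cover that window, but the state initialisation is not in this diff and is worth checking.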
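Review bot: `fsrv_to->fsrv_kill_signal = from->fsrv_kill_signal;` is exactly the omission this hand-maintained copy list invites: afl_fsrv_init_dup mirrors afl_forkserver_t member by member, and nothing at the function tells the next person adding a field that it must be mirrored here. Suggest a comment above the copies, `/* keep in sync with afl_forkserver_t: every new shared field must be copied here */`. The function body continues past the hunk on both sides.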
@@ -3442,7 +3442,12 @@ abandon_entry:
 --afl->pending_not_fuzzed;
 afl->queue_cur->was_fuzzed = 1;
 afl->reinit_table = 1;
- if (afl->queue_cur->favored) { --afl->pending_favored; }
+ if (afl->queue_cur->favored) {
+
+ --afl->pending_favored;
+ afl->smallest_favored = -1;
+
+ }
 }
@@ -5906,8 +5911,10 @@ pacemaker_fuzzing:
 --afl->pending_not_fuzzed;
 afl->queue_cur->was_fuzzed = 1;
 afl->reinit_table = 1
- if (afl->queue_cur->favored) { --afl->pending_favored; }
-
+ if (afl->queue_cur->favored) {
+ --afl->pending_favored;
+ afl->smallest_favored = -1;
+ }
 }
 }
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 78c1d654..ce9718b0 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -738,7 +738,11 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
 u64 top_rated_fav_factor;
 u64 top_rated_fuzz_p2;
- if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
+ if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
+
+ top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
+
+ } else if (unlikely(afl->schedule == RARE)) {
 top_rated_fuzz_p2 = next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
@@ -827,6 +831,8 @@ void cull_queue(afl_state_t *afl) {
 /* Let's see if anything in the bitmap isn't captured in temp_v. If yes, and if it has a afl->top_rated[] contender, let's use it. */
+ afl->smallest_favored = -1;
+
 for (i = 0; i < afl->fsrv.map_size; ++i) {
 if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {
@@ -850,7 +856,16 @@ void cull_queue(afl_state_t *afl) {
 afl->top_rated[i]->favored = 1;
 ++afl->queued_favored;
- if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; }
+ if (!afl->top_rated[i]->was_fuzzed) {
+
+ ++afl->pending_favored;
+ if (unlikely(afl->smallest_favored < 0)) {
+
+ afl->smallest_favored = (s64)afl->top_rated[i]->id;
+
+ }
+
+ }
 }
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 768a5bbd..a3d5e300 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
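Review bot: In the second hunk (@@ -5906) the context line `afl->reinit_table = 1` has no terminating semicolon as rendered here, while the same statement in the first hunk (@@ -3442) reads `afl->reinit_table = 1;`; unless a character was lost in rendering, the pacemaker path does not compile and the fix is `afl->reinit_table = 1;`. The line is context, so it predates this merge rather than being introduced by it, but it is part of the new side. Both hunks also set `afl->smallest_favored = -1;` whenever a favored entry finishes, which per the afl-fuzz.c hunk sends selection back to the alias table until cull_queue recomputes the field, rather than moving on to the next pending favored entry; if that is intended, a comment beside the assignment such as `/* cull_queue recomputes this on the next score change */` would save the next reader a trip through three files. The enclosing functions start and end outside both hunks.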
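Review bot: In the third hunk (@@ -850) `afl->smallest_favored` receives the id of the first pending favored entry met while walking `afl->top_rated[]` by bitmap index `i`, so it is the entry at the lowest map index, not the lowest queue id that the field's name and header comment promise; nothing orders queue ids by `i`. If the smallest id is wanted, replace the `< 0` test with `if (afl->smallest_favored < 0 || (s64)afl->top_rated[i]->id < afl->smallest_favored) { afl->smallest_favored = (s64)afl->top_rated[i]->id; }`; if any pending favored entry is acceptable, say so in a comment and consider a name that does not claim "smallest". In the first hunk (@@ -738) the new `top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison` relies on how the comparison further down, outside the hunk, treats zero; the comment should state what that comparison does with 0 so the shortcut is verifiable in place. cull_queue and update_bitmap_score both continue outside their hunks.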
@@ -2707,22 +2707,52 @@ int main(int argc, char **argv_orig, char **envp) {
 if (likely(!afl->old_seed_selection)) {
- if (unlikely(prev_queued_items < afl->queued_items ||
- afl->reinit_table)) {
+ if (likely(afl->pending_favored && afl->smallest_favored >= 0)) {
- // we have new queue entries since the last run, recreate alias table
- prev_queued_items = afl->queued_items;
- create_alias_table(afl);
+ afl->current_entry = afl->smallest_favored;
- }
+ /*
- do {
+ } else {
- afl->current_entry = select_next_queue_entry(afl);
+ for (s32 iter = afl->queued_items - 1; iter >= 0; --iter)
+ {
- } while (unlikely(afl->current_entry >= afl->queued_items));
+ if (unlikely(afl->queue_buf[iter]->favored &&
+ !afl->queue_buf[iter]->was_fuzzed)) {
- afl->queue_cur = afl->queue_buf[afl->current_entry];
+ afl->current_entry = iter;
+ break;
+
+ }
+
+ }
+
+ */
+
+ afl->queue_cur = afl->queue_buf[afl->current_entry];
+
+ } else {
+
+ if (unlikely(prev_queued_items < afl->queued_items ||
+ afl->reinit_table)) {
+
+ // we have new queue entries since the last run, recreate alias
+ // table
+ prev_queued_items = afl->queued_items;
+ create_alias_table(afl);
+
+ }
+
+ do {
+
+ afl->current_entry = select_next_queue_entry(afl);
+
+ } while (unlikely(afl->current_entry >= afl->queued_items));
+
+ afl->queue_cur = afl->queue_buf[afl->current_entry];
+
+ }
 }
 |
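Review bot: The new favored branch carries a commented-out reverse scan over `afl->queue_buf` (from `/*` down to `*/`) inside the added code; dead code in comments ages badly, and since the selection it sketches is now done by cull_queue through `smallest_favored`, it should be deleted or reduced to one line such as `// smallest_favored is maintained by cull_queue, see afl-fuzz-queue.c`. The branch also assigns `afl->current_entry = afl->smallest_favored;` without the `current_entry >= queued_items` guard the alias-table branch keeps, and nothing here clears the field: it relies on afl-fuzz-one.c resetting it once the entry is fuzzed, so if fuzz_one returns without marking the entry fuzzed and cull_queue does not recompute (both conditions lie outside this diff) the same entry would be selected on every iteration; worth confirming, or guarding the branch with a was_fuzzed check on `afl->queue_buf[afl->smallest_favored]`. main continues outside the hunk on both sides.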