diff options
| author | van Hauser <vh@thc.org> | 2022-04-06 10:24:07 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-06 10:24:07 +0200 |
| commit | ac80678592ea4a790ab2eedccfec4e3bc9f96447 (patch) | |
| tree | a553b0abf57558c579f2ed63cee1cee276a4de12 | |
| parent | 881aef21fd6ca3f3bcf0847587d4d6d86f3a69db (diff) | |
| parent | 3c5edab724f7e067163e85e94077c48894989573 (diff) | |
| download | afl++-ac80678592ea4a790ab2eedccfec4e3bc9f96447.tar.gz | |
Merge pull request #1380 from AFLplusplus/dev
fix cmplog
| -rw-r--r-- | TODO.md | 2 | ||||
| -rw-r--r-- | docs/Changelog.md | 1 | ||||
| -rw-r--r-- | docs/env_variables.md | 3 | ||||
| -rw-r--r-- | include/afl-fuzz.h | 8 | ||||
| -rw-r--r-- | include/envs.h | 1 | ||||
| -rw-r--r-- | instrumentation/cmplog-instructions-pass.cc | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-state.c | 16 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 839 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 33 | ||||
| -rw-r--r-- | test/test-cmplog.c | 8 | ||||
| -rwxr-xr-x | test/test-llvm.sh | 2 | ||||
| -rw-r--r-- | utils/afl_network_proxy/afl-network-client.c | 2 |
13 files changed, 909 insertions, 10 deletions
@@ -10,6 +10,8 @@ ## Maybe + - forkserver tells afl-fuzz if cmplog is supported and if so enable + it by default, with AFL_CMPLOG_NO=1 (?) set to skip? - afl_custom_fuzz_splice_optin() - afl_custom_splice() - cmdline option from-to range for mutations diff --git a/docs/Changelog.md b/docs/Changelog.md index 74631a88..d50a679b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -23,6 +23,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - add AFL_EARY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - document and auto-activate pizza mode on condition - afl-cc: - converted all passed to use the new llvm pass manager for llvm 11+ - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only) diff --git a/docs/env_variables.md b/docs/env_variables.md index edd57fb6..9ffb08e7 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -549,6 +549,9 @@ checks or alter some of the more exotic semantics of the tool: constructors in your target you can set `AFL_EARLY_FORKSERVER`. Note that this is not a compile time option but a runtime option :-) + - set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to 0 + to disable although it is 1st of April. + ## 5) Settings for afl-qemu-trace The QEMU wrapper used to instrument binary-only code supports several settings: diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3712fc4f..4f4d63b2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -384,7 +384,8 @@ typedef struct afl_env_vars { afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, - afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems; + afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, + afl_pizza_mode; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, @@ -482,7 +483,8 @@ typedef struct afl_state { debug, /* Debug mode */ custom_only, /* Custom mutator only mode */ is_main_node, /* if this is the main node */ - is_secondary_node; /* if this is a secondary instance */ + is_secondary_node, /* if this is a secondary instance */ + pizza_is_served; /* pizza mode */ u32 stats_update_freq; /* Stats update frequency (execs) */ @@ -1082,6 +1084,8 @@ void write_setup_file(afl_state_t *, u32, char **); void write_stats_file(afl_state_t *, u32, double, double, double); void maybe_update_plot_file(afl_state_t *, u32, double, double); void show_stats(afl_state_t *); +void show_stats_normal(afl_state_t *); +void show_stats_pizza(afl_state_t *); void show_init_stats(afl_state_t *); /* StatsD */ diff --git a/include/envs.h b/include/envs.h index fc276f8f..1746f946 100644 --- a/include/envs.h +++ b/include/envs.h @@ -224,6 +224,7 @@ static char *afl_environment_variables[] = { "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", + "AFL_PIZZA_MODE", NULL }; diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index fd7930a1..4d37bcb2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -515,7 +515,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { while (1) { std::vector<Value *> args; - bool skip = true; + bool skip = false; if (vector_cnt) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 99f37cbf..e4124bf5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -703,7 +703,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #else snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, - afl->saved_crashes, afl->last_kill_signal); + afl->saved_crashes, afl->fsrv.last_kill_signal); #endif /* ^!SIMPLE_FILES */ diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 129e4c8b..5924dd7b 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -496,6 +496,22 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->max_length = atoi((u8 *)get_afl_env(afl_environment_variables[i])); + } else if (!strncmp(env, "AFL_PIZZA_MODE", + + afl_environment_variable_len)) { + + afl->afl_env.afl_pizza_mode = + atoi((u8 *)get_afl_env(afl_environment_variables[i])); + if (afl->afl_env.afl_pizza_mode == 0) { + + afl->afl_env.afl_pizza_mode = 1; + + } else { + + afl->pizza_is_served = 1; + + } + } } else { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 1170bdb8..9737c692 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -437,6 +437,20 @@ static void check_term_size(afl_state_t *afl) { void show_stats(afl_state_t *afl) { + if (afl->pizza_is_served) { + + show_stats_pizza(afl); + + } else { + + show_stats_normal(afl); + + } + +} + +void show_stats_normal(afl_state_t *afl) { + double t_byte_ratio, stab_ratio; u64 cur_ms; @@ -1219,6 +1233,831 @@ void show_stats(afl_state_t *afl) { } +void show_stats_pizza(afl_state_t *afl) { + + double t_byte_ratio, stab_ratio; + + u64 cur_ms; + u32 t_bytes, t_bits; + + static u8 banner[128]; + u32 banner_len, banner_pad; + u8 tmp[256]; + u8 time_tmp[64]; + + u8 val_buf[8][STRINGIFY_VAL_SIZE_MAX]; +#define IB(i) (val_buf[(i)]) + + cur_ms = get_cur_time(); + + if (afl->most_time_key) { + + if (afl->most_time * 1000 < cur_ms - afl->start_time) { + + afl->most_time_key = 2; + afl->stop_soon = 2; + + } + + } + + if (afl->most_execs_key == 1) { + + if (afl->most_execs <= afl->fsrv.total_execs) { + + afl->most_execs_key = 2; + afl->stop_soon = 2; + + } + + } + + /* If not enough time has passed since last UI update, bail out. */ + + if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && + !afl->force_ui_update) { + + return; + + } + + /* Check if we're past the 10 minute mark. */ + + if (cur_ms - afl->start_time > 10 * 60 * 1000) { afl->run_over10m = 1; } + + /* Calculate smoothed exec speed stats. */ + + if (unlikely(!afl->stats_last_execs)) { + + if (likely(cur_ms != afl->start_time)) { + + afl->stats_avg_exec = ((double)afl->fsrv.total_execs) * 1000 / + (afl->prev_run_time + cur_ms - afl->start_time); + + } + + } else { + + if (likely(cur_ms != afl->stats_last_ms)) { + + double cur_avg = + ((double)(afl->fsrv.total_execs - afl->stats_last_execs)) * 1000 / + (cur_ms - afl->stats_last_ms); + + /* If there is a dramatic (5x+) jump in speed, reset the indicator + more quickly. */ + + if (cur_avg * 5 < afl->stats_avg_exec || + cur_avg / 5 > afl->stats_avg_exec) { + + afl->stats_avg_exec = cur_avg; + + } + + afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + + cur_avg * (1.0 / AVG_SMOOTHING); + + } + + } + + afl->stats_last_ms = cur_ms; + afl->stats_last_execs = afl->fsrv.total_execs; + + /* Tell the callers when to contact us (as measured in execs). */ + + afl->stats_update_freq = afl->stats_avg_exec / (UI_TARGET_HZ * 10); + if (!afl->stats_update_freq) { afl->stats_update_freq = 1; } + + /* Do some bitmap stats. */ + + t_bytes = count_non_255_bytes(afl, afl->virgin_bits); + t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size; + + if (unlikely(t_bytes > afl->fsrv.real_map_size)) { + + if (unlikely(!afl->afl_env.afl_ignore_problems)) { + + FATAL( + "This is what happens when you speak italian to the rabbit " + "Don't speak italian to the rabbit"); + + } + + } + + if (likely(t_bytes) && unlikely(afl->var_byte_count)) { + + stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); + + } else { + + stab_ratio = 100; + + } + + /* Roughly every minute, update fuzzer stats and save auto tokens. */ + + if (unlikely(!afl->non_instrumented_mode && + (afl->force_ui_update || + cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000))) { + + afl->stats_last_stats_ms = cur_ms; + write_stats_file(afl, t_bytes, t_byte_ratio, stab_ratio, + afl->stats_avg_exec); + save_auto(afl); + write_bitmap(afl); + + } + + if (unlikely(afl->afl_env.afl_statsd)) { + + if (unlikely(afl->force_ui_update || cur_ms - afl->statsd_last_send_ms > + STATSD_UPDATE_SEC * 1000)) { + + /* reset counter, even if send failed. */ + afl->statsd_last_send_ms = cur_ms; + if (statsd_send_metric(afl)) { + + WARNF("Could not order tomato sauce from statsd."); + + } + + } + + } + + /* Every now and then, write plot data. */ + + if (unlikely(afl->force_ui_update || + cur_ms - afl->stats_last_plot_ms > PLOT_UPDATE_SEC * 1000)) { + + afl->stats_last_plot_ms = cur_ms; + maybe_update_plot_file(afl, t_bytes, t_byte_ratio, afl->stats_avg_exec); + + } + + /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ + + if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && + !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)) { + + afl->stop_soon = 2; + + } + + /* AFL_EXIT_ON_TIME. */ + + if (unlikely(afl->last_find_time && !afl->non_instrumented_mode && + afl->afl_env.afl_exit_on_time && + (cur_ms - afl->last_find_time) > afl->exit_on_time)) { + + afl->stop_soon = 2; + + } + + if (unlikely(afl->total_crashes && afl->afl_env.afl_bench_until_crash)) { + + afl->stop_soon = 2; + + } + + /* If we're not on TTY, bail out. */ + + if (afl->not_on_tty) { return; } + + /* If we haven't started doing things, bail out. */ + + if (unlikely(!afl->queue_cur)) { return; } + + /* Compute some mildly useful bitmap stats. */ + + t_bits = (afl->fsrv.map_size << 3) - count_bits(afl, afl->virgin_bits); + + /* Now, for the visuals... */ + + if (afl->clear_screen) { + + SAYF(TERM_CLEAR CURSOR_HIDE); + afl->clear_screen = 0; + + check_term_size(afl); + + } + + SAYF(TERM_HOME); + + if (unlikely(afl->term_too_small)) { + + SAYF(cBRI + "Our pizzeria can't host this many guests.\n" + "Please call Pizzeria Caravaggio. They have tables of at least " + "79x24.\n" cRST); + + return; + + } + + /* Let's start by drawing a centered banner. */ + if (unlikely(!banner[0])) { + + char *si = ""; + if (afl->sync_id) { si = afl->sync_id; } + memset(banner, 0, sizeof(banner)); + banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) + + strlen(afl->power_name) + 4 + 6; + + if (strlen(afl->use_banner) + banner_len > 75) { + + afl->use_banner += (strlen(afl->use_banner) + banner_len) - 76; + memset(afl->use_banner, '.', 3); + + } + + banner_len += strlen(afl->use_banner); + banner_pad = (79 - banner_len) / 2; + memset(banner, ' ', banner_pad); + +#ifdef __linux__ + if (afl->fsrv.nyx_mode) { + + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s] - Nyx", + afl->crash_mode ? cPIN "Mozzarbella Pizzeria table booking system" + : cYEL "Mozzarbella Pizzeria management system", + si, afl->use_banner, afl->power_name); + + } else { + +#endif + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", + afl->crash_mode ? cPIN "Mozzarbella Pizzeria table booking system" + : cYEL "Mozzarbella Pizzeria management system", + si, afl->use_banner, afl->power_name); + +#ifdef __linux__ + + } + +#endif + + } + + SAYF("\n%s\n", banner); + + /* "Handy" shortcuts for drawing boxes... */ + +#define bSTG bSTART cGRA +#define bH2 bH bH +#define bH5 bH2 bH2 bH +#define bH10 bH5 bH5 +#define bH20 bH10 bH10 +#define bH30 bH20 bH10 +#define SP5 " " +#define SP10 SP5 SP5 +#define SP20 SP10 SP10 + + /* Since `total_crashes` does not get reloaded from disk on restart, + it indicates if we found crashes this round already -> paint red. + If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */ + char *crash_color = afl->total_crashes ? cLRD + : afl->saved_crashes ? cYEL + : cRST; + + /* Lord, forgive me this. */ + + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + " Mozzarbella has been proudly serving pizzas since " bSTG bH20 bH bH bH + bHB bH bSTOP cCYA " In this time, we served " bSTG bH30 bRT "\n"); + + if (afl->non_instrumented_mode) { + + strcpy(tmp, cRST); + + } else { + + u64 min_wo_finds = (cur_ms - afl->last_find_time) / 1000 / 60; + + /* First queue cycle: don't stop now! */ + if (afl->queue_cycle == 1 || min_wo_finds < 15) { + + strcpy(tmp, cMGN); + + } else + + /* Subsequent cycles, but we're still making finds. */ + if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { + + strcpy(tmp, cYEL); + + } else + + /* No finds for a long time and no test cases to try. */ + if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && + min_wo_finds > 120) { + + strcpy(tmp, cLGN); + + /* Default: cautiously OK to stop? */ + + } else { + + strcpy(tmp, cLBL); + + } + + } + + u_stringify_time_diff(time_tmp, afl->prev_run_time + cur_ms, afl->start_time); + SAYF(bV bSTOP + " open time : " cRST "%-37s " bSTG bV bSTOP + " seasons done : %s%-5s " bSTG bV "\n", + time_tmp, tmp, u_stringify_int(IB(0), afl->queue_cycle - 1)); + + /* We want to warn people about not seeing new paths after a full cycle, + except when resuming fuzzing or running in non-instrumented mode. */ + + if (!afl->non_instrumented_mode && + (afl->last_find_time || afl->resuming_fuzz || afl->queue_cycle == 1 || + afl->in_bitmap || afl->crash_mode)) { + + u_stringify_time_diff(time_tmp, cur_ms, afl->last_find_time); + SAYF(bV bSTOP " last pizza baked : " cRST "%-37s ", + time_tmp); + + } else { + + if (afl->non_instrumented_mode) { + + SAYF(bV bSTOP " last pizza baked : " cPIN "n/a" cRST + " (non-instrumented mode) "); + + } else { + + SAYF(bV bSTOP " last pizza baked : " cRST + "none yet " cLRD + "(odd, check Gennarino, he might be slacking!) "); + + } + + } + + SAYF(bSTG bV bSTOP " pizzas on the menu : " cRST + "%-5s " bSTG bV "\n", + u_stringify_int(IB(0), afl->queued_items)); + + /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH + limit with a '+' appended to the count. */ + + sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_crashes), + (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + + u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time); + SAYF(bV bSTOP + " last ordered pizza : " cRST "%-33s " bSTG bV bSTOP + " at table : %s%-6s " bSTG bV "\n", + time_tmp, crash_color, tmp); + + sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_hangs), + (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + + u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time); + SAYF(bV bSTOP + " last conversation with customers : " cRST "%-33s " bSTG bV bSTOP + " number of Peroni : " cRST "%-6s " bSTG bV + "\n", + time_tmp, tmp); + + SAYF(bVR bH bSTOP cCYA + " Baking progress " bSTG bH30 bH20 bH5 bH bX bH bSTOP cCYA + " Pizzeria busyness" bSTG bH30 bH5 bH bH bVL "\n"); + + /* This gets funny because we want to print several variable-length variables + together, but then cram them into a fixed-width field - so we need to + put them in a temporary buffer first. */ + + sprintf(tmp, "%s%s%u (%0.01f%%)", u_stringify_int(IB(0), afl->current_entry), + afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level, + ((double)afl->current_entry * 100) / afl->queued_items); + + SAYF(bV bSTOP " now baking : " cRST + "%-18s " bSTG bV bSTOP, + tmp); + + sprintf(tmp, "%0.02f%% / %0.02f%%", + ((double)afl->queue_cur->bitmap_size) * 100 / afl->fsrv.real_map_size, + t_byte_ratio); + + SAYF(" table full : %s%-19s " bSTG bV "\n", + t_byte_ratio > 70 + ? cLRD + : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), + tmp); + + sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_items), + ((double)afl->cur_skipped_items * 100) / afl->queued_items); + + SAYF(bV bSTOP " burned pizzas : " cRST + "%-18s " bSTG bV, + tmp); + + sprintf(tmp, "%0.02f bits/tuple", t_bytes ? (((double)t_bits) / t_bytes) : 0); + + SAYF(bSTOP " count coverage : " cRST "%-19s " bSTG bV "\n", + tmp); + + SAYF(bVR bH bSTOP cCYA + " Pizzas almost ready " bSTG bH30 bH20 bH2 bH bX bH bSTOP cCYA + " Types of pizzas cooking " bSTG bH10 bH5 bH2 bH10 bH2 bH bVL "\n"); + + sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), + ((double)afl->queued_favored) * 100 / afl->queued_items); + + /* Yeah... it's still going on... halp? */ + + SAYF(bV bSTOP " now preparing : " cRST + "%-22s " bSTG bV bSTOP + " favourite topping : " cRST "%-20s" bSTG bV + "\n", + afl->stage_name, tmp); + + if (!afl->stage_max) { + + sprintf(tmp, "%s/-", u_stringify_int(IB(0), afl->stage_cur)); + + } else { + + sprintf(tmp, "%s/%s (%0.02f%%)", u_stringify_int(IB(0), afl->stage_cur), + u_stringify_int(IB(1), afl->stage_max), + ((double)afl->stage_cur) * 100 / afl->stage_max); + + } + + SAYF(bV bSTOP " number of pizzas : " cRST + "%-23s " bSTG bV bSTOP, + tmp); + + sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_with_cov), + ((double)afl->queued_with_cov) * 100 / afl->queued_items); + + SAYF(" new pizza type seen on Instagram : " cRST "%-20s" bSTG bV "\n", tmp); + + sprintf(tmp, "%s (%s%s saved)", u_stringify_int(IB(0), afl->total_crashes), + u_stringify_int(IB(1), afl->saved_crashes), + (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + + if (afl->crash_mode) { + + SAYF(bV bSTOP " total pizzas : " cRST + "%-22s " bSTG bV bSTOP + " pizzas with pineapple : %s%-20s" bSTG bV "\n", + u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp); + + } else { + + SAYF(bV bSTOP " total pizzas : " cRST + "%-22s " bSTG bV bSTOP + " total pizzas with pineapple : %s%-20s" bSTG bV "\n", + u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp); + + } + + /* Show a warning about slow execution. */ + + if (afl->stats_avg_exec < 100) { + + sprintf(tmp, "%s/sec (%s)", u_stringify_float(IB(0), afl->stats_avg_exec), + afl->stats_avg_exec < 20 ? "zzzz..." : "Gennarino is at it again!"); + + SAYF(bV bSTOP " pizza making speed : " cLRD + "%-22s ", + tmp); + + } else { + + sprintf(tmp, "%s/sec", u_stringify_float(IB(0), afl->stats_avg_exec)); + SAYF(bV bSTOP " pizza making speed : " cRST + "%-22s ", + tmp); + + } + + sprintf(tmp, "%s (%s%s saved)", u_stringify_int(IB(0), afl->total_tmouts), + u_stringify_int(IB(1), afl->saved_tmouts), + (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + + SAYF(bSTG bV bSTOP " burned pizzas : " cRST "%-20s" bSTG bV + "\n", + tmp); + + /* Aaaalmost there... hold on! */ + + SAYF(bVR bH cCYA bSTOP " Promotional campaign on TikTok yields " bSTG bH30 bH2 + bH bH2 bX bH bSTOP cCYA + " Customer type " bSTG bH5 bH2 bH30 bH2 bH bVL "\n"); + + if (unlikely(afl->custom_only)) { + + strcpy(tmp, "oven off (custom-mutator-only mode)"); + + } else if (likely(afl->skip_deterministic)) { + + strcpy(tmp, "oven off (default, enable with -D)"); + + } else { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + u_stringify_int(IB(0), afl->stage_finds[STAGE_FLIP1]), + u_stringify_int(IB(1), afl->stage_cycles[STAGE_FLIP1]), + u_stringify_int(IB(2), afl->stage_finds[STAGE_FLIP2]), + u_stringify_int(IB(3), afl->stage_cycles[STAGE_FLIP2]), + u_stringify_int(IB(4), afl->stage_finds[STAGE_FLIP4]), + u_stringify_int(IB(5), afl->stage_cycles[STAGE_FLIP4])); + + } + + SAYF(bV bSTOP + " pizzas for celiac : " cRST "%-36s " bSTG bV bSTOP + " levels : " cRST "%-10s " bSTG bV + "\n", + tmp, u_stringify_int(IB(0), afl->max_depth)); + + if (unlikely(!afl->skip_deterministic)) { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + u_stringify_int(IB(0), afl->stage_finds[STAGE_FLIP8]), + u_stringify_int(IB(1), afl->stage_cycles[STAGE_FLIP8]), + u_stringify_int(IB(2), afl->stage_finds[STAGE_FLIP16]), + u_stringify_int(IB(3), afl->stage_cycles[STAGE_FLIP16]), + u_stringify_int(IB(4), afl->stage_finds[STAGE_FLIP32]), + u_stringify_int(IB(5), afl->stage_cycles[STAGE_FLIP32])); + + } + + SAYF(bV bSTOP + " pizzas for kids : " cRST "%-36s " bSTG bV bSTOP + " pizzas to make : " cRST "%-10s " bSTG bV + "\n", + tmp, u_stringify_int(IB(0), afl->pending_not_fuzzed)); + + if (unlikely(!afl->skip_deterministic)) { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + u_stringify_int(IB(0), afl->stage_finds[STAGE_ARITH8]), + u_stringify_int(IB(1), afl->stage_cycles[STAGE_ARITH8]), + u_stringify_int(IB(2), afl->stage_finds[STAGE_ARITH16]), + u_stringify_int(IB(3), afl->stage_cycles[STAGE_ARITH16]), + u_stringify_int(IB(4), afl->stage_finds[STAGE_ARITH32]), + u_stringify_int(IB(5), afl->stage_cycles[STAGE_ARITH32])); + + } + + SAYF(bV bSTOP + " pizza bianca : " cRST "%-36s " bSTG bV bSTOP + " nice table : " cRST "%-10s " bSTG bV + "\n", + tmp, u_stringify_int(IB(0), afl->pending_favored)); + + if (unlikely(!afl->skip_deterministic)) { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + u_stringify_int(IB(0), afl->stage_finds[STAGE_INTEREST8]), + u_stringify_int(IB(1), afl->stage_cycles[STAGE_INTEREST8]), + u_stringify_int(IB(2), afl->stage_finds[STAGE_INTEREST16]), + u_stringify_int(IB(3), afl->stage_cycles[STAGE_INTEREST16]), + u_stringify_int(IB(4), afl->stage_finds[STAGE_INTEREST32]), + u_stringify_int(IB(5), afl->stage_cycles[STAGE_INTEREST32])); + + } + + SAYF(bV bSTOP + " recurring customers : " cRST "%-36s " bSTG bV bSTOP + " new customers : " cRST "%-10s " bSTG bV + "\n", + tmp, u_stringify_int(IB(0), afl->queued_discovered)); + + if (unlikely(!afl->skip_deterministic)) { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]), + u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]), + u_stringify_int(IB(2), afl->stage_finds[STAGE_EXTRAS_UI]), + u_stringify_int(IB(3), afl->stage_cycles[STAGE_EXTRAS_UI]), + u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]), + u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO])); + + } else if (unlikely(!afl->extras_cnt || afl->custom_only)) { + + strcpy(tmp, "n/a"); + + } else { + + strcpy(tmp, "18 year aniversary mode"); + + } + + SAYF(bV bSTOP + " dictionary : " cRST "%-36s " bSTG bV bSTOP + " patrons from old resturant : " cRST "%-10s " bSTG bV + "\n", + tmp, + afl->sync_id ? u_stringify_int(IB(0), afl->queued_imported) + : (u8 *)"n/a"); + + sprintf(tmp, "%s/%s, %s/%s", + u_stringify_int(IB(0), afl->stage_finds[STAGE_HAVOC]), + u_stringify_int(IB(2), afl->stage_cycles[STAGE_HAVOC]), + u_stringify_int(IB(3), afl->stage_finds[STAGE_SPLICE]), + u_stringify_int(IB(4), afl->stage_cycles[STAGE_SPLICE])); + + SAYF(bV bSTOP " 18 year anniversary mode/cleaning : " cRST + "%-36s " bSTG bV bSTOP, + tmp); + + if (t_bytes) { + + sprintf(tmp, "%0.02f%%", stab_ratio); + + } else { + + strcpy(tmp, "n/a"); + + } + + SAYF(" oven flameout : %s%-10s " bSTG bV "\n", + (stab_ratio < 85 && afl->var_byte_count > 40) + ? cLRD + : ((afl->queued_variable && + (!afl->persistent_mode || afl->var_byte_count > 20)) + ? cMGN + : cRST), + tmp); + + if (unlikely(afl->afl_env.afl_python_module)) { + + sprintf(tmp, "%s/%s,", + u_stringify_int(IB(0), afl->stage_finds[STAGE_PYTHON]), + u_stringify_int(IB(1), afl->stage_cycles[STAGE_PYTHON])); + + } else { + + strcpy(tmp, "unused,"); + + } + + if (unlikely(afl->afl_env.afl_custom_mutator_library)) { + + strcat(tmp, " "); + strcat(tmp, u_stringify_int(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR])); + strcat(tmp, "/"); + strcat(tmp, + u_stringify_int(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); + strcat(tmp, ","); + + } else { + + strcat(tmp, " unused,"); + + } + + if (unlikely(afl->shm.cmplog_mode)) { + + strcat(tmp, " "); + strcat(tmp, u_stringify_int(IB(4), afl->stage_finds[STAGE_COLORIZATION])); + strcat(tmp, "/"); + strcat(tmp, u_stringify_int(IB(5), afl->stage_cycles[STAGE_COLORIZATION])); + strcat(tmp, ", "); + strcat(tmp, u_stringify_int(IB(6), afl->stage_finds[STAGE_ITS])); + strcat(tmp, "/"); + strcat(tmp, u_stringify_int(IB(7), afl->stage_cycles[STAGE_ITS])); + + } else { + + strcat(tmp, " unused, unused"); + + } + + SAYF(bV bSTOP " py/custom/rq : " cRST + "%-36s " bSTG bVR bH20 bH2 bH30 bH2 bH bH bRB "\n", + tmp); + + if (likely(afl->disable_trim)) { + + sprintf(tmp, "disabled, "); + + } else if (unlikely(!afl->bytes_trim_out)) { + + sprintf(tmp, "n/a, "); + + } else { + + sprintf(tmp, "%0.02f%%/%s, ", + ((double)(afl->bytes_trim_in - afl->bytes_trim_out)) * 100 / + afl->bytes_trim_in, + u_stringify_int(IB(0), afl->trim_execs)); + + } + + if (likely(afl->skip_deterministic)) { + + strcat(tmp, "disabled"); + + } else if (unlikely(!afl->blocks_eff_total)) { + + strcat(tmp, "n/a"); + + } else { + + u8 tmp2[128]; + + sprintf(tmp2, "%0.02f%%", + ((double)(afl->blocks_eff_total - afl->blocks_eff_select)) * 100 / + afl->blocks_eff_total); + + strcat(tmp, tmp2); + + } + + // if (afl->custom_mutators_count) { + + // + // sprintf(tmp, "%s/%s", + // u_stringify_int(IB(0), afl->stage_finds[STAGE_CUSTOM_MUTATOR]), + // u_stringify_int(IB(1), afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); + // SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bV RESET_G1, tmp); + // + //} else { + + SAYF(bV bSTOP " toilets clogged : " cRST + "%-36s " bSTG bV RESET_G1, + tmp); + + //} + + /* Provide some CPU utilization stats. */ + + if (afl->cpu_core_count) { + + char *spacing = SP10, snap[80] = " " cLGN "Pizzaioli's busyness " cRST " "; + + double cur_runnable = get_runnable_processes(); + u32 cur_utilization = cur_runnable * 100 / afl->cpu_core_count; + + u8 *cpu_color = cCYA; + + /* If we could still run one or more processes, use green. */ + + if (afl->cpu_core_count > 1 && cur_runnable + 1 <= afl->cpu_core_count) { + + cpu_color = cLGN; + + } + + /* If we're clearly oversubscribed, use red. */ + + if (!afl->no_cpu_meter_red && cur_utilization >= 150) { cpu_color = cLRD; } + + if (afl->fsrv.snapshot) { spacing = snap; } + +#ifdef HAVE_AFFINITY + + if (afl->cpu_aff >= 0) { + + SAYF("%s" cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, spacing, + MIN(afl->cpu_aff, 999), cpu_color, MIN(cur_utilization, (u32)999)); + + } else { + + SAYF("%s" cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, spacing, cpu_color, + MIN(cur_utilization, (u32)999)); + + } + +#else + + SAYF("%s" cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, spacing, cpu_color, + MIN(cur_utilization, (u32)999)); + +#endif /* ^HAVE_AFFINITY */ + + } else { + + SAYF("\r"); + + } + + /* Last line */ + SAYF(SET_G1 "\n" bSTG bLB bH30 bH20 bH2 bH20 bH2 bH bRB bSTOP cRST RESET_G1); + +#undef IB + + /* Hallelujah! */ + + fflush(0); + +} + /* Display quick statistics at the end of processing the input directory, plus a bunch of warnings. Some calibration stuff also ended up here, along with several hardcoded constants. Maybe clean up eventually. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c5333056..92243fbb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -259,6 +259,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced\n" + "AFL_PIZZA_MODE: 1 - enforce pizza mode, 0 - disable for April 1st\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" " the target was compiled for\n" @@ -2269,6 +2270,25 @@ int main(int argc, char **argv_orig, char **envp) { runs_in_current_cycle = (u32)-1; afl->cur_skipped_items = 0; + // 1st april fool joke - enable pizza mode + // to not waste time on checking the date we only do this when the + // queue is fully cycled. + time_t cursec = time(NULL); + struct tm *curdate = localtime(&cursec); + if (likely(!afl->afl_env.afl_pizza_mode)) { + + if (unlikely(curdate->tm_mon == 3 && curdate->tm_mday == 1)) { + + afl->pizza_is_served = 1; + + } else { + + afl->pizza_is_served = 0; + + } + + } + if (unlikely(afl->old_seed_selection)) { afl->current_entry = 0; @@ -2528,8 +2548,17 @@ stop_fuzzing: write_bitmap(afl); save_auto(afl); - SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, - afl->stop_soon == 2 ? "programmatically" : "by user"); + if (afl->afl_env.afl_pizza_mode) { + + SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST, + afl->stop_soon == 2 ? "programmatically" : "by the chef"); + + } else { + + SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, + afl->stop_soon == 2 ? "programmatically" : "by user"); + + } if (afl->most_time_key == 2) { diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 1a314653..d724ecaf 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -8,13 +8,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { - if (i < 24) return 0; + if (i < 30) return 0; if (buf[0] != 'A') return 0; if (buf[1] != 'B') return 0; if (buf[2] != 'C') return 0; if (buf[3] != 'D') return 0; - if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; - if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) + int *icmp = (int *)(buf + 4); + if (*icmp != 0x69694141) return 0; + if (memcmp(buf + 8, "1234", 4) || memcmp(buf + 12, "EFGH", 4)) return 0; + if (strncmp(buf + 16, "IJKL", 4) == 0 && strcmp(buf + 20, "DEADBEEF") == 0) abort(); return 0; diff --git a/test/test-llvm.sh b/test/test-llvm.sh index ddbee378..ce64d76c 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -261,7 +261,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds" { mkdir -p in - echo 0000000000000000000000000 > in/in + echo 00000000000000000000000000000000 > in/in AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V60 -i in -o out -c./test-cmplog -- ./test-cmplog >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" & { diff --git a/utils/afl_network_proxy/afl-network-client.c b/utils/afl_network_proxy/afl-network-client.c index ceffb1ed..7d04a89a 100644 --- a/utils/afl_network_proxy/afl-network-client.c +++ b/utils/afl_network_proxy/afl-network-client.c @@ -407,7 +407,9 @@ int main(int argc, char *argv[]) { #ifdef USE_DEFLATE libdeflate_free_compressor(compressor); libdeflate_free_decompressor(decompressor); + free(buf2); #endif + free(buf); return 0; |