author | h1994st <h1994st@gmail.com> | 2020-03-07 10:29:14 -0500 |
---|---|---|
committer | h1994st <h1994st@gmail.com> | 2020-03-07 10:29:14 -0500 |
commit | dc0b2dda5e4ec41ea491e63f0ec31c5da6fe7f1d (patch) | |
tree | c94bdcd834b4d011df9e2f0fa4e7cd0fd8689019 | |
parent | a10a3f2fa75f16bf7781a3c02cd23eab7164cff1 (diff) | |
parent | ed5d65b54f07570c82f6704fdca403b776ff7be2 (diff) | |
Merge branch 'master' of https://github.com/vanhauser-thc/AFLplusplus
-rw-r--r-- | docs/Changelog.md | 2 | ||||
-rw-r--r-- | docs/custom_mutators.md | 13 | ||||
-rw-r--r-- | docs/technical_details.md | 5 | ||||
-rw-r--r-- | examples/custom_mutators/example.c | 56 | ||||
-rw-r--r-- | include/afl-fuzz.h | 48 | ||||
-rw-r--r-- | include/alloc-inl.h | 2 | ||||
-rw-r--r-- | src/afl-fuzz-mutators.c | 23 | ||||
-rw-r--r-- | src/afl-fuzz-one.c | 37 | ||||
-rw-r--r-- | src/afl-fuzz-python.c | 93 | ||||
-rw-r--r-- | src/afl-tmin.c | 86 |
10 files changed, 318 insertions, 47 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index d5c2a279..57a78691 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - afl-fuzz basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output - AFL_AUTORESUME will resume execution without the need to specify `-i -` + - afl-tmin now supports hang mode `-H` to minimize hangs + - fixed potential afl-tmin missbehavior for targets with multiple hangs ### Version ++2.62c (release): diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 4deb07e1..b31a2e4f 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -28,13 +28,14 @@ performed with the custom mutator. C/C++: ```c void afl_custom_init(unsigned int seed); -size_t afl_custom_fuzz(u8* buf, size_t buf_size, - u8* add_buf, size_t add_buf_size, - u8* mutated_out, size_t max_size); +size_t afl_custom_fuzz(u8** buf, size_t buf_size, u8* add_buf, + size_t add_buf_size, size_t max_size); size_t afl_custom_pre_save(u8* buf, size_t buf_size, u8** out_buf); u32 afl_custom_init_trim(u8* buf, size_t buf_size); void afl_custom_trim(u8** out_buf, size_t* out_buf_size); u32 afl_custom_post_trim(u8 success); +size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size); +uint8_t afl_custom_havoc_mutation_probability(void); ``` Python: @@ -56,6 +57,12 @@ def trim(): def post_trim(success): return next_index + +def havoc_mutation(buf, max_size): + return mutated_out + +def havoc_mutation_probability(): + return probability # int in [0, 100] ``` ### Custom Mutation diff --git a/docs/technical_details.md b/docs/technical_details.md index 996bf162..a0453c91 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md 
@@ -286,8 +286,9 @@ operation of `afl-tmin` is as follows. First, the tool automatically selects the operating mode. If the initial input crashes the target binary, afl-tmin will run in non-instrumented mode, simply -keeping any tweaks that produce a simpler file but still crash the target. If -the target is non-crashing, the tool uses an instrumented mode and keeps only +keeping any tweaks that produce a simpler file but still crash the target. +The same mode is used for hangs, if `-H` (hang mode) is specified. +If the target is non-crashing, the tool uses an instrumented mode and keeps only the tweaks that produce exactly the same execution path. The actual minimization algorithm is: diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index 5aaa6a5d..d34b3045 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c 
@@ -30,23 +30,27 @@ void afl_custom_init(unsigned int seed) {
 *
 * (Optional for now. Required in the future)
 *
- * @param[in] buf Input data to be mutated
+ * @param[in] buf Pointer to input data to be mutated
 * @param[in] buf_size Size of input data
 * @param[in] add_buf Buffer containing the additional test case
 * @param[in] add_buf_size Size of the additional test case
- * @param[out] mutated_out Buffer to store the mutated input
 * @param[in] max_size Maximum size of the mutated output. The mutation must not
 * produce data larger than max_size.
 * @return Size of the mutated output.
 */
-size_t afl_custom_fuzz(uint8_t *buf, size_t buf_size,
- uint8_t *add_buf,size_t add_buf_size,
- uint8_t *mutated_out, size_t max_size) {
+size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size,
+ uint8_t *add_buf,size_t add_buf_size, // add_buf can be NULL
+ size_t max_size) {
 // Make sure that the packet size does not exceed the maximum size expected by
 // the fuzzer
 size_t mutated_size = data_size <= max_size ? data_size : max_size;
+ if (mutated_size > buf_size)
+ *buf = realloc(*buf, mutated_size);
+
+ uint8_t* mutated_out = *buf;
+
 // Randomly select a command string to add as a header to the packet
 memcpy(mutated_out, commands[rand() % 3], 3);
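Review bot: The result of the new `*buf = realloc(*buf, mutated_size);` line is never checked, so an allocation failure leaves `*buf` and `mutated_out` NULL right before the `memcpy` that follows; `afl_custom_havoc_mutation` in the next hunk of this file has the same unchecked `realloc`. A failed grow should be reported rather than dereferenced, e.g. `uint8_t *grown = realloc(*buf, mutated_size); if (!grown) return 0; *buf = grown;`, since the caller in afl-fuzz-one.c treats a zero return as "no mutation" via its `if (mutated_size > 0)` check. The fuzzer itself grows this buffer with `ck_realloc` (see `fuzz_py` in this commit) while the example uses libc `realloc`, which only works with the allocator the alloc-inl.h comment added in this commit assumes; the example should state that constraint next to the call. The body of `afl_custom_fuzz` continues past the end of the hunk.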
@@ -175,3 +179,45 @@ int afl_custom_post_trim(int success) {
 return trimmming_steps;
 }
+
+/**
+ * Perform a single custom mutation on a given input.
+ * This mutation is stacked with the other muatations in havoc.
+ *
+ * (Optional)
+ *
+ * @param[in] buf Pointer to the input data to be mutated
+ * @param[in] buf_size Size of input data
+ * @param[in] max_size Maximum size of the mutated output. The mutation must not produce data larger than max_size.
+ * @return Size of the mutated output.
+ */
+size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size) {
+
+ if (buf_size == 0) {
+
+ *buf = realloc(*buf, 1);
+ **buf = rand() % 256;
+ buf_size = 1;
+
+ }
+
+ size_t victim = rand() % buf_size;
+ (*buf)[victim] += rand() % 10;
+
+ return buf_size;
+
+}
+
+/**
+ * Return the probability (in percentage) that afl_custom_havoc_mutation
+ * is called in havoc. By default it is 6 %.
+ *
+ * (Optional)
+ *
+ * @return The probability (0-100).
+ */
+uint8_t afl_custom_havoc_mutation_probability(void) {
+
+ return 5; // 5 %
+
+}
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 37b6832c..57639411 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -480,18 +480,16 @@ struct custom_mutator {
 *
 * (Optional for now. Required in the future)
 *
- * @param[in] buf Input data to be mutated
+ * @param[in] buf Pointer to input data to be mutated
 * @param[in] buf_size Size of input data
 * @param[in] add_buf Buffer containing the additional test case
 * @param[in] add_buf_size Size of the additional test case
- * @param[out] mutated_out Buffer to store the mutated input
 * @param[in] max_size Maximum size of the mutated output. The mutation must not
 * produce data larger than max_size.
 * @return Size of the mutated output.
 */
- size_t (*afl_custom_fuzz)(u8* buf, size_t buf_size,
- u8* add_buf, size_t add_buf_size,
- u8* mutated_out, size_t max_size);
+ size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf,
+ size_t add_buf_size, size_t max_size);
 /**
 * A post-processing function to use right before AFL writes the test case to
@@ -561,6 +559,30 @@ struct custom_mutator {
 * steps returned in init_trim)
 */
 u32 (*afl_custom_post_trim)(u8 success);
+
+ /**
+ * Perform a single custom mutation on a given input.
+ * This mutation is stacked with the other muatations in havoc.
+ *
+ * (Optional)
+ *
+ * @param[in] buf Pointer to the input data to be mutated
+ * @param[in] buf_size Size of input data
+ * @param[in] max_size Maximum size of the mutated output. The mutation must not produce data larger than max_size.
+ * @return Size of the mutated output.
+ */
+ size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, size_t max_size);
+
+ /**
+ * Return the probability (in percentage) that afl_custom_havoc_mutation
+ * is called in havoc. By default it is 6 %.
+ *
+ * (Optional)
+ *
+ * @return The probability (0-100).
+ */
+ u8 (*afl_custom_havoc_mutation_probability)(void);
+
 };
 extern struct custom_mutator* mutator;
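Review bot: The new `@param[in] buf Pointer to input data to be mutated` text on both `afl_custom_fuzz` and `afl_custom_havoc_mutation` leaves the ownership contract undocumented: the callers in afl-fuzz-one.c pass `&out_buf` and keep using `out_buf` afterwards, so the hook is expected to write its output into `*buf`, to reallocate it when the output is larger than `buf_size`, and to leave a pointer the fuzzer's allocator can still free. Suggest `@param[in,out] buf Pointer to the input buffer; the mutator writes its output here and may reallocate *buf to grow it, using the same allocator the fuzzer uses (see alloc-inl.h)`. The `@return` lines should also state what the callers rely on: for `afl_custom_fuzz` a return of 0 means "no mutation" (that is how the stage in afl-fuzz-one.c treats it), and for `afl_custom_havoc_mutation` the returned length is used as the new `temp_len`, so it should be non-zero and no larger than `max_size`.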
@@ -610,6 +632,8 @@ enum {
 /* 03 */ PY_FUNC_INIT_TRIM,
 /* 04 */ PY_FUNC_POST_TRIM,
 /* 05 */ PY_FUNC_TRIM,
+ /* 06 */ PY_FUNC_HAVOC_MUTATION,
+ /* 07 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY,
 PY_FUNC_COUNT
 };
@@ -623,23 +647,23 @@ extern PyObject* py_functions[PY_FUNC_COUNT];
 /* Custom mutators */
 void setup_custom_mutator(void);
 void destroy_custom_mutator(void);
-void load_custom_mutator(const char*);
-void load_custom_mutator_py(const char*);
 u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf);
 /* Python */
 #ifdef USE_PYTHON
+
 int init_py_module(u8*);
 void finalize_py_module();
-void init_py(unsigned int seed);
-size_t fuzz_py(u8* buf, size_t buf_size,
- u8* add_buf, size_t add_buf_size,
- u8* mutated_out, size_t max_size);
-size_t pre_save_py(u8* data, size_t size, u8** new_data);
+void init_py(unsigned int);
+size_t fuzz_py(u8**, size_t, u8*, size_t, size_t);
+size_t pre_save_py(u8*, size_t, u8**);
 u32 init_trim_py(u8*, size_t);
 u32 post_trim_py(u8);
 void trim_py(u8**, size_t*);
+size_t havoc_mutation_py(u8**, size_t, size_t);
+u8 havoc_mutation_probability_py(void);
+
 #endif
 /* Queue */
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index 19ac86e9..1451aae0 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -34,6 +34,8 @@
 #include "types.h"
 #include "debug.h"
+// Be careful! _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators
+
 #ifndef _WANT_ORIGINAL_AFL_ALLOC
 // afl++ stuff without memory corruption checks - for speed
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 26eaea59..76ce2c96 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -25,6 +25,11 @@
 #include "afl-fuzz.h"
+void load_custom_mutator(const char*);
+#ifdef USE_PYTHON
+void load_custom_mutator_py(const char*);
+#endif
+
 void setup_custom_mutator(void) {
 /* Try mutator library first */
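Review bot: The comment `// Be careful! _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators` in alloc-inl.h states the restriction without the reason, which is exactly what a reader debugging a heap corruption under that define needs. Presumably the point is that custom mutators now receive `&out_buf` and may reallocate the fuzzer's buffer themselves (the example mutator in this commit calls libc `realloc` on it), which only matches the default allocator selected below the comment; if so, say it: `// _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators: they may realloc() the fuzzer's buffers directly, which assumes the plain malloc-compatible allocator below`. In afl-fuzz-mutators.c the prototypes `void load_custom_mutator(const char*);` and `void load_custom_mutator_py(const char*);` moved out of the header but keep external linkage; now that no other file declares them, `static` on both the prototypes and their definitions would keep them out of the global namespace.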
@@ -146,6 +151,16 @@ void load_custom_mutator(const char* fn) {
 "trimming will be used.");
 }
+
+ /* "afl_custom_havoc_mutation", optional */
+ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
+ if (!mutator->afl_custom_havoc_mutation)
+ WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
+
+ /* "afl_custom_havoc_mutation", optional */
+ mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability");
+ if (!mutator->afl_custom_havoc_mutation_probability)
+ WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
 OKF("Custom mutator '%s' installed successfully.", fn);
@@ -276,6 +291,7 @@ abort_trimming:
 }
+#ifdef USE_PYTHON
 void load_custom_mutator_py(const char* module_name) {
 mutator = ck_alloc(sizeof(struct custom_mutator));
@@ -301,6 +317,12 @@ void load_custom_mutator_py(const char* module_name) {
 if (py_functions[PY_FUNC_TRIM])
 mutator->afl_custom_trim = trim_py;
+
+ if (py_functions[PY_FUNC_HAVOC_MUTATION])
+ mutator->afl_custom_havoc_mutation = havoc_mutation_py;
+
+ if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
+ mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py;
 OKF("Python mutator '%s' installed successfully.", module_name);
@@ -309,3 +331,4 @@ void load_custom_mutator_py(const char* module_name) {
 mutator->afl_custom_init(UR(0xFFFFFFFF));
 }
+#endif
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 5d00e8df..f12f4a67 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1540,11 +1540,10 @@ custom_mutator_stage:
 if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
- const u32 max_seed_size = 4096 * 4096;
- u8* mutated_buf = ck_alloc(max_seed_size);
+ const u32 max_seed_size = MAX_FILE;
 orig_hit_cnt = queued_paths + unique_crashes;
-
+
 for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
 struct queue_entry* target;
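Review bot: The comment above the second `dlsym` in `load_custom_mutator` is a copy-paste of the first one: it reads `/* "afl_custom_havoc_mutation", optional */` but the symbol looked up is `afl_custom_havoc_mutation_probability`; change it to `/* "afl_custom_havoc_mutation_probability", optional */`. Both hooks are documented as optional in afl-fuzz.h, yet a missing symbol is reported with `WARNF`, so every existing custom mutator library now emits two warnings on load; an informational message, or one line noting that the havoc hooks are absent, fits the "optional" contract better. The probability hook is only consulted when `afl_custom_havoc_mutation` was found (see the `stacked_custom &&` guard in afl-fuzz-one.c), so its lookup can stay silent when the first one failed.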
@@ -1589,21 +1588,17 @@ custom_mutator_stage:
 new_buf = ck_alloc_nozero(target->len);
 ck_read(fd, new_buf, target->len, target->fname);
 close(fd);
-
+
 size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len,
 new_buf, target->len,
- mutated_buf, max_seed_size);
+ max_seed_size);
 ck_free(new_buf);
 if (mutated_size > 0) {
- out_buf = ck_realloc(out_buf, mutated_size);
- memcpy(out_buf, mutated_buf, mutated_size);
-
 if (common_fuzz_stuff(argv, out_buf, (u32)mutated_size)) {
- ck_free(mutated_buf);
 goto abandon_entry;
 }
@@ -1625,10 +1620,12 @@ custom_mutator_stage:
 }
 }
+
+ if (mutated_size < len) out_buf = ck_realloc(out_buf, len);
+ memcpy(out_buf, in_buf, len);
 }
- ck_free(mutated_buf);
 new_hit_cnt = queued_paths + unique_crashes;
 stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
@@ -1681,6 +1678,17 @@ havoc_stage:
 havoc_queued = queued_paths;
+ u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);
+ u8 stacked_custom_prob = 6; // like one of the default mutations in havoc
+
+ if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) {
+
+ stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability();
+ if (stacked_custom_prob > 100)
+ FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100.");
+
+ }
+
 /* We essentially just do several thousand runs (depending on perf_score)
 where we take the input file and make random stacked tweaks. */
@@ -1691,6 +1699,13 @@ havoc_stage:
 stage_cur_val = use_stacking;
 for (i = 0; i < use_stacking; ++i) {
+
+ if (stacked_custom && UR(100) < stacked_custom_prob) {
+
+ temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len,
+ MAX_FILE);
+
+ }
 switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index c22e4402..32f9f6ab 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
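Review bot: In the havoc hunk, `temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE);` trusts the returned length completely: a hook that returns 0 feeds `UR(temp_len)` in the stacked cases that follow (a modulo by zero if `UR` reduces modulo its argument as in upstream AFL), and a value above `MAX_FILE` makes later mutations index past whatever buffer the hook actually provided. Validate before assigning: `size_t new_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE);`, `if (new_len == 0 || new_len > MAX_FILE) FATAL("afl_custom_havoc_mutation returned an invalid length");`, `temp_len = new_len;`. The custom mutator stage earlier in this file has the same gap: `mutated_size` is only compared with 0 and with `len`, never with `max_seed_size`, before `common_fuzz_stuff` writes `(u32)mutated_size` bytes from `out_buf`. The `FATAL` text in the probability check also misspells the hook as `afl_custom_havoc_mutation_propability`.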
@@ -55,6 +55,8 @@ int init_py_module(u8* module_name) {
 py_functions[PY_FUNC_POST_TRIM] = PyObject_GetAttrString(py_module, "post_trim");
 py_functions[PY_FUNC_TRIM] = PyObject_GetAttrString(py_module, "trim");
+ py_functions[PY_FUNC_HAVOC_MUTATION] = PyObject_GetAttrString(py_module, "havoc_mutation");
+ py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY] = PyObject_GetAttrString(py_module, "havoc_mutation_probability");
 for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) {
@@ -159,16 +161,15 @@ void init_py(unsigned int seed) {
 }
 }
-size_t fuzz_py(u8* buf, size_t buf_size,
- u8* add_buf, size_t add_buf_size,
- u8* mutated_out, size_t max_size) {
+size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
+ size_t max_size) {
 size_t mutated_size;
 PyObject *py_args, *py_value;
 py_args = PyTuple_New(3);
 /* buf */
- py_value = PyByteArray_FromStringAndSize(buf, buf_size);
+ py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
 if (!py_value) {
 Py_DECREF(py_args);
@@ -211,7 +212,10 @@ size_t fuzz_py(u8* buf, size_t buf_size,
 if (py_value != NULL) {
 mutated_size = PyByteArray_Size(py_value);
- memcpy(mutated_out, PyByteArray_AsString(py_value), mutated_size);
+ if (buf_size < mutated_size)
+ *buf = ck_realloc(*buf, mutated_size);
+
+ memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
 Py_DECREF(py_value);
 return mutated_size;
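Review bot: In `fuzz_py`, `mutated_size = PyByteArray_Size(py_value);` drives the `ck_realloc` and `memcpy` without ever being compared to `max_size`, so the `max_size` contract documented in afl-fuzz.h is enforced nowhere on the Python path and an oversized bytearray is copied in full; `havoc_mutation_py` in the next hunk repeats this. Add `if (mutated_size > max_size) FATAL("Python mutator returned %zu bytes, max_size is %zu", mutated_size, max_size);` right after the size is read (or truncate, if that is the intended semantics, and say so in custom_mutators.md). The result is also assumed to be a bytearray: `PyByteArray_Size`/`PyByteArray_AsString` are only defined for that type, so a `PyByteArray_Check(py_value)` guard with a clear error turns a mutator returning `bytes` or `None` into a diagnosable failure rather than a memory-safety problem.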
@@ -359,5 +363,84 @@ void trim_py(u8** out_buf, size_t* out_buf_size) {
 }
+size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) {
+
+ size_t mutated_size;
+ PyObject *py_args, *py_value;
+ py_args = PyTuple_New(2);
+
+ /* buf */
+ py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
+ if (!py_value) {
+
+ Py_DECREF(py_args);
+ FATAL("Failed to convert arguments");
+
+ }
+
+ PyTuple_SetItem(py_args, 0, py_value);
+
+ /* max_size */
+#if PY_MAJOR_VERSION >= 3
+ py_value = PyLong_FromLong(max_size);
+#else
+ py_value = PyInt_FromLong(max_size);
+#endif
+ if (!py_value) {
+
+ Py_DECREF(py_args);
+ FATAL("Failed to convert arguments");
+
+ }
+
+ PyTuple_SetItem(py_args, 1, py_value);
+
+ py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION], py_args);
+
+ Py_DECREF(py_args);
+
+ if (py_value != NULL) {
+
+ mutated_size = PyByteArray_Size(py_value);
+ if (buf_size < mutated_size)
+ *buf = ck_realloc(*buf, mutated_size);
+
+ memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
+
+ Py_DECREF(py_value);
+ return mutated_size;
+
+ } else {
+
+ PyErr_Print();
+ FATAL("Call failed");
+
+ }
+
+}
+
+u8 havoc_mutation_probability_py(void) {
+
+ PyObject *py_args, *py_value;
+
+ py_args = PyTuple_New(0);
+ py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args);
+ Py_DECREF(py_args);
+
+ if (py_value != NULL) {
+
+ long prob = PyLong_AsLong(py_value);
+ Py_DECREF(py_value);
+ return (u8)prob;
+
+ } else {
+
+ PyErr_Print();
+ FATAL("Call failed");
+
+ }
+
+}
+
 #endif /* USE_PYTHON */
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 13fdbee7..509943ff 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
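Review bot: In `havoc_mutation_probability_py`, `long prob = PyLong_AsLong(py_value);` is narrowed with `return (u8)prob;` and neither the error case nor the range is checked here: `PyLong_AsLong` returns -1 with a Python exception pending when the object is not an integer, which becomes 255 and is later rejected by the caller's `> 100` check with a misleading message, while an out-of-range value such as 300 wraps to 44 and is silently accepted. Check `PyErr_Occurred()` and the 0..100 range on the `long` before the cast, so the contract stated in custom_mutators.md (`int in [0, 100]`) is actually enforced where the value is produced. Printing the pending exception also tells the user which line of the mutator misbehaved.
```c
  if (py_value != NULL) {

    long prob = PyLong_AsLong(py_value);
    Py_DECREF(py_value);

    if (prob == -1 && PyErr_Occurred()) {

      PyErr_Print();
      FATAL("havoc_mutation_probability did not return an integer");

    }

    if (prob < 0 || prob > 100)
      FATAL("havoc_mutation_probability must return a value in 0..100, got %ld", prob);

    return (u8)prob;

  } else {
    /* … unchanged: PyErr_Print(); FATAL("Call failed"); … */
```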
@@ -89,6 +89,7 @@ u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
 s32 dev_null_fd = -1; /* FD to /dev/null */
 u8 crash_mode, /* Crash-centric mode? */
+ hang_mode, /* Minimize as long as it hangs */
 exit_crash, /* Treat non-zero exit as crash? */
 edges_only, /* Ignore hit counts? */
 exact_mode, /* Require path match for crashes? */
@@ -98,6 +99,7 @@ static volatile u8 stop_soon; /* Ctrl-C pressed? */
 static u8 qemu_mode;
+
 /*
 * forkserver section
 */
@@ -427,6 +429,8 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
 u32 cksum;
+ child_timed_out = 0;
+
 memset(trace_bits, 0, MAP_SIZE);
 MEM_BARRIER();
@@ -484,8 +488,13 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
 if (*(u32*)trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute '%s'", argv[0]);
- classify_counts(trace_bits);
- apply_mask((u32*)trace_bits, (u32*)mask_bitmap);
+ if (!hang_mode) {
+
+ classify_counts(trace_bits);
+ apply_mask((u32*)trace_bits, (u32*)mask_bitmap);
+
+ }
+
 total_execs++;
 if (stop_soon) {
@@ -496,7 +505,27 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
 }
- /* Always discard inputs that time out. */
+ /* Always discard inputs that time out, unless we are in hang mode */
+
+ if (hang_mode) {
+
+ if (child_timed_out) return 1;
+
+ if (WIFSIGNALED(status) ||
+ (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) ||
+ (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) {
+
+ missed_crashes++;
+
+ } else {
+
+ missed_hangs++;
+
+ }
+
+ return 0;
+
+ }
 if (child_timed_out) {
@@ -504,7 +533,7 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
 return 0;
 }
-
+
 /* Handle crashing inputs depending on current mode. */
 if (WIFSIGNALED(status) ||
@@ -791,6 +820,19 @@ next_del_blksize:
 finalize_all:
+ if (hang_mode) {
+
+ SAYF("\n" cGRA " File size reduced by : " cRST
+ "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST
+ "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA
+ " Fruitless execs : " cRST "termination=%u crash=%u\n\n",
+ 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s",
+ ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs,
+ missed_paths, missed_crashes);
+ return;
+
+ }
+
 SAYF("\n" cGRA " File size reduced by : " cRST
 "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST
 "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA
@@ -799,7 +841,7 @@ finalize_all:
 ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs,
 missed_paths, missed_crashes, missed_hangs ? cLRD : "", missed_hangs);
- if (total_execs > 50 && missed_hangs * 10 > total_execs)
+ if (total_execs > 50 && missed_hangs * 10 > total_execs && !hang_mode)
 WARNF(cLRD "Frequent timeouts - results may be skewed." cRST);
 }
@@ -978,6 +1020,7 @@ static void usage(u8* argv0) {
 " -e - solve for edge coverage only, ignore hit counts\n"
 " -x - treat non-zero exit codes as crashes\n\n"
+ " -H - minimize a hang (hang mode)\n"
 "For additional tips, please consult %s/README.md.\n\n"
@@ -1077,7 +1120,7 @@ int main(int argc, char** argv, char** envp) {
 SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n");
- while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWh")) > 0)
+ while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0)
 switch (opt) {
@@ -1103,6 +1146,7 @@ int main(int argc, char** argv, char** envp) {
 case 'e':
 if (edges_only) FATAL("Multiple -e options not supported");
+ if (hang_mode) FATAL("Edges only and hang mode are mutually exclusive.");
 edges_only = 1;
 break;
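Review bot: The hang-mode summary in `finalize_all` prints `missed_paths` under the `termination=%u` label, but the hang-mode branch added to `run_target` earlier in this file returns before any path comparison and counts non-hanging terminations in `missed_hangs`, so as far as this diff shows the printed value is always 0 while the real count is dropped; pass `missed_hangs` there instead. With that, the added `&& !hang_mode` on the frequent-timeouts warning is redundant, because the hang-mode block above it already returned. In `usage`, the new `" -H - minimize a hang (hang mode)\n"` entry comes after the `"\n\n"` that ends the `-x` line and closes the option list, so it prints detached from the other flags; place it before the `-x` line or move the paragraph break down.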
@@ -1188,6 +1232,15 @@ int main(int argc, char** argv, char** envp) {
 break;
+ case 'H': /* Hang Mode */
+
+ /* Minimizes a testcase to the minimum that still times out */
+
+ if (hang_mode) FATAL("Multipe -H options not supported");
+ if (edges_only) FATAL("Edges only and hang mode are mutually exclusive.");
+ hang_mode = 1;
+ break;
+
 case 'B': /* load bitmap */
 /* This is a secret undocumented option! It is speculated to be useful
@@ -1242,6 +1295,13 @@ int main(int argc, char** argv, char** envp) {
 exact_mode = !!get_afl_env("AFL_TMIN_EXACT");
+ if (hang_mode && exact_mode) {
+
+ SAYF("AFL_TMIN_EXACT won't work for loops in hang mode, ignoring.");
+ exact_mode = 0;
+
+ }
+
 SAYF("\n");
 read_initial_file();
@@ -1253,10 +1313,18 @@ int main(int argc, char** argv, char** envp) {
 run_target(use_argv, in_data, in_len, 1);
- if (child_timed_out)
- FATAL("Target binary times out (adjusting -t may help).");
+ if (hang_mode && !child_timed_out)
+ FATAL("Target binary did not time out but hang minimization mode "
+ "(-H) was set (-t %u).", exec_tmout);
+
+ if (child_timed_out && !hang_mode)
+ FATAL("Target binary times out (adjusting -t may help). Use -H to minimize a hang.");
+
+ if (hang_mode) {
+
+ OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode.");
- if (!crash_mode) {
+ } else if (!crash_mode) {
 OKF("Program terminates normally, minimizing in " cCYA "instrumented" cRST " mode."); |
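Review bot: `SAYF("AFL_TMIN_EXACT won't work for loops in hang mode, ignoring.");` in the exact-mode hunk has no trailing newline and only reads correctly today because the unrelated `SAYF("\n")` happens to follow it; it is also a warning about a silently overridden setting, so `WARNF("AFL_TMIN_EXACT is ignored in hang mode.");`, which terminates the line itself, is the better fit. In the `case 'H'` hunk the message `"Multipe -H options not supported"` misspells "Multiple". The last hunk of this file (the mode detection after the first `run_target` call) is cut off at the end of the page, so its trailing context is not reviewed here.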