author: van Hauser <vh@thc.org> 2024-07-01 08:57:38 +0200
committer: GitHub <noreply@github.com> 2024-07-01 08:57:38 +0200
commit: 53409530b369e560c7f6f37ead5a5db9e116efd0
tree: 6449fa84e6b9e26849d298af881014b18f55dc0b /docs
parent: 36db3428ab16156dd72196213d2a02a5eadaed11
parent: 43014cd465eec8cc47eda041802001776dbb5dd5
Merge pull request #2141 from AFLplusplus/dev
push to stable
Diffstat (limited to 'docs'):
 docs/Changelog.md       | 18
 docs/custom_mutators.md |  5
 docs/env_variables.md   | 43
 3 files changed, 57 insertions, 9 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 1590b2df..d33d3121 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -4,11 +4,29 @@
release of the tool. See README.md for the general instruction manual.
### Version ++4.22a (dev)
+ - afl-fuzz:
+ - fastresume feature added. if you abort fuzzing and resume fuzzing
+ with `-i -` or `AFL_AUTORESUME=1` and the target binary has not changed
+ then a dump will be loaded and the calibration phase skipped.
+ to disable this feature set `AFL_NO_FASTRESUME=1`
+ zlib compression is used if zlib is found at compile time
+ - improved seed selection algorithm
+ - added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send()
+ function after the target has been restarted.
- frida_mode:
- AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
a function entry
- AFL_DEBUG is now the same as AFL_FRIDA_VERBOSE
- AFL_FRIDA_DEBUG_MAPS now works as expected
+ - qemu_mode:
+ - new hooks supported (optional), see qemu_mode/hooking_bridge - thanks to
+ @CowBoy4mH3LL
+ - custom mutators:
+ - custom_send_tcp custom mutator added, thanks to @dergoegge
+ - afl-cc
+ - new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla
+ AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with
+ AFL_LLVM_INSTRUMENT=CLASSIC
### Version ++4.21c (release)
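Review bot: The new `- afl-cc` component header near the end of the hunk is missing the trailing colon that its siblings carry (`afl-fuzz:`, `frida_mode:`, `qemu_mode:`, `custom mutators:`), and the fastresume bullet runs several sentences together in lowercase with no sentence break before `zlib compression is used if zlib is found at compile time`. Suggest `- afl-cc:` and splitting the fastresume item into sentences, e.g. `If you abort fuzzing and resume with ...`, `To disable this feature set AFL_NO_FASTRESUME=1.`, `zlib compression is used if zlib is found at compile time.` Since `AFL_OLD_FORKSERVER` is announced here as a "new runtime (!) variable", it would also help to point readers at the new "Runtime settings" section of env_variables.md that this same PR adds.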
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index b7a7032f..3067ceab 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -198,6 +198,11 @@ def deinit(): # optional for Python
This method can be used if you want to send data to the target yourself,
e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
that you start the target with afl-fuzz.
+
+ Setting `AFL_CUSTOM_MUTATOR_LATE_SEND` will call the afl_custom_fuzz_send()
+ function after the target has been restarted. (This is needed for e.g. TCP
+ services.)
+
Example: [custom_mutators/examples/custom_send.c](../custom_mutators/examples/custom_send.c)
- `queue_new_entry` (optional):
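Review bot: The added paragraph says "Setting `AFL_CUSTOM_MUTATOR_LATE_SEND`" without a value, while the Changelog entry in this PR writes `AFL_CUSTOM_MUTATOR_LATE_SEND=1`; suggest using the same form here (and in the env_variables.md copy of this text) so users do not have to guess whether the value matters. It would also help to say what "after the target has been restarted" means in practice, i.e. at which point in the execution cycle afl_custom_fuzz_send() is now invoked and why that ordering matters for a TCP service, rather than only the parenthetical "This is needed for e.g. TCP services".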
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 22e0ce0f..8c2d5848 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -331,7 +331,26 @@ mode.
the target performs only a few loops, then this will give a small
performance boost.
-## 4) Settings for afl-fuzz
+## 4) Runtime settings
+
+The following environment variables are for a compiled AFL++ target.
+
+ - Setting `AFL_DUMP_MAP_SIZE` when executing the target directly will
+ dump the map size of the target and exit.
+
+ - Setting `AFL_OLD_FORKSERVER` will use the old AFL vanilla forkserver.
+ This makes only sense when you
+ a) compile in a classic colliding coverage mode (e.g.
+ AFL_LLVM_INSTRUMENT=CLASSIC) or if the map size of the target is
+ below MAP_SIZE (65536 by default), AND
+ b) you want to use this compiled AFL++ target with a different tool
+ that expects vanilla AFL behaviour, e.g. symcc, symqemu, nautilus, etc.
+ You would use this option together with the target fuzzing application.
+
+ - Setting `AFL_DISABLE_LLVM_INSTRUMENTATION` will disable collecting
+ instrumentation. (More of an internal option.)
+
+## 5) Settings for afl-fuzz
The main fuzzer binary accepts several options that disable a couple of sanity
checks or alter some of the more exotic semantics of the tool:
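Review bot: Grammar and clarity in the new `AFL_OLD_FORKSERVER` entry: "This makes only sense when you" should read "This only makes sense when you", and the closing sentence "You would use this option together with the target fuzzing application." leaves open which process is expected to read the variable (the AFL++-compiled target, afl-fuzz, or the external tool such as symcc/symqemu/nautilus); suggest stating that explicitly. Condition a) also mixes two constructions ("compile in ... or if the map size ..."); parallel phrasing such as "the target was compiled with a classic colliding coverage mode (e.g. AFL_LLVM_INSTRUMENT=CLASSIC) or its map size is below MAP_SIZE (65536 by default)" reads better. The `AFL_DISABLE_LLVM_INSTRUMENTATION` bullet ("More of an internal option.") gives the reader no idea when it applies; either document its effect or leave it out of a user-facing list.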
@@ -368,6 +387,10 @@ checks or alter some of the more exotic semantics of the tool:
XML or other highly flexible structured input. For details, see
[custom_mutators.md](custom_mutators.md).
+ - Setting `AFL_CUSTOM_MUTATOR_LATE_SEND` will call the afl_custom_fuzz_send()
+ function after the target has been restarted. (This is needed for e.g. TCP
+ services.)
+
- Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time
a cycle is finished.
@@ -514,6 +537,8 @@ checks or alter some of the more exotic semantics of the tool:
- `AFL_NO_SNAPSHOT` will advise afl-fuzz not to use the snapshot feature if
the snapshot lkm is loaded.
+ - `AFL_NO_FASTRESUME` will not try to read or write a fast resume file.
+
- Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints
some basic stats. This behavior is also automatically triggered when the
output from afl-fuzz is redirected to a file or to a pipe.
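Review bot: The new `AFL_NO_FASTRESUME` bullet does not say what a fast resume file is or when afl-fuzz reads or writes one; the Changelog hunk in this same PR states the conditions (resume with `-i -` or `AFL_AUTORESUME=1`, target binary unchanged, calibration phase skipped, zlib compression when available). Suggest carrying at least the resume condition and the "binary unchanged" check over here, since that is what a user deciding whether to disable the feature needs, e.g. `- AFL_NO_FASTRESUME will not try to read or write a fast resume file (the calibration dump that is loaded on -i - / AFL_AUTORESUME=1 when the target binary has not changed).`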
@@ -636,7 +661,7 @@ checks or alter some of the more exotic semantics of the tool:
Note that will not be exact and with slow targets it can take seconds
until there is a slice for the time test.
-## 5) Settings for afl-qemu-trace
+## 6) Settings for afl-qemu-trace
The QEMU wrapper used to instrument binary-only code supports several settings:
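Review bot: After this renumbering the section sequence in env_variables.md goes `6) Settings for afl-qemu-trace` and then, in the next hunk, `8) Settings for afl-frida-trace`, with no hunk in this diff touching a section 7; the same gap existed before the change (5 followed by 7). Either a `## 6)` heading sits between them that this diff leaves unrenumbered (and which now collides with the new 6), or the numbering has always skipped one; please check the file and either renumber that section to 7 or close the gap.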
@@ -708,7 +733,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
crash is found. Setting `AFL_NO_CRASH_README` will prevent this. Useful when
counting crashes based on a file count in that directory.
-## 7) Settings for afl-frida-trace
+## 8) Settings for afl-frida-trace
The FRIDA wrapper used to instrument binary-only code supports many of the same
options as `afl-qemu-trace`, but also has a number of additional advanced
@@ -798,7 +823,7 @@ support.
dump you must set a sufficient timeout (using `-t`) to avoid `afl-fuzz`
killing the process whilst it is being dumped.
-## 8) Settings for afl-cmin
+## 9) Settings for afl-cmin
The corpus minimization script offers very little customization:
@@ -816,7 +841,7 @@ The corpus minimization script offers very little customization:
- `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
This can help when embedding `afl-cmin` or `afl-showmap` in other scripts.
-## 9) Settings for afl-tmin
+## 10) Settings for afl-tmin
Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be
searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a
@@ -827,12 +852,12 @@ to match when minimizing crashes. This will make minimization less useful, but
may prevent the tool from "jumping" from one crashing condition to another in
very buggy software. You probably want to combine it with the `-e` flag.
-## 10) Settings for afl-analyze
+## 11) Settings for afl-analyze
You can set `AFL_ANALYZE_HEX` to get file offsets printed as hexadecimal instead
of decimal.
-## 11) Settings for libdislocator
+## 12) Settings for libdislocator
The library honors these environment variables:
@@ -854,12 +879,12 @@ The library honors these environment variables:
- `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that
may be useful for pinpointing the cause of any observed issues.
-## 11) Settings for libtokencap
+## 13) Settings for libtokencap
This library accepts `AFL_TOKEN_FILE` to indicate the location to which the
discovered tokens should be written.
-## 12) Third-party variables set by afl-fuzz & other tools
+## 14) Third-party variables set by afl-fuzz & other tools
Several variables are not directly interpreted by afl-fuzz, but are set to
optimal values if not already present in the environment:
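Review bot: This hunk, together with the libdislocator rename just above it, also resolves the previous duplicate heading number (libdislocator and libtokencap were both `## 11)` before; they are now 12 and 13). Worth a line in the commit message, since otherwise the whole renumbering reads as a mechanical side effect of inserting the new section 4.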