aboutsummaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorvan Hauser <vh@thc.org>2020-03-09 12:21:54 +0100
committervan Hauser <vh@thc.org>2020-03-09 12:21:54 +0100
commit988a32ced5ce08465940c985bb538c87d4c4b4e7 (patch)
tree1a8362bd269384c38ee2be0d8db92998a39f6445 /include
parent188a6f5ec58d776d2246baed9a66fdd56245bc28 (diff)
downloadafl++-988a32ced5ce08465940c985bb538c87d4c4b4e7.tar.gz
code-format
Diffstat (limited to 'include')
-rw-r--r--include/afl-fuzz.h392
-rw-r--r--include/afl-prealloc.h161
-rw-r--r--include/common.h5
-rw-r--r--include/forkserver.h36
-rw-r--r--include/list.h85
-rw-r--r--include/sharedmem.h26
6 files changed, 373 insertions, 332 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index c773d085..9ef888d9 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -109,8 +109,8 @@
extern s8 interesting_8[INTERESTING_8_LEN];
extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
-extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
-
+extern s32
+ interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
struct queue_entry {
@@ -233,7 +233,7 @@ enum {
};
-extern u8 *doc_path; /* gath to documentation dir */
+extern u8* doc_path; /* gath to documentation dir */
/* Python stuff */
#ifdef USE_PYTHON
@@ -263,7 +263,6 @@ extern u8 *doc_path; /* gath to documentation dir */
#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE
#endif
-
enum {
/* 00 */ PY_FUNC_INIT,
@@ -284,18 +283,18 @@ enum {
typedef struct MOpt_globals {
- u64* finds;
- u64* finds_v2;
- u64* cycles;
- u64* cycles_v2;
- u64* cycles_v3;
- u32 is_pilot_mode;
- u64* pTime;
- u64 period;
- char* havoc_stagename;
- char* splice_stageformat;
- char* havoc_stagenameshort;
- char* splice_stagenameshort;
+ u64* finds;
+ u64* finds_v2;
+ u64* cycles;
+ u64* cycles_v2;
+ u64* cycles_v3;
+ u32 is_pilot_mode;
+ u64* pTime;
+ u64 period;
+ char* havoc_stagename;
+ char* splice_stageformat;
+ char* havoc_stagenameshort;
+ char* splice_stagenameshort;
} MOpt_globals_t;
@@ -307,9 +306,9 @@ typedef struct afl_state {
u32 _id;
afl_forkserver_t fsrv;
- sharedmem_t shm;
+ sharedmem_t shm;
- char** argv; /* argv if needed */
+ char** argv; /* argv if needed */
/* MOpt:
Lots of globals, but mostly for the status UI and other things where it
@@ -346,171 +345,170 @@ typedef struct afl_state {
core_operator_finds_puppet_v2[operator_num],
core_operator_cycles_puppet[operator_num],
core_operator_cycles_puppet_v2[operator_num],
- core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
+ core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
double period_pilot_tmp;
s32 key_lv;
- u8 *in_dir, /* Input directory with test cases */
- *out_dir, /* Working & output directory */
- *tmp_dir, /* Temporary directory for input */
- *sync_dir, /* Synchronization directory */
- *sync_id, /* Fuzzer ID */
- *power_name, /* Power schedule name */
- *use_banner, /* Display banner */
- *in_bitmap, /* Input bitmap */
- *file_extension, /* File extension */
- *orig_cmdline, /* Original command line */
- *infoexec; /* Command to execute on a new crash */
-
- u32 hang_tmout; /* Timeout used for hang det (ms) */
-
- u8 cal_cycles, /* Calibration cycles defaults */
- cal_cycles_long, /* Calibration cycles defaults */
- no_unlink, /* do not unlink cur_input */
- debug, /* Debug mode */
- custom_only, /* Custom mutator only mode */
- python_only; /* Python-only mode */
-
- u32 stats_update_freq; /* Stats update frequency (execs) */
-
- u8 schedule; /* Power schedule (default: EXPLORE)*/
+ u8 *in_dir, /* Input directory with test cases */
+ *out_dir, /* Working & output directory */
+ *tmp_dir, /* Temporary directory for input */
+ *sync_dir, /* Synchronization directory */
+ *sync_id, /* Fuzzer ID */
+ *power_name, /* Power schedule name */
+ *use_banner, /* Display banner */
+ *in_bitmap, /* Input bitmap */
+ *file_extension, /* File extension */
+ *orig_cmdline, /* Original command line */
+ *infoexec; /* Command to execute on a new crash */
+
+ u32 hang_tmout; /* Timeout used for hang det (ms) */
+
+ u8 cal_cycles, /* Calibration cycles defaults */
+ cal_cycles_long, /* Calibration cycles defaults */
+ no_unlink, /* do not unlink cur_input */
+ debug, /* Debug mode */
+ custom_only, /* Custom mutator only mode */
+ python_only; /* Python-only mode */
+
+ u32 stats_update_freq; /* Stats update frequency (execs) */
+
+ u8 schedule; /* Power schedule (default: EXPLORE)*/
u8 havoc_max_mult;
u8 use_radamsa;
size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
- u8 skip_deterministic, /* Skip deterministic stages? */
- force_deterministic, /* Force deterministic stages? */
- use_splicing, /* Recombine input files? */
- dumb_mode, /* Run in non-instrumented mode? */
- score_changed, /* Scoring for favorites changed? */
- kill_signal, /* Signal that killed the child */
- resuming_fuzz, /* Resuming an older fuzzing job? */
- timeout_given, /* Specific timeout given? */
- not_on_tty, /* stdout is not a tty */
- term_too_small, /* terminal dimensions too small */
- no_forkserver, /* Disable forkserver? */
- crash_mode, /* Crash mode! Yeah! */
- in_place_resume, /* Attempt in-place resume? */
- autoresume, /* Resume if afl->out_dir exists? */
- auto_changed, /* Auto-generated tokens changed? */
- no_cpu_meter_red, /* Feng shui on the status screen */
- no_arith, /* Skip most arithmetic ops */
- shuffle_queue, /* Shuffle input queue? */
- bitmap_changed, /* Time to update bitmap? */
- qemu_mode, /* Running in QEMU mode? */
- unicorn_mode, /* Running in Unicorn mode? */
- use_wine, /* Use WINE with QEMU mode */
- skip_requested, /* Skip request, via SIGUSR1 */
- run_over10m, /* Run time over 10 minutes? */
- persistent_mode, /* Running in persistent mode? */
- deferred_mode, /* Deferred forkserver mode? */
- fixed_seed, /* do not reseed */
- fast_cal, /* Try to calibrate faster? */
- disable_trim; /* Never trim in fuzz_one */
-
- u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
- virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */
- virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */
-
- u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */
-
- volatile u8 stop_soon, /* Ctrl-C pressed? */
- clear_screen; /* Window resized? */
-
- u32 queued_paths, /* Total number of queued testcases */
- queued_variable, /* Testcases with variable behavior */
- queued_at_start, /* Total number of initial inputs */
- queued_discovered, /* Items discovered during this run */
- queued_imported, /* Items imported via -S */
- queued_favored, /* Paths deemed favorable */
- queued_with_cov, /* Paths with new coverage bytes */
- pending_not_fuzzed, /* Queued but not done yet */
- pending_favored, /* Pending favored paths */
- cur_skipped_paths, /* Abandoned inputs in cur cycle */
- cur_depth, /* Current path depth */
- max_depth, /* Max path depth */
- useless_at_start, /* Number of useless starting paths */
- var_byte_count, /* Bitmap bytes with var behavior */
- current_entry, /* Current queue entry ID */
- havoc_div; /* Cycle count divisor for havoc */
-
- u64 total_crashes, /* Total number of crashes */
- unique_crashes, /* Crashes with unique signatures */
- total_tmouts, /* Total number of timeouts */
- unique_tmouts, /* Timeouts with unique signatures */
- unique_hangs, /* Hangs with unique signatures */
- total_execs, /* Total execve() calls */
- slowest_exec_ms, /* Slowest testcase non hang in ms */
- start_time, /* Unix start time (ms) */
- last_path_time, /* Time for most recent path (ms) */
- last_crash_time, /* Time for most recent crash (ms) */
- last_hang_time, /* Time for most recent hang (ms) */
- last_crash_execs, /* Exec counter at last crash */
- queue_cycle, /* Queue round counter */
- cycles_wo_finds, /* Cycles without any new paths */
- trim_execs, /* Execs done to trim input files */
- bytes_trim_in, /* Bytes coming into the trimmer */
- bytes_trim_out, /* Bytes coming outa the trimmer */
- blocks_eff_total, /* Blocks subject to effector maps */
- blocks_eff_select; /* Blocks selected as fuzzable */
-
- u32 subseq_tmouts; /* Number of timeouts in a row */
-
- u8 *stage_name, /* Name of the current fuzz stage */
- *stage_short, /* Short stage name */
- *syncing_party; /* Currently syncing with... */
-
- u8 stage_name_buf64[64]; /* A name buf with len 64 if needed */
-
- s32 stage_cur, stage_max; /* Stage progression */
- s32 splicing_with; /* Splicing with which test case? */
-
- u32 master_id, master_max; /* Master instance job splitting */
-
- u32 syncing_case; /* Syncing with case #... */
-
- s32 stage_cur_byte, /* Byte offset of current stage op */
- stage_cur_val; /* Value used for stage op */
-
- u8 stage_val_type; /* Value type (STAGE_VAL_*) */
-
- u64 stage_finds[32], /* Patterns found per fuzz stage */
- stage_cycles[32]; /* Execs per fuzz stage */
-
- #ifndef HAVE_ARC4RANDOM
- u32 rand_cnt; /* Random number counter */
- #endif
+ u8 skip_deterministic, /* Skip deterministic stages? */
+ force_deterministic, /* Force deterministic stages? */
+ use_splicing, /* Recombine input files? */
+ dumb_mode, /* Run in non-instrumented mode? */
+ score_changed, /* Scoring for favorites changed? */
+ kill_signal, /* Signal that killed the child */
+ resuming_fuzz, /* Resuming an older fuzzing job? */
+ timeout_given, /* Specific timeout given? */
+ not_on_tty, /* stdout is not a tty */
+ term_too_small, /* terminal dimensions too small */
+ no_forkserver, /* Disable forkserver? */
+ crash_mode, /* Crash mode! Yeah! */
+ in_place_resume, /* Attempt in-place resume? */
+ autoresume, /* Resume if afl->out_dir exists? */
+ auto_changed, /* Auto-generated tokens changed? */
+ no_cpu_meter_red, /* Feng shui on the status screen */
+ no_arith, /* Skip most arithmetic ops */
+ shuffle_queue, /* Shuffle input queue? */
+ bitmap_changed, /* Time to update bitmap? */
+ qemu_mode, /* Running in QEMU mode? */
+ unicorn_mode, /* Running in Unicorn mode? */
+ use_wine, /* Use WINE with QEMU mode */
+ skip_requested, /* Skip request, via SIGUSR1 */
+ run_over10m, /* Run time over 10 minutes? */
+ persistent_mode, /* Running in persistent mode? */
+ deferred_mode, /* Deferred forkserver mode? */
+ fixed_seed, /* do not reseed */
+ fast_cal, /* Try to calibrate faster? */
+ disable_trim; /* Never trim in fuzz_one */
+
+ u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
+ virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */
+ virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */
+
+ u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */
+
+ volatile u8 stop_soon, /* Ctrl-C pressed? */
+ clear_screen; /* Window resized? */
+
+ u32 queued_paths, /* Total number of queued testcases */
+ queued_variable, /* Testcases with variable behavior */
+ queued_at_start, /* Total number of initial inputs */
+ queued_discovered, /* Items discovered during this run */
+ queued_imported, /* Items imported via -S */
+ queued_favored, /* Paths deemed favorable */
+ queued_with_cov, /* Paths with new coverage bytes */
+ pending_not_fuzzed, /* Queued but not done yet */
+ pending_favored, /* Pending favored paths */
+ cur_skipped_paths, /* Abandoned inputs in cur cycle */
+ cur_depth, /* Current path depth */
+ max_depth, /* Max path depth */
+ useless_at_start, /* Number of useless starting paths */
+ var_byte_count, /* Bitmap bytes with var behavior */
+ current_entry, /* Current queue entry ID */
+ havoc_div; /* Cycle count divisor for havoc */
+
+ u64 total_crashes, /* Total number of crashes */
+ unique_crashes, /* Crashes with unique signatures */
+ total_tmouts, /* Total number of timeouts */
+ unique_tmouts, /* Timeouts with unique signatures */
+ unique_hangs, /* Hangs with unique signatures */
+ total_execs, /* Total execve() calls */
+ slowest_exec_ms, /* Slowest testcase non hang in ms */
+ start_time, /* Unix start time (ms) */
+ last_path_time, /* Time for most recent path (ms) */
+ last_crash_time, /* Time for most recent crash (ms) */
+ last_hang_time, /* Time for most recent hang (ms) */
+ last_crash_execs, /* Exec counter at last crash */
+ queue_cycle, /* Queue round counter */
+ cycles_wo_finds, /* Cycles without any new paths */
+ trim_execs, /* Execs done to trim input files */
+ bytes_trim_in, /* Bytes coming into the trimmer */
+ bytes_trim_out, /* Bytes coming outa the trimmer */
+ blocks_eff_total, /* Blocks subject to effector maps */
+ blocks_eff_select; /* Blocks selected as fuzzable */
+
+ u32 subseq_tmouts; /* Number of timeouts in a row */
+
+ u8 *stage_name, /* Name of the current fuzz stage */
+ *stage_short, /* Short stage name */
+ *syncing_party; /* Currently syncing with... */
+
+ u8 stage_name_buf64[64]; /* A name buf with len 64 if needed */
+
+ s32 stage_cur, stage_max; /* Stage progression */
+ s32 splicing_with; /* Splicing with which test case? */
+
+ u32 master_id, master_max; /* Master instance job splitting */
+
+ u32 syncing_case; /* Syncing with case #... */
+
+ s32 stage_cur_byte, /* Byte offset of current stage op */
+ stage_cur_val; /* Value used for stage op */
+
+ u8 stage_val_type; /* Value type (STAGE_VAL_*) */
+
+ u64 stage_finds[32], /* Patterns found per fuzz stage */
+ stage_cycles[32]; /* Execs per fuzz stage */
+
+#ifndef HAVE_ARC4RANDOM
+ u32 rand_cnt; /* Random number counter */
+#endif
u32 rand_seed[2];
s64 init_seed;
- u64 total_cal_us, /* Total calibration time (us) */
- total_cal_cycles; /* Total calibration cycles */
+ u64 total_cal_us, /* Total calibration time (us) */
+ total_cal_cycles; /* Total calibration cycles */
- u64 total_bitmap_size, /* Total bit count for all bitmaps */
- total_bitmap_entries; /* Number of bitmaps counted */
+ u64 total_bitmap_size, /* Total bit count for all bitmaps */
+ total_bitmap_entries; /* Number of bitmaps counted */
- s32 cpu_core_count; /* CPU core count */
+ s32 cpu_core_count; /* CPU core count */
#ifdef HAVE_AFFINITY
- s32 cpu_aff; /* Selected CPU core */
-#endif /* HAVE_AFFINITY */
+ s32 cpu_aff; /* Selected CPU core */
+#endif /* HAVE_AFFINITY */
- struct queue_entry *queue, /* Fuzzing queue (linked list) */
- *queue_cur, /* Current offset within the queue */
- *queue_top, /* Top of the list */
- *q_prev100; /* Previous 100 marker */
+ struct queue_entry *queue, /* Fuzzing queue (linked list) */
+ *queue_cur, /* Current offset within the queue */
+ *queue_top, /* Top of the list */
+ *q_prev100; /* Previous 100 marker */
- struct queue_entry*
- top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
+ struct queue_entry* top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
- struct extra_data* extras; /* Extra tokens to fuzz with */
- u32 extras_cnt; /* Total number of tokens read */
+ struct extra_data* extras; /* Extra tokens to fuzz with */
+ u32 extras_cnt; /* Total number of tokens read */
- struct extra_data* a_extras; /* Automatically selected extras */
- u32 a_extras_cnt; /* Total number of tokens available */
+ struct extra_data* a_extras; /* Automatically selected extras */
+ u32 a_extras_cnt; /* Total number of tokens available */
u8* (*post_handler)(u8* buf, u32* len);
@@ -525,12 +523,13 @@ typedef struct afl_state {
/* cmplog forkserver ids */
s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
- u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */
+ u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
+ up to 256 */
#ifdef USE_PYTHON
/* Python Mutators */
- PyObject *py_module;
- PyObject *py_functions[PY_FUNC_COUNT];
+ PyObject* py_module;
+ PyObject* py_functions[PY_FUNC_COUNT];
#endif
#ifdef _AFL_DOCUMENT_MUTATIONS
@@ -540,7 +539,8 @@ typedef struct afl_state {
} afl_state_t;
-/* A global pointer to all instances is needed (for now) for signals to arrive */
+/* A global pointer to all instances is needed (for now) for signals to arrive
+ */
extern list_t afl_states;
@@ -558,7 +558,7 @@ struct custom_mutator {
*
* @param seed Seed used for the mutation.
*/
- void (*afl_custom_init)(afl_state_t *afl, unsigned int seed);
+ void (*afl_custom_init)(afl_state_t* afl, unsigned int seed);
/**
* Perform custom mutations on a given input
@@ -574,8 +574,8 @@ struct custom_mutator {
* not produce data larger than max_size.
* @return Size of the mutated output.
*/
- size_t (*afl_custom_fuzz)(afl_state_t *afl, u8** buf, size_t buf_size, u8* add_buf,
- size_t add_buf_size, size_t max_size);
+ size_t (*afl_custom_fuzz)(afl_state_t* afl, u8** buf, size_t buf_size,
+ u8* add_buf, size_t add_buf_size, size_t max_size);
/**
* A post-processing function to use right before AFL writes the test case to
@@ -591,7 +591,8 @@ struct custom_mutator {
* will release the memory after saving the test case.
* @return Size of the output buffer after processing
*/
- size_t (*afl_custom_pre_save)(afl_state_t *afl, u8* buf, size_t buf_size, u8** out_buf);
+ size_t (*afl_custom_pre_save)(afl_state_t* afl, u8* buf, size_t buf_size,
+ u8** out_buf);
/**
* This method is called at the start of each trimming operation and receives
@@ -613,7 +614,7 @@ struct custom_mutator {
* @param buf_size Size of the test case
* @return The amount of possible iteration steps to trim the input
*/
- u32 (*afl_custom_init_trim)(afl_state_t *afl, u8* buf, size_t buf_size);
+ u32 (*afl_custom_init_trim)(afl_state_t* afl, u8* buf, size_t buf_size);
/**
* This method is called for each trimming operation. It doesn't have any
@@ -631,7 +632,7 @@ struct custom_mutator {
* the memory after saving the test case.
* @param[out] out_buf_size Pointer to the size of the trimmed test case
*/
- void (*afl_custom_trim)(afl_state_t *afl, u8** out_buf, size_t* out_buf_size);
+ void (*afl_custom_trim)(afl_state_t* afl, u8** out_buf, size_t* out_buf_size);
/**
* This method is called after each trim operation to inform you if your
@@ -644,8 +645,8 @@ struct custom_mutator {
* @return The next trim iteration index (from 0 to the maximum amount of
* steps returned in init_trim)
*/
- u32 (*afl_custom_post_trim)(afl_state_t *afl, u8 success);
-
+ u32 (*afl_custom_post_trim)(afl_state_t* afl, u8 success);
+
/**
* Perform a single custom mutation on a given input.
* This mutation is stacked with the other muatations in havoc.
@@ -659,8 +660,9 @@ struct custom_mutator {
* not produce data larger than max_size.
* @return Size of the mutated output.
*/
- size_t (*afl_custom_havoc_mutation)(afl_state_t *afl, u8** buf, size_t buf_size, size_t max_size);
-
+ size_t (*afl_custom_havoc_mutation)(afl_state_t* afl, u8** buf,
+ size_t buf_size, size_t max_size);
+
/**
* Return the probability (in percentage) that afl_custom_havoc_mutation
* is called in havoc. By default it is 6 %.
@@ -669,7 +671,7 @@ struct custom_mutator {
*
* @return The probability (0-100).
*/
- u8 (*afl_custom_havoc_mutation_probability)(afl_state_t *afl);
+ u8 (*afl_custom_havoc_mutation_probability)(afl_state_t* afl);
/**
* Determine whether the fuzzer should fuzz the current queue entry or not.
@@ -680,7 +682,7 @@ struct custom_mutator {
* @return Return True(1) if the fuzzer will fuzz the queue entry, and
* False(0) otherwise.
*/
- u8 (*afl_custom_queue_get)(afl_state_t *afl, const u8* filename);
+ u8 (*afl_custom_queue_get)(afl_state_t* afl, const u8* filename);
/**
* Allow for additional analysis (e.g. calling a different tool that does a
@@ -692,14 +694,13 @@ struct custom_mutator {
* @param filename_orig_queue File name of the original queue entry. This
* argument can be NULL while initializing the fuzzer
*/
- void (*afl_custom_queue_new_entry)(afl_state_t *afl, const u8* filename_new_queue,
- const u8* filename_orig_queue);
+ void (*afl_custom_queue_new_entry)(afl_state_t* afl,
+ const u8* filename_new_queue,
+ const u8* filename_orig_queue);
};
-
-
-void afl_state_init(afl_state_t *);
+void afl_state_init(afl_state_t*);
void afl_state_deinit(afl_state_t*);
/**** Prototypes ****/
@@ -707,13 +708,13 @@ void afl_state_deinit(afl_state_t*);
/* Custom mutators */
void setup_custom_mutator(afl_state_t*);
void destroy_custom_mutator(afl_state_t*);
-u8 trim_case_custom(afl_state_t *, struct queue_entry* q, u8* in_buf);
+u8 trim_case_custom(afl_state_t*, struct queue_entry* q, u8* in_buf);
/* Python */
#ifdef USE_PYTHON
-int init_py_module(afl_state_t*, u8*);
-void finalize_py_module(afl_state_t*);
+int init_py_module(afl_state_t*, u8*);
+void finalize_py_module(afl_state_t*);
void init_py(afl_state_t*, unsigned int);
size_t fuzz_py(afl_state_t*, u8**, size_t, u8*, size_t, size_t);
@@ -721,7 +722,7 @@ size_t pre_save_py(afl_state_t*, u8*, size_t, u8**);
u32 init_trim_py(afl_state_t*, u8*, size_t);
u32 post_trim_py(afl_state_t*, u8);
void trim_py(afl_state_t*, u8**, size_t*);
-size_t havoc_mutation_py(afl_state_t *, u8**, size_t, size_t);
+size_t havoc_mutation_py(afl_state_t*, u8**, size_t, size_t);
u8 havoc_mutation_probability_py(afl_state_t*);
u8 queue_get_py(afl_state_t*, const u8*);
void queue_new_entry_py(afl_state_t*, const u8*, const u8*);
@@ -759,7 +760,7 @@ void minimize_bits(u8*, u8*);
u8* describe_op(afl_state_t*, u8);
#endif
u8 save_if_interesting(afl_state_t*, void*, u32, u8);
-u8 has_new_bits(afl_state_t *, u8*);
+u8 has_new_bits(afl_state_t*, u8*);
/* Misc */
@@ -830,11 +831,11 @@ void save_cmdline(afl_state_t*, u32, char**);
/* CmpLog */
-void init_cmplog_forkserver(afl_state_t *afl);
-u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
+void init_cmplog_forkserver(afl_state_t* afl);
+u8 common_fuzz_cmplog_stuff(afl_state_t* afl, u8* out_buf, u32 len);
/* RedQueen */
-u8 input_to_state_stage(afl_state_t *afl, u8* orig_buf, u8* buf, u32 len,
+u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len,
u32 exec_cksum);
/**** Inline routines ****/
@@ -842,7 +843,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8* orig_buf, u8* buf, u32 len,
/* Generate a random number (from 0 to limit - 1). This may
have slight bias. */
-static inline u32 UR(afl_state_t *afl, u32 limit) {
+static inline u32 UR(afl_state_t* afl, u32 limit) {
#ifdef HAVE_ARC4RANDOM
if (afl->fixed_seed) { return random() % limit; }
@@ -853,7 +854,8 @@ static inline u32 UR(afl_state_t *afl, u32 limit) {
#else
if (!afl->fixed_seed && unlikely(!afl->rand_cnt--)) {
- ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed), "/dev/urandom");
+ ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed),
+ "/dev/urandom");
srandom(afl->rand_seed[0]);
afl->rand_cnt = (RESEED_RNG / 2) + (afl->rand_seed[1] % RESEED_RNG);
@@ -864,7 +866,7 @@ static inline u32 UR(afl_state_t *afl, u32 limit) {
}
-static inline u32 get_rand_seed(afl_state_t *afl) {
+static inline u32 get_rand_seed(afl_state_t* afl) {
if (afl->fixed_seed) return (u32)afl->init_seed;
return afl->rand_seed[0];
@@ -883,4 +885,4 @@ static u64 next_p2(u64 val) {
}
-#endif \ No newline at end of file
+#endif
diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h
index 712cdec6..fb307eb3 100644
--- a/include/afl-prealloc.h
+++ b/include/afl-prealloc.h
@@ -1,4 +1,5 @@
-/* If we know we'll reuse small elements often, we'll just preallocate a buffer, then fall back to malloc */
+/* If we know we'll reuse small elements often, we'll just preallocate a buffer,
+ * then fall back to malloc */
// TODO: Replace free status check with bitmask+CLZ
#ifndef AFL_PREALLOC_H
@@ -11,91 +12,109 @@
#include "debug.h"
typedef enum prealloc_status {
- PRE_STATUS_UNUSED = 0,/* free in buf */
- PRE_STATUS_USED, /* used in buf */
- PRE_STATUS_MALLOC /* system malloc */
-} pre_status_t;
+ PRE_STATUS_UNUSED = 0, /* free in buf */
+ PRE_STATUS_USED, /* used in buf */
+ PRE_STATUS_MALLOC /* system malloc */
-/* Adds the entry used for prealloc bookkeeping to this struct */
+} pre_status_t;
-#define PREALLOCABLE ;pre_status_t pre_status; /* prealloc status of this instance */
+/* Adds the entry used for prealloc bookkeeping to this struct */
+#define PREALLOCABLE \
+ ; \
+ pre_status_t pre_status; /* prealloc status of this instance */
/* allocate an element of type *el_ptr, to this variable.
Uses (and reuses) the given prealloc_buf before hitting libc's malloc.
prealloc_buf must be the pointer to an array with type `type`.
- `type` must be a struct with uses PREALLOCABLE (a pre_status_t pre_status member).
- prealloc_size must be the array size.
- prealloc_counter must be a variable initialized with 0 (of any name).
+ `type` must be a struct with uses PREALLOCABLE (a pre_status_t pre_status
+ member). prealloc_size must be the array size. prealloc_counter must be a
+ variable initialized with 0 (of any name).
*/
-#define PRE_ALLOC(el_ptr, prealloc_buf, prealloc_size, prealloc_counter) do { \
- \
- if ((prealloc_counter) >= (prealloc_size)) { \
- \
- el_ptr = malloc(sizeof(*el_ptr)); \
- el_ptr->pre_status = PRE_STATUS_MALLOC; \
- \
- } else { \
- \
- /* Find one of our preallocated elements */ \
- u32 i; \
- for (i = 0; i < (prealloc_size); i++) { \
- \
- el_ptr = &((prealloc_buf)[i]); \
- if (el_ptr->pre_status == PRE_STATUS_UNUSED) { \
- \
- (prealloc_counter)++; \
- el_ptr->pre_status = PRE_STATUS_USED; \
- break; \
- \
- } \
- } \
- } \
- \
- if(!el_ptr) { \
- FATAL("BUG in list.h -> no element found or allocated!"); \
- } \
-} while(0);
-
+#define PRE_ALLOC(el_ptr, prealloc_buf, prealloc_size, prealloc_counter) \
+ do { \
+ \
+ if ((prealloc_counter) >= (prealloc_size)) { \
+ \
+ el_ptr = malloc(sizeof(*el_ptr)); \
+ el_ptr->pre_status = PRE_STATUS_MALLOC; \
+ \
+ } else { \
+ \
+ /* Find one of our preallocated elements */ \
+ u32 i; \
+ for (i = 0; i < (prealloc_size); i++) { \
+ \
+ el_ptr = &((prealloc_buf)[i]); \
+ if (el_ptr->pre_status == PRE_STATUS_UNUSED) { \
+ \
+ (prealloc_counter)++; \
+ el_ptr->pre_status = PRE_STATUS_USED; \
+ break; \
+ \
+ } \
+ \
+ } \
+ \
+ } \
+ \
+ if (!el_ptr) { FATAL("BUG in list.h -> no element found or allocated!"); } \
+ \
+ } while (0);
/* Take a chosen (free) element from the prealloc_buf directly */
-#define PRE_ALLOC_FORCE(el_ptr, prealloc_counter) do { \
- if ((el_ptr)->pre_status != PRE_STATUS_UNUSED) { \
- FATAL("PRE_ALLOC_FORCE element already allocated"); \
- } \
- (el_ptr)->pre_status = PRE_STATUS_USED; \
- (prealloc_counter)++; \
-} while(0);
-
+#define PRE_ALLOC_FORCE(el_ptr, prealloc_counter) \
+ do { \
+ \
+ if ((el_ptr)->pre_status != PRE_STATUS_UNUSED) { \
+ \
+ FATAL("PRE_ALLOC_FORCE element already allocated"); \
+ \
+ } \
+ (el_ptr)->pre_status = PRE_STATUS_USED; \
+ (prealloc_counter)++; \
+ \
+ } while (0);
/* free an preallocated element */
-#define PRE_FREE(el_ptr, prealloc_counter) do { \
- \
- switch ((el_ptr)->pre_status) { \
- \
- case PRE_STATUS_USED: { \
- (el_ptr)->pre_status = PRE_STATUS_UNUSED; \
- (prealloc_counter)--; \
- if ((prealloc_counter) < 0) { \
- FATAL("Inconsistent data in PRE_FREE"); \
- } \
- break; \
- } \
- case PRE_STATUS_MALLOC: { \
- (el_ptr)->pre_status = PRE_STATUS_UNUSED; \
- free((el_ptr)); \
- break; \
- } \
- default: { \
- FATAL("Double Free Detected"); \
- break; \
- } \
- \
- } \
-} while(0);
+#define PRE_FREE(el_ptr, prealloc_counter) \
+ do { \
+ \
+ switch ((el_ptr)->pre_status) { \
+ \
+ case PRE_STATUS_USED: { \
+ \
+ (el_ptr)->pre_status = PRE_STATUS_UNUSED; \
+ (prealloc_counter)--; \
+ if ((prealloc_counter) < 0) { \
+ \
+ FATAL("Inconsistent data in PRE_FREE"); \
+ \
+ } \
+ break; \
+ \
+ } \
+ case PRE_STATUS_MALLOC: { \
+ \
+ (el_ptr)->pre_status = PRE_STATUS_UNUSED; \
+ free((el_ptr)); \
+ break; \
+ \
+ } \
+ default: { \
+ \
+ FATAL("Double Free Detected"); \
+ break; \
+ \
+ } \
+ \
+ } \
+ \
+ } while (0);
#endif
+
diff --git a/include/common.h b/include/common.h
index 780e083b..d794d0ac 100644
--- a/include/common.h
+++ b/include/common.h
@@ -33,8 +33,8 @@
void detect_file_args(char** argv, u8* prog_in, u8 use_stdin);
void check_environment_vars(char** env);
-char** get_qemu_argv(u8* own_loc, u8 **target_path_p, int argc, char **argv);
-char** get_wine_argv(u8* own_loc, u8 **target_path_p, int argc, char **argv);
+char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv);
+char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv);
char* get_afl_env(char* env);
/* Get unix time in milliseconds */
@@ -64,3 +64,4 @@ static u64 get_cur_time_us(void) {
}
#endif
+
diff --git a/include/forkserver.h b/include/forkserver.h
index 3587427b..ac027576 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -33,36 +33,34 @@ typedef struct afl_forkserver {
/* a program that includes afl-forkserver needs to define these */
- u8 uses_asan; /* Target uses ASAN? */
- u8* trace_bits; /* SHM with instrumentation bitmap */
- u8 use_stdin; /* use stdin for sending data */
+ u8 uses_asan; /* Target uses ASAN? */
+ u8 *trace_bits; /* SHM with instrumentation bitmap */
+ u8 use_stdin; /* use stdin for sending data */
-s32 fsrv_pid, /* PID of the fork server */
- child_pid, /* PID of the fuzzed program */
- out_dir_fd; /* FD of the lock file */
+ s32 fsrv_pid, /* PID of the fork server */
+ child_pid, /* PID of the fuzzed program */
+ out_dir_fd; /* FD of the lock file */
-s32 out_fd, /* Persistent fd for afl->fsrv.out_file */
+ s32 out_fd, /* Persistent fd for afl->fsrv.out_file */
#ifndef HAVE_ARC4RANDOM
- dev_urandom_fd, /* Persistent fd for /dev/urandom */
+ dev_urandom_fd, /* Persistent fd for /dev/urandom */
#endif
- dev_null_fd, /* Persistent fd for /dev/null */
- fsrv_ctl_fd, /* Fork server control pipe (write) */
- fsrv_st_fd; /* Fork server status pipe (read) */
+ dev_null_fd, /* Persistent fd for /dev/null */
+ fsrv_ctl_fd, /* Fork server control pipe (write) */
+ fsrv_st_fd; /* Fork server status pipe (read) */
- u32 exec_tmout; /* Configurable exec timeout (ms) */
- u64 mem_limit; /* Memory cap for child (MB) */
+ u32 exec_tmout; /* Configurable exec timeout (ms) */
+ u64 mem_limit; /* Memory cap for child (MB) */
- u8 *out_file, /* File to fuzz, if any */
- *target_path; /* Path of the target */
+ u8 *out_file, /* File to fuzz, if any */
+ *target_path; /* Path of the target */
- FILE* plot_file; /* Gnuplot output file */
+ FILE *plot_file; /* Gnuplot output file */
- u8 child_timed_out; /* Traced process timed out? */
+ u8 child_timed_out; /* Traced process timed out? */
} afl_forkserver_t;
-
-
void handle_timeout(int sig);
void afl_fsrv_init(afl_forkserver_t *fsrv);
void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv);
diff --git a/include/list.h b/include/list.h
index 7184850f..6f84b12d 100644
--- a/include/list.h
+++ b/include/list.h
@@ -8,21 +8,23 @@
#include "debug.h"
#include "afl-prealloc.h"
-#define LIST_PREALLOC_SIZE (64) /* How many elements to allocate before malloc is needed */
+#define LIST_PREALLOC_SIZE \
+ (64) /* How many elements to allocate before malloc is needed */
typedef struct list_element {
+
PREALLOCABLE;
struct list_element *prev;
struct list_element *next;
- void *data;
+ void * data;
} element_t;
typedef struct list {
element_t element_prealloc_buf[LIST_PREALLOC_SIZE];
- u32 element_prealloc_count;
+ u32 element_prealloc_count;
} list_t;
@@ -52,7 +54,8 @@ static void list_append(list_t *list, void *el) {
}
element_t *el_box = NULL;
- PRE_ALLOC(el_box, list->element_prealloc_buf, LIST_PREALLOC_SIZE, list->element_prealloc_count);
+ PRE_ALLOC(el_box, list->element_prealloc_buf, LIST_PREALLOC_SIZE,
+ list->element_prealloc_count);
if (!el_box) FATAL("failed to allocate list element");
el_box->data = el;
el_box->next = head;
@@ -62,59 +65,75 @@ static void list_append(list_t *list, void *el) {
}
-/* Simple foreach.
+/* Simple foreach.
Pointer to the current element is in `el`,
casted to (a pointer) of the given `type`.
A return from this block will return from calling func.
*/
-#define LIST_FOREACH(list, type, block) do { \
- list_t *li = (list); \
- element_t *head = get_head((li)); \
- element_t *el_box = (head)->next; \
- if (!el_box) \
- FATAL("foreach over uninitialized list");\
- while(el_box != head) { \
- type *el = (type *)((el_box)->data); \
- /* get next so el_box can be unlinked */ \
- element_t *next = el_box->next; \
- {block}; \
- el_box = next; \
- } \
-} while(0);
+#define LIST_FOREACH(list, type, block) \
+ do { \
+ \
+ list_t * li = (list); \
+ element_t *head = get_head((li)); \
+ element_t *el_box = (head)->next; \
+ if (!el_box) FATAL("foreach over uninitialized list"); \
+ while (el_box != head) { \
+ \
+ type *el = (type *)((el_box)->data); \
+ /* get next so el_box can be unlinked */ \
+ element_t *next = el_box->next; \
+ {block}; \
+ el_box = next; \
+ \
+ } \
+ \
+ } while (0);
/* In foreach: remove the current el from the list */
-#define LIST_REMOVE_CURRENT_EL_IN_FOREACH() do { \
- el_box->prev->next = next; \
- el_box->next->prev = el_box->prev; \
- list_free_el(li, el_box); \
-} while(0);
+#define LIST_REMOVE_CURRENT_EL_IN_FOREACH() \
+ do { \
+ \
+ el_box->prev->next = next; \
+ el_box->next->prev = el_box->prev; \
+ list_free_el(li, el_box); \
+ \
+ } while (0);
/* Same as foreach, but will clear list in the process */
-#define LIST_FOREACH_CLEAR(list, type, block) do { \
- LIST_FOREACH((list), type, { \
- {block}; \
- LIST_REMOVE_CURRENT_EL_IN_FOREACH(); \
- }); \
-} while(0);
+#define LIST_FOREACH_CLEAR(list, type, block) \
+ do { \
+ \
+ LIST_FOREACH((list), type, { \
+ \
+ {block}; \
+ LIST_REMOVE_CURRENT_EL_IN_FOREACH(); \
+ \
+ }); \
+ \
+ } while (0);
/* remove an item from the list */
static void list_remove(list_t *list, void *remove_me) {
LIST_FOREACH(list, void, {
+
if (el == remove_me) {
+
el_box->prev->next = el_box->next;
el_box->next->prev = el_box->prev;
el_box->data = NULL;
list_free_el(list, el_box);
return;
+
}
+
});
- FATAL ("List item to be removed not in list");
+ FATAL("List item to be removed not in list");
}
@@ -123,11 +142,13 @@ static void list_remove(list_t *list, void *remove_me) {
static bool list_contains(list_t *list, void *contains_me) {
LIST_FOREACH(list, void, {
+
if (el == contains_me) return true;
+
});
return false;
}
-#endif \ No newline at end of file
+#endif
diff --git a/include/sharedmem.h b/include/sharedmem.h
index b90f7d87..9a7d9082 100644
--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@@ -29,30 +29,30 @@
typedef struct sharedmem {
- //extern unsigned char *trace_bits;
+ // extern unsigned char *trace_bits;
- #ifdef USEMMAP
+#ifdef USEMMAP
/* ================ Proteas ================ */
- int g_shm_fd;
- char g_shm_file_path[L_tmpnam];
- /* ========================================= */
- #else
- s32 shm_id; /* ID of the SHM region */
+ int g_shm_fd;
+ char g_shm_file_path[L_tmpnam];
+/* ========================================= */
+#else
+ s32 shm_id; /* ID of the SHM region */
s32 cmplog_shm_id;
- #endif
+#endif
- u8 *map; /* shared memory region */
+ u8 *map; /* shared memory region */
- size_t size_alloc; /* actual allocated size */
- size_t size_used; /* in use by shmem app */
+ size_t size_alloc; /* actual allocated size */
+ size_t size_used; /* in use by shmem app */
int cmplog_mode;
struct cmp_map *cmp_map;
} sharedmem_t;
-u8 *afl_shm_init(sharedmem_t*, size_t, unsigned char dumb_mode);
-void afl_shm_deinit(sharedmem_t*);
+u8 * afl_shm_init(sharedmem_t *, size_t, unsigned char dumb_mode);
+void afl_shm_deinit(sharedmem_t *);
#endif
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-14 15:11:41 +0000