authorvan Hauser <vh@thc.org>2023-06-06 17:36:04 +0300
committerGitHub <noreply@github.com>2023-06-06 17:36:04 +0300
commit4deb45f3b3e9f53880596d21432069b05553bcb3 (patch)
tree2dcf56dd0b540a4387f050c32ba5f50e7f42d666 /include
parent8de7f6131d48e27d53e894b65bd11e0dc3817639 (diff)
parent2f6b54e4410738d92c4981a700541f15e4fbe938 (diff)
downloadafl++-4deb45f3b3e9f53880596d21432069b05553bcb3.tar.gz
Merge pull request #1759 from AFLplusplus/dev
Dev
Diffstat (limited to 'include')
-rw-r--r--include/afl-fuzz.h29
-rw-r--r--include/alloc-inl.h9
-rw-r--r--include/cmplog.h2
-rw-r--r--include/common.h6
-rw-r--r--include/config.h4
-rw-r--r--include/envs.h10
-rw-r--r--include/forkserver.h35
7 files changed, 70 insertions, 25 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 23a04f42..e1359dc8 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -184,6 +184,7 @@ struct queue_entry {
       handicap,                         /* Number of queue cycles behind    */
       depth,                            /* Path depth                       */
       exec_cksum,                       /* Checksum of the execution trace  */
+      custom,                           /* Marker for custom mutators       */
       stats_mutated;                    /* stats: # of mutations performed  */
 
   u8 *trace_mini;                       /* Trace bytes, if kept             */
@@ -398,8 +399,9 @@ typedef struct afl_env_vars {
       afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
       afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
       afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
-      afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme,
-      afl_ignore_timeouts, afl_no_startup_calibration, afl_no_warn_instability;
+      afl_keep_timeouts, afl_no_crash_readme, afl_ignore_timeouts,
+      afl_no_startup_calibration, afl_no_warn_instability,
+      afl_post_process_keep_original;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
@@ -408,6 +410,8 @@ typedef struct afl_env_vars {
       *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal,
       *afl_target_env, *afl_persistent_record, *afl_exit_on_time;
 
+  s32 afl_pizza_mode;
+
 } afl_env_vars_t;
 
 struct afl_pass_stat {
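Review bot: The new `s32 afl_pizza_mode;` is the only field in afl_env_vars_t that is not a `u8` flag or a `u8 *` string, and nothing on the line says why it needs a signed 32-bit value or which values it takes, which is what a reader will ask after seeing it removed from the flag list in the preceding hunk. A trailing comment in the style of the rest of this header would settle it, e.g. `s32 afl_pizza_mode; /* <value semantics — fill in from the reader in afl-fuzz-state.c> */`, with the actual meaning taken from the code that parses the environment variable (not visible here). The typedef's opening and the type of the flag list are above the hunk.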
@@ -882,14 +886,19 @@ struct custom_mutator {
    * A post-processing function to use right before AFL writes the test case to
    * disk in order to execute the target.
    *
-   * (Optional) If this functionality is not needed, simply don't define this
+   * NOTE: Do not do any random changes to the data in this function!
+   *
+   * PERFORMANCE: If you can modify the data in-place you will have a better
+   *              performance. Modify *data and set `*out_buf = data`.
+   *
+   * (Optional) If this functionality is not needed, simply do not define this
    * function.
    *
    * @param[in] data pointer returned in afl_custom_init by this custom mutator
    * @param[in] buf Buffer containing the test case to be executed
    * @param[in] buf_size Size of the test case
    * @param[out] out_buf Pointer to the buffer storing the test case after
-   *     processing. External library should allocate memory for out_buf.
+   *     processing. The external library should allocate memory for out_buf.
    *     It can chose to alter buf in-place, if the space is large enough.
    * @return Size of the output buffer.
    */
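Review bot: The added PERFORMANCE paragraph tells the author to "Modify *data and set `*out_buf = data`", but in this function `data` is the opaque state pointer returned by afl_custom_init (see the `@param[in] data` line in the same comment), while the test case bytes live in `buf`; followed literally, the advice would hand the mutator's state object back as the test case. The two lines should read ` * PERFORMANCE: If you can modify the data in-place you will have a better` / ` *              performance. Modify *buf and set `*out_buf = buf`.`. While here, the unchanged context line "It can chose to alter buf in-place" should be "It can choose to alter buf in-place". The declaration this comment documents is below the hunk.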
@@ -1095,7 +1104,6 @@ u32  count_bits(afl_state_t *, u8 *);
 u32  count_bytes(afl_state_t *, u8 *);
 u32  count_non_255_bytes(afl_state_t *, u8 *);
 void simplify_trace(afl_state_t *, u8 *);
-void classify_counts(afl_forkserver_t *);
 #ifdef WORD_SIZE_64
 void discover_word(u8 *ret, u64 *current, u64 *virgin);
 #else
@@ -1109,6 +1117,9 @@ u8 *describe_op(afl_state_t *, u8, size_t);
 u8 save_if_interesting(afl_state_t *, void *, u32, u8);
 u8 has_new_bits(afl_state_t *, u8 *);
 u8 has_new_bits_unclassified(afl_state_t *, u8 *);
+#ifndef AFL_SHOWMAP
+void classify_counts(afl_forkserver_t *);
+#endif
 
 /* Extras */
 
@@ -1184,11 +1195,13 @@ void   fix_up_sync(afl_state_t *);
 void   check_asan_opts(afl_state_t *);
 void   check_binary(afl_state_t *, u8 *);
 void   check_if_tty(afl_state_t *);
-void   setup_signal_handlers(void);
 void   save_cmdline(afl_state_t *, u32, char **);
 void   read_foreign_testcases(afl_state_t *, int);
 void   write_crash_readme(afl_state_t *afl);
 u8     check_if_text_buf(u8 *buf, u32 len);
+#ifndef AFL_SHOWMAP
+void setup_signal_handlers(void);
+#endif
 
 /* CmpLog */
 
@@ -1210,7 +1223,7 @@ double rand_next_percent(afl_state_t *afl);
 
 static inline u32 rand_below(afl_state_t *afl, u32 limit) {
 
-  if (limit <= 1) return 0;
+  if (unlikely(limit <= 1)) return 0;
 
   /* The boundary not being necessarily a power of 2,
      we need to ensure the result uniformity. */
@@ -1243,7 +1256,7 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) {
    expand havoc mode */
 static inline u32 rand_below_datalen(afl_state_t *afl, u32 limit) {
 
-  if (limit <= 1) return 0;
+  if (unlikely(limit <= 1)) return 0;
 
   switch (rand_below(afl, 3)) {
 
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index ae37028e..1e9a192b 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -42,7 +42,7 @@
 // Be careful! _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators
 
 #ifndef _WANT_ORIGINAL_AFL_ALLOC
-  // afl++ stuff without memory corruption checks - for speed
+  // AFL++ stuff without memory corruption checks - for speed
 
   /* User-facing macro to sprintf() to a dynamically allocated buffer. */
 
@@ -704,12 +704,11 @@ static inline void *afl_realloc(void **buf, size_t size_needed) {
     *buf = NULL;
     return NULL;
 
-  } else {
-
-    new_buf = newer_buf;
-
   }
 
+  new_buf = newer_buf;
+  memset(((u8 *)new_buf) + current_size, 0, next_size - current_size);
+
   new_buf->complete_size = next_size;
   *buf = (void *)(new_buf->buf);
   return *buf;
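Review bot: The new `memset(((u8 *)new_buf) + current_size, 0, next_size - current_size);` computes its length in size_t, so it becomes a huge write if afl_realloc is ever entered with next_size smaller than current_size; whether an earlier check rules that out is above this hunk, as is the start of afl_realloc. It is also not visible here whether current_size counts the header struct or only the payload — the offset is taken from `new_buf`, which is the header pointer (the next line writes `new_buf->complete_size`), so it is only right if current_size includes the header. If both hold, a comment on the line such as `/* zero the newly grown tail so callers never read stale heap contents */` would record the intent, since the old branch structure had no such clearing.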
diff --git a/include/cmplog.h b/include/cmplog.h
index 6e16e6b0..e4821444 100644
--- a/include/cmplog.h
+++ b/include/cmplog.h
@@ -34,7 +34,7 @@
 
 #define CMP_MAP_W 65536
 #define CMP_MAP_H 32
-#define CMP_MAP_RTN_H (CMP_MAP_H / 4)
+#define CMP_MAP_RTN_H (CMP_MAP_H / 2)
 
 #define SHAPE_BYTES(x) (x + 1)
 
diff --git a/include/common.h b/include/common.h
index 0958b035..8d85d201 100644
--- a/include/common.h
+++ b/include/common.h
@@ -147,5 +147,11 @@ s32 create_file(u8 *fn);
 void *afl_memmem(const void *haystack, size_t haystacklen, const void *needle,
                  size_t needlelen);
 
+#ifdef __linux__
+/* Nyx helper functions to create and remove tmp workdirs */
+char *create_nyx_tmp_workdir(void);
+void  remove_nyx_tmp_workdir(afl_forkserver_t *fsrv, char *nyx_out_dir_path);
+#endif
+
 #endif
 
diff --git a/include/config.h b/include/config.h
index c1297bdd..b767d526 100644
--- a/include/config.h
+++ b/include/config.h
@@ -26,7 +26,7 @@
 /* Version string: */
 
 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.06a"
+#define VERSION "++4.07a"
 
 /******************************************************
  *                                                    *
@@ -87,7 +87,7 @@
    will be kept and written to the crash/ directory as RECORD:... files.
    Note that every crash will be written, not only unique ones! */
 
-//#define AFL_PERSISTENT_RECORD
+// #define AFL_PERSISTENT_RECORD
 
 /* console output colors: There are three ways to configure its behavior
  * 1. default: colored outputs fixed on: defined USE_COLOR && defined
diff --git a/include/envs.h b/include/envs.h
index 066921b9..edfd06e4 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -37,6 +37,10 @@ static char *afl_environment_variables[] = {
     "AFL_CRASH_EXITCODE",
     "AFL_CUSTOM_MUTATOR_LIBRARY",
     "AFL_CUSTOM_MUTATOR_ONLY",
+    "AFL_CUSTOM_INFO_PROGRAM",
+    "AFL_CUSTOM_INFO_PROGRAM_ARGV",
+    "AFL_CUSTOM_INFO_PROGRAM_INPUT",
+    "AFL_CUSTOM_INFO_OUT",
     "AFL_CXX",
     "AFL_CYCLE_SCHEDULES",
     "AFL_DEBUG",
@@ -65,6 +69,7 @@ static char *afl_environment_variables[] = {
     "AFL_FRIDA_INST_INSN",
     "AFL_FRIDA_INST_JIT",
     "AFL_FRIDA_INST_NO_CACHE",
+    "AFL_FRIDA_INST_NO_DYNAMIC_LOAD",
     "AFL_FRIDA_INST_NO_OPTIMIZE",
     "AFL_FRIDA_INST_NO_PREFETCH",
     "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
@@ -105,6 +110,7 @@ static char *afl_environment_variables[] = {
     "AFL_HARDEN",
     "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
     "AFL_IGNORE_PROBLEMS",
+    "AFL_IGNORE_PROBLEMS_COVERAGE",
     "AFL_IGNORE_TIMEOUTS",
     "AFL_IGNORE_UNKNOWN_ENVS",
     "AFL_IMPORT_FIRST",
@@ -159,8 +165,9 @@ static char *afl_environment_variables[] = {
     "AFL_LLVM_SKIP_NEVERZERO",
     "AFL_NO_AFFINITY",
     "AFL_TRY_AFFINITY",
-    "AFL_LLVM_LTO_STARTID",
     "AFL_LLVM_LTO_DONTWRITEID",
+    "AFL_LLVM_LTO_SKIPINIT"
+    "AFL_LLVM_LTO_STARTID",
     "AFL_NO_ARITH",
     "AFL_NO_AUTODICT",
     "AFL_NO_BUILTIN",
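Review bot: The added `"AFL_LLVM_LTO_SKIPINIT"` has no trailing comma, so adjacent string-literal concatenation fuses it with the next entry into the single element `"AFL_LLVM_LTO_SKIPINITAFL_LLVM_LTO_STARTID"`; neither AFL_LLVM_LTO_SKIPINIT nor AFL_LLVM_LTO_STARTID is then present in afl_environment_variables, and the table shrinks by one. Any check that consults this list to flag unknown or misspelled AFL_ variables (done elsewhere, not visible here) would therefore treat both as unknown. The fix is `"AFL_LLVM_LTO_SKIPINIT",`.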
@@ -186,6 +193,7 @@ static char *afl_environment_variables[] = {
     "AFL_PATH",
     "AFL_PERFORMANCE_FILE",
     "AFL_PERSISTENT_RECORD",
+    "AFL_POST_PROCESS_KEEP_ORIGINAL",
     "AFL_PRELOAD",
     "AFL_TARGET_ENV",
     "AFL_PYTHON_MODULE",
diff --git a/include/forkserver.h b/include/forkserver.h
index 50898a08..f5069ce2 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -51,16 +51,28 @@ typedef enum NyxReturnValue {
 
 } NyxReturnValue;
 
+typedef enum NyxProcessRole {
+
+  StandAlone,
+  Parent,
+  Child,
+
+} NyxProcessRole;
+
 typedef struct {
 
-  void *(*nyx_new)(const char *sharedir, const char *workdir, uint32_t cpu_id,
-                   uint32_t input_buffer_size,
-                   bool     input_buffer_write_protection);
-  void *(*nyx_new_parent)(const char *sharedir, const char *workdir,
-                          uint32_t cpu_id, uint32_t input_buffer_size,
-                          bool input_buffer_write_protection);
-  void *(*nyx_new_child)(const char *sharedir, const char *workdir,
-                         uint32_t cpu_id, uint32_t worker_id);
+  void *(*nyx_config_load)(const char *sharedir);
+  void (*nyx_config_set_workdir_path)(void *config, const char *workdir);
+  void (*nyx_config_set_input_buffer_size)(void    *config,
+                                           uint32_t input_buffer_size);
+  void (*nyx_config_set_input_buffer_write_protection)(
+      void *config, bool input_buffer_write_protection);
+  void (*nyx_config_set_hprintf_fd)(void *config, int32_t hprintf_fd);
+  void (*nyx_config_set_process_role)(void *config, enum NyxProcessRole role);
+  void (*nyx_config_set_reuse_snapshot_path)(void       *config,
+                                             const char *reuse_snapshot_path);
+
+  void *(*nyx_new)(void *config, uint32_t worker_id);
   void (*nyx_shutdown)(void *qemu_process);
   void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable);
   void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec,
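Review bot: The constants of the new `NyxProcessRole` enum — `StandAlone`, `Parent`, `Child` — are bare, unprefixed identifiers at global scope in a public header, unlike every other name added here (`nyx_config_*`, `NyxReturnValue`), and will clash with any translation unit that already uses `Parent` or `Child` for something else. Unless the spelling is dictated by the libnyx interface (only the numeric values would need to match), prefixed names such as `Nyx_StandAlone` or `NYX_ROLE_*` are safer. A one-line comment on the enum saying which side of the fork each role denotes would also help, since the struct this is passed to (`nyx_config_set_process_role`) carries none.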
@@ -73,8 +85,13 @@ typedef struct {
   uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer,
                                  uint32_t size);
 
+  bool (*nyx_remove_work_dir)(const char *workdir);
+
 } nyx_plugin_handler_t;
 
+/* Imports helper functions to enable Nyx mode (Linux only )*/
+nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary);
+
 #endif
 
 typedef struct afl_forkserver {
@@ -178,6 +195,8 @@ typedef struct afl_forkserver {
   u32                   nyx_id;          /* nyx runner id (0 -> master)      */
   u32                   nyx_bind_cpu_id; /* nyx runner cpu id                */
   char                 *nyx_aux_string;
+  bool                  nyx_use_tmp_workdir;
+  char                 *nyx_tmp_workdir_path;
 #endif
 
 } afl_forkserver_t;
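Review bot: The two added fields `nyx_use_tmp_workdir` and `nyx_tmp_workdir_path` are the only ones in this group without the aligned trailing comment the neighbouring `nyx_*` members carry, and the second one holds a pointer whose ownership is not stated. Suggest `bool nyx_use_tmp_workdir; /* use a generated tmp workdir      */` and `char *nyx_tmp_workdir_path; /* owned here; freed on workdir removal? — confirm */`, keeping the existing column layout.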