diff options
| author | Junwha <qbit@unist.ac.kr> | 2023-08-02 02:59:07 +0900 |
|---|---|---|
| committer | Junwha <qbit@unist.ac.kr> | 2023-08-02 19:07:38 +0900 |
| commit | 1429c9724efb62e5ac90ec27d93a64c28632ba5d (patch) | |
| tree | dd1038326b5510c83ea3831137f4845f993b37c1 /src/afl-fuzz-init.c | |
| parent | 0265b39c138e1451accc048d3442a1e15d7ae86c (diff) | |
| download | afl++-1429c9724efb62e5ac90ec27d93a64c28632ba5d.tar.gz | |
Add option for treating crashing input as new crash
Signed-off-by: Junwha Hong <qbit@unist.ac.kr>
Diffstat (limited to 'src/afl-fuzz-init.c')
| -rw-r--r-- | src/afl-fuzz-init.c | 99 |
1 files changed, 81 insertions, 18 deletions
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 24fd7077..6b7f3036 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1056,6 +1056,13 @@ void perform_dry_run(afl_state_t *afl) { "skipping", fn, (int)(s8)afl->fsrv.crash_exitcode); + } else if (afl->crashing_seeds_as_new_crash) { + + WARNF( + "Test case '%s' results in a crash," + "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, " + "saving as a crash", fn); + } else { WARNF("Test case '%s' results in a crash, skipping", fn); @@ -1078,38 +1085,94 @@ void perform_dry_run(afl_state_t *afl) { } - q->disabled = 1; - q->perf_score = 0; + /* Crashing corpus will regrad as normal, and categorized as new crash at fuzzing */ + if (afl->crashing_seeds_as_new_crash) { + + ++afl->total_crashes; - u32 i = 0; - while (unlikely(i < afl->queued_items && afl->queue_buf[i] && - afl->queue_buf[i]->disabled)) { + if (likely(!afl->non_instrumented_mode)) { - ++i; + classify_counts(&afl->fsrv); + + simplify_trace(afl, afl->fsrv.trace_bits); - } + if (!has_new_bits(afl, afl->virgin_crash)) { break; } + + } + + + if (unlikely(!afl->saved_crashes) && + (afl->afl_env.afl_no_crash_readme != 1)) { + + write_crash_readme(afl); + + } + + u8 crash_fn[PATH_MAX]; + u8 *use_name = strstr(q->fname, ",orig:"); + + afl->stage_name = "dry_run"; + afl->stage_short = "dry_run"; + + #ifndef SIMPLE_FILES + + snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s", afl->out_dir, + afl->saved_crashes, afl->fsrv.last_kill_signal, + describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)), use_name); + + #else + + snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, + afl->saved_crashes, afl->fsrv.last_kill_signal); + + #endif - if (i < afl->queued_items && afl->queue_buf[i]) { + ++afl->saved_crashes; - afl->queue = afl->queue_buf[i]; + fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); } + ck_write(fd, use_mem, read_len, crash_fn); + close(fd); + + afl->last_crash_time = get_cur_time(); + afl->last_crash_execs = afl->fsrv.total_execs; } else { - afl->queue = afl->queue_buf[0]; + q->disabled = 1; + q->perf_score = 0; - } + u32 i = 0; + while (unlikely(i < afl->queued_items && afl->queue_buf[i] && + afl->queue_buf[i]->disabled)) { - afl->max_depth = 0; - for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { + ++i; - if (!afl->queue_buf[i]->disabled && - afl->queue_buf[i]->depth > afl->max_depth) - afl->max_depth = afl->queue_buf[i]->depth; + } - } + if (i < afl->queued_items && afl->queue_buf[i]) { - break; + afl->queue = afl->queue_buf[i]; + + } else { + afl->queue = afl->queue_buf[0]; + + } + + afl->max_depth = 0; + for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { + + if (!afl->queue_buf[i]->disabled && + afl->queue_buf[i]->depth > afl->max_depth) + afl->max_depth = afl->queue_buf[i]->depth; + + } + + } + + break; + case FSRV_RUN_ERROR: FATAL("Unable to execute target application ('%s')", afl->argv[0]); |