diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-09-02 18:49:43 +0200 |
|---|---|---|
| committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-09-02 18:49:43 +0200 |
| commit | b24639d0113e15933e749ea0f96abe3f25a134a0 (patch) | |
| tree | 4272020625c80c0d6982d3787bebc573c0da01b8 /src/afl-fuzz-init.c | |
| parent | 2ae4ca91b48407add0e940ee13bd8b385e319a7a (diff) | |
| download | afl++-b24639d0113e15933e749ea0f96abe3f25a134a0.tar.gz | |
run code formatter
Diffstat (limited to 'src/afl-fuzz-init.c')
| -rw-r--r-- | src/afl-fuzz-init.c | 643 |
1 files changed, 382 insertions, 261 deletions
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index f66db74c..8a3ee6fa 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -22,7 +22,6 @@ #include "afl-fuzz.h" - #ifdef HAVE_AFFINITY /* Build a list of processes bound to specific cores. Returns -1 if nothing @@ -30,11 +29,11 @@ void bind_to_free_cpu(void) { - DIR* d; + DIR* d; struct dirent* de; - cpu_set_t c; + cpu_set_t c; - u8 cpu_used[4096] = { 0 }; + u8 cpu_used[4096] = {0}; u32 i; if (cpu_core_count < 2) return; @@ -69,18 +68,20 @@ void bind_to_free_cpu(void) { while ((de = readdir(d))) { - u8* fn; + u8* fn; FILE* f; - u8 tmp[MAX_LINE]; - u8 has_vmsize = 0; + u8 tmp[MAX_LINE]; + u8 has_vmsize = 0; if (!isdigit(de->d_name[0])) continue; fn = alloc_printf("/proc/%s/status", de->d_name); if (!(f = fopen(fn, "r"))) { + ck_free(fn); continue; + } while (fgets(tmp, MAX_LINE, f)) { @@ -91,10 +92,9 @@ void bind_to_free_cpu(void) { if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; - if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && - !strchr(tmp, '-') && !strchr(tmp, ',') && - sscanf(tmp + 19, "%u", &hval) == 1 && hval < sizeof(cpu_used) && - has_vmsize) { + if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && !strchr(tmp, '-') && + !strchr(tmp, ',') && sscanf(tmp + 19, "%u", &hval) == 1 && + hval < sizeof(cpu_used) && has_vmsize) { cpu_used[hval] = 1; break; @@ -110,14 +110,17 @@ void bind_to_free_cpu(void) { closedir(d); - for (i = 0; i < cpu_core_count; ++i) if (!cpu_used[i]) break; + for (i = 0; i < cpu_core_count; ++i) + if (!cpu_used[i]) break; if (i == cpu_core_count) { SAYF("\n" cLRD "[-] " cRST "Uh-oh, looks like all %d CPU cores on your system are allocated to\n" - " other instances of afl-fuzz (or similar CPU-locked tasks). Starting\n" - " another fuzzer on this machine is probably a bad plan, but if you are\n" + " other instances of afl-fuzz (or similar CPU-locked tasks). " + "Starting\n" + " another fuzzer on this machine is probably a bad plan, but if " + "you are\n" " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n", cpu_core_count); @@ -132,8 +135,7 @@ void bind_to_free_cpu(void) { CPU_ZERO(&c); CPU_SET(i, &c); - if (sched_setaffinity(0, sizeof(c), &c)) - PFATAL("sched_setaffinity failed"); + if (sched_setaffinity(0, sizeof(c), &c)) PFATAL("sched_setaffinity failed"); } @@ -144,8 +146,8 @@ void bind_to_free_cpu(void) { void setup_post(void) { void* dh; - u8* fn = getenv("AFL_POST_LIBRARY"); - u32 tlen = 6; + u8* fn = getenv("AFL_POST_LIBRARY"); + u32 tlen = 6; if (!fn) return; @@ -166,8 +168,9 @@ void setup_post(void) { } void setup_custom_mutator(void) { + void* dh; - u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); + u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); if (!fn) return; @@ -180,11 +183,11 @@ void setup_custom_mutator(void) { if (!custom_mutator) FATAL("Symbol 'afl_custom_mutator' not found."); pre_save_handler = dlsym(dh, "afl_pre_save_handler"); -// if (!pre_save_handler) WARNF("Symbol 'afl_pre_save_handler' not found."); + // if (!pre_save_handler) WARNF("Symbol 'afl_pre_save_handler' not found."); OKF("Custom mutator installed successfully."); -} +} /* Shuffle an array of pointers. Might be slightly biased. */ @@ -194,8 +197,8 @@ static void shuffle_ptrs(void** ptrs, u32 cnt) { for (i = 0; i < cnt - 2; ++i) { - u32 j = i + UR(cnt - i); - void *s = ptrs[i]; + u32 j = i + UR(cnt - i); + void* s = ptrs[i]; ptrs[i] = ptrs[j]; ptrs[j] = s; @@ -208,15 +211,18 @@ static void shuffle_ptrs(void** ptrs, u32 cnt) { void read_testcases(void) { - struct dirent **nl; - s32 nl_cnt; - u32 i; - u8* fn1; + struct dirent** nl; + s32 nl_cnt; + u32 i; + u8* fn1; /* Auto-detect non-in-place resumption attempts. */ fn1 = alloc_printf("%s/queue", in_dir); - if (!access(fn1, F_OK)) in_dir = fn1; else ck_free(fn1); + if (!access(fn1, F_OK)) + in_dir = fn1; + else + ck_free(fn1); ACTF("Scanning '%s'...", in_dir); @@ -231,9 +237,12 @@ void read_testcases(void) { if (errno == ENOENT || errno == ENOTDIR) SAYF("\n" cLRD "[-] " cRST - "The input directory does not seem to be valid - try again. The fuzzer needs\n" - " one or more test case to start with - ideally, a small file under 1 kB\n" - " or so. The cases must be stored as regular files directly in the input\n" + "The input directory does not seem to be valid - try again. The " + "fuzzer needs\n" + " one or more test case to start with - ideally, a small file " + "under 1 kB\n" + " or so. The cases must be stored as regular files directly in " + "the input\n" " directory.\n"); PFATAL("Unable to open '%s'", in_dir); @@ -252,12 +261,13 @@ void read_testcases(void) { struct stat st; u8* fn2 = alloc_printf("%s/%s", in_dir, nl[i]->d_name); - u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", in_dir, nl[i]->d_name); + u8* dfn = + alloc_printf("%s/.state/deterministic_done/%s", in_dir, nl[i]->d_name); + + u8 passed_det = 0; - u8 passed_det = 0; + free(nl[i]); /* not tracked */ - free(nl[i]); /* not tracked */ - if (lstat(fn2, &st) || access(fn2, R_OK)) PFATAL("Unable to access '%s'", fn2); @@ -271,9 +281,9 @@ void read_testcases(void) { } - if (st.st_size > MAX_FILE) - FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, - DMS(st.st_size), DMS(MAX_FILE)); + if (st.st_size > MAX_FILE) + FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, DMS(st.st_size), + DMS(MAX_FILE)); /* Check for metadata that indicates that deterministic fuzzing is complete for this entry. We don't want to repeat deterministic @@ -287,14 +297,17 @@ void read_testcases(void) { } - free(nl); /* not tracked */ + free(nl); /* not tracked */ if (!queued_paths) { SAYF("\n" cLRD "[-] " cRST - "Looks like there are no valid test cases in the input directory! The fuzzer\n" - " needs one or more test case to start with - ideally, a small file under\n" - " 1 kB or so. The cases must be stored as regular files directly in the\n" + "Looks like there are no valid test cases in the input directory! The " + "fuzzer\n" + " needs one or more test case to start with - ideally, a small " + "file under\n" + " 1 kB or so. The cases must be stored as regular files directly " + "in the\n" " input directory.\n"); FATAL("No usable test cases in '%s'", in_dir); @@ -306,7 +319,6 @@ void read_testcases(void) { } - /* Examine map coverage. Called once, for first test case. */ static void check_map_coverage(void) { @@ -322,15 +334,14 @@ static void check_map_coverage(void) { } - /* Perform dry run of all test cases to confirm that the app is working as expected. This is done only for the initial inputs, and only once. */ void perform_dry_run(char** argv) { struct queue_entry* q = queue; - u32 cal_failures = 0; - u8* skip_crashes = getenv("AFL_SKIP_CRASHES"); + u32 cal_failures = 0; + u8* skip_crashes = getenv("AFL_SKIP_CRASHES"); while (q) { @@ -358,7 +369,7 @@ void perform_dry_run(char** argv) { if (stop_soon) return; if (res == crash_mode || res == FAULT_NOBITS) - SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, + SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { @@ -380,90 +391,119 @@ void perform_dry_run(char** argv) { out. */ if (timeout_given > 1) { + WARNF("Test case results in a timeout (skipping)"); q->cal_failed = CAL_CHANCES; ++cal_failures; break; + } SAYF("\n" cLRD "[-] " cRST - "The program took more than %u ms to process one of the initial test cases.\n" - " Usually, the right thing to do is to relax the -t option - or to delete it\n" - " altogether and allow the fuzzer to auto-calibrate. That said, if you know\n" - " what you are doing and want to simply skip the unruly test cases, append\n" - " '+' at the end of the value passed to -t ('-t %u+').\n", exec_tmout, - exec_tmout); + "The program took more than %u ms to process one of the initial " + "test cases.\n" + " Usually, the right thing to do is to relax the -t option - " + "or to delete it\n" + " altogether and allow the fuzzer to auto-calibrate. That " + "said, if you know\n" + " what you are doing and want to simply skip the unruly test " + "cases, append\n" + " '+' at the end of the value passed to -t ('-t %u+').\n", + exec_tmout, exec_tmout); FATAL("Test case '%s' results in a timeout", fn); } else { SAYF("\n" cLRD "[-] " cRST - "The program took more than %u ms to process one of the initial test cases.\n" - " This is bad news; raising the limit with the -t option is possible, but\n" + "The program took more than %u ms to process one of the initial " + "test cases.\n" + " This is bad news; raising the limit with the -t option is " + "possible, but\n" " will probably make the fuzzing process extremely slow.\n\n" - " If this test case is just a fluke, the other option is to just avoid it\n" - " altogether, and find one that is less of a CPU hog.\n", exec_tmout); + " If this test case is just a fluke, the other option is to " + "just avoid it\n" + " altogether, and find one that is less of a CPU hog.\n", + exec_tmout); FATAL("Test case '%s' results in a timeout", fn); } - case FAULT_CRASH: + case FAULT_CRASH: if (crash_mode) break; if (skip_crashes) { + WARNF("Test case results in a crash (skipping)"); q->cal_failed = CAL_CHANCES; ++cal_failures; break; + } if (mem_limit) { SAYF("\n" cLRD "[-] " cRST - "Oops, the program crashed with one of the test cases provided. There are\n" + "Oops, the program crashed with one of the test cases provided. " + "There are\n" " several possible explanations:\n\n" - " - The test case causes known crashes under normal working conditions. If\n" - " so, please remove it. The fuzzer should be seeded with interesting\n" + " - The test case causes known crashes under normal working " + "conditions. If\n" + " so, please remove it. The fuzzer should be seeded with " + "interesting\n" " inputs - but not ones that cause an outright crash.\n\n" - " - The current memory limit (%s) is too low for this program, causing\n" - " it to die due to OOM when parsing valid files. To fix this, try\n" - " bumping it up with the -m setting in the command line. If in doubt,\n" + " - The current memory limit (%s) is too low for this " + "program, causing\n" + " it to die due to OOM when parsing valid files. To fix " + "this, try\n" + " bumping it up with the -m setting in the command line. " + "If in doubt,\n" " try something along the lines of:\n\n" - MSG_ULIMIT_USAGE " /path/to/binary [...] <testcase )\n\n" + MSG_ULIMIT_USAGE + " /path/to/binary [...] <testcase )\n\n" - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" - " estimate the required amount of virtual memory for the binary. Also,\n" + " Tip: you can use http://jwilk.net/software/recidivm to " + "quickly\n" + " estimate the required amount of virtual memory for the " + "binary. Also,\n" " if you are using ASAN, see %s/notes_for_asan.txt.\n\n" MSG_FORK_ON_APPLE - " - Least likely, there is a horrible bug in the fuzzer. If other options\n" - " fail, poke <afl-users@googlegroups.com> for troubleshooting tips.\n", + " - Least likely, there is a horrible bug in the fuzzer. If " + "other options\n" + " fail, poke <afl-users@googlegroups.com> for " + "troubleshooting tips.\n", DMS(mem_limit << 20), mem_limit - 1, doc_path); } else { SAYF("\n" cLRD "[-] " cRST - "Oops, the program crashed with one of the test cases provided. There are\n" + "Oops, the program crashed with one of the test cases provided. " + "There are\n" " several possible explanations:\n\n" - " - The test case causes known crashes under normal working conditions. If\n" - " so, please remove it. The fuzzer should be seeded with interesting\n" + " - The test case causes known crashes under normal working " + "conditions. If\n" + " so, please remove it. The fuzzer should be seeded with " + "interesting\n" " inputs - but not ones that cause an outright crash.\n\n" MSG_FORK_ON_APPLE - " - Least likely, there is a horrible bug in the fuzzer. If other options\n" - " fail, poke <afl-users@googlegroups.com> for troubleshooting tips.\n"); + " - Least likely, there is a horrible bug in the fuzzer. If " + "other options\n" + " fail, poke <afl-users@googlegroups.com> for " + "troubleshooting tips.\n"); } + #undef MSG_ULIMIT_USAGE #undef MSG_FORK_ON_APPLE @@ -473,11 +513,9 @@ void perform_dry_run(char** argv) { FATAL("Unable to execute target application ('%s')", argv[0]); - case FAULT_NOINST: + case FAULT_NOINST: FATAL("No instrumentation detected"); - FATAL("No instrumentation detected"); - - case FAULT_NOBITS: + case FAULT_NOBITS: ++useless_at_start; @@ -513,7 +551,6 @@ void perform_dry_run(char** argv) { } - /* Helper function: link() if possible, copy otherwise. */ static void link_or_copy(u8* old_path, u8* new_path) { @@ -532,7 +569,7 @@ static void link_or_copy(u8* old_path, u8* new_path) { tmp = ck_alloc(64 * 1024); - while ((i = read(sfd, tmp, 64 * 1024)) > 0) + while ((i = read(sfd, tmp, 64 * 1024)) > 0) ck_write(dfd, tmp, i, new_path); if (i < 0) PFATAL("read() failed"); @@ -543,23 +580,25 @@ static void link_or_copy(u8* old_path, u8* new_path) { } - /* Create hard links for input test cases in the output directory, choosing good names and pivoting accordingly. */ void pivot_inputs(void) { struct queue_entry* q = queue; - u32 id = 0; + u32 id = 0; ACTF("Creating hard links for all input files..."); while (q) { - u8 *nfn, *rsl = strrchr(q->fname, '/'); + u8 *nfn, *rsl = strrchr(q->fname, '/'); u32 orig_id; - if (!rsl) rsl = q->fname; else ++rsl; + if (!rsl) + rsl = q->fname; + else + ++rsl; /* If the original file name conforms to the syntax and the recorded ID matches the one we'd assign, just use the original file name. @@ -582,7 +621,8 @@ void pivot_inputs(void) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { struct queue_entry* s = queue; - while (src_id-- && s) s = s->next; + while (src_id-- && s) + s = s->next; if (s) q->depth = s->depth + 1; if (max_depth < q->depth) max_depth = q->depth; @@ -598,7 +638,10 @@ void pivot_inputs(void) { u8* use_name = strstr(rsl, ",orig:"); - if (use_name) use_name += 6; else use_name = rsl; + if (use_name) + use_name += 6; + else + use_name = rsl; nfn = alloc_printf("%s/queue/id:%06u,orig:%s", out_dir, id, use_name); #else @@ -628,29 +671,31 @@ void pivot_inputs(void) { } - /* When resuming, try to find the queue position to start from. This makes sense only when resuming, and when we can find the original fuzzer_stats. */ u32 find_start_position(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* Ought to be enough for anybody. */ - u8 *fn, *off; + u8 *fn, *off; s32 fd, i; u32 ret; if (!resuming_fuzz) return 0; - if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); - else fn = alloc_printf("%s/../fuzzer_stats", in_dir); + if (in_place_resume) + fn = alloc_printf("%s/fuzzer_stats", out_dir); + else + fn = alloc_printf("%s/../fuzzer_stats", in_dir); fd = open(fn, O_RDONLY); ck_free(fn); if (fd < 0) return 0; - i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ + i = read(fd, tmp, sizeof(tmp) - 1); + (void)i; /* Ignore errors */ close(fd); off = strstr(tmp, "cur_path : "); @@ -662,30 +707,32 @@ u32 find_start_position(void) { } - /* The same, but for timeouts. The idea is that when resuming sessions without -t given, we don't want to keep auto-scaling the timeout over and over again to prevent it from growing due to random flukes. */ void find_timeout(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* Ought to be enough for anybody. */ - u8 *fn, *off; + u8 *fn, *off; s32 fd, i; u32 ret; if (!resuming_fuzz) return; - if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); - else fn = alloc_printf("%s/../fuzzer_stats", in_dir); + if (in_place_resume) + fn = alloc_printf("%s/fuzzer_stats", out_dir); + else + fn = alloc_printf("%s/../fuzzer_stats", in_dir); fd = open(fn, O_RDONLY); ck_free(fn); if (fd < 0) return; - i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ + i = read(fd, tmp, sizeof(tmp) - 1); + (void)i; /* Ignore errors */ close(fd); off = strstr(tmp, "exec_timeout : "); @@ -699,14 +746,12 @@ void find_timeout(void) { } - - /* A helper function for maybe_delete_out_dir(), deleting all prefixed files in a directory. */ static u8 delete_files(u8* path, u8* prefix) { - DIR* d; + DIR* d; struct dirent* d_ent; d = opendir(path); @@ -715,8 +760,8 @@ static u8 delete_files(u8* path, u8* prefix) { while ((d_ent = readdir(d))) { - if (d_ent->d_name[0] != '.' && (!prefix || - !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { + if (d_ent->d_name[0] != '.' && + (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); @@ -732,14 +777,13 @@ static u8 delete_files(u8* path, u8* prefix) { } - /* Get the number of runnable processes, with some simple smoothing. */ double get_runnable_processes(void) { static double res; -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) /* I don't see any portable sysctl or so that would quickly give us the number of runnable processes; the 1-minute load average can be a @@ -762,10 +806,11 @@ double get_runnable_processes(void) { while (fgets(tmp, sizeof(tmp), f)) { if (!strncmp(tmp, "procs_running ", 14) || - !strncmp(tmp, "procs_blocked ", 14)) val += atoi(tmp + 14); + !strncmp(tmp, "procs_blocked ", 14)) + val += atoi(tmp + 14); } - + fclose(f); if (!res) { @@ -785,7 +830,6 @@ double get_runnable_processes(void) { } - /* Delete the temporary directory used for in-place session resume. */ void nuke_resume_dir(void) { @@ -824,14 +868,13 @@ dir_cleanup_failed: } - /* Delete fuzzer output directory if we recognize it as ours, if the fuzzer is not currently running, and if the last run time isn't too great. */ void maybe_delete_out_dir(void) { FILE* f; - u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); + u8* fn = alloc_printf("%s/fuzzer_stats", out_dir); /* See if the output directory is locked. If yes, bail out. If not, create a lock that will persist for the lifetime of the process @@ -845,7 +888,8 @@ void maybe_delete_out_dir(void) { if (flock(out_dir_fd, LOCK_EX | LOCK_NB) && errno == EWOULDBLOCK) { SAYF("\n" cLRD "[-] " cRST - "Looks like the job output directory is being actively used by another\n" + "Looks like the job output directory is being actively used by " + "another\n" " instance of afl-fuzz. You will need to choose a different %s\n" " or stop the other process first.\n", sync_id ? "fuzzer ID" : "output location"); @@ -862,8 +906,10 @@ void maybe_delete_out_dir(void) { u64 start_time2, last_update; - if (fscanf(f, "start_time : %llu\n" - "last_update : %llu\n", &start_time2, &last_update) != 2) + if (fscanf(f, + "start_time : %llu\n" + "last_update : %llu\n", + &start_time2, &last_update) != 2) FATAL("Malformed data in '%s'", fn); fclose(f); @@ -873,16 +919,22 @@ void maybe_delete_out_dir(void) { if (!in_place_resume && last_update - start_time2 > OUTPUT_GRACE * 60) { SAYF("\n" cLRD "[-] " cRST - "The job output directory already exists and contains the results of more\n" - " than %d minutes worth of fuzzing. To avoid data loss, afl-fuzz will *NOT*\n" + "The job output directory already exists and contains the results " + "of more\n" + " than %d minutes worth of fuzzing. To avoid data loss, afl-fuzz " + "will *NOT*\n" " automatically delete this data for you.\n\n" - " If you wish to start a new session, remove or rename the directory manually,\n" - " or specify a different output location for this job. To resume the old\n" - " session, put '-' as the input directory in the command line ('-i -') and\n" - " try again.\n", OUTPUT_GRACE); + " If you wish to start a new session, remove or rename the " + "directory manually,\n" + " or specify a different output location for this job. To resume " + "the old\n" + " session, put '-' as the input directory in the command line " + "('-i -') and\n" + " try again.\n", + OUTPUT_GRACE); - FATAL("At-risk data found in '%s'", out_dir); + FATAL("At-risk data found in '%s'", out_dir); } @@ -902,7 +954,7 @@ void maybe_delete_out_dir(void) { in_dir = alloc_printf("%s/_resume", out_dir); - rename(orig_q, in_dir); /* Ignore errors */ + rename(orig_q, in_dir); /* Ignore errors */ OKF("Output directory exists, will attempt session resume."); @@ -961,7 +1013,7 @@ void maybe_delete_out_dir(void) { if (!in_place_resume) { fn = alloc_printf("%s/crashes/README.txt", out_dir); - unlink(fn); /* Ignore errors */ + unlink(fn); /* Ignore errors */ ck_free(fn); } @@ -973,7 +1025,7 @@ void maybe_delete_out_dir(void) { if (in_place_resume && rmdir(fn)) { - time_t cur_t = time(0); + time_t cur_t = time(0); struct tm* t = localtime(&cur_t); #ifndef SIMPLE_FILES @@ -984,13 +1036,13 @@ void maybe_delete_out_dir(void) { #else - u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, - t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, - t->tm_hour, t->tm_min, t->tm_sec); + u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, + t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, + t->tm_sec); #endif /* ^!SIMPLE_FILES */ - rename(fn, nfn); /* Ignore errors. */ + rename(fn, nfn); /* Ignore errors. */ ck_free(nfn); } @@ -1004,7 +1056,7 @@ void maybe_delete_out_dir(void) { if (in_place_resume && rmdir(fn)) { - time_t cur_t = time(0); + time_t cur_t = time(0); struct tm* t = localtime(&cur_t); #ifndef SIMPLE_FILES @@ -1015,13 +1067,13 @@ void maybe_delete_out_dir(void) { #else - u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, - t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, - t->tm_hour, t->tm_min, t->tm_sec); + u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, + t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, + t->tm_sec); #endif /* ^!SIMPLE_FILES */ - rename(fn, nfn); /* Ignore errors. */ + rename(fn, nfn); /* Ignore errors. */ ck_free(nfn); } @@ -1032,9 +1084,13 @@ void maybe_delete_out_dir(void) { /* And now, for some finishing touches. */ if (file_extension) { + fn = alloc_printf("%s/.cur_input.%s", out_dir, file_extension); + } else { + fn = alloc_printf("%s/.cur_input", out_dir); + } if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -1045,9 +1101,11 @@ void maybe_delete_out_dir(void) { ck_free(fn); if (!in_place_resume) { - fn = alloc_printf("%s/fuzzer_stats", out_dir); + + fn = alloc_printf("%s/fuzzer_stats", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; ck_free(fn); + } fn = alloc_printf("%s/plot_data", out_dir); @@ -1067,19 +1125,22 @@ void maybe_delete_out_dir(void) { dir_cleanup_failed: SAYF("\n" cLRD "[-] " cRST - "Whoops, the fuzzer tried to reuse your output directory, but bumped into\n" - " some files that shouldn't be there or that couldn't be removed - so it\n" + "Whoops, the fuzzer tried to reuse your output directory, but bumped " + "into\n" + " some files that shouldn't be there or that couldn't be removed - " + "so it\n" " decided to abort! This happened while processing this path:\n\n" " %s\n\n" - " Please examine and manually delete the files, or specify a different\n" - " output location for the tool.\n", fn); + " Please examine and manually delete the files, or specify a " + "different\n" + " output location for the tool.\n", + fn); FATAL("Output directory cleanup failed"); } - /* Prepare output directories and fds. */ void setup_dirs_fds(void) { @@ -1090,7 +1151,7 @@ void setup_dirs_fds(void) { ACTF("Setting up output directories..."); if (sync_id && mkdir(sync_dir, 0700) && errno != EEXIST) - PFATAL("Unable to create '%s'", sync_dir); + PFATAL("Unable to create '%s'", sync_dir); if (mkdir(out_dir, 0700)) { @@ -1197,14 +1258,16 @@ void setup_dirs_fds(void) { plot_file = fdopen(fd, "w"); if (!plot_file) PFATAL("fdopen() failed"); - fprintf(plot_file, "# unix_time, cycles_done, cur_path, paths_total, " - "pending_total, pending_favs, map_size, unique_crashes, " - "unique_hangs, max_depth, execs_per_sec\n"); - /* ignore errors */ + fprintf(plot_file, + "# unix_time, cycles_done, cur_path, paths_total, " + "pending_total, pending_favs, map_size, unique_crashes, " + "unique_hangs, max_depth, execs_per_sec\n"); + /* ignore errors */ } void setup_cmdline_file(char** argv) { + u8* tmp; s32 fd; u32 i = 0; @@ -1221,13 +1284,15 @@ void setup_cmdline_file(char** argv) { if (!cmdline_file) PFATAL("fdopen() failed"); while (argv[i]) { + fprintf(cmdline_file, "%s\n", argv[i]); ++i; + } fclose(cmdline_file); -} +} /* Setup the output file for fuzzed data, if not using -f. */ @@ -1235,12 +1300,16 @@ void setup_stdio_file(void) { u8* fn; if (file_extension) { + fn = alloc_printf("%s/.cur_input.%s", out_dir, file_extension); + } else { + fn = alloc_printf("%s/.cur_input", out_dir); + } - unlink(fn); /* Ignore errors */ + unlink(fn); /* Ignore errors */ out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); @@ -1250,32 +1319,34 @@ void setup_stdio_file(void) { } - /* Make sure that core dumps don't go to a program. */ void check_crash_handling(void) { #ifdef __APPLE__ - /* Yuck! There appears to be no simple C API to query for the state of + /* Yuck! There appears to be no simple C API to query for the state of loaded daemons on MacOS X, and I'm a bit hesitant to do something more sophisticated, such as disabling crash reporting via Mach ports, until I get a box to test the code. So, for now, we check for crash reporting the awful way. */ - - if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; - SAYF("\n" cLRD "[-] " cRST - "Whoops, your system is configured to forward crash notifications to an\n" - " external crash reporting utility. This will cause issues due to the\n" - " extended delay between the fuzzed binary malfunctioning and this fact\n" - " being relayed to the fuzzer via the standard waitpid() API.\n\n" - " To avoid having crashes misinterpreted as timeouts, please run the\n" - " following commands:\n\n" + if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; - " SL=/System/Library; PL=com.apple.ReportCrash\n" - " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" - " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); + SAYF( + "\n" cLRD "[-] " cRST + "Whoops, your system is configured to forward crash notifications to an\n" + " external crash reporting utility. This will cause issues due to " + "the\n" + " extended delay between the fuzzed binary malfunctioning and this " + "fact\n" + " being relayed to the fuzzer via the standard waitpid() API.\n\n" + " To avoid having crashes misinterpreted as timeouts, please run the\n" + " following commands:\n\n" + + " SL=/System/Library; PL=com.apple.ReportCrash\n" + " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" + " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); @@ -1283,10 +1354,10 @@ void check_crash_handling(void) { #else /* This is Linux specific, but I don't think there's anything equivalent on - *BSD, so we can just let it slide for now. */ + *BSD, so we can just let it slide for now. */ s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); - u8 fchar; + u8 fchar; if (fd < 0) return; @@ -1294,54 +1365,68 @@ void check_crash_handling(void) { if (read(fd, &fchar, 1) == 1 && fchar == '|') { - SAYF("\n" cLRD "[-] " cRST - "Hmm, your system is configured to send core dump notifications to an\n" - " external utility. This will cause issues: there will be an extended delay\n" - " between stumbling upon a crash and having this information relayed to the\n" - " fuzzer via the standard waitpid() API.\n\n" + SAYF( + "\n" cLRD "[-] " cRST + "Hmm, your system is configured to send core dump notifications to an\n" + " external utility. This will cause issues: there will be an " + "extended delay\n" + " between stumbling upon a crash and having this information " + "relayed to the\n" + " fuzzer via the standard waitpid() API.\n\n" - " To avoid having crashes misinterpreted as timeouts, please log in as root\n" - " and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" + " To avoid having crashes misinterpreted as timeouts, please log in " + "as root\n" + " and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" - " echo core >/proc/sys/kernel/core_pattern\n"); + " echo core >/proc/sys/kernel/core_pattern\n"); if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Pipe at the beginning of 'core_pattern'"); } - + close(fd); #endif /* ^__APPLE__ */ } - /* Check CPU governor. */ void check_cpu_governor(void) { + #ifdef __linux__ FILE* f; - u8 tmp[128]; - u64 min = 0, max = 0; + u8 tmp[128]; + u64 min = 0, max = 0; if (getenv("AFL_SKIP_CPUFREQ")) return; if (cpu_aff > 0) - snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpu", cpu_aff, "/cpufreq/scaling_governor"); + snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpu", cpu_aff, + "/cpufreq/scaling_governor"); else - snprintf(tmp, sizeof(tmp), "%s", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"); + snprintf(tmp, sizeof(tmp), "%s", + "/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"); f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); if (!f) { + if (cpu_aff > 0) - snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpufreq/policy", cpu_aff, "/scaling_governor"); + snprintf(tmp, sizeof(tmp), "%s%d%s", + "/sys/devices/system/cpu/cpufreq/policy", cpu_aff, + "/scaling_governor"); else - snprintf(tmp, sizeof(tmp), "%s", "/sys/devices/system/cpu/cpufreq/policy0/scaling_governor"); + snprintf(tmp, sizeof(tmp), "%s", + "/sys/devices/system/cpu/cpufreq/policy0/scaling_governor"); f = fopen(tmp, "r"); + } + if (!f) { + WARNF("Could not check CPU scaling governor"); return; + } ACTF("Checking CPU scaling governor..."); @@ -1355,71 +1440,79 @@ void check_cpu_governor(void) { f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); if (f) { + if (fscanf(f, "%llu", &min) != 1) min = 0; fclose(f); + } f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r"); if (f) { + if (fscanf(f, "%llu", &max) != 1) max = 0; fclose(f); + } if (min == max) return; SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" - " between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n" - " kernel is imperfect and can miss the short-lived processes spawned by\n" + " between %llu and %llu MHz. Unfortunately, the scaling algorithm in " + "the\n" + " kernel is imperfect and can miss the short-lived processes spawned " + "by\n" " afl-fuzz. To keep things moving, run these commands as root:\n\n" " cd /sys/devices/system/cpu\n" " echo performance | tee cpu*/cpufreq/scaling_governor\n\n" - " You can later go back to the original state by replacing 'performance' with\n" - " 'ondemand'. If you don't want to change the settings, set AFL_SKIP_CPUFREQ\n" - " to make afl-fuzz skip this check - but expect some performance drop.\n", + " You can later go back to the original state by replacing " + "'performance' with\n" + " 'ondemand'. If you don't want to change the settings, set " + "AFL_SKIP_CPUFREQ\n" + " to make afl-fuzz skip this check - but expect some performance " + "drop.\n", min / 1024, max / 1024); FATAL("Suboptimal CPU scaling governor"); #endif -} +} /* Count the number of logical CPU cores. */ void get_core_count(void) { -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) size_t s = sizeof(cpu_core_count); /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ -#ifdef __APPLE__ +# ifdef __APPLE__ - if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) - return; + if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) return; -#else +# else - int s_name[2] = { CTL_HW, HW_NCPU }; + int s_name[2] = {CTL_HW, HW_NCPU}; if (sysctl(s_name, 2, &cpu_core_count, &s, NULL, 0) < 0) return; -#endif /* ^__APPLE__ */ +# endif /* ^__APPLE__ */ #else -#ifdef HAVE_AFFINITY +# ifdef HAVE_AFFINITY cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); -#else +# else FILE* f = fopen("/proc/stat", "r"); - u8 tmp[1024]; + u8 tmp[1024]; if (!f) return; @@ -1428,7 +1521,7 @@ void get_core_count(void) { fclose(f); -#endif /* ^HAVE_AFFINITY */ +# endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ @@ -1438,7 +1531,7 @@ void get_core_count(void) { cur_runnable = (u32)get_runnable_processes(); -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) /* Add ourselves, since the 1-minute average doesn't include that yet. */ @@ -1447,8 +1540,8 @@ void get_core_count(void) { #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ OKF("You have %d CPU core%s and %u runnable tasks (utilization: %0.0f%%).", - cpu_core_count, cpu_core_count > 1 ? "s" : "", - cur_runnable, cur_runnable * 100.0 / cpu_core_count); + cpu_core_count, cpu_core_count > 1 ? "s" : "", cur_runnable, + cur_runnable * 100.0 / cpu_core_count); if (cpu_core_count > 1) { @@ -1459,7 +1552,7 @@ void get_core_count(void) { } else if (cur_runnable + 1 <= cpu_core_count) { OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path); - + } } @@ -1473,21 +1566,18 @@ void get_core_count(void) { } - /* Validate and fix up out_dir and sync_dir when using -S. */ void fix_up_sync(void) { u8* x = sync_id; - if (dumb_mode) - FATAL("-S / -M and -n are mutually exclusive"); + if (dumb_mode) FATAL("-S / -M and -n are mutually exclusive"); if (skip_deterministic) { - if (force_deterministic) - FATAL("use -S instead of -M -d"); - //else + if (force_deterministic) FATAL("use -S instead of -M -d"); + // else // FATAL("-S already implies -d"); } @@ -1506,26 +1596,29 @@ void fix_up_sync(void) { x = alloc_printf("%s/%s", out_dir, sync_id); sync_dir = out_dir; - out_dir = x; + out_dir = x; if (!force_deterministic) { + skip_deterministic = 1; use_splicing = 1; + } } - /* Handle screen resize (SIGWINCH). */ static void handle_resize(int sig) { + clear_screen = 1; -} +} /* Check ASAN options. */ void check_asan_opts(void) { + u8* x = getenv("ASAN_OPTIONS"); if (x) { @@ -1543,29 +1636,27 @@ void check_asan_opts(void) { if (x) { if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) - FATAL("Custom MSAN_OPTIONS set without exit_code=" - STRINGIFY(MSAN_ERROR) " - please fix!"); + FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY( + MSAN_ERROR) " - please fix!"); if (!strstr(x, "symbolize=0")) FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); } -} - +} /* Handle stop signal (Ctrl-C, etc). */ static void handle_stop_sig(int sig) { - stop_soon = 1; + stop_soon = 1; if (child_pid > 0) kill(child_pid, SIGKILL); if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); } - /* Handle skip request (SIGUSR1). */ static void handle_skipreq(int sig) { @@ -1574,14 +1665,13 @@ static void handle_skipreq(int sig) { } - /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ void check_binary(u8* fname) { - u8* env_path = 0; + u8* env_path = 0; struct stat st; s32 fd; @@ -1609,7 +1699,9 @@ void check_binary(u8* fname) { memcpy(cur_elem, env_path, delim - env_path); ++delim; - } else cur_elem = ck_strdup(env_path); + } else + + cur_elem = ck_strdup(env_path); env_path = delim; @@ -1621,7 +1713,8 @@ void check_binary(u8* fname) { ck_free(cur_elem); if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && (f_len = st.st_size) >= 4) break; + (st.st_mode & 0111) && (f_len = st.st_size) >= 4) + break; ck_free(target_path); target_path = 0; @@ -1638,7 +1731,7 @@ void check_binary(u8* fname) { if ((!strncmp(target_path, "/tmp/", 5) && !strchr(target_path + 5, '/')) || (!strncmp(target_path, "/var/tmp/", 9) && !strchr(target_path + 9, '/'))) - FATAL("Please don't keep binaries in /tmp or /var/tmp"); + FATAL("Please don't keep binaries in /tmp or /var/tmp"); fd = open(target_path, O_RDONLY); @@ -1653,13 +1746,19 @@ void check_binary(u8* fname) { if (f_data[0] == '#' && f_data[1] == '!') { SAYF("\n" cLRD "[-] " cRST - "Oops, the target binary looks like a shell script. Some build systems will\n" - " sometimes generate shell stubs for dynamically linked programs; try static\n" - " library mode (./configure --disable-shared) if that's the case.\n\n" - - " Another possible cause is that you are actually trying to use a shell\n" - " wrapper around the fuzzed component. Invoking shell can slow down the\n" - " fuzzing process by a factor of 20x or more; it's best to write the wrapper\n" + "Oops, the target binary looks like a shell script. Some build " + "systems will\n" + " sometimes generate shell stubs for dynamically linked programs; " + "try static\n" + " library mode (./configure --disable-shared) if that's the " + "case.\n\n" + + " Another possible cause is that you are actually trying to use a " + "shell\n" + " wrapper around the fuzzed component. Invoking shell can slow " + "down the\n" + " fuzzing process by a factor of 20x or more; it's best to write " + "the wrapper\n" " in a compiled language instead.\n"); FATAL("Program '%s' is a shell script", target_path); @@ -1673,28 +1772,35 @@ void check_binary(u8* fname) { #else -#if !defined(__arm__) && !defined(__arm64__) +# if !defined(__arm__) && !defined(__arm64__) if (f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) FATAL("Program '%s' is not a 64-bit Mach-O binary", target_path); -#endif +# endif #endif /* ^!__APPLE__ */ if (!qemu_mode && !unicorn_mode && !dumb_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - SAYF("\n" cLRD "[-] " cRST - "Looks like the target binary is not instrumented! The fuzzer depends on\n" - " compile-time instrumentation to isolate interesting test cases while\n" - " mutating the input data. For more information, and for tips on how to\n" - " instrument binaries, please see %s/README.\n\n" - - " When source code is not available, you may be able to leverage QEMU\n" - " mode support. Consult the README for tips on how to enable this.\n" - - " (It is also possible to use afl-fuzz as a traditional, \"dumb\" fuzzer.\n" - " For that, you can use the -n option - but expect much worse results.)\n", - doc_path); + SAYF( + "\n" cLRD "[-] " cRST + "Looks like the target binary is not instrumented! The fuzzer depends " + "on\n" + " compile-time instrumentation to isolate interesting test cases " + "while\n" + " mutating the input data. For more information, and for tips on " + "how to\n" + " instrument binaries, please see %s/README.\n\n" + + " When source code is not available, you may be able to leverage " + "QEMU\n" + " mode support. Consult the README for tips on how to enable this.\n" + + " (It is also possible to use afl-fuzz as a traditional, \"dumb\" " + "fuzzer.\n" + " For that, you can use the -n option - but expect much worse " + "results.)\n", + doc_path); FATAL("No instrumentation detected"); @@ -1704,8 +1810,10 @@ void check_binary(u8* fname) { memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST - "This program appears to be instrumented with afl-gcc, but is being run in\n" - " QEMU or Unicorn mode (-Q or -U). This is probably not what you want -\n" + "This program appears to be instrumented with afl-gcc, but is being " + "run in\n" + " QEMU or Unicorn mode (-Q or -U). This is probably not what you " + "want -\n" " this setup will be slow and offer no practical benefits.\n"); FATAL("Instrumentation found in -Q or -U mode"); @@ -1713,7 +1821,8 @@ void check_binary(u8* fname) { } if (memmem(f_data, f_len, "libasan.so", 10) || - memmem(f_data, f_len, "__msan_init", 11)) uses_asan = 1; + memmem(f_data, f_len, "__msan_init", 11)) + uses_asan = 1; /* Detect persistent & deferred init signatures in the binary. */ @@ -1745,7 +1854,6 @@ void check_binary(u8* fname) { } - /* Trim and possibly create a banner for the run. */ void fix_up_banner(u8* name) { @@ -1759,7 +1867,10 @@ void fix_up_banner(u8* name) { } else { u8* trim = strrchr(name, '/'); - if (!trim) use_banner = name; else use_banner = trim + 1; + if (!trim) + use_banner = name; + else + use_banner = trim + 1; } @@ -1775,7 +1886,6 @@ void fix_up_banner(u8* name) { } - /* Check if we're on TTY. */ void check_if_tty(void) { @@ -1783,24 +1893,29 @@ void check_if_tty(void) { struct winsize ws; if (getenv("AFL_NO_UI")) { + OKF("Disabling the UI because AFL_NO_UI is set."); not_on_tty = 1; return; + } if (ioctl(1, TIOCGWINSZ, &ws)) { if (errno == ENOTTY) { - OKF("Looks like we're not running on a tty, so I'll be a bit less verbose."); + + OKF("Looks like we're not running on a tty, so I'll be a bit less " + "verbose."); not_on_tty = 1; + } return; + } } - /* Set up signal handlers. More complicated that needs to be, because libc on Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call siginterrupt(), and does other stupid things. */ @@ -1809,8 +1924,8 @@ void setup_signal_handlers(void) { struct sigaction sa; - sa.sa_handler = NULL; - sa.sa_flags = SA_RESTART; + sa.sa_handler = NULL; + sa.sa_flags = SA_RESTART; sa.sa_sigaction = NULL; sigemptyset(&sa.sa_mask); @@ -1845,13 +1960,12 @@ void setup_signal_handlers(void) { } - /* Rewrite argv for QEMU. */ char** get_qemu_argv(u8* own_loc, char** argv, int argc) { char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); - u8 *tmp, *cp, *rsl, *own_copy; + u8 * tmp, *cp, *rsl, *own_copy; memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); @@ -1866,8 +1980,7 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) { cp = alloc_printf("%s/afl-qemu-trace", tmp); - if (access(cp, X_OK)) - FATAL("Unable to find '%s'", tmp); + if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp); target_path = new_argv[0] = cp; return new_argv; @@ -1891,7 +2004,9 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) { } - } else ck_free(own_copy); + } else + + ck_free(own_copy); if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { @@ -1901,14 +2016,20 @@ char** get_qemu_argv(u8* own_loc, char** argv, int argc) { } SAYF("\n" cLRD "[-] " cRST - "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be built\n" - " separately by following the instructions in qemu_mode/README.qemu. If you\n" - " already have the binary installed, you may need to specify AFL_PATH in the\n" + "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be " + "built\n" + " separately by following the instructions in qemu_mode/README.qemu. " + "If you\n" + " already have the binary installed, you may need to specify " + "AFL_PATH in the\n" " environment.\n\n" - " Of course, even without QEMU, afl-fuzz can still work with binaries that are\n" - " instrumented at compile time with afl-gcc. It is also possible to use it as a\n" - " traditional \"dumb\" fuzzer by specifying '-n' in the command line.\n"); + " Of course, even without QEMU, afl-fuzz can still work with " + "binaries that are\n" + " instrumented at compile time with afl-gcc. It is also possible to " + "use it as a\n" + " traditional \"dumb\" fuzzer by specifying '-n' in the command " + "line.\n"); FATAL("Failed to locate 'afl-qemu-trace'."); @@ -1923,7 +2044,7 @@ void save_cmdline(u32 argc, char** argv) { for (i = 0; i < argc; ++i) len += strlen(argv[i]) + 1; - + buf = orig_cmdline = ck_alloc(len); for (i = 0; i < argc; ++i) { |