author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-11-11 15:53:24 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-11 15:53:24 +0100 |
commit | 388f4ae30240f2a675afa5b1febded00284ad450 (patch) | |
tree | 5ac20b7c7deff76fe4bb9269b1f684e48e2736a0 /src/afl-fuzz-one.c | |
parent | 01d55372441960c435af8f3bd6b61d1302042728 (diff) | |
parent | f1fbea96f625a5af9b5321cb98acfc3378b5343e (diff) | |
download | afl++-388f4ae30240f2a675afa5b1febded00284ad450.tar.gz |
Merge pull request #106 from vanhauser-thc/radamsa
Radamsa
Diffstat (limited to 'src/afl-fuzz-one.c')
-rw-r--r-- | src/afl-fuzz-one.c | 90 |
1 files changed, 82 insertions, 8 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 8ca219b5..6ab0266d 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -480,6 +480,9 @@ u8 fuzz_one_original(char** argv) {
 if (perf_score == 0) goto abandon_entry;
+ if (use_radamsa > 1)
+ goto radamsa_stage;
+
 if (custom_mutator) {
 stage_short = "custom";
@@ -537,22 +540,30 @@ u8 fuzz_one_original(char** argv) {
 perf_score < (queue_cur->depth * 30 <= havoc_max_mult * 100 ? queue_cur->depth * 30 : havoc_max_mult * 100)) ||
- queue_cur->passed_det)
+ queue_cur->passed_det) {
+ if (use_radamsa > 1)
+ goto radamsa_stage;
+ else
 #ifdef USE_PYTHON
- goto python_stage;
+ goto python_stage;
 #else
- goto havoc_stage;
+ goto havoc_stage;
 #endif
+ }
 /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this master instance. */
- if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1)
+ if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) {
+ if (use_radamsa > 1)
+ goto radamsa_stage;
+ else
 #ifdef USE_PYTHON
- goto python_stage;
+ goto python_stage;
 #else
- goto havoc_stage;
+ goto havoc_stage;
 #endif
+ }
 doing_det = 1;
@@ -2252,10 +2263,13 @@ retry_splicing:
 out_buf = ck_alloc_nozero(len);
 memcpy(out_buf, in_buf, len);
+ if (use_radamsa > 1)
+ goto radamsa_stage;
+ else
 #ifdef USE_PYTHON
- goto python_stage;
+ goto python_stage;
 #else
- goto havoc_stage;
+ goto havoc_stage;
 #endif
 }
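Review bot: The new `goto radamsa_stage` right after the perf_score check turns `use_radamsa > 1` into a radamsa-only mode that silently bypasses the custom mutator and every deterministic, havoc and splicing stage, and nothing in the diff says so; a comment at the jump would help, e.g. `/* -RR: radamsa-only mode, skip the custom mutator and all built-in stages */`. Note also that the radamsa_stage added later in this diff falls through to abandon_entry when radamsa_mutate_ptr is NULL, so if the library failed to load this jump would make every queue entry be abandoned without a single execution. Unless option parsing already refuses that combination (not visible here), the loader should abort at startup rather than letting the fuzzer spin doing nothing. The enclosing fuzz_one_original starts and ends outside the hunk.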
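Review bot: Both new `if (use_radamsa > 1) goto radamsa_stage; else` branches in this hunk look unreachable: the first hunk already jumps to radamsa_stage whenever use_radamsa > 1, immediately after the perf_score check, and nothing between the two places changes use_radamsa as far as this diff shows, so by the time the skip-deterministic and master_max checks run the condition is always false. The same holds for the copy added in the retry_splicing hunk. Dropping the three copies would restore the original one-line `goto python_stage;` / `goto havoc_stage;` bodies and remove the `else` that is immediately followed by `#ifdef USE_PYTHON`, which reads as if the else had no body under one configuration. The enclosing function starts and ends outside the hunk.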
@@ -2263,7 +2277,67 @@ retry_splicing:
 #endif /* !IGNORE_FINDS */
 ret_val = 0;
+ goto radamsa_stage;
+
+
+radamsa_stage:
+
+ if (!use_radamsa || !radamsa_mutate_ptr)
+ goto abandon_entry;
+
+ stage_name = "radamsa";
+ stage_short = "radamsa";
+ stage_max = (HAVOC_CYCLES * perf_score / havoc_div / 100) << use_radamsa;
+
+ if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
+
+ orig_hit_cnt = queued_paths + unique_crashes;
+
+ /* Read the additional testcase into a new buffer. */
+ u8 *save_buf = ck_alloc_nozero(len);
+ memcpy(save_buf, out_buf, len);
+
+ u32 max_len = len + choose_block_len(HAVOC_BLK_XL);
+ u8* new_buf = ck_alloc_nozero(max_len);
+ u8 *tmp_buf;
+
+ for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
+ u32 new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed());
+
+ if (new_len) {
+
+ temp_len = new_len;
+ tmp_buf = new_buf;
+
+ } else {
+
+ tmp_buf = save_buf; // nope but I dont care
+ temp_len = len;
+
+ }
+
+ if (common_fuzz_stuff(argv, tmp_buf, temp_len)) {
+
+ ck_free(save_buf);
+ ck_free(new_buf);
+ goto abandon_entry;
+
+ }
+
+ }
+
+ ck_free(save_buf);
+ ck_free(new_buf);
+
+ new_hit_cnt = queued_paths + unique_crashes;
+
+ stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt;
+ stage_cycles[STAGE_RADAMSA] += stage_max;
+
+ ret_val = 0;
+ goto abandon_entry;
+/* we are through with this queue entry - for this iteration */
 abandon_entry:
 splicing_with = -1; |
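Review bot: The loop body trusts the length returned by radamsa_mutate_ptr: `new_len` goes straight into common_fuzz_stuff without being compared to max_len, so a mutator that reports more bytes than the buffer it was handed (radamsa_mutate_ptr is a runtime-resolved pointer, which is why the stage NULL-tests it) would make the harness read past new_buf; a one-line guard after the call, `if (new_len > max_len) new_len = max_len;` (or an abort via the file's fatal-error macro), closes that. The `else` branch re-executes the unmutated input whenever radamsa returns 0, which the `// nope but I dont care` comment admits; `continue;` there would skip the wasted execution and the comment should go. The `/* Read the additional testcase into a new buffer. */` comment is copied from the splicing code and is wrong here — save_buf is a copy of out_buf, not a file read — and the `goto radamsa_stage;` immediately before the `radamsa_stage:` label is a no-op. The enclosing fuzz_one_original begins outside the hunk.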