author | Dominik Maier <domenukk@gmail.com> | 2020-06-25 17:13:16 +0200 |
---|---|---|
committer | Dominik Maier <domenukk@gmail.com> | 2020-06-25 17:13:16 +0200 |
commit | 3a62bb68e0867ceb920761bc19c96f5ca1992003 (patch) | |
tree | 2f403d0b9911002f4b5d8c2edd09a6b1117c93d1 /src/afl-fuzz.c | |
parent | aad433e11efa4a8350a264313c66db8ef6d17088 (diff) | |
parent | 8178f4dfddfb51f7a3e2f94e67bb9cf7332c7ef1 (diff) | |
download | afl++-3a62bb68e0867ceb920761bc19c96f5ca1992003.tar.gz |
updated unicornafl
Diffstat (limited to 'src/afl-fuzz.c')
-rw-r--r-- | src/afl-fuzz.c | 167 |
1 files changed, 42 insertions, 125 deletions
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c8083f71..2f23aec7 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -46,63 +46,6 @@ static void at_exit() { } -static u8 *get_libradamsa_path(u8 *own_loc) { - - u8 *tmp, *cp, *rsl, *own_copy; - - tmp = getenv("AFL_PATH"); - - if (tmp) { - - cp = alloc_printf("%s/libradamsa.so", tmp); - - if (access(cp, X_OK)) { FATAL("Unable to find '%s'", cp); } - - return cp; - - } - - own_copy = ck_strdup(own_loc); - rsl = strrchr(own_copy, '/'); - - if (rsl) { - - *rsl = 0; - - cp = alloc_printf("%s/libradamsa.so", own_copy); - ck_free(own_copy); - - if (!access(cp, X_OK)) { return cp; } - - } else { - - ck_free(own_copy); - - } - - if (!access(AFL_PATH "/libradamsa.so", X_OK)) { - - return ck_strdup(AFL_PATH "/libradamsa.so"); - - } - - if (!access(BIN_PATH "/libradamsa.so", X_OK)) { - - return ck_strdup(BIN_PATH "/libradamsa.so"); - - } - - SAYF( - "\n" cLRD "[-] " cRST - "Oops, unable to find the 'libradamsa.so' binary. The binary must be " - "built\n" - " separately using 'make radamsa'. If you already have the binary " - "installed,\n you may need to specify AFL_PATH in the environment.\n"); - - FATAL("Failed to locate 'libradamsa.so'."); - -} - /* Display usage hints. */ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { 
@@ -115,12 +58,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { " -o dir - output directory for fuzzer findings\n\n" "Execution control settings:\n" - " -p schedule - power schedules recompute a seed's performance " - "score.\n" - " <explore(default), fast, coe, lin, quad, exploit, " - "mmopt, rare>\n" + " -p schedule - power schedules compute a seed's performance score. " + "<explore\n" + " (default), fast, coe, lin, quad, exploit, mmopt, " + "rare, seek>\n" " see docs/power_schedules.md\n" - " -f file - location read by the fuzzed program (stdin)\n" + " -f file - location read by the fuzzed program (default: stdin " + "or @@)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n" " -m megs - memory limit for child process (%d MB)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" @@ -129,8 +73,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "mode)\n\n" "Mutator settings:\n" - " -R[R] - add Radamsa as mutator, add another -R to exclusivly " - "run it\n" " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" " pacemaker mode (minutes of no new paths). 0 = " @@ -146,7 +88,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "devices etc.!)\n" " -d - quick & dirty mode (skips deterministic steps)\n" " -n - fuzz without instrumentation (non-instrumented mode)\n" - " -x dir - optional fuzzer dictionary (see README.md, its really " + " -x dict_file - optional fuzzer dictionary (see README.md, its really " "good!)\n\n" "Testing settings:\n" 
@@ -159,14 +101,16 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Other stuff:\n" " -T text - text banner to show on the screen\n" - " -M / -S id - distributed mode (see docs/parallel_fuzzing.md)\n" + " -M/-S id - distributed mode (see docs/parallel_fuzzing.md)\n" + " use -D to force -S secondary to perform deterministic " + "fuzzing\n" " -I command - execute this command/script when a new crash is " "found\n" - " -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap " - "file\n" + //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap + //" "file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" - " -e ext - file extension for the temporarily generated test " - "case\n\n", + " -e ext - file extension for the fuzz test case case (if " + "needed)\n\n", argv0, EXEC_TIMEOUT, MEM_LIMIT); if (more_help > 1) { @@ -292,7 +236,7 @@ int main(int argc, char **argv_orig, char **envp) { rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); while ((opt = getopt(argc, argv, - "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > + "+c:i:I:o:f:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) { switch (opt) { @@ -347,6 +291,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->schedule = RARE; + } else if (!stricmp(optarg, "seek")) { + + afl->schedule = SEEK; + } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") || !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) { @@ -384,7 +332,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->out_dir = optarg; break; - case 'M': { /* master sync ID */ + case 'M': { /* main sync ID */ u8 *c; @@ -413,7 +361,7 @@ int main(int argc, char **argv_orig, char **envp) { break; - case 'S': + case 'S': /* secondary sync id */ if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); 
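Review bot: The new `-e ext` help text in the usage hunk reads `"file extension for the fuzz test case case (if "` — the word "case" is doubled in a user-visible string; the two literals should read `" -e ext - file extension for the fuzz test case (if needed)\n\n",`. In the same hunk the `-B bitmap.txt` help is replaced by two `//`-commented lines sitting between adjacent string literals, while `B:` is still present in the getopt string added further down (`"+c:i:I:o:f:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:"`), so the option keeps working but is no longer documented; either drop the commented-out lines or keep the help line with a short "(experimental)" qualifier rather than leaving dead text in the source. The enclosing usage() function begins before this hunk.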
@@ -518,6 +466,11 @@ int main(int argc, char **argv_orig, char **envp) { break; + case 'D': /* enforce deterministic */ + + afl->skip_deterministic = 0; + break; + case 'd': /* skip deterministic */ afl->skip_deterministic = 1; @@ -782,15 +735,9 @@ int main(int argc, char **argv_orig, char **envp) { case 'R': - if (afl->use_radamsa) { - - afl->use_radamsa = 2; - - } else { - - afl->use_radamsa = 1; - - } + FATAL( + "Radamsa is now a custom mutator, please use that " + "(custom_mutators/radamsa/)."); break; @@ -833,47 +780,6 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->use_radamsa) { - - if (afl->limit_time_sig > 0) { - - FATAL( - "MOpt and Radamsa are mutually exclusive unless you specify -L -1. " - "We accept pull requests that integrates MOpt with the optional " - "mutators (custom/radamsa/redqueen/...)."); - - } - - if (afl->limit_time_sig && afl->use_radamsa > 1) { - - FATAL("Radamsa in radamsa-only mode can not run together with -L"); - - } - - OKF("Using Radamsa add-on"); - - u8 * libradamsa_path = get_libradamsa_path(argv[0]); - void *handle = dlopen(libradamsa_path, RTLD_NOW); - ck_free(libradamsa_path); - - if (!handle) { FATAL("Failed to dlopen() libradamsa"); } - - void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init"); - afl->radamsa_mutate_ptr = dlsym(handle, "radamsa"); - - if (!radamsa_init_ptr || !afl->radamsa_mutate_ptr) { - - FATAL("Failed to dlsym() libradamsa"); - - } - - /* radamsa_init installs some signal handlers, call it before - setup_signal_handlers so that AFL++ can then replace those signal - handlers */ - radamsa_init_ptr(); - - } - #if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { @@ -947,6 +853,9 @@ int main(int argc, char **argv_orig, char **envp) { case RARE: OKF("Using rare edge focus power schedule (RARE)"); break; + case SEEK: + OKF("Using seek power schedule (SEEK)"); + break; case EXPLORE: OKF("Using exploration-based constant power schedule (EXPLORE, default)"); break; 
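Review bot: The new `case 'D'` assigns `afl->skip_deterministic = 0;` unconditionally, so `-d -D` and `-D -d` silently produce different results depending on argument order, whereas the `-S`/`-M` handlers in this same parser FATAL on conflicting repeats. Making the conflict explicit would be consistent, e.g. `if (afl->skip_deterministic) { FATAL("-d and -D are mutually exclusive"); }` ahead of the assignment in `case 'D'`, with the mirror check in `case 'd'`; this assumes skip_deterministic is 0 before option parsing, which is not visible in the hunk and should be confirmed. The help text added in the usage hunk describes -D as forcing an `-S` secondary to run deterministic stages, but nothing here ties the flag to `afl->sync_id`, so if later setup code (outside this hunk) forces secondaries to skip deterministic steps, -D would be undone there; a comment such as `/* -D: keep deterministic stages even for -S secondaries; must survive the sync_id setup below */` would record where the value is meant to be honoured. main() continues outside this hunk.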
@@ -1093,7 +1002,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->is_main_node && check_main_node_exists(afl) == 1) { - WARNF("it is wasteful to run more than one master!"); + WARNF("it is wasteful to run more than one main node!"); sleep(1); } @@ -1340,7 +1249,15 @@ int main(int argc, char **argv_orig, char **envp) { if (!skipped_fuzz && !afl->stop_soon && afl->sync_id) { - if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); } + if (unlikely(afl->is_main_node)) { + + if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 2))) { sync_fuzzers(afl); } + + } else { + + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); } + + } } |
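Review bot: The main-node branch computes `sync_interval_cnt++ % (SYNC_INTERVAL / 2)`, which is a modulus by zero (undefined behaviour) if `SYNC_INTERVAL` is ever set to 1 in config.h, and the integer division means an odd `SYNC_INTERVAL` does not give the main node exactly twice the secondaries' sync rate; the constant's definition is not visible in this diff, so the assumption should be pinned, e.g. `#if SYNC_INTERVAL < 2` / `#error "SYNC_INTERVAL must be >= 2: the main node syncs every SYNC_INTERVAL / 2 cycles"` / `#endif` next to the first use. The commit message ("updated unicornafl") does not explain the new asymmetry, so a one-line comment above the `if (unlikely(afl->is_main_node))` branch stating why the main node syncs more often — presumably to pick up secondaries' findings sooner, to be confirmed — would help the next maintainer. The enclosing fuzzing loop and main() continue outside this hunk.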