diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-12-02 14:34:21 +0100 |
|---|---|---|
| committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-12-02 14:34:21 +0100 |
| commit | 124ec8d297269b6b3066123782a7e92c802d2248 (patch) | |
| tree | f18a4a42111ea2faa08ef2183d995aa254146e7b /src | |
| parent | e9ed056913b4ce711ae47699c1937779036259e7 (diff) | |
| download | afl++-124ec8d297269b6b3066123782a7e92c802d2248.tar.gz | |
code format (contributors, do it!)
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-analyze.c | 3 | ||||
| -rw-r--r-- | src/afl-as.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 12 | ||||
| -rw-r--r-- | src/afl-fuzz-globals.c | 4 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 18 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 39 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 29 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 54 | ||||
| -rw-r--r-- | src/afl-gotcpu.c | 11 |
10 files changed, 94 insertions, 80 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index ee281af8..b82e124d 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -987,7 +987,8 @@ int main(int argc, char** argv) { if (child_timed_out) FATAL("Target binary times out (adjusting -t may help)."); - if (getenv("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) FATAL("No instrumentation detected."); + if (getenv("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) + FATAL("No instrumentation detected."); analyze(use_argv); diff --git a/src/afl-as.c b/src/afl-as.c index a0ebb2e0..9abe3fc2 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -83,7 +83,7 @@ static u8 use_64bit = 0; #error "Sorry, 32-bit Apple platforms are not supported." #endif /* __APPLE__ */ -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ /* Examine and modify parameters to pass to 'as'. Note that the file name is always the last parameter passed by GCC, so we exploit this property diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 5d629cc0..0329421c 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -87,7 +87,7 @@ u8 has_new_bits(u8* virgin_map) { u32 i = (MAP_SIZE >> 2); -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ u8 ret = 0; @@ -125,7 +125,7 @@ u8 has_new_bits(u8* virgin_map) { else ret = 1; -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ } @@ -306,7 +306,7 @@ void simplify_trace(u32* mem) { } -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ /* Destructively classify execution counts in a trace. This is used as a preprocessing step for any newly acquired traces. Called on every exec, @@ -391,7 +391,7 @@ void classify_counts(u32* mem) { } -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ /* Compact trace bytes into a smaller bitmap. We effectively just drop the count information here. This is called only sporadically, for some @@ -599,7 +599,7 @@ u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { simplify_trace((u64*)trace_bits); #else simplify_trace((u32*)trace_bits); -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ if (!has_new_bits(virgin_tmout)) return keeping; @@ -662,7 +662,7 @@ u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { simplify_trace((u64*)trace_bits); #else simplify_trace((u32*)trace_bits); -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ if (!has_new_bits(virgin_crash)) return keeping; diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 50b6b802..5c36eb0b 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -96,7 +96,7 @@ u8 schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/ u8 havoc_max_mult = HAVOC_MAX_MULT; u8 use_radamsa; -size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32); +size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32); u8 skip_deterministic, /* Skip deterministic stages? */ force_deterministic, /* Force deterministic stages? */ @@ -215,7 +215,7 @@ u32 rand_cnt; /* Random number counter */ #endif u32 rand_seed[2]; -s64 init_seed; +s64 init_seed; u64 total_cal_us, /* Total calibration time (us) */ total_cal_cycles; /* Total calibration cycles */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index d99f9bec..bdab41e7 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -142,7 +142,8 @@ void bind_to_free_cpu(void) { if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 10) cpu_used[procs[i].ki_oncpu] = 1; #elif defined(__DragonFly__) - if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) + if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && + procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; #endif @@ -734,7 +735,8 @@ void pivot_inputs(void) { use_name += 6; else use_name = rsl; - nfn = alloc_printf("%s/queue/id:%06u,time:0,orig:%s", out_dir, id, use_name); + nfn = alloc_printf("%s/queue/id:%06u,time:0,orig:%s", out_dir, id, + use_name); #else @@ -1563,8 +1565,10 @@ void check_cpu_governor(void) { " You can later go back to the original state by replacing " "'performance'\n" - " with 'ondemand' or 'powersave'. If you don't want to change the settings,\n" - " set AFL_SKIP_CPUFREQ to make afl-fuzz skip this check - but expect some\n" + " with 'ondemand' or 'powersave'. If you don't want to change the " + "settings,\n" + " set AFL_SKIP_CPUFREQ to make afl-fuzz skip this check - but expect " + "some\n" " performance drop.\n", min / 1024, max / 1024); FATAL("Suboptimal CPU scaling governor"); @@ -1609,7 +1613,8 @@ void check_cpu_governor(void) { void get_core_count(void) { -#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ + defined(__DragonFly__) size_t s = sizeof(cpu_core_count); @@ -1655,7 +1660,8 @@ void get_core_count(void) { cur_runnable = (u32)get_runnable_processes(); -#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ + defined(__DragonFly__) /* Add ourselves, since the 1-minute average doesn't include that yet. */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 6ab0266d..f7cfbbe1 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -480,8 +480,7 @@ u8 fuzz_one_original(char** argv) { if (perf_score == 0) goto abandon_entry; - if (use_radamsa > 1) - goto radamsa_stage; + if (use_radamsa > 1) goto radamsa_stage; if (custom_mutator) { @@ -541,6 +540,7 @@ u8 fuzz_one_original(char** argv) { ? queue_cur->depth * 30 : havoc_max_mult * 100)) || queue_cur->passed_det) { + if (use_radamsa > 1) goto radamsa_stage; else @@ -549,12 +549,14 @@ u8 fuzz_one_original(char** argv) { #else goto havoc_stage; #endif + } /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this master instance. */ if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) { + if (use_radamsa > 1) goto radamsa_stage; else @@ -563,6 +565,7 @@ u8 fuzz_one_original(char** argv) { #else goto havoc_stage; #endif + } doing_det = 1; @@ -2279,39 +2282,39 @@ retry_splicing: ret_val = 0; goto radamsa_stage; - radamsa_stage: - if (!use_radamsa || !radamsa_mutate_ptr) - goto abandon_entry; - + if (!use_radamsa || !radamsa_mutate_ptr) goto abandon_entry; + stage_name = "radamsa"; stage_short = "radamsa"; stage_max = (HAVOC_CYCLES * perf_score / havoc_div / 100) << use_radamsa; - + if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; - + orig_hit_cnt = queued_paths + unique_crashes; - + /* Read the additional testcase into a new buffer. */ - u8 *save_buf = ck_alloc_nozero(len); + u8* save_buf = ck_alloc_nozero(len); memcpy(save_buf, out_buf, len); - + u32 max_len = len + choose_block_len(HAVOC_BLK_XL); u8* new_buf = ck_alloc_nozero(max_len); - u8 *tmp_buf; + u8* tmp_buf; for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { - u32 new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed()); + + u32 new_len = + radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed()); if (new_len) { - + temp_len = new_len; tmp_buf = new_buf; } else { - tmp_buf = save_buf; // nope but I dont care + tmp_buf = save_buf; // nope but I dont care temp_len = len; } @@ -2323,14 +2326,14 @@ radamsa_stage: goto abandon_entry; } - + } ck_free(save_buf); ck_free(new_buf); - + new_hit_cnt = queued_paths + unique_crashes; - + stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_RADAMSA] += stage_max; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index c5035b63..8fa91afd 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -225,7 +225,7 @@ u8 run_target(char** argv, u32 timeout) { classify_counts((u64*)trace_bits); #else classify_counts((u32*)trace_bits); -#endif /* ^WORD_SIZE_64 */ +#endif /* ^WORD_SIZE_64 */ prev_timed_out = child_timed_out; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 851cfb1c..db2d7dc2 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -334,9 +334,9 @@ void show_stats(void) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (dumb_mode) { @@ -413,9 +413,9 @@ void show_stats(void) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", DTD(cur_ms, last_hang_time), tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -443,9 +443,9 @@ void show_stats(void) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); @@ -514,7 +514,7 @@ void show_stats(void) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); @@ -576,11 +576,12 @@ void show_stats(void) { " imported : " cRST "%-10s" bSTG bV "\n", tmp, sync_id ? DI(queued_imported) : (u8*)"n/a"); - sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]), - DI(stage_cycles[STAGE_HAVOC]), DI(stage_finds[STAGE_SPLICE]), - DI(stage_cycles[STAGE_SPLICE]), DI(stage_finds[STAGE_PYTHON]), - DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_RADAMSA]), - DI(stage_cycles[STAGE_RADAMSA]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), + sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_HAVOC]), DI(stage_cycles[STAGE_HAVOC]), + DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_SPLICE]), + DI(stage_finds[STAGE_PYTHON]), DI(stage_cycles[STAGE_PYTHON]), + DI(stage_finds[STAGE_RADAMSA]), DI(stage_cycles[STAGE_RADAMSA]), + DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP "havoc/custom : " cRST "%-36s " bSTG bV bSTOP, tmp); @@ -634,13 +635,13 @@ void show_stats(void) { sprintf(tmp, "%s/%s", DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB - "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, + "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); } else { SAYF(bV bSTOP " trim : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB - "\n" bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1, + "\n" bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1, tmp); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 42bdaebd..bdbc48e0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -28,7 +28,7 @@ static u8* get_libradamsa_path(u8* own_loc) { u8 *tmp, *cp, *rsl, *own_copy; - + tmp = getenv("AFL_PATH"); if (tmp) { @@ -51,8 +51,7 @@ static u8* get_libradamsa_path(u8* own_loc) { cp = alloc_printf("%s/libradamsa.so", own_copy); ck_free(own_copy); - if (!access(cp, X_OK)) - return cp; + if (!access(cp, X_OK)) return cp; } else @@ -70,11 +69,12 @@ static u8* get_libradamsa_path(u8* own_loc) { } - SAYF("\n" cLRD "[-] " cRST - "Oops, unable to find the 'libradamsa.so' binary. The binary must be " - "built\n" - " separately using 'make radamsa'. If you already have the binary " - "installed,\n you may need to specify AFL_PATH in the environment.\n"); + SAYF( + "\n" cLRD "[-] " cRST + "Oops, unable to find the 'libradamsa.so' binary. The binary must be " + "built\n" + " separately using 'make radamsa'. If you already have the binary " + "installed,\n you may need to specify AFL_PATH in the environment.\n"); FATAL("Failed to locate 'libradamsa.so'."); @@ -109,10 +109,12 @@ static void usage(u8* argv0) { " -m megs - memory limit for child process (%d MB)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" - " -W - use qemu-based instrumentation with Wine (Wine mode)\n\n" + " -W - use qemu-based instrumentation with Wine (Wine " + "mode)\n\n" "Mutator settings:\n" - " -R[R] - add Radamsa as mutator, add another -R to exclusivly run it\n" + " -R[R] - add Radamsa as mutator, add another -R to exclusivly " + "run it\n" " -L minutes - use MOpt(imize) mode and set the limit time for " "entering the\n" " pacemaker mode (minutes of no new paths, 0 = " @@ -184,9 +186,8 @@ int main(int argc, char** argv) { struct timeval tv; struct timezone tz; - SAYF(cCYA - "afl-fuzz" VERSION cRST - " based on afl by Michal Zalewski and a big online community\n"); + SAYF(cCYA "afl-fuzz" VERSION cRST + " based on afl by Michal Zalewski and a big online community\n"); doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; @@ -568,9 +569,9 @@ int main(int argc, char** argv) { usage(argv[0]); return -1; break; // not needed - + case 'R': - + if (use_radamsa) use_radamsa = 2; else @@ -595,28 +596,30 @@ int main(int argc, char** argv) { if (fixed_seed) OKF("Running with fixed seed: %u", (u32)init_seed); srandom((u32)init_seed); - + if (use_radamsa) { - + OKF("Using Radamsa add-on"); - - u8* libradamsa_path = get_libradamsa_path(argv[0]); + + u8* libradamsa_path = get_libradamsa_path(argv[0]); void* handle = dlopen(libradamsa_path, RTLD_NOW); ck_free(libradamsa_path); - + if (!handle) FATAL("Failed to dlopen() libradamsa"); void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init"); radamsa_mutate_ptr = dlsym(handle, "radamsa"); - if (!radamsa_init_ptr || !radamsa_mutate_ptr) FATAL("Failed to dlsym() libradamsa"); + if (!radamsa_init_ptr || !radamsa_mutate_ptr) + FATAL("Failed to dlsym() libradamsa"); - /* randamsa_init installs some signal hadlers, call it before setup_signal_handlers - so that AFL++ can then replace those signal handlers */ + /* randamsa_init installs some signal hadlers, call it before + setup_signal_handlers so that AFL++ can then replace those signal + handlers */ radamsa_init_ptr(); } - + setup_signal_handlers(); check_asan_opts(); @@ -648,8 +651,7 @@ int main(int argc, char** argv) { } - if (getenv("AFL_DISABLE_TRIM")) - disable_trim = 1; + if (getenv("AFL_DISABLE_TRIM")) disable_trim = 1; if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive"); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index e09f0980..c6d71bb2 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -52,7 +52,8 @@ #include "types.h" #include "debug.h" -#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__DragonFly__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ + defined(__APPLE__) || defined(__DragonFly__) #define HAVE_AFFINITY 1 #if defined(__FreeBSD__) || defined(__DragonFly__) #include <pthread.h> @@ -69,7 +70,7 @@ #include <mach/thread_act.h> #include <mach/thread_policy.h> #endif -#endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ +#endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get unix time in microseconds. */ @@ -183,11 +184,11 @@ int main(int argc, char** argv) { cpuset_set(i, c); #elif defined(__APPLE__) - thread_affinity_policy_data_t c = { i }; + thread_affinity_policy_data_t c = {i}; thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, - (thread_policy_t)&c, 1) != KERN_SUCCESS) - PFATAL("thread_policy_set failed"); + (thread_policy_t)&c, 1) != KERN_SUCCESS) + PFATAL("thread_policy_set failed"); #endif #if defined(__FreeBSD__) || defined(__DragonFly__) |