diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-02-18 15:05:17 +0100 |
|---|---|---|
| committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-02-18 15:05:17 +0100 |
| commit | 13296af49168c4b63f3d4ea1e31f278317114e5c (patch) | |
| tree | 14941b58b4ace876c7e6c80ddd2add321a3f5a2a /src | |
| parent | 706718ca2e7ef0becb32fc4548fadeb19a0f6212 (diff) | |
| download | afl++-13296af49168c4b63f3d4ea1e31f278317114e5c.tar.gz | |
skeleton for rtn cmplog
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-fuzz-one.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-redqueen.c | 74 |
2 files changed, 74 insertions, 2 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index c1f3f9ac..18376556 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -531,7 +531,7 @@ u8 fuzz_one_original(char** argv) { } - if (cmplog_mode) { + if (cmplog_mode && !queue_cur->fully_colorized) { if (input_to_state_stage(argv, in_buf, out_buf, len, queue_cur->exec_cksum)) goto abandon_entry; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 4f5d69f7..f070c196 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -145,6 +145,9 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) { --stage_cur; } + + if (stage_cur) + queue_cur->fully_colorized = 1; new_hit_cnt = queued_paths + unique_crashes; stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt; @@ -417,6 +420,71 @@ u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { } +u8 rtn_extend_encoding(struct cmp_header* h, u8* pattern, u8* repl, u32 idx, + u8* orig_buf, u8* buf, u32 len, u8* status) { + + *status = 2; + +} + +u8 rtn_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) { + + struct cmp_header* h = &cmp_map->headers[key]; + u32 i, j, idx; + + u32 loggeds = h->hits; + if (h->hits > CMP_MAP_RTN_H) loggeds = CMP_MAP_RTN_H; + + u8 status; + // opt not in the paper + u32 fails = 0; + + for (i = 0; i < loggeds; ++i) { + + struct cmpfn_operands* o = &((struct cmpfn_operands*)cmp_map->log[key])[i]; + + // opt not in the paper + //for (j = 0; j < i; ++j) + // if (cmp_map->log[key][j].v0 == o->v0 && cmp_map->log[key][i].v1 == o->v1) + // goto cmp_fuzz_next_iter; + + for (idx = 0; idx < len && fails < 8; ++idx) { + + if (unlikely(rtn_extend_encoding(h, o->v0, o->v1, idx, orig_buf, buf, len, + &status))) + return 1; + if (status == 2) + ++fails; + else if (status == 1) + break; + + if (unlikely(rtn_extend_encoding(h, o->v1, o->v0, idx, orig_buf, buf, len, + &status))) + return 1; + if (status == 2) + ++fails; + else if (status == 1) + break; + + } + + // If failed, add to dictionary + if (fails == 8) { + + maybe_add_auto(o->v0, SHAPE_BYTES(h->shape)); + maybe_add_auto(o->v1, SHAPE_BYTES(h->shape)); + + } + + cmp_fuzz_next_iter: + stage_cur++; + + } + + return 0; + +} + ///// Input to State stage // queue_cur->exec_cksum @@ -455,7 +523,11 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len, for (k = 0; k < CMP_MAP_W; ++k) { if (!cmp_map->headers[k].hits) continue; - cmp_fuzz(k, orig_buf, buf, len); + + if (cmp_map->headers[k].type == CMP_TYPE_INS) + cmp_fuzz(k, orig_buf, buf, len); + else + rtn_fuzz(k, orig_buf, buf, len); } |