authorAndrea Fioraldi <andreafioraldi@gmail.com>2020-04-14 10:12:41 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2020-04-14 10:12:41 +0200
commit1d62bf1c37b9a1803745abb41ed41057959a45d2 (patch)
tree3e33e4d0535291ca5a6968c3ed5bb18f72acd20e /src
parent982d46e7cb2c7cabcd8969e6303c3cb8f3d8e56a (diff)
parent1374e65401c9d40b449c78459a2d0241c779b989 (diff)
downloadafl++-1d62bf1c37b9a1803745abb41ed41057959a45d2.tar.gz
solve conflicts
Diffstat (limited to 'src')
-rw-r--r--src/afl-analyze.c4
-rw-r--r--src/afl-common.c11
-rw-r--r--src/afl-forkserver.c13
-rw-r--r--src/afl-fuzz-bitmap.c10
-rw-r--r--src/afl-fuzz-extras.c2
-rw-r--r--src/afl-fuzz-init.c2
-rw-r--r--src/afl-fuzz-one.c17
-rw-r--r--src/afl-fuzz-queue.c2
-rw-r--r--src/afl-fuzz-redqueen.c7
-rw-r--r--src/afl-fuzz-run.c2
-rw-r--r--src/afl-fuzz-stats.c15
-rw-r--r--src/afl-fuzz.c42
-rw-r--r--src/afl-sharedmem.c10
-rw-r--r--src/afl-showmap.c8
-rw-r--r--src/afl-tmin.c4
15 files changed, 88 insertions, 61 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 510ec94a..952786b0 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -902,6 +902,8 @@ int main(int argc, char **argv, char **envp) {
if (mem_limit_given) FATAL("Multiple -m options not supported");
mem_limit_given = 1;
+ if (!optarg) { FATAL("Bad syntax used for -m"); }
+
if (!strcmp(optarg, "none")) {
mem_limit = 0;
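Review bot: The two new optarg guards are written in different shapes with different messages — L39 is the braced `if (!optarg) { FATAL("Bad syntax used for -m"); }` while L46 in the next hunk is the unbraced `if (!optarg) FATAL("Wrong usage of -t");`. The surrounding one-line guards (`if (mem_limit_given) FATAL(...)`, `if (timeout_given) FATAL(...)`) are unbraced, so one form should be used for both, with parallel wording such as `FATAL("Bad syntax used for -t")`. If -m and -t are declared with a required argument in the getopt string (not visible here), optarg cannot be NULL on these paths; if the check is meant as a defensive measure a short comment saying so would stop a later reader from treating it as a live case. The enclosing main() starts and ends outside both hunks.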
@@ -938,6 +940,8 @@ int main(int argc, char **argv, char **envp) {
if (timeout_given) FATAL("Multiple -t options not supported");
timeout_given = 1;
+ if (!optarg) FATAL("Wrong usage of -t");
+
exec_tmout = atoi(optarg);
if (exec_tmout < 10 || optarg[0] == '-')
diff --git a/src/afl-common.c b/src/afl-common.c
index 7eba6ae4..1ac1a2f3 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -292,11 +292,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
*rsl = 0;
cp = alloc_printf("%s/afl-qemu-trace", own_copy);
- ck_free(own_copy);
- if (!access(cp, X_OK)) {
+ if (cp && !access(cp, X_OK)) {
- if (cp != NULL) ck_free(cp);
+ ck_free(cp);
cp = alloc_printf("%s/afl-wine-trace", own_copy);
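Review bot: The guard added at L59 (`cp && !access(cp, X_OK)`) protects the first alloc_printf result, but the second result assigned at L62 flows to the code past the hunk; unless that stretch applies the same NULL check before its access() call, the two allocations are treated inconsistently and the new guard only half-closes the gap it targets. If alloc_printf can never return NULL (it aborts on failure), the L59 check is dead and a one-line comment should say so, otherwise the L62 use needs the same `cp &&` guard. The enclosing get_wine_argv() starts and ends outside this hunk.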
@@ -309,10 +308,14 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
}
- } else
+ ck_free(own_copy);
+
+ } else {
ck_free(own_copy);
+ }
+
u8 *ncp = BIN_PATH "/afl-qemu-trace";
if (!access(ncp, X_OK)) {
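Review bot: `ck_free(own_copy);` now appears on both sides of the if/else (L66 and L69), which is the same statement executed unconditionally; hoist it to a single `ck_free(own_copy);` after the closing brace and drop the else block entirely, so the release point of own_copy is visible in one place. The enclosing get_wine_argv() starts outside this hunk.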
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 28f664fa..f647ff5d 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -365,9 +365,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
kill(fsrv->fsrv_pid, SIGKILL);
} else {
-
+
rlen = 4;
-
+
}
} else {
@@ -455,7 +455,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
- len = status;
offset = 0;
while (offset < status && (u8)dict[offset] + offset < status) {
@@ -631,10 +630,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
- if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL);
- if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL);
+ if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL);
+ if (fsrv->fsrv_pid > 0) {
+
+ kill(fsrv->fsrv_pid, SIGKILL);
if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); }
+ }
+
}
void afl_fsrv_killall() {
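Review bot: After the SIGKILL/waitpid at L100-L101, `fsrv->fsrv_pid` and `fsrv->child_pid` still hold the old pids, so a second afl_fsrv_kill() on the same forkserver (or afl_fsrv_killall() running after an earlier kill) would send SIGKILL to pids that the kernel may have handed to an unrelated process. Reset both fields once the kill is done, e.g. `fsrv->fsrv_pid = 0;` after the waitpid and `fsrv->child_pid = 0;` after the kill at L97 — the existing `> 0` guards already treat 0 as "no process". The return value of kill() at L97 and L100 is also ignored; at minimum an ESRCH result is worth a WARNF like the waitpid failure already gets.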
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index b6a494db..a0a720fa 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -535,7 +535,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (unlikely(len == 0)) return 0;
u8 *queue_fn = "";
- u8 hnb;
+ u8 hnb = '\0';
s32 fd;
u8 keeping = 0, res;
@@ -718,9 +718,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
// if the user wants to be informed on new crashes - do that
#if !TARGET_OS_IPHONE
- if (system(afl->infoexec) == -1)
- hnb += 0; // we dont care if system errors, but we dont want a
- // compiler warning either
+ // we dont care if system errors, but we dont want a
+ // compiler warning either
+ // See
+ // https://stackoverflow.com/questions/11888594/ignoring-return-values-in-c
+ (void)(system(afl->infoexec) + 1);
#else
WARNF("command execution unsupported");
#endif
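Review bot: `(void)(system(afl->infoexec) + 1);` at L127 works, but the reason it is needed is not stated — glibc marks system() warn_unused_result under _FORTIFY_SOURCE, which a bare `(void)` cast does not silence, so the arithmetic is purely a warning dodge. A self-explaining form is `int rc = system(afl->infoexec); (void)rc; /* best effort: exit status deliberately ignored */`, which keeps the intent readable without the external link in the comment. Since system() hands the string to /bin/sh, the comment should also record that infoexec is operator-supplied configuration (presumably from the environment, not visible here) and must never be built from test-case or target-derived data.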
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 55146dd9..c366cc5b 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -130,6 +130,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr);
+ if (!wptr) PFATAL("no mem for data");
+
while (*lptr) {
char *hexdigits = "0123456789abcdef";
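Review bot: The new check at L137 uses PFATAL, which reports strerror(errno), but if ck_alloc keeps the original AFL behaviour of returning NULL for a zero-size request then a token with `rptr == lptr` trips this path with an unrelated errno and the message "no mem for data" misdescribes what happened. Either test the length explicitly before allocating, `if (rptr == lptr) FATAL("empty extra at line %u", cur_line);` (use whatever line counter the function keeps), or make the message state both possibilities. If ck_alloc already aborts on allocation failure, the check only ever fires for the zero-length case and the comment should say so. The enclosing load_extras_file() starts and ends outside this hunk.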
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 54cc81ef..10417da6 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2178,6 +2178,8 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {
u32 l = strlen(argv[i]);
+ if (!argv[i] || !buf) FATAL("null deref detected");
+
memcpy(buf, argv[i], l);
buf += l;
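Review bot: The NULL check at L147 comes one statement too late — `strlen(argv[i])` at L146 has already dereferenced argv[i] before `!argv[i]` is tested, so the guard cannot prevent the crash it is named for. Move it above the strlen: `if (!argv[i] || !buf) FATAL("null argv entry or buffer in save_cmdline");` then `u32 l = strlen(argv[i]);`. The message "null deref detected" is also misleading once the order is fixed, since the point is to refuse the input, not to detect a dereference after the fact. The enclosing save_cmdline() starts and ends outside this hunk.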
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 4a039a1d..65075db4 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -3604,7 +3604,6 @@ pacemaker_fuzzing:
}
s32 temp_len_puppet;
- cur_ms_lv = get_cur_time();
// for (; afl->swarm_now < swarm_num; ++afl->swarm_now)
{
@@ -4178,8 +4177,6 @@ pacemaker_fuzzing:
afl->orig_hit_cnt_puppet))) {
afl->key_puppet = 0;
- cur_ms_lv = get_cur_time();
- new_hit_cnt = afl->queued_paths + afl->unique_crashes;
afl->orig_hit_cnt_puppet = 0;
afl->last_limit_time_start = 0;
@@ -4388,7 +4385,7 @@ void pso_updating(afl_state_t *afl) {
u8 fuzz_one(afl_state_t *afl) {
- int key_val_lv = 0;
+ int key_val_lv_1 = 0, key_val_lv_2 = 0;
#ifdef _AFL_DOCUMENT_MUTATIONS
@@ -4408,22 +4405,22 @@ u8 fuzz_one(afl_state_t *afl) {
#endif
- if (afl->limit_time_sig == 0) {
+ // if limit_time_sig == -1 then both are run after each other
- key_val_lv = fuzz_one_original(afl);
+ if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); }
- } else {
+ if (afl->limit_time_sig != 0) {
if (afl->key_module == 0)
- key_val_lv = pilot_fuzzing(afl);
+ key_val_lv_2 = pilot_fuzzing(afl);
else if (afl->key_module == 1)
- key_val_lv = core_fuzzing(afl);
+ key_val_lv_2 = core_fuzzing(afl);
else if (afl->key_module == 2)
pso_updating(afl);
}
- return key_val_lv;
+ return (key_val_lv_1 | key_val_lv_2);
#undef BUF_PARAMS
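Review bot: `return (key_val_lv_1 | key_val_lv_2);` at L191 merges the two stage results without saying what the combined value means to the caller — with the OR, a non-zero from either stage makes the whole call non-zero, which may or may not be the intended "skipped" semantics when both stages run under `limit_time_sig == -1`. Add a comment above the return stating the contract, for instance `// non-zero if either stage reported it did not fuzz the entry; callers only test for zero` (confirm against the call site in afl-fuzz.c). Note also that the `key_module == 2` branch at L187-L188 leaves key_val_lv_2 at 0, which the comment should mention as deliberate if it is. fuzz_one() starts in the previous hunk, outside this one.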
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 346c2639..5eb110d0 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -438,6 +438,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
}
+ if (unlikely(!n_paths)) FATAL("Queue state corrupt");
+
fuzz_mu = fuzz_total / n_paths;
if (fuzz <= fuzz_mu) {
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index ba24890b..9a9de02a 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -115,7 +115,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
afl->stage_short = "colorization";
afl->stage_max = 1000;
- struct range *rng;
+ struct range *rng = NULL;
afl->stage_cur = 0;
while ((rng = pop_biggest_range(&ranges)) != NULL &&
afl->stage_cur < afl->stage_max) {
@@ -146,6 +146,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
empty_range:
ck_free(rng);
+ rng = NULL;
++afl->stage_cur;
}
@@ -162,6 +163,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
rng = ranges;
ranges = ranges->next;
ck_free(rng);
+ rng = NULL;
}
@@ -201,9 +203,12 @@ checksum_fail:
rng = ranges;
ranges = ranges->next;
ck_free(rng);
+ rng = NULL;
}
+ // TODO: clang notices a _potential_ leak of mem pointed to by rng
+
return 1;
}
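Review bot: The comment at L233 records an analyzer finding without saying which allocation clang believes leaks or on which path, so it documents a worry rather than a fact; the `rng = NULL` stores added at L218, L225 and L231 are overwritten by the next `rng = ranges;` / pop_biggest_range() assignment before any read, so they are harmless hygiene but do not address the reported leak. Replace the TODO with a statement of what was checked, e.g. `// clang-analyzer reports a possible leak of the range popped in the loop above; the empty_range path frees it and the list is drained at checksum_fail, so this is believed to be a false positive` — adjusted to whatever the actual verification found. The enclosing colorization() starts outside this hunk.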
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 1ddd7e1a..514ba9ef 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -49,7 +49,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
memset(fsrv->trace_bits, 0, fsrv->map_size);
MEM_BARRIER();
-
+
/* we have the fork server (or faux server) up and running, so simply
tell it to have at it, and then read back PID. */
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 2e680dbb..d48dd5e3 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -56,7 +56,6 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
bitmap_cvg = afl->last_bitmap_cvg;
stability = afl->last_stability;
- eps = afl->last_eps;
} else {
@@ -388,9 +387,9 @@ void show_stats(afl_state_t *afl) {
/* Lord, forgive me this. */
- SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
+ SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
- " overall results " bSTG bH2 bH2 bRT "\n");
+ " overall results " bSTG bH2 bH2 bRT "\n");
if (afl->dumb_mode) {
@@ -472,9 +471,9 @@ void show_stats(afl_state_t *afl) {
" uniq hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp);
- SAYF(bVR bH bSTOP cCYA
+ SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
- " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
+ " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to
@@ -504,9 +503,9 @@ void show_stats(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
- SAYF(bVR bH bSTOP cCYA
+ SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
- " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
+ " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths);
@@ -580,7 +579,7 @@ void show_stats(afl_state_t *afl) {
/* Aaaalmost there... hold on! */
- SAYF(bVR bH cCYA bSTOP
+ SAYF(bVR bH cCYA bSTOP
" fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
" path geometry " bSTG bH5 bH2 bVL "\n");
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2320be5a..07067691 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -109,12 +109,12 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
"Mutator settings:\n"
" -R[R] - add Radamsa as mutator, add another -R to exclusivly "
"run it\n"
- " -L minutes - use MOpt(imize) mode and set the limit time for "
+ " -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n"
- " pacemaker mode (minutes of no new paths, 0 = "
- "immediately).\n"
- " a recommended value is 10-60. see "
- "docs/README.MOpt.md\n"
+ " pacemaker mode (minutes of no new paths). 0 = "
+ "immediately,\n"
+ " -1 = immediately and together with normal mutation).\n"
+ " See docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for "
"it.\n"
" if using QEMU, just use -c 0.\n\n"
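Review bot: The new usage text at L305-L307 has an unbalanced parenthesis — the `(minutes of no new paths)` group is closed at L305, so the `)` after "normal mutation" at L307 has no opening partner and the help output reads `... together with normal mutation).`. Change L307 to `" -1 = immediately and together with normal mutation.\n"`. The enclosing usage() starts and ends outside this hunk.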
@@ -553,20 +553,33 @@ int main(int argc, char **argv_orig, char **envp) {
case 'L': { /* MOpt mode */
if (afl->limit_time_sig) FATAL("Multiple -L options not supported");
- afl->limit_time_sig = 1;
afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
- if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 ||
- optarg[0] == '-')
+ if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1)
FATAL("Bad syntax used for -L");
+ if (afl->limit_time_puppet == -1) {
+
+ afl->limit_time_sig = -1;
+ afl->limit_time_puppet = 0;
+
+ } else if (afl->limit_time_puppet < 0) {
+
+ FATAL("-L value must be between 0 and 2000000 or -1");
+
+ } else {
+
+ afl->limit_time_sig = 1;
+
+ }
+
u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
if (limit_time_puppet2 < afl->limit_time_puppet)
FATAL("limit_time overflow");
afl->limit_time_puppet = limit_time_puppet2;
- SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet);
+ SAYF("limit_time_puppet %d\n", afl->limit_time_puppet);
afl->swarm_now = 0;
if (afl->limit_time_puppet == 0) afl->key_puppet = 1;
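Review bot: `u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;` at L336 now multiplies in int (the `%d` at L319 and L341 imply limit_time_puppet became a signed int), so any value above INT_MAX/60000 (about 35791 minutes) is signed overflow before the widening to u64, and the wrap check at L337 cannot catch it because the behaviour is undefined rather than a wrap. Widen first, `u64 limit_time_puppet2 = (u64)afl->limit_time_puppet * 60 * 1000;`, and enforce the bound the message at L328 already promises with `else if (afl->limit_time_puppet > 2000000) FATAL("-L value must be between 0 and 2000000 or -1");`. Even with that, 2000000 minutes in milliseconds does not fit back into an int at L339, so if the field really is int the accepted maximum has to be lower than the message states, or the field must stay 64-bit. The `-1` sentinel is also only recognised when sscanf parses it, so trailing garbage such as `-1x` still passes; strtol with an end-pointer check would reject it. main() starts and ends outside this hunk.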
@@ -701,11 +714,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->use_radamsa) {
- if (afl->limit_time_sig)
+ if (afl->limit_time_sig > 0)
FATAL(
- "MOpt and Radamsa are mutually exclusive. We accept pull requests "
- "that integrates MOpt with the optional mutators "
- "(custom/radamsa/redquenn/...).");
+ "MOpt and Radamsa are mutually exclusive unless you specify -L -1. "
+ "We accept pull requests that integrates MOpt with the optional "
+ "mutators (custom/radamsa/redqueen/...).");
+
+ if (afl->limit_time_sig && afl->use_radamsa > 1)
+ FATAL("Radamsa in radamsa-only mode can not run together with -L");
OKF("Using Radamsa add-on");
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 9db84e77..eea1cc95 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -67,6 +67,7 @@ list_t shm_list = {.element_prealloc_count = 0};
void afl_shm_deinit(sharedmem_t *shm) {
+ // TODO: clang reports a potential UAF in this function/makro(?)
list_remove(&shm_list, shm);
#ifdef USEMMAP
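Review bot: The TODO at L365 records that clang sees a potential use-after-free but not which object or path, so the next reader cannot act on it; if the suspicion is that the removed atexit handler (L370-L377, L384 in the following hunks) ran afl_shm_deinit on an `shm` already freed with its owning state, the comment should say exactly that. With the atexit registration gone, every exit path must now call afl_shm_deinit itself — if that is not guaranteed (the callers are not visible here), the non-USEMMAP SysV segments outlive the process and accumulate until removed by hand, which is a real resource leak on long fuzzing hosts. A comment on afl_shm_init stating who is responsible for deinit would make the new ownership rule explicit.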
@@ -93,14 +94,6 @@ void afl_shm_deinit(sharedmem_t *shm) {
}
-/* At exit, remove all leftover maps */
-
-void afl_shm_atexit(void) {
-
- LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); });
-
-}
-
/* Configure shared memory.
Returns a pointer to shm->map for ease of use.
*/
@@ -207,7 +200,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
#endif
list_append(&shm_list, shm);
- atexit(afl_shm_atexit);
return shm->map;
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index c84fa36c..3fcc1d2b 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -59,9 +59,9 @@
#include <sys/types.h>
#include <sys/resource.h>
-char *stdin_file; /* stdin file */
+static char *stdin_file; /* stdin file */
-u8 *in_dir, /* input folder */
+static u8 *in_dir, /* input folder */
*at_file = NULL; /* Substitution string for @@ */
static u8 *in_data; /* Input data */
@@ -71,7 +71,7 @@ static u32 total, highest; /* tuple content information */
static u32 in_len, /* Input data length */
arg_offset, total_execs; /* Total number of execs */
-u8 quiet_mode, /* Hide non-essential messages? */
+static u8 quiet_mode, /* Hide non-essential messages? */
edges_only, /* Ignore hit counts? */
raw_instr_output, /* Do not apply AFL filters */
cmin_mode, /* Generate output in afl-cmin mode? */
@@ -983,7 +983,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (!quiet_mode) OKF("Processed %u input files.", total_execs);
closedir(dir_in);
- closedir(dir_out);
+ if (dir_out) closedir(dir_out);
} else {
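Review bot: `if (dir_out) closedir(dir_out);` at L411 is guarded while `closedir(dir_in);` at L409 is not, and the hunk gives no hint of when dir_out can be NULL in this branch; a trailing comment such as `/* dir_out is NULL when <condition> */` (fill in the actual condition from the opening code, which is outside this hunk) would document the asymmetry instead of leaving it to be rediscovered. Both closedir() return values are ignored, which is acceptable for read-only directory handles but worth a word in the same comment. main() starts and ends outside this hunk.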
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 3be6b2c0..31fad1df 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -60,7 +60,7 @@
static u8 *mask_bitmap; /* Mask for trace bits (-B) */
-u8 *in_file, /* Minimizer input test case */
+static u8 *in_file, /* Minimizer input test case */
*output_file; /* Minimizer output file */
static u8 *in_data; /* Input data for trimming */
@@ -72,7 +72,7 @@ static u32 in_len, /* Input data length */
missed_crashes, /* Misses due to crashes */
missed_paths; /* Misses due to exec path diffs */
-u8 crash_mode, /* Crash-centric mode? */
+static u8 crash_mode, /* Crash-centric mode? */
hang_mode, /* Minimize as long as it hangs */
exit_crash, /* Treat non-zero exit as crash? */
edges_only, /* Ignore hit counts? */