enhanced radamsa integration

3 files changed, 93 insertions, 65 deletions

diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 5a53de4d..d10c1922 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -483,6 +483,9 @@ u8 fuzz_one_original(char** argv) {
 
   if (perf_score == 0) goto abandon_entry;
 
+  if (use_radamsa > 1)
+    goto radamsa_stage;
+
   if (custom_mutator) {
 
     stage_short = "custom";
@@ -540,22 +543,30 @@ u8 fuzz_one_original(char** argv) {
        perf_score < (queue_cur->depth * 30 <= havoc_max_mult * 100
                          ? queue_cur->depth * 30
                          : havoc_max_mult * 100)) ||
-      queue_cur->passed_det)
+      queue_cur->passed_det) {
+    if (use_radamsa > 1)
+      goto radamsa_stage;
+    else
 #ifdef USE_PYTHON
-    goto python_stage;
+      goto python_stage;
 #else
-    goto havoc_stage;
+      goto havoc_stage;
 #endif
+  }
 
   /* Skip deterministic fuzzing if exec path checksum puts this out of scope
      for this master instance. */
 
-  if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1)
+  if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) {
+    if (use_radamsa > 1)
+      goto radamsa_stage;
+    else
 #ifdef USE_PYTHON
-    goto python_stage;
+      goto python_stage;
 #else
-    goto havoc_stage;
+      goto havoc_stage;
 #endif
+  }
 
   doing_det = 1;
 
@@ -1731,61 +1742,11 @@ havoc_stage:
 
   for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
 
-    if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
-  
-      u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
-      u8* new_buf = ck_alloc_nozero(max_len);
-      
-      u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
-      
-      if (new_len) {
-      
-        temp_len = new_len;
-        ck_free(out_buf);
-        out_buf = new_buf;
-      
-      } else {
-      
-        ck_free(new_buf);
-      
-      }
-  
-      goto havoc_run_point;
-    
-    }
-
     u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2));
 
     stage_cur_val = use_stacking;
 
     for (i = 0; i < use_stacking; ++i) {
-    
-      /*if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
-      
-        // Ramdsa stage stacked with the AFL havoc mutations.
-        // This is very slow, I maintain the commendted code for future or
-        // particular uses.
-      
-        u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
-        u8* new_buf = ck_alloc_nozero(max_len);
-        
-        u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
-        
-        if (new_len) {
-        
-          temp_len = new_len;
-          ck_free(out_buf);
-          out_buf = new_buf;
-        
-        } else {
-        
-          ck_free(new_buf);
-        
-        }
-          
-        continue;
-      
-      }*/
 
       switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
 
@@ -2161,8 +2122,6 @@ havoc_stage:
 
     }
 
-havoc_run_point:
-
     if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry;
 
     /* out_buf might have been mangled a bit, so let's restore it to its
@@ -2307,10 +2266,13 @@ retry_splicing:
     out_buf = ck_alloc_nozero(len);
     memcpy(out_buf, in_buf, len);
 
+    if (use_radamsa > 1)
+      goto radamsa_stage;
+    else
 #ifdef USE_PYTHON
-    goto python_stage;
+      goto python_stage;
 #else
-    goto havoc_stage;
+      goto havoc_stage;
 #endif
 
   }
@@ -2318,7 +2280,67 @@ retry_splicing:
 #endif                                                     /* !IGNORE_FINDS */
 
   ret_val = 0;
+  goto radamsa_stage;
+
+
+radamsa_stage:
+
+  if (!use_radamsa)
+    goto abandon_entry;
+  
+  stage_name = "radamsa";
+  stage_short = "radamsa";
+  stage_max = (HAVOC_CYCLES * perf_score / havoc_div / 100) << use_radamsa;
+  
+  if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
+  
+  orig_hit_cnt = queued_paths + unique_crashes;
+  
+  /* Read the additional testcase into a new buffer. */
+  u8 *save_buf = ck_alloc_nozero(len);
+  memcpy(save_buf, out_buf, len);
+ 
+  u32 max_len = len + choose_block_len(HAVOC_BLK_XL);
+  u8* new_buf = ck_alloc_nozero(max_len);
+  u8 *tmp_buf;
+
+  for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
+  u32 new_len = radamsa_mutate(save_buf, len, new_buf, max_len, get_rand_seed());
+
+    if (new_len) {
+     
+      temp_len = new_len;
+      tmp_buf = new_buf;
+
+    } else {
+
+      tmp_buf = save_buf; // nope but I dont care
+      temp_len = len;
+
+    }
+
+    if (common_fuzz_stuff(argv, tmp_buf, temp_len)) {
+
+      ck_free(save_buf);
+      ck_free(new_buf);
+      goto abandon_entry;
+
+    }
+  
+  }
+
+  ck_free(save_buf);
+  ck_free(new_buf);
+  
+  new_hit_cnt = queued_paths + unique_crashes;
+ 
+  stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt;
+  stage_cycles[STAGE_RADAMSA] += stage_max;
+
+  ret_val = 0;
+  goto abandon_entry;
 
+/* we are through with this queue entry - for this iteration */
 abandon_entry:
 
   splicing_with = -1;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index f1bc1c8a..7f749511 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -576,10 +576,11 @@ void show_stats(void) {
                 "  imported : " cRST "%-10s" bSTG       bV "\n",
        tmp, sync_id ? DI(queued_imported) : (u8*)"n/a");
 
-  sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]),
+  sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]),
           DI(stage_cycles[STAGE_HAVOC]), DI(stage_finds[STAGE_SPLICE]),
           DI(stage_cycles[STAGE_SPLICE]), DI(stage_finds[STAGE_PYTHON]),
-          DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
+          DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_RADAMSA]),
+          DI(stage_cycles[STAGE_RADAMSA]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
           DI(stage_cycles[STAGE_CUSTOM_MUTATOR]));
 
   SAYF(bV bSTOP "havoc/custom : " cRST "%-36s " bSTG bV bSTOP, tmp);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index d5dfa7cc..14462fb7 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -55,7 +55,10 @@ static void usage(u8* argv0) {
       "  -m megs       - memory limit for child process (%d MB)\n"
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
-      "  -W            - use qemu-based instrumentation with Wine (Wine mode)\n"
+      "  -W            - use qemu-based instrumentation with Wine (Wine mode)\n\n"
+
+      "Mutator settings:\n"
+      "  -R[R]         - add Radamsa as mutator, add another -R to exclusivly run it\n"
       "  -L minutes    - use MOpt(imize) mode and set the limit time for "
       "entering the\n"
       "                  pacemaker mode (minutes of no new paths, 0 = "
@@ -514,8 +517,10 @@ int main(int argc, char** argv) {
      
       case 'R':
       
-        if (use_radamsa) FATAL("Multiple -R options not supported");
-        use_radamsa = 1;
+        if (use_radamsa)
+          use_radamsa = 2;
+        else
+          use_radamsa = 1;
 
         break;