author | van Hauser <vh@thc.org> | 2022-08-03 11:08:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-03 11:08:10 +0200 |
commit | a2f3c3ee519c19935039d1fe1e8b77cdc32fa375 (patch) | |
tree | 3a0007a3e8a07b58c4bef927d9c52e0043aa8466 /src | |
parent | c57988e672634ee98048eba6432cc1f4e377e07c (diff) | |
parent | 6056d4b140f0665c6a701cada9166379be3435ac (diff) | |
download | afl++-a2f3c3ee519c19935039d1fe1e8b77cdc32fa375.tar.gz |
Merge pull request #1478 from AFLplusplus/dev
Push to stable
Diffstat (limited to 'src')
-rw-r--r-- | src/afl-fuzz-bitmap.c | 15 | ||||
-rw-r--r-- | src/afl-fuzz-cmplog.c | 13 | ||||
-rw-r--r-- | src/afl-fuzz-mutators.c | 18 | ||||
-rw-r--r-- | src/afl-fuzz-python.c | 11 | ||||
-rw-r--r-- | src/afl-fuzz-run.c | 85 | ||||
-rw-r--r-- | src/afl-fuzz-state.c | 20 | ||||
-rw-r--r-- | src/afl-fuzz.c | 4 |
7 files changed, 115 insertions, 51 deletions
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 089f7bb5..b3a10bb7 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -647,8 +647,19 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->fsrv.exec_tmout < afl->hang_tmout) { - u8 new_fault; - len = write_to_testcase(afl, &mem, len, 0); + u8 new_fault; + u32 tmp_len = write_to_testcase(afl, &mem, len, 0); + + if (likely(tmp_len)) { + + len = tmp_len; + + } else { + + len = write_to_testcase(afl, &mem, len, 1); + + } + new_fault = fuzz_run_target(afl, &afl->fsrv, afl->hang_tmout); classify_counts(&afl->fsrv); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 258d9ea7..d0c829e2 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -47,9 +47,18 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { - u8 fault; + u8 fault; + u32 tmp_len = write_to_testcase(afl, (void **)&out_buf, len, 0); - write_to_testcase(afl, (void **)&out_buf, len, 0); + if (likely(tmp_len)) { + + len = tmp_len; + + } else { + + len = write_to_testcase(afl, (void **)&out_buf, len, 1); + + } fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index dd97a7d3..b9daebfa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
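Review bot: The fallback `len = write_to_testcase(afl, &mem, len, 1);` runs the whole custom post-processing chain a second time on the same input only to obtain a dummy run, which doubles the post-processing cost for every discarded mutation and silently assumes every afl_custom_post_process hook is idempotent; common_fuzz_cmplog_stuff in the afl-fuzz-cmplog.c hunk has the identical fallback. Judging by the `new_size = len` branch in the afl-fuzz-run.c hunk, the fix=1 call then returns the original `len`, so the hang re-check executes the unprocessed input rather than a post-processed one, and a comment on the `else` such as `// post-processing dropped the input: run the unmodified buffer once (fix = 1) so the hang check still happens` would save the next reader from reverse-engineering the `fix` flag. save_if_interesting begins and ends outside the hunk.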
@@ -430,13 +430,21 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, retlen = write_to_testcase(afl, (void **)&retbuf, retlen, 0); - fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); - ++afl->trim_execs; + if (unlikely(!retlen)) { + + ++afl->trim_execs; + + } else { - if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + ++afl->trim_execs; - classify_counts(&afl->fsrv); - cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } + + classify_counts(&afl->fsrv); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + + } } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index a3d864c3..a43d80bb 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -535,7 +535,16 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, Py_DECREF(py_value); - *out_buf = (u8 *)py->post_process_buf.buf; + if (unlikely(py->post_process_buf.len == 0)) { + + *out_buf = NULL; + + } else { + + *out_buf = (u8 *)py->post_process_buf.buf; + + } + return py->post_process_buf.len; } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 0f3be1a7..c0e72ae6 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
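Review bot: In the new `if (unlikely(!retlen))` branch `++afl->trim_execs` is incremented although fuzz_run_target is not called, so the counter no longer reflects target executions; if it is meant to count executions the increment belongs only in the `else` branch, and if it is meant as a progress counter a one-line comment such as `// counts trim rounds, not target runs` would settle the question. The same branch also leaves `cksum` at the value computed in the previous loop iteration (or its initial value on the first one), so whatever compares `cksum` with `q->exec_cksum` after this hunk must also test `retlen`, otherwise an empty post-processed result could be accepted as a successful trim with `q->len` set to 0 — the trailing context `}` suggests the run is wrapped in a guarded block and such a check may follow, but it is outside the hunk. trim_case_custom starts and ends outside the hunk.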
@@ -76,24 +76,6 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { u32 __attribute__((hot)) write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { -#ifdef _AFL_DOCUMENT_MUTATIONS - s32 doc_fd; - char fn[PATH_MAX]; - snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, - afl->document_counter++, - describe_op(afl, 0, NAME_MAX - strlen("000000000:"))); - - if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >= - 0) { - - if (write(doc_fd, *mem, len) != len) - PFATAL("write to mutation file failed: %s", fn); - close(doc_fd); - - } - -#endif - if (unlikely(afl->custom_mutators_count)) { ssize_t new_size = len; @@ -107,19 +89,38 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { new_size = el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); - if (unlikely(!new_buf && new_size <= 0)) { + if (unlikely(!new_buf || new_size <= 0)) { - FATAL("Custom_post_process failed (ret: %lu)", - (long unsigned)new_size); + new_size = 0; + new_buf = new_mem; + // FATAL("Custom_post_process failed (ret: %lu)", (long + // unsigned)new_size); - } + } else { - new_mem = new_buf; + new_mem = new_buf; + + } } }); + if (unlikely(!new_size)) { + + // perform dummy runs (fix = 1), but skip all others + if (fix) { + + new_size = len; + + } else { + + return 0; + + } + + } + if (unlikely(new_size < afl->min_length && !fix)) { new_size = afl->min_length; @@ -153,6 +154,24 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { } +#ifdef _AFL_DOCUMENT_MUTATIONS + s32 doc_fd; + char fn[PATH_MAX]; + snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, + afl->document_counter++, + describe_op(afl, 0, NAME_MAX - strlen("000000000:"))); + + if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >= + 0) { + + if (write(doc_fd, *mem, len) != len) + PFATAL("write to mutation file failed: %s", fn); + close(doc_fd); + + } + +#endif + return len; } 
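Review bot: In the new `if (unlikely(!new_size))` block the fix branch restores `new_size = len` but not the buffer that `len` belongs to: with more than one custom mutator registered, an earlier hook may already have set `new_mem = new_buf` to its own, possibly shorter, output before a later hook fails and zeroes `new_size`, and the code after the hunk presumably copies `new_size` bytes from `new_mem`, which would then read past the end of that buffer. Restoring both together, `new_mem = *mem; new_size = len;` (new_mem presumably starts out as `*mem`), keeps pointer and length consistent; alternatively stop the LIST_FOREACH chain at the first empty result, since later hooks are otherwise invoked with a zero-length input. The commented-out `// FATAL("Custom_post_process failed ...` should be deleted rather than kept (it is repeated in the write_with_gap hunk); if the old behaviour is worth remembering, `// an empty or NULL result now discards the mutation instead of aborting` says it in one line. Since an empty result is no longer fatal, the afl_custom_post_process contract in the custom-mutator documentation needs the corresponding sentence. write_to_testcase continues outside the hunk.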
@@ -207,14 +226,18 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at, new_size = el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); - if (unlikely(!new_buf || new_size <= 0)) { + if (unlikely(!new_buf && new_size <= 0)) { - FATAL("Custom_post_process failed (ret: %lu)", - (long unsigned)new_size); + new_size = 0; + new_buf = new_mem; + // FATAL("Custom_post_process failed (ret: %lu)", (long + // unsigned)new_size); - } + } else { - new_mem = new_buf; + new_mem = new_buf; + + } } @@ -969,7 +992,11 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - len = write_to_testcase(afl, (void **)&out_buf, len, 0); + if (unlikely(len = write_to_testcase(afl, (void **)&out_buf, len, 0)) == 0) { + + return 0; + + } fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index cc4138ae..ddfd4b31 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -518,16 +518,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_no_crash_readme = atoi((u8 *)get_afl_env(afl_environment_variables[i])); - if (afl->afl_env.afl_pizza_mode == 0) { - - afl->afl_env.afl_pizza_mode = 1; - - } else { - - afl->pizza_is_served = 1; - - } - } else if (!strncmp(env, "AFL_SYNC_TIME", afl_environment_variable_len)) { @@ -607,6 +597,16 @@ void read_afl_environment(afl_state_t *afl, char **envp) { } + if (afl->afl_env.afl_pizza_mode == 0) { + + afl->afl_env.afl_pizza_mode = 1; + + } else { + + afl->pizza_is_served = 1; + + } + if (issue_detected) { sleep(2); } } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 287f09df..2e151abb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
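Review bot: The failure test in write_with_gap is changed to `!new_buf && new_size <= 0` while the same test in write_to_testcase (previous hunk) is changed to `!new_buf || new_size <= 0`, so the two writers now disagree: here a hook returning a NULL buffer with a positive size, or a non-NULL buffer with size 0, takes the `else` branch and becomes `new_mem = new_buf`. The post_process_py hunk returns exactly NULL with length 0, which both forms catch, but a C hook returning NULL with n > 0 would leave a NULL `new_mem` on this path. Using `||` here as well, `if (unlikely(!new_buf || new_size <= 0)) {`, keeps both writers on the same contract. As in write_to_testcase, the commented-out FATAL should be deleted rather than kept as a comment. write_with_gap begins and ends outside the hunk.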
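Review bot: In `if (unlikely(len = write_to_testcase(afl, (void **)&out_buf, len, 0)) == 0)` the `== 0` sits outside the `unlikely()` macro, so the branch hint is applied to the assignment's truth value and the comparison is made against the macro's result; if `unlikely(x)` expands to `__builtin_expect(!!(x), 0)` as it usually does, the condition still evaluates correctly (`!!len == 0` is true exactly when len is 0), but the compiler is told that a zero length is the expected case, the reverse of what was meant. The intended form is `if (unlikely((len = write_to_testcase(afl, (void **)&out_buf, len, 0)) == 0)) {`, and a comment `// custom post-processing discarded the input: nothing to run` would explain why the skip is a non-error `return 0`. Note that this function skips the run entirely while save_if_interesting and common_fuzz_cmplog_stuff in this commit fall back to a fix=1 dummy run; if the difference is deliberate it deserves a comment. common_fuzz_stuff begins and ends outside the hunk.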
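Review bot: The relocated `if (afl->afl_env.afl_pizza_mode == 0)` block treats 0 as "not set" and promotes it to 1; if AFL_PIZZA_MODE is parsed with atoi like the AFL_NO_CRASH_README branch above, an explicit `AFL_PIZZA_MODE=0` is indistinguishable from an unset variable and also ends up as mode 1, which is worth either confirming or documenting. The block also carries no comment on what mode 1 and `pizza_is_served` mean; a one-line comment on the `if` stating the two states (the real semantics are not visible in this hunk) would help the next reader. read_afl_environment continues outside the hunk.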
@@ -167,8 +167,8 @@ static void usage(u8 *argv0, int more_help) { " See docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" - " if using QEMU/FRIDA or if you the fuzzing target is " - "compiled" + " if using QEMU/FRIDA or the fuzzing target is " + "compiled\n" " for CmpLog then just use -c 0.\n" " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" " 1=small files, 2=larger files (default), 3=all " |