-rw-r--r--Makefile2
-rw-r--r--qemu_mode/patches/afl-qemu-cpu-inl.h4
-rw-r--r--src/afl-fuzz-redqueen.c50
3 files changed, 54 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index 13be4ec9..70eac6b9 100644
--- a/Makefile
+++ b/Makefile
@@ -57,7 +57,7 @@ ifneq "$(shell uname -m)" "x86_64"
 endif
 
 CFLAGS     ?= -O3 -funroll-loops $(CFLAGS_OPT)
-CFLAGS     += -Wall -g -Wno-pointer-sign -I include/ \
+override CFLAGS     += -Wall -g -Wno-pointer-sign -I include/ \
               -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
               -DDOC_PATH=\"$(DOC_PATH)\" -Wno-unused-function
 
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 0ae6364b..9a98fde3 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -368,8 +368,10 @@ static void afl_forkserver(CPUState *cpu) {
 
     if (WIFSTOPPED(status))
       child_stopped = 1;
-    else if (unlikely(first_run && is_persistent))
+    else if (unlikely(first_run && is_persistent)) {
+      fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n");
       exit(12);  // Persistent is wrong
+    }
     first_run = 0;
 
     if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
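Review bot: The new else-if branch is braced while the preceding `if (WIFSTOPPED(status)) child_stopped = 1;` on the line above it is not, which leaves the if/else-if chain mixing styles; brace the first branch too, `if (WIFSTOPPED(status)) { child_stopped = 1; }`, so the pair reads consistently and cannot pick up a dangling-statement bug on a later edit. The diagnostic itself is a good addition, since a bare exit(12) gave the user nothing to act on. afl_forkserver begins outside the hunk.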
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 6fb1964f..bac7357e 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -122,6 +122,9 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
   while ((rng = pop_biggest_range(&ranges)) != NULL && stage_cur) {
 
     u32 s = rng->end - rng->start;
+    if (s == 0)
+      goto empty_range;
+    
     memcpy(backup, buf + rng->start, s);
     rand_replace(buf + rng->start, s);
 
@@ -136,6 +139,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
 
     } else needs_write = 1;
 
+empty_range:
     ck_free(rng);
     --stage_cur;
 
@@ -298,6 +302,44 @@ u8 cmp_extend_encoding(struct cmp_header* h, u64 pattern, u64 repl, u32 idx,
 
 }
 
+void try_to_add_to_dict(u64 v, u8 shape) {
+
+  u8* b = (u8*)&v;
+  
+  u32 k;
+  u8 cons_ff = 0, cons_0 = 0;
+  for (k = 0; k < shape; ++k) {
+
+    if (b[k] == 0) ++cons_0;
+    else if (b[k] == 0xff) ++cons_0;
+    else cons_0 = cons_ff = 0;
+    
+    if (cons_0 > 1 || cons_ff > 1)
+      return;
+
+  }
+  
+  maybe_add_auto((u8*)&v, shape);
+  
+  u64 rev;
+  switch (shape) {
+    case 1: break;
+    case 2:
+      rev = SWAP16((u16)v);
+      maybe_add_auto((u8*)&rev, shape);
+      break;
+    case 4:
+      rev = SWAP32((u32)v);
+      maybe_add_auto((u8*)&rev, shape);
+      break;
+    case 8:
+      rev = SWAP64(v);
+      maybe_add_auto((u8*)&rev, shape);
+      break;
+  }
+  
+}
+
 u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) {
 
   struct cmp_header* h = &cmp_map->headers[key];
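Review bot: The 0xff branch in try_to_add_to_dict increments the wrong counter: `else if (b[k] == 0xff) ++cons_0;` should be `else if (b[k] == 0xff) ++cons_ff;`. As written cons_ff is never incremented, so `cons_ff > 1` is dead, and a 0x00 byte followed by 0xff is counted as two consecutive zeros and wrongly rejected, while a run of 0xff bytes is never filtered at all. The switch also has no `default:`, so a shape other than 1, 2, 4 or 8 silently adds only the unswapped value; a `default: break;` with a short comment would make that intentional. The function has no header comment; I would add `/* Add v, and its byte-swapped form, to the auto dictionary unless it holds two or more consecutive 0x00 or 0xff bytes. */` above it.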
@@ -338,6 +380,14 @@ u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) {
         break;
 
     }
+    
+    // If failed, add to dictionary
+    if (fails == 8) {
+    
+      try_to_add_to_dict(o->v0, SHAPE_BYTES(h->shape));
+      try_to_add_to_dict(o->v1, SHAPE_BYTES(h->shape));
+    
+    }
 
   cmp_fuzz_next_iter:
     stage_cur++;
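Review bot: The condition `fails == 8` hard-codes the number of encoding attempts made by the loop above, which starts outside this hunk, so the two places can silently drift apart if an attempt is added or removed. Name the count once, for example `enum { CMP_ATTEMPTS = 8 };` next to the loop and compare against it here, or at minimum tighten the comment to `// Every extend-encoding attempt failed: keep the operands as dictionary tokens` so a reader knows what the 8 stands for. The comment "If failed, add to dictionary" as written does not convey that all attempts must have failed.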