diff options
| -rw-r--r-- | examples/custom_mutators/example.c | 36 | ||||
| -rw-r--r-- | include/afl-fuzz.h | 21 | ||||
| -rw-r--r-- | include/envs.h | 35 | ||||
| -rw-r--r-- | qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | 11 | ||||
| -rw-r--r-- | src/afl-fuzz-globals.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-mutators.c | 39 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 30 | ||||
| -rw-r--r-- | src/afl-fuzz-python.c | 34 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 6 | ||||
| -rw-r--r-- | src/afl-showmap.c | 5 | ||||
| -rw-r--r-- | src/afl-tmin.c | 42 |
13 files changed, 143 insertions, 127 deletions
diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index 178d39b3..127f971e 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -38,18 +38,17 @@ void afl_custom_init(unsigned int seed) { * produce data larger than max_size. * @return Size of the mutated output. */ -size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, - uint8_t *add_buf,size_t add_buf_size, // add_buf can be NULL +size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf, + size_t add_buf_size, // add_buf can be NULL size_t max_size) { // Make sure that the packet size does not exceed the maximum size expected by // the fuzzer size_t mutated_size = data_size <= max_size ? data_size : max_size; - if (mutated_size > buf_size) - *buf = realloc(*buf, mutated_size); - - uint8_t* mutated_out = *buf; + if (mutated_size > buf_size) *buf = realloc(*buf, mutated_size); + + uint8_t *mutated_out = *buf; // Randomly select a command string to add as a header to the packet memcpy(mutated_out, commands[rand() % 3], 3); @@ -94,9 +93,9 @@ size_t afl_custom_pre_save(uint8_t *buf, size_t buf_size, uint8_t **out_buf) { } static uint8_t *trim_buf; -static size_t trim_buf_size; -static int trimmming_steps; -static int cur_step; +static size_t trim_buf_size; +static int trimmming_steps; +static int cur_step; /** * This method is called at the start of each trimming operation and receives @@ -147,7 +146,7 @@ int afl_custom_init_trim(uint8_t *buf, size_t buf_size) { * the memory after saving the test case. * @param[out] out_buf_size Pointer to the size of the trimmed test case */ -void afl_custom_trim(uint8_t **out_buf, size_t* out_buf_size) { +void afl_custom_trim(uint8_t **out_buf, size_t *out_buf_size) { *out_buf_size = trim_buf_size - 1; @@ -172,8 +171,10 @@ void afl_custom_trim(uint8_t **out_buf, size_t* out_buf_size) { int afl_custom_post_trim(int success) { if (success) { + ++cur_step; return cur_step; + } return trimmming_steps; @@ -193,7 +194,8 @@ int afl_custom_post_trim(int success) { * not produce data larger than max_size. * @return Size of the mutated output. */ -size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size) { +size_t afl_custom_havoc_mutation(uint8_t **buf, size_t buf_size, + size_t max_size) { if (buf_size == 0) { @@ -205,7 +207,7 @@ size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size size_t victim = rand() % buf_size; (*buf)[victim] += rand() % 10; - + return buf_size; } @@ -220,7 +222,7 @@ size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size */ uint8_t afl_custom_havoc_mutation_probability(void) { - return 5; // 5 % + return 5; // 5 % } @@ -233,14 +235,14 @@ uint8_t afl_custom_havoc_mutation_probability(void) { * @return Return True(1) if the fuzzer will fuzz the queue entry, and * False(0) otherwise. */ -uint8_t afl_custom_queue_get(const uint8_t* filename) { +uint8_t afl_custom_queue_get(const uint8_t *filename) { return 1; } /** - * Allow for additional analysis (e.g. calling a different tool that does a + * Allow for additional analysis (e.g. calling a different tool that does a * different kind of coverage and saves this for the custom mutator). * * (Optional) @@ -248,8 +250,8 @@ uint8_t afl_custom_queue_get(const uint8_t* filename) { * @param filename_new_queue File name of the new queue entry * @param filename_orig_queue File name of the original queue entry */ -void afl_custom_queue_new_entry(const uint8_t* filename_new_queue, - const uint8_t* filename_orig_queue) { +void afl_custom_queue_new_entry(const uint8_t *filename_new_queue, + const uint8_t *filename_orig_queue) { /* Additional analysis on the original or new test case */ diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 8c0e7ca9..693e0dc6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -461,8 +461,9 @@ extern s32 cmplog_child_pid, cmplog_forksrv_pid; /* Custom mutators */ struct custom_mutator { + const char* name; - void* dh; + void* dh; /* hooks for the custom mutator function */ @@ -485,8 +486,8 @@ struct custom_mutator { * @param[in] buf_size Size of the input/output data * @param[in] add_buf Buffer containing the additional test case * @param[in] add_buf_size Size of the additional test case - * @param[in] max_size Maximum size of the mutated output. The mutation must not - * produce data larger than max_size. + * @param[in] max_size Maximum size of the mutated output. The mutation must + * not produce data larger than max_size. * @return Size of the mutated output. */ size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf, @@ -560,7 +561,7 @@ struct custom_mutator { * steps returned in init_trim) */ u32 (*afl_custom_post_trim)(u8 success); - + /** * Perform a single custom mutation on a given input. * This mutation is stacked with the other muatations in havoc. @@ -574,8 +575,9 @@ struct custom_mutator { * not produce data larger than max_size. * @return Size of the mutated output. */ - size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, size_t max_size); - + size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, + size_t max_size); + /** * Return the probability (in percentage) that afl_custom_havoc_mutation * is called in havoc. By default it is 6 %. @@ -598,7 +600,7 @@ struct custom_mutator { u8 (*afl_custom_queue_get)(const u8* filename); /** - * Allow for additional analysis (e.g. calling a different tool that does a + * Allow for additional analysis (e.g. calling a different tool that does a * different kind of coverage and saves this for the custom mutator). * * (Optional) @@ -609,6 +611,7 @@ struct custom_mutator { */ void (*afl_custom_queue_new_entry)(const u8* filename_new_queue, const u8* filename_orig_queue); + }; extern struct custom_mutator* mutator; @@ -680,8 +683,8 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf); /* Python */ #ifdef USE_PYTHON -int init_py_module(u8*); -void finalize_py_module(); +int init_py_module(u8*); +void finalize_py_module(); void init_py(unsigned int); size_t fuzz_py(u8**, size_t, u8*, size_t, size_t); diff --git a/include/envs.h b/include/envs.h index fee74fd7..b131f406 100644 --- a/include/envs.h +++ b/include/envs.h @@ -1,11 +1,10 @@ const char *afl_environment_variables[] = { "AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS", - "AFL_AUTORESUME", - "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE", "AFL_BENCH_UNTIL_CRASH", - "AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", - "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME", - "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY", + "AFL_AUTORESUME", "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE", + "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY", + "AFL_CMIN_CRASHES_ONLY", "AFL_CODE_END", "AFL_CODE_START", + "AFL_COMPCOV_BINNAME", "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT", //"AFL_DEFER_FORKSRV", // not implemented anymore, so warn additionally "AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", "AFL_DUMB_FORKSRV", @@ -19,21 +18,19 @@ const char *afl_environment_variables[] = { "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY", - "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", - "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", - "AFL_NO_UI", + "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", + "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally - "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", - "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", - "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", - "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", - "AFL_QEMU_PERSISTENT_HOOK", "AFL_QEMU_PERSISTENT_RET", - "AFL_QEMU_PERSISTENT_RETADDR_OFFSET", "AFL_QUIET", - "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH", "AFL_SHUFFLE_QUEUE", - "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ", "AFL_SKIP_CRASHES", - "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", - "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", - "AFL_WINE_PATH", NULL}; + "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", + "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", + "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT", + "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", + "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RETADDR_OFFSET", + "AFL_QUIET", "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH", + "AFL_SHUFFLE_QUEUE", "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ", + "AFL_SKIP_CRASHES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", + "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", + "AFL_USE_UBSAN", "AFL_WINE_PATH", NULL}; diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h index 9cdba901..a510ac83 100644 --- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h @@ -34,7 +34,7 @@ #include "afl-qemu-common.h" #include "tcg.h" -void HELPER(afl_entry_routine)(CPUArchState *env) { +void HELPER(afl_entry_routine)(CPUArchState* env) { afl_forkserver(ENV_GET_CPU(env)); @@ -171,7 +171,7 @@ static int area_is_mapped(void* ptr, size_t len) { } -void HELPER(afl_cmplog_rtn)(CPUX86State *env) { +void HELPER(afl_cmplog_rtn)(CPUX86State* env) { #if defined(TARGET_X86_64) @@ -181,9 +181,9 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) { #elif defined(TARGET_I386) target_ulong* stack = g2h(env->regs[R_ESP]); - - if (!area_is_mapped(stack, sizeof(target_ulong)*2)) return; - + + if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return; + // when this hook is executed, the retaddr is not on stack yet void* ptr1 = g2h(stack[0]); void* ptr2 = g2h(stack[1]); @@ -217,3 +217,4 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) { ptr2, 32); } + diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 87418753..9412463d 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -256,7 +256,7 @@ u8 *cmplog_binary; s32 cmplog_child_pid, cmplog_forksrv_pid; /* Custom mutator */ -struct custom_mutator* mutator; +struct custom_mutator *mutator; /* Interesting values, as per config.h */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 08b6de60..8cabd9eb 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -990,7 +990,7 @@ dir_cleanup_failed: } /* Delete fuzzer output directory if we recognize it as ours, if the fuzzer - is not currently running, and if the last run time isn't too great. + is not currently running, and if the last run time isn't too great. Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */ static void handle_existing_out_dir(void) { @@ -1036,10 +1036,11 @@ static void handle_existing_out_dir(void) { fclose(f); - /* Autoresume treats a normal run as in_place_resume if a valid out dir already exists */ + /* Autoresume treats a normal run as in_place_resume if a valid out dir + * already exists */ if (!in_place_resume && autoresume) { - + OKF("Detected prior run with AFL_AUTORESUME set. Resuming."); in_place_resume = 1; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 28d21636..b31e678b 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -36,6 +36,7 @@ void setup_custom_mutator(void) { u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); if (fn) { + if (limit_time_sig) FATAL( "MOpt and custom mutator are mutually exclusive. We accept pull " @@ -45,6 +46,7 @@ void setup_custom_mutator(void) { load_custom_mutator(fn); return; + } /* Try Python module */ @@ -65,6 +67,7 @@ void setup_custom_mutator(void) { load_custom_mutator_py(module_name); } + #else if (getenv("AFL_PYTHON_MODULE")) FATAL("Your AFL binary was built without Python support"); @@ -75,16 +78,20 @@ void setup_custom_mutator(void) { void destroy_custom_mutator(void) { if (mutator) { + if (mutator->dh) dlclose(mutator->dh); else { + /* Python mutator */ #ifdef USE_PYTHON finalize_py_module(); #endif + } ck_free(mutator); + } } @@ -104,8 +111,7 @@ void load_custom_mutator(const char* fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) - WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); @@ -133,8 +139,7 @@ void load_custom_mutator(const char* fn) { /* "afl_custom_trim", optional */ mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) - WARNF("Symbol 'afl_custom_trim' not found."); + if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); /* "afl_custom_post_trim", optional */ mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); @@ -151,14 +156,15 @@ void load_custom_mutator(const char* fn) { "trimming will be used."); } - + /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); if (!mutator->afl_custom_havoc_mutation) WARNF("Symbol 'afl_custom_havoc_mutation' not found."); /* "afl_custom_havoc_mutation", optional */ - mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); + mutator->afl_custom_havoc_mutation_probability = + dlsym(dh, "afl_custom_havoc_mutation_probability"); if (!mutator->afl_custom_havoc_mutation_probability) WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); @@ -175,8 +181,7 @@ void load_custom_mutator(const char* fn) { OKF("Custom mutator '%s' installed successfully.", fn); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) - mutator->afl_custom_init(UR(0xFFFFFFFF)); + if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF)); } @@ -309,8 +314,7 @@ void load_custom_mutator_py(const char* module_name) { mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); - if (py_functions[PY_FUNC_INIT]) - mutator->afl_custom_init = init_py; + if (py_functions[PY_FUNC_INIT]) mutator->afl_custom_init = init_py; /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator is quite different from the custom mutator. */ @@ -325,14 +329,14 @@ void load_custom_mutator_py(const char* module_name) { if (py_functions[PY_FUNC_POST_TRIM]) mutator->afl_custom_post_trim = post_trim_py; - if (py_functions[PY_FUNC_TRIM]) - mutator->afl_custom_trim = trim_py; - + if (py_functions[PY_FUNC_TRIM]) mutator->afl_custom_trim = trim_py; + if (py_functions[PY_FUNC_HAVOC_MUTATION]) mutator->afl_custom_havoc_mutation = havoc_mutation_py; - + if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) - mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py; + mutator->afl_custom_havoc_mutation_probability = + havoc_mutation_probability_py; if (py_functions[PY_FUNC_QUEUE_GET]) mutator->afl_custom_queue_get = queue_get_py; @@ -343,8 +347,9 @@ void load_custom_mutator_py(const char* module_name) { OKF("Python mutator '%s' installed successfully.", module_name); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) - mutator->afl_custom_init(UR(0xFFFFFFFF)); + if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF)); } + #endif + diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 1817bd03..c6dbb858 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -359,8 +359,7 @@ u8 fuzz_one_original(char** argv) { /* The custom mutator will decide to skip this test case or not. */ - if (!mutator->afl_custom_queue_get(queue_cur->fname)) - return 1; + if (!mutator->afl_custom_queue_get(queue_cur->fname)) return 1; } @@ -1552,7 +1551,7 @@ custom_mutator_stage: const u32 max_seed_size = MAX_FILE; orig_hit_cnt = queued_paths + unique_crashes; - + for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { struct queue_entry* target; @@ -1597,10 +1596,9 @@ custom_mutator_stage: new_buf = ck_alloc_nozero(target->len); ck_read(fd, new_buf, target->len, target->fname); close(fd); - - size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, - new_buf, target->len, - max_seed_size); + + size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, new_buf, + target->len, max_seed_size); ck_free(new_buf); @@ -1629,7 +1627,7 @@ custom_mutator_stage: } } - + if (mutated_size < len) out_buf = ck_realloc(out_buf, len); memcpy(out_buf, in_buf, len); @@ -1688,13 +1686,15 @@ havoc_stage: havoc_queued = queued_paths; u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); - u8 stacked_custom_prob = 6; // like one of the default mutations in havoc + u8 stacked_custom_prob = 6; // like one of the default mutations in havoc if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) { stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability(); if (stacked_custom_prob > 100) - FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100."); + FATAL( + "The probability returned by afl_custom_havoc_mutation_propability " + "has to be in the range 0-100."); } @@ -1708,12 +1708,12 @@ havoc_stage: stage_cur_val = use_stacking; for (i = 0; i < use_stacking; ++i) { - + if (stacked_custom && UR(100) < stacked_custom_prob) { - - temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len, - MAX_FILE); - + + temp_len = + mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE); + } switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 4e72905d..28b101f3 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -80,6 +80,7 @@ int init_py_module(u8* module_name) { py_notrim = 1; } else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) && + (py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) { // Implenting the havoc and queue API is optional for now @@ -140,6 +141,7 @@ void finalize_py_module() { } void init_py(unsigned int seed) { + PyObject *py_args, *py_value; /* Provide the init function a seed for the Python RNG */ @@ -171,12 +173,13 @@ void init_py(unsigned int seed) { return; } + } size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, size_t max_size) { - size_t mutated_size; + size_t mutated_size; PyObject *py_args, *py_value; py_args = PyTuple_New(3); @@ -224,8 +227,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, if (py_value != NULL) { mutated_size = PyByteArray_Size(py_value); - if (buf_size < mutated_size) - *buf = ck_realloc(*buf, mutated_size); + if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size); memcpy(*buf, PyByteArray_AsString(py_value), mutated_size); Py_DECREF(py_value); @@ -242,7 +244,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, size_t pre_save_py(u8* buf, size_t buf_size, u8** out_buf) { - size_t out_buf_size; + size_t out_buf_size; PyObject *py_args, *py_value; py_args = PyTuple_New(1); py_value = PyByteArray_FromStringAndSize(buf, buf_size); @@ -377,7 +379,7 @@ void trim_py(u8** out_buf, size_t* out_buf_size) { size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) { - size_t mutated_size; + size_t mutated_size; PyObject *py_args, *py_value; py_args = PyTuple_New(2); @@ -414,9 +416,8 @@ size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) { if (py_value != NULL) { mutated_size = PyByteArray_Size(py_value); - if (buf_size < mutated_size) - *buf = ck_realloc(*buf, mutated_size); - + if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size); + memcpy(*buf, PyByteArray_AsString(py_value), mutated_size); Py_DECREF(py_value); @@ -436,7 +437,8 @@ u8 havoc_mutation_probability_py(void) { PyObject *py_args, *py_value; py_args = PyTuple_New(0); - py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args); + py_value = PyObject_CallObject( + py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args); Py_DECREF(py_args); if (py_value != NULL) { @@ -483,7 +485,7 @@ u8 queue_get_py(const u8* filename) { int ret = PyObject_IsTrue(py_value); Py_DECREF(py_value); - + if (ret == -1) { PyErr_Print(); @@ -491,10 +493,10 @@ u8 queue_get_py(const u8* filename) { } - return (u8) ret & 0xFF; + return (u8)ret & 0xFF; } else { - + PyErr_Print(); FATAL("Call failed"); @@ -516,7 +518,7 @@ void queue_new_entry_py(const u8* filename_new_queue, py_value = PyString_FromString(filename_new_queue); #endif if (!py_value) { - + Py_DECREF(py_args); FATAL("Failed to convert arguments"); @@ -534,7 +536,7 @@ void queue_new_entry_py(const u8* filename_new_queue, py_value = PyString_FromString(filename_orig_queue); #endif if (!py_value) { - + Py_DECREF(py_args); FATAL("Failed to convert arguments"); @@ -545,8 +547,8 @@ void queue_new_entry_py(const u8* filename_new_queue, PyTuple_SetItem(py_args, 1, py_value); // Call - py_value = PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], - py_args); + py_value = + PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], py_args); Py_DECREF(py_args); if (py_value == NULL) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 58985d8b..f0ba2fe8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -662,7 +662,7 @@ void sync_fuzzers(char** argv) { ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); -close_sync: + close_sync: close(id_fd); closedir(qd); ck_free(qd_path); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 12c7853c..778ada9a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -119,7 +119,8 @@ static void usage(u8* argv0, int more_help) { " if using QEMU, just use -c 0.\n\n" "Fuzzing behavior settings:\n" - " -N - do not unlink the fuzzing input file (only for devices etc.!)\n" + " -N - do not unlink the fuzzing input file (only for " + "devices etc.!)\n" " -d - quick & dirty mode (skips deterministic steps)\n" " -n - fuzz without instrumentation (dumb mode)\n" " -x dir - optional fuzzer dictionary (see README.md, its really " @@ -752,8 +753,7 @@ int main(int argc, char** argv, char** envp) { if (get_afl_env("AFL_AUTORESUME")) { autoresume = 1; - if (in_place_resume) - SAYF("AFL_AUTORESUME has no effect for '-i -'"); + if (in_place_resume) SAYF("AFL_AUTORESUME has no effect for '-i -'"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6075027f..ffdb67e4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -730,9 +730,8 @@ int main(int argc, char** argv, char** envp) { char** use_argv; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - - if (getenv("AFL_QUIET") != NULL) - be_quiet = 1; + + if (getenv("AFL_QUIET") != NULL) be_quiet = 1; while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0) diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 509943ff..31296cb5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -99,7 +99,6 @@ static volatile u8 stop_soon; /* Ctrl-C pressed? */ static u8 qemu_mode; - /* * forkserver section */ @@ -533,7 +532,7 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) { return 0; } - + /* Handle crashing inputs depending on current mode. */ if (WIFSIGNALED(status) || @@ -822,14 +821,15 @@ finalize_all: if (hang_mode) { - SAYF("\n" cGRA " File size reduced by : " cRST - "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST - "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA - " Fruitless execs : " cRST "termination=%u crash=%u\n\n", - 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, - missed_paths, missed_crashes); - return; + SAYF("\n" cGRA " File size reduced by : " cRST + "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST + "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA + " Fruitless execs : " cRST "termination=%u crash=%u\n\n", + 100 - ((double)in_len) * 100 / orig_len, in_len, + in_len == 1 ? "" : "s", + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, + missed_paths, missed_crashes); + return; } @@ -1146,7 +1146,8 @@ int main(int argc, char** argv, char** envp) { case 'e': if (edges_only) FATAL("Multiple -e options not supported"); - if (hang_mode) FATAL("Edges only and hang mode are mutually exclusive."); + if (hang_mode) + FATAL("Edges only and hang mode are mutually exclusive."); edges_only = 1; break; @@ -1232,12 +1233,13 @@ int main(int argc, char** argv, char** envp) { break; - case 'H': /* Hang Mode */ - + case 'H': /* Hang Mode */ + /* Minimizes a testcase to the minimum that still times out */ if (hang_mode) FATAL("Multipe -H options not supported"); - if (edges_only) FATAL("Edges only and hang mode are mutually exclusive."); + if (edges_only) + FATAL("Edges only and hang mode are mutually exclusive."); hang_mode = 1; break; @@ -1314,14 +1316,18 @@ int main(int argc, char** argv, char** envp) { run_target(use_argv, in_data, in_len, 1); if (hang_mode && !child_timed_out) - FATAL("Target binary did not time out but hang minimization mode " - "(-H) was set (-t %u).", exec_tmout); + FATAL( + "Target binary did not time out but hang minimization mode " + "(-H) was set (-t %u).", + exec_tmout); if (child_timed_out && !hang_mode) - FATAL("Target binary times out (adjusting -t may help). Use -H to minimize a hang."); + FATAL( + "Target binary times out (adjusting -t may help). Use -H to minimize a " + "hang."); if (hang_mode) { - + OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode."); } else if (!crash_mode) { |