about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/config.h28
-rw-r--r--src/afl-fuzz-redqueen.c35
-rw-r--r--src/afl-fuzz.c3
3 files changed, 38 insertions, 28 deletions
diff --git a/include/config.h b/include/config.h
index b5137553..60872785 100644
--- a/include/config.h
+++ b/include/config.h
@@ -34,6 +34,32 @@
  *                                                    *
  ******************************************************/
 
+/* CMPLOG/REDQUEEN TUNING
+ *
+ * Here you can tuning and solving options for cmplog.
+ * Note that these are run-time options for afl-fuzz, no target
+ * recompilation required.
+ *
+ */
+
+/* Enable transform following (XOR/ADD/SUB manipulations, hex en/decoding) */
+// #define CMPLOG_TRANSFORM
+
+/* if TRANSFORM is enabled, this additionally enables base64 en/decoding */
+// #define CMPLOG_TRANSFORM_BASE64
+
+/* Minimum % of the corpus to perform cmplog on. Default: 20% */
+#define CMPLOG_CORPUS_PERCENT 20U
+
+/* Number of potential posititions from which we decide the cmplog becomes
+   useless, default 16384 */
+#define CMPLOG_POSITIONS_MAX 16384U
+
+/* Maximum allowed fails per CMP value. Default: 32 * 3 */
+#define CMPLOG_FAIL_MAX 96
+
+/* Now non-cmplog configuration options */
+
 /* console output colors: There are three ways to configure its behavior
  * 1. default: colored outputs fixed on: defined USE_COLOR && defined
  * ALWAYS_COLORED The env var. AFL_NO_COLOR will have no effect
@@ -67,7 +93,7 @@
 /* If you want to have the original afl internal memory corruption checks.
    Disabled by default for speed. it is better to use "make ASAN_BUILD=1". */
 
-//#define _WANT_ORIGINAL_AFL_ALLOC
+// #define _WANT_ORIGINAL_AFL_ALLOC
 
 /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
 
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 14a9b65d..8979be98 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -51,7 +51,7 @@ enum {
 enum {
 
   LVL1 = 1,  // Integer solving
-  LVL2 = 2,  // FP solving
+  LVL2 = 2,  // unused except for setting the queue entry
   LVL3 = 4   // expensive tranformations
 
 };
@@ -986,11 +986,10 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 
 #endif
 
-  // we only allow this for ascii2integer (above)
+  // we only allow this for ascii2integer (above) so leave if this is the case
   if (unlikely(pattern == o_pattern)) { return 0; }
 
-  if ((lvl & LVL1) || ((lvl & LVL2) && (attr >= IS_FP && attr < IS_FP_MOD)) ||
-      attr >= IS_FP_MOD) {
+  if ((lvl & LVL1) || attr >= IS_FP_MOD) {
 
     if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) {
 
@@ -1498,9 +1497,6 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
                    u32 len, u32 lvl, struct tainted *taint) {
 
   struct cmp_header *h = &afl->shm.cmp_map->headers[key];
-  // FP handling only from lvl 2 onwards
-  if ((h->attribute & IS_FP) && lvl < LVL2) { return 0; }
-
   struct tainted *t;
   u32             i, j, idx, taint_len, loggeds;
   u32             have_taint = 1, is_n = 0;
@@ -2443,21 +2439,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
   afl->stage_max = 0;
   afl->stage_cur = 0;
 
-  u32 lvl;
-  u32 cmplog_done = afl->queue_cur->colorized;
-  u32 cmplog_lvl = afl->cmplog_lvl;
-  if (!cmplog_done) {
-
-    lvl = LVL1;
-
-  } else {
-
-    lvl = 0;
-
-  }
-
-  if (cmplog_lvl >= 2 && cmplog_done < 2) { lvl += LVL2; }
-  if (cmplog_lvl >= 3 && cmplog_done < 3) { lvl += LVL3; }
+  u32 lvl = (afl->queue_cur->colorized ? 0 : LVL1) + (afl->cmplog_lvl == CMPLOG_LVL_MAX ? LVL3 : 0);
 
 #ifdef COMBINE
   u8 *cbuf = afl_realloc((void **)&afl->in_scratch_buf, len + 128);
@@ -2473,8 +2455,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
     if (!afl->shm.cmp_map->headers[k].hits) { continue; }
 
-    if (afl->pass_stats[k].faileds >= 0x69 ||
-        afl->pass_stats[k].total >= 0x69) {
+    if (afl->pass_stats[k].faileds >= CMPLOG_FAIL_MAX ||
+        afl->pass_stats[k].total >= CMPLOG_FAIL_MAX) {
 
 #ifdef _DEBUG
       fprintf(stderr, "DISABLED %u\n", k);
@@ -2542,9 +2524,10 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
 exit_its:
 
-  afl->queue_cur->colorized = afl->cmplog_lvl;
   if (afl->cmplog_lvl == CMPLOG_LVL_MAX) {
 
+    afl->queue_cur->colorized = CMPLOG_LVL_MAX;
+  
     ck_free(afl->queue_cur->cmplog_colorinput);
     t = taint;
     while (taint) {
@@ -2559,6 +2542,8 @@ exit_its:
 
   } else {
 
+    afl->queue_cur->colorized = LVL2;
+
     if (!afl->queue_cur->taint) { afl->queue_cur->taint = taint; }
 
     if (!afl->queue_cur->cmplog_colorinput) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 008ba7d1..62560724 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -123,8 +123,7 @@ static void usage(u8 *argv0, int more_help) {
       "it.\n"
       "                  if using QEMU, just use -c 0.\n"
       "  -l cmplog_level - set the complexity/intensivity of CmpLog.\n"
-      "                  Values: 1 (integer+string), 2 (+FP) and 3 "
-      "(+transform)\n\n"
+      "                  Values: 1 (basic), 2 (larger files) and 3 (transform)\n\n"
 
       "Fuzzing behavior settings:\n"
       "  -Z            - sequential queue selection instead of weighted "
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-17 19:18:03 +0000