-rw-r--r-- | TODO | 2 | ||||
-rw-r--r-- | docs/ChangeLog | 2 | ||||
-rw-r--r-- | docs/custom_mutator.txt | 11 | ||||
-rw-r--r-- | docs/env_variables.txt | 5 | ||||
-rw-r--r-- | include/afl-fuzz.h | 1 | ||||
-rw-r--r-- | src/afl-fuzz-globals.c | 1 | ||||
-rw-r--r-- | src/afl-fuzz-one.c | 9 | ||||
-rw-r--r-- | src/afl-fuzz.c | 10 |
8 files changed, 33 insertions, 8 deletions
diff --git a/TODO b/TODO index 23bf688b..11dc523a 100644 --- a/TODO +++ b/TODO @@ -4,8 +4,6 @@ Roadmap 2.54d: afl-fuzz: - enable python mutator for MOpt - enable custom mutator for MOpt - - make custom mutator to call other mutators as well unless - AFL_CUSTOM_MUTATOR_ONLY=1 is set - add superion? remote feature diff --git a/docs/ChangeLog b/docs/ChangeLog index cbc067ca..171845b7 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -18,6 +18,8 @@ Version ++2.54d (dev): ---------------------- - persistent mode for QEMU (see qemu_mode/README.md) + - custom mutator library is now a standard mutator, to exclusivly use it + add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour) - no more unlinking the input file, this way the input file can also be a FIFO or disk partition - reducing duplicate code in afl-fuzz diff --git a/docs/custom_mutator.txt b/docs/custom_mutator.txt index 3b1b93b9..30e6b897 100644 --- a/docs/custom_mutator.txt +++ b/docs/custom_mutator.txt @@ -18,8 +18,13 @@ environment variable. The library must export the afl_custom_mutator() function must be compiled as a shared object. For example: $CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so -AFL will call the afl_custom_mutator() function every time it needs to mutate -a test case. For some cases, the format of the mutated data returned from +Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, its state mutator like any others, +so it will be used for some test cases, and other mutators for others. + +Only if AFL_CUSTOM_MUTATOR_ONLY is set the afl_custom_mutator() function will +be called every time it needs to mutate test case! + +For some cases, the format of the mutated data returned from the custom mutator is not suitable to directly execute the target with this input. For example, when using libprotobuf-mutator, the data returned is in a protobuf format which corresponds to a given grammar. In order to execute the target, 
@@ -31,4 +36,4 @@ is not needed. 2) Example ---------- -A simple example is provided in ../custom_mutators/ \ No newline at end of file +A simple example is provided in ../custom_mutators/ diff --git a/docs/env_variables.txt b/docs/env_variables.txt index 4a39cc9a..d5688939 100644 --- a/docs/env_variables.txt +++ b/docs/env_variables.txt @@ -202,8 +202,9 @@ checks or alter some of the more exotic semantics of the tool: for more. - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with - afl_custom_mutator() export will run all mutations solely to this function. - see docs/custom_mutator.txt + afl_custom_mutator() export run additional mutations though this library. + If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be + performed with/from the libary. see docs/custom_mutator.txt - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled with -DUSE_PYTHON. Please see docs/python_mutators.txt diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index ec896bdb..ae15b28f 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -251,6 +251,7 @@ extern u64 mem_limit; /* Memory cap for child (MB) */ extern u8 cal_cycles, /* Calibration cycles defaults */ cal_cycles_long, debug, /* Debug mode */ + custom_only, /* Custom mutator only mode */ python_only; /* Python-only mode */ extern u32 stats_update_freq; /* Stats update frequency (execs) */ diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 9aaa03cc..d457d28c 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -84,6 +84,7 @@ u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ u8 cal_cycles = CAL_CYCLES, /* Calibration cycles defaults */ cal_cycles_long = CAL_CYCLES_LONG, debug, /* Debug mode */ + custom_only, /* Custom mutator only mode */ python_only; /* Python-only mode */ u32 stats_update_freq = 1; /* Stats update frequency (execs) */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 3928a88f..82643722 100644 
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -516,7 +516,14 @@ u8 fuzz_one_original(char** argv) {
stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
stage_cycles[STAGE_CUSTOM_MUTATOR] += stage_max;
- goto abandon_entry;
+
+ if (custom_only) {
+
+ /* Skip other stages */
+ ret_val = 0;
+ goto abandon_entry;
+
+ }
}
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2d16345a..c2e18477 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -622,6 +622,16 @@ int main(int argc, char** argv) {
}
+ if (getenv("AFL_CUSTOM_MUTATOR_ONLY")) {
+
+ /* This ensures we don't proceed to havoc/splice */
+ custom_only = 1;
+
+ /* Ensure we also skip all deterministic steps */
+ skip_deterministic = 1;
+
+ }
+
get_core_count();
#ifdef HAVE_AFFINITY |
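Review bot: The AFL_CUSTOM_MUTATOR_ONLY block in main() never checks that a custom mutator library was actually configured, so with the variable set but AFL_CUSTOM_MUTATOR_LIBRARY unset the run skips the deterministic steps (`skip_deterministic = 1`) and then silently continues with havoc/splice, the opposite of what the docs hunks promise. If the custom-mutator stage in fuzz_one_original is only entered when a library was loaded — its opening guard sits outside the afl-fuzz-one.c hunk, so this is inferred — the new `if (custom_only)` early-out is never reached in that configuration. I would fail fast where the variable is read: directly after `if (getenv("AFL_CUSTOM_MUTATOR_ONLY")) {` add `if (!getenv("AFL_CUSTOM_MUTATOR_LIBRARY")) FATAL("AFL_CUSTOM_MUTATOR_ONLY requires AFL_CUSTOM_MUTATOR_LIBRARY");`. Forcing `skip_deterministic = 1` here also overrides whatever the option parser earlier in main() (outside the hunk) decided from -d/-M without telling the user; a one-line OKF/WARNF message at that point would make the override visible.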