about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/config.h9
-rw-r--r--instrumentation/afl-compiler-rt.o.c6
-rw-r--r--src/afl-cc.c62
-rw-r--r--src/afl-common.c2
-rw-r--r--src/afl-fuzz.c24
5 files changed, 60 insertions, 43 deletions
diff --git a/include/config.h b/include/config.h
index b049fee0..29225f6b 100644
--- a/include/config.h
+++ b/include/config.h
@@ -34,6 +34,15 @@
  *                                                    *
  ******************************************************/
 
+/* Default shared memory map size. Most targets just need a coverage map
+   between 20-250kb. Plus there is an auto-detection feature in afl-fuzz.
+   However if a target has problematic constructors and init arrays then
+   this can fail. Hence afl-fuzz deploys a larger default map. The largest
+   map seen so far is the xlsx fuzzer for libreoffice which is 5MB.
+   At runtime this value can be overriden via AFL_MAP_SIZE.
+   Default: 8MB (defined in bytes) */
+#define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024)
+
 /* CMPLOG/REDQUEEN TUNING
  *
  * Here you can modify tuning and solving options for CMPLOG.
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 70148b78..c635ae63 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1774,14 +1774,14 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
   */
 
   if (unlikely(!__afl_cmp_map)) return;
-  //fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
+  // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
   int l1, l2;
   if ((l1 = area_is_valid(ptr1, 32)) <= 0 ||
       (l2 = area_is_valid(ptr2, 32)) <= 0)
     return;
   int len = MIN(l1, l2);
 
-  //fprintf(stderr, "RTN2 %u\n", len);
+  // fprintf(stderr, "RTN2 %u\n", len);
   uintptr_t k = (uintptr_t)__builtin_return_address(0);
   k = (k >> 4) ^ (k << 8);
   k &= CMP_MAP_W - 1;
@@ -1812,7 +1812,7 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
                    ptr1, len);
   __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
                    ptr2, len);
-  //fprintf(stderr, "RTN3\n");
+  // fprintf(stderr, "RTN3\n");
 
 }
 
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 206066fd..ebbd390c 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -959,63 +959,63 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   if (compiler_mode != GCC && compiler_mode != CLANG) {
 
-      switch (bit_mode) {
+    switch (bit_mode) {
 
-        case 0:
-          if (!shared_linking)
+      case 0:
+        if (!shared_linking)
           cc_params[cc_par_cnt++] =
               alloc_printf("%s/afl-compiler-rt.o", obj_path);
-          if (lto_mode)
-            cc_params[cc_par_cnt++] =
-                alloc_printf("%s/afl-llvm-rt-lto.o", obj_path);
-          break;
+        if (lto_mode)
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-lto.o", obj_path);
+        break;
 
-        case 32:
-          if (!shared_linking)
+      case 32:
+        if (!shared_linking)
           cc_params[cc_par_cnt++] =
               alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
+        if (access(cc_params[cc_par_cnt - 1], R_OK))
+          FATAL("-m32 is not supported by your compiler");
+        if (lto_mode) {
+
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path);
           if (access(cc_params[cc_par_cnt - 1], R_OK))
             FATAL("-m32 is not supported by your compiler");
-          if (lto_mode) {
-
-            cc_params[cc_par_cnt++] =
-                alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path);
-            if (access(cc_params[cc_par_cnt - 1], R_OK))
-              FATAL("-m32 is not supported by your compiler");
 
-          }
+        }
 
-          break;
+        break;
 
-        case 64:
-          if (!shared_linking)
+      case 64:
+        if (!shared_linking)
           cc_params[cc_par_cnt++] =
               alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
+        if (access(cc_params[cc_par_cnt - 1], R_OK))
+          FATAL("-m64 is not supported by your compiler");
+        if (lto_mode) {
+
+          cc_params[cc_par_cnt++] =
+              alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path);
           if (access(cc_params[cc_par_cnt - 1], R_OK))
             FATAL("-m64 is not supported by your compiler");
-          if (lto_mode) {
 
-            cc_params[cc_par_cnt++] =
-                alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path);
-            if (access(cc_params[cc_par_cnt - 1], R_OK))
-              FATAL("-m64 is not supported by your compiler");
-
-          }
+        }
 
-          break;
+        break;
 
-      }
+    }
 
   #if !defined(__APPLE__) && !defined(__sun)
-          if (!shared_linking)
+    if (!shared_linking)
       cc_params[cc_par_cnt++] =
           alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
   #endif
 
-    }
+  }
 
   #if defined(USEMMAP) && !defined(__HAIKU__)
-    cc_params[cc_par_cnt++] = "-lrt";
+  cc_params[cc_par_cnt++] = "-lrt";
   #endif
 
 #endif
diff --git a/src/afl-common.c b/src/afl-common.c
index 27b63434..7e56ce3f 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -1072,7 +1072,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) {
 /* Reads the map size from ENV */
 u32 get_map_size(void) {
 
-  uint32_t map_size = 8000000;  // a very large default map
+  uint32_t map_size = DEFAULT_SHMEM_SIZE;
   char *   ptr;
 
   if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2fde561c..8318a92e 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1527,11 +1527,13 @@ int main(int argc, char **argv_orig, char **envp) {
   if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
       !afl->unicorn_mode) {
 
-    if (map_size <= 8000000 && !afl->non_instrumented_mode &&
+    if (map_size <= DEFAULT_SHMEM_SIZE && !afl->non_instrumented_mode &&
         !afl->fsrv.qemu_mode && !afl->unicorn_mode) {
 
-      afl->fsrv.map_size = 8000000;  // dummy temporary value
-      setenv("AFL_MAP_SIZE", "8000000", 1);
+      afl->fsrv.map_size = DEFAULT_SHMEM_SIZE;  // dummy temporary value
+      char vbuf[16];
+      snprintf(vbuf, sizeof(vbuf), "%u", DEFAULT_SHMEM_SIZE);
+      setenv("AFL_MAP_SIZE", vbuf, 1);
 
     }
 
@@ -1582,11 +1584,13 @@ int main(int argc, char **argv_orig, char **envp) {
     afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
     afl->cmplog_fsrv.init_child_func = cmplog_exec_child;
 
-    if (map_size <= 8000000 && !afl->non_instrumented_mode &&
+    if (map_size <= DEFAULT_SHMEM_SIZE && !afl->non_instrumented_mode &&
         !afl->fsrv.qemu_mode && !afl->unicorn_mode) {
 
-      afl->cmplog_fsrv.map_size = 8000000;  // dummy temporary value
-      setenv("AFL_MAP_SIZE", "8000000", 1);
+      afl->fsrv.map_size = DEFAULT_SHMEM_SIZE;  // dummy temporary value
+      char vbuf[16];
+      snprintf(vbuf, sizeof(vbuf), "%u", DEFAULT_SHMEM_SIZE);
+      setenv("AFL_MAP_SIZE", vbuf, 1);
 
     }
 
@@ -1634,8 +1638,12 @@ int main(int argc, char **argv_orig, char **envp) {
   }
 
   if (afl->debug) {
-  printf("NORMAL %u, CMPLOG %u\n", afl->fsrv.map_size, afl->cmplog_fsrv.map_size);
-  fprintf(stderr, "NORMAL %u, CMPLOG %u\n", afl->fsrv.map_size, afl->cmplog_fsrv.map_size);
+
+    printf("NORMAL %u, CMPLOG %u\n", afl->fsrv.map_size,
+           afl->cmplog_fsrv.map_size);
+    fprintf(stderr, "NORMAL %u, CMPLOG %u\n", afl->fsrv.map_size,
+            afl->cmplog_fsrv.map_size);
+
   }
 
   load_auto(afl);
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-21 16:33:45 +0000