-rw-r--r--README.md1
-rw-r--r--frida_mode/test/cmplog/GNUmakefile17
-rw-r--r--frida_mode/test/cmplog/Makefile3
-rw-r--r--include/forkserver.h2
-rw-r--r--src/afl-forkserver.c2
-rw-r--r--src/afl-fuzz-cmplog.c2
-rw-r--r--src/afl-fuzz.c57
7 files changed, 27 insertions, 57 deletions
diff --git a/README.md b/README.md
index eeab7aa1..821b8cb7 100644
--- a/README.md
+++ b/README.md
@@ -228,6 +228,7 @@ Thank you! (For people sending pull requests - please add yourself to this list
     Thomas Rooijakkers                    David Carlier
     Ruben ten Hove                        Joey Jiao
     fuzzah                                @intrigus-lgtm
+    Yaakov Saxon
   ```
 
 </details>
diff --git a/frida_mode/test/cmplog/GNUmakefile b/frida_mode/test/cmplog/GNUmakefile
index bcaff42d..fca52f82 100644
--- a/frida_mode/test/cmplog/GNUmakefile
+++ b/frida_mode/test/cmplog/GNUmakefile
@@ -2,8 +2,9 @@ PWD:=$(shell pwd)/
 ROOT:=$(PWD)../../../
 BUILD_DIR:=$(PWD)build/
 
+TEST_CMPLOG_BASENAME=compcovtest
 TEST_CMPLOG_SRC=$(PWD)cmplog.c
-TEST_CMPLOG_OBJ=$(BUILD_DIR)compcovtest
+TEST_CMPLOG_OBJ=$(BUILD_DIR)$(TEST_CMPLOG_BASENAME)
 
 TEST_BIN:=$(PWD)../../build/test
 
@@ -13,7 +14,7 @@ CMP_LOG_INPUT:=$(TEST_DATA_DIR)in
 QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
-.PHONY: all 32 clean qemu frida frida-nocmplog format
+.PHONY: all 32 clean qemu frida frida-nocmplog frida-unprefixedpath format
 
 all: $(TEST_CMPLOG_OBJ)
 	make -C $(ROOT)frida_mode/
@@ -64,6 +65,18 @@ frida-nocmplog: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT)
 		-- \
 			$(TEST_CMPLOG_OBJ) @@
 
+
+frida-unprefixedpath: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT)
+	PATH=$(BUILD_DIR) $(ROOT)afl-fuzz \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-c 0 \
+		-l 3AT \
+		-Z \
+		-- \
+			$(TEST_CMPLOG_BASENAME) @@
+
 debug: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT)
 	gdb \
 		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
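Review bot: The new `frida-unprefixedpath` target has no comment saying what it exercises, and the bare `$(TEST_CMPLOG_BASENAME)` after `--` only makes sense together with the `PATH=$(BUILD_DIR)` prefix on the recipe line. A one-line comment above the target would spare the next reader a trip through the history: `# cmplog test with the target given as a bare name that afl-fuzz must resolve through PATH (no ./ or absolute prefix)`. Note that the assignment replaces PATH for the afl-fuzz process instead of prepending to it, so anything else afl-fuzz looks up through PATH in that run will not be found; if that is deliberate the comment should say so, otherwise `PATH=$(BUILD_DIR):$$PATH` keeps the build directory first while leaving the rest intact.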
diff --git a/frida_mode/test/cmplog/Makefile b/frida_mode/test/cmplog/Makefile
index 7ca9a9a5..b84e9218 100644
--- a/frida_mode/test/cmplog/Makefile
+++ b/frida_mode/test/cmplog/Makefile
@@ -19,6 +19,9 @@ frida:
 frida-nocmplog:
 	@gmake frida-nocmplog
 
+frida-unprefixedpath:
+	@gmake frida-unprefixedpath
+
 format:
 	@gmake format
 
diff --git a/include/forkserver.h b/include/forkserver.h
index 35bc1771..50898a08 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -43,7 +43,7 @@ typedef enum NyxReturnValue {
   Normal,
   Crash,
   Asan,
-  Timout,
+  Timeout,
   InvalidWriteToPayload,
   Error,
   IoError,
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 89d01460..5aa4c2ff 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -1370,7 +1370,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
       case Crash:
       case Asan:
         return FSRV_RUN_CRASH;
-      case Timout:
+      case Timeout:
         return FSRV_RUN_TMOUT;
       case InvalidWriteToPayload:
         /* ??? */
diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c
index 8967d4bc..2bf26d19 100644
--- a/src/afl-fuzz-cmplog.c
+++ b/src/afl-fuzz-cmplog.c
@@ -41,7 +41,7 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) {
 
   }
 
-  execv(argv[0], argv);
+  execv(fsrv->target_path, argv);
 
 }
 
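Review bot: Switching the exec target from `argv[0]` to `fsrv->target_path` fixes the bare-name case (execv() does no PATH search, so it needs the path the parent already resolved), but it also means the cmplog child now runs whatever `target_path` holds regardless of what `argv[0]` was set to. Together with the afl-fuzz.c hunk that adds `afl->cmplog_fsrv.target_path = afl->fsrv.target_path;`, the cmplog forkserver execs exactly the main forkserver's path; that is correct when the cmplog binary is the target itself (the `-c 0` FRIDA run the new test covers), but if the part of this function above the hunk still rewrites `argv[0]` to `fsrv->cmplog_binary` for a plain `-c <binary>` invocation — cmplog_exec_child starts outside the hunk, so I cannot confirm that from here — that separate binary would no longer be the one executed. Either point `cmplog_fsrv.target_path` at the resolved cmplog binary in that mode, or state the invariant next to the call, e.g. `/* target_path is PATH-resolved by the parent; argv[0] is not, so it must not be used as the exec path */`.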
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index de41600b..5f286427 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2087,6 +2087,7 @@ int main(int argc, char **argv_orig, char **envp) {
     afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode;
     afl->cmplog_fsrv.frida_mode = afl->fsrv.frida_mode;
     afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
+    afl->cmplog_fsrv.target_path = afl->fsrv.target_path;
     afl->cmplog_fsrv.init_child_func = cmplog_exec_child;
 
     if ((map_size <= DEFAULT_SHMEM_SIZE ||
@@ -2216,8 +2217,8 @@ int main(int argc, char **argv_orig, char **envp) {
   cull_queue(afl);
 
   // ensure we have at least one seed that is not disabled.
-  u32 valid_seeds = 0;
-  for (u32 entry = 0; entry < afl->queued_items; ++entry)
+  u32 entry, valid_seeds = 0;
+  for (entry = 0; entry < afl->queued_items; ++entry)
     if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; }
 
   if (!afl->pending_not_fuzzed || !valid_seeds) {
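Review bot: Hoisting `entry` out of the `for` header into `u32 entry, valid_seeds = 0;` widens its lifetime to the rest of main() (whose body starts and ends outside this hunk) so that the loop in the following hunk can reuse it, while this file already relied on C99 loop-scoped declarations here. Per-loop `for (u32 entry = 0; ...)` keeps each index confined to the loop that uses it, which is the cleaner form; if the hoist was made to silence a redeclaration or shadowing diagnostic, a short comment on the declaration such as `// shared by the two queue scans below` would keep a later cleanup from reverting it, otherwise restoring the loop-scoped form in both loops reads better.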
@@ -2247,7 +2248,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
       u64 max_ms = 0;
 
-      for (u32 entry = 0; entry < afl->queued_items; ++entry)
+      for (entry = 0; entry < afl->queued_items; ++entry)
         if (!afl->queue_buf[entry]->disabled)
           if (afl->queue_buf[entry]->exec_us > max_ms)
             max_ms = afl->queue_buf[entry]->exec_us;
@@ -2291,7 +2292,7 @@ int main(int argc, char **argv_orig, char **envp) {
   #ifdef INTROSPECTION
   u32 prev_saved_crashes = 0, prev_saved_tmouts = 0;
   #endif
-  u32 skip_count = 0, prev_queued_items = 0, runs_in_current_cycle = (u32)-1;
+  u32 prev_queued_items = 0, runs_in_current_cycle = (u32)-1;
   u8  skipped_fuzz;
 
   #ifdef INTROSPECTION
@@ -2553,54 +2554,6 @@ int main(int argc, char **argv_orig, char **envp) {
       }
 
       skipped_fuzz = fuzz_one(afl);
-
-      if (unlikely(skipped_fuzz)) {
-
-        ++skip_count;
-
-        if (unlikely(skip_count > afl->active_items)) {
-
-          if (afl->active_items > 1 && !afl->old_seed_selection) {
-
-            u32 found = 0;
-            for (u32 i = 0; i < afl->queued_items; ++i) {
-
-              if (likely(!afl->queue_buf[i]->disabled &&
-                         afl->queue_buf[i]->perf_score == 0)) {
-
-                ++found;
-
-              }
-
-            }
-
-            if (found >= afl->active_items) {
-
-              // all active items have a perf_score of 0 ... damn
-              for (u32 i = 0; i < afl->queued_items; ++i) {
-
-                if (likely(!afl->queue_buf[i]->disabled)) {
-
-                  afl->queue_buf[i]->perf_score = afl->queue_buf[i]->weight;
-
-                }
-
-              }
-
-            }
-
-          }
-
-          skip_count = 0;
-
-        }
-
-      } else {
-
-        skip_count = 0;
-
-      }
-
   #ifdef INTROSPECTION
       ++afl->queue_cur->stats_selected;