-rw-r--r--.gitmodules4
-rw-r--r--docs/env_variables.md4
-rw-r--r--frida_mode/GNUmakefile20
-rw-r--r--frida_mode/README.md5
m---------frida_mode/frida0
-rw-r--r--frida_mode/src/cmplog/cmplog_x64.c16
-rw-r--r--include/afl-fuzz.h6
-rw-r--r--include/envs.h1
m---------qemu_mode/qemuafl0
-rw-r--r--src/afl-fuzz-bitmap.c2
-rw-r--r--src/afl-fuzz-state.c8
-rw-r--r--src/afl-fuzz-stats.c12
-rw-r--r--src/afl-fuzz.c8
-rwxr-xr-xtest/test-custom-mutators.sh2
-rwxr-xr-xtest/test-performance.sh1
-rwxr-xr-xtest/test-pre.sh1
16 files changed, 61 insertions, 29 deletions
diff --git a/.gitmodules b/.gitmodules
index 0b8ccd97..c787ec0e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -7,7 +7,3 @@
 [submodule "qemu_mode/qemuafl"]
 	path = qemu_mode/qemuafl
 	url = https://github.com/AFLplusplus/qemuafl
-[submodule "frida_mode/frida"]
-	path = frida_mode/frida
-	url = https://github.com/WorksButNotTested/frida.git
-	branch = x64_stalker_fix
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 0100ffac..8879db72 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -284,6 +284,10 @@ checks or alter some of the more exotic semantics of the tool:
     normally indicated by the cycle counter in the UI turning green. May be
     convenient for some types of automated jobs.
 
+  - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were 
+    found within a specified period of time. May be convenient for some 
+    types of automated jobs.
+
   - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour
     which does not allow crashes or timeout seeds in the initial -i corpus.
 
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index e95455e3..a15f5c32 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -64,7 +64,7 @@ ifndef OS
  $(error "Operating system unsupported")
 endif
 
-GUM_DEVKIT_VERSION=14.2.17
+GUM_DEVKIT_VERSION=14.2.18
 GUM_DEVKIT_FILENAME=frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz
 GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)"
 
@@ -72,17 +72,18 @@ GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME)
 GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a
 GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h
 
-FRIDA_DIR:=$(PWD)frida/
+FRIDA_DIR:=$(PWD)build/frida-source/
 FRIDA_MAKEFILE:=$(FRIDA_DIR)Makefile
 FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gum-1.0.a
 FRIDA_GUM_DEVKIT_DIR:=$(FRIDA_DIR)build/gum-devkit/
 FRIDA_GUM_DEVKIT_HEADER:=$(FRIDA_GUM_DEVKIT_DIR)frida-gum.h
-FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME)
+FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar
+FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME)
 
 AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c
 AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 
-.PHONY: all clean format
+.PHONY: all clean format $(FRIDA_GUM)
 
 ############################## ALL #############################################
 
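Review bot: Adding `$(FRIDA_GUM)` to `.PHONY` declares a real archive (`libfrida-gum-1.0.a`) as always out of date, so every FRIDA_SOURCE build re-runs the frida sub-make and, through the chain `$(FRIDA_GUM_DEVKIT_HEADER)` -> `$(FRIDA_GUM_DEVKIT_TARBALL)` -> `$(FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL)`, regenerates the devkit and recompresses it on each invocation. If the intent is to delegate incrementality to frida's own Makefile that is defensible, but it deserves a comment, e.g. `# $(FRIDA_GUM) is phony on purpose: frida's own make decides whether libfrida-gum needs rebuilding`. Otherwise drop it from `.PHONY` and let the archive's mtime drive the rebuild as the other file targets do.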
@@ -97,8 +98,8 @@ $(OBJ_DIR): | $(BUILD_DIR)
 
 ############################# FRIDA ############################################
 
-$(FRIDA_MAKEFILE):
-	git submodule update --init --recursive $(FRIDA_DIR)
+$(FRIDA_MAKEFILE): | $(BUILD_DIR)
+	git clone --recursive https://github.com/frida/frida.git $(FRIDA_DIR)
 
 $(FRIDA_GUM): $(FRIDA_MAKEFILE)
 	cd $(FRIDA_DIR) && make gum-linux-$(ARCH)
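Review bot: The new recipe `git clone --recursive https://github.com/frida/frida.git $(FRIDA_DIR)` checks out whatever frida's default branch points at when the build runs, whereas the submodule it replaces pinned a specific commit; a FRIDA_SOURCE build is therefore not reproducible, and anything pushed to that branch (or served by a compromised remote, since nothing here verifies the checkout) is linked straight into afl-frida-trace. Pin the clone to the release the devkit path already names, e.g. `git clone --recursive --branch $(GUM_DEVKIT_VERSION) https://github.com/frida/frida.git $(FRIDA_DIR)` — frida appears to tag releases by version number, so confirm the tag exists before adopting this. `--depth 1` would also shorten the clone if the full history is not needed. Separately, the unchanged `make gum-linux-$(ARCH)` would propagate `-j` and the jobserver if written as `$(MAKE)`.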
@@ -107,7 +108,10 @@ $(FRIDA_GUM_DEVKIT_HEADER): $(FRIDA_GUM)
 	$(FRIDA_DIR)releng/devkit.py frida-gum linux-$(ARCH) $(FRIDA_DIR)build/gum-devkit/
 
 $(FRIDA_GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_HEADER)
-	cd $(FRIDA_GUM_DEVKIT_DIR) && tar cJvf $(FRIDA_GUM_DEVKIT_TARBALL) .
+	cd $(FRIDA_GUM_DEVKIT_DIR) && tar cvf $(FRIDA_GUM_DEVKIT_TARBALL) .
+
+$(FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL): $(FRIDA_GUM_DEVKIT_TARBALL)
+	xz -k -f -0 $(FRIDA_GUM_DEVKIT_TARBALL)
 
 ############################# DEVKIT ###########################################
 
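Review bot: The new rule for `$(FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL)` never writes `$@`; it relies on `xz -k -f -0 $(FRIDA_GUM_DEVKIT_TARBALL)` producing `<tarball>.xz`, which only coincides with the target because `$(GUM_DEVKIT_FILENAME)` happens to be the `.tar` name plus `.xz`, so a change to either variable silently breaks the dependency without make noticing. Name the output explicitly and derive the input from the prerequisite: `xz -0 -c $< > $@` (with `-c` the input is kept, so `-k` and `-f` are no longer needed). Writing to `$@.tmp` and then `mv -f $@.tmp $@` would additionally avoid leaving a truncated but newer `.xz` behind if xz is interrupted.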
@@ -115,7 +119,7 @@ $(FRIDA_BUILD_DIR): | $(BUILD_DIR)
 	mkdir -p $@
 
 ifdef FRIDA_SOURCE
-$(GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_TARBALL)| $(FRIDA_BUILD_DIR)
+$(GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL)| $(FRIDA_BUILD_DIR)
 	cp -v $< $@
 else
 $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR)
diff --git a/frida_mode/README.md b/frida_mode/README.md
index d9634df2..2c6b0316 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -53,8 +53,13 @@ instead we use 'O' in hommage to the [author](https://github.com/oleavr) of
 FRIDA.
 
 Similarly, the intention is to mimic the use of environment variables used by
+<<<<<<< Updated upstream
 QEMU where possible (by replacing `s/QEMU/FRIDA/g`). Accordingly, the
 following options are currently supported:
+=======
+QEMU where possible (although replacing `s/QEMU/FRIDA/g`). Accordingly, the
+following options are currently supported.
+>>>>>>> Stashed changes
 
 * `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS`
 * `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES`
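Review bot: The new lines `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` are unresolved git stash conflict markers committed into the README, and both variants of the paragraph are now rendered one after the other. Keep a single version — the upstream wording ("by replacing `s/QEMU/FRIDA/g`... currently supported:") reads correctly — and delete the three marker lines together with the "Stashed changes" variant.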
diff --git a/frida_mode/frida b/frida_mode/frida
deleted file mode 160000
-Subproject 59457cf83f8411c62988f93da1dfe8b04e22824
diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c
index cdb698d5..9bf09ad5 100644
--- a/frida_mode/src/cmplog/cmplog_x64.c
+++ b/frida_mode/src/cmplog/cmplog_x64.c
@@ -175,6 +175,8 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) {
   guint64 rdi = cmplog_read_reg(context, X86_REG_RDI);
   guint64 rsi = cmplog_read_reg(context, X86_REG_RSI);
 
+  if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return;
+
   void *ptr1 = GSIZE_TO_POINTER(rdi);
   void *ptr2 = GSIZE_TO_POINTER(rsi);
 
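Review bot: The literal `32` in the new guard `if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return;` is presumably the number of bytes the callout goes on to read from each pointer, but nothing ties the two together, so a later change to the read length would silently reopen the address wraparound this prevents. Define it once and use it in both places, e.g. `#define CMPLOG_CALL_READ_LEN 32` near the top of the file, and explain the guard: `/* bail out if ptr + read length would wrap around the address space */`. The body of cmplog_call_callout continues outside the hunk, so confirm the constant matches the reads below.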
@@ -223,18 +225,6 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,
 
 }
 
-static void cmplog_instrument_call_put_callout(GumStalkerIterator *iterator,
-                                               cs_x86_op *         operand) {
-
-  cmplog_ctx_t *ctx = g_malloc(sizeof(cmplog_ctx_t));
-  if (ctx == NULL) return;
-
-  cmplog_instrument_put_operand(ctx, operand);
-
-  gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, ctx, g_free);
-
-}
-
 static void cmplog_instrument_call(const cs_insn *     instr,
                                    GumStalkerIterator *iterator) {
 
@@ -251,7 +241,7 @@ static void cmplog_instrument_call(const cs_insn *     instr,
   if (operand->type == X86_OP_MEM && operand->mem.segment != X86_REG_INVALID)
     return;
 
-  cmplog_instrument_call_put_callout(iterator, operand);
+  gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, NULL, NULL);
 
 }
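Review bot: With `gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, NULL, NULL);` the callout receives no per-site context, so the `user_data` parameter of `cmplog_call_callout` is now dead, and `cmplog_instrument_put_operand` — whose only caller visible here was the deleted `cmplog_instrument_call_put_callout` — becomes an unused `static` function that will warn under `-Wunused-function` if no other caller remains in the file. If that is the case, remove it and any now-unused `cmplog_ctx_t` plumbing in the same commit. A short comment on the new line would also help the next reader: `/* no per-site context: rdi/rsi are read from the CPU state in the callout */`.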
 
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index f201782a..72f956b9 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -392,7 +392,7 @@ typedef struct afl_env_vars {
       *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
       *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
       *afl_testcache_entries, *afl_kill_signal, *afl_target_env,
-      *afl_persistent_record;
+      *afl_persistent_record, *afl_exit_on_time;
 
 } afl_env_vars_t;
 
@@ -575,7 +575,8 @@ typedef struct afl_state {
       last_sync_cycle,                  /* Cycle no. of the last sync       */
       last_path_time,                   /* Time for most recent path (ms)   */
       last_crash_time,                  /* Time for most recent crash (ms)  */
-      last_hang_time;                   /* Time for most recent hang (ms)   */
+      last_hang_time,                   /* Time for most recent hang (ms)   */
+      exit_on_time;                     /* Delay to exit if no new paths    */
 
   u32 slowest_exec_ms,                  /* Slowest testcase non hang in ms  */
       subseq_tmouts;                    /* Number of timeouts in a row      */
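Review bot: The new field's comment `/* Delay to exit if no new paths    */` omits the unit, unlike its neighbours which all say `(ms)`; afl-fuzz.c stores `atoi(...) * 1000` into it and afl-fuzz-stats.c compares it against `cur_ms - last_path_time`, so the value is milliseconds. Suggest `exit_on_time;                     /* Exit if no new path for N ms     */` to keep the column-aligned style. The struct runs past both edges of the hunk.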
@@ -1134,6 +1135,7 @@ void   check_if_tty(afl_state_t *);
 void   setup_signal_handlers(void);
 void   save_cmdline(afl_state_t *, u32, char **);
 void   read_foreign_testcases(afl_state_t *, int);
+void   write_crash_readme(afl_state_t *afl);
 
 /* CmpLog */
 
diff --git a/include/envs.h b/include/envs.h
index cd23ca3f..9175005e 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -49,6 +49,7 @@ static char *afl_environment_variables[] = {
     "AFL_DUMB_FORKSRV",
     "AFL_ENTRYPOINT",
     "AFL_EXIT_WHEN_DONE",
+    "AFL_EXIT_ON_TIME",
     "AFL_EXIT_ON_SEED_ISSUES",
     "AFL_FAST_CAL",
     "AFL_FORCE_UI",
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject ddc4a9748d59857753fb33c30a356f354595f36
+Subproject d73b0336b451fd034e5f469089fb7ee96c80adf
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 3d0228db..97f10e6f 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -397,7 +397,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
 
 /* Write a message accompanying the crash directory :-) */
 
-static void write_crash_readme(afl_state_t *afl) {
+void write_crash_readme(afl_state_t *afl) {
 
   u8    fn[PATH_MAX];
   s32   fd;
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 28d3339a..73ba7a52 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -99,6 +99,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
   afl->cal_cycles = CAL_CYCLES;
   afl->cal_cycles_long = CAL_CYCLES_LONG;
   afl->hang_tmout = EXEC_TIMEOUT;
+  afl->exit_on_time = 0;
   afl->stats_update_freq = 1;
   afl->stats_avg_exec = 0;
   afl->skip_deterministic = 1;
@@ -187,6 +188,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_exit_when_done =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_EXIT_ON_TIME",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_exit_on_time =
+                (u8 *) get_afl_env(afl_environment_variables[i]);
+
           } else if (!strncmp(env, "AFL_NO_AFFINITY",
 
                               afl_environment_variable_len)) {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index fd9af5e4..bccd2f31 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -179,6 +179,8 @@ void load_stats_file(afl_state_t *afl) {
 
   }
 
+  if (afl->unique_crashes) { write_crash_readme(afl); }
+
   return;
 
 }
@@ -574,6 +576,16 @@ void show_stats(afl_state_t *afl) {
 
   }
 
+  /* AFL_EXIT_ON_TIME. */ 
+
+  if (unlikely(afl->last_path_time && !afl->non_instrumented_mode && 
+    afl->afl_env.afl_exit_on_time && 
+    (cur_ms - afl->last_path_time) > afl->exit_on_time)) {
+
+    afl->stop_soon = 2;
+
+  }
+
   if (unlikely(afl->total_crashes && afl->afl_env.afl_bench_until_crash)) {
 
     afl->stop_soon = 2;
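Review bot: The new condition tests the raw environment string `afl->afl_env.afl_exit_on_time` rather than the parsed `afl->exit_on_time`, so `AFL_EXIT_ON_TIME=0`, a non-numeric value or anything else atoi() turns into 0 leaves `exit_on_time` at 0 and the fuzzer stops at the first stats refresh after the first path, because `cur_ms - last_path_time > 0` is almost always true. Test the numeric field instead: `afl->exit_on_time && (cur_ms - afl->last_path_time) > afl->exit_on_time` in place of the `afl_env.afl_exit_on_time` clause. The three new lines also carry trailing whitespace, which the project's clang-format pass would strip. show_stats continues outside the hunk.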
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 8c3ba575..8de3ed6b 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -204,6 +204,7 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_DISABLE_TRIM: disable the trimming of test cases\n"
       "AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
       "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
+      "AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period\n"
       "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n"
       "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
       "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
@@ -1246,6 +1247,13 @@ int main(int argc, char **argv_orig, char **envp) {
 
   }
 
+  if (afl->afl_env.afl_exit_on_time) {
+
+    u64 exit_on_time = atoi(afl->afl_env.afl_exit_on_time);
+    afl->exit_on_time = (u64)exit_on_time * 1000;
+
+  }
+
   if (afl->afl_env.afl_max_det_extras) {
 
     s32 max_det_extras = atoi(afl->afl_env.afl_max_det_extras);
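Review bot: `u64 exit_on_time = atoi(afl->afl_env.afl_exit_on_time);` performs no range check: a negative int sign-extends into a huge u64 before the `* 1000` wraps it again, a non-numeric value is silently accepted as 0, and neither case produces an error. The neighbouring `AFL_MAX_DET_EXTRAS` block parses into an `s32` (and presumably validates it further down, outside the hunk); mirror that here: `s32 exit_on_time = atoi(afl->afl_env.afl_exit_on_time); if (exit_on_time <= 0) { FATAL("Bad value specified for AFL_EXIT_ON_TIME"); } afl->exit_on_time = (u64)exit_on_time * 1000;`. main() continues outside the hunk.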
diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh
index a5d666ff..5d679a82 100755
--- a/test/test-custom-mutators.sh
+++ b/test/test-custom-mutators.sh
@@ -5,7 +5,7 @@
 $ECHO "$BLUE[*] Testing: custom mutator"
 test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && {
   # normalize path
-  CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../utils/custom_mutators;pwd)
+  CUSTOM_MUTATOR_PATH=$(cd $(pwd)/../custom_mutators/examples;pwd)
   test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUSTOM_MUTATOR_PATH}/example.py && {
     unset AFL_CC
     # Compile the vulnerable program for single mutator
diff --git a/test/test-performance.sh b/test/test-performance.sh
index cd9f6caf..d61e2f2a 100755
--- a/test/test-performance.sh
+++ b/test/test-performance.sh
@@ -18,6 +18,7 @@ export AFL_QUIET=1
 export AFL_PATH=`pwd`/..
 
 unset AFL_EXIT_WHEN_DONE
+unset AFL_EXIT_ON_TIME
 unset AFL_SKIP_CPUFREQ
 unset AFL_DEBUG
 unset AFL_HARDEN
diff --git a/test/test-pre.sh b/test/test-pre.sh
index 174f2f7f..7819da47 100755
--- a/test/test-pre.sh
+++ b/test/test-pre.sh
@@ -62,6 +62,7 @@ $ECHO \\101 2>&1 | grep -qE '^A' || {
 test -z "$ECHO" && { printf Error: printf command does not support octal character codes ; exit 1 ; }
 
 export AFL_EXIT_WHEN_DONE=1
+export AFL_EXIT_ON_TIME=60
 export AFL_SKIP_CPUFREQ=1
 export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
 unset AFL_NO_X86