diff options
35 files changed, 2909 insertions, 1265 deletions
| diff --git a/.clang-format b/.clang-format index dcf2a476..fd5d9a41 100644 --- a/.clang-format +++ b/.clang-format @@ -10,7 +10,7 @@ AlignOperands: true AlignTrailingComments: true AllowAllParametersOfDeclarationOnNextLine: true AllowShortBlocksOnASingleLine: true -AllowShortCaseLabelsOnASingleLine: true +AllowShortCaseLabelsOnASingleLine: false AllowShortFunctionsOnASingleLine: false AllowShortIfStatementsOnASingleLine: true AllowShortLoopsOnASingleLine: false diff --git a/examples/qemu_persistent_hook/test.c b/examples/qemu_persistent_hook/test.c index f6672027..afeff202 100644 --- a/examples/qemu_persistent_hook/test.c +++ b/examples/qemu_persistent_hook/test.c @@ -16,7 +16,8 @@ int target_func(unsigned char *buf, int size) { } break; - default: break; + default: + break; } diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 87e6dcff..6c349ea7 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -956,7 +956,7 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) { static inline u32 get_rand_seed(afl_state_t *afl) { - if (unlikely(afl->fixed_seed)) return (u32)afl->init_seed; + if (unlikely(afl->fixed_seed)) { return (u32)afl->init_seed; } return afl->rand_seed[0]; } @@ -967,8 +967,12 @@ static inline u32 get_rand_seed(afl_state_t *afl) { static inline u64 next_p2(u64 val) { u64 ret = 1; - while (val > ret) + while (val > ret) { + ret <<= 1; + + } + return ret; } diff --git a/include/alloc-inl.h b/include/alloc-inl.h index d16e84bb..e5547fe0 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -87,7 +87,7 @@ static inline void *DFL_ck_alloc_nozero(u32 size) { void *ret; - if (!size) return NULL; + if (!size) { return NULL; } ALLOC_CHECK_SIZE(size); ret = malloc(size); @@ -103,7 +103,7 @@ static inline void *DFL_ck_alloc(u32 size) { void *mem; - if (!size) return NULL; + if (!size) { return NULL; } mem = DFL_ck_alloc_nozero(size); return memset(mem, 0, size); @@ -115,7 +115,7 @@ static inline void *DFL_ck_alloc(u32 size) { static inline void DFL_ck_free(void *mem) { - if (!mem) return; + if (!mem) { return; } free(mem); @@ -165,7 +165,7 @@ static inline u8 *DFL_ck_strdup(u8 *str) { u8 *ret; u32 size; - if (!str) return NULL; + if (!str) { return NULL; } size = strlen((char *)str) + 1; @@ -184,7 +184,7 @@ static inline void *DFL_ck_memdup(void *mem, u32 size) { void *ret; - if (!mem || !size) return NULL; + if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); ret = malloc(size); @@ -201,7 +201,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { u8 *ret; - if (!mem || !size) return NULL; + if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); ret = malloc(size + 1); @@ -772,8 +772,12 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func, */ static inline size_t next_pow2(size_t in) { - if (in == 0 || in > (size_t)-1) + if (in == 0 || in > (size_t)-1) { + return 0; /* avoid undefined behaviour under-/overflow */ + + } + size_t out = in - 1; out |= out >> 1; out |= out >> 2; @@ -794,10 +798,10 @@ static inline size_t next_pow2(size_t in) { static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) { /* No need to realloc */ - if (likely(size_needed && *size >= size_needed)) return *buf; + if (likely(size_needed && *size >= size_needed)) { return *buf; } /* No initial size was set */ - if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE; + if (size_needed < INITIAL_GROWTH_SIZE) { size_needed = INITIAL_GROWTH_SIZE; } /* grow exponentially */ size_t next_size = next_pow2(size_needed); @@ -824,13 +828,13 @@ static inline void *ck_maybe_grow(void **buf, size_t *size, size_t size_needed) { /* Oops. found a bug? */ - if (unlikely(size_needed < 1)) FATAL("cannot grow to non-positive size"); + if (unlikely(size_needed < 1)) { FATAL("cannot grow to non-positive size"); } /* No need to realloc */ - if (likely(*size >= size_needed)) return *buf; + if (likely(*size >= size_needed)) { return *buf; } /* No initial size was set */ - if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE; + if (size_needed < INITIAL_GROWTH_SIZE) { size_needed = INITIAL_GROWTH_SIZE; } /* grow exponentially */ size_t next_size = next_pow2(size_needed); diff --git a/include/android-ashmem.h b/include/android-ashmem.h index 6fdcb1ba..5d99dd48 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h @@ -109,3 +109,5 @@ static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { #endif +#endif + diff --git a/include/forkserver.h b/include/forkserver.h index 18a287ad..f07c5104 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -30,6 +30,7 @@ #include <stdio.h> #include <stdbool.h> +#include "types.h" #include "types.h" typedef struct afl_forkserver { diff --git a/include/list.h b/include/list.h index bb985c4f..88cbe062 100644 --- a/include/list.h +++ b/include/list.h @@ -83,7 +83,7 @@ static inline void list_append(list_t *list, void *el) { element_t *el_box = NULL; PRE_ALLOC(el_box, list->element_prealloc_buf, LIST_PREALLOC_SIZE, list->element_prealloc_count); - if (!el_box) FATAL("failed to allocate list element"); + if (!el_box) { FATAL("failed to allocate list element"); } el_box->data = el; el_box->next = head; el_box->prev = head->prev; diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 758af9c0..1588239c 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -274,7 +274,8 @@ static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) { pos += 4; break; - default: buf[pos++] = ptr[i]; + default: + buf[pos++] = ptr[i]; } diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index dc72a3e4..b0ab475d 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -360,11 +360,20 @@ bool CmpLogInstructions::hookInstrs(Module &M) { switch (max_size) { - case 8: IRB.CreateCall(cmplogHookIns1, args, "tmp"); break; - case 16: IRB.CreateCall(cmplogHookIns2, args, "tmp"); break; - case 32: IRB.CreateCall(cmplogHookIns4, args, "tmp"); break; - case 64: IRB.CreateCall(cmplogHookIns8, args, "tmp"); break; - default: break; + case 8: + IRB.CreateCall(cmplogHookIns1, args, "tmp"); + break; + case 16: + IRB.CreateCall(cmplogHookIns2, args, "tmp"); + break; + case 32: + IRB.CreateCall(cmplogHookIns4, args, "tmp"); + break; + case 64: + IRB.CreateCall(cmplogHookIns8, args, "tmp"); + break; + default: + break; } diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index f0615f85..7c657ebf 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -318,10 +318,18 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { CmpInst::Predicate new_pred; switch (pred) { - case CmpInst::ICMP_UGE: new_pred = CmpInst::ICMP_UGT; break; - case CmpInst::ICMP_SGE: new_pred = CmpInst::ICMP_SGT; break; - case CmpInst::ICMP_ULE: new_pred = CmpInst::ICMP_ULT; break; - case CmpInst::ICMP_SLE: new_pred = CmpInst::ICMP_SLT; break; + case CmpInst::ICMP_UGE: + new_pred = CmpInst::ICMP_UGT; + break; + case CmpInst::ICMP_SGE: + new_pred = CmpInst::ICMP_SGT; + break; + case CmpInst::ICMP_ULE: + new_pred = CmpInst::ICMP_ULT; + break; + case CmpInst::ICMP_SLE: + new_pred = CmpInst::ICMP_SLT; + break; default: // keep the compiler happy continue; @@ -384,10 +392,18 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { CmpInst::Predicate new_pred; switch (pred) { - case CmpInst::FCMP_UGE: new_pred = CmpInst::FCMP_UGT; break; - case CmpInst::FCMP_OGE: new_pred = CmpInst::FCMP_OGT; break; - case CmpInst::FCMP_ULE: new_pred = CmpInst::FCMP_ULT; break; - case CmpInst::FCMP_OLE: new_pred = CmpInst::FCMP_OLT; break; + case CmpInst::FCMP_UGE: + new_pred = CmpInst::FCMP_UGT; + break; + case CmpInst::FCMP_OGE: + new_pred = CmpInst::FCMP_OGT; + break; + case CmpInst::FCMP_ULE: + new_pred = CmpInst::FCMP_ULT; + break; + case CmpInst::FCMP_OLE: + new_pred = CmpInst::FCMP_OLT; + break; default: // keep the compiler happy continue; @@ -855,7 +871,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { icmp_exponent_result = BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0); break; - default: continue; + default: + continue; } @@ -958,7 +975,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { icmp_fraction_result = BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0); break; - default: continue; + default: + continue; } @@ -1004,7 +1022,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { PN->addIncoming(icmp_exponent_result, signequal_bb); PN->addIncoming(icmp_fraction_result, middle_bb); break; - default: continue; + default: + continue; } diff --git a/qbdi_mode/demo-so.c b/qbdi_mode/demo-so.c index dbb7b714..dd367036 100755 --- a/qbdi_mode/demo-so.c +++ b/qbdi_mode/demo-so.c @@ -29,7 +29,9 @@ int target_func(char *buf, int size) { } break; - default: puts("default action"); break; + default: + puts("default action"); + break; } diff --git a/qemu_mode/libcompcov/compcovtest.cc b/qemu_mode/libcompcov/compcovtest.cc index faea75e5..d70bba91 100644 --- a/qemu_mode/libcompcov/compcovtest.cc +++ b/qemu_mode/libcompcov/compcovtest.cc @@ -51,9 +51,11 @@ int main() { switch (z) { - case 0xBEEF: break; + case 0xBEEF: + break; - default: return 4; + default: + return 4; } diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 1abec477..014471ca 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -55,11 +55,20 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, switch (ot & MO_SIZE) { - case MO_64: gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2); break; - case MO_32: gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2); break; - case MO_16: gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2); break; - case MO_8: gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2); break; - default: break; + case MO_64: + gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2); + break; + case MO_32: + gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2); + break; + case MO_16: + gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2); + break; + case MO_8: + gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2); + break; + default: + break; } @@ -78,10 +87,17 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, switch (ot & MO_SIZE) { - case MO_64: gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2); break; - case MO_32: gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2); break; - case MO_16: gen_helper_afl_compcov_16(cur_loc_v, arg1, arg2); break; - default: break; + case MO_64: + gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2); + break; + case MO_32: + gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2); + break; + case MO_16: + gen_helper_afl_compcov_16(cur_loc_v, arg1, arg2); + break; + default: + break; } diff --git a/src/afl-analyze.c b/src/afl-analyze.c index b2c0f841..8f48b1d0 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -122,7 +122,7 @@ static void classify_counts(u8 *mem) { while (i--) { - if (*mem) *mem = 1; + if (*mem) { *mem = 1; } mem++; } @@ -147,8 +147,11 @@ static inline u8 anything_set(void) { u32 *ptr = (u32 *)trace_bits; u32 i = (map_size >> 2); - while (i--) - if (*(ptr++)) return 1; + while (i--) { + + if (*(ptr++)) { return 1; } + + } return 0; @@ -169,13 +172,16 @@ static void read_initial_file(void) { struct stat st; s32 fd = open(in_file, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", in_file); + if (fd < 0) { PFATAL("Unable to open '%s'", in_file); } + + if (fstat(fd, &st) || !st.st_size) { FATAL("Zero-sized input file."); } - if (fstat(fd, &st) || !st.st_size) FATAL("Zero-sized input file."); + if (st.st_size >= TMIN_MAX_FILE) { - if (st.st_size >= TMIN_MAX_FILE) FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + } + in_len = st.st_size; in_data = ck_alloc_nozero(in_len); @@ -197,7 +203,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); - if (ret < 0) PFATAL("Unable to create '%s'", path); + if (ret < 0) { PFATAL("Unable to create '%s'", path); } ck_write(ret, mem, len, path); @@ -225,7 +231,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { child_pid = fork(); - if (child_pid < 0) PFATAL("fork() failed"); + if (child_pid < 0) { PFATAL("fork() failed"); } if (!child_pid) { @@ -278,7 +284,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { setitimer(ITIMER_REAL, &it, NULL); - if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); + if (waitpid(child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); } child_pid = 0; it.it_value.tv_sec = 0; @@ -290,9 +296,12 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { /* Clean up bitmap, analyze exit condition, etc. */ - if (*(u32 *)trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)trace_bits == EXEC_FAIL_SIG) { + FATAL("Unable to execute '%s'", argv[0]); + } + classify_counts(trace_bits); total_execs++; @@ -325,7 +334,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { } - if (first_run) orig_cksum = cksum; + if (first_run) { orig_cksum = cksum; } return cksum; @@ -340,9 +349,12 @@ static void show_char(u8 val) { switch (val) { case 0 ... 32: - case 127 ... 255: SAYF("#%02x", val); break; + case 127 ... 255: + SAYF("#%02x", val); + break; - default: SAYF(" %c ", val); + default: + SAYF(" %c ", val); } @@ -387,7 +399,12 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) { while (i + rlen < len && (b_data[i] >> 7) == (b_data[i + rlen] >> 7)) { - if (rtype < (b_data[i + rlen] & 0x0f)) rtype = b_data[i + rlen] & 0x0f; + if (rtype < (b_data[i + rlen] & 0x0f)) { + + rtype = b_data[i + rlen] & 0x0f; + + } + rlen++; } @@ -454,9 +471,11 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) { case 1: case 3: - case 5 ... MAX_AUTO_EXTRA - 1: break; + case 5 ... MAX_AUTO_EXTRA - 1: + break; - default: rtype = RESP_SUSPECT; + default: + rtype = RESP_SUSPECT; } @@ -472,34 +491,58 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) { if (!((i + off) % 16)) { - if (off) SAYF(cRST cLCY ">"); + if (off) { SAYF(cRST cLCY ">"); } + + if (use_hex_offsets) { - if (use_hex_offsets) SAYF(cRST cGRA "%s[%06x] " cRST, (i + off) ? "\n" : "", i + off); - else + + } else { + SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off); + } + } switch (rtype) { - case RESP_NONE: SAYF(cLGR bgGRA); break; - case RESP_MINOR: SAYF(cBRI bgGRA); break; - case RESP_VARIABLE: SAYF(cBLK bgCYA); break; - case RESP_FIXED: SAYF(cBLK bgMGN); break; - case RESP_LEN: SAYF(cBLK bgLGN); break; - case RESP_CKSUM: SAYF(cBLK bgYEL); break; - case RESP_SUSPECT: SAYF(cBLK bgLRD); break; + case RESP_NONE: + SAYF(cLGR bgGRA); + break; + case RESP_MINOR: + SAYF(cBRI bgGRA); + break; + case RESP_VARIABLE: + SAYF(cBLK bgCYA); + break; + case RESP_FIXED: + SAYF(cBLK bgMGN); + break; + case RESP_LEN: + SAYF(cBLK bgLGN); + break; + case RESP_CKSUM: + SAYF(cBLK bgYEL); + break; + case RESP_SUSPECT: + SAYF(cBLK bgLRD); + break; } show_char(in_data[i + off]); - if (off != rlen - 1 && (i + off + 1) % 16) + if (off != rlen - 1 && (i + off + 1) % 16) { + SAYF(" "); - else + + } else { + SAYF(cRST " "); + } + } #else @@ -511,13 +554,27 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) { switch (rtype) { - case RESP_NONE: SAYF("no-op block\n"); break; - case RESP_MINOR: SAYF("superficial content\n"); break; - case RESP_VARIABLE: SAYF("critical stream\n"); break; - case RESP_FIXED: SAYF("\"magic value\" section\n"); break; - case RESP_LEN: SAYF("suspected length field\n"); break; - case RESP_CKSUM: SAYF("suspected cksum or magic int\n"); break; - case RESP_SUSPECT: SAYF("suspected checksummed block\n"); break; + case RESP_NONE: + SAYF("no-op block\n"); + break; + case RESP_MINOR: + SAYF("superficial content\n"); + break; + case RESP_VARIABLE: + SAYF("critical stream\n"); + break; + case RESP_FIXED: + SAYF("\"magic value\" section\n"); + break; + case RESP_LEN: + SAYF("suspected length field\n"); + break; + case RESP_CKSUM: + SAYF("suspected cksum or magic int\n"); + break; + case RESP_SUSPECT: + SAYF("suspected checksummed block\n"); + break; } @@ -594,16 +651,21 @@ static void analyze(char **argv) { b_data[i] = RESP_FIXED; - } else + } else { b_data[i] = RESP_VARIABLE; + } + /* When all checksums change, flip most significant bit of b_data. */ if (prev_xff != xor_ff && prev_x01 != xor_01 && prev_s10 != sub_10 && - prev_a10 != add_10) + prev_a10 != add_10) { + seq_byte ^= 0x80; + } + b_data[i] |= seq_byte; prev_xff = xor_ff; @@ -620,10 +682,13 @@ static void analyze(char **argv) { OKF("Analysis complete. Interesting bits: %0.02f%% of the input file.", 100.0 - ((double)boring_len * 100) / in_len); - if (exec_hangs) + if (exec_hangs) { + WARNF(cLRD "Encountered %u timeouts - results may be skewed." cRST, exec_hangs); + } + ck_free(b_data); } @@ -634,7 +699,7 @@ static void handle_stop_sig(int sig) { stop_soon = 1; - if (child_pid > 0) kill(child_pid, SIGKILL); + if (child_pid > 0) { kill(child_pid, SIGKILL); } } @@ -645,7 +710,7 @@ static void set_up_environment(void) { u8 *x; dev_null_fd = open("/dev/null", O_RDWR); - if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + if (dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } if (!prog_in) { @@ -654,7 +719,7 @@ static void set_up_environment(void) { if (access(use_dir, R_OK | W_OK | X_OK)) { use_dir = get_afl_env("TMPDIR"); - if (!use_dir) use_dir = "/tmp"; + if (!use_dir) { use_dir = "/tmp"; } } @@ -668,25 +733,37 @@ static void set_up_environment(void) { if (x) { - if (!strstr(x, "abort_on_error=1")) + if (!strstr(x, "abort_on_error=1")) { + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - if (!strstr(x, "symbolize=0")) + } + + if (!strstr(x, "symbolize=0")) { + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + } + } x = get_afl_env("MSAN_OPTIONS"); if (x) { - if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) { + FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY( MSAN_ERROR) " - please fix!"); - if (!strstr(x, "symbolize=0")) + } + + if (!strstr(x, "symbolize=0")) { + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + } + } setenv("ASAN_OPTIONS", @@ -713,20 +790,28 @@ static void set_up_environment(void) { s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { - if (afl_preload[i] == ',') + if (afl_preload[i] == ',') { + PFATAL( "Comma (',') is not allowed in AFL_PRELOAD when -Q is " "specified!"); + } + } - if (qemu_preload) + if (qemu_preload) { + buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload); - else + + } else { + buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload); + } + setenv("QEMU_SET_ENV", buf, 1); ck_free(buf); @@ -820,26 +905,26 @@ int main(int argc, char **argv, char **envp) { SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n"); - while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0) + while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0) { switch (opt) { case 'i': - if (in_file) FATAL("Multiple -i options not supported"); + if (in_file) { FATAL("Multiple -i options not supported"); } in_file = optarg; break; case 'f': - if (prog_in) FATAL("Multiple -f options not supported"); + if (prog_in) { FATAL("Multiple -f options not supported"); } use_stdin = 0; prog_in = optarg; break; case 'e': - if (edges_only) FATAL("Multiple -e options not supported"); + if (edges_only) { FATAL("Multiple -e options not supported"); } edges_only = 1; break; @@ -847,7 +932,7 @@ int main(int argc, char **argv, char **envp) { u8 suffix = 'M'; - if (mem_limit_given) FATAL("Multiple -m options not supported"); + if (mem_limit_given) { FATAL("Multiple -m options not supported"); } mem_limit_given = 1; if (!optarg) { FATAL("Wrong usage of -m"); } @@ -860,66 +945,83 @@ int main(int argc, char **argv, char **envp) { } if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') + optarg[0] == '-') { + FATAL("Bad syntax used for -m"); + } + switch (suffix) { - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; + case 'T': + mem_limit *= 1024 * 1024; + break; + case 'G': + mem_limit *= 1024; + break; + case 'k': + mem_limit /= 1024; + break; + case 'M': + break; - default: FATAL("Unsupported suffix or bad syntax for -m"); + default: + FATAL("Unsupported suffix or bad syntax for -m"); } - if (mem_limit < 5) FATAL("Dangerously low value of -m"); + if (mem_limit < 5) { FATAL("Dangerously low value of -m"); } + + if (sizeof(rlim_t) == 4 && mem_limit > 2000) { - if (sizeof(rlim_t) == 4 && mem_limit > 2000) FATAL("Value of -m out of range on 32-bit systems"); + } + } break; case 't': - if (timeout_given) FATAL("Multiple -t options not supported"); + if (timeout_given) { FATAL("Multiple -t options not supported"); } timeout_given = 1; - if (!optarg) FATAL("Wrong usage of -t"); + if (!optarg) { FATAL("Wrong usage of -t"); } exec_tmout = atoi(optarg); - if (exec_tmout < 10 || optarg[0] == '-') + if (exec_tmout < 10 || optarg[0] == '-') { + FATAL("Dangerously low value of -t"); + } + break; case 'Q': - if (qemu_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + if (qemu_mode) { FATAL("Multiple -Q options not supported"); } + if (!mem_limit_given) { mem_limit = MEM_LIMIT_QEMU; } qemu_mode = 1; break; case 'U': - if (unicorn_mode) FATAL("Multiple -U options not supported"); - if (!mem_limit_given) mem_limit = MEM_LIMIT_UNICORN; + if (unicorn_mode) { FATAL("Multiple -U options not supported"); } + if (!mem_limit_given) { mem_limit = MEM_LIMIT_UNICORN; } unicorn_mode = 1; break; case 'W': /* Wine+QEMU mode */ - if (use_wine) FATAL("Multiple -W options not supported"); + if (use_wine) { FATAL("Multiple -W options not supported"); } qemu_mode = 1; use_wine = 1; - if (!mem_limit_given) mem_limit = 0; + if (!mem_limit_given) { mem_limit = 0; } break; @@ -928,11 +1030,14 @@ int main(int argc, char **argv, char **envp) { return -1; break; - default: usage(argv[0]); + default: + usage(argv[0]); } - if (optind == argc || !in_file) usage(argv[0]); + } + + if (optind == argc || !in_file) { usage(argv[0]); } map_size = get_map_size(); @@ -952,17 +1057,24 @@ int main(int argc, char **argv, char **envp) { if (qemu_mode) { - if (use_wine) + if (use_wine) { + use_argv = get_wine_argv(argv[0], &target_path, argc - optind, argv + optind); - else + + } else { + use_argv = get_qemu_argv(argv[0], &target_path, argc - optind, argv + optind); - } else + } + + } else { use_argv = argv + optind; + } + SAYF("\n"); read_initial_file(); @@ -972,17 +1084,23 @@ int main(int argc, char **argv, char **envp) { analyze_run_target(use_argv, in_data, in_len, 1); - if (child_timed_out) + if (child_timed_out) { + FATAL("Target binary times out (adjusting -t may help)."); - if (get_afl_env("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) + } + + if (get_afl_env("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) { + FATAL("No instrumentation detected."); + } + analyze(use_argv); OKF("We're done here. Have a nice day!\n"); - if (target_path) ck_free(target_path); + if (target_path) { ck_free(target_path); } afl_shm_deinit(&shm); diff --git a/src/afl-as.c b/src/afl-as.c index d0b61ac1..486a6afa 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -126,9 +126,9 @@ static void edit_params(int argc, char **argv) { is not set. We need to check these non-standard variables to properly handle the pass_thru logic later on. */ - if (!tmp_dir) tmp_dir = getenv("TEMP"); - if (!tmp_dir) tmp_dir = getenv("TMP"); - if (!tmp_dir) tmp_dir = "/tmp"; + if (!tmp_dir) { tmp_dir = getenv("TEMP"); } + if (!tmp_dir) { tmp_dir = getenv("TMP"); } + if (!tmp_dir) { tmp_dir = "/tmp"; } as_params = ck_alloc((argc + 32) * sizeof(u8 *)); @@ -138,11 +138,16 @@ static void edit_params(int argc, char **argv) { for (i = 1; i < argc - 1; i++) { - if (!strcmp(argv[i], "--64")) + if (!strcmp(argv[i], "--64")) { + use_64bit = 1; - else if (!strcmp(argv[i], "--32")) + + } else if (!strcmp(argv[i], "--32")) { + use_64bit = 0; + } + #ifdef __APPLE__ /* The Apple case is a bit different... */ @@ -195,11 +200,16 @@ static void edit_params(int argc, char **argv) { } - if (input_file[1]) + if (input_file[1]) { + FATAL("Incorrect use (not called through afl-gcc?)"); - else + + } else { + input_file = NULL; + } + } else { /* Check if this looks like a standard invocation as a part of an attempt @@ -210,11 +220,16 @@ static void edit_params(int argc, char **argv) { if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) && strncmp(input_file, "/var/tmp/", 9) && strncmp(input_file, "/tmp/", 5) && - getenv("AFL_AS_FORCE_INSTRUMENT") == NULL) + getenv("AFL_AS_FORCE_INSTRUMENT") == NULL) { + pass_thru = 1; - else if (getenv("AFL_AS_FORCE_INSTRUMENT")) + + } else if (getenv("AFL_AS_FORCE_INSTRUMENT")) { + unsetenv("AFL_AS_FORCE_INSTRUMENT"); + } + } modified_file = @@ -251,19 +266,21 @@ static void add_instrumentation(void) { if (input_file) { inf = fopen(input_file, "r"); - if (!inf) PFATAL("Unable to read '%s'", input_file); + if (!inf) { PFATAL("Unable to read '%s'", input_file); } - } else + } else { inf = stdin; + } + outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600); - if (outfd < 0) PFATAL("Unable to write to '%s'", modified_file); + if (outfd < 0) { PFATAL("Unable to write to '%s'", modified_file); } outf = fdopen(outfd, "w"); - if (!outf) PFATAL("fdopen() failed"); + if (!outf) { PFATAL("fdopen() failed"); } while (fgets(line, MAX_LINE, inf)) { @@ -287,7 +304,7 @@ static void add_instrumentation(void) { fputs(line, outf); - if (pass_thru) continue; + if (pass_thru) { continue; } /* All right, this is where the actual fun begins. For one, we only want to instrument the .text section. So, let's keep track of that in processed @@ -300,9 +317,12 @@ static void add_instrumentation(void) { around them, so we use that as a signal. */ if (!clang_mode && instr_ok && !strncmp(line + 2, "p2align ", 8) && - isdigit(line[10]) && line[11] == '\n') + isdigit(line[10]) && line[11] == '\n') { + skip_next_label = 1; + } + if (!strncmp(line + 2, "text\n", 5) || !strncmp(line + 2, "section\t.text", 13) || !strncmp(line + 2, "section\t__TEXT,__text", 21) || @@ -330,23 +350,23 @@ static void add_instrumentation(void) { if (strstr(line, ".code")) { - if (strstr(line, ".code32")) skip_csect = use_64bit; - if (strstr(line, ".code64")) skip_csect = !use_64bit; + if (strstr(line, ".code32")) { skip_csect = use_64bit; } + if (strstr(line, ".code64")) { skip_csect = !use_64bit; } } /* Detect syntax changes, as could happen with hand-written assembly. Skip Intel blocks, resume instrumentation when back to AT&T. */ - if (strstr(line, ".intel_syntax")) skip_intel = 1; - if (strstr(line, ".att_syntax")) skip_intel = 0; + if (strstr(line, ".intel_syntax")) { skip_intel = 1; } + if (strstr(line, ".att_syntax")) { skip_intel = 0; } /* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */ if (line[0] == '#' || line[1] == '#') { - if (strstr(line, "#APP")) skip_app = 1; - if (strstr(line, "#NO_APP")) skip_app = 0; + if (strstr(line, "#APP")) { skip_app = 1; } + if (strstr(line, "#NO_APP")) { skip_app = 0; } } @@ -375,9 +395,12 @@ static void add_instrumentation(void) { */ if (skip_intel || skip_app || skip_csect || !instr_ok || line[0] == '#' || - line[0] == ' ') + line[0] == ' ') { + continue; + } + /* Conditional branch instruction (jnz, etc). We append the instrumentation right after the branch (to instrument the not-taken path) and at the branch destination label (handled later on). */ @@ -449,11 +472,16 @@ static void add_instrumentation(void) { .Lfunc_begin0-style exception handling calculations (a problem on MacOS X). */ - if (!skip_next_label) + if (!skip_next_label) { + instrument_next = 1; - else + + } else { + skip_next_label = 0; + } + } } else { @@ -468,17 +496,19 @@ static void add_instrumentation(void) { } - if (ins_lines) fputs(use_64bit ? main_payload_64 : main_payload_32, outf); + if (ins_lines) { fputs(use_64bit ? main_payload_64 : main_payload_32, outf); } - if (input_file) fclose(inf); + if (input_file) { fclose(inf); } fclose(outf); if (!be_quiet) { - if (!ins_lines) + if (!ins_lines) { + WARNF("No instrumentation targets found%s.", pass_thru ? " (pass-thru mode)" : ""); - else { + + } else { char modeline[100]; snprintf(modeline, sizeof(modeline), "%s%s%s%s", @@ -514,10 +544,12 @@ int main(int argc, char **argv) { SAYF(cCYA "afl-as" VERSION cRST " by Michal Zalewski\n"); - } else + } else { be_quiet = 1; + } + if (argc < 2 || (argc == 2 && strcmp(argv[1], "-h") == 0)) { fprintf( @@ -565,14 +597,20 @@ int main(int argc, char **argv) { if (inst_ratio_str) { - if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100) + if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100) { + FATAL("Bad value of AFL_INST_RATIO (must be between 0 and 100)"); + } + } - if (getenv(AS_LOOP_ENV_VAR)) + if (getenv(AS_LOOP_ENV_VAR)) { + FATAL("Endless loop when calling 'as' (remove '.' from your PATH)"); + } + setenv(AS_LOOP_ENV_VAR, "1", 1); /* When compiling with ASAN, we don't have a particularly elegant way to skip @@ -582,11 +620,11 @@ int main(int argc, char **argv) { if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) { sanitizer = 1; - if (!getenv("AFL_INST_RATIO")) inst_ratio /= 3; + if (!getenv("AFL_INST_RATIO")) { inst_ratio /= 3; } } - if (!just_version) add_instrumentation(); + if (!just_version) { add_instrumentation(); } if (!(pid = fork())) { @@ -595,11 +633,11 @@ int main(int argc, char **argv) { } - if (pid < 0) PFATAL("fork() failed"); + if (pid < 0) { PFATAL("fork() failed"); } - if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed"); + if (waitpid(pid, &status, 0) <= 0) { PFATAL("waitpid() failed"); } - if (!getenv("AFL_KEEP_ASSEMBLY")) unlink(modified_file); + if (!getenv("AFL_KEEP_ASSEMBLY")) { unlink(modified_file); } exit(WEXITSTATUS(status)); diff --git a/src/afl-common.c b/src/afl-common.c index 6ef7a195..1dae8509 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -101,7 +101,7 @@ void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) { if (aa_loc) { - if (!prog_in) FATAL("@@ syntax is not supported by this tool."); + if (!prog_in) { FATAL("@@ syntax is not supported by this tool."); } *use_stdin = 0; @@ -198,7 +198,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { cp = alloc_printf("%s/afl-qemu-trace", tmp); - if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp); + if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); } *target_path_p = new_argv[0] = cp; return new_argv; @@ -230,7 +230,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { - if (cp) ck_free(cp); + if (cp) { ck_free(cp); } *target_path_p = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); return new_argv; @@ -277,13 +277,13 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { cp = alloc_printf("%s/afl-qemu-trace", tmp); - if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp); + if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); } ck_free(cp); cp = alloc_printf("%s/afl-wine-trace", tmp); - if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp); + if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); } *target_path_p = new_argv[0] = cp; return new_argv; @@ -416,15 +416,22 @@ u8 *find_binary(u8 *fname) { ck_free(cur_elem); if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) + (st.st_mode & 0111) && st.st_size >= 4) { + break; + } + ck_free(target_path); target_path = NULL; } - if (!target_path) FATAL("Program '%s' not found or not executable", fname); + if (!target_path) { + + FATAL("Program '%s' not found or not executable", fname); + + } } @@ -434,7 +441,7 @@ u8 *find_binary(u8 *fname) { void check_environment_vars(char **envp) { - if (be_quiet) return; + if (be_quiet) { return; } int index = 0, found = 0; char *env, *val; @@ -448,24 +455,30 @@ void check_environment_vars(char **envp) { } else if (strncmp(env, "AFL_", 4) == 0) { int i = 0, match = 0; - while (match == 0 && afl_environment_variables[i] != NULL) + while (match == 0 && afl_environment_variables[i] != NULL) { + if (strncmp(env, afl_environment_variables[i], strlen(afl_environment_variables[i])) == 0 && env[strlen(afl_environment_variables[i])] == '=') { match = 1; - if ((val = getenv(afl_environment_variables[i])) && !*val) + if ((val = getenv(afl_environment_variables[i])) && !*val) { + WARNF( "AFL environment variable %s defined but is empty, this can " "lead to unexpected consequences", afl_environment_variables[i]); + } + } else { i++; } + } + if (match == 0) { WARNF("Mistyped AFL environment variable: %s", env); @@ -477,7 +490,7 @@ void check_environment_vars(char **envp) { } - if (found) sleep(2); + if (found) { sleep(2); } } @@ -485,10 +498,16 @@ char *get_afl_env(char *env) { char *val; - if ((val = getenv(env)) != NULL) - if (!be_quiet) + if ((val = getenv(env)) != NULL) { + + if (!be_quiet) { + OKF("Loaded environment variable %s with value %s", env, val); + } + + } + return val; } @@ -499,7 +518,7 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) { s32 fd = open(fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", fname); + if (fd < 0) { PFATAL("Unable to open '%s'", fname); } ck_read(fd, map, len, fname); @@ -906,9 +925,13 @@ u32 get_map_size() { if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { map_size = atoi(ptr); - if (map_size < 8 || map_size > (1 << 29)) + if (map_size < 8 || map_size > (1 << 29)) { + FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); - if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + + } + + if (map_size % 8) { map_size = (((map_size >> 3) + 1) << 3); } } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 9b915a7a..0c795f9c 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -128,12 +128,16 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { unsigned char tmp[4] = {0, 0, 0, 0}; pid_t child_pid = -1; - if (!be_quiet) ACTF("Using Fauxserver:"); + if (!be_quiet) { ACTF("Using Fauxserver:"); } /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ - if (write(FORKSRV_FD + 1, tmp, 4) != 4) abort(); // TODO: Abort? + if (write(FORKSRV_FD + 1, tmp, 4) != 4) { + + abort(); // TODO: Abort? + + } void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL); @@ -144,13 +148,13 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { /* Wait for parent by reading from the pipe. Exit if read fails. */ - if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(0); + if (read(FORKSRV_FD, &was_killed, 4) != 4) { exit(0); } /* Create a clone of our process. */ child_pid = fork(); - if (child_pid < 0) PFATAL("Fork failed"); + if (child_pid < 0) { PFATAL("Fork failed"); } /* In child process: close fds, resume execution. */ @@ -177,7 +181,7 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { /* In parent process: write PID to AFL. */ - if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(0); + if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) { exit(0); } /* after child exited, get and relay exit status to parent through waitpid. */ @@ -191,7 +195,7 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { /* Relay wait status to AFL pipe, then loop back. */ - if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(0); + if (write(FORKSRV_FD + 1, &status, 4) != 4) { exit(0); } } @@ -212,25 +216,28 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, int status; s32 rlen; - if (!be_quiet) ACTF("Spinning up the fork server..."); + if (!be_quiet) { ACTF("Spinning up the fork server..."); } if (fsrv->use_fauxsrv) { /* TODO: Come up with sone nice way to initalize this all */ - if (fsrv->init_child_func != fsrv_exec_child) + if (fsrv->init_child_func != fsrv_exec_child) { + FATAL("Different forkserver not compatible with fauxserver"); + } + fsrv->init_child_func = afl_fauxsrv_execv; } - if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); + if (pipe(st_pipe) || pipe(ctl_pipe)) { PFATAL("pipe() failed"); } fsrv->last_run_timed_out = 0; fsrv->fsrv_pid = fork(); - if (fsrv->fsrv_pid < 0) PFATAL("fork() failed"); + if (fsrv->fsrv_pid < 0) { PFATAL("fork() failed"); } if (!fsrv->fsrv_pid) { @@ -295,8 +302,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* Set up control and status pipes, close the unneeded original fds. */ - if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); - if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); + if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) { PFATAL("dup2() failed"); } + if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) { PFATAL("dup2() failed"); } close(ctl_pipe[0]); close(ctl_pipe[1]); @@ -308,12 +315,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, #ifndef HAVE_ARC4RANDOM close(fsrv->dev_urandom_fd); #endif - if (fsrv->plot_file != NULL) fclose(fsrv->plot_file); + if (fsrv->plot_file != NULL) { fclose(fsrv->plot_file); } /* This should improve performance a bit, since it stops the linker from doing extra work post-fork(). */ - if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 0); } /* Set sane defaults for ASAN if nothing else specified. */ @@ -391,17 +398,20 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (rlen == 4) { - if (!be_quiet) OKF("All right - fork server is up."); + if (!be_quiet) { OKF("All right - fork server is up."); } if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { - if (!be_quiet && getenv("AFL_DEBUG")) + if (!be_quiet && getenv("AFL_DEBUG")) { + ACTF("Extended forkserver functions received (%08x).", status); + } + if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { fsrv->snapshot = 1; - if (!be_quiet) ACTF("Using SNAPSHOT feature."); + if (!be_quiet) { ACTF("Using SNAPSHOT feature."); } } @@ -409,7 +419,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, u32 tmp_map_size = FS_OPT_GET_MAPSIZE(status); - if (!fsrv->map_size) fsrv->map_size = MAP_SIZE; + if (!fsrv->map_size) { fsrv->map_size = MAP_SIZE; } if (unlikely(tmp_map_size % 8)) { @@ -419,13 +429,17 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (!be_quiet) ACTF("Target map size: %u", tmp_map_size); - if (tmp_map_size > fsrv->map_size) + if (!be_quiet) { ACTF("Target map size: %u", tmp_map_size); } + if (tmp_map_size > fsrv->map_size) { + FATAL( "Target's coverage map size of %u is larger than the one this " "afl++ is set with (%u) (change MAP_SIZE_POW2 in config.h and " "recompile or set AFL_MAP_SIZE)\n", tmp_map_size, fsrv->map_size); + + } + fsrv->map_size = tmp_map_size; } @@ -436,27 +450,44 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, // this is not afl-fuzz - we deny and return status = (0xffffffff ^ (FS_OPT_ENABLED | FS_OPT_AUTODICT)); - if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { + FATAL("Writing to forkserver failed."); + + } + return; } - if (!be_quiet) ACTF("Using AUTODICT feature."); + if (!be_quiet) { ACTF("Using AUTODICT feature."); } status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); - if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { + FATAL("Writing to forkserver failed."); - if (read(fsrv->fsrv_st_fd, &status, 4) != 4) + + } + + if (read(fsrv->fsrv_st_fd, &status, 4) != 4) { + FATAL("Reading from forkserver failed."); - if (status < 2 || (u32)status > 0xffffff) + } + + if (status < 2 || (u32)status > 0xffffff) { + FATAL("Dictionary has an illegal size: %d", status); + } + u32 len = status, offset = 0, count = 0; u8 *dict = ck_alloc(len); - if (dict == NULL) + if (dict == NULL) { + FATAL("Could not allocate %u bytes of autodictionary memory", len); + } + while (len != 0) { rlen = read(fsrv->fsrv_st_fd, dict + offset, len); @@ -486,7 +517,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (!be_quiet) ACTF("Loaded %u autodictionary entries", count); + if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); } ck_free(dict); } @@ -497,10 +528,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->last_run_timed_out) + if (fsrv->last_run_timed_out) { + FATAL("Timeout while initializing fork server (adjusting -t may help)"); - if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); + } + + if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) { PFATAL("waitpid() failed"); } if (WIFSIGNALED(status)) { @@ -580,9 +614,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) { + FATAL("Unable to execute target application ('%s')", argv[0]); + } + if (fsrv->mem_limit && fsrv->mem_limit < 500 && fsrv->uses_asan) { SAYF("\n" cLRD "[-] " cRST @@ -651,7 +688,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, static void afl_fsrv_kill(afl_forkserver_t *fsrv) { - if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); + if (fsrv->child_pid > 0) { kill(fsrv->child_pid, SIGKILL); } if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, SIGKILL); @@ -680,7 +717,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { } - if (fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file); + if (fd < 0) { PFATAL("Unable to create '%s'", fsrv->out_file); } } else { @@ -692,7 +729,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { if (!fsrv->out_file) { - if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); + if (ftruncate(fd, len)) { PFATAL("ftruncate() failed"); } lseek(fd, 0, SEEK_SET); } else { @@ -727,7 +764,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->last_run_timed_out, 4)) != 4) { - if (*stop_soon_p) return 0; + if (*stop_soon_p) { return 0; } RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } @@ -736,12 +773,12 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - if (*stop_soon_p) return 0; + if (*stop_soon_p) { return 0; } RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); + if (fsrv->child_pid <= 0) { FATAL("Fork server is misbehaving (OOM?)"); } exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, stop_soon_p); @@ -752,13 +789,13 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, kill(fsrv->child_pid, SIGKILL); fsrv->last_run_timed_out = 1; - if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0; + if (read(fsrv->fsrv_st_fd, &status, 4) < 4) { exec_ms = 0; } } if (!exec_ms) { - if (*stop_soon_p) return 0; + if (*stop_soon_p) { return 0; } SAYF("\n" cLRD "[-] " cRST "Unable to communicate with fork server. Some possible reasons:\n\n" " - You've run out of memory. Use -m to increase the the memory " @@ -784,7 +821,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - if (!WIFSTOPPED(status)) fsrv->child_pid = 0; + if (!WIFSTOPPED(status)) { fsrv->child_pid = 0; } fsrv->total_execs++; @@ -800,9 +837,12 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, fsrv->last_kill_signal = WTERMSIG(status); - if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) + if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) { + return FSRV_RUN_TMOUT; + } + return FSRV_RUN_CRASH; } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 0823deed..69fe6562 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -35,13 +35,13 @@ void write_bitmap(afl_state_t *afl) { u8 fname[PATH_MAX]; s32 fd; - if (!afl->bitmap_changed) return; + if (!afl->bitmap_changed) { return; } afl->bitmap_changed = 0; snprintf(fname, PATH_MAX, "%s/fuzz_bitmap", afl->out_dir); fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd < 0) PFATAL("Unable to open '%s'", fname); + if (fd < 0) { PFATAL("Unable to open '%s'", fname); } ck_write(fd, afl->virgin_bits, afl->fsrv.map_size, fname); @@ -102,11 +102,16 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) || (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) || (cur[6] && vir[6] == 0xff) || - (cur[7] && vir[7] == 0xff)) + (cur[7] && vir[7] == 0xff)) { + ret = 2; - else + + } else { + ret = 1; + } + #else if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) || @@ -129,9 +134,12 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { } - if (unlikely(ret) && likely(virgin_map == afl->virgin_bits)) + if (unlikely(ret) && likely(virgin_map == afl->virgin_bits)) { + afl->bitmap_changed = 1; + } + return ret; } @@ -183,11 +191,11 @@ u32 count_bytes(afl_state_t *afl, u8 *mem) { u32 v = *(ptr++); - if (!v) continue; - if (v & 0x000000ff) ++ret; - if (v & 0x0000ff00) ++ret; - if (v & 0x00ff0000) ++ret; - if (v & 0xff000000) ++ret; + if (!v) { continue; } + if (v & 0x000000ff) { ++ret; } + if (v & 0x0000ff00) { ++ret; } + if (v & 0x00ff0000) { ++ret; } + if (v & 0xff000000) { ++ret; } } @@ -211,11 +219,11 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) { /* This is called on the virgin bitmap, so optimize for the most likely case. */ - if (v == 0xffffffff) continue; - if ((v & 0x000000ff) != 0x000000ff) ++ret; - if ((v & 0x0000ff00) != 0x0000ff00) ++ret; - if ((v & 0x00ff0000) != 0x00ff0000) ++ret; - if ((v & 0xff000000) != 0xff000000) ++ret; + if (v == 0xffffffff) { continue; } + if ((v & 0x000000ff) != 0x000000ff) { ++ret; } + if ((v & 0x0000ff00) != 0x0000ff00) { ++ret; } + if ((v & 0x00ff0000) != 0x00ff0000) { ++ret; } + if ((v & 0xff000000) != 0xff000000) { ++ret; } } @@ -257,10 +265,12 @@ void simplify_trace(afl_state_t *afl, u64 *mem) { mem8[6] = simplify_lookup[mem8[6]]; mem8[7] = simplify_lookup[mem8[7]]; - } else + } else { *mem = 0x0101010101010101ULL; + } + ++mem; } @@ -322,11 +332,17 @@ void init_count_class16(void) { u32 b1, b2; - for (b1 = 0; b1 < 256; b1++) - for (b2 = 0; b2 < 256; b2++) + for (b1 = 0; b1 < 256; b1++) { + + for (b2 = 0; b2 < 256; b2++) { + count_class_lookup16[(b1 << 8) + b2] = (count_class_lookup8[b1] << 8) | count_class_lookup8[b2]; + } + + } + } #ifdef WORD_SIZE_64 @@ -397,7 +413,7 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { while (i < afl->fsrv.map_size) { - if (*(src++)) dst[i >> 3] |= 1 << (i & 7); + if (*(src++)) { dst[i >> 3] |= 1 << (i & 7); } ++i; } @@ -423,27 +439,35 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); - if (afl->splicing_with >= 0) + if (afl->splicing_with >= 0) { + sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); + } + sprintf(ret + strlen(ret), ",op:%s", afl->stage_short); if (afl->stage_cur_byte >= 0) { sprintf(ret + strlen(ret), ",pos:%d", afl->stage_cur_byte); - if (afl->stage_val_type != STAGE_VAL_NONE) + if (afl->stage_val_type != STAGE_VAL_NONE) { + sprintf(ret + strlen(ret), ",val:%s%+d", (afl->stage_val_type == STAGE_VAL_BE) ? "be:" : "", afl->stage_cur_val); - } else + } + + } else { sprintf(ret + strlen(ret), ",rep:%d", afl->stage_cur_val); + } + } - if (hnb == 2) strcat(ret, ",+cov"); + if (hnb == 2) { strcat(ret, ",+cov"); } return ret; @@ -467,7 +491,7 @@ static void write_crash_readme(afl_state_t *afl) { /* Do not die on errors here - that would be impolite. */ - if (unlikely(fd < 0)) return; + if (unlikely(fd < 0)) { return; } f = fdopen(fd, "w"); @@ -512,7 +536,7 @@ static void write_crash_readme(afl_state_t *afl) { u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { - if (unlikely(len == 0)) return 0; + if (unlikely(len == 0)) { return 0; } u8 *queue_fn = ""; u8 hnb = '\0'; @@ -545,7 +569,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (!(hnb = has_new_bits(afl, afl->virgin_bits))) { - if (unlikely(afl->crash_mode)) ++afl->total_crashes; + if (unlikely(afl->crash_mode)) { ++afl->total_crashes; } return 0; } @@ -578,11 +602,14 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0); - if (unlikely(res == FSRV_RUN_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) { + FATAL("Unable to execute target application"); + } + fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", queue_fn); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", queue_fn); } ck_write(fd, mem, len, queue_fn); close(fd); @@ -601,7 +628,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ++afl->total_tmouts; - if (afl->unique_hangs >= KEEP_UNIQUE_HANG) return keeping; + if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; } if (likely(!afl->dumb_mode)) { @@ -611,7 +638,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { simplify_trace(afl, (u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ - if (!has_new_bits(afl, afl->virgin_tmout)) return keeping; + if (!has_new_bits(afl, afl->virgin_tmout)) { return keeping; } } @@ -631,9 +658,13 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { timeout actually uncovers a crash. Make sure we don't discard it if so. */ - if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) goto keep_as_crash; + if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) { + + goto keep_as_crash; - if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) return keeping; + } + + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; } } @@ -665,7 +696,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ++afl->total_crashes; - if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) return keeping; + if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } if (likely(!afl->dumb_mode)) { @@ -675,11 +706,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { simplify_trace(afl, (u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ - if (!has_new_bits(afl, afl->virgin_crash)) return keeping; + if (!has_new_bits(afl, afl->virgin_crash)) { return keeping; } } - if (unlikely(!afl->unique_crashes)) write_crash_readme(afl); + if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); } #ifndef SIMPLE_FILES @@ -715,9 +746,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { break; - case FSRV_RUN_ERROR: FATAL("Unable to execute target application"); + case FSRV_RUN_ERROR: + FATAL("Unable to execute target application"); - default: return keeping; + default: + return keeping; } @@ -725,7 +758,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { test case, too. */ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", fn); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn); } ck_write(fd, mem, len, fn); close(fd); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 12c814ba..9452fa90 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -37,9 +37,12 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); - if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) + if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { + argv[0] = fsrv->cmplog_binary; + } + execv(argv[0], argv); } @@ -54,7 +57,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { size_t post_len = afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) return 0; + if (!post_buf || !post_len) { return 0; } out_buf = post_buf; len = post_len; @@ -64,7 +67,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); - if (afl->stop_soon) return 1; + if (afl->stop_soon) { return 1; } if (fault == FSRV_RUN_TMOUT) { @@ -75,10 +78,12 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { } - } else + } else { afl->subseq_tmouts = 0; + } + /* Users can hit us with SIGUSR1 to request the current input to be abandoned. */ diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index c366cc5b..12771cd7 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -59,7 +59,7 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, f = fopen(fname, "r"); - if (!f) PFATAL("Unable to open '%s'", fname); + if (!f) { PFATAL("Unable to open '%s'", fname); } while ((lptr = fgets(buf, MAX_LINE, f))) { @@ -70,57 +70,79 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, /* Trim on left and right. */ - while (isspace(*lptr)) + while (isspace(*lptr)) { + ++lptr; + } + rptr = lptr + strlen(lptr) - 1; - while (rptr >= lptr && isspace(*rptr)) + while (rptr >= lptr && isspace(*rptr)) { + --rptr; + + } + ++rptr; *rptr = 0; /* Skip empty lines and comments. */ - if (!*lptr || *lptr == '#') continue; + if (!*lptr || *lptr == '#') { continue; } /* All other lines must end with '"', which we can consume. */ --rptr; - if (rptr < lptr || *rptr != '"') + if (rptr < lptr || *rptr != '"') { + FATAL("Malformed name=\"value\" pair in line %u.", cur_line); + } + *rptr = 0; /* Skip alphanumerics and dashes (label). */ - while (isalnum(*lptr) || *lptr == '_') + while (isalnum(*lptr) || *lptr == '_') { + ++lptr; + } + /* If @number follows, parse that. */ if (*lptr == '@') { ++lptr; - if (atoi(lptr) > dict_level) continue; - while (isdigit(*lptr)) + if (atoi(lptr) > dict_level) { continue; } + while (isdigit(*lptr)) { + ++lptr; + } + } /* Skip whitespace and = signs. */ - while (isspace(*lptr) || *lptr == '=') + while (isspace(*lptr) || *lptr == '=') { + ++lptr; + } + /* Consume opening '"'. */ - if (*lptr != '"') + if (*lptr != '"') { + FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); + } + ++lptr; - if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); + if (!*lptr) { FATAL("Empty keyword in line %u.", cur_line); } /* Okay, let's allocate memory and copy data between "...", handling \xNN escaping, \\, and \". */ @@ -130,7 +152,7 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr); - if (!wptr) PFATAL("no mem for data"); + if (!wptr) { PFATAL("no mem for data"); } while (*lptr) { @@ -154,9 +176,12 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, } - if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) + if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) { + FATAL("Invalid escaping (not \\xNN) in line %u.", cur_line); + } + *(wptr++) = ((strchr(hexdigits, tolower(lptr[1])) - hexdigits) << 4) | (strchr(hexdigits, tolower(lptr[2])) - hexdigits); @@ -165,7 +190,9 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, break; - default: *(wptr++) = *(lptr++); ++klen; + default: + *(wptr++) = *(lptr++); + ++klen; } @@ -173,14 +200,17 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, afl->extras[afl->extras_cnt].len = klen; - if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE) + if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE) { + FATAL( "Keyword too big in line %u (%s, limit is %s)", cur_line, stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), klen), stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE)); - if (*min_len > klen) *min_len = klen; - if (*max_len < klen) *max_len = klen; + } + + if (*min_len > klen) { *min_len = klen; } + if (*max_len < klen) { *max_len = klen; } ++afl->extras_cnt; @@ -227,7 +257,7 @@ void load_extras(afl_state_t *afl, u8 *dir) { } - if (x) FATAL("Dictionary levels not supported for directories."); + if (x) { FATAL("Dictionary levels not supported for directories."); } while ((de = readdir(d))) { @@ -235,7 +265,11 @@ void load_extras(afl_state_t *afl, u8 *dir) { u8 * fn = alloc_printf("%s/%s", dir, de->d_name); s32 fd; - if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); + if (lstat(fn, &st) || access(fn, R_OK)) { + + PFATAL("Unable to access '%s'", fn); + + } /* This also takes care of . and .. */ if (!S_ISREG(st.st_mode) || !st.st_size) { @@ -245,14 +279,17 @@ void load_extras(afl_state_t *afl, u8 *dir) { } - if (st.st_size > MAX_DICT_FILE) + if (st.st_size > MAX_DICT_FILE) { + FATAL( "Extra '%s' is too big (%s, limit is %s)", fn, stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), st.st_size), stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE)); - if (min_len > st.st_size) min_len = st.st_size; - if (max_len < st.st_size) max_len = st.st_size; + } + + if (min_len > st.st_size) { min_len = st.st_size; } + if (max_len < st.st_size) { max_len = st.st_size; } afl->extras = ck_realloc_block( afl->extras, (afl->extras_cnt + 1) * sizeof(struct extra_data)); @@ -262,7 +299,7 @@ void load_extras(afl_state_t *afl, u8 *dir) { fd = open(fn, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", fn); + if (fd < 0) { PFATAL("Unable to open '%s'", fn); } ck_read(fd, afl->extras[afl->extras_cnt].data, st.st_size, fn); @@ -277,7 +314,7 @@ void load_extras(afl_state_t *afl, u8 *dir) { check_and_sort: - if (!afl->extras_cnt) FATAL("No usable files in '%s'", dir); + if (!afl->extras_cnt) { FATAL("No usable files in '%s'", dir); } qsort(afl->extras, afl->extras_cnt, sizeof(struct extra_data), compare_extras_len); @@ -286,22 +323,32 @@ check_and_sort: stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), min_len), stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), max_len)); - if (max_len > 32) + if (max_len > 32) { + WARNF("Some tokens are relatively large (%s) - consider trimming.", stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), max_len)); - if (afl->extras_cnt > MAX_DET_EXTRAS) + } + + if (afl->extras_cnt > MAX_DET_EXTRAS) { + WARNF("More than %d tokens - will use them probabilistically.", MAX_DET_EXTRAS); + } + } /* Helper function for maybe_add_auto(afl, ) */ static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) { - while (len--) - if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1; + while (len--) { + + if (tolower(*(m1++)) ^ tolower(*(m2++))) { return 1; } + + } + return 0; } @@ -318,14 +365,17 @@ void maybe_add_auto(void *afl_tmp, u8 *mem, u32 len) { /* Allow users to specify that they don't want auto dictionaries. */ - if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; + if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) { return; } /* Skip runs of identical bytes. */ - for (i = 1; i < len; ++i) - if (mem[0] ^ mem[i]) break; + for (i = 1; i < len; ++i) { + + if (mem[0] ^ mem[i]) { break; } - if (i == len) return; + } + + if (i == len) { return; } /* Reject builtin interesting values. */ @@ -333,33 +383,51 @@ void maybe_add_auto(void *afl_tmp, u8 *mem, u32 len) { i = sizeof(interesting_16) >> 1; - while (i--) + while (i--) { + if (*((u16 *)mem) == interesting_16[i] || - *((u16 *)mem) == SWAP16(interesting_16[i])) + *((u16 *)mem) == SWAP16(interesting_16[i])) { + return; + } + + } + } if (len == 4) { i = sizeof(interesting_32) >> 2; - while (i--) + while (i--) { + if (*((u32 *)mem) == interesting_32[i] || - *((u32 *)mem) == SWAP32(interesting_32[i])) + *((u32 *)mem) == SWAP32(interesting_32[i])) { + return; + } + + } + } /* Reject anything that matches existing extras. Do a case-insensitive match. We optimize by exploiting the fact that extras[] are sorted by size. */ - for (i = 0; i < afl->extras_cnt; ++i) - if (afl->extras[i].len >= len) break; + for (i = 0; i < afl->extras_cnt; ++i) { - for (; i < afl->extras_cnt && afl->extras[i].len == len; ++i) - if (!memcmp_nocase(afl->extras[i].data, mem, len)) return; + if (afl->extras[i].len >= len) { break; } + + } + + for (; i < afl->extras_cnt && afl->extras[i].len == len; ++i) { + + if (!memcmp_nocase(afl->extras[i].data, mem, len)) { return; } + + } /* Last but not least, check afl->a_extras[] for matches. There are no guarantees of a particular sort order. */ @@ -423,7 +491,7 @@ void save_auto(afl_state_t *afl) { u32 i; - if (!afl->auto_changed) return; + if (!afl->auto_changed) { return; } afl->auto_changed = 0; for (i = 0; i < MIN(USE_AUTO_EXTRAS, afl->a_extras_cnt); ++i) { @@ -434,7 +502,7 @@ void save_auto(afl_state_t *afl) { fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (fd < 0) { PFATAL("Unable to create '%s'", fn); } ck_write(fd, afl->a_extras[i].data, afl->a_extras[i].len, fn); @@ -461,7 +529,7 @@ void load_auto(afl_state_t *afl) { if (fd < 0) { - if (errno != ENOENT) PFATAL("Unable to open '%s'", fn); + if (errno != ENOENT) { PFATAL("Unable to open '%s'", fn); } ck_free(fn); break; @@ -472,21 +540,29 @@ void load_auto(afl_state_t *afl) { len = read(fd, tmp, MAX_AUTO_EXTRA + 1); - if (len < 0) PFATAL("Unable to read from '%s'", fn); + if (len < 0) { PFATAL("Unable to read from '%s'", fn); } + + if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) { - if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) maybe_add_auto((u8 *)afl, tmp, len); + } + close(fd); ck_free(fn); } - if (i) + if (i) { + OKF("Loaded %u auto-discovered dictionary tokens.", i); - else + + } else { + OKF("No auto-generated dictionary tokens to reuse."); + } + } /* Destroy extras. */ @@ -495,14 +571,20 @@ void destroy_extras(afl_state_t *afl) { u32 i; - for (i = 0; i < afl->extras_cnt; ++i) + for (i = 0; i < afl->extras_cnt; ++i) { + ck_free(afl->extras[i].data); + } + ck_free(afl->extras); - for (i = 0; i < afl->a_extras_cnt; ++i) + for (i = 0; i < afl->a_extras_cnt; ++i) { + ck_free(afl->a_extras[i].data); + } + ck_free(afl->a_extras); } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 3da348d2..4dd31ac9 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -42,7 +42,7 @@ void bind_to_free_cpu(afl_state_t *afl) { u8 cpu_used[4096] = {0}; u32 i; - if (afl->cpu_core_count < 2) return; + if (afl->cpu_core_count < 2) { return; } if (afl->afl_env.afl_no_affinity) { @@ -82,7 +82,7 @@ void bind_to_free_cpu(afl_state_t *afl) { u8 tmp[MAX_LINE]; u8 has_vmsize = 0; - if (!isdigit(de->d_name[0])) continue; + if (!isdigit(de->d_name[0])) { continue; } snprintf(fn, PATH_MAX, "/proc/%s/status", de->d_name); @@ -94,7 +94,7 @@ void bind_to_free_cpu(afl_state_t *afl) { /* Processes without VmSize are probably kernel tasks. */ - if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; + if (!strncmp(tmp, "VmSize:\t", 8)) { has_vmsize = 1; } if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && !strchr(tmp, '-') && !strchr(tmp, ',') && sscanf(tmp + 19, "%u", &hval) == 1 && @@ -190,8 +190,12 @@ void bind_to_free_cpu(afl_state_t *afl) { try: #ifndef __ANDROID__ - for (i = cpu_start; i < afl->cpu_core_count; i++) - if (!cpu_used[i]) break; + for (i = cpu_start; i < afl->cpu_core_count; i++) { + + if (!cpu_used[i]) { break; } + + } + if (i == afl->cpu_core_count) { #else @@ -229,8 +233,12 @@ void bind_to_free_cpu(afl_state_t *afl) { #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { - if (cpu_start == afl->cpu_core_count) + if (cpu_start == afl->cpu_core_count) { + PFATAL("sched_setaffinity failed for CPU %d, exit", i); + + } + WARNF("sched_setaffinity failed to CPU %d, trying next CPU", i); cpu_start++; goto try @@ -282,30 +290,37 @@ void setup_post(afl_state_t *afl) { u32 tlen = 6; strncpy(tbuf, "hello", tlen); - if (!fn) return; + if (!fn) { return; } ACTF("Loading postprocessor from '%s'...", fn); dh = dlopen(fn, RTLD_NOW); - if (!dh) FATAL("%s", dlerror()); + if (!dh) { FATAL("%s", dlerror()); } afl->post_handler = dlsym(dh, "afl_postprocess"); - if (!afl->post_handler) FATAL("Symbol 'afl_postprocess' not found."); + if (!afl->post_handler) { FATAL("Symbol 'afl_postprocess' not found."); } afl->post_init = dlsym(dh, "afl_postprocess_init"); - if (!afl->post_init) FATAL("Symbol 'afl_postprocess_init' not found."); + if (!afl->post_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } afl->post_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!afl->post_deinit) FATAL("Symbol 'afl_postprocess_deinit' not found."); + if (!afl->post_deinit) { + + FATAL("Symbol 'afl_postprocess_deinit' not found."); + + } /* Do a quick test. It's better to segfault now than later =) */ u8 *post_buf = NULL; afl->post_data = afl->post_init(afl); - if (!afl->post_data) FATAL("Could not initialize post handler."); + if (!afl->post_data) { FATAL("Could not initialize post handler."); } size_t post_len = afl->post_handler(afl->post_data, tbuf, tlen, &post_buf); - if (!post_len || !post_buf) + if (!post_len || !post_buf) { + SAYF("Empty return in test post handler for buf=\"hello\\0\"."); + } + OKF("Postprocessor installed successfully."); } @@ -342,11 +357,16 @@ void read_testcases(afl_state_t *afl) { /* Auto-detect non-in-place resumption attempts. */ fn1 = alloc_printf("%s/queue", afl->in_dir); - if (!access(fn1, F_OK)) + if (!access(fn1, F_OK)) { + afl->in_dir = fn1; - else + + } else { + ck_free(fn1); + } + ACTF("Scanning '%s'...", afl->in_dir); /* We use scandir() + alphasort() rather than readdir() because otherwise, @@ -357,7 +377,7 @@ void read_testcases(afl_state_t *afl) { if (nl_cnt < 0) { - if (errno == ENOENT || errno == ENOTDIR) + if (errno == ENOENT || errno == ENOTDIR) { SAYF("\n" cLRD "[-] " cRST "The input directory does not seem to be valid - try again. The " @@ -368,6 +388,8 @@ void read_testcases(afl_state_t *afl) { "the input\n" " directory.\n"); + } + PFATAL("Unable to open '%s'", afl->in_dir); } @@ -392,9 +414,12 @@ void read_testcases(afl_state_t *afl) { free(nl[i]); /* not tracked */ - if (lstat(fn2, &st) || access(fn2, R_OK)) + if (lstat(fn2, &st) || access(fn2, R_OK)) { + PFATAL("Unable to access '%s'", fn2); + } + /* This also takes care of . and .. */ if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) { @@ -404,17 +429,20 @@ void read_testcases(afl_state_t *afl) { } - if (st.st_size > MAX_FILE) + if (st.st_size > MAX_FILE) { + FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size), stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE)); + } + /* Check for metadata that indicates that deterministic fuzzing is complete for this entry. We don't want to repeat deterministic fuzzing when resuming aborted scans, because it would be pointless and probably very time-consuming. */ - if (!access(dfn, F_OK)) passed_det = 1; + if (!access(dfn, F_OK)) { passed_det = 1; } add_to_queue(afl, fn2, st.st_size, passed_det); @@ -462,29 +490,35 @@ void perform_dry_run(afl_state_t *afl) { ACTF("Attempting dry run with '%s'...", fn); fd = open(q->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", q->fname); + if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); } use_mem = ck_alloc_nozero(q->len); - if (read(fd, use_mem, q->len) != q->len) + if (read(fd, use_mem, q->len) != q->len) { + FATAL("Short read from '%s'", q->fname); + } + close(fd); res = calibrate_case(afl, q, use_mem, 0, 1); ck_free(use_mem); - if (afl->stop_soon) return; + if (afl->stop_soon) { return; } + + if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) { - if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, q->len, q->bitmap_size, q->exec_us); + } + switch (res) { case FSRV_RUN_OK: - if (afl->crash_mode) FATAL("Test case '%s' does *NOT* crash", fn); + if (afl->crash_mode) { FATAL("Test case '%s' does *NOT* crash", fn); } break; @@ -539,7 +573,7 @@ void perform_dry_run(afl_state_t *afl) { case FSRV_RUN_CRASH: - if (afl->crash_mode) break; + if (afl->crash_mode) { break; } if (skip_crashes) { @@ -635,20 +669,28 @@ void perform_dry_run(afl_state_t *afl) { FATAL("Unable to execute target application ('%s')", afl->argv[0]); - case FSRV_RUN_NOINST: FATAL("No instrumentation detected"); + case FSRV_RUN_NOINST: + FATAL("No instrumentation detected"); case FSRV_RUN_NOBITS: ++afl->useless_at_start; - if (!afl->in_bitmap && !afl->shuffle_queue) + if (!afl->in_bitmap && !afl->shuffle_queue) { + WARNF("No new instrumentation output, test case may be useless."); + } + break; } - if (q->var_behavior) WARNF("Instrumentation output varies across runs."); + if (q->var_behavior) { + + WARNF("Instrumentation output varies across runs."); + + } q = q->next; @@ -656,17 +698,23 @@ void perform_dry_run(afl_state_t *afl) { if (cal_failures) { - if (cal_failures == afl->queued_paths) + if (cal_failures == afl->queued_paths) { + FATAL("All test cases time out%s, giving up!", skip_crashes ? " or crash" : ""); + } + WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures, ((double)cal_failures) * 100 / afl->queued_paths, skip_crashes ? " or crashes" : ""); - if (cal_failures * 5 > afl->queued_paths) + if (cal_failures * 5 > afl->queued_paths) { + WARNF(cLRD "High percentage of rejected test cases, check settings!"); + } + } OKF("All test cases processed."); @@ -681,20 +729,23 @@ static void link_or_copy(u8 *old_path, u8 *new_path) { s32 sfd, dfd; u8 *tmp; - if (!i) return; + if (!i) { return; } sfd = open(old_path, O_RDONLY); - if (sfd < 0) PFATAL("Unable to open '%s'", old_path); + if (sfd < 0) { PFATAL("Unable to open '%s'", old_path); } dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (dfd < 0) PFATAL("Unable to create '%s'", new_path); + if (dfd < 0) { PFATAL("Unable to create '%s'", new_path); } tmp = ck_alloc(64 * 1024); - while ((i = read(sfd, tmp, 64 * 1024)) > 0) + while ((i = read(sfd, tmp, 64 * 1024)) > 0) { + ck_write(dfd, tmp, i, new_path); - if (i < 0) PFATAL("read() failed"); + } + + if (i < 0) { PFATAL("read() failed"); } ck_free(tmp); close(sfd); @@ -717,11 +768,16 @@ void pivot_inputs(afl_state_t *afl) { u8 *nfn, *rsl = strrchr(q->fname, '/'); u32 orig_id; - if (!rsl) + if (!rsl) { + rsl = q->fname; - else + + } else { + ++rsl; + } + /* If the original file name conforms to the syntax and the recorded ID matches the one we'd assign, just use the original file name. This is valuable for resuming fuzzing runs. */ @@ -743,11 +799,15 @@ void pivot_inputs(afl_state_t *afl) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { struct queue_entry *s = afl->queue; - while (src_id-- && s) + while (src_id-- && s) { + s = s->next; - if (s) q->depth = s->depth + 1; - if (afl->max_depth < q->depth) afl->max_depth = q->depth; + } + + if (s) { q->depth = s->depth + 1; } + + if (afl->max_depth < q->depth) { afl->max_depth = q->depth; } } @@ -760,10 +820,16 @@ void pivot_inputs(afl_state_t *afl) { u8 *use_name = strstr(rsl, ",orig:"); - if (use_name) + if (use_name) { + use_name += 6; - else + + } else { + use_name = rsl; + + } + nfn = alloc_printf("%s/queue/id:%06u,time:0,orig:%s", afl->out_dir, id, use_name); @@ -783,14 +849,14 @@ void pivot_inputs(afl_state_t *afl) { /* Make sure that the passed_det value carries over, too. */ - if (q->passed_det) mark_as_det_done(afl, q); + if (q->passed_det) { mark_as_det_done(afl, q); } q = q->next; ++id; } - if (afl->in_place_resume) nuke_resume_dir(afl); + if (afl->in_place_resume) { nuke_resume_dir(afl); } } @@ -805,27 +871,32 @@ u32 find_start_position(afl_state_t *afl) { s32 fd, i; u32 ret; - if (!afl->resuming_fuzz) return 0; + if (!afl->resuming_fuzz) { return 0; } + + if (afl->in_place_resume) { - if (afl->in_place_resume) fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); - else + + } else { + fn = alloc_printf("%s/../fuzzer_stats", afl->in_dir); + } + fd = open(fn, O_RDONLY); ck_free(fn); - if (fd < 0) return 0; + if (fd < 0) { return 0; } i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ close(fd); off = strstr(tmp, "cur_path : "); - if (!off) return 0; + if (!off) { return 0; } ret = atoi(off + 20); - if (ret >= afl->queued_paths) ret = 0; + if (ret >= afl->queued_paths) { ret = 0; } return ret; } @@ -842,27 +913,32 @@ void find_timeout(afl_state_t *afl) { s32 fd, i; u32 ret; - if (!afl->resuming_fuzz) return; + if (!afl->resuming_fuzz) { return; } + + if (afl->in_place_resume) { - if (afl->in_place_resume) fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); - else + + } else { + fn = alloc_printf("%s/../fuzzer_stats", afl->in_dir); + } + fd = open(fn, O_RDONLY); ck_free(fn); - if (fd < 0) return; + if (fd < 0) { return; } i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ close(fd); off = strstr(tmp, "exec_timeout : "); - if (!off) return; + if (!off) { return; } ret = atoi(off + 20); - if (ret <= 4) return; + if (ret <= 4) { return; } afl->fsrv.exec_tmout = ret; afl->timeout_given = 3; @@ -879,7 +955,7 @@ static u8 delete_files(u8 *path, u8 *prefix) { d = opendir(path); - if (!d) return 0; + if (!d) { return 0; } while ((d_ent = readdir(d))) { @@ -887,7 +963,7 @@ static u8 delete_files(u8 *path, u8 *prefix) { (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name); - if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); + if (unlink(fname)) { PFATAL("Unable to delete '%s'", fname); } ck_free(fname); } @@ -925,14 +1001,17 @@ double get_runnable_processes(void) { u8 tmp[1024]; u32 val = 0; - if (!f) return 0; + if (!f) { return 0; } while (fgets(tmp, sizeof(tmp), f)) { if (!strncmp(tmp, "procs_running ", 14) || - !strncmp(tmp, "procs_blocked ", 14)) + !strncmp(tmp, "procs_blocked ", 14)) { + val += atoi(tmp + 14); + } + } fclose(f); @@ -961,27 +1040,27 @@ void nuke_resume_dir(afl_state_t *afl) { u8 *fn; fn = alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/_resume/.state/auto_extras", afl->out_dir); - if (delete_files(fn, "auto_")) goto dir_cleanup_failed; + if (delete_files(fn, "auto_")) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/_resume/.state/redundant_edges", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/_resume/.state/variable_behavior", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/_resume/.state", afl->out_dir); - if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (rmdir(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/_resume", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); return; @@ -1006,7 +1085,7 @@ static void handle_existing_out_dir(afl_state_t *afl) { (this requires leaving the descriptor open).*/ afl->fsrv.out_dir_fd = open(afl->out_dir, O_RDONLY); - if (afl->fsrv.out_dir_fd < 0) PFATAL("Unable to open '%s'", afl->out_dir); + if (afl->fsrv.out_dir_fd < 0) { PFATAL("Unable to open '%s'", afl->out_dir); } #ifndef __sun @@ -1034,9 +1113,12 @@ static void handle_existing_out_dir(afl_state_t *afl) { if (fscanf(f, "start_time : %llu\n" "last_update : %llu\n", - &start_time2, &last_update) != 2) + &start_time2, &last_update) != 2) { + FATAL("Malformed data in '%s'", fn); + } + fclose(f); /* Autoresume treats a normal run as in_place_resume if a valid out dir @@ -1110,7 +1192,7 @@ static void handle_existing_out_dir(afl_state_t *afl) { if (!afl->in_place_resume) { fn = alloc_printf("%s/.synced", afl->out_dir); - if (delete_files(fn, NULL)) goto dir_cleanup_failed; + if (delete_files(fn, NULL)) { goto dir_cleanup_failed; } ck_free(fn); } @@ -1118,30 +1200,30 @@ static void handle_existing_out_dir(afl_state_t *afl) { /* Next, we need to clean up <afl->out_dir>/queue/.state/ subdirectories: */ fn = alloc_printf("%s/queue/.state/deterministic_done", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/queue/.state/auto_extras", afl->out_dir); - if (delete_files(fn, "auto_")) goto dir_cleanup_failed; + if (delete_files(fn, "auto_")) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/queue/.state/redundant_edges", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/queue/.state/variable_behavior", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); /* Then, get rid of the .state subdirectory itself (should be empty by now) and everything matching <afl->out_dir>/queue/id:*. */ fn = alloc_printf("%s/queue/.state", afl->out_dir); - if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (rmdir(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/queue", afl->out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); /* All right, let's do <afl->out_dir>/crashes/id:* and @@ -1184,7 +1266,7 @@ static void handle_existing_out_dir(afl_state_t *afl) { } - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/hangs", afl->out_dir); @@ -1215,7 +1297,7 @@ static void handle_existing_out_dir(afl_state_t *afl) { } - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; } ck_free(fn); /* And now, for some finishing touches. */ @@ -1230,27 +1312,27 @@ static void handle_existing_out_dir(afl_state_t *afl) { } - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/fuzz_bitmap", afl->out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); if (!afl->in_place_resume) { fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); } fn = alloc_printf("%s/plot_data", afl->out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); fn = alloc_printf("%s/cmdline", afl->out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); OKF("Output dir cleanup successful."); @@ -1287,28 +1369,37 @@ void setup_dirs_fds(afl_state_t *afl) { ACTF("Setting up output directories..."); - if (afl->sync_id && mkdir(afl->sync_dir, 0700) && errno != EEXIST) + if (afl->sync_id && mkdir(afl->sync_dir, 0700) && errno != EEXIST) { + PFATAL("Unable to create '%s'", afl->sync_dir); + } + if (mkdir(afl->out_dir, 0700)) { - if (errno != EEXIST) PFATAL("Unable to create '%s'", afl->out_dir); + if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } handle_existing_out_dir(afl); } else { - if (afl->in_place_resume) + if (afl->in_place_resume) { + FATAL("Resume attempted but old output directory not found"); + } + afl->fsrv.out_dir_fd = open(afl->out_dir, O_RDONLY); #ifndef __sun if (afl->fsrv.out_dir_fd < 0 || - flock(afl->fsrv.out_dir_fd, LOCK_EX | LOCK_NB)) + flock(afl->fsrv.out_dir_fd, LOCK_EX | LOCK_NB)) { + PFATAL("Unable to flock() output directory."); + } + #endif /* !__sun */ } @@ -1316,39 +1407,39 @@ void setup_dirs_fds(afl_state_t *afl) { /* Queue directory for any starting & discovered paths. */ tmp = alloc_printf("%s/queue", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Top-level directory for queue metadata used for session resume and related tasks. */ tmp = alloc_printf("%s/queue/.state/", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Directory for flagging queue entries that went through deterministic fuzzing in the past. */ tmp = alloc_printf("%s/queue/.state/deterministic_done/", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Directory with the auto-selected dictionary entries. */ tmp = alloc_printf("%s/queue/.state/auto_extras/", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* The set of paths currently deemed redundant. */ tmp = alloc_printf("%s/queue/.state/redundant_edges/", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* The set of paths showing variable behavior. */ tmp = alloc_printf("%s/queue/.state/variable_behavior/", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Sync directory for keeping track of cooperating fuzzers. */ @@ -1357,9 +1448,12 @@ void setup_dirs_fds(afl_state_t *afl) { tmp = alloc_printf("%s/.synced/", afl->out_dir); - if (mkdir(tmp, 0700) && (!afl->in_place_resume || errno != EEXIST)) + if (mkdir(tmp, 0700) && (!afl->in_place_resume || errno != EEXIST)) { + PFATAL("Unable to create '%s'", tmp); + } + ck_free(tmp); } @@ -1367,34 +1461,34 @@ void setup_dirs_fds(afl_state_t *afl) { /* All recorded crashes. */ tmp = alloc_printf("%s/crashes", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* All recorded hangs. */ tmp = alloc_printf("%s/hangs", afl->out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Generally useful file descriptors. */ afl->fsrv.dev_null_fd = open("/dev/null", O_RDWR); - if (afl->fsrv.dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + if (afl->fsrv.dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } #ifndef HAVE_ARC4RANDOM afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); - if (afl->fsrv.dev_urandom_fd < 0) PFATAL("Unable to open /dev/urandom"); + if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); } #endif /* Gnuplot output file. */ tmp = alloc_printf("%s/plot_data", afl->out_dir); fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", tmp); + if (fd < 0) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); afl->fsrv.plot_file = fdopen(fd, "w"); - if (!afl->fsrv.plot_file) PFATAL("fdopen() failed"); + if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); } fprintf(afl->fsrv.plot_file, "# unix_time, cycles_done, cur_path, paths_total, " @@ -1417,11 +1511,11 @@ void setup_cmdline_file(afl_state_t *afl, char **argv) { /* Store the command line to reproduce our findings */ tmp = alloc_printf("%s/cmdline", afl->out_dir); fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", tmp); + if (fd < 0) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); cmdline_file = fdopen(fd, "w"); - if (!cmdline_file) PFATAL("fdopen() failed"); + if (!cmdline_file) { PFATAL("fdopen() failed"); } while (argv[i]) { @@ -1453,7 +1547,7 @@ void setup_stdio_file(afl_state_t *afl) { afl->fsrv.out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); - if (afl->fsrv.out_fd < 0) PFATAL("Unable to create '%s'", fn); + if (afl->fsrv.out_fd < 0) { PFATAL("Unable to create '%s'", fn); } ck_free(fn); @@ -1501,7 +1595,7 @@ void check_crash_handling(void) { s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); u8 fchar; - if (fd < 0) return; + if (fd < 0) { return; } ACTF("Checking core_pattern..."); @@ -1524,9 +1618,12 @@ void check_crash_handling(void) { " echo core >/proc/sys/kernel/core_pattern\n"); - if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) + if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) { + FATAL("Pipe at the beginning of 'core_pattern'"); + } + } close(fd); @@ -1544,24 +1641,36 @@ void check_cpu_governor(afl_state_t *afl) { u8 tmp[128]; u64 min = 0, max = 0; - if (afl->afl_env.afl_skip_cpufreq) return; + if (afl->afl_env.afl_skip_cpufreq) { return; } + + if (afl->cpu_aff > 0) { - if (afl->cpu_aff > 0) snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpu", afl->cpu_aff, "/cpufreq/scaling_governor"); - else + + } else { + snprintf(tmp, sizeof(tmp), "%s", "/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor"); + + } + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); if (!f) { - if (afl->cpu_aff > 0) + if (afl->cpu_aff > 0) { + snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpufreq/policy", afl->cpu_aff, "/scaling_governor"); - else + + } else { + snprintf(tmp, sizeof(tmp), "%s", "/sys/devices/system/cpu/cpufreq/policy0/scaling_governor"); + + } + f = fopen(tmp, "r"); } @@ -1575,17 +1684,17 @@ void check_cpu_governor(afl_state_t *afl) { ACTF("Checking CPU scaling governor..."); - if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); + if (!fgets(tmp, 128, f)) { PFATAL("fgets() failed"); } fclose(f); - if (!strncmp(tmp, "perf", 4)) return; + if (!strncmp(tmp, "perf", 4)) { return; } f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); if (f) { - if (fscanf(f, "%llu", &min) != 1) min = 0; + if (fscanf(f, "%llu", &min) != 1) { min = 0; } fclose(f); } @@ -1594,12 +1703,12 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%llu", &max) != 1) max = 0; + if (fscanf(f, "%llu", &max) != 1) { max = 0; } fclose(f); } - if (min == max) return; + if (min == max) { return; } SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" @@ -1752,11 +1861,11 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->dumb_mode) FATAL("-S / -M and -n are mutually exclusive"); + if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } if (afl->skip_deterministic) { - if (afl->force_deterministic) FATAL("use -S instead of -M -d"); + if (afl->force_deterministic) { FATAL("use -S instead of -M -d"); } // else // FATAL("-S already implies -d"); @@ -1764,14 +1873,17 @@ void fix_up_sync(afl_state_t *afl) { while (*x) { - if (!isalnum(*x) && *x != '_' && *x != '-') + if (!isalnum(*x) && *x != '_' && *x != '-') { + FATAL("Non-alphanumeric fuzzer ID specified via -S or -M"); + } + ++x; } - if (strlen(afl->sync_id) > 32) FATAL("Fuzzer ID too long"); + if (strlen(afl->sync_id) > 32) { FATAL("Fuzzer ID too long"); } x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id); @@ -1803,25 +1915,37 @@ void check_asan_opts(void) { if (x) { - if (!strstr(x, "abort_on_error=1")) + if (!strstr(x, "abort_on_error=1")) { + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - if (!strstr(x, "symbolize=0")) + } + + if (!strstr(x, "symbolize=0")) { + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + } + } x = get_afl_env("MSAN_OPTIONS"); if (x) { - if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) { + FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY( MSAN_ERROR) " - please fix!"); - if (!strstr(x, "symbolize=0")) + } + + if (!strstr(x, "symbolize=0")) { + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + } + } } @@ -1868,9 +1992,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { afl->fsrv.target_path = ck_strdup(fname); if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || (f_len = st.st_size) < 4) + !(st.st_mode & 0111) || (f_len = st.st_size) < 4) { + FATAL("Program '%s' not found or not executable", fname); + } + } else { while (env_path) { @@ -1883,52 +2010,71 @@ void check_binary(afl_state_t *afl, u8 *fname) { memcpy(cur_elem, env_path, delim - env_path); ++delim; - } else + } else { cur_elem = ck_strdup(env_path); + } + env_path = delim; - if (cur_elem[0]) + if (cur_elem[0]) { + afl->fsrv.target_path = alloc_printf("%s/%s", cur_elem, fname); - else + + } else { + afl->fsrv.target_path = ck_strdup(fname); + } + ck_free(cur_elem); if (!stat(afl->fsrv.target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && (f_len = st.st_size) >= 4) + (st.st_mode & 0111) && (f_len = st.st_size) >= 4) { + break; + } + ck_free(afl->fsrv.target_path); afl->fsrv.target_path = 0; } - if (!afl->fsrv.target_path) + if (!afl->fsrv.target_path) { + FATAL("Program '%s' not found or not executable", fname); + } + } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine) return; + if (afl->afl_env.afl_skip_bin_check || afl->use_wine) { return; } /* Check for blatant user errors. */ if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) && !strchr(afl->fsrv.target_path + 5, '/')) || (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) && - !strchr(afl->fsrv.target_path + 9, '/'))) + !strchr(afl->fsrv.target_path + 9, '/'))) { + FATAL("Please don't keep binaries in /tmp or /var/tmp"); + } + fd = open(afl->fsrv.target_path, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", afl->fsrv.target_path); + if (fd < 0) { PFATAL("Unable to open '%s'", afl->fsrv.target_path); } f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); - if (f_data == MAP_FAILED) + if (f_data == MAP_FAILED) { + PFATAL("Unable to mmap file '%s'", afl->fsrv.target_path); + } + close(fd); if (f_data[0] == '#' && f_data[1] == '!') { @@ -1955,9 +2101,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { #ifndef __APPLE__ - if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) + if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) { + FATAL("Program '%s' is not an ELF binary", afl->fsrv.target_path); + } + #else #if !defined(__arm__) && !defined(__arm64__) @@ -2011,9 +2160,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { } if (memmem(f_data, f_len, "__asan_init", 11) || - memmem(f_data, f_len, "__msan_init", 11)) + memmem(f_data, f_len, "__msan_init", 11)) { + afl->fsrv.uses_asan = 1; + } + /* Detect persistent & deferred init signatures in the binary. */ if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { @@ -2040,7 +2192,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (munmap(f_data, f_len)) PFATAL("unmap() failed"); + if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); } } @@ -2057,11 +2209,16 @@ void fix_up_banner(afl_state_t *afl, u8 *name) { } else { u8 *trim = strrchr(name, '/'); - if (!trim) + if (!trim) { + afl->use_banner = name; - else + + } else { + afl->use_banner = trim + 1; + } + } } @@ -2152,21 +2309,24 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) { u32 len = 1, i; u8 *buf; - for (i = 0; i < argc; ++i) + for (i = 0; i < argc; ++i) { + len += strlen(argv[i]) + 1; + } + buf = afl->orig_cmdline = ck_alloc(len); for (i = 0; i < argc; ++i) { u32 l = strlen(argv[i]); - if (!argv[i] || !buf) FATAL("null deref detected"); + if (!argv[i] || !buf) { FATAL("null deref detected"); } memcpy(buf, argv[i], l); buf += l; - if (i != argc - 1) *(buf++) = ' '; + if (i != argc - 1) { *(buf++) = ' '; } } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 434b4673..1a279b2d 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -35,12 +35,15 @@ void setup_custom_mutator(afl_state_t *afl) { if (fn) { - if (afl->limit_time_sig) + if (afl->limit_time_sig) { + FATAL( "MOpt and custom mutator are mutually exclusive. We accept pull " "requests that integrates MOpt with the optional mutators " "(custom/radamsa/redquenn/...)."); + } + load_custom_mutator(afl, fn); return; @@ -53,12 +56,15 @@ void setup_custom_mutator(afl_state_t *afl) { if (module_name) { - if (afl->limit_time_sig) + if (afl->limit_time_sig) { + FATAL( "MOpt and Python mutator are mutually exclusive. We accept pull " "requests that integrates MOpt with the optional mutators " "(custom/radamsa/redqueen/...)."); + } + load_custom_mutator_py(afl, module_name); } @@ -76,7 +82,7 @@ void destroy_custom_mutator(afl_state_t *afl) { afl->mutator->afl_custom_deinit(afl->mutator->data); - if (afl->mutator->dh) dlclose(afl->mutator->dh); + if (afl->mutator->dh) { dlclose(afl->mutator->dh); } if (afl->mutator->pre_save_buf) { @@ -104,20 +110,26 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) { ACTF("Loading custom mutator library from '%s'...", fn); dh = dlopen(fn, RTLD_NOW); - if (!dh) FATAL("%s", dlerror()); + if (!dh) { FATAL("%s", dlerror()); } afl->mutator->dh = dh; /* Mutator */ /* "afl_custom_init", required */ afl->mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!afl->mutator->afl_custom_init) + if (!afl->mutator->afl_custom_init) { + FATAL("Symbol 'afl_custom_init' not found."); + } + /* "afl_custom_deinit", required */ afl->mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!afl->mutator->afl_custom_deinit) + if (!afl->mutator->afl_custom_deinit) { + FATAL("Symbol 'afl_custom_deinit' not found."); + } + /* "afl_custom_fuzz" or "afl_custom_mutator", required */ afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); if (!afl->mutator->afl_custom_fuzz) { @@ -126,32 +138,47 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) { WARNF("Symbol 'afl_custom_fuzz' not found. Try 'afl_custom_mutator'."); afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); - if (!afl->mutator->afl_custom_fuzz) + if (!afl->mutator->afl_custom_fuzz) { + FATAL("Symbol 'afl_custom_mutator' not found."); + } + } /* "afl_custom_pre_save", optional */ afl->mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); - if (!afl->mutator->afl_custom_pre_save) + if (!afl->mutator->afl_custom_pre_save) { + WARNF("Symbol 'afl_custom_pre_save' not found."); + } + u8 notrim = 0; /* "afl_custom_init_trim", optional */ afl->mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); - if (!afl->mutator->afl_custom_init_trim) + if (!afl->mutator->afl_custom_init_trim) { + WARNF("Symbol 'afl_custom_init_trim' not found."); + } + /* "afl_custom_trim", optional */ afl->mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!afl->mutator->afl_custom_trim) + if (!afl->mutator->afl_custom_trim) { + WARNF("Symbol 'afl_custom_trim' not found."); + } + /* "afl_custom_post_trim", optional */ afl->mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); - if (!afl->mutator->afl_custom_post_trim) + if (!afl->mutator->afl_custom_post_trim) { + WARNF("Symbol 'afl_custom_post_trim' not found."); + } + if (notrim) { afl->mutator->afl_custom_init_trim = NULL; @@ -166,33 +193,48 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_havoc_mutation", optional */ afl->mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); - if (!afl->mutator->afl_custom_havoc_mutation) + if (!afl->mutator->afl_custom_havoc_mutation) { + WARNF("Symbol 'afl_custom_havoc_mutation' not found."); + } + /* "afl_custom_havoc_mutation", optional */ afl->mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); - if (!afl->mutator->afl_custom_havoc_mutation_probability) + if (!afl->mutator->afl_custom_havoc_mutation_probability) { + WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); + } + /* "afl_custom_queue_get", optional */ afl->mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); - if (!afl->mutator->afl_custom_queue_get) + if (!afl->mutator->afl_custom_queue_get) { + WARNF("Symbol 'afl_custom_queue_get' not found."); + } + /* "afl_custom_queue_new_entry", optional */ afl->mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); - if (!afl->mutator->afl_custom_queue_new_entry) + if (!afl->mutator->afl_custom_queue_new_entry) { + WARNF("Symbol 'afl_custom_queue_new_entry' not found"); + } + OKF("Custom mutator '%s' installed successfully.", fn); /* Initialize the custom mutator */ - if (afl->mutator->afl_custom_init) + if (afl->mutator->afl_custom_init) { + afl->mutator->data = afl->mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); + } + } u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { @@ -210,12 +252,19 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { afl->stage_cur = 0; afl->stage_max = afl->mutator->afl_custom_init_trim(afl->mutator->data, in_buf, q->len); - if (unlikely(afl->stage_max) < 0) + if (unlikely(afl->stage_max) < 0) { + FATAL("custom_init_trim error ret: %d", afl->stage_max); - if (afl->not_on_tty && afl->debug) + + } + + if (afl->not_on_tty && afl->debug) { + SAYF("[Custom Trimming] START: Max %d iterations, %u bytes", afl->stage_max, q->len); + } + while (afl->stage_cur < afl->stage_max) { u8 *retbuf = NULL; @@ -227,13 +276,18 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { size_t retlen = afl->mutator->afl_custom_trim(afl->mutator->data, &retbuf); - if (unlikely(!retbuf)) + if (unlikely(!retbuf)) { + FATAL("custom_trim failed (ret %zd)", retlen); - else if (unlikely(retlen > orig_len)) + + } else if (unlikely(retlen > orig_len)) { + FATAL( "Trimmed data returned by custom mutator is larger than original " "data"); + } + write_to_testcase(afl, retbuf, retlen); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); @@ -263,32 +317,45 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { afl->stage_cur = afl->mutator->afl_custom_post_trim(afl->mutator->data, 1); - if (afl->not_on_tty && afl->debug) + if (afl->not_on_tty && afl->debug) { + SAYF("[Custom Trimming] SUCCESS: %d/%d iterations (now at %u bytes)", afl->stage_cur, afl->stage_max, q->len); + } + } else { /* Tell the custom mutator that the trimming was unsuccessful */ afl->stage_cur = afl->mutator->afl_custom_post_trim(afl->mutator->data, 0); - if (unlikely(afl->stage_cur < 0)) + if (unlikely(afl->stage_cur < 0)) { + FATAL("Error ret in custom_post_trim: %d", afl->stage_cur); - if (afl->not_on_tty && afl->debug) + + } + + if (afl->not_on_tty && afl->debug) { + SAYF("[Custom Trimming] FAILURE: %d/%d iterations", afl->stage_cur, afl->stage_max); + } + } /* Since this can be slow, update the screen every now and then. */ - if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl); + if (!(trim_exec++ % afl->stats_update_freq)) { show_stats(afl); } } - if (afl->not_on_tty && afl->debug) + if (afl->not_on_tty && afl->debug) { + SAYF("[Custom Trimming] DONE: %u bytes -> %u bytes", orig_len, q->len); + } + /* If we have made changes to in_buf, we also need to update the on-disk version of the test case. */ @@ -300,7 +367,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", q->fname); + if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } ck_write(fd, in_buf, q->len, q->fname); close(fd); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a4ba739e..6d399a03 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -37,7 +37,7 @@ static int select_algorithm(afl_state_t *afl) { if (unlikely(i_puppet == 0)) { - if (sele < afl->probability_now[afl->swarm_now][i_puppet]) break; + if (sele < afl->probability_now[afl->swarm_now][i_puppet]) { break; } } else { @@ -53,8 +53,12 @@ static int select_algorithm(afl_state_t *afl) { } if (j_puppet == 1 && - sele < afl->probability_now[afl->swarm_now][i_puppet - 1]) + sele < afl->probability_now[afl->swarm_now][i_puppet - 1]) { + FATAL("error select_algorithm"); + + } + return i_puppet; } @@ -67,7 +71,7 @@ static u32 choose_block_len(afl_state_t *afl, u32 limit) { u32 min_value, max_value; u32 rlim = MIN(afl->queue_cycle, 3); - if (unlikely(!afl->run_over10m)) rlim = 1; + if (unlikely(!afl->run_over10m)) { rlim = 1; } switch (rand_below(afl, rlim)) { @@ -97,7 +101,7 @@ static u32 choose_block_len(afl_state_t *afl, u32 limit) { } - if (min_value >= limit) min_value = 1; + if (min_value >= limit) { min_value = 1; } return min_value + rand_below(afl, MIN(max_value, limit) - min_value + 1); @@ -114,7 +118,7 @@ static u8 could_be_bitflip(u32 xor_val) { u32 sh = 0; - if (!xor_val) return 1; + if (!xor_val) { return 1; } /* Shift left until first bit set. */ @@ -127,14 +131,18 @@ static u8 could_be_bitflip(u32 xor_val) { /* 1-, 2-, and 4-bit patterns are OK anywhere. */ - if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; + if (xor_val == 1 || xor_val == 3 || xor_val == 15) { return 1; } /* 8-, 16-, and 32-bit patterns are OK only if shift factor is divisible by 8, since that's the stepover for these ops. */ - if (sh & 7) return 0; + if (sh & 7) { return 0; } + + if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) { - if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) return 1; + return 1; + + } return 0; @@ -147,7 +155,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { u32 i, ov = 0, nv = 0, diffs = 0; - if (old_val == new_val) return 1; + if (old_val == new_val) { return 1; } /* See if one-byte adjustments to any byte could produce this result. */ @@ -169,11 +177,11 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (diffs == 1) { - if ((u8)(ov - nv) <= ARITH_MAX || (u8)(nv - ov) <= ARITH_MAX) return 1; + if ((u8)(ov - nv) <= ARITH_MAX || (u8)(nv - ov) <= ARITH_MAX) { return 1; } } - if (blen == 1) return 0; + if (blen == 1) { return 0; } /* See if two-byte adjustments to any byte would produce this result. */ @@ -197,12 +205,20 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (diffs == 1) { - if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) return 1; + if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) { + + return 1; + + } ov = SWAP16(ov); nv = SWAP16(nv); - if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) return 1; + if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) { + + return 1; + + } } @@ -211,16 +227,22 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (blen == 4) { if ((u32)(old_val - new_val) <= ARITH_MAX || - (u32)(new_val - old_val) <= ARITH_MAX) + (u32)(new_val - old_val) <= ARITH_MAX) { + return 1; + } + new_val = SWAP32(new_val); old_val = SWAP32(old_val); if ((u32)(old_val - new_val) <= ARITH_MAX || - (u32)(new_val - old_val) <= ARITH_MAX) + (u32)(new_val - old_val) <= ARITH_MAX) { + return 1; + } + } return 0; @@ -237,7 +259,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { u32 i, j; - if (old_val == new_val) return 1; + if (old_val == new_val) { return 1; } /* See if one-byte insertions from interesting_8 over old_val could produce new_val. */ @@ -249,7 +271,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { u32 tval = (old_val & ~(0xff << (i * 8))) | (((u8)interesting_8[j]) << (i * 8)); - if (new_val == tval) return 1; + if (new_val == tval) { return 1; } } @@ -258,7 +280,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { /* Bail out unless we're also asked to examine two-byte LE insertions as a preparation for BE attempts. */ - if (blen == 2 && !check_le) return 0; + if (blen == 2 && !check_le) { return 0; } /* See if two-byte insertions over old_val could give us new_val. */ @@ -269,7 +291,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { u32 tval = (old_val & ~(0xffff << (i * 8))) | (((u16)interesting_16[j]) << (i * 8)); - if (new_val == tval) return 1; + if (new_val == tval) { return 1; } /* Continue here only if blen > 2. */ @@ -278,7 +300,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { tval = (old_val & ~(0xffff << (i * 8))) | (SWAP16(interesting_16[j]) << (i * 8)); - if (new_val == tval) return 1; + if (new_val == tval) { return 1; } } @@ -291,8 +313,11 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { /* See if four-byte insertions could produce the same result (LE only). */ - for (j = 0; j < sizeof(interesting_32) / 4; ++j) - if (new_val == (u32)interesting_32[j]) return 1; + for (j = 0; j < sizeof(interesting_32) / 4; ++j) { + + if (new_val == (u32)interesting_32[j]) { return 1; } + + } } @@ -315,7 +340,7 @@ static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) { if (*(ptr1++) != *(ptr2++)) { - if (f_loc == -1) f_loc = pos; + if (f_loc == -1) { f_loc = pos; } l_loc = pos; } @@ -364,9 +389,12 @@ u8 fuzz_one_original(afl_state_t *afl) { /* The custom mutator will decide to skip this test case or not. */ if (!afl->mutator->afl_custom_queue_get(afl->mutator->data, - afl->queue_cur->fname)) + afl->queue_cur->fname)) { + return 1; + } + } if (likely(afl->pending_favored)) { @@ -377,9 +405,12 @@ u8 fuzz_one_original(afl_state_t *afl) { if (((afl->queue_cur->was_fuzzed > 0 || afl->queue_cur->fuzz_level > 0) || !afl->queue_cur->favored) && - rand_below(afl, 100) < SKIP_TO_NEW_PROB) + rand_below(afl, 100) < SKIP_TO_NEW_PROB) { + return 1; + } + } else if (!afl->dumb_mode && !afl->queue_cur->favored && afl->queued_paths > 10) { @@ -391,11 +422,11 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->queue_cycle > 1 && (afl->queue_cur->fuzz_level == 0 || afl->queue_cur->was_fuzzed)) { - if (rand_below(afl, 100) < SKIP_NFAV_NEW_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_NEW_PROB) { return 1; } } else { - if (rand_below(afl, 100) < SKIP_NFAV_OLD_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_OLD_PROB) { return 1; } } @@ -415,15 +446,22 @@ u8 fuzz_one_original(afl_state_t *afl) { fd = open(afl->queue_cur->fname, O_RDONLY); - if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", afl->queue_cur->fname); + if (unlikely(fd < 0)) { + + PFATAL("Unable to open '%s'", afl->queue_cur->fname); + + } len = afl->queue_cur->len; orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (unlikely(orig_in == MAP_FAILED)) + if (unlikely(orig_in == MAP_FAILED)) { + PFATAL("Unable to mmap '%s' with len %d", afl->queue_cur->fname, len); + } + close(fd); /* We could mmap() out_buf as MAP_PRIVATE, but we end up clobbering every @@ -449,9 +487,12 @@ u8 fuzz_one_original(afl_state_t *afl) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (unlikely(res == FSRV_RUN_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) { + FATAL("Unable to execute target application"); + } + } if (unlikely(afl->stop_soon) || res != afl->crash_mode) { @@ -471,9 +512,12 @@ u8 fuzz_one_original(afl_state_t *afl) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (unlikely(res == FSRV_RUN_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) { + FATAL("Unable to execute target application"); + } + if (unlikely(afl->stop_soon)) { ++afl->cur_skipped_paths; @@ -497,16 +541,19 @@ u8 fuzz_one_original(afl_state_t *afl) { orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (unlikely(perf_score == 0)) goto abandon_entry; + if (unlikely(perf_score == 0)) { goto abandon_entry; } - if (unlikely(afl->use_radamsa > 1)) goto radamsa_stage; + if (unlikely(afl->use_radamsa > 1)) { goto radamsa_stage; } if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { if (input_to_state_stage(afl, in_buf, out_buf, len, - afl->queue_cur->exec_cksum)) + afl->queue_cur->exec_cksum)) { + goto abandon_entry; + } + } /* Skip right away if -d is given, if it has not been chosen sufficiently @@ -568,7 +615,7 @@ u8 fuzz_one_original(afl_state_t *afl) { FLIP_BIT(out_buf, afl->stage_cur); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } FLIP_BIT(out_buf, afl->stage_cur); @@ -608,21 +655,31 @@ u8 fuzz_one_original(afl_state_t *afl) { /* If at end of file and we are still collecting a string, grab the final character and force output. */ - if (a_len < MAX_AUTO_EXTRA) + if (a_len < MAX_AUTO_EXTRA) { + a_collect[a_len] = out_buf[afl->stage_cur >> 3]; + + } + ++a_len; - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) { + maybe_add_auto((u8 *)afl, a_collect, a_len); + } + } else if (cksum != prev_cksum) { /* Otherwise, if the checksum has changed, see if we have something worthwhile queued up, and collect that if the answer is yes. */ - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) { + maybe_add_auto((u8 *)afl, a_collect, a_len); + } + a_len = 0; prev_cksum = cksum; @@ -633,8 +690,12 @@ u8 fuzz_one_original(afl_state_t *afl) { if (cksum != afl->queue_cur->exec_cksum) { - if (a_len < MAX_AUTO_EXTRA) + if (a_len < MAX_AUTO_EXTRA) { + a_collect[a_len] = out_buf[afl->stage_cur >> 3]; + + } + ++a_len; } @@ -663,7 +724,7 @@ u8 fuzz_one_original(afl_state_t *afl) { FLIP_BIT(out_buf, afl->stage_cur); FLIP_BIT(out_buf, afl->stage_cur + 1); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } FLIP_BIT(out_buf, afl->stage_cur); FLIP_BIT(out_buf, afl->stage_cur + 1); @@ -692,7 +753,7 @@ u8 fuzz_one_original(afl_state_t *afl) { FLIP_BIT(out_buf, afl->stage_cur + 2); FLIP_BIT(out_buf, afl->stage_cur + 3); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } FLIP_BIT(out_buf, afl->stage_cur); FLIP_BIT(out_buf, afl->stage_cur + 1); @@ -746,7 +807,7 @@ u8 fuzz_one_original(afl_state_t *afl) { out_buf[afl->stage_cur] ^= 0xFF; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } /* We also use this stage to pull off a simple trick: we identify bytes that seem to have no effect on the current execution path @@ -760,11 +821,16 @@ u8 fuzz_one_original(afl_state_t *afl) { /* If in dumb mode or if the file is very short, just flag everything without wasting time on checksums. */ - if (!afl->dumb_mode && len >= EFF_MIN_LEN) + if (!afl->dumb_mode && len >= EFF_MIN_LEN) { + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - else + + } else { + cksum = ~afl->queue_cur->exec_cksum; + } + if (cksum != afl->queue_cur->exec_cksum) { eff_map[EFF_APOS(afl->stage_cur)] = 1; @@ -804,7 +870,7 @@ u8 fuzz_one_original(afl_state_t *afl) { /* Two walking bytes. */ - if (len < 2) goto skip_bitflip; + if (len < 2) { goto skip_bitflip; } afl->stage_name = "bitflip 16/8"; afl->stage_short = "flip16"; @@ -828,7 +894,7 @@ u8 fuzz_one_original(afl_state_t *afl) { *(u16 *)(out_buf + i) ^= 0xFFFF; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; *(u16 *)(out_buf + i) ^= 0xFFFF; @@ -840,7 +906,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; - if (len < 4) goto skip_bitflip; + if (len < 4) { goto skip_bitflip; } /* Four walking bytes. */ @@ -866,7 +932,7 @@ u8 fuzz_one_original(afl_state_t *afl) { *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; @@ -880,7 +946,7 @@ u8 fuzz_one_original(afl_state_t *afl) { skip_bitflip: - if (afl->no_arith) goto skip_arith; + if (afl->no_arith) { goto skip_arith; } /********************** * ARITHMETIC INC/DEC * @@ -924,13 +990,15 @@ skip_bitflip: afl->stage_cur_val = j; out_buf[i] = orig + j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + r = orig ^ (orig - j); if (!could_be_bitflip(r)) { @@ -938,13 +1006,15 @@ skip_bitflip: afl->stage_cur_val = -j; out_buf[i] = orig - j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + out_buf[i] = orig; } @@ -958,7 +1028,7 @@ skip_bitflip: /* 16-bit arithmetics, both endians. */ - if (len < 2) goto skip_arith; + if (len < 2) { goto skip_arith; } afl->stage_name = "arith 16/8"; afl->stage_short = "arith16"; @@ -1000,25 +1070,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u16 *)(out_buf + i) = orig + j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((orig & 0xff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; *(u16 *)(out_buf + i) = orig - j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + /* Big endian comes next. Same deal. */ afl->stage_val_type = STAGE_VAL_BE; @@ -1028,25 +1102,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((orig >> 8) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + *(u16 *)(out_buf + i) = orig; } @@ -1060,7 +1138,7 @@ skip_bitflip: /* 32-bit arithmetics, both endians. */ - if (len < 4) goto skip_arith; + if (len < 4) { goto skip_arith; } afl->stage_name = "arith 32/8"; afl->stage_short = "arith32"; @@ -1101,25 +1179,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u32 *)(out_buf + i) = orig + j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; *(u32 *)(out_buf + i) = orig - j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + /* Big endian next. */ afl->stage_val_type = STAGE_VAL_BE; @@ -1129,25 +1211,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + *(u32 *)(out_buf + i) = orig; } @@ -1206,7 +1292,7 @@ skip_arith: afl->stage_cur_val = interesting_8[j]; out_buf[i] = interesting_8[j]; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } out_buf[i] = orig; ++afl->stage_cur; @@ -1222,7 +1308,7 @@ skip_arith: /* Setting 16-bit integers, both endians. */ - if (afl->no_arith || len < 2) goto skip_interest; + if (afl->no_arith || len < 2) { goto skip_interest; } afl->stage_name = "interest 16/8"; afl->stage_short = "int16"; @@ -1261,13 +1347,15 @@ skip_arith: *(u16 *)(out_buf + i) = interesting_16[j]; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && @@ -1276,13 +1364,15 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + } *(u16 *)(out_buf + i) = orig; @@ -1294,7 +1384,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; - if (len < 4) goto skip_interest; + if (len < 4) { goto skip_interest; } /* Setting 32-bit integers, both endians. */ @@ -1336,13 +1426,15 @@ skip_arith: *(u32 *)(out_buf + i) = interesting_32[j]; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && @@ -1351,13 +1443,15 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + } *(u32 *)(out_buf + i) = orig; @@ -1375,7 +1469,7 @@ skip_interest: * DICTIONARY STUFF * ********************/ - if (!afl->extras_cnt) goto skip_user_extras; + if (!afl->extras_cnt) { goto skip_user_extras; } /* Overwrite with user-supplied extras. */ @@ -1421,7 +1515,7 @@ skip_interest: last_len = afl->extras[j].len; memcpy(out_buf + i, afl->extras[j].data, last_len); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; @@ -1489,7 +1583,7 @@ skip_interest: skip_user_extras: - if (!afl->a_extras_cnt) goto skip_extras; + if (!afl->a_extras_cnt) { goto skip_extras; } afl->stage_name = "auto extras (over)"; afl->stage_short = "ext_AO"; @@ -1523,7 +1617,7 @@ skip_user_extras: last_len = afl->a_extras[j].len; memcpy(out_buf + i, afl->a_extras[j].data, last_len); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; @@ -1545,22 +1639,22 @@ skip_extras: we're properly done with deterministic steps and can mark it as such in the .state/ directory. */ - if (!afl->queue_cur->passed_det) mark_as_det_done(afl, afl->queue_cur); + if (!afl->queue_cur->passed_det) { mark_as_det_done(afl, afl->queue_cur); } custom_mutator_stage: /******************* * CUSTOM MUTATORS * *******************/ - if (likely(!afl->mutator)) goto havoc_stage; - if (likely(!afl->mutator->afl_custom_fuzz)) goto havoc_stage; + if (likely(!afl->mutator)) { goto havoc_stage; } + if (likely(!afl->mutator->afl_custom_fuzz)) { goto havoc_stage; } afl->stage_name = "custom mutator"; afl->stage_short = "custom"; afl->stage_max = HAVOC_CYCLES * perf_score / afl->havoc_div / 100; afl->stage_val_type = STAGE_VAL_NONE; - if (afl->stage_max < HAVOC_MIN) afl->stage_max = HAVOC_MIN; + if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; } const u32 max_seed_size = MAX_FILE; @@ -1589,9 +1683,12 @@ custom_mutator_stage: } - while (tid--) + while (tid--) { + target = target->next; + } + /* Make sure that the target has a reasonable length. */ while (target && (target->len < 2 || target == afl->queue_cur) && @@ -1602,11 +1699,11 @@ custom_mutator_stage: } - if (!target) goto retry_external_pick; + if (!target) { goto retry_external_pick; } /* Read the additional testcase into a new buffer. */ fd = open(target->fname, O_RDONLY); - if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", target->fname); + if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); } new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), target->len); ck_read(fd, new_buf, target->len, target->fname); @@ -1618,9 +1715,12 @@ custom_mutator_stage: afl->mutator->data, out_buf, len, &mutated_buf, new_buf, target->len, max_seed_size); - if (unlikely(!mutated_buf)) + if (unlikely(!mutated_buf)) { + FATAL("Error in custom_fuzz. Size returned: %zd", mutated_size); + } + if (mutated_size > 0) { if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) { @@ -1695,7 +1795,7 @@ havoc_stage: } - if (afl->stage_max < HAVOC_MIN) afl->stage_max = HAVOC_MIN; + if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; } temp_len = len; @@ -1710,11 +1810,14 @@ havoc_stage: stacked_custom_prob = afl->mutator->afl_custom_havoc_mutation_probability(afl->mutator->data); - if (stacked_custom_prob > 100) + if (stacked_custom_prob > 100) { + FATAL( "The probability returned by afl_custom_havoc_mutation_propability " "has to be in the range 0-100."); + } + } /* We essentially just do several thousand runs (depending on perf_score) @@ -1733,8 +1836,12 @@ havoc_stage: u8 * custom_havoc_buf = NULL; size_t new_len = afl->mutator->afl_custom_havoc_mutation( afl->mutator->data, out_buf, temp_len, &custom_havoc_buf, MAX_FILE); - if (unlikely(!custom_havoc_buf)) + if (unlikely(!custom_havoc_buf)) { + FATAL("Error in custom_havoc (return %zd)", new_len); + + } + if (likely(new_len > 0 && custom_havoc_buf)) { temp_len = new_len; @@ -1771,7 +1878,7 @@ havoc_stage: /* Set word to interesting value, randomly choosing endian. */ - if (temp_len < 2) break; + if (temp_len < 2) { break; } if (rand_below(afl, 2)) { @@ -1791,7 +1898,7 @@ havoc_stage: /* Set dword to interesting value, randomly choosing endian. */ - if (temp_len < 4) break; + if (temp_len < 4) { break; } if (rand_below(afl, 2)) { @@ -1825,7 +1932,7 @@ havoc_stage: /* Randomly subtract from word, random endian. */ - if (temp_len < 2) break; + if (temp_len < 2) { break; } if (rand_below(afl, 2)) { @@ -1849,7 +1956,7 @@ havoc_stage: /* Randomly add to word, random endian. */ - if (temp_len < 2) break; + if (temp_len < 2) { break; } if (rand_below(afl, 2)) { @@ -1873,7 +1980,7 @@ havoc_stage: /* Randomly subtract from dword, random endian. */ - if (temp_len < 4) break; + if (temp_len < 4) { break; } if (rand_below(afl, 2)) { @@ -1897,7 +2004,7 @@ havoc_stage: /* Randomly add to dword, random endian. */ - if (temp_len < 4) break; + if (temp_len < 4) { break; } if (rand_below(afl, 2)) { @@ -1934,7 +2041,7 @@ havoc_stage: u32 del_from, del_len; - if (temp_len < 2) break; + if (temp_len < 2) { break; } /* Don't delete too much. */ @@ -1984,14 +2091,19 @@ havoc_stage: /* Inserted part */ - if (actually_clone) + if (actually_clone) { + memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); - else + + } else { + memset(new_buf + clone_to, rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], clone_len); + } + /* Tail */ memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, temp_len - clone_to); @@ -2012,7 +2124,7 @@ havoc_stage: u32 copy_from, copy_to, copy_len; - if (temp_len < 2) break; + if (temp_len < 2) { break; } copy_len = choose_block_len(afl, temp_len - 1); @@ -2021,16 +2133,21 @@ havoc_stage: if (rand_below(afl, 4)) { - if (copy_from != copy_to) + if (copy_from != copy_to) { + memmove(out_buf + copy_to, out_buf + copy_from, copy_len); - } else + } + + } else { memset(out_buf + copy_to, rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], copy_len); + } + break; } @@ -2051,7 +2168,7 @@ havoc_stage: u32 extra_len = afl->a_extras[use_extra].len; u32 insert_at; - if (extra_len > temp_len) break; + if (extra_len > temp_len) { break; } insert_at = rand_below(afl, temp_len - extra_len + 1); memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, @@ -2065,7 +2182,7 @@ havoc_stage: u32 extra_len = afl->extras[use_extra].len; u32 insert_at; - if (extra_len > temp_len) break; + if (extra_len > temp_len) { break; } insert_at = rand_below(afl, temp_len - extra_len + 1); memcpy(out_buf + insert_at, afl->extras[use_extra].data, extra_len); @@ -2089,7 +2206,7 @@ havoc_stage: use_extra = rand_below(afl, afl->a_extras_cnt); extra_len = afl->a_extras[use_extra].len; - if (temp_len + extra_len >= MAX_FILE) break; + if (temp_len + extra_len >= MAX_FILE) { break; } new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len); @@ -2106,7 +2223,7 @@ havoc_stage: use_extra = rand_below(afl, afl->extras_cnt); extra_len = afl->extras[use_extra].len; - if (temp_len + extra_len >= MAX_FILE) break; + if (temp_len + extra_len >= MAX_FILE) { break; } new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len); @@ -2136,7 +2253,7 @@ havoc_stage: } - if (common_fuzz_stuff(afl, out_buf, temp_len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, temp_len)) { goto abandon_entry; } /* out_buf might have been mangled a bit, so let's restore it to its original size and shape. */ @@ -2226,9 +2343,12 @@ retry_splicing: } - while (tid--) + while (tid--) { + target = target->next; + } + /* Make sure that the target has a reasonable length. */ while (target && (target->len < 2 || target == afl->queue_cur)) { @@ -2238,13 +2358,13 @@ retry_splicing: } - if (!target) goto retry_splicing; + if (!target) { goto retry_splicing; } /* Read the testcase into a new buffer. */ fd = open(target->fname, O_RDONLY); - if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", target->fname); + if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); } new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), target->len); @@ -2288,14 +2408,18 @@ retry_splicing: radamsa_stage: - if (likely(!afl->use_radamsa || !afl->radamsa_mutate_ptr)) goto abandon_entry; + if (likely(!afl->use_radamsa || !afl->radamsa_mutate_ptr)) { + + goto abandon_entry; + + } afl->stage_name = "radamsa"; afl->stage_short = "radamsa"; afl->stage_max = (HAVOC_CYCLES * perf_score / afl->havoc_div / 100) << afl->use_radamsa; - if (afl->stage_max < HAVOC_MIN) afl->stage_max = HAVOC_MIN; + if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; } orig_hit_cnt = afl->queued_paths + afl->unique_crashes; @@ -2351,7 +2475,7 @@ abandon_entry: --afl->pending_not_fuzzed; afl->queue_cur->was_fuzzed = 1; - if (afl->queue_cur->favored) --afl->pending_favored; + if (afl->queue_cur->favored) { --afl->pending_favored; } } @@ -2405,9 +2529,12 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { cases. */ if ((afl->queue_cur->was_fuzzed || !afl->queue_cur->favored) && - rand_below(afl, 100) < SKIP_TO_NEW_PROB) + rand_below(afl, 100) < SKIP_TO_NEW_PROB) { + return 1; + } + } else if (!afl->dumb_mode && !afl->queue_cur->favored && afl->queued_paths > 10) { @@ -2418,11 +2545,11 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cycle > 1 && !afl->queue_cur->was_fuzzed) { - if (rand_below(afl, 100) < SKIP_NFAV_NEW_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_NEW_PROB) { return 1; } } else { - if (rand_below(afl, 100) < SKIP_NFAV_OLD_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_OLD_PROB) { return 1; } } @@ -2442,15 +2569,18 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { fd = open(afl->queue_cur->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", afl->queue_cur->fname); + if (fd < 0) { PFATAL("Unable to open '%s'", afl->queue_cur->fname); } len = afl->queue_cur->len; orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (orig_in == MAP_FAILED) + if (orig_in == MAP_FAILED) { + PFATAL("Unable to mmap '%s'", afl->queue_cur->fname); + } + close(fd); /* We could mmap() out_buf as MAP_PRIVATE, but we end up clobbering every @@ -2476,7 +2606,11 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (res == FSRV_RUN_ERROR) FATAL("Unable to execute target application"); + if (res == FSRV_RUN_ERROR) { + + FATAL("Unable to execute target application"); + + } } @@ -2497,7 +2631,11 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (res == FSRV_RUN_ERROR) FATAL("Unable to execute target application"); + if (res == FSRV_RUN_ERROR) { + + FATAL("Unable to execute target application"); + + } if (afl->stop_soon) { @@ -2525,9 +2663,12 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { if (input_to_state_stage(afl, in_buf, out_buf, len, - afl->queue_cur->exec_cksum)) + afl->queue_cur->exec_cksum)) { + goto abandon_entry; + } + } /* Go to pacemker fuzzing if MOpt is doing well */ @@ -2549,16 +2690,22 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { testing in earlier, resumed runs (passed_det). */ if (afl->skip_deterministic || afl->queue_cur->was_fuzzed || - afl->queue_cur->passed_det) + afl->queue_cur->passed_det) { + goto havoc_stage; + } + /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this master instance. */ if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) + (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) { + goto havoc_stage; + } + doing_det = 1; /********************************************* @@ -2592,7 +2739,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { FLIP_BIT(out_buf, afl->stage_cur); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } FLIP_BIT(out_buf, afl->stage_cur); @@ -2632,21 +2779,31 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { /* If at end of file and we are still collecting a string, grab the final character and force output. */ - if (a_len < MAX_AUTO_EXTRA) + if (a_len < MAX_AUTO_EXTRA) { + a_collect[a_len] = out_buf[afl->stage_cur >> 3]; + + } + ++a_len; - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) { + maybe_add_auto((u8 *)afl, a_collect, a_len); + } + } else if (cksum != prev_cksum) { /* Otherwise, if the checksum has changed, see if we have something worthwhile queued up, and collect that if the answer is yes. */ - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) { + maybe_add_auto((u8 *)afl, a_collect, a_len); + } + a_len = 0; prev_cksum = cksum; @@ -2657,8 +2814,12 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (cksum != afl->queue_cur->exec_cksum) { - if (a_len < MAX_AUTO_EXTRA) + if (a_len < MAX_AUTO_EXTRA) { + a_collect[a_len] = out_buf[afl->stage_cur >> 3]; + + } + ++a_len; } @@ -2687,7 +2848,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { FLIP_BIT(out_buf, afl->stage_cur); FLIP_BIT(out_buf, afl->stage_cur + 1); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } FLIP_BIT(out_buf, afl->stage_cur); FLIP_BIT(out_buf, afl->stage_cur + 1); @@ -2716,7 +2877,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { FLIP_BIT(out_buf, afl->stage_cur + 2); FLIP_BIT(out_buf, afl->stage_cur + 3); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } FLIP_BIT(out_buf, afl->stage_cur); FLIP_BIT(out_buf, afl->stage_cur + 1); @@ -2770,7 +2931,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { out_buf[afl->stage_cur] ^= 0xFF; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } /* We also use this stage to pull off a simple trick: we identify bytes that seem to have no effect on the current execution path @@ -2784,11 +2945,16 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { /* If in dumb mode or if the file is very short, just flag everything without wasting time on checksums. */ - if (!afl->dumb_mode && len >= EFF_MIN_LEN) + if (!afl->dumb_mode && len >= EFF_MIN_LEN) { + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - else + + } else { + cksum = ~afl->queue_cur->exec_cksum; + } + if (cksum != afl->queue_cur->exec_cksum) { eff_map[EFF_APOS(afl->stage_cur)] = 1; @@ -2828,7 +2994,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { /* Two walking bytes. */ - if (len < 2) goto skip_bitflip; + if (len < 2) { goto skip_bitflip; } afl->stage_name = "bitflip 16/8"; afl->stage_short = "flip16"; @@ -2852,7 +3018,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { *(u16 *)(out_buf + i) ^= 0xFFFF; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; *(u16 *)(out_buf + i) ^= 0xFFFF; @@ -2864,7 +3030,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; - if (len < 4) goto skip_bitflip; + if (len < 4) { goto skip_bitflip; } /* Four walking bytes. */ @@ -2890,7 +3056,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; @@ -2904,7 +3070,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { skip_bitflip: - if (afl->no_arith) goto skip_arith; + if (afl->no_arith) { goto skip_arith; } /********************** * ARITHMETIC INC/DEC * @@ -2948,13 +3114,15 @@ skip_bitflip: afl->stage_cur_val = j; out_buf[i] = orig + j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + r = orig ^ (orig - j); if (!could_be_bitflip(r)) { @@ -2962,13 +3130,15 @@ skip_bitflip: afl->stage_cur_val = -j; out_buf[i] = orig - j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + out_buf[i] = orig; } @@ -2982,7 +3152,7 @@ skip_bitflip: /* 16-bit arithmetics, both endians. */ - if (len < 2) goto skip_arith; + if (len < 2) { goto skip_arith; } afl->stage_name = "arith 16/8"; afl->stage_short = "arith16"; @@ -3024,25 +3194,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u16 *)(out_buf + i) = orig + j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((orig & 0xff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; *(u16 *)(out_buf + i) = orig - j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + /* Big endian comes next. Same deal. */ afl->stage_val_type = STAGE_VAL_BE; @@ -3052,25 +3226,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((orig >> 8) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + *(u16 *)(out_buf + i) = orig; } @@ -3084,7 +3262,7 @@ skip_bitflip: /* 32-bit arithmetics, both endians. */ - if (len < 4) goto skip_arith; + if (len < 4) { goto skip_arith; } afl->stage_name = "arith 32/8"; afl->stage_short = "arith32"; @@ -3125,25 +3303,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u32 *)(out_buf + i) = orig + j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; *(u32 *)(out_buf + i) = orig - j; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + /* Big endian next. */ afl->stage_val_type = STAGE_VAL_BE; @@ -3153,25 +3335,29 @@ skip_bitflip: afl->stage_cur_val = j; *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + *(u32 *)(out_buf + i) = orig; } @@ -3230,7 +3416,7 @@ skip_arith: afl->stage_cur_val = interesting_8[j]; out_buf[i] = interesting_8[j]; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } out_buf[i] = orig; ++afl->stage_cur; @@ -3246,7 +3432,7 @@ skip_arith: /* Setting 16-bit integers, both endians. */ - if (afl->no_arith || len < 2) goto skip_interest; + if (afl->no_arith || len < 2) { goto skip_interest; } afl->stage_name = "interest 16/8"; afl->stage_short = "int16"; @@ -3285,13 +3471,15 @@ skip_arith: *(u16 *)(out_buf + i) = interesting_16[j]; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && @@ -3300,13 +3488,15 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + } *(u16 *)(out_buf + i) = orig; @@ -3318,7 +3508,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; - if (len < 4) goto skip_interest; + if (len < 4) { goto skip_interest; } /* Setting 32-bit integers, both endians. */ @@ -3360,13 +3550,15 @@ skip_arith: *(u32 *)(out_buf + i) = interesting_32[j]; - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && @@ -3375,13 +3567,15 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; - } else + } else { --afl->stage_max; + } + } *(u32 *)(out_buf + i) = orig; @@ -3399,7 +3593,7 @@ skip_interest: * DICTIONARY STUFF * ********************/ - if (!afl->extras_cnt) goto skip_user_extras; + if (!afl->extras_cnt) { goto skip_user_extras; } /* Overwrite with user-supplied extras. */ @@ -3445,7 +3639,7 @@ skip_interest: last_len = afl->extras[j].len; memcpy(out_buf + i, afl->extras[j].data, last_len); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; @@ -3513,7 +3707,7 @@ skip_interest: skip_user_extras: - if (!afl->a_extras_cnt) goto skip_extras; + if (!afl->a_extras_cnt) { goto skip_extras; } afl->stage_name = "auto extras (over)"; afl->stage_short = "ext_AO"; @@ -3547,7 +3741,7 @@ skip_user_extras: last_len = afl->a_extras[j].len; memcpy(out_buf + i, afl->a_extras[j].data, last_len); - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; } ++afl->stage_cur; @@ -3569,7 +3763,7 @@ skip_extras: we're properly done with deterministic steps and can mark it as such in the .state/ directory. */ - if (!afl->queue_cur->passed_det) mark_as_det_done(afl, afl->queue_cur); + if (!afl->queue_cur->passed_det) { mark_as_det_done(afl, afl->queue_cur); } /**************** * RANDOM HAVOC * @@ -3652,7 +3846,7 @@ pacemaker_fuzzing: } - if (afl->stage_max < HAVOC_MIN) afl->stage_max = HAVOC_MIN; + if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; } temp_len = len; @@ -3684,7 +3878,7 @@ pacemaker_fuzzing: break; case 1: - if (temp_len < 2) break; + if (temp_len < 2) { break; } temp_len_puppet = rand_below(afl, (temp_len << 3) - 1); FLIP_BIT(out_buf, temp_len_puppet); FLIP_BIT(out_buf, temp_len_puppet + 1); @@ -3692,7 +3886,7 @@ pacemaker_fuzzing: break; case 2: - if (temp_len < 2) break; + if (temp_len < 2) { break; } temp_len_puppet = rand_below(afl, (temp_len << 3) - 3); FLIP_BIT(out_buf, temp_len_puppet); FLIP_BIT(out_buf, temp_len_puppet + 1); @@ -3702,19 +3896,19 @@ pacemaker_fuzzing: break; case 3: - if (temp_len < 4) break; + if (temp_len < 4) { break; } out_buf[rand_below(afl, temp_len)] ^= 0xFF; MOpt_globals.cycles_v2[STAGE_FLIP8] += 1; break; case 4: - if (temp_len < 8) break; + if (temp_len < 8) { break; } *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) ^= 0xFFFF; MOpt_globals.cycles_v2[STAGE_FLIP16] += 1; break; case 5: - if (temp_len < 8) break; + if (temp_len < 8) { break; } *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) ^= 0xFFFFFFFF; MOpt_globals.cycles_v2[STAGE_FLIP32] += 1; break; @@ -3729,7 +3923,7 @@ pacemaker_fuzzing: case 7: /* Randomly subtract from word, random endian. */ - if (temp_len < 8) break; + if (temp_len < 8) { break; } if (rand_below(afl, 2)) { u32 pos = rand_below(afl, temp_len - 1); @@ -3764,7 +3958,7 @@ pacemaker_fuzzing: case 8: /* Randomly subtract from dword, random endian. */ - if (temp_len < 8) break; + if (temp_len < 8) { break; } if (rand_below(afl, 2)) { u32 pos = rand_below(afl, temp_len - 3); @@ -3800,7 +3994,7 @@ pacemaker_fuzzing: case 9: /* Set byte to interesting value. */ - if (temp_len < 4) break; + if (temp_len < 4) { break; } out_buf[rand_below(afl, temp_len)] = interesting_8[rand_below(afl, sizeof(interesting_8))]; MOpt_globals.cycles_v2[STAGE_INTEREST8] += 1; @@ -3808,7 +4002,7 @@ pacemaker_fuzzing: case 10: /* Set word to interesting value, randomly choosing endian. */ - if (temp_len < 8) break; + if (temp_len < 8) { break; } if (rand_below(afl, 2)) { *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = @@ -3829,7 +4023,7 @@ pacemaker_fuzzing: case 11: /* Set dword to interesting value, randomly choosing endian. */ - if (temp_len < 8) break; + if (temp_len < 8) { break; } if (rand_below(afl, 2)) { @@ -3866,7 +4060,7 @@ pacemaker_fuzzing: u32 del_from, del_len; - if (temp_len < 2) break; + if (temp_len < 2) { break; } /* Don't delete too much. */ @@ -3917,15 +4111,20 @@ pacemaker_fuzzing: /* Inserted part */ - if (actually_clone) + if (actually_clone) { + memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); - else + + } else { + memset(new_buf + clone_to, rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], clone_len); + } + /* Tail */ memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, temp_len - clone_to); @@ -3946,7 +4145,7 @@ pacemaker_fuzzing: u32 copy_from, copy_to, copy_len; - if (temp_len < 2) break; + if (temp_len < 2) { break; } copy_len = choose_block_len(afl, temp_len - 1); @@ -3955,15 +4154,21 @@ pacemaker_fuzzing: if (rand_below(afl, 4)) { - if (copy_from != copy_to) + if (copy_from != copy_to) { + memmove(out_buf + copy_to, out_buf + copy_from, copy_len); - } else + } + + } else { memset(out_buf + copy_to, rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], copy_len); + + } + MOpt_globals.cycles_v2[STAGE_OverWrite75] += 1; break; @@ -3977,9 +4182,12 @@ pacemaker_fuzzing: u64 temp_total_found = afl->queued_paths + afl->unique_crashes; - if (common_fuzz_stuff(afl, out_buf, temp_len)) + if (common_fuzz_stuff(afl, out_buf, temp_len)) { + goto abandon_entry_puppet; + } + /* out_buf might have been mangled a bit, so let's restore it to its original size and shape. */ @@ -4011,9 +4219,12 @@ pacemaker_fuzzing: afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet; for (i = 0; i < operator_num; ++i) { - if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) + if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) { + MOpt_globals.finds_v2[i] += temp_temp_puppet; + } + } } /* if */ @@ -4085,9 +4296,12 @@ pacemaker_fuzzing: } - while (tid--) + while (tid--) { + target = target->next; + } + /* Make sure that the target has a reasonable length. */ while (target && (target->len < 2 || target == afl->queue_cur)) { @@ -4097,13 +4311,13 @@ pacemaker_fuzzing: } - if (!target) goto retry_splicing_puppet; + if (!target) { goto retry_splicing_puppet; } /* Read the testcase into a new buffer. */ fd = open(target->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + if (fd < 0) { PFATAL("Unable to open '%s'", target->fname); } new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), target->len); @@ -4147,12 +4361,15 @@ pacemaker_fuzzing: abandon_entry: abandon_entry_puppet: - if (splice_cycle >= afl->SPLICE_CYCLES_puppet) + if (splice_cycle >= afl->SPLICE_CYCLES_puppet) { + afl->SPLICE_CYCLES_puppet = (rand_below( afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + SPLICE_CYCLES_puppet_low); + } + afl->splicing_with = -1; /* Update afl->pending_not_fuzzed count if we made it through the @@ -4205,11 +4422,14 @@ pacemaker_fuzzing: double temp_eff = 0.0; - if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles[i]) + if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles[i]) { + temp_eff = (double)(MOpt_globals.finds_v2[i] - MOpt_globals.finds[i]) / (double)(MOpt_globals.cycles_v2[i] - MOpt_globals.cycles[i]); + } + if (afl->eff_best[afl->swarm_now][i] < temp_eff) { afl->eff_best[afl->swarm_now][i] = temp_eff; @@ -4255,9 +4475,12 @@ pacemaker_fuzzing: } - if (afl->swarm_now < 0 || afl->swarm_now > swarm_num - 1) + if (afl->swarm_now < 0 || afl->swarm_now > swarm_num - 1) { + PFATAL("swarm_now error number %d", afl->swarm_now); + } + } /* if afl->swarm_now == swarm_num */ /* adjust pointers dependent on 'afl->swarm_now' */ @@ -4307,7 +4530,7 @@ u8 pilot_fuzzing(afl_state_t *afl) { void pso_updating(afl_state_t *afl) { afl->g_now += 1; - if (afl->g_now > afl->g_max) afl->g_now = 0; + if (afl->g_now > afl->g_max) { afl->g_now = 0; } afl->w_now = (afl->w_init - afl->w_end) * (afl->g_max - afl->g_now) / (afl->g_max) + afl->w_end; @@ -4331,10 +4554,13 @@ void pso_updating(afl_state_t *afl) { for (i = 0; i < operator_num; ++i) { - if (afl->operator_finds_puppet[i]) + if (afl->operator_finds_puppet[i]) { + afl->G_best[i] = (double)((double)(afl->operator_finds_puppet[i]) / (double)(temp_operator_finds_puppet)); + } + } for (tmp_swarm = 0; tmp_swarm < swarm_num; ++tmp_swarm) { @@ -4348,10 +4574,16 @@ void pso_updating(afl_state_t *afl) { RAND_C * (afl->L_best[tmp_swarm][i] - afl->x_now[tmp_swarm][i]) + RAND_C * (afl->G_best[i] - afl->x_now[tmp_swarm][i]); afl->x_now[tmp_swarm][i] += afl->v_now[tmp_swarm][i]; - if (afl->x_now[tmp_swarm][i] > v_max) + if (afl->x_now[tmp_swarm][i] > v_max) { + afl->x_now[tmp_swarm][i] = v_max; - else if (afl->x_now[tmp_swarm][i] < v_min) + + } else if (afl->x_now[tmp_swarm][i] < v_min) { + afl->x_now[tmp_swarm][i] = v_min; + + } + x_temp += afl->x_now[tmp_swarm][i]; } @@ -4359,18 +4591,26 @@ void pso_updating(afl_state_t *afl) { for (i = 0; i < operator_num; ++i) { afl->x_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i] / x_temp; - if (likely(i != 0)) + if (likely(i != 0)) { + afl->probability_now[tmp_swarm][i] = afl->probability_now[tmp_swarm][i - 1] + afl->x_now[tmp_swarm][i]; - else + + } else { + afl->probability_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i]; + } + } if (afl->probability_now[tmp_swarm][operator_num - 1] < 0.99 || - afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) + afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) { + FATAL("ERROR probability"); + } + } afl->swarm_now = 0; @@ -4410,13 +4650,20 @@ u8 fuzz_one(afl_state_t *afl) { if (afl->limit_time_sig != 0) { - if (afl->key_module == 0) + if (afl->key_module == 0) { + key_val_lv_2 = pilot_fuzzing(afl); - else if (afl->key_module == 1) + + } else if (afl->key_module == 1) { + key_val_lv_2 = core_fuzzing(afl); - else if (afl->key_module == 2) + + } else if (afl->key_module == 2) { + pso_updating(afl); + } + } return (key_val_lv_1 | key_val_lv_2); diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index d4519c6d..64cabcad 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -111,10 +111,10 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { - if (!module_name) return NULL; + if (!module_name) { return NULL; } py_mutator_t *py = calloc(1, sizeof(py_mutator_t)); - if (!py) PFATAL("Could not allocate memory for python mutator!"); + if (!py) { PFATAL("Could not allocate memory for python mutator!"); } Py_Initialize(); @@ -160,12 +160,12 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { if (py_idx == PY_FUNC_PRE_SAVE) { // Implenting the pre_save API is optional for now - if (PyErr_Occurred()) PyErr_Print(); + if (PyErr_Occurred()) { PyErr_Print(); } } else if (py_idx >= PY_FUNC_INIT_TRIM && py_idx <= PY_FUNC_TRIM) { // Implementing the trim API is optional for now - if (PyErr_Occurred()) PyErr_Print(); + if (PyErr_Occurred()) { PyErr_Print(); } py_notrim = 1; } else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) && @@ -173,11 +173,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { (py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) { // Implenting the havoc and queue API is optional for now - if (PyErr_Occurred()) PyErr_Print(); + if (PyErr_Occurred()) { PyErr_Print(); } } else { - if (PyErr_Occurred()) PyErr_Print(); + if (PyErr_Occurred()) { PyErr_Print(); } fprintf(stderr, "Cannot find/call function with index %d in external " "Python module.\n", @@ -222,9 +222,12 @@ void finalize_py_module(void *py_mutator) { deinit_py(py_mutator); u32 i; - for (i = 0; i < PY_FUNC_COUNT; ++i) + for (i = 0; i < PY_FUNC_COUNT; ++i) { + Py_XDECREF(py->py_functions[i]); + } + Py_DECREF(py->py_module); } @@ -308,38 +311,67 @@ void load_custom_mutator_py(afl_state_t *afl, char *module_name) { PyObject **py_functions = py_mutator->py_functions; - if (py_functions[PY_FUNC_INIT]) afl->mutator->afl_custom_init = unsupported; + if (py_functions[PY_FUNC_INIT]) { + + afl->mutator->afl_custom_init = unsupported; - if (py_functions[PY_FUNC_DEINIT]) afl->mutator->afl_custom_deinit = deinit_py; + } + + if (py_functions[PY_FUNC_DEINIT]) { + + afl->mutator->afl_custom_deinit = deinit_py; + + } /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator is quite different from the custom mutator. */ afl->mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_PRE_SAVE]) + if (py_functions[PY_FUNC_PRE_SAVE]) { + afl->mutator->afl_custom_pre_save = pre_save_py; - if (py_functions[PY_FUNC_INIT_TRIM]) + } + + if (py_functions[PY_FUNC_INIT_TRIM]) { + afl->mutator->afl_custom_init_trim = init_trim_py; - if (py_functions[PY_FUNC_POST_TRIM]) + } + + if (py_functions[PY_FUNC_POST_TRIM]) { + afl->mutator->afl_custom_post_trim = post_trim_py; - if (py_functions[PY_FUNC_TRIM]) afl->mutator->afl_custom_trim = trim_py; + } + + if (py_functions[PY_FUNC_TRIM]) { afl->mutator->afl_custom_trim = trim_py; } + + if (py_functions[PY_FUNC_HAVOC_MUTATION]) { - if (py_functions[PY_FUNC_HAVOC_MUTATION]) afl->mutator->afl_custom_havoc_mutation = havoc_mutation_py; - if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) + } + + if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) { + afl->mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py; - if (py_functions[PY_FUNC_QUEUE_GET]) + } + + if (py_functions[PY_FUNC_QUEUE_GET]) { + afl->mutator->afl_custom_queue_get = queue_get_py; - if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY]) + } + + if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY]) { + afl->mutator->afl_custom_queue_new_entry = queue_new_entry_py; + } + OKF("Python mutator '%s' installed successfully.", module_name); /* Initialize the custom mutator */ diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 121eb3f1..f998c06b 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -38,7 +38,7 @@ void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) { strrchr(q->fname, '/') + 1); fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (fd < 0) { PFATAL("Unable to create '%s'", fn); } close(fd); q->passed_det = 1; @@ -61,7 +61,7 @@ void mark_as_variable(afl_state_t *afl, struct queue_entry *q) { if (symlink(ldest, fn)) { s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (fd < 0) { PFATAL("Unable to create '%s'", fn); } close(fd); } @@ -77,7 +77,7 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) { u8 fn[PATH_MAX]; - if (state == q->fs_redundant) return; + if (state == q->fs_redundant) { return; } q->fs_redundant = state; @@ -89,12 +89,12 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) { s32 fd; fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (fd < 0) { PFATAL("Unable to create '%s'", fn); } close(fd); } else { - if (unlink(fn)) PFATAL("Unable to remove '%s'", fn); + if (unlink(fn)) { PFATAL("Unable to remove '%s'", fn); } } @@ -113,17 +113,19 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { q->n_fuzz = 1; q->trace_mini = NULL; - if (q->depth > afl->max_depth) afl->max_depth = q->depth; + if (q->depth > afl->max_depth) { afl->max_depth = q->depth; } if (afl->queue_top) { afl->queue_top->next = q; afl->queue_top = q; - } else + } else { afl->q_prev100 = afl->queue = afl->queue_top = q; + } + ++afl->queued_paths; ++afl->pending_not_fuzzed; @@ -143,7 +145,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { u8 *fname_orig = NULL; /* At the initialization stage, queue_cur is NULL */ - if (afl->queue_cur) fname_orig = afl->queue_cur->fname; + if (afl->queue_cur) { fname_orig = afl->queue_cur->fname; } afl->mutator->afl_custom_queue_new_entry(afl->mutator->data, fname, fname_orig); @@ -188,14 +190,19 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u64 fuzz_p2 = next_pow2(q->n_fuzz); if (afl->schedule == MMOPT || afl->schedule == RARE || - unlikely(afl->fixed_seed)) + unlikely(afl->fixed_seed)) { + fav_factor = q->len << 2; - else + + } else { + fav_factor = q->exec_us * q->len; + } + /* For every byte set in afl->fsrv.trace_bits[], see if there is a previous winner, and how it compares to us. */ - for (i = 0; i < afl->fsrv.map_size; ++i) + for (i = 0; i < afl->fsrv.map_size; ++i) { if (afl->fsrv.trace_bits[i]) { @@ -206,27 +213,41 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz); if (afl->schedule == MMOPT || afl->schedule == RARE || - unlikely(afl->fixed_seed)) + unlikely(afl->fixed_seed)) { + top_rated_fav_factor = afl->top_rated[i]->len << 2; - else + + } else { + top_rated_fav_factor = afl->top_rated[i]->exec_us * afl->top_rated[i]->len; - if (fuzz_p2 > top_rated_fuzz_p2) + } + + if (fuzz_p2 > top_rated_fuzz_p2) { + continue; - else if (fuzz_p2 == top_rated_fuzz_p2) - if (fav_factor > top_rated_fav_factor) continue; + + } else if (fuzz_p2 == top_rated_fuzz_p2) { + + if (fav_factor > top_rated_fav_factor) { continue; } + + } if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) { - if (fav_factor > afl->top_rated[i]->len << 2) continue; + if (fav_factor > afl->top_rated[i]->len << 2) { continue; } } else { - if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len) + if (fav_factor > + afl->top_rated[i]->exec_us * afl->top_rated[i]->len) { + continue; + } + } /* Looks like we're going to win. Decrease ref count for the @@ -258,6 +279,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { } + } + } /* The second part of the mechanism discussed above is a routine that @@ -273,7 +296,7 @@ void cull_queue(afl_state_t *afl) { u32 i; u8 * temp_v = afl->map_tmp_buf; - if (afl->dumb_mode || !afl->score_changed) return; + if (afl->dumb_mode || !afl->score_changed) { return; } afl->score_changed = 0; @@ -294,25 +317,38 @@ void cull_queue(afl_state_t *afl) { /* Let's see if anything in the bitmap isn't captured in temp_v. If yes, and if it has a afl->top_rated[] contender, let's use it. */ - for (i = 0; i < afl->fsrv.map_size; ++i) + for (i = 0; i < afl->fsrv.map_size; ++i) { + if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { u32 j = len; /* Remove all bits belonging to the current entry from temp_v. */ - while (j--) - if (afl->top_rated[i]->trace_mini[j]) + while (j--) { + + if (afl->top_rated[i]->trace_mini[j]) { + temp_v[j] &= ~afl->top_rated[i]->trace_mini[j]; + } + + } + afl->top_rated[i]->favored = 1; ++afl->queued_favored; - if (afl->top_rated[i]->fuzz_level == 0 || !afl->top_rated[i]->was_fuzzed) + if (afl->top_rated[i]->fuzz_level == 0 || + !afl->top_rated[i]->was_fuzzed) { + ++afl->pending_favored; + } + } + } + q = afl->queue; while (q) { @@ -347,39 +383,67 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { if (afl->schedule != MMOPT && afl->schedule != RARE && likely(!afl->fixed_seed)) { - if (q->exec_us * 0.1 > avg_exec_us) + if (q->exec_us * 0.1 > avg_exec_us) { + perf_score = 10; - else if (q->exec_us * 0.25 > avg_exec_us) + + } else if (q->exec_us * 0.25 > avg_exec_us) { + perf_score = 25; - else if (q->exec_us * 0.5 > avg_exec_us) + + } else if (q->exec_us * 0.5 > avg_exec_us) { + perf_score = 50; - else if (q->exec_us * 0.75 > avg_exec_us) + + } else if (q->exec_us * 0.75 > avg_exec_us) { + perf_score = 75; - else if (q->exec_us * 4 < avg_exec_us) + + } else if (q->exec_us * 4 < avg_exec_us) { + perf_score = 300; - else if (q->exec_us * 3 < avg_exec_us) + + } else if (q->exec_us * 3 < avg_exec_us) { + perf_score = 200; - else if (q->exec_us * 2 < avg_exec_us) + + } else if (q->exec_us * 2 < avg_exec_us) { + perf_score = 150; + } + } /* Adjust score based on bitmap size. The working theory is that better coverage translates to better targets. Multiplier from 0.25x to 3x. */ - if (q->bitmap_size * 0.3 > avg_bitmap_size) + if (q->bitmap_size * 0.3 > avg_bitmap_size) { + perf_score *= 3; - else if (q->bitmap_size * 0.5 > avg_bitmap_size) + + } else if (q->bitmap_size * 0.5 > avg_bitmap_size) { + perf_score *= 2; - else if (q->bitmap_size * 0.75 > avg_bitmap_size) + + } else if (q->bitmap_size * 0.75 > avg_bitmap_size) { + perf_score *= 1.5; - else if (q->bitmap_size * 3 < avg_bitmap_size) + + } else if (q->bitmap_size * 3 < avg_bitmap_size) { + perf_score *= 0.25; - else if (q->bitmap_size * 2 < avg_bitmap_size) + + } else if (q->bitmap_size * 2 < avg_bitmap_size) { + perf_score *= 0.5; - else if (q->bitmap_size * 1.5 < avg_bitmap_size) + + } else if (q->bitmap_size * 1.5 < avg_bitmap_size) { + perf_score *= 0.75; + } + /* Adjust score based on handicap. Handicap is proportional to how late in the game we learned about this path. Latecomers are allowed to run for a bit longer until they catch up with the rest. */ @@ -402,11 +466,19 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { switch (q->depth) { - case 0 ... 3: break; - case 4 ... 7: perf_score *= 2; break; - case 8 ... 13: perf_score *= 3; break; - case 14 ... 25: perf_score *= 4; break; - default: perf_score *= 5; + case 0 ... 3: + break; + case 4 ... 7: + perf_score *= 2; + break; + case 8 ... 13: + perf_score *= 3; + break; + case 14 ... 25: + perf_score *= 4; + break; + default: + perf_score *= 5; } @@ -418,9 +490,12 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { switch (afl->schedule) { - case EXPLORE: break; + case EXPLORE: + break; - case EXPLOIT: factor = MAX_FACTOR; break; + case EXPLOIT: + factor = MAX_FACTOR; + break; case COE: fuzz_total = 0; @@ -435,16 +510,21 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { } - if (unlikely(!n_paths)) FATAL("Queue state corrupt"); + if (unlikely(!n_paths)) { FATAL("Queue state corrupt"); } fuzz_mu = fuzz_total / n_paths; if (fuzz <= fuzz_mu) { - if (q->fuzz_level < 16) + if (q->fuzz_level < 16) { + factor = ((u32)(1 << q->fuzz_level)); - else + + } else { + factor = MAX_FACTOR; + } + } else { factor = 0; @@ -454,13 +534,21 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { break; case FAST: - if (q->fuzz_level < 16) + if (q->fuzz_level < 16) { + factor = ((u32)(1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz); - else + + } else { + factor = MAX_FACTOR / (fuzz == 0 ? 1 : next_pow2(fuzz)); + + } + break; - case LIN: factor = q->fuzz_level / (fuzz == 0 ? 1 : fuzz); break; + case LIN: + factor = q->fuzz_level / (fuzz == 0 ? 1 : fuzz); + break; case QUAD: factor = q->fuzz_level * q->fuzz_level / (fuzz == 0 ? 1 : fuzz); @@ -477,7 +565,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { (afl->max_depth - q->depth)) / 5)); */ // put focus on the last 5 entries - if (afl->max_depth - q->depth < 5) perf_score *= 2; + if (afl->max_depth - q->depth < 5) { perf_score *= 2; } break; @@ -493,26 +581,35 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { break; - default: PFATAL("Unknown Power Schedule"); + default: + PFATAL("Unknown Power Schedule"); } - if (factor > MAX_FACTOR) factor = MAX_FACTOR; + if (factor > MAX_FACTOR) { factor = MAX_FACTOR; } perf_score *= factor / POWER_BETA; // MOpt mode - if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) + if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) { + perf_score *= 2; - else if (perf_score < 1) + + } else if (perf_score < 1) { + // Add a lower bound to AFLFast's energy assignment strategies perf_score = 1; + } + /* Make sure that we don't go over limit. */ - if (perf_score > afl->havoc_max_mult * 100) + if (perf_score > afl->havoc_max_mult * 100) { + perf_score = afl->havoc_max_mult * 100; + } + return perf_score; } diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 3e9af088..3a3e6be1 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -73,11 +73,16 @@ static struct range *pop_biggest_range(struct range **ranges) { if (rmax) { - if (prev_rmax) + if (prev_rmax) { + prev_rmax->next = rmax->next; - else + + } else { + *ranges = rmax->next; + } + } return rmax; @@ -86,7 +91,7 @@ static struct range *pop_biggest_range(struct range **ranges) { static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) { - if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1; + if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } *cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); return 0; @@ -96,9 +101,12 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) { static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) { u32 i; - for (i = 0; i < len; ++i) + for (i = 0; i < len; ++i) { + buf[i] = rand_below(afl, 256); + } + } static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { @@ -131,9 +139,12 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { u32 cksum; u64 start_us = get_cur_time_us(); - if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) + if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) { + goto checksum_fail; + } + u64 stop_us = get_cur_time_us(); /* Discard if the mutations change the paths or if it is too decremental @@ -159,7 +170,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { } - if (afl->stage_cur < afl->stage_max) afl->queue_cur->fully_colorized = 1; + if (afl->stage_cur < afl->stage_max) { afl->queue_cur->fully_colorized = 1; } new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt; @@ -192,7 +203,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { } - if (fd < 0) PFATAL("Unable to create '%s'", afl->queue_cur->fname); + if (fd < 0) { PFATAL("Unable to create '%s'", afl->queue_cur->fname); } ck_write(fd, buf, len, afl->queue_cur->fname); afl->queue_cur->len = len; // no-op, just to be 100% safe @@ -204,7 +215,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { return 0; checksum_fail: - if (rng) ck_free(rng); + if (rng) { ck_free(rng); } ck_free(backup); while (ranges) { @@ -230,15 +241,20 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { orig_hit_cnt = afl->queued_paths + afl->unique_crashes; - if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1; + if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } new_hit_cnt = afl->queued_paths + afl->unique_crashes; - if (unlikely(new_hit_cnt != orig_hit_cnt)) + if (unlikely(new_hit_cnt != orig_hit_cnt)) { + *status = 1; - else + + } else { + *status = 2; + } + return 0; } @@ -265,18 +281,24 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) { *buf_64 = repl; - if (unlikely(its_fuzz(afl, buf, len, status))) return 1; + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } *buf_64 = pattern; } // reverse encoding - if (do_reverse) + if (do_reverse) { + if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), SWAP64(o_pattern), idx, orig_buf, buf, - len, 0, status))) + len, 0, status))) { + return 1; + } + + } + } if (SHAPE_BYTES(h->shape) == 4 || *status == 2) { @@ -285,18 +307,24 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, *o_buf_32 == (u32)o_pattern) { *buf_32 = (u32)repl; - if (unlikely(its_fuzz(afl, buf, len, status))) return 1; + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } *buf_32 = pattern; } // reverse encoding - if (do_reverse) + if (do_reverse) { + if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), SWAP32(o_pattern), idx, orig_buf, buf, - len, 0, status))) + len, 0, status))) { + return 1; + } + + } + } if (SHAPE_BYTES(h->shape) == 2 || *status == 2) { @@ -305,18 +333,24 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, *o_buf_16 == (u16)o_pattern) { *buf_16 = (u16)repl; - if (unlikely(its_fuzz(afl, buf, len, status))) return 1; + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } *buf_16 = (u16)pattern; } // reverse encoding - if (do_reverse) + if (do_reverse) { + if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), SWAP16(o_pattern), idx, orig_buf, buf, - len, 0, status))) + len, 0, status))) { + return 1; + } + + } + } if (SHAPE_BYTES(h->shape) == 1 || *status == 2) { @@ -324,7 +358,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (its_len >= 1 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) { *buf_8 = (u8)repl; - if (unlikely(its_fuzz(afl, buf, len, status))) return 1; + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } *buf_8 = (u8)pattern; } @@ -343,14 +377,21 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) { u8 cons_ff = 0, cons_0 = 0; for (k = 0; k < shape; ++k) { - if (b[k] == 0) + if (b[k] == 0) { + ++cons_0; - else if (b[k] == 0xff) + + } else if (b[k] == 0xff) { + ++cons_0; - else + + } else { + cons_0 = cons_ff = 0; - if (cons_0 > 1 || cons_ff > 1) return; + } + + if (cons_0 > 1 || cons_ff > 1) { return; } } @@ -359,7 +400,8 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) { u64 rev; switch (shape) { - case 1: break; + case 1: + break; case 2: rev = SWAP16((u16)v); maybe_add_auto((u8 *)afl, (u8 *)&rev, shape); @@ -383,7 +425,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u32 i, j, idx; u32 loggeds = h->hits; - if (h->hits > CMP_MAP_H) loggeds = CMP_MAP_H; + if (h->hits > CMP_MAP_H) { loggeds = CMP_MAP_H; } u8 status = 0; // opt not in the paper @@ -410,12 +452,12 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } else { - if (s_v0 != o->v0) s_v0_fixed = 0; - if (s_v1 != o->v1) s_v1_fixed = 0; - if (s_v0 + 1 != o->v0) s_v0_inc = 0; - if (s_v1 + 1 != o->v1) s_v1_inc = 0; - if (s_v0 - 1 != o->v0) s_v0_dec = 0; - if (s_v1 - 1 != o->v1) s_v1_dec = 0; + if (s_v0 != o->v0) { s_v0_fixed = 0; } + if (s_v1 != o->v1) { s_v1_fixed = 0; } + if (s_v0 + 1 != o->v0) { s_v0_inc = 0; } + if (s_v1 + 1 != o->v1) { s_v1_inc = 0; } + if (s_v0 - 1 != o->v0) { s_v0_dec = 0; } + if (s_v1 - 1 != o->v1) { s_v1_dec = 0; } s_v0 = o->v0; s_v1 = o->v1; @@ -424,32 +466,56 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { struct cmp_operands *orig_o = &afl->orig_cmp_map->log[key][i]; // opt not in the paper - for (j = 0; j < i; ++j) + for (j = 0; j < i; ++j) { + if (afl->shm.cmp_map->log[key][j].v0 == o->v0 && - afl->shm.cmp_map->log[key][i].v1 == o->v1) + afl->shm.cmp_map->log[key][i].v1 == o->v1) { + goto cmp_fuzz_next_iter; + } + + } + for (idx = 0; idx < len && fails < 8; ++idx) { if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, - orig_buf, buf, len, 1, &status))) + orig_buf, buf, len, 1, &status))) { + return 1; - if (status == 2) + + } + + if (status == 2) { + ++fails; - else if (status == 1) + + } else if (status == 1) { + break; + } + if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, - orig_buf, buf, len, 1, &status))) + orig_buf, buf, len, 1, &status))) { + return 1; - if (status == 2) + + } + + if (status == 2) { + ++fails; - else if (status == 1) + + } else if (status == 1) { + break; + } + } - if (status == 1) found_one = 1; + if (status == 1) { found_one = 1; } // If failed, add to dictionary if (fails == 8) { @@ -481,7 +547,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } - if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; + if (afl->pass_stats[key].total < 0xff) { afl->pass_stats[key].total++; } return 0; @@ -502,11 +568,14 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, for (i = 0; i < its_len; ++i) { if (pattern[idx + i] != buf[idx + i] || - o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) + o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) { + break; + } + buf[idx + i] = repl[idx + i]; - if (unlikely(its_fuzz(afl, buf, len, status))) return 1; + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } } @@ -521,7 +590,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u32 i, j, idx; u32 loggeds = h->hits; - if (h->hits > CMP_MAP_RTN_H) loggeds = CMP_MAP_RTN_H; + if (h->hits > CMP_MAP_RTN_H) { loggeds = CMP_MAP_RTN_H; } u8 status = 0; // opt not in the paper @@ -539,32 +608,56 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { &((struct cmpfn_operands *)afl->orig_cmp_map->log[key])[i]; // opt not in the paper - for (j = 0; j < i; ++j) + for (j = 0; j < i; ++j) { + if (!memcmp(&((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[j], o, - sizeof(struct cmpfn_operands))) + sizeof(struct cmpfn_operands))) { + goto rtn_fuzz_next_iter; + } + + } + for (idx = 0; idx < len && fails < 8; ++idx) { if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, - orig_buf, buf, len, &status))) + orig_buf, buf, len, &status))) { + return 1; - if (status == 2) + + } + + if (status == 2) { + ++fails; - else if (status == 1) + + } else if (status == 1) { + break; + } + if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, - orig_buf, buf, len, &status))) + orig_buf, buf, len, &status))) { + return 1; - if (status == 2) + + } + + if (status == 2) { + ++fails; - else if (status == 1) + + } else if (status == 1) { + break; + } + } - if (status == 1) found_one = 1; + if (status == 1) { found_one = 1; } // If failed, add to dictionary if (fails == 8) { @@ -589,7 +682,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } - if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; + if (afl->pass_stats[key].total < 0xff) { afl->pass_stats[key].total++; } return 0; @@ -602,25 +695,31 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u32 exec_cksum) { u8 r = 1; - if (afl->orig_cmp_map == NULL) + if (afl->orig_cmp_map == NULL) { + afl->orig_cmp_map = ck_alloc_nozero(sizeof(struct cmp_map)); - if (afl->pass_stats == NULL) + } + + if (afl->pass_stats == NULL) { + afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); + } + // do it manually, forkserver clear only afl->fsrv.trace_bits memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers)); - if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; + if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) { return 1; } memcpy(afl->orig_cmp_map, afl->shm.cmp_map, sizeof(struct cmp_map)); - if (unlikely(colorization(afl, buf, len, exec_cksum))) return 1; + if (unlikely(colorization(afl, buf, len, exec_cksum))) { return 1; } // do it manually, forkserver clear only afl->fsrv.trace_bits memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers)); - if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; + if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) { return 1; } u64 orig_hit_cnt, new_hit_cnt; u64 orig_execs = afl->fsrv.total_execs; @@ -634,33 +733,41 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u32 k; for (k = 0; k < CMP_MAP_W; ++k) { - if (!afl->shm.cmp_map->headers[k].hits) continue; + if (!afl->shm.cmp_map->headers[k].hits) { continue; } if (afl->pass_stats[k].total && (rand_below(afl, afl->pass_stats[k].total) >= afl->pass_stats[k].faileds || - afl->pass_stats[k].total == 0xff)) + afl->pass_stats[k].total == 0xff)) { + afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp - if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) + } + + if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { + afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); - else + + } else { + afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_RTN_H); + } + } for (k = 0; k < CMP_MAP_W; ++k) { - if (!afl->shm.cmp_map->headers[k].hits) continue; + if (!afl->shm.cmp_map->headers[k].hits) { continue; } if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { - if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; + if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) { goto exit_its; } } else { - if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; + if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) { goto exit_its; } } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 30ba0e65..bf8c4ec0 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -72,9 +72,12 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { size_t new_size = afl->mutator->afl_custom_pre_save(afl->mutator->data, mem, len, &new_buf); - if (unlikely(!new_buf)) + if (unlikely(!new_buf)) { + FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size); + } + /* everything as planned. use the new data. */ afl_fsrv_write_to_testcase(&afl->fsrv, new_buf, new_size); @@ -108,27 +111,34 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, } - if (fd < 0) PFATAL("Unable to create '%s'", afl->fsrv.out_file); + if (fd < 0) { PFATAL("Unable to create '%s'", afl->fsrv.out_file); } - } else + } else { lseek(fd, 0, SEEK_SET); - if (skip_at) ck_write(fd, mem, skip_at, afl->fsrv.out_file); + } + + if (skip_at) { ck_write(fd, mem, skip_at, afl->fsrv.out_file); } u8 *memu8 = mem; - if (tail_len) + if (tail_len) { + ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file); + } + if (!afl->fsrv.out_file) { - if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed"); + if (ftruncate(fd, len - skip_len)) { PFATAL("ftruncate() failed"); } lseek(fd, 0, SEEK_SET); - } else + } else { close(fd); + } + } /* Calibrate a new test case. This is done when processing the input directory @@ -151,10 +161,13 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, trying to calibrate already-added finds. This helps avoid trouble due to intermittent latency. */ - if (!from_queue || afl->resuming_fuzz) + if (!from_queue || afl->resuming_fuzz) { + use_tmout = MAX(afl->fsrv.exec_tmout + CAL_TMOUT_ADD, afl->fsrv.exec_tmout * CAL_TMOUT_PERC / 100); + } + ++q->cal_failed; afl->stage_name = "calibration"; @@ -177,18 +190,24 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } - if (q->exec_cksum) + if (q->exec_cksum) { + memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); + } + start_us = get_cur_time_us(); for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { u32 cksum; - if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) + if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) { + show_stats(afl); + } + write_to_testcase(afl, use_mem, q->len); fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); @@ -196,7 +215,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed, we want to bail out quickly. */ - if (afl->stop_soon || fault != afl->crash_mode) goto abort_calibration; + if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; } if (!afl->dumb_mode && !afl->stage_cur && !count_bytes(afl, afl->fsrv.trace_bits)) { @@ -211,7 +230,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (q->exec_cksum != cksum) { u8 hnb = has_new_bits(afl, afl->virgin_bits); - if (hnb > new_bits) new_bits = hnb; + if (hnb > new_bits) { new_bits = hnb; } if (q->exec_cksum) { @@ -220,9 +239,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, for (i = 0; i < afl->fsrv.map_size; ++i) { if (unlikely(!afl->var_bytes[i]) && - unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) + unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) { + afl->var_bytes[i] = 1; + } + } var_detected = 1; @@ -261,9 +283,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, parent. This is a non-critical problem, but something to warn the user about. */ - if (!afl->dumb_mode && first_run && !fault && !new_bits) + if (!afl->dumb_mode && first_run && !fault && !new_bits) { + fault = FSRV_RUN_NOBITS; + } + abort_calibration: if (new_bits == 2 && !q->has_new_cov) { @@ -292,7 +317,7 @@ abort_calibration: afl->stage_cur = old_sc; afl->stage_max = old_sm; - if (!first_run) show_stats(afl); + if (!first_run) { show_stats(afl); } return fault; @@ -307,7 +332,7 @@ void sync_fuzzers(afl_state_t *afl) { u32 sync_cnt = 0; sd = opendir(afl->sync_dir); - if (!sd) PFATAL("Unable to open '%s'", afl->sync_dir); + if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); } afl->stage_max = afl->stage_cur = 0; afl->cur_depth = 0; @@ -326,9 +351,12 @@ void sync_fuzzers(afl_state_t *afl) { /* Skip dot files and our own output directory. */ - if (sd_ent->d_name[0] == '.' || !strcmp(afl->sync_id, sd_ent->d_name)) + if (sd_ent->d_name[0] == '.' || !strcmp(afl->sync_id, sd_ent->d_name)) { + continue; + } + /* Skip anything that doesn't have a queue/ subdirectory. */ qd_path = alloc_printf("%s/%s/queue", afl->sync_dir, sd_ent->d_name); @@ -347,9 +375,13 @@ void sync_fuzzers(afl_state_t *afl) { id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600); - if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path); + if (id_fd < 0) { PFATAL("Unable to create '%s'", qd_synced_path); } - if (read(id_fd, &min_accept, sizeof(u32)) > 0) lseek(id_fd, 0, SEEK_SET); + if (read(id_fd, &min_accept, sizeof(u32)) > 0) { + + lseek(id_fd, 0, SEEK_SET); + + } next_min_accept = min_accept; @@ -372,14 +404,20 @@ void sync_fuzzers(afl_state_t *afl) { if (qd_ent->d_name[0] == '.' || sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &afl->syncing_case) != 1 || - afl->syncing_case < min_accept) + afl->syncing_case < min_accept) { + continue; + } + /* OK, sounds like a new one. Let's give it a try. */ - if (afl->syncing_case >= next_min_accept) + if (afl->syncing_case >= next_min_accept) { + next_min_accept = afl->syncing_case + 1; + } + path = alloc_printf("%s/%s", qd_path, qd_ent->d_name); /* Allow this to fail in case the other fuzzer is resuming or so... */ @@ -393,7 +431,7 @@ void sync_fuzzers(afl_state_t *afl) { } - if (fstat(fd, &st)) PFATAL("fstat() failed"); + if (fstat(fd, &st)) { PFATAL("fstat() failed"); } /* Ignore zero-sized or oversized files. */ @@ -402,7 +440,7 @@ void sync_fuzzers(afl_state_t *afl) { u8 fault; u8 *mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); + if (mem == MAP_FAILED) { PFATAL("Unable to mmap '%s'", path); } /* See what happens. We rely on save_if_interesting() to catch major errors and save the test case. */ @@ -411,7 +449,7 @@ void sync_fuzzers(afl_state_t *afl) { fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); - if (afl->stop_soon) goto close_sync; + if (afl->stop_soon) { goto close_sync; } afl->syncing_party = sd_ent->d_name; afl->queued_imported += @@ -420,7 +458,7 @@ void sync_fuzzers(afl_state_t *afl) { munmap(mem, st.st_size); - if (!(afl->stage_cur++ % afl->stats_update_freq)) show_stats(afl); + if (!(afl->stage_cur++ % afl->stats_update_freq)) { show_stats(afl); } } @@ -450,9 +488,12 @@ void sync_fuzzers(afl_state_t *afl) { u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { /* Custom mutator trimmer */ - if (afl->mutator && afl->mutator->afl_custom_trim) + if (afl->mutator && afl->mutator->afl_custom_trim) { + return trim_case_custom(afl, q, in_buf); + } + u8 needs_write = 0, fault = 0; u32 trim_exec = 0; u32 remove_len; @@ -464,7 +505,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { detected, it will still work to some extent, so we don't check for this. */ - if (q->len < 5) return 0; + if (q->len < 5) { return 0; } afl->stage_name = afl->stage_name_buf; afl->bytes_trim_in += q->len; @@ -499,7 +540,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; - if (afl->stop_soon || fault == FSRV_RUN_ERROR) goto abort_trimming; + if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ @@ -531,13 +572,15 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { } - } else + } else { remove_pos += remove_len; + } + /* Since this can be slow, update the screen every now and then. */ - if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl); + if (!(trim_exec++ % afl->stats_update_freq)) { show_stats(afl); } ++afl->stage_cur; } @@ -564,7 +607,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { } - if (fd < 0) PFATAL("Unable to create '%s'", q->fname); + if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } ck_write(fd, in_buf, q->len, q->fname); close(fd); @@ -595,7 +638,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { size_t post_len = afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) return 0; + if (!post_buf || !post_len) { return 0; } out_buf = post_buf; len = post_len; @@ -605,7 +648,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); - if (afl->stop_soon) return 1; + if (afl->stop_soon) { return 1; } if (fault == FSRV_RUN_TMOUT) { @@ -616,10 +659,12 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { } - } else + } else { afl->subseq_tmouts = 0; + } + /* Users can hit us with SIGUSR1 to request the current input to be abandoned. */ @@ -636,9 +681,12 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { afl->queued_discovered += save_if_interesting(afl, out_buf, len, fault); if (!(afl->stage_cur % afl->stats_update_freq) || - afl->stage_cur + 1 == afl->stage_max) + afl->stage_cur + 1 == afl->stage_max) { + show_stats(afl); + } + return 0; } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index de7a4481..b38c9ec5 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -81,7 +81,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { and out_size are NULL/0 by default. */ memset(afl, 0, sizeof(afl_state_t)); - if (!map_size) afl->shm.map_size = MAP_SIZE; + if (!map_size) { afl->shm.map_size = MAP_SIZE; } afl->w_init = 0.9; afl->w_end = 0.3; @@ -344,10 +344,12 @@ void read_afl_environment(afl_state_t *afl, char **envp) { } - } else + } else { i++; + } + } if (match == 0) { @@ -361,7 +363,7 @@ void read_afl_environment(afl_state_t *afl, char **envp) { } - if (found) sleep(2); + if (found) { sleep(2); } } @@ -369,18 +371,18 @@ void read_afl_environment(afl_state_t *afl, char **envp) { void afl_state_deinit(afl_state_t *afl) { - if (afl->post_deinit) afl->post_deinit(afl->post_data); - if (afl->in_place_resume) ck_free(afl->in_dir); - if (afl->sync_id) ck_free(afl->out_dir); - if (afl->pass_stats) ck_free(afl->pass_stats); - if (afl->orig_cmp_map) ck_free(afl->orig_cmp_map); - - if (afl->out_buf) free(afl->out_buf); - if (afl->out_scratch_buf) free(afl->out_scratch_buf); - if (afl->eff_buf) free(afl->eff_buf); - if (afl->in_buf) free(afl->in_buf); - if (afl->in_scratch_buf) free(afl->in_scratch_buf); - if (afl->ex_buf) free(afl->ex_buf); + if (afl->post_deinit) { afl->post_deinit(afl->post_data); } + if (afl->in_place_resume) { ck_free(afl->in_dir); } + if (afl->sync_id) { ck_free(afl->out_dir); } + if (afl->pass_stats) { ck_free(afl->pass_stats); } + if (afl->orig_cmp_map) { ck_free(afl->orig_cmp_map); } + + if (afl->out_buf) { free(afl->out_buf); } + if (afl->out_scratch_buf) { free(afl->out_scratch_buf); } + if (afl->eff_buf) { free(afl->eff_buf); } + if (afl->in_buf) { free(afl->in_buf); } + if (afl->in_scratch_buf) { free(afl->in_scratch_buf); } + if (afl->ex_buf) { free(afl->ex_buf); } ck_free(afl->virgin_bits); ck_free(afl->virgin_tmout); diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index c507b7f7..3cbb2d8c 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -43,11 +43,11 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (fd < 0) { PFATAL("Unable to create '%s'", fn); } f = fdopen(fd, "w"); - if (!f) PFATAL("fdopen() failed"); + if (!f) { PFATAL("fdopen() failed"); } /* Keep last values in case we're called from another context where exec/sec stats and such are not readily available. */ @@ -65,7 +65,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, } - if (getrusage(RUSAGE_CHILDREN, &rus)) rus.ru_maxrss = 0; + if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } fprintf( f, @@ -153,9 +153,12 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { afl->plot_prev_uc == afl->unique_crashes && afl->plot_prev_uh == afl->unique_hangs && afl->plot_prev_md == afl->max_depth) || - unlikely(!afl->queue_cycle)) + unlikely(!afl->queue_cycle)) { + return; + } + afl->plot_prev_qp = afl->queued_paths; afl->plot_prev_pf = afl->pending_favored; afl->plot_prev_pnf = afl->pending_not_fuzzed; @@ -190,10 +193,10 @@ static void check_term_size(afl_state_t *afl) { afl->term_too_small = 0; - if (ioctl(1, TIOCGWINSZ, &ws)) return; + if (ioctl(1, TIOCGWINSZ, &ws)) { return; } - if (ws.ws_row == 0 || ws.ws_col == 0) return; - if (ws.ws_row < 24 || ws.ws_col < 79) afl->term_too_small = 1; + if (ws.ws_row == 0 || ws.ws_col == 0) { return; } + if (ws.ws_row < 24 || ws.ws_col < 79) { afl->term_too_small = 1; } } @@ -241,12 +244,15 @@ void show_stats(afl_state_t *afl) { /* If not enough time has passed since last UI update, bail out. */ if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && - !afl->force_ui_update) + !afl->force_ui_update) { + return; + } + /* Check if we're past the 10 minute mark. */ - if (cur_ms - afl->start_time > 10 * 60 * 1000) afl->run_over10m = 1; + if (cur_ms - afl->start_time > 10 * 60 * 1000) { afl->run_over10m = 1; } /* Calculate smoothed exec speed stats. */ @@ -263,9 +269,13 @@ void show_stats(afl_state_t *afl) { /* If there is a dramatic (5x+) jump in speed, reset the indicator more quickly. */ - if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec) + if (cur_avg * 5 < afl->stats_avg_exec || + cur_avg / 5 > afl->stats_avg_exec) { + afl->stats_avg_exec = cur_avg; + } + afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + cur_avg * (1.0 / AVG_SMOOTHING); @@ -277,18 +287,23 @@ void show_stats(afl_state_t *afl) { /* Tell the callers when to contact us (as measured in execs). */ afl->stats_update_freq = afl->stats_avg_exec / (UI_TARGET_HZ * 10); - if (!afl->stats_update_freq) afl->stats_update_freq = 1; + if (!afl->stats_update_freq) { afl->stats_update_freq = 1; } /* Do some bitmap stats. */ t_bytes = count_non_255_bytes(afl, afl->virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.map_size; - if (likely(t_bytes) && unlikely(afl->var_byte_count)) + if (likely(t_bytes) && unlikely(afl->var_byte_count)) { + stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); - else + + } else { + stab_ratio = 100; + } + /* Roughly every minute, update fuzzer stats and save auto tokens. */ if (cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000) { @@ -312,19 +327,25 @@ void show_stats(afl_state_t *afl) { /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ if (!afl->dumb_mode && afl->cycles_wo_finds > 100 && - !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done) + !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done) { + afl->stop_soon = 2; - if (afl->total_crashes && afl->afl_env.afl_bench_until_crash) + } + + if (afl->total_crashes && afl->afl_env.afl_bench_until_crash) { + afl->stop_soon = 2; + } + /* If we're not on TTY, bail out. */ - if (afl->not_on_tty) return; + if (afl->not_on_tty) { return; } /* If we haven't started doing things, bail out. */ - if (!afl->queue_cur) return; + if (!afl->queue_cur) { return; } /* Compute some mildly useful bitmap stats. */ @@ -389,9 +410,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -402,24 +423,33 @@ void show_stats(afl_state_t *afl) { u64 min_wo_finds = (cur_ms - afl->last_path_time) / 1000 / 60; /* First queue cycle: don't stop now! */ - if (afl->queue_cycle == 1 || min_wo_finds < 15) + if (afl->queue_cycle == 1 || min_wo_finds < 15) { + strcpy(tmp, cMGN); - else + + } else /* Subsequent cycles, but we're still making finds. */ - if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) + if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { + strcpy(tmp, cYEL); - else + + } else /* No finds for a long time and no test cases to try. */ if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && - min_wo_finds > 120) + min_wo_finds > 120) { + strcpy(tmp, cLGN); - /* Default: cautiously OK to stop? */ - else + /* Default: cautiously OK to stop? */ + + } else { + strcpy(tmp, cLBL); + } + } u_stringify_time_diff(time_tmp, cur_ms, afl->start_time); @@ -439,16 +469,18 @@ void show_stats(afl_state_t *afl) { } else { - if (afl->dumb_mode) + if (afl->dumb_mode) { SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST " (non-instrumented mode) "); - else + } else { SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD "(odd, check syntax!) "); + } + } SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", @@ -473,9 +505,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -505,9 +537,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -581,7 +613,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); @@ -605,7 +637,8 @@ void show_stats(afl_state_t *afl) { " levels : " cRST "%-10s" bSTG bV "\n", tmp, u_stringify_int(IB(0), afl->max_depth)); - if (!afl->skip_deterministic) + if (!afl->skip_deterministic) { + sprintf(tmp, "%s/%s, %s/%s, %s/%s", u_stringify_int(IB(0), afl->stage_finds[STAGE_FLIP8]), u_stringify_int(IB(1), afl->stage_cycles[STAGE_FLIP8]), @@ -614,11 +647,14 @@ void show_stats(afl_state_t *afl) { u_stringify_int(IB(4), afl->stage_finds[STAGE_FLIP32]), u_stringify_int(IB(5), afl->stage_cycles[STAGE_FLIP32])); + } + SAYF(bV bSTOP " byte flips : " cRST "%-36s " bSTG bV bSTOP " pending : " cRST "%-10s" bSTG bV "\n", tmp, u_stringify_int(IB(0), afl->pending_not_fuzzed)); - if (!afl->skip_deterministic) + if (!afl->skip_deterministic) { + sprintf(tmp, "%s/%s, %s/%s, %s/%s", u_stringify_int(IB(0), afl->stage_finds[STAGE_ARITH8]), u_stringify_int(IB(1), afl->stage_cycles[STAGE_ARITH8]), @@ -627,11 +663,14 @@ void show_stats(afl_state_t *afl) { u_stringify_int(IB(4), afl->stage_finds[STAGE_ARITH32]), u_stringify_int(IB(5), afl->stage_cycles[STAGE_ARITH32])); + } + SAYF(bV bSTOP " arithmetics : " cRST "%-36s " bSTG bV bSTOP " pend fav : " cRST "%-10s" bSTG bV "\n", tmp, u_stringify_int(IB(0), afl->pending_favored)); - if (!afl->skip_deterministic) + if (!afl->skip_deterministic) { + sprintf(tmp, "%s/%s, %s/%s, %s/%s", u_stringify_int(IB(0), afl->stage_finds[STAGE_INTEREST8]), u_stringify_int(IB(1), afl->stage_cycles[STAGE_INTEREST8]), @@ -640,11 +679,14 @@ void show_stats(afl_state_t *afl) { u_stringify_int(IB(4), afl->stage_finds[STAGE_INTEREST32]), u_stringify_int(IB(5), afl->stage_cycles[STAGE_INTEREST32])); + } + SAYF(bV bSTOP " known ints : " cRST "%-36s " bSTG bV bSTOP " own finds : " cRST "%-10s" bSTG bV "\n", tmp, u_stringify_int(IB(0), afl->queued_discovered)); - if (!afl->skip_deterministic) + if (!afl->skip_deterministic) { + sprintf(tmp, "%s/%s, %s/%s, %s/%s", u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]), u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]), @@ -653,6 +695,8 @@ void show_stats(afl_state_t *afl) { u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]), u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO])); + } + SAYF(bV bSTOP " dictionary : " cRST "%-36s " bSTG bV bSTOP " imported : " cRST "%-10s" bSTG bV "\n", tmp, @@ -669,11 +713,16 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " havoc/rad : " cRST "%-36s " bSTG bV bSTOP, tmp); - if (t_bytes) + if (t_bytes) { + sprintf(tmp, "%0.02f%%", stab_ratio); - else + + } else { + strcpy(tmp, "n/a"); + } + SAYF(" stability : %s%-10s" bSTG bV "\n", (stab_ratio < 85 && afl->var_byte_count > 40) ? cLRD @@ -769,14 +818,17 @@ void show_stats(afl_state_t *afl) { /* If we could still run one or more processes, use green. */ - if (afl->cpu_core_count > 1 && cur_runnable + 1 <= afl->cpu_core_count) + if (afl->cpu_core_count > 1 && cur_runnable + 1 <= afl->cpu_core_count) { + cpu_color = cLGN; + } + /* If we're clearly oversubscribed, use red. */ - if (!afl->no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; + if (!afl->no_cpu_meter_red && cur_utilization >= 150) { cpu_color = cLRD; } - if (afl->fsrv.snapshot) spacing = snap; + if (afl->fsrv.snapshot) { spacing = snap; } #ifdef HAVE_AFFINITY @@ -799,10 +851,12 @@ void show_stats(afl_state_t *afl) { #endif /* ^HAVE_AFFINITY */ - } else + } else { SAYF("\r"); + } + /* Last line */ SAYF(SET_G1 "\n" bSTG bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1); @@ -829,17 +883,21 @@ void show_init_stats(afl_state_t *afl) { u8 val_bufs[4][STRINGIFY_VAL_SIZE_MAX]; #define IB(i) val_bufs[(i)], sizeof(val_bufs[(i)]) - if (afl->total_cal_cycles) avg_us = afl->total_cal_us / afl->total_cal_cycles; + if (afl->total_cal_cycles) { + + avg_us = afl->total_cal_us / afl->total_cal_cycles; + + } while (q) { - if (!min_us || q->exec_us < min_us) min_us = q->exec_us; - if (q->exec_us > max_us) max_us = q->exec_us; + if (!min_us || q->exec_us < min_us) { min_us = q->exec_us; } + if (q->exec_us > max_us) { max_us = q->exec_us; } - if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size; - if (q->bitmap_size > max_bits) max_bits = q->bitmap_size; + if (!min_bits || q->bitmap_size < min_bits) { min_bits = q->bitmap_size; } + if (q->bitmap_size > max_bits) { max_bits = q->bitmap_size; } - if (q->len > max_len) max_len = q->len; + if (q->len > max_len) { max_len = q->len; } q = q->next; @@ -847,38 +905,61 @@ void show_init_stats(afl_state_t *afl) { SAYF("\n"); - if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) + if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) { + WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.md.", doc_path); + } + /* Let's keep things moving with slow binaries. */ - if (avg_us > 50000) + if (avg_us > 50000) { + afl->havoc_div = 10; /* 0-19 execs/sec */ - else if (avg_us > 20000) + + } else if (avg_us > 20000) { + afl->havoc_div = 5; /* 20-49 execs/sec */ - else if (avg_us > 10000) + + } else if (avg_us > 10000) { + afl->havoc_div = 2; /* 50-100 execs/sec */ + } + if (!afl->resuming_fuzz) { - if (max_len > 50 * 1024) + if (max_len > 50 * 1024) { + WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.md!", stringify_mem_size(IB(0), max_len), doc_path); - else if (max_len > 10 * 1024) + + } else if (max_len > 10 * 1024) { + WARNF("Some test cases are big (%s) - see %s/perf_tips.md.", stringify_mem_size(IB(0), max_len), doc_path); - if (afl->useless_at_start && !afl->in_bitmap) + } + + if (afl->useless_at_start && !afl->in_bitmap) { + WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); - if (afl->queued_paths > 100) + } + + if (afl->queued_paths > 100) { + WARNF(cLRD "You probably have far too many input files! Consider trimming " "down."); - else if (afl->queued_paths > 20) + + } else if (afl->queued_paths > 20) { + WARNF("You have lots of input files; try starting small."); + } + } OKF("Here are some useful stats:\n\n" @@ -903,20 +984,30 @@ void show_init_stats(afl_state_t *afl) { random scheduler jitter is less likely to have any impact, and because our patience is wearing thin =) */ - if (avg_us > 50000) + if (avg_us > 50000) { + afl->fsrv.exec_tmout = avg_us * 2 / 1000; - else if (avg_us > 10000) + + } else if (avg_us > 10000) { + afl->fsrv.exec_tmout = avg_us * 3 / 1000; - else + + } else { + afl->fsrv.exec_tmout = avg_us * 5 / 1000; + } + afl->fsrv.exec_tmout = MAX(afl->fsrv.exec_tmout, max_us / 1000); afl->fsrv.exec_tmout = (afl->fsrv.exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND; - if (afl->fsrv.exec_tmout > EXEC_TIMEOUT) + if (afl->fsrv.exec_tmout > EXEC_TIMEOUT) { + afl->fsrv.exec_tmout = EXEC_TIMEOUT; + } + ACTF("No -t option specified, so I'll use exec timeout of %u ms.", afl->fsrv.exec_tmout); @@ -932,9 +1023,12 @@ void show_init_stats(afl_state_t *afl) { /* In dumb mode, re-running every timing out test case with a generous time limit is very expensive, so let's select a more conservative default. */ - if (afl->dumb_mode && !(afl->afl_env.afl_hang_tmout)) + if (afl->dumb_mode && !(afl->afl_env.afl_hang_tmout)) { + afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100); + } + OKF("All set and ready to roll!"); #undef IB diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index efb65ba6..5920f5c0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -37,7 +37,7 @@ static u8 *get_libradamsa_path(u8 *own_loc) { cp = alloc_printf("%s/libradamsa.so", tmp); - if (access(cp, X_OK)) FATAL("Unable to find '%s'", cp); + if (access(cp, X_OK)) { FATAL("Unable to find '%s'", cp); } return cp; @@ -53,12 +53,14 @@ static u8 *get_libradamsa_path(u8 *own_loc) { cp = alloc_printf("%s/libradamsa.so", own_copy); ck_free(own_copy); - if (!access(cp, X_OK)) return cp; + if (!access(cp, X_OK)) { return cp; } - } else + } else { ck_free(own_copy); + } + if (!access(AFL_PATH "/libradamsa.so", X_OK)) { return ck_strdup(AFL_PATH "/libradamsa.so"); @@ -148,7 +150,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "case\n\n", argv0, EXEC_TIMEOUT, MEM_LIMIT); - if (more_help > 1) + if (more_help > 1) { + SAYF( "Environment variables used:\n" "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n" @@ -193,11 +196,15 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { //"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n" "\n" ); - else + + } else { + SAYF( "To view also the supported environment variables of afl-fuzz please " "use \"-hh\".\n\n"); + } + #ifdef USE_PYTHON SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", (char *)PYTHON_VERSION); @@ -216,13 +223,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { static int stricmp(char const *a, char const *b) { - if (!a || !b) FATAL("Null reference"); + if (!a || !b) { FATAL("Null reference"); } for (;; ++a, ++b) { int d; d = tolower(*a) - tolower(*b); - if (d != 0 || !*a) return d; + if (d != 0 || !*a) { return d; } } @@ -247,14 +254,14 @@ int main(int argc, char **argv_orig, char **envp) { afl_state_t *afl = calloc(1, sizeof(afl_state_t)); if (!afl) { FATAL("Could not create afl state"); } - if (get_afl_env("AFL_DEBUG")) afl->debug = 1; + if (get_afl_env("AFL_DEBUG")) { afl->debug = 1; } map_size = get_map_size(); afl_state_init(afl, map_size); afl_fsrv_init(&afl->fsrv); read_afl_environment(afl, envp); - if (afl->shm.map_size) afl->fsrv.map_size = afl->shm.map_size; + if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; } exit_1 = !!afl->afl_env.afl_bench_just_one; SAYF(cCYA "afl-fuzz" VERSION cRST @@ -266,11 +273,14 @@ int main(int argc, char **argv_orig, char **envp) { afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); while ((opt = getopt(argc, argv, - "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) + "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > + 0) { switch (opt) { - case 'I': afl->infoexec = optarg; break; + case 'I': + afl->infoexec = optarg; + break; case 'c': { @@ -334,7 +344,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'e': - if (afl->file_extension) FATAL("Multiple -e options not supported"); + if (afl->file_extension) { FATAL("Multiple -e options not supported"); } afl->file_extension = optarg; @@ -342,16 +352,16 @@ int main(int argc, char **argv_orig, char **envp) { case 'i': /* input dir */ - if (afl->in_dir) FATAL("Multiple -i options not supported"); + if (afl->in_dir) { FATAL("Multiple -i options not supported"); } afl->in_dir = optarg; - if (!strcmp(afl->in_dir, "-")) afl->in_place_resume = 1; + if (!strcmp(afl->in_dir, "-")) { afl->in_place_resume = 1; } break; case 'o': /* output dir */ - if (afl->out_dir) FATAL("Multiple -o options not supported"); + if (afl->out_dir) { FATAL("Multiple -o options not supported"); } afl->out_dir = optarg; break; @@ -359,7 +369,7 @@ int main(int argc, char **argv_orig, char **envp) { u8 *c; - if (afl->sync_id) FATAL("Multiple -S or -M options not supported"); + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); if ((c = strchr(afl->sync_id, ':'))) { @@ -368,9 +378,12 @@ int main(int argc, char **argv_orig, char **envp) { if (sscanf(c + 1, "%u/%u", &afl->master_id, &afl->master_max) != 2 || !afl->master_id || !afl->master_max || - afl->master_id > afl->master_max || afl->master_max > 1000000) + afl->master_id > afl->master_max || afl->master_max > 1000000) { + FATAL("Bogus master ID passed to -M"); + } + } afl->force_deterministic = 1; @@ -381,20 +394,20 @@ int main(int argc, char **argv_orig, char **envp) { case 'S': - if (afl->sync_id) FATAL("Multiple -S or -M options not supported"); + if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); break; case 'f': /* target file */ - if (afl->fsrv.out_file) FATAL("Multiple -f options not supported"); + if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); } afl->fsrv.out_file = ck_strdup(optarg); afl->fsrv.use_stdin = 0; break; case 'x': /* dictionary */ - if (extras_dir) FATAL("Multiple -x options not supported"); + if (extras_dir) { FATAL("Multiple -x options not supported"); } extras_dir = optarg; break; @@ -402,19 +415,27 @@ int main(int argc, char **argv_orig, char **envp) { u8 suffix = 0; - if (afl->timeout_given) FATAL("Multiple -t options not supported"); + if (afl->timeout_given) { FATAL("Multiple -t options not supported"); } if (sscanf(optarg, "%u%c", &afl->fsrv.exec_tmout, &suffix) < 1 || - optarg[0] == '-') + optarg[0] == '-') { + FATAL("Bad syntax used for -t"); - if (afl->fsrv.exec_tmout < 5) FATAL("Dangerously low value of -t"); + } + + if (afl->fsrv.exec_tmout < 5) { FATAL("Dangerously low value of -t"); } + + if (suffix == '+') { - if (suffix == '+') afl->timeout_given = 2; - else + + } else { + afl->timeout_given = 1; + } + break; } @@ -423,10 +444,10 @@ int main(int argc, char **argv_orig, char **envp) { u8 suffix = 'M'; - if (mem_limit_given) FATAL("Multiple -m options not supported"); + if (mem_limit_given) { FATAL("Multiple -m options not supported"); } mem_limit_given = 1; - if (!optarg) FATAL("Wrong usage of -m"); + if (!optarg) { FATAL("Wrong usage of -m"); } if (!strcmp(optarg, "none")) { @@ -436,32 +457,51 @@ int main(int argc, char **argv_orig, char **envp) { } if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 || - optarg[0] == '-') + optarg[0] == '-') { + FATAL("Bad syntax used for -m"); - switch (suffix) { + } - case 'T': afl->fsrv.mem_limit *= 1024 * 1024; break; - case 'G': afl->fsrv.mem_limit *= 1024; break; - case 'k': afl->fsrv.mem_limit /= 1024; break; - case 'M': break; + switch (suffix) { - default: FATAL("Unsupported suffix or bad syntax for -m"); + case 'T': + afl->fsrv.mem_limit *= 1024 * 1024; + break; + case 'G': + afl->fsrv.mem_limit *= 1024; + break; + case 'k': + afl->fsrv.mem_limit /= 1024; + break; + case 'M': + break; + + default: + FATAL("Unsupported suffix or bad syntax for -m"); } - if (afl->fsrv.mem_limit < 5) FATAL("Dangerously low value of -m"); + if (afl->fsrv.mem_limit < 5) { FATAL("Dangerously low value of -m"); } + + if (sizeof(rlim_t) == 4 && afl->fsrv.mem_limit > 2000) { - if (sizeof(rlim_t) == 4 && afl->fsrv.mem_limit > 2000) FATAL("Value of -m out of range on 32-bit systems"); + } + } break; case 'd': /* skip deterministic */ - if (afl->skip_deterministic) FATAL("Multiple -d options not supported"); + if (afl->skip_deterministic) { + + FATAL("Multiple -d options not supported"); + + } + afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -479,7 +519,7 @@ int main(int argc, char **argv_orig, char **envp) { I only used this once or twice to get variants of a particular file, so I'm not making this an official setting. */ - if (afl->in_bitmap) FATAL("Multiple -B options not supported"); + if (afl->in_bitmap) { FATAL("Multiple -B options not supported"); } afl->in_bitmap = optarg; read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size); @@ -487,85 +527,99 @@ int main(int argc, char **argv_orig, char **envp) { case 'C': /* crash mode */ - if (afl->crash_mode) FATAL("Multiple -C options not supported"); + if (afl->crash_mode) { FATAL("Multiple -C options not supported"); } afl->crash_mode = FSRV_RUN_CRASH; break; case 'n': /* dumb mode */ - if (afl->dumb_mode) FATAL("Multiple -n options not supported"); - if (afl->afl_env.afl_dumb_forksrv) + if (afl->dumb_mode) { FATAL("Multiple -n options not supported"); } + if (afl->afl_env.afl_dumb_forksrv) { + afl->dumb_mode = 2; - else + + } else { + afl->dumb_mode = 1; + } + break; case 'T': /* banner */ - if (afl->use_banner) FATAL("Multiple -T options not supported"); + if (afl->use_banner) { FATAL("Multiple -T options not supported"); } afl->use_banner = optarg; break; case 'Q': /* QEMU mode */ - if (afl->fsrv.qemu_mode) FATAL("Multiple -Q options not supported"); + if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } afl->fsrv.qemu_mode = 1; - if (!mem_limit_given) afl->fsrv.mem_limit = MEM_LIMIT_QEMU; + if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } break; case 'N': /* Unicorn mode */ - if (afl->no_unlink) FATAL("Multiple -N options not supported"); + if (afl->no_unlink) { FATAL("Multiple -N options not supported"); } afl->no_unlink = 1; break; case 'U': /* Unicorn mode */ - if (afl->unicorn_mode) FATAL("Multiple -U options not supported"); + if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); } afl->unicorn_mode = 1; - if (!mem_limit_given) afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; + if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; } break; case 'W': /* Wine+QEMU mode */ - if (afl->use_wine) FATAL("Multiple -W options not supported"); + if (afl->use_wine) { FATAL("Multiple -W options not supported"); } afl->fsrv.qemu_mode = 1; afl->use_wine = 1; - if (!mem_limit_given) afl->fsrv.mem_limit = 0; + if (!mem_limit_given) { afl->fsrv.mem_limit = 0; } break; case 'V': { afl->most_time_key = 1; - if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') { + FATAL("Bad syntax used for -V"); + } + } break; case 'E': { afl->most_execs_key = 1; - if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') { + FATAL("Bad syntax used for -E"); + } + } break; case 'L': { /* MOpt mode */ - if (afl->limit_time_sig) FATAL("Multiple -L options not supported"); + if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); } afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) + if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) { + FATAL("Bad syntax used for -L"); + } + if (afl->limit_time_puppet == -1) { afl->limit_time_sig = -1; @@ -583,19 +637,23 @@ int main(int argc, char **argv_orig, char **envp) { u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000; - if (limit_time_puppet2 < afl->limit_time_puppet) + if (limit_time_puppet2 < afl->limit_time_puppet) { + FATAL("limit_time overflow"); + + } + afl->limit_time_puppet = limit_time_puppet2; SAYF("limit_time_puppet %d\n", afl->limit_time_puppet); afl->swarm_now = 0; - if (afl->limit_time_puppet == 0) afl->key_puppet = 1; + if (afl->limit_time_puppet == 0) { afl->key_puppet = 1; } int i; int tmp_swarm = 0; - if (afl->g_now > afl->g_max) afl->g_now = 0; + if (afl->g_now > afl->g_max) { afl->g_now = 0; } afl->w_now = (afl->w_init - afl->w_end) * (afl->g_max - afl->g_now) / (afl->g_max) + afl->w_end; @@ -643,11 +701,16 @@ int main(int argc, char **argv_orig, char **envp) { afl->x_now[tmp_swarm][i] += afl->v_now[tmp_swarm][i]; - if (afl->x_now[tmp_swarm][i] > v_max) + if (afl->x_now[tmp_swarm][i] > v_max) { + afl->x_now[tmp_swarm][i] = v_max; - else if (afl->x_now[tmp_swarm][i] < v_min) + + } else if (afl->x_now[tmp_swarm][i] < v_min) { + afl->x_now[tmp_swarm][i] = v_min; + } + x_temp += afl->x_now[tmp_swarm][i]; } @@ -655,19 +718,27 @@ int main(int argc, char **argv_orig, char **envp) { for (i = 0; i < operator_num; ++i) { afl->x_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i] / x_temp; - if (likely(i != 0)) + if (likely(i != 0)) { + afl->probability_now[tmp_swarm][i] = afl->probability_now[tmp_swarm][i - 1] + afl->x_now[tmp_swarm][i]; - else + + } else { + afl->probability_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i]; + } + } if (afl->probability_now[tmp_swarm][operator_num - 1] < 0.99 || - afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) + afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) { + FATAL("ERROR probability"); + } + } for (i = 0; i < operator_num; ++i) { @@ -682,25 +753,37 @@ int main(int argc, char **argv_orig, char **envp) { } break; - case 'h': show_help++; break; // not needed + case 'h': + show_help++; + break; // not needed case 'R': - if (afl->use_radamsa) + if (afl->use_radamsa) { + afl->use_radamsa = 2; - else + + } else { + afl->use_radamsa = 1; + } + break; default: - if (!show_help) show_help = 1; + if (!show_help) { show_help = 1; } } - if (optind == argc || !afl->in_dir || !afl->out_dir || show_help) + } + + if (optind == argc || !afl->in_dir || !afl->out_dir || show_help) { + usage(afl, argv[0], show_help); + } + OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " "Eißfeldt, Andrea Fioraldi and Dominik Maier"); OKF("afl++ is open source, get it at " @@ -711,40 +794,57 @@ int main(int argc, char **argv_orig, char **envp) { OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); if (afl->sync_id && afl->force_deterministic && - afl->afl_env.afl_custom_mutator_only) + afl->afl_env.afl_custom_mutator_only) { + WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " "result in no deterministic mutations being done!"); - if (afl->fixed_seed) OKF("Running with fixed seed: %u", (u32)afl->init_seed); + } + + if (afl->fixed_seed) { + + OKF("Running with fixed seed: %u", (u32)afl->init_seed); + + } + srandom((u32)afl->init_seed); srand((u32)afl->init_seed); // in case it is a different implementation if (afl->use_radamsa) { - if (afl->limit_time_sig > 0) + if (afl->limit_time_sig > 0) { + FATAL( "MOpt and Radamsa are mutually exclusive unless you specify -L -1. " "We accept pull requests that integrates MOpt with the optional " "mutators (custom/radamsa/redqueen/...)."); - if (afl->limit_time_sig && afl->use_radamsa > 1) + } + + if (afl->limit_time_sig && afl->use_radamsa > 1) { + FATAL("Radamsa in radamsa-only mode can not run together with -L"); + } + OKF("Using Radamsa add-on"); u8 * libradamsa_path = get_libradamsa_path(argv[0]); void *handle = dlopen(libradamsa_path, RTLD_NOW); ck_free(libradamsa_path); - if (!handle) FATAL("Failed to dlopen() libradamsa"); + if (!handle) { FATAL("Failed to dlopen() libradamsa"); } void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init"); afl->radamsa_mutate_ptr = dlsym(handle, "radamsa"); - if (!radamsa_init_ptr || !afl->radamsa_mutate_ptr) + if (!radamsa_init_ptr || !afl->radamsa_mutate_ptr) { + FATAL("Failed to dlsym() libradamsa"); + } + /* randamsa_init installs some signal hadlers, call it before setup_signal_handlers so that AFL++ can then replace those signal handlers */ @@ -767,80 +867,113 @@ int main(int argc, char **argv_orig, char **envp) { afl->power_name = power_names[afl->schedule]; - if (afl->sync_id) fix_up_sync(afl); + if (afl->sync_id) { fix_up_sync(afl); } + + if (!strcmp(afl->in_dir, afl->out_dir)) { - if (!strcmp(afl->in_dir, afl->out_dir)) FATAL("Input and output directories can't be the same"); + } + if (afl->dumb_mode) { - if (afl->crash_mode) FATAL("-C and -n are mutually exclusive"); - if (afl->fsrv.qemu_mode) FATAL("-Q and -n are mutually exclusive"); - if (afl->unicorn_mode) FATAL("-U and -n are mutually exclusive"); + if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); } + if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); } + if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); } } - if (get_afl_env("AFL_DISABLE_TRIM")) afl->disable_trim = 1; + if (get_afl_env("AFL_DISABLE_TRIM")) { afl->disable_trim = 1; } + + if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) { - if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive"); - if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) + } + + if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) { + WARNF(cLRD "Target binary called without a prefixed path, make sure you are " "fuzzing the right binary: " cRST "%s", argv[optind]); + } + ACTF("Getting to work..."); switch (afl->schedule) { - case FAST: OKF("Using exponential power schedule (FAST)"); break; - case COE: OKF("Using cut-off exponential power schedule (COE)"); break; + case FAST: + OKF("Using exponential power schedule (FAST)"); + break; + case COE: + OKF("Using cut-off exponential power schedule (COE)"); + break; case EXPLOIT: OKF("Using exploitation-based constant power schedule (EXPLOIT)"); break; - case LIN: OKF("Using linear power schedule (LIN)"); break; - case QUAD: OKF("Using quadratic power schedule (QUAD)"); break; - case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break; - case RARE: OKF("Using rare edge focus power schedule (RARE)"); break; + case LIN: + OKF("Using linear power schedule (LIN)"); + break; + case QUAD: + OKF("Using quadratic power schedule (QUAD)"); + break; + case MMOPT: + OKF("Using modified MOpt power schedule (MMOPT)"); + break; + case RARE: + OKF("Using rare edge focus power schedule (RARE)"); + break; case EXPLORE: OKF("Using exploration-based constant power schedule (EXPLORE, default)"); break; - default: FATAL("Unknown power schedule"); break; + default: + FATAL("Unknown power schedule"); + break; } - if (get_afl_env("AFL_NO_FORKSRV")) afl->no_forkserver = 1; - if (get_afl_env("AFL_NO_CPU_RED")) afl->no_cpu_meter_red = 1; - if (get_afl_env("AFL_NO_ARITH")) afl->no_arith = 1; - if (get_afl_env("AFL_SHUFFLE_QUEUE")) afl->shuffle_queue = 1; - if (get_afl_env("AFL_FAST_CAL")) afl->fast_cal = 1; + if (get_afl_env("AFL_NO_FORKSRV")) { afl->no_forkserver = 1; } + if (get_afl_env("AFL_NO_CPU_RED")) { afl->no_cpu_meter_red = 1; } + if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; } + if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; } + if (get_afl_env("AFL_FAST_CAL")) { afl->fast_cal = 1; } if (afl->afl_env.afl_autoresume) { afl->autoresume = 1; - if (afl->in_place_resume) SAYF("AFL_AUTORESUME has no effect for '-i -'"); + if (afl->in_place_resume) { + + SAYF("AFL_AUTORESUME has no effect for '-i -'"); + + } } if (afl->afl_env.afl_hang_tmout) { afl->hang_tmout = atoi(afl->afl_env.afl_hang_tmout); - if (!afl->hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT"); + if (!afl->hang_tmout) { FATAL("Invalid value of AFL_HANG_TMOUT"); } } - if (afl->dumb_mode == 2 && afl->no_forkserver) + if (afl->dumb_mode == 2 && afl->no_forkserver) { + FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); + } + afl->fsrv.use_fauxsrv = afl->dumb_mode == 1 || afl->no_forkserver; - if (getenv("LD_PRELOAD")) + if (getenv("LD_PRELOAD")) { + WARNF( "LD_PRELOAD is set, are you sure that is what to you want to do " "instead of using AFL_PRELOAD?"); + } + if (afl->afl_env.afl_preload) { if (afl->fsrv.qemu_mode) { @@ -852,20 +985,28 @@ int main(int argc, char **argv_orig, char **envp) { s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { - if (afl_preload[i] == ',') + if (afl_preload[i] == ',') { + PFATAL( "Comma (',') is not allowed in AFL_PRELOAD when -Q is " "specified!"); + } + } - if (qemu_preload) + if (qemu_preload) { + buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload); - else + + } else { + buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload); + } + setenv("QEMU_SET_ENV", buf, 1); ck_free(buf); @@ -879,15 +1020,18 @@ int main(int argc, char **argv_orig, char **envp) { } - if (getenv("AFL_LD_PRELOAD")) + if (getenv("AFL_LD_PRELOAD")) { + FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); + } + save_cmdline(afl, argc, argv); fix_up_banner(afl, argv[optind]); check_if_tty(afl); - if (afl->afl_env.afl_force_ui) afl->not_on_tty = 0; + if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; } if (afl->afl_env.afl_cal_fast) { @@ -921,7 +1065,7 @@ int main(int argc, char **argv_orig, char **envp) { setup_post(afl); - if (!afl->in_bitmap) memset(afl->virgin_bits, 255, afl->fsrv.map_size); + if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); memset(afl->virgin_crash, 255, afl->fsrv.map_size); @@ -938,9 +1082,9 @@ int main(int argc, char **argv_orig, char **envp) { pivot_inputs(afl); - if (extras_dir) load_extras(afl, extras_dir); + if (extras_dir) { load_extras(afl, extras_dir); } - if (!afl->timeout_given) find_timeout(afl); + if (!afl->timeout_given) { find_timeout(afl); } if ((afl->tmp_dir = afl->afl_env.afl_tmpdir) != NULL && !afl->in_place_resume) { @@ -959,16 +1103,21 @@ int main(int argc, char **argv_orig, char **envp) { } /* there is still a race condition here, but well ... */ - if (access(tmpfile, F_OK) != -1) + if (access(tmpfile, F_OK) != -1) { + FATAL( "AFL_TMPDIR already has an existing temporary input file: %s - if " "this is not from another instance, then just remove the file.", tmpfile); - } else + } + + } else { afl->tmp_dir = afl->out_dir; + } + /* If we don't have a file name chosen yet, use a safe default. */ if (!afl->fsrv.out_file) { @@ -1005,13 +1154,17 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!afl->fsrv.out_file) setup_stdio_file(afl); + if (!afl->fsrv.out_file) { setup_stdio_file(afl); } if (afl->cmplog_binary) { - if (afl->unicorn_mode) + if (afl->unicorn_mode) { + FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); - if (!afl->fsrv.qemu_mode) check_binary(afl, afl->cmplog_binary); + + } + + if (!afl->fsrv.qemu_mode) { check_binary(afl, afl->cmplog_binary); } } @@ -1021,13 +1174,18 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.qemu_mode) { - if (afl->use_wine) + if (afl->use_wine) { + use_argv = get_wine_argv(argv[0], &afl->fsrv.target_path, argc - optind, argv + optind); - else + + } else { + use_argv = get_qemu_argv(argv[0], &afl->fsrv.target_path, argc - optind, argv + optind); + } + } else { use_argv = argv + optind; @@ -1062,7 +1220,7 @@ int main(int argc, char **argv_orig, char **envp) { maybe_update_plot_file(afl, 0, 0); save_auto(afl); - if (afl->stop_soon) goto stop_fuzzing; + if (afl->stop_soon) { goto stop_fuzzing; } /* Woop woop woop */ @@ -1070,7 +1228,7 @@ int main(int argc, char **argv_orig, char **envp) { sleep(4); afl->start_time += 4000; - if (afl->stop_soon) goto stop_fuzzing; + if (afl->stop_soon) { goto stop_fuzzing; } } @@ -1112,34 +1270,44 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->queued_paths == prev_queued) { - if (afl->use_splicing) + if (afl->use_splicing) { + ++afl->cycles_wo_finds; - else + + } else { + afl->use_splicing = 1; - } else + } + + } else { afl->cycles_wo_finds = 0; + } + prev_queued = afl->queued_paths; if (afl->sync_id && afl->queue_cycle == 1 && - afl->afl_env.afl_import_first) + afl->afl_env.afl_import_first) { + sync_fuzzers(afl); + } + } skipped_fuzz = fuzz_one(afl); if (!skipped_fuzz && !afl->stop_soon && afl->sync_id) { - if (!(sync_interval_cnt++ % SYNC_INTERVAL)) sync_fuzzers(afl); + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); } } - if (!afl->stop_soon && exit_1) afl->stop_soon = 2; + if (!afl->stop_soon && exit_1) { afl->stop_soon = 2; } - if (afl->stop_soon) break; + if (afl->stop_soon) { break; } afl->queue_cur = afl->queue_cur->next; ++afl->current_entry; @@ -1159,11 +1327,18 @@ stop_fuzzing: SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, afl->stop_soon == 2 ? "programmatically" : "by user"); - if (afl->most_time_key == 2) + if (afl->most_time_key == 2) { + SAYF(cYEL "[!] " cRST "Time limit was reached\n"); - if (afl->most_execs_key == 2) + + } + + if (afl->most_execs_key == 2) { + SAYF(cYEL "[!] " cRST "Execution limit was reached\n"); + } + /* Running for more than 30 minutes but still doing first cycle? */ if (afl->queue_cycle == 1 && @@ -1182,7 +1357,7 @@ stop_fuzzing: destroy_custom_mutator(afl); afl_shm_deinit(&afl->shm); afl_fsrv_deinit(&afl->fsrv); - if (afl->orig_cmdline) ck_free(afl->orig_cmdline); + if (afl->orig_cmdline) { ck_free(afl->orig_cmdline); } ck_free(afl->fsrv.target_path); ck_free(afl->fsrv.out_file); ck_free(afl->sync_id); diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 1ae10975..6c6bd1f1 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -128,11 +128,16 @@ static void edit_params(u32 argc, char **argv) { cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); name = strrchr(argv[0], '/'); - if (!name) + if (!name) { + name = argv[0]; - else + + } else { + ++name; + } + if (!strncmp(name, "afl-clang", 9)) { clang_mode = 1; @@ -211,7 +216,7 @@ static void edit_params(u32 argc, char **argv) { if (!strncmp(cur, "-B", 2)) { - if (!be_quiet) WARNF("-B is already set, overriding"); + if (!be_quiet) { WARNF("-B is already set, overriding"); } if (!cur[2] && argc > 1) { @@ -224,18 +229,22 @@ static void edit_params(u32 argc, char **argv) { } - if (!strcmp(cur, "-integrated-as")) continue; + if (!strcmp(cur, "-integrated-as")) { continue; } - if (!strcmp(cur, "-pipe")) continue; + if (!strcmp(cur, "-pipe")) { continue; } #if defined(__FreeBSD__) && defined(WORD_SIZE_64) if (!strcmp(cur, "-m32")) m32_set = 1; #endif - if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) + if (!strcmp(cur, "-fsanitize=address") || + !strcmp(cur, "-fsanitize=memory")) { + asan_set = 1; - if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; + } + + if (strstr(cur, "FORTIFY_SOURCE")) { fortify_set = 1; } cc_params[cc_par_cnt++] = cur; @@ -244,13 +253,13 @@ static void edit_params(u32 argc, char **argv) { cc_params[cc_par_cnt++] = "-B"; cc_params[cc_par_cnt++] = as_path; - if (clang_mode) cc_params[cc_par_cnt++] = "-no-integrated-as"; + if (clang_mode) { cc_params[cc_par_cnt++] = "-no-integrated-as"; } if (getenv("AFL_HARDEN")) { cc_params[cc_par_cnt++] = "-fstack-protector-all"; - if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; + if (!fortify_set) { cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; } } @@ -262,21 +271,35 @@ static void edit_params(u32 argc, char **argv) { } else if (getenv("AFL_USE_ASAN")) { - if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive"); + if (getenv("AFL_USE_MSAN")) { + + FATAL("ASAN and MSAN are mutually exclusive"); + + } + + if (getenv("AFL_HARDEN")) { - if (getenv("AFL_HARDEN")) FATAL("ASAN and AFL_HARDEN are mutually exclusive"); + } + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-fsanitize=address"; } else if (getenv("AFL_USE_MSAN")) { - if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive"); + if (getenv("AFL_USE_ASAN")) { + + FATAL("ASAN and MSAN are mutually exclusive"); + + } + + if (getenv("AFL_HARDEN")) { - if (getenv("AFL_HARDEN")) FATAL("MSAN and AFL_HARDEN are mutually exclusive"); + } + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-fsanitize=memory"; @@ -386,10 +409,12 @@ int main(int argc, char **argv) { "afl-gcc is deprecated, llvm_mode is much faster and has more " "options\n"); - } else + } else { be_quiet = 1; + } + if (argc < 2) { SAYF( @@ -416,7 +441,11 @@ int main(int argc, char **argv) { ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE")))) { u32 map_size = atoi(ptr); - if (map_size != MAP_SIZE) FATAL("AFL_MAP_SIZE is not supported by afl-gcc"); + if (map_size != MAP_SIZE) { + + FATAL("AFL_MAP_SIZE is not supported by afl-gcc"); + + } } diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index 6c2fa147..ab7aad5c 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -102,8 +102,12 @@ repeat_loop: v1 = CTEST_BUSY_CYCLES; - while (v1--) + while (v1--) { + v2++; + + } + sched_yield(); en_t = get_cur_time_us(); @@ -154,7 +158,7 @@ int main(int argc, char **argv) { s32 fr = fork(); - if (fr < 0) PFATAL("fork failed"); + if (fr < 0) { PFATAL("fork failed"); } if (!fr) { @@ -192,8 +196,12 @@ int main(int argc, char **argv) { #endif #if defined(__linux__) - if (sched_setaffinity(0, sizeof(c), &c)) + if (sched_setaffinity(0, sizeof(c), &c)) { + PFATAL("sched_setaffinity failed for cpu %d", i); + + } + #endif util_perc = measure_preemption(CTEST_CORE_TRG_MS); @@ -221,10 +229,10 @@ int main(int argc, char **argv) { for (i = 0; i < cpu_cnt; i++) { int ret; - if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed"); + if (waitpid(-1, &ret, 0) < 0) { PFATAL("waitpid failed"); } - if (WEXITSTATUS(ret) == 0) idle_cpus++; - if (WEXITSTATUS(ret) <= 1) maybe_cpus++; + if (WEXITSTATUS(ret) == 0) { idle_cpus++; } + if (WEXITSTATUS(ret) <= 1) { maybe_cpus++; } } diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index a130411e..94fca09e 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -86,7 +86,7 @@ void afl_shm_deinit(sharedmem_t *shm) { #else shmctl(shm->shm_id, IPC_RMID, NULL); - if (shm->cmplog_mode) shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); + if (shm->cmplog_mode) { shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); } #endif shm->map = NULL; @@ -152,14 +152,14 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | 0600); - if (shm->shm_id < 0) PFATAL("shmget() failed"); + if (shm->shm_id < 0) { PFATAL("shmget() failed"); } if (shm->cmplog_mode) { shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map), IPC_CREAT | IPC_EXCL | 0600); - if (shm->cmplog_shm_id < 0) PFATAL("shmget() failed"); + if (shm->cmplog_shm_id < 0) { PFATAL("shmget() failed"); } } @@ -170,7 +170,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { fork server commands. This should be replaced with better auto-detection later on, perhaps? */ - if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); + if (!dumb_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } ck_free(shm_str); @@ -178,7 +178,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm_str = alloc_printf("%d", shm->cmplog_shm_id); - if (!dumb_mode) setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); + if (!dumb_mode) { setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); } ck_free(shm_str); @@ -186,13 +186,17 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm->map = shmat(shm->shm_id, NULL, 0); - if (shm->map == (void *)-1 || !shm->map) PFATAL("shmat() failed"); + if (shm->map == (void *)-1 || !shm->map) { PFATAL("shmat() failed"); } if (shm->cmplog_mode) { shm->cmp_map = shmat(shm->cmplog_shm_id, NULL, 0); - if (shm->cmp_map == (void *)-1 || !shm->cmp_map) PFATAL("shmat() failed"); + if (shm->cmp_map == (void *)-1 || !shm->cmp_map) { + + PFATAL("shmat() failed"); + + } } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 59b4963d..63b54851 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -121,7 +121,7 @@ static void classify_counts(afl_forkserver_t *fsrv) { while (i--) { - if (*mem) *mem = 1; + if (*mem) { *mem = 1; } mem++; } @@ -143,7 +143,7 @@ static void classify_counts(afl_forkserver_t *fsrv) { static void at_exit_handler(void) { - if (stdin_file) unlink(stdin_file); + if (stdin_file) { unlink(stdin_file); } } @@ -161,25 +161,28 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { fd = open(outfile, O_WRONLY); - if (fd < 0) PFATAL("Unable to open '%s'", out_file); + if (fd < 0) { PFATAL("Unable to open '%s'", out_file); } } else if (!strcmp(outfile, "-")) { fd = dup(1); - if (fd < 0) PFATAL("Unable to open stdout"); + if (fd < 0) { PFATAL("Unable to open stdout"); } } else { unlink(outfile); /* Ignore errors */ fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", outfile); + if (fd < 0) { PFATAL("Unable to create '%s'", outfile); } } if (binary_mode) { - for (i = 0; i < map_size; i++) - if (fsrv->trace_bits[i]) ret++; + for (i = 0; i < map_size; i++) { + + if (fsrv->trace_bits[i]) { ret++; } + + } ck_write(fd, fsrv->trace_bits, map_size, outfile); close(fd); @@ -188,27 +191,29 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { FILE *f = fdopen(fd, "w"); - if (!f) PFATAL("fdopen() failed"); + if (!f) { PFATAL("fdopen() failed"); } for (i = 0; i < map_size; i++) { - if (!fsrv->trace_bits[i]) continue; + if (!fsrv->trace_bits[i]) { continue; } ret++; total += fsrv->trace_bits[i]; - if (highest < fsrv->trace_bits[i]) highest = fsrv->trace_bits[i]; + if (highest < fsrv->trace_bits[i]) { highest = fsrv->trace_bits[i]; } if (cmin_mode) { - if (fsrv->last_run_timed_out) break; - if (!caa && child_crashed != cco) break; + if (fsrv->last_run_timed_out) { break; } + if (!caa && child_crashed != cco) { break; } fprintf(f, "%u%u\n", fsrv->trace_bits[i], i); - } else + } else { fprintf(f, "%06u:%u\n", i, fsrv->trace_bits[i]); + } + } fclose(f); @@ -251,11 +256,14 @@ static u32 read_file(u8 *in_file) { struct stat st; s32 fd = open(in_file, O_RDONLY); - if (fd < 0) WARNF("Unable to open '%s'", in_file); + if (fd < 0) { WARNF("Unable to open '%s'", in_file); } + + if (fstat(fd, &st) || !st.st_size) { - if (fstat(fd, &st) || !st.st_size) WARNF("Zero-sized input file '%s'.", in_file); + } + in_len = st.st_size; in_data = ck_alloc_nozero(in_len); @@ -276,13 +284,13 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { static struct itimerval it; int status = 0; - if (!quiet_mode) SAYF("-- Program output begins --\n" cRST); + if (!quiet_mode) { SAYF("-- Program output begins --\n" cRST); } MEM_BARRIER(); fsrv->child_pid = fork(); - if (fsrv->child_pid < 0) PFATAL("fork() failed"); + if (fsrv->child_pid < 0) { PFATAL("fork() failed"); } if (!fsrv->child_pid) { @@ -319,14 +327,19 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { } - if (!keep_cores) + if (!keep_cores) { + r.rlim_max = r.rlim_cur = 0; - else + + } else { + r.rlim_max = r.rlim_cur = RLIM_INFINITY; + } + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 0); } setsid(); @@ -349,7 +362,7 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { setitimer(ITIMER_REAL, &it, NULL); - if (waitpid(fsrv->child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); + if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); } fsrv->child_pid = 0; it.it_value.tv_sec = 0; @@ -360,26 +373,39 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { /* Clean up bitmap, analyze exit condition, etc. */ - if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) { + FATAL("Unable to execute '%s'", argv[0]); + } + classify_counts(fsrv); - if (!quiet_mode) SAYF(cRST "-- Program output ends --\n"); + if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } + + if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) { - if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) child_crashed = 1; + } + if (!quiet_mode) { - if (fsrv->last_run_timed_out) + if (fsrv->last_run_timed_out) { + SAYF(cLRD "\n+++ Program timed off +++\n" cRST); - else if (stop_soon) + + } else if (stop_soon) { + SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST); - else if (child_crashed) + + } else if (child_crashed) { + SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST, WTERMSIG(status)); + } + } } @@ -421,20 +447,28 @@ static void set_up_environment(afl_forkserver_t *fsrv) { s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { - if (afl_preload[i] == ',') + if (afl_preload[i] == ',') { + PFATAL( "Comma (',') is not allowed in AFL_PRELOAD when -Q is " "specified!"); + } + } - if (qemu_preload) + if (qemu_preload) { + buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload); - else + + } else { + buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload); + } + setenv("QEMU_SET_ENV", buf, 1); ck_free(buf); @@ -549,20 +583,20 @@ int main(int argc, char **argv_orig, char **envp) { doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - if (getenv("AFL_QUIET") != NULL) be_quiet = 1; + if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; } - while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0) + while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0) { switch (opt) { case 'i': - if (in_dir) FATAL("Multiple -i options not supported"); + if (in_dir) { FATAL("Multiple -i options not supported"); } in_dir = optarg; break; case 'o': - if (out_file) FATAL("Multiple -o options not supported"); + if (out_file) { FATAL("Multiple -o options not supported"); } out_file = optarg; break; @@ -570,10 +604,10 @@ int main(int argc, char **argv_orig, char **envp) { u8 suffix = 'M'; - if (mem_limit_given) FATAL("Multiple -m options not supported"); + if (mem_limit_given) { FATAL("Multiple -m options not supported"); } mem_limit_given = 1; - if (!optarg) FATAL("Wrong usage of -m"); + if (!optarg) { FATAL("Wrong usage of -m"); } if (!strcmp(optarg, "none")) { @@ -583,25 +617,39 @@ int main(int argc, char **argv_orig, char **envp) { } if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || - optarg[0] == '-') + optarg[0] == '-') { + FATAL("Bad syntax used for -m"); - switch (suffix) { + } - case 'T': fsrv->mem_limit *= 1024 * 1024; break; - case 'G': fsrv->mem_limit *= 1024; break; - case 'k': fsrv->mem_limit /= 1024; break; - case 'M': break; + switch (suffix) { - default: FATAL("Unsupported suffix or bad syntax for -m"); + case 'T': + fsrv->mem_limit *= 1024 * 1024; + break; + case 'G': + fsrv->mem_limit *= 1024; + break; + case 'k': + fsrv->mem_limit /= 1024; + break; + case 'M': + break; + + default: + FATAL("Unsupported suffix or bad syntax for -m"); } - if (fsrv->mem_limit < 5) FATAL("Dangerously low value of -m"); + if (fsrv->mem_limit < 5) { FATAL("Dangerously low value of -m"); } + + if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) { - if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) FATAL("Value of -m out of range on 32-bit systems"); + } + } break; @@ -615,32 +663,35 @@ int main(int argc, char **argv_orig, char **envp) { case 't': - if (timeout_given) FATAL("Multiple -t options not supported"); + if (timeout_given) { FATAL("Multiple -t options not supported"); } timeout_given = 1; - if (!optarg) FATAL("Wrong usage of -t"); + if (!optarg) { FATAL("Wrong usage of -t"); } if (strcmp(optarg, "none")) { fsrv->exec_tmout = atoi(optarg); - if (fsrv->exec_tmout < 20 || optarg[0] == '-') + if (fsrv->exec_tmout < 20 || optarg[0] == '-') { + FATAL("Dangerously low value of -t"); + } + } break; case 'e': - if (edges_only) FATAL("Multiple -e options not supported"); - if (raw_instr_output) FATAL("-e and -r are mutually exclusive"); + if (edges_only) { FATAL("Multiple -e options not supported"); } + if (raw_instr_output) { FATAL("-e and -r are mutually exclusive"); } edges_only = 1; break; case 'q': - if (quiet_mode) FATAL("Multiple -q options not supported"); + if (quiet_mode) { FATAL("Multiple -q options not supported"); } quiet_mode = 1; break; @@ -660,27 +711,27 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': - if (fsrv->qemu_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_QEMU; + if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } + if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; } fsrv->qemu_mode = 1; break; case 'U': - if (unicorn_mode) FATAL("Multiple -U options not supported"); - if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_UNICORN; + if (unicorn_mode) { FATAL("Multiple -U options not supported"); } + if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; } unicorn_mode = 1; break; case 'W': /* Wine+QEMU mode */ - if (use_wine) FATAL("Multiple -W options not supported"); + if (use_wine) { FATAL("Multiple -W options not supported"); } fsrv->qemu_mode = 1; use_wine = 1; - if (!mem_limit_given) fsrv->mem_limit = 0; + if (!mem_limit_given) { fsrv->mem_limit = 0; } break; @@ -694,14 +745,14 @@ int main(int argc, char **argv_orig, char **envp) { case 'c': - if (keep_cores) FATAL("Multiple -c options not supported"); + if (keep_cores) { FATAL("Multiple -c options not supported"); } keep_cores = 1; break; case 'r': - if (raw_instr_output) FATAL("Multiple -r options not supported"); - if (edges_only) FATAL("-e and -r are mutually exclusive"); + if (raw_instr_output) { FATAL("Multiple -r options not supported"); } + if (edges_only) { FATAL("-e and -r are mutually exclusive"); } raw_instr_output = 1; break; @@ -710,11 +761,14 @@ int main(int argc, char **argv_orig, char **envp) { return -1; break; - default: usage(argv[0]); + default: + usage(argv[0]); } - if (optind == argc || !out_file) usage(argv[0]); + } + + if (optind == argc || !out_file) { usage(argv[0]); } check_environment_vars(envp); @@ -735,7 +789,7 @@ int main(int argc, char **argv_orig, char **envp) { if (in_dir) { - if (at_file) PFATAL("Options -A and -i are mutually exclusive"); + if (at_file) { PFATAL("Options -A and -i are mutually exclusive"); } detect_file_args(argv + optind, "", &fsrv->use_stdin); } else { @@ -744,22 +798,32 @@ int main(int argc, char **argv_orig, char **envp) { } - for (i = optind; i < argc; i++) - if (strcmp(argv[i], "@@") == 0) arg_offset = i; + for (i = optind; i < argc; i++) { + + if (strcmp(argv[i], "@@") == 0) { arg_offset = i; } + + } if (fsrv->qemu_mode) { - if (use_wine) + if (use_wine) { + use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); - else + + } else { + use_argv = get_qemu_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); - } else + } + + } else { use_argv = argv + optind; + } + if (in_dir) { DIR * dir_in, *dir_out; @@ -771,20 +835,30 @@ int main(int argc, char **argv_orig, char **envp) { #endif fsrv->dev_null_fd = open("/dev/null", O_RDWR); - if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } - if (!(dir_in = opendir(in_dir))) PFATAL("cannot open directory %s", in_dir); + if (!(dir_in = opendir(in_dir))) { + + PFATAL("cannot open directory %s", in_dir); + + } + + if (!(dir_out = opendir(out_file))) { + + if (mkdir(out_file, 0700)) { - if (!(dir_out = opendir(out_file))) - if (mkdir(out_file, 0700)) PFATAL("cannot create output directory %s", out_file); + } + + } + u8 *use_dir = "."; if (access(use_dir, R_OK | W_OK | X_OK)) { use_dir = get_afl_env("TMPDIR"); - if (!use_dir) use_dir = "/tmp"; + if (!use_dir) { use_dir = "/tmp"; } } @@ -792,7 +866,7 @@ int main(int argc, char **argv_orig, char **envp) { unlink(stdin_file); atexit(at_exit_handler); fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); - if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", out_file); + if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); } if (arg_offset && argv[arg_offset] != stdin_file) { @@ -805,8 +879,12 @@ int main(int argc, char **argv_orig, char **envp) { int i = optind; SAYF(cMGN "[D]" cRST " %s:", fsrv->target_path); - while (argv[i] != NULL) + while (argv[i] != NULL) { + SAYF(" \"%s\"", argv[i++]); + + } + SAYF("\n"); SAYF(cMGN "[D]" cRST " %d - %d = %d, %s\n", arg_offset, optind, arg_offset - optind, infile); @@ -818,11 +896,19 @@ int main(int argc, char **argv_orig, char **envp) { while (done == 0 && (dir_ent = readdir(dir_in))) { - if (dir_ent->d_name[0] == '.') + if (dir_ent->d_name[0] == '.') { + continue; // skip anything that starts with '.' + } + #if defined(DT_REG) /* Posix and Solaris do not know d_type and DT_REG */ - if (dir_ent->d_type != DT_REG) continue; // only regular files + if (dir_ent->d_type != DT_REG) { + + continue; // only regular files + + } + #endif snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name); @@ -843,10 +929,10 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!quiet_mode) OKF("Processed %llu input files.", fsrv->total_execs); + if (!quiet_mode) { OKF("Processed %llu input files.", fsrv->total_execs); } closedir(dir_in); - if (dir_out) closedir(dir_out); + if (dir_out) { closedir(dir_out); } } else { @@ -857,7 +943,7 @@ int main(int argc, char **argv_orig, char **envp) { if (!quiet_mode) { - if (!tcnt) FATAL("No instrumentation detected" cRST); + if (!tcnt) { FATAL("No instrumentation detected" cRST); } OKF("Captured %u tuples (highest value %u, total values %u) in '%s'." cRST, tcnt, highest, total, out_file); @@ -875,13 +961,13 @@ int main(int argc, char **argv_orig, char **envp) { u32 ret = child_crashed * 2 + fsrv->last_run_timed_out; - if (fsrv->target_path) ck_free(fsrv->target_path); + if (fsrv->target_path) { ck_free(fsrv->target_path); } afl_fsrv_deinit(fsrv); - if (stdin_file) ck_free(stdin_file); + if (stdin_file) { ck_free(stdin_file); } argv_cpy_free(argv); - if (fsrv->qemu_mode) free(use_argv[2]); + if (fsrv->qemu_mode) { free(use_argv[2]); } exit(ret); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index dab2a417..d6fbd493 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -108,7 +108,7 @@ static void apply_mask(u32 *mem, u32 *mask) { u32 i = (map_size >> 2); - if (!mask) return; + if (!mask) { return; } while (i--) { @@ -129,7 +129,7 @@ static void classify_counts(afl_forkserver_t *fsrv) { while (i--) { - if (*mem) *mem = 1; + if (*mem) { *mem = 1; } mem++; } @@ -154,8 +154,11 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) { u32 *ptr = (u32 *)fsrv->trace_bits; u32 i = (map_size >> 2); - while (i--) - if (*(ptr++)) return 1; + while (i--) { + + if (*(ptr++)) { return 1; } + + } return 0; @@ -174,13 +177,16 @@ static void read_initial_file(void) { struct stat st; s32 fd = open(in_file, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", in_file); + if (fd < 0) { PFATAL("Unable to open '%s'", in_file); } + + if (fstat(fd, &st) || !st.st_size) { FATAL("Zero-sized input file."); } - if (fstat(fd, &st) || !st.st_size) FATAL("Zero-sized input file."); + if (st.st_size >= TMIN_MAX_FILE) { - if (st.st_size >= TMIN_MAX_FILE) FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + } + in_len = st.st_size; in_data = ck_alloc_nozero(in_len); @@ -202,7 +208,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); - if (ret < 0) PFATAL("Unable to create '%s'", path); + if (ret < 0) { PFATAL("Unable to create '%s'", path); } ck_write(ret, mem, len, path); @@ -223,7 +229,7 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon); - if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child"); + if (ret == FSRV_RUN_ERROR) { FATAL("Couldn't run child"); } if (stop_soon) { @@ -239,9 +245,14 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, switch (ret) { - case FSRV_RUN_TMOUT: return 1; - case FSRV_RUN_CRASH: missed_crashes++; return 0; - default: missed_hangs++; return 0; + case FSRV_RUN_TMOUT: + return 1; + case FSRV_RUN_CRASH: + missed_crashes++; + return 0; + default: + missed_hangs++; + return 0; } @@ -261,11 +272,11 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, if (ret == FSRV_RUN_CRASH) { - if (first_run) crash_mode = 1; + if (first_run) { crash_mode = 1; } if (crash_mode) { - if (!exact_mode) return 1; + if (!exact_mode) { return 1; } } else { @@ -287,13 +298,13 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } - if (ret == FSRV_RUN_NOINST) FATAL("Binary not instrumented?"); + if (ret == FSRV_RUN_NOINST) { FATAL("Binary not instrumented?"); } u32 cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); - if (first_run) orig_cksum = cksum; + if (first_run) { orig_cksum = cksum; } - if (orig_cksum == cksum) return 1; + if (orig_cksum == cksum) { return 1; } missed_paths++; return 0; @@ -320,7 +331,7 @@ static void minimize(afl_forkserver_t *fsrv, char **argv) { set_len = next_pow2(in_len / TMIN_SET_STEPS); set_pos = 0; - if (set_len < TMIN_SET_MIN_SIZE) set_len = TMIN_SET_MIN_SIZE; + if (set_len < TMIN_SET_MIN_SIZE) { set_len = TMIN_SET_MIN_SIZE; } ACTF(cBRI "Stage #0: " cRST "One-time block normalization..."); @@ -328,8 +339,11 @@ static void minimize(afl_forkserver_t *fsrv, char **argv) { u32 use_len = MIN(set_len, in_len - set_pos); - for (i = 0; i < use_len; i++) - if (in_data[set_pos + i] != '0') break; + for (i = 0; i < use_len; i++) { + + if (in_data[set_pos + i] != '0') { break; } + + } if (i != use_len) { @@ -374,7 +388,7 @@ next_pass: next_del_blksize: - if (!del_len) del_len = 1; + if (!del_len) { del_len = 1; } del_pos = 0; prev_del = 1; @@ -387,7 +401,7 @@ next_del_blksize: s32 tail_len; tail_len = in_len - del_pos - del_len; - if (tail_len < 0) tail_len = 0; + if (tail_len < 0) { tail_len = 0; } /* If we have processed at least one full block (initially, prev_del == 1), and we did so without deleting the previous one, and we aren't at the @@ -420,10 +434,12 @@ next_del_blksize: changed_any = 1; - } else + } else { del_pos += del_len; + } + } if (del_len > 1 && in_len >= 1) { @@ -435,11 +451,14 @@ next_del_blksize: OKF("Block removal complete, %u bytes deleted.", stage_o_len - in_len); - if (!in_len && changed_any) + if (!in_len && changed_any) { + WARNF(cLRD "Down to zero bytes - check the command line and mem limit!" cRST); - if (cur_pass > 1 && !changed_any) goto finalize_all; + } + + if (cur_pass > 1 && !changed_any) { goto finalize_all; } /************************* * ALPHABET MINIMIZATION * @@ -453,7 +472,7 @@ next_del_blksize: for (i = 0; i < in_len; i++) { - if (!alpha_map[in_data[i]]) alpha_size++; + if (!alpha_map[in_data[i]]) { alpha_size++; } alpha_map[in_data[i]]++; } @@ -466,12 +485,15 @@ next_del_blksize: u32 r; u8 res; - if (i == '0' || !alpha_map[i]) continue; + if (i == '0' || !alpha_map[i]) { continue; } memcpy(tmp_buf, in_data, in_len); - for (r = 0; r < in_len; r++) - if (tmp_buf[r] == i) tmp_buf[r] = '0'; + for (r = 0; r < in_len; r++) { + + if (tmp_buf[r] == i) { tmp_buf[r] = '0'; } + + } res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0); @@ -506,7 +528,7 @@ next_del_blksize: u8 res, orig = tmp_buf[i]; - if (orig == '0') continue; + if (orig == '0') { continue; } tmp_buf[i] = '0'; res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0); @@ -517,10 +539,12 @@ next_del_blksize: alpha_del2++; changed_any = 1; - } else + } else { tmp_buf[i] = orig; + } + } alpha_d_total += alpha_del2; @@ -528,11 +552,11 @@ next_del_blksize: OKF("Character minimization done, %u byte%s replaced.", alpha_del2, alpha_del2 == 1 ? "" : "s"); - if (changed_any) goto next_pass; + if (changed_any) { goto next_pass; } finalize_all: - if (tmp_buf) ck_free(tmp_buf); + if (tmp_buf) { ck_free(tmp_buf); } if (hang_mode) { @@ -558,9 +582,12 @@ finalize_all: missed_hangs ? cLRD : "", missed_hangs); if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs && - !hang_mode) + !hang_mode) { + WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); + } + } /* Handle Ctrl-C and the like. */ @@ -579,7 +606,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { u8 *x; fsrv->dev_null_fd = open("/dev/null", O_RDWR); - if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } if (!out_file) { @@ -588,7 +615,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { if (access(use_dir, R_OK | W_OK | X_OK)) { use_dir = get_afl_env("TMPDIR"); - if (!use_dir) use_dir = "/tmp"; + if (!use_dir) { use_dir = "/tmp"; } } @@ -600,7 +627,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { fsrv->out_fd = open(out_file, O_RDWR | O_CREAT | O_EXCL, 0600); - if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", out_file); + if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); } /* Set sane defaults... */ @@ -608,25 +635,37 @@ static void set_up_environment(afl_forkserver_t *fsrv) { if (x) { - if (!strstr(x, "abort_on_error=1")) + if (!strstr(x, "abort_on_error=1")) { + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - if (!strstr(x, "symbolize=0")) + } + + if (!strstr(x, "symbolize=0")) { + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + } + } x = get_afl_env("MSAN_OPTIONS"); if (x) { - if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) { + FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY( MSAN_ERROR) " - please fix!"); - if (!strstr(x, "symbolize=0")) + } + + if (!strstr(x, "symbolize=0")) { + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + } + } setenv("ASAN_OPTIONS", @@ -653,20 +692,28 @@ static void set_up_environment(afl_forkserver_t *fsrv) { s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { - if (afl_preload[i] == ',') + if (afl_preload[i] == ',') { + PFATAL( "Comma (',') is not allowed in AFL_PRELOAD when -Q is " "specified!"); + } + } - if (qemu_preload) + if (qemu_preload) { + buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", qemu_preload, afl_preload, afl_preload); - else + + } else { + buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s", afl_preload, afl_preload); + } + setenv("QEMU_SET_ENV", buf, 1); ck_free(buf); @@ -772,40 +819,44 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n"); - while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0) + while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0) { switch (opt) { case 'i': - if (in_file) FATAL("Multiple -i options not supported"); + if (in_file) { FATAL("Multiple -i options not supported"); } in_file = optarg; break; case 'o': - if (output_file) FATAL("Multiple -o options not supported"); + if (output_file) { FATAL("Multiple -o options not supported"); } output_file = optarg; break; case 'f': - if (out_file) FATAL("Multiple -f options not supported"); + if (out_file) { FATAL("Multiple -f options not supported"); } fsrv->use_stdin = 0; out_file = optarg; break; case 'e': - if (edges_only) FATAL("Multiple -e options not supported"); - if (hang_mode) + if (edges_only) { FATAL("Multiple -e options not supported"); } + if (hang_mode) { + FATAL("Edges only and hang mode are mutually exclusive."); + + } + edges_only = 1; break; case 'x': - if (exit_crash) FATAL("Multiple -x options not supported"); + if (exit_crash) { FATAL("Multiple -x options not supported"); } exit_crash = 1; break; @@ -813,10 +864,10 @@ int main(int argc, char **argv_orig, char **envp) { u8 suffix = 'M'; - if (mem_limit_given) FATAL("Multiple -m options not supported"); + if (mem_limit_given) { FATAL("Multiple -m options not supported"); } mem_limit_given = 1; - if (!optarg) FATAL("Wrong usage of -m"); + if (!optarg) { FATAL("Wrong usage of -m"); } if (!strcmp(optarg, "none")) { @@ -826,66 +877,83 @@ int main(int argc, char **argv_orig, char **envp) { } if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || - optarg[0] == '-') + optarg[0] == '-') { + FATAL("Bad syntax used for -m"); - switch (suffix) { + } - case 'T': fsrv->mem_limit *= 1024 * 1024; break; - case 'G': fsrv->mem_limit *= 1024; break; - case 'k': fsrv->mem_limit /= 1024; break; - case 'M': break; + switch (suffix) { - default: FATAL("Unsupported suffix or bad syntax for -m"); + case 'T': + fsrv->mem_limit *= 1024 * 1024; + break; + case 'G': + fsrv->mem_limit *= 1024; + break; + case 'k': + fsrv->mem_limit /= 1024; + break; + case 'M': + break; + + default: + FATAL("Unsupported suffix or bad syntax for -m"); } - if (fsrv->mem_limit < 5) FATAL("Dangerously low value of -m"); + if (fsrv->mem_limit < 5) { FATAL("Dangerously low value of -m"); } + + if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) { - if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) FATAL("Value of -m out of range on 32-bit systems"); + } + } break; case 't': - if (timeout_given) FATAL("Multiple -t options not supported"); + if (timeout_given) { FATAL("Multiple -t options not supported"); } timeout_given = 1; - if (!optarg) FATAL("Wrong usage of -t"); + if (!optarg) { FATAL("Wrong usage of -t"); } fsrv->exec_tmout = atoi(optarg); - if (fsrv->exec_tmout < 10 || optarg[0] == '-') + if (fsrv->exec_tmout < 10 || optarg[0] == '-') { + FATAL("Dangerously low value of -t"); + } + break; case 'Q': - if (fsrv->qemu_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_QEMU; + if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } + if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; } fsrv->qemu_mode = 1; break; case 'U': - if (unicorn_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_UNICORN; + if (unicorn_mode) { FATAL("Multiple -Q options not supported"); } + if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; } unicorn_mode = 1; break; case 'W': /* Wine+QEMU mode */ - if (use_wine) FATAL("Multiple -W options not supported"); + if (use_wine) { FATAL("Multiple -W options not supported"); } fsrv->qemu_mode = 1; use_wine = 1; - if (!mem_limit_given) fsrv->mem_limit = 0; + if (!mem_limit_given) { fsrv->mem_limit = 0; } break; @@ -893,9 +961,13 @@ int main(int argc, char **argv_orig, char **envp) { /* Minimizes a testcase to the minimum that still times out */ - if (hang_mode) FATAL("Multipe -H options not supported"); - if (edges_only) + if (hang_mode) { FATAL("Multipe -H options not supported"); } + if (edges_only) { + FATAL("Edges only and hang mode are mutually exclusive."); + + } + hang_mode = 1; break; @@ -914,7 +986,7 @@ int main(int argc, char **argv_orig, char **envp) { The option may be extended and made more official if it proves to be useful. */ - if (mask_bitmap) FATAL("Multiple -B options not supported"); + if (mask_bitmap) { FATAL("Multiple -B options not supported"); } mask_bitmap = ck_alloc(map_size); read_bitmap(optarg, mask_bitmap, map_size); break; @@ -924,11 +996,14 @@ int main(int argc, char **argv_orig, char **envp) { return -1; break; - default: usage(argv[0]); + default: + usage(argv[0]); } - if (optind == argc || !in_file || !output_file) usage(argv[0]); + } + + if (optind == argc || !in_file || !output_file) { usage(argv[0]); } check_environment_vars(envp); @@ -945,17 +1020,24 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->qemu_mode) { - if (use_wine) + if (use_wine) { + use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); - else + + } else { + use_argv = get_qemu_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); - } else + } + + } else { use_argv = argv + optind; + } + exact_mode = !!get_afl_env("AFL_TMIN_EXACT"); if (hang_mode && exact_mode) { @@ -977,17 +1059,23 @@ int main(int argc, char **argv_orig, char **envp) { tmin_run_target(fsrv, use_argv, in_data, in_len, 1); - if (hang_mode && !fsrv->last_run_timed_out) + if (hang_mode && !fsrv->last_run_timed_out) { + FATAL( "Target binary did not time out but hang minimization mode " "(-H) was set (-t %u).", fsrv->exec_tmout); - if (fsrv->last_run_timed_out && !hang_mode) + } + + if (fsrv->last_run_timed_out && !hang_mode) { + FATAL( "Target binary times out (adjusting -t may help). Use -H to minimize a " "hang."); + } + if (hang_mode) { OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode."); @@ -997,7 +1085,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("Program terminates normally, minimizing in " cCYA "instrumented" cRST " mode."); - if (!anything_set(fsrv)) FATAL("No instrumentation detected."); + if (!anything_set(fsrv)) { FATAL("No instrumentation detected."); } } else { @@ -1012,7 +1100,7 @@ int main(int argc, char **argv_orig, char **envp) { ACTF("Writing output to '%s'...", output_file); unlink(out_file); - if (out_file) ck_free(out_file); + if (out_file) { ck_free(out_file); } out_file = NULL; close(write_to_file(output_file, in_data, in_len)); @@ -1021,9 +1109,9 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_deinit(&shm); afl_fsrv_deinit(fsrv); - if (fsrv->target_path) ck_free(fsrv->target_path); - if (mask_bitmap) ck_free(mask_bitmap); - if (in_data) ck_free(in_data); + if (fsrv->target_path) { ck_free(fsrv->target_path); } + if (mask_bitmap) { ck_free(mask_bitmap); } + if (in_data) { ck_free(in_data); } argv_cpy_free(argv); | 
