-rw-r--r-- | Makefile | 7 | ||||
-rw-r--r-- | docs/ChangeLog | 2 | ||||
-rw-r--r-- | include/afl-fuzz.h | 5 | ||||
-rw-r--r-- | src/afl-fuzz-globals.c | 4 | ||||
-rw-r--r-- | src/afl-fuzz-one.c | 17 | ||||
-rw-r--r-- | src/afl-fuzz-run.c | 12 | ||||
-rwxr-xr-x | test/test.sh | 8 |
7 files changed, 55 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index d7309cff..35f58ac5 100644
--- a/Makefile
+++ b/Makefile
@@ -92,6 +92,8 @@ help:
 @echo "distrib: everything (for both binary-only and source code fuzzing)"
 @echo "install: installs everything you have compiled with the build option above"
 @echo "clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well"
+ @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
+ @echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
 @echo "help: shows these build options :-)"
 @echo "=========================================="
 @echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
@@ -176,6 +178,11 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
 $(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
+# document all mutations and only do one run (use with only one input file!)
+document: include/afl-fuzz.h $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86
+ $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS afl-common.o afl-sharedmem.o afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+
+
 code-format:
 ./.custom-format.py -i src/*.c
 ./.custom-format.py -i include/*.h
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 7beb32c3..0f5bb99c 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
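Review bot: The `document` help line added in the first hunk tells users their inputs are saved into out/queue/mutations, but the directory this commit actually creates in src/afl-fuzz-one.c is `"%s/mutations"` under `out_dir`, i.e. `<out_dir>/mutations` beside queue/, not inside it; the docs/ChangeLog entry repeats the same path. Suggest `@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into <out_dir>/mutations"`. The comment on the `document:` target in the second hunk only warns about the single-input restriction; adding `# writes every test case to <out_dir>/mutations; binary is afl-fuzz-document` there would spare a reader the trip into afl-fuzz-one.c.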
@@ -27,6 +27,8 @@ Version ++2.54d (dev):
 - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
 - added "make tests" which will perform checks to see that all functionality is working as expected. this is currently the starting point, its not complete :)
+ - added mutation documentation feature ("make document"), creates afl-fuzz-document
+ and saves all mutations of the first run on the first file into out/queue/mutations
 - libtokencap and libdislocator now compile to the afl_root directory and are installed to the .../lib/afl directory when present during make install
 - reducing duplicate code in afl-fuzz
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 9536e06a..4912b3f0 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -682,5 +682,10 @@ static u64 get_cur_time_us(void) {
 }
+#ifdef _AFL_DOCUMENT_MUTATIONS
+ extern u8 do_document;
+ extern u32 document_counter;
+#endif
+
 #endif
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index 1358a1fb..01b242b8 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -259,3 +259,7 @@ PyObject *py_functions[PY_FUNC_COUNT];
 #endif
+#ifdef _AFL_DOCUMENT_MUTATIONS
+ u8 do_document;
+ u32 document_counter;
+#endif
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 59483b8f..1824f0b2 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -4231,6 +4231,7 @@ pacemaker_fuzzing:
 #define core_fuzzing(a) common_fuzzing((a), MOpt_globals_core)
+
 void pso_updating(void) {
 g_now += 1;
@@ -4310,6 +4311,22 @@ void pso_updating(void) {
 u8 fuzz_one(char** argv) {
 int key_val_lv = 0;
+
+#ifdef _AFL_DOCUMENT_MUTATIONS
+ if (do_document == 0) {
+ char *fn = alloc_printf("%s/mutations", out_dir);
+ if (fn) {
+ do_document = mkdir(fn, 0700); // if it exists we do not care
+ do_document = 1;
+ ck_free(fn);
+ } else
+ PFATAL("malloc()");
+ } else {
+ do_document = 2;
+ stop_soon = 2;
+ }
+#endif
+
 if (limit_time_sig == 0) {
 key_val_lv = fuzz_one_original(argv);
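Review bot: The new `do_document` and `document_counter` externs in include/afl-fuzz.h carry no comment, yet `do_document` is used as a three-state value by fuzz_one later in this commit (0 before the first call, 1 while the single run records, 2 once it has finished and `stop_soon` is raised), which a reader of the header cannot see. Suggest documenting it where it is declared, e.g. `extern u8 do_document;   /* 0 = not started, 1 = recording this run, 2 = done, stopping */` and `extern u32 document_counter; /* sequence number prefixed to each file in <out_dir>/mutations */`. The matching definitions added to src/afl-fuzz-globals.c in this commit would take the same comments.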
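Review bot: In the fuzz_one hunk, `do_document = mkdir(fn, 0700);` is overwritten on the very next line by `do_document = 1;`, so the mkdir result is discarded and any failure other than an already existing directory (EACCES, ENOENT on a vanished out_dir, a read-only filesystem) goes unnoticed; every later `open()` in write_to_testcase then fails and no mutation is ever recorded. Suggest keying on errno instead: `if (mkdir(fn, 0700) && errno != EEXIST) PFATAL("Unable to create '%s'", fn);` followed by `do_document = 1;` (errno.h is, I assume, already reachable through afl-fuzz.h). The `else PFATAL("malloc()")` branch is presumably unreachable if `alloc_printf` is built on the ck_alloc family, which aborts on allocation failure itself; if so the NULL check can go and the misleading "malloc()" message with it. fuzz_one's body continues past the end of this hunk.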
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index f2f663dc..220433fc 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -251,6 +251,18 @@ void write_to_testcase(void* mem, u32 len) {
 s32 fd = out_fd;
+#ifdef _AFL_DOCUMENT_MUTATIONS
+ s32 doc_fd;
+ char *fn = alloc_printf("%s/mutations/%09u:%s", out_dir, document_counter++, describe_op(0));
+ if (fn != NULL) {
+ if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) {
+ if (write(doc_fd, mem, len) != len) PFATAL("write to mutation file failed: %s", fn);
+ close(doc_fd);
+ }
+ ck_free(fn);
+ }
+#endif
+
 if (out_file) {
 // unlink(out_file); /* Ignore errors.
diff --git a/test/test.sh b/test/test.sh
index 5d67588a..d230cf71 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -27,10 +27,18 @@ test -z "$ECHO" && { echo Error: echo command does not support -e option ; exit
 export AFL_EXIT_WHEN_DONE=1
 export AFL_SKIP_CPUFREQ=1
+unset AFL_QUIET
 unset AFL_DEBUG
 unset AFL_HARDEN
+unset AFL_USE_ASAN
+unset AFL_USE_MSAN
+unset AFL_CC
+unset AFL_PRELOAD
 unset AFL_LLVM_WHITELIST
 unset AFL_LLVM_INSTRIM
+unset AFL_LLVM_LAF_SPLIT_SWITCHES
+unset AFL_LLVM_LAF_TRANSFORM_COMPARES
+unset AFL_LLVM_LAF_SPLIT_COMPARES
 GREY="\\x1b[1;90m"
 BLUE="\\x1b[1;94m" |
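Review bot: In the write_to_testcase hunk a failed `open()` of the mutation file is silently skipped while a failed `write()` is fatal, and `document_counter++` runs either way, so a missing or unwritable `<out_dir>/mutations` (for instance when the mkdir in fuzz_one did not succeed) yields gaps in the numbering or no files at all with no diagnostic. For consistency with the write check, suggest `if (doc_fd < 0) PFATAL("Unable to create '%s'", fn);` instead of the silent branch. This code also runs on every write_to_testcase call, so unless the callers differ from what the hunk shows, calibration, trimming and dry-run writes are recorded alongside the mutations named by `describe_op(0)`; a comment such as `/* records every test case handed to the target, not only mutations */` would make that explicit if it is intended. write_to_testcase continues past the end of this hunk.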