-rw-r--r--include/afl-fuzz.h15
-rw-r--r--qemu_mode/patches/afl-qemu-tcg-runtime-inl.h4
-rw-r--r--src/afl-forkserver.c2
-rw-r--r--src/afl-fuzz-cmplog.c15
-rw-r--r--src/afl-fuzz-init.c4
-rw-r--r--src/afl-fuzz-misc.c4
-rw-r--r--src/afl-fuzz-mutators.c3
-rw-r--r--src/afl-fuzz-one.c13
-rw-r--r--src/afl-fuzz-queue.c2
-rw-r--r--src/afl-fuzz-run.c16
-rw-r--r--src/afl-fuzz-stats.c46
-rw-r--r--src/afl-showmap.c2
-rw-r--r--src/afl-tmin.c2
13 files changed, 74 insertions, 54 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 913b08e6..28156268 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -109,7 +109,8 @@
 #define CASE_PREFIX "id_"
 #endif                                                    /* ^!SIMPLE_FILES */
 
-#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state */
+#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \
+                             */
 
 extern s8  interesting_8[INTERESTING_8_LEN];
 extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
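Review bot: The reflowed STAGE_BUF_SIZE line now ends its first physical line with a backslash inside a block comment. It compiles, because line splicing happens before the preprocessor recognises comments, but a trailing `\` that is visually part of a `#define` reads like a macro continuation and is the kind of construct that gets silently broken the next time someone edits the comment text. Moving the comment onto its own line keeps the column limit without the splice: `/* usable size of the stage name buf in afl_state */` followed by `#define STAGE_BUF_SIZE (64)`.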
@@ -542,7 +543,7 @@ typedef struct afl_state {
 
   /* cmplog forkserver ids */
   s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
-  u32            cmplog_prev_timed_out;
+  u32 cmplog_prev_timed_out;
 
   u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
                                   up to 256 */
@@ -559,13 +560,13 @@ typedef struct afl_state {
 #endif
 
   /* statis file */
-  double        last_bitmap_cvg, last_stability, last_eps;
+  double last_bitmap_cvg, last_stability, last_eps;
 
   /* plot file saves from last run */
   u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md;
   u64 plot_prev_qc, plot_prev_uc, plot_prev_uh;
 
-  u64    stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
+  u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
   double stats_avg_exec;
 
   u8 clean_trace[MAP_SIZE];
@@ -800,9 +801,9 @@ u8 has_new_bits(afl_state_t *, u8 *);
 
 /* Misc */
 
-u8 *DI(u64);
-u8 *DF(double);
-u8 *DMS(u64);
+u8 * DI(u64);
+u8 * DF(double);
+u8 * DMS(u64);
 void DTD(u8 *, size_t, u64, u64);
 
 /* Extras */
diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
index b7cd71bb..1526f09c 100644
--- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
+++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
@@ -185,8 +185,8 @@ void HELPER(afl_cmplog_rtn)(CPUArchState *env) {
   if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return;
 
   // when this hook is executed, the retaddr is not on stack yet
-  void *ptr1 = g2h(stack[0]);
-  void *ptr2 = g2h(stack[1]);
+  void *    ptr1 = g2h(stack[0]);
+  void *    ptr2 = g2h(stack[1]);
 
 #else
 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index a77684a7..68ffe28d 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -168,7 +168,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
 static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
 
   unsigned char tmp[4] = {0};
-  pid_t                child_pid = -1;
+  pid_t         child_pid = -1;
 
   /* Phone home and tell the parent that we're OK. If parent isn't there,
      assume we're not running in forkserver mode and just execute program. */
diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c
index 7af7b84c..6211548b 100644
--- a/src/afl-fuzz-cmplog.c
+++ b/src/afl-fuzz-cmplog.c
@@ -32,9 +32,9 @@
 void init_cmplog_forkserver(afl_state_t *afl) {
 
   struct timeval timeout;
-  int                   st_pipe[2], ctl_pipe[2];
-  int                   status;
-  s32                   rlen;
+  int            st_pipe[2], ctl_pipe[2];
+  int            status;
+  s32            rlen;
 
   ACTF("Spinning up the cmplog fork server...");
 
@@ -373,9 +373,9 @@ void init_cmplog_forkserver(afl_state_t *afl) {
 u8 run_cmplog_target(afl_state_t *afl, u32 timeout) {
 
   struct timeval it;
-  int status = 0;
-  int sret;
-  u64 exec_ms;
+  int            status = 0;
+  int            sret;
+  u64            exec_ms;
 
   u32 tb4;
   s32 res;
@@ -394,7 +394,8 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) {
   /* Since we always have a forkserver (or a fauxserver) running, we can simply
   tell them to have at it and read back the pid from it.*/
 
-  if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != 4) {
+  if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) !=
+      4) {
 
     if (afl->stop_soon) return 0;
     RPFATAL(res,
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 8acb305c..ab455417 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -797,7 +797,7 @@ void pivot_inputs(afl_state_t *afl) {
 
 u32 find_start_position(afl_state_t *afl) {
 
-  u8 tmp[4096] = {0};                 /* Ought to be enough for anybody. */
+  u8 tmp[4096] = {0};                    /* Ought to be enough for anybody. */
 
   u8 *fn, *off;
   s32 fd, i;
@@ -834,7 +834,7 @@ u32 find_start_position(afl_state_t *afl) {
 
 void find_timeout(afl_state_t *afl) {
 
-  u8 tmp[4096] = {0};                /* Ought to be enough for anybody. */
+  u8 tmp[4096] = {0};                    /* Ought to be enough for anybody. */
 
   u8 *fn, *off;
   s32 fd, i;
diff --git a/src/afl-fuzz-misc.c b/src/afl-fuzz-misc.c
index d0db79d6..90e0ee8a 100644
--- a/src/afl-fuzz-misc.c
+++ b/src/afl-fuzz-misc.c
@@ -166,8 +166,8 @@ u8 *DMS(u64 val) {
 
 void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) {
 
-  u64       delta;
-  s32       t_d, t_h, t_m, t_s;
+  u64 delta;
+  s32 t_d, t_h, t_m, t_s;
 
   if (!event_ms) snprintf(buf, len, "none seen yet");
 
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 5d39c2ee..9788da49 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -196,7 +196,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
   u32 trim_exec = 0;
   u32 orig_len = q->len;
 
-  if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf;
+  if (afl->stage_name != afl->stage_name_buf)
+    afl->stage_name = afl->stage_name_buf;
   afl->bytes_trim_in += q->len;
 
   /* Initialize trimming in the custom mutator */
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index ebb863ca..c1458dbb 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1680,7 +1680,8 @@ havoc_stage:
     perf_score = orig_perf;
 
     snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle);
-    if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf;
+    if (afl->stage_name != afl->stage_name_buf)
+      afl->stage_name = afl->stage_name_buf;
     afl->stage_short = "splice";
     afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
 
@@ -3573,9 +3574,10 @@ pacemaker_fuzzing:
 
     perf_score = orig_perf;
 
-    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, MOpt_globals.splice_stageformat,
-             splice_cycle);
-    if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf;
+    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE,
+             MOpt_globals.splice_stageformat, splice_cycle);
+    if (afl->stage_name != afl->stage_name_buf)
+      afl->stage_name = afl->stage_name_buf;
     afl->stage_short = MOpt_globals.splice_stagenameshort;
     afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
 
@@ -3623,7 +3625,8 @@ pacemaker_fuzzing:
       } else {
 
         perf_score = orig_perf;
-        snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, MOpt_globals.splice_stageformat, splice_cycle);
+        snprintf(afl->stage_name_buf, STAGE_BUF_SIZE,
+                 MOpt_globals.splice_stageformat, splice_cycle);
         afl->stage_name = afl->stage_name_buf;
         afl->stage_short = MOpt_globals.splice_stagenameshort;
         afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 00bad48f..8a995727 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -254,7 +254,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
 void cull_queue(afl_state_t *afl) {
 
   struct queue_entry *q;
-  u8           temp_v[MAP_SIZE >> 3];
+  u8                  temp_v[MAP_SIZE >> 3];
   u32                 i;
 
   if (afl->dumb_mode || !afl->score_changed) return;
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index c65cdce3..500c5ba2 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -38,8 +38,8 @@ u8 run_target(afl_state_t *afl, u32 timeout) {
   fd_set readfds;
 
   struct timeval it;
-  int status = 0;
-  u32 tb4;
+  int            status = 0;
+  u32            tb4;
 
   afl->fsrv.child_timed_out = 0;
 
@@ -361,7 +361,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 
         for (i = 0; i < MAP_SIZE; ++i) {
 
-          if (!afl->var_bytes[i] && afl->first_trace[i] != afl->fsrv.trace_bits[i]) {
+          if (!afl->var_bytes[i] &&
+              afl->first_trace[i] != afl->fsrv.trace_bits[i]) {
 
             afl->var_bytes[i] = 1;
             afl->stage_max = CAL_CYCLES_LONG;
@@ -500,7 +501,8 @@ void sync_fuzzers(afl_state_t *afl) {
 
     snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "sync %u", ++sync_cnt);
 
-    if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf;
+    if (afl->stage_name != afl->stage_name_buf)
+      afl->stage_name = afl->stage_name_buf;
     afl->stage_cur = 0;
     afl->stage_max = 0;
 
@@ -607,7 +609,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
 
   if (q->len < 5) return 0;
 
-  if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf;
+  if (afl->stage_name != afl->stage_name_buf)
+    afl->stage_name = afl->stage_name_buf;
   afl->bytes_trim_in += q->len;
 
   /* Select initial chunk len, starting with large steps. */
@@ -623,7 +626,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
 
     u32 remove_pos = remove_len;
 
-    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len), DI(remove_len));
+    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len),
+             DI(remove_len));
 
     afl->stage_cur = 0;
     afl->stage_max = q->len / remove_len;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index d4b27625..c89820d8 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -192,20 +192,22 @@ static void check_term_size(afl_state_t *afl) {
 
 void show_stats(afl_state_t *afl) {
 
-  double        t_byte_ratio, stab_ratio;
+  double t_byte_ratio, stab_ratio;
 
   u64 cur_ms;
   u32 t_bytes, t_bits;
 
   u32 banner_len, banner_pad;
   u8  tmp[256];
-  u8 time_tmp[64];
+  u8  time_tmp[64];
 
   cur_ms = get_cur_time();
 
   /* If not enough time has passed since last UI update, bail out. */
 
-  if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && !afl->force_ui_update) return;
+  if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ &&
+      !afl->force_ui_update)
+    return;
 
   /* Check if we're past the 10 minute mark. */
 
@@ -215,18 +217,22 @@ void show_stats(afl_state_t *afl) {
 
   if (!afl->stats_last_execs) {
 
-    afl->stats_avg_exec = ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time);
+    afl->stats_avg_exec =
+        ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time);
 
   } else {
 
-    double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) * 1000 / (cur_ms - afl->stats_last_ms);
+    double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) *
+                     1000 / (cur_ms - afl->stats_last_ms);
 
     /* If there is a dramatic (5x+) jump in speed, reset the indicator
        more quickly. */
 
-    if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec) afl->stats_avg_exec = cur_avg;
+    if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec)
+      afl->stats_avg_exec = cur_avg;
 
-    afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + cur_avg * (1.0 / AVG_SMOOTHING);
+    afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) +
+                          cur_avg * (1.0 / AVG_SMOOTHING);
 
   }
 
@@ -348,9 +354,9 @@ void show_stats(afl_state_t *afl) {
 
   /* Lord, forgive me this. */
 
-  SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
+  SAYF(SET_G1 bSTG bLT bH bSTOP                         cCYA
        " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
-       " overall results " bSTG bH2 bH2 bRT "\n");
+       " overall results " bSTG bH2 bH2                 bRT "\n");
 
   if (afl->dumb_mode) {
 
@@ -383,7 +389,8 @@ void show_stats(afl_state_t *afl) {
 
   DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time);
   SAYF(bV bSTOP "        run time : " cRST "%-33s " bSTG bV bSTOP
-                "  cycles done : %s%-5s " bSTG              bV "\n", time_tmp, tmp, DI(afl->queue_cycle - 1));
+                "  cycles done : %s%-5s " bSTG              bV "\n",
+       time_tmp, tmp, DI(afl->queue_cycle - 1));
 
   /* We want to warn people about not seeing new paths after a full cycle,
      except when resuming fuzzing or running in non-instrumented mode. */
@@ -420,18 +427,20 @@ void show_stats(afl_state_t *afl) {
 
   DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time);
   SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP
-                " uniq crashes : %s%-6s" bSTG               bV "\n", time_tmp, afl->unique_crashes ? cLRD : cRST, tmp);
+                " uniq crashes : %s%-6s" bSTG               bV "\n",
+       time_tmp, afl->unique_crashes ? cLRD : cRST, tmp);
 
   sprintf(tmp, "%s%s", DI(afl->unique_hangs),
           (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
 
   DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time);
   SAYF(bV bSTOP "  last uniq hang : " cRST "%-33s " bSTG bV bSTOP
-                "   uniq hangs : " cRST "%-6s" bSTG         bV "\n", time_tmp, tmp);
+                "   uniq hangs : " cRST "%-6s" bSTG         bV "\n",
+       time_tmp, tmp);
 
-  SAYF(bVR bH bSTOP            cCYA
+  SAYF(bVR bH bSTOP                                          cCYA
        " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
-       " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
+       " map coverage " bSTG bH bHT bH20 bH2                 bVL "\n");
 
   /* This gets funny because we want to print several variable-length variables
      together, but then cram them into a fixed-width field - so we need to
@@ -460,9 +469,9 @@ void show_stats(afl_state_t *afl) {
 
   SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
 
-  SAYF(bVR bH bSTOP            cCYA
+  SAYF(bVR bH bSTOP                                         cCYA
        " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
-       " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
+       " findings in depth " bSTG bH10 bH5 bH2 bH2          bVL "\n");
 
   sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored),
           ((double)afl->queued_favored) * 100 / afl->queued_paths);
@@ -526,13 +535,14 @@ void show_stats(afl_state_t *afl) {
   }
 
   sprintf(tmp, "%s (%s%s unique)", DI(afl->total_tmouts),
-          DI(afl->unique_tmouts), (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
+          DI(afl->unique_tmouts),
+          (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
 
   SAYF(bSTG bV bSTOP "  total tmouts : " cRST "%-22s" bSTG bV "\n", tmp);
 
   /* Aaaalmost there... hold on! */
 
-  SAYF(bVR bH cCYA                      bSTOP
+  SAYF(bVR bH cCYA                                                     bSTOP
        " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
        " path geometry " bSTG bH5 bH2 bVL "\n");
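Review bot: The rewrapped `sprintf(tmp, "%s (%s%s unique)", ...)` call still writes into the fixed `u8 tmp[256]` declared at the top of show_stats with no length bound; the inputs are DI() number strings and a one-character suffix, so it cannot overflow in practice, but the bound lives in the reader's head rather than in the code. Since the line is being touched anyway, `snprintf(tmp, sizeof(tmp), "%s (%s%s unique)", DI(afl->total_tmouts),` (rest unchanged) states the limit explicitly and matches the `snprintf(..., STAGE_BUF_SIZE, ...)` style used for stage_name_buf elsewhere in this commit. show_stats continues outside this hunk and the other `sprintf(tmp, ...)` calls in it have the same shape.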
 
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index cc771c5a..712b50bd 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -264,7 +264,7 @@ static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
                                 u32 len) {
 
   struct itimerval it;
-  int                     status = 0;
+  int              status = 0;
 
   memset(fsrv->trace_bits, 0, MAP_SIZE);
   MEM_BARRIER();
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 9a3a72da..9238abab 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -399,7 +399,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
                      u8 first_run) {
 
   struct itimerval it;
-  int                     status = 0;
+  int              status = 0;
 
   u32 cksum;