-rwxr-xr-x | afl-cmin | 17 | ||||
-rwxr-xr-x | afl-cmin.bash | 6 | ||||
-rw-r--r-- | docs/Changelog.md | 2 | ||||
-rw-r--r-- | instrumentation/afl-compiler-rt.o.c | 18 |
4 files changed, 38 insertions, 5 deletions
diff --git a/afl-cmin b/afl-cmin
index 51835648..44716af1 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -291,6 +291,15 @@ BEGIN {
 target_bin = tnew
 }
+ get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
+ get_map_size | getline mapsize
+ if (mapsize && mapsize > 65535) {
+
+ AFL_MAP_SIZE = "AFL_MAP_SIZE="mapsize" "
+ print "[+] Setting "AFL_MAP_SIZE
+
+ }
+
 if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) {
 if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
 print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
@@ -399,10 +408,10 @@ BEGIN {
 print "[*] Testing the target binary..."
 if (!stdin_file) {
- system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+ system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
 } else {
 system("cp \""in_dir"/"first_file"\" "stdin_file)
- system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+ system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
 }
 first_count = 0
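Review bot: The new probe `get_map_size | getline mapsize` executes `target_bin` unconditionally, ahead of the `AFL_SKIP_BIN_CHECK`/`qemu_mode`/`frida_mode`/`unicorn_mode` guard that follows it, so an uninstrumented binary (the QEMU/FRIDA/Unicorn case) is run for real with stdin attached instead of exiting in the AFL runtime constructor, and its first line of stdout becomes `mapsize`. Because `getline` yields a strnum, a non-numeric line such as `ERROR` is compared as a string and `"ERROR" > 65535` is true, so it would be injected verbatim into `AFL_MAP_SIZE`. I would wrap the probe in the same mode checks, close input and stderr with `get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin " </dev/null 2>/dev/null"`, require a number with `if (mapsize ~ /^[0-9]+$/ && mapsize+0 > 65535) {`, and add `close(get_map_size)` after the read so the pipe is not left open. The enclosing `BEGIN` block starts and ends outside this hunk.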
@@ -435,11 +444,11 @@ BEGIN {
 if (!stdin_file) {
 print " Processing "in_count" files (forkserver mode)..."
 # print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string
- retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
+ retval = system(AFL_MAP_SIZE AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
 } else {
 print " Processing "in_count" files (forkserver mode)..."
 # print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
- retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+ retval = system(AFL_MAP_SIZE AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
 }
 if (retval && !AFL_CMIN_CRASHES_ONLY) {
diff --git a/afl-cmin.bash b/afl-cmin.bash
index 9ac65199..db3e8ae5 100755
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@@ -215,6 +215,12 @@ if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
 fi
+MAPSIZE=`AFL_DUMP_MAP_SIZE=1 "./$TARGET_BIN" 2>/dev/null`
+test -n "$MAPSIZE" && {
+  export AFL_MAP_SIZE=$MAPSIZE
+  echo "[+] Setting AFL_MAP_SIZE=$MAPSIZE"
+}
+
 if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$FRIDA_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
 if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d07cef54..c5934c4a 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
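Review bot: In the afl-cmin.bash hunk, `MAPSIZE` is exported into `AFL_MAP_SIZE` with no validation and the probe runs before the `QEMU_MODE`/`FRIDA_MODE`/`UNICORN_MODE` check below it, so an uninstrumented target is executed for real with stdin attached and whatever it prints first is exported as the map size, whereas the awk twin at least applies a `> 65535` check. The `"./$TARGET_BIN"` prefix also looks wrong for an absolute path (`.//usr/bin/x` resolves relative to the cwd), unless code before this hunk has already rewritten `TARGET_BIN` into a cwd-relative name; the `-f`/`-x` test just above uses it unprefixed, so the two should agree. I would move the probe inside the instrumentation-check branch, run it as `MAPSIZE=\`AFL_DUMP_MAP_SIZE=1 "$TARGET_BIN" </dev/null 2>/dev/null\`` and reject non-numeric output with `case "$MAPSIZE" in ''|*[!0-9]*) MAPSIZE="" ;; esac` before the `test -n`.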
@@ -16,6 +16,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
 and long execution times, especially in CIs.
 - afl-cc:
 - better handling of -fsanitize=..,...,.. lists
+ - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
+ note that this will exit the target before main()
 - qemu_mode:
 - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable edges
 (together with AFL_DEBUG=1 afl-fuzz). thanks to
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 97974c4a..1759898e 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -288,11 +288,18 @@ static void __afl_map_shm(void) {
 __afl_map_size = ++__afl_final_loc; // as we count starting 0
+ if (getenv("AFL_DUMP_MAP_SIZE")) {
+
+ printf("%u\n", __afl_map_size);
+ exit(-1);
+
+ }
+
 if (__afl_final_loc > MAP_SIZE) {
 char *ptr;
 u32 val = 0;
- if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr);
+ if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
 if (val < __afl_final_loc) {
 if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) {
@@ -325,6 +332,15 @@ static void __afl_map_shm(void) {
 }
+ } else {
+
+ if (getenv("AFL_DUMP_MAP_SIZE")) {
+
+ printf("%u\n", MAP_SIZE);
+ exit(-1);
+
+ }
+
 }
 if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) { |
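Review bot: The `exit(-1)` after the dump in the first afl-compiler-rt.o.c hunk terminates with status 255, which is what a genuine failure in the target would also produce, so a caller cannot tell "map size printed" from "target died in a constructor" — and neither of the two new wrapper scripts checks the status, which is exactly when a distinguishable code would help. Since this runs from the runtime's constructor before main(), `exit()` additionally runs the target's atexit handlers and destructors on a process whose main never ran; `fflush(stdout); _exit(0);` sidesteps that and gives a checkable success status. The surrounding `__afl_map_shm` body continues outside the hunk, so I cannot confirm whether anything further down relies on a non-zero status here.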
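Review bot: The second afl-compiler-rt.o.c hunk duplicates the dump-and-exit block from the first one, with `MAP_SIZE` hard-coded in the new `else` branch, so the two copies can drift if the size logic in the if-branch changes. If `__afl_map_size` already defaults to `MAP_SIZE` when `__afl_final_loc` is 0 (its initializer is outside this hunk, so I cannot confirm), the `else` copy could be dropped and a single `if (getenv("AFL_DUMP_MAP_SIZE")) { printf("%u\n", __afl_map_size); exit(-1); }` placed once after the if/else chain. Either way a one-line comment on the dump, `/* AFL_DUMP_MAP_SIZE: print the map size and leave before main() runs */`, would explain why the constructor exits the process.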