about summary refs log tree commit diff
path: root/custom_mutators/symqemu
diff options
context:
space:
mode:
Diffstat (limited to 'custom_mutators/symqemu')
-rw-r--r--custom_mutators/symqemu/README.md10
-rw-r--r--custom_mutators/symqemu/symqemu.c44
2 files changed, 45 insertions, 9 deletions
diff --git a/custom_mutators/symqemu/README.md b/custom_mutators/symqemu/README.md
index b7702c06..c3071afc 100644
--- a/custom_mutators/symqemu/README.md
+++ b/custom_mutators/symqemu/README.md
@@ -2,10 +2,18 @@
 
 This uses the symcc to find new paths into the target.
 
+## How to build and use
+
 To use this custom mutator follow the steps in the symqemu repository 
 [https://github.com/eurecom-s3/symqemu/](https://github.com/eurecom-s3/symqemu/) 
 on how to build symqemu-x86_x64 and put it in your `PATH`.
 
-just type `make` to build this custom mutator.
+Just type `make` to build this custom mutator.
 
 ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symqemu/symqemu-mutator.so AFL_DISABLE_TRIM=1 afl-fuzz ...```
+
+## Options
+
+`SYMQEMU_ALL=1` - use concolic solving on **all** queue items, not only interesting/favorite ones.
+
+`SYMQEMU_LATE=1` - use concolic solving only after there have been no finds for 5 minutes.
diff --git a/custom_mutators/symqemu/symqemu.c b/custom_mutators/symqemu/symqemu.c
index 163ae240..e2b07af6 100644
--- a/custom_mutators/symqemu/symqemu.c
+++ b/custom_mutators/symqemu/symqemu.c
@@ -23,6 +23,8 @@ static u32   found_items = 0;
 typedef struct my_mutator {
 
   afl_state_t *afl;
+  u32          all;
+  u32          late;
   u8          *mutator_buf;
   u8          *out_dir;
   u8          *target;
@@ -156,18 +158,19 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
 
   data->argv[0] = data->symqemu;
   data->argv[1] = data->target;
+  data->afl = afl;
+  data->seed = seed;
+  afl_struct = afl;
+
+  if (getenv("SYMQEMU_ALL")) { data->all = 1; }
+  if (getenv("SYMQEMU_LATE")) { data->late = 1; }
+  if (data->input_file) { setenv("SYMCC_INPUT_FILE", data->input_file, 1); }
 
   DBG("out_dir=%s, target=%s, input_file=%s, argc=%u\n", data->out_dir,
       data->target,
       data->input_file ? (char *)data->input_file : (char *)"<stdin>",
       data->argc);
 
-  if (data->input_file) { setenv("SYMCC_INPUT_FILE", data->input_file, 1); }
-
-  data->afl = afl;
-  data->seed = seed;
-  afl_struct = afl;
-
   if (debug) {
 
     fprintf(stderr, "[");
@@ -189,15 +192,40 @@ void afl_custom_splice_optout(void *data) {
 
 }
 
+/* Get unix time in milliseconds */
+
+inline u64 get_cur_time(void) {
+
+  struct timeval  tv;
+  struct timezone tz;
+
+  gettimeofday(&tv, &tz);
+
+  return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
+
+}
+
 u32 afl_custom_fuzz_count(my_mutator_t *data, const u8 *buf, size_t buf_size) {
 
-  if (likely(!afl_struct->queue_cur->favored ||
-             afl_struct->queue_cur->was_fuzzed)) {
+  if (likely((!afl_struct->queue_cur->favored ||
+              afl_struct->queue_cur->was_fuzzed) &&
+             !data->all)) {
 
     return 0;
 
   }
 
+  if (likely(data->late)) {
+
+    if (unlikely(get_cur_time() - afl_struct->last_find_time <=
+                 10 * 60 * 1000)) {
+
+      return 0;
+
+    }
+
+  }
+
   int         pipefd[2];
   struct stat st;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-28 11:27:41 +0000