path: root/docs/env_variables.md
Diffstat (limited to 'docs/env_variables.md')
-rw-r--r--  docs/env_variables.md  37
1 files changed, 28 insertions, 9 deletions
diff --git a/docs/env_variables.md b/docs/env_variables.md
index eebbcbda..8c2d5848 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -331,7 +331,26 @@ mode.
     the target performs only a few loops, then this will give a small
     performance boost.
 
-## 4) Settings for afl-fuzz
+## 4) Runtime settings
+
+The following environment variables are for a compiled AFL++ target.
+
+  - Setting `AFL_DUMP_MAP_SIZE` when executing the target directly will
+    dump the map size of the target and exit.
+
+  - Setting `AFL_OLD_FORKSERVER` will use the old AFL vanilla forkserver.
+    This makes only sense when you
+      a) compile in a classic colliding coverage mode (e.g.
+         AFL_LLVM_INSTRUMENT=CLASSIC) or if the map size of the target is
+         below MAP_SIZE (65536 by default), AND
+      b) you want to use this compiled AFL++ target with a different tool
+         that expects vanilla AFL behaviour, e.g. symcc, symqemu, nautilus, etc.
+    You would use this option together with the target fuzzing application.
+
+  - Setting `AFL_DISABLE_LLVM_INSTRUMENTATION` will disable collecting
+    instrumentation. (More of an internal option.)
+
+## 5) Settings for afl-fuzz
 
 The main fuzzer binary accepts several options that disable a couple of sanity
 checks or alter some of the more exotic semantics of the tool:
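Review bot: the a)/b) conditions in the new `AFL_OLD_FORKSERVER` bullet are indented six spaces under a four-space list body, so Markdown will not render them as a nested list; make them `-` sub-bullets, and change "This makes only sense when you" to "This only makes sense when you". The closing line "You would use this option together with the target fuzzing application." does not say where the variable must be set; state explicitly that it is set when running the compiled target under the third-party tool, not when compiling it. The `AFL_DISABLE_LLVM_INSTRUMENTATION` entry says only "(More of an internal option.)"; either describe what disabling instrumentation collection means for coverage or leave it out of the user-facing list.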
@@ -642,7 +661,7 @@ checks or alter some of the more exotic semantics of the tool:
     Note that will not be exact and with slow targets it can take seconds
     until there is a slice for the time test.
 
-## 5) Settings for afl-qemu-trace
+## 6) Settings for afl-qemu-trace
 
 The QEMU wrapper used to instrument binary-only code supports several settings:
 
@@ -714,7 +733,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
     crash is found. Setting `AFL_NO_CRASH_README` will prevent this. Useful when
     counting crashes based on a file count in that directory.
 
-## 7) Settings for afl-frida-trace
+## 8) Settings for afl-frida-trace
 
 The FRIDA wrapper used to instrument binary-only code supports many of the same
 options as `afl-qemu-trace`, but also has a number of additional advanced
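Review bot: the renumbering jumps from `## 6) Settings for afl-qemu-trace` in the previous hunk to `## 8) Settings for afl-frida-trace` here, and no hunk in this patch touches a `## 7)` heading; if the lines between these two hunks still contain a heading numbered 6), it needs to become 7) in this change, otherwise the gap at 7 should be closed so the sections run consecutively.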
@@ -804,7 +823,7 @@ support.
   dump you must set a sufficient timeout (using `-t`) to avoid `afl-fuzz`
   killing the process whilst it is being dumped.
 
-## 8) Settings for afl-cmin
+## 9) Settings for afl-cmin
 
 The corpus minimization script offers very little customization:
 
@@ -822,7 +841,7 @@ The corpus minimization script offers very little customization:
   - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
     This can help when embedding `afl-cmin` or `afl-showmap` in other scripts.
 
-## 9) Settings for afl-tmin
+## 10) Settings for afl-tmin
 
 Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be
 searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a
@@ -833,12 +852,12 @@ to match when minimizing crashes. This will make minimization less useful, but
 may prevent the tool from "jumping" from one crashing condition to another in
 very buggy software. You probably want to combine it with the `-e` flag.
 
-## 10) Settings for afl-analyze
+## 11) Settings for afl-analyze
 
 You can set `AFL_ANALYZE_HEX` to get file offsets printed as hexadecimal instead
 of decimal.
 
-## 11) Settings for libdislocator
+## 12) Settings for libdislocator
 
 The library honors these environment variables:
 
@@ -860,12 +879,12 @@ The library honors these environment variables:
   - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that
     may be useful for pinpointing the cause of any observed issues.
 
-## 11) Settings for libtokencap
+## 13) Settings for libtokencap
 
 This library accepts `AFL_TOKEN_FILE` to indicate the location to which the
 discovered tokens should be written.
 
-## 12) Third-party variables set by afl-fuzz & other tools
+## 14) Third-party variables set by afl-fuzz & other tools
 
 Several variables are not directly interpreted by afl-fuzz, but are set to
 optimal values if not already present in the environment: