diff options
Diffstat (limited to 'include/afl-fuzz.h')
| -rw-r--r-- | include/afl-fuzz.h | 392 |
1 files changed, 197 insertions, 195 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c773d085..9ef888d9 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -109,8 +109,8 @@ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; -extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; - +extern s32 + interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; struct queue_entry { @@ -233,7 +233,7 @@ enum { }; -extern u8 *doc_path; /* gath to documentation dir */ +extern u8* doc_path; /* gath to documentation dir */ /* Python stuff */ #ifdef USE_PYTHON @@ -263,7 +263,6 @@ extern u8 *doc_path; /* gath to documentation dir */ #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE #endif - enum { /* 00 */ PY_FUNC_INIT, @@ -284,18 +283,18 @@ enum { typedef struct MOpt_globals { - u64* finds; - u64* finds_v2; - u64* cycles; - u64* cycles_v2; - u64* cycles_v3; - u32 is_pilot_mode; - u64* pTime; - u64 period; - char* havoc_stagename; - char* splice_stageformat; - char* havoc_stagenameshort; - char* splice_stagenameshort; + u64* finds; + u64* finds_v2; + u64* cycles; + u64* cycles_v2; + u64* cycles_v3; + u32 is_pilot_mode; + u64* pTime; + u64 period; + char* havoc_stagename; + char* splice_stageformat; + char* havoc_stagenameshort; + char* splice_stagenameshort; } MOpt_globals_t; @@ -307,9 +306,9 @@ typedef struct afl_state { u32 _id; afl_forkserver_t fsrv; - sharedmem_t shm; + sharedmem_t shm; - char** argv; /* argv if needed */ + char** argv; /* argv if needed */ /* MOpt: Lots of globals, but mostly for the status UI and other things where it @@ -346,171 +345,170 @@ typedef struct afl_state { core_operator_finds_puppet_v2[operator_num], core_operator_cycles_puppet[operator_num], core_operator_cycles_puppet_v2[operator_num], - core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */ + core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */ double period_pilot_tmp; s32 key_lv; - u8 *in_dir, /* Input directory with test cases */ - *out_dir, /* Working & output directory */ - *tmp_dir, /* Temporary directory for input */ - *sync_dir, /* Synchronization directory */ - *sync_id, /* Fuzzer ID */ - *power_name, /* Power schedule name */ - *use_banner, /* Display banner */ - *in_bitmap, /* Input bitmap */ - *file_extension, /* File extension */ - *orig_cmdline, /* Original command line */ - *infoexec; /* Command to execute on a new crash */ - - u32 hang_tmout; /* Timeout used for hang det (ms) */ - - u8 cal_cycles, /* Calibration cycles defaults */ - cal_cycles_long, /* Calibration cycles defaults */ - no_unlink, /* do not unlink cur_input */ - debug, /* Debug mode */ - custom_only, /* Custom mutator only mode */ - python_only; /* Python-only mode */ - - u32 stats_update_freq; /* Stats update frequency (execs) */ - - u8 schedule; /* Power schedule (default: EXPLORE)*/ + u8 *in_dir, /* Input directory with test cases */ + *out_dir, /* Working & output directory */ + *tmp_dir, /* Temporary directory for input */ + *sync_dir, /* Synchronization directory */ + *sync_id, /* Fuzzer ID */ + *power_name, /* Power schedule name */ + *use_banner, /* Display banner */ + *in_bitmap, /* Input bitmap */ + *file_extension, /* File extension */ + *orig_cmdline, /* Original command line */ + *infoexec; /* Command to execute on a new crash */ + + u32 hang_tmout; /* Timeout used for hang det (ms) */ + + u8 cal_cycles, /* Calibration cycles defaults */ + cal_cycles_long, /* Calibration cycles defaults */ + no_unlink, /* do not unlink cur_input */ + debug, /* Debug mode */ + custom_only, /* Custom mutator only mode */ + python_only; /* Python-only mode */ + + u32 stats_update_freq; /* Stats update frequency (execs) */ + + u8 schedule; /* Power schedule (default: EXPLORE)*/ u8 havoc_max_mult; u8 use_radamsa; size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32); - u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ - use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ - score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ - resuming_fuzz, /* Resuming an older fuzzing job? */ - timeout_given, /* Specific timeout given? */ - not_on_tty, /* stdout is not a tty */ - term_too_small, /* terminal dimensions too small */ - no_forkserver, /* Disable forkserver? */ - crash_mode, /* Crash mode! Yeah! */ - in_place_resume, /* Attempt in-place resume? */ - autoresume, /* Resume if afl->out_dir exists? */ - auto_changed, /* Auto-generated tokens changed? */ - no_cpu_meter_red, /* Feng shui on the status screen */ - no_arith, /* Skip most arithmetic ops */ - shuffle_queue, /* Shuffle input queue? */ - bitmap_changed, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ - unicorn_mode, /* Running in Unicorn mode? */ - use_wine, /* Use WINE with QEMU mode */ - skip_requested, /* Skip request, via SIGUSR1 */ - run_over10m, /* Run time over 10 minutes? */ - persistent_mode, /* Running in persistent mode? */ - deferred_mode, /* Deferred forkserver mode? */ - fixed_seed, /* do not reseed */ - fast_cal, /* Try to calibrate faster? */ - disable_trim; /* Never trim in fuzz_one */ - - u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ - - u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ - - volatile u8 stop_soon, /* Ctrl-C pressed? */ - clear_screen; /* Window resized? */ - - u32 queued_paths, /* Total number of queued testcases */ - queued_variable, /* Testcases with variable behavior */ - queued_at_start, /* Total number of initial inputs */ - queued_discovered, /* Items discovered during this run */ - queued_imported, /* Items imported via -S */ - queued_favored, /* Paths deemed favorable */ - queued_with_cov, /* Paths with new coverage bytes */ - pending_not_fuzzed, /* Queued but not done yet */ - pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ - cur_depth, /* Current path depth */ - max_depth, /* Max path depth */ - useless_at_start, /* Number of useless starting paths */ - var_byte_count, /* Bitmap bytes with var behavior */ - current_entry, /* Current queue entry ID */ - havoc_div; /* Cycle count divisor for havoc */ - - u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ - total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ - slowest_exec_ms, /* Slowest testcase non hang in ms */ - start_time, /* Unix start time (ms) */ - last_path_time, /* Time for most recent path (ms) */ - last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time, /* Time for most recent hang (ms) */ - last_crash_execs, /* Exec counter at last crash */ - queue_cycle, /* Queue round counter */ - cycles_wo_finds, /* Cycles without any new paths */ - trim_execs, /* Execs done to trim input files */ - bytes_trim_in, /* Bytes coming into the trimmer */ - bytes_trim_out, /* Bytes coming outa the trimmer */ - blocks_eff_total, /* Blocks subject to effector maps */ - blocks_eff_select; /* Blocks selected as fuzzable */ - - u32 subseq_tmouts; /* Number of timeouts in a row */ - - u8 *stage_name, /* Name of the current fuzz stage */ - *stage_short, /* Short stage name */ - *syncing_party; /* Currently syncing with... */ - - u8 stage_name_buf64[64]; /* A name buf with len 64 if needed */ - - s32 stage_cur, stage_max; /* Stage progression */ - s32 splicing_with; /* Splicing with which test case? */ - - u32 master_id, master_max; /* Master instance job splitting */ - - u32 syncing_case; /* Syncing with case #... */ - - s32 stage_cur_byte, /* Byte offset of current stage op */ - stage_cur_val; /* Value used for stage op */ - - u8 stage_val_type; /* Value type (STAGE_VAL_*) */ - - u64 stage_finds[32], /* Patterns found per fuzz stage */ - stage_cycles[32]; /* Execs per fuzz stage */ - - #ifndef HAVE_ARC4RANDOM - u32 rand_cnt; /* Random number counter */ - #endif + u8 skip_deterministic, /* Skip deterministic stages? */ + force_deterministic, /* Force deterministic stages? */ + use_splicing, /* Recombine input files? */ + dumb_mode, /* Run in non-instrumented mode? */ + score_changed, /* Scoring for favorites changed? */ + kill_signal, /* Signal that killed the child */ + resuming_fuzz, /* Resuming an older fuzzing job? */ + timeout_given, /* Specific timeout given? */ + not_on_tty, /* stdout is not a tty */ + term_too_small, /* terminal dimensions too small */ + no_forkserver, /* Disable forkserver? */ + crash_mode, /* Crash mode! Yeah! */ + in_place_resume, /* Attempt in-place resume? */ + autoresume, /* Resume if afl->out_dir exists? */ + auto_changed, /* Auto-generated tokens changed? */ + no_cpu_meter_red, /* Feng shui on the status screen */ + no_arith, /* Skip most arithmetic ops */ + shuffle_queue, /* Shuffle input queue? */ + bitmap_changed, /* Time to update bitmap? */ + qemu_mode, /* Running in QEMU mode? */ + unicorn_mode, /* Running in Unicorn mode? */ + use_wine, /* Use WINE with QEMU mode */ + skip_requested, /* Skip request, via SIGUSR1 */ + run_over10m, /* Run time over 10 minutes? */ + persistent_mode, /* Running in persistent mode? */ + deferred_mode, /* Deferred forkserver mode? */ + fixed_seed, /* do not reseed */ + fast_cal, /* Try to calibrate faster? */ + disable_trim; /* Never trim in fuzz_one */ + + u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ + virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ + virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + + u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + + volatile u8 stop_soon, /* Ctrl-C pressed? */ + clear_screen; /* Window resized? */ + + u32 queued_paths, /* Total number of queued testcases */ + queued_variable, /* Testcases with variable behavior */ + queued_at_start, /* Total number of initial inputs */ + queued_discovered, /* Items discovered during this run */ + queued_imported, /* Items imported via -S */ + queued_favored, /* Paths deemed favorable */ + queued_with_cov, /* Paths with new coverage bytes */ + pending_not_fuzzed, /* Queued but not done yet */ + pending_favored, /* Pending favored paths */ + cur_skipped_paths, /* Abandoned inputs in cur cycle */ + cur_depth, /* Current path depth */ + max_depth, /* Max path depth */ + useless_at_start, /* Number of useless starting paths */ + var_byte_count, /* Bitmap bytes with var behavior */ + current_entry, /* Current queue entry ID */ + havoc_div; /* Cycle count divisor for havoc */ + + u64 total_crashes, /* Total number of crashes */ + unique_crashes, /* Crashes with unique signatures */ + total_tmouts, /* Total number of timeouts */ + unique_tmouts, /* Timeouts with unique signatures */ + unique_hangs, /* Hangs with unique signatures */ + total_execs, /* Total execve() calls */ + slowest_exec_ms, /* Slowest testcase non hang in ms */ + start_time, /* Unix start time (ms) */ + last_path_time, /* Time for most recent path (ms) */ + last_crash_time, /* Time for most recent crash (ms) */ + last_hang_time, /* Time for most recent hang (ms) */ + last_crash_execs, /* Exec counter at last crash */ + queue_cycle, /* Queue round counter */ + cycles_wo_finds, /* Cycles without any new paths */ + trim_execs, /* Execs done to trim input files */ + bytes_trim_in, /* Bytes coming into the trimmer */ + bytes_trim_out, /* Bytes coming outa the trimmer */ + blocks_eff_total, /* Blocks subject to effector maps */ + blocks_eff_select; /* Blocks selected as fuzzable */ + + u32 subseq_tmouts; /* Number of timeouts in a row */ + + u8 *stage_name, /* Name of the current fuzz stage */ + *stage_short, /* Short stage name */ + *syncing_party; /* Currently syncing with... */ + + u8 stage_name_buf64[64]; /* A name buf with len 64 if needed */ + + s32 stage_cur, stage_max; /* Stage progression */ + s32 splicing_with; /* Splicing with which test case? */ + + u32 master_id, master_max; /* Master instance job splitting */ + + u32 syncing_case; /* Syncing with case #... */ + + s32 stage_cur_byte, /* Byte offset of current stage op */ + stage_cur_val; /* Value used for stage op */ + + u8 stage_val_type; /* Value type (STAGE_VAL_*) */ + + u64 stage_finds[32], /* Patterns found per fuzz stage */ + stage_cycles[32]; /* Execs per fuzz stage */ + +#ifndef HAVE_ARC4RANDOM + u32 rand_cnt; /* Random number counter */ +#endif u32 rand_seed[2]; s64 init_seed; - u64 total_cal_us, /* Total calibration time (us) */ - total_cal_cycles; /* Total calibration cycles */ + u64 total_cal_us, /* Total calibration time (us) */ + total_cal_cycles; /* Total calibration cycles */ - u64 total_bitmap_size, /* Total bit count for all bitmaps */ - total_bitmap_entries; /* Number of bitmaps counted */ + u64 total_bitmap_size, /* Total bit count for all bitmaps */ + total_bitmap_entries; /* Number of bitmaps counted */ - s32 cpu_core_count; /* CPU core count */ + s32 cpu_core_count; /* CPU core count */ #ifdef HAVE_AFFINITY - s32 cpu_aff; /* Selected CPU core */ -#endif /* HAVE_AFFINITY */ + s32 cpu_aff; /* Selected CPU core */ +#endif /* HAVE_AFFINITY */ - struct queue_entry *queue, /* Fuzzing queue (linked list) */ - *queue_cur, /* Current offset within the queue */ - *queue_top, /* Top of the list */ - *q_prev100; /* Previous 100 marker */ + struct queue_entry *queue, /* Fuzzing queue (linked list) */ + *queue_cur, /* Current offset within the queue */ + *queue_top, /* Top of the list */ + *q_prev100; /* Previous 100 marker */ - struct queue_entry* - top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + struct queue_entry* top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ - struct extra_data* extras; /* Extra tokens to fuzz with */ - u32 extras_cnt; /* Total number of tokens read */ + struct extra_data* extras; /* Extra tokens to fuzz with */ + u32 extras_cnt; /* Total number of tokens read */ - struct extra_data* a_extras; /* Automatically selected extras */ - u32 a_extras_cnt; /* Total number of tokens available */ + struct extra_data* a_extras; /* Automatically selected extras */ + u32 a_extras_cnt; /* Total number of tokens available */ u8* (*post_handler)(u8* buf, u32* len); @@ -525,12 +523,13 @@ typedef struct afl_state { /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; - u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ + u8 describe_op_buf_256[256]; /* describe_op will use this to return a string + up to 256 */ #ifdef USE_PYTHON /* Python Mutators */ - PyObject *py_module; - PyObject *py_functions[PY_FUNC_COUNT]; + PyObject* py_module; + PyObject* py_functions[PY_FUNC_COUNT]; #endif #ifdef _AFL_DOCUMENT_MUTATIONS @@ -540,7 +539,8 @@ typedef struct afl_state { } afl_state_t; -/* A global pointer to all instances is needed (for now) for signals to arrive */ +/* A global pointer to all instances is needed (for now) for signals to arrive + */ extern list_t afl_states; @@ -558,7 +558,7 @@ struct custom_mutator { * * @param seed Seed used for the mutation. */ - void (*afl_custom_init)(afl_state_t *afl, unsigned int seed); + void (*afl_custom_init)(afl_state_t* afl, unsigned int seed); /** * Perform custom mutations on a given input @@ -574,8 +574,8 @@ struct custom_mutator { * not produce data larger than max_size. * @return Size of the mutated output. */ - size_t (*afl_custom_fuzz)(afl_state_t *afl, u8** buf, size_t buf_size, u8* add_buf, - size_t add_buf_size, size_t max_size); + size_t (*afl_custom_fuzz)(afl_state_t* afl, u8** buf, size_t buf_size, + u8* add_buf, size_t add_buf_size, size_t max_size); /** * A post-processing function to use right before AFL writes the test case to @@ -591,7 +591,8 @@ struct custom_mutator { * will release the memory after saving the test case. * @return Size of the output buffer after processing */ - size_t (*afl_custom_pre_save)(afl_state_t *afl, u8* buf, size_t buf_size, u8** out_buf); + size_t (*afl_custom_pre_save)(afl_state_t* afl, u8* buf, size_t buf_size, + u8** out_buf); /** * This method is called at the start of each trimming operation and receives @@ -613,7 +614,7 @@ struct custom_mutator { * @param buf_size Size of the test case * @return The amount of possible iteration steps to trim the input */ - u32 (*afl_custom_init_trim)(afl_state_t *afl, u8* buf, size_t buf_size); + u32 (*afl_custom_init_trim)(afl_state_t* afl, u8* buf, size_t buf_size); /** * This method is called for each trimming operation. It doesn't have any @@ -631,7 +632,7 @@ struct custom_mutator { * the memory after saving the test case. * @param[out] out_buf_size Pointer to the size of the trimmed test case */ - void (*afl_custom_trim)(afl_state_t *afl, u8** out_buf, size_t* out_buf_size); + void (*afl_custom_trim)(afl_state_t* afl, u8** out_buf, size_t* out_buf_size); /** * This method is called after each trim operation to inform you if your @@ -644,8 +645,8 @@ struct custom_mutator { * @return The next trim iteration index (from 0 to the maximum amount of * steps returned in init_trim) */ - u32 (*afl_custom_post_trim)(afl_state_t *afl, u8 success); - + u32 (*afl_custom_post_trim)(afl_state_t* afl, u8 success); + /** * Perform a single custom mutation on a given input. * This mutation is stacked with the other muatations in havoc. @@ -659,8 +660,9 @@ struct custom_mutator { * not produce data larger than max_size. * @return Size of the mutated output. */ - size_t (*afl_custom_havoc_mutation)(afl_state_t *afl, u8** buf, size_t buf_size, size_t max_size); - + size_t (*afl_custom_havoc_mutation)(afl_state_t* afl, u8** buf, + size_t buf_size, size_t max_size); + /** * Return the probability (in percentage) that afl_custom_havoc_mutation * is called in havoc. By default it is 6 %. @@ -669,7 +671,7 @@ struct custom_mutator { * * @return The probability (0-100). */ - u8 (*afl_custom_havoc_mutation_probability)(afl_state_t *afl); + u8 (*afl_custom_havoc_mutation_probability)(afl_state_t* afl); /** * Determine whether the fuzzer should fuzz the current queue entry or not. @@ -680,7 +682,7 @@ struct custom_mutator { * @return Return True(1) if the fuzzer will fuzz the queue entry, and * False(0) otherwise. */ - u8 (*afl_custom_queue_get)(afl_state_t *afl, const u8* filename); + u8 (*afl_custom_queue_get)(afl_state_t* afl, const u8* filename); /** * Allow for additional analysis (e.g. calling a different tool that does a @@ -692,14 +694,13 @@ struct custom_mutator { * @param filename_orig_queue File name of the original queue entry. This * argument can be NULL while initializing the fuzzer */ - void (*afl_custom_queue_new_entry)(afl_state_t *afl, const u8* filename_new_queue, - const u8* filename_orig_queue); + void (*afl_custom_queue_new_entry)(afl_state_t* afl, + const u8* filename_new_queue, + const u8* filename_orig_queue); }; - - -void afl_state_init(afl_state_t *); +void afl_state_init(afl_state_t*); void afl_state_deinit(afl_state_t*); /**** Prototypes ****/ @@ -707,13 +708,13 @@ void afl_state_deinit(afl_state_t*); /* Custom mutators */ void setup_custom_mutator(afl_state_t*); void destroy_custom_mutator(afl_state_t*); -u8 trim_case_custom(afl_state_t *, struct queue_entry* q, u8* in_buf); +u8 trim_case_custom(afl_state_t*, struct queue_entry* q, u8* in_buf); /* Python */ #ifdef USE_PYTHON -int init_py_module(afl_state_t*, u8*); -void finalize_py_module(afl_state_t*); +int init_py_module(afl_state_t*, u8*); +void finalize_py_module(afl_state_t*); void init_py(afl_state_t*, unsigned int); size_t fuzz_py(afl_state_t*, u8**, size_t, u8*, size_t, size_t); @@ -721,7 +722,7 @@ size_t pre_save_py(afl_state_t*, u8*, size_t, u8**); u32 init_trim_py(afl_state_t*, u8*, size_t); u32 post_trim_py(afl_state_t*, u8); void trim_py(afl_state_t*, u8**, size_t*); -size_t havoc_mutation_py(afl_state_t *, u8**, size_t, size_t); +size_t havoc_mutation_py(afl_state_t*, u8**, size_t, size_t); u8 havoc_mutation_probability_py(afl_state_t*); u8 queue_get_py(afl_state_t*, const u8*); void queue_new_entry_py(afl_state_t*, const u8*, const u8*); @@ -759,7 +760,7 @@ void minimize_bits(u8*, u8*); u8* describe_op(afl_state_t*, u8); #endif u8 save_if_interesting(afl_state_t*, void*, u32, u8); -u8 has_new_bits(afl_state_t *, u8*); +u8 has_new_bits(afl_state_t*, u8*); /* Misc */ @@ -830,11 +831,11 @@ void save_cmdline(afl_state_t*, u32, char**); /* CmpLog */ -void init_cmplog_forkserver(afl_state_t *afl); -u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); +void init_cmplog_forkserver(afl_state_t* afl); +u8 common_fuzz_cmplog_stuff(afl_state_t* afl, u8* out_buf, u32 len); /* RedQueen */ -u8 input_to_state_stage(afl_state_t *afl, u8* orig_buf, u8* buf, u32 len, +u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len, u32 exec_cksum); /**** Inline routines ****/ @@ -842,7 +843,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8* orig_buf, u8* buf, u32 len, /* Generate a random number (from 0 to limit - 1). This may have slight bias. */ -static inline u32 UR(afl_state_t *afl, u32 limit) { +static inline u32 UR(afl_state_t* afl, u32 limit) { #ifdef HAVE_ARC4RANDOM if (afl->fixed_seed) { return random() % limit; } @@ -853,7 +854,8 @@ static inline u32 UR(afl_state_t *afl, u32 limit) { #else if (!afl->fixed_seed && unlikely(!afl->rand_cnt--)) { - ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed), "/dev/urandom"); + ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed), + "/dev/urandom"); srandom(afl->rand_seed[0]); afl->rand_cnt = (RESEED_RNG / 2) + (afl->rand_seed[1] % RESEED_RNG); @@ -864,7 +866,7 @@ static inline u32 UR(afl_state_t *afl, u32 limit) { } -static inline u32 get_rand_seed(afl_state_t *afl) { +static inline u32 get_rand_seed(afl_state_t* afl) { if (afl->fixed_seed) return (u32)afl->init_seed; return afl->rand_seed[0]; @@ -883,4 +885,4 @@ static u64 next_p2(u64 val) { } -#endif \ No newline at end of file +#endif |