diff options
Diffstat (limited to 'include')
| -rw-r--r-- | include/afl-as.h | 95 | ||||
| -rw-r--r-- | include/afl-fuzz.h | 545 | ||||
| -rw-r--r-- | include/alloc-inl.h | 225 | ||||
| -rw-r--r-- | include/android-ashmem.h | 87 | ||||
| -rw-r--r-- | include/common.h | 1 | ||||
| -rw-r--r-- | include/config.h | 214 | ||||
| -rw-r--r-- | include/debug.h | 180 | ||||
| -rw-r--r-- | include/forkserver.h | 18 | ||||
| -rw-r--r-- | include/hash.h | 25 | ||||
| -rw-r--r-- | include/sharedmem.h | 1 | ||||
| -rw-r--r-- | include/types.h | 43 |
11 files changed, 737 insertions, 697 deletions
diff --git a/include/afl-as.h b/include/afl-as.h index 4748eda7..4f8fb640 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -37,7 +37,7 @@ #include "config.h" #include "types.h" -/* +/* ------------------ Performances notes ------------------ @@ -106,47 +106,47 @@ static const u8* trampoline_fmt_32 = - "\n" - "/* --- AFL TRAMPOLINE (32-BIT) --- */\n" - "\n" - ".align 4\n" - "\n" - "leal -16(%%esp), %%esp\n" - "movl %%edi, 0(%%esp)\n" - "movl %%edx, 4(%%esp)\n" - "movl %%ecx, 8(%%esp)\n" - "movl %%eax, 12(%%esp)\n" - "movl $0x%08x, %%ecx\n" - "call __afl_maybe_log\n" - "movl 12(%%esp), %%eax\n" - "movl 8(%%esp), %%ecx\n" - "movl 4(%%esp), %%edx\n" - "movl 0(%%esp), %%edi\n" - "leal 16(%%esp), %%esp\n" - "\n" - "/* --- END --- */\n" - "\n"; + "\n" + "/* --- AFL TRAMPOLINE (32-BIT) --- */\n" + "\n" + ".align 4\n" + "\n" + "leal -16(%%esp), %%esp\n" + "movl %%edi, 0(%%esp)\n" + "movl %%edx, 4(%%esp)\n" + "movl %%ecx, 8(%%esp)\n" + "movl %%eax, 12(%%esp)\n" + "movl $0x%08x, %%ecx\n" + "call __afl_maybe_log\n" + "movl 12(%%esp), %%eax\n" + "movl 8(%%esp), %%ecx\n" + "movl 4(%%esp), %%edx\n" + "movl 0(%%esp), %%edi\n" + "leal 16(%%esp), %%esp\n" + "\n" + "/* --- END --- */\n" + "\n"; static const u8* trampoline_fmt_64 = - "\n" - "/* --- AFL TRAMPOLINE (64-BIT) --- */\n" - "\n" - ".align 4\n" - "\n" - "leaq -(128+24)(%%rsp), %%rsp\n" - "movq %%rdx, 0(%%rsp)\n" - "movq %%rcx, 8(%%rsp)\n" - "movq %%rax, 16(%%rsp)\n" - "movq $0x%08x, %%rcx\n" - "call __afl_maybe_log\n" - "movq 16(%%rsp), %%rax\n" - "movq 8(%%rsp), %%rcx\n" - "movq 0(%%rsp), %%rdx\n" - "leaq (128+24)(%%rsp), %%rsp\n" - "\n" - "/* --- END --- */\n" - "\n"; + "\n" + "/* --- AFL TRAMPOLINE (64-BIT) --- */\n" + "\n" + ".align 4\n" + "\n" + "leaq -(128+24)(%%rsp), %%rsp\n" + "movq %%rdx, 0(%%rsp)\n" + "movq %%rcx, 8(%%rsp)\n" + "movq %%rax, 16(%%rsp)\n" + "movq $0x%08x, %%rcx\n" + "call __afl_maybe_log\n" + "movq 16(%%rsp), %%rax\n" + "movq 8(%%rsp), %%rcx\n" + "movq 0(%%rsp), %%rdx\n" + "leaq (128+24)(%%rsp), %%rsp\n" + "\n" + "/* --- END --- */\n" + "\n"; static const u8* main_payload_32 = @@ -398,9 +398,9 @@ static const u8* main_payload_32 = recognize .string. */ #ifdef __APPLE__ -# define CALL_L64(str) "call _" str "\n" +# define CALL_L64(str) "call _" str "\n" #else -# define CALL_L64(str) "call " str "@PLT\n" +# define CALL_L64(str) "call " str "@PLT\n" #endif /* ^__APPLE__ */ static const u8* main_payload_64 = @@ -415,7 +415,7 @@ static const u8* main_payload_64 = "\n" "__afl_maybe_log:\n" "\n" -#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) " .byte 0x9f /* lahf */\n" #else " lahf\n" @@ -448,7 +448,7 @@ static const u8* main_payload_64 = "__afl_return:\n" "\n" " addb $127, %al\n" -#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) " .byte 0x9e /* sahf */\n" #else " sahf\n" @@ -737,9 +737,9 @@ static const u8* main_payload_64 = #ifdef __APPLE__ " .comm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY +# ifndef COVERAGE_ONLY " .comm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ +# endif /* !COVERAGE_ONLY */ " .comm __afl_fork_pid, 4\n" " .comm __afl_temp, 4\n" " .comm __afl_setup_failure, 1\n" @@ -747,9 +747,9 @@ static const u8* main_payload_64 = #else " .lcomm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY +# ifndef COVERAGE_ONLY " .lcomm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ +# endif /* !COVERAGE_ONLY */ " .lcomm __afl_fork_pid, 4\n" " .lcomm __afl_temp, 4\n" " .lcomm __afl_setup_failure, 1\n" @@ -765,3 +765,4 @@ static const u8* main_payload_64 = "\n"; #endif /* !_HAVE_AFL_AS_H */ + diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index ca22ef75..3e121851 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -27,12 +27,12 @@ #define MESSAGES_TO_STDOUT #ifndef _GNU_SOURCE -#define _GNU_SOURCE +# define _GNU_SOURCE #endif #define _FILE_OFFSET_BITS 64 #ifdef __ANDROID__ - #include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" @@ -68,7 +68,7 @@ #include <sys/ioctl.h> #include <sys/file.h> -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) +#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) # include <sys/sysctl.h> # define HAVE_ARC4RANDOM 1 #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ @@ -88,45 +88,47 @@ struct queue_entry { - u8* fname; /* File name for the test case */ - u32 len; /* Input length */ + u8* fname; /* File name for the test case */ + u32 len; /* Input length */ - u8 cal_failed, /* Calibration failed? */ - trim_done, /* Trimmed? */ - was_fuzzed, /* historical, but needed for MOpt */ - passed_det, /* Deterministic stages passed? */ - has_new_cov, /* Triggers new coverage? */ - var_behavior, /* Variable behavior? */ - favored, /* Currently favored? */ - fs_redundant; /* Marked as redundant in the fs? */ + u8 cal_failed, /* Calibration failed? */ + trim_done, /* Trimmed? */ + was_fuzzed, /* historical, but needed for MOpt */ + passed_det, /* Deterministic stages passed? */ + has_new_cov, /* Triggers new coverage? */ + var_behavior, /* Variable behavior? */ + favored, /* Currently favored? */ + fs_redundant; /* Marked as redundant in the fs? */ - u32 bitmap_size, /* Number of bits set in bitmap */ - fuzz_level, /* Number of fuzzing iterations */ - exec_cksum; /* Checksum of the execution trace */ + u32 bitmap_size, /* Number of bits set in bitmap */ + fuzz_level, /* Number of fuzzing iterations */ + exec_cksum; /* Checksum of the execution trace */ - u64 exec_us, /* Execution time (us) */ - handicap, /* Number of queue cycles behind */ - n_fuzz, /* Number of fuzz, does not overflow */ - depth; /* Path depth */ + u64 exec_us, /* Execution time (us) */ + handicap, /* Number of queue cycles behind */ + n_fuzz, /* Number of fuzz, does not overflow */ + depth; /* Path depth */ - u8* trace_mini; /* Trace bytes, if kept */ - u32 tc_ref; /* Trace bytes ref count */ + u8* trace_mini; /* Trace bytes, if kept */ + u32 tc_ref; /* Trace bytes ref count */ - struct queue_entry *next, /* Next element, if any */ - *next_100; /* 100 elements ahead */ + struct queue_entry *next, /* Next element, if any */ + *next_100; /* 100 elements ahead */ }; struct extra_data { - u8* data; /* Dictionary token data */ - u32 len; /* Dictionary token length */ - u32 hit_cnt; /* Use count in the corpus */ -}; + u8* data; /* Dictionary token data */ + u32 len; /* Dictionary token length */ + u32 hit_cnt; /* Use count in the corpus */ + +}; /* Fuzzing stages */ enum { + /* 00 */ STAGE_FLIP1, /* 01 */ STAGE_FLIP2, /* 02 */ STAGE_FLIP4, @@ -146,72 +148,60 @@ enum { /* 16 */ STAGE_SPLICE, /* 17 */ STAGE_PYTHON, /* 18 */ STAGE_CUSTOM_MUTATOR + }; /* Stage value types */ enum { + /* 00 */ STAGE_VAL_NONE, /* 01 */ STAGE_VAL_LE, /* 02 */ STAGE_VAL_BE + }; /* Execution status fault codes */ enum { + /* 00 */ FAULT_NONE, /* 01 */ FAULT_TMOUT, /* 02 */ FAULT_CRASH, /* 03 */ FAULT_ERROR, /* 04 */ FAULT_NOINST, /* 05 */ FAULT_NOBITS -}; +}; /* MOpt: Lots of globals, but mostly for the status UI and other things where it really makes no sense to haul them around as function parameters. */ -extern u64 limit_time_puppet, - orig_hit_cnt_puppet, - last_limit_time_start, - tmp_pilot_time, - total_pacemaker_time, - total_puppet_find, - temp_puppet_find, - most_time_key, - most_time, - most_execs_key, - most_execs, - old_hit_count; - -extern s32 SPLICE_CYCLES_puppet, - limit_time_sig, - key_puppet, - key_module; - -extern double w_init, - w_end, - w_now; +extern u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start, + tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find, + most_time_key, most_time, most_execs_key, most_execs, old_hit_count; + +extern s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module; + +extern double w_init, w_end, w_now; extern s32 g_now; extern s32 g_max; #define operator_num 16 #define swarm_num 5 -#define period_core 500000 +#define period_core 500000 extern u64 tmp_core_time; extern s32 swarm_now; -extern double x_now[swarm_num][operator_num], - L_best[swarm_num][operator_num], - eff_best[swarm_num][operator_num], - G_best[operator_num], - v_now[swarm_num][operator_num], - probability_now[swarm_num][operator_num], - swarm_fitness[swarm_num]; +extern double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num], + eff_best[swarm_num][operator_num], G_best[operator_num], + v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num], + swarm_fitness[swarm_num]; -extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per fuzz stage */ +extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per + fuzz stage */ stage_finds_puppet_v2[swarm_num][operator_num], stage_cycles_puppet_v2[swarm_num][operator_num], stage_cycles_puppet_v3[swarm_num][operator_num], @@ -221,9 +211,9 @@ extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns fo core_operator_finds_puppet_v2[operator_num], core_operator_cycles_puppet[operator_num], core_operator_cycles_puppet_v2[operator_num], - core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */ + core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */ -#define RAND_C (rand()%1000*0.001) +#define RAND_C (rand() % 1000 * 0.001) #define v_max 1 #define v_min 0.05 #define limit_time_bound 1.1 @@ -236,225 +226,228 @@ extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns fo #define period_pilot 50000 extern double period_pilot_tmp; -extern s32 key_lv; - -extern u8 *in_dir, /* Input directory with test cases */ - *out_dir, /* Working & output directory */ - *tmp_dir , /* Temporary directory for input */ - *sync_dir, /* Synchronization directory */ - *sync_id, /* Fuzzer ID */ - *power_name, /* Power schedule name */ - *use_banner, /* Display banner */ - *in_bitmap, /* Input bitmap */ - *file_extension, /* File extension */ - *orig_cmdline; /* Original command line */ -extern u8 *doc_path, /* Path to documentation dir */ - *target_path, /* Path to target binary */ - *out_file; /* File to fuzz, if any */ - -extern u32 exec_tmout; /* Configurable exec timeout (ms) */ -extern u32 hang_tmout; /* Timeout used for hang det (ms) */ - -extern u64 mem_limit; /* Memory cap for child (MB) */ - -extern u8 cal_cycles, /* Calibration cycles defaults */ - cal_cycles_long, - debug, /* Debug mode */ - python_only; /* Python-only mode */ - -extern u32 stats_update_freq; /* Stats update frequency (execs) */ +extern s32 key_lv; + +extern u8 *in_dir, /* Input directory with test cases */ + *out_dir, /* Working & output directory */ + *tmp_dir, /* Temporary directory for input */ + *sync_dir, /* Synchronization directory */ + *sync_id, /* Fuzzer ID */ + *power_name, /* Power schedule name */ + *use_banner, /* Display banner */ + *in_bitmap, /* Input bitmap */ + *file_extension, /* File extension */ + *orig_cmdline; /* Original command line */ +extern u8 *doc_path, /* Path to documentation dir */ + *target_path, /* Path to target binary */ + *out_file; /* File to fuzz, if any */ + +extern u32 exec_tmout; /* Configurable exec timeout (ms) */ +extern u32 hang_tmout; /* Timeout used for hang det (ms) */ + +extern u64 mem_limit; /* Memory cap for child (MB) */ + +extern u8 cal_cycles, /* Calibration cycles defaults */ + cal_cycles_long, debug, /* Debug mode */ + python_only; /* Python-only mode */ + +extern u32 stats_update_freq; /* Stats update frequency (execs) */ enum { - /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */ - /* 01 */ FAST, /* Exponential schedule */ - /* 02 */ COE, /* Cut-Off Exponential schedule */ - /* 03 */ LIN, /* Linear schedule */ - /* 04 */ QUAD, /* Quadratic schedule */ - /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */ - + + /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */ + /* 01 */ FAST, /* Exponential schedule */ + /* 02 */ COE, /* Cut-Off Exponential schedule */ + /* 03 */ LIN, /* Linear schedule */ + /* 04 */ QUAD, /* Quadratic schedule */ + /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */ + POWER_SCHEDULES_NUM + }; -extern char *power_names[POWER_SCHEDULES_NUM]; +extern char* power_names[POWER_SCHEDULES_NUM]; -extern u8 schedule; /* Power schedule (default: EXPLORE)*/ +extern u8 schedule; /* Power schedule (default: EXPLORE)*/ extern u8 havoc_max_mult; -extern u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ - use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ - score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ - resuming_fuzz, /* Resuming an older fuzzing job? */ - timeout_given, /* Specific timeout given? */ - not_on_tty, /* stdout is not a tty */ - term_too_small, /* terminal dimensions too small */ - no_forkserver, /* Disable forkserver? */ - crash_mode, /* Crash mode! Yeah! */ - in_place_resume, /* Attempt in-place resume? */ - auto_changed, /* Auto-generated tokens changed? */ - no_cpu_meter_red, /* Feng shui on the status screen */ - no_arith, /* Skip most arithmetic ops */ - shuffle_queue, /* Shuffle input queue? */ - bitmap_changed, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ - unicorn_mode, /* Running in Unicorn mode? */ - skip_requested, /* Skip request, via SIGUSR1 */ - run_over10m, /* Run time over 10 minutes? */ - persistent_mode, /* Running in persistent mode? */ - deferred_mode, /* Deferred forkserver mode? */ - fixed_seed, /* do not reseed */ - fast_cal, /* Try to calibrate faster? */ - uses_asan; /* Target uses ASAN? */ - -extern s32 out_fd, /* Persistent fd for out_file */ +extern u8 skip_deterministic, /* Skip deterministic stages? */ + force_deterministic, /* Force deterministic stages? */ + use_splicing, /* Recombine input files? */ + dumb_mode, /* Run in non-instrumented mode? */ + score_changed, /* Scoring for favorites changed? */ + kill_signal, /* Signal that killed the child */ + resuming_fuzz, /* Resuming an older fuzzing job? */ + timeout_given, /* Specific timeout given? */ + not_on_tty, /* stdout is not a tty */ + term_too_small, /* terminal dimensions too small */ + no_forkserver, /* Disable forkserver? */ + crash_mode, /* Crash mode! Yeah! */ + in_place_resume, /* Attempt in-place resume? */ + auto_changed, /* Auto-generated tokens changed? */ + no_cpu_meter_red, /* Feng shui on the status screen */ + no_arith, /* Skip most arithmetic ops */ + shuffle_queue, /* Shuffle input queue? */ + bitmap_changed, /* Time to update bitmap? */ + qemu_mode, /* Running in QEMU mode? */ + unicorn_mode, /* Running in Unicorn mode? */ + skip_requested, /* Skip request, via SIGUSR1 */ + run_over10m, /* Run time over 10 minutes? */ + persistent_mode, /* Running in persistent mode? */ + deferred_mode, /* Deferred forkserver mode? */ + fixed_seed, /* do not reseed */ + fast_cal, /* Try to calibrate faster? */ + uses_asan; /* Target uses ASAN? */ + +extern s32 out_fd, /* Persistent fd for out_file */ #ifndef HAVE_ARC4RANDOM - dev_urandom_fd, /* Persistent fd for /dev/urandom */ + dev_urandom_fd, /* Persistent fd for /dev/urandom */ #endif - dev_null_fd, /* Persistent fd for /dev/null */ - fsrv_ctl_fd, /* Fork server control pipe (write) */ - fsrv_st_fd; /* Fork server status pipe (read) */ - -extern s32 forksrv_pid, /* PID of the fork server */ - child_pid, /* PID of the fuzzed program */ - out_dir_fd; /* FD of the lock file */ - -extern u8* trace_bits; /* SHM with instrumentation bitmap */ - -extern u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ - -extern u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ - -extern volatile u8 stop_soon, /* Ctrl-C pressed? */ - clear_screen, /* Window resized? */ - child_timed_out; /* Traced process timed out? */ - -extern u32 queued_paths, /* Total number of queued testcases */ - queued_variable, /* Testcases with variable behavior */ - queued_at_start, /* Total number of initial inputs */ - queued_discovered, /* Items discovered during this run */ - queued_imported, /* Items imported via -S */ - queued_favored, /* Paths deemed favorable */ - queued_with_cov, /* Paths with new coverage bytes */ - pending_not_fuzzed, /* Queued but not done yet */ - pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ - cur_depth, /* Current path depth */ - max_depth, /* Max path depth */ - useless_at_start, /* Number of useless starting paths */ - var_byte_count, /* Bitmap bytes with var behavior */ - current_entry, /* Current queue entry ID */ - havoc_div; /* Cycle count divisor for havoc */ - -extern u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ - total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ - slowest_exec_ms, /* Slowest testcase non hang in ms */ - start_time, /* Unix start time (ms) */ - last_path_time, /* Time for most recent path (ms) */ - last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time, /* Time for most recent hang (ms) */ - last_crash_execs, /* Exec counter at last crash */ - queue_cycle, /* Queue round counter */ - cycles_wo_finds, /* Cycles without any new paths */ - trim_execs, /* Execs done to trim input files */ - bytes_trim_in, /* Bytes coming into the trimmer */ - bytes_trim_out, /* Bytes coming outa the trimmer */ - blocks_eff_total, /* Blocks subject to effector maps */ - blocks_eff_select; /* Blocks selected as fuzzable */ - -extern u32 subseq_tmouts; /* Number of timeouts in a row */ - -extern u8 *stage_name, /* Name of the current fuzz stage */ - *stage_short, /* Short stage name */ - *syncing_party; /* Currently syncing with... */ - -extern s32 stage_cur, stage_max; /* Stage progression */ -extern s32 splicing_with; /* Splicing with which test case? */ - -extern u32 master_id, master_max; /* Master instance job splitting */ - -extern u32 syncing_case; /* Syncing with case #... */ - -extern s32 stage_cur_byte, /* Byte offset of current stage op */ - stage_cur_val; /* Value used for stage op */ - -extern u8 stage_val_type; /* Value type (STAGE_VAL_*) */ - -extern u64 stage_finds[32], /* Patterns found per fuzz stage */ - stage_cycles[32]; /* Execs per fuzz stage */ + dev_null_fd, /* Persistent fd for /dev/null */ + fsrv_ctl_fd, /* Fork server control pipe (write) */ + fsrv_st_fd; /* Fork server status pipe (read) */ + +extern s32 forksrv_pid, /* PID of the fork server */ + child_pid, /* PID of the fuzzed program */ + out_dir_fd; /* FD of the lock file */ + +extern u8* trace_bits; /* SHM with instrumentation bitmap */ + +extern u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ + virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ + virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + +extern u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + +extern volatile u8 stop_soon, /* Ctrl-C pressed? */ + clear_screen, /* Window resized? */ + child_timed_out; /* Traced process timed out? */ + +extern u32 queued_paths, /* Total number of queued testcases */ + queued_variable, /* Testcases with variable behavior */ + queued_at_start, /* Total number of initial inputs */ + queued_discovered, /* Items discovered during this run */ + queued_imported, /* Items imported via -S */ + queued_favored, /* Paths deemed favorable */ + queued_with_cov, /* Paths with new coverage bytes */ + pending_not_fuzzed, /* Queued but not done yet */ + pending_favored, /* Pending favored paths */ + cur_skipped_paths, /* Abandoned inputs in cur cycle */ + cur_depth, /* Current path depth */ + max_depth, /* Max path depth */ + useless_at_start, /* Number of useless starting paths */ + var_byte_count, /* Bitmap bytes with var behavior */ + current_entry, /* Current queue entry ID */ + havoc_div; /* Cycle count divisor for havoc */ + +extern u64 total_crashes, /* Total number of crashes */ + unique_crashes, /* Crashes with unique signatures */ + total_tmouts, /* Total number of timeouts */ + unique_tmouts, /* Timeouts with unique signatures */ + unique_hangs, /* Hangs with unique signatures */ + total_execs, /* Total execve() calls */ + slowest_exec_ms, /* Slowest testcase non hang in ms */ + start_time, /* Unix start time (ms) */ + last_path_time, /* Time for most recent path (ms) */ + last_crash_time, /* Time for most recent crash (ms) */ + last_hang_time, /* Time for most recent hang (ms) */ + last_crash_execs, /* Exec counter at last crash */ + queue_cycle, /* Queue round counter */ + cycles_wo_finds, /* Cycles without any new paths */ + trim_execs, /* Execs done to trim input files */ + bytes_trim_in, /* Bytes coming into the trimmer */ + bytes_trim_out, /* Bytes coming outa the trimmer */ + blocks_eff_total, /* Blocks subject to effector maps */ + blocks_eff_select; /* Blocks selected as fuzzable */ + +extern u32 subseq_tmouts; /* Number of timeouts in a row */ + +extern u8 *stage_name, /* Name of the current fuzz stage */ + *stage_short, /* Short stage name */ + *syncing_party; /* Currently syncing with... */ + +extern s32 stage_cur, stage_max; /* Stage progression */ +extern s32 splicing_with; /* Splicing with which test case? */ + +extern u32 master_id, master_max; /* Master instance job splitting */ + +extern u32 syncing_case; /* Syncing with case #... */ + +extern s32 stage_cur_byte, /* Byte offset of current stage op */ + stage_cur_val; /* Value used for stage op */ + +extern u8 stage_val_type; /* Value type (STAGE_VAL_*) */ + +extern u64 stage_finds[32], /* Patterns found per fuzz stage */ + stage_cycles[32]; /* Execs per fuzz stage */ #ifndef HAVE_ARC4RANDOM -extern u32 rand_cnt; /* Random number counter */ +extern u32 rand_cnt; /* Random number counter */ #endif -extern u64 total_cal_us, /* Total calibration time (us) */ - total_cal_cycles; /* Total calibration cycles */ +extern u64 total_cal_us, /* Total calibration time (us) */ + total_cal_cycles; /* Total calibration cycles */ -extern u64 total_bitmap_size, /* Total bit count for all bitmaps */ - total_bitmap_entries; /* Number of bitmaps counted */ +extern u64 total_bitmap_size, /* Total bit count for all bitmaps */ + total_bitmap_entries; /* Number of bitmaps counted */ -extern s32 cpu_core_count; /* CPU core count */ +extern s32 cpu_core_count; /* CPU core count */ #ifdef HAVE_AFFINITY -extern s32 cpu_aff; /* Selected CPU core */ +extern s32 cpu_aff; /* Selected CPU core */ #endif /* HAVE_AFFINITY */ -extern FILE* plot_file; /* Gnuplot output file */ - +extern FILE* plot_file; /* Gnuplot output file */ - -extern struct queue_entry *queue, /* Fuzzing queue (linked list) */ - *queue_cur, /* Current offset within the queue */ - *queue_top, /* Top of the list */ - *q_prev100; /* Previous 100 marker */ +extern struct queue_entry *queue, /* Fuzzing queue (linked list) */ + *queue_cur, /* Current offset within the queue */ + *queue_top, /* Top of the list */ + *q_prev100; /* Previous 100 marker */ extern struct queue_entry* - top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ -extern struct extra_data* extras; /* Extra tokens to fuzz with */ -extern u32 extras_cnt; /* Total number of tokens read */ +extern struct extra_data* extras; /* Extra tokens to fuzz with */ +extern u32 extras_cnt; /* Total number of tokens read */ -extern struct extra_data* a_extras; /* Automatically selected extras */ -extern u32 a_extras_cnt; /* Total number of tokens available */ +extern struct extra_data* a_extras; /* Automatically selected extras */ +extern u32 a_extras_cnt; /* Total number of tokens available */ u8* (*post_handler)(u8* buf, u32* len); /* hooks for the custom mutator function */ -size_t (*custom_mutator)(u8 *data, size_t size, u8* mutated_out, size_t max_size, unsigned int seed); -size_t (*pre_save_handler)(u8 *data, size_t size, u8 **new_data); +size_t (*custom_mutator)(u8* data, size_t size, u8* mutated_out, + size_t max_size, unsigned int seed); +size_t (*pre_save_handler)(u8* data, size_t size, u8** new_data); /* Interesting values, as per config.h */ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; -extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; +extern s32 + interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; /* Python stuff */ #ifdef USE_PYTHON -#include <Python.h> +# include <Python.h> -extern PyObject *py_module; +extern PyObject* py_module; enum { + /* 00 */ PY_FUNC_INIT, /* 01 */ PY_FUNC_FUZZ, /* 02 */ PY_FUNC_INIT_TRIM, /* 03 */ PY_FUNC_POST_TRIM, /* 04 */ PY_FUNC_TRIM, PY_FUNC_COUNT + }; -extern PyObject *py_functions[PY_FUNC_COUNT]; +extern PyObject* py_functions[PY_FUNC_COUNT]; #endif @@ -462,13 +455,13 @@ extern PyObject *py_functions[PY_FUNC_COUNT]; /* Python */ #ifdef USE_PYTHON -int init_py(); +int init_py(); void finalize_py(); void fuzz_py(char*, size_t, char*, size_t, char**, size_t*); -u32 init_trim_py(char*, size_t); -u32 post_trim_py(char); +u32 init_trim_py(char*, size_t); +u32 post_trim_py(char); void trim_py(char**, size_t*); -u8 trim_case_python(char**, struct queue_entry*, u8*); +u8 trim_case_python(char**, struct queue_entry*, u8*); #endif /* Queue */ @@ -480,16 +473,16 @@ void add_to_queue(u8*, u32, u8); void destroy_queue(void); void update_bitmap_score(struct queue_entry*); void cull_queue(void); -u32 calculate_score(struct queue_entry*); +u32 calculate_score(struct queue_entry*); /* Bitmap */ void write_bitmap(void); void read_bitmap(u8*); -u8 has_new_bits(u8*); -u32 count_bits(u8*); -u32 count_bytes(u8*); -u32 count_non_255_bytes(u8*); +u8 has_new_bits(u8*); +u32 count_bits(u8*); +u32 count_bytes(u8*); +u32 count_non_255_bytes(u8*); #ifdef __x86_64__ void simplify_trace(u64*); void classify_counts(u64*); @@ -529,51 +522,51 @@ void show_init_stats(void); /* Run */ -u8 run_target(char**, u32); +u8 run_target(char**, u32); void write_to_testcase(void*, u32); void write_with_gap(void*, u32, u32, u32); -u8 calibrate_case(char**, struct queue_entry*, u8*, u32, u8); +u8 calibrate_case(char**, struct queue_entry*, u8*, u32, u8); void sync_fuzzers(char**); -u8 trim_case(char**, struct queue_entry*, u8*); -u8 common_fuzz_stuff(char**, u8*, u32); +u8 trim_case(char**, struct queue_entry*, u8*); +u8 common_fuzz_stuff(char**, u8*, u32); /* Fuzz one */ -u8 fuzz_one_original(char**); +u8 fuzz_one_original(char**); static u8 pilot_fuzzing(char**); -u8 core_fuzzing(char**); -void pso_updating(void); -u8 fuzz_one(char**); +u8 core_fuzzing(char**); +void pso_updating(void); +u8 fuzz_one(char**); /* Init */ #ifdef HAVE_AFFINITY void bind_to_free_cpu(void); #endif -void setup_post(void); -void setup_custom_mutator(void); -void read_testcases(void); -void perform_dry_run(char**); -void pivot_inputs(void); -u32 find_start_position(void); -void find_timeout(void); +void setup_post(void); +void setup_custom_mutator(void); +void read_testcases(void); +void perform_dry_run(char**); +void pivot_inputs(void); +u32 find_start_position(void); +void find_timeout(void); double get_runnable_processes(void); -void nuke_resume_dir(void); -void maybe_delete_out_dir(void); -void setup_dirs_fds(void); -void setup_cmdline_file(char**); -void setup_stdio_file(void); -void check_crash_handling(void); -void check_cpu_governor(void); -void get_core_count(void); -void fix_up_sync(void); -void check_asan_opts(void); -void check_binary(u8*); -void fix_up_banner(u8*); -void check_if_tty(void); -void setup_signal_handlers(void); +void nuke_resume_dir(void); +void maybe_delete_out_dir(void); +void setup_dirs_fds(void); +void setup_cmdline_file(char**); +void setup_stdio_file(void); +void check_crash_handling(void); +void check_cpu_governor(void); +void get_core_count(void); +void fix_up_sync(void); +void check_asan_opts(void); +void check_binary(u8*); +void fix_up_banner(u8*); +void check_if_tty(void); +void setup_signal_handlers(void); char** get_qemu_argv(u8*, char**, int); -void save_cmdline(u32, char**); +void save_cmdline(u32, char**); /**** Inline routines ****/ @@ -581,25 +574,27 @@ void save_cmdline(u32, char**); have slight bias. */ static inline u32 UR(u32 limit) { + #ifdef HAVE_ARC4RANDOM - if (fixed_seed) { - return random() % limit; - } + if (fixed_seed) { return random() % limit; } /* The boundary not being necessarily a power of 2, we need to ensure the result uniformity. */ return arc4random_uniform(limit); #else if (!fixed_seed && unlikely(!rand_cnt--)) { + u32 seed[2]; ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom"); srandom(seed[0]); rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG); + } return random() % limit; #endif + } /* Find first power of two greater or equal to val (assuming val under @@ -608,7 +603,8 @@ static inline u32 UR(u32 limit) { static u64 next_p2(u64 val) { u64 ret = 1; - while (val > ret) ret <<= 1; + while (val > ret) + ret <<= 1; return ret; } @@ -617,7 +613,7 @@ static u64 next_p2(u64 val) { static u64 get_cur_time(void) { - struct timeval tv; + struct timeval tv; struct timezone tz; gettimeofday(&tv, &tz); @@ -626,12 +622,11 @@ static u64 get_cur_time(void) { } - /* Get unix time in microseconds */ static u64 get_cur_time_us(void) { - struct timeval tv; + struct timeval tv; struct timezone tz; gettimeofday(&tv, &tz); diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 2f98da0e..4a4beff1 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -31,82 +31,105 @@ /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) ({ \ - u8* _tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ +#define alloc_printf(_str...) \ + ({ \ + \ + u8* _tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char*)_tmp, _len + 1, _str); \ - _tmp; \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char*)_tmp, _len + 1, _str); \ + _tmp; \ + \ }) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) do { \ - if ((_s) > MAX_ALLOC) \ - ABORT("Bad alloc request: %u bytes", (_s)); \ +#define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ } while (0) /* Macro to check malloc() failures and the like. */ -#define ALLOC_CHECK_RESULT(_r, _s) do { \ - if (!(_r)) \ - ABORT("Out of memory: can't allocate %u bytes", (_s)); \ +#define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ } while (0) /* Magic tokens used to mark used / freed chunks. */ -#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ +#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ +#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ +#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ /* Positions of guard tokens in relation to the user-visible pointer. */ -#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) -#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) -#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) +#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) +#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) +#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) -#define ALLOC_OFF_HEAD 8 +#define ALLOC_OFF_HEAD 8 #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) /* Allocator increments for ck_realloc_block(). */ -#define ALLOC_BLK_INC 256 +#define ALLOC_BLK_INC 256 /* Sanity-checking macros for pointers. */ -#define CHECK_PTR(_p) do { \ - if (_p) { \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else ABORT("Corrupted head alloc canary."); \ - } \ - } \ +#define CHECK_PTR(_p) \ + do { \ + \ + if (_p) { \ + \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ + \ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Corrupted head alloc canary."); \ + \ + } \ + \ + } \ + \ } while (0) /* #define CHECK_PTR(_p) do { \ + \ if (_p) { \ + \ if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ + \ if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ ABORT("Use after free."); \ else ABORT("Corrupted head alloc canary."); \ + \ } \ if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ ABORT("Corrupted tail alloc canary."); \ + \ } \ + \ } while (0) */ -#define CHECK_PTR_EXPR(_p) ({ \ - typeof (_p) _tmp = (_p); \ - CHECK_PTR(_tmp); \ - _tmp; \ +#define CHECK_PTR_EXPR(_p) \ + ({ \ + \ + typeof(_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + \ }) - /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -123,14 +146,13 @@ static inline void* DFL_ck_alloc_nozero(u32 size) { ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; - return (void *)ret; + return (void*)ret; } - /* Allocate a buffer, returning zeroed memory. */ static inline void* DFL_ck_alloc(u32 size) { @@ -144,7 +166,6 @@ static inline void* DFL_ck_alloc(u32 size) { } - /* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD is set, the old memory will be also clobbered with 0xFF. */ @@ -163,20 +184,19 @@ static inline void DFL_ck_free(void* mem) { ALLOC_C1(mem) = ALLOC_MAGIC_F; - u8 *realStart = mem; + u8* realStart = mem; free(realStart - ALLOC_OFF_HEAD); } - /* Re-allocate a buffer, checking for issues and zeroing any newly-added tail. With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the old memory is clobbered with 0xFF. */ static inline void* DFL_ck_realloc(void* orig, u32 size) { - u8* ret; - u32 old_size = 0; + u8* ret; + u32 old_size = 0; if (!size) { @@ -193,9 +213,9 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) { ALLOC_C1(orig) = ALLOC_MAGIC_F; #endif /* !DEBUG_BUILD */ - old_size = ALLOC_S(orig); - u8 *origu8 = orig; - origu8 -= ALLOC_OFF_HEAD; + old_size = ALLOC_S(orig); + u8* origu8 = orig; + origu8 -= ALLOC_OFF_HEAD; orig = origu8; ALLOC_CHECK_SIZE(old_size); @@ -219,7 +239,7 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) { if (orig) { - u8 *origu8 = orig; + u8* origu8 = orig; memcpy(ret + ALLOC_OFF_HEAD, origu8 + ALLOC_OFF_HEAD, MIN(size, old_size)); memset(origu8 + ALLOC_OFF_HEAD, 0xFF, old_size); @@ -234,17 +254,15 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) { ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; - if (size > old_size) - memset(ret + old_size, 0, size - old_size); + if (size > old_size) memset(ret + old_size, 0, size - old_size); - return (void *)ret; + return (void*)ret; } - /* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up repeated small reallocs without complicating the user code). */ @@ -268,13 +286,12 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) { } - /* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ static inline u8* DFL_ck_strdup(u8* str) { - u8* ret; - u32 size; + u8* ret; + u32 size; if (!str) return NULL; @@ -287,38 +304,36 @@ static inline u8* DFL_ck_strdup(u8* str) { ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; return memcpy(ret, str, size); } - /* Create a buffer with a copy of a memory block. Returns NULL for zero-sized or NULL inputs. */ static inline void* DFL_ck_memdup(void* mem, u32 size) { - u8* ret; + u8* ret; if (!mem || !size) return NULL; ALLOC_CHECK_SIZE(size); ret = malloc(size + ALLOC_OFF_TOTAL); ALLOC_CHECK_RESULT(ret, size); - + ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; return memcpy(ret, mem, size); } - /* Create a buffer with a block of text, appending a NUL terminator at the end. Returns NULL for zero-sized or NULL inputs. */ @@ -331,11 +346,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { ALLOC_CHECK_SIZE(size); ret = malloc(size + ALLOC_OFF_TOTAL + 1); ALLOC_CHECK_RESULT(ret, size); - + ret += ALLOC_OFF_HEAD; ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; + ALLOC_S(ret) = size; ALLOC_C2(ret) = ALLOC_MAGIC_C2; memcpy(ret, mem, size); @@ -345,22 +360,21 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { } - #ifndef DEBUG_BUILD /* In non-debug mode, we just do straightforward aliasing of the above functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free +# define ck_alloc DFL_ck_alloc +# define ck_alloc_nozero DFL_ck_alloc_nozero +# define ck_realloc DFL_ck_realloc +# define ck_realloc_block DFL_ck_realloc_block +# define ck_strdup DFL_ck_strdup +# define ck_memdup DFL_ck_memdup +# define ck_memdup_str DFL_ck_memdup_str +# define ck_free DFL_ck_free -#define alloc_report() +# define alloc_report() #else @@ -369,34 +383,35 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { /* Alloc tracking data structures: */ -#define ALLOC_BUCKETS 4096 +# define ALLOC_BUCKETS 4096 struct TRK_obj { - void *ptr; + + void* ptr; char *file, *func; - u32 line; + u32 line; + }; -#ifdef AFL_MAIN +# ifdef AFL_MAIN struct TRK_obj* TRK[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS]; -# define alloc_report() TRK_report() +# define alloc_report() TRK_report() -#else +# else extern struct TRK_obj* TRK[ALLOC_BUCKETS]; -extern u32 TRK_cnt[ALLOC_BUCKETS]; +extern u32 TRK_cnt[ALLOC_BUCKETS]; -# define alloc_report() +# define alloc_report() -#endif /* ^AFL_MAIN */ +# endif /* ^AFL_MAIN */ /* Bucket-assigning function for a given pointer: */ -#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) - +# define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) /* Add a new entry to the list of allocated objects. */ @@ -415,7 +430,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, if (!TRK[bucket][i].ptr) { - TRK[bucket][i].ptr = ptr; + TRK[bucket][i].ptr = ptr; TRK[bucket][i].file = (char*)file; TRK[bucket][i].func = (char*)func; TRK[bucket][i].line = line; @@ -425,10 +440,10 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, /* No space available - allocate more. */ - TRK[bucket] = DFL_ck_realloc_block(TRK[bucket], - (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); + TRK[bucket] = DFL_ck_realloc_block( + TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); - TRK[bucket][i].ptr = ptr; + TRK[bucket][i].ptr = ptr; TRK[bucket][i].file = (char*)file; TRK[bucket][i].func = (char*)func; TRK[bucket][i].line = line; @@ -437,7 +452,6 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, } - /* Remove entry from the list of allocated objects. */ static inline void TRK_free_buf(void* ptr, const char* file, const char* func, @@ -460,12 +474,11 @@ static inline void TRK_free_buf(void* ptr, const char* file, const char* func, } - WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", - func, file, line); + WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", func, file, + line); } - /* Do a final report on all non-deallocated objects. */ static inline void TRK_report(void) { @@ -482,7 +495,6 @@ static inline void TRK_report(void) { } - /* Simple wrappers for non-debugging functions: */ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, @@ -494,7 +506,6 @@ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, } - static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, const char* func, u32 line) { @@ -505,7 +516,6 @@ static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, } - static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, const char* func, u32 line) { @@ -516,7 +526,6 @@ static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, } - static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, u32 line) { @@ -526,7 +535,6 @@ static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, } - static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, const char* func, u32 line) { @@ -536,7 +544,6 @@ static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, } - static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, const char* func, u32 line) { @@ -546,9 +553,8 @@ static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, } - -static inline void TRK_ck_free(void* ptr, const char* file, - const char* func, u32 line) { +static inline void TRK_ck_free(void* ptr, const char* file, const char* func, + u32 line) { TRK_free_buf(ptr, file, func, line); DFL_ck_free(ptr); @@ -557,30 +563,27 @@ static inline void TRK_ck_free(void* ptr, const char* file, /* Aliasing user-facing names to tracking functions: */ -#define ck_alloc(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_alloc_nozero(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc(_p1, _p2) \ +# define ck_realloc(_p1, _p2)\ TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc_block(_p1, _p2) \ +# define ck_realloc_block(_p1, _p2)\ TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_strdup(_p1) \ - TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup(_p1, _p2) \ +# define ck_memdup(_p1, _p2)\ TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup_str(_p1, _p2) \ +# define ck_memdup_str(_p1, _p2)\ TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_free(_p1) \ - TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) #endif /* ^!DEBUG_BUILD */ #endif /* ! _HAVE_ALLOC_INL_H */ + diff --git a/include/android-ashmem.h b/include/android-ashmem.h index a787c04b..a4b5bf30 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h @@ -8,74 +8,73 @@ #include <sys/mman.h> #if __ANDROID_API__ >= 26 -#define shmat bionic_shmat -#define shmctl bionic_shmctl -#define shmdt bionic_shmdt -#define shmget bionic_shmget +# define shmat bionic_shmat +# define shmctl bionic_shmctl +# define shmdt bionic_shmdt +# define shmget bionic_shmget #endif - #include <sys/shm.h> +#include <sys/shm.h> #undef shmat #undef shmctl #undef shmdt #undef shmget #include <stdio.h> -#define ASHMEM_DEVICE "/dev/ashmem" +#define ASHMEM_DEVICE "/dev/ashmem" -static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) -{ - int ret = 0; - if (__cmd == IPC_RMID) { - int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); - struct ashmem_pin pin = {0, length}; - ret = ioctl(__shmid, ASHMEM_UNPIN, &pin); - close(__shmid); - } +static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { + + int ret = 0; + if (__cmd == IPC_RMID) { + + int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); + struct ashmem_pin pin = {0, length}; + ret = ioctl(__shmid, ASHMEM_UNPIN, &pin); + close(__shmid); + + } + + return ret; - return ret; } -static inline int shmget (key_t __key, size_t __size, int __shmflg) -{ - int fd,ret; - char ourkey[11]; +static inline int shmget(key_t __key, size_t __size, int __shmflg) { + + int fd, ret; + char ourkey[11]; - fd = open(ASHMEM_DEVICE, O_RDWR); - if (fd < 0) - return fd; + fd = open(ASHMEM_DEVICE, O_RDWR); + if (fd < 0) return fd; - sprintf(ourkey,"%d",__key); - ret = ioctl(fd, ASHMEM_SET_NAME, ourkey); - if (ret < 0) - goto error; + sprintf(ourkey, "%d", __key); + ret = ioctl(fd, ASHMEM_SET_NAME, ourkey); + if (ret < 0) goto error; - ret = ioctl(fd, ASHMEM_SET_SIZE, __size); - if (ret < 0) - goto error; + ret = ioctl(fd, ASHMEM_SET_SIZE, __size); + if (ret < 0) goto error; - return fd; + return fd; error: - close(fd); - return ret; + close(fd); + return ret; + } -static inline void *shmat (int __shmid, const void *__shmaddr, int __shmflg) -{ - int size; +static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { + + int size; void *ptr; - + size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); - if (size < 0) { - return NULL; - } + if (size < 0) { return NULL; } ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0); - if (ptr == MAP_FAILED) { - return NULL; - } - + if (ptr == MAP_FAILED) { return NULL; } + return ptr; + } #endif + diff --git a/include/common.h b/include/common.h index 161caa39..9845c2af 100644 --- a/include/common.h +++ b/include/common.h @@ -4,3 +4,4 @@ void detect_file_args(char **argv, u8 *prog_in); #endif + diff --git a/include/config.h b/include/config.h index 17836151..babba3bd 100644 --- a/include/config.h +++ b/include/config.h @@ -21,7 +21,7 @@ /* Version string: */ -#define VERSION "++2.53d" // c = release, d = volatile github dev +#define VERSION "++2.53d" // c = release, d = volatile github dev /****************************************************** * * @@ -41,64 +41,64 @@ /* Default timeout for fuzzed code (milliseconds). This is the upper bound, also used for detecting hangs; the actual value is auto-scaled: */ -#define EXEC_TIMEOUT 1000 +#define EXEC_TIMEOUT 1000 /* Timeout rounding factor when auto-scaling (milliseconds): */ -#define EXEC_TM_ROUND 20 +#define EXEC_TM_ROUND 20 /* Default memory limit for child process (MB): */ -#ifndef __x86_64__ -# define MEM_LIMIT 25 +#ifndef __x86_64__ +# define MEM_LIMIT 25 #else -# define MEM_LIMIT 50 +# define MEM_LIMIT 50 #endif /* ^!__x86_64__ */ /* Default memory limit when running in QEMU mode (MB): */ -#define MEM_LIMIT_QEMU 200 +#define MEM_LIMIT_QEMU 200 /* Default memory limit when running in Unicorn mode (MB): */ -#define MEM_LIMIT_UNICORN 200 +#define MEM_LIMIT_UNICORN 200 /* Number of calibration cycles per every new test case (and for test cases that show variable behavior): */ -#define CAL_CYCLES 8 -#define CAL_CYCLES_LONG 40 +#define CAL_CYCLES 8 +#define CAL_CYCLES_LONG 40 /* Number of subsequent timeouts before abandoning an input file: */ -#define TMOUT_LIMIT 250 +#define TMOUT_LIMIT 250 /* Maximum number of unique hangs or crashes to record: */ -#define KEEP_UNIQUE_HANG 500 -#define KEEP_UNIQUE_CRASH 5000 +#define KEEP_UNIQUE_HANG 500 +#define KEEP_UNIQUE_CRASH 5000 /* Baseline number of random tweaks during a single 'havoc' stage: */ -#define HAVOC_CYCLES 256 -#define HAVOC_CYCLES_INIT 1024 +#define HAVOC_CYCLES 256 +#define HAVOC_CYCLES_INIT 1024 /* Maximum multiplier for the above (should be a power of two, beware of 32-bit int overflows): */ -#define HAVOC_MAX_MULT 16 +#define HAVOC_MAX_MULT 16 #define HAVOC_MAX_MULT_MOPT 32 /* Absolute minimum number of havoc cycles (after all adjustments): */ -#define HAVOC_MIN 16 +#define HAVOC_MIN 16 /* Power Schedule Divisor */ -#define POWER_BETA 1 -#define MAX_FACTOR (POWER_BETA * 32) +#define POWER_BETA 1 +#define MAX_FACTOR (POWER_BETA * 32) /* Maximum stacking for havoc-stage tweaks. The actual value is calculated - like this: + like this: n = random between 1 and HAVOC_STACK_POW2 stacking = 2^n @@ -106,116 +106,116 @@ In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or 128 stacked tweaks: */ -#define HAVOC_STACK_POW2 7 +#define HAVOC_STACK_POW2 7 /* Caps on block sizes for cloning and deletion operations. Each of these ranges has a 33% probability of getting picked, except for the first two cycles where smaller blocks are favored: */ -#define HAVOC_BLK_SMALL 32 -#define HAVOC_BLK_MEDIUM 128 -#define HAVOC_BLK_LARGE 1500 +#define HAVOC_BLK_SMALL 32 +#define HAVOC_BLK_MEDIUM 128 +#define HAVOC_BLK_LARGE 1500 /* Extra-large blocks, selected very rarely (<5% of the time): */ -#define HAVOC_BLK_XL 32768 +#define HAVOC_BLK_XL 32768 /* Probabilities of skipping non-favored entries in the queue, expressed as percentages: */ -#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ -#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ -#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ +#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ +#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ +#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ /* Splicing cycle count: */ -#define SPLICE_CYCLES 15 +#define SPLICE_CYCLES 15 /* Nominal per-splice havoc cycle length: */ -#define SPLICE_HAVOC 32 +#define SPLICE_HAVOC 32 /* Maximum offset for integer addition / subtraction stages: */ -#define ARITH_MAX 35 +#define ARITH_MAX 35 /* Limits for the test case trimmer. The absolute minimum chunk size; and the starting and ending divisors for chopping up the input file: */ -#define TRIM_MIN_BYTES 4 -#define TRIM_START_STEPS 16 -#define TRIM_END_STEPS 1024 +#define TRIM_MIN_BYTES 4 +#define TRIM_START_STEPS 16 +#define TRIM_END_STEPS 1024 /* Maximum size of input file, in bytes (keep under 100MB): */ -#define MAX_FILE (1 * 1024 * 1024) +#define MAX_FILE (1 * 1024 * 1024) /* The same, for the test case minimizer: */ -#define TMIN_MAX_FILE (10 * 1024 * 1024) +#define TMIN_MAX_FILE (10 * 1024 * 1024) /* Block normalization steps for afl-tmin: */ -#define TMIN_SET_MIN_SIZE 4 -#define TMIN_SET_STEPS 128 +#define TMIN_SET_MIN_SIZE 4 +#define TMIN_SET_STEPS 128 /* Maximum dictionary token size (-x), in bytes: */ -#define MAX_DICT_FILE 128 +#define MAX_DICT_FILE 128 /* Length limits for auto-detected dictionary tokens: */ -#define MIN_AUTO_EXTRA 3 -#define MAX_AUTO_EXTRA 32 +#define MIN_AUTO_EXTRA 3 +#define MAX_AUTO_EXTRA 32 /* Maximum number of user-specified dictionary tokens to use in deterministic steps; past this point, the "extras/user" step will be still carried out, but with proportionally lower odds: */ -#define MAX_DET_EXTRAS 200 +#define MAX_DET_EXTRAS 200 /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing (first value), and to keep in memory as candidates. The latter should be much higher than the former. */ -#define USE_AUTO_EXTRAS 50 -#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) +#define USE_AUTO_EXTRAS 50 +#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) /* Scaling factor for the effector map used to skip some of the more expensive deterministic steps. The actual divisor is set to 2^EFF_MAP_SCALE2 bytes: */ -#define EFF_MAP_SCALE2 3 +#define EFF_MAP_SCALE2 3 /* Minimum input file length at which the effector logic kicks in: */ -#define EFF_MIN_LEN 128 +#define EFF_MIN_LEN 128 /* Maximum effector density past which everything is just fuzzed unconditionally (%): */ -#define EFF_MAX_PERC 90 +#define EFF_MAX_PERC 90 /* UI refresh frequency (Hz): */ -#define UI_TARGET_HZ 5 +#define UI_TARGET_HZ 5 /* Fuzzer stats file and plot update intervals (sec): */ -#define STATS_UPDATE_SEC 60 -#define PLOT_UPDATE_SEC 5 +#define STATS_UPDATE_SEC 60 +#define PLOT_UPDATE_SEC 5 /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ -#define AVG_SMOOTHING 16 +#define AVG_SMOOTHING 16 /* Sync interval (every n havoc cycles): */ -#define SYNC_INTERVAL 5 +#define SYNC_INTERVAL 5 /* Output directory reuse grace period (minutes): */ -#define OUTPUT_GRACE 25 +#define OUTPUT_GRACE 25 /* Uncomment to use simple file names (id_NNNNNN): */ @@ -223,42 +223,42 @@ /* List of interesting values to use in fuzzing. */ -#define INTERESTING_8 \ - -128, /* Overflow signed 8-bit when decremented */ \ - -1, /* */ \ - 0, /* */ \ - 1, /* */ \ - 16, /* One-off with common buffer size */ \ - 32, /* One-off with common buffer size */ \ - 64, /* One-off with common buffer size */ \ - 100, /* One-off with common buffer size */ \ - 127 /* Overflow signed 8-bit when incremented */ +#define INTERESTING_8 \ + -128, /* Overflow signed 8-bit when decremented */ \ + -1, /* */ \ + 0, /* */ \ + 1, /* */ \ + 16, /* One-off with common buffer size */ \ + 32, /* One-off with common buffer size */ \ + 64, /* One-off with common buffer size */ \ + 100, /* One-off with common buffer size */ \ + 127 /* Overflow signed 8-bit when incremented */ #define INTERESTING_8_LEN 9 -#define INTERESTING_16 \ - -32768, /* Overflow signed 16-bit when decremented */ \ - -129, /* Overflow signed 8-bit */ \ - 128, /* Overflow signed 8-bit */ \ - 255, /* Overflow unsig 8-bit when incremented */ \ - 256, /* Overflow unsig 8-bit */ \ - 512, /* One-off with common buffer size */ \ - 1000, /* One-off with common buffer size */ \ - 1024, /* One-off with common buffer size */ \ - 4096, /* One-off with common buffer size */ \ - 32767 /* Overflow signed 16-bit when incremented */ +#define INTERESTING_16 \ + -32768, /* Overflow signed 16-bit when decremented */ \ + -129, /* Overflow signed 8-bit */ \ + 128, /* Overflow signed 8-bit */ \ + 255, /* Overflow unsig 8-bit when incremented */ \ + 256, /* Overflow unsig 8-bit */ \ + 512, /* One-off with common buffer size */ \ + 1000, /* One-off with common buffer size */ \ + 1024, /* One-off with common buffer size */ \ + 4096, /* One-off with common buffer size */ \ + 32767 /* Overflow signed 16-bit when incremented */ #define INTERESTING_16_LEN 10 -#define INTERESTING_32 \ - -2147483648LL, /* Overflow signed 32-bit when decremented */ \ - -100663046, /* Large negative number (endian-agnostic) */ \ - -32769, /* Overflow signed 16-bit */ \ - 32768, /* Overflow signed 16-bit */ \ - 65535, /* Overflow unsig 16-bit when incremented */ \ - 65536, /* Overflow unsig 16 bit */ \ - 100663045, /* Large positive number (endian-agnostic) */ \ - 2147483647 /* Overflow signed 32-bit when incremented */ +#define INTERESTING_32 \ + -2147483648LL, /* Overflow signed 32-bit when decremented */ \ + -100663046, /* Large negative number (endian-agnostic) */ \ + -32769, /* Overflow signed 16-bit */ \ + 32768, /* Overflow signed 16-bit */ \ + 65535, /* Overflow unsig 16-bit when incremented */ \ + 65536, /* Overflow unsig 16 bit */ \ + 100663045, /* Large positive number (endian-agnostic) */ \ + 2147483647 /* Overflow signed 32-bit when incremented */ #define INTERESTING_32_LEN 8 @@ -270,57 +270,57 @@ /* Call count interval between reseeding the libc PRNG from /dev/urandom: */ -#define RESEED_RNG 10000 +#define RESEED_RNG 10000 /* Maximum line length passed from GCC to 'as' and used for parsing configuration files: */ -#define MAX_LINE 8192 +#define MAX_LINE 8192 /* Environment variable used to pass SHM ID to the called program. */ -#define SHM_ENV_VAR "__AFL_SHM_ID" +#define SHM_ENV_VAR "__AFL_SHM_ID" /* Other less interesting, internal-only variables. */ -#define CLANG_ENV_VAR "__AFL_CLANG_MODE" -#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" -#define PERSIST_ENV_VAR "__AFL_PERSISTENT" -#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" +#define CLANG_ENV_VAR "__AFL_CLANG_MODE" +#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" +#define PERSIST_ENV_VAR "__AFL_PERSISTENT" +#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" /* In-code signatures for deferred and persistent mode. */ -#define PERSIST_SIG "##SIG_AFL_PERSISTENT##" -#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" +#define PERSIST_SIG "##SIG_AFL_PERSISTENT##" +#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" /* Distinctive bitmap signature used to indicate failed execution: */ -#define EXEC_FAIL_SIG 0xfee1dead +#define EXEC_FAIL_SIG 0xfee1dead /* Distinctive exit code used to indicate MSAN trip condition: */ -#define MSAN_ERROR 86 +#define MSAN_ERROR 86 /* Designated file descriptors for forkserver commands (the application will use FORKSRV_FD and FORKSRV_FD + 1): */ -#define FORKSRV_FD 198 +#define FORKSRV_FD 198 /* Fork server init timeout multiplier: we'll wait the user-selected timeout plus this much for the fork server to spin up. */ -#define FORK_WAIT_MULT 10 +#define FORK_WAIT_MULT 10 /* Calibration timeout adjustments, to be a bit more generous when resuming fuzzing sessions or trying to calibrate already-added internal finds. The first value is a percentage, the other is in milliseconds: */ -#define CAL_TMOUT_PERC 125 -#define CAL_TMOUT_ADD 50 +#define CAL_TMOUT_PERC 125 +#define CAL_TMOUT_ADD 50 /* Number of chances to calibrate a case before giving up: */ -#define CAL_CHANCES 3 +#define CAL_CHANCES 3 /* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than 2; you probably want to keep it under 18 or so for performance reasons @@ -328,28 +328,27 @@ problems with complex programs). You need to recompile the target binary after changing this - otherwise, SEGVs may ensue. */ -#define MAP_SIZE_POW2 16 -#define MAP_SIZE (1 << MAP_SIZE_POW2) +#define MAP_SIZE_POW2 16 +#define MAP_SIZE (1 << MAP_SIZE_POW2) /* Maximum allocator request size (keep well under INT_MAX): */ -#define MAX_ALLOC 0x40000000 +#define MAX_ALLOC 0x40000000 /* A made-up hashing seed: */ -#define HASH_CONST 0xa5b35705 +#define HASH_CONST 0xa5b35705 /* Constants for afl-gotcpu to control busy loop timing: */ -#define CTEST_TARGET_MS 5000 -#define CTEST_CORE_TRG_MS 1000 -#define CTEST_BUSY_CYCLES (10 * 1000 * 1000) +#define CTEST_TARGET_MS 5000 +#define CTEST_CORE_TRG_MS 1000 +#define CTEST_BUSY_CYCLES (10 * 1000 * 1000) /* Enable NeverZero counters in QEMU mode */ #define AFL_QEMU_NOT_ZERO - /* Uncomment this to use inferior block-coverage-based instrumentation. Note that you need to recompile the target binary for this to have any effect: */ @@ -368,3 +367,4 @@ // #define IGNORE_FINDS #endif /* ! _HAVE_CONFIG_H */ + diff --git a/include/debug.h b/include/debug.h index c0044280..6a59ad7a 100644 --- a/include/debug.h +++ b/include/debug.h @@ -108,39 +108,39 @@ #ifdef FANCY_BOXES -# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ -# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ -# define bSTART "\x0e" /* Enter G1 drawing mode */ -# define bSTOP "\x0f" /* Leave G1 drawing mode */ -# define bH "q" /* Horizontal line */ -# define bV "x" /* Vertical line */ -# define bLT "l" /* Left top corner */ -# define bRT "k" /* Right top corner */ -# define bLB "m" /* Left bottom corner */ -# define bRB "j" /* Right bottom corner */ -# define bX "n" /* Cross */ -# define bVR "t" /* Vertical, branch right */ -# define bVL "u" /* Vertical, branch left */ -# define bHT "v" /* Horizontal, branch top */ -# define bHB "w" /* Horizontal, branch bottom */ +# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ +# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ +# define bSTART "\x0e" /* Enter G1 drawing mode */ +# define bSTOP "\x0f" /* Leave G1 drawing mode */ +# define bH "q" /* Horizontal line */ +# define bV "x" /* Vertical line */ +# define bLT "l" /* Left top corner */ +# define bRT "k" /* Right top corner */ +# define bLB "m" /* Left bottom corner */ +# define bRB "j" /* Right bottom corner */ +# define bX "n" /* Cross */ +# define bVR "t" /* Vertical, branch right */ +# define bVL "u" /* Vertical, branch left */ +# define bHT "v" /* Horizontal, branch top */ +# define bHB "w" /* Horizontal, branch bottom */ #else -# define SET_G1 "" +# define SET_G1 "" # define RESET_G1 "" -# define bSTART "" -# define bSTOP "" -# define bH "-" -# define bV "|" -# define bLT "+" -# define bRT "+" -# define bLB "+" -# define bRB "+" -# define bX "+" -# define bVR "+" -# define bVL "+" -# define bHT "+" -# define bHB "+" +# define bSTART "" +# define bSTOP "" +# define bH "-" +# define bV "|" +# define bLT "+" +# define bRT "+" +# define bLB "+" +# define bRB "+" +# define bX "+" +# define bVR "+" +# define bVL "+" +# define bHT "+" +# define bHB "+" #endif /* ^FANCY_BOXES */ @@ -148,11 +148,11 @@ * Misc terminal codes * ***********************/ -#define TERM_HOME "\x1b[H" -#define TERM_CLEAR TERM_HOME "\x1b[2J" -#define cEOL "\x1b[0K" -#define CURSOR_HIDE "\x1b[?25l" -#define CURSOR_SHOW "\x1b[?25h" +#define TERM_HOME "\x1b[H" +#define TERM_CLEAR TERM_HOME "\x1b[2J" +#define cEOL "\x1b[0K" +#define CURSOR_HIDE "\x1b[?25l" +#define CURSOR_SHOW "\x1b[?25h" /************************ * Debug & error macros * @@ -161,91 +161,125 @@ /* Just print stuff to the appropriate stream. */ #ifdef MESSAGES_TO_STDOUT -# define SAYF(x...) printf(x) -#else -# define SAYF(x...) fprintf(stderr, x) +# define SAYF(x...) printf(x) +#else +# define SAYF(x...) fprintf(stderr, x) #endif /* ^MESSAGES_TO_STDOUT */ /* Show a prefixed warning. */ -#define WARNF(x...) do { \ +#define WARNF(x...) \ + do { \ + \ SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \ - SAYF(cRST "\n"); \ + SAYF(cRST "\n"); \ + \ } while (0) /* Show a prefixed "doing something" message. */ -#define ACTF(x...) do { \ +#define ACTF(x...) \ + do { \ + \ SAYF(cLBL "[*] " cRST x); \ - SAYF(cRST "\n"); \ + SAYF(cRST "\n"); \ + \ } while (0) /* Show a prefixed "success" message. */ -#define OKF(x...) do { \ +#define OKF(x...) \ + do { \ + \ SAYF(cLGN "[+] " cRST x); \ - SAYF(cRST "\n"); \ + SAYF(cRST "\n"); \ + \ } while (0) /* Show a prefixed fatal error message (not used in afl). */ -#define BADF(x...) do { \ +#define BADF(x...) \ + do { \ + \ SAYF(cLRD "\n[-] " cRST x); \ - SAYF(cRST "\n"); \ + SAYF(cRST "\n"); \ + \ } while (0) /* Die with a verbose non-OS fatal error message. */ -#define FATAL(x...) do { \ - SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ - cRST x); \ - SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \ - __FUNCTION__, __FILE__, __LINE__); \ - exit(1); \ +#define FATAL(x...) \ + do { \ + \ + SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ + "\n[-] PROGRAM ABORT : " cRST x); \ + SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __FUNCTION__, \ + __FILE__, __LINE__); \ + exit(1); \ + \ } while (0) /* Die by calling abort() to provide a core dump. */ -#define ABORT(x...) do { \ - SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ - cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \ - __FUNCTION__, __FILE__, __LINE__); \ - abort(); \ +#define ABORT(x...) \ + do { \ + \ + SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ + "\n[-] PROGRAM ABORT : " cRST x); \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __FUNCTION__, \ + __FILE__, __LINE__); \ + abort(); \ + \ } while (0) /* Die while also including the output of perror(). */ -#define PFATAL(x...) do { \ - fflush(stdout); \ - SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \ - cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \ - __FUNCTION__, __FILE__, __LINE__); \ - SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ - exit(1); \ +#define PFATAL(x...) \ + do { \ + \ + fflush(stdout); \ + SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ + "\n[-] SYSTEM ERROR : " cRST x); \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __FUNCTION__, \ + __FILE__, __LINE__); \ + SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ + exit(1); \ + \ } while (0) /* Die with FAULT() or PFAULT() depending on the value of res (used to interpret different failure modes for read(), write(), etc). */ -#define RPFATAL(res, x...) do { \ - if (res < 0) PFATAL(x); else FATAL(x); \ +#define RPFATAL(res, x...) \ + do { \ + \ + if (res < 0) \ + PFATAL(x); \ + else \ + FATAL(x); \ + \ } while (0) /* Error-checking versions of read() and write() that call RPFATAL() as appropriate. */ -#define ck_write(fd, buf, len, fn) do { \ - u32 _len = (len); \ - s32 _res = write(fd, buf, _len); \ +#define ck_write(fd, buf, len, fn) \ + do { \ + \ + u32 _len = (len); \ + s32 _res = write(fd, buf, _len); \ if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \ + \ } while (0) -#define ck_read(fd, buf, len, fn) do { \ - u32 _len = (len); \ - s32 _res = read(fd, buf, _len); \ +#define ck_read(fd, buf, len, fn) \ + do { \ + \ + u32 _len = (len); \ + s32 _res = read(fd, buf, _len); \ if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \ + \ } while (0) #endif /* ! _HAVE_DEBUG_H */ + diff --git a/include/forkserver.h b/include/forkserver.h index fa40d9c6..af5dab72 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -5,21 +5,21 @@ void handle_timeout(int sig); void init_forkserver(char **argv); #ifdef __APPLE__ -#define MSG_FORK_ON_APPLE \ - " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ - "may\n" \ - " break afl-fuzz performance optimizations when running " \ - "platform-specific\n" \ +# define MSG_FORK_ON_APPLE \ + " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ + "may\n" \ + " break afl-fuzz performance optimizations when running " \ + "platform-specific\n" \ " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" #else -#define MSG_FORK_ON_APPLE "" +# define MSG_FORK_ON_APPLE "" #endif #ifdef RLIMIT_AS - #define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" +# define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else - #define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" +# define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ - #endif + diff --git a/include/hash.h b/include/hash.h index f39a8257..5d0512a6 100644 --- a/include/hash.h +++ b/include/hash.h @@ -31,12 +31,12 @@ #ifdef __x86_64__ -#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) +# define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) static inline u32 hash32(const void* key, u32 len, u32 seed) { const u64* data = (u64*)key; - u64 h1 = seed ^ len; + u64 h1 = seed ^ len; len >>= 3; @@ -45,12 +45,12 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) { u64 k1 = *data++; k1 *= 0x87c37b91114253d5ULL; - k1 = ROL64(k1, 31); + k1 = ROL64(k1, 31); k1 *= 0x4cf5ad432745937fULL; h1 ^= k1; - h1 = ROL64(h1, 27); - h1 = h1 * 5 + 0x52dce729; + h1 = ROL64(h1, 27); + h1 = h1 * 5 + 0x52dce729; } @@ -64,14 +64,14 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) { } -#else +#else -#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) +# define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) static inline u32 hash32(const void* key, u32 len, u32 seed) { - const u32* data = (u32*)key; - u32 h1 = seed ^ len; + const u32* data = (u32*)key; + u32 h1 = seed ^ len; len >>= 2; @@ -80,12 +80,12 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) { u32 k1 = *data++; k1 *= 0xcc9e2d51; - k1 = ROL32(k1, 15); + k1 = ROL32(k1, 15); k1 *= 0x1b873593; h1 ^= k1; - h1 = ROL32(h1, 13); - h1 = h1 * 5 + 0xe6546b64; + h1 = ROL32(h1, 13); + h1 = h1 * 5 + 0xe6546b64; } @@ -102,3 +102,4 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) { #endif /* ^__x86_64__ */ #endif /* !_HAVE_HASH_H */ + diff --git a/include/sharedmem.h b/include/sharedmem.h index 9aa44d0e..7e13b13b 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -5,3 +5,4 @@ void setup_shm(unsigned char dumb_mode); void remove_shm(void); #endif + diff --git a/include/types.h b/include/types.h index 7606d4ed..60ae64c2 100644 --- a/include/types.h +++ b/include/types.h @@ -46,26 +46,31 @@ typedef unsigned long long u64; typedef uint64_t u64; #endif /* ^__x86_64__ */ -typedef int8_t s8; -typedef int16_t s16; -typedef int32_t s32; -typedef int64_t s64; +typedef int8_t s8; +typedef int16_t s16; +typedef int32_t s32; +typedef int64_t s64; #ifndef MIN -# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) -# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) +# define MIN(_a, _b) ((_a) > (_b) ? (_b) : (_a)) +# define MAX(_a, _b) ((_a) > (_b) ? (_a) : (_b)) #endif /* !MIN */ -#define SWAP16(_x) ({ \ - u16 _ret = (_x); \ +#define SWAP16(_x) \ + ({ \ + \ + u16 _ret = (_x); \ (u16)((_ret << 8) | (_ret >> 8)); \ + \ }) -#define SWAP32(_x) ({ \ - u32 _ret = (_x); \ - (u32)((_ret << 24) | (_ret >> 24) | \ - ((_ret << 8) & 0x00FF0000) | \ - ((_ret >> 8) & 0x0000FF00)); \ +#define SWAP32(_x) \ + ({ \ + \ + u32 _ret = (_x); \ + (u32)((_ret << 24) | (_ret >> 24) | ((_ret << 8) & 0x00FF0000) | \ + ((_ret >> 8) & 0x0000FF00)); \ + \ }) #ifdef AFL_LLVM_PASS @@ -77,15 +82,15 @@ typedef int64_t s64; #define STRINGIFY_INTERNAL(x) #x #define STRINGIFY(x) STRINGIFY_INTERNAL(x) -#define MEM_BARRIER() \ - __asm__ volatile("" ::: "memory") +#define MEM_BARRIER() __asm__ volatile("" ::: "memory") #if __GNUC__ < 6 - #define likely(_x) (_x) - #define unlikely(_x) (_x) +# define likely(_x) (_x) +# define unlikely(_x) (_x) #else - #define likely(_x) __builtin_expect(!!(_x), 1) - #define unlikely(_x) __builtin_expect(!!(_x), 0) +# define likely(_x) __builtin_expect(!!(_x), 1) +# define unlikely(_x) __builtin_expect(!!(_x), 0) #endif #endif /* ! _HAVE_TYPES_H */ + |